The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot
The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in old manner.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
keylength, being an acme.sh value type, uses pure numbers for rsa keys.
This can be disorienting for other acme clients. This change introduces
a new option "key_type" that aims to remove this ambiguity, and makes
all key type names follow the same pattern, making acme-common more
client agnostic.
Signed-off-by: Glen Huang <me@glenhuang.com>
ACME clients shouldn't deal with deprecated values. They should be
processed by acme-common.
Reformatting is done by shfmt.
Signed-off-by: Glen Huang <me@glenhuang.com>
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.
Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The acme-acmesh package hardcoded the certificate path in its hook script.
Now that we export it as a variable we can avoid hard-coding and use the
variable version instead. Also factor out the linking of certificates into
a function so it's not repeated.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
acme.sh by default use public DNS resolvers to check if TXT record was
correctly added when using DNS-01. This can be undesirable in a private
environment where the DNS server is not publicly accessible.
This option allows bypassing such check and simply waiting for a
specific length of time for the TXT record to take effect.
Signed-off-by: Glen Huang <i@glenhuang.com>
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.
Signed-off-by: Glen Huang <i@glenhuang.com>
Sergey Ponomarev