5 # concat file atomic way
11 cp -f $file $file.dehydrated~
16 if [ ! -x /usr/sbin/lighttpd ] || [ ! -f /etc/lighttpd/server.pem ]; then
20 echo " + Hook: Overwritting /etc/lighttpd/server.pem and reloading lighttpd..."
21 atomic_concat /etc/lighttpd/server.pem "$FULLCHAINFILE" "$KEYFILE"
22 /sbin/service lighttpd reload
26 if [ ! -x /usr/sbin/haproxy ] || [ ! -f /etc/haproxy/server.pem ]; then
30 echo " + Hook: Overwritting /etc/haproxy/server.pem and restarting haproxy..."
31 atomic_concat /etc/haproxy/server.pem "$FULLCHAINFILE" "$KEYFILE"
32 /sbin/service haproxy reload
36 if [ ! -f /etc/nginx/server.crt ] || [ ! -f /etc/nginx/server.key ]; then
40 echo " + Hook: Overwritting /etc/nginx/server.{crt,key} and reloading nginx..."
41 atomic_concat /etc/nginx/server.crt "$FULLCHAINFILE"
42 atomic_concat /etc/nginx/server.key "$KEYFILE"
43 /sbin/service nginx reload
47 if [ ! -x /etc/rc.d/init.d/httpd ]; then
51 echo " + Hook: Reloading Apache 2..."
52 atomic_concat /etc/httpd/ssl/server.crt "$FULLCHAINFILE"
53 atomic_concat /etc/httpd/ssl/server.key "$KEYFILE"
54 /sbin/service httpd graceful
58 local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
60 # This hook is called once for every domain that needs to be
61 # validated, including any alternative names you may have listed.
65 # The domain name (CN or subject alternative name) being
68 # The name of the file containing the token to be served for HTTP
69 # validation. Should be served by your web server as
70 # /.well-known/acme-challenge/${TOKEN_FILENAME}.
72 # The token value that needs to be served for validation. For DNS
73 # validation, this is what you want to put in the _acme-challenge
74 # TXT record. For HTTP validation it is the value that is expected
75 # be found in the $TOKEN_FILENAME file.
77 # Simple example: Use nsupdate with local named
78 # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
82 local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
84 # This hook is called after attempting to validate each domain,
85 # whether or not validation was successful. Here you can delete
86 # files or DNS records that are no longer needed.
88 # The parameters are the same as for deploy_challenge.
90 # Simple example: Use nsupdate with local named
91 # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
95 local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
97 # This hook is called once for each certificate that has been
98 # produced. Here you might, for instance, copy your new certificates
99 # to service-specific locations and reload the service.
103 # The primary domain name, i.e. the certificate common
106 # The path of the file containing the private key.
108 # The path of the file containing the signed certificate.
110 # The path of the file containing the full certificate chain.
112 # The path of the file containing the intermediate certificate(s).
114 # Timestamp when the specified certificate was created.
116 # Simple example: Copy file to nginx config
117 # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
118 # systemctl reload nginx
127 local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
129 # This hook is called once for each updated ocsp stapling file that has
130 # been produced. Here you might, for instance, copy your new ocsp stapling
131 # files to service-specific locations and reload the service.
135 # The primary domain name, i.e. the certificate common
138 # The path of the ocsp stapling file
140 # Timestamp when the specified ocsp stapling file was created.
142 # Simple example: Copy file to nginx config
143 # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
144 # systemctl reload nginx
148 local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
150 # This hook is called once for each certificate that is still
151 # valid and therefore wasn't reissued.
155 # The primary domain name, i.e. the certificate common
158 # The path of the file containing the private key.
160 # The path of the file containing the signed certificate.
162 # The path of the file containing the full certificate chain.
164 # The path of the file containing the intermediate certificate(s).
167 invalid_challenge() {
168 local DOMAIN="${1}" RESPONSE="${2}"
170 # This hook is called if the challenge response has failed, so domain
171 # owners can be aware and act accordingly.
175 # The primary domain name, i.e. the certificate common
178 # The response that the verification server returned
180 # Simple example: Send mail to root
181 # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
185 local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
187 # This hook is called when an HTTP request fails (e.g., when the ACME
188 # server is busy, returns an error, etc). It will be called upon any
189 # response code that does not start with '2'. Useful to alert admins
190 # about problems with requests.
194 # The HTML status code that originated the error.
196 # The specified reason for the error.
198 # The kind of request that was made (GET, POST...)
200 # HTTP headers returned by the CA
202 # Simple example: Send mail to root
203 # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
207 local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
209 # This hook is called before any certificate signing operation takes place.
210 # It can be used to generate or fetch a certificate signing request with external
212 # The output should be just the cerificate signing request formatted as PEM.
216 # The primary domain as specified in domains.txt. This does not need to
217 # match with the domains in the CSR, it's basically just the directory name.
219 # Certificate output directory for this particular certificate. Can be used
220 # for storing additional files.
222 # All domain names for the current certificate as specified in domains.txt.
223 # Again, this doesn't need to match with the CSR, it's just there for convenience.
225 # Simple example: Look for pre-generated CSRs
226 # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
227 # cat "${CERTDIR}/pre-generated.csr"
232 # This hook is called before the cron command to do some initial tasks
233 # (e.g. starting a webserver).
239 # This hook is called at the end of the cron command and can be used to
240 # do some final (cleanup or other) tasks.
248 deploy_challenge|clean_challenge|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)
252 echo " + Hook: $HANDLER: Nothing to do..."