2 # based on https://github.com/lukas2511/dehydrated/wiki/example-dns-01-nsupdate-script
6 # concat file atomic way
12 cp -f $file $file.dehydrated~
17 if [ ! -x /usr/sbin/lighttpd ] || [ ! -f /etc/lighttpd/server.pem ]; then
21 echo " + Hook: Overwritting /etc/lighttpd/server.pem and reloading lighttpd..."
22 atomic_concat /etc/lighttpd/server.pem "$FULLCHAINFILE" "$KEYFILE"
23 /sbin/service lighttpd reload
27 if [ ! -x /usr/sbin/haproxy ] || [ ! -f /etc/haproxy/server.pem ]; then
31 echo " + Hook: Overwritting /etc/haproxy/server.pem and restarting haproxy..."
32 atomic_concat /etc/haproxy/server.pem "$FULLCHAINFILE" "$KEYFILE"
33 /sbin/service haproxy reload
37 if [ ! -f /etc/nginx/server.crt ] || [ ! -f /etc/nginx/server.key ]; then
41 echo " + Hook: Overwritting /etc/nginx/server.{crt,key} and reloading nginx..."
42 atomic_concat /etc/nginx/server.crt "$FULLCHAINFILE"
43 atomic_concat /etc/nginx/server.key "$KEYFILE"
44 /sbin/service nginx reload
48 if [ ! -x /etc/rc.d/init.d/httpd ]; then
52 echo " + Hook: Reloading Apache 2..."
53 atomic_concat /etc/httpd/ssl/server.crt "$FULLCHAINFILE"
54 atomic_concat /etc/httpd/ssl/server.key "$KEYFILE"
55 /sbin/service httpd graceful
59 local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
61 # This hook is called once for every domain that needs to be
62 # validated, including any alternative names you may have listed.
66 # The domain name (CN or subject alternative name) being
69 # The name of the file containing the token to be served for HTTP
70 # validation. Should be served by your web server as
71 # /.well-known/acme-challenge/${TOKEN_FILENAME}.
73 # The token value that needs to be served for validation. For DNS
74 # validation, this is what you want to put in the _acme-challenge
75 # TXT record. For HTTP validation it is the value that is expected
76 # be found in the $TOKEN_FILENAME file.
78 # Simple example: Use nsupdate with local named
79 # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
82 echo "Add the following to the zone definition of ${DOMAIN}:"
83 echo "'_acme-challenge.${DOMAIN}:${TOKEN_VALUE}:300"
85 echo -n "Press enter to continue..."
91 local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
93 # This hook is called after attempting to validate each domain,
94 # whether or not validation was successful. Here you can delete
95 # files or DNS records that are no longer needed.
97 # The parameters are the same as for deploy_challenge.
99 # Simple example: Use nsupdate with local named
100 # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
103 echo "Now you can remove the following from the zone definition of ${DOMAIN}:"
104 echo "'_acme-challenge.${DOMAIN}:${TOKEN_VALUE}:300"
106 echo -n "Press enter to continue..."
112 local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
114 # This hook is called once for each certificate that has been
115 # produced. Here you might, for instance, copy your new certificates
116 # to service-specific locations and reload the service.
120 # The primary domain name, i.e. the certificate common
123 # The path of the file containing the private key.
125 # The path of the file containing the signed certificate.
127 # The path of the file containing the full certificate chain.
129 # The path of the file containing the intermediate certificate(s).
131 # Timestamp when the specified certificate was created.
133 # Simple example: Copy file to nginx config
134 # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
135 # systemctl reload nginx
144 local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
146 # This hook is called once for each updated ocsp stapling file that has
147 # been produced. Here you might, for instance, copy your new ocsp stapling
148 # files to service-specific locations and reload the service.
152 # The primary domain name, i.e. the certificate common
155 # The path of the ocsp stapling file
157 # Timestamp when the specified ocsp stapling file was created.
159 # Simple example: Copy file to nginx config
160 # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
161 # systemctl reload nginx
165 local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
167 # This hook is called once for each certificate that is still
168 # valid and therefore wasn't reissued.
172 # The primary domain name, i.e. the certificate common
175 # The path of the file containing the private key.
177 # The path of the file containing the signed certificate.
179 # The path of the file containing the full certificate chain.
181 # The path of the file containing the intermediate certificate(s).
184 invalid_challenge() {
185 local DOMAIN="${1}" RESPONSE="${2}"
187 # This hook is called if the challenge response has failed, so domain
188 # owners can be aware and act accordingly.
192 # The primary domain name, i.e. the certificate common
195 # The response that the verification server returned
197 # Simple example: Send mail to root
198 # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
202 local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
204 # This hook is called when an HTTP request fails (e.g., when the ACME
205 # server is busy, returns an error, etc). It will be called upon any
206 # response code that does not start with '2'. Useful to alert admins
207 # about problems with requests.
211 # The HTML status code that originated the error.
213 # The specified reason for the error.
215 # The kind of request that was made (GET, POST...)
217 # HTTP headers returned by the CA
219 # Simple example: Send mail to root
220 # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
224 local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
226 # This hook is called before any certificate signing operation takes place.
227 # It can be used to generate or fetch a certificate signing request with external
229 # The output should be just the cerificate signing request formatted as PEM.
233 # The primary domain as specified in domains.txt. This does not need to
234 # match with the domains in the CSR, it's basically just the directory name.
236 # Certificate output directory for this particular certificate. Can be used
237 # for storing additional files.
239 # All domain names for the current certificate as specified in domains.txt.
240 # Again, this doesn't need to match with the CSR, it's just there for convenience.
242 # Simple example: Look for pre-generated CSRs
243 # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
244 # cat "${CERTDIR}/pre-generated.csr"
249 # This hook is called before the cron command to do some initial tasks
250 # (e.g. starting a webserver).
256 # This hook is called at the end of the cron command and can be used to
257 # do some final (cleanup or other) tasks.
265 deploy_challenge|clean_challenge|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)
269 echo " + Hook: $HANDLER: Nothing to do..."