authorSergey Ponomarev <stokito@gmail.com>2024-02-28 21:59:27 +0200
committerToke Høiland-Jørgensen <toke@toke.dk>2024-03-01 17:01:40 +0100
commit7d07c75154d8d77b39db1012493a21ef02cbf5bb (patch)
tree2a2ea1b408e8b9a5561e3eea4ac82dc9b063724a
parent5ad1f0ebbeaf64c07d06da2125fd7596e5be1a4b (diff)
acme-common: use validation_method option instead of guessing
The new validation_method option can be: dns, webroot or standalone. Previously we guessed the challenge type: 1. if the DNS provider is specified then it's dns; 2. if standalone=1 then it's standalone; 3. fallback to webroot. The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in the old manner. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
-rw-r--r--net/acme-common/files/acme.config2
-rw-r--r--net/acme-common/files/acme.init22
2 files changed, 20 insertions, 4 deletions
diff --git a/net/acme-common/files/acme.config b/net/acme-common/files/acme.config
index 75fd1cf09..c67c24e78 100644
--- a/net/acme-common/files/acme.config
+++ b/net/acme-common/files/acme.config
@@ -8,6 +8,7 @@ config cert 'example_wildcard'
list domains example.org
list domains sub.example.org
list domains *.sub.example.org
+ option validation_method dns
option dns "dns_freedns"
list credentials 'FREEDNS_User="ssladmin@example.org"'
list credentials 'FREEDNS_Password="1234"'
@@ -19,3 +20,4 @@ config cert 'example'
option staging 1
list domains example.org
list domains sub.example.org
+ validation_method webroot
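Review bot: The added line `validation_method webroot` is missing the `option` keyword that the same option carries in the first hunk of this file (`option validation_method dns`). UCI config files only accept `config`, `option` and `list` statements, so as written the example section would fail to parse instead of setting the value. Change it to `option validation_method webroot`.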
diff --git a/net/acme-common/files/acme.init b/net/acme-common/files/acme.init
index d4ff51063..808d18732 100644
--- a/net/acme-common/files/acme.init
+++ b/net/acme-common/files/acme.init
@@ -56,8 +56,8 @@ load_options() {
export acme_server
config_get days "$section" days
export days
- config_get standalone "$section" standalone 0
- export standalone
+ config_get standalone "$section" standalone
+ [ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."
config_get dns_wait "$section" dns_wait
export dns_wait
config_get webroot "$section" webroot
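Review bot: The new deprecation warning for `standalone` does not tell the user what to replace it with, unlike the `webroot` warning in the next hunk, which spells out the migration. Suggest `log warn "Option \"standalone\" is deprecated, please remove it and set \"option validation_method standalone\" instead."`. The hunk also drops the `export standalone`; if anything outside load_options reads that variable from the environment (not visible here), that would need checking. load_options starts before this hunk.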
@@ -65,6 +65,20 @@ load_options() {
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
CHALLENGE_DIR=$webroot
fi
+
+ config_get validation_method "$section" validation_method
+ # if validation_method isn't set then guess it
+ if [ -z "$validation_method" ]; then
+ if [ -n "$dns" ]; then
+ validation_method="dns"
+ elif [ "$standalone" = 1 ]; then
+ validation_method="standalone"
+ else
+ validation_method="webroot"
+ fi
+ log warn "Please set \"option validation_method $validation_method\"."
+ fi
+ export validation_method
}
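Review bot: `validation_method` is exported without checking that it is one of the three documented values, so a typo such as `option validation_method webrooot` matches neither of the `validation_method` tests in get_cert (last hunk): no challenge directory is created and no firewall rule is inserted, and the problem presumably only surfaces later in the ACME run. A `case` guard after the guessing block would reject unknown values early, as sketched below. Since get_cert calls `load_options "$section"` without checking its status, that call would also need `|| return 1` for the guard to take effect. The guess warning at the end of the `if` is emitted on every run until the option is set, which looks intended.

```shell
	config_get validation_method "$section" validation_method
	# if validation_method isn't set then guess it
	if [ -z "$validation_method" ]; then
		# … unchanged: dns / standalone / webroot guess …
	fi
	case "$validation_method" in
	dns|webroot|standalone) ;;
	*)
		log warn "Unknown validation_method \"$validation_method\", expected dns, webroot or standalone."
		return 1
		;;
	esac
	export validation_method
```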
first_arg() {
@@ -78,11 +92,11 @@ get_cert() {
[ "$enabled" = 1 ] || return
load_options "$section"
- if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
+ if [ "$validation_method" = "webroot" ]; then
mkdir -p "$CHALLENGE_DIR"
fi
- if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
+ if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
return 1
fi