mirror of
https://github.com/krislamo/puppet-acme_vault
synced 2024-11-09 20:30:36 +00:00
update acme_vault repo - Aug-8-2019
This commit is contained in:
drew
parent
2c7ac6c72f
commit
012f5295fe
@ -3,6 +3,10 @@
|
|||||||
# this script compares the existing cert against the new cert in vault, and
|
# this script compares the existing cert against the new cert in vault, and
|
||||||
# replaces existing cert only if it is newer and valid.
|
# replaces existing cert only if it is newer and valid.
|
||||||
|
|
||||||
|
# TODO serious refactoring to apply DRY
|
||||||
|
# TODO help / argument checking
|
||||||
|
# TODO need a force flag - also something that checks if all things match
|
||||||
|
|
||||||
# function defs
|
# function defs
|
||||||
get_fingerprint() {
|
get_fingerprint() {
|
||||||
openssl x509 -noout -fingerprint -in <(echo "$1") | awk -F= '{print $2}'
|
openssl x509 -noout -fingerprint -in <(echo "$1") | awk -F= '{print $2}'
|
||||||
@ -15,13 +19,18 @@ get_enddate() {
|
|||||||
deploy_cert() {
|
deploy_cert() {
|
||||||
NEWCERT=$1
|
NEWCERT=$1
|
||||||
NEWKEY=$2
|
NEWKEY=$2
|
||||||
EXISTING_CERT_PATH=$3
|
NEWCHAIN=$3
|
||||||
EXISTING_KEY_PATH=$4
|
NEWFULLCHAIN=$4
|
||||||
|
EXISTING_CERT_PATH=$5
|
||||||
|
EXISTING_KEY_PATH=$6
|
||||||
|
EXISTING_CHAIN_PATH=$7
|
||||||
|
EXISTING_FULLCHAIN_PATH=$8
|
||||||
|
|
||||||
echo "deploying cert to $EXISTING_CERT_PATH"
|
echo "deploying cert to $EXISTING_CERT_PATH"
|
||||||
#mkdir $EXISTING_CERT_DIR || true #TODO MOVE
|
|
||||||
echo "$NEWCERT" > $EXISTING_CERT_PATH
|
echo "$NEWCERT" > $EXISTING_CERT_PATH
|
||||||
echo "$NEWKEY" > $EXISTING_KEY_PATH
|
echo "$NEWKEY" > $EXISTING_KEY_PATH
|
||||||
|
echo "$NEWCHAIN" > $EXISTING_CHAIN_PATH
|
||||||
|
echo "$NEWFULLCHAIN" > $EXISTING_FULLCHAIN_PATH
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -31,6 +40,8 @@ CERT_PREFIX=$2
|
|||||||
EXISTING_CERT_DIR="${CERT_PREFIX}/${DOMAIN}"
|
EXISTING_CERT_DIR="${CERT_PREFIX}/${DOMAIN}"
|
||||||
EXISTING_CERT_PATH="${EXISTING_CERT_DIR}/cert.pem"
|
EXISTING_CERT_PATH="${EXISTING_CERT_DIR}/cert.pem"
|
||||||
EXISTING_KEY_PATH="${EXISTING_CERT_DIR}/cert.key"
|
EXISTING_KEY_PATH="${EXISTING_CERT_DIR}/cert.key"
|
||||||
|
EXISTING_CHAIN_PATH="${EXISTING_CERT_DIR}/chain.pem"
|
||||||
|
EXISTING_FULLCHAIN_PATH="${EXISTING_CERT_DIR}/fullchain.pem"
|
||||||
|
|
||||||
# variables
|
# variables
|
||||||
ONE_WEEK=604800
|
ONE_WEEK=604800
|
||||||
@ -39,10 +50,14 @@ TODAY=$(date --iso-8601)
|
|||||||
|
|
||||||
NEWCERT_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.pem"
|
NEWCERT_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.pem"
|
||||||
NEWKEY_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.key"
|
NEWKEY_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.key"
|
||||||
|
NEWCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/chain.pem"
|
||||||
|
NEWFULLCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/fullchain.pem"
|
||||||
|
|
||||||
# Get new cert info
|
# Get new cert info
|
||||||
NEWCERT=$(vault read -field=value $NEWCERT_VAULT_PATH) || exit -1
|
NEWCERT=$(vault read -field=value $NEWCERT_VAULT_PATH) || exit -1
|
||||||
NEWKEY=$(vault read -field=value $NEWKEY_VAULT_PATH) || exit -1
|
NEWKEY=$(vault read -field=value $NEWKEY_VAULT_PATH) || exit -1
|
||||||
|
NEWCHAIN=$(vault read -field=value $NEWCHAIN_VAULT_PATH) || exit -1
|
||||||
|
NEWFULLCHAIN=$(vault read -field=value $NEWFULLCHAIN_VAULT_PATH) || exit -1
|
||||||
NEWCERT_FINGERPRINT=$(get_fingerprint "$NEWCERT")
|
NEWCERT_FINGERPRINT=$(get_fingerprint "$NEWCERT")
|
||||||
NEWCERT_ENDDATE=$(get_enddate "$NEWCERT")
|
NEWCERT_ENDDATE=$(get_enddate "$NEWCERT")
|
||||||
|
|
||||||
@ -70,7 +85,7 @@ else
|
|||||||
then
|
then
|
||||||
mkdir -p $EXISTING_CERT_DIR
|
mkdir -p $EXISTING_CERT_DIR
|
||||||
fi
|
fi
|
||||||
deploy_cert "$NEWCERT" "$NEWKEY" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH"
|
deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -101,7 +116,7 @@ fi
|
|||||||
|
|
||||||
# if we made it this far, the cert looks good, replace it
|
# if we made it this far, the cert looks good, replace it
|
||||||
|
|
||||||
deploy_cert "$NEWCERT" "$NEWKEY" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH"
|
deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -7,6 +7,7 @@ class acme_vault::common (
|
|||||||
$home_dir = $::acme_vault::params::home_dir,
|
$home_dir = $::acme_vault::params::home_dir,
|
||||||
$contact_email = $::acme_vault::params::contact_email,
|
$contact_email = $::acme_vault::params::contact_email,
|
||||||
$domains = $::acme_vault::params::domains,
|
$domains = $::acme_vault::params::domains,
|
||||||
|
$overrides = $::acme_vault::params::overrides,
|
||||||
|
|
||||||
$vault_token = $::acme_vault::params::vault_token,
|
$vault_token = $::acme_vault::params::vault_token,
|
||||||
$vault_addr = $::acme_vault::params::vault_addr,
|
$vault_addr = $::acme_vault::params::vault_addr,
|
||||||
|
|||||||
@ -6,6 +6,9 @@ class acme_vault::params {
|
|||||||
$home_dir = '/home/acme_vault'
|
$home_dir = '/home/acme_vault'
|
||||||
$contact_email = ''
|
$contact_email = ''
|
||||||
$domains = undef
|
$domains = undef
|
||||||
|
# overrides is a list of challenge-alias overrides. It defaults to the domain itself.
|
||||||
|
# see https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
|
||||||
|
$overrides = {}
|
||||||
|
|
||||||
# authentication
|
# authentication
|
||||||
$vault_token = undef
|
$vault_token = undef
|
||||||
|
|||||||
@ -7,6 +7,7 @@ class acme_vault::request (
|
|||||||
$home_dir = $::acme_vault::common::home_dir,
|
$home_dir = $::acme_vault::common::home_dir,
|
||||||
$contact_email = $::acme_vault::common::contact_email,
|
$contact_email = $::acme_vault::common::contact_email,
|
||||||
$domains = $::acme_vault::common::domains,
|
$domains = $::acme_vault::common::domains,
|
||||||
|
$overrides = $::acme_vault::common::overrides,
|
||||||
|
|
||||||
$staging = $::acme_vault::params::staging,
|
$staging = $::acme_vault::params::staging,
|
||||||
$staging_url = $::acme_vault::params::staging_url,
|
$staging_url = $::acme_vault::params::staging_url,
|
||||||
@ -87,6 +88,7 @@ END
|
|||||||
staging => $staging,
|
staging => $staging,
|
||||||
staging_url => $staging_url,
|
staging_url => $staging_url,
|
||||||
prod_url => $prod_url,
|
prod_url => $prod_url,
|
||||||
|
overrides => $overrides,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,13 +7,32 @@
|
|||||||
--staging \
|
--staging \
|
||||||
--server <%= $staging_url %> \
|
--server <%= $staging_url %> \
|
||||||
<% } else { -%>
|
<% } else { -%>
|
||||||
--server <%= $prod_url %>
|
--server <%= $prod_url %> \
|
||||||
<% } -%>
|
<% } -%>
|
||||||
--dns dns_lexicon \
|
--dns dns_lexicon \
|
||||||
--dnssleep 600 \
|
--dnssleep 1800 \
|
||||||
--domain "<%= $domain %>" \
|
--domain "<%= $domain %>" --challenge-alias <%= "$domain" %> \
|
||||||
<% $domains.each |$d| { -%>
|
<% $domains.each |$d| {
|
||||||
--domain "<%= $d %>" \
|
# this uses the challenge-alias override if specified, otherwise
|
||||||
|
# uses the sld.tld of the given domain
|
||||||
|
if $overrides[$d] {
|
||||||
|
$ca = $overrides[$d]
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
# we need to calculate the challenge-alias
|
||||||
|
$ds = split($d, '[.]')
|
||||||
|
|
||||||
|
# we don't want to count the wildcard, so strip it off
|
||||||
|
if $ds[0] == "*" {
|
||||||
|
$clean = $ds[1, -1]
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$clean = $ds[0, -1]
|
||||||
|
}
|
||||||
|
$ca = join($clean, ".")
|
||||||
|
}
|
||||||
|
-%>
|
||||||
|
--domain "<%= $d %>" --challenge-alias <%= "${ca}" %> \
|
||||||
<% } -%>
|
<% } -%>
|
||||||
> /dev/null && \
|
> /dev/null && \
|
||||||
<%= $acme_script %> \
|
<%= $acme_script %> \
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user