update acme_vault repo - Aug-8-2019
This commit is contained in:
parent
2c7ac6c72f
commit
012f5295fe
@ -3,6 +3,10 @@
|
||||
# this script compares the existing cert against the new cert in vault, and
|
||||
# replaces existing cert only if it is newer and valid.
|
||||
|
||||
# TODO serious refactoring to apply DRY
|
||||
# TODO help / argument checking
|
||||
# TODO need a force flag - also something that checks if all things match
|
||||
|
||||
# function defs
|
||||
get_fingerprint() {
|
||||
openssl x509 -noout -fingerprint -in <(echo "$1") | awk -F= '{print $2}'
|
||||
@ -15,13 +19,18 @@ get_enddate() {
|
||||
deploy_cert() {
|
||||
NEWCERT=$1
|
||||
NEWKEY=$2
|
||||
EXISTING_CERT_PATH=$3
|
||||
EXISTING_KEY_PATH=$4
|
||||
NEWCHAIN=$3
|
||||
NEWFULLCHAIN=$4
|
||||
EXISTING_CERT_PATH=$5
|
||||
EXISTING_KEY_PATH=$6
|
||||
EXISTING_CHAIN_PATH=$7
|
||||
EXISTING_FULLCHAIN_PATH=$8
|
||||
|
||||
echo "deploying cert to $EXISTING_CERT_PATH"
|
||||
#mkdir $EXISTING_CERT_DIR || true #TODO MOVE
|
||||
echo "$NEWCERT" > $EXISTING_CERT_PATH
|
||||
echo "$NEWKEY" > $EXISTING_KEY_PATH
|
||||
echo "$NEWCHAIN" > $EXISTING_CHAIN_PATH
|
||||
echo "$NEWFULLCHAIN" > $EXISTING_FULLCHAIN_PATH
|
||||
|
||||
}
|
||||
|
||||
@ -31,6 +40,8 @@ CERT_PREFIX=$2
|
||||
EXISTING_CERT_DIR="${CERT_PREFIX}/${DOMAIN}"
|
||||
EXISTING_CERT_PATH="${EXISTING_CERT_DIR}/cert.pem"
|
||||
EXISTING_KEY_PATH="${EXISTING_CERT_DIR}/cert.key"
|
||||
EXISTING_CHAIN_PATH="${EXISTING_CERT_DIR}/chain.pem"
|
||||
EXISTING_FULLCHAIN_PATH="${EXISTING_CERT_DIR}/fullchain.pem"
|
||||
|
||||
# variables
|
||||
ONE_WEEK=604800
|
||||
@ -39,10 +50,14 @@ TODAY=$(date --iso-8601)
|
||||
|
||||
NEWCERT_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.pem"
|
||||
NEWKEY_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.key"
|
||||
NEWCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/chain.pem"
|
||||
NEWFULLCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/fullchain.pem"
|
||||
|
||||
# Get new cert info
|
||||
NEWCERT=$(vault read -field=value $NEWCERT_VAULT_PATH) || exit -1
|
||||
NEWKEY=$(vault read -field=value $NEWKEY_VAULT_PATH) || exit -1
|
||||
NEWCHAIN=$(vault read -field=value $NEWCHAIN_VAULT_PATH) || exit -1
|
||||
NEWFULLCHAIN=$(vault read -field=value $NEWFULLCHAIN_VAULT_PATH) || exit -1
|
||||
NEWCERT_FINGERPRINT=$(get_fingerprint "$NEWCERT")
|
||||
NEWCERT_ENDDATE=$(get_enddate "$NEWCERT")
|
||||
|
||||
@ -70,7 +85,7 @@ else
|
||||
then
|
||||
mkdir -p $EXISTING_CERT_DIR
|
||||
fi
|
||||
deploy_cert "$NEWCERT" "$NEWKEY" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH"
|
||||
deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
@ -101,7 +116,7 @@ fi
|
||||
|
||||
# if we made it this far, the cert looks good, replace it
|
||||
|
||||
deploy_cert "$NEWCERT" "$NEWKEY" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH"
|
||||
deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"
|
||||
|
||||
|
||||
|
||||
|
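Review bot: In `deploy_cert` (hunk `@ -15,13 +19,18`) the private key is written with `echo "$NEWKEY" > $EXISTING_KEY_PATH`, so cert.key is created with whatever umask the caller has and nothing visible in this section tightens its mode; under a typical 022 umask the key ends up world-readable. I would write it under a restrictive umask, e.g. `(umask 077; echo "$NEWKEY" > "$EXISTING_KEY_PATH")`, and quote the other three redirection targets as well, since `EXISTING_CERT_DIR` is built from `$DOMAIN` and `$CERT_PREFIX` (hunk `@ -31,6 +40,8`) and is also passed unquoted to `mkdir -p`. The four files are written one after another with no check that each redirection succeeded, so an interrupted or partially failed run can leave a new cert.pem next to an old cert.key; writing each file to a temp file in the same directory and `mv`-ing it into place would keep the pair consistent. The freshness/validity checks that gate the two `deploy_cert` call sites lie between the hunks and are not visible here.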
@ -7,6 +7,7 @@ class acme_vault::common (
|
||||
$home_dir = $::acme_vault::params::home_dir,
|
||||
$contact_email = $::acme_vault::params::contact_email,
|
||||
$domains = $::acme_vault::params::domains,
|
||||
$overrides = $::acme_vault::params::overrides,
|
||||
|
||||
$vault_token = $::acme_vault::params::vault_token,
|
||||
$vault_addr = $::acme_vault::params::vault_addr,
|
||||
|
@ -6,6 +6,9 @@ class acme_vault::params {
|
||||
$home_dir = '/home/acme_vault'
|
||||
$contact_email = ''
|
||||
$domains = undef
|
||||
# overrides is a list of challenge-alias overrides. It defaults to the domain itself.
|
||||
# see https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
|
||||
$overrides = {}
|
||||
|
||||
# authentication
|
||||
$vault_token = undef
|
||||
|
@ -7,6 +7,7 @@ class acme_vault::request (
|
||||
$home_dir = $::acme_vault::common::home_dir,
|
||||
$contact_email = $::acme_vault::common::contact_email,
|
||||
$domains = $::acme_vault::common::domains,
|
||||
$overrides = $::acme_vault::common::overrides,
|
||||
|
||||
$staging = $::acme_vault::params::staging,
|
||||
$staging_url = $::acme_vault::params::staging_url,
|
||||
@ -87,6 +88,7 @@ END
|
||||
staging => $staging,
|
||||
staging_url => $staging_url,
|
||||
prod_url => $prod_url,
|
||||
overrides => $overrides,
|
||||
}
|
||||
)
|
||||
}
|
||||
|
@ -7,13 +7,32 @@
|
||||
--staging \
|
||||
--server <%= $staging_url %> \
|
||||
<% } else { -%>
|
||||
--server <%= $prod_url %>
|
||||
--server <%= $prod_url %> \
|
||||
<% } -%>
|
||||
--dns dns_lexicon \
|
||||
--dnssleep 600 \
|
||||
--domain "<%= $domain %>" \
|
||||
<% $domains.each |$d| { -%>
|
||||
--domain "<%= $d %>" \
|
||||
--dnssleep 1800 \
|
||||
--domain "<%= $domain %>" --challenge-alias <%= "$domain" %> \
|
||||
<% $domains.each |$d| {
|
||||
# this uses the challenge-alias override if specified, otherwise
|
||||
# uses the sld.tld of the given domain
|
||||
if $overrides[$d] {
|
||||
$ca = $overrides[$d]
|
||||
}
|
||||
else {
|
||||
# we need to calculate the challenge-alias
|
||||
$ds = split($d, '[.]')
|
||||
|
||||
# we don't want to count the wildcard, so strip it off
|
||||
if $ds[0] == "*" {
|
||||
$clean = $ds[1, -1]
|
||||
}
|
||||
else {
|
||||
$clean = $ds[0, -1]
|
||||
}
|
||||
$ca = join($clean, ".")
|
||||
}
|
||||
-%>
|
||||
--domain "<%= $d %>" --challenge-alias <%= "${ca}" %> \
|
||||
<% } -%>
|
||||
> /dev/null && \
|
||||
<%= $acme_script %> \
|
||||
|
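Review bot: The comment added at `# uses the sld.tld of the given domain` does not match the code beneath it: `$ds[0, -1]` is the whole label array, so for a non-wildcard name `$ca` is just `$d` again, and only a leading `*.` is ever stripped (`*.foo.example.com` becomes `foo.example.com`, not `example.com`). Either reword it to `# otherwise uses the domain itself, minus a leading wildcard label` or compute the registrable part if that was the intent. Separately, `--challenge-alias <%= "${ca}" %>` is emitted unquoted while `--domain "<%= $d %>"` is quoted; `$overrides` values come straight from Puppet data into the rendered shell script, so emitting `--challenge-alias "<%= $ca %>"` keeps a stray space or shell metacharacter in Hiera from altering the acme.sh command line. The invocation this template renders starts before `--staging \` and continues past `<%= $acme_script %> \`, outside the hunk.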