summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHendrik Jäger <gitcommit@henk.geekmail.org>2024-02-01 16:02:58 +0100
committerHendrik Jäger <gitcommit@henk.geekmail.org>2024-02-01 16:02:58 +0100
commit14b4edf199e865cc50f03544be3c11925d50460d (patch)
tree50ae8044c3b5323bd160cac4029676ced5363094
parent07495d9f32df050861343f62c5d89365dca762de (diff)
tidy
-rw-r--r--macir.rb80
1 files changed, 42 insertions, 38 deletions
diff --git a/macir.rb b/macir.rb
index fb79323..57ec69e 100644
--- a/macir.rb
+++ b/macir.rb
@@ -16,6 +16,7 @@ def read_config( path = 'config.yaml' )
raise
rescue Errno::ENOENT
$stderr.puts "IO failed: " + $!.to_s
+ raise
end
return config
end
@@ -40,7 +41,7 @@ end
def read_cert_key( domain )
folder = "./certs/#{domain}/"
- path = folder + "current.key"
+ path = "#{folder}/current.key"
p "Reading cert key from #{path}"
if File.readable?( path )
p "File #{path} is readable, trying to parse"
@@ -61,43 +62,45 @@ def read_cert_key( domain )
end
def deploy_dns01_challenge_token( domain, challenge, nameserver, config )
- p "Creating DNS UPDATE packet"
+ p 'Creating DNS UPDATE packet'
update = Dnsruby::Update.new( domain )
# TODO: delete challenge token record after validation
update.delete( challenge.record_name + "." + domain, challenge.record_type )
update.add( challenge.record_name + "." + domain, challenge.record_type, 10, challenge.record_content )
- p "Creating object for contacting nameserver"
+ p 'Creating object for contacting nameserver'
res = Dnsruby::Resolver.new( nameserver )
res.dnssec = false
- p "Looking up TSIG parameters"
+ p 'Looking up TSIG parameters'
tsig_name = config['domains'][domain]['tsig_key']
tsig_key = config['tsig_keys'][tsig_name]['key']
tsig_alg = config['tsig_keys'][tsig_name]['algorithm']
- p "Creating TSIG object"
- tsig = Dnsruby::RR.create({
- :name => tsig_name,
- :type => 'TSIG',
- :key => tsig_key,
- :algorithm => tsig_alg,
- })
-
- p "Signing DNS UPDATE packet with TSIG object"
+ p 'Creating TSIG object'
+ tsig = Dnsruby::RR.create(
+ {
+ name: tsig_name,
+ type: 'TSIG',
+ key: tsig_key,
+ algorithm: tsig_alg,
+ }
+ )
+
+ p 'Signing DNS UPDATE packet with TSIG object'
tsig.apply(update)
- p "Sending UPDATE to nameserver"
+ p 'Sending UPDATE to nameserver'
response = res.send_message(update)
end
def wait_for_challenge_propagation( domain, challenge )
- p "Creating recursor object for checking challenge propagation"
+ p 'Creating recursor object for checking challenge propagation'
rec = Dnsruby::Recursor.new
p "Getting NS records for #{domain}"
domain_auth_ns = rec.query_no_validation_or_recursion( domain, "NS" )
- p "Checking challenge status on all NS"
+ p 'Checking challenge status on all NS'
domain_auth_ns.answer.each do |ns|
nameserver = ns.rdata.to_s
p "Creating resolver object for checking propagation on #{nameserver}"
@@ -105,14 +108,14 @@ def wait_for_challenge_propagation( domain, challenge )
res.dnssec = false
res.do_caching = false
begin
- p "Querying ACME challenge record"
+ p 'Querying ACME challenge record'
result = res.query_no_validation_or_recursion( "_acme-challenge." + domain, "TXT" )
p result
propagated = result.answer.any? do |answer|
answer.rdata[0] == challenge.record_content
end
unless propagated
- p "Not yet propagated, sleeping before checking again"
+ p 'Not yet propagated, sleeping before checking again'
sleep(1)
end
end until propagated
@@ -120,40 +123,44 @@ def wait_for_challenge_propagation( domain, challenge )
end
def wait_for_challenge_validation( challenge )
- p "Requesting validation of challenge"
+ p 'Requesting validation of challenge'
challenge.request_validation
while challenge.status == 'pending'
- p "Sleeping because challenge validation is pending"
+ p 'Sleeping because challenge validation is pending'
sleep(1)
- p "Checking again"
+ p 'Checking again'
challenge.reload
end
end
def get_cert( order, domains, domain_key )
path = "./certs/#{domains[0]}/"
- crt_file = path + "cert.pem"
- p "Creating CSR object"
- csr = Acme::Client::CertificateRequest.new(private_key: domain_key, names: domains, subject: { common_name: "#{domains[0]}" })
- p "Finalize cert order"
+ crt_file = "#{path}/cert.pem"
+ p 'Creating CSR object'
+ csr = Acme::Client::CertificateRequest.new(
+ private_key: domain_key,
+ names: domains,
+ subject: { common_name: "#{domains[0]}" }
+ )
+ p 'Finalize cert order'
order.finalize(csr: csr)
while order.status == 'processing'
- p "Sleep while order is processing"
+ p 'Sleep while order is processing'
sleep(1)
- p "Rechecking order status"
+ p 'Rechecking order status'
order.reload
end
cert = order.certificate
- p "Writing cert"
+ p 'Writing cert'
cert_file = File.new( path + Time.now.to_i.to_s + ".crt", 'w' )
cert_file.write( cert )
- if File.symlink?( File.dirname( cert_file ) + "/current.crt" ) then
+ if File.symlink?( File.dirname( cert_file ) + "/current.crt" )
File.unlink( File.dirname( cert_file ) + "/current.crt" )
File.symlink( File.basename( cert_file ), File.dirname( cert_file ) + "/current.crt" )
else
- raise Exception
+ raise StandardError
end
return cert
end
@@ -173,17 +180,17 @@ config['certs'].each_pair do |cert_name, cert_opts|
private_key = read_account_key( account['keyfile'] )
- p "Creating client object for communication with CA"
+ p 'Creating client object for communication with CA'
client = Acme::Client.new( private_key: private_key, directory: acme_directory_url )
client.new_account(contact: "mailto:#{email}", terms_of_service_agreed: true)
p "Creating order object for cert #{cert_name}"
order = client.new_order(identifiers: cert_opts['domain_names'] )
- if order.status != "ready" then
- p "Order is not ready, we need to authorize first"
+ if order.status != 'ready'
+ p 'Order is not ready, we need to authorize first'
- p "Iterating over required authorizations"
+ p 'Iterating over required authorizations'
order.authorizations.each do |auth|
p "Processing authorization for #{auth.domain}"
p "Finding challenge type for #{auth.domain}"
@@ -192,11 +199,8 @@ config['certs'].each_pair do |cert_name, cert_opts|
wait_for_challenge_propagation( auth.domain, challenge )
wait_for_challenge_validation( challenge )
end
-
- # deploy_dns01_challenge_token( cert_opts['domain_names'][0], challenge.record_content, cert_opts['challenge']['primary_ns'], config )
-
else
- p "Order is ready, we don’t need to authorize"
+ p 'Order is ready, we don’t need to authorize'
end
domain_key = read_cert_key( cert_opts['domain_names'][0] )