diff options
author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2024-02-01 16:02:58 +0100 |
---|---|---|
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2024-02-01 16:02:58 +0100 |
commit | 14b4edf199e865cc50f03544be3c11925d50460d (patch) | |
tree | 50ae8044c3b5323bd160cac4029676ced5363094 | |
parent | 07495d9f32df050861343f62c5d89365dca762de (diff) |
tidy
-rw-r--r-- | macir.rb | 80 |
1 files changed, 42 insertions, 38 deletions
@@ -16,6 +16,7 @@ def read_config( path = 'config.yaml' ) raise rescue Errno::ENOENT $stderr.puts "IO failed: " + $!.to_s + raise end return config end @@ -40,7 +41,7 @@ end def read_cert_key( domain ) folder = "./certs/#{domain}/" - path = folder + "current.key" + path = "#{folder}/current.key" p "Reading cert key from #{path}" if File.readable?( path ) p "File #{path} is readable, trying to parse" @@ -61,43 +62,45 @@ def read_cert_key( domain ) end def deploy_dns01_challenge_token( domain, challenge, nameserver, config ) - p "Creating DNS UPDATE packet" + p 'Creating DNS UPDATE packet' update = Dnsruby::Update.new( domain ) # TODO: delete challenge token record after validation update.delete( challenge.record_name + "." + domain, challenge.record_type ) update.add( challenge.record_name + "." + domain, challenge.record_type, 10, challenge.record_content ) - p "Creating object for contacting nameserver" + p 'Creating object for contacting nameserver' res = Dnsruby::Resolver.new( nameserver ) res.dnssec = false - p "Looking up TSIG parameters" + p 'Looking up TSIG parameters' tsig_name = config['domains'][domain]['tsig_key'] tsig_key = config['tsig_keys'][tsig_name]['key'] tsig_alg = config['tsig_keys'][tsig_name]['algorithm'] - p "Creating TSIG object" - tsig = Dnsruby::RR.create({ - :name => tsig_name, - :type => 'TSIG', - :key => tsig_key, - :algorithm => tsig_alg, - }) - - p "Signing DNS UPDATE packet with TSIG object" + p 'Creating TSIG object' + tsig = Dnsruby::RR.create( + { + name: tsig_name, + type: 'TSIG', + key: tsig_key, + algorithm: tsig_alg, + } + ) + + p 'Signing DNS UPDATE packet with TSIG object' tsig.apply(update) - p "Sending UPDATE to nameserver" + p 'Sending UPDATE to nameserver' response = res.send_message(update) end def wait_for_challenge_propagation( domain, challenge ) - p "Creating recursor object for checking challenge propagation" + p 'Creating recursor object for checking challenge propagation' rec = Dnsruby::Recursor.new p "Getting NS records for #{domain}" domain_auth_ns = rec.query_no_validation_or_recursion( domain, "NS" ) - p "Checking challenge status on all NS" + p 'Checking challenge status on all NS' domain_auth_ns.answer.each do |ns| nameserver = ns.rdata.to_s p "Creating resolver object for checking propagation on #{nameserver}" @@ -105,14 +108,14 @@ def wait_for_challenge_propagation( domain, challenge ) res.dnssec = false res.do_caching = false begin - p "Querying ACME challenge record" + p 'Querying ACME challenge record' result = res.query_no_validation_or_recursion( "_acme-challenge." + domain, "TXT" ) p result propagated = result.answer.any? do |answer| answer.rdata[0] == challenge.record_content end unless propagated - p "Not yet propagated, sleeping before checking again" + p 'Not yet propagated, sleeping before checking again' sleep(1) end end until propagated @@ -120,40 +123,44 @@ def wait_for_challenge_propagation( domain, challenge ) end def wait_for_challenge_validation( challenge ) - p "Requesting validation of challenge" + p 'Requesting validation of challenge' challenge.request_validation while challenge.status == 'pending' - p "Sleeping because challenge validation is pending" + p 'Sleeping because challenge validation is pending' sleep(1) - p "Checking again" + p 'Checking again' challenge.reload end end def get_cert( order, domains, domain_key ) path = "./certs/#{domains[0]}/" - crt_file = path + "cert.pem" - p "Creating CSR object" - csr = Acme::Client::CertificateRequest.new(private_key: domain_key, names: domains, subject: { common_name: "#{domains[0]}" }) - p "Finalize cert order" + crt_file = "#{path}/cert.pem" + p 'Creating CSR object' + csr = Acme::Client::CertificateRequest.new( + private_key: domain_key, + names: domains, + subject: { common_name: "#{domains[0]}" } + ) + p 'Finalize cert order' order.finalize(csr: csr) while order.status == 'processing' - p "Sleep while order is processing" + p 'Sleep while order is processing' sleep(1) - p "Rechecking order status" + p 'Rechecking order status' order.reload end cert = order.certificate - p "Writing cert" + p 'Writing cert' cert_file = File.new( path + Time.now.to_i.to_s + ".crt", 'w' ) cert_file.write( cert ) - if File.symlink?( File.dirname( cert_file ) + "/current.crt" ) then + if File.symlink?( File.dirname( cert_file ) + "/current.crt" ) File.unlink( File.dirname( cert_file ) + "/current.crt" ) File.symlink( File.basename( cert_file ), File.dirname( cert_file ) + "/current.crt" ) else - raise Exception + raise StandardError end return cert end @@ -173,17 +180,17 @@ config['certs'].each_pair do |cert_name, cert_opts| private_key = read_account_key( account['keyfile'] ) - p "Creating client object for communication with CA" + p 'Creating client object for communication with CA' client = Acme::Client.new( private_key: private_key, directory: acme_directory_url ) client.new_account(contact: "mailto:#{email}", terms_of_service_agreed: true) p "Creating order object for cert #{cert_name}" order = client.new_order(identifiers: cert_opts['domain_names'] ) - if order.status != "ready" then - p "Order is not ready, we need to authorize first" + if order.status != 'ready' + p 'Order is not ready, we need to authorize first' - p "Iterating over required authorizations" + p 'Iterating over required authorizations' order.authorizations.each do |auth| p "Processing authorization for #{auth.domain}" p "Finding challenge type for #{auth.domain}" @@ -192,11 +199,8 @@ config['certs'].each_pair do |cert_name, cert_opts| wait_for_challenge_propagation( auth.domain, challenge ) wait_for_challenge_validation( challenge ) end - - # deploy_dns01_challenge_token( cert_opts['domain_names'][0], challenge.record_content, cert_opts['challenge']['primary_ns'], config ) - else - p "Order is ready, we don’t need to authorize" + p 'Order is ready, we don’t need to authorize' end domain_key = read_cert_key( cert_opts['domain_names'][0] ) |