summaryrefslogtreecommitdiff
path: root/macir.rb
diff options
context:
space:
mode:
authorHendrik Jäger <gitcommit@henk.geekmail.org>2024-02-01 15:43:17 +0100
committerHendrik Jäger <gitcommit@henk.geekmail.org>2024-02-01 15:43:17 +0100
commit07495d9f32df050861343f62c5d89365dca762de (patch)
tree62c20398db8b31de67373bad22e0e429082c1da6 /macir.rb
parent096b365dec694df1a77114c38f39f072fd121774 (diff)
tidying
Diffstat (limited to 'macir.rb')
-rw-r--r--macir.rb65
1 files changed, 30 insertions, 35 deletions
diff --git a/macir.rb b/macir.rb
index 83f1917..fb79323 100644
--- a/macir.rb
+++ b/macir.rb
@@ -1,7 +1,5 @@
#!/usr/bin/ruby
-# require 'net/http'
-# require 'json'
require 'yaml'
require 'openssl'
require 'acme-client'
@@ -40,12 +38,34 @@ def read_account_key( path = 'pkey.pem' )
return private_key
end
-def deploy_dns01_challenge_token( domain, token, nameserver, config )
+def read_cert_key( domain )
+ folder = "./certs/#{domain}/"
+ path = folder + "current.key"
+ p "Reading cert key from #{path}"
+ if File.readable?( path )
+ p "File #{path} is readable, trying to parse"
+ privatekey_string = File.read( path )
+ private_key = OpenSSL::PKey::EC.new( privatekey_string )
+ else
+ if File.exists?( path )
+ raise( "The file #{path} exists but is not readable. Make it readable or specify different path" )
+ else
+ p "File #{path} does not exist, trying to create"
+ private_key = OpenSSL::PKey::EC.generate( "prime256v1" )
+ pkey_file = File.new( folder + Time.now.to_i.to_s + ".key", 'w' )
+ pkey_file.write( private_key.private_to_pem )
+ File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" )
+ end
+ end
+ return private_key
+end
+
+def deploy_dns01_challenge_token( domain, challenge, nameserver, config )
p "Creating DNS UPDATE packet"
update = Dnsruby::Update.new( domain )
# TODO: delete challenge token record after validation
- update.delete( "_acme-challenge." + domain , 'TXT' )
- update.add( "_acme-challenge." + domain, 'TXT', 10, token )
+ update.delete( challenge.record_name + "." + domain, challenge.record_type )
+ update.add( challenge.record_name + "." + domain, challenge.record_type, 10, challenge.record_content )
p "Creating object for contacting nameserver"
res = Dnsruby::Resolver.new( nameserver )
@@ -55,6 +75,7 @@ def deploy_dns01_challenge_token( domain, token, nameserver, config )
tsig_name = config['domains'][domain]['tsig_key']
tsig_key = config['tsig_keys'][tsig_name]['key']
tsig_alg = config['tsig_keys'][tsig_name]['algorithm']
+
p "Creating TSIG object"
tsig = Dnsruby::RR.create({
:name => tsig_name,
@@ -88,15 +109,10 @@ def wait_for_challenge_propagation( domain, challenge )
result = res.query_no_validation_or_recursion( "_acme-challenge." + domain, "TXT" )
p result
propagated = result.answer.any? do |answer|
- p "Checking response"
- p answer
- p answer.rdata[0]
- p "against challenge string"
- p challenge.record_content
answer.rdata[0] == challenge.record_content
end
unless propagated
- p "Sleeping before checking again"
+ p "Not yet propagated, sleeping before checking again"
sleep(1)
end
end until propagated
@@ -115,28 +131,8 @@ def wait_for_challenge_validation( challenge )
end
end
-def get_cert_key( domain )
- path = "./domains/#{domain}/"
- key_file = path + "current.key"
- p "Reading cert key from #{key_file}"
- if File.readable?( key_file )
- p "Cert key is readable, trying to read"
- pkey_file = File.new( key_file )
- privatekey_string = pkey_file.read
- domain_key = OpenSSL::PKey::EC.new( privatekey_string )
- else
- p "Cert key is not readable, trying to create one"
- pkey_file = File.new( path + Time.now.to_i.to_s + ".key", 'w' )
- domain_key = OpenSSL::PKey::EC.generate( "prime256v1" )
- pkey_pem = domain_key.private_to_pem
- pkey_file.write( pkey_pem )
- File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" )
- end
- return domain_key
-end
-
def get_cert( order, domains, domain_key )
- path = "./domains/#{domains[0]}/"
+ path = "./certs/#{domains[0]}/"
crt_file = path + "cert.pem"
p "Creating CSR object"
csr = Acme::Client::CertificateRequest.new(private_key: domain_key, names: domains, subject: { common_name: "#{domains[0]}" })
@@ -191,9 +187,8 @@ config['certs'].each_pair do |cert_name, cert_opts|
order.authorizations.each do |auth|
p "Processing authorization for #{auth.domain}"
p "Finding challenge type for #{auth.domain}"
- p config['domains'][auth.domain]['challenge']
challenge = auth.dns01
- deploy_dns01_challenge_token( auth.domain, challenge.record_content, config['domains'][auth.domain]['primary_ns'], config )
+ deploy_dns01_challenge_token( auth.domain, challenge, config['domains'][auth.domain]['primary_ns'], config )
wait_for_challenge_propagation( auth.domain, challenge )
wait_for_challenge_validation( challenge )
end
@@ -203,7 +198,7 @@ config['certs'].each_pair do |cert_name, cert_opts|
else
p "Order is ready, we don’t need to authorize"
end
- domain_key = get_cert_key( cert_opts['domain_names'][0] )
+ domain_key = read_cert_key( cert_opts['domain_names'][0] )
get_cert( order, cert_opts['domain_names'], domain_key )
end