diff options
Diffstat (limited to 'macir.rb')
-rw-r--r-- | macir.rb | 65 |
1 files changed, 30 insertions, 35 deletions
@@ -1,7 +1,5 @@ #!/usr/bin/ruby -# require 'net/http' -# require 'json' require 'yaml' require 'openssl' require 'acme-client' @@ -40,12 +38,34 @@ def read_account_key( path = 'pkey.pem' ) return private_key end -def deploy_dns01_challenge_token( domain, token, nameserver, config ) +def read_cert_key( domain ) + folder = "./certs/#{domain}/" + path = folder + "current.key" + p "Reading cert key from #{path}" + if File.readable?( path ) + p "File #{path} is readable, trying to parse" + privatekey_string = File.read( path ) + private_key = OpenSSL::PKey::EC.new( privatekey_string ) + else + if File.exists?( path ) + raise( "The file #{path} exists but is not readable. Make it readable or specify different path" ) + else + p "File #{path} does not exist, trying to create" + private_key = OpenSSL::PKey::EC.generate( "prime256v1" ) + pkey_file = File.new( folder + Time.now.to_i.to_s + ".key", 'w' ) + pkey_file.write( private_key.private_to_pem ) + File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" ) + end + end + return private_key +end + +def deploy_dns01_challenge_token( domain, challenge, nameserver, config ) p "Creating DNS UPDATE packet" update = Dnsruby::Update.new( domain ) # TODO: delete challenge token record after validation - update.delete( "_acme-challenge." + domain , 'TXT' ) - update.add( "_acme-challenge." + domain, 'TXT', 10, token ) + update.delete( challenge.record_name + "." + domain, challenge.record_type ) + update.add( challenge.record_name + "." + domain, challenge.record_type, 10, challenge.record_content ) p "Creating object for contacting nameserver" res = Dnsruby::Resolver.new( nameserver ) @@ -55,6 +75,7 @@ def deploy_dns01_challenge_token( domain, token, nameserver, config ) tsig_name = config['domains'][domain]['tsig_key'] tsig_key = config['tsig_keys'][tsig_name]['key'] tsig_alg = config['tsig_keys'][tsig_name]['algorithm'] + p "Creating TSIG object" tsig = Dnsruby::RR.create({ :name => tsig_name, @@ -88,15 +109,10 @@ def wait_for_challenge_propagation( domain, challenge ) result = res.query_no_validation_or_recursion( "_acme-challenge." + domain, "TXT" ) p result propagated = result.answer.any? do |answer| - p "Checking response" - p answer - p answer.rdata[0] - p "against challenge string" - p challenge.record_content answer.rdata[0] == challenge.record_content end unless propagated - p "Sleeping before checking again" + p "Not yet propagated, sleeping before checking again" sleep(1) end end until propagated @@ -115,28 +131,8 @@ def wait_for_challenge_validation( challenge ) end end -def get_cert_key( domain ) - path = "./domains/#{domain}/" - key_file = path + "current.key" - p "Reading cert key from #{key_file}" - if File.readable?( key_file ) - p "Cert key is readable, trying to read" - pkey_file = File.new( key_file ) - privatekey_string = pkey_file.read - domain_key = OpenSSL::PKey::EC.new( privatekey_string ) - else - p "Cert key is not readable, trying to create one" - pkey_file = File.new( path + Time.now.to_i.to_s + ".key", 'w' ) - domain_key = OpenSSL::PKey::EC.generate( "prime256v1" ) - pkey_pem = domain_key.private_to_pem - pkey_file.write( pkey_pem ) - File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" ) - end - return domain_key -end - def get_cert( order, domains, domain_key ) - path = "./domains/#{domains[0]}/" + path = "./certs/#{domains[0]}/" crt_file = path + "cert.pem" p "Creating CSR object" csr = Acme::Client::CertificateRequest.new(private_key: domain_key, names: domains, subject: { common_name: "#{domains[0]}" }) @@ -191,9 +187,8 @@ config['certs'].each_pair do |cert_name, cert_opts| order.authorizations.each do |auth| p "Processing authorization for #{auth.domain}" p "Finding challenge type for #{auth.domain}" - p config['domains'][auth.domain]['challenge'] challenge = auth.dns01 - deploy_dns01_challenge_token( auth.domain, challenge.record_content, config['domains'][auth.domain]['primary_ns'], config ) + deploy_dns01_challenge_token( auth.domain, challenge, config['domains'][auth.domain]['primary_ns'], config ) wait_for_challenge_propagation( auth.domain, challenge ) wait_for_challenge_validation( challenge ) end @@ -203,7 +198,7 @@ config['certs'].each_pair do |cert_name, cert_opts| else p "Order is ready, we don’t need to authorize" end - domain_key = get_cert_key( cert_opts['domain_names'][0] ) + domain_key = read_cert_key( cert_opts['domain_names'][0] ) get_cert( order, cert_opts['domain_names'], domain_key ) end |