X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=macir.rb;h=fb793233b8f7f16661b8aa0b88d9c7005d30927d;hb=07495d9f32df050861343f62c5d89365dca762de;hp=83f1917a39b107e8f9244718ad72f2c79198b39f;hpb=096b365dec694df1a77114c38f39f072fd121774;p=user%2Fhenk%2Fcode%2Fruby%2Fmacir.git
diff --git a/macir.rb b/macir.rb
index 83f1917..fb79323 100644
--- a/macir.rb
+++ b/macir.rb
@@ -1,7 +1,5 @@
 #!/usr/bin/ruby
-# require 'net/http'
-# require 'json'
 require 'yaml'
 require 'openssl'
 require 'acme-client'
@@ -40,12 +38,34 @@ def read_account_key( path = 'pkey.pem' )
 return private_key
 end
-def deploy_dns01_challenge_token( domain, token, nameserver, config )
+def read_cert_key( domain )
+ folder = "./certs/#{domain}/"
+ path = folder + "current.key"
+ p "Reading cert key from #{path}"
+ if File.readable?( path )
+ p "File #{path} is readable, trying to parse"
+ privatekey_string = File.read( path )
+ private_key = OpenSSL::PKey::EC.new( privatekey_string )
+ else
+ if File.exists?( path )
+ raise( "The file #{path} exists but is not readable. Make it readable or specify different path" )
+ else
+ p "File #{path} does not exist, trying to create"
+ private_key = OpenSSL::PKey::EC.generate( "prime256v1" )
+ pkey_file = File.new( folder + Time.now.to_i.to_s + ".key", 'w' )
+ pkey_file.write( private_key.private_to_pem )
+ File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" )
+ end
+ end
+ return private_key
+end
+
+def deploy_dns01_challenge_token( domain, challenge, nameserver, config )
 p "Creating DNS UPDATE packet"
 update = Dnsruby::Update.new( domain )
 # TODO: delete challenge token record after validation
- update.delete( "_acme-challenge." + domain , 'TXT' )
- update.add( "_acme-challenge." + domain, 'TXT', 10, token )
+ update.delete( challenge.record_name + "." + domain, challenge.record_type )
+ update.add( challenge.record_name + "." + domain, challenge.record_type, 10, challenge.record_content )
 p "Creating object for contacting nameserver"
 res = Dnsruby::Resolver.new( nameserver )
@@ -55,6 +75,7 @@ def deploy_dns01_challenge_token( domain, token, nameserver, config )
 tsig_name = config['domains'][domain]['tsig_key']
 tsig_key = config['tsig_keys'][tsig_name]['key']
 tsig_alg = config['tsig_keys'][tsig_name]['algorithm']
+ p "Creating TSIG object"
 tsig = Dnsruby::RR.create({
 :name => tsig_name,
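Review bot: `read_cert_key` writes the freshly generated certificate private key with `File.new( …, 'w' )`, which takes its mode from the process umask (typically 0644, i.e. readable by every local user), and the handle is never closed, so `current.key` is symlinked to a file whose PEM may still be sitting in Ruby's write buffer. Create the file with an explicit 0600 mode inside a `File.open` block so it is flushed and closed before the symlink is made, and switch to `File.exist?` — `File.exists?` is deprecated and removed in Ruby 3.2. Nothing in this diff creates `./certs/<domain>/`, so on a fresh checkout `File.new` raises `Errno::ENOENT`; a `Dir.mkdir( folder ) unless File.directory?( folder )` ahead of it would cover that. A dangling `current.key` symlink also passes both `File.readable?` and `File.exist?` as false and then makes `File.symlink` fail with `EEXIST`, which deserves a clearer error than the raw exception.
```ruby
    if File.exist?( path )
      # … unchanged: raise on an unreadable existing file …
    else
      p "File #{path} does not exist, trying to create"
      private_key = OpenSSL::PKey::EC.generate( "prime256v1" )
      key_path = folder + Time.now.to_i.to_s + ".key"
      # 0600: the certificate private key must not be readable by other local users
      File.open( key_path, 'w', 0600 ) do |pkey_file|
        pkey_file.write( private_key.private_to_pem )
      end
      # link only once the key is fully written and closed
      File.symlink( File.basename( key_path ), path )
    end
```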
@@ -88,15 +109,10 @@ def wait_for_challenge_propagation( domain, challenge )
 result = res.query_no_validation_or_recursion( "_acme-challenge." + domain, "TXT" )
 p result
 propagated = result.answer.any? do |answer|
- p "Checking response"
- p answer
- p answer.rdata[0]
- p "against challenge string"
- p challenge.record_content
 answer.rdata[0] == challenge.record_content
 end
 unless propagated
- p "Sleeping before checking again"
+ p "Not yet propagated, sleeping before checking again"
 sleep(1)
 end
 end until propagated
@@ -115,28 +131,8 @@ def wait_for_challenge_validation( challenge )
 end
 end
-def get_cert_key( domain )
- path = "./domains/#{domain}/"
- key_file = path + "current.key"
- p "Reading cert key from #{key_file}"
- if File.readable?( key_file )
- p "Cert key is readable, trying to read"
- pkey_file = File.new( key_file )
- privatekey_string = pkey_file.read
- domain_key = OpenSSL::PKey::EC.new( privatekey_string )
- else
- p "Cert key is not readable, trying to create one"
- pkey_file = File.new( path + Time.now.to_i.to_s + ".key", 'w' )
- domain_key = OpenSSL::PKey::EC.generate( "prime256v1" )
- pkey_pem = domain_key.private_to_pem
- pkey_file.write( pkey_pem )
- File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" )
- end
- return domain_key
-end
-
 def get_cert( order, domains, domain_key )
- path = "./domains/#{domains[0]}/"
+ path = "./certs/#{domains[0]}/"
 crt_file = path + "cert.pem"
 p "Creating CSR object"
 csr = Acme::Client::CertificateRequest.new(private_key: domain_key, names: domains, subject: { common_name: "#{domains[0]}" })
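Review bot: The `begin … end until propagated` loop in `wait_for_challenge_propagation` has no upper bound, so if the TSIG update was rejected or the nameserver never serves the record the script sleeps forever one second at a time; the loop opens before the hunk, so an attempt counter has to be initialised there, e.g. `attempts = 0` ahead of `begin`, and next to the sleep `raise( "#{domain}: challenge record still not visible after #{attempts} checks" ) if ( attempts += 1 ) >= 300`. The query on the hunk's first line still hard-codes `"_acme-challenge." + domain` and `"TXT"`, whereas `deploy_dns01_challenge_token` in this same commit switched to `challenge.record_name` and `challenge.record_type`; using the same two accessors here keeps the probe and the published record in step. `p result` still dumps the whole DNS response on every iteration, which rather defeats the quieting this hunk does. `wait_for_challenge_propagation` starts and ends outside the hunk.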
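Review bot: `get_cert` now writes `cert.pem` under `./certs/<name>/` while the removed `get_cert_key` and the old `path` used `./domains/<name>/`, and the replacement `read_cert_key` added elsewhere in this commit reads from `./certs/` too, so an existing deployment with its key under `./domains/` will get a brand-new private key and certificate on the next run, with only a `p` line to say so. If the move is intended, state it where operators will see it, e.g. `# NOTE: key/cert storage moved from ./domains/<name>/ to ./certs/<name>/; move existing directories before upgrading`, otherwise keep a fallback to the old path so a valid key is reused rather than replaced. The deleted `get_cert_key` also never closed the key file it opened for writing, and that defect is carried over into `read_cert_key` rather than fixed. `get_cert` continues past the end of the hunk.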
@@ -191,9 +187,8 @@ config['certs'].each_pair do |cert_name, cert_opts|
 order.authorizations.each do |auth|
 p "Processing authorization for #{auth.domain}"
 p "Finding challenge type for #{auth.domain}"
- p config['domains'][auth.domain]['challenge']
 challenge = auth.dns01
- deploy_dns01_challenge_token( auth.domain, challenge.record_content, config['domains'][auth.domain]['primary_ns'], config )
+ deploy_dns01_challenge_token( auth.domain, challenge, config['domains'][auth.domain]['primary_ns'], config )
 wait_for_challenge_propagation( auth.domain, challenge )
 wait_for_challenge_validation( challenge )
 end
@@ -203,7 +198,7 @@ config['certs'].each_pair do |cert_name, cert_opts|
 else
 p "Order is ready, we don’t need to authorize"
 end
- domain_key = get_cert_key( cert_opts['domain_names'][0] )
+ domain_key = read_cert_key( cert_opts['domain_names'][0] )
 get_cert( order, cert_opts['domain_names'], domain_key )
 end
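Review bot: `challenge = auth.dns01` is handed straight to `deploy_dns01_challenge_token`, but as far as I recall acme-client's `Authorization#dns01` returns nil when the CA offers no dns-01 challenge for that identifier (worth confirming against the gem version in use), which would surface as a `NoMethodError` on `record_name` deep inside the DNS update instead of a readable error; `challenge = auth.dns01 or raise( "No dns-01 challenge offered for #{auth.domain}" )` fails at the point of the problem. Likewise `config['domains'][auth.domain]['primary_ns']` raises `NoMethodError` on nil when the CA's authorization names a domain missing from the config; `config['domains'].fetch( auth.domain )` gives a `KeyError` that names the missing domain. The enclosing `config['certs'].each_pair` block starts and ends outside the hunk.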