add support for the lexicon dns tool, which makes integrating dehydrated with different DNS providers very easy
This commit is contained in:
parent
469fd3287b
commit
a6ef1720ca
36
Dockerfile
36
Dockerfile
|
@ -1,22 +1,26 @@
|
||||||
FROM docker.jcg.re/base-alpine
|
FROM docker.jcg.re/base-alpine
|
||||||
MAINTAINER Jan Christian Grünhage <jan.christian@gruenhage.xyz>
|
|
||||||
|
|
||||||
ENV UID=192 \
|
RUN apk add --no-cache \
|
||||||
GID=192
|
--virtual .build-deps \
|
||||||
|
git \
|
||||||
|
python3-dev \
|
||||||
|
libffi-dev \
|
||||||
|
build-base \
|
||||||
|
openssl-dev \
|
||||||
|
&& apk add --no-cache \
|
||||||
|
--virtual .runtime-deps \
|
||||||
|
openssl \
|
||||||
|
curl \
|
||||||
|
sed \
|
||||||
|
grep \
|
||||||
|
bash \
|
||||||
|
su-exec \
|
||||||
|
libxml2-utils \
|
||||||
|
&& git clone https://github.com/lukas2511/dehydrated /dehydrated \
|
||||||
|
&& pip3 install requests[security] \
|
||||||
|
&& pip3 install dns-lexicon \
|
||||||
|
&& apk del .build-deps
|
||||||
|
|
||||||
RUN apk update \
|
|
||||||
&& apk add --upgrade \
|
|
||||||
git \
|
|
||||||
openssl \
|
|
||||||
curl \
|
|
||||||
sed \
|
|
||||||
grep \
|
|
||||||
bash \
|
|
||||||
su-exec \
|
|
||||||
libxml2-utils \
|
|
||||||
&& git clone https://github.com/lukas2511/dehydrated /dehydrated
|
|
||||||
|
|
||||||
# Add the files in the 'root' folder to the images filesystem
|
|
||||||
ADD root /
|
ADD root /
|
||||||
|
|
||||||
VOLUME /etc/dehydrated
|
VOLUME /etc/dehydrated
|
||||||
|
|
130
root/usr/local/bin/lexicon-hook
Executable file
130
root/usr/local/bin/lexicon-hook
Executable file
|
@ -0,0 +1,130 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
#
|
||||||
|
# Example how to deploy a DNS challenge using lexicon
|
||||||
|
|
||||||
|
set -e
|
||||||
|
set -u
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
export PROVIDER=${PROVIDER:-"cloudflare"}
|
||||||
|
|
||||||
|
function deploy_challenge {
|
||||||
|
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
|
||||||
|
|
||||||
|
echo "deploy_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
|
||||||
|
|
||||||
|
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"
|
||||||
|
|
||||||
|
sleep 30
|
||||||
|
|
||||||
|
# This hook is called once for every domain that needs to be
|
||||||
|
# validated, including any alternative names you may have listed.
|
||||||
|
#
|
||||||
|
# Parameters:
|
||||||
|
# - DOMAIN
|
||||||
|
# The domain name (CN or subject alternative name) being
|
||||||
|
# validated.
|
||||||
|
# - TOKEN_FILENAME
|
||||||
|
# The name of the file containing the token to be served for HTTP
|
||||||
|
# validation. Should be served by your web server as
|
||||||
|
# /.well-known/acme-challenge/${TOKEN_FILENAME}.
|
||||||
|
# - TOKEN_VALUE
|
||||||
|
# The token value that needs to be served for validation. For DNS
|
||||||
|
# validation, this is what you want to put in the _acme-challenge
|
||||||
|
# TXT record. For HTTP validation it is the value that is expected
|
||||||
|
# be found in the $TOKEN_FILENAME file.
|
||||||
|
}
|
||||||
|
|
||||||
|
function clean_challenge {
|
||||||
|
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
|
||||||
|
|
||||||
|
echo "clean_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
|
||||||
|
|
||||||
|
lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"
|
||||||
|
|
||||||
|
# This hook is called after attempting to validate each domain,
|
||||||
|
# whether or not validation was successful. Here you can delete
|
||||||
|
# files or DNS records that are no longer needed.
|
||||||
|
#
|
||||||
|
# The parameters are the same as for deploy_challenge.
|
||||||
|
}
|
||||||
|
|
||||||
|
function invalid_challenge() {
|
||||||
|
local DOMAIN="${1}" RESPONSE="${2}"
|
||||||
|
|
||||||
|
echo "invalid_challenge called: ${DOMAIN}, ${RESPONSE}"
|
||||||
|
|
||||||
|
# This hook is called if the challenge response has failed, so domain
|
||||||
|
# owners can be aware and act accordingly.
|
||||||
|
#
|
||||||
|
# Parameters:
|
||||||
|
# - DOMAIN
|
||||||
|
# The primary domain name, i.e. the certificate common
|
||||||
|
# name (CN).
|
||||||
|
# - RESPONSE
|
||||||
|
# The response that the verification server returned
|
||||||
|
}
|
||||||
|
|
||||||
|
function deploy_cert {
|
||||||
|
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
|
||||||
|
|
||||||
|
echo "deploy_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}"
|
||||||
|
|
||||||
|
# This hook is called once for each certificate that has been
|
||||||
|
# produced. Here you might, for instance, copy your new certificates
|
||||||
|
# to service-specific locations and reload the service.
|
||||||
|
#
|
||||||
|
# Parameters:
|
||||||
|
# - DOMAIN
|
||||||
|
# The primary domain name, i.e. the certificate common
|
||||||
|
# name (CN).
|
||||||
|
# - KEYFILE
|
||||||
|
# The path of the file containing the private key.
|
||||||
|
# - CERTFILE
|
||||||
|
# The path of the file containing the signed certificate.
|
||||||
|
# - FULLCHAINFILE
|
||||||
|
# The path of the file containing the full certificate chain.
|
||||||
|
# - CHAINFILE
|
||||||
|
# The path of the file containing the intermediate certificate(s).
|
||||||
|
}
|
||||||
|
|
||||||
|
function unchanged_cert {
|
||||||
|
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
|
||||||
|
|
||||||
|
echo "unchanged_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}"
|
||||||
|
|
||||||
|
# This hook is called once for each certificate that is still
|
||||||
|
# valid and therefore wasn't reissued.
|
||||||
|
#
|
||||||
|
# Parameters:
|
||||||
|
# - DOMAIN
|
||||||
|
# The primary domain name, i.e. the certificate common
|
||||||
|
# name (CN).
|
||||||
|
# - KEYFILE
|
||||||
|
# The path of the file containing the private key.
|
||||||
|
# - CERTFILE
|
||||||
|
# The path of the file containing the signed certificate.
|
||||||
|
# - FULLCHAINFILE
|
||||||
|
# The path of the file containing the full certificate chain.
|
||||||
|
# - CHAINFILE
|
||||||
|
# The path of the file containing the intermediate certificate(s).
|
||||||
|
}
|
||||||
|
|
||||||
|
exit_hook() {
|
||||||
|
# This hook is called at the end of a dehydrated command and can be used
|
||||||
|
# to do some final (cleanup or other) tasks.
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
startup_hook() {
|
||||||
|
# This hook is called before the dehydrated command to do some initial tasks
|
||||||
|
# (e.g. starting a webserver).
|
||||||
|
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
HANDLER=$1; shift;
|
||||||
|
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
|
||||||
|
$HANDLER "$@"
|
||||||
|
fi
|
Loading…
Reference in a new issue