Home Explore Help
Sign In
kolter
/
ansible-playbooks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5d817082fb
Branches Tags
ansible-play...
/
roles
/
common
/
templates
/
dehydrated
/
hooks
/
apache2.sh.j2

apache2.sh.j2 8.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247 
  1. #!/usr/bin/env bash
    2. 

  2. {% if ansible_controlled is defined and ansible_controlled != "" %}
    3. 

  3. #
    4. 

  4. # {{ ansible_controlled }}
    5. 

  5. #
    6. 

  6. {% endif %}
    7. 

  7. 

  8. deploy_challenge() {
    9. 

  9.     local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    10. 

  10. 

  11.     # This hook is called once for every domain that needs to be
    12. 

  12.     # validated, including any alternative names you may have listed.
    13. 

  13.     #
    14. 

  14.     # Parameters:
    15. 

  15.     # - DOMAIN
    16. 

  16.     #   The domain name (CN or subject alternative name) being
    17. 

  17.     #   validated.
    18. 

  18.     # - TOKEN_FILENAME
    19. 

  19.     #   The name of the file containing the token to be served for HTTP
    20. 

  20.     #   validation. Should be served by your web server as
    21. 

  21.     #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
    22. 

  22.     # - TOKEN_VALUE
    23. 

  23.     #   The token value that needs to be served for validation. For DNS
    24. 

  24.     #   validation, this is what you want to put in the _acme-challenge
    25. 

  25.     #   TXT record. For HTTP validation it is the value that is expected
    26. 

  26.     #   be found in the $TOKEN_FILENAME file.
    27. 

  27. 

  28.     # Simple example: Use nsupdate with local named
    29. 

  29.     # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
    30. 

  30. }
    31. 

  31. 

  32. clean_challenge() {
    33. 

  33.     local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    34. 

  34. 

  35.     # This hook is called after attempting to validate each domain,
    36. 

  36.     # whether or not validation was successful. Here you can delete
    37. 

  37.     # files or DNS records that are no longer needed.
    38. 

  38.     #
    39. 

  39.     # The parameters are the same as for deploy_challenge.
    40. 

  40. 

  41.     # Simple example: Use nsupdate with local named
    42. 

  42.     # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
    43. 

  43. }
    44. 

  44. 

  45. sync_cert() {
    46. 

  46.     local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
    47. 

  47. 

  48.     # This hook is called after the certificates have been created but before
    49. 

  49.     # they are symlinked. This allows you to sync the files to disk to prevent
    50. 

  50.     # creating a symlink to empty files on unexpected system crashes.
    51. 

  51.     #
    52. 

  52.     # This hook is not intended to be used for further processing of certificate
    53. 

  53.     # files, see deploy_cert for that.
    54. 

  54.     #
    55. 

  55.     # Parameters:
    56. 

  56.     # - KEYFILE
    57. 

  57.     #   The path of the file containing the private key.
    58. 

  58.     # - CERTFILE
    59. 

  59.     #   The path of the file containing the signed certificate.
    60. 

  60.     # - FULLCHAINFILE
    61. 

  61.     #   The path of the file containing the full certificate chain.
    62. 

  62.     # - CHAINFILE
    63. 

  63.     #   The path of the file containing the intermediate certificate(s).
    64. 

  64.     # - REQUESTFILE
    65. 

  65.     #   The path of the file containing the certificate signing request.
    66. 

  66. 

  67.     # Simple example: sync the files before symlinking them
    68. 

  68.     # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
    69. 

  69. }
    70. 

  70. 

  71. deploy_cert() {
    72. 

  72.     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
    73. 

  73. 

  74.     # This hook is called once for each certificate that has been
    75. 

  75.     # produced. Here you might, for instance, copy your new certificates
    76. 

  76.     # to service-specific locations and reload the service.
    77. 

  77.     #
    78. 

  78.     # Parameters:
    79. 

  79.     # - DOMAIN
    80. 

  80.     #   The primary domain name, i.e. the certificate common
    81. 

  81.     #   name (CN).
    82. 

  82.     # - KEYFILE
    83. 

  83.     #   The path of the file containing the private key.
    84. 

  84.     # - CERTFILE
    85. 

  85.     #   The path of the file containing the signed certificate.
    86. 

  86.     # - FULLCHAINFILE
    87. 

  87.     #   The path of the file containing the full certificate chain.
    88. 

  88.     # - CHAINFILE
    89. 

  89.     #   The path of the file containing the intermediate certificate(s).
    90. 

  90.     # - TIMESTAMP
    91. 

  91.     #   Timestamp when the specified certificate was created.
    92. 

  92. 

  93.     # Simple example: Copy file to nginx config
    94. 

  94.     # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
    95. 

  95.     # systemctl reload nginx
    96. 

  96. 

  97.     if systemctl -q is-active apache2 ; then
    98. 

  98.         if apache2ctl configtest >/dev/null 2>&1 ; then
    99. 

  99.             systemctl reload-or-try-restart apache2
    100. 

  100.         else
    101. 

  101.             echo "Apache configuration check failed with the following error:"
    102. 

  102.             apache2ctl configtest
    103. 

  103.         fi
    104. 

  104.     fi
    105. 

  105. }
    106. 

  106. 

  107. deploy_ocsp() {
    108. 

  108.     local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
    109. 

  109. 

  110.     # This hook is called once for each updated ocsp stapling file that has
    111. 

  111.     # been produced. Here you might, for instance, copy your new ocsp stapling
    112. 

  112.     # files to service-specific locations and reload the service.
    113. 

  113.     #
    114. 

  114.     # Parameters:
    115. 

  115.     # - DOMAIN
    116. 

  116.     #   The primary domain name, i.e. the certificate common
    117. 

  117.     #   name (CN).
    118. 

  118.     # - OCSPFILE
    119. 

  119.     #   The path of the ocsp stapling file
    120. 

  120.     # - TIMESTAMP
    121. 

  121.     #   Timestamp when the specified ocsp stapling file was created.
    122. 

  122. 

  123.     # Simple example: Copy file to nginx config
    124. 

  124.     # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
    125. 

  125.     # systemctl reload nginx
    126. 

  126. 

  127.     if systemctl -q is-active apache2 ; then
    128. 

  128.         if apache2ctl configtest >/dev/null 2>&1 ; then
    129. 

  129.             systemctl reload-or-try-restart apache2
    130. 

  130.         else
    131. 

  131.             echo "Apache configuration check failed with the following error:"
    132. 

  132.             apache2ctl configtest
    133. 

  133.         fi
    134. 

  134.     fi
    135. 

  135. }
    136. 

  136. 

  137. 

  138. unchanged_cert() {
    139. 

  139.     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
    140. 

  140. 

  141.     # This hook is called once for each certificate that is still
    142. 

  142.     # valid and therefore wasn't reissued.
    143. 

  143.     #
    144. 

  144.     # Parameters:
    145. 

  145.     # - DOMAIN
    146. 

  146.     #   The primary domain name, i.e. the certificate common
    147. 

  147.     #   name (CN).
    148. 

  148.     # - KEYFILE
    149. 

  149.     #   The path of the file containing the private key.
    150. 

  150.     # - CERTFILE
    151. 

  151.     #   The path of the file containing the signed certificate.
    152. 

  152.     # - FULLCHAINFILE
    153. 

  153.     #   The path of the file containing the full certificate chain.
    154. 

  154.     # - CHAINFILE
    155. 

  155.     #   The path of the file containing the intermediate certificate(s).
    156. 

  156. }
    157. 

  157. 

  158. invalid_challenge() {
    159. 

  159.     local DOMAIN="${1}" RESPONSE="${2}"
    160. 

  160. 

  161.     # This hook is called if the challenge response has failed, so domain
    162. 

  162.     # owners can be aware and act accordingly.
    163. 

  163.     #
    164. 

  164.     # Parameters:
    165. 

  165.     # - DOMAIN
    166. 

  166.     #   The primary domain name, i.e. the certificate common
    167. 

  167.     #   name (CN).
    168. 

  168.     # - RESPONSE
    169. 

  169.     #   The response that the verification server returned
    170. 

  170. 

  171.     # Simple example: Send mail to root
    172. 

  172.     # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
    173. 

  173. }
    174. 

  174. 

  175. request_failure() {
    176. 

  176.     local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
    177. 

  177. 

  178.     # This hook is called when an HTTP request fails (e.g., when the ACME
    179. 

  179.     # server is busy, returns an error, etc). It will be called upon any
    180. 

  180.     # response code that does not start with '2'. Useful to alert admins
    181. 

  181.     # about problems with requests.
    182. 

  182.     #
    183. 

  183.     # Parameters:
    184. 

  184.     # - STATUSCODE
    185. 

  185.     #   The HTML status code that originated the error.
    186. 

  186.     # - REASON
    187. 

  187.     #   The specified reason for the error.
    188. 

  188.     # - REQTYPE
    189. 

  189.     #   The kind of request that was made (GET, POST...)
    190. 

  190.     # - HEADERS
    191. 

  191.     #   HTTP headers returned by the CA
    192. 

  192. 

  193.     # Simple example: Send mail to root
    194. 

  194.     # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
    195. 

  195. }
    196. 

  196. 

  197. generate_csr() {
    198. 

  198.     local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
    199. 

  199. 

  200.     # This hook is called before any certificate signing operation takes place.
    201. 

  201.     # It can be used to generate or fetch a certificate signing request with external
    202. 

  202.     # tools.
    203. 

  203.     # The output should be just the cerificate signing request formatted as PEM.
    204. 

  204.     #
    205. 

  205.     # Parameters:
    206. 

  206.     # - DOMAIN
    207. 

  207.     #   The primary domain as specified in domains.txt. This does not need to
    208. 

  208.     #   match with the domains in the CSR, it's basically just the directory name.
    209. 

  209.     # - CERTDIR
    210. 

  210.     #   Certificate output directory for this particular certificate. Can be used
    211. 

  211.     #   for storing additional files.
    212. 

  212.     # - ALTNAMES
    213. 

  213.     #   All domain names for the current certificate as specified in domains.txt.
    214. 

  214.     #   Again, this doesn't need to match with the CSR, it's just there for convenience.
    215. 

  215. 

  216.     # Simple example: Look for pre-generated CSRs
    217. 

  217.     # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
    218. 

  218.     #   cat "${CERTDIR}/pre-generated.csr"
    219. 

  219.     # fi
    220. 

  220. }
    221. 

  221. 

  222. startup_hook() {
    223. 

  223.   # This hook is called before the cron command to do some initial tasks
    224. 

  224.   # (e.g. starting a webserver).
    225. 

  225. 

  226.   :
    227. 

  227. }
    228. 

  228. 

  229. exit_hook() {
    230. 

  230.   local ERROR="${1:-}"
    231. 

  231. 

  232.   # This hook is called at the end of the cron command and can be used to
    233. 

  233.   # do some final (cleanup or other) tasks.
    234. 

  234.   #
    235. 

  235.   # Parameters:
    236. 

  236.   # - ERROR
    237. 

  237.   #   Contains error message if dehydrated exits with error
    238. 

  238. }
    239. 

  239. 

  240. HANDLER="$1"
    241. 

  241. shift
    242. 

  242. 

  243. if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
    244. 

  244.   "$HANDLER" "$@"
    245. 

  245. fi
    246. 

  246. 

  247. exit 0
    248.