nginx.sh.j2 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246
  1. #!/usr/bin/env bash
  2. {% if ansible_prolog %}
  3. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  4. {{ prolog() }}
  5. {% endif %}
  6. deploy_challenge() {
  7. local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
  8. # This hook is called once for every domain that needs to be
  9. # validated, including any alternative names you may have listed.
  10. #
  11. # Parameters:
  12. # - DOMAIN
  13. # The domain name (CN or subject alternative name) being
  14. # validated.
  15. # - TOKEN_FILENAME
  16. # The name of the file containing the token to be served for HTTP
  17. # validation. Should be served by your web server as
  18. # /.well-known/acme-challenge/${TOKEN_FILENAME}.
  19. # - TOKEN_VALUE
  20. # The token value that needs to be served for validation. For DNS
  21. # validation, this is what you want to put in the _acme-challenge
  22. # TXT record. For HTTP validation it is the value that is expected
  23. # be found in the $TOKEN_FILENAME file.
  24. # Simple example: Use nsupdate with local named
  25. # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
  26. }
  27. clean_challenge() {
  28. local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
  29. # This hook is called after attempting to validate each domain,
  30. # whether or not validation was successful. Here you can delete
  31. # files or DNS records that are no longer needed.
  32. #
  33. # The parameters are the same as for deploy_challenge.
  34. # Simple example: Use nsupdate with local named
  35. # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
  36. }
  37. sync_cert() {
  38. local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
  39. # This hook is called after the certificates have been created but before
  40. # they are symlinked. This allows you to sync the files to disk to prevent
  41. # creating a symlink to empty files on unexpected system crashes.
  42. #
  43. # This hook is not intended to be used for further processing of certificate
  44. # files, see deploy_cert for that.
  45. #
  46. # Parameters:
  47. # - KEYFILE
  48. # The path of the file containing the private key.
  49. # - CERTFILE
  50. # The path of the file containing the signed certificate.
  51. # - FULLCHAINFILE
  52. # The path of the file containing the full certificate chain.
  53. # - CHAINFILE
  54. # The path of the file containing the intermediate certificate(s).
  55. # - REQUESTFILE
  56. # The path of the file containing the certificate signing request.
  57. # Simple example: sync the files before symlinking them
  58. # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
  59. }
  60. deploy_cert() {
  61. local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
  62. # This hook is called once for each certificate that has been
  63. # produced. Here you might, for instance, copy your new certificates
  64. # to service-specific locations and reload the service.
  65. #
  66. # Parameters:
  67. # - DOMAIN
  68. # The primary domain name, i.e. the certificate common
  69. # name (CN).
  70. # - KEYFILE
  71. # The path of the file containing the private key.
  72. # - CERTFILE
  73. # The path of the file containing the signed certificate.
  74. # - FULLCHAINFILE
  75. # The path of the file containing the full certificate chain.
  76. # - CHAINFILE
  77. # The path of the file containing the intermediate certificate(s).
  78. # - TIMESTAMP
  79. # Timestamp when the specified certificate was created.
  80. # Simple example: Copy file to nginx config
  81. # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
  82. # systemctl reload nginx
  83. if systemctl -q is-active nginx ; then
  84. if nginx -q -t 2>/dev/null ; then
  85. systemctl reload-or-try-restart nginx
  86. else
  87. echo "Nginx configuration check failed with the following error:"
  88. nginx -t
  89. fi
  90. fi
  91. }
  92. deploy_ocsp() {
  93. local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
  94. # This hook is called once for each updated ocsp stapling file that has
  95. # been produced. Here you might, for instance, copy your new ocsp stapling
  96. # files to service-specific locations and reload the service.
  97. #
  98. # Parameters:
  99. # - DOMAIN
  100. # The primary domain name, i.e. the certificate common
  101. # name (CN).
  102. # - OCSPFILE
  103. # The path of the ocsp stapling file
  104. # - TIMESTAMP
  105. # Timestamp when the specified ocsp stapling file was created.
  106. # Simple example: Copy file to nginx config
  107. # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
  108. # systemctl reload nginx
  109. if systemctl -q is-active nginx ; then
  110. if nginx -q -t 2>/dev/null ; then
  111. systemctl reload-or-try-restart nginx
  112. else
  113. echo "Nginx configuration check failed with the following error:"
  114. nginx -t
  115. fi
  116. fi
  117. }
  118. unchanged_cert() {
  119. local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
  120. # This hook is called once for each certificate that is still
  121. # valid and therefore wasn't reissued.
  122. #
  123. # Parameters:
  124. # - DOMAIN
  125. # The primary domain name, i.e. the certificate common
  126. # name (CN).
  127. # - KEYFILE
  128. # The path of the file containing the private key.
  129. # - CERTFILE
  130. # The path of the file containing the signed certificate.
  131. # - FULLCHAINFILE
  132. # The path of the file containing the full certificate chain.
  133. # - CHAINFILE
  134. # The path of the file containing the intermediate certificate(s).
  135. }
  136. invalid_challenge() {
  137. local DOMAIN="${1}" RESPONSE="${2}"
  138. # This hook is called if the challenge response has failed, so domain
  139. # owners can be aware and act accordingly.
  140. #
  141. # Parameters:
  142. # - DOMAIN
  143. # The primary domain name, i.e. the certificate common
  144. # name (CN).
  145. # - RESPONSE
  146. # The response that the verification server returned
  147. # Simple example: Send mail to root
  148. # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
  149. }
  150. request_failure() {
  151. local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
  152. # This hook is called when an HTTP request fails (e.g., when the ACME
  153. # server is busy, returns an error, etc). It will be called upon any
  154. # response code that does not start with '2'. Useful to alert admins
  155. # about problems with requests.
  156. #
  157. # Parameters:
  158. # - STATUSCODE
  159. # The HTML status code that originated the error.
  160. # - REASON
  161. # The specified reason for the error.
  162. # - REQTYPE
  163. # The kind of request that was made (GET, POST...)
  164. # - HEADERS
  165. # HTTP headers returned by the CA
  166. # Simple example: Send mail to root
  167. # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
  168. }
  169. generate_csr() {
  170. local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
  171. # This hook is called before any certificate signing operation takes place.
  172. # It can be used to generate or fetch a certificate signing request with external
  173. # tools.
  174. # The output should be just the cerificate signing request formatted as PEM.
  175. #
  176. # Parameters:
  177. # - DOMAIN
  178. # The primary domain as specified in domains.txt. This does not need to
  179. # match with the domains in the CSR, it's basically just the directory name.
  180. # - CERTDIR
  181. # Certificate output directory for this particular certificate. Can be used
  182. # for storing additional files.
  183. # - ALTNAMES
  184. # All domain names for the current certificate as specified in domains.txt.
  185. # Again, this doesn't need to match with the CSR, it's just there for convenience.
  186. # Simple example: Look for pre-generated CSRs
  187. # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
  188. # cat "${CERTDIR}/pre-generated.csr"
  189. # fi
  190. }
  191. startup_hook() {
  192. # This hook is called before the cron command to do some initial tasks
  193. # (e.g. starting a webserver).
  194. :
  195. }
  196. exit_hook() {
  197. local ERROR="${1:-}"
  198. # This hook is called at the end of the cron command and can be used to
  199. # do some final (cleanup or other) tasks.
  200. #
  201. # Parameters:
  202. # - ERROR
  203. # Contains error message if dehydrated exits with error
  204. }
  205. HANDLER="$1"
  206. shift
  207. if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
  208. "$HANDLER" "$@"
  209. fi
  210. exit 0