Skip to content
Snippets Groups Projects
Commit 42635565 authored by Hahn Axel (hahn)'s avatar Hahn Axel (hahn)
Browse files

support for http challenge on port 80; more params supported for force renew, http challenge

parent a3903eed
No related branches found
No related tags found
1 merge request!24Add http challenge
Show whitespace changes
Inline Side-by-side
Showing
with 637 additions and 532 deletions
cm.sh
+ 637
532
View file @ 42635565
...@@ -37,6 +37,7 @@ ...@@ -37,6 +37,7 @@
# 2023-02-01 <axel.hahn@unibe.ch> skip function _fixKeyfile with former workaround # 2023-02-01 <axel.hahn@unibe.ch> skip function _fixKeyfile with former workaround
# 2023-05-08 <axel.hahn@unibe.ch> fix: "key and cert do not match" # 2023-05-08 <axel.hahn@unibe.ch> fix: "key and cert do not match"
# 2024-03-21 <axel.hahn@unibe.ch> shorter sleep times # 2024-03-21 <axel.hahn@unibe.ch> shorter sleep times
# 2025-01-08 <axel.hahn@unibe.ch> support for http challenge on port 80; more params supported for force renew, http challenge
# ====================================================================== # ======================================================================
...@@ -46,6 +47,8 @@ ...@@ -46,6 +47,8 @@
# #
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
_version="2025-01-08"
logdir="./log" logdir="./log"
touchfile="$logdir/lastchange.txt" touchfile="$logdir/lastchange.txt"
logfile="$logdir/certmanager.log" logfile="$logdir/certmanager.log"
...@@ -67,6 +70,12 @@ CM_writedebuglog=0 ...@@ -67,6 +70,12 @@ CM_writedebuglog=0
CM_timer_start=$( date +%s.%N ) CM_timer_start=$( date +%s.%N )
# webroot to write challenge files into -
CM_webroot=""
# force renew (default: disabled - remember quotas on LE)
CM_force=0
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# #
# INTERNAL FUNCTIONS # INTERNAL FUNCTIONS
...@@ -112,7 +121,7 @@ function _certExists(){ ...@@ -112,7 +121,7 @@ function _certExists(){
function _certMustExist(){ function _certMustExist(){
_certExists _certExists
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: cert ${CM_fqdn} was not added yet." _we "Cert ${CM_fqdn} was not added yet."
exit 1 exit 1
fi fi
} }
...@@ -123,7 +132,7 @@ function _certMustExist(){ ...@@ -123,7 +132,7 @@ function _certMustExist(){
function _certMustNotExist(){ function _certMustNotExist(){
if _certExists if _certExists
then then
echo "ERROR: cert ${CM_fqdn} was added already." _we "Cert ${CM_fqdn} was added already."
# exit 1 # exit 1
echo "Press Ctrl+C to abort within the next 3 sec..." echo "Press Ctrl+C to abort within the next 3 sec..."
sleep 3 sleep 3
...@@ -176,8 +185,8 @@ function _certTransfer(){ ...@@ -176,8 +185,8 @@ function _certTransfer(){
function _certMatching(){ function _certMatching(){
# CSR USAGE WAS REMOVED # CSR USAGE WAS REMOVED
# local md5_csr=$( test -f ${CM_filecsr} && openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 | cut -f 2 -d " " ) # local md5_csr=$( test -f ${CM_filecsr} && openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 | cut -f 2 -d " " )
local md5_key=$( test -f ${CM_outfile_key} && openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5 | cut -f 2 -d " " ) local md5_key; md5_key=$( test -f ${CM_outfile_key} && openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5 | cut -f 2 -d " " )
local md5_cert=$( test -f ${CM_outfile_cert} && openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " ) local md5_cert; md5_cert=$( test -f ${CM_outfile_cert} && openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " )
echo echo
echo "--- compare hashes" echo "--- compare hashes"
...@@ -188,7 +197,7 @@ function _certMatching(){ ...@@ -188,7 +197,7 @@ function _certMatching(){
if [ "$md5_key" = "$md5_cert" ]; then if [ "$md5_key" = "$md5_cert" ]; then
echo "OK, key and cert match :-)" echo "OK, key and cert match :-)"
else else
echo "ERROR: key and cert do NOT MATCH!" _we "Key and cert do NOT MATCH!"
fi fi
echo echo
} }
...@@ -210,7 +219,7 @@ function _checkDig(){ ...@@ -210,7 +219,7 @@ function _checkDig(){
# _wd "[$myfqdn] exists as type [$_type] in DNS?" # _wd "[$myfqdn] exists as type [$_type] in DNS?"
if ! dig "${myfqdn}" "${_type}" | grep "^${myfqdn}" | grep -E "${_verify}" if ! dig "${myfqdn}" "${_type}" | grep "^${myfqdn}" | grep -E "${_verify}"
then then
echo "ERROR: [$myfqdn] was not found. Maybe there is a typo in the hostname or it does not exist in DNS." _we "[$myfqdn] was not found. Maybe there is a typo in the hostname or it does not exist in DNS."
exit 2 exit 2
fi fi
_wd "OK: [$myfqdn] exists in DNS." _wd "OK: [$myfqdn] exists in DNS."
...@@ -245,7 +254,6 @@ function _dnsCheck(){ ...@@ -245,7 +254,6 @@ function _dnsCheck(){
_checkDig "${_subdomain}.${_mydomain}" "cname" "${_subdomain}.${CM_challenge_alias}" _checkDig "${_subdomain}.${_mydomain}" "cname" "${_subdomain}.${CM_challenge_alias}"
fi fi
done done
} }
# CSR USAGE WAS REMOVED # CSR USAGE WAS REMOVED
...@@ -282,20 +290,20 @@ function _dnsCheck(){ ...@@ -282,20 +290,20 @@ function _dnsCheck(){
# internal function; get a sorted list of DNS aliases in the current cert # internal function; get a sorted list of DNS aliases in the current cert
function _getAliases(){ function _getAliases(){
_sortWords $( _sortWords "$(
openssl x509 -noout -text -in ${CM_outfile_cert} \ openssl x509 -noout -text -in ${CM_outfile_cert} \
| grep -E "(DNS:)" \ | grep -E "(DNS:)" \
| sed "s#^ *##g" \ | sed "s#^ *##g" \
| sed "s#DNS:##g" \ | sed "s#DNS:##g" \
| sed "s#,##g" | sed "s#,##g"
) )"
} }
# internal function; check if a required 2nd CLI parameter was given # internal function; check if a required 2nd CLI parameter was given
# if not the script will abort # if not the script will abort
function _requiresFqdn(){ function _requiresFqdn(){
if [ -z "$CM_fqdn" ]; then if [ -z "$CM_fqdn" ]; then
echo "ERROR: 2nd parameter must be a FQDN for Main_Domain." _we "2nd parameter must be a FQDN for Main_Domain."
exit 1 exit 1
fi fi
} }
...@@ -304,8 +312,7 @@ function _requiresFqdn(){ ...@@ -304,8 +312,7 @@ function _requiresFqdn(){
# server. It shows a message that it is allowed to test arround ... or to be # server. It shows a message that it is allowed to test arround ... or to be
# careful with LE requests on a production system # careful with LE requests on a production system
function _testStaging(){ function _testStaging(){
echo $ACME_Params | grep "\-\-staging" >/dev/null if echo "${ACME_Params}" | grep -- "--staging" >/dev/null; then
if [ $? -eq 0 ]; then
_wd "Using Let's Encrypt STAGE environment ..." _wd "Using Let's Encrypt STAGE environment ..."
_wd "You can test and mess around. Do not use certs in production." _wd "You can test and mess around. Do not use certs in production."
else else
...@@ -318,13 +325,13 @@ function _testStaging(){ ...@@ -318,13 +325,13 @@ function _testStaging(){
# current user # current user
function _testUser(){ function _testUser(){
if [ ! -z "$CM_user" ]; then if [ ! -z "$CM_user" ]; then
local _sUser=`id | cut -f 2 -d "(" | cut -f 1 -d ")"` local _sUser
_sUser="$( id | cut -f 2 -d "(" | cut -f 1 -d ")")"
if [[ $_sUser != "$CM_user" ]]; then if [[ $_sUser != "$CM_user" ]]; then
echo "ERROR: Run this script under user [$CM_user] - not as $_sUser." _we "Run this script under user [$CM_user] - not as $_sUser."
exit 1 exit 1
fi fi
fi fi
} }
# set update message into access log file # set update message into access log file
...@@ -378,8 +385,16 @@ function _wait_for_free_slot(){ ...@@ -378,8 +385,16 @@ function _wait_for_free_slot(){
} }
# write debug output if CM_showdebug is set to 1 # write debug output if CM_showdebug is set to 1
# param string message (prefix "DEBUG" will be added in front)
function _wd(){ function _wd(){
test ${CM_showdebug} -ne 0 && echo "DEBUG: $*" test ${CM_showdebug} -ne 0 && echo -e "\e[1;30mDEBUG: $* \e[0m"
}
# show error message;
# param string message (prefix "ERROR" will be added in front)
function _we(){
echo -e "\e[1;37;41mERROR: $*\e[0m"
} }
# set environment for a single certificate based on FQDN # set environment for a single certificate based on FQDN
...@@ -400,11 +415,11 @@ function _setenv(){ ...@@ -400,11 +415,11 @@ function _setenv(){
CM_outfile_ca=${CM_dircerts}/${CM_fqdn}.ca.cer CM_outfile_ca=${CM_dircerts}/${CM_fqdn}.ca.cer
# echo $CM_fqdn; set | grep "^CM_"; echo # echo $CM_fqdn; set | grep "^CM_"; echo
} }
# internal function; helper: sort words in alphabetic order # internal function; helper: sort words in alphabetic order
function _sortWords(){ function _sortWords(){
echo $* | tr " " "\n" | sort | tr "\n" " " echo "$*" | tr " " "\n" | sort | tr "\n" " "
} }
# internal function; verify fqdn in cli params - each fqdn is allowed only once. # internal function; verify fqdn in cli params - each fqdn is allowed only once.
...@@ -413,7 +428,7 @@ function _testFqdncount(){ ...@@ -413,7 +428,7 @@ function _testFqdncount(){
typeset -i local iHostsInParam=$( echo $* | wc -w ) typeset -i local iHostsInParam=$( echo $* | wc -w )
typeset -i iHostsUniq=$( echo $* | tr " " "\n" | sort -u | wc -w ) typeset -i iHostsUniq=$( echo $* | tr " " "\n" | sort -u | wc -w )
if [ $iHostsInParam -ne $iHostsUniq ]; then if [ $iHostsInParam -ne $iHostsUniq ]; then
echo "ERROR: each given FQDN is allowed only once. You need to remove double entries." _we "Each given FQDN is allowed only once. You need to remove double entries."
for myhost in $( echo $* | tr " " "\n" | sort -u ) for myhost in $( echo $* | tr " " "\n" | sort -u )
do do
...@@ -428,17 +443,120 @@ function _testFqdncount(){ ...@@ -428,17 +443,120 @@ function _testFqdncount(){
# get time in sec and milliseconds since start # get time in sec and milliseconds since start
# no parameter is required # no parameter is required
function show_timer(){ function show_timer(){
local timer_end=$( date +%s.%N ) local timer_end; timer_end=$( date +%s.%N )
local totaltime=$( awk "BEGIN {print $timer_end - $CM_timer_start }" ) local totaltime; totaltime=$( awk "BEGIN {print $timer_end - $CM_timer_start }" )
local sec_time=$( echo $totaltime | cut -f 1 -d "." ) local sec_time; sec_time=$( echo "$totaltime" | cut -f 1 -d "." )
test -z "$sec_time" && sec_time=0 test -z "$sec_time" && sec_time=0
local ms_time=$( echo $totaltime | cut -f 2 -d "." | cut -c 1-3 ) local ms_time; ms_time=$( echo "$totaltime" | cut -f 2 -d "." | cut -c 1-3 )
echo "$sec_time.$ms_time sec" echo "$sec_time.$ms_time sec"
} }
# show help text
function show_help(){
self="$( basename "$0" )"
cat <<EOF
HELP
Wrapper script for acme.sh to handle certificates.
For automation you should use the "ensure" action that detects if a
certificate must be created, renewed or re-created.
📄 Source: <https://git-repo.iml.unibe.ch/iml-open-source/iml-certman>
📜 License: GNU GPL 3.0
📗 Docs: <https://os-docs.iml.unibe.ch/iml-certman/>
SYNTAX:
$self [OPTIONS] ACTION <FQDN> [<ALIASES>]
OPTIONS:
-a|--alias
Use http challenge with existing http server on port 80
Challenge file will be written into ../alias-dir/
-f|--force
Force renew of certificate even if it is not due yet.
Use it carefully - remember the execution limits on Let's Encrypt.
-t|--trace
the output additionally will be written into a tracelog file
below $logdir.
-v|--verbose
show debug infos on console.
Remark: for permanent usage set CM_showdebug=1 in inc_config.sh
-w|--webroot <DIR>
Use http challenge with existing http server on port 80
Challenge file will be written into given directory
The ACTIONs for SINGLE certificate handlings are:
add <FQDN> [.. <FQDN-N>]
create new certificate
The first FQDN is a hostname to generate the certificate for.
Following multiple hostnames will be used as DNS aliases in the
same certificate.
It updates files in ${CM_diracme}
ensure <FQDN> [.. <FQDN-N>]
It ensures that a certificate with given aliases exists and is up to date.
This param is for simple usage in automation tools like Ansible or Puppet.
It is required to add all aliases as parameters what is unhandy for
direct usage on cli.
If the cert does not exist it will be created (see "add").
If fqdn and aliases are the same like in the certificate it performs a renew.
If fqdn and aliases differ:
- the current certificate will be rejected + deleted (see "delete")
- a new certificate will be added ()
delete <FQDN>
delete all files of a given certificate
renew <FQDN>
renew (an already added) certificate
and update files in ${CM_diracme}
show <FQDN>
show place of certificate data and show basic certificate data
(issuer, subject, aliases, ending date)
transfer <FQDN>
Transfer cert from acme.sh internal cache to our output dir again.
It is done during add or renew. With transfer command you can repeat it.
ACTIONs for ALL certs
list
list all certificates including creation and renew date
list-old
list all certificates older 65 and older 90 days and exit.
Exitcodes:
0 - all certs are up to date.
1 - certificates to renew were found
2 - outdatedt certificates were found
renew-all
renew all certificates (fast mode - without --force)
and update files in ${CM_diracme}
It is useful for a cronjob.
other ACTIONs
selftest
check of health with current setup and requirements.
This command is helpful for initial setups.
EOF
}
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# #
# PUBLIC FUNCTIONS # PUBLIC FUNCTIONS
...@@ -458,16 +576,32 @@ function public_add(){ ...@@ -458,16 +576,32 @@ function public_add(){
_dnsCheck $CM_fqdn $* _dnsCheck $CM_fqdn $*
local iCounter
typeset -i iCounter=0
for _mydomain in $CM_fqdn $* for _mydomain in $CM_fqdn $*
do do
_params+="-d $_mydomain --challenge-alias " iCounter+=1
_params+="-d $_mydomain "
if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null if [ -n "$CM_webroot" ]
then
echo "WEBROOT found"
if [ $iCounter -eq 1 ]
then
_params+="-w $CM_webroot "
fi
else
if [ -n "${CM_challenge_alias}" ]
then
_params+=" --challenge-alias "
if ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
then then
_params+="${CM_challenge_alias} " _params+="${CM_challenge_alias} "
else else
_params+="no " _params+="no "
fi fi
fi
fi
done done
# 2023-05-08: Specifies the domain key length # 2023-05-08: Specifies the domain key length
...@@ -480,8 +614,8 @@ function public_add(){ ...@@ -480,8 +614,8 @@ function public_add(){
echo "$ACME --issue $_params $ACME_Params" echo "$ACME --issue $_params $ACME_Params"
if ! $ACME --issue $_params $ACME_Params if ! $ACME --issue $_params $ACME_Params
then then
echo "ERROR: adding cert failed. Trying to delete internal data ..." _we "Adding cert failed. Trying to delete internal data ..."
public_delete $CM_fqdn public_delete "$CM_fqdn"
exit 1 exit 1
fi fi
# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1 # $ACME --issue -d $CM_fqdn $ACME_Params || exit 1
...@@ -540,8 +674,8 @@ function public_ensure(){ ...@@ -540,8 +674,8 @@ function public_ensure(){
_certExists _certExists
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
_wd "--- cert $CM_fqdn was found ... compare aliases" _wd "--- cert $CM_fqdn was found ... compare aliases"
local _newAliases=$( _sortWords $CM_fqdn $* ) local _newAliases; _newAliases=$( _sortWords $CM_fqdn $* )
local _certAliases=$( _getAliases ) local _certAliases; _certAliases=$( _getAliases )
_wd "from params: $_newAliases" _wd "from params: $_newAliases"
_wd "inside cert: $_certAliases" _wd "inside cert: $_certAliases"
...@@ -583,22 +717,20 @@ function public_delete(){ ...@@ -583,22 +717,20 @@ function public_delete(){
_debuglog "end public_delete" _debuglog "end public_delete"
} }
# #
# public function; list certificates incl. creation date and renew date # public function; list certificates incl. creation date and renew date
# #
function public_list(){ function public_list(){
_listCerts _listCerts
} }
# #
# public function; list old / outdated certificates # public function; list old / outdated certificates
# #
function public_list-old(){ function public_list-old(){
local _iRuntime=90 local _iRuntime=90
local _iWarn=65 local _iWarn=65
typeset -i local _rc=0 local _rc; typeset -i _rc=0
cd "${CM_dircerts}" || exit 1 cd "${CM_dircerts}" || exit 1
...@@ -630,7 +762,6 @@ function public_list-old(){ ...@@ -630,7 +762,6 @@ function public_list-old(){
exit $_rc exit $_rc
} }
# #
# public function - renew a certificate # public function - renew a certificate
# param string fqdn of domain to renew # param string fqdn of domain to renew
...@@ -642,7 +773,13 @@ function public_renew(){ ...@@ -642,7 +773,13 @@ function public_renew(){
_fixKeyfile _fixKeyfile
$ACME --renew -d ${CM_fqdn} $ACME_Params if [ $CM_force -ne 0 ]; then
_wd "renew was forced"
$ACME --force --renew -d "${CM_fqdn}" $ACME_Params
else
_wd "soft renew"
$ACME --renew -d "${CM_fqdn}" $ACME_Params
fi
local _rc=$? local _rc=$?
case $_rc in case $_rc in
...@@ -665,14 +802,12 @@ function public_renew(){ ...@@ -665,14 +802,12 @@ function public_renew(){
# public function - renew all certificates (to be used in a cronjob) # public function - renew all certificates (to be used in a cronjob)
# no params # no params
function public_renew-all(){ function public_renew-all(){
_listCertdomains | while read mydomain _listCertdomains | while read mydomain
do do
_wd "--- renew $mydomain" _wd "--- renew $mydomain"
_setenv ${mydomain} _setenv ${mydomain}
public_renew public_renew
done done
} }
...@@ -700,7 +835,6 @@ function _selftestItem(){ ...@@ -700,7 +835,6 @@ function _selftestItem(){
# list existing certs # list existing certs
# no params # no params
function public_selftest(){ function public_selftest(){
typeset -i _iErrors=0 typeset -i _iErrors=0
echo echo
...@@ -735,7 +869,6 @@ function public_selftest(){ ...@@ -735,7 +869,6 @@ function public_selftest(){
_selftestItem "test -w ${CM_diracme}" "it is writable" _selftestItem "test -w ${CM_diracme}" "it is writable"
echo echo
echo --- logs echo --- logs
_selftestItem "ls -ld ./log/" "Logdir exists" _selftestItem "ls -ld ./log/" "Logdir exists"
_selftestItem "test -w" "Logdir is writable" _selftestItem "test -w" "Logdir is writable"
...@@ -792,34 +925,75 @@ function public_transfer(){ ...@@ -792,34 +925,75 @@ function public_transfer(){
cd $( dirname $0 ) cd $( dirname $0 )
if [ "$1" = "--trace" ]; then cat <<ENDOFHEADER
tracelog="$logdir/trace__$2__$3__`date +%Y-%m-%d__%H-%M-%S`.log" $line
exec > >(tee -a ${tracelog} )
exec 2> >(tee -a ${tracelog} >&2)
- - - ---===>>> CERT MANAGER - v$_version <<<===--- - - -
$line
ENDOFHEADER
while [[ "$#" -gt 0 ]]; do case $1 in
-a|--alias)
cd ..
CM_webroot="$( pwd )/alias-dir"
cd -
echo "INFO: directory for challenges is [$CM_webroot]"
shift
;;
-f|--force)
echo "INFO: enable --force (for renewal)"
CM_force=1
exit 0
;;
-h|--help)
show_help
exit 0
;;
-t|--trace)
tracelog="$logdir/trace__$2__$3__$(date +%Y-%m-%d__%H-%M-%S).log"
exec > >(tee -a "${tracelog}" )
exec 2> >(tee -a "${tracelog}" >&2)
echo "TRACELOG was triggered." echo "TRACELOG was triggered."
echo "TIME : $(date)" echo "TIME : $(date)"
echo "COMMAND: $0 $*" echo "COMMAND: $0 $*"
echo "LOG : $tracelog" echo "LOG : $tracelog"
# set -vx # set -vx
shift 1 shift 1
fi ;;
cat <<ENDOFHEADER
$line
- - - ---===>>> CERT MANAGER <<<===--- - - - -v|--verbose)
CM_showdebug=1
shift 1
;;
$line -w|--webroot)
CM_webroot="$2"
echo "INFO: directory for challenges is [$CM_webroot]"
# ACME="sudo $ACME"
# shift
shift
;;
ENDOFHEADER *) if grep "^-" <<< "$1" >/dev/null ; then
echo; _we "Unknown parameter: $1"; show_help; exit 2
fi
break;
;;
esac; done
which openssl >/dev/null || exit 1 which openssl >/dev/null || exit 1
. ./inc_config.sh . ./inc_config.sh
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: loading the config failed." _we "Loading the config failed."
echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it." echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it."
echo echo
exit 1 exit 1
...@@ -831,22 +1005,22 @@ _testStaging ...@@ -831,22 +1005,22 @@ _testStaging
test -z "${CM_diracme}" && CM_diracme=./certs test -z "${CM_diracme}" && CM_diracme=./certs
test -z "${CM_dircsr}" && CM_dircsr=./csr test -z "${CM_dircsr}" && CM_dircsr=./csr
grep "function\ public_$1" $( basename $0 ) >/dev/null grep "function public_$1" "$( basename "$0" )" >/dev/null
if [ $# -gt 0 -a $? -eq 0 ]; then if [ $# -gt 0 -a $? -eq 0 ]; then
# _wd $* # _wd $*
action=$1 action=$1
CM_fqdn=$2 CM_fqdn=$2
shift 2 shift 2
_testFqdncount $CM_fqdn $* _testFqdncount "$CM_fqdn" $*
test -z "${ACME}" && ACME=$( which acme.sh ) test -z "${ACME}" && ACME=$( which acme.sh )
if [ ! -x "${ACME}" ]; then if [ ! -x "${ACME}" ]; then
echo "ERROR: acme.sh not found. You need to install acme.sh client and configure it in inc_config.sh." _we "acme.sh not found. You need to install acme.sh client and configure it in inc_config.sh."
exit 1 exit 1
fi fi
_setenv $CM_fqdn _setenv "$CM_fqdn"
_wd "A C T I O N -->> $action <<--" _wd "A C T I O N -->> $action <<--"
_debuglog ">>> START public_$action $CM_fqdn $*" _debuglog ">>> START public_$action $CM_fqdn $*"
...@@ -854,80 +1028,11 @@ if [ $# -gt 0 -a $? -eq 0 ]; then ...@@ -854,80 +1028,11 @@ if [ $# -gt 0 -a $? -eq 0 ]; then
_debuglog ">>> DONE public_$action $CM_fqdn $*" _debuglog ">>> DONE public_$action $CM_fqdn $*"
else else
self=$( basename $0 ) _we "No valid action was specified"
cat <<EOF show_help
HELP
The basic syntax is
$self [--trace] ACTION [FQDN] [ALIAS_1 [.. ALIAS_N]]
The ACTIONs for SINGLE certificate handlings are:
add FQDN [.. FQDN-N]
create new certificate
The first FQDN is a hostname to generate the certificate for.
Following multiple hostnames will be used as DNS aliases in the
same certificate.
It updates files in ${CM_diracme}
ensure FQDN [.. FQDN-N]
It ensures that a certificate with given aliases exists and is up to date.
This param is for simple usage in automation tools like Ansible or Puppet.
It is required to add all aliases as parameters what is unhandy for
direct usage on cli.
If the cert does not exist it will be created (see "add").
If fqdn and aliases are the same like in the certificate it performs a renew.
If fqdn and aliases differ:
- the current certificate will be rejected + deleted (see "delete")
- a new certificate will be added ()
delete FQDN
delete all files of a given certificate
renew FQDN
renew (an already added) certificate
and update files in ${CM_diracme}
show FQDN
show place of certificate data and show basic certificate data
(issuer, subject, aliases, ending date)
transfer FQDN
Transfer cert from acme.sh internal cache to our output dir again.
It is done during add or renew. With transfer command you can repeat it.
ACTIONs for ALL certs
list
list all certificates including creation and renew date
list-old
list all certificates older 65 and older 90 days and exit.
Exitcodes:
0 - all certs are up to date.
1 - certificates to renew were found
2 - outdatedt certificates were found
renew-all
renew all certificates (fast mode - without --force)
and update files in ${CM_diracme}
It is useful for a cronjob.
other ACTIONs
selftest
check of health with current setup and requirements.
This command is helpful for initial setups.
OPTIONS
--trace (it must be the 1st parameter)
the output additionally will be written into a tracelog file
below $logdir.
EOF
fi fi
echo echo
_testStaging _testStaging
# ----------------------------------------------------------------------
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment