Makes DNS validation selectable by domain: each SAN (additional domain) can use different validation #826

Open
wants to merge 5 commits into
base: master
29 changes: 19 additions & 10 deletions getssl
Expand Up @@ -289,6 +289,7 @@
# 2022-11-01 Add FTP_PORT
# 2023-02-04 Create newline to ensure [SAN] section can be parsed (#792)(MRigal)
# 2023-02-22 Remove cronie from deb package dependencies (2.48)
# 2023-12-06 Makes DNS validation selectable by domain (2.49)
# ----------------------------------------------------------------------------------------

case :$SHELLOPTS: in
Expand All @@ -297,7 +298,7 @@ esac

PROGNAME=${0##*/}
PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
VERSION="2.48"
VERSION="2.49"

# defaults
ACCOUNT_KEY_LENGTH=4096
Expand Down Expand Up @@ -344,7 +345,7 @@ USE_SINGLE_ACL="false"
WORKING_DIR_CANDIDATES=("/etc/getssl" "${PROGDIR}/conf" "${PROGDIR}/.getssl" "${HOME}/.getssl")

# Variables used when validating using a DNS entry
VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation
VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation or set a list of domains to only enable DNS for them.
export AUTH_DNS_SERVER="" # Use this DNS server to check the challenge token has been set
export DNS_CHECK_OPTIONS="" # Options (such as TSIG file) required by DNS_CHECK_FUNC
export PUBLIC_DNS_SERVER="" # Use this DNS server to find the authoritative DNS servers for the domain
Expand All @@ -357,6 +358,14 @@ DNS_WAIT=10 # How long to wait before checking the DNS recor
DNS_EXTRA_WAIT=60 # How long to wait after the DNS entries are visible to us before telling the ACME server to check.
DNS_WAIT_RETRY_ADD="false" # Try the dns_add_command again if the DNS record hasn't updated

validate_via_dns() { # Check dns validation. Return 0 if some domain, or the given domain, requires DNS validation.
[[ -z $VALIDATE_VIA_DNS || $VALIDATE_VIA_DNS == "false" ]] && return 1

# Only dot and wilcard are valid chars for a domain that should be escaped. Full match is ensured between espaces or commas.
local d=$1; d=${d//\./\\.}; d=${d//\*/\\*}
[[ -z $d || $VALIDATE_VIA_DNS =~ (true|(^|[ ,])${d}($|[ ,])) ]] && return 0
}

# Private variables
_CHECK_ALL=0
_CREATE_CONFIG=0
Expand Down Expand Up @@ -702,13 +711,13 @@ check_config() { # check the config files for all obvious errors
config_errors=true
fi

if [[ $VALIDATE_VIA_DNS == "true" ]]; then # using dns-01 challenge
if validate_via_dns; then # using dns-01 challenge
if [[ -z "$DNS_ADD_COMMAND" ]]; then
info "${DOMAIN}: DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS=\"true\")"
info "${DOMAIN}: DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS='${VALIDATE_VIA_DNS}')"
config_errors=true
fi
if [[ -z "$DNS_DEL_COMMAND" ]]; then
info "${DOMAIN}: DNS_DEL_COMMAND not defined (whilst VALIDATE_VIA_DNS=\"true\")"
info "${DOMAIN}: DNS_DEL_COMMAND not defined (whilst VALIDATE_VIA_DNS='${VALIDATE_VIA_DNS}')"
config_errors=true
fi
fi
Expand All @@ -721,7 +730,7 @@ check_config() { # check the config files for all obvious errors
if [[ "$(grep "^${d}$" "$tmplist")" = "$d" ]]; then
info "${DOMAIN}: $d appears to be duplicated in domain, SAN list"
config_errors=true
elif [[ "$d" != "${d##\*.}" ]] && [[ "$VALIDATE_VIA_DNS" != "true" ]]; then
elif [[ "$d" != "${d##\*.}" ]] && ! validate_via_dns "$d"; then
info "${DOMAIN}: cannot use http-01 validation for wildcard domains"
config_errors=true
else
Expand All @@ -734,7 +743,7 @@ check_config() { # check the config files for all obvious errors
DOMAIN_ACL="${ACL[$dn]}"
fi

if [[ $VALIDATE_VIA_DNS != "true" ]]; then # using http-01 challenge
if ! validate_via_dns "$d"; then # using http-01 challenge
if [[ -z "${DOMAIN_ACL}" ]]; then
info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
config_errors=true
Expand Down Expand Up @@ -949,7 +958,7 @@ check_version() { # true if version string $1 >= $2

clean_up() { # Perform pre-exit housekeeping
umask "$ORIG_UMASK"
if [[ $VALIDATE_VIA_DNS == "true" ]]; then
if validate_via_dns; then
# Tidy up DNS entries if things failed part way though.
shopt -s nullglob
for dnsfile in "$TEMP_DIR"/dns_verify/*; do
Expand Down Expand Up @@ -1408,7 +1417,7 @@ for d in "${alldomains[@]}"; do
((dn++))
else
PREVIOUSLY_VALIDATED="false"
if [[ $VALIDATE_VIA_DNS == "true" ]]; then # set up the correct DNS token for verification
if validate_via_dns "$d"; then # set up the correct DNS token for verification
if [[ $API -eq 1 ]]; then
# get the dns component of the ACME response
# get the token and uri from the dns component
Expand Down Expand Up @@ -2813,7 +2822,7 @@ write_getssl_template() { # write out the main template file
CHECK_REMOTE="true"

# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#VALIDATE_VIA_DNS="true" or "domain1,domain2,..." to use DNS validation only for listed domains.
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
