You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

275 lines
9.3 KiB

8 years ago
8 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
8 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. # Script for acme.sh to deploy certificates to haproxy
  3. #
  4. # The following variables can be exported:
  5. #
  6. # export DEPLOY_HAPROXY_PEM_NAME="${domain}.pem"
  7. #
  8. # Defines the name of the PEM file.
  9. # Defaults to "<domain>.pem"
  10. #
  11. # export DEPLOY_HAPROXY_PEM_PATH="/etc/haproxy"
  12. #
  13. # Defines location of PEM file for HAProxy.
  14. # Defaults to /etc/haproxy
  15. #
  16. # export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
  17. #
  18. # OPTIONAL: Reload command used post deploy
  19. # This defaults to be a no-op (ie "true").
  20. # It is strongly recommended to set this something that makes sense
  21. # for your distro.
  22. #
  23. # export DEPLOY_HAPROXY_ISSUER="no"
  24. #
  25. # OPTIONAL: Places CA file as "${DEPLOY_HAPROXY_PEM}.issuer"
  26. # Note: Required for OCSP stapling to work
  27. #
  28. # export DEPLOY_HAPROXY_BUNDLE="no"
  29. #
  30. # OPTIONAL: Deploy this certificate as part of a multi-cert bundle
  31. # This adds a suffix to the certificate based on the certificate type
  32. # eg RSA certificates will have .rsa as a suffix to the file name
  33. # HAProxy will load all certificates and provide one or the other
  34. # depending on client capabilities
  35. # Note: This functionality requires HAProxy was compiled against
  36. # a version of OpenSSL that supports this.
  37. #
  38. ######## Public functions #####################
  39. #domain keyfile certfile cafile fullchain
  40. haproxy_deploy() {
  41. _cdomain="$1"
  42. _ckey="$2"
  43. _ccert="$3"
  44. _cca="$4"
  45. _cfullchain="$5"
  46. # Some defaults
  47. DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
  48. DEPLOY_HAPROXY_PEM_NAME_DEFAULT="${_cdomain}.pem"
  49. DEPLOY_HAPROXY_BUNDLE_DEFAULT="no"
  50. DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
  51. DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
  52. if [ -f "${DOMAIN_CONF}" ]; then
  53. # shellcheck disable=SC1090
  54. . "${DOMAIN_CONF}"
  55. fi
  56. _debug _cdomain "${_cdomain}"
  57. _debug _ckey "${_ckey}"
  58. _debug _ccert "${_ccert}"
  59. _debug _cca "${_cca}"
  60. _debug _cfullchain "${_cfullchain}"
  61. # PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
  62. if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
  63. Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
  64. _savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
  65. elif [ -z "${Le_Deploy_haproxy_pem_path}" ]; then
  66. Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
  67. fi
  68. # Ensure PEM_PATH exists
  69. if [ -d "${Le_Deploy_haproxy_pem_path}" ]; then
  70. _debug "PEM_PATH ${Le_Deploy_haproxy_pem_path} exists"
  71. else
  72. _err "PEM_PATH ${Le_Deploy_haproxy_pem_path} does not exist"
  73. return 1
  74. fi
  75. # PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
  76. if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
  77. Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
  78. _savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
  79. elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then
  80. Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
  81. fi
  82. # BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
  83. if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
  84. Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
  85. _savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
  86. elif [ -z "${Le_Deploy_haproxy_bundle}" ]; then
  87. Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
  88. fi
  89. # ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
  90. if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
  91. Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
  92. _savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
  93. elif [ -z "${Le_Deploy_haproxy_issuer}" ]; then
  94. Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
  95. fi
  96. # RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  97. if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
  98. Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
  99. _savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
  100. elif [ -z "${Le_Deploy_haproxy_reload}" ]; then
  101. Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  102. fi
  103. # Set the suffix depending if we are creating a bundle or not
  104. if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
  105. _info "Bundle creation requested"
  106. # Initialise $Le_Keylength if its not already set
  107. if [ -z "${Le_Keylength}" ]; then
  108. Le_Keylength=""
  109. fi
  110. if _isEccKey "${Le_Keylength}"; then
  111. _info "ECC key type detected"
  112. _suffix=".ecdsa"
  113. else
  114. _info "RSA key type detected"
  115. _suffix=".rsa"
  116. fi
  117. else
  118. _suffix=""
  119. fi
  120. _debug _suffix "${_suffix}"
  121. # Set variables for later
  122. _pem="${Le_Deploy_haproxy_pem_path}/${Le_Deploy_haproxy_pem_name}${_suffix}"
  123. _issuer="${_pem}.issuer"
  124. _ocsp="${_pem}.ocsp"
  125. _reload="${Le_Deploy_haproxy_reload}"
  126. _info "Deploying PEM file"
  127. # Create a temporary PEM file
  128. _temppem="$(_mktemp)"
  129. _debug _temppem "${_temppem}"
  130. cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
  131. _ret="$?"
  132. # Check that we could create the temporary file
  133. if [ "${_ret}" != "0" ]; then
  134. _err "Error code ${_ret} returned during PEM file creation"
  135. [ -f "${_temppem}" ] && rm -f "${_temppem}"
  136. return ${_ret}
  137. fi
  138. # Move PEM file into place
  139. _info "Moving new certificate into place"
  140. _debug _pem "${_pem}"
  141. cat "${_temppem}" >"${_pem}"
  142. _ret=$?
  143. # Clean up temp file
  144. [ -f "${_temppem}" ] && rm -f "${_temppem}"
  145. # Deal with any failure of moving PEM file into place
  146. if [ "${_ret}" != "0" ]; then
  147. _err "Error code ${_ret} returned while moving new certificate into place"
  148. return ${_ret}
  149. fi
  150. # Update .issuer file if requested
  151. if [ "${Le_Deploy_haproxy_issuer}" = "yes" ]; then
  152. _info "Updating .issuer file"
  153. _debug _issuer "${_issuer}"
  154. cat "${_cca}" >"${_issuer}"
  155. _ret="$?"
  156. if [ "${_ret}" != "0" ]; then
  157. _err "Error code ${_ret} returned while copying issuer/CA certificate into place"
  158. return ${_ret}
  159. fi
  160. else
  161. [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
  162. fi
  163. # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
  164. if [ -z "${Le_OCSP_Staple}" ]; then
  165. Le_OCSP_Staple="0"
  166. fi
  167. if [ "${Le_OCSP_Staple}" = "1" ]; then
  168. _info "Updating OCSP stapling info"
  169. _debug _ocsp "${_ocsp}"
  170. _info "Extracting OCSP URL"
  171. _ocsp_url=$(openssl x509 -noout -ocsp_uri -in "${_pem}")
  172. _debug _ocsp_url "${_ocsp_url}"
  173. # Only process OCSP if URL was present
  174. if [ "${_ocsp_url}" != "" ]; then
  175. # Extract the hostname from the OCSP URL
  176. _info "Extracting OCSP URL"
  177. _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3)
  178. _debug _ocsp_host "${_ocsp_host}"
  179. # Only process the certificate if we have a .issuer file
  180. if [ -r "${_issuer}" ]; then
  181. # Check if issuer cert is also a root CA cert
  182. _subjectdn=$(openssl x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
  183. _debug _subjectdn "${_subjectdn}"
  184. _issuerdn=$(openssl x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
  185. _debug _issuerdn "${_issuerdn}"
  186. _info "Requesting OCSP response"
  187. # If the issuer is a CA cert then our command line has "-CAfile" added
  188. if [ "${_subjectdn}" = "${_issuerdn}" ]; then
  189. _cafile_argument="-CAfile \"${_issuer}\""
  190. else
  191. _cafile_argument=""
  192. fi
  193. _debug _cafile_argument "${_cafile_argument}"
  194. # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
  195. _openssl_version=$(openssl version | cut -d' ' -f2)
  196. _debug _openssl_version "${_openssl_version}"
  197. _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
  198. _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
  199. if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
  200. _header_sep="="
  201. else
  202. _header_sep=" "
  203. fi
  204. # Request the OCSP response from the issuer and store it
  205. _openssl_ocsp_cmd="openssl ocsp \
  206. -issuer \"${_issuer}\" \
  207. -cert \"${_pem}\" \
  208. -url \"${_ocsp_url}\" \
  209. -header Host${_header_sep}\"${_ocsp_host}\" \
  210. -respout \"${_ocsp}\" \
  211. -verify_other \"${_issuer}\" \
  212. ${_cafile_argument} \
  213. | grep -q \"${_pem}: good\""
  214. _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
  215. eval "${_openssl_ocsp_cmd}"
  216. _ret=$?
  217. else
  218. # Non fatal: No issuer file was present so no OCSP stapling file created
  219. _err "OCSP stapling in use but no .issuer file was present"
  220. fi
  221. else
  222. # Non fatal: No OCSP url was found int the certificate
  223. _err "OCSP update requested but no OCSP URL was found in certificate"
  224. fi
  225. # Non fatal: Check return code of openssl command
  226. if [ "${_ret}" != "0" ]; then
  227. _err "Updating OCSP stapling failed with return code ${_ret}"
  228. fi
  229. else
  230. # An OCSP file was already present but certificate did not have OCSP extension
  231. if [ -f "${_ocsp}" ]; then
  232. _err "OCSP was not requested but .ocsp file exists."
  233. # Could remove the file at this step, although HAProxy just ignores it in this case
  234. # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file"
  235. fi
  236. fi
  237. # Reload HAProxy
  238. _debug _reload "${_reload}"
  239. eval "${_reload}"
  240. _ret=$?
  241. if [ "${_ret}" != "0" ]; then
  242. _err "Error code ${_ret} during reload"
  243. return ${_ret}
  244. else
  245. _info "Reload successful"
  246. fi
  247. return 0
  248. }