aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Lange <code@nerdmind.de>2022-11-02 11:40:17 +0100
committerThomas Lange <code@nerdmind.de>2022-11-02 11:51:52 +0100
commit21f43360a5f044d20caa9f9cccabe234cb2fc9a7 (patch)
tree9bb32281c7b36d2d62a24a23eef2aa7cfe9c89cb
parent35215a4678627f29fe791d51e71d5cc0dd4840f7 (diff)
downloadpainlessle-master.tar.gz
painlessle-master.tar.xz
painlessle-master.zip
Add "--server" and "--staging" optionsHEADmaster
Introduce a "--server" and "--staging" option to easily specify a custom ACME endpoint (or use of the staging server) which eliminates the hassle of manually editing the script for specifying a different ACME endpoint.
-rwxr-xr-xpackage/sbin/painless-le38
-rw-r--r--readme.md13
2 files changed, 30 insertions, 21 deletions
diff --git a/package/sbin/painless-le b/package/sbin/painless-le
index 177662d..59ac735 100755
--- a/package/sbin/painless-le
+++ b/package/sbin/painless-le
@@ -14,23 +14,19 @@
# TARGET_DIR: Path to the target directory for the certificate files. #
# DNS_DOMAIN: One or more DNS hostnames to include in the certficate. #
# #
-# OPTION [-K]: Filename of the existing private key in target directory. #
-# OPTION [-I]: Filename for the intermediate certificate in target directory. #
-# OPTION [-C]: Filename for the standalone certificate in target directory. #
-# OPTION [-F]: Filename for the certificate+intermediate in target directory. #
+# [-K name]: Filename of the existing private key in target directory. #
+# [-I name]: Filename for the intermediate certificate in target directory. #
+# [-C name]: Filename for the standalone certificate in target directory. #
+# [-F name]: Filename for the certificate+intermediate in target directory. #
+# [--server URL]: Specify a custom URL to an ACME endpoint. #
+# [--staging]: Use a staging server to obtain an invalid test certificate. #
# #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#===============================================================================
-# Define ACME endpoint URL
-#===============================================================================
-ACME_ENDPOINT="https://acme-v02.api.letsencrypt.org/directory"
-#ACME_ENDPOINT="https://acme-staging-v02.api.letsencrypt.org/directory"
-
-#===============================================================================
# Normalize command-line argument string
#===============================================================================
-eval set -- "$(getopt -o K:I:C:F: -- "$@")"
+eval set -- "$(getopt -o K:I:C:F: -l server:,staging -- "$@")"
#===============================================================================
# Parse command-line options
@@ -41,6 +37,8 @@ while true; do
-I) OPT_INTERMEDIATE="$2"; shift 2;;
-C) OPT_CERTIFICATE_ONLY="$2"; shift 2;;
-F) OPT_CERTIFICATE_FULL="$2"; shift 2;;
+ --server) OPT_SERVER="$2"; shift 2;;
+ --staging) OPT_STAGING=1; shift;;
--) shift; break;;
esac
done
@@ -97,10 +95,22 @@ if [ $? != 0 ]; then
fi
#===============================================================================
-# Run Certbot to accomplish the ACME challenge to get the certificate
+# Run Certbot to obtain the certificate
#===============================================================================
-certbot certonly --authenticator standalone --server "${ACME_ENDPOINT}" --csr "${REQUESTFILE}" \
- --cert-path "${CERTIFICATE_ONLY}.$$" --fullchain-path "${CERTIFICATE_FULL}.$$" --chain-path "${INTERMEDIATE}.$$"
+CERTBOT_OPTIONS=(
+ "--csr" "${REQUESTFILE}"
+ "--cert-path" "${CERTIFICATE_ONLY}.$$"
+ "--chain-path" "${INTERMEDIATE}.$$"
+ "--fullchain-path" "${CERTIFICATE_FULL}.$$"
+)
+
+[ ! -z "$OPT_STAGING" ] && \
+ CERTBOT_OPTIONS+=("--staging")
+
+[ ! -z "$OPT_SERVER" ] && [ -z "$OPT_STAGING" ] && \
+ CERTBOT_OPTIONS+=("--server" "${OPT_SERVER}")
+
+certbot certonly --authenticator standalone "${CERTBOT_OPTIONS[@]}"
#===============================================================================
# Check if Certbot failed to obtain a certificate
diff --git a/readme.md b/readme.md
index 90455a3..a67981e 100644
--- a/readme.md
+++ b/readme.md
@@ -21,9 +21,6 @@ stow -t /usr/local package
Make sure that no unprivileged user has write permissions on `/usr/local/sbin`, the symlink targets (in case you've choosen `stow`) and/or the `painless-le` script, because PainlessLE is usually executed with `root` privileges.
-## Configuration
-You can change the `ACME_ENDPOINT` variable to the URL of the ACME staging API for testing purposes.
-
## Usage
~~~
painless-le [OPTIONS] TARGET_DIR DNS_DOMAIN [DNS_DOMAIN ...]
@@ -36,10 +33,12 @@ painless-le /etc/painless-le/example.org/ example.org www.example.org
* `DNS_DOMAIN`: A list of one or more DNS hostnames to include within the certificate.
### Additional command-line options:
-* `[-K]`: Filename of the existing private key in target directory. (default: `confidential.pem`)
-* `[-I]`: Filename for the intermediate certificate in target directory. (default: `intermediate.pem`)
-* `[-C]`: Filename for the standalone certificate in target directory. (default: `certificate_only.pem`)
-* `[-F]`: Filename for the certificate+intermediate in target directory. (default: `certificate_full.pem`)
+* `[-K name]`: Filename of the existing private key in target directory. (default: `confidential.pem`)
+* `[-I name]`: Filename for the intermediate certificate in target directory. (default: `intermediate.pem`)
+* `[-C name]`: Filename for the standalone certificate in target directory. (default: `certificate_only.pem`)
+* `[-F name]`: Filename for the certificate+intermediate in target directory. (default: `certificate_full.pem`)
+* `[--server URL]`: Specify a custom URL to an ACME endpoint. If `--staging` is also given, PainlessLE will ignore any `--server` option and only passes `--staging` to Certbot. (default: see `man certbot`)
+* `[--staging]`: Use a staging server to obtain an invalid test certificate. The server that is used is the same as the one which is listed as default for the `--staging` option in Certbot (see `man certbot`). (default: `FALSE`)
## Example
PainlessLE assumes that there already is an RSA/ECDSA private key file (in PEM format) in the target directory. The private key file should already have the desired UNIX permissions that the new certificate files will inherit.