From 21f43360a5f044d20caa9f9cccabe234cb2fc9a7 Mon Sep 17 00:00:00 2001 From: Thomas Lange Date: Wed, 2 Nov 2022 11:40:17 +0100 Subject: Add "--server" and "--staging" options Introduce a "--server" and "--staging" option to easily specify a custom ACME endpoint (or use of the staging server) which eliminates the hassle of manually editing the script for specifying a different ACME endpoint. --- package/sbin/painless-le | 38 ++++++++++++++++++++++++-------------- readme.md | 13 ++++++------- 2 files changed, 30 insertions(+), 21 deletions(-) diff --git a/package/sbin/painless-le b/package/sbin/painless-le index 177662d..59ac735 100755 --- a/package/sbin/painless-le +++ b/package/sbin/painless-le 
@@ -14,23 +14,19 @@ # TARGET_DIR: Path to the target directory for the certificate files. # # DNS_DOMAIN: One or more DNS hostnames to include in the certficate. # # # -# OPTION [-K]: Filename of the existing private key in target directory. # -# OPTION [-I]: Filename for the intermediate certificate in target directory. # -# OPTION [-C]: Filename for the standalone certificate in target directory. # -# OPTION [-F]: Filename for the certificate+intermediate in target directory. # +# [-K name]: Filename of the existing private key in target directory. # +# [-I name]: Filename for the intermediate certificate in target directory. # +# [-C name]: Filename for the standalone certificate in target directory. # +# [-F name]: Filename for the certificate+intermediate in target directory. # +# [--server URL]: Specify a custom URL to an ACME endpoint. # +# [--staging]: Use a staging server to obtain an invalid test certificate. # # # #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%# -#=============================================================================== -# Define ACME endpoint URL -#=============================================================================== -ACME_ENDPOINT="https://acme-v02.api.letsencrypt.org/directory" -#ACME_ENDPOINT="https://acme-staging-v02.api.letsencrypt.org/directory" - #=============================================================================== # Normalize command-line argument string #=============================================================================== -eval set -- "$(getopt -o K:I:C:F: -- "$@")" +eval set -- "$(getopt -o K:I:C:F: -l server:,staging -- "$@")" #=============================================================================== # Parse command-line options 
@@ -41,6 +37,8 @@ while true; do -I) OPT_INTERMEDIATE="$2"; shift 2;; -C) OPT_CERTIFICATE_ONLY="$2"; shift 2;; -F) OPT_CERTIFICATE_FULL="$2"; shift 2;; + --server) OPT_SERVER="$2"; shift 2;; + --staging) OPT_STAGING=1; shift;; --) shift; break;; esac done @@ -97,10 +95,22 @@ if [ $? != 0 ]; then fi #=============================================================================== -# Run Certbot to accomplish the ACME challenge to get the certificate +# Run Certbot to obtain the certificate #=============================================================================== -certbot certonly --authenticator standalone --server "${ACME_ENDPOINT}" --csr "${REQUESTFILE}" \ - --cert-path "${CERTIFICATE_ONLY}.$$" --fullchain-path "${CERTIFICATE_FULL}.$$" --chain-path "${INTERMEDIATE}.$$" +CERTBOT_OPTIONS=( + "--csr" "${REQUESTFILE}" + "--cert-path" "${CERTIFICATE_ONLY}.$$" + "--chain-path" "${INTERMEDIATE}.$$" + "--fullchain-path" "${CERTIFICATE_FULL}.$$" +) + +[ ! -z "$OPT_STAGING" ] && \ + CERTBOT_OPTIONS+=("--staging") + +[ ! -z "$OPT_SERVER" ] && [ -z "$OPT_STAGING" ] && \ + CERTBOT_OPTIONS+=("--server" "${OPT_SERVER}") + +certbot certonly --authenticator standalone "${CERTBOT_OPTIONS[@]}" #=============================================================================== # Check if Certbot failed to obtain a certificate diff --git a/readme.md b/readme.md index 90455a3..a67981e 100644 --- a/readme.md +++ b/readme.md @@ -21,9 +21,6 @@ stow -t /usr/local package Make sure that no unprivileged user has write permissions on `/usr/local/sbin`, the symlink targets (in case you've choosen `stow`) and/or the `painless-le` script, because PainlessLE is usually executed with `root` privileges. -## Configuration -You can change the `ACME_ENDPOINT` variable to the URL of the ACME staging API for testing purposes. - ## Usage ~~~ painless-le [OPTIONS] TARGET_DIR DNS_DOMAIN [DNS_DOMAIN ...] 
@@ -36,10 +33,12 @@ painless-le /etc/painless-le/example.org/ example.org www.example.org * `DNS_DOMAIN`: A list of one or more DNS hostnames to include within the certificate. ### Additional command-line options: -* `[-K]`: Filename of the existing private key in target directory. (default: `confidential.pem`) -* `[-I]`: Filename for the intermediate certificate in target directory. (default: `intermediate.pem`) -* `[-C]`: Filename for the standalone certificate in target directory. (default: `certificate_only.pem`) -* `[-F]`: Filename for the certificate+intermediate in target directory. (default: `certificate_full.pem`) +* `[-K name]`: Filename of the existing private key in target directory. (default: `confidential.pem`) +* `[-I name]`: Filename for the intermediate certificate in target directory. (default: `intermediate.pem`) +* `[-C name]`: Filename for the standalone certificate in target directory. (default: `certificate_only.pem`) +* `[-F name]`: Filename for the certificate+intermediate in target directory. (default: `certificate_full.pem`) +* `[--server URL]`: Specify a custom URL to an ACME endpoint. If `--staging` is also given, PainlessLE will ignore any `--server` option and only passes `--staging` to Certbot. (default: see `man certbot`) +* `[--staging]`: Use a staging server to obtain an invalid test certificate. The server that is used is the same as the one which is listed as default for the `--staging` option in Certbot (see `man certbot`). (default: `FALSE`) ## Example PainlessLE assumes that there already is an RSA/ECDSA private key file (in PEM format) in the target directory. The private key file should already have the desired UNIX permissions that the new certificate files will inherit. -- cgit v1.2.3
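Review bot: In the header-comment hunk of `package/sbin/painless-le`, the new `[--server URL]` line does not mention that the option is ignored whenever `--staging` is also given, although the readme hunk documents exactly that behaviour; the script header is the text an operator reads when the readme is not at hand, so add the same sentence there, e.g. `# [--server URL]: Specify a custom ACME endpoint URL (ignored if --staging is set). #`. Also consider wording `--staging` as "obtain a test certificate that is not publicly trusted" rather than "an invalid test certificate", which reads as if Certbot returns a malformed file.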
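Review bot: In the `CERTBOT_OPTIONS` hunk, the guard `[ ! -z "$OPT_SERVER" ] && [ -z "$OPT_STAGING" ]` silently drops an endpoint the user explicitly asked for when `--staging` is also present. Because the two options contradict each other, it is safer to reject the combination (or at least print a warning to stderr) before calling Certbot, so that nobody ends up talking to a different ACME server than the one named on the command line without noticing. Independently, `${OPT_SERVER}` is handed to Certbot unchecked; a minimal sanity check such as `case "$OPT_SERVER" in https://*) ;; *) echo "--server must be an https:// URL" >&2; exit 1;; esac` would catch typos and plain-HTTP endpoints early, since the ACME directory URL decides where the account key and CSR are sent. Style: `[ -n "$OPT_STAGING" ]` is the idiomatic spelling of `[ ! -z "$OPT_STAGING" ]`.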
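Review bot: In the readme hunk that extends "Additional command-line options", the sentence for `[--server URL]` has a number-agreement slip: "PainlessLE will ignore any `--server` option and only passes `--staging`" should read "and only pass `--staging`". The `(default: see `man certbot`)` note is fine, but since the previous `## Configuration` section (which pointed at the hard-coded `ACME_ENDPOINT` variable) is removed in the same patch, state explicitly that the production Let's Encrypt endpoint is now whatever Certbot uses by default, so readers upgrading from the old version know the behaviour of a plain `painless-le` call is unchanged.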