[Eisfair] Certs_dehydrated dns-01 challenge with Cloudflare

Christian Richter christian at richter-ch.de
Thu Nov 5 11:39:59 CET 2020


On 05.11.20 at 09:13, Juergen Edner wrote:
> Hello Christian,
> 
>> Here is an excerpt from the script, with the curl call
>>
>> dosenbrot # perl certs-download-mozilla-ca-bundle.pl
>                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> what is the point of wanting to download the CA bundles via a
> certs_dehydrated hook? I don't understand that. You put the
> root certificates on your server once and that's it.
> 

Hello Jürgen,

*Ashes on my head*
That was absolute bullshit that I wrote there.
I simply copied and pasted the wrong text into the
newsgroup.

This is actually what I wanted to write.


> #!/usr/bin/env bash
> 
> prefix="_acme-challenge."
> 
> # see https://stackoverflow.com/questions/59895/how-to-get-the-source-directory-of-a-bash-script-from-within-the-script-itself
> hookDirectory=$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )
> configFile="${hookDirectory}/config.sh"
> 
> deploy_challenge() {
>     local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
>     local data response="${hookDirectory}/${DOMAIN}.txt"
> 
>     # config.sh provides: zones (the Cloudflare zone id), api_token,
>     # or email + global_api_key as fallback
>     . "${configFile}"
> 
>     # Build the JSON body with jq so the record name and token are
>     # quoted correctly instead of splicing unquoted variables into a string
>     data=$(jq -cn --arg name "${prefix}${DOMAIN}" --arg content "${TOKEN_VALUE}" \
>         '{type:"TXT", name:$name, content:$content, ttl:120, priority:10, proxied:false}')
> 
>     # The API response is kept in ${response} (the record id in it is needed
>     # to delete the TXT record later); tee keeps stdout for jq, which with
>     # "curl -o file | jq" would otherwise read nothing.
>     if [ -z "${api_token}" ]; then
>         # New-style API token not found, fall back to global API key
>         curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${zones}/dns_records" \
>             -H "X-Auth-Email: ${email}" \
>             -H "X-Auth-Key: ${global_api_key}" \
>             -H "Content-Type: application/json" \
>             --data "${data}" | tee "${response}" | jq -r '.result.id'
>     else
>         curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${zones}/dns_records" \
>             -H "Authorization: Bearer ${api_token}" \
>             -H "Content-Type: application/json" \
>             --data "${data}" | tee "${response}" | jq -r '.result.id'
>     fi
> 
>     # Add delay to get the new DNS record
>     local DELAY=10
>     echo "+++ Wait for ${DELAY} seconds. +++"
>     while [ "${DELAY}" -gt 0 ]; do
>         sleep 1
>         : $((DELAY--))
>     done
> 
>     # This hook is called once for every domain that needs to be
>     # validated, including any alternative names you may have listed.
>     #
>     # Parameters:
>     # - DOMAIN
>     #   The domain name (CN or subject alternative name) being
>     #   validated.
>     # - TOKEN_FILENAME
>     #   The name of the file containing the token to be served for HTTP
>     #   validation. Should be served by your web server as
>     #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
>     # - TOKEN_VALUE
>     #   The token value that needs to be served for validation. For DNS
>     #   validation, this is what you want to put in the _acme-challenge
>     #   TXT record. For HTTP validation it is the value that is expected
>     #   be found in the $TOKEN_FILENAME file.
> 
>     # Simple example: Use nsupdate with local named
>     # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
> }


Regards, Christian
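
The hook in the message above only creates the TXT record and then sleeps a fixed 10 seconds. As an added example (not part of the original post or of dehydrated), here is the matching cleanup half and a propagation check: `clean_challenge` deletes the record using the id saved by `deploy_challenge`, and `wait_for_txt` polls a public resolver instead of sleeping blindly. It assumes the same `config.sh` variables (`zones`, `api_token`) and the response file `${hookDirectory}/${DOMAIN}.txt`; the resolver address and retry counts are assumptions.

```shell
#!/usr/bin/env bash
# Companion functions for the Cloudflare dns-01 hook (added example).
prefix="_acme-challenge."
hookDirectory="${hookDirectory:-$(cd "$(dirname "${BASH_SOURCE:-$0}")" && pwd)}"

# Return 0 if TOKEN is one of the TXT strings in DIG_OUTPUT, which is the
# output of `dig +short TXT <name>` (one double-quoted string per line).
# Exact line match, so a token that is merely a prefix of another does not count.
txt_present() {
    local dig_output="${1}" token="${2}"
    printf '%s\n' "${dig_output}" | grep -Fxq "\"${token}\""
}

# Poll an external resolver (assumed: 1.1.1.1) until the challenge record is
# visible. Fails after MAX_TRIES so that validation is not attempted against
# a record that never appeared.
wait_for_txt() {
    local name="${1}" token="${2}" max_tries="${3:-30}" try=0
    while [ "${try}" -lt "${max_tries}" ]; do
        if txt_present "$(dig +short TXT "${name}" @1.1.1.1)" "${token}"; then
            return 0
        fi
        try=$((try + 1))
        sleep 5
    done
    echo "TXT record ${name} not visible after ${max_tries} tries" >&2
    return 1
}

# The record id lives in the raw API response that deploy_challenge stored.
record_id_from_file() {
    jq -r '.result.id' "${1}"
}

# dehydrated calls this after validation; removing the record keeps stale
# challenge tokens from piling up in the zone.
clean_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    local response="${hookDirectory}/${DOMAIN}.txt" id
    . "${hookDirectory}/config.sh"
    id=$(record_id_from_file "${response}") || return 1
    { [ -n "${id}" ] && [ "${id}" != "null" ]; } || return 1
    curl -fsS -X DELETE \
        "https://api.cloudflare.com/client/v4/zones/${zones}/dns_records/${id}" \
        -H "Authorization: Bearer ${api_token}" >/dev/null && rm -f "${response}"
}
```

Call `wait_for_txt "${prefix}${DOMAIN}" "${TOKEN_VALUE}"` at the end of `deploy_challenge` in place of the fixed sleep.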



More information about the Eisfair mailing list