blob: e7f4cfc840fa9c2c375a18ec12a1b30d7bc7bb0b (
plain) (
blame)
| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
 | #!/bin/sh
[ "${acme:-}" = true ] || return 0
: ${acme_email:="root@${email_domain}"}
: ${acme_keylength:='ec-256'}
acme_cert_dir=/usr/local/etc/ssl/acme
acme_standalone_port=9080
acme_user=acme
acme_home=/var/db/acme
acme_webroot=/usr/local/www/acme
acmeproxy_home=/var/spool/acmeproxy
dhparams_path=/etc/ssl/dhparams.pem
pkg install -y acme.sh
# Create dataset to persist acme data across OS rebuilds.
create_dataset -o "mountpoint=${acme_home}" "${state_dataset}/acme"
install_directory -o "$acme_user" -g "$acme_user" -m 0750 "$acme_home"
install_directory -m 0775 -o root -g "$acme_user" "$acme_cert_dir"
install_template -m 0644 /etc/cron.d/acme
if [ -n "${acme_eab_kid:-}" ]; then
  su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --eab-kid ${acme_eab_kid} --eab-hmac-key ${acme_eab_hmac_key}"
else
  su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --email ${acme_email}"
fi
if [ "${nginx_public:-}" = true ] && ! [ -f "$dhparams_path" ]; then
  openssl dhparam -out "$dhparams_path" 2048
fi
if [ "${acme_standalone:-}" != true ]; then
  install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot"
fi
acme_install_certificate(){
  _aic_group=0
  _aic_reload_cmd=
  _aic_name=
  _aic_domain=
  while getopts g:r: _aic_opt; do
    case $_aic_opt in
      g) _aic_group=$OPTARG ;;
      r) _aic_reload_cmd=$OPTARG ;;
    esac
  done
  shift $((OPTIND - 1))
  _aic_name=$1; shift
  _aic_key_path="${acme_cert_dir}/${_aic_name}.key"
  _aic_cert_path="${acme_cert_dir}/${_aic_name}.crt"
  _aic_ca_path="${acme_cert_dir}/${_aic_name}.ca.crt"
  _aic_firstdomain=$1
  _aic_domain_args=''
  for _aic_domain; do
    _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}"
  done
  # Acquire the certificate via HTTP ACME challenge.
  if [ "${acme_standalone:-}" = true ]; then
     su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httpport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
  else
    su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
  fi
  case $_aic_rc in
    0) ;; # New cert was issued.
    2) ;; # Cert was unchanged.
    *) die "failed to issue ACME certificate for: $*" ;;
  esac
  # Install the certificate to the requested location.
  if [ -f "$_aic_key_path" ]; then
    chmod 640 "$_aic_key_path"
    chown "${acme_user}:${_aic_group}" "$_aic_key_path"
  else
    install -o "$acme_user" -g "$_aic_group" -m 0640 /dev/null "$_aic_key_path"
  fi
  if [ -n "$_aic_reload_cmd" ]; then
    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} --reloadcmd '${_aic_reload_cmd}'"
  else
    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} "
  fi
}
acme_setup_proxy(){
  [ -n "${acmeproxy_domains:-}" ] || return 0
  install_directory -o root -g wheel -m 0755 "$acmeproxy_home"
  install_directory -o "$acme_user" -g "${acmeproxy_client_gid:-${acmeproxy_client_group}}" -m 0750 "${acmeproxy_home}/certs"
  # Configure SSHD for acmeproxy.
  install_template -m 0644 /usr/local/etc/ssh/sshd_config.d/acmeproxy.conf
  service openssh reload
  # Acquire ACME certificates for client SFTP.
  for domain in $acmeproxy_domains; do
    su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} -d ${domain}" && _asp_rc=$? || _asp_rc=$?
    case $_asp_rc in
      0) ;; # New cert was issued.
      2) ;; # Cert was unchanged.
      *) die "failed to issue ACME certificate for ${domain}" ;;
    esac
    _asp_cert="${acmeproxy_home}/certs/${domain}.crt"
    _asp_key="${acmeproxy_home}/certs/${domain}.key"
    _asp_group="${acmeproxy_client_gid:-${acmeproxy_client_group}}"
    if [ -f "$_asp_key" ]; then
      chmod 640 "$_asp_key"
      chown "${acme_user}:${_asp_group}" "$_asp_key"
    else
      install -o "$acme_user" -g "$_asp_group" -m 0640 /dev/null "$_asp_key"
    fi
    su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${domain} --key-file ${_asp_key} --fullchain-file ${_asp_cert}"
  done
}
 |