A start at implementing --dry-run
diff --git a/dehydrated b/dehydrated | |
index 6c59db5..e1d1775 100755 | |
--- a/dehydrated | |
+++ b/dehydrated | |
@@ -506,6 +506,7 @@ load_config() { | |
[[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}" | |
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}" | |
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}" | |
+ [[ -n "${PARAM_DRY_RUN:-}" ]] && DRY_RUN="${PARAM_DRY_RUN}" | |
if [ ! "${1:-}" = "noverify" ]; then | |
verify_config | |
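Review bot: `DRY_RUN` is only assigned on the added line when `PARAM_DRY_RUN` is set, and this diff adds no default for it anywhere, yet the later hunks in command_sign_domains, command_revoke and command_cleanup all read `"${DRY_RUN}"` with no `:-` fallback. If the script runs under `set -u` — dehydrated appears to — a normal run without `--dry-run` would then abort with an unbound-variable error at the first of those tests; without `-u` it only works by accident because the empty string happens not to equal `yes`. Make the assignment unconditional, `DRY_RUN="${PARAM_DRY_RUN:-no}"`, or initialise `DRY_RUN="no"` alongside the other config defaults, which are outside this hunk. load_config itself begins outside the hunk.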
@@ -1637,48 +1638,51 @@ command_sign_domains() { | |
local update_ocsp | |
update_ocsp="no" | |
- # Sign certificate for this domain | |
- if [[ ! "${skip}" = "yes" ]]; then | |
- update_ocsp="yes" | |
- [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr" | |
- if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then | |
- skip_exit_hook=yes | |
- sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} & | |
- wait $! || exit_with_errorcode=1 | |
- skip_exit_hook=no | |
- else | |
- sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} | |
+ # Do not renew on dry-run | |
+ if [[ ! "${DRY_RUN}" = "yes" ]]; then | |
+ # Sign certificate for this domain | |
+ if [[ ! "${skip}" = "yes" ]]; then | |
+ update_ocsp="yes" | |
+ [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr" | |
+ if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then | |
+ skip_exit_hook=yes | |
+ sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} & | |
+ wait $! || exit_with_errorcode=1 | |
+ skip_exit_hook=no | |
+ else | |
+ sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} | |
+ fi | |
fi | |
- fi | |
- if [[ "${OCSP_FETCH}" = "yes" ]]; then | |
- local ocsp_url | |
- ocsp_url="$(get_ocsp_url "${cert}")" | |
+ if [[ "${OCSP_FETCH}" = "yes" ]]; then | |
+ local ocsp_url | |
+ ocsp_url="$(get_ocsp_url "${cert}")" | |
- if [[ ! -e "${certdir}/ocsp.der" ]]; then | |
- update_ocsp="yes" | |
- elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then | |
- update_ocsp="yes" | |
- fi | |
+ if [[ ! -e "${certdir}/ocsp.der" ]]; then | |
+ update_ocsp="yes" | |
+ elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then | |
+ update_ocsp="yes" | |
+ fi | |
- if [[ "${update_ocsp}" = "yes" ]]; then | |
- echo " + Updating OCSP stapling file" | |
- ocsp_timestamp="$(date +%s)" | |
- if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then | |
- ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}" | |
+ if [[ "${update_ocsp}" = "yes" ]]; then | |
+ echo " + Updating OCSP stapling file" | |
+ ocsp_timestamp="$(date +%s)" | |
+ if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then | |
+ ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}" | |
+ else | |
+ ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}" | |
+ fi | |
+ ln -sf "ocsp-${ocsp_timestamp}.der" "${certdir}/ocsp.der" | |
+ [[ -n "${HOOK}" ]] && (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code') | |
else | |
- ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}" | |
+ echo " + OCSP stapling file is still valid (skipping update)" | |
fi | |
- ln -sf "ocsp-${ocsp_timestamp}.der" "${certdir}/ocsp.der" | |
- [[ -n "${HOOK}" ]] && (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code') | |
- else | |
- echo " + OCSP stapling file is still valid (skipping update)" | |
fi | |
fi | |
done | |
reset_configvars | |
- # remove temporary domains.txt file if used | |
+ # remove temporary domains.txt file if used | |
[[ -n "${PARAM_DOMAIN:-}" ]] && rm -f "${DOMAINS_TXT}" | |
[[ -n "${HOOK}" ]] && ("${HOOK}" "exit_hook" || echo 'exit_hook returned with non-zero exit code!' >&2) | |
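Review bot: When `DRY_RUN` is `yes` the new outer `if [[ ! "${DRY_RUN}" = "yes" ]]` has no `else` arm, so a domain that is due for renewal produces no output at all and the user never learns that a signing would have happened, which is the purpose stated in the option's PARAM_Description. Add an else arm before the closing `fi` of that block that reports the decision, e.g. `[[ "${skip}" = "yes" ]] || echo " + Would sign certificate for ${domain} ${morenames} (dry-run)"`, mirroring the `Would revoke` / `Would move` messages in the other hunks. Note that `exit_hook` on the last line of the hunk still fires in dry-run mode; if that is intended, say so in the option description, since hook authors may act on it. The enclosing per-domain loop and command_sign_domains start outside the hunk.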
@@ -1763,19 +1767,23 @@ command_revoke() { | |
fi | |
[[ -f "${cert}" ]] || _exiterr "Could not find certificate ${cert}" | |
- echo "Revoking ${cert}" | |
- | |
- cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)" | |
- if [[ ${API} -eq 1 ]]; then | |
- response="$(signed_request "${CA_REVOKE_CERT}" '{"resource": "revoke-cert", "certificate": "'"${cert64}"'"}' | clean_json)" | |
+ if [[ "${DRY_RUN}" == "yes" ]]; then | |
+ echo "Would revoke ${cert}" | |
else | |
- response="$(signed_request "${CA_REVOKE_CERT}" '{"certificate": "'"${cert64}"'"}' | clean_json)" | |
+ echo "Revoking ${cert}" | |
+ | |
+ cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)" | |
+ if [[ ${API} -eq 1 ]]; then | |
+ response="$(signed_request "${CA_REVOKE_CERT}" '{"resource": "revoke-cert", "certificate": "'"${cert64}"'"}' | clean_json)" | |
+ else | |
+ response="$(signed_request "${CA_REVOKE_CERT}" '{"certificate": "'"${cert64}"'"}' | clean_json)" | |
+ fi | |
+ # if there is a problem with our revoke request _request (via signed_request) will report this and "exit 1" out | |
+ # so if we are here, it is safe to assume the request was successful | |
+ echo " + Done." | |
+ echo " + Renaming certificate to ${cert}-revoked" | |
+ mv -f "${cert}" "${cert}-revoked" | |
fi | |
- # if there is a problem with our revoke request _request (via signed_request) will report this and "exit 1" out | |
- # so if we are here, it is safe to assume the request was successful | |
- echo " + Done." | |
- echo " + Renaming certificate to ${cert}-revoked" | |
- mv -f "${cert}" "${cert}-revoked" | |
} | |
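Review bot: The dry-run test here is written `[[ "${DRY_RUN}" == "yes" ]]` while the equivalent tests in command_sign_domains and command_cleanup use `=`, as does the rest of the file (`[[ ! "${skip}" = "yes" ]]`); pick one form across the three hunks. The `else` arm also re-indents the whole original revoke body, which inflates the diff and will conflict with any other change to this function; a guard clause that prints `Would revoke ${cert}` and then `return 0`, placed where the original `echo "Revoking ${cert}"` was, leaves the existing body untouched. The `[[ -f "${cert}" ]]` check still runs before the dry-run branch, which is right — a dry run should report missing input the same way a real run would. command_revoke's signature is outside the hunk.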
# Usage: --deactivate | |
@@ -1846,8 +1854,12 @@ command_cleanup() { | |
# Check if current file is in use, if unused move to archive directory | |
filename="$(basename "${file}")" | |
if [[ ! "$(unknown)" = "${current}" ]]; then | |
- echo "Moving unused file to archive directory: ${certname}/$(unknown)" | |
- mv "${certdir}/$(unknown)" "${archivedir}/$(unknown)" | |
+ if [[ "${DRY_RUN}" = "yes" ]]; then | |
+ echo "Would move unused file to archive directory: ${certname}/$(unknown)" | |
+ else | |
+ echo "Moving unused file to archive directory: ${certname}/$(unknown)" | |
+ mv "${certdir}/$(unknown)" "${archivedir}/$(unknown)" | |
+ fi | |
fi | |
done | |
done | |
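Review bot: The dry-run branch and the real branch carry two near-identical message strings and path expressions (rendered here as `$(unknown)`, presumably `${filename}` in the actual file), so the two will drift the first time one is edited. A single message with a verb chosen up front keeps them aligned: `local verb="Moving"; [[ "${DRY_RUN}" = "yes" ]] && verb="Would move"`, then one `echo "${verb} unused file to archive directory: ..."` and `[[ "${DRY_RUN}" = "yes" ]] || mv ...`. Separately, if `${archivedir}` is created earlier in command_cleanup (outside this hunk, so I cannot confirm), that `mkdir` is still a write that a dry run should skip or at least announce. The enclosing loops begin outside the hunk.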
@@ -2100,6 +2112,13 @@ main() { | |
PARAM_KEY_ALGO="${1}" | |
;; | |
+ # PARAM_Usage: --dry-run | |
+ # PARAM_Description: Show which actions would be performed without executing them | |
+ --dry-run) | |
+ shift 1 | |
+ PARAM_DRY_RUN="yes" | |
+ ;; | |
+ | |
*) | |
echo "Unknown parameter detected: ${1}" >&2 | |
echo >&2 |
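Review bot: `--dry-run` is accepted for every command, but this diff only consults `DRY_RUN` in the sign, revoke and cleanup paths; with other commands such as `--deactivate` the flag is silently ignored and the action runs for real, which is the opposite of what someone passing `--dry-run` expects. Either reject the flag where the command is dispatched (outside this hunk) when the chosen command does not support it, or at minimum state the limitation in the help text that is generated from these comments: `# PARAM_Description: Show which actions would be performed without executing them (supported for signing, --revoke and --cleanup)`. The enclosing `case` and main start outside the hunk.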