@hdonnay
Last active January 10, 2017 01:11
acmetool tls-sni hook
#!/bin/sh
# Provided in the public domain.
#
# acmetool challenge-tls-sni-{start,stop} hook for nginx.
# This works best as a suid hook: it writes into the nginx config directory
# and reloads nginx, so it needs root.
#
# acmetool passes the event name as $1, the hostname being validated as $2
# and the validation SNI hostname (under .acme.invalid) as $4; the challenge
# certificate followed by its private key arrive on stdin in PEM form.
#
# nginx may complain about the server_name being too long (the default
# server_names_hash_bucket_size is too small for .acme.invalid names).
# Either raise server_names_hash_bucket_size in the http block, or the
# commented out pattern below should work.
NGINX_SITES=/etc/nginx/sites-enabled
cfg="$NGINX_SITES/challenge-$2"
pem="${TMPDIR:-/tmp}/challenge-$2.pem"

# The bundle contains a private key: keep the files written here out of
# reach of other users (nginx reads them as root during the reload).
umask 077

case "$1" in
challenge-tls-sni-start)
    cat - >"$pem"
    # Key: everything from the PRIVATE KEY header to the end of the input.
    sed -n '/BEGIN EC PRIVATE KEY/,$p' < "$pem" > "${pem}.key"
    # Certificate: everything from the first line to END CERTIFICATE
    # ('1,/re/' instead of GNU-only '0,/re/'; line 1 is the BEGIN line).
    sed -n '1,/END CERTIFICATE/p' < "$pem" > "${pem}.crt"
    cat <<EOF > "$cfg"
server {
    listen 443 ssl;
    #server_name .acme.invalid;
    server_name $4;
    ssl_certificate ${pem}.crt;
    ssl_certificate_key ${pem}.key;
    location / {
        default_type text/plain;
        return 200 "";
    }
}
EOF
    echo "$1 $2" >&2
    exec service nginx reload
    ;;
challenge-tls-sni-stop)
    # Also removes the .crt and .key files split out above.
    rm -f "$cfg" "$pem"*
    echo "$1 $2" >&2
    exec service nginx reload
    ;;
*)
    # Other event types are not handled by this hook.
    exit 42
    ;;
esac
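The two sed lines above assume a single certificate and an EC key. As an added example that is not part of the gist, the split below accepts a certificate chain and any PEM private-key type, and checks that no key material ends up in the certificate file; the function names and the sample bundle are constructed for this illustration.

```shell
# split_pem_bundle BUNDLE OUTBASE: write OUTBASE.crt (every CERTIFICATE
# block, so an included chain survives) and OUTBASE.key (the PRIVATE KEY
# block, whatever the key type) from a cert-then-key PEM bundle.
split_pem_bundle() {
    bundle=$1
    out=$2
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$bundle" > "$out.crt"
    awk '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/' "$bundle" > "$out.key"
}

# pem_well_formed FILE KIND: succeed if FILE holds at least one KIND block
# and every BEGIN line has a matching END line.
pem_well_formed() {
    begins=$(grep -c "^-----BEGIN .*$2-----$" "$1" || true)
    ends=$(grep -c "^-----END .*$2-----$" "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# make_sample_bundle FILE: constructed stand-in for what acmetool pipes to
# the hook (leaf cert, issuer cert, EC key); the bodies are not real DER.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertificateBody
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCconstructedPrivateKeyBody
-----END EC PRIVATE KEY-----
EOF
}

# demo_split: run the split on the constructed bundle in a scratch dir and
# succeed only if the cert file holds no key material and vice versa.
demo_split() {
    dir=$(mktemp -d) || return 1
    make_sample_bundle "$dir/bundle.pem"
    split_pem_bundle "$dir/bundle.pem" "$dir/challenge"
    pem_well_formed "$dir/challenge.crt" CERTIFICATE &&
        pem_well_formed "$dir/challenge.key" "PRIVATE KEY" &&
        ! grep -q "PRIVATE KEY" "$dir/challenge.crt" &&
        ! grep -q CERTIFICATE "$dir/challenge.key"
    status=$?
    rm -rf "$dir"
    return $status
}
```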