From 568bb725a732aa7d1d641d5b167d2fa72c7189c9 Mon Sep 17 00:00:00 2001
From: srvrco
Date: Thu, 17 Nov 2016 22:25:22 +0000
Subject: [PATCH] add PREVENT_NON_INTERACTIVE_RENEWAL option

---
 getssl | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/getssl b/getssl
index 85a6038..803317d 100755
--- a/getssl
+++ b/getssl
@@ -156,10 +156,11 @@
 # 2016-11-08 Add and comment optional sshuserid for ssh ACL (1.80)
 # 2016-11-09 Add SKIP_HTTP_TOKEN_CHECK option (Issue #170) (1.81)
 # 2016-11-13 bug fix DOMAIN_KEY_CERT generation (1.82)
+# 2016-11-17 add PREVENT_NON_INTERACTIVE_RENEWAL option (1.83)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="1.82"
+VERSION="1.83"
 # defaults
 CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@@ -557,7 +558,6 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
   all_auth_dns_servers=$(nslookup -type=soa -type=ns "$gad_d" "$gad_s" \
                         | awk ' $2 ~ "nameserver" {print $4}' \
                         | sed 's/\.$//g'| tr '\n' ' ')
-
   if [[ $CHECK_ALL_AUTH_DNS == "true" ]]; then
     primary_ns="$all_auth_dns_servers"
   else
@@ -665,7 +665,7 @@ get_signing_params() { # get signing parameters from key
         *) error_exit "invalid curve algorithm type $gsp_keytype";;
       esac
     fi
-    case "$crv" in
+    case "$crv" in
       P-256) jwkalg="ES256" ; signalg="sha256" ;;
       P-384) jwkalg="ES384" ; signalg="sha384" ;;
       P-521) jwkalg="ES512" ; signalg="sha512" ;;
@@ -1404,7 +1404,7 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
     # remote has longer to expiry date than local copy.
     debug "remote cert has longer to run than local cert - ignoring"
   else
-    info "remote expires sooner than local, attempting to upload from local"
+    info "remote expires sooner than local for $DOMAIN, attempting to upload from local"
     copy_file_to_location "domain certificate" \
                           "$CERT_FILE" \
                           "$DOMAIN_CERT_LOCATION"
@@ -1457,7 +1457,11 @@ if [[ -s "$CERT_FILE" ]]; then
   fi
 # end of .... if there is an existing certificate file, check details.
-
+if [[ ! -t 0 ]] && [[ "$PREVENT_NON_INTERACTIVE_RENEWAL" = "true" ]]; then
+  errmsg="$DOMAIN due for renewal, "
+  errmsg+="Did not not completed due to PREVENT_NON_INTERACTIVE_RENEWAL=true in config"
+  error_exit "$errmsg"
+fi
 # create account key if it doesn't exist.
 if [[ -s "$ACCOUNT_KEY" ]]; then
@@ -1544,10 +1548,6 @@ else
   fi
 info "Registering account"
-regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}'
-if [[ "$ACCOUNT_EMAIL" ]] ; then
-  regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
-fi
 # send the request to the ACME server.
 send_signed_request "$CA/acme/new-reg" "$regjson"
@@ -1721,7 +1721,7 @@ for d in $alldomains; do
         ftp -n <<- EOF
         open $ftphost
         user $ftpuser $ftppass
-        cd $ftplocn
+        cd $ftplocn
         delete ${token:?}
         EOF
       else
@@ -1893,6 +1893,9 @@ reload_service
 if [[ "$DEACTIVATE_AUTH" == "true" ]]; then
   debug "in deactivate list is $deactivate_url_list"
   for deactivate_url in $deactivate_url_list; do
+    resp=$(curl "$deactivate_url" 2>/dev/null)
+    d=$(json_get "$resp" "hostname")
+    info "deactivating domain $d"
     debug "deactivating $deactivate_url"
     send_signed_request "$deactivate_url" "{\"resource\": \"authz\", \"status\": \"deactivated\"}"
     # check response
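Review bot: The message assembled on the second `errmsg+=` line reads "Did not not completed", and it is what every non-interactive run blocked by this option prints before exiting; `errmsg+="Not completed due to PREVENT_NON_INTERACTIVE_RENEWAL=true in config"` says the same thing without the typo. The new option also gets no entry in the `# defaults` section that the first hunk touches, so unlike the other settings there it is neither documented nor guaranteed to be defined; adding `PREVENT_NON_INTERACTIVE_RENEWAL="false"` there with a one-line comment would fix both. The rest of the file compares flags with `==` (`[[ "$DEACTIVATE_AUTH" == "true" ]]` in the last hunk), so `= "true"` here is equivalent inside `[[ ]]` but inconsistent. Note that `-t 0` only tests whether stdin is a terminal, so a manual run with stdin redirected (for example from `/dev/null`) is also treated as non-interactive and refused.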
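Review bot: `send_signed_request "$CA/acme/new-reg" "$regjson"` on the last line of the hunk still reads `$regjson`, but the four removed lines were its only assignment visible in this patch and no other hunk adds one back, so unless `regjson` is now set earlier in the file (outside this diff) the registration request is sent with an empty body. If the assignment was moved, a short comment above the call such as `# regjson is built earlier from ACCOUNT_EMAIL and AGREEMENT` would tell the reader where it now comes from; if it was not, the removal should be reverted.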
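Review bot: `resp=$(curl "$deactivate_url" 2>/dev/null)` on the first added line discards both curl's exit status and its stderr, so when the fetch fails `resp` is empty, `json_get` runs on an empty string, and the new `info` line logs "deactivating domain " with a blank name while the real cause is hidden; `resp=$(curl -s "$deactivate_url") || debug "could not fetch $deactivate_url"` keeps the output quiet but records the failure. The hostname is stored in `d`, which the script also uses as the loop variable in `for d in $alldomains` (the header of the previous hunk); since `d` is global in bash, a name such as `deactivate_domain` avoids clobbering it should this block ever move inside that loop. The GET is an extra unauthenticated round-trip to the ACME server per authorization purely for the log line, which is presumably acceptable here but deserves a comment, e.g. `# fetch the authz only to log which hostname is being deactivated`.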