From de2bb1d8999fc7fb3754ef8055840a851433a9ac Mon Sep 17 00:00:00 2001 From: Juan Javier Baca Date: Wed, 6 Dec 2023 23:58:31 +0100 Subject: [PATCH 1/5] Makes DNS validation selectable by domain --- getssl | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/getssl b/getssl index 30d8837b..d6d518ab 100755 --- a/getssl +++ b/getssl @@ -344,7 +344,7 @@ USE_SINGLE_ACL="false" WORKING_DIR_CANDIDATES=("/etc/getssl" "${PROGDIR}/conf" "${PROGDIR}/.getssl" "${HOME}/.getssl") # Variables used when validating using a DNS entry -VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation +VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation or set a list of domains to only enable DNS from them. export AUTH_DNS_SERVER="" # Use this DNS server to check the challenge token has been set export DNS_CHECK_OPTIONS="" # Options (such as TSIG file) required by DNS_CHECK_FUNC export PUBLIC_DNS_SERVER="" # Use this DNS server to find the authoritative DNS servers for the domain @@ -357,6 +357,14 @@ DNS_WAIT=10 # How long to wait before checking the DNS recor DNS_EXTRA_WAIT=60 # How long to wait after the DNS entries are visible to us before telling the ACME server to check. DNS_WAIT_RETRY_ADD="false" # Try the dns_add_command again if the DNS record hasn't updated +validate_via_dns() { # Check dns validation. Return 0 if some domain, or the given domain, requires DNS validation. + [[ -z $VALIDATE_VIA_DNS || $VALIDATE_VIA_DNS == "false" ]] && return 1 + + # Only dot and wilcard ard valid chars for a domain that should be escaped. Full match is ensured between espaces or commas. + local d=$1; d=${d//\./\\.}; d=${d//\*/\\*} + [[ -z $1 || $VALIDATE_VIA_DNS =~ (true|(^|[ ,])${1//\./\\.}($|[ ,])) ]] && return 0 +} + # Private variables _CHECK_ALL=0 _CREATE_CONFIG=0 @@ -702,13 +710,13 @@ check_config() { # check the config files for all obvious errors config_errors=true fi - if [[ $VALIDATE_VIA_DNS == "true" ]]; then # using dns-01 challenge + if [[ validate_via_dns ]]; then # using dns-01 challenge if [[ -z "$DNS_ADD_COMMAND" ]]; then - info "${DOMAIN}: DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS=\"true\")" + info "${DOMAIN}: DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS='${VALIDATE_VIA_DNS}')" config_errors=true fi if [[ -z "$DNS_DEL_COMMAND" ]]; then - info "${DOMAIN}: DNS_DEL_COMMAND not defined (whilst VALIDATE_VIA_DNS=\"true\")" + info "${DOMAIN}: DNS_DEL_COMMAND not defined (whilst VALIDATE_VIA_DNS='${VALIDATE_VIA_DNS}')" config_errors=true fi fi @@ -721,7 +729,7 @@ check_config() { # check the config files for all obvious errors if [[ "$(grep "^${d}$" "$tmplist")" = "$d" ]]; then info "${DOMAIN}: $d appears to be duplicated in domain, SAN list" config_errors=true - elif [[ "$d" != "${d##\*.}" ]] && [[ "$VALIDATE_VIA_DNS" != "true" ]]; then + elif [[ "$d" != "${d##\*.}" ]] && ! validate_via_dns $d; then info "${DOMAIN}: cannot use http-01 validation for wildcard domains" config_errors=true else @@ -734,7 +742,7 @@ check_config() { # check the config files for all obvious errors DOMAIN_ACL="${ACL[$dn]}" fi - if [[ $VALIDATE_VIA_DNS != "true" ]]; then # using http-01 challenge + if ! validate_via_dns $d; then # using http-01 challenge if [[ -z "${DOMAIN_ACL}" ]]; then info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg" config_errors=true @@ -949,7 +957,7 @@ check_version() { # true if version string $1 >= $2 clean_up() { # Perform pre-exit housekeeping umask "$ORIG_UMASK" - if [[ $VALIDATE_VIA_DNS == "true" ]]; then + if validate_via_dns; then # Tidy up DNS entries if things failed part way though. shopt -s nullglob for dnsfile in "$TEMP_DIR"/dns_verify/*; do @@ -1408,7 +1416,7 @@ for d in "${alldomains[@]}"; do ((dn++)) else PREVIOUSLY_VALIDATED="false" - if [[ $VALIDATE_VIA_DNS == "true" ]]; then # set up the correct DNS token for verification + if validate_via_dns $d; then # set up the correct DNS token for verification if [[ $API -eq 1 ]]; then # get the dns component of the ACME response # get the token and uri from the dns component @@ -2813,7 +2821,7 @@ write_getssl_template() { # write out the main template file CHECK_REMOTE="true" # Use the following 3 variables if you want to validate via DNS - #VALIDATE_VIA_DNS="true" + #VALIDATE_VIA_DNS="true" or "domain1,domain2,..." to use DNS validation only for listed domains. #DNS_ADD_COMMAND= #DNS_DEL_COMMAND= From 2988b1a8e549082dc1a1baf71e79e6ee52067f01 Mon Sep 17 00:00:00 2001 From: Juan Javier Baca Date: Thu, 7 Dec 2023 00:12:30 +0100 Subject: [PATCH 2/5] Fix typo in comments --- getssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/getssl b/getssl index d6d518ab..867663b7 100755 --- a/getssl +++ b/getssl @@ -360,7 +360,7 @@ DNS_WAIT_RETRY_ADD="false" # Try the dns_add_command again if the DNS recor validate_via_dns() { # Check dns validation. Return 0 if some domain, or the given domain, requires DNS validation. [[ -z $VALIDATE_VIA_DNS || $VALIDATE_VIA_DNS == "false" ]] && return 1 - # Only dot and wilcard ard valid chars for a domain that should be escaped. Full match is ensured between espaces or commas. + # Only dot and wilcard are valid chars for a domain that should be escaped. Full match is ensured between espaces or commas. local d=$1; d=${d//\./\\.}; d=${d//\*/\\*} [[ -z $1 || $VALIDATE_VIA_DNS =~ (true|(^|[ ,])${1//\./\\.}($|[ ,])) ]] && return 0 } From 521ba0f6113ff97e3ab8ef07e7de69d8459baef1 Mon Sep 17 00:00:00 2001 From: Juan Javier Baca Date: Thu, 7 Dec 2023 00:21:11 +0100 Subject: [PATCH 3/5] Fix errors reported by Lint check --- getssl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/getssl b/getssl index 867663b7..7df05a56 100755 --- a/getssl +++ b/getssl @@ -710,7 +710,7 @@ check_config() { # check the config files for all obvious errors config_errors=true fi - if [[ validate_via_dns ]]; then # using dns-01 challenge + if validate_via_dns; then # using dns-01 challenge if [[ -z "$DNS_ADD_COMMAND" ]]; then info "${DOMAIN}: DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS='${VALIDATE_VIA_DNS}')" config_errors=true @@ -729,7 +729,7 @@ check_config() { # check the config files for all obvious errors if [[ "$(grep "^${d}$" "$tmplist")" = "$d" ]]; then info "${DOMAIN}: $d appears to be duplicated in domain, SAN list" config_errors=true - elif [[ "$d" != "${d##\*.}" ]] && ! validate_via_dns $d; then + elif [[ "$d" != "${d##\*.}" ]] && ! validate_via_dns "$d"; then info "${DOMAIN}: cannot use http-01 validation for wildcard domains" config_errors=true else @@ -742,7 +742,7 @@ check_config() { # check the config files for all obvious errors DOMAIN_ACL="${ACL[$dn]}" fi - if ! validate_via_dns $d; then # using http-01 challenge + if ! validate_via_dns "$d"; then # using http-01 challenge if [[ -z "${DOMAIN_ACL}" ]]; then info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg" config_errors=true @@ -1416,7 +1416,7 @@ for d in "${alldomains[@]}"; do ((dn++)) else PREVIOUSLY_VALIDATED="false" - if validate_via_dns $d; then # set up the correct DNS token for verification + if validate_via_dns "$d"; then # set up the correct DNS token for verification if [[ $API -eq 1 ]]; then # get the dns component of the ACME response # get the token and uri from the dns component From 09f44a7f32d418bd15c6551e7fe38a24eaccd10e Mon Sep 17 00:00:00 2001 From: Juan Javier Baca Date: Thu, 7 Dec 2023 00:30:27 +0100 Subject: [PATCH 4/5] Update version and revision history --- getssl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/getssl b/getssl index 7df05a56..cdb580a7 100755 --- a/getssl +++ b/getssl @@ -289,6 +289,7 @@ # 2022-11-01 Add FTP_PORT # 2023-02-04 Create newline to ensure [SAN] section can be parsed (#792)(MRigal) # 2023-02-22 Remove cronie from deb package dependencies (2.48) +# 2023-12-06 Makes DNS validation selectable by domain (2.49) # ---------------------------------------------------------------------------------------- case :$SHELLOPTS: in @@ -297,7 +298,7 @@ esac PROGNAME=${0##*/} PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)" -VERSION="2.48" +VERSION="2.49" # defaults ACCOUNT_KEY_LENGTH=4096 From a266d2baad05735da2934b8847ee97e107f9f394 Mon Sep 17 00:00:00 2001 From: Juan Javier Baca Moreno-Torres Date: Sun, 10 Dec 2023 17:06:18 +0100 Subject: [PATCH 5/5] Fix error wrong var used and minor typos --- getssl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/getssl b/getssl index cdb580a7..50320009 100755 --- a/getssl +++ b/getssl @@ -345,7 +345,7 @@ USE_SINGLE_ACL="false" WORKING_DIR_CANDIDATES=("/etc/getssl" "${PROGDIR}/conf" "${PROGDIR}/.getssl" "${HOME}/.getssl") # Variables used when validating using a DNS entry -VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation or set a list of domains to only enable DNS from them. +VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation or set a list of domains to only enable DNS for them. export AUTH_DNS_SERVER="" # Use this DNS server to check the challenge token has been set export DNS_CHECK_OPTIONS="" # Options (such as TSIG file) required by DNS_CHECK_FUNC export PUBLIC_DNS_SERVER="" # Use this DNS server to find the authoritative DNS servers for the domain @@ -363,7 +363,7 @@ validate_via_dns() { # Check dns validation. Return 0 if some domain, or the giv # Only dot and wilcard are valid chars for a domain that should be escaped. Full match is ensured between espaces or commas. local d=$1; d=${d//\./\\.}; d=${d//\*/\\*} - [[ -z $1 || $VALIDATE_VIA_DNS =~ (true|(^|[ ,])${1//\./\\.}($|[ ,])) ]] && return 0 + [[ -z $d || $VALIDATE_VIA_DNS =~ (true|(^|[ ,])${d}($|[ ,])) ]] && return 0 } # Private variables