acme-common: use validation_method option instead of guessing
authorSergey Ponomarev <stokito@gmail.com>
Wed, 28 Feb 2024 19:59:27 +0000 (21:59 +0200)
committerJosef Schlehofer <pepe.schlehofer@gmail.com>
Tue, 5 Mar 2024 21:20:48 +0000 (22:20 +0100)
The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot

The logic is preserved: if validation_method wasn't set explicitly, it is guessed in the old manner.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
(cherry picked from commit 7d07c75154d8d77b39db1012493a21ef02cbf5bb)

net/acme-common/files/acme.config
net/acme-common/files/acme.init

index 75fd1cf096a3929e38ddb0c47f12d72e3cb69185..c67c24e78b7ab4d1e8c608c0f3c9ec82dd492593 100644 (file)
@@ -8,6 +8,7 @@ config cert 'example_wildcard'
        list domains example.org
        list domains sub.example.org
        list domains *.sub.example.org
+       option validation_method dns
        option dns "dns_freedns"
        list credentials 'FREEDNS_User="ssladmin@example.org"'
        list credentials 'FREEDNS_Password="1234"'
@@ -19,3 +20,4 @@ config cert 'example'
        option staging 1
        list domains example.org
        list domains sub.example.org
+       validation_method webroot
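Review bot: The added line `validation_method webroot` is missing the `option` keyword that the same setting carries in the first hunk (`option validation_method dns`); UCI treats a bare word at that position as a parse error, and since this file is the shipped default config, the whole file (both sections) becomes unreadable until it is corrected. Change it to `option validation_method webroot`. Loading the file once with uci in the package's test run would have caught this.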
index a97856496ececfe2bcbacfc9507f4bde4961cbe9..71ee8c0ade3a3222835429db4311412562701d80 100644 (file)
@@ -47,8 +47,8 @@ load_options() {
        export acme_server
        config_get days "$section" days
        export days
-       config_get standalone "$section" standalone 0
-       export standalone
+       config_get standalone "$section" standalone
+       [ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."
        config_get dns_wait "$section" dns_wait
        export dns_wait
 
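Review bot: The deprecation warning on the `standalone` line tells the user the option is deprecated but not what replaces it, which is the one thing they need; suggest `log warn "Option \"standalone\" is deprecated, use \"option validation_method standalone\" instead."`. Dropping `export standalone` is fine for the comparisons inside this file (`[ "$standalone" = 1 ]` still works with an empty default), but if any helper sourced or executed outside acme.init read the exported variable it would now see nothing — presumably none does, worth a quick grep. load_options starts outside the hunk.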
@@ -57,6 +57,20 @@ load_options() {
        if [ "$webroot" ]; then
                log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
        fi
+
+       config_get validation_method "$section" validation_method
+       # if validation_method isn't set then guess it
+       if [ -z "$validation_method" ]; then
+               if [ -n "$dns" ]; then
+                       validation_method="dns"
+               elif [ "$standalone" = 1 ]; then
+                       validation_method="standalone"
+               else
+                       validation_method="webroot"
+               fi
+               log warn "Please set \"option validation_method $validation_method\"."
+       fi
+       export validation_method
 }
 
 first_arg() {
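Review bot: An explicitly set `validation_method` is exported without being checked against the three accepted values, so a typo such as `validation_method web-root` skips both the `mkdir -p "$CHALLENGE_DIR"` branch and the nft rule in get_cert (hunk at lines 67-80) and the failure only surfaces at challenge time; the guess block also stays silent when `validation_method dns` is set while `dns` is empty. Validate the final value with a `case` before the export and fail the section on anything else. get_cert at line 70 ignores load_options' exit status, so it would also need `load_options "$section" || return 1` for the rejection to take effect; the warning level below reuses the `log warn` helper already used in the hunk. The start of load_options is outside the hunk, and `$dns` is presumably read by an earlier config_get there.
```shell
	# … unchanged: guess validation_method when unset …
	case "$validation_method" in
	dns|webroot|standalone) ;;
	*)
		log warn "Unknown validation_method \"$validation_method\", expected dns, webroot or standalone."
		return 1
		;;
	esac
	export validation_method
```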
@@ -70,11 +84,11 @@ get_cert() {
        [ "$enabled" = 1 ] || return
 
        load_options "$section"
-       if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
+       if [ "$validation_method" = "webroot" ]; then
                mkdir -p "$CHALLENGE_DIR"
        fi
 
-       if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
+       if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
                if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
                        return 1
                fi