|
292 | 292 | # 2024-03-16 Use FTP_PORT when deleting ftp tokens. Delete tokens when using sftp, davfs, ftpes, ftps (#693,#839) (tlhackque) |
293 | 293 | # 2024 03-16 Fix dns-01's CNAME processing. (#840) (tlhackque) |
294 | 294 | # 2024-03-17 Automatically update the ACCOUNT_EMAIL (#827) (tlhackque) |
295 | | -# 2024-08-18 Implement --new-account-key and --DEACTIVATE-account (tlhackque) |
| 295 | +# 2024-03-18 Implement --new-account-key and --DEACTIVATE-account (tlhackque) |
| 296 | +# 2024-03-18 Implement token substitution in ACLs (#267) (tlhackque) |
296 | 297 | # ---------------------------------------------------------------------------------------- |
297 | 298 |
|
298 | 299 | case :$SHELLOPTS: in |
@@ -727,6 +728,10 @@ check_config() { # check the config files for all obvious errors |
727 | 728 | else |
728 | 729 | DOMAIN_ACL="${ACL[$dn]}" |
729 | 730 | fi |
| 731 | + # shellcheck disable=SC2016 |
| 732 | + DOMAIN_ACL="$(sed -e's/\${DOMAIN}\|\$DOMAIN/'"$DOMAIN"'/g' <<<"$DOMAIN_ACL")" |
| 733 | + # shellcheck disable=SC2016 |
| 734 | + DOMAIN_ACL="$(sed -e's/\${SAN}\|\$SAN/'"$d"'/g' <<<"$DOMAIN_ACL")" |
730 | 735 |
|
731 | 736 | if [[ $VALIDATE_VIA_DNS != "true" ]]; then # using http-01 challenge |
732 | 737 | if [[ -z "${DOMAIN_ACL}" ]]; then |
@@ -1381,6 +1386,10 @@ for d in "${alldomains[@]}"; do |
1381 | 1386 | else |
1382 | 1387 | DOMAIN_ACL="${ACL[$dn]}" |
1383 | 1388 | fi |
| 1389 | + # shellcheck disable=SC2016 |
| 1390 | + DOMAIN_ACL="$(sed -e's/\${DOMAIN}\|\$DOMAIN/'"$DOMAIN"'/g' <<<"$DOMAIN_ACL")" |
| 1391 | + # shellcheck disable=SC2016 |
| 1392 | + DOMAIN_ACL="$(sed -e's/\${SAN}\|\$SAN/'"$d"'/g' <<<"$DOMAIN_ACL")" |
1384 | 1393 |
|
1385 | 1394 | # request a challenge token from ACME server |
1386 | 1395 | if [[ $API -eq 1 ]]; then |
@@ -2759,11 +2768,13 @@ write_domain_template() { # write out a template file for a domain. |
2759 | 2768 | # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username, |
2760 | 2769 | # password, host, port (explicitly needed even if using default port 443) and path on the server. |
2761 | 2770 | # Multiple locations can be defined for a file by separating the locations with a semi-colon. |
| 2771 | + # The tokens '\$DOMAIN', '\${DOMAIN}', '\$SAN', and '\${SAN}' can be used to minimize the number of ACL |
| 2772 | + # entries when the challenge location follows a pattern (Often true with multiple vertual hosts). Also "USE_SINGLE_ACL": |
2762 | 2773 | #ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
2763 | 2774 | # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
2764 | 2775 | # 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
2765 | 2776 | # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge' |
2766 | | - # 'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge' |
| 2777 | + # 'davs:davsuserid:davspassword:${DOMAIN}:443:/web/.well-known/acme-challenge' |
2767 | 2778 | # 'ftps:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge' |
2768 | 2779 | # 'ftpes:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') |
2769 | 2780 |
|
@@ -2878,7 +2889,7 @@ write_getssl_template() { # write out the main template file |
2878 | 2889 | # PUBLIC_DNS_SERVER="8.8.8.8" |
2879 | 2890 |
|
2880 | 2891 | # If getssl is unable to determine the authoritative nameserver for a domain |
2881 | | - # it will as you to enter AUTH_DNS_SERVER. This is a server that |
| 2892 | + # it will ask you to enter AUTH_DNS_SERVER. This is a server that |
2882 | 2893 | # can answer queries for the zone - a master or a slave, not a recursive server. |
2883 | 2894 | # AUTH_DNS_SERVER="10.0.0.14" |
2884 | 2895 | _EOF_getssl_ |
|
0 commit comments