Respect domain-specific hooks when using dns-01 challenge type

[henk84]

dehydrated/dehydrated

Lines 325 to 326 in e3ef43c

	if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
	_exiterr "Challenge type dns-01 needs a hook script for deployment... cannot continue."

This check ignores a domain specific configfile containing a domain specific hook.

(I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.)

This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines.

Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them.

Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.:

domains.d/example.org/deploy_challenge
domains.d/example.org/clean_challenge
domains.d/example.org/exit_hook
domains.d/example.org/deploy_cert
domains.d/example.net/deploy_cert
default_hooks/deploy_challenge
default_hooks/clean_challenge

[henk84]

dehydrated/dehydrated

Lines 325 to 326 in e3ef43c

	if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
	_exiterr "Challenge type dns-01 needs a hook script for deployment... cannot continue."

This check ignores a domain specific configfile containing a domain specific hook.

(I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.)

This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines.

Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them.

Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.:

domains.d/example.org/deploy_challenge
domains.d/example.org/clean_challenge
domains.d/example.org/exit_hook
domains.d/example.org/deploy_cert
domains.d/example.net/deploy_cert
default_hooks/deploy_challenge
default_hooks/clean_challenge

I managed to build something similar to this.
It is based on the hook from https://ente.limmat.ch/ftp/pub/software/bash/letsencrypt/

I then added code like the following:

case "$reason" in
[…]
	deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook)
		# echo "running ${reason} hook"
		if [ -x "domains.d/${HOST}_hooks/${reason}.sh" ]
		then
			domains.d/${HOST}_hooks/${reason}.sh "${@}"
		elif [ -x "domains.d/hooks/common-${reason}.sh" ]
		then
			domains.d/hooks/common-${reason}.sh "${@}"
		else
			# echo "No hook for ${reason} found to run"
			reason="nothing to do!"
		fi
		;;

Example for a "common" hook:

#!/usr/bin/env bash

REASON="${1}" DOMAIN="${2}" KEYFILE="${3}" CERTFILE="${4}" FULLCHAINFILE="${5}" CHAINFILE="${6}" TIMESTAMP="${7}"

. domains.d/${DOMAIN}_vars

for srv in ${servers[@]}
do
	rsync \
		--copy-links \
		--human-readable \
		--verbose \
		--partial \
		--progress \
		--chown=root:ssl-cert \
		--chmod=0644 \
		"${FULLCHAINFILE}" \
		"root@${srv}:/etc/ssl/localcerts/${DOMAIN}.crt"
	rsync \
		--copy-links \
		--human-readable \
		--verbose \
		--partial \
		--progress \
		--chown=root:ssl-cert \
		--chmod=0640 \
		"${KEYFILE}" \
		"root@${srv}:/etc/ssl/private/${DOMAIN}.key"

	for sv in ${services[@]}
	do
		ssh root@${srv} service ${sv} reload
	done
done

Issue can be closed.