ACMEv2.

undp · Apr 17, 2020 · 7059684 · 7059684
1 parent 2a1dfd1
commit 7059684
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 61 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
-# We clone https://github.com/lukas2511/dehydrated no need to commit.
+# We clone https://github.com/dehydrated-io/dehydrated no need to commit.
 dehydrated
 acquia_cloud_cert_deployment/composer-stable.phar
 
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Let's Encrypt Drupal
 
-Wrapper script for https://github.com/lukas2511/dehydrated opinionated towards running in Drupal hosting environments and reporting to Slack. Slack is optional. Let's Encrypt challenge is published trough Drupal using Drush. There is no need to alter webserver settings or upload files.
+Wrapper script for https://github.com/dehydrated-io/dehydrated opinionated towards running in Drupal hosting environments and reporting to Slack. Slack is optional. Let's Encrypt challenge is published trough Drupal using Drush. There is no need to alter webserver settings or upload files.
 
 ## What it does
 
@@ -10,7 +10,7 @@ Wrapper script for https://github.com/lukas2511/dehydrated opinionated towards r
   * Add cron task.
 * Every time script gets executed (ideally once a week) it will
   * Self update check.
-  * Check if lukas2511/dehydrated is available and download it if needed.
+  * Check if dehydrated-io/dehydrated is available or download it, if needed.
   * [If] There is **no** certificate generated by this script yet.
     * Generate a key pair.
     * Register you with Let's Encrypt.
@@ -37,9 +37,9 @@ Wrapper script for https://github.com/lukas2511/dehydrated opinionated towards r
 
 ## Installation
 
-These steps are for PROD environment of PROJECT on Acquia Cloud. Can be easily adapted to other hosting environments.
+These steps are for `prod` environment of PROJECT on Acquia Cloud. Can be easily adapted to other hosting environments.
 
-* `ssh PROJECT.PROD@srv-XXXX.devcloud.hosting.acquia.com`
+* `ssh PROJECT.prod@srv-XXXX.devcloud.hosting.acquia.com`
   * (You can get the address on "Servers" tab in Acquia UI)
   * `cd ~`
   * `git clone https://github.com/morpht/letsencrypt_drupal.git`
@@ -50,7 +50,7 @@ These steps are for PROD environment of PROJECT on Acquia Cloud. Can be easily a
     * `rm -rf tmp_lea/`
     * Edit `letsencrypt_drupal/dehydrated/config.sh` 
       * You need to set your e-mail. The script provides the rest of defaults needed to get a certificate.
-      * You can alter other values as described here: https://github.com/lukas2511/dehydrated/blob/master/docs/examples/config
+      * You can alter other values as described here: https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config
     * Edit `letsencrypt_drupal/domains_site.env.txt`
       * Rename it based on site alias you are going to be using.
       * For multiple environments create multiple copies of this file.
@@ -71,7 +71,7 @@ These steps are for PROD environment of PROJECT on Acquia Cloud. Can be easily a
       * `domains_site.prod.txt`
     * `secrets.settings.php`
       * Should *not* be committed in project repository.
-      * Should be placed on Acquia server here: `/mnt/files/PROJECT.PROD/secrets.settings.php`
+      * Should be placed on Acquia server here: `/mnt/files/PROJECT.prod/secrets.settings.php`
   * Add https://www.drupal.org/project/letsencrypt_challenge module.
     * `composer require drupal/letsencrypt_challenge`
   * Commit and deploy to production.
@@ -82,7 +82,7 @@ These steps are for PROD environment of PROJECT on Acquia Cloud. Can be easily a
     * You should have 60 days of time (with default settings) even if something fails or new manual certificate upload is needed.
   * New job:
     * Job name: `LE renew cert` (just a default, feel free change it)
-    * Command: `/home/PROJECT/letsencrypt_drupal/letsencrypt_drupal.sh PROJECT PROD &>> /var/log/sites/${AH_SITE_NAME}/logs/$(hostname -s)/letsencrypt_drupal.log`
+    * Command: `/home/PROJECT/letsencrypt_drupal/letsencrypt_drupal.sh PROJECT prod &>> /var/log/sites/${AH_SITE_NAME}/logs/$(hostname -s)/letsencrypt_drupal.log`
     * Command frequency `0 7 * * 1` ( https://crontab.guru/#0_7_*_*_1 )
   * It's good idea to run the command on Acquia manually first time to check if all is OK.
 * First script run will post results/instructions to Slack.
diff --git a/example_project_config/letsencrypt_drupal/dehydrated/config.sh b/example_project_config/letsencrypt_drupal/dehydrated/config.sh
@@ -1,5 +1,5 @@
 # Only overrides here.
-# @See: https://github.com/lukas2511/dehydrated/blob/master/docs/examples/config
+# @See: https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config
 CONTACT_EMAIL="[email protected]"
 
 # Minimum days before expiration to automatically renew certificate (default: 30)
@@ -8,5 +8,4 @@ RENEW_DAYS="60"
 
 # You should use following staging URLs when experimenting with this script
 # to not hit Let's Encrypt's rate limits.
-#CA="https://acme-staging.api.letsencrypt.org/directory"
-#CA_TERMS="https://acme-staging.api.letsencrypt.org/terms"
+#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
diff --git a/functions.sh b/functions.sh
@@ -11,7 +11,7 @@ PROJECT_ROOT="/var/www/html/${PROJECT}.${ENVIRONMENT}"
 FILE_CONFIG=${PROJECT_ROOT}/letsencrypt_drupal/config_${PROJECT}.${ENVIRONMENT}.sh
 DIRECTORY_DEHYDRATED_CONFIG=${PROJECT_ROOT}/letsencrypt_drupal/dehydrated
 FILE_DOMAINSTXT=${PROJECT_ROOT}/letsencrypt_drupal/domains_${PROJECT}.${ENVIRONMENT}.txt
-DEHYDRATED="https://github.com/lukas2511/dehydrated.git"
+DEHYDRATED="https://github.com/dehydrated-io/dehydrated.git"
 CERT_DIR=~/.letsencrypt_drupal
 TMP_DIR=/tmp/letsencrypt_drupal
 FILE_BASECONFIG=${TMP_DIR}/baseconfig
@@ -47,11 +47,7 @@ slackpost()
 
   if [[ "$SLACK_WEBHOOK_URL" =~ ^https:\/\/hooks.slack.com* ]]; then
     # based on https://gist.github.com/dopiaza/6449505
-#    echo "BEFORE"
-#    echo "$TEXT"
     escapedText=$(echo $TEXT | sed 's/"/\"/g' | sed "s/'/\'/g")
-#    echo "AFTER"
-#    echo "$escapedText"
     json="{\"channel\": \"$SLACK_CHANNEL\", \"username\":\"$USERNAME\", \"icon_emoji\":\"ghost\", \"attachments\":[{\"color\":\"$COLOR\" , \"text\": \"$escapedText\"}]}"
     curl -s -d "payload=$json" "$SLACK_WEBHOOK_URL" || logline "Failed to send message to slack: ${USERNAME}: ${TEXT}"
   else
@@ -85,13 +81,39 @@ drush_set_challenge()
   TOKEN_VALUE="${4}"
 
   if [[ "${DRUPAL_VERSION}" == "7" ]]; then
+    echo "EXECUTING: drush ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge"
     drush ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge
+    echo "EXECUTING: drush ${DRUSH_ALIAS} vset -y --uri=${DOMAIN} letsencrypt_challenge \"${TOKEN_VALUE}\""
     drush ${DRUSH_ALIAS} vset -y --uri=${DOMAIN} letsencrypt_challenge "${TOKEN_VALUE}"
   elif [[ "${DRUPAL_VERSION}" == "8" ]]; then
-    drush ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge
-    drush ${DRUSH_ALIAS} sset -y --uri=${DOMAIN} letsencrypt_challenge.challenge "${TOKEN_VALUE}"
+    echo "EXECUTING: drush9 ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge"
+    drush9 ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge
+    echo "EXECUTING: drush9 ${DRUSH_ALIAS} sset -y --uri=${DOMAIN} letsencrypt_challenge.challenge \"${TOKEN_VALUE}\""
+    drush9 ${DRUSH_ALIAS} sset -y --uri=${DOMAIN} letsencrypt_challenge.challenge "${TOKEN_VALUE}"
   elif [[ "${DRUPAL_VERSION}" == "9" ]]; then
-    drush ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge
-    drush ${DRUSH_ALIAS} sset -y --uri=${DOMAIN} letsencrypt_challenge.challenge "${TOKEN_VALUE}"
+    echo "EXECUTING: drush9 ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge"
+    drush9 ${DRUSH_ALIAS} en -y --uri=${DOMAIN} letsencrypt_challenge
+    echo "EXECUTING: drush9 ${DRUSH_ALIAS} sset -y --uri=${DOMAIN} letsencrypt_challenge.challenge \"${TOKEN_VALUE}\""
+    drush9 ${DRUSH_ALIAS} sset -y --uri=${DOMAIN} letsencrypt_challenge.challenge "${TOKEN_VALUE}"
+  fi
+}
+
+drush_clean_challenge()
+{
+  DRUSH_ALIAS="${1}"
+  DRUPAL_VERSION="${2}"
+  DOMAIN="${3}"
+
+  if [[ "${DRUPAL_VERSION}" == "7" ]]; then
+    echo "EXECUTING: drush ${DRUSH_ALIAS} dis -y --uri=${DOMAIN} letsencrypt_challenge"
+    drush ${DRUSH_ALIAS} dis -y --uri=${DOMAIN} letsencrypt_challenge
+    echo "EXECUTING: drush ${DRUSH_ALIAS} pmu -y --uri=${DOMAIN} letsencrypt_challenge"
+    drush ${DRUSH_ALIAS} pmu -y --uri=${DOMAIN} letsencrypt_challenge
+  elif [[ "${DRUPAL_VERSION}" == "8" ]]; then
+    echo "EXECUTING: drush9 ${DRUSH_ALIAS} pmu -y --uri=${DOMAIN} letsencrypt_challenge"
+    drush9 ${DRUSH_ALIAS} pmu -y --uri=${DOMAIN} letsencrypt_challenge
+  elif [[ "${DRUPAL_VERSION}" == "9" ]]; then
+    echo "EXECUTING: drush9 ${DRUSH_ALIAS} pmu -y --uri=${DOMAIN} letsencrypt_challenge"
+    drush9 ${DRUSH_ALIAS} pmu -y --uri=${DOMAIN} letsencrypt_challenge
   fi
 }
diff --git a/hooks/letsencrypt_drupal_hooks.sh b/hooks/letsencrypt_drupal_hooks.sh
@@ -40,7 +40,7 @@ clean_challenge() {
     #
     # The parameters are the same as for deploy_challenge.
 
-    drush_set_challenge ${DRUSH_ALIAS} ${DRUPAL_VERSION} ${DOMAIN} "clean_challenge"
+    drush_clean_challenge ${DRUSH_ALIAS} ${DRUPAL_VERSION} ${DOMAIN}
 }
 
 deploy_cert() {
@@ -162,20 +162,3 @@ HANDLER="$1"; shift
 if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook)$ ]]; then
   "$HANDLER" "$@"
 fi
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/letsencrypt_drupal.sh b/letsencrypt_drupal.sh
@@ -76,22 +76,6 @@ main() {
       exit 1
     fi
 
-    # Workaround!
-    #
-    # @ToDo: Update to new version ASAP!
-    #
-    # New version requests all challenges for all domains at once.
-    #
-    # Our script builds on old approach where
-    # the whole challenge and verification process
-    # is proccesed site by site.
-    #
-    # Using this version from Dec 2017 works.
-    # But still includes this bug: https://github.com/dehydrated-io/dehydrated/issues/450
-    cd ${CURRENT_DIR}/dehydrated || exit
-    git checkout 2adc57791ca10ffa43c535a6f69fb77ebb0e351a
-    cd ${CURRENT_DIR} || exit
-
   else
     logline "${DEHYDRATED} is already in place - all good."
   fi
@@ -102,20 +86,16 @@ main() {
   mkdir -p ${CERT_DIR}
 
   # Generate config and create empty domains.txt
-  echo 'CA="https://acme-v01.api.letsencrypt.org/directory"' > ${FILE_BASECONFIG}
-  echo 'CA_TERMS="https://acme-v01.api.letsencrypt.org/terms"' >> ${FILE_BASECONFIG}
+  echo 'CA="https://acme-v02.api.letsencrypt.org/directory"' > ${FILE_BASECONFIG}
   echo 'CHALLENGETYPE="http-01"' >> ${FILE_BASECONFIG}
   echo 'WELLKNOWN="'${TMP_DIR}/wellknown'"' >> ${FILE_BASECONFIG}
   echo 'BASEDIR="'${CERT_DIR}'"' >> ${FILE_BASECONFIG}
   echo 'HOOK="'${CURRENT_DIR}'/hooks/letsencrypt_drupal_hooks.sh"' >> ${FILE_BASECONFIG}
   echo 'DOMAINS_TXT="'${FILE_DOMAINSTXT}'"' >> ${FILE_BASECONFIG}
+  echo 'HOOK_CHAIN="no"' >> ${FILE_BASECONFIG}
   echo 'CONFIG_D="'${DIRECTORY_DEHYDRATED_CONFIG}'"' >> ${FILE_BASECONFIG}
 
-#  # Dehydrated does not pass arbitary parameters to hooks. Save some data aside.
-#  echo ${DRUSH_ALIAS} > ${FILE_DRUSH_ALIAS}
-#  echo ${DRUPAL_VERSION} > ${FILE_DRUPAL_VERSION}
-#  echo ${PROJECT_ROOT} > ${FILE_PROJECT_ROOT}
-
+  echo "EXECUTING: ${CURRENT_DIR}/dehydrated/dehydrated --config ${FILE_BASECONFIG} --cron --accept-terms"
   DEHYDRATED_RESULT=$(${CURRENT_DIR}/dehydrated/dehydrated --config ${FILE_BASECONFIG} --cron --accept-terms 2>&1)
   if [ $? -eq 0 ]
   then