#
# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $
#
# ACME accounts. Each authority pairs a CA directory URL with the private
# key acme-client(1) uses to identify the account at that CA. Every domain
# block below signs with "letsencrypt"; the staging/test authorities are
# defined but not referenced, so they are only available for manual runs.
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
api url "https://acme-staging-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
# NOTE(review): both buypass contacts are the placeholder "me@example.com";
# confirm that is intended before relying on CA expiry/revocation notices.
authority buypass {
api url "https://api.buypass.com/acme/directory"
account key "/etc/acme/buypass-privkey.pem"
contact "mailto:me@example.com"
}
authority buypass-test {
api url "https://api.test4.buypass.no/acme/directory"
account key "/etc/acme/buypass-test-privkey.pem"
contact "mailto:me@example.com"
}
<% # One certificate per entry in @$acme_hosts, except:
#  - the two server hostnames (they get their own block at the bottom),
#  - ipv4./ipv6. subdomains (folded into the parent's alternative names).
# Assumes @$acme_hosts and @$f3s_hosts are arrayrefs of plain hostnames
# supplied by the template caller; nothing here validates them. Each $host
# is interpolated unescaped into quoted paths and config tokens below, so a
# value containing '"', whitespace or '/' would change the config structure
# (and the key/cert path) -- treat the host list as trusted configuration.
for my $host (@$acme_hosts) {
next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org';
# Skip ipv4/ipv6 subdomains - they're included as SANs in parent cert
next if $host =~ /^(ipv4|ipv6)\./;
-%>
<% # Check if this host has ipv4/ipv6 subdomains that need to be included as SANs
my @alt_names;
# Don't add www prefix for f3s hosts - they don't have DNS records for www variants
# (the same f3s check further down also suppresses the standby.<host> cert).
unless (grep { $_ eq $host } @$f3s_hosts) {
push @alt_names, "www.$host";
}
# \Q...\E quotes every regex metacharacter in $host (the dots at least), so
# the hostname is matched literally rather than as a pattern.
# NOTE(review): the trailing '$' also accepts a "\n" after the hostname;
# '\z' would be strict. Harmless for a list read from config, noted only.
for my $sub_host (@$acme_hosts) {
if ($sub_host =~ /^(ipv4|ipv6)\.\Q$host\E$/) {
push @alt_names, $sub_host;
}
}
# Rendered verbatim between the "alternative names { ... }" braces. It is
# empty for an f3s host that has no ipv4/ipv6 subdomain -- confirm that
# acme-client(1) accepts an empty alternative names block in that case.
my $alt_names_str = join(' ', @alt_names);
-%>
domain <%= $host %> {
alternative names { <%= $alt_names_str %> }
domain key "/etc/ssl/private/<%= $host %>.key"
domain full chain certificate "/etc/ssl/<%= $host %>.fullchain.pem"
sign with letsencrypt
}
<% unless (grep { $_ eq $host } @$f3s_hosts) { -%>
domain standby.<%= $host %> {
domain key "/etc/ssl/private/standby.<%= $host %>.key"
domain full chain certificate "/etc/ssl/standby.<%= $host %>.fullchain.pem"
sign with letsencrypt
}
<% } -%>
<% } -%>
# Current server's FQDN (blowfish.buetow.org or fishfinger.buetow.org)
# Each server only has its own cert, no www/standby variants for server hostnames
# $hostname and $domain are template variables from the caller; presumably
# they combine to one of the two names skipped at the top of the host loop.
domain <%= "$hostname.$domain" %> {
domain key "/etc/ssl/private/<%= "$hostname.$domain" %>.key"
domain full chain certificate "/etc/ssl/<%= "$hostname.$domain" %>.fullchain.pem"
sign with letsencrypt
}