@@ -20,6 +20,9 @@ function obtain_or_renew_certificate {
2020 local acme_url=" ${5} "
2121 local mail=" ${6} "
2222 local letsencrypt_ssh_port=" ${7} "
23+ local eab=" ${8} "
24+ local hmac=" ${9} "
25+ local key_id=" ${10} "
2326
2427 certificate_domain_opts=$( echo ${certificate_fqdns} | sed -r -e ' s/^/,/g' ' s/,/--domains=/g' ' s/--/ --/g' )
2528 certificate_fqdn=$( echo ${certificate_fqdns} | awk -F ' ,' ' {print $1}' )
@@ -54,6 +57,10 @@ function obtain_or_renew_certificate {
5457
5558 [ ! -e " /etc/letsencrypt/lego/${certificate_type} /certificates/${certificate_fqdn} .pem" && local lego_action=" run" || local lego_action=" renew"
5659
60+ if [ ${eab} ]; then
61+ eab_opts=" --eab --hmac ${hmac} --kid ${key_id} "
62+ fi
63+
5764 log_info " [${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns} ."
5865 mapfile -t cmd_output < <( /opt/lego --email=" ${mail} "
5966 ${certificate_domain_opts} \
@@ -64,6 +71,7 @@ function obtain_or_renew_certificate {
6471 --cert.timeout ${valid_days} \
6572 --accept-tos \
6673 --http \
74+ ${eab_opts} \
6775 --pem ${lego_action} \
6876 --${lego_action} -hook=" /usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port} " 2>&1 )
6977
@@ -98,10 +106,11 @@ function obtain_or_renew_certificate {
98106
99107INTERNAL_SET=" false"
100108EXTERNAL_SET=" false"
109+ EXTERNAL_ACCOUNT_BINDING=" false"
101110LOG_FILE=" /var/log/kolla/letsencrypt/lesencrypt-lego.log"
102111
103112
104- VALID_ARGS=$( getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh: -- " $@ " )
113+ VALID_ARGS=$( getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh:,eab,kid:,hmac: -- " $@ " )
105114if [[ $? -ne 0 ]]; then
106115 exit 1;
107116fi
@@ -147,6 +156,18 @@ while [ : ]; do
147156 LETSENCRYPT_SSH_PORT=" ${2} "
148157 shift 2
149158 ;;
159+ --eab)
160+ EXTERNAL_ACCOUNT_BINDING=" true"
161+ shift
162+ ;;
163+ --hmac)
164+ HMAC=" ${2} "
165+ shift 2
166+ ;;
167+ --kid)
168+ KEY_ID=" ${2} "
169+ shift 2
170+ ;;
150171 --) shift ;
151172 break
152173 ;;
@@ -170,17 +191,22 @@ if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
170191 LETSENCRYPT_EXTERNAL_FQDNS=" ${FQDNS} "
171192 fi
172193
194+ if [ " ${EXTERNAL_ACCOUNT_BINDING} " = " true" ; then
195+ EXTERNAL_ACCOUNT_BINDING_OPTS=" --eab ${HMAC} ${KEY_ID} "
196+ else
197+ EXTERNAL_ACCOUNT_BINDING_OPTS=" "
198+ fi
173199
174200 if /usr/sbin/ip a | egrep -q " ${LETSENCRYPT_VIP_ADDRESSES} " ; then
175201 log_info " [${FQDN} - cron] This Letsencrypt-lego host is active..."
176202 if [ " ${LETSENCRYPT_INTERNAL_FQDNS} " != " " ; then
177203 log_info " [${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS} "
178- obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
204+ obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING_OPTS}
179205 fi
180206
181207 if [ " ${LETSENCRYPT_EXTERNAL_FQDNS} " != " " ; then
182208 log_info " [${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS} "
183- obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
209+ obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING_OPTS}
184210 fi
185211 else
186212 log_info " [${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..."
0 commit comments