Add support for proxy domain validation to tls_cert resource

2024-04-26 12:24:17 +02:00
parent 6931fe05d0
commit 4cbda69a6b
4 changed files with 59 additions and 30 deletions
--- a/site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
@@ -3,17 +3,14 @@ set -euf -o pipefail

 # ************** USAGE **************
 #
-# Example usage (with this hook file saved in /root/):
+# Example usage:
 #
-#   sudo su -
 #   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
 #     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
 #
-# This hook requires configuration, continue reading.
-#
 # ************** CONFIGURATION **************
 #
-# GANDI_API_KEY: Your Gandi Live API key
+# ACCESS_TOKEN: Your Gandi Live API key
 #
 # PROVIDER_UPDATE_DELAY:
 #   How many seconds to wait after updating your DNS records. This may be required,
@@ -23,6 +20,10 @@ set -euf -o pipefail
 #
 #   Defaults to 30 seconds.
 #
+# VALIDATION_DOMAIN:
+#   Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
+#   from the original domain to a proxy validation domain that we control.
+#
 ACCESS_TOKEN="<%= @access_token %>"
 PROVIDER_UPDATE_DELAY=10
 VALIDATION_DOMAIN="${2:-}"