acme2certifer allows for the specification of pre and post enrollment hooks. Hooks are disabled by default and must be activated in acme_srv.cfg
by specifying a file containing the required Hook class and methods.
[Hooks]
hooks_file: examples/hooks/skeleton_hooks.py
Creating your own hook-handler is pretty straightforward. All you need to do is to create your own handler.py with a "Hooks" class containing the following methods.
pre_hook
- to be executed before certificate enrollmentpost_hook
- to be executed after certificate enrollment regardless of the resultsuccess_hook
- to be executed in case of a successful certificate enrollment; this is executed before thepost_hook
The skeleton_hooks.py contains a skeleton which can be used to create a customized handler.
The below code describes the different input parameters given by acme2certifier as well as the expected return values.
class Hooks(object):
""" EAB file handler """
def __init__(self, logger) -> None:
self.logger = logger
def pre_hook(self, certificate_name, order_name, csr) -> None:
""" run before obtaining any certificates """
self.logger.debug('Hook.pre_hook()')
def post_hook(self, certificate_name, order_name, csr, error) -> None:
""" run after *attempting* to obtain/renew certificates """
self.logger.debug('Hook.post_hook()')
def success_hook(self, certificate_name, order_name, csr, certificate, certificate_raw, poll_identifier) -> None:
""" run after each successful certificate enrollment/renewal """
self.logger.debug('Hook.success_hook()')
- self.logger - reference to a logging object
- certificate - certificate in
application/pem-certificate-chain
format - certificate_name - name of the certificate resource in acme2certifier
- certificate_raw - certificate in base64 encoded binary format
- csr - certificate signing request in base64 encoded binary format
- error - error message in case of certificate enrollment
- order_name - name of the order resource in acme2certifier
The different methods must not return any data. Exceptions during hook execution are handled by acme2certifier, see below.
By default, certificate enrollment/renewal is aborted (and acme2certifier returns an error code to
the client) if either the pre_hook
or success_hook
fails. In either case, later hooks are also not executed:
- If the
pre_hook
fails, neithersuccess_hook
norpost_hook
is executed. - If the
success_hook
fails, thepost_hook
is not executed.
If the post_hook
throws an exception, the error is logged but it has no effect on the
enrollment/renewal; i.e., it finishes successfully (given that no other error occurred).
This behavior can be controlled through the configuration options allow_pre_hook_failure
,
allow_post_hook_failure
, and allow_success_hook_failure
, see the configuration
table.