acme-init

#!/bin/bash
[ "$(id -u)" -eq 0 ] || exec sudo --non-interactive --preserve-env "PATH=${PATH}" "${0}" "${@}"

set -euo pipefail
. /.functions

# Just for safety's sake
cd /

marker_exists()
{
	local MARKER="${1}"
	is_file "${MARKER}" || return 1
	[ -s "${MARKER}" ] || return 1
	return 0
}

wait_for_marker()
{
	local MARKER="${1}"
	local ACME_WAIT_TIMEOUT_STR="$(secs_to_timestr "${ACME_WAIT_TIMEOUT}")"
	local FIRST="true"
	local START="$(date +%s)"
	while ! marker_exists "${MARKER}" ; do
		"${FIRST}" && waiting "Waiting for the ACME certificates to be initialized (up to ${ACME_WAIT_TIMEOUT_STR} total)..."
		FIRST="false"

		# Poke every 100ms (10 times per second)
		sleep 0.1 || fail "Sleep interrupted"
		local NOW="$(date +%s)"

		# If the timeout has expired, return a non-zero value
		[ $(( NOW - START )) -lt ${ACME_WAIT_TIMEOUT} ] || return 1
	done
	ok "ACME client is initialized is ready"
	return 0
}

create_marker()
{
	local MARKER="${1}"
	local DIR="$(dirname "${MARKER}")"
	[ -d "${DIR}" ] || mkdir -p "${DIR}" && timestamp > "${MARKER}"
	return ${?}
}

is_valid_url()
{
	local URL="${1}"
	[[ "${URL}" =~ ^([^:/?#]+)://([^/?#]*)?([^?#]*)([?]([^#]*))?(#(.*))?$ ]] || return 1
	return 0
}

validate_ip()
{
	[ ${#} -ge 1 ] || return 1
	local PARTS=()
	for IP in "${@}" ; do
		is_valid_ipv4 "${IP}" || return 1
		echo "${IP}"
	done
	return 0
}

is_variable_true()
{
	local V="${1}"
	[ -v "${V}" ] || return 1
	case "${!V,,}" in
		true | t | yes | y | on ) return 0 ;;
	esac
	return 1
}

is_supported()
{
	local V="${1}"
	[ -n "${V}" ] || return 1
	is_variable_true "ACME_SUPPORT_${V}"
}

validate_cert()
{
	local CERT="${1}"
	is_file_readable "${CERT}" || return 1
	[ -s "${CERT}" ] || return 1
	openssl x509 -noout -text -in "${CERT}" &>/dev/null || return ${?}
	return 0
}

is_ca()
{
	local CERT="${1}"
	validate_cert "${CERT}" || return ${?}
	# Is the certificate a CA certificate of some kind?
	openssl x509 -noout -ext basicConstraints -in "${CERT}" | \
		tail -n +2 | \
		sed -e 's;, ;\n;g' -e 's;^\s*;;g' | \
		grep -qi "^CA:TRUE" || return ${?}
	return 0
}

install_chain()
{
	local CERT_BASE_NAME="${1}"
	local DEST="$(readlink -f "$(mktemp -d)")"
	( cd "${DEST}" && csplit /dev/stdin '/BEGIN CERTIFICATE/' '{*}' &>/dev/null ) || return $?
	while read n ; do
		# Leave only the certificate bits in each split out file
		sed -i -e '/^-\+END CERTIFICATE-\+$/q' "${n}"

		# Keep only the files that contain certificate bits
		if grep -q "END CERTIFICATE" "${n}" && is_ca "${n}" ; then
			local SUBJECT="$(openssl x509 -noout -subject -in "${n}" | sed -e 's;^subject=;;g')"
			local ISSUER="$(openssl x509 -noout -issuer -in "${n}" | sed -e 's;^issuer=;;g')"
			say "\tInstalling certificate: ${SUBJECT}"
			[ "${SUBJECT}" != "${ISSUER}" ] && say "\tIssued by: ${ISSUER}"
			local TGT_NAME="${CERT_BASE_NAME}.${n##*/}.pem"
			mv -f "${n}" "${TGT_NAME}"
		else
			rm -f "${n}" &>/dev/null
		fi
	done < <(find "${DEST}" -mindepth 1 -maxdepth 1 -type f -name 'xx*')
	rm -rf "${DEST}"
}

download_from_port()
{
	local HOST="${1}"
	local SNI="${2}"
	local PORT="${3}"
	local PROTOCOL="${4}"
	local TARGET="${5}"

	local SNI_FLAGS=()
	[ -n "${SNI}" ] && SNI_FLAGS+=(-servername "${SNI}")

	local TLS_FLAGS=()
	if [ -n "${PROTOCOL}" ] ; then
		TLS_FLAGS+=(-starttls "${PROTOCOL}")
		[ -n "${SNI}" ]  && TLS_FLAGS+=(-name "${SNI}")
		PROTOCOL=":${PROTOCOL}"
	fi

	local CERT_BASE_NAME="${SNI}"
	[ -n "${CERT_BASE_NAME}" ] && CERT_BASE_NAME+="@"
	CERT_BASE_NAME+="${HOST}:${PORT}${PROTOCOL}"

	openssl s_client -connect "${HOST}:${PORT}" \
		"${SNI_FLAGS[@]}" "${TLS_FLAGS[@]}" \
		-showcerts </dev/null 2>/dev/null | \
			install_chain "${TARGET}/${CERT_BASE_NAME}"
	return 0
}

download_chain()
{
	local CERT_BASE_NAME="${1}"
	local URL="${2}"
	local RC=0
	OUT="$(curl -kL --fail --silent --show-error --connect-timeout 5 -o >(install_chain "${CERT_BASE_NAME}") "${URL}" 2>&1)" || RC=${?}
	[ ${RC} -ne 0 ] && err "Failed to download the certificates from [${URL}] (rc=${RC}):\n${OUT}"
	return ${RC}
}

add_global_trusts()
{
	local TYPE="${1}"
	local KEYSTORE="${2}"
	local PASSWORD="${3}"

	to_boolean "${ACME_KEYSTORE_WITH_TRUSTS:-false}" || return 0

	doing "Adding the default global trusts..."
	# First off, add the trusts from the default CACERTS
	keytool \
		-importkeystore \
		-srckeystore "${CACERTS}" \
		-srcstorepass "${CACERTS_PASS}" \
		-destkeystore "${KEYSTORE}" \
		-deststorepass "${PASSWORD}" \
		-deststoretype "${TYPE}" < /dev/null || err "Could not append the global trusts (cacerts)"

	# Now add any files from the anchors directory. By now,
	# these should include any and all declared trusts
	doing "Adding additional global trusts..."
	while read CERT ; do
		ALIAS="${CERT##*/}"
		ALIAS="acme-${ALIAS%.*}"
		keytool \
			-importcert \
			-noprompt \
			-keystore "${KEYSTORE}" \
			-storepass "${PASSWORD}" \
			-storetype "${TYPE}" \
			-alias "${ALIAS}" \
			-file "${CERT}" < /dev/null || err "Could not append [${CERT}]"
	done < <(find "${ANCHORS}" -mindepth 1 -maxdepth 1 -type f | sort)
}

if "$(to_boolean "${ACME_DISABLE:-false}")" ; then
	ok "ACME Processing is disabled by configuration (ACME_DISABLE == ${ACME_DISABLE})"
	exit 0
fi

[ -v ACM_GROUP ] || ACM_GROUP=""
[ -n "${ACM_GROUP}" ] || fail "The ACM_GROUP environment variable is REQUIRED"
getent group "${ACM_GROUP}" &>/dev/null || fail "The group [${ACM_GROUP}] does not exist"

set_or_default SSL_DIR "/.ssl"
set_or_default SSL_TRUSTS_DIR "/.trusts"
set_or_default PKI_HOME "/etc/pki"
set_or_default ANCHORS "${PKI_HOME}/ca-trust/source/anchors"
set_or_default CACERTS "${PKI_HOME}/java/cacerts"

set_or_default CACERTS_PASS "changeit"
set_or_default ACME_URL "https://acme:9000"
set_or_default ACME_KEY_ALIAS "acme"
set_or_default ACME_WAIT "false"
set_or_default ACME_WAIT_MARKER "${SSL_DIR}/.acme-ready"
set_or_default ACME_WAIT_TIMEOUT "$(timestr_to_secs 20m)"

# Validate the URL
[[ "${ACME_URL}" =~ ^http(s)?://([^:/]+)(:([1-9][0-9]*))?(/.*)?$ ]] || fail "Malformed URL for the ACME CA: [${ACME_URL}]"

ACME_HOST="${BASH_REMATCH[2]}"
ACME_PORT="80"
[ -z "${BASH_REMATCH[1]}" ] || ACME_PORT="443"
[ -z "${BASH_REMATCH[4]}" ] || ACME_PORT="${BASH_REMATCH[4]}"

# Validate the values captured above ... must have a valid host and port
is_valid_hostname "${ACME_HOST}" || fail "Malformed URL for the ACME CA: bad hostname [${ACME_URL}]"
is_valid_port "${ACME_PORT}" || fail "The port in the URL must be between 1 and 65535"

ACME_ROOT_CA_BASENAME="ca-root"
ACME_ROOT_CA_ANCHOR="${ANCHORS}/${ACME_ROOT_CA_BASENAME}.crt"
ACME_INT_CA_BASENAME="ca-int"
ACME_INT_CA_ANCHOR="${ANCHORS}/${ACME_INT_CA_BASENAME}.crt"

if "${ACME_WAIT}" ; then
	wait_for_marker "${ACME_WAIT_MARKER}" || fail "ACME client initialization timed out"
fi

################################################################################
#
# Check that our existing stuff is valid
#
################################################################################
GENERATE_NEW_CERTIFICATES="false"
acme-validate || GENERATE_NEW_CERTIFICATES="true"

if "${GENERATE_NEW_CERTIFICATES}" ; then
	################################################################################
	#
	# Download the root CA we'll use to trust everything from this cluster
	#
	################################################################################

	# Wait up to 5 minutes for the CA to come up
	MAX_WAIT=300
	START="$(date +%s)"
	doing "Fetching the root CA certificate from [${ACME_HOST}]"
	while true ; do
		# TODO: What's the standard way to do this in ACME-land?
		OUT="$(curl -k -fsSL -o "${ACME_ROOT_CA_ANCHOR}" "${ACME_URL}/roots.pem" 2>&1)" && break
		err "Failed to get the step root CA (rc=${?}):\n${OUT}"
		NOW="$(date +%s)"
		[ $(( NOW - START )) -ge ${MAX_WAIT} ] && fail "Timed out trying to reach the CA issuer at [${ACME_URL}]"
		sleep 5 || fail "Sleep interrupted trying to wait for [${ACME_URL}] - cannot continue"
	done
	say "\t✅ Fetch OK!"

	# Fetch the intermediate CA as well
	# TODO: What's the standard way to do this in ACME-land?
	doing "Fetching the intermediate CA certificate from [${ACME_HOST}]"
	(
		set -euo pipefail
		D="$(mktemp -d)"
		cd "${D}"
		INT_FILE="xx02"
		csplit <(openssl s_client -connect "${ACME_HOST}:${ACME_PORT}" -showcerts </dev/null 2>/dev/null) \
			'/BEGIN CERTIFICATE/' '{*}' &>/dev/null
		sed -i -e '/^-\+END CERTIFICATE-\+$/q' "${INT_FILE}"
		mv -f "${INT_FILE}" "${ACME_INT_CA_ANCHOR}"
		cd /
		rm -rf "${D}" || true
	) || fail "Failed to fetch the intermediate CA from [${ACME_URL}]"
	say "\t✅ Fetch OK!"
fi

################################################################################
#
# Trust the certificates we're told to trust
#
################################################################################
doing "Deploying the common trusted certificates from [${SSL_TRUSTS_DIR}]"
[ -d "${SSL_TRUSTS_DIR}" ] || mkdir -p "${SSL_TRUSTS_DIR}"
SSL_TRUSTS_DIR="$(readlink -f "${SSL_TRUSTS_DIR}")"

COUNT=0
while read cert ; do
	CERT="${cert##*/}"
	if [ ! -f "${cert}" ] ; then
		say "\tWARNING: The certificate [${CERT}] is not a regular file, skipping"
		continue
	fi

	case "${CERT,,}" in
		# If the data is an actual certificate, copy it verbatim
		*.pem )
			say "\tDeploying certificate [${CERT}]..."
			install_chain "${ANCHORS}/${CERT%.*}" < "${cert}"
			;;

		# If the data is a URL, then try to pull it down and put the resulting file into
		# the correct location using ${CERT} as the name
		*.url )
			URL="$(<"${cert}")"
			is_valid_url "${URL}" || fail "\tThe certificate [${CERT}] is invalid - the URL syntax is invalid: [${URL}]"
			say "\tDownloading the certificate [${CERT}] from [${URL}]..."
			download_chain "${ANCHORS}/${CERT%.*}" "${URL}" || fail "\tFailed to download the certificate [${CERT}] from the URL [${URL}]"
			;;

		*.ssl )
			SERVER="$(<"${cert}")"
			[[ "${SERVER}" =~ ^(([^@]+)@)?(([^:]+):([0-9]+))$ ]] || fail "\tThe certificate [${CERT}] is invalid - the SSL server string [${SERVER}] did not match the required pattern ([serverName@]hostNameOrIP:port)"
			SERVER_NAME="${BASH_REMATCH[2]}"
			HOST_NAME="${BASH_REMATCH[4]}"
			PORT="${BASH_REMATCH[5]}"
			if [ -n "${SERVER_NAME}" ] ; then
				is_valid_hostname "${SERVER_NAME}" || fail "\tInvalid server name [${SERVER_NAME}] in spec [${SERVER}] from [${CERT}]"
			fi
			is_valid_hostname "${HOST_NAME}" || fail "\tInvalid host name [${HOST_NAME}] in spec: [${SERVER}] from [${CERT}]"
			is_valid_port "${PORT}" || fail "\tInvalid port number [${PORT}] in spec: [${SERVER}] from [${CERT}]"
			say "\tDownloading the certificate [${CERT}] from the SSL server [${SERVER}]..."
			download_from_port "${HOST_NAME}" "${SERVER_NAME}" "${PORT}" "" "${ANCHORS}" || fail "\tFailed to download the certificate from [${SERVER}] from [${CERT}]"
			;;

		*.tls )
			SERVER="$(<"${cert}")"
			[[ "${SERVER}" =~ ^(([^@]+)@)?(([^:]+):([0-9]+))(/(.*))$ ]] || fail "\tThe certificate [${CERT}] is invalid - the TLS server string [${SERVER}] did not match the required pattern ([serverName@]hostNameOrIP:port/protocol)"
			SERVER_NAME="${BASH_REMATCH[2]}"
			HOST_NAME="${BASH_REMATCH[4]}"
			PORT="${BASH_REMATCH[5]}"
			PROTOCOL="${BASH_REMATCH[7]}"
			[ -n "${SERVER_NAME}" ] || is_valid_hostname "${SERVER_NAME}" || fail "\tInvalid server name [${SERVER_NAME}] in spec [${SERVER}] from [${CERT}]"
			is_valid_hostname "${HOST_NAME}" || fail "\tInvalid host name [${HOST_NAME}] in spec: [${SERVER}] from [${CERT}]"
			is_valid_port "${PORT}" || fail "\tInvalid port number [${PORT}] in spec: [${SERVER}] from [${CERT}]"
			case "${PROTOCOL,,}" in
				ftp | imap | irc | ldap | lmtp | mysql | nntp | pop3 | postgres | sieve | smtp | xmpp | xmpp-server ) ;;
				* ) fail "\tInvalid TLS protocol [${PROTOCOL}]" ;;
			esac
			say "\tDownloading the certificate [${CERT}] from the TLS server [${SERVER}]..."
			download_from_port "${HOST_NAME}" "${SERVER_NAME}" "${PORT}" "${PROTOCOL,,}" "${ANCHORS}" || fail "\tFailed to download the certificate from [${SERVER}] from [${CERT}]"
			;;

		* )
			say "\tWARNING: Don't know how to handle certificate [${CERT}], skipping"
			continue
			;;
	esac

	(( ++COUNT ))
done < <(find "${SSL_TRUSTS_DIR}" -mindepth 1 -maxdepth 1 -name "ssl-trust-*.*" | sort)
if [ ${COUNT} -eq 0 ] ; then
	say "\t✅ No certificates to deploy."
else
	say "\t✅ Deployed ${COUNT} certificates!"
fi

################################################################################
#
# Download our new certificates from the ACME instance
#
################################################################################
set_or_default ACME_PASSWORD_FILE "/.acme.password"
if [ -f "${ACME_PASSWORD_FILE}" ] ; then
	################################################################################
	#
	# Initialize the ACME client
	#
	################################################################################
	if step ca health &>/dev/null ; then
		ok "Step CA client already initialized!"
	else
		doing "Initializing the Step CA Acme Client"
		step ca bootstrap -f \
			--ca-url "${ACME_URL}" \
			--fingerprint "$(step certificate fingerprint "${ACME_ROOT_CA_ANCHOR}")"
		say "\t✅ Done!"
	fi

	# This array will contain the list of (absolute) paths for all
	# files whose ownership and permissions will be set to the most
	# restrictive of all: only readable by the owner
	SECURE_FILES=()

	if "${GENERATE_NEW_CERTIFICATES}" && ! "${ACME_WAIT}" ; then
		FQDN="$(hostname -f)"
		IFS="." read POD SERVICE NAMESPACE SVC CLUSTER_DOMAIN <<< "${FQDN}"

		# Fully-Qualified Service Name
		FQSN=""

		SAN=()

		# ACME_SERVICE_NAME is the "consumable" service, while
		# SERVICE is the (possibly headless) default service
		# associated to a pod. They *may* be the same but
		# aren't required to be. Thus, we check to see if they're
		# the same, to avoid adding duplicate values
		set_or_default ACME_SERVICE_NAME "${SERVICE}"
		if [ "${ACME_SERVICE_NAME}" != "${SERVICE}" ] ; then
			if [ -n "${NAMESPACE}" ] ; then
				if [ -n "${CLUSTER_DOMAIN}" ] ; then
					[ -n "${FQSN}" ] || FQSN="${ACME_SERVICE_NAME}.${NAMESPACE}.svc.${CLUSTER_DOMAIN}"
					SAN+=(--san "${FQSN}")
				fi
				SAN+=(--san "${ACME_SERVICE_NAME}.${NAMESPACE}")
			fi
			SAN+=(--san "${ACME_SERVICE_NAME}")

			SVC_VAR="${ACME_SERVICE_NAME^^}_SERVICE_HOST"
			if [ -v "${SVC_VAR}" ] ; then
				SVC_IP="$(validate_ip "${!SVC_VAR}")" && [ "${SVC_IP}" != "127.0.01" ] && SAN+=(--san "${SVC_IP}")
			fi
		fi

		if [ -n "${SERVICE}" ] ; then
			if [ -n "${NAMESPACE}" ] ; then
				if [ -n "${CLUSTER_DOMAIN}" ] ; then
					[ -n "${FQSN}" ] || FQSN="${SERVICE}.${NAMESPACE}.svc.${CLUSTER_DOMAIN}"
					SAN+=(
						--san "${POD}.${SERVICE}.${NAMESPACE}.svc.${CLUSTER_DOMAIN}"
						--san "${SERVICE}.${NAMESPACE}.svc.${CLUSTER_DOMAIN}"
					)
				fi
				SAN+=(
					--san "${POD}.${SERVICE}.${NAMESPACE}"
					--san "${SERVICE}.${NAMESPACE}"
				)
			fi
			SAN+=(
				--san "${POD}.${SERVICE}"
				--san "${SERVICE}"
			)

			SVC_VAR="${SERVICE^^}_SERVICE_HOST"
			if [ -v "${SVC_VAR}" ] ; then
				SVC_IP="$(validate_ip "${!SVC_VAR}")" && [ "${SVC_IP}" != "127.0.01" ] && SAN+=(--san "${SVC_IP}")
			fi
		fi

		if [ -v POD_IP ] ; then
			POD_IP="$(validate_ip "${POD_IP}")" && [ "${POD_IP}" != "127.0.01" ] && SAN+=(--san "${POD_IP}")
		fi

		# TODO: Use the ${SERVICE_NAME}_SERVICE_HOST as the service IP

		# The least specific values
		SAN+=(
			--san "${POD}"
			--san "localhost.localdomain"
			--san "localhost"
		)

		ensure_dir "${SSL_DIR}"

		if [ -v ACME_KEYSTORE_PASSWORD_FILE ] ; then
			[ -n "${ACME_KEYSTORE_PASSWORD_FILE}" ] || fail "The variable ACME_KEYSTORE_PASSWORD_FILE may not be empty"
			[ -s "${ACME_KEYSTORE_PASSWORD_FILE}" ] || fail "The password file [${ACME_KEYSTORE_PASSWORD_FILE}] may not be empty"
		else
			# We weren't given a password file to use, so use the default value
			ACME_KEYSTORE_PASSWORD_FILE="${SSL_DIR}/keystore.pass"
			SECURE_FILES+="${ACME_KEYSTORE_PASSWORD_FILE}"

			# Allow the use of ACME_KEYSTORE_PASSWORD to set the password. This isn't
			# particularly secure, but it may be required in some instances where the
			# pod needs to know the password beforehand (i.e. b/c Helm needs to know it)
			if [ -v ACME_KEYSTORE_PASSWORD ] ; then
				[ -n "${ACME_KEYSTORE_PASSWORD}" ] || fail "The variable ACME_KEYSTORE_PASSWORD may not be empty"
				echo -n "${ACME_KEYSTORE_PASSWORD}" > "${ACME_KEYSTORE_PASSWORD_FILE}" || fail "Failed to render the password file at [${ACME_KEYSTORE_PASSWORD_FILE}] with the password given in ACME_KEYSTORE_PASSWORD"
			else
				# We weren't given a password, so just render a random one
				render_password > "${ACME_KEYSTORE_PASSWORD_FILE}" || fail "Failed to render a new password into [${ACME_KEYSTORE_PASSWORD_FILE}]"
			fi
		fi

		doing "Rendering a new certificate for this pod's use"
		step ca certificate \
			"${FQSN:-${FQDN}}" "${SSL_DIR}/cert.pem" "${SSL_DIR}/cert.key" \
			"${SAN[@]}" \
			-f \
			--size 4096 \
			--kty RSA \
			--provisioner-password-file "${ACME_PASSWORD_FILE}" \
			--password-file="${ACME_KEYSTORE_PASSWORD_FILE}"
		doing "Removing extra stuff from the certificate..."
		sed -i -e '/^-\+END CERTIFICATE-\+$/q' "${SSL_DIR}/cert.pem"
		say "\t✅ Certificate ready!"

		doing "Creating an encrypted version of the key..."
		openssl rsa -aes256 \
			-in "${SSL_DIR}/cert.key" \
			-out "${SSL_DIR}/cert.key.enc" \
			-passout file:<(yes "$(<"${ACME_KEYSTORE_PASSWORD_FILE}")" | head -2)
		SECURE_FILES+=("${SSL_DIR}/cert.key")
		say "\t✅ Encrypted key ready!"

		doing "Copying the root and intermediate CAs into the target directory..."
		cp -f "${ACME_ROOT_CA_ANCHOR}" "${SSL_DIR}/ca-root.pem"
		cp -f "${ACME_INT_CA_ANCHOR}" "${SSL_DIR}/ca-int.pem"
		cat \
			"${ACME_INT_CA_ANCHOR}" \
			"${ACME_ROOT_CA_ANCHOR}" \
			> "${SSL_DIR}/ca-chain.pem"
		say "\t✅ Done!"
	else
		ok "Existing certificates and keys are still valid, will not generate new ones!"
		if [ ! -v ACME_KEYSTORE_PASSWORD_FILE ] ; then
			ACME_KEYSTORE_PASSWORD_FILE="${SSL_DIR}/keystore.pass"
			SECURE_FILES+=("${ACME_KEYSTORE_PASSWORD_FILE}")
		fi
	fi

	doing "Rendering the certificate files for HAProxy..."
	cat \
		"${SSL_DIR}/cert.pem" \
		"${SSL_DIR}/ca-chain.pem" \
		"${SSL_DIR}/cert.key" \
		> "${SSL_DIR}/haproxy-cert.pem"
	SECURE_FILES+=("${SSL_DIR}/haproxy-cert.pem")
	say "\t✅ Done!"

	# Find the Java keytool, if it's installed
	if type -P keytool &>/dev/null && ! "${ACME_WAIT}" ; then
		doing "Rendering a PKCS12 Keystore with the new certificate & key..."
		STOREPASS="$(<"${ACME_KEYSTORE_PASSWORD_FILE}")"

		# First, create the base keystore
		PKCS12="${SSL_DIR}/keystore.pkcs12"
		openssl pkcs12 \
			-export \
			-in "${SSL_DIR}/cert.pem" \
			-inkey "${SSL_DIR}/cert.key" \
			-passin file:<(yes "${STOREPASS}" | head -2) \
			-name "${ACME_KEY_ALIAS}" \
			-out "${PKCS12}" \
			-passout file:<(yes "${STOREPASS}" | head -2)

		# Then, append the additional CAs into the newly-created keystore
		for CERT in ca-int.pem ca-root.pem ; do
			say "\t👉 Adding ${CERT}..."
			keytool \
				-importcert \
				-noprompt \
				-keystore "${PKCS12}" \
				-storepass "${STOREPASS}" \
				-storetype "PKCS12" \
				-alias "acme-${CERT%.*}" \
				-file "${SSL_DIR}/${CERT}"
		done

		# Finally, if so configured, append both the additional trusts and the
		# Operating system's default trusts into the keystore
		add_global_trusts PKCS12 "${PKCS12}" "${STOREPASS}"
		say "\t✅ Ready!"

		# Finally, if other keystore types are required, use them
		for STORETYPE in jks jceks ; do
			is_supported "${STORETYPE^^}" || continue
			doing "Creating a ${STORETYPE^^} Java Keystore with the new certificate & key..." 
			STOREFILE="${SSL_DIR}/keystore.${STORETYPE}"
			rm -f "${STOREFILE}" &>/dev/null || true

			# First, copy only the key and cert we want
			keytool \
				-importkeystore \
				-srcalias "${ACME_KEY_ALIAS}" \
				-srckeystore "${PKCS12}" \
				-srcstorepass "${STOREPASS}" \
				-srcstoretype PKCS12 \
				-destkeystore "${STOREFILE}" \
				-deststorepass "${STOREPASS}" \
				-destkeypass "${STOREPASS}" \
				-deststoretype "${STORETYPE}"

			# Then, append the additional CAs into the newly-created keystore
			for CERT in ca-int.pem ca-root.pem ; do
				say "\t👉 Adding ${CERT}..."
				keytool \
					-importcert \
					-noprompt \
					-keystore "${STOREFILE}" \
					-storepass "${STOREPASS}" \
					-storetype "${STORETYPE}" \
					-alias "acme-${CERT%.*}" \
					-file "${SSL_DIR}/${CERT}"
			done

			add_global_trusts "${STORETYPE}" "${STOREFILE}" "${STOREPASS}"
			say "\t✅ Ready!"
		done
	fi

	doing "Setting tight permissions for the generated data..."

	# By default, owned by root but readable by ACM_GROUP
	chown -R "root:${ACM_GROUP}" "${SSL_DIR}"
	chmod -R a=rX "${SSL_DIR}"

	# Secure the most sensitive files so they're only readable
	# by the user who will be consuming them ... the other files
	# can easily be world-readable since they're all encrypted
	# one way or another, or are meant to be publicly-accessible
	if [ ${#SECURE_FILES[@]} -gt 0 ] ; then
		KEY_OWNER="root"
		[ -v SUDO_USER ] && KEY_OWNER="${SUDO_USER}"
		chown "${KEY_OWNER}:${ACM_GROUP}" "${SECURE_FILES[@]}"
		chmod -R u=r,go= "${SECURE_FILES[@]}"
	fi

	say "\t✅ Done!"

else
	err "Can't find the provisioner password file at [${ACME_PASSWORD_FILE}], did not generate any new certificates or keystores"
fi

"${ACME_WAIT}" || create_marker "${ACME_WAIT_MARKER}" || warn "Failed to create the wait marker [${ACME_WAIT_MARKER}]"

doing "Updating the trusted certificates"
chown -R root:root "${ANCHORS}"
chmod -R 0440 "${ANCHORS}"
update-ca-trust extract || fail "Failed to update the CA trusts"
say "\t✅ CA trusts updated system-wide!"