You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3793 lines
94 KiB

9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. VER=2.5.7
  3. PROJECT_NAME="acme.sh"
  4. PROJECT_ENTRY="acme.sh"
  5. PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
  6. DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
  7. _SCRIPT_="$0"
  8. DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
  9. DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  10. DEFAULT_USER_AGENT="$PROJECT_ENTRY client v$VER : $PROJECT"
  11. DEFAULT_ACCOUNT_EMAIL=""
  12. STAGE_CA="https://acme-staging.api.letsencrypt.org"
  13. VTYPE_HTTP="http-01"
  14. VTYPE_DNS="dns-01"
  15. VTYPE_TLS="tls-sni-01"
  16. VTYPE_TLS2="tls-sni-02"
  17. LOCAL_ANY_ADDRESS="0.0.0.0"
  18. MAX_RENEW=80
  19. DEFAULT_DNS_SLEEP=120
  20. NO_VALUE="no"
  21. W_TLS="tls"
  22. STATE_VERIFIED="verified_ok"
  23. BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
  24. END_CSR="-----END CERTIFICATE REQUEST-----"
  25. BEGIN_CERT="-----BEGIN CERTIFICATE-----"
  26. END_CERT="-----END CERTIFICATE-----"
  27. RENEW_SKIP=2
  28. ECC_SEP="_"
  29. ECC_SUFFIX="${ECC_SEP}ecc"
  30. if [ -z "$AGREEMENT" ] ; then
  31. AGREEMENT="$DEFAULT_AGREEMENT"
  32. fi
  33. __INTERACTIVE=""
  34. if [ -t 1 ] ; then
  35. __INTERACTIVE="1"
  36. fi
  37. __green() {
  38. if [ "$__INTERACTIVE" ] ; then
  39. printf '\033[1;31;32m'
  40. fi
  41. printf -- "$1"
  42. if [ "$__INTERACTIVE" ] ; then
  43. printf '\033[0m'
  44. fi
  45. }
  46. __red() {
  47. if [ "$__INTERACTIVE" ] ; then
  48. printf '\033[1;31;40m'
  49. fi
  50. printf -- "$1"
  51. if [ "$__INTERACTIVE" ] ; then
  52. printf '\033[0m'
  53. fi
  54. }
  55. __mytee() {
  56. tee -a $1
  57. }
  58. _info() {
  59. if [ -z "$2" ] ; then
  60. printf -- "[$(date)] $1" | __mytee $LOG_FILE
  61. else
  62. printf -- "[$(date)] $1='$2'" | __mytee $LOG_FILE
  63. fi
  64. printf "\n" | __mytee $LOG_FILE
  65. }
  66. _err_e() {
  67. if [ -z "$2" ] ; then
  68. __red "$1" | __mytee $LOG_FILE >&2
  69. else
  70. __red "$1='$2'" | __mytee $LOG_FILE >&2
  71. fi
  72. printf "\n" | __mytee $LOG_FILE >&2
  73. }
  74. _err() {
  75. printf -- "[$(date)] " | __mytee $LOG_FILE >&2
  76. _err_e "$@"
  77. return 1
  78. }
  79. _usage() {
  80. _err_e "$@"
  81. }
  82. _debug() {
  83. if [ -z "$DEBUG" ] ; then
  84. return
  85. fi
  86. if [ -z "$2" ] ; then
  87. printf -- "[$(date)] $1" | __mytee $LOG_FILE >&2
  88. else
  89. printf -- "[$(date)] $1='$2'" | __mytee $LOG_FILE >&2
  90. fi
  91. printf "\n" | __mytee $LOG_FILE >&2
  92. return 0
  93. }
  94. _debug2() {
  95. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  96. _debug "$@"
  97. fi
  98. return
  99. }
  100. _debug3() {
  101. if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ] ; then
  102. _debug "$@"
  103. fi
  104. return
  105. }
  106. _startswith(){
  107. _str="$1"
  108. _sub="$2"
  109. echo "$_str" | grep "^$_sub" >/dev/null 2>&1
  110. }
  111. _endswith(){
  112. _str="$1"
  113. _sub="$2"
  114. echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
  115. }
  116. _contains(){
  117. _str="$1"
  118. _sub="$2"
  119. echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
  120. }
  121. _hasfield() {
  122. _str="$1"
  123. _field="$2"
  124. _sep="$3"
  125. if [ -z "$_field" ] ; then
  126. _usage "Usage: str field [sep]"
  127. return 1
  128. fi
  129. if [ -z "$_sep" ] ; then
  130. _sep=","
  131. fi
  132. for f in $(echo "$_str" | tr ',' ' ') ; do
  133. if [ "$f" = "$_field" ] ; then
  134. _debug2 "'$_str' contains '$_field'"
  135. return 0 #contains ok
  136. fi
  137. done
  138. _debug2 "'$_str' does not contain '$_field'"
  139. return 1 #not contains
  140. }
  141. _getfield(){
  142. _str="$1"
  143. _findex="$2"
  144. _sep="$3"
  145. if [ -z "$_findex" ] ; then
  146. _usage "Usage: str field [sep]"
  147. return 1
  148. fi
  149. if [ -z "$_sep" ] ; then
  150. _sep=","
  151. fi
  152. _ffi=$_findex
  153. while [ "$_ffi" -gt "0" ]
  154. do
  155. _fv="$(echo "$_str" | cut -d $_sep -f $_ffi)"
  156. if [ "$_fv" ] ; then
  157. printf -- "%s" "$_fv"
  158. return 0
  159. fi
  160. _ffi="$(_math $_ffi - 1)"
  161. done
  162. printf -- "%s" "$_str"
  163. }
  164. _exists(){
  165. cmd="$1"
  166. if [ -z "$cmd" ] ; then
  167. _usage "Usage: _exists cmd"
  168. return 1
  169. fi
  170. if type command >/dev/null 2>&1 ; then
  171. command -v "$cmd" >/dev/null 2>&1
  172. else
  173. type "$cmd" >/dev/null 2>&1
  174. fi
  175. ret="$?"
  176. _debug3 "$cmd exists=$ret"
  177. return $ret
  178. }
  179. #a + b
  180. _math(){
  181. expr "$@"
  182. }
  183. _h_char_2_dec() {
  184. _ch=$1
  185. case "${_ch}" in
  186. a|A)
  187. printf "10"
  188. ;;
  189. b|B)
  190. printf "11"
  191. ;;
  192. c|C)
  193. printf "12"
  194. ;;
  195. d|D)
  196. printf "13"
  197. ;;
  198. e|E)
  199. printf "14"
  200. ;;
  201. f|F)
  202. printf "15"
  203. ;;
  204. *)
  205. printf "%s" "$_ch"
  206. ;;
  207. esac
  208. }
  209. _URGLY_PRINTF=""
  210. if [ "$(printf '\x41')" != 'A' ] ; then
  211. _URGLY_PRINTF=1
  212. fi
  213. _h2b() {
  214. hex=$(cat)
  215. i=1
  216. j=2
  217. if _exists let ; then
  218. uselet="1"
  219. fi
  220. _debug3 uselet "$uselet"
  221. _debug3 _URGLY_PRINTF "$_URGLY_PRINTF"
  222. while true ; do
  223. if [ -z "$_URGLY_PRINTF" ] ; then
  224. h="$(printf $hex | cut -c $i-$j)"
  225. if [ -z "$h" ] ; then
  226. break;
  227. fi
  228. printf "\x$h"
  229. else
  230. ic="$(printf $hex | cut -c $i)"
  231. jc="$(printf $hex | cut -c $j)"
  232. if [ -z "$ic$jc" ] ; then
  233. break;
  234. fi
  235. ic="$(_h_char_2_dec "$ic")"
  236. jc="$(_h_char_2_dec "$jc")"
  237. printf '\'"$(printf %o "$(_math $ic \* 16 + $jc)")"
  238. fi
  239. if [ "$uselet" ] ; then
  240. let "i+=2" >/dev/null
  241. let "j+=2" >/dev/null
  242. else
  243. i="$(_math $i + 2)"
  244. j="$(_math $j + 2)"
  245. fi
  246. done
  247. }
  248. #options file
  249. _sed_i() {
  250. options="$1"
  251. filename="$2"
  252. if [ -z "$filename" ] ; then
  253. _usage "Usage:_sed_i options filename"
  254. return 1
  255. fi
  256. _debug2 options "$options"
  257. if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
  258. _debug "Using sed -i"
  259. sed -i "$options" "$filename"
  260. else
  261. _debug "No -i support in sed"
  262. text="$(cat "$filename")"
  263. echo "$text" | sed "$options" > "$filename"
  264. fi
  265. }
  266. _egrep_o() {
  267. if _contains "$(egrep -o 2>&1)" "egrep: illegal option -- o" ; then
  268. sed -n 's/.*\('"$1"'\).*/\1/p'
  269. else
  270. egrep -o "$1"
  271. fi
  272. }
  273. #Usage: file startline endline
  274. _getfile() {
  275. filename="$1"
  276. startline="$2"
  277. endline="$3"
  278. if [ -z "$endline" ] ; then
  279. _usage "Usage: file startline endline"
  280. return 1
  281. fi
  282. i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
  283. if [ -z "$i" ] ; then
  284. _err "Can not find start line: $startline"
  285. return 1
  286. fi
  287. i="$(_math "$i" + 1)"
  288. _debug i "$i"
  289. j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
  290. if [ -z "$j" ] ; then
  291. _err "Can not find end line: $endline"
  292. return 1
  293. fi
  294. j="$(_math "$j" - 1)"
  295. _debug j "$j"
  296. sed -n "$i,${j}p" "$filename"
  297. }
  298. #Usage: multiline
  299. _base64() {
  300. if [ "$1" ] ; then
  301. openssl base64 -e
  302. else
  303. openssl base64 -e | tr -d '\r\n'
  304. fi
  305. }
  306. #Usage: multiline
  307. _dbase64() {
  308. if [ "$1" ] ; then
  309. openssl base64 -d -A
  310. else
  311. openssl base64 -d
  312. fi
  313. }
  314. #Usage: hashalg [outputhex]
  315. #Output Base64-encoded digest
  316. _digest() {
  317. alg="$1"
  318. if [ -z "$alg" ] ; then
  319. _usage "Usage: _digest hashalg"
  320. return 1
  321. fi
  322. outputhex="$2"
  323. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
  324. if [ "$outputhex" ] ; then
  325. openssl dgst -$alg -hex | cut -d = -f 2 | tr -d ' '
  326. else
  327. openssl dgst -$alg -binary | _base64
  328. fi
  329. else
  330. _err "$alg is not supported yet"
  331. return 1
  332. fi
  333. }
  334. #Usage: keyfile hashalg
  335. #Output: Base64-encoded signature value
  336. _sign() {
  337. keyfile="$1"
  338. alg="$2"
  339. if [ -z "$alg" ] ; then
  340. _usage "Usage: _sign keyfile hashalg"
  341. return 1
  342. fi
  343. if [ "$alg" = "sha256" ] ; then
  344. openssl dgst -sha256 -sign "$keyfile" | _base64
  345. else
  346. _err "$alg is not supported yet"
  347. return 1
  348. fi
  349. }
  350. #keylength
  351. _isEccKey() {
  352. _length="$1"
  353. if [ -z "$_length" ] ;then
  354. return 1
  355. fi
  356. [ "$_length" != "1024" ] \
  357. && [ "$_length" != "2048" ] \
  358. && [ "$_length" != "3072" ] \
  359. && [ "$_length" != "4096" ] \
  360. && [ "$_length" != "8192" ]
  361. }
  362. # _createkey 2048|ec-256 file
  363. _createkey() {
  364. length="$1"
  365. f="$2"
  366. eccname="$length"
  367. if _startswith "$length" "ec-" ; then
  368. length=$(printf $length | cut -d '-' -f 2-100)
  369. if [ "$length" = "256" ] ; then
  370. eccname="prime256v1"
  371. fi
  372. if [ "$length" = "384" ] ; then
  373. eccname="secp384r1"
  374. fi
  375. if [ "$length" = "521" ] ; then
  376. eccname="secp521r1"
  377. fi
  378. fi
  379. if [ -z "$length" ] ; then
  380. length=2048
  381. fi
  382. _debug "Use length $length"
  383. if _isEccKey "$length" ; then
  384. _debug "Using ec name: $eccname"
  385. openssl ecparam -name $eccname -genkey 2>/dev/null > "$f"
  386. else
  387. _debug "Using RSA: $length"
  388. openssl genrsa $length 2>/dev/null > "$f"
  389. fi
  390. if [ "$?" != "0" ] ; then
  391. _err "Create key error."
  392. return 1
  393. fi
  394. }
  395. #_createcsr cn san_list keyfile csrfile conf
  396. _createcsr() {
  397. _debug _createcsr
  398. domain="$1"
  399. domainlist="$2"
  400. csrkey="$3"
  401. csr="$4"
  402. csrconf="$5"
  403. _debug2 domain "$domain"
  404. _debug2 domainlist "$domainlist"
  405. _debug2 csrkey "$csrkey"
  406. _debug2 csr "$csr"
  407. _debug2 csrconf "$csrconf"
  408. printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" > "$csrconf"
  409. if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
  410. #single domain
  411. _info "Single domain" "$domain"
  412. else
  413. if _contains "$domainlist" "," ; then
  414. alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")"
  415. else
  416. alt="DNS:$domainlist"
  417. fi
  418. #multi
  419. _info "Multi domain" "$alt"
  420. printf -- "\nsubjectAltName=$alt" >> "$csrconf"
  421. fi
  422. if [ "$Le_OCSP_Stable" ] ; then
  423. _savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable"
  424. printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "$csrconf"
  425. fi
  426. openssl req -new -sha256 -key "$csrkey" -subj "/CN=$domain" -config "$csrconf" -out "$csr"
  427. }
  428. #_signcsr key csr conf cert
  429. _signcsr() {
  430. key="$1"
  431. csr="$2"
  432. conf="$3"
  433. cert="$4"
  434. _debug "_signcsr"
  435. _msg="$(openssl x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
  436. _ret="$?"
  437. _debug "$_msg"
  438. return $_ret
  439. }
  440. #_csrfile
  441. _readSubjectFromCSR() {
  442. _csrfile="$1"
  443. if [ -z "$_csrfile" ] ; then
  444. _usage "_readSubjectFromCSR mycsr.csr"
  445. return 1
  446. fi
  447. openssl req -noout -in "$_csrfile" -subject | _egrep_o "CN=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
  448. }
  449. #_csrfile
  450. #echo comma separated domain list
  451. _readSubjectAltNamesFromCSR() {
  452. _csrfile="$1"
  453. if [ -z "$_csrfile" ] ; then
  454. _usage "_readSubjectAltNamesFromCSR mycsr.csr"
  455. return 1
  456. fi
  457. _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  458. _debug _csrsubj "$_csrsubj"
  459. _dnsAltnames="$(openssl req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  460. _debug _dnsAltnames "$_dnsAltnames"
  461. if _contains "$_dnsAltnames," "DNS:$_csrsubj," ; then
  462. _debug "AltNames contains subject"
  463. _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
  464. else
  465. _debug "AltNames doesn't contain subject"
  466. fi
  467. printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
  468. }
  469. #_csrfile
  470. _readKeyLengthFromCSR() {
  471. _csrfile="$1"
  472. if [ -z "$_csrfile" ] ; then
  473. _usage "_readKeyLengthFromCSR mycsr.csr"
  474. return 1
  475. fi
  476. _outcsr="$(openssl req -noout -text -in "$_csrfile")"
  477. if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey" ; then
  478. _debug "ECC CSR"
  479. echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
  480. else
  481. _debug "RSA CSR"
  482. echo "$_outcsr" | _egrep_o "^ *Public-Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
  483. fi
  484. }
  485. _ss() {
  486. _port="$1"
  487. if _exists "ss" ; then
  488. _debug "Using: ss"
  489. ss -ntpl | grep ":$_port "
  490. return 0
  491. fi
  492. if _exists "netstat" ; then
  493. _debug "Using: netstat"
  494. if netstat -h 2>&1 | grep "\-p proto" >/dev/null ; then
  495. #for windows version netstat tool
  496. netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
  497. else
  498. if netstat -help 2>&1 | grep "\-p protocol" >/dev/null ; then
  499. netstat -an -p tcp | grep LISTEN | grep ":$_port "
  500. elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null ; then
  501. #for solaris
  502. netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
  503. else
  504. netstat -ntpl | grep ":$_port "
  505. fi
  506. fi
  507. return 0
  508. fi
  509. return 1
  510. }
  511. #domain [password] [isEcc]
  512. toPkcs() {
  513. domain="$1"
  514. pfxPassword="$2"
  515. if [ -z "$domain" ] ; then
  516. _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
  517. return 1
  518. fi
  519. _isEcc="$3"
  520. _initpath "$domain" "$_isEcc"
  521. if [ "$pfxPassword" ] ; then
  522. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
  523. else
  524. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
  525. fi
  526. if [ "$?" = "0" ] ; then
  527. _info "Success, Pfx is exported to: $CERT_PFX_PATH"
  528. fi
  529. }
  530. #[2048]
  531. createAccountKey() {
  532. _info "Creating account key"
  533. if [ -z "$1" ] ; then
  534. _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
  535. return
  536. fi
  537. length=$1
  538. if _isEccKey "$length" ; then
  539. length=2048
  540. fi
  541. if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ] ; then
  542. _debug "Use default length 2048"
  543. length=2048
  544. fi
  545. _debug length "$length"
  546. _initpath
  547. if [ -f "$ACCOUNT_KEY_PATH" ] ; then
  548. _info "Account key exists, skip"
  549. return
  550. else
  551. #generate account key
  552. _createkey "$length" "$ACCOUNT_KEY_PATH"
  553. fi
  554. }
  555. #domain [length]
  556. createDomainKey() {
  557. _info "Creating domain key"
  558. if [ -z "$1" ] ; then
  559. _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
  560. return
  561. fi
  562. domain=$1
  563. length=$2
  564. _initpath $domain "$length"
  565. if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then
  566. _createkey "$length" "$CERT_KEY_PATH"
  567. else
  568. if [ "$IS_RENEW" ] ; then
  569. _info "Domain key exists, skip"
  570. return 0
  571. else
  572. _err "Domain key exists, do you want to overwrite the key?"
  573. _err "Add '--force', and try again."
  574. return 1
  575. fi
  576. fi
  577. }
  578. # domain domainlist isEcc
  579. createCSR() {
  580. _info "Creating csr"
  581. if [ -z "$1" ] ; then
  582. _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
  583. return
  584. fi
  585. domain="$1"
  586. domainlist="$2"
  587. _isEcc="$3"
  588. _initpath "$domain" "$_isEcc"
  589. if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
  590. _info "CSR exists, skip"
  591. return
  592. fi
  593. if [ ! -f "$CERT_KEY_PATH" ] ; then
  594. _err "The key file is not found: $CERT_KEY_PATH"
  595. _err "Please create the key file first."
  596. return 1
  597. fi
  598. _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
  599. }
  600. _urlencode() {
  601. __n=$(cat)
  602. echo $__n | tr '/+' '_-' | tr -d '= '
  603. }
  604. _time2str() {
  605. #BSD
  606. if date -u -d@$1 2>/dev/null ; then
  607. return
  608. fi
  609. #Linux
  610. if date -u -r $1 2>/dev/null ; then
  611. return
  612. fi
  613. #Soaris
  614. if _exists adb ; then
  615. echo $(echo "0t${1}=Y" | adb)
  616. fi
  617. }
  618. _normalizeJson() {
  619. sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
  620. }
  621. _stat() {
  622. #Linux
  623. if stat -c '%U:%G' "$1" 2>/dev/null ; then
  624. return
  625. fi
  626. #BSD
  627. if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then
  628. return
  629. fi
  630. return 1; #error, 'stat' not found
  631. }
  632. #keyfile
  633. _calcjwk() {
  634. keyfile="$1"
  635. if [ -z "$keyfile" ] ; then
  636. _usage "Usage: _calcjwk keyfile"
  637. return 1
  638. fi
  639. EC_SIGN=""
  640. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then
  641. _debug "RSA key"
  642. pub_exp=$(openssl rsa -in $keyfile -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
  643. if [ "${#pub_exp}" = "5" ] ; then
  644. pub_exp=0$pub_exp
  645. fi
  646. _debug3 pub_exp "$pub_exp"
  647. e=$(echo $pub_exp | _h2b | _base64)
  648. _debug3 e "$e"
  649. modulus=$(openssl rsa -in $keyfile -modulus -noout | cut -d '=' -f 2 )
  650. _debug3 modulus "$modulus"
  651. n="$(printf "%s" "$modulus"| _h2b | _base64 | _urlencode )"
  652. jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
  653. _debug3 jwk "$jwk"
  654. HEADER='{"alg": "RS256", "jwk": '$jwk'}'
  655. HEADERPLACE_PART1='{"nonce": "'
  656. HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
  657. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then
  658. _debug "EC key"
  659. EC_SIGN="1"
  660. crv="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
  661. _debug3 crv "$crv"
  662. pubi="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
  663. pubi=$(_math $pubi + 1)
  664. _debug3 pubi "$pubi"
  665. pubj="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
  666. pubj=$(_math $pubj + 1)
  667. _debug3 pubj "$pubj"
  668. pubtext="$(openssl ec -in $keyfile -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
  669. _debug3 pubtext "$pubtext"
  670. xlen="$(printf "$pubtext" | tr -d ':' | wc -c)"
  671. xlen=$(_math $xlen / 4)
  672. _debug3 xlen "$xlen"
  673. xend=$(_math "$xend" + 1)
  674. x="$(printf $pubtext | cut -d : -f 2-$xend)"
  675. _debug3 x "$x"
  676. x64="$(printf $x | tr -d : | _h2b | _base64 | _urlencode)"
  677. _debug3 x64 "$x64"
  678. xend=$(_math "$xend" + 1)
  679. y="$(printf $pubtext | cut -d : -f $xend-10000)"
  680. _debug3 y "$y"
  681. y64="$(printf $y | tr -d : | _h2b | _base64 | _urlencode)"
  682. _debug3 y64 "$y64"
  683. jwk='{"kty": "EC", "crv": "'$crv'", "x": "'$x64'", "y": "'$y64'"}'
  684. _debug3 jwk "$jwk"
  685. HEADER='{"alg": "ES256", "jwk": '$jwk'}'
  686. HEADERPLACE_PART1='{"nonce": "'
  687. HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}'
  688. else
  689. _err "Only RSA or EC key is supported."
  690. return 1
  691. fi
  692. _debug3 HEADER "$HEADER"
  693. }
  694. _time() {
  695. date -u "+%s"
  696. }
  697. _mktemp() {
  698. if _exists mktemp ; then
  699. mktemp
  700. return
  701. fi
  702. if [ -d "/tmp" ] ; then
  703. echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
  704. return 0
  705. fi
  706. _err "Can not create temp file."
  707. }
  708. _inithttp() {
  709. if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER" ; then
  710. HTTP_HEADER="$(_mktemp)"
  711. _debug2 HTTP_HEADER "$HTTP_HEADER"
  712. fi
  713. if [ -z "$CURL" ] ; then
  714. CURL="curl -L --silent --dump-header $HTTP_HEADER "
  715. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  716. _CURL_DUMP="$(_mktemp)"
  717. CURL="$CURL --trace-ascii $_CURL_DUMP "
  718. fi
  719. if [ "$CA_BUNDLE" ] ; then
  720. CURL="$CURL --cacert $CA_BUNDLE "
  721. fi
  722. if [ "$HTTPS_INSECURE" ] ; then
  723. CURL="$CURL --insecure "
  724. fi
  725. fi
  726. if [ -z "$WGET" ] ; then
  727. WGET="wget -q"
  728. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  729. WGET="$WGET -d "
  730. fi
  731. if [ "$CA_BUNDLE" ] ; then
  732. WGET="$WGET --ca-certificate $CA_BUNDLE "
  733. fi
  734. if [ "$HTTPS_INSECURE" ] ; then
  735. WGET="$WGET --no-check-certificate "
  736. fi
  737. fi
  738. }
  739. # body url [needbase64] [POST|PUT]
  740. _post() {
  741. body="$1"
  742. url="$2"
  743. needbase64="$3"
  744. httpmethod="$4"
  745. if [ -z "$httpmethod" ] ; then
  746. httpmethod="POST"
  747. fi
  748. _debug $httpmethod
  749. _debug "url" "$url"
  750. _debug2 "body" "$body"
  751. _inithttp
  752. if _exists "curl" ; then
  753. _CURL="$CURL"
  754. _debug "_CURL" "$_CURL"
  755. if [ "$needbase64" ] ; then
  756. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
  757. else
  758. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" )"
  759. fi
  760. _ret="$?"
  761. if [ "$_ret" != "0" ] ; then
  762. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
  763. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  764. _err "Here is the curl dump log:"
  765. _err "$(cat "$_CURL_DUMP")"
  766. fi
  767. fi
  768. elif _exists "wget" ; then
  769. _debug "WGET" "$WGET"
  770. if [ "$needbase64" ] ; then
  771. if [ "$httpmethod"="POST" ] ; then
  772. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  773. else
  774. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  775. fi
  776. else
  777. if [ "$httpmethod"="POST" ] ; then
  778. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
  779. else
  780. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
  781. fi
  782. fi
  783. _ret="$?"
  784. if [ "$_ret" != "0" ] ; then
  785. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
  786. fi
  787. _sed_i "s/^ *//g" "$HTTP_HEADER"
  788. else
  789. _ret="$?"
  790. _err "Neither curl nor wget is found, can not do $httpmethod."
  791. fi
  792. _debug "_ret" "$_ret"
  793. printf "%s" "$response"
  794. return $_ret
  795. }
  796. # url getheader timeout
  797. _get() {
  798. _debug GET
  799. url="$1"
  800. onlyheader="$2"
  801. t="$3"
  802. _debug url $url
  803. _debug "timeout" "$t"
  804. _inithttp
  805. if _exists "curl" ; then
  806. _CURL="$CURL"
  807. if [ "$t" ] ; then
  808. _CURL="$_CURL --connect-timeout $t"
  809. fi
  810. _debug "_CURL" "$_CURL"
  811. if [ "$onlyheader" ] ; then
  812. $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" $url
  813. else
  814. $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" $url
  815. fi
  816. ret=$?
  817. if [ "$ret" != "0" ] ; then
  818. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
  819. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  820. _err "Here is the curl dump log:"
  821. _err "$(cat "$_CURL_DUMP")"
  822. fi
  823. fi
  824. elif _exists "wget" ; then
  825. _WGET="$WGET"
  826. if [ "$t" ] ; then
  827. _WGET="$_WGET --timeout=$t"
  828. fi
  829. _debug "_WGET" "$_WGET"
  830. if [ "$onlyheader" ] ; then
  831. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null $url 2>&1 | sed 's/^[ ]*//g'
  832. else
  833. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - $url
  834. fi
  835. ret=$?
  836. if [ "$ret" != "0" ] ; then
  837. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
  838. fi
  839. else
  840. ret=$?
  841. _err "Neither curl nor wget is found, can not do GET."
  842. fi
  843. _debug "ret" "$ret"
  844. return $ret
  845. }
  846. # url payload needbase64 keyfile
  847. _send_signed_request() {
  848. url=$1
  849. payload=$2
  850. needbase64=$3
  851. keyfile=$4
  852. if [ -z "$keyfile" ] ; then
  853. keyfile="$ACCOUNT_KEY_PATH"
  854. fi
  855. _debug url $url
  856. _debug payload "$payload"
  857. if ! _calcjwk "$keyfile" ; then
  858. return 1
  859. fi
  860. payload64=$(printf "%s" "$payload" | _base64 | _urlencode)
  861. _debug3 payload64 $payload64
  862. nonceurl="$API/directory"
  863. _headers="$(_get $nonceurl "onlyheader")"
  864. if [ "$?" != "0" ] ; then
  865. _err "Can not connect to $nonceurl to get nonce."
  866. return 1
  867. fi
  868. _debug3 _headers "$_headers"
  869. nonce="$( echo "$_headers" | grep "Replay-Nonce:" | head -1 | tr -d "\r\n " | cut -d ':' -f 2)"
  870. _debug3 nonce "$nonce"
  871. protected="$HEADERPLACE_PART1$nonce$HEADERPLACE_PART2"
  872. _debug3 protected "$protected"
  873. protected64="$(printf "$protected" | _base64 | _urlencode)"
  874. _debug3 protected64 "$protected64"
  875. sig=$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256" | _urlencode)
  876. _debug3 sig "$sig"
  877. body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
  878. _debug3 body "$body"
  879. response="$(_post "$body" $url "$needbase64")"
  880. if [ "$?" != "0" ] ; then
  881. _err "Can not post to $url."
  882. return 1
  883. fi
  884. _debug2 original "$response"
  885. response="$( echo "$response" | _normalizeJson )"
  886. responseHeaders="$(cat $HTTP_HEADER)"
  887. _debug2 responseHeaders "$responseHeaders"
  888. _debug2 response "$response"
  889. code="$(grep "^HTTP" $HTTP_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )"
  890. _debug code $code
  891. }
  892. #setopt "file" "opt" "=" "value" [";"]
  893. _setopt() {
  894. __conf="$1"
  895. __opt="$2"
  896. __sep="$3"
  897. __val="$4"
  898. __end="$5"
  899. if [ -z "$__opt" ] ; then
  900. _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
  901. return
  902. fi
  903. if [ ! -f "$__conf" ] ; then
  904. touch "$__conf"
  905. fi
  906. if grep -n "^$__opt$__sep" "$__conf" > /dev/null ; then
  907. _debug3 OK
  908. if _contains "$__val" "&" ; then
  909. __val="$(echo $__val | sed 's/&/\\&/g')"
  910. fi
  911. text="$(cat $__conf)"
  912. echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf"
  913. elif grep -n "^#$__opt$__sep" "$__conf" > /dev/null ; then
  914. if _contains "$__val" "&" ; then
  915. __val="$(echo $__val | sed 's/&/\\&/g')"
  916. fi
  917. text="$(cat $__conf)"
  918. echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf"
  919. else
  920. _debug3 APP
  921. echo "$__opt$__sep$__val$__end" >> "$__conf"
  922. fi
  923. _debug2 "$(grep -n "^$__opt$__sep" $__conf)"
  924. }
  925. #_savedomainconf key value
  926. #save to domain.conf
  927. _savedomainconf() {
  928. _sdkey="$1"
  929. _sdvalue="$2"
  930. if [ "$DOMAIN_CONF" ] ; then
  931. _setopt "$DOMAIN_CONF" "$_sdkey" "=" "\"$_sdvalue\""
  932. else
  933. _err "DOMAIN_CONF is empty, can not save $_sdkey=$_sdvalue"
  934. fi
  935. }
  936. #_cleardomainconf key
  937. _cleardomainconf() {
  938. _sdkey="$1"
  939. if [ "$DOMAIN_CONF" ] ; then
  940. _sed_i "s/^$_sdkey.*$//" "$DOMAIN_CONF"
  941. else
  942. _err "DOMAIN_CONF is empty, can not save $_sdkey=$value"
  943. fi
  944. }
  945. #_readdomainconf key
  946. _readdomainconf() {
  947. _sdkey="$1"
  948. if [ "$DOMAIN_CONF" ] ; then
  949. (
  950. eval $(grep "^$_sdkey *=" "$DOMAIN_CONF")
  951. eval "printf \"%s\" \"\$$_sdkey\""
  952. )
  953. else
  954. _err "DOMAIN_CONF is empty, can not read $_sdkey"
  955. fi
  956. }
  957. #_saveaccountconf key value
  958. _saveaccountconf() {
  959. _sckey="$1"
  960. _scvalue="$2"
  961. if [ "$ACCOUNT_CONF_PATH" ] ; then
  962. _setopt "$ACCOUNT_CONF_PATH" "$_sckey" "=" "\"$_scvalue\""
  963. else
  964. _err "ACCOUNT_CONF_PATH is empty, can not save $_sckey=$_scvalue"
  965. fi
  966. }
  967. #_clearaccountconf key
  968. _clearaccountconf() {
  969. _scvalue="$1"
  970. if [ "$ACCOUNT_CONF_PATH" ] ; then
  971. _sed_i "s/^$_scvalue.*$//" "$ACCOUNT_CONF_PATH"
  972. else
  973. _err "ACCOUNT_CONF_PATH is empty, can not clear $_scvalue"
  974. fi
  975. }
  976. # content localaddress
  977. _startserver() {
  978. content="$1"
  979. ncaddr="$2"
  980. _debug "ncaddr" "$ncaddr"
  981. _debug "startserver: $$"
  982. nchelp="$(nc -h 2>&1)"
  983. if echo "$nchelp" | grep "\-q[ ,]" >/dev/null ; then
  984. _NC="nc -q 1 -l $ncaddr"
  985. else
  986. if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null ; then
  987. _NC="nc -c -l $ncaddr"
  988. elif echo "$nchelp" | grep "\-N" |grep "Shutdown the network socket after EOF on stdin" >/dev/null ; then
  989. _NC="nc -N -l $ncaddr"
  990. else
  991. _NC="nc -l $ncaddr"
  992. fi
  993. fi
  994. _debug "_NC" "$_NC"
  995. _debug Le_HTTPPort "$Le_HTTPPort"
  996. # while true ; do
  997. if [ "$DEBUG" ] ; then
  998. if ! printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort ; then
  999. printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort ;
  1000. fi
  1001. else
  1002. if ! printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort > /dev/null 2>&1; then
  1003. printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort > /dev/null 2>&1
  1004. fi
  1005. fi
  1006. if [ "$?" != "0" ] ; then
  1007. _err "nc listen error."
  1008. exit 1
  1009. fi
  1010. # done
  1011. }
  1012. _stopserver(){
  1013. pid="$1"
  1014. _debug "pid" "$pid"
  1015. if [ -z "$pid" ] ; then
  1016. return
  1017. fi
  1018. _debug2 "Le_HTTPPort" "$Le_HTTPPort"
  1019. if [ "$Le_HTTPPort" ] ; then
  1020. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ] ; then
  1021. _get "http://localhost:$Le_HTTPPort" "" 1
  1022. else
  1023. _get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
  1024. fi
  1025. fi
  1026. _debug2 "Le_TLSPort" "$Le_TLSPort"
  1027. if [ "$Le_TLSPort" ] ; then
  1028. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ] ; then
  1029. _get "https://localhost:$Le_TLSPort" "" 1
  1030. _get "https://localhost:$Le_TLSPort" "" 1
  1031. else
  1032. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1033. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1034. fi
  1035. fi
  1036. }
  1037. # _starttlsserver san_a san_b port content
  1038. _starttlsserver() {
  1039. _info "Starting tls server."
  1040. san_a="$1"
  1041. san_b="$2"
  1042. port="$3"
  1043. content="$4"
  1044. _debug san_a "$san_a"
  1045. _debug san_b "$san_b"
  1046. _debug port "$port"
  1047. #create key TLS_KEY
  1048. if ! _createkey "2048" "$TLS_KEY" ; then
  1049. _err "Create tls validation key error."
  1050. return 1
  1051. fi
  1052. #create csr
  1053. alt="$san_a"
  1054. if [ "$san_b" ] ; then
  1055. alt="$alt,$san_b"
  1056. fi
  1057. if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" ; then
  1058. _err "Create tls validation csr error."
  1059. return 1
  1060. fi
  1061. #self signed
  1062. if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT" ; then
  1063. _err "Create tls validation cert error."
  1064. return 1
  1065. fi
  1066. #start openssl
  1067. _debug "openssl s_server -cert \"$TLS_CERT\" -key \"$TLS_KEY\" -accept $port -tlsextdebug"
  1068. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  1069. (printf "HTTP/1.1 200 OK\r\n\r\n$content" | openssl s_server -cert "$TLS_CERT" -key "$TLS_KEY" -accept $port -tlsextdebug ) &
  1070. else
  1071. (printf "HTTP/1.1 200 OK\r\n\r\n$content" | openssl s_server -cert "$TLS_CERT" -key "$TLS_KEY" -accept $port >/dev/null 2>&1) &
  1072. fi
  1073. serverproc="$!"
  1074. sleep 2
  1075. _debug serverproc $serverproc
  1076. }
  1077. #file
  1078. _readlink() {
  1079. _rf="$1"
  1080. if ! readlink -f "$_rf" 2>/dev/null; then
  1081. if _startswith "$_rf" "\./$PROJECT_ENTRY" ; then
  1082. printf -- "%s" "$(pwd)/$PROJECT_ENTRY"
  1083. return 0
  1084. fi
  1085. readlink "$_rf"
  1086. fi
  1087. }
  1088. __initHome() {
  1089. if [ -z "$_SCRIPT_HOME" ] ; then
  1090. if _exists readlink && _exists dirname ; then
  1091. _debug "Lets guess script dir."
  1092. _debug "_SCRIPT_" "$_SCRIPT_"
  1093. _script="$(_readlink "$_SCRIPT_")"
  1094. _debug "_script" "$_script"
  1095. _script_home="$(dirname "$_script")"
  1096. _debug "_script_home" "$_script_home"
  1097. if [ -d "$_script_home" ] ; then
  1098. _SCRIPT_HOME="$_script_home"
  1099. else
  1100. _err "It seems the script home is not correct:$_script_home"
  1101. fi
  1102. fi
  1103. fi
  1104. if [ -z "$LE_WORKING_DIR" ] ; then
  1105. if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ] ; then
  1106. _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
  1107. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1108. else
  1109. LE_WORKING_DIR="$_SCRIPT_HOME"
  1110. fi
  1111. fi
  1112. if [ -z "$LE_WORKING_DIR" ] ; then
  1113. _debug "Using default home:$DEFAULT_INSTALL_HOME"
  1114. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1115. fi
  1116. export LE_WORKING_DIR
  1117. _DEFAULT_ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf"
  1118. if [ -z "$ACCOUNT_CONF_PATH" ] ; then
  1119. if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ] ; then
  1120. . "$_DEFAULT_ACCOUNT_CONF_PATH"
  1121. fi
  1122. fi
  1123. if [ -z "$ACCOUNT_CONF_PATH" ] ; then
  1124. ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
  1125. fi
  1126. DEFAULT_LOG_FILE="$LE_WORKING_DIR/$PROJECT_NAME.log"
  1127. }
  1128. #[domain] [keylength]
  1129. _initpath() {
  1130. __initHome
  1131. if [ -f "$ACCOUNT_CONF_PATH" ] ; then
  1132. . "$ACCOUNT_CONF_PATH"
  1133. fi
  1134. if [ "$IN_CRON" ] ; then
  1135. if [ ! "$_USER_PATH_EXPORTED" ] ; then
  1136. _USER_PATH_EXPORTED=1
  1137. export PATH="$USER_PATH:$PATH"
  1138. fi
  1139. fi
  1140. if [ -z "$API" ] ; then
  1141. if [ -z "$STAGE" ] ; then
  1142. API="$DEFAULT_CA"
  1143. else
  1144. API="$STAGE_CA"
  1145. _info "Using stage api:$API"
  1146. fi
  1147. fi
  1148. if [ -z "$ACME_DIR" ] ; then
  1149. ACME_DIR="/home/.acme"
  1150. fi
  1151. if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then
  1152. APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR"
  1153. fi
  1154. if [ -z "$USER_AGENT" ] ; then
  1155. USER_AGENT="$DEFAULT_USER_AGENT"
  1156. fi
  1157. if [ -z "$HTTP_HEADER" ] ; then
  1158. HTTP_HEADER="$LE_WORKING_DIR/http.header"
  1159. fi
  1160. _DEFAULT_ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key"
  1161. if [ -z "$ACCOUNT_KEY_PATH" ] ; then
  1162. ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  1163. fi
  1164. _DEFAULT_CERT_HOME="$LE_WORKING_DIR"
  1165. if [ -z "$CERT_HOME" ] ; then
  1166. CERT_HOME="$_DEFAULT_CERT_HOME"
  1167. fi
  1168. if [ -z "$1" ] ; then
  1169. return 0
  1170. fi
  1171. domain="$1"
  1172. _ilength="$2"
  1173. if [ -z "$DOMAIN_PATH" ] ; then
  1174. domainhome="$CERT_HOME/$domain"
  1175. domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
  1176. DOMAIN_PATH="$domainhome"
  1177. if _isEccKey "$_ilength" ; then
  1178. DOMAIN_PATH="$domainhomeecc"
  1179. else
  1180. if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ] ; then
  1181. _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
  1182. fi
  1183. fi
  1184. _debug DOMAIN_PATH "$DOMAIN_PATH"
  1185. fi
  1186. if [ ! -d "$DOMAIN_PATH" ] ; then
  1187. if ! mkdir -p "$DOMAIN_PATH" ; then
  1188. _err "Can not create domain path: $DOMAIN_PATH"
  1189. return 1
  1190. fi
  1191. fi
  1192. if [ -z "$DOMAIN_CONF" ] ; then
  1193. DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
  1194. fi
  1195. if [ -z "$DOMAIN_SSL_CONF" ] ; then
  1196. DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
  1197. fi
  1198. if [ -z "$CSR_PATH" ] ; then
  1199. CSR_PATH="$DOMAIN_PATH/$domain.csr"
  1200. fi
  1201. if [ -z "$CERT_KEY_PATH" ] ; then
  1202. CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
  1203. fi
  1204. if [ -z "$CERT_PATH" ] ; then
  1205. CERT_PATH="$DOMAIN_PATH/$domain.cer"
  1206. fi
  1207. if [ -z "$CA_CERT_PATH" ] ; then
  1208. CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
  1209. fi
  1210. if [ -z "$CERT_FULLCHAIN_PATH" ] ; then
  1211. CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
  1212. fi
  1213. if [ -z "$CERT_PFX_PATH" ] ; then
  1214. CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
  1215. fi
  1216. if [ -z "$TLS_CONF" ] ; then
  1217. TLS_CONF="$DOMAIN_PATH/tls.valdation.conf"
  1218. fi
  1219. if [ -z "$TLS_CERT" ] ; then
  1220. TLS_CERT="$DOMAIN_PATH/tls.valdation.cert"
  1221. fi
  1222. if [ -z "$TLS_KEY" ] ; then
  1223. TLS_KEY="$DOMAIN_PATH/tls.valdation.key"
  1224. fi
  1225. if [ -z "$TLS_CSR" ] ; then
  1226. TLS_CSR="$DOMAIN_PATH/tls.valdation.csr"
  1227. fi
  1228. }
  1229. _apachePath() {
  1230. _APACHECTL="apachectl"
  1231. if ! _exists apachectl ; then
  1232. if _exists apache2ctl ; then
  1233. _APACHECTL="apache2ctl"
  1234. else
  1235. _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
  1236. _err "Please use webroot mode to try again."
  1237. return 1
  1238. fi
  1239. fi
  1240. httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )"
  1241. _debug httpdconfname "$httpdconfname"
  1242. if _startswith "$httpdconfname" '/' ; then
  1243. httpdconf="$httpdconfname"
  1244. httpdconfname="$(basename $httpdconfname)"
  1245. else
  1246. httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )"
  1247. _debug httpdroot "$httpdroot"
  1248. httpdconf="$httpdroot/$httpdconfname"
  1249. httpdconfname="$(basename $httpdconfname)"
  1250. fi
  1251. _debug httpdconf "$httpdconf"
  1252. _debug httpdconfname "$httpdconfname"
  1253. if [ ! -f "$httpdconf" ] ; then
  1254. _err "Apache Config file not found" "$httpdconf"
  1255. return 1
  1256. fi
  1257. return 0
  1258. }
  1259. _restoreApache() {
  1260. if [ -z "$usingApache" ] ; then
  1261. return 0
  1262. fi
  1263. _initpath
  1264. if ! _apachePath ; then
  1265. return 1
  1266. fi
  1267. if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then
  1268. _debug "No config file to restore."
  1269. return 0
  1270. fi
  1271. cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" > "$httpdconf"
  1272. _debug "Restored: $httpdconf."
  1273. if ! $_APACHECTL -t >/dev/null 2>&1 ; then
  1274. _err "Sorry, restore apache config error, please contact me."
  1275. return 1;
  1276. fi
  1277. _debug "Restored successfully."
  1278. rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1279. return 0
  1280. }
  1281. _setApache() {
  1282. _initpath
  1283. if ! _apachePath ; then
  1284. return 1
  1285. fi
  1286. #test the conf first
  1287. _info "Checking if there is an error in the apache config file before starting."
  1288. _msg="$($_APACHECTL -t 2>&1 )"
  1289. if [ "$?" != "0" ] ; then
  1290. _err "Sorry, apache config file has error, please fix it first, then try again."
  1291. _err "Don't worry, there is nothing changed to your system."
  1292. _err "$_msg"
  1293. return 1;
  1294. else
  1295. _info "OK"
  1296. fi
  1297. #backup the conf
  1298. _debug "Backup apache config file" "$httpdconf"
  1299. if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/" ; then
  1300. _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
  1301. _err "This might be a bug of $PROJECT_NAME , pleae report issue: $PROJECT"
  1302. return 1
  1303. fi
  1304. _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1305. _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
  1306. _info "The backup file will be deleted on sucess, just forget it."
  1307. #add alias
  1308. apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2 )"
  1309. _debug "apacheVer" "$apacheVer"
  1310. apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
  1311. apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
  1312. if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ] ; then
  1313. echo "
  1314. Alias /.well-known/acme-challenge $ACME_DIR
  1315. <Directory $ACME_DIR >
  1316. Require all granted
  1317. </Directory>
  1318. " >> "$httpdconf"
  1319. else
  1320. echo "
  1321. Alias /.well-known/acme-challenge $ACME_DIR
  1322. <Directory $ACME_DIR >
  1323. Order allow,deny
  1324. Allow from all
  1325. </Directory>
  1326. " >> "$httpdconf"
  1327. fi
  1328. _msg="$($_APACHECTL -t 2>&1 )"
  1329. if [ "$?" != "0" ] ; then
  1330. _err "Sorry, apache config error"
  1331. if _restoreApache ; then
  1332. _err "The apache config file is restored."
  1333. else
  1334. _err "Sorry, The apache config file can not be restored, please report bug."
  1335. fi
  1336. return 1;
  1337. fi
  1338. if [ ! -d "$ACME_DIR" ] ; then
  1339. mkdir -p "$ACME_DIR"
  1340. chmod 755 "$ACME_DIR"
  1341. fi
  1342. if ! $_APACHECTL graceful ; then
  1343. _err "Sorry, $_APACHECTL graceful error, please contact me."
  1344. _restoreApache
  1345. return 1;
  1346. fi
  1347. usingApache="1"
  1348. return 0
  1349. }
  1350. _clearup() {
  1351. _stopserver $serverproc
  1352. serverproc=""
  1353. _restoreApache
  1354. if [ -z "$DEBUG" ] ; then
  1355. rm -f "$TLS_CONF"
  1356. rm -f "$TLS_CERT"
  1357. rm -f "$TLS_KEY"
  1358. rm -f "$TLS_CSR"
  1359. fi
  1360. }
  1361. # webroot removelevel tokenfile
  1362. _clearupwebbroot() {
  1363. __webroot="$1"
  1364. if [ -z "$__webroot" ] ; then
  1365. _debug "no webroot specified, skip"
  1366. return 0
  1367. fi
  1368. _rmpath=""
  1369. if [ "$2" = '1' ] ; then
  1370. _rmpath="$__webroot/.well-known"
  1371. elif [ "$2" = '2' ] ; then
  1372. _rmpath="$__webroot/.well-known/acme-challenge"
  1373. elif [ "$2" = '3' ] ; then
  1374. _rmpath="$__webroot/.well-known/acme-challenge/$3"
  1375. else
  1376. _debug "Skip for removelevel:$2"
  1377. fi
  1378. if [ "$_rmpath" ] ; then
  1379. if [ "$DEBUG" ] ; then
  1380. _debug "Debugging, skip removing: $_rmpath"
  1381. else
  1382. rm -rf "$_rmpath"
  1383. fi
  1384. fi
  1385. return 0
  1386. }
  1387. _on_before_issue() {
  1388. if _hasfield "$Le_Webroot" "$NO_VALUE" ; then
  1389. if ! _exists "nc" ; then
  1390. _err "Please install netcat(nc) tools first."
  1391. return 1
  1392. fi
  1393. elif ! _hasfield "$Le_Webroot" "$W_TLS" ; then
  1394. #no need to check anymore
  1395. return 0
  1396. fi
  1397. _debug Le_LocalAddress "$Le_LocalAddress"
  1398. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
  1399. _index=1
  1400. _currentRoot=""
  1401. _addrIndex=1
  1402. for d in $alldomains
  1403. do
  1404. _debug "Check for domain" $d
  1405. _currentRoot="$(_getfield "$Le_Webroot" $_index)"
  1406. _debug "_currentRoot" "$_currentRoot"
  1407. _index=$(_math $_index + 1)
  1408. _checkport=""
  1409. if [ "$_currentRoot" = "$NO_VALUE" ] ; then
  1410. _info "Standalone mode."
  1411. if [ -z "$Le_HTTPPort" ] ; then
  1412. Le_HTTPPort=80
  1413. else
  1414. _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
  1415. fi
  1416. _checkport="$Le_HTTPPort"
  1417. elif [ "$_currentRoot" = "$W_TLS" ] ; then
  1418. _info "Standalone tls mode."
  1419. if [ -z "$Le_TLSPort" ] ; then
  1420. Le_TLSPort=443
  1421. else
  1422. _savedomainconf "Le_TLSPort" "$Le_TLSPort"
  1423. fi
  1424. _checkport="$Le_TLSPort"
  1425. fi
  1426. if [ "$_checkport" ] ; then
  1427. _debug _checkport "$_checkport"
  1428. _checkaddr="$(_getfield "$Le_LocalAddress" $_addrIndex)"
  1429. _debug _checkaddr "$_checkaddr"
  1430. _addrIndex="$(_math $_addrIndex + 1)"
  1431. _netprc="$(_ss "$_checkport" | grep "$_checkport")"
  1432. netprc="$(echo "$_netprc" | grep "$_checkaddr")"
  1433. if [ -z "$netprc" ] ; then
  1434. netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
  1435. fi
  1436. if [ "$netprc" ] ; then
  1437. _err "$netprc"
  1438. _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
  1439. _err "Please stop it first"
  1440. return 1
  1441. fi
  1442. fi
  1443. done
  1444. if _hasfield "$Le_Webroot" "apache" ; then
  1445. if ! _setApache ; then
  1446. _err "set up apache error. Report error to me."
  1447. return 1
  1448. fi
  1449. else
  1450. usingApache=""
  1451. fi
  1452. #run pre hook
  1453. if [ "$Le_PreHook" ] ; then
  1454. _info "Run pre hook:'$Le_PreHook'"
  1455. if ! (
  1456. cd "$DOMAIN_PATH" && eval "$Le_PreHook"
  1457. ) ; then
  1458. _err "Error when run pre hook."
  1459. return 1
  1460. fi
  1461. fi
  1462. }
  1463. _on_issue_err() {
  1464. #run the post hook
  1465. if [ "$Le_PostHook" ] ; then
  1466. _info "Run post hook:'$Le_PostHook'"
  1467. if ! (
  1468. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1469. ) ; then
  1470. _err "Error when run post hook."
  1471. return 1
  1472. fi
  1473. fi
  1474. }
  1475. _on_issue_success() {
  1476. #run the post hook
  1477. if [ "$Le_PostHook" ] ; then
  1478. _info "Run post hook:'$Le_PostHook'"
  1479. if ! (
  1480. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1481. ) ; then
  1482. _err "Error when run post hook."
  1483. return 1
  1484. fi
  1485. fi
  1486. #run renew hook
  1487. if [ "$IS_RENEW" ] && [ "$Le_RenewHook" ] ; then
  1488. _info "Run renew hook:'$Le_RenewHook'"
  1489. if ! (
  1490. cd "$DOMAIN_PATH" && eval "$Le_RenewHook"
  1491. ) ; then
  1492. _err "Error when run renew hook."
  1493. return 1
  1494. fi
  1495. fi
  1496. }
  1497. #webroot, domain domainlist keylength
  1498. issue() {
  1499. if [ -z "$2" ] ; then
  1500. _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
  1501. return 1
  1502. fi
  1503. Le_Webroot="$1"
  1504. Le_Domain="$2"
  1505. Le_Alt="$3"
  1506. Le_Keylength="$4"
  1507. Le_RealCertPath="$5"
  1508. Le_RealKeyPath="$6"
  1509. Le_RealCACertPath="$7"
  1510. Le_ReloadCmd="$8"
  1511. Le_RealFullChainPath="$9"
  1512. Le_PreHook="${10}"
  1513. Le_PostHook="${11}"
  1514. Le_RenewHook="${12}"
  1515. Le_LocalAddress="${13}"
  1516. #remove these later.
  1517. if [ "$Le_Webroot" = "dns-cf" ] ; then
  1518. Le_Webroot="dns_cf"
  1519. fi
  1520. if [ "$Le_Webroot" = "dns-dp" ] ; then
  1521. Le_Webroot="dns_dp"
  1522. fi
  1523. if [ "$Le_Webroot" = "dns-cx" ] ; then
  1524. Le_Webroot="dns_cx"
  1525. fi
  1526. if [ ! "$IS_RENEW" ] ; then
  1527. _initpath $Le_Domain "$Le_Keylength"
  1528. mkdir -p "$DOMAIN_PATH"
  1529. fi
  1530. if [ -f "$DOMAIN_CONF" ] ; then
  1531. Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
  1532. _debug Le_NextRenewTime "$Le_NextRenewTime"
  1533. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ $(_time) -lt $Le_NextRenewTime ] ; then
  1534. _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
  1535. _info "Add '$(__red '--force')' to force to renew."
  1536. return $RENEW_SKIP
  1537. fi
  1538. fi
  1539. _savedomainconf "Le_Domain" "$Le_Domain"
  1540. _savedomainconf "Le_Alt" "$Le_Alt"
  1541. _savedomainconf "Le_Webroot" "$Le_Webroot"
  1542. _savedomainconf "Le_PreHook" "$Le_PreHook"
  1543. _savedomainconf "Le_PostHook" "$Le_PostHook"
  1544. _savedomainconf "Le_RenewHook" "$Le_RenewHook"
  1545. _savedomainconf "Le_LocalAddress" "$Le_LocalAddress"
  1546. if [ "$Le_Alt" = "$NO_VALUE" ] ; then
  1547. Le_Alt=""
  1548. fi
  1549. if ! _on_before_issue ; then
  1550. _err "_on_before_issue."
  1551. return 1
  1552. fi
  1553. if [ ! -f "$ACCOUNT_KEY_PATH" ] ; then
  1554. _acck="$NO_VALUE"
  1555. if [ "$Le_Keylength" ] ; then
  1556. _acck="$Le_Keylength"
  1557. fi
  1558. if ! createAccountKey "$_acck" ; then
  1559. _err "Create account key error."
  1560. if [ "$usingApache" ] ; then
  1561. _restoreApache
  1562. fi
  1563. _on_issue_err
  1564. return 1
  1565. fi
  1566. fi
  1567. if ! _calcjwk "$ACCOUNT_KEY_PATH" ; then
  1568. if [ "$usingApache" ] ; then
  1569. _restoreApache
  1570. fi
  1571. _on_issue_err
  1572. return 1
  1573. fi
  1574. accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' )
  1575. thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
  1576. regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}'
  1577. if [ "$ACCOUNT_EMAIL" ] ; then
  1578. regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
  1579. fi
  1580. accountkeyhash="$(cat "$ACCOUNT_KEY_PATH" | _digest "sha256" )"
  1581. accountkeyhash="$(echo $accountkeyhash$API$regjson | _digest "sha256" )"
  1582. if [ "$accountkeyhash" != "$ACCOUNT_KEY_HASH" ] ; then
  1583. _info "Registering account"
  1584. _send_signed_request "$API/acme/new-reg" "$regjson"
  1585. if [ "$code" = "" ] || [ "$code" = '201' ] ; then
  1586. _info "Registered"
  1587. echo "$response" > $LE_WORKING_DIR/account.json
  1588. elif [ "$code" = '409' ] ; then
  1589. _info "Already registered"
  1590. else
  1591. _err "Register account Error: $response"
  1592. _clearup
  1593. _on_issue_err
  1594. return 1
  1595. fi
  1596. ACCOUNT_KEY_HASH="$accountkeyhash"
  1597. _saveaccountconf "ACCOUNT_KEY_HASH" "$ACCOUNT_KEY_HASH"
  1598. else
  1599. _info "Skip register account key"
  1600. fi
  1601. if [ "$Le_Keylength" = "$NO_VALUE" ] ; then
  1602. Le_Keylength=""
  1603. fi
  1604. if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ] ; then
  1605. _info "Signing from existing CSR."
  1606. else
  1607. _key=$(_readdomainconf Le_Keylength)
  1608. _debug "Read key length:$_key"
  1609. if [ ! -f "$CERT_KEY_PATH" ] || [ "$Le_Keylength" != "$_key" ] ; then
  1610. if ! createDomainKey $Le_Domain $Le_Keylength ; then
  1611. _err "Create domain key error."
  1612. _clearup
  1613. _on_issue_err
  1614. return 1
  1615. fi
  1616. fi
  1617. if ! _createcsr "$Le_Domain" "$Le_Alt" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF" ; then
  1618. _err "Create CSR error."
  1619. _clearup
  1620. _on_issue_err
  1621. return 1
  1622. fi
  1623. fi
  1624. _savedomainconf "Le_Keylength" "$Le_Keylength"
  1625. vlist="$Le_Vlist"
  1626. # verify each domain
  1627. _info "Verify each domain"
  1628. sep='#'
  1629. if [ -z "$vlist" ] ; then
  1630. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
  1631. _index=1
  1632. _currentRoot=""
  1633. for d in $alldomains
  1634. do
  1635. _info "Getting webroot for domain" $d
  1636. _w="$(echo $Le_Webroot | cut -d , -f $_index)"
  1637. _info _w "$_w"
  1638. if [ "$_w" ] ; then
  1639. _currentRoot="$_w"
  1640. fi
  1641. _debug "_currentRoot" "$_currentRoot"
  1642. _index=$(_math $_index + 1)
  1643. vtype="$VTYPE_HTTP"
  1644. if _startswith "$_currentRoot" "dns" ; then
  1645. vtype="$VTYPE_DNS"
  1646. fi
  1647. if [ "$_currentRoot" = "$W_TLS" ] ; then
  1648. vtype="$VTYPE_TLS"
  1649. fi
  1650. _info "Getting new-authz for domain" $d
  1651. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" ; then
  1652. _err "Can not get domain token."
  1653. _clearup
  1654. _on_issue_err
  1655. return 1
  1656. fi
  1657. if [ ! -z "$code" ] && [ ! "$code" = '201' ] ; then
  1658. _err "new-authz error: $response"
  1659. _clearup
  1660. _on_issue_err
  1661. return 1
  1662. fi
  1663. entry="$(printf "%s\n" "$response" | _egrep_o '[^{]*"type":"'$vtype'"[^}]*')"
  1664. _debug entry "$entry"
  1665. if [ -z "$entry" ] ; then
  1666. _err "Error, can not get domain token $d"
  1667. _clearup
  1668. _on_issue_err
  1669. return 1
  1670. fi
  1671. token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
  1672. _debug token $token
  1673. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
  1674. _debug uri $uri
  1675. keyauthorization="$token.$thumbprint"
  1676. _debug keyauthorization "$keyauthorization"
  1677. if printf "$response" | grep '"status":"valid"' >/dev/null 2>&1 ; then
  1678. _info "$d is already verified, skip."
  1679. keyauthorization=$STATE_VERIFIED
  1680. _debug keyauthorization "$keyauthorization"
  1681. fi
  1682. dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
  1683. _debug dvlist "$dvlist"
  1684. vlist="$vlist$dvlist,"
  1685. done
  1686. #add entry
  1687. dnsadded=""
  1688. ventries=$(echo "$vlist" | tr ',' ' ' )
  1689. for ventry in $ventries
  1690. do
  1691. d=$(echo $ventry | cut -d $sep -f 1)
  1692. keyauthorization=$(echo $ventry | cut -d $sep -f 2)
  1693. vtype=$(echo $ventry | cut -d $sep -f 4)
  1694. _currentRoot=$(echo $ventry | cut -d $sep -f 5)
  1695. if [ "$keyauthorization" = "$STATE_VERIFIED" ] ; then
  1696. _info "$d is already verified, skip $vtype."
  1697. continue
  1698. fi
  1699. if [ "$vtype" = "$VTYPE_DNS" ] ; then
  1700. dnsadded='0'
  1701. txtdomain="_acme-challenge.$d"
  1702. _debug txtdomain "$txtdomain"
  1703. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _urlencode)"
  1704. _debug txt "$txt"
  1705. #dns
  1706. #1. check use api
  1707. d_api=""
  1708. if [ -f "$LE_WORKING_DIR/$d/$_currentRoot" ] ; then
  1709. d_api="$LE_WORKING_DIR/$d/$_currentRoot"
  1710. elif [ -f "$LE_WORKING_DIR/$d/$_currentRoot.sh" ] ; then
  1711. d_api="$LE_WORKING_DIR/$d/$_currentRoot.sh"
  1712. elif [ -f "$LE_WORKING_DIR/$_currentRoot" ] ; then
  1713. d_api="$LE_WORKING_DIR/$_currentRoot"
  1714. elif [ -f "$LE_WORKING_DIR/$_currentRoot.sh" ] ; then
  1715. d_api="$LE_WORKING_DIR/$_currentRoot.sh"
  1716. elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot" ] ; then
  1717. d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot"
  1718. elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot.sh" ] ; then
  1719. d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot.sh"
  1720. fi
  1721. _debug d_api "$d_api"
  1722. if [ "$d_api" ] ; then
  1723. _info "Found domain api file: $d_api"
  1724. else
  1725. _err "Add the following TXT record:"
  1726. _err "Domain: '$(__green $txtdomain)'"
  1727. _err "TXT value: '$(__green $txt)'"
  1728. _err "Please be aware that you prepend _acme-challenge. before your domain"
  1729. _err "so the resulting subdomain will be: $txtdomain"
  1730. continue
  1731. fi
  1732. (
  1733. if ! . $d_api ; then
  1734. _err "Load file $d_api error. Please check your api file and try again."
  1735. _on_issue_err
  1736. return 1
  1737. fi
  1738. addcommand="${_currentRoot}_add"
  1739. if ! _exists $addcommand ; then
  1740. _err "It seems that your api file is not correct, it must have a function named: $addcommand"
  1741. _on_issue_err
  1742. return 1
  1743. fi
  1744. if ! $addcommand $txtdomain $txt ; then
  1745. _err "Error add txt for domain:$txtdomain"
  1746. _on_issue_err
  1747. return 1
  1748. fi
  1749. )
  1750. if [ "$?" != "0" ] ; then
  1751. _clearup
  1752. _on_issue_err
  1753. return 1
  1754. fi
  1755. dnsadded='1'
  1756. fi
  1757. done
  1758. if [ "$dnsadded" = '0' ] ; then
  1759. _savedomainconf "Le_Vlist" "$vlist"
  1760. _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
  1761. _err "Please add the TXT records to the domains, and retry again."
  1762. _clearup
  1763. _on_issue_err
  1764. return 1
  1765. fi
  1766. fi
  1767. if [ "$dnsadded" = '1' ] ; then
  1768. if [ -z "$Le_DNSSleep" ] ; then
  1769. Le_DNSSleep=$DEFAULT_DNS_SLEEP
  1770. else
  1771. _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
  1772. fi
  1773. _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
  1774. sleep $Le_DNSSleep
  1775. fi
  1776. _debug "ok, let's start to verify"
  1777. _ncIndex=1
  1778. ventries=$(echo "$vlist" | tr ',' ' ' )
  1779. for ventry in $ventries
  1780. do
  1781. d=$(echo $ventry | cut -d $sep -f 1)
  1782. keyauthorization=$(echo $ventry | cut -d $sep -f 2)
  1783. uri=$(echo $ventry | cut -d $sep -f 3)
  1784. vtype=$(echo $ventry | cut -d $sep -f 4)
  1785. _currentRoot=$(echo $ventry | cut -d $sep -f 5)
  1786. if [ "$keyauthorization" = "$STATE_VERIFIED" ] ; then
  1787. _info "$d is already verified, skip $vtype."
  1788. continue
  1789. fi
  1790. _info "Verifying:$d"
  1791. _debug "d" "$d"
  1792. _debug "keyauthorization" "$keyauthorization"
  1793. _debug "uri" "$uri"
  1794. removelevel=""
  1795. token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
  1796. _debug "_currentRoot" "$_currentRoot"
  1797. if [ "$vtype" = "$VTYPE_HTTP" ] ; then
  1798. if [ "$_currentRoot" = "$NO_VALUE" ] ; then
  1799. _info "Standalone mode server"
  1800. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex" )"
  1801. _ncIndex="$(_math $_ncIndex + 1)"
  1802. _startserver "$keyauthorization" "$_ncaddr" &
  1803. if [ "$?" != "0" ] ; then
  1804. _clearup
  1805. _on_issue_err
  1806. return 1
  1807. fi
  1808. serverproc="$!"
  1809. sleep 2
  1810. _debug serverproc $serverproc
  1811. else
  1812. if [ "$_currentRoot" = "apache" ] ; then
  1813. wellknown_path="$ACME_DIR"
  1814. else
  1815. wellknown_path="$_currentRoot/.well-known/acme-challenge"
  1816. if [ ! -d "$_currentRoot/.well-known" ] ; then
  1817. removelevel='1'
  1818. elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ] ; then
  1819. removelevel='2'
  1820. else
  1821. removelevel='3'
  1822. fi
  1823. fi
  1824. _debug wellknown_path "$wellknown_path"
  1825. _debug "writing token:$token to $wellknown_path/$token"
  1826. mkdir -p "$wellknown_path"
  1827. printf "%s" "$keyauthorization" > "$wellknown_path/$token"
  1828. if [ ! "$usingApache" ] ; then
  1829. if webroot_owner=$(_stat $_currentRoot) ; then
  1830. _debug "Changing owner/group of .well-known to $webroot_owner"
  1831. chown -R $webroot_owner "$_currentRoot/.well-known"
  1832. else
  1833. _debug "not chaning owner/group of webroot";
  1834. fi
  1835. fi
  1836. fi
  1837. elif [ "$vtype" = "$VTYPE_TLS" ] ; then
  1838. #create A
  1839. #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
  1840. #_debug2 _hash_A "$_hash_A"
  1841. #_x="$(echo $_hash_A | cut -c 1-32)"
  1842. #_debug2 _x "$_x"
  1843. #_y="$(echo $_hash_A | cut -c 33-64)"
  1844. #_debug2 _y "$_y"
  1845. #_SAN_A="$_x.$_y.token.acme.invalid"
  1846. #_debug2 _SAN_A "$_SAN_A"
  1847. #create B
  1848. _hash_B="$(printf "%s" $keyauthorization | _digest "sha256" "hex" )"
  1849. _debug2 _hash_B "$_hash_B"
  1850. _x="$(echo $_hash_B | cut -c 1-32)"
  1851. _debug2 _x "$_x"
  1852. _y="$(echo $_hash_B | cut -c 33-64)"
  1853. _debug2 _y "$_y"
  1854. #_SAN_B="$_x.$_y.ka.acme.invalid"
  1855. _SAN_B="$_x.$_y.acme.invalid"
  1856. _debug2 _SAN_B "$_SAN_B"
  1857. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex" )"
  1858. _ncIndex="$(_math $_ncIndex + 1)"
  1859. if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
  1860. _err "Start tls server error."
  1861. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1862. _clearup
  1863. _on_issue_err
  1864. return 1
  1865. fi
  1866. fi
  1867. if ! _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" ; then
  1868. _err "$d:Can not get challenge: $response"
  1869. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1870. _clearup
  1871. _on_issue_err
  1872. return 1
  1873. fi
  1874. if [ ! -z "$code" ] && [ ! "$code" = '202' ] ; then
  1875. _err "$d:Challenge error: $response"
  1876. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1877. _clearup
  1878. _on_issue_err
  1879. return 1
  1880. fi
  1881. waittimes=0
  1882. if [ -z "$MAX_RETRY_TIMES" ] ; then
  1883. MAX_RETRY_TIMES=30
  1884. fi
  1885. while true ; do
  1886. waittimes=$(_math $waittimes + 1)
  1887. if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ] ; then
  1888. _err "$d:Timeout"
  1889. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1890. _clearup
  1891. _on_issue_err
  1892. return 1
  1893. fi
  1894. _debug "sleep 5 secs to verify"
  1895. sleep 5
  1896. _debug "checking"
  1897. response="$(_get $uri)"
  1898. if [ "$?" != "0" ] ; then
  1899. _err "$d:Verify error:$response"
  1900. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1901. _clearup
  1902. _on_issue_err
  1903. return 1
  1904. fi
  1905. _debug2 original "$response"
  1906. response="$(echo "$response" | _normalizeJson )"
  1907. _debug2 response "$response"
  1908. status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
  1909. if [ "$status" = "valid" ] ; then
  1910. _info "Success"
  1911. _stopserver $serverproc
  1912. serverproc=""
  1913. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1914. break;
  1915. fi
  1916. if [ "$status" = "invalid" ] ; then
  1917. error="$(echo "$response" | _egrep_o '"error":\{[^}]*}')"
  1918. _debug2 error "$error"
  1919. errordetail="$(echo $error | _egrep_o '"detail": *"[^"]*"' | cut -d '"' -f 4)"
  1920. _debug2 errordetail "$errordetail"
  1921. if [ "$errordetail" ] ; then
  1922. _err "$d:Verify error:$errordetail"
  1923. else
  1924. _err "$d:Verify error:$error"
  1925. fi
  1926. if [ "$DEBUG" ] ; then
  1927. if [ "$vtype" = "$VTYPE_HTTP" ] ; then
  1928. _debug "Debug: get token url."
  1929. _get "http://$d/.well-known/acme-challenge/$token"
  1930. fi
  1931. fi
  1932. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1933. _clearup
  1934. _on_issue_err
  1935. return 1;
  1936. fi
  1937. if [ "$status" = "pending" ] ; then
  1938. _info "Pending"
  1939. else
  1940. _err "$d:Verify error:$response"
  1941. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1942. _clearup
  1943. _on_issue_err
  1944. return 1
  1945. fi
  1946. done
  1947. done
  1948. _clearup
  1949. _info "Verify finished, start to sign."
  1950. der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _urlencode)"
  1951. if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" ; then
  1952. _err "Sign failed."
  1953. _on_issue_err
  1954. return 1
  1955. fi
  1956. Le_LinkCert="$(grep -i '^Location.*$' $HTTP_HEADER | head -1 | tr -d "\r\n" | cut -d " " -f 2)"
  1957. _savedomainconf "Le_LinkCert" "$Le_LinkCert"
  1958. if [ "$Le_LinkCert" ] ; then
  1959. echo "$BEGIN_CERT" > "$CERT_PATH"
  1960. _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH"
  1961. echo "$END_CERT" >> "$CERT_PATH"
  1962. _info "$(__green "Cert success.")"
  1963. cat "$CERT_PATH"
  1964. _info "Your cert is in $( __green " $CERT_PATH ")"
  1965. if [ -f "$CERT_KEY_PATH" ] ; then
  1966. _info "Your cert key is in $( __green " $CERT_KEY_PATH ")"
  1967. fi
  1968. cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
  1969. if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ] ; then
  1970. USER_PATH="$PATH"
  1971. _saveaccountconf "USER_PATH" "$USER_PATH"
  1972. fi
  1973. fi
  1974. if [ -z "$Le_LinkCert" ] ; then
  1975. response="$(echo $response | _dbase64 "multiline" | _normalizeJson )"
  1976. _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
  1977. _on_issue_err
  1978. return 1
  1979. fi
  1980. _cleardomainconf "Le_Vlist"
  1981. Le_LinkIssuer=$(grep -i '^Link' $HTTP_HEADER | head -1 | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' )
  1982. if ! _contains "$Le_LinkIssuer" ":" ; then
  1983. Le_LinkIssuer="$API$Le_LinkIssuer"
  1984. fi
  1985. _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
  1986. if [ "$Le_LinkIssuer" ] ; then
  1987. echo "$BEGIN_CERT" > "$CA_CERT_PATH"
  1988. _get "$Le_LinkIssuer" | _base64 "multiline" >> "$CA_CERT_PATH"
  1989. echo "$END_CERT" >> "$CA_CERT_PATH"
  1990. _info "The intermediate CA cert is in $( __green " $CA_CERT_PATH ")"
  1991. cat "$CA_CERT_PATH" >> "$CERT_FULLCHAIN_PATH"
  1992. _info "And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH ")"
  1993. fi
  1994. Le_CertCreateTime=$(_time)
  1995. _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
  1996. Le_CertCreateTimeStr=$(date -u )
  1997. _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
  1998. if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ] ; then
  1999. Le_RenewalDays=$MAX_RENEW
  2000. else
  2001. _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
  2002. fi
  2003. if [ "$CA_BUNDLE" ] ; then
  2004. _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
  2005. else
  2006. _clearaccountconf "CA_BUNDLE"
  2007. fi
  2008. if [ "$HTTPS_INSECURE" ] ; then
  2009. _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
  2010. else
  2011. _clearaccountconf "HTTPS_INSECURE"
  2012. fi
  2013. Le_NextRenewTime=$(_math $Le_CertCreateTime + $Le_RenewalDays \* 24 \* 60 \* 60)
  2014. Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime )
  2015. _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  2016. Le_NextRenewTime=$(_math $Le_NextRenewTime - 86400)
  2017. _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  2018. _on_issue_success
  2019. if [ "$Le_RealCertPath$Le_RealKeyPath$Le_RealCACertPath$Le_ReloadCmd$Le_RealFullChainPath" ] ; then
  2020. _installcert
  2021. fi
  2022. }
  2023. #domain [isEcc]
  2024. renew() {
  2025. Le_Domain="$1"
  2026. if [ -z "$Le_Domain" ] ; then
  2027. _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
  2028. return 1
  2029. fi
  2030. _isEcc="$2"
  2031. _initpath $Le_Domain "$_isEcc"
  2032. _info "$(__green "Renew: '$Le_Domain'")"
  2033. if [ ! -f "$DOMAIN_CONF" ] ; then
  2034. _info "'$Le_Domain' is not a issued domain, skip."
  2035. return 0;
  2036. fi
  2037. if [ "$Le_RenewalDays" ] ; then
  2038. _savedomainconf Le_RenewalDays "$Le_RenewalDays"
  2039. fi
  2040. . "$DOMAIN_CONF"
  2041. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ] ; then
  2042. _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
  2043. _info "Add '$(__red '--force')' to force to renew."
  2044. return $RENEW_SKIP
  2045. fi
  2046. IS_RENEW="1"
  2047. issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
  2048. res=$?
  2049. IS_RENEW=""
  2050. return $res
  2051. }
  2052. #renewAll [stopRenewOnError]
  2053. renewAll() {
  2054. _initpath
  2055. _stopRenewOnError="$1"
  2056. _debug "_stopRenewOnError" "$_stopRenewOnError"
  2057. _ret="0"
  2058. for d in $(ls -F ${CERT_HOME}/ | grep [^.].*[.].*/$ ) ; do
  2059. d=$(echo $d | cut -d '/' -f 1)
  2060. (
  2061. if _endswith $d "$ECC_SUFFIX" ; then
  2062. _isEcc=$(echo $d | cut -d "$ECC_SEP" -f 2)
  2063. d=$(echo $d | cut -d "$ECC_SEP" -f 1)
  2064. fi
  2065. renew "$d" "$_isEcc"
  2066. )
  2067. rc="$?"
  2068. _debug "Return code: $rc"
  2069. if [ "$rc" != "0" ] ; then
  2070. if [ "$rc" = "$RENEW_SKIP" ] ; then
  2071. _info "Skipped $d"
  2072. elif [ "$_stopRenewOnError" ] ; then
  2073. _err "Error renew $d, stop now."
  2074. return $rc
  2075. else
  2076. _ret="$rc"
  2077. _err "Error renew $d, Go ahead to next one."
  2078. fi
  2079. fi
  2080. done
  2081. return $_ret
  2082. }
  2083. #csr webroot
  2084. signcsr(){
  2085. _csrfile="$1"
  2086. _csrW="$2"
  2087. if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
  2088. _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
  2089. return 1
  2090. fi
  2091. _initpath
  2092. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2093. if [ "$?" != "0" ] || [ -z "$_csrsubj" ] ; then
  2094. _err "Can not read subject from csr: $_csrfile"
  2095. return 1
  2096. fi
  2097. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2098. if [ "$?" != "0" ] ; then
  2099. _err "Can not read domain list from csr: $_csrfile"
  2100. return 1
  2101. fi
  2102. _debug "_csrdomainlist" "$_csrdomainlist"
  2103. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2104. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ] ; then
  2105. _err "Can not read key length from csr: $_csrfile"
  2106. return 1
  2107. fi
  2108. _initpath "$_csrsubj" "$_csrkeylength"
  2109. mkdir -p "$DOMAIN_PATH"
  2110. _info "Copy csr to: $CSR_PATH"
  2111. cp "$_csrfile" "$CSR_PATH"
  2112. issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
  2113. }
  2114. showcsr() {
  2115. _csrfile="$1"
  2116. _csrd="$2"
  2117. if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
  2118. _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
  2119. return 1
  2120. fi
  2121. _initpath
  2122. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2123. if [ "$?" != "0" ] || [ -z "$_csrsubj" ] ; then
  2124. _err "Can not read subject from csr: $_csrfile"
  2125. return 1
  2126. fi
  2127. _info "Subject=$_csrsubj"
  2128. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2129. if [ "$?" != "0" ] ; then
  2130. _err "Can not read domain list from csr: $_csrfile"
  2131. return 1
  2132. fi
  2133. _debug "_csrdomainlist" "$_csrdomainlist"
  2134. _info "SubjectAltNames=$_csrdomainlist"
  2135. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2136. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ] ; then
  2137. _err "Can not read key length from csr: $_csrfile"
  2138. return 1
  2139. fi
  2140. _info "KeyLength=$_csrkeylength"
  2141. }
  2142. list() {
  2143. _raw="$1"
  2144. _initpath
  2145. _sep="|"
  2146. if [ "$_raw" ] ; then
  2147. printf "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew\n"
  2148. for d in $(ls -F ${CERT_HOME}/ | grep [^.].*[.].*/$ ) ; do
  2149. d=$(echo $d | cut -d '/' -f 1)
  2150. (
  2151. if _endswith $d "$ECC_SUFFIX" ; then
  2152. _isEcc=$(echo $d | cut -d "$ECC_SEP" -f 2)
  2153. d=$(echo $d | cut -d "$ECC_SEP" -f 1)
  2154. fi
  2155. _initpath $d "$_isEcc"
  2156. if [ -f "$DOMAIN_CONF" ] ; then
  2157. . "$DOMAIN_CONF"
  2158. printf "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr\n"
  2159. fi
  2160. )
  2161. done
  2162. else
  2163. if _exists column ; then
  2164. list "raw" | column -t -s "$_sep"
  2165. else
  2166. list "raw" | tr "$_sep" '\t'
  2167. fi
  2168. fi
  2169. }
  2170. installcert() {
  2171. Le_Domain="$1"
  2172. if [ -z "$Le_Domain" ] ; then
  2173. _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
  2174. return 1
  2175. fi
  2176. Le_RealCertPath="$2"
  2177. Le_RealKeyPath="$3"
  2178. Le_RealCACertPath="$4"
  2179. Le_ReloadCmd="$5"
  2180. Le_RealFullChainPath="$6"
  2181. _isEcc="$7"
  2182. _initpath $Le_Domain "$_isEcc"
  2183. if [ ! -d "$DOMAIN_PATH" ] ; then
  2184. _err "Domain is not valid:'$Le_Domain'"
  2185. return 1
  2186. fi
  2187. _installcert
  2188. }
  2189. _installcert() {
  2190. _savedomainconf "Le_RealCertPath" "$Le_RealCertPath"
  2191. _savedomainconf "Le_RealCACertPath" "$Le_RealCACertPath"
  2192. _savedomainconf "Le_RealKeyPath" "$Le_RealKeyPath"
  2193. _savedomainconf "Le_ReloadCmd" "$Le_ReloadCmd"
  2194. _savedomainconf "Le_RealFullChainPath" "$Le_RealFullChainPath"
  2195. if [ "$Le_RealCertPath" = "$NO_VALUE" ] ; then
  2196. Le_RealCertPath=""
  2197. fi
  2198. if [ "$Le_RealKeyPath" = "$NO_VALUE" ] ; then
  2199. Le_RealKeyPath=""
  2200. fi
  2201. if [ "$Le_RealCACertPath" = "$NO_VALUE" ] ; then
  2202. Le_RealCACertPath=""
  2203. fi
  2204. if [ "$Le_ReloadCmd" = "$NO_VALUE" ] ; then
  2205. Le_ReloadCmd=""
  2206. fi
  2207. if [ "$Le_RealFullChainPath" = "$NO_VALUE" ] ; then
  2208. Le_RealFullChainPath=""
  2209. fi
  2210. _installed="0"
  2211. if [ "$Le_RealCertPath" ] ; then
  2212. _installed=1
  2213. _info "Installing cert to:$Le_RealCertPath"
  2214. if [ -f "$Le_RealCertPath" ] && [ ! "$IS_RENEW" ] ; then
  2215. cp "$Le_RealCertPath" "$Le_RealCertPath".bak
  2216. fi
  2217. cat "$CERT_PATH" > "$Le_RealCertPath"
  2218. fi
  2219. if [ "$Le_RealCACertPath" ] ; then
  2220. _installed=1
  2221. _info "Installing CA to:$Le_RealCACertPath"
  2222. if [ "$Le_RealCACertPath" = "$Le_RealCertPath" ] ; then
  2223. echo "" >> "$Le_RealCACertPath"
  2224. cat "$CA_CERT_PATH" >> "$Le_RealCACertPath"
  2225. else
  2226. if [ -f "$Le_RealCACertPath" ] && [ ! "$IS_RENEW" ] ; then
  2227. cp "$Le_RealCACertPath" "$Le_RealCACertPath".bak
  2228. fi
  2229. cat "$CA_CERT_PATH" > "$Le_RealCACertPath"
  2230. fi
  2231. fi
  2232. if [ "$Le_RealKeyPath" ] ; then
  2233. _installed=1
  2234. _info "Installing key to:$Le_RealKeyPath"
  2235. if [ -f "$Le_RealKeyPath" ] && [ ! "$IS_RENEW" ] ; then
  2236. cp "$Le_RealKeyPath" "$Le_RealKeyPath".bak
  2237. fi
  2238. cat "$CERT_KEY_PATH" > "$Le_RealKeyPath"
  2239. fi
  2240. if [ "$Le_RealFullChainPath" ] ; then
  2241. _installed=1
  2242. _info "Installing full chain to:$Le_RealFullChainPath"
  2243. if [ -f "$Le_RealFullChainPath" ] && [ ! "$IS_RENEW" ] ; then
  2244. cp "$Le_RealFullChainPath" "$Le_RealFullChainPath".bak
  2245. fi
  2246. cat "$CERT_FULLCHAIN_PATH" > "$Le_RealFullChainPath"
  2247. fi
  2248. if [ "$Le_ReloadCmd" ] ; then
  2249. _installed=1
  2250. _info "Run Le_ReloadCmd: $Le_ReloadCmd"
  2251. if (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") ; then
  2252. _info "$(__green "Reload success")"
  2253. else
  2254. _err "Reload error for :$Le_Domain"
  2255. fi
  2256. fi
  2257. }
  2258. installcronjob() {
  2259. _initpath
  2260. if ! _exists "crontab" ; then
  2261. _err "crontab doesn't exist, so, we can not install cron jobs."
  2262. _err "All your certs will not be renewed automatically."
  2263. _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
  2264. return 1
  2265. fi
  2266. _info "Installing cron job"
  2267. if ! crontab -l | grep "$PROJECT_ENTRY --cron" ; then
  2268. if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ] ; then
  2269. lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
  2270. else
  2271. _err "Can not install cronjob, $PROJECT_ENTRY not found."
  2272. return 1
  2273. fi
  2274. if _exists uname && uname -a | grep solaris >/dev/null ; then
  2275. crontab -l | { cat; echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"; } | crontab --
  2276. else
  2277. crontab -l | { cat; echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"; } | crontab -
  2278. fi
  2279. fi
  2280. if [ "$?" != "0" ] ; then
  2281. _err "Install cron job failed. You need to manually renew your certs."
  2282. _err "Or you can add cronjob by yourself:"
  2283. _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2284. return 1
  2285. fi
  2286. }
  2287. uninstallcronjob() {
  2288. if ! _exists "crontab" ; then
  2289. return
  2290. fi
  2291. _info "Removing cron job"
  2292. cr="$(crontab -l | grep "$PROJECT_ENTRY --cron")"
  2293. if [ "$cr" ] ; then
  2294. if _exists uname && uname -a | grep solaris >/dev/null ; then
  2295. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab --
  2296. else
  2297. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab -
  2298. fi
  2299. LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
  2300. _info LE_WORKING_DIR "$LE_WORKING_DIR"
  2301. fi
  2302. _initpath
  2303. }
  2304. revoke() {
  2305. Le_Domain="$1"
  2306. if [ -z "$Le_Domain" ] ; then
  2307. _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com"
  2308. return 1
  2309. fi
  2310. _isEcc="$2"
  2311. _initpath $Le_Domain "$_isEcc"
  2312. if [ ! -f "$DOMAIN_CONF" ] ; then
  2313. _err "$Le_Domain is not a issued domain, skip."
  2314. return 1;
  2315. fi
  2316. if [ ! -f "$CERT_PATH" ] ; then
  2317. _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
  2318. return 1
  2319. fi
  2320. cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}"| tr -d "\r\n" | _urlencode)"
  2321. if [ -z "$cert" ] ; then
  2322. _err "Cert for $Le_Domain is empty found, skip."
  2323. return 1
  2324. fi
  2325. data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
  2326. uri="$API/acme/revoke-cert"
  2327. _info "Try domain key first."
  2328. if _send_signed_request $uri "$data" "" "$CERT_KEY_PATH"; then
  2329. if [ -z "$response" ] ; then
  2330. _info "Revoke success."
  2331. rm -f $CERT_PATH
  2332. return 0
  2333. else
  2334. _err "Revoke error by domain key."
  2335. _err "$response"
  2336. fi
  2337. fi
  2338. _info "Then try account key."
  2339. if _send_signed_request $uri "$data" "" "$ACCOUNT_KEY_PATH" ; then
  2340. if [ -z "$response" ] ; then
  2341. _info "Revoke success."
  2342. rm -f $CERT_PATH
  2343. return 0
  2344. else
  2345. _err "Revoke error."
  2346. _debug "$response"
  2347. fi
  2348. fi
  2349. return 1
  2350. }
  2351. #domain vtype
  2352. _deactivate() {
  2353. _d_domain="$1"
  2354. _d_type="$2"
  2355. _initpath
  2356. _d_i=0
  2357. _d_max_retry=9
  2358. while [ "$_d_i" -lt "$_d_max_retry" ] ;
  2359. do
  2360. _d_i="$(_math $_d_i + 1)"
  2361. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$_d_domain\"}}" ; then
  2362. _err "Can not get domain token."
  2363. return 1
  2364. fi
  2365. authzUri="$(echo "$responseHeaders" | grep "^Location:" | cut -d ' ' -f 2 | tr -d "\r\n")"
  2366. _debug "authzUri" "$authzUri"
  2367. if [ ! -z "$code" ] && [ ! "$code" = '201' ] ; then
  2368. _err "new-authz error: $response"
  2369. return 1
  2370. fi
  2371. entry="$(printf "%s\n" "$response" | _egrep_o '[^{]*"status":"valid","uri"[^}]*')"
  2372. _debug entry "$entry"
  2373. if [ -z "$entry" ] ; then
  2374. _info "No more valid entry found."
  2375. break
  2376. fi
  2377. _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
  2378. _debug _vtype $_vtype
  2379. _info "Found $_vtype"
  2380. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
  2381. _debug uri $uri
  2382. if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ] ; then
  2383. _info "Skip $_vtype"
  2384. continue
  2385. fi
  2386. _info "Deactivate: $_vtype"
  2387. if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}" ; then
  2388. _err "Can not deactivate $_vtype."
  2389. return 1
  2390. fi
  2391. _info "Deactivate: $_vtype success."
  2392. done
  2393. _debug "$_d_i"
  2394. if [ "$_d_i" -lt "$_d_max_retry" ] ; then
  2395. _info "Deactivated success!"
  2396. else
  2397. _err "Deactivate failed."
  2398. fi
  2399. }
  2400. deactivate() {
  2401. _d_domain_list="$1"
  2402. _d_type="$2"
  2403. _initpath
  2404. _debug _d_domain_list "$_d_domain_list"
  2405. if [ -z "$(echo $_d_domain_list | cut -d , -f 1 )" ] ; then
  2406. _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
  2407. return 1
  2408. fi
  2409. for _d_dm in $(echo "$_d_domain_list" | tr ',' ' ' ) ;
  2410. do
  2411. if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ] ; then
  2412. continue
  2413. fi
  2414. _deactivate "$_d_dm" $_d_type
  2415. done
  2416. }
  2417. # Detect profile file if not specified as environment variable
  2418. _detect_profile() {
  2419. if [ -n "$PROFILE" -a -f "$PROFILE" ] ; then
  2420. echo "$PROFILE"
  2421. return
  2422. fi
  2423. DETECTED_PROFILE=''
  2424. SHELLTYPE="$(basename "/$SHELL")"
  2425. if [ "$SHELLTYPE" = "bash" ] ; then
  2426. if [ -f "$HOME/.bashrc" ] ; then
  2427. DETECTED_PROFILE="$HOME/.bashrc"
  2428. elif [ -f "$HOME/.bash_profile" ] ; then
  2429. DETECTED_PROFILE="$HOME/.bash_profile"
  2430. fi
  2431. elif [ "$SHELLTYPE" = "zsh" ] ; then
  2432. DETECTED_PROFILE="$HOME/.zshrc"
  2433. fi
  2434. if [ -z "$DETECTED_PROFILE" ] ; then
  2435. if [ -f "$HOME/.profile" ] ; then
  2436. DETECTED_PROFILE="$HOME/.profile"
  2437. elif [ -f "$HOME/.bashrc" ] ; then
  2438. DETECTED_PROFILE="$HOME/.bashrc"
  2439. elif [ -f "$HOME/.bash_profile" ] ; then
  2440. DETECTED_PROFILE="$HOME/.bash_profile"
  2441. elif [ -f "$HOME/.zshrc" ] ; then
  2442. DETECTED_PROFILE="$HOME/.zshrc"
  2443. fi
  2444. fi
  2445. if [ ! -z "$DETECTED_PROFILE" ] ; then
  2446. echo "$DETECTED_PROFILE"
  2447. fi
  2448. }
  2449. _initconf() {
  2450. _initpath
  2451. if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
  2452. echo "#ACCOUNT_CONF_PATH=xxxx
  2453. #Account configurations:
  2454. #Here are the supported macros, uncomment them to make them take effect.
  2455. #ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account.
  2456. #ACCOUNT_KEY_PATH=\"/path/to/account.key\"
  2457. #CERT_HOME=\"/path/to/cert/home\"
  2458. #LOG_FILE=\"$DEFAULT_LOG_FILE\"
  2459. #AUTO_UPGRADE=\"1\"
  2460. #STAGE=1 # Use the staging api
  2461. #FORCE=1 # Force to issue cert
  2462. #DEBUG=1 # Debug mode
  2463. #ACCOUNT_KEY_HASH=account key hash
  2464. #USER_AGENT=\"$USER_AGENT\"
  2465. #USER_PATH=""
  2466. #dns api
  2467. #######################
  2468. #Cloudflare:
  2469. #api key
  2470. #CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"
  2471. #account email
  2472. #CF_Email=\"xxxx@sss.com\"
  2473. #######################
  2474. #Dnspod.cn:
  2475. #api key id
  2476. #DP_Id=\"1234\"
  2477. #api key
  2478. #DP_Key=\"sADDsdasdgdsf\"
  2479. #######################
  2480. #Cloudxns.com:
  2481. #CX_Key=\"1234\"
  2482. #
  2483. #CX_Secret=\"sADDsdasdgdsf\"
  2484. #######################
  2485. #Godaddy.com:
  2486. #GD_Key=\"sdfdsgdgdfdasfds\"
  2487. #
  2488. #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
  2489. " > $ACCOUNT_CONF_PATH
  2490. fi
  2491. }
  2492. # nocron
  2493. _precheck() {
  2494. _nocron="$1"
  2495. if ! _exists "curl" && ! _exists "wget"; then
  2496. _err "Please install curl or wget first, we need to access http resources."
  2497. return 1
  2498. fi
  2499. if [ -z "$_nocron" ] ; then
  2500. if ! _exists "crontab" ; then
  2501. _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
  2502. _err "We need to set cron job to renew the certs automatically."
  2503. _err "Otherwise, your certs will not be able to be renewed automatically."
  2504. if [ -z "$FORCE" ] ; then
  2505. _err "Please add '--force' and try install again to go without crontab."
  2506. _err "./$PROJECT_ENTRY --install --force"
  2507. return 1
  2508. fi
  2509. fi
  2510. fi
  2511. if ! _exists "openssl" ; then
  2512. _err "Please install openssl first."
  2513. _err "We need openssl to generate keys."
  2514. return 1
  2515. fi
  2516. if ! _exists "nc" ; then
  2517. _err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
  2518. _err "We use nc for standalone server if you use standalone mode."
  2519. _err "If you don't use standalone mode, just ignore this warning."
  2520. fi
  2521. return 0
  2522. }
  2523. _setShebang() {
  2524. _file="$1"
  2525. _shebang="$2"
  2526. if [ -z "$_shebang" ] ; then
  2527. _usage "Usage: file shebang"
  2528. return 1
  2529. fi
  2530. cp "$_file" "$_file.tmp"
  2531. echo "$_shebang" > "$_file"
  2532. sed -n 2,99999p "$_file.tmp" >> "$_file"
  2533. rm -f "$_file.tmp"
  2534. }
  2535. _installalias() {
  2536. _initpath
  2537. _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  2538. if [ "$_upgrading" ] && [ "$_upgrading" = "1" ] ; then
  2539. echo "$(cat $_envfile)" | sed "s|^LE_WORKING_DIR.*$||" > "$_envfile"
  2540. echo "$(cat $_envfile)" | sed "s|^alias le.*$||" > "$_envfile"
  2541. echo "$(cat $_envfile)" | sed "s|^alias le.sh.*$||" > "$_envfile"
  2542. fi
  2543. _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
  2544. _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2545. _profile="$(_detect_profile)"
  2546. if [ "$_profile" ] ; then
  2547. _debug "Found profile: $_profile"
  2548. _setopt "$_profile" ". \"$_envfile\""
  2549. _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
  2550. else
  2551. _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
  2552. fi
  2553. #for csh
  2554. _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
  2555. _csh_profile="$HOME/.cshrc"
  2556. if [ -f "$_csh_profile" ] ; then
  2557. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  2558. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2559. _setopt "$_csh_profile" "source \"$_cshfile\""
  2560. fi
  2561. #for tcsh
  2562. _tcsh_profile="$HOME/.tcshrc"
  2563. if [ -f "$_tcsh_profile" ] ; then
  2564. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  2565. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2566. _setopt "$_tcsh_profile" "source \"$_cshfile\""
  2567. fi
  2568. }
  2569. # nocron
  2570. install() {
  2571. if [ -z "$LE_WORKING_DIR" ] ; then
  2572. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  2573. fi
  2574. _nocron="$1"
  2575. if ! _initpath ; then
  2576. _err "Install failed."
  2577. return 1
  2578. fi
  2579. if [ "$_nocron" ] ; then
  2580. _debug "Skip install cron job"
  2581. fi
  2582. if ! _precheck "$_nocron" ; then
  2583. _err "Pre-check failed, can not install."
  2584. return 1
  2585. fi
  2586. #convert from le
  2587. if [ -d "$HOME/.le" ] ; then
  2588. for envfile in "le.env" "le.sh.env"
  2589. do
  2590. if [ -f "$HOME/.le/$envfile" ] ; then
  2591. if grep "le.sh" "$HOME/.le/$envfile" >/dev/null ; then
  2592. _upgrading="1"
  2593. _info "You are upgrading from le.sh"
  2594. _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
  2595. mv "$HOME/.le" "$LE_WORKING_DIR"
  2596. mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  2597. break;
  2598. fi
  2599. fi
  2600. done
  2601. fi
  2602. _info "Installing to $LE_WORKING_DIR"
  2603. if ! mkdir -p "$LE_WORKING_DIR" ; then
  2604. _err "Can not create working dir: $LE_WORKING_DIR"
  2605. return 1
  2606. fi
  2607. chmod 700 "$LE_WORKING_DIR"
  2608. cp $PROJECT_ENTRY "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
  2609. if [ "$?" != "0" ] ; then
  2610. _err "Install failed, can not copy $PROJECT_ENTRY"
  2611. return 1
  2612. fi
  2613. _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
  2614. _installalias
  2615. if [ -d "dnsapi" ] ; then
  2616. mkdir -p $LE_WORKING_DIR/dnsapi
  2617. cp dnsapi/* $LE_WORKING_DIR/dnsapi/
  2618. fi
  2619. if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
  2620. _initconf
  2621. fi
  2622. if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ] ; then
  2623. _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
  2624. fi
  2625. if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ] ; then
  2626. _saveaccountconf "CERT_HOME" "$CERT_HOME"
  2627. fi
  2628. if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ] ; then
  2629. _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
  2630. fi
  2631. if [ -z "$_nocron" ] ; then
  2632. installcronjob
  2633. fi
  2634. if [ -z "$NO_DETECT_SH" ] ; then
  2635. #Modify shebang
  2636. if _exists bash ; then
  2637. _info "Good, bash is installed, change the shebang to use bash as prefered."
  2638. _shebang='#!/usr/bin/env bash'
  2639. _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
  2640. if [ -d "$LE_WORKING_DIR/dnsapi" ] ; then
  2641. for _apifile in $(ls "$LE_WORKING_DIR/dnsapi/"*.sh) ; do
  2642. _setShebang "$_apifile" "$_shebang"
  2643. done
  2644. fi
  2645. fi
  2646. fi
  2647. _info OK
  2648. }
  2649. # nocron
  2650. uninstall() {
  2651. _nocron="$1"
  2652. if [ -z "$_nocron" ] ; then
  2653. uninstallcronjob
  2654. fi
  2655. _initpath
  2656. _profile="$(_detect_profile)"
  2657. if [ "$_profile" ] ; then
  2658. text="$(cat $_profile)"
  2659. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" > "$_profile"
  2660. fi
  2661. _csh_profile="$HOME/.cshrc"
  2662. if [ -f "$_csh_profile" ] ; then
  2663. text="$(cat $_csh_profile)"
  2664. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_csh_profile"
  2665. fi
  2666. _tcsh_profile="$HOME/.tcshrc"
  2667. if [ -f "$_tcsh_profile" ] ; then
  2668. text="$(cat $_tcsh_profile)"
  2669. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_tcsh_profile"
  2670. fi
  2671. rm -f $LE_WORKING_DIR/$PROJECT_ENTRY
  2672. _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself."
  2673. }
  2674. cron() {
  2675. IN_CRON=1
  2676. _initpath
  2677. if [ "$AUTO_UPGRADE" ] ; then
  2678. export LE_WORKING_DIR
  2679. (
  2680. if ! upgrade ; then
  2681. _err "Cron:Upgrade failed!"
  2682. return 1
  2683. fi
  2684. )
  2685. . $LE_WORKING_DIR/$PROJECT_ENTRY >/dev/null
  2686. if [ -t 1 ] ; then
  2687. __INTERACTIVE="1"
  2688. fi
  2689. _info "Auto upgraded to: $VER"
  2690. fi
  2691. renewAll
  2692. _ret="$?"
  2693. IN_CRON=""
  2694. exit $_ret
  2695. }
  2696. version() {
  2697. echo "$PROJECT"
  2698. echo "v$VER"
  2699. }
  2700. showhelp() {
  2701. _initpath
  2702. version
  2703. echo "Usage: $PROJECT_ENTRY command ...[parameters]....
  2704. Commands:
  2705. --help, -h Show this help message.
  2706. --version, -v Show version info.
  2707. --install Install $PROJECT_NAME to your system.
  2708. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
  2709. --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT .
  2710. --issue Issue a cert.
  2711. --signcsr Issue a cert from an existing csr.
  2712. --installcert Install the issued cert to apache/nginx or any other server.
  2713. --renew, -r Renew a cert.
  2714. --renewAll Renew all the certs.
  2715. --revoke Revoke a cert.
  2716. --list List all the certs.
  2717. --showcsr Show the content of a csr.
  2718. --installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  2719. --uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
  2720. --cron Run cron job to renew all the certs.
  2721. --toPkcs Export the certificate and key to a pfx file.
  2722. --createAccountKey, -cak Create an account private key, professional use.
  2723. --createDomainKey, -cdk Create an domain private key, professional use.
  2724. --createCSR, -ccsr Create CSR , professional use.
  2725. --deactivate Deactivate the domain authz, professional use.
  2726. Parameters:
  2727. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
  2728. --force, -f Used to force to install or force to renew a cert immediately.
  2729. --staging, --test Use staging server, just for test.
  2730. --debug Output debug info.
  2731. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
  2732. --standalone Use standalone mode.
  2733. --tls Use standalone tls mode.
  2734. --apache Use apache mode.
  2735. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
  2736. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  2737. --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  2738. --accountkeylength, -ak [2048] Specifies the account key length.
  2739. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  2740. These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
  2741. --certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
  2742. --keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
  2743. --capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
  2744. --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
  2745. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  2746. --accountconf Specifies a customized account config file.
  2747. --home Specifies the home dir for $PROJECT_NAME .
  2748. --certhome Specifies the home dir to save all the certs, only valid for '--install' command.
  2749. --useragent Specifies the user agent string. it will be saved for future use too.
  2750. --accountemail Specifies the account email for registering, Only valid for the '--install' command.
  2751. --accountkey Specifies the account key path, Only valid for the '--install' command.
  2752. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
  2753. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  2754. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  2755. --local-address Specifies the standalone server listening address, in case you have multiple ip addresses.
  2756. --listraw Only used for '--list' command, list the certs in raw format.
  2757. --stopRenewOnError, -se Only valid for '--renewall' command. Stop if one cert has error in renewal.
  2758. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  2759. --ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
  2760. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  2761. --ecc Specifies to use the ECC cert. Valid for '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  2762. --csr Specifies the input csr.
  2763. --pre-hook Command to be run before obtaining any certificates.
  2764. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed.
  2765. --renew-hook Command to be run once for each successfully renewed certificate.
  2766. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
  2767. "
  2768. }
  2769. # nocron
  2770. _installOnline() {
  2771. _info "Installing from online archive."
  2772. _nocron="$1"
  2773. if [ ! "$BRANCH" ] ; then
  2774. BRANCH="master"
  2775. fi
  2776. target="$PROJECT/archive/$BRANCH.tar.gz"
  2777. _info "Downloading $target"
  2778. localname="$BRANCH.tar.gz"
  2779. if ! _get "$target" > $localname ; then
  2780. _err "Download error."
  2781. return 1
  2782. fi
  2783. (
  2784. _info "Extracting $localname"
  2785. tar xzf $localname
  2786. cd "$PROJECT_NAME-$BRANCH"
  2787. chmod +x $PROJECT_ENTRY
  2788. if ./$PROJECT_ENTRY install "$_nocron" ; then
  2789. _info "Install success!"
  2790. fi
  2791. cd ..
  2792. rm -rf "$PROJECT_NAME-$BRANCH"
  2793. rm -f "$localname"
  2794. )
  2795. }
  2796. upgrade() {
  2797. if (
  2798. _initpath
  2799. export LE_WORKING_DIR
  2800. cd "$LE_WORKING_DIR"
  2801. _installOnline "nocron"
  2802. ) ; then
  2803. _info "Upgrade success!"
  2804. exit 0
  2805. else
  2806. _err "Upgrade failed!"
  2807. exit 1
  2808. fi
  2809. }
  2810. _processAccountConf() {
  2811. if [ "$_useragent" ] ; then
  2812. _saveaccountconf "USER_AGENT" "$_useragent"
  2813. elif [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ] ; then
  2814. _saveaccountconf "USER_AGENT" "$USER_AGENT"
  2815. fi
  2816. if [ "$_accountemail" ] ; then
  2817. _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  2818. elif [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ] ; then
  2819. _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
  2820. fi
  2821. }
  2822. _process() {
  2823. _CMD=""
  2824. _domain=""
  2825. _altdomains="$NO_VALUE"
  2826. _webroot=""
  2827. _keylength=""
  2828. _accountkeylength=""
  2829. _certpath=""
  2830. _keypath=""
  2831. _capath=""
  2832. _fullchainpath=""
  2833. _reloadcmd=""
  2834. _password=""
  2835. _accountconf=""
  2836. _useragent=""
  2837. _accountemail=""
  2838. _accountkey=""
  2839. _certhome=""
  2840. _httpport=""
  2841. _tlsport=""
  2842. _dnssleep=""
  2843. _listraw=""
  2844. _stopRenewOnError=""
  2845. _insecure=""
  2846. _ca_bundle=""
  2847. _nocron=""
  2848. _ecc=""
  2849. _csr=""
  2850. _pre_hook=""
  2851. _post_hook=""
  2852. _renew_hook=""
  2853. _logfile=""
  2854. _log=""
  2855. _local_address=""
  2856. while [ ${#} -gt 0 ] ; do
  2857. case "${1}" in
  2858. --help|-h)
  2859. showhelp
  2860. return
  2861. ;;
  2862. --version|-v)
  2863. version
  2864. return
  2865. ;;
  2866. --install)
  2867. _CMD="install"
  2868. ;;
  2869. --uninstall)
  2870. _CMD="uninstall"
  2871. ;;
  2872. --upgrade)
  2873. _CMD="upgrade"
  2874. ;;
  2875. --issue)
  2876. _CMD="issue"
  2877. ;;
  2878. --signcsr)
  2879. _CMD="signcsr"
  2880. ;;
  2881. --showcsr)
  2882. _CMD="showcsr"
  2883. ;;
  2884. --installcert|-i)
  2885. _CMD="installcert"
  2886. ;;
  2887. --renew|-r)
  2888. _CMD="renew"
  2889. ;;
  2890. --renewAll|--renewall)
  2891. _CMD="renewAll"
  2892. ;;
  2893. --revoke)
  2894. _CMD="revoke"
  2895. ;;
  2896. --list)
  2897. _CMD="list"
  2898. ;;
  2899. --installcronjob)
  2900. _CMD="installcronjob"
  2901. ;;
  2902. --uninstallcronjob)
  2903. _CMD="uninstallcronjob"
  2904. ;;
  2905. --cron)
  2906. _CMD="cron"
  2907. ;;
  2908. --toPkcs)
  2909. _CMD="toPkcs"
  2910. ;;
  2911. --createAccountKey|--createaccountkey|-cak)
  2912. _CMD="createAccountKey"
  2913. ;;
  2914. --createDomainKey|--createdomainkey|-cdk)
  2915. _CMD="createDomainKey"
  2916. ;;
  2917. --createCSR|--createcsr|-ccr)
  2918. _CMD="createCSR"
  2919. ;;
  2920. --deactivate)
  2921. _CMD="deactivate"
  2922. ;;
  2923. --domain|-d)
  2924. _dvalue="$2"
  2925. if [ "$_dvalue" ] ; then
  2926. if _startswith "$_dvalue" "-" ; then
  2927. _err "'$_dvalue' is not a valid domain for parameter '$1'"
  2928. return 1
  2929. fi
  2930. if [ -z "$_domain" ] ; then
  2931. _domain="$_dvalue"
  2932. else
  2933. if [ "$_altdomains" = "$NO_VALUE" ] ; then
  2934. _altdomains="$_dvalue"
  2935. else
  2936. _altdomains="$_altdomains,$_dvalue"
  2937. fi
  2938. fi
  2939. fi
  2940. shift
  2941. ;;
  2942. --force|-f)
  2943. FORCE="1"
  2944. ;;
  2945. --staging|--test)
  2946. STAGE="1"
  2947. ;;
  2948. --debug)
  2949. if [ -z "$2" ] || _startswith "$2" "-" ; then
  2950. DEBUG="1"
  2951. else
  2952. DEBUG="$2"
  2953. shift
  2954. fi
  2955. ;;
  2956. --webroot|-w)
  2957. wvalue="$2"
  2958. if [ -z "$_webroot" ] ; then
  2959. _webroot="$wvalue"
  2960. else
  2961. _webroot="$_webroot,$wvalue"
  2962. fi
  2963. shift
  2964. ;;
  2965. --standalone)
  2966. wvalue="$NO_VALUE"
  2967. if [ -z "$_webroot" ] ; then
  2968. _webroot="$wvalue"
  2969. else
  2970. _webroot="$_webroot,$wvalue"
  2971. fi
  2972. ;;
  2973. --local-address)
  2974. lvalue="$2"
  2975. _local_address="$_local_address$lvalue,"
  2976. shift
  2977. ;;
  2978. --apache)
  2979. wvalue="apache"
  2980. if [ -z "$_webroot" ] ; then
  2981. _webroot="$wvalue"
  2982. else
  2983. _webroot="$_webroot,$wvalue"
  2984. fi
  2985. ;;
  2986. --tls)
  2987. wvalue="$W_TLS"
  2988. if [ -z "$_webroot" ] ; then
  2989. _webroot="$wvalue"
  2990. else
  2991. _webroot="$_webroot,$wvalue"
  2992. fi
  2993. ;;
  2994. --dns)
  2995. wvalue="dns"
  2996. if ! _startswith "$2" "-" ; then
  2997. wvalue="$2"
  2998. shift
  2999. fi
  3000. if [ -z "$_webroot" ] ; then
  3001. _webroot="$wvalue"
  3002. else
  3003. _webroot="$_webroot,$wvalue"
  3004. fi
  3005. ;;
  3006. --dnssleep)
  3007. _dnssleep="$2"
  3008. Le_DNSSleep="$_dnssleep"
  3009. shift
  3010. ;;
  3011. --keylength|-k)
  3012. _keylength="$2"
  3013. if [ "$_accountkeylength" = "$NO_VALUE" ] ; then
  3014. _accountkeylength="$2"
  3015. fi
  3016. shift
  3017. ;;
  3018. --accountkeylength|-ak)
  3019. _accountkeylength="$2"
  3020. shift
  3021. ;;
  3022. --certpath)
  3023. _certpath="$2"
  3024. shift
  3025. ;;
  3026. --keypath)
  3027. _keypath="$2"
  3028. shift
  3029. ;;
  3030. --capath)
  3031. _capath="$2"
  3032. shift
  3033. ;;
  3034. --fullchainpath)
  3035. _fullchainpath="$2"
  3036. shift
  3037. ;;
  3038. --reloadcmd|--reloadCmd)
  3039. _reloadcmd="$2"
  3040. shift
  3041. ;;
  3042. --password)
  3043. _password="$2"
  3044. shift
  3045. ;;
  3046. --accountconf)
  3047. _accountconf="$2"
  3048. ACCOUNT_CONF_PATH="$_accountconf"
  3049. shift
  3050. ;;
  3051. --home)
  3052. LE_WORKING_DIR="$2"
  3053. shift
  3054. ;;
  3055. --certhome)
  3056. _certhome="$2"
  3057. CERT_HOME="$_certhome"
  3058. shift
  3059. ;;
  3060. --useragent)
  3061. _useragent="$2"
  3062. USER_AGENT="$_useragent"
  3063. shift
  3064. ;;
  3065. --accountemail )
  3066. _accountemail="$2"
  3067. ACCOUNT_EMAIL="$_accountemail"
  3068. shift
  3069. ;;
  3070. --accountkey )
  3071. _accountkey="$2"
  3072. ACCOUNT_KEY_PATH="$_accountkey"
  3073. shift
  3074. ;;
  3075. --days )
  3076. _days="$2"
  3077. Le_RenewalDays="$_days"
  3078. shift
  3079. ;;
  3080. --httpport )
  3081. _httpport="$2"
  3082. Le_HTTPPort="$_httpport"
  3083. shift
  3084. ;;
  3085. --tlsport )
  3086. _tlsport="$2"
  3087. Le_TLSPort="$_tlsport"
  3088. shift
  3089. ;;
  3090. --listraw )
  3091. _listraw="raw"
  3092. ;;
  3093. --stopRenewOnError|--stoprenewonerror|-se )
  3094. _stopRenewOnError="1"
  3095. ;;
  3096. --insecure)
  3097. _insecure="1"
  3098. HTTPS_INSECURE="1"
  3099. ;;
  3100. --ca-bundle)
  3101. _ca_bundle="$(readlink -f $2)"
  3102. CA_BUNDLE="$_ca_bundle"
  3103. shift
  3104. ;;
  3105. --nocron)
  3106. _nocron="1"
  3107. ;;
  3108. --ecc)
  3109. _ecc="isEcc"
  3110. ;;
  3111. --csr)
  3112. _csr="$2"
  3113. shift
  3114. ;;
  3115. --pre-hook)
  3116. _pre_hook="$2"
  3117. shift
  3118. ;;
  3119. --post-hook)
  3120. _post_hook="$2"
  3121. shift
  3122. ;;
  3123. --renew-hook)
  3124. _renew_hook="$2"
  3125. shift
  3126. ;;
  3127. --ocsp-must-staple|--ocsp)
  3128. Le_OCSP_Stable="1"
  3129. ;;
  3130. --log|--logfile)
  3131. _log="1"
  3132. _logfile="$2"
  3133. if [ -z "$_logfile" ] || _startswith "$_logfile" '-' ; then
  3134. _logfile=""
  3135. else
  3136. shift
  3137. fi
  3138. LOG_FILE="$_logfile"
  3139. ;;
  3140. *)
  3141. _err "Unknown parameter : $1"
  3142. return 1
  3143. ;;
  3144. esac
  3145. shift 1
  3146. done
  3147. if [ "${_CMD}" != "install" ] ; then
  3148. __initHome
  3149. if [ "$_log" ] && [ -z "$_logfile" ] ; then
  3150. _logfile="$DEFAULT_LOG_FILE"
  3151. fi
  3152. if [ "$_logfile" ] ; then
  3153. _saveaccountconf "LOG_FILE" "$_logfile"
  3154. fi
  3155. LOG_FILE="$_logfile"
  3156. _processAccountConf
  3157. fi
  3158. if [ "$DEBUG" ] ; then
  3159. version
  3160. fi
  3161. case "${_CMD}" in
  3162. install) install "$_nocron" ;;
  3163. uninstall) uninstall "$_nocron" ;;
  3164. upgrade) upgrade ;;
  3165. issue)
  3166. issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
  3167. ;;
  3168. signcsr)
  3169. signcsr "$_csr" "$_webroot"
  3170. ;;
  3171. showcsr)
  3172. showcsr "$_csr" "$_domain"
  3173. ;;
  3174. installcert)
  3175. installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
  3176. ;;
  3177. renew)
  3178. renew "$_domain" "$_ecc"
  3179. ;;
  3180. renewAll)
  3181. renewAll "$_stopRenewOnError"
  3182. ;;
  3183. revoke)
  3184. revoke "$_domain" "$_ecc"
  3185. ;;
  3186. deactivate)
  3187. deactivate "$_domain,$_altdomains"
  3188. ;;
  3189. list)
  3190. list "$_listraw"
  3191. ;;
  3192. installcronjob) installcronjob ;;
  3193. uninstallcronjob) uninstallcronjob ;;
  3194. cron) cron ;;
  3195. toPkcs)
  3196. toPkcs "$_domain" "$_password" "$_ecc"
  3197. ;;
  3198. createAccountKey)
  3199. createAccountKey "$_accountkeylength"
  3200. ;;
  3201. createDomainKey)
  3202. createDomainKey "$_domain" "$_keylength"
  3203. ;;
  3204. createCSR)
  3205. createCSR "$_domain" "$_altdomains" "$_ecc"
  3206. ;;
  3207. *)
  3208. _err "Invalid command: $_CMD"
  3209. showhelp;
  3210. return 1
  3211. ;;
  3212. esac
  3213. _ret="$?"
  3214. if [ "$_ret" != "0" ] ; then
  3215. return $_ret
  3216. fi
  3217. if [ "${_CMD}" = "install" ] ; then
  3218. if [ "$_log" ] ; then
  3219. if [ -z "$LOG_FILE" ] ; then
  3220. LOG_FILE="$DEFAULT_LOG_FILE"
  3221. fi
  3222. _saveaccountconf "LOG_FILE" "$LOG_FILE"
  3223. fi
  3224. _processAccountConf
  3225. fi
  3226. }
  3227. if [ "$INSTALLONLINE" ] ; then
  3228. INSTALLONLINE=""
  3229. _installOnline $BRANCH
  3230. exit
  3231. fi
  3232. main() {
  3233. [ -z "$1" ] && showhelp && return
  3234. if _startswith "$1" '-' ; then _process "$@"; else "$@";fi
  3235. }
  3236. main "$@"