You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

4534 lines
112 KiB

9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. VER=2.6.5
  3. PROJECT_NAME="acme.sh"
  4. PROJECT_ENTRY="acme.sh"
  5. PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
  6. DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
  7. _SCRIPT_="$0"
  8. _SUB_FOLDERS="dnsapi deploy"
  9. DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
  10. DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  11. DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
  12. DEFAULT_ACCOUNT_EMAIL=""
  13. DEFAULT_ACCOUNT_KEY_LENGTH=2048
  14. DEFAULT_DOMAIN_KEY_LENGTH=2048
  15. DEFAULT_OPENSSL_BIN="openssl"
  16. STAGE_CA="https://acme-staging.api.letsencrypt.org"
  17. VTYPE_HTTP="http-01"
  18. VTYPE_DNS="dns-01"
  19. VTYPE_TLS="tls-sni-01"
  20. #VTYPE_TLS2="tls-sni-02"
  21. LOCAL_ANY_ADDRESS="0.0.0.0"
  22. MAX_RENEW=60
  23. DEFAULT_DNS_SLEEP=120
  24. NO_VALUE="no"
  25. W_TLS="tls"
  26. STATE_VERIFIED="verified_ok"
  27. BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
  28. END_CSR="-----END CERTIFICATE REQUEST-----"
  29. BEGIN_CERT="-----BEGIN CERTIFICATE-----"
  30. END_CERT="-----END CERTIFICATE-----"
  31. RENEW_SKIP=2
  32. ECC_SEP="_"
  33. ECC_SUFFIX="${ECC_SEP}ecc"
  34. LOG_LEVEL_1=1
  35. LOG_LEVEL_2=2
  36. LOG_LEVEL_3=3
  37. DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
  38. _DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
  39. __INTERACTIVE=""
  40. if [ -t 1 ]; then
  41. __INTERACTIVE="1"
  42. fi
  43. __green() {
  44. if [ "$__INTERACTIVE" ]; then
  45. printf '\033[1;31;32m'
  46. fi
  47. printf -- "$1"
  48. if [ "$__INTERACTIVE" ]; then
  49. printf '\033[0m'
  50. fi
  51. }
  52. __red() {
  53. if [ "$__INTERACTIVE" ]; then
  54. printf '\033[1;31;40m'
  55. fi
  56. printf -- "$1"
  57. if [ "$__INTERACTIVE" ]; then
  58. printf '\033[0m'
  59. fi
  60. }
  61. _printargs() {
  62. if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
  63. printf -- "%s" "[$(date)] "
  64. fi
  65. if [ -z "$2" ]; then
  66. printf -- "%s" "$1"
  67. else
  68. printf -- "%s" "$1='$2'"
  69. fi
  70. printf "\n"
  71. }
  72. _dlg_versions() {
  73. echo "Diagnosis versions: "
  74. echo "openssl:$OPENSSL_BIN"
  75. if _exists "$OPENSSL_BIN"; then
  76. $OPENSSL_BIN version 2>&1
  77. else
  78. echo "$OPENSSL_BIN doesn't exists."
  79. fi
  80. echo "apache:"
  81. if [ "$_APACHECTL" ] && _exists "$_APACHECTL"; then
  82. _APACHECTL -V 2>&1
  83. else
  84. echo "apache doesn't exists."
  85. fi
  86. echo "nc:"
  87. if _exists "nc"; then
  88. nc -h 2>&1
  89. else
  90. _debug "nc doesn't exists."
  91. fi
  92. }
  93. _log() {
  94. [ -z "$LOG_FILE" ] && return
  95. _printargs "$@" >>"$LOG_FILE"
  96. }
  97. _info() {
  98. _log "$@"
  99. _printargs "$@"
  100. }
  101. _err() {
  102. _log "$@"
  103. if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
  104. printf -- "%s" "[$(date)] " >&2
  105. fi
  106. if [ -z "$2" ]; then
  107. __red "$1" >&2
  108. else
  109. __red "$1='$2'" >&2
  110. fi
  111. printf "\n" >&2
  112. return 1
  113. }
  114. _usage() {
  115. __red "$@" >&2
  116. printf "\n" >&2
  117. }
  118. _debug() {
  119. if [ -z "$LOG_LEVEL" ] || [ "$LOG_LEVEL" -ge "$LOG_LEVEL_1" ]; then
  120. _log "$@"
  121. fi
  122. if [ -z "$DEBUG" ]; then
  123. return
  124. fi
  125. _printargs "$@" >&2
  126. }
  127. _debug2() {
  128. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_2" ]; then
  129. _log "$@"
  130. fi
  131. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  132. _debug "$@"
  133. fi
  134. }
  135. _debug3() {
  136. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_3" ]; then
  137. _log "$@"
  138. fi
  139. if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ]; then
  140. _debug "$@"
  141. fi
  142. }
  143. _startswith() {
  144. _str="$1"
  145. _sub="$2"
  146. echo "$_str" | grep "^$_sub" >/dev/null 2>&1
  147. }
  148. _endswith() {
  149. _str="$1"
  150. _sub="$2"
  151. echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
  152. }
  153. _contains() {
  154. _str="$1"
  155. _sub="$2"
  156. echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
  157. }
  158. _hasfield() {
  159. _str="$1"
  160. _field="$2"
  161. _sep="$3"
  162. if [ -z "$_field" ]; then
  163. _usage "Usage: str field [sep]"
  164. return 1
  165. fi
  166. if [ -z "$_sep" ]; then
  167. _sep=","
  168. fi
  169. for f in $(echo "$_str" | tr ',' ' '); do
  170. if [ "$f" = "$_field" ]; then
  171. _debug2 "'$_str' contains '$_field'"
  172. return 0 #contains ok
  173. fi
  174. done
  175. _debug2 "'$_str' does not contain '$_field'"
  176. return 1 #not contains
  177. }
  178. _getfield() {
  179. _str="$1"
  180. _findex="$2"
  181. _sep="$3"
  182. if [ -z "$_findex" ]; then
  183. _usage "Usage: str field [sep]"
  184. return 1
  185. fi
  186. if [ -z "$_sep" ]; then
  187. _sep=","
  188. fi
  189. _ffi="$_findex"
  190. while [ "$_ffi" -gt "0" ]; do
  191. _fv="$(echo "$_str" | cut -d "$_sep" -f "$_ffi")"
  192. if [ "$_fv" ]; then
  193. printf -- "%s" "$_fv"
  194. return 0
  195. fi
  196. _ffi="$(_math "$_ffi" - 1)"
  197. done
  198. printf -- "%s" "$_str"
  199. }
  200. _exists() {
  201. cmd="$1"
  202. if [ -z "$cmd" ]; then
  203. _usage "Usage: _exists cmd"
  204. return 1
  205. fi
  206. if eval type type >/dev/null 2>&1; then
  207. eval type "$cmd" >/dev/null 2>&1
  208. elif command >/dev/null 2>&1; then
  209. command -v "$cmd" >/dev/null 2>&1
  210. else
  211. which "$cmd" >/dev/null 2>&1
  212. fi
  213. ret="$?"
  214. _debug3 "$cmd exists=$ret"
  215. return $ret
  216. }
  217. #a + b
  218. _math() {
  219. _m_opts="$@"
  220. printf "%s" "$(($_m_opts))"
  221. }
  222. _h_char_2_dec() {
  223. _ch=$1
  224. case "${_ch}" in
  225. a | A)
  226. printf "10"
  227. ;;
  228. b | B)
  229. printf "11"
  230. ;;
  231. c | C)
  232. printf "12"
  233. ;;
  234. d | D)
  235. printf "13"
  236. ;;
  237. e | E)
  238. printf "14"
  239. ;;
  240. f | F)
  241. printf "15"
  242. ;;
  243. *)
  244. printf "%s" "$_ch"
  245. ;;
  246. esac
  247. }
  248. _URGLY_PRINTF=""
  249. if [ "$(printf '\x41')" != 'A' ]; then
  250. _URGLY_PRINTF=1
  251. fi
  252. _h2b() {
  253. hex=$(cat)
  254. i=1
  255. j=2
  256. _debug3 _URGLY_PRINTF "$_URGLY_PRINTF"
  257. while true; do
  258. if [ -z "$_URGLY_PRINTF" ]; then
  259. h="$(printf "%s" "$hex" | cut -c $i-$j)"
  260. if [ -z "$h" ]; then
  261. break
  262. fi
  263. printf "\x$h%s"
  264. else
  265. ic="$(printf "%s" "$hex" | cut -c $i)"
  266. jc="$(printf "%s" "$hex" | cut -c $j)"
  267. if [ -z "$ic$jc" ]; then
  268. break
  269. fi
  270. ic="$(_h_char_2_dec "$ic")"
  271. jc="$(_h_char_2_dec "$jc")"
  272. printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
  273. fi
  274. i="$(_math "$i" + 2)"
  275. j="$(_math "$j" + 2)"
  276. done
  277. }
  278. #hex string
  279. _hex() {
  280. _str="$1"
  281. _str_len=${#_str}
  282. _h_i=1
  283. while [ "$_h_i" -le "$_str_len" ]; do
  284. _str_c="$(printf "%s" "$_str" | cut -c "$_h_i")"
  285. printf "%02x" "'$_str_c"
  286. _h_i="$(_math "$_h_i" + 1)"
  287. done
  288. }
  289. #options file
  290. _sed_i() {
  291. options="$1"
  292. filename="$2"
  293. if [ -z "$filename" ]; then
  294. _usage "Usage:_sed_i options filename"
  295. return 1
  296. fi
  297. _debug2 options "$options"
  298. if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
  299. _debug "Using sed -i"
  300. sed -i "$options" "$filename"
  301. else
  302. _debug "No -i support in sed"
  303. text="$(cat "$filename")"
  304. echo "$text" | sed "$options" >"$filename"
  305. fi
  306. }
  307. _egrep_o() {
  308. if ! egrep -o "$1" 2>/dev/null; then
  309. sed -n 's/.*\('"$1"'\).*/\1/p'
  310. fi
  311. }
  312. #Usage: file startline endline
  313. _getfile() {
  314. filename="$1"
  315. startline="$2"
  316. endline="$3"
  317. if [ -z "$endline" ]; then
  318. _usage "Usage: file startline endline"
  319. return 1
  320. fi
  321. i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
  322. if [ -z "$i" ]; then
  323. _err "Can not find start line: $startline"
  324. return 1
  325. fi
  326. i="$(_math "$i" + 1)"
  327. _debug i "$i"
  328. j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
  329. if [ -z "$j" ]; then
  330. _err "Can not find end line: $endline"
  331. return 1
  332. fi
  333. j="$(_math "$j" - 1)"
  334. _debug j "$j"
  335. sed -n "$i,${j}p" "$filename"
  336. }
  337. #Usage: multiline
  338. _base64() {
  339. if [ "$1" ]; then
  340. $OPENSSL_BIN base64 -e
  341. else
  342. $OPENSSL_BIN base64 -e | tr -d '\r\n'
  343. fi
  344. }
  345. #Usage: multiline
  346. _dbase64() {
  347. if [ "$1" ]; then
  348. $OPENSSL_BIN base64 -d -A
  349. else
  350. $OPENSSL_BIN base64 -d
  351. fi
  352. }
  353. #Usage: hashalg [outputhex]
  354. #Output Base64-encoded digest
  355. _digest() {
  356. alg="$1"
  357. if [ -z "$alg" ]; then
  358. _usage "Usage: _digest hashalg"
  359. return 1
  360. fi
  361. outputhex="$2"
  362. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
  363. if [ "$outputhex" ]; then
  364. $OPENSSL_BIN dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' '
  365. else
  366. $OPENSSL_BIN dgst -"$alg" -binary | _base64
  367. fi
  368. else
  369. _err "$alg is not supported yet"
  370. return 1
  371. fi
  372. }
  373. #Usage: hashalg secret_hex [outputhex]
  374. #Output binary hmac
  375. _hmac() {
  376. alg="$1"
  377. secret_hex="$2"
  378. outputhex="$3"
  379. if [ -z "$secret_hex" ]; then
  380. _usage "Usage: _hmac hashalg secret [outputhex]"
  381. return 1
  382. fi
  383. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
  384. if [ "$outputhex" ]; then
  385. $OPENSSL_BIN dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" | cut -d = -f 2 | tr -d ' '
  386. else
  387. $OPENSSL_BIN dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary
  388. fi
  389. else
  390. _err "$alg is not supported yet"
  391. return 1
  392. fi
  393. }
  394. #Usage: keyfile hashalg
  395. #Output: Base64-encoded signature value
  396. _sign() {
  397. keyfile="$1"
  398. alg="$2"
  399. if [ -z "$alg" ]; then
  400. _usage "Usage: _sign keyfile hashalg"
  401. return 1
  402. fi
  403. _sign_openssl="$OPENSSL_BIN dgst -sign $keyfile "
  404. if [ "$alg" = "sha256" ]; then
  405. _sign_openssl="$_sign_openssl -$alg"
  406. else
  407. _err "$alg is not supported yet"
  408. return 1
  409. fi
  410. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  411. $_sign_openssl | _base64
  412. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  413. if ! _signedECText="$($_sign_openssl | $OPENSSL_BIN asn1parse -inform DER)"; then
  414. _err "Sign failed: $_sign_openssl"
  415. _err "Key file: $keyfile"
  416. _err "Key content:$(wc -l <"$keyfile") lises"
  417. return 1
  418. fi
  419. _debug3 "_signedECText" "$_signedECText"
  420. _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
  421. _debug3 "_ec_r" "$_ec_r"
  422. _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
  423. _debug3 "_ec_s" "$_ec_s"
  424. printf "%s" "$_ec_r$_ec_s" | _h2b | _base64
  425. else
  426. _err "Unknown key file format."
  427. return 1
  428. fi
  429. }
  430. #keylength
  431. _isEccKey() {
  432. _length="$1"
  433. if [ -z "$_length" ]; then
  434. return 1
  435. fi
  436. [ "$_length" != "1024" ] \
  437. && [ "$_length" != "2048" ] \
  438. && [ "$_length" != "3072" ] \
  439. && [ "$_length" != "4096" ] \
  440. && [ "$_length" != "8192" ]
  441. }
  442. # _createkey 2048|ec-256 file
  443. _createkey() {
  444. length="$1"
  445. f="$2"
  446. _debug2 "_createkey for file:$f"
  447. eccname="$length"
  448. if _startswith "$length" "ec-"; then
  449. length=$(printf "%s" "$length" | cut -d '-' -f 2-100)
  450. if [ "$length" = "256" ]; then
  451. eccname="prime256v1"
  452. fi
  453. if [ "$length" = "384" ]; then
  454. eccname="secp384r1"
  455. fi
  456. if [ "$length" = "521" ]; then
  457. eccname="secp521r1"
  458. fi
  459. fi
  460. if [ -z "$length" ]; then
  461. length=2048
  462. fi
  463. _debug "Use length $length"
  464. if _isEccKey "$length"; then
  465. _debug "Using ec name: $eccname"
  466. $OPENSSL_BIN ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
  467. else
  468. _debug "Using RSA: $length"
  469. $OPENSSL_BIN genrsa "$length" 2>/dev/null >"$f"
  470. fi
  471. if [ "$?" != "0" ]; then
  472. _err "Create key error."
  473. return 1
  474. fi
  475. }
  476. #domain
  477. _is_idn() {
  478. _is_idn_d="$1"
  479. _debug2 _is_idn_d "$_is_idn_d"
  480. _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '[0-9]' | tr -d '[a-z]' | tr -d '[A-Z]' | tr -d '.,-')
  481. _debug2 _idn_temp "$_idn_temp"
  482. [ "$_idn_temp" ]
  483. }
  484. #aa.com
  485. #aa.com,bb.com,cc.com
  486. _idn() {
  487. __idn_d="$1"
  488. if ! _is_idn "$__idn_d"; then
  489. printf "%s" "$__idn_d"
  490. return 0
  491. fi
  492. if _exists idn; then
  493. if _contains "$__idn_d" ','; then
  494. _i_first="1"
  495. for f in $(echo "$__idn_d" | tr ',' ' '); do
  496. [ -z "$f" ] && continue
  497. if [ -z "$_i_first" ]; then
  498. printf "%s" ","
  499. else
  500. _i_first=""
  501. fi
  502. idn --quiet "$f" | tr -d "\r\n"
  503. done
  504. else
  505. idn "$__idn_d" | tr -d "\r\n"
  506. fi
  507. else
  508. _err "Please install idn to process IDN names."
  509. fi
  510. }
  511. #_createcsr cn san_list keyfile csrfile conf
  512. _createcsr() {
  513. _debug _createcsr
  514. domain="$1"
  515. domainlist="$2"
  516. csrkey="$3"
  517. csr="$4"
  518. csrconf="$5"
  519. _debug2 domain "$domain"
  520. _debug2 domainlist "$domainlist"
  521. _debug2 csrkey "$csrkey"
  522. _debug2 csr "$csr"
  523. _debug2 csrconf "$csrconf"
  524. printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
  525. if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
  526. #single domain
  527. _info "Single domain" "$domain"
  528. else
  529. domainlist="$(_idn "$domainlist")"
  530. _debug2 domainlist "$domainlist"
  531. if _contains "$domainlist" ","; then
  532. alt="DNS:$(echo "$domainlist" | sed "s/,/,DNS:/g")"
  533. else
  534. alt="DNS:$domainlist"
  535. fi
  536. #multi
  537. _info "Multi domain" "$alt"
  538. printf -- "\nsubjectAltName=$alt" >>"$csrconf"
  539. fi
  540. if [ "$Le_OCSP_Stable" ]; then
  541. _savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable"
  542. printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
  543. fi
  544. _csr_cn="$(_idn "$domain")"
  545. _debug2 _csr_cn "$_csr_cn"
  546. $OPENSSL_BIN req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
  547. }
  548. #_signcsr key csr conf cert
  549. _signcsr() {
  550. key="$1"
  551. csr="$2"
  552. conf="$3"
  553. cert="$4"
  554. _debug "_signcsr"
  555. _msg="$($OPENSSL_BIN x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
  556. _ret="$?"
  557. _debug "$_msg"
  558. return $_ret
  559. }
  560. #_csrfile
  561. _readSubjectFromCSR() {
  562. _csrfile="$1"
  563. if [ -z "$_csrfile" ]; then
  564. _usage "_readSubjectFromCSR mycsr.csr"
  565. return 1
  566. fi
  567. $OPENSSL_BIN req -noout -in "$_csrfile" -subject | _egrep_o "CN=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
  568. }
  569. #_csrfile
  570. #echo comma separated domain list
  571. _readSubjectAltNamesFromCSR() {
  572. _csrfile="$1"
  573. if [ -z "$_csrfile" ]; then
  574. _usage "_readSubjectAltNamesFromCSR mycsr.csr"
  575. return 1
  576. fi
  577. _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  578. _debug _csrsubj "$_csrsubj"
  579. _dnsAltnames="$($OPENSSL_BIN req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  580. _debug _dnsAltnames "$_dnsAltnames"
  581. if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
  582. _debug "AltNames contains subject"
  583. _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
  584. else
  585. _debug "AltNames doesn't contain subject"
  586. fi
  587. printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
  588. }
  589. #_csrfile
  590. _readKeyLengthFromCSR() {
  591. _csrfile="$1"
  592. if [ -z "$_csrfile" ]; then
  593. _usage "_readKeyLengthFromCSR mycsr.csr"
  594. return 1
  595. fi
  596. _outcsr="$($OPENSSL_BIN req -noout -text -in "$_csrfile")"
  597. if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then
  598. _debug "ECC CSR"
  599. echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
  600. else
  601. _debug "RSA CSR"
  602. echo "$_outcsr" | _egrep_o "^ *Public-Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
  603. fi
  604. }
  605. _ss() {
  606. _port="$1"
  607. if _exists "ss"; then
  608. _debug "Using: ss"
  609. ss -ntpl | grep ":$_port "
  610. return 0
  611. fi
  612. if _exists "netstat"; then
  613. _debug "Using: netstat"
  614. if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
  615. #for windows version netstat tool
  616. netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
  617. else
  618. if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then
  619. netstat -an -p tcp | grep LISTEN | grep ":$_port "
  620. elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then
  621. #for solaris
  622. netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
  623. else
  624. netstat -ntpl | grep ":$_port "
  625. fi
  626. fi
  627. return 0
  628. fi
  629. return 1
  630. }
  631. #domain [password] [isEcc]
  632. toPkcs() {
  633. domain="$1"
  634. pfxPassword="$2"
  635. if [ -z "$domain" ]; then
  636. _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
  637. return 1
  638. fi
  639. _isEcc="$3"
  640. _initpath "$domain" "$_isEcc"
  641. if [ "$pfxPassword" ]; then
  642. $OPENSSL_BIN pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
  643. else
  644. $OPENSSL_BIN pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
  645. fi
  646. if [ "$?" = "0" ]; then
  647. _info "Success, Pfx is exported to: $CERT_PFX_PATH"
  648. fi
  649. }
  650. #[2048]
  651. createAccountKey() {
  652. _info "Creating account key"
  653. if [ -z "$1" ]; then
  654. _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
  655. return
  656. fi
  657. length=$1
  658. _create_account_key "$length"
  659. }
  660. _create_account_key() {
  661. length=$1
  662. if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ]; then
  663. _debug "Use default length $DEFAULT_ACCOUNT_KEY_LENGTH"
  664. length="$DEFAULT_ACCOUNT_KEY_LENGTH"
  665. fi
  666. _debug length "$length"
  667. _initpath
  668. mkdir -p "$CA_DIR"
  669. if [ -f "$ACCOUNT_KEY_PATH" ]; then
  670. _info "Account key exists, skip"
  671. return
  672. else
  673. #generate account key
  674. _createkey "$length" "$ACCOUNT_KEY_PATH"
  675. fi
  676. }
  677. #domain [length]
  678. createDomainKey() {
  679. _info "Creating domain key"
  680. if [ -z "$1" ]; then
  681. _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
  682. return
  683. fi
  684. domain=$1
  685. length=$2
  686. if [ -z "$length" ]; then
  687. _debug "Use DEFAULT_DOMAIN_KEY_LENGTH=$DEFAULT_DOMAIN_KEY_LENGTH"
  688. length="$DEFAULT_DOMAIN_KEY_LENGTH"
  689. fi
  690. _initpath "$domain" "$length"
  691. if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]); then
  692. _createkey "$length" "$CERT_KEY_PATH"
  693. else
  694. if [ "$IS_RENEW" ]; then
  695. _info "Domain key exists, skip"
  696. return 0
  697. else
  698. _err "Domain key exists, do you want to overwrite the key?"
  699. _err "Add '--force', and try again."
  700. return 1
  701. fi
  702. fi
  703. }
  704. # domain domainlist isEcc
  705. createCSR() {
  706. _info "Creating csr"
  707. if [ -z "$1" ]; then
  708. _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
  709. return
  710. fi
  711. domain="$1"
  712. domainlist="$2"
  713. _isEcc="$3"
  714. _initpath "$domain" "$_isEcc"
  715. if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
  716. _info "CSR exists, skip"
  717. return
  718. fi
  719. if [ ! -f "$CERT_KEY_PATH" ]; then
  720. _err "The key file is not found: $CERT_KEY_PATH"
  721. _err "Please create the key file first."
  722. return 1
  723. fi
  724. _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
  725. }
  726. _urlencode() {
  727. tr '/+' '_-' | tr -d '= '
  728. }
  729. _time2str() {
  730. #BSD
  731. if date -u -d@"$1" 2>/dev/null; then
  732. return
  733. fi
  734. #Linux
  735. if date -u -r "$1" 2>/dev/null; then
  736. return
  737. fi
  738. #Soaris
  739. if _exists adb; then
  740. _t_s_a=$(echo "0t${1}=Y" | adb)
  741. echo "$_t_s_a"
  742. fi
  743. }
  744. _normalizeJson() {
  745. sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
  746. }
  747. _stat() {
  748. #Linux
  749. if stat -c '%U:%G' "$1" 2>/dev/null; then
  750. return
  751. fi
  752. #BSD
  753. if stat -f '%Su:%Sg' "$1" 2>/dev/null; then
  754. return
  755. fi
  756. return 1 #error, 'stat' not found
  757. }
  758. #keyfile
  759. _calcjwk() {
  760. keyfile="$1"
  761. if [ -z "$keyfile" ]; then
  762. _usage "Usage: _calcjwk keyfile"
  763. return 1
  764. fi
  765. if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ]; then
  766. _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE"
  767. return 0
  768. fi
  769. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  770. _debug "RSA key"
  771. pub_exp=$($OPENSSL_BIN rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
  772. if [ "${#pub_exp}" = "5" ]; then
  773. pub_exp=0$pub_exp
  774. fi
  775. _debug3 pub_exp "$pub_exp"
  776. e=$(echo "$pub_exp" | _h2b | _base64)
  777. _debug3 e "$e"
  778. modulus=$($OPENSSL_BIN rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2)
  779. _debug3 modulus "$modulus"
  780. n="$(printf "%s" "$modulus" | _h2b | _base64 | _urlencode)"
  781. jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
  782. _debug3 jwk "$jwk"
  783. JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}'
  784. JWK_HEADERPLACE_PART1='{"nonce": "'
  785. JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
  786. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  787. _debug "EC key"
  788. crv="$($OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
  789. _debug3 crv "$crv"
  790. if [ -z "$crv" ]; then
  791. _debug "Let's try ASN1 OID"
  792. crv_oid="$($OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")"
  793. _debug3 crv_oid "$crv_oid"
  794. case "${crv_oid}" in
  795. "prime256v1")
  796. crv="P-256"
  797. ;;
  798. "secp384r1")
  799. crv="P-384"
  800. ;;
  801. "secp521r1")
  802. crv="P-521"
  803. ;;
  804. *)
  805. _err "ECC oid : $crv_oid"
  806. return 1
  807. ;;
  808. esac
  809. _debug3 crv "$crv"
  810. fi
  811. pubi="$($OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
  812. pubi=$(_math "$pubi" + 1)
  813. _debug3 pubi "$pubi"
  814. pubj="$($OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
  815. pubj=$(_math "$pubj" - 1)
  816. _debug3 pubj "$pubj"
  817. pubtext="$($OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
  818. _debug3 pubtext "$pubtext"
  819. xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)"
  820. xlen=$(_math "$xlen" / 4)
  821. _debug3 xlen "$xlen"
  822. xend=$(_math "$xlen" + 1)
  823. x="$(printf "%s" "$pubtext" | cut -d : -f 2-"$xend")"
  824. _debug3 x "$x"
  825. x64="$(printf "%s" "$x" | tr -d : | _h2b | _base64 | _urlencode)"
  826. _debug3 x64 "$x64"
  827. xend=$(_math "$xend" + 1)
  828. y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)"
  829. _debug3 y "$y"
  830. y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _urlencode)"
  831. _debug3 y64 "$y64"
  832. jwk='{"crv": "'$crv'", "kty": "EC", "x": "'$x64'", "y": "'$y64'"}'
  833. _debug3 jwk "$jwk"
  834. JWK_HEADER='{"alg": "ES256", "jwk": '$jwk'}'
  835. JWK_HEADERPLACE_PART1='{"nonce": "'
  836. JWK_HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}'
  837. else
  838. _err "Only RSA or EC key is supported."
  839. return 1
  840. fi
  841. _debug3 JWK_HEADER "$JWK_HEADER"
  842. __CACHED_JWK_KEY_FILE="$keyfile"
  843. }
  844. _time() {
  845. date -u "+%s"
  846. }
  847. _mktemp() {
  848. if _exists mktemp; then
  849. if mktemp 2>/dev/null; then
  850. return 0
  851. elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null; then
  852. #for Mac osx
  853. return 0
  854. fi
  855. fi
  856. if [ -d "/tmp" ]; then
  857. echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
  858. return 0
  859. elif [ "$LE_TEMP_DIR" ] && mkdir -p "$LE_TEMP_DIR"; then
  860. echo "/$LE_TEMP_DIR/wefADf24sf.$(_time).tmp"
  861. return 0
  862. fi
  863. _err "Can not create temp file."
  864. }
  865. _inithttp() {
  866. if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then
  867. HTTP_HEADER="$(_mktemp)"
  868. _debug2 HTTP_HEADER "$HTTP_HEADER"
  869. fi
  870. if [ "$__HTTP_INITIALIZED" ]; then
  871. if [ "$_ACME_CURL$_ACME_WGET" ]; then
  872. _debug2 "Http already initialized."
  873. return 0
  874. fi
  875. fi
  876. if [ -z "$_ACME_CURL" ] && _exists "curl"; then
  877. _ACME_CURL="curl -L --silent --dump-header $HTTP_HEADER "
  878. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  879. _CURL_DUMP="$(_mktemp)"
  880. _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
  881. fi
  882. if [ "$CA_BUNDLE" ]; then
  883. _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
  884. fi
  885. fi
  886. if [ -z "$_ACME_WGET" ] && _exists "wget"; then
  887. _ACME_WGET="wget -q"
  888. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  889. _ACME_WGET="$_ACME_WGET -d "
  890. fi
  891. if [ "$CA_BUNDLE" ]; then
  892. _ACME_WGET="$_ACME_WGET --ca-certificate $CA_BUNDLE "
  893. fi
  894. fi
  895. __HTTP_INITIALIZED=1
  896. }
  897. # body url [needbase64] [POST|PUT]
  898. _post() {
  899. body="$1"
  900. url="$2"
  901. needbase64="$3"
  902. httpmethod="$4"
  903. if [ -z "$httpmethod" ]; then
  904. httpmethod="POST"
  905. fi
  906. _debug $httpmethod
  907. _debug "url" "$url"
  908. _debug2 "body" "$body"
  909. _inithttp
  910. if [ "$_ACME_CURL" ]; then
  911. _CURL="$_ACME_CURL"
  912. if [ "$HTTPS_INSECURE" ]; then
  913. _CURL="$_CURL --insecure "
  914. fi
  915. _debug "_CURL" "$_CURL"
  916. if [ "$needbase64" ]; then
  917. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
  918. else
  919. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url")"
  920. fi
  921. _ret="$?"
  922. if [ "$_ret" != "0" ]; then
  923. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
  924. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  925. _err "Here is the curl dump log:"
  926. _err "$(cat "$_CURL_DUMP")"
  927. fi
  928. fi
  929. elif [ "$_ACME_WGET" ]; then
  930. _WGET="$_ACME_WGET"
  931. if [ "$HTTPS_INSECURE" ]; then
  932. _WGET="$_WGET --no-check-certificate "
  933. fi
  934. _debug "_WGET" "$_WGET"
  935. if [ "$needbase64" ]; then
  936. if [ "$httpmethod" = "POST" ]; then
  937. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  938. else
  939. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  940. fi
  941. else
  942. if [ "$httpmethod" = "POST" ]; then
  943. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
  944. else
  945. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
  946. fi
  947. fi
  948. _ret="$?"
  949. if [ "$_ret" = "8" ]; then
  950. _ret=0
  951. _debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
  952. fi
  953. if [ "$_ret" != "0" ]; then
  954. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
  955. fi
  956. _sed_i "s/^ *//g" "$HTTP_HEADER"
  957. else
  958. _ret="$?"
  959. _err "Neither curl nor wget is found, can not do $httpmethod."
  960. fi
  961. _debug "_ret" "$_ret"
  962. printf "%s" "$response"
  963. return $_ret
  964. }
  965. # url getheader timeout
  966. _get() {
  967. _debug GET
  968. url="$1"
  969. onlyheader="$2"
  970. t="$3"
  971. _debug url "$url"
  972. _debug "timeout" "$t"
  973. _inithttp
  974. if [ "$_ACME_CURL" ]; then
  975. _CURL="$_ACME_CURL"
  976. if [ "$HTTPS_INSECURE" ]; then
  977. _CURL="$_CURL --insecure "
  978. fi
  979. if [ "$t" ]; then
  980. _CURL="$_CURL --connect-timeout $t"
  981. fi
  982. _debug "_CURL" "$_CURL"
  983. if [ "$onlyheader" ]; then
  984. $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
  985. else
  986. $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
  987. fi
  988. ret=$?
  989. if [ "$ret" != "0" ]; then
  990. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
  991. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  992. _err "Here is the curl dump log:"
  993. _err "$(cat "$_CURL_DUMP")"
  994. fi
  995. fi
  996. elif [ "$_ACME_WGET" ]; then
  997. _WGET="$_ACME_WGET"
  998. if [ "$HTTPS_INSECURE" ]; then
  999. _WGET="$_WGET --no-check-certificate "
  1000. fi
  1001. if [ "$t" ]; then
  1002. _WGET="$_WGET --timeout=$t"
  1003. fi
  1004. _debug "_WGET" "$_WGET"
  1005. if [ "$onlyheader" ]; then
  1006. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1 | sed 's/^[ ]*//g'
  1007. else
  1008. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - "$url"
  1009. fi
  1010. ret=$?
  1011. if [ "$_ret" = "8" ]; then
  1012. _ret=0
  1013. _debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
  1014. fi
  1015. if [ "$ret" != "0" ]; then
  1016. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
  1017. fi
  1018. else
  1019. ret=$?
  1020. _err "Neither curl nor wget is found, can not do GET."
  1021. fi
  1022. _debug "ret" "$ret"
  1023. return $ret
  1024. }
  1025. _head_n() {
  1026. head -n "$1"
  1027. }
  1028. _tail_n() {
  1029. if ! tail -n "$1" 2>/dev/null; then
  1030. #fix for solaris
  1031. tail -"$1"
  1032. fi
  1033. }
  1034. # url payload needbase64 keyfile
  1035. _send_signed_request() {
  1036. url=$1
  1037. payload=$2
  1038. needbase64=$3
  1039. keyfile=$4
  1040. if [ -z "$keyfile" ]; then
  1041. keyfile="$ACCOUNT_KEY_PATH"
  1042. fi
  1043. _debug url "$url"
  1044. _debug payload "$payload"
  1045. if ! _calcjwk "$keyfile"; then
  1046. return 1
  1047. fi
  1048. payload64=$(printf "%s" "$payload" | _base64 | _urlencode)
  1049. _debug3 payload64 "$payload64"
  1050. if [ -z "$_CACHED_NONCE" ]; then
  1051. _debug2 "Get nonce."
  1052. nonceurl="$API/directory"
  1053. _headers="$(_get "$nonceurl" "onlyheader")"
  1054. if [ "$?" != "0" ]; then
  1055. _err "Can not connect to $nonceurl to get nonce."
  1056. return 1
  1057. fi
  1058. _debug2 _headers "$_headers"
  1059. _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  1060. _debug2 _CACHED_NONCE "$_CACHED_NONCE"
  1061. else
  1062. _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
  1063. fi
  1064. nonce="$_CACHED_NONCE"
  1065. _debug2 nonce "$nonce"
  1066. protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
  1067. _debug3 protected "$protected"
  1068. protected64="$(printf "%s" "$protected" | _base64 | _urlencode)"
  1069. _debug3 protected64 "$protected64"
  1070. if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
  1071. _err "Sign request failed."
  1072. return 1
  1073. fi
  1074. _debug3 _sig_t "$_sig_t"
  1075. sig="$(printf "%s" "$_sig_t" | _urlencode)"
  1076. _debug3 sig "$sig"
  1077. body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
  1078. _debug3 body "$body"
  1079. response="$(_post "$body" "$url" "$needbase64")"
  1080. _CACHED_NONCE=""
  1081. if [ "$?" != "0" ]; then
  1082. _err "Can not post to $url"
  1083. return 1
  1084. fi
  1085. _debug2 original "$response"
  1086. response="$(echo "$response" | _normalizeJson)"
  1087. responseHeaders="$(cat "$HTTP_HEADER")"
  1088. _debug2 responseHeaders "$responseHeaders"
  1089. _debug2 response "$response"
  1090. code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
  1091. _debug code "$code"
  1092. _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  1093. }
  1094. #setopt "file" "opt" "=" "value" [";"]
  1095. _setopt() {
  1096. __conf="$1"
  1097. __opt="$2"
  1098. __sep="$3"
  1099. __val="$4"
  1100. __end="$5"
  1101. if [ -z "$__opt" ]; then
  1102. _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
  1103. return
  1104. fi
  1105. if [ ! -f "$__conf" ]; then
  1106. touch "$__conf"
  1107. fi
  1108. if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then
  1109. _debug3 OK
  1110. if _contains "$__val" "&"; then
  1111. __val="$(echo "$__val" | sed 's/&/\\&/g')"
  1112. fi
  1113. text="$(cat "$__conf")"
  1114. echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
  1115. elif grep -n "^#$__opt$__sep" "$__conf" >/dev/null; then
  1116. if _contains "$__val" "&"; then
  1117. __val="$(echo "$__val" | sed 's/&/\\&/g')"
  1118. fi
  1119. text="$(cat "$__conf")"
  1120. echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
  1121. else
  1122. _debug3 APP
  1123. echo "$__opt$__sep$__val$__end" >>"$__conf"
  1124. fi
  1125. _debug2 "$(grep -n "^$__opt$__sep" "$__conf")"
  1126. }
  1127. #_save_conf file key value
  1128. #save to conf
  1129. _save_conf() {
  1130. _s_c_f="$1"
  1131. _sdkey="$2"
  1132. _sdvalue="$3"
  1133. if [ "$_s_c_f" ]; then
  1134. _setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'"
  1135. else
  1136. _err "config file is empty, can not save $_sdkey=$_sdvalue"
  1137. fi
  1138. }
  1139. #_clear_conf file key
  1140. _clear_conf() {
  1141. _c_c_f="$1"
  1142. _sdkey="$2"
  1143. if [ "$_c_c_f" ]; then
  1144. _conf_data="$(cat "$_c_c_f")"
  1145. echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f"
  1146. else
  1147. _err "config file is empty, can not clear"
  1148. fi
  1149. }
  1150. #_read_conf file key
  1151. _read_conf() {
  1152. _r_c_f="$1"
  1153. _sdkey="$2"
  1154. if [ -f "$_r_c_f" ]; then
  1155. (
  1156. eval "$(grep "^$_sdkey *=" "$_r_c_f")"
  1157. eval "printf \"%s\" \"\$$_sdkey\""
  1158. )
  1159. else
  1160. _debug "config file is empty, can not read $_sdkey"
  1161. fi
  1162. }
  1163. #_savedomainconf key value
  1164. #save to domain.conf
  1165. _savedomainconf() {
  1166. _save_conf "$DOMAIN_CONF" "$1" "$2"
  1167. }
  1168. #_cleardomainconf key
  1169. _cleardomainconf() {
  1170. _clear_conf "$DOMAIN_CONF" "$1"
  1171. }
  1172. #_readdomainconf key
  1173. _readdomainconf() {
  1174. _read_conf "$DOMAIN_CONF" "$1"
  1175. }
  1176. #_saveaccountconf key value
  1177. _saveaccountconf() {
  1178. _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2"
  1179. }
  1180. #_clearaccountconf key
  1181. _clearaccountconf() {
  1182. _clear_conf "$ACCOUNT_CONF_PATH" "$1"
  1183. }
  1184. #_savecaconf key value
  1185. _savecaconf() {
  1186. _save_conf "$CA_CONF" "$1" "$2"
  1187. }
  1188. #_readcaconf key
  1189. _readcaconf() {
  1190. _read_conf "$CA_CONF" "$1"
  1191. }
  1192. #_clearaccountconf key
  1193. _clearcaconf() {
  1194. _clear_conf "$CA_CONF" "$1"
  1195. }
  1196. # content localaddress
  1197. _startserver() {
  1198. content="$1"
  1199. ncaddr="$2"
  1200. _debug "ncaddr" "$ncaddr"
  1201. _debug "startserver: $$"
  1202. nchelp="$(nc -h 2>&1)"
  1203. _debug Le_HTTPPort "$Le_HTTPPort"
  1204. _debug Le_Listen_V4 "$Le_Listen_V4"
  1205. _debug Le_Listen_V6 "$Le_Listen_V6"
  1206. _NC="nc"
  1207. if [ "$Le_Listen_V4" ]; then
  1208. _NC="$_NC -4"
  1209. elif [ "$Le_Listen_V6" ]; then
  1210. _NC="$_NC -6"
  1211. fi
  1212. if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
  1213. _NC="$_NC -q 1 -l $ncaddr"
  1214. else
  1215. if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
  1216. _NC="$_NC -c -l $ncaddr"
  1217. elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
  1218. _NC="$_NC -N -l $ncaddr"
  1219. else
  1220. _NC="$_NC -l $ncaddr"
  1221. fi
  1222. fi
  1223. _debug "_NC" "$_NC"
  1224. #for centos ncat
  1225. if _contains "$nchelp" "nmap.org"; then
  1226. _debug "Using ncat: nmap.org"
  1227. if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"; then
  1228. _exec_err
  1229. return 1
  1230. fi
  1231. if [ "$DEBUG" ]; then
  1232. _exec_err
  1233. fi
  1234. return
  1235. fi
  1236. # while true ; do
  1237. if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC -p \"$Le_HTTPPort\" >&2"; then
  1238. _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"
  1239. fi
  1240. if [ "$?" != "0" ]; then
  1241. _err "nc listen error."
  1242. _exec_err
  1243. exit 1
  1244. fi
  1245. if [ "$DEBUG" ]; then
  1246. _exec_err
  1247. fi
  1248. # done
  1249. }
  1250. _stopserver() {
  1251. pid="$1"
  1252. _debug "pid" "$pid"
  1253. if [ -z "$pid" ]; then
  1254. return
  1255. fi
  1256. _debug2 "Le_HTTPPort" "$Le_HTTPPort"
  1257. if [ "$Le_HTTPPort" ]; then
  1258. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
  1259. _get "http://localhost:$Le_HTTPPort" "" 1
  1260. else
  1261. _get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
  1262. fi
  1263. fi
  1264. _debug2 "Le_TLSPort" "$Le_TLSPort"
  1265. if [ "$Le_TLSPort" ]; then
  1266. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
  1267. _get "https://localhost:$Le_TLSPort" "" 1
  1268. _get "https://localhost:$Le_TLSPort" "" 1
  1269. else
  1270. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1271. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1272. fi
  1273. fi
  1274. }
  1275. # sleep sec
  1276. _sleep() {
  1277. _sleep_sec="$1"
  1278. if [ "$__INTERACTIVE" ]; then
  1279. _sleep_c="$_sleep_sec"
  1280. while [ "$_sleep_c" -ge "0" ]; do
  1281. printf "\r \r"
  1282. __green "$_sleep_c"
  1283. _sleep_c="$(_math "$_sleep_c" - 1)"
  1284. sleep 1
  1285. done
  1286. printf "\r"
  1287. else
  1288. sleep "$_sleep_sec"
  1289. fi
  1290. }
  1291. # _starttlsserver san_a san_b port content _ncaddr
  1292. _starttlsserver() {
  1293. _info "Starting tls server."
  1294. san_a="$1"
  1295. san_b="$2"
  1296. port="$3"
  1297. content="$4"
  1298. opaddr="$5"
  1299. _debug san_a "$san_a"
  1300. _debug san_b "$san_b"
  1301. _debug port "$port"
  1302. #create key TLS_KEY
  1303. if ! _createkey "2048" "$TLS_KEY"; then
  1304. _err "Create tls validation key error."
  1305. return 1
  1306. fi
  1307. #create csr
  1308. alt="$san_a"
  1309. if [ "$san_b" ]; then
  1310. alt="$alt,$san_b"
  1311. fi
  1312. if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
  1313. _err "Create tls validation csr error."
  1314. return 1
  1315. fi
  1316. #self signed
  1317. if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT"; then
  1318. _err "Create tls validation cert error."
  1319. return 1
  1320. fi
  1321. __S_OPENSSL="$OPENSSL_BIN s_server -cert $TLS_CERT -key $TLS_KEY "
  1322. if [ "$opaddr" ]; then
  1323. __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
  1324. else
  1325. __S_OPENSSL="$__S_OPENSSL -accept $port"
  1326. fi
  1327. _debug Le_Listen_V4 "$Le_Listen_V4"
  1328. _debug Le_Listen_V6 "$Le_Listen_V6"
  1329. if [ "$Le_Listen_V4" ]; then
  1330. __S_OPENSSL="$__S_OPENSSL -4"
  1331. elif [ "$Le_Listen_V6" ]; then
  1332. __S_OPENSSL="$__S_OPENSSL -6"
  1333. fi
  1334. _debug "$__S_OPENSSL"
  1335. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1336. (printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
  1337. else
  1338. (printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
  1339. fi
  1340. serverproc="$!"
  1341. sleep 1
  1342. _debug serverproc "$serverproc"
  1343. }
  1344. #file
  1345. _readlink() {
  1346. _rf="$1"
  1347. if ! readlink -f "$_rf" 2>/dev/null; then
  1348. if _startswith "$_rf" "\./$PROJECT_ENTRY"; then
  1349. printf -- "%s" "$(pwd)/$PROJECT_ENTRY"
  1350. return 0
  1351. fi
  1352. readlink "$_rf"
  1353. fi
  1354. }
  1355. __initHome() {
  1356. if [ -z "$_SCRIPT_HOME" ]; then
  1357. if _exists readlink && _exists dirname; then
  1358. _debug "Lets find script dir."
  1359. _debug "_SCRIPT_" "$_SCRIPT_"
  1360. _script="$(_readlink "$_SCRIPT_")"
  1361. _debug "_script" "$_script"
  1362. _script_home="$(dirname "$_script")"
  1363. _debug "_script_home" "$_script_home"
  1364. if [ -d "$_script_home" ]; then
  1365. _SCRIPT_HOME="$_script_home"
  1366. else
  1367. _err "It seems the script home is not correct:$_script_home"
  1368. fi
  1369. fi
  1370. fi
  1371. # if [ -z "$LE_WORKING_DIR" ]; then
  1372. # if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ]; then
  1373. # _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
  1374. # LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1375. # else
  1376. # LE_WORKING_DIR="$_SCRIPT_HOME"
  1377. # fi
  1378. # fi
  1379. if [ -z "$LE_WORKING_DIR" ]; then
  1380. _debug "Using default home:$DEFAULT_INSTALL_HOME"
  1381. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1382. fi
  1383. export LE_WORKING_DIR
  1384. _DEFAULT_ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf"
  1385. if [ -z "$ACCOUNT_CONF_PATH" ]; then
  1386. if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ]; then
  1387. . "$_DEFAULT_ACCOUNT_CONF_PATH"
  1388. fi
  1389. fi
  1390. if [ -z "$ACCOUNT_CONF_PATH" ]; then
  1391. ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
  1392. fi
  1393. DEFAULT_LOG_FILE="$LE_WORKING_DIR/$PROJECT_NAME.log"
  1394. DEFAULT_CA_HOME="$LE_WORKING_DIR/ca"
  1395. if [ -z "$LE_TEMP_DIR" ]; then
  1396. LE_TEMP_DIR="$LE_WORKING_DIR/tmp"
  1397. fi
  1398. }
  1399. #[domain] [keylength]
  1400. _initpath() {
  1401. __initHome
  1402. if [ -f "$ACCOUNT_CONF_PATH" ]; then
  1403. . "$ACCOUNT_CONF_PATH"
  1404. fi
  1405. if [ "$IN_CRON" ]; then
  1406. if [ ! "$_USER_PATH_EXPORTED" ]; then
  1407. _USER_PATH_EXPORTED=1
  1408. export PATH="$USER_PATH:$PATH"
  1409. fi
  1410. fi
  1411. if [ -z "$CA_HOME" ]; then
  1412. CA_HOME="$DEFAULT_CA_HOME"
  1413. fi
  1414. if [ -z "$API" ]; then
  1415. if [ -z "$STAGE" ]; then
  1416. API="$DEFAULT_CA"
  1417. else
  1418. API="$STAGE_CA"
  1419. _info "Using stage api:$API"
  1420. fi
  1421. fi
  1422. _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
  1423. CA_DIR="$CA_HOME/$_API_HOST"
  1424. _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
  1425. if [ -z "$CA_CONF" ]; then
  1426. CA_CONF="$_DEFAULT_CA_CONF"
  1427. fi
  1428. _debug3 CA_CONF "$CA_CONF"
  1429. if [ -f "$CA_CONF" ]; then
  1430. . "$CA_CONF"
  1431. fi
  1432. if [ -z "$ACME_DIR" ]; then
  1433. ACME_DIR="/home/.acme"
  1434. fi
  1435. if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then
  1436. APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR"
  1437. fi
  1438. if [ -z "$USER_AGENT" ]; then
  1439. USER_AGENT="$DEFAULT_USER_AGENT"
  1440. fi
  1441. if [ -z "$HTTP_HEADER" ]; then
  1442. HTTP_HEADER="$LE_WORKING_DIR/http.header"
  1443. fi
  1444. _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
  1445. _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
  1446. _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  1447. _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  1448. if [ -z "$ACCOUNT_KEY_PATH" ]; then
  1449. ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  1450. fi
  1451. if [ -z "$ACCOUNT_JSON_PATH" ]; then
  1452. ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
  1453. fi
  1454. _DEFAULT_CERT_HOME="$LE_WORKING_DIR"
  1455. if [ -z "$CERT_HOME" ]; then
  1456. CERT_HOME="$_DEFAULT_CERT_HOME"
  1457. fi
  1458. if [ -z "$OPENSSL_BIN" ]; then
  1459. OPENSSL_BIN="$DEFAULT_OPENSSL_BIN"
  1460. fi
  1461. if [ -z "$1" ]; then
  1462. return 0
  1463. fi
  1464. domain="$1"
  1465. _ilength="$2"
  1466. if [ -z "$DOMAIN_PATH" ]; then
  1467. domainhome="$CERT_HOME/$domain"
  1468. domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
  1469. DOMAIN_PATH="$domainhome"
  1470. if _isEccKey "$_ilength"; then
  1471. DOMAIN_PATH="$domainhomeecc"
  1472. else
  1473. if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then
  1474. _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
  1475. fi
  1476. fi
  1477. _debug DOMAIN_PATH "$DOMAIN_PATH"
  1478. fi
  1479. if [ -z "$DOMAIN_CONF" ]; then
  1480. DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
  1481. fi
  1482. if [ -z "$DOMAIN_SSL_CONF" ]; then
  1483. DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
  1484. fi
  1485. if [ -z "$CSR_PATH" ]; then
  1486. CSR_PATH="$DOMAIN_PATH/$domain.csr"
  1487. fi
  1488. if [ -z "$CERT_KEY_PATH" ]; then
  1489. CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
  1490. fi
  1491. if [ -z "$CERT_PATH" ]; then
  1492. CERT_PATH="$DOMAIN_PATH/$domain.cer"
  1493. fi
  1494. if [ -z "$CA_CERT_PATH" ]; then
  1495. CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
  1496. fi
  1497. if [ -z "$CERT_FULLCHAIN_PATH" ]; then
  1498. CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
  1499. fi
  1500. if [ -z "$CERT_PFX_PATH" ]; then
  1501. CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
  1502. fi
  1503. if [ -z "$TLS_CONF" ]; then
  1504. TLS_CONF="$DOMAIN_PATH/tls.valdation.conf"
  1505. fi
  1506. if [ -z "$TLS_CERT" ]; then
  1507. TLS_CERT="$DOMAIN_PATH/tls.valdation.cert"
  1508. fi
  1509. if [ -z "$TLS_KEY" ]; then
  1510. TLS_KEY="$DOMAIN_PATH/tls.valdation.key"
  1511. fi
  1512. if [ -z "$TLS_CSR" ]; then
  1513. TLS_CSR="$DOMAIN_PATH/tls.valdation.csr"
  1514. fi
  1515. }
  1516. _exec() {
  1517. if [ -z "$_EXEC_TEMP_ERR" ]; then
  1518. _EXEC_TEMP_ERR="$(_mktemp)"
  1519. fi
  1520. if [ "$_EXEC_TEMP_ERR" ]; then
  1521. eval "$@ 2>>$_EXEC_TEMP_ERR"
  1522. else
  1523. eval "$@"
  1524. fi
  1525. }
  1526. _exec_err() {
  1527. [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
  1528. }
  1529. _apachePath() {
  1530. _APACHECTL="apachectl"
  1531. if ! _exists apachectl; then
  1532. if _exists apache2ctl; then
  1533. _APACHECTL="apache2ctl"
  1534. else
  1535. _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
  1536. _err "Please use webroot mode to try again."
  1537. return 1
  1538. fi
  1539. fi
  1540. if ! _exec $_APACHECTL -V >/dev/null; then
  1541. _exec_err
  1542. return 1
  1543. fi
  1544. if [ "$APACHE_HTTPD_CONF" ]; then
  1545. _saveaccountconf APACHE_HTTPD_CONF "$APACHE_HTTPD_CONF"
  1546. httpdconf="$APACHE_HTTPD_CONF"
  1547. httpdconfname="$(basename "$httpdconfname")"
  1548. else
  1549. httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"')"
  1550. _debug httpdconfname "$httpdconfname"
  1551. if [ -z "$httpdconfname" ]; then
  1552. _err "Can not read apache config file."
  1553. return 1
  1554. fi
  1555. if _startswith "$httpdconfname" '/'; then
  1556. httpdconf="$httpdconfname"
  1557. httpdconfname="$(basename "$httpdconfname")"
  1558. else
  1559. httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"')"
  1560. _debug httpdroot "$httpdroot"
  1561. httpdconf="$httpdroot/$httpdconfname"
  1562. httpdconfname="$(basename "$httpdconfname")"
  1563. fi
  1564. fi
  1565. _debug httpdconf "$httpdconf"
  1566. _debug httpdconfname "$httpdconfname"
  1567. if [ ! -f "$httpdconf" ]; then
  1568. _err "Apache Config file not found" "$httpdconf"
  1569. return 1
  1570. fi
  1571. return 0
  1572. }
  1573. _restoreApache() {
  1574. if [ -z "$usingApache" ]; then
  1575. return 0
  1576. fi
  1577. _initpath
  1578. if ! _apachePath; then
  1579. return 1
  1580. fi
  1581. if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ]; then
  1582. _debug "No config file to restore."
  1583. return 0
  1584. fi
  1585. cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
  1586. _debug "Restored: $httpdconf."
  1587. if ! _exec $_APACHECTL -t; then
  1588. _exec_err
  1589. _err "Sorry, restore apache config error, please contact me."
  1590. return 1
  1591. fi
  1592. _debug "Restored successfully."
  1593. rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1594. return 0
  1595. }
  1596. _setApache() {
  1597. _initpath
  1598. if ! _apachePath; then
  1599. return 1
  1600. fi
  1601. #test the conf first
  1602. _info "Checking if there is an error in the apache config file before starting."
  1603. if ! _exec "$_APACHECTL" -t >/dev/null; then
  1604. _exec_err
  1605. _err "The apache config file has error, please fix it first, then try again."
  1606. _err "Don't worry, there is nothing changed to your system."
  1607. return 1
  1608. else
  1609. _info "OK"
  1610. fi
  1611. #backup the conf
  1612. _debug "Backup apache config file" "$httpdconf"
  1613. if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then
  1614. _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
  1615. _err "This might be a bug of $PROJECT_NAME , pleae report issue: $PROJECT"
  1616. return 1
  1617. fi
  1618. _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1619. _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
  1620. _info "The backup file will be deleted on success, just forget it."
  1621. #add alias
  1622. apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2)"
  1623. _debug "apacheVer" "$apacheVer"
  1624. apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
  1625. apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
  1626. if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ]; then
  1627. echo "
  1628. Alias /.well-known/acme-challenge $ACME_DIR
  1629. <Directory $ACME_DIR >
  1630. Require all granted
  1631. </Directory>
  1632. " >>"$httpdconf"
  1633. else
  1634. echo "
  1635. Alias /.well-known/acme-challenge $ACME_DIR
  1636. <Directory $ACME_DIR >
  1637. Order allow,deny
  1638. Allow from all
  1639. </Directory>
  1640. " >>"$httpdconf"
  1641. fi
  1642. _msg="$($_APACHECTL -t 2>&1)"
  1643. if [ "$?" != "0" ]; then
  1644. _err "Sorry, apache config error"
  1645. if _restoreApache; then
  1646. _err "The apache config file is restored."
  1647. else
  1648. _err "Sorry, The apache config file can not be restored, please report bug."
  1649. fi
  1650. return 1
  1651. fi
  1652. if [ ! -d "$ACME_DIR" ]; then
  1653. mkdir -p "$ACME_DIR"
  1654. chmod 755 "$ACME_DIR"
  1655. fi
  1656. if ! _exec "$_APACHECTL" graceful; then
  1657. _exec_err
  1658. _err "$_APACHECTL graceful error, please contact me."
  1659. _restoreApache
  1660. return 1
  1661. fi
  1662. usingApache="1"
  1663. return 0
  1664. }
  1665. _clearup() {
  1666. _stopserver "$serverproc"
  1667. serverproc=""
  1668. _restoreApache
  1669. _clearupdns
  1670. if [ -z "$DEBUG" ]; then
  1671. rm -f "$TLS_CONF"
  1672. rm -f "$TLS_CERT"
  1673. rm -f "$TLS_KEY"
  1674. rm -f "$TLS_CSR"
  1675. fi
  1676. }
  1677. _clearupdns() {
  1678. _debug "_clearupdns"
  1679. if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
  1680. _debug "Dns not added, skip."
  1681. return
  1682. fi
  1683. ventries=$(echo "$vlist" | tr ',' ' ')
  1684. for ventry in $ventries; do
  1685. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  1686. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  1687. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  1688. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  1689. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _urlencode)"
  1690. _debug txt "$txt"
  1691. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  1692. _info "$d is already verified, skip $vtype."
  1693. continue
  1694. fi
  1695. if [ "$vtype" != "$VTYPE_DNS" ]; then
  1696. _info "Skip $d for $vtype"
  1697. continue
  1698. fi
  1699. d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
  1700. _debug d_api "$d_api"
  1701. if [ -z "$d_api" ]; then
  1702. _info "Not Found domain api file: $d_api"
  1703. continue
  1704. fi
  1705. (
  1706. if ! . "$d_api"; then
  1707. _err "Load file $d_api error. Please check your api file and try again."
  1708. return 1
  1709. fi
  1710. rmcommand="${_currentRoot}_rm"
  1711. if ! _exists "$rmcommand"; then
  1712. _err "It seems that your api file doesn't define $rmcommand"
  1713. return 1
  1714. fi
  1715. txtdomain="_acme-challenge.$d"
  1716. if ! $rmcommand "$txtdomain" "$txt"; then
  1717. _err "Error removing txt for domain:$txtdomain"
  1718. return 1
  1719. fi
  1720. )
  1721. done
  1722. }
  1723. # webroot removelevel tokenfile
  1724. _clearupwebbroot() {
  1725. __webroot="$1"
  1726. if [ -z "$__webroot" ]; then
  1727. _debug "no webroot specified, skip"
  1728. return 0
  1729. fi
  1730. _rmpath=""
  1731. if [ "$2" = '1' ]; then
  1732. _rmpath="$__webroot/.well-known"
  1733. elif [ "$2" = '2' ]; then
  1734. _rmpath="$__webroot/.well-known/acme-challenge"
  1735. elif [ "$2" = '3' ]; then
  1736. _rmpath="$__webroot/.well-known/acme-challenge/$3"
  1737. else
  1738. _debug "Skip for removelevel:$2"
  1739. fi
  1740. if [ "$_rmpath" ]; then
  1741. if [ "$DEBUG" ]; then
  1742. _debug "Debugging, skip removing: $_rmpath"
  1743. else
  1744. rm -rf "$_rmpath"
  1745. fi
  1746. fi
  1747. return 0
  1748. }
  1749. _on_before_issue() {
  1750. _debug _on_before_issue
  1751. if _hasfield "$Le_Webroot" "$NO_VALUE"; then
  1752. if ! _exists "nc"; then
  1753. _err "Please install netcat(nc) tools first."
  1754. return 1
  1755. fi
  1756. fi
  1757. _debug Le_LocalAddress "$Le_LocalAddress"
  1758. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ')
  1759. _index=1
  1760. _currentRoot=""
  1761. _addrIndex=1
  1762. for d in $alldomains; do
  1763. _debug "Check for domain" "$d"
  1764. _currentRoot="$(_getfield "$Le_Webroot" $_index)"
  1765. _debug "_currentRoot" "$_currentRoot"
  1766. _index=$(_math $_index + 1)
  1767. _checkport=""
  1768. if [ "$_currentRoot" = "$NO_VALUE" ]; then
  1769. _info "Standalone mode."
  1770. if [ -z "$Le_HTTPPort" ]; then
  1771. Le_HTTPPort=80
  1772. else
  1773. _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
  1774. fi
  1775. _checkport="$Le_HTTPPort"
  1776. elif [ "$_currentRoot" = "$W_TLS" ]; then
  1777. _info "Standalone tls mode."
  1778. if [ -z "$Le_TLSPort" ]; then
  1779. Le_TLSPort=443
  1780. else
  1781. _savedomainconf "Le_TLSPort" "$Le_TLSPort"
  1782. fi
  1783. _checkport="$Le_TLSPort"
  1784. fi
  1785. if [ "$_checkport" ]; then
  1786. _debug _checkport "$_checkport"
  1787. _checkaddr="$(_getfield "$Le_LocalAddress" $_addrIndex)"
  1788. _debug _checkaddr "$_checkaddr"
  1789. _addrIndex="$(_math $_addrIndex + 1)"
  1790. _netprc="$(_ss "$_checkport" | grep "$_checkport")"
  1791. netprc="$(echo "$_netprc" | grep "$_checkaddr")"
  1792. if [ -z "$netprc" ]; then
  1793. netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
  1794. fi
  1795. if [ "$netprc" ]; then
  1796. _err "$netprc"
  1797. _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
  1798. _err "Please stop it first"
  1799. return 1
  1800. fi
  1801. fi
  1802. done
  1803. if _hasfield "$Le_Webroot" "apache"; then
  1804. if ! _setApache; then
  1805. _err "set up apache error. Report error to me."
  1806. return 1
  1807. fi
  1808. else
  1809. usingApache=""
  1810. fi
  1811. #run pre hook
  1812. if [ "$Le_PreHook" ]; then
  1813. _info "Run pre hook:'$Le_PreHook'"
  1814. if ! (
  1815. cd "$DOMAIN_PATH" && eval "$Le_PreHook"
  1816. ); then
  1817. _err "Error when run pre hook."
  1818. return 1
  1819. fi
  1820. fi
  1821. }
  1822. _on_issue_err() {
  1823. _debug _on_issue_err
  1824. if [ "$LOG_FILE" ]; then
  1825. _err "Please check log file for more details: $LOG_FILE"
  1826. else
  1827. _err "Please add '--debug' or '--log' to check more details."
  1828. _err "See: $_DEBUG_WIKI"
  1829. fi
  1830. if [ "$DEBUG" ] && [ "$DEBUG" -gt "0" ]; then
  1831. _debug "$(_dlg_versions)"
  1832. fi
  1833. #run the post hook
  1834. if [ "$Le_PostHook" ]; then
  1835. _info "Run post hook:'$Le_PostHook'"
  1836. if ! (
  1837. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1838. ); then
  1839. _err "Error when run post hook."
  1840. return 1
  1841. fi
  1842. fi
  1843. }
  1844. _on_issue_success() {
  1845. _debug _on_issue_success
  1846. #run the post hook
  1847. if [ "$Le_PostHook" ]; then
  1848. _info "Run post hook:'$Le_PostHook'"
  1849. if ! (
  1850. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1851. ); then
  1852. _err "Error when run post hook."
  1853. return 1
  1854. fi
  1855. fi
  1856. #run renew hook
  1857. if [ "$IS_RENEW" ] && [ "$Le_RenewHook" ]; then
  1858. _info "Run renew hook:'$Le_RenewHook'"
  1859. if ! (
  1860. cd "$DOMAIN_PATH" && eval "$Le_RenewHook"
  1861. ); then
  1862. _err "Error when run renew hook."
  1863. return 1
  1864. fi
  1865. fi
  1866. }
  1867. updateaccount() {
  1868. _initpath
  1869. _regAccount
  1870. }
  1871. registeraccount() {
  1872. _reg_length="$1"
  1873. _initpath
  1874. _regAccount "$_reg_length"
  1875. }
  1876. __calcAccountKeyHash() {
  1877. [ -f "$ACCOUNT_KEY_PATH" ] && _digest sha256 <"$ACCOUNT_KEY_PATH"
  1878. }
  1879. #keylength
  1880. _regAccount() {
  1881. _initpath
  1882. _reg_length="$1"
  1883. if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
  1884. _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
  1885. mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  1886. fi
  1887. if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
  1888. _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
  1889. mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  1890. fi
  1891. if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
  1892. if ! _create_account_key "$_reg_length"; then
  1893. _err "Create account key error."
  1894. return 1
  1895. fi
  1896. fi
  1897. if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
  1898. return 1
  1899. fi
  1900. _updateTos=""
  1901. _reg_res="new-reg"
  1902. while true; do
  1903. _debug AGREEMENT "$AGREEMENT"
  1904. regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}'
  1905. if [ "$ACCOUNT_EMAIL" ]; then
  1906. regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
  1907. fi
  1908. if [ -z "$_updateTos" ]; then
  1909. _info "Registering account"
  1910. if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then
  1911. _err "Register account Error: $response"
  1912. return 1
  1913. fi
  1914. if [ "$code" = "" ] || [ "$code" = '201' ]; then
  1915. echo "$response" >"$ACCOUNT_JSON_PATH"
  1916. _info "Registered"
  1917. elif [ "$code" = '409' ]; then
  1918. _info "Already registered"
  1919. else
  1920. _err "Register account Error: $response"
  1921. return 1
  1922. fi
  1923. _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  1924. _debug "_accUri" "$_accUri"
  1925. _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')"
  1926. _debug "_tos" "$_tos"
  1927. if [ -z "$_tos" ]; then
  1928. _debug "Use default tos: $DEFAULT_AGREEMENT"
  1929. _tos="$DEFAULT_AGREEMENT"
  1930. fi
  1931. if [ "$_tos" != "$AGREEMENT" ]; then
  1932. _updateTos=1
  1933. AGREEMENT="$_tos"
  1934. _reg_res="reg"
  1935. continue
  1936. fi
  1937. else
  1938. _debug "Update tos: $_tos"
  1939. if ! _send_signed_request "$_accUri" "$regjson"; then
  1940. _err "Update tos error."
  1941. return 1
  1942. fi
  1943. if [ "$code" = '202' ]; then
  1944. _info "Update success."
  1945. CA_KEY_HASH="$(__calcAccountKeyHash)"
  1946. _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
  1947. _savecaconf CA_KEY_HASH "$CA_KEY_HASH"
  1948. else
  1949. _err "Update account error."
  1950. return 1
  1951. fi
  1952. fi
  1953. return 0
  1954. done
  1955. }
  1956. # domain folder file
  1957. _findHook() {
  1958. _hookdomain="$1"
  1959. _hookcat="$2"
  1960. _hookname="$3"
  1961. if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then
  1962. d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
  1963. elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
  1964. d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh"
  1965. elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
  1966. d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname"
  1967. elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
  1968. d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh"
  1969. elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then
  1970. d_api="$LE_WORKING_DIR/$_hookname"
  1971. elif [ -f "$LE_WORKING_DIR/$_hookname.sh" ]; then
  1972. d_api="$LE_WORKING_DIR/$_hookname.sh"
  1973. elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname" ]; then
  1974. d_api="$LE_WORKING_DIR/$_hookcat/$_hookname"
  1975. elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname.sh" ]; then
  1976. d_api="$LE_WORKING_DIR/$_hookcat/$_hookname.sh"
  1977. fi
  1978. printf "%s" "$d_api"
  1979. }
  1980. #domain
  1981. __get_domain_new_authz() {
  1982. _gdnd="$1"
  1983. _info "Getting new-authz for domain" "$_gdnd"
  1984. _Max_new_authz_retry_times=5
  1985. _authz_i=0
  1986. while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
  1987. _debug "Try new-authz for the $_authz_i time."
  1988. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
  1989. _err "Can not get domain new authz."
  1990. return 1
  1991. fi
  1992. if ! _contains "$response" "An error occurred while processing your request"; then
  1993. _info "The new-authz request is ok."
  1994. break
  1995. fi
  1996. _authz_i="$(_math "$_authz_i" + 1)"
  1997. _info "The server is busy, Sleep $_authz_i to retry."
  1998. _sleep "$_authz_i"
  1999. done
  2000. if [ "$_authz_i" = "$_Max_new_authz_retry_times" ]; then
  2001. _err "new-authz retry reach the max $_Max_new_authz_retry_times times."
  2002. fi
  2003. if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
  2004. _err "new-authz error: $response"
  2005. return 1
  2006. fi
  2007. }
  2008. #webroot, domain domainlist keylength
  2009. issue() {
  2010. if [ -z "$2" ]; then
  2011. _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
  2012. return 1
  2013. fi
  2014. Le_Webroot="$1"
  2015. Le_Domain="$2"
  2016. Le_Alt="$3"
  2017. Le_Keylength="$4"
  2018. Le_RealCertPath="$5"
  2019. Le_RealKeyPath="$6"
  2020. Le_RealCACertPath="$7"
  2021. Le_ReloadCmd="$8"
  2022. Le_RealFullChainPath="$9"
  2023. Le_PreHook="${10}"
  2024. Le_PostHook="${11}"
  2025. Le_RenewHook="${12}"
  2026. Le_LocalAddress="${13}"
  2027. #remove these later.
  2028. if [ "$Le_Webroot" = "dns-cf" ]; then
  2029. Le_Webroot="dns_cf"
  2030. fi
  2031. if [ "$Le_Webroot" = "dns-dp" ]; then
  2032. Le_Webroot="dns_dp"
  2033. fi
  2034. if [ "$Le_Webroot" = "dns-cx" ]; then
  2035. Le_Webroot="dns_cx"
  2036. fi
  2037. _debug "Using api: $API"
  2038. if [ ! "$IS_RENEW" ]; then
  2039. _initpath "$Le_Domain" "$Le_Keylength"
  2040. mkdir -p "$DOMAIN_PATH"
  2041. fi
  2042. if [ -f "$DOMAIN_CONF" ]; then
  2043. Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
  2044. _debug Le_NextRenewTime "$Le_NextRenewTime"
  2045. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
  2046. _saved_domain=$(_readdomainconf Le_Domain)
  2047. _debug _saved_domain "$_saved_domain"
  2048. _saved_alt=$(_readdomainconf Le_Alt)
  2049. _debug _saved_alt "$_saved_alt"
  2050. if [ "$_saved_domain,$_saved_alt" = "$Le_Domain,$Le_Alt" ]; then
  2051. _info "Domains not changed."
  2052. _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
  2053. _info "Add '$(__red '--force')' to force to renew."
  2054. return $RENEW_SKIP
  2055. else
  2056. _info "Domains have changed."
  2057. fi
  2058. fi
  2059. fi
  2060. _savedomainconf "Le_Domain" "$Le_Domain"
  2061. _savedomainconf "Le_Alt" "$Le_Alt"
  2062. _savedomainconf "Le_Webroot" "$Le_Webroot"
  2063. _savedomainconf "Le_PreHook" "$Le_PreHook"
  2064. _savedomainconf "Le_PostHook" "$Le_PostHook"
  2065. _savedomainconf "Le_RenewHook" "$Le_RenewHook"
  2066. if [ "$Le_LocalAddress" ]; then
  2067. _savedomainconf "Le_LocalAddress" "$Le_LocalAddress"
  2068. else
  2069. _cleardomainconf "Le_LocalAddress"
  2070. fi
  2071. Le_API="$API"
  2072. _savedomainconf "Le_API" "$Le_API"
  2073. if [ "$Le_Alt" = "$NO_VALUE" ]; then
  2074. Le_Alt=""
  2075. fi
  2076. if [ "$Le_Keylength" = "$NO_VALUE" ]; then
  2077. Le_Keylength=""
  2078. fi
  2079. if ! _on_before_issue; then
  2080. _err "_on_before_issue."
  2081. return 1
  2082. fi
  2083. _saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")"
  2084. _debug2 _saved_account_key_hash "$_saved_account_key_hash"
  2085. if [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then
  2086. if ! _regAccount "$_accountkeylength"; then
  2087. _on_issue_err
  2088. return 1
  2089. fi
  2090. else
  2091. _debug "_saved_account_key_hash is not changed, skip register account."
  2092. fi
  2093. if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
  2094. _info "Signing from existing CSR."
  2095. else
  2096. _key=$(_readdomainconf Le_Keylength)
  2097. _debug "Read key length:$_key"
  2098. if [ ! -f "$CERT_KEY_PATH" ] || [ "$Le_Keylength" != "$_key" ]; then
  2099. if ! createDomainKey "$Le_Domain" "$Le_Keylength"; then
  2100. _err "Create domain key error."
  2101. _clearup
  2102. _on_issue_err
  2103. return 1
  2104. fi
  2105. fi
  2106. if ! _createcsr "$Le_Domain" "$Le_Alt" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then
  2107. _err "Create CSR error."
  2108. _clearup
  2109. _on_issue_err
  2110. return 1
  2111. fi
  2112. fi
  2113. _savedomainconf "Le_Keylength" "$Le_Keylength"
  2114. vlist="$Le_Vlist"
  2115. _info "Getting domain auth token for each domain"
  2116. sep='#'
  2117. if [ -z "$vlist" ]; then
  2118. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ')
  2119. _index=1
  2120. _currentRoot=""
  2121. for d in $alldomains; do
  2122. _info "Getting webroot for domain" "$d"
  2123. _w="$(echo $Le_Webroot | cut -d , -f $_index)"
  2124. _info _w "$_w"
  2125. if [ "$_w" ]; then
  2126. _currentRoot="$_w"
  2127. fi
  2128. _debug "_currentRoot" "$_currentRoot"
  2129. _index=$(_math $_index + 1)
  2130. vtype="$VTYPE_HTTP"
  2131. if _startswith "$_currentRoot" "dns"; then
  2132. vtype="$VTYPE_DNS"
  2133. fi
  2134. if [ "$_currentRoot" = "$W_TLS" ]; then
  2135. vtype="$VTYPE_TLS"
  2136. fi
  2137. if ! __get_domain_new_authz "$d"; then
  2138. _clearup
  2139. _on_issue_err
  2140. return 1
  2141. fi
  2142. if [ -z "$thumbprint" ]; then
  2143. accountkey_json=$(printf "%s" "$jwk" | tr -d ' ')
  2144. thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
  2145. fi
  2146. entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
  2147. _debug entry "$entry"
  2148. if [ -z "$entry" ]; then
  2149. _err "Error, can not get domain token $d"
  2150. _clearup
  2151. _on_issue_err
  2152. return 1
  2153. fi
  2154. token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
  2155. _debug token "$token"
  2156. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
  2157. _debug uri "$uri"
  2158. keyauthorization="$token.$thumbprint"
  2159. _debug keyauthorization "$keyauthorization"
  2160. if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
  2161. _info "$d is already verified, skip."
  2162. keyauthorization="$STATE_VERIFIED"
  2163. _debug keyauthorization "$keyauthorization"
  2164. fi
  2165. dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
  2166. _debug dvlist "$dvlist"
  2167. vlist="$vlist$dvlist,"
  2168. done
  2169. #add entry
  2170. dnsadded=""
  2171. ventries=$(echo "$vlist" | tr ',' ' ')
  2172. for ventry in $ventries; do
  2173. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2174. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2175. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2176. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2177. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2178. _info "$d is already verified, skip $vtype."
  2179. continue
  2180. fi
  2181. if [ "$vtype" = "$VTYPE_DNS" ]; then
  2182. dnsadded='0'
  2183. txtdomain="_acme-challenge.$d"
  2184. _debug txtdomain "$txtdomain"
  2185. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _urlencode)"
  2186. _debug txt "$txt"
  2187. d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
  2188. _debug d_api "$d_api"
  2189. if [ "$d_api" ]; then
  2190. _info "Found domain api file: $d_api"
  2191. else
  2192. _err "Add the following TXT record:"
  2193. _err "Domain: '$(__green "$txtdomain")'"
  2194. _err "TXT value: '$(__green "$txt")'"
  2195. _err "Please be aware that you prepend _acme-challenge. before your domain"
  2196. _err "so the resulting subdomain will be: $txtdomain"
  2197. continue
  2198. fi
  2199. (
  2200. if ! . "$d_api"; then
  2201. _err "Load file $d_api error. Please check your api file and try again."
  2202. return 1
  2203. fi
  2204. addcommand="${_currentRoot}_add"
  2205. if ! _exists "$addcommand"; then
  2206. _err "It seems that your api file is not correct, it must have a function named: $addcommand"
  2207. return 1
  2208. fi
  2209. if ! $addcommand "$txtdomain" "$txt"; then
  2210. _err "Error add txt for domain:$txtdomain"
  2211. return 1
  2212. fi
  2213. )
  2214. if [ "$?" != "0" ]; then
  2215. _clearup
  2216. _on_issue_err
  2217. return 1
  2218. fi
  2219. dnsadded='1'
  2220. fi
  2221. done
  2222. if [ "$dnsadded" = '0' ]; then
  2223. _savedomainconf "Le_Vlist" "$vlist"
  2224. _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
  2225. _err "Please add the TXT records to the domains, and retry again."
  2226. _clearup
  2227. _on_issue_err
  2228. return 1
  2229. fi
  2230. fi
  2231. if [ "$dnsadded" = '1' ]; then
  2232. if [ -z "$Le_DNSSleep" ]; then
  2233. Le_DNSSleep="$DEFAULT_DNS_SLEEP"
  2234. else
  2235. _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
  2236. fi
  2237. _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
  2238. _sleep "$Le_DNSSleep"
  2239. fi
  2240. _debug "ok, let's start to verify"
  2241. _ncIndex=1
  2242. ventries=$(echo "$vlist" | tr ',' ' ')
  2243. for ventry in $ventries; do
  2244. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2245. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2246. uri=$(echo "$ventry" | cut -d "$sep" -f 3)
  2247. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2248. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2249. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2250. _info "$d is already verified, skip $vtype."
  2251. continue
  2252. fi
  2253. _info "Verifying:$d"
  2254. _debug "d" "$d"
  2255. _debug "keyauthorization" "$keyauthorization"
  2256. _debug "uri" "$uri"
  2257. removelevel=""
  2258. token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
  2259. _debug "_currentRoot" "$_currentRoot"
  2260. if [ "$vtype" = "$VTYPE_HTTP" ]; then
  2261. if [ "$_currentRoot" = "$NO_VALUE" ]; then
  2262. _info "Standalone mode server"
  2263. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex")"
  2264. _ncIndex="$(_math $_ncIndex + 1)"
  2265. _startserver "$keyauthorization" "$_ncaddr" &
  2266. if [ "$?" != "0" ]; then
  2267. _clearup
  2268. _on_issue_err
  2269. return 1
  2270. fi
  2271. serverproc="$!"
  2272. sleep 1
  2273. _debug serverproc "$serverproc"
  2274. else
  2275. if [ "$_currentRoot" = "apache" ]; then
  2276. wellknown_path="$ACME_DIR"
  2277. else
  2278. wellknown_path="$_currentRoot/.well-known/acme-challenge"
  2279. if [ ! -d "$_currentRoot/.well-known" ]; then
  2280. removelevel='1'
  2281. elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then
  2282. removelevel='2'
  2283. else
  2284. removelevel='3'
  2285. fi
  2286. fi
  2287. _debug wellknown_path "$wellknown_path"
  2288. _debug "writing token:$token to $wellknown_path/$token"
  2289. mkdir -p "$wellknown_path"
  2290. if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then
  2291. _err "$d:Can not write token to file : $wellknown_path/$token"
  2292. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2293. _clearup
  2294. _on_issue_err
  2295. return 1
  2296. fi
  2297. if [ ! "$usingApache" ]; then
  2298. if webroot_owner=$(_stat "$_currentRoot"); then
  2299. _debug "Changing owner/group of .well-known to $webroot_owner"
  2300. chown -R "$webroot_owner" "$_currentRoot/.well-known"
  2301. else
  2302. _debug "not chaning owner/group of webroot"
  2303. fi
  2304. fi
  2305. fi
  2306. elif [ "$vtype" = "$VTYPE_TLS" ]; then
  2307. #create A
  2308. #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
  2309. #_debug2 _hash_A "$_hash_A"
  2310. #_x="$(echo $_hash_A | cut -c 1-32)"
  2311. #_debug2 _x "$_x"
  2312. #_y="$(echo $_hash_A | cut -c 33-64)"
  2313. #_debug2 _y "$_y"
  2314. #_SAN_A="$_x.$_y.token.acme.invalid"
  2315. #_debug2 _SAN_A "$_SAN_A"
  2316. #create B
  2317. _hash_B="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
  2318. _debug2 _hash_B "$_hash_B"
  2319. _x="$(echo "$_hash_B" | cut -c 1-32)"
  2320. _debug2 _x "$_x"
  2321. _y="$(echo "$_hash_B" | cut -c 33-64)"
  2322. _debug2 _y "$_y"
  2323. #_SAN_B="$_x.$_y.ka.acme.invalid"
  2324. _SAN_B="$_x.$_y.acme.invalid"
  2325. _debug2 _SAN_B "$_SAN_B"
  2326. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex")"
  2327. _ncIndex="$(_math "$_ncIndex" + 1)"
  2328. if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
  2329. _err "Start tls server error."
  2330. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2331. _clearup
  2332. _on_issue_err
  2333. return 1
  2334. fi
  2335. fi
  2336. if ! _send_signed_request "$uri" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"; then
  2337. _err "$d:Can not get challenge: $response"
  2338. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2339. _clearup
  2340. _on_issue_err
  2341. return 1
  2342. fi
  2343. if [ ! -z "$code" ] && [ ! "$code" = '202' ]; then
  2344. _err "$d:Challenge error: $response"
  2345. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2346. _clearup
  2347. _on_issue_err
  2348. return 1
  2349. fi
  2350. waittimes=0
  2351. if [ -z "$MAX_RETRY_TIMES" ]; then
  2352. MAX_RETRY_TIMES=30
  2353. fi
  2354. while true; do
  2355. waittimes=$(_math "$waittimes" + 1)
  2356. if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then
  2357. _err "$d:Timeout"
  2358. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2359. _clearup
  2360. _on_issue_err
  2361. return 1
  2362. fi
  2363. _debug "sleep 2 secs to verify"
  2364. sleep 2
  2365. _debug "checking"
  2366. response="$(_get "$uri")"
  2367. if [ "$?" != "0" ]; then
  2368. _err "$d:Verify error:$response"
  2369. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2370. _clearup
  2371. _on_issue_err
  2372. return 1
  2373. fi
  2374. _debug2 original "$response"
  2375. response="$(echo "$response" | _normalizeJson)"
  2376. _debug2 response "$response"
  2377. status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
  2378. if [ "$status" = "valid" ]; then
  2379. _info "$(__green Success)"
  2380. _stopserver "$serverproc"
  2381. serverproc=""
  2382. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2383. break
  2384. fi
  2385. if [ "$status" = "invalid" ]; then
  2386. error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
  2387. _debug2 error "$error"
  2388. errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
  2389. _debug2 errordetail "$errordetail"
  2390. if [ "$errordetail" ]; then
  2391. _err "$d:Verify error:$errordetail"
  2392. else
  2393. _err "$d:Verify error:$error"
  2394. fi
  2395. if [ "$DEBUG" ]; then
  2396. if [ "$vtype" = "$VTYPE_HTTP" ]; then
  2397. _debug "Debug: get token url."
  2398. _get "http://$d/.well-known/acme-challenge/$token" "" 1
  2399. fi
  2400. fi
  2401. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2402. _clearup
  2403. _on_issue_err
  2404. return 1
  2405. fi
  2406. if [ "$status" = "pending" ]; then
  2407. _info "Pending"
  2408. else
  2409. _err "$d:Verify error:$response"
  2410. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2411. _clearup
  2412. _on_issue_err
  2413. return 1
  2414. fi
  2415. done
  2416. done
  2417. _clearup
  2418. _info "Verify finished, start to sign."
  2419. der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _urlencode)"
  2420. if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
  2421. _err "Sign failed."
  2422. _on_issue_err
  2423. return 1
  2424. fi
  2425. _rcert="$response"
  2426. Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
  2427. _savedomainconf "Le_LinkCert" "$Le_LinkCert"
  2428. if [ "$Le_LinkCert" ]; then
  2429. echo "$BEGIN_CERT" >"$CERT_PATH"
  2430. #if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
  2431. # _debug "Get cert failed. Let's try last response."
  2432. # printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
  2433. #fi
  2434. if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
  2435. _debug "Try cert link."
  2436. _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
  2437. fi
  2438. echo "$END_CERT" >>"$CERT_PATH"
  2439. _info "$(__green "Cert success.")"
  2440. cat "$CERT_PATH"
  2441. _info "Your cert is in $(__green " $CERT_PATH ")"
  2442. if [ -f "$CERT_KEY_PATH" ]; then
  2443. _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
  2444. fi
  2445. cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
  2446. if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
  2447. USER_PATH="$PATH"
  2448. _saveaccountconf "USER_PATH" "$USER_PATH"
  2449. fi
  2450. fi
  2451. if [ -z "$Le_LinkCert" ]; then
  2452. response="$(echo "$response" | _dbase64 "multiline" | _normalizeJson)"
  2453. _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
  2454. _on_issue_err
  2455. return 1
  2456. fi
  2457. _cleardomainconf "Le_Vlist"
  2458. Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
  2459. if ! _contains "$Le_LinkIssuer" ":"; then
  2460. Le_LinkIssuer="$API$Le_LinkIssuer"
  2461. fi
  2462. _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
  2463. if [ "$Le_LinkIssuer" ]; then
  2464. echo "$BEGIN_CERT" >"$CA_CERT_PATH"
  2465. _get "$Le_LinkIssuer" | _base64 "multiline" >>"$CA_CERT_PATH"
  2466. echo "$END_CERT" >>"$CA_CERT_PATH"
  2467. _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
  2468. cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
  2469. _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
  2470. fi
  2471. Le_CertCreateTime=$(_time)
  2472. _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
  2473. Le_CertCreateTimeStr=$(date -u)
  2474. _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
  2475. if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ]; then
  2476. Le_RenewalDays="$MAX_RENEW"
  2477. else
  2478. _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
  2479. fi
  2480. if [ "$CA_BUNDLE" ]; then
  2481. _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
  2482. else
  2483. _clearaccountconf "CA_BUNDLE"
  2484. fi
  2485. if [ "$HTTPS_INSECURE" ]; then
  2486. _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
  2487. else
  2488. _clearaccountconf "HTTPS_INSECURE"
  2489. fi
  2490. if [ "$Le_Listen_V4" ]; then
  2491. _savedomainconf "Le_Listen_V4" "$Le_Listen_V4"
  2492. _cleardomainconf Le_Listen_V6
  2493. elif [ "$Le_Listen_V6" ]; then
  2494. _savedomainconf "Le_Listen_V6" "$Le_Listen_V6"
  2495. _cleardomainconf Le_Listen_V4
  2496. fi
  2497. Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
  2498. Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
  2499. _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  2500. Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
  2501. _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  2502. _on_issue_success
  2503. if [ "$Le_RealCertPath$Le_RealKeyPath$Le_RealCACertPath$Le_ReloadCmd$Le_RealFullChainPath" ]; then
  2504. _installcert
  2505. fi
  2506. }
  2507. #domain [isEcc]
  2508. renew() {
  2509. Le_Domain="$1"
  2510. if [ -z "$Le_Domain" ]; then
  2511. _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
  2512. return 1
  2513. fi
  2514. _isEcc="$2"
  2515. _initpath "$Le_Domain" "$_isEcc"
  2516. _info "$(__green "Renew: '$Le_Domain'")"
  2517. if [ ! -f "$DOMAIN_CONF" ]; then
  2518. _info "'$Le_Domain' is not a issued domain, skip."
  2519. return 0
  2520. fi
  2521. if [ "$Le_RenewalDays" ]; then
  2522. _savedomainconf Le_RenewalDays "$Le_RenewalDays"
  2523. fi
  2524. . "$DOMAIN_CONF"
  2525. if [ "$Le_API" ]; then
  2526. API="$Le_API"
  2527. #reload ca configs
  2528. ACCOUNT_KEY_PATH=""
  2529. ACCOUNT_JSON_PATH=""
  2530. CA_CONF=""
  2531. _debug3 "initpath again."
  2532. _initpath "$Le_Domain" "$_isEcc"
  2533. fi
  2534. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
  2535. _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
  2536. _info "Add '$(__red '--force')' to force to renew."
  2537. return "$RENEW_SKIP"
  2538. fi
  2539. IS_RENEW="1"
  2540. issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
  2541. res="$?"
  2542. if [ "$res" != "0" ]; then
  2543. return "$res"
  2544. fi
  2545. if [ "$Le_DeployHook" ]; then
  2546. deploy "$Le_Domain" "$Le_DeployHook" "$Le_Keylength"
  2547. res="$?"
  2548. fi
  2549. IS_RENEW=""
  2550. return "$res"
  2551. }
  2552. #renewAll [stopRenewOnError]
  2553. renewAll() {
  2554. _initpath
  2555. _stopRenewOnError="$1"
  2556. _debug "_stopRenewOnError" "$_stopRenewOnError"
  2557. _ret="0"
  2558. for di in "${CERT_HOME}"/*.*/; do
  2559. _debug di "$di"
  2560. if ! [ -d "$di" ]; then
  2561. _debug "Not directory, skip: $di"
  2562. continue
  2563. fi
  2564. d=$(basename "$di")
  2565. _debug d "$d"
  2566. (
  2567. if _endswith "$d" "$ECC_SUFFIX"; then
  2568. _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
  2569. d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
  2570. fi
  2571. renew "$d" "$_isEcc"
  2572. )
  2573. rc="$?"
  2574. _debug "Return code: $rc"
  2575. if [ "$rc" != "0" ]; then
  2576. if [ "$rc" = "$RENEW_SKIP" ]; then
  2577. _info "Skipped $d"
  2578. elif [ "$_stopRenewOnError" ]; then
  2579. _err "Error renew $d, stop now."
  2580. return "$rc"
  2581. else
  2582. _ret="$rc"
  2583. _err "Error renew $d, Go ahead to next one."
  2584. fi
  2585. fi
  2586. done
  2587. return "$_ret"
  2588. }
  2589. #csr webroot
  2590. signcsr() {
  2591. _csrfile="$1"
  2592. _csrW="$2"
  2593. if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
  2594. _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
  2595. return 1
  2596. fi
  2597. _initpath
  2598. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2599. if [ "$?" != "0" ]; then
  2600. _err "Can not read subject from csr: $_csrfile"
  2601. return 1
  2602. fi
  2603. _debug _csrsubj "$_csrsubj"
  2604. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2605. if [ "$?" != "0" ]; then
  2606. _err "Can not read domain list from csr: $_csrfile"
  2607. return 1
  2608. fi
  2609. _debug "_csrdomainlist" "$_csrdomainlist"
  2610. if [ -z "$_csrsubj" ]; then
  2611. _csrsubj="$(_getfield "$_csrdomainlist" 1)"
  2612. _debug _csrsubj "$_csrsubj"
  2613. _csrdomainlist="$(echo "$_csrdomainlist" | cut -d , -f 2-)"
  2614. _debug "_csrdomainlist" "$_csrdomainlist"
  2615. fi
  2616. if [ -z "$_csrsubj" ]; then
  2617. _err "Can not read subject from csr: $_csrfile"
  2618. return 1
  2619. fi
  2620. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2621. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
  2622. _err "Can not read key length from csr: $_csrfile"
  2623. return 1
  2624. fi
  2625. _initpath "$_csrsubj" "$_csrkeylength"
  2626. mkdir -p "$DOMAIN_PATH"
  2627. _info "Copy csr to: $CSR_PATH"
  2628. cp "$_csrfile" "$CSR_PATH"
  2629. issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
  2630. }
  2631. showcsr() {
  2632. _csrfile="$1"
  2633. _csrd="$2"
  2634. if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
  2635. _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
  2636. return 1
  2637. fi
  2638. _initpath
  2639. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2640. if [ "$?" != "0" ] || [ -z "$_csrsubj" ]; then
  2641. _err "Can not read subject from csr: $_csrfile"
  2642. return 1
  2643. fi
  2644. _info "Subject=$_csrsubj"
  2645. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2646. if [ "$?" != "0" ]; then
  2647. _err "Can not read domain list from csr: $_csrfile"
  2648. return 1
  2649. fi
  2650. _debug "_csrdomainlist" "$_csrdomainlist"
  2651. _info "SubjectAltNames=$_csrdomainlist"
  2652. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2653. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
  2654. _err "Can not read key length from csr: $_csrfile"
  2655. return 1
  2656. fi
  2657. _info "KeyLength=$_csrkeylength"
  2658. }
  2659. list() {
  2660. _raw="$1"
  2661. _initpath
  2662. _sep="|"
  2663. if [ "$_raw" ]; then
  2664. printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
  2665. for di in "${CERT_HOME}"/*.*/; do
  2666. if ! [ -d "$di" ]; then
  2667. _debug "Not directory, skip: $di"
  2668. continue
  2669. fi
  2670. d=$(basename "$di")
  2671. _debug d "$d"
  2672. (
  2673. if _endswith "$d" "$ECC_SUFFIX"; then
  2674. _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
  2675. d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
  2676. fi
  2677. _initpath "$d" "$_isEcc"
  2678. if [ -f "$DOMAIN_CONF" ]; then
  2679. . "$DOMAIN_CONF"
  2680. printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
  2681. fi
  2682. )
  2683. done
  2684. else
  2685. if _exists column; then
  2686. list "raw" | column -t -s "$_sep"
  2687. else
  2688. list "raw" | tr "$_sep" '\t'
  2689. fi
  2690. fi
  2691. }
  2692. deploy() {
  2693. Le_Domain="$1"
  2694. Le_DeployHook="$2"
  2695. _isEcc="$3"
  2696. if [ -z "$Le_DeployHook" ]; then
  2697. _usage "Usage: $PROJECT_ENTRY --deploy -d domain.com --deploy-hook cpanel [--ecc] "
  2698. return 1
  2699. fi
  2700. _initpath "$Le_Domain" "$_isEcc"
  2701. if [ ! -d "$DOMAIN_PATH" ]; then
  2702. _err "Domain is not valid:'$Le_Domain'"
  2703. return 1
  2704. fi
  2705. _deployApi="$(_findHook "$Le_Domain" deploy "$Le_DeployHook")"
  2706. if [ -z "$_deployApi" ]; then
  2707. _err "The deploy hook $Le_DeployHook is not found."
  2708. return 1
  2709. fi
  2710. _debug _deployApi "$_deployApi"
  2711. _savedomainconf Le_DeployHook "$Le_DeployHook"
  2712. if ! (
  2713. if ! . "$_deployApi"; then
  2714. _err "Load file $_deployApi error. Please check your api file and try again."
  2715. return 1
  2716. fi
  2717. d_command="${Le_DeployHook}_deploy"
  2718. if ! _exists "$d_command"; then
  2719. _err "It seems that your api file is not correct, it must have a function named: $d_command"
  2720. return 1
  2721. fi
  2722. if ! $d_command "$Le_Domain" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$CERT_FULLCHAIN_PATH"; then
  2723. _err "Error deploy for domain:$Le_Domain"
  2724. _on_issue_err
  2725. return 1
  2726. fi
  2727. ); then
  2728. _err "Deploy error."
  2729. return 1
  2730. else
  2731. _info "$(__green Success)"
  2732. fi
  2733. }
  2734. installcert() {
  2735. Le_Domain="$1"
  2736. if [ -z "$Le_Domain" ]; then
  2737. _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
  2738. return 1
  2739. fi
  2740. Le_RealCertPath="$2"
  2741. Le_RealKeyPath="$3"
  2742. Le_RealCACertPath="$4"
  2743. Le_ReloadCmd="$5"
  2744. Le_RealFullChainPath="$6"
  2745. _isEcc="$7"
  2746. _initpath "$Le_Domain" "$_isEcc"
  2747. if [ ! -d "$DOMAIN_PATH" ]; then
  2748. _err "Domain is not valid:'$Le_Domain'"
  2749. return 1
  2750. fi
  2751. _installcert
  2752. }
  2753. _installcert() {
  2754. _savedomainconf "Le_RealCertPath" "$Le_RealCertPath"
  2755. _savedomainconf "Le_RealCACertPath" "$Le_RealCACertPath"
  2756. _savedomainconf "Le_RealKeyPath" "$Le_RealKeyPath"
  2757. _savedomainconf "Le_ReloadCmd" "$Le_ReloadCmd"
  2758. _savedomainconf "Le_RealFullChainPath" "$Le_RealFullChainPath"
  2759. if [ "$Le_RealCertPath" = "$NO_VALUE" ]; then
  2760. Le_RealCertPath=""
  2761. fi
  2762. if [ "$Le_RealKeyPath" = "$NO_VALUE" ]; then
  2763. Le_RealKeyPath=""
  2764. fi
  2765. if [ "$Le_RealCACertPath" = "$NO_VALUE" ]; then
  2766. Le_RealCACertPath=""
  2767. fi
  2768. if [ "$Le_ReloadCmd" = "$NO_VALUE" ]; then
  2769. Le_ReloadCmd=""
  2770. fi
  2771. if [ "$Le_RealFullChainPath" = "$NO_VALUE" ]; then
  2772. Le_RealFullChainPath=""
  2773. fi
  2774. if [ "$Le_RealCertPath" ]; then
  2775. _info "Installing cert to:$Le_RealCertPath"
  2776. if [ -f "$Le_RealCertPath" ] && [ ! "$IS_RENEW" ]; then
  2777. cp "$Le_RealCertPath" "$Le_RealCertPath".bak
  2778. fi
  2779. cat "$CERT_PATH" >"$Le_RealCertPath"
  2780. fi
  2781. if [ "$Le_RealCACertPath" ]; then
  2782. _info "Installing CA to:$Le_RealCACertPath"
  2783. if [ "$Le_RealCACertPath" = "$Le_RealCertPath" ]; then
  2784. echo "" >>"$Le_RealCACertPath"
  2785. cat "$CA_CERT_PATH" >>"$Le_RealCACertPath"
  2786. else
  2787. if [ -f "$Le_RealCACertPath" ] && [ ! "$IS_RENEW" ]; then
  2788. cp "$Le_RealCACertPath" "$Le_RealCACertPath".bak
  2789. fi
  2790. cat "$CA_CERT_PATH" >"$Le_RealCACertPath"
  2791. fi
  2792. fi
  2793. if [ "$Le_RealKeyPath" ]; then
  2794. _info "Installing key to:$Le_RealKeyPath"
  2795. if [ -f "$Le_RealKeyPath" ] && [ ! "$IS_RENEW" ]; then
  2796. cp "$Le_RealKeyPath" "$Le_RealKeyPath".bak
  2797. fi
  2798. cat "$CERT_KEY_PATH" >"$Le_RealKeyPath"
  2799. fi
  2800. if [ "$Le_RealFullChainPath" ]; then
  2801. _info "Installing full chain to:$Le_RealFullChainPath"
  2802. if [ -f "$Le_RealFullChainPath" ] && [ ! "$IS_RENEW" ]; then
  2803. cp "$Le_RealFullChainPath" "$Le_RealFullChainPath".bak
  2804. fi
  2805. cat "$CERT_FULLCHAIN_PATH" >"$Le_RealFullChainPath"
  2806. fi
  2807. if [ "$Le_ReloadCmd" ]; then
  2808. _info "Run Le_ReloadCmd: $Le_ReloadCmd"
  2809. if (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd"); then
  2810. _info "$(__green "Reload success")"
  2811. else
  2812. _err "Reload error for :$Le_Domain"
  2813. fi
  2814. fi
  2815. }
  2816. installcronjob() {
  2817. _initpath
  2818. if ! _exists "crontab"; then
  2819. _err "crontab doesn't exist, so, we can not install cron jobs."
  2820. _err "All your certs will not be renewed automatically."
  2821. _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
  2822. return 1
  2823. fi
  2824. _info "Installing cron job"
  2825. if ! crontab -l | grep "$PROJECT_ENTRY --cron"; then
  2826. if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
  2827. lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
  2828. else
  2829. _err "Can not install cronjob, $PROJECT_ENTRY not found."
  2830. return 1
  2831. fi
  2832. if _exists uname && uname -a | grep solaris >/dev/null; then
  2833. crontab -l | {
  2834. cat
  2835. echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2836. } | crontab --
  2837. else
  2838. crontab -l | {
  2839. cat
  2840. echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2841. } | crontab -
  2842. fi
  2843. fi
  2844. if [ "$?" != "0" ]; then
  2845. _err "Install cron job failed. You need to manually renew your certs."
  2846. _err "Or you can add cronjob by yourself:"
  2847. _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2848. return 1
  2849. fi
  2850. }
  2851. uninstallcronjob() {
  2852. if ! _exists "crontab"; then
  2853. return
  2854. fi
  2855. _info "Removing cron job"
  2856. cr="$(crontab -l | grep "$PROJECT_ENTRY --cron")"
  2857. if [ "$cr" ]; then
  2858. if _exists uname && uname -a | grep solaris >/dev/null; then
  2859. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab --
  2860. else
  2861. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab -
  2862. fi
  2863. LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
  2864. _info LE_WORKING_DIR "$LE_WORKING_DIR"
  2865. fi
  2866. _initpath
  2867. }
  2868. revoke() {
  2869. Le_Domain="$1"
  2870. if [ -z "$Le_Domain" ]; then
  2871. _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com"
  2872. return 1
  2873. fi
  2874. _isEcc="$2"
  2875. _initpath "$Le_Domain" "$_isEcc"
  2876. if [ ! -f "$DOMAIN_CONF" ]; then
  2877. _err "$Le_Domain is not a issued domain, skip."
  2878. return 1
  2879. fi
  2880. if [ ! -f "$CERT_PATH" ]; then
  2881. _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
  2882. return 1
  2883. fi
  2884. cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _urlencode)"
  2885. if [ -z "$cert" ]; then
  2886. _err "Cert for $Le_Domain is empty found, skip."
  2887. return 1
  2888. fi
  2889. data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
  2890. uri="$API/acme/revoke-cert"
  2891. if [ -f "$CERT_KEY_PATH" ]; then
  2892. _info "Try domain key first."
  2893. if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then
  2894. if [ -z "$response" ]; then
  2895. _info "Revoke success."
  2896. rm -f "$CERT_PATH"
  2897. return 0
  2898. else
  2899. _err "Revoke error by domain key."
  2900. _err "$response"
  2901. fi
  2902. fi
  2903. else
  2904. _info "Domain key file doesn't exists."
  2905. fi
  2906. _info "Try account key."
  2907. if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then
  2908. if [ -z "$response" ]; then
  2909. _info "Revoke success."
  2910. rm -f "$CERT_PATH"
  2911. return 0
  2912. else
  2913. _err "Revoke error."
  2914. _debug "$response"
  2915. fi
  2916. fi
  2917. return 1
  2918. }
  2919. #domain vtype
  2920. _deactivate() {
  2921. _d_domain="$1"
  2922. _d_type="$2"
  2923. _initpath
  2924. _d_i=0
  2925. _d_max_retry=9
  2926. while [ "$_d_i" -lt "$_d_max_retry" ]; do
  2927. _info "Deactivate: $_d_domain"
  2928. _d_i="$(_math $_d_i + 1)"
  2929. if ! __get_domain_new_authz "$_d_domain"; then
  2930. _err "Can not get domain new authz token."
  2931. return 1
  2932. fi
  2933. authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  2934. _debug "authzUri" "$authzUri"
  2935. if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
  2936. _err "new-authz error: $response"
  2937. return 1
  2938. fi
  2939. entry="$(printf "%s\n" "$response" | _egrep_o '{"type":"[^"]*","status":"valid","uri"[^}]*')"
  2940. _debug entry "$entry"
  2941. if [ -z "$entry" ]; then
  2942. _info "No more valid entry found."
  2943. break
  2944. fi
  2945. _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
  2946. _debug _vtype "$_vtype"
  2947. _info "Found $_vtype"
  2948. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
  2949. _debug uri "$uri"
  2950. if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
  2951. _info "Skip $_vtype"
  2952. continue
  2953. fi
  2954. _info "Deactivate: $_vtype"
  2955. if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}"; then
  2956. _err "Can not deactivate $_vtype."
  2957. return 1
  2958. fi
  2959. _info "Deactivate: $_vtype success."
  2960. done
  2961. _debug "$_d_i"
  2962. if [ "$_d_i" -lt "$_d_max_retry" ]; then
  2963. _info "Deactivated success!"
  2964. else
  2965. _err "Deactivate failed."
  2966. fi
  2967. }
  2968. deactivate() {
  2969. _d_domain_list="$1"
  2970. _d_type="$2"
  2971. _initpath
  2972. _debug _d_domain_list "$_d_domain_list"
  2973. if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
  2974. _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
  2975. return 1
  2976. fi
  2977. for _d_dm in $(echo "$_d_domain_list" | tr ',' ' '); do
  2978. if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ]; then
  2979. continue
  2980. fi
  2981. if ! _deactivate "$_d_dm" "$_d_type"; then
  2982. return 1
  2983. fi
  2984. done
  2985. }
  2986. # Detect profile file if not specified as environment variable
  2987. _detect_profile() {
  2988. if [ -n "$PROFILE" -a -f "$PROFILE" ]; then
  2989. echo "$PROFILE"
  2990. return
  2991. fi
  2992. DETECTED_PROFILE=''
  2993. SHELLTYPE="$(basename "/$SHELL")"
  2994. if [ "$SHELLTYPE" = "bash" ]; then
  2995. if [ -f "$HOME/.bashrc" ]; then
  2996. DETECTED_PROFILE="$HOME/.bashrc"
  2997. elif [ -f "$HOME/.bash_profile" ]; then
  2998. DETECTED_PROFILE="$HOME/.bash_profile"
  2999. fi
  3000. elif [ "$SHELLTYPE" = "zsh" ]; then
  3001. DETECTED_PROFILE="$HOME/.zshrc"
  3002. fi
  3003. if [ -z "$DETECTED_PROFILE" ]; then
  3004. if [ -f "$HOME/.profile" ]; then
  3005. DETECTED_PROFILE="$HOME/.profile"
  3006. elif [ -f "$HOME/.bashrc" ]; then
  3007. DETECTED_PROFILE="$HOME/.bashrc"
  3008. elif [ -f "$HOME/.bash_profile" ]; then
  3009. DETECTED_PROFILE="$HOME/.bash_profile"
  3010. elif [ -f "$HOME/.zshrc" ]; then
  3011. DETECTED_PROFILE="$HOME/.zshrc"
  3012. fi
  3013. fi
  3014. if [ ! -z "$DETECTED_PROFILE" ]; then
  3015. echo "$DETECTED_PROFILE"
  3016. fi
  3017. }
  3018. _initconf() {
  3019. _initpath
  3020. if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
  3021. echo "#ACCOUNT_CONF_PATH=xxxx
  3022. #ACCOUNT_EMAIL=aaa@example.com # the account email used to register account.
  3023. #ACCOUNT_KEY_PATH=\"/path/to/account.key\"
  3024. #CERT_HOME=\"/path/to/cert/home\"
  3025. #LOG_FILE=\"$DEFAULT_LOG_FILE\"
  3026. #LOG_LEVEL=1
  3027. #AUTO_UPGRADE=\"1\"
  3028. #NO_TIMESTAMP=1
  3029. #OPENSSL_BIN=openssl
  3030. #USER_AGENT=\"$USER_AGENT\"
  3031. #USER_PATH=
  3032. " >"$ACCOUNT_CONF_PATH"
  3033. fi
  3034. }
  3035. # nocron
  3036. _precheck() {
  3037. _nocron="$1"
  3038. if ! _exists "curl" && ! _exists "wget"; then
  3039. _err "Please install curl or wget first, we need to access http resources."
  3040. return 1
  3041. fi
  3042. if [ -z "$_nocron" ]; then
  3043. if ! _exists "crontab"; then
  3044. _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
  3045. _err "We need to set cron job to renew the certs automatically."
  3046. _err "Otherwise, your certs will not be able to be renewed automatically."
  3047. if [ -z "$FORCE" ]; then
  3048. _err "Please add '--force' and try install again to go without crontab."
  3049. _err "./$PROJECT_ENTRY --install --force"
  3050. return 1
  3051. fi
  3052. fi
  3053. fi
  3054. if ! _exists "$OPENSSL_BIN"; then
  3055. _err "Please install openssl first."
  3056. _err "We need openssl to generate keys."
  3057. return 1
  3058. fi
  3059. if ! _exists "nc"; then
  3060. _err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
  3061. _err "We use nc for standalone server if you use standalone mode."
  3062. _err "If you don't use standalone mode, just ignore this warning."
  3063. fi
  3064. return 0
  3065. }
  3066. _setShebang() {
  3067. _file="$1"
  3068. _shebang="$2"
  3069. if [ -z "$_shebang" ]; then
  3070. _usage "Usage: file shebang"
  3071. return 1
  3072. fi
  3073. cp "$_file" "$_file.tmp"
  3074. echo "$_shebang" >"$_file"
  3075. sed -n 2,99999p "$_file.tmp" >>"$_file"
  3076. rm -f "$_file.tmp"
  3077. }
  3078. _installalias() {
  3079. _initpath
  3080. _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  3081. if [ "$_upgrading" ] && [ "$_upgrading" = "1" ]; then
  3082. echo "$(cat "$_envfile")" | sed "s|^LE_WORKING_DIR.*$||" >"$_envfile"
  3083. echo "$(cat "$_envfile")" | sed "s|^alias le.*$||" >"$_envfile"
  3084. echo "$(cat "$_envfile")" | sed "s|^alias le.sh.*$||" >"$_envfile"
  3085. fi
  3086. _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
  3087. _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  3088. _profile="$(_detect_profile)"
  3089. if [ "$_profile" ]; then
  3090. _debug "Found profile: $_profile"
  3091. _info "Installing alias to '$_profile'"
  3092. _setopt "$_profile" ". \"$_envfile\""
  3093. _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
  3094. else
  3095. _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
  3096. fi
  3097. #for csh
  3098. _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
  3099. _csh_profile="$HOME/.cshrc"
  3100. if [ -f "$_csh_profile" ]; then
  3101. _info "Installing alias to '$_csh_profile'"
  3102. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  3103. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  3104. _setopt "$_csh_profile" "source \"$_cshfile\""
  3105. fi
  3106. #for tcsh
  3107. _tcsh_profile="$HOME/.tcshrc"
  3108. if [ -f "$_tcsh_profile" ]; then
  3109. _info "Installing alias to '$_tcsh_profile'"
  3110. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  3111. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  3112. _setopt "$_tcsh_profile" "source \"$_cshfile\""
  3113. fi
  3114. }
  3115. # nocron
  3116. install() {
  3117. if [ -z "$LE_WORKING_DIR" ]; then
  3118. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  3119. fi
  3120. _nocron="$1"
  3121. if ! _initpath; then
  3122. _err "Install failed."
  3123. return 1
  3124. fi
  3125. if [ "$_nocron" ]; then
  3126. _debug "Skip install cron job"
  3127. fi
  3128. if ! _precheck "$_nocron"; then
  3129. _err "Pre-check failed, can not install."
  3130. return 1
  3131. fi
  3132. #convert from le
  3133. if [ -d "$HOME/.le" ]; then
  3134. for envfile in "le.env" "le.sh.env"; do
  3135. if [ -f "$HOME/.le/$envfile" ]; then
  3136. if grep "le.sh" "$HOME/.le/$envfile" >/dev/null; then
  3137. _upgrading="1"
  3138. _info "You are upgrading from le.sh"
  3139. _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
  3140. mv "$HOME/.le" "$LE_WORKING_DIR"
  3141. mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  3142. break
  3143. fi
  3144. fi
  3145. done
  3146. fi
  3147. _info "Installing to $LE_WORKING_DIR"
  3148. if ! mkdir -p "$LE_WORKING_DIR"; then
  3149. _err "Can not create working dir: $LE_WORKING_DIR"
  3150. return 1
  3151. fi
  3152. chmod 700 "$LE_WORKING_DIR"
  3153. cp "$PROJECT_ENTRY" "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
  3154. if [ "$?" != "0" ]; then
  3155. _err "Install failed, can not copy $PROJECT_ENTRY"
  3156. return 1
  3157. fi
  3158. _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
  3159. _installalias
  3160. for subf in $_SUB_FOLDERS; do
  3161. if [ -d "$subf" ]; then
  3162. mkdir -p "$LE_WORKING_DIR/$subf"
  3163. cp "$subf"/* "$LE_WORKING_DIR"/"$subf"/
  3164. fi
  3165. done
  3166. if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
  3167. _initconf
  3168. fi
  3169. if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ]; then
  3170. _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
  3171. fi
  3172. if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ]; then
  3173. _saveaccountconf "CERT_HOME" "$CERT_HOME"
  3174. fi
  3175. if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ]; then
  3176. _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
  3177. fi
  3178. if [ -z "$_nocron" ]; then
  3179. installcronjob
  3180. fi
  3181. if [ -z "$NO_DETECT_SH" ]; then
  3182. #Modify shebang
  3183. if _exists bash; then
  3184. _info "Good, bash is found, so change the shebang to use bash as preferred."
  3185. _shebang='#!/usr/bin/env bash'
  3186. _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
  3187. for subf in $_SUB_FOLDERS; do
  3188. if [ -d "$LE_WORKING_DIR/$subf" ]; then
  3189. for _apifile in "$LE_WORKING_DIR/$subf/"*.sh; do
  3190. _setShebang "$_apifile" "$_shebang"
  3191. done
  3192. fi
  3193. done
  3194. fi
  3195. fi
  3196. _info OK
  3197. }
  3198. # nocron
  3199. uninstall() {
  3200. _nocron="$1"
  3201. if [ -z "$_nocron" ]; then
  3202. uninstallcronjob
  3203. fi
  3204. _initpath
  3205. _uninstallalias
  3206. rm -f "$LE_WORKING_DIR/$PROJECT_ENTRY"
  3207. _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself."
  3208. }
  3209. _uninstallalias() {
  3210. _initpath
  3211. _profile="$(_detect_profile)"
  3212. if [ "$_profile" ]; then
  3213. _info "Uninstalling alias from: '$_profile'"
  3214. text="$(cat "$_profile")"
  3215. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" >"$_profile"
  3216. fi
  3217. _csh_profile="$HOME/.cshrc"
  3218. if [ -f "$_csh_profile" ]; then
  3219. _info "Uninstalling alias from: '$_csh_profile'"
  3220. text="$(cat "$_csh_profile")"
  3221. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_csh_profile"
  3222. fi
  3223. _tcsh_profile="$HOME/.tcshrc"
  3224. if [ -f "$_tcsh_profile" ]; then
  3225. _info "Uninstalling alias from: '$_csh_profile'"
  3226. text="$(cat "$_tcsh_profile")"
  3227. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_tcsh_profile"
  3228. fi
  3229. }
  3230. cron() {
  3231. IN_CRON=1
  3232. _initpath
  3233. if [ "$AUTO_UPGRADE" = "1" ]; then
  3234. export LE_WORKING_DIR
  3235. (
  3236. if ! upgrade; then
  3237. _err "Cron:Upgrade failed!"
  3238. return 1
  3239. fi
  3240. )
  3241. . "$LE_WORKING_DIR/$PROJECT_ENTRY" >/dev/null
  3242. if [ -t 1 ]; then
  3243. __INTERACTIVE="1"
  3244. fi
  3245. _info "Auto upgraded to: $VER"
  3246. fi
  3247. renewAll
  3248. _ret="$?"
  3249. IN_CRON=""
  3250. exit $_ret
  3251. }
  3252. version() {
  3253. echo "$PROJECT"
  3254. echo "v$VER"
  3255. }
  3256. showhelp() {
  3257. _initpath
  3258. version
  3259. echo "Usage: $PROJECT_ENTRY command ...[parameters]....
  3260. Commands:
  3261. --help, -h Show this help message.
  3262. --version, -v Show version info.
  3263. --install Install $PROJECT_NAME to your system.
  3264. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
  3265. --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT .
  3266. --issue Issue a cert.
  3267. --signcsr Issue a cert from an existing csr.
  3268. --deploy Deploy the cert to your server.
  3269. --installcert Install the issued cert to apache/nginx or any other server.
  3270. --renew, -r Renew a cert.
  3271. --renewAll Renew all the certs.
  3272. --revoke Revoke a cert.
  3273. --list List all the certs.
  3274. --showcsr Show the content of a csr.
  3275. --installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  3276. --uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
  3277. --cron Run cron job to renew all the certs.
  3278. --toPkcs Export the certificate and key to a pfx file.
  3279. --updateaccount Update account info.
  3280. --registeraccount Register account key.
  3281. --createAccountKey, -cak Create an account private key, professional use.
  3282. --createDomainKey, -cdk Create an domain private key, professional use.
  3283. --createCSR, -ccsr Create CSR , professional use.
  3284. --deactivate Deactivate the domain authz, professional use.
  3285. Parameters:
  3286. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
  3287. --force, -f Used to force to install or force to renew a cert immediately.
  3288. --staging, --test Use staging server, just for test.
  3289. --debug Output debug info.
  3290. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
  3291. --standalone Use standalone mode.
  3292. --tls Use standalone tls mode.
  3293. --apache Use apache mode.
  3294. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
  3295. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  3296. --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  3297. --accountkeylength, -ak [2048] Specifies the account key length.
  3298. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  3299. --log-level 1|2 Specifies the log level, default is 1.
  3300. These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
  3301. --certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
  3302. --keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
  3303. --capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
  3304. --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
  3305. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  3306. --accountconf Specifies a customized account config file.
  3307. --home Specifies the home dir for $PROJECT_NAME .
  3308. --certhome Specifies the home dir to save all the certs, only valid for '--install' command.
  3309. --useragent Specifies the user agent string. it will be saved for future use too.
  3310. --accountemail Specifies the account email for registering, Only valid for the '--install' command.
  3311. --accountkey Specifies the account key path, Only valid for the '--install' command.
  3312. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
  3313. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  3314. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  3315. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  3316. --listraw Only used for '--list' command, list the certs in raw format.
  3317. --stopRenewOnError, -se Only valid for '--renewall' command. Stop if one cert has error in renewal.
  3318. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  3319. --ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
  3320. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  3321. --ecc Specifies to use the ECC cert. Valid for '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  3322. --csr Specifies the input csr.
  3323. --pre-hook Command to be run before obtaining any certificates.
  3324. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed.
  3325. --renew-hook Command to be run once for each successfully renewed certificate.
  3326. --deploy-hook The hook file to deploy cert
  3327. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
  3328. --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  3329. --listen-v4 Force standalone/tls server to listen at ipv4.
  3330. --listen-v6 Force standalone/tls server to listen at ipv6.
  3331. --openssl-bin Specifies a custom openssl bin location.
  3332. "
  3333. }
  3334. # nocron
  3335. _installOnline() {
  3336. _info "Installing from online archive."
  3337. _nocron="$1"
  3338. if [ ! "$BRANCH" ]; then
  3339. BRANCH="master"
  3340. fi
  3341. target="$PROJECT/archive/$BRANCH.tar.gz"
  3342. _info "Downloading $target"
  3343. localname="$BRANCH.tar.gz"
  3344. if ! _get "$target" >$localname; then
  3345. _err "Download error."
  3346. return 1
  3347. fi
  3348. (
  3349. _info "Extracting $localname"
  3350. tar xzf $localname
  3351. cd "$PROJECT_NAME-$BRANCH"
  3352. chmod +x $PROJECT_ENTRY
  3353. if ./$PROJECT_ENTRY install "$_nocron"; then
  3354. _info "Install success!"
  3355. fi
  3356. cd ..
  3357. rm -rf "$PROJECT_NAME-$BRANCH"
  3358. rm -f "$localname"
  3359. )
  3360. }
  3361. upgrade() {
  3362. if (
  3363. _initpath
  3364. export LE_WORKING_DIR
  3365. cd "$LE_WORKING_DIR"
  3366. _installOnline "nocron"
  3367. ); then
  3368. _info "Upgrade success!"
  3369. exit 0
  3370. else
  3371. _err "Upgrade failed!"
  3372. exit 1
  3373. fi
  3374. }
  3375. _processAccountConf() {
  3376. if [ "$_useragent" ]; then
  3377. _saveaccountconf "USER_AGENT" "$_useragent"
  3378. elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ]; then
  3379. _saveaccountconf "USER_AGENT" "$USER_AGENT"
  3380. fi
  3381. if [ "$_accountemail" ]; then
  3382. _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  3383. elif [ "$ACCOUNT_EMAIL" ] && [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ]; then
  3384. _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
  3385. fi
  3386. if [ "$_openssl_bin" ]; then
  3387. _saveaccountconf "OPENSSL_BIN" "$_openssl_bin"
  3388. elif [ "$OPENSSL_BIN" ] && [ "$OPENSSL_BIN" != "$DEFAULT_OPENSSL_BIN" ]; then
  3389. _saveaccountconf "OPENSSL_BIN" "$OPENSSL_BIN"
  3390. fi
  3391. if [ "$_auto_upgrade" ]; then
  3392. _saveaccountconf "AUTO_UPGRADE" "$_auto_upgrade"
  3393. elif [ "$AUTO_UPGRADE" ]; then
  3394. _saveaccountconf "AUTO_UPGRADE" "$AUTO_UPGRADE"
  3395. fi
  3396. }
  3397. _process() {
  3398. _CMD=""
  3399. _domain=""
  3400. _altdomains="$NO_VALUE"
  3401. _webroot=""
  3402. _keylength=""
  3403. _accountkeylength=""
  3404. _certpath=""
  3405. _keypath=""
  3406. _capath=""
  3407. _fullchainpath=""
  3408. _reloadcmd=""
  3409. _password=""
  3410. _accountconf=""
  3411. _useragent=""
  3412. _accountemail=""
  3413. _accountkey=""
  3414. _certhome=""
  3415. _httpport=""
  3416. _tlsport=""
  3417. _dnssleep=""
  3418. _listraw=""
  3419. _stopRenewOnError=""
  3420. #_insecure=""
  3421. _ca_bundle=""
  3422. _nocron=""
  3423. _ecc=""
  3424. _csr=""
  3425. _pre_hook=""
  3426. _post_hook=""
  3427. _renew_hook=""
  3428. _deploy_hook=""
  3429. _logfile=""
  3430. _log=""
  3431. _local_address=""
  3432. _log_level=""
  3433. _auto_upgrade=""
  3434. _listen_v4=""
  3435. _listen_v6=""
  3436. _openssl_bin=""
  3437. while [ ${#} -gt 0 ]; do
  3438. case "${1}" in
  3439. --help | -h)
  3440. showhelp
  3441. return
  3442. ;;
  3443. --version | -v)
  3444. version
  3445. return
  3446. ;;
  3447. --install)
  3448. _CMD="install"
  3449. ;;
  3450. --uninstall)
  3451. _CMD="uninstall"
  3452. ;;
  3453. --upgrade)
  3454. _CMD="upgrade"
  3455. ;;
  3456. --issue)
  3457. _CMD="issue"
  3458. ;;
  3459. --deploy)
  3460. _CMD="deploy"
  3461. ;;
  3462. --signcsr)
  3463. _CMD="signcsr"
  3464. ;;
  3465. --showcsr)
  3466. _CMD="showcsr"
  3467. ;;
  3468. --installcert | -i)
  3469. _CMD="installcert"
  3470. ;;
  3471. --renew | -r)
  3472. _CMD="renew"
  3473. ;;
  3474. --renewAll | --renewall)
  3475. _CMD="renewAll"
  3476. ;;
  3477. --revoke)
  3478. _CMD="revoke"
  3479. ;;
  3480. --list)
  3481. _CMD="list"
  3482. ;;
  3483. --installcronjob)
  3484. _CMD="installcronjob"
  3485. ;;
  3486. --uninstallcronjob)
  3487. _CMD="uninstallcronjob"
  3488. ;;
  3489. --cron)
  3490. _CMD="cron"
  3491. ;;
  3492. --toPkcs)
  3493. _CMD="toPkcs"
  3494. ;;
  3495. --createAccountKey | --createaccountkey | -cak)
  3496. _CMD="createAccountKey"
  3497. ;;
  3498. --createDomainKey | --createdomainkey | -cdk)
  3499. _CMD="createDomainKey"
  3500. ;;
  3501. --createCSR | --createcsr | -ccr)
  3502. _CMD="createCSR"
  3503. ;;
  3504. --deactivate)
  3505. _CMD="deactivate"
  3506. ;;
  3507. --updateaccount)
  3508. _CMD="updateaccount"
  3509. ;;
  3510. --registeraccount)
  3511. _CMD="registeraccount"
  3512. ;;
  3513. --domain | -d)
  3514. _dvalue="$2"
  3515. if [ "$_dvalue" ]; then
  3516. if _startswith "$_dvalue" "-"; then
  3517. _err "'$_dvalue' is not a valid domain for parameter '$1'"
  3518. return 1
  3519. fi
  3520. if _is_idn "$_dvalue" && ! _exists idn; then
  3521. _err "It seems that $_dvalue is an IDN( Internationalized Domain Names), please install 'idn' command first."
  3522. return 1
  3523. fi
  3524. if [ -z "$_domain" ]; then
  3525. _domain="$_dvalue"
  3526. else
  3527. if [ "$_altdomains" = "$NO_VALUE" ]; then
  3528. _altdomains="$_dvalue"
  3529. else
  3530. _altdomains="$_altdomains,$_dvalue"
  3531. fi
  3532. fi
  3533. fi
  3534. shift
  3535. ;;
  3536. --force | -f)
  3537. FORCE="1"
  3538. ;;
  3539. --staging | --test)
  3540. STAGE="1"
  3541. ;;
  3542. --debug)
  3543. if [ -z "$2" ] || _startswith "$2" "-"; then
  3544. DEBUG="1"
  3545. else
  3546. DEBUG="$2"
  3547. shift
  3548. fi
  3549. ;;
  3550. --webroot | -w)
  3551. wvalue="$2"
  3552. if [ -z "$_webroot" ]; then
  3553. _webroot="$wvalue"
  3554. else
  3555. _webroot="$_webroot,$wvalue"
  3556. fi
  3557. shift
  3558. ;;
  3559. --standalone)
  3560. wvalue="$NO_VALUE"
  3561. if [ -z "$_webroot" ]; then
  3562. _webroot="$wvalue"
  3563. else
  3564. _webroot="$_webroot,$wvalue"
  3565. fi
  3566. ;;
  3567. --local-address)
  3568. lvalue="$2"
  3569. _local_address="$_local_address$lvalue,"
  3570. shift
  3571. ;;
  3572. --apache)
  3573. wvalue="apache"
  3574. if [ -z "$_webroot" ]; then
  3575. _webroot="$wvalue"
  3576. else
  3577. _webroot="$_webroot,$wvalue"
  3578. fi
  3579. ;;
  3580. --tls)
  3581. wvalue="$W_TLS"
  3582. if [ -z "$_webroot" ]; then
  3583. _webroot="$wvalue"
  3584. else
  3585. _webroot="$_webroot,$wvalue"
  3586. fi
  3587. ;;
  3588. --dns)
  3589. wvalue="dns"
  3590. if ! _startswith "$2" "-"; then
  3591. wvalue="$2"
  3592. shift
  3593. fi
  3594. if [ -z "$_webroot" ]; then
  3595. _webroot="$wvalue"
  3596. else
  3597. _webroot="$_webroot,$wvalue"
  3598. fi
  3599. ;;
  3600. --dnssleep)
  3601. _dnssleep="$2"
  3602. Le_DNSSleep="$_dnssleep"
  3603. shift
  3604. ;;
  3605. --keylength | -k)
  3606. _keylength="$2"
  3607. shift
  3608. ;;
  3609. --accountkeylength | -ak)
  3610. _accountkeylength="$2"
  3611. shift
  3612. ;;
  3613. --certpath)
  3614. _certpath="$2"
  3615. shift
  3616. ;;
  3617. --keypath)
  3618. _keypath="$2"
  3619. shift
  3620. ;;
  3621. --capath)
  3622. _capath="$2"
  3623. shift
  3624. ;;
  3625. --fullchainpath)
  3626. _fullchainpath="$2"
  3627. shift
  3628. ;;
  3629. --reloadcmd | --reloadCmd)
  3630. _reloadcmd="$2"
  3631. shift
  3632. ;;
  3633. --password)
  3634. _password="$2"
  3635. shift
  3636. ;;
  3637. --accountconf)
  3638. _accountconf="$2"
  3639. ACCOUNT_CONF_PATH="$_accountconf"
  3640. shift
  3641. ;;
  3642. --home)
  3643. LE_WORKING_DIR="$2"
  3644. shift
  3645. ;;
  3646. --certhome)
  3647. _certhome="$2"
  3648. CERT_HOME="$_certhome"
  3649. shift
  3650. ;;
  3651. --useragent)
  3652. _useragent="$2"
  3653. USER_AGENT="$_useragent"
  3654. shift
  3655. ;;
  3656. --accountemail)
  3657. _accountemail="$2"
  3658. ACCOUNT_EMAIL="$_accountemail"
  3659. shift
  3660. ;;
  3661. --accountkey)
  3662. _accountkey="$2"
  3663. ACCOUNT_KEY_PATH="$_accountkey"
  3664. shift
  3665. ;;
  3666. --days)
  3667. _days="$2"
  3668. Le_RenewalDays="$_days"
  3669. shift
  3670. ;;
  3671. --httpport)
  3672. _httpport="$2"
  3673. Le_HTTPPort="$_httpport"
  3674. shift
  3675. ;;
  3676. --tlsport)
  3677. _tlsport="$2"
  3678. Le_TLSPort="$_tlsport"
  3679. shift
  3680. ;;
  3681. --listraw)
  3682. _listraw="raw"
  3683. ;;
  3684. --stopRenewOnError | --stoprenewonerror | -se)
  3685. _stopRenewOnError="1"
  3686. ;;
  3687. --insecure)
  3688. #_insecure="1"
  3689. HTTPS_INSECURE="1"
  3690. ;;
  3691. --ca-bundle)
  3692. _ca_bundle="$(readlink -f "$2")"
  3693. CA_BUNDLE="$_ca_bundle"
  3694. shift
  3695. ;;
  3696. --nocron)
  3697. _nocron="1"
  3698. ;;
  3699. --ecc)
  3700. _ecc="isEcc"
  3701. ;;
  3702. --csr)
  3703. _csr="$2"
  3704. shift
  3705. ;;
  3706. --pre-hook)
  3707. _pre_hook="$2"
  3708. shift
  3709. ;;
  3710. --post-hook)
  3711. _post_hook="$2"
  3712. shift
  3713. ;;
  3714. --renew-hook)
  3715. _renew_hook="$2"
  3716. shift
  3717. ;;
  3718. --deploy-hook)
  3719. _deploy_hook="$2"
  3720. shift
  3721. ;;
  3722. --ocsp-must-staple | --ocsp)
  3723. Le_OCSP_Stable="1"
  3724. ;;
  3725. --log | --logfile)
  3726. _log="1"
  3727. _logfile="$2"
  3728. if _startswith "$_logfile" '-'; then
  3729. _logfile=""
  3730. else
  3731. shift
  3732. fi
  3733. LOG_FILE="$_logfile"
  3734. if [ -z "$LOG_LEVEL" ]; then
  3735. LOG_LEVEL="$DEFAULT_LOG_LEVEL"
  3736. fi
  3737. ;;
  3738. --log-level)
  3739. _log_level="$2"
  3740. LOG_LEVEL="$_log_level"
  3741. shift
  3742. ;;
  3743. --auto-upgrade)
  3744. _auto_upgrade="$2"
  3745. if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then
  3746. _auto_upgrade="1"
  3747. else
  3748. shift
  3749. fi
  3750. AUTO_UPGRADE="$_auto_upgrade"
  3751. ;;
  3752. --listen-v4)
  3753. _listen_v4="1"
  3754. Le_Listen_V4="$_listen_v4"
  3755. ;;
  3756. --listen-v6)
  3757. _listen_v6="1"
  3758. Le_Listen_V6="$_listen_v6"
  3759. ;;
  3760. --openssl-bin)
  3761. _openssl_bin="$2"
  3762. OPENSSL_BIN="$_openssl_bin"
  3763. ;;
  3764. *)
  3765. _err "Unknown parameter : $1"
  3766. return 1
  3767. ;;
  3768. esac
  3769. shift 1
  3770. done
  3771. if [ "${_CMD}" != "install" ]; then
  3772. __initHome
  3773. if [ "$_log" ]; then
  3774. if [ -z "$_logfile" ]; then
  3775. _logfile="$DEFAULT_LOG_FILE"
  3776. fi
  3777. fi
  3778. if [ "$_logfile" ]; then
  3779. _saveaccountconf "LOG_FILE" "$_logfile"
  3780. LOG_FILE="$_logfile"
  3781. fi
  3782. if [ "$_log_level" ]; then
  3783. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3784. LOG_LEVEL="$_log_level"
  3785. fi
  3786. _processAccountConf
  3787. fi
  3788. _debug2 LE_WORKING_DIR "$LE_WORKING_DIR"
  3789. if [ "$DEBUG" ]; then
  3790. version
  3791. fi
  3792. case "${_CMD}" in
  3793. install) install "$_nocron" ;;
  3794. uninstall) uninstall "$_nocron" ;;
  3795. upgrade) upgrade ;;
  3796. issue)
  3797. issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
  3798. ;;
  3799. deploy)
  3800. deploy "$_domain" "$_deploy_hook" "$_ecc"
  3801. ;;
  3802. signcsr)
  3803. signcsr "$_csr" "$_webroot"
  3804. ;;
  3805. showcsr)
  3806. showcsr "$_csr" "$_domain"
  3807. ;;
  3808. installcert)
  3809. installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
  3810. ;;
  3811. renew)
  3812. renew "$_domain" "$_ecc"
  3813. ;;
  3814. renewAll)
  3815. renewAll "$_stopRenewOnError"
  3816. ;;
  3817. revoke)
  3818. revoke "$_domain" "$_ecc"
  3819. ;;
  3820. deactivate)
  3821. deactivate "$_domain,$_altdomains"
  3822. ;;
  3823. registeraccount)
  3824. registeraccount "$_accountkeylength"
  3825. ;;
  3826. updateaccount)
  3827. updateaccount
  3828. ;;
  3829. list)
  3830. list "$_listraw"
  3831. ;;
  3832. installcronjob) installcronjob ;;
  3833. uninstallcronjob) uninstallcronjob ;;
  3834. cron) cron ;;
  3835. toPkcs)
  3836. toPkcs "$_domain" "$_password" "$_ecc"
  3837. ;;
  3838. createAccountKey)
  3839. createAccountKey "$_accountkeylength"
  3840. ;;
  3841. createDomainKey)
  3842. createDomainKey "$_domain" "$_keylength"
  3843. ;;
  3844. createCSR)
  3845. createCSR "$_domain" "$_altdomains" "$_ecc"
  3846. ;;
  3847. *)
  3848. _err "Invalid command: $_CMD"
  3849. showhelp
  3850. return 1
  3851. ;;
  3852. esac
  3853. _ret="$?"
  3854. if [ "$_ret" != "0" ]; then
  3855. return $_ret
  3856. fi
  3857. if [ "${_CMD}" = "install" ]; then
  3858. if [ "$_log" ]; then
  3859. if [ -z "$LOG_FILE" ]; then
  3860. LOG_FILE="$DEFAULT_LOG_FILE"
  3861. fi
  3862. _saveaccountconf "LOG_FILE" "$LOG_FILE"
  3863. fi
  3864. if [ "$_log_level" ]; then
  3865. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3866. fi
  3867. _processAccountConf
  3868. fi
  3869. }
  3870. if [ "$INSTALLONLINE" ]; then
  3871. INSTALLONLINE=""
  3872. _installOnline $BRANCH
  3873. exit
  3874. fi
  3875. main() {
  3876. [ -z "$1" ] && showhelp && return
  3877. if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
  3878. }
  3879. main "$@"