You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

4532 lines
112 KiB

9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. VER=2.6.5
  3. PROJECT_NAME="acme.sh"
  4. PROJECT_ENTRY="acme.sh"
  5. PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
  6. DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
  7. _SCRIPT_="$0"
  8. _SUB_FOLDERS="dnsapi deploy"
  9. DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
  10. DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  11. DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
  12. DEFAULT_ACCOUNT_EMAIL=""
  13. DEFAULT_ACCOUNT_KEY_LENGTH=2048
  14. DEFAULT_DOMAIN_KEY_LENGTH=2048
  15. STAGE_CA="https://acme-staging.api.letsencrypt.org"
  16. VTYPE_HTTP="http-01"
  17. VTYPE_DNS="dns-01"
  18. VTYPE_TLS="tls-sni-01"
  19. #VTYPE_TLS2="tls-sni-02"
  20. LOCAL_ANY_ADDRESS="0.0.0.0"
  21. MAX_RENEW=60
  22. DEFAULT_DNS_SLEEP=120
  23. NO_VALUE="no"
  24. W_TLS="tls"
  25. STATE_VERIFIED="verified_ok"
  26. BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
  27. END_CSR="-----END CERTIFICATE REQUEST-----"
  28. BEGIN_CERT="-----BEGIN CERTIFICATE-----"
  29. END_CERT="-----END CERTIFICATE-----"
  30. RENEW_SKIP=2
  31. ECC_SEP="_"
  32. ECC_SUFFIX="${ECC_SEP}ecc"
  33. LOG_LEVEL_1=1
  34. LOG_LEVEL_2=2
  35. LOG_LEVEL_3=3
  36. DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
  37. _DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
  38. __INTERACTIVE=""
  39. if [ -t 1 ]; then
  40. __INTERACTIVE="1"
  41. fi
  42. __green() {
  43. if [ "$__INTERACTIVE" ]; then
  44. printf '\033[1;31;32m'
  45. fi
  46. printf -- "$1"
  47. if [ "$__INTERACTIVE" ]; then
  48. printf '\033[0m'
  49. fi
  50. }
  51. __red() {
  52. if [ "$__INTERACTIVE" ]; then
  53. printf '\033[1;31;40m'
  54. fi
  55. printf -- "$1"
  56. if [ "$__INTERACTIVE" ]; then
  57. printf '\033[0m'
  58. fi
  59. }
  60. _printargs() {
  61. if [ -z "$2" ]; then
  62. printf -- "[$(date)] $1"
  63. else
  64. printf -- "[$(date)] $1='$2'"
  65. fi
  66. printf "\n"
  67. }
  68. _dlg_versions() {
  69. echo "Diagnosis versions: "
  70. echo "openssl:"
  71. if _exists openssl; then
  72. openssl version 2>&1
  73. else
  74. echo "openssl doesn't exists."
  75. fi
  76. echo "apache:"
  77. if [ "$_APACHECTL" ] && _exists "$_APACHECTL"; then
  78. _APACHECTL -V 2>&1
  79. else
  80. echo "apache doesn't exists."
  81. fi
  82. echo "nc:"
  83. if _exists "nc"; then
  84. nc -h 2>&1
  85. else
  86. _debug "nc doesn't exists."
  87. fi
  88. }
  89. _log() {
  90. [ -z "$LOG_FILE" ] && return
  91. _printargs "$@" >>"$LOG_FILE"
  92. }
  93. _info() {
  94. _log "$@"
  95. _printargs "$@"
  96. }
  97. _err() {
  98. _log "$@"
  99. printf -- "[$(date)] " >&2
  100. if [ -z "$2" ]; then
  101. __red "$1" >&2
  102. else
  103. __red "$1='$2'" >&2
  104. fi
  105. printf "\n" >&2
  106. return 1
  107. }
  108. _usage() {
  109. __red "$@" >&2
  110. printf "\n" >&2
  111. }
  112. _debug() {
  113. if [ -z "$LOG_LEVEL" ] || [ "$LOG_LEVEL" -ge "$LOG_LEVEL_1" ]; then
  114. _log "$@"
  115. fi
  116. if [ -z "$DEBUG" ]; then
  117. return
  118. fi
  119. _printargs "$@" >&2
  120. }
  121. _debug2() {
  122. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_2" ]; then
  123. _log "$@"
  124. fi
  125. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  126. _debug "$@"
  127. fi
  128. }
  129. _debug3() {
  130. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_3" ]; then
  131. _log "$@"
  132. fi
  133. if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ]; then
  134. _debug "$@"
  135. fi
  136. }
  137. _startswith() {
  138. _str="$1"
  139. _sub="$2"
  140. echo "$_str" | grep "^$_sub" >/dev/null 2>&1
  141. }
  142. _endswith() {
  143. _str="$1"
  144. _sub="$2"
  145. echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
  146. }
  147. _contains() {
  148. _str="$1"
  149. _sub="$2"
  150. echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
  151. }
  152. _hasfield() {
  153. _str="$1"
  154. _field="$2"
  155. _sep="$3"
  156. if [ -z "$_field" ]; then
  157. _usage "Usage: str field [sep]"
  158. return 1
  159. fi
  160. if [ -z "$_sep" ]; then
  161. _sep=","
  162. fi
  163. for f in $(echo "$_str" | tr ',' ' '); do
  164. if [ "$f" = "$_field" ]; then
  165. _debug2 "'$_str' contains '$_field'"
  166. return 0 #contains ok
  167. fi
  168. done
  169. _debug2 "'$_str' does not contain '$_field'"
  170. return 1 #not contains
  171. }
  172. _getfield() {
  173. _str="$1"
  174. _findex="$2"
  175. _sep="$3"
  176. if [ -z "$_findex" ]; then
  177. _usage "Usage: str field [sep]"
  178. return 1
  179. fi
  180. if [ -z "$_sep" ]; then
  181. _sep=","
  182. fi
  183. _ffi="$_findex"
  184. while [ "$_ffi" -gt "0" ]; do
  185. _fv="$(echo "$_str" | cut -d "$_sep" -f "$_ffi")"
  186. if [ "$_fv" ]; then
  187. printf -- "%s" "$_fv"
  188. return 0
  189. fi
  190. _ffi="$(_math "$_ffi" - 1)"
  191. done
  192. printf -- "%s" "$_str"
  193. }
  194. _exists() {
  195. cmd="$1"
  196. if [ -z "$cmd" ]; then
  197. _usage "Usage: _exists cmd"
  198. return 1
  199. fi
  200. if command >/dev/null 2>&1; then
  201. command -v "$cmd" >/dev/null 2>&1
  202. elif which >/dev/null 2>&1; then
  203. which "$cmd" >/dev/null 2>&1
  204. fi
  205. ret="$?"
  206. _debug3 "$cmd exists=$ret"
  207. return $ret
  208. }
  209. #a + b
  210. _math() {
  211. _m_opts="$@"
  212. printf "%s" "$(($_m_opts))"
  213. }
  214. _h_char_2_dec() {
  215. _ch=$1
  216. case "${_ch}" in
  217. a | A)
  218. printf "10"
  219. ;;
  220. b | B)
  221. printf "11"
  222. ;;
  223. c | C)
  224. printf "12"
  225. ;;
  226. d | D)
  227. printf "13"
  228. ;;
  229. e | E)
  230. printf "14"
  231. ;;
  232. f | F)
  233. printf "15"
  234. ;;
  235. *)
  236. printf "%s" "$_ch"
  237. ;;
  238. esac
  239. }
  240. _URGLY_PRINTF=""
  241. if [ "$(printf '\x41')" != 'A' ]; then
  242. _URGLY_PRINTF=1
  243. fi
  244. _h2b() {
  245. hex=$(cat)
  246. i=1
  247. j=2
  248. _debug3 _URGLY_PRINTF "$_URGLY_PRINTF"
  249. while true; do
  250. if [ -z "$_URGLY_PRINTF" ]; then
  251. h="$(printf "%s" "$hex" | cut -c $i-$j)"
  252. if [ -z "$h" ]; then
  253. break
  254. fi
  255. printf "\x$h%s"
  256. else
  257. ic="$(printf "%s" "$hex" | cut -c $i)"
  258. jc="$(printf "%s" "$hex" | cut -c $j)"
  259. if [ -z "$ic$jc" ]; then
  260. break
  261. fi
  262. ic="$(_h_char_2_dec "$ic")"
  263. jc="$(_h_char_2_dec "$jc")"
  264. printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
  265. fi
  266. i="$(_math "$i" + 2)"
  267. j="$(_math "$j" + 2)"
  268. done
  269. }
  270. #options file
  271. _sed_i() {
  272. options="$1"
  273. filename="$2"
  274. if [ -z "$filename" ]; then
  275. _usage "Usage:_sed_i options filename"
  276. return 1
  277. fi
  278. _debug2 options "$options"
  279. if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
  280. _debug "Using sed -i"
  281. sed -i "$options" "$filename"
  282. else
  283. _debug "No -i support in sed"
  284. text="$(cat "$filename")"
  285. echo "$text" | sed "$options" >"$filename"
  286. fi
  287. }
  288. _egrep_o() {
  289. if _contains "$(egrep -o 2>&1)" "egrep: illegal option -- o"; then
  290. sed -n 's/.*\('"$1"'\).*/\1/p'
  291. else
  292. egrep -o "$1"
  293. fi
  294. }
  295. #Usage: file startline endline
  296. _getfile() {
  297. filename="$1"
  298. startline="$2"
  299. endline="$3"
  300. if [ -z "$endline" ]; then
  301. _usage "Usage: file startline endline"
  302. return 1
  303. fi
  304. i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
  305. if [ -z "$i" ]; then
  306. _err "Can not find start line: $startline"
  307. return 1
  308. fi
  309. i="$(_math "$i" + 1)"
  310. _debug i "$i"
  311. j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
  312. if [ -z "$j" ]; then
  313. _err "Can not find end line: $endline"
  314. return 1
  315. fi
  316. j="$(_math "$j" - 1)"
  317. _debug j "$j"
  318. sed -n "$i,${j}p" "$filename"
  319. }
  320. #Usage: multiline
  321. _base64() {
  322. if [ "$1" ]; then
  323. openssl base64 -e
  324. else
  325. openssl base64 -e | tr -d '\r\n'
  326. fi
  327. }
  328. #Usage: multiline
  329. _dbase64() {
  330. if [ "$1" ]; then
  331. openssl base64 -d -A
  332. else
  333. openssl base64 -d
  334. fi
  335. }
  336. #Usage: hashalg [outputhex]
  337. #Output Base64-encoded digest
  338. _digest() {
  339. alg="$1"
  340. if [ -z "$alg" ]; then
  341. _usage "Usage: _digest hashalg"
  342. return 1
  343. fi
  344. outputhex="$2"
  345. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
  346. if [ "$outputhex" ]; then
  347. openssl dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' '
  348. else
  349. openssl dgst -"$alg" -binary | _base64
  350. fi
  351. else
  352. _err "$alg is not supported yet"
  353. return 1
  354. fi
  355. }
  356. #Usage: hashalg secret [outputhex]
  357. #Output Base64-encoded hmac
  358. _hmac() {
  359. alg="$1"
  360. hmac_sec="$2"
  361. outputhex="$3"
  362. if [ -z "$hmac_sec" ]; then
  363. _usage "Usage: _hmac hashalg secret [outputhex]"
  364. return 1
  365. fi
  366. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
  367. if [ "$outputhex" ]; then
  368. openssl dgst -"$alg" -hmac "$hmac_sec" | cut -d = -f 2 | tr -d ' '
  369. else
  370. openssl dgst -"$alg" -hmac "$hmac_sec" -binary | _base64
  371. fi
  372. else
  373. _err "$alg is not supported yet"
  374. return 1
  375. fi
  376. }
  377. #Usage: keyfile hashalg
  378. #Output: Base64-encoded signature value
  379. _sign() {
  380. keyfile="$1"
  381. alg="$2"
  382. if [ -z "$alg" ]; then
  383. _usage "Usage: _sign keyfile hashalg"
  384. return 1
  385. fi
  386. _sign_openssl="openssl dgst -sign $keyfile "
  387. if [ "$alg" = "sha256" ]; then
  388. _sign_openssl="$_sign_openssl -$alg"
  389. else
  390. _err "$alg is not supported yet"
  391. return 1
  392. fi
  393. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  394. $_sign_openssl | _base64
  395. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  396. if ! _signedECText="$($_sign_openssl | openssl asn1parse -inform DER)"; then
  397. _err "Sign failed: $_sign_openssl"
  398. _err "Key file: $keyfile"
  399. _err "Key content:$(wc -l <"$keyfile") lises"
  400. return 1
  401. fi
  402. _debug3 "_signedECText" "$_signedECText"
  403. _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
  404. _debug3 "_ec_r" "$_ec_r"
  405. _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
  406. _debug3 "_ec_s" "$_ec_s"
  407. printf "%s" "$_ec_r$_ec_s" | _h2b | _base64
  408. else
  409. _err "Unknown key file format."
  410. return 1
  411. fi
  412. }
  413. #keylength
  414. _isEccKey() {
  415. _length="$1"
  416. if [ -z "$_length" ]; then
  417. return 1
  418. fi
  419. [ "$_length" != "1024" ] \
  420. && [ "$_length" != "2048" ] \
  421. && [ "$_length" != "3072" ] \
  422. && [ "$_length" != "4096" ] \
  423. && [ "$_length" != "8192" ]
  424. }
  425. # _createkey 2048|ec-256 file
  426. _createkey() {
  427. length="$1"
  428. f="$2"
  429. eccname="$length"
  430. if _startswith "$length" "ec-"; then
  431. length=$(printf "%s" "$length" | cut -d '-' -f 2-100)
  432. if [ "$length" = "256" ]; then
  433. eccname="prime256v1"
  434. fi
  435. if [ "$length" = "384" ]; then
  436. eccname="secp384r1"
  437. fi
  438. if [ "$length" = "521" ]; then
  439. eccname="secp521r1"
  440. fi
  441. fi
  442. if [ -z "$length" ]; then
  443. length=2048
  444. fi
  445. _debug "Use length $length"
  446. if _isEccKey "$length"; then
  447. _debug "Using ec name: $eccname"
  448. openssl ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
  449. else
  450. _debug "Using RSA: $length"
  451. openssl genrsa "$length" 2>/dev/null >"$f"
  452. fi
  453. if [ "$?" != "0" ]; then
  454. _err "Create key error."
  455. return 1
  456. fi
  457. }
  458. #domain
  459. _is_idn() {
  460. _is_idn_d="$1"
  461. _debug2 _is_idn_d "$_is_idn_d"
  462. _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '[0-9]' | tr -d '[a-z]' | tr -d '[A-Z]' | tr -d '.,-')
  463. _debug2 _idn_temp "$_idn_temp"
  464. [ "$_idn_temp" ]
  465. }
  466. #aa.com
  467. #aa.com,bb.com,cc.com
  468. _idn() {
  469. __idn_d="$1"
  470. if ! _is_idn "$__idn_d"; then
  471. printf "%s" "$__idn_d"
  472. return 0
  473. fi
  474. if _exists idn; then
  475. if _contains "$__idn_d" ','; then
  476. _i_first="1"
  477. for f in $(echo "$__idn_d" | tr ',' ' '); do
  478. [ -z "$f" ] && continue
  479. if [ -z "$_i_first" ]; then
  480. printf "%s" ","
  481. else
  482. _i_first=""
  483. fi
  484. idn --quiet "$f" | tr -d "\r\n"
  485. done
  486. else
  487. idn "$__idn_d" | tr -d "\r\n"
  488. fi
  489. else
  490. _err "Please install idn to process IDN names."
  491. fi
  492. }
  493. #_createcsr cn san_list keyfile csrfile conf
  494. _createcsr() {
  495. _debug _createcsr
  496. domain="$1"
  497. domainlist="$2"
  498. csrkey="$3"
  499. csr="$4"
  500. csrconf="$5"
  501. _debug2 domain "$domain"
  502. _debug2 domainlist "$domainlist"
  503. _debug2 csrkey "$csrkey"
  504. _debug2 csr "$csr"
  505. _debug2 csrconf "$csrconf"
  506. printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
  507. if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
  508. #single domain
  509. _info "Single domain" "$domain"
  510. else
  511. domainlist="$(_idn "$domainlist")"
  512. _debug2 domainlist "$domainlist"
  513. if _contains "$domainlist" ","; then
  514. alt="DNS:$(echo "$domainlist" | sed "s/,/,DNS:/g")"
  515. else
  516. alt="DNS:$domainlist"
  517. fi
  518. #multi
  519. _info "Multi domain" "$alt"
  520. printf -- "\nsubjectAltName=$alt" >>"$csrconf"
  521. fi
  522. if [ "$Le_OCSP_Stable" ]; then
  523. _savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable"
  524. printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
  525. fi
  526. _csr_cn="$(_idn "$domain")"
  527. _debug2 _csr_cn "$_csr_cn"
  528. openssl req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
  529. }
  530. #_signcsr key csr conf cert
  531. _signcsr() {
  532. key="$1"
  533. csr="$2"
  534. conf="$3"
  535. cert="$4"
  536. _debug "_signcsr"
  537. _msg="$(openssl x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
  538. _ret="$?"
  539. _debug "$_msg"
  540. return $_ret
  541. }
  542. #_csrfile
  543. _readSubjectFromCSR() {
  544. _csrfile="$1"
  545. if [ -z "$_csrfile" ]; then
  546. _usage "_readSubjectFromCSR mycsr.csr"
  547. return 1
  548. fi
  549. openssl req -noout -in "$_csrfile" -subject | _egrep_o "CN=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
  550. }
  551. #_csrfile
  552. #echo comma separated domain list
  553. _readSubjectAltNamesFromCSR() {
  554. _csrfile="$1"
  555. if [ -z "$_csrfile" ]; then
  556. _usage "_readSubjectAltNamesFromCSR mycsr.csr"
  557. return 1
  558. fi
  559. _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  560. _debug _csrsubj "$_csrsubj"
  561. _dnsAltnames="$(openssl req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  562. _debug _dnsAltnames "$_dnsAltnames"
  563. if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
  564. _debug "AltNames contains subject"
  565. _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
  566. else
  567. _debug "AltNames doesn't contain subject"
  568. fi
  569. printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
  570. }
  571. #_csrfile
  572. _readKeyLengthFromCSR() {
  573. _csrfile="$1"
  574. if [ -z "$_csrfile" ]; then
  575. _usage "_readKeyLengthFromCSR mycsr.csr"
  576. return 1
  577. fi
  578. _outcsr="$(openssl req -noout -text -in "$_csrfile")"
  579. if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then
  580. _debug "ECC CSR"
  581. echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
  582. else
  583. _debug "RSA CSR"
  584. echo "$_outcsr" | _egrep_o "^ *Public-Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
  585. fi
  586. }
  587. _ss() {
  588. _port="$1"
  589. if _exists "ss"; then
  590. _debug "Using: ss"
  591. ss -ntpl | grep ":$_port "
  592. return 0
  593. fi
  594. if _exists "netstat"; then
  595. _debug "Using: netstat"
  596. if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
  597. #for windows version netstat tool
  598. netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
  599. else
  600. if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then
  601. netstat -an -p tcp | grep LISTEN | grep ":$_port "
  602. elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then
  603. #for solaris
  604. netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
  605. else
  606. netstat -ntpl | grep ":$_port "
  607. fi
  608. fi
  609. return 0
  610. fi
  611. return 1
  612. }
  613. #domain [password] [isEcc]
  614. toPkcs() {
  615. domain="$1"
  616. pfxPassword="$2"
  617. if [ -z "$domain" ]; then
  618. _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
  619. return 1
  620. fi
  621. _isEcc="$3"
  622. _initpath "$domain" "$_isEcc"
  623. if [ "$pfxPassword" ]; then
  624. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
  625. else
  626. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
  627. fi
  628. if [ "$?" = "0" ]; then
  629. _info "Success, Pfx is exported to: $CERT_PFX_PATH"
  630. fi
  631. }
  632. #[2048]
  633. createAccountKey() {
  634. _info "Creating account key"
  635. if [ -z "$1" ]; then
  636. _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
  637. return
  638. fi
  639. length=$1
  640. _create_account_key "$length"
  641. }
  642. _create_account_key() {
  643. length=$1
  644. if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ]; then
  645. _debug "Use default length $DEFAULT_ACCOUNT_KEY_LENGTH"
  646. length="$DEFAULT_ACCOUNT_KEY_LENGTH"
  647. fi
  648. _debug length "$length"
  649. _initpath
  650. mkdir -p "$CA_DIR"
  651. if [ -f "$ACCOUNT_KEY_PATH" ]; then
  652. _info "Account key exists, skip"
  653. return
  654. else
  655. #generate account key
  656. _createkey "$length" "$ACCOUNT_KEY_PATH"
  657. fi
  658. }
  659. #domain [length]
  660. createDomainKey() {
  661. _info "Creating domain key"
  662. if [ -z "$1" ]; then
  663. _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
  664. return
  665. fi
  666. domain=$1
  667. length=$2
  668. if [ -z "$length" ]; then
  669. _debug "Use DEFAULT_DOMAIN_KEY_LENGTH=$DEFAULT_DOMAIN_KEY_LENGTH"
  670. length="$DEFAULT_DOMAIN_KEY_LENGTH"
  671. fi
  672. _initpath "$domain" "$length"
  673. if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]); then
  674. _createkey "$length" "$CERT_KEY_PATH"
  675. else
  676. if [ "$IS_RENEW" ]; then
  677. _info "Domain key exists, skip"
  678. return 0
  679. else
  680. _err "Domain key exists, do you want to overwrite the key?"
  681. _err "Add '--force', and try again."
  682. return 1
  683. fi
  684. fi
  685. }
  686. # domain domainlist isEcc
  687. createCSR() {
  688. _info "Creating csr"
  689. if [ -z "$1" ]; then
  690. _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
  691. return
  692. fi
  693. domain="$1"
  694. domainlist="$2"
  695. _isEcc="$3"
  696. _initpath "$domain" "$_isEcc"
  697. if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
  698. _info "CSR exists, skip"
  699. return
  700. fi
  701. if [ ! -f "$CERT_KEY_PATH" ]; then
  702. _err "The key file is not found: $CERT_KEY_PATH"
  703. _err "Please create the key file first."
  704. return 1
  705. fi
  706. _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
  707. }
  708. _urlencode() {
  709. tr '/+' '_-' | tr -d '= '
  710. }
  711. _time2str() {
  712. #BSD
  713. if date -u -d@"$1" 2>/dev/null; then
  714. return
  715. fi
  716. #Linux
  717. if date -u -r "$1" 2>/dev/null; then
  718. return
  719. fi
  720. #Soaris
  721. if _exists adb; then
  722. _t_s_a=$(echo "0t${1}=Y" | adb)
  723. echo "$_t_s_a"
  724. fi
  725. }
  726. _normalizeJson() {
  727. sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
  728. }
  729. _stat() {
  730. #Linux
  731. if stat -c '%U:%G' "$1" 2>/dev/null; then
  732. return
  733. fi
  734. #BSD
  735. if stat -f '%Su:%Sg' "$1" 2>/dev/null; then
  736. return
  737. fi
  738. return 1 #error, 'stat' not found
  739. }
  740. #keyfile
  741. _calcjwk() {
  742. keyfile="$1"
  743. if [ -z "$keyfile" ]; then
  744. _usage "Usage: _calcjwk keyfile"
  745. return 1
  746. fi
  747. if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ]; then
  748. _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE"
  749. return 0
  750. fi
  751. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  752. _debug "RSA key"
  753. pub_exp=$(openssl rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
  754. if [ "${#pub_exp}" = "5" ]; then
  755. pub_exp=0$pub_exp
  756. fi
  757. _debug3 pub_exp "$pub_exp"
  758. e=$(echo "$pub_exp" | _h2b | _base64)
  759. _debug3 e "$e"
  760. modulus=$(openssl rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2)
  761. _debug3 modulus "$modulus"
  762. n="$(printf "%s" "$modulus" | _h2b | _base64 | _urlencode)"
  763. jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
  764. _debug3 jwk "$jwk"
  765. JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}'
  766. JWK_HEADERPLACE_PART1='{"nonce": "'
  767. JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
  768. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  769. _debug "EC key"
  770. crv="$(openssl ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
  771. _debug3 crv "$crv"
  772. if [ -z "$crv" ]; then
  773. _debug "Let's try ASN1 OID"
  774. crv_oid="$(openssl ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")"
  775. _debug3 crv_oid "$crv_oid"
  776. case "${crv_oid}" in
  777. "prime256v1")
  778. crv="P-256"
  779. ;;
  780. "secp384r1")
  781. crv="P-384"
  782. ;;
  783. "secp521r1")
  784. crv="P-521"
  785. ;;
  786. *)
  787. _err "ECC oid : $crv_oid"
  788. return 1
  789. ;;
  790. esac
  791. _debug3 crv "$crv"
  792. fi
  793. pubi="$(openssl ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
  794. pubi=$(_math "$pubi" + 1)
  795. _debug3 pubi "$pubi"
  796. pubj="$(openssl ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
  797. pubj=$(_math "$pubj" - 1)
  798. _debug3 pubj "$pubj"
  799. pubtext="$(openssl ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
  800. _debug3 pubtext "$pubtext"
  801. xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)"
  802. xlen=$(_math "$xlen" / 4)
  803. _debug3 xlen "$xlen"
  804. xend=$(_math "$xlen" + 1)
  805. x="$(printf "%s" "$pubtext" | cut -d : -f 2-"$xend")"
  806. _debug3 x "$x"
  807. x64="$(printf "%s" "$x" | tr -d : | _h2b | _base64 | _urlencode)"
  808. _debug3 x64 "$x64"
  809. xend=$(_math "$xend" + 1)
  810. y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)"
  811. _debug3 y "$y"
  812. y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _urlencode)"
  813. _debug3 y64 "$y64"
  814. jwk='{"crv": "'$crv'", "kty": "EC", "x": "'$x64'", "y": "'$y64'"}'
  815. _debug3 jwk "$jwk"
  816. JWK_HEADER='{"alg": "ES256", "jwk": '$jwk'}'
  817. JWK_HEADERPLACE_PART1='{"nonce": "'
  818. JWK_HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}'
  819. else
  820. _err "Only RSA or EC key is supported."
  821. return 1
  822. fi
  823. _debug3 JWK_HEADER "$JWK_HEADER"
  824. __CACHED_JWK_KEY_FILE="$keyfile"
  825. }
  826. _time() {
  827. date -u "+%s"
  828. }
  829. _mktemp() {
  830. if _exists mktemp; then
  831. if mktemp 2>/dev/null; then
  832. return 0
  833. elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null; then
  834. #for Mac osx
  835. return 0
  836. fi
  837. fi
  838. if [ -d "/tmp" ]; then
  839. echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
  840. return 0
  841. elif [ "$LE_TEMP_DIR" ] && mkdir -p "$LE_TEMP_DIR"; then
  842. echo "/$LE_TEMP_DIR/wefADf24sf.$(_time).tmp"
  843. return 0
  844. fi
  845. _err "Can not create temp file."
  846. }
  847. _inithttp() {
  848. if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then
  849. HTTP_HEADER="$(_mktemp)"
  850. _debug2 HTTP_HEADER "$HTTP_HEADER"
  851. fi
  852. if [ "$__HTTP_INITIALIZED" ]; then
  853. if [ "$_ACME_CURL$_ACME_WGET" ]; then
  854. _debug2 "Http already initialized."
  855. return 0
  856. fi
  857. fi
  858. if [ -z "$_ACME_CURL" ] && _exists "curl"; then
  859. _ACME_CURL="curl -L --silent --dump-header $HTTP_HEADER "
  860. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  861. _CURL_DUMP="$(_mktemp)"
  862. _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
  863. fi
  864. if [ "$CA_BUNDLE" ]; then
  865. _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
  866. fi
  867. if [ "$HTTPS_INSECURE" ]; then
  868. _ACME_CURL="$_ACME_CURL --insecure "
  869. fi
  870. fi
  871. if [ -z "$_ACME_WGET" ] && _exists "wget"; then
  872. _ACME_WGET="wget -q"
  873. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  874. _ACME_WGET="$_ACME_WGET -d "
  875. fi
  876. if [ "$CA_BUNDLE" ]; then
  877. _ACME_WGET="$_ACME_WGET --ca-certificate $CA_BUNDLE "
  878. fi
  879. if [ "$HTTPS_INSECURE" ]; then
  880. _ACME_WGET="$_ACME_WGET --no-check-certificate "
  881. fi
  882. fi
  883. __HTTP_INITIALIZED=1
  884. }
  885. # body url [needbase64] [POST|PUT]
  886. _post() {
  887. body="$1"
  888. url="$2"
  889. needbase64="$3"
  890. httpmethod="$4"
  891. if [ -z "$httpmethod" ]; then
  892. httpmethod="POST"
  893. fi
  894. _debug $httpmethod
  895. _debug "url" "$url"
  896. _debug2 "body" "$body"
  897. _inithttp
  898. if [ "$_ACME_CURL" ]; then
  899. _CURL="$_ACME_CURL"
  900. _debug "_CURL" "$_CURL"
  901. if [ "$needbase64" ]; then
  902. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
  903. else
  904. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url")"
  905. fi
  906. _ret="$?"
  907. if [ "$_ret" != "0" ]; then
  908. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
  909. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  910. _err "Here is the curl dump log:"
  911. _err "$(cat "$_CURL_DUMP")"
  912. fi
  913. fi
  914. elif [ "$_ACME_WGET" ]; then
  915. _debug "_ACME_WGET" "$_ACME_WGET"
  916. if [ "$needbase64" ]; then
  917. if [ "$httpmethod" = "POST" ]; then
  918. response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  919. else
  920. response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  921. fi
  922. else
  923. if [ "$httpmethod" = "POST" ]; then
  924. response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
  925. else
  926. response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
  927. fi
  928. fi
  929. _ret="$?"
  930. if [ "$_ret" = "8" ]; then
  931. _ret=0
  932. _debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
  933. fi
  934. if [ "$_ret" != "0" ]; then
  935. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
  936. fi
  937. _sed_i "s/^ *//g" "$HTTP_HEADER"
  938. else
  939. _ret="$?"
  940. _err "Neither curl nor wget is found, can not do $httpmethod."
  941. fi
  942. _debug "_ret" "$_ret"
  943. printf "%s" "$response"
  944. return $_ret
  945. }
  946. # url getheader timeout
  947. _get() {
  948. _debug GET
  949. url="$1"
  950. onlyheader="$2"
  951. t="$3"
  952. _debug url "$url"
  953. _debug "timeout" "$t"
  954. _inithttp
  955. if [ "$_ACME_CURL" ]; then
  956. _CURL="$_ACME_CURL"
  957. if [ "$t" ]; then
  958. _CURL="$_CURL --connect-timeout $t"
  959. fi
  960. _debug "_CURL" "$_CURL"
  961. if [ "$onlyheader" ]; then
  962. $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
  963. else
  964. $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
  965. fi
  966. ret=$?
  967. if [ "$ret" != "0" ]; then
  968. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
  969. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  970. _err "Here is the curl dump log:"
  971. _err "$(cat "$_CURL_DUMP")"
  972. fi
  973. fi
  974. elif [ "$_ACME_WGET" ]; then
  975. _WGET="$_ACME_WGET"
  976. if [ "$t" ]; then
  977. _WGET="$_WGET --timeout=$t"
  978. fi
  979. _debug "_WGET" "$_WGET"
  980. if [ "$onlyheader" ]; then
  981. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1 | sed 's/^[ ]*//g'
  982. else
  983. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - "$url"
  984. fi
  985. ret=$?
  986. if [ "$_ret" = "8" ]; then
  987. _ret=0
  988. _debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
  989. fi
  990. if [ "$ret" != "0" ]; then
  991. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
  992. fi
  993. else
  994. ret=$?
  995. _err "Neither curl nor wget is found, can not do GET."
  996. fi
  997. _debug "ret" "$ret"
  998. return $ret
  999. }
  1000. _head_n() {
  1001. head -n "$1"
  1002. }
  1003. _tail_n() {
  1004. if ! tail -n "$1" 2>/dev/null; then
  1005. #fix for solaris
  1006. tail -"$1"
  1007. fi
  1008. }
  1009. # url payload needbase64 keyfile
  1010. _send_signed_request() {
  1011. url=$1
  1012. payload=$2
  1013. needbase64=$3
  1014. keyfile=$4
  1015. if [ -z "$keyfile" ]; then
  1016. keyfile="$ACCOUNT_KEY_PATH"
  1017. fi
  1018. _debug url "$url"
  1019. _debug payload "$payload"
  1020. if ! _calcjwk "$keyfile"; then
  1021. return 1
  1022. fi
  1023. payload64=$(printf "%s" "$payload" | _base64 | _urlencode)
  1024. _debug3 payload64 "$payload64"
  1025. if [ -z "$_CACHED_NONCE" ]; then
  1026. _debug2 "Get nonce."
  1027. nonceurl="$API/directory"
  1028. _headers="$(_get "$nonceurl" "onlyheader")"
  1029. if [ "$?" != "0" ]; then
  1030. _err "Can not connect to $nonceurl to get nonce."
  1031. return 1
  1032. fi
  1033. _debug2 _headers "$_headers"
  1034. _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  1035. _debug2 _CACHED_NONCE "$_CACHED_NONCE"
  1036. else
  1037. _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
  1038. fi
  1039. nonce="$_CACHED_NONCE"
  1040. _debug2 nonce "$nonce"
  1041. protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
  1042. _debug3 protected "$protected"
  1043. protected64="$(printf "%s" "$protected" | _base64 | _urlencode)"
  1044. _debug3 protected64 "$protected64"
  1045. if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
  1046. _err "Sign request failed."
  1047. return 1
  1048. fi
  1049. _debug3 _sig_t "$_sig_t"
  1050. sig="$(printf "%s" "$_sig_t" | _urlencode)"
  1051. _debug3 sig "$sig"
  1052. body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
  1053. _debug3 body "$body"
  1054. response="$(_post "$body" "$url" "$needbase64")"
  1055. _CACHED_NONCE=""
  1056. if [ "$?" != "0" ]; then
  1057. _err "Can not post to $url"
  1058. return 1
  1059. fi
  1060. _debug2 original "$response"
  1061. response="$(echo "$response" | _normalizeJson)"
  1062. responseHeaders="$(cat "$HTTP_HEADER")"
  1063. _debug2 responseHeaders "$responseHeaders"
  1064. _debug2 response "$response"
  1065. code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
  1066. _debug code "$code"
  1067. _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  1068. }
  1069. #setopt "file" "opt" "=" "value" [";"]
  1070. _setopt() {
  1071. __conf="$1"
  1072. __opt="$2"
  1073. __sep="$3"
  1074. __val="$4"
  1075. __end="$5"
  1076. if [ -z "$__opt" ]; then
  1077. _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
  1078. return
  1079. fi
  1080. if [ ! -f "$__conf" ]; then
  1081. touch "$__conf"
  1082. fi
  1083. if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then
  1084. _debug3 OK
  1085. if _contains "$__val" "&"; then
  1086. __val="$(echo "$__val" | sed 's/&/\\&/g')"
  1087. fi
  1088. text="$(cat "$__conf")"
  1089. echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
  1090. elif grep -n "^#$__opt$__sep" "$__conf" >/dev/null; then
  1091. if _contains "$__val" "&"; then
  1092. __val="$(echo "$__val" | sed 's/&/\\&/g')"
  1093. fi
  1094. text="$(cat "$__conf")"
  1095. echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
  1096. else
  1097. _debug3 APP
  1098. echo "$__opt$__sep$__val$__end" >>"$__conf"
  1099. fi
  1100. _debug2 "$(grep -n "^$__opt$__sep" "$__conf")"
  1101. }
  1102. #_save_conf file key value
  1103. #save to conf
  1104. _save_conf() {
  1105. _s_c_f="$1"
  1106. _sdkey="$2"
  1107. _sdvalue="$3"
  1108. if [ "$_s_c_f" ]; then
  1109. _setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'"
  1110. else
  1111. _err "config file is empty, can not save $_sdkey=$_sdvalue"
  1112. fi
  1113. }
  1114. #_clear_conf file key
  1115. _clear_conf() {
  1116. _c_c_f="$1"
  1117. _sdkey="$2"
  1118. if [ "$_c_c_f" ]; then
  1119. _conf_data="$(cat "$_c_c_f")"
  1120. echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" > "$_c_c_f"
  1121. else
  1122. _err "config file is empty, can not clear"
  1123. fi
  1124. }
  1125. #_read_conf file key
  1126. _read_conf() {
  1127. _r_c_f="$1"
  1128. _sdkey="$2"
  1129. if [ -f "$_r_c_f" ]; then
  1130. (
  1131. eval "$(grep "^$_sdkey *=" "$_r_c_f")"
  1132. eval "printf \"%s\" \"\$$_sdkey\""
  1133. )
  1134. else
  1135. _debug "config file is empty, can not read $_sdkey"
  1136. fi
  1137. }
  1138. #_savedomainconf key value
  1139. #save to domain.conf
  1140. _savedomainconf() {
  1141. _save_conf "$DOMAIN_CONF" "$1" "$2"
  1142. }
  1143. #_cleardomainconf key
  1144. _cleardomainconf() {
  1145. _clear_conf "$DOMAIN_CONF" "$1"
  1146. }
  1147. #_readdomainconf key
  1148. _readdomainconf() {
  1149. _read_conf "$DOMAIN_CONF" "$1"
  1150. }
  1151. #_saveaccountconf key value
  1152. _saveaccountconf() {
  1153. _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2"
  1154. }
  1155. #_clearaccountconf key
  1156. _clearaccountconf() {
  1157. _clear_conf "$ACCOUNT_CONF_PATH" "$1"
  1158. }
  1159. #_savecaconf key value
  1160. _savecaconf() {
  1161. _save_conf "$CA_CONF" "$1" "$2"
  1162. }
  1163. #_readcaconf key
  1164. _readcaconf() {
  1165. _read_conf "$CA_CONF" "$1"
  1166. }
  1167. #_clearaccountconf key
  1168. _clearcaconf() {
  1169. _clear_conf "$CA_CONF" "$1"
  1170. }
  1171. # content localaddress
  1172. _startserver() {
  1173. content="$1"
  1174. ncaddr="$2"
  1175. _debug "ncaddr" "$ncaddr"
  1176. _debug "startserver: $$"
  1177. nchelp="$(nc -h 2>&1)"
  1178. _debug Le_HTTPPort "$Le_HTTPPort"
  1179. _debug Le_Listen_V4 "$Le_Listen_V4"
  1180. _debug Le_Listen_V6 "$Le_Listen_V6"
  1181. _NC="nc"
  1182. if [ "$Le_Listen_V4" ]; then
  1183. _NC="$_NC -4"
  1184. elif [ "$Le_Listen_V6" ]; then
  1185. _NC="$_NC -6"
  1186. fi
  1187. if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
  1188. _NC="$_NC -q 1 -l $ncaddr"
  1189. else
  1190. if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
  1191. _NC="$_NC -c -l $ncaddr"
  1192. elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
  1193. _NC="$_NC -N -l $ncaddr"
  1194. else
  1195. _NC="$_NC -l $ncaddr"
  1196. fi
  1197. fi
  1198. _debug "_NC" "$_NC"
  1199. #for centos ncat
  1200. if _contains "$nchelp" "nmap.org"; then
  1201. _debug "Using ncat: nmap.org"
  1202. if [ "$DEBUG" ]; then
  1203. if printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $_NC "$Le_HTTPPort"; then
  1204. return
  1205. fi
  1206. else
  1207. if printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $_NC "$Le_HTTPPort" >/dev/null 2>&1; then
  1208. return
  1209. fi
  1210. fi
  1211. _err "ncat listen error."
  1212. fi
  1213. # while true ; do
  1214. if [ "$DEBUG" ]; then
  1215. if ! printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $_NC -p "$Le_HTTPPort"; then
  1216. printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $_NC "$Le_HTTPPort"
  1217. fi
  1218. else
  1219. if ! printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $_NC -p "$Le_HTTPPort" >/dev/null 2>&1; then
  1220. printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $_NC "$Le_HTTPPort" >/dev/null 2>&1
  1221. fi
  1222. fi
  1223. if [ "$?" != "0" ]; then
  1224. _err "nc listen error."
  1225. exit 1
  1226. fi
  1227. # done
  1228. }
  1229. _stopserver() {
  1230. pid="$1"
  1231. _debug "pid" "$pid"
  1232. if [ -z "$pid" ]; then
  1233. return
  1234. fi
  1235. _debug2 "Le_HTTPPort" "$Le_HTTPPort"
  1236. if [ "$Le_HTTPPort" ]; then
  1237. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
  1238. _get "http://localhost:$Le_HTTPPort" "" 1
  1239. else
  1240. _get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
  1241. fi
  1242. fi
  1243. _debug2 "Le_TLSPort" "$Le_TLSPort"
  1244. if [ "$Le_TLSPort" ]; then
  1245. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
  1246. _get "https://localhost:$Le_TLSPort" "" 1
  1247. _get "https://localhost:$Le_TLSPort" "" 1
  1248. else
  1249. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1250. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1251. fi
  1252. fi
  1253. }
  1254. # sleep sec
  1255. _sleep() {
  1256. _sleep_sec="$1"
  1257. if [ "$__INTERACTIVE" ]; then
  1258. _sleep_c="$_sleep_sec"
  1259. while [ "$_sleep_c" -ge "0" ]; do
  1260. printf "\r \r"
  1261. __green "$_sleep_c"
  1262. _sleep_c="$(_math "$_sleep_c" - 1)"
  1263. sleep 1
  1264. done
  1265. printf "\r"
  1266. else
  1267. sleep "$_sleep_sec"
  1268. fi
  1269. }
  1270. # _starttlsserver san_a san_b port content _ncaddr
  1271. _starttlsserver() {
  1272. _info "Starting tls server."
  1273. san_a="$1"
  1274. san_b="$2"
  1275. port="$3"
  1276. content="$4"
  1277. opaddr="$5"
  1278. _debug san_a "$san_a"
  1279. _debug san_b "$san_b"
  1280. _debug port "$port"
  1281. #create key TLS_KEY
  1282. if ! _createkey "2048" "$TLS_KEY"; then
  1283. _err "Create tls validation key error."
  1284. return 1
  1285. fi
  1286. #create csr
  1287. alt="$san_a"
  1288. if [ "$san_b" ]; then
  1289. alt="$alt,$san_b"
  1290. fi
  1291. if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
  1292. _err "Create tls validation csr error."
  1293. return 1
  1294. fi
  1295. #self signed
  1296. if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT"; then
  1297. _err "Create tls validation cert error."
  1298. return 1
  1299. fi
  1300. __S_OPENSSL="openssl s_server -cert $TLS_CERT -key $TLS_KEY "
  1301. if [ "$opaddr" ]; then
  1302. __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
  1303. else
  1304. __S_OPENSSL="$__S_OPENSSL -accept $port"
  1305. fi
  1306. _debug Le_Listen_V4 "$Le_Listen_V4"
  1307. _debug Le_Listen_V6 "$Le_Listen_V6"
  1308. if [ "$Le_Listen_V4" ]; then
  1309. __S_OPENSSL="$__S_OPENSSL -4"
  1310. elif [ "$Le_Listen_V6" ]; then
  1311. __S_OPENSSL="$__S_OPENSSL -6"
  1312. fi
  1313. #start openssl
  1314. _debug "$__S_OPENSSL"
  1315. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1316. (printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
  1317. else
  1318. (printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
  1319. fi
  1320. serverproc="$!"
  1321. sleep 1
  1322. _debug serverproc "$serverproc"
  1323. }
  1324. #file
  1325. _readlink() {
  1326. _rf="$1"
  1327. if ! readlink -f "$_rf" 2>/dev/null; then
  1328. if _startswith "$_rf" "\./$PROJECT_ENTRY"; then
  1329. printf -- "%s" "$(pwd)/$PROJECT_ENTRY"
  1330. return 0
  1331. fi
  1332. readlink "$_rf"
  1333. fi
  1334. }
  1335. __initHome() {
  1336. if [ -z "$_SCRIPT_HOME" ]; then
  1337. if _exists readlink && _exists dirname; then
  1338. _debug "Lets find script dir."
  1339. _debug "_SCRIPT_" "$_SCRIPT_"
  1340. _script="$(_readlink "$_SCRIPT_")"
  1341. _debug "_script" "$_script"
  1342. _script_home="$(dirname "$_script")"
  1343. _debug "_script_home" "$_script_home"
  1344. if [ -d "$_script_home" ]; then
  1345. _SCRIPT_HOME="$_script_home"
  1346. else
  1347. _err "It seems the script home is not correct:$_script_home"
  1348. fi
  1349. fi
  1350. fi
  1351. if [ -z "$LE_WORKING_DIR" ]; then
  1352. if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ]; then
  1353. _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
  1354. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1355. else
  1356. LE_WORKING_DIR="$_SCRIPT_HOME"
  1357. fi
  1358. fi
  1359. if [ -z "$LE_WORKING_DIR" ]; then
  1360. _debug "Using default home:$DEFAULT_INSTALL_HOME"
  1361. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1362. fi
  1363. export LE_WORKING_DIR
  1364. _DEFAULT_ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf"
  1365. if [ -z "$ACCOUNT_CONF_PATH" ]; then
  1366. if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ]; then
  1367. . "$_DEFAULT_ACCOUNT_CONF_PATH"
  1368. fi
  1369. fi
  1370. if [ -z "$ACCOUNT_CONF_PATH" ]; then
  1371. ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
  1372. fi
  1373. DEFAULT_LOG_FILE="$LE_WORKING_DIR/$PROJECT_NAME.log"
  1374. DEFAULT_CA_HOME="$LE_WORKING_DIR/ca"
  1375. if [ -z "$LE_TEMP_DIR" ]; then
  1376. LE_TEMP_DIR="$LE_WORKING_DIR/tmp"
  1377. fi
  1378. }
  1379. #[domain] [keylength]
  1380. _initpath() {
  1381. __initHome
  1382. if [ -f "$ACCOUNT_CONF_PATH" ]; then
  1383. . "$ACCOUNT_CONF_PATH"
  1384. fi
  1385. if [ "$IN_CRON" ]; then
  1386. if [ ! "$_USER_PATH_EXPORTED" ]; then
  1387. _USER_PATH_EXPORTED=1
  1388. export PATH="$USER_PATH:$PATH"
  1389. fi
  1390. fi
  1391. if [ -z "$CA_HOME" ]; then
  1392. CA_HOME="$DEFAULT_CA_HOME"
  1393. fi
  1394. if [ -z "$API" ]; then
  1395. if [ -z "$STAGE" ]; then
  1396. API="$DEFAULT_CA"
  1397. else
  1398. API="$STAGE_CA"
  1399. _info "Using stage api:$API"
  1400. fi
  1401. fi
  1402. _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
  1403. CA_DIR="$CA_HOME/$_API_HOST"
  1404. _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
  1405. if [ -z "$CA_CONF" ]; then
  1406. CA_CONF="$_DEFAULT_CA_CONF"
  1407. fi
  1408. if [ -f "$CA_CONF" ]; then
  1409. . "$CA_CONF"
  1410. fi
  1411. if [ -z "$ACME_DIR" ]; then
  1412. ACME_DIR="/home/.acme"
  1413. fi
  1414. if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then
  1415. APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR"
  1416. fi
  1417. if [ -z "$USER_AGENT" ]; then
  1418. USER_AGENT="$DEFAULT_USER_AGENT"
  1419. fi
  1420. if [ -z "$HTTP_HEADER" ]; then
  1421. HTTP_HEADER="$LE_WORKING_DIR/http.header"
  1422. fi
  1423. _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
  1424. _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
  1425. _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  1426. _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  1427. if [ -z "$ACCOUNT_KEY_PATH" ]; then
  1428. ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  1429. fi
  1430. if [ -z "$ACCOUNT_JSON_PATH" ]; then
  1431. ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
  1432. fi
  1433. _DEFAULT_CERT_HOME="$LE_WORKING_DIR"
  1434. if [ -z "$CERT_HOME" ]; then
  1435. CERT_HOME="$_DEFAULT_CERT_HOME"
  1436. fi
  1437. if [ -z "$1" ]; then
  1438. return 0
  1439. fi
  1440. mkdir -p "$CA_DIR"
  1441. domain="$1"
  1442. _ilength="$2"
  1443. if [ -z "$DOMAIN_PATH" ]; then
  1444. domainhome="$CERT_HOME/$domain"
  1445. domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
  1446. DOMAIN_PATH="$domainhome"
  1447. if _isEccKey "$_ilength"; then
  1448. DOMAIN_PATH="$domainhomeecc"
  1449. else
  1450. if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then
  1451. _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
  1452. fi
  1453. fi
  1454. _debug DOMAIN_PATH "$DOMAIN_PATH"
  1455. fi
  1456. if [ ! -d "$DOMAIN_PATH" ]; then
  1457. if ! mkdir -p "$DOMAIN_PATH"; then
  1458. _err "Can not create domain path: $DOMAIN_PATH"
  1459. return 1
  1460. fi
  1461. fi
  1462. if [ -z "$DOMAIN_CONF" ]; then
  1463. DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
  1464. fi
  1465. if [ -z "$DOMAIN_SSL_CONF" ]; then
  1466. DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
  1467. fi
  1468. if [ -z "$CSR_PATH" ]; then
  1469. CSR_PATH="$DOMAIN_PATH/$domain.csr"
  1470. fi
  1471. if [ -z "$CERT_KEY_PATH" ]; then
  1472. CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
  1473. fi
  1474. if [ -z "$CERT_PATH" ]; then
  1475. CERT_PATH="$DOMAIN_PATH/$domain.cer"
  1476. fi
  1477. if [ -z "$CA_CERT_PATH" ]; then
  1478. CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
  1479. fi
  1480. if [ -z "$CERT_FULLCHAIN_PATH" ]; then
  1481. CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
  1482. fi
  1483. if [ -z "$CERT_PFX_PATH" ]; then
  1484. CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
  1485. fi
  1486. if [ -z "$TLS_CONF" ]; then
  1487. TLS_CONF="$DOMAIN_PATH/tls.valdation.conf"
  1488. fi
  1489. if [ -z "$TLS_CERT" ]; then
  1490. TLS_CERT="$DOMAIN_PATH/tls.valdation.cert"
  1491. fi
  1492. if [ -z "$TLS_KEY" ]; then
  1493. TLS_KEY="$DOMAIN_PATH/tls.valdation.key"
  1494. fi
  1495. if [ -z "$TLS_CSR" ]; then
  1496. TLS_CSR="$DOMAIN_PATH/tls.valdation.csr"
  1497. fi
  1498. }
  1499. _exec() {
  1500. if [ -z "$_EXEC_TEMP_ERR" ]; then
  1501. _EXEC_TEMP_ERR="$(_mktemp)"
  1502. fi
  1503. if [ "$_EXEC_TEMP_ERR" ]; then
  1504. "$@" 2>"$_EXEC_TEMP_ERR"
  1505. else
  1506. "$@"
  1507. fi
  1508. }
  1509. _exec_err() {
  1510. [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")"
  1511. }
  1512. _apachePath() {
  1513. _APACHECTL="apachectl"
  1514. if ! _exists apachectl; then
  1515. if _exists apache2ctl; then
  1516. _APACHECTL="apache2ctl"
  1517. else
  1518. _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
  1519. _err "Please use webroot mode to try again."
  1520. return 1
  1521. fi
  1522. fi
  1523. if ! _exec $_APACHECTL -V >/dev/null; then
  1524. _exec_err
  1525. return 1
  1526. fi
  1527. if [ "$APACHE_HTTPD_CONF" ]; then
  1528. _saveaccountconf APACHE_HTTPD_CONF "$APACHE_HTTPD_CONF"
  1529. httpdconf="$APACHE_HTTPD_CONF"
  1530. httpdconfname="$(basename "$httpdconfname")"
  1531. else
  1532. httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"')"
  1533. _debug httpdconfname "$httpdconfname"
  1534. if [ -z "$httpdconfname" ]; then
  1535. _err "Can not read apache config file."
  1536. return 1
  1537. fi
  1538. if _startswith "$httpdconfname" '/'; then
  1539. httpdconf="$httpdconfname"
  1540. httpdconfname="$(basename "$httpdconfname")"
  1541. else
  1542. httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"')"
  1543. _debug httpdroot "$httpdroot"
  1544. httpdconf="$httpdroot/$httpdconfname"
  1545. httpdconfname="$(basename "$httpdconfname")"
  1546. fi
  1547. fi
  1548. _debug httpdconf "$httpdconf"
  1549. _debug httpdconfname "$httpdconfname"
  1550. if [ ! -f "$httpdconf" ]; then
  1551. _err "Apache Config file not found" "$httpdconf"
  1552. return 1
  1553. fi
  1554. return 0
  1555. }
  1556. _restoreApache() {
  1557. if [ -z "$usingApache" ]; then
  1558. return 0
  1559. fi
  1560. _initpath
  1561. if ! _apachePath; then
  1562. return 1
  1563. fi
  1564. if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ]; then
  1565. _debug "No config file to restore."
  1566. return 0
  1567. fi
  1568. cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
  1569. _debug "Restored: $httpdconf."
  1570. if ! _exec $_APACHECTL -t; then
  1571. _exec_err
  1572. _err "Sorry, restore apache config error, please contact me."
  1573. return 1
  1574. fi
  1575. _debug "Restored successfully."
  1576. rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1577. return 0
  1578. }
  1579. _setApache() {
  1580. _initpath
  1581. if ! _apachePath; then
  1582. return 1
  1583. fi
  1584. #test the conf first
  1585. _info "Checking if there is an error in the apache config file before starting."
  1586. if ! _exec "$_APACHECTL" -t >/dev/null; then
  1587. _exec_err
  1588. _err "The apache config file has error, please fix it first, then try again."
  1589. _err "Don't worry, there is nothing changed to your system."
  1590. return 1
  1591. else
  1592. _info "OK"
  1593. fi
  1594. #backup the conf
  1595. _debug "Backup apache config file" "$httpdconf"
  1596. if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then
  1597. _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
  1598. _err "This might be a bug of $PROJECT_NAME , pleae report issue: $PROJECT"
  1599. return 1
  1600. fi
  1601. _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1602. _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
  1603. _info "The backup file will be deleted on sucess, just forget it."
  1604. #add alias
  1605. apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2)"
  1606. _debug "apacheVer" "$apacheVer"
  1607. apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
  1608. apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
  1609. if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ]; then
  1610. echo "
  1611. Alias /.well-known/acme-challenge $ACME_DIR
  1612. <Directory $ACME_DIR >
  1613. Require all granted
  1614. </Directory>
  1615. " >>"$httpdconf"
  1616. else
  1617. echo "
  1618. Alias /.well-known/acme-challenge $ACME_DIR
  1619. <Directory $ACME_DIR >
  1620. Order allow,deny
  1621. Allow from all
  1622. </Directory>
  1623. " >>"$httpdconf"
  1624. fi
  1625. _msg="$($_APACHECTL -t 2>&1)"
  1626. if [ "$?" != "0" ]; then
  1627. _err "Sorry, apache config error"
  1628. if _restoreApache; then
  1629. _err "The apache config file is restored."
  1630. else
  1631. _err "Sorry, The apache config file can not be restored, please report bug."
  1632. fi
  1633. return 1
  1634. fi
  1635. if [ ! -d "$ACME_DIR" ]; then
  1636. mkdir -p "$ACME_DIR"
  1637. chmod 755 "$ACME_DIR"
  1638. fi
  1639. if ! _exec "$_APACHECTL" graceful; then
  1640. _exec_err
  1641. _err "$_APACHECTL graceful error, please contact me."
  1642. _restoreApache
  1643. return 1
  1644. fi
  1645. usingApache="1"
  1646. return 0
  1647. }
  1648. _clearup() {
  1649. _stopserver "$serverproc"
  1650. serverproc=""
  1651. _restoreApache
  1652. _clearupdns
  1653. if [ -z "$DEBUG" ]; then
  1654. rm -f "$TLS_CONF"
  1655. rm -f "$TLS_CERT"
  1656. rm -f "$TLS_KEY"
  1657. rm -f "$TLS_CSR"
  1658. fi
  1659. }
  1660. _clearupdns() {
  1661. _debug "_clearupdns"
  1662. if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
  1663. _debug "Dns not added, skip."
  1664. return
  1665. fi
  1666. ventries=$(echo "$vlist" | tr ',' ' ')
  1667. for ventry in $ventries; do
  1668. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  1669. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  1670. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  1671. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  1672. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  1673. _info "$d is already verified, skip $vtype."
  1674. continue
  1675. fi
  1676. if [ "$vtype" != "$VTYPE_DNS" ]; then
  1677. _info "Skip $d for $vtype"
  1678. continue
  1679. fi
  1680. d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
  1681. _debug d_api "$d_api"
  1682. if [ -z "$d_api" ]; then
  1683. _info "Not Found domain api file: $d_api"
  1684. continue
  1685. fi
  1686. (
  1687. if ! . "$d_api"; then
  1688. _err "Load file $d_api error. Please check your api file and try again."
  1689. return 1
  1690. fi
  1691. rmcommand="${_currentRoot}_rm"
  1692. if ! _exists "$rmcommand"; then
  1693. _err "It seems that your api file doesn't define $rmcommand"
  1694. return 1
  1695. fi
  1696. txtdomain="_acme-challenge.$d"
  1697. if ! $rmcommand "$txtdomain"; then
  1698. _err "Error removing txt for domain:$txtdomain"
  1699. return 1
  1700. fi
  1701. )
  1702. done
  1703. }
  1704. # webroot removelevel tokenfile
  1705. _clearupwebbroot() {
  1706. __webroot="$1"
  1707. if [ -z "$__webroot" ]; then
  1708. _debug "no webroot specified, skip"
  1709. return 0
  1710. fi
  1711. _rmpath=""
  1712. if [ "$2" = '1' ]; then
  1713. _rmpath="$__webroot/.well-known"
  1714. elif [ "$2" = '2' ]; then
  1715. _rmpath="$__webroot/.well-known/acme-challenge"
  1716. elif [ "$2" = '3' ]; then
  1717. _rmpath="$__webroot/.well-known/acme-challenge/$3"
  1718. else
  1719. _debug "Skip for removelevel:$2"
  1720. fi
  1721. if [ "$_rmpath" ]; then
  1722. if [ "$DEBUG" ]; then
  1723. _debug "Debugging, skip removing: $_rmpath"
  1724. else
  1725. rm -rf "$_rmpath"
  1726. fi
  1727. fi
  1728. return 0
  1729. }
  1730. _on_before_issue() {
  1731. _debug _on_before_issue
  1732. if _hasfield "$Le_Webroot" "$NO_VALUE"; then
  1733. if ! _exists "nc"; then
  1734. _err "Please install netcat(nc) tools first."
  1735. return 1
  1736. fi
  1737. fi
  1738. _debug Le_LocalAddress "$Le_LocalAddress"
  1739. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ')
  1740. _index=1
  1741. _currentRoot=""
  1742. _addrIndex=1
  1743. for d in $alldomains; do
  1744. _debug "Check for domain" "$d"
  1745. _currentRoot="$(_getfield "$Le_Webroot" $_index)"
  1746. _debug "_currentRoot" "$_currentRoot"
  1747. _index=$(_math $_index + 1)
  1748. _checkport=""
  1749. if [ "$_currentRoot" = "$NO_VALUE" ]; then
  1750. _info "Standalone mode."
  1751. if [ -z "$Le_HTTPPort" ]; then
  1752. Le_HTTPPort=80
  1753. else
  1754. _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
  1755. fi
  1756. _checkport="$Le_HTTPPort"
  1757. elif [ "$_currentRoot" = "$W_TLS" ]; then
  1758. _info "Standalone tls mode."
  1759. if [ -z "$Le_TLSPort" ]; then
  1760. Le_TLSPort=443
  1761. else
  1762. _savedomainconf "Le_TLSPort" "$Le_TLSPort"
  1763. fi
  1764. _checkport="$Le_TLSPort"
  1765. fi
  1766. if [ "$_checkport" ]; then
  1767. _debug _checkport "$_checkport"
  1768. _checkaddr="$(_getfield "$Le_LocalAddress" $_addrIndex)"
  1769. _debug _checkaddr "$_checkaddr"
  1770. _addrIndex="$(_math $_addrIndex + 1)"
  1771. _netprc="$(_ss "$_checkport" | grep "$_checkport")"
  1772. netprc="$(echo "$_netprc" | grep "$_checkaddr")"
  1773. if [ -z "$netprc" ]; then
  1774. netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
  1775. fi
  1776. if [ "$netprc" ]; then
  1777. _err "$netprc"
  1778. _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
  1779. _err "Please stop it first"
  1780. return 1
  1781. fi
  1782. fi
  1783. done
  1784. if _hasfield "$Le_Webroot" "apache"; then
  1785. if ! _setApache; then
  1786. _err "set up apache error. Report error to me."
  1787. return 1
  1788. fi
  1789. else
  1790. usingApache=""
  1791. fi
  1792. #run pre hook
  1793. if [ "$Le_PreHook" ]; then
  1794. _info "Run pre hook:'$Le_PreHook'"
  1795. if ! (
  1796. cd "$DOMAIN_PATH" && eval "$Le_PreHook"
  1797. ); then
  1798. _err "Error when run pre hook."
  1799. return 1
  1800. fi
  1801. fi
  1802. }
  1803. _on_issue_err() {
  1804. _debug _on_issue_err
  1805. if [ "$LOG_FILE" ]; then
  1806. _err "Please check log file for more details: $LOG_FILE"
  1807. else
  1808. _err "Please add '--debug' or '--log' to check more details."
  1809. _err "See: $_DEBUG_WIKI"
  1810. fi
  1811. if [ "$DEBUG" ] && [ "$DEBUG" -gt "0" ]; then
  1812. _debug "$(_dlg_versions)"
  1813. fi
  1814. #run the post hook
  1815. if [ "$Le_PostHook" ]; then
  1816. _info "Run post hook:'$Le_PostHook'"
  1817. if ! (
  1818. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1819. ); then
  1820. _err "Error when run post hook."
  1821. return 1
  1822. fi
  1823. fi
  1824. }
  1825. _on_issue_success() {
  1826. _debug _on_issue_success
  1827. #run the post hook
  1828. if [ "$Le_PostHook" ]; then
  1829. _info "Run post hook:'$Le_PostHook'"
  1830. if ! (
  1831. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1832. ); then
  1833. _err "Error when run post hook."
  1834. return 1
  1835. fi
  1836. fi
  1837. #run renew hook
  1838. if [ "$IS_RENEW" ] && [ "$Le_RenewHook" ]; then
  1839. _info "Run renew hook:'$Le_RenewHook'"
  1840. if ! (
  1841. cd "$DOMAIN_PATH" && eval "$Le_RenewHook"
  1842. ); then
  1843. _err "Error when run renew hook."
  1844. return 1
  1845. fi
  1846. fi
  1847. }
  1848. updateaccount() {
  1849. _initpath
  1850. _regAccount
  1851. }
  1852. registeraccount() {
  1853. _reg_length="$1"
  1854. _initpath
  1855. _regAccount "$_reg_length"
  1856. }
  1857. __calcAccountKeyHash() {
  1858. [ -f "$ACCOUNT_KEY_PATH" ] && _digest sha256 <"$ACCOUNT_KEY_PATH"
  1859. }
  1860. #keylength
  1861. _regAccount() {
  1862. _initpath
  1863. _reg_length="$1"
  1864. if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
  1865. _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
  1866. mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  1867. fi
  1868. if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
  1869. _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
  1870. mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  1871. fi
  1872. if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
  1873. if ! _create_account_key "$_reg_length"; then
  1874. _err "Create account key error."
  1875. return 1
  1876. fi
  1877. fi
  1878. if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
  1879. return 1
  1880. fi
  1881. _updateTos=""
  1882. _reg_res="new-reg"
  1883. while true; do
  1884. _debug AGREEMENT "$AGREEMENT"
  1885. regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}'
  1886. if [ "$ACCOUNT_EMAIL" ]; then
  1887. regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
  1888. fi
  1889. if [ -z "$_updateTos" ]; then
  1890. _info "Registering account"
  1891. if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then
  1892. _err "Register account Error: $response"
  1893. return 1
  1894. fi
  1895. if [ "$code" = "" ] || [ "$code" = '201' ]; then
  1896. echo "$response" >"$ACCOUNT_JSON_PATH"
  1897. _info "Registered"
  1898. elif [ "$code" = '409' ]; then
  1899. _info "Already registered"
  1900. else
  1901. _err "Register account Error: $response"
  1902. return 1
  1903. fi
  1904. _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  1905. _debug "_accUri" "$_accUri"
  1906. _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')"
  1907. _debug "_tos" "$_tos"
  1908. if [ -z "$_tos" ]; then
  1909. _debug "Use default tos: $DEFAULT_AGREEMENT"
  1910. _tos="$DEFAULT_AGREEMENT"
  1911. fi
  1912. if [ "$_tos" != "$AGREEMENT" ]; then
  1913. _updateTos=1
  1914. AGREEMENT="$_tos"
  1915. _reg_res="reg"
  1916. continue
  1917. fi
  1918. else
  1919. _debug "Update tos: $_tos"
  1920. if ! _send_signed_request "$_accUri" "$regjson"; then
  1921. _err "Update tos error."
  1922. return 1
  1923. fi
  1924. if [ "$code" = '202' ]; then
  1925. _info "Update success."
  1926. CA_KEY_HASH="$(__calcAccountKeyHash)"
  1927. _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
  1928. _savecaconf CA_KEY_HASH "$CA_KEY_HASH"
  1929. else
  1930. _err "Update account error."
  1931. return 1
  1932. fi
  1933. fi
  1934. return 0
  1935. done
  1936. }
  1937. # domain folder file
  1938. _findHook() {
  1939. _hookdomain="$1"
  1940. _hookcat="$2"
  1941. _hookname="$3"
  1942. if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then
  1943. d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
  1944. elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
  1945. d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh"
  1946. elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
  1947. d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname"
  1948. elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
  1949. d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh"
  1950. elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then
  1951. d_api="$LE_WORKING_DIR/$_hookname"
  1952. elif [ -f "$LE_WORKING_DIR/$_hookname.sh" ]; then
  1953. d_api="$LE_WORKING_DIR/$_hookname.sh"
  1954. elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname" ]; then
  1955. d_api="$LE_WORKING_DIR/$_hookcat/$_hookname"
  1956. elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname.sh" ]; then
  1957. d_api="$LE_WORKING_DIR/$_hookcat/$_hookname.sh"
  1958. fi
  1959. printf "%s" "$d_api"
  1960. }
  1961. #domain
  1962. __get_domain_new_authz() {
  1963. _gdnd="$1"
  1964. _info "Getting new-authz for domain" "$_gdnd"
  1965. _Max_new_authz_retry_times=5
  1966. _authz_i=0
  1967. while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
  1968. _debug "Try new-authz for the $_authz_i time."
  1969. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
  1970. _err "Can not get domain new authz."
  1971. return 1
  1972. fi
  1973. if ! _contains "$response" "An error occurred while processing your request"; then
  1974. _info "The new-authz request is ok."
  1975. break
  1976. fi
  1977. _authz_i="$(_math "$_authz_i" + 1)"
  1978. _info "The server is busy, Sleep $_authz_i to retry."
  1979. _sleep "$_authz_i"
  1980. done
  1981. if [ "$_authz_i" = "$_Max_new_authz_retry_times" ]; then
  1982. _err "new-authz retry reach the max $_Max_new_authz_retry_times times."
  1983. fi
  1984. if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
  1985. _err "new-authz error: $response"
  1986. return 1
  1987. fi
  1988. }
  1989. #webroot, domain domainlist keylength
  1990. issue() {
  1991. if [ -z "$2" ]; then
  1992. _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
  1993. return 1
  1994. fi
  1995. Le_Webroot="$1"
  1996. Le_Domain="$2"
  1997. Le_Alt="$3"
  1998. Le_Keylength="$4"
  1999. Le_RealCertPath="$5"
  2000. Le_RealKeyPath="$6"
  2001. Le_RealCACertPath="$7"
  2002. Le_ReloadCmd="$8"
  2003. Le_RealFullChainPath="$9"
  2004. Le_PreHook="${10}"
  2005. Le_PostHook="${11}"
  2006. Le_RenewHook="${12}"
  2007. Le_LocalAddress="${13}"
  2008. #remove these later.
  2009. if [ "$Le_Webroot" = "dns-cf" ]; then
  2010. Le_Webroot="dns_cf"
  2011. fi
  2012. if [ "$Le_Webroot" = "dns-dp" ]; then
  2013. Le_Webroot="dns_dp"
  2014. fi
  2015. if [ "$Le_Webroot" = "dns-cx" ]; then
  2016. Le_Webroot="dns_cx"
  2017. fi
  2018. _debug "Using api: $API"
  2019. if [ ! "$IS_RENEW" ]; then
  2020. _initpath "$Le_Domain" "$Le_Keylength"
  2021. mkdir -p "$DOMAIN_PATH"
  2022. fi
  2023. if [ -f "$DOMAIN_CONF" ]; then
  2024. Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
  2025. _debug Le_NextRenewTime "$Le_NextRenewTime"
  2026. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
  2027. _saved_domain=$(_readdomainconf Le_Domain)
  2028. _debug _saved_domain "$_saved_domain"
  2029. _saved_alt=$(_readdomainconf Le_Alt)
  2030. _debug _saved_alt "$_saved_alt"
  2031. if [ "$_saved_domain,$_saved_alt" = "$Le_Domain,$Le_Alt" ]; then
  2032. _info "Domains not changed."
  2033. _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
  2034. _info "Add '$(__red '--force')' to force to renew."
  2035. return $RENEW_SKIP
  2036. else
  2037. _info "Domains have changed."
  2038. fi
  2039. fi
  2040. fi
  2041. _savedomainconf "Le_Domain" "$Le_Domain"
  2042. _savedomainconf "Le_Alt" "$Le_Alt"
  2043. _savedomainconf "Le_Webroot" "$Le_Webroot"
  2044. _savedomainconf "Le_PreHook" "$Le_PreHook"
  2045. _savedomainconf "Le_PostHook" "$Le_PostHook"
  2046. _savedomainconf "Le_RenewHook" "$Le_RenewHook"
  2047. if [ "$Le_LocalAddress" ]; then
  2048. _savedomainconf "Le_LocalAddress" "$Le_LocalAddress"
  2049. else
  2050. _cleardomainconf "Le_LocalAddress"
  2051. fi
  2052. Le_API="$API"
  2053. _savedomainconf "Le_API" "$Le_API"
  2054. if [ "$Le_Alt" = "$NO_VALUE" ]; then
  2055. Le_Alt=""
  2056. fi
  2057. if [ "$Le_Keylength" = "$NO_VALUE" ]; then
  2058. Le_Keylength=""
  2059. fi
  2060. if ! _on_before_issue; then
  2061. _err "_on_before_issue."
  2062. return 1
  2063. fi
  2064. _saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")"
  2065. _debug2 _saved_account_key_hash "$_saved_account_key_hash"
  2066. if [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then
  2067. if ! _regAccount "$_accountkeylength"; then
  2068. _on_issue_err
  2069. return 1
  2070. fi
  2071. else
  2072. _debug "_saved_account_key_hash is not changed, skip register account."
  2073. fi
  2074. if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
  2075. _info "Signing from existing CSR."
  2076. else
  2077. _key=$(_readdomainconf Le_Keylength)
  2078. _debug "Read key length:$_key"
  2079. if [ ! -f "$CERT_KEY_PATH" ] || [ "$Le_Keylength" != "$_key" ]; then
  2080. if ! createDomainKey "$Le_Domain" "$Le_Keylength"; then
  2081. _err "Create domain key error."
  2082. _clearup
  2083. _on_issue_err
  2084. return 1
  2085. fi
  2086. fi
  2087. if ! _createcsr "$Le_Domain" "$Le_Alt" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then
  2088. _err "Create CSR error."
  2089. _clearup
  2090. _on_issue_err
  2091. return 1
  2092. fi
  2093. fi
  2094. _savedomainconf "Le_Keylength" "$Le_Keylength"
  2095. vlist="$Le_Vlist"
  2096. _info "Getting domain auth token for each domain"
  2097. sep='#'
  2098. if [ -z "$vlist" ]; then
  2099. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ')
  2100. _index=1
  2101. _currentRoot=""
  2102. for d in $alldomains; do
  2103. _info "Getting webroot for domain" "$d"
  2104. _w="$(echo $Le_Webroot | cut -d , -f $_index)"
  2105. _info _w "$_w"
  2106. if [ "$_w" ]; then
  2107. _currentRoot="$_w"
  2108. fi
  2109. _debug "_currentRoot" "$_currentRoot"
  2110. _index=$(_math $_index + 1)
  2111. vtype="$VTYPE_HTTP"
  2112. if _startswith "$_currentRoot" "dns"; then
  2113. vtype="$VTYPE_DNS"
  2114. fi
  2115. if [ "$_currentRoot" = "$W_TLS" ]; then
  2116. vtype="$VTYPE_TLS"
  2117. fi
  2118. if ! __get_domain_new_authz "$d"; then
  2119. _clearup
  2120. _on_issue_err
  2121. return 1
  2122. fi
  2123. if [ -z "$thumbprint" ]; then
  2124. accountkey_json=$(printf "%s" "$jwk" | tr -d ' ')
  2125. thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
  2126. fi
  2127. entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
  2128. _debug entry "$entry"
  2129. if [ -z "$entry" ]; then
  2130. _err "Error, can not get domain token $d"
  2131. _clearup
  2132. _on_issue_err
  2133. return 1
  2134. fi
  2135. token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
  2136. _debug token "$token"
  2137. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
  2138. _debug uri "$uri"
  2139. keyauthorization="$token.$thumbprint"
  2140. _debug keyauthorization "$keyauthorization"
  2141. if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
  2142. _info "$d is already verified, skip."
  2143. keyauthorization="$STATE_VERIFIED"
  2144. _debug keyauthorization "$keyauthorization"
  2145. fi
  2146. dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
  2147. _debug dvlist "$dvlist"
  2148. vlist="$vlist$dvlist,"
  2149. done
  2150. #add entry
  2151. dnsadded=""
  2152. ventries=$(echo "$vlist" | tr ',' ' ')
  2153. for ventry in $ventries; do
  2154. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2155. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2156. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2157. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2158. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2159. _info "$d is already verified, skip $vtype."
  2160. continue
  2161. fi
  2162. if [ "$vtype" = "$VTYPE_DNS" ]; then
  2163. dnsadded='0'
  2164. txtdomain="_acme-challenge.$d"
  2165. _debug txtdomain "$txtdomain"
  2166. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _urlencode)"
  2167. _debug txt "$txt"
  2168. d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
  2169. _debug d_api "$d_api"
  2170. if [ "$d_api" ]; then
  2171. _info "Found domain api file: $d_api"
  2172. else
  2173. _err "Add the following TXT record:"
  2174. _err "Domain: '$(__green "$txtdomain")'"
  2175. _err "TXT value: '$(__green "$txt")'"
  2176. _err "Please be aware that you prepend _acme-challenge. before your domain"
  2177. _err "so the resulting subdomain will be: $txtdomain"
  2178. continue
  2179. fi
  2180. (
  2181. if ! . "$d_api"; then
  2182. _err "Load file $d_api error. Please check your api file and try again."
  2183. return 1
  2184. fi
  2185. addcommand="${_currentRoot}_add"
  2186. if ! _exists "$addcommand"; then
  2187. _err "It seems that your api file is not correct, it must have a function named: $addcommand"
  2188. return 1
  2189. fi
  2190. if ! $addcommand "$txtdomain" "$txt"; then
  2191. _err "Error add txt for domain:$txtdomain"
  2192. return 1
  2193. fi
  2194. )
  2195. if [ "$?" != "0" ]; then
  2196. _clearup
  2197. _on_issue_err
  2198. return 1
  2199. fi
  2200. dnsadded='1'
  2201. fi
  2202. done
  2203. if [ "$dnsadded" = '0' ]; then
  2204. _savedomainconf "Le_Vlist" "$vlist"
  2205. _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
  2206. _err "Please add the TXT records to the domains, and retry again."
  2207. _clearup
  2208. _on_issue_err
  2209. return 1
  2210. fi
  2211. fi
  2212. if [ "$dnsadded" = '1' ]; then
  2213. if [ -z "$Le_DNSSleep" ]; then
  2214. Le_DNSSleep="$DEFAULT_DNS_SLEEP"
  2215. else
  2216. _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
  2217. fi
  2218. _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
  2219. _sleep "$Le_DNSSleep"
  2220. fi
  2221. _debug "ok, let's start to verify"
  2222. _ncIndex=1
  2223. ventries=$(echo "$vlist" | tr ',' ' ')
  2224. for ventry in $ventries; do
  2225. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2226. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2227. uri=$(echo "$ventry" | cut -d "$sep" -f 3)
  2228. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2229. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2230. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2231. _info "$d is already verified, skip $vtype."
  2232. continue
  2233. fi
  2234. _info "Verifying:$d"
  2235. _debug "d" "$d"
  2236. _debug "keyauthorization" "$keyauthorization"
  2237. _debug "uri" "$uri"
  2238. removelevel=""
  2239. token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
  2240. _debug "_currentRoot" "$_currentRoot"
  2241. if [ "$vtype" = "$VTYPE_HTTP" ]; then
  2242. if [ "$_currentRoot" = "$NO_VALUE" ]; then
  2243. _info "Standalone mode server"
  2244. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex")"
  2245. _ncIndex="$(_math $_ncIndex + 1)"
  2246. _startserver "$keyauthorization" "$_ncaddr" &
  2247. if [ "$?" != "0" ]; then
  2248. _clearup
  2249. _on_issue_err
  2250. return 1
  2251. fi
  2252. serverproc="$!"
  2253. sleep 1
  2254. _debug serverproc "$serverproc"
  2255. else
  2256. if [ "$_currentRoot" = "apache" ]; then
  2257. wellknown_path="$ACME_DIR"
  2258. else
  2259. wellknown_path="$_currentRoot/.well-known/acme-challenge"
  2260. if [ ! -d "$_currentRoot/.well-known" ]; then
  2261. removelevel='1'
  2262. elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then
  2263. removelevel='2'
  2264. else
  2265. removelevel='3'
  2266. fi
  2267. fi
  2268. _debug wellknown_path "$wellknown_path"
  2269. _debug "writing token:$token to $wellknown_path/$token"
  2270. mkdir -p "$wellknown_path"
  2271. if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then
  2272. _err "$d:Can not write token to file : $wellknown_path/$token"
  2273. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2274. _clearup
  2275. _on_issue_err
  2276. return 1
  2277. fi
  2278. if [ ! "$usingApache" ]; then
  2279. if webroot_owner=$(_stat "$_currentRoot"); then
  2280. _debug "Changing owner/group of .well-known to $webroot_owner"
  2281. chown -R "$webroot_owner" "$_currentRoot/.well-known"
  2282. else
  2283. _debug "not chaning owner/group of webroot"
  2284. fi
  2285. fi
  2286. fi
  2287. elif [ "$vtype" = "$VTYPE_TLS" ]; then
  2288. #create A
  2289. #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
  2290. #_debug2 _hash_A "$_hash_A"
  2291. #_x="$(echo $_hash_A | cut -c 1-32)"
  2292. #_debug2 _x "$_x"
  2293. #_y="$(echo $_hash_A | cut -c 33-64)"
  2294. #_debug2 _y "$_y"
  2295. #_SAN_A="$_x.$_y.token.acme.invalid"
  2296. #_debug2 _SAN_A "$_SAN_A"
  2297. #create B
  2298. _hash_B="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
  2299. _debug2 _hash_B "$_hash_B"
  2300. _x="$(echo "$_hash_B" | cut -c 1-32)"
  2301. _debug2 _x "$_x"
  2302. _y="$(echo "$_hash_B" | cut -c 33-64)"
  2303. _debug2 _y "$_y"
  2304. #_SAN_B="$_x.$_y.ka.acme.invalid"
  2305. _SAN_B="$_x.$_y.acme.invalid"
  2306. _debug2 _SAN_B "$_SAN_B"
  2307. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex")"
  2308. _ncIndex="$(_math "$_ncIndex" + 1)"
  2309. if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
  2310. _err "Start tls server error."
  2311. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2312. _clearup
  2313. _on_issue_err
  2314. return 1
  2315. fi
  2316. fi
  2317. if ! _send_signed_request "$uri" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"; then
  2318. _err "$d:Can not get challenge: $response"
  2319. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2320. _clearup
  2321. _on_issue_err
  2322. return 1
  2323. fi
  2324. if [ ! -z "$code" ] && [ ! "$code" = '202' ]; then
  2325. _err "$d:Challenge error: $response"
  2326. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2327. _clearup
  2328. _on_issue_err
  2329. return 1
  2330. fi
  2331. waittimes=0
  2332. if [ -z "$MAX_RETRY_TIMES" ]; then
  2333. MAX_RETRY_TIMES=30
  2334. fi
  2335. while true; do
  2336. waittimes=$(_math "$waittimes" + 1)
  2337. if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then
  2338. _err "$d:Timeout"
  2339. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2340. _clearup
  2341. _on_issue_err
  2342. return 1
  2343. fi
  2344. _debug "sleep 2 secs to verify"
  2345. sleep 2
  2346. _debug "checking"
  2347. response="$(_get "$uri")"
  2348. if [ "$?" != "0" ]; then
  2349. _err "$d:Verify error:$response"
  2350. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2351. _clearup
  2352. _on_issue_err
  2353. return 1
  2354. fi
  2355. _debug2 original "$response"
  2356. response="$(echo "$response" | _normalizeJson)"
  2357. _debug2 response "$response"
  2358. status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
  2359. if [ "$status" = "valid" ]; then
  2360. _info "Success"
  2361. _stopserver "$serverproc"
  2362. serverproc=""
  2363. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2364. break
  2365. fi
  2366. if [ "$status" = "invalid" ]; then
  2367. error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
  2368. _debug2 error "$error"
  2369. errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
  2370. _debug2 errordetail "$errordetail"
  2371. if [ "$errordetail" ]; then
  2372. _err "$d:Verify error:$errordetail"
  2373. else
  2374. _err "$d:Verify error:$error"
  2375. fi
  2376. if [ "$DEBUG" ]; then
  2377. if [ "$vtype" = "$VTYPE_HTTP" ]; then
  2378. _debug "Debug: get token url."
  2379. _get "http://$d/.well-known/acme-challenge/$token" "" 1
  2380. fi
  2381. fi
  2382. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2383. _clearup
  2384. _on_issue_err
  2385. return 1
  2386. fi
  2387. if [ "$status" = "pending" ]; then
  2388. _info "Pending"
  2389. else
  2390. _err "$d:Verify error:$response"
  2391. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2392. _clearup
  2393. _on_issue_err
  2394. return 1
  2395. fi
  2396. done
  2397. done
  2398. _clearup
  2399. _info "Verify finished, start to sign."
  2400. der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _urlencode)"
  2401. if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
  2402. _err "Sign failed."
  2403. _on_issue_err
  2404. return 1
  2405. fi
  2406. _rcert="$response"
  2407. Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
  2408. _savedomainconf "Le_LinkCert" "$Le_LinkCert"
  2409. if [ "$Le_LinkCert" ]; then
  2410. echo "$BEGIN_CERT" >"$CERT_PATH"
  2411. #if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
  2412. # _debug "Get cert failed. Let's try last response."
  2413. # printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
  2414. #fi
  2415. if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
  2416. _debug "Try cert link."
  2417. _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
  2418. fi
  2419. echo "$END_CERT" >>"$CERT_PATH"
  2420. _info "$(__green "Cert success.")"
  2421. cat "$CERT_PATH"
  2422. _info "Your cert is in $(__green " $CERT_PATH ")"
  2423. if [ -f "$CERT_KEY_PATH" ]; then
  2424. _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
  2425. fi
  2426. cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
  2427. if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
  2428. USER_PATH="$PATH"
  2429. _saveaccountconf "USER_PATH" "$USER_PATH"
  2430. fi
  2431. fi
  2432. if [ -z "$Le_LinkCert" ]; then
  2433. response="$(echo "$response" | _dbase64 "multiline" | _normalizeJson)"
  2434. _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
  2435. _on_issue_err
  2436. return 1
  2437. fi
  2438. _cleardomainconf "Le_Vlist"
  2439. Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
  2440. if ! _contains "$Le_LinkIssuer" ":"; then
  2441. Le_LinkIssuer="$API$Le_LinkIssuer"
  2442. fi
  2443. _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
  2444. if [ "$Le_LinkIssuer" ]; then
  2445. echo "$BEGIN_CERT" >"$CA_CERT_PATH"
  2446. _get "$Le_LinkIssuer" | _base64 "multiline" >>"$CA_CERT_PATH"
  2447. echo "$END_CERT" >>"$CA_CERT_PATH"
  2448. _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
  2449. cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
  2450. _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
  2451. fi
  2452. Le_CertCreateTime=$(_time)
  2453. _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
  2454. Le_CertCreateTimeStr=$(date -u)
  2455. _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
  2456. if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ]; then
  2457. Le_RenewalDays="$MAX_RENEW"
  2458. else
  2459. _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
  2460. fi
  2461. if [ "$CA_BUNDLE" ]; then
  2462. _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
  2463. else
  2464. _clearaccountconf "CA_BUNDLE"
  2465. fi
  2466. if [ "$HTTPS_INSECURE" ]; then
  2467. _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
  2468. else
  2469. _clearaccountconf "HTTPS_INSECURE"
  2470. fi
  2471. if [ "$Le_Listen_V4" ]; then
  2472. _savedomainconf "Le_Listen_V4" "$Le_Listen_V4"
  2473. _cleardomainconf Le_Listen_V6
  2474. elif [ "$Le_Listen_V6" ]; then
  2475. _savedomainconf "Le_Listen_V6" "$Le_Listen_V6"
  2476. _cleardomainconf Le_Listen_V4
  2477. fi
  2478. Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
  2479. Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
  2480. _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  2481. Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
  2482. _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  2483. _on_issue_success
  2484. if [ "$Le_RealCertPath$Le_RealKeyPath$Le_RealCACertPath$Le_ReloadCmd$Le_RealFullChainPath" ]; then
  2485. _installcert
  2486. fi
  2487. }
  2488. #domain [isEcc]
  2489. renew() {
  2490. Le_Domain="$1"
  2491. if [ -z "$Le_Domain" ]; then
  2492. _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
  2493. return 1
  2494. fi
  2495. _isEcc="$2"
  2496. _initpath "$Le_Domain" "$_isEcc"
  2497. _info "$(__green "Renew: '$Le_Domain'")"
  2498. if [ ! -f "$DOMAIN_CONF" ]; then
  2499. _info "'$Le_Domain' is not a issued domain, skip."
  2500. return 0
  2501. fi
  2502. if [ "$Le_RenewalDays" ]; then
  2503. _savedomainconf Le_RenewalDays "$Le_RenewalDays"
  2504. fi
  2505. . "$DOMAIN_CONF"
  2506. if [ "$Le_API" ]; then
  2507. API="$Le_API"
  2508. fi
  2509. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
  2510. _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
  2511. _info "Add '$(__red '--force')' to force to renew."
  2512. return "$RENEW_SKIP"
  2513. fi
  2514. IS_RENEW="1"
  2515. issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
  2516. res="$?"
  2517. if [ "$res" != "0" ]; then
  2518. return "$res"
  2519. fi
  2520. if [ "$Le_DeployHook" ]; then
  2521. deploy "$Le_Domain" "$Le_DeployHook" "$Le_Keylength"
  2522. res="$?"
  2523. fi
  2524. IS_RENEW=""
  2525. return "$res"
  2526. }
  2527. #renewAll [stopRenewOnError]
  2528. renewAll() {
  2529. _initpath
  2530. _stopRenewOnError="$1"
  2531. _debug "_stopRenewOnError" "$_stopRenewOnError"
  2532. _ret="0"
  2533. for di in "${CERT_HOME}"/*.*/; do
  2534. _debug di "$di"
  2535. d=$(basename "$di")
  2536. _debug d "$d"
  2537. (
  2538. if _endswith "$d" "$ECC_SUFFIX"; then
  2539. _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
  2540. d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
  2541. fi
  2542. renew "$d" "$_isEcc"
  2543. )
  2544. rc="$?"
  2545. _debug "Return code: $rc"
  2546. if [ "$rc" != "0" ]; then
  2547. if [ "$rc" = "$RENEW_SKIP" ]; then
  2548. _info "Skipped $d"
  2549. elif [ "$_stopRenewOnError" ]; then
  2550. _err "Error renew $d, stop now."
  2551. return "$rc"
  2552. else
  2553. _ret="$rc"
  2554. _err "Error renew $d, Go ahead to next one."
  2555. fi
  2556. fi
  2557. done
  2558. return "$_ret"
  2559. }
  2560. #csr webroot
  2561. signcsr() {
  2562. _csrfile="$1"
  2563. _csrW="$2"
  2564. if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
  2565. _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
  2566. return 1
  2567. fi
  2568. _initpath
  2569. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2570. if [ "$?" != "0" ]; then
  2571. _err "Can not read subject from csr: $_csrfile"
  2572. return 1
  2573. fi
  2574. _debug _csrsubj "$_csrsubj"
  2575. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2576. if [ "$?" != "0" ]; then
  2577. _err "Can not read domain list from csr: $_csrfile"
  2578. return 1
  2579. fi
  2580. _debug "_csrdomainlist" "$_csrdomainlist"
  2581. if [ -z "$_csrsubj" ]; then
  2582. _csrsubj="$(_getfield "$_csrdomainlist" 1)"
  2583. _debug _csrsubj "$_csrsubj"
  2584. _csrdomainlist="$(echo "$_csrdomainlist" | cut -d , -f 2-)"
  2585. _debug "_csrdomainlist" "$_csrdomainlist"
  2586. fi
  2587. if [ -z "$_csrsubj" ]; then
  2588. _err "Can not read subject from csr: $_csrfile"
  2589. return 1
  2590. fi
  2591. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2592. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
  2593. _err "Can not read key length from csr: $_csrfile"
  2594. return 1
  2595. fi
  2596. _initpath "$_csrsubj" "$_csrkeylength"
  2597. mkdir -p "$DOMAIN_PATH"
  2598. _info "Copy csr to: $CSR_PATH"
  2599. cp "$_csrfile" "$CSR_PATH"
  2600. issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
  2601. }
  2602. showcsr() {
  2603. _csrfile="$1"
  2604. _csrd="$2"
  2605. if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
  2606. _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
  2607. return 1
  2608. fi
  2609. _initpath
  2610. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2611. if [ "$?" != "0" ] || [ -z "$_csrsubj" ]; then
  2612. _err "Can not read subject from csr: $_csrfile"
  2613. return 1
  2614. fi
  2615. _info "Subject=$_csrsubj"
  2616. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2617. if [ "$?" != "0" ]; then
  2618. _err "Can not read domain list from csr: $_csrfile"
  2619. return 1
  2620. fi
  2621. _debug "_csrdomainlist" "$_csrdomainlist"
  2622. _info "SubjectAltNames=$_csrdomainlist"
  2623. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2624. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
  2625. _err "Can not read key length from csr: $_csrfile"
  2626. return 1
  2627. fi
  2628. _info "KeyLength=$_csrkeylength"
  2629. }
  2630. list() {
  2631. _raw="$1"
  2632. _initpath
  2633. _sep="|"
  2634. if [ "$_raw" ]; then
  2635. printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
  2636. for di in "${CERT_HOME}"/*.*/; do
  2637. d=$(basename "$di")
  2638. _debug d "$d"
  2639. (
  2640. if _endswith "$d" "$ECC_SUFFIX"; then
  2641. _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
  2642. d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
  2643. fi
  2644. _initpath "$d" "$_isEcc"
  2645. if [ -f "$DOMAIN_CONF" ]; then
  2646. . "$DOMAIN_CONF"
  2647. printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
  2648. fi
  2649. )
  2650. done
  2651. else
  2652. if _exists column; then
  2653. list "raw" | column -t -s "$_sep"
  2654. else
  2655. list "raw" | tr "$_sep" '\t'
  2656. fi
  2657. fi
  2658. }
  2659. deploy() {
  2660. Le_Domain="$1"
  2661. Le_DeployHook="$2"
  2662. _isEcc="$3"
  2663. if [ -z "$Le_DeployHook" ]; then
  2664. _usage "Usage: $PROJECT_ENTRY --deploy -d domain.com --deploy-hook cpanel [--ecc] "
  2665. return 1
  2666. fi
  2667. _initpath "$Le_Domain" "$_isEcc"
  2668. if [ ! -d "$DOMAIN_PATH" ]; then
  2669. _err "Domain is not valid:'$Le_Domain'"
  2670. return 1
  2671. fi
  2672. _deployApi="$(_findHook "$Le_Domain" deploy "$Le_DeployHook")"
  2673. if [ -z "$_deployApi" ]; then
  2674. _err "The deploy hook $Le_DeployHook is not found."
  2675. return 1
  2676. fi
  2677. _debug _deployApi "$_deployApi"
  2678. _savedomainconf Le_DeployHook "$Le_DeployHook"
  2679. if ! (
  2680. if ! . "$_deployApi"; then
  2681. _err "Load file $_deployApi error. Please check your api file and try again."
  2682. return 1
  2683. fi
  2684. d_command="${Le_DeployHook}_deploy"
  2685. if ! _exists "$d_command"; then
  2686. _err "It seems that your api file is not correct, it must have a function named: $d_command"
  2687. return 1
  2688. fi
  2689. if ! $d_command "$Le_Domain" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$CERT_FULLCHAIN_PATH"; then
  2690. _err "Error deploy for domain:$Le_Domain"
  2691. _on_issue_err
  2692. return 1
  2693. fi
  2694. ); then
  2695. _err "Deploy error."
  2696. return 1
  2697. else
  2698. _info "$(__green Success)"
  2699. fi
  2700. }
  2701. installcert() {
  2702. Le_Domain="$1"
  2703. if [ -z "$Le_Domain" ]; then
  2704. _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
  2705. return 1
  2706. fi
  2707. Le_RealCertPath="$2"
  2708. Le_RealKeyPath="$3"
  2709. Le_RealCACertPath="$4"
  2710. Le_ReloadCmd="$5"
  2711. Le_RealFullChainPath="$6"
  2712. _isEcc="$7"
  2713. _initpath "$Le_Domain" "$_isEcc"
  2714. if [ ! -d "$DOMAIN_PATH" ]; then
  2715. _err "Domain is not valid:'$Le_Domain'"
  2716. return 1
  2717. fi
  2718. _installcert
  2719. }
  2720. _installcert() {
  2721. _savedomainconf "Le_RealCertPath" "$Le_RealCertPath"
  2722. _savedomainconf "Le_RealCACertPath" "$Le_RealCACertPath"
  2723. _savedomainconf "Le_RealKeyPath" "$Le_RealKeyPath"
  2724. _savedomainconf "Le_ReloadCmd" "$Le_ReloadCmd"
  2725. _savedomainconf "Le_RealFullChainPath" "$Le_RealFullChainPath"
  2726. if [ "$Le_RealCertPath" = "$NO_VALUE" ]; then
  2727. Le_RealCertPath=""
  2728. fi
  2729. if [ "$Le_RealKeyPath" = "$NO_VALUE" ]; then
  2730. Le_RealKeyPath=""
  2731. fi
  2732. if [ "$Le_RealCACertPath" = "$NO_VALUE" ]; then
  2733. Le_RealCACertPath=""
  2734. fi
  2735. if [ "$Le_ReloadCmd" = "$NO_VALUE" ]; then
  2736. Le_ReloadCmd=""
  2737. fi
  2738. if [ "$Le_RealFullChainPath" = "$NO_VALUE" ]; then
  2739. Le_RealFullChainPath=""
  2740. fi
  2741. if [ "$Le_RealCertPath" ]; then
  2742. _info "Installing cert to:$Le_RealCertPath"
  2743. if [ -f "$Le_RealCertPath" ] && [ ! "$IS_RENEW" ]; then
  2744. cp "$Le_RealCertPath" "$Le_RealCertPath".bak
  2745. fi
  2746. cat "$CERT_PATH" >"$Le_RealCertPath"
  2747. fi
  2748. if [ "$Le_RealCACertPath" ]; then
  2749. _info "Installing CA to:$Le_RealCACertPath"
  2750. if [ "$Le_RealCACertPath" = "$Le_RealCertPath" ]; then
  2751. echo "" >>"$Le_RealCACertPath"
  2752. cat "$CA_CERT_PATH" >>"$Le_RealCACertPath"
  2753. else
  2754. if [ -f "$Le_RealCACertPath" ] && [ ! "$IS_RENEW" ]; then
  2755. cp "$Le_RealCACertPath" "$Le_RealCACertPath".bak
  2756. fi
  2757. cat "$CA_CERT_PATH" >"$Le_RealCACertPath"
  2758. fi
  2759. fi
  2760. if [ "$Le_RealKeyPath" ]; then
  2761. _info "Installing key to:$Le_RealKeyPath"
  2762. if [ -f "$Le_RealKeyPath" ] && [ ! "$IS_RENEW" ]; then
  2763. cp "$Le_RealKeyPath" "$Le_RealKeyPath".bak
  2764. fi
  2765. cat "$CERT_KEY_PATH" >"$Le_RealKeyPath"
  2766. fi
  2767. if [ "$Le_RealFullChainPath" ]; then
  2768. _info "Installing full chain to:$Le_RealFullChainPath"
  2769. if [ -f "$Le_RealFullChainPath" ] && [ ! "$IS_RENEW" ]; then
  2770. cp "$Le_RealFullChainPath" "$Le_RealFullChainPath".bak
  2771. fi
  2772. cat "$CERT_FULLCHAIN_PATH" >"$Le_RealFullChainPath"
  2773. fi
  2774. if [ "$Le_ReloadCmd" ]; then
  2775. _info "Run Le_ReloadCmd: $Le_ReloadCmd"
  2776. if (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd"); then
  2777. _info "$(__green "Reload success")"
  2778. else
  2779. _err "Reload error for :$Le_Domain"
  2780. fi
  2781. fi
  2782. }
  2783. installcronjob() {
  2784. _initpath
  2785. if ! _exists "crontab"; then
  2786. _err "crontab doesn't exist, so, we can not install cron jobs."
  2787. _err "All your certs will not be renewed automatically."
  2788. _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
  2789. return 1
  2790. fi
  2791. _info "Installing cron job"
  2792. if ! crontab -l | grep "$PROJECT_ENTRY --cron"; then
  2793. if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
  2794. lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
  2795. else
  2796. _err "Can not install cronjob, $PROJECT_ENTRY not found."
  2797. return 1
  2798. fi
  2799. if _exists uname && uname -a | grep solaris >/dev/null; then
  2800. crontab -l | {
  2801. cat
  2802. echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2803. } | crontab --
  2804. else
  2805. crontab -l | {
  2806. cat
  2807. echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2808. } | crontab -
  2809. fi
  2810. fi
  2811. if [ "$?" != "0" ]; then
  2812. _err "Install cron job failed. You need to manually renew your certs."
  2813. _err "Or you can add cronjob by yourself:"
  2814. _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2815. return 1
  2816. fi
  2817. }
  2818. uninstallcronjob() {
  2819. if ! _exists "crontab"; then
  2820. return
  2821. fi
  2822. _info "Removing cron job"
  2823. cr="$(crontab -l | grep "$PROJECT_ENTRY --cron")"
  2824. if [ "$cr" ]; then
  2825. if _exists uname && uname -a | grep solaris >/dev/null; then
  2826. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab --
  2827. else
  2828. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab -
  2829. fi
  2830. LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
  2831. _info LE_WORKING_DIR "$LE_WORKING_DIR"
  2832. fi
  2833. _initpath
  2834. }
  2835. revoke() {
  2836. Le_Domain="$1"
  2837. if [ -z "$Le_Domain" ]; then
  2838. _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com"
  2839. return 1
  2840. fi
  2841. _isEcc="$2"
  2842. _initpath "$Le_Domain" "$_isEcc"
  2843. if [ ! -f "$DOMAIN_CONF" ]; then
  2844. _err "$Le_Domain is not a issued domain, skip."
  2845. return 1
  2846. fi
  2847. if [ ! -f "$CERT_PATH" ]; then
  2848. _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
  2849. return 1
  2850. fi
  2851. cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _urlencode)"
  2852. if [ -z "$cert" ]; then
  2853. _err "Cert for $Le_Domain is empty found, skip."
  2854. return 1
  2855. fi
  2856. data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
  2857. uri="$API/acme/revoke-cert"
  2858. if [ -f "$CERT_KEY_PATH" ]; then
  2859. _info "Try domain key first."
  2860. if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then
  2861. if [ -z "$response" ]; then
  2862. _info "Revoke success."
  2863. rm -f "$CERT_PATH"
  2864. return 0
  2865. else
  2866. _err "Revoke error by domain key."
  2867. _err "$response"
  2868. fi
  2869. fi
  2870. else
  2871. _info "Domain key file doesn't exists."
  2872. fi
  2873. _info "Try account key."
  2874. if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then
  2875. if [ -z "$response" ]; then
  2876. _info "Revoke success."
  2877. rm -f "$CERT_PATH"
  2878. return 0
  2879. else
  2880. _err "Revoke error."
  2881. _debug "$response"
  2882. fi
  2883. fi
  2884. return 1
  2885. }
  2886. #domain vtype
  2887. _deactivate() {
  2888. _d_domain="$1"
  2889. _d_type="$2"
  2890. _initpath
  2891. _d_i=0
  2892. _d_max_retry=9
  2893. while [ "$_d_i" -lt "$_d_max_retry" ]; do
  2894. _info "Deactivate: $_d_domain"
  2895. _d_i="$(_math $_d_i + 1)"
  2896. if ! __get_domain_new_authz "$_d_domain"; then
  2897. _err "Can not get domain new authz token."
  2898. return 1
  2899. fi
  2900. authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  2901. _debug "authzUri" "$authzUri"
  2902. if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
  2903. _err "new-authz error: $response"
  2904. return 1
  2905. fi
  2906. entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"status":"valid","uri"[^\}]*')"
  2907. _debug entry "$entry"
  2908. if [ -z "$entry" ]; then
  2909. _info "No more valid entry found."
  2910. break
  2911. fi
  2912. _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
  2913. _debug _vtype "$_vtype"
  2914. _info "Found $_vtype"
  2915. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
  2916. _debug uri "$uri"
  2917. if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
  2918. _info "Skip $_vtype"
  2919. continue
  2920. fi
  2921. _info "Deactivate: $_vtype"
  2922. if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}"; then
  2923. _err "Can not deactivate $_vtype."
  2924. return 1
  2925. fi
  2926. _info "Deactivate: $_vtype success."
  2927. done
  2928. _debug "$_d_i"
  2929. if [ "$_d_i" -lt "$_d_max_retry" ]; then
  2930. _info "Deactivated success!"
  2931. else
  2932. _err "Deactivate failed."
  2933. fi
  2934. }
  2935. deactivate() {
  2936. _d_domain_list="$1"
  2937. _d_type="$2"
  2938. _initpath
  2939. _debug _d_domain_list "$_d_domain_list"
  2940. if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
  2941. _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
  2942. return 1
  2943. fi
  2944. for _d_dm in $(echo "$_d_domain_list" | tr ',' ' '); do
  2945. if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ]; then
  2946. continue
  2947. fi
  2948. if ! _deactivate "$_d_dm" "$_d_type"; then
  2949. return 1
  2950. fi
  2951. done
  2952. }
  2953. # Detect profile file if not specified as environment variable
  2954. _detect_profile() {
  2955. if [ -n "$PROFILE" -a -f "$PROFILE" ]; then
  2956. echo "$PROFILE"
  2957. return
  2958. fi
  2959. DETECTED_PROFILE=''
  2960. SHELLTYPE="$(basename "/$SHELL")"
  2961. if [ "$SHELLTYPE" = "bash" ]; then
  2962. if [ -f "$HOME/.bashrc" ]; then
  2963. DETECTED_PROFILE="$HOME/.bashrc"
  2964. elif [ -f "$HOME/.bash_profile" ]; then
  2965. DETECTED_PROFILE="$HOME/.bash_profile"
  2966. fi
  2967. elif [ "$SHELLTYPE" = "zsh" ]; then
  2968. DETECTED_PROFILE="$HOME/.zshrc"
  2969. fi
  2970. if [ -z "$DETECTED_PROFILE" ]; then
  2971. if [ -f "$HOME/.profile" ]; then
  2972. DETECTED_PROFILE="$HOME/.profile"
  2973. elif [ -f "$HOME/.bashrc" ]; then
  2974. DETECTED_PROFILE="$HOME/.bashrc"
  2975. elif [ -f "$HOME/.bash_profile" ]; then
  2976. DETECTED_PROFILE="$HOME/.bash_profile"
  2977. elif [ -f "$HOME/.zshrc" ]; then
  2978. DETECTED_PROFILE="$HOME/.zshrc"
  2979. fi
  2980. fi
  2981. if [ ! -z "$DETECTED_PROFILE" ]; then
  2982. echo "$DETECTED_PROFILE"
  2983. fi
  2984. }
  2985. _initconf() {
  2986. _initpath
  2987. if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
  2988. echo "#ACCOUNT_CONF_PATH=xxxx
  2989. #Account configurations:
  2990. #Here are the supported macros, uncomment them to make them take effect.
  2991. #ACCOUNT_EMAIL=aaa@example.com # the account email used to register account.
  2992. #ACCOUNT_KEY_PATH=\"/path/to/account.key\"
  2993. #CERT_HOME=\"/path/to/cert/home\"
  2994. #LOG_FILE=\"$DEFAULT_LOG_FILE\"
  2995. #LOG_LEVEL=1
  2996. #AUTO_UPGRADE=\"1\"
  2997. #STAGE=1 # Use the staging api
  2998. #FORCE=1 # Force to issue cert
  2999. #DEBUG=1 # Debug mode
  3000. #USER_AGENT=\"$USER_AGENT\"
  3001. #USER_PATH=
  3002. #dns api
  3003. #######################
  3004. #Cloudflare:
  3005. #api key
  3006. #CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"
  3007. #account email
  3008. #CF_Email=\"xxxx@sss.com\"
  3009. #######################
  3010. #Dnspod.cn:
  3011. #api key id
  3012. #DP_Id=\"1234\"
  3013. #api key
  3014. #DP_Key=\"sADDsdasdgdsf\"
  3015. #######################
  3016. #Cloudxns.com:
  3017. #CX_Key=\"1234\"
  3018. #
  3019. #CX_Secret=\"sADDsdasdgdsf\"
  3020. #######################
  3021. #Godaddy.com:
  3022. #GD_Key=\"sdfdsgdgdfdasfds\"
  3023. #
  3024. #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
  3025. #######################
  3026. #nsupdate:
  3027. #NSUPDATE_KEY=\"/path/to/update.key\"
  3028. #NSUPDATE_SERVER=\"192.168.0.1\"
  3029. #######################
  3030. #PowerDNS:
  3031. #PDNS_Url=\"http://ns.example.com:8081\"
  3032. #PDNS_ServerId=\"localhost\"
  3033. #PDNS_Token=\"0123456789ABCDEF\"
  3034. #PDNS_Ttl=60
  3035. " >"$ACCOUNT_CONF_PATH"
  3036. fi
  3037. }
  3038. # nocron
  3039. _precheck() {
  3040. _nocron="$1"
  3041. if ! _exists "curl" && ! _exists "wget"; then
  3042. _err "Please install curl or wget first, we need to access http resources."
  3043. return 1
  3044. fi
  3045. if [ -z "$_nocron" ]; then
  3046. if ! _exists "crontab"; then
  3047. _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
  3048. _err "We need to set cron job to renew the certs automatically."
  3049. _err "Otherwise, your certs will not be able to be renewed automatically."
  3050. if [ -z "$FORCE" ]; then
  3051. _err "Please add '--force' and try install again to go without crontab."
  3052. _err "./$PROJECT_ENTRY --install --force"
  3053. return 1
  3054. fi
  3055. fi
  3056. fi
  3057. if ! _exists "openssl"; then
  3058. _err "Please install openssl first."
  3059. _err "We need openssl to generate keys."
  3060. return 1
  3061. fi
  3062. if ! _exists "nc"; then
  3063. _err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
  3064. _err "We use nc for standalone server if you use standalone mode."
  3065. _err "If you don't use standalone mode, just ignore this warning."
  3066. fi
  3067. return 0
  3068. }
  3069. _setShebang() {
  3070. _file="$1"
  3071. _shebang="$2"
  3072. if [ -z "$_shebang" ]; then
  3073. _usage "Usage: file shebang"
  3074. return 1
  3075. fi
  3076. cp "$_file" "$_file.tmp"
  3077. echo "$_shebang" >"$_file"
  3078. sed -n 2,99999p "$_file.tmp" >>"$_file"
  3079. rm -f "$_file.tmp"
  3080. }
  3081. _installalias() {
  3082. _initpath
  3083. _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  3084. if [ "$_upgrading" ] && [ "$_upgrading" = "1" ]; then
  3085. echo "$(cat "$_envfile")" | sed "s|^LE_WORKING_DIR.*$||" >"$_envfile"
  3086. echo "$(cat "$_envfile")" | sed "s|^alias le.*$||" >"$_envfile"
  3087. echo "$(cat "$_envfile")" | sed "s|^alias le.sh.*$||" >"$_envfile"
  3088. fi
  3089. _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
  3090. _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  3091. _profile="$(_detect_profile)"
  3092. if [ "$_profile" ]; then
  3093. _debug "Found profile: $_profile"
  3094. _info "Installing alias to '$_profile'"
  3095. _setopt "$_profile" ". \"$_envfile\""
  3096. _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
  3097. else
  3098. _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
  3099. fi
  3100. #for csh
  3101. _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
  3102. _csh_profile="$HOME/.cshrc"
  3103. if [ -f "$_csh_profile" ]; then
  3104. _info "Installing alias to '$_csh_profile'"
  3105. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  3106. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  3107. _setopt "$_csh_profile" "source \"$_cshfile\""
  3108. fi
  3109. #for tcsh
  3110. _tcsh_profile="$HOME/.tcshrc"
  3111. if [ -f "$_tcsh_profile" ]; then
  3112. _info "Installing alias to '$_tcsh_profile'"
  3113. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  3114. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  3115. _setopt "$_tcsh_profile" "source \"$_cshfile\""
  3116. fi
  3117. }
  3118. # nocron
  3119. install() {
  3120. if [ -z "$LE_WORKING_DIR" ]; then
  3121. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  3122. fi
  3123. _nocron="$1"
  3124. if ! _initpath; then
  3125. _err "Install failed."
  3126. return 1
  3127. fi
  3128. if [ "$_nocron" ]; then
  3129. _debug "Skip install cron job"
  3130. fi
  3131. if ! _precheck "$_nocron"; then
  3132. _err "Pre-check failed, can not install."
  3133. return 1
  3134. fi
  3135. #convert from le
  3136. if [ -d "$HOME/.le" ]; then
  3137. for envfile in "le.env" "le.sh.env"; do
  3138. if [ -f "$HOME/.le/$envfile" ]; then
  3139. if grep "le.sh" "$HOME/.le/$envfile" >/dev/null; then
  3140. _upgrading="1"
  3141. _info "You are upgrading from le.sh"
  3142. _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
  3143. mv "$HOME/.le" "$LE_WORKING_DIR"
  3144. mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  3145. break
  3146. fi
  3147. fi
  3148. done
  3149. fi
  3150. _info "Installing to $LE_WORKING_DIR"
  3151. if ! mkdir -p "$LE_WORKING_DIR"; then
  3152. _err "Can not create working dir: $LE_WORKING_DIR"
  3153. return 1
  3154. fi
  3155. chmod 700 "$LE_WORKING_DIR"
  3156. cp "$PROJECT_ENTRY" "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
  3157. if [ "$?" != "0" ]; then
  3158. _err "Install failed, can not copy $PROJECT_ENTRY"
  3159. return 1
  3160. fi
  3161. _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
  3162. _installalias
  3163. for subf in $_SUB_FOLDERS; do
  3164. if [ -d "$subf" ]; then
  3165. mkdir -p "$LE_WORKING_DIR/$subf"
  3166. cp "$subf"/* "$LE_WORKING_DIR"/"$subf"/
  3167. fi
  3168. done
  3169. if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
  3170. _initconf
  3171. fi
  3172. if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ]; then
  3173. _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
  3174. fi
  3175. if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ]; then
  3176. _saveaccountconf "CERT_HOME" "$CERT_HOME"
  3177. fi
  3178. if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ]; then
  3179. _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
  3180. fi
  3181. if [ -z "$_nocron" ]; then
  3182. installcronjob
  3183. fi
  3184. if [ -z "$NO_DETECT_SH" ]; then
  3185. #Modify shebang
  3186. if _exists bash; then
  3187. _info "Good, bash is found, so change the shebang to use bash as prefered."
  3188. _shebang='#!/usr/bin/env bash'
  3189. _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
  3190. for subf in $_SUB_FOLDERS; do
  3191. if [ -d "$LE_WORKING_DIR/$subf" ]; then
  3192. for _apifile in "$LE_WORKING_DIR/$subf/"*.sh; do
  3193. _setShebang "$_apifile" "$_shebang"
  3194. done
  3195. fi
  3196. done
  3197. fi
  3198. fi
  3199. _info OK
  3200. }
  3201. # nocron
  3202. uninstall() {
  3203. _nocron="$1"
  3204. if [ -z "$_nocron" ]; then
  3205. uninstallcronjob
  3206. fi
  3207. _initpath
  3208. _uninstallalias
  3209. rm -f "$LE_WORKING_DIR/$PROJECT_ENTRY"
  3210. _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself."
  3211. }
  3212. _uninstallalias() {
  3213. _initpath
  3214. _profile="$(_detect_profile)"
  3215. if [ "$_profile" ]; then
  3216. _info "Uninstalling alias from: '$_profile'"
  3217. text="$(cat "$_profile")"
  3218. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" >"$_profile"
  3219. fi
  3220. _csh_profile="$HOME/.cshrc"
  3221. if [ -f "$_csh_profile" ]; then
  3222. _info "Uninstalling alias from: '$_csh_profile'"
  3223. text="$(cat "$_csh_profile")"
  3224. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_csh_profile"
  3225. fi
  3226. _tcsh_profile="$HOME/.tcshrc"
  3227. if [ -f "$_tcsh_profile" ]; then
  3228. _info "Uninstalling alias from: '$_csh_profile'"
  3229. text="$(cat "$_tcsh_profile")"
  3230. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_tcsh_profile"
  3231. fi
  3232. }
  3233. cron() {
  3234. IN_CRON=1
  3235. _initpath
  3236. if [ "$AUTO_UPGRADE" = "1" ]; then
  3237. export LE_WORKING_DIR
  3238. (
  3239. if ! upgrade; then
  3240. _err "Cron:Upgrade failed!"
  3241. return 1
  3242. fi
  3243. )
  3244. . "$LE_WORKING_DIR/$PROJECT_ENTRY" >/dev/null
  3245. if [ -t 1 ]; then
  3246. __INTERACTIVE="1"
  3247. fi
  3248. _info "Auto upgraded to: $VER"
  3249. fi
  3250. renewAll
  3251. _ret="$?"
  3252. IN_CRON=""
  3253. exit $_ret
  3254. }
  3255. version() {
  3256. echo "$PROJECT"
  3257. echo "v$VER"
  3258. }
  3259. showhelp() {
  3260. _initpath
  3261. version
  3262. echo "Usage: $PROJECT_ENTRY command ...[parameters]....
  3263. Commands:
  3264. --help, -h Show this help message.
  3265. --version, -v Show version info.
  3266. --install Install $PROJECT_NAME to your system.
  3267. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
  3268. --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT .
  3269. --issue Issue a cert.
  3270. --signcsr Issue a cert from an existing csr.
  3271. --deploy Deploy the cert to your server.
  3272. --installcert Install the issued cert to apache/nginx or any other server.
  3273. --renew, -r Renew a cert.
  3274. --renewAll Renew all the certs.
  3275. --revoke Revoke a cert.
  3276. --list List all the certs.
  3277. --showcsr Show the content of a csr.
  3278. --installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  3279. --uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
  3280. --cron Run cron job to renew all the certs.
  3281. --toPkcs Export the certificate and key to a pfx file.
  3282. --updateaccount Update account info.
  3283. --registeraccount Register account key.
  3284. --createAccountKey, -cak Create an account private key, professional use.
  3285. --createDomainKey, -cdk Create an domain private key, professional use.
  3286. --createCSR, -ccsr Create CSR , professional use.
  3287. --deactivate Deactivate the domain authz, professional use.
  3288. Parameters:
  3289. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
  3290. --force, -f Used to force to install or force to renew a cert immediately.
  3291. --staging, --test Use staging server, just for test.
  3292. --debug Output debug info.
  3293. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
  3294. --standalone Use standalone mode.
  3295. --tls Use standalone tls mode.
  3296. --apache Use apache mode.
  3297. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
  3298. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  3299. --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  3300. --accountkeylength, -ak [2048] Specifies the account key length.
  3301. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  3302. --log-level 1|2 Specifies the log level, default is 1.
  3303. These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
  3304. --certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
  3305. --keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
  3306. --capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
  3307. --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
  3308. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  3309. --accountconf Specifies a customized account config file.
  3310. --home Specifies the home dir for $PROJECT_NAME .
  3311. --certhome Specifies the home dir to save all the certs, only valid for '--install' command.
  3312. --useragent Specifies the user agent string. it will be saved for future use too.
  3313. --accountemail Specifies the account email for registering, Only valid for the '--install' command.
  3314. --accountkey Specifies the account key path, Only valid for the '--install' command.
  3315. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
  3316. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  3317. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  3318. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  3319. --listraw Only used for '--list' command, list the certs in raw format.
  3320. --stopRenewOnError, -se Only valid for '--renewall' command. Stop if one cert has error in renewal.
  3321. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  3322. --ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
  3323. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  3324. --ecc Specifies to use the ECC cert. Valid for '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  3325. --csr Specifies the input csr.
  3326. --pre-hook Command to be run before obtaining any certificates.
  3327. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed.
  3328. --renew-hook Command to be run once for each successfully renewed certificate.
  3329. --deploy-hook The hook file to deploy cert
  3330. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
  3331. --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  3332. --listen-v4 Force standalone/tls server to listen at ipv4.
  3333. --listen-v6 Force standalone/tls server to listen at ipv6.
  3334. "
  3335. }
  3336. # nocron
  3337. _installOnline() {
  3338. _info "Installing from online archive."
  3339. _nocron="$1"
  3340. if [ ! "$BRANCH" ]; then
  3341. BRANCH="master"
  3342. fi
  3343. target="$PROJECT/archive/$BRANCH.tar.gz"
  3344. _info "Downloading $target"
  3345. localname="$BRANCH.tar.gz"
  3346. if ! _get "$target" >$localname; then
  3347. _err "Download error."
  3348. return 1
  3349. fi
  3350. (
  3351. _info "Extracting $localname"
  3352. tar xzf $localname
  3353. cd "$PROJECT_NAME-$BRANCH"
  3354. chmod +x $PROJECT_ENTRY
  3355. if ./$PROJECT_ENTRY install "$_nocron"; then
  3356. _info "Install success!"
  3357. fi
  3358. cd ..
  3359. rm -rf "$PROJECT_NAME-$BRANCH"
  3360. rm -f "$localname"
  3361. )
  3362. }
  3363. upgrade() {
  3364. if (
  3365. _initpath
  3366. export LE_WORKING_DIR
  3367. cd "$LE_WORKING_DIR"
  3368. _installOnline "nocron"
  3369. ); then
  3370. _info "Upgrade success!"
  3371. exit 0
  3372. else
  3373. _err "Upgrade failed!"
  3374. exit 1
  3375. fi
  3376. }
  3377. _processAccountConf() {
  3378. if [ "$_useragent" ]; then
  3379. _saveaccountconf "USER_AGENT" "$_useragent"
  3380. elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ]; then
  3381. _saveaccountconf "USER_AGENT" "$USER_AGENT"
  3382. fi
  3383. if [ "$_accountemail" ]; then
  3384. _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  3385. elif [ "$ACCOUNT_EMAIL" ] && [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ]; then
  3386. _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
  3387. fi
  3388. if [ "$_auto_upgrade" ]; then
  3389. _saveaccountconf "AUTO_UPGRADE" "$_auto_upgrade"
  3390. elif [ "$AUTO_UPGRADE" ]; then
  3391. _saveaccountconf "AUTO_UPGRADE" "$AUTO_UPGRADE"
  3392. fi
  3393. }
  3394. _process() {
  3395. _CMD=""
  3396. _domain=""
  3397. _altdomains="$NO_VALUE"
  3398. _webroot=""
  3399. _keylength=""
  3400. _accountkeylength=""
  3401. _certpath=""
  3402. _keypath=""
  3403. _capath=""
  3404. _fullchainpath=""
  3405. _reloadcmd=""
  3406. _password=""
  3407. _accountconf=""
  3408. _useragent=""
  3409. _accountemail=""
  3410. _accountkey=""
  3411. _certhome=""
  3412. _httpport=""
  3413. _tlsport=""
  3414. _dnssleep=""
  3415. _listraw=""
  3416. _stopRenewOnError=""
  3417. #_insecure=""
  3418. _ca_bundle=""
  3419. _nocron=""
  3420. _ecc=""
  3421. _csr=""
  3422. _pre_hook=""
  3423. _post_hook=""
  3424. _renew_hook=""
  3425. _deploy_hook=""
  3426. _logfile=""
  3427. _log=""
  3428. _local_address=""
  3429. _log_level=""
  3430. _auto_upgrade=""
  3431. _listen_v4=""
  3432. _listen_v6=""
  3433. while [ ${#} -gt 0 ]; do
  3434. case "${1}" in
  3435. --help | -h)
  3436. showhelp
  3437. return
  3438. ;;
  3439. --version | -v)
  3440. version
  3441. return
  3442. ;;
  3443. --install)
  3444. _CMD="install"
  3445. ;;
  3446. --uninstall)
  3447. _CMD="uninstall"
  3448. ;;
  3449. --upgrade)
  3450. _CMD="upgrade"
  3451. ;;
  3452. --issue)
  3453. _CMD="issue"
  3454. ;;
  3455. --deploy)
  3456. _CMD="deploy"
  3457. ;;
  3458. --signcsr)
  3459. _CMD="signcsr"
  3460. ;;
  3461. --showcsr)
  3462. _CMD="showcsr"
  3463. ;;
  3464. --installcert | -i)
  3465. _CMD="installcert"
  3466. ;;
  3467. --renew | -r)
  3468. _CMD="renew"
  3469. ;;
  3470. --renewAll | --renewall)
  3471. _CMD="renewAll"
  3472. ;;
  3473. --revoke)
  3474. _CMD="revoke"
  3475. ;;
  3476. --list)
  3477. _CMD="list"
  3478. ;;
  3479. --installcronjob)
  3480. _CMD="installcronjob"
  3481. ;;
  3482. --uninstallcronjob)
  3483. _CMD="uninstallcronjob"
  3484. ;;
  3485. --cron)
  3486. _CMD="cron"
  3487. ;;
  3488. --toPkcs)
  3489. _CMD="toPkcs"
  3490. ;;
  3491. --createAccountKey | --createaccountkey | -cak)
  3492. _CMD="createAccountKey"
  3493. ;;
  3494. --createDomainKey | --createdomainkey | -cdk)
  3495. _CMD="createDomainKey"
  3496. ;;
  3497. --createCSR | --createcsr | -ccr)
  3498. _CMD="createCSR"
  3499. ;;
  3500. --deactivate)
  3501. _CMD="deactivate"
  3502. ;;
  3503. --updateaccount)
  3504. _CMD="updateaccount"
  3505. ;;
  3506. --registeraccount)
  3507. _CMD="registeraccount"
  3508. ;;
  3509. --domain | -d)
  3510. _dvalue="$2"
  3511. if [ "$_dvalue" ]; then
  3512. if _startswith "$_dvalue" "-"; then
  3513. _err "'$_dvalue' is not a valid domain for parameter '$1'"
  3514. return 1
  3515. fi
  3516. if _is_idn "$_dvalue" && ! _exists idn; then
  3517. _err "It seems that $_dvalue is an IDN( Internationalized Domain Names), please install 'idn' command first."
  3518. return 1
  3519. fi
  3520. if [ -z "$_domain" ]; then
  3521. _domain="$_dvalue"
  3522. else
  3523. if [ "$_altdomains" = "$NO_VALUE" ]; then
  3524. _altdomains="$_dvalue"
  3525. else
  3526. _altdomains="$_altdomains,$_dvalue"
  3527. fi
  3528. fi
  3529. fi
  3530. shift
  3531. ;;
  3532. --force | -f)
  3533. FORCE="1"
  3534. ;;
  3535. --staging | --test)
  3536. STAGE="1"
  3537. ;;
  3538. --debug)
  3539. if [ -z "$2" ] || _startswith "$2" "-"; then
  3540. DEBUG="1"
  3541. else
  3542. DEBUG="$2"
  3543. shift
  3544. fi
  3545. ;;
  3546. --webroot | -w)
  3547. wvalue="$2"
  3548. if [ -z "$_webroot" ]; then
  3549. _webroot="$wvalue"
  3550. else
  3551. _webroot="$_webroot,$wvalue"
  3552. fi
  3553. shift
  3554. ;;
  3555. --standalone)
  3556. wvalue="$NO_VALUE"
  3557. if [ -z "$_webroot" ]; then
  3558. _webroot="$wvalue"
  3559. else
  3560. _webroot="$_webroot,$wvalue"
  3561. fi
  3562. ;;
  3563. --local-address)
  3564. lvalue="$2"
  3565. _local_address="$_local_address$lvalue,"
  3566. shift
  3567. ;;
  3568. --apache)
  3569. wvalue="apache"
  3570. if [ -z "$_webroot" ]; then
  3571. _webroot="$wvalue"
  3572. else
  3573. _webroot="$_webroot,$wvalue"
  3574. fi
  3575. ;;
  3576. --tls)
  3577. wvalue="$W_TLS"
  3578. if [ -z "$_webroot" ]; then
  3579. _webroot="$wvalue"
  3580. else
  3581. _webroot="$_webroot,$wvalue"
  3582. fi
  3583. ;;
  3584. --dns)
  3585. wvalue="dns"
  3586. if ! _startswith "$2" "-"; then
  3587. wvalue="$2"
  3588. shift
  3589. fi
  3590. if [ -z "$_webroot" ]; then
  3591. _webroot="$wvalue"
  3592. else
  3593. _webroot="$_webroot,$wvalue"
  3594. fi
  3595. ;;
  3596. --dnssleep)
  3597. _dnssleep="$2"
  3598. Le_DNSSleep="$_dnssleep"
  3599. shift
  3600. ;;
  3601. --keylength | -k)
  3602. _keylength="$2"
  3603. shift
  3604. ;;
  3605. --accountkeylength | -ak)
  3606. _accountkeylength="$2"
  3607. shift
  3608. ;;
  3609. --certpath)
  3610. _certpath="$2"
  3611. shift
  3612. ;;
  3613. --keypath)
  3614. _keypath="$2"
  3615. shift
  3616. ;;
  3617. --capath)
  3618. _capath="$2"
  3619. shift
  3620. ;;
  3621. --fullchainpath)
  3622. _fullchainpath="$2"
  3623. shift
  3624. ;;
  3625. --reloadcmd | --reloadCmd)
  3626. _reloadcmd="$2"
  3627. shift
  3628. ;;
  3629. --password)
  3630. _password="$2"
  3631. shift
  3632. ;;
  3633. --accountconf)
  3634. _accountconf="$2"
  3635. ACCOUNT_CONF_PATH="$_accountconf"
  3636. shift
  3637. ;;
  3638. --home)
  3639. LE_WORKING_DIR="$2"
  3640. shift
  3641. ;;
  3642. --certhome)
  3643. _certhome="$2"
  3644. CERT_HOME="$_certhome"
  3645. shift
  3646. ;;
  3647. --useragent)
  3648. _useragent="$2"
  3649. USER_AGENT="$_useragent"
  3650. shift
  3651. ;;
  3652. --accountemail)
  3653. _accountemail="$2"
  3654. ACCOUNT_EMAIL="$_accountemail"
  3655. shift
  3656. ;;
  3657. --accountkey)
  3658. _accountkey="$2"
  3659. ACCOUNT_KEY_PATH="$_accountkey"
  3660. shift
  3661. ;;
  3662. --days)
  3663. _days="$2"
  3664. Le_RenewalDays="$_days"
  3665. shift
  3666. ;;
  3667. --httpport)
  3668. _httpport="$2"
  3669. Le_HTTPPort="$_httpport"
  3670. shift
  3671. ;;
  3672. --tlsport)
  3673. _tlsport="$2"
  3674. Le_TLSPort="$_tlsport"
  3675. shift
  3676. ;;
  3677. --listraw)
  3678. _listraw="raw"
  3679. ;;
  3680. --stopRenewOnError | --stoprenewonerror | -se)
  3681. _stopRenewOnError="1"
  3682. ;;
  3683. --insecure)
  3684. #_insecure="1"
  3685. HTTPS_INSECURE="1"
  3686. ;;
  3687. --ca-bundle)
  3688. _ca_bundle="$(readlink -f "$2")"
  3689. CA_BUNDLE="$_ca_bundle"
  3690. shift
  3691. ;;
  3692. --nocron)
  3693. _nocron="1"
  3694. ;;
  3695. --ecc)
  3696. _ecc="isEcc"
  3697. ;;
  3698. --csr)
  3699. _csr="$2"
  3700. shift
  3701. ;;
  3702. --pre-hook)
  3703. _pre_hook="$2"
  3704. shift
  3705. ;;
  3706. --post-hook)
  3707. _post_hook="$2"
  3708. shift
  3709. ;;
  3710. --renew-hook)
  3711. _renew_hook="$2"
  3712. shift
  3713. ;;
  3714. --deploy-hook)
  3715. _deploy_hook="$2"
  3716. shift
  3717. ;;
  3718. --ocsp-must-staple | --ocsp)
  3719. Le_OCSP_Stable="1"
  3720. ;;
  3721. --log | --logfile)
  3722. _log="1"
  3723. _logfile="$2"
  3724. if _startswith "$_logfile" '-'; then
  3725. _logfile=""
  3726. else
  3727. shift
  3728. fi
  3729. LOG_FILE="$_logfile"
  3730. if [ -z "$LOG_LEVEL" ]; then
  3731. LOG_LEVEL="$DEFAULT_LOG_LEVEL"
  3732. fi
  3733. ;;
  3734. --log-level)
  3735. _log_level="$2"
  3736. LOG_LEVEL="$_log_level"
  3737. shift
  3738. ;;
  3739. --auto-upgrade)
  3740. _auto_upgrade="$2"
  3741. if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then
  3742. _auto_upgrade="1"
  3743. else
  3744. shift
  3745. fi
  3746. AUTO_UPGRADE="$_auto_upgrade"
  3747. ;;
  3748. --listen-v4)
  3749. _listen_v4="1"
  3750. Le_Listen_V4="$_listen_v4"
  3751. ;;
  3752. --listen-v6)
  3753. _listen_v6="1"
  3754. Le_Listen_V6="$_listen_v6"
  3755. ;;
  3756. *)
  3757. _err "Unknown parameter : $1"
  3758. return 1
  3759. ;;
  3760. esac
  3761. shift 1
  3762. done
  3763. if [ "${_CMD}" != "install" ]; then
  3764. __initHome
  3765. if [ "$_log" ]; then
  3766. if [ -z "$_logfile" ]; then
  3767. _logfile="$DEFAULT_LOG_FILE"
  3768. fi
  3769. fi
  3770. if [ "$_logfile" ]; then
  3771. _saveaccountconf "LOG_FILE" "$_logfile"
  3772. LOG_FILE="$_logfile"
  3773. fi
  3774. if [ "$_log_level" ]; then
  3775. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3776. LOG_LEVEL="$_log_level"
  3777. fi
  3778. _processAccountConf
  3779. fi
  3780. _debug2 LE_WORKING_DIR "$LE_WORKING_DIR"
  3781. if [ "$DEBUG" ]; then
  3782. version
  3783. fi
  3784. case "${_CMD}" in
  3785. install) install "$_nocron" ;;
  3786. uninstall) uninstall "$_nocron" ;;
  3787. upgrade) upgrade ;;
  3788. issue)
  3789. issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
  3790. ;;
  3791. deploy)
  3792. deploy "$_domain" "$_deploy_hook" "$_ecc"
  3793. ;;
  3794. signcsr)
  3795. signcsr "$_csr" "$_webroot"
  3796. ;;
  3797. showcsr)
  3798. showcsr "$_csr" "$_domain"
  3799. ;;
  3800. installcert)
  3801. installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
  3802. ;;
  3803. renew)
  3804. renew "$_domain" "$_ecc"
  3805. ;;
  3806. renewAll)
  3807. renewAll "$_stopRenewOnError"
  3808. ;;
  3809. revoke)
  3810. revoke "$_domain" "$_ecc"
  3811. ;;
  3812. deactivate)
  3813. deactivate "$_domain,$_altdomains"
  3814. ;;
  3815. registeraccount)
  3816. registeraccount "$_accountkeylength"
  3817. ;;
  3818. updateaccount)
  3819. updateaccount
  3820. ;;
  3821. list)
  3822. list "$_listraw"
  3823. ;;
  3824. installcronjob) installcronjob ;;
  3825. uninstallcronjob) uninstallcronjob ;;
  3826. cron) cron ;;
  3827. toPkcs)
  3828. toPkcs "$_domain" "$_password" "$_ecc"
  3829. ;;
  3830. createAccountKey)
  3831. createAccountKey "$_accountkeylength"
  3832. ;;
  3833. createDomainKey)
  3834. createDomainKey "$_domain" "$_keylength"
  3835. ;;
  3836. createCSR)
  3837. createCSR "$_domain" "$_altdomains" "$_ecc"
  3838. ;;
  3839. *)
  3840. _err "Invalid command: $_CMD"
  3841. showhelp
  3842. return 1
  3843. ;;
  3844. esac
  3845. _ret="$?"
  3846. if [ "$_ret" != "0" ]; then
  3847. return $_ret
  3848. fi
  3849. if [ "${_CMD}" = "install" ]; then
  3850. if [ "$_log" ]; then
  3851. if [ -z "$LOG_FILE" ]; then
  3852. LOG_FILE="$DEFAULT_LOG_FILE"
  3853. fi
  3854. _saveaccountconf "LOG_FILE" "$LOG_FILE"
  3855. fi
  3856. if [ "$_log_level" ]; then
  3857. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3858. fi
  3859. _processAccountConf
  3860. fi
  3861. }
  3862. if [ "$INSTALLONLINE" ]; then
  3863. INSTALLONLINE=""
  3864. _installOnline $BRANCH
  3865. exit
  3866. fi
  3867. main() {
  3868. [ -z "$1" ] && showhelp && return
  3869. if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
  3870. }
  3871. main "$@"