You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3945 lines
98 KiB

9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. VER=2.5.8
  3. PROJECT_NAME="acme.sh"
  4. PROJECT_ENTRY="acme.sh"
  5. PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
  6. DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
  7. _SCRIPT_="$0"
  8. DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
  9. DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  10. DEFAULT_USER_AGENT="$PROJECT_ENTRY client v$VER : $PROJECT"
  11. DEFAULT_ACCOUNT_EMAIL=""
  12. STAGE_CA="https://acme-staging.api.letsencrypt.org"
  13. VTYPE_HTTP="http-01"
  14. VTYPE_DNS="dns-01"
  15. VTYPE_TLS="tls-sni-01"
  16. VTYPE_TLS2="tls-sni-02"
  17. LOCAL_ANY_ADDRESS="0.0.0.0"
  18. MAX_RENEW=80
  19. DEFAULT_DNS_SLEEP=120
  20. NO_VALUE="no"
  21. W_TLS="tls"
  22. STATE_VERIFIED="verified_ok"
  23. BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
  24. END_CSR="-----END CERTIFICATE REQUEST-----"
  25. BEGIN_CERT="-----BEGIN CERTIFICATE-----"
  26. END_CERT="-----END CERTIFICATE-----"
  27. RENEW_SKIP=2
  28. ECC_SEP="_"
  29. ECC_SUFFIX="${ECC_SEP}ecc"
  30. LOG_LEVEL_1=1
  31. LOG_LEVEL_2=2
  32. LOG_LEVEL_3=3
  33. DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
  34. _DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
  35. __INTERACTIVE=""
  36. if [ -t 1 ] ; then
  37. __INTERACTIVE="1"
  38. fi
  39. __green() {
  40. if [ "$__INTERACTIVE" ] ; then
  41. printf '\033[1;31;32m'
  42. fi
  43. printf -- "$1"
  44. if [ "$__INTERACTIVE" ] ; then
  45. printf '\033[0m'
  46. fi
  47. }
  48. __red() {
  49. if [ "$__INTERACTIVE" ] ; then
  50. printf '\033[1;31;40m'
  51. fi
  52. printf -- "$1"
  53. if [ "$__INTERACTIVE" ] ; then
  54. printf '\033[0m'
  55. fi
  56. }
  57. _printargs() {
  58. if [ -z "$2" ] ; then
  59. printf -- "[$(date)] $1"
  60. else
  61. printf -- "[$(date)] $1='$2'"
  62. fi
  63. printf "\n"
  64. }
  65. _log() {
  66. [ -z "$LOG_FILE" ] && return
  67. _printargs "$@" >> "$LOG_FILE"
  68. }
  69. _info() {
  70. _log "$@"
  71. _printargs "$@"
  72. }
  73. _err() {
  74. _log "$@"
  75. __red "$(_printargs "$@")" >&2
  76. printf "\n" >&2
  77. return 1
  78. }
  79. _usage() {
  80. __red "$@"
  81. }
  82. _debug() {
  83. if [ -z "$LOG_LEVEL" ] || [ "$LOG_LEVEL" -ge "$LOG_LEVEL_1" ] ; then
  84. _log "$@"
  85. fi
  86. if [ -z "$DEBUG" ] ; then
  87. return
  88. fi
  89. _printargs "$@" >&2
  90. }
  91. _debug2() {
  92. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_2" ] ; then
  93. _log "$@"
  94. fi
  95. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  96. _debug "$@"
  97. fi
  98. }
  99. _debug3() {
  100. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_3" ] ; then
  101. _log "$@"
  102. fi
  103. if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ] ; then
  104. _debug "$@"
  105. fi
  106. }
  107. _startswith(){
  108. _str="$1"
  109. _sub="$2"
  110. echo "$_str" | grep "^$_sub" >/dev/null 2>&1
  111. }
  112. _endswith(){
  113. _str="$1"
  114. _sub="$2"
  115. echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
  116. }
  117. _contains(){
  118. _str="$1"
  119. _sub="$2"
  120. echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
  121. }
  122. _hasfield() {
  123. _str="$1"
  124. _field="$2"
  125. _sep="$3"
  126. if [ -z "$_field" ] ; then
  127. _usage "Usage: str field [sep]"
  128. return 1
  129. fi
  130. if [ -z "$_sep" ] ; then
  131. _sep=","
  132. fi
  133. for f in $(echo "$_str" | tr ',' ' ') ; do
  134. if [ "$f" = "$_field" ] ; then
  135. _debug2 "'$_str' contains '$_field'"
  136. return 0 #contains ok
  137. fi
  138. done
  139. _debug2 "'$_str' does not contain '$_field'"
  140. return 1 #not contains
  141. }
  142. _getfield(){
  143. _str="$1"
  144. _findex="$2"
  145. _sep="$3"
  146. if [ -z "$_findex" ] ; then
  147. _usage "Usage: str field [sep]"
  148. return 1
  149. fi
  150. if [ -z "$_sep" ] ; then
  151. _sep=","
  152. fi
  153. _ffi=$_findex
  154. while [ "$_ffi" -gt "0" ]
  155. do
  156. _fv="$(echo "$_str" | cut -d $_sep -f $_ffi)"
  157. if [ "$_fv" ] ; then
  158. printf -- "%s" "$_fv"
  159. return 0
  160. fi
  161. _ffi="$(_math $_ffi - 1)"
  162. done
  163. printf -- "%s" "$_str"
  164. }
  165. _exists(){
  166. cmd="$1"
  167. if [ -z "$cmd" ] ; then
  168. _usage "Usage: _exists cmd"
  169. return 1
  170. fi
  171. if type command >/dev/null 2>&1 ; then
  172. command -v "$cmd" >/dev/null 2>&1
  173. else
  174. type "$cmd" >/dev/null 2>&1
  175. fi
  176. ret="$?"
  177. _debug3 "$cmd exists=$ret"
  178. return $ret
  179. }
  180. #a + b
  181. _math(){
  182. expr "$@"
  183. }
  184. _h_char_2_dec() {
  185. _ch=$1
  186. case "${_ch}" in
  187. a|A)
  188. printf "10"
  189. ;;
  190. b|B)
  191. printf "11"
  192. ;;
  193. c|C)
  194. printf "12"
  195. ;;
  196. d|D)
  197. printf "13"
  198. ;;
  199. e|E)
  200. printf "14"
  201. ;;
  202. f|F)
  203. printf "15"
  204. ;;
  205. *)
  206. printf "%s" "$_ch"
  207. ;;
  208. esac
  209. }
  210. _URGLY_PRINTF=""
  211. if [ "$(printf '\x41')" != 'A' ] ; then
  212. _URGLY_PRINTF=1
  213. fi
  214. _h2b() {
  215. hex=$(cat)
  216. i=1
  217. j=2
  218. if _exists let ; then
  219. uselet="1"
  220. fi
  221. _debug3 uselet "$uselet"
  222. _debug3 _URGLY_PRINTF "$_URGLY_PRINTF"
  223. while true ; do
  224. if [ -z "$_URGLY_PRINTF" ] ; then
  225. h="$(printf $hex | cut -c $i-$j)"
  226. if [ -z "$h" ] ; then
  227. break;
  228. fi
  229. printf "\x$h"
  230. else
  231. ic="$(printf $hex | cut -c $i)"
  232. jc="$(printf $hex | cut -c $j)"
  233. if [ -z "$ic$jc" ] ; then
  234. break;
  235. fi
  236. ic="$(_h_char_2_dec "$ic")"
  237. jc="$(_h_char_2_dec "$jc")"
  238. printf '\'"$(printf %o "$(_math $ic \* 16 + $jc)")"
  239. fi
  240. if [ "$uselet" ] ; then
  241. let "i+=2" >/dev/null
  242. let "j+=2" >/dev/null
  243. else
  244. i="$(_math $i + 2)"
  245. j="$(_math $j + 2)"
  246. fi
  247. done
  248. }
  249. #options file
  250. _sed_i() {
  251. options="$1"
  252. filename="$2"
  253. if [ -z "$filename" ] ; then
  254. _usage "Usage:_sed_i options filename"
  255. return 1
  256. fi
  257. _debug2 options "$options"
  258. if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
  259. _debug "Using sed -i"
  260. sed -i "$options" "$filename"
  261. else
  262. _debug "No -i support in sed"
  263. text="$(cat "$filename")"
  264. echo "$text" | sed "$options" > "$filename"
  265. fi
  266. }
  267. _egrep_o() {
  268. if _contains "$(egrep -o 2>&1)" "egrep: illegal option -- o" ; then
  269. sed -n 's/.*\('"$1"'\).*/\1/p'
  270. else
  271. egrep -o "$1"
  272. fi
  273. }
  274. #Usage: file startline endline
  275. _getfile() {
  276. filename="$1"
  277. startline="$2"
  278. endline="$3"
  279. if [ -z "$endline" ] ; then
  280. _usage "Usage: file startline endline"
  281. return 1
  282. fi
  283. i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
  284. if [ -z "$i" ] ; then
  285. _err "Can not find start line: $startline"
  286. return 1
  287. fi
  288. i="$(_math "$i" + 1)"
  289. _debug i "$i"
  290. j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
  291. if [ -z "$j" ] ; then
  292. _err "Can not find end line: $endline"
  293. return 1
  294. fi
  295. j="$(_math "$j" - 1)"
  296. _debug j "$j"
  297. sed -n "$i,${j}p" "$filename"
  298. }
  299. #Usage: multiline
  300. _base64() {
  301. if [ "$1" ] ; then
  302. openssl base64 -e
  303. else
  304. openssl base64 -e | tr -d '\r\n'
  305. fi
  306. }
  307. #Usage: multiline
  308. _dbase64() {
  309. if [ "$1" ] ; then
  310. openssl base64 -d -A
  311. else
  312. openssl base64 -d
  313. fi
  314. }
  315. #Usage: hashalg [outputhex]
  316. #Output Base64-encoded digest
  317. _digest() {
  318. alg="$1"
  319. if [ -z "$alg" ] ; then
  320. _usage "Usage: _digest hashalg"
  321. return 1
  322. fi
  323. outputhex="$2"
  324. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
  325. if [ "$outputhex" ] ; then
  326. openssl dgst -$alg -hex | cut -d = -f 2 | tr -d ' '
  327. else
  328. openssl dgst -$alg -binary | _base64
  329. fi
  330. else
  331. _err "$alg is not supported yet"
  332. return 1
  333. fi
  334. }
  335. #Usage: keyfile hashalg
  336. #Output: Base64-encoded signature value
  337. _sign() {
  338. keyfile="$1"
  339. alg="$2"
  340. if [ -z "$alg" ] ; then
  341. _usage "Usage: _sign keyfile hashalg"
  342. return 1
  343. fi
  344. if [ "$alg" = "sha256" ] ; then
  345. openssl dgst -sha256 -sign "$keyfile" | _base64
  346. else
  347. _err "$alg is not supported yet"
  348. return 1
  349. fi
  350. }
  351. #keylength
  352. _isEccKey() {
  353. _length="$1"
  354. if [ -z "$_length" ] ;then
  355. return 1
  356. fi
  357. [ "$_length" != "1024" ] \
  358. && [ "$_length" != "2048" ] \
  359. && [ "$_length" != "3072" ] \
  360. && [ "$_length" != "4096" ] \
  361. && [ "$_length" != "8192" ]
  362. }
  363. # _createkey 2048|ec-256 file
  364. _createkey() {
  365. length="$1"
  366. f="$2"
  367. eccname="$length"
  368. if _startswith "$length" "ec-" ; then
  369. length=$(printf $length | cut -d '-' -f 2-100)
  370. if [ "$length" = "256" ] ; then
  371. eccname="prime256v1"
  372. fi
  373. if [ "$length" = "384" ] ; then
  374. eccname="secp384r1"
  375. fi
  376. if [ "$length" = "521" ] ; then
  377. eccname="secp521r1"
  378. fi
  379. fi
  380. if [ -z "$length" ] ; then
  381. length=2048
  382. fi
  383. _debug "Use length $length"
  384. if _isEccKey "$length" ; then
  385. _debug "Using ec name: $eccname"
  386. openssl ecparam -name $eccname -genkey 2>/dev/null > "$f"
  387. else
  388. _debug "Using RSA: $length"
  389. openssl genrsa $length 2>/dev/null > "$f"
  390. fi
  391. if [ "$?" != "0" ] ; then
  392. _err "Create key error."
  393. return 1
  394. fi
  395. }
  396. #_createcsr cn san_list keyfile csrfile conf
  397. _createcsr() {
  398. _debug _createcsr
  399. domain="$1"
  400. domainlist="$2"
  401. csrkey="$3"
  402. csr="$4"
  403. csrconf="$5"
  404. _debug2 domain "$domain"
  405. _debug2 domainlist "$domainlist"
  406. _debug2 csrkey "$csrkey"
  407. _debug2 csr "$csr"
  408. _debug2 csrconf "$csrconf"
  409. printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" > "$csrconf"
  410. if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
  411. #single domain
  412. _info "Single domain" "$domain"
  413. else
  414. if _contains "$domainlist" "," ; then
  415. alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")"
  416. else
  417. alt="DNS:$domainlist"
  418. fi
  419. #multi
  420. _info "Multi domain" "$alt"
  421. printf -- "\nsubjectAltName=$alt" >> "$csrconf"
  422. fi
  423. if [ "$Le_OCSP_Stable" ] ; then
  424. _savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable"
  425. printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "$csrconf"
  426. fi
  427. openssl req -new -sha256 -key "$csrkey" -subj "/CN=$domain" -config "$csrconf" -out "$csr"
  428. }
  429. #_signcsr key csr conf cert
  430. _signcsr() {
  431. key="$1"
  432. csr="$2"
  433. conf="$3"
  434. cert="$4"
  435. _debug "_signcsr"
  436. _msg="$(openssl x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
  437. _ret="$?"
  438. _debug "$_msg"
  439. return $_ret
  440. }
  441. #_csrfile
  442. _readSubjectFromCSR() {
  443. _csrfile="$1"
  444. if [ -z "$_csrfile" ] ; then
  445. _usage "_readSubjectFromCSR mycsr.csr"
  446. return 1
  447. fi
  448. openssl req -noout -in "$_csrfile" -subject | _egrep_o "CN=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
  449. }
  450. #_csrfile
  451. #echo comma separated domain list
  452. _readSubjectAltNamesFromCSR() {
  453. _csrfile="$1"
  454. if [ -z "$_csrfile" ] ; then
  455. _usage "_readSubjectAltNamesFromCSR mycsr.csr"
  456. return 1
  457. fi
  458. _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  459. _debug _csrsubj "$_csrsubj"
  460. _dnsAltnames="$(openssl req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  461. _debug _dnsAltnames "$_dnsAltnames"
  462. if _contains "$_dnsAltnames," "DNS:$_csrsubj," ; then
  463. _debug "AltNames contains subject"
  464. _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
  465. else
  466. _debug "AltNames doesn't contain subject"
  467. fi
  468. printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
  469. }
  470. #_csrfile
  471. _readKeyLengthFromCSR() {
  472. _csrfile="$1"
  473. if [ -z "$_csrfile" ] ; then
  474. _usage "_readKeyLengthFromCSR mycsr.csr"
  475. return 1
  476. fi
  477. _outcsr="$(openssl req -noout -text -in "$_csrfile")"
  478. if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey" ; then
  479. _debug "ECC CSR"
  480. echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
  481. else
  482. _debug "RSA CSR"
  483. echo "$_outcsr" | _egrep_o "^ *Public-Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
  484. fi
  485. }
  486. _ss() {
  487. _port="$1"
  488. if _exists "ss" ; then
  489. _debug "Using: ss"
  490. ss -ntpl | grep ":$_port "
  491. return 0
  492. fi
  493. if _exists "netstat" ; then
  494. _debug "Using: netstat"
  495. if netstat -h 2>&1 | grep "\-p proto" >/dev/null ; then
  496. #for windows version netstat tool
  497. netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
  498. else
  499. if netstat -help 2>&1 | grep "\-p protocol" >/dev/null ; then
  500. netstat -an -p tcp | grep LISTEN | grep ":$_port "
  501. elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null ; then
  502. #for solaris
  503. netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
  504. else
  505. netstat -ntpl | grep ":$_port "
  506. fi
  507. fi
  508. return 0
  509. fi
  510. return 1
  511. }
  512. #domain [password] [isEcc]
  513. toPkcs() {
  514. domain="$1"
  515. pfxPassword="$2"
  516. if [ -z "$domain" ] ; then
  517. _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
  518. return 1
  519. fi
  520. _isEcc="$3"
  521. _initpath "$domain" "$_isEcc"
  522. if [ "$pfxPassword" ] ; then
  523. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
  524. else
  525. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
  526. fi
  527. if [ "$?" = "0" ] ; then
  528. _info "Success, Pfx is exported to: $CERT_PFX_PATH"
  529. fi
  530. }
  531. #[2048]
  532. createAccountKey() {
  533. _info "Creating account key"
  534. if [ -z "$1" ] ; then
  535. _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
  536. return
  537. fi
  538. length=$1
  539. if _isEccKey "$length" ; then
  540. length=2048
  541. fi
  542. if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ] ; then
  543. _debug "Use default length 2048"
  544. length=2048
  545. fi
  546. _debug length "$length"
  547. _initpath
  548. if [ -f "$ACCOUNT_KEY_PATH" ] ; then
  549. _info "Account key exists, skip"
  550. return
  551. else
  552. #generate account key
  553. _createkey "$length" "$ACCOUNT_KEY_PATH"
  554. fi
  555. }
  556. #domain [length]
  557. createDomainKey() {
  558. _info "Creating domain key"
  559. if [ -z "$1" ] ; then
  560. _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
  561. return
  562. fi
  563. domain=$1
  564. length=$2
  565. _initpath $domain "$length"
  566. if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then
  567. _createkey "$length" "$CERT_KEY_PATH"
  568. else
  569. if [ "$IS_RENEW" ] ; then
  570. _info "Domain key exists, skip"
  571. return 0
  572. else
  573. _err "Domain key exists, do you want to overwrite the key?"
  574. _err "Add '--force', and try again."
  575. return 1
  576. fi
  577. fi
  578. }
  579. # domain domainlist isEcc
  580. createCSR() {
  581. _info "Creating csr"
  582. if [ -z "$1" ] ; then
  583. _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
  584. return
  585. fi
  586. domain="$1"
  587. domainlist="$2"
  588. _isEcc="$3"
  589. _initpath "$domain" "$_isEcc"
  590. if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
  591. _info "CSR exists, skip"
  592. return
  593. fi
  594. if [ ! -f "$CERT_KEY_PATH" ] ; then
  595. _err "The key file is not found: $CERT_KEY_PATH"
  596. _err "Please create the key file first."
  597. return 1
  598. fi
  599. _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
  600. }
  601. _urlencode() {
  602. __n=$(cat)
  603. echo $__n | tr '/+' '_-' | tr -d '= '
  604. }
  605. _time2str() {
  606. #BSD
  607. if date -u -d@$1 2>/dev/null ; then
  608. return
  609. fi
  610. #Linux
  611. if date -u -r $1 2>/dev/null ; then
  612. return
  613. fi
  614. #Soaris
  615. if _exists adb ; then
  616. echo $(echo "0t${1}=Y" | adb)
  617. fi
  618. }
  619. _normalizeJson() {
  620. sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
  621. }
  622. _stat() {
  623. #Linux
  624. if stat -c '%U:%G' "$1" 2>/dev/null ; then
  625. return
  626. fi
  627. #BSD
  628. if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then
  629. return
  630. fi
  631. return 1; #error, 'stat' not found
  632. }
  633. #keyfile
  634. _calcjwk() {
  635. keyfile="$1"
  636. if [ -z "$keyfile" ] ; then
  637. _usage "Usage: _calcjwk keyfile"
  638. return 1
  639. fi
  640. EC_SIGN=""
  641. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then
  642. _debug "RSA key"
  643. pub_exp=$(openssl rsa -in $keyfile -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
  644. if [ "${#pub_exp}" = "5" ] ; then
  645. pub_exp=0$pub_exp
  646. fi
  647. _debug3 pub_exp "$pub_exp"
  648. e=$(echo $pub_exp | _h2b | _base64)
  649. _debug3 e "$e"
  650. modulus=$(openssl rsa -in $keyfile -modulus -noout | cut -d '=' -f 2 )
  651. _debug3 modulus "$modulus"
  652. n="$(printf "%s" "$modulus"| _h2b | _base64 | _urlencode )"
  653. jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
  654. _debug3 jwk "$jwk"
  655. HEADER='{"alg": "RS256", "jwk": '$jwk'}'
  656. HEADERPLACE_PART1='{"nonce": "'
  657. HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
  658. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then
  659. _debug "EC key"
  660. EC_SIGN="1"
  661. crv="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
  662. _debug3 crv "$crv"
  663. pubi="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
  664. pubi=$(_math $pubi + 1)
  665. _debug3 pubi "$pubi"
  666. pubj="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
  667. pubj=$(_math $pubj + 1)
  668. _debug3 pubj "$pubj"
  669. pubtext="$(openssl ec -in $keyfile -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
  670. _debug3 pubtext "$pubtext"
  671. xlen="$(printf "$pubtext" | tr -d ':' | wc -c)"
  672. xlen=$(_math $xlen / 4)
  673. _debug3 xlen "$xlen"
  674. xend=$(_math "$xend" + 1)
  675. x="$(printf $pubtext | cut -d : -f 2-$xend)"
  676. _debug3 x "$x"
  677. x64="$(printf $x | tr -d : | _h2b | _base64 | _urlencode)"
  678. _debug3 x64 "$x64"
  679. xend=$(_math "$xend" + 1)
  680. y="$(printf $pubtext | cut -d : -f $xend-10000)"
  681. _debug3 y "$y"
  682. y64="$(printf $y | tr -d : | _h2b | _base64 | _urlencode)"
  683. _debug3 y64 "$y64"
  684. jwk='{"kty": "EC", "crv": "'$crv'", "x": "'$x64'", "y": "'$y64'"}'
  685. _debug3 jwk "$jwk"
  686. HEADER='{"alg": "ES256", "jwk": '$jwk'}'
  687. HEADERPLACE_PART1='{"nonce": "'
  688. HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}'
  689. else
  690. _err "Only RSA or EC key is supported."
  691. return 1
  692. fi
  693. _debug3 HEADER "$HEADER"
  694. }
  695. _time() {
  696. date -u "+%s"
  697. }
  698. _mktemp() {
  699. if _exists mktemp ; then
  700. if mktemp 2>/dev/null ; then
  701. return
  702. elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null ; then
  703. #for Mac osx
  704. return
  705. fi
  706. fi
  707. if [ -d "/tmp" ] ; then
  708. echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
  709. return 0
  710. fi
  711. _err "Can not create temp file."
  712. }
  713. _inithttp() {
  714. if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER" ; then
  715. HTTP_HEADER="$(_mktemp)"
  716. _debug2 HTTP_HEADER "$HTTP_HEADER"
  717. fi
  718. if [ -z "$CURL" ] ; then
  719. CURL="curl -L --silent --dump-header $HTTP_HEADER "
  720. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  721. _CURL_DUMP="$(_mktemp)"
  722. CURL="$CURL --trace-ascii $_CURL_DUMP "
  723. fi
  724. if [ "$CA_BUNDLE" ] ; then
  725. CURL="$CURL --cacert $CA_BUNDLE "
  726. fi
  727. if [ "$HTTPS_INSECURE" ] ; then
  728. CURL="$CURL --insecure "
  729. fi
  730. fi
  731. if [ -z "$WGET" ] ; then
  732. WGET="wget -q"
  733. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  734. WGET="$WGET -d "
  735. fi
  736. if [ "$CA_BUNDLE" ] ; then
  737. WGET="$WGET --ca-certificate $CA_BUNDLE "
  738. fi
  739. if [ "$HTTPS_INSECURE" ] ; then
  740. WGET="$WGET --no-check-certificate "
  741. fi
  742. fi
  743. }
  744. # body url [needbase64] [POST|PUT]
  745. _post() {
  746. body="$1"
  747. url="$2"
  748. needbase64="$3"
  749. httpmethod="$4"
  750. if [ -z "$httpmethod" ] ; then
  751. httpmethod="POST"
  752. fi
  753. _debug $httpmethod
  754. _debug "url" "$url"
  755. _debug2 "body" "$body"
  756. _inithttp
  757. if _exists "curl" ; then
  758. _CURL="$CURL"
  759. _debug "_CURL" "$_CURL"
  760. if [ "$needbase64" ] ; then
  761. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
  762. else
  763. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" )"
  764. fi
  765. _ret="$?"
  766. if [ "$_ret" != "0" ] ; then
  767. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
  768. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  769. _err "Here is the curl dump log:"
  770. _err "$(cat "$_CURL_DUMP")"
  771. fi
  772. fi
  773. elif _exists "wget" ; then
  774. _debug "WGET" "$WGET"
  775. if [ "$needbase64" ] ; then
  776. if [ "$httpmethod"="POST" ] ; then
  777. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  778. else
  779. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  780. fi
  781. else
  782. if [ "$httpmethod"="POST" ] ; then
  783. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
  784. else
  785. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
  786. fi
  787. fi
  788. _ret="$?"
  789. if [ "$_ret" != "0" ] ; then
  790. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
  791. fi
  792. _sed_i "s/^ *//g" "$HTTP_HEADER"
  793. else
  794. _ret="$?"
  795. _err "Neither curl nor wget is found, can not do $httpmethod."
  796. fi
  797. _debug "_ret" "$_ret"
  798. printf "%s" "$response"
  799. return $_ret
  800. }
  801. # url getheader timeout
  802. _get() {
  803. _debug GET
  804. url="$1"
  805. onlyheader="$2"
  806. t="$3"
  807. _debug url $url
  808. _debug "timeout" "$t"
  809. _inithttp
  810. if _exists "curl" ; then
  811. _CURL="$CURL"
  812. if [ "$t" ] ; then
  813. _CURL="$_CURL --connect-timeout $t"
  814. fi
  815. _debug "_CURL" "$_CURL"
  816. if [ "$onlyheader" ] ; then
  817. $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" $url
  818. else
  819. $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" $url
  820. fi
  821. ret=$?
  822. if [ "$ret" != "0" ] ; then
  823. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
  824. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  825. _err "Here is the curl dump log:"
  826. _err "$(cat "$_CURL_DUMP")"
  827. fi
  828. fi
  829. elif _exists "wget" ; then
  830. _WGET="$WGET"
  831. if [ "$t" ] ; then
  832. _WGET="$_WGET --timeout=$t"
  833. fi
  834. _debug "_WGET" "$_WGET"
  835. if [ "$onlyheader" ] ; then
  836. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null $url 2>&1 | sed 's/^[ ]*//g'
  837. else
  838. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - $url
  839. fi
  840. ret=$?
  841. if [ "$ret" != "0" ] ; then
  842. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
  843. fi
  844. else
  845. ret=$?
  846. _err "Neither curl nor wget is found, can not do GET."
  847. fi
  848. _debug "ret" "$ret"
  849. return $ret
  850. }
  851. # url payload needbase64 keyfile
  852. _send_signed_request() {
  853. url=$1
  854. payload=$2
  855. needbase64=$3
  856. keyfile=$4
  857. if [ -z "$keyfile" ] ; then
  858. keyfile="$ACCOUNT_KEY_PATH"
  859. fi
  860. _debug url $url
  861. _debug payload "$payload"
  862. if ! _calcjwk "$keyfile" ; then
  863. return 1
  864. fi
  865. payload64=$(printf "%s" "$payload" | _base64 | _urlencode)
  866. _debug3 payload64 $payload64
  867. nonceurl="$API/directory"
  868. _headers="$(_get $nonceurl "onlyheader")"
  869. if [ "$?" != "0" ] ; then
  870. _err "Can not connect to $nonceurl to get nonce."
  871. return 1
  872. fi
  873. _debug3 _headers "$_headers"
  874. nonce="$( echo "$_headers" | grep "Replay-Nonce:" | head -1 | tr -d "\r\n " | cut -d ':' -f 2)"
  875. _debug3 nonce "$nonce"
  876. protected="$HEADERPLACE_PART1$nonce$HEADERPLACE_PART2"
  877. _debug3 protected "$protected"
  878. protected64="$(printf "$protected" | _base64 | _urlencode)"
  879. _debug3 protected64 "$protected64"
  880. sig=$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256" | _urlencode)
  881. _debug3 sig "$sig"
  882. body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
  883. _debug3 body "$body"
  884. response="$(_post "$body" $url "$needbase64")"
  885. if [ "$?" != "0" ] ; then
  886. _err "Can not post to $url."
  887. return 1
  888. fi
  889. _debug2 original "$response"
  890. response="$( echo "$response" | _normalizeJson )"
  891. responseHeaders="$(cat $HTTP_HEADER)"
  892. _debug2 responseHeaders "$responseHeaders"
  893. _debug2 response "$response"
  894. code="$(grep "^HTTP" $HTTP_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )"
  895. _debug code $code
  896. }
  897. #setopt "file" "opt" "=" "value" [";"]
  898. _setopt() {
  899. __conf="$1"
  900. __opt="$2"
  901. __sep="$3"
  902. __val="$4"
  903. __end="$5"
  904. if [ -z "$__opt" ] ; then
  905. _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
  906. return
  907. fi
  908. if [ ! -f "$__conf" ] ; then
  909. touch "$__conf"
  910. fi
  911. if grep -n "^$__opt$__sep" "$__conf" > /dev/null ; then
  912. _debug3 OK
  913. if _contains "$__val" "&" ; then
  914. __val="$(echo $__val | sed 's/&/\\&/g')"
  915. fi
  916. text="$(cat $__conf)"
  917. echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf"
  918. elif grep -n "^#$__opt$__sep" "$__conf" > /dev/null ; then
  919. if _contains "$__val" "&" ; then
  920. __val="$(echo $__val | sed 's/&/\\&/g')"
  921. fi
  922. text="$(cat $__conf)"
  923. echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf"
  924. else
  925. _debug3 APP
  926. echo "$__opt$__sep$__val$__end" >> "$__conf"
  927. fi
  928. _debug2 "$(grep -n "^$__opt$__sep" $__conf)"
  929. }
  930. #_savedomainconf key value
  931. #save to domain.conf
  932. _savedomainconf() {
  933. _sdkey="$1"
  934. _sdvalue="$2"
  935. if [ "$DOMAIN_CONF" ] ; then
  936. _setopt "$DOMAIN_CONF" "$_sdkey" "=" "\"$_sdvalue\""
  937. else
  938. _err "DOMAIN_CONF is empty, can not save $_sdkey=$_sdvalue"
  939. fi
  940. }
  941. #_cleardomainconf key
  942. _cleardomainconf() {
  943. _sdkey="$1"
  944. if [ "$DOMAIN_CONF" ] ; then
  945. _sed_i "s/^$_sdkey.*$//" "$DOMAIN_CONF"
  946. else
  947. _err "DOMAIN_CONF is empty, can not save $_sdkey=$value"
  948. fi
  949. }
  950. #_readdomainconf key
  951. _readdomainconf() {
  952. _sdkey="$1"
  953. if [ "$DOMAIN_CONF" ] ; then
  954. (
  955. eval $(grep "^$_sdkey *=" "$DOMAIN_CONF")
  956. eval "printf \"%s\" \"\$$_sdkey\""
  957. )
  958. else
  959. _err "DOMAIN_CONF is empty, can not read $_sdkey"
  960. fi
  961. }
  962. #_saveaccountconf key value
  963. _saveaccountconf() {
  964. _sckey="$1"
  965. _scvalue="$2"
  966. if [ "$ACCOUNT_CONF_PATH" ] ; then
  967. _setopt "$ACCOUNT_CONF_PATH" "$_sckey" "=" "\"$_scvalue\""
  968. else
  969. _err "ACCOUNT_CONF_PATH is empty, can not save $_sckey=$_scvalue"
  970. fi
  971. }
  972. #_clearaccountconf key
  973. _clearaccountconf() {
  974. _scvalue="$1"
  975. if [ "$ACCOUNT_CONF_PATH" ] ; then
  976. _sed_i "s/^$_scvalue.*$//" "$ACCOUNT_CONF_PATH"
  977. else
  978. _err "ACCOUNT_CONF_PATH is empty, can not clear $_scvalue"
  979. fi
  980. }
  981. # content localaddress
  982. _startserver() {
  983. content="$1"
  984. ncaddr="$2"
  985. _debug "ncaddr" "$ncaddr"
  986. _debug "startserver: $$"
  987. nchelp="$(nc -h 2>&1)"
  988. if echo "$nchelp" | grep "\-q[ ,]" >/dev/null ; then
  989. _NC="nc -q 1 -l $ncaddr"
  990. else
  991. if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null ; then
  992. _NC="nc -c -l $ncaddr"
  993. elif echo "$nchelp" | grep "\-N" |grep "Shutdown the network socket after EOF on stdin" >/dev/null ; then
  994. _NC="nc -N -l $ncaddr"
  995. else
  996. _NC="nc -l $ncaddr"
  997. fi
  998. fi
  999. _debug "_NC" "$_NC"
  1000. _debug Le_HTTPPort "$Le_HTTPPort"
  1001. # while true ; do
  1002. if [ "$DEBUG" ] ; then
  1003. if ! printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort ; then
  1004. printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort ;
  1005. fi
  1006. else
  1007. if ! printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort > /dev/null 2>&1; then
  1008. printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort > /dev/null 2>&1
  1009. fi
  1010. fi
  1011. if [ "$?" != "0" ] ; then
  1012. _err "nc listen error."
  1013. exit 1
  1014. fi
  1015. # done
  1016. }
  1017. _stopserver(){
  1018. pid="$1"
  1019. _debug "pid" "$pid"
  1020. if [ -z "$pid" ] ; then
  1021. return
  1022. fi
  1023. _debug2 "Le_HTTPPort" "$Le_HTTPPort"
  1024. if [ "$Le_HTTPPort" ] ; then
  1025. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ] ; then
  1026. _get "http://localhost:$Le_HTTPPort" "" 1
  1027. else
  1028. _get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
  1029. fi
  1030. fi
  1031. _debug2 "Le_TLSPort" "$Le_TLSPort"
  1032. if [ "$Le_TLSPort" ] ; then
  1033. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ] ; then
  1034. _get "https://localhost:$Le_TLSPort" "" 1
  1035. _get "https://localhost:$Le_TLSPort" "" 1
  1036. else
  1037. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1038. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1039. fi
  1040. fi
  1041. }
  1042. # _starttlsserver san_a san_b port content
  1043. _starttlsserver() {
  1044. _info "Starting tls server."
  1045. san_a="$1"
  1046. san_b="$2"
  1047. port="$3"
  1048. content="$4"
  1049. _debug san_a "$san_a"
  1050. _debug san_b "$san_b"
  1051. _debug port "$port"
  1052. #create key TLS_KEY
  1053. if ! _createkey "2048" "$TLS_KEY" ; then
  1054. _err "Create tls validation key error."
  1055. return 1
  1056. fi
  1057. #create csr
  1058. alt="$san_a"
  1059. if [ "$san_b" ] ; then
  1060. alt="$alt,$san_b"
  1061. fi
  1062. if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" ; then
  1063. _err "Create tls validation csr error."
  1064. return 1
  1065. fi
  1066. #self signed
  1067. if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT" ; then
  1068. _err "Create tls validation cert error."
  1069. return 1
  1070. fi
  1071. #start openssl
  1072. _debug "openssl s_server -cert \"$TLS_CERT\" -key \"$TLS_KEY\" -accept $port -tlsextdebug"
  1073. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  1074. (printf "HTTP/1.1 200 OK\r\n\r\n$content" | openssl s_server -cert "$TLS_CERT" -key "$TLS_KEY" -accept $port -tlsextdebug ) &
  1075. else
  1076. (printf "HTTP/1.1 200 OK\r\n\r\n$content" | openssl s_server -cert "$TLS_CERT" -key "$TLS_KEY" -accept $port >/dev/null 2>&1) &
  1077. fi
  1078. serverproc="$!"
  1079. sleep 2
  1080. _debug serverproc $serverproc
  1081. }
  1082. #file
  1083. _readlink() {
  1084. _rf="$1"
  1085. if ! readlink -f "$_rf" 2>/dev/null; then
  1086. if _startswith "$_rf" "\./$PROJECT_ENTRY" ; then
  1087. printf -- "%s" "$(pwd)/$PROJECT_ENTRY"
  1088. return 0
  1089. fi
  1090. readlink "$_rf"
  1091. fi
  1092. }
  1093. __initHome() {
  1094. if [ -z "$_SCRIPT_HOME" ] ; then
  1095. if _exists readlink && _exists dirname ; then
  1096. _debug "Lets guess script dir."
  1097. _debug "_SCRIPT_" "$_SCRIPT_"
  1098. _script="$(_readlink "$_SCRIPT_")"
  1099. _debug "_script" "$_script"
  1100. _script_home="$(dirname "$_script")"
  1101. _debug "_script_home" "$_script_home"
  1102. if [ -d "$_script_home" ] ; then
  1103. _SCRIPT_HOME="$_script_home"
  1104. else
  1105. _err "It seems the script home is not correct:$_script_home"
  1106. fi
  1107. fi
  1108. fi
  1109. if [ -z "$LE_WORKING_DIR" ] ; then
  1110. if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ] ; then
  1111. _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
  1112. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1113. else
  1114. LE_WORKING_DIR="$_SCRIPT_HOME"
  1115. fi
  1116. fi
  1117. if [ -z "$LE_WORKING_DIR" ] ; then
  1118. _debug "Using default home:$DEFAULT_INSTALL_HOME"
  1119. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1120. fi
  1121. export LE_WORKING_DIR
  1122. _DEFAULT_ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf"
  1123. if [ -z "$ACCOUNT_CONF_PATH" ] ; then
  1124. if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ] ; then
  1125. . "$_DEFAULT_ACCOUNT_CONF_PATH"
  1126. fi
  1127. fi
  1128. if [ -z "$ACCOUNT_CONF_PATH" ] ; then
  1129. ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
  1130. fi
  1131. DEFAULT_LOG_FILE="$LE_WORKING_DIR/$PROJECT_NAME.log"
  1132. DEFAULT_CA_HOME="$LE_WORKING_DIR/ca"
  1133. }
  1134. #[domain] [keylength]
  1135. _initpath() {
  1136. __initHome
  1137. if [ -f "$ACCOUNT_CONF_PATH" ] ; then
  1138. . "$ACCOUNT_CONF_PATH"
  1139. fi
  1140. if [ "$IN_CRON" ] ; then
  1141. if [ ! "$_USER_PATH_EXPORTED" ] ; then
  1142. _USER_PATH_EXPORTED=1
  1143. export PATH="$USER_PATH:$PATH"
  1144. fi
  1145. fi
  1146. if [ -z "$CA_HOME" ] ; then
  1147. CA_HOME="$DEFAULT_CA_HOME"
  1148. fi
  1149. if [ -z "$API" ] ; then
  1150. if [ -z "$STAGE" ] ; then
  1151. API="$DEFAULT_CA"
  1152. else
  1153. API="$STAGE_CA"
  1154. _info "Using stage api:$API"
  1155. fi
  1156. fi
  1157. _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
  1158. CA_DIR="$CA_HOME/$_API_HOST"
  1159. _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
  1160. if [ -z "$CA_CONF" ] ; then
  1161. CA_CONF="$_DEFAULT_CA_CONF"
  1162. fi
  1163. if [ -f "$CA_CONF" ] ; then
  1164. . "$CA_CONF"
  1165. fi
  1166. if [ -z "$ACME_DIR" ] ; then
  1167. ACME_DIR="/home/.acme"
  1168. fi
  1169. if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then
  1170. APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR"
  1171. fi
  1172. if [ -z "$USER_AGENT" ] ; then
  1173. USER_AGENT="$DEFAULT_USER_AGENT"
  1174. fi
  1175. if [ -z "$HTTP_HEADER" ] ; then
  1176. HTTP_HEADER="$LE_WORKING_DIR/http.header"
  1177. fi
  1178. _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
  1179. _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
  1180. _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  1181. _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  1182. if [ -z "$ACCOUNT_KEY_PATH" ] ; then
  1183. ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  1184. fi
  1185. if [ -z "$ACCOUNT_JSON_PATH" ] ; then
  1186. ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
  1187. fi
  1188. _DEFAULT_CERT_HOME="$LE_WORKING_DIR"
  1189. if [ -z "$CERT_HOME" ] ; then
  1190. CERT_HOME="$_DEFAULT_CERT_HOME"
  1191. fi
  1192. if [ -z "$1" ] ; then
  1193. return 0
  1194. fi
  1195. mkdir -p "$CA_DIR"
  1196. domain="$1"
  1197. _ilength="$2"
  1198. if [ -z "$DOMAIN_PATH" ] ; then
  1199. domainhome="$CERT_HOME/$domain"
  1200. domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
  1201. DOMAIN_PATH="$domainhome"
  1202. if _isEccKey "$_ilength" ; then
  1203. DOMAIN_PATH="$domainhomeecc"
  1204. else
  1205. if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ] ; then
  1206. _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
  1207. fi
  1208. fi
  1209. _debug DOMAIN_PATH "$DOMAIN_PATH"
  1210. fi
  1211. if [ ! -d "$DOMAIN_PATH" ] ; then
  1212. if ! mkdir -p "$DOMAIN_PATH" ; then
  1213. _err "Can not create domain path: $DOMAIN_PATH"
  1214. return 1
  1215. fi
  1216. fi
  1217. if [ -z "$DOMAIN_CONF" ] ; then
  1218. DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
  1219. fi
  1220. if [ -z "$DOMAIN_SSL_CONF" ] ; then
  1221. DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
  1222. fi
  1223. if [ -z "$CSR_PATH" ] ; then
  1224. CSR_PATH="$DOMAIN_PATH/$domain.csr"
  1225. fi
  1226. if [ -z "$CERT_KEY_PATH" ] ; then
  1227. CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
  1228. fi
  1229. if [ -z "$CERT_PATH" ] ; then
  1230. CERT_PATH="$DOMAIN_PATH/$domain.cer"
  1231. fi
  1232. if [ -z "$CA_CERT_PATH" ] ; then
  1233. CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
  1234. fi
  1235. if [ -z "$CERT_FULLCHAIN_PATH" ] ; then
  1236. CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
  1237. fi
  1238. if [ -z "$CERT_PFX_PATH" ] ; then
  1239. CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
  1240. fi
  1241. if [ -z "$TLS_CONF" ] ; then
  1242. TLS_CONF="$DOMAIN_PATH/tls.valdation.conf"
  1243. fi
  1244. if [ -z "$TLS_CERT" ] ; then
  1245. TLS_CERT="$DOMAIN_PATH/tls.valdation.cert"
  1246. fi
  1247. if [ -z "$TLS_KEY" ] ; then
  1248. TLS_KEY="$DOMAIN_PATH/tls.valdation.key"
  1249. fi
  1250. if [ -z "$TLS_CSR" ] ; then
  1251. TLS_CSR="$DOMAIN_PATH/tls.valdation.csr"
  1252. fi
  1253. }
  1254. _apachePath() {
  1255. _APACHECTL="apachectl"
  1256. if ! _exists apachectl ; then
  1257. if _exists apache2ctl ; then
  1258. _APACHECTL="apache2ctl"
  1259. else
  1260. _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
  1261. _err "Please use webroot mode to try again."
  1262. return 1
  1263. fi
  1264. fi
  1265. httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )"
  1266. _debug httpdconfname "$httpdconfname"
  1267. if _startswith "$httpdconfname" '/' ; then
  1268. httpdconf="$httpdconfname"
  1269. httpdconfname="$(basename $httpdconfname)"
  1270. else
  1271. httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )"
  1272. _debug httpdroot "$httpdroot"
  1273. httpdconf="$httpdroot/$httpdconfname"
  1274. httpdconfname="$(basename $httpdconfname)"
  1275. fi
  1276. _debug httpdconf "$httpdconf"
  1277. _debug httpdconfname "$httpdconfname"
  1278. if [ ! -f "$httpdconf" ] ; then
  1279. _err "Apache Config file not found" "$httpdconf"
  1280. return 1
  1281. fi
  1282. return 0
  1283. }
  1284. _restoreApache() {
  1285. if [ -z "$usingApache" ] ; then
  1286. return 0
  1287. fi
  1288. _initpath
  1289. if ! _apachePath ; then
  1290. return 1
  1291. fi
  1292. if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then
  1293. _debug "No config file to restore."
  1294. return 0
  1295. fi
  1296. cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" > "$httpdconf"
  1297. _debug "Restored: $httpdconf."
  1298. if ! $_APACHECTL -t >/dev/null 2>&1 ; then
  1299. _err "Sorry, restore apache config error, please contact me."
  1300. return 1;
  1301. fi
  1302. _debug "Restored successfully."
  1303. rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1304. return 0
  1305. }
  1306. _setApache() {
  1307. _initpath
  1308. if ! _apachePath ; then
  1309. return 1
  1310. fi
  1311. #test the conf first
  1312. _info "Checking if there is an error in the apache config file before starting."
  1313. _msg="$($_APACHECTL -t 2>&1 )"
  1314. if [ "$?" != "0" ] ; then
  1315. _err "Sorry, apache config file has error, please fix it first, then try again."
  1316. _err "Don't worry, there is nothing changed to your system."
  1317. _err "$_msg"
  1318. return 1;
  1319. else
  1320. _info "OK"
  1321. fi
  1322. #backup the conf
  1323. _debug "Backup apache config file" "$httpdconf"
  1324. if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/" ; then
  1325. _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
  1326. _err "This might be a bug of $PROJECT_NAME , pleae report issue: $PROJECT"
  1327. return 1
  1328. fi
  1329. _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1330. _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
  1331. _info "The backup file will be deleted on sucess, just forget it."
  1332. #add alias
  1333. apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2 )"
  1334. _debug "apacheVer" "$apacheVer"
  1335. apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
  1336. apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
  1337. if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ] ; then
  1338. echo "
  1339. Alias /.well-known/acme-challenge $ACME_DIR
  1340. <Directory $ACME_DIR >
  1341. Require all granted
  1342. </Directory>
  1343. " >> "$httpdconf"
  1344. else
  1345. echo "
  1346. Alias /.well-known/acme-challenge $ACME_DIR
  1347. <Directory $ACME_DIR >
  1348. Order allow,deny
  1349. Allow from all
  1350. </Directory>
  1351. " >> "$httpdconf"
  1352. fi
  1353. _msg="$($_APACHECTL -t 2>&1 )"
  1354. if [ "$?" != "0" ] ; then
  1355. _err "Sorry, apache config error"
  1356. if _restoreApache ; then
  1357. _err "The apache config file is restored."
  1358. else
  1359. _err "Sorry, The apache config file can not be restored, please report bug."
  1360. fi
  1361. return 1;
  1362. fi
  1363. if [ ! -d "$ACME_DIR" ] ; then
  1364. mkdir -p "$ACME_DIR"
  1365. chmod 755 "$ACME_DIR"
  1366. fi
  1367. if ! $_APACHECTL graceful ; then
  1368. _err "Sorry, $_APACHECTL graceful error, please contact me."
  1369. _restoreApache
  1370. return 1;
  1371. fi
  1372. usingApache="1"
  1373. return 0
  1374. }
  1375. _clearup() {
  1376. _stopserver $serverproc
  1377. serverproc=""
  1378. _restoreApache
  1379. if [ -z "$DEBUG" ] ; then
  1380. rm -f "$TLS_CONF"
  1381. rm -f "$TLS_CERT"
  1382. rm -f "$TLS_KEY"
  1383. rm -f "$TLS_CSR"
  1384. fi
  1385. }
  1386. # webroot removelevel tokenfile
  1387. _clearupwebbroot() {
  1388. __webroot="$1"
  1389. if [ -z "$__webroot" ] ; then
  1390. _debug "no webroot specified, skip"
  1391. return 0
  1392. fi
  1393. _rmpath=""
  1394. if [ "$2" = '1' ] ; then
  1395. _rmpath="$__webroot/.well-known"
  1396. elif [ "$2" = '2' ] ; then
  1397. _rmpath="$__webroot/.well-known/acme-challenge"
  1398. elif [ "$2" = '3' ] ; then
  1399. _rmpath="$__webroot/.well-known/acme-challenge/$3"
  1400. else
  1401. _debug "Skip for removelevel:$2"
  1402. fi
  1403. if [ "$_rmpath" ] ; then
  1404. if [ "$DEBUG" ] ; then
  1405. _debug "Debugging, skip removing: $_rmpath"
  1406. else
  1407. rm -rf "$_rmpath"
  1408. fi
  1409. fi
  1410. return 0
  1411. }
  1412. _on_before_issue() {
  1413. _debug _on_before_issue
  1414. if _hasfield "$Le_Webroot" "$NO_VALUE" ; then
  1415. if ! _exists "nc" ; then
  1416. _err "Please install netcat(nc) tools first."
  1417. return 1
  1418. fi
  1419. elif ! _hasfield "$Le_Webroot" "$W_TLS" ; then
  1420. #no need to check anymore
  1421. return 0
  1422. fi
  1423. _debug Le_LocalAddress "$Le_LocalAddress"
  1424. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
  1425. _index=1
  1426. _currentRoot=""
  1427. _addrIndex=1
  1428. for d in $alldomains
  1429. do
  1430. _debug "Check for domain" $d
  1431. _currentRoot="$(_getfield "$Le_Webroot" $_index)"
  1432. _debug "_currentRoot" "$_currentRoot"
  1433. _index=$(_math $_index + 1)
  1434. _checkport=""
  1435. if [ "$_currentRoot" = "$NO_VALUE" ] ; then
  1436. _info "Standalone mode."
  1437. if [ -z "$Le_HTTPPort" ] ; then
  1438. Le_HTTPPort=80
  1439. else
  1440. _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
  1441. fi
  1442. _checkport="$Le_HTTPPort"
  1443. elif [ "$_currentRoot" = "$W_TLS" ] ; then
  1444. _info "Standalone tls mode."
  1445. if [ -z "$Le_TLSPort" ] ; then
  1446. Le_TLSPort=443
  1447. else
  1448. _savedomainconf "Le_TLSPort" "$Le_TLSPort"
  1449. fi
  1450. _checkport="$Le_TLSPort"
  1451. fi
  1452. if [ "$_checkport" ] ; then
  1453. _debug _checkport "$_checkport"
  1454. _checkaddr="$(_getfield "$Le_LocalAddress" $_addrIndex)"
  1455. _debug _checkaddr "$_checkaddr"
  1456. _addrIndex="$(_math $_addrIndex + 1)"
  1457. _netprc="$(_ss "$_checkport" | grep "$_checkport")"
  1458. netprc="$(echo "$_netprc" | grep "$_checkaddr")"
  1459. if [ -z "$netprc" ] ; then
  1460. netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
  1461. fi
  1462. if [ "$netprc" ] ; then
  1463. _err "$netprc"
  1464. _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
  1465. _err "Please stop it first"
  1466. return 1
  1467. fi
  1468. fi
  1469. done
  1470. if _hasfield "$Le_Webroot" "apache" ; then
  1471. if ! _setApache ; then
  1472. _err "set up apache error. Report error to me."
  1473. return 1
  1474. fi
  1475. else
  1476. usingApache=""
  1477. fi
  1478. #run pre hook
  1479. if [ "$Le_PreHook" ] ; then
  1480. _info "Run pre hook:'$Le_PreHook'"
  1481. if ! (
  1482. cd "$DOMAIN_PATH" && eval "$Le_PreHook"
  1483. ) ; then
  1484. _err "Error when run pre hook."
  1485. return 1
  1486. fi
  1487. fi
  1488. }
  1489. _on_issue_err() {
  1490. _debug _on_issue_err
  1491. if [ "$LOG_FILE" ] ; then
  1492. _err "Please check log file for more details: $LOG_FILE"
  1493. else
  1494. _err "Please use add '--debug' or '--log' to check more details."
  1495. _err "See: $_DEBUG_WIKI"
  1496. fi
  1497. #run the post hook
  1498. if [ "$Le_PostHook" ] ; then
  1499. _info "Run post hook:'$Le_PostHook'"
  1500. if ! (
  1501. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1502. ) ; then
  1503. _err "Error when run post hook."
  1504. return 1
  1505. fi
  1506. fi
  1507. }
  1508. _on_issue_success() {
  1509. _debug _on_issue_success
  1510. #run the post hook
  1511. if [ "$Le_PostHook" ] ; then
  1512. _info "Run post hook:'$Le_PostHook'"
  1513. if ! (
  1514. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1515. ) ; then
  1516. _err "Error when run post hook."
  1517. return 1
  1518. fi
  1519. fi
  1520. #run renew hook
  1521. if [ "$IS_RENEW" ] && [ "$Le_RenewHook" ] ; then
  1522. _info "Run renew hook:'$Le_RenewHook'"
  1523. if ! (
  1524. cd "$DOMAIN_PATH" && eval "$Le_RenewHook"
  1525. ) ; then
  1526. _err "Error when run renew hook."
  1527. return 1
  1528. fi
  1529. fi
  1530. }
  1531. updateaccount() {
  1532. _initpath
  1533. _regAccount
  1534. }
  1535. registeraccount() {
  1536. _initpath
  1537. _regAccount
  1538. }
  1539. _regAccount() {
  1540. _initpath
  1541. if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
  1542. _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
  1543. mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  1544. fi
  1545. if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
  1546. _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
  1547. mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  1548. fi
  1549. if [ ! -f "$ACCOUNT_KEY_PATH" ] ; then
  1550. _acck="no"
  1551. if [ "$Le_Keylength" ] ; then
  1552. _acck="$Le_Keylength"
  1553. fi
  1554. if ! createAccountKey "$_acck" ; then
  1555. _err "Create account key error."
  1556. return 1
  1557. fi
  1558. fi
  1559. if ! _calcjwk "$ACCOUNT_KEY_PATH" ; then
  1560. return 1
  1561. fi
  1562. _updateTos=""
  1563. _reg_res="new-reg"
  1564. while true ;
  1565. do
  1566. _debug AGREEMENT "$AGREEMENT"
  1567. accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' )
  1568. thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
  1569. regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}'
  1570. if [ "$ACCOUNT_EMAIL" ] ; then
  1571. regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
  1572. fi
  1573. if [ -z "$_updateTos" ] ; then
  1574. _info "Registering account"
  1575. if ! _send_signed_request "$API/acme/new-reg" "$regjson" ; then
  1576. _err "Register account Error: $response"
  1577. return 1
  1578. fi
  1579. if [ "$code" = "" ] || [ "$code" = '201' ] ; then
  1580. echo "$response" > $ACCOUNT_JSON_PATH
  1581. _info "Registered"
  1582. elif [ "$code" = '409' ] ; then
  1583. _info "Already registered"
  1584. else
  1585. _err "Register account Error: $response"
  1586. return 1
  1587. fi
  1588. _accUri="$(echo "$responseHeaders" | grep "^Location:" | cut -d ' ' -f 2| tr -d "\r\n")"
  1589. _debug "_accUri" "$_accUri"
  1590. _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _egrep_o "<.*>" | tr -d '<>')"
  1591. _debug "_tos" "$_tos"
  1592. if [ -z "$_tos" ] ; then
  1593. _debug "Use default tos: $DEFAULT_AGREEMENT"
  1594. _tos="$DEFAULT_AGREEMENT"
  1595. fi
  1596. if [ "$_tos" != "$AGREEMENT" ]; then
  1597. _updateTos=1
  1598. AGREEMENT="$_tos"
  1599. _reg_res="reg"
  1600. continue
  1601. fi
  1602. else
  1603. _debug "Update tos: $_tos"
  1604. if ! _send_signed_request "$_accUri" "$regjson" ; then
  1605. _err "Update tos error."
  1606. return 1
  1607. fi
  1608. if [ "$code" = '202' ] ; then
  1609. _info "Update success."
  1610. else
  1611. _err "Update error."
  1612. return 1
  1613. fi
  1614. fi
  1615. return 0
  1616. done
  1617. }
  1618. #webroot, domain domainlist keylength
  1619. issue() {
  1620. if [ -z "$2" ] ; then
  1621. _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
  1622. return 1
  1623. fi
  1624. Le_Webroot="$1"
  1625. Le_Domain="$2"
  1626. Le_Alt="$3"
  1627. Le_Keylength="$4"
  1628. Le_RealCertPath="$5"
  1629. Le_RealKeyPath="$6"
  1630. Le_RealCACertPath="$7"
  1631. Le_ReloadCmd="$8"
  1632. Le_RealFullChainPath="$9"
  1633. Le_PreHook="${10}"
  1634. Le_PostHook="${11}"
  1635. Le_RenewHook="${12}"
  1636. Le_LocalAddress="${13}"
  1637. #remove these later.
  1638. if [ "$Le_Webroot" = "dns-cf" ] ; then
  1639. Le_Webroot="dns_cf"
  1640. fi
  1641. if [ "$Le_Webroot" = "dns-dp" ] ; then
  1642. Le_Webroot="dns_dp"
  1643. fi
  1644. if [ "$Le_Webroot" = "dns-cx" ] ; then
  1645. Le_Webroot="dns_cx"
  1646. fi
  1647. _debug "Using api: $API"
  1648. if [ ! "$IS_RENEW" ] ; then
  1649. _initpath $Le_Domain "$Le_Keylength"
  1650. mkdir -p "$DOMAIN_PATH"
  1651. fi
  1652. if [ -f "$DOMAIN_CONF" ] ; then
  1653. Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
  1654. _debug Le_NextRenewTime "$Le_NextRenewTime"
  1655. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ $(_time) -lt $Le_NextRenewTime ] ; then
  1656. _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
  1657. _info "Add '$(__red '--force')' to force to renew."
  1658. return $RENEW_SKIP
  1659. fi
  1660. fi
  1661. _savedomainconf "Le_Domain" "$Le_Domain"
  1662. _savedomainconf "Le_Alt" "$Le_Alt"
  1663. _savedomainconf "Le_Webroot" "$Le_Webroot"
  1664. _savedomainconf "Le_PreHook" "$Le_PreHook"
  1665. _savedomainconf "Le_PostHook" "$Le_PostHook"
  1666. _savedomainconf "Le_RenewHook" "$Le_RenewHook"
  1667. _savedomainconf "Le_LocalAddress" "$Le_LocalAddress"
  1668. Le_API="$API"
  1669. _savedomainconf "Le_API" "$Le_API"
  1670. if [ "$Le_Alt" = "$NO_VALUE" ] ; then
  1671. Le_Alt=""
  1672. fi
  1673. if [ "$Le_Keylength" = "$NO_VALUE" ] ; then
  1674. Le_Keylength=""
  1675. fi
  1676. if ! _on_before_issue ; then
  1677. _err "_on_before_issue."
  1678. return 1
  1679. fi
  1680. if ! _regAccount ; then
  1681. _on_issue_err
  1682. return 1
  1683. fi
  1684. if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ] ; then
  1685. _info "Signing from existing CSR."
  1686. else
  1687. _key=$(_readdomainconf Le_Keylength)
  1688. _debug "Read key length:$_key"
  1689. if [ ! -f "$CERT_KEY_PATH" ] || [ "$Le_Keylength" != "$_key" ] ; then
  1690. if ! createDomainKey $Le_Domain $Le_Keylength ; then
  1691. _err "Create domain key error."
  1692. _clearup
  1693. _on_issue_err
  1694. return 1
  1695. fi
  1696. fi
  1697. if ! _createcsr "$Le_Domain" "$Le_Alt" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF" ; then
  1698. _err "Create CSR error."
  1699. _clearup
  1700. _on_issue_err
  1701. return 1
  1702. fi
  1703. fi
  1704. _savedomainconf "Le_Keylength" "$Le_Keylength"
  1705. vlist="$Le_Vlist"
  1706. # verify each domain
  1707. _info "Verify each domain"
  1708. sep='#'
  1709. if [ -z "$vlist" ] ; then
  1710. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
  1711. _index=1
  1712. _currentRoot=""
  1713. for d in $alldomains
  1714. do
  1715. _info "Getting webroot for domain" $d
  1716. _w="$(echo $Le_Webroot | cut -d , -f $_index)"
  1717. _info _w "$_w"
  1718. if [ "$_w" ] ; then
  1719. _currentRoot="$_w"
  1720. fi
  1721. _debug "_currentRoot" "$_currentRoot"
  1722. _index=$(_math $_index + 1)
  1723. vtype="$VTYPE_HTTP"
  1724. if _startswith "$_currentRoot" "dns" ; then
  1725. vtype="$VTYPE_DNS"
  1726. fi
  1727. if [ "$_currentRoot" = "$W_TLS" ] ; then
  1728. vtype="$VTYPE_TLS"
  1729. fi
  1730. _info "Getting new-authz for domain" $d
  1731. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" ; then
  1732. _err "Can not get domain token."
  1733. _clearup
  1734. _on_issue_err
  1735. return 1
  1736. fi
  1737. if [ ! -z "$code" ] && [ ! "$code" = '201' ] ; then
  1738. _err "new-authz error: $response"
  1739. _clearup
  1740. _on_issue_err
  1741. return 1
  1742. fi
  1743. entry="$(printf "%s\n" "$response" | _egrep_o '[^{]*"type":"'$vtype'"[^}]*')"
  1744. _debug entry "$entry"
  1745. if [ -z "$entry" ] ; then
  1746. _err "Error, can not get domain token $d"
  1747. _clearup
  1748. _on_issue_err
  1749. return 1
  1750. fi
  1751. token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
  1752. _debug token $token
  1753. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
  1754. _debug uri $uri
  1755. keyauthorization="$token.$thumbprint"
  1756. _debug keyauthorization "$keyauthorization"
  1757. if printf "$response" | grep '"status":"valid"' >/dev/null 2>&1 ; then
  1758. _info "$d is already verified, skip."
  1759. keyauthorization=$STATE_VERIFIED
  1760. _debug keyauthorization "$keyauthorization"
  1761. fi
  1762. dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
  1763. _debug dvlist "$dvlist"
  1764. vlist="$vlist$dvlist,"
  1765. done
  1766. #add entry
  1767. dnsadded=""
  1768. ventries=$(echo "$vlist" | tr ',' ' ' )
  1769. for ventry in $ventries
  1770. do
  1771. d=$(echo $ventry | cut -d $sep -f 1)
  1772. keyauthorization=$(echo $ventry | cut -d $sep -f 2)
  1773. vtype=$(echo $ventry | cut -d $sep -f 4)
  1774. _currentRoot=$(echo $ventry | cut -d $sep -f 5)
  1775. if [ "$keyauthorization" = "$STATE_VERIFIED" ] ; then
  1776. _info "$d is already verified, skip $vtype."
  1777. continue
  1778. fi
  1779. if [ "$vtype" = "$VTYPE_DNS" ] ; then
  1780. dnsadded='0'
  1781. txtdomain="_acme-challenge.$d"
  1782. _debug txtdomain "$txtdomain"
  1783. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _urlencode)"
  1784. _debug txt "$txt"
  1785. #dns
  1786. #1. check use api
  1787. d_api=""
  1788. if [ -f "$LE_WORKING_DIR/$d/$_currentRoot" ] ; then
  1789. d_api="$LE_WORKING_DIR/$d/$_currentRoot"
  1790. elif [ -f "$LE_WORKING_DIR/$d/$_currentRoot.sh" ] ; then
  1791. d_api="$LE_WORKING_DIR/$d/$_currentRoot.sh"
  1792. elif [ -f "$LE_WORKING_DIR/$_currentRoot" ] ; then
  1793. d_api="$LE_WORKING_DIR/$_currentRoot"
  1794. elif [ -f "$LE_WORKING_DIR/$_currentRoot.sh" ] ; then
  1795. d_api="$LE_WORKING_DIR/$_currentRoot.sh"
  1796. elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot" ] ; then
  1797. d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot"
  1798. elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot.sh" ] ; then
  1799. d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot.sh"
  1800. fi
  1801. _debug d_api "$d_api"
  1802. if [ "$d_api" ] ; then
  1803. _info "Found domain api file: $d_api"
  1804. else
  1805. _err "Add the following TXT record:"
  1806. _err "Domain: '$(__green $txtdomain)'"
  1807. _err "TXT value: '$(__green $txt)'"
  1808. _err "Please be aware that you prepend _acme-challenge. before your domain"
  1809. _err "so the resulting subdomain will be: $txtdomain"
  1810. continue
  1811. fi
  1812. (
  1813. if ! . $d_api ; then
  1814. _err "Load file $d_api error. Please check your api file and try again."
  1815. return 1
  1816. fi
  1817. addcommand="${_currentRoot}_add"
  1818. if ! _exists $addcommand ; then
  1819. _err "It seems that your api file is not correct, it must have a function named: $addcommand"
  1820. return 1
  1821. fi
  1822. if ! $addcommand $txtdomain $txt ; then
  1823. _err "Error add txt for domain:$txtdomain"
  1824. return 1
  1825. fi
  1826. )
  1827. if [ "$?" != "0" ] ; then
  1828. _clearup
  1829. _on_issue_err
  1830. return 1
  1831. fi
  1832. dnsadded='1'
  1833. fi
  1834. done
  1835. if [ "$dnsadded" = '0' ] ; then
  1836. _savedomainconf "Le_Vlist" "$vlist"
  1837. _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
  1838. _err "Please add the TXT records to the domains, and retry again."
  1839. _clearup
  1840. _on_issue_err
  1841. return 1
  1842. fi
  1843. fi
  1844. if [ "$dnsadded" = '1' ] ; then
  1845. if [ -z "$Le_DNSSleep" ] ; then
  1846. Le_DNSSleep=$DEFAULT_DNS_SLEEP
  1847. else
  1848. _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
  1849. fi
  1850. _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
  1851. sleep $Le_DNSSleep
  1852. fi
  1853. _debug "ok, let's start to verify"
  1854. _ncIndex=1
  1855. ventries=$(echo "$vlist" | tr ',' ' ' )
  1856. for ventry in $ventries
  1857. do
  1858. d=$(echo $ventry | cut -d $sep -f 1)
  1859. keyauthorization=$(echo $ventry | cut -d $sep -f 2)
  1860. uri=$(echo $ventry | cut -d $sep -f 3)
  1861. vtype=$(echo $ventry | cut -d $sep -f 4)
  1862. _currentRoot=$(echo $ventry | cut -d $sep -f 5)
  1863. if [ "$keyauthorization" = "$STATE_VERIFIED" ] ; then
  1864. _info "$d is already verified, skip $vtype."
  1865. continue
  1866. fi
  1867. _info "Verifying:$d"
  1868. _debug "d" "$d"
  1869. _debug "keyauthorization" "$keyauthorization"
  1870. _debug "uri" "$uri"
  1871. removelevel=""
  1872. token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
  1873. _debug "_currentRoot" "$_currentRoot"
  1874. if [ "$vtype" = "$VTYPE_HTTP" ] ; then
  1875. if [ "$_currentRoot" = "$NO_VALUE" ] ; then
  1876. _info "Standalone mode server"
  1877. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex" )"
  1878. _ncIndex="$(_math $_ncIndex + 1)"
  1879. _startserver "$keyauthorization" "$_ncaddr" &
  1880. if [ "$?" != "0" ] ; then
  1881. _clearup
  1882. _on_issue_err
  1883. return 1
  1884. fi
  1885. serverproc="$!"
  1886. sleep 2
  1887. _debug serverproc $serverproc
  1888. else
  1889. if [ "$_currentRoot" = "apache" ] ; then
  1890. wellknown_path="$ACME_DIR"
  1891. else
  1892. wellknown_path="$_currentRoot/.well-known/acme-challenge"
  1893. if [ ! -d "$_currentRoot/.well-known" ] ; then
  1894. removelevel='1'
  1895. elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ] ; then
  1896. removelevel='2'
  1897. else
  1898. removelevel='3'
  1899. fi
  1900. fi
  1901. _debug wellknown_path "$wellknown_path"
  1902. _debug "writing token:$token to $wellknown_path/$token"
  1903. mkdir -p "$wellknown_path"
  1904. printf "%s" "$keyauthorization" > "$wellknown_path/$token"
  1905. if [ ! "$usingApache" ] ; then
  1906. if webroot_owner=$(_stat $_currentRoot) ; then
  1907. _debug "Changing owner/group of .well-known to $webroot_owner"
  1908. chown -R $webroot_owner "$_currentRoot/.well-known"
  1909. else
  1910. _debug "not chaning owner/group of webroot";
  1911. fi
  1912. fi
  1913. fi
  1914. elif [ "$vtype" = "$VTYPE_TLS" ] ; then
  1915. #create A
  1916. #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
  1917. #_debug2 _hash_A "$_hash_A"
  1918. #_x="$(echo $_hash_A | cut -c 1-32)"
  1919. #_debug2 _x "$_x"
  1920. #_y="$(echo $_hash_A | cut -c 33-64)"
  1921. #_debug2 _y "$_y"
  1922. #_SAN_A="$_x.$_y.token.acme.invalid"
  1923. #_debug2 _SAN_A "$_SAN_A"
  1924. #create B
  1925. _hash_B="$(printf "%s" $keyauthorization | _digest "sha256" "hex" )"
  1926. _debug2 _hash_B "$_hash_B"
  1927. _x="$(echo $_hash_B | cut -c 1-32)"
  1928. _debug2 _x "$_x"
  1929. _y="$(echo $_hash_B | cut -c 33-64)"
  1930. _debug2 _y "$_y"
  1931. #_SAN_B="$_x.$_y.ka.acme.invalid"
  1932. _SAN_B="$_x.$_y.acme.invalid"
  1933. _debug2 _SAN_B "$_SAN_B"
  1934. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex" )"
  1935. _ncIndex="$(_math $_ncIndex + 1)"
  1936. if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
  1937. _err "Start tls server error."
  1938. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1939. _clearup
  1940. _on_issue_err
  1941. return 1
  1942. fi
  1943. fi
  1944. if ! _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" ; then
  1945. _err "$d:Can not get challenge: $response"
  1946. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1947. _clearup
  1948. _on_issue_err
  1949. return 1
  1950. fi
  1951. if [ ! -z "$code" ] && [ ! "$code" = '202' ] ; then
  1952. _err "$d:Challenge error: $response"
  1953. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1954. _clearup
  1955. _on_issue_err
  1956. return 1
  1957. fi
  1958. waittimes=0
  1959. if [ -z "$MAX_RETRY_TIMES" ] ; then
  1960. MAX_RETRY_TIMES=30
  1961. fi
  1962. while true ; do
  1963. waittimes=$(_math $waittimes + 1)
  1964. if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ] ; then
  1965. _err "$d:Timeout"
  1966. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1967. _clearup
  1968. _on_issue_err
  1969. return 1
  1970. fi
  1971. _debug "sleep 5 secs to verify"
  1972. sleep 5
  1973. _debug "checking"
  1974. response="$(_get $uri)"
  1975. if [ "$?" != "0" ] ; then
  1976. _err "$d:Verify error:$response"
  1977. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1978. _clearup
  1979. _on_issue_err
  1980. return 1
  1981. fi
  1982. _debug2 original "$response"
  1983. response="$(echo "$response" | _normalizeJson )"
  1984. _debug2 response "$response"
  1985. status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
  1986. if [ "$status" = "valid" ] ; then
  1987. _info "Success"
  1988. _stopserver $serverproc
  1989. serverproc=""
  1990. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  1991. break;
  1992. fi
  1993. if [ "$status" = "invalid" ] ; then
  1994. error="$(echo "$response" | _egrep_o '"error":\{[^}]*}')"
  1995. _debug2 error "$error"
  1996. errordetail="$(echo $error | _egrep_o '"detail": *"[^"]*"' | cut -d '"' -f 4)"
  1997. _debug2 errordetail "$errordetail"
  1998. if [ "$errordetail" ] ; then
  1999. _err "$d:Verify error:$errordetail"
  2000. else
  2001. _err "$d:Verify error:$error"
  2002. fi
  2003. if [ "$DEBUG" ] ; then
  2004. if [ "$vtype" = "$VTYPE_HTTP" ] ; then
  2005. _debug "Debug: get token url."
  2006. _get "http://$d/.well-known/acme-challenge/$token"
  2007. fi
  2008. fi
  2009. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2010. _clearup
  2011. _on_issue_err
  2012. return 1;
  2013. fi
  2014. if [ "$status" = "pending" ] ; then
  2015. _info "Pending"
  2016. else
  2017. _err "$d:Verify error:$response"
  2018. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2019. _clearup
  2020. _on_issue_err
  2021. return 1
  2022. fi
  2023. done
  2024. done
  2025. _clearup
  2026. _info "Verify finished, start to sign."
  2027. der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _urlencode)"
  2028. if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" ; then
  2029. _err "Sign failed."
  2030. _on_issue_err
  2031. return 1
  2032. fi
  2033. _rcert="$response"
  2034. Le_LinkCert="$(grep -i '^Location.*$' $HTTP_HEADER | head -1 | tr -d "\r\n" | cut -d " " -f 2)"
  2035. _savedomainconf "Le_LinkCert" "$Le_LinkCert"
  2036. if [ "$Le_LinkCert" ] ; then
  2037. echo "$BEGIN_CERT" > "$CERT_PATH"
  2038. if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
  2039. _debug "Get cert failed. Let's try last response."
  2040. printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
  2041. fi
  2042. echo "$END_CERT" >> "$CERT_PATH"
  2043. _info "$(__green "Cert success.")"
  2044. cat "$CERT_PATH"
  2045. _info "Your cert is in $( __green " $CERT_PATH ")"
  2046. if [ -f "$CERT_KEY_PATH" ] ; then
  2047. _info "Your cert key is in $( __green " $CERT_KEY_PATH ")"
  2048. fi
  2049. cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
  2050. if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ] ; then
  2051. USER_PATH="$PATH"
  2052. _saveaccountconf "USER_PATH" "$USER_PATH"
  2053. fi
  2054. fi
  2055. if [ -z "$Le_LinkCert" ] ; then
  2056. response="$(echo $response | _dbase64 "multiline" | _normalizeJson )"
  2057. _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
  2058. _on_issue_err
  2059. return 1
  2060. fi
  2061. _cleardomainconf "Le_Vlist"
  2062. Le_LinkIssuer=$(grep -i '^Link' $HTTP_HEADER | head -1 | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' )
  2063. if ! _contains "$Le_LinkIssuer" ":" ; then
  2064. Le_LinkIssuer="$API$Le_LinkIssuer"
  2065. fi
  2066. _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
  2067. if [ "$Le_LinkIssuer" ] ; then
  2068. echo "$BEGIN_CERT" > "$CA_CERT_PATH"
  2069. _get "$Le_LinkIssuer" | _base64 "multiline" >> "$CA_CERT_PATH"
  2070. echo "$END_CERT" >> "$CA_CERT_PATH"
  2071. _info "The intermediate CA cert is in $( __green " $CA_CERT_PATH ")"
  2072. cat "$CA_CERT_PATH" >> "$CERT_FULLCHAIN_PATH"
  2073. _info "And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH ")"
  2074. fi
  2075. Le_CertCreateTime=$(_time)
  2076. _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
  2077. Le_CertCreateTimeStr=$(date -u )
  2078. _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
  2079. if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ] ; then
  2080. Le_RenewalDays=$MAX_RENEW
  2081. else
  2082. _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
  2083. fi
  2084. if [ "$CA_BUNDLE" ] ; then
  2085. _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
  2086. else
  2087. _clearaccountconf "CA_BUNDLE"
  2088. fi
  2089. if [ "$HTTPS_INSECURE" ] ; then
  2090. _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
  2091. else
  2092. _clearaccountconf "HTTPS_INSECURE"
  2093. fi
  2094. Le_NextRenewTime=$(_math $Le_CertCreateTime + $Le_RenewalDays \* 24 \* 60 \* 60)
  2095. Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime )
  2096. _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  2097. Le_NextRenewTime=$(_math $Le_NextRenewTime - 86400)
  2098. _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  2099. _on_issue_success
  2100. if [ "$Le_RealCertPath$Le_RealKeyPath$Le_RealCACertPath$Le_ReloadCmd$Le_RealFullChainPath" ] ; then
  2101. _installcert
  2102. fi
  2103. }
  2104. #domain [isEcc]
  2105. renew() {
  2106. Le_Domain="$1"
  2107. if [ -z "$Le_Domain" ] ; then
  2108. _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
  2109. return 1
  2110. fi
  2111. _isEcc="$2"
  2112. _initpath $Le_Domain "$_isEcc"
  2113. _info "$(__green "Renew: '$Le_Domain'")"
  2114. if [ ! -f "$DOMAIN_CONF" ] ; then
  2115. _info "'$Le_Domain' is not a issued domain, skip."
  2116. return 0;
  2117. fi
  2118. if [ "$Le_RenewalDays" ] ; then
  2119. _savedomainconf Le_RenewalDays "$Le_RenewalDays"
  2120. fi
  2121. . "$DOMAIN_CONF"
  2122. if [ "$Le_API" ] ; then
  2123. API="$Le_API"
  2124. fi
  2125. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ] ; then
  2126. _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
  2127. _info "Add '$(__red '--force')' to force to renew."
  2128. return $RENEW_SKIP
  2129. fi
  2130. IS_RENEW="1"
  2131. issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
  2132. res=$?
  2133. IS_RENEW=""
  2134. return $res
  2135. }
  2136. #renewAll [stopRenewOnError]
  2137. renewAll() {
  2138. _initpath
  2139. _stopRenewOnError="$1"
  2140. _debug "_stopRenewOnError" "$_stopRenewOnError"
  2141. _ret="0"
  2142. for d in $(ls -F ${CERT_HOME}/ | grep [^.].*[.].*/$ ) ; do
  2143. d=$(echo $d | cut -d '/' -f 1)
  2144. (
  2145. if _endswith $d "$ECC_SUFFIX" ; then
  2146. _isEcc=$(echo $d | cut -d "$ECC_SEP" -f 2)
  2147. d=$(echo $d | cut -d "$ECC_SEP" -f 1)
  2148. fi
  2149. renew "$d" "$_isEcc"
  2150. )
  2151. rc="$?"
  2152. _debug "Return code: $rc"
  2153. if [ "$rc" != "0" ] ; then
  2154. if [ "$rc" = "$RENEW_SKIP" ] ; then
  2155. _info "Skipped $d"
  2156. elif [ "$_stopRenewOnError" ] ; then
  2157. _err "Error renew $d, stop now."
  2158. return $rc
  2159. else
  2160. _ret="$rc"
  2161. _err "Error renew $d, Go ahead to next one."
  2162. fi
  2163. fi
  2164. done
  2165. return $_ret
  2166. }
  2167. #csr webroot
  2168. signcsr(){
  2169. _csrfile="$1"
  2170. _csrW="$2"
  2171. if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
  2172. _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
  2173. return 1
  2174. fi
  2175. _initpath
  2176. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2177. if [ "$?" != "0" ] || [ -z "$_csrsubj" ] ; then
  2178. _err "Can not read subject from csr: $_csrfile"
  2179. return 1
  2180. fi
  2181. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2182. if [ "$?" != "0" ] ; then
  2183. _err "Can not read domain list from csr: $_csrfile"
  2184. return 1
  2185. fi
  2186. _debug "_csrdomainlist" "$_csrdomainlist"
  2187. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2188. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ] ; then
  2189. _err "Can not read key length from csr: $_csrfile"
  2190. return 1
  2191. fi
  2192. _initpath "$_csrsubj" "$_csrkeylength"
  2193. mkdir -p "$DOMAIN_PATH"
  2194. _info "Copy csr to: $CSR_PATH"
  2195. cp "$_csrfile" "$CSR_PATH"
  2196. issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
  2197. }
  2198. showcsr() {
  2199. _csrfile="$1"
  2200. _csrd="$2"
  2201. if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
  2202. _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
  2203. return 1
  2204. fi
  2205. _initpath
  2206. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2207. if [ "$?" != "0" ] || [ -z "$_csrsubj" ] ; then
  2208. _err "Can not read subject from csr: $_csrfile"
  2209. return 1
  2210. fi
  2211. _info "Subject=$_csrsubj"
  2212. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2213. if [ "$?" != "0" ] ; then
  2214. _err "Can not read domain list from csr: $_csrfile"
  2215. return 1
  2216. fi
  2217. _debug "_csrdomainlist" "$_csrdomainlist"
  2218. _info "SubjectAltNames=$_csrdomainlist"
  2219. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2220. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ] ; then
  2221. _err "Can not read key length from csr: $_csrfile"
  2222. return 1
  2223. fi
  2224. _info "KeyLength=$_csrkeylength"
  2225. }
  2226. list() {
  2227. _raw="$1"
  2228. _initpath
  2229. _sep="|"
  2230. if [ "$_raw" ] ; then
  2231. printf "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew\n"
  2232. for d in $(ls -F ${CERT_HOME}/ | grep [^.].*[.].*/$ ) ; do
  2233. d=$(echo $d | cut -d '/' -f 1)
  2234. (
  2235. if _endswith $d "$ECC_SUFFIX" ; then
  2236. _isEcc=$(echo $d | cut -d "$ECC_SEP" -f 2)
  2237. d=$(echo $d | cut -d "$ECC_SEP" -f 1)
  2238. fi
  2239. _initpath $d "$_isEcc"
  2240. if [ -f "$DOMAIN_CONF" ] ; then
  2241. . "$DOMAIN_CONF"
  2242. printf "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr\n"
  2243. fi
  2244. )
  2245. done
  2246. else
  2247. if _exists column ; then
  2248. list "raw" | column -t -s "$_sep"
  2249. else
  2250. list "raw" | tr "$_sep" '\t'
  2251. fi
  2252. fi
  2253. }
  2254. installcert() {
  2255. Le_Domain="$1"
  2256. if [ -z "$Le_Domain" ] ; then
  2257. _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
  2258. return 1
  2259. fi
  2260. Le_RealCertPath="$2"
  2261. Le_RealKeyPath="$3"
  2262. Le_RealCACertPath="$4"
  2263. Le_ReloadCmd="$5"
  2264. Le_RealFullChainPath="$6"
  2265. _isEcc="$7"
  2266. _initpath $Le_Domain "$_isEcc"
  2267. if [ ! -d "$DOMAIN_PATH" ] ; then
  2268. _err "Domain is not valid:'$Le_Domain'"
  2269. return 1
  2270. fi
  2271. _installcert
  2272. }
  2273. _installcert() {
  2274. _savedomainconf "Le_RealCertPath" "$Le_RealCertPath"
  2275. _savedomainconf "Le_RealCACertPath" "$Le_RealCACertPath"
  2276. _savedomainconf "Le_RealKeyPath" "$Le_RealKeyPath"
  2277. _savedomainconf "Le_ReloadCmd" "$Le_ReloadCmd"
  2278. _savedomainconf "Le_RealFullChainPath" "$Le_RealFullChainPath"
  2279. if [ "$Le_RealCertPath" = "$NO_VALUE" ] ; then
  2280. Le_RealCertPath=""
  2281. fi
  2282. if [ "$Le_RealKeyPath" = "$NO_VALUE" ] ; then
  2283. Le_RealKeyPath=""
  2284. fi
  2285. if [ "$Le_RealCACertPath" = "$NO_VALUE" ] ; then
  2286. Le_RealCACertPath=""
  2287. fi
  2288. if [ "$Le_ReloadCmd" = "$NO_VALUE" ] ; then
  2289. Le_ReloadCmd=""
  2290. fi
  2291. if [ "$Le_RealFullChainPath" = "$NO_VALUE" ] ; then
  2292. Le_RealFullChainPath=""
  2293. fi
  2294. _installed="0"
  2295. if [ "$Le_RealCertPath" ] ; then
  2296. _installed=1
  2297. _info "Installing cert to:$Le_RealCertPath"
  2298. if [ -f "$Le_RealCertPath" ] && [ ! "$IS_RENEW" ] ; then
  2299. cp "$Le_RealCertPath" "$Le_RealCertPath".bak
  2300. fi
  2301. cat "$CERT_PATH" > "$Le_RealCertPath"
  2302. fi
  2303. if [ "$Le_RealCACertPath" ] ; then
  2304. _installed=1
  2305. _info "Installing CA to:$Le_RealCACertPath"
  2306. if [ "$Le_RealCACertPath" = "$Le_RealCertPath" ] ; then
  2307. echo "" >> "$Le_RealCACertPath"
  2308. cat "$CA_CERT_PATH" >> "$Le_RealCACertPath"
  2309. else
  2310. if [ -f "$Le_RealCACertPath" ] && [ ! "$IS_RENEW" ] ; then
  2311. cp "$Le_RealCACertPath" "$Le_RealCACertPath".bak
  2312. fi
  2313. cat "$CA_CERT_PATH" > "$Le_RealCACertPath"
  2314. fi
  2315. fi
  2316. if [ "$Le_RealKeyPath" ] ; then
  2317. _installed=1
  2318. _info "Installing key to:$Le_RealKeyPath"
  2319. if [ -f "$Le_RealKeyPath" ] && [ ! "$IS_RENEW" ] ; then
  2320. cp "$Le_RealKeyPath" "$Le_RealKeyPath".bak
  2321. fi
  2322. cat "$CERT_KEY_PATH" > "$Le_RealKeyPath"
  2323. fi
  2324. if [ "$Le_RealFullChainPath" ] ; then
  2325. _installed=1
  2326. _info "Installing full chain to:$Le_RealFullChainPath"
  2327. if [ -f "$Le_RealFullChainPath" ] && [ ! "$IS_RENEW" ] ; then
  2328. cp "$Le_RealFullChainPath" "$Le_RealFullChainPath".bak
  2329. fi
  2330. cat "$CERT_FULLCHAIN_PATH" > "$Le_RealFullChainPath"
  2331. fi
  2332. if [ "$Le_ReloadCmd" ] ; then
  2333. _installed=1
  2334. _info "Run Le_ReloadCmd: $Le_ReloadCmd"
  2335. if (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") ; then
  2336. _info "$(__green "Reload success")"
  2337. else
  2338. _err "Reload error for :$Le_Domain"
  2339. fi
  2340. fi
  2341. }
  2342. installcronjob() {
  2343. _initpath
  2344. if ! _exists "crontab" ; then
  2345. _err "crontab doesn't exist, so, we can not install cron jobs."
  2346. _err "All your certs will not be renewed automatically."
  2347. _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
  2348. return 1
  2349. fi
  2350. _info "Installing cron job"
  2351. if ! crontab -l | grep "$PROJECT_ENTRY --cron" ; then
  2352. if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ] ; then
  2353. lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
  2354. else
  2355. _err "Can not install cronjob, $PROJECT_ENTRY not found."
  2356. return 1
  2357. fi
  2358. if _exists uname && uname -a | grep solaris >/dev/null ; then
  2359. crontab -l | { cat; echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"; } | crontab --
  2360. else
  2361. crontab -l | { cat; echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"; } | crontab -
  2362. fi
  2363. fi
  2364. if [ "$?" != "0" ] ; then
  2365. _err "Install cron job failed. You need to manually renew your certs."
  2366. _err "Or you can add cronjob by yourself:"
  2367. _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2368. return 1
  2369. fi
  2370. }
  2371. uninstallcronjob() {
  2372. if ! _exists "crontab" ; then
  2373. return
  2374. fi
  2375. _info "Removing cron job"
  2376. cr="$(crontab -l | grep "$PROJECT_ENTRY --cron")"
  2377. if [ "$cr" ] ; then
  2378. if _exists uname && uname -a | grep solaris >/dev/null ; then
  2379. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab --
  2380. else
  2381. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab -
  2382. fi
  2383. LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
  2384. _info LE_WORKING_DIR "$LE_WORKING_DIR"
  2385. fi
  2386. _initpath
  2387. }
  2388. revoke() {
  2389. Le_Domain="$1"
  2390. if [ -z "$Le_Domain" ] ; then
  2391. _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com"
  2392. return 1
  2393. fi
  2394. _isEcc="$2"
  2395. _initpath $Le_Domain "$_isEcc"
  2396. if [ ! -f "$DOMAIN_CONF" ] ; then
  2397. _err "$Le_Domain is not a issued domain, skip."
  2398. return 1;
  2399. fi
  2400. if [ ! -f "$CERT_PATH" ] ; then
  2401. _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
  2402. return 1
  2403. fi
  2404. cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}"| tr -d "\r\n" | _urlencode)"
  2405. if [ -z "$cert" ] ; then
  2406. _err "Cert for $Le_Domain is empty found, skip."
  2407. return 1
  2408. fi
  2409. data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
  2410. uri="$API/acme/revoke-cert"
  2411. _info "Try domain key first."
  2412. if _send_signed_request $uri "$data" "" "$CERT_KEY_PATH"; then
  2413. if [ -z "$response" ] ; then
  2414. _info "Revoke success."
  2415. rm -f $CERT_PATH
  2416. return 0
  2417. else
  2418. _err "Revoke error by domain key."
  2419. _err "$response"
  2420. fi
  2421. fi
  2422. _info "Then try account key."
  2423. if _send_signed_request $uri "$data" "" "$ACCOUNT_KEY_PATH" ; then
  2424. if [ -z "$response" ] ; then
  2425. _info "Revoke success."
  2426. rm -f $CERT_PATH
  2427. return 0
  2428. else
  2429. _err "Revoke error."
  2430. _debug "$response"
  2431. fi
  2432. fi
  2433. return 1
  2434. }
  2435. #domain vtype
  2436. _deactivate() {
  2437. _d_domain="$1"
  2438. _d_type="$2"
  2439. _initpath
  2440. _d_i=0
  2441. _d_max_retry=9
  2442. while [ "$_d_i" -lt "$_d_max_retry" ] ;
  2443. do
  2444. _info "Deactivate: $_d_domain"
  2445. _d_i="$(_math $_d_i + 1)"
  2446. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$_d_domain\"}}" ; then
  2447. _err "Can not get domain token."
  2448. return 1
  2449. fi
  2450. authzUri="$(echo "$responseHeaders" | grep "^Location:" | cut -d ' ' -f 2 | tr -d "\r\n")"
  2451. _debug "authzUri" "$authzUri"
  2452. if [ ! -z "$code" ] && [ ! "$code" = '201' ] ; then
  2453. _err "new-authz error: $response"
  2454. return 1
  2455. fi
  2456. entry="$(printf "%s\n" "$response" | _egrep_o '[^{]*"status":"valid","uri"[^}]*')"
  2457. _debug entry "$entry"
  2458. if [ -z "$entry" ] ; then
  2459. _info "No more valid entry found."
  2460. break
  2461. fi
  2462. _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
  2463. _debug _vtype $_vtype
  2464. _info "Found $_vtype"
  2465. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
  2466. _debug uri $uri
  2467. if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ] ; then
  2468. _info "Skip $_vtype"
  2469. continue
  2470. fi
  2471. _info "Deactivate: $_vtype"
  2472. if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}" ; then
  2473. _err "Can not deactivate $_vtype."
  2474. return 1
  2475. fi
  2476. _info "Deactivate: $_vtype success."
  2477. done
  2478. _debug "$_d_i"
  2479. if [ "$_d_i" -lt "$_d_max_retry" ] ; then
  2480. _info "Deactivated success!"
  2481. else
  2482. _err "Deactivate failed."
  2483. fi
  2484. }
  2485. deactivate() {
  2486. _d_domain_list="$1"
  2487. _d_type="$2"
  2488. _initpath
  2489. _debug _d_domain_list "$_d_domain_list"
  2490. if [ -z "$(echo $_d_domain_list | cut -d , -f 1 )" ] ; then
  2491. _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
  2492. return 1
  2493. fi
  2494. for _d_dm in $(echo "$_d_domain_list" | tr ',' ' ' ) ;
  2495. do
  2496. if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ] ; then
  2497. continue
  2498. fi
  2499. if ! _deactivate "$_d_dm" $_d_type ; then
  2500. return 1
  2501. fi
  2502. done
  2503. }
  2504. # Detect profile file if not specified as environment variable
  2505. _detect_profile() {
  2506. if [ -n "$PROFILE" -a -f "$PROFILE" ] ; then
  2507. echo "$PROFILE"
  2508. return
  2509. fi
  2510. DETECTED_PROFILE=''
  2511. SHELLTYPE="$(basename "/$SHELL")"
  2512. if [ "$SHELLTYPE" = "bash" ] ; then
  2513. if [ -f "$HOME/.bashrc" ] ; then
  2514. DETECTED_PROFILE="$HOME/.bashrc"
  2515. elif [ -f "$HOME/.bash_profile" ] ; then
  2516. DETECTED_PROFILE="$HOME/.bash_profile"
  2517. fi
  2518. elif [ "$SHELLTYPE" = "zsh" ] ; then
  2519. DETECTED_PROFILE="$HOME/.zshrc"
  2520. fi
  2521. if [ -z "$DETECTED_PROFILE" ] ; then
  2522. if [ -f "$HOME/.profile" ] ; then
  2523. DETECTED_PROFILE="$HOME/.profile"
  2524. elif [ -f "$HOME/.bashrc" ] ; then
  2525. DETECTED_PROFILE="$HOME/.bashrc"
  2526. elif [ -f "$HOME/.bash_profile" ] ; then
  2527. DETECTED_PROFILE="$HOME/.bash_profile"
  2528. elif [ -f "$HOME/.zshrc" ] ; then
  2529. DETECTED_PROFILE="$HOME/.zshrc"
  2530. fi
  2531. fi
  2532. if [ ! -z "$DETECTED_PROFILE" ] ; then
  2533. echo "$DETECTED_PROFILE"
  2534. fi
  2535. }
  2536. _initconf() {
  2537. _initpath
  2538. if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
  2539. echo "#ACCOUNT_CONF_PATH=xxxx
  2540. #Account configurations:
  2541. #Here are the supported macros, uncomment them to make them take effect.
  2542. #ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account.
  2543. #ACCOUNT_KEY_PATH=\"/path/to/account.key\"
  2544. #CERT_HOME=\"/path/to/cert/home\"
  2545. #LOG_FILE=\"$DEFAULT_LOG_FILE\"
  2546. #LOG_LEVEL=1
  2547. #AUTO_UPGRADE=\"1\"
  2548. #STAGE=1 # Use the staging api
  2549. #FORCE=1 # Force to issue cert
  2550. #DEBUG=1 # Debug mode
  2551. #USER_AGENT=\"$USER_AGENT\"
  2552. #USER_PATH=""
  2553. #dns api
  2554. #######################
  2555. #Cloudflare:
  2556. #api key
  2557. #CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"
  2558. #account email
  2559. #CF_Email=\"xxxx@sss.com\"
  2560. #######################
  2561. #Dnspod.cn:
  2562. #api key id
  2563. #DP_Id=\"1234\"
  2564. #api key
  2565. #DP_Key=\"sADDsdasdgdsf\"
  2566. #######################
  2567. #Cloudxns.com:
  2568. #CX_Key=\"1234\"
  2569. #
  2570. #CX_Secret=\"sADDsdasdgdsf\"
  2571. #######################
  2572. #Godaddy.com:
  2573. #GD_Key=\"sdfdsgdgdfdasfds\"
  2574. #
  2575. #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
  2576. " > $ACCOUNT_CONF_PATH
  2577. fi
  2578. }
  2579. # nocron
  2580. _precheck() {
  2581. _nocron="$1"
  2582. if ! _exists "curl" && ! _exists "wget"; then
  2583. _err "Please install curl or wget first, we need to access http resources."
  2584. return 1
  2585. fi
  2586. if [ -z "$_nocron" ] ; then
  2587. if ! _exists "crontab" ; then
  2588. _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
  2589. _err "We need to set cron job to renew the certs automatically."
  2590. _err "Otherwise, your certs will not be able to be renewed automatically."
  2591. if [ -z "$FORCE" ] ; then
  2592. _err "Please add '--force' and try install again to go without crontab."
  2593. _err "./$PROJECT_ENTRY --install --force"
  2594. return 1
  2595. fi
  2596. fi
  2597. fi
  2598. if ! _exists "openssl" ; then
  2599. _err "Please install openssl first."
  2600. _err "We need openssl to generate keys."
  2601. return 1
  2602. fi
  2603. if ! _exists "nc" ; then
  2604. _err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
  2605. _err "We use nc for standalone server if you use standalone mode."
  2606. _err "If you don't use standalone mode, just ignore this warning."
  2607. fi
  2608. return 0
  2609. }
  2610. _setShebang() {
  2611. _file="$1"
  2612. _shebang="$2"
  2613. if [ -z "$_shebang" ] ; then
  2614. _usage "Usage: file shebang"
  2615. return 1
  2616. fi
  2617. cp "$_file" "$_file.tmp"
  2618. echo "$_shebang" > "$_file"
  2619. sed -n 2,99999p "$_file.tmp" >> "$_file"
  2620. rm -f "$_file.tmp"
  2621. }
  2622. _installalias() {
  2623. _initpath
  2624. _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  2625. if [ "$_upgrading" ] && [ "$_upgrading" = "1" ] ; then
  2626. echo "$(cat $_envfile)" | sed "s|^LE_WORKING_DIR.*$||" > "$_envfile"
  2627. echo "$(cat $_envfile)" | sed "s|^alias le.*$||" > "$_envfile"
  2628. echo "$(cat $_envfile)" | sed "s|^alias le.sh.*$||" > "$_envfile"
  2629. fi
  2630. _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
  2631. _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2632. _profile="$(_detect_profile)"
  2633. if [ "$_profile" ] ; then
  2634. _debug "Found profile: $_profile"
  2635. _setopt "$_profile" ". \"$_envfile\""
  2636. _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
  2637. else
  2638. _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
  2639. fi
  2640. #for csh
  2641. _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
  2642. _csh_profile="$HOME/.cshrc"
  2643. if [ -f "$_csh_profile" ] ; then
  2644. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  2645. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2646. _setopt "$_csh_profile" "source \"$_cshfile\""
  2647. fi
  2648. #for tcsh
  2649. _tcsh_profile="$HOME/.tcshrc"
  2650. if [ -f "$_tcsh_profile" ] ; then
  2651. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  2652. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2653. _setopt "$_tcsh_profile" "source \"$_cshfile\""
  2654. fi
  2655. }
  2656. # nocron
  2657. install() {
  2658. if [ -z "$LE_WORKING_DIR" ] ; then
  2659. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  2660. fi
  2661. _nocron="$1"
  2662. if ! _initpath ; then
  2663. _err "Install failed."
  2664. return 1
  2665. fi
  2666. if [ "$_nocron" ] ; then
  2667. _debug "Skip install cron job"
  2668. fi
  2669. if ! _precheck "$_nocron" ; then
  2670. _err "Pre-check failed, can not install."
  2671. return 1
  2672. fi
  2673. #convert from le
  2674. if [ -d "$HOME/.le" ] ; then
  2675. for envfile in "le.env" "le.sh.env"
  2676. do
  2677. if [ -f "$HOME/.le/$envfile" ] ; then
  2678. if grep "le.sh" "$HOME/.le/$envfile" >/dev/null ; then
  2679. _upgrading="1"
  2680. _info "You are upgrading from le.sh"
  2681. _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
  2682. mv "$HOME/.le" "$LE_WORKING_DIR"
  2683. mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  2684. break;
  2685. fi
  2686. fi
  2687. done
  2688. fi
  2689. _info "Installing to $LE_WORKING_DIR"
  2690. if ! mkdir -p "$LE_WORKING_DIR" ; then
  2691. _err "Can not create working dir: $LE_WORKING_DIR"
  2692. return 1
  2693. fi
  2694. chmod 700 "$LE_WORKING_DIR"
  2695. cp $PROJECT_ENTRY "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
  2696. if [ "$?" != "0" ] ; then
  2697. _err "Install failed, can not copy $PROJECT_ENTRY"
  2698. return 1
  2699. fi
  2700. _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
  2701. _installalias
  2702. if [ -d "dnsapi" ] ; then
  2703. mkdir -p $LE_WORKING_DIR/dnsapi
  2704. cp dnsapi/* $LE_WORKING_DIR/dnsapi/
  2705. fi
  2706. if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
  2707. _initconf
  2708. fi
  2709. if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ] ; then
  2710. _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
  2711. fi
  2712. if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ] ; then
  2713. _saveaccountconf "CERT_HOME" "$CERT_HOME"
  2714. fi
  2715. if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ] ; then
  2716. _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
  2717. fi
  2718. if [ -z "$_nocron" ] ; then
  2719. installcronjob
  2720. fi
  2721. if [ -z "$NO_DETECT_SH" ] ; then
  2722. #Modify shebang
  2723. if _exists bash ; then
  2724. _info "Good, bash is installed, change the shebang to use bash as prefered."
  2725. _shebang='#!/usr/bin/env bash'
  2726. _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
  2727. if [ -d "$LE_WORKING_DIR/dnsapi" ] ; then
  2728. for _apifile in $(ls "$LE_WORKING_DIR/dnsapi/"*.sh) ; do
  2729. _setShebang "$_apifile" "$_shebang"
  2730. done
  2731. fi
  2732. fi
  2733. fi
  2734. _info OK
  2735. }
  2736. # nocron
  2737. uninstall() {
  2738. _nocron="$1"
  2739. if [ -z "$_nocron" ] ; then
  2740. uninstallcronjob
  2741. fi
  2742. _initpath
  2743. _profile="$(_detect_profile)"
  2744. if [ "$_profile" ] ; then
  2745. text="$(cat $_profile)"
  2746. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" > "$_profile"
  2747. fi
  2748. _csh_profile="$HOME/.cshrc"
  2749. if [ -f "$_csh_profile" ] ; then
  2750. text="$(cat $_csh_profile)"
  2751. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_csh_profile"
  2752. fi
  2753. _tcsh_profile="$HOME/.tcshrc"
  2754. if [ -f "$_tcsh_profile" ] ; then
  2755. text="$(cat $_tcsh_profile)"
  2756. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_tcsh_profile"
  2757. fi
  2758. rm -f $LE_WORKING_DIR/$PROJECT_ENTRY
  2759. _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself."
  2760. }
  2761. cron() {
  2762. IN_CRON=1
  2763. _initpath
  2764. if [ "$AUTO_UPGRADE" ] ; then
  2765. export LE_WORKING_DIR
  2766. (
  2767. if ! upgrade ; then
  2768. _err "Cron:Upgrade failed!"
  2769. return 1
  2770. fi
  2771. )
  2772. . $LE_WORKING_DIR/$PROJECT_ENTRY >/dev/null
  2773. if [ -t 1 ] ; then
  2774. __INTERACTIVE="1"
  2775. fi
  2776. _info "Auto upgraded to: $VER"
  2777. fi
  2778. renewAll
  2779. _ret="$?"
  2780. IN_CRON=""
  2781. exit $_ret
  2782. }
  2783. version() {
  2784. echo "$PROJECT"
  2785. echo "v$VER"
  2786. }
  2787. showhelp() {
  2788. _initpath
  2789. version
  2790. echo "Usage: $PROJECT_ENTRY command ...[parameters]....
  2791. Commands:
  2792. --help, -h Show this help message.
  2793. --version, -v Show version info.
  2794. --install Install $PROJECT_NAME to your system.
  2795. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
  2796. --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT .
  2797. --issue Issue a cert.
  2798. --signcsr Issue a cert from an existing csr.
  2799. --installcert Install the issued cert to apache/nginx or any other server.
  2800. --renew, -r Renew a cert.
  2801. --renewAll Renew all the certs.
  2802. --revoke Revoke a cert.
  2803. --list List all the certs.
  2804. --showcsr Show the content of a csr.
  2805. --installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  2806. --uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
  2807. --cron Run cron job to renew all the certs.
  2808. --toPkcs Export the certificate and key to a pfx file.
  2809. --updateaccount Update account info.
  2810. --registeraccount Register account key.
  2811. --createAccountKey, -cak Create an account private key, professional use.
  2812. --createDomainKey, -cdk Create an domain private key, professional use.
  2813. --createCSR, -ccsr Create CSR , professional use.
  2814. --deactivate Deactivate the domain authz, professional use.
  2815. Parameters:
  2816. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
  2817. --force, -f Used to force to install or force to renew a cert immediately.
  2818. --staging, --test Use staging server, just for test.
  2819. --debug Output debug info.
  2820. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
  2821. --standalone Use standalone mode.
  2822. --tls Use standalone tls mode.
  2823. --apache Use apache mode.
  2824. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
  2825. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  2826. --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  2827. --accountkeylength, -ak [2048] Specifies the account key length.
  2828. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  2829. --log-level 1|2 Specifies the log level, default is 1.
  2830. These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
  2831. --certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
  2832. --keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
  2833. --capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
  2834. --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
  2835. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  2836. --accountconf Specifies a customized account config file.
  2837. --home Specifies the home dir for $PROJECT_NAME .
  2838. --certhome Specifies the home dir to save all the certs, only valid for '--install' command.
  2839. --useragent Specifies the user agent string. it will be saved for future use too.
  2840. --accountemail Specifies the account email for registering, Only valid for the '--install' command.
  2841. --accountkey Specifies the account key path, Only valid for the '--install' command.
  2842. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
  2843. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  2844. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  2845. --local-address Specifies the standalone server listening address, in case you have multiple ip addresses.
  2846. --listraw Only used for '--list' command, list the certs in raw format.
  2847. --stopRenewOnError, -se Only valid for '--renewall' command. Stop if one cert has error in renewal.
  2848. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  2849. --ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
  2850. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  2851. --ecc Specifies to use the ECC cert. Valid for '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  2852. --csr Specifies the input csr.
  2853. --pre-hook Command to be run before obtaining any certificates.
  2854. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed.
  2855. --renew-hook Command to be run once for each successfully renewed certificate.
  2856. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
  2857. "
  2858. }
  2859. # nocron
  2860. _installOnline() {
  2861. _info "Installing from online archive."
  2862. _nocron="$1"
  2863. if [ ! "$BRANCH" ] ; then
  2864. BRANCH="master"
  2865. fi
  2866. target="$PROJECT/archive/$BRANCH.tar.gz"
  2867. _info "Downloading $target"
  2868. localname="$BRANCH.tar.gz"
  2869. if ! _get "$target" > $localname ; then
  2870. _err "Download error."
  2871. return 1
  2872. fi
  2873. (
  2874. _info "Extracting $localname"
  2875. tar xzf $localname
  2876. cd "$PROJECT_NAME-$BRANCH"
  2877. chmod +x $PROJECT_ENTRY
  2878. if ./$PROJECT_ENTRY install "$_nocron" ; then
  2879. _info "Install success!"
  2880. fi
  2881. cd ..
  2882. rm -rf "$PROJECT_NAME-$BRANCH"
  2883. rm -f "$localname"
  2884. )
  2885. }
  2886. upgrade() {
  2887. if (
  2888. _initpath
  2889. export LE_WORKING_DIR
  2890. cd "$LE_WORKING_DIR"
  2891. _installOnline "nocron"
  2892. ) ; then
  2893. _info "Upgrade success!"
  2894. exit 0
  2895. else
  2896. _err "Upgrade failed!"
  2897. exit 1
  2898. fi
  2899. }
  2900. _processAccountConf() {
  2901. if [ "$_useragent" ] ; then
  2902. _saveaccountconf "USER_AGENT" "$_useragent"
  2903. elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ] ; then
  2904. _saveaccountconf "USER_AGENT" "$USER_AGENT"
  2905. fi
  2906. if [ "$_accountemail" ] ; then
  2907. _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  2908. elif [ "$ACCOUNT_EMAIL" ] && [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ] ; then
  2909. _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
  2910. fi
  2911. }
  2912. _process() {
  2913. _CMD=""
  2914. _domain=""
  2915. _altdomains="$NO_VALUE"
  2916. _webroot=""
  2917. _keylength=""
  2918. _accountkeylength=""
  2919. _certpath=""
  2920. _keypath=""
  2921. _capath=""
  2922. _fullchainpath=""
  2923. _reloadcmd=""
  2924. _password=""
  2925. _accountconf=""
  2926. _useragent=""
  2927. _accountemail=""
  2928. _accountkey=""
  2929. _certhome=""
  2930. _httpport=""
  2931. _tlsport=""
  2932. _dnssleep=""
  2933. _listraw=""
  2934. _stopRenewOnError=""
  2935. _insecure=""
  2936. _ca_bundle=""
  2937. _nocron=""
  2938. _ecc=""
  2939. _csr=""
  2940. _pre_hook=""
  2941. _post_hook=""
  2942. _renew_hook=""
  2943. _logfile=""
  2944. _log=""
  2945. _local_address=""
  2946. _log_level=""
  2947. while [ ${#} -gt 0 ] ; do
  2948. case "${1}" in
  2949. --help|-h)
  2950. showhelp
  2951. return
  2952. ;;
  2953. --version|-v)
  2954. version
  2955. return
  2956. ;;
  2957. --install)
  2958. _CMD="install"
  2959. ;;
  2960. --uninstall)
  2961. _CMD="uninstall"
  2962. ;;
  2963. --upgrade)
  2964. _CMD="upgrade"
  2965. ;;
  2966. --issue)
  2967. _CMD="issue"
  2968. ;;
  2969. --signcsr)
  2970. _CMD="signcsr"
  2971. ;;
  2972. --showcsr)
  2973. _CMD="showcsr"
  2974. ;;
  2975. --installcert|-i)
  2976. _CMD="installcert"
  2977. ;;
  2978. --renew|-r)
  2979. _CMD="renew"
  2980. ;;
  2981. --renewAll|--renewall)
  2982. _CMD="renewAll"
  2983. ;;
  2984. --revoke)
  2985. _CMD="revoke"
  2986. ;;
  2987. --list)
  2988. _CMD="list"
  2989. ;;
  2990. --installcronjob)
  2991. _CMD="installcronjob"
  2992. ;;
  2993. --uninstallcronjob)
  2994. _CMD="uninstallcronjob"
  2995. ;;
  2996. --cron)
  2997. _CMD="cron"
  2998. ;;
  2999. --toPkcs)
  3000. _CMD="toPkcs"
  3001. ;;
  3002. --createAccountKey|--createaccountkey|-cak)
  3003. _CMD="createAccountKey"
  3004. ;;
  3005. --createDomainKey|--createdomainkey|-cdk)
  3006. _CMD="createDomainKey"
  3007. ;;
  3008. --createCSR|--createcsr|-ccr)
  3009. _CMD="createCSR"
  3010. ;;
  3011. --deactivate)
  3012. _CMD="deactivate"
  3013. ;;
  3014. --updateaccount)
  3015. _CMD="updateaccount"
  3016. ;;
  3017. --registeraccount)
  3018. _CMD="registeraccount"
  3019. ;;
  3020. --domain|-d)
  3021. _dvalue="$2"
  3022. if [ "$_dvalue" ] ; then
  3023. if _startswith "$_dvalue" "-" ; then
  3024. _err "'$_dvalue' is not a valid domain for parameter '$1'"
  3025. return 1
  3026. fi
  3027. if [ -z "$_domain" ] ; then
  3028. _domain="$_dvalue"
  3029. else
  3030. if [ "$_altdomains" = "$NO_VALUE" ] ; then
  3031. _altdomains="$_dvalue"
  3032. else
  3033. _altdomains="$_altdomains,$_dvalue"
  3034. fi
  3035. fi
  3036. fi
  3037. shift
  3038. ;;
  3039. --force|-f)
  3040. FORCE="1"
  3041. ;;
  3042. --staging|--test)
  3043. STAGE="1"
  3044. ;;
  3045. --debug)
  3046. if [ -z "$2" ] || _startswith "$2" "-" ; then
  3047. DEBUG="1"
  3048. else
  3049. DEBUG="$2"
  3050. shift
  3051. fi
  3052. ;;
  3053. --webroot|-w)
  3054. wvalue="$2"
  3055. if [ -z "$_webroot" ] ; then
  3056. _webroot="$wvalue"
  3057. else
  3058. _webroot="$_webroot,$wvalue"
  3059. fi
  3060. shift
  3061. ;;
  3062. --standalone)
  3063. wvalue="$NO_VALUE"
  3064. if [ -z "$_webroot" ] ; then
  3065. _webroot="$wvalue"
  3066. else
  3067. _webroot="$_webroot,$wvalue"
  3068. fi
  3069. ;;
  3070. --local-address)
  3071. lvalue="$2"
  3072. _local_address="$_local_address$lvalue,"
  3073. shift
  3074. ;;
  3075. --apache)
  3076. wvalue="apache"
  3077. if [ -z "$_webroot" ] ; then
  3078. _webroot="$wvalue"
  3079. else
  3080. _webroot="$_webroot,$wvalue"
  3081. fi
  3082. ;;
  3083. --tls)
  3084. wvalue="$W_TLS"
  3085. if [ -z "$_webroot" ] ; then
  3086. _webroot="$wvalue"
  3087. else
  3088. _webroot="$_webroot,$wvalue"
  3089. fi
  3090. ;;
  3091. --dns)
  3092. wvalue="dns"
  3093. if ! _startswith "$2" "-" ; then
  3094. wvalue="$2"
  3095. shift
  3096. fi
  3097. if [ -z "$_webroot" ] ; then
  3098. _webroot="$wvalue"
  3099. else
  3100. _webroot="$_webroot,$wvalue"
  3101. fi
  3102. ;;
  3103. --dnssleep)
  3104. _dnssleep="$2"
  3105. Le_DNSSleep="$_dnssleep"
  3106. shift
  3107. ;;
  3108. --keylength|-k)
  3109. _keylength="$2"
  3110. if [ "$_accountkeylength" = "$NO_VALUE" ] ; then
  3111. _accountkeylength="$2"
  3112. fi
  3113. shift
  3114. ;;
  3115. --accountkeylength|-ak)
  3116. _accountkeylength="$2"
  3117. shift
  3118. ;;
  3119. --certpath)
  3120. _certpath="$2"
  3121. shift
  3122. ;;
  3123. --keypath)
  3124. _keypath="$2"
  3125. shift
  3126. ;;
  3127. --capath)
  3128. _capath="$2"
  3129. shift
  3130. ;;
  3131. --fullchainpath)
  3132. _fullchainpath="$2"
  3133. shift
  3134. ;;
  3135. --reloadcmd|--reloadCmd)
  3136. _reloadcmd="$2"
  3137. shift
  3138. ;;
  3139. --password)
  3140. _password="$2"
  3141. shift
  3142. ;;
  3143. --accountconf)
  3144. _accountconf="$2"
  3145. ACCOUNT_CONF_PATH="$_accountconf"
  3146. shift
  3147. ;;
  3148. --home)
  3149. LE_WORKING_DIR="$2"
  3150. shift
  3151. ;;
  3152. --certhome)
  3153. _certhome="$2"
  3154. CERT_HOME="$_certhome"
  3155. shift
  3156. ;;
  3157. --useragent)
  3158. _useragent="$2"
  3159. USER_AGENT="$_useragent"
  3160. shift
  3161. ;;
  3162. --accountemail )
  3163. _accountemail="$2"
  3164. ACCOUNT_EMAIL="$_accountemail"
  3165. shift
  3166. ;;
  3167. --accountkey )
  3168. _accountkey="$2"
  3169. ACCOUNT_KEY_PATH="$_accountkey"
  3170. shift
  3171. ;;
  3172. --days )
  3173. _days="$2"
  3174. Le_RenewalDays="$_days"
  3175. shift
  3176. ;;
  3177. --httpport )
  3178. _httpport="$2"
  3179. Le_HTTPPort="$_httpport"
  3180. shift
  3181. ;;
  3182. --tlsport )
  3183. _tlsport="$2"
  3184. Le_TLSPort="$_tlsport"
  3185. shift
  3186. ;;
  3187. --listraw )
  3188. _listraw="raw"
  3189. ;;
  3190. --stopRenewOnError|--stoprenewonerror|-se )
  3191. _stopRenewOnError="1"
  3192. ;;
  3193. --insecure)
  3194. _insecure="1"
  3195. HTTPS_INSECURE="1"
  3196. ;;
  3197. --ca-bundle)
  3198. _ca_bundle="$(readlink -f $2)"
  3199. CA_BUNDLE="$_ca_bundle"
  3200. shift
  3201. ;;
  3202. --nocron)
  3203. _nocron="1"
  3204. ;;
  3205. --ecc)
  3206. _ecc="isEcc"
  3207. ;;
  3208. --csr)
  3209. _csr="$2"
  3210. shift
  3211. ;;
  3212. --pre-hook)
  3213. _pre_hook="$2"
  3214. shift
  3215. ;;
  3216. --post-hook)
  3217. _post_hook="$2"
  3218. shift
  3219. ;;
  3220. --renew-hook)
  3221. _renew_hook="$2"
  3222. shift
  3223. ;;
  3224. --ocsp-must-staple|--ocsp)
  3225. Le_OCSP_Stable="1"
  3226. ;;
  3227. --log|--logfile)
  3228. _log="1"
  3229. _logfile="$2"
  3230. if [ -z "$_logfile" ] || _startswith "$_logfile" '-' ; then
  3231. _logfile=""
  3232. else
  3233. shift
  3234. fi
  3235. LOG_FILE="$_logfile"
  3236. if [ -z "$LOG_LEVEL" ] ; then
  3237. LOG_LEVEL="$DEFAULT_LOG_LEVEL"
  3238. fi
  3239. ;;
  3240. --log-level)
  3241. _log_level="$2"
  3242. LOG_LEVEL="$_log_level"
  3243. shift
  3244. ;;
  3245. *)
  3246. _err "Unknown parameter : $1"
  3247. return 1
  3248. ;;
  3249. esac
  3250. shift 1
  3251. done
  3252. if [ "${_CMD}" != "install" ] ; then
  3253. __initHome
  3254. if [ "$_log" ] && [ -z "$_logfile" ] ; then
  3255. _logfile="$DEFAULT_LOG_FILE"
  3256. fi
  3257. if [ "$_logfile" ] ; then
  3258. _saveaccountconf "LOG_FILE" "$_logfile"
  3259. fi
  3260. LOG_FILE="$_logfile"
  3261. if [ "$_log_level" ] ; then
  3262. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3263. LOG_LEVEL="$_log_level"
  3264. fi
  3265. _processAccountConf
  3266. fi
  3267. if [ "$DEBUG" ] ; then
  3268. version
  3269. fi
  3270. case "${_CMD}" in
  3271. install) install "$_nocron" ;;
  3272. uninstall) uninstall "$_nocron" ;;
  3273. upgrade) upgrade ;;
  3274. issue)
  3275. issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
  3276. ;;
  3277. signcsr)
  3278. signcsr "$_csr" "$_webroot"
  3279. ;;
  3280. showcsr)
  3281. showcsr "$_csr" "$_domain"
  3282. ;;
  3283. installcert)
  3284. installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
  3285. ;;
  3286. renew)
  3287. renew "$_domain" "$_ecc"
  3288. ;;
  3289. renewAll)
  3290. renewAll "$_stopRenewOnError"
  3291. ;;
  3292. revoke)
  3293. revoke "$_domain" "$_ecc"
  3294. ;;
  3295. deactivate)
  3296. deactivate "$_domain,$_altdomains"
  3297. ;;
  3298. registeraccount)
  3299. registeraccount
  3300. ;;
  3301. updateaccount)
  3302. updateaccount
  3303. ;;
  3304. list)
  3305. list "$_listraw"
  3306. ;;
  3307. installcronjob) installcronjob ;;
  3308. uninstallcronjob) uninstallcronjob ;;
  3309. cron) cron ;;
  3310. toPkcs)
  3311. toPkcs "$_domain" "$_password" "$_ecc"
  3312. ;;
  3313. createAccountKey)
  3314. createAccountKey "$_accountkeylength"
  3315. ;;
  3316. createDomainKey)
  3317. createDomainKey "$_domain" "$_keylength"
  3318. ;;
  3319. createCSR)
  3320. createCSR "$_domain" "$_altdomains" "$_ecc"
  3321. ;;
  3322. *)
  3323. _err "Invalid command: $_CMD"
  3324. showhelp;
  3325. return 1
  3326. ;;
  3327. esac
  3328. _ret="$?"
  3329. if [ "$_ret" != "0" ] ; then
  3330. return $_ret
  3331. fi
  3332. if [ "${_CMD}" = "install" ] ; then
  3333. if [ "$_log" ] ; then
  3334. if [ -z "$LOG_FILE" ] ; then
  3335. LOG_FILE="$DEFAULT_LOG_FILE"
  3336. fi
  3337. _saveaccountconf "LOG_FILE" "$LOG_FILE"
  3338. fi
  3339. if [ "$_log_level" ] ; then
  3340. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3341. fi
  3342. _processAccountConf
  3343. fi
  3344. }
  3345. if [ "$INSTALLONLINE" ] ; then
  3346. INSTALLONLINE=""
  3347. _installOnline $BRANCH
  3348. exit
  3349. fi
  3350. main() {
  3351. [ -z "$1" ] && showhelp && return
  3352. if _startswith "$1" '-' ; then _process "$@"; else "$@";fi
  3353. }
  3354. main "$@"