Merge pull request #6604 from acmesh-official/dev

sync
2 days ago · 0a4500e85b
8 changed files with 252 additions and 8 deletions
--- a/.github/workflows/PebbleStrict.yml
+++ b/.github/workflows/PebbleStrict.yml
@ -65,7 +65,7 @@ jobs:
      run: |
        docker run --rm -itd --name=pebble \
        -e PEBBLE_VA_ALWAYS_VALID=1 \
-        -p 14000:14000 -p 15000:15000   letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict
+        -p 14000:14000 -p 15000:15000   ghcr.io/letsencrypt/pebble:latest -config /test/config/pebble-config.json -strict
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22

 RUN apk --no-cache add -f \
  openssl \
--- a/deploy/keyhelp_api.sh
+++ b/deploy/keyhelp_api.sh
@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+keyhelp_api_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+
+  # Read config from saved values or env
+  _getdeployconf DEPLOY_KEYHELP_HOST
+  _getdeployconf DEPLOY_KEYHELP_API_KEY
+
+  _debug DEPLOY_KEYHELP_HOST "$DEPLOY_KEYHELP_HOST"
+  _secure_debug DEPLOY_KEYHELP_API_KEY "$DEPLOY_KEYHELP_API_KEY"
+
+  if [ -z "$DEPLOY_KEYHELP_HOST" ]; then
+    _err "KeyHelp host not found, please define DEPLOY_KEYHELP_HOST."
+    return 1
+  fi
+  if [ -z "$DEPLOY_KEYHELP_API_KEY" ]; then
+    _err "KeyHelp api key not found, please define DEPLOY_KEYHELP_API_KEY."
+    return 1
+  fi
+
+  # Save current values
+  _savedeployconf DEPLOY_KEYHELP_HOST "$DEPLOY_KEYHELP_HOST"
+  _savedeployconf DEPLOY_KEYHELP_API_KEY "$DEPLOY_KEYHELP_API_KEY"
+
+  _request_key="$(tr '\n' ':' <"$_ckey" | sed 's/:/\\n/g')"
+  _request_cert="$(tr '\n' ':' <"$_ccert" | sed 's/:/\\n/g')"
+  _request_ca="$(tr '\n' ':' <"$_cca" | sed 's/:/\\n/g')"
+
+  _request_body="{
+    \"name\": \"$_cdomain\",
+    \"components\": {
+      \"private_key\": \"$_request_key\",
+      \"certificate\": \"$_request_cert\",
+      \"ca_certificate\": \"$_request_ca\"
+    }
+  }"
+
+  _hosts="$(echo "$DEPLOY_KEYHELP_HOST" | tr "," " ")"
+  _keys="$(echo "$DEPLOY_KEYHELP_API_KEY" | tr "," " ")"
+  _i=1
+
+  for _host in $_hosts; do
+    _key="$(_getfield "$_keys" "$_i" " ")"
+    _i="$(_math "$_i" + 1)"
+
+    export _H1="X-API-Key: $_key"
+
+    _put_url="$_host/api/v2/certificates/name/$_cdomain"
+    if _post "$_request_body" "$_put_url" "" "PUT" "application/json" >/dev/null; then
+      _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
+    else
+      _err "Cannot make PUT request to $_put_url"
+      return 1
+    fi
+
+    if [ "$_code" = "404" ]; then
+      _info "$_cdomain not found, creating new entry at $_host"
+
+      _post_url="$_host/api/v2/certificates"
+      if _post "$_request_body" "$_post_url" "" "POST" "application/json" >/dev/null; then
+        _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
+      else
+        _err "Cannot make POST request to $_post_url"
+        return 1
+      fi
+    fi
+
+    if _startswith "$_code" "2"; then
+      _info "$_cdomain set at $_host"
+    else
+      _err "HTTP status code is $_code"
+      return 1
+    fi
+  done
+
+  return 0
+}
--- a/deploy/truenas_ws.sh
+++ b/deploy/truenas_ws.sh
@ -71,7 +71,7 @@ with Client(uri="$_ws_uri") as c:
      fullchain = file.read()
    with open('$2', 'r') as file:
      privatekey = file.read()
-    ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey, "passphrase": ""}, job=True)
+    ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey}, job=True)
    print("R:" + str(ret["id"]))
    sys.exit(0)
  else:
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@ -143,8 +143,10 @@ unifi_deploy() {

    # correct file ownership according to the directory, the keystore is placed in
    _unifi_keystore_dir=$(dirname "${_unifi_keystore}")
-    _unifi_keystore_dir_owner=$(find "${_unifi_keystore_dir}" -maxdepth 0 -printf '%u\n')
-    _unifi_keystore_owner=$(find "${_unifi_keystore}" -maxdepth 0 -printf '%u\n')
+    # shellcheck disable=SC2012
+    _unifi_keystore_dir_owner=$(ls -ld "${_unifi_keystore_dir}" | awk '{print $3}')
+    # shellcheck disable=SC2012
+    _unifi_keystore_owner=$(ls -l "${_unifi_keystore}" | awk '{print $3}')
    if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ]; then
      _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}"
      chown "$_unifi_keystore_dir_owner" "${_unifi_keystore}" >/dev/null 2>&1 # fail quietly if we're not running as root
--- a/dnsapi/dns_curanet.sh
+++ b/dnsapi/dns_curanet.sh
@ -15,7 +15,7 @@ CURANET_REST_URL="https://api.curanet.dk/dns/v1/Domains"
 CURANET_AUTH_URL="https://apiauth.dk.team.blue/auth/realms/Curanet/protocol/openid-connect/token"
 CURANET_ACCESS_TOKEN=""

-########  Public functions #####################
+########  Public functions ####################

 #Usage: dns_curanet_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_curanet_add() {
@ -154,7 +154,7 @@ _get_root() {
    export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN"
    response="$(_get "$CURANET_REST_URL/$h/Records" "" "")"

-    if [ ! "$(echo "$response" | _egrep_o "Entity not found")" ]; then
+    if [ ! "$(echo "$response" | _egrep_o "Entity not found|Bad Request")" ]; then
      _domain=$h
      return 0
    fi
--- a/notify/ntfy.sh
+++ b/notify/ntfy.sh
@ -14,6 +14,13 @@ ntfy_send() {
  _debug "_content" "$_content"
  _debug "_statusCode" "$_statusCode"

+  _priority_default="default"
+  _priority_error="high"
+
+  _tag_success="white_check_mark"
+  _tag_error="warning"
+  _tag_info="information_source"
+
  NTFY_URL="${NTFY_URL:-$(_readaccountconf_mutable NTFY_URL)}"
  if [ "$NTFY_URL" ]; then
    _saveaccountconf_mutable NTFY_URL "$NTFY_URL"
@ -30,7 +37,26 @@ ntfy_send() {
    export _H1="Authorization: Bearer $NTFY_TOKEN"
  fi

-  _data="${_subject}. $_content"
+  case "$_statusCode" in
+  0)
+    _priority="$_priority_default"
+    _tag="$_tag_success"
+    ;;
+  1)
+    _priority="$_priority_error"
+    _tag="$_tag_error"
+    ;;
+  2)
+    _priority="$_priority_default"
+    _tag="$_tag_info"
+    ;;
+  esac
+
+  export _H2="Priority: $_priority"
+  export _H3="Tags: $_tag"
+  export _H4="Title: $PROJECT_NAME: $_subject"
+
+  _data="$_content"
  response="$(_post "$_data" "$NTFY_URL/$NTFY_TOPIC" "" "POST" "")"

  if [ "$?" = "0" ] && _contains "$response" "expires"; then
--- a/notify/opsgenie.sh
+++ b/notify/opsgenie.sh
@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+
+#Support OpsGenie API integration
+
+#OPSGENIE_API_KEY="" Required, opsgenie api key
+#OPSGENIE_REGION="" Optional, opsgenie region, can be EU or US (default: US)
+#OPSGENIE_PRIORITY_SUCCESS="" Optional, opsgenie priority for success (default: P5)
+#OPSGENIE_PRIORITY_ERROR="" Optional, opsgenie priority for error (default: P2)
+#OPSGENIE_PRIORITY_SKIP="" Optional, opsgenie priority for renew skipped (default: P5)
+
+_OPSGENIE_AVAIL_REGION="US,EU"
+_OPSGENIE_AVAIL_PRIORITIES="P1,P2,P3,P4,P5"
+
+opsgenie_send() {
+  _subject="$1"
+  _content="$2"
+  _status_code="$3" #0: success, 1: error, 2($RENEW_SKIP): skipped
+
+  OPSGENIE_API_KEY="${OPSGENIE_API_KEY:-$(_readaccountconf_mutable OPSGENIE_API_KEY)}"
+  if [ -z "$OPSGENIE_API_KEY" ]; then
+    OPSGENIE_API_KEY=""
+    _err "You didn't specify an OpsGenie API key OPSGENIE_API_KEY yet."
+    return 1
+  fi
+  _saveaccountconf_mutable OPSGENIE_API_KEY "$OPSGENIE_API_KEY"
+  export _H1="Authorization: GenieKey $OPSGENIE_API_KEY"
+
+  OPSGENIE_REGION="${OPSGENIE_REGION:-$(_readaccountconf_mutable OPSGENIE_REGION)}"
+  if [ -z "$OPSGENIE_REGION" ]; then
+    OPSGENIE_REGION="US"
+    _info "The OPSGENIE_REGION is not set, so use the default US as regeion."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_REGION" "$OPSGENIE_REGION"; then
+    _err "The OPSGENIE_REGION \"$OPSGENIE_REGION\" is not available, should be one of $_OPSGENIE_AVAIL_REGION"
+    OPSGENIE_REGION=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_REGION "$OPSGENIE_REGION"
+  fi
+
+  OPSGENIE_PRIORITY_SUCCESS="${OPSGENIE_PRIORITY_SUCCESS:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_SUCCESS)}"
+  if [ -z "$OPSGENIE_PRIORITY_SUCCESS" ]; then
+    OPSGENIE_PRIORITY_SUCCESS="P5"
+    _info "The OPSGENIE_PRIORITY_SUCCESS is not set, so use the default P5 as priority."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_SUCCESS"; then
+    _err "The OPSGENIE_PRIORITY_SUCCESS \"$OPSGENIE_PRIORITY_SUCCESS\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES"
+    OPSGENIE_PRIORITY_SUCCESS=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_PRIORITY_SUCCESS "$OPSGENIE_PRIORITY_SUCCESS"
+  fi
+
+  OPSGENIE_PRIORITY_ERROR="${OPSGENIE_PRIORITY_ERROR:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_ERROR)}"
+  if [ -z "$OPSGENIE_PRIORITY_ERROR" ]; then
+    OPSGENIE_PRIORITY_ERROR="P2"
+    _info "The OPSGENIE_PRIORITY_ERROR is not set, so use the default P2 as priority."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_ERROR"; then
+    _err "The OPSGENIE_PRIORITY_ERROR \"$OPSGENIE_PRIORITY_ERROR\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES"
+    OPSGENIE_PRIORITY_ERROR=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_PRIORITY_ERROR "$OPSGENIE_PRIORITY_ERROR"
+  fi
+
+  OPSGENIE_PRIORITY_SKIP="${OPSGENIE_PRIORITY_SKIP:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_SKIP)}"
+  if [ -z "$OPSGENIE_PRIORITY_SKIP" ]; then
+    OPSGENIE_PRIORITY_SKIP="P5"
+    _info "The OPSGENIE_PRIORITY_SKIP is not set, so use the default P5 as priority."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_SKIP"; then
+    _err "The OPSGENIE_PRIORITY_SKIP \"$OPSGENIE_PRIORITY_SKIP\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES"
+    OPSGENIE_PRIORITY_SKIP=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_PRIORITY_SKIP "$OPSGENIE_PRIORITY_SKIP"
+  fi
+
+  case "$OPSGENIE_REGION" in
+  "US")
+    _opsgenie_url="https://api.opsgenie.com/v2/alerts"
+    ;;
+  "EU")
+    _opsgenie_url="https://api.eu.opsgenie.com/v2/alerts"
+    ;;
+  *)
+    _err "opsgenie region error."
+    return 1
+    ;;
+  esac
+
+  case $_status_code in
+  0)
+    _priority=$OPSGENIE_PRIORITY_SUCCESS
+    ;;
+  1)
+    _priority=$OPSGENIE_PRIORITY_ERROR
+    ;;
+  2)
+    _priority=$OPSGENIE_PRIORITY_SKIP
+    ;;
+  *)
+    _priority=$OPSGENIE_PRIORITY_ERROR
+    ;;
+  esac
+
+  _subject_json=$(echo "$_subject" | _json_encode)
+  _content_json=$(echo "$_content" | _json_encode)
+  _subject_underscore=$(echo "$_subject" | sed 's/ /_/g')
+  _alias_json=$(echo "acme.sh-$(hostname)-$_subject_underscore-$(date +%Y%m%d)" | base64 --wrap=0 | _json_encode)
+
+  _data="{
+    \"message\": \"$_subject_json\",
+    \"alias\": \"$_alias_json\",
+    \"description\": \"$_content_json\",
+    \"tags\": [
+        \"acme.sh\",
+        \"host:$(hostname)\"
+    ],
+    \"entity\": \"$(hostname -f)\",
+    \"priority\": \"$_priority\"
+}"
+
+  if response=$(_post "$_data" "$_opsgenie_url" "" "" "application/json"); then
+    if ! _contains "$response" error; then
+      _info "opsgenie send success."
+      return 0
+    fi
+  fi
+  _err "opsgenie send error."
+  _err "$response"
+  return 1
+}