|
@ -1,6 +1,6 @@ |
|
|
#!/usr/bin/env sh |
|
|
#!/usr/bin/env sh |
|
|
|
|
|
|
|
|
VER=2.5.0 |
|
|
|
|
|
|
|
|
VER=2.5.1 |
|
|
|
|
|
|
|
|
PROJECT_NAME="acme.sh" |
|
|
PROJECT_NAME="acme.sh" |
|
|
|
|
|
|
|
@ -163,11 +163,11 @@ _hasfield() { |
|
|
|
|
|
|
|
|
for f in $(echo "$_str" | tr ',' ' ') ; do |
|
|
for f in $(echo "$_str" | tr ',' ' ') ; do |
|
|
if [ "$f" = "$_field" ] ; then |
|
|
if [ "$f" = "$_field" ] ; then |
|
|
_debug "'$_str' contains '$_field'" |
|
|
|
|
|
|
|
|
_debug2 "'$_str' contains '$_field'" |
|
|
return 0 #contains ok |
|
|
return 0 #contains ok |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
|
_debug "'$_str' does not contain '$_field'" |
|
|
|
|
|
|
|
|
_debug2 "'$_str' does not contain '$_field'" |
|
|
return 1 #not contains |
|
|
return 1 #not contains |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
@ -440,16 +440,20 @@ _createcsr() { |
|
|
_debug _createcsr |
|
|
_debug _createcsr |
|
|
domain="$1" |
|
|
domain="$1" |
|
|
domainlist="$2" |
|
|
domainlist="$2" |
|
|
key="$3" |
|
|
|
|
|
|
|
|
csrkey="$3" |
|
|
csr="$4" |
|
|
csr="$4" |
|
|
csrconf="$5" |
|
|
csrconf="$5" |
|
|
_debug2 domain "$domain" |
|
|
_debug2 domain "$domain" |
|
|
_debug2 domainlist "$domainlist" |
|
|
_debug2 domainlist "$domainlist" |
|
|
|
|
|
_debug2 csrkey "$csrkey" |
|
|
|
|
|
_debug2 csr "$csr" |
|
|
|
|
|
_debug2 csrconf "$csrconf" |
|
|
|
|
|
|
|
|
|
|
|
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" > "$csrconf" |
|
|
|
|
|
|
|
|
if [ -z "$domainlist" ] || [ "$domainlist" = "no" ]; then |
|
|
if [ -z "$domainlist" ] || [ "$domainlist" = "no" ]; then |
|
|
#single domain |
|
|
#single domain |
|
|
_info "Single domain" "$domain" |
|
|
_info "Single domain" "$domain" |
|
|
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n" > "$csrconf" |
|
|
|
|
|
openssl req -new -sha256 -key "$key" -subj "/CN=$domain" -config "$csrconf" -out "$csr" |
|
|
|
|
|
else |
|
|
else |
|
|
if _contains "$domainlist" "," ; then |
|
|
if _contains "$domainlist" "," ; then |
|
|
alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" |
|
|
alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" |
|
@ -458,9 +462,13 @@ _createcsr() { |
|
|
fi |
|
|
fi |
|
|
#multi |
|
|
#multi |
|
|
_info "Multi domain" "$alt" |
|
|
_info "Multi domain" "$alt" |
|
|
printf -- "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\nsubjectAltName=$alt" > "$csrconf" |
|
|
|
|
|
openssl req -new -sha256 -key "$key" -subj "/CN=$domain" -config "$csrconf" -out "$csr" |
|
|
|
|
|
|
|
|
printf -- "\nsubjectAltName=$alt" >> "$csrconf" |
|
|
|
|
|
fi |
|
|
|
|
|
if [ "$Le_OCSP_Stable" ] ; then |
|
|
|
|
|
_savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable" |
|
|
|
|
|
printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "$csrconf" |
|
|
fi |
|
|
fi |
|
|
|
|
|
openssl req -new -sha256 -key "$csrkey" -subj "/CN=$domain" -config "$csrconf" -out "$csr" |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
#_signcsr key csr conf cert |
|
|
#_signcsr key csr conf cert |
|
@ -1066,56 +1074,56 @@ _setopt() { |
|
|
#_savedomainconf key value |
|
|
#_savedomainconf key value |
|
|
#save to domain.conf |
|
|
#save to domain.conf |
|
|
_savedomainconf() { |
|
|
_savedomainconf() { |
|
|
key="$1" |
|
|
|
|
|
value="$2" |
|
|
|
|
|
|
|
|
_sdkey="$1" |
|
|
|
|
|
_sdvalue="$2" |
|
|
if [ "$DOMAIN_CONF" ] ; then |
|
|
if [ "$DOMAIN_CONF" ] ; then |
|
|
_setopt "$DOMAIN_CONF" "$key" "=" "\"$value\"" |
|
|
|
|
|
|
|
|
_setopt "$DOMAIN_CONF" "$_sdkey" "=" "\"$_sdvalue\"" |
|
|
else |
|
|
else |
|
|
_err "DOMAIN_CONF is empty, can not save $key=$value" |
|
|
|
|
|
|
|
|
_err "DOMAIN_CONF is empty, can not save $_sdkey=$_sdvalue" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
#_cleardomainconf key |
|
|
#_cleardomainconf key |
|
|
_cleardomainconf() { |
|
|
_cleardomainconf() { |
|
|
key="$1" |
|
|
|
|
|
|
|
|
_sdkey="$1" |
|
|
if [ "$DOMAIN_CONF" ] ; then |
|
|
if [ "$DOMAIN_CONF" ] ; then |
|
|
_sed_i "s/^$key.*$//" "$DOMAIN_CONF" |
|
|
|
|
|
|
|
|
_sed_i "s/^$_sdkey.*$//" "$DOMAIN_CONF" |
|
|
else |
|
|
else |
|
|
_err "DOMAIN_CONF is empty, can not save $key=$value" |
|
|
|
|
|
|
|
|
_err "DOMAIN_CONF is empty, can not save $_sdkey=$value" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
#_readdomainconf key |
|
|
#_readdomainconf key |
|
|
_readdomainconf() { |
|
|
_readdomainconf() { |
|
|
key="$1" |
|
|
|
|
|
|
|
|
_sdkey="$1" |
|
|
if [ "$DOMAIN_CONF" ] ; then |
|
|
if [ "$DOMAIN_CONF" ] ; then |
|
|
( |
|
|
( |
|
|
eval $(grep "^$key *=" "$DOMAIN_CONF") |
|
|
|
|
|
eval "printf \"%s\" \"\$$key\"" |
|
|
|
|
|
|
|
|
eval $(grep "^$_sdkey *=" "$DOMAIN_CONF") |
|
|
|
|
|
eval "printf \"%s\" \"\$$_sdkey\"" |
|
|
) |
|
|
) |
|
|
else |
|
|
else |
|
|
_err "DOMAIN_CONF is empty, can not read $key" |
|
|
|
|
|
|
|
|
_err "DOMAIN_CONF is empty, can not read $_sdkey" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
#_saveaccountconf key value |
|
|
#_saveaccountconf key value |
|
|
_saveaccountconf() { |
|
|
_saveaccountconf() { |
|
|
key="$1" |
|
|
|
|
|
value="$2" |
|
|
|
|
|
|
|
|
_sckey="$1" |
|
|
|
|
|
_scvalue="$2" |
|
|
if [ "$ACCOUNT_CONF_PATH" ] ; then |
|
|
if [ "$ACCOUNT_CONF_PATH" ] ; then |
|
|
_setopt "$ACCOUNT_CONF_PATH" "$key" "=" "\"$value\"" |
|
|
|
|
|
|
|
|
_setopt "$ACCOUNT_CONF_PATH" "$_sckey" "=" "\"$_scvalue\"" |
|
|
else |
|
|
else |
|
|
_err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" |
|
|
|
|
|
|
|
|
_err "ACCOUNT_CONF_PATH is empty, can not save $_sckey=$_scvalue" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
#_clearaccountconf key |
|
|
#_clearaccountconf key |
|
|
_clearaccountconf() { |
|
|
_clearaccountconf() { |
|
|
key="$1" |
|
|
|
|
|
|
|
|
_scvalue="$1" |
|
|
if [ "$ACCOUNT_CONF_PATH" ] ; then |
|
|
if [ "$ACCOUNT_CONF_PATH" ] ; then |
|
|
_sed_i "s/^$key.*$//" "$ACCOUNT_CONF_PATH" |
|
|
|
|
|
|
|
|
_sed_i "s/^$_scvalue.*$//" "$ACCOUNT_CONF_PATH" |
|
|
else |
|
|
else |
|
|
_err "ACCOUNT_CONF_PATH is empty, can not clear $key" |
|
|
|
|
|
|
|
|
_err "ACCOUNT_CONF_PATH is empty, can not clear $_scvalue" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
@ -1357,7 +1365,7 @@ _initpath() { |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
if [ -z "$DOMAIN_SSL_CONF" ] ; then |
|
|
if [ -z "$DOMAIN_SSL_CONF" ] ; then |
|
|
DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.ssl.conf" |
|
|
|
|
|
|
|
|
DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf" |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
if [ -z "$CSR_PATH" ] ; then |
|
|
if [ -z "$CSR_PATH" ] ; then |
|
@ -3079,6 +3087,7 @@ Parameters: |
|
|
--pre-hook Command to be run before obtaining any certificates. |
|
|
--pre-hook Command to be run before obtaining any certificates. |
|
|
--post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed. |
|
|
--post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed. |
|
|
--renew-hook Command to be run once for each successfully renewed certificate. |
|
|
--renew-hook Command to be run once for each successfully renewed certificate. |
|
|
|
|
|
--ocsp-must-staple, --ocsp Generate ocsp must Staple extension. |
|
|
" |
|
|
" |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
@ -3431,6 +3440,9 @@ _process() { |
|
|
_renew_hook="$2" |
|
|
_renew_hook="$2" |
|
|
shift |
|
|
shift |
|
|
;; |
|
|
;; |
|
|
|
|
|
--ocsp-must-staple|--ocsp) |
|
|
|
|
|
Le_OCSP_Stable="1" |
|
|
|
|
|
;; |
|
|
*) |
|
|
*) |
|
|
_err "Unknown parameter : $1" |
|
|
_err "Unknown parameter : $1" |
|
|
return 1 |
|
|
return 1 |
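Review bot: In `_createcsr`, the new `printf -- "\nsubjectAltName=$alt" >> "$csrconf"` line still expands `$alt` inside the printf format string, so a `%` in the domain list would be read as a conversion specifier rather than written literally; pass it as an argument instead, `printf -- "\nsubjectAltName=%s" "$alt" >> "$csrconf"`. The base config written at the top of the function is now shared by the single-domain branch as well, so single-domain CSRs gain `req_extensions = v3_req` and the keyUsage block they did not carry before; a comment such as `# single- and multi-domain CSRs share one v3_req section; SAN and must-staple are appended below` would make that intent explicit. `Le_OCSP_Stable` is saved to domain.conf only when the flag is set and is never cleared, so presumably a later run without `--ocsp` keeps stapling enabled if the renew path reloads domain.conf before `_createcsr` — worth confirming, or pairing the save with a `_cleardomainconf Le_OCSP_Stable` in the else case. Separately, in `_cleardomainconf` the renamed message `"DOMAIN_CONF is empty, can not save $_sdkey=$value"` references `$value`, which that function never sets, and says "save" for a clear; `"DOMAIN_CONF is empty, can not clear $_sdkey"` would match the sibling `_clearaccountconf`. The `_createcsr` signature and the surrounding `_process` case statement lie outside the visible hunks.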
|
|