@ -1,6 +1,6 @@
#!/usr/bin/env sh
VER = 2.4.3
VER = 2.4.4
PROJECT_NAME = "acme.sh"
@ -463,6 +463,60 @@ _signcsr() {
return $_ret
}
#_csrfile
_readSubjectFromCSR( ) {
_csrfile = " $1 "
if [ -z " $_csrfile " ] ; then
_usage "_readSubjectFromCSR mycsr.csr"
return 1
fi
openssl req -noout -in " $_csrfile " -subject | _egrep_o "CN=.*" | cut -d = -f 2 | cut -d / -f 1
}
#_csrfile
#echo comma separated domain list
_readSubjectAltNamesFromCSR( ) {
_csrfile = " $1 "
if [ -z " $_csrfile " ] ; then
_usage "_readSubjectAltNamesFromCSR mycsr.csr"
return 1
fi
_csrsubj = " $( _readSubjectFromCSR " $_csrfile " ) "
_debug _csrsubj " $_csrsubj "
_dnsAltnames = " $( openssl req -noout -text -in " $_csrfile " | grep "^ *DNS:.*" | tr -d ' ' ) "
_debug _dnsAltnames " $_dnsAltnames "
if _contains " $_dnsAltnames , " " DNS: $_csrsubj , " ; then
_debug "AltNames contains subject"
_dnsAltnames = " $( echo " $_dnsAltnames , " | sed " s/DNS: $_csrsubj ,//g " ) "
else
_debug "AltNames doesn't contain subject"
fi
echo " $_dnsAltnames " | sed "s/DNS://g"
}
#_csrfile
_readKeyLengthFromCSR( ) {
_csrfile = " $1 "
if [ -z " $_csrfile " ] ; then
_usage "_readAllDomainListFromCSR mycsr.csr"
return 1
fi
_outcsr = " $( openssl req -noout -text -in " $_csrfile " ) "
if _contains " $_outcsr " "Public Key Algorithm: id-ecPublicKey" ; then
_debug "ECC CSR"
echo " $_outcsr " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
else
_debug "RSA CSR"
echo " $_outcsr " | _egrep_o "^ *Public-Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
fi
}
_ss( ) {
_port = " $1 "
@ -1478,6 +1532,7 @@ _clearupwebbroot() {
}
#webroot, domain domainlist keylength
issue( ) {
if [ -z " $2 " ] ; then
_usage " Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
@ -1631,6 +1686,10 @@ issue() {
Le_Keylength = ""
fi
if [ -f " $CSR_PATH " ] && [ ! -f " $CERT_KEY_PATH " ] ; then
_info "Signing from existing CSR."
else
_key = $( _readdomainconf Le_Keylength)
_debug " Read key length: $_key "
if [ ! -f " $CERT_KEY_PATH " ] || [ " $Le_Keylength " != " $_key " ] ; then
@ -1641,14 +1700,14 @@ issue() {
fi
fi
_savedomainconf "Le_Keylength" " $Le_Keylength "
if ! _createcsr " $Le_Domain " " $Le_Alt " " $CERT_KEY_PATH " " $CSR_PATH " " $DOMAIN_SSL_CONF " ; then
_err "Create CSR error."
_clearup
return 1
fi
fi
_savedomainconf "Le_Keylength" " $Le_Keylength "
vlist = " $Le_Vlist "
# verify each domain
@ -2169,6 +2228,82 @@ renewAll() {
}
#csr webroot
signcsr( ) {
_csrfile = " $1 "
_csrW = " $2 "
if [ -z " $_csrfile " ] || [ -z " $_csrW " ] ; then
_usage " Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
return 1
fi
_initpath
_csrsubj = $( _readSubjectFromCSR " $_csrfile " )
if [ " $? " != "0" ] || [ -z " $_csrsubj " ] ; then
_err " Can not read subject from csr: $_csrfile "
return 1
fi
_csrdomainlist = $( _readSubjectAltNamesFromCSR " $_csrfile " )
if [ " $? " != "0" ] ; then
_err " Can not read domain list from csr: $_csrfile "
return 1
fi
_debug "_csrdomainlist" " $_csrdomainlist "
_csrkeylength = $( _readKeyLengthFromCSR " $_csrfile " )
if [ " $? " != "0" ] || [ -z " $_csrkeylength " ] ; then
_err " Can not read key length from csr: $_csrfile "
return 1
fi
_initpath " $_csrsubj " " $_csrkeylength "
mkdir -p " $DOMAIN_PATH "
_info " Copy csr to: $CSR_PATH "
cp " $_csrfile " " $CSR_PATH "
issue " $_csrW " " $_csrsubj " " $_csrdomainlist " " $_csrkeylength "
}
showcsr( ) {
_csrfile = " $1 "
_csrd = " $2 "
if [ -z " $_csrfile " ] && [ -z " $_csrd " ] ; then
_usage " Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr "
return 1
fi
_initpath
_csrsubj = $( _readSubjectFromCSR " $_csrfile " )
if [ " $? " != "0" ] || [ -z " $_csrsubj " ] ; then
_err " Can not read subject from csr: $_csrfile "
return 1
fi
_info " Subject= $_csrsubj "
_csrdomainlist = $( _readSubjectAltNamesFromCSR " $_csrfile " )
if [ " $? " != "0" ] ; then
_err " Can not read domain list from csr: $_csrfile "
return 1
fi
_debug "_csrdomainlist" " $_csrdomainlist "
_info " SubjectAltNames= $_csrdomainlist "
_csrkeylength = $( _readKeyLengthFromCSR " $_csrfile " )
if [ " $? " != "0" ] || [ -z " $_csrkeylength " ] ; then
_err " Can not read key length from csr: $_csrfile "
return 1
fi
_info " KeyLength= $_csrkeylength "
}
list( ) {
_raw = " $1 "
_initpath
@ -2741,13 +2876,15 @@ Commands:
--version, -v Show version info.
--install Install $PROJECT_NAME to your system.
--uninstall Uninstall $PROJECT_NAME , and uninstall the cron job.
--upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT
--upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT .
--issue Issue a cert.
--signcsr Issue a cert from an existing csr.
--installcert Install the issued cert to apache/nginx or any other server.
--renew, -r Renew a cert.
--renewAll Renew all the certs
--renewAll Renew all the certs.
--revoke Revoke a cert.
--list List all the certs
--list List all the certs.
--showcsr Show the content of a csr.
--installcronjob Install the cron job to renew certs, you don't need to call this. The ' install' command can automatically install the cron job.
--uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--cron Run cron job to renew all the certs.
@ -2796,6 +2933,7 @@ Parameters:
--ca-bundle Specifices the path to the CA certificate bundle to verify api server' s certificate.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case , the certs will not be renewed automatically.
--ecc Specifies to use the ECC cert. Valid for '--installcert' , '--renew' , '--revoke' , '--toPkcs' and '--createCSR'
--csr Specifies the input csr.
"
}
@ -2871,6 +3009,7 @@ _process() {
_ca_bundle = ""
_nocron = ""
_ecc = ""
_csr = ""
while [ ${# } -gt 0 ] ; do
case " ${ 1 } " in
@ -2894,6 +3033,12 @@ _process() {
--issue)
_CMD = "issue"
; ;
--signcsr)
_CMD = "signcsr"
; ;
--showcsr)
_CMD = "showcsr"
; ;
--installcert| -i)
_CMD = "installcert"
; ;
@ -3122,7 +3267,10 @@ _process() {
--ecc)
_ecc = "isEcc"
; ;
--csr)
_csr = " $2 "
shift
; ;
*)
_err " Unknown parameter : $1 "
return 1
@ -3143,6 +3291,12 @@ _process() {
issue)
issue " $_webroot " " $_domain " " $_altdomains " " $_keylength " " $_certpath " " $_keypath " " $_capath " " $_reloadcmd " " $_fullchainpath "
; ;
signcsr)
signcsr " $_csr " " $_webroot "
; ;
showcsr)
showcsr " $_csr " " $_domain "
; ;
installcert)
installcert " $_domain " " $_certpath " " $_keypath " " $_capath " " $_reloadcmd " " $_fullchainpath " " $_ecc "
; ;