|
|
@ -2328,6 +2328,25 @@ _send_signed_request() { |
|
|
|
|
|
|
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
_calc_cert_id() { |
|
|
|
|
|
_cf="$1" |
|
|
|
|
|
_cert_serial=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -serial -in "$_cf" | cut -d '=' -f 2 | _h2b | _base64 | _url_replace) |
|
|
|
|
|
_debug3 "Certificate Serial Number: $_cert_serial" |
|
|
|
|
|
if [ -z "$_cert_serial" ]; then |
|
|
|
|
|
_err "Failed to parse certificate Serial Number" |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
_cert_authority_kid=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -text -in "$_cf" | grep -i "authority key id" -A 1 | _tail_n 1 | _egrep_o "[A-F0-9:]+" | tr -d ':' | _h2b | _base64 | _url_replace) |
|
|
|
|
|
_debug3 "Certificate Authority Key Identifier: $_cert_authority_kid" |
|
|
|
|
|
if [ -z "$_cert_authority_kid" ]; then |
|
|
|
|
|
_err "Failed to parse certificate Authority Key Identifier" |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
Le_RenewalInfoCertId="$_cert_authority_kid.$_cert_serial" |
|
|
|
|
|
_debug2 "Certificate ID for Renewal Info: $Le_RenewalInfoCertId" |
|
|
|
|
|
return 0 |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
#setopt "file" "opt" "=" "value" [";"] |
|
|
#setopt "file" "opt" "=" "value" [";"] |
|
|
_setopt() { |
|
|
_setopt() { |
|
|
__conf="$1" |
|
|
__conf="$1" |
|
|
@ -2770,6 +2789,7 @@ _clearAPI() { |
|
|
ACME_KEY_CHANGE="" |
|
|
ACME_KEY_CHANGE="" |
|
|
ACME_NEW_AUTHZ="" |
|
|
ACME_NEW_AUTHZ="" |
|
|
ACME_NEW_ORDER="" |
|
|
ACME_NEW_ORDER="" |
|
|
|
|
|
ACME_RENEWAL_INFO="" |
|
|
ACME_REVOKE_CERT="" |
|
|
ACME_REVOKE_CERT="" |
|
|
ACME_NEW_NONCE="" |
|
|
ACME_NEW_NONCE="" |
|
|
ACME_AGREEMENT="" |
|
|
ACME_AGREEMENT="" |
|
|
@ -2808,6 +2828,9 @@ _initAPI() { |
|
|
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3) |
|
|
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3) |
|
|
export ACME_NEW_ACCOUNT |
|
|
export ACME_NEW_ACCOUNT |
|
|
|
|
|
|
|
|
|
|
|
ACME_RENEWAL_INFO=$(echo "$response" | _egrep_o 'renewalInfo" *: *"[^"]*"' | cut -d '"' -f 3) |
|
|
|
|
|
export ACME_RENEWAL_INFO |
|
|
|
|
|
|
|
|
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3) |
|
|
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3) |
|
|
export ACME_REVOKE_CERT |
|
|
export ACME_REVOKE_CERT |
|
|
|
|
|
|
|
|
@ -2821,6 +2844,7 @@ _initAPI() { |
|
|
_debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" |
|
|
_debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" |
|
|
_debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" |
|
|
_debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" |
|
|
_debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT" |
|
|
_debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT" |
|
|
|
|
|
_debug "ACME_RENEWAL_INFO" "$ACME_RENEWAL_INFO" |
|
|
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" |
|
|
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" |
|
|
_debug "ACME_AGREEMENT" "$ACME_AGREEMENT" |
|
|
_debug "ACME_AGREEMENT" "$ACME_AGREEMENT" |
|
|
_debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE" |
|
|
_debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE" |
|
|
@ -4318,6 +4342,48 @@ _get_chain_subjects() { |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
_update_renewal_info() { |
|
|
|
|
|
if [ -z "$ACME_RENEWAL_INFO" ]; then |
|
|
|
|
|
_debug3 "Renewal Info is not supported for $Le_API." |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
if [ -z "$Le_RenewalInfoCertId" ]; then |
|
|
|
|
|
_debug3 "No Certificate Identifier found. Skipping ACME Renewal Info." |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
if [ -z "$Le_EnableRenewalInfo" ] || [ "$Le_EnableRenewalInfo" -ne "1" ]; then |
|
|
|
|
|
_debug3 "Renewal Info is not enabled." |
|
|
|
|
|
_cleardomainconf "Le_RenewalInfoLastUpdate" |
|
|
|
|
|
_cleardomainconf "Le_RenewalInfoLastUpdateStr" |
|
|
|
|
|
_cleardomainconf "Le_RenewalInfoExplanation" |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
response=$(_get "$ACME_RENEWAL_INFO/$Le_RenewalInfoCertId" | _json_decode | _normalizeJson) |
|
|
|
|
|
if ! _contains "$response" "\"start\"" || ! _contains "$response" "\"end\""; then |
|
|
|
|
|
_debug2 "Failed to parse Renewal Info." |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
_renewal_info_start_time_str="$(echo $response | _egrep_o '"start":"[^"]+"' | cut -d '"' -f 4)" |
|
|
|
|
|
_renewal_info_start_time="$(_date2time "$_renewal_info_start_time_str")" |
|
|
|
|
|
_renewal_info_end_time_str="$(echo $response | _egrep_o '"end":"[^"]+"' | cut -d '"' -f 4)" |
|
|
|
|
|
_renewal_info_end_time="$(_date2time "$_renewal_info_end_time_str")" |
|
|
|
|
|
if [ $_renewal_info_start_time -gt $_renewal_info_end_time ]; then |
|
|
|
|
|
_debug2 "Malformed Renewal Info." |
|
|
|
|
|
return 1 |
|
|
|
|
|
fi |
|
|
|
|
|
_savedomainconf "Le_NextRenewTime" "$_renewal_info_start_time" |
|
|
|
|
|
_savedomainconf "Le_NextRenewTimeStr" "$_renewal_info_start_time_str" |
|
|
|
|
|
if _contains "$response" "\"explanationURL\""; then |
|
|
|
|
|
Le_RenewalInfoExplanation="$(echo $response | _egrep_o '"explanationURL":"[^"]+"' | cut -d '"' -f 4)" |
|
|
|
|
|
export Le_RenewalInfoExplanation |
|
|
|
|
|
fi |
|
|
|
|
|
Le_RenewalInfoLastUpdate="$(_time)" |
|
|
|
|
|
Le_RenewalInfoLastUpdateStr="$(_time2str "$Le_RenewalInfoLastUpdate")" |
|
|
|
|
|
_savedomainconf "Le_RenewalInfoLastUpdate" "$Le_RenewalInfoLastUpdate" |
|
|
|
|
|
_savedomainconf "Le_RenewalInfoLastUpdateStr" "$Le_RenewalInfoLastUpdateStr" |
|
|
|
|
|
return 0 |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
#cert issuer |
|
|
#cert issuer |
|
|
_match_issuer() { |
|
|
_match_issuer() { |
|
|
_cfile="$1" |
|
|
_cfile="$1" |
|
|
@ -4647,6 +4713,10 @@ issue() { |
|
|
if [ "$_notAfter" ]; then |
|
|
if [ "$_notAfter" ]; then |
|
|
_newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\"" |
|
|
_newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\"" |
|
|
fi |
|
|
fi |
|
|
|
|
|
Le_RenewalInfoCertId=$(_readdomainconf "Le_RenewalInfoCertId") |
|
|
|
|
|
if [ "$_ACME_IS_RENEW" ] && [ -n "$Le_EnableRenewalInfo" ] && [ "$Le_EnableRenewalInfo" -eq "1" ] && [ -n "$Le_RenewalInfoCertId" ]; then |
|
|
|
|
|
_newOrderObj="$_newOrderObj,\"replaces\": \"$Le_RenewalInfoCertId\"" |
|
|
|
|
|
fi |
|
|
if [ "$_certificate_profile" ]; then |
|
|
if [ "$_certificate_profile" ]; then |
|
|
_newOrderObj="$_newOrderObj,\"profile\": \"$_certificate_profile\"" |
|
|
_newOrderObj="$_newOrderObj,\"profile\": \"$_certificate_profile\"" |
|
|
fi |
|
|
fi |
|
|
@ -5330,6 +5400,10 @@ $_authorizations_map" |
|
|
_info "Your cert key is in: $(__green "$CERT_KEY_PATH")" |
|
|
_info "Your cert key is in: $(__green "$CERT_KEY_PATH")" |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
if [ "$_ACME_IS_RENEW" ] && [ -n "$Le_EnableRenewalInfo" ] && [ "$Le_EnableRenewalInfo" -eq "1" ] && [ -n "$Le_RenewalInfoExplanation" ]; then |
|
|
|
|
|
_info "More info on this renewal: $(__green "$Le_RenewalInfoExplanation")." |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then |
|
|
if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then |
|
|
USER_PATH="$PATH" |
|
|
USER_PATH="$PATH" |
|
|
_saveaccountconf "USER_PATH" "$USER_PATH" |
|
|
_saveaccountconf "USER_PATH" "$USER_PATH" |
|
|
@ -5348,6 +5422,12 @@ $_authorizations_map" |
|
|
Le_CertCreateTimeStr=$(_time2str "$Le_CertCreateTime") |
|
|
Le_CertCreateTimeStr=$(_time2str "$Le_CertCreateTime") |
|
|
_savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr" |
|
|
_savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr" |
|
|
|
|
|
|
|
|
|
|
|
if _calc_cert_id "$CERT_PATH"; then |
|
|
|
|
|
_savedomainconf "Le_RenewalInfoCertId" "$Le_RenewalInfoCertId" |
|
|
|
|
|
else |
|
|
|
|
|
_cleardomainconf "Le_RenewalInfoCertId" |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then |
|
|
if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then |
|
|
Le_RenewalDays="$DEFAULT_RENEW" |
|
|
Le_RenewalDays="$DEFAULT_RENEW" |
|
|
else |
|
|
else |
|
|
@ -5415,6 +5495,14 @@ $_authorizations_map" |
|
|
_savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr" |
|
|
_savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr" |
|
|
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime" |
|
|
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime" |
|
|
|
|
|
|
|
|
|
|
|
if [ -z "$Le_EnableRenewalInfo" ] || [ "$Le_EnableRenewalInfo" -eq "1" ]; then |
|
|
|
|
|
_savedomainconf "Le_EnableRenewalInfo" "1" |
|
|
|
|
|
else |
|
|
|
|
|
_savedomainconf "Le_EnableRenewalInfo" "0" |
|
|
|
|
|
fi |
|
|
|
|
|
Le_EnableRenewalInfo="$(_readdomainconf "Le_EnableRenewalInfo")" |
|
|
|
|
|
_update_renewal_info |
|
|
|
|
|
|
|
|
#convert to pkcs12 |
|
|
#convert to pkcs12 |
|
|
if [ "$Le_PFXPassword" ]; then |
|
|
if [ "$Le_PFXPassword" ]; then |
|
|
_toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$Le_PFXPassword" |
|
|
_toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$Le_PFXPassword" |
|
|
@ -5482,6 +5570,15 @@ renew() { |
|
|
. "$DOMAIN_CONF" |
|
|
. "$DOMAIN_CONF" |
|
|
_debug Le_API "$Le_API" |
|
|
_debug Le_API "$Le_API" |
|
|
|
|
|
|
|
|
|
|
|
ACME_DIRECTORY="$Le_API" |
|
|
|
|
|
|
|
|
|
|
|
_initAPI |
|
|
|
|
|
if _update_renewal_info; then |
|
|
|
|
|
Le_NextRenewTime=$(_readdomainconf "Le_NextRenewTime") |
|
|
|
|
|
Le_NextRenewTimeStr=$(_readdomainconf "Le_NextRenewTimeStr") |
|
|
|
|
|
fi |
|
|
|
|
|
_clearAPI |
|
|
|
|
|
|
|
|
case "$Le_API" in |
|
|
case "$Le_API" in |
|
|
"$CA_LETSENCRYPT_V2_TEST") |
|
|
"$CA_LETSENCRYPT_V2_TEST") |
|
|
_info "Switching back to $CA_LETSENCRYPT_V2" |
|
|
_info "Switching back to $CA_LETSENCRYPT_V2" |
|
|
@ -7111,6 +7208,9 @@ Parameters: |
|
|
-m, --email <email> Specifies the account email, only valid for the '--install' and '--update-account' command. |
|
|
-m, --email <email> Specifies the account email, only valid for the '--install' and '--update-account' command. |
|
|
--accountkey <file> Specifies the account key path, only valid for the '--install' command. |
|
|
--accountkey <file> Specifies the account key path, only valid for the '--install' command. |
|
|
--days <ndays> Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days. |
|
|
--days <ndays> Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days. |
|
|
|
|
|
--enable-ari <0|1> Enable/Disable ACME Renewal Info (ARI). Default value is: 1. |
|
|
|
|
|
0: disabled. Local check only. |
|
|
|
|
|
1: enabled. Ask the CA for Renewal Window. |
|
|
--httpport <port> Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer. |
|
|
--httpport <port> Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer. |
|
|
--tlsport <port> Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer. |
|
|
--tlsport <port> Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer. |
|
|
--local-address <ip> Specifies the standalone/tls server listening address, in case you have multiple ip addresses. |
|
|
--local-address <ip> Specifies the standalone/tls server listening address, in case you have multiple ip addresses. |
|
|
@ -7399,6 +7499,7 @@ _process() { |
|
|
_accountkey="" |
|
|
_accountkey="" |
|
|
_certhome="" |
|
|
_certhome="" |
|
|
_confighome="" |
|
|
_confighome="" |
|
|
|
|
|
_enable_ari="" |
|
|
_httpport="" |
|
|
_httpport="" |
|
|
_tlsport="" |
|
|
_tlsport="" |
|
|
_dnssleep="" |
|
|
_dnssleep="" |
|
|
@ -7750,6 +7851,15 @@ _process() { |
|
|
Le_RenewalDays="$_days" |
|
|
Le_RenewalDays="$_days" |
|
|
shift |
|
|
shift |
|
|
;; |
|
|
;; |
|
|
|
|
|
--enable-ari) |
|
|
|
|
|
_enable_ari="$2" |
|
|
|
|
|
if [ -z "$_enable_ari" ] || _startswith "$_enable_ari" '-'; then |
|
|
|
|
|
Le_EnableRenewalInfo="1" |
|
|
|
|
|
else |
|
|
|
|
|
shift |
|
|
|
|
|
fi |
|
|
|
|
|
Le_EnableRenewalInfo="$_enable_ari" |
|
|
|
|
|
;; |
|
|
--valid-from) |
|
|
--valid-from) |
|
|
_valid_from="$2" |
|
|
_valid_from="$2" |
|
|
shift |
|
|
shift |
|
|
|
Simon V.
1 day ago
GitHub