From 8881a9f40e1ae697ec0004670cda032c5a17f1a1 Mon Sep 17 00:00:00 2001 From: Arnaud Launay <2205303+alaunay@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:46:18 +0200 Subject: [PATCH 001/276] Add BookMyName API support --- dnsapi/dns_bookmyname.sh | 93 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 dnsapi/dns_bookmyname.sh diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh new file mode 100644 index 00000000..188d93cb --- /dev/null +++ b/dnsapi/dns_bookmyname.sh @@ -0,0 +1,93 @@ +#!/usr/bin/env sh + +#Here is a sample custom api script. +#This file name is "dns_bookmyname.sh" +#So, here must be a method dns_bookmyname_add() +#Which will be called by acme.sh to add the txt record to your api system. +#returns 0 means success, otherwise error. +# +#Author: Neilpang +#Report Bugs here: https://github.com/acmesh-official/acme.sh +# +######## Public functions ##################### + +# Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide + + +# BMN urls: +# https://BMN_USER:BMN_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=add&value="XXXXXXXX"' +# https://BMN_USER:BMN_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=remove&value="XXXXXXXX"' + +# Output: +#good: update done, cid 123456, domain id 456789, type txt, ip XXXXXXXX +#good: remove done 1, cid 123456, domain id 456789, ttl 300, type txt, ip XXXXXXXX + +# Be careful, BMN DNS servers can be slow to pick up changes; using dnssleep is thus advised. + +# Usage: +# export BOOKMYNAME_USERNAME="ABCDE-FREE" +# export BOOKMYNAME_PASSWORD="MyPassword" +# /usr/local/ssl/acme.sh/acme.sh --dns dns_bookmyname --dnssleep 600 --issue -d domain.tld + + +#Usage: dns_bookmyname_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_bookmyname_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using bookmyname" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}" + BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}" + + if [ -z "$BOOKMYNAME_USERNAME" ] || [ -z "$BOOKMYNAME_PASSWORD" ]; then + BOOKMYNAME_USERNAME="" + BOOKMYNAME_PASSWORD="" + _err "You didn't specify BookMyName username and password yet." + _err "Please specify them and try again." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable BOOKMYNAME_USERNAME "$BOOKMYNAME_USERNAME" + _saveaccountconf_mutable BOOKMYNAME_PASSWORD "$BOOKMYNAME_PASSWORD" + + + uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/" + data="?hostname=${fulldomain}&type=TXT&ttl=300&do=add&value=${txtvalue}" + result="$(_get "${uri}${data}")" + _debug "Result: $result" + + if ! _startswith "$result" 'good: update done, cid '; then + _err "Can't add $fulldomain" + return 1 + fi + +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_bookmyname_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using bookmyname" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}" + BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}" + + + uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/" + data="?hostname=${fulldomain}&type=TXT&ttl=300&do=remove&value=${txtvalue}" + result="$(_get "${uri}${data}")" + _debug "Result: $result" + + if ! _startswith "$result" 'good: remove done 1, cid '; then + _info "Can't remove $fulldomain" + fi + +} + +#################### Private functions below ################################## From 4ab5456a984eeafed71a6f56d1dda2830780c446 Mon Sep 17 00:00:00 2001 From: Arnaud Launay <2205303+alaunay@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:49:00 +0200 Subject: [PATCH 002/276] keep shfmt happy --- dnsapi/dns_bookmyname.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh index 188d93cb..99b3b680 100644 --- a/dnsapi/dns_bookmyname.sh +++ b/dnsapi/dns_bookmyname.sh @@ -13,7 +13,6 @@ # Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide - # BMN urls: # https://BMN_USER:BMN_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=add&value="XXXXXXXX"' # https://BMN_USER:BMN_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=remove&value="XXXXXXXX"' @@ -29,7 +28,6 @@ # export BOOKMYNAME_PASSWORD="MyPassword" # /usr/local/ssl/acme.sh/acme.sh --dns dns_bookmyname --dnssleep 600 --issue -d domain.tld - #Usage: dns_bookmyname_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_bookmyname_add() { fulldomain=$1 @@ -53,7 +51,6 @@ dns_bookmyname_add() { _saveaccountconf_mutable BOOKMYNAME_USERNAME "$BOOKMYNAME_USERNAME" _saveaccountconf_mutable BOOKMYNAME_PASSWORD "$BOOKMYNAME_PASSWORD" - uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/" data="?hostname=${fulldomain}&type=TXT&ttl=300&do=add&value=${txtvalue}" result="$(_get "${uri}${data}")" @@ -78,7 +75,6 @@ dns_bookmyname_rm() { BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}" BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}" - uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/" data="?hostname=${fulldomain}&type=TXT&ttl=300&do=remove&value=${txtvalue}" result="$(_get "${uri}${data}")" From 7eea866869031a7a02aea7ada5c27edc37470458 Mon Sep 17 00:00:00 2001 From: Arnaud Launay <2205303+alaunay@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:57:52 +0200 Subject: [PATCH 003/276] BMN -> BookMyName --- dnsapi/dns_bookmyname.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh index 99b3b680..7acdea02 100644 --- a/dnsapi/dns_bookmyname.sh +++ b/dnsapi/dns_bookmyname.sh @@ -21,7 +21,7 @@ #good: update done, cid 123456, domain id 456789, type txt, ip XXXXXXXX #good: remove done 1, cid 123456, domain id 456789, ttl 300, type txt, ip XXXXXXXX -# Be careful, BMN DNS servers can be slow to pick up changes; using dnssleep is thus advised. +# Be careful, BookMyName DNS servers can be slow to pick up changes; using dnssleep is thus advised. # Usage: # export BOOKMYNAME_USERNAME="ABCDE-FREE" From 4a60292f8284bc74c54d7f376bac70b2ded6ecd9 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 9 Oct 2020 22:33:21 +0800 Subject: [PATCH 004/276] update freebsd --- .github/workflows/DNS.yml | 3 ++- .github/workflows/LetsEncrypt.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 976aff56..b06db229 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -183,10 +183,11 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/freebsd-vm@v0.0.4 + - uses: vmactions/freebsd-vm@v0.0.5 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg install -y socat curl + usesh: true run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} diff --git a/.github/workflows/LetsEncrypt.yml b/.github/workflows/LetsEncrypt.yml index ba5e933d..d71f3ac1 100644 --- a/.github/workflows/LetsEncrypt.yml +++ b/.github/workflows/LetsEncrypt.yml @@ -106,10 +106,11 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/freebsd-vm@v0.0.4 + - uses: vmactions/freebsd-vm@v0.0.5 with: envs: 'NGROK_TOKEN TEST_LOCAL' prepare: pkg install -y socat curl + usesh: true run: | cd ../acmetest && ./letest.sh From d76fb566a258ad1bdefe0d7629493ca85fbcf51d Mon Sep 17 00:00:00 2001 From: Arnaud Launay <2205303+alaunay@users.noreply.github.com> Date: Sat, 10 Oct 2020 11:02:47 +0200 Subject: [PATCH 005/276] no private functions --- dnsapi/dns_bookmyname.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh index 7acdea02..79e6b14d 100644 --- a/dnsapi/dns_bookmyname.sh +++ b/dnsapi/dns_bookmyname.sh @@ -85,5 +85,3 @@ dns_bookmyname_rm() { fi } - -#################### Private functions below ################################## From b71a088da73f4ecc3a4d3e4a79de0e838f532e5e Mon Sep 17 00:00:00 2001 From: Arnaud Launay <2205303+alaunay@users.noreply.github.com> Date: Sat, 10 Oct 2020 11:46:32 +0200 Subject: [PATCH 006/276] Revert "no private functions" This reverts commit d76fb566a258ad1bdefe0d7629493ca85fbcf51d. --- dnsapi/dns_bookmyname.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh index 79e6b14d..7acdea02 100644 --- a/dnsapi/dns_bookmyname.sh +++ b/dnsapi/dns_bookmyname.sh @@ -85,3 +85,5 @@ dns_bookmyname_rm() { fi } + +#################### Private functions below ################################## From 0781e8cf12f09fad71d0d63ce59c49c701b35d50 Mon Sep 17 00:00:00 2001 From: Marcel Waldvogel Date: Mon, 12 Oct 2020 13:52:57 +0200 Subject: [PATCH 007/276] Use random hour for cron job The hour for the cron job isn't really random (as is the minute), but assuming acme.sh installation times are not correlated, neither will be the resulting cron start times. --- acme.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 3be3849d..eb8aca49 100755 --- a/acme.sh +++ b/acme.sh @@ -5590,6 +5590,7 @@ installcronjob() { fi _t=$(_time) random_minute=$(_math $_t % 60) + random_hour=$(_math $_t / 60 % 24) if ! _exists "$_CRONTAB" && _exists "fcrontab"; then _CRONTAB="fcrontab" @@ -5616,12 +5617,12 @@ installcronjob() { if _exists uname && uname -a | grep SunOS >/dev/null; then $_CRONTAB -l | { cat - echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" + echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" } | $_CRONTAB -- else $_CRONTAB -l | { cat - echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" + echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" } | $_CRONTAB - fi fi From 92dbe6cdf8eb7d3b07b84876db79032c1d41f9c6 Mon Sep 17 00:00:00 2001 From: Marcel Waldvogel Date: Mon, 12 Oct 2020 14:20:40 +0200 Subject: [PATCH 008/276] Simplify and clarify SunOS crontab differences --- acme.sh | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/acme.sh b/acme.sh index eb8aca49..2ea5ccd7 100755 --- a/acme.sh +++ b/acme.sh @@ -5615,16 +5615,14 @@ installcronjob() { _info "Installing cron job" if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then if _exists uname && uname -a | grep SunOS >/dev/null; then - $_CRONTAB -l | { - cat - echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" - } | $_CRONTAB -- + _CRONTAB_STDIN="$_CRONTAB --" else - $_CRONTAB -l | { - cat - echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" - } | $_CRONTAB - + _CRONTAB_STDIN="$_CRONTAB -" fi + $_CRONTAB -l | { + cat + echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" + } | $_CRONTAB_STDIN fi if [ "$?" != "0" ]; then _err "Install cron job failed. You need to manually renew your certs." From 20d23fcb92bcc58360089b8e0f3208c8291602aa Mon Sep 17 00:00:00 2001 From: fradev Date: Wed, 25 Aug 2021 16:55:36 +0200 Subject: [PATCH 009/276] Update ssh.sh Added scp mode for copy the certs --- deploy/ssh.sh | 229 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 201 insertions(+), 28 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 18de4aa6..b4a8140e 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -23,6 +23,8 @@ # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value +# export DEPLOY_SSH_USE_SCP="" yes or no , default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -T -q " # ######## Public functions ##################### @@ -73,6 +75,25 @@ ssh_deploy() { Le_Deploy_ssh_cmd="ssh -T" fi + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + Le_Deploy_ssh_use_scp="yes" + _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then + Le_Deploy_ssh_use_scp="" + _cleardomainconf Le_Deploy_ssh_use_scp + fi + + # SCP_CMD is optional. If not provided then use scp + if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then + Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" + _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then + Le_Deploy_ssh_scp_cmd="scp -T" + fi + + # BACKUP is optional. If not provided then default to previously saved value or yes. if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then Le_Deploy_ssh_backup="no" @@ -99,6 +120,26 @@ ssh_deploy() { _cleardomainconf Le_Deploy_ssh_multi_call fi + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + Le_Deploy_ssh_use_scp="yes" + _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + Le_Deploy_ssh_multi_call="yes" + _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then + Le_Deploy_ssh_use_scp="" + _cleardomainconf Le_Deploy_ssh_use_scp + fi + + # SCP_CMD is optional. If not provided then use scp + if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then + Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" + _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then + Le_Deploy_ssh_scp_cmd="scp -T -q " + fi + _deploy_ssh_servers=$Le_Deploy_ssh_server for Le_Deploy_ssh_server in $_deploy_ssh_servers; do _ssh_deploy @@ -110,8 +151,16 @@ _ssh_deploy() { _cmdstr="" _backupprefix="" _backupdir="" + _local_cert_file="" + _local_ca_file="" + _local_full_file="" _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server" + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + Le_Deploy_ssh_multi_call="yes" + _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + fi if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" else @@ -149,15 +198,30 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" - _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + + # copy new key into file. + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + # scp the file + if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then + return $_err_code + fi + else + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" + _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -172,18 +236,40 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_cert_file=$(_mktemp) + cat $_ckey > $_local_cert_file + cat $_ccert >> $_local_cert_file elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" - _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_cert_file ; then + if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" + _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -199,18 +285,47 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_ca_file=$(_mktemp) + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then + cat $_ckey >> $_local_ca_file + fi + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then + cat $_ccert >> $_local_ca_file + fi + + cat $_cca >> $_local_ca_file + elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" - _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_ca_file ; then + if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" + _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -227,20 +342,63 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_full_file=$(_mktemp) + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then + cat $_ckey >> $_local_full_file + fi + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then + cat $_ccert >> $_local_full_file + fi + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then + cat $_cca >> $_local_full_file + fi + cat $_cfullchain >> $_local_full_file + elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" - _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_full_file ; then + if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" + _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi + # cleanup local files if any + + if [ -n "$_local_cert_file" ]; then + rm $_local_cert_file > /dev/null 1>&2 + fi + if [ -n "$_local_ca_file" ]; then + rm $_local_ca_file > /dev/null 1>&2 + fi + if [ -n "$_local_full_file" ]; then + rm $_local_full_file > /dev/null 1>&2 + fi + # REMOTE_CMD is optional. # If provided then this command will be executed on remote host. @@ -265,6 +423,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d return $_err_code fi fi + # cleanup in case all is ok return 0 } @@ -284,3 +443,17 @@ _ssh_remote_cmd() { return $_err_code } + +# cmd scp +_scp_remote_cmd() { + _secure_debug "Remote scp source $1 and destination $2 using : $Le_Deploy_ssh_scp_cmd" + _info "Submitting secure copy command : $Le_Deploy_ssh_scp_cmd" + $Le_Deploy_ssh_scp_cmd "$1" "$Le_Deploy_ssh_user"@"$Le_Deploy_ssh_server":"$2" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from scp" + fi + + return $_err_code +} From 613475ac264bf9cf48681bd11f72b4d2aa341e54 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:08:06 +0200 Subject: [PATCH 010/276] Update ssh.sh --- deploy/ssh.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index b4a8140e..3424055f 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -237,8 +237,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_cert_file=$(_mktemp) - cat $_ckey > $_local_cert_file - cat $_ccert >> $_local_cert_file + cat "$_ckey" > "$_local_cert_file" + cat "$_ccert" >> "$_local_cert_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" @@ -344,15 +344,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _pipe=">>" _local_full_file=$(_mktemp) if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then - cat $_ckey >> $_local_full_file + cat "$_ckey" >> "$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat $_ccert >> $_local_full_file + cat "$_ccert" >> "$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat $_cca >> $_local_full_file + cat "$_cca" >> "$_local_full_file" fi - cat $_cfullchain >> $_local_full_file + cat "$_cfullchain" >> "$_local_full_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -390,13 +390,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # cleanup local files if any if [ -n "$_local_cert_file" ]; then - rm $_local_cert_file > /dev/null 1>&2 + rm "$_local_cert_file" > /dev/null 1>&2 fi if [ -n "$_local_ca_file" ]; then - rm $_local_ca_file > /dev/null 1>&2 + rm "$_local_ca_file" > /dev/null 1>&2 fi if [ -n "$_local_full_file" ]; then - rm $_local_full_file > /dev/null 1>&2 + rm "$_local_full_file" > /dev/null 1>&2 fi From 4cda54774aeaae0f58352cff18dc243a69bdb9e9 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:17:03 +0200 Subject: [PATCH 011/276] Update ssh.sh SC2086 and SC2215 --- deploy/ssh.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 3424055f..8b91a055 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -251,7 +251,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_cert_file ; then + if [ -n "$_local_cert_file" ]; then if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then return $_err_code fi @@ -287,13 +287,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _pipe=">>" _local_ca_file=$(_mktemp) if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then - cat $_ckey >> $_local_ca_file + cat "$_ckey" >> "$_local_ca_file" fi if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat $_ccert >> $_local_ca_file + cat "$_ccert" >> "$_local_ca_file" fi - cat $_cca >> $_local_ca_file + cat "$_cca" >> "$_local_ca_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -307,7 +307,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_ca_file ; then + if [ -n "$_local_ca_file" ]; then if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then return $_err_code fi @@ -366,7 +366,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_full_file ; then + if [ -n "$_local_full_file" ] ; then if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then return $_err_code fi From 08d60fcbf26172a3277a8785b9e161b8d1aa6c23 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:32:07 +0200 Subject: [PATCH 012/276] Update ssh.sh shfmt formatting --- deploy/ssh.sh | 47 ++++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 8b91a055..6039eefb 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -93,7 +93,6 @@ ssh_deploy() { Le_Deploy_ssh_scp_cmd="scp -T" fi - # BACKUP is optional. If not provided then default to previously saved value or yes. if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then Le_Deploy_ssh_backup="no" @@ -206,12 +205,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # copy new key into file. if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then # scp the file if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then - return $_err_code + return $_err_code fi else _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" @@ -237,8 +235,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_cert_file=$(_mktemp) - cat "$_ckey" > "$_local_cert_file" - cat "$_ccert" >> "$_local_cert_file" + cat "$_ckey" >"$_local_cert_file" + cat "$_ccert" >>"$_local_cert_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" @@ -253,11 +251,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then if [ -n "$_local_cert_file" ]; then if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then - return $_err_code + return $_err_code fi fi else @@ -286,14 +284,14 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_ca_file=$(_mktemp) - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then - cat "$_ckey" >> "$_local_ca_file" + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ]; then + cat "$_ckey" >>"$_local_ca_file" fi if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >> "$_local_ca_file" + cat "$_ccert" >>"$_local_ca_file" fi - cat "$_cca" >> "$_local_ca_file" + cat "$_cca" >>"$_local_ca_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -309,11 +307,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then if [ -n "$_local_ca_file" ]; then if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then - return $_err_code + return $_err_code fi fi else @@ -343,16 +341,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_full_file=$(_mktemp) - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then - cat "$_ckey" >> "$_local_full_file" + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ]; then + cat "$_ckey" >>"$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >> "$_local_full_file" + cat "$_ccert" >>"$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat "$_cca" >> "$_local_full_file" + cat "$_cca" >>"$_local_full_file" fi - cat "$_cfullchain" >> "$_local_full_file" + cat "$_cfullchain" >>"$_local_full_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -366,13 +364,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_full_file" ] ; then + if [ -n "$_local_full_file" ]; then if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then - return $_err_code + return $_err_code fi fi else @@ -390,16 +388,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # cleanup local files if any if [ -n "$_local_cert_file" ]; then - rm "$_local_cert_file" > /dev/null 1>&2 + rm "$_local_cert_file" >/dev/null 1>&2 fi if [ -n "$_local_ca_file" ]; then - rm "$_local_ca_file" > /dev/null 1>&2 + rm "$_local_ca_file" >/dev/null 1>&2 fi if [ -n "$_local_full_file" ]; then - rm "$_local_full_file" > /dev/null 1>&2 + rm "$_local_full_file" >/dev/null 1>&2 fi - # REMOTE_CMD is optional. # If provided then this command will be executed on remote host. if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then From bcf63b5d270a4535347e64e7f25f24970e474e6f Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 27 Feb 2022 14:17:34 +0100 Subject: [PATCH 013/276] Add ArtFiles.de DNS API plugin --- dnsapi/dns_artfiles.sh | 176 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 dnsapi/dns_artfiles.sh diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh new file mode 100644 index 00000000..c857060a --- /dev/null +++ b/dnsapi/dns_artfiles.sh @@ -0,0 +1,176 @@ +#!/usr/bin/env sh + +################################################################################ +# ACME.sh 3rd party DNS API plugin for ArtFiles.de +################################################################################ +# Author: Martin Arndt, https://troublezone.net/ +# Released: 2022-02-27 +# Issues: https://github.com/acmesh-official/acme.sh/issues/XXXX +################################################################################ +# Usage: +# 1. export AF_API_Username="api12345678" +# 2. export AF_API_Password="apiPassword" +# 3. acme.sh --issue -d example.com --dns dns_artfiles +################################################################################ + +########## API configuration ################################################### +AF_API_SUCCESS='status":"OK' +AF_URL_DCP='https://dcp.c.artfiles.de/api/' +AF_URL_DNS=${AF_URL_DCP}'dns/{*}_dns.html?domain=' +AF_URL_DOMAINS=${AF_URL_BASE}'domain/get_domains.html' + +########## Public functions #################################################### + +# Adds a new TXT record for given ACME challenge value & domain. +# Usage: dns_artfiles_add _acme-challenge.www.example.com "ACME challenge value" +dns_artfiles_add() { + domain="$1" + txtValue="$2" + _info 'Using ArtFiles.de DNS addition API' + _debug 'Domain' "$domain" + _debug 'txtValue' "$txtValue" + + AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}" + AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}" + if [ -z "$AF_API_USERNAME" ] || [ -z "$AF_API_PASSWORD" ]; then + _err 'Missing ArtFiles.de username and/or password.' + _err 'Please ensure both are set via export command & try again.' + + return 1 + fi + + _saveaccountconf_mutable 'AF_API_USERNAME' "$AF_API_USERNAME" + _saveaccountconf_mutable 'AF_API_PASSWORD' "$AF_API_PASSWORD" + + _set_headers + _get_zone "$domain" + _dns 'GET' + if ! _contains "$response" 'TXT'; then + _err 'Retrieving TXT records failed.' + + return 1 + fi + + _clean_records + _dns 'SET' "$(printf -- '%s\n_acme-challenge "%s"' "$response" "$txtValue")" + if ! _contains "$response" "$AF_API_SUCCESS"; then + _err 'Adding ACME challenge value failed.' + + return 1 + fi +} + +# Removes the existing TXT record for given ACME challenge value & domain. +# Usage: dns_artfiles_rm _acme-challenge.www.example.com "ACME challenge value" +dns_artfiles_rm() { + domain="$1" + txtValue="$2" + _info 'Using ArtFiles.de DNS removal API' + _debug 'Domain' "$domain" + _debug 'txtValue' "$txtValue" + + _set_headers + _get_zone "$domain" + if ! _dns 'GET'; then + return 1 + fi + + if ! _contains "$response" "$txtValue"; then + _err 'Retrieved TXT records are missing given ACME challenge value.' + + return 1 + fi + + _clean_records + response="$(printf -- '%s' "$response" | sed '$d')" + _dns 'SET' "$response" + if ! _contains "$response" "$AF_API_SUCCESS"; then + _err 'Removing ACME challenge value failed.' + + return 1 + fi +} + +########## Private functions ################################################### + +# Cleans awful TXT records response of ArtFiles's API & pretty prints it. +# Usage: _clean_records +_clean_records() +{ + # Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid + # usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\' + # from '\"' & turn '\n' into real LF characters. + # Yup, awful API to use - but that's all we got to get this working, so... ;) + _debug2 'Raw ' "$response" + response="$(printf -- '%s' "$response" + \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g')" + _debug2 'Clean' "$response" +} + +# Executes an HTTP GET or POST request for getting or setting DNS records, +# containing given payload upon POST. +# Usage: _dns [GET | SET] [payload] +_dns() +{ + action="$1" + payload="$(printf -- '%s' "$2" | _url_encode)" + url="$(printf -- '%s%s' "$AF_URL_DNS" "$domain" + \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')" + + if [ "$action" = 'SET' ]; then + _debug2 'Payload' "$payload" + response="$(_post '' "$url&TXT=$payload" '' 'POST' 'application/x-www-form-urlencoded')" + else + response="$(_get "$url" '' 10)" + fi + + if ! _contains "$response" "$AF_API_SUCCESS"; then + _err "DNS API error: $response" + + return 1 + fi + + _debug 'Response' "$response" + + return 0 +} + +# Gets the root domain zone for given domain. +# Usage: _get_zone _acme-challenge.www.example.com +_get_zone() +{ + _info 'Getting domain zone...' + _debug2 'Initial FQDN' "$1" + fqdn="$1" + fqdn="${fqdn#*.}" # Strip "_acme-challenge" right away + _debug2 'Reduced FQDN' "$fqdn" + + domains="$(_get "$AF_URL_DOMAINS" '' 10)" + while true; do + if _contains "$domains" "$fqdn"; then + domain="$fqdn" + _info "Found root domain zone: $domain" + break + else + fqdn="${fqdn#*.}" + _debug2 'FQDN' "$fqdn" + fi + done + + if [ "$domain" = "$fqdn" ]; then + return 0 + fi + + _err "Couldn't find root domain zone." + + return 1 +} + +# Adds the HTTP Authorization & Content-Type headers to a follow-up request. +# Usage: _set_headers +_set_headers() +{ + encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" + export _H1="Authorization: Basic $encoded" + export _H2='Content-Type: application/json' +} From 72d02f442e2e8528afb04a0e55c88185bb99a7e9 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 27 Feb 2022 14:35:21 +0100 Subject: [PATCH 014/276] Fix formatting according to Shellcheck --- dnsapi/dns_artfiles.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index c857060a..4598854d 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -95,8 +95,7 @@ dns_artfiles_rm() { # Cleans awful TXT records response of ArtFiles's API & pretty prints it. # Usage: _clean_records -_clean_records() -{ +_clean_records() { # Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid # usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\' # from '\"' & turn '\n' into real LF characters. @@ -110,8 +109,7 @@ _clean_records() # Executes an HTTP GET or POST request for getting or setting DNS records, # containing given payload upon POST. # Usage: _dns [GET | SET] [payload] -_dns() -{ +_dns() { action="$1" payload="$(printf -- '%s' "$2" | _url_encode)" url="$(printf -- '%s%s' "$AF_URL_DNS" "$domain" @@ -137,8 +135,7 @@ _dns() # Gets the root domain zone for given domain. # Usage: _get_zone _acme-challenge.www.example.com -_get_zone() -{ +_get_zone() { _info 'Getting domain zone...' _debug2 'Initial FQDN' "$1" fqdn="$1" @@ -168,8 +165,7 @@ _get_zone() # Adds the HTTP Authorization & Content-Type headers to a follow-up request. # Usage: _set_headers -_set_headers() -{ +_set_headers() { encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" export _H1="Authorization: Basic $encoded" export _H2='Content-Type: application/json' From 0bea2e2b94e49f59e05c7507bcec548c50a4abac Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 27 Feb 2022 14:37:22 +0100 Subject: [PATCH 015/276] Fix formatting according to Shellcheck 2/2 --- dnsapi/dns_artfiles.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 4598854d..f83ce64a 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -101,8 +101,9 @@ _clean_records() { # from '\"' & turn '\n' into real LF characters. # Yup, awful API to use - but that's all we got to get this working, so... ;) _debug2 'Raw ' "$response" - response="$(printf -- '%s' "$response" - \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g')" + response="$( + printf -- '%s' "$response" + \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g')" _debug2 'Clean' "$response" } @@ -112,8 +113,9 @@ _clean_records() { _dns() { action="$1" payload="$(printf -- '%s' "$2" | _url_encode)" - url="$(printf -- '%s%s' "$AF_URL_DNS" "$domain" - \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')" + url="$( + printf -- '%s%s' "$AF_URL_DNS" "$domain" + \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')" if [ "$action" = 'SET' ]; then _debug2 'Payload' "$payload" From fb457968ecae380bc17914f22d134bcfba93d304 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 27 Feb 2022 14:38:24 +0100 Subject: [PATCH 016/276] Fix formatting according to Shellcheck 3/3 --- dnsapi/dns_artfiles.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index f83ce64a..9c1a4338 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -103,7 +103,8 @@ _clean_records() { _debug2 'Raw ' "$response" response="$( printf -- '%s' "$response" - \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g')" + \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g' + )" _debug2 'Clean' "$response" } @@ -115,7 +116,8 @@ _dns() { payload="$(printf -- '%s' "$2" | _url_encode)" url="$( printf -- '%s%s' "$AF_URL_DNS" "$domain" - \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')" + \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/' + )" if [ "$action" = 'SET' ]; then _debug2 'Payload' "$payload" From ed56d52af309a4d90747169a321dbd3698a4b71a Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 27 Feb 2022 15:12:05 +0100 Subject: [PATCH 017/276] Changed GitHub issues URL --- dnsapi/dns_artfiles.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 9c1a4338..8e0a6151 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -5,7 +5,7 @@ ################################################################################ # Author: Martin Arndt, https://troublezone.net/ # Released: 2022-02-27 -# Issues: https://github.com/acmesh-official/acme.sh/issues/XXXX +# Issues: https://github.com/Eagle3386/acme.sh/issues ################################################################################ # Usage: # 1. export AF_API_Username="api12345678" From b37bf06de87ab41d495e0a3156f538c5baf9c679 Mon Sep 17 00:00:00 2001 From: fradev Date: Tue, 1 Mar 2022 17:57:59 +0100 Subject: [PATCH 018/276] Update ssh.sh --- deploy/ssh.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 604d8642..7d9e82e8 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -24,7 +24,7 @@ # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value # export DEPLOY_SSH_USE_SCP="" yes or no , default to no -# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -T -q " +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q " # ######## Public functions ##################### @@ -53,7 +53,7 @@ ssh_deploy() { fi else Le_Deploy_ssh_user="$DEPLOY_SSH_USER" - _savedomainconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" + _savedeployconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" fi # SERVER is optional. If not provided then use _cdomain @@ -61,7 +61,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" if [ -n "$DEPLOY_SSH_SERVER" ]; then Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER" - _savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" + _savedeployconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" elif [ -z "$Le_Deploy_ssh_server" ]; then Le_Deploy_ssh_server="$_cdomain" fi @@ -71,7 +71,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" if [ -n "$DEPLOY_SSH_CMD" ]; then Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD" - _savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" + _savedeployconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" elif [ -z "$Le_Deploy_ssh_cmd" ]; then Le_Deploy_ssh_cmd="ssh -T" fi @@ -80,7 +80,7 @@ ssh_deploy() { # value (which may be undefined... equivalent to "no"). if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then Le_Deploy_ssh_use_scp="yes" - _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then Le_Deploy_ssh_use_scp="" _cleardomainconf Le_Deploy_ssh_use_scp @@ -89,9 +89,9 @@ ssh_deploy() { # SCP_CMD is optional. If not provided then use scp if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -T" + Le_Deploy_ssh_scp_cmd="scp -q" fi # BACKUP is optional. If not provided then default to previously saved value or yes. @@ -102,7 +102,7 @@ ssh_deploy() { elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then Le_Deploy_ssh_backup="yes" fi - _savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" + _savedeployconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy _getdeployconf DEPLOY_SSH_BACKUP_PATH @@ -112,7 +112,7 @@ ssh_deploy() { elif [ -z "$Le_Deploy_ssh_backup_path" ]; then Le_Deploy_ssh_backup_path=".acme_ssh_deploy" fi - _savedomainconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" + _savedeployconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" # MULTI_CALL is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). @@ -120,7 +120,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then Le_Deploy_ssh_multi_call="" _cleardomainconf Le_Deploy_ssh_multi_call @@ -130,9 +130,9 @@ ssh_deploy() { # value (which may be undefined... equivalent to "no"). if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then Le_Deploy_ssh_use_scp="yes" - _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then Le_Deploy_ssh_use_scp="" _cleardomainconf Le_Deploy_ssh_use_scp @@ -141,7 +141,7 @@ ssh_deploy() { # SCP_CMD is optional. If not provided then use scp if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then Le_Deploy_ssh_scp_cmd="scp -T -q " fi @@ -165,7 +165,7 @@ _ssh_deploy() { if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then _info "Using scp as alternate method for copying files. Multicall Mode is implicit" Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" fi if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" @@ -200,7 +200,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" if [ -n "$DEPLOY_SSH_KEYFILE" ]; then Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE" - _savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" + _savedeployconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" fi if [ -n "$Le_Deploy_ssh_keyfile" ]; then if [ "$Le_Deploy_ssh_backup" = "yes" ]; then @@ -238,7 +238,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" if [ -n "$DEPLOY_SSH_CERTFILE" ]; then Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE" - _savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" + _savedeployconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" fi if [ -n "$Le_Deploy_ssh_certfile" ]; then _pipe=">" @@ -288,7 +288,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" if [ -n "$DEPLOY_SSH_CAFILE" ]; then Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE" - _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" + _savedeployconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" fi if [ -n "$Le_Deploy_ssh_cafile" ]; then _pipe=">" @@ -346,7 +346,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN" - _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" + _savedeployconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" fi if [ -n "$Le_Deploy_ssh_fullchain" ]; then _pipe=">" @@ -418,7 +418,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD" - _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" + _savedeployconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" fi if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;" From ea3c37d754801b289fa6a5abcbeadea1c773b147 Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Wed, 9 Mar 2022 01:36:06 +0100 Subject: [PATCH 019/276] Corrected use of Plesk API calls to fetch all domain for all Plesk editions This implementation of the Plesk API will add support for Plesk web admin edition and will now discover all domains managed by the specific plesk instance. The existing implementation of the Plesk API uses the customer API. This brings two problems: 1. The current API call only fetches the domains of resellers/customers and not the domains that are managed by administrative users. compare: https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-customer-accounts/retrieving-the-list-of-customer%E2%80%99s-domains.75309/ https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-plesk-server/getting-server-information/response-packet-structure-and-samples/list-of-domains.75294/ 2. The customer API is only available in the pro/admin editions. The most common license on VPS/Dedicated Servers is the web host edition. See: https://www.plesk.com/editions/ The correct way to get all domains in all Plesk editions is to use the Sites (Domains) API: https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-sites-domains/getting-information-about-sites.66583/ --- dnsapi/dns_pleskxml.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index f5986827..0f7dc241 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -41,7 +41,7 @@ pleskxml_init_checks_done=0 NEWLINE='\ ' -pleskxml_tplt_get_domains="" +pleskxml_tplt_get_domains="" # Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh # Also used to test credentials and URI. # No params. @@ -375,7 +375,7 @@ _pleskxml_get_root_domain() { # Output will be one line per known domain, containing 2 tages and a single tag # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. - output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' 'domain' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" + output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" _debug 'Domains managed by Plesk server are (ignore the hacked output):' _debug "$output" From a6b58bc88d390a21baf3cf457f3d3daba314222b Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Wed, 9 Mar 2022 01:36:06 +0100 Subject: [PATCH 020/276] Corrected use of Plesk API calls to fetch all domain for all Plesk editions This implementation of the Plesk API will add support for Plesk web admin edition and will now discover all domains ( of customers & administrative users) managed by the specific plesk instance. The previous implementation of the Plesk API uses the customer API. This brings two problems: 1. The current API call only fetches the domains of resellers/customers and not the domains that are managed by administrative users. compare: https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-customer-accounts/retrieving-the-list-of-customer%E2%80%99s-domains.75309/ https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-plesk-server/getting-server-information/response-packet-structure-and-samples/list-of-domains.75294/ 2. The customer API is only available in the web pro/host editions. The most common license on VPS/Dedicated Servers is nowadays the web admin edition. See: https://www.plesk.com/editions/ The correct way to get all domains in all Plesk editions is to use the Sites (Domains) API: https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-sites-domains/getting-information-about-sites.66583/ This way is working for all plesk editions the same way. --- dnsapi/dns_pleskxml.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index f5986827..0f7dc241 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -41,7 +41,7 @@ pleskxml_init_checks_done=0 NEWLINE='\ ' -pleskxml_tplt_get_domains="" +pleskxml_tplt_get_domains="" # Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh # Also used to test credentials and URI. # No params. @@ -375,7 +375,7 @@ _pleskxml_get_root_domain() { # Output will be one line per known domain, containing 2 tages and a single tag # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. - output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' 'domain' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" + output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" _debug 'Domains managed by Plesk server are (ignore the hacked output):' _debug "$output" From 9fb5bb620d2ffa51eabb0354dfccc29ea9d88315 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:13:24 +0800 Subject: [PATCH 021/276] refact ssh hook to use deploy config --- acme.sh | 20 +++ deploy/ssh.sh | 414 +++++++++++++++++++++++--------------------------- 2 files changed, 210 insertions(+), 224 deletions(-) diff --git a/acme.sh b/acme.sh index 260733a2..37c625d2 100755 --- a/acme.sh +++ b/acme.sh @@ -2332,6 +2332,26 @@ _readdomainconf() { _read_conf "$DOMAIN_CONF" "$1" } +#_migratedomainconf oldkey newkey base64encode +_migratedomainconf() { + _old_key="$1" + _new_key="$2" + _b64encode="$3" + _value=$(_readdomainconf "$_old_key") + if [ -z "$_value" ]; then + return 1 # oldkey is not found + fi + _savedomainconf "$_new_key" "$_value" "$_b64encode" + _cleardomainconf "$_old_key" + _debug "Domain config $_old_key has been migrated to $_new_key" +} + +#_migratedeployconf oldkey newkey base64encode +_migratedeployconf() { + _migratedomainconf "$1" "SAVED_$2" "$3" || + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found +} + #key value base64encode _savedeployconf() { _savedomainconf "SAVED_$1" "$2" "$3" diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 7d9e82e8..73d71597 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -23,8 +23,8 @@ # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value -# export DEPLOY_SSH_USE_SCP="" yes or no , default to no -# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q " +# export DEPLOY_SSH_USE_SCP="" yes or no, default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q" # ######## Public functions ##################### @@ -44,110 +44,134 @@ ssh_deploy() { _debug _cfullchain "$_cfullchain" # USER is required to login by SSH to remote host. + _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER _getdeployconf DEPLOY_SSH_USER _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER" if [ -z "$DEPLOY_SSH_USER" ]; then - if [ -z "$Le_Deploy_ssh_user" ]; then - _err "DEPLOY_SSH_USER not defined." - return 1 - fi - else - Le_Deploy_ssh_user="$DEPLOY_SSH_USER" - _savedeployconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" + _err "DEPLOY_SSH_USER not defined." + return 1 fi + _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER" # SERVER is optional. If not provided then use _cdomain + _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER _getdeployconf DEPLOY_SSH_SERVER _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" - if [ -n "$DEPLOY_SSH_SERVER" ]; then - Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER" - _savedeployconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" - elif [ -z "$Le_Deploy_ssh_server" ]; then - Le_Deploy_ssh_server="$_cdomain" + if [ -z "$DEPLOY_SSH_SERVER" ]; then + DEPLOY_SSH_SERVER="$_cdomain" fi + _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" # CMD is optional. If not provided then use ssh + _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD _getdeployconf DEPLOY_SSH_CMD _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" - if [ -n "$DEPLOY_SSH_CMD" ]; then - Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD" - _savedeployconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" - elif [ -z "$Le_Deploy_ssh_cmd" ]; then - Le_Deploy_ssh_cmd="ssh -T" - fi - - # USE_SCP is optional. If not provided then default to previously saved - # value (which may be undefined... equivalent to "no"). - if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then - Le_Deploy_ssh_use_scp="yes" - _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" - elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then - Le_Deploy_ssh_use_scp="" - _cleardomainconf Le_Deploy_ssh_use_scp - fi - - # SCP_CMD is optional. If not provided then use scp - if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then - Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" - elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -q" + if [ -z "$DEPLOY_SSH_CMD" ]; then + DEPLOY_SSH_CMD="ssh -T" fi + _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" # BACKUP is optional. If not provided then default to previously saved value or yes. + _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP _getdeployconf DEPLOY_SSH_BACKUP _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" - if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then - Le_Deploy_ssh_backup="no" - elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then - Le_Deploy_ssh_backup="yes" + if [ -z "$DEPLOY_SSH_BACKUP" ]; then + DEPLOY_SSH_BACKUP="yes" fi - _savedeployconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" + _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy + _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH _getdeployconf DEPLOY_SSH_BACKUP_PATH _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" - if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then - Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH" - elif [ -z "$Le_Deploy_ssh_backup_path" ]; then - Le_Deploy_ssh_backup_path=".acme_ssh_deploy" + if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then + DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" fi - _savedeployconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" + _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" # MULTI_CALL is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). + _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL _getdeployconf DEPLOY_SSH_MULTI_CALL _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" - if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then - Le_Deploy_ssh_multi_call="" - _cleardomainconf Le_Deploy_ssh_multi_call + if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then + DEPLOY_SSH_MULTI_CALL="no" + fi + _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" + + # KEYFILE is optional. + # If provided then private key will be copied to provided filename. + _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE + _getdeployconf DEPLOY_SSH_KEYFILE + _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + if [ -n "$DEPLOY_SSH_KEYFILE" ]; then + _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + fi + + # CERTFILE is optional. + # If provided then certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE + _getdeployconf DEPLOY_SSH_CERTFILE + _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + if [ -n "$DEPLOY_SSH_CERTFILE" ]; then + _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + fi + + # CAFILE is optional. + # If provided then CA intermediate certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE + _getdeployconf DEPLOY_SSH_CAFILE + _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + if [ -n "$DEPLOY_SSH_CAFILE" ]; then + _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + fi + + # FULLCHAIN is optional. + # If provided then fullchain certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN + _getdeployconf DEPLOY_SSH_FULLCHAIN + _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then + _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + fi + + # REMOTE_CMD is optional. + # If provided then this command will be executed on remote host. + _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD + _getdeployconf DEPLOY_SSH_REMOTE_CMD + _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" + if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then + _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" fi # USE_SCP is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). - if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then - Le_Deploy_ssh_use_scp="yes" - _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then - Le_Deploy_ssh_use_scp="" - _cleardomainconf Le_Deploy_ssh_use_scp + _getdeployconf DEPLOY_SSH_USE_SCP + _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" + if [ -z "$DEPLOY_SSH_USE_SCP" ]; then + DEPLOY_SSH_USE_SCP="no" fi + _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" # SCP_CMD is optional. If not provided then use scp - if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then - Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" - elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -T -q " + _getdeployconf DEPLOY_SSH_SCP_CMD + _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then + DEPLOY_SSH_SCP_CMD="scp -q" + fi + _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + DEPLOY_SSH_MULTI_CALL="yes" + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" + else + _info "Required commands batched and sent in single call to remote host" fi - _deploy_ssh_servers=$Le_Deploy_ssh_server - for Le_Deploy_ssh_server in $_deploy_ssh_servers; do + _deploy_ssh_servers=$DEPLOY_SSH_SERVER + for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do _ssh_deploy done } @@ -161,20 +185,10 @@ _ssh_deploy() { _local_ca_file="" _local_full_file="" - _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server" - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - _info "Using scp as alternate method for copying files. Multicall Mode is implicit" - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - fi - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" - else - _info "Required commands batched and sent in single call to remote host" - fi + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" - if [ "$Le_Deploy_ssh_backup" = "yes" ]; then - _backupprefix="$Le_Deploy_ssh_backup_path/$_cdomain-backup" + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')" # run cleanup on the backup directory, erase all older # than 180 days (15552000 seconds). @@ -186,7 +200,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _cmdstr="mkdir -p $_backupdir; $_cmdstr" _info "Backup of old certificate files will be placed in remote directory $_backupdir" _info "Backup directories erased after 180 days." - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -194,19 +208,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # KEYFILE is optional. - # If provided then private key will be copied to provided filename. - _getdeployconf DEPLOY_SSH_KEYFILE - _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" if [ -n "$DEPLOY_SSH_KEYFILE" ]; then - Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE" - _savedeployconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" - fi - if [ -n "$Le_Deploy_ssh_keyfile" ]; then - if [ "$Le_Deploy_ssh_backup" = "yes" ]; then + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -215,15 +221,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi # copy new key into file. - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then # scp the file - if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then + if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then return $_err_code fi else - _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" - _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;" + _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -232,26 +239,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # CERTFILE is optional. - # If provided then certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_CERTFILE - _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" if [ -n "$DEPLOY_SSH_CERTFILE" ]; then - Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE" - _savedeployconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" - fi - if [ -n "$Le_Deploy_ssh_certfile" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_cert_file=$(_mktemp) - cat "$_ckey" >"$_local_cert_file" - cat "$_ccert" >>"$_local_cert_file" - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -259,21 +255,22 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_cert_file" ]; then - if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_cert_file=$(_mktemp) + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_cert_file" + fi + cat "$_ccert" >> "$_local_cert_file" + if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" - _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;" + _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -282,34 +279,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # CAFILE is optional. - # If provided then CA intermediate certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_CAFILE - _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" if [ -n "$DEPLOY_SSH_CAFILE" ]; then - Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE" - _savedeployconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" - fi - if [ -n "$Le_Deploy_ssh_cafile" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] || - [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_ca_file=$(_mktemp) - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ]; then - cat "$_ckey" >>"$_local_ca_file" - fi - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >>"$_local_ca_file" - fi - - cat "$_cca" >>"$_local_ca_file" - - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -317,21 +296,25 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_ca_file" ]; then - if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_ca_file=$(_mktemp) + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_ca_file" + fi + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >> "$_local_ca_file" + fi + cat "$_cca" >>"$_local_ca_file" + if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" - _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;" + _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -340,37 +323,17 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # FULLCHAIN is optional. - # If provided then fullchain certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_FULLCHAIN - _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then - Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN" - _savedeployconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" - fi - if [ -n "$Le_Deploy_ssh_fullchain" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] || - [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] || - [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_full_file=$(_mktemp) - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ]; then - cat "$_ckey" >>"$_local_full_file" - fi - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >>"$_local_full_file" - fi - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat "$_cca" >>"$_local_full_file" - fi - cat "$_cfullchain" >>"$_local_full_file" - - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -378,21 +341,28 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_full_file" ]; then - if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_full_file=$(_mktemp) + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >> "$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then + cat "$_cca" >> "$_local_full_file" + fi + cat "$_cfullchain" >> "$_local_full_file" + if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" - _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;" + _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -400,30 +370,22 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi fi - # cleanup local files if any - if [ -n "$_local_cert_file" ]; then - rm "$_local_cert_file" >/dev/null 1>&2 + # cleanup local files if any + if [ -f "$_local_cert_file" ]; then + rm -f "$_local_cert_file" fi - if [ -n "$_local_ca_file" ]; then - rm "$_local_ca_file" >/dev/null 1>&2 + if [ -f "$_local_ca_file" ]; then + rm -f "$_local_ca_file" fi - if [ -n "$_local_full_file" ]; then - rm "$_local_full_file" >/dev/null 1>&2 + if [ -f "$_local_full_file" ]; then + rm -f "$_local_full_file" fi - # REMOTE_CMD is optional. - # If provided then this command will be executed on remote host. - _getdeployconf DEPLOY_SSH_REMOTE_CMD - _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then - Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD" - _savedeployconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" - fi - if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then - _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;" - _info "Will execute remote command $Le_Deploy_ssh_remote_cmd" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;" + _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -445,10 +407,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _ssh_remote_cmd() { _cmd="$1" _secure_debug "Remote commands to execute: $_cmd" - _info "Submitting sequence of commands to remote server by ssh" + _info "Submitting sequence of commands to remote server by $DEPLOY_SSH_CMD" + # quotations in bash cmd below intended. Squash travis spellcheck error # shellcheck disable=SC2029 - $Le_Deploy_ssh_cmd "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmd'" + $DEPLOY_SSH_CMD "$DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" sh -c "'$_cmd'" _err_code="$?" if [ "$_err_code" != "0" ]; then @@ -460,9 +423,12 @@ _ssh_remote_cmd() { # cmd scp _scp_remote_cmd() { - _secure_debug "Remote scp source $1 and destination $2 using : $Le_Deploy_ssh_scp_cmd" - _info "Submitting secure copy command : $Le_Deploy_ssh_scp_cmd" - $Le_Deploy_ssh_scp_cmd "$1" "$Le_Deploy_ssh_user"@"$Le_Deploy_ssh_server":"$2" + _src=$1 + _dest=$2 + _secure_debug "Remote copy source $_src to destination $_dest using: $DEPLOY_SSH_SCP_CMD" + _info "Submitting secure copy command: $DEPLOY_SSH_SCP_CMD" + + $DEPLOY_SSH_SCP_CMD "$_src" "$DEPLOY_SSH_USER"@"$DEPLOY_SSH_SERVER":"$_dest" _err_code="$?" if [ "$_err_code" != "0" ]; then From c8929ca0cb13abb2213cd5da7abd9bd1b140af9a Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:29:19 +0800 Subject: [PATCH 022/276] support specifying port for each host --- deploy/ssh.sh | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 73d71597..2de0d325 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -14,7 +14,7 @@ # The following examples are for QNAP NAS running QTS 4.2 # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" # export DEPLOY_SSH_USER="admin" # required -# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name +# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name, support multiple servers with optional port (eg. "host1 host2:8022") # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" @@ -185,7 +185,12 @@ _ssh_deploy() { _local_ca_file="" _local_full_file="" - _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" + case $DEPLOY_SSH_SERVER in + (*:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; + (*) _host=$DEPLOY_SSH_SERVER _port=;; + esac + + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" @@ -406,12 +411,18 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d #cmd _ssh_remote_cmd() { _cmd="$1" + + _ssh_cmd="$DEPLOY_SSH_CMD" + if [ -n "$_port" ]; then + _ssh_cmd="$_ssh_cmd -p $_port" + fi + _secure_debug "Remote commands to execute: $_cmd" - _info "Submitting sequence of commands to remote server by $DEPLOY_SSH_CMD" + _info "Submitting sequence of commands to remote server by $_ssh_cmd" # quotations in bash cmd below intended. Squash travis spellcheck error # shellcheck disable=SC2029 - $DEPLOY_SSH_CMD "$DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" sh -c "'$_cmd'" + $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'" _err_code="$?" if [ "$_err_code" != "0" ]; then @@ -425,10 +436,16 @@ _ssh_remote_cmd() { _scp_remote_cmd() { _src=$1 _dest=$2 - _secure_debug "Remote copy source $_src to destination $_dest using: $DEPLOY_SSH_SCP_CMD" - _info "Submitting secure copy command: $DEPLOY_SSH_SCP_CMD" - $DEPLOY_SSH_SCP_CMD "$_src" "$DEPLOY_SSH_USER"@"$DEPLOY_SSH_SERVER":"$_dest" + _scp_cmd="$DEPLOY_SSH_SCP_CMD" + if [ -n "$_port" ]; then + _scp_cmd="$_scp_cmd -P $_port" + fi + + _secure_debug "Remote copy source $_src to destination $_dest" + _info "Submitting secure copy by $_scp_cmd" + + $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest" _err_code="$?" if [ "$_err_code" != "0" ]; then From f90cbb636a101625b118fbdb57b64f7d4d0bdabb Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:41:59 +0800 Subject: [PATCH 023/276] fix format --- acme.sh | 2 +- deploy/ssh.sh | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/acme.sh b/acme.sh index 37c625d2..4366501b 100755 --- a/acme.sh +++ b/acme.sh @@ -2349,7 +2349,7 @@ _migratedomainconf() { #_migratedeployconf oldkey newkey base64encode _migratedeployconf() { _migratedomainconf "$1" "SAVED_$2" "$3" || - _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found } #key value base64encode diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 2de0d325..d40bba43 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -186,8 +186,8 @@ _ssh_deploy() { _local_full_file="" case $DEPLOY_SSH_SERVER in - (*:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; - (*) _host=$DEPLOY_SSH_SERVER _port=;; + *:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; + *) _host=$DEPLOY_SSH_SERVER _port=;; esac _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" @@ -265,9 +265,9 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_cert_file=$(_mktemp) if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_cert_file" + cat "$_ckey" >>"$_local_cert_file" fi - cat "$_ccert" >> "$_local_cert_file" + cat "$_ccert" >>"$_local_cert_file" if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then return $_err_code fi @@ -306,10 +306,10 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_ca_file=$(_mktemp) if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_ca_file" + cat "$_ckey" >>"$_local_ca_file" fi if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then - cat "$_ccert" >> "$_local_ca_file" + cat "$_ccert" >>"$_local_ca_file" fi cat "$_cca" >>"$_local_ca_file" if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then @@ -351,15 +351,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_full_file=$(_mktemp) if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_full_file" + cat "$_ckey" >>"$_local_full_file" fi if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then - cat "$_ccert" >> "$_local_full_file" + cat "$_ccert" >>"$_local_full_file" fi if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then - cat "$_cca" >> "$_local_full_file" + cat "$_cca" >>"$_local_full_file" fi - cat "$_cfullchain" >> "$_local_full_file" + cat "$_cfullchain" >>"$_local_full_file" if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then return $_err_code fi From 74f28021e701c53665774c4861d68863775bb206 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:49:40 +0800 Subject: [PATCH 024/276] fix format again --- deploy/ssh.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index d40bba43..074af84f 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -186,8 +186,14 @@ _ssh_deploy() { _local_full_file="" case $DEPLOY_SSH_SERVER in - *:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; - *) _host=$DEPLOY_SSH_SERVER _port=;; + *:*) + _host=${DEPLOY_SSH_SERVER%:*} + _port=${DEPLOY_SSH_SERVER##*:} + ;; + *) + _host=$DEPLOY_SSH_SERVER + _port= + ;; esac _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" From 3ce7d410c8ee18d4ed1049ccdc500a6624613df7 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:59:02 +0800 Subject: [PATCH 025/276] improve doc comments --- deploy/ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 074af84f..1aed7d3e 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -14,7 +14,7 @@ # The following examples are for QNAP NAS running QTS 4.2 # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" # export DEPLOY_SSH_USER="admin" # required -# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name, support multiple servers with optional port (eg. "host1 host2:8022") +# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" From d2a9d731edbc5d6dcfc434560ba605bef9039ed2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 May 2022 22:25:44 +0800 Subject: [PATCH 026/276] Update ssh.sh --- deploy/ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 1aed7d3e..c66e2e19 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -170,7 +170,7 @@ ssh_deploy() { _info "Required commands batched and sent in single call to remote host" fi - _deploy_ssh_servers=$DEPLOY_SSH_SERVER + _deploy_ssh_servers="$DEPLOY_SSH_SERVER" for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do _ssh_deploy done From 13c71829485aac03e1d0da98784ea50e983e73cd Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sat, 18 Jun 2022 17:32:56 +0200 Subject: [PATCH 027/276] Fix usage docs in file's header comment --- dnsapi/dns_artfiles.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 8e0a6151..2f8e158f 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -8,8 +8,8 @@ # Issues: https://github.com/Eagle3386/acme.sh/issues ################################################################################ # Usage: -# 1. export AF_API_Username="api12345678" -# 2. export AF_API_Password="apiPassword" +# 1. export AF_API_USERNAME="api12345678" +# 2. export AF_API_PASSWORD="apiPassword" # 3. acme.sh --issue -d example.com --dns dns_artfiles ################################################################################ From 095697900b94e05f3ba8176c53632d6d3a7769e0 Mon Sep 17 00:00:00 2001 From: Marcel Hellkamp Date: Wed, 22 Jun 2022 17:54:49 +0200 Subject: [PATCH 028/276] fix: Challenge not skipped for pre-validated wildcard domain orders Some CAs auto-validate orders based on account-level rules and do not require a challenge at all. Sectigo introduced a non-standard challenges named 'sectigo-dns-01', presumably to work around this issue in certbot. This also works for non-wildcard domains in acme.sh, but wildcard domains are rejected because acme.sh hard-codes 'dns-01' as the only allowed challenge for wildcard domains, which is not offered by Sectigo. This change simply moves the '"status":"valid"' check up a bit and ignores challenge type mismatches or missing tokens if no challenge is needed anyway. --- acme.sh | 42 +++++++++++++++++------------------------- 1 file changed, 17 insertions(+), 25 deletions(-) diff --git a/acme.sh b/acme.sh index 260733a2..3210efd6 100755 --- a/acme.sh +++ b/acme.sh @@ -4600,28 +4600,26 @@ $_authorizations_map" thumbprint="$(__calc_account_thumbprint)" fi + keyauthorization="" + + if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then + _debug "$d is already valid." + keyauthorization="$STATE_VERIFIED" + _debug keyauthorization "$keyauthorization" + fi + entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" - keyauthorization="" - if [ -z "$entry" ]; then - if ! _startswith "$d" '*.'; then - _debug "Not a wildcard domain, lets check whether the validation is already valid." - if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then - _debug "$d is already valid." - keyauthorization="$STATE_VERIFIED" - _debug keyauthorization "$keyauthorization" - fi - fi - if [ -z "$keyauthorization" ]; then - _err "Error, can not get domain token entry $d for $vtype" - _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')" - if [ "$_supported_vtypes" ]; then - _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype" - fi - _clearup - _on_issue_err "$_post_hook" - return 1 + + if [ -z "$keyauthorization" -a -z "$entry" ]; then + _err "Error, can not get domain token entry $d for $vtype" + _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')" + if [ "$_supported_vtypes" ]; then + _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype" fi + _clearup + _on_issue_err "$_post_hook" + return 1 fi if [ -z "$keyauthorization" ]; then @@ -4647,12 +4645,6 @@ $_authorizations_map" fi keyauthorization="$token.$thumbprint" _debug keyauthorization "$keyauthorization" - - if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then - _debug "$d is already verified." - keyauthorization="$STATE_VERIFIED" - _debug keyauthorization "$keyauthorization" - fi fi dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot" From b3529dc7482e6a8d2bdbb0e77374d960b58974a1 Mon Sep 17 00:00:00 2001 From: seidler2547 Date: Mon, 27 Jun 2022 19:42:16 +0000 Subject: [PATCH 029/276] remove dns_do as it does not work anymore The API that it uses was shut down in May 2022 --- dnsapi/dns_do.sh | 148 ----------------------------------------------- 1 file changed, 148 deletions(-) delete mode 100755 dnsapi/dns_do.sh diff --git a/dnsapi/dns_do.sh b/dnsapi/dns_do.sh deleted file mode 100755 index 3850890c..00000000 --- a/dnsapi/dns_do.sh +++ /dev/null @@ -1,148 +0,0 @@ -#!/usr/bin/env sh - -# DNS API for Domain-Offensive / Resellerinterface / Domainrobot - -# Report bugs at https://github.com/seidler2547/acme.sh/issues - -# set these environment variables to match your customer ID and password: -# DO_PID="KD-1234567" -# DO_PW="cdfkjl3n2" - -DO_URL="https://soap.resellerinterface.de/" - -######## Public functions ##################### - -#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" -dns_do_add() { - fulldomain=$1 - txtvalue=$2 - if _dns_do_authenticate; then - _info "Adding TXT record to ${_domain} as ${fulldomain}" - _dns_do_soap createRR origin "${_domain}" name "${fulldomain}" type TXT data "${txtvalue}" ttl 300 - if _contains "${response}" '>success<'; then - return 0 - fi - _err "Could not create resource record, check logs" - fi - return 1 -} - -#fulldomain -dns_do_rm() { - fulldomain=$1 - if _dns_do_authenticate; then - if _dns_do_list_rrs; then - _dns_do_had_error=0 - for _rrid in ${_rr_list}; do - _info "Deleting resource record $_rrid for $_domain" - _dns_do_soap deleteRR origin "${_domain}" rrid "${_rrid}" - if ! _contains "${response}" '>success<'; then - _dns_do_had_error=1 - _err "Could not delete resource record for ${_domain}, id ${_rrid}" - fi - done - return $_dns_do_had_error - fi - fi - return 1 -} - -#################### Private functions below ################################## -_dns_do_authenticate() { - _info "Authenticating as ${DO_PID}" - _dns_do_soap authPartner partner "${DO_PID}" password "${DO_PW}" - if _contains "${response}" '>success<'; then - _get_root "$fulldomain" - _debug "_domain $_domain" - return 0 - else - _err "Authentication failed, are DO_PID and DO_PW set correctly?" - fi - return 1 -} - -_dns_do_list_rrs() { - _dns_do_soap getRRList origin "${_domain}" - if ! _contains "${response}" 'SOAP-ENC:Array'; then - _err "getRRList origin ${_domain} failed" - return 1 - fi - _rr_list="$(echo "${response}" | - tr -d "\n\r\t" | - sed -e 's//\n/g' | - grep ">$(_regexcape "$fulldomain")" | - sed -e 's/<\/item>/\n/g' | - grep '>id[0-9]{1,16}<' | - tr -d '><')" - [ "${_rr_list}" ] -} - -_dns_do_soap() { - func="$1" - shift - # put the parameters to xml - body="" - while [ "$1" ]; do - _k="$1" - shift - _v="$1" - shift - body="$body<$_k>$_v" - done - body="$body" - _debug2 "SOAP request ${body}" - - # build SOAP XML - _xml=' - - '"$body"' -' - - # set SOAP headers - export _H1="SOAPAction: ${DO_URL}#${func}" - - if ! response="$(_post "${_xml}" "${DO_URL}")"; then - _err "Error <$1>" - return 1 - fi - _debug2 "SOAP response $response" - - # retrieve cookie header - _H2="$(_egrep_o 'Cookie: [^;]+' <"$HTTP_HEADER" | _head_n 1)" - export _H2 - - return 0 -} - -_get_root() { - domain=$1 - i=1 - - _dns_do_soap getDomainList - _all_domains="$(echo "${response}" | - tr -d "\n\r\t " | - _egrep_o 'domain]+>[^<]+' | - sed -e 's/^domain<\/key>]*>//g')" - - while true; do - h=$(printf "%s" "$domain" | cut -d . -f $i-100) - if [ -z "$h" ]; then - return 1 - fi - - if _contains "${_all_domains}" "^$(_regexcape "$h")\$"; then - _domain="$h" - return 0 - fi - - i=$(_math $i + 1) - done - _debug "$domain not found" - - return 1 -} - -_regexcape() { - echo "$1" | sed -e 's/\([]\.$*^[]\)/\\\1/g' -} From ba3e088b238382c76922fcf4a312819292bc75cb Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Thu, 7 Jul 2022 17:32:22 +0200 Subject: [PATCH 030/276] Improved error handling Improved error handling when result contains data-structure which might contain another status-flag that is related to the status of the related object and not the api call Revert "Improved error handling" This reverts commit fa6df1cfab134d38baad19fc1caa0842f00416d5. Revert "Revert "Improved error handling"" This reverts commit 5a4b78392f063863ee9f56686f5c429e9376af1b. --- dnsapi/dns_pleskxml.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index 0f7dc241..e0b1724b 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -251,9 +251,12 @@ _call_api() { # Detect any that isn't "ok". None of the used calls should fail if the API is working correctly. # Also detect if there simply aren't any status lines (null result?) and report that, as well. + # Remove structure from result string, since it might contain values that are related to the status of the domain and not to the API request - statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *[^<]* *$')" - statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *ok *$')" + statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | sed '//,/<\/data>/d' | grep -c '^ *[^<]* *$')" + statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | sed '//,/<\/data>/d' | grep -c '^ *ok *$')" + _debug "statuslines_count_total=$statuslines_count_total." + _debug "statuslines_count_okay=$statuslines_count_okay." if [ -z "$statuslines_count_total" ]; then From b41d40da4010bc99bae3966dcc84df4b7b9abbd9 Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Sat, 9 Jul 2022 21:23:50 +0200 Subject: [PATCH 031/276] Extended debug logging in dns_pleskxml_rm() --- dnsapi/dns_pleskxml.sh | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index e0b1724b..bcd72d9a 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -152,13 +152,23 @@ dns_pleskxml_rm() { _debug "Got list of DNS TXT records for root domain '$root_domain_name':" _debug "$reclist" - recid="$( + recline="$( _value "$reclist" | grep "${fulldomain}." | - grep "${txtvalue}" | + grep "${txtvalue}" + )" + + _debug "Got line for ${fulldomain}. and ${txtvalue}:" + _debug "$recline" + + recid="$( + _value "$recline" | sed 's/^.*\([0-9]\{1,\}\)<\/id>.*$/\1/' )" + _debug "Got id from line:" + _debug $recid + if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then _err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'" _err "Cannot delete TXT record. Exiting." From 55a55e9f74a7c0842ed12d9e76d89b2c3232cdce Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Sat, 9 Jul 2022 21:28:19 +0200 Subject: [PATCH 032/276] Fixed debug log to prevent globbing and word splitting. --- dnsapi/dns_pleskxml.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index bcd72d9a..56902e20 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -157,7 +157,7 @@ dns_pleskxml_rm() { grep "${fulldomain}." | grep "${txtvalue}" )" - + _debug "Got line for ${fulldomain}. and ${txtvalue}:" _debug "$recline" @@ -167,7 +167,7 @@ dns_pleskxml_rm() { )" _debug "Got id from line:" - _debug $recid + _debug "$recid" if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then _err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'" From bc7e02b47a7b04c367e08962a84a63170701f890 Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Sun, 10 Jul 2022 17:11:27 +0200 Subject: [PATCH 033/276] Fixed removal of TXT record when subdomain is case-sensitive and improved debug logging Plesk SPI return domain names always lower-case. Therefore the search for domain names in the API response must be case-insensitve. Set debug logging to the values that are reallys used for the spi calls. added comment --- dnsapi/dns_pleskxml.sh | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index 56902e20..a8f7f7be 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -145,32 +145,25 @@ dns_pleskxml_rm() { )" if [ -z "$reclist" ]; then - _err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting." + _err "No TXT records found for root domain $fulldomain (Plesk domain ID ${root_domain_id}). Exiting." return 1 fi - _debug "Got list of DNS TXT records for root domain '$root_domain_name':" + _debug "Got list of DNS TXT records for root Plesk domain ID ${root_domain_id} of root domain $fulldomain:" _debug "$reclist" - recline="$( - _value "$reclist" | - grep "${fulldomain}." | - grep "${txtvalue}" - )" - - _debug "Got line for ${fulldomain}. and ${txtvalue}:" - _debug "$recline" - + # Extracting the id of the TXT record for the full domain (NOT case-sensitive) and corresponding value recid="$( - _value "$recline" | + _value "$reclist" | + grep -i "${fulldomain}." | + grep "${txtvalue}" | sed 's/^.*\([0-9]\{1,\}\)<\/id>.*$/\1/' )" - _debug "Got id from line:" - _debug "$recid" + _debug "Got id from line: $recid" if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then - _err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'" + _err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'" _err "Cannot delete TXT record. Exiting." return 1 fi From ca0981645fd0d855679e19565f59a40096c61fcf Mon Sep 17 00:00:00 2001 From: lufi42 <101186892+lufi42@users.noreply.github.com> Date: Sun, 10 Jul 2022 17:34:30 +0200 Subject: [PATCH 034/276] Fixed shfmt error --- dnsapi/dns_pleskxml.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index a8f7f7be..799c374c 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -160,7 +160,7 @@ dns_pleskxml_rm() { sed 's/^.*\([0-9]\{1,\}\)<\/id>.*$/\1/' )" - _debug "Got id from line: $recid" + _debug "Got id from line: $recid" if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then _err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'" From dcf9c467c386e49c606aa98069f63efd8bc32309 Mon Sep 17 00:00:00 2001 From: Monius Date: Sat, 20 Aug 2022 19:37:51 +0800 Subject: [PATCH 035/276] fix issue, when profile not end with newline --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e8228e30..aecef894 100755 --- a/acme.sh +++ b/acme.sh @@ -6371,7 +6371,7 @@ _installalias() { if [ "$_profile" ]; then _debug "Found profile: $_profile" _info "Installing alias to '$_profile'" - _setopt "$_profile" ". \"$_envfile\"" + _setopt "$_profile" "\n. \"$_envfile\"" _info "OK, Close and reopen your terminal to start using $PROJECT_NAME" else _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME" From f2634b44cdd4bc38cfd9838ca6cb2e975bd4c25a Mon Sep 17 00:00:00 2001 From: Monius Date: Sun, 21 Aug 2022 12:26:37 +0800 Subject: [PATCH 036/276] add EOF, if $__conf not end with one --- acme.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index aecef894..ec4f90b7 100755 --- a/acme.sh +++ b/acme.sh @@ -2239,7 +2239,11 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi - + if [ -n "$(tail -c 1 <"$__conf")" ]; then + _debug3 No New Line + echo >>"$__conf" + fi + if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then _debug3 OK if _contains "$__val" "&"; then @@ -6371,7 +6375,7 @@ _installalias() { if [ "$_profile" ]; then _debug "Found profile: $_profile" _info "Installing alias to '$_profile'" - _setopt "$_profile" "\n. \"$_envfile\"" + _setopt "$_profile" ". \"$_envfile\"" _info "OK, Close and reopen your terminal to start using $PROJECT_NAME" else _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME" From 6502a71083de93cef288992b00f8d38f4d35c9a4 Mon Sep 17 00:00:00 2001 From: Monius Date: Mon, 22 Aug 2022 05:26:12 +0800 Subject: [PATCH 037/276] fix, but remove debug info --- acme.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/acme.sh b/acme.sh index ec4f90b7..882aaf03 100755 --- a/acme.sh +++ b/acme.sh @@ -2240,7 +2240,6 @@ _setopt() { touch "$__conf" fi if [ -n "$(tail -c 1 <"$__conf")" ]; then - _debug3 No New Line echo >>"$__conf" fi From 5a604bfdeec85bf0e578d73f57e7c6bb4ae91409 Mon Sep 17 00:00:00 2001 From: Monius Date: Mon, 22 Aug 2022 15:16:30 +0800 Subject: [PATCH 038/276] shfmt check? --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 882aaf03..11814b6e 100755 --- a/acme.sh +++ b/acme.sh @@ -2239,10 +2239,11 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi + if [ -n "$(tail -c 1 <"$__conf")" ]; then echo >>"$__conf" fi - + if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then _debug3 OK if _contains "$__val" "&"; then From b95f836256ca2c7b57d74c1a4a9b524fc92255bc Mon Sep 17 00:00:00 2001 From: Monius Date: Tue, 23 Aug 2022 06:30:09 +0800 Subject: [PATCH 039/276] final try --- acme.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/acme.sh b/acme.sh index 11814b6e..bb6863c7 100755 --- a/acme.sh +++ b/acme.sh @@ -2239,7 +2239,6 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi - if [ -n "$(tail -c 1 <"$__conf")" ]; then echo >>"$__conf" fi From a7dd86de71400c48127038ba61603dfdf52133ca Mon Sep 17 00:00:00 2001 From: Markus Lippert Date: Thu, 29 Sep 2022 12:22:45 +0200 Subject: [PATCH 040/276] fix(deploy-synology_dsm): support DID with DSM 7 --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index f30f82c0..c31a5df0 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -108,7 +108,7 @@ synology_dsm_deploy() { _debug3 H1 "${_H1}" fi - response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") + response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') _debug3 response "$response" _debug token "$token" From 666c716bdae095252f75d6d58dd694baffee42e9 Mon Sep 17 00:00:00 2001 From: Adam Tao Date: Tue, 11 Oct 2022 20:36:09 +0800 Subject: [PATCH 041/276] Fix error during saving conf There might be '|' in __val (e.g., SYNO_Password), which will cause that all content of the conf file is cleared. Fix it by escaping '|' manually. Signed-off-by: Adam Tao --- acme.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/acme.sh b/acme.sh index e1ee3867..1ba2c6a5 100755 --- a/acme.sh +++ b/acme.sh @@ -2266,6 +2266,9 @@ _setopt() { if _contains "$__val" "&"; then __val="$(echo "$__val" | sed 's/&/\\&/g')" fi + if _contains "$__val" "|"; then + __val="$(echo "$__val" | sed 's/|/\\|/g')" + fi text="$(cat "$__conf")" printf -- "%s\n" "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf" @@ -2273,6 +2276,9 @@ _setopt() { if _contains "$__val" "&"; then __val="$(echo "$__val" | sed 's/&/\\&/g')" fi + if _contains "$__val" "|"; then + __val="$(echo "$__val" | sed 's/|/\\|/g')" + fi text="$(cat "$__conf")" printf -- "%s\n" "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf" From 1c16931e260d0dec38ee8c8857c5f33960adceb4 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 16 Oct 2022 16:06:01 +0800 Subject: [PATCH 042/276] add Le_Next_Domain_Key for tlsa fix https://github.com/acmesh-official/acme.sh/issues/3096 Usage: https://github.com/acmesh-official/acme.sh/wiki/tlsa-next-key --- acme.sh | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/acme.sh b/acme.sh index 1ba2c6a5..1ee76307 100755 --- a/acme.sh +++ b/acme.sh @@ -4423,6 +4423,7 @@ issue() { _debug "_saved_account_key_hash is not changed, skip register account." fi + export Le_Next_Domain_Key="$CERT_KEY_PATH.next" if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then _info "Signing from existing CSR." else @@ -4435,14 +4436,30 @@ issue() { fi _debug "Read key length:$_key" if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then - if ! createDomainKey "$_main_domain" "$_key_length"; then - _err "Create domain key error." - _clearup - _on_issue_err "$_post_hook" + if [ "$Le_ForceNewDomainKey" = "1" ] && [ -f "$Le_Next_Domain_Key" ]; then + _info "Using pre generated key: $Le_Next_Domain_Key" + cat "$Le_Next_Domain_Key" >"$CERT_KEY_PATH" + echo "" >"$Le_Next_Domain_Key" + else + if ! createDomainKey "$_main_domain" "$_key_length"; then + _err "Create domain key error." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + fi + fi + if [ "$Le_ForceNewDomainKey" ]; then + _info "Generate next pre-generate key." + if [ ! -e "$Le_Next_Domain_Key" ]; then + touch "$Le_Next_Domain_Key" + chmod 600 "$Le_Next_Domain_Key" + fi + if ! _createkey "$_key_length" "$Le_Next_Domain_Key"; then + _err "Can not pre generate domain key" return 1 fi fi - if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then _err "Create CSR error." _clearup @@ -5178,6 +5195,9 @@ $_authorizations_map" [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")" [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")" + if [ "$Le_ForceNewDomainKey" ] && [ -e "$Le_Next_Domain_Key" ]; then + _info "Your pre-generated next key for future cert key change is in: $(__green "$Le_Next_Domain_Key")" + fi Le_CertCreateTime=$(_time) _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime" @@ -5752,7 +5772,8 @@ installcert() { _savedomainconf "Le_RealKeyPath" "$_real_key" _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64" _savedomainconf "Le_RealFullChainPath" "$_real_fullchain" - + export Le_ForceNewDomainKey="$(_readdomainconf Le_ForceNewDomainKey)" + export Le_Next_Domain_Key _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd" } @@ -5844,6 +5865,8 @@ _installcert() { export CA_CERT_PATH export CERT_FULLCHAIN_PATH export Le_Domain="$_main_domain" + export Le_ForceNewDomainKey + export Le_Next_Domain_Key cd "$DOMAIN_PATH" && eval "$_reload_cmd" ); then _info "$(__green "Reload success")" From 3c933158c888785494c177bf7e83aa4c25c56633 Mon Sep 17 00:00:00 2001 From: Peter Dave Hello Date: Mon, 17 Oct 2022 16:45:48 +0800 Subject: [PATCH 043/276] Use encrypted https instead of plain-text http when we can --- .github/workflows/DNS.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/Windows.yml | 2 +- dnsapi/dns_acmeproxy.sh | 2 +- dnsapi/dns_gandi_livedns.sh | 2 +- dnsapi/dns_kinghost.sh | 2 +- dnsapi/dns_leaseweb.sh | 2 +- dnsapi/dns_namecheap.sh | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index be44c09b..c13e3087 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -172,7 +172,7 @@ jobs: shell: cmd - name: Install cygwin additional packages run: | - C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git shell: cmd - name: Set ENV shell: cmd diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 10952778..9eee1668 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -61,7 +61,7 @@ jobs: nat: | "8080": "80" prepare: | - export PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" + export PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" pkg_add curl socat usesh: true copyback: false diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index 3b7bf2eb..773ceee3 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -57,7 +57,7 @@ jobs: shell: cmd - name: Install cygwin additional packages run: | - C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd shell: cmd - name: Set ENV shell: cmd diff --git a/dnsapi/dns_acmeproxy.sh b/dnsapi/dns_acmeproxy.sh index d4a0e172..9d5533f9 100644 --- a/dnsapi/dns_acmeproxy.sh +++ b/dnsapi/dns_acmeproxy.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -## Acmeproxy DNS provider to be used with acmeproxy (http://github.com/mdbraber/acmeproxy) +## Acmeproxy DNS provider to be used with acmeproxy (https://github.com/mdbraber/acmeproxy) ## API integration by Maarten den Braber ## ## Report any bugs via https://github.com/mdbraber/acme.sh diff --git a/dnsapi/dns_gandi_livedns.sh b/dnsapi/dns_gandi_livedns.sh index 87119521..931da883 100644 --- a/dnsapi/dns_gandi_livedns.sh +++ b/dnsapi/dns_gandi_livedns.sh @@ -1,7 +1,7 @@ #!/usr/bin/env sh # Gandi LiveDNS v5 API -# http://doc.livedns.gandi.net/ +# https://doc.livedns.gandi.net/ # currently under beta # # Requires GANDI API KEY set in GANDI_LIVEDNS_KEY set as environment variable diff --git a/dnsapi/dns_kinghost.sh b/dnsapi/dns_kinghost.sh index 6253c71d..f640242f 100644 --- a/dnsapi/dns_kinghost.sh +++ b/dnsapi/dns_kinghost.sh @@ -2,7 +2,7 @@ ############################################################ # KingHost API support # -# http://api.kinghost.net/doc/ # +# https://api.kinghost.net/doc/ # # # # Author: Felipe Keller Braz # # Report Bugs here: https://github.com/kinghost/acme.sh # diff --git a/dnsapi/dns_leaseweb.sh b/dnsapi/dns_leaseweb.sh index a1d9e749..63f81869 100644 --- a/dnsapi/dns_leaseweb.sh +++ b/dnsapi/dns_leaseweb.sh @@ -3,7 +3,7 @@ #Author: Rolph Haspers #Utilize leaseweb.com API to finish dns-01 verifications. #Requires a Leaseweb API Key (export LSW_Key="Your Key") -#See http://developer.leaseweb.com for more information. +#See https://developer.leaseweb.com for more information. ######## Public functions ##################### LSW_API="https://api.leaseweb.com/hosting/v2/domains/" diff --git a/dnsapi/dns_namecheap.sh b/dnsapi/dns_namecheap.sh index dcd87723..a5f667a9 100755 --- a/dnsapi/dns_namecheap.sh +++ b/dnsapi/dns_namecheap.sh @@ -82,7 +82,7 @@ _get_root() { _debug "Failed domain lookup via domains.getList api call. Trying domain lookup via domains.dns.getHosts api." # The above "getList" api will only return hosts *owned* by the calling user. However, if the calling # user is not the owner, but still has administrative rights, we must query the getHosts api directly. - # See this comment and the official namecheap response: http://disq.us/p/1q6v9x9 + # See this comment and the official namecheap response: https://disq.us/p/1q6v9x9 if ! _get_root_by_getHosts "$fulldomain"; then return 1 fi From 424da018782cf0c6f10ba2f8093a0898257cf899 Mon Sep 17 00:00:00 2001 From: Peter Dave Hello Date: Mon, 17 Oct 2022 18:49:10 +0800 Subject: [PATCH 044/276] Reduce acmetest git clone depth to speed up CI pipeline --- .github/workflows/DNS.yml | 16 ++++++++-------- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/Linux.yml | 2 +- .github/workflows/MacOS.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/PebbleStrict.yml | 4 ++-- .github/workflows/Solaris.yml | 2 +- .github/workflows/Ubuntu.yml | 2 +- .github/workflows/Windows.yml | 2 +- 11 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index be44c09b..37397da8 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -67,7 +67,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file run: | cd ../acmetest @@ -117,7 +117,7 @@ jobs: - name: Install tools run: brew install socat - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest run: | if [ "${{ secrets.TokenName1}}" ] ; then @@ -179,7 +179,7 @@ jobs: run: | echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV% - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest shell: bash run: | @@ -225,7 +225,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -276,7 +276,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -327,7 +327,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -379,7 +379,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -435,7 +435,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 8581db47..2dff172a 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -54,7 +54,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index 795ddc75..c9f1d623 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -60,7 +60,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index 238b3016..d5c98a31 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -37,7 +37,7 @@ jobs: - name: Clone acmetest run: | cd .. \ - && git clone https://github.com/acmesh-official/acmetest.git \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ && cp -r acme.sh acmetest/ - name: Run acmetest run: | diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml index 69fb09f7..1a0b4488 100644 --- a/.github/workflows/MacOS.yml +++ b/.github/workflows/MacOS.yml @@ -50,7 +50,7 @@ jobs: - name: Clone acmetest run: | cd .. \ - && git clone https://github.com/acmesh-official/acmetest.git \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ && cp -r acme.sh acmetest/ - name: Run acmetest run: | diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 10952778..781e8fe0 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -54,7 +54,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index 9c21daa1..da46424a 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -60,7 +60,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index 7417b8b0..1740fc3f 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -41,7 +41,7 @@ jobs: - name: Set up Pebble run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest run: cd ../acmetest && ./letest.sh @@ -67,6 +67,6 @@ jobs: -e PEBBLE_VA_ALWAYS_VALID=1 \ -p 14000:14000 -p 15000:15000 letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest run: cd ../acmetest && ./letest.sh \ No newline at end of file diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 3a86d3dc..3488f78f 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -60,7 +60,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 664ba92c..0a2ec971 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -88,7 +88,7 @@ jobs: - name: Clone acmetest run: | cd .. \ - && git clone https://github.com/acmesh-official/acmetest.git \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ && cp -r acme.sh acmetest/ - name: Run acmetest run: | diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index 3b7bf2eb..81e646e5 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -69,7 +69,7 @@ jobs: echo "PATH=%PATH%" - name: Clone acmetest shell: cmd - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest shell: cmd run: cd ../acmetest && bash.exe -c ./letest.sh From c9a55f395bf17d5545604c3ef88193246ade1cb6 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Oct 2022 10:08:42 +0800 Subject: [PATCH 045/276] fix doh https://github.com/acmesh-official/acme.sh/issues/4369 --- acme.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 1ee76307..d6d8e48c 100755 --- a/acme.sh +++ b/acme.sh @@ -4050,8 +4050,7 @@ _ns_lookup_dp() { _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type" } -#domain, type -_ns_lookup() { +_ns_select_doh() { if [ -z "$DOH_USE" ]; then _debug "Detect dns server first." if _ns_is_available_cf; then @@ -4070,7 +4069,11 @@ _ns_lookup() { _err "No doh" fi fi +} +#domain, type +_ns_lookup() { + _ns_select_doh if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then _ns_lookup_cf "$@" elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then @@ -4093,6 +4096,7 @@ __check_txt() { _debug "_c_txtdomain" "$_c_txtdomain" _debug "_c_aliasdomain" "$_c_aliasdomain" _debug "_c_txt" "$_c_txt" + _ns_select_doh _answers="$(_ns_lookup "$_c_aliasdomain" TXT)" _contains "$_answers" "$_c_txt" From d102943a324ba85992c8a7703152f2aedf35bbcc Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 7 Nov 2022 22:36:40 +0800 Subject: [PATCH 046/276] upgrade actions/checkout@v3 --- .github/workflows/DNS.yml | 16 ++++++++-------- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/Linux.yml | 2 +- .github/workflows/MacOS.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/PebbleStrict.yml | 4 ++-- .github/workflows/Solaris.yml | 2 +- .github/workflows/Ubuntu.yml | 2 +- .github/workflows/Windows.yml | 2 +- .github/workflows/dockerhub.yml | 2 +- 12 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index dd031efd..17e98ae3 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -65,7 +65,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file @@ -113,7 +113,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: brew install socat - name: Clone acmetest @@ -164,7 +164,7 @@ jobs: - name: Set git to use LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install cygwin base packages with chocolatey run: | choco config get cacheLocation @@ -223,7 +223,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 @@ -274,7 +274,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 @@ -325,7 +325,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 @@ -377,7 +377,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 @@ -433,7 +433,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 2dff172a..46a572f0 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -45,7 +45,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index c9f1d623..d83c5d84 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index d5c98a31..156fa5df 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -33,7 +33,7 @@ jobs: TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 TEST_ACME_Server: "LetsEncrypt.org_test" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: | cd .. \ diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml index 1a0b4488..c1f29769 100644 --- a/.github/workflows/MacOS.yml +++ b/.github/workflows/MacOS.yml @@ -44,7 +44,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: brew install socat - name: Clone acmetest diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 136640a2..e0cb5586 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -45,7 +45,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index da46424a..f87ec207 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index 1740fc3f..9f3a98ce 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -33,7 +33,7 @@ jobs: TEST_CA: "Pebble Intermediate CA" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: sudo apt-get install -y socat - name: Run Pebble @@ -58,7 +58,7 @@ jobs: TEST_IPCERT: 1 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: sudo apt-get install -y socat - name: Run Pebble diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 3488f78f..e1aea253 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 0a2ec971..a6ec714c 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -70,7 +70,7 @@ jobs: TestingDomain: ${{ matrix.TestingDomain }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: sudo apt-get install -y socat wget - name: Start StepCA diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index e5dfb172..c02e2f77 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -49,7 +49,7 @@ jobs: - name: Set git to use LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install cygwin base packages with chocolatey run: | choco config get cacheLocation diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 4d9f34b3..bd2c01aa 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -41,7 +41,7 @@ jobs: if: "contains(needs.CheckToken.outputs.hasToken, 'true')" steps: - name: checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Set up Docker Buildx From 5a51454d136bb23eeb7d7fa6ca20bed00bfde7fd Mon Sep 17 00:00:00 2001 From: Jan Wagner Date: Thu, 17 Nov 2022 15:20:11 +0100 Subject: [PATCH 047/276] Update Alpine to 1.16.3 With #4399 applied we can pick minor versions safely. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 049649f6..79fd1d89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.15 +FROM alpine:3.16.3 RUN apk --no-cache add -f \ openssl \ From cdb238e41ce572647433880f3e3a4dd683990f3e Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:12:52 +0800 Subject: [PATCH 048/276] fix cf-tunnel --- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/Solaris.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 46a572f0..6daa9be4 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -46,7 +46,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index d83c5d84..0fa55fd4 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -52,7 +52,7 @@ jobs: ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index e0cb5586..33bcf23c 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -46,7 +46,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index f87ec207..7746645a 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -52,7 +52,7 @@ jobs: ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index e1aea253..34d31a59 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -52,7 +52,7 @@ jobs: ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http From 60315e5b91507802371253be2d4cf5c8ebc079fd Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:28:17 +0800 Subject: [PATCH 049/276] fix shellcheck warnings --- deploy/gitlab.sh | 2 +- dnsapi/dns_dynv6.sh | 8 ++++---- dnsapi/dns_edgedns.sh | 2 +- dnsapi/dns_infomaniak.sh | 4 ++-- dnsapi/dns_servercow.sh | 2 +- dnsapi/dns_vultr.sh | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/gitlab.sh b/deploy/gitlab.sh index ba2d3122..d8a93ad2 100644 --- a/deploy/gitlab.sh +++ b/deploy/gitlab.sh @@ -67,7 +67,7 @@ gitlab_deploy() { error_response="error" - if test "${_response#*$error_response}" != "$_response"; then + if test ${_response#*"$error_response"} != "$_response"; then _err "Error in deploying certificate:" _err "$_response" return 1 diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 9efc9aeb..739eccf9 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -94,8 +94,8 @@ _get_domain() { _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')" for l in $_your_hosts; do #echo "host: $l" - if test "${_full_domain#*$l}" != "$_full_domain"; then - _record="${_full_domain%.$l}" + if test ${_full_domain#*"$l"} != "$_full_domain"; then + _record=${_full_domain%."$l"} _host=$l _debug "The host is $_host and the record $_record" return 0 @@ -143,7 +143,7 @@ _dns_dynv6_add_http() { return 1 fi _get_zone_name "$_zone_id" - record="${fulldomain%%.$_zone_name}" + record=${fulldomain%%."$_zone_name"} _set_record TXT "$record" "$txtvalue" if _contains "$response" "$txtvalue"; then _info "Successfully added record" @@ -161,7 +161,7 @@ _dns_dynv6_rm_http() { return 1 fi _get_zone_name "$_zone_id" - record="${fulldomain%%.$_zone_name}" + record=${fulldomain%%."$_zone_name"} _get_record_id "$_zone_id" "$record" "$txtvalue" _del_record "$_zone_id" "$_record_id" if [ -z "$response" ]; then diff --git a/dnsapi/dns_edgedns.sh b/dnsapi/dns_edgedns.sh index 11c132fa..27650eb1 100755 --- a/dnsapi/dns_edgedns.sh +++ b/dnsapi/dns_edgedns.sh @@ -418,7 +418,7 @@ _edgedns_make_data_to_sign() { _secure_debug2 "hdr" "$hdr" _edgedns_make_content_hash path="$(echo "$_request_url_path" | tr -d "\n\r" | sed 's/https\?:\/\///')" - path="${path#*$AKAMAI_HOST}" + path=${path#*"$AKAMAI_HOST"} _debug "hier path" "$path" # dont expose headers to sign so use MT string _mdata="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "$_request_method" "$AKAMAI_HOST" "$path" "" "$_hash" "$hdr")" diff --git a/dnsapi/dns_infomaniak.sh b/dnsapi/dns_infomaniak.sh index 765cf39d..a005132c 100755 --- a/dnsapi/dns_infomaniak.sh +++ b/dnsapi/dns_infomaniak.sh @@ -76,7 +76,7 @@ dns_infomaniak_add() { domain_id=${zone_and_id#* } # extract first part of domain - key=${fulldomain%.$zone} + key=${fulldomain%."$zone"} _debug "zone:$zone id:$domain_id key:$key" @@ -149,7 +149,7 @@ dns_infomaniak_rm() { domain_id=${zone_and_id#* } # extract first part of domain - key=${fulldomain%.$zone} + key=${fulldomain%."$zone"} _debug "zone:$zone id:$domain_id key:$key" diff --git a/dnsapi/dns_servercow.sh b/dnsapi/dns_servercow.sh index f70a2294..52137905 100755 --- a/dnsapi/dns_servercow.sh +++ b/dnsapi/dns_servercow.sh @@ -53,7 +53,7 @@ dns_servercow_add() { if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then _info "A txt record with the same name already exists." # trim the string on the left - txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"} + txtvalue_old=${response#*{\"name\":\""$_sub_domain"\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"} # trim the string on the right txtvalue_old=${txtvalue_old%%\"*} diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh index bd925fdb..58f14be1 100644 --- a/dnsapi/dns_vultr.sh +++ b/dnsapi/dns_vultr.sh @@ -139,7 +139,7 @@ _vultr_rest() { data="$3" _debug "$ep" - api_key_trimmed=$(echo $VULTR_API_KEY | tr -d '"') + api_key_trimmed=$(echo "$VULTR_API_KEY" | tr -d '"') export _H1="Authorization: Bearer $api_key_trimmed" export _H2='Content-Type: application/json' From e275cb1efd295f3d688569fec2b467d894830b44 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:33:29 +0800 Subject: [PATCH 050/276] fix shellcheck warnings --- .github/workflows/shellcheck.yml | 2 +- deploy/gitlab.sh | 2 +- dnsapi/dns_dynv6.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index d628ea93..9beb5489 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -26,7 +26,7 @@ jobs: - name: Install Shellcheck run: sudo apt-get install -y shellcheck - name: DoShellcheck - run: shellcheck -V && shellcheck -e SC2181 **/*.sh && echo "shellcheck OK" + run: shellcheck -V && shellcheck -e SC2181 -e SC2089 **/*.sh && echo "shellcheck OK" shfmt: runs-on: ubuntu-latest diff --git a/deploy/gitlab.sh b/deploy/gitlab.sh index d8a93ad2..595b6d20 100644 --- a/deploy/gitlab.sh +++ b/deploy/gitlab.sh @@ -67,7 +67,7 @@ gitlab_deploy() { error_response="error" - if test ${_response#*"$error_response"} != "$_response"; then + if test "${_response#*"$error_response"}" != "$_response"; then _err "Error in deploying certificate:" _err "$_response" return 1 diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 739eccf9..90814b1b 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -94,7 +94,7 @@ _get_domain() { _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')" for l in $_your_hosts; do #echo "host: $l" - if test ${_full_domain#*"$l"} != "$_full_domain"; then + if test "${_full_domain#*"$l"}" != "$_full_domain"; then _record=${_full_domain%."$l"} _host=$l _debug "The host is $_host and the record $_record" From e684abdacde657ea2a22ecc627e4d63b209131d3 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:34:58 +0800 Subject: [PATCH 051/276] fix checkout --- .github/workflows/shellcheck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 9beb5489..a5a08bbf 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -22,7 +22,7 @@ jobs: ShellCheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install Shellcheck run: sudo apt-get install -y shellcheck - name: DoShellcheck @@ -31,7 +31,7 @@ jobs: shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install shfmt run: curl -sSL https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64 -o ~/shfmt && chmod +x ~/shfmt - name: shfmt From 3a1c6d84f0f4609e98239512357599cade4c807f Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:40:34 +0800 Subject: [PATCH 052/276] fix shellcheck warnings --- dnsapi/dns_oci.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_oci.sh b/dnsapi/dns_oci.sh index 18d74410..3b81143f 100644 --- a/dnsapi/dns_oci.sh +++ b/dnsapi/dns_oci.sh @@ -265,6 +265,7 @@ _signed_request() { _response="$(_get "https://${_sig_host}${_sig_target}")" elif [ "$_curl_method" = "PATCH" ]; then export _H1="$_date_header" + # shellcheck disable=SC2090 export _H2="$_sig_body_sha256" export _H3="$_sig_body_type" export _H4="$_sig_body_length" From 7a756ebc4d08e60d5a127b220505d27fb54fe358 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:55:19 +0800 Subject: [PATCH 053/276] start v3.0.6 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..4d4aceb1 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=3.0.5 +VER=3.0.6 PROJECT_NAME="acme.sh" From ec0e871592d286b8cd4e1d407411f0ba17c775e6 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:57:38 +0800 Subject: [PATCH 054/276] Use ec-256 as default key length fix https://github.com/acmesh-official/acme.sh/issues/2350#issuecomment-1324029469 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 4d4aceb1..c1a576a5 100755 --- a/acme.sh +++ b/acme.sh @@ -53,8 +53,8 @@ CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$ DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" -DEFAULT_ACCOUNT_KEY_LENGTH=2048 -DEFAULT_DOMAIN_KEY_LENGTH=2048 +DEFAULT_ACCOUNT_KEY_LENGTH=ec-256 +DEFAULT_DOMAIN_KEY_LENGTH=ec-256 DEFAULT_OPENSSL_BIN="openssl" From f4ed1b32b85d3cdf256168e698bc8e4261db7a3e Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Sat, 26 Nov 2022 18:12:11 +0330 Subject: [PATCH 055/276] Update dns_arvan.sh Update API URL --- dnsapi/dns_arvan.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 4c9217e5..2118883b 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -2,7 +2,7 @@ #Arvan_Token="Apikey xxxx" -ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains" +ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" #Author: Vahid Fardi #Report Bugs here: https://github.com/Neilpang/acme.sh # @@ -18,7 +18,7 @@ dns_arvan_add() { if [ -z "$Arvan_Token" ]; then _err "You didn't specify \"Arvan_Token\" token yet." - _err "You can get yours from here https://npanel.arvancloud.com/profile/api-keys" + _err "You can get yours from here https://npanel.arvancloud.ir/profile/api-keys" return 1 fi #save the api token to the account conf file. From 9f942a6b65bda8c97dbd989549a0ced034cb6f42 Mon Sep 17 00:00:00 2001 From: Kiril Isakov Date: Sat, 26 Nov 2022 16:00:03 +0100 Subject: [PATCH 056/276] Trim trailing slash in `--home` argument's value # What's expected Since in `acme.sh` path strings are concatenated with a hardcoded slash in between, the left operand must never end with a trailing slash for the resulting path to be valid. Otherwise, obviously, the resulting path will have two adjacent slashes in the middle and will not be valid. # What actually happens Even though I cannot tell for each of the input params, I know this for sure for the the `--home` argument's value. If I run `acme.sh` with `--home` argument's value being a path ending in a trailing slash, ```sh acme.sh ... --debug ... --home /some/path/ ... -d somedomainna.me ... ``` I get the following (distinct) occurrencies of resulting invalid paths containing two adjacent slashes: ``` [...] Using config home:/some/path/ [...] DOMAIN_PATH='/some/path//somedomainna.me' [...] _CURL='curl --silent --dump-header /some/path//http.header -L -g ' [...] The domain key is here: /some/path//somedomainna.me/somedomainna.me.key [...] _CURL='curl --silent --dump-header /some/path//http.header -L -g -I ' [...] Your cert is in: /some/path//somedomainna.me/somedomainna.me.cer [...] Your cert key is in: /some/path//somedomainna.me/somedomainna.me.key [...] The intermediate CA cert is in: /some/path//somedomainna.me/ca.cer [...] And the full chain certs is there: /some/path//somedomainna.me/fullchain.cer ``` # Suggested fix Trim trailing slash in `--home` argument's value from the get-go. --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..77f0b8c1 100755 --- a/acme.sh +++ b/acme.sh @@ -7496,7 +7496,7 @@ _process() { shift ;; --home) - export LE_WORKING_DIR="$2" + export LE_WORKING_DIR="${2%/}" shift ;; --cert-home | --certhome) From ecf1f17cf4088cfab6e891a7002c445fa4bb6a8e Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 27 Nov 2022 11:10:14 +0800 Subject: [PATCH 057/276] update key type --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 30e6e554..15bc4089 100644 --- a/README.md +++ b/README.md @@ -361,10 +361,6 @@ Ok, it's done. # 10. Issue ECC certificates -`Let's Encrypt` can now issue **ECDSA** certificates. - -And we support them too! - Just set the `keylength` parameter with a prefix `ec-`. For example: @@ -385,10 +381,12 @@ Please look at the `keylength` parameter above. Valid values are: -1. **ec-256 (prime256v1, "ECDSA P-256")** +1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** 2. **ec-384 (secp384r1, "ECDSA P-384")** 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** - +4. **2048 (RSA2048)** +5. **3072 (RSA3072)** +6. **4096 (RSA4096)** # 11. Issue Wildcard certificates From 4610204c831d39716d792bd975dbbda65ac06699 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Sun, 27 Nov 2022 10:21:24 +0330 Subject: [PATCH 058/276] Test CI --- dnsapi/dns_arvan.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 2118883b..593e789f 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -1,10 +1,10 @@ #!/usr/bin/env sh -#Arvan_Token="Apikey xxxx" +# Arvan_Token="Apikey xxxx" ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" -#Author: Vahid Fardi -#Report Bugs here: https://github.com/Neilpang/acme.sh +# Author: Vahid Fardi +# Report Bugs here: https://github.com/Neilpang/acme.sh # ######## Public functions ##################### From 264b9819ff92655c0714cc46e6a756201ffd9c9a Mon Sep 17 00:00:00 2001 From: Kiril Isakov Date: Sun, 27 Nov 2022 09:22:06 +0100 Subject: [PATCH 059/276] Replace the BASH parameter substitution mechanism (unsupported by sh) with standard commands (supported by sh) --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 77f0b8c1..714bd9bf 100755 --- a/acme.sh +++ b/acme.sh @@ -7496,7 +7496,7 @@ _process() { shift ;; --home) - export LE_WORKING_DIR="${2%/}" + export LE_WORKING_DIR="$(echo "$2" | sed 's|/$||')" shift ;; --cert-home | --certhome) From 04a5d794ac05acee31018a72d8e6df216a5f7e33 Mon Sep 17 00:00:00 2001 From: beartom <369622765@qq.com> Date: Sun, 27 Nov 2022 21:55:01 +0800 Subject: [PATCH 060/276] Update truenas.sh for certificate in chart release Update certificate in chart release of TrueCharts if any chart release Apps is using the same certificate as TrueNAS web UI. --- deploy/truenas.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 84cfd5f4..3f36a56e 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -184,6 +184,30 @@ truenas_deploy() { _info "S3 certificate is not configured or is not the same as TrueNAS web UI" fi + +_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + if _exists jq; then + _info "Query all chart release" + _release_list=$(_get "$_api_url/chart/release") + _related_name_list=$(printf "%s" $_release_list | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _release_length=$(printf "%s" $_related_name_list | jq -r "length") + _info "Found $_release_length related chart release in list: $_related_name_list" + for i in $(seq 0 $((_release_length-1))); + do + _release_name=$(echo $_related_name_list | jq -r ".[$i]") + _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" + #Read the chart release configuration + _chart_config=$(printf "%s" $_release_list | jq -r ".[] | select(.name==\"$_release_name\")") + #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress + _updated_chart_config=$(printf "%s" $_chart_config | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" + _debug3 _update_chart_result "$_update_chart_result" + done + else + _info "Tool 'jq' does not exists, skip chart release checking" + fi + + _info "Deleting old certificate" _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" From c07db3aa14e28689ee673832cf147494fb2ae2d4 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:09:17 +0330 Subject: [PATCH 061/276] add 'Accept' header --- dnsapi/dns_arvan.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 593e789f..b8c9da35 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -141,10 +141,11 @@ _arvan_rest() { response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" elif [ "$mtd" = "POST" ]; then export _H2="Content-Type: application/json" + export _H3="Accept: application/json" _debug data "$data" response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" else response="$(_get "$ARVAN_API_URL/$ep$data")" fi return 0 -} +} \ No newline at end of file From eab9603921789b541a8d8527b833a50f313f1381 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:11:17 +0330 Subject: [PATCH 062/276] Fix SH format --- dnsapi/dns_arvan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index b8c9da35..71ef2387 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -148,4 +148,4 @@ _arvan_rest() { response="$(_get "$ARVAN_API_URL/$ep$data")" fi return 0 -} \ No newline at end of file +} From 0c0d1d4e5210bd5b03f91df789f2471b09e849c7 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:22:25 +0330 Subject: [PATCH 063/276] Update duplicate message --- dnsapi/dns_arvan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 71ef2387..4ca5b685 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -40,7 +40,7 @@ dns_arvan_add() { _info "response id is $response" _info "Added, OK" return 0 - elif _contains "$response" "Record Data is Duplicated"; then + elif _contains "$response" "Record Data is duplicate"; then _info "Already exists, OK" return 0 else From bd2d0e6ad3c9dfad76cfe30e79d845fc62c8e228 Mon Sep 17 00:00:00 2001 From: beartom <369622765@qq.com> Date: Mon, 28 Nov 2022 20:59:10 +0800 Subject: [PATCH 064/276] Format Format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 3f36a56e..6b299f3a 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -185,7 +185,7 @@ truenas_deploy() { fi -_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" if _exists jq; then _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") From 5a0225d03365d1bc36c4c18570d28d2ef97cc99e Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Tue, 29 Nov 2022 12:21:49 +0330 Subject: [PATCH 065/276] Fix export problem for special values --- .github/workflows/DNS.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 17e98ae3..55dec225 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -121,19 +121,19 @@ jobs: - name: Run acmetest run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh From 257de15c738d05780321fd5131671e59e1294931 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Tue, 29 Nov 2022 13:45:04 +0330 Subject: [PATCH 066/276] Fix export problems --- .github/workflows/DNS.yml | 60 +++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 55dec225..615e5d8b 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -184,19 +184,19 @@ jobs: shell: bash run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -234,19 +234,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -285,19 +285,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -337,19 +337,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -389,19 +389,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -445,19 +445,19 @@ jobs: pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh From 7d13146859552faf630205072a1fe337476436ba Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 29 Nov 2022 21:39:06 +0100 Subject: [PATCH 067/276] Added dns provider for ipv64.net --- dnsapi/dns_ipv64.sh | 150 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100755 dnsapi/dns_ipv64.sh diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh new file mode 100755 index 00000000..90207ba6 --- /dev/null +++ b/dnsapi/dns_ipv64.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env sh + +#Created by Roman Lumetsberger, to use ipv64.net's API to add/remove text records +#2022/11/29 + +# Pass credentials before "acme.sh --issue --dns dns_ipv64 ..." +# -- +# export IPv64_Token="aaaaaaaaaaaaaaaaaaaaaaaaaa" +# -- +# + +IPv64_API="https://ipv64.net/api" + +######## Public functions ###################### + +#Usage: dns_ipv64_add _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ipv64_add() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + # Now save the credentials. + _saveaccountconf_mutable IPv64_Token "$IPv64_Token" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Now add the TXT record + _info "Trying to add TXT record" + if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully added." + return 0 + else + _err "Errors happened during adding the TXT record, response=$_response" + return 1 + fi + +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_ipv64_rm() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Now delete the TXT record + _info "Trying to delete TXT record" + if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully deleted." + return 0 + else + _err "Errors happened during deleting the TXT record, response=$_response" + return 1 + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=1 + p=1 + + _ipv64_get "get_domains" + domain_data=$_response + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + #if _contains "$domain_data" "\""$h"\"\:"; then + if _contains "$domain_data" "\"""$h""\"\:"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +#send get request to api +# $1 has to set the api-function +_ipv64_get() { + url="$IPv64_API?$1" + export _H1="Authorization: Bearer $IPv64_Token" + + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + fi +} + +_ipv64_rest() { + url="$IPv64_API" + export _H1="Authorization: Bearer $IPv64_Token" + export _H2="Content-Type: application/x-www-form-urlencoded" + _response=$(_post "$2" "$url" "" "$1") + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_post "$2" "$url" "" "$1") + fi + + if ! _contains "$_response" "\"info\":\"success\""; then + return 1 + fi + _debug2 response "$_response" + return 0 +} From 91e387e8b9deae01b4a7dd45c70c08bf35ee3574 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Wed, 30 Nov 2022 08:55:27 +0100 Subject: [PATCH 068/276] added doc for dns_ipv64_rm --- dnsapi/dns_ipv64.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 90207ba6..9979be42 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -49,6 +49,7 @@ dns_ipv64_add() { } #Usage: fulldomain txtvalue +#Usage: dns_ipv64_rm _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" #Remove the txt record after validation. dns_ipv64_rm() { fulldomain=$1 From a2af26635fe679af3892deffc671abe93c5f0b38 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Dec 2022 15:05:30 +0800 Subject: [PATCH 069/276] use ecc cert --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 0b5c1614..62add812 100755 --- a/acme.sh +++ b/acme.sh @@ -2857,7 +2857,8 @@ _initpath() { DOMAIN_PATH="$domainhomeecc" else if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then - _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert." + _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." + DOMAIN_PATH="$domainhomeecc" fi fi _debug DOMAIN_PATH "$DOMAIN_PATH" From 160513c67189b252434ddc52346a0d58843d004a Mon Sep 17 00:00:00 2001 From: Zachary Peschke Date: Fri, 9 Dec 2022 09:47:19 -0700 Subject: [PATCH 070/276] Minor grammar fixes for gd --- dnsapi/dns_gd.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_gd.sh b/dnsapi/dns_gd.sh index 44c3d279..1729115e 100755 --- a/dnsapi/dns_gd.sh +++ b/dnsapi/dns_gd.sh @@ -22,8 +22,8 @@ dns_gd_add() { if [ -z "$GD_Key" ] || [ -z "$GD_Secret" ]; then GD_Key="" GD_Secret="" - _err "You don't specify godaddy api key and secret yet." - _err "Please create you key and try again." + _err "You didn't specify godaddy api key and secret yet." + _err "Please create your key and try again." return 1 fi @@ -46,7 +46,7 @@ dns_gd_add() { fi if _contains "$response" "$txtvalue"; then - _info "The record is existing, skip" + _info "This record already exists, skipping" return 0 fi From 764a4c99fac9f59f79638648d0499ef2e293ead5 Mon Sep 17 00:00:00 2001 From: plummer86 Date: Sun, 18 Dec 2022 22:32:49 +0000 Subject: [PATCH 071/276] Fix assignment to _wget_out --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..02bc041c 100755 --- a/acme.sh +++ b/acme.sh @@ -2058,7 +2058,7 @@ _get() { fi _debug "_WGET" "$_WGET" if [ "$onlyheader" ]; then - _wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" + _wget_out="$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" if _contains "$_WGET" " -d "; then # Demultiplex wget debug output echo "$_wget_out" >&2 From 0cafc00c4fdac30032168450d97b468c23199f3c Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:22:12 +0800 Subject: [PATCH 072/276] append --fail-with-body argument to curl if supported --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index f4afa397..5d80399f 100755 --- a/acme.sh +++ b/acme.sh @@ -1855,6 +1855,11 @@ _inithttp() { if _contains "$(curl --help 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi + + #from curl 7.76: return fail on HTTP errors but keep the body + if [ "$_ACME_CURL" ] && _contains "$($_ACME_CURL --help http)" "--fail-with-body"; then + _ACME_CURL="$_ACME_CURL --fail-with-body " + fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From 057c95bd1c0ebcfb30d0ab36aa267fcc544a87f7 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:24:34 +0800 Subject: [PATCH 073/276] improve `wget --content-on-error` condition --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 5d80399f..45dda74f 100755 --- a/acme.sh +++ b/acme.sh @@ -1877,11 +1877,11 @@ _inithttp() { elif [ "$CA_BUNDLE" ]; then _ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE " fi - fi - #from wget 1.14: do not skip body on 404 error - if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--content-on-error"; then - _ACME_WGET="$_ACME_WGET --content-on-error " + #from wget 1.14: do not skip body on 404 error + if _contains "$(wget --help 2>&1)" "--content-on-error"; then + _ACME_WGET="$_ACME_WGET --content-on-error " + fi fi __HTTP_INITIALIZED=1 From 7154c9ee5dd07d29d85a949e4853d3482333a360 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:42:27 +0800 Subject: [PATCH 074/276] improve `curl --help` predication --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 45dda74f..999ef563 100755 --- a/acme.sh +++ b/acme.sh @@ -1852,12 +1852,12 @@ _inithttp() { _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi - if _contains "$(curl --help 2>&1)" "--globoff"; then + if _contains "$(curl --help curl 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi #from curl 7.76: return fail on HTTP errors but keep the body - if [ "$_ACME_CURL" ] && _contains "$($_ACME_CURL --help http)" "--fail-with-body"; then + if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then _ACME_CURL="$_ACME_CURL --fail-with-body " fi fi From fe1bfe9ae16b03e6647f47ee62809ed8641bf51c Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 16:34:18 +0800 Subject: [PATCH 075/276] improve vault and vault_api deployhooks --- deploy/vault.sh | 75 +++++++++++++++++++++++++++++++++++++-------- deploy/vault_cli.sh | 43 +++++++++++++++++++++++++- 2 files changed, 105 insertions(+), 13 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 399abaee..2e4d0702 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -7,13 +7,16 @@ # # VAULT_PREFIX - this contains the prefix path in vault # VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying +# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine # # additionally, you need to ensure that VAULT_TOKEN is avialable # to access the vault server #returns 0 means success, otherwise error. -######## Public functions ##################### +######## Public functions ##################### #domain keyfile certfile cafile fullchain vault_deploy() { @@ -45,6 +48,24 @@ vault_deploy() { fi _savedeployconf VAULT_ADDR "$VAULT_ADDR" + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_KV_V2 + _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi + # JSON does not allow multiline strings. # So replacing new-lines with "\n" here _ckey=$(sed -z 's/\n/\\n/g' <"$2") @@ -52,26 +73,56 @@ vault_deploy() { _cca=$(sed -z 's/\n/\\n/g' <"$4") _cfullchain=$(sed -z 's/\n/\\n/g' <"$5") - URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" export _H1="X-Vault-Token: $VAULT_TOKEN" + if [ -n "$VAULT_RENEW_TOKEN" ]; then + URL="$VAULT_ADDR/v1/auth/token/renew-self" + _info "Renew the token to default TTL" + if ! _post "" "$URL" >/dev/null; then + _err "Failed to renew the token" + return 1 + fi + fi + + URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" + if [ -n "$FABIO" ]; then + _info "Writing certificate and key to $URL in Fabio mode" if [ -n "$VAULT_KV_V2" ]; then - _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" + _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 else - _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" + _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1 fi else if [ -n "$VAULT_KV_V2" ]; then - _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" - _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" - _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" - _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" + _info "Writing certificate to $URL/cert.pem" + _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1 else - _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" - _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" - _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" - _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" + _info "Writing certificate to $URL/cert.pem" + _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1 + fi + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if _get "$URL/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + if [ -n "$VAULT_KV_V2" ]; then + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1 + else + _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1 + fi fi fi diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index cbb8cc59..da6fe093 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -8,6 +8,8 @@ # # VAULT_PREFIX - this contains the prefix path in vault # VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying # # additionally, you need to ensure that VAULT_TOKEN is avialable or # `vault auth` has applied the appropriate authorization for the vault binary @@ -33,15 +35,34 @@ vault_cli_deploy() { _debug _cfullchain "$_cfullchain" # validate required env vars + _getdeployconf VAULT_PREFIX if [ -z "$VAULT_PREFIX" ]; then _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)" return 1 fi + _savedeployconf VAULT_PREFIX "$VAULT_PREFIX" + _getdeployconf VAULT_ADDR if [ -z "$VAULT_ADDR" ]; then _err "VAULT_ADDR needs to be defined (contains vault connection address)" return 1 fi + _savedeployconf VAULT_ADDR "$VAULT_ADDR" + + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi VAULT_CMD=$(command -v vault) if [ ! $? ]; then @@ -49,13 +70,33 @@ vault_cli_deploy() { return 1 fi + if [ -n "$VAULT_RENEW_TOKEN" ]; then + _info "Renew the token to default TTL" + if ! $VAULT_CMD token renew; then + _err "Failed to renew the token" + return 1 + fi + fi + if [ -n "$FABIO" ]; then + _info "Writing certificate and key to $URL in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else + _info "Writing certificate to $URL/cert.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 + _info "Writing key to $URL/cert.key" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 - $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + _info "Writing CA certificate to $URL/ca.pem" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + fi fi } From b8d0d3c2429e2f33dceb9c94ad8e5273762be72a Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 19:17:37 +0800 Subject: [PATCH 076/276] improve chain.pem exists evaluating --- deploy/vault.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 2e4d0702..6c953fc6 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -115,7 +115,7 @@ vault_deploy() { fi # To make it compatible with the wrong ca path `chain.pem` which was used in former versions - if _get "$URL/chain.pem" >/dev/null; then + if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" _info "Updating CA certificate to $URL/chain.pem for backward compatibility" if [ -n "$VAULT_KV_V2" ]; then From ed63eb6833ab288b2a963255875bf9df99e39c79 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 19:32:06 +0800 Subject: [PATCH 077/276] migrate FABIO to VAULT_FABIO_MODE and persist it --- deploy/vault.sh | 4 +++- deploy/vault_cli.sh | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 6c953fc6..30e825eb 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -66,6 +66,8 @@ vault_deploy() { _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" fi + _migratedeployconf FABIO VAULT_FABIO_MODE + # JSON does not allow multiline strings. # So replacing new-lines with "\n" here _ckey=$(sed -z 's/\n/\\n/g' <"$2") @@ -86,7 +88,7 @@ vault_deploy() { URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" - if [ -n "$FABIO" ]; then + if [ -n "$VAULT_FABIO_MODE" ]; then _info "Writing certificate and key to $URL in Fabio mode" if [ -n "$VAULT_KV_V2" ]; then _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index da6fe093..ecbffd23 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -64,6 +64,8 @@ vault_cli_deploy() { _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" fi + _migratedeployconf FABIO VAULT_FABIO_MODE + VAULT_CMD=$(command -v vault) if [ ! $? ]; then _err "cannot find vault binary!" @@ -78,7 +80,7 @@ vault_cli_deploy() { fi fi - if [ -n "$FABIO" ]; then + if [ -n "$VAULT_FABIO_MODE" ]; then _info "Writing certificate and key to $URL in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else From 7b623f85cd9dcf49958b0431d397ff75bda2a189 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 26 Dec 2022 21:43:02 +0800 Subject: [PATCH 078/276] minor --- .github/workflows/NetBSD.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 33bcf23c..25872c42 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -61,7 +61,6 @@ jobs: nat: | "8080": "80" prepare: | - export PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" pkg_add curl socat usesh: true copyback: false From a2c64e79ff1b597b15d7bf7cb17aa627e7b7eb3f Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 26 Dec 2022 22:28:08 +0800 Subject: [PATCH 079/276] fix for openbsd --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index f4afa397..d8a46a6f 100755 --- a/acme.sh +++ b/acme.sh @@ -1637,7 +1637,7 @@ _stat() { #keyfile _isRSA() { keyfile=$1 - if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" >/dev/null 2>&1; then + if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text 2>&1 | grep "^publicExponent:" 2>&1 >/dev/null; then return 0 fi return 1 @@ -1646,7 +1646,7 @@ _isRSA() { #keyfile _isEcc() { keyfile=$1 - if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" >/dev/null 2>&1; then + if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" 2>&1 >/dev/null; then return 0 fi return 1 @@ -1744,7 +1744,7 @@ _calcjwk() { _debug3 x64 "$x64" xend=$(_math "$xend" + 1) - y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)" + y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-2048)" _debug3 y "$y" y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)" From 1ccfa96c2e2c78aaca1ba92549e62b9f52fa9461 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Wed, 28 Dec 2022 02:47:49 +0800 Subject: [PATCH 080/276] improve logging --- deploy/vault.sh | 4 ++-- deploy/vault_cli.sh | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 30e825eb..569faba2 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -79,9 +79,9 @@ vault_deploy() { if [ -n "$VAULT_RENEW_TOKEN" ]; then URL="$VAULT_ADDR/v1/auth/token/renew-self" - _info "Renew the token to default TTL" + _info "Renew the Vault token to default TTL" if ! _post "" "$URL" >/dev/null; then - _err "Failed to renew the token" + _err "Failed to renew the Vault token" return 1 fi fi diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index ecbffd23..3ebb8074 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -73,30 +73,30 @@ vault_cli_deploy() { fi if [ -n "$VAULT_RENEW_TOKEN" ]; then - _info "Renew the token to default TTL" + _info "Renew the Vault token to default TTL" if ! $VAULT_CMD token renew; then - _err "Failed to renew the token" + _err "Failed to renew the Vault token" return 1 fi fi if [ -n "$VAULT_FABIO_MODE" ]; then - _info "Writing certificate and key to $URL in Fabio mode" + _info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else - _info "Writing certificate to $URL/cert.pem" + _info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 - _info "Writing key to $URL/cert.key" + _info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 - _info "Writing CA certificate to $URL/ca.pem" + _info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 - _info "Writing full-chain certificate to $URL/fullchain.pem" + _info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 # To make it compatible with the wrong ca path `chain.pem` which was used in former versions if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" - _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + _info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 fi fi From 27f30631ed48636a02aeb4cbe67de8a68e0e3615 Mon Sep 17 00:00:00 2001 From: Gavin Leo Date: Sun, 27 Nov 2022 21:32:20 +0800 Subject: [PATCH 081/276] Add gcore dns support. https://apidocs.gcore.com/dns --- dnsapi/dns_gcore.sh | 187 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100755 dnsapi/dns_gcore.sh diff --git a/dnsapi/dns_gcore.sh b/dnsapi/dns_gcore.sh new file mode 100755 index 00000000..d549a650 --- /dev/null +++ b/dnsapi/dns_gcore.sh @@ -0,0 +1,187 @@ +#!/usr/bin/env sh + +# +#GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb' +# + +GCORE_Api="https://api.gcorelabs.com/dns/v2" +GCORE_Doc="https://apidocs.gcore.com/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gcore_add() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + if [ -z "$GCORE_Key" ]; then + GCORE_Key="" + _err "You didn't specify a Gcore api key yet." + _err "You can get yours from here $GCORE_Doc" + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable GCORE_Key "$GCORE_Key" + + _debug "First detect the zone name" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + payload="" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "Record doesn't exists" + payload="{\"resource_records\":[{\"content\":[\"$txtvalue\"],\"enabled\":true}],\"ttl\":120}" + elif echo "$response" | grep "$txtvalue" >/dev/null; then + _info "Already exists, OK" + return 0 + elif echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _info "Record with mismatch txtvalue, try update it" + payload=$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/"meta":{}}]}/"meta":{}},{"content":['\""$txtvalue"\"'],"enabled":true}]}/') + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "rrset is already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_gcore_rm() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + if ! echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _err "Error: $response" + return 1 + fi + + if ! echo "$response" | tr -d " " | grep \""$txtvalue"\" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + count="$(echo "$response" | grep -o "content" | wc -l)" + + if [ "$count" = "1" ]; then + if ! _gcore_rest DELETE "zones/$_zone_name/$fulldomain/TXT"; then + _err "Delete record error. $response" + return 1 + fi + return 0 + fi + + payload="$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/{"id":[0-9]\+,"content":\["'"$txtvalue"'"\],"enabled":true,"meta":{}}//' | sed 's/\[,/\[/' | sed 's/,,/,/' | sed 's/,\]/\]/')" + if ! _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + _err "Delete record error. $response" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.sub.domain.com +#returns +# _sub_domain=_acme-challenge.sub or _acme-challenge +# _domain=domain.com +# _zone_name=domain.com or sub.domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _gcore_rest GET "zones/$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _zone_name=$h + if [ "$_zone_name" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_gcore_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + key_trimmed=$(echo "$GCORE_Key" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: APIKey $key_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$GCORE_Api/$ep" "" "$m")" + else + response="$(_get "$GCORE_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 1bfd3642e829bcd90b5c5e43371f975eb525165e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=B0=E9=9B=AA=E6=AE=87=E7=92=83=E9=99=8C=E6=A2=A6?= Date: Thu, 19 Jan 2023 10:19:05 +0800 Subject: [PATCH 082/276] Update gcore_cdn.sh --- deploy/gcore_cdn.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/deploy/gcore_cdn.sh b/deploy/gcore_cdn.sh index f573a3aa..fd17cc25 100644 --- a/deploy/gcore_cdn.sh +++ b/deploy/gcore_cdn.sh @@ -1,10 +1,11 @@ #!/usr/bin/env sh -# Here is the script to deploy the cert to G-Core CDN service (https://gcorelabs.com/ru/) using the G-Core Labs API (https://docs.gcorelabs.com/cdn/). +# Here is the script to deploy the cert to G-Core CDN service (https://gcore.com/) using the G-Core Labs API (https://apidocs.gcore.com/cdn). # Returns 0 when success. # # Written by temoffey # Public domain, 2019 +# Update by DreamOfIce in 2023 #export DEPLOY_GCORE_CDN_USERNAME=myusername #export DEPLOY_GCORE_CDN_PASSWORD=mypassword @@ -56,7 +57,7 @@ gcore_cdn_deploy() { _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}" _debug _request "$_request" export _H1="Content-Type:application/json" - _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login") + _response=$(_post "$_request" "https://api.gcore.com/auth/jwt/login") _debug _response "$_response" _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$" _debug _regex "$_regex" @@ -69,8 +70,8 @@ gcore_cdn_deploy() { fi _info "Find CDN resource with cname $_cdomain" - export _H2="Authorization:Token $_token" - _response=$(_get "https://api.gcdn.co/resources") + export _H2="Authorization:Bearer $_token" + _response=$(_get "https://api.gcore.com/cdn/resources") _debug _response "$_response" _regex="\"primary_resource\":null}," _debug _regex "$_regex" @@ -102,7 +103,7 @@ gcore_cdn_deploy() { _date=$(date "+%d.%m.%Y %H:%M:%S") _request="{\"name\":\"$_cdomain ($_date)\",\"sslCertificate\":\"$_fullchain\",\"sslPrivateKey\":\"$_key\"}" _debug _request "$_request" - _response=$(_post "$_request" "https://api.gcdn.co/sslData") + _response=$(_post "$_request" "https://api.gcore.com/cdn/sslData") _debug _response "$_response" _regex=".*\"id\":\([0-9]*\).*$" _debug _regex "$_regex" @@ -117,7 +118,7 @@ gcore_cdn_deploy() { _info "Update CDN resource" _request="{\"originGroup\":$_originGroup,\"sslData\":$_sslDataAdd}" _debug _request "$_request" - _response=$(_post "$_request" "https://api.gcdn.co/resources/$_resourceId" '' "PUT") + _response=$(_post "$_request" "https://api.gcore.com/cdn/resources/$_resourceId" '' "PUT") _debug _response "$_response" _regex=".*\"sslData\":\([0-9]*\).*$" _debug _regex "$_regex" @@ -133,7 +134,7 @@ gcore_cdn_deploy() { _info "Not found old SSL certificate" else _info "Delete old SSL certificate" - _response=$(_post '' "https://api.gcdn.co/sslData/$_sslDataOld" '' "DELETE") + _response=$(_post '' "https://api.gcore.com/cdn/sslData/$_sslDataOld" '' "DELETE") _debug _response "$_response" fi From 7bbdd1f839c2bb1556a81b97636730f788457947 Mon Sep 17 00:00:00 2001 From: Vladislav Sharapov Date: Fri, 20 Jan 2023 23:43:15 +0400 Subject: [PATCH 083/276] fix(dns_openstack): fix argparse error Add equal sign to '--record' option to fix argparse error occurring when ACME token starts with '-'. --- dnsapi/dns_openstack.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_openstack.sh b/dnsapi/dns_openstack.sh index 38619e6f..fcc1dc2e 100755 --- a/dnsapi/dns_openstack.sh +++ b/dnsapi/dns_openstack.sh @@ -57,16 +57,16 @@ _dns_openstack_create_recordset() { if [ -z "$_recordset_id" ]; then _info "Creating a new recordset" - if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record "$txtvalue" "$_zone_id" "$fulldomain."); then + if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record="$txtvalue" "$_zone_id" "$fulldomain."); then _err "No recordset ID found after create" return 1 fi else _info "Updating existing recordset" - # Build new list of --record args for update - _record_args="--record $txtvalue" + # Build new list of --record= args for update + _record_args="--record=$txtvalue" for _rec in $_records; do - _record_args="$_record_args --record $_rec" + _record_args="$_record_args --record=$_rec" done # shellcheck disable=SC2086 if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then @@ -107,13 +107,13 @@ _dns_openstack_delete_recordset() { fi else _info "Found existing records, updating recordset" - # Build new list of --record args for update + # Build new list of --record= args for update _record_args="" for _rec in $_records; do if [ "$_rec" = "$txtvalue" ]; then continue fi - _record_args="$_record_args --record $_rec" + _record_args="$_record_args --record=$_rec" done # shellcheck disable=SC2086 if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then From bf50fce5bd2bcd58582e6768350de96aeb881d90 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 15:17:21 +0800 Subject: [PATCH 084/276] fix https://github.com/acmesh-official/acme.sh/issues/4470 --- acme.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index d8a46a6f..7683495b 100755 --- a/acme.sh +++ b/acme.sh @@ -2386,12 +2386,14 @@ _getdeployconf() { if [ "$_rac_value" ]; then if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then _debug2 "trim quotation marks" - eval "export $_rac_key=$_rac_value" + eval $_rac_key=$_rac_value + export $_rac_key fi return 0 # do nothing fi - _saved=$(_readdomainconf "SAVED_$_rac_key") - eval "export $_rac_key=\"\$_saved\"" + _saved="$(_readdomainconf "SAVED_$_rac_key")" + eval $_rac_key="$_saved" + export $_rac_key } #_saveaccountconf key value base64encode From 6c0a7144f677a0d3cc14c45e91c1104191e0dbe2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 15:45:25 +0800 Subject: [PATCH 085/276] fix https://github.com/acmesh-official/acme.sh/issues/4445 --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 7683495b..cfef7ee6 100755 --- a/acme.sh +++ b/acme.sh @@ -7122,7 +7122,9 @@ _selectServer() { _getCAShortName() { caurl="$1" if [ -z "$caurl" ]; then - caurl="$DEFAULT_CA" + #use letsencrypt as default value if the Le_API is empty + #this case can only come from the old upgrading. + caurl="$CA_LETSENCRYPT_V2" fi if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then caurl="$CA_SSLCOM_RSA" #just hack to get the short name From b99c9980576a72c776e37aedaaea3ebd2f9e8f5d Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:13:42 +0800 Subject: [PATCH 086/276] fix https://github.com/acmesh-official/acme.sh/issues/4463 --- acme.sh | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index cfef7ee6..c6c16056 100755 --- a/acme.sh +++ b/acme.sh @@ -6730,6 +6730,13 @@ _send_notify() { return 0 fi + _nsource="$NOTIFY_SOURCE" + if [ -z "$_nsource" ]; then + _nsource="$(hostname)" + fi + + _nsubject="$_nsubject by $_nsource" + _send_err=0 for _n_hook in $(echo "$_nhooks" | tr ',' " "); do _n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")" @@ -6784,11 +6791,12 @@ setnotify() { _nhook="$1" _nlevel="$2" _nmode="$3" + _nsource="$4" _initpath if [ -z "$_nhook$_nlevel$_nmode" ]; then - _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>]" + _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" _usage "$_NOTIFY_WIKI" return 1 fi @@ -6805,6 +6813,12 @@ setnotify() { _saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE" fi + if [ "$_nsource" ]; then + _info "Set notify source to: $_nsource" + export "NOTIFY_SOURCE=$_nsource" + _saveaccountconf "NOTIFY_SOURCE" "$NOTIFY_SOURCE" + fi + if [ "$_nhook" ]; then _info "Set notify hook to: $_nhook" if [ "$_nhook" = "$NO_VALUE" ]; then @@ -6965,6 +6979,7 @@ Parameters: 0: Bulk mode. Send all the domain's notifications in one message(mail). 1: Cert mode. Send a message for every single cert. --notify-hook Set the notify hook + --notify-source Set the server name in the notification message --revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command. See: $_REVOKE_WIKI @@ -7241,6 +7256,7 @@ _process() { _notify_hook="" _notify_level="" _notify_mode="" + _notify_source="" _revoke_reason="" _eab_kid="" _eab_hmac_key="" @@ -7733,6 +7749,15 @@ _process() { _notify_mode="$_nmode" shift ;; + --notify-source) + _nsource="$2" + if _startswith "$_nsource" "-"; then + _err "'$_nsource' is not valid host name for '$1'" + return 1 + fi + _notify_source="$_nsource" + shift + ;; --revoke-reason) _revoke_reason="$2" if _startswith "$_revoke_reason" "-"; then @@ -7887,7 +7912,7 @@ _process() { createCSR "$_domain" "$_altdomains" "$_ecc" ;; setnotify) - setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" + setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" "$_notify_source" ;; setdefaultca) setdefaultca From ab2305e259e1e0854ce096a6f84d6a82045f1137 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:42:10 +0800 Subject: [PATCH 087/276] fix stepca --- .github/workflows/Ubuntu.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index a6ec714c..df1a816b 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -80,8 +80,9 @@ jobs: -p 9000:9000 \ -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ + -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ --name stepca \ - smallstep/step-ca \ + smallstep/step-ca:0.23.1 \ && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" From 015a9b9271c956255879eb3320c9f99602056c22 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:45:12 +0800 Subject: [PATCH 088/276] fix notify --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index c6c16056..74a855f9 100755 --- a/acme.sh +++ b/acme.sh @@ -6795,7 +6795,7 @@ setnotify() { _initpath - if [ -z "$_nhook$_nlevel$_nmode" ]; then + if [ -z "$_nhook$_nlevel$_nmode$_nsource" ]; then _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" _usage "$_NOTIFY_WIKI" return 1 From deb63b4adfe09f6603654d59a8c6ecc2af34e506 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 17:58:46 +0800 Subject: [PATCH 089/276] fix stepca --- .github/workflows/Ubuntu.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index df1a816b..22c8b2c5 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -81,9 +81,13 @@ jobs: -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ + -e "DOCKER_STEPCA_INIT_PASSWORD=test" \ --name stepca \ - smallstep/step-ca:0.23.1 \ - && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \ + smallstep/step-ca:0.23.1 + + sleep 5 + docker exec stepca bash -c "echo test >test" + docker exec -it stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" - name: Clone acmetest From 6748c55c04109099c3755313801e8503615364d5 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 18:00:09 +0800 Subject: [PATCH 090/276] fix stepca --- .github/workflows/Ubuntu.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 22c8b2c5..4bf2ba29 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -86,8 +86,8 @@ jobs: smallstep/step-ca:0.23.1 sleep 5 - docker exec stepca bash -c "echo test >test" - docker exec -it stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ + docker exec stepca bash -c "echo test >test" \ + && docker exec stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" - name: Clone acmetest From 16bdc7d0a33a791e6629a4cb38e6b8ff6b6908d0 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 27 Jan 2023 11:44:06 +0800 Subject: [PATCH 091/276] fix from OpenAI https://github.com/acmesh-official/acme.sh/issues/992 https://github.com/acmesh-official/acme.sh/pull/2609 --- Dockerfile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 79fd1d89..7b50f080 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16.3 +FROM alpine:3.17 RUN apk --no-cache add -f \ openssl \ @@ -12,7 +12,8 @@ RUN apk --no-cache add -f \ oath-toolkit-oathtool \ tar \ libidn \ - jq + jq \ + cronie ENV LE_CONFIG_HOME /acme.sh @@ -64,12 +65,10 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - trap \"echo stop && killall crond && exit 0\" SIGTERM SIGINT \n \ - crond && sleep infinity &\n \ - wait \n \ + exec crond -n \n \ else \n \ exec -- \"\$@\"\n \ -fi" >/entry.sh && chmod +x /entry.sh +fi\n" >/entry.sh && chmod +x /entry.sh VOLUME /acme.sh From 5a59c3903650672d05cfc6ffdbf4d3bfae1b0c3a Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:24:21 +0800 Subject: [PATCH 092/276] fix format --- deploy/truenas.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 6b299f3a..60dbb1b5 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -184,22 +184,21 @@ truenas_deploy() { _info "S3 certificate is not configured or is not the same as TrueNAS web UI" fi - _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" if _exists jq; then _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") - _related_name_list=$(printf "%s" $_release_list | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" for i in $(seq 0 $((_release_length-1))); do - _release_name=$(echo $_related_name_list | jq -r ".[$i]") + _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration - _chart_config=$(printf "%s" $_release_list | jq -r ".[] | select(.name==\"$_release_name\")") + _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress - _updated_chart_config=$(printf "%s" $_chart_config | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" _debug3 _update_chart_result "$_update_chart_result" done @@ -207,7 +206,6 @@ truenas_deploy() { _info "Tool 'jq' does not exists, skip chart release checking" fi - _info "Deleting old certificate" _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" From 41b6f18a5d1b7805dc5c56ecb7abc2baa9a852f8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:25:50 +0800 Subject: [PATCH 093/276] fix format --- deploy/truenas.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 60dbb1b5..f9e540f7 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -191,14 +191,13 @@ truenas_deploy() { _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" - for i in $(seq 0 $((_release_length-1))); - do + for i in $(seq 0 $((_release_length-1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress - _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress ") _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" _debug3 _update_chart_result "$_update_chart_result" done From e3b688c9d87d74a493a189c874c1c3c6864b503d Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:26:54 +0800 Subject: [PATCH 094/276] fix format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index f9e540f7..88b24684 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -191,7 +191,7 @@ truenas_deploy() { _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" - for i in $(seq 0 $((_release_length-1))); do + for i in $(seq 0 $((_release_length - 1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration From 2690c05781096875af7a30efd31c37a38ff8d84e Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:28:06 +0800 Subject: [PATCH 095/276] fix format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 88b24684..c79e6dac 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -189,7 +189,7 @@ truenas_deploy() { _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") - _release_length=$(printf "%s" $_related_name_list | jq -r "length") + _release_length=$(printf "%s" "$_related_name_list" | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" for i in $(seq 0 $((_release_length - 1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") From aa9cbf7c551dfe75bc6b806c101ab004afe7b759 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 16:18:27 +0800 Subject: [PATCH 096/276] fix https://github.com/acmesh-official/acme.sh/issues/992 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7b50f080..d9c243b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -65,7 +65,7 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - exec crond -n \n \ + exec crond -n -s -m off \n \ else \n \ exec -- \"\$@\"\n \ fi\n" >/entry.sh && chmod +x /entry.sh From 01249d0cb9a43c528cb1e410ee50b68e292a4a0d Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 16:24:27 +0800 Subject: [PATCH 097/276] fix warning --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index bd2c01aa..e60d6f7f 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -28,9 +28,9 @@ jobs: id: step_one run: | if [ "$DOCKER_PASSWORD" ] ; then - echo "::set-output name=hasToken::true" + echo "hasToken=true" >>$GITHUB_OUTPUT else - echo "::set-output name=hasToken::false" + echo "hasToken=false" >>$GITHUB_OUTPUT fi - name: Check the value run: echo ${{ steps.step_one.outputs.hasToken }} From a5b04a032896d92e2cd96d75d159e7471b0f7cb0 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Sat, 28 Jan 2023 17:19:04 +0800 Subject: [PATCH 098/276] ensure `curl --help` backward compatible --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 999ef563..c8a62f1d 100755 --- a/acme.sh +++ b/acme.sh @@ -1852,7 +1852,7 @@ _inithttp() { _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi - if _contains "$(curl --help curl 2>&1)" "--globoff"; then + if _contains "$(curl --help 2>&1)" "--globoff" || _contains "$(curl --help curl 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi From ba9d146d6c615ab5ec4ede949602880246d17d05 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 17:29:03 +0800 Subject: [PATCH 099/276] fix https://github.com/acmesh-official/acme.sh/issues/992 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d9c243b8..2ad50e6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,7 +26,7 @@ COPY ./ /install_acme.sh/ RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/ -RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null##' | crontab - +RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab - RUN for verb in help \ version \ From f537c606f730318021d6f297b59d6314ad9702e7 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 29 Jan 2023 11:13:23 +0800 Subject: [PATCH 100/276] fix warnings --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index e60d6f7f..48c44429 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -43,9 +43,9 @@ jobs: - name: checkout code uses: actions/checkout@v3 - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: login to docker hub run: | echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin From c2344f3717d1c5d57a207c7cca2a60f97d4b48bf Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 30 Jan 2023 14:39:03 +0800 Subject: [PATCH 101/276] add log for doh https://github.com/acmesh-official/acme.sh/issues/4481 --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 53387117..cd509cbc 100755 --- a/acme.sh +++ b/acme.sh @@ -4023,7 +4023,7 @@ _ns_purge_cf() { #checks if cf server is available _ns_is_available_cf() { - if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then + if _get "https://cloudflare-dns.com" "" 10 >/dev/null; then return 0 else return 1 @@ -4031,7 +4031,7 @@ _ns_is_available_cf() { } _ns_is_available_google() { - if _get "https://dns.google" "" 1 >/dev/null 2>&1; then + if _get "https://dns.google" "" 10 >/dev/null; then return 0 else return 1 @@ -4047,7 +4047,7 @@ _ns_lookup_google() { } _ns_is_available_ali() { - if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then + if _get "https://dns.alidns.com" "" 10 >/dev/null; then return 0 else return 1 @@ -4063,7 +4063,7 @@ _ns_lookup_ali() { } _ns_is_available_dp() { - if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then + if _get "https://doh.pub" "" 10 >/dev/null; then return 0 else return 1 From 7b5d94d0622e2fde9cacf7a18f578dabb5f559c9 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 31 Jan 2023 11:10:42 +0100 Subject: [PATCH 102/276] convert domain and subdomain to lower case --- dnsapi/dns_ipv64.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 9979be42..afa6df5a 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -36,6 +36,10 @@ dns_ipv64_add() { _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" + # convert to lower case + _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') + _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') + # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -70,6 +74,10 @@ dns_ipv64_rm() { _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" + # convert to lower case + _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') + _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') + # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From 553d861b8ae823f624a41979aec7965cbaefe921 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 31 Jan 2023 11:17:33 +0100 Subject: [PATCH 103/276] fix shell check and formatting --- dnsapi/dns_ipv64.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index afa6df5a..489df5c9 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,9 +37,8 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') - _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') - + _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" + _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -75,9 +74,8 @@ dns_ipv64_rm() { _debug _domain "$_domain" # convert to lower case - _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') - _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') - + _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" + _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From 59dab6eac746946db8d846ba0edb565b88a22f41 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:55:51 +0800 Subject: [PATCH 104/276] fix https://github.com/acmesh-official/acme.sh/issues/4485#issuecomment-1414022376 https://github.com/acmesh-official/acme.sh/issues/4483#issuecomment-1414460122 --- acme.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index cd509cbc..d9a8ea38 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,10 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi - #from curl 7.76: return fail on HTTP errors but keep the body - if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then - _ACME_CURL="$_ACME_CURL --fail-with-body " - fi + # don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From 3cf8f7874542e31f339a2ee09ab85fac83862b37 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:57:56 +0800 Subject: [PATCH 105/276] fix format --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index d9a8ea38..f512356a 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,11 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi - # don't use --fail-with-body - ##from curl 7.76: return fail on HTTP errors but keep the body - #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then - # _ACME_CURL="$_ACME_CURL --fail-with-body " - #fi +#don't use --fail-with-body +##from curl 7.76: return fail on HTTP errors but keep the body +#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then +# _ACME_CURL="$_ACME_CURL --fail-with-body " +#fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From a5fbf3fb806dd32fda16b7442b28e52dd20b58d8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:59:42 +0800 Subject: [PATCH 106/276] fix format --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index f512356a..1df8a053 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,11 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi -#don't use --fail-with-body -##from curl 7.76: return fail on HTTP errors but keep the body -#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then -# _ACME_CURL="$_ACME_CURL --fail-with-body " -#fi + #don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From d6cf15368a3ee70845cd49b41dda0234bd04e1a8 Mon Sep 17 00:00:00 2001 From: Aleksandr Kunin Date: Wed, 24 Aug 2022 08:41:54 +0700 Subject: [PATCH 107/276] Vultr DNS: fix "grep: repetition-operator operand invalid" on FreeBSD --- dnsapi/dns_vultr.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh index 58f14be1..54e5b6ce 100644 --- a/dnsapi/dns_vultr.sh +++ b/dnsapi/dns_vultr.sh @@ -78,7 +78,7 @@ dns_vultr_rm() { return 1 fi - _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2)" + _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2 | tr -d '"')" _debug _record_id "$_record_id" if [ "$_record_id" ]; then _info "Successfully retrieved the record id for ACME challenge." @@ -116,7 +116,7 @@ _get_root() { return 1 fi - if printf "%s\n" "$response" | grep '^\{.*\}' >/dev/null; then + if printf "%s\n" "$response" | grep -E '^\{.*\}' >/dev/null; then if _contains "$response" "\"domain\":\"$_domain\""; then _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")" return 0 From 05a2eb3df46a3fcbdb59039ed35141a3d38e985e Mon Sep 17 00:00:00 2001 From: dharp Date: Tue, 21 Feb 2023 10:19:07 -0600 Subject: [PATCH 108/276] add additional debug statement for DOMAIN_CONF --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index 1df8a053..76830473 100755 --- a/acme.sh +++ b/acme.sh @@ -5772,6 +5772,7 @@ deploy() { return 1 fi + _debug2 DOMAIN_CONF "$DOMAIN_CONF" . "$DOMAIN_CONF" _savedomainconf Le_DeployHook "$_hooks" From c0639c66087cb25a684dc3862d3c22ab7704bd1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Thu, 23 Feb 2023 23:29:46 +0100 Subject: [PATCH 109/276] Create first version of Nanelo DNS API integration [create dnsapi/dns_nanelo.sh] --- dnsapi/dns_nanelo.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 dnsapi/dns_nanelo.sh diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh new file mode 100644 index 00000000..a3cea3b1 --- /dev/null +++ b/dnsapi/dns_nanelo.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# Official DNS API for Nanelo.com + +# Provide the required API Key like this: +# NANELO_TOKEN="FmD408PdqT1E269gUK57" + +NANELO_API="https://api.nanelo.com/v1/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nanelo_add() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Adding TXT record to ${fulldomain}" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not create resource record, check logs" + _err "${response}" + return 1 +} + +dns_nanelo_rm() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Deleting resource record $fulldomain" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not delete resource record, check logs" + _err "${response}" + return 1 +} From d3fefd223d5b7f9c4f1e43bea85d63ec1e532bdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Fri, 24 Feb 2023 00:01:39 +0100 Subject: [PATCH 110/276] improve output --- dnsapi/dns_nanelo.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index a3cea3b1..2a22ecdb 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -9,7 +9,7 @@ NANELO_API="https://api.nanelo.com/v1/" ######## Public functions ##################### -#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_nanelo_add() { fulldomain=$1 txtvalue=$2 @@ -29,7 +29,7 @@ dns_nanelo_add() { if _contains "${response}" 'success'; then return 0 fi - _err "Could not create resource record, check logs" + _err "Could not create resource record, please check the logs" _err "${response}" return 1 } @@ -53,7 +53,7 @@ dns_nanelo_rm() { if _contains "${response}" 'success'; then return 0 fi - _err "Could not delete resource record, check logs" + _err "Could not delete resource record, please check the logs" _err "${response}" return 1 } From 06e12a30e74042f3ee34a65b1197a3f20ca2adfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Fri, 24 Feb 2023 00:13:21 +0100 Subject: [PATCH 111/276] reduce nanelo dns ttl --- dnsapi/dns_nanelo.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index 2a22ecdb..8ccc8c29 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -25,7 +25,7 @@ dns_nanelo_add() { _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" _info "Adding TXT record to ${fulldomain}" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi @@ -49,7 +49,7 @@ dns_nanelo_rm() { _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" _info "Deleting resource record $fulldomain" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi From 7dd12044dee65b3731d90e838a40afe21cef93a6 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Sat, 25 Feb 2023 11:18:33 +0000 Subject: [PATCH 112/276] use _lower_case function --- dnsapi/dns_ipv64.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 489df5c9..b50b8663 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,8 +37,8 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" - _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" + _domain="$(echo "$_domain" | _lower_case')" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -74,8 +74,8 @@ dns_ipv64_rm() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" - _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" + _domain="$(echo "$_domain" | _lower_case)" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From df14b153974228d23ffe8396e8f2d32ab488ba9d Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Sat, 25 Feb 2023 11:22:27 +0000 Subject: [PATCH 113/276] fix quote --- dnsapi/dns_ipv64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index b50b8663..54470119 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,7 +37,7 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | _lower_case')" + _domain="$(echo "$_domain" | _lower_case)" _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now add the TXT record _info "Trying to add TXT record" From 1522b713da92e1f267208a4a35935e3abc687b15 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 28 Feb 2023 21:08:15 -0500 Subject: [PATCH 114/276] Use grep -E instead of expr expr was printing `expr: warning: '^.*[<>"]': using '^' as the first character of a basic regular expression is not portable;` --- notify/smtp.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/smtp.sh b/notify/smtp.sh index 293c665e..f5ebebca 100644 --- a/notify/smtp.sh +++ b/notify/smtp.sh @@ -169,7 +169,7 @@ _clean_email_header() { # email _email_has_display_name() { _email="$1" - expr "$_email" : '^.*[<>"]' >/dev/null + echo "$_email" | grep -q -E '^.*[<>"]' } ## @@ -249,7 +249,7 @@ _mime_encoded_word() { _text="$1" # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that) _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-" - if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then + if echo "$_text" | grep -q -E "^.*[^$_ascii]"; then # At least one non-ASCII char; convert entire thing to encoded word printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?=" else From 15f96b72390c6137239e73fd81ec9f17fe33f6d1 Mon Sep 17 00:00:00 2001 From: Markus Hoffrogge Date: Thu, 2 Mar 2023 00:02:13 +0100 Subject: [PATCH 115/276] Fix to handle LE overload status 503 appropriately - LE HTTP response status 503 is not an error, it must be handled via sleep and retry - s. https://community.letsencrypt.org/t/new-service-busy-responses-beginning-during-high-load/184174 fixes #4530 --- acme.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/acme.sh b/acme.sh index 1df8a053..af2d0dfb 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,6 +2229,12 @@ _send_signed_request() { _debug3 _body "$_body" fi + if [ "$code" = '503' ]; then + _sleep_overload_retry_sec=3 + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + fi if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." _CACHED_NONCE="" From 982c54b60504eb4cc83f31b651d936d4b04b1d75 Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 2 Mar 2023 18:06:09 +0800 Subject: [PATCH 116/276] fix https://github.com/acmesh-official/acme.sh/issues/4530 --- acme.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index af2d0dfb..a6f3b905 100755 --- a/acme.sh +++ b/acme.sh @@ -2230,7 +2230,11 @@ _send_signed_request() { fi if [ "$code" = '503' ]; then - _sleep_overload_retry_sec=3 + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _sleep_overload_retry_sec=$_retryafter + if [ -z "$_sleep_overload_retry_sec" ]; then + _sleep_overload_retry_sec=5 + fi _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." _sleep $_sleep_overload_retry_sec continue From cb8b341fb4ded4c993c812b40441d3978eb73b0f Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 2 Mar 2023 18:10:38 +0800 Subject: [PATCH 117/276] fix https://github.com/acmesh-official/acme.sh/issues/4530 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index a6f3b905..f5f403ce 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,8 +2229,8 @@ _send_signed_request() { _debug3 _body "$_body" fi - if [ "$code" = '503' ]; then - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ] || [ "$_retryafter" ]; then _sleep_overload_retry_sec=$_retryafter if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 From 20cfc4ac668b1ec360553ef5c86b0edeb0c69a30 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Mar 2023 21:22:17 +0800 Subject: [PATCH 118/276] fix https://github.com/acmesh-official/acme.sh/issues/4535 --- acme.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index f5f403ce..e2006868 100755 --- a/acme.sh +++ b/acme.sh @@ -2873,7 +2873,7 @@ _initpath() { if _isEccKey "$_ilength"; then DOMAIN_PATH="$domainhomeecc" - else + elif [ -z "$__SELECTED_RSA_KEY" ] if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." DOMAIN_PATH="$domainhomeecc" @@ -7518,6 +7518,9 @@ _process() { --keylength | -k) _keylength="$2" shift + if [ "$_keylength" ] && ! _isEccKey "$_keylength"; then + export __SELECTED_RSA_KEY=1 + fi ;; -ak | --accountkeylength) _accountkeylength="$2" From ce629e8e70b6438573b97c4d3ffe2a6c87a4b295 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Mar 2023 21:23:31 +0800 Subject: [PATCH 119/276] fix typo --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e2006868..5d73cdb6 100755 --- a/acme.sh +++ b/acme.sh @@ -2873,7 +2873,7 @@ _initpath() { if _isEccKey "$_ilength"; then DOMAIN_PATH="$domainhomeecc" - elif [ -z "$__SELECTED_RSA_KEY" ] + elif [ -z "$__SELECTED_RSA_KEY" ]; then if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." DOMAIN_PATH="$domainhomeecc" From dde1bab1a83c17ceb69c453741de1b17e5576969 Mon Sep 17 00:00:00 2001 From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:18:15 +0100 Subject: [PATCH 120/276] improve deletion of records --- dnsapi/dns_kas.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh index 053abd21..87025fcf 100755 --- a/dnsapi/dns_kas.sh +++ b/dnsapi/dns_kas.sh @@ -215,7 +215,7 @@ _get_record_id() { return 1 fi - _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" + _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | grep -i "$_txtvalue" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" _debug "[KAS] -> Record Id: " "$_record_id" return 0 } @@ -278,4 +278,4 @@ _callAPI() { response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" _debug2 "[KAS] -> Response" "$response" echo "$response" -} +} \ No newline at end of file From dea8a08b64d8f7b51923bfe2ff01464f032e1928 Mon Sep 17 00:00:00 2001 From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:36:53 +0100 Subject: [PATCH 121/276] added missing new line at EOF --- dnsapi/dns_kas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh index 87025fcf..1253cf27 100755 --- a/dnsapi/dns_kas.sh +++ b/dnsapi/dns_kas.sh @@ -278,4 +278,4 @@ _callAPI() { response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" _debug2 "[KAS] -> Response" "$response" echo "$response" -} \ No newline at end of file +} From acbd8bce21a0f63cc9bdd4b87b3427355b5a5f5e Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 09:48:13 +0800 Subject: [PATCH 122/276] feat: add retry count for removing record set This avoids infinite loop when something went wrong and throws a error --- dnsapi/dns_huaweicloud.sh | 60 ++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index ceda9258..b1bb61dc 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -98,19 +98,59 @@ dns_huaweicloud_rm() { fi _debug "Zone ID is:" "${zoneid}" + _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}" + ret="$?" + if [ "${ret}" != "0" ]; then + _err "dns_api(dns_huaweicloud): Error removing record." + return 1 + fi + + return 0 +} + +################### Private functions below ################################## + + +# _recursive_rm_record +# remove all records from the record set +# +# _token=$1 +# _domain=$2 +# _zoneid=$3 +# _record_id=$4 +# +# Returns 0 on success +_recursive_rm_record() { + _token=$1 + _domain=$2 + _zoneid=$3 + _record_id=$4 + + # Most likely to have problems will huaweicloud side if more than 50 attempts but still cannot fully remove the record set + # Maybe can be removed manually in the dashboard + _retry_cnt=50 + # Remove all records # Therotically HuaweiCloud does not allow more than one record set # But remove them recurringly to increase robusty - while [ "${record_id}" != "0" ]; do + + while [ "${_record_id}" != "0" && "${_retry_cnt}" != "0" ]; do _debug "Removing Record" - _rm_record "${token}" "${zoneid}" "${record_id}" - record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")" + _retry_cnt=$((${_retry_cnt} - 1)) + _rm_record "${_token}" "${_zoneid}" "${_record_id}" + _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")" + _debug2 "Checking record exists: record_id=${_record_id}" done + + # Check if retry count is reached + if [ "${_retry_cnt}" == "0" ]; then + _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard" + return 1 + fi + return 0 } -################### Private functions below ################################## - # _get_zoneid # # _token=$1 @@ -216,11 +256,11 @@ _add_record() { _debug "Record Set ID is:" "${_record_id}" # Remove all records - while [ "${_record_id}" != "0" ]; do - _debug "Removing Record" - _rm_record "${_token}" "${zoneid}" "${_record_id}" - _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")" - done + _recursive_rm_record "${token}" "${_domain}" "${_zoneid}" "${_record_id}" + ret="$?" + if [ "${ret}" != "0" ]; then + return 1 + fi # Add brand new records with all old and new records export _H2="Content-Type: application/json" From 0cce2d60985b112fa4ef31672cec880ff4a01740 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 09:57:39 +0800 Subject: [PATCH 123/276] fix: fix shellcheck --- dnsapi/dns_huaweicloud.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index b1bb61dc..54f18226 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -98,6 +98,7 @@ dns_huaweicloud_rm() { fi _debug "Zone ID is:" "${zoneid}" + record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")" _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}" ret="$?" if [ "${ret}" != "0" ]; then @@ -134,16 +135,16 @@ _recursive_rm_record() { # Therotically HuaweiCloud does not allow more than one record set # But remove them recurringly to increase robusty - while [ "${_record_id}" != "0" && "${_retry_cnt}" != "0" ]; do + while [ "${_record_id}" != "0" ] && [ "${_retry_cnt}" != "0" ]; do _debug "Removing Record" - _retry_cnt=$((${_retry_cnt} - 1)) + _retry_cnt=$((_retry_cnt - 1)) _rm_record "${_token}" "${_zoneid}" "${_record_id}" _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")" _debug2 "Checking record exists: record_id=${_record_id}" done # Check if retry count is reached - if [ "${_retry_cnt}" == "0" ]; then + if [ "${_retry_cnt}" = "0" ]; then _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard" return 1 fi @@ -164,7 +165,7 @@ _get_zoneid() { i=1 while true; do - h=$(printf "%s" "${_domain_string}" | cut -d . -f $i-100) + h=$(printf "%s" "${_domain_string}" | cut -d . -f "$i"-100) if [ -z "$h" ]; then #not valid return 1 From 4dba84d09e129ea1a69c4158cbbce133e32e1562 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 10:01:20 +0800 Subject: [PATCH 124/276] fix: fix shfmt --- dnsapi/dns_huaweicloud.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 54f18226..1869a756 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -105,16 +105,15 @@ dns_huaweicloud_rm() { _err "dns_api(dns_huaweicloud): Error removing record." return 1 fi - + return 0 } ################### Private functions below ################################## - # _recursive_rm_record # remove all records from the record set -# +# # _token=$1 # _domain=$2 # _zoneid=$3 From e9366f8c7635858f0bf875786fb00e0df93b412a Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 10:56:10 +0800 Subject: [PATCH 125/276] fix: fix huaweicloud existing record 400 --- dnsapi/dns_huaweicloud.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 1869a756..401390dc 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -246,8 +246,7 @@ _add_record() { \"type\": \"TXT\", \"ttl\": 1, \"records\": [ - ${_exist_record}, - \"\\\"${_txtvalue}\\\"\" + ${_exist_record},\"\\\"${_txtvalue}\\\"\" ] }" fi From bddde60522ebb25314568b157b56d7185a97bbca Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 11:27:08 +0800 Subject: [PATCH 126/276] fix: use update instead of remove then add --- dnsapi/dns_huaweicloud.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 401390dc..cad9f425 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -254,19 +254,16 @@ _add_record() { _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")" _debug "Record Set ID is:" "${_record_id}" - # Remove all records - _recursive_rm_record "${token}" "${_domain}" "${_zoneid}" "${_record_id}" - ret="$?" - if [ "${ret}" != "0" ]; then - return 1 - fi - # Add brand new records with all old and new records export _H2="Content-Type: application/json" export _H1="X-Auth-Token: ${_token}" _debug2 "${_post_body}" - _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null + if [ -z "${_exist_record}" ]; then + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null + else + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/{$_record_id}" false "PUT" >/dev/null + fi _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" if [ "$_code" != "202" ]; then _err "dns_huaweicloud: http code ${_code}" From 7560c64f46f3ad19ec185c7337241d1753f47d09 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 11:30:32 +0800 Subject: [PATCH 127/276] fix: fix typo --- dnsapi/dns_huaweicloud.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index cad9f425..766123c2 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -261,9 +261,9 @@ _add_record() { _debug2 "${_post_body}" if [ -z "${_exist_record}" ]; then _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null - else - _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/{$_record_id}" false "PUT" >/dev/null - fi + else + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/${_record_id}" false "PUT" >/dev/null + fi _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" if [ "$_code" != "202" ]; then _err "dns_huaweicloud: http code ${_code}" From 1f777a94a7cf22e95b6545c4ece8bbc1eea647a8 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 17:50:44 +0800 Subject: [PATCH 128/276] fix: change some debug comments --- dnsapi/dns_huaweicloud.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 766123c2..c8601f34 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -175,11 +175,11 @@ _get_zoneid() { if _contains "${response}" '"id"'; then zoneidlist=$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ") zonenamelist=$(echo "${response}" | _egrep_o "\"name\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ") - _debug2 "Return Zone ID(s):" "${zoneidlist}" - _debug2 "Return Zone Name(s):" "${zonenamelist}" + _debug2 "Returned Zone ID(s):" "${zoneidlist}" + _debug2 "Returned Zone Name(s):" "${zonenamelist}" zoneidnum=0 zoneidcount=$(echo "${zoneidlist}" | grep -c '^') - _debug "Retund Zone ID(s) Count:" "${zoneidcount}" + _debug "Returned Zone ID(s) Count:" "${zoneidcount}" while [ "${zoneidnum}" -lt "${zoneidcount}" ]; do zoneidnum=$(_math "$zoneidnum" + 1) _zoneid=$(echo "${zoneidlist}" | sed -n "${zoneidnum}p") From 70f4cad2ca9ed671c3a3d55a53913d8aed49871b Mon Sep 17 00:00:00 2001 From: Markus Hoffrogge Date: Tue, 7 Mar 2023 13:22:46 +0100 Subject: [PATCH 129/276] Fix Retry-After handling - closes #4543 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 5d73cdb6..b7d9129d 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,8 +2229,8 @@ _send_signed_request() { _debug3 _body "$_body" fi - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') - if [ "$code" = '503' ] || [ "$_retryafter" ]; then + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ]; then _sleep_overload_retry_sec=$_retryafter if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 From 2d8c0c0131f56924aaee10078da9ca076fbf69f5 Mon Sep 17 00:00:00 2001 From: Alex Leigh Date: Tue, 7 Mar 2023 02:31:27 -0800 Subject: [PATCH 130/276] Add support for Google Domains DNS API. https://domains.google/learn/gts-acme/ This is an ACME API for Google Domains customers, which is different from the Google Cloud Domains API for Google Cloud customers. --- dnsapi/dns_googledomains.sh | 173 ++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100755 dnsapi/dns_googledomains.sh diff --git a/dnsapi/dns_googledomains.sh b/dnsapi/dns_googledomains.sh new file mode 100755 index 00000000..63e3073b --- /dev/null +++ b/dnsapi/dns_googledomains.sh @@ -0,0 +1,173 @@ +#!/usr/bin/env sh + +# Author: Alex Leigh +# Created: 2023-03-02 + +#GOOGLEDOMAINS_ACCESS_TOKEN="xxxx" +#GOOGLEDOMAINS_ZONE="xxxx" +GOOGLEDOMAINS_API="https://acmedns.googleapis.com/v1/acmeChallengeSets" + +######## Public functions ######## + +#Usage: dns_googledomains_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_googledomains_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Invoking Google Domains ACME DNS API." + + if ! _dns_googledomains_setup; then + return 1 + fi + + zone="$(_dns_googledomains_get_zone "$fulldomain")" + if [ -z "$zone" ]; then + _err "Could not find a Google Domains-managed zone containing the requested domain." + return 1 + fi + + _debug zone "$zone" + _debug txtvalue "$txtvalue" + + _info "Adding TXT record for $fulldomain." + if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToAdd\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then + if _contains "$response" "$txtvalue"; then + _info "TXT record added." + return 0 + else + _err "Error adding TXT record." + return 1 + fi + fi + + _err "Error adding TXT record." + return 1 +} + +#Usage: dns_googledomains_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_googledomains_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Invoking Google Domains ACME DNS API." + + if ! _dns_googledomains_setup; then + return 1 + fi + + zone="$(_dns_googledomains_get_zone "$fulldomain")" + if [ -z "$zone" ]; then + _err "Could not find a Google Domains-managed domain based on request." + return 1 + fi + + _debug zone "$zone" + _debug txtvalue "$txtvalue" + + _info "Removing TXT record for $fulldomain." + if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToRemove\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then + if _contains "$response" "$txtvalue"; then + _err "Error removing TXT record." + return 1 + else + _info "TXT record removed." + return 0 + fi + fi + + _err "Error removing TXT record." + return 1 +} + +######## Private functions ######## + +_dns_googledomains_setup() { + if [ -n "$GOOGLEDOMAINS_SETUP_COMPLETED" ]; then + return 0 + fi + + GOOGLEDOMAINS_ACCESS_TOKEN="${GOOGLEDOMAINS_ACCESS_TOKEN:-$(_readaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN)}" + GOOGLEDOMAINS_ZONE="${GOOGLEDOMAINS_ZONE:-$(_readaccountconf_mutable GOOGLEDOMAINS_ZONE)}" + + if [ -z "$GOOGLEDOMAINS_ACCESS_TOKEN" ]; then + GOOGLEDOMAINS_ACCESS_TOKEN="" + _err "Google Domains access token was not specified." + _err "Please visit Google Domains Security settings to provision an ACME DNS API access token." + return 1 + fi + + if [ "$GOOGLEDOMAINS_ZONE" ]; then + _savedomainconf GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _savedomainconf GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE" + else + _saveaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _clearaccountconf_mutable GOOGLEDOMAINS_ZONE + _clearaccountconf GOOGLEDOMAINS_ZONE + fi + + _debug GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _debug GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE" + + GOOGLEDOMAINS_SETUP_COMPLETED=1 + return 0 +} + +_dns_googledomains_get_zone() { + domain=$1 + + # Use zone directly if provided + if [ "$GOOGLEDOMAINS_ZONE" ]; then + if ! _dns_googledomains_api "$GOOGLEDOMAINS_ZONE"; then + return 1 + fi + + echo "$GOOGLEDOMAINS_ZONE" + return 0 + fi + + i=2 + while true; do + curr=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug curr "$curr" + + if [ -z "$curr" ]; then + return 1 + fi + + if _dns_googledomains_api "$curr"; then + echo "$curr" + return 0 + fi + + i=$(_math "$i" + 1) + done + + return 1 +} + +_dns_googledomains_api() { + zone=$1 + apimethod=$2 + data="$3" + + if [ -z "$data" ]; then + response="$(_get "$GOOGLEDOMAINS_API/$zone$apimethod")" + else + _debug data "$data" + export _H1="Content-Type: application/json" + response="$(_post "$data" "$GOOGLEDOMAINS_API/$zone$apimethod")" + fi + + _debug response "$response" + + if [ "$?" != "0" ]; then + _err "Error" + return 1 + fi + + if _contains "$response" "\"error\": {"; then + return 1 + fi + + return 0 +} From ae3e5dbf2c4c8f53f5705f00387f24d36abc7a06 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Sun, 12 Mar 2023 12:41:29 +0800 Subject: [PATCH 131/276] fix: fix DomainName not retreived properly Co-Authored-By: idawnlight --- dnsapi/dns_huaweicloud.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index c8601f34..b61c1d43 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -23,7 +23,7 @@ dns_huaweicloud_add() { HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}" - HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" + HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}" # Check information if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then @@ -74,7 +74,7 @@ dns_huaweicloud_rm() { HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}" - HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" + HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}" # Check information if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then From 42a5cd961dc22f655d732167aabebf8725a84784 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 17 Mar 2023 17:21:10 +0800 Subject: [PATCH 132/276] fix https://github.com/acmesh-official/acme.sh/issues/4530#issuecomment-1473395845 --- acme.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index b7d9129d..e89662cd 100755 --- a/acme.sh +++ b/acme.sh @@ -2235,9 +2235,13 @@ _send_signed_request() { if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 fi - _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." - _sleep $_sleep_overload_retry_sec - continue + if [ $_sleep_overload_retry_sec -le 600 ]; then + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + else + _info "The retryafter=$_retryafter is too large > 600, not retry anymore." + fi fi if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." From 7ef2533b98ae0566fc5775c32aa5ebfcfb3b724b Mon Sep 17 00:00:00 2001 From: imlonghao Date: Tue, 28 Mar 2023 22:34:04 +0800 Subject: [PATCH 133/276] fix(cloudns): fix grep when record start with hyphen symbol --- dnsapi/dns_cloudns.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_cloudns.sh b/dnsapi/dns_cloudns.sh index b03fd579..8d7fd437 100755 --- a/dnsapi/dns_cloudns.sh +++ b/dnsapi/dns_cloudns.sh @@ -78,7 +78,7 @@ dns_cloudns_rm() { return 1 fi - for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do + for i in $(echo "$response" | tr '{' "\n" | grep -- "$record"); do record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g') if [ -n "$record_id" ]; then From 6ee72e119c421474f9d966af37422a186b6a5852 Mon Sep 17 00:00:00 2001 From: Paul Dee Date: Fri, 31 Mar 2023 01:13:41 +0200 Subject: [PATCH 134/276] Spelling / grammar --- dnsapi/dns_loopia.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_loopia.sh b/dnsapi/dns_loopia.sh index 399c7867..60d072e0 100644 --- a/dnsapi/dns_loopia.sh +++ b/dnsapi/dns_loopia.sh @@ -107,7 +107,7 @@ _loopia_load_config() { fi if _contains "$LOOPIA_Password" "'" || _contains "$LOOPIA_Password" '"'; then - _err "Password contains quoute or double quoute and this is not supported by dns_loopia.sh" + _err "Password contains a quotation mark or double quotation marks and this is not supported by dns_loopia.sh" return 1 fi From cbb7082afd25419779152faf7d35b664a09030b3 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Fri, 31 Mar 2023 00:33:44 +0000 Subject: [PATCH 135/276] Fixed bug with wildcard certs and ecc keys --- deploy/panos.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index ef622ded..3ee889b7 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -61,7 +61,7 @@ deployer() { content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" fi #Close multipart content="$content${nl}--$delim--${nl}${nl}" @@ -92,9 +92,18 @@ deployer() { # This is the main function that will call the other functions to deploy everything. panos_deploy() { - _cdomain="$1" + _cdomain=${1//[*]/WILDCARD_} #Wildcard Safe filename _ckey="$2" _cfullchain="$5" + # VALID ECC KEY CHECK + if [[ "${_ckey: -8}" == "_ecc.key" ]] && [[ ! -f $_ckey ]]; then + _debug "The ECC key $_ckey doesn't exist. Attempting to strip _ecc from the filename" + _ckey="${_ckey:0:${#_ckey}-8}.key" + if [[ ! -f $_ckey ]]; then + _err "Still didn't work. Try issuing the certificate using RSA (non-ECC) encryption." + return 1 + fi + fi # PANOS ENV VAR check if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then _debug "No ENV variables found lets check for saved variables" From dc1f36da4348dfb9e737ad8121d5150c6e2c96d9 Mon Sep 17 00:00:00 2001 From: David Schramm Date: Sat, 1 Apr 2023 09:25:19 +0200 Subject: [PATCH 136/276] prevent whitespace splitting --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e89662cd..33721de5 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key="$_saved" + eval $_rac_key=\$_saved export $_rac_key } From dcdbe2fbb8d13579c0178b77822d29fc24520a4d Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 2 Apr 2023 12:04:58 +0800 Subject: [PATCH 137/276] fix https://github.com/acmesh-official/acme.sh/pull/4577 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e89662cd..fa350584 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key="$_saved" + eval $_rac_key=\"$_saved\" export $_rac_key } From a570fda1cb179476405370c94ddefa88dfd7a830 Mon Sep 17 00:00:00 2001 From: David Schramm Date: Sun, 2 Apr 2023 17:30:47 +0200 Subject: [PATCH 138/276] prevent whitespace splitting --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index fa350584..33721de5 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key=\"$_saved\" + eval $_rac_key=\$_saved export $_rac_key } From df753e2619f5e0069955ed07e32f6a340418126b Mon Sep 17 00:00:00 2001 From: sg1888 Date: Wed, 12 Apr 2023 22:00:53 +0000 Subject: [PATCH 139/276] Added functionality to save and reuse API key --- deploy/panos.sh | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 3ee889b7..8edf115b 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -25,15 +25,27 @@ parse_response() { else status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') + if [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then + _debug "**** Saved API key is invalid ****" + unset _panos_key + fi fi return 0 } deployer() { content="" - type=$1 # Types are keygen, cert, key, commit - _debug "**** Deploying $type *****" + type=$1 # Types are testkey, keygen, cert, key, commit + _debug "**** Deploying $type ****" panos_url="https://$_panos_host/api/" + + #Test API Key by performing an empty commit. + if [ "$type" = 'testkey' ]; then + _H1="Content-Type: application/x-www-form-urlencoded" + content="type=commit&cmd=&key=$_panos_key" + fi + + # Generate API Key if [ "$type" = 'keygen' ]; then _H1="Content-Type: application/x-www-form-urlencoded" content="type=keygen&user=$_panos_user&password=$_panos_pass" @@ -134,8 +146,22 @@ panos_deploy() { _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST" return 1 else - _debug "Getting PANOS KEY" - deployer keygen + #Check for saved API Key + _getdeployconf PANOS_KEY + _panos_key=$PANOS_KEY + if [ "$_panos_key" ]; then + _debug "**** Testing Saved API KEY ****" + deployer testkey + fi + + # Generate a new API key if needed + if [ -z "$_panos_key" ]; then + _debug "**** Generating new PANOS API KEY ****" + deployer keygen + _savedeployconf PANOS_KEY "$_panos_key" 1 + fi + + # Recheck the key if [ -z "$_panos_key" ]; then _err "Missing apikey." return 1 From f66a29d1c3d450641f88c74de04a8967ef0d6cec Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 20 Apr 2023 18:07:59 +0800 Subject: [PATCH 140/276] fix https://github.com/acmesh-official/acme.sh/issues/4606 --- acme.sh | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/acme.sh b/acme.sh index 8b519f1f..d5caee4d 100755 --- a/acme.sh +++ b/acme.sh @@ -6146,8 +6146,22 @@ revoke() { uri="${ACME_REVOKE_CERT}" + _info "Try account key first." + if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then + if [ -z "$response" ]; then + _info "Revoke success." + rm -f "$CERT_PATH" + cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" + cat "$CSR_PATH" >"$CSR_PATH.revoked" + return 0 + else + _err "Revoke error." + _debug "$response" + fi + fi + if [ -f "$CERT_KEY_PATH" ]; then - _info "Try domain key first." + _info "Try domain key." if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then if [ -z "$response" ]; then _info "Revoke success." @@ -6163,21 +6177,6 @@ revoke() { else _info "Domain key file doesn't exist." fi - - _info "Try account key." - - if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then - if [ -z "$response" ]; then - _info "Revoke success." - rm -f "$CERT_PATH" - cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" - cat "$CSR_PATH" >"$CSR_PATH.revoked" - return 0 - else - _err "Revoke error." - _debug "$response" - fi - fi return 1 } From 84e4181ed74f26e2dbd78666f999eafa4642930f Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 20 Apr 2023 18:11:55 +0800 Subject: [PATCH 141/276] fix https://github.com/acmesh-official/acme.sh/issues/4604 --- dnsapi/dns_leaseweb.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_leaseweb.sh b/dnsapi/dns_leaseweb.sh index 63f81869..4cd3a8f8 100644 --- a/dnsapi/dns_leaseweb.sh +++ b/dnsapi/dns_leaseweb.sh @@ -6,7 +6,7 @@ #See https://developer.leaseweb.com for more information. ######## Public functions ##################### -LSW_API="https://api.leaseweb.com/hosting/v2/domains/" +LSW_API="https://api.leaseweb.com/hosting/v2/domains" #Usage: dns_leaseweb_add _acme-challenge.www.domain.com dns_leaseweb_add() { From a7bc2293c0874129b3daf297905fa6c11eeb9d5b Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 23 Apr 2023 13:16:12 +0800 Subject: [PATCH 142/276] fix https://github.com/acmesh-official/acme.sh/issues/4612#issuecomment-1518929996 --- deploy/docker.sh | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/deploy/docker.sh b/deploy/docker.sh index 3aa1b2cd..457e29ab 100755 --- a/deploy/docker.sh +++ b/deploy/docker.sh @@ -273,16 +273,27 @@ _check_curl_version() { _minor="$(_getfield "$_cversion" 2 '.')" _debug2 "_minor" "$_minor" - if [ "$_major$_minor" -lt "740" ]; then + if [ "$_major" -ge "8" ]; then + #ok + return 0; + fi + if [ "$_major" = "7" ]; then + if [ "$_minor" -lt "40" ]; then + _err "curl v$_cversion doesn't support unit socket" + _err "Please upgrade to curl 7.40 or later." + return 1 + fi + if [ "$_minor" -lt "50" ]; then + _debug "Use short host name" + export _CURL_NO_HOST=1 + else + export _CURL_NO_HOST= + fi + return 0 + else _err "curl v$_cversion doesn't support unit socket" _err "Please upgrade to curl 7.40 or later." return 1 fi - if [ "$_major$_minor" -lt "750" ]; then - _debug "Use short host name" - export _CURL_NO_HOST=1 - else - export _CURL_NO_HOST= - fi - return 0 + } From b937665b90d742ea5432c135b3cfc18eecf33014 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 23 Apr 2023 13:18:17 +0800 Subject: [PATCH 143/276] minor --- deploy/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/docker.sh b/deploy/docker.sh index 457e29ab..c9815d5b 100755 --- a/deploy/docker.sh +++ b/deploy/docker.sh @@ -275,7 +275,7 @@ _check_curl_version() { if [ "$_major" -ge "8" ]; then #ok - return 0; + return 0 fi if [ "$_major" = "7" ]; then if [ "$_minor" -lt "40" ]; then From 7623025b9007386281d64275978d41a0c52a1bf3 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Mon, 24 Apr 2023 18:45:50 +0000 Subject: [PATCH 144/276] Fixes for POSIX sh shell --- deploy/panos.sh | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 8edf115b..7fb0c9db 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -10,6 +10,7 @@ # export PANOS_USER="" # required # export PANOS_PASS="" # required # export PANOS_HOST="" # required +# export PANOS_KEY="" # optional # This function is to parse the XML parse_response() { @@ -25,7 +26,7 @@ parse_response() { else status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') - if [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then + if [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then _debug "**** Saved API key is invalid ****" unset _panos_key fi @@ -38,7 +39,7 @@ deployer() { type=$1 # Types are testkey, keygen, cert, key, commit _debug "**** Deploying $type ****" panos_url="https://$_panos_host/api/" - + #Test API Key by performing an empty commit. if [ "$type" = 'testkey' ]; then _H1="Content-Type: application/x-www-form-urlencoded" @@ -104,16 +105,17 @@ deployer() { # This is the main function that will call the other functions to deploy everything. panos_deploy() { - _cdomain=${1//[*]/WILDCARD_} #Wildcard Safe filename + _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename _ckey="$2" _cfullchain="$5" # VALID ECC KEY CHECK - if [[ "${_ckey: -8}" == "_ecc.key" ]] && [[ ! -f $_ckey ]]; then - _debug "The ECC key $_ckey doesn't exist. Attempting to strip _ecc from the filename" - _ckey="${_ckey:0:${#_ckey}-8}.key" - if [[ ! -f $_ckey ]]; then - _err "Still didn't work. Try issuing the certificate using RSA (non-ECC) encryption." - return 1 + keysuffix=$(printf '%s' "$_ckey" | tail -c 8) + if [ "$keysuffix" = "_ecc.key" ] && [ ! -f "$_ckey" ]; then + _debug "The ECC key $_ckey doesn't exist. Attempting to strip '_ecc' from the key name" + _ckey=$(echo "$_ckey" | sed 's/\(.*\)_ecc.key$/\1.key/g') + if [ ! -f "$_ckey" ]; then + _err "Unable to find a valid key. Try issuing the certificate using RSA (non-ECC) encryption." + return 1 fi fi # PANOS ENV VAR check @@ -122,9 +124,11 @@ panos_deploy() { _getdeployconf PANOS_USER _getdeployconf PANOS_PASS _getdeployconf PANOS_HOST + _getdeployconf PANOS_KEY _panos_user=$PANOS_USER _panos_pass=$PANOS_PASS _panos_host=$PANOS_HOST + _panos_key=$PANOS_KEY if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs." return 1 @@ -140,28 +144,33 @@ panos_deploy() { _panos_user="$PANOS_USER" _panos_pass="$PANOS_PASS" _panos_host="$PANOS_HOST" + if [ "$PANOS_KEY" ]; then + _savedeployconf PANOS_KEY "$PANOS_KEY" 1 + _panos_key="$PANOS_KEY" + else + _getdeployconf PANOS_KEY + _panos_key=$PANOS_KEY + fi fi _debug "Let's use username and pass to generate token." if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST" return 1 else - #Check for saved API Key - _getdeployconf PANOS_KEY - _panos_key=$PANOS_KEY + #Test API Key if [ "$_panos_key" ]; then _debug "**** Testing Saved API KEY ****" deployer testkey fi - # Generate a new API key if needed + # Generate a new API key if no valid key exists if [ -z "$_panos_key" ]; then _debug "**** Generating new PANOS API KEY ****" deployer keygen _savedeployconf PANOS_KEY "$_panos_key" 1 fi - # Recheck the key + # Confirm that a valid key was generated if [ -z "$_panos_key" ]; then _err "Missing apikey." return 1 From bb5f3cc32606507520f1705bb1a50334fc2796f5 Mon Sep 17 00:00:00 2001 From: Alexander Pushkarev Date: Mon, 1 May 2023 23:00:01 +0300 Subject: [PATCH 145/276] Add support for Mattermost notifications. --- notify/mattermost.sh | 52 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 notify/mattermost.sh diff --git a/notify/mattermost.sh b/notify/mattermost.sh new file mode 100644 index 00000000..9037ae0d --- /dev/null +++ b/notify/mattermost.sh @@ -0,0 +1,52 @@ +#!/usr/bin/env sh + +# Support mattermost bots + +#MATTERMOST_API_URL="" +#MATTERMOST_CHANNEL_ID="" +#MATTERMOST_BOT_TOKEN="" + +mattermost_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + MATTERMOST_API_URL="${MATTERMOST_API_URL:-$(_readaccountconf_mutable MATTERMOST_API_URL)}" + if [ -z "$MATTERMOST_API_URL" ]; then + _err "You didn't specify a Mattermost API URL MATTERMOST_API_URL yet." + return 1 + fi + _saveaccountconf_mutable MATTERMOST_API_URL "$MATTERMOST_API_URL" + + MATTERMOST_CHANNEL_ID="${MATTERMOST_CHANNEL_ID:-$(_readaccountconf_mutable MATTERMOST_CHANNEL_ID)}" + if [ -z "$MATTERMOST_CHANNEL_ID" ]; then + _err "You didn't specify a Mattermost channel id MATTERMOST_CHANNEL_ID yet." + return 1 + fi + _saveaccountconf_mutable MATTERMOST_CHANNEL_ID "$MATTERMOST_CHANNEL_ID" + + MATTERMOST_BOT_TOKEN="${MATTERMOST_BOT_TOKEN:-$(_readaccountconf_mutable MATTERMOST_BOT_TOKEN)}" + if [ -z "$MATTERMOST_BOT_TOKEN" ]; then + _err "You didn't specify a Mattermost bot API token MATTERMOST_BOT_TOKEN yet." + return 1 + fi + _saveaccountconf_mutable MATTERMOST_BOT_TOKEN "$MATTERMOST_BOT_TOKEN" + + _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)" + _data="{\"channel_id\": \"$MATTERMOST_CHANNEL_ID\", " + _data="$_data\"message\": \"$_content\"}" + + export _H1="Authorization: Bearer $MATTERMOST_BOT_TOKEN" + + if _post "$_data" "$MATTERMOST_API_URL" "" "POST" "application/json; charset=utf-8"; then + MATTERMOST_RESULT_OK=$(echo "$response" | _egrep_o 'create_at') + if [ "$?" = "0" ] && [ "$MATTERMOST_RESULT_OK" ]; then + _info "mattermost send success." + return 0 + fi + fi + _err "mattermost send error." + _err "$response" + return 1 +} From e6e22a1ca15cd7fc20242e3e8074858d9081d04f Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Tue, 9 May 2023 08:44:18 +0200 Subject: [PATCH 146/276] dnsapi: fix OPNsense script to be compatible with upcoming 23.1.8 The current script is already broken due to Bind 9.16 -> 9.18 changes due to their renaming scheme for primary/secondary so do not rely on the compat layer (which was also broken for other reasons). --- dnsapi/dns_opnsense.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh index c2806a1b..d40cbe28 100755 --- a/dnsapi/dns_opnsense.sh +++ b/dnsapi/dns_opnsense.sh @@ -137,7 +137,7 @@ _get_root() { domain=$1 i=2 p=1 - if _opns_rest "GET" "/domain/searchMasterDomain"; then + if _opns_rest "GET" "/domain/searchPrimaryDomain"; then _domain_response="$response" else return 1 @@ -150,7 +150,7 @@ _get_root() { return 1 fi _debug h "$h" - id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) + id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) if [ -n "$id" ]; then _debug id "$id" _host=$(printf "%s" "$domain" | cut -d . -f 1-$p) From a8fba65cbd06d2bf1a25895a24c17f3c04f2dbca Mon Sep 17 00:00:00 2001 From: sg1888 Date: Mon, 15 May 2023 01:43:54 +0000 Subject: [PATCH 147/276] Cleaned up verbiage. Added ability to store / update user variable. Added ability to use user/pass OR key --- deploy/panos.sh | 140 ++++++++++++++++++++++++++++++------------------ 1 file changed, 88 insertions(+), 52 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 7fb0c9db..774060b0 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -7,10 +7,24 @@ # # Firewall admin with superuser and IP address is required. # -# export PANOS_USER="" # required -# export PANOS_PASS="" # required -# export PANOS_HOST="" # required -# export PANOS_KEY="" # optional +# You MUST include the following environment variable when first running +# the sccript (can be deleted afterwards): +# +# REQURED: +# export PANOS_HOST="" # required +# +# AND one of the two authenticiation methods: +# +# Method 1: Username & Password (RECOMMENDED) +# export PANOS_USER="" +# export PANOS_PASS="" +# +# Method 2: API KEY +# export PANOS_KEY="" +# +# +# The Username & Password method will automatically generate a new API key if +# no key is found, or if a saved key has expired or is invalid. # This function is to parse the XML parse_response() { @@ -26,8 +40,8 @@ parse_response() { else status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') - if [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then - _debug "**** Saved API key is invalid ****" + if [ "$type" = 'keytest' ] && [ "$status" != "success" ]; then + _debug "**** API Key has EXPIRED or is INVALID ****" unset _panos_key fi fi @@ -36,25 +50,27 @@ parse_response() { deployer() { content="" - type=$1 # Types are testkey, keygen, cert, key, commit - _debug "**** Deploying $type ****" + type=$1 # Types are keytest, keygen, cert, key, commit panos_url="https://$_panos_host/api/" #Test API Key by performing an empty commit. - if [ "$type" = 'testkey' ]; then + if [ "$type" = 'keytest' ]; then + _debug "**** Testing saved API Key ****" _H1="Content-Type: application/x-www-form-urlencoded" content="type=commit&cmd=&key=$_panos_key" fi # Generate API Key if [ "$type" = 'keygen' ]; then + _debug "**** Generating new API Key ****" _H1="Content-Type: application/x-www-form-urlencoded" content="type=keygen&user=$_panos_user&password=$_panos_pass" # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" fi if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then - #Generate DEIM + _debug "**** Deploying $type ****" + #Generate DELIM delim="-----MultipartDelimiter$(date "+%s%N")" nl="\015\012" #Set Header @@ -83,8 +99,14 @@ deployer() { fi if [ "$type" = 'commit' ]; then + _debug "**** Committing changes ****" export _H1="Content-Type: application/x-www-form-urlencoded" - cmd=$(printf "%s" "<$_panos_user>" | _url_encode) + if [ "$_panos_user" ]; then + _commit_desc=$_panos_user + else + _commit_desc="acmesh" + fi + cmd=$(printf "%s" "<$_commit_desc>" | _url_encode) content="type=commit&key=$_panos_key&cmd=$cmd" fi response=$(_post "$content" "$panos_url" "" "POST") @@ -118,52 +140,66 @@ panos_deploy() { return 1 fi fi - # PANOS ENV VAR check - if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then - _debug "No ENV variables found lets check for saved variables" - _getdeployconf PANOS_USER - _getdeployconf PANOS_PASS - _getdeployconf PANOS_HOST - _getdeployconf PANOS_KEY - _panos_user=$PANOS_USER - _panos_pass=$PANOS_PASS - _panos_host=$PANOS_HOST - _panos_key=$PANOS_KEY - if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then - _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs." - return 1 - else - _debug "Using saved env variables." - fi + + # Environment Checks + + # PANOS_HOST + if [ "$PANOS_HOST" ]; then + _debug "Detected ENV variable PANOS_HOST. Saving to file." + _savedeployconf PANOS_HOST "$PANOS_HOST" 1 else - _debug "Detected ENV variables to be saved to the deploy conf." - # Encrypt and save user + _debug "Attempting to load variable PANOS_HOST from file." + _getdeployconf PANOS_HOST + fi + + # PANOS USER + if [ "$PANOS_USER" ]; then + _debug "Detected ENV variable PANOS_USER. Saving to file." _savedeployconf PANOS_USER "$PANOS_USER" 1 + else + _debug "Attempting to load variable PANOS_USER from file." + _getdeployconf PANOS_USER + fi + + # PANOS_KEY + if [ "$PANOS_PASS" ]; then + _debug "Detected ENV variable PANOS_PASS. Saving to file." _savedeployconf PANOS_PASS "$PANOS_PASS" 1 - _savedeployconf PANOS_HOST "$PANOS_HOST" 1 - _panos_user="$PANOS_USER" - _panos_pass="$PANOS_PASS" - _panos_host="$PANOS_HOST" - if [ "$PANOS_KEY" ]; then - _savedeployconf PANOS_KEY "$PANOS_KEY" 1 - _panos_key="$PANOS_KEY" - else - _getdeployconf PANOS_KEY - _panos_key=$PANOS_KEY - fi + else + _debug "Attempting to load variable PANOS_PASS from file." + _getdeployconf PANOS_PASS fi - _debug "Let's use username and pass to generate token." - if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then - _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST" - return 1 + + # PANOS_KEY + if [ "$PANOS_KEY" ]; then + _debug "Detected ENV variable PANOS_KEY. Saving to file." + _savedeployconf PANOS_KEY "$PANOS_KEY" 1 else - #Test API Key - if [ "$_panos_key" ]; then - _debug "**** Testing Saved API KEY ****" - deployer testkey - fi + _debug "Attempting to load variable PANOS_KEY from file." + _getdeployconf PANOS_KEY + fi + + #Store variables + _panos_host=$PANOS_HOST + _panos_key=$PANOS_KEY + _panos_user=$PANOS_USER + _panos_pass=$PANOS_PASS - # Generate a new API key if no valid key exists + #Test API Key if found. If the key is invalid, the variable panos_key will be unset. + if [ "$_panos_host" ] && [ "$_panos_key" ]; then + _debug "**** Testing API KEY ****" + deployer keytest + fi + + # Check for valid variables + if [ -z "$_panos_host" ]; then + _err "No host found. Please enter a valid host as environment variable PANOS_HOST." + return 1 + elif [ -z "$_panos_key" ] && { [ -z "$_panos_user" ] || [ -z "$_panos_pass" ]; }; then + _err "No user and pass OR valid API key found.. If this is the first time deploying please set PANOS_USER and PANOS_PASS -- AND/OR -- PANOS_KEY in environment variables. Delete them after you have succesfully deployed certs." + return 1 + else + # Generate a new API key if no valid API key is found if [ -z "$_panos_key" ]; then _debug "**** Generating new PANOS API KEY ****" deployer keygen @@ -172,7 +208,7 @@ panos_deploy() { # Confirm that a valid key was generated if [ -z "$_panos_key" ]; then - _err "Missing apikey." + _err "Unable to generate an API key. The user and pass may be invalid or not authorized to generate a new key. Please check the credentials and try again" return 1 else deployer cert From 0ebc9f7a44f05f595084e55b83cff59b471b8d9f Mon Sep 17 00:00:00 2001 From: sg1888 Date: Mon, 15 May 2023 01:46:21 +0000 Subject: [PATCH 148/276] Fixed typo --- deploy/panos.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 774060b0..755ad5c9 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -161,7 +161,7 @@ panos_deploy() { _getdeployconf PANOS_USER fi - # PANOS_KEY + # PANOS_PASS if [ "$PANOS_PASS" ]; then _debug "Detected ENV variable PANOS_PASS. Saving to file." _savedeployconf PANOS_PASS "$PANOS_PASS" 1 From 2e2e7cd05408f8bf98016c5c0c9762608cd4e681 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Wed, 17 May 2023 20:06:06 +0000 Subject: [PATCH 149/276] Added ability to force commit to firewall. Username is now also mandatory --- deploy/panos.sh | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 755ad5c9..2744ba6d 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -7,26 +7,24 @@ # # Firewall admin with superuser and IP address is required. # -# You MUST include the following environment variable when first running -# the sccript (can be deleted afterwards): -# # REQURED: # export PANOS_HOST="" # required +# export PANOS_USER="" # required # # AND one of the two authenticiation methods: # -# Method 1: Username & Password (RECOMMENDED) -# export PANOS_USER="" +# Method 1: Password (RECOMMENDED) # export PANOS_PASS="" # # Method 2: API KEY # export PANOS_KEY="" # # -# The Username & Password method will automatically generate a new API key if +# The Password method will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. +# -# This function is to parse the XML +# This function is to parse the XML response from the firewall parse_response() { type=$2 if [ "$type" = 'keygen' ]; then @@ -48,6 +46,7 @@ parse_response() { return 0 } +#This function is used to deploy to the firewall deployer() { content="" type=$1 # Types are keytest, keygen, cert, key, commit @@ -68,6 +67,7 @@ deployer() { # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" fi + # Deploy Cert or Key if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then _debug "**** Deploying $type ****" #Generate DELIM @@ -98,17 +98,19 @@ deployer() { content=$(printf %b "$content") fi + # Commit changes if [ "$type" = 'commit' ]; then _debug "**** Committing changes ****" export _H1="Content-Type: application/x-www-form-urlencoded" - if [ "$_panos_user" ]; then - _commit_desc=$_panos_user + #Check for force commit + if [ "$FORCE" ]; then + cmd=$(printf "%s" "<$_panos_user>" | _url_encode) else - _commit_desc="acmesh" + cmd=$(printf "%s" "<$_panos_user>" | _url_encode) fi - cmd=$(printf "%s" "<$_commit_desc>" | _url_encode) content="type=commit&key=$_panos_key&cmd=$cmd" fi + response=$(_post "$content" "$panos_url" "" "POST") parse_response "$response" "$type" # Saving response to variables @@ -141,8 +143,6 @@ panos_deploy() { fi fi - # Environment Checks - # PANOS_HOST if [ "$PANOS_HOST" ]; then _debug "Detected ENV variable PANOS_HOST. Saving to file." @@ -193,10 +193,13 @@ panos_deploy() { # Check for valid variables if [ -z "$_panos_host" ]; then - _err "No host found. Please enter a valid host as environment variable PANOS_HOST." + _err "No host found. If this is your first time deploying, please set PANOS_HOST in ENV variables. You can delete it after you have successfully deployed the certs." + return 1 + elif [ -z "$_panos_user" ]; then + _err "No user found. If this is your first time deploying, please set PANOS_USER in ENV variables. You can delete it after you have successfully deployed certs." return 1 elif [ -z "$_panos_key" ] && { [ -z "$_panos_user" ] || [ -z "$_panos_pass" ]; }; then - _err "No user and pass OR valid API key found.. If this is the first time deploying please set PANOS_USER and PANOS_PASS -- AND/OR -- PANOS_KEY in environment variables. Delete them after you have succesfully deployed certs." + _err "No pass OR valid API key found. If this is your first time deploying please set PANOS_PASS and/or PANOS_KEY in ENV variables. You can delete them after you have succesfully deployed certs." return 1 else # Generate a new API key if no valid API key is found @@ -208,7 +211,7 @@ panos_deploy() { # Confirm that a valid key was generated if [ -z "$_panos_key" ]; then - _err "Unable to generate an API key. The user and pass may be invalid or not authorized to generate a new key. Please check the credentials and try again" + _err "Unable to generate an API key. The user and pass may be invalid or not authorized to generate a new key. Please check the PANOS_USER and PANOS_PASS credentials and try again" return 1 else deployer cert From 126df9647b6ef11da3a7efe9897b453cf4e501d9 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Wed, 24 May 2023 18:51:57 +0000 Subject: [PATCH 150/276] Modified keytest to perform a partial empty commit --- deploy/panos.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 2744ba6d..880e4cec 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -56,7 +56,7 @@ deployer() { if [ "$type" = 'keytest' ]; then _debug "**** Testing saved API Key ****" _H1="Content-Type: application/x-www-form-urlencoded" - content="type=commit&cmd=&key=$_panos_key" + content="type=commit&key=$_panos_key&action=partial&cmd=acmekeytest" fi # Generate API Key @@ -132,6 +132,7 @@ panos_deploy() { _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename _ckey="$2" _cfullchain="$5" + # VALID ECC KEY CHECK keysuffix=$(printf '%s' "$_ckey" | tail -c 8) if [ "$keysuffix" = "_ecc.key" ] && [ ! -f "$_ckey" ]; then @@ -196,10 +197,10 @@ panos_deploy() { _err "No host found. If this is your first time deploying, please set PANOS_HOST in ENV variables. You can delete it after you have successfully deployed the certs." return 1 elif [ -z "$_panos_user" ]; then - _err "No user found. If this is your first time deploying, please set PANOS_USER in ENV variables. You can delete it after you have successfully deployed certs." + _err "No user found. If this is your first time deploying, please set PANOS_USER in ENV variables. You can delete it after you have successfully deployed the certs." return 1 elif [ -z "$_panos_key" ] && { [ -z "$_panos_user" ] || [ -z "$_panos_pass" ]; }; then - _err "No pass OR valid API key found. If this is your first time deploying please set PANOS_PASS and/or PANOS_KEY in ENV variables. You can delete them after you have succesfully deployed certs." + _err "No pass OR valid API key found. If this is your first time deploying please set PANOS_PASS and/or PANOS_KEY in ENV variables. You can delete them after you have succesfully deployed the certs." return 1 else # Generate a new API key if no valid API key is found From 623d615cd737de93b73e1c1a70dafb19b41d91f1 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 28 May 2023 21:42:53 +0200 Subject: [PATCH 151/276] Remove external OTP dependency from synology_dsm.sh Also adapt to DSM 7's API improvements. --- deploy/synology_dsm.sh | 142 +++++++++++++++++++++++------------------ 1 file changed, 79 insertions(+), 63 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index c31a5df0..4e6ce661 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -1,34 +1,35 @@ -#!/usr/bin/env sh - -# Here is a script to deploy cert to Synology DSM -# -# It requires following environment variables: -# -# SYNO_Username - Synology Username to login (must be an administrator) -# SYNO_Password - Synology Password to login -# SYNO_Certificate - Certificate description to target for replacement -# -# The following environmental variables may be set if you don't like their -# default values: -# -# SYNO_Scheme - defaults to http -# SYNO_Hostname - defaults to localhost -# SYNO_Port - defaults to 5000 -# SYNO_DID - device ID to skip OTP - defaults to empty -# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty -# +#!/bin/bash + +################################################################################ +# ACME.sh 3rd party deploy plugin for Synology DSM +################################################################################ +# Authors: Brian Hartvigsen (creator), https://github.com/tresni +# Martin Arndt (contributor), https://troublezone.net/ +# Updated: 2023-05-28 +# Issues: https://github.com/acmesh-official/acme.sh/issues/2727 +################################################################################ +# Usage: +# 1. export SYNO_Username="adminUser" +# 2. export SYNO_Password="adminPassword" +# Optional exports (shown values are the defaults): +# - export SYNO_Certificate="" to replace a specific certificate via description +# - export SYNO_Scheme="http" +# - export SYNO_Hostname="localhost" +# - export SYNO_Port="5000" +# - export SYNO_Device_Name="CertRenewal" - required for skipping 2FA-OTP +# - export SYNO_Device_ID="" - required for skipping 2FA-OTP +# 3. acme.sh --deploy --deploy-hook synology_dsm -d example.com +################################################################################ # Dependencies: -# ------------- -# - jq and curl -# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set) -# -#returns 0 means success, otherwise error. - -######## Public functions ##################### +# - jq & curl +################################################################################ +# Return value: +# 0 means success, otherwise error. +################################################################################ +########## Public functions #################################################### #domain keyfile certfile cafile fullchain synology_dsm_deploy() { - _cdomain="$1" _ckey="$2" _ccert="$3" @@ -36,34 +37,39 @@ synology_dsm_deploy() { _debug _cdomain "$_cdomain" - # Get Username and Password, but don't save until we successfully authenticate + # Get username & password, but don't save until we authenticated successfully _getdeployconf SYNO_Username _getdeployconf SYNO_Password _getdeployconf SYNO_Create - _getdeployconf SYNO_DID - _getdeployconf SYNO_TOTP_SECRET + _getdeployconf SYNO_Device_Name + _getdeployconf SYNO_Device_ID if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then _err "SYNO_Username & SYNO_Password must be set" return 1 fi + if [ -n "${SYNO_Device_Name:-}" ] && [ -z "${SYNO_Device_ID:-}" ]; then + _err "SYNO_Device_Name set, but SYNO_Device_ID is empty" + return 1 + fi _debug2 SYNO_Username "$SYNO_Username" _secure_debug2 SYNO_Password "$SYNO_Password" + _debug2 SYNO_Create "$SYNO_Create" + _debug2 SYNO_Device_Name "$SYNO_Device_Name" + _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID" - # Optional scheme, hostname, and port for Synology DSM + # Optional scheme, hostname & port for Synology DSM _getdeployconf SYNO_Scheme _getdeployconf SYNO_Hostname _getdeployconf SYNO_Port - # default vaules for scheme, hostname, and port - # defaulting to localhost and http because it's localhost... + # Default values for scheme, hostname & port + # Defaulting to localhost & http, because it's localhost… [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http" [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost" [ -n "${SYNO_Port}" ] || SYNO_Port="5000" - _savedeployconf SYNO_Scheme "$SYNO_Scheme" _savedeployconf SYNO_Hostname "$SYNO_Hostname" _savedeployconf SYNO_Port "$SYNO_Port" - _debug2 SYNO_Scheme "$SYNO_Scheme" _debug2 SYNO_Hostname "$SYNO_Hostname" _debug2 SYNO_Port "$SYNO_Port" @@ -87,49 +93,49 @@ synology_dsm_deploy() { _debug3 response "$response" _debug3 api_version "$api_version" - # Login, get the token from JSON and session id from cookie + # Login, get the session ID & SynoToken from JSON _info "Logging into $SYNO_Hostname:$SYNO_Port" encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)" encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)" - otp_code="" - if [ -n "$SYNO_TOTP_SECRET" ]; then - if _exists oathtool; then - otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)" - else - _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET" - return 1 + # Get device ID if still empty first, otherwise log in right away + if [ -z "${SYNO_Device_ID:-}" ]; then + printf "Enter OTP code for user '%s': " "$SYNO_Username" + read -r otp_code + if [ -z "${SYNO_Device_Name:-}" ]; then + printf "Enter device name or leave empty for default (CertRenewal): " + read -r SYNO_Device_Name + [ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal" fi - fi - if [ -n "$SYNO_DID" ]; then - _H1="Cookie: did=$SYNO_DID" - export _H1 - _debug3 H1 "${_H1}" + response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name") + _debug3 response "$response" + SYNO_Device_ID=$(echo "$response" | grep "device_id" | sed -n 's/.*"device_id" *: *"\([^"]*\).*/\1/p') + _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID" + else + response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID") + _debug3 response "$response" fi - response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") + sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p') token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') - _debug3 response "$response" - _debug token "$token" - - if [ -z "$token" ]; then - _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme." - _err "Check your username and password." - _err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET." + _debug Session ID "$sid" + _debug SynoToken "$token" + if [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then + _err "Unable to authenticate to $_base_url - check your username & password." + _err "If two-factor authentication is enabled for the user, set SYNO_Device_ID." return 1 fi - sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p') _H1="X-SYNO-TOKEN: $token" export _H1 _debug2 H1 "${_H1}" - # Now that we know the username and password are good, save them + # Now that we know the username & password are good, save them _savedeployconf SYNO_Username "$SYNO_Username" _savedeployconf SYNO_Password "$SYNO_Password" - _savedeployconf SYNO_DID "$SYNO_DID" - _savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET" + _savedeployconf SYNO_Device_Name "$SYNO_Device_Name" + _savedeployconf SYNO_Device_ID "$SYNO_Device_ID" _info "Getting certificates in Synology DSM" response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi") @@ -140,7 +146,7 @@ synology_dsm_deploy() { _debug2 id "$id" if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then - _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set" + _err "Unable to find certificate: $SYNO_Certificate & \$SYNO_Create is not set" return 1 fi @@ -171,13 +177,23 @@ synology_dsm_deploy() { if ! echo "$response" | grep '"error":' >/dev/null; then if echo "$response" | grep '"restart_httpd":true' >/dev/null; then - _info "http services were restarted" + _info "Restarting HTTP services succeeded" else - _info "http services were NOT restarted" + _info "Restarting HTTP services failed" fi + + _logout return 0 else _err "Unable to update certificate, error code $response" + _logout return 1 fi } + +#################### Private functions below ################################## +_logout() { + # Logout to not occupy a permanent session, e. g. in DSM's "Connected Users" widget + response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout") + _debug3 response "$response" +} From 0548ad2fc6b4febe557620ec2280bdec6b7ec304 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sun, 28 May 2023 22:33:15 +0200 Subject: [PATCH 152/276] Fix debug output of session ID --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 4e6ce661..f709e0fb 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -119,7 +119,7 @@ synology_dsm_deploy() { sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p') token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') - _debug Session ID "$sid" + _debug "Session ID" "$sid" _debug SynoToken "$token" if [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then _err "Unable to authenticate to $_base_url - check your username & password." From 63fca33b0459b1483c91c38a9ae3060bb6ef621a Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Mon, 29 May 2023 20:12:52 +0200 Subject: [PATCH 153/276] Fix retrieval of domain zone --- dnsapi/dns_artfiles.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 2f8e158f..703c02ac 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -140,14 +140,13 @@ _dns() { # Gets the root domain zone for given domain. # Usage: _get_zone _acme-challenge.www.example.com _get_zone() { - _info 'Getting domain zone...' - _debug2 'Initial FQDN' "$1" fqdn="$1" - fqdn="${fqdn#*.}" # Strip "_acme-challenge" right away - _debug2 'Reduced FQDN' "$fqdn" + domains="$(_get "$AF_URL_DOMAINS" "" 10)" + _info 'Getting domain zone...' + _debug2 'FQDN' "$fqdn" + _debug2 'Domains' "$domains" - domains="$(_get "$AF_URL_DOMAINS" '' 10)" - while true; do + while _contains "$fqdn" "."; do if _contains "$domains" "$fqdn"; then domain="$fqdn" _info "Found root domain zone: $domain" @@ -162,7 +161,7 @@ _get_zone() { return 0 fi - _err "Couldn't find root domain zone." + _err 'Couldn\'t find root domain zone.' return 1 } From fb33ea2a0b6fc8ff260da123709b0872c6b91e79 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Mon, 29 May 2023 20:21:16 +0200 Subject: [PATCH 154/276] Fix single quote escaping --- dnsapi/dns_artfiles.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 703c02ac..ad547e3f 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -161,7 +161,7 @@ _get_zone() { return 0 fi - _err 'Couldn\'t find root domain zone.' + _err 'Couldn'\''t find root domain zone.' return 1 } From d108072bfbc057f895d29620a8ecd6752ebe47f6 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Tue, 30 May 2023 09:24:17 +0200 Subject: [PATCH 155/276] Add ArtFiles.de DNS API plugin --- dnsapi/dns_artfiles.sh | 175 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 dnsapi/dns_artfiles.sh diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh new file mode 100644 index 00000000..ad547e3f --- /dev/null +++ b/dnsapi/dns_artfiles.sh @@ -0,0 +1,175 @@ +#!/usr/bin/env sh + +################################################################################ +# ACME.sh 3rd party DNS API plugin for ArtFiles.de +################################################################################ +# Author: Martin Arndt, https://troublezone.net/ +# Released: 2022-02-27 +# Issues: https://github.com/Eagle3386/acme.sh/issues +################################################################################ +# Usage: +# 1. export AF_API_USERNAME="api12345678" +# 2. export AF_API_PASSWORD="apiPassword" +# 3. acme.sh --issue -d example.com --dns dns_artfiles +################################################################################ + +########## API configuration ################################################### +AF_API_SUCCESS='status":"OK' +AF_URL_DCP='https://dcp.c.artfiles.de/api/' +AF_URL_DNS=${AF_URL_DCP}'dns/{*}_dns.html?domain=' +AF_URL_DOMAINS=${AF_URL_BASE}'domain/get_domains.html' + +########## Public functions #################################################### + +# Adds a new TXT record for given ACME challenge value & domain. +# Usage: dns_artfiles_add _acme-challenge.www.example.com "ACME challenge value" +dns_artfiles_add() { + domain="$1" + txtValue="$2" + _info 'Using ArtFiles.de DNS addition API' + _debug 'Domain' "$domain" + _debug 'txtValue' "$txtValue" + + AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}" + AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}" + if [ -z "$AF_API_USERNAME" ] || [ -z "$AF_API_PASSWORD" ]; then + _err 'Missing ArtFiles.de username and/or password.' + _err 'Please ensure both are set via export command & try again.' + + return 1 + fi + + _saveaccountconf_mutable 'AF_API_USERNAME' "$AF_API_USERNAME" + _saveaccountconf_mutable 'AF_API_PASSWORD' "$AF_API_PASSWORD" + + _set_headers + _get_zone "$domain" + _dns 'GET' + if ! _contains "$response" 'TXT'; then + _err 'Retrieving TXT records failed.' + + return 1 + fi + + _clean_records + _dns 'SET' "$(printf -- '%s\n_acme-challenge "%s"' "$response" "$txtValue")" + if ! _contains "$response" "$AF_API_SUCCESS"; then + _err 'Adding ACME challenge value failed.' + + return 1 + fi +} + +# Removes the existing TXT record for given ACME challenge value & domain. +# Usage: dns_artfiles_rm _acme-challenge.www.example.com "ACME challenge value" +dns_artfiles_rm() { + domain="$1" + txtValue="$2" + _info 'Using ArtFiles.de DNS removal API' + _debug 'Domain' "$domain" + _debug 'txtValue' "$txtValue" + + _set_headers + _get_zone "$domain" + if ! _dns 'GET'; then + return 1 + fi + + if ! _contains "$response" "$txtValue"; then + _err 'Retrieved TXT records are missing given ACME challenge value.' + + return 1 + fi + + _clean_records + response="$(printf -- '%s' "$response" | sed '$d')" + _dns 'SET' "$response" + if ! _contains "$response" "$AF_API_SUCCESS"; then + _err 'Removing ACME challenge value failed.' + + return 1 + fi +} + +########## Private functions ################################################### + +# Cleans awful TXT records response of ArtFiles's API & pretty prints it. +# Usage: _clean_records +_clean_records() { + # Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid + # usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\' + # from '\"' & turn '\n' into real LF characters. + # Yup, awful API to use - but that's all we got to get this working, so... ;) + _debug2 'Raw ' "$response" + response="$( + printf -- '%s' "$response" + \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g' + )" + _debug2 'Clean' "$response" +} + +# Executes an HTTP GET or POST request for getting or setting DNS records, +# containing given payload upon POST. +# Usage: _dns [GET | SET] [payload] +_dns() { + action="$1" + payload="$(printf -- '%s' "$2" | _url_encode)" + url="$( + printf -- '%s%s' "$AF_URL_DNS" "$domain" + \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/' + )" + + if [ "$action" = 'SET' ]; then + _debug2 'Payload' "$payload" + response="$(_post '' "$url&TXT=$payload" '' 'POST' 'application/x-www-form-urlencoded')" + else + response="$(_get "$url" '' 10)" + fi + + if ! _contains "$response" "$AF_API_SUCCESS"; then + _err "DNS API error: $response" + + return 1 + fi + + _debug 'Response' "$response" + + return 0 +} + +# Gets the root domain zone for given domain. +# Usage: _get_zone _acme-challenge.www.example.com +_get_zone() { + fqdn="$1" + domains="$(_get "$AF_URL_DOMAINS" "" 10)" + _info 'Getting domain zone...' + _debug2 'FQDN' "$fqdn" + _debug2 'Domains' "$domains" + + while _contains "$fqdn" "."; do + if _contains "$domains" "$fqdn"; then + domain="$fqdn" + _info "Found root domain zone: $domain" + break + else + fqdn="${fqdn#*.}" + _debug2 'FQDN' "$fqdn" + fi + done + + if [ "$domain" = "$fqdn" ]; then + return 0 + fi + + _err 'Couldn'\''t find root domain zone.' + + return 1 +} + +# Adds the HTTP Authorization & Content-Type headers to a follow-up request. +# Usage: _set_headers +_set_headers() { + encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" + export _H1="Authorization: Basic $encoded" + export _H2='Content-Type: application/json' +} From 6c8920f63eb59e554767e40dcefacec55ecf1396 Mon Sep 17 00:00:00 2001 From: Sergey Ponomarev Date: Mon, 5 Jun 2023 12:54:54 +0300 Subject: [PATCH 156/276] dns_ovh.sh Add ovh-us endpoint Remove discontinued runabove.com If any new env will be added then a user may spe Signed-off-by: Sergey Ponomarev --- dnsapi/dns_ovh.sh | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_ovh.sh b/dnsapi/dns_ovh.sh index 5e35011b..e1a958f6 100755 --- a/dnsapi/dns_ovh.sh +++ b/dnsapi/dns_ovh.sh @@ -14,6 +14,9 @@ #'ovh-eu' OVH_EU='https://eu.api.ovh.com/1.0' +#'ovh-us' +OVH_US='https://api.us.ovhcloud.com/1.0' + #'ovh-ca': OVH_CA='https://ca.api.ovh.com/1.0' @@ -29,9 +32,6 @@ SYS_EU='https://eu.api.soyoustart.com/1.0' #'soyoustart-ca' SYS_CA='https://ca.api.soyoustart.com/1.0' -#'runabove-ca' -RAV_CA='https://api.runabove.com/1.0' - wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api" ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success" @@ -45,6 +45,10 @@ _ovh_get_api() { printf "%s" $OVH_EU return ;; + ovh-us | ovhus) + printf "%s" $OVH_US + return + ;; ovh-ca | ovhca) printf "%s" $OVH_CA return @@ -65,14 +69,15 @@ _ovh_get_api() { printf "%s" $SYS_CA return ;; - runabove-ca | runaboveca) - printf "%s" $RAV_CA + # raw API url starts with https:// + https*) + printf "%s" "$1" return ;; *) - _err "Unknown parameter : $1" + _err "Unknown endpoint : $1" return 1 ;; esac From beab808b76fa49ab0eb2306b4b800acdb39e7f0e Mon Sep 17 00:00:00 2001 From: Justin Nogossek Date: Wed, 7 Jun 2023 23:35:47 +0200 Subject: [PATCH 157/276] Update URL --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 15bc4089..d04d4d48 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) - [archlinux](https://www.archlinux.org/packages/community/any/acme.sh) - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) -- [CentOS Web Panel](http://centos-webpanel.com/) +- [CentOS Web Panel](https://control-webpanel.com) - [lnmp.org](https://lnmp.org/) - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials) From caf23f9a0484c81ed9185e7ed479394d9736d3af Mon Sep 17 00:00:00 2001 From: Justin Nogossek Date: Wed, 7 Jun 2023 23:36:18 +0200 Subject: [PATCH 158/276] Remove not anymore exists tutorials and websites --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index d04d4d48..73ff3321 100644 --- a/README.md +++ b/README.md @@ -51,12 +51,10 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) - [ruby-china.org](https://ruby-china.org/topics/31983) - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management) - [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89) -- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt) - [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty) - [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709) - [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html) - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) -- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh) - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) - [CentOS Web Panel](https://control-webpanel.com) - [lnmp.org](https://lnmp.org/) From 4c30250782ff7440ca5ceeddb066a67ca450fcc7 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 9 Jun 2023 19:59:29 +0800 Subject: [PATCH 159/276] fix https://github.com/acmesh-official/acme.sh/issues/4659 --- acme.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/acme.sh b/acme.sh index 37d13662..df0bd27d 100755 --- a/acme.sh +++ b/acme.sh @@ -2884,6 +2884,7 @@ _initpath() { fi fi _debug DOMAIN_PATH "$DOMAIN_PATH" + export DOMAIN_PATH fi if [ -z "$DOMAIN_BACKUP_PATH" ]; then @@ -4952,18 +4953,6 @@ $_authorizations_map" if ! chmod a+r "$wellknown_path/$token"; then _debug "chmod failed, but we just continue." fi - if [ ! "$usingApache" ]; then - if webroot_owner=$(_stat "$_currentRoot"); then - _debug "Changing owner/group of .well-known to $webroot_owner" - if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then - _debug "$(cat "$_EXEC_TEMP_ERR")" - _exec_err >/dev/null 2>&1 - fi - else - _debug "not changing owner/group of webroot" - fi - fi - fi elif [ "$vtype" = "$VTYPE_ALPN" ]; then acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")" From 327e2fb0a4bdbe4b75339e1cad6d20bda29318d6 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 9 Jun 2023 20:18:38 +0800 Subject: [PATCH 160/276] remove all exec. https://github.com/acmesh-official/acme.sh/issues/4659 --- acme.sh | 40 ++++++++-------------------------------- 1 file changed, 8 insertions(+), 32 deletions(-) diff --git a/acme.sh b/acme.sh index df0bd27d..633eb9fa 100755 --- a/acme.sh +++ b/acme.sh @@ -2936,22 +2936,6 @@ _initpath() { } -_exec() { - if [ -z "$_EXEC_TEMP_ERR" ]; then - _EXEC_TEMP_ERR="$(_mktemp)" - fi - - if [ "$_EXEC_TEMP_ERR" ]; then - eval "$@ 2>>$_EXEC_TEMP_ERR" - else - eval "$@" - fi -} - -_exec_err() { - [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR" -} - _apachePath() { _APACHECTL="apachectl" if ! _exists apachectl; then @@ -2964,8 +2948,7 @@ _apachePath() { fi fi - if ! _exec $_APACHECTL -V >/dev/null; then - _exec_err + if ! $_APACHECTL -V >/dev/null; then return 1 fi @@ -3017,8 +3000,7 @@ _restoreApache() { cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf" _debug "Restored: $httpdconf." - if ! _exec $_APACHECTL -t; then - _exec_err + if ! $_APACHECTL -t; then _err "Sorry, restore apache config error, please contact me." return 1 fi @@ -3036,8 +3018,7 @@ _setApache() { #test the conf first _info "Checking if there is an error in the apache config file before starting." - if ! _exec "$_APACHECTL" -t >/dev/null; then - _exec_err + if ! $_APACHECTL -t >/dev/null; then _err "The apache config file has error, please fix it first, then try again." _err "Don't worry, there is nothing changed to your system." return 1 @@ -3098,8 +3079,7 @@ Allow from all chmod 755 "$ACME_DIR" fi - if ! _exec "$_APACHECTL" graceful; then - _exec_err + if ! $_APACHECTL graceful; then _err "$_APACHECTL graceful error, please contact me." _restoreApache return 1 @@ -3184,8 +3164,7 @@ _setNginx() { return 1 fi _info "Check the nginx conf before setting up." - if ! _exec "nginx -t" >/dev/null; then - _exec_err + if ! nginx -t >/dev/null; then return 1 fi @@ -3212,16 +3191,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" { fi _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)" _info "nginx conf is done, let's check it again." - if ! _exec "nginx -t" >/dev/null; then - _exec_err + if ! nginx -t >/dev/null; then _err "It seems that nginx conf was broken, let's restore." cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" return 1 fi _info "Reload nginx" - if ! _exec "nginx -s reload" >/dev/null; then - _exec_err + if ! nginx -s reload >/dev/null; then _err "It seems that nginx reload error, let's restore." cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" return 1 @@ -3346,8 +3323,7 @@ _restoreNginx() { done _info "Reload nginx" - if ! _exec "nginx -s reload" >/dev/null; then - _exec_err + if ! nginx -s reload >/dev/null; then _err "It seems that nginx reload error, please report bug." return 1 fi From f680ede9802fb7e1dfa5a68da53c50675bfa9607 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 10 Jun 2023 01:16:57 +0800 Subject: [PATCH 161/276] start 3.0.7 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 633eb9fa..0cc52131 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=3.0.6 +VER=3.0.7 PROJECT_NAME="acme.sh" From 0d0478245fe4ac60eec7ab1621fa47fda3bfd27a Mon Sep 17 00:00:00 2001 From: Adrian Fedoreanu Date: Sat, 26 Nov 2022 20:11:41 +0100 Subject: [PATCH 162/276] dns_1984hosting.sh: fix login with valid csrftoken and sessionid --- dnsapi/dns_1984hosting.sh | 156 ++++++++++++++++++++------------------ 1 file changed, 84 insertions(+), 72 deletions(-) diff --git a/dnsapi/dns_1984hosting.sh b/dnsapi/dns_1984hosting.sh index 6accc597..2c6b2e4f 100755 --- a/dnsapi/dns_1984hosting.sh +++ b/dnsapi/dns_1984hosting.sh @@ -1,46 +1,46 @@ #!/usr/bin/env sh -#This file name is "dns_1984hosting.sh" -#So, here must be a method dns_1984hosting_add() -#Which will be called by acme.sh to add the txt record to your api system. -#returns 0 means success, otherwise error. +# This file name is "dns_1984hosting.sh" +# So, here must be a method dns_1984hosting_add() +# Which will be called by acme.sh to add the txt record to your api system. +# returns 0 means success, otherwise error. -#Author: Adrian Fedoreanu -#Report Bugs here: https://github.com/acmesh-official/acme.sh +# Author: Adrian Fedoreanu +# Report Bugs here: https://github.com/acmesh-official/acme.sh # or here... https://github.com/acmesh-official/acme.sh/issues/2851 -# -######## Public functions ##################### + +######## Public functions ##################### # Export 1984HOSTING username and password in following variables # # One984HOSTING_Username=username # One984HOSTING_Password=password # -# sessionid cookie is saved in ~/.acme.sh/account.conf -# username/password need to be set only when changed. +# username/password and csrftoken/sessionid cookies are saved in ~/.acme.sh/account.conf -#Usage: dns_1984hosting_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Usage: dns_1984hosting_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Add a text record. dns_1984hosting_add() { fulldomain=$1 txtvalue=$2 - _info "Add TXT record using 1984Hosting" + _info "Add TXT record using 1984Hosting." _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" if ! _1984hosting_login; then - _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file" + _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file." return 1 fi - _debug "First detect the root zone" + _debug "First detect the root zone." if ! _get_root "$fulldomain"; then - _err "invalid domain" "$fulldomain" + _err "Invalid domain '$fulldomain'." return 1 fi _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" - _debug "Add TXT record $fulldomain with value '$txtvalue'" + _debug "Add TXT record $fulldomain with value '$txtvalue'." value="$(printf '%s' "$txtvalue" | _url_encode)" url="https://1984.hosting/domains/entry/" @@ -53,93 +53,97 @@ dns_1984hosting_add() { _debug2 postdata "$postdata" _authpost "$postdata" "$url" - response="$(echo "$_response" | _normalizeJson)" - _debug2 response "$response" - - if _contains "$response" '"haserrors": true'; then - _err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post" + if _contains "$_response" '"haserrors": true'; then + _err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post." return 1 - elif _contains "$response" "html>"; then - _err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file" + elif _contains "$_response" "html>"; then + _err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file." return 1 - elif _contains "$response" '"auth": false'; then - _err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie" + elif _contains "$_response" '"auth": false'; then + _err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie." return 1 fi - _info "Added acme challenge TXT record for $fulldomain at 1984Hosting" + _info "Added acme challenge TXT record for $fulldomain at 1984Hosting." return 0 } -#Usage: fulldomain txtvalue -#Remove the txt record after validation. +# Usage: fulldomain txtvalue +# Remove the txt record after validation. dns_1984hosting_rm() { fulldomain=$1 txtvalue=$2 - _info "Delete TXT record using 1984Hosting" + _info "Delete TXT record using 1984Hosting." _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" if ! _1984hosting_login; then - _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file" + _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file." return 1 fi - _debug "First detect the root zone" + _debug "First detect the root zone." if ! _get_root "$fulldomain"; then - _err "invalid domain" "$fulldomain" + _err "Invalid domain '$fulldomain'." return 1 fi _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" - _debug "Delete $fulldomain TXT record" + _debug "Delete $fulldomain TXT record." url="https://1984.hosting/domains" if ! _get_zone_id "$url" "$_domain"; then - _err "invalid zone" "$_domain" + _err "Invalid zone '$_domain'." return 1 fi _htmlget "$url/$_zone_id" "$txtvalue" - _debug2 _response "$_response" entry_id="$(echo "$_response" | _egrep_o 'entry_[0-9]+' | sed 's/entry_//')" _debug2 entry_id "$entry_id" if [ -z "$entry_id" ]; then - _err "Error getting TXT entry_id for $1" + _err "Error getting TXT entry_id for $1." return 1 fi _authpost "entry=$entry_id" "$url/delentry/" - response="$(echo "$_response" | _normalizeJson)" - _debug2 response "$response" - - if ! _contains "$response" '"ok": true'; then - _err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post" + if ! _contains "$_response" '"ok": true'; then + _err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post." return 1 fi - _info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting" + _info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting." return 0 } #################### Private functions below ################################## - -# usage: _1984hosting_login username password -# returns 0 success _1984hosting_login() { if ! _check_credentials; then return 1; fi if _check_cookies; then - _debug "Already logged in" + _debug "Already logged in." return 0 fi - _debug "Login to 1984Hosting as user $One984HOSTING_Username" + _debug "Login to 1984Hosting as user $One984HOSTING_Username." username=$(printf '%s' "$One984HOSTING_Username" | _url_encode) password=$(printf '%s' "$One984HOSTING_Password" | _url_encode) url="https://1984.hosting/accounts/checkuserauth/" + _get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken" + csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')" + sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')" + + if [ -z "$csrftoken" ] || [ -z "$sessionid" ]; then + _err "One or more cookies are empty: '$csrftoken', '$sessionid'." + return 1 + fi + + export _H1="Cookie: $csrftoken; $sessionid" + export _H2="Referer: https://1984.hosting/accounts/login/" + csrf_header=$(echo "$csrftoken" | sed 's/csrftoken=//' | _head_n 1) + export _H3="X-CSRFToken: $csrf_header" + response="$(_post "username=$username&password=$password&otpkey=" $url)" response="$(echo "$response" | _normalizeJson)" _debug2 response "$response" @@ -149,6 +153,8 @@ _1984hosting_login() { One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')" export One984HOSTING_SESSIONID_COOKIE export One984HOSTING_CSRFTOKEN_COOKIE + _saveaccountconf_mutable One984HOSTING_Username "$One984HOSTING_Username" + _saveaccountconf_mutable One984HOSTING_Password "$One984HOSTING_Password" _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE" _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE" return 0 @@ -157,9 +163,13 @@ _1984hosting_login() { } _check_credentials() { + One984HOSTING_Username="${One984HOSTING_Username:-$(_readaccountconf_mutable One984HOSTING_Username)}" + One984HOSTING_Password="${One984HOSTING_Password:-$(_readaccountconf_mutable One984HOSTING_Password)}" if [ -z "$One984HOSTING_Username" ] || [ -z "$One984HOSTING_Password" ]; then One984HOSTING_Username="" One984HOSTING_Password="" + _clearaccountconf_mutable One984HOSTING_Username + _clearaccountconf_mutable One984HOSTING_Password _err "You haven't specified 1984Hosting username or password yet." _err "Please export as One984HOSTING_Username / One984HOSTING_Password and try again." return 1 @@ -171,42 +181,43 @@ _check_cookies() { One984HOSTING_SESSIONID_COOKIE="${One984HOSTING_SESSIONID_COOKIE:-$(_readaccountconf_mutable One984HOSTING_SESSIONID_COOKIE)}" One984HOSTING_CSRFTOKEN_COOKIE="${One984HOSTING_CSRFTOKEN_COOKIE:-$(_readaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE)}" if [ -z "$One984HOSTING_SESSIONID_COOKIE" ] || [ -z "$One984HOSTING_CSRFTOKEN_COOKIE" ]; then - _debug "No cached cookie(s) found" + _debug "No cached cookie(s) found." return 1 fi _authget "https://1984.hosting/accounts/loginstatus/" - if _contains "$response" '"ok": true'; then - _debug "Cached cookies still valid" + if _contains "$_response" '"ok": true'; then + _debug "Cached cookies still valid." return 0 fi - _debug "Cached cookies no longer valid" + + _debug "Cached cookies no longer valid. Clearing cookies." One984HOSTING_SESSIONID_COOKIE="" One984HOSTING_CSRFTOKEN_COOKIE="" - _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE" - _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE" + _clearaccountconf_mutable One984HOSTING_SESSIONID_COOKIE + _clearaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE return 1 } -#_acme-challenge.www.domain.com -#returns -# _sub_domain=_acme-challenge.www -# _domain=domain.com +# _acme-challenge.www.domain.com +# Returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com _get_root() { domain="$1" i=1 p=1 while true; do - h=$(printf "%s" "$domain" | cut -d . -f $i-100) + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + # not valid if [ -z "$h" ]; then - #not valid return 1 fi _authget "https://1984.hosting/domains/soacheck/?zone=$h&nameserver=ns0.1984.is." if _contains "$_response" "serial" && ! _contains "$_response" "null"; then - _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") _domain="$h" return 0 fi @@ -216,46 +227,47 @@ _get_root() { return 1 } -#usage: _get_zone_id url domain.com -#returns zone id for domain.com +# Usage: _get_zone_id url domain.com +# Returns zone id for domain.com _get_zone_id() { url=$1 domain=$2 _htmlget "$url" "$domain" - _debug2 _response "$_response" _zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+' | _head_n 1)" _debug2 _zone_id "$_zone_id" if [ -z "$_zone_id" ]; then - _err "Error getting _zone_id for $2" + _err "Error getting _zone_id for $2." return 1 fi return 0 } -# add extra headers to request +# Add extra headers to request _authget() { - export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE" + export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE" _response=$(_get "$1" | _normalizeJson) _debug2 _response "$_response" } -# truncate huge HTML response -# echo: Argument list too long +# Truncate huge HTML response +# Echo: Argument list too long _htmlget() { - export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE" + export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE" _response=$(_get "$1" | grep "$2") if _contains "$_response" "@$2"; then _response=$(echo "$_response" | grep -v "[@]" | _head_n 1) fi + _debug2 _response "$_response" } -# add extra headers to request +# Add extra headers to request _authpost() { url="https://1984.hosting/domains" _get_zone_id "$url" "$_domain" csrf_header="$(echo "$One984HOSTING_CSRFTOKEN_COOKIE" | _egrep_o "=[^=][0-9a-zA-Z]*" | tr -d "=")" - export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE" + export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE" export _H2="Referer: https://1984.hosting/domains/$_zone_id" export _H3="X-CSRFToken: $csrf_header" - _response=$(_post "$1" "$2") + _response="$(_post "$1" "$2" | _normalizeJson)" + _debug2 _response "$_response" } From db3f131dfc92022fda39386b6b2f2ac33a29e010 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Tue, 4 Jul 2023 15:47:19 +0200 Subject: [PATCH 163/276] Re-add deprecated SYNO_TOTP_SECRET part for legacy compatibility As requested in acmesh-official/acme.sh/pull/4646 by Neil Pang --- deploy/synology_dsm.sh | 40 ++++++++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index f709e0fb..406c6ac0 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -5,7 +5,7 @@ ################################################################################ # Authors: Brian Hartvigsen (creator), https://github.com/tresni # Martin Arndt (contributor), https://troublezone.net/ -# Updated: 2023-05-28 +# Updated: 2023-07-03 # Issues: https://github.com/acmesh-official/acme.sh/issues/2727 ################################################################################ # Usage: @@ -41,6 +41,8 @@ synology_dsm_deploy() { _getdeployconf SYNO_Username _getdeployconf SYNO_Password _getdeployconf SYNO_Create + _getdeployconf SYNO_DID + _getdeployconf SYNO_TOTP_SECRET _getdeployconf SYNO_Device_Name _getdeployconf SYNO_Device_ID if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then @@ -74,7 +76,7 @@ synology_dsm_deploy() { _debug2 SYNO_Hostname "$SYNO_Hostname" _debug2 SYNO_Port "$SYNO_Port" - # Get the certificate description, but don't save it until we verfiy it's real + # Get the certificate description, but don't save it until we verify it's real _getdeployconf SYNO_Certificate _debug SYNO_Certificate "${SYNO_Certificate:-}" @@ -97,9 +99,31 @@ synology_dsm_deploy() { _info "Logging into $SYNO_Hostname:$SYNO_Port" encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)" encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)" + + # START - DEPRECATED, only kept for legacy compatibility reasons + if [ -n "$SYNO_TOTP_SECRET" ]; then + _info "WARNING: Usage of SYNO_TOTP_SECRET is deprecated!" + _info " See synology_dsm.sh script or ACME.sh Wiki page for details:" + _info " https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide" + DEPRECATED_otp_code="" + if _exists oathtool; then + DEPRECATED_otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)" + else + _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET" + return 1 + fi + if [ -n "$SYNO_DID" ]; then + _H1="Cookie: did=$SYNO_DID" + export _H1 + _debug3 H1 "${_H1}" + fi + + response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") + _debug3 response "$response" + # END - DEPRECATED, only kept for legacy compatibility reasons # Get device ID if still empty first, otherwise log in right away - if [ -z "${SYNO_Device_ID:-}" ]; then + elif [ -z "${SYNO_Device_ID:-}" ]; then printf "Enter OTP code for user '%s': " "$SYNO_Username" read -r otp_code if [ -z "${SYNO_Device_Name:-}" ]; then @@ -121,7 +145,7 @@ synology_dsm_deploy() { token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') _debug "Session ID" "$sid" _debug SynoToken "$token" - if [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then + if [ -z "$SYNO_DID" && -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then _err "Unable to authenticate to $_base_url - check your username & password." _err "If two-factor authentication is enabled for the user, set SYNO_Device_ID." return 1 @@ -150,7 +174,7 @@ synology_dsm_deploy() { return 1 fi - # we've verified this certificate description is a thing, so save it + # We've verified this certificate description is a thing, so save it _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64" _info "Generate form POST request" @@ -162,10 +186,10 @@ synology_dsm_deploy() { content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}" if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then - _debug2 default "this is the default certificate" + _debug2 default "This is the default certificate" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true" else - _debug2 default "this is NOT the default certificate" + _debug2 default "This is NOT the default certificate" fi content="$content${nl}--$delim--${nl}" content="$(printf "%b_" "$content")" @@ -193,7 +217,7 @@ synology_dsm_deploy() { #################### Private functions below ################################## _logout() { - # Logout to not occupy a permanent session, e. g. in DSM's "Connected Users" widget + # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout") _debug3 response "$response" } From 0c9e4f67a89bfbc6ee14802139324c3b80c3ac03 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Tue, 4 Jul 2023 15:55:44 +0200 Subject: [PATCH 164/276] Update synology_dsm.sh Split "[ && ]" into "[ ] && [ ]" to make ShellCheck happy --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 406c6ac0..04d59e55 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -145,7 +145,7 @@ synology_dsm_deploy() { token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') _debug "Session ID" "$sid" _debug SynoToken "$token" - if [ -z "$SYNO_DID" && -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then + if [ -z "$SYNO_DID" ] && [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then _err "Unable to authenticate to $_base_url - check your username & password." _err "If two-factor authentication is enabled for the user, set SYNO_Device_ID." return 1 From 0d7b831661dc01ba28d8b461c930049cea3e6ea4 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Tue, 4 Jul 2023 16:58:14 +0200 Subject: [PATCH 165/276] Fix variable initialization --- deploy/synology_dsm.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 04d59e55..7398b350 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -99,7 +99,8 @@ synology_dsm_deploy() { _info "Logging into $SYNO_Hostname:$SYNO_Port" encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)" encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)" - + + otp_code="" # START - DEPRECATED, only kept for legacy compatibility reasons if [ -n "$SYNO_TOTP_SECRET" ]; then _info "WARNING: Usage of SYNO_TOTP_SECRET is deprecated!" @@ -119,7 +120,7 @@ synology_dsm_deploy() { _debug3 H1 "${_H1}" fi - response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") + response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") _debug3 response "$response" # END - DEPRECATED, only kept for legacy compatibility reasons # Get device ID if still empty first, otherwise log in right away From e0d96bcb3928fda0c8e40ffa189578250822323a Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Tue, 4 Jul 2023 21:54:49 -0400 Subject: [PATCH 166/276] Add initial AWS SES support Copied most of the v4 api stuff from DNS_AWS hook (Thanks!) New tokens added: AWS_SES_ACCESS_KEY_ID AWS_SES_SECRET_ACCESS_KEY AWS_SES_REGION AWS_SES_TO AWS_SES_FROM AWS_SES_FROM_NAME (Optional) --- notify/aws_ses.sh | 226 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 notify/aws_ses.sh diff --git a/notify/aws_ses.sh b/notify/aws_ses.sh new file mode 100644 index 00000000..0741ca81 --- /dev/null +++ b/notify/aws_ses.sh @@ -0,0 +1,226 @@ +#!/usr/bin/env sh + +# +#AWS_SES_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#AWS_SES_SECRET_ACCESS_KEY="xxxxxxx" +# +#AWS_SES_REGION="us-east-1" +# +#AWS_SES_TO="xxxx@xxx.com" +# +#AWS_SES_FROM="xxxx@cccc.com" +# +#AWS_SES_FROM_NAME="Something something" +#This is the Amazon SES api wrapper for acme.sh +AWS_WIKI="https://docs.aws.amazon.com/ses/latest/dg/send-email-api.html" + +aws_ses_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + AWS_SES_ACCESS_KEY_ID="${AWS_SES_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_SES_ACCESS_KEY_ID)}" + AWS_SES_SECRET_ACCESS_KEY="${AWS_SES_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SES_SECRET_ACCESS_KEY)}" + AWS_SES_REGION="${AWS_SES_REGION:-$(_readaccountconf_mutable AWS_SES_REGION)}" + + + if [ -z "$AWS_SES_ACCESS_KEY_ID" ] || [ -z "$AWS_SES_SECRET_ACCESS_KEY" ]; then + _use_container_role || _use_instance_role + fi + + if [ -z "$AWS_SES_ACCESS_KEY_ID" ] || [ -z "$AWS_SES_SECRET_ACCESS_KEY" ]; then + AWS_SES_ACCESS_KEY_ID="" + AWS_SES_SECRET_ACCESS_KEY="" + _err "You haven't specified the aws SES api key id and and api key secret yet." + _err "Please create your key and try again. see $(__green $AWS_WIKI)" + return 1 + fi + + if [ -z "$AWS_SES_REGION" ]; then + AWS_SES_REGION="" + _err "You haven't specified the aws SES api region yet." + _err "Please specify your region and try again. see https://docs.aws.amazon.com/general/latest/gr/ses.html" + return 1 + fi + + #save for future use, unless using a role which will be fetched as needed + if [ -z "$_using_role" ]; then + _saveaccountconf_mutable AWS_SES_ACCESS_KEY_ID "$AWS_SES_ACCESS_KEY_ID" + _saveaccountconf_mutable AWS_SES_SECRET_ACCESS_KEY "$AWS_SES_SECRET_ACCESS_KEY" + fi + + AWS_SES_TO="${AWS_SES_TO:-$(_readaccountconf_mutable AWS_SES_TO)}" + if [ -z "$AWS_SES_TO" ]; then + AWS_SES_TO="" + _err "You didn't specify an email to AWS_SES_TO receive messages." + return 1 + fi + _saveaccountconf_mutable AWS_SES_TO "$AWS_SES_TO" + + AWS_SES_FROM="${AWS_SES_FROM:-$(_readaccountconf_mutable AWS_SES_FROM)}" + if [ -z "$AWS_SES_FROM" ]; then + AWS_SES_FROM="" + _err "You didn't specify an email to AWS_SES_FROM receive messages." + return 1 + fi + _saveaccountconf_mutable AWS_SES_FROM "$AWS_SES_FROM" + + AWS_SES_FROM_NAME="${AWS_SES_FROM_NAME:-$(_readaccountconf_mutable AWS_SES_FROM_NAME)}" + _saveaccountconf_mutable AWS_SES_FROM_NAME "$AWS_SES_FROM_NAME" + + AWS_SES_SENDFROM="$AWS_SES_FROM_NAME <$AWS_SES_FROM>" + + AWS_SES_ACTION="Action=SendEmail" + AWS_SES_SOURCE="Source=$AWS_SES_SENDFROM" + AWS_SES_TO="Destination.ToAddresses.member.1=$AWS_SES_TO" + AWS_SES_SUBJECT="Message.Subject.Data=$_subject" + AWS_SES_MESSAGE="Message.Body.Text.Data=$_content" + + _data="${AWS_SES_ACTION}&${AWS_SES_SOURCE}&${AWS_SES_TO}&${AWS_SES_SUBJECT}&${AWS_SES_MESSAGE}" + + response="$(aws_rest POST "" "" "$_data")" +} + +_use_metadata() { + _aws_creds="$( + _get "$1" "" 1 | + _normalizeJson | + tr '{,}' '\n' | + while read -r _line; do + _key="$(echo "${_line%%:*}" | tr -d '"')" + _value="${_line#*:}" + _debug3 "_key" "$_key" + _secure_debug3 "_value" "$_value" + case "$_key" in + AccessKeyId) echo "AWS_SES_ACCESS_KEY_ID=$_value" ;; + SecretAccessKey) echo "AWS_SES_SECRET_ACCESS_KEY=$_value" ;; + Token) echo "AWS_SESSION_TOKEN=$_value" ;; + esac + done | + paste -sd' ' - + )" + _secure_debug "_aws_creds" "$_aws_creds" + + if [ -z "$_aws_creds" ]; then + return 1 + fi + + eval "$_aws_creds" + _using_role=true +} + +#method uri qstr data +aws_rest() { + mtd="$1" + ep="$2" + qsr="$3" + data="$4" + + _debug mtd "$mtd" + _debug ep "$ep" + _debug qsr "$qsr" + _debug data "$data" + + CanonicalURI="/$ep" + _debug2 CanonicalURI "$CanonicalURI" + + CanonicalQueryString="$qsr" + _debug2 CanonicalQueryString "$CanonicalQueryString" + + RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")" + _debug2 RequestDate "$RequestDate" + + #RequestDate="20161120T141056Z" ############## + + export _H1="x-amz-date: $RequestDate" + + aws_host="email.$AWS_SES_REGION.amazonaws.com" + CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n" + SignedHeaders="host;x-amz-date" + if [ -n "$AWS_SESSION_TOKEN" ]; then + export _H3="x-amz-security-token: $AWS_SESSION_TOKEN" + CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n" + SignedHeaders="${SignedHeaders};x-amz-security-token" + fi + _debug2 CanonicalHeaders "$CanonicalHeaders" + _debug2 SignedHeaders "$SignedHeaders" + + RequestPayload="$data" + _debug2 RequestPayload "$RequestPayload" + + Hash="sha256" + + CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)" + _debug2 CanonicalRequest "$CanonicalRequest" + + HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)" + _debug2 HashedCanonicalRequest "$HashedCanonicalRequest" + + Algorithm="AWS4-HMAC-SHA256" + _debug2 Algorithm "$Algorithm" + + RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)" + _debug2 RequestDateOnly "$RequestDateOnly" + + Region="$AWS_SES_REGION" + Service="ses" + + CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request" + _debug2 CredentialScope "$CredentialScope" + + StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest" + + _debug2 StringToSign "$StringToSign" + + kSecret="AWS4$AWS_SES_SECRET_ACCESS_KEY" + + #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################ + + _secure_debug2 kSecret "$kSecret" + + kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")" + _secure_debug2 kSecretH "$kSecretH" + + kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)" + _debug2 kDateH "$kDateH" + + kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)" + _debug2 kRegionH "$kRegionH" + + kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)" + _debug2 kServiceH "$kServiceH" + + kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)" + _debug2 kSigningH "$kSigningH" + + signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)" + _debug2 signature "$signature" + + Authorization="$Algorithm Credential=$AWS_SES_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" + _debug2 Authorization "$Authorization" + + _H2="Authorization: $Authorization" + _debug _H2 "$_H2" + + url="https://$aws_host/$ep" + if [ "$qsr" ]; then + url="https://$aws_host/$ep?$qsr" + fi + + if [ "$mtd" = "GET" ]; then + response="$(_get "$url")" + else + response="$(_post "$data" "$url")" + fi + + _ret="$?" + _debug2 response "$response" + if [ "$_ret" = "0" ]; then + if _contains "$response" " Date: Tue, 4 Jul 2023 22:14:17 -0400 Subject: [PATCH 167/276] Add newline at end of file to satisfy shfmt's "No newline at end of file" error --- notify/aws_ses.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/notify/aws_ses.sh b/notify/aws_ses.sh index 0741ca81..3d4de630 100644 --- a/notify/aws_ses.sh +++ b/notify/aws_ses.sh @@ -223,4 +223,4 @@ aws_rest() { return 1 fi fi -} \ No newline at end of file +} From 8d136c6a25484687cc802b1425c48cbe6f63982d Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Tue, 4 Jul 2023 22:15:53 -0400 Subject: [PATCH 168/276] Add newline at end of file to satisfy shfmt's "extra line" error --- notify/aws_ses.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/notify/aws_ses.sh b/notify/aws_ses.sh index 3d4de630..1060763d 100644 --- a/notify/aws_ses.sh +++ b/notify/aws_ses.sh @@ -25,7 +25,6 @@ aws_ses_send() { AWS_SES_SECRET_ACCESS_KEY="${AWS_SES_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SES_SECRET_ACCESS_KEY)}" AWS_SES_REGION="${AWS_SES_REGION:-$(_readaccountconf_mutable AWS_SES_REGION)}" - if [ -z "$AWS_SES_ACCESS_KEY_ID" ] || [ -z "$AWS_SES_SECRET_ACCESS_KEY" ]; then _use_container_role || _use_instance_role fi From a6b5f0c9d41a514929bf503bd830244785f9ce95 Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Tue, 4 Jul 2023 22:31:30 -0400 Subject: [PATCH 169/276] Fix variable naming to make the access key and secret key consistent with Route53. --- notify/aws_ses.sh | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/notify/aws_ses.sh b/notify/aws_ses.sh index 1060763d..571fd392 100644 --- a/notify/aws_ses.sh +++ b/notify/aws_ses.sh @@ -1,9 +1,9 @@ #!/usr/bin/env sh # -#AWS_SES_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" +#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" # -#AWS_SES_SECRET_ACCESS_KEY="xxxxxxx" +#AWS_SECRET_ACCESS_KEY="xxxxxxx" # #AWS_SES_REGION="us-east-1" # @@ -21,17 +21,17 @@ aws_ses_send() { _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped _debug "_statusCode" "$_statusCode" - AWS_SES_ACCESS_KEY_ID="${AWS_SES_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_SES_ACCESS_KEY_ID)}" - AWS_SES_SECRET_ACCESS_KEY="${AWS_SES_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SES_SECRET_ACCESS_KEY)}" + AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" + AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" AWS_SES_REGION="${AWS_SES_REGION:-$(_readaccountconf_mutable AWS_SES_REGION)}" - if [ -z "$AWS_SES_ACCESS_KEY_ID" ] || [ -z "$AWS_SES_SECRET_ACCESS_KEY" ]; then + if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then _use_container_role || _use_instance_role fi - if [ -z "$AWS_SES_ACCESS_KEY_ID" ] || [ -z "$AWS_SES_SECRET_ACCESS_KEY" ]; then - AWS_SES_ACCESS_KEY_ID="" - AWS_SES_SECRET_ACCESS_KEY="" + if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then + AWS_ACCESS_KEY_ID="" + AWS_SECRET_ACCESS_KEY="" _err "You haven't specified the aws SES api key id and and api key secret yet." _err "Please create your key and try again. see $(__green $AWS_WIKI)" return 1 @@ -46,8 +46,8 @@ aws_ses_send() { #save for future use, unless using a role which will be fetched as needed if [ -z "$_using_role" ]; then - _saveaccountconf_mutable AWS_SES_ACCESS_KEY_ID "$AWS_SES_ACCESS_KEY_ID" - _saveaccountconf_mutable AWS_SES_SECRET_ACCESS_KEY "$AWS_SES_SECRET_ACCESS_KEY" + _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" + _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" fi AWS_SES_TO="${AWS_SES_TO:-$(_readaccountconf_mutable AWS_SES_TO)}" @@ -93,8 +93,8 @@ _use_metadata() { _debug3 "_key" "$_key" _secure_debug3 "_value" "$_value" case "$_key" in - AccessKeyId) echo "AWS_SES_ACCESS_KEY_ID=$_value" ;; - SecretAccessKey) echo "AWS_SES_SECRET_ACCESS_KEY=$_value" ;; + AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;; + SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;; Token) echo "AWS_SESSION_TOKEN=$_value" ;; esac done | @@ -173,7 +173,7 @@ aws_rest() { _debug2 StringToSign "$StringToSign" - kSecret="AWS4$AWS_SES_SECRET_ACCESS_KEY" + kSecret="AWS4$AWS_SECRET_ACCESS_KEY" #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################ @@ -197,7 +197,7 @@ aws_rest() { signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)" _debug2 signature "$signature" - Authorization="$Algorithm Credential=$AWS_SES_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" + Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" _debug2 Authorization "$Authorization" _H2="Authorization: $Authorization" From db8a2d0c653ba19df024c8289942166d7e5bb025 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Wed, 5 Jul 2023 11:05:06 +0200 Subject: [PATCH 170/276] Fix & improve DNS API for ArtFiles.de --- dnsapi/dns_artfiles.sh | 80 ++++++++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 34 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index ad547e3f..6224c416 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -5,40 +5,34 @@ ################################################################################ # Author: Martin Arndt, https://troublezone.net/ # Released: 2022-02-27 -# Issues: https://github.com/Eagle3386/acme.sh/issues +# Issues: https://github.com/acmesh-official/acme.sh/issues/XXXX ################################################################################ # Usage: -# 1. export AF_API_USERNAME="api12345678" -# 2. export AF_API_PASSWORD="apiPassword" +# 1. export AF_API_USERNAME='api12345678' +# 2. export AF_API_PASSWORD='apiPassword' # 3. acme.sh --issue -d example.com --dns dns_artfiles ################################################################################ ########## API configuration ################################################### + AF_API_SUCCESS='status":"OK' AF_URL_DCP='https://dcp.c.artfiles.de/api/' AF_URL_DNS=${AF_URL_DCP}'dns/{*}_dns.html?domain=' -AF_URL_DOMAINS=${AF_URL_BASE}'domain/get_domains.html' +AF_URL_DOMAINS=${AF_URL_DCP}'domain/get_domains.html' ########## Public functions #################################################### # Adds a new TXT record for given ACME challenge value & domain. # Usage: dns_artfiles_add _acme-challenge.www.example.com "ACME challenge value" -dns_artfiles_add() { +dns_artfiles_add() +{ domain="$1" txtValue="$2" - _info 'Using ArtFiles.de DNS addition API' + _info 'Using ArtFiles.de DNS addition API…' _debug 'Domain' "$domain" _debug 'txtValue' "$txtValue" - AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}" - AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}" - if [ -z "$AF_API_USERNAME" ] || [ -z "$AF_API_PASSWORD" ]; then - _err 'Missing ArtFiles.de username and/or password.' - _err 'Please ensure both are set via export command & try again.' - - return 1 - fi - + _set_credentials _saveaccountconf_mutable 'AF_API_USERNAME' "$AF_API_USERNAME" _saveaccountconf_mutable 'AF_API_PASSWORD' "$AF_API_PASSWORD" @@ -62,13 +56,15 @@ dns_artfiles_add() { # Removes the existing TXT record for given ACME challenge value & domain. # Usage: dns_artfiles_rm _acme-challenge.www.example.com "ACME challenge value" -dns_artfiles_rm() { +dns_artfiles_rm() +{ domain="$1" txtValue="$2" - _info 'Using ArtFiles.de DNS removal API' + _info 'Using ArtFiles.de DNS removal API…' _debug 'Domain' "$domain" _debug 'txtValue' "$txtValue" + _set_credentials _set_headers _get_zone "$domain" if ! _dns 'GET'; then @@ -95,29 +91,28 @@ dns_artfiles_rm() { # Cleans awful TXT records response of ArtFiles's API & pretty prints it. # Usage: _clean_records -_clean_records() { +_clean_records() +{ + _info 'Cleaning TXT records…' # Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid # usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\' # from '\"' & turn '\n' into real LF characters. - # Yup, awful API to use - but that's all we got to get this working, so... ;) + # Yup, awful API to use - but that's all we got to get this working, so… ;) _debug2 'Raw ' "$response" - response="$( - printf -- '%s' "$response" - \ | sed 's/^\(.*TXT":"\)\([^,}]*\)\(.*\)$/\2/;s/.$//;s/\\"/"/g;s/\\n/\n/g' - )" + + response="$(printf -- '%s' "$response" | sed 's/^.*TXT":"\([^}]*\).*$/\1/;s/,".*$//;s/.$//;s/\\"/"/g;s/\\n/\n/g')" _debug2 'Clean' "$response" } # Executes an HTTP GET or POST request for getting or setting DNS records, # containing given payload upon POST. # Usage: _dns [GET | SET] [payload] -_dns() { +_dns() +{ + _info 'Executing HTTP request…' action="$1" payload="$(printf -- '%s' "$2" | _url_encode)" - url="$( - printf -- '%s%s' "$AF_URL_DNS" "$domain" - \ | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/' - )" + url="$(printf -- '%s%s' "$AF_URL_DNS" "$domain" | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')" if [ "$action" = 'SET' ]; then _debug2 'Payload' "$payload" @@ -139,10 +134,11 @@ _dns() { # Gets the root domain zone for given domain. # Usage: _get_zone _acme-challenge.www.example.com -_get_zone() { +_get_zone() +{ fqdn="$1" - domains="$(_get "$AF_URL_DOMAINS" "" 10)" - _info 'Getting domain zone...' + domains="$(_get "$AF_URL_DOMAINS" '' 10)" + _info 'Getting domain zone…' _debug2 'FQDN' "$fqdn" _debug2 'Domains' "$domains" @@ -166,10 +162,26 @@ _get_zone() { return 1 } +# Sets the credentials for accessing ArtFiles's API +# Usage: _set_credentials +_set_credentials() +{ + _info 'Setting credentials…' + AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}" + AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}" + if [ -z "$AF_API_USERNAME" ] || [ -z "$AF_API_PASSWORD" ]; then + _err 'Missing ArtFiles.de username and/or password.' + _err 'Please ensure both are set via export command & try again.' + + return 1 + fi +} + # Adds the HTTP Authorization & Content-Type headers to a follow-up request. # Usage: _set_headers -_set_headers() { - encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" - export _H1="Authorization: Basic $encoded" +_set_headers() +{ + _info 'Setting headers…' + export _H1="$(printf -- 'Authorization: Basic %s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" export _H2='Content-Type: application/json' } From 2961a90e7ffb37ad498a8d841d00dbb2a08d251c Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Wed, 5 Jul 2023 11:14:49 +0200 Subject: [PATCH 171/276] Make ShellCheck & ShellFormat happy --- dnsapi/dns_artfiles.sh | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 6224c416..04cdf026 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -24,8 +24,7 @@ AF_URL_DOMAINS=${AF_URL_DCP}'domain/get_domains.html' # Adds a new TXT record for given ACME challenge value & domain. # Usage: dns_artfiles_add _acme-challenge.www.example.com "ACME challenge value" -dns_artfiles_add() -{ +dns_artfiles_add() { domain="$1" txtValue="$2" _info 'Using ArtFiles.de DNS addition API…' @@ -56,8 +55,7 @@ dns_artfiles_add() # Removes the existing TXT record for given ACME challenge value & domain. # Usage: dns_artfiles_rm _acme-challenge.www.example.com "ACME challenge value" -dns_artfiles_rm() -{ +dns_artfiles_rm() { domain="$1" txtValue="$2" _info 'Using ArtFiles.de DNS removal API…' @@ -91,15 +89,13 @@ dns_artfiles_rm() # Cleans awful TXT records response of ArtFiles's API & pretty prints it. # Usage: _clean_records -_clean_records() -{ +_clean_records() { _info 'Cleaning TXT records…' # Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid # usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\' # from '\"' & turn '\n' into real LF characters. # Yup, awful API to use - but that's all we got to get this working, so… ;) _debug2 'Raw ' "$response" - response="$(printf -- '%s' "$response" | sed 's/^.*TXT":"\([^}]*\).*$/\1/;s/,".*$//;s/.$//;s/\\"/"/g;s/\\n/\n/g')" _debug2 'Clean' "$response" } @@ -107,8 +103,7 @@ _clean_records() # Executes an HTTP GET or POST request for getting or setting DNS records, # containing given payload upon POST. # Usage: _dns [GET | SET] [payload] -_dns() -{ +_dns() { _info 'Executing HTTP request…' action="$1" payload="$(printf -- '%s' "$2" | _url_encode)" @@ -134,8 +129,7 @@ _dns() # Gets the root domain zone for given domain. # Usage: _get_zone _acme-challenge.www.example.com -_get_zone() -{ +_get_zone() { fqdn="$1" domains="$(_get "$AF_URL_DOMAINS" '' 10)" _info 'Getting domain zone…' @@ -164,8 +158,7 @@ _get_zone() # Sets the credentials for accessing ArtFiles's API # Usage: _set_credentials -_set_credentials() -{ +_set_credentials() { _info 'Setting credentials…' AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}" AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}" @@ -179,9 +172,9 @@ _set_credentials() # Adds the HTTP Authorization & Content-Type headers to a follow-up request. # Usage: _set_headers -_set_headers() -{ +_set_headers() { _info 'Setting headers…' - export _H1="$(printf -- 'Authorization: Basic %s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" + encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)" + export _H1="Authorization: Basic $encoded" export _H2='Content-Type: application/json' } From 8b3acb719eb6eee82ef40edff94ed2372ecdc1df Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Wed, 5 Jul 2023 13:04:08 +0200 Subject: [PATCH 172/276] Fix TXT record removal --- dnsapi/dns_artfiles.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index 04cdf026..faf8c2ae 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -76,7 +76,7 @@ dns_artfiles_rm() { fi _clean_records - response="$(printf -- '%s' "$response" | sed '$d')" + response="$(printf -- '%s' "$response" | sed '/_acme-challenge "'"$txtValue"'"/d')" _dns 'SET' "$response" if ! _contains "$response" "$AF_API_SUCCESS"; then _err 'Removing ACME challenge value failed.' From 299a157409c7cd07228cbaf31ccfc0879dba8f44 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 8 Jul 2023 11:17:19 +0800 Subject: [PATCH 173/276] fix https://github.com/acmesh-official/acme.sh/issues/4680 zerossl returns retry-after header within "200 OK" code. so we don't check the "503" code anymore. --- acme.sh | 60 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/acme.sh b/acme.sh index 0cc52131..85082d5c 100755 --- a/acme.sh +++ b/acme.sh @@ -2222,40 +2222,40 @@ _send_signed_request() { _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)" - if ! _startswith "$code" "2"; then - _body="$response" - if [ "$needbase64" ]; then - _body="$(echo "$_body" | _dbase64 multiline)" - _debug3 _body "$_body" - fi - - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') - if [ "$code" = '503' ]; then - _sleep_overload_retry_sec=$_retryafter - if [ -z "$_sleep_overload_retry_sec" ]; then - _sleep_overload_retry_sec=5 - fi - if [ $_sleep_overload_retry_sec -le 600 ]; then - _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." - _sleep $_sleep_overload_retry_sec - continue - else - _info "The retryafter=$_retryafter is too large > 600, not retry anymore." - fi - fi - if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then - _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." - _CACHED_NONCE="" - _sleep $_sleep_retry_sec - continue + _body="$response" + if [ "$needbase64" ]; then + _body="$(echo "$_body" | _dbase64 multiline)" + _debug3 _body "$_body" + fi + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + + if [ "$code" = '503' ] || [ "$_retryafter" ]; then + _sleep_overload_retry_sec=$_retryafter + if [ -z "$_sleep_overload_retry_sec" ]; then + _sleep_overload_retry_sec=5 fi - if _contains "$_body" "The Replay Nonce is not recognized"; then - _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds." - _CACHED_NONCE="" - _sleep $_sleep_retry_sec + if [ $_sleep_overload_retry_sec -le 600 ]; then + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec continue + else + _info "The retryafter=$_retryafter is too large > 600, not retry anymore." + return 1 fi fi + if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then + _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." + _CACHED_NONCE="" + _sleep $_sleep_retry_sec + continue + fi + if _contains "$_body" "The Replay Nonce is not recognized"; then + _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds." + _CACHED_NONCE="" + _sleep $_sleep_retry_sec + continue + fi + return 0 done _info "Giving up sending to CA server after $MAX_REQUEST_RETRY_TIMES retries." From 09041fb81d3e6f8e931c97a9141f49d5fc3009dc Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 8 Jul 2023 11:19:09 +0800 Subject: [PATCH 174/276] fix format --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 85082d5c..f680e0fb 100755 --- a/acme.sh +++ b/acme.sh @@ -2224,8 +2224,8 @@ _send_signed_request() { _body="$response" if [ "$needbase64" ]; then - _body="$(echo "$_body" | _dbase64 multiline)" - _debug3 _body "$_body" + _body="$(echo "$_body" | _dbase64 multiline)" + _debug3 _body "$_body" fi _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') From 0472f5da6a01229967647cc31f2c113141e49ed3 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 8 Jul 2023 11:43:44 +0800 Subject: [PATCH 175/276] Revert "fix format" This reverts commit 09041fb81d3e6f8e931c97a9141f49d5fc3009dc. Revert "fix https://github.com/acmesh-official/acme.sh/issues/4680" This reverts commit 299a157409c7cd07228cbaf31ccfc0879dba8f44. --- acme.sh | 60 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/acme.sh b/acme.sh index f680e0fb..0cc52131 100755 --- a/acme.sh +++ b/acme.sh @@ -2222,40 +2222,40 @@ _send_signed_request() { _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)" - _body="$response" - if [ "$needbase64" ]; then - _body="$(echo "$_body" | _dbase64 multiline)" - _debug3 _body "$_body" - fi - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') - - if [ "$code" = '503' ] || [ "$_retryafter" ]; then - _sleep_overload_retry_sec=$_retryafter - if [ -z "$_sleep_overload_retry_sec" ]; then - _sleep_overload_retry_sec=5 + if ! _startswith "$code" "2"; then + _body="$response" + if [ "$needbase64" ]; then + _body="$(echo "$_body" | _dbase64 multiline)" + _debug3 _body "$_body" + fi + + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ]; then + _sleep_overload_retry_sec=$_retryafter + if [ -z "$_sleep_overload_retry_sec" ]; then + _sleep_overload_retry_sec=5 + fi + if [ $_sleep_overload_retry_sec -le 600 ]; then + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + else + _info "The retryafter=$_retryafter is too large > 600, not retry anymore." + fi fi - if [ $_sleep_overload_retry_sec -le 600 ]; then - _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." - _sleep $_sleep_overload_retry_sec + if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then + _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." + _CACHED_NONCE="" + _sleep $_sleep_retry_sec + continue + fi + if _contains "$_body" "The Replay Nonce is not recognized"; then + _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds." + _CACHED_NONCE="" + _sleep $_sleep_retry_sec continue - else - _info "The retryafter=$_retryafter is too large > 600, not retry anymore." - return 1 fi fi - if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then - _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." - _CACHED_NONCE="" - _sleep $_sleep_retry_sec - continue - fi - if _contains "$_body" "The Replay Nonce is not recognized"; then - _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds." - _CACHED_NONCE="" - _sleep $_sleep_retry_sec - continue - fi - return 0 done _info "Giving up sending to CA server after $MAX_REQUEST_RETRY_TIMES retries." From 3761fb4377f2a50ba9c1a4f863671ba1afa8c5eb Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 8 Jul 2023 12:37:01 +0800 Subject: [PATCH 176/276] fix bug https://github.com/acmesh-official/acme.sh/issues/4442 --- acme.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index 0cc52131..37bef388 100755 --- a/acme.sh +++ b/acme.sh @@ -2116,6 +2116,7 @@ _send_signed_request() { if [ -z "$keyfile" ]; then keyfile="$ACCOUNT_KEY_PATH" fi + _debug "=======Begin Send Signed Request=======" _debug url "$url" _debug payload "$payload" @@ -4602,9 +4603,10 @@ issue() { _d="*.$_d" fi _debug2 _d "$_d" - _authorizations_map="$_d,$response + _authorizations_map="$_d,$response#$_authz_url $_authorizations_map" done + _debug2 _authorizations_map "$_authorizations_map" _index=0 @@ -4656,7 +4658,8 @@ $_authorizations_map" _on_issue_err "$_post_hook" return 1 fi - + _authz_url="$(echo "$_candidates" | sed "s/$_idn_d,//" | _egrep_o "#.*" | sed "s/^#//")" + _debug _authz_url "$_authz_url" if [ -z "$thumbprint" ]; then thumbprint="$(__calc_account_thumbprint)" fi @@ -4708,7 +4711,7 @@ $_authorizations_map" _debug keyauthorization "$keyauthorization" fi - dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot" + dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot$sep$_authz_url" _debug dvlist "$dvlist" vlist="$vlist$dvlist$dvsep" @@ -4725,6 +4728,7 @@ $_authorizations_map" keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2) vtype=$(echo "$ventry" | cut -d "$sep" -f 4) _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5) + _authz_url=$(echo "$ventry" | cut -d "$sep" -f 6) _debug d "$d" if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then _debug "$d is already verified, skip $vtype." @@ -4850,7 +4854,7 @@ $_authorizations_map" uri=$(echo "$ventry" | cut -d "$sep" -f 3) vtype=$(echo "$ventry" | cut -d "$sep" -f 4) _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5) - + _authz_url=$(echo "$ventry" | cut -d "$sep" -f 6) if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then _info "$d is already verified, skip $vtype." continue @@ -4860,6 +4864,7 @@ $_authorizations_map" _debug "d" "$d" _debug "keyauthorization" "$keyauthorization" _debug "uri" "$uri" + _debug "_authz_url" "$_authz_url" removelevel="" token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)" @@ -4967,6 +4972,7 @@ $_authorizations_map" MAX_RETRY_TIMES=30 fi + _debug "Lets check the status of the authz" while true; do waittimes=$(_math "$waittimes" + 1) if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then @@ -5029,7 +5035,7 @@ $_authorizations_map" _sleep 2 _debug "checking" - _send_signed_request "$uri" + _send_signed_request "$_authz_url" if [ "$?" != "0" ]; then _err "$d:Verify error:$response" From 8fd3a64e3581e01909d1e781ab4a4a697b3f0f37 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 8 Jul 2023 12:51:56 +0800 Subject: [PATCH 177/276] fix https://github.com/acmesh-official/acme.sh/issues/4442 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 37bef388..65b0a5b9 100755 --- a/acme.sh +++ b/acme.sh @@ -5020,9 +5020,9 @@ $_authorizations_map" break fi - if [ "$status" = "pending" ]; then + if _contains "$status" "pending"; then _info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)" - elif [ "$status" = "processing" ]; then + elif _contains "$status" "processing"; then _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)" else _err "$d:Verify error:$response" From a7455d7edd0e81f34b8e9071286e201389728148 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 8 Jul 2023 14:11:51 +0800 Subject: [PATCH 178/276] fix https://github.com/acmesh-official/acme.sh/issues/4562#issuecomment-1598731384 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 65b0a5b9..7a9468fd 100755 --- a/acme.sh +++ b/acme.sh @@ -2278,7 +2278,7 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi - if [ -n "$(tail -c 1 <"$__conf")" ]; then + if [ -n "$(tail -c1 <"$__conf")" ]; then echo >>"$__conf" fi From ee50f254df99368e0afbefd522806615f0c46a85 Mon Sep 17 00:00:00 2001 From: Arnaud Launay <2205303+alaunay@users.noreply.github.com> Date: Sun, 9 Jul 2023 20:08:10 +0200 Subject: [PATCH 179/276] Add BookMyName API support --- dnsapi/dns_bookmyname.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh index 7acdea02..62548fd0 100644 --- a/dnsapi/dns_bookmyname.sh +++ b/dnsapi/dns_bookmyname.sh @@ -13,15 +13,15 @@ # Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide -# BMN urls: -# https://BMN_USER:BMN_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=add&value="XXXXXXXX"' -# https://BMN_USER:BMN_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=remove&value="XXXXXXXX"' +# BookMyName urls: +# https://BOOKMYNAME_USERNAME:BOOKMYNAME_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=add&value="XXXXXXXX"' +# https://BOOKMYNAME_USERNAME:BOOKMYNAME_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=remove&value="XXXXXXXX"' # Output: #good: update done, cid 123456, domain id 456789, type txt, ip XXXXXXXX #good: remove done 1, cid 123456, domain id 456789, ttl 300, type txt, ip XXXXXXXX -# Be careful, BookMyName DNS servers can be slow to pick up changes; using dnssleep is thus advised. +# Be careful, BMN DNS servers can be slow to pick up changes; using dnssleep is thus advised. # Usage: # export BOOKMYNAME_USERNAME="ABCDE-FREE" From d86414febbaeeefe1ef563ada1882051ccd6c758 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Tue, 11 Jul 2023 23:41:24 +0000 Subject: [PATCH 180/276] Excluded scopes for api key test --- deploy/panos.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 880e4cec..2bb9f08f 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -56,7 +56,9 @@ deployer() { if [ "$type" = 'keytest' ]; then _debug "**** Testing saved API Key ****" _H1="Content-Type: application/x-www-form-urlencoded" - content="type=commit&key=$_panos_key&action=partial&cmd=acmekeytest" + #Exclude all scopes for the empty commit + _exclude_scope="excludeexcludeexclude" + content="type=commit&key=$_panos_key&cmd=$_exclude_scopeacmekeytest" fi # Generate API Key From e69a19db5c555c8a23fb31e1be393d0f220341fa Mon Sep 17 00:00:00 2001 From: sg1888 Date: Tue, 11 Jul 2023 23:56:41 +0000 Subject: [PATCH 181/276] Incorporated partial commit to address issue #4198 --- deploy/panos.sh | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 2bb9f08f..f18482fc 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -36,8 +36,9 @@ parse_response() { message="PAN-OS Key could not be set." fi else - status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') - message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') + status=$(echo "$1" | tr -d '\n' | sed 's/^.*"\([a-z]*\)".*/\1/g') + message=$(echo "$1" | tr -d '\n' | sed 's/.*\(\|\|\)\([^<]*\).*/\2/g') + _debug "Firewall message: $message" if [ "$type" = 'keytest' ] && [ "$status" != "success" ]; then _debug "**** API Key has EXPIRED or is INVALID ****" unset _panos_key @@ -58,7 +59,7 @@ deployer() { _H1="Content-Type: application/x-www-form-urlencoded" #Exclude all scopes for the empty commit _exclude_scope="excludeexcludeexclude" - content="type=commit&key=$_panos_key&cmd=$_exclude_scopeacmekeytest" + content="type=commit&action=partial&key=$_panos_key&cmd=$_exclude_scopeacmekeytest" fi # Generate API Key @@ -104,20 +105,21 @@ deployer() { if [ "$type" = 'commit' ]; then _debug "**** Committing changes ****" export _H1="Content-Type: application/x-www-form-urlencoded" - #Check for force commit + #Check for force commit - will commit ALL uncommited changes to the firewall. Use with caution! if [ "$FORCE" ]; then - cmd=$(printf "%s" "<$_panos_user>" | _url_encode) + _debug "Force switch detected. Committing ALL changes to the firewall." + cmd=$(printf "%s" "$_panos_user" | _url_encode) else - cmd=$(printf "%s" "<$_panos_user>" | _url_encode) + _exclude_scope="excludeexclude" + cmd=$(printf "%s" "$_exclude_scope$_panos_user" | _url_encode) fi - content="type=commit&key=$_panos_key&cmd=$cmd" + content="type=commit&action=partial&key=$_panos_key&cmd=$cmd" fi response=$(_post "$content" "$panos_url" "" "POST") parse_response "$response" "$type" # Saving response to variables response_status=$status - #DEBUG _debug response_status "$response_status" if [ "$response_status" = "success" ]; then _debug "Successfully deployed $type" From b556908cab48cf71ad577f912693316eea1a7078 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Wed, 12 Jul 2023 00:03:21 +0000 Subject: [PATCH 182/276] Modified ECC file test --- deploy/panos.sh | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index f18482fc..e11a6eed 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -137,15 +137,10 @@ panos_deploy() { _ckey="$2" _cfullchain="$5" - # VALID ECC KEY CHECK - keysuffix=$(printf '%s' "$_ckey" | tail -c 8) - if [ "$keysuffix" = "_ecc.key" ] && [ ! -f "$_ckey" ]; then - _debug "The ECC key $_ckey doesn't exist. Attempting to strip '_ecc' from the key name" - _ckey=$(echo "$_ckey" | sed 's/\(.*\)_ecc.key$/\1.key/g') - if [ ! -f "$_ckey" ]; then - _err "Unable to find a valid key. Try issuing the certificate using RSA (non-ECC) encryption." - return 1 - fi + # VALID FILE CHECK + if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then + _err "Unable to find a valid key and/or cert. If this is an ECDSA/ECC cert, use the --ecc flag when deploying." + return 1 fi # PANOS_HOST From dd958872a87bc4e383ea38aaed03919d0b753783 Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Fri, 14 Jul 2023 12:47:44 -0400 Subject: [PATCH 183/276] Fix SES region variable The last version do not save the SES region into the config file, breaking the notification hook. --- notify/aws_ses.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/notify/aws_ses.sh b/notify/aws_ses.sh index 571fd392..30db45ad 100644 --- a/notify/aws_ses.sh +++ b/notify/aws_ses.sh @@ -43,6 +43,7 @@ aws_ses_send() { _err "Please specify your region and try again. see https://docs.aws.amazon.com/general/latest/gr/ses.html" return 1 fi + _saveaccountconf_mutable AWS_SES_REGION "$AWS_SES_REGION" #save for future use, unless using a role which will be fetched as needed if [ -z "$_using_role" ]; then From edd1b60c3d39269dc1c5ff15ea842f1a0d3624f2 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Tue, 18 Jul 2023 19:43:47 +0000 Subject: [PATCH 184/276] Removed ability to specify API key to facilitate future multiple host functionality. --- deploy/panos.sh | 47 ++++++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 29 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index e11a6eed..27919a25 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -8,21 +8,13 @@ # Firewall admin with superuser and IP address is required. # # REQURED: -# export PANOS_HOST="" # required -# export PANOS_USER="" # required -# -# AND one of the two authenticiation methods: -# -# Method 1: Password (RECOMMENDED) +# export PANOS_HOST="" +# export PANOS_USER="" #User *MUST* have Commit and Import Permissions in XML API for Admin Role # export PANOS_PASS="" # -# Method 2: API KEY -# export PANOS_KEY="" -# -# -# The Password method will automatically generate a new API key if +# The script will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. -# + # This function is to parse the XML response from the firewall parse_response() { @@ -53,13 +45,15 @@ deployer() { type=$1 # Types are keytest, keygen, cert, key, commit panos_url="https://$_panos_host/api/" - #Test API Key by performing an empty commit. + #Test API Key by performing a lookup if [ "$type" = 'keytest' ]; then _debug "**** Testing saved API Key ****" _H1="Content-Type: application/x-www-form-urlencoded" - #Exclude all scopes for the empty commit - _exclude_scope="excludeexcludeexclude" - content="type=commit&action=partial&key=$_panos_key&cmd=$_exclude_scopeacmekeytest" + # Get Version Info to test key + content="type=version&key=$_panos_key" + ## Exclude all scopes for the empty commit + #_exclude_scope="excludeexcludeexclude" + #content="type=commit&action=partial&key=$_panos_key&cmd=$_exclude_scopeacmekeytest" fi # Generate API Key @@ -170,22 +164,17 @@ panos_deploy() { _getdeployconf PANOS_PASS fi - # PANOS_KEY - if [ "$PANOS_KEY" ]; then - _debug "Detected ENV variable PANOS_KEY. Saving to file." - _savedeployconf PANOS_KEY "$PANOS_KEY" 1 - else - _debug "Attempting to load variable PANOS_KEY from file." - _getdeployconf PANOS_KEY - fi - #Store variables _panos_host=$PANOS_HOST - _panos_key=$PANOS_KEY _panos_user=$PANOS_USER _panos_pass=$PANOS_PASS - #Test API Key if found. If the key is invalid, the variable panos_key will be unset. + #Load saved keys + _getdeployconf PANOS_KEY + _panos_key=$PANOS_KEY + + + #Test API Key if found. If the key is invalid, the variable _panos_key will be unset. if [ "$_panos_host" ] && [ "$_panos_key" ]; then _debug "**** Testing API KEY ****" deployer keytest @@ -198,8 +187,8 @@ panos_deploy() { elif [ -z "$_panos_user" ]; then _err "No user found. If this is your first time deploying, please set PANOS_USER in ENV variables. You can delete it after you have successfully deployed the certs." return 1 - elif [ -z "$_panos_key" ] && { [ -z "$_panos_user" ] || [ -z "$_panos_pass" ]; }; then - _err "No pass OR valid API key found. If this is your first time deploying please set PANOS_PASS and/or PANOS_KEY in ENV variables. You can delete them after you have succesfully deployed the certs." + elif [ -z "$_panos_pass" ]; then + _err "No password found. If this is your first time deploying, please set PANOS_PASS in ENV variables. You can delete it after you have successfully deployed the certs." return 1 else # Generate a new API key if no valid API key is found From ae035deb92b1557832fa06e4ebecd0519df6c8b4 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Tue, 18 Jul 2023 20:10:31 +0000 Subject: [PATCH 185/276] Fixed shell check errors --- deploy/panos.sh | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 27919a25..efc1a656 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -15,7 +15,6 @@ # The script will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. - # This function is to parse the XML response from the firewall parse_response() { type=$2 @@ -130,6 +129,8 @@ panos_deploy() { _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename _ckey="$2" _cfullchain="$5" + _regen_keys=false #Flag to regenerate keys if PANOS_USER or PANOS_PASS changes. + # VALID FILE CHECK if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then @@ -164,15 +165,22 @@ panos_deploy() { _getdeployconf PANOS_PASS fi + # PANOS_KEY + _getdeployconf PANOS_KEY + if [ "$PANOS_KEY" ]; then + _debug "Detected saved key." + _panos_key=$PANOS_KEY + else + _debug "No key detected" + unset _panos_key + fi + + #Store variables _panos_host=$PANOS_HOST _panos_user=$PANOS_USER _panos_pass=$PANOS_PASS - #Load saved keys - _getdeployconf PANOS_KEY - _panos_key=$PANOS_KEY - #Test API Key if found. If the key is invalid, the variable _panos_key will be unset. if [ "$_panos_host" ] && [ "$_panos_key" ]; then From 02de281e40ecebd2e68a12d92066f44303b57348 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Tue, 18 Jul 2023 20:15:46 +0000 Subject: [PATCH 186/276] Removed unused variable --- deploy/panos.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index efc1a656..9e48e4b3 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -129,7 +129,6 @@ panos_deploy() { _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename _ckey="$2" _cfullchain="$5" - _regen_keys=false #Flag to regenerate keys if PANOS_USER or PANOS_PASS changes. # VALID FILE CHECK From 1984f44ffe1e192c4d0b66fd026df4aa29801684 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Tue, 18 Jul 2023 20:18:12 +0000 Subject: [PATCH 187/276] Shell formatting --- deploy/panos.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 9e48e4b3..89458e5f 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -130,7 +130,6 @@ panos_deploy() { _ckey="$2" _cfullchain="$5" - # VALID FILE CHECK if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then _err "Unable to find a valid key and/or cert. If this is an ECDSA/ECC cert, use the --ecc flag when deploying." @@ -174,13 +173,11 @@ panos_deploy() { unset _panos_key fi - #Store variables _panos_host=$PANOS_HOST _panos_user=$PANOS_USER _panos_pass=$PANOS_PASS - #Test API Key if found. If the key is invalid, the variable _panos_key will be unset. if [ "$_panos_host" ] && [ "$_panos_key" ]; then _debug "**** Testing API KEY ****" From c7f6f20c9d4ae05a5ce366d8f3f62cd3eb1b1710 Mon Sep 17 00:00:00 2001 From: Scruel Tao Date: Thu, 20 Jul 2023 02:48:29 +0800 Subject: [PATCH 188/276] Add SYNO_USE_TEMP_ADMIN variable & Fix broken logic 1. Fix the broken logic in (Sorry for including fix commit in same PR, I'm feeling quite tired and would like to go to sleep right away...) 2. Provides new method to obtain credential info for authentication, it will create a temp admin user if SYNO_USE_TEMP_ADMIN is set, instead of requiring the user's own credentials which will be saved in disk. I do really don't like to have plaintext credentials be saved in disk, and I noticed that you've spent a lot of time fighting with 2FA related stuffs, so why not just get rid of the whole old way. :) --- deploy/synology_dsm.sh | 89 +++++++++++++++++++++++++++++++----------- 1 file changed, 66 insertions(+), 23 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 7398b350..d7dd1890 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -9,8 +9,11 @@ # Issues: https://github.com/acmesh-official/acme.sh/issues/2727 ################################################################################ # Usage: -# 1. export SYNO_Username="adminUser" -# 2. export SYNO_Password="adminPassword" +# - Create temp admin user automatically: +# export SYNO_USE_TEMP_ADMIN=1 +# - Or provide your own admin user credential: +# 1. export SYNO_Username="adminUser" +# 2. export SYNO_Password="adminPassword" # Optional exports (shown values are the defaults): # - export SYNO_Certificate="" to replace a specific certificate via description # - export SYNO_Scheme="http" @@ -22,6 +25,7 @@ ################################################################################ # Dependencies: # - jq & curl +# - synouser & synogroup (When available and SYNO_USE_TEMP_ADMIN is set) ################################################################################ # Return value: # 0 means success, otherwise error. @@ -38,6 +42,7 @@ synology_dsm_deploy() { _debug _cdomain "$_cdomain" # Get username & password, but don't save until we authenticated successfully + _getdeployconf SYNO_USE_TEMP_ADMIN _getdeployconf SYNO_Username _getdeployconf SYNO_Password _getdeployconf SYNO_Create @@ -45,12 +50,25 @@ synology_dsm_deploy() { _getdeployconf SYNO_TOTP_SECRET _getdeployconf SYNO_Device_Name _getdeployconf SYNO_Device_ID - if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then - _err "SYNO_Username & SYNO_Password must be set" - return 1 + + # Prepare temp admin user info if SYNO_USE_TEMP_ADMIN is set + if [ -n "${SYNO_USE_TEMP_ADMIN:-}" ]; then + if ! _exists synouser; then + if ! _exists synogroup; then + _err "Tools are missing for creating temp admin user, please set SYNO_Username & SYNO_Password instead." + return 1 + fi + fi + _debug "Setting temp admin user credential..." + SYNO_Username=sc-acmesh-tmp + SYNO_Password=`openssl rand -base64 16` + # Ignore 2FA-OTP settings which won't be needed. + SYNO_Device_Name= + SYNO_Device_ID= fi - if [ -n "${SYNO_Device_Name:-}" ] && [ -z "${SYNO_Device_ID:-}" ]; then - _err "SYNO_Device_Name set, but SYNO_Device_ID is empty" + + if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then + _err "You must set either SYNO_USE_TEMP_ADMIN, or set both SYNO_Username and SYNO_Password." return 1 fi _debug2 SYNO_Username "$SYNO_Username" @@ -69,6 +87,7 @@ synology_dsm_deploy() { [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http" [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost" [ -n "${SYNO_Port}" ] || SYNO_Port="5000" + _savedeployconf SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN" _savedeployconf SYNO_Scheme "$SYNO_Scheme" _savedeployconf SYNO_Hostname "$SYNO_Hostname" _savedeployconf SYNO_Port "$SYNO_Port" @@ -106,13 +125,11 @@ synology_dsm_deploy() { _info "WARNING: Usage of SYNO_TOTP_SECRET is deprecated!" _info " See synology_dsm.sh script or ACME.sh Wiki page for details:" _info " https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide" - DEPRECATED_otp_code="" - if _exists oathtool; then - DEPRECATED_otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)" - else + if ! _exists oathtool; then _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET" return 1 fi + DEPRECATED_otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)" if [ -n "$SYNO_DID" ]; then _H1="Cookie: did=$SYNO_DID" @@ -123,21 +140,30 @@ synology_dsm_deploy() { response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") _debug3 response "$response" # END - DEPRECATED, only kept for legacy compatibility reasons + # If SYNO_DeviceDevice_ID & SYNO_Device_Name both empty, just log in normally + elif [ -z "${SYNO_Device_ID:-}" ] && [ -z "${SYNO_Device_Name:-}" ]; then + if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then + _debug "Creating temp admin user in Synology DSM" + synouser --del "$SYNO_Username" >/dev/null 2>/dev/null + synouser --add "$SYNO_Username" "$SYNO_Password" "" 0 "" 0 >/dev/null + synogroup --memberadd administrators "$SYNO_Username" >/dev/null + fi + response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes") + _debug3 response "$response" # Get device ID if still empty first, otherwise log in right away - elif [ -z "${SYNO_Device_ID:-}" ]; then + elif [ -n "${SYNO_Device_Name:-}" ] && [ -z "${SYNO_Device_ID:-}" ]; then printf "Enter OTP code for user '%s': " "$SYNO_Username" read -r otp_code - if [ -z "${SYNO_Device_Name:-}" ]; then - printf "Enter device name or leave empty for default (CertRenewal): " - read -r SYNO_Device_Name - [ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal" - fi - response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name") _debug3 response "$response" SYNO_Device_ID=$(echo "$response" | grep "device_id" | sed -n 's/.*"device_id" *: *"\([^"]*\).*/\1/p') _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID" else + if [ -z "${SYNO_Device_Name:-}" ]; then + printf "Enter device name or leave empty for default (CertRenewal): " + read -r SYNO_Device_Name + [ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal" + fi response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID") _debug3 response "$response" fi @@ -146,9 +172,12 @@ synology_dsm_deploy() { token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') _debug "Session ID" "$sid" _debug SynoToken "$token" - if [ -z "$SYNO_DID" ] && [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then + if [ -z "$sid" ] || [ -z "$token" ]; then _err "Unable to authenticate to $_base_url - check your username & password." - _err "If two-factor authentication is enabled for the user, set SYNO_Device_ID." + _err "If two-factor authentication is enabled for the user:" + _err "- set SYNO_Device_Name then input *correct* OTP-code manually" + _err "- get & set SYNO_Device_ID via your browser cookies" + _remove_temp_admin "$SYNO_USE_TEMP_ADMIN" "$SYNO_Username" return 1 fi @@ -159,8 +188,10 @@ synology_dsm_deploy() { # Now that we know the username & password are good, save them _savedeployconf SYNO_Username "$SYNO_Username" _savedeployconf SYNO_Password "$SYNO_Password" - _savedeployconf SYNO_Device_Name "$SYNO_Device_Name" - _savedeployconf SYNO_Device_ID "$SYNO_Device_ID" + if [ -z "${SYNO_USE_TEMP_ADMIN:-}" ]; then + _savedeployconf SYNO_Device_Name "$SYNO_Device_Name" + _savedeployconf SYNO_Device_ID "$SYNO_Device_ID" + fi _info "Getting certificates in Synology DSM" response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi") @@ -172,6 +203,7 @@ synology_dsm_deploy() { if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then _err "Unable to find certificate: $SYNO_Certificate & \$SYNO_Create is not set" + _remove_temp_admin "$SYNO_USE_TEMP_ADMIN" "$SYNO_Username" return 1 fi @@ -206,10 +238,11 @@ synology_dsm_deploy() { else _info "Restarting HTTP services failed" fi - + _remove_temp_admin "$SYNO_USE_TEMP_ADMIN" "$SYNO_Username" _logout return 0 else + _remove_temp_admin "$SYNO_USE_TEMP_ADMIN" "$SYNO_Username" _err "Unable to update certificate, error code $response" _logout return 1 @@ -222,3 +255,13 @@ _logout() { response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout") _debug3 response "$response" } + +_remove_temp_admin() { + flag=$1 + username=$2 + + if [ -n "${flag}" ]; then + _debug "Removing temp admin user in Synology DSM" + synouser --del "$username" >/dev/null + fi +} From 9e958f4e32794db65fa7fd938df2bcc27f7faaff Mon Sep 17 00:00:00 2001 From: Scruel Tao Date: Thu, 20 Jul 2023 13:09:21 +0800 Subject: [PATCH 189/276] Fix shellcheck --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index d7dd1890..22e485ce 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -61,7 +61,7 @@ synology_dsm_deploy() { fi _debug "Setting temp admin user credential..." SYNO_Username=sc-acmesh-tmp - SYNO_Password=`openssl rand -base64 16` + SYNO_Password=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16) # Ignore 2FA-OTP settings which won't be needed. SYNO_Device_Name= SYNO_Device_ID= From cf86d57a9f61e9e2d759c8a44811c3ea6cb612c6 Mon Sep 17 00:00:00 2001 From: Scruel Tao Date: Thu, 20 Jul 2023 13:34:57 +0800 Subject: [PATCH 190/276] Fix for shfmt check --- deploy/synology_dsm.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 22e485ce..b69916c7 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -66,7 +66,7 @@ synology_dsm_deploy() { SYNO_Device_Name= SYNO_Device_ID= fi - + if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then _err "You must set either SYNO_USE_TEMP_ADMIN, or set both SYNO_Username and SYNO_Password." return 1 @@ -104,8 +104,7 @@ synology_dsm_deploy() { _err "Do not use a backslash (\) in your certificate description" return 1 fi - - _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" + _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" _debug _base_url "$_base_url" _debug "Getting API version" @@ -259,7 +258,7 @@ _logout() { _remove_temp_admin() { flag=$1 username=$2 - + if [ -n "${flag}" ]; then _debug "Removing temp admin user in Synology DSM" synouser --del "$username" >/dev/null From ba468bb5e4156c6b914b8653abb2af9d4b2006b4 Mon Sep 17 00:00:00 2001 From: Scruel Tao Date: Thu, 20 Jul 2023 13:38:36 +0800 Subject: [PATCH 191/276] Fix for shfmt check --- deploy/synology_dsm.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index b69916c7..8dc99a85 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -104,7 +104,8 @@ synology_dsm_deploy() { _err "Do not use a backslash (\) in your certificate description" return 1 fi - _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" + + _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" _debug _base_url "$_base_url" _debug "Getting API version" From a9f631f404eaaeaa9a39ba14bb8236a4925db9e8 Mon Sep 17 00:00:00 2001 From: sg1888 Date: Fri, 21 Jul 2023 16:49:20 +0000 Subject: [PATCH 192/276] Added help verbiage for --ecc flag --- acme.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 7a9468fd..d356084c 100755 --- a/acme.sh +++ b/acme.sh @@ -1553,7 +1553,7 @@ createDomainKey() { createCSR() { _info "Creating csr" if [ -z "$1" ]; then - _usage "Usage: $PROJECT_ENTRY --create-csr --domain [--domain ...]" + _usage "Usage: $PROJECT_ENTRY --create-csr --domain [--domain ...] [--ecc]" return fi @@ -6936,7 +6936,8 @@ Parameters: --no-profile Only valid for '--install' command, which means: do not install aliases to user profile. --no-color Do not output color text. --force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails. - --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr' + --ecc Specifies use of the ECC cert. Only valid for '--install-cert', '--renew', '--remove ', '--revoke', + '--deploy', '--to-pkcs8', '--to-pkcs12' and '--create-csr'. --csr Specifies the input csr. --pre-hook Command to be run before obtaining any certificates. --post-hook Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed. From 2014ca9feb3758999338b31827acbe12c3ca2813 Mon Sep 17 00:00:00 2001 From: Malte Rabenseifner Date: Wed, 26 Jul 2023 15:36:11 +0200 Subject: [PATCH 193/276] Fix the API calls that get the list of domains that PLESK can manage --- dnsapi/dns_pleskxml.sh | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index 799c374c..9cb0b1be 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -46,6 +46,10 @@ pleskxml_tplt_get_domains="< # Also used to test credentials and URI. # No params. +pleskxml_tplt_get_additional_domains="" +# Get a list of additional domains that PLESK can manage, so we can check root domain + host for acme.sh +# No params. + pleskxml_tplt_get_dns_records="%s" # Get all DNS records for a Plesk domain ID. # PARAM = Plesk domain id to query @@ -375,16 +379,44 @@ _pleskxml_get_root_domain() { return 1 fi - # Generate a crude list of domains known to this Plesk account. + # Generate a crude list of domains known to this Plesk account based on subscriptions. # We convert tags to so it'll flag on a hit with either or fields, # for non-Western character sets. # Output will be one line per known domain, containing 2 tages and a single tag # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" + debug_output="$(printf "$output" | sed -n 's:.*\(.*\).*:\1:p')" + + _debug 'Domains managed by Plesk server are:' + _debug "$debug_output" + + _debug "Querying Plesk server for list of additional managed domains..." + + _call_api "$pleskxml_tplt_get_additional_domains" + if [ "$pleskxml_retcode" -ne 0 ]; then + return 1 + fi + + # Generate a crude list of additional domains known to this Plesk account based on sites. + # We convert tags to so it'll flag on a hit with either or fields, + # for non-Western character sets. + # Output will be one line per known domain, containing 2 tages and a single tag + # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. - _debug 'Domains managed by Plesk server are (ignore the hacked output):' - _debug "$output" + output_additional="$(_api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" + debug_additional="$(printf "$output_additional" | sed -n 's:.*\(.*\).*:\1:p')" + + _debug 'Additional domains managed by Plesk server are:' + _debug "$debug_additional" + + # Concate the two outputs together. + + output="$(printf "$output $NEWLINE $output_additional")" + debug_output="$(printf "$output" | sed -n 's:.*\(.*\).*:\1:p')" + + _debug 'Domains (including additional) managed by Plesk server are:' + _debug "$debug_output" # loop and test if domain, or any parent domain, is managed by Plesk # Loop until we don't have any '.' in the string we're testing as a candidate Plesk-managed domain From 4d4b6edbc2e59c147b487306604de75e25657f1e Mon Sep 17 00:00:00 2001 From: samuel <53528911+samuel-jimenez@users.noreply.github.com> Date: Wed, 26 Jul 2023 10:29:38 -0500 Subject: [PATCH 194/276] Add DNSExit.com API support --- dnsapi/dns_dnsexit.sh | 185 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 dnsapi/dns_dnsexit.sh diff --git a/dnsapi/dns_dnsexit.sh b/dnsapi/dns_dnsexit.sh new file mode 100644 index 00000000..62d7d757 --- /dev/null +++ b/dnsapi/dns_dnsexit.sh @@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +#use dns-01 at DNSExit.com + +#Author: Samuel Jimenez +#Report Bugs here: https://github.com/acmesh-official/acme.sh + +#DNSEXIT_API_KEY=ABCDEFGHIJ0123456789abcdefghij +#DNSEXIT_AUTH_USER=login@email.address +#DNSEXIT_AUTH_PASS=aStrongPassword +DNSEXIT_API_URL="https://api.dnsexit.com/dns/" +DNSEXIT_HOSTS_URL="https://update.dnsexit.com/ipupdate/hosts.jsp" + +######## Public functions ##################### +#Usage: dns_dnsexit_add _acme-challenge.*.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dnsexit_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using DNSExit.com" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _debug 'Load account auth' + if ! get_account_info; then + return 1 + fi + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if ! _dnsexit_rest "{\"domain\":\"$_domain\",\"add\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":0,\"overwrite\":false}}"; then + _err "$response" + return 1 + fi + + _debug2 _response "$response" + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_dnsexit_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using DNSExit.com" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _debug 'Load account auth' + if ! get_account_info; then + return 1 + fi + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + _err "$response" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if ! _dnsexit_rest "{\"domain\":\"$_domain\",\"delete\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\"}}"; then + _err "$response" + return 1 + fi + + _debug2 _response "$response" + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + while true; do + _domain=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$_domain" + if [ -z "$_domain" ]; then + return 1 + fi + + _debug login "$DNSEXIT_AUTH_USER" + _debug password "$DNSEXIT_AUTH_PASS" + _debug domain "$_domain" + + _dnsexit_http "login=$DNSEXIT_AUTH_USER&password=$DNSEXIT_AUTH_PASS&domain=$_domain" + + if _contains "$response" "0=$_domain"; then + _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")" + return 0 + else + _debug "Go to next level of $_domain" + fi + i=$(_math "$i" + 1) + done + + return 1 +} + +_dnsexit_rest() { + m=POST + ep="" + data="$1" + _debug _dnsexit_rest "$ep" + _debug data "$data" + + api_key_trimmed=$(echo "$DNSEXIT_API_KEY" | tr -d '"') + + export _H1="apikey: $api_key_trimmed" + export _H2='Content-Type: application/json' + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$DNSEXIT_API_URL/$ep" "" "$m")" + else + response="$(_get "$DNSEXIT_API_URL/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "Error $ep" + return 1 + fi + + _debug2 response "$response" + return 0 +} + +_dnsexit_http() { + m=GET + param="$1" + _debug param "$param" + _debug get "$DNSEXIT_HOSTS_URL?$param" + + response="$(_get "$DNSEXIT_HOSTS_URL?$param")" + + _debug response "$response" + + if [ "$?" != "0" ]; then + _err "Error $param" + return 1 + fi + + _debug2 response "$response" + return 0 +} + +get_account_info() { + + DNSEXIT_API_KEY="${DNSEXIT_API_KEY:-$(_readaccountconf_mutable DNSEXIT_API_KEY)}" + if test -z "$DNSEXIT_API_KEY"; then + DNSEXIT_API_KEY='' + _err 'DNSEXIT_API_KEY was not exported' + return 1 + fi + + _saveaccountconf_mutable DNSEXIT_API_KEY "$DNSEXIT_API_KEY" + + DNSEXIT_AUTH_USER="${DNSEXIT_AUTH_USER:-$(_readaccountconf_mutable DNSEXIT_AUTH_USER)}" + if test -z "$DNSEXIT_AUTH_USER"; then + DNSEXIT_AUTH_USER="" + _err 'DNSEXIT_AUTH_USER was not exported' + return 1 + fi + + _saveaccountconf_mutable DNSEXIT_AUTH_USER "$DNSEXIT_AUTH_USER" + + DNSEXIT_AUTH_PASS="${DNSEXIT_AUTH_PASS:-$(_readaccountconf_mutable DNSEXIT_AUTH_PASS)}" + if test -z "$DNSEXIT_AUTH_PASS"; then + DNSEXIT_AUTH_PASS="" + _err 'DNSEXIT_AUTH_PASS was not exported' + return 1 + fi + + _saveaccountconf_mutable DNSEXIT_AUTH_PASS "$DNSEXIT_AUTH_PASS" + + return 0 +} From c48c8d07de31bbb65a5621d37b9ff6b056e7a8a9 Mon Sep 17 00:00:00 2001 From: Harald Kapper <4014716+hknet@users.noreply.github.com> Date: Thu, 27 Jul 2023 21:49:23 +0200 Subject: [PATCH 195/276] Update dns_kappernet.sh dns update waiting time is reduced now (new backend at kapper.net) --- dnsapi/dns_kappernet.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_kappernet.sh b/dnsapi/dns_kappernet.sh index 83a7e5f8..0a8951cb 100644 --- a/dnsapi/dns_kappernet.sh +++ b/dnsapi/dns_kappernet.sh @@ -45,8 +45,8 @@ dns_kappernet_add() { if _kappernet_api GET "action=new&subject=$_domain&data=$data"; then if _contains "$response" "{\"OK\":true"; then - _info "Waiting 120 seconds for DNS to spread the new record" - _sleep 120 + _info "Waiting 1 second for DNS to spread the new record" + _sleep 1 return 0 else _err "Error creating a TXT DNS Record: $fullhostname TXT $txtvalue" From a51025fe8f5c0bacfecb943d997806e55477ce3e Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Jul 2023 15:32:50 +0800 Subject: [PATCH 196/276] fix https://github.com/acmesh-official/acme.sh/issues/3645 --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 7a9468fd..03c838ac 100755 --- a/acme.sh +++ b/acme.sh @@ -924,7 +924,9 @@ _sed_i() { } _egrep_o() { - if ! egrep -o "$1" 2>/dev/null; then + if _exists egrep; then + egrep -o "$1" 2>/dev/null; + else sed -n 's/.*\('"$1"'\).*/\1/p' fi } From 80006f47300bd0559729a2800ae014475f7499ce Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Sat, 29 Jul 2023 10:26:59 +0200 Subject: [PATCH 197/276] Added bug report url --- dnsapi/dns_artfiles.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_artfiles.sh b/dnsapi/dns_artfiles.sh index faf8c2ae..a762837e 100644 --- a/dnsapi/dns_artfiles.sh +++ b/dnsapi/dns_artfiles.sh @@ -5,7 +5,7 @@ ################################################################################ # Author: Martin Arndt, https://troublezone.net/ # Released: 2022-02-27 -# Issues: https://github.com/acmesh-official/acme.sh/issues/XXXX +# Issues: https://github.com/acmesh-official/acme.sh/issues/4718 ################################################################################ # Usage: # 1. export AF_API_USERNAME='api12345678' From 7f39cdc85660ad3d1fb6b2f6b70cc094fd093e29 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Jul 2023 16:45:49 +0800 Subject: [PATCH 198/276] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 03c838ac..7605c396 100755 --- a/acme.sh +++ b/acme.sh @@ -925,7 +925,7 @@ _sed_i() { _egrep_o() { if _exists egrep; then - egrep -o "$1" 2>/dev/null; + egrep -o "$1" 2>/dev/null else sed -n 's/.*\('"$1"'\).*/\1/p' fi From 3b7be478aa7f5f257397e9cf8cccea3e1a2aa502 Mon Sep 17 00:00:00 2001 From: Malte Rabenseifner Date: Sat, 29 Jul 2023 11:27:33 +0200 Subject: [PATCH 199/276] Fix stuff from tests ShellCheck tests have brought up a couple of issues, that I was not aware of needed to be taken care. This should fix the tests. --- dnsapi/dns_pleskxml.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index 9cb0b1be..81973e07 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -386,13 +386,13 @@ _pleskxml_get_root_domain() { # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" - debug_output="$(printf "$output" | sed -n 's:.*\(.*\).*:\1:p')" - + debug_output="$(printf "%s" "$output" | sed -n 's:.*\(.*\).*:\1:p')" + _debug 'Domains managed by Plesk server are:' - _debug "$debug_output" + _debug "$debug_output" _debug "Querying Plesk server for list of additional managed domains..." - + _call_api "$pleskxml_tplt_get_additional_domains" if [ "$pleskxml_retcode" -ne 0 ]; then return 1 @@ -405,18 +405,18 @@ _pleskxml_get_root_domain() { # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. output_additional="$(_api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" - debug_additional="$(printf "$output_additional" | sed -n 's:.*\(.*\).*:\1:p')" + debug_additional="$(printf "%s" "$output_additional" | sed -n 's:.*\(.*\).*:\1:p')" _debug 'Additional domains managed by Plesk server are:' _debug "$debug_additional" - + # Concate the two outputs together. - - output="$(printf "$output $NEWLINE $output_additional")" - debug_output="$(printf "$output" | sed -n 's:.*\(.*\).*:\1:p')" - + + output="$(printf "%s" "$output $NEWLINE $output_additional")" + debug_output="$(printf "%s" "$output" | sed -n 's:.*\(.*\).*:\1:p')" + _debug 'Domains (including additional) managed by Plesk server are:' - _debug "$debug_output" + _debug "$debug_output" # loop and test if domain, or any parent domain, is managed by Plesk # Loop until we don't have any '.' in the string we're testing as a candidate Plesk-managed domain From a7f3d413ef81782a43cf568ab7a136ffb7e9e5e5 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Jul 2023 22:32:30 +0800 Subject: [PATCH 200/276] fix for solaris --- acme.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 7605c396..c79cadfc 100755 --- a/acme.sh +++ b/acme.sh @@ -2103,9 +2103,20 @@ _head_n() { } _tail_n() { - if ! tail -n "$1" 2>/dev/null; then + if _is_solaris; then #fix for solaris tail -"$1" + else + tail -n "$1" + fi +} + +_tail_c() { + if _is_solaris; then + #fix for solaris + tail -"$1"c + else + tail -c "$1" fi } @@ -2280,7 +2291,7 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi - if [ -n "$(tail -c1 <"$__conf")" ]; then + if [ -n "$(_tail_c 1 <"$__conf")" ]; then echo >>"$__conf" fi From 6db8ae451ab3263570bdb2eb3b33d10c91f289c5 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Jul 2023 23:17:20 +0800 Subject: [PATCH 201/276] fix for solaris --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index c79cadfc..3c9ba003 100755 --- a/acme.sh +++ b/acme.sh @@ -924,10 +924,10 @@ _sed_i() { } _egrep_o() { - if _exists egrep; then - egrep -o "$1" 2>/dev/null - else + if _is_solaris; then sed -n 's/.*\('"$1"'\).*/\1/p' + else + egrep -o "$1" fi } From 15ee036db17d13a8ec75275e0b7ef729a79dc9f2 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Jul 2023 23:30:44 +0800 Subject: [PATCH 202/276] fix for solaris --- acme.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 3c9ba003..75efde4c 100755 --- a/acme.sh +++ b/acme.sh @@ -923,11 +923,17 @@ _sed_i() { fi } +if [ "$(echo abc | egrep -o b 2>/dev/null)" = "b" ]; then + __USE_EGREP=1 +else + __USE_EGREP="" +fi + _egrep_o() { - if _is_solaris; then - sed -n 's/.*\('"$1"'\).*/\1/p' - else + if [ "$__USE_EGREP" ]; then egrep -o "$1" + else + sed -n 's/.*\('"$1"'\).*/\1/p' fi } From b6f62ac446ab9ff78f4a90c4330dc314678545c9 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 30 Jul 2023 10:58:22 +0800 Subject: [PATCH 203/276] fix for curl bugs nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation see https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2018342 --- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 6daa9be4..5a0d81ba 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -62,7 +62,7 @@ jobs: nat: | "8080": "80" prepare: | - pkg install -y curl socat + pkg install -y curl socat libnghttp2 usesh: true run: | cd ../acmetest \ diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index 7746645a..745a9408 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -66,7 +66,7 @@ jobs: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" - prepare: pkg_add socat curl wget + prepare: pkg_add socat curl wget libnghttp2 usesh: true copyback: false run: | From d52b38777aaf19bc49ef6edd5d23546ddd3a4f03 Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Wed, 9 Aug 2023 19:52:37 +0200 Subject: [PATCH 204/276] Fix Auth API access for DSM 6 --- deploy/synology_dsm.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 7398b350..ba35d784 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -91,8 +91,10 @@ synology_dsm_deploy() { _debug "Getting API version" response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth") + api_path=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"path" *: *"\([0-9]*\)".*/\1/p') api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p') _debug3 response "$response" + _debug3 api_path "$api_path" _debug3 api_version "$api_version" # Login, get the session ID & SynoToken from JSON @@ -133,12 +135,12 @@ synology_dsm_deploy() { [ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal" fi - response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name") + response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name") _debug3 response "$response" SYNO_Device_ID=$(echo "$response" | grep "device_id" | sed -n 's/.*"device_id" *: *"\([^"]*\).*/\1/p') _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID" else - response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID") + response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID") _debug3 response "$response" fi From b793dbf977dbf5d6b6829d185e0b2a0fa130941a Mon Sep 17 00:00:00 2001 From: Martin Arndt <5111490+Eagle3386@users.noreply.github.com> Date: Fri, 11 Aug 2023 17:55:45 +0200 Subject: [PATCH 205/276] Fix device ID property name for DSM 6 --- deploy/synology_dsm.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index ba35d784..21c7ac9b 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -136,8 +136,11 @@ synology_dsm_deploy() { fi response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name") - _debug3 response "$response" - SYNO_Device_ID=$(echo "$response" | grep "device_id" | sed -n 's/.*"device_id" *: *"\([^"]*\).*/\1/p') + _secure_debug3 response "$response" + + id_property='device_id' + [ "${api_version}" -gt '6' ] || id_property='did' + SYNO_Device_ID=$(echo "$response" | grep "$id_property" | sed -n 's/.*"'$id_property'" *: *"\([^"]*\).*/\1/p') _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID" else response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID") From 8d00f489cd6072d562dce05e7a43a5bdb0877113 Mon Sep 17 00:00:00 2001 From: Vito <35035879+vitoyucepi@users.noreply.github.com> Date: Sun, 20 Aug 2023 20:05:45 +0300 Subject: [PATCH 206/276] Remove excessive full stop from help --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 07aef029..70f1daac 100755 --- a/acme.sh +++ b/acme.sh @@ -6925,7 +6925,7 @@ Parameters: These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert: - --cert-file Path to copy the cert file to after issue/renew.. + --cert-file Path to copy the cert file to after issue/renew. --key-file Path to copy the key file to after issue/renew. --ca-file Path to copy the intermediate cert file to after issue/renew. --fullchain-file Path to copy the fullchain cert file to after issue/renew. From 13d31ecb7f195f623a9a4deff9c2eb3fc6aecaeb Mon Sep 17 00:00:00 2001 From: Nirjas Jakilim Date: Mon, 21 Aug 2023 12:28:50 +0600 Subject: [PATCH 207/276] fixed regex for nginx conf path Fixed the regex for nginx path configuration to fix grep: unrecognized option error --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 75efde4c..8c662486 100755 --- a/acme.sh +++ b/acme.sh @@ -3130,7 +3130,7 @@ _setNginx() { _err "nginx command is not found." return 1 fi - NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "--conf-path=[^ ]* " | tr -d " ")" + NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "\-\-conf-path=[^ ]* " | tr -d " ")" _debug NGINX_CONF "$NGINX_CONF" NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)" _debug NGINX_CONF "$NGINX_CONF" From 9143cd1485a4a0220897124fec78eb2ec45f81ec Mon Sep 17 00:00:00 2001 From: glocknerc <65351984+glocknerc@users.noreply.github.com> Date: Wed, 23 Aug 2023 14:07:07 +0200 Subject: [PATCH 208/276] Change grep to be case-insensitive when looking for Set-Cookie header since INWX change casing to lowercase --- dnsapi/dns_inwx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index ba789da9..e483c0e8 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -194,7 +194,7 @@ _inwx_login() { response="$(_post "$xml_content" "$INWX_Api" "" "POST")" - INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')") + INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')") _H1=$INWX_Cookie export _H1 export INWX_Cookie From 9b0b5bce9f79672dff5eb80dbb74a0ec4c88986f Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Mon, 28 Aug 2023 15:30:26 +0200 Subject: [PATCH 209/276] inwx: Be case insensitive while searching for the cookie. At least since 2023-08-25 the cookie is set via `set-cookie' instead the expecting `Set-Cookie' string. A month earlier it was working. Ignore the case while matching the cookie. Fixes: #4763 Signed-off-by: Sebastian Andrzej Siewior --- dnsapi/dns_inwx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index ba789da9..e483c0e8 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -194,7 +194,7 @@ _inwx_login() { response="$(_post "$xml_content" "$INWX_Api" "" "POST")" - INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')") + INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')") _H1=$INWX_Cookie export _H1 export INWX_Cookie From 089d35708b99fe326660c8d95ed30b5040532d40 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sat, 2 Sep 2023 14:31:17 +0800 Subject: [PATCH 210/276] fix for curl bugs nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation see https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2018342 https://github.com/acmesh-official/acme.sh/commit/b6f62ac446ab9ff78f4a90c4330dc314678545c9 https://github.com/acmesh-official/acme.sh/issues/4775 --- .github/workflows/DNS.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 615e5d8b..a13cb51c 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -332,7 +332,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg_add curl socat + pkg_add curl socat libnghttp2 usesh: true copyback: false run: | @@ -384,7 +384,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg install -y curl socat + pkg install -y curl socat libnghttp2 usesh: true copyback: false run: | From 29a2920a2c585488ba1f81f9d459d86aab951f9e Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sat, 2 Sep 2023 14:49:43 +0800 Subject: [PATCH 211/276] Add dns_tencent.sh Adapt to Tencent Cloud (DNSPod) API 3.0 --- dnsapi/dns_tencent.sh | 201 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 dnsapi/dns_tencent.sh diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh new file mode 100644 index 00000000..30e33f03 --- /dev/null +++ b/dnsapi/dns_tencent.sh @@ -0,0 +1,201 @@ +#!/usr/bin/env sh +set -x +Tencent_API="https://dnspod.tencentcloudapi.com" + +#Tencent_SecretId="AKIDz8krbsJ5yKBZQpn74WFkmLPx3gnPhESA" +#Tencent_SecretKey="Gu5t9xGARNpq86cd98joQYCN3Cozk1qA" + +#Usage: dns_tencent_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_tencent_add() { + fulldomain=$1 + txtvalue=$2 + + Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" + Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" + if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then + Tencent_SecretId="" + Tencent_SecretKey="" + _err "You don't specify tencent api SecretId and SecretKey yet." + return 1 + fi + + #save the api SecretId and SecretKey to the account conf file. + _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId" + _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + + _debug "Add record" + _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord" +} + +dns_tencent_rm() { + fulldomain=$1 + txtvalue=$2 + Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" + Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + + _debug "Get record list" + sleep 30 + _check_exist_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "DescribeRecordFilterList" + + record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" + _debug2 record_id "$record_id" + + if [ -z "$record_id" ]; then + _debug "record not found, skip" + else + _debug "Delete record" + _delete_record_query "$record_id" && _tencent_rest "DeleteRecord" + fi +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _describe_records_query "$h" "@" + if ! _tencent_rest "DescribeRecordList" "ignore"; then + return 1 + fi + + if _contains "$response" "\"TotalCount\":"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _debug _sub_domain "$_sub_domain" + _domain="$h" + _debug _domain "$_domain" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_tencent_rest() { + action=$1 + service="dnspod" + payload="${query}" + timestamp=$(date -u +%s) + + token=$(tencent_signature_v3 $service "$action" "$payload" "$timestamp") + version="2021-03-23" + + if ! response="$(tencent_api_request $service $version "$action" "$payload" "$timestamp")"; then + _err "Error <$1>" + return 1 + fi + + _debug2 response "$response" + if [ -z "$2" ]; then + message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" + if [ "$message" ]; then + _err "$message" + return 1 + fi + fi +} + +_add_record_query() { + query="{\"Domain\":\"$1\",\"SubDomain\":\"$2\",\"RecordType\":\"TXT\",\"RecordLineId\":\"0\",\"RecordLine\":\"0\",\"Value\":\"$3\",\"TTL\":600}" +} + +_describe_records_query() { + query="{\"Domain\":\"$1\",\"Limit\":3000}" +} + +_delete_record_query() { + query="{\"Domain\":\"$_domain\",\"RecordId\":$1}" +} + +_check_exist_query() { + _domain="$1" + _subdomain="$2" + _value="$3" + query="{\"Domain\":\"$_domain\",\"SubDomain\":\"$_subdomain\",\"RecordValue\":\"$_value\"}" +} + +# shell client for tencent cloud api v3 | @author: rehiy + +tencent_sha256() { + printf %b "$@" | openssl dgst -sha256 -hex | sed 's/^.* //' +} + +tencent_hmac_sha256() { + k=$1 + shift + printf %b "$@" | openssl dgst -sha256 -hmac "$k" | sed 's/^.* //' +} + +tencent_hmac_sha256_hexkey() { + k=$1 + shift + printf %b "$@" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$k" | sed 's/^.* //' +} + +tencent_signature_v3() { + service=$1 + action=$(echo "$2" | tr '[:upper:]' '[:lower:]') + payload=${3:-'{}'} + timestamp=${4:-$(date +%s)} + + domain="$service.tencentcloudapi.com" + secretId=${Tencent_SecretId:-'tencent-cloud-secret-id'} + secretKey=${Tencent_SecretKey:-'tencent-cloud-secret-key'} + + algorithm='TC3-HMAC-SHA256' + date=$(date -u -d "@$timestamp" +%Y-%m-%d 2>/dev/null) + [ -z "$date" ] && date=$(date -u -r "$timestamp" +%Y-%m-%d) + + canonicalUri='/' + canonicalQuery='' + canonicalHeaders="content-type:application/json\nhost:$domain\nx-tc-action:$action\n" + + signedHeaders='content-type;host;x-tc-action' + canonicalRequest="POST\n$canonicalUri\n$canonicalQuery\n$canonicalHeaders\n$signedHeaders\n$(tencent_sha256 "$payload")" + + credentialScope="$date/$service/tc3_request" + stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")" + + secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date") + secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service") + secretSigning=$(tencent_hmac_sha256_hexkey "$secretService" 'tc3_request') + signature=$(tencent_hmac_sha256_hexkey "$secretSigning" "$stringToSign") + + echo "$algorithm Credential=$secretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature" +} + +tencent_api_request() { + service=$1 + version=$2 + action=$3 + payload=${4:-'{}'} + timestamp=${5:-$(date +%s)} + + token=$(tencent_signature_v3 "$service" "$action" "$payload" "$timestamp") + + _H1="Content-Type: application/json" + _H2="Authorization: $token" + _H3="X-TC-Version: $version" + _H4="X-TC-Timestamp: $timestamp" + _H5="X-TC-Action: $action" + + _post "$payload" "$Tencent_API" "" "POST" "application/json" +} From e5b76ed4c4326c6ce039121c1ed78908aa450288 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sat, 2 Sep 2023 15:13:37 +0800 Subject: [PATCH 212/276] Delete dnsapi/dns_tencent.sh --- dnsapi/dns_tencent.sh | 201 ------------------------------------------ 1 file changed, 201 deletions(-) delete mode 100644 dnsapi/dns_tencent.sh diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh deleted file mode 100644 index 30e33f03..00000000 --- a/dnsapi/dns_tencent.sh +++ /dev/null @@ -1,201 +0,0 @@ -#!/usr/bin/env sh -set -x -Tencent_API="https://dnspod.tencentcloudapi.com" - -#Tencent_SecretId="AKIDz8krbsJ5yKBZQpn74WFkmLPx3gnPhESA" -#Tencent_SecretKey="Gu5t9xGARNpq86cd98joQYCN3Cozk1qA" - -#Usage: dns_tencent_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" -dns_tencent_add() { - fulldomain=$1 - txtvalue=$2 - - Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" - Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" - if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then - Tencent_SecretId="" - Tencent_SecretKey="" - _err "You don't specify tencent api SecretId and SecretKey yet." - return 1 - fi - - #save the api SecretId and SecretKey to the account conf file. - _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId" - _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey" - - _debug "First detect the root zone" - if ! _get_root "$fulldomain"; then - return 1 - fi - - _debug "Add record" - _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord" -} - -dns_tencent_rm() { - fulldomain=$1 - txtvalue=$2 - Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" - Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" - - _debug "First detect the root zone" - if ! _get_root "$fulldomain"; then - return 1 - fi - - _debug "Get record list" - sleep 30 - _check_exist_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "DescribeRecordFilterList" - - record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" - _debug2 record_id "$record_id" - - if [ -z "$record_id" ]; then - _debug "record not found, skip" - else - _debug "Delete record" - _delete_record_query "$record_id" && _tencent_rest "DeleteRecord" - fi -} - -#################### Private functions below ################################## - -_get_root() { - domain=$1 - i=2 - p=1 - while true; do - h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) - if [ -z "$h" ]; then - #not valid - return 1 - fi - - _describe_records_query "$h" "@" - if ! _tencent_rest "DescribeRecordList" "ignore"; then - return 1 - fi - - if _contains "$response" "\"TotalCount\":"; then - _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") - _debug _sub_domain "$_sub_domain" - _domain="$h" - _debug _domain "$_domain" - return 0 - fi - p="$i" - i=$(_math "$i" + 1) - done - return 1 -} - -_tencent_rest() { - action=$1 - service="dnspod" - payload="${query}" - timestamp=$(date -u +%s) - - token=$(tencent_signature_v3 $service "$action" "$payload" "$timestamp") - version="2021-03-23" - - if ! response="$(tencent_api_request $service $version "$action" "$payload" "$timestamp")"; then - _err "Error <$1>" - return 1 - fi - - _debug2 response "$response" - if [ -z "$2" ]; then - message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" - if [ "$message" ]; then - _err "$message" - return 1 - fi - fi -} - -_add_record_query() { - query="{\"Domain\":\"$1\",\"SubDomain\":\"$2\",\"RecordType\":\"TXT\",\"RecordLineId\":\"0\",\"RecordLine\":\"0\",\"Value\":\"$3\",\"TTL\":600}" -} - -_describe_records_query() { - query="{\"Domain\":\"$1\",\"Limit\":3000}" -} - -_delete_record_query() { - query="{\"Domain\":\"$_domain\",\"RecordId\":$1}" -} - -_check_exist_query() { - _domain="$1" - _subdomain="$2" - _value="$3" - query="{\"Domain\":\"$_domain\",\"SubDomain\":\"$_subdomain\",\"RecordValue\":\"$_value\"}" -} - -# shell client for tencent cloud api v3 | @author: rehiy - -tencent_sha256() { - printf %b "$@" | openssl dgst -sha256 -hex | sed 's/^.* //' -} - -tencent_hmac_sha256() { - k=$1 - shift - printf %b "$@" | openssl dgst -sha256 -hmac "$k" | sed 's/^.* //' -} - -tencent_hmac_sha256_hexkey() { - k=$1 - shift - printf %b "$@" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$k" | sed 's/^.* //' -} - -tencent_signature_v3() { - service=$1 - action=$(echo "$2" | tr '[:upper:]' '[:lower:]') - payload=${3:-'{}'} - timestamp=${4:-$(date +%s)} - - domain="$service.tencentcloudapi.com" - secretId=${Tencent_SecretId:-'tencent-cloud-secret-id'} - secretKey=${Tencent_SecretKey:-'tencent-cloud-secret-key'} - - algorithm='TC3-HMAC-SHA256' - date=$(date -u -d "@$timestamp" +%Y-%m-%d 2>/dev/null) - [ -z "$date" ] && date=$(date -u -r "$timestamp" +%Y-%m-%d) - - canonicalUri='/' - canonicalQuery='' - canonicalHeaders="content-type:application/json\nhost:$domain\nx-tc-action:$action\n" - - signedHeaders='content-type;host;x-tc-action' - canonicalRequest="POST\n$canonicalUri\n$canonicalQuery\n$canonicalHeaders\n$signedHeaders\n$(tencent_sha256 "$payload")" - - credentialScope="$date/$service/tc3_request" - stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")" - - secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date") - secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service") - secretSigning=$(tencent_hmac_sha256_hexkey "$secretService" 'tc3_request') - signature=$(tencent_hmac_sha256_hexkey "$secretSigning" "$stringToSign") - - echo "$algorithm Credential=$secretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature" -} - -tencent_api_request() { - service=$1 - version=$2 - action=$3 - payload=${4:-'{}'} - timestamp=${5:-$(date +%s)} - - token=$(tencent_signature_v3 "$service" "$action" "$payload" "$timestamp") - - _H1="Content-Type: application/json" - _H2="Authorization: $token" - _H3="X-TC-Version: $version" - _H4="X-TC-Timestamp: $timestamp" - _H5="X-TC-Action: $action" - - _post "$payload" "$Tencent_API" "" "POST" "application/json" -} From b32d22731b00b723600e0de9f6b9fceb60952f37 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 2 Sep 2023 15:32:12 +0800 Subject: [PATCH 213/276] remove --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 73ff3321..717ecf5f 100644 --- a/README.md +++ b/README.md @@ -506,10 +506,6 @@ Support this project with your organization. Your logo will show up here with a -#### Sponsors - -[![quantumca-acmesh-logo](https://user-images.githubusercontent.com/8305679/183255712-634ee1db-bb61-4c03-bca0-bacce99e078c.svg)](https://www.quantumca.com.cn/?__utm_source=acmesh-donation) - # 19. License & Others From 8bdcd224862af85d99e682844e71122772c3eba7 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 2 Sep 2023 15:44:45 +0800 Subject: [PATCH 214/276] fix https://github.com/acmesh-official/acme.sh/issues/4746 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 70f1daac..a8256609 100755 --- a/acme.sh +++ b/acme.sh @@ -931,7 +931,7 @@ fi _egrep_o() { if [ "$__USE_EGREP" ]; then - egrep -o "$1" + egrep -o -- "$1" else sed -n 's/.*\('"$1"'\).*/\1/p' fi From 04946e992eb60a3cc85b4c9b0e0fe9a577ac1e5e Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 2 Sep 2023 17:15:17 +0800 Subject: [PATCH 215/276] change the default debug level to 2. --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 92faeb5e..7b61b109 100755 --- a/acme.sh +++ b/acme.sh @@ -107,7 +107,7 @@ DEFAULT_LOG_LEVEL="$LOG_LEVEL_1" DEBUG_LEVEL_1=1 DEBUG_LEVEL_2=2 DEBUG_LEVEL_3=3 -DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1 +DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_2 DEBUG_LEVEL_NONE=0 DOH_CLOUDFLARE=1 @@ -6899,7 +6899,7 @@ Parameters: -f, --force Force install, force cert renewal or override sudo restrictions. --staging, --test Use staging server, for testing. - --debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted. + --debug [0|1|2|3] Output debug info. Defaults to $DEBUG_LEVEL_DEFAULT if argument is omitted. --output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for security. -w, --webroot Specifies the web root folder for web root mode. From c18364c75549e840a9db0025fc86947f4fdab114 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 2 Sep 2023 17:18:12 +0800 Subject: [PATCH 216/276] change default log level to 2 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 7b61b109..4fab21d2 100755 --- a/acme.sh +++ b/acme.sh @@ -102,7 +102,7 @@ ECC_SUFFIX="${ECC_SEP}ecc" LOG_LEVEL_1=1 LOG_LEVEL_2=2 LOG_LEVEL_3=3 -DEFAULT_LOG_LEVEL="$LOG_LEVEL_1" +DEFAULT_LOG_LEVEL="$LOG_LEVEL_2" DEBUG_LEVEL_1=1 DEBUG_LEVEL_2=2 @@ -6917,7 +6917,7 @@ Parameters: -k, --keylength Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521. -ak, --accountkeylength Specifies the account key length: 2048, 3072, 4096 --log [file] Specifies the log file. Defaults to \"$DEFAULT_LOG_FILE\" if argument is omitted. - --log-level <1|2> Specifies the log level, default is 1. + --log-level <1|2> Specifies the log level, default is $DEFAULT_LOG_LEVEL. --syslog <0|3|6|7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug. --eab-kid Key Identifier for External Account Binding. --eab-hmac-key HMAC key for External Account Binding. From eed8a7f0788190d44e6a603bd49eb96c508fdb3c Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 2 Sep 2023 17:27:21 +0800 Subject: [PATCH 217/276] add more debug code https://github.com/acmesh-official/acme.sh/issues/4768 --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 4fab21d2..54dfa9a5 100755 --- a/acme.sh +++ b/acme.sh @@ -5015,9 +5015,9 @@ $_authorizations_map" errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)" _debug2 errordetail "$errordetail" if [ "$errordetail" ]; then - _err "$d:Verify error:$errordetail" + _err "Invalid status, $d:Verify error detail:$errordetail" else - _err "$d:Verify error:$error" + _err "Invalid status, $d:Verify error:$error" fi if [ "$DEBUG" ]; then if [ "$vtype" = "$VTYPE_HTTP" ]; then @@ -5044,7 +5044,7 @@ $_authorizations_map" elif _contains "$status" "processing"; then _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)" else - _err "$d:Verify error:$response" + _err "Unknown status: $status, $d:Verify error:$response" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" _clearup _on_issue_err "$_post_hook" "$vlist" @@ -5057,7 +5057,7 @@ $_authorizations_map" _send_signed_request "$_authz_url" if [ "$?" != "0" ]; then - _err "$d:Verify error:$response" + _err "Invalid code, $d:Verify error:$response" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" _clearup _on_issue_err "$_post_hook" "$vlist" From 87dc4fe388244663055cea068b23c97632561544 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sat, 2 Sep 2023 18:23:14 +0800 Subject: [PATCH 218/276] =?UTF-8?q?fix=20for=20curl=20bugs=20nghttp2=5Fopt?= =?UTF-8?q?ion=5Fset=5Fno=5Frfc9113=5Fleading=5Fand=5Ftrailing=5F=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In #4776, I mistakenly added libnghttp2 to NetBsd, and now it has been corrected and added to OpenBsd --- .github/workflows/DNS.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index a13cb51c..8bae3520 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -280,7 +280,7 @@ jobs: - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg_add socat curl + prepare: pkg_add socat curl libnghttp2 usesh: true copyback: false run: | @@ -332,7 +332,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg_add curl socat libnghttp2 + pkg_add curl socat usesh: true copyback: false run: | From 09b41aa66711777b90c8d6200b825330ffee2e09 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sat, 2 Sep 2023 18:38:51 +0800 Subject: [PATCH 219/276] fix for nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation In #4776, I mistakenly added libnghttp2 to NetBSD, now for correction. --- .github/workflows/DNS.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 8bae3520..507755c9 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -280,7 +280,7 @@ jobs: - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg_add socat curl libnghttp2 + prepare: pkg_add socat curl usesh: true copyback: false run: | From 3abcfd8fa926fb1ee03b45826f8a12644e63ff05 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sat, 2 Sep 2023 18:47:59 +0800 Subject: [PATCH 220/276] Add dns_tencent.sh Adapt to Tencent Cloud (DNSPod) API 3.0 --- dnsapi/dns_tencent.sh | 210 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 210 insertions(+) create mode 100644 dnsapi/dns_tencent.sh diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh new file mode 100644 index 00000000..b4b4cb24 --- /dev/null +++ b/dnsapi/dns_tencent.sh @@ -0,0 +1,210 @@ +#!/usr/bin/env sh +Tencent_API="https://dnspod.tencentcloudapi.com" + +#Tencent_SecretId="AKIDz81d2cd22cdcdc2dcd1cc1d1A" +#Tencent_SecretKey="Gu5t9abcabcaabcbabcbbbcbcbbccbbcb" + +#Usage: dns_tencent_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_tencent_add() { + fulldomain=$1 + txtvalue=$2 + + Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" + Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" + if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then + Tencent_SecretId="" + Tencent_SecretKey="" + _err "You don't specify tencent api SecretId and SecretKey yet." + return 1 + fi + + #save the api SecretId and SecretKey to the account conf file. + _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId" + _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + + _debug "Add record" + _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord" +} + +dns_tencent_rm() { + fulldomain=$1 + txtvalue=$2 + Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" + Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + + _debug "Get record list" + attempt=1 + max_attempts=5 + while [ -z "$record_id" ] && [ $attempt -le $max_attempts ]; do + _check_exist_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "DescribeRecordFilterList" + record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" + _debug2 record_id "$record_id" + if [ -z "$record_id" ]; then + _debug "Due to TencentCloud API synchronization delay, record not found, waiting 10 seconds and retrying" + sleep 10 + attempt=$((attempt + 1)) + fi + done + + record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" + _debug2 record_id "$record_id" + + if [ -z "$record_id" ]; then + _debug "record not found after $max_attempts attempts, skip" + else + _debug "Delete record" + _delete_record_query "$record_id" && _tencent_rest "DeleteRecord" + fi +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _describe_records_query "$h" "@" + if ! _tencent_rest "DescribeRecordList" "ignore"; then + return 1 + fi + + if _contains "$response" "\"TotalCount\":"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _debug _sub_domain "$_sub_domain" + _domain="$h" + _debug _domain "$_domain" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_tencent_rest() { + action=$1 + service="dnspod" + payload="${query}" + timestamp=$(date -u +%s) + + token=$(tencent_signature_v3 $service "$action" "$payload" "$timestamp") + version="2021-03-23" + + if ! response="$(tencent_api_request $service $version "$action" "$payload" "$timestamp")"; then + _err "Error <$1>" + return 1 + fi + + _debug2 response "$response" + if [ -z "$2" ]; then + message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" + if [ "$message" ]; then + _err "$message" + return 1 + fi + fi +} + +_add_record_query() { + query="{\"Domain\":\"$1\",\"SubDomain\":\"$2\",\"RecordType\":\"TXT\",\"RecordLineId\":\"0\",\"RecordLine\":\"0\",\"Value\":\"$3\",\"TTL\":600}" +} + +_describe_records_query() { + query="{\"Domain\":\"$1\",\"Limit\":3000}" +} + +_delete_record_query() { + query="{\"Domain\":\"$_domain\",\"RecordId\":$1}" +} + +_check_exist_query() { + _domain="$1" + _subdomain="$2" + _value="$3" + query="{\"Domain\":\"$_domain\",\"SubDomain\":\"$_subdomain\",\"RecordValue\":\"$_value\"}" +} + +# shell client for tencent cloud api v3 | @author: rehiy + +tencent_sha256() { + printf %b "$@" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -hex | sed 's/^.* //' +} + +tencent_hmac_sha256() { + k=$1 + shift + printf %b "$@" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -hmac "$k" | sed 's/^.* //' +} + +tencent_hmac_sha256_hexkey() { + k=$1 + shift + printf %b "$@" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -mac HMAC -macopt "hexkey:$k" | sed 's/^.* //' +} + +tencent_signature_v3() { + service=$1 + action=$(echo "$2" | tr '[:upper:]' '[:lower:]') + payload=${3:-'{}'} + timestamp=${4:-$(date +%s)} + + domain="$service.tencentcloudapi.com" + secretId=${Tencent_SecretId:-'tencent-cloud-secret-id'} + secretKey=${Tencent_SecretKey:-'tencent-cloud-secret-key'} + + algorithm='TC3-HMAC-SHA256' + date=$(date -u -d "@$timestamp" +%Y-%m-%d 2>/dev/null) + [ -z "$date" ] && date=$(date -u -r "$timestamp" +%Y-%m-%d) + + canonicalUri='/' + canonicalQuery='' + canonicalHeaders="content-type:application/json\nhost:$domain\nx-tc-action:$action\n" + + signedHeaders='content-type;host;x-tc-action' + canonicalRequest="POST\n$canonicalUri\n$canonicalQuery\n$canonicalHeaders\n$signedHeaders\n$(tencent_sha256 "$payload")" + + credentialScope="$date/$service/tc3_request" + stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")" + + secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date") + secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service") + secretSigning=$(tencent_hmac_sha256_hexkey "$secretService" 'tc3_request') + signature=$(tencent_hmac_sha256_hexkey "$secretSigning" "$stringToSign") + + echo "$algorithm Credential=$secretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature" +} + +tencent_api_request() { + service=$1 + version=$2 + action=$3 + payload=${4:-'{}'} + timestamp=${5:-$(date +%s)} + + token=$(tencent_signature_v3 "$service" "$action" "$payload" "$timestamp") + + _H1="Content-Type: application/json" + _H2="Authorization: $token" + _H3="X-TC-Version: $version" + _H4="X-TC-Timestamp: $timestamp" + _H5="X-TC-Action: $action" + + _post "$payload" "$Tencent_API" "" "POST" "application/json" +} From 27b1dd04c4d240d368d79216e84debbaeed813ae Mon Sep 17 00:00:00 2001 From: LJea Date: Sun, 3 Sep 2023 01:02:16 +0900 Subject: [PATCH 221/276] improve the compatibility Fixed an issue where some embedded devices could not obtain nanoseconds resulting in abnormal parameter coding --- dnsapi/dns_ali.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index c2105672..c69839dc 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -117,7 +117,7 @@ _ali_urlencode() { _ali_nonce() { #_head_n 1 Date: Sun, 3 Sep 2023 01:31:57 +0800 Subject: [PATCH 222/276] Following Neilpang's suggestions and project standards, replace some functions. --- dnsapi/dns_tencent.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh index b4b4cb24..746f00f0 100644 --- a/dnsapi/dns_tencent.sh +++ b/dnsapi/dns_tencent.sh @@ -51,7 +51,7 @@ dns_tencent_rm() { _debug2 record_id "$record_id" if [ -z "$record_id" ]; then _debug "Due to TencentCloud API synchronization delay, record not found, waiting 10 seconds and retrying" - sleep 10 + _sleep 10 attempt=$((attempt + 1)) fi done @@ -71,7 +71,7 @@ dns_tencent_rm() { _get_root() { domain=$1 - i=2 + i=1 p=1 while true; do h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) @@ -144,19 +144,20 @@ _check_exist_query() { # shell client for tencent cloud api v3 | @author: rehiy tencent_sha256() { - printf %b "$@" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -hex | sed 's/^.* //' + printf %b "$@" | _digest sha256 hex } tencent_hmac_sha256() { k=$1 shift - printf %b "$@" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -hmac "$k" | sed 's/^.* //' + hex_key=$(_ascii_hex "$k" | tr -d ' ') + printf %b "$@" | _hmac sha256 "$hex_key" hex } tencent_hmac_sha256_hexkey() { k=$1 shift - printf %b "$@" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -mac HMAC -macopt "hexkey:$k" | sed 's/^.* //' + printf %b "$@" | _hmac sha256 "$k" hex } tencent_signature_v3() { From e3c4c9265dfe2d2816e68dfe310d5f6fcda4f25b Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Sun, 3 Sep 2023 21:21:05 +0800 Subject: [PATCH 223/276] Replace some functions. --- dnsapi/dns_tencent.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh index 746f00f0..5cce4aeb 100644 --- a/dnsapi/dns_tencent.sh +++ b/dnsapi/dns_tencent.sh @@ -45,14 +45,14 @@ dns_tencent_rm() { _debug "Get record list" attempt=1 max_attempts=5 - while [ -z "$record_id" ] && [ $attempt -le $max_attempts ]; do + while [ -z "$record_id" ] && [ "$attempt" -le $max_attempts ]; do _check_exist_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "DescribeRecordFilterList" record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" _debug2 record_id "$record_id" if [ -z "$record_id" ]; then _debug "Due to TencentCloud API synchronization delay, record not found, waiting 10 seconds and retrying" _sleep 10 - attempt=$((attempt + 1)) + attempt=$(_math "$attempt + 1") fi done @@ -162,7 +162,7 @@ tencent_hmac_sha256_hexkey() { tencent_signature_v3() { service=$1 - action=$(echo "$2" | tr '[:upper:]' '[:lower:]') + action=$(echo "$2" | _lower_case) payload=${3:-'{}'} timestamp=${4:-$(date +%s)} From 772bbdc862777cf06c649271c9319f45b9075313 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Wed, 6 Sep 2023 12:57:19 +0800 Subject: [PATCH 224/276] Replace some functions --- dnsapi/dns_tencent.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh index 5cce4aeb..b926225b 100644 --- a/dnsapi/dns_tencent.sh +++ b/dnsapi/dns_tencent.sh @@ -150,7 +150,7 @@ tencent_sha256() { tencent_hmac_sha256() { k=$1 shift - hex_key=$(_ascii_hex "$k" | tr -d ' ') + hex_key=$(printf %b "$k" | _hex_dump | tr -d ' ') printf %b "$@" | _hmac sha256 "$hex_key" hex } @@ -183,6 +183,7 @@ tencent_signature_v3() { credentialScope="$date/$service/tc3_request" stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")" + _debug "stringToSign: $stringToSign" secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date") secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service") From af534a73fc75cddf5a60f0ec1b13f79056b51940 Mon Sep 17 00:00:00 2001 From: KincaidYang <91786638+KincaidYang@users.noreply.github.com> Date: Wed, 6 Sep 2023 13:09:52 +0800 Subject: [PATCH 225/276] =?UTF-8?q?=E7=A7=BB=E9=99=A4=E9=83=A8=E5=88=86?= =?UTF-8?q?=E6=95=8F=E6=84=9Fdebug=E4=BF=A1=E6=81=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dnsapi/dns_tencent.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_tencent.sh b/dnsapi/dns_tencent.sh index b926225b..2f8d3b67 100644 --- a/dnsapi/dns_tencent.sh +++ b/dnsapi/dns_tencent.sh @@ -183,7 +183,6 @@ tencent_signature_v3() { credentialScope="$date/$service/tc3_request" stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")" - _debug "stringToSign: $stringToSign" secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date") secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service") From ae4c186f55b10b26d9bb0528bc90893413bd967e Mon Sep 17 00:00:00 2001 From: Tobias Grave Date: Thu, 7 Sep 2023 08:40:46 +0200 Subject: [PATCH 226/276] Fix Variomedia API --- dnsapi/dns_variomedia.sh | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/dnsapi/dns_variomedia.sh b/dnsapi/dns_variomedia.sh index a35b8f0f..200b3f50 100644 --- a/dnsapi/dns_variomedia.sh +++ b/dnsapi/dns_variomedia.sh @@ -69,7 +69,7 @@ dns_variomedia_rm() { return 1 fi - _record_id="$(echo "$response" | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')" + _record_id="$(echo "$response" | sed -E 's/,"tags":\[[^]]*\]//g' | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep -- "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')" _debug _record_id "$_record_id" if [ "$_record_id" ]; then _info "Successfully retrieved the record id for ACME challenge." @@ -93,11 +93,11 @@ dns_variomedia_rm() { # _sub_domain=_acme-challenge.www # _domain=domain.com _get_root() { - fulldomain=$1 - i=1 + domain=$1 + i=2 + p=1 while true; do - h=$(printf "%s" "$fulldomain" | cut -d . -f $i-100) - _debug h "$h" + h=$(printf "%s" "$domain" | cut -d . -f $i-100) if [ -z "$h" ]; then return 1 fi @@ -106,17 +106,14 @@ _get_root() { return 1 fi - if _startswith "$response" "\{\"data\":"; then - if _contains "$response" "\"id\":\"$h\""; then - _sub_domain="$(echo "$fulldomain" | sed "s/\\.$h\$//")" - _domain=$h - return 0 - fi + if _contains "$response" "\"id\":\"$h\""; then + _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p) + _domain="$h" + return 0 fi + p=$i i=$(_math "$i" + 1) done - - _debug "root domain not found" return 1 } From 29b2960805ac850a564e5ec6521720a3511a1771 Mon Sep 17 00:00:00 2001 From: Scruel Tao Date: Thu, 7 Sep 2023 15:01:37 +0800 Subject: [PATCH 227/276] Optimze comment & remove tail space --- deploy/synology_dsm.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 15f961e2..455d9de4 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -19,7 +19,7 @@ # - export SYNO_Scheme="http" # - export SYNO_Hostname="localhost" # - export SYNO_Port="5000" -# - export SYNO_Create=1 to allow creating the certificate if it doesn't exist +# - export SYNO_Create=1 - to allow creating the certificate if it doesn't exist # - export SYNO_Device_Name="CertRenewal" - required if 2FA-OTP enabled # - export SYNO_Device_ID="" - required for skipping 2FA-OTP # 3. acme.sh --deploy --deploy-hook synology_dsm -d example.com @@ -191,7 +191,7 @@ synology_dsm_deploy() { _H1="X-SYNO-TOKEN: $token" export _H1 - _debug2 H1 "${_H1}" + _debug2 H1 "${_H1}" # Now that we know the username & password are good, save them _savedeployconf SYNO_Username "$SYNO_Username" From 1a08be0a3fca85413421cedcf598ac4d3f5ded04 Mon Sep 17 00:00:00 2001 From: Julien Furgerot Date: Mon, 11 Sep 2023 15:05:12 +0200 Subject: [PATCH 228/276] dns_gandi: implements personal access token in addition to the (deprecated) API key --- dnsapi/dns_gandi_livedns.sh | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_gandi_livedns.sh b/dnsapi/dns_gandi_livedns.sh index 931da883..f299779e 100644 --- a/dnsapi/dns_gandi_livedns.sh +++ b/dnsapi/dns_gandi_livedns.sh @@ -1,7 +1,8 @@ #!/usr/bin/env sh # Gandi LiveDNS v5 API -# https://doc.livedns.gandi.net/ +# https://api.gandi.net/docs/livedns/ +# https://api.gandi.net/docs/authentication/ for token + apikey (deprecated) authentication # currently under beta # # Requires GANDI API KEY set in GANDI_LIVEDNS_KEY set as environment variable @@ -19,13 +20,23 @@ dns_gandi_livedns_add() { fulldomain=$1 txtvalue=$2 - if [ -z "$GANDI_LIVEDNS_KEY" ]; then - _err "No API key specified for Gandi LiveDNS." - _err "Create your key and export it as GANDI_LIVEDNS_KEY" + if [ -z "$GANDI_LIVEDNS_KEY" -a -z "$GANDI_LIVEDNS_TOKEN" ]; then + _err "No Token or API key (deprecated) specified for Gandi LiveDNS." + _err "Create your token or key and export it as GANDI_LIVEDNS_KEY or GANDI_LIVEDNS_TOKEN respectively" return 1 fi - _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY" + # Keep only one secret in configuration + if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then + _saveaccountconf GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN" + _clearaccountconf GANDI_LIVEDNS_KEY + elif [ -n "$GANDI_LIVEDNS_KEY" ]; then + _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY" + _clearaccountconf GANDI_LIVEDNS_TOKEN + fi + + + _debug "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -157,7 +168,12 @@ _gandi_livedns_rest() { _debug "$ep" export _H1="Content-Type: application/json" - export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY" + + if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then + export _H2="Authorization: Bearer $GANDI_LIVEDNS_TOKEN" + else + export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY" + fi if [ "$m" = "GET" ]; then response="$(_get "$GANDI_LIVEDNS_API/$ep")" From 558e706bdeb395ce0164cb9b7a31078269413d33 Mon Sep 17 00:00:00 2001 From: Julien Furgerot Date: Tue, 12 Sep 2023 15:54:44 +0200 Subject: [PATCH 229/276] fix ci errors (shellcheck & shfmt) --- dnsapi/dns_gandi_livedns.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dnsapi/dns_gandi_livedns.sh b/dnsapi/dns_gandi_livedns.sh index f299779e..14939d7c 100644 --- a/dnsapi/dns_gandi_livedns.sh +++ b/dnsapi/dns_gandi_livedns.sh @@ -20,7 +20,7 @@ dns_gandi_livedns_add() { fulldomain=$1 txtvalue=$2 - if [ -z "$GANDI_LIVEDNS_KEY" -a -z "$GANDI_LIVEDNS_TOKEN" ]; then + if [ -z "$GANDI_LIVEDNS_KEY" ] && [ -z "$GANDI_LIVEDNS_TOKEN" ]; then _err "No Token or API key (deprecated) specified for Gandi LiveDNS." _err "Create your token or key and export it as GANDI_LIVEDNS_KEY or GANDI_LIVEDNS_TOKEN respectively" return 1 @@ -35,9 +35,6 @@ dns_gandi_livedns_add() { _clearaccountconf GANDI_LIVEDNS_TOKEN fi - - - _debug "First detect the root zone" if ! _get_root "$fulldomain"; then _err "invalid domain" From dfd49e46ad268d6f1796cf850b0b353b667cc11d Mon Sep 17 00:00:00 2001 From: Tobias Grave Date: Thu, 14 Sep 2023 09:15:08 +0200 Subject: [PATCH 230/276] Fix root zone determination for Variomedia API --- dnsapi/dns_variomedia.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_variomedia.sh b/dnsapi/dns_variomedia.sh index 200b3f50..aa743807 100644 --- a/dnsapi/dns_variomedia.sh +++ b/dnsapi/dns_variomedia.sh @@ -94,7 +94,7 @@ dns_variomedia_rm() { # _domain=domain.com _get_root() { domain=$1 - i=2 + i=1 p=1 while true; do h=$(printf "%s" "$domain" | cut -d . -f $i-100) From 59f976dc48873787d089df34c3ebc092a14bc110 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 20 Sep 2023 18:07:16 +0800 Subject: [PATCH 231/276] fix https://github.com/acmesh-official/acme.sh/issues/4798 --- acme.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/acme.sh b/acme.sh index 067780d7..bce7a41d 100755 --- a/acme.sh +++ b/acme.sh @@ -2118,12 +2118,7 @@ _tail_n() { } _tail_c() { - if _is_solaris; then - #fix for solaris - tail -"$1"c - else - tail -c "$1" - fi + tail -c "$1" 2>/dev/null || tail -"$1"c } # url payload needbase64 keyfile From 87a7bde61813391e6c8379ae93c921bd68889c53 Mon Sep 17 00:00:00 2001 From: Romeo Dumitrescu Date: Mon, 25 Sep 2023 18:43:01 +0300 Subject: [PATCH 232/276] fix: Synology DSM API path regex Fix the regex for looking up the API path value from the Synology API query. --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 21c7ac9b..10da861a 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -91,7 +91,7 @@ synology_dsm_deploy() { _debug "Getting API version" response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth") - api_path=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"path" *: *"\([0-9]*\)".*/\1/p') + api_path=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"path" *: *"\([^"]*\)".*/\1/p') api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p') _debug3 response "$response" _debug3 api_path "$api_path" From f2e1b589b5c5ff115fe9e8d87f4a926cd575b5ff Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 6 Oct 2023 20:01:28 +0800 Subject: [PATCH 233/276] start 3.0.8 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index bce7a41d..34291708 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=3.0.7 +VER=3.0.8 PROJECT_NAME="acme.sh" From e15513bfdd6fb843f8b57be407bffe28bb12de6b Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 6 Oct 2023 20:05:39 +0800 Subject: [PATCH 234/276] fix format --- notify/mattermost.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/notify/mattermost.sh b/notify/mattermost.sh index 9037ae0d..f13f6ebc 100644 --- a/notify/mattermost.sh +++ b/notify/mattermost.sh @@ -38,7 +38,7 @@ mattermost_send() { _data="$_data\"message\": \"$_content\"}" export _H1="Authorization: Bearer $MATTERMOST_BOT_TOKEN" - + response="" if _post "$_data" "$MATTERMOST_API_URL" "" "POST" "application/json; charset=utf-8"; then MATTERMOST_RESULT_OK=$(echo "$response" | _egrep_o 'create_at') if [ "$?" = "0" ] && [ "$MATTERMOST_RESULT_OK" ]; then From fe890c62f4229c8696d85edfd2336130214135db Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 22 Oct 2023 23:07:00 +0800 Subject: [PATCH 235/276] fix https://github.com/acmesh-official/acme.sh/issues/4835 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 34291708..3fdaa804 100755 --- a/acme.sh +++ b/acme.sh @@ -931,7 +931,7 @@ fi _egrep_o() { if [ "$__USE_EGREP" ]; then - egrep -o -- "$1" + egrep -o -- "$1" 2>/dev/null else sed -n 's/.*\('"$1"'\).*/\1/p' fi From 8ca5ca6594227b473edc8882753371c6176e6f0e Mon Sep 17 00:00:00 2001 From: podguzovvasily Date: Tue, 24 Oct 2023 16:58:47 +0300 Subject: [PATCH 236/276] Update haproxy.sh resolved issue with HAProxy https://github.com/acmesh-official/acme.sh/issues/4788 according https://serversforhackers.com/c/letsencrypt-with-haproxy --- deploy/haproxy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/haproxy.sh b/deploy/haproxy.sh index c255059d..d638abb8 100644 --- a/deploy/haproxy.sh +++ b/deploy/haproxy.sh @@ -147,7 +147,7 @@ haproxy_deploy() { # Create a temporary PEM file _temppem="$(_mktemp)" _debug _temppem "${_temppem}" - cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}" + cat "${_ccert}" "${_cca}" "${_ckey}" >"${_temppem}" _ret="$?" # Check that we could create the temporary file From 00dbc3881fa377646115a237bb12193f13504973 Mon Sep 17 00:00:00 2001 From: Adnan RIHAN Date: Wed, 1 Nov 2023 20:02:16 +0100 Subject: [PATCH 237/276] Fixed variables --- deploy/proxmoxve.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/proxmoxve.sh b/deploy/proxmoxve.sh index 216a8fc7..f9de590c 100644 --- a/deploy/proxmoxve.sh +++ b/deploy/proxmoxve.sh @@ -99,11 +99,11 @@ proxmoxve_deploy() { _proxmoxve_api_token_key="$DEPLOY_PROXMOXVE_API_TOKEN_KEY" _savedeployconf DEPLOY_PROXMOXVE_API_TOKEN_KEY "$DEPLOY_PROXMOXVE_API_TOKEN_KEY" fi - _debug2 DEPLOY_PROXMOXVE_API_TOKEN_KEY _proxmoxve_api_token_key + _debug2 DEPLOY_PROXMOXVE_API_TOKEN_KEY "$_proxmoxve_api_token_key" # PVE API Token header value. Used in "Authorization: PVEAPIToken". _proxmoxve_header_api_token="${_proxmoxve_user}@${_proxmoxve_user_realm}!${_proxmoxve_api_token_name}=${_proxmoxve_api_token_key}" - _debug2 "Auth Header" _proxmoxve_header_api_token + _debug2 "Auth Header" "$_proxmoxve_header_api_token" # Ugly. I hate putting heredocs inside functions because heredocs don't # account for whitespace correctly but it _does_ work and is several times @@ -124,8 +124,8 @@ HEREDOC ) _debug2 Payload "$_json_payload" - # Push certificates to server. - export _HTTPS_INSECURE=1 + _info "Push certificates to server" + export HTTPS_INSECURE=1 export _H1="Authorization: PVEAPIToken=${_proxmoxve_header_api_token}" _post "$_json_payload" "$_target_url" "" POST "application/json" From 199977be6a6785f7507f8ee21fe7d350979909e6 Mon Sep 17 00:00:00 2001 From: Gavin Leo Date: Mon, 30 Oct 2023 11:16:37 +0800 Subject: [PATCH 238/276] Fix https://github.com/acmesh-official/acme.sh/issues/4460 Update gcore API url. --- dnsapi/dns_gcore.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_gcore.sh b/dnsapi/dns_gcore.sh index d549a650..5f7f037e 100755 --- a/dnsapi/dns_gcore.sh +++ b/dnsapi/dns_gcore.sh @@ -4,8 +4,8 @@ #GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb' # -GCORE_Api="https://api.gcorelabs.com/dns/v2" -GCORE_Doc="https://apidocs.gcore.com/dns" +GCORE_Api="https://api.gcore.com/dns/v2" +GCORE_Doc="https://api.gcore.com/docs/dns" ######## Public functions ##################### From 8454ffa331905efc0e85f70a12a6c1a9dbf5c128 Mon Sep 17 00:00:00 2001 From: Matthew Robinson Date: Thu, 2 Nov 2023 08:30:44 -0700 Subject: [PATCH 239/276] Fix issue with similar domain names causing an error in selecting the proper root domain to add challenge records in --- dnsapi/dns_aws.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_aws.sh b/dnsapi/dns_aws.sh index 50c93260..bb0682a7 100755 --- a/dnsapi/dns_aws.sh +++ b/dnsapi/dns_aws.sh @@ -157,7 +157,7 @@ _get_root() { # iterate over names (a.b.c.d -> b.c.d -> c.d -> d) while true; do - h=$(printf "%s" "$domain" | cut -d . -f $i-100) + h=$(printf "%s" "$domain" | cut -d . -f $i-100 | sed 's/\./\\./g') _debug "Checking domain: $h" if [ -z "$h" ]; then _error "invalid domain" From 5342c7c82b4ef07e0921070d1b1392b094a3644e Mon Sep 17 00:00:00 2001 From: mrbaiwei Date: Fri, 3 Nov 2023 18:14:26 +0800 Subject: [PATCH 240/276] support West.cn Domain Signed-off-by: mrbaiwei --- dnsapi/dns_west.sh | 108 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 dnsapi/dns_west.sh diff --git a/dnsapi/dns_west.sh b/dnsapi/dns_west.sh new file mode 100644 index 00000000..6a9ebe5d --- /dev/null +++ b/dnsapi/dns_west.sh @@ -0,0 +1,108 @@ +#!/usr/bin/env sh + +# West.cn Domain api +# +#WEST_Username="uername" +# +#WEST_Key="sADDsdasdgdsf" + +REST_API="https://api.west.cn/API/v2" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_west_add() { + fulldomain=$1 + txtvalue=$2 + + WEST_Username="${WEST_Username:-$(_readaccountconf_mutable WEST_Username)}" + WEST_Key="${WEST_Key:-$(_readaccountconf_mutable WEST_Key)}" + if [ -z "$WEST_Username" ] || [ -z "$WEST_Key" ]; then + WEST_Username="" + WEST_Key="" + _err "You don't specify dnspod api key and key id yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable WEST_Username "$WEST_Username" + _saveaccountconf_mutable WEST_Key "$WEST_Key" + + add_record "$fulldomain" "$txtvalue" +} + +#Usage: rm _acme-challenge.www.domain.com +dns_west_rm() { + fulldomain=$1 + txtvalue=$2 + + WEST_Username="${WEST_Username:-$(_readaccountconf_mutable WEST_Username)}" + WEST_Key="${WEST_Key:-$(_readaccountconf_mutable WEST_Key)}" + + if ! _rest POST "domain/dns/" "act=dnsrec.list&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT"; then + _err "Record.Lis error." + return 1 + fi + + if _contains "$response" 'no records'; then + _info "Don't need to remove." + return 0 + fi + + record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"record_id"' | cut -d : -f 2 | cut -d ',' -f 1) + _debug record_id "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id." + return 1 + fi + + if ! _rest POST "domain/dns/" "act=dnsrec.remove&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_id=$record_id"; then + _err "Record.Remove error." + return 1 + fi + + _contains "$response" "success" + + +} + +#add the txt record. +#usage: add fulldomain txtvalue +add_record() { + fulldomain=$1 + txtvalue=$2 + + _info "Adding record" + + if ! _rest POST "domain/dns/" "act=dnsrec.add&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT&value=$txtvalue"; then + return 1 + fi + + _contains "$response" "success" +} + +#Usage: method URI data +_rest() { + m="$1" + ep="$2" + data="$3" + _debug "$ep" + url="$REST_API/$ep" + + _debug url "$url" + + if [ "$m" = "GET" ]; then + response="$(_get "$url" | tr -d '\r')" + else + _debug2 data "$data" + response="$(_post "$data" "$url" | tr -d '\r')" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 6ea09444ec792f2f4e690cc2fb479e669cae4e7e Mon Sep 17 00:00:00 2001 From: mrbaiwei Date: Sat, 4 Nov 2023 00:04:05 +0800 Subject: [PATCH 241/276] Update dns_west.sh Signed-off-by: mrbaiwei --- dnsapi/dns_west.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_west.sh b/dnsapi/dns_west.sh index 6a9ebe5d..1ef302ca 100644 --- a/dnsapi/dns_west.sh +++ b/dnsapi/dns_west.sh @@ -2,8 +2,8 @@ # West.cn Domain api # -#WEST_Username="uername" -# +#WEST_Username="username" +# set key at https://www.west.cn/manager/API/APIconfig.asp #WEST_Key="sADDsdasdgdsf" REST_API="https://api.west.cn/API/v2" @@ -63,8 +63,6 @@ dns_west_rm() { fi _contains "$response" "success" - - } #add the txt record. From feffbba6de593693dff8d5c87a7c021b21eadcf1 Mon Sep 17 00:00:00 2001 From: mrbaiwei Date: Sat, 4 Nov 2023 14:16:11 +0800 Subject: [PATCH 242/276] Update dns_west.sh Signed-off-by: mrbaiwei --- dnsapi/dns_west.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_west.sh b/dnsapi/dns_west.sh index 1ef302ca..afb50fad 100644 --- a/dnsapi/dns_west.sh +++ b/dnsapi/dns_west.sh @@ -20,8 +20,8 @@ dns_west_add() { if [ -z "$WEST_Username" ] || [ -z "$WEST_Key" ]; then WEST_Username="" WEST_Key="" - _err "You don't specify dnspod api key and key id yet." - _err "Please create you key and try again." + _err "You don't specify west api key and username yet." + _err "Please set you key and try again." return 1 fi @@ -41,7 +41,7 @@ dns_west_rm() { WEST_Key="${WEST_Key:-$(_readaccountconf_mutable WEST_Key)}" if ! _rest POST "domain/dns/" "act=dnsrec.list&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT"; then - _err "Record.Lis error." + _err "dnsrec.list error." return 1 fi @@ -58,7 +58,7 @@ dns_west_rm() { fi if ! _rest POST "domain/dns/" "act=dnsrec.remove&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_id=$record_id"; then - _err "Record.Remove error." + _err "dnsrec.remove error." return 1 fi From 1cc3a13c497d8981dc7c6b700e0b38f8d0469262 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Nov 2023 10:04:26 +0100 Subject: [PATCH 243/276] fix comments --- .github/workflows/pr_dns.yml | 3 ++- .github/workflows/pr_notify.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr_dns.yml b/.github/workflows/pr_dns.yml index 5faa9105..b627d3ab 100644 --- a/.github/workflows/pr_dns.yml +++ b/.github/workflows/pr_dns.yml @@ -22,9 +22,10 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, body: `**Welcome** - Please make sure you're read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test). + Please make sure you've read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test). Then reply on this message, otherwise, your code will not be reviewed or merged. We look forward to reviewing your Pull request shortly ✨ + 注意: 必须通过了 [DNS-API-Test](../wiki/DNS-API-Test) 才会被 review. 无论是修改, 还是新加的 dns api, 都必须确保通过这个测试. ` }) diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml index 4844e297..3b0e3e4b 100644 --- a/.github/workflows/pr_notify.yml +++ b/.github/workflows/pr_notify.yml @@ -22,7 +22,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, body: `**Welcome** - Please make sure you're read our [Code-of-conduct](../wiki/Code-of-conduct) and add the usage here: [notify](../wiki/notify). + Please make sure you've read our [Code-of-conduct](../wiki/Code-of-conduct) and add the usage here: [notify](../wiki/notify). Then reply on this message, otherwise, your code will not be reviewed or merged. We look forward to reviewing your Pull request shortly ✨ ` From a60d0c41087e3b79e60c0c0587c29a0de25c5dee Mon Sep 17 00:00:00 2001 From: mrbaiwei Date: Mon, 6 Nov 2023 11:25:09 +0800 Subject: [PATCH 244/276] Update dns_west_cn.sh Signed-off-by: mrbaiwei --- dnsapi/{dns_west.sh => dns_west_cn.sh} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename dnsapi/{dns_west.sh => dns_west_cn.sh} (96%) diff --git a/dnsapi/dns_west.sh b/dnsapi/dns_west_cn.sh similarity index 96% rename from dnsapi/dns_west.sh rename to dnsapi/dns_west_cn.sh index afb50fad..fa723b64 100644 --- a/dnsapi/dns_west.sh +++ b/dnsapi/dns_west_cn.sh @@ -3,15 +3,15 @@ # West.cn Domain api # #WEST_Username="username" -# set key at https://www.west.cn/manager/API/APIconfig.asp #WEST_Key="sADDsdasdgdsf" +#Set key at https://www.west.cn/manager/API/APIconfig.asp REST_API="https://api.west.cn/API/v2" ######## Public functions ##################### #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" -dns_west_add() { +dns_west_cn_add() { fulldomain=$1 txtvalue=$2 @@ -33,7 +33,7 @@ dns_west_add() { } #Usage: rm _acme-challenge.www.domain.com -dns_west_rm() { +dns_west_cn_rm() { fulldomain=$1 txtvalue=$2 From eb99803b53de63bad45cf144621fe5a59892f2d8 Mon Sep 17 00:00:00 2001 From: mrbaiwei Date: Mon, 6 Nov 2023 13:18:36 +0800 Subject: [PATCH 245/276] Update west.cn domain api Signed-off-by: mrbaiwei --- dnsapi/dns_west_cn.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_west_cn.sh b/dnsapi/dns_west_cn.sh index fa723b64..bff4598a 100644 --- a/dnsapi/dns_west_cn.sh +++ b/dnsapi/dns_west_cn.sh @@ -1,7 +1,6 @@ #!/usr/bin/env sh # West.cn Domain api -# #WEST_Username="username" #WEST_Key="sADDsdasdgdsf" #Set key at https://www.west.cn/manager/API/APIconfig.asp From bea71f34115428299b8c73fd6cc56dedc39697f7 Mon Sep 17 00:00:00 2001 From: mrbaiwei Date: Tue, 7 Nov 2023 07:20:25 +0800 Subject: [PATCH 246/276] Update dns_west_cn.sh Signed-off-by: mrbaiwei --- dnsapi/dns_west_cn.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_west_cn.sh b/dnsapi/dns_west_cn.sh index bff4598a..d0bb7d49 100644 --- a/dnsapi/dns_west_cn.sh +++ b/dnsapi/dns_west_cn.sh @@ -72,7 +72,7 @@ add_record() { _info "Adding record" - if ! _rest POST "domain/dns/" "act=dnsrec.add&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT&value=$txtvalue"; then + if ! _rest POST "domain/dns/" "act=dnsrec.add&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT&record_value=$txtvalue"; then return 1 fi From 15d10eeebcb03884ceddfe2df84d142f7fe43e8d Mon Sep 17 00:00:00 2001 From: Adrian Fedoreanu Date: Fri, 10 Nov 2023 08:22:28 +0100 Subject: [PATCH 247/276] dns_1984.hosting.sh: update login and account status URLs --- dnsapi/dns_1984hosting.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_1984hosting.sh b/dnsapi/dns_1984hosting.sh index 2c6b2e4f..e4ef2e4b 100755 --- a/dnsapi/dns_1984hosting.sh +++ b/dnsapi/dns_1984hosting.sh @@ -128,7 +128,7 @@ _1984hosting_login() { _debug "Login to 1984Hosting as user $One984HOSTING_Username." username=$(printf '%s' "$One984HOSTING_Username" | _url_encode) password=$(printf '%s' "$One984HOSTING_Password" | _url_encode) - url="https://1984.hosting/accounts/checkuserauth/" + url="https://1984.hosting/api/auth/" _get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken" csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')" @@ -185,7 +185,7 @@ _check_cookies() { return 1 fi - _authget "https://1984.hosting/accounts/loginstatus/" + _authget "https://1984.hosting/api/auth/" if _contains "$_response" '"ok": true'; then _debug "Cached cookies still valid." return 0 From 074cf00a7c0cd154a84522881f1386657aa7cc17 Mon Sep 17 00:00:00 2001 From: Sander Cox Date: Tue, 14 Nov 2023 11:28:24 +0100 Subject: [PATCH 248/276] Update dns_gcloud.sh rm logs record added The logs show record was added twice but the second time was actual the rm command thus the removal of the record! --- dnsapi/dns_gcloud.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_gcloud.sh b/dnsapi/dns_gcloud.sh index 2788ad59..dc82c09d 100755 --- a/dnsapi/dns_gcloud.sh +++ b/dnsapi/dns_gcloud.sh @@ -42,7 +42,7 @@ dns_gcloud_rm() { echo "$rrdatas" | grep -F -v -- "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $? _dns_gcloud_execute_tr || return $? - _info "$fulldomain record added" + _info "$fulldomain record removed" } #################### Private functions below ################################## From f899d0d8ed620271756e590ba8c7b38ac19e6177 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 20 Nov 2023 23:39:25 +0100 Subject: [PATCH 249/276] update --- .github/workflows/FreeBSD.yml | 6 +++--- .github/workflows/Linux.yml | 2 +- .github/workflows/MacOS.yml | 2 +- .github/workflows/NetBSD.yml | 6 +++--- .github/workflows/OpenBSD.yml | 6 +++--- .github/workflows/PebbleStrict.yml | 4 ++-- .github/workflows/Ubuntu.yml | 2 +- .github/workflows/Windows.yml | 2 +- .github/workflows/dockerhub.yml | 2 +- .github/workflows/shellcheck.yml | 4 ++-- 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index 0fa55fd4..b90c9ccd 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -41,7 +41,7 @@ jobs: # CA: "ZeroSSL RSA Domain Secure Site CA" # CA_EMAIL: "githubtest@acme.sh" # TEST_PREFERRED_CHAIN: "" - runs-on: macos-12 + runs-on: ubuntu-latest env: TEST_LOCAL: 1 TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: vmactions/cf-tunnel@v0 id: tunnel with: @@ -61,7 +61,7 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/freebsd-vm@v0 + - uses: vmactions/freebsd-vm@v1 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index 156fa5df..33e43483 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -33,7 +33,7 @@ jobs: TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 TEST_ACME_Server: "LetsEncrypt.org_test" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: | cd .. \ diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml index c1f29769..c3f046ab 100644 --- a/.github/workflows/MacOS.yml +++ b/.github/workflows/MacOS.yml @@ -44,7 +44,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install tools run: brew install socat - name: Clone acmetest diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 25872c42..e9301860 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -36,7 +36,7 @@ jobs: # CA: "ZeroSSL RSA Domain Secure Site CA" # CA_EMAIL: "githubtest@acme.sh" # TEST_PREFERRED_CHAIN: "" - runs-on: macos-12 + runs-on: ubuntu-latest env: TEST_LOCAL: 1 TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} @@ -45,7 +45,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: vmactions/cf-tunnel@v0 id: tunnel with: @@ -55,7 +55,7 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/netbsd-vm@v0 + - uses: vmactions/netbsd-vm@v1 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' nat: | diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index 745a9408..e141c47b 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -41,7 +41,7 @@ jobs: # CA: "ZeroSSL RSA Domain Secure Site CA" # CA_EMAIL: "githubtest@acme.sh" # TEST_PREFERRED_CHAIN: "" - runs-on: macos-12 + runs-on: ubuntu-latest env: TEST_LOCAL: 1 TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: vmactions/cf-tunnel@v0 id: tunnel with: @@ -61,7 +61,7 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/openbsd-vm@v0 + - uses: vmactions/openbsd-vm@v1 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index 9f3a98ce..3f8fdb62 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -33,7 +33,7 @@ jobs: TEST_CA: "Pebble Intermediate CA" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install tools run: sudo apt-get install -y socat - name: Run Pebble @@ -58,7 +58,7 @@ jobs: TEST_IPCERT: 1 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install tools run: sudo apt-get install -y socat - name: Run Pebble diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 4bf2ba29..53cc1060 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -70,7 +70,7 @@ jobs: TestingDomain: ${{ matrix.TestingDomain }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install tools run: sudo apt-get install -y socat wget - name: Start StepCA diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index c02e2f77..61ef5ad8 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -49,7 +49,7 @@ jobs: - name: Set git to use LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install cygwin base packages with chocolatey run: | choco config get cacheLocation diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 48c44429..ea446d84 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -41,7 +41,7 @@ jobs: if: "contains(needs.CheckToken.outputs.hasToken, 'true')" steps: - name: checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index a5a08bbf..746727d4 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -22,7 +22,7 @@ jobs: ShellCheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install Shellcheck run: sudo apt-get install -y shellcheck - name: DoShellcheck @@ -31,7 +31,7 @@ jobs: shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install shfmt run: curl -sSL https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64 -o ~/shfmt && chmod +x ~/shfmt - name: shfmt From f364d4fbefa8fca1b8e78745247d916a96241c5e Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 21 Nov 2023 08:45:54 +0100 Subject: [PATCH 250/276] fix --- .github/workflows/NetBSD.yml | 142 +++++++++++++++++------------------ 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index e9301860..e5206913 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -1,71 +1,71 @@ -name: NetBSD -on: - push: - branches: - - '*' - paths: - - '*.sh' - - '.github/workflows/NetBSD.yml' - - pull_request: - branches: - - dev - paths: - - '*.sh' - - '.github/workflows/NetBSD.yml' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - - - - -jobs: - NetBSD: - strategy: - matrix: - include: - - TEST_ACME_Server: "LetsEncrypt.org_test" - CA_ECDSA: "" - CA: "" - CA_EMAIL: "" - TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 - #- TEST_ACME_Server: "ZeroSSL.com" - # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" - # CA: "ZeroSSL RSA Domain Secure Site CA" - # CA_EMAIL: "githubtest@acme.sh" - # TEST_PREFERRED_CHAIN: "" - runs-on: ubuntu-latest - env: - TEST_LOCAL: 1 - TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} - CA_ECDSA: ${{ matrix.CA_ECDSA }} - CA: ${{ matrix.CA }} - CA_EMAIL: ${{ matrix.CA_EMAIL }} - TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} - steps: - - uses: actions/checkout@v4 - - uses: vmactions/cf-tunnel@v0 - id: tunnel - with: - protocol: http - port: 8080 - - name: Set envs - run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - - name: Clone acmetest - run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/netbsd-vm@v1 - with: - envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' - nat: | - "8080": "80" - prepare: | - pkg_add curl socat - usesh: true - copyback: false - run: | - cd ../acmetest \ - && ./letest.sh - - +name: NetBSD +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/NetBSD.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/NetBSD.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + + +jobs: + NetBSD: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + steps: + - uses: actions/checkout@v4 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/netbsd-vm@v1 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' + nat: | + "8080": "80" + prepare: | + pkg_add curl socat + usesh: true + copyback: false + run: | + cd ../acmetest \ + && ./letest.sh + + From a4bd89c93857eeed29653978aee66da753119f95 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 21 Nov 2023 09:00:22 +0100 Subject: [PATCH 251/276] fix --- .github/workflows/NetBSD.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index e5206913..a5565d09 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -61,7 +61,7 @@ jobs: nat: | "8080": "80" prepare: | - pkg_add curl socat + /usr/sbin/pkg_add curl socat usesh: true copyback: false run: | From 3b7bc5a56ad5046b63c747923c510c1e6a51bb95 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 2 Dec 2023 22:50:59 +0100 Subject: [PATCH 252/276] update dragonflybsd-vm@v1 --- .github/workflows/DNS.yml | 32 +++---- .github/workflows/DragonFlyBSD.yml | 142 ++++++++++++++--------------- 2 files changed, 87 insertions(+), 87 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 507755c9..6e68df9c 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -65,7 +65,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file @@ -113,7 +113,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install tools run: brew install socat - name: Clone acmetest @@ -164,7 +164,7 @@ jobs: - name: Set git to use LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install cygwin base packages with chocolatey run: | choco config get cacheLocation @@ -204,7 +204,7 @@ jobs: FreeBSD: - runs-on: macos-12 + runs-on: ubuntu-latest needs: Windows env: TEST_DNS : ${{ secrets.TEST_DNS }} @@ -223,10 +223,10 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/freebsd-vm@v0 + - uses: vmactions/freebsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg install -y socat curl @@ -255,7 +255,7 @@ jobs: OpenBSD: - runs-on: macos-12 + runs-on: ubuntu-latest needs: FreeBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} @@ -274,10 +274,10 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/openbsd-vm@v0 + - uses: vmactions/openbsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg_add socat curl @@ -306,7 +306,7 @@ jobs: NetBSD: - runs-on: macos-12 + runs-on: ubuntu-latest needs: OpenBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} @@ -325,10 +325,10 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/netbsd-vm@v0 + - uses: vmactions/netbsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | @@ -358,7 +358,7 @@ jobs: DragonFlyBSD: - runs-on: macos-12 + runs-on: ubuntu-latest needs: NetBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} @@ -377,10 +377,10 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/dragonflybsd-vm@v0 + - uses: vmactions/dragonflybsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | @@ -433,7 +433,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 5a0d81ba..3d4f650d 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -1,71 +1,71 @@ -name: DragonFlyBSD -on: - push: - branches: - - '*' - paths: - - '*.sh' - - '.github/workflows/DragonFlyBSD.yml' - - pull_request: - branches: - - dev - paths: - - '*.sh' - - '.github/workflows/DragonFlyBSD.yml' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - - - - -jobs: - DragonFlyBSD: - strategy: - matrix: - include: - - TEST_ACME_Server: "LetsEncrypt.org_test" - CA_ECDSA: "" - CA: "" - CA_EMAIL: "" - TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 - #- TEST_ACME_Server: "ZeroSSL.com" - # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" - # CA: "ZeroSSL RSA Domain Secure Site CA" - # CA_EMAIL: "githubtest@acme.sh" - # TEST_PREFERRED_CHAIN: "" - runs-on: macos-12 - env: - TEST_LOCAL: 1 - TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} - CA_ECDSA: ${{ matrix.CA_ECDSA }} - CA: ${{ matrix.CA }} - CA_EMAIL: ${{ matrix.CA_EMAIL }} - TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} - steps: - - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0 - id: tunnel - with: - protocol: http - port: 8080 - - name: Set envs - run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - - name: Clone acmetest - run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/dragonflybsd-vm@v0 - with: - envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' - copyback: "false" - nat: | - "8080": "80" - prepare: | - pkg install -y curl socat libnghttp2 - usesh: true - run: | - cd ../acmetest \ - && ./letest.sh - - +name: DragonFlyBSD +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/DragonFlyBSD.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/DragonFlyBSD.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + DragonFlyBSD: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v4 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/dragonflybsd-vm@v1 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' + copyback: "false" + nat: | + "8080": "80" + prepare: | + pkg install -y curl socat libnghttp2 + usesh: true + run: | + cd ../acmetest \ + && ./letest.sh + + From a12a3640a7a887bf3695acc08b1e29d4b2342242 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 3 Dec 2023 14:40:32 +0100 Subject: [PATCH 253/276] update --- .github/workflows/DragonFlyBSD.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 3d4f650d..f360f85c 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -57,13 +57,13 @@ jobs: run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v1 with: - envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' - copyback: "false" + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" prepare: | pkg install -y curl socat libnghttp2 usesh: true + copyback: false run: | cd ../acmetest \ && ./letest.sh From f71d8d7348934e8a4f6835431d74fdd5a1bce0f2 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 3 Dec 2023 14:44:23 +0100 Subject: [PATCH 254/276] minor --- .github/workflows/Solaris.yml | 148 +++++++++++++++++----------------- 1 file changed, 74 insertions(+), 74 deletions(-) diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 34d31a59..4ae46d79 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -1,74 +1,74 @@ -name: Solaris -on: - push: - branches: - - '*' - paths: - - '*.sh' - - '.github/workflows/Solaris.yml' - - pull_request: - branches: - - dev - paths: - - '*.sh' - - '.github/workflows/Solaris.yml' - - - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - Solaris: - strategy: - matrix: - include: - - TEST_ACME_Server: "LetsEncrypt.org_test" - CA_ECDSA: "" - CA: "" - CA_EMAIL: "" - TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 - - TEST_ACME_Server: "LetsEncrypt.org_test" - CA_ECDSA: "" - CA: "" - CA_EMAIL: "" - TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 - ACME_USE_WGET: 1 - #- TEST_ACME_Server: "ZeroSSL.com" - # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" - # CA: "ZeroSSL RSA Domain Secure Site CA" - # CA_EMAIL: "githubtest@acme.sh" - # TEST_PREFERRED_CHAIN: "" - runs-on: macos-12 - env: - TEST_LOCAL: 1 - TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} - CA_ECDSA: ${{ matrix.CA_ECDSA }} - CA: ${{ matrix.CA }} - CA_EMAIL: ${{ matrix.CA_EMAIL }} - TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} - ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} - steps: - - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0 - id: tunnel - with: - protocol: http - port: 8080 - - name: Set envs - run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - - name: Clone acmetest - run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0 - with: - envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' - copyback: "false" - nat: | - "8080": "80" - prepare: pkgutil -y -i socat curl wget - run: | - cd ../acmetest \ - && ./letest.sh - +name: Solaris +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Solaris.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Solaris.yml' + + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + Solaris: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-12 + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v4 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/solaris-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + copyback: "false" + nat: | + "8080": "80" + prepare: pkgutil -y -i socat curl wget + run: | + cd ../acmetest \ + && ./letest.sh + From 50f6a459cf66912a01738eaa8db69178f9be03fb Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 4 Dec 2023 09:41:39 +0100 Subject: [PATCH 255/276] update solaris --- .github/workflows/DNS.yml | 4 ++-- .github/workflows/Solaris.yml | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 6e68df9c..95fad2d1 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -413,7 +413,7 @@ jobs: Solaris: - runs-on: macos-12 + runs-on: ubuntu-latest needs: DragonFlyBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} @@ -436,7 +436,7 @@ jobs: - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0 + - uses: vmactions/solaris-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 4ae46d79..bdd3f040 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -14,12 +14,12 @@ on: - '*.sh' - '.github/workflows/Solaris.yml' - - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true + + jobs: Solaris: strategy: @@ -41,7 +41,7 @@ jobs: # CA: "ZeroSSL RSA Domain Secure Site CA" # CA_EMAIL: "githubtest@acme.sh" # TEST_PREFERRED_CHAIN: "" - runs-on: macos-12 + runs-on: ubuntu-latest env: TEST_LOCAL: 1 TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} @@ -61,14 +61,15 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0 + - uses: vmactions/solaris-vm@v1 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' - copyback: "false" nat: | "8080": "80" prepare: pkgutil -y -i socat curl wget + copyback: false run: | cd ../acmetest \ && ./letest.sh + From f0ac566c9369cbc64daf72c9c9449d20c181fb04 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 4 Dec 2023 23:51:06 +0100 Subject: [PATCH 256/276] add Omnios --- .github/workflows/DNS.yml | 51 ++++++++++++++++++++++++ .github/workflows/Omnios.yml | 75 ++++++++++++++++++++++++++++++++++++ README.md | 2 +- 3 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/Omnios.yml diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 95fad2d1..9373fdaf 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -463,3 +463,54 @@ jobs: ./letest.sh + Omnios: + runs-on: ubuntu-latest + needs: DragonFlyBSD + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since Omnios doesn't accept the expired ISRG X1 root + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v4 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/omnios-vm@v1 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + copyback: false + prepare: pkgutil -y -i socat + run: | + pkg set-mediator -v -I default@1.1 openssl + export PATH=/usr/gnu/bin:$PATH + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + diff --git a/.github/workflows/Omnios.yml b/.github/workflows/Omnios.yml new file mode 100644 index 00000000..e3da0be8 --- /dev/null +++ b/.github/workflows/Omnios.yml @@ -0,0 +1,75 @@ +name: Omnios +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Omnios.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Omnios.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + Omnios: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v4 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/omnios-vm@v1 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + nat: | + "8080": "80" + prepare: pkg install socat wget + copyback: false + run: | + cd ../acmetest \ + && ./letest.sh + + diff --git a/README.md b/README.md index 717ecf5f..a64ba4d7 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ [![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml) [![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml) [![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml) - +[![Omnios](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml) ![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg) ![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg) From f4315e2c6f6ba22185fb92102ee592f824ef8a8e Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 5 Dec 2023 19:33:10 +0100 Subject: [PATCH 257/276] fix _date2time --- .github/workflows/DNS.yml | 4 ++-- acme.sh | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 9373fdaf..bf56c1d6 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -465,7 +465,7 @@ jobs: Omnios: runs-on: ubuntu-latest - needs: DragonFlyBSD + needs: Solaris env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -491,7 +491,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false - prepare: pkgutil -y -i socat + prepare: pkg install socat run: | pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH diff --git a/acme.sh b/acme.sh index 3fdaa804..75030acd 100755 --- a/acme.sh +++ b/acme.sh @@ -1795,6 +1795,10 @@ _date2time() { if date -u -j -f "%Y-%m-%d %H:%M:%S" "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then return fi + #Omnios + if da="$(echo "$1" | tr -d "Z" | tr "T" ' ')" perl -MTime::Piece -e 'print Time::Piece->strptime($ENV{da}, "%Y-%m-%d %H:%M:%S")->epoch, "\n";' 2>/dev/null; then + return + fi _err "Can not parse _date2time $1" return 1 } From 8cb1b6b5d548c5561060087cd81cfd9c8f8ab2fa Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 5 Dec 2023 20:19:40 +0100 Subject: [PATCH 258/276] update --- README.md | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index a64ba4d7..9a5c106b 100644 --- a/README.md +++ b/README.md @@ -73,20 +73,21 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |7|[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml)|OpenBSD |8|[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)|NetBSD |9|[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)|DragonFlyBSD -|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian -|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS -|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE -|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl) -|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux -|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora -|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux -|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux -|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia -|19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux -|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux -|11|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 -|22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) -|23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) +|10|[![Omnios](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml)|Omnios +|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian +|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS +|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE +|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl) +|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux +|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora +|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux +|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux +|19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia +|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux +|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux +|22|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 +|23|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) +|24|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) Check our [testing project](https://github.com/acmesh-official/acmetest): From f59a92589759de16bf7b639de027309c614dd458 Mon Sep 17 00:00:00 2001 From: LordDarkneo <40838306+LordDarkneo@users.noreply.github.com> Date: Fri, 22 Dec 2023 09:09:29 -0500 Subject: [PATCH 259/276] Update synology_dsm.sh Issue for lougout --- deploy/synology_dsm.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 10da861a..5ada76de 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -223,7 +223,8 @@ synology_dsm_deploy() { #################### Private functions below ################################## _logout() { - # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget - response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout") + # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget + #Edit Darkneo - reuse previous variables to logout properly only for CERT user + response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=logout&_sid=$sid") _debug3 response "$response" } From 05696d443a59a205d5e0b1b2f06beef35c4cd0a3 Mon Sep 17 00:00:00 2001 From: LordDarkneo <40838306+LordDarkneo@users.noreply.github.com> Date: Fri, 22 Dec 2023 14:34:35 -0500 Subject: [PATCH 260/276] Update synology_dsm.sh #2727 issue when logging out on older version - using variables to unlog only for CERT user --- deploy/synology_dsm.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 5ada76de..0dd4d49e 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -223,8 +223,7 @@ synology_dsm_deploy() { #################### Private functions below ################################## _logout() { - # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget - #Edit Darkneo - reuse previous variables to logout properly only for CERT user + # Logout SERT user only to not occupy a permanent session, e.g. in DSM's "Connected Users" widget (based on previous variables) response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=logout&_sid=$sid") _debug3 response "$response" } From 6992659ba9063fc3ed8d912ab0cf6d8e8a353d2c Mon Sep 17 00:00:00 2001 From: LordDarkneo <40838306+LordDarkneo@users.noreply.github.com> Date: Fri, 22 Dec 2023 14:36:52 -0500 Subject: [PATCH 261/276] Update synology_dsm.sh --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 0dd4d49e..1d945cad 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -223,7 +223,7 @@ synology_dsm_deploy() { #################### Private functions below ################################## _logout() { - # Logout SERT user only to not occupy a permanent session, e.g. in DSM's "Connected Users" widget (based on previous variables) + # Logout CERT user only to not occupy a permanent session, e.g. in DSM's "Connected Users" widget (based on previous variables) response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=logout&_sid=$sid") _debug3 response "$response" } From 3ca97d7258204c200eb1fdef32654aff5a23691a Mon Sep 17 00:00:00 2001 From: Dario Pilori Date: Thu, 4 Jan 2024 18:28:05 +0100 Subject: [PATCH 262/276] Remove whitespace in script name in routeros.sh deploy hook --- deploy/routeros.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/routeros.sh b/deploy/routeros.sh index c4c9470d..d1779b8d 100644 --- a/deploy/routeros.sh +++ b/deploy/routeros.sh @@ -137,7 +137,7 @@ routeros_deploy() { return $_err_code fi - DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \ + DEPLOY_SCRIPT_CMD="/system script add name=\"LECertDeploy-$_cdomain\" owner=$ROUTER_OS_USERNAME \ comment=\"generated by routeros deploy script in acme.sh\" \ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\ \n/certificate remove [ find name=$_cdomain.cer_1 ];\ @@ -158,11 +158,11 @@ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\ return $_err_code fi - if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then + if ! _ssh_remote_cmd "/system script run \"LECertDeploy-$_cdomain\""; then return $_err_code fi - if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then + if ! _ssh_remote_cmd "/system script remove \"LECertDeploy-$_cdomain\""; then return $_err_code fi From b79c3f5cc4eff383f501ad31d60843b84a6b2b21 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 12 Jan 2024 20:36:49 +0100 Subject: [PATCH 263/276] fix pkg_add --- .github/workflows/DNS.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index bf56c1d6..7fd7c45c 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -332,7 +332,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg_add curl socat + /usr/sbin/pkg_add curl socat usesh: true copyback: false run: | From 85e3ecfe0b47dd1dd0e2bd0f926d30d3eed230cd Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 13 Jan 2024 20:28:21 +0100 Subject: [PATCH 264/276] fix omnios --- .github/workflows/DNS.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 7fd7c45c..727ba315 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -493,8 +493,6 @@ jobs: copyback: false prepare: pkg install socat run: | - pkg set-mediator -v -I default@1.1 openssl - export PATH=/usr/gnu/bin:$PATH if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi From bfb41ce12327ccd49fd7ef0b4d077d2f1a6506e7 Mon Sep 17 00:00:00 2001 From: Robert Date: Fri, 12 Jan 2024 15:38:52 -0600 Subject: [PATCH 265/276] Fix acmesh-official#4836 (Switch to new Gandi LiveDNS API) 1. Updated LiveDNS API URL for the new API to allow Personal Access Tokens to work 2. Updated authorization header syntax to allow deprecated API Keys to work with the new API 3. Removed white space in JSON response parsing to match responses returned by the server --- dnsapi/dns_gandi_livedns.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_gandi_livedns.sh b/dnsapi/dns_gandi_livedns.sh index 14939d7c..6092f45c 100644 --- a/dnsapi/dns_gandi_livedns.sh +++ b/dnsapi/dns_gandi_livedns.sh @@ -13,7 +13,7 @@ # ######## Public functions ##################### -GANDI_LIVEDNS_API="https://dns.api.gandi.net/api/v5" +GANDI_LIVEDNS_API="https://api.gandi.net/v5/livedns" #Usage: dns_gandi_livedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_gandi_livedns_add() { @@ -78,7 +78,7 @@ dns_gandi_livedns_rm() { _gandi_livedns_rest PUT \ "domains/$_domain/records/$_sub_domain/TXT" \ "{\"rrset_ttl\": 300, \"rrset_values\": $_new_rrset_values}" && - _contains "$response" '{"message": "DNS Record Created"}' && + _contains "$response" '{"message":"DNS Record Created"}' && _info "Removing record $(__green "success")" } @@ -134,7 +134,7 @@ _dns_gandi_append_record() { _debug new_rrset_values "$_rrset_values" _gandi_livedns_rest PUT "domains/$_domain/records/$sub_domain/TXT" \ "{\"rrset_ttl\": 300, \"rrset_values\": $_rrset_values}" && - _contains "$response" '{"message": "DNS Record Created"}' && + _contains "$response" '{"message":"DNS Record Created"}' && _info "Adding record $(__green "success")" } @@ -144,11 +144,11 @@ _dns_gandi_existing_rrset_values() { if ! _gandi_livedns_rest GET "domains/$domain/records/$sub_domain"; then return 1 fi - if ! _contains "$response" '"rrset_type": "TXT"'; then + if ! _contains "$response" '"rrset_type":"TXT"'; then _debug "Does not have a _acme-challenge TXT record yet." return 1 fi - if _contains "$response" '"rrset_values": \[\]'; then + if _contains "$response" '"rrset_values":\[\]'; then _debug "Empty rrset_values for TXT record, no previous TXT record." return 1 fi @@ -169,7 +169,7 @@ _gandi_livedns_rest() { if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then export _H2="Authorization: Bearer $GANDI_LIVEDNS_TOKEN" else - export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY" + export _H2="Authorization: Apikey $GANDI_LIVEDNS_KEY" fi if [ "$m" = "GET" ]; then From f8dac5905ce49088995f4c12c36b5bb5842ffb16 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 3 Feb 2024 18:07:50 +0800 Subject: [PATCH 266/276] check the status of Order object and the Authorization object. --- acme.sh | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 75030acd..aa41a1d9 100755 --- a/acme.sh +++ b/acme.sh @@ -4515,7 +4515,7 @@ issue() { vlist="$Le_Vlist" _cleardomainconf "Le_Vlist" - _info "Getting domain auth token for each domain" + _debug "Getting domain auth token for each domain" sep='#' dvsep=',' if [ -z "$vlist" ]; then @@ -4571,12 +4571,22 @@ issue() { if [ "$_notAfter" ]; then _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\"" fi + _debug "STEP 1, Ordering a Certificate" if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then _err "Create new order error." _clearup _on_issue_err "$_post_hook" return 1 fi + if _contains "$response" "invalid"; then + if echo "$response" | _normalizeJson | grep '"status":"invalid"' >/dev/null 2>&1; then + _err "Create new order with invalid status." + _err "$response" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + fi Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)" _debug Le_LinkOrder "$Le_LinkOrder" @@ -4601,6 +4611,7 @@ issue() { return 1 fi + _debug "STEP 2, Get the authorizations of each domain" #domain and authz map _authorizations_map="" for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do @@ -4609,6 +4620,7 @@ issue() { _err "get to authz error." _err "_authorizations_seg" "$_authorizations_seg" _err "_authz_url" "$_authz_url" + _err "$response" _clearup _on_issue_err "$_post_hook" return 1 @@ -4616,6 +4628,14 @@ issue() { response="$(echo "$response" | _normalizeJson)" _debug2 response "$response" + if echo "$response" | grep '"status":"invalid"' >/dev/null 2>&1; then + _err "get authz objec with invalid status, please try again later." + _err "_authorizations_seg" "$_authorizations_seg" + _err "$response" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "')" if _contains "$response" "\"wildcard\" *: *true"; then _d="*.$_d" From 3dca67112d4df8d0124617053f1c2bf64e2a9aef Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 3 Feb 2024 18:39:58 +0800 Subject: [PATCH 267/276] fix netbsd --- .github/workflows/NetBSD.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index a5565d09..4574bef5 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -20,7 +20,6 @@ concurrency: - jobs: NetBSD: strategy: @@ -44,6 +43,7 @@ jobs: CA: ${{ matrix.CA }} CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v4 - uses: vmactions/cf-tunnel@v0 @@ -57,7 +57,7 @@ jobs: run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v1 with: - envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" prepare: | From 7ec692cdefb3ef3775c3a12e3fe46e147a89c75b Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 3 Feb 2024 23:59:48 +0800 Subject: [PATCH 268/276] fix socat for netbsd: listens to ipv4 by default. --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index aa41a1d9..270a0531 100755 --- a/acme.sh +++ b/acme.sh @@ -2499,10 +2499,10 @@ _startserver() { _debug Le_Listen_V6 "$Le_Listen_V6" _NC="socat" - if [ "$Le_Listen_V4" ]; then - _NC="$_NC -4" - elif [ "$Le_Listen_V6" ]; then + if [ "$Le_Listen_V6" ]; then _NC="$_NC -6" + else + _NC="$_NC -4" fi if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then From 802121d54a28b2a5636878331e494abb76e6ea1a Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 11:42:28 +0800 Subject: [PATCH 269/276] show dns message on any branch --- .github/workflows/pr_dns.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr_dns.yml b/.github/workflows/pr_dns.yml index b627d3ab..645597e8 100644 --- a/.github/workflows/pr_dns.yml +++ b/.github/workflows/pr_dns.yml @@ -4,8 +4,6 @@ on: pull_request_target: types: - opened - branches: - - 'dev' paths: - 'dnsapi/*.sh' From 99e5c159a7d0fe4cd22ee5fdff2de04f95d67017 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 12:17:03 +0800 Subject: [PATCH 270/276] check socat "Permission denied" --- acme.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 270a0531..4a3b53a2 100755 --- a/acme.sh +++ b/acme.sh @@ -2519,12 +2519,21 @@ _startserver() { _content_len="$(printf "%s" "$content" | wc -c)" _debug _content_len "$_content_len" _debug "_NC" "$_NC $SOCAT_OPTIONS" + _socaterr="$(_mktemp)" $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ echo 'HTTP/1.0 200 OK'; \ echo 'Content-Length\: $_content_len'; \ echo ''; \ -printf '%s' '$content';" & +printf '%s' '$content';" 2>"$_socaterr" & serverproc="$!" + if [ -f "$_socaterr" ]; Then + if grep "Permission denied" "$_socaterr" >/dev/null; Then + _err "socat: $(cat $_socaterr)" + _err "Can not listen for user: $(whoami)" + _err "Maybe try with root again?" + return 1 + fi + fi } _stopserver() { From 0084cb7403f6310e005d99ec70443a7190aca8fb Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 12:18:58 +0800 Subject: [PATCH 271/276] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 4a3b53a2..53ff9563 100755 --- a/acme.sh +++ b/acme.sh @@ -2527,7 +2527,7 @@ echo ''; \ printf '%s' '$content';" 2>"$_socaterr" & serverproc="$!" if [ -f "$_socaterr" ]; Then - if grep "Permission denied" "$_socaterr" >/dev/null; Then + if grep "Permission denied" "$_socaterr" >/dev/null; then _err "socat: $(cat $_socaterr)" _err "Can not listen for user: $(whoami)" _err "Maybe try with root again?" From 37e4f35c936621db5cab970ad77b638126458dea Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 12:21:50 +0800 Subject: [PATCH 272/276] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 53ff9563..36bcbce2 100755 --- a/acme.sh +++ b/acme.sh @@ -2526,7 +2526,7 @@ echo 'Content-Length\: $_content_len'; \ echo ''; \ printf '%s' '$content';" 2>"$_socaterr" & serverproc="$!" - if [ -f "$_socaterr" ]; Then + if [ -f "$_socaterr" ]; then if grep "Permission denied" "$_socaterr" >/dev/null; then _err "socat: $(cat $_socaterr)" _err "Can not listen for user: $(whoami)" From bd6bbba9487d3cf0803e361b2f81307da9c5193a Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 12:27:06 +0800 Subject: [PATCH 273/276] remove socaterr temp file --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index 36bcbce2..320e22af 100755 --- a/acme.sh +++ b/acme.sh @@ -2531,6 +2531,7 @@ printf '%s' '$content';" 2>"$_socaterr" & _err "socat: $(cat $_socaterr)" _err "Can not listen for user: $(whoami)" _err "Maybe try with root again?" + rm -f "$_socaterr" return 1 fi fi From e04093efe2fd9418277260328e211d0cd2df8316 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 12:31:34 +0800 Subject: [PATCH 274/276] remove socket err temp file --- acme.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/acme.sh b/acme.sh index 320e22af..38ccaade 100755 --- a/acme.sh +++ b/acme.sh @@ -2519,19 +2519,19 @@ _startserver() { _content_len="$(printf "%s" "$content" | wc -c)" _debug _content_len "$_content_len" _debug "_NC" "$_NC $SOCAT_OPTIONS" - _socaterr="$(_mktemp)" + export _SOCAT_ERR="$(_mktemp)" $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ echo 'HTTP/1.0 200 OK'; \ echo 'Content-Length\: $_content_len'; \ echo ''; \ -printf '%s' '$content';" 2>"$_socaterr" & +printf '%s' '$content';" 2>"$_SOCAT_ERR" & serverproc="$!" - if [ -f "$_socaterr" ]; then - if grep "Permission denied" "$_socaterr" >/dev/null; then - _err "socat: $(cat $_socaterr)" + if [ -f "$_SOCAT_ERR" ]; then + if grep "Permission denied" "$_SOCAT_ERR" >/dev/null; then + _err "socat: $(cat $_SOCAT_ERR)" _err "Can not listen for user: $(whoami)" _err "Maybe try with root again?" - rm -f "$_socaterr" + rm -f "$_SOCAT_ERR" return 1 fi fi @@ -2541,10 +2541,12 @@ _stopserver() { pid="$1" _debug "pid" "$pid" if [ -z "$pid" ]; then + rm -f "$_SOCAT_ERR" return fi kill $pid + rm -f "$_SOCAT_ERR" } From d76272f0ea102a67563b8728df56b7d8a0d18eb1 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Feb 2024 12:35:07 +0800 Subject: [PATCH 275/276] fix message --- .github/workflows/pr_dns.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr_dns.yml b/.github/workflows/pr_dns.yml index 645597e8..4d7a325d 100644 --- a/.github/workflows/pr_dns.yml +++ b/.github/workflows/pr_dns.yml @@ -20,6 +20,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, body: `**Welcome** + First thing: don't send PR to the master branch, please send to the dev branch instead. Please make sure you've read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test). Then reply on this message, otherwise, your code will not be reviewed or merged. We look forward to reviewing your Pull request shortly ✨ From 10b4bb598a48613eaadebecd05a9cffc6e1f2e36 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 12 Feb 2024 13:16:08 +0800 Subject: [PATCH 276/276] fix https://github.com/acmesh-official/acme.sh/issues/4995#issuecomment-1937486243 --- acme.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 38ccaade..9c5b1481 100755 --- a/acme.sh +++ b/acme.sh @@ -3195,7 +3195,8 @@ _setNginx() { return 1 fi _info "Check the nginx conf before setting up." - if ! nginx -t >/dev/null; then + if ! nginx -t >/dev/null 2>&1; then + _err "It seems that nginx conf is not correct, cannot continue." return 1 fi @@ -3222,14 +3223,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" { fi _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)" _info "nginx conf is done, let's check it again." - if ! nginx -t >/dev/null; then + if ! nginx -t >/dev/null 2>&1; then _err "It seems that nginx conf was broken, let's restore." cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" return 1 fi _info "Reload nginx" - if ! nginx -s reload >/dev/null; then + if ! nginx -s reload >/dev/null 2>&1; then _err "It seems that nginx reload error, let's restore." cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" return 1