@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
VER = 3.0.5
VER = 3.0.8
PROJECT_NAME = "acme.sh" PROJECT_NAME = "acme.sh"
@ -53,8 +53,8 @@ CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$
DEFAULT_USER_AGENT = " $PROJECT_NAME / $VER ( $PROJECT ) " DEFAULT_USER_AGENT = " $PROJECT_NAME / $VER ( $PROJECT ) "
DEFAULT_ACCOUNT_KEY_LENGTH = 2048
DEFAULT_DOMAIN_KEY_LENGTH = 2048
DEFAULT_ACCOUNT_KEY_LENGTH = ec-256
DEFAULT_DOMAIN_KEY_LENGTH = ec-256
DEFAULT_OPENSSL_BIN = "openssl" DEFAULT_OPENSSL_BIN = "openssl"
@ -102,12 +102,12 @@ ECC_SUFFIX="${ECC_SEP}ecc"
LOG_LEVEL_1 = 1 LOG_LEVEL_1 = 1
LOG_LEVEL_2 = 2 LOG_LEVEL_2 = 2
LOG_LEVEL_3 = 3 LOG_LEVEL_3 = 3
DEFAULT_LOG_LEVEL = " $LOG_LEVEL_1 "
DEFAULT_LOG_LEVEL = " $LOG_LEVEL_2 "
DEBUG_LEVEL_1 = 1 DEBUG_LEVEL_1 = 1
DEBUG_LEVEL_2 = 2 DEBUG_LEVEL_2 = 2
DEBUG_LEVEL_3 = 3 DEBUG_LEVEL_3 = 3
DEBUG_LEVEL_DEFAULT = $DEBUG_LEVEL_1
DEBUG_LEVEL_DEFAULT = $DEBUG_LEVEL_2
DEBUG_LEVEL_NONE = 0 DEBUG_LEVEL_NONE = 0
DOH_CLOUDFLARE = 1 DOH_CLOUDFLARE = 1
@ -923,8 +923,16 @@ _sed_i() {
fi fi
} }
if [ " $( echo abc | egrep -o b 2>/dev/null) " = "b" ] ; then
__USE_EGREP = 1
else
__USE_EGREP = ""
fi
_egrep_o( ) { _egrep_o( ) {
if ! egrep -o " $1 " 2>/dev/null; then
if [ " $__USE_EGREP " ] ; then
egrep -o -- " $1 " 2>/dev/null
else
sed -n 's/.*\(' " $1 " '\).*/\1/p' sed -n 's/.*\(' " $1 " '\).*/\1/p'
fi fi
} }
@ -1553,7 +1561,7 @@ createDomainKey() {
createCSR( ) { createCSR( ) {
_info "Creating csr" _info "Creating csr"
if [ -z " $1 " ] ; then if [ -z " $1 " ] ; then
_usage " Usage: $PROJECT_ENTRY --create-csr --domain <domain.tld> [--domain <domain2.tld> ...] "
_usage " Usage: $PROJECT_ENTRY --create-csr --domain <domain.tld> [--domain <domain2.tld> ...] [--ecc] "
return return
fi fi
@ -1637,7 +1645,7 @@ _stat() {
#keyfile #keyfile
_isRSA( ) { _isRSA( ) {
keyfile = $1 keyfile = $1
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1 || ${ ACME_OPENSSL_BIN :- openssl } rsa -in " $keyfile " -noout -text | grep "^publicExponent:" >/dev/null 2>& 1; then
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1 || ${ ACME_OPENSSL_BIN :- openssl } rsa -in " $keyfile " -noout -text 2>& 1 | grep "^publicExponent:" 2>& 1 >/dev/null ; then
return 0 return 0
fi fi
return 1 return 1
@ -1646,7 +1654,7 @@ _isRSA() {
#keyfile #keyfile
_isEcc( ) { _isEcc( ) {
keyfile = $1 keyfile = $1
if grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1 || ${ ACME_OPENSSL_BIN :- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | grep "^NIST CURVE:" >/dev/null 2>& 1; then
if grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1 || ${ ACME_OPENSSL_BIN :- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | grep "^NIST CURVE:" 2>& 1 >/dev/null ; then
return 0 return 0
fi fi
return 1 return 1
@ -1744,7 +1752,7 @@ _calcjwk() {
_debug3 x64 " $x64 " _debug3 x64 " $x64 "
xend = $( _math " $xend " + 1) xend = $( _math " $xend " + 1)
y = " $( printf "%s" " $pubtext " | cut -d : -f " $xend " -10000 ) "
y = " $( printf "%s" " $pubtext " | cut -d : -f " $xend " -2048 ) "
_debug3 y " $y " _debug3 y " $y "
y64 = " $( printf "%s" " $y " | tr -d : | _h2b | _base64 | _url_replace) " y64 = " $( printf "%s" " $y " | tr -d : | _h2b | _base64 | _url_replace) "
@ -1787,6 +1795,10 @@ _date2time() {
if date -u -j -f "%Y-%m-%d %H:%M:%S" " $( echo " $1 " | tr -d "Z" | tr "T" ' ' ) " +"%s" 2>/dev/null; then if date -u -j -f "%Y-%m-%d %H:%M:%S" " $( echo " $1 " | tr -d "Z" | tr "T" ' ' ) " +"%s" 2>/dev/null; then
return return
fi fi
#Omnios
if da = " $( echo " $1 " | tr -d "Z" | tr "T" ' ' ) " perl -MTime::Piece -e 'print Time::Piece->strptime($ENV{da}, "%Y-%m-%d %H:%M:%S")->epoch, "\n";' 2>/dev/null; then
return
fi
_err " Can not parse _date2time $1 " _err " Can not parse _date2time $1 "
return 1 return 1
} }
@ -1852,9 +1864,15 @@ _inithttp() {
_ACME_CURL = " $_ACME_CURL --cacert $CA_BUNDLE " _ACME_CURL = " $_ACME_CURL --cacert $CA_BUNDLE "
fi fi
if _contains " $( curl --help 2>& 1) " "--globoff" ; then
if _contains " $( curl --help 2>& 1) " "--globoff" || _contains " $( curl --help curl 2>& 1) " "--globoff" ; then
_ACME_CURL = " $_ACME_CURL -g " _ACME_CURL = " $_ACME_CURL -g "
fi fi
#don't use --fail-with-body
##from curl 7.76: return fail on HTTP errors but keep the body
#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then
# _ACME_CURL="$_ACME_CURL --fail-with-body "
#fi
fi fi
if [ -z " $_ACME_WGET " ] && _exists "wget" ; then if [ -z " $_ACME_WGET " ] && _exists "wget" ; then
@ -1872,11 +1890,11 @@ _inithttp() {
elif [ " $CA_BUNDLE " ] ; then elif [ " $CA_BUNDLE " ] ; then
_ACME_WGET = " $_ACME_WGET --ca-certificate= $CA_BUNDLE " _ACME_WGET = " $_ACME_WGET --ca-certificate= $CA_BUNDLE "
fi fi
fi
#from wget 1.14: do not skip body on 404 error
if [ " $_ACME_WGET " ] && _contains " $( $_ACME_WGET --help 2>& 1) " "--content-on-error" ; then
_ACME_WGET = " $_ACME_WGET --content-on-error "
#from wget 1.14: do not skip body on 404 error
if _contains " $( wget --help 2>& 1) " "--content-on-error" ; then
_ACME_WGET = " $_ACME_WGET --content-on-error "
fi
fi fi
__HTTP_INITIALIZED = 1 __HTTP_INITIALIZED = 1
@ -2058,7 +2076,7 @@ _get() {
fi fi
_debug "_WGET" " $_WGET " _debug "_WGET" " $_WGET "
if [ " $onlyheader " ] ; then if [ " $onlyheader " ] ; then
_wget_out = " $( $_WGET --user-agent= " $USER_AGENT " --header " $_H5 " --header " $_H4 " --header " $_H3 " --header " $_H2 " --header " $_H1 " -S -O /dev/null " $url " 2>& 1) "
_wget_out = " $( $_WGET --user-agent= " $USER_AGENT " --header " $_H5 " --header " $_H4 " --header " $_H3 " --header " $_H2 " --header " $_H1 " -S -O /dev/null " $url " 2>& 1) "
if _contains " $_WGET " " -d " ; then if _contains " $_WGET " " -d " ; then
# Demultiplex wget debug output # Demultiplex wget debug output
echo " $_wget_out " >& 2 echo " $_wget_out " >& 2
@ -2095,12 +2113,18 @@ _head_n() {
} }
_tail_n( ) { _tail_n( ) {
if ! tail -n " $1 " 2>/dev/null ; then
if _is_solaris ; then
#fix for solaris #fix for solaris
tail -" $1 " tail -" $1 "
else
tail -n " $1 "
fi fi
} }
_tail_c( ) {
tail -c " $1 " 2>/dev/null || tail -" $1 " c
}
# url payload needbase64 keyfile # url payload needbase64 keyfile
_send_signed_request( ) { _send_signed_request( ) {
url = $1 url = $1
@ -2110,6 +2134,7 @@ _send_signed_request() {
if [ -z " $keyfile " ] ; then if [ -z " $keyfile " ] ; then
keyfile = " $ACCOUNT_KEY_PATH " keyfile = " $ACCOUNT_KEY_PATH "
fi fi
_debug "=======Begin Send Signed Request======="
_debug url " $url " _debug url " $url "
_debug payload " $payload " _debug payload " $payload "
@ -2223,6 +2248,20 @@ _send_signed_request() {
_debug3 _body " $_body " _debug3 _body " $_body "
fi fi
_retryafter = $( echo " $responseHeaders " | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r' )
if [ " $code " = '503' ] ; then
_sleep_overload_retry_sec = $_retryafter
if [ -z " $_sleep_overload_retry_sec " ] ; then
_sleep_overload_retry_sec = 5
fi
if [ $_sleep_overload_retry_sec -le 600 ] ; then
_info " It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds. "
_sleep $_sleep_overload_retry_sec
continue
else
_info " The retryafter= $_retryafter is too large > 600, not retry anymore. "
fi
fi
if _contains " $_body " "JWS has invalid anti-replay nonce" || _contains " $_body " "JWS has an invalid anti-replay nonce" ; then if _contains " $_body " "JWS has invalid anti-replay nonce" || _contains " $_body " "JWS has an invalid anti-replay nonce" ; then
_info " It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds. " _info " It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds. "
_CACHED_NONCE = "" _CACHED_NONCE = ""
@ -2257,12 +2296,18 @@ _setopt() {
if [ ! -f " $__conf " ] ; then if [ ! -f " $__conf " ] ; then
touch " $__conf " touch " $__conf "
fi fi
if [ -n " $( _tail_c 1 <" $__conf " ) " ] ; then
echo >>" $__conf "
fi
if grep -n " ^ $__opt $__sep " " $__conf " >/dev/null; then if grep -n " ^ $__opt $__sep " " $__conf " >/dev/null; then
_debug3 OK _debug3 OK
if _contains " $__val " "&" ; then if _contains " $__val " "&" ; then
__val = " $( echo " $__val " | sed 's/&/\\&/g' ) " __val = " $( echo " $__val " | sed 's/&/\\&/g' ) "
fi fi
if _contains " $__val " "|" ; then
__val = " $( echo " $__val " | sed 's/|/\\|/g' ) "
fi
text = " $( cat " $__conf " ) " text = " $( cat " $__conf " ) "
printf -- "%s\n" " $text " | sed " s|^ $__opt $__sep .* $| $__opt $__sep $__val $__end | " >" $__conf " printf -- "%s\n" " $text " | sed " s|^ $__opt $__sep .* $| $__opt $__sep $__val $__end | " >" $__conf "
@ -2270,6 +2315,9 @@ _setopt() {
if _contains " $__val " "&" ; then if _contains " $__val " "&" ; then
__val = " $( echo " $__val " | sed 's/&/\\&/g' ) " __val = " $( echo " $__val " | sed 's/&/\\&/g' ) "
fi fi
if _contains " $__val " "|" ; then
__val = " $( echo " $__val " | sed 's/|/\\|/g' ) "
fi
text = " $( cat " $__conf " ) " text = " $( cat " $__conf " ) "
printf -- "%s\n" " $text " | sed " s|^# $__opt $__sep .* $| $__opt $__sep $__val $__end | " >" $__conf " printf -- "%s\n" " $text " | sed " s|^# $__opt $__sep .* $| $__opt $__sep $__val $__end | " >" $__conf "
@ -2343,6 +2391,26 @@ _readdomainconf() {
_read_conf " $DOMAIN_CONF " " $1 " _read_conf " $DOMAIN_CONF " " $1 "
} }
#_migratedomainconf oldkey newkey base64encode
_migratedomainconf( ) {
_old_key = " $1 "
_new_key = " $2 "
_b64encode = " $3 "
_value = $( _readdomainconf " $_old_key " )
if [ -z " $_value " ] ; then
return 1 # oldkey is not found
fi
_savedomainconf " $_new_key " " $_value " " $_b64encode "
_cleardomainconf " $_old_key "
_debug " Domain config $_old_key has been migrated to $_new_key "
}
#_migratedeployconf oldkey newkey base64encode
_migratedeployconf( ) {
_migratedomainconf " $1 " " SAVED_ $2 " " $3 " ||
_migratedomainconf " SAVED_ $1 " " SAVED_ $2 " " $3 " # try only when oldkey itself is not found
}
#key value base64encode #key value base64encode
_savedeployconf( ) { _savedeployconf( ) {
_savedomainconf " SAVED_ $1 " " $2 " " $3 " _savedomainconf " SAVED_ $1 " " $2 " " $3 "
@ -2357,12 +2425,14 @@ _getdeployconf() {
if [ " $_rac_value " ] ; then if [ " $_rac_value " ] ; then
if _startswith " $_rac_value " '"' && _endswith " $_rac_value " '"' ; then if _startswith " $_rac_value " '"' && _endswith " $_rac_value " '"' ; then
_debug2 "trim quotation marks" _debug2 "trim quotation marks"
eval " export $_rac_key = $_rac_value "
eval $_rac_key = $_rac_value
export $_rac_key
fi fi
return 0 # do nothing return 0 # do nothing
fi fi
_saved = $( _readdomainconf " SAVED_ $_rac_key " )
eval " export $_rac_key =\"\$_saved\" "
_saved = " $( _readdomainconf " SAVED_ $_rac_key " ) "
eval $_rac_key = \$ _saved
export $_rac_key
} }
#_saveaccountconf key value base64encode #_saveaccountconf key value base64encode
@ -2429,10 +2499,10 @@ _startserver() {
_debug Le_Listen_V6 " $Le_Listen_V6 " _debug Le_Listen_V6 " $Le_Listen_V6 "
_NC = "socat" _NC = "socat"
if [ " $Le_Listen_V4 " ] ; then
_NC = " $_NC -4 "
elif [ " $Le_Listen_V6 " ] ; then
if [ " $Le_Listen_V6 " ] ; then
_NC = " $_NC -6 " _NC = " $_NC -6 "
else
_NC = " $_NC -4 "
fi fi
if [ " $DEBUG " ] && [ " $DEBUG " -gt "1" ] ; then if [ " $DEBUG " ] && [ " $DEBUG " -gt "1" ] ; then
@ -2449,22 +2519,34 @@ _startserver() {
_content_len = " $( printf "%s" " $content " | wc -c) " _content_len = " $( printf "%s" " $content " | wc -c) "
_debug _content_len " $_content_len " _debug _content_len " $_content_len "
_debug "_NC" " $_NC $SOCAT_OPTIONS " _debug "_NC" " $_NC $SOCAT_OPTIONS "
export _SOCAT_ERR = " $( _mktemp) "
$_NC $SOCAT_OPTIONS SYSTEM:" sleep 1; \ $_NC $SOCAT_OPTIONS SYSTEM:" sleep 1; \
echo 'HTTP/1.0 200 OK' ; \ echo 'HTTP/1.0 200 OK' ; \
echo 'Content-Length\: $_content_len' ; \ echo 'Content-Length\: $_content_len' ; \
echo '' ; \ echo '' ; \
printf '%s' '$content' ; " &
printf '%s' '$content' ; " 2>" $_SOCAT_ERR " &
serverproc = " $! " serverproc = " $! "
if [ -f " $_SOCAT_ERR " ] ; then
if grep "Permission denied" " $_SOCAT_ERR " >/dev/null; then
_err " socat: $( cat $_SOCAT_ERR ) "
_err " Can not listen for user: $( whoami) "
_err "Maybe try with root again?"
rm -f " $_SOCAT_ERR "
return 1
fi
fi
} }
_stopserver( ) { _stopserver( ) {
pid = " $1 " pid = " $1 "
_debug "pid" " $pid " _debug "pid" " $pid "
if [ -z " $pid " ] ; then if [ -z " $pid " ] ; then
rm -f " $_SOCAT_ERR "
return return
fi fi
kill $pid kill $pid
rm -f " $_SOCAT_ERR "
} }
@ -2826,12 +2908,14 @@ _initpath() {
if _isEccKey " $_ilength " ; then if _isEccKey " $_ilength " ; then
DOMAIN_PATH = " $domainhomeecc " DOMAIN_PATH = " $domainhomeecc "
els e
elif [ -z " $__SELECTED_RSA_KEY " ] ; th en
if [ ! -d " $domainhome " ] && [ -d " $domainhomeecc " ] ; then if [ ! -d " $domainhome " ] && [ -d " $domainhomeecc " ] ; then
_info " The domain ' $domain ' seems to have a ECC cert already, please add ' $( __red "--ecc" ) ' parameter if you want to use that cert. "
_info " The domain ' $domain ' seems to have a ECC cert already, lets use ecc cert. "
DOMAIN_PATH = " $domainhomeecc "
fi fi
fi fi
_debug DOMAIN_PATH " $DOMAIN_PATH " _debug DOMAIN_PATH " $DOMAIN_PATH "
export DOMAIN_PATH
fi fi
if [ -z " $DOMAIN_BACKUP_PATH " ] ; then if [ -z " $DOMAIN_BACKUP_PATH " ] ; then
@ -2883,22 +2967,6 @@ _initpath() {
} }
_exec( ) {
if [ -z " $_EXEC_TEMP_ERR " ] ; then
_EXEC_TEMP_ERR = " $( _mktemp) "
fi
if [ " $_EXEC_TEMP_ERR " ] ; then
eval " $@ 2>> $_EXEC_TEMP_ERR "
else
eval " $@ "
fi
}
_exec_err( ) {
[ " $_EXEC_TEMP_ERR " ] && _err " $( cat " $_EXEC_TEMP_ERR " ) " && echo "" >" $_EXEC_TEMP_ERR "
}
_apachePath( ) { _apachePath( ) {
_APACHECTL = "apachectl" _APACHECTL = "apachectl"
if ! _exists apachectl; then if ! _exists apachectl; then
@ -2911,8 +2979,7 @@ _apachePath() {
fi fi
fi fi
if ! _exec $_APACHECTL -V >/dev/null; then
_exec_err
if ! $_APACHECTL -V >/dev/null; then
return 1 return 1
fi fi
@ -2964,8 +3031,7 @@ _restoreApache() {
cat " $APACHE_CONF_BACKUP_DIR / $httpdconfname " >" $httpdconf " cat " $APACHE_CONF_BACKUP_DIR / $httpdconfname " >" $httpdconf "
_debug " Restored: $httpdconf . " _debug " Restored: $httpdconf . "
if ! _exec $_APACHECTL -t; then
_exec_err
if ! $_APACHECTL -t; then
_err "Sorry, restore apache config error, please contact me." _err "Sorry, restore apache config error, please contact me."
return 1 return 1
fi fi
@ -2983,8 +3049,7 @@ _setApache() {
#test the conf first #test the conf first
_info "Checking if there is an error in the apache config file before starting." _info "Checking if there is an error in the apache config file before starting."
if ! _exec " $_APACHECTL " -t >/dev/null; then
_exec_err
if ! $_APACHECTL -t >/dev/null; then
_err "The apache config file has error, please fix it first, then try again." _err "The apache config file has error, please fix it first, then try again."
_err "Don't worry, there is nothing changed to your system." _err "Don't worry, there is nothing changed to your system."
return 1 return 1
@ -3045,8 +3110,7 @@ Allow from all
chmod 755 " $ACME_DIR " chmod 755 " $ACME_DIR "
fi fi
if ! _exec " $_APACHECTL " graceful; then
_exec_err
if ! $_APACHECTL graceful; then
_err " $_APACHECTL graceful error, please contact me. " _err " $_APACHECTL graceful error, please contact me. "
_restoreApache _restoreApache
return 1 return 1
@ -3077,7 +3141,7 @@ _setNginx() {
_err "nginx command is not found." _err "nginx command is not found."
return 1 return 1
fi fi
NGINX_CONF = " $( nginx -V 2>& 1 | _egrep_o "--conf-path=[^ ]* " | tr -d " " ) "
NGINX_CONF = " $( nginx -V 2>& 1 | _egrep_o "\ -\ -conf-path=[^ ]* " | tr -d " " ) "
_debug NGINX_CONF " $NGINX_CONF " _debug NGINX_CONF " $NGINX_CONF "
NGINX_CONF = " $( echo " $NGINX_CONF " | cut -d = -f 2) " NGINX_CONF = " $( echo " $NGINX_CONF " | cut -d = -f 2) "
_debug NGINX_CONF " $NGINX_CONF " _debug NGINX_CONF " $NGINX_CONF "
@ -3131,8 +3195,8 @@ _setNginx() {
return 1 return 1
fi fi
_info "Check the nginx conf before setting up." _info "Check the nginx conf before setting up."
if ! _exec "nginx -t" >/dev/null ; then
_exec_err
if ! nginx -t >/dev/null 2>& 1 ; then
_err "It seems that nginx conf is not correct, cannot continue."
return 1 return 1
fi fi
@ -3159,16 +3223,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
fi fi
_debug3 " Modified config: $( cat $FOUND_REAL_NGINX_CONF ) " _debug3 " Modified config: $( cat $FOUND_REAL_NGINX_CONF ) "
_info "nginx conf is done, let's check it again." _info "nginx conf is done, let's check it again."
if ! _exec "nginx -t" >/dev/null; then
_exec_err
if ! nginx -t >/dev/null 2>& 1; then
_err "It seems that nginx conf was broken, let's restore." _err "It seems that nginx conf was broken, let's restore."
cat " $_backup_conf " >" $FOUND_REAL_NGINX_CONF " cat " $_backup_conf " >" $FOUND_REAL_NGINX_CONF "
return 1 return 1
fi fi
_info "Reload nginx" _info "Reload nginx"
if ! _exec "nginx -s reload" >/dev/null; then
_exec_err
if ! nginx -s reload >/dev/null 2>& 1; then
_err "It seems that nginx reload error, let's restore." _err "It seems that nginx reload error, let's restore."
cat " $_backup_conf " >" $FOUND_REAL_NGINX_CONF " cat " $_backup_conf " >" $FOUND_REAL_NGINX_CONF "
return 1 return 1
@ -3293,8 +3355,7 @@ _restoreNginx() {
done done
_info "Reload nginx" _info "Reload nginx"
if ! _exec "nginx -s reload" >/dev/null; then
_exec_err
if ! nginx -s reload >/dev/null; then
_err "It seems that nginx reload error, please report bug." _err "It seems that nginx reload error, please report bug."
return 1 return 1
fi fi
@ -3986,7 +4047,7 @@ _ns_purge_cf() {
#checks if cf server is available #checks if cf server is available
_ns_is_available_cf( ) { _ns_is_available_cf( ) {
if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>& 1 ; then
if _get "https://cloudflare-dns.com" "" 10 >/dev/null; then
return 0 return 0
else else
return 1 return 1
@ -3994,7 +4055,7 @@ _ns_is_available_cf() {
} }
_ns_is_available_google( ) { _ns_is_available_google( ) {
if _get "https://dns.google" "" 1 >/dev/null 2>& 1 ; then
if _get "https://dns.google" "" 10 >/dev/null; then
return 0 return 0
else else
return 1 return 1
@ -4010,7 +4071,7 @@ _ns_lookup_google() {
} }
_ns_is_available_ali( ) { _ns_is_available_ali( ) {
if _get "https://dns.alidns.com" "" 1 >/dev/null 2>& 1 ; then
if _get "https://dns.alidns.com" "" 10 >/dev/null; then
return 0 return 0
else else
return 1 return 1
@ -4026,7 +4087,7 @@ _ns_lookup_ali() {
} }
_ns_is_available_dp( ) { _ns_is_available_dp( ) {
if _get "https://doh.pub" "" 1 >/dev/null 2>& 1 ; then
if _get "https://doh.pub" "" 10 >/dev/null; then
return 0 return 0
else else
return 1 return 1
@ -4041,8 +4102,7 @@ _ns_lookup_dp() {
_ns_lookup_impl " $_cf_ep " " $_cf_ld " " $_cf_ld_type " _ns_lookup_impl " $_cf_ep " " $_cf_ld " " $_cf_ld_type "
} }
#domain, type
_ns_lookup( ) {
_ns_select_doh( ) {
if [ -z " $DOH_USE " ] ; then if [ -z " $DOH_USE " ] ; then
_debug "Detect dns server first." _debug "Detect dns server first."
if _ns_is_available_cf; then if _ns_is_available_cf; then
@ -4061,7 +4121,11 @@ _ns_lookup() {
_err "No doh" _err "No doh"
fi fi
fi fi
}
#domain, type
_ns_lookup( ) {
_ns_select_doh
if [ " $DOH_USE " = " $DOH_CLOUDFLARE " ] || [ -z " $DOH_USE " ] ; then if [ " $DOH_USE " = " $DOH_CLOUDFLARE " ] || [ -z " $DOH_USE " ] ; then
_ns_lookup_cf " $@ " _ns_lookup_cf " $@ "
elif [ " $DOH_USE " = " $DOH_GOOGLE " ] ; then elif [ " $DOH_USE " = " $DOH_GOOGLE " ] ; then
@ -4084,6 +4148,7 @@ __check_txt() {
_debug "_c_txtdomain" " $_c_txtdomain " _debug "_c_txtdomain" " $_c_txtdomain "
_debug "_c_aliasdomain" " $_c_aliasdomain " _debug "_c_aliasdomain" " $_c_aliasdomain "
_debug "_c_txt" " $_c_txt " _debug "_c_txt" " $_c_txt "
_ns_select_doh
_answers = " $( _ns_lookup " $_c_aliasdomain " TXT) " _answers = " $( _ns_lookup " $_c_aliasdomain " TXT) "
_contains " $_answers " " $_c_txt " _contains " $_answers " " $_c_txt "
@ -4414,6 +4479,7 @@ issue() {
_debug "_saved_account_key_hash is not changed, skip register account." _debug "_saved_account_key_hash is not changed, skip register account."
fi fi
export Le_Next_Domain_Key = " $CERT_KEY_PATH .next "
if [ -f " $CSR_PATH " ] && [ ! -f " $CERT_KEY_PATH " ] ; then if [ -f " $CSR_PATH " ] && [ ! -f " $CERT_KEY_PATH " ] ; then
_info "Signing from existing CSR." _info "Signing from existing CSR."
else else
@ -4426,14 +4492,30 @@ issue() {
fi fi
_debug " Read key length: $_key " _debug " Read key length: $_key "
if [ ! -f " $CERT_KEY_PATH " ] || [ " $_key_length " != " $_key " ] || [ " $Le_ForceNewDomainKey " = "1" ] ; then if [ ! -f " $CERT_KEY_PATH " ] || [ " $_key_length " != " $_key " ] || [ " $Le_ForceNewDomainKey " = "1" ] ; then
if ! createDomainKey " $_main_domain " " $_key_length " ; then
_err "Create domain key error."
_clearup
_on_issue_err " $_post_hook "
if [ " $Le_ForceNewDomainKey " = "1" ] && [ -f " $Le_Next_Domain_Key " ] ; then
_info " Using pre generated key: $Le_Next_Domain_Key "
cat " $Le_Next_Domain_Key " >" $CERT_KEY_PATH "
echo "" >" $Le_Next_Domain_Key "
else
if ! createDomainKey " $_main_domain " " $_key_length " ; then
_err "Create domain key error."
_clearup
_on_issue_err " $_post_hook "
return 1
fi
fi
fi
if [ " $Le_ForceNewDomainKey " ] ; then
_info "Generate next pre-generate key."
if [ ! -e " $Le_Next_Domain_Key " ] ; then
touch " $Le_Next_Domain_Key "
chmod 600 " $Le_Next_Domain_Key "
fi
if ! _createkey " $_key_length " " $Le_Next_Domain_Key " ; then
_err "Can not pre generate domain key"
return 1 return 1
fi fi
fi fi
if ! _createcsr " $_main_domain " " $_alt_domains " " $CERT_KEY_PATH " " $CSR_PATH " " $DOMAIN_SSL_CONF " ; then if ! _createcsr " $_main_domain " " $_alt_domains " " $CERT_KEY_PATH " " $CSR_PATH " " $DOMAIN_SSL_CONF " ; then
_err "Create CSR error." _err "Create CSR error."
_clearup _clearup
@ -4446,7 +4528,7 @@ issue() {
vlist = " $Le_Vlist " vlist = " $Le_Vlist "
_cleardomainconf "Le_Vlist" _cleardomainconf "Le_Vlist"
_info "Getting domain auth token for each domain"
_debug "Getting domain auth token for each domain"
sep = '#' sep = '#'
dvsep = ',' dvsep = ','
if [ -z " $vlist " ] ; then if [ -z " $vlist " ] ; then
@ -4502,12 +4584,22 @@ issue() {
if [ " $_notAfter " ] ; then if [ " $_notAfter " ] ; then
_newOrderObj = " $_newOrderObj ,\"notAfter\": \" $_notAfter \" " _newOrderObj = " $_newOrderObj ,\"notAfter\": \" $_notAfter \" "
fi fi
_debug "STEP 1, Ordering a Certificate"
if ! _send_signed_request " $ACME_NEW_ORDER " " $_newOrderObj } " ; then if ! _send_signed_request " $ACME_NEW_ORDER " " $_newOrderObj } " ; then
_err "Create new order error." _err "Create new order error."
_clearup _clearup
_on_issue_err " $_post_hook " _on_issue_err " $_post_hook "
return 1 return 1
fi fi
if _contains " $response " "invalid" ; then
if echo " $response " | _normalizeJson | grep '"status":"invalid"' >/dev/null 2>& 1; then
_err "Create new order with invalid status."
_err " $response "
_clearup
_on_issue_err " $_post_hook "
return 1
fi
fi
Le_LinkOrder = " $( echo " $responseHeaders " | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-) " Le_LinkOrder = " $( echo " $responseHeaders " | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-) "
_debug Le_LinkOrder " $Le_LinkOrder " _debug Le_LinkOrder " $Le_LinkOrder "
@ -4532,6 +4624,7 @@ issue() {
return 1 return 1
fi fi
_debug "STEP 2, Get the authorizations of each domain"
#domain and authz map #domain and authz map
_authorizations_map = "" _authorizations_map = ""
for _authz_url in $( echo " $_authorizations_seg " | tr ',' ' ' ) ; do for _authz_url in $( echo " $_authorizations_seg " | tr ',' ' ' ) ; do
@ -4540,6 +4633,7 @@ issue() {
_err "get to authz error." _err "get to authz error."
_err "_authorizations_seg" " $_authorizations_seg " _err "_authorizations_seg" " $_authorizations_seg "
_err "_authz_url" " $_authz_url " _err "_authz_url" " $_authz_url "
_err " $response "
_clearup _clearup
_on_issue_err " $_post_hook " _on_issue_err " $_post_hook "
return 1 return 1
@ -4547,14 +4641,23 @@ issue() {
response = " $( echo " $response " | _normalizeJson) " response = " $( echo " $response " | _normalizeJson) "
_debug2 response " $response " _debug2 response " $response "
if echo " $response " | grep '"status":"invalid"' >/dev/null 2>& 1; then
_err "get authz objec with invalid status, please try again later."
_err "_authorizations_seg" " $_authorizations_seg "
_err " $response "
_clearup
_on_issue_err " $_post_hook "
return 1
fi
_d = " $( echo " $response " | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "' ) " _d = " $( echo " $response " | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "' ) "
if _contains " $response " "\"wildcard\" *: *true" ; then if _contains " $response " "\"wildcard\" *: *true" ; then
_d = " *. $_d " _d = " *. $_d "
fi fi
_debug2 _d " $_d " _debug2 _d " $_d "
_authorizations_map = " $_d , $response
_authorizations_map = " $_d , $response # $_authz_url
$_authorizations_map " $_authorizations_map "
done done
_debug2 _authorizations_map " $_authorizations_map " _debug2 _authorizations_map " $_authorizations_map "
_index = 0 _index = 0
@ -4606,33 +4709,32 @@ $_authorizations_map"
_on_issue_err " $_post_hook " _on_issue_err " $_post_hook "
return 1 return 1
fi fi
_authz_url = " $( echo " $_candidates " | sed " s/ $_idn_d ,// " | _egrep_o "#.*" | sed "s/^#//" ) "
_debug _authz_url " $_authz_url "
if [ -z " $thumbprint " ] ; then if [ -z " $thumbprint " ] ; then
thumbprint = " $( __calc_account_thumbprint) " thumbprint = " $( __calc_account_thumbprint) "
fi fi
keyauthorization = ""
if echo " $response " | grep '"status":"valid"' >/dev/null 2>& 1; then
_debug " $d is already valid. "
keyauthorization = " $STATE_VERIFIED "
_debug keyauthorization " $keyauthorization "
fi
entry = " $( echo " $response " | _egrep_o '[^\{]*"type":"' $vtype '"[^\}]*' ) " entry = " $( echo " $response " | _egrep_o '[^\{]*"type":"' $vtype '"[^\}]*' ) "
_debug entry " $entry " _debug entry " $entry "
keyauthorization = ""
if [ -z " $entry " ] ; then
if ! _startswith " $d " '*.' ; then
_debug "Not a wildcard domain, lets check whether the validation is already valid."
if echo " $response " | grep '"status":"valid"' >/dev/null 2>& 1; then
_debug " $d is already valid. "
keyauthorization = " $STATE_VERIFIED "
_debug keyauthorization " $keyauthorization "
fi
fi
if [ -z " $keyauthorization " ] ; then
_err " Error, can not get domain token entry $d for $vtype "
_supported_vtypes = " $( echo " $response " | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ' ) "
if [ " $_supported_vtypes " ] ; then
_err " The supported validation types are: $_supported_vtypes , but you specified: $vtype "
fi
_clearup
_on_issue_err " $_post_hook "
return 1
if [ -z " $keyauthorization " -a -z " $entry " ] ; then
_err " Error, can not get domain token entry $d for $vtype "
_supported_vtypes = " $( echo " $response " | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ' ) "
if [ " $_supported_vtypes " ] ; then
_err " The supported validation types are: $_supported_vtypes , but you specified: $vtype "
fi fi
_clearup
_on_issue_err " $_post_hook "
return 1
fi fi
if [ -z " $keyauthorization " ] ; then if [ -z " $keyauthorization " ] ; then
@ -4658,15 +4760,9 @@ $_authorizations_map"
fi fi
keyauthorization = " $token . $thumbprint " keyauthorization = " $token . $thumbprint "
_debug keyauthorization " $keyauthorization " _debug keyauthorization " $keyauthorization "
if printf "%s" " $response " | grep '"status":"valid"' >/dev/null 2>& 1; then
_debug " $d is already verified. "
keyauthorization = " $STATE_VERIFIED "
_debug keyauthorization " $keyauthorization "
fi
fi fi
dvlist = " $d $sep $keyauthorization $sep $uri $sep $vtype $sep $_currentRoot
dvlist = " $d $sep $keyauthorization $sep $uri $sep $vtype $sep $_currentRoot $sep $_authz_url "
_debug dvlist " $dvlist " _debug dvlist " $dvlist "
vlist = " $vlist $dvlist $dvsep " vlist = " $vlist $dvlist $dvsep "
@ -4683,6 +4779,7 @@ $_authorizations_map"
keyauthorization = $( echo " $ventry " | cut -d " $sep " -f 2) keyauthorization = $( echo " $ventry " | cut -d " $sep " -f 2)
vtype = $( echo " $ventry " | cut -d " $sep " -f 4) vtype = $( echo " $ventry " | cut -d " $sep " -f 4)
_currentRoot = $( echo " $ventry " | cut -d " $sep " -f 5) _currentRoot = $( echo " $ventry " | cut -d " $sep " -f 5)
_authz_url = $( echo " $ventry " | cut -d " $sep " -f 6)
_debug d " $d " _debug d " $d "
if [ " $keyauthorization " = " $STATE_VERIFIED " ] ; then if [ " $keyauthorization " = " $STATE_VERIFIED " ] ; then
_debug " $d is already verified, skip $vtype . " _debug " $d is already verified, skip $vtype . "
@ -4808,7 +4905,7 @@ $_authorizations_map"
uri = $( echo " $ventry " | cut -d " $sep " -f 3) uri = $( echo " $ventry " | cut -d " $sep " -f 3)
vtype = $( echo " $ventry " | cut -d " $sep " -f 4) vtype = $( echo " $ventry " | cut -d " $sep " -f 4)
_currentRoot = $( echo " $ventry " | cut -d " $sep " -f 5) _currentRoot = $( echo " $ventry " | cut -d " $sep " -f 5)
_authz_url = $( echo " $ventry " | cut -d " $sep " -f 6)
if [ " $keyauthorization " = " $STATE_VERIFIED " ] ; then if [ " $keyauthorization " = " $STATE_VERIFIED " ] ; then
_info " $d is already verified, skip $vtype . " _info " $d is already verified, skip $vtype . "
continue continue
@ -4818,6 +4915,7 @@ $_authorizations_map"
_debug "d" " $d " _debug "d" " $d "
_debug "keyauthorization" " $keyauthorization " _debug "keyauthorization" " $keyauthorization "
_debug "uri" " $uri " _debug "uri" " $uri "
_debug "_authz_url" " $_authz_url "
removelevel = "" removelevel = ""
token = " $( printf "%s" " $keyauthorization " | cut -d '.' -f 1) " token = " $( printf "%s" " $keyauthorization " | cut -d '.' -f 1) "
@ -4887,18 +4985,6 @@ $_authorizations_map"
if ! chmod a+r " $wellknown_path / $token " ; then if ! chmod a+r " $wellknown_path / $token " ; then
_debug "chmod failed, but we just continue." _debug "chmod failed, but we just continue."
fi fi
if [ ! " $usingApache " ] ; then
if webroot_owner = $( _stat " $_currentRoot " ) ; then
_debug " Changing owner/group of .well-known to $webroot_owner "
if ! _exec " chown -R \" $webroot_owner \" \" $_currentRoot /.well-known\" " ; then
_debug " $( cat " $_EXEC_TEMP_ERR " ) "
_exec_err >/dev/null 2>& 1
fi
else
_debug "not changing owner/group of webroot"
fi
fi
fi fi
elif [ " $vtype " = " $VTYPE_ALPN " ] ; then elif [ " $vtype " = " $VTYPE_ALPN " ] ; then
acmevalidationv1 = " $( printf "%s" " $keyauthorization " | _digest "sha256" "hex" ) " acmevalidationv1 = " $( printf "%s" " $keyauthorization " | _digest "sha256" "hex" ) "
@ -4937,6 +5023,7 @@ $_authorizations_map"
MAX_RETRY_TIMES = 30 MAX_RETRY_TIMES = 30
fi fi
_debug "Lets check the status of the authz"
while true; do while true; do
waittimes = $( _math " $waittimes " + 1) waittimes = $( _math " $waittimes " + 1)
if [ " $waittimes " -ge " $MAX_RETRY_TIMES " ] ; then if [ " $waittimes " -ge " $MAX_RETRY_TIMES " ] ; then
@ -4960,9 +5047,9 @@ $_authorizations_map"
errordetail = " $( echo " $error " | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4) " errordetail = " $( echo " $error " | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4) "
_debug2 errordetail " $errordetail " _debug2 errordetail " $errordetail "
if [ " $errordetail " ] ; then if [ " $errordetail " ] ; then
_err " $d :Verify error: $errordetail "
_err " Invalid status, $d :Verify error detail : $errordetail "
else else
_err " $d :Verify error: $error "
_err " Invalid status, $d :Verify error: $error "
fi fi
if [ " $DEBUG " ] ; then if [ " $DEBUG " ] ; then
if [ " $vtype " = " $VTYPE_HTTP " ] ; then if [ " $vtype " = " $VTYPE_HTTP " ] ; then
@ -4984,12 +5071,12 @@ $_authorizations_map"
break break
fi fi
if [ " $status " = ] ; then
if _contains " $status " ; then
_info " Pending, The CA is processing your order, please just wait. ( $waittimes / $MAX_RETRY_TIMES ) " _info " Pending, The CA is processing your order, please just wait. ( $waittimes / $MAX_RETRY_TIMES ) "
elif [ " $status " = ] ; then
elif _contains " $status " ; then
_info " Processing, The CA is processing your order, please just wait. ( $waittimes / $MAX_RETRY_TIMES ) " _info " Processing, The CA is processing your order, please just wait. ( $waittimes / $MAX_RETRY_TIMES ) "
else else
_err " $d :Verify error: $response "
_err " Unknown status: $status , $d :Verify error: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token " _clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup _clearup
_on_issue_err " $_post_hook " " $vlist " _on_issue_err " $_post_hook " " $vlist "
@ -4999,10 +5086,10 @@ $_authorizations_map"
_sleep 2 _sleep 2
_debug "checking" _debug "checking"
_send_signed_request " $uri "
_send_signed_request " $_authz_url "
if [ " $? " != "0" ] ; then if [ " $? " != "0" ] ; then
_err " $d :Verify error: $response "
_err " Invalid code, $d :Verify error: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token " _clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup _clearup
_on_issue_err " $_post_hook " " $vlist " _on_issue_err " $_post_hook " " $vlist "
@ -5169,6 +5256,9 @@ $_authorizations_map"
[ -f " $CA_CERT_PATH " ] && _info " The intermediate CA cert is in: $( __green " $CA_CERT_PATH " ) " [ -f " $CA_CERT_PATH " ] && _info " The intermediate CA cert is in: $( __green " $CA_CERT_PATH " ) "
[ -f " $CERT_FULLCHAIN_PATH " ] && _info " And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH " ) " [ -f " $CERT_FULLCHAIN_PATH " ] && _info " And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH " ) "
if [ " $Le_ForceNewDomainKey " ] && [ -e " $Le_Next_Domain_Key " ] ; then
_info " Your pre-generated next key for future cert key change is in: $( __green " $Le_Next_Domain_Key " ) "
fi
Le_CertCreateTime = $( _time) Le_CertCreateTime = $( _time)
_savedomainconf "Le_CertCreateTime" " $Le_CertCreateTime " _savedomainconf "Le_CertCreateTime" " $Le_CertCreateTime "
@ -5710,6 +5800,7 @@ deploy() {
return 1 return 1
fi fi
_debug2 DOMAIN_CONF " $DOMAIN_CONF "
. " $DOMAIN_CONF " . " $DOMAIN_CONF "
_savedomainconf Le_DeployHook " $_hooks " _savedomainconf Le_DeployHook " $_hooks "
@ -5743,7 +5834,8 @@ installcert() {
_savedomainconf "Le_RealKeyPath" " $_real_key " _savedomainconf "Le_RealKeyPath" " $_real_key "
_savedomainconf "Le_ReloadCmd" " $_reload_cmd " "base64" _savedomainconf "Le_ReloadCmd" " $_reload_cmd " "base64"
_savedomainconf "Le_RealFullChainPath" " $_real_fullchain " _savedomainconf "Le_RealFullChainPath" " $_real_fullchain "
export Le_ForceNewDomainKey = " $( _readdomainconf Le_ForceNewDomainKey) "
export Le_Next_Domain_Key
_installcert " $_main_domain " " $_real_cert " " $_real_key " " $_real_ca " " $_real_fullchain " " $_reload_cmd " _installcert " $_main_domain " " $_real_cert " " $_real_key " " $_real_ca " " $_real_fullchain " " $_reload_cmd "
} }
@ -5835,6 +5927,8 @@ _installcert() {
export CA_CERT_PATH export CA_CERT_PATH
export CERT_FULLCHAIN_PATH export CERT_FULLCHAIN_PATH
export Le_Domain = " $_main_domain " export Le_Domain = " $_main_domain "
export Le_ForceNewDomainKey
export Le_Next_Domain_Key
cd " $DOMAIN_PATH " && eval " $_reload_cmd " cd " $DOMAIN_PATH " && eval " $_reload_cmd "
) ; then ) ; then
_info " $( __green "Reload success" ) " _info " $( __green "Reload success" ) "
@ -5931,6 +6025,7 @@ installcronjob() {
fi fi
_t = $( _time) _t = $( _time)
random_minute = $( _math $_t % 60) random_minute = $( _math $_t % 60)
random_hour = $( _math $_t / 60 % 24)
if ! _exists " $_CRONTAB " && _exists "fcrontab" ; then if ! _exists " $_CRONTAB " && _exists "fcrontab" ; then
_CRONTAB = "fcrontab" _CRONTAB = "fcrontab"
@ -5955,16 +6050,14 @@ installcronjob() {
_info "Installing cron job" _info "Installing cron job"
if ! $_CRONTAB -l | grep " $PROJECT_ENTRY --cron " ; then if ! $_CRONTAB -l | grep " $PROJECT_ENTRY --cron " ; then
if _exists uname && uname -a | grep SunOS >/dev/null; then if _exists uname && uname -a | grep SunOS >/dev/null; then
$_CRONTAB -l | {
cat
echo " $random_minute 0 * * * $lesh --cron --home \" $LE_WORKING_DIR \" $_c_entry > /dev/null "
} | $_CRONTAB --
_CRONTAB_STDIN = " $_CRONTAB -- "
else else
$_CRONTAB -l | {
cat
echo " $random_minute 0 * * * $lesh --cron --home \" $LE_WORKING_DIR \" $_c_entry > /dev/null "
} | $_CRONTAB -
_CRONTAB_STDIN = " $_CRONTAB - "
fi fi
$_CRONTAB -l | {
cat
echo " $random_minute $random_hour * * * $lesh --cron --home \" $LE_WORKING_DIR \" $_c_entry > /dev/null "
} | $_CRONTAB_STDIN
fi fi
if [ " $? " != "0" ] ; then if [ " $? " != "0" ] ; then
_err "Install cron job failed. You need to manually renew your certs." _err "Install cron job failed. You need to manually renew your certs."
@ -6066,8 +6159,22 @@ revoke() {
uri = " ${ ACME_REVOKE_CERT } " uri = " ${ ACME_REVOKE_CERT } "
_info "Try account key first."
if _send_signed_request " $uri " " $data " "" " $ACCOUNT_KEY_PATH " ; then
if [ -z " $response " ] ; then
_info "Revoke success."
rm -f " $CERT_PATH "
cat " $CERT_KEY_PATH " >" $CERT_KEY_PATH .revoked "
cat " $CSR_PATH " >" $CSR_PATH .revoked "
return 0
else
_err "Revoke error."
_debug " $response "
fi
fi
if [ -f " $CERT_KEY_PATH " ] ; then if [ -f " $CERT_KEY_PATH " ] ; then
_info "Try domain key first."
_info "Try domain key."
if _send_signed_request " $uri " " $data " "" " $CERT_KEY_PATH " ; then if _send_signed_request " $uri " " $data " "" " $CERT_KEY_PATH " ; then
if [ -z " $response " ] ; then if [ -z " $response " ] ; then
_info "Revoke success." _info "Revoke success."
@ -6083,21 +6190,6 @@ revoke() {
else else
_info "Domain key file doesn't exist." _info "Domain key file doesn't exist."
fi fi
_info "Try account key."
if _send_signed_request " $uri " " $data " "" " $ACCOUNT_KEY_PATH " ; then
if [ -z " $response " ] ; then
_info "Revoke success."
rm -f " $CERT_PATH "
cat " $CERT_KEY_PATH " >" $CERT_KEY_PATH .revoked "
cat " $CSR_PATH " >" $CSR_PATH .revoked "
return 0
else
_err "Revoke error."
_debug " $response "
fi
fi
return 1 return 1
} }
@ -6671,6 +6763,13 @@ _send_notify() {
return 0 return 0
fi fi
_nsource = " $NOTIFY_SOURCE "
if [ -z " $_nsource " ] ; then
_nsource = " $( hostname) "
fi
_nsubject = " $_nsubject by $_nsource "
_send_err = 0 _send_err = 0
for _n_hook in $( echo " $_nhooks " | tr ',' " " ) ; do for _n_hook in $( echo " $_nhooks " | tr ',' " " ) ; do
_n_hook_file = " $( _findHook "" $_SUB_FOLDER_NOTIFY " $_n_hook " ) " _n_hook_file = " $( _findHook "" $_SUB_FOLDER_NOTIFY " $_n_hook " ) "
@ -6725,11 +6824,12 @@ setnotify() {
_nhook = " $1 " _nhook = " $1 "
_nlevel = " $2 " _nlevel = " $2 "
_nmode = " $3 " _nmode = " $3 "
_nsource = " $4 "
_initpath _initpath
if [ -z " $_nhook $_nlevel $_nmode ] ; then
_usage " Usage: $PROJECT_ENTRY --set-notify [--notify-hook <hookname>] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] "
if [ -z " $_nhook $_nlevel $_nmode $_nsource ] ; then
_usage " Usage: $PROJECT_ENTRY --set-notify [--notify-hook <hookname>] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source <hostname>] "
_usage " $_NOTIFY_WIKI " _usage " $_NOTIFY_WIKI "
return 1 return 1
fi fi
@ -6746,6 +6846,12 @@ setnotify() {
_saveaccountconf "NOTIFY_MODE" " $NOTIFY_MODE " _saveaccountconf "NOTIFY_MODE" " $NOTIFY_MODE "
fi fi
if [ " $_nsource " ] ; then
_info " Set notify source to: $_nsource "
export " NOTIFY_SOURCE= $_nsource "
_saveaccountconf "NOTIFY_SOURCE" " $NOTIFY_SOURCE "
fi
if [ " $_nhook " ] ; then if [ " $_nhook " ] ; then
_info " Set notify hook to: $_nhook " _info " Set notify hook to: $_nhook "
if [ " $_nhook " = " $NO_VALUE " ] ; then if [ " $_nhook " = " $NO_VALUE " ] ; then
@ -6824,7 +6930,7 @@ Parameters:
-f, --force Force install, force cert renewal or override sudo restrictions. -f, --force Force install, force cert renewal or override sudo restrictions.
--staging, --test Use staging server, for testing. --staging, --test Use staging server, for testing.
--debug [ 0| 1| 2| 3] Output debug info. Defaults to 1 if argument is omitted.
--debug [ 0| 1| 2| 3] Output debug info. Defaults to $DEBUG_LEVEL_DEFAULT if argument is omitted.
--output-insecure Output all the sensitive messages. --output-insecure Output all the sensitive messages.
By default all the credentials/sensitive messages are hidden from the output/debug/log for security. By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
-w, --webroot <directory> Specifies the web root folder for web root mode. -w, --webroot <directory> Specifies the web root folder for web root mode.
@ -6842,7 +6948,7 @@ Parameters:
-k, --keylength <bits> Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521. -k, --keylength <bits> Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
-ak, --accountkeylength <bits> Specifies the account key length: 2048, 3072, 4096 -ak, --accountkeylength <bits> Specifies the account key length: 2048, 3072, 4096
--log [ file] Specifies the log file. Defaults to \" $DEFAULT_LOG_FILE \" if argument is omitted. --log [ file] Specifies the log file. Defaults to \" $DEFAULT_LOG_FILE \" if argument is omitted.
--log-level <1| 2> Specifies the log level, default is 1 .
--log-level <1| 2> Specifies the log level, default is $DEFAULT_LOG_LEVEL
--syslog <0| 3| 6| 7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug. --syslog <0| 3| 6| 7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
--eab-kid <eab_key_id> Key Identifier for External Account Binding. --eab-kid <eab_key_id> Key Identifier for External Account Binding.
--eab-hmac-key <eab_hmac_key> HMAC key for External Account Binding. --eab-hmac-key <eab_hmac_key> HMAC key for External Account Binding.
@ -6850,7 +6956,7 @@ Parameters:
These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert: These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
--cert-file <file> Path to copy the cert file to after issue/renew..
--cert-file <file> Path to copy the cert file to after issue/renew.
--key-file <file> Path to copy the key file to after issue/renew. --key-file <file> Path to copy the key file to after issue/renew.
--ca-file <file> Path to copy the intermediate cert file to after issue/renew. --ca-file <file> Path to copy the intermediate cert file to after issue/renew.
--fullchain-file <file> Path to copy the fullchain cert file to after issue/renew. --fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
@ -6880,7 +6986,8 @@ Parameters:
--no-profile Only valid for '--install' command, which means: do not install aliases to user profile. --no-profile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text. --no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails. --force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert' , '--renew' , '--revoke' , '--to-pkcs12' and '--create-csr'
--ecc Specifies use of the ECC cert. Only valid for '--install-cert' , '--renew' , '--remove ' , '--revoke' ,
'--deploy' , '--to-pkcs8' , '--to-pkcs12' and '--create-csr' .
--csr <file> Specifies the input csr. --csr <file> Specifies the input csr.
--pre-hook <command> Command to be run before obtaining any certificates. --pre-hook <command> Command to be run before obtaining any certificates.
--post-hook <command> Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed. --post-hook <command> Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
@ -6906,6 +7013,7 @@ Parameters:
0: Bulk mode. Send all the domain' s notifications in one message( mail) . 0: Bulk mode. Send all the domain' s notifications in one message( mail) .
1: Cert mode. Send a message for every single cert. 1: Cert mode. Send a message for every single cert.
--notify-hook <hookname> Set the notify hook --notify-hook <hookname> Set the notify hook
--notify-source <server name> Set the server name in the notification message
--revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command. --revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command.
See: $_REVOKE_WIKI See: $_REVOKE_WIKI
@ -7063,7 +7171,9 @@ _selectServer() {
_getCAShortName( ) { _getCAShortName( ) {
caurl = " $1 " caurl = " $1 "
if [ -z " $caurl " ] ; then if [ -z " $caurl " ] ; then
caurl = " $DEFAULT_CA "
#use letsencrypt as default value if the Le_API is empty
#this case can only come from the old upgrading.
caurl = " $CA_LETSENCRYPT_V2 "
fi fi
if [ " $CA_SSLCOM_ECC " = " $caurl " ] ; then if [ " $CA_SSLCOM_ECC " = " $caurl " ] ; then
caurl = " $CA_SSLCOM_RSA " #just hack to get the short name caurl = " $CA_SSLCOM_RSA " #just hack to get the short name
@ -7180,6 +7290,7 @@ _process() {
_notify_hook = "" _notify_hook = ""
_notify_level = "" _notify_level = ""
_notify_mode = "" _notify_mode = ""
_notify_source = ""
_revoke_reason = "" _revoke_reason = ""
_eab_kid = "" _eab_kid = ""
_eab_hmac_key = "" _eab_hmac_key = ""
@ -7425,6 +7536,9 @@ _process() {
--keylength | -k) --keylength | -k)
_keylength = " $2 " _keylength = " $2 "
shift shift
if [ " $_keylength " ] && ! _isEccKey " $_keylength " ; then
export __SELECTED_RSA_KEY = 1
fi
; ; ; ;
-ak | --accountkeylength) -ak | --accountkeylength)
_accountkeylength = " $2 " _accountkeylength = " $2 "
@ -7460,7 +7574,7 @@ _process() {
shift shift
; ; ; ;
--home) --home)
export LE_WORKING_DIR = " $2 "
export LE_WORKING_DIR = " $( echo " $2 " | sed 's|/$||' ) "
shift shift
; ; ; ;
--cert-home | --certhome) --cert-home | --certhome)
@ -7672,6 +7786,15 @@ _process() {
_notify_mode = " $_nmode " _notify_mode = " $_nmode "
shift shift
; ; ; ;
--notify-source)
_nsource = " $2 "
if _startswith " $_nsource " "-" ; then
_err " ' $_nsource ' is not valid host name for ' $1 ' "
return 1
fi
_notify_source = " $_nsource "
shift
; ;
--revoke-reason) --revoke-reason)
_revoke_reason = " $2 " _revoke_reason = " $2 "
if _startswith " $_revoke_reason " "-" ; then if _startswith " $_revoke_reason " "-" ; then
@ -7826,7 +7949,7 @@ _process() {
createCSR " $_domain " " $_altdomains " " $_ecc " createCSR " $_domain " " $_altdomains " " $_ecc "
; ; ; ;
setnotify) setnotify)
setnotify " $_notify_hook " " $_notify_level " " $_notify_mode "
setnotify " $_notify_hook " " $_notify_level " " $_notify_mode " " $_notify_source "
; ; ; ;
setdefaultca) setdefaultca)
setdefaultca setdefaultca
Guilherme Pereira
11 months ago
GitHub