From 778ee02803098904be7dc5ec608665ad56060215 Mon Sep 17 00:00:00 2001
From: Frank Wall
Date: Mon, 7 Nov 2022 23:43:37 +0100
Subject: [PATCH 01/10] update documentation for --cert-home
Although the main use-case may be the --install command, this command also proves to be useful for the --signcsr and --issue commands.
---
 acme.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/acme.sh b/acme.sh
index d6d8e48c..9d6dfecc 100755
--- a/acme.sh
+++ b/acme.sh
@@ -6897,7 +6897,7 @@ Parameters:
 --accountconf Specifies a customized account config file.
 --home Specifies the home dir for $PROJECT_NAME.
- --cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
+ --cert-home Specifies the home dir to save all the certs.
 --config-home Specifies the home dir to save all the configurations.
 --useragent Specifies the user agent string. it will be saved for future use too.
 -m, --email Specifies the account email, only valid for the '--install' and '--update-account' command.
From 22dfedf6ae447404616102b14c01bdf9ddb70caf Mon Sep 17 00:00:00 2001
From: Kevin Locke
Date: Mon, 13 Feb 2017 14:09:25 -0700
Subject: [PATCH 02/10] Avoid permissions errors for chown .well-known
When acme.sh is run as a non-root user different from the owner of the webroot directory it is unable to change the owner of the files in .well-known to that user, causing permissions errors. Avoid this by making the files world-readable. These files should pose no disclosure risk since they are sent in cleartext during the HTTP Identifier Validation Challenge[1] and may already be exposed by directory enumeration, depending on server settings. AFAIK they should be safe to expose as world-readable in all cases.
1. https://ietf-wg-acme.github.io/acme/#rfc.section.7.2
Fixes Neilpang/acme.sh#32
Signed-off-by: Kevin Locke
---
 acme.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/acme.sh b/acme.sh
index 9842e3f1..3e1c85bd 100755
--- a/acme.sh
+++ b/acme.sh
@@ -5002,9 +5002,11 @@ $_authorizations_map"
 _debug "Writing token: $token to $wellknown_path/$token"
- mkdir -p "$wellknown_path"
-
- if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then
+ # Ensure .well-known is visible to web server user/group
+ # https://github.com/Neilpang/acme.sh/pull/32
+ if ! (umask ugo+rx &&
+ mkdir -p "$wellknown_path" &&
+ printf "%s" "$keyauthorization" >"$wellknown_path/$token"); then
 _err "$d: Cannot write token to file: $wellknown_path/$token"
 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
 _clearup
From 6c555cb6663ff5903af9ae7149813c8095335206 Mon Sep 17 00:00:00 2001
From: Lindsay Zhou
Date: Mon, 13 Jan 2025 10:22:46 +0800
Subject: [PATCH 03/10] fix regex of matching hetzner dns api error responses
---
 dnsapi/dns_hetzner.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 dnsapi/dns_hetzner.sh
diff --git a/dnsapi/dns_hetzner.sh b/dnsapi/dns_hetzner.sh
old mode 100644
new mode 100755
index 5a9cf2d9..f1bddc61
--- a/dnsapi/dns_hetzner.sh
+++ b/dnsapi/dns_hetzner.sh
@@ -212,7 +212,7 @@ _get_root() {
 _response_has_error() {
 unset _response_error
- err_part="$(echo "$response" | _egrep_o '"error":{[^}]*}')"
+ err_part="$(echo "$response" | _egrep_o '"error":\{[^\}]*\}')"
 if [ -n "$err_part" ]; then
 err_code=$(echo "$err_part" | _egrep_o '"code":[0-9]+' | cut -d : -f 2)
From f1dc79f0b51ca3e727d397c601a0cc85ab8d03b1 Mon Sep 17 00:00:00 2001
From: Martin Brodbeck
Date: Thu, 20 Mar 2025 10:13:12 +0100
Subject: [PATCH 04/10] support NTFY_TOKEN
---
 notify/ntfy.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/notify/ntfy.sh b/notify/ntfy.sh
index 650d1c74..21e39559 100644
--- a/notify/ntfy.sh
+++ b/notify/ntfy.sh
@@ -4,6 +4,7 @@
 #NTFY_URL="https://ntfy.sh"
 #NTFY_TOPIC="xxxxxxxxxxxxx"
+#NTFY_TOKEN="xxxxxxxxxxxxx"
 ntfy_send() {
 _subject="$1"
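Review bot: The symbolic `umask ugo+rx` only clears the r and x bits from whatever mask the caller inherited, so whether group/other write stays masked depends entirely on that inherited umask; under a `000` umask the token file and the `.well-known` directories come out world-writable. If the intent is "readable by the web server, writable only by the owner", a fixed mask says so and the subshell still confines it: `if ! (umask 022 &&`. `mkdir -p` also leaves the mode of an existing directory untouched, so a `.well-known/acme-challenge` created earlier under a restrictive umask stays unreadable to the web server; a comment such as `# only entries created here get the wider mode; a pre-existing .well-known keeps its own` would spare the next reader that debugging session. The enclosing function starts and ends outside the hunk.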
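Review bot: Inside a POSIX bracket expression a backslash is an ordinary character, so the new `[^\}]` excludes backslashes as well as `}`: an error object whose message carries an escaped quote (`\"`) will now end the match early and `err_part` is truncated, which the `"code":` extraction on the next line may not survive. Escaping the braces outside the bracket is the portable part of the fix; inside the bracket the escape is unnecessary and changes meaning, so `_egrep_o '"error":\{[^}]*\}'` keeps the intent. `_response_has_error` continues past the hunk.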
@@ -23,6 +24,12 @@ ntfy_send() {
 _saveaccountconf_mutable NTFY_TOPIC "$NTFY_TOPIC"
 fi
+ NTFY_TOKEN="${NTFY_TOKEN:-$(_readaccountconf_mutable NTFY_TOKEN)}"
+ if [ "$NTFY_TOKEN" ]; then
+ _saveaccountconf_mutable NTFY_TOKEN "$NTFY_TOKEN"
+ export _H1="Authorization: Bearer $NTFY_TOKEN"
+ fi
+
 _data="${_subject}. $_content"
 response="$(_post "$_data" "$NTFY_URL/$NTFY_TOPIC" "" "POST" "")"
From 5c7b1cd5f2d2aaa7ba9810e81294bcabbfbfc3ad Mon Sep 17 00:00:00 2001
From: Sikro
Date: Tue, 3 Dec 2024 15:07:37 +0800
Subject: [PATCH 05/10] add environment variable for notify/telegram.sh
Since the server in mainland China cannot connect to Telegram, add the TELEGRAM_BOT_URLBASE environment variable Please add the proxy address you set. If this variable is not added, it will be the default value (https://api.telegram.org)
---
 notify/telegram.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/notify/telegram.sh b/notify/telegram.sh
index cca8ee25..ccbd1533 100644
--- a/notify/telegram.sh
+++ b/notify/telegram.sh
@@ -4,6 +4,7 @@
 #TELEGRAM_BOT_APITOKEN=""
 #TELEGRAM_BOT_CHATID=""
+#TELEGRAM_BOT_URLBASE=""
 telegram_send() {
 _subject="$1"
@@ -27,6 +28,12 @@ telegram_send() {
 fi
 _saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
+ TELEGRAM_BOT_URLBASE="${TELEGRAM_BOT_URLBASE:-$(_readaccountconf_mutable TELEGRAM_BOT_URLBASE)}"
+ if [ -z "$TELEGRAM_BOT_URLBASE" ]; then
+ TELEGRAM_BOT_URLBASE="https://api.telegram.org"
+ fi
+ _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE"
+
 _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+--=|{}.!]\)/\\\\\1/g')"
 _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+--=|{}.!]\)/\\\\\1/g')"
 _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
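Review bot: `if [ "$NTFY_TOKEN" ]; then` uses the one-argument form of `test`, while the sibling hook in this series (telegram.sh) spells its checks with explicit operators (`[ -z ... ]`); `if [ -n "$NTFY_TOKEN" ]; then` is the consistent and unambiguous form. A hedged second point: `_H1` is exported only on the token path and never reset, so if the notify hooks are sourced into one shell a header left by an earlier hook (telegram.sh exports `_H1="Content-Type: application/json"`) would be sent to ntfy as well; an `unset _H1` before the `if` would make the token path the only way a header is set, which is worth confirming against how acme.sh invokes its notify hooks. The token is persisted to the account config in plaintext just as the topic is; a one-line comment above the save, `# stored in the account config like NTFY_TOPIC; that file must stay private`, makes the trade-off explicit.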
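Review bot: The bot API token is part of the request path (`/bot${TELEGRAM_BOT_APITOKEN}/sendMessage` in the next hunk), so whatever host `TELEGRAM_BOT_URLBASE` names receives the token, and the new code accepts any value — including a plain `http://` base, where the token would cross the network in cleartext, and a value with a trailing slash, which yields `//bot…` in the URL. Normalise and warn where the default is applied, as in the fence below; whether a non-https base should be refused outright rather than warned about is a project policy call. A line in the commented template, `#TELEGRAM_BOT_URLBASE=""  # the proxy host receives your bot token; use https`, would also tell users what they are trusting. `telegram_send` continues past the hunk.

```shell
  fi
  # strip a trailing slash so "${TELEGRAM_BOT_URLBASE}/bot..." below does not become "//bot..."
  TELEGRAM_BOT_URLBASE="${TELEGRAM_BOT_URLBASE%/}"
  # the bot token travels in the URL path; a non-TLS base exposes it on the wire
  case "$TELEGRAM_BOT_URLBASE" in
    https://*) ;;
    *) _info "TELEGRAM_BOT_URLBASE does not use https; the bot token will be sent in cleartext" ;;
  esac
  _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE"
```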
@@ -38,7 +45,7 @@ telegram_send() {
 _debug "$_data"
 export _H1="Content-Type: application/json"
- _telegram_bot_url="https://api.telegram.org/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
+ _telegram_bot_url="${TELEGRAM_BOT_URLBASE}/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
 if _post "$_data" "$_telegram_bot_url" >/dev/null; then
 # shellcheck disable=SC2154
 _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p')
From 8a27c902ff93ea3adb140e4fc1bcc2e71e4260d9 Mon Sep 17 00:00:00 2001
From: Szabolcs Magyar <699745+magyarsz@users.noreply.github.com>
Date: Tue, 25 Mar 2025 19:29:12 +0100
Subject: [PATCH 06/10] Fix error message variable when reload cmd returns with an error
---
 acme.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/acme.sh b/acme.sh
index 2cf681eb..dd21785d 100755
--- a/acme.sh
+++ b/acme.sh
@@ -5986,7 +5986,7 @@ _installcert() {
 ); then
 _info "$(__green "Reload successful")"
 else
- _err "Reload error for: $Le_Domain"
+ _err "Reload error for: $_main_domain"
 fi
 fi
From 93c19356d02503354eb0f60331dcb8876fa250c5 Mon Sep 17 00:00:00 2001
From: ms264556 <29752086+ms264556@users.noreply.github.com>
Date: Thu, 27 Mar 2025 14:03:08 +1300
Subject: [PATCH 07/10] Don't deploy ECC certs to legacy Ruckus
---
 deploy/ruckus.sh | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/deploy/ruckus.sh b/deploy/ruckus.sh
index f62e2fc0..d0fa4c3d 100755
--- a/deploy/ruckus.sh
+++ b/deploy/ruckus.sh
@@ -116,6 +116,30 @@ ruckus_deploy() {
 _H2="X-CSRF-Token: $(_response_header 'HTTP_X_CSRF_TOKEN')"
 export _H2
+ if _isRSA "$_ckey" >/dev/null 2>&1; then
+ _debug "Using RSA certificate."
+ else
+ _info "Verifying ECC certificate support."
+
+ _ul_version="$(_get_unleashed_version)"
+ if [ -z "$_ul_version" ]; then
+ _err "Your controller doesn't support ECC certificates. Please deploy an RSA certificate."
+ return 1
+ fi
+
+ _ul_version_major="$(echo "$_ul_version" | cut -d . -f 1)"
+ _ul_version_minor="$(echo "$_ul_version" | cut -d . -f 2)"
+ if [ "$_ul_version_major" -lt "200" ]; then
+ _err "ZoneDirector doesn't support ECC certificates. Please deploy an RSA certificate."
+ return 1
+ elif [ "$_ul_version_minor" -lt "13" ]; then
+ _err "Unleashed $_ul_version_major.$_ul_version_minor doesn't support ECC certificates. Please deploy an RSA certificate or upgrade to Unleashed 200.13+."
+ return 1
+ fi
+
+ _debug "ECC certificates OK for Unleashed $_ul_version_major.$_ul_version_minor."
+ fi
+
 _info "Uploading certificate"
 _post_upload "uploadcert" "$_cfullchain"
@@ -145,6 +169,10 @@ _response_cookie() {
 _response_header 'Set-Cookie' | sed 's/;.*//'
 }
+_get_unleashed_version() {
+ _post '' "$_base_url/_cmdstat.jsp" | _egrep_o "version-num=\"[^\"]*\"" | cut -d '"' -f 2
+}
+
 _post_upload() {
 _post_action="$1"
 _post_file="$2"
From a1de13657e79c5471dbc8fa3539ea39160937389 Mon Sep 17 00:00:00 2001
From: neil
Date: Fri, 28 Mar 2025 20:50:08 +0100
Subject: [PATCH 08/10] minor, just copy necessary files
---
 Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 3f400283..4d7d22b1 100644
--- a/Dockerfile
+++ b/Dockerfile
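Review bot: The `-lt` comparisons assume `_ul_version_major` and `_ul_version_minor` are integers; if `version-num` comes back in another shape (no dot, or non-numeric pieces), `[` reports "integer expression expected", both branches fall through, and the code logs `ECC certificates OK` and uploads anyway — the opposite of the fail-closed intent. Guard before comparing, e.g. `case "$_ul_version_major" in '' | *[!0-9]*) _err "Cannot parse controller version '$_ul_version'; please deploy an RSA certificate."; return 1 ;; esac` and the same for the minor field. The empty-version message also conflates "controller too old" with "request failed or regex did not match"; a `_debug "version-num lookup returned nothing from $_base_url/_cmdstat.jsp"` next to it would let a user tell those apart. `ruckus_deploy` starts and ends outside the hunk.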
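Review bot: `_get_unleashed_version` drops `_post`'s exit status because `_post` is the first stage of a pipeline, so a transport error, an auth failure and a page without `version-num` all return the same empty string, and the caller then reports that the controller does not support ECC. Capture the response first so those cases can be separated: `_resp="$(_post '' "$_base_url/_cmdstat.jsp")" || return 1` followed by `printf '%s' "$_resp" | _egrep_o "version-num=\"[^\"]*\"" | cut -d '"' -f 2`; whether `_post` returns non-zero on HTTP errors depends on acme.sh's implementation, which is not in this file. A header comment is also missing; `# Print the Unleashed "version-num" from _cmdstat.jsp, empty when the page has none.` matches what the code does.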
@@ -22,7 +22,11 @@ ARG AUTO_UPGRADE=1
 ENV AUTO_UPGRADE=$AUTO_UPGRADE
 #Install
-COPY ./ /install_acme.sh/
+COPY ./acme.sh /install_acme.sh/acme.sh
+COPY ./deploy /install_acme.sh/deploy
+COPY ./dnsapi /install_acme.sh/dnsapi
+COPY ./notify /install_acme.sh/notify
+
 RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
From 40b6db6a2715628aa977ed1853fe5256704010ae Mon Sep 17 00:00:00 2001
From: neil
Date: Sat, 29 Mar 2025 21:14:56 +0100
Subject: [PATCH 09/10] persist-credentials: false
---
 .github/workflows/dockerhub.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index 435fd6b5..49173b4b 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -44,6 +44,8 @@ jobs:
 steps:
 - name: checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
 - name: Extract Docker metadata
From 20c7bfaff21d0ca7b14385943f212931ccdfd7f8 Mon Sep 17 00:00:00 2001
From: Gontier Julien <52894530+Gontier-Julien@users.noreply.github.com>
Date: Fri, 11 Apr 2025 20:09:03 +0200
Subject: [PATCH 10/10] Bump Alpine version from 3.17 to 3.21
Signed-off-by: Gontier Julien <52894530+Gontier-Julien@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 4d7d22b1..7523f0af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.21
 RUN apk --no-cache add -f \
 openssl \
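Review bot: With `COPY ./acme.sh /install_acme.sh/acme.sh` the build now fails outright when the file is missing, so the `[ -f /install_acme.sh/acme.sh ]` test on the `RUN` line is always true and `|| curl https://get.acme.sh | sh` is dead code — yet it remains an unpinned, unverified remote-script execution path in the image build. Since the point of this commit is to build from the checked-out tree only, drop the fallback: `RUN cd /install_acme.sh && /install_acme.sh/acme.sh --install && rm -rf /install_acme.sh/`. Only `deploy`, `dnsapi` and `notify` are copied alongside the script; worth confirming `--install` reads nothing outside those four paths, since anything else it expects would now be silently absent.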
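Review bot: `persist-credentials: false` stops the checkout action from writing the job token into `.git/config`, so any later step in this job that runs `git push` or `git fetch` against the repository would now fail; the visible steps (QEMU, Docker metadata) do not, but the rest of the job lies outside the hunk and should be checked. While touching this step, pinning `actions/checkout` and `docker/setup-qemu-action` to full commit SHAs (`uses: actions/checkout@<sha> # v4`) is the companion hardening, since mutable tags are the remaining third-party trust on this job.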