committed by
							
								 GitHub
								GitHub
							
						
					
				
				
				  
				  No known key found for this signature in database
				  
				  	
						GPG Key ID: 4AEE18F83AFDEB23
				  	
				  
				
			
		
		
		
	
				 8 changed files with 534 additions and 48 deletions
			
			
		- 
					25deploy/haproxy.sh
- 
					2deploy/kong.sh
- 
					280deploy/lighttpd.sh
- 
					27deploy/ssh.sh
- 
					77dnsapi/dns_1984hosting.sh
- 
					8dnsapi/dns_netcup.sh
- 
					5dnsapi/dns_rackspace.sh
- 
					158dnsapi/dns_veesp.sh
| @ -0,0 +1,280 @@ | |||
| #!/usr/bin/env sh | |||
| 
 | |||
| # Script for acme.sh to deploy certificates to lighttpd | |||
| # | |||
| # The following variables can be exported: | |||
| # | |||
| # export DEPLOY_LIGHTTPD_PEM_NAME="${domain}.pem" | |||
| # | |||
| # Defines the name of the PEM file. | |||
| # Defaults to "<domain>.pem" | |||
| # | |||
| # export DEPLOY_LIGHTTPD_PEM_PATH="/etc/lighttpd" | |||
| # | |||
| # Defines location of PEM file for Lighttpd. | |||
| # Defaults to /etc/lighttpd | |||
| # | |||
| # export DEPLOY_LIGHTTPD_RELOAD="systemctl reload lighttpd" | |||
| # | |||
| # OPTIONAL: Reload command used post deploy | |||
| # This defaults to be a no-op (ie "true"). | |||
| # It is strongly recommended to set this something that makes sense | |||
| # for your distro. | |||
| # | |||
| # export DEPLOY_LIGHTTPD_ISSUER="yes" | |||
| # | |||
| # OPTIONAL: Places CA file as "${DEPLOY_LIGHTTPD_PEM}.issuer" | |||
| # Note: Required for OCSP stapling to work | |||
| # | |||
| # export DEPLOY_LIGHTTPD_BUNDLE="no" | |||
| # | |||
| # OPTIONAL: Deploy this certificate as part of a multi-cert bundle | |||
| # This adds a suffix to the certificate based on the certificate type | |||
| # eg RSA certificates will have .rsa as a suffix to the file name | |||
| # Lighttpd will load all certificates and provide one or the other | |||
| # depending on client capabilities | |||
| # Note: This functionality requires Lighttpd was compiled against | |||
| # a version of OpenSSL that supports this. | |||
| # | |||
| 
 | |||
| ########  Public functions ##################### | |||
| 
 | |||
| #domain keyfile certfile cafile fullchain | |||
| lighttpd_deploy() { | |||
|   _cdomain="$1" | |||
|   _ckey="$2" | |||
|   _ccert="$3" | |||
|   _cca="$4" | |||
|   _cfullchain="$5" | |||
| 
 | |||
|   # Some defaults | |||
|   DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT="/etc/lighttpd" | |||
|   DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT="${_cdomain}.pem" | |||
|   DEPLOY_LIGHTTPD_BUNDLE_DEFAULT="no" | |||
|   DEPLOY_LIGHTTPD_ISSUER_DEFAULT="yes" | |||
|   DEPLOY_LIGHTTPD_RELOAD_DEFAULT="true" | |||
| 
 | |||
|   _debug _cdomain "${_cdomain}" | |||
|   _debug _ckey "${_ckey}" | |||
|   _debug _ccert "${_ccert}" | |||
|   _debug _cca "${_cca}" | |||
|   _debug _cfullchain "${_cfullchain}" | |||
| 
 | |||
|   # PEM_PATH is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}" | |||
|   _getdeployconf DEPLOY_LIGHTTPD_PEM_PATH | |||
|   _debug2 DEPLOY_LIGHTTPD_PEM_PATH "${DEPLOY_LIGHTTPD_PEM_PATH}" | |||
|   if [ -n "${DEPLOY_LIGHTTPD_PEM_PATH}" ]; then | |||
|     Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH}" | |||
|     _savedomainconf Le_Deploy_lighttpd_pem_path "${Le_Deploy_lighttpd_pem_path}" | |||
|   elif [ -z "${Le_Deploy_lighttpd_pem_path}" ]; then | |||
|     Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}" | |||
|   fi | |||
| 
 | |||
|   # Ensure PEM_PATH exists | |||
|   if [ -d "${Le_Deploy_lighttpd_pem_path}" ]; then | |||
|     _debug "PEM_PATH ${Le_Deploy_lighttpd_pem_path} exists" | |||
|   else | |||
|     _err "PEM_PATH ${Le_Deploy_lighttpd_pem_path} does not exist" | |||
|     return 1 | |||
|   fi | |||
| 
 | |||
|   # PEM_NAME is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}" | |||
|   _getdeployconf DEPLOY_LIGHTTPD_PEM_NAME | |||
|   _debug2 DEPLOY_LIGHTTPD_PEM_NAME "${DEPLOY_LIGHTTPD_PEM_NAME}" | |||
|   if [ -n "${DEPLOY_LIGHTTPD_PEM_NAME}" ]; then | |||
|     Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME}" | |||
|     _savedomainconf Le_Deploy_lighttpd_pem_name "${Le_Deploy_lighttpd_pem_name}" | |||
|   elif [ -z "${Le_Deploy_lighttpd_pem_name}" ]; then | |||
|     Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}" | |||
|   fi | |||
| 
 | |||
|   # BUNDLE is optional. If not provided then assume "${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}" | |||
|   _getdeployconf DEPLOY_LIGHTTPD_BUNDLE | |||
|   _debug2 DEPLOY_LIGHTTPD_BUNDLE "${DEPLOY_LIGHTTPD_BUNDLE}" | |||
|   if [ -n "${DEPLOY_LIGHTTPD_BUNDLE}" ]; then | |||
|     Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE}" | |||
|     _savedomainconf Le_Deploy_lighttpd_bundle "${Le_Deploy_lighttpd_bundle}" | |||
|   elif [ -z "${Le_Deploy_lighttpd_bundle}" ]; then | |||
|     Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}" | |||
|   fi | |||
| 
 | |||
|   # ISSUER is optional. If not provided then assume "${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}" | |||
|   _getdeployconf DEPLOY_LIGHTTPD_ISSUER | |||
|   _debug2 DEPLOY_LIGHTTPD_ISSUER "${DEPLOY_LIGHTTPD_ISSUER}" | |||
|   if [ -n "${DEPLOY_LIGHTTPD_ISSUER}" ]; then | |||
|     Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER}" | |||
|     _savedomainconf Le_Deploy_lighttpd_issuer "${Le_Deploy_lighttpd_issuer}" | |||
|   elif [ -z "${Le_Deploy_lighttpd_issuer}" ]; then | |||
|     Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}" | |||
|   fi | |||
| 
 | |||
|   # RELOAD is optional. If not provided then assume "${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}" | |||
|   _getdeployconf DEPLOY_LIGHTTPD_RELOAD | |||
|   _debug2 DEPLOY_LIGHTTPD_RELOAD "${DEPLOY_LIGHTTPD_RELOAD}" | |||
|   if [ -n "${DEPLOY_LIGHTTPD_RELOAD}" ]; then | |||
|     Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD}" | |||
|     _savedomainconf Le_Deploy_lighttpd_reload "${Le_Deploy_lighttpd_reload}" | |||
|   elif [ -z "${Le_Deploy_lighttpd_reload}" ]; then | |||
|     Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}" | |||
|   fi | |||
| 
 | |||
|   # Set the suffix depending if we are creating a bundle or not | |||
|   if [ "${Le_Deploy_lighttpd_bundle}" = "yes" ]; then | |||
|     _info "Bundle creation requested" | |||
|     # Initialise $Le_Keylength if its not already set | |||
|     if [ -z "${Le_Keylength}" ]; then | |||
|       Le_Keylength="" | |||
|     fi | |||
|     if _isEccKey "${Le_Keylength}"; then | |||
|       _info "ECC key type detected" | |||
|       _suffix=".ecdsa" | |||
|     else | |||
|       _info "RSA key type detected" | |||
|       _suffix=".rsa" | |||
|     fi | |||
|   else | |||
|     _suffix="" | |||
|   fi | |||
|   _debug _suffix "${_suffix}" | |||
| 
 | |||
|   # Set variables for later | |||
|   _pem="${Le_Deploy_lighttpd_pem_path}/${Le_Deploy_lighttpd_pem_name}${_suffix}" | |||
|   _issuer="${_pem}.issuer" | |||
|   _ocsp="${_pem}.ocsp" | |||
|   _reload="${Le_Deploy_lighttpd_reload}" | |||
| 
 | |||
|   _info "Deploying PEM file" | |||
|   # Create a temporary PEM file | |||
|   _temppem="$(_mktemp)" | |||
|   _debug _temppem "${_temppem}" | |||
|   cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}" | |||
|   _ret="$?" | |||
| 
 | |||
|   # Check that we could create the temporary file | |||
|   if [ "${_ret}" != "0" ]; then | |||
|     _err "Error code ${_ret} returned during PEM file creation" | |||
|     [ -f "${_temppem}" ] && rm -f "${_temppem}" | |||
|     return ${_ret} | |||
|   fi | |||
| 
 | |||
|   # Move PEM file into place | |||
|   _info "Moving new certificate into place" | |||
|   _debug _pem "${_pem}" | |||
|   cat "${_temppem}" >"${_pem}" | |||
|   _ret=$? | |||
| 
 | |||
|   # Clean up temp file | |||
|   [ -f "${_temppem}" ] && rm -f "${_temppem}" | |||
| 
 | |||
|   # Deal with any failure of moving PEM file into place | |||
|   if [ "${_ret}" != "0" ]; then | |||
|     _err "Error code ${_ret} returned while moving new certificate into place" | |||
|     return ${_ret} | |||
|   fi | |||
| 
 | |||
|   # Update .issuer file if requested | |||
|   if [ "${Le_Deploy_lighttpd_issuer}" = "yes" ]; then | |||
|     _info "Updating .issuer file" | |||
|     _debug _issuer "${_issuer}" | |||
|     cat "${_cca}" >"${_issuer}" | |||
|     _ret="$?" | |||
| 
 | |||
|     if [ "${_ret}" != "0" ]; then | |||
|       _err "Error code ${_ret} returned while copying issuer/CA certificate into place" | |||
|       return ${_ret} | |||
|     fi | |||
|   else | |||
|     [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists" | |||
|   fi | |||
| 
 | |||
|   # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option | |||
|   if [ -z "${Le_OCSP_Staple}" ]; then | |||
|     Le_OCSP_Staple="0" | |||
|   fi | |||
|   if [ "${Le_OCSP_Staple}" = "1" ]; then | |||
|     _info "Updating OCSP stapling info" | |||
|     _debug _ocsp "${_ocsp}" | |||
|     _info "Extracting OCSP URL" | |||
|     _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}") | |||
|     _debug _ocsp_url "${_ocsp_url}" | |||
| 
 | |||
|     # Only process OCSP if URL was present | |||
|     if [ "${_ocsp_url}" != "" ]; then | |||
|       # Extract the hostname from the OCSP URL | |||
|       _info "Extracting OCSP URL" | |||
|       _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3) | |||
|       _debug _ocsp_host "${_ocsp_host}" | |||
| 
 | |||
|       # Only process the certificate if we have a .issuer file | |||
|       if [ -r "${_issuer}" ]; then | |||
|         # Check if issuer cert is also a root CA cert | |||
|         _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10) | |||
|         _debug _subjectdn "${_subjectdn}" | |||
|         _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10) | |||
|         _debug _issuerdn "${_issuerdn}" | |||
|         _info "Requesting OCSP response" | |||
|         # If the issuer is a CA cert then our command line has "-CAfile" added | |||
|         if [ "${_subjectdn}" = "${_issuerdn}" ]; then | |||
|           _cafile_argument="-CAfile \"${_issuer}\"" | |||
|         else | |||
|           _cafile_argument="" | |||
|         fi | |||
|         _debug _cafile_argument "${_cafile_argument}" | |||
|         # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed | |||
|         _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2) | |||
|         _debug _openssl_version "${_openssl_version}" | |||
|         _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1) | |||
|         _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2) | |||
|         if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then | |||
|           _header_sep="=" | |||
|         else | |||
|           _header_sep=" " | |||
|         fi | |||
|         # Request the OCSP response from the issuer and store it | |||
|         _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \ | |||
|           -issuer \"${_issuer}\" \ | |||
|           -cert \"${_pem}\" \ | |||
|           -url \"${_ocsp_url}\" \ | |||
|           -header Host${_header_sep}\"${_ocsp_host}\" \ | |||
|           -respout \"${_ocsp}\" \ | |||
|           -verify_other \"${_issuer}\" \ | |||
|           ${_cafile_argument} \ | |||
|           | grep -q \"${_pem}: good\"" | |||
|         _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}" | |||
|         eval "${_openssl_ocsp_cmd}" | |||
|         _ret=$? | |||
|       else | |||
|         # Non fatal: No issuer file was present so no OCSP stapling file created | |||
|         _err "OCSP stapling in use but no .issuer file was present" | |||
|       fi | |||
|     else | |||
|       # Non fatal: No OCSP url was found int the certificate | |||
|       _err "OCSP update requested but no OCSP URL was found in certificate" | |||
|     fi | |||
| 
 | |||
|     # Non fatal: Check return code of openssl command | |||
|     if [ "${_ret}" != "0" ]; then | |||
|       _err "Updating OCSP stapling failed with return code ${_ret}" | |||
|     fi | |||
|   else | |||
|     # An OCSP file was already present but certificate did not have OCSP extension | |||
|     if [ -f "${_ocsp}" ]; then | |||
|       _err "OCSP was not requested but .ocsp file exists." | |||
|       # Could remove the file at this step, although Lighttpd just ignores it in this case | |||
|       # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file" | |||
|     fi | |||
|   fi | |||
| 
 | |||
|   # Reload Lighttpd | |||
|   _debug _reload "${_reload}" | |||
|   eval "${_reload}" | |||
|   _ret=$? | |||
|   if [ "${_ret}" != "0" ]; then | |||
|     _err "Error code ${_ret} during reload" | |||
|     return ${_ret} | |||
|   else | |||
|     _info "Reload successful" | |||
|   fi | |||
| 
 | |||
|   return 0 | |||
| } | |||
| @ -0,0 +1,158 @@ | |||
| #!/usr/bin/env sh | |||
| 
 | |||
| # bug reports to stepan@plyask.in | |||
| 
 | |||
| # | |||
| #     export VEESP_User="username" | |||
| #     export VEESP_Password="password" | |||
| 
 | |||
| VEESP_Api="https://secure.veesp.com/api" | |||
| 
 | |||
| ########  Public functions ##################### | |||
| 
 | |||
| #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" | |||
| dns_veesp_add() { | |||
|   fulldomain=$1 | |||
|   txtvalue=$2 | |||
| 
 | |||
|   VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}" | |||
|   VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}" | |||
|   VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64) | |||
| 
 | |||
|   if [ -z "$VEESP_Password" ] || [ -z "$VEESP_User" ]; then | |||
|     VEESP_Password="" | |||
|     VEESP_User="" | |||
|     _err "You don't specify veesp api key and email yet." | |||
|     _err "Please create you key and try again." | |||
|     return 1 | |||
|   fi | |||
| 
 | |||
|   #save the api key and email to the account conf file. | |||
|   _saveaccountconf_mutable VEESP_Password "$VEESP_Password" | |||
|   _saveaccountconf_mutable VEESP_User "$VEESP_User" | |||
| 
 | |||
|   _debug "First detect the root zone" | |||
|   if ! _get_root "$fulldomain"; then | |||
|     _err "invalid domain" | |||
|     return 1 | |||
|   fi | |||
|   _debug _domain_id "$_domain_id" | |||
|   _debug _sub_domain "$_sub_domain" | |||
|   _debug _domain "$_domain" | |||
| 
 | |||
|   _info "Adding record" | |||
|   if VEESP_rest POST "service/$_service_id/dns/$_domain_id/records" "{\"name\":\"$fulldomain\",\"ttl\":1,\"priority\":0,\"type\":\"TXT\",\"content\":\"$txtvalue\"}"; then | |||
|     if _contains "$response" "\"success\":true"; then | |||
|       _info "Added" | |||
|       #todo: check if the record takes effect | |||
|       return 0 | |||
|     else | |||
|       _err "Add txt record error." | |||
|       return 1 | |||
|     fi | |||
|   fi | |||
| } | |||
| 
 | |||
| # Usage: fulldomain txtvalue | |||
| # Used to remove the txt record after validation | |||
| dns_veesp_rm() { | |||
|   fulldomain=$1 | |||
|   txtvalue=$2 | |||
| 
 | |||
|   VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}" | |||
|   VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}" | |||
|   VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64) | |||
| 
 | |||
|   _debug "First detect the root zone" | |||
|   if ! _get_root "$fulldomain"; then | |||
|     _err "invalid domain" | |||
|     return 1 | |||
|   fi | |||
|   _debug _domain_id "$_domain_id" | |||
|   _debug _sub_domain "$_sub_domain" | |||
|   _debug _domain "$_domain" | |||
| 
 | |||
|   _debug "Getting txt records" | |||
|   VEESP_rest GET "service/$_service_id/dns/$_domain_id" | |||
| 
 | |||
|   count=$(printf "%s\n" "$response" | _egrep_o "\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | wc -l | tr -d " ") | |||
|   _debug count "$count" | |||
|   if [ "$count" = "0" ]; then | |||
|     _info "Don't need to remove." | |||
|   else | |||
|     record_id=$(printf "%s\n" "$response" | _egrep_o "{\"id\":[^}]*\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | cut -d\" -f4) | |||
|     _debug "record_id" "$record_id" | |||
|     if [ -z "$record_id" ]; then | |||
|       _err "Can not get record id to remove." | |||
|       return 1 | |||
|     fi | |||
|     if ! VEESP_rest DELETE "service/$_service_id/dns/$_domain_id/records/$record_id"; then | |||
|       _err "Delete record error." | |||
|       return 1 | |||
|     fi | |||
|     _contains "$response" "\"success\":true" | |||
|   fi | |||
| } | |||
| 
 | |||
| ####################  Private functions below ################################## | |||
| #_acme-challenge.www.domain.com | |||
| #returns | |||
| # _sub_domain=_acme-challenge.www | |||
| # _domain=domain.com | |||
| # _domain_id=sdjkglgdfewsdfg | |||
| _get_root() { | |||
|   domain=$1 | |||
|   i=2 | |||
|   p=1 | |||
|   if ! VEESP_rest GET "dns"; then | |||
|     return 1 | |||
|   fi | |||
|   while true; do | |||
|     h=$(printf "%s" "$domain" | cut -d . -f $i-100) | |||
|     _debug h "$h" | |||
|     if [ -z "$h" ]; then | |||
|       #not valid | |||
|       return 1 | |||
|     fi | |||
| 
 | |||
|     if _contains "$response" "\"name\":\"$h\""; then | |||
|       _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"domain_id\":[^,]*,\"name\":\"$h\"" | cut -d : -f 2 | cut -d , -f 1 | cut -d '"' -f 2) | |||
|       _debug _domain_id "$_domain_id" | |||
|       _service_id=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$h\",\"service_id\":[^}]*" | cut -d : -f 3 | cut -d '"' -f 2) | |||
|       _debug _service_id "$_service_id" | |||
|       if [ "$_domain_id" ]; then | |||
|         _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) | |||
|         _domain="$h" | |||
|         return 0 | |||
|       fi | |||
|       return 1 | |||
|     fi | |||
|     p=$i | |||
|     i=$(_math "$i" + 1) | |||
|   done | |||
|   return 1 | |||
| } | |||
| 
 | |||
| VEESP_rest() { | |||
|   m=$1 | |||
|   ep="$2" | |||
|   data="$3" | |||
|   _debug "$ep" | |||
| 
 | |||
|   export _H1="Accept: application/json" | |||
|   export _H2="Authorization: Basic $VEESP_auth" | |||
|   if [ "$m" != "GET" ]; then | |||
|     _debug data "$data" | |||
|     export _H3="Content-Type: application/json" | |||
|     response="$(_post "$data" "$VEESP_Api/$ep" "" "$m")" | |||
|   else | |||
|     response="$(_get "$VEESP_Api/$ep")" | |||
|   fi | |||
| 
 | |||
|   if [ "$?" != "0" ]; then | |||
|     _err "error $ep" | |||
|     return 1 | |||
|   fi | |||
|   _debug2 response "$response" | |||
|   return 0 | |||
| } | |||
						Write
						Preview
					
					
					Loading…
					
					Cancel
						Save
					
		Reference in new issue