Merge branch 'acmesh-official:dev' into dev

4 days ago · 65292b010e
6 changed files with 298 additions and 8 deletions
--- a/8
+++ b/8
@ -15,6 +15,8 @@ RUN apk --no-cache add -f \
  jq \
  cronie

+ENV LE_WORKING_DIR=/acmebin
+
 ENV LE_CONFIG_HOME=/acme.sh

 ARG AUTO_UPGRADE=1
@ -30,7 +32,7 @@ COPY ./notify /install_acme.sh/notify
 RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/


-RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab -
+RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab -

 RUN for verb in help \
  version \
@ -64,7 +66,7 @@ RUN for verb in help \
  set-default-ca \
  set-default-chain \
  ; do \
-    printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
+    printf -- "%b" "#!/usr/bin/env sh\n$LE_WORKING_DIR/acme.sh --${verb} --config-home $LE_CONFIG_HOME \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
  ; done

 RUN printf "%b" '#!'"/usr/bin/env sh\n \
@ -72,7 +74,7 @@ if [ \"\$1\" = \"daemon\" ];  then \n \
 exec crond -n -s -m off \n \
 else \n \
 exec -- \"\$@\"\n \
-fi\n" >/entry.sh && chmod +x /entry.sh
+fi\n" >/entry.sh && chmod +x /entry.sh && chmod -R o+rwx $LE_WORKING_DIR && chmod -R o+rwx $LE_CONFIG_HOME

 VOLUME /acme.sh

--- a/README.md
+++ b/README.md
@ -523,3 +523,20 @@ Your donation makes **acme.sh** better:
 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)

 [Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list)
+
+# 21. About this repository
+
+> [!NOTE]
+> This repository is officially maintained by <strong>ZeroSSL</strong> as part of our commitment to providing secure and reliable SSL/TLS solutions. We welcome contributions and feedback from the community!  
+> For more information about our services, including free and paid SSL/TLS certificates, visit https://zerossl.com.
+>   
+> All donations made through this repository go directly to the original independent maintainer (Neil Pang), not to ZeroSSL.
+<p align="center">
+	<a href="https://zerossl.com.com">
+		<picture>
+			<source media="(prefers-color-scheme: dark)" srcset="https://zerossl.com/assets/images/zerossl_logo_white.svg">
+			<source media="(prefers-color-scheme: light)" srcset="https://zerossl.com/assets/images/zerossl_logo.svg">
+			<img src="https://zerossl.com/assets/images/zerossl_logo.svg" alt="ZeroSSL" width="256">
+		</picture>
+	</a>
+</p>
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-VER=3.1.2
+VER=3.1.3

 PROJECT_NAME="acme.sh"

@ -5242,6 +5242,16 @@ $_authorizations_map"
        return 1
      fi
      break
+    elif _contains "$response" "\"ready\""; then
+      _info "Order status is 'ready', let's sleep and retry."
+      _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+      _debug "_retryafter" "$_retryafter"
+      if [ "$_retryafter" ]; then
+        _info "Sleeping for $_retryafter seconds then retrying"
+        _sleep $_retryafter
+      else
+        _sleep 2
+      fi
    elif _contains "$response" "\"processing\""; then
      _info "Order status is 'processing', let's sleep and retry."
      _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
--- a/deploy/panos.sh
+++ b/deploy/panos.sh
@ -16,6 +16,7 @@
 #    export PANOS_TEMPLATE="" # Template Name of panorama managed devices
 #    export PANOS_TEMPLATE_STACK="" # set a Template Stack if certificate should also be pushed automatically
 #    export PANOS_VSYS="Shared"  # name of the vsys to import the certificate
+#    export PANOS_CERTNAME="" # use a custom certificate name to work around Panorama's 31-character limit
 #
 # The script will automatically generate a new API key if
 # no key is found, or if a saved key has expired or is invalid.
@ -89,7 +90,7 @@ deployer() {
    if [ "$type" = 'cert' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
-      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
+      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_certname"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
@ -103,11 +104,11 @@ deployer() {
    if [ "$type" = 'key' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key"
-      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
+      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_certname"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
-      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
+      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_panos_certname.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
      if [ "$_panos_template" ]; then
        content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template"
      fi
@ -242,6 +243,15 @@ panos_deploy() {
    _getdeployconf PANOS_VSYS
  fi

+  # PANOS_CERTNAME
+  if [ "$PANOS_CERTNAME" ]; then
+    _debug "Detected ENV variable PANOS_CERTNAME. Saving to file."
+    _savedeployconf PANOS_CERTNAME "$PANOS_CERTNAME" 1
+  else
+    _debug "Attempting to load variable PANOS_CERTNAME from file."
+    _getdeployconf PANOS_CERTNAME
+  fi
+
  #Store variables
  _panos_host=$PANOS_HOST
  _panos_user=$PANOS_USER
@ -249,6 +259,7 @@ panos_deploy() {
  _panos_template=$PANOS_TEMPLATE
  _panos_template_stack=$PANOS_TEMPLATE_STACK
  _panos_vsys=$PANOS_VSYS
+  _panos_certname=$PANOS_CERTNAME

  #Test API Key if found.  If the key is invalid, the variable _panos_key will be unset.
  if [ "$_panos_host" ] && [ "$_panos_key" ]; then
@ -267,6 +278,12 @@ panos_deploy() {
    _err "No password found. If this is your first time deploying, please set PANOS_PASS in ENV variables. You can delete it after you have successfully deployed the certs."
    return 1
  else
+    # Use certificate name based on the first domain on the certificate if no custom certificate name is set
+    if [ -z "$_panos_certname" ]; then
+      _panos_certname="$_cdomain"
+      _savedeployconf PANOS_CERTNAME "$_panos_certname" 1
+    fi
+
    # Generate a new API key if no valid API key is found
    if [ -z "$_panos_key" ]; then
      _debug "**** Generating new PANOS API KEY ****"
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@ -161,7 +161,7 @@ _get_root() {
    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100 | sed 's/\./\\./g')
    _debug "Checking domain: $h"
    if [ -z "$h" ]; then
-      _error "invalid domain"
+      _err "invalid domain"
      return 1
    fi

--- a/dnsapi/dns_infoblox_uddi.sh
+++ b/dnsapi/dns_infoblox_uddi.sh
@ -0,0 +1,244 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2034
+dns_infoblox_uddi_info='Infoblox UDDI
+Site: Infoblox.com
+Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_infoblox_uddi
+Options:
+ Infoblox_UDDI_Key API Key for Infoblox UDDI
+ Infoblox_Portal URL, e.g. "csp.infoblox.com" or "csp.eu.infoblox.com"
+Issues: github.com/acmesh-official/acme.sh/issues
+Author: Stefan Riegel
+'
+
+Infoblox_UDDI_Api="https://"
+
+########  Public functions #####################
+
+#Usage: dns_infoblox_uddi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_infoblox_uddi_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}"
+  Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}"
+
+  _info "Using Infoblox UDDI API"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  if [ -z "$Infoblox_UDDI_Key" ] || [ -z "$Infoblox_Portal" ]; then
+    Infoblox_UDDI_Key=""
+    Infoblox_Portal=""
+    _err "You didn't specify the Infoblox UDDI key or server (Infoblox_UDDI_Key; Infoblox_Portal)."
+    _err "Please set them via EXPORT Infoblox_UDDI_Key=your_key, EXPORT Infoblox_Portal=csp.infoblox.com and try again."
+    return 1
+  fi
+
+  _saveaccountconf_mutable Infoblox_UDDI_Key "$Infoblox_UDDI_Key"
+  _saveaccountconf_mutable Infoblox_Portal "$Infoblox_Portal"
+
+  export _H1="Authorization: Token $Infoblox_UDDI_Key"
+  export _H2="Content-Type: application/json"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting existing txt records"
+  _infoblox_rest GET "dns/record?_filter=type%20eq%20'TXT'%20and%20name_in_zone%20eq%20'$_sub_domain'%20and%20zone%20eq%20'$_domain_id'"
+
+  _info "Adding record"
+  body="{\"type\":\"TXT\",\"name_in_zone\":\"$_sub_domain\",\"zone\":\"$_domain_id\",\"ttl\":120,\"inheritance_sources\":{\"ttl\":{\"action\":\"override\"}},\"rdata\":{\"text\":\"$txtvalue\"}}"
+
+  if _infoblox_rest POST "dns/record" "$body"; then
+    if _contains "$response" "$txtvalue"; then
+      _info "Added, OK"
+      return 0
+    elif _contains "$response" '"error"'; then
+      # Check if record already exists
+      if _contains "$response" "already exists" || _contains "$response" "duplicate"; then
+        _info "Already exists, OK"
+        return 0
+      else
+        _err "Add txt record error."
+        _err "Response: $response"
+        return 1
+      fi
+    else
+      _info "Added, OK"
+      return 0
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+}
+
+#Usage: dns_infoblox_uddi_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_infoblox_uddi_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}"
+  Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}"
+
+  if [ -z "$Infoblox_UDDI_Key" ] || [ -z "$Infoblox_Portal" ]; then
+    _err "Credentials not found"
+    return 1
+  fi
+
+  _info "Using Infoblox UDDI API"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  export _H1="Authorization: Token $Infoblox_UDDI_Key"
+  export _H2="Content-Type: application/json"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records to delete"
+  # Filter by txtvalue to support wildcard certs (multiple TXT records)
+  filter="type%20eq%20'TXT'%20and%20name_in_zone%20eq%20'$_sub_domain'%20and%20zone%20eq%20'$_domain_id'%20and%20rdata.text%20eq%20'$txtvalue'"
+  _infoblox_rest GET "dns/record?_filter=$filter"
+
+  if ! _contains "$response" '"results"'; then
+    _info "Don't need to remove, record not found."
+    return 0
+  fi
+
+  record_id=$(echo "$response" | _egrep_o '"id":[[:space:]]*"[^"]*"' | _head_n 1 | cut -d '"' -f 4)
+  _debug "record_id" "$record_id"
+
+  if [ -z "$record_id" ]; then
+    _info "Don't need to remove, record not found."
+    return 0
+  fi
+
+  # Extract UUID from the full record ID (format: dns/record/uuid)
+  record_uuid=$(echo "$record_id" | sed 's|.*/||')
+  _debug "record_uuid" "$record_uuid"
+
+  if ! _infoblox_rest DELETE "dns/record/$record_uuid"; then
+    _err "Delete record error."
+    return 1
+  fi
+
+  _info "Removed record successfully"
+  return 0
+}
+
+####################  Private functions below ##################################
+
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=dns/auth_zone/xxxx-xxxx
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  # Remove _acme-challenge prefix if present
+  domain_no_acme=$(echo "$domain" | sed 's/^_acme-challenge\.//')
+
+  while true; do
+    h=$(printf "%s" "$domain_no_acme" | cut -d . -f "$i"-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      # not valid
+      return 1
+    fi
+
+    # Query for the zone with both trailing dot and without
+    filter="fqdn%20eq%20'$h.'%20or%20fqdn%20eq%20'$h'"
+    if ! _infoblox_rest GET "dns/auth_zone?_filter=$filter"; then
+      # API error - don't continue if we get auth errors
+      if _contains "$response" "401" || _contains "$response" "Authorization"; then
+        _err "Authentication failed. Please check your Infoblox_UDDI_Key."
+        return 1
+      fi
+      # For other errors, continue to parent domain
+      p=$i
+      i=$((i + 1))
+      continue
+    fi
+
+    # Check if response contains results (even if empty)
+    if _contains "$response" '"results"'; then
+      # Extract zone ID - must match the pattern dns/auth_zone/...
+      zone_id=$(echo "$response" | _egrep_o '"id":[[:space:]]*"dns/auth_zone/[^"]*"' | _head_n 1 | cut -d '"' -f 4)
+      if [ -n "$zone_id" ]; then
+        # Found the zone
+        _domain="$h"
+        _domain_id="$zone_id"
+
+        # Calculate subdomain
+        if [ "$_domain" = "$domain" ]; then
+          _sub_domain=""
+        else
+          _cutlength=$((${#domain} - ${#_domain} - 1))
+          _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength")
+        fi
+
+        return 0
+      fi
+    fi
+
+    p=$i
+    i=$((i + 1))
+  done
+
+  return 1
+}
+
+# _infoblox_rest GET "dns/record?_filter=..."
+# _infoblox_rest POST "dns/record" "{json body}"
+# _infoblox_rest DELETE "dns/record/uuid"
+_infoblox_rest() {
+  method=$1
+  ep="$2"
+  data="$3"
+
+  _debug "$ep"
+
+  # Ensure credentials are available (when called from _get_root)
+  Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}"
+  Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}"
+
+  Infoblox_UDDI_Api="https://$Infoblox_Portal/api/ddi/v1"
+  export _H1="Authorization: Token $Infoblox_UDDI_Key"
+  export _H2="Content-Type: application/json"
+
+  # Debug (masked)
+  _tok_len=$(printf "%s" "$Infoblox_UDDI_Key" | wc -c | tr -d ' \n')
+  _debug2 "Auth header set" "Token len=${_tok_len} on $Infoblox_Portal"
+
+  if [ "$method" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$Infoblox_UDDI_Api/$ep" "" "$method")"
+  else
+    response="$(_get "$Infoblox_UDDI_Api/$ep")"
+  fi
+
+  _ret="$?"
+  _debug2 response "$response"
+
+  if [ "$_ret" != "0" ]; then
+    _err "Error: $ep"
+    return 1
+  fi
+
+  return 0
+}