diff --git a/.github/auto-comment.yml b/.github/auto-comment.yml
deleted file mode 100644
index 520b3ce3..00000000
--- a/.github/auto-comment.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# Comment to a new issue.
-issuesOpened: >
- If this is a bug report, please upgrade to the latest code and try again:
-
- 如果有 bug, 请先更新到最新版试试:
-
- ```
- acme.sh --upgrade
- ```
-
- please also provide the log with `--debug 2`.
-
- 同时请提供调试输出 `--debug 2`
-
- see: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
-
- Without `--debug 2` log, your issue will NEVER get replied.
-
- 没有调试输出, 你的 issue 不会得到任何解答.
-
-
-pullRequestOpened: >
- First, NEVER send a PR to `master` branch, it will NEVER be accepted. Please send to the `dev` branch instead.
-
- If this is a PR to support new DNS API or new notification API, please read this guide first:
- https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
-
- Please check the guide items one by one.
-
- Then add your usage here:
- https://github.com/acmesh-official/acme.sh/wiki/dnsapi
-
- Or some other wiki pages:
-
- https://github.com/acmesh-official/acme.sh/wiki/deployhooks
-
- https://github.com/acmesh-official/acme.sh/wiki/notify
-
-
-
diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml
index f8e501ed..46fd8283 100644
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@@ -37,7 +37,7 @@ jobs:
- name: "Read this: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
run: |
echo "Read this: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
- if [ "${{github.actor}}" != "Neilpang" ]; then
+ if [ "${{github.repository_owner}}" != "acmesh-official" ]; then
false
fi
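Review bot: The new guard compares `github.repository_owner`, which on `pull_request` events is the owner of the base repository, so unlike the previous actor check it no longer fails runs triggered by fork pull requests; whether that is wanted depends on this workflow's triggers, which are outside the hunk, and on secrets being withheld from fork runs as GitHub does by default. If the intent is only to keep the DNS tests from running in forks, a job-level condition such as `if: github.repository_owner == 'acmesh-official'` expresses that without embedding an expression in shell text and skips the job instead of failing it. The enclosing job starts outside the hunk.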
@@ -49,6 +49,7 @@ jobs:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -59,24 +60,24 @@ jobs:
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- name: Set env file
run: |
- cd ../acmetest
+ cd ../acmetest
if [ "${{ secrets.TokenName1}}" ] ; then
- echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> env.list
+ echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> docker.env
fi
if [ "${{ secrets.TokenName2}}" ] ; then
- echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> env.list
+ echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> docker.env
fi
if [ "${{ secrets.TokenName3}}" ] ; then
- echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> env.list
+ echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> docker.env
fi
if [ "${{ secrets.TokenName4}}" ] ; then
- echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> env.list
+ echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> docker.env
fi
if [ "${{ secrets.TokenName5}}" ] ; then
- echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> env.list
+ echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env
fi
- echo "TEST_DNS_NO_WILDCARD" >> env.list
- echo "TEST_DNS_SLEEP" >> env.list
+ echo "TEST_DNS_NO_WILDCARD" >> docker.env
+ echo "TEST_DNS_SLEEP" >> docker.env
- name: Run acmetest
run: cd ../acmetest && ./rundocker.sh testall
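Review bot: `TEST_DNS_NO_SUBDOMAIN` is added to the job's `env` earlier in this file, but the rewritten `Set env file` step still appends only `TEST_DNS_NO_WILDCARD` and `TEST_DNS_SLEEP` to `docker.env`, so the container started by `rundocker.sh` will not see the new variable unless that script forwards it some other way; add `echo "TEST_DNS_NO_SUBDOMAIN" >> docker.env` next to the other two. The `${{ secrets.TokenValueN }}` expressions are still spliced into the shell script text, so a secret containing `"`, `$` or a newline breaks the step rather than being written verbatim; mapping them through the step's `env:` and expanding them as `"$TokenValue1"` avoids that. The values are repository secrets, so this is a robustness point rather than an injection risk.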
@@ -87,6 +88,7 @@ jobs:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -124,6 +126,7 @@ jobs:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -170,12 +173,13 @@ jobs:
./letest.sh
FreeBSD:
- runs-on: macos-latest
+ runs-on: macos-10.15
needs: Windows
env:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -186,7 +190,7 @@ jobs:
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- uses: vmactions/freebsd-vm@v0.1.4
with:
- envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+ envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
prepare: pkg install -y socat curl
usesh: true
run: |
@@ -209,12 +213,13 @@ jobs:
./letest.sh
Solaris:
- runs-on: macos-latest
+ runs-on: macos-10.15
needs: FreeBSD
env:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -223,11 +228,13 @@ jobs:
- uses: actions/checkout@v2
- name: Clone acmetest
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/solaris-vm@v0.0.3
+ - uses: vmactions/solaris-vm@v0.0.5
with:
- envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
- prepare: pkgutil -y -i socat curl
+ envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+ prepare: pkgutil -y -i socat
run: |
+ pkg set-mediator -v -I default@1.1 openssl
+ export PATH=/usr/gnu/bin:$PATH
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
fi
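Review bot: The Solaris `prepare` line now installs only `socat`, while the new `.github/workflows/Solaris.yml` keeps `pkgutil -y -i socat curl` and has neither the `pkg set-mediator` nor the `/usr/gnu/bin` PATH lines added here, so the two Solaris jobs run against different toolchains; if the mediator change is what makes the system `curl`/`openssl` usable, the same lines belong in Solaris.yml too. The two added lines are not self-explanatory; a comment such as `# presumably selects the OpenSSL 1.1 implementation and prefers GNU userland tools — confirm` above them would save the next reader a trip to the pkg docs. The `run` block continues past the end of the hunk.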
@@ -245,5 +252,3 @@ jobs:
fi
cd ../acmetest
./letest.sh
-
-
diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml
new file mode 100644
index 00000000..5d032769
--- /dev/null
+++ b/.github/workflows/FreeBSD.yml
@@ -0,0 +1,63 @@
+name: FreeBSD
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/FreeBSD.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/FreeBSD.yml'
+
+
+jobs:
+ FreeBSD:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: macos-10.15
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - uses: vmactions/cf-tunnel@v0.0.3
+ id: tunnel
+ with:
+ protocol: http
+ port: 8080
+ - name: Set envs
+ run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+ - name: Clone acmetest
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - uses: vmactions/freebsd-vm@v0.1.5
+ with:
+ envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+ nat: |
+ "8080": "80"
+ prepare: pkg install -y socat curl
+ usesh: true
+ run: |
+ cd ../acmetest \
+ && ./letest.sh
+
+
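Review bot: Every third-party action in this new workflow is referenced by a mutable tag (`vmactions/cf-tunnel@v0.0.3`, `vmactions/freebsd-vm@v0.1.5`, `actions/checkout@v2`), and the freebsd-vm action receives the job's environment and runs the test suite, so whoever can move those tags can change what executes on the runner; pinning to a full commit SHA with the tag kept in a trailing comment is the usual mitigation, e.g. `- uses: vmactions/freebsd-vm@<commit-sha>  # v0.1.5`. The same applies to the actions used in Solaris.yml, Ubuntu.yml, MacOS.yml, Linux.yml, Windows.yml and the DNS.yml hunks of this commit.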
diff --git a/.github/workflows/LetsEncrypt.yml b/.github/workflows/LetsEncrypt.yml
deleted file mode 100644
index ba9a5317..00000000
--- a/.github/workflows/LetsEncrypt.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-name: LetsEncrypt
-on:
- push:
- branches:
- - '*'
- paths:
- - '**.sh'
- - '**.yml'
- pull_request:
- branches:
- - dev
- paths:
- - '**.sh'
- - '**.yml'
-
-
-jobs:
- CheckToken:
- runs-on: ubuntu-latest
- outputs:
- hasToken: ${{ steps.step_one.outputs.hasToken }}
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- steps:
- - name: Set the value
- id: step_one
- run: |
- if [ "$NGROK_TOKEN" ] ; then
- echo "::set-output name=hasToken::true"
- else
- echo "::set-output name=hasToken::false"
- fi
- - name: Check the value
- run: echo ${{ steps.step_one.outputs.hasToken }}
-
- Ubuntu:
- runs-on: ubuntu-latest
- needs: CheckToken
- if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - name: Install tools
- run: sudo apt-get install -y socat
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - name: Run acmetest
- run: cd ../acmetest && sudo --preserve-env ./letest.sh
-
- MacOS:
- runs-on: macos-latest
- needs: Ubuntu
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - name: Install tools
- run: brew install socat
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - name: Run acmetest
- run: cd ../acmetest && sudo --preserve-env ./letest.sh
-
- Windows:
- runs-on: windows-latest
- needs: MacOS
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- #The 80 port is used by Windows server, we have to use a custom port, ngrok will also use this port.
- Le_HTTPPort: 8888
- steps:
- - name: Set git to use LF
- run: |
- git config --global core.autocrlf false
- - uses: actions/checkout@v2
- - name: Install cygwin base packages with chocolatey
- run: |
- choco config get cacheLocation
- choco install --no-progress cygwin
- shell: cmd
- - name: Install cygwin additional packages
- run: |
- C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
- shell: cmd
- - name: Set ENV
- shell: cmd
- run: |
- echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
- - name: Check ENV
- shell: cmd
- run: |
- echo "PATH=%PATH%"
- - name: Clone acmetest
- shell: cmd
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - name: Run acmetest
- shell: cmd
- run: cd ../acmetest && bash.exe -c ./letest.sh
-
- FreeBSD:
- runs-on: macos-latest
- needs: Windows
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/freebsd-vm@v0.1.4
- with:
- envs: 'NGROK_TOKEN TEST_LOCAL'
- prepare: pkg install -y socat curl
- usesh: true
- run: |
- cd ../acmetest && ./letest.sh
-
- Solaris:
- runs-on: macos-latest
- needs: FreeBSD
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - uses: vmactions/ngrok-tunnel@v0.0.1
- id: ngrok
- with:
- protocol: http
- port: 8080
- - name: Set envs
- run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/solaris-vm@v0.0.3
- with:
- envs: 'TEST_LOCAL TestingDomain'
- nat: |
- "8080": "80"
- prepare: pkgutil -y -i socat curl
- run: |
- cd ../acmetest && ./letest.sh
-
diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml
new file mode 100644
index 00000000..7b24eac9
--- /dev/null
+++ b/.github/workflows/Linux.yml
@@ -0,0 +1,41 @@
+name: Linux
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Linux.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Linux.yml'
+
+
+
+jobs:
+ Linux:
+ strategy:
+ matrix:
+ os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"]
+ runs-on: ubuntu-latest
+ env:
+ TEST_LOCAL: 1
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ steps:
+ - uses: actions/checkout@v2
+ - name: Clone acmetest
+ run: |
+ cd .. \
+ && git clone https://github.com/acmesh-official/acmetest.git \
+ && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: |
+ cd ../acmetest \
+ && ./rundocker.sh testplat ${{ matrix.os }}
+
+
+
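Review bot: Several entries in the `os` matrix are untagged (`kalilinux/kali`, `mageia`, `gentoo/stage3`) and the rest use `:latest`, so the platform a given run tests is whatever the registry serves that day and a failure cannot be reproduced from the workflow alone; at minimum the untagged names should carry an explicit `:latest` so the intent is visible, and a comment such as `# floating tags: each run tests the current image, failures may not be reproducible` above `matrix:` would record the trade-off. The long flow-style list would also be easier to diff as a block sequence, one image per line. `${{ matrix.os }}` is expanded into the shell command unquoted; the values are defined in this file so that is safe, but `"${{ matrix.os }}"` keeps the habit consistent.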
diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml
new file mode 100644
index 00000000..4b529f6a
--- /dev/null
+++ b/.github/workflows/MacOS.yml
@@ -0,0 +1,55 @@
+name: MacOS
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/MacOS.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/MacOS.yml'
+
+
+jobs:
+ MacOS:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: macos-latest
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install tools
+ run: brew install socat
+ - name: Clone acmetest
+ run: |
+ cd .. \
+ && git clone https://github.com/acmesh-official/acmetest.git \
+ && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: |
+ cd ../acmetest \
+ && sudo --preserve-env ./letest.sh
+
+
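Review bot: `TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1` is the only matrix value left as a plain scalar while every sibling value in the same `include` entries is quoted, and a plain scalar with spaces and parentheses is exactly the kind of value that gets mangled if someone later adds a `:` or `#` to it; quote it as `TEST_PREFERRED_CHAIN: "(STAGING) Pretend Pear X1"`. The same line appears in FreeBSD.yml, Solaris.yml, Ubuntu.yml, Windows.yml and in the job `env` of Linux.yml.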
diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml
index 976e5373..c1ea1cd2 100644
--- a/.github/workflows/PebbleStrict.yml
+++ b/.github/workflows/PebbleStrict.yml
@@ -4,14 +4,14 @@ on:
branches:
- '*'
paths:
- - '**.sh'
- - '**.yml'
+ - '*.sh'
+ - '.github/workflows/PebbleStrict.yml'
pull_request:
branches:
- dev
paths:
- - '**.sh'
- - '**.yml'
+ - '*.sh'
+ - '.github/workflows/PebbleStrict.yml'
jobs:
PebbleStrict:
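Review bot: Replacing `'**.sh'` with `'*.sh'` in both `paths` filters changes more than the workflow-file pattern: in GitHub's path filters `*` does not match `/`, so edits under `dnsapi/`, `deploy/` and `notify/` no longer trigger this workflow, while the old `'**.sh'` did. If only the top-level `acme.sh` is meant to trigger Pebble runs that is fine, but it should be a conscious choice, since the new FreeBSD.yml, Linux.yml, MacOS.yml, Solaris.yml, Ubuntu.yml and Windows.yml use the same `'*.sh'` filter while shellcheck.yml keeps `'**.sh'`. A one-line comment above `paths:` recording the intent, e.g. `# top-level scripts only: '*' does not cross '/'`, would keep the next reader from widening or narrowing it by accident.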
@@ -19,7 +19,7 @@ jobs:
env:
TestingDomain: example.com
TestingAltDomains: www.example.com
- ACME_DIRECTORY: https://localhost:14000/dir
+ TEST_ACME_Server: https://localhost:14000/dir
HTTPS_INSECURE: 1
Le_HTTPPort: 5002
TEST_LOCAL: 1
@@ -35,5 +35,28 @@ jobs:
run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4
- name: Clone acmetest
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: cd ../acmetest && ./letest.sh
+
+ PebbleStrict_IPCert:
+ runs-on: ubuntu-latest
+ env:
+ TestingDomain: 10.30.50.1
+ ACME_DIRECTORY: https://localhost:14000/dir
+ HTTPS_INSECURE: 1
+ Le_HTTPPort: 5002
+ Le_TLSPort: 5001
+ TEST_LOCAL: 1
+ TEST_CA: "Pebble Intermediate CA"
+ TEST_IPCERT: 1
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install tools
+ run: sudo apt-get install -y socat
+ - name: Run Pebble
+ run: cd .. && curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml >docker-compose.yml && docker-compose up -d
+ - name: Clone acmetest
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- name: Run acmetest
run: cd ../acmetest && ./letest.sh
\ No newline at end of file
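Review bot: The new `PebbleStrict_IPCert` job still sets `ACME_DIRECTORY: https://localhost:14000/dir`, while the first job in this same commit renames that key to `TEST_ACME_Server`; if the test harness now reads `TEST_ACME_Server`, the IP-cert job will fall back to whatever default the harness has instead of Pebble, so the line should become `TEST_ACME_Server: https://localhost:14000/dir`. The `Run Pebble` step fetches `docker-compose.yml` from the `master` branch with a bare `curl`, so a failed download writes the error body to the file and `docker-compose up` fails with a confusing message; `curl --fail -sS` and a pinned tag or commit in the URL make the job reproducible.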
diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml
new file mode 100644
index 00000000..77fdcc9a
--- /dev/null
+++ b/.github/workflows/Solaris.yml
@@ -0,0 +1,61 @@
+name: Solaris
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Solaris.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Solaris.yml'
+
+
+jobs:
+ Solaris:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: macos-10.15
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - uses: vmactions/cf-tunnel@v0.0.3
+ id: tunnel
+ with:
+ protocol: http
+ port: 8080
+ - name: Set envs
+ run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+ - name: Clone acmetest
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - uses: vmactions/solaris-vm@v0.0.5
+ with:
+ envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+ nat: |
+ "8080": "80"
+ prepare: pkgutil -y -i socat curl
+ run: |
+ cd ../acmetest \
+ && ./letest.sh
+
diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml
new file mode 100644
index 00000000..28b06541
--- /dev/null
+++ b/.github/workflows/Ubuntu.yml
@@ -0,0 +1,57 @@
+name: Ubuntu
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Ubuntu.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Ubuntu.yml'
+
+
+jobs:
+ Ubuntu:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+
+ runs-on: ubuntu-latest
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ NO_ECC_384: ${{ matrix.NO_ECC_384 }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install tools
+ run: sudo apt-get install -y socat
+ - name: Clone acmetest
+ run: |
+ cd .. \
+ && git clone https://github.com/acmesh-official/acmetest.git \
+ && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: |
+ cd ../acmetest \
+ && sudo --preserve-env ./letest.sh
+
+
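Review bot: `NO_ECC_384: ${{ matrix.NO_ECC_384 }}` references a matrix key that neither `include` entry defines, so the expression evaluates to an empty string on every run and the variable is always set-but-empty; either add `NO_ECC_384` to the matrix entries that need it or drop the line, since as written it suggests a per-CA switch that does not exist. The rest of the file mirrors MacOS.yml and FreeBSD.yml, which do not carry this line.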
diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml
new file mode 100644
index 00000000..2d7eeeae
--- /dev/null
+++ b/.github/workflows/Windows.yml
@@ -0,0 +1,73 @@
+name: Windows
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Windows.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Windows.yml'
+
+
+jobs:
+ Windows:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: windows-latest
+ env:
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_LOCAL: 1
+ #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port.
+ Le_HTTPPort: 8888
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - name: Set git to use LF
+ run: |
+ git config --global core.autocrlf false
+ - uses: actions/checkout@v2
+ - name: Install cygwin base packages with chocolatey
+ run: |
+ choco config get cacheLocation
+ choco install --no-progress cygwin
+ shell: cmd
+ - name: Install cygwin additional packages
+ run: |
+ C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd
+ shell: cmd
+ - name: Set ENV
+ shell: cmd
+ run: |
+ echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin;%PATH% >> %GITHUB_ENV%
+ - name: Check ENV
+ shell: cmd
+ run: |
+ echo "PATH=%PATH%"
+ - name: Clone acmetest
+ shell: cmd
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ shell: cmd
+ run: cd ../acmetest && bash.exe -c ./letest.sh
+
+
+
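Review bot: The cygwin package step downloads from `http://mirrors.kernel.org/sourceware/cygwin/` over cleartext HTTP; as far as I recall cygwin's setup verifies the signed `setup.ini` unless `-X` is passed, which limits tampering to denial of service, but if the mirror is reachable over HTTPS (kernel.org mirrors generally are) switching the scheme removes the question entirely. `choco install --no-progress cygwin` is likewise unpinned, so the base installer can change underneath the job. Neither is new relative to the deleted LetsEncrypt.yml, but this file is where they now live, so it is the place to pin them.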
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index 238fde3a..0c3aec0a 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -6,6 +6,11 @@ on:
- '*'
tags:
- '*'
+ paths:
+ - '**.sh'
+ - "Dockerfile"
+ - '.github/workflows/dockerhub.yml'
+
jobs:
CheckToken:
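Review bot: Adding a `paths` filter to a `push` trigger that also lists `tags: '*'` is worth a comment, because GitHub's docs note (at least as I recall them) that `paths` filters are not evaluated for tag pushes; if that is the intent — tags always build, branch pushes only when sources change — a line like `# paths apply to branch pushes only; tag pushes always build` above `paths:` makes it explicit. The list also mixes quoting styles, with `'**.sh'` and `'.github/workflows/dockerhub.yml'` single-quoted and `"Dockerfile"` double-quoted; `'Dockerfile'` keeps it consistent. Keeping the recursive `'**.sh'` here while the other workflows in this commit switch to `'*.sh'` looks right, since the image copies the whole tree, but a comment saying so would help.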
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index b22a2fd8..940a187d 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -5,13 +5,13 @@ on:
- '*'
paths:
- '**.sh'
- - '**.yml'
+ - '.github/workflows/shellcheck.yml'
pull_request:
branches:
- dev
paths:
- '**.sh'
- - '**.yml'
+ - '.github/workflows/shellcheck.yml'
jobs:
ShellCheck:
diff --git a/Dockerfile b/Dockerfile
index 4618efaf..0421da34 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,6 @@
-FROM alpine:3.12
+FROM alpine:3.15
-RUN apk update -f \
- && apk --no-cache add -f \
+RUN apk --no-cache add -f \
openssl \
openssh-client \
coreutils \
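Review bot: `FROM alpine:3.15` is still a floating minor tag, so two builds of the same Dockerfile can pull different base images and the published image is not reproducible from the commit; pinning by digest, `FROM alpine:3.15@sha256:<digest>` with the tag kept for readability, fixes the input and lets update tooling bump it explicitly. Dropping `apk update` in favour of `--no-cache` alone is the right move and keeps the package index out of the layer. The `RUN` continues past the end of the hunk.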
@@ -12,8 +11,7 @@ RUN apk update -f \
tzdata \
oath-toolkit-oathtool \
tar \
- libidn \
- && rm -rf /var/cache/apk/*
+ libidn
ENV LE_CONFIG_HOME /acme.sh
@@ -22,7 +20,7 @@ ARG AUTO_UPGRADE=1
ENV AUTO_UPGRADE $AUTO_UPGRADE
#Install
-ADD ./ /install_acme.sh/
+COPY ./ /install_acme.sh/
RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
@@ -42,6 +40,7 @@ RUN for verb in help \
revoke \
remove \
list \
+ info \
showcsr \
install-cronjob \
uninstall-cronjob \
@@ -57,6 +56,7 @@ RUN for verb in help \
deactivate-account \
set-notify \
set-default-ca \
+ set-default-chain \
; do \
printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
; done
diff --git a/README.md b/README.md
index edd6442f..91a18985 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,11 @@
# An ACME Shell script: acme.sh
-
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)
+



@@ -15,18 +20,18 @@
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
-- Support ACME v1 and ACME v2
-- Support ACME v2 wildcard certs
+- Support ECDSA certs
+- Support SAN and wildcard certs
- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
- Bash, dash and sh compatible.
-- Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
+- Purely written in Shell with no dependencies on python.
- Just one script to issue, renew and install your certificates automatically.
- DOES NOT require `root/sudoer` access.
-- Docker friendly
-- IPv6 support
+- Docker ready
+- IPv6 ready
- Cron job notifications for renewal or error etc.
-It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
+It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates.
Wiki: https://github.com/acmesh-official/acme.sh/wiki
@@ -57,37 +62,39 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
| NO | Status| Platform|
|----|-------|---------|
-|1|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Mac OSX
-|2|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Windows (cygwin with curl, openssl and crontab included)
-|3|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|FreeBSD
-|4|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Solaris
-|5|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)| Ubuntu
-|6|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|pfsense
-|7|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|OpenBSD
-|8|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)| Debian
-|9|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|CentOS
-|10|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|openSUSE
-|11|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Alpine Linux (with curl)
-|12|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Archlinux
-|13|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|fedora
-|14|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Kali Linux
-|15|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Oracle Linux
-|16|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
-|17|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111
-|18|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Mageia
-|19|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
-|20|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Gentoo Linux
-|21|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|ClearLinux
-
-For all build statuses, check our [weekly build project](https://github.com/acmesh-official/acmetest):
+|1|[](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)|Mac OSX
+|2|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)|Windows (cygwin with curl, openssl and crontab included)
+|3|[](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)|FreeBSD
+|4|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)|Solaris
+|5|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)| Ubuntu
+|6|NA|pfsense
+|7|NA|OpenBSD
+|8|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
+|9|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
+|10|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
+|11|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
+|12|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
+|13|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
+|14|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
+|15|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
+|16|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
+|17|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
+|18|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
+|19|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111
+|20|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
+|21|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
+
+
+Check our [testing project](https://github.com/acmesh-official/acmetest):
https://github.com/acmesh-official/acmetest
# Supported CA
-- Letsencrypt.org CA(default)
-- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
+- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default)
+- Letsencrypt.org CA
- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
+- [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA)
- [Pebble strict Mode](https://github.com/letsencrypt/pebble)
- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
@@ -469,7 +476,7 @@ TODO:
### Code Contributors
-This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+This project exists thanks to all the people who contribute.
### Financial Contributors
diff --git a/acme.sh b/acme.sh
index 0ea93cf7..b25619bf 100755
--- a/acme.sh
+++ b/acme.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env sh
-VER=2.8.9
+VER=3.0.2
PROJECT_NAME="acme.sh"
@@ -20,8 +20,7 @@ _SUB_FOLDER_DEPLOY="deploy"
_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
-LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
-LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
+CA_LETSENCRYPT_V1="https://acme-v01.api.letsencrypt.org/directory"
CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
@@ -32,18 +31,22 @@ CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
CA_ZEROSSL="https://acme.zerossl.com/v2/DV90"
_ZERO_EAB_ENDPOINT="http://api.zerossl.com/acme/eab-credentials-email"
-DEFAULT_CA=$CA_LETSENCRYPT_V2
+CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
+CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
+
+DEFAULT_CA=$CA_ZEROSSL
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
CA_NAMES="
+ZeroSSL.com,zerossl
LetsEncrypt.org,letsencrypt
LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
BuyPass.com,buypass
BuyPass.com_test,buypass_test,buypasstest
-ZeroSSL.com,zerossl
+SSL.com,sslcom
"
-CA_SERVERS="$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_ZEROSSL"
+CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA"
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
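Review bot: `CA_NAMES` and `CA_SERVERS` are matched by position, so moving `ZeroSSL.com,zerossl` to the top of one list is only correct because the same entry was moved to the front of the other; nothing in the file says so, and a future addition to one list silently misroutes every CA after it. A comment above `CA_NAMES`, e.g. `# CA_NAMES and CA_SERVERS are parallel lists: entry N of one maps to entry N of the other`, would make the invariant visible. `CA_SSLCOM_ECC` is defined but not in `CA_SERVERS`, so the `sslcom` name resolves only to the RSA directory; presumably the ECC endpoint is chosen elsewhere, but that deserves a comment beside `CA_SSLCOM_ECC` as well.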
@@ -56,6 +59,9 @@ VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"
VTYPE_ALPN="tls-alpn-01"
+ID_TYPE_DNS="dns"
+ID_TYPE_IP="ip"
+
LOCAL_ANY_ADDRESS="0.0.0.0"
DEFAULT_RENEW=60
@@ -74,8 +80,8 @@ NGINX="nginx:"
NGINX_START="#ACME_NGINX_START"
NGINX_END="#ACME_NGINX_END"
-BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
-END_CSR="-----END CERTIFICATE REQUEST-----"
+BEGIN_CSR="-----BEGIN [NEW ]\{0,4\}CERTIFICATE REQUEST-----"
+END_CSR="-----END [NEW ]\{0,4\}CERTIFICATE REQUEST-----"
BEGIN_CERT="-----BEGIN CERTIFICATE-----"
END_CERT="-----END CERTIFICATE-----"
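Review bot: `BEGIN_CSR` and `END_CSR` are now BRE patterns rather than literal strings, and `[NEW ]\{0,4\}` matches any zero-to-four characters drawn from `N`, `E`, `W` and space, not just the optional `NEW ` prefix; the precise form is `BEGIN_CSR="-----BEGIN \(NEW \)\{0,1\}CERTIFICATE REQUEST-----"` and `END_CSR="-----END \(NEW \)\{0,1\}CERTIFICATE REQUEST-----"`. More importantly, any remaining use of these variables as literal text — emitting a header, `grep -F`, or a `sed` replacement — would now produce or search for the pattern itself; those uses are outside this hunk, so they need checking. A short comment marking them as patterns, `# BRE patterns, not literals: match both the plain and the NEW CERTIFICATE REQUEST header forms`, would protect the next reader.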
@@ -138,6 +144,8 @@ NOTIFY_MODE_CERT=1
NOTIFY_MODE_DEFAULT=$NOTIFY_MODE_BULK
+_BASE64_ENCODED_CFGS="Le_PreHook Le_PostHook Le_RenewHook Le_Preferred_Chain Le_ReloadCmd"
+
_DEBUG_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh"
_PREPARE_LINK="https://github.com/acmesh-official/acme.sh/wiki/Install-preparations"
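Review bot: `_BASE64_ENCODED_CFGS` names the domain-config keys whose values are stored base64-encoded, presumably because hook commands can contain quotes and newlines, but nothing says so here. A one-line comment stating that, and which save/read helpers consult the list, would help the next person who adds a config key.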
@@ -158,6 +166,8 @@ _REVOKE_WIKI="https://github.com/acmesh-official/acme.sh/wiki/revokecert"
_ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA"
+_SSLCOM_WIKI="https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA"
+
_SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server"
_PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain"
@@ -421,19 +431,27 @@ _secure_debug3() {
}
_upper_case() {
- # shellcheck disable=SC2018,SC2019
- tr 'a-z' 'A-Z'
+ if _is_solaris; then
+ tr '[:lower:]' '[:upper:]'
+ else
+ # shellcheck disable=SC2018,SC2019
+ tr 'a-z' 'A-Z'
+ fi
}
_lower_case() {
- # shellcheck disable=SC2018,SC2019
- tr 'A-Z' 'a-z'
+ if _is_solaris; then
+ tr '[:upper:]' '[:lower:]'
+ else
+ # shellcheck disable=SC2018,SC2019
+ tr 'A-Z' 'a-z'
+ fi
}
_startswith() {
_str="$1"
_sub="$2"
- echo "$_str" | grep "^$_sub" >/dev/null 2>&1
+ echo "$_str" | grep -- "^$_sub" >/dev/null 2>&1
}
_endswith() {
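Review bot: `_startswith` still treats `$_sub` as a basic regex after the `--` fix (only the leading-dash case is addressed), so a prefix containing `.` or `[` matches more than the literal string; the callers in the `issue()` hunks work around this by translating `.` to `|` before the call. A comment `# $_sub is a BRE, not a literal prefix; escape metacharacters in callers` would make that contract explicit. `_endswith` starts on the last line of the hunk and continues outside it.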
@@ -1213,23 +1231,31 @@ _createcsr() {
_debug2 csr "$csr"
_debug2 csrconf "$csrconf"
- printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
+ printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\n" >"$csrconf"
if [ "$acmeValidationv1" ]; then
domainlist="$(_idn "$domainlist")"
- printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
+ _debug2 domainlist "$domainlist"
+ alt=""
+ for dl in $(echo "$domainlist" | tr "," ' '); do
+ if [ "$alt" ]; then
+ alt="$alt,$(_getIdType "$dl" | _upper_case):$dl"
+ else
+ alt="$(_getIdType "$dl" | _upper_case):$dl"
+ fi
+ done
+ printf -- "\nsubjectAltName=$alt" >>"$csrconf"
elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
#single domain
_info "Single domain" "$domain"
- printf -- "\nsubjectAltName=DNS:$(_idn "$domain")" >>"$csrconf"
+ printf -- "\nsubjectAltName=$(_getIdType "$domain" | _upper_case):$(_idn "$domain")" >>"$csrconf"
else
domainlist="$(_idn "$domainlist")"
_debug2 domainlist "$domainlist"
- if _contains "$domainlist" ","; then
- alt="DNS:$(_idn "$domain"),DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
- else
- alt="DNS:$(_idn "$domain"),DNS:$domainlist"
- fi
+ alt="$(_getIdType "$domain" | _upper_case):$(_idn "$domain")"
+ for dl in $(echo "$domainlist" | tr "," ' '); do
+ alt="$alt,$(_getIdType "$dl" | _upper_case):$dl"
+ done
#multi
_info "Multi domain" "$alt"
printf -- "\nsubjectAltName=$alt" >>"$csrconf"
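Review bot: The new loops `for dl in $(echo "$domainlist" | tr "," ' ')` (in both the `acmeValidationv1` branch and the multi-domain branch) leave the command substitution unquoted, so a wildcard name such as `*.example.com` is subject to pathname expansion against the current directory before it reaches `_getIdType`; the `sed` form they replace expanded nothing. Unless globbing is disabled elsewhere in the script (not visible here), wrap the loops in `set -f` / `set +f`, or iterate with the `cut -d , -f "$_w_index"` pattern that `issue()` uses for the same list. `_createcsr` starts before this hunk and ends after it.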
@@ -1765,7 +1791,7 @@ _inithttp() {
if [ -z "$ACME_HTTP_NO_REDIRECTS" ]; then
_ACME_CURL="$_ACME_CURL -L "
fi
- if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
+ if [ "$DEBUG" ] && [ "$DEBUG" -ge 2 ]; then
_CURL_DUMP="$(_mktemp)"
_ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
fi
@@ -2072,17 +2098,15 @@ _send_signed_request() {
_sleep 2
continue
fi
- if [ "$ACME_VERSION" = "2" ]; then
- if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
- elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
- else
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
- fi
- else
+
+ if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+ elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+ else
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
fi
+
_debug3 protected "$protected"
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
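Review bot: The first two branches, `if [ "$url" = "$ACME_NEW_ACCOUNT" ]` and the `elif`, build the identical `protected` header and can be one condition: `if [ "$url" = "$ACME_NEW_ACCOUNT" ] || { [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; }; then`. Now that the v1 branch is gone a why-comment is worth adding, e.g. `# RFC 8555 §6.2: newAccount, and revocation signed with the certificate key, carry "jwk"; everything else uses the account "kid"`. `_send_signed_request` starts before this hunk and continues after it.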
@@ -2534,76 +2558,56 @@ __initHome() {
fi
}
+_clearAPI() {
+ ACME_NEW_ACCOUNT=""
+ ACME_KEY_CHANGE=""
+ ACME_NEW_AUTHZ=""
+ ACME_NEW_ORDER=""
+ ACME_REVOKE_CERT=""
+ ACME_NEW_NONCE=""
+ ACME_AGREEMENT=""
+}
+
#server
_initAPI() {
_api_server="${1:-$ACME_DIRECTORY}"
_debug "_init api for server: $_api_server"
- if [ -z "$ACME_NEW_ACCOUNT" ]; then
+ MAX_API_RETRY_TIMES=10
+ _sleep_retry_sec=10
+ _request_retry_times=0
+ while [ -z "$ACME_NEW_ACCOUNT" ] && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do
+ _request_retry_times=$(_math "$_request_retry_times" + 1)
response=$(_get "$_api_server")
if [ "$?" != "0" ]; then
_debug2 "response" "$response"
- _err "Can not init api."
- return 1
+ _info "Can not init api for: $_api_server."
+ _info "Sleep $_sleep_retry_sec and retry."
+ _sleep "$_sleep_retry_sec"
+ continue
fi
response=$(echo "$response" | _json_decode)
_debug2 "response" "$response"
- ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_KEY_CHANGE" ]; then
- ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_KEY_CHANGE
- ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_NEW_AUTHZ" ]; then
- ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_AUTHZ
- ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ORDER_RES="new-cert"
- if [ -z "$ACME_NEW_ORDER" ]; then
- ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ORDER_RES="new-order"
- if [ -z "$ACME_NEW_ORDER" ]; then
- ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
- fi
+ ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_ORDER
- export ACME_NEW_ORDER_RES
-
- ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ACCOUNT_RES="new-reg"
- if [ -z "$ACME_NEW_ACCOUNT" ]; then
- ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ACCOUNT_RES="new-account"
- if [ -z "$ACME_NEW_ACCOUNT" ]; then
- ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ "$ACME_NEW_ACCOUNT" ]; then
- export ACME_VERSION=2
- fi
- fi
- fi
+
+ ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_ACCOUNT
- export ACME_NEW_ACCOUNT_RES
- ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_REVOKE_CERT" ]; then
- ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_REVOKE_CERT
- ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_NEW_NONCE" ]; then
- ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_NONCE
- ACME_AGREEMENT=$(echo "$response" | _egrep_o 'terms-of-service" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_AGREEMENT" ]; then
- ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_AGREEMENT
_debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
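Review bot: `_clearAPI` is introduced but nothing in this hunk calls it, and the guard `while [ -z "$ACME_NEW_ACCOUNT" ]` means a later `_initAPI` for a different `$_api_server` is a silent no-op while the previous server's endpoints stay exported; presumably a caller resets first, but that contract belongs on the function: `# reset the cached directory endpoints; call before _initAPI whenever ACME_DIRECTORY changes`. `MAX_API_RETRY_TIMES=10` is assigned unconditionally, so an operator cannot shorten the worst case of ten 10-second sleeps against an unreachable directory; `MAX_API_RETRY_TIMES="${MAX_API_RETRY_TIMES:-10}"` keeps the default while allowing an override. `_initAPI` continues in the next hunk.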
@@ -2613,9 +2617,17 @@ _initAPI() {
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
_debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
_debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
- _debug "ACME_VERSION" "$ACME_VERSION"
-
+ if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
+ return 0
+ fi
+ _info "Sleep $_sleep_retry_sec and retry."
+ _sleep "$_sleep_retry_sec"
+ done
+ if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
+ return 0
fi
+ _err "Can not init api, for $_api_server"
+ return 1
}
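Review bot: When the directory was fetched but only `ACME_NEW_ORDER` is missing, the body sleeps `$_sleep_retry_sec` and then the `while` guard, which tests only `ACME_NEW_ACCOUNT`, exits the loop, so the final check fails after one wasted sleep instead of retrying. Guarding on both values, `while { [ -z "$ACME_NEW_ACCOUNT" ] || [ -z "$ACME_NEW_ORDER" ]; } && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do`, makes the retry apply to the case it was written for; the inner `return 0` then only exists to skip the trailing sleep, which a comment should say. The loop header is in the previous hunk.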
#[domain] [keylength or isEcc flag]
@@ -2659,15 +2671,44 @@ _initpath() {
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
- CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
+ _ACME_SERVER_PATH="$(echo "$ACME_DIRECTORY" | cut -d : -f 2- | tr -s / | cut -d / -f 3-)"
+ _debug2 "_ACME_SERVER_PATH" "$_ACME_SERVER_PATH"
+ CA_DIR="$CA_HOME/$_ACME_SERVER_HOST/$_ACME_SERVER_PATH"
_DEFAULT_CA_CONF="$CA_DIR/ca.conf"
-
if [ -z "$CA_CONF" ]; then
CA_CONF="$_DEFAULT_CA_CONF"
fi
_debug3 CA_CONF "$CA_CONF"
+ _OLD_CADIR="$CA_HOME/$_ACME_SERVER_HOST"
+ _OLD_ACCOUNT_KEY="$_OLD_CADIR/account.key"
+ _OLD_ACCOUNT_JSON="$_OLD_CADIR/account.json"
+ _OLD_CA_CONF="$_OLD_CADIR/ca.conf"
+
+ _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
+ _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
+ if [ -z "$ACCOUNT_KEY_PATH" ]; then
+ ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
+ if [ -f "$_OLD_ACCOUNT_KEY" ] && ! [ -f "$ACCOUNT_KEY_PATH" ]; then
+ mkdir -p "$CA_DIR"
+ mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+ fi
+ fi
+
+ if [ -z "$ACCOUNT_JSON_PATH" ]; then
+ ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
+ if [ -f "$_OLD_ACCOUNT_JSON" ] && ! [ -f "$ACCOUNT_JSON_PATH" ]; then
+ mkdir -p "$CA_DIR"
+ mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+ fi
+ fi
+
+ if [ -f "$_OLD_CA_CONF" ] && ! [ -f "$CA_CONF" ]; then
+ mkdir -p "$CA_DIR"
+ mv "$_OLD_CA_CONF" "$CA_CONF"
+ fi
+
if [ -f "$CA_CONF" ]; then
. "$CA_CONF"
fi
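Review bot: The three migration blocks (`account.key`, `account.json`, `ca.conf`) move files silently, whereas the code they replace in `_regAccount`, `updateaccount` and `deactivateaccount` (later hunks) logged `_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"`; since `_initpath` now does this on any command, restoring the `_info` lets an operator explain why the account key changed location. The blocks are the same four lines with different names, so a small helper (`_migrate_ca_file OLD NEW`) would keep the three in step. `_initpath` starts before this hunk and continues after it.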
@@ -2688,19 +2729,6 @@ _initpath() {
HTTP_HEADER="$LE_CONFIG_HOME/http.header"
fi
- _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
- _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
-
- _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
- _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
- if [ -z "$ACCOUNT_KEY_PATH" ]; then
- ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
- fi
-
- if [ -z "$ACCOUNT_JSON_PATH" ]; then
- ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
- fi
-
_DEFAULT_CERT_HOME="$LE_CONFIG_HOME"
if [ -z "$CERT_HOME" ]; then
CERT_HOME="$_DEFAULT_CERT_HOME"
@@ -3098,10 +3126,10 @@ _checkConf() {
_debug "Try include files"
for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
_debug "check included $included"
- if !_startswith "$included" "/" && _exists dirname; then
- _relpath="$(dirname "$_c_file")"
+ if ! _startswith "$included" "/" && _exists dirname; then
+ _relpath="$(dirname "$2")"
_debug "_relpath" "$_relpath"
- included="$_relpath/included"
+ included="$_relpath/$included"
fi
if _checkConf "$1" "$included"; then
return 0
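Review bot: After the prefix fix, a relative `include` that uses a wildcard (nginx's usual `include conf.d/*.conf`) still is not followed: the unquoted `for included in $(...)` expands the glob against the current working directory before `$_relpath/` is prepended, and the joined path then reaches `_checkConf` as a literal. Expanding after the join covers it: `for _inc in $included; do if _checkConf "$1" "$_inc"; then return 0; fi; done` in place of the single `_checkConf "$1" "$included"` call (the word splitting there is deliberate and deserves a comment). Whether `_checkConf` tolerates a path that does not exist is not visible here. `_checkConf` starts before this hunk and continues after it.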
@@ -3313,6 +3341,8 @@ _on_before_issue() {
if [ "$_chk_pre_hook" ]; then
_info "Run pre hook:'$_chk_pre_hook'"
if ! (
+ export Le_Domain="$_chk_main_domain"
+ export Le_Alt="$_chk_alt_domains"
cd "$DOMAIN_PATH" && eval "$_chk_pre_hook"
); then
_err "Error when run pre hook."
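Review bot: The two `export` lines make the primary and alternate names visible to the pre hook, but nothing states the intent; a comment such as `# expose the names being issued to the hook; it runs via eval in a subshell, so nothing leaks back` would document it. If the post and renew hooks are meant to see the same variables, that is outside this hunk and worth checking. `_on_before_issue` starts before this hunk and continues after it.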
@@ -3374,7 +3404,7 @@ _on_before_issue() {
_netprc="$(_ss "$_checkport" | grep "$_checkport")"
netprc="$(echo "$_netprc" | grep "$_checkaddr")"
if [ -z "$netprc" ]; then
- netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
+ netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS:$_checkport")"
fi
if [ "$netprc" ]; then
_err "$netprc"
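Review bot: `grep "$LOCAL_ANY_ADDRESS:$_checkport"` is a substring match, so a listener on `0.0.0.0:8080` still satisfies a check for port `80` and issuance aborts with a misleading in-use error. Terminating the port, e.g. `netprc="$(echo "$_netprc" | grep -E "$LOCAL_ANY_ADDRESS:$_checkport([^0-9]|$)")"`, fixes that (verify the `_ss` output format for both `ss` and `netstat`), and the `grep "$_checkaddr"` line above has the same weakness. An IPv6 any-address listener (`:::80` or `[::]:80`) is not covered by `LOCAL_ANY_ADDRESS` at all, which predates this change. `_on_before_issue` starts before this hunk and continues after it.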
@@ -3531,15 +3561,6 @@ _regAccount() {
_initAPI
mkdir -p "$CA_DIR"
- if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
- _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
- mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
- fi
-
- if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
- _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
- mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
- fi
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
if ! _create_account_key "$_reg_length"; then
@@ -3563,68 +3584,66 @@ _regAccount() {
if [ "$_email" ]; then
_savecaconf "CA_EMAIL" "$_email"
fi
- if [ "$ACME_VERSION" = "2" ]; then
- if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
- if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
- _info "No EAB credentials found for ZeroSSL, let's get one"
- if [ -z "$_email" ]; then
- _err "Please provide a email address for ZeroSSL account."
- _err "See ZeroSSL usage: $_ZEROSSL_WIKI"
- return 1
- fi
- _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
- if [ "$?" != "0" ]; then
- _debug2 "$_eabresp"
- _err "Can not get EAB credentials from ZeroSSL."
- return 1
- fi
- _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
- if [ -z "$_eab_id" ]; then
- _err "Can not resolve _eab_id"
- return 1
- fi
- _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
- if [ -z "$_eab_hmac_key" ]; then
- _err "Can not resolve _eab_hmac_key"
- return 1
- fi
- _savecaconf CA_EAB_KEY_ID "$_eab_id"
- _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
+
+ if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
+ if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
+ _info "No EAB credentials found for ZeroSSL, let's get one"
+ if [ -z "$_email" ]; then
+ _info "$(__green "$PROJECT_NAME is using ZeroSSL as default CA now.")"
+ _info "$(__green "Please update your account with an email address first.")"
+ _info "$(__green "$PROJECT_ENTRY --register-account -m my@example.com")"
+ _info "See: $(__green "$_ZEROSSL_WIKI")"
+ return 1
+ fi
+ _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
+ if [ "$?" != "0" ]; then
+ _debug2 "$_eabresp"
+ _err "Can not get EAB credentials from ZeroSSL."
+ return 1
+ fi
+ _secure_debug2 _eabresp "$_eabresp"
+ _eab_id="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
+ _secure_debug2 _eab_id "$_eab_id"
+ if [ -z "$_eab_id" ]; then
+ _err "Can not resolve _eab_id"
+ return 1
fi
+ _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
+ _secure_debug2 _eab_hmac_key "$_eab_hmac_key"
+ if [ -z "$_eab_hmac_key" ]; then
+ _err "Can not resolve _eab_hmac_key"
+ return 1
+ fi
+ _savecaconf CA_EAB_KEY_ID "$_eab_id"
+ _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
fi
- if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
- eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
- _debug3 eab_protected "$eab_protected"
+ fi
+ if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
+ eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
+ _debug3 eab_protected "$eab_protected"
- eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
- _debug3 eab_protected64 "$eab_protected64"
+ eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
+ _debug3 eab_protected64 "$eab_protected64"
- eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
- _debug3 eab_payload64 "$eab_payload64"
+ eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
+ _debug3 eab_payload64 "$eab_payload64"
- eab_sign_t="$eab_protected64.$eab_payload64"
- _debug3 eab_sign_t "$eab_sign_t"
+ eab_sign_t="$eab_protected64.$eab_payload64"
+ _debug3 eab_sign_t "$eab_sign_t"
- key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
- _debug3 key_hex "$key_hex"
+ key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 multi | _hex_dump | tr -d ' ')"
+ _debug3 key_hex "$key_hex"
- eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
- _debug3 eab_signature "$eab_signature"
+ eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
+ _debug3 eab_signature "$eab_signature"
- externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
- _debug3 externalBinding "$externalBinding"
- fi
- if [ "$_email" ]; then
- email_sg="\"contact\": [\"mailto:$_email\"], "
- fi
- regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
- else
- _reg_res="$ACME_NEW_ACCOUNT_RES"
- regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
- if [ "$_email" ]; then
- regjson='{"resource": "'$_reg_res'", "contact": ["mailto:'$_email'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
- fi
+ externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
+ _debug3 externalBinding "$externalBinding"
+ fi
+ if [ "$_email" ]; then
+ email_sg="\"contact\": [\"mailto:$_email\"], "
fi
+ regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
_info "Registering account: $ACME_DIRECTORY"
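Review bot: `_post "email=$_email" $_ZERO_EAB_ENDPOINT` sends the address as a raw form body, so an address containing `+` (tagged addresses such as `user+acme@example.com`) arrives as a space if the endpoint decodes `application/x-www-form-urlencoded`, and the EAB would be bound to the wrong mailbox; percent-encoding `+` and `%` before building the body avoids that. Separately, `_hmac sha256 $key_hex` passes the decoded EAB HMAC key as a command-line argument, where it is visible in the process list to other local users for the duration of the call; that predates this commit, but since `_secure_debug2` was added specifically to keep the key out of logs, the argv exposure is the remaining gap and merits at least a `# TODO: pass the key via stdin or a file` comment. `_regAccount` starts before this hunk and continues after it.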
@@ -3679,16 +3698,6 @@ _regAccount() {
updateaccount() {
_initpath
- if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
- _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
- mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
- fi
-
- if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
- _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
- mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
- fi
-
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1
@@ -3709,20 +3718,13 @@ updateaccount() {
_initAPI
_email="$(_getAccountEmail)"
- if [ "$ACME_VERSION" = "2" ]; then
- if [ "$ACCOUNT_EMAIL" ]; then
- updjson='{"contact": ["mailto:'$_email'"]}'
- else
- updjson='{"contact": []}'
- fi
+
+ if [ "$ACCOUNT_EMAIL" ]; then
+ updjson='{"contact": ["mailto:'$_email'"]}'
else
- # ACMEv1: Updates happen the same way a registration is done.
- # https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.3
- _regAccount
- return
+ updjson='{"contact": []}'
fi
- # this part handles ACMEv2 account updates.
_send_signed_request "$_accUri" "$updjson"
if [ "$code" = '200' ]; then
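Review bot: The condition tests `$ACCOUNT_EMAIL` while the payload uses `$_email` from `_getAccountEmail`, so if the two ever differ (not visible here) the request could carry an empty `mailto:`; testing the value actually written, `if [ "$_email" ]; then`, removes the ambiguity. The `updjson='{"contact": ["mailto:'$_email'"]}'` line also leaves `$_email` outside the quotes; `"mailto:$_email"` is the style `_regAccount` uses. `updateaccount` starts before this hunk and continues after it.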
@@ -3738,16 +3740,6 @@ updateaccount() {
deactivateaccount() {
_initpath
- if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
- _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
- mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
- fi
-
- if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
- _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
- mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
- fi
-
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1
@@ -3767,11 +3759,8 @@ deactivateaccount() {
fi
_initAPI
- if [ "$ACME_VERSION" = "2" ]; then
- _djson="{\"status\":\"deactivated\"}"
- else
- _djson="{\"resource\": \"reg\", \"status\":\"deactivated\"}"
- fi
+ _djson="{\"status\":\"deactivated\"}"
+
if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then
_info "Deactivate account success for $_accUri."
_accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
@@ -3876,11 +3865,9 @@ __trigger_validation() {
_debug2 _t_key_authz "$_t_key_authz"
_t_vtype="$3"
_debug2 _t_vtype "$_t_vtype"
- if [ "$ACME_VERSION" = "2" ]; then
- _send_signed_request "$_t_url" "{}"
- else
- _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
- fi
+
+ _send_signed_request "$_t_url" "{}"
+
}
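Review bot: With the v1 branch gone, `$2` (`_t_key_authz`) and `$3` (`_t_vtype`) are only echoed by `_debug2` and never used by `__trigger_validation`; either drop them at the callers or say so at the top of the function, e.g. `# $2 and $3 are retained for caller compatibility; ACME v2 challenges are triggered with an empty JSON body`. The blank lines around the lone `_send_signed_request` call can go. `__trigger_validation` starts before this hunk.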
#endpoint domain type
@@ -3963,7 +3950,7 @@ _ns_lookup_ali() {
}
_ns_is_available_dp() {
- if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
+ if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then
return 0
else
return 1
@@ -4146,6 +4133,41 @@ _match_issuer() {
_contains "$_rootissuer" "$_missuer"
}
+#ip
+_isIPv4() {
+ for seg in $(echo "$1" | tr '.' ' '); do
+ _debug2 seg "$seg"
+ if [ "$(echo "$seg" | tr -d [0-9])" ]; then
+ #not all number
+ return 1
+ fi
+ if [ $seg -ge 0 ] && [ $seg -lt 256 ]; then
+ continue
+ fi
+ return 1
+ done
+ return 0
+}
+
+#ip6
+_isIPv6() {
+ _contains "$1" ":"
+}
+
+#ip
+_isIP() {
+ _isIPv4 "$1" || _isIPv6 "$1"
+}
+
+#identifier
+_getIdType() {
+ if _isIP "$1"; then
+ echo "$ID_TYPE_IP"
+ else
+ echo "$ID_TYPE_DNS"
+ fi
+}
+
#webroot, domain domainlist keylength
issue() {
if [ -z "$2" ]; then
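Review bot: `_isIPv4` never counts octets, so it returns 0 for `""`, `123`, `1.2.3`, `1..2.3.4` and `1.2.3.4.5`, and an all-digit label is then sent to the CA as an `ip` identifier; in `tr -d [0-9]` the bracket expression is also unquoted, so a file named `0` to `9` in the working directory rewrites the argument and breaks the digit test. Counting the dots and octets and quoting the set, as below, makes the check exact; `_isIPv6`'s contains-a-colon test is a heuristic and deserves a comment saying so. `issue()` starts on the last lines of this hunk and continues beyond it.
```shell
#ip
_isIPv4() {
  # exactly three dots and four purely numeric octets in 0-255
  if [ "$(printf "%s" "$1" | tr -cd '.' | wc -c | tr -d ' ')" != "3" ]; then
    return 1
  fi
  _octets=0
  for seg in $(echo "$1" | tr '.' ' '); do
    _debug2 seg "$seg"
    if [ -z "$seg" ] || [ "$(echo "$seg" | tr -d '0-9')" ]; then
      #not all number
      return 1
    fi
    if [ "$seg" -gt 255 ]; then
      return 1
    fi
    _octets=$(_math "$_octets" + 1)
  done
  [ "$_octets" = "4" ]
}
# … unchanged: _isIPv6, _isIP, _getIdType …
```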
@@ -4183,6 +4205,10 @@ issue() {
if [ -z "$_ACME_IS_RENEW" ]; then
_initpath "$_main_domain" "$_key_length"
mkdir -p "$DOMAIN_PATH"
+ elif ! _hasfield "$_web_roots" "$W_DNS"; then
+ Le_OrderFinalize=""
+ Le_LinkOrder=""
+ Le_LinkCert=""
fi
if _hasfield "$_web_roots" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then
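Review bot: The new `elif` clears `Le_OrderFinalize`, `Le_LinkOrder` and `Le_LinkCert` on renew in every mode except DNS, and the reason is not stated; presumably DNS manual mode must keep the saved order so a previously created challenge can be completed, while other modes should always start a fresh order. A comment such as `# on renew, start a new order unless in dns mode, where the saved order may still be pending` would record that. `issue` starts before this hunk and continues after it.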
@@ -4190,10 +4216,6 @@ issue() {
return 1
fi
- _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
-
- _initAPI
-
if [ -f "$DOMAIN_CONF" ]; then
Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
_debug Le_NextRenewTime "$Le_NextRenewTime"
@@ -4213,6 +4235,11 @@ issue() {
fi
fi
+ _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
+ if ! _initAPI; then
+ return 1
+ fi
+
_savedomainconf "Le_Domain" "$_main_domain"
_savedomainconf "Le_Alt" "$_alt_domains"
_savedomainconf "Le_Webroot" "$_web_roots"
@@ -4296,74 +4323,72 @@ issue() {
sep='#'
dvsep=','
if [ -z "$vlist" ]; then
- if [ "$ACME_VERSION" = "2" ]; then
- #make new order request
- _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
- _w_index=1
- while true; do
- d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
- _w_index="$(_math "$_w_index" + 1)"
- _debug d "$d"
- if [ -z "$d" ]; then
- break
- fi
- _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
- done
- _debug2 _identifiers "$_identifiers"
- if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
- _err "Create new order error."
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
- Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
- _debug Le_LinkOrder "$Le_LinkOrder"
- Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
- _debug Le_OrderFinalize "$Le_OrderFinalize"
- if [ -z "$Le_OrderFinalize" ]; then
- _err "Create new order error. Le_OrderFinalize not found. $response"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
+ #make new order request
+ _identifiers="{\"type\":\"$(_getIdType "$_main_domain")\",\"value\":\"$(_idn "$_main_domain")\"}"
+ _w_index=1
+ while true; do
+ d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+ _w_index="$(_math "$_w_index" + 1)"
+ _debug d "$d"
+ if [ -z "$d" ]; then
+ break
fi
+ _identifiers="$_identifiers,{\"type\":\"$(_getIdType "$d")\",\"value\":\"$(_idn "$d")\"}"
+ done
+ _debug2 _identifiers "$_identifiers"
+ if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+ _err "Create new order error."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+ _debug Le_LinkOrder "$Le_LinkOrder"
+ Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_OrderFinalize "$Le_OrderFinalize"
+ if [ -z "$Le_OrderFinalize" ]; then
+ _err "Create new order error. Le_OrderFinalize not found. $response"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
- #for dns manual mode
- _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
+ #for dns manual mode
+ _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
- _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
- _debug2 _authorizations_seg "$_authorizations_seg"
- if [ -z "$_authorizations_seg" ]; then
- _err "_authorizations_seg not found."
+ _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _debug2 _authorizations_seg "$_authorizations_seg"
+ if [ -z "$_authorizations_seg" ]; then
+ _err "_authorizations_seg not found."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ #domain and authz map
+ _authorizations_map=""
+ for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
+ _debug2 "_authz_url" "$_authz_url"
+ if ! _send_signed_request "$_authz_url"; then
+ _err "get to authz error."
+ _err "_authorizations_seg" "$_authorizations_seg"
+ _err "_authz_url" "$_authz_url"
_clearup
_on_issue_err "$_post_hook"
return 1
fi
- #domain and authz map
- _authorizations_map=""
- for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
- _debug2 "_authz_url" "$_authz_url"
- if ! _send_signed_request "$_authz_url"; then
- _err "get to authz error."
- _err "_authorizations_seg" "$_authorizations_seg"
- _err "_authz_url" "$_authz_url"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
-
- response="$(echo "$response" | _normalizeJson)"
- _debug2 response "$response"
- _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
- if _contains "$response" "\"wildcard\" *: *true"; then
- _d="*.$_d"
- fi
- _debug2 _d "$_d"
- _authorizations_map="$_d,$response
+ response="$(echo "$response" | _normalizeJson)"
+ _debug2 response "$response"
+ _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
+ if _contains "$response" "\"wildcard\" *: *true"; then
+ _d="*.$_d"
+ fi
+ _debug2 _d "$_d"
+ _authorizations_map="$_d,$response
$_authorizations_map"
- done
- _debug2 _authorizations_map "$_authorizations_map"
- fi
+ done
+ _debug2 _authorizations_map "$_authorizations_map"
_index=0
_currentRoot=""
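Review bot: With IP identifiers now placed in the order (`_getIdType` in `_identifiers`), the map key `_d="$(... | cut -d : -f 2 | tr -d ' "')"` truncates an IPv6 value at its first colon, so the later `grep -i "^$_idn_d,"` lookup cannot find the authorization for such an identifier and issuance fails with "get to authz error". Extract the quoted string instead, as the `finalize` line already does: `_d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d '"' -f 4)"`. Whether `_idn` leaves an IP literal untouched is not visible here and worth confirming. `issue` starts before this hunk and continues after it.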
@@ -4394,33 +4419,25 @@ $_authorizations_map"
vtype="$VTYPE_ALPN"
fi
- if [ "$ACME_VERSION" = "2" ]; then
- _idn_d="$(_idn "$d")"
- _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
- _debug2 _candidates "$_candidates"
- if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
- for _can in $_candidates; do
- if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
- _candidates="$_can"
- break
- fi
- done
- fi
- response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
- _debug2 "response" "$response"
- if [ -z "$response" ]; then
- _err "get to authz error."
- _err "_authorizations_map" "$_authorizations_map"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
- else
- if ! __get_domain_new_authz "$d"; then
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
+ _idn_d="$(_idn "$d")"
+ _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
+ _debug2 _candidates "$_candidates"
+ if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
+ for _can in $_candidates; do
+ if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+ _candidates="$_can"
+ break
+ fi
+ done
+ fi
+ response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
+ _debug2 "response" "$response"
+ if [ -z "$response" ]; then
+ _err "get to authz error."
+ _err "_authorizations_map" "$_authorizations_map"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
fi
if [ -z "$thumbprint" ]; then
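Review bot: `sed "s/$_idn_d,//"` deletes the first occurrence of the name anywhere in the line rather than the leading key, and `_idn_d` is inserted unescaped so its dots match any character; anchoring it, `response="$(echo "$_candidates" | sed "s/^$_idn_d,//")"`, limits the removal to the prefix the `grep "^$_idn_d,"` above selected. `issue` starts before this hunk and continues after it.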
@@ -4461,11 +4478,9 @@ $_authorizations_map"
_on_issue_err "$_post_hook"
return 1
fi
- if [ "$ACME_VERSION" = "2" ]; then
- uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
- else
- uri="$(echo "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
- fi
+
+ uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+
_debug uri "$uri"
if [ -z "$uri" ]; then
@@ -4760,36 +4775,14 @@ $_authorizations_map"
return 1
fi
- _debug "sleep 2 secs to verify"
- sleep 2
- _debug "checking"
- if [ "$ACME_VERSION" = "2" ]; then
- _send_signed_request "$uri"
- else
- response="$(_get "$uri")"
- fi
- if [ "$?" != "0" ]; then
- _err "$d:Verify error:$response"
- _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
- _clearup
- _on_issue_err "$_post_hook" "$vlist"
- return 1
- fi
_debug2 original "$response"
response="$(echo "$response" | _normalizeJson)"
_debug2 response "$response"
status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
- if _contains "$status" "valid"; then
- _info "$(__green Success)"
- _stopserver "$serverproc"
- serverproc=""
- _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
- break
- fi
-
- if [ "$status" = "invalid" ]; then
+ _debug2 status "$status"
+ if _contains "$status" "invalid"; then
error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
_debug2 error "$error"
errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
@@ -4811,10 +4804,18 @@ $_authorizations_map"
return 1
fi
+ if _contains "$status" "valid"; then
+ _info "$(__green Success)"
+ _stopserver "$serverproc"
+ serverproc=""
+ _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+ break
+ fi
+
if [ "$status" = "pending" ]; then
- _info "Pending"
+ _info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
elif [ "$status" = "processing" ]; then
- _info "Processing"
+ _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
else
_err "$d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
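Review bot: The order of the two status checks is now load-bearing: `_contains "$status" "valid"` is also true for `invalid`, so it only works because the `invalid` test in the previous hunk returns first. Record that with `# "invalid" is handled above; _contains would also match it here`, or use the exact comparison `[ "$status" = "valid" ]` that the `pending`/`processing` tests use. `issue` starts before this hunk and continues after it.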
@@ -4822,7 +4823,19 @@ $_authorizations_map"
_on_issue_err "$_post_hook" "$vlist"
return 1
fi
+ _debug "sleep 2 secs to verify again"
+ sleep 2
+ _debug "checking"
+ _send_signed_request "$uri"
+
+ if [ "$?" != "0" ]; then
+ _err "$d:Verify error:$response"
+ _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+ _clearup
+ _on_issue_err "$_post_hook" "$vlist"
+ return 1
+ fi
done
done
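Review bot: `_send_signed_request "$uri"` followed by a blank line and `if [ "$?" != "0" ]` works but is fragile against a later edit inserting a statement in between; `if ! _send_signed_request "$uri"; then` is the form the rest of this diff uses. `issue` starts before this hunk and continues after it.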
@@ -4831,150 +4844,129 @@ $_authorizations_map"
_info "Verify finished, start to sign."
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
- if [ "$ACME_VERSION" = "2" ]; then
- _info "Lets finalize the order."
- _info "Le_OrderFinalize" "$Le_OrderFinalize"
- if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
- _err "Sign failed."
- _on_issue_err "$_post_hook"
- return 1
- fi
- if [ "$code" != "200" ]; then
- _err "Sign failed, finalize code is not 200."
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
- fi
- if [ -z "$Le_LinkOrder" ]; then
- Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
- fi
+ _info "Lets finalize the order."
+ _info "Le_OrderFinalize" "$Le_OrderFinalize"
+ if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
+ _err "Sign failed."
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ "$code" != "200" ]; then
+ _err "Sign failed, finalize code is not 200."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ -z "$Le_LinkOrder" ]; then
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
+ fi
- _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
+ _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
- _link_cert_retry=0
- _MAX_CERT_RETRY=30
- while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
- if _contains "$response" "\"status\":\"valid\""; then
- _debug "Order status is valid."
- Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
- _debug Le_LinkCert "$Le_LinkCert"
- if [ -z "$Le_LinkCert" ]; then
- _err "Sign error, can not find Le_LinkCert"
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
- fi
- break
- elif _contains "$response" "\"processing\""; then
- _info "Order status is processing, lets sleep and retry."
- _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
- _debug "_retryafter" "$_retryafter"
- if [ "$_retryafter" ]; then
- _info "Retry after: $_retryafter"
- _sleep $_retryafter
- else
- _sleep 2
- fi
- else
- _err "Sign error, wrong status"
+ _link_cert_retry=0
+ _MAX_CERT_RETRY=30
+ while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+ if _contains "$response" "\"status\":\"valid\""; then
+ _debug "Order status is valid."
+ Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_LinkCert "$Le_LinkCert"
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign error, can not find Le_LinkCert"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
- #the order is processing, so we are going to poll order status
- if [ -z "$Le_LinkOrder" ]; then
- _err "Sign error, can not get order link location header"
- _err "responseHeaders" "$responseHeaders"
- _on_issue_err "$_post_hook"
- return 1
- fi
- _info "Polling order status: $Le_LinkOrder"
- if ! _send_signed_request "$Le_LinkOrder"; then
- _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
+ break
+ elif _contains "$response" "\"processing\""; then
+ _info "Order status is processing, lets sleep and retry."
+ _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+ _debug "_retryafter" "$_retryafter"
+ if [ "$_retryafter" ]; then
+ _info "Retry after: $_retryafter"
+ _sleep $_retryafter
+ else
+ _sleep 2
fi
- _link_cert_retry="$(_math $_link_cert_retry + 1)"
- done
-
- if [ -z "$Le_LinkCert" ]; then
- _err "Sign failed, can not get Le_LinkCert, retry time limit."
+ else
+ _err "Sign error, wrong status"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
- _info "Downloading cert."
- _info "Le_LinkCert" "$Le_LinkCert"
- if ! _send_signed_request "$Le_LinkCert"; then
- _err "Sign failed, can not download cert:$Le_LinkCert."
+ #the order is processing, so we are going to poll order status
+ if [ -z "$Le_LinkOrder" ]; then
+ _err "Sign error, can not get order link location header"
+ _err "responseHeaders" "$responseHeaders"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Polling order status: $Le_LinkOrder"
+ if ! _send_signed_request "$Le_LinkOrder"; then
+ _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
+ _link_cert_retry="$(_math $_link_cert_retry + 1)"
+ done
- echo "$response" >"$CERT_PATH"
- _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign failed, can not get Le_LinkCert, retry time limit."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Downloading cert."
+ _info "Le_LinkCert" "$Le_LinkCert"
+ if ! _send_signed_request "$Le_LinkCert"; then
+ _err "Sign failed, can not download cert:$Le_LinkCert."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
- if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
- if [ "$DEBUG" ]; then
- _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
- fi
- if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
- rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
- _debug2 "rels" "$rels"
- for rel in $rels; do
- _info "Try rel: $rel"
- if ! _send_signed_request "$rel"; then
- _err "Sign failed, can not download cert:$rel"
- _err "$response"
- continue
- fi
- _relcert="$CERT_PATH.alt"
- _relfullchain="$CERT_FULLCHAIN_PATH.alt"
- _relca="$CA_CERT_PATH.alt"
- echo "$response" >"$_relcert"
- _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
- if [ "$DEBUG" ]; then
- _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
- fi
- if _match_issuer "$_relfullchain" "$_preferred_chain"; then
- _info "Matched issuer in: $rel"
- cat $_relcert >"$CERT_PATH"
- cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
- cat $_relca >"$CA_CERT_PATH"
- rm -f "$_relcert"
- rm -f "$_relfullchain"
- rm -f "$_relca"
- break
- fi
+ echo "$response" >"$CERT_PATH"
+ _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+ if [ -z "$_preferred_chain" ]; then
+ _preferred_chain=$(_readcaconf DEFAULT_PREFERRED_CHAIN)
+ fi
+ if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+ if [ "$DEBUG" ]; then
+ _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
+ fi
+ if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
+ rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
+ _debug2 "rels" "$rels"
+ for rel in $rels; do
+ _info "Try rel: $rel"
+ if ! _send_signed_request "$rel"; then
+ _err "Sign failed, can not download cert:$rel"
+ _err "$response"
+ continue
+ fi
+ _relcert="$CERT_PATH.alt"
+ _relfullchain="$CERT_FULLCHAIN_PATH.alt"
+ _relca="$CA_CERT_PATH.alt"
+ echo "$response" >"$_relcert"
+ _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+ if [ "$DEBUG" ]; then
+ _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
+ fi
+ if _match_issuer "$_relfullchain" "$_preferred_chain"; then
+ _info "Matched issuer in: $rel"
+ cat $_relcert >"$CERT_PATH"
+ cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
+ cat $_relca >"$CA_CERT_PATH"
rm -f "$_relcert"
rm -f "$_relfullchain"
rm -f "$_relca"
- done
- fi
- fi
- else
- if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
- _err "Sign failed. $response"
- _on_issue_err "$_post_hook"
- return 1
- fi
- _rcert="$response"
- Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
- echo "$BEGIN_CERT" >"$CERT_PATH"
-
- #if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
- # _debug "Get cert failed. Let's try last response."
- # printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
- #fi
-
- if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
- _debug "Try cert link."
- _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
+ break
+ fi
+ rm -f "$_relcert"
+ rm -f "$_relfullchain"
+ rm -f "$_relca"
+ done
fi
-
- echo "$END_CERT" >>"$CERT_PATH"
fi
_debug "Le_LinkCert" "$Le_LinkCert"
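Review bot: The Retry-After value passed to `_sleep $_retryafter` in the order-polling loop is only trimmed, never validated; RFC 7231 allows an HTTP-date there, and the `cut -d : -f 2 | tr -d ' '` pipeline would then hand `_sleep` a string like `Wed,21Oct201507` (constructed example) instead of a number of seconds. A guard before the sleep, `case "$_retryafter" in *[!0-9]*) _retryafter="" ;; esac`, falls back to the 2-second default for anything non-numeric, and an upper bound on the wait is worth considering since the loop can run `_MAX_CERT_RETRY` times. The new `_preferred_chain=$(_readcaconf DEFAULT_PREFERRED_CHAIN)` fallback looks right but is silent; a `_debug "_preferred_chain" "$_preferred_chain"` right after it would make a failed alternate-chain search diagnosable from the log. The function is cut at both ends of the hunk.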
@@ -4991,10 +4983,10 @@ $_authorizations_map"
_info "$(__green "Cert success.")"
cat "$CERT_PATH"
- _info "Your cert is in $(__green " $CERT_PATH ")"
+ _info "Your cert is in: $(__green "$CERT_PATH")"
if [ -f "$CERT_KEY_PATH" ]; then
- _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
+ _info "Your cert key is in: $(__green "$CERT_KEY_PATH")"
fi
if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then
@@ -5003,55 +4995,8 @@ $_authorizations_map"
fi
fi
- if [ "$ACME_VERSION" = "2" ]; then
- _debug "v2 chain."
- else
- cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
- Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
-
- if [ "$Le_LinkIssuer" ]; then
- if ! _contains "$Le_LinkIssuer" ":"; then
- _info "$(__red "Relative issuer link found.")"
- Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
- fi
- _debug Le_LinkIssuer "$Le_LinkIssuer"
- _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
-
- _link_issuer_retry=0
- _MAX_ISSUER_RETRY=5
- while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
- _debug _link_issuer_retry "$_link_issuer_retry"
- if [ "$ACME_VERSION" = "2" ]; then
- if _send_signed_request "$Le_LinkIssuer"; then
- echo "$response" >"$CA_CERT_PATH"
- break
- fi
- else
- if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
- echo "$BEGIN_CERT" >"$CA_CERT_PATH"
- _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
- echo "$END_CERT" >>"$CA_CERT_PATH"
- if ! _checkcert "$CA_CERT_PATH"; then
- _err "Can not get the ca cert."
- break
- fi
- cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
- rm -f "$CA_CERT_PATH.der"
- break
- fi
- fi
- _link_issuer_retry=$(_math $_link_issuer_retry + 1)
- _sleep "$_link_issuer_retry"
- done
- if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
- _err "Max retry for issuer ca cert is reached."
- fi
- else
- _debug "No Le_LinkIssuer header found."
- fi
- fi
- [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
- [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
+ [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")"
+ [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")"
Le_CertCreateTime=$(_time)
_savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
@@ -5149,7 +5094,7 @@ renew() {
_isEcc="$2"
_initpath "$Le_Domain" "$_isEcc"
-
+ _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT}
_info "$(__green "Renew: '$Le_Domain'")"
if [ ! -f "$DOMAIN_CONF" ]; then
_info "'$Le_Domain' is not an issued domain, skip."
@@ -5162,17 +5107,16 @@ renew() {
. "$DOMAIN_CONF"
_debug Le_API "$Le_API"
-
- if [ "$Le_API" = "$LETSENCRYPT_CA_V1" ]; then
- _cleardomainconf Le_API
- Le_API="$DEFAULT_CA"
- fi
- if [ "$Le_API" = "$LETSENCRYPT_STAGING_CA_V1" ]; then
- _cleardomainconf Le_API
- Le_API="$DEFAULT_STAGING_CA"
+ if [ -z "$Le_API" ] || [ "$CA_LETSENCRYPT_V1" = "$Le_API" ]; then
+ #if this is from an old version, Le_API is empty,
+ #so, we force to use letsencrypt server
+ Le_API="$CA_LETSENCRYPT_V2"
fi
if [ "$Le_API" ]; then
+ if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+ _clearAPI
+ fi
export ACME_DIRECTORY="$Le_API"
#reload ca configs
ACCOUNT_KEY_PATH=""
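Review bot: The forced switch to `$CA_LETSENCRYPT_V2` when `Le_API` is empty or equals the v1 endpoint produces no user-visible output, only the comment; because it changes which directory the renewal talks to, an `_info "Le_API is empty or v1, using $CA_LETSENCRYPT_V2"` (or at least a `_debug`) would make a later support log readable. The removed code also dropped the stale value with `_cleardomainconf Le_API`; whether the new value is persisted now depends on code outside this hunk, and if it is not, the migration silently repeats on every renewal. The function starts outside the hunk.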
@@ -5185,6 +5129,11 @@ renew() {
if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
_info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
_info "Add '$(__red '--force')' to force to renew."
+ if [ -z "$_ACME_IN_RENEWALL" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
+ _send_notify "Renew $Le_Domain skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
+ fi
+ fi
return "$RENEW_SKIP"
fi
@@ -5211,6 +5160,17 @@ renew() {
fi
_ACME_IS_RENEW=""
+ if [ -z "$_ACME_IN_RENEWALL" ]; then
+ if [ "$res" = "0" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
+ _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
+ fi
+ else
+ if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
+ _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
+ fi
+ fi
+ fi
return "$res"
}
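Review bot: The two new notify subjects in `renew()`, `"Renew $d success"` and `"Renew $d error"`, use `$d`, which is not assigned anywhere in this function as far as the hunks show; the skip notification added earlier in the same function uses `$Le_Domain`, and `$d` is the per-domain loop variable of `renewAll()` and of the verification loop earlier in the file, so a direct `--renew` would report an empty or stale domain name. Change both to `"Renew $Le_Domain success"` and `"Renew $Le_Domain error"`. The `[ $_set_level -ge $NOTIFY_LEVEL_RENEW ]` tests are unquoted; that matches the existing style in `renewAll()`, but an unset `NOTIFY_LEVEL_DEFAULT` would turn them into a `[` syntax error rather than a false. The function starts outside the hunk.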
@@ -5228,6 +5188,7 @@ renewAll() {
_notify_code=$RENEW_SKIP
_set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT}
_debug "_set_level" "$_set_level"
+ export _ACME_IN_RENEWALL=1
for di in "${CERT_HOME}"/*.*/; do
_debug di "$di"
if ! [ -d "$di" ]; then
@@ -5250,13 +5211,13 @@ renewAll() {
_error_level="$NOTIFY_LEVEL_RENEW"
_notify_code=0
fi
- if [ "$_ACME_IN_CRON" ]; then
- if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
- if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
- _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
- fi
+
+ if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
fi
fi
+
_success_msg="${_success_msg} $d
"
elif [ "$rc" = "$RENEW_SKIP" ]; then
@@ -5264,13 +5225,13 @@ renewAll() {
_error_level="$NOTIFY_LEVEL_SKIP"
_notify_code=$RENEW_SKIP
fi
- if [ "$_ACME_IN_CRON" ]; then
- if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
- if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
- _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
- fi
+
+ if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
fi
fi
+
_info "Skipped $d"
_skipped_msg="${_skipped_msg} $d
"
@@ -5279,13 +5240,13 @@ renewAll() {
_error_level="$NOTIFY_LEVEL_ERROR"
_notify_code=1
fi
- if [ "$_ACME_IN_CRON" ]; then
- if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
- if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
- _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
- fi
+
+ if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
fi
fi
+
_error_msg="${_error_msg} $d
"
if [ "$_stopRenewOnError" ]; then
@@ -5300,7 +5261,7 @@ renewAll() {
done
_debug _error_level "$_error_level"
_debug _set_level "$_set_level"
- if [ "$_ACME_IN_CRON" ] && [ $_error_level -le $_set_level ]; then
+ if [ $_error_level -le $_set_level ]; then
if [ -z "$NOTIFY_MODE" ] || [ "$NOTIFY_MODE" = "$NOTIFY_MODE_BULK" ]; then
_msg_subject="Renew"
if [ "$_error_msg" ]; then
@@ -5386,9 +5347,6 @@ signcsr() {
return 1
fi
- if [ -z "$ACME_VERSION" ] && _contains "$_csrsubj,$_csrdomainlist" "*."; then
- export ACME_VERSION=2
- fi
_initpath "$_csrsubj" "$_csrkeylength"
mkdir -p "$DOMAIN_PATH"
@@ -5598,7 +5556,7 @@ _installcert() {
mkdir -p "$_backup_path"
if [ "$_real_cert" ]; then
- _info "Installing cert to:$_real_cert"
+ _info "Installing cert to: $_real_cert"
if [ -f "$_real_cert" ] && [ ! "$_ACME_IS_RENEW" ]; then
cp "$_real_cert" "$_backup_path/cert.bak"
fi
@@ -5606,7 +5564,7 @@ _installcert() {
fi
if [ "$_real_ca" ]; then
- _info "Installing CA to:$_real_ca"
+ _info "Installing CA to: $_real_ca"
if [ "$_real_ca" = "$_real_cert" ]; then
echo "" >>"$_real_ca"
cat "$CA_CERT_PATH" >>"$_real_ca" || return 1
@@ -5619,7 +5577,7 @@ _installcert() {
fi
if [ "$_real_key" ]; then
- _info "Installing key to:$_real_key"
+ _info "Installing key to: $_real_key"
if [ -f "$_real_key" ] && [ ! "$_ACME_IS_RENEW" ]; then
cp "$_real_key" "$_backup_path/key.bak"
fi
@@ -5632,7 +5590,7 @@ _installcert() {
fi
if [ "$_real_fullchain" ]; then
- _info "Installing full chain to:$_real_fullchain"
+ _info "Installing full chain to: $_real_fullchain"
if [ -f "$_real_fullchain" ] && [ ! "$_ACME_IS_RENEW" ]; then
cp "$_real_fullchain" "$_backup_path/fullchain.bak"
fi
@@ -5727,8 +5685,16 @@ installcronjob() {
if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
else
- _err "Can not install cronjob, $PROJECT_ENTRY not found."
- return 1
+ _debug "_SCRIPT_" "$_SCRIPT_"
+ _script="$(_readlink "$_SCRIPT_")"
+ _debug _script "$_script"
+ if [ -f "$_script" ]; then
+ _info "Using the current script from: $_script"
+ lesh="$_script"
+ else
+ _err "Can not install cronjob, $PROJECT_ENTRY not found."
+ return 1
+ fi
fi
if [ "$_c_home" ]; then
_c_entry="--config-home \"$_c_home\" "
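Review bot: The fallback `lesh="$_script"` is not quoted for the crontab line, unlike the primary branch `lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"`, so a resolved script path containing spaces produces a broken cron entry; `lesh="\"$_script\""` keeps the two branches consistent. A comment at that line would also help: the cron job will later execute whatever lives at the resolved path, so running `--install-cronjob` from a temporary or shared-writable checkout pins cron to a location the user may not expect, and the `_info "Using the current script from: $_script"` could say that this path, not `$LE_WORKING_DIR`, is what the cron entry will run. The function continues outside the hunk.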
@@ -5800,7 +5766,7 @@ uninstallcronjob() {
_info "Removing cron job"
cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")"
if [ "$cr" ]; then
- if _exists uname && uname -a | grep solaris >/dev/null; then
+ if _exists uname && uname -a | grep SunOS >/dev/null; then
$_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB --
else
$_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB -
@@ -5840,6 +5806,23 @@ revoke() {
return 1
fi
+ . "$DOMAIN_CONF"
+ _debug Le_API "$Le_API"
+
+ if [ "$Le_API" ]; then
+ if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+ _clearAPI
+ fi
+ export ACME_DIRECTORY="$Le_API"
+ #reload ca configs
+ ACCOUNT_KEY_PATH=""
+ ACCOUNT_JSON_PATH=""
+ CA_CONF=""
+ _debug3 "initpath again."
+ _initpath "$Le_Domain" "$_isEcc"
+ _initAPI
+ fi
+
cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)"
if [ -z "$cert" ]; then
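Review bot: The CA-reload sequence added to `revoke()` (source `DOMAIN_CONF`, compare `Le_API` with `ACME_DIRECTORY`, `_clearAPI`, reset the three path variables, `_initpath`, `_initAPI`) is now the third copy of the same block — it also appears in `renew()` and in `_deactivate()` — and the copies already differ in their `_initpath` arguments; a single helper such as `_switchToDomainAPI "$Le_Domain" "$_isEcc"` would keep them aligned. Also, `_initAPI` is called at the end of this block and again a few lines later in the next hunk's context, so it runs twice on the path where `Le_API` is set. The function starts outside the hunk.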
@@ -5849,11 +5832,8 @@ revoke() {
_initAPI
- if [ "$ACME_VERSION" = "2" ]; then
- data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
- else
- data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
- fi
+ data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
+
uri="${ACME_REVOKE_CERT}"
if [ -f "$CERT_KEY_PATH" ]; then
@@ -5922,60 +5902,62 @@ remove() {
_deactivate() {
_d_domain="$1"
_d_type="$2"
- _initpath
+ _initpath "$_d_domain" "$_d_type"
- if [ "$ACME_VERSION" = "2" ]; then
- _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
- if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
- _err "Can not get domain new order."
- return 1
- fi
- _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
- _debug2 _authorizations_seg "$_authorizations_seg"
- if [ -z "$_authorizations_seg" ]; then
- _err "_authorizations_seg not found."
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
+ . "$DOMAIN_CONF"
+ _debug Le_API "$Le_API"
- authzUri="$_authorizations_seg"
- _debug2 "authzUri" "$authzUri"
- if ! _send_signed_request "$authzUri"; then
- _err "get to authz error."
- _err "_authorizations_seg" "$_authorizations_seg"
- _err "authzUri" "$authzUri"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
+ if [ "$Le_API" ]; then
+ if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+ _clearAPI
fi
+ export ACME_DIRECTORY="$Le_API"
+ #reload ca configs
+ ACCOUNT_KEY_PATH=""
+ ACCOUNT_JSON_PATH=""
+ CA_CONF=""
+ _debug3 "initpath again."
+ _initpath "$Le_Domain" "$_d_type"
+ _initAPI
+ fi
- response="$(echo "$response" | _normalizeJson)"
- _debug2 response "$response"
- _URL_NAME="url"
- else
- if ! __get_domain_new_authz "$_d_domain"; then
- _err "Can not get domain new authz token."
- return 1
- fi
+ _identifiers="{\"type\":\"$(_getIdType "$_d_domain")\",\"value\":\"$_d_domain\"}"
+ if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+ _err "Can not get domain new order."
+ return 1
+ fi
+ _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _debug2 _authorizations_seg "$_authorizations_seg"
+ if [ -z "$_authorizations_seg" ]; then
+ _err "_authorizations_seg not found."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
- authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
- _debug "authzUri" "$authzUri"
- if [ "$code" ] && [ ! "$code" = '201' ]; then
- _err "new-authz error: $response"
- return 1
- fi
- _URL_NAME="uri"
+ authzUri="$_authorizations_seg"
+ _debug2 "authzUri" "$authzUri"
+ if ! _send_signed_request "$authzUri"; then
+ _err "get to authz error."
+ _err "_authorizations_seg" "$_authorizations_seg"
+ _err "authzUri" "$authzUri"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
fi
- entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n' | grep "\"status\": *\"valid\"")"
+ response="$(echo "$response" | _normalizeJson)"
+ _debug2 response "$response"
+ _URL_NAME="url"
+
+ entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n\n' | grep "\"status\": *\"valid\"")"
if [ -z "$entries" ]; then
_info "No valid entries found."
if [ -z "$thumbprint" ]; then
thumbprint="$(__calc_account_thumbprint)"
fi
_debug "Trigger validation."
- vtype="$VTYPE_DNS"
+ vtype="$(_getIdType "$_d_domain")"
entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
if [ -z "$entry" ]; then
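Review bot: `. "$DOMAIN_CONF"` in `_deactivate()` is executed without checking that the file exists, whereas `renew()` tests `[ ! -f "$DOMAIN_CONF" ]` before sourcing; for a domain that was never issued, a POSIX `.` on a missing file is fatal in a non-interactive shell, so `--deactivate` would die without the usual `_err` message. Add the same guard before the source line: `if [ ! -f "$DOMAIN_CONF" ]; then _err "'$_d_domain' is not an issued domain."; return 1; fi`. The second `_initpath` in that block uses `$Le_Domain`, which only exists if the sourced file set it, while the first uses the function's own `$_d_domain`; using `$_d_domain` in both would not depend on the config contents. The function ends outside the hunk.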
@@ -6021,11 +6003,7 @@ _deactivate() {
_info "Deactivate: $_vtype"
- if [ "$ACME_VERSION" = "2" ]; then
- _djson="{\"status\":\"deactivated\"}"
- else
- _djson="{\"resource\": \"authz\", \"status\":\"deactivated\"}"
- fi
+ _djson="{\"status\":\"deactivated\"}"
if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then
_info "Deactivate: $_vtype success."
@@ -6571,6 +6549,7 @@ Commands:
--revoke Revoke a cert.
--remove Remove the cert from list of certs known to $PROJECT_NAME.
--list List all the certs.
+ --info Show the $PROJECT_NAME configs, or the configs for a domain with [-d domain] parameter.
--to-pkcs12 Export the certificate and key to a pfx file.
--to-pkcs8 Convert to pkcs8 format.
--sign-csr Issue a cert from an existing csr.
@@ -6588,6 +6567,8 @@ Commands:
--deactivate Deactivate the domain authz, professional use.
--set-default-ca Used with '--server', Set the default CA to use.
See: $_SERVER_WIKI
+ --set-default-chain Set the default preferred chain for a CA.
+ See: $_PREFERRED_CHAIN_WIKI
Parameters:
@@ -6736,7 +6717,7 @@ _getRepoHash() {
_hash_path=$1
shift
_hash_url="https://api.github.com/repos/acmesh-official/$PROJECT_NAME/git/refs/$_hash_path"
- _get $_hash_url | tr -d "\r\n" | tr '{},' '\n' | grep '"sha":' | cut -d '"' -f 4
+ _get $_hash_url | tr -d "\r\n" | tr '{},' '\n\n\n' | grep '"sha":' | cut -d '"' -f 4
}
_getUpgradeHash() {
@@ -6809,9 +6790,10 @@ _checkSudo() {
return 0
}
-#server
+#server #keylength
_selectServer() {
_server="$1"
+ _skeylength="$2"
_server_lower="$(echo "$_server" | _lower_case)"
_sindex=0
for snames in $CA_NAMES; do
@@ -6822,6 +6804,9 @@ _selectServer() {
if [ "$_server_lower" = "$sname" ]; then
_debug2 "_selectServer match $sname"
_serverdir="$(_getfield "$CA_SERVERS" $_sindex)"
+ if [ "$_serverdir" = "$CA_SSLCOM_RSA" ] && _isEccKey "$_skeylength"; then
+ _serverdir="$CA_SSLCOM_ECC"
+ fi
_debug "Selected server: $_serverdir"
ACME_DIRECTORY="$_serverdir"
export ACME_DIRECTORY
@@ -6839,6 +6824,9 @@ _getCAShortName() {
if [ -z "$caurl" ]; then
caurl="$DEFAULT_CA"
fi
+ if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then
+ caurl="$CA_SSLCOM_RSA" #just hack to get the short name
+ fi
caurl_lower="$(echo $caurl | _lower_case)"
_sindex=0
for surl in $(echo "$CA_SERVERS" | _lower_case | tr , ' '); do
@@ -6867,6 +6855,40 @@ setdefaultca() {
_info "Changed default CA to: $(__green "$ACME_DIRECTORY")"
}
+#preferred-chain
+setdefaultchain() {
+ _initpath
+ _preferred_chain="$1"
+ if [ -z "$_preferred_chain" ]; then
+ _err "Please give a '--preferred-chain value' value."
+ return 1
+ fi
+ mkdir -p "$CA_DIR"
+ _savecaconf "DEFAULT_PREFERRED_CHAIN" "$_preferred_chain"
+}
+
+#domain ecc
+info() {
+ _domain="$1"
+ _ecc="$2"
+ _initpath
+ if [ -z "$_domain" ]; then
+ _debug "Show global configs"
+ echo "LE_WORKING_DIR=$LE_WORKING_DIR"
+ echo "LE_CONFIG_HOME=$LE_CONFIG_HOME"
+ cat "$ACCOUNT_CONF_PATH"
+ else
+ _debug "Show domain configs"
+ (
+ _initpath "$_domain" "$_ecc"
+ echo "DOMAIN_CONF=$DOMAIN_CONF"
+ for seg in $(cat $DOMAIN_CONF | cut -d = -f 1); do
+ echo "$seg=$(_readdomainconf "$seg")"
+ done
+ )
+ fi
+}
+
_process() {
_CMD=""
_domain=""
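Review bot: `info()` dumps `$ACCOUNT_CONF_PATH` with `cat` and every key of the domain config via `_readdomainconf`, and both files hold values that hooks in this same patch store with `_saveaccountconf`/`_savedeployconf`, e.g. `DEPLOY_FRITZBOX_PASSWORD`; so `--info` prints credentials to the terminal (and into any log a user pastes into a bug report), whereas the rest of the file routes exactly these values through `_secure_debug`. Consider masking keys matching `*PASSWORD*`, `*TOKEN*`, `*KEY*`, `*SECRET*`, or at least emitting an `_info` line before the `cat` that the output contains secrets. Minor: `for seg in $(cat $DOMAIN_CONF | cut -d = -f 1)` leaves `$DOMAIN_CONF` unquoted and can be `cut -d = -f 1 "$DOMAIN_CONF"` directly. In `setdefaultchain`, the message `Please give a '--preferred-chain value' value.` doubles "value"; `Please give a '--preferred-chain' value.` is clearer.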
@@ -6976,6 +6998,9 @@ _process() {
--list)
_CMD="list"
;;
+ --info)
+ _CMD="info"
+ ;;
--install-cronjob | --installcronjob)
_CMD="installcronjob"
;;
@@ -7018,6 +7043,9 @@ _process() {
--set-default-ca)
_CMD="setdefaultca"
;;
+ --set-default-chain)
+ _CMD="setdefaultchain"
+ ;;
-d | --domain)
_dvalue="$2"
@@ -7031,10 +7059,6 @@ _process() {
return 1
fi
- if _startswith "$_dvalue" "*."; then
- _debug "Wildcard domain"
- export ACME_VERSION=2
- fi
if [ -z "$_domain" ]; then
_domain="$_dvalue"
else
@@ -7057,7 +7081,6 @@ _process() {
;;
--server)
_server="$2"
- _selectServer "$_server"
shift
;;
--debug)
@@ -7156,7 +7179,6 @@ _process() {
Le_DNSSleep="$_dnssleep"
shift
;;
-
--keylength | -k)
_keylength="$2"
shift
@@ -7165,7 +7187,6 @@ _process() {
_accountkeylength="$2"
shift
;;
-
--cert-file | --certpath)
_cert_file="$2"
shift
@@ -7429,6 +7450,10 @@ _process() {
shift 1
done
+ if [ "$_server" ]; then
+ _selectServer "$_server" "${_ecc:-$_keylength}"
+ fi
+
if [ "${_CMD}" != "install" ]; then
if [ "$__INTERACTIVE" ] && ! _checkSudo; then
if [ -z "$FORCE" ]; then
@@ -7527,6 +7552,9 @@ _process() {
list)
list "$_listraw" "$_domain"
;;
+ info)
+ info "$_domain" "$_ecc"
+ ;;
installcronjob) installcronjob "$_confighome" ;;
uninstallcronjob) uninstallcronjob ;;
cron) cron ;;
@@ -7551,6 +7579,9 @@ _process() {
setdefaultca)
setdefaultca
;;
+ setdefaultchain)
+ setdefaultchain "$_preferred_chain"
+ ;;
*)
if [ "$_CMD" ]; then
_err "Invalid command: $_CMD"
diff --git a/deploy/consul.sh b/deploy/consul.sh
new file mode 100644
index 00000000..f93fb452
--- /dev/null
+++ b/deploy/consul.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env sh
+
+# Here is a script to deploy cert to hashicorp consul using curl
+# (https://www.consul.io/)
+#
+# it requires following environment variables:
+#
+# CONSUL_PREFIX - this contains the prefix path in consul
+# CONSUL_HTTP_ADDR - consul requires this to find your consul server
+#
+# additionally, you need to ensure that CONSUL_HTTP_TOKEN is available
+# to access the consul server
+
+#returns 0 means success, otherwise error.
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+consul_deploy() {
+
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ # validate required env vars
+ _getdeployconf CONSUL_PREFIX
+ if [ -z "$CONSUL_PREFIX" ]; then
+ _err "CONSUL_PREFIX needs to be defined (contains prefix path in vault)"
+ return 1
+ fi
+ _savedeployconf CONSUL_PREFIX "$CONSUL_PREFIX"
+
+ _getdeployconf CONSUL_HTTP_ADDR
+ if [ -z "$CONSUL_HTTP_ADDR" ]; then
+ _err "CONSUL_HTTP_ADDR needs to be defined (contains consul connection address)"
+ return 1
+ fi
+ _savedeployconf CONSUL_HTTP_ADDR "$CONSUL_HTTP_ADDR"
+
+ CONSUL_CMD=$(command -v consul)
+
+ # force CLI, but the binary does not exist => error
+ if [ -n "$USE_CLI" ] && [ -z "$CONSUL_CMD" ]; then
+ _err "Cannot find the consul binary!"
+ return 1
+ fi
+
+ # use the CLI first
+ if [ -n "$USE_CLI" ] || [ -n "$CONSUL_CMD" ]; then
+ _info "Found consul binary, deploying with CLI"
+ consul_deploy_cli "$CONSUL_CMD" "$CONSUL_PREFIX"
+ else
+ _info "Did not find consul binary, deploying with API"
+ consul_deploy_api "$CONSUL_HTTP_ADDR" "$CONSUL_PREFIX" "$CONSUL_HTTP_TOKEN"
+ fi
+}
+
+consul_deploy_api() {
+ CONSUL_HTTP_ADDR="$1"
+ CONSUL_PREFIX="$2"
+ CONSUL_HTTP_TOKEN="$3"
+
+ URL="$CONSUL_HTTP_ADDR/v1/kv/$CONSUL_PREFIX"
+ export _H1="X-Consul-Token: $CONSUL_HTTP_TOKEN"
+
+ if [ -n "$FABIO" ]; then
+ _post "$(cat "$_cfullchain")" "$URL/${_cdomain}-cert.pem" '' "PUT" || return 1
+ _post "$(cat "$_ckey")" "$URL/${_cdomain}-key.pem" '' "PUT" || return 1
+ else
+ _post "$(cat "$_ccert")" "$URL/${_cdomain}/cert.pem" '' "PUT" || return 1
+ _post "$(cat "$_ckey")" "$URL/${_cdomain}/cert.key" '' "PUT" || return 1
+ _post "$(cat "$_cca")" "$URL/${_cdomain}/chain.pem" '' "PUT" || return 1
+ _post "$(cat "$_cfullchain")" "$URL/${_cdomain}/fullchain.pem" '' "PUT" || return 1
+ fi
+}
+
+consul_deploy_cli() {
+ CONSUL_CMD="$1"
+ CONSUL_PREFIX="$2"
+
+ if [ -n "$FABIO" ]; then
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-cert.pem" @"$_cfullchain" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-key.pem" @"$_ckey" || return 1
+ else
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+ fi
+}
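Review bot: The CLI branch stores different things depending on `FABIO`: the FABIO lines pass `@"$_cfullchain"` so `consul kv put` reads the file, but the non-FABIO lines pass `value=@"$_ccert"`, which as far as I know the consul CLI treats as a literal string, so those KV entries would hold the text `value=@/path/cert.pem` rather than the certificate; dropping the `value=` prefix makes all six lines consistent. `CONSUL_HTTP_TOKEN` is never read with `_getdeployconf`, checked, or logged with `_secure_debug`, so a cron renewal without it in the environment sends an empty `X-Consul-Token:` header; if it is to be persisted with `_savedeployconf` instead, that writes a secret into the domain config and should be a deliberate, documented choice. The error text `CONSUL_PREFIX needs to be defined (contains prefix path in vault)` still says "vault". The private key is PUT to `$CONSUL_HTTP_ADDR/v1/kv/...`, so the header comment should require (or the code check) an `https://` address, otherwise the key travels in clear.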
diff --git a/deploy/fritzbox.sh b/deploy/fritzbox.sh
index 2ca7ab7d..416a4121 100644
--- a/deploy/fritzbox.sh
+++ b/deploy/fritzbox.sh
@@ -36,43 +36,51 @@ fritzbox_deploy() {
fi
fi
- _fritzbox_username="${DEPLOY_FRITZBOX_USERNAME}"
- _fritzbox_password="${DEPLOY_FRITZBOX_PASSWORD}"
- _fritzbox_url="${DEPLOY_FRITZBOX_URL}"
-
- _debug _fritzbox_url "$_fritzbox_url"
- _debug _fritzbox_username "$_fritzbox_username"
- _secure_debug _fritzbox_password "$_fritzbox_password"
- if [ -z "$_fritzbox_username" ]; then
+ # Clear traces of incorrectly stored values
+ _clearaccountconf DEPLOY_FRITZBOX_USERNAME
+ _clearaccountconf DEPLOY_FRITZBOX_PASSWORD
+ _clearaccountconf DEPLOY_FRITZBOX_URL
+
+ # Read config from saved values or env
+ _getdeployconf DEPLOY_FRITZBOX_USERNAME
+ _getdeployconf DEPLOY_FRITZBOX_PASSWORD
+ _getdeployconf DEPLOY_FRITZBOX_URL
+
+ _debug DEPLOY_FRITZBOX_URL "$DEPLOY_FRITZBOX_URL"
+ _debug DEPLOY_FRITZBOX_USERNAME "$DEPLOY_FRITZBOX_USERNAME"
+ _secure_debug DEPLOY_FRITZBOX_PASSWORD "$DEPLOY_FRITZBOX_PASSWORD"
+
+ if [ -z "$DEPLOY_FRITZBOX_USERNAME" ]; then
_err "FRITZ!Box username is not found, please define DEPLOY_FRITZBOX_USERNAME."
return 1
fi
- if [ -z "$_fritzbox_password" ]; then
+ if [ -z "$DEPLOY_FRITZBOX_PASSWORD" ]; then
_err "FRITZ!Box password is not found, please define DEPLOY_FRITZBOX_PASSWORD."
return 1
fi
- if [ -z "$_fritzbox_url" ]; then
+ if [ -z "$DEPLOY_FRITZBOX_URL" ]; then
_err "FRITZ!Box url is not found, please define DEPLOY_FRITZBOX_URL."
return 1
fi
- _saveaccountconf DEPLOY_FRITZBOX_USERNAME "${_fritzbox_username}"
- _saveaccountconf DEPLOY_FRITZBOX_PASSWORD "${_fritzbox_password}"
- _saveaccountconf DEPLOY_FRITZBOX_URL "${_fritzbox_url}"
+ # Save current values
+ _savedeployconf DEPLOY_FRITZBOX_USERNAME "$DEPLOY_FRITZBOX_USERNAME"
+ _savedeployconf DEPLOY_FRITZBOX_PASSWORD "$DEPLOY_FRITZBOX_PASSWORD"
+ _savedeployconf DEPLOY_FRITZBOX_URL "$DEPLOY_FRITZBOX_URL"
# Do not check for a valid SSL certificate, because initially the cert is not valid, so it could not install the LE generated certificate
export HTTPS_INSECURE=1
_info "Log in to the FRITZ!Box"
- _fritzbox_challenge="$(_get "${_fritzbox_url}/login_sid.lua" | sed -e 's/^.*//' -e 's/<\/Challenge>.*$//')"
+ _fritzbox_challenge="$(_get "${DEPLOY_FRITZBOX_URL}/login_sid.lua" | sed -e 's/^.*//' -e 's/<\/Challenge>.*$//')"
if _exists iconv; then
- _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)"
+ _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)"
elif _exists uconv; then
- _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | uconv -f ASCII -t UTF16LE | _digest md5 hex)"
+ _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | uconv -f ASCII -t UTF16LE | _digest md5 hex)"
else
- _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)"
+ _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)"
fi
- _fritzbox_sid="$(_get "${_fritzbox_url}/login_sid.lua?sid=0000000000000000&username=${_fritzbox_username}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*//' -e 's/<\/SID>.*$//')"
+ _fritzbox_sid="$(_get "${DEPLOY_FRITZBOX_URL}/login_sid.lua?sid=0000000000000000&username=${DEPLOY_FRITZBOX_USERNAME}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*//' -e 's/<\/SID>.*$//')"
if [ -z "${_fritzbox_sid}" ] || [ "${_fritzbox_sid}" = "0000000000000000" ]; then
_err "Logging in to the FRITZ!Box failed. Please check username, password and URL."
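Review bot: The login query string on L2885 interpolates `${DEPLOY_FRITZBOX_USERNAME}` unencoded into `username=`, so a username containing `&`, `=`, `#` or a space yields a malformed request that surfaces only as the generic "check username, password and URL" error; encode it the way other hooks do, e.g. `_fritzbox_username_enc="$(printf "%s" "${DEPLOY_FRITZBOX_USERNAME}" | _url_encode)"`, and use that in the URL. The `_clearaccountconf` calls on L2835–L2837 run before the `_getdeployconf` reads on L2840–L2842, so unless `_getdeployconf` itself falls back to the account conf (its definition is not in this hunk), a user who stored the credentials under the previous version and no longer exports them will have the stored copy wiped and then hit the "not found" error on the next renewal; a one-line migration comment above L2834 would save that support question. fritzbox_deploy continues outside the hunk.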
@@ -104,7 +112,7 @@ fritzbox_deploy() {
_info "Upload certificate to the FRITZ!Box"
export _H1="Content-type: multipart/form-data boundary=${_post_boundary}"
- _post "$(cat "${_post_request}")" "${_fritzbox_url}/cgi-bin/firmwarecfg" | grep SSL
+ _post "$(cat "${_post_request}")" "${DEPLOY_FRITZBOX_URL}/cgi-bin/firmwarecfg" | grep SSL
retval=$?
if [ $retval = 0 ]; then
diff --git a/deploy/gcore_cdn.sh b/deploy/gcore_cdn.sh
index a2a35f7b..f573a3aa 100644
--- a/deploy/gcore_cdn.sh
+++ b/deploy/gcore_cdn.sh
@@ -56,9 +56,9 @@ gcore_cdn_deploy() {
_request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
_debug _request "$_request"
export _H1="Content-Type:application/json"
- _response=$(_post "$_request" "https://api.gcdn.co/auth/signin")
+ _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
_debug _response "$_response"
- _regex=".*\"token\":\"\([-._0-9A-Za-z]*\)\".*$"
+ _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
_debug _regex "$_regex"
_token=$(echo "$_response" | sed -n "s/$_regex/\1/p")
_debug _token "$_token"
@@ -72,12 +72,15 @@ gcore_cdn_deploy() {
export _H2="Authorization:Token $_token"
_response=$(_get "https://api.gcdn.co/resources")
_debug _response "$_response"
- _regex=".*(\"id\".*?\"cname\":\"$_cdomain\".*?})"
+ _regex="\"primary_resource\":null},"
+ _debug _regex "$_regex"
+ _response=$(echo "$_response" | sed "s/$_regex/$_regex\n/g")
+ _debug _response "$_response"
_regex="^.*\"cname\":\"$_cdomain\".*$"
_debug _regex "$_regex"
- _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+ _resource=$(echo "$_response" | _egrep_o "$_regex")
_debug _resource "$_resource"
- _regex=".*\"id\":\([0-9]*\).*\"rules\".*$"
+ _regex=".*\"id\":\([0-9]*\).*$"
_debug _regex "$_regex"
_resourceId=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
_debug _resourceId "$_resourceId"
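Review bot: The record-splitting substitution on L2918, `sed "s/$_regex/$_regex\n/g"`, depends on `\n` in a sed replacement, which GNU sed turns into a newline but POSIX leaves undefined and BSD/macOS sed emits as a literal `n`, so on those platforms the response stays on one line and the `_egrep_o` on L2923 can match the whole body rather than one resource (the removed L2922 had the same issue, but this is now the only split step). A portable form is an escaped literal newline inside the sed script instead of `\n`, or an `awk` split. The anchor `"primary_resource":null},` on L2916 also assumes every resource ends with that exact key/value pair; a resource whose `primary_resource` is not null would not be separated from its neighbour and the `id` extraction on L2926 could then pick the wrong resource, which deserves at least a comment stating the assumption. Since the earlier hunk switched login to `/auth/jwt/login`, it is worth confirming that the unchanged `Authorization:Token $_token` header on L2912 is still the scheme that endpoint's token expects. gcore_cdn_deploy continues outside the hunk.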
diff --git a/deploy/haproxy.sh b/deploy/haproxy.sh
index 0a45ee07..c255059d 100644
--- a/deploy/haproxy.sh
+++ b/deploy/haproxy.sh
@@ -54,11 +54,6 @@ haproxy_deploy() {
DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
- if [ -f "${DOMAIN_CONF}" ]; then
- # shellcheck disable=SC1090
- . "${DOMAIN_CONF}"
- fi
-
_debug _cdomain "${_cdomain}"
_debug _ckey "${_ckey}"
_debug _ccert "${_ccert}"
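Review bot: Removing the `. "${DOMAIN_CONF}"` sourcing on L2937–L2940 leaves nothing in this file that loads the previously saved `Le_Deploy_haproxy_*` values, yet the later hunks still persist them with `_savedomainconf` (L2952, L2960, L2968, L2976, L2984) and, by the pattern the new lighttpd hook shows, fall back to them when the `DEPLOY_HAPROXY_*` variable is unset; this now silently relies on the acme.sh deploy driver having sourced the domain conf before calling `haproxy_deploy`. That is presumably the case, but it is an invisible contract, so a comment where the sourcing was removed would help, e.g. `# Le_Deploy_haproxy_* are loaded from the domain conf by acme.sh before this hook runs`. The same removal occurs in `deploy/ssh.sh` (hunk at L3326–L3336) and the same reliance is present in the new `deploy/lighttpd.sh`. haproxy_deploy continues outside the hunk.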
@@ -66,6 +61,8 @@ haproxy_deploy() {
_debug _cfullchain "${_cfullchain}"
# PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_PEM_PATH
+ _debug2 DEPLOY_HAPROXY_PEM_PATH "${DEPLOY_HAPROXY_PEM_PATH}"
if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
_savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
@@ -82,6 +79,8 @@ haproxy_deploy() {
fi
# PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_PEM_NAME
+ _debug2 DEPLOY_HAPROXY_PEM_NAME "${DEPLOY_HAPROXY_PEM_NAME}"
if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
_savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
@@ -90,6 +89,8 @@ haproxy_deploy() {
fi
# BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_BUNDLE
+ _debug2 DEPLOY_HAPROXY_BUNDLE "${DEPLOY_HAPROXY_BUNDLE}"
if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
_savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
@@ -98,6 +99,8 @@ haproxy_deploy() {
fi
# ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_ISSUER
+ _debug2 DEPLOY_HAPROXY_ISSUER "${DEPLOY_HAPROXY_ISSUER}"
if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
_savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
@@ -106,6 +109,8 @@ haproxy_deploy() {
fi
# RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_RELOAD
+ _debug2 DEPLOY_HAPROXY_RELOAD "${DEPLOY_HAPROXY_RELOAD}"
if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
_savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
@@ -190,7 +195,7 @@ haproxy_deploy() {
_info "Updating OCSP stapling info"
_debug _ocsp "${_ocsp}"
_info "Extracting OCSP URL"
- _ocsp_url=$(openssl x509 -noout -ocsp_uri -in "${_pem}")
+ _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
_debug _ocsp_url "${_ocsp_url}"
# Only process OCSP if URL was present
@@ -203,9 +208,9 @@ haproxy_deploy() {
# Only process the certificate if we have a .issuer file
if [ -r "${_issuer}" ]; then
# Check if issuer cert is also a root CA cert
- _subjectdn=$(openssl x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
_debug _subjectdn "${_subjectdn}"
- _issuerdn=$(openssl x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
_debug _issuerdn "${_issuerdn}"
_info "Requesting OCSP response"
# If the issuer is a CA cert then our command line has "-CAfile" added
@@ -216,7 +221,7 @@ haproxy_deploy() {
fi
_debug _cafile_argument "${_cafile_argument}"
# if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
- _openssl_version=$(openssl version | cut -d' ' -f2)
+ _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
_debug _openssl_version "${_openssl_version}"
_openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
_openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
@@ -226,7 +231,7 @@ haproxy_deploy() {
_header_sep=" "
fi
# Request the OCSP response from the issuer and store it
- _openssl_ocsp_cmd="openssl ocsp \
+ _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
-issuer \"${_issuer}\" \
-cert \"${_pem}\" \
-url \"${_ocsp_url}\" \
diff --git a/deploy/kong.sh b/deploy/kong.sh
index 1e1e310c..b8facedf 100755
--- a/deploy/kong.sh
+++ b/deploy/kong.sh
@@ -45,7 +45,7 @@ kong_deploy() {
#Generate data for request (Multipart/form-data with mixed content)
if [ -z "$ssl_uuid" ]; then
#set sni to domain
- content="--$delim${nl}Content-Disposition: form-data; name=\"snis\"${nl}${nl}$_cdomain"
+ content="--$delim${nl}Content-Disposition: form-data; name=\"snis[]\"${nl}${nl}$_cdomain"
fi
#add key
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
diff --git a/deploy/lighttpd.sh b/deploy/lighttpd.sh
new file mode 100644
index 00000000..71f64b96
--- /dev/null
+++ b/deploy/lighttpd.sh
@@ -0,0 +1,280 @@
+#!/usr/bin/env sh
+
+# Script for acme.sh to deploy certificates to lighttpd
+#
+# The following variables can be exported:
+#
+# export DEPLOY_LIGHTTPD_PEM_NAME="${domain}.pem"
+#
+# Defines the name of the PEM file.
+# Defaults to ".pem"
+#
+# export DEPLOY_LIGHTTPD_PEM_PATH="/etc/lighttpd"
+#
+# Defines location of PEM file for Lighttpd.
+# Defaults to /etc/lighttpd
+#
+# export DEPLOY_LIGHTTPD_RELOAD="systemctl reload lighttpd"
+#
+# OPTIONAL: Reload command used post deploy
+# This defaults to be a no-op (ie "true").
+# It is strongly recommended to set this something that makes sense
+# for your distro.
+#
+# export DEPLOY_LIGHTTPD_ISSUER="yes"
+#
+# OPTIONAL: Places CA file as "${DEPLOY_LIGHTTPD_PEM}.issuer"
+# Note: Required for OCSP stapling to work
+#
+# export DEPLOY_LIGHTTPD_BUNDLE="no"
+#
+# OPTIONAL: Deploy this certificate as part of a multi-cert bundle
+# This adds a suffix to the certificate based on the certificate type
+# eg RSA certificates will have .rsa as a suffix to the file name
+# Lighttpd will load all certificates and provide one or the other
+# depending on client capabilities
+# Note: This functionality requires Lighttpd was compiled against
+# a version of OpenSSL that supports this.
+#
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+lighttpd_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ # Some defaults
+ DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT="/etc/lighttpd"
+ DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT="${_cdomain}.pem"
+ DEPLOY_LIGHTTPD_BUNDLE_DEFAULT="no"
+ DEPLOY_LIGHTTPD_ISSUER_DEFAULT="yes"
+ DEPLOY_LIGHTTPD_RELOAD_DEFAULT="true"
+
+ _debug _cdomain "${_cdomain}"
+ _debug _ckey "${_ckey}"
+ _debug _ccert "${_ccert}"
+ _debug _cca "${_cca}"
+ _debug _cfullchain "${_cfullchain}"
+
+ # PEM_PATH is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_PEM_PATH
+ _debug2 DEPLOY_LIGHTTPD_PEM_PATH "${DEPLOY_LIGHTTPD_PEM_PATH}"
+ if [ -n "${DEPLOY_LIGHTTPD_PEM_PATH}" ]; then
+ Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH}"
+ _savedomainconf Le_Deploy_lighttpd_pem_path "${Le_Deploy_lighttpd_pem_path}"
+ elif [ -z "${Le_Deploy_lighttpd_pem_path}" ]; then
+ Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}"
+ fi
+
+ # Ensure PEM_PATH exists
+ if [ -d "${Le_Deploy_lighttpd_pem_path}" ]; then
+ _debug "PEM_PATH ${Le_Deploy_lighttpd_pem_path} exists"
+ else
+ _err "PEM_PATH ${Le_Deploy_lighttpd_pem_path} does not exist"
+ return 1
+ fi
+
+ # PEM_NAME is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_PEM_NAME
+ _debug2 DEPLOY_LIGHTTPD_PEM_NAME "${DEPLOY_LIGHTTPD_PEM_NAME}"
+ if [ -n "${DEPLOY_LIGHTTPD_PEM_NAME}" ]; then
+ Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME}"
+ _savedomainconf Le_Deploy_lighttpd_pem_name "${Le_Deploy_lighttpd_pem_name}"
+ elif [ -z "${Le_Deploy_lighttpd_pem_name}" ]; then
+ Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}"
+ fi
+
+ # BUNDLE is optional. If not provided then assume "${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_BUNDLE
+ _debug2 DEPLOY_LIGHTTPD_BUNDLE "${DEPLOY_LIGHTTPD_BUNDLE}"
+ if [ -n "${DEPLOY_LIGHTTPD_BUNDLE}" ]; then
+ Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE}"
+ _savedomainconf Le_Deploy_lighttpd_bundle "${Le_Deploy_lighttpd_bundle}"
+ elif [ -z "${Le_Deploy_lighttpd_bundle}" ]; then
+ Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}"
+ fi
+
+ # ISSUER is optional. If not provided then assume "${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_ISSUER
+ _debug2 DEPLOY_LIGHTTPD_ISSUER "${DEPLOY_LIGHTTPD_ISSUER}"
+ if [ -n "${DEPLOY_LIGHTTPD_ISSUER}" ]; then
+ Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER}"
+ _savedomainconf Le_Deploy_lighttpd_issuer "${Le_Deploy_lighttpd_issuer}"
+ elif [ -z "${Le_Deploy_lighttpd_issuer}" ]; then
+ Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}"
+ fi
+
+ # RELOAD is optional. If not provided then assume "${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_RELOAD
+ _debug2 DEPLOY_LIGHTTPD_RELOAD "${DEPLOY_LIGHTTPD_RELOAD}"
+ if [ -n "${DEPLOY_LIGHTTPD_RELOAD}" ]; then
+ Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD}"
+ _savedomainconf Le_Deploy_lighttpd_reload "${Le_Deploy_lighttpd_reload}"
+ elif [ -z "${Le_Deploy_lighttpd_reload}" ]; then
+ Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}"
+ fi
+
+ # Set the suffix depending if we are creating a bundle or not
+ if [ "${Le_Deploy_lighttpd_bundle}" = "yes" ]; then
+ _info "Bundle creation requested"
+ # Initialise $Le_Keylength if its not already set
+ if [ -z "${Le_Keylength}" ]; then
+ Le_Keylength=""
+ fi
+ if _isEccKey "${Le_Keylength}"; then
+ _info "ECC key type detected"
+ _suffix=".ecdsa"
+ else
+ _info "RSA key type detected"
+ _suffix=".rsa"
+ fi
+ else
+ _suffix=""
+ fi
+ _debug _suffix "${_suffix}"
+
+ # Set variables for later
+ _pem="${Le_Deploy_lighttpd_pem_path}/${Le_Deploy_lighttpd_pem_name}${_suffix}"
+ _issuer="${_pem}.issuer"
+ _ocsp="${_pem}.ocsp"
+ _reload="${Le_Deploy_lighttpd_reload}"
+
+ _info "Deploying PEM file"
+ # Create a temporary PEM file
+ _temppem="$(_mktemp)"
+ _debug _temppem "${_temppem}"
+ cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
+ _ret="$?"
+
+ # Check that we could create the temporary file
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} returned during PEM file creation"
+ [ -f "${_temppem}" ] && rm -f "${_temppem}"
+ return ${_ret}
+ fi
+
+ # Move PEM file into place
+ _info "Moving new certificate into place"
+ _debug _pem "${_pem}"
+ cat "${_temppem}" >"${_pem}"
+ _ret=$?
+
+ # Clean up temp file
+ [ -f "${_temppem}" ] && rm -f "${_temppem}"
+
+ # Deal with any failure of moving PEM file into place
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} returned while moving new certificate into place"
+ return ${_ret}
+ fi
+
+ # Update .issuer file if requested
+ if [ "${Le_Deploy_lighttpd_issuer}" = "yes" ]; then
+ _info "Updating .issuer file"
+ _debug _issuer "${_issuer}"
+ cat "${_cca}" >"${_issuer}"
+ _ret="$?"
+
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} returned while copying issuer/CA certificate into place"
+ return ${_ret}
+ fi
+ else
+ [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
+ fi
+
+ # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
+ if [ -z "${Le_OCSP_Staple}" ]; then
+ Le_OCSP_Staple="0"
+ fi
+ if [ "${Le_OCSP_Staple}" = "1" ]; then
+ _info "Updating OCSP stapling info"
+ _debug _ocsp "${_ocsp}"
+ _info "Extracting OCSP URL"
+ _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
+ _debug _ocsp_url "${_ocsp_url}"
+
+ # Only process OCSP if URL was present
+ if [ "${_ocsp_url}" != "" ]; then
+ # Extract the hostname from the OCSP URL
+ _info "Extracting OCSP URL"
+ _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3)
+ _debug _ocsp_host "${_ocsp_host}"
+
+ # Only process the certificate if we have a .issuer file
+ if [ -r "${_issuer}" ]; then
+ # Check if issuer cert is also a root CA cert
+ _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _debug _subjectdn "${_subjectdn}"
+ _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _debug _issuerdn "${_issuerdn}"
+ _info "Requesting OCSP response"
+ # If the issuer is a CA cert then our command line has "-CAfile" added
+ if [ "${_subjectdn}" = "${_issuerdn}" ]; then
+ _cafile_argument="-CAfile \"${_issuer}\""
+ else
+ _cafile_argument=""
+ fi
+ _debug _cafile_argument "${_cafile_argument}"
+ # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
+ _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
+ _debug _openssl_version "${_openssl_version}"
+ _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
+ _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
+ if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
+ _header_sep="="
+ else
+ _header_sep=" "
+ fi
+ # Request the OCSP response from the issuer and store it
+ _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
+ -issuer \"${_issuer}\" \
+ -cert \"${_pem}\" \
+ -url \"${_ocsp_url}\" \
+ -header Host${_header_sep}\"${_ocsp_host}\" \
+ -respout \"${_ocsp}\" \
+ -verify_other \"${_issuer}\" \
+ ${_cafile_argument} \
+ | grep -q \"${_pem}: good\""
+ _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
+ eval "${_openssl_ocsp_cmd}"
+ _ret=$?
+ else
+ # Non fatal: No issuer file was present so no OCSP stapling file created
+ _err "OCSP stapling in use but no .issuer file was present"
+ fi
+ else
+ # Non fatal: No OCSP url was found int the certificate
+ _err "OCSP update requested but no OCSP URL was found in certificate"
+ fi
+
+ # Non fatal: Check return code of openssl command
+ if [ "${_ret}" != "0" ]; then
+ _err "Updating OCSP stapling failed with return code ${_ret}"
+ fi
+ else
+ # An OCSP file was already present but certificate did not have OCSP extension
+ if [ -f "${_ocsp}" ]; then
+ _err "OCSP was not requested but .ocsp file exists."
+ # Could remove the file at this step, although Lighttpd just ignores it in this case
+ # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file"
+ fi
+ fi
+
+ # Reload Lighttpd
+ _debug _reload "${_reload}"
+ eval "${_reload}"
+ _ret=$?
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} during reload"
+ return ${_ret}
+ else
+ _info "Reload successful"
+ fi
+
+ return 0
+}
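Review bot: The deployed PEM written on L3204 with `cat "${_temppem}" >"${_pem}"` contains the private key (L3191 concatenates `_ckey` first), but nothing sets its mode, so a newly created `${_pem}` inherits the process umask and the key may end up readable by every local account. Create it restricted, e.g. `( umask 077; cat "${_temppem}" >"${_pem}" )` followed by `chmod 0600 "${_pem}"` to also cover a pre-existing file; whether `_mktemp` on L3189 already restricts the temporary file is not visible here. The OCSP command on L3275–L3283 is assembled as a string and run through `eval` on L3285, so `_ocsp_url`/`_ocsp_host`, which come from the certificate's AIA extension, and any quoting in the configured paths are re-parsed by the shell; invoking openssl directly with an argument list (adding `-CAfile "${_issuer}"` as separate words only when the issuer is self-signed) avoids that class of quoting bugs. The `_info "Extracting OCSP URL"` on L3245 repeats L3238 and presumably should read `_info "Extracting OCSP host"`.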
diff --git a/deploy/ssh.sh b/deploy/ssh.sh
index 18de4aa6..89962621 100644
--- a/deploy/ssh.sh
+++ b/deploy/ssh.sh
@@ -35,11 +35,6 @@ ssh_deploy() {
_cfullchain="$5"
_deploy_ssh_servers=""
- if [ -f "$DOMAIN_CONF" ]; then
- # shellcheck disable=SC1090
- . "$DOMAIN_CONF"
- fi
-
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
@@ -47,6 +42,8 @@ ssh_deploy() {
_debug _cfullchain "$_cfullchain"
# USER is required to login by SSH to remote host.
+ _getdeployconf DEPLOY_SSH_USER
+ _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
if [ -z "$DEPLOY_SSH_USER" ]; then
if [ -z "$Le_Deploy_ssh_user" ]; then
_err "DEPLOY_SSH_USER not defined."
@@ -58,6 +55,8 @@ ssh_deploy() {
fi
# SERVER is optional. If not provided then use _cdomain
+ _getdeployconf DEPLOY_SSH_SERVER
+ _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
if [ -n "$DEPLOY_SSH_SERVER" ]; then
Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER"
_savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server"
@@ -66,6 +65,8 @@ ssh_deploy() {
fi
# CMD is optional. If not provided then use ssh
+ _getdeployconf DEPLOY_SSH_CMD
+ _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
if [ -n "$DEPLOY_SSH_CMD" ]; then
Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD"
_savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
@@ -74,6 +75,8 @@ ssh_deploy() {
fi
# BACKUP is optional. If not provided then default to previously saved value or yes.
+ _getdeployconf DEPLOY_SSH_BACKUP
+ _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then
Le_Deploy_ssh_backup="no"
elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
@@ -82,6 +85,8 @@ ssh_deploy() {
_savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup"
# BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
+ _getdeployconf DEPLOY_SSH_BACKUP_PATH
+ _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then
Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH"
elif [ -z "$Le_Deploy_ssh_backup_path" ]; then
@@ -91,6 +96,8 @@ ssh_deploy() {
# MULTI_CALL is optional. If not provided then default to previously saved
# value (which may be undefined... equivalent to "no").
+ _getdeployconf DEPLOY_SSH_MULTI_CALL
+ _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
Le_Deploy_ssh_multi_call="yes"
_savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call"
@@ -141,6 +148,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# KEYFILE is optional.
# If provided then private key will be copied to provided filename.
+ _getdeployconf DEPLOY_SSH_KEYFILE
+ _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE"
_savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile"
@@ -163,6 +172,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# CERTFILE is optional.
# If provided then certificate will be copied or appended to provided filename.
+ _getdeployconf DEPLOY_SSH_CERTFILE
+ _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE"
_savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile"
@@ -189,6 +200,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# CAFILE is optional.
# If provided then CA intermediate certificate will be copied or appended to provided filename.
+ _getdeployconf DEPLOY_SSH_CAFILE
+ _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
if [ -n "$DEPLOY_SSH_CAFILE" ]; then
Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE"
_savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
@@ -216,6 +229,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# FULLCHAIN is optional.
# If provided then fullchain certificate will be copied or appended to provided filename.
+ _getdeployconf DEPLOY_SSH_FULLCHAIN
+ _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN"
_savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
@@ -244,6 +259,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# REMOTE_CMD is optional.
# If provided then this command will be executed on remote host.
+ _getdeployconf DEPLOY_SSH_REMOTE_CMD
+ _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD"
_savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index 25d43efb..66e28f93 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -2,8 +2,7 @@
# Here is a script to deploy cert to Synology DSM
#
-# it requires the jq and curl are in the $PATH and the following
-# environment variables must be set:
+# It requires following environment variables:
#
# SYNO_Username - Synology Username to login (must be an administrator)
# SYNO_Password - Synology Password to login
@@ -16,6 +15,12 @@
# SYNO_Hostname - defaults to localhost
# SYNO_Port - defaults to 5000
# SYNO_DID - device ID to skip OTP - defaults to empty
+# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty
+#
+# Dependencies:
+# -------------
+# - jq and curl
+# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set)
#
#returns 0 means success, otherwise error.
@@ -36,6 +41,7 @@ synology_dsm_deploy() {
_getdeployconf SYNO_Password
_getdeployconf SYNO_Create
_getdeployconf SYNO_DID
+ _getdeployconf SYNO_TOTP_SECRET
if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
_err "SYNO_Username & SYNO_Password must be set"
return 1
@@ -66,6 +72,12 @@ synology_dsm_deploy() {
_getdeployconf SYNO_Certificate
_debug SYNO_Certificate "${SYNO_Certificate:-}"
+ # shellcheck disable=SC1003 # We are not trying to escape a single quote
+ if printf "%s" "$SYNO_Certificate" | grep '\\'; then
+ _err "Do not use a backslash (\) in your certificate description"
+ return 1
+ fi
+
_base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
_debug _base_url "$_base_url"
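Review bot: `grep '\\'` on L3462 is used only for its exit status, but its stdout is not discarded, so a matching description is echoed to the hook's stdout before the error; redirect it the way L3527 does, `if printf "%s" "$SYNO_Certificate" | grep '\\' >/dev/null; then`. A short comment above the check saying that the description is later embedded in sed expressions, which is why a backslash cannot be supported, would explain the restriction to the next reader. synology_dsm_deploy continues outside the hunk.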
@@ -80,13 +92,18 @@ synology_dsm_deploy() {
encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
+ otp_code=""
+ if [ -n "$SYNO_TOTP_SECRET" ]; then
+ otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
+ fi
+
if [ -n "$SYNO_DID" ]; then
_H1="Cookie: did=$SYNO_DID"
export _H1
_debug3 H1 "${_H1}"
fi
- response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+ response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
_debug3 response "$response"
_debug token "$token"
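Review bot: The `oathtool` call on L3474 has no presence check and its stderr is discarded, so on a host without oathtool `otp_code` stays empty and the user only sees the generic authentication failure; guard it with `if ! _exists oathtool; then _err "oathtool is required when SYNO_TOTP_SECRET is set"; return 1; fi` and consider logging a failure instead of dropping stderr. Passing the seed as a command-line argument also makes it visible in the process list to other local users for the duration of the call; if oathtool can read the key from a file or stdin that is preferable, otherwise a comment acknowledging the exposure is warranted. synology_dsm_deploy continues outside the hunk.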
@@ -94,6 +111,7 @@ synology_dsm_deploy() {
if [ -z "$token" ]; then
_err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
_err "Check your username and password."
+ _err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET."
return 1
fi
sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
@@ -106,11 +124,14 @@ synology_dsm_deploy() {
_savedeployconf SYNO_Username "$SYNO_Username"
_savedeployconf SYNO_Password "$SYNO_Password"
_savedeployconf SYNO_DID "$SYNO_DID"
+ _savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET"
_info "Getting certificates in Synology DSM"
response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
_debug3 response "$response"
- id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
+ escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
+ _debug escaped_certificate "$escaped_certificate"
+ id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
_debug2 id "$id"
if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
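Review bot: `escaped_certificate` on L3504 escapes `] . * ^ $ [` and `"` but not `/`, which is the delimiter of the `s/.../.../p` expressions that consume it on L3506 and L3527, so a description containing a slash becomes a sed syntax error, `id` comes back empty, and with `SYNO_Create` unset the run is reported as a missing certificate; append `;s,/,\\/,g` to the sed script on L3504 or switch the consuming expressions to a delimiter that cannot appear in a description. Saving `SYNO_TOTP_SECRET` on L3499 stores the long-lived second factor next to the password in the deploy conf, the same trade-off as `SYNO_DID` but worth a sentence in the header comment so operators know that file now holds both factors. synology_dsm_deploy continues outside the hunk.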
@@ -119,13 +140,7 @@ synology_dsm_deploy() {
fi
# we've verified this certificate description is a thing, so save it
- _savedeployconf SYNO_Certificate "$SYNO_Certificate"
-
- default=""
- if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
- default=true
- fi
- _debug2 default "$default"
+ _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
_info "Generate form POST request"
nl="\0015\0012"
@@ -135,7 +150,12 @@ synology_dsm_deploy() {
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
- content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
+ if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
+ _debug2 default "this is the default certificate"
+ content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
+ else
+ _debug2 default "this is NOT the default certificate"
+ fi
content="$content${nl}--$delim--${nl}"
content="$(printf "%b_" "$content")"
content="${content%_}" # protect trailing \n
diff --git a/dnsapi/dns_1984hosting.sh b/dnsapi/dns_1984hosting.sh
index d720c1c5..db0cbe15 100755
--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@@ -46,7 +46,7 @@ dns_1984hosting_add() {
postdata="entry=new"
postdata="$postdata&type=TXT"
- postdata="$postdata&ttl=3600"
+ postdata="$postdata&ttl=900"
postdata="$postdata&zone=$_domain"
postdata="$postdata&host=$_sub_domain"
postdata="$postdata&rdata=%22$value%22"
@@ -59,7 +59,7 @@ dns_1984hosting_add() {
if _contains "$response" '"haserrors": true'; then
_err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post"
return 1
- elif _contains "$response" ""; then
+ elif _contains "$response" "html>"; then
_err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file"
return 1
elif _contains "$response" '"auth": false'; then
@@ -93,20 +93,15 @@ dns_1984hosting_rm() {
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
-
_debug "Delete $fulldomain TXT record"
- url="https://management.1984hosting.com/domains"
- _htmlget "$url" "$_domain"
- _debug2 _response "$_response"
- zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+')"
- _debug2 zone_id "$zone_id"
- if [ -z "$zone_id" ]; then
- _err "Error getting zone_id for $1"
+ url="https://management.1984hosting.com/domains"
+ if ! _get_zone_id "$url" "$_domain"; then
+ _err "invalid zone" "$_domain"
return 1
fi
- _htmlget "$url/$zone_id" "$_sub_domain"
+ _htmlget "$url/$_zone_id" "$txtvalue"
_debug2 _response "$_response"
entry_id="$(echo "$_response" | _egrep_o 'entry_[0-9]+' | sed 's/entry_//')"
_debug2 entry_id "$entry_id"
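Review bot: `txtvalue` is used on L3576 but not assigned anywhere in this hunk; if the preamble of `dns_1984hosting_rm` (outside the hunk) does not set it from `$2`, the `_htmlget` lookup matches nothing and `entry_id` is empty, so that assignment should be confirmed or added. `_err "invalid zone" "$_domain"` on L3572 passes two arguments where every other `_err` on this page passes one string; `_err "invalid zone $_domain"` matches the file's style. dns_1984hosting_rm continues outside the hunk.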
@@ -135,7 +130,7 @@ dns_1984hosting_rm() {
_1984hosting_login() {
if ! _check_credentials; then return 1; fi
- if _check_cookie; then
+ if _check_cookies; then
_debug "Already logged in"
return 0
fi
@@ -145,14 +140,17 @@ _1984hosting_login() {
password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
url="https://management.1984hosting.com/accounts/checkuserauth/"
- response="$(_post "username=$username&password=$password&otpkey=" "$url")"
+ response="$(_post "username=$username&password=$password&otpkey=" $url)"
response="$(echo "$response" | _normalizeJson)"
_debug2 response "$response"
if _contains "$response" '"loggedin": true'; then
- One984HOSTING_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _tail_n 1 | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
- export One984HOSTING_COOKIE
- _saveaccountconf_mutable One984HOSTING_COOKIE "$One984HOSTING_COOKIE"
+ One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
+ One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
+ export One984HOSTING_SESSIONID_COOKIE
+ export One984HOSTING_CSRFTOKEN_COOKIE
+ _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
+ _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
return 0
fi
return 1
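Review bot: The `_post` call on L3592 dropped the quotes around `$url` that the removed L3591 had; the value has no whitespace today so it works, but it is a shellcheck SC2086 regression against the quoting used for every other `_post`/`_get` argument in this file, so restore `response="$(_post "username=$username&password=$password&otpkey=" "$url")"`. `otpkey=` is always sent empty on that line, so an account with OTP enabled presumably fails at login with no hint; a `_debug` or `_err` noting that OTP is not supported would make that failure mode clear. _1984hosting_login continues outside the hunk.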
@@ -169,22 +167,24 @@ _check_credentials() {
return 0
}
-_check_cookie() {
- One984HOSTING_COOKIE="${One984HOSTING_COOKIE:-$(_readaccountconf_mutable One984HOSTING_COOKIE)}"
- if [ -z "$One984HOSTING_COOKIE" ]; then
- _debug "No cached cookie found"
+_check_cookies() {
+ One984HOSTING_SESSIONID_COOKIE="${One984HOSTING_SESSIONID_COOKIE:-$(_readaccountconf_mutable One984HOSTING_SESSIONID_COOKIE)}"
+ One984HOSTING_CSRFTOKEN_COOKIE="${One984HOSTING_CSRFTOKEN_COOKIE:-$(_readaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE)}"
+ if [ -z "$One984HOSTING_SESSIONID_COOKIE" ] || [ -z "$One984HOSTING_CSRFTOKEN_COOKIE" ]; then
+ _debug "No cached cookie(s) found"
return 1
fi
_authget "https://management.1984hosting.com/accounts/loginstatus/"
- response="$(echo "$_response" | _normalizeJson)"
if _contains "$response" '"ok": true'; then
- _debug "Cached cookie still valid"
+ _debug "Cached cookies still valid"
return 0
fi
- _debug "Cached cookie no longer valid"
- One984HOSTING_COOKIE=""
- _saveaccountconf_mutable One984HOSTING_COOKIE "$One984HOSTING_COOKIE"
+ _debug "Cached cookies no longer valid"
+ One984HOSTING_SESSIONID_COOKIE=""
+ One984HOSTING_CSRFTOKEN_COOKIE=""
+ _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
+ _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
return 1
}
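Review bot: L3623 removes the line that set `response`, but L3624 still tests `$response`, so `_check_cookies` now inspects whatever an earlier call left in that variable (or nothing) rather than the login-status reply that `_authget` stores in `_response`; in practice the cached cookies will be reported invalid and re-login forced on every run. Since `_authget` now normalizes the JSON itself (see its hunk below), the fix is to read the right variable: `if _contains "$_response" '"ok": true'; then`. Worth checking that the space after the colon survives `_normalizeJson`, as the login check on L3595 has the same dependency.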
@@ -194,7 +194,7 @@ _check_cookie() {
# _domain=domain.com
_get_root() {
domain="$1"
- i=2
+ i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -205,7 +205,7 @@ _get_root() {
fi
_authget "https://management.1984hosting.com/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
- if _contains "$_response" "serial"; then
+ if _contains "$_response" "serial" && ! _contains "$_response" "null"; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain="$h"
return 0
@@ -216,21 +216,46 @@ _get_root() {
return 1
}
+#usage: _get_zone_id url domain.com
+#returns zone id for domain.com
+_get_zone_id() {
+ url=$1
+ domain=$2
+ _htmlget "$url" "$domain"
+ _debug2 _response "$_response"
+ _zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+' | _head_n 1)"
+ _debug2 _zone_id "$_zone_id"
+ if [ -z "$_zone_id" ]; then
+ _err "Error getting _zone_id for $2"
+ return 1
+ fi
+ return 0
+}
+
# add extra headers to request
_authget() {
- export _H1="Cookie: $One984HOSTING_COOKIE"
- _response=$(_get "$1")
+ export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+ _response=$(_get "$1" | _normalizeJson)
+ _debug2 _response "$_response"
}
# truncate huge HTML response
# echo: Argument list too long
_htmlget() {
- export _H1="Cookie: $One984HOSTING_COOKIE"
- _response=$(_get "$1" | grep "$2" | _head_n 1)
+ export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+ _response=$(_get "$1" | grep "$2")
+ if _contains "$_response" "@$2"; then
+ _response=$(echo "$_response" | grep -v "[@]" | _head_n 1)
+ fi
}
# add extra headers to request
_authpost() {
- export _H1="Cookie: $One984HOSTING_COOKIE"
+ url="https://management.1984hosting.com/domains"
+ _get_zone_id "$url" "$_domain"
+ csrf_header="$(echo "$One984HOSTING_CSRFTOKEN_COOKIE" | _egrep_o "=[^=][0-9a-zA-Z]*" | tr -d "=")"
+ export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+ export _H2="Referer: https://management.1984hosting.com/domains/$_zone_id"
+ export _H3="X-CSRFToken: $csrf_header"
_response=$(_post "$1" "$2")
}
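Review bot: `_authpost` calls `_get_zone_id` on L3698 but discards its result, so when the lookup fails the `Referer` on L3701 is built with an empty `$_zone_id` and the POST is still sent; guard it with `if ! _get_zone_id "$url" "$_domain"; then return 1; fi`. `_authpost` also exports `_H2` and `_H3` while `_authget` and `_htmlget` only set `_H1`, so if acme.sh's `_get` reads all `_H*` variables the CSRF token and Referer from a previous POST ride along on later GETs; clearing `_H2`/`_H3` in those two helpers avoids the leak. Separately, `_htmlget` on L3689 uses `$2` as a grep regex, and L3576 now passes `$txtvalue` there, so a value starting with `-` or containing regex metacharacters would change what is matched; `grep -F -- "$2"` is the safer form.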
diff --git a/dnsapi/dns_aws.sh b/dnsapi/dns_aws.sh
index 068c337c..14a4594d 100755
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@@ -32,7 +32,7 @@ dns_aws_add() {
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
AWS_ACCESS_KEY_ID=""
AWS_SECRET_ACCESS_KEY=""
- _err "You haven't specifed the aws route53 api key id and and api key secret yet."
+ _err "You haven't specified the aws route53 api key id and and api key secret yet."
_err "Please create your key and try again. see $(__green $AWS_WIKI)"
return 1
fi
diff --git a/dnsapi/dns_azion.sh b/dnsapi/dns_azion.sh
new file mode 100644
index 00000000..f215686d
--- /dev/null
+++ b/dnsapi/dns_azion.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/env sh
+
+#
+#AZION_Email=""
+#AZION_Password=""
+#
+
+AZION_Api="https://api.azionapi.net"
+
+######## Public functions ########
+
+# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_azion_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug "Detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "Domain not found"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ _debug _domain_id "$_domain_id"
+
+ _info "Add or update record"
+ _get_record "$_domain_id" "$_sub_domain"
+ if [ "$record_id" ]; then
+ _payload="{\"record_type\": \"TXT\", \"entry\": \"$_sub_domain\", \"answers_list\": [$answers_list, \"$txtvalue\"], \"ttl\": 20}"
+ if _azion_rest PUT "intelligent_dns/$_domain_id/records/$record_id" "$_payload"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Record updated."
+ return 0
+ fi
+ fi
+ else
+ _payload="{\"record_type\": \"TXT\", \"entry\": \"$_sub_domain\", \"answers_list\": [\"$txtvalue\"], \"ttl\": 20}"
+ if _azion_rest POST "intelligent_dns/$_domain_id/records" "$_payload"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Record added."
+ return 0
+ fi
+ fi
+ fi
+ _err "Failed to add or update record."
+ return 1
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+dns_azion_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug "Detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "Domain not found"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ _debug _domain_id "$_domain_id"
+
+ _info "Removing record"
+ _get_record "$_domain_id" "$_sub_domain"
+ if [ "$record_id" ]; then
+ if _azion_rest DELETE "intelligent_dns/$_domain_id/records/$record_id"; then
+ _info "Record removed."
+ return 0
+ else
+ _err "Failed to remove record."
+ return 1
+ fi
+ else
+ _info "Record not found or already removed."
+ return 0
+ fi
+}
+
+#################### Private functions below ##################################
+# Usage: _acme-challenge.www.domain.com
+# returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ if ! _azion_rest GET "intelligent_dns"; then
+ return 1
+ fi
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ # not valid
+ return 1
+ fi
+
+ if _contains "$response" "\"domain\":\"$h\""; then
+ _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"domain\":\"$h\"" | _egrep_o "\"id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ _debug _domain_id "$_domain_id"
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_get_record() {
+ _domain_id=$1
+ _record=$2
+
+ if ! _azion_rest GET "intelligent_dns/$_domain_id/records"; then
+ return 1
+ fi
+
+ if _contains "$response" "\"entry\":\"$_record\""; then
+ _json_record=$(echo "$response" | tr '{' "\n" | grep "\"entry\":\"$_record\"")
+ if [ "$_json_record" ]; then
+ record_id=$(echo "$_json_record" | _egrep_o "\"record_id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ answers_list=$(echo "$_json_record" | _egrep_o "\"answers_list\":\[.*\]" | _head_n 1 | cut -d : -f 2 | tr -d \[\])
+ return 0
+ fi
+ return 1
+ fi
+ return 1
+}
+
+_get_token() {
+ AZION_Email="${AZION_Email:-$(_readaccountconf_mutable AZION_Email)}"
+ AZION_Password="${AZION_Password:-$(_readaccountconf_mutable AZION_Password)}"
+
+ if ! _contains "$AZION_Email" "@"; then
+ _err "It seems that the AZION_Email is not a valid email address. Revalidate your environments."
+ return 1
+ fi
+
+ if [ -z "$AZION_Email" ] || [ -z "$AZION_Password" ]; then
+ _err "You didn't specified a AZION_Email/AZION_Password to generate Azion token."
+ return 1
+ fi
+
+ _saveaccountconf_mutable AZION_Email "$AZION_Email"
+ _saveaccountconf_mutable AZION_Password "$AZION_Password"
+
+ _basic_auth=$(printf "%s:%s" "$AZION_Email" "$AZION_Password" | _base64)
+ _debug _basic_auth "$_basic_auth"
+
+ export _H1="Accept: application/json; version=3"
+ export _H2="Content-Type: application/json"
+ export _H3="Authorization: Basic $_basic_auth"
+
+ response="$(_post "" "$AZION_Api/tokens" "" "POST")"
+ if _contains "$response" "\"token\":\"" >/dev/null; then
+ _azion_token=$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")
+ export AZION_Token="$_azion_token"
+ else
+ _err "Failed to generate Azion token"
+ return 1
+ fi
+}
+
+_azion_rest() {
+ _method=$1
+ _uri="$2"
+ _data="$3"
+
+ if [ -z "$AZION_Token" ]; then
+ _get_token
+ fi
+ _debug2 token "$AZION_Token"
+
+ export _H1="Accept: application/json; version=3"
+ export _H2="Content-Type: application/json"
+ export _H3="Authorization: token $AZION_Token"
+
+ if [ "$_method" != "GET" ]; then
+ _debug _data "$_data"
+ response="$(_post "$_data" "$AZION_Api/$_uri" "" "$_method")"
+ else
+ response="$(_get "$AZION_Api/$_uri")"
+ fi
+
+ _debug2 response "$response"
+
+ if [ "$?" != "0" ]; then
+ _err "error $_method $_uri $_data"
+ return 1
+ fi
+ return 0
+}
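Review bot: The status check on L3922 tests `$?` of the `_debug2` call on L3920, not of the `_post`/`_get` that produced `response`, so a failed request is never reported and `_azion_rest` always returns 0; capture it first, `_ret="$?"` right after the `fi` on L3918, and then test `if [ "$_ret" != "0" ]; then`. L3883 and L3907 write the Basic-auth credential and the API token to the debug log with `_debug`/`_debug2`; acme.sh provides `_secure_debug` and `_secure_debug2` for exactly these values and they should be used here. In `_get_token` the `@` check on L3869 runs before the empty check on L3874, so an unset `AZION_Email` produces the misleading "not a valid email address" error; swapping the two blocks gives the intended message.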
diff --git a/dnsapi/dns_cpanel.sh b/dnsapi/dns_cpanel.sh
new file mode 100755
index 00000000..f91725a4
--- /dev/null
+++ b/dnsapi/dns_cpanel.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env sh
+#
+#Author: Bjarne Saltbaek
+#Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/3732
+#
+#
+######## Public functions #####################
+#
+# Export CPANEL username,api token and hostname in the following variables
+#
+# cPanel_Username=username
+# cPanel_Apitoken=apitoken
+# cPanel_Hostname=hostname
+#
+# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_cpanel_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _info "Adding TXT record to cPanel based system"
+ _debug fulldomain "$fulldomain"
+ _debug txtvalue "$txtvalue"
+ _debug cPanel_Username "$cPanel_Username"
+ _debug cPanel_Apitoken "$cPanel_Apitoken"
+ _debug cPanel_Hostname "$cPanel_Hostname"
+
+ if ! _cpanel_login; then
+ _err "cPanel Login failed for user $cPanel_Username. Check $HTTP_HEADER file"
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "No matching root domain for $fulldomain found"
+ return 1
+ fi
+ # adding entry
+ _info "Adding the entry"
+ stripped_fulldomain=$(echo "$fulldomain" | sed "s/.$_domain//")
+ _debug "Adding $stripped_fulldomain to $_domain zone"
+ _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=add_zone_record&domain=$_domain&name=$stripped_fulldomain&type=TXT&txtdata=$txtvalue&ttl=1"
+ if _successful_update; then return 0; fi
+ _err "Couldn't create entry!"
+ return 1
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+dns_cpanel_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _info "Using cPanel based system"
+ _debug fulldomain "$fulldomain"
+ _debug txtvalue "$txtvalue"
+
+ if ! _cpanel_login; then
+ _err "cPanel Login failed for user $cPanel_Username. Check $HTTP_HEADER file"
+ return 1
+ fi
+
+ if ! _get_root; then
+ _err "No matching root domain for $fulldomain found"
+ return 1
+ fi
+
+ _findentry "$fulldomain" "$txtvalue"
+ if [ -z "$_id" ]; then
+ _info "Entry doesn't exist, nothing to delete"
+ return 0
+ fi
+ _debug "Deleting record..."
+ _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=remove_zone_record&domain=$_domain&line=$_id"
+ # removing entry
+ _debug "_result is: $_result"
+
+ if _successful_update; then return 0; fi
+ _err "Couldn't delete entry!"
+ return 1
+}
+
+#################### Private functions below ##################################
+
+_checkcredentials() {
+ cPanel_Username="${cPanel_Username:-$(_readaccountconf_mutable cPanel_Username)}"
+ cPanel_Apitoken="${cPanel_Apitoken:-$(_readaccountconf_mutable cPanel_Apitoken)}"
+ cPanel_Hostname="${cPanel_Hostname:-$(_readaccountconf_mutable cPanel_Hostname)}"
+
+ if [ -z "$cPanel_Username" ] || [ -z "$cPanel_Apitoken" ] || [ -z "$cPanel_Hostname" ]; then
+ cPanel_Username=""
+ cPanel_Apitoken=""
+ cPanel_Hostname=""
+ _err "You haven't specified cPanel username, apitoken and hostname yet."
+ _err "Please add credentials and try again."
+ return 1
+ fi
+ #save the credentials to the account conf file.
+ _saveaccountconf_mutable cPanel_Username "$cPanel_Username"
+ _saveaccountconf_mutable cPanel_Apitoken "$cPanel_Apitoken"
+ _saveaccountconf_mutable cPanel_Hostname "$cPanel_Hostname"
+ return 0
+}
+
+_cpanel_login() {
+ if ! _checkcredentials; then return 1; fi
+
+ if ! _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=CustInfo&cpanel_jsonapi_func=displaycontactinfo"; then
+ _err "cPanel login failed for user $cPanel_Username."
+ return 1
+ fi
+ return 0
+}
+
+_myget() {
+ #Adds auth header to request
+ export _H1="Authorization: cpanel $cPanel_Username:$cPanel_Apitoken"
+ _result=$(_get "$cPanel_Hostname/$1")
+}
+
+_get_root() {
+ _myget 'json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzones'
+ _domains=$(echo "$_result" | sed 's/.*\(zones.*\[\).*/\1/' | cut -d':' -f2 | sed 's/"//g' | sed 's/{//g')
+ _debug "_result is: $_result"
+ _debug "_domains is: $_domains"
+ if [ -z "$_domains" ]; then
+ _err "Primary domain list not found!"
+ return 1
+ fi
+ for _domain in $_domains; do
+ _debug "Checking if $fulldomain ends with $_domain"
+ if (_endswith "$fulldomain" "$_domain"); then
+ _debug "Root domain: $_domain"
+ return 0
+ fi
+ done
+ return 1
+}
+
+_successful_update() {
+ if (echo "$_result" | grep -q 'newserial'); then return 0; fi
+ return 1
+}
+
+_findentry() {
+ _debug "In _findentry"
+ #returns id of dns entry, if it exists
+ _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$_domain"
+ _id=$(echo "$_result" | sed "s/.*\(line.*$fulldomain.*$txtvalue\).*/\1/" | cut -d ':' -f 2 | cut -d ',' -f 1)
+ _debug "_result is: $_result"
+ _debug "fulldomain. is $fulldomain."
+ _debug "txtvalue is $txtvalue"
+ _debug "_id is: $_id"
+ if [ -n "$_id" ]; then
+ _debug "Entry found with _id=$_id"
+ return 0
+ fi
+ return 1
+}
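Review bot: L3958 logs `cPanel_Apitoken` with `_debug`, which puts the API token in plain text in every `--debug` log that users are asked to attach to issues; use `_secure_debug cPanel_Apitoken "$cPanel_Apitoken"` instead. In `_findentry`, the `sed` on L4082 prints its input unchanged when the pattern does not match, so `_id` becomes a slice of the whole response rather than empty and `dns_cpanel_rm` then calls `remove_zone_record` with a bogus `line`; `sed -n "s/.*\(line.*$fulldomain.*$txtvalue\).*/\1/p"` yields an empty `_id` on no match, which is what the `-z` test on L4002 expects. L3996 calls `_get_root` without an argument and L3967 with one; the function works only because it reads the global `fulldomain`, so the calls should be made consistent. L3975 interpolates `$txtvalue` into a query string without URL-encoding; acme.sh's `_url_encode` is available for that.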
diff --git a/dnsapi/dns_desec.sh b/dnsapi/dns_desec.sh
index f64660a8..495a6780 100644
--- a/dnsapi/dns_desec.sh
+++ b/dnsapi/dns_desec.sh
@@ -20,21 +20,17 @@ dns_desec_add() {
_debug txtvalue "$txtvalue"
DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
- DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
- if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+ if [ -z "$DEDYN_TOKEN" ]; then
DEDYN_TOKEN=""
- DEDYN_NAME=""
- _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
+ _err "You did not specify DEDYN_TOKEN yet."
_err "Please create your key and try again."
_err "e.g."
_err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
- _err "export DEDYN_NAME=foobar.dedyn.io"
return 1
fi
- #save the api token and name to the account conf file.
+ #save the api token to the account conf file.
_saveaccountconf_mutable DEDYN_TOKEN "$DEDYN_TOKEN"
- _saveaccountconf_mutable DEDYN_NAME "$DEDYN_NAME"
_debug "First detect the root zone"
if ! _get_root "$fulldomain" "$REST_API/"; then
@@ -47,7 +43,7 @@ dns_desec_add() {
# Get existing TXT record
_debug "Getting txt records"
txtvalues="\"\\\"$txtvalue\\\"\""
- _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+ _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
if [ "$_code" = "200" ]; then
oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -63,7 +59,7 @@ dns_desec_add() {
_info "Adding record"
body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
- if _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"; then
+ if _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"; then
if _contains "$response" "$txtvalue"; then
_info "Added, OK"
return 0
@@ -87,16 +83,13 @@ dns_desec_rm() {
_debug txtvalue "$txtvalue"
DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
- DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
- if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+ if [ -z "$DEDYN_TOKEN" ]; then
DEDYN_TOKEN=""
- DEDYN_NAME=""
- _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
+ _err "You did not specify DEDYN_TOKEN yet."
_err "Please create your key and try again."
_err "e.g."
_err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
- _err "export DEDYN_NAME=foobar.dedyn.io"
return 1
fi
@@ -112,7 +105,7 @@ dns_desec_rm() {
# Get existing TXT record
_debug "Getting txt records"
txtvalues=""
- _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+ _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
if [ "$_code" = "200" ]; then
oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -131,7 +124,7 @@ dns_desec_rm() {
_info "Deleting record"
body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
- _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"
+ _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"
if [ "$_code" = "200" ]; then
_info "Deleted, OK"
return 0
diff --git a/dnsapi/dns_gcloud.sh b/dnsapi/dns_gcloud.sh
index 03060a8c..d560996c 100755
--- a/dnsapi/dns_gcloud.sh
+++ b/dnsapi/dns_gcloud.sh
@@ -163,5 +163,8 @@ _dns_gcloud_get_rrdatas() {
return 1
fi
ttl=$(echo "$rrdatas" | cut -f1)
- rrdatas=$(echo "$rrdatas" | cut -f2 | sed 's/","/"\n"/g')
+ # starting with version 353.0.0 gcloud seems to
+ # separate records with a semicolon instead of commas
+ # see also https://cloud.google.com/sdk/docs/release-notes#35300_2021-08-17
+ rrdatas=$(echo "$rrdatas" | cut -f2 | sed 's/"[,;]"/"\n"/g')
}
diff --git a/dnsapi/dns_he.sh b/dnsapi/dns_he.sh
index ef09fa0a..bf4a5030 100755
--- a/dnsapi/dns_he.sh
+++ b/dnsapi/dns_he.sh
@@ -85,7 +85,7 @@ dns_he_rm() {
_debug "The txt record is not found, just skip"
return 0
fi
- _record_id="$(echo "$response" | tr -d "#" | sed "s//dev/null | ${ACME_OPENSSL_BIN:-openssl} md5 -c | cut -d = -f 2 | tr -d ' '
+
+}
+
+_signed_request() {
+
+ _sig_method="$1"
+ _sig_target="$2"
+ _sig_body="$3"
+ _return_field="$4"
+
+ _key_fingerprint=$(_fingerprint "$OCI_CLI_KEY")
+ _sig_host="dns.$OCI_CLI_REGION.oraclecloud.com"
+ _sig_keyId="$OCI_CLI_TENANCY/$OCI_CLI_USER/$_key_fingerprint"
+ _sig_alg="rsa-sha256"
+ _sig_version="1"
+ _sig_now="$(LC_ALL=C \date -u "+%a, %d %h %Y %H:%M:%S GMT")"
+
+ _request_method=$(printf %s "$_sig_method" | _lower_case)
+ _curl_method=$(printf %s "$_sig_method" | _upper_case)
+
+ _request_target="(request-target): $_request_method $_sig_target"
+ _date_header="date: $_sig_now"
+ _host_header="host: $_sig_host"
+
+ _string_to_sign="$_request_target\n$_date_header\n$_host_header"
+ _sig_headers="(request-target) date host"
+
+ if [ "$_sig_body" ]; then
+ _secure_debug3 _sig_body "$_sig_body"
+ _sig_body_sha256="x-content-sha256: $(printf %s "$_sig_body" | _digest sha256)"
+ _sig_body_type="content-type: application/json"
+ _sig_body_length="content-length: ${#_sig_body}"
+ _string_to_sign="$_string_to_sign\n$_sig_body_sha256\n$_sig_body_type\n$_sig_body_length"
+ _sig_headers="$_sig_headers x-content-sha256 content-type content-length"
+ fi
+
+ _tmp_file=$(_mktemp)
+ if [ -f "$_tmp_file" ]; then
+ printf '%s' "$OCI_CLI_KEY" >"$_tmp_file"
+ _signature=$(printf '%b' "$_string_to_sign" | _sign "$_tmp_file" sha256 | tr -d '\r\n')
+ rm -f "$_tmp_file"
+ fi
+
+ _signed_header="Authorization: Signature version=\"$_sig_version\",keyId=\"$_sig_keyId\",algorithm=\"$_sig_alg\",headers=\"$_sig_headers\",signature=\"$_signature\""
+ _secure_debug3 _signed_header "$_signed_header"
+
+ if [ "$_curl_method" = "GET" ]; then
+ export _H1="$_date_header"
+ export _H2="$_signed_header"
+ _response="$(_get "https://${_sig_host}${_sig_target}")"
+ elif [ "$_curl_method" = "PATCH" ]; then
+ export _H1="$_date_header"
+ export _H2="$_sig_body_sha256"
+ export _H3="$_sig_body_type"
+ export _H4="$_sig_body_length"
+ export _H5="$_signed_header"
+ _response="$(_post "$_sig_body" "https://${_sig_host}${_sig_target}" "" "PATCH")"
+ else
+ _err "Unable to process method: $_curl_method."
+ fi
+
+ _ret="$?"
+ if [ "$_return_field" ]; then
+ _response="$(echo "$_response" | sed 's/\\\"//g'))"
+ _return=$(echo "${_response}" | _egrep_o "\"$_return_field\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
+ else
+ _return="$_response"
+ fi
+
+ printf "%s" "$_return"
+ return $_ret
+
+}
+
+# file key [section]
+_readini() {
+ _file="$1"
+ _key="$2"
+ _section="${3:-DEFAULT}"
+
+ _start_n=$(grep -n '\['"$_section"']' "$_file" | cut -d : -f 1)
+ _debug3 _start_n "$_start_n"
+ if [ -z "$_start_n" ]; then
+ _err "Can not find section: $_section"
+ return 1
+ fi
+
+ _start_nn=$(_math "$_start_n" + 1)
+ _debug3 "_start_nn" "$_start_nn"
+
+ _left="$(sed -n "${_start_nn},99999p" "$_file")"
+ _debug3 _left "$_left"
+ _end="$(echo "$_left" | grep -n "^\[" | _head_n 1)"
+ _debug3 "_end" "$_end"
+ if [ "$_end" ]; then
+ _end_n=$(echo "$_end" | cut -d : -f 1)
+ _debug3 "_end_n" "$_end_n"
+ _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
+ else
+ _seg_n="$_left"
+ fi
+
+ _debug3 "_seg_n" "$_seg_n"
+ _lineini="$(echo "$_seg_n" | grep "^ *$_key *= *")"
+ _inivalue="$(printf "%b" "$(eval "echo $_lineini | sed \"s/^ *${_key} *= *//g\"")")"
+ _debug2 _inivalue "$_inivalue"
+ echo "$_inivalue"
+
+}
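Review bot: `_readini` runs `eval` on a line read from the config file on L4294, so any shell metacharacters in a value are executed rather than returned; if the intent is only to strip the `key =` prefix, `_inivalue="$(printf "%b" "$(echo "$_lineini" | sed "s/^ *${_key} *= *//g")")"` does that without evaluation, and if `~` or variable expansion in path values is wanted it should be done explicitly for those keys. On L4253 `sed 's/\\\"//g'))"` has one `)` too many; inside the double quotes it is not a syntax error but a literal `)` appended to `_response`, which the callers that use `_response` directly (the `else` branch on L4256) will see. Note that this hunk's file header is lost in the extraction at L4189, where it is fused onto the dns_he.sh hunk, so the patched file is not named in the visible text.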
diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh
index 069f6c32..26a422f8 100755
--- a/dnsapi/dns_opnsense.sh
+++ b/dnsapi/dns_opnsense.sh
@@ -150,7 +150,7 @@ _get_root() {
return 1
fi
_debug h "$h"
- id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\"(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
+ id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":{\"\":{[^}]*}}(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
if [ -n "$id" ]; then
_debug id "$id"
diff --git a/dnsapi/dns_ovh.sh b/dnsapi/dns_ovh.sh
index f6f9689a..e65babbd 100755
--- a/dnsapi/dns_ovh.sh
+++ b/dnsapi/dns_ovh.sh
@@ -261,7 +261,9 @@ _get_root() {
return 1
fi
- if ! _contains "$response" "This service does not exist" >/dev/null && ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
+ if ! _contains "$response" "This service does not exist" >/dev/null &&
+ ! _contains "$response" "This call has not been granted" >/dev/null &&
+ ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain="$h"
return 0
diff --git a/dnsapi/dns_pdns.sh b/dnsapi/dns_pdns.sh
index 28b35492..6aa2e953 100755
--- a/dnsapi/dns_pdns.sh
+++ b/dnsapi/dns_pdns.sh
@@ -103,7 +103,7 @@ set_record() {
_build_record_string "$oldchallenge"
done
- if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then
+ if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then
_err "Set txt record error."
return 1
fi
@@ -126,7 +126,7 @@ rm_record() {
if _contains "$_existing_challenges" "$txtvalue"; then
#Delete all challenges (PowerDNS API does not allow to delete content)
- if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}"; then
+ if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}" "application/json"; then
_err "Delete txt record error."
return 1
fi
@@ -140,7 +140,7 @@ rm_record() {
fi
done
#Recreate the existing challenges
- if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then
+ if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then
_err "Set txt record error."
return 1
fi
@@ -203,12 +203,13 @@ _pdns_rest() {
method=$1
ep=$2
data=$3
+ ct=$4
export _H1="X-API-Key: $PDNS_Token"
if [ ! "$method" = "GET" ]; then
_debug data "$data"
- response="$(_post "$data" "$PDNS_Url$ep" "" "$method")"
+ response="$(_post "$data" "$PDNS_Url$ep" "" "$method" "$ct")"
else
response="$(_get "$PDNS_Url$ep")"
fi
diff --git a/dnsapi/dns_porkbun.sh b/dnsapi/dns_porkbun.sh
index 18da6b2f..ad4455b6 100644
--- a/dnsapi/dns_porkbun.sh
+++ b/dnsapi/dns_porkbun.sh
@@ -78,7 +78,7 @@ dns_porkbun_rm() {
if [ "$count" = "0" ]; then
_info "Don't need to remove."
else
- record_id=$(echo "$response" | tr '{' '\n' | grep "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
+ record_id=$(echo "$response" | tr '{' '\n' | grep -- "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
_debug "record_id" "$record_id"
if [ -z "$record_id" ]; then
_err "Can not get record id to remove."
@@ -110,8 +110,8 @@ _get_root() {
if _porkbun_rest POST "dns/retrieve/$h"; then
if _contains "$response" "\"status\":\"SUCCESS\""; then
- _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
_domain=$h
+ _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
return 0
else
_debug "Go to next level of $_domain"
diff --git a/dnsapi/dns_rackspace.sh b/dnsapi/dns_rackspace.sh
index 03e1fa68..b50d9168 100644
--- a/dnsapi/dns_rackspace.sh
+++ b/dnsapi/dns_rackspace.sh
@@ -7,6 +7,7 @@
RACKSPACE_Endpoint="https://dns.api.rackspacecloud.com/v1.0"
+# 20210923 - RS changed the fields in the API response; fix sed
# 20190213 - The name & id fields swapped in the API response; fix sed
# 20190101 - Duplicating file for new pull request to dev branch
# Original - tcocca:rackspace_dnsapi https://github.com/acmesh-official/acme.sh/pull/1297
@@ -79,8 +80,8 @@ _get_root_zone() {
_debug2 response "$response"
if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
# Response looks like:
- # {"ttl":300,"accountId":12345,"id":1111111,"name":"example.com","emailAddress": ...
- _domain_id=$(echo "$response" | sed -n "s/^.*\"id\":\([^,]*\),\"name\":\"$h\",.*/\1/p")
+ # {"id":"12345","accountId":"1111111","name": "example.com","ttl":3600,"emailAddress": ...
+ _domain_id=$(echo "$response" | sed -n "s/^.*\"id\":\"\([^,]*\)\",\"accountId\":\"[0-9]*\",\"name\":\"$h\",.*/\1/p")
_debug2 domain_id "$_domain_id"
if [ -n "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
diff --git a/dnsapi/dns_simply.sh b/dnsapi/dns_simply.sh
index e0e05017..437e5e5c 100644
--- a/dnsapi/dns_simply.sh
+++ b/dnsapi/dns_simply.sh
@@ -1,15 +1,15 @@
#!/usr/bin/env sh
-#
+# API-integration for Simply.com (https://www.simply.com)
+
#SIMPLY_AccountName="accountname"
-#
#SIMPLY_ApiKey="apikey"
#
#SIMPLY_Api="https://api.simply.com/1/[ACCOUNTNAME]/[APIKEY]"
SIMPLY_Api_Default="https://api.simply.com/1"
#This is used for determining success of REST call
-SIMPLY_SUCCESS_CODE='"status": 200'
+SIMPLY_SUCCESS_CODE='"status":200'
######## Public functions #####################
#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
@@ -51,7 +51,7 @@ dns_simply_rm() {
_simply_save_config
- _debug "First detect the root zone"
+ _debug "Find the DNS zone"
if ! _get_root "$fulldomain"; then
_err "invalid domain"
@@ -77,8 +77,8 @@ dns_simply_rm() {
for record in $records; do
_debug record "$record"
- record_data=$(echo "$record" | cut -d "," -f 3 | sed 's/"//g' | grep "data" | cut -d ":" -f 2)
- record_type=$(echo "$record" | cut -d "," -f 4 | sed 's/"//g' | grep "type" | cut -d ":" -f 2)
+ record_data=$(echo "$record" | sed -n "s/.*\"data\":\"\([^\"]*\)\".*/\1/p")
+ record_type=$(echo "$record" | sed -n "s/.*\"type\":\"\([^\"]*\)\".*/\1/p")
_debug2 record_data "$record_data"
_debug2 record_type "$record_type"
@@ -151,7 +151,7 @@ _simply_save_config() {
_simply_get_all_records() {
domain=$1
- if ! _simply_rest GET "my/products/$domain/dns/records"; then
+ if ! _simply_rest GET "my/products/$domain/dns/records/"; then
return 1
fi
@@ -169,7 +169,7 @@ _get_root() {
return 1
fi
- if ! _simply_rest GET "my/products/$h/dns"; then
+ if ! _simply_rest GET "my/products/$h/dns/"; then
return 1
fi
@@ -193,7 +193,7 @@ _simply_add_record() {
data="{\"name\": \"$sub_domain\", \"type\":\"TXT\", \"data\": \"$txtval\", \"priority\":0, \"ttl\": 3600}"
- if ! _simply_rest POST "my/products/$domain/dns/records" "$data"; then
+ if ! _simply_rest POST "my/products/$domain/dns/records/" "$data"; then
_err "Adding record not successfull!"
return 1
fi
@@ -214,7 +214,7 @@ _simply_delete_record() {
_debug record_id "Delete record with id $record_id"
- if ! _simply_rest DELETE "my/products/$domain/dns/records/$record_id"; then
+ if ! _simply_rest DELETE "my/products/$domain/dns/records/$record_id/"; then
_err "Deleting record not successfull!"
return 1
fi
@@ -250,6 +250,8 @@ _simply_rest() {
return 1
fi
+ response="$(echo "$response" | _normalizeJson)"
+
_debug2 response "$response"
if _contains "$response" "Invalid account authorization"; then
diff --git a/dnsapi/dns_veesp.sh b/dnsapi/dns_veesp.sh
new file mode 100644
index 00000000..b8a41d00
--- /dev/null
+++ b/dnsapi/dns_veesp.sh
@@ -0,0 +1,158 @@
+#!/usr/bin/env sh
+
+# bug reports to stepan@plyask.in
+
+#
+# export VEESP_User="username"
+# export VEESP_Password="password"
+
+VEESP_Api="https://secure.veesp.com/api"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_veesp_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}"
+ VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}"
+ VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64)
+
+ if [ -z "$VEESP_Password" ] || [ -z "$VEESP_User" ]; then
+ VEESP_Password=""
+ VEESP_User=""
+ _err "You don't specify veesp api key and email yet."
+ _err "Please create you key and try again."
+ return 1
+ fi
+
+ #save the api key and email to the account conf file.
+ _saveaccountconf_mutable VEESP_Password "$VEESP_Password"
+ _saveaccountconf_mutable VEESP_User "$VEESP_User"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Adding record"
+ if VEESP_rest POST "service/$_service_id/dns/$_domain_id/records" "{\"name\":\"$fulldomain\",\"ttl\":1,\"priority\":0,\"type\":\"TXT\",\"content\":\"$txtvalue\"}"; then
+ if _contains "$response" "\"success\":true"; then
+ _info "Added"
+ #todo: check if the record takes effect
+ return 0
+ else
+ _err "Add txt record error."
+ return 1
+ fi
+ fi
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+dns_veesp_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}"
+ VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}"
+ VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64)
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _debug "Getting txt records"
+ VEESP_rest GET "service/$_service_id/dns/$_domain_id"
+
+ count=$(printf "%s\n" "$response" | _egrep_o "\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | wc -l | tr -d " ")
+ _debug count "$count"
+ if [ "$count" = "0" ]; then
+ _info "Don't need to remove."
+ else
+ record_id=$(printf "%s\n" "$response" | _egrep_o "{\"id\":[^}]*\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | cut -d\" -f4)
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! VEESP_rest DELETE "service/$_service_id/dns/$_domain_id/records/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ _contains "$response" "\"success\":true"
+ fi
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=2
+ p=1
+ if ! VEESP_rest GET "dns"; then
+ return 1
+ fi
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if _contains "$response" "\"name\":\"$h\""; then
+ _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"domain_id\":[^,]*,\"name\":\"$h\"" | cut -d : -f 2 | cut -d , -f 1 | cut -d '"' -f 2)
+ _debug _domain_id "$_domain_id"
+ _service_id=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$h\",\"service_id\":[^}]*" | cut -d : -f 3 | cut -d '"' -f 2)
+ _debug _service_id "$_service_id"
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+VEESP_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+
+ export _H1="Accept: application/json"
+ export _H2="Authorization: Basic $VEESP_auth"
+ if [ "$m" != "GET" ]; then
+ _debug data "$data"
+ export _H3="Content-Type: application/json"
+ response="$(_post "$data" "$VEESP_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$VEESP_Api/$ep")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
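Review bot: dns_veesp_add returns success when the POST itself fails, because the closing `if VEESP_rest POST …` has no else branch and a false `if` condition yields exit status 0 in POSIX sh, so the function falls off the end with status 0 and the caller proceeds as if the record were created. Add `else`, `_err "Add txt record error."`, `return 1` before the final `fi` of that function. `_get_root` has a related gap: it validates only `_domain_id` (`if [ "$_domain_id" ]; then`) while every later request path also interpolates `_service_id`, so an empty service id produces `service//dns/…` URLs; the guard should read `if [ "$_domain_id" ] && [ "$_service_id" ]; then`. In both public functions `VEESP_auth` is also built on the line before the credentials are checked for emptiness; moving that assignment after the check avoids constructing an Authorization header from blank values.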
diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh
index c7b52e84..84857966 100644
--- a/dnsapi/dns_vultr.sh
+++ b/dnsapi/dns_vultr.sh
@@ -33,7 +33,7 @@ dns_vultr_add() {
_debug 'Getting txt records'
_vultr_rest GET "dns/records?domain=$_domain"
- if printf "%s\n" "$response" | grep "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
+ if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
_err 'Error'
return 1
fi
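Review bot: The added `--` only stops grep from reading the pattern as an option; the pattern is still a basic regex, so the unescaped dots in `$fulldomain` match any character and only the surrounding JSON quotes anchor the match. Since the string is a literal JSON fragment, `grep -F -- "\"type\":\"TXT\",\"name\":\"$fulldomain\""` states the intent and removes the metacharacter question. The same applies to the first changed line of the dns_vultr_rm hunk below and to its `grep -- "$txtvalue"`, where `-F` is also the right mode for a literal challenge value. The dns_vultr_add body continues outside the hunk.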
@@ -73,12 +73,12 @@ dns_vultr_rm() {
_debug 'Getting txt records'
_vultr_rest GET "dns/records?domain=$_domain"
- if printf "%s\n" "$response" | grep "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
+ if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
_err 'Error'
return 1
fi
- _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
+ _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
_debug _record_id "$_record_id"
if [ "$_record_id" ]; then
_info "Successfully retrieved the record id for ACME challenge."
diff --git a/dnsapi/dns_world4you.sh b/dnsapi/dns_world4you.sh
index 9ab406f6..231c34b3 100644
--- a/dnsapi/dns_world4you.sh
+++ b/dnsapi/dns_world4you.sh
@@ -36,7 +36,6 @@ dns_world4you_add() {
export _H1="Cookie: W4YSESSID=$sessid"
form=$(_get "$WORLD4YOU_API/$paketnr/dns")
formiddp=$(echo "$form" | grep 'AddDnsRecordForm\[uniqueFormIdDP\]' | sed 's/^.*name="AddDnsRecordForm\[uniqueFormIdDP\]" value="\([^"]*\)".*$/\1/')
- formidttl=$(echo "$form" | grep 'AddDnsRecordForm\[uniqueFormIdTTL\]' | sed 's/^.*name="AddDnsRecordForm\[uniqueFormIdTTL\]" value="\([^"]*\)".*$/\1/')
form_token=$(echo "$form" | grep 'AddDnsRecordForm\[_token\]' | sed 's/^.*name="AddDnsRecordForm\[_token\]" value="\([^"]*\)".*$/\1/')
if [ -z "$formiddp" ]; then
_err "Unable to parse form"
@@ -45,9 +44,7 @@ dns_world4you_add() {
_resethttp
export ACME_HTTP_NO_REDIRECTS=1
- body="AddDnsRecordForm[name]=$RECORD&AddDnsRecordForm[dnsType][type]=TXT&\
-AddDnsRecordForm[value]=$value&AddDnsRecordForm[aktivPaket]=$paketnr&AddDnsRecordForm[uniqueFormIdDP]=$formiddp&\
-AddDnsRecordForm[uniqueFormIdTTL]=$formidttl&AddDnsRecordForm[_token]=$form_token"
+ body="AddDnsRecordForm[name]=$RECORD&AddDnsRecordForm[dnsType][type]=TXT&AddDnsRecordForm[value]=$value&AddDnsRecordForm[uniqueFormIdDP]=$formiddp&AddDnsRecordForm[_token]=$form_token"
_info "Adding record..."
ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns" '' POST 'application/x-www-form-urlencoded')
_resethttp
@@ -101,7 +98,6 @@ dns_world4you_rm() {
form=$(_get "$WORLD4YOU_API/$paketnr/dns")
formiddp=$(echo "$form" | grep 'DeleteDnsRecordForm\[uniqueFormIdDP\]' | sed 's/^.*name="DeleteDnsRecordForm\[uniqueFormIdDP\]" value="\([^"]*\)".*$/\1/')
- formidttl=$(echo "$form" | grep 'DeleteDnsRecordForm\[uniqueFormIdTTL\]' | sed 's/^.*name="DeleteDnsRecordForm\[uniqueFormIdTTL\]" value="\([^"]*\)".*$/\1/')
form_token=$(echo "$form" | grep 'DeleteDnsRecordForm\[_token\]' | sed 's/^.*name="DeleteDnsRecordForm\[_token\]" value="\([^"]*\)".*$/\1/')
if [ -z "$formiddp" ]; then
_err "Unable to parse form"
@@ -113,11 +109,9 @@ dns_world4you_rm() {
_resethttp
export ACME_HTTP_NO_REDIRECTS=1
- body="DeleteDnsRecordForm[recordId]=$recordid&DeleteDnsRecordForm[aktivPaket]=$paketnr&\
-DeleteDnsRecordForm[uniqueFormIdDP]=$formiddp&DeleteDnsRecordForm[uniqueFormIdTTL]=$formidttl&\
-DeleteDnsRecordForm[_token]=$form_token"
+ body="DeleteDnsRecordForm[recordId]=$recordid&DeleteDnsRecordForm[uniqueFormIdDP]=$formiddp&DeleteDnsRecordForm[_token]=$form_token"
_info "Removing record..."
- ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/deleteRecord" '' POST 'application/x-www-form-urlencoded')
+ ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns/record/delete" '' POST 'application/x-www-form-urlencoded')
_resethttp
if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
@@ -190,7 +184,7 @@ _get_paketnr() {
fqdn="$1"
form="$2"
- domains=$(echo "$form" | grep '^ *[A-Za-z0-9_\.-]*\.[A-Za-z0-9_-]*$' | sed 's/^\s*\(\S*\)$/\1/')
+ domains=$(echo "$form" | grep '^ *[A-Za-z0-9_\.-]*\.[A-Za-z0-9_-]*$' | sed 's/^ *\(.*\)$/\1/')
domain=''
for domain in $domains; do
if _contains "$fqdn" "$domain\$"; then
diff --git a/notify/bark.sh b/notify/bark.sh
new file mode 100644
index 00000000..bbd5bf34
--- /dev/null
+++ b/notify/bark.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env sh
+
+#Support iOS Bark Notification
+
+#BARK_API_URL="https://api.day.app/xxxx"
+#BARK_SOUND="yyyy"
+#BARK_GROUP="zzzz"
+
+# subject content statusCode
+bark_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_subject" "$_subject"
+ _debug "_content" "$_content"
+ _debug "_statusCode" "$_statusCode"
+
+ BARK_API_URL="${BARK_API_URL:-$(_readaccountconf_mutable BARK_API_URL)}"
+ if [ -z "$BARK_API_URL" ]; then
+ BARK_API_URL=""
+ _err "You didn't specify a Bark API URL BARK_API_URL yet."
+ _err "You can download Bark from App Store and get yours."
+ return 1
+ fi
+ _saveaccountconf_mutable BARK_API_URL "$BARK_API_URL"
+
+ BARK_SOUND="${BARK_SOUND:-$(_readaccountconf_mutable BARK_SOUND)}"
+ _saveaccountconf_mutable BARK_SOUND "$BARK_SOUND"
+
+ BARK_GROUP="${BARK_GROUP:-$(_readaccountconf_mutable BARK_GROUP)}"
+ if [ -z "$BARK_GROUP" ]; then
+ BARK_GROUP="ACME"
+ _info "The BARK_GROUP is not set, so use the default ACME as group name."
+ else
+ _saveaccountconf_mutable BARK_GROUP "$BARK_GROUP"
+ fi
+
+ _content=$(echo "$_content" | _url_encode)
+ _subject=$(echo "$_subject" | _url_encode)
+
+ response="$(_get "$BARK_API_URL/$_subject/$_content?sound=$BARK_SOUND&group=$BARK_GROUP")"
+
+ if [ "$?" = "0" ] && _contains "$response" "success"; then
+ _info "Bark API fired success."
+ return 0
+ fi
+
+ _err "Bark API fired error."
+ _err "$response"
+ return 1
+}
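Review bot: `BARK_SOUND` and `BARK_GROUP` are placed into the query string on the `response="$(_get "$BARK_API_URL/$_subject/$_content?sound=$BARK_SOUND&group=$BARK_GROUP")"` line without `_url_encode`, while `_subject` and `_content` two lines above are encoded; a group name containing a space, `&` or `#` would break or truncate the request. Encode them the same way, e.g. `BARK_GROUP=$(echo "$BARK_GROUP" | _url_encode)` and `BARK_SOUND=$(echo "$BARK_SOUND" | _url_encode)`, before building the URL. Separately, `_saveaccountconf_mutable BARK_SOUND "$BARK_SOUND"` runs unconditionally, so an unset sound is persisted as an empty entry; the pushbullet module in this same commit uses `_clearaccountconf_mutable` for the empty case, and doing the same here keeps the two modules consistent.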
diff --git a/notify/feishu.sh b/notify/feishu.sh
new file mode 100644
index 00000000..18693c2d
--- /dev/null
+++ b/notify/feishu.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env sh
+
+#Support feishu webhooks api
+
+#required
+#FEISHU_WEBHOOK="xxxx"
+
+#optional
+#FEISHU_KEYWORD="yyyy"
+
+# subject content statusCode
+feishu_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_subject" "$_subject"
+ _debug "_content" "$_content"
+ _debug "_statusCode" "$_statusCode"
+
+ FEISHU_WEBHOOK="${FEISHU_WEBHOOK:-$(_readaccountconf_mutable FEISHU_WEBHOOK)}"
+ if [ -z "$FEISHU_WEBHOOK" ]; then
+ FEISHU_WEBHOOK=""
+ _err "You didn't specify a feishu webhooks FEISHU_WEBHOOK yet."
+ _err "You can get yours from https://www.feishu.cn"
+ return 1
+ fi
+ _saveaccountconf_mutable FEISHU_WEBHOOK "$FEISHU_WEBHOOK"
+
+ FEISHU_KEYWORD="${FEISHU_KEYWORD:-$(_readaccountconf_mutable FEISHU_KEYWORD)}"
+ if [ "$FEISHU_KEYWORD" ]; then
+ _saveaccountconf_mutable FEISHU_KEYWORD "$FEISHU_KEYWORD"
+ fi
+
+ _content=$(echo "$_content" | _json_encode)
+ _subject=$(echo "$_subject" | _json_encode)
+ _data="{\"msg_type\": \"text\", \"content\": {\"text\": \"[$FEISHU_KEYWORD]\n$_subject\n$_content\"}}"
+
+ response="$(_post "$_data" "$FEISHU_WEBHOOK" "" "POST" "application/json")"
+
+ if [ "$?" = "0" ] && _contains "$response" "StatusCode\":0"; then
+ _info "feishu webhooks event fired success."
+ return 0
+ fi
+
+ _err "feishu webhooks event fired error."
+ _err "$response"
+ return 1
+}
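Review bot: `$FEISHU_KEYWORD` is interpolated into the JSON text on the `_data=` line without passing through `_json_encode`, unlike `_subject` and `_content` on the two lines above, so a keyword containing a double quote or backslash yields an invalid request body. The same line also emits a literal `[]` prefix when `FEISHU_KEYWORD` is unset, because the brackets are unconditional. Building the prefix only when a keyword exists addresses both: `_keyword_prefix=""`, `[ "$FEISHU_KEYWORD" ] && _keyword_prefix="[$(printf "%s" "$FEISHU_KEYWORD" | _json_encode)]\n"`, then `\"$_keyword_prefix$_subject\n$_content\"` inside `_data`.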
diff --git a/notify/mail.sh b/notify/mail.sh
index 2cbddb63..656dd371 100644
--- a/notify/mail.sh
+++ b/notify/mail.sh
@@ -62,7 +62,7 @@ mail_send() {
fi
contenttype="text/plain; charset=utf-8"
- subject="=?UTF-8?B?$(echo "$_subject" | _base64)?="
+ subject="=?UTF-8?B?$(printf -- "%b" "$_subject" | _base64)?="
result=$({ _mail_body | eval "$(_mail_cmnd)"; } 2>&1)
# shellcheck disable=SC2181
@@ -131,6 +131,7 @@ _mail_body() {
echo "To: $MAIL_TO"
echo "Subject: $subject"
echo "Content-Type: $contenttype"
+ echo "MIME-Version: 1.0"
echo
;;
esac
diff --git a/notify/pushbullet.sh b/notify/pushbullet.sh
new file mode 100644
index 00000000..ca997c84
--- /dev/null
+++ b/notify/pushbullet.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env sh
+
+#Support for pushbullet.com's api. Push notification, notification sync and message platform for multiple platforms
+#PUSHBULLET_TOKEN="" Required, pushbullet application token
+#PUSHBULLET_DEVICE="" Optional, Specific device, ignore to send to all devices
+
+PUSHBULLET_URI="https://api.pushbullet.com/v2/pushes"
+pushbullet_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_statusCode" "$_statusCode"
+
+ PUSHBULLET_TOKEN="${PUSHBULLET_TOKEN:-$(_readaccountconf_mutable PUSHBULLET_TOKEN)}"
+ if [ -z "$PUSHBULLET_TOKEN" ]; then
+ PUSHBULLET_TOKEN=""
+ _err "You didn't specify a Pushbullet application token yet."
+ return 1
+ fi
+ _saveaccountconf_mutable PUSHBULLET_TOKEN "$PUSHBULLET_TOKEN"
+
+ PUSHBULLET_DEVICE="${PUSHBULLET_DEVICE:-$(_readaccountconf_mutable PUSHBULLET_DEVICE)}"
+ if [ -z "$PUSHBULLET_DEVICE" ]; then
+ _clearaccountconf_mutable PUSHBULLET_DEVICE
+ else
+ _saveaccountconf_mutable PUSHBULLET_DEVICE "$PUSHBULLET_DEVICE"
+ fi
+
+ export _H1="Content-Type: application/json"
+ export _H2="Access-Token: ${PUSHBULLET_TOKEN}"
+ _content="$(printf "*%s*\n" "$_content" | _json_encode)"
+ _subject="$(printf "*%s*\n" "$_subject" | _json_encode)"
+ _data="{\"type\": \"note\",\"title\": \"${_subject}\",\"body\": \"${_content}\",\"device_iden\": \"${PUSHBULLET_DEVICE}\"}"
+ response="$(_post "$_data" "$PUSHBULLET_URI")"
+
+ if [ "$?" != "0" ] || _contains "$response" "\"error_code\""; then
+ _err "PUSHBULLET send error."
+ _err "$response"
+ return 1
+ fi
+
+ _info "PUSHBULLET send success."
+ return 0
+}
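Review bot: `device_iden` is always emitted in `_data`, so when `PUSHBULLET_DEVICE` is empty the request carries `"device_iden": ""` instead of omitting the field, which is presumably not what the "ignore to send to all devices" comment at the top of the file promises. Build the field only when the variable is set, e.g. `_device=""`, `[ "$PUSHBULLET_DEVICE" ] && _device=",\"device_iden\": \"${PUSHBULLET_DEVICE}\""`, and append `$_device` before the closing brace of `_data`. Whether the API tolerates an empty identifier cannot be determined from the hunk, so verify against the response before relying on either form. The `printf "*%s*\n"` wrapping of subject and body adds literal asterisks to the note; if that is intentional formatting, a comment saying so would help, since the bark and feishu modules in this commit do not do it.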
diff --git a/notify/sendgrid.sh b/notify/sendgrid.sh
index 0d5ea3b3..82d3f6c6 100644
--- a/notify/sendgrid.sh
+++ b/notify/sendgrid.sh
@@ -37,11 +37,19 @@ sendgrid_send() {
fi
_saveaccountconf_mutable SENDGRID_FROM "$SENDGRID_FROM"
+ SENDGRID_FROM_NAME="${SENDGRID_FROM_NAME:-$(_readaccountconf_mutable SENDGRID_FROM_NAME)}"
+ _saveaccountconf_mutable SENDGRID_FROM_NAME "$SENDGRID_FROM_NAME"
+
export _H1="Authorization: Bearer $SENDGRID_API_KEY"
export _H2="Content-Type: application/json"
_content="$(echo "$_content" | _json_encode)"
- _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
+
+ if [ -z "$SENDGRID_FROM_NAME" ]; then
+ _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
+ else
+ _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\", \"name\": \"$SENDGRID_FROM_NAME\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
+ fi
response="$(_post "$_data" "https://api.sendgrid.com/v3/mail/send")"
if [ "$?" = "0" ] && [ -z "$response" ]; then
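Review bot: `$SENDGRID_FROM_NAME` goes into the JSON on the new `else` branch without `_json_encode`, although `_content` on the line above the branch is encoded; a display name containing a double quote or backslash breaks the body. Encode it once where it is read, e.g. `_from_name="$(printf "%s" "$SENDGRID_FROM_NAME" | _json_encode)"`, and use `$_from_name` in the `else` branch. The unconditional `_saveaccountconf_mutable SENDGRID_FROM_NAME "$SENDGRID_FROM_NAME"` also persists an empty value when the name is unset; the pushbullet module in this commit uses `_clearaccountconf_mutable` for that case. The sendgrid_send body continues outside the hunk on both sides.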
diff --git a/notify/telegram.sh b/notify/telegram.sh
index d16f3a98..454b4146 100644
--- a/notify/telegram.sh
+++ b/notify/telegram.sh
@@ -27,7 +27,7 @@ telegram_send() {
fi
_saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
- _content="$(printf "%s" "$_content" | sed -e 's/*/\\\\*/')"
+ _content="$(printf "%s" "$_content" | sed -e 's/\([_*`\[]\)/\\\\\1/g')"
_content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
_data="{\"text\": \"$_content\", "
_data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", "