
Merge remote-tracking branch 'upstream/master' into panos-ecc-fix

pull/4575/head
sg1888 1 year ago
parent
commit
832318fab1
  1. 4
      README.md
  2. 95
      acme.sh
  3. 27
      deploy/docker.sh
  4. 4
      dnsapi/dns_opnsense.sh
  5. 17
      dnsapi/dns_ovh.sh
  6. 22
      dnsapi/dns_pleskxml.sh

4
README.md

@ -51,14 +51,12 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
- [ruby-china.org](https://ruby-china.org/topics/31983) - [ruby-china.org](https://ruby-china.org/topics/31983)
- [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management) - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management)
- [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89) - [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty) - [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709) - [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html) - [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
- [CentOS Web Panel](http://centos-webpanel.com/)
- [CentOS Web Panel](https://control-webpanel.com)
- [lnmp.org](https://lnmp.org/) - [lnmp.org](https://lnmp.org/)
- [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials) - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials)

95
acme.sh

@ -2884,6 +2884,7 @@ _initpath() {
fi fi
fi fi
_debug DOMAIN_PATH "$DOMAIN_PATH" _debug DOMAIN_PATH "$DOMAIN_PATH"
export DOMAIN_PATH
fi fi
if [ -z "$DOMAIN_BACKUP_PATH" ]; then if [ -z "$DOMAIN_BACKUP_PATH" ]; then
@ -2935,22 +2936,6 @@ _initpath() {
} }
_exec() {
if [ -z "$_EXEC_TEMP_ERR" ]; then
_EXEC_TEMP_ERR="$(_mktemp)"
fi
if [ "$_EXEC_TEMP_ERR" ]; then
eval "$@ 2>>$_EXEC_TEMP_ERR"
else
eval "$@"
fi
}
_exec_err() {
[ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
}
_apachePath() { _apachePath() {
_APACHECTL="apachectl" _APACHECTL="apachectl"
if ! _exists apachectl; then if ! _exists apachectl; then
@ -2963,8 +2948,7 @@ _apachePath() {
fi fi
fi fi
if ! _exec $_APACHECTL -V >/dev/null; then
_exec_err
if ! $_APACHECTL -V >/dev/null; then
return 1 return 1
fi fi
@ -3016,8 +3000,7 @@ _restoreApache() {
cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf" cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
_debug "Restored: $httpdconf." _debug "Restored: $httpdconf."
if ! _exec $_APACHECTL -t; then
_exec_err
if ! $_APACHECTL -t; then
_err "Sorry, restore apache config error, please contact me." _err "Sorry, restore apache config error, please contact me."
return 1 return 1
fi fi
@ -3035,8 +3018,7 @@ _setApache() {
#test the conf first #test the conf first
_info "Checking if there is an error in the apache config file before starting." _info "Checking if there is an error in the apache config file before starting."
if ! _exec "$_APACHECTL" -t >/dev/null; then
_exec_err
if ! $_APACHECTL -t >/dev/null; then
_err "The apache config file has error, please fix it first, then try again." _err "The apache config file has error, please fix it first, then try again."
_err "Don't worry, there is nothing changed to your system." _err "Don't worry, there is nothing changed to your system."
return 1 return 1
@ -3097,8 +3079,7 @@ Allow from all
chmod 755 "$ACME_DIR" chmod 755 "$ACME_DIR"
fi fi
if ! _exec "$_APACHECTL" graceful; then
_exec_err
if ! $_APACHECTL graceful; then
_err "$_APACHECTL graceful error, please contact me." _err "$_APACHECTL graceful error, please contact me."
_restoreApache _restoreApache
return 1 return 1
@ -3183,8 +3164,7 @@ _setNginx() {
return 1 return 1
fi fi
_info "Check the nginx conf before setting up." _info "Check the nginx conf before setting up."
if ! _exec "nginx -t" >/dev/null; then
_exec_err
if ! nginx -t >/dev/null; then
return 1 return 1
fi fi
@ -3211,16 +3191,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
fi fi
_debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)" _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
_info "nginx conf is done, let's check it again." _info "nginx conf is done, let's check it again."
if ! _exec "nginx -t" >/dev/null; then
_exec_err
if ! nginx -t >/dev/null; then
_err "It seems that nginx conf was broken, let's restore." _err "It seems that nginx conf was broken, let's restore."
cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
return 1 return 1
fi fi
_info "Reload nginx" _info "Reload nginx"
if ! _exec "nginx -s reload" >/dev/null; then
_exec_err
if ! nginx -s reload >/dev/null; then
_err "It seems that nginx reload error, let's restore." _err "It seems that nginx reload error, let's restore."
cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
return 1 return 1
@ -3345,8 +3323,7 @@ _restoreNginx() {
done done
_info "Reload nginx" _info "Reload nginx"
if ! _exec "nginx -s reload" >/dev/null; then
_exec_err
if ! nginx -s reload >/dev/null; then
_err "It seems that nginx reload error, please report bug." _err "It seems that nginx reload error, please report bug."
return 1 return 1
fi fi
@ -4684,28 +4661,26 @@ $_authorizations_map"
thumbprint="$(__calc_account_thumbprint)" thumbprint="$(__calc_account_thumbprint)"
fi fi
keyauthorization=""
if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
_debug "$d is already valid."
keyauthorization="$STATE_VERIFIED"
_debug keyauthorization "$keyauthorization"
fi
entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry" _debug entry "$entry"
keyauthorization=""
if [ -z "$entry" ]; then
if ! _startswith "$d" '*.'; then
_debug "Not a wildcard domain, lets check whether the validation is already valid."
if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
_debug "$d is already valid."
keyauthorization="$STATE_VERIFIED"
_debug keyauthorization "$keyauthorization"
fi
fi
if [ -z "$keyauthorization" ]; then
_err "Error, can not get domain token entry $d for $vtype"
_supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
if [ "$_supported_vtypes" ]; then
_err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
fi
_clearup
_on_issue_err "$_post_hook"
return 1
if [ -z "$keyauthorization" -a -z "$entry" ]; then
_err "Error, can not get domain token entry $d for $vtype"
_supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
if [ "$_supported_vtypes" ]; then
_err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
fi fi
_clearup
_on_issue_err "$_post_hook"
return 1
fi fi
if [ -z "$keyauthorization" ]; then if [ -z "$keyauthorization" ]; then
@ -4731,12 +4706,6 @@ $_authorizations_map"
fi fi
keyauthorization="$token.$thumbprint" keyauthorization="$token.$thumbprint"
_debug keyauthorization "$keyauthorization" _debug keyauthorization "$keyauthorization"
if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
_debug "$d is already verified."
keyauthorization="$STATE_VERIFIED"
_debug keyauthorization "$keyauthorization"
fi
fi fi
dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot" dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
@ -4960,18 +4929,6 @@ $_authorizations_map"
if ! chmod a+r "$wellknown_path/$token"; then if ! chmod a+r "$wellknown_path/$token"; then
_debug "chmod failed, but we just continue." _debug "chmod failed, but we just continue."
fi fi
if [ ! "$usingApache" ]; then
if webroot_owner=$(_stat "$_currentRoot"); then
_debug "Changing owner/group of .well-known to $webroot_owner"
if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
_debug "$(cat "$_EXEC_TEMP_ERR")"
_exec_err >/dev/null 2>&1
fi
else
_debug "not changing owner/group of webroot"
fi
fi
fi fi
elif [ "$vtype" = "$VTYPE_ALPN" ]; then elif [ "$vtype" = "$VTYPE_ALPN" ]; then
acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")" acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
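Review bot: Reading the hunk counts (22 → 6, 12 → 6, 18 → 6) as placing the `_exec`/`_exec_err` wrapper and the wildcard-aware validity check on the removed side, the surviving guard in the authorization hunk is `if [ -z "$keyauthorization" -a -z "$entry" ]; then`, and `-a` inside `[` is obsolescent in POSIX and ambiguous once an operand looks like an operator; write it as `if [ -z "$keyauthorization" ] && [ -z "$entry" ]; then`. With `_exec_err` gone, the `apachectl -t` / `nginx -t` hunks no longer route the tool's stderr into `_err`, so the "config file has error" and "nginx conf was broken" messages reach the log without the diagnostic that explains them; capturing it is one line, e.g. `_out="$($_APACHECTL -t 2>&1 >/dev/null)" || { _err "$_out"; ... }`. The enclosing functions start and end outside these hunks.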

27
deploy/docker.sh

@ -273,16 +273,27 @@ _check_curl_version() {
_minor="$(_getfield "$_cversion" 2 '.')" _minor="$(_getfield "$_cversion" 2 '.')"
_debug2 "_minor" "$_minor" _debug2 "_minor" "$_minor"
if [ "$_major$_minor" -lt "740" ]; then
if [ "$_major" -ge "8" ]; then
#ok
return 0
fi
if [ "$_major" = "7" ]; then
if [ "$_minor" -lt "40" ]; then
_err "curl v$_cversion doesn't support unit socket"
_err "Please upgrade to curl 7.40 or later."
return 1
fi
if [ "$_minor" -lt "50" ]; then
_debug "Use short host name"
export _CURL_NO_HOST=1
else
export _CURL_NO_HOST=
fi
return 0
else
_err "curl v$_cversion doesn't support unit socket" _err "curl v$_cversion doesn't support unit socket"
_err "Please upgrade to curl 7.40 or later." _err "Please upgrade to curl 7.40 or later."
return 1 return 1
fi fi
if [ "$_major$_minor" -lt "750" ]; then
_debug "Use short host name"
export _CURL_NO_HOST=1
else
export _CURL_NO_HOST=
fi
return 0
} }
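Review bot: The new gate in `_check_curl_version` compares `$_major` and `$_minor` with `-ge`/`-lt` without first checking that they are numeric, so an empty or unparsable `curl -V` line makes `[` print "integer expression expected" and control falls into the final `else`, reporting "doesn't support unit socket" for a curl that may be perfectly capable. A cheap guard before the comparisons is `case "$_major$_minor" in ''|*[!0-9]*) _err "Cannot parse curl version '$_cversion'"; return 1 ;; esac`. The `-ge "8"` branch also returns without `export _CURL_NO_HOST=`, so a stale `_CURL_NO_HOST=1` inherited from the environment is honoured on curl 8 while the 7.50+ path explicitly clears it; add the export before that `return 0`. The two added error strings repeat the existing typo `unit socket`, which should read `unix socket`. The function's opening lines are outside the hunk.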

4
dnsapi/dns_opnsense.sh

@ -137,7 +137,7 @@ _get_root() {
domain=$1 domain=$1
i=2 i=2
p=1 p=1
if _opns_rest "GET" "/domain/searchMasterDomain"; then
if _opns_rest "GET" "/domain/searchPrimaryDomain"; then
_domain_response="$response" _domain_response="$response"
else else
return 1 return 1
@ -150,7 +150,7 @@ _get_root() {
return 1 return 1
fi fi
_debug h "$h" _debug h "$h"
id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
if [ -n "$id" ]; then if [ -n "$id" ]; then
_debug id "$id" _debug id "$id"
_host=$(printf "%s" "$domain" | cut -d . -f 1-$p) _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)

17
dnsapi/dns_ovh.sh

@ -14,6 +14,9 @@
#'ovh-eu' #'ovh-eu'
OVH_EU='https://eu.api.ovh.com/1.0' OVH_EU='https://eu.api.ovh.com/1.0'
#'ovh-us'
OVH_US='https://api.us.ovhcloud.com/1.0'
#'ovh-ca': #'ovh-ca':
OVH_CA='https://ca.api.ovh.com/1.0' OVH_CA='https://ca.api.ovh.com/1.0'
@ -29,9 +32,6 @@ SYS_EU='https://eu.api.soyoustart.com/1.0'
#'soyoustart-ca' #'soyoustart-ca'
SYS_CA='https://ca.api.soyoustart.com/1.0' SYS_CA='https://ca.api.soyoustart.com/1.0'
#'runabove-ca'
RAV_CA='https://api.runabove.com/1.0'
wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api" wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api"
ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success" ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success"
@ -45,6 +45,10 @@ _ovh_get_api() {
printf "%s" $OVH_EU printf "%s" $OVH_EU
return return
;; ;;
ovh-us | ovhus)
printf "%s" $OVH_US
return
;;
ovh-ca | ovhca) ovh-ca | ovhca)
printf "%s" $OVH_CA printf "%s" $OVH_CA
return return
@ -65,14 +69,15 @@ _ovh_get_api() {
printf "%s" $SYS_CA printf "%s" $SYS_CA
return return
;; ;;
runabove-ca | runaboveca)
printf "%s" $RAV_CA
# raw API url starts with https://
https*)
printf "%s" "$1"
return return
;; ;;
*) *)
_err "Unknown parameter : $1"
_err "Unknown endpoint : $1"
return 1 return 1
;; ;;
esac esac
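Review bot: The new `https*)` arm in `_ovh_get_api` turns `OVH_END_POINT` into an arbitrary API base, so every request — presumably carrying the application key, consumer key and request signature — goes to whatever host that variable names, and the glob also accepts strings such as `httpsfoo` or `https:example` that are not URLs at all. Tighten it to `https://*)` and, because the saved value is re-used on every renewal, log the endpoint in use (`_info "Using OVH API endpoint $1"`) so a mistyped or tampered value is visible rather than silently receiving credentials. Users who had `runabove-ca` configured now hit `Unknown endpoint`, which deserves a pointer to the raw-URL form in that error. `_ovh_get_api` starts and ends outside the hunk.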

22
dnsapi/dns_pleskxml.sh

@ -41,7 +41,7 @@ pleskxml_init_checks_done=0
NEWLINE='\ NEWLINE='\
' '
pleskxml_tplt_get_domains="<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>"
pleskxml_tplt_get_domains="<packet><webspace><get><filter/><dataset><gen_info/></dataset></get></webspace></packet>"
# Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh # Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh
# Also used to test credentials and URI. # Also used to test credentials and URI.
# No params. # No params.
@ -145,22 +145,25 @@ dns_pleskxml_rm() {
)" )"
if [ -z "$reclist" ]; then if [ -z "$reclist" ]; then
_err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting."
_err "No TXT records found for root domain $fulldomain (Plesk domain ID ${root_domain_id}). Exiting."
return 1 return 1
fi fi
_debug "Got list of DNS TXT records for root domain '$root_domain_name':"
_debug "Got list of DNS TXT records for root Plesk domain ID ${root_domain_id} of root domain $fulldomain:"
_debug "$reclist" _debug "$reclist"
# Extracting the id of the TXT record for the full domain (NOT case-sensitive) and corresponding value
recid="$( recid="$(
_value "$reclist" | _value "$reclist" |
grep "<host>${fulldomain}.</host>" |
grep -i "<host>${fulldomain}.</host>" |
grep "<value>${txtvalue}</value>" | grep "<value>${txtvalue}</value>" |
sed 's/^.*<id>\([0-9]\{1,\}\)<\/id>.*$/\1/' sed 's/^.*<id>\([0-9]\{1,\}\)<\/id>.*$/\1/'
)" )"
_debug "Got id from line: $recid"
if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then
_err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
_err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
_err "Cannot delete TXT record. Exiting." _err "Cannot delete TXT record. Exiting."
return 1 return 1
fi fi
@ -251,9 +254,12 @@ _call_api() {
# Detect any <status> that isn't "ok". None of the used calls should fail if the API is working correctly. # Detect any <status> that isn't "ok". None of the used calls should fail if the API is working correctly.
# Also detect if there simply aren't any status lines (null result?) and report that, as well. # Also detect if there simply aren't any status lines (null result?) and report that, as well.
# Remove <data></data> structure from result string, since it might contain <status> values that are related to the status of the domain and not to the API request
statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>[^<]*</status> *$')"
statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>ok</status> *$')"
statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>[^<]*</status> *$')"
statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>ok</status> *$')"
_debug "statuslines_count_total=$statuslines_count_total."
_debug "statuslines_count_okay=$statuslines_count_okay."
if [ -z "$statuslines_count_total" ]; then if [ -z "$statuslines_count_total" ]; then
@ -375,7 +381,7 @@ _pleskxml_get_root_domain() {
# Output will be one line per known domain, containing 2 <name> tages and a single <id> tag # Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
# We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.
output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' '<type>domain</type>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
_debug 'Domains managed by Plesk server are (ignore the hacked output):' _debug 'Domains managed by Plesk server are (ignore the hacked output):'
_debug "$output" _debug "$output"
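Review bot: In `_call_api` the new `sed '/<data>/,/<\/data>/d'` filters open a range on the line matching `<data>` and look for the closing `</data>` only on later lines, so if `pleskxml_prettyprint_result` ever carries `<data>…</data>` on a single line the deletion runs to the next `</data>` or to end of output and both `statuslines_count_*` values presumably collapse to 0, turning a successful reply into the null-result path. If the pretty-printer guarantees one tag per line, say so in the comment above; otherwise strip the single-line form first: `sed 's/<data>.*<\/data>//; /<data>/,/<\/data>/d'`. In `dns_pleskxml_rm` the `grep -i "<host>${fulldomain}.</host>"` interpolates the domain as a regex, so each `.` matches any character and a sibling record such as `_acme-challengeXexample.com` would also be selected; `grep -i -F` (or escaping the dots) pins the match to the literal name. `_call_api` and `dns_pleskxml_rm` both start before their hunks.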
