[](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
+- Support ACME v1 and ACME v2
+- Support ACME v2 wildcard certs
- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
- Bash, dash and sh compatible.
- Simplest shell script for Let's Encrypt free certificate client.
@@ -11,19 +13,20 @@
- DOES NOT require `root/sudoer` access.
- Docker friendly
- IPv6 support
+- Cron job notifications for renewal or error etc.
It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
-Wiki: https://github.com/Neilpang/acme.sh/wiki
+Wiki: https://github.com/acmesh-official/acme.sh/wiki
-For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker)
+For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker)
Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
-# [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
+# [中文说明](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
-# Who are using **acme.sh**
+# Who:
- [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
- [ruby-china.org](https://ruby-china.org/topics/31983)
- [Proxmox](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer))
@@ -31,57 +34,67 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
-- [Centminmod](http://centminmod.com/letsencrypt-acmetool-https.html)
+- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
-- [archlinux](https://aur.archlinux.org/packages/acme.sh-git/)
+- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
-- [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials)
+- [CentOS Web Panel](http://centos-webpanel.com/)
+- [lnmp.org](https://lnmp.org/)
+- [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials)
# Tested OS
| NO | Status| Platform|
|----|-------|---------|
-|1|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
-|2|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
-|3|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
-|4|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
-|5|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
-|6|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
-|7|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
-|8|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
-|9|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
-|10|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
-|11|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
-|12|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
-|13|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
-|14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111
-|15|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
-|16|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia
-|17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT)
-|18|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris
-|19|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
-|20|[](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX
-
-For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest):
-
-https://github.com/Neilpang/acmetest
-
+|1|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Ubuntu
+|2|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Debian
+|3|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|CentOS
+|4|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
+|5|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|FreeBSD
+|6|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|pfsense
+|7|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|openSUSE
+|8|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Alpine Linux (with curl)
+|9|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Archlinux
+|10|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|fedora
+|11|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Kali Linux
+|12|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Oracle Linux
+|13|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
+|14|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111
+|15|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|OpenBSD
+|16|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Mageia
+|17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
+|18|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|SunOS/Solaris
+|19|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|Gentoo Linux
+|20|[](https://travis-ci.org/acmesh-official/acme.sh)|Mac OSX
+|21|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)|ClearLinux
+
+For all build statuses, check our [weekly build project](https://github.com/acmesh-official/acmetest):
+
+https://github.com/acmesh-official/acmetest
+
+# Supported CA
+
+- Letsencrypt.org CA(default)
+- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
+- [Pebble strict Mode](https://github.com/letsencrypt/pebble)
# Supported modes
- Webroot mode
- Standalone mode
+- Standalone tls-alpn mode
- Apache mode
-- Nginx mode ( Beta )
+- Nginx mode
- DNS mode
-- [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode)
+- [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode)
+- [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode)
# 1. How to install
### 1. Install online
-Check this project: https://github.com/Neilpang/get.acme.sh
+Check this project: https://github.com/acmesh-official/get.acme.sh
```bash
curl https://get.acme.sh | sh
@@ -99,14 +112,14 @@ wget -O - https://get.acme.sh | sh
Clone this project and launch installation:
```bash
-git clone https://github.com/Neilpang/acme.sh.git
+git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install
```
You `don't have to be root` then, although `it is recommended`.
-Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install
+Advanced Installation: https://github.com/acmesh-official/acme.sh/wiki/How-to-install
The installer will perform 3 actions:
@@ -127,7 +140,7 @@ Ok, you are ready to issue certs now.
Show help message:
-```
+```sh
root@v1:~# acme.sh -h
```
@@ -164,16 +177,16 @@ You must have at least one domain there.
You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`.
-Generated/issued certs will be placed in `~/.acme.sh/example.com/`
+The certs will be placed in `~/.acme.sh/example.com/`
-The issued cert will be renewed automatically every **60** days.
+The certs will be renewed automatically every **60** days.
-More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
-# 3. Install the issued cert to Apache/Nginx etc.
+# 3. Install the cert to Apache/Nginx etc.
-After you issue a cert, you probably want to install/copy the cert to your Apache/Nginx or other servers.
+After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers.
You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future.
**Apache** example:
@@ -195,13 +208,15 @@ acme.sh --install-cert -d example.com \
Only the domain is required, all the other parameters are optional.
-The ownership and permission info of existing files are preserved. You may want to precreate the files to have defined ownership and permission.
+The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permission.
-Install/copy the issued cert/key to the production Apache or Nginx path.
+Install/copy the cert/key to the production Apache or Nginx path.
The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
+**Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.**
+
# 4. Use Standalone server to issue cert
**(requires you to be root/sudoer or have permission to listen on port 80 (TCP))**
@@ -212,22 +227,19 @@ Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to
acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
```
-More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-
+More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
-# 5. Use Standalone TLS server to issue cert
+# 5. Use Standalone ssl server to issue cert
**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))**
-acme.sh supports `tls-sni-01` validation.
-
Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
```bash
-acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com
+acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com
```
-More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
# 6. Use Apache mode
@@ -236,15 +248,19 @@ More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`.
-Particularly, if you are running an Apache server, you should use Apache mode instead. This mode doesn't write any files to your web root folder.
+Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder.
Just set string "apache" as the second argument and it will force use of apache plugin automatically.
-```
+```sh
acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com
```
-More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+**This apache mode is only to issue the cert, it will not change your apache config files.
+You will need to configure your website config files to use the cert by yourself.
+We don't want to mess with your apache server, don't worry.**
+
+More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
# 7. Use Nginx mode
@@ -260,15 +276,31 @@ It will configure nginx server automatically to verify the domain and then resto
So, the config is not changed.
-```
+```sh
acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
```
-More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+**This nginx mode is only to issue the cert, it will not change your nginx config files.
+You will need to configure your website config files to use the cert by yourself.
+We don't want to mess with your nginx server, don't worry.**
+
+More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
+
+# 8. Automatic DNS API integration
+
+If your DNS provider supports API access, we can use that API to automatically issue the certs.
+
+You don't have to do anything manually!
+
+### Currently acme.sh supports most of the dns providers:
-# 8. Use DNS mode:
+https://github.com/acmesh-official/acme.sh/wiki/dnsapi
-Support the `dns-01` challenge.
+# 9. Use DNS manual mode:
+
+See: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode first.
+
+If your dns provider doesn't support any api access, you can add the txt record by your hand.
```bash
acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com
@@ -276,7 +308,7 @@ acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com
You should get an output like below:
-```
+```sh
Add the following txt record:
Domain:_acme-challenge.example.com
Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
@@ -294,78 +326,19 @@ Then just rerun with `renew` argument:
acme.sh --renew -d example.com
```
-Ok, it's finished.
+Ok, it's done.
**Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.**
**Please use dns api mode instead.**
-# 9. Automatic DNS API integration
-
-If your DNS provider supports API access, we can use that API to automatically issue the certs.
-
-You don't have to do anything manually!
-
-### Currently acme.sh supports:
-
-1. CloudFlare.com API
-1. DNSPod.cn API
-1. CloudXNS.com API
-1. GoDaddy.com API
-1. PowerDNS.com API
-1. OVH, kimsufi, soyoustart and runabove API
-1. nsupdate API
-1. LuaDNS.com API
-1. DNSMadeEasy.com API
-1. AWS Route 53
-1. aliyun.com(阿里云) API
-1. ISPConfig 3.1 API
-1. Alwaysdata.com API
-1. Linode.com API
-1. FreeDNS (https://freedns.afraid.org/)
-1. cyon.ch
-1. Domain-Offensive/Resellerinterface/Domainrobot API
-1. Gandi LiveDNS API
-1. Knot DNS API
-1. DigitalOcean API (native)
-1. ClouDNS.net API
-1. Infoblox NIOS API (https://www.infoblox.com/)
-1. VSCALE (https://vscale.io/)
-1. Dynu API (https://www.dynu.com)
-1. DNSimple API
-1. NS1.com API
-1. DuckDNS.org API
-1. Name.com API
-1. Dyn Managed DNS API
-1. Yandex PDD API (https://pdd.yandex.ru)
-1. Hurricane Electric DNS service (https://dns.he.net)
-1. UnoEuro API (https://www.unoeuro.com/)
-1. INWX (https://www.inwx.de/)
-1. Servercow (https://servercow.de)
-1. Namesilo (https://www.namesilo.com)
-1. InternetX autoDNS API (https://internetx.com)
-
-And:
-
-1. lexicon DNS API: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
- (DigitalOcean, DNSimple, DNSMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
-
-
-
-**More APIs coming soon...**
-
-If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute it to the project.
-
-For more details: [How to use DNS API](dnsapi)
-
-
# 10. Issue ECC certificates
`Let's Encrypt` can now issue **ECDSA** certificates.
And we support them too!
-Just set the `length` parameter with a prefix `ec-`.
+Just set the `keylength` parameter with a prefix `ec-`.
For example:
@@ -381,7 +354,7 @@ acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256
acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256
```
-Please look at the last parameter above.
+Please look at the `keylength` parameter above.
Valid values are:
@@ -390,36 +363,60 @@ Valid values are:
3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
-# 11. How to renew the issued certs
-No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
+# 11. Issue Wildcard certificates
-However, you can also force to renew any cert:
+It's simple, just give a wildcard domain as the `-d` parameter.
+```sh
+acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf
```
+
+
+
+# 12. How to renew the certs
+
+No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
+
+However, you can also force to renew a cert:
+
+```sh
acme.sh --renew -d example.com --force
```
or, for ECC cert:
-```
+```sh
acme.sh --renew -d example.com --force --ecc
```
-# 12. How to upgrade `acme.sh`
+# 13. How to stop cert renewal
+
+To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
+
+```sh
+acme.sh --remove -d example.com [--ecc]
+```
+
+The cert/key file is not removed from the disk.
+
+You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.
+
+
+# 14. How to upgrade `acme.sh`
acme.sh is in constant development, so it's strongly recommended to use the latest code.
You can update acme.sh to the latest code:
-```
+```sh
acme.sh --upgrade
```
You can also enable auto upgrade:
-```
+```sh
acme.sh --upgrade --auto-upgrade
```
@@ -427,42 +424,76 @@ Then **acme.sh** will be kept up to date automatically.
Disable auto upgrade:
-```
+```sh
acme.sh --upgrade --auto-upgrade 0
```
-# 13. Issue a cert from an existing CSR
+# 15. Issue a cert from an existing CSR
-https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR
+https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR
-# 14. Under the Hood
+# 16. Send notifications in cronjob
+
+https://github.com/acmesh-official/acme.sh/wiki/notify
+
+
+# 17. Under the Hood
Speak ACME language using shell, directly to "Let's Encrypt".
TODO:
-# 15. Acknowledgments
+# 18. Acknowledgments
1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme
-3. Certbot: https://github.com/certbot/certbot
-# 16. License & Others
+## Contributors
+
+### Code Contributors
+
+This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+
+
+### Financial Contributors
+
+Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)]
+
+#### Individuals
+
+
+
+#### Organizations
+
+Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)]
+
+
+
+
+
+
+
+
+
+
+
+
+# 19. License & Others
License is GPLv3
Please Star and Fork me.
-[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome.
+[Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome.
-# 17. Donate
+# 20. Donate
Your donation makes **acme.sh** better:
1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)
-
-[Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list)
+
+[Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list)
diff --git a/acme.sh b/acme.sh
index 48297c7d..97d71a22 100755
--- a/acme.sh
+++ b/acme.sh
@@ -1,20 +1,33 @@
#!/usr/bin/env sh
-VER=2.7.6
+VER=2.8.6
PROJECT_NAME="acme.sh"
PROJECT_ENTRY="acme.sh"
-PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
+PROJECT="https://github.com/acmesh-official/$PROJECT_NAME"
DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
+
+_WINDOWS_SCHEDULER_NAME="$PROJECT_NAME.cron"
+
_SCRIPT_="$0"
-_SUB_FOLDERS="dnsapi deploy"
+_SUB_FOLDER_NOTIFY="notify"
+_SUB_FOLDER_DNSAPI="dnsapi"
+_SUB_FOLDER_DEPLOY="deploy"
-_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org"
-DEFAULT_CA="https://acme-v01.api.letsencrypt.org/directory"
+_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
+
+LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
+LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
+
+LETSENCRYPT_CA_V2="https://acme-v02.api.letsencrypt.org/directory"
+LETSENCRYPT_STAGING_CA_V2="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+DEFAULT_CA=$LETSENCRYPT_CA_V2
+DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V2
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
DEFAULT_ACCOUNT_EMAIL=""
@@ -24,23 +37,22 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048
DEFAULT_OPENSSL_BIN="openssl"
-STAGE_CA="https://acme-staging.api.letsencrypt.org/directory"
+_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org"
_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org"
VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"
-VTYPE_TLS="tls-sni-01"
-#VTYPE_TLS2="tls-sni-02"
+VTYPE_ALPN="tls-alpn-01"
LOCAL_ANY_ADDRESS="0.0.0.0"
-MAX_RENEW=60
-
-DEFAULT_DNS_SLEEP=120
+DEFAULT_RENEW=60
NO_VALUE="no"
-W_TLS="tls"
+W_DNS="dns"
+W_ALPN="alpn"
+DNS_ALIAS_PREFIX="="
MODE_STATELESS="stateless"
@@ -56,8 +68,12 @@ END_CSR="-----END CERTIFICATE REQUEST-----"
BEGIN_CERT="-----BEGIN CERTIFICATE-----"
END_CERT="-----END CERTIFICATE-----"
+CONTENT_TYPE_JSON="application/jose+json"
RENEW_SKIP=2
+B64CONF_START="__ACME_BASE64__START_"
+B64CONF_END="__ACME_BASE64__END_"
+
ECC_SEP="_"
ECC_SUFFIX="${ECC_SEP}ecc"
@@ -72,6 +88,9 @@ DEBUG_LEVEL_3=3
DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
DEBUG_LEVEL_NONE=0
+DOH_CLOUDFLARE=1
+DOH_GOOGLE=2
+
HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
SYSLOG_ERROR="user.error"
@@ -93,42 +112,63 @@ SYSLOG_LEVEL_DEFAULT=$SYSLOG_LEVEL_ERROR
#none
SYSLOG_LEVEL_NONE=0
-_DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
+NOTIFY_LEVEL_DISABLE=0
+NOTIFY_LEVEL_ERROR=1
+NOTIFY_LEVEL_RENEW=2
+NOTIFY_LEVEL_SKIP=3
+
+NOTIFY_LEVEL_DEFAULT=$NOTIFY_LEVEL_RENEW
+
+NOTIFY_MODE_BULK=0
+NOTIFY_MODE_CERT=1
+
+NOTIFY_MODE_DEFAULT=$NOTIFY_MODE_BULK
+
+_DEBUG_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh"
+
+_PREPARE_LINK="https://github.com/acmesh-official/acme.sh/wiki/Install-preparations"
+
+_STATELESS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode"
-_PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
+_DNS_ALIAS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode"
-_STATELESS_WIKI="https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode"
+_DNS_MANUAL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode"
+
+_NOTIFY_WIKI="https://github.com/acmesh-official/acme.sh/wiki/notify"
+
+_SUDO_WIKI="https://github.com/acmesh-official/acme.sh/wiki/sudo"
+
+_REVOKE_WIKI="https://github.com/acmesh-official/acme.sh/wiki/revokecert"
_DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
_DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
+_DNS_MANUAL_ERROR="It seems that you are using dns manual mode. Read this link first: $_DNS_MANUAL_WIKI"
+
__INTERACTIVE=""
if [ -t 1 ]; then
__INTERACTIVE="1"
fi
__green() {
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
- printf '\033[1;31;32m'
+ if [ "${__INTERACTIVE}${ACME_NO_COLOR:-0}" = "10" -o "${ACME_FORCE_COLOR}" = "1" ]; then
+ printf '\33[1;32m%b\33[0m' "$1"
+ return
fi
printf -- "%b" "$1"
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
- printf '\033[0m'
- fi
}
__red() {
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
- printf '\033[1;31;40m'
+ if [ "${__INTERACTIVE}${ACME_NO_COLOR:-0}" = "10" -o "${ACME_FORCE_COLOR}" = "1" ]; then
+ printf '\33[1;31m%b\33[0m' "$1"
+ return
fi
printf -- "%b" "$1"
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
- printf '\033[0m'
- fi
}
_printargs() {
+ _exitstatus="$?"
if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
printf -- "%s" "[$(date)] "
fi
@@ -138,6 +178,8 @@ _printargs() {
printf -- "%s" "$1='$2'"
fi
printf "\n"
+ # return the saved exit status
+ return "$_exitstatus"
}
_dlg_versions() {
@@ -165,7 +207,7 @@ _dlg_versions() {
echo "socat:"
if _exists "socat"; then
- socat -h 2>&1
+ socat -V 2>&1
else
_debug "socat doesn't exists."
fi
@@ -173,6 +215,7 @@ _dlg_versions() {
#class
_syslog() {
+ _exitstatus="$?"
if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" = "$SYSLOG_LEVEL_NONE" ]; then
return
fi
@@ -186,6 +229,7 @@ _syslog() {
fi
fi
$__logger_i -t "$PROJECT_NAME" -p "$_logclass" "$(_printargs "$@")" >/dev/null 2>&1
+ return "$_exitstatus"
}
_log() {
@@ -221,6 +265,37 @@ _usage() {
printf "\n" >&2
}
+__debug_bash_helper() {
+ # At this point only do for --debug 3
+ if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -lt "$DEBUG_LEVEL_3" ]; then
+ return
+ fi
+ # Return extra debug info when running with bash, otherwise return empty
+ # string.
+ if [ -z "${BASH_VERSION}" ]; then
+ return
+ fi
+ # We are a bash shell at this point, return the filename, function name, and
+ # line number as a string
+ _dbh_saveIFS=$IFS
+ IFS=" "
+ # Must use eval or syntax error happens under dash. The eval should use
+ # single quotes as older versions of busybox had a bug with double quotes and
+ # eval.
+ # Use 'caller 1' as we want one level up the stack as we should be called
+ # by one of the _debug* functions
+ eval '_dbh_called=($(caller 1))'
+ IFS=$_dbh_saveIFS
+ eval '_dbh_file=${_dbh_called[2]}'
+ if [ -n "${_script_home}" ]; then
+ # Trim off the _script_home directory name
+ eval '_dbh_file=${_dbh_file#$_script_home/}'
+ fi
+ eval '_dbh_function=${_dbh_called[1]}'
+ eval '_dbh_lineno=${_dbh_called[0]}'
+ printf "%-40s " "$_dbh_file:${_dbh_function}:${_dbh_lineno}"
+}
+
_debug() {
if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
_log "$@"
@@ -229,7 +304,8 @@ _debug() {
_syslog "$SYSLOG_DEBUG" "$@"
fi
if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
- _printargs "$@" >&2
+ _bash_debug=$(__debug_bash_helper)
+ _printargs "${_bash_debug}$@" >&2
fi
}
@@ -262,7 +338,8 @@ _debug2() {
_syslog "$SYSLOG_DEBUG" "$@"
fi
if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
- _printargs "$@" >&2
+ _bash_debug=$(__debug_bash_helper)
+ _printargs "${_bash_debug}$@" >&2
fi
}
@@ -294,7 +371,8 @@ _debug3() {
_syslog "$SYSLOG_DEBUG" "$@"
fi
if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
- _printargs "$@" >&2
+ _bash_debug=$(__debug_bash_helper)
+ _printargs "${_bash_debug}$@" >&2
fi
}
@@ -763,6 +841,21 @@ _url_encode() {
done
}
+_json_encode() {
+ _j_str="$(sed 's/"/\\"/g' | sed "s/\r/\\r/g")"
+ _debug3 "_json_encode"
+ _debug3 "_j_str" "$_j_str"
+ echo "$_j_str" | _hex_dump | _lower_case | sed 's/0a/5c 6e/g' | tr -d ' ' | _h2b | tr -d "\r\n"
+}
+
+#from: http:\/\/ to http://
+_json_decode() {
+ _j_str="$(sed 's#\\/#/#g')"
+ _debug3 "_json_decode"
+ _debug3 "_j_str" "$_j_str"
+ echo "$_j_str"
+}
+
#options file
_sed_i() {
options="$1"
@@ -839,6 +932,16 @@ _dbase64() {
fi
}
+#file
+_checkcert() {
+ _cf="$1"
+ if [ "$DEBUG" ]; then
+ openssl x509 -noout -text -in "$_cf"
+ else
+ openssl x509 -noout -text -in "$_cf" >/dev/null 2>&1
+ fi
+}
+
#Usage: hashalg [outputhex]
#Output Base64-encoded digest
_digest() {
@@ -975,10 +1078,20 @@ _createkey() {
if _isEccKey "$length"; then
_debug "Using ec name: $eccname"
- ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
+ echo "$_opkey" >"$f"
+ else
+ _err "error ecc key name: $eccname"
+ return 1
+ fi
else
_debug "Using RSA: $length"
- ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
+ echo "$_opkey" >"$f"
+ else
+ _err "error rsa key: $length"
+ return 1
+ fi
fi
if [ "$?" != "0" ]; then
@@ -991,7 +1104,7 @@ _createkey() {
_is_idn() {
_is_idn_d="$1"
_debug2 _is_idn_d "$_is_idn_d"
- _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '.,-')
+ _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '*.,-_')
_debug2 _idn_temp "$_idn_temp"
[ "$_idn_temp" ]
}
@@ -1025,7 +1138,7 @@ _idn() {
fi
}
-#_createcsr cn san_list keyfile csrfile conf
+#_createcsr cn san_list keyfile csrfile conf acmeValidationv1
_createcsr() {
_debug _createcsr
domain="$1"
@@ -1033,6 +1146,7 @@ _createcsr() {
csrkey="$3"
csr="$4"
csrconf="$5"
+ acmeValidationv1="$6"
_debug2 domain "$domain"
_debug2 domainlist "$domainlist"
_debug2 csrkey "$csrkey"
@@ -1041,27 +1155,34 @@ _createcsr() {
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
- if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
+ if [ "$acmeValidationv1" ]; then
+ domainlist="$(_idn "$domainlist")"
+ printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
+ elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
#single domain
_info "Single domain" "$domain"
+ printf -- "\nsubjectAltName=DNS:$(_idn "$domain")" >>"$csrconf"
else
domainlist="$(_idn "$domainlist")"
_debug2 domainlist "$domainlist"
if _contains "$domainlist" ","; then
- alt="DNS:$(echo "$domainlist" | sed "s/,/,DNS:/g")"
+ alt="DNS:$(_idn "$domain"),DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
else
- alt="DNS:$domainlist"
+ alt="DNS:$(_idn "$domain"),DNS:$domainlist"
fi
#multi
_info "Multi domain" "$alt"
printf -- "\nsubjectAltName=$alt" >>"$csrconf"
fi
- if [ "$Le_OCSP_Staple" ] || [ "$Le_OCSP_Stable" ]; then
+ if [ "$Le_OCSP_Staple" = "1" ]; then
_savedomainconf Le_OCSP_Staple "$Le_OCSP_Staple"
- _cleardomainconf Le_OCSP_Stable
printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
fi
+ if [ "$acmeValidationv1" ]; then
+ printf "\n1.3.6.1.5.5.7.1.31=critical,DER:04:20:${acmeValidationv1}" >>"${csrconf}"
+ fi
+
_csr_cn="$(_idn "$domain")"
_debug2 _csr_cn "$_csr_cn"
if _contains "$(uname -a)" "MINGW"; then
@@ -1112,12 +1233,17 @@ _readSubjectAltNamesFromCSR() {
if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
_debug "AltNames contains subject"
- _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
+ _excapedAlgnames="$(echo "$_dnsAltnames" | tr '*' '#')"
+ _debug _excapedAlgnames "$_excapedAlgnames"
+ _escapedSubject="$(echo "$_csrsubj" | tr '*' '#')"
+ _debug _escapedSubject "$_escapedSubject"
+ _dnsAltnames="$(echo "$_excapedAlgnames," | sed "s/DNS:$_escapedSubject,//g" | tr '#' '*' | sed "s/,\$//g")"
+ _debug _dnsAltnames "$_dnsAltnames"
else
_debug "AltNames doesn't contain subject"
fi
- printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
+ echo "$_dnsAltnames" | sed "s/DNS://g"
}
#_csrfile
@@ -1155,7 +1281,7 @@ _ss() {
if _exists "netstat"; then
_debug "Using: netstat"
- if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
+ if netstat -help 2>&1 | grep "\-p proto" >/dev/null; then
#for windows version netstat tool
netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
else
@@ -1268,12 +1394,19 @@ _create_account_key() {
_initpath
mkdir -p "$CA_DIR"
- if [ -f "$ACCOUNT_KEY_PATH" ]; then
+ if [ -s "$ACCOUNT_KEY_PATH" ]; then
_info "Account key exists, skip"
- return
+ return 0
else
#generate account key
- _createkey "$length" "$ACCOUNT_KEY_PATH"
+ if _createkey "$length" "$ACCOUNT_KEY_PATH"; then
+ chmod 600 "$ACCOUNT_KEY_PATH"
+ _info "Create account key ok."
+ return 0
+ else
+ _err "Create account key error."
+ return 1
+ fi
fi
}
@@ -1296,10 +1429,14 @@ createDomainKey() {
_initpath "$domain" "$_cdl"
- if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
+ if [ ! -f "$CERT_KEY_PATH" ] || [ ! -s "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
if _createkey "$_cdl" "$CERT_KEY_PATH"; then
_savedomainconf Le_Keylength "$_cdl"
_info "The domain key is here: $(__green $CERT_KEY_PATH)"
+ return 0
+ else
+ _err "Can not create domain key"
+ return 1
fi
else
if [ "$IS_RENEW" ]; then
@@ -1347,17 +1484,17 @@ _url_replace() {
}
_time2str() {
- #Linux
- if date -u -d@"$1" 2>/dev/null; then
+ #BSD
+ if date -u -r "$1" 2>/dev/null; then
return
fi
- #BSD
- if date -u -r "$1" 2>/dev/null; then
+ #Linux
+ if date -u -d@"$1" 2>/dev/null; then
return
fi
- #Soaris
+ #Solaris
if _exists adb; then
_t_s_a=$(echo "0t${1}=Y" | adb)
echo "$_t_s_a"
@@ -1421,7 +1558,7 @@ _calcjwk() {
JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}'
JWK_HEADERPLACE_PART1='{"nonce": "'
- JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
+ JWK_HEADERPLACE_PART2='", "alg": "RS256"'
elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
_debug "EC key"
crv="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
@@ -1490,9 +1627,10 @@ _calcjwk() {
JWK_HEADER='{"alg": "ES'$__ECC_KEY_LEN'", "jwk": '$jwk'}'
JWK_HEADERPLACE_PART1='{"nonce": "'
- JWK_HEADERPLACE_PART2='", "alg": "ES'$__ECC_KEY_LEN'", "jwk": '$jwk'}'
+ JWK_HEADERPLACE_PART2='", "alg": "ES'$__ECC_KEY_LEN'"'
else
- _err "Only RSA or EC key is supported."
+ _err "Only RSA or EC key is supported. keyfile=$keyfile"
+ _debug2 "$(cat "$keyfile")"
return 1
fi
@@ -1554,6 +1692,9 @@ _inithttp() {
_ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
fi
+ if _contains "$(curl --help 2>&1)" "--globoff"; then
+ _ACME_CURL="$_ACME_CURL -g "
+ fi
fi
if [ -z "$_ACME_WGET" ] && _exists "wget"; then
@@ -1577,19 +1718,21 @@ _inithttp() {
}
-# body url [needbase64] [POST|PUT]
+# body url [needbase64] [POST|PUT|DELETE] [ContentType]
_post() {
body="$1"
- url="$2"
+ _post_url="$2"
needbase64="$3"
httpmethod="$4"
+ _postContentType="$5"
if [ -z "$httpmethod" ]; then
httpmethod="POST"
fi
_debug $httpmethod
- _debug "url" "$url"
+ _debug "_post_url" "$_post_url"
_debug2 "body" "$body"
+ _debug2 "_postContentType" "$_postContentType"
_inithttp
@@ -1598,11 +1741,38 @@ _post() {
if [ "$HTTPS_INSECURE" ]; then
_CURL="$_CURL --insecure "
fi
+ if [ "$httpmethod" = "HEAD" ]; then
+ _CURL="$_CURL -I "
+ fi
_debug "_CURL" "$_CURL"
if [ "$needbase64" ]; then
- response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
+ if [ "$body" ]; then
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+ fi
+ else
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)"
+ fi
+ fi
else
- response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url")"
+ if [ "$body" ]; then
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+ fi
+ else
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")"
+ fi
+ fi
fi
_ret="$?"
if [ "$_ret" != "0" ]; then
@@ -1617,18 +1787,43 @@ _post() {
if [ "$HTTPS_INSECURE" ]; then
_WGET="$_WGET --no-check-certificate "
fi
+ if [ "$httpmethod" = "HEAD" ]; then
+ _WGET="$_WGET --read-timeout=3.0 --tries=2 "
+ fi
_debug "_WGET" "$_WGET"
if [ "$needbase64" ]; then
if [ "$httpmethod" = "POST" ]; then
- response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
+ if [ "$_postContentType" ]; then
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+ else
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+ fi
else
- response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
+ if [ "$_postContentType" ]; then
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+ else
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+ fi
fi
else
if [ "$httpmethod" = "POST" ]; then
- response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
+ if [ "$_postContentType" ]; then
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ else
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ fi
+ elif [ "$httpmethod" = "HEAD" ]; then
+ if [ "$_postContentType" ]; then
+ response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ else
+ response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ fi
else
- response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
+ if [ "$_postContentType" ]; then
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ else
+ response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ fi
fi
fi
_ret="$?"
@@ -1656,7 +1851,7 @@ _get() {
onlyheader="$2"
t="$3"
_debug url "$url"
- _debug "timeout" "$t"
+ _debug "timeout=$t"
_inithttp
@@ -1739,44 +1934,66 @@ _send_signed_request() {
return 1
fi
+ __request_conent_type="$CONTENT_TYPE_JSON"
+
payload64=$(printf "%s" "$payload" | _base64 | _url_replace)
_debug3 payload64 "$payload64"
- MAX_REQUEST_RETRY_TIMES=5
+ MAX_REQUEST_RETRY_TIMES=20
+ _sleep_retry_sec=1
_request_retry_times=0
while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
+ _request_retry_times=$(_math "$_request_retry_times" + 1)
_debug3 _request_retry_times "$_request_retry_times"
if [ -z "$_CACHED_NONCE" ]; then
_headers=""
if [ "$ACME_NEW_NONCE" ]; then
- _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
+ _debug2 "Get nonce with HEAD. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
nonceurl="$ACME_NEW_NONCE"
- if _post "" "$nonceurl" "" "HEAD"; then
+ if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then
_headers="$(cat "$HTTP_HEADER")"
+ _debug2 _headers "$_headers"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
fi
- if [ -z "$_headers" ]; then
- _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY"
+ if [ -z "$_CACHED_NONCE" ]; then
+ _debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY"
nonceurl="$ACME_DIRECTORY"
_headers="$(_get "$nonceurl" "onlyheader")"
+ _debug2 _headers "$_headers"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
-
+ if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then
+ _debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
+ nonceurl="$ACME_NEW_NONCE"
+ _headers="$(_get "$nonceurl" "onlyheader")"
+ _debug2 _headers "$_headers"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+ fi
+ _debug2 _CACHED_NONCE "$_CACHED_NONCE"
if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce."
return 1
fi
-
- _debug2 _headers "$_headers"
-
- _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
- _debug2 _CACHED_NONCE "$_CACHED_NONCE"
else
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
fi
nonce="$_CACHED_NONCE"
_debug2 nonce "$nonce"
-
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2"
+ if [ -z "$nonce" ]; then
+ _info "Could not get nonce, let's try again."
+ _sleep 2
+ continue
+ fi
+ if [ "$ACME_VERSION" = "2" ]; then
+ if [ "$url" = "$ACME_NEW_ACCOUNT" ] || [ "$url" = "$ACME_REVOKE_CERT" ]; then
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+ else
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
+ fi
+ else
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+ fi
_debug3 protected "$protected"
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
@@ -1791,42 +2008,49 @@ _send_signed_request() {
sig="$(printf "%s" "$_sig_t" | _url_replace)"
_debug3 sig "$sig"
- body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
+ body="{\"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
_debug3 body "$body"
- response="$(_post "$body" "$url" "$needbase64")"
+ response="$(_post "$body" "$url" "$needbase64" "POST" "$__request_conent_type")"
_CACHED_NONCE=""
if [ "$?" != "0" ]; then
_err "Can not post to $url"
return 1
fi
- _debug2 original "$response"
- response="$(echo "$response" | _normalizeJson)"
responseHeaders="$(cat "$HTTP_HEADER")"
-
_debug2 responseHeaders "$responseHeaders"
- _debug2 response "$response"
+
code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
_debug code "$code"
- _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
-
- _body="$response"
- if [ "$needbase64" ]; then
- _body="$(echo "$_body" | _dbase64)"
- _debug2 _body "$_body"
+ _debug2 original "$response"
+ if echo "$responseHeaders" | grep -i "Content-Type: *application/json" >/dev/null 2>&1; then
+ response="$(echo "$response" | _normalizeJson)"
fi
+ _debug2 response "$response"
- if _contains "$_body" "JWS has invalid anti-replay nonce"; then
- _info "It seems the CA server is busy now, let's wait and retry."
- _request_retry_times=$(_math "$_request_retry_times" + 1)
- _sleep 5
- continue
+ _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+
+ if ! _startswith "$code" "2"; then
+ _body="$response"
+ if [ "$needbase64" ]; then
+ _body="$(echo "$_body" | _dbase64 multiline)"
+ _debug3 _body "$_body"
+ fi
+
+ if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then
+ _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds."
+ _CACHED_NONCE=""
+ _sleep $_sleep_retry_sec
+ continue
+ fi
fi
- break
+ return 0
done
+ _info "Giving up sending to CA server after $MAX_REQUEST_RETRY_TIMES retries."
+ return 1
}
@@ -1867,12 +2091,16 @@ _setopt() {
_debug3 "$(grep -n "^$__opt$__sep" "$__conf")"
}
-#_save_conf file key value
+#_save_conf file key value base64encode
#save to conf
_save_conf() {
_s_c_f="$1"
_sdkey="$2"
_sdvalue="$3"
+ _b64encode="$4"
+ if [ "$_sdvalue" ] && [ "$_b64encode" ]; then
+ _sdvalue="${B64CONF_START}$(printf "%s" "${_sdvalue}" | _base64)${B64CONF_END}"
+ fi
if [ "$_s_c_f" ]; then
_setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'"
else
@@ -1897,19 +2125,23 @@ _read_conf() {
_r_c_f="$1"
_sdkey="$2"
if [ -f "$_r_c_f" ]; then
- (
+ _sdv="$(
eval "$(grep "^$_sdkey *=" "$_r_c_f")"
eval "printf \"%s\" \"\$$_sdkey\""
- )
+ )"
+ if _startswith "$_sdv" "${B64CONF_START}" && _endswith "$_sdv" "${B64CONF_END}"; then
+ _sdv="$(echo "$_sdv" | sed "s/${B64CONF_START}//" | sed "s/${B64CONF_END}//" | _dbase64)"
+ fi
+ printf "%s" "$_sdv"
else
_debug "config file is empty, can not read $_sdkey"
fi
}
-#_savedomainconf key value
+#_savedomainconf key value base64encode
#save to domain.conf
_savedomainconf() {
- _save_conf "$DOMAIN_CONF" "$1" "$2"
+ _save_conf "$DOMAIN_CONF" "$@"
}
#_cleardomainconf key
@@ -1922,14 +2154,36 @@ _readdomainconf() {
_read_conf "$DOMAIN_CONF" "$1"
}
-#_saveaccountconf key value
+#key value base64encode
+_savedeployconf() {
+ _savedomainconf "SAVED_$1" "$2" "$3"
+ #remove later
+ _cleardomainconf "$1"
+}
+
+#key
+_getdeployconf() {
+ _rac_key="$1"
+ _rac_value="$(eval echo \$"$_rac_key")"
+ if [ "$_rac_value" ]; then
+ if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then
+ _debug2 "trim quotation marks"
+ eval "export $_rac_key=$_rac_value"
+ fi
+ return 0 # do nothing
+ fi
+ _saved=$(_readdomainconf "SAVED_$_rac_key")
+ eval "export $_rac_key=\"$_saved\""
+}
+
+#_saveaccountconf key value base64encode
_saveaccountconf() {
- _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2"
+ _save_conf "$ACCOUNT_CONF_PATH" "$@"
}
-#key value
+#key value base64encode
_saveaccountconf_mutable() {
- _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2"
+ _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2" "$3"
#remove later
_clearaccountconf "$1"
}
@@ -1969,6 +2223,7 @@ _clearcaconf() {
_startserver() {
content="$1"
ncaddr="$2"
+ _debug "content" "$content"
_debug "ncaddr" "$ncaddr"
_debug "startserver: $$"
@@ -1984,9 +2239,25 @@ _startserver() {
_NC="$_NC -6"
fi
- _debug "_NC" "$_NC"
- #todo listen address
- $_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK; echo ; echo $content; echo;" &
+ if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
+ _NC="$_NC -d -d -v"
+ fi
+
+ SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork
+
+ #Adding bind to local-address
+ if [ "$ncaddr" ]; then
+ SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
+ fi
+
+ _content_len="$(printf "%s" "$content" | wc -c)"
+ _debug _content_len "$_content_len"
+ _debug "_NC" "$_NC $SOCAT_OPTIONS"
+ $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \
+echo 'HTTP/1.0 200 OK'; \
+echo 'Content-Length\: $_content_len'; \
+echo ''; \
+printf -- '$content';" &
serverproc="$!"
}
@@ -2018,7 +2289,7 @@ _sleep() {
fi
}
-# _starttlsserver san_a san_b port content _ncaddr
+# _starttlsserver san_a san_b port content _ncaddr acmeValidationv1
_starttlsserver() {
_info "Starting tls server."
san_a="$1"
@@ -2026,10 +2297,12 @@ _starttlsserver() {
port="$3"
content="$4"
opaddr="$5"
+ acmeValidationv1="$6"
_debug san_a "$san_a"
_debug san_b "$san_b"
_debug port "$port"
+ _debug acmeValidationv1 "$acmeValidationv1"
#create key TLS_KEY
if ! _createkey "2048" "$TLS_KEY"; then
@@ -2042,7 +2315,7 @@ _starttlsserver() {
if [ "$san_b" ]; then
alt="$alt,$san_b"
fi
- if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
+ if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$acmeValidationv1"; then
_err "Create tls validation csr error."
return 1
fi
@@ -2068,6 +2341,10 @@ _starttlsserver() {
__S_OPENSSL="$__S_OPENSSL -6"
fi
+ if [ "$acmeValidationv1" ]; then
+ __S_OPENSSL="$__S_OPENSSL -alpn acme-tls/1"
+ fi
+
_debug "$__S_OPENSSL"
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
$__S_OPENSSL -tlsextdebug &
@@ -2145,7 +2422,7 @@ __initHome() {
if [ -z "$ACCOUNT_CONF_PATH" ]; then
ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
fi
-
+ _debug3 ACCOUNT_CONF_PATH "$ACCOUNT_CONF_PATH"
DEFAULT_LOG_FILE="$LE_CONFIG_HOME/$PROJECT_NAME.log"
DEFAULT_CA_HOME="$LE_CONFIG_HOME/ca"
@@ -2170,9 +2447,15 @@ _initAPI() {
_debug2 "response" "$response"
ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
+ if [ -z "$ACME_KEY_CHANGE" ]; then
+ ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
+ fi
export ACME_KEY_CHANGE
ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
+ if [ -z "$ACME_NEW_AUTHZ" ]; then
+ ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
+ fi
export ACME_NEW_AUTHZ
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
@@ -2180,6 +2463,9 @@ _initAPI() {
if [ -z "$ACME_NEW_ORDER" ]; then
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
ACME_NEW_ORDER_RES="new-order"
+ if [ -z "$ACME_NEW_ORDER" ]; then
+ ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
+ fi
fi
export ACME_NEW_ORDER
export ACME_NEW_ORDER_RES
@@ -2189,17 +2475,32 @@ _initAPI() {
if [ -z "$ACME_NEW_ACCOUNT" ]; then
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
ACME_NEW_ACCOUNT_RES="new-account"
+ if [ -z "$ACME_NEW_ACCOUNT" ]; then
+ ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
+ if [ "$ACME_NEW_ACCOUNT" ]; then
+ export ACME_VERSION=2
+ fi
+ fi
fi
export ACME_NEW_ACCOUNT
export ACME_NEW_ACCOUNT_RES
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
+ if [ -z "$ACME_REVOKE_CERT" ]; then
+ ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
+ fi
export ACME_REVOKE_CERT
ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
+ if [ -z "$ACME_NEW_NONCE" ]; then
+ ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
+ fi
export ACME_NEW_NONCE
ACME_AGREEMENT=$(echo "$response" | _egrep_o 'terms-of-service" *: *"[^"]*"' | cut -d '"' -f 3)
+ if [ -z "$ACME_AGREEMENT" ]; then
+ ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
+ fi
export ACME_AGREEMENT
_debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
@@ -2208,12 +2509,16 @@ _initAPI() {
_debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT"
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
_debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
+ _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
+ _debug "ACME_VERSION" "$ACME_VERSION"
fi
}
#[domain] [keylength or isEcc flag]
_initpath() {
+ domain="$1"
+ _ilength="$2"
__initHome
@@ -2221,7 +2526,7 @@ _initpath() {
. "$ACCOUNT_CONF_PATH"
fi
- if [ "$IN_CRON" ]; then
+ if [ "$ACME_IN_CRON" ]; then
if [ ! "$_USER_PATH_EXPORTED" ]; then
_USER_PATH_EXPORTED=1
export PATH="$USER_PATH:$PATH"
@@ -2232,16 +2537,21 @@ _initpath() {
CA_HOME="$DEFAULT_CA_HOME"
fi
+ if [ "$ACME_VERSION" = "2" ]; then
+ DEFAULT_CA="$LETSENCRYPT_CA_V2"
+ DEFAULT_STAGING_CA="$LETSENCRYPT_STAGING_CA_V2"
+ fi
+
if [ -z "$ACME_DIRECTORY" ]; then
if [ -z "$STAGE" ]; then
ACME_DIRECTORY="$DEFAULT_CA"
else
- ACME_DIRECTORY="$STAGE_CA"
+ ACME_DIRECTORY="$DEFAULT_STAGING_CA"
_info "Using stage ACME_DIRECTORY: $ACME_DIRECTORY"
fi
fi
- _debug2 ACME_DIRECTORY "$ACME_DIRECTORY"
+ _debug ACME_DIRECTORY "$ACME_DIRECTORY"
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
@@ -2296,13 +2606,10 @@ _initpath() {
ACME_OPENSSL_BIN="$DEFAULT_OPENSSL_BIN"
fi
- if [ -z "$1" ]; then
+ if [ -z "$domain" ]; then
return 0
fi
- domain="$1"
- _ilength="$2"
-
if [ -z "$DOMAIN_PATH" ]; then
domainhome="$CERT_HOME/$domain"
domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
@@ -2566,6 +2873,11 @@ _setNginx() {
_debug NGINX_CONF "$NGINX_CONF"
NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
_debug NGINX_CONF "$NGINX_CONF"
+ if [ -z "$NGINX_CONF" ]; then
+ _err "Can not find nginx conf."
+ NGINX_CONF=""
+ return 1
+ fi
if [ ! -f "$NGINX_CONF" ]; then
_err "'$NGINX_CONF' doesn't exist."
NGINX_CONF=""
@@ -2711,9 +3023,9 @@ _isRealNginxConf() {
_left="$(sed -n "${_start_nn},99999p" "$2")"
_debug2 _left "$_left"
- if echo "$_left" | tr "\t" ' ' | grep -n "^ *server *" >/dev/null; then
- _end=$(echo "$_left" | tr "\t" ' ' | grep -n "^ *server *" | _head_n 1)
- _debug "_end" "$_end"
+ _end="$(echo "$_left" | tr "\t" ' ' | grep -n "^ *server *" | grep -v server_name | _head_n 1)"
+ _debug "_end" "$_end"
+ if [ "$_end" ]; then
_end_n=$(echo "$_end" | cut -d : -f 1)
_debug "_end_n" "$_end_n"
_seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
@@ -2726,7 +3038,7 @@ _isRealNginxConf() {
_skip_ssl=1
for _listen_i in $(echo "$_seg_n" | tr "\t" ' ' | grep "^ *listen" | tr -d " "); do
if [ "$_listen_i" ]; then
- if [ "$(echo "$_listen_i" | _egrep_o "listen.*ssl[ |;]")" ]; then
+ if [ "$(echo "$_listen_i" | _egrep_o "listen.*ssl")" ]; then
_debug2 "$_listen_i is ssl"
else
_debug2 "$_listen_i is plain text"
@@ -2792,37 +3104,40 @@ _clearup() {
_clearupdns() {
_debug "_clearupdns"
- if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
+ _debug "dns_entries" "$dns_entries"
+
+ if [ -z "$dns_entries" ]; then
_debug "skip dns."
return
fi
+ _info "Removing DNS records."
- ventries=$(echo "$vlist" | tr ',' ' ')
- for ventry in $ventries; do
- d=$(echo "$ventry" | cut -d "$sep" -f 1)
- keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
- vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
- _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
- txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
- _debug txt "$txt"
- if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
- _debug "$d is already verified, skip $vtype."
- continue
- fi
-
- if [ "$vtype" != "$VTYPE_DNS" ]; then
- _info "Skip $d for $vtype"
- continue
+ for entry in $dns_entries; do
+ d=$(_getfield "$entry" 1)
+ txtdomain=$(_getfield "$entry" 2)
+ aliasDomain=$(_getfield "$entry" 3)
+ _currentRoot=$(_getfield "$entry" 4)
+ txt=$(_getfield "$entry" 5)
+ d_api=$(_getfield "$entry" 6)
+ _debug "d" "$d"
+ _debug "txtdomain" "$txtdomain"
+ _debug "aliasDomain" "$aliasDomain"
+ _debug "_currentRoot" "$_currentRoot"
+ _debug "txt" "$txt"
+ _debug "d_api" "$d_api"
+ if [ "$d_api" = "$txt" ]; then
+ d_api=""
fi
- d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
- _debug d_api "$d_api"
-
if [ -z "$d_api" ]; then
_info "Not Found domain api file: $d_api"
continue
fi
+ if [ "$aliasDomain" ]; then
+ txtdomain="$aliasDomain"
+ fi
+
(
if ! . "$d_api"; then
_err "Load file $d_api error. Please check your api file and try again."
@@ -2834,13 +3149,12 @@ _clearupdns() {
_err "It seems that your api file doesn't define $rmcommand"
return 1
fi
-
- txtdomain="_acme-challenge.$d"
-
+ _info "Removing txt: $txt for domain: $txtdomain"
if ! $rmcommand "$txtdomain" "$txt"; then
_err "Error removing txt for domain:$txtdomain"
return 1
fi
+ _info "Removed: Success"
)
done
@@ -2884,6 +3198,8 @@ _on_before_issue() {
_chk_pre_hook="$4"
_chk_local_addr="$5"
_debug _on_before_issue
+ _debug _chk_main_domain "$_chk_main_domain"
+ _debug _chk_alt_domains "$_chk_alt_domains"
#run pre hook
if [ "$_chk_pre_hook" ]; then
_info "Run pre hook:'$_chk_pre_hook'"
@@ -2904,11 +3220,17 @@ _on_before_issue() {
_debug Le_LocalAddress "$_chk_local_addr"
- alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ')
_index=1
_currentRoot=""
_addrIndex=1
- for d in $alldomains; do
+ _w_index=1
+ while true; do
+ d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")"
+ _w_index="$(_math "$_w_index" + 1)"
+ _debug d "$d"
+ if [ -z "$d" ]; then
+ break
+ fi
_debug "Check for domain" "$d"
_currentRoot="$(_getfield "$_chk_web_roots" $_index)"
_debug "_currentRoot" "$_currentRoot"
@@ -2918,12 +3240,13 @@ _on_before_issue() {
_info "Standalone mode."
if [ -z "$Le_HTTPPort" ]; then
Le_HTTPPort=80
+ _cleardomainconf "Le_HTTPPort"
else
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
fi
_checkport="$Le_HTTPPort"
- elif [ "$_currentRoot" = "$W_TLS" ]; then
- _info "Standalone tls mode."
+ elif [ "$_currentRoot" = "$W_ALPN" ]; then
+ _info "Standalone alpn mode."
if [ -z "$Le_TLSPort" ]; then
Le_TLSPort=443
else
@@ -2968,6 +3291,7 @@ _on_issue_err() {
_chk_post_hook="$1"
_chk_vlist="$2"
_debug _on_issue_err
+
if [ "$LOG_FILE" ]; then
_err "Please check log file for more details: $LOG_FILE"
else
@@ -3003,7 +3327,7 @@ _on_issue_err() {
)
fi
- if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "dns"; then
+ if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "$W_DNS"; then
_err "$_DNS_MANUAL_ERR"
fi
@@ -3017,10 +3341,16 @@ _on_issue_success() {
_chk_post_hook="$1"
_chk_renew_hook="$2"
_debug _on_issue_success
+
#run the post hook
if [ "$_chk_post_hook" ]; then
_info "Run post hook:'$_chk_post_hook'"
if ! (
+ export CERT_PATH
+ export CERT_KEY_PATH
+ export CA_CERT_PATH
+ export CERT_FULLCHAIN_PATH
+ export Le_Domain="$_main_domain"
cd "$DOMAIN_PATH" && eval "$_chk_post_hook"
); then
_err "Error when run post hook."
@@ -3032,6 +3362,11 @@ _on_issue_success() {
if [ "$IS_RENEW" ] && [ "$_chk_renew_hook" ]; then
_info "Run renew hook:'$_chk_renew_hook'"
if ! (
+ export CERT_PATH
+ export CERT_KEY_PATH
+ export CA_CERT_PATH
+ export CERT_FULLCHAIN_PATH
+ export Le_Domain="$_main_domain"
cd "$DOMAIN_PATH" && eval "$_chk_renew_hook"
); then
_err "Error when run renew hook."
@@ -3039,17 +3374,12 @@ _on_issue_success() {
fi
fi
- if _hasfield "$Le_Webroot" "dns"; then
+ if _hasfield "$Le_Webroot" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then
_err "$_DNS_MANUAL_WARN"
fi
}
-updateaccount() {
- _initpath
- _regAccount
-}
-
registeraccount() {
_reg_length="$1"
_initpath
@@ -3069,6 +3399,8 @@ _regAccount() {
_initpath
_reg_length="$1"
_debug3 _regAccount "$_regAccount"
+ _initAPI
+
mkdir -p "$CA_DIR"
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
@@ -3090,11 +3422,18 @@ _regAccount() {
if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
return 1
fi
- _initAPI
- _reg_res="$ACME_NEW_ACCOUNT_RES"
- regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
- if [ "$ACCOUNT_EMAIL" ]; then
- regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
+
+ if [ "$ACME_VERSION" = "2" ]; then
+ regjson='{"termsOfServiceAgreed": true}'
+ if [ "$ACCOUNT_EMAIL" ]; then
+ regjson='{"contact": ["mailto:'$ACCOUNT_EMAIL'"], "termsOfServiceAgreed": true}'
+ fi
+ else
+ _reg_res="$ACME_NEW_ACCOUNT_RES"
+ regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
+ if [ "$ACCOUNT_EMAIL" ]; then
+ regjson='{"resource": "'$_reg_res'", "contact": ["mailto:'$ACCOUNT_EMAIL'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
+ fi
fi
_info "Registering account"
@@ -3107,18 +3446,24 @@ _regAccount() {
if [ "$code" = "" ] || [ "$code" = '201' ]; then
echo "$response" >"$ACCOUNT_JSON_PATH"
_info "Registered"
- elif [ "$code" = '409' ]; then
+ elif [ "$code" = '409' ] || [ "$code" = '200' ]; then
_info "Already registered"
else
_err "Register account Error: $response"
return 1
fi
- _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
+ _debug2 responseHeaders "$responseHeaders"
+ _accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n ")"
_debug "_accUri" "$_accUri"
+ if [ -z "$_accUri" ]; then
+ _err "Can not find account id url."
+ _err "$responseHeaders"
+ return 1
+ fi
_savecaconf "ACCOUNT_URL" "$_accUri"
+ export ACCOUNT_URL="$_accUri"
- echo "$response" >"$ACCOUNT_JSON_PATH"
CA_KEY_HASH="$(__calcAccountKeyHash)"
_debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
_savecaconf CA_KEY_HASH "$CA_KEY_HASH"
@@ -3130,11 +3475,10 @@ _regAccount() {
ACCOUNT_THUMBPRINT="$(__calc_account_thumbprint)"
_info "ACCOUNT_THUMBPRINT" "$ACCOUNT_THUMBPRINT"
-
}
-#Implement deactivate account
-deactivateaccount() {
+#implement updateaccount
+updateaccount() {
_initpath
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
@@ -3166,48 +3510,111 @@ deactivateaccount() {
fi
_initAPI
- if _send_signed_request "$_accUri" "{\"resource\": \"reg\", \"status\":\"deactivated\"}" && _contains "$response" '"deactivated"'; then
- _info "Deactivate account success for $_accUri."
- _accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
- elif [ "$code" = "403" ]; then
- _info "The account is already deactivated."
- _accid=$(_getfield "$_accUri" "999" "/")
+ if [ "$ACME_VERSION" = "2" ]; then
+ if [ "$ACCOUNT_EMAIL" ]; then
+ updjson='{"contact": ["mailto:'$ACCOUNT_EMAIL'"]}'
+ else
+ updjson='{"contact": []}'
+ fi
else
- _err "Deactivate: account failed for $_accUri."
- return 1
+ # ACMEv1: Updates happen the same way a registration is done.
+ # https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.3
+ _regAccount
+ return
fi
- _debug "Account id: $_accid"
- if [ "$_accid" ]; then
- _deactivated_account_path="$CA_DIR/deactivated/$_accid"
- _debug _deactivated_account_path "$_deactivated_account_path"
- if mkdir -p "$_deactivated_account_path"; then
- _info "Moving deactivated account info to $_deactivated_account_path/"
- mv "$CA_CONF" "$_deactivated_account_path/"
- mv "$ACCOUNT_JSON_PATH" "$_deactivated_account_path/"
- mv "$ACCOUNT_KEY_PATH" "$_deactivated_account_path/"
- else
- _err "Can not create dir: $_deactivated_account_path, try to remove the deactivated account key."
- rm -f "$CA_CONF"
- rm -f "$ACCOUNT_JSON_PATH"
- rm -f "$ACCOUNT_KEY_PATH"
- fi
+ # this part handles ACMEv2 account updates.
+ _send_signed_request "$_accUri" "$updjson"
+
+ if [ "$code" = '200' ]; then
+ echo "$response" >"$ACCOUNT_JSON_PATH"
+ _info "account update success for $_accUri."
+ else
+ _info "Error. The account was not updated."
+ return 1
fi
}
-# domain folder file
-_findHook() {
- _hookdomain="$1"
- _hookcat="$2"
- _hookname="$3"
+#Implement deactivate account
+deactivateaccount() {
+ _initpath
- if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then
- d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
- elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
+ if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
+ _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
+ mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+ fi
+
+ if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
+ _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
+ mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+ fi
+
+ if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
+ _err "Account key is not found at: $ACCOUNT_KEY_PATH"
+ return 1
+ fi
+
+ _accUri=$(_readcaconf "ACCOUNT_URL")
+ _debug _accUri "$_accUri"
+
+ if [ -z "$_accUri" ]; then
+ _err "The account url is empty, please run '--update-account' first to update the account info first,"
+ _err "Then try again."
+ return 1
+ fi
+
+ if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
+ return 1
+ fi
+ _initAPI
+
+ if [ "$ACME_VERSION" = "2" ]; then
+ _djson="{\"status\":\"deactivated\"}"
+ else
+ _djson="{\"resource\": \"reg\", \"status\":\"deactivated\"}"
+ fi
+ if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then
+ _info "Deactivate account success for $_accUri."
+ _accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
+ elif [ "$code" = "403" ]; then
+ _info "The account is already deactivated."
+ _accid=$(_getfield "$_accUri" "999" "/")
+ else
+ _err "Deactivate: account failed for $_accUri."
+ return 1
+ fi
+
+ _debug "Account id: $_accid"
+ if [ "$_accid" ]; then
+ _deactivated_account_path="$CA_DIR/deactivated/$_accid"
+ _debug _deactivated_account_path "$_deactivated_account_path"
+ if mkdir -p "$_deactivated_account_path"; then
+ _info "Moving deactivated account info to $_deactivated_account_path/"
+ mv "$CA_CONF" "$_deactivated_account_path/"
+ mv "$ACCOUNT_JSON_PATH" "$_deactivated_account_path/"
+ mv "$ACCOUNT_KEY_PATH" "$_deactivated_account_path/"
+ else
+ _err "Can not create dir: $_deactivated_account_path, try to remove the deactivated account key."
+ rm -f "$CA_CONF"
+ rm -f "$ACCOUNT_JSON_PATH"
+ rm -f "$ACCOUNT_KEY_PATH"
+ fi
+ fi
+}
+
+# domain folder file
+_findHook() {
+ _hookdomain="$1"
+ _hookcat="$2"
+ _hookname="$3"
+
+ if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then
+ d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
+ elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh"
- elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
+ elif [ "$_hookdomain" ] && [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname"
- elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
+ elif [ "$_hookdomain" ] && [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh"
elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then
d_api="$LE_WORKING_DIR/$_hookname"
@@ -3254,7 +3661,7 @@ __get_domain_new_authz() {
_err "new-authz retry reach the max $_Max_new_authz_retry_times times."
fi
- if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
+ if [ "$code" ] && [ "$code" != '201' ]; then
_err "new-authz error: $response"
return 1
fi
@@ -3263,12 +3670,173 @@ __get_domain_new_authz() {
#uri keyAuthorization
__trigger_validation() {
- _debug2 "tigger domain validation."
+ _debug2 "Trigger domain validation."
_t_url="$1"
_debug2 _t_url "$_t_url"
_t_key_authz="$2"
_debug2 _t_key_authz "$_t_key_authz"
- _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$_t_key_authz\"}"
+ _t_vtype="$3"
+ _debug2 _t_vtype "$_t_vtype"
+ if [ "$ACME_VERSION" = "2" ]; then
+ _send_signed_request "$_t_url" "{}"
+ else
+ _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
+ fi
+}
+
+#endpoint domain type
+_ns_lookup_impl() {
+ _ns_ep="$1"
+ _ns_domain="$2"
+ _ns_type="$3"
+ _debug2 "_ns_ep" "$_ns_ep"
+ _debug2 "_ns_domain" "$_ns_domain"
+ _debug2 "_ns_type" "$_ns_type"
+
+ response="$(_H1="accept: application/dns-json" _get "$_ns_ep?name=$_ns_domain&type=$_ns_type")"
+ _ret=$?
+ _debug2 "response" "$response"
+ if [ "$_ret" != "0" ]; then
+ return $_ret
+ fi
+ _answers="$(echo "$response" | tr '{}' '<>' | _egrep_o '"Answer":\[[^]]*]' | tr '<>' '\n\n')"
+ _debug2 "_answers" "$_answers"
+ echo "$_answers"
+}
+
+#domain, type
+_ns_lookup_cf() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://cloudflare-dns.com/dns-query"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
+#domain, type
+_ns_purge_cf() {
+ _cf_d="$1"
+ _cf_d_type="$2"
+ _debug "Cloudflare purge $_cf_d_type record for domain $_cf_d"
+ _cf_purl="https://cloudflare-dns.com/api/v1/purge?domain=$_cf_d&type=$_cf_d_type"
+ response="$(_post "" "$_cf_purl")"
+ _debug2 response "$response"
+}
+
+#checks if cf server is available
+_ns_is_available_cf() {
+ if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#domain, type
+_ns_lookup_google() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://dns.google/resolve"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
+#domain, type
+_ns_lookup() {
+ if [ -z "$DOH_USE" ]; then
+ _debug "Detect dns server first."
+ if _ns_is_available_cf; then
+ _debug "Use cloudflare doh server"
+ export DOH_USE=$DOH_CLOUDFLARE
+ else
+ _debug "Use google doh server"
+ export DOH_USE=$DOH_GOOGLE
+ fi
+ fi
+
+ if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
+ _ns_lookup_cf "$@"
+ else
+ _ns_lookup_google "$@"
+ fi
+
+}
+
+#txtdomain, alias, txt
+__check_txt() {
+ _c_txtdomain="$1"
+ _c_aliasdomain="$2"
+ _c_txt="$3"
+ _debug "_c_txtdomain" "$_c_txtdomain"
+ _debug "_c_aliasdomain" "$_c_aliasdomain"
+ _debug "_c_txt" "$_c_txt"
+ _answers="$(_ns_lookup "$_c_aliasdomain" TXT)"
+ _contains "$_answers" "$_c_txt"
+
+}
+
+#txtdomain
+__purge_txt() {
+ _p_txtdomain="$1"
+ _debug _p_txtdomain "$_p_txtdomain"
+ if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
+ _ns_purge_cf "$_p_txtdomain" "TXT"
+ else
+ _debug "no purge api for google dns api, just sleep 5 secs"
+ _sleep 5
+ fi
+
+}
+
+#wait and check each dns entries
+_check_dns_entries() {
+ _success_txt=","
+ _end_time="$(_time)"
+ _end_time="$(_math "$_end_time" + 1200)" #let's check no more than 20 minutes.
+
+ while [ "$(_time)" -le "$_end_time" ]; do
+ _left=""
+ for entry in $dns_entries; do
+ d=$(_getfield "$entry" 1)
+ txtdomain=$(_getfield "$entry" 2)
+ txtdomain=$(_idn "$txtdomain")
+ aliasDomain=$(_getfield "$entry" 3)
+ aliasDomain=$(_idn "$aliasDomain")
+ txt=$(_getfield "$entry" 5)
+ d_api=$(_getfield "$entry" 6)
+ _debug "d" "$d"
+ _debug "txtdomain" "$txtdomain"
+ _debug "aliasDomain" "$aliasDomain"
+ _debug "txt" "$txt"
+ _debug "d_api" "$d_api"
+ _info "Checking $d for $aliasDomain"
+ if _contains "$_success_txt" ",$txt,"; then
+ _info "Already success, continue next one."
+ continue
+ fi
+
+ if __check_txt "$txtdomain" "$aliasDomain" "$txt"; then
+ _info "Domain $d '$aliasDomain' success."
+ _success_txt="$_success_txt,$txt,"
+ continue
+ fi
+ _left=1
+ _info "Not valid yet, let's wait 10 seconds and check next one."
+ __purge_txt "$txtdomain"
+ if [ "$txtdomain" != "$aliasDomain" ]; then
+ __purge_txt "$aliasDomain"
+ fi
+ _sleep 10
+ done
+ if [ "$_left" ]; then
+ _info "Let's wait 10 seconds and check again".
+ _sleep 10
+ else
+ _info "All success, let's return"
+ return 0
+ fi
+ done
+ _info "Timed out waiting for DNS."
+ return 1
+
}
#webroot, domain domainlist keylength
@@ -3284,10 +3852,14 @@ issue() {
_web_roots="$1"
_main_domain="$2"
_alt_domains="$3"
+
if _contains "$_main_domain" ","; then
_main_domain=$(echo "$2,$3" | cut -d , -f 1)
_alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//")
fi
+ _debug _main_domain "$_main_domain"
+ _debug _alt_domains "$_alt_domains"
+
_key_length="$4"
_real_cert="$5"
_real_key="$6"
@@ -3298,7 +3870,7 @@ issue() {
_post_hook="${11}"
_renew_hook="${12}"
_local_addr="${13}"
-
+ _challenge_alias="${14}"
#remove these later.
if [ "$_web_roots" = "dns-cf" ]; then
_web_roots="dns_cf"
@@ -3315,6 +3887,11 @@ issue() {
mkdir -p "$DOMAIN_PATH"
fi
+ if _hasfield "$_web_roots" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then
+ _err "$_DNS_MANUAL_ERROR"
+ return 1
+ fi
+
_debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
_initAPI
@@ -3342,18 +3919,27 @@ issue() {
_savedomainconf "Le_Alt" "$_alt_domains"
_savedomainconf "Le_Webroot" "$_web_roots"
- _savedomainconf "Le_PreHook" "$_pre_hook"
- _savedomainconf "Le_PostHook" "$_post_hook"
- _savedomainconf "Le_RenewHook" "$_renew_hook"
+ _savedomainconf "Le_PreHook" "$_pre_hook" "base64"
+ _savedomainconf "Le_PostHook" "$_post_hook" "base64"
+ _savedomainconf "Le_RenewHook" "$_renew_hook" "base64"
if [ "$_local_addr" ]; then
_savedomainconf "Le_LocalAddress" "$_local_addr"
else
_cleardomainconf "Le_LocalAddress"
fi
+ if [ "$_challenge_alias" ]; then
+ _savedomainconf "Le_ChallengeAlias" "$_challenge_alias"
+ else
+ _cleardomainconf "Le_ChallengeAlias"
+ fi
- Le_API="$ACME_DIRECTORY"
- _savedomainconf "Le_API" "$Le_API"
+ if [ "$ACME_DIRECTORY" != "$DEFAULT_CA" ]; then
+ Le_API="$ACME_DIRECTORY"
+ _savedomainconf "Le_API" "$Le_API"
+ else
+ _cleardomainconf Le_API
+ fi
if [ "$_alt_domains" = "$NO_VALUE" ]; then
_alt_domains=""
@@ -3371,7 +3957,7 @@ issue() {
_saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")"
_debug2 _saved_account_key_hash "$_saved_account_key_hash"
- if [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then
+ if [ -z "$ACCOUNT_URL" ] || [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then
if ! _regAccount "$_accountkeylength"; then
_on_issue_err "$_post_hook"
return 1
@@ -3405,64 +3991,197 @@ issue() {
_savedomainconf "Le_Keylength" "$_key_length"
vlist="$Le_Vlist"
-
+ _cleardomainconf "Le_Vlist"
_info "Getting domain auth token for each domain"
sep='#'
dvsep=','
if [ -z "$vlist" ]; then
- alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ')
- _index=1
+ if [ "$ACME_VERSION" = "2" ]; then
+ #make new order request
+ _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
+ _w_index=1
+ while true; do
+ d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+ _w_index="$(_math "$_w_index" + 1)"
+ _debug d "$d"
+ if [ -z "$d" ]; then
+ break
+ fi
+ _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
+ done
+ _debug2 _identifiers "$_identifiers"
+ if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+ _err "Create new order error."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+ _debug Le_LinkOrder "$Le_LinkOrder"
+ Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_OrderFinalize "$Le_OrderFinalize"
+ if [ -z "$Le_OrderFinalize" ]; then
+ _err "Create new order error. Le_OrderFinalize not found. $response"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ #for dns manual mode
+ _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
+
+ _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _debug2 _authorizations_seg "$_authorizations_seg"
+ if [ -z "$_authorizations_seg" ]; then
+ _err "_authorizations_seg not found."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ #domain and authz map
+ _authorizations_map=""
+ for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
+ _debug2 "_authz_url" "$_authz_url"
+ if ! _send_signed_request "$_authz_url"; then
+ _err "get to authz error."
+ _err "_authorizations_seg" "$_authorizations_seg"
+ _err "_authz_url" "$_authz_url"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ response="$(echo "$response" | _normalizeJson)"
+ _debug2 response "$response"
+ _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
+ if _contains "$response" "\"wildcard\" *: *true"; then
+ _d="*.$_d"
+ fi
+ _debug2 _d "$_d"
+ _authorizations_map="$_d,$response
+$_authorizations_map"
+ done
+ _debug2 _authorizations_map "$_authorizations_map"
+ fi
+
+ _index=0
_currentRoot=""
- for d in $alldomains; do
+ _w_index=1
+ while true; do
+ d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")"
+ _w_index="$(_math "$_w_index" + 1)"
+ _debug d "$d"
+ if [ -z "$d" ]; then
+ break
+ fi
_info "Getting webroot for domain" "$d"
+ _index=$(_math $_index + 1)
_w="$(echo $_web_roots | cut -d , -f $_index)"
_debug _w "$_w"
if [ "$_w" ]; then
_currentRoot="$_w"
fi
_debug "_currentRoot" "$_currentRoot"
- _index=$(_math $_index + 1)
vtype="$VTYPE_HTTP"
- if _startswith "$_currentRoot" "dns"; then
+ #todo, v2 wildcard force to use dns
+ if _startswith "$_currentRoot" "$W_DNS"; then
vtype="$VTYPE_DNS"
fi
- if [ "$_currentRoot" = "$W_TLS" ]; then
- vtype="$VTYPE_TLS"
+ if [ "$_currentRoot" = "$W_ALPN" ]; then
+ vtype="$VTYPE_ALPN"
fi
- if ! __get_domain_new_authz "$d"; then
- _clearup
- _on_issue_err "$_post_hook"
- return 1
+ if [ "$ACME_VERSION" = "2" ]; then
+ _idn_d="$(_idn "$d")"
+ _candindates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
+ _debug2 _candindates "$_candindates"
+ if [ "$(echo "$_candindates" | wc -l)" -gt 1 ]; then
+ for _can in $_candindates; do
+ if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+ _candindates="$_can"
+ break
+ fi
+ done
+ fi
+ response="$(echo "$_candindates" | sed "s/$_idn_d,//")"
+ _debug2 "response" "$response"
+ if [ -z "$response" ]; then
+ _err "get to authz error."
+ _err "_authorizations_map" "$_authorizations_map"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ else
+ if ! __get_domain_new_authz "$d"; then
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
fi
if [ -z "$thumbprint" ]; then
thumbprint="$(__calc_account_thumbprint)"
fi
- entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
+ entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
+ keyauthorization=""
if [ -z "$entry" ]; then
- _err "Error, can not get domain token $d"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
+ if ! _startswith "$d" '*.'; then
+ _debug "Not a wildcard domain, lets check whether the validation is already valid."
+ if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
+ _debug "$d is already valid."
+ keyauthorization="$STATE_VERIFIED"
+ _debug keyauthorization "$keyauthorization"
+ fi
+ fi
+ if [ -z "$keyauthorization" ]; then
+ _err "Error, can not get domain token entry $d for $vtype"
+ _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
+ if [ "$_supported_vtypes" ]; then
+ _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
+ fi
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
fi
- token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
- _debug token "$token"
- uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
- _debug uri "$uri"
+ if [ -z "$keyauthorization" ]; then
+ token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
+ _debug token "$token"
- keyauthorization="$token.$thumbprint"
- _debug keyauthorization "$keyauthorization"
+ if [ -z "$token" ]; then
+ _err "Error, can not get domain token $entry"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ "$ACME_VERSION" = "2" ]; then
+ uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+ else
+ uri="$(echo "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
+ fi
+ _debug uri "$uri"
- if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
- _debug "$d is already verified, skip."
- keyauthorization="$STATE_VERIFIED"
+ if [ -z "$uri" ]; then
+ _err "Error, can not get domain uri. $entry"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ keyauthorization="$token.$thumbprint"
_debug keyauthorization "$keyauthorization"
+
+ if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
+ _debug "$d is already verified."
+ keyauthorization="$STATE_VERIFIED"
+ _debug keyauthorization "$keyauthorization"
+ fi
fi
dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
@@ -3473,33 +4192,59 @@ issue() {
done
_debug vlist "$vlist"
#add entry
+ dns_entries=""
dnsadded=""
ventries=$(echo "$vlist" | tr "$dvsep" ' ')
+ _alias_index=1
for ventry in $ventries; do
d=$(echo "$ventry" | cut -d "$sep" -f 1)
keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
-
+ _debug d "$d"
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
_debug "$d is already verified, skip $vtype."
+ _alias_index="$(_math "$_alias_index" + 1)"
continue
fi
if [ "$vtype" = "$VTYPE_DNS" ]; then
dnsadded='0'
- txtdomain="_acme-challenge.$d"
+ _dns_root_d="$d"
+ if _startswith "$_dns_root_d" "*."; then
+ _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
+ fi
+ _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
+ _alias_index="$(_math "$_alias_index" + 1)"
+ _debug "_d_alias" "$_d_alias"
+ if [ "$_d_alias" ]; then
+ if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then
+ txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")"
+ else
+ txtdomain="_acme-challenge.$_d_alias"
+ fi
+ dns_entry="${_dns_root_d}${dvsep}_acme-challenge.$_dns_root_d$dvsep$txtdomain$dvsep$_currentRoot"
+ else
+ txtdomain="_acme-challenge.$_dns_root_d"
+ dns_entry="${_dns_root_d}${dvsep}_acme-challenge.$_dns_root_d$dvsep$dvsep$_currentRoot"
+ fi
+
_debug txtdomain "$txtdomain"
txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
_debug txt "$txt"
- d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
-
+ d_api="$(_findHook "$_dns_root_d" $_SUB_FOLDER_DNSAPI "$_currentRoot")"
_debug d_api "$d_api"
+ dns_entry="$dns_entry$dvsep$txt${dvsep}$d_api"
+ _debug2 dns_entry "$dns_entry"
if [ "$d_api" ]; then
- _info "Found domain api file: $d_api"
+ _debug "Found domain api file: $d_api"
else
+ if [ "$_currentRoot" != "$W_DNS" ]; then
+ _err "Can not find dns api hook for: $_currentRoot"
+ _info "You need to add the txt record manually."
+ fi
_info "$(__red "Add the following TXT record:")"
_info "$(__red "Domain: '$(__green "$txtdomain")'")"
_info "$(__red "TXT value: '$(__green "$txt")'")"
@@ -3519,18 +4264,22 @@ issue() {
_err "It seems that your api file is not correct, it must have a function named: $addcommand"
return 1
fi
-
+ _info "Adding txt value: $txt for domain: $txtdomain"
if ! $addcommand "$txtdomain" "$txt"; then
_err "Error add txt for domain:$txtdomain"
return 1
fi
+ _info "The txt record is added: Success."
)
if [ "$?" != "0" ]; then
- _clearup
_on_issue_err "$_post_hook" "$vlist"
+ _clearup
return 1
fi
+ dns_entries="$dns_entries$dns_entry
+"
+ _debug2 "$dns_entries"
dnsadded='1'
fi
done
@@ -3538,23 +4287,29 @@ issue() {
if [ "$dnsadded" = '0' ]; then
_savedomainconf "Le_Vlist" "$vlist"
_debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
- _err "Please add the TXT records to the domains, and retry again."
- _clearup
+ _err "Please add the TXT records to the domains, and re-run with --renew."
_on_issue_err "$_post_hook"
+ _clearup
return 1
fi
fi
- if [ "$dnsadded" = '1' ]; then
+ if [ "$dns_entries" ]; then
if [ -z "$Le_DNSSleep" ]; then
- Le_DNSSleep="$DEFAULT_DNS_SLEEP"
+ _info "Let's check each dns records now. Sleep 20 seconds first."
+ _sleep 20
+ if ! _check_dns_entries; then
+ _err "check dns error."
+ _on_issue_err "$_post_hook"
+ _clearup
+ return 1
+ fi
else
_savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
+ _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
+ _sleep "$Le_DNSSleep"
fi
-
- _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
- _sleep "$Le_DNSSleep"
fi
NGINX_RESTORE_VLIST=""
@@ -3574,7 +4329,7 @@ issue() {
continue
fi
- _info "Verifying:$d"
+ _info "Verifying: $d"
_debug "d" "$d"
_debug "keyauthorization" "$keyauthorization"
_debug "uri" "$uri"
@@ -3658,34 +4413,10 @@ issue() {
fi
fi
-
- elif [ "$vtype" = "$VTYPE_TLS" ]; then
- #create A
- #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
- #_debug2 _hash_A "$_hash_A"
- #_x="$(echo $_hash_A | cut -c 1-32)"
- #_debug2 _x "$_x"
- #_y="$(echo $_hash_A | cut -c 33-64)"
- #_debug2 _y "$_y"
- #_SAN_A="$_x.$_y.token.acme.invalid"
- #_debug2 _SAN_A "$_SAN_A"
-
- #create B
- _hash_B="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
- _debug2 _hash_B "$_hash_B"
- _x="$(echo "$_hash_B" | cut -c 1-32)"
- _debug2 _x "$_x"
- _y="$(echo "$_hash_B" | cut -c 33-64)"
- _debug2 _y "$_y"
-
- #_SAN_B="$_x.$_y.ka.acme.invalid"
-
- _SAN_B="$_x.$_y.acme.invalid"
- _debug2 _SAN_B "$_SAN_B"
-
- _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
- _ncIndex="$(_math "$_ncIndex" + 1)"
- if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
+ elif [ "$vtype" = "$VTYPE_ALPN" ]; then
+ acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
+ _debug acmevalidationv1 "$acmevalidationv1"
+ if ! _starttlsserver "$d" "" "$Le_TLSPort" "$keyauthorization" "$_ncaddr" "$acmevalidationv1"; then
_err "Start tls server error."
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
@@ -3694,7 +4425,7 @@ issue() {
fi
fi
- if ! __trigger_validation "$uri" "$keyauthorization"; then
+ if ! __trigger_validation "$uri" "$keyauthorization" "$vtype"; then
_err "$d:Can not get challenge: $response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
@@ -3702,12 +4433,16 @@ issue() {
return 1
fi
- if [ ! -z "$code" ] && [ ! "$code" = '202' ]; then
- _err "$d:Challenge error: $response"
- _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
- _clearup
- _on_issue_err "$_post_hook" "$vlist"
- return 1
+ if [ "$code" ] && [ "$code" != '202' ]; then
+ if [ "$code" = '200' ]; then
+ _debug "trigger validation code: $code"
+ else
+ _err "$d:Challenge error: $response"
+ _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+ _clearup
+ _on_issue_err "$_post_hook" "$vlist"
+ return 1
+ fi
fi
waittimes=0
@@ -3728,7 +4463,11 @@ issue() {
_debug "sleep 2 secs to verify"
sleep 2
_debug "checking"
- response="$(_get "$uri")"
+ if [ "$ACME_VERSION" = "2" ]; then
+ _send_signed_request "$uri"
+ else
+ response="$(_get "$uri")"
+ fi
if [ "$?" != "0" ]; then
_err "$d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@@ -3751,7 +4490,7 @@ issue() {
fi
if [ "$status" = "invalid" ]; then
- error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
+ error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
_debug2 error "$error"
errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
_debug2 errordetail "$errordetail"
@@ -3774,6 +4513,8 @@ issue() {
if [ "$status" = "pending" ]; then
_info "Pending"
+ elif [ "$status" = "processing" ]; then
+ _info "Processing"
else
_err "$d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@@ -3790,18 +4531,99 @@ issue() {
_info "Verify finished, start to sign."
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
- if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
- _err "Sign failed."
- _on_issue_err "$_post_hook"
- return 1
- fi
+ if [ "$ACME_VERSION" = "2" ]; then
+ _info "Lets finalize the order, Le_OrderFinalize: $Le_OrderFinalize"
+ if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
+ _err "Sign failed."
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ "$code" != "200" ]; then
+ _err "Sign failed, finalize code is not 200."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ -z "$Le_LinkOrder" ]; then
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d ":" -f 2-)"
+ fi
- _rcert="$response"
- Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
- _debug "Le_LinkCert" "$Le_LinkCert"
- _savedomainconf "Le_LinkCert" "$Le_LinkCert"
+ _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
- if [ "$Le_LinkCert" ]; then
+ _link_cert_retry=0
+ _MAX_CERT_RETRY=30
+ while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+ if _contains "$response" "\"status\":\"valid\""; then
+ _debug "Order status is valid."
+ Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_LinkCert "$Le_LinkCert"
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign error, can not find Le_LinkCert"
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ break
+ elif _contains "$response" "\"processing\""; then
+ _info "Order status is processing, lets sleep and retry."
+ _sleep 2
+ else
+ _err "Sign error, wrong status"
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ #the order is processing, so we are going to poll order status
+ if [ -z "$Le_LinkOrder" ]; then
+ _err "Sign error, can not get order link location header"
+ _err "responseHeaders" "$responseHeaders"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Polling order status: $Le_LinkOrder"
+ if ! _send_signed_request "$Le_LinkOrder"; then
+ _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _link_cert_retry="$(_math $_link_cert_retry + 1)"
+ done
+
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign failed, can not get Le_LinkCert, retry time limit."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Download cert, Le_LinkCert: $Le_LinkCert"
+ if ! _send_signed_request "$Le_LinkCert"; then
+ _err "Sign failed, can not download cert:$Le_LinkCert."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ echo "$response" >"$CERT_PATH"
+
+ if [ "$(grep -- "$BEGIN_CERT" "$CERT_PATH" | wc -l)" -gt "1" ]; then
+ _debug "Found cert chain"
+ cat "$CERT_PATH" >"$CERT_FULLCHAIN_PATH"
+ _end_n="$(grep -n -- "$END_CERT" "$CERT_FULLCHAIN_PATH" | _head_n 1 | cut -d : -f 1)"
+ _debug _end_n "$_end_n"
+ sed -n "1,${_end_n}p" "$CERT_FULLCHAIN_PATH" >"$CERT_PATH"
+ _end_n="$(_math $_end_n + 1)"
+ sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH"
+ fi
+
+ else
+ if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
+ _err "Sign failed. $response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _rcert="$response"
+ Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
echo "$BEGIN_CERT" >"$CERT_PATH"
#if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
@@ -3815,6 +4637,19 @@ issue() {
fi
echo "$END_CERT" >>"$CERT_PATH"
+ fi
+
+ _debug "Le_LinkCert" "$Le_LinkCert"
+ _savedomainconf "Le_LinkCert" "$Le_LinkCert"
+
+ if [ -z "$Le_LinkCert" ] || ! _checkcert "$CERT_PATH"; then
+ response="$(echo "$response" | _dbase64 "multiline" | tr -d '\0' | _normalizeJson)"
+ _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ if [ "$Le_LinkCert" ]; then
_info "$(__green "Cert success.")"
cat "$CERT_PATH"
@@ -3824,57 +4659,61 @@ issue() {
_info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
fi
- cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
-
- if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
+ if [ ! "$USER_PATH" ] || [ ! "$ACME_IN_CRON" ]; then
USER_PATH="$PATH"
_saveaccountconf "USER_PATH" "$USER_PATH"
fi
fi
- if [ -z "$Le_LinkCert" ]; then
- response="$(echo "$response" | _dbase64 "multiline" | _normalizeJson)"
- _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
- _on_issue_err "$_post_hook"
- return 1
- fi
-
- _cleardomainconf "Le_Vlist"
+ if [ "$ACME_VERSION" = "2" ]; then
+ _debug "v2 chain."
+ else
+ cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
+ Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
- Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
- if ! _contains "$Le_LinkIssuer" ":"; then
- _info "$(__red "Relative issuer link found.")"
- Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
- fi
- _debug Le_LinkIssuer "$Le_LinkIssuer"
- _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
-
- if [ "$Le_LinkIssuer" ]; then
- _link_issuer_retry=0
- _MAX_ISSUER_RETRY=5
- while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
- _debug _link_issuer_retry "$_link_issuer_retry"
- if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
- echo "$BEGIN_CERT" >"$CA_CERT_PATH"
- _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
- echo "$END_CERT" >>"$CA_CERT_PATH"
-
- _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
- cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
- _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
-
- rm -f "$CA_CERT_PATH.der"
- break
+ if [ "$Le_LinkIssuer" ]; then
+ if ! _contains "$Le_LinkIssuer" ":"; then
+ _info "$(__red "Relative issuer link found.")"
+ Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
+ fi
+ _debug Le_LinkIssuer "$Le_LinkIssuer"
+ _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
+
+ _link_issuer_retry=0
+ _MAX_ISSUER_RETRY=5
+ while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
+ _debug _link_issuer_retry "$_link_issuer_retry"
+ if [ "$ACME_VERSION" = "2" ]; then
+ if _send_signed_request "$Le_LinkIssuer"; then
+ echo "$response" >"$CA_CERT_PATH"
+ break
+ fi
+ else
+ if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
+ echo "$BEGIN_CERT" >"$CA_CERT_PATH"
+ _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
+ echo "$END_CERT" >>"$CA_CERT_PATH"
+ if ! _checkcert "$CA_CERT_PATH"; then
+ _err "Can not get the ca cert."
+ break
+ fi
+ cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
+ rm -f "$CA_CERT_PATH.der"
+ break
+ fi
+ fi
+ _link_issuer_retry=$(_math $_link_issuer_retry + 1)
+ _sleep "$_link_issuer_retry"
+ done
+ if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
+ _err "Max retry for issuer ca cert is reached."
fi
- _link_issuer_retry=$(_math $_link_issuer_retry + 1)
- _sleep "$_link_issuer_retry"
- done
- if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
- _err "Max retry for issuer ca cert is reached."
+ else
+ _debug "No Le_LinkIssuer header found."
fi
- else
- _debug "No Le_LinkIssuer header found."
fi
+ [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
+ [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
Le_CertCreateTime=$(_time)
_savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
@@ -3882,8 +4721,8 @@ issue() {
Le_CertCreateTimeStr=$(date -u)
_savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
- if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ]; then
- Le_RenewalDays="$MAX_RENEW"
+ if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then
+ Le_RenewalDays="$DEFAULT_RENEW"
else
_savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
fi
@@ -3928,20 +4767,21 @@ issue() {
Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
- if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
- _err "Call hook error."
- return 1
- fi
-
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
_savedomainconf "Le_RealCertPath" "$_real_cert"
_savedomainconf "Le_RealCACertPath" "$_real_ca"
_savedomainconf "Le_RealKeyPath" "$_real_key"
- _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
+ _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64"
_savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
- _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
+ if ! _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"; then
+ return 1
+ fi
fi
+ if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
+ _err "Call hook error."
+ return 1
+ fi
}
#domain [isEcc]
@@ -3959,7 +4799,7 @@ renew() {
_info "$(__green "Renew: '$Le_Domain'")"
if [ ! -f "$DOMAIN_CONF" ]; then
_info "'$Le_Domain' is not a issued domain, skip."
- return 0
+ return $RENEW_SKIP
fi
if [ "$Le_RenewalDays" ]; then
@@ -3967,6 +4807,16 @@ renew() {
fi
. "$DOMAIN_CONF"
+ _debug Le_API "$Le_API"
+
+ if [ "$Le_API" = "$LETSENCRYPT_CA_V1" ]; then
+ _cleardomainconf Le_API
+ Le_API="$DEFAULT_CA"
+ fi
+ if [ "$Le_API" = "$LETSENCRYPT_STAGING_CA_V1" ]; then
+ _cleardomainconf Le_API
+ Le_API="$DEFAULT_STAGING_CA"
+ fi
if [ "$Le_API" ]; then
if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
@@ -3974,7 +4824,7 @@ renew() {
_savedomainconf Le_API "$Le_API"
fi
if [ "$_OLD_STAGE_CA_HOST" = "$Le_API" ]; then
- export Le_API="$STAGE_CA"
+ export Le_API="$DEFAULT_STAGING_CA"
_savedomainconf Le_API "$Le_API"
fi
export ACME_DIRECTORY="$Le_API"
@@ -3992,13 +4842,17 @@ renew() {
return "$RENEW_SKIP"
fi
- if [ "$IN_CRON" = "1" ] && [ -z "$Le_CertCreateTime" ]; then
+ if [ "$ACME_IN_CRON" = "1" ] && [ -z "$Le_CertCreateTime" ]; then
_info "Skip invalid cert for: $Le_Domain"
- return 0
+ return $RENEW_SKIP
fi
IS_RENEW="1"
- issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
+ Le_ReloadCmd="$(_readdomainconf Le_ReloadCmd)"
+ Le_PreHook="$(_readdomainconf Le_PreHook)"
+ Le_PostHook="$(_readdomainconf Le_PostHook)"
+ Le_RenewHook="$(_readdomainconf Le_RenewHook)"
+ issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias"
res="$?"
if [ "$res" != "0" ]; then
return "$res"
@@ -4020,7 +4874,13 @@ renewAll() {
_stopRenewOnError="$1"
_debug "_stopRenewOnError" "$_stopRenewOnError"
_ret="0"
-
+ _success_msg=""
+ _error_msg=""
+ _skipped_msg=""
+ _error_level=$NOTIFY_LEVEL_SKIP
+ _notify_code=$RENEW_SKIP
+ _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT}
+ _debug "_set_level" "$_set_level"
for di in "${CERT_HOME}"/*.*/; do
_debug di "$di"
if ! [ -d "$di" ]; then
@@ -4038,18 +4898,87 @@ renewAll() {
)
rc="$?"
_debug "Return code: $rc"
- if [ "$rc" != "0" ]; then
- if [ "$rc" = "$RENEW_SKIP" ]; then
- _info "Skipped $d"
- elif [ "$_stopRenewOnError" ]; then
+ if [ "$rc" = "0" ]; then
+ if [ $_error_level -gt $NOTIFY_LEVEL_RENEW ]; then
+ _error_level="$NOTIFY_LEVEL_RENEW"
+ _notify_code=0
+ fi
+ if [ "$ACME_IN_CRON" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
+ fi
+ fi
+ fi
+ _success_msg="${_success_msg} $d
+"
+ elif [ "$rc" = "$RENEW_SKIP" ]; then
+ if [ $_error_level -gt $NOTIFY_LEVEL_SKIP ]; then
+ _error_level="$NOTIFY_LEVEL_SKIP"
+ _notify_code=$RENEW_SKIP
+ fi
+ if [ "$ACME_IN_CRON" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
+ fi
+ fi
+ fi
+ _info "Skipped $d"
+ _skipped_msg="${_skipped_msg} $d
+"
+ else
+ if [ $_error_level -gt $NOTIFY_LEVEL_ERROR ]; then
+ _error_level="$NOTIFY_LEVEL_ERROR"
+ _notify_code=1
+ fi
+ if [ "$ACME_IN_CRON" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
+ fi
+ fi
+ fi
+ _error_msg="${_error_msg} $d
+"
+ if [ "$_stopRenewOnError" ]; then
_err "Error renew $d, stop now."
- return "$rc"
+ _ret="$rc"
+ break
else
_ret="$rc"
_err "Error renew $d."
fi
fi
done
+ _debug _error_level "$_error_level"
+ _debug _set_level "$_set_level"
+ if [ "$ACME_IN_CRON" ] && [ $_error_level -le $_set_level ]; then
+ if [ -z "$NOTIFY_MODE" ] || [ "$NOTIFY_MODE" = "$NOTIFY_MODE_BULK" ]; then
+ _msg_subject="Renew"
+ if [ "$_error_msg" ]; then
+ _msg_subject="${_msg_subject} Error"
+ _msg_data="Error certs:
+${_error_msg}
+"
+ fi
+ if [ "$_success_msg" ]; then
+ _msg_subject="${_msg_subject} Success"
+ _msg_data="${_msg_data}Success certs:
+${_success_msg}
+"
+ fi
+ if [ "$_skipped_msg" ]; then
+ _msg_subject="${_msg_subject} Skipped"
+ _msg_data="${_msg_data}Skipped certs:
+${_skipped_msg}
+"
+ fi
+
+ _send_notify "$_msg_subject" "$_msg_data" "$NOTIFY_HOOK" "$_notify_code"
+ fi
+ fi
+
return "$_ret"
}
@@ -4062,7 +4991,16 @@ signcsr() {
return 1
fi
- _initpath
+ _real_cert="$3"
+ _real_key="$4"
+ _real_ca="$5"
+ _reload_cmd="$6"
+ _real_fullchain="$7"
+ _pre_hook="${8}"
+ _post_hook="${9}"
+ _renew_hook="${10}"
+ _local_addr="${11}"
+ _challenge_alias="${12}"
_csrsubj=$(_readSubjectFromCSR "$_csrfile")
if [ "$?" != "0" ]; then
@@ -4100,13 +5038,16 @@ signcsr() {
return 1
fi
+ if [ -z "$ACME_VERSION" ] && _contains "$_csrsubj,$_csrdomainlist" "*."; then
+ export ACME_VERSION=2
+ fi
_initpath "$_csrsubj" "$_csrkeylength"
mkdir -p "$DOMAIN_PATH"
_info "Copy csr to: $CSR_PATH"
cp "$_csrfile" "$CSR_PATH"
- issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
+ issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
}
@@ -4153,18 +5094,14 @@ list() {
if [ "$_raw" ]; then
printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
for di in "${CERT_HOME}"/*.*/; do
- if ! [ -d "$di" ]; then
- _debug "Not directory, skip: $di"
- continue
- fi
d=$(basename "$di")
_debug d "$d"
(
if _endswith "$d" "$ECC_SUFFIX"; then
- _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
+ _isEcc="ecc"
d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
fi
- _initpath "$d" "$_isEcc"
+ DOMAIN_CONF="$di/$d.conf"
if [ -f "$DOMAIN_CONF" ]; then
. "$DOMAIN_CONF"
printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
@@ -4186,7 +5123,7 @@ _deploy() {
_hooks="$2"
for _d_api in $(echo "$_hooks" | tr ',' " "); do
- _deployApi="$(_findHook "$_d" deploy "$_d_api")"
+ _deployApi="$(_findHook "$_d" $_SUB_FOLDER_DEPLOY "$_d_api")"
if [ -z "$_deployApi" ]; then
_err "The deploy hook $_d_api is not found."
return 1
@@ -4230,7 +5167,8 @@ deploy() {
_initpath "$_d" "$_isEcc"
if [ ! -d "$DOMAIN_PATH" ]; then
- _err "Domain is not valid:'$_d'"
+ _err "The domain '$_d' is not a cert name. You must use the cert name to specify the cert to install."
+ _err "Can not find path:'$DOMAIN_PATH'"
return 1
fi
@@ -4257,14 +5195,15 @@ installcert() {
_initpath "$_main_domain" "$_isEcc"
if [ ! -d "$DOMAIN_PATH" ]; then
- _err "Domain is not valid:'$_main_domain'"
+ _err "The domain '$_main_domain' is not a cert name. You must use the cert name to specify the cert to install."
+ _err "Can not find path:'$DOMAIN_PATH'"
return 1
fi
_savedomainconf "Le_RealCertPath" "$_real_cert"
_savedomainconf "Le_RealCACertPath" "$_real_ca"
_savedomainconf "Le_RealKeyPath" "$_real_key"
- _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
+ _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64"
_savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
_installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
@@ -4304,19 +5243,19 @@ _installcert() {
if [ -f "$_real_cert" ] && [ ! "$IS_RENEW" ]; then
cp "$_real_cert" "$_backup_path/cert.bak"
fi
- cat "$CERT_PATH" >"$_real_cert"
+ cat "$CERT_PATH" >"$_real_cert" || return 1
fi
if [ "$_real_ca" ]; then
_info "Installing CA to:$_real_ca"
if [ "$_real_ca" = "$_real_cert" ]; then
echo "" >>"$_real_ca"
- cat "$CA_CERT_PATH" >>"$_real_ca"
+ cat "$CA_CERT_PATH" >>"$_real_ca" || return 1
else
if [ -f "$_real_ca" ] && [ ! "$IS_RENEW" ]; then
cp "$_real_ca" "$_backup_path/ca.bak"
fi
- cat "$CA_CERT_PATH" >"$_real_ca"
+ cat "$CA_CERT_PATH" >"$_real_ca" || return 1
fi
fi
@@ -4326,10 +5265,10 @@ _installcert() {
cp "$_real_key" "$_backup_path/key.bak"
fi
if [ -f "$_real_key" ]; then
- cat "$CERT_KEY_PATH" >"$_real_key"
+ cat "$CERT_KEY_PATH" >"$_real_key" || return 1
else
- cat "$CERT_KEY_PATH" >"$_real_key"
- chmod 700 "$_real_key"
+ cat "$CERT_KEY_PATH" >"$_real_key" || return 1
+ chmod 600 "$_real_key"
fi
fi
@@ -4338,7 +5277,7 @@ _installcert() {
if [ -f "$_real_fullchain" ] && [ ! "$IS_RENEW" ]; then
cp "$_real_fullchain" "$_backup_path/fullchain.bak"
fi
- cat "$CERT_FULLCHAIN_PATH" >"$_real_fullchain"
+ cat "$CERT_FULLCHAIN_PATH" >"$_real_fullchain" || return 1
fi
if [ "$_reload_cmd" ]; then
@@ -4348,7 +5287,7 @@ _installcert() {
export CERT_KEY_PATH
export CA_CERT_PATH
export CERT_FULLCHAIN_PATH
- export Le_Domain
+ export Le_Domain="$_main_domain"
cd "$DOMAIN_PATH" && eval "$_reload_cmd"
); then
_info "$(__green "Reload success")"
@@ -4359,35 +5298,107 @@ _installcert() {
}
+__read_password() {
+ unset _pp
+ prompt="Enter Password:"
+ while IFS= read -p "$prompt" -r -s -n 1 char; do
+ if [ "$char" = $'\0' ]; then
+ break
+ fi
+ prompt='*'
+ _pp="$_pp$char"
+ done
+ echo "$_pp"
+}
+
+_install_win_taskscheduler() {
+ _lesh="$1"
+ _centry="$2"
+ _randomminute="$3"
+ if ! _exists cygpath; then
+ _err "cygpath not found"
+ return 1
+ fi
+ if ! _exists schtasks; then
+ _err "schtasks.exe is not found, are you on Windows?"
+ return 1
+ fi
+ _winbash="$(cygpath -w $(which bash))"
+ _debug _winbash "$_winbash"
+ if [ -z "$_winbash" ]; then
+ _err "can not find bash path"
+ return 1
+ fi
+ _myname="$(whoami)"
+ _debug "_myname" "$_myname"
+ if [ -z "$_myname" ]; then
+ _err "can not find my user name"
+ return 1
+ fi
+ _debug "_lesh" "$_lesh"
+
+ _info "To install scheduler task in your Windows account, you must input your windows password."
+ _info "$PROJECT_NAME doesn't save your password."
+ _info "Please input your Windows password for: $(__green "$_myname")"
+ _password="$(__read_password)"
+ #SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'" >/dev/null
+ echo SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "\"$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'\"" | cmd.exe >/dev/null
+ echo
+
+}
+
+_uninstall_win_taskscheduler() {
+ if ! _exists schtasks; then
+ _err "schtasks.exe is not found, are you on Windows?"
+ return 1
+ fi
+ if ! echo SCHTASKS /query /tn "$_WINDOWS_SCHEDULER_NAME" | cmd.exe >/dev/null; then
+ _debug "scheduler $_WINDOWS_SCHEDULER_NAME is not found."
+ else
+ _info "Removing $_WINDOWS_SCHEDULER_NAME"
+ echo SCHTASKS /delete /f /tn "$_WINDOWS_SCHEDULER_NAME" | cmd.exe >/dev/null
+ fi
+}
+
#confighome
installcronjob() {
_c_home="$1"
_initpath
_CRONTAB="crontab"
+ if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
+ lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
+ else
+ _err "Can not install cronjob, $PROJECT_ENTRY not found."
+ return 1
+ fi
+ if [ "$_c_home" ]; then
+ _c_entry="--config-home \"$_c_home\" "
+ fi
+ _t=$(_time)
+ random_minute=$(_math $_t % 60)
+
if ! _exists "$_CRONTAB" && _exists "fcrontab"; then
_CRONTAB="fcrontab"
fi
+
if ! _exists "$_CRONTAB"; then
+ if _exists cygpath && _exists schtasks.exe; then
+ _info "It seems you are on Windows, let's install Windows scheduler task."
+ if _install_win_taskscheduler "$lesh" "$_c_entry" "$random_minute"; then
+ _info "Install Windows scheduler task success."
+ return 0
+ else
+ _err "Install Windows scheduler task failed."
+ return 1
+ fi
+ fi
_err "crontab/fcrontab doesn't exist, so, we can not install cron jobs."
_err "All your certs will not be renewed automatically."
_err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
return 1
fi
-
_info "Installing cron job"
if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then
- if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
- lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
- else
- _err "Can not install cronjob, $PROJECT_ENTRY not found."
- return 1
- fi
-
- if [ "$_c_home" ]; then
- _c_entry="--config-home \"$_c_home\" "
- fi
- _t=$(_time)
- random_minute=$(_math $_t % 60)
if _exists uname && uname -a | grep SunOS >/dev/null; then
$_CRONTAB -l | {
cat
@@ -4415,6 +5426,16 @@ uninstallcronjob() {
fi
if ! _exists "$_CRONTAB"; then
+ if _exists cygpath && _exists schtasks.exe; then
+ _info "It seems you are on Windows, let's uninstall Windows scheduler task."
+ if _uninstall_win_taskscheduler; then
+ _info "Uninstall Windows scheduler task success."
+ return 0
+ else
+ _err "Uninstall Windows scheduler task failed."
+ return 1
+ fi
+ fi
return
fi
_info "Removing cron job"
@@ -4436,6 +5457,7 @@ uninstallcronjob() {
}
+#domain isECC revokeReason
revoke() {
Le_Domain="$1"
if [ -z "$Le_Domain" ]; then
@@ -4444,7 +5466,10 @@ revoke() {
fi
_isEcc="$2"
-
+ _reason="$3"
+ if [ -z "$_reason" ]; then
+ _reason="0"
+ fi
_initpath "$Le_Domain" "$_isEcc"
if [ ! -f "$DOMAIN_CONF" ]; then
_err "$Le_Domain is not a issued domain, skip."
@@ -4465,7 +5490,11 @@ revoke() {
_initAPI
- data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
+ if [ "$ACME_VERSION" = "2" ]; then
+ data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
+ else
+ data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
+ fi
uri="${ACME_REVOKE_CERT}"
if [ -f "$CERT_KEY_PATH" ]; then
@@ -4536,37 +5565,68 @@ _deactivate() {
_d_type="$2"
_initpath
- if ! __get_domain_new_authz "$_d_domain"; then
- _err "Can not get domain new authz token."
- return 1
- fi
+ if [ "$ACME_VERSION" = "2" ]; then
+ _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
+ if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+ _err "Can not get domain new order."
+ return 1
+ fi
+ _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _debug2 _authorizations_seg "$_authorizations_seg"
+ if [ -z "$_authorizations_seg" ]; then
+ _err "_authorizations_seg not found."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ authzUri="$_authorizations_seg"
+ _debug2 "authzUri" "$authzUri"
+ if ! _send_signed_request "$authzUri"; then
+ _err "get to authz error."
+ _err "_authorizations_seg" "$_authorizations_seg"
+ _err "authzUri" "$authzUri"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
- authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
- _debug "authzUri" "$authzUri"
+ response="$(echo "$response" | _normalizeJson)"
+ _debug2 response "$response"
+ _URL_NAME="url"
+ else
+ if ! __get_domain_new_authz "$_d_domain"; then
+ _err "Can not get domain new authz token."
+ return 1
+ fi
- if [ "$code" ] && [ ! "$code" = '201' ]; then
- _err "new-authz error: $response"
- return 1
+ authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
+ _debug "authzUri" "$authzUri"
+ if [ "$code" ] && [ ! "$code" = '201' ]; then
+ _err "new-authz error: $response"
+ return 1
+ fi
+ _URL_NAME="uri"
fi
- entries="$(echo "$response" | _egrep_o '{ *"type":"[^"]*", *"status": *"valid", *"uri"[^}]*')"
+ entries="$(echo "$response" | _egrep_o "{ *\"type\":\"[^\"]*\", *\"status\": *\"valid\", *\"$_URL_NAME\"[^}]*")"
if [ -z "$entries" ]; then
_info "No valid entries found."
if [ -z "$thumbprint" ]; then
thumbprint="$(__calc_account_thumbprint)"
fi
_debug "Trigger validation."
- vtype="$VTYPE_HTTP"
- entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
+ vtype="$VTYPE_DNS"
+ entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
if [ -z "$entry" ]; then
_err "Error, can not get domain token $d"
return 1
fi
- token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
+ token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
_debug token "$token"
- uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
+ uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
_debug uri "$uri"
keyauthorization="$token.$thumbprint"
@@ -4588,11 +5648,11 @@ _deactivate() {
break
fi
- _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
+ _vtype="$(echo "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
_debug _vtype "$_vtype"
_info "Found $_vtype"
- uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
+ uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
_debug uri "$uri"
if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
@@ -4602,7 +5662,13 @@ _deactivate() {
_info "Deactivate: $_vtype"
- if _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}" && _contains "$response" '"deactivated"'; then
+ if [ "$ACME_VERSION" = "2" ]; then
+ _djson="{\"status\":\"deactivated\"}"
+ else
+ _djson="{\"resource\": \"authz\", \"status\":\"deactivated\"}"
+ fi
+
+ if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then
_info "Deactivate: $_vtype success."
else
_err "Can not deactivate $_vtype."
@@ -4701,13 +5767,17 @@ _precheck() {
if [ -z "$_nocron" ]; then
if ! _exists "crontab" && ! _exists "fcrontab"; then
- _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
- _err "We need to set cron job to renew the certs automatically."
- _err "Otherwise, your certs will not be able to be renewed automatically."
- if [ -z "$FORCE" ]; then
- _err "Please add '--force' and try install again to go without crontab."
- _err "./$PROJECT_ENTRY --install --force"
- return 1
+ if _exists cygpath && _exists schtasks.exe; then
+ _info "It seems you are on Windows, we will install Windows scheduler task."
+ else
+ _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
+ _err "We need to set cron job to renew the certs automatically."
+ _err "Otherwise, your certs will not be able to be renewed automatically."
+ if [ -z "$FORCE" ]; then
+ _err "Please add '--force' and try install again to go without crontab."
+ _err "./$PROJECT_ENTRY --install --force"
+ return 1
+ fi
fi
fi
fi
@@ -4803,7 +5873,7 @@ _installalias() {
}
-# nocron confighome
+# nocron confighome noprofile
install() {
if [ -z "$LE_WORKING_DIR" ]; then
@@ -4812,6 +5882,7 @@ install() {
_nocron="$1"
_c_home="$2"
+ _noprofile="$3"
if ! _initpath; then
_err "Install failed."
return 1
@@ -4820,7 +5891,7 @@ install() {
_debug "Skip install cron job"
fi
- if [ "$IN_CRON" != "1" ]; then
+ if [ "$ACME_IN_CRON" != "1" ]; then
if ! _precheck "$_nocron"; then
_err "Pre-check failed, can not install."
return 1
@@ -4877,7 +5948,7 @@ install() {
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
- if [ "$IN_CRON" != "1" ]; then
+ if [ "$ACME_IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
_installalias "$_c_home"
fi
@@ -4911,8 +5982,14 @@ install() {
if [ -z "$NO_DETECT_SH" ]; then
#Modify shebang
if _exists bash; then
+ _bash_path="$(bash -c "command -v bash 2>/dev/null")"
+ if [ -z "$_bash_path" ]; then
+ _bash_path="$(bash -c 'echo $SHELL')"
+ fi
+ fi
+ if [ "$_bash_path" ]; then
_info "Good, bash is found, so change the shebang to use bash as preferred."
- _shebang='#!'"$(env bash -c "command -v bash")"
+ _shebang='#!'"$_bash_path"
_setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
for subf in $_SUB_FOLDERS; do
if [ -d "$LE_WORKING_DIR/$subf" ]; then
@@ -4969,7 +6046,7 @@ _uninstallalias() {
}
cron() {
- export IN_CRON=1
+ export ACME_IN_CRON=1
_initpath
_info "$(__green "===Starting cron===")"
if [ "$AUTO_UPGRADE" = "1" ]; then
@@ -4990,7 +6067,7 @@ cron() {
fi
renewAll
_ret="$?"
- IN_CRON=""
+ ACME_IN_CRON=""
_info "$(__green "===End cron===")"
exit $_ret
}
@@ -5000,6 +6077,117 @@ version() {
echo "v$VER"
}
+# subject content hooks code
+_send_notify() {
+ _nsubject="$1"
+ _ncontent="$2"
+ _nhooks="$3"
+ _nerror="$4"
+
+ if [ "$NOTIFY_LEVEL" = "$NOTIFY_LEVEL_DISABLE" ]; then
+ _debug "The NOTIFY_LEVEL is $NOTIFY_LEVEL, disabled, just return."
+ return 0
+ fi
+
+ if [ -z "$_nhooks" ]; then
+ _debug "The NOTIFY_HOOK is empty, just return."
+ return 0
+ fi
+
+ _send_err=0
+ for _n_hook in $(echo "$_nhooks" | tr ',' " "); do
+ _n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")"
+ _info "Sending via: $_n_hook"
+ _debug "Found $_n_hook_file for $_n_hook"
+ if [ -z "$_n_hook_file" ]; then
+ _err "Can not find the hook file for $_n_hook"
+ continue
+ fi
+ if ! (
+ if ! . "$_n_hook_file"; then
+ _err "Load file $_n_hook_file error. Please check your api file and try again."
+ return 1
+ fi
+
+ d_command="${_n_hook}_send"
+ if ! _exists "$d_command"; then
+ _err "It seems that your api file is not correct, it must have a function named: $d_command"
+ return 1
+ fi
+
+ if ! $d_command "$_nsubject" "$_ncontent" "$_nerror"; then
+ _err "Error send message by $d_command"
+ return 1
+ fi
+
+ return 0
+ ); then
+ _err "Set $_n_hook_file error."
+ _send_err=1
+ else
+ _info "$_n_hook $(__green Success)"
+ fi
+ done
+ return $_send_err
+
+}
+
+# hook
+_set_notify_hook() {
+ _nhooks="$1"
+
+ _test_subject="Hello, this is a notification from $PROJECT_NAME"
+ _test_content="If you receive this message, your notification works."
+
+ _send_notify "$_test_subject" "$_test_content" "$_nhooks" 0
+
+}
+
+#[hook] [level] [mode]
+setnotify() {
+ _nhook="$1"
+ _nlevel="$2"
+ _nmode="$3"
+
+ _initpath
+
+ if [ -z "$_nhook$_nlevel$_nmode" ]; then
+ _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook mailgun] [--notify-level $NOTIFY_LEVEL_DEFAULT] [--notify-mode $NOTIFY_MODE_DEFAULT]"
+ _usage "$_NOTIFY_WIKI"
+ return 1
+ fi
+
+ if [ "$_nlevel" ]; then
+ _info "Set notify level to: $_nlevel"
+ export "NOTIFY_LEVEL=$_nlevel"
+ _saveaccountconf "NOTIFY_LEVEL" "$NOTIFY_LEVEL"
+ fi
+
+ if [ "$_nmode" ]; then
+ _info "Set notify mode to: $_nmode"
+ export "NOTIFY_MODE=$_nmode"
+ _saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE"
+ fi
+
+ if [ "$_nhook" ]; then
+ _info "Set notify hook to: $_nhook"
+ if [ "$_nhook" = "$NO_VALUE" ]; then
+ _info "Clear notify hook"
+ _clearaccountconf "NOTIFY_HOOK"
+ else
+ if _set_notify_hook "$_nhook"; then
+ export NOTIFY_HOOK="$_nhook"
+ _saveaccountconf "NOTIFY_HOOK" "$NOTIFY_HOOK"
+ return 0
+ else
+ _err "Can not set notify hook to: $_nhook"
+ return 1
+ fi
+ fi
+ fi
+
+}
+
showhelp() {
_initpath
version
@@ -5017,7 +6205,7 @@ Commands:
--renew, -r Renew a cert.
--renew-all Renew all the certs.
--revoke Revoke a cert.
- --remove Remove the cert from $PROJECT
+ --remove Remove the cert from list of certs known to $PROJECT_NAME.
--list List all the certs.
--showcsr Show the content of a csr.
--install-cronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
@@ -5032,28 +6220,32 @@ Commands:
--create-domain-key Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
--deactivate Deactivate the domain authz, professional use.
+ --set-notify Set the cron notification hook, level or mode.
+
Parameters:
--domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
+ --challenge-alias domain.tld The challenge domain alias for DNS alias mode: $_DNS_ALIAS_WIKI
+ --domain-alias domain.tld The domain alias for DNS alias mode: $_DNS_ALIAS_WIKI
--force, -f Used to force to install or force to renew a cert immediately.
--staging, --test Use staging server, just for test.
--debug Output debug info.
- --output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
+ --output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode.
+ --alpn Use standalone alpn mode.
--stateless Use stateless mode, see: $_STATELESS_WIKI
- --tls Use standalone tls mode.
--apache Use apache mode.
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
- --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
+ --dnssleep 300 The time in seconds to wait for all the txt records to take effect in dns api mode. It's not necessary to use this by default, $PROJECT_NAME polls dns status automatically.
- --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
- --accountkeylength, -ak [2048] Specifies the account key length.
+ --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
+ --accountkeylength, -ak [2048] Specifies the account key length: 2048, 3072, 4096
--log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
--log-level 1|2 Specifies the log level, default is 1.
--syslog [0|3|6|7] Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
- These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
+ These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
--cert-file After issue/renew, the cert will be copied to this path.
--key-file After issue/renew, the key will be copied to this path.
@@ -5062,15 +6254,15 @@ Parameters:
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
- --server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
+ --server SERVER ACME Directory Resource URI. (default: $DEFAULT_CA)
--accountconf Specifies a customized account config file.
- --home Specifies the home dir for $PROJECT_NAME .
+ --home Specifies the home dir for $PROJECT_NAME.
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
--config-home Specifies the home dir to save all the configurations.
--useragent Specifies the user agent string. it will be saved for future use too.
- --accountemail Specifies the account email for registering, Only valid for the '--install' command.
- --accountkey Specifies the account key path, Only valid for the '--install' command.
- --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
+ --accountemail Specifies the account email, only valid for the '--install' and '--update-account' command.
+ --accountkey Specifies the account key path, only valid for the '--install' command.
+ --days Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
--httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
--tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
--local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
@@ -5080,7 +6272,9 @@ Parameters:
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
+ --noprofile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
+ --force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
--csr Specifies the input csr.
--pre-hook Command to be run before obtaining any certificates.
@@ -5094,13 +6288,28 @@ Parameters:
--listen-v6 Force standalone/tls server to listen at ipv6.
--openssl-bin Specifies a custom openssl bin location.
--use-wget Force to use wget, if you have both curl and wget installed.
- "
+ --yes-I-know-dns-manual-mode-enough-go-ahead-please Force to use dns manual mode: $_DNS_MANUAL_WIKI
+ --branch, -b Only valid for '--upgrade' command, specifies the branch name to upgrade to.
+
+ --notify-level 0|1|2|3 Set the notification level: Default value is $NOTIFY_LEVEL_DEFAULT.
+ 0: disabled, no notification will be sent.
+ 1: send notifications only when there is an error.
+ 2: send notifications when a cert is successfully renewed, or there is an error.
+ 3: send notifications when a cert is skipped, renewed, or error.
+ --notify-mode 0|1 Set notification mode. Default value is $NOTIFY_MODE_DEFAULT.
+ 0: Bulk mode. Send all the domain's notifications in one message(mail).
+ 1: Cert mode. Send a message for every single cert.
+ --notify-hook [hookname] Set the notify hook
+ --revoke-reason [0-10] The reason for '--revoke' command. See: $_REVOKE_WIKI
+
+"
}
-# nocron
+# nocron noprofile
_installOnline() {
_info "Installing from online archive."
_nocron="$1"
+ _noprofile="$2"
if [ ! "$BRANCH" ]; then
BRANCH="master"
fi
@@ -5121,8 +6330,10 @@ _installOnline() {
cd "$PROJECT_NAME-$BRANCH"
chmod +x $PROJECT_ENTRY
- if ./$PROJECT_ENTRY install "$_nocron"; then
+ if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
_info "Install success!"
+ _initpath
+ _saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)"
fi
cd ..
@@ -5132,12 +6343,30 @@ _installOnline() {
)
}
+_getRepoHash() {
+ _hash_path=$1
+ shift
+ _hash_url="https://api.github.com/repos/acmesh-official/$PROJECT_NAME/git/refs/$_hash_path"
+ _get $_hash_url | tr -d "\r\n" | tr '{},' '\n' | grep '"sha":' | cut -d '"' -f 4
+}
+
+_getUpgradeHash() {
+ _b="$BRANCH"
+ if [ -z "$_b" ]; then
+ _b="master"
+ fi
+ _hash=$(_getRepoHash "heads/$_b")
+ if [ -z "$_hash" ]; then _hash=$(_getRepoHash "tags/$_b"); fi
+ echo $_hash
+}
+
upgrade() {
if (
_initpath
+ [ -z "$FORCE" ] && [ "$(_getUpgradeHash)" = "$(_readaccountconf "UPGRADE_HASH")" ] && _info "Already uptodate!" && exit 0
export LE_WORKING_DIR
cd "$LE_WORKING_DIR"
- _installOnline "nocron"
+ _installOnline "nocron" "noprofile"
); then
_info "Upgrade success!"
exit 0
@@ -5180,11 +6409,29 @@ _processAccountConf() {
}
+_checkSudo() {
+ if [ "$SUDO_GID" ] && [ "$SUDO_COMMAND" ] && [ "$SUDO_USER" ] && [ "$SUDO_UID" ]; then
+ if [ "$SUDO_USER" = "root" ] && [ "$SUDO_UID" = "0" ]; then
+ #it's root using sudo, no matter it's using sudo or not, just fine
+ return 0
+ fi
+ if [ "$SUDO_COMMAND" = "/bin/su" ] || [ "$SUDO_COMMAND" = "/bin/bash" ]; then
+ #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
+ #fine
+ return 0
+ fi
+ #otherwise
+ return 1
+ fi
+ return 0
+}
+
_process() {
_CMD=""
_domain=""
_altdomains="$NO_VALUE"
_webroot=""
+ _challenge_alias=""
_keylength=""
_accountkeylength=""
_cert_file=""
@@ -5208,6 +6455,7 @@ _process() {
_ca_bundle=""
_ca_path=""
_nocron=""
+ _noprofile=""
_ecc=""
_csr=""
_pre_hook=""
@@ -5225,6 +6473,10 @@ _process() {
_syslog=""
_use_wget=""
_server=""
+ _notify_hook=""
+ _notify_level=""
+ _notify_mode=""
+ _revoke_reason=""
while [ ${#} -gt 0 ]; do
case "${1}" in
@@ -5311,6 +6563,9 @@ _process() {
--deactivate-account)
_CMD="deactivateaccount"
;;
+ --set-notify)
+ _CMD="setnotify"
+ ;;
--domain | -d)
_dvalue="$2"
@@ -5324,6 +6579,10 @@ _process() {
return 1
fi
+ if _startswith "$_dvalue" "*."; then
+ _debug "Wildcard domain"
+ export ACME_VERSION=2
+ fi
if [ -z "$_domain" ]; then
_domain="$_dvalue"
else
@@ -5370,6 +6629,16 @@ _process() {
fi
shift
;;
+ --challenge-alias)
+ cvalue="$2"
+ _challenge_alias="$_challenge_alias$cvalue,"
+ shift
+ ;;
+ --domain-alias)
+ cvalue="$DNS_ALIAS_PREFIX$2"
+ _challenge_alias="$_challenge_alias$cvalue,"
+ shift
+ ;;
--standalone)
wvalue="$NO_VALUE"
if [ -z "$_webroot" ]; then
@@ -5378,6 +6647,14 @@ _process() {
_webroot="$_webroot,$wvalue"
fi
;;
+ --alpn)
+ wvalue="$W_ALPN"
+ if [ -z "$_webroot" ]; then
+ _webroot="$wvalue"
+ else
+ _webroot="$_webroot,$wvalue"
+ fi
+ ;;
--stateless)
wvalue="$MODE_STATELESS"
if [ -z "$_webroot" ]; then
@@ -5401,14 +6678,10 @@ _process() {
;;
--nginx)
wvalue="$NGINX"
- if [ -z "$_webroot" ]; then
- _webroot="$wvalue"
- else
- _webroot="$_webroot,$wvalue"
+ if [ "$2" ] && ! _startswith "$2" "-"; then
+ wvalue="$NGINX$2"
+ shift
fi
- ;;
- --tls)
- wvalue="$W_TLS"
if [ -z "$_webroot" ]; then
_webroot="$wvalue"
else
@@ -5416,7 +6689,7 @@ _process() {
fi
;;
--dns)
- wvalue="dns"
+ wvalue="$W_DNS"
if [ "$2" ] && ! _startswith "$2" "-"; then
wvalue="$2"
shift
@@ -5515,7 +6788,6 @@ _process() {
Le_TLSPort="$_tlsport"
shift
;;
-
--listraw)
_listraw="raw"
;;
@@ -5539,9 +6811,15 @@ _process() {
--nocron)
_nocron="1"
;;
+ --noprofile)
+ _noprofile="1"
+ ;;
--no-color)
export ACME_NO_COLOR=1
;;
+ --force-color)
+ export ACME_FORCE_COLOR=1
+ ;;
--ecc)
_ecc="isEcc"
;;
@@ -5580,6 +6858,9 @@ _process() {
shift
fi
;;
+ --yes-I-know-dns-manual-mode-enough-go-ahead-please)
+ export FORCE_DNS_MANUAL=1
+ ;;
--log | --logfile)
_log="1"
_logfile="$2"
@@ -5633,6 +6914,49 @@ _process() {
_use_wget="1"
ACME_USE_WGET="1"
;;
+ --branch | -b)
+ export BRANCH="$2"
+ shift
+ ;;
+ --notify-hook)
+ _nhook="$2"
+ if _startswith "$_nhook" "-"; then
+ _err "'$_nhook' is not a hook name for '$1'"
+ return 1
+ fi
+ if [ "$_notify_hook" ]; then
+ _notify_hook="$_notify_hook,$_nhook"
+ else
+ _notify_hook="$_nhook"
+ fi
+ shift
+ ;;
+ --notify-level)
+ _nlevel="$2"
+ if _startswith "$_nlevel" "-"; then
+ _err "'$_nlevel' is not a integer for '$1'"
+ return 1
+ fi
+ _notify_level="$_nlevel"
+ shift
+ ;;
+ --notify-mode)
+ _nmode="$2"
+ if _startswith "$_nmode" "-"; then
+ _err "'$_nmode' is not a integer for '$1'"
+ return 1
+ fi
+ _notify_mode="$_nmode"
+ shift
+ ;;
+ --revoke-reason)
+ _revoke_reason="$2"
+ if _startswith "$_revoke_reason" "-"; then
+ _err "'$_revoke_reason' is not a integer for '$1'"
+ return 1
+ fi
+ shift
+ ;;
*)
_err "Unknown parameter : $1"
return 1
@@ -5643,6 +6967,14 @@ _process() {
done
if [ "${_CMD}" != "install" ]; then
+ if [ "$__INTERACTIVE" ] && ! _checkSudo; then
+ if [ -z "$FORCE" ]; then
+ #Use "echo" here, instead of _info. it's too early
+ echo "It seems that you are using sudo, please read this link first:"
+ echo "$_SUDO_WIKI"
+ return 1
+ fi
+ fi
__initHome
if [ "$_log" ]; then
if [ -z "$_logfile" ]; then
@@ -5685,19 +7017,19 @@ _process() {
_debug "Using server: $_server"
fi
fi
-
+ _debug "Running cmd: ${_CMD}"
case "${_CMD}" in
- install) install "$_nocron" "$_confighome" ;;
+ install) install "$_nocron" "$_confighome" "$_noprofile" ;;
uninstall) uninstall "$_nocron" ;;
upgrade) upgrade ;;
issue)
- issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
+ issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
;;
deploy)
deploy "$_domain" "$_deploy_hook" "$_ecc"
;;
signcsr)
- signcsr "$_csr" "$_webroot"
+ signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
;;
showcsr)
showcsr "$_csr" "$_domain"
@@ -5712,7 +7044,7 @@ _process() {
renewAll "$_stopRenewOnError"
;;
revoke)
- revoke "$_domain" "$_ecc"
+ revoke "$_domain" "$_ecc" "$_revoke_reason"
;;
remove)
remove "$_domain" "$_ecc"
@@ -5750,7 +7082,9 @@ _process() {
createCSR)
createCSR "$_domain" "$_altdomains" "$_ecc"
;;
-
+ setnotify)
+ setnotify "$_notify_hook" "$_notify_level" "$_notify_mode"
+ ;;
*)
if [ "$_CMD" ]; then
_err "Invalid command: $_CMD"
diff --git a/deploy/README.md b/deploy/README.md
index 3f6f1087..e3f239fa 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -1,118 +1,6 @@
# Using deploy api
-Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
+deploy hook usage:
-Here are the scripts to deploy the certs/key to the server/services.
+https://github.com/acmesh-official/acme.sh/wiki/deployhooks
-## 1. Deploy the certs to your cpanel host
-
-If you want to deploy using cpanel UAPI see 7.
-
-(cpanel deploy hook is not finished yet, this is just an example.)
-
-
-
-Then you can deploy now:
-
-```sh
-export DEPLOY_CPANEL_USER=myusername
-export DEPLOY_CPANEL_PASSWORD=PASSWORD
-acme.sh --deploy -d example.com --deploy-hook cpanel
-```
-
-## 2. Deploy ssl cert on kong proxy engine based on api
-
-Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
-Currently supports Kong-v0.10.x.
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook kong
-```
-
-## 3. Deploy the cert to remote server through SSH access
-
-(TODO)
-
-## 4. Deploy the cert to local vsftpd server
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
-```
-
-The default vsftpd conf file is `/etc/vsftpd.conf`, if your vsftpd conf is not in the default location, you can specify one:
-
-```sh
-export DEPLOY_VSFTPD_CONF="/etc/vsftpd.conf"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
-```
-
-The default command to restart vsftpd server is `service vsftpd restart`, if it doesn't work, you can specify one:
-
-```sh
-export DEPLOY_VSFTPD_RELOAD="/etc/init.d/vsftpd restart"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
-```
-
-## 5. Deploy the cert to local exim4 server
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook exim4
-```
-
-The default exim4 conf file is `/etc/exim/exim.conf`, if your exim4 conf is not in the default location, you can specify one:
-
-```sh
-export DEPLOY_EXIM4_CONF="/etc/exim4/exim4.conf.template"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook exim4
-```
-
-The default command to restart exim4 server is `service exim4 restart`, if it doesn't work, you can specify one:
-
-```sh
-export DEPLOY_EXIM4_RELOAD="/etc/init.d/exim4 restart"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook exim4
-```
-
-## 6. Deploy the cert to OSX Keychain
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook keychain
-```
-
-## 7. Deploy to cpanel host using UAPI
-
-This hook is using UAPI and works in cPanel & WHM version 56 or newer.
-```
-acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
-```
-DEPLOY_CPANEL_USER is required only if you run the script as root and it should contain cpanel username.
-```sh
-export DEPLOY_CPANEL_USER=username
-acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
-```
-Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
-
-## 8. Deploy the cert to your FRITZ!Box router
-
-You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:
-```sh
-$ export DEPLOY_FRITZBOX_USERNAME=my_username
-$ export DEPLOY_FRITZBOX_PASSWORD=the_password
-$ export DEPLOY_FRITZBOX_URL=https://fritzbox.example.com
-```
-
-After the first deployment, these values will be stored in your $HOME/.acme.sh/account.conf. You may now deploy the certificate like this:
-
-```sh
-acme.sh --deploy -d fritzbox.example.com --deploy-hook fritzbox
-```
-
-## 9. Deploy the cert to strongswan
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook strongswan
-```
diff --git a/deploy/cpanel_uapi.sh b/deploy/cpanel_uapi.sh
index 4563b9c4..44844f79 100644
--- a/deploy/cpanel_uapi.sh
+++ b/deploy/cpanel_uapi.sh
@@ -2,8 +2,12 @@
# Here is the script to deploy the cert to your cpanel using the cpanel API.
# Uses command line uapi. --user option is needed only if run as root.
# Returns 0 when success.
-# Written by Santeri Kannisto