|
@ -1,10 +1,16 @@ |
|
|
#!/bin/sh |
|
|
#!/bin/sh |
|
|
|
|
|
|
|
|
#Here is a sample custom api script. |
|
|
|
|
|
#This file name is "myapi.sh" |
|
|
|
|
|
#So, here must be a method myapi_deploy() |
|
|
|
|
|
#Which will be called by acme.sh to deploy the cert |
|
|
|
|
|
#returns 0 means success, otherwise error. |
|
|
|
|
|
|
|
|
# This script deploys your cert to a s3 bucket. |
|
|
|
|
|
# export S3_BUCKET=acme |
|
|
|
|
|
# export S3_REGION=eu-central-1 |
|
|
|
|
|
# export AWS_PROFILE=default |
|
|
|
|
|
# export AWS_ACCESS_KEY_ID=exampleid |
|
|
|
|
|
# export AWS_SECRET_ACCESS_KEY=examplekey |
|
|
|
|
|
# |
|
|
|
|
|
# Checks to see if awscli present |
|
|
|
|
|
# If not, use curl + aws v4 signature to upload object |
|
|
|
|
|
# Make sure your keys have access to upload objects. |
|
|
|
|
|
# Also make sure your default region is correct, otherwise, override with $S3_REGION |
|
|
|
|
|
|
|
|
######## Public functions ##################### |
|
|
######## Public functions ##################### |
|
|
|
|
|
|
|
@ -23,12 +29,17 @@ s3_deploy() { |
|
|
return 1 |
|
|
return 1 |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
if [ -z "$AWS_PROFILE" ]; then |
|
|
|
|
|
AWS_PROFILE="default" |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
if ! _exists aws; then |
|
|
if ! _exists aws; then |
|
|
_debug "AWS CLI not installed, defaulting to curl method" |
|
|
_debug "AWS CLI not installed, defaulting to curl method" |
|
|
_aws_cli_installed=0 |
|
|
_aws_cli_installed=0 |
|
|
else |
|
|
else |
|
|
_debug "AWS CLI installed, defaulting ignoring curl method" |
|
|
_debug "AWS CLI installed, defaulting ignoring curl method" |
|
|
_aws_cli_installed=1 |
|
|
_aws_cli_installed=1 |
|
|
|
|
|
S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})" |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then |
|
|
if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then |
|
@ -44,6 +55,7 @@ s3_deploy() { |
|
|
# Save s3 options if it's succesful (First run case) |
|
|
# Save s3 options if it's succesful (First run case) |
|
|
_saveaccountconf S3_BUCKET "$S3_BUCKET" |
|
|
_saveaccountconf S3_BUCKET "$S3_BUCKET" |
|
|
_saveaccountconf S3_REGION "$S3_REGION" |
|
|
_saveaccountconf S3_REGION "$S3_REGION" |
|
|
|
|
|
_saveaccountconf AWS_PROFILE "$AWS_PROFILE" |
|
|
|
|
|
|
|
|
_debug _cdomain "$_cdomain" |
|
|
_debug _cdomain "$_cdomain" |
|
|
_debug _ckey "$_ckey" |
|
|
_debug _ckey "$_ckey" |
|
@ -51,9 +63,13 @@ s3_deploy() { |
|
|
_debug _cca "$_cca" |
|
|
_debug _cca "$_cca" |
|
|
_debug _cfullchain "$_cfullchain" |
|
|
_debug _cfullchain "$_cfullchain" |
|
|
_debug S3_BUCKET "$S3_BUCKET" |
|
|
_debug S3_BUCKET "$S3_BUCKET" |
|
|
|
|
|
_debug AWS_PROFILE "$AWS_PROFILE" |
|
|
_secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" |
|
|
_secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" |
|
|
_secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" |
|
|
_secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" |
|
|
|
|
|
|
|
|
|
|
|
# REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING |
|
|
|
|
|
_aws_cli_installed=1 |
|
|
|
|
|
|
|
|
_info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" |
|
|
_info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" |
|
|
|
|
|
|
|
|
if [ "$_aws_cli_installed" -eq "0" ]; then |
|
|
if [ "$_aws_cli_installed" -eq "0" ]; then |
|
@ -63,13 +79,13 @@ s3_deploy() { |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
# private |
|
|
# private |
|
|
_deploy_to_bucket $_ckey "$_cdomain/$_cdomain.key" |
|
|
|
|
|
|
|
|
_deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key" |
|
|
# public |
|
|
# public |
|
|
_deploy_to_bucket $_ccert "$_cdomain/$_cdomain.cer" |
|
|
|
|
|
|
|
|
_deploy_to_bucket "$_ccert" "$_cdomain/$_cdomain.cer" |
|
|
# ca |
|
|
# ca |
|
|
_deploy_to_bucket $_cca "$_cdomain/ca.cer" |
|
|
|
|
|
|
|
|
_deploy_to_bucket "$_cca" "$_cdomain/ca.cer" |
|
|
# fullchain |
|
|
# fullchain |
|
|
_deploy_to_bucket $_cfullchain "$_cdomain/fullchain.cer" |
|
|
|
|
|
|
|
|
_deploy_to_bucket "$_cfullchain" "$_cdomain/fullchain.cer" |
|
|
|
|
|
|
|
|
return 0 |
|
|
return 0 |
|
|
|
|
|
|
|
@ -79,19 +95,16 @@ s3_deploy() { |
|
|
|
|
|
|
|
|
_deploy_to_bucket() { |
|
|
_deploy_to_bucket() { |
|
|
if [ "$_aws_cli_installed" -eq "0" ]; then |
|
|
if [ "$_aws_cli_installed" -eq "0" ]; then |
|
|
_deploy_with_curl $1 $2 |
|
|
|
|
|
|
|
|
_deploy_with_curl "$1" "$2" |
|
|
else |
|
|
else |
|
|
_deploy_with_awscli $1 $2 |
|
|
|
|
|
|
|
|
_deploy_with_awscli "$1" "$2" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
_deploy_with_awscli() { |
|
|
_deploy_with_awscli() { |
|
|
file="$1" |
|
|
file="$1" |
|
|
bucket="$S3_BUCKET" |
|
|
|
|
|
prefix="$2" |
|
|
prefix="$2" |
|
|
region="$S3_REGION" |
|
|
|
|
|
|
|
|
|
|
|
aws s3 cp "$file" s3://"$bucket"/"$prefix" --region "$region" |
|
|
|
|
|
|
|
|
aws s3 cp "$file" s3://"$S3_BUCKET"/"$prefix" --region "$S3_REGION" --profile "$AWS_PROFILE" |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
_deploy_with_curl() { |
|
|
_deploy_with_curl() { |
|
@ -104,7 +117,7 @@ _deploy_with_curl() { |
|
|
timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")" |
|
|
timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")" |
|
|
signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date" |
|
|
signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date" |
|
|
|
|
|
|
|
|
if [[ $(uname) == "Darwin" ]]; then |
|
|
|
|
|
|
|
|
if [ "$(uname)" = "Darwin" ]; then |
|
|
iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ") |
|
|
iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ") |
|
|
date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d") |
|
|
date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d") |
|
|
date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z") |
|
|
date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z") |
|
@ -116,16 +129,23 @@ _deploy_with_curl() { |
|
|
|
|
|
|
|
|
_info "Uploading $S3_BUCKET/$prefix" |
|
|
_info "Uploading $S3_BUCKET/$prefix" |
|
|
|
|
|
|
|
|
export _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" |
|
|
|
|
|
export _H2="Date:${date_header}" |
|
|
|
|
|
export _H3="x-amz-acl:${acl}" |
|
|
|
|
|
export _H4="x-amz-content-sha256:$(_payload_hash)" |
|
|
|
|
|
export _H5="x-amz-date:${iso_timestamp}" |
|
|
|
|
|
|
|
|
export _H1 |
|
|
|
|
|
export _H2 |
|
|
|
|
|
export _H3 |
|
|
|
|
|
export _H4 |
|
|
|
|
|
export _H5 |
|
|
|
|
|
|
|
|
response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}") |
|
|
|
|
|
_debug2 response |
|
|
|
|
|
|
|
|
_H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" |
|
|
|
|
|
_H2="Date:${date_header}" |
|
|
|
|
|
_H3="x-amz-acl:${acl}" |
|
|
|
|
|
_H4="x-amz-content-sha256:$(_payload_hash)" |
|
|
|
|
|
_H5="x-amz-date:${iso_timestamp}" |
|
|
|
|
|
|
|
|
|
|
|
_debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")" |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
#################### Private functions below ################################## |
|
|
|
|
|
|
|
|
_payload_hash() { |
|
|
_payload_hash() { |
|
|
echo "$(shasum -ba 256 "$file")%% *" |
|
|
echo "$(shasum -ba 256 "$file")%% *" |
|
|
} |
|
|
} |
|
@ -141,7 +161,8 @@ _canonical_request() { |
|
|
echo "x-amz-date:${iso_timestamp}" |
|
|
echo "x-amz-date:${iso_timestamp}" |
|
|
echo "" |
|
|
echo "" |
|
|
echo "${signed_headers}" |
|
|
echo "${signed_headers}" |
|
|
printf "$(_payload_hash)" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
_payload_hash |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
_canonical_request_hash() { |
|
|
_canonical_request_hash() { |
|
@ -152,17 +173,17 @@ _string_to_sign() { |
|
|
echo "AWS4-HMAC-SHA256" |
|
|
echo "AWS4-HMAC-SHA256" |
|
|
echo "${iso_timestamp}" |
|
|
echo "${iso_timestamp}" |
|
|
echo "${date_scope}/${region}/s3/aws4_request" |
|
|
echo "${date_scope}/${region}/s3/aws4_request" |
|
|
printf "$(_canonical_request_hash)" |
|
|
|
|
|
|
|
|
_canonical_request_hash |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
_signature_key() { |
|
|
_signature_key() { |
|
|
secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump) |
|
|
|
|
|
date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump) |
|
|
|
|
|
region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump) |
|
|
|
|
|
service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump) |
|
|
|
|
|
printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump |
|
|
|
|
|
|
|
|
secret_key=$(echo "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump) |
|
|
|
|
|
date_key=$(echo "${date_scope}" | _hmac "sha256" "${secret_key}" hex | _hex_dump) |
|
|
|
|
|
region_key=$(echo "${region}" | _hmac "sha256" "${date_key}" hex | _hex_dump) |
|
|
|
|
|
service_key=$(echo "s3" | _hmac "sha256" "${region_key}" hex | _hex_dump) |
|
|
|
|
|
printf "aws4_request" | _hmac "sha256" "${service_key}" hex | _hex_dump |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
_signature() { |
|
|
_signature() { |
|
|
_string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | sed "s/^.* //" |
|
|
|
|
|
|
|
|
_string_to_sign | _hmac "sha256" "$(_signature_key)" | _hex_dump | sed "s/^.* //" |
|
|
} |
|
|
} |