Mirror
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge 79f357afca into 08246f7005

pull/6548/merge
Simon V. 2 days ago
committed by GitHub
parent
08246f7005 79f357afca
commit
9f9de12840
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
1 changed files with 110 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 110
      acme.sh

110
acme.sh
View File

@ -2328,6 +2328,25 @@ _send_signed_request() {
}
_calc_cert_id() {
_cf="$1"
_cert_serial=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -serial -in "$_cf" | cut -d '=' -f 2 | _h2b | _base64 | _url_replace)
_debug3 "Certificate Serial Number: $_cert_serial"
if [ -z "$_cert_serial" ]; then
_err "Failed to parse certificate Serial Number"
return 1
fi
_cert_authority_kid=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -text -in "$_cf" | grep -i "authority key id" -A 1 | _tail_n 1 | _egrep_o "[A-F0-9:]+" | tr -d ':' | _h2b | _base64 | _url_replace)
_debug3 "Certificate Authority Key Identifier: $_cert_authority_kid"
if [ -z "$_cert_authority_kid" ]; then
_err "Failed to parse certificate Authority Key Identifier"
return 1
fi
Le_RenewalInfoCertId="$_cert_authority_kid.$_cert_serial"
_debug2 "Certificate ID for Renewal Info: $Le_RenewalInfoCertId"
return 0
}
#setopt "file" "opt" "=" "value" [";"]
_setopt() {
__conf="$1"
@ -2770,6 +2789,7 @@ _clearAPI() {
ACME_KEY_CHANGE=""
ACME_NEW_AUTHZ=""
ACME_NEW_ORDER=""
ACME_RENEWAL_INFO=""
ACME_REVOKE_CERT=""
ACME_NEW_NONCE=""
ACME_AGREEMENT=""
@ -2808,6 +2828,9 @@ _initAPI() {
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_ACCOUNT
ACME_RENEWAL_INFO=$(echo "$response" | _egrep_o 'renewalInfo" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_RENEWAL_INFO
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_REVOKE_CERT
@ -2821,6 +2844,7 @@ _initAPI() {
_debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ"
_debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER"
_debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT"
_debug "ACME_RENEWAL_INFO" "$ACME_RENEWAL_INFO"
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
_debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
_debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
@ -4318,6 +4342,48 @@ _get_chain_subjects() {
fi
}
_update_renewal_info() {
if [ -z "$ACME_RENEWAL_INFO" ]; then
_debug3 "Renewal Info is not supported for $Le_API."
return 1
fi
if [ -z "$Le_RenewalInfoCertId" ]; then
_debug3 "No Certificate Identifier found. Skipping ACME Renewal Info."
return 1
fi
if [ -z "$Le_EnableRenewalInfo" ] || [ "$Le_EnableRenewalInfo" -ne "1" ]; then
_debug3 "Renewal Info is not enabled."
_cleardomainconf "Le_RenewalInfoLastUpdate"
_cleardomainconf "Le_RenewalInfoLastUpdateStr"
_cleardomainconf "Le_RenewalInfoExplanation"
return 1
fi
response=$(_get "$ACME_RENEWAL_INFO/$Le_RenewalInfoCertId" | _json_decode | _normalizeJson)
if ! _contains "$response" "\"start\"" || ! _contains "$response" "\"end\""; then
_debug2 "Failed to parse Renewal Info."
return 1
fi
_renewal_info_start_time_str="$(echo $response | _egrep_o '"start":"[^"]+"' | cut -d '"' -f 4)"
_renewal_info_start_time="$(_date2time "$_renewal_info_start_time_str")"
_renewal_info_end_time_str="$(echo $response | _egrep_o '"end":"[^"]+"' | cut -d '"' -f 4)"
_renewal_info_end_time="$(_date2time "$_renewal_info_end_time_str")"
if [ $_renewal_info_start_time -gt $_renewal_info_end_time ]; then
_debug2 "Malformed Renewal Info."
return 1
fi
_savedomainconf "Le_NextRenewTime" "$_renewal_info_start_time"
_savedomainconf "Le_NextRenewTimeStr" "$_renewal_info_start_time_str"
if _contains "$response" "\"explanationURL\""; then
Le_RenewalInfoExplanation="$(echo $response | _egrep_o '"explanationURL":"[^"]+"' | cut -d '"' -f 4)"
export Le_RenewalInfoExplanation
fi
Le_RenewalInfoLastUpdate="$(_time)"
Le_RenewalInfoLastUpdateStr="$(_time2str "$Le_RenewalInfoLastUpdate")"
_savedomainconf "Le_RenewalInfoLastUpdate" "$Le_RenewalInfoLastUpdate"
_savedomainconf "Le_RenewalInfoLastUpdateStr" "$Le_RenewalInfoLastUpdateStr"
return 0
}
#cert issuer
_match_issuer() {
_cfile="$1"
@ -4647,6 +4713,10 @@ issue() {
if [ "$_notAfter" ]; then
_newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\""
fi
Le_RenewalInfoCertId=$(_readdomainconf "Le_RenewalInfoCertId")
if [ "$_ACME_IS_RENEW" ] && [ -n "$Le_EnableRenewalInfo" ] && [ "$Le_EnableRenewalInfo" -eq "1" ] && [ -n "$Le_RenewalInfoCertId" ]; then
_newOrderObj="$_newOrderObj,\"replaces\": \"$Le_RenewalInfoCertId\""
fi
if [ "$_certificate_profile" ]; then
_newOrderObj="$_newOrderObj,\"profile\": \"$_certificate_profile\""
fi
@ -5330,6 +5400,10 @@ $_authorizations_map"
_info "Your cert key is in: $(__green "$CERT_KEY_PATH")"
fi
if [ "$_ACME_IS_RENEW" ] && [ -n "$Le_EnableRenewalInfo" ] && [ "$Le_EnableRenewalInfo" -eq "1" ] && [ -n "$Le_RenewalInfoExplanation" ]; then
_info "More info on this renewal: $(__green "$Le_RenewalInfoExplanation")."
fi
if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then
USER_PATH="$PATH"
_saveaccountconf "USER_PATH" "$USER_PATH"
@ -5348,6 +5422,12 @@ $_authorizations_map"
Le_CertCreateTimeStr=$(_time2str "$Le_CertCreateTime")
_savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
if _calc_cert_id "$CERT_PATH"; then
_savedomainconf "Le_RenewalInfoCertId" "$Le_RenewalInfoCertId"
else
_cleardomainconf "Le_RenewalInfoCertId"
fi
if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then
Le_RenewalDays="$DEFAULT_RENEW"
else
@ -5415,6 +5495,14 @@ $_authorizations_map"
_savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
if [ -z "$Le_EnableRenewalInfo" ] || [ "$Le_EnableRenewalInfo" -eq "1" ]; then
_savedomainconf "Le_EnableRenewalInfo" "1"
else
_savedomainconf "Le_EnableRenewalInfo" "0"
fi
Le_EnableRenewalInfo="$(_readdomainconf "Le_EnableRenewalInfo")"
_update_renewal_info
#convert to pkcs12
if [ "$Le_PFXPassword" ]; then
_toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$Le_PFXPassword"
@ -5482,6 +5570,15 @@ renew() {
. "$DOMAIN_CONF"
_debug Le_API "$Le_API"
ACME_DIRECTORY="$Le_API"
_initAPI
if _update_renewal_info; then
Le_NextRenewTime=$(_readdomainconf "Le_NextRenewTime")
Le_NextRenewTimeStr=$(_readdomainconf "Le_NextRenewTimeStr")
fi
_clearAPI
case "$Le_API" in
"$CA_LETSENCRYPT_V2_TEST")
_info "Switching back to $CA_LETSENCRYPT_V2"
@ -7111,6 +7208,9 @@ Parameters:
-m, --email <email> Specifies the account email, only valid for the '--install' and '--update-account' command.
--accountkey <file> Specifies the account key path, only valid for the '--install' command.
--days <ndays> Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
--enable-ari <0|1> Enable/Disable ACME Renewal Info (ARI). Default value is: 1.
0: disabled. Local check only.
1: enabled. Ask the CA for Renewal Window.
--httpport <port> Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
--tlsport <port> Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
--local-address <ip> Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
@ -7399,6 +7499,7 @@ _process() {
_accountkey=""
_certhome=""
_confighome=""
_enable_ari=""
_httpport=""
_tlsport=""
_dnssleep=""
@ -7750,6 +7851,15 @@ _process() {
Le_RenewalDays="$_days"
shift
;;
--enable-ari)
_enable_ari="$2"
if [ -z "$_enable_ari" ] || _startswith "$_enable_ari" '-'; then
Le_EnableRenewalInfo="1"
else
shift
fi
Le_EnableRenewalInfo="$_enable_ari"
;;
--valid-from)
_valid_from="$2"
shift

Write Preview
Loading…
Cancel
Save