diff --git a/acme.sh b/acme.sh index 7caec290..a8dba963 100755 --- a/acme.sh +++ b/acme.sh @@ -2328,6 +2328,25 @@ _send_signed_request() { } +_calc_cert_id() { + _cf="$1" + _cert_serial=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -serial -in "$_cf" | cut -d '=' -f 2 | _h2b | _base64 | _url_replace) + _debug3 "Certificate Serial Number: $_cert_serial" + if [ -z "$_cert_serial" ]; then + _err "Failed to parse certificate Serial Number" + return 1 + fi + _cert_authority_kid=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -text -in "$_cf" | grep -i "authority key id" -A 1 | _tail_n 1 | _egrep_o "[A-F0-9:]+" | tr -d ':' | _h2b | _base64 | _url_replace) + _debug3 "Certificate Authority Key Identifier: $_cert_authority_kid" + if [ -z "$_cert_authority_kid" ]; then + _err "Failed to parse certificate Authority Key Identifier" + return 1 + fi + Le_RenewalInfoCertId="$_cert_authority_kid.$_cert_serial" + _debug2 "Certificate ID for Renewal Info: $Le_RenewalInfoCertId" + return 0 +} + #setopt "file" "opt" "=" "value" [";"] _setopt() { __conf="$1" @@ -2770,6 +2789,7 @@ _clearAPI() { ACME_KEY_CHANGE="" ACME_NEW_AUTHZ="" ACME_NEW_ORDER="" + ACME_RENEWAL_INFO="" ACME_REVOKE_CERT="" ACME_NEW_NONCE="" ACME_AGREEMENT="" @@ -2808,6 +2828,9 @@ _initAPI() { ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_NEW_ACCOUNT + ACME_RENEWAL_INFO=$(echo "$response" | _egrep_o 'renewalInfo" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_RENEWAL_INFO + ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_REVOKE_CERT @@ -2821,6 +2844,7 @@ _initAPI() { _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" _debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" _debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT" + _debug "ACME_RENEWAL_INFO" "$ACME_RENEWAL_INFO" _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" _debug "ACME_AGREEMENT" "$ACME_AGREEMENT" _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE" @@ -4318,6 +4342,48 @@ _get_chain_subjects() { fi } +_update_renewal_info() { + if [ -z "$ACME_RENEWAL_INFO" ]; then + _debug3 "Renewal Info is not supported for $Le_API." + return 1 + fi + if [ -z "$Le_RenewalInfoCertId" ]; then + _debug3 "No Certificate Identifier found. Skipping ACME Renewal Info." + return 1 + fi + if [ -z "$Le_EnableRenewalInfo" ] || [ "$Le_EnableRenewalInfo" -ne "1" ]; then + _debug3 "Renewal Info is not enabled." + _cleardomainconf "Le_RenewalInfoLastUpdate" + _cleardomainconf "Le_RenewalInfoLastUpdateStr" + _cleardomainconf "Le_RenewalInfoExplanation" + return 1 + fi + response=$(_get "$ACME_RENEWAL_INFO/$Le_RenewalInfoCertId" | _json_decode | _normalizeJson) + if ! _contains "$response" "\"start\"" || ! _contains "$response" "\"end\""; then + _debug2 "Failed to parse Renewal Info." + return 1 + fi + _renewal_info_start_time_str="$(echo $response | _egrep_o '"start":"[^"]+"' | cut -d '"' -f 4)" + _renewal_info_start_time="$(_date2time "$_renewal_info_start_time_str")" + _renewal_info_end_time_str="$(echo $response | _egrep_o '"end":"[^"]+"' | cut -d '"' -f 4)" + _renewal_info_end_time="$(_date2time "$_renewal_info_end_time_str")" + if [ $_renewal_info_start_time -gt $_renewal_info_end_time ]; then + _debug2 "Malformed Renewal Info." + return 1 + fi + _savedomainconf "Le_NextRenewTime" "$_renewal_info_start_time" + _savedomainconf "Le_NextRenewTimeStr" "$_renewal_info_start_time_str" + if _contains "$response" "\"explanationURL\""; then + Le_RenewalInfoExplanation="$(echo $response | _egrep_o '"explanationURL":"[^"]+"' | cut -d '"' -f 4)" + export Le_RenewalInfoExplanation + fi + Le_RenewalInfoLastUpdate="$(_time)" + Le_RenewalInfoLastUpdateStr="$(_time2str "$Le_RenewalInfoLastUpdate")" + _savedomainconf "Le_RenewalInfoLastUpdate" "$Le_RenewalInfoLastUpdate" + _savedomainconf "Le_RenewalInfoLastUpdateStr" "$Le_RenewalInfoLastUpdateStr" + return 0 +} + #cert issuer _match_issuer() { _cfile="$1" @@ -4647,6 +4713,10 @@ issue() { if [ "$_notAfter" ]; then _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\"" fi + Le_RenewalInfoCertId=$(_readdomainconf "Le_RenewalInfoCertId") + if [ "$_ACME_IS_RENEW" ] && [ -n "$Le_EnableRenewalInfo" ] && [ "$Le_EnableRenewalInfo" -eq "1" ] && [ -n "$Le_RenewalInfoCertId" ]; then + _newOrderObj="$_newOrderObj,\"replaces\": \"$Le_RenewalInfoCertId\"" + fi if [ "$_certificate_profile" ]; then _newOrderObj="$_newOrderObj,\"profile\": \"$_certificate_profile\"" fi @@ -5330,6 +5400,10 @@ $_authorizations_map" _info "Your cert key is in: $(__green "$CERT_KEY_PATH")" fi + if [ "$_ACME_IS_RENEW" ] && [ -n "$Le_EnableRenewalInfo" ] && [ "$Le_EnableRenewalInfo" -eq "1" ] && [ -n "$Le_RenewalInfoExplanation" ]; then + _info "More info on this renewal: $(__green "$Le_RenewalInfoExplanation")." + fi + if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then USER_PATH="$PATH" _saveaccountconf "USER_PATH" "$USER_PATH" @@ -5348,6 +5422,12 @@ $_authorizations_map" Le_CertCreateTimeStr=$(_time2str "$Le_CertCreateTime") _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr" + if _calc_cert_id "$CERT_PATH"; then + _savedomainconf "Le_RenewalInfoCertId" "$Le_RenewalInfoCertId" + else + _cleardomainconf "Le_RenewalInfoCertId" + fi + if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then Le_RenewalDays="$DEFAULT_RENEW" else @@ -5415,6 +5495,14 @@ $_authorizations_map" _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr" _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime" + if [ -z "$Le_EnableRenewalInfo" ] || [ "$Le_EnableRenewalInfo" -eq "1" ]; then + _savedomainconf "Le_EnableRenewalInfo" "1" + else + _savedomainconf "Le_EnableRenewalInfo" "0" + fi + Le_EnableRenewalInfo="$(_readdomainconf "Le_EnableRenewalInfo")" + _update_renewal_info + #convert to pkcs12 if [ "$Le_PFXPassword" ]; then _toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$Le_PFXPassword" @@ -5482,6 +5570,15 @@ renew() { . "$DOMAIN_CONF" _debug Le_API "$Le_API" + ACME_DIRECTORY="$Le_API" + + _initAPI + if _update_renewal_info; then + Le_NextRenewTime=$(_readdomainconf "Le_NextRenewTime") + Le_NextRenewTimeStr=$(_readdomainconf "Le_NextRenewTimeStr") + fi + _clearAPI + case "$Le_API" in "$CA_LETSENCRYPT_V2_TEST") _info "Switching back to $CA_LETSENCRYPT_V2" @@ -7111,6 +7208,9 @@ Parameters: -m, --email Specifies the account email, only valid for the '--install' and '--update-account' command. --accountkey Specifies the account key path, only valid for the '--install' command. --days Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days. + --enable-ari <0|1> Enable/Disable ACME Renewal Info (ARI). Default value is: 1. + 0: disabled. Local check only. + 1: enabled. Ask the CA for Renewal Window. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses. @@ -7399,6 +7499,7 @@ _process() { _accountkey="" _certhome="" _confighome="" + _enable_ari="" _httpport="" _tlsport="" _dnssleep="" @@ -7750,6 +7851,15 @@ _process() { Le_RenewalDays="$_days" shift ;; + --enable-ari) + _enable_ari="$2" + if [ -z "$_enable_ari" ] || _startswith "$_enable_ari" '-'; then + Le_EnableRenewalInfo="1" + else + shift + fi + Le_EnableRenewalInfo="$_enable_ari" + ;; --valid-from) _valid_from="$2" shift