From 20d23fcb92bcc58360089b8e0f3208c8291602aa Mon Sep 17 00:00:00 2001 From: fradev Date: Wed, 25 Aug 2021 16:55:36 +0200 Subject: [PATCH 01/96] Update ssh.sh Added scp mode for copy the certs --- deploy/ssh.sh | 229 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 201 insertions(+), 28 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 18de4aa6..b4a8140e 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -23,6 +23,8 @@ # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value +# export DEPLOY_SSH_USE_SCP="" yes or no , default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -T -q " # ######## Public functions ##################### @@ -73,6 +75,25 @@ ssh_deploy() { Le_Deploy_ssh_cmd="ssh -T" fi + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + Le_Deploy_ssh_use_scp="yes" + _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then + Le_Deploy_ssh_use_scp="" + _cleardomainconf Le_Deploy_ssh_use_scp + fi + + # SCP_CMD is optional. If not provided then use scp + if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then + Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" + _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then + Le_Deploy_ssh_scp_cmd="scp -T" + fi + + # BACKUP is optional. If not provided then default to previously saved value or yes. if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then Le_Deploy_ssh_backup="no" @@ -99,6 +120,26 @@ ssh_deploy() { _cleardomainconf Le_Deploy_ssh_multi_call fi + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + Le_Deploy_ssh_use_scp="yes" + _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + Le_Deploy_ssh_multi_call="yes" + _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then + Le_Deploy_ssh_use_scp="" + _cleardomainconf Le_Deploy_ssh_use_scp + fi + + # SCP_CMD is optional. If not provided then use scp + if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then + Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" + _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then + Le_Deploy_ssh_scp_cmd="scp -T -q " + fi + _deploy_ssh_servers=$Le_Deploy_ssh_server for Le_Deploy_ssh_server in $_deploy_ssh_servers; do _ssh_deploy @@ -110,8 +151,16 @@ _ssh_deploy() { _cmdstr="" _backupprefix="" _backupdir="" + _local_cert_file="" + _local_ca_file="" + _local_full_file="" _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server" + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + Le_Deploy_ssh_multi_call="yes" + _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + fi if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" else @@ -149,15 +198,30 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" - _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + + # copy new key into file. + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + # scp the file + if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then + return $_err_code + fi + else + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" + _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -172,18 +236,40 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_cert_file=$(_mktemp) + cat $_ckey > $_local_cert_file + cat $_ccert >> $_local_cert_file elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" - _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_cert_file ; then + if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" + _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -199,18 +285,47 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_ca_file=$(_mktemp) + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then + cat $_ckey >> $_local_ca_file + fi + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then + cat $_ccert >> $_local_ca_file + fi + + cat $_cca >> $_local_ca_file + elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" - _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_ca_file ; then + if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" + _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -227,20 +342,63 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_full_file=$(_mktemp) + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then + cat $_ckey >> $_local_full_file + fi + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then + cat $_ccert >> $_local_full_file + fi + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then + cat $_cca >> $_local_full_file + fi + cat $_cfullchain >> $_local_full_file + elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" - _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_full_file ; then + if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" + _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi + # cleanup local files if any + + if [ -n "$_local_cert_file" ]; then + rm $_local_cert_file > /dev/null 1>&2 + fi + if [ -n "$_local_ca_file" ]; then + rm $_local_ca_file > /dev/null 1>&2 + fi + if [ -n "$_local_full_file" ]; then + rm $_local_full_file > /dev/null 1>&2 + fi + # REMOTE_CMD is optional. # If provided then this command will be executed on remote host. @@ -265,6 +423,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d return $_err_code fi fi + # cleanup in case all is ok return 0 } @@ -284,3 +443,17 @@ _ssh_remote_cmd() { return $_err_code } + +# cmd scp +_scp_remote_cmd() { + _secure_debug "Remote scp source $1 and destination $2 using : $Le_Deploy_ssh_scp_cmd" + _info "Submitting secure copy command : $Le_Deploy_ssh_scp_cmd" + $Le_Deploy_ssh_scp_cmd "$1" "$Le_Deploy_ssh_user"@"$Le_Deploy_ssh_server":"$2" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from scp" + fi + + return $_err_code +} From 613475ac264bf9cf48681bd11f72b4d2aa341e54 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:08:06 +0200 Subject: [PATCH 02/96] Update ssh.sh --- deploy/ssh.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index b4a8140e..3424055f 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -237,8 +237,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_cert_file=$(_mktemp) - cat $_ckey > $_local_cert_file - cat $_ccert >> $_local_cert_file + cat "$_ckey" > "$_local_cert_file" + cat "$_ccert" >> "$_local_cert_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" @@ -344,15 +344,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _pipe=">>" _local_full_file=$(_mktemp) if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then - cat $_ckey >> $_local_full_file + cat "$_ckey" >> "$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat $_ccert >> $_local_full_file + cat "$_ccert" >> "$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat $_cca >> $_local_full_file + cat "$_cca" >> "$_local_full_file" fi - cat $_cfullchain >> $_local_full_file + cat "$_cfullchain" >> "$_local_full_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -390,13 +390,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # cleanup local files if any if [ -n "$_local_cert_file" ]; then - rm $_local_cert_file > /dev/null 1>&2 + rm "$_local_cert_file" > /dev/null 1>&2 fi if [ -n "$_local_ca_file" ]; then - rm $_local_ca_file > /dev/null 1>&2 + rm "$_local_ca_file" > /dev/null 1>&2 fi if [ -n "$_local_full_file" ]; then - rm $_local_full_file > /dev/null 1>&2 + rm "$_local_full_file" > /dev/null 1>&2 fi From 4cda54774aeaae0f58352cff18dc243a69bdb9e9 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:17:03 +0200 Subject: [PATCH 03/96] Update ssh.sh SC2086 and SC2215 --- deploy/ssh.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 3424055f..8b91a055 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -251,7 +251,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_cert_file ; then + if [ -n "$_local_cert_file" ]; then if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then return $_err_code fi @@ -287,13 +287,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _pipe=">>" _local_ca_file=$(_mktemp) if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then - cat $_ckey >> $_local_ca_file + cat "$_ckey" >> "$_local_ca_file" fi if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat $_ccert >> $_local_ca_file + cat "$_ccert" >> "$_local_ca_file" fi - cat $_cca >> $_local_ca_file + cat "$_cca" >> "$_local_ca_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -307,7 +307,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_ca_file ; then + if [ -n "$_local_ca_file" ]; then if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then return $_err_code fi @@ -366,7 +366,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_full_file ; then + if [ -n "$_local_full_file" ] ; then if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then return $_err_code fi From 08d60fcbf26172a3277a8785b9e161b8d1aa6c23 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:32:07 +0200 Subject: [PATCH 04/96] Update ssh.sh shfmt formatting --- deploy/ssh.sh | 47 ++++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 8b91a055..6039eefb 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -93,7 +93,6 @@ ssh_deploy() { Le_Deploy_ssh_scp_cmd="scp -T" fi - # BACKUP is optional. If not provided then default to previously saved value or yes. if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then Le_Deploy_ssh_backup="no" @@ -206,12 +205,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # copy new key into file. if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then # scp the file if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then - return $_err_code + return $_err_code fi else _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" @@ -237,8 +235,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_cert_file=$(_mktemp) - cat "$_ckey" > "$_local_cert_file" - cat "$_ccert" >> "$_local_cert_file" + cat "$_ckey" >"$_local_cert_file" + cat "$_ccert" >>"$_local_cert_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" @@ -253,11 +251,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then if [ -n "$_local_cert_file" ]; then if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then - return $_err_code + return $_err_code fi fi else @@ -286,14 +284,14 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_ca_file=$(_mktemp) - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then - cat "$_ckey" >> "$_local_ca_file" + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ]; then + cat "$_ckey" >>"$_local_ca_file" fi if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >> "$_local_ca_file" + cat "$_ccert" >>"$_local_ca_file" fi - cat "$_cca" >> "$_local_ca_file" + cat "$_cca" >>"$_local_ca_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -309,11 +307,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then if [ -n "$_local_ca_file" ]; then if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then - return $_err_code + return $_err_code fi fi else @@ -343,16 +341,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_full_file=$(_mktemp) - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then - cat "$_ckey" >> "$_local_full_file" + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ]; then + cat "$_ckey" >>"$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >> "$_local_full_file" + cat "$_ccert" >>"$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat "$_cca" >> "$_local_full_file" + cat "$_cca" >>"$_local_full_file" fi - cat "$_cfullchain" >> "$_local_full_file" + cat "$_cfullchain" >>"$_local_full_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -366,13 +364,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_full_file" ] ; then + if [ -n "$_local_full_file" ]; then if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then - return $_err_code + return $_err_code fi fi else @@ -390,16 +388,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # cleanup local files if any if [ -n "$_local_cert_file" ]; then - rm "$_local_cert_file" > /dev/null 1>&2 + rm "$_local_cert_file" >/dev/null 1>&2 fi if [ -n "$_local_ca_file" ]; then - rm "$_local_ca_file" > /dev/null 1>&2 + rm "$_local_ca_file" >/dev/null 1>&2 fi if [ -n "$_local_full_file" ]; then - rm "$_local_full_file" > /dev/null 1>&2 + rm "$_local_full_file" >/dev/null 1>&2 fi - # REMOTE_CMD is optional. # If provided then this command will be executed on remote host. if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then From b37bf06de87ab41d495e0a3156f538c5baf9c679 Mon Sep 17 00:00:00 2001 From: fradev Date: Tue, 1 Mar 2022 17:57:59 +0100 Subject: [PATCH 05/96] Update ssh.sh --- deploy/ssh.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 604d8642..7d9e82e8 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -24,7 +24,7 @@ # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value # export DEPLOY_SSH_USE_SCP="" yes or no , default to no -# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -T -q " +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q " # ######## Public functions ##################### @@ -53,7 +53,7 @@ ssh_deploy() { fi else Le_Deploy_ssh_user="$DEPLOY_SSH_USER" - _savedomainconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" + _savedeployconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" fi # SERVER is optional. If not provided then use _cdomain @@ -61,7 +61,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" if [ -n "$DEPLOY_SSH_SERVER" ]; then Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER" - _savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" + _savedeployconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" elif [ -z "$Le_Deploy_ssh_server" ]; then Le_Deploy_ssh_server="$_cdomain" fi @@ -71,7 +71,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" if [ -n "$DEPLOY_SSH_CMD" ]; then Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD" - _savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" + _savedeployconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" elif [ -z "$Le_Deploy_ssh_cmd" ]; then Le_Deploy_ssh_cmd="ssh -T" fi @@ -80,7 +80,7 @@ ssh_deploy() { # value (which may be undefined... equivalent to "no"). if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then Le_Deploy_ssh_use_scp="yes" - _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then Le_Deploy_ssh_use_scp="" _cleardomainconf Le_Deploy_ssh_use_scp @@ -89,9 +89,9 @@ ssh_deploy() { # SCP_CMD is optional. If not provided then use scp if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -T" + Le_Deploy_ssh_scp_cmd="scp -q" fi # BACKUP is optional. If not provided then default to previously saved value or yes. @@ -102,7 +102,7 @@ ssh_deploy() { elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then Le_Deploy_ssh_backup="yes" fi - _savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" + _savedeployconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy _getdeployconf DEPLOY_SSH_BACKUP_PATH @@ -112,7 +112,7 @@ ssh_deploy() { elif [ -z "$Le_Deploy_ssh_backup_path" ]; then Le_Deploy_ssh_backup_path=".acme_ssh_deploy" fi - _savedomainconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" + _savedeployconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" # MULTI_CALL is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). @@ -120,7 +120,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then Le_Deploy_ssh_multi_call="" _cleardomainconf Le_Deploy_ssh_multi_call @@ -130,9 +130,9 @@ ssh_deploy() { # value (which may be undefined... equivalent to "no"). if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then Le_Deploy_ssh_use_scp="yes" - _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then Le_Deploy_ssh_use_scp="" _cleardomainconf Le_Deploy_ssh_use_scp @@ -141,7 +141,7 @@ ssh_deploy() { # SCP_CMD is optional. If not provided then use scp if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then Le_Deploy_ssh_scp_cmd="scp -T -q " fi @@ -165,7 +165,7 @@ _ssh_deploy() { if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then _info "Using scp as alternate method for copying files. Multicall Mode is implicit" Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" fi if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" @@ -200,7 +200,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" if [ -n "$DEPLOY_SSH_KEYFILE" ]; then Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE" - _savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" + _savedeployconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" fi if [ -n "$Le_Deploy_ssh_keyfile" ]; then if [ "$Le_Deploy_ssh_backup" = "yes" ]; then @@ -238,7 +238,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" if [ -n "$DEPLOY_SSH_CERTFILE" ]; then Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE" - _savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" + _savedeployconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" fi if [ -n "$Le_Deploy_ssh_certfile" ]; then _pipe=">" @@ -288,7 +288,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" if [ -n "$DEPLOY_SSH_CAFILE" ]; then Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE" - _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" + _savedeployconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" fi if [ -n "$Le_Deploy_ssh_cafile" ]; then _pipe=">" @@ -346,7 +346,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN" - _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" + _savedeployconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" fi if [ -n "$Le_Deploy_ssh_fullchain" ]; then _pipe=">" @@ -418,7 +418,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD" - _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" + _savedeployconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" fi if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;" From 9fb5bb620d2ffa51eabb0354dfccc29ea9d88315 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:13:24 +0800 Subject: [PATCH 06/96] refact ssh hook to use deploy config --- acme.sh | 20 +++ deploy/ssh.sh | 414 +++++++++++++++++++++++--------------------------- 2 files changed, 210 insertions(+), 224 deletions(-) diff --git a/acme.sh b/acme.sh index 260733a2..37c625d2 100755 --- a/acme.sh +++ b/acme.sh @@ -2332,6 +2332,26 @@ _readdomainconf() { _read_conf "$DOMAIN_CONF" "$1" } +#_migratedomainconf oldkey newkey base64encode +_migratedomainconf() { + _old_key="$1" + _new_key="$2" + _b64encode="$3" + _value=$(_readdomainconf "$_old_key") + if [ -z "$_value" ]; then + return 1 # oldkey is not found + fi + _savedomainconf "$_new_key" "$_value" "$_b64encode" + _cleardomainconf "$_old_key" + _debug "Domain config $_old_key has been migrated to $_new_key" +} + +#_migratedeployconf oldkey newkey base64encode +_migratedeployconf() { + _migratedomainconf "$1" "SAVED_$2" "$3" || + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found +} + #key value base64encode _savedeployconf() { _savedomainconf "SAVED_$1" "$2" "$3" diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 7d9e82e8..73d71597 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -23,8 +23,8 @@ # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value -# export DEPLOY_SSH_USE_SCP="" yes or no , default to no -# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q " +# export DEPLOY_SSH_USE_SCP="" yes or no, default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q" # ######## Public functions ##################### @@ -44,110 +44,134 @@ ssh_deploy() { _debug _cfullchain "$_cfullchain" # USER is required to login by SSH to remote host. + _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER _getdeployconf DEPLOY_SSH_USER _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER" if [ -z "$DEPLOY_SSH_USER" ]; then - if [ -z "$Le_Deploy_ssh_user" ]; then - _err "DEPLOY_SSH_USER not defined." - return 1 - fi - else - Le_Deploy_ssh_user="$DEPLOY_SSH_USER" - _savedeployconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" + _err "DEPLOY_SSH_USER not defined." + return 1 fi + _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER" # SERVER is optional. If not provided then use _cdomain + _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER _getdeployconf DEPLOY_SSH_SERVER _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" - if [ -n "$DEPLOY_SSH_SERVER" ]; then - Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER" - _savedeployconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" - elif [ -z "$Le_Deploy_ssh_server" ]; then - Le_Deploy_ssh_server="$_cdomain" + if [ -z "$DEPLOY_SSH_SERVER" ]; then + DEPLOY_SSH_SERVER="$_cdomain" fi + _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" # CMD is optional. If not provided then use ssh + _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD _getdeployconf DEPLOY_SSH_CMD _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" - if [ -n "$DEPLOY_SSH_CMD" ]; then - Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD" - _savedeployconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" - elif [ -z "$Le_Deploy_ssh_cmd" ]; then - Le_Deploy_ssh_cmd="ssh -T" - fi - - # USE_SCP is optional. If not provided then default to previously saved - # value (which may be undefined... equivalent to "no"). - if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then - Le_Deploy_ssh_use_scp="yes" - _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" - elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then - Le_Deploy_ssh_use_scp="" - _cleardomainconf Le_Deploy_ssh_use_scp - fi - - # SCP_CMD is optional. If not provided then use scp - if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then - Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" - elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -q" + if [ -z "$DEPLOY_SSH_CMD" ]; then + DEPLOY_SSH_CMD="ssh -T" fi + _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" # BACKUP is optional. If not provided then default to previously saved value or yes. + _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP _getdeployconf DEPLOY_SSH_BACKUP _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" - if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then - Le_Deploy_ssh_backup="no" - elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then - Le_Deploy_ssh_backup="yes" + if [ -z "$DEPLOY_SSH_BACKUP" ]; then + DEPLOY_SSH_BACKUP="yes" fi - _savedeployconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" + _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy + _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH _getdeployconf DEPLOY_SSH_BACKUP_PATH _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" - if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then - Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH" - elif [ -z "$Le_Deploy_ssh_backup_path" ]; then - Le_Deploy_ssh_backup_path=".acme_ssh_deploy" + if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then + DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" fi - _savedeployconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" + _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" # MULTI_CALL is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). + _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL _getdeployconf DEPLOY_SSH_MULTI_CALL _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" - if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then - Le_Deploy_ssh_multi_call="" - _cleardomainconf Le_Deploy_ssh_multi_call + if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then + DEPLOY_SSH_MULTI_CALL="no" + fi + _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" + + # KEYFILE is optional. + # If provided then private key will be copied to provided filename. + _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE + _getdeployconf DEPLOY_SSH_KEYFILE + _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + if [ -n "$DEPLOY_SSH_KEYFILE" ]; then + _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + fi + + # CERTFILE is optional. + # If provided then certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE + _getdeployconf DEPLOY_SSH_CERTFILE + _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + if [ -n "$DEPLOY_SSH_CERTFILE" ]; then + _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + fi + + # CAFILE is optional. + # If provided then CA intermediate certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE + _getdeployconf DEPLOY_SSH_CAFILE + _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + if [ -n "$DEPLOY_SSH_CAFILE" ]; then + _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + fi + + # FULLCHAIN is optional. + # If provided then fullchain certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN + _getdeployconf DEPLOY_SSH_FULLCHAIN + _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then + _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + fi + + # REMOTE_CMD is optional. + # If provided then this command will be executed on remote host. + _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD + _getdeployconf DEPLOY_SSH_REMOTE_CMD + _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" + if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then + _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" fi # USE_SCP is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). - if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then - Le_Deploy_ssh_use_scp="yes" - _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then - Le_Deploy_ssh_use_scp="" - _cleardomainconf Le_Deploy_ssh_use_scp + _getdeployconf DEPLOY_SSH_USE_SCP + _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" + if [ -z "$DEPLOY_SSH_USE_SCP" ]; then + DEPLOY_SSH_USE_SCP="no" fi + _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" # SCP_CMD is optional. If not provided then use scp - if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then - Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" - elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -T -q " + _getdeployconf DEPLOY_SSH_SCP_CMD + _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then + DEPLOY_SSH_SCP_CMD="scp -q" + fi + _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + DEPLOY_SSH_MULTI_CALL="yes" + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" + else + _info "Required commands batched and sent in single call to remote host" fi - _deploy_ssh_servers=$Le_Deploy_ssh_server - for Le_Deploy_ssh_server in $_deploy_ssh_servers; do + _deploy_ssh_servers=$DEPLOY_SSH_SERVER + for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do _ssh_deploy done } @@ -161,20 +185,10 @@ _ssh_deploy() { _local_ca_file="" _local_full_file="" - _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server" - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - _info "Using scp as alternate method for copying files. Multicall Mode is implicit" - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - fi - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" - else - _info "Required commands batched and sent in single call to remote host" - fi + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" - if [ "$Le_Deploy_ssh_backup" = "yes" ]; then - _backupprefix="$Le_Deploy_ssh_backup_path/$_cdomain-backup" + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')" # run cleanup on the backup directory, erase all older # than 180 days (15552000 seconds). @@ -186,7 +200,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _cmdstr="mkdir -p $_backupdir; $_cmdstr" _info "Backup of old certificate files will be placed in remote directory $_backupdir" _info "Backup directories erased after 180 days." - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -194,19 +208,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # KEYFILE is optional. - # If provided then private key will be copied to provided filename. - _getdeployconf DEPLOY_SSH_KEYFILE - _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" if [ -n "$DEPLOY_SSH_KEYFILE" ]; then - Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE" - _savedeployconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" - fi - if [ -n "$Le_Deploy_ssh_keyfile" ]; then - if [ "$Le_Deploy_ssh_backup" = "yes" ]; then + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -215,15 +221,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi # copy new key into file. - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then # scp the file - if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then + if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then return $_err_code fi else - _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" - _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;" + _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -232,26 +239,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # CERTFILE is optional. - # If provided then certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_CERTFILE - _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" if [ -n "$DEPLOY_SSH_CERTFILE" ]; then - Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE" - _savedeployconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" - fi - if [ -n "$Le_Deploy_ssh_certfile" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_cert_file=$(_mktemp) - cat "$_ckey" >"$_local_cert_file" - cat "$_ccert" >>"$_local_cert_file" - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -259,21 +255,22 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_cert_file" ]; then - if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_cert_file=$(_mktemp) + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_cert_file" + fi + cat "$_ccert" >> "$_local_cert_file" + if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" - _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;" + _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -282,34 +279,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # CAFILE is optional. - # If provided then CA intermediate certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_CAFILE - _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" if [ -n "$DEPLOY_SSH_CAFILE" ]; then - Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE" - _savedeployconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" - fi - if [ -n "$Le_Deploy_ssh_cafile" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] || - [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_ca_file=$(_mktemp) - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ]; then - cat "$_ckey" >>"$_local_ca_file" - fi - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >>"$_local_ca_file" - fi - - cat "$_cca" >>"$_local_ca_file" - - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -317,21 +296,25 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_ca_file" ]; then - if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_ca_file=$(_mktemp) + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_ca_file" + fi + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >> "$_local_ca_file" + fi + cat "$_cca" >>"$_local_ca_file" + if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" - _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;" + _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -340,37 +323,17 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # FULLCHAIN is optional. - # If provided then fullchain certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_FULLCHAIN - _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then - Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN" - _savedeployconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" - fi - if [ -n "$Le_Deploy_ssh_fullchain" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] || - [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] || - [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_full_file=$(_mktemp) - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ]; then - cat "$_ckey" >>"$_local_full_file" - fi - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >>"$_local_full_file" - fi - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat "$_cca" >>"$_local_full_file" - fi - cat "$_cfullchain" >>"$_local_full_file" - - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -378,21 +341,28 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_full_file" ]; then - if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_full_file=$(_mktemp) + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >> "$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then + cat "$_cca" >> "$_local_full_file" + fi + cat "$_cfullchain" >> "$_local_full_file" + if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" - _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;" + _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -400,30 +370,22 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi fi - # cleanup local files if any - if [ -n "$_local_cert_file" ]; then - rm "$_local_cert_file" >/dev/null 1>&2 + # cleanup local files if any + if [ -f "$_local_cert_file" ]; then + rm -f "$_local_cert_file" fi - if [ -n "$_local_ca_file" ]; then - rm "$_local_ca_file" >/dev/null 1>&2 + if [ -f "$_local_ca_file" ]; then + rm -f "$_local_ca_file" fi - if [ -n "$_local_full_file" ]; then - rm "$_local_full_file" >/dev/null 1>&2 + if [ -f "$_local_full_file" ]; then + rm -f "$_local_full_file" fi - # REMOTE_CMD is optional. - # If provided then this command will be executed on remote host. - _getdeployconf DEPLOY_SSH_REMOTE_CMD - _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then - Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD" - _savedeployconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" - fi - if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then - _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;" - _info "Will execute remote command $Le_Deploy_ssh_remote_cmd" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;" + _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -445,10 +407,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _ssh_remote_cmd() { _cmd="$1" _secure_debug "Remote commands to execute: $_cmd" - _info "Submitting sequence of commands to remote server by ssh" + _info "Submitting sequence of commands to remote server by $DEPLOY_SSH_CMD" + # quotations in bash cmd below intended. Squash travis spellcheck error # shellcheck disable=SC2029 - $Le_Deploy_ssh_cmd "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmd'" + $DEPLOY_SSH_CMD "$DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" sh -c "'$_cmd'" _err_code="$?" if [ "$_err_code" != "0" ]; then @@ -460,9 +423,12 @@ _ssh_remote_cmd() { # cmd scp _scp_remote_cmd() { - _secure_debug "Remote scp source $1 and destination $2 using : $Le_Deploy_ssh_scp_cmd" - _info "Submitting secure copy command : $Le_Deploy_ssh_scp_cmd" - $Le_Deploy_ssh_scp_cmd "$1" "$Le_Deploy_ssh_user"@"$Le_Deploy_ssh_server":"$2" + _src=$1 + _dest=$2 + _secure_debug "Remote copy source $_src to destination $_dest using: $DEPLOY_SSH_SCP_CMD" + _info "Submitting secure copy command: $DEPLOY_SSH_SCP_CMD" + + $DEPLOY_SSH_SCP_CMD "$_src" "$DEPLOY_SSH_USER"@"$DEPLOY_SSH_SERVER":"$_dest" _err_code="$?" if [ "$_err_code" != "0" ]; then From c8929ca0cb13abb2213cd5da7abd9bd1b140af9a Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:29:19 +0800 Subject: [PATCH 07/96] support specifying port for each host --- deploy/ssh.sh | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 73d71597..2de0d325 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -14,7 +14,7 @@ # The following examples are for QNAP NAS running QTS 4.2 # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" # export DEPLOY_SSH_USER="admin" # required -# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name +# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name, support multiple servers with optional port (eg. "host1 host2:8022") # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" @@ -185,7 +185,12 @@ _ssh_deploy() { _local_ca_file="" _local_full_file="" - _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" + case $DEPLOY_SSH_SERVER in + (*:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; + (*) _host=$DEPLOY_SSH_SERVER _port=;; + esac + + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" @@ -406,12 +411,18 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d #cmd _ssh_remote_cmd() { _cmd="$1" + + _ssh_cmd="$DEPLOY_SSH_CMD" + if [ -n "$_port" ]; then + _ssh_cmd="$_ssh_cmd -p $_port" + fi + _secure_debug "Remote commands to execute: $_cmd" - _info "Submitting sequence of commands to remote server by $DEPLOY_SSH_CMD" + _info "Submitting sequence of commands to remote server by $_ssh_cmd" # quotations in bash cmd below intended. Squash travis spellcheck error # shellcheck disable=SC2029 - $DEPLOY_SSH_CMD "$DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" sh -c "'$_cmd'" + $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'" _err_code="$?" if [ "$_err_code" != "0" ]; then @@ -425,10 +436,16 @@ _ssh_remote_cmd() { _scp_remote_cmd() { _src=$1 _dest=$2 - _secure_debug "Remote copy source $_src to destination $_dest using: $DEPLOY_SSH_SCP_CMD" - _info "Submitting secure copy command: $DEPLOY_SSH_SCP_CMD" - $DEPLOY_SSH_SCP_CMD "$_src" "$DEPLOY_SSH_USER"@"$DEPLOY_SSH_SERVER":"$_dest" + _scp_cmd="$DEPLOY_SSH_SCP_CMD" + if [ -n "$_port" ]; then + _scp_cmd="$_scp_cmd -P $_port" + fi + + _secure_debug "Remote copy source $_src to destination $_dest" + _info "Submitting secure copy by $_scp_cmd" + + $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest" _err_code="$?" if [ "$_err_code" != "0" ]; then From f90cbb636a101625b118fbdb57b64f7d4d0bdabb Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:41:59 +0800 Subject: [PATCH 08/96] fix format --- acme.sh | 2 +- deploy/ssh.sh | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/acme.sh b/acme.sh index 37c625d2..4366501b 100755 --- a/acme.sh +++ b/acme.sh @@ -2349,7 +2349,7 @@ _migratedomainconf() { #_migratedeployconf oldkey newkey base64encode _migratedeployconf() { _migratedomainconf "$1" "SAVED_$2" "$3" || - _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found } #key value base64encode diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 2de0d325..d40bba43 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -186,8 +186,8 @@ _ssh_deploy() { _local_full_file="" case $DEPLOY_SSH_SERVER in - (*:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; - (*) _host=$DEPLOY_SSH_SERVER _port=;; + *:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; + *) _host=$DEPLOY_SSH_SERVER _port=;; esac _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" @@ -265,9 +265,9 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_cert_file=$(_mktemp) if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_cert_file" + cat "$_ckey" >>"$_local_cert_file" fi - cat "$_ccert" >> "$_local_cert_file" + cat "$_ccert" >>"$_local_cert_file" if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then return $_err_code fi @@ -306,10 +306,10 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_ca_file=$(_mktemp) if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_ca_file" + cat "$_ckey" >>"$_local_ca_file" fi if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then - cat "$_ccert" >> "$_local_ca_file" + cat "$_ccert" >>"$_local_ca_file" fi cat "$_cca" >>"$_local_ca_file" if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then @@ -351,15 +351,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_full_file=$(_mktemp) if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_full_file" + cat "$_ckey" >>"$_local_full_file" fi if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then - cat "$_ccert" >> "$_local_full_file" + cat "$_ccert" >>"$_local_full_file" fi if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then - cat "$_cca" >> "$_local_full_file" + cat "$_cca" >>"$_local_full_file" fi - cat "$_cfullchain" >> "$_local_full_file" + cat "$_cfullchain" >>"$_local_full_file" if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then return $_err_code fi From 74f28021e701c53665774c4861d68863775bb206 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:49:40 +0800 Subject: [PATCH 09/96] fix format again --- deploy/ssh.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index d40bba43..074af84f 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -186,8 +186,14 @@ _ssh_deploy() { _local_full_file="" case $DEPLOY_SSH_SERVER in - *:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; - *) _host=$DEPLOY_SSH_SERVER _port=;; + *:*) + _host=${DEPLOY_SSH_SERVER%:*} + _port=${DEPLOY_SSH_SERVER##*:} + ;; + *) + _host=$DEPLOY_SSH_SERVER + _port= + ;; esac _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" From 3ce7d410c8ee18d4ed1049ccdc500a6624613df7 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:59:02 +0800 Subject: [PATCH 10/96] improve doc comments --- deploy/ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 074af84f..1aed7d3e 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -14,7 +14,7 @@ # The following examples are for QNAP NAS running QTS 4.2 # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" # export DEPLOY_SSH_USER="admin" # required -# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name, support multiple servers with optional port (eg. "host1 host2:8022") +# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" From d2a9d731edbc5d6dcfc434560ba605bef9039ed2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 May 2022 22:25:44 +0800 Subject: [PATCH 11/96] Update ssh.sh --- deploy/ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 1aed7d3e..c66e2e19 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -170,7 +170,7 @@ ssh_deploy() { _info "Required commands batched and sent in single call to remote host" fi - _deploy_ssh_servers=$DEPLOY_SSH_SERVER + _deploy_ssh_servers="$DEPLOY_SSH_SERVER" for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do _ssh_deploy done From f4ed1b32b85d3cdf256168e698bc8e4261db7a3e Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Sat, 26 Nov 2022 18:12:11 +0330 Subject: [PATCH 12/96] Update dns_arvan.sh Update API URL --- dnsapi/dns_arvan.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 4c9217e5..2118883b 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -2,7 +2,7 @@ #Arvan_Token="Apikey xxxx" -ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains" +ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" #Author: Vahid Fardi #Report Bugs here: https://github.com/Neilpang/acme.sh # @@ -18,7 +18,7 @@ dns_arvan_add() { if [ -z "$Arvan_Token" ]; then _err "You didn't specify \"Arvan_Token\" token yet." - _err "You can get yours from here https://npanel.arvancloud.com/profile/api-keys" + _err "You can get yours from here https://npanel.arvancloud.ir/profile/api-keys" return 1 fi #save the api token to the account conf file. From 9f942a6b65bda8c97dbd989549a0ced034cb6f42 Mon Sep 17 00:00:00 2001 From: Kiril Isakov Date: Sat, 26 Nov 2022 16:00:03 +0100 Subject: [PATCH 13/96] Trim trailing slash in `--home` argument's value # What's expected Since in `acme.sh` path strings are concatenated with a hardcoded slash in between, the left operand must never end with a trailing slash for the resulting path to be valid. Otherwise, obviously, the resulting path will have two adjacent slashes in the middle and will not be valid. # What actually happens Even though I cannot tell for each of the input params, I know this for sure for the the `--home` argument's value. If I run `acme.sh` with `--home` argument's value being a path ending in a trailing slash, ```sh acme.sh ... --debug ... --home /some/path/ ... -d somedomainna.me ... ``` I get the following (distinct) occurrencies of resulting invalid paths containing two adjacent slashes: ``` [...] Using config home:/some/path/ [...] DOMAIN_PATH='/some/path//somedomainna.me' [...] _CURL='curl --silent --dump-header /some/path//http.header -L -g ' [...] The domain key is here: /some/path//somedomainna.me/somedomainna.me.key [...] _CURL='curl --silent --dump-header /some/path//http.header -L -g -I ' [...] Your cert is in: /some/path//somedomainna.me/somedomainna.me.cer [...] Your cert key is in: /some/path//somedomainna.me/somedomainna.me.key [...] The intermediate CA cert is in: /some/path//somedomainna.me/ca.cer [...] And the full chain certs is there: /some/path//somedomainna.me/fullchain.cer ``` # Suggested fix Trim trailing slash in `--home` argument's value from the get-go. --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..77f0b8c1 100755 --- a/acme.sh +++ b/acme.sh @@ -7496,7 +7496,7 @@ _process() { shift ;; --home) - export LE_WORKING_DIR="$2" + export LE_WORKING_DIR="${2%/}" shift ;; --cert-home | --certhome) From 4610204c831d39716d792bd975dbbda65ac06699 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Sun, 27 Nov 2022 10:21:24 +0330 Subject: [PATCH 14/96] Test CI --- dnsapi/dns_arvan.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 2118883b..593e789f 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -1,10 +1,10 @@ #!/usr/bin/env sh -#Arvan_Token="Apikey xxxx" +# Arvan_Token="Apikey xxxx" ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" -#Author: Vahid Fardi -#Report Bugs here: https://github.com/Neilpang/acme.sh +# Author: Vahid Fardi +# Report Bugs here: https://github.com/Neilpang/acme.sh # ######## Public functions ##################### From 264b9819ff92655c0714cc46e6a756201ffd9c9a Mon Sep 17 00:00:00 2001 From: Kiril Isakov Date: Sun, 27 Nov 2022 09:22:06 +0100 Subject: [PATCH 15/96] Replace the BASH parameter substitution mechanism (unsupported by sh) with standard commands (supported by sh) --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 77f0b8c1..714bd9bf 100755 --- a/acme.sh +++ b/acme.sh @@ -7496,7 +7496,7 @@ _process() { shift ;; --home) - export LE_WORKING_DIR="${2%/}" + export LE_WORKING_DIR="$(echo "$2" | sed 's|/$||')" shift ;; --cert-home | --certhome) From 04a5d794ac05acee31018a72d8e6df216a5f7e33 Mon Sep 17 00:00:00 2001 From: beartom <369622765@qq.com> Date: Sun, 27 Nov 2022 21:55:01 +0800 Subject: [PATCH 16/96] Update truenas.sh for certificate in chart release Update certificate in chart release of TrueCharts if any chart release Apps is using the same certificate as TrueNAS web UI. --- deploy/truenas.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 84cfd5f4..3f36a56e 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -184,6 +184,30 @@ truenas_deploy() { _info "S3 certificate is not configured or is not the same as TrueNAS web UI" fi + +_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + if _exists jq; then + _info "Query all chart release" + _release_list=$(_get "$_api_url/chart/release") + _related_name_list=$(printf "%s" $_release_list | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _release_length=$(printf "%s" $_related_name_list | jq -r "length") + _info "Found $_release_length related chart release in list: $_related_name_list" + for i in $(seq 0 $((_release_length-1))); + do + _release_name=$(echo $_related_name_list | jq -r ".[$i]") + _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" + #Read the chart release configuration + _chart_config=$(printf "%s" $_release_list | jq -r ".[] | select(.name==\"$_release_name\")") + #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress + _updated_chart_config=$(printf "%s" $_chart_config | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" + _debug3 _update_chart_result "$_update_chart_result" + done + else + _info "Tool 'jq' does not exists, skip chart release checking" + fi + + _info "Deleting old certificate" _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" From c07db3aa14e28689ee673832cf147494fb2ae2d4 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:09:17 +0330 Subject: [PATCH 17/96] add 'Accept' header --- dnsapi/dns_arvan.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 593e789f..b8c9da35 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -141,10 +141,11 @@ _arvan_rest() { response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" elif [ "$mtd" = "POST" ]; then export _H2="Content-Type: application/json" + export _H3="Accept: application/json" _debug data "$data" response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" else response="$(_get "$ARVAN_API_URL/$ep$data")" fi return 0 -} +} \ No newline at end of file From eab9603921789b541a8d8527b833a50f313f1381 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:11:17 +0330 Subject: [PATCH 18/96] Fix SH format --- dnsapi/dns_arvan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index b8c9da35..71ef2387 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -148,4 +148,4 @@ _arvan_rest() { response="$(_get "$ARVAN_API_URL/$ep$data")" fi return 0 -} \ No newline at end of file +} From 0c0d1d4e5210bd5b03f91df789f2471b09e849c7 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:22:25 +0330 Subject: [PATCH 19/96] Update duplicate message --- dnsapi/dns_arvan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 71ef2387..4ca5b685 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -40,7 +40,7 @@ dns_arvan_add() { _info "response id is $response" _info "Added, OK" return 0 - elif _contains "$response" "Record Data is Duplicated"; then + elif _contains "$response" "Record Data is duplicate"; then _info "Already exists, OK" return 0 else From bd2d0e6ad3c9dfad76cfe30e79d845fc62c8e228 Mon Sep 17 00:00:00 2001 From: beartom <369622765@qq.com> Date: Mon, 28 Nov 2022 20:59:10 +0800 Subject: [PATCH 20/96] Format Format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 3f36a56e..6b299f3a 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -185,7 +185,7 @@ truenas_deploy() { fi -_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" if _exists jq; then _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") From 5a0225d03365d1bc36c4c18570d28d2ef97cc99e Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Tue, 29 Nov 2022 12:21:49 +0330 Subject: [PATCH 21/96] Fix export problem for special values --- .github/workflows/DNS.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 17e98ae3..55dec225 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -121,19 +121,19 @@ jobs: - name: Run acmetest run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh From 257de15c738d05780321fd5131671e59e1294931 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Tue, 29 Nov 2022 13:45:04 +0330 Subject: [PATCH 22/96] Fix export problems --- .github/workflows/DNS.yml | 60 +++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 55dec225..615e5d8b 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -184,19 +184,19 @@ jobs: shell: bash run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -234,19 +234,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -285,19 +285,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -337,19 +337,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -389,19 +389,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -445,19 +445,19 @@ jobs: pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh From 7d13146859552faf630205072a1fe337476436ba Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 29 Nov 2022 21:39:06 +0100 Subject: [PATCH 23/96] Added dns provider for ipv64.net --- dnsapi/dns_ipv64.sh | 150 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100755 dnsapi/dns_ipv64.sh diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh new file mode 100755 index 00000000..90207ba6 --- /dev/null +++ b/dnsapi/dns_ipv64.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env sh + +#Created by Roman Lumetsberger, to use ipv64.net's API to add/remove text records +#2022/11/29 + +# Pass credentials before "acme.sh --issue --dns dns_ipv64 ..." +# -- +# export IPv64_Token="aaaaaaaaaaaaaaaaaaaaaaaaaa" +# -- +# + +IPv64_API="https://ipv64.net/api" + +######## Public functions ###################### + +#Usage: dns_ipv64_add _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ipv64_add() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + # Now save the credentials. + _saveaccountconf_mutable IPv64_Token "$IPv64_Token" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Now add the TXT record + _info "Trying to add TXT record" + if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully added." + return 0 + else + _err "Errors happened during adding the TXT record, response=$_response" + return 1 + fi + +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_ipv64_rm() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Now delete the TXT record + _info "Trying to delete TXT record" + if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully deleted." + return 0 + else + _err "Errors happened during deleting the TXT record, response=$_response" + return 1 + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=1 + p=1 + + _ipv64_get "get_domains" + domain_data=$_response + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + #if _contains "$domain_data" "\""$h"\"\:"; then + if _contains "$domain_data" "\"""$h""\"\:"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +#send get request to api +# $1 has to set the api-function +_ipv64_get() { + url="$IPv64_API?$1" + export _H1="Authorization: Bearer $IPv64_Token" + + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + fi +} + +_ipv64_rest() { + url="$IPv64_API" + export _H1="Authorization: Bearer $IPv64_Token" + export _H2="Content-Type: application/x-www-form-urlencoded" + _response=$(_post "$2" "$url" "" "$1") + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_post "$2" "$url" "" "$1") + fi + + if ! _contains "$_response" "\"info\":\"success\""; then + return 1 + fi + _debug2 response "$_response" + return 0 +} From 91e387e8b9deae01b4a7dd45c70c08bf35ee3574 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Wed, 30 Nov 2022 08:55:27 +0100 Subject: [PATCH 24/96] added doc for dns_ipv64_rm --- dnsapi/dns_ipv64.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 90207ba6..9979be42 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -49,6 +49,7 @@ dns_ipv64_add() { } #Usage: fulldomain txtvalue +#Usage: dns_ipv64_rm _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" #Remove the txt record after validation. dns_ipv64_rm() { fulldomain=$1 From a2af26635fe679af3892deffc671abe93c5f0b38 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Dec 2022 15:05:30 +0800 Subject: [PATCH 25/96] use ecc cert --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 0b5c1614..62add812 100755 --- a/acme.sh +++ b/acme.sh @@ -2857,7 +2857,8 @@ _initpath() { DOMAIN_PATH="$domainhomeecc" else if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then - _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert." + _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." + DOMAIN_PATH="$domainhomeecc" fi fi _debug DOMAIN_PATH "$DOMAIN_PATH" From 160513c67189b252434ddc52346a0d58843d004a Mon Sep 17 00:00:00 2001 From: Zachary Peschke Date: Fri, 9 Dec 2022 09:47:19 -0700 Subject: [PATCH 26/96] Minor grammar fixes for gd --- dnsapi/dns_gd.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_gd.sh b/dnsapi/dns_gd.sh index 44c3d279..1729115e 100755 --- a/dnsapi/dns_gd.sh +++ b/dnsapi/dns_gd.sh @@ -22,8 +22,8 @@ dns_gd_add() { if [ -z "$GD_Key" ] || [ -z "$GD_Secret" ]; then GD_Key="" GD_Secret="" - _err "You don't specify godaddy api key and secret yet." - _err "Please create you key and try again." + _err "You didn't specify godaddy api key and secret yet." + _err "Please create your key and try again." return 1 fi @@ -46,7 +46,7 @@ dns_gd_add() { fi if _contains "$response" "$txtvalue"; then - _info "The record is existing, skip" + _info "This record already exists, skipping" return 0 fi From 764a4c99fac9f59f79638648d0499ef2e293ead5 Mon Sep 17 00:00:00 2001 From: plummer86 Date: Sun, 18 Dec 2022 22:32:49 +0000 Subject: [PATCH 27/96] Fix assignment to _wget_out --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..02bc041c 100755 --- a/acme.sh +++ b/acme.sh @@ -2058,7 +2058,7 @@ _get() { fi _debug "_WGET" "$_WGET" if [ "$onlyheader" ]; then - _wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" + _wget_out="$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" if _contains "$_WGET" " -d "; then # Demultiplex wget debug output echo "$_wget_out" >&2 From 0cafc00c4fdac30032168450d97b468c23199f3c Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:22:12 +0800 Subject: [PATCH 28/96] append --fail-with-body argument to curl if supported --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index f4afa397..5d80399f 100755 --- a/acme.sh +++ b/acme.sh @@ -1855,6 +1855,11 @@ _inithttp() { if _contains "$(curl --help 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi + + #from curl 7.76: return fail on HTTP errors but keep the body + if [ "$_ACME_CURL" ] && _contains "$($_ACME_CURL --help http)" "--fail-with-body"; then + _ACME_CURL="$_ACME_CURL --fail-with-body " + fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From 057c95bd1c0ebcfb30d0ab36aa267fcc544a87f7 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:24:34 +0800 Subject: [PATCH 29/96] improve `wget --content-on-error` condition --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 5d80399f..45dda74f 100755 --- a/acme.sh +++ b/acme.sh @@ -1877,11 +1877,11 @@ _inithttp() { elif [ "$CA_BUNDLE" ]; then _ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE " fi - fi - #from wget 1.14: do not skip body on 404 error - if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--content-on-error"; then - _ACME_WGET="$_ACME_WGET --content-on-error " + #from wget 1.14: do not skip body on 404 error + if _contains "$(wget --help 2>&1)" "--content-on-error"; then + _ACME_WGET="$_ACME_WGET --content-on-error " + fi fi __HTTP_INITIALIZED=1 From 7154c9ee5dd07d29d85a949e4853d3482333a360 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:42:27 +0800 Subject: [PATCH 30/96] improve `curl --help` predication --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 45dda74f..999ef563 100755 --- a/acme.sh +++ b/acme.sh @@ -1852,12 +1852,12 @@ _inithttp() { _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi - if _contains "$(curl --help 2>&1)" "--globoff"; then + if _contains "$(curl --help curl 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi #from curl 7.76: return fail on HTTP errors but keep the body - if [ "$_ACME_CURL" ] && _contains "$($_ACME_CURL --help http)" "--fail-with-body"; then + if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then _ACME_CURL="$_ACME_CURL --fail-with-body " fi fi From fe1bfe9ae16b03e6647f47ee62809ed8641bf51c Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 16:34:18 +0800 Subject: [PATCH 31/96] improve vault and vault_api deployhooks --- deploy/vault.sh | 75 +++++++++++++++++++++++++++++++++++++-------- deploy/vault_cli.sh | 43 +++++++++++++++++++++++++- 2 files changed, 105 insertions(+), 13 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 399abaee..2e4d0702 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -7,13 +7,16 @@ # # VAULT_PREFIX - this contains the prefix path in vault # VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying +# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine # # additionally, you need to ensure that VAULT_TOKEN is avialable # to access the vault server #returns 0 means success, otherwise error. -######## Public functions ##################### +######## Public functions ##################### #domain keyfile certfile cafile fullchain vault_deploy() { @@ -45,6 +48,24 @@ vault_deploy() { fi _savedeployconf VAULT_ADDR "$VAULT_ADDR" + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_KV_V2 + _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi + # JSON does not allow multiline strings. # So replacing new-lines with "\n" here _ckey=$(sed -z 's/\n/\\n/g' <"$2") @@ -52,26 +73,56 @@ vault_deploy() { _cca=$(sed -z 's/\n/\\n/g' <"$4") _cfullchain=$(sed -z 's/\n/\\n/g' <"$5") - URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" export _H1="X-Vault-Token: $VAULT_TOKEN" + if [ -n "$VAULT_RENEW_TOKEN" ]; then + URL="$VAULT_ADDR/v1/auth/token/renew-self" + _info "Renew the token to default TTL" + if ! _post "" "$URL" >/dev/null; then + _err "Failed to renew the token" + return 1 + fi + fi + + URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" + if [ -n "$FABIO" ]; then + _info "Writing certificate and key to $URL in Fabio mode" if [ -n "$VAULT_KV_V2" ]; then - _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" + _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 else - _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" + _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1 fi else if [ -n "$VAULT_KV_V2" ]; then - _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" - _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" - _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" - _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" + _info "Writing certificate to $URL/cert.pem" + _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1 else - _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" - _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" - _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" - _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" + _info "Writing certificate to $URL/cert.pem" + _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1 + fi + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if _get "$URL/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + if [ -n "$VAULT_KV_V2" ]; then + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1 + else + _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1 + fi fi fi diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index cbb8cc59..da6fe093 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -8,6 +8,8 @@ # # VAULT_PREFIX - this contains the prefix path in vault # VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying # # additionally, you need to ensure that VAULT_TOKEN is avialable or # `vault auth` has applied the appropriate authorization for the vault binary @@ -33,15 +35,34 @@ vault_cli_deploy() { _debug _cfullchain "$_cfullchain" # validate required env vars + _getdeployconf VAULT_PREFIX if [ -z "$VAULT_PREFIX" ]; then _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)" return 1 fi + _savedeployconf VAULT_PREFIX "$VAULT_PREFIX" + _getdeployconf VAULT_ADDR if [ -z "$VAULT_ADDR" ]; then _err "VAULT_ADDR needs to be defined (contains vault connection address)" return 1 fi + _savedeployconf VAULT_ADDR "$VAULT_ADDR" + + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi VAULT_CMD=$(command -v vault) if [ ! $? ]; then @@ -49,13 +70,33 @@ vault_cli_deploy() { return 1 fi + if [ -n "$VAULT_RENEW_TOKEN" ]; then + _info "Renew the token to default TTL" + if ! $VAULT_CMD token renew; then + _err "Failed to renew the token" + return 1 + fi + fi + if [ -n "$FABIO" ]; then + _info "Writing certificate and key to $URL in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else + _info "Writing certificate to $URL/cert.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 + _info "Writing key to $URL/cert.key" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 - $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + _info "Writing CA certificate to $URL/ca.pem" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + fi fi } From b8d0d3c2429e2f33dceb9c94ad8e5273762be72a Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 19:17:37 +0800 Subject: [PATCH 32/96] improve chain.pem exists evaluating --- deploy/vault.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 2e4d0702..6c953fc6 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -115,7 +115,7 @@ vault_deploy() { fi # To make it compatible with the wrong ca path `chain.pem` which was used in former versions - if _get "$URL/chain.pem" >/dev/null; then + if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" _info "Updating CA certificate to $URL/chain.pem for backward compatibility" if [ -n "$VAULT_KV_V2" ]; then From ed63eb6833ab288b2a963255875bf9df99e39c79 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 19:32:06 +0800 Subject: [PATCH 33/96] migrate FABIO to VAULT_FABIO_MODE and persist it --- deploy/vault.sh | 4 +++- deploy/vault_cli.sh | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 6c953fc6..30e825eb 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -66,6 +66,8 @@ vault_deploy() { _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" fi + _migratedeployconf FABIO VAULT_FABIO_MODE + # JSON does not allow multiline strings. # So replacing new-lines with "\n" here _ckey=$(sed -z 's/\n/\\n/g' <"$2") @@ -86,7 +88,7 @@ vault_deploy() { URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" - if [ -n "$FABIO" ]; then + if [ -n "$VAULT_FABIO_MODE" ]; then _info "Writing certificate and key to $URL in Fabio mode" if [ -n "$VAULT_KV_V2" ]; then _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index da6fe093..ecbffd23 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -64,6 +64,8 @@ vault_cli_deploy() { _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" fi + _migratedeployconf FABIO VAULT_FABIO_MODE + VAULT_CMD=$(command -v vault) if [ ! $? ]; then _err "cannot find vault binary!" @@ -78,7 +80,7 @@ vault_cli_deploy() { fi fi - if [ -n "$FABIO" ]; then + if [ -n "$VAULT_FABIO_MODE" ]; then _info "Writing certificate and key to $URL in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else From 7b623f85cd9dcf49958b0431d397ff75bda2a189 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 26 Dec 2022 21:43:02 +0800 Subject: [PATCH 34/96] minor --- .github/workflows/NetBSD.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 33bcf23c..25872c42 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -61,7 +61,6 @@ jobs: nat: | "8080": "80" prepare: | - export PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" pkg_add curl socat usesh: true copyback: false From a2c64e79ff1b597b15d7bf7cb17aa627e7b7eb3f Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 26 Dec 2022 22:28:08 +0800 Subject: [PATCH 35/96] fix for openbsd --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index f4afa397..d8a46a6f 100755 --- a/acme.sh +++ b/acme.sh @@ -1637,7 +1637,7 @@ _stat() { #keyfile _isRSA() { keyfile=$1 - if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" >/dev/null 2>&1; then + if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text 2>&1 | grep "^publicExponent:" 2>&1 >/dev/null; then return 0 fi return 1 @@ -1646,7 +1646,7 @@ _isRSA() { #keyfile _isEcc() { keyfile=$1 - if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" >/dev/null 2>&1; then + if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" 2>&1 >/dev/null; then return 0 fi return 1 @@ -1744,7 +1744,7 @@ _calcjwk() { _debug3 x64 "$x64" xend=$(_math "$xend" + 1) - y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)" + y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-2048)" _debug3 y "$y" y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)" From 1ccfa96c2e2c78aaca1ba92549e62b9f52fa9461 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Wed, 28 Dec 2022 02:47:49 +0800 Subject: [PATCH 36/96] improve logging --- deploy/vault.sh | 4 ++-- deploy/vault_cli.sh | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 30e825eb..569faba2 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -79,9 +79,9 @@ vault_deploy() { if [ -n "$VAULT_RENEW_TOKEN" ]; then URL="$VAULT_ADDR/v1/auth/token/renew-self" - _info "Renew the token to default TTL" + _info "Renew the Vault token to default TTL" if ! _post "" "$URL" >/dev/null; then - _err "Failed to renew the token" + _err "Failed to renew the Vault token" return 1 fi fi diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index ecbffd23..3ebb8074 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -73,30 +73,30 @@ vault_cli_deploy() { fi if [ -n "$VAULT_RENEW_TOKEN" ]; then - _info "Renew the token to default TTL" + _info "Renew the Vault token to default TTL" if ! $VAULT_CMD token renew; then - _err "Failed to renew the token" + _err "Failed to renew the Vault token" return 1 fi fi if [ -n "$VAULT_FABIO_MODE" ]; then - _info "Writing certificate and key to $URL in Fabio mode" + _info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else - _info "Writing certificate to $URL/cert.pem" + _info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 - _info "Writing key to $URL/cert.key" + _info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 - _info "Writing CA certificate to $URL/ca.pem" + _info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 - _info "Writing full-chain certificate to $URL/fullchain.pem" + _info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 # To make it compatible with the wrong ca path `chain.pem` which was used in former versions if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" - _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + _info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 fi fi From 27f30631ed48636a02aeb4cbe67de8a68e0e3615 Mon Sep 17 00:00:00 2001 From: Gavin Leo Date: Sun, 27 Nov 2022 21:32:20 +0800 Subject: [PATCH 37/96] Add gcore dns support. https://apidocs.gcore.com/dns --- dnsapi/dns_gcore.sh | 187 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100755 dnsapi/dns_gcore.sh diff --git a/dnsapi/dns_gcore.sh b/dnsapi/dns_gcore.sh new file mode 100755 index 00000000..d549a650 --- /dev/null +++ b/dnsapi/dns_gcore.sh @@ -0,0 +1,187 @@ +#!/usr/bin/env sh + +# +#GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb' +# + +GCORE_Api="https://api.gcorelabs.com/dns/v2" +GCORE_Doc="https://apidocs.gcore.com/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gcore_add() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + if [ -z "$GCORE_Key" ]; then + GCORE_Key="" + _err "You didn't specify a Gcore api key yet." + _err "You can get yours from here $GCORE_Doc" + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable GCORE_Key "$GCORE_Key" + + _debug "First detect the zone name" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + payload="" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "Record doesn't exists" + payload="{\"resource_records\":[{\"content\":[\"$txtvalue\"],\"enabled\":true}],\"ttl\":120}" + elif echo "$response" | grep "$txtvalue" >/dev/null; then + _info "Already exists, OK" + return 0 + elif echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _info "Record with mismatch txtvalue, try update it" + payload=$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/"meta":{}}]}/"meta":{}},{"content":['\""$txtvalue"\"'],"enabled":true}]}/') + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "rrset is already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_gcore_rm() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + if ! echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _err "Error: $response" + return 1 + fi + + if ! echo "$response" | tr -d " " | grep \""$txtvalue"\" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + count="$(echo "$response" | grep -o "content" | wc -l)" + + if [ "$count" = "1" ]; then + if ! _gcore_rest DELETE "zones/$_zone_name/$fulldomain/TXT"; then + _err "Delete record error. $response" + return 1 + fi + return 0 + fi + + payload="$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/{"id":[0-9]\+,"content":\["'"$txtvalue"'"\],"enabled":true,"meta":{}}//' | sed 's/\[,/\[/' | sed 's/,,/,/' | sed 's/,\]/\]/')" + if ! _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + _err "Delete record error. $response" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.sub.domain.com +#returns +# _sub_domain=_acme-challenge.sub or _acme-challenge +# _domain=domain.com +# _zone_name=domain.com or sub.domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _gcore_rest GET "zones/$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _zone_name=$h + if [ "$_zone_name" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_gcore_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + key_trimmed=$(echo "$GCORE_Key" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: APIKey $key_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$GCORE_Api/$ep" "" "$m")" + else + response="$(_get "$GCORE_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 1bfd3642e829bcd90b5c5e43371f975eb525165e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=B0=E9=9B=AA=E6=AE=87=E7=92=83=E9=99=8C=E6=A2=A6?= Date: Thu, 19 Jan 2023 10:19:05 +0800 Subject: [PATCH 38/96] Update gcore_cdn.sh --- deploy/gcore_cdn.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/deploy/gcore_cdn.sh b/deploy/gcore_cdn.sh index f573a3aa..fd17cc25 100644 --- a/deploy/gcore_cdn.sh +++ b/deploy/gcore_cdn.sh @@ -1,10 +1,11 @@ #!/usr/bin/env sh -# Here is the script to deploy the cert to G-Core CDN service (https://gcorelabs.com/ru/) using the G-Core Labs API (https://docs.gcorelabs.com/cdn/). +# Here is the script to deploy the cert to G-Core CDN service (https://gcore.com/) using the G-Core Labs API (https://apidocs.gcore.com/cdn). # Returns 0 when success. # # Written by temoffey # Public domain, 2019 +# Update by DreamOfIce in 2023 #export DEPLOY_GCORE_CDN_USERNAME=myusername #export DEPLOY_GCORE_CDN_PASSWORD=mypassword @@ -56,7 +57,7 @@ gcore_cdn_deploy() { _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}" _debug _request "$_request" export _H1="Content-Type:application/json" - _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login") + _response=$(_post "$_request" "https://api.gcore.com/auth/jwt/login") _debug _response "$_response" _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$" _debug _regex "$_regex" @@ -69,8 +70,8 @@ gcore_cdn_deploy() { fi _info "Find CDN resource with cname $_cdomain" - export _H2="Authorization:Token $_token" - _response=$(_get "https://api.gcdn.co/resources") + export _H2="Authorization:Bearer $_token" + _response=$(_get "https://api.gcore.com/cdn/resources") _debug _response "$_response" _regex="\"primary_resource\":null}," _debug _regex "$_regex" @@ -102,7 +103,7 @@ gcore_cdn_deploy() { _date=$(date "+%d.%m.%Y %H:%M:%S") _request="{\"name\":\"$_cdomain ($_date)\",\"sslCertificate\":\"$_fullchain\",\"sslPrivateKey\":\"$_key\"}" _debug _request "$_request" - _response=$(_post "$_request" "https://api.gcdn.co/sslData") + _response=$(_post "$_request" "https://api.gcore.com/cdn/sslData") _debug _response "$_response" _regex=".*\"id\":\([0-9]*\).*$" _debug _regex "$_regex" @@ -117,7 +118,7 @@ gcore_cdn_deploy() { _info "Update CDN resource" _request="{\"originGroup\":$_originGroup,\"sslData\":$_sslDataAdd}" _debug _request "$_request" - _response=$(_post "$_request" "https://api.gcdn.co/resources/$_resourceId" '' "PUT") + _response=$(_post "$_request" "https://api.gcore.com/cdn/resources/$_resourceId" '' "PUT") _debug _response "$_response" _regex=".*\"sslData\":\([0-9]*\).*$" _debug _regex "$_regex" @@ -133,7 +134,7 @@ gcore_cdn_deploy() { _info "Not found old SSL certificate" else _info "Delete old SSL certificate" - _response=$(_post '' "https://api.gcdn.co/sslData/$_sslDataOld" '' "DELETE") + _response=$(_post '' "https://api.gcore.com/cdn/sslData/$_sslDataOld" '' "DELETE") _debug _response "$_response" fi From 7bbdd1f839c2bb1556a81b97636730f788457947 Mon Sep 17 00:00:00 2001 From: Vladislav Sharapov Date: Fri, 20 Jan 2023 23:43:15 +0400 Subject: [PATCH 39/96] fix(dns_openstack): fix argparse error Add equal sign to '--record' option to fix argparse error occurring when ACME token starts with '-'. --- dnsapi/dns_openstack.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_openstack.sh b/dnsapi/dns_openstack.sh index 38619e6f..fcc1dc2e 100755 --- a/dnsapi/dns_openstack.sh +++ b/dnsapi/dns_openstack.sh @@ -57,16 +57,16 @@ _dns_openstack_create_recordset() { if [ -z "$_recordset_id" ]; then _info "Creating a new recordset" - if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record "$txtvalue" "$_zone_id" "$fulldomain."); then + if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record="$txtvalue" "$_zone_id" "$fulldomain."); then _err "No recordset ID found after create" return 1 fi else _info "Updating existing recordset" - # Build new list of --record args for update - _record_args="--record $txtvalue" + # Build new list of --record= args for update + _record_args="--record=$txtvalue" for _rec in $_records; do - _record_args="$_record_args --record $_rec" + _record_args="$_record_args --record=$_rec" done # shellcheck disable=SC2086 if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then @@ -107,13 +107,13 @@ _dns_openstack_delete_recordset() { fi else _info "Found existing records, updating recordset" - # Build new list of --record args for update + # Build new list of --record= args for update _record_args="" for _rec in $_records; do if [ "$_rec" = "$txtvalue" ]; then continue fi - _record_args="$_record_args --record $_rec" + _record_args="$_record_args --record=$_rec" done # shellcheck disable=SC2086 if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then From bf50fce5bd2bcd58582e6768350de96aeb881d90 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 15:17:21 +0800 Subject: [PATCH 40/96] fix https://github.com/acmesh-official/acme.sh/issues/4470 --- acme.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index d8a46a6f..7683495b 100755 --- a/acme.sh +++ b/acme.sh @@ -2386,12 +2386,14 @@ _getdeployconf() { if [ "$_rac_value" ]; then if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then _debug2 "trim quotation marks" - eval "export $_rac_key=$_rac_value" + eval $_rac_key=$_rac_value + export $_rac_key fi return 0 # do nothing fi - _saved=$(_readdomainconf "SAVED_$_rac_key") - eval "export $_rac_key=\"\$_saved\"" + _saved="$(_readdomainconf "SAVED_$_rac_key")" + eval $_rac_key="$_saved" + export $_rac_key } #_saveaccountconf key value base64encode From 6c0a7144f677a0d3cc14c45e91c1104191e0dbe2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 15:45:25 +0800 Subject: [PATCH 41/96] fix https://github.com/acmesh-official/acme.sh/issues/4445 --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 7683495b..cfef7ee6 100755 --- a/acme.sh +++ b/acme.sh @@ -7122,7 +7122,9 @@ _selectServer() { _getCAShortName() { caurl="$1" if [ -z "$caurl" ]; then - caurl="$DEFAULT_CA" + #use letsencrypt as default value if the Le_API is empty + #this case can only come from the old upgrading. + caurl="$CA_LETSENCRYPT_V2" fi if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then caurl="$CA_SSLCOM_RSA" #just hack to get the short name From b99c9980576a72c776e37aedaaea3ebd2f9e8f5d Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:13:42 +0800 Subject: [PATCH 42/96] fix https://github.com/acmesh-official/acme.sh/issues/4463 --- acme.sh | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index cfef7ee6..c6c16056 100755 --- a/acme.sh +++ b/acme.sh @@ -6730,6 +6730,13 @@ _send_notify() { return 0 fi + _nsource="$NOTIFY_SOURCE" + if [ -z "$_nsource" ]; then + _nsource="$(hostname)" + fi + + _nsubject="$_nsubject by $_nsource" + _send_err=0 for _n_hook in $(echo "$_nhooks" | tr ',' " "); do _n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")" @@ -6784,11 +6791,12 @@ setnotify() { _nhook="$1" _nlevel="$2" _nmode="$3" + _nsource="$4" _initpath if [ -z "$_nhook$_nlevel$_nmode" ]; then - _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>]" + _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" _usage "$_NOTIFY_WIKI" return 1 fi @@ -6805,6 +6813,12 @@ setnotify() { _saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE" fi + if [ "$_nsource" ]; then + _info "Set notify source to: $_nsource" + export "NOTIFY_SOURCE=$_nsource" + _saveaccountconf "NOTIFY_SOURCE" "$NOTIFY_SOURCE" + fi + if [ "$_nhook" ]; then _info "Set notify hook to: $_nhook" if [ "$_nhook" = "$NO_VALUE" ]; then @@ -6965,6 +6979,7 @@ Parameters: 0: Bulk mode. Send all the domain's notifications in one message(mail). 1: Cert mode. Send a message for every single cert. --notify-hook Set the notify hook + --notify-source Set the server name in the notification message --revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command. See: $_REVOKE_WIKI @@ -7241,6 +7256,7 @@ _process() { _notify_hook="" _notify_level="" _notify_mode="" + _notify_source="" _revoke_reason="" _eab_kid="" _eab_hmac_key="" @@ -7733,6 +7749,15 @@ _process() { _notify_mode="$_nmode" shift ;; + --notify-source) + _nsource="$2" + if _startswith "$_nsource" "-"; then + _err "'$_nsource' is not valid host name for '$1'" + return 1 + fi + _notify_source="$_nsource" + shift + ;; --revoke-reason) _revoke_reason="$2" if _startswith "$_revoke_reason" "-"; then @@ -7887,7 +7912,7 @@ _process() { createCSR "$_domain" "$_altdomains" "$_ecc" ;; setnotify) - setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" + setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" "$_notify_source" ;; setdefaultca) setdefaultca From ab2305e259e1e0854ce096a6f84d6a82045f1137 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:42:10 +0800 Subject: [PATCH 43/96] fix stepca --- .github/workflows/Ubuntu.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index a6ec714c..df1a816b 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -80,8 +80,9 @@ jobs: -p 9000:9000 \ -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ + -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ --name stepca \ - smallstep/step-ca \ + smallstep/step-ca:0.23.1 \ && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" From 015a9b9271c956255879eb3320c9f99602056c22 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:45:12 +0800 Subject: [PATCH 44/96] fix notify --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index c6c16056..74a855f9 100755 --- a/acme.sh +++ b/acme.sh @@ -6795,7 +6795,7 @@ setnotify() { _initpath - if [ -z "$_nhook$_nlevel$_nmode" ]; then + if [ -z "$_nhook$_nlevel$_nmode$_nsource" ]; then _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" _usage "$_NOTIFY_WIKI" return 1 From deb63b4adfe09f6603654d59a8c6ecc2af34e506 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 17:58:46 +0800 Subject: [PATCH 45/96] fix stepca --- .github/workflows/Ubuntu.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index df1a816b..22c8b2c5 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -81,9 +81,13 @@ jobs: -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ + -e "DOCKER_STEPCA_INIT_PASSWORD=test" \ --name stepca \ - smallstep/step-ca:0.23.1 \ - && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \ + smallstep/step-ca:0.23.1 + + sleep 5 + docker exec stepca bash -c "echo test >test" + docker exec -it stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" - name: Clone acmetest From 6748c55c04109099c3755313801e8503615364d5 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 18:00:09 +0800 Subject: [PATCH 46/96] fix stepca --- .github/workflows/Ubuntu.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 22c8b2c5..4bf2ba29 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -86,8 +86,8 @@ jobs: smallstep/step-ca:0.23.1 sleep 5 - docker exec stepca bash -c "echo test >test" - docker exec -it stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ + docker exec stepca bash -c "echo test >test" \ + && docker exec stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" - name: Clone acmetest From 16bdc7d0a33a791e6629a4cb38e6b8ff6b6908d0 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 27 Jan 2023 11:44:06 +0800 Subject: [PATCH 47/96] fix from OpenAI https://github.com/acmesh-official/acme.sh/issues/992 https://github.com/acmesh-official/acme.sh/pull/2609 --- Dockerfile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 79fd1d89..7b50f080 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16.3 +FROM alpine:3.17 RUN apk --no-cache add -f \ openssl \ @@ -12,7 +12,8 @@ RUN apk --no-cache add -f \ oath-toolkit-oathtool \ tar \ libidn \ - jq + jq \ + cronie ENV LE_CONFIG_HOME /acme.sh @@ -64,12 +65,10 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - trap \"echo stop && killall crond && exit 0\" SIGTERM SIGINT \n \ - crond && sleep infinity &\n \ - wait \n \ + exec crond -n \n \ else \n \ exec -- \"\$@\"\n \ -fi" >/entry.sh && chmod +x /entry.sh +fi\n" >/entry.sh && chmod +x /entry.sh VOLUME /acme.sh From 5a59c3903650672d05cfc6ffdbf4d3bfae1b0c3a Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:24:21 +0800 Subject: [PATCH 48/96] fix format --- deploy/truenas.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 6b299f3a..60dbb1b5 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -184,22 +184,21 @@ truenas_deploy() { _info "S3 certificate is not configured or is not the same as TrueNAS web UI" fi - _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" if _exists jq; then _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") - _related_name_list=$(printf "%s" $_release_list | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" for i in $(seq 0 $((_release_length-1))); do - _release_name=$(echo $_related_name_list | jq -r ".[$i]") + _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration - _chart_config=$(printf "%s" $_release_list | jq -r ".[] | select(.name==\"$_release_name\")") + _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress - _updated_chart_config=$(printf "%s" $_chart_config | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" _debug3 _update_chart_result "$_update_chart_result" done @@ -207,7 +206,6 @@ truenas_deploy() { _info "Tool 'jq' does not exists, skip chart release checking" fi - _info "Deleting old certificate" _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" From 41b6f18a5d1b7805dc5c56ecb7abc2baa9a852f8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:25:50 +0800 Subject: [PATCH 49/96] fix format --- deploy/truenas.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 60dbb1b5..f9e540f7 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -191,14 +191,13 @@ truenas_deploy() { _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" - for i in $(seq 0 $((_release_length-1))); - do + for i in $(seq 0 $((_release_length-1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress - _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress ") _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" _debug3 _update_chart_result "$_update_chart_result" done From e3b688c9d87d74a493a189c874c1c3c6864b503d Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:26:54 +0800 Subject: [PATCH 50/96] fix format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index f9e540f7..88b24684 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -191,7 +191,7 @@ truenas_deploy() { _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" - for i in $(seq 0 $((_release_length-1))); do + for i in $(seq 0 $((_release_length - 1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration From 2690c05781096875af7a30efd31c37a38ff8d84e Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:28:06 +0800 Subject: [PATCH 51/96] fix format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 88b24684..c79e6dac 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -189,7 +189,7 @@ truenas_deploy() { _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") - _release_length=$(printf "%s" $_related_name_list | jq -r "length") + _release_length=$(printf "%s" "$_related_name_list" | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" for i in $(seq 0 $((_release_length - 1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") From aa9cbf7c551dfe75bc6b806c101ab004afe7b759 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 16:18:27 +0800 Subject: [PATCH 52/96] fix https://github.com/acmesh-official/acme.sh/issues/992 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7b50f080..d9c243b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -65,7 +65,7 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - exec crond -n \n \ + exec crond -n -s -m off \n \ else \n \ exec -- \"\$@\"\n \ fi\n" >/entry.sh && chmod +x /entry.sh From 01249d0cb9a43c528cb1e410ee50b68e292a4a0d Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 16:24:27 +0800 Subject: [PATCH 53/96] fix warning --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index bd2c01aa..e60d6f7f 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -28,9 +28,9 @@ jobs: id: step_one run: | if [ "$DOCKER_PASSWORD" ] ; then - echo "::set-output name=hasToken::true" + echo "hasToken=true" >>$GITHUB_OUTPUT else - echo "::set-output name=hasToken::false" + echo "hasToken=false" >>$GITHUB_OUTPUT fi - name: Check the value run: echo ${{ steps.step_one.outputs.hasToken }} From a5b04a032896d92e2cd96d75d159e7471b0f7cb0 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Sat, 28 Jan 2023 17:19:04 +0800 Subject: [PATCH 54/96] ensure `curl --help` backward compatible --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 999ef563..c8a62f1d 100755 --- a/acme.sh +++ b/acme.sh @@ -1852,7 +1852,7 @@ _inithttp() { _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi - if _contains "$(curl --help curl 2>&1)" "--globoff"; then + if _contains "$(curl --help 2>&1)" "--globoff" || _contains "$(curl --help curl 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi From ba9d146d6c615ab5ec4ede949602880246d17d05 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 17:29:03 +0800 Subject: [PATCH 55/96] fix https://github.com/acmesh-official/acme.sh/issues/992 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d9c243b8..2ad50e6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,7 +26,7 @@ COPY ./ /install_acme.sh/ RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/ -RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null##' | crontab - +RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab - RUN for verb in help \ version \ From f537c606f730318021d6f297b59d6314ad9702e7 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 29 Jan 2023 11:13:23 +0800 Subject: [PATCH 56/96] fix warnings --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index e60d6f7f..48c44429 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -43,9 +43,9 @@ jobs: - name: checkout code uses: actions/checkout@v3 - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: login to docker hub run: | echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin From c2344f3717d1c5d57a207c7cca2a60f97d4b48bf Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 30 Jan 2023 14:39:03 +0800 Subject: [PATCH 57/96] add log for doh https://github.com/acmesh-official/acme.sh/issues/4481 --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 53387117..cd509cbc 100755 --- a/acme.sh +++ b/acme.sh @@ -4023,7 +4023,7 @@ _ns_purge_cf() { #checks if cf server is available _ns_is_available_cf() { - if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then + if _get "https://cloudflare-dns.com" "" 10 >/dev/null; then return 0 else return 1 @@ -4031,7 +4031,7 @@ _ns_is_available_cf() { } _ns_is_available_google() { - if _get "https://dns.google" "" 1 >/dev/null 2>&1; then + if _get "https://dns.google" "" 10 >/dev/null; then return 0 else return 1 @@ -4047,7 +4047,7 @@ _ns_lookup_google() { } _ns_is_available_ali() { - if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then + if _get "https://dns.alidns.com" "" 10 >/dev/null; then return 0 else return 1 @@ -4063,7 +4063,7 @@ _ns_lookup_ali() { } _ns_is_available_dp() { - if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then + if _get "https://doh.pub" "" 10 >/dev/null; then return 0 else return 1 From 7b5d94d0622e2fde9cacf7a18f578dabb5f559c9 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 31 Jan 2023 11:10:42 +0100 Subject: [PATCH 58/96] convert domain and subdomain to lower case --- dnsapi/dns_ipv64.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 9979be42..afa6df5a 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -36,6 +36,10 @@ dns_ipv64_add() { _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" + # convert to lower case + _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') + _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') + # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -70,6 +74,10 @@ dns_ipv64_rm() { _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" + # convert to lower case + _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') + _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') + # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From 553d861b8ae823f624a41979aec7965cbaefe921 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 31 Jan 2023 11:17:33 +0100 Subject: [PATCH 59/96] fix shell check and formatting --- dnsapi/dns_ipv64.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index afa6df5a..489df5c9 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,9 +37,8 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') - _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') - + _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" + _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -75,9 +74,8 @@ dns_ipv64_rm() { _debug _domain "$_domain" # convert to lower case - _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') - _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') - + _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" + _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From 59dab6eac746946db8d846ba0edb565b88a22f41 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:55:51 +0800 Subject: [PATCH 60/96] fix https://github.com/acmesh-official/acme.sh/issues/4485#issuecomment-1414022376 https://github.com/acmesh-official/acme.sh/issues/4483#issuecomment-1414460122 --- acme.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index cd509cbc..d9a8ea38 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,10 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi - #from curl 7.76: return fail on HTTP errors but keep the body - if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then - _ACME_CURL="$_ACME_CURL --fail-with-body " - fi + # don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From 3cf8f7874542e31f339a2ee09ab85fac83862b37 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:57:56 +0800 Subject: [PATCH 61/96] fix format --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index d9a8ea38..f512356a 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,11 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi - # don't use --fail-with-body - ##from curl 7.76: return fail on HTTP errors but keep the body - #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then - # _ACME_CURL="$_ACME_CURL --fail-with-body " - #fi +#don't use --fail-with-body +##from curl 7.76: return fail on HTTP errors but keep the body +#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then +# _ACME_CURL="$_ACME_CURL --fail-with-body " +#fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From a5fbf3fb806dd32fda16b7442b28e52dd20b58d8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:59:42 +0800 Subject: [PATCH 62/96] fix format --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index f512356a..1df8a053 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,11 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi -#don't use --fail-with-body -##from curl 7.76: return fail on HTTP errors but keep the body -#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then -# _ACME_CURL="$_ACME_CURL --fail-with-body " -#fi + #don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From d6cf15368a3ee70845cd49b41dda0234bd04e1a8 Mon Sep 17 00:00:00 2001 From: Aleksandr Kunin Date: Wed, 24 Aug 2022 08:41:54 +0700 Subject: [PATCH 63/96] Vultr DNS: fix "grep: repetition-operator operand invalid" on FreeBSD --- dnsapi/dns_vultr.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh index 58f14be1..54e5b6ce 100644 --- a/dnsapi/dns_vultr.sh +++ b/dnsapi/dns_vultr.sh @@ -78,7 +78,7 @@ dns_vultr_rm() { return 1 fi - _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2)" + _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2 | tr -d '"')" _debug _record_id "$_record_id" if [ "$_record_id" ]; then _info "Successfully retrieved the record id for ACME challenge." @@ -116,7 +116,7 @@ _get_root() { return 1 fi - if printf "%s\n" "$response" | grep '^\{.*\}' >/dev/null; then + if printf "%s\n" "$response" | grep -E '^\{.*\}' >/dev/null; then if _contains "$response" "\"domain\":\"$_domain\""; then _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")" return 0 From 05a2eb3df46a3fcbdb59039ed35141a3d38e985e Mon Sep 17 00:00:00 2001 From: dharp Date: Tue, 21 Feb 2023 10:19:07 -0600 Subject: [PATCH 64/96] add additional debug statement for DOMAIN_CONF --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index 1df8a053..76830473 100755 --- a/acme.sh +++ b/acme.sh @@ -5772,6 +5772,7 @@ deploy() { return 1 fi + _debug2 DOMAIN_CONF "$DOMAIN_CONF" . "$DOMAIN_CONF" _savedomainconf Le_DeployHook "$_hooks" From c0639c66087cb25a684dc3862d3c22ab7704bd1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Thu, 23 Feb 2023 23:29:46 +0100 Subject: [PATCH 65/96] Create first version of Nanelo DNS API integration [create dnsapi/dns_nanelo.sh] --- dnsapi/dns_nanelo.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 dnsapi/dns_nanelo.sh diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh new file mode 100644 index 00000000..a3cea3b1 --- /dev/null +++ b/dnsapi/dns_nanelo.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# Official DNS API for Nanelo.com + +# Provide the required API Key like this: +# NANELO_TOKEN="FmD408PdqT1E269gUK57" + +NANELO_API="https://api.nanelo.com/v1/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nanelo_add() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Adding TXT record to ${fulldomain}" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not create resource record, check logs" + _err "${response}" + return 1 +} + +dns_nanelo_rm() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Deleting resource record $fulldomain" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not delete resource record, check logs" + _err "${response}" + return 1 +} From d3fefd223d5b7f9c4f1e43bea85d63ec1e532bdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Fri, 24 Feb 2023 00:01:39 +0100 Subject: [PATCH 66/96] improve output --- dnsapi/dns_nanelo.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index a3cea3b1..2a22ecdb 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -9,7 +9,7 @@ NANELO_API="https://api.nanelo.com/v1/" ######## Public functions ##################### -#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_nanelo_add() { fulldomain=$1 txtvalue=$2 @@ -29,7 +29,7 @@ dns_nanelo_add() { if _contains "${response}" 'success'; then return 0 fi - _err "Could not create resource record, check logs" + _err "Could not create resource record, please check the logs" _err "${response}" return 1 } @@ -53,7 +53,7 @@ dns_nanelo_rm() { if _contains "${response}" 'success'; then return 0 fi - _err "Could not delete resource record, check logs" + _err "Could not delete resource record, please check the logs" _err "${response}" return 1 } From 06e12a30e74042f3ee34a65b1197a3f20ca2adfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Fri, 24 Feb 2023 00:13:21 +0100 Subject: [PATCH 67/96] reduce nanelo dns ttl --- dnsapi/dns_nanelo.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index 2a22ecdb..8ccc8c29 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -25,7 +25,7 @@ dns_nanelo_add() { _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" _info "Adding TXT record to ${fulldomain}" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi @@ -49,7 +49,7 @@ dns_nanelo_rm() { _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" _info "Deleting resource record $fulldomain" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi From 7dd12044dee65b3731d90e838a40afe21cef93a6 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Sat, 25 Feb 2023 11:18:33 +0000 Subject: [PATCH 68/96] use _lower_case function --- dnsapi/dns_ipv64.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 489df5c9..b50b8663 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,8 +37,8 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" - _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" + _domain="$(echo "$_domain" | _lower_case')" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -74,8 +74,8 @@ dns_ipv64_rm() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" - _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" + _domain="$(echo "$_domain" | _lower_case)" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From df14b153974228d23ffe8396e8f2d32ab488ba9d Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Sat, 25 Feb 2023 11:22:27 +0000 Subject: [PATCH 69/96] fix quote --- dnsapi/dns_ipv64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index b50b8663..54470119 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,7 +37,7 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | _lower_case')" + _domain="$(echo "$_domain" | _lower_case)" _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now add the TXT record _info "Trying to add TXT record" From 1522b713da92e1f267208a4a35935e3abc687b15 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 28 Feb 2023 21:08:15 -0500 Subject: [PATCH 70/96] Use grep -E instead of expr expr was printing `expr: warning: '^.*[<>"]': using '^' as the first character of a basic regular expression is not portable;` --- notify/smtp.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/smtp.sh b/notify/smtp.sh index 293c665e..f5ebebca 100644 --- a/notify/smtp.sh +++ b/notify/smtp.sh @@ -169,7 +169,7 @@ _clean_email_header() { # email _email_has_display_name() { _email="$1" - expr "$_email" : '^.*[<>"]' >/dev/null + echo "$_email" | grep -q -E '^.*[<>"]' } ## @@ -249,7 +249,7 @@ _mime_encoded_word() { _text="$1" # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that) _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-" - if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then + if echo "$_text" | grep -q -E "^.*[^$_ascii]"; then # At least one non-ASCII char; convert entire thing to encoded word printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?=" else From 15f96b72390c6137239e73fd81ec9f17fe33f6d1 Mon Sep 17 00:00:00 2001 From: Markus Hoffrogge Date: Thu, 2 Mar 2023 00:02:13 +0100 Subject: [PATCH 71/96] Fix to handle LE overload status 503 appropriately - LE HTTP response status 503 is not an error, it must be handled via sleep and retry - s. https://community.letsencrypt.org/t/new-service-busy-responses-beginning-during-high-load/184174 fixes #4530 --- acme.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/acme.sh b/acme.sh index 1df8a053..af2d0dfb 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,6 +2229,12 @@ _send_signed_request() { _debug3 _body "$_body" fi + if [ "$code" = '503' ]; then + _sleep_overload_retry_sec=3 + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + fi if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." _CACHED_NONCE="" From 982c54b60504eb4cc83f31b651d936d4b04b1d75 Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 2 Mar 2023 18:06:09 +0800 Subject: [PATCH 72/96] fix https://github.com/acmesh-official/acme.sh/issues/4530 --- acme.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index af2d0dfb..a6f3b905 100755 --- a/acme.sh +++ b/acme.sh @@ -2230,7 +2230,11 @@ _send_signed_request() { fi if [ "$code" = '503' ]; then - _sleep_overload_retry_sec=3 + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _sleep_overload_retry_sec=$_retryafter + if [ -z "$_sleep_overload_retry_sec" ]; then + _sleep_overload_retry_sec=5 + fi _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." _sleep $_sleep_overload_retry_sec continue From cb8b341fb4ded4c993c812b40441d3978eb73b0f Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 2 Mar 2023 18:10:38 +0800 Subject: [PATCH 73/96] fix https://github.com/acmesh-official/acme.sh/issues/4530 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index a6f3b905..f5f403ce 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,8 +2229,8 @@ _send_signed_request() { _debug3 _body "$_body" fi - if [ "$code" = '503' ]; then - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ] || [ "$_retryafter" ]; then _sleep_overload_retry_sec=$_retryafter if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 From 20cfc4ac668b1ec360553ef5c86b0edeb0c69a30 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Mar 2023 21:22:17 +0800 Subject: [PATCH 74/96] fix https://github.com/acmesh-official/acme.sh/issues/4535 --- acme.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index f5f403ce..e2006868 100755 --- a/acme.sh +++ b/acme.sh @@ -2873,7 +2873,7 @@ _initpath() { if _isEccKey "$_ilength"; then DOMAIN_PATH="$domainhomeecc" - else + elif [ -z "$__SELECTED_RSA_KEY" ] if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." DOMAIN_PATH="$domainhomeecc" @@ -7518,6 +7518,9 @@ _process() { --keylength | -k) _keylength="$2" shift + if [ "$_keylength" ] && ! _isEccKey "$_keylength"; then + export __SELECTED_RSA_KEY=1 + fi ;; -ak | --accountkeylength) _accountkeylength="$2" From ce629e8e70b6438573b97c4d3ffe2a6c87a4b295 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Mar 2023 21:23:31 +0800 Subject: [PATCH 75/96] fix typo --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e2006868..5d73cdb6 100755 --- a/acme.sh +++ b/acme.sh @@ -2873,7 +2873,7 @@ _initpath() { if _isEccKey "$_ilength"; then DOMAIN_PATH="$domainhomeecc" - elif [ -z "$__SELECTED_RSA_KEY" ] + elif [ -z "$__SELECTED_RSA_KEY" ]; then if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." DOMAIN_PATH="$domainhomeecc" From dde1bab1a83c17ceb69c453741de1b17e5576969 Mon Sep 17 00:00:00 2001 From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:18:15 +0100 Subject: [PATCH 76/96] improve deletion of records --- dnsapi/dns_kas.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh index 053abd21..87025fcf 100755 --- a/dnsapi/dns_kas.sh +++ b/dnsapi/dns_kas.sh @@ -215,7 +215,7 @@ _get_record_id() { return 1 fi - _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" + _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | grep -i "$_txtvalue" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" _debug "[KAS] -> Record Id: " "$_record_id" return 0 } @@ -278,4 +278,4 @@ _callAPI() { response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" _debug2 "[KAS] -> Response" "$response" echo "$response" -} +} \ No newline at end of file From dea8a08b64d8f7b51923bfe2ff01464f032e1928 Mon Sep 17 00:00:00 2001 From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:36:53 +0100 Subject: [PATCH 77/96] added missing new line at EOF --- dnsapi/dns_kas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh index 87025fcf..1253cf27 100755 --- a/dnsapi/dns_kas.sh +++ b/dnsapi/dns_kas.sh @@ -278,4 +278,4 @@ _callAPI() { response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" _debug2 "[KAS] -> Response" "$response" echo "$response" -} \ No newline at end of file +} From acbd8bce21a0f63cc9bdd4b87b3427355b5a5f5e Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 09:48:13 +0800 Subject: [PATCH 78/96] feat: add retry count for removing record set This avoids infinite loop when something went wrong and throws a error --- dnsapi/dns_huaweicloud.sh | 60 ++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index ceda9258..b1bb61dc 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -98,19 +98,59 @@ dns_huaweicloud_rm() { fi _debug "Zone ID is:" "${zoneid}" + _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}" + ret="$?" + if [ "${ret}" != "0" ]; then + _err "dns_api(dns_huaweicloud): Error removing record." + return 1 + fi + + return 0 +} + +################### Private functions below ################################## + + +# _recursive_rm_record +# remove all records from the record set +# +# _token=$1 +# _domain=$2 +# _zoneid=$3 +# _record_id=$4 +# +# Returns 0 on success +_recursive_rm_record() { + _token=$1 + _domain=$2 + _zoneid=$3 + _record_id=$4 + + # Most likely to have problems will huaweicloud side if more than 50 attempts but still cannot fully remove the record set + # Maybe can be removed manually in the dashboard + _retry_cnt=50 + # Remove all records # Therotically HuaweiCloud does not allow more than one record set # But remove them recurringly to increase robusty - while [ "${record_id}" != "0" ]; do + + while [ "${_record_id}" != "0" && "${_retry_cnt}" != "0" ]; do _debug "Removing Record" - _rm_record "${token}" "${zoneid}" "${record_id}" - record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")" + _retry_cnt=$((${_retry_cnt} - 1)) + _rm_record "${_token}" "${_zoneid}" "${_record_id}" + _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")" + _debug2 "Checking record exists: record_id=${_record_id}" done + + # Check if retry count is reached + if [ "${_retry_cnt}" == "0" ]; then + _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard" + return 1 + fi + return 0 } -################### Private functions below ################################## - # _get_zoneid # # _token=$1 @@ -216,11 +256,11 @@ _add_record() { _debug "Record Set ID is:" "${_record_id}" # Remove all records - while [ "${_record_id}" != "0" ]; do - _debug "Removing Record" - _rm_record "${_token}" "${zoneid}" "${_record_id}" - _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")" - done + _recursive_rm_record "${token}" "${_domain}" "${_zoneid}" "${_record_id}" + ret="$?" + if [ "${ret}" != "0" ]; then + return 1 + fi # Add brand new records with all old and new records export _H2="Content-Type: application/json" From 0cce2d60985b112fa4ef31672cec880ff4a01740 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 09:57:39 +0800 Subject: [PATCH 79/96] fix: fix shellcheck --- dnsapi/dns_huaweicloud.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index b1bb61dc..54f18226 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -98,6 +98,7 @@ dns_huaweicloud_rm() { fi _debug "Zone ID is:" "${zoneid}" + record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")" _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}" ret="$?" if [ "${ret}" != "0" ]; then @@ -134,16 +135,16 @@ _recursive_rm_record() { # Therotically HuaweiCloud does not allow more than one record set # But remove them recurringly to increase robusty - while [ "${_record_id}" != "0" && "${_retry_cnt}" != "0" ]; do + while [ "${_record_id}" != "0" ] && [ "${_retry_cnt}" != "0" ]; do _debug "Removing Record" - _retry_cnt=$((${_retry_cnt} - 1)) + _retry_cnt=$((_retry_cnt - 1)) _rm_record "${_token}" "${_zoneid}" "${_record_id}" _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")" _debug2 "Checking record exists: record_id=${_record_id}" done # Check if retry count is reached - if [ "${_retry_cnt}" == "0" ]; then + if [ "${_retry_cnt}" = "0" ]; then _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard" return 1 fi @@ -164,7 +165,7 @@ _get_zoneid() { i=1 while true; do - h=$(printf "%s" "${_domain_string}" | cut -d . -f $i-100) + h=$(printf "%s" "${_domain_string}" | cut -d . -f "$i"-100) if [ -z "$h" ]; then #not valid return 1 From 4dba84d09e129ea1a69c4158cbbce133e32e1562 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 10:01:20 +0800 Subject: [PATCH 80/96] fix: fix shfmt --- dnsapi/dns_huaweicloud.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 54f18226..1869a756 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -105,16 +105,15 @@ dns_huaweicloud_rm() { _err "dns_api(dns_huaweicloud): Error removing record." return 1 fi - + return 0 } ################### Private functions below ################################## - # _recursive_rm_record # remove all records from the record set -# +# # _token=$1 # _domain=$2 # _zoneid=$3 From e9366f8c7635858f0bf875786fb00e0df93b412a Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 10:56:10 +0800 Subject: [PATCH 81/96] fix: fix huaweicloud existing record 400 --- dnsapi/dns_huaweicloud.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 1869a756..401390dc 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -246,8 +246,7 @@ _add_record() { \"type\": \"TXT\", \"ttl\": 1, \"records\": [ - ${_exist_record}, - \"\\\"${_txtvalue}\\\"\" + ${_exist_record},\"\\\"${_txtvalue}\\\"\" ] }" fi From bddde60522ebb25314568b157b56d7185a97bbca Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 11:27:08 +0800 Subject: [PATCH 82/96] fix: use update instead of remove then add --- dnsapi/dns_huaweicloud.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 401390dc..cad9f425 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -254,19 +254,16 @@ _add_record() { _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")" _debug "Record Set ID is:" "${_record_id}" - # Remove all records - _recursive_rm_record "${token}" "${_domain}" "${_zoneid}" "${_record_id}" - ret="$?" - if [ "${ret}" != "0" ]; then - return 1 - fi - # Add brand new records with all old and new records export _H2="Content-Type: application/json" export _H1="X-Auth-Token: ${_token}" _debug2 "${_post_body}" - _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null + if [ -z "${_exist_record}" ]; then + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null + else + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/{$_record_id}" false "PUT" >/dev/null + fi _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" if [ "$_code" != "202" ]; then _err "dns_huaweicloud: http code ${_code}" From 7560c64f46f3ad19ec185c7337241d1753f47d09 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 11:30:32 +0800 Subject: [PATCH 83/96] fix: fix typo --- dnsapi/dns_huaweicloud.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index cad9f425..766123c2 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -261,9 +261,9 @@ _add_record() { _debug2 "${_post_body}" if [ -z "${_exist_record}" ]; then _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null - else - _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/{$_record_id}" false "PUT" >/dev/null - fi + else + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/${_record_id}" false "PUT" >/dev/null + fi _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" if [ "$_code" != "202" ]; then _err "dns_huaweicloud: http code ${_code}" From 1f777a94a7cf22e95b6545c4ece8bbc1eea647a8 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 17:50:44 +0800 Subject: [PATCH 84/96] fix: change some debug comments --- dnsapi/dns_huaweicloud.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 766123c2..c8601f34 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -175,11 +175,11 @@ _get_zoneid() { if _contains "${response}" '"id"'; then zoneidlist=$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ") zonenamelist=$(echo "${response}" | _egrep_o "\"name\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ") - _debug2 "Return Zone ID(s):" "${zoneidlist}" - _debug2 "Return Zone Name(s):" "${zonenamelist}" + _debug2 "Returned Zone ID(s):" "${zoneidlist}" + _debug2 "Returned Zone Name(s):" "${zonenamelist}" zoneidnum=0 zoneidcount=$(echo "${zoneidlist}" | grep -c '^') - _debug "Retund Zone ID(s) Count:" "${zoneidcount}" + _debug "Returned Zone ID(s) Count:" "${zoneidcount}" while [ "${zoneidnum}" -lt "${zoneidcount}" ]; do zoneidnum=$(_math "$zoneidnum" + 1) _zoneid=$(echo "${zoneidlist}" | sed -n "${zoneidnum}p") From 70f4cad2ca9ed671c3a3d55a53913d8aed49871b Mon Sep 17 00:00:00 2001 From: Markus Hoffrogge Date: Tue, 7 Mar 2023 13:22:46 +0100 Subject: [PATCH 85/96] Fix Retry-After handling - closes #4543 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 5d73cdb6..b7d9129d 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,8 +2229,8 @@ _send_signed_request() { _debug3 _body "$_body" fi - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') - if [ "$code" = '503' ] || [ "$_retryafter" ]; then + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ]; then _sleep_overload_retry_sec=$_retryafter if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 From 2d8c0c0131f56924aaee10078da9ca076fbf69f5 Mon Sep 17 00:00:00 2001 From: Alex Leigh Date: Tue, 7 Mar 2023 02:31:27 -0800 Subject: [PATCH 86/96] Add support for Google Domains DNS API. https://domains.google/learn/gts-acme/ This is an ACME API for Google Domains customers, which is different from the Google Cloud Domains API for Google Cloud customers. --- dnsapi/dns_googledomains.sh | 173 ++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100755 dnsapi/dns_googledomains.sh diff --git a/dnsapi/dns_googledomains.sh b/dnsapi/dns_googledomains.sh new file mode 100755 index 00000000..63e3073b --- /dev/null +++ b/dnsapi/dns_googledomains.sh @@ -0,0 +1,173 @@ +#!/usr/bin/env sh + +# Author: Alex Leigh +# Created: 2023-03-02 + +#GOOGLEDOMAINS_ACCESS_TOKEN="xxxx" +#GOOGLEDOMAINS_ZONE="xxxx" +GOOGLEDOMAINS_API="https://acmedns.googleapis.com/v1/acmeChallengeSets" + +######## Public functions ######## + +#Usage: dns_googledomains_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_googledomains_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Invoking Google Domains ACME DNS API." + + if ! _dns_googledomains_setup; then + return 1 + fi + + zone="$(_dns_googledomains_get_zone "$fulldomain")" + if [ -z "$zone" ]; then + _err "Could not find a Google Domains-managed zone containing the requested domain." + return 1 + fi + + _debug zone "$zone" + _debug txtvalue "$txtvalue" + + _info "Adding TXT record for $fulldomain." + if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToAdd\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then + if _contains "$response" "$txtvalue"; then + _info "TXT record added." + return 0 + else + _err "Error adding TXT record." + return 1 + fi + fi + + _err "Error adding TXT record." + return 1 +} + +#Usage: dns_googledomains_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_googledomains_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Invoking Google Domains ACME DNS API." + + if ! _dns_googledomains_setup; then + return 1 + fi + + zone="$(_dns_googledomains_get_zone "$fulldomain")" + if [ -z "$zone" ]; then + _err "Could not find a Google Domains-managed domain based on request." + return 1 + fi + + _debug zone "$zone" + _debug txtvalue "$txtvalue" + + _info "Removing TXT record for $fulldomain." + if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToRemove\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then + if _contains "$response" "$txtvalue"; then + _err "Error removing TXT record." + return 1 + else + _info "TXT record removed." + return 0 + fi + fi + + _err "Error removing TXT record." + return 1 +} + +######## Private functions ######## + +_dns_googledomains_setup() { + if [ -n "$GOOGLEDOMAINS_SETUP_COMPLETED" ]; then + return 0 + fi + + GOOGLEDOMAINS_ACCESS_TOKEN="${GOOGLEDOMAINS_ACCESS_TOKEN:-$(_readaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN)}" + GOOGLEDOMAINS_ZONE="${GOOGLEDOMAINS_ZONE:-$(_readaccountconf_mutable GOOGLEDOMAINS_ZONE)}" + + if [ -z "$GOOGLEDOMAINS_ACCESS_TOKEN" ]; then + GOOGLEDOMAINS_ACCESS_TOKEN="" + _err "Google Domains access token was not specified." + _err "Please visit Google Domains Security settings to provision an ACME DNS API access token." + return 1 + fi + + if [ "$GOOGLEDOMAINS_ZONE" ]; then + _savedomainconf GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _savedomainconf GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE" + else + _saveaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _clearaccountconf_mutable GOOGLEDOMAINS_ZONE + _clearaccountconf GOOGLEDOMAINS_ZONE + fi + + _debug GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _debug GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE" + + GOOGLEDOMAINS_SETUP_COMPLETED=1 + return 0 +} + +_dns_googledomains_get_zone() { + domain=$1 + + # Use zone directly if provided + if [ "$GOOGLEDOMAINS_ZONE" ]; then + if ! _dns_googledomains_api "$GOOGLEDOMAINS_ZONE"; then + return 1 + fi + + echo "$GOOGLEDOMAINS_ZONE" + return 0 + fi + + i=2 + while true; do + curr=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug curr "$curr" + + if [ -z "$curr" ]; then + return 1 + fi + + if _dns_googledomains_api "$curr"; then + echo "$curr" + return 0 + fi + + i=$(_math "$i" + 1) + done + + return 1 +} + +_dns_googledomains_api() { + zone=$1 + apimethod=$2 + data="$3" + + if [ -z "$data" ]; then + response="$(_get "$GOOGLEDOMAINS_API/$zone$apimethod")" + else + _debug data "$data" + export _H1="Content-Type: application/json" + response="$(_post "$data" "$GOOGLEDOMAINS_API/$zone$apimethod")" + fi + + _debug response "$response" + + if [ "$?" != "0" ]; then + _err "Error" + return 1 + fi + + if _contains "$response" "\"error\": {"; then + return 1 + fi + + return 0 +} From ae3e5dbf2c4c8f53f5705f00387f24d36abc7a06 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Sun, 12 Mar 2023 12:41:29 +0800 Subject: [PATCH 87/96] fix: fix DomainName not retreived properly Co-Authored-By: idawnlight --- dnsapi/dns_huaweicloud.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index c8601f34..b61c1d43 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -23,7 +23,7 @@ dns_huaweicloud_add() { HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}" - HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" + HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}" # Check information if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then @@ -74,7 +74,7 @@ dns_huaweicloud_rm() { HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}" - HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" + HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}" # Check information if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then From 42a5cd961dc22f655d732167aabebf8725a84784 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 17 Mar 2023 17:21:10 +0800 Subject: [PATCH 88/96] fix https://github.com/acmesh-official/acme.sh/issues/4530#issuecomment-1473395845 --- acme.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index b7d9129d..e89662cd 100755 --- a/acme.sh +++ b/acme.sh @@ -2235,9 +2235,13 @@ _send_signed_request() { if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 fi - _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." - _sleep $_sleep_overload_retry_sec - continue + if [ $_sleep_overload_retry_sec -le 600 ]; then + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + else + _info "The retryafter=$_retryafter is too large > 600, not retry anymore." + fi fi if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." From 7ef2533b98ae0566fc5775c32aa5ebfcfb3b724b Mon Sep 17 00:00:00 2001 From: imlonghao Date: Tue, 28 Mar 2023 22:34:04 +0800 Subject: [PATCH 89/96] fix(cloudns): fix grep when record start with hyphen symbol --- dnsapi/dns_cloudns.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_cloudns.sh b/dnsapi/dns_cloudns.sh index b03fd579..8d7fd437 100755 --- a/dnsapi/dns_cloudns.sh +++ b/dnsapi/dns_cloudns.sh @@ -78,7 +78,7 @@ dns_cloudns_rm() { return 1 fi - for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do + for i in $(echo "$response" | tr '{' "\n" | grep -- "$record"); do record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g') if [ -n "$record_id" ]; then From dc1f36da4348dfb9e737ad8121d5150c6e2c96d9 Mon Sep 17 00:00:00 2001 From: David Schramm Date: Sat, 1 Apr 2023 09:25:19 +0200 Subject: [PATCH 90/96] prevent whitespace splitting --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e89662cd..33721de5 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key="$_saved" + eval $_rac_key=\$_saved export $_rac_key } From dcdbe2fbb8d13579c0178b77822d29fc24520a4d Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 2 Apr 2023 12:04:58 +0800 Subject: [PATCH 91/96] fix https://github.com/acmesh-official/acme.sh/pull/4577 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e89662cd..fa350584 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key="$_saved" + eval $_rac_key=\"$_saved\" export $_rac_key } From a570fda1cb179476405370c94ddefa88dfd7a830 Mon Sep 17 00:00:00 2001 From: David Schramm Date: Sun, 2 Apr 2023 17:30:47 +0200 Subject: [PATCH 92/96] prevent whitespace splitting --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index fa350584..33721de5 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key=\"$_saved\" + eval $_rac_key=\$_saved export $_rac_key } From f66a29d1c3d450641f88c74de04a8967ef0d6cec Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 20 Apr 2023 18:07:59 +0800 Subject: [PATCH 93/96] fix https://github.com/acmesh-official/acme.sh/issues/4606 --- acme.sh | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/acme.sh b/acme.sh index 8b519f1f..d5caee4d 100755 --- a/acme.sh +++ b/acme.sh @@ -6146,8 +6146,22 @@ revoke() { uri="${ACME_REVOKE_CERT}" + _info "Try account key first." + if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then + if [ -z "$response" ]; then + _info "Revoke success." + rm -f "$CERT_PATH" + cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" + cat "$CSR_PATH" >"$CSR_PATH.revoked" + return 0 + else + _err "Revoke error." + _debug "$response" + fi + fi + if [ -f "$CERT_KEY_PATH" ]; then - _info "Try domain key first." + _info "Try domain key." if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then if [ -z "$response" ]; then _info "Revoke success." @@ -6163,21 +6177,6 @@ revoke() { else _info "Domain key file doesn't exist." fi - - _info "Try account key." - - if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then - if [ -z "$response" ]; then - _info "Revoke success." - rm -f "$CERT_PATH" - cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" - cat "$CSR_PATH" >"$CSR_PATH.revoked" - return 0 - else - _err "Revoke error." - _debug "$response" - fi - fi return 1 } From 84e4181ed74f26e2dbd78666f999eafa4642930f Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 20 Apr 2023 18:11:55 +0800 Subject: [PATCH 94/96] fix https://github.com/acmesh-official/acme.sh/issues/4604 --- dnsapi/dns_leaseweb.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_leaseweb.sh b/dnsapi/dns_leaseweb.sh index 63f81869..4cd3a8f8 100644 --- a/dnsapi/dns_leaseweb.sh +++ b/dnsapi/dns_leaseweb.sh @@ -6,7 +6,7 @@ #See https://developer.leaseweb.com for more information. ######## Public functions ##################### -LSW_API="https://api.leaseweb.com/hosting/v2/domains/" +LSW_API="https://api.leaseweb.com/hosting/v2/domains" #Usage: dns_leaseweb_add _acme-challenge.www.domain.com dns_leaseweb_add() { From a7bc2293c0874129b3daf297905fa6c11eeb9d5b Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 23 Apr 2023 13:16:12 +0800 Subject: [PATCH 95/96] fix https://github.com/acmesh-official/acme.sh/issues/4612#issuecomment-1518929996 --- deploy/docker.sh | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/deploy/docker.sh b/deploy/docker.sh index 3aa1b2cd..457e29ab 100755 --- a/deploy/docker.sh +++ b/deploy/docker.sh @@ -273,16 +273,27 @@ _check_curl_version() { _minor="$(_getfield "$_cversion" 2 '.')" _debug2 "_minor" "$_minor" - if [ "$_major$_minor" -lt "740" ]; then + if [ "$_major" -ge "8" ]; then + #ok + return 0; + fi + if [ "$_major" = "7" ]; then + if [ "$_minor" -lt "40" ]; then + _err "curl v$_cversion doesn't support unit socket" + _err "Please upgrade to curl 7.40 or later." + return 1 + fi + if [ "$_minor" -lt "50" ]; then + _debug "Use short host name" + export _CURL_NO_HOST=1 + else + export _CURL_NO_HOST= + fi + return 0 + else _err "curl v$_cversion doesn't support unit socket" _err "Please upgrade to curl 7.40 or later." return 1 fi - if [ "$_major$_minor" -lt "750" ]; then - _debug "Use short host name" - export _CURL_NO_HOST=1 - else - export _CURL_NO_HOST= - fi - return 0 + } From b937665b90d742ea5432c135b3cfc18eecf33014 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 23 Apr 2023 13:18:17 +0800 Subject: [PATCH 96/96] minor --- deploy/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/docker.sh b/deploy/docker.sh index 457e29ab..c9815d5b 100755 --- a/deploy/docker.sh +++ b/deploy/docker.sh @@ -275,7 +275,7 @@ _check_curl_version() { if [ "$_major" -ge "8" ]; then #ok - return 0; + return 0 fi if [ "$_major" = "7" ]; then if [ "$_minor" -lt "40" ]; then