From 20d23fcb92bcc58360089b8e0f3208c8291602aa Mon Sep 17 00:00:00 2001 From: fradev Date: Wed, 25 Aug 2021 16:55:36 +0200 Subject: [PATCH 001/209] Update ssh.sh Added scp mode for copy the certs --- deploy/ssh.sh | 229 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 201 insertions(+), 28 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 18de4aa6..b4a8140e 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -23,6 +23,8 @@ # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value +# export DEPLOY_SSH_USE_SCP="" yes or no , default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -T -q " # ######## Public functions ##################### @@ -73,6 +75,25 @@ ssh_deploy() { Le_Deploy_ssh_cmd="ssh -T" fi + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + Le_Deploy_ssh_use_scp="yes" + _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then + Le_Deploy_ssh_use_scp="" + _cleardomainconf Le_Deploy_ssh_use_scp + fi + + # SCP_CMD is optional. If not provided then use scp + if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then + Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" + _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then + Le_Deploy_ssh_scp_cmd="scp -T" + fi + + # BACKUP is optional. If not provided then default to previously saved value or yes. if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then Le_Deploy_ssh_backup="no" @@ -99,6 +120,26 @@ ssh_deploy() { _cleardomainconf Le_Deploy_ssh_multi_call fi + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + Le_Deploy_ssh_use_scp="yes" + _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + Le_Deploy_ssh_multi_call="yes" + _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then + Le_Deploy_ssh_use_scp="" + _cleardomainconf Le_Deploy_ssh_use_scp + fi + + # SCP_CMD is optional. If not provided then use scp + if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then + Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" + _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then + Le_Deploy_ssh_scp_cmd="scp -T -q " + fi + _deploy_ssh_servers=$Le_Deploy_ssh_server for Le_Deploy_ssh_server in $_deploy_ssh_servers; do _ssh_deploy @@ -110,8 +151,16 @@ _ssh_deploy() { _cmdstr="" _backupprefix="" _backupdir="" + _local_cert_file="" + _local_ca_file="" + _local_full_file="" _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server" + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + Le_Deploy_ssh_multi_call="yes" + _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + fi if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" else @@ -149,15 +198,30 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" - _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + + # copy new key into file. + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + # scp the file + if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then + return $_err_code + fi + else + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" + _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -172,18 +236,40 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_cert_file=$(_mktemp) + cat $_ckey > $_local_cert_file + cat $_ccert >> $_local_cert_file elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" - _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_cert_file ; then + if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" + _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -199,18 +285,47 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_ca_file=$(_mktemp) + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then + cat $_ckey >> $_local_ca_file + fi + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then + cat $_ccert >> $_local_ca_file + fi + + cat $_cca >> $_local_ca_file + elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" - _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_ca_file ; then + if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" + _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi @@ -227,20 +342,63 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then # if filename is same as previous file then append. _pipe=">>" + _local_full_file=$(_mktemp) + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then + cat $_ckey >> $_local_full_file + fi + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then + cat $_ccert >> $_local_full_file + fi + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then + cat $_cca >> $_local_full_file + fi + cat $_cfullchain >> $_local_full_file + elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi fi - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" - _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - if ! _ssh_remote_cmd "$_cmdstr"; then - return $_err_code + + if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if -n $_local_full_file ; then + if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then + return $_err_code + fi + else + if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then + return $_err_code + fi + fi + else + # copy new certificate into file. + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" + _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" + if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" fi - _cmdstr="" fi fi + # cleanup local files if any + + if [ -n "$_local_cert_file" ]; then + rm $_local_cert_file > /dev/null 1>&2 + fi + if [ -n "$_local_ca_file" ]; then + rm $_local_ca_file > /dev/null 1>&2 + fi + if [ -n "$_local_full_file" ]; then + rm $_local_full_file > /dev/null 1>&2 + fi + # REMOTE_CMD is optional. # If provided then this command will be executed on remote host. @@ -265,6 +423,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d return $_err_code fi fi + # cleanup in case all is ok return 0 } @@ -284,3 +443,17 @@ _ssh_remote_cmd() { return $_err_code } + +# cmd scp +_scp_remote_cmd() { + _secure_debug "Remote scp source $1 and destination $2 using : $Le_Deploy_ssh_scp_cmd" + _info "Submitting secure copy command : $Le_Deploy_ssh_scp_cmd" + $Le_Deploy_ssh_scp_cmd "$1" "$Le_Deploy_ssh_user"@"$Le_Deploy_ssh_server":"$2" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from scp" + fi + + return $_err_code +} From 613475ac264bf9cf48681bd11f72b4d2aa341e54 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:08:06 +0200 Subject: [PATCH 002/209] Update ssh.sh --- deploy/ssh.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index b4a8140e..3424055f 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -237,8 +237,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_cert_file=$(_mktemp) - cat $_ckey > $_local_cert_file - cat $_ccert >> $_local_cert_file + cat "$_ckey" > "$_local_cert_file" + cat "$_ccert" >> "$_local_cert_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" @@ -344,15 +344,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _pipe=">>" _local_full_file=$(_mktemp) if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then - cat $_ckey >> $_local_full_file + cat "$_ckey" >> "$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat $_ccert >> $_local_full_file + cat "$_ccert" >> "$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat $_cca >> $_local_full_file + cat "$_cca" >> "$_local_full_file" fi - cat $_cfullchain >> $_local_full_file + cat "$_cfullchain" >> "$_local_full_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -390,13 +390,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # cleanup local files if any if [ -n "$_local_cert_file" ]; then - rm $_local_cert_file > /dev/null 1>&2 + rm "$_local_cert_file" > /dev/null 1>&2 fi if [ -n "$_local_ca_file" ]; then - rm $_local_ca_file > /dev/null 1>&2 + rm "$_local_ca_file" > /dev/null 1>&2 fi if [ -n "$_local_full_file" ]; then - rm $_local_full_file > /dev/null 1>&2 + rm "$_local_full_file" > /dev/null 1>&2 fi From 4cda54774aeaae0f58352cff18dc243a69bdb9e9 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:17:03 +0200 Subject: [PATCH 003/209] Update ssh.sh SC2086 and SC2215 --- deploy/ssh.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 3424055f..8b91a055 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -251,7 +251,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_cert_file ; then + if [ -n "$_local_cert_file" ]; then if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then return $_err_code fi @@ -287,13 +287,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _pipe=">>" _local_ca_file=$(_mktemp) if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then - cat $_ckey >> $_local_ca_file + cat "$_ckey" >> "$_local_ca_file" fi if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat $_ccert >> $_local_ca_file + cat "$_ccert" >> "$_local_ca_file" fi - cat $_cca >> $_local_ca_file + cat "$_cca" >> "$_local_ca_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -307,7 +307,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_ca_file ; then + if [ -n "$_local_ca_file" ]; then if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then return $_err_code fi @@ -366,7 +366,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if -n $_local_full_file ; then + if [ -n "$_local_full_file" ] ; then if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then return $_err_code fi From 08d60fcbf26172a3277a8785b9e161b8d1aa6c23 Mon Sep 17 00:00:00 2001 From: fradev Date: Mon, 30 Aug 2021 11:32:07 +0200 Subject: [PATCH 004/209] Update ssh.sh shfmt formatting --- deploy/ssh.sh | 47 ++++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 8b91a055..6039eefb 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -93,7 +93,6 @@ ssh_deploy() { Le_Deploy_ssh_scp_cmd="scp -T" fi - # BACKUP is optional. If not provided then default to previously saved value or yes. if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then Le_Deploy_ssh_backup="no" @@ -206,12 +205,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # copy new key into file. if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then # scp the file if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then - return $_err_code + return $_err_code fi else _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" @@ -237,8 +235,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_cert_file=$(_mktemp) - cat "$_ckey" > "$_local_cert_file" - cat "$_ccert" >> "$_local_cert_file" + cat "$_ckey" >"$_local_cert_file" + cat "$_ccert" >>"$_local_cert_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" @@ -253,11 +251,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then if [ -n "$_local_cert_file" ]; then if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then - return $_err_code + return $_err_code fi fi else @@ -286,14 +284,14 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_ca_file=$(_mktemp) - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ; then - cat "$_ckey" >> "$_local_ca_file" + if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ]; then + cat "$_ckey" >>"$_local_ca_file" fi if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >> "$_local_ca_file" + cat "$_ccert" >>"$_local_ca_file" fi - cat "$_cca" >> "$_local_ca_file" + cat "$_cca" >>"$_local_ca_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -309,11 +307,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then if [ -n "$_local_ca_file" ]; then if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then - return $_err_code + return $_err_code fi fi else @@ -343,16 +341,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # if filename is same as previous file then append. _pipe=">>" _local_full_file=$(_mktemp) - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ; then - cat "$_ckey" >> "$_local_full_file" + if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ]; then + cat "$_ckey" >>"$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >> "$_local_full_file" + cat "$_ccert" >>"$_local_full_file" fi if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat "$_cca" >> "$_local_full_file" + cat "$_cca" >>"$_local_full_file" fi - cat "$_cfullchain" >> "$_local_full_file" + cat "$_cfullchain" >>"$_local_full_file" elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then # backup file we are about to overwrite. @@ -366,13 +364,13 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_full_file" ] ; then + if [ -n "$_local_full_file" ]; then if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then - return $_err_code + return $_err_code fi else if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then - return $_err_code + return $_err_code fi fi else @@ -390,16 +388,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # cleanup local files if any if [ -n "$_local_cert_file" ]; then - rm "$_local_cert_file" > /dev/null 1>&2 + rm "$_local_cert_file" >/dev/null 1>&2 fi if [ -n "$_local_ca_file" ]; then - rm "$_local_ca_file" > /dev/null 1>&2 + rm "$_local_ca_file" >/dev/null 1>&2 fi if [ -n "$_local_full_file" ]; then - rm "$_local_full_file" > /dev/null 1>&2 + rm "$_local_full_file" >/dev/null 1>&2 fi - # REMOTE_CMD is optional. # If provided then this command will be executed on remote host. if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then From 21ef3b0ecf622d8209b2ac04c6c9e137f952b679 Mon Sep 17 00:00:00 2001 From: wacki4 Date: Sat, 16 Oct 2021 14:08:03 +0200 Subject: [PATCH 005/209] Update dns_opnsense.sh Update for opnsense regards to error in #3735 --- dnsapi/dns_opnsense.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh index 069f6c32..63723f5a 100755 --- a/dnsapi/dns_opnsense.sh +++ b/dnsapi/dns_opnsense.sh @@ -150,7 +150,7 @@ _get_root() { return 1 fi _debug h "$h" - id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\"(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2) + id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":{.*}(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2) if [ -n "$id" ]; then _debug id "$id" From 00b6c6a437d2d11bbbf29c228f308d51d206b3de Mon Sep 17 00:00:00 2001 From: wacki4 Date: Sat, 16 Oct 2021 16:57:12 +0200 Subject: [PATCH 006/209] Update dns_opnsense.sh Correction when having many zones. --- dnsapi/dns_opnsense.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh index 63723f5a..26a422f8 100755 --- a/dnsapi/dns_opnsense.sh +++ b/dnsapi/dns_opnsense.sh @@ -150,7 +150,7 @@ _get_root() { return 1 fi _debug h "$h" - id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":{.*}(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2) + id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":{\"\":{[^}]*}}(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2) if [ -n "$id" ]; then _debug id "$id" From ccd3d96942803905c5b650800314ecd510a1da0a Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 5 Dec 2021 16:15:39 +0800 Subject: [PATCH 007/209] upgrade Solaris --- .github/workflows/DNS.yml | 2 +- .github/workflows/Solaris.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 56781fff..2b15e14c 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -223,7 +223,7 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0.0.3 + - uses: vmactions/solaris-vm@v0.0.4 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkgutil -y -i socat diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 4df10099..a5f5bc7d 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -40,7 +40,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v2 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0.0.4 id: tunnel with: protocol: http From f66d9e1a2272fb960f2923b1440bfb6c8d00151f Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 5 Dec 2021 18:23:19 +0800 Subject: [PATCH 008/209] fix for OpenBSD7 https://github.com/acmesh-official/acme.sh/issues/3833 --- acme.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d2e8b04d..96392f5b 100755 --- a/acme.sh +++ b/acme.sh @@ -4196,7 +4196,12 @@ _match_issuer() { #ip _isIPv4() { for seg in $(echo "$1" | tr '.' ' '); do - if [ $seg -ge 0 ] 2>/dev/null && [ $seg -le 255 ] 2>/dev/null; then + _debug2 seg "$seg" + if [ "$(echo "$seg" | tr -d [0-9])" ]; then + #not all number + return 1 + fi + if [ $seg -ge 0 ] && [ $seg -lt 256 ]; then continue fi return 1 From bdf8bf391c3f5f0cdbd7078984caf3b4a69790e4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 5 Dec 2021 21:05:18 +0800 Subject: [PATCH 009/209] pass TEST_DNS_NO_SUBDOMAIN --- .github/workflows/DNS.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 2b15e14c..47bbc48f 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -49,6 +49,7 @@ jobs: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} CASE: le_test_dnsapi TEST_LOCAL: 1 From 66da6f18e362bb6604c7f219778e9c29a75051a4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 6 Dec 2021 22:03:38 +0800 Subject: [PATCH 010/209] add TEST_DNS_NO_SUBDOMAIN --- .github/workflows/DNS.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 47bbc48f..fc3886f2 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -88,6 +88,7 @@ jobs: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} CASE: le_test_dnsapi TEST_LOCAL: 1 @@ -125,6 +126,7 @@ jobs: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} CASE: le_test_dnsapi TEST_LOCAL: 1 @@ -177,6 +179,7 @@ jobs: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} CASE: le_test_dnsapi TEST_LOCAL: 1 @@ -187,7 +190,7 @@ jobs: run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0.1.4 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg install -y socat curl usesh: true run: | @@ -216,6 +219,7 @@ jobs: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} CASE: le_test_dnsapi TEST_LOCAL: 1 @@ -226,7 +230,7 @@ jobs: run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0.0.4 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkgutil -y -i socat run: | pkg set-mediator -v -I default@1.1 openssl From 225707c877cad8d9ab7fd5c4f40d3750be727e7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Mei=C3=9Fner?= Date: Sun, 12 Dec 2021 14:17:13 +0100 Subject: [PATCH 011/209] [dns_knot] Use key command instead of command line argument to transmit dns key data. --- dnsapi/dns_knot.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_knot.sh b/dnsapi/dns_knot.sh index 094a6981..729a89cb 100644 --- a/dnsapi/dns_knot.sh +++ b/dnsapi/dns_knot.sh @@ -19,8 +19,9 @@ dns_knot_add() { _info "Adding ${fulldomain}. 60 TXT \"${txtvalue}\"" - knsupdate -y "${KNOT_KEY}" < Date: Mon, 13 Dec 2021 20:04:23 +0800 Subject: [PATCH 012/209] fix tunnel version --- .github/workflows/Solaris.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index a5f5bc7d..f0f2f670 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -40,7 +40,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v2 - - uses: vmactions/cf-tunnel@v0.0.4 + - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: protocol: http @@ -49,7 +49,7 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0.0.3 + - uses: vmactions/solaris-vm@v0.0.4 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' nat: | From 342bce216826eaebdda0aa48cde4271e65285e0d Mon Sep 17 00:00:00 2001 From: Joel Pearson Date: Mon, 13 Dec 2021 17:15:49 +1100 Subject: [PATCH 013/209] Allow optional "NEW" in CSR header and footer When generating a CSR in Windows it seems to create a CSR header that looks like "-----BEGIN NEW CERTIFICATE REQUEST-----", but the addition of "NEW" breaks the parsing of the CSR. Making "NEW " optional fixes the problem. Apparently certbot is tolerant of both forms, see: https://community.letsencrypt.org/t/error-parsing-certificate-request-resolved/40039/6 for more information. --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 96392f5b..87322a69 100755 --- a/acme.sh +++ b/acme.sh @@ -80,8 +80,8 @@ NGINX="nginx:" NGINX_START="#ACME_NGINX_START" NGINX_END="#ACME_NGINX_END" -BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----" -END_CSR="-----END CERTIFICATE REQUEST-----" +BEGIN_CSR="-----BEGIN [NEW ]\{0,4\}CERTIFICATE REQUEST-----" +END_CSR="-----END [NEW ]\{0,4\}CERTIFICATE REQUEST-----" BEGIN_CERT="-----BEGIN CERTIFICATE-----" END_CERT="-----END CERTIFICATE-----" From 3105235a7a14b003e791780fb865ca7065457a45 Mon Sep 17 00:00:00 2001 From: Christian Burmeister Date: Tue, 21 Dec 2021 22:20:42 +0100 Subject: [PATCH 014/209] Update Dockerfile - alpine:3.12 -> alpine:3.15 The support for the base image alpine:3.12 will expire in 4 months (https://endoflife.date/alpine), so it would make sense to upgrade to the current version alpine:3.15. I was able to create the acme.sh image with the new alpine:3.15 version without errors and also create and deploy a certificate, but further testing would be useful. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fb842c83..4046c726 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.12 +FROM alpine:3.15 RUN apk --no-cache add -f \ openssl \ From 052b45a5101a42a592596a88ed989c6b36f813e2 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 25 Dec 2021 09:57:58 +0800 Subject: [PATCH 015/209] upgrade solaris vm --- .github/workflows/DNS.yml | 2 +- .github/workflows/Solaris.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index fc3886f2..32d97614 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -228,7 +228,7 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0.0.4 + - uses: vmactions/solaris-vm@v0.0.5 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkgutil -y -i socat diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index f0f2f670..77fdcc9a 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -49,7 +49,7 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0.0.4 + - uses: vmactions/solaris-vm@v0.0.5 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' nat: | From 9769afb944e791f5f8625aa8b890dca129bf8d5b Mon Sep 17 00:00:00 2001 From: racitup Date: Fri, 10 Dec 2021 01:10:41 +0000 Subject: [PATCH 016/209] feat: Mythic Beasts DNS API script --- dnsapi/dns_mythic_beasts.sh | 230 ++++++++++++++++++++++++++++++++++++ 1 file changed, 230 insertions(+) create mode 100755 dnsapi/dns_mythic_beasts.sh diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh new file mode 100755 index 00000000..2d1b6551 --- /dev/null +++ b/dnsapi/dns_mythic_beasts.sh @@ -0,0 +1,230 @@ +#!/usr/bin/env sh +# Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication +# To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com +# Cannot retest once cert is issued +# OAuth2 tokens only valid for 300 seconds so we do not store +# NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com) + +# Test OAuth2 credentials +#MB_AK="aaaaaaaaaaaaaaaa" +#MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" + +# URLs +MB_API='https://api.mythic-beasts.com/dns/v2/zones' +MB_AUTH='https://auth.mythic-beasts.com/login' + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_mythic_beasts_add() { + fulldomain=$1 + txtvalue=$2 + + _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue" + if ! _initAuth; then + return 1 + fi + + if ! _get_root "$fulldomain"; then + return 1 + fi + + # method path body_data + if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then + + if _contains "$response" "1 records added"; then + _info "Added, verifying..." + # Max 120 seconds to publish + for i in $(seq 1 6); do + # Retry on error + if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then + _sleep 20 + else + _info "Record published!" + return 0 + fi + done + + else + _err "\n$response" + fi + + fi + _err "Add txt record error." + return 1 +} + +#Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_mythic_beasts_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue" + if ! _initAuth; then + return 1 + fi + + if ! _get_root "$fulldomain"; then + return 1 + fi + + # method path body_data + if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then + _info "Record removed" + return 0 + fi + _err "Remove txt record error." + return 1 +} + +#################### Private functions below ################################## + +#Possible formats: +# _acme-challenge.www.example.com +# _acme-challenge.example.com +# _acme-challenge.example.co.uk +# _acme-challenge.www.example.co.uk +# _acme-challenge.sub1.sub2.www.example.co.uk +# sub1.sub2.example.co.uk +# example.com +# example.co.uk +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + _debug "Detect the root zone" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + _err "Domain exhausted" + return 1 + fi + + # Use the status errors to find the domain, continue on 403 Access denied + # method path body_data + _mb_rest GET "$h/records" + ret="$?" + if [ "$ret" -eq 0 ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + return 0 + elif [ "$ret" -eq 1 ]; then + return 1 + fi + + p=$i + i=$(_math "$i" + 1) + + if [ "$i" -gt 50 ]; then + break + fi + done + _err "Domain too long" + return 1 +} + +_initAuth() { + MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}" + MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}" + + if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then + MB_AK="" + MB_AS="" + _err "Please specify an OAuth2 Key & Secret" + return 1 + fi + + _saveaccountconf_mutable MB_AK "$MB_AK" + _saveaccountconf_mutable MB_AS "$MB_AS" + + if ! _oauth2; then + return 1 + fi + + _info "Checking authentication" + _secure_debug access_token "$MB_TK" + _sleep 1 + + # GET a list of zones + # method path body_data + if ! _mb_rest GET ""; then + _err "The token is invalid" + return 1 + fi + _info "Token OK" + return 0 +} + +_oauth2() { + # HTTP Basic Authentication + _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)" + _H2="Accepts: application/json" + export _H1 _H2 + body="grant_type=client_credentials" + + _info "Getting OAuth2 token..." + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")" + if _contains "$response" "\"token_type\":\"bearer\""; then + MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')" + if [ -z "$MB_TK" ]; then + _err "Unable to get access_token" + _err "\n$response" + return 1 + fi + else + _err "OAuth2 token_type not Bearer" + _err "\n$response" + return 1 + fi + _debug2 response "$response" + return 0 +} + +# method path body_data +_mb_rest() { + # URL encoded body for single API operations + m="$1" + ep="$2" + data="$3" + + if [ -z "$ep" ]; then + _mb_url="$MB_API" + else + _mb_url="$MB_API/$ep" + fi + + _H1="Authorization: Bearer $MB_TK" + _H2="Accepts: application/json" + export _H1 _H2 + if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")" + else + response="$(_get "$_mb_url")" + fi + + if [ "$?" != "0" ]; then + _err "Request error" + return 1 + fi + + header="$(cat "$HTTP_HEADER")" + status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")" + code="$(echo "$status" | _egrep_o "^[0-9]*")" + if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then + _err "error $status" + _err "\n$response" + _debug "\n$header" + return 2 + fi + + _debug2 response "$response" + return 0 +} From 962ce380cdc3ff74d956b5eb8a6d6a4103f19f4f Mon Sep 17 00:00:00 2001 From: racitup Date: Mon, 20 Dec 2021 00:31:15 +0000 Subject: [PATCH 017/209] fix: floating token for github --- dnsapi/dns_mythic_beasts.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh index 2d1b6551..3cff3b02 100755 --- a/dnsapi/dns_mythic_beasts.sh +++ b/dnsapi/dns_mythic_beasts.sh @@ -161,7 +161,20 @@ _initAuth() { return 0 } +# Github appears to use an outbound proxy for requests which means subsequent requests may not have the same +# source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail +# authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an +# IP just for the github tests. _oauth2() { + printenv + if [ -z "$TEST_DNS_SLEEP" ]; then + return _oauth2_std + else + return _oauth2_github + fi +} + +_oauth2_std() { # HTTP Basic Authentication _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)" _H2="Accepts: application/json" @@ -187,6 +200,24 @@ _oauth2() { return 0 } +_oauth2_github() { + _H1="Accepts: application/json" + export _H1 + body="{\"login\":{\"handle\":$MB_AK,\"pass\":$MB_AS,\"floating\":1}}" + + _info "Getting Floating token..." + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")" + MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')" + if [ -z "$MB_TK" ]; then + _err "Unable to get access_token" + _err "\n$response" + return 1 + fi + _debug2 response "$response" + return 0 +} + # method path body_data _mb_rest() { # URL encoded body for single API operations From bf66df2a291aa503bbf47a670d50d00fb7d8c259 Mon Sep 17 00:00:00 2001 From: racitup Date: Mon, 20 Dec 2021 00:35:14 +0000 Subject: [PATCH 018/209] fix: correct return value --- dnsapi/dns_mythic_beasts.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh index 3cff3b02..9de5d34c 100755 --- a/dnsapi/dns_mythic_beasts.sh +++ b/dnsapi/dns_mythic_beasts.sh @@ -168,10 +168,11 @@ _initAuth() { _oauth2() { printenv if [ -z "$TEST_DNS_SLEEP" ]; then - return _oauth2_std + _oauth2_std else - return _oauth2_github + _oauth2_github fi + return $? } _oauth2_std() { From 9c4ac24a66bea1f2ef1c6ea40441fba84e663f07 Mon Sep 17 00:00:00 2001 From: racitup Date: Mon, 20 Dec 2021 00:50:33 +0000 Subject: [PATCH 019/209] fix: debugging --- dnsapi/dns_mythic_beasts.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh index 9de5d34c..96230bf1 100755 --- a/dnsapi/dns_mythic_beasts.sh +++ b/dnsapi/dns_mythic_beasts.sh @@ -166,7 +166,7 @@ _initAuth() { # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an # IP just for the github tests. _oauth2() { - printenv + _info "$(printenv)" if [ -z "$TEST_DNS_SLEEP" ]; then _oauth2_std else @@ -211,7 +211,7 @@ _oauth2_github() { response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")" MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')" if [ -z "$MB_TK" ]; then - _err "Unable to get access_token" + _err "Unable to get token" _err "\n$response" return 1 fi From 6351b5d0dc6a30e77ff3191f71f5f3bc66fc3cd3 Mon Sep 17 00:00:00 2001 From: racitup Date: Mon, 20 Dec 2021 00:58:37 +0000 Subject: [PATCH 020/209] fix: github switch --- dnsapi/dns_mythic_beasts.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh index 96230bf1..8956ec36 100755 --- a/dnsapi/dns_mythic_beasts.sh +++ b/dnsapi/dns_mythic_beasts.sh @@ -166,8 +166,8 @@ _initAuth() { # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an # IP just for the github tests. _oauth2() { - _info "$(printenv)" - if [ -z "$TEST_DNS_SLEEP" ]; then + _info "DOMAIN: $TEST_DNS" + if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then _oauth2_std else _oauth2_github From d940f17390785693a68bb414b0dd8318a6693460 Mon Sep 17 00:00:00 2001 From: racitup Date: Mon, 20 Dec 2021 01:09:02 +0000 Subject: [PATCH 021/209] fix: token request body quoting --- dnsapi/dns_mythic_beasts.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh index 8956ec36..77eed04f 100755 --- a/dnsapi/dns_mythic_beasts.sh +++ b/dnsapi/dns_mythic_beasts.sh @@ -166,7 +166,6 @@ _initAuth() { # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an # IP just for the github tests. _oauth2() { - _info "DOMAIN: $TEST_DNS" if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then _oauth2_std else @@ -204,7 +203,7 @@ _oauth2_std() { _oauth2_github() { _H1="Accepts: application/json" export _H1 - body="{\"login\":{\"handle\":$MB_AK,\"pass\":$MB_AS,\"floating\":1}}" + body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}" _info "Getting Floating token..." # body url [needbase64] [POST|PUT|DELETE] [ContentType] From ce47ccecc4b290609728f50b89d270579664c7fe Mon Sep 17 00:00:00 2001 From: racitup Date: Tue, 28 Dec 2021 14:45:02 +0000 Subject: [PATCH 022/209] fix: Neilpang review --- dnsapi/dns_mythic_beasts.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh index 77eed04f..294ae84c 100755 --- a/dnsapi/dns_mythic_beasts.sh +++ b/dnsapi/dns_mythic_beasts.sh @@ -163,13 +163,13 @@ _initAuth() { # Github appears to use an outbound proxy for requests which means subsequent requests may not have the same # source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail -# authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an +# authentication. This is a work around using an undocumented MB API to obtain a token not tied to an # IP just for the github tests. _oauth2() { - if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then - _oauth2_std - else + if [ "$GITHUB_ACTIONS" = "true" ]; then _oauth2_github + else + _oauth2_std fi return $? } From 424cc46db0c138037106a7a51ad504cfba0b646f Mon Sep 17 00:00:00 2001 From: Viktor G Date: Thu, 30 Dec 2021 18:06:17 +0300 Subject: [PATCH 023/209] DNS-ISPConfig ISPC_Api_Insecure argument check fix --- dnsapi/dns_ispconfig.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ispconfig.sh b/dnsapi/dns_ispconfig.sh index e68ddd49..765e0eb5 100755 --- a/dnsapi/dns_ispconfig.sh +++ b/dnsapi/dns_ispconfig.sh @@ -32,7 +32,7 @@ dns_ispconfig_rm() { #################### Private functions below ################################## _ISPC_credentials() { - if [ -z "${ISPC_User}" ] || [ -z "$ISPC_Password" ] || [ -z "${ISPC_Api}" ] || [ -z "${ISPC_Api_Insecure}" ]; then + if [ -z "${ISPC_User}" ] || [ -z "$ISPC_Password" ] || [ -z "${ISPC_Api}" ] || [ -n "${ISPC_Api_Insecure}" ]; then ISPC_User="" ISPC_Password="" ISPC_Api="" From 82e8792737ef88c527e75e51260fb25c53ccb5ec Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 3 Jan 2022 11:20:53 +0800 Subject: [PATCH 024/209] send notifications for renew command https://github.com/acmesh-official/acme.sh/issues/3869#issuecomment-1003546762 --- acme.sh | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/acme.sh b/acme.sh index 96392f5b..65ed2fd4 100755 --- a/acme.sh +++ b/acme.sh @@ -5254,13 +5254,13 @@ renewAll() { _error_level="$NOTIFY_LEVEL_RENEW" _notify_code=0 fi - if [ "$_ACME_IN_CRON" ]; then - if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then - if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then - _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0 - fi + + if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then + if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then + _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0 fi fi + _success_msg="${_success_msg} $d " elif [ "$rc" = "$RENEW_SKIP" ]; then @@ -5268,13 +5268,13 @@ renewAll() { _error_level="$NOTIFY_LEVEL_SKIP" _notify_code=$RENEW_SKIP fi - if [ "$_ACME_IN_CRON" ]; then - if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then - if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then - _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP" - fi + + if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then + if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then + _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP" fi fi + _info "Skipped $d" _skipped_msg="${_skipped_msg} $d " @@ -5283,13 +5283,13 @@ renewAll() { _error_level="$NOTIFY_LEVEL_ERROR" _notify_code=1 fi - if [ "$_ACME_IN_CRON" ]; then - if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then - if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then - _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1 - fi + + if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then + if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then + _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1 fi fi + _error_msg="${_error_msg} $d " if [ "$_stopRenewOnError" ]; then @@ -5304,7 +5304,7 @@ renewAll() { done _debug _error_level "$_error_level" _debug _set_level "$_set_level" - if [ "$_ACME_IN_CRON" ] && [ $_error_level -le $_set_level ]; then + if [ $_error_level -le $_set_level ]; then if [ -z "$NOTIFY_MODE" ] || [ "$NOTIFY_MODE" = "$NOTIFY_MODE_BULK" ]; then _msg_subject="Renew" if [ "$_error_msg" ]; then From eeee30ca03ab5ea4e402a3043aa13d082199da7b Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 3 Jan 2022 11:46:12 +0800 Subject: [PATCH 025/209] fix https://github.com/acmesh-official/acme.sh/issues/3869 --- acme.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 65ed2fd4..9fc44610 100755 --- a/acme.sh +++ b/acme.sh @@ -5154,7 +5154,7 @@ renew() { _isEcc="$2" _initpath "$Le_Domain" "$_isEcc" - + _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT} _info "$(__green "Renew: '$Le_Domain'")" if [ ! -f "$DOMAIN_CONF" ]; then _info "'$Le_Domain' is not an issued domain, skip." @@ -5189,6 +5189,11 @@ renew() { if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")" _info "Add '$(__red '--force')' to force to renew." + if [ -z "$_ACME_IN_RENEWALL" ]; then + if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then + _send_notify "Renew $Le_Domain skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP" + fi + fi return "$RENEW_SKIP" fi @@ -5215,6 +5220,17 @@ renew() { fi _ACME_IS_RENEW="" + if [ -z "$_ACME_IN_RENEWALL" ]; then + if [ "$res" = "0" ]; then + if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then + _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0 + fi + else + if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then + _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1 + fi + fi + fi return "$res" } @@ -5232,6 +5248,7 @@ renewAll() { _notify_code=$RENEW_SKIP _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT} _debug "_set_level" "$_set_level" + export _ACME_IN_RENEWALL=1 for di in "${CERT_HOME}"/*.*/; do _debug di "$di" if ! [ -d "$di" ]; then From dd2a4205787eaa9efad352d3903f25480ea49c92 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 3 Jan 2022 12:38:59 +0800 Subject: [PATCH 026/209] add `--info` command to show the global configs or domain configs. https://github.com/acmesh-official/acme.sh/issues/2444 --- Dockerfile | 1 + acme.sh | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/Dockerfile b/Dockerfile index 4046c726..0421da34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,6 +40,7 @@ RUN for verb in help \ revoke \ remove \ list \ + info \ showcsr \ install-cronjob \ uninstall-cronjob \ diff --git a/acme.sh b/acme.sh index 9fc44610..fe4dc1bd 100755 --- a/acme.sh +++ b/acme.sh @@ -144,6 +144,8 @@ NOTIFY_MODE_CERT=1 NOTIFY_MODE_DEFAULT=$NOTIFY_MODE_BULK +_BASE64_ENCODED_CFGS="Le_PreHook Le_PostHook Le_RenewHook Le_Preferred_Chain Le_ReloadCmd" + _DEBUG_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh" _PREPARE_LINK="https://github.com/acmesh-official/acme.sh/wiki/Install-preparations" @@ -6609,6 +6611,7 @@ Commands: --revoke Revoke a cert. --remove Remove the cert from list of certs known to $PROJECT_NAME. --list List all the certs. + --info Show the $PROJECT_NAME configs, or the configs for a domain with [-d domain] parameter. --to-pkcs12 Export the certificate and key to a pfx file. --to-pkcs8 Convert to pkcs8 format. --sign-csr Issue a cert from an existing csr. @@ -6926,6 +6929,28 @@ setdefaultchain() { _savecaconf "DEFAULT_PREFERRED_CHAIN" "$_preferred_chain" } +#domain ecc +info() { + _domain="$1" + _ecc="$2" + _initpath + if [ -z "$_domain" ]; then + _debug "Show global configs" + echo "LE_WORKING_DIR=$LE_WORKING_DIR" + echo "LE_CONFIG_HOME=$LE_CONFIG_HOME" + cat "$ACCOUNT_CONF_PATH" + else + _debug "Show domain configs" + ( + _initpath "$_domain" "$_ecc" + echo "DOMAIN_CONF=$DOMAIN_CONF" + for seg in $(cat $DOMAIN_CONF | cut -d = -f 1); do + echo "$seg=$(_readdomainconf "$seg")" + done + ) + fi +} + _process() { _CMD="" _domain="" @@ -7035,6 +7060,9 @@ _process() { --list) _CMD="list" ;; + --info) + _CMD="info" + ;; --install-cronjob | --installcronjob) _CMD="installcronjob" ;; @@ -7586,6 +7614,9 @@ _process() { list) list "$_listraw" "$_domain" ;; + info) + info "$_domain" "$_ecc" + ;; installcronjob) installcronjob "$_confighome" ;; uninstallcronjob) uninstallcronjob ;; cron) cron ;; From dbd5bef0380a366773d5758dca023a51c3982d33 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 3 Jan 2022 13:41:57 +0800 Subject: [PATCH 027/209] fix gentoo image --- .github/workflows/Linux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index cba708b3..7b24eac9 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -20,7 +20,7 @@ jobs: Linux: strategy: matrix: - os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3-amd64"] + os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"] runs-on: ubuntu-latest env: TEST_LOCAL: 1 From cc5cfc7525491c31ad224783fea440d30fb15554 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Wed, 5 Jan 2022 15:03:32 +0100 Subject: [PATCH 028/209] Added Selfhost DNS API +ShellCheck +ACME v2 compatible Example: - Fist create 2 new TXT records on _acme-challenge.example.com - Now note the ID in (...) from the edit page behind "_acme-challenge.example.com" export SELFHOSTDNS_USERNAME=myname export SELFHOSTDNS_PASSWORD=mypass export SELFHOSTDNS_RID=id_of_txt_record export SELFHOSTDNS_RID2=id_of_second_txt_record acme.sh --issue -d example.com --dns dns_selfhost --- dnsapi/dns_selfhost.sh | 55 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 dnsapi/dns_selfhost.sh diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh new file mode 100644 index 00000000..d7dfcca4 --- /dev/null +++ b/dnsapi/dns_selfhost.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env sh +# +# Author: Marvin Edeler +# Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 + +dns_selfhost_add() { + domain=$1 + txt=$2 + _info "Calling acme-dns on selfhost" + _debug fulldomain "$domain" + _debug txtvalue "$txt" + + SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" + SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" + SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" + SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readaccountconf_mutable SELFHOSTDNS_RID)}" + SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" + SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" + + if test -z "$SELFHOSTDNS_LAST_SLOT"; then + SELFHOSTDNS_LAST_SLOT=1 + fi + + _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" + _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" + _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" + + if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then + rid=$SELFHOSTDNS_RID + SELFHOSTDNS_LAST_SLOT=1 + else + rid=$SELFHOSTDNS_RID2 + SELFHOSTDNS_LAST_SLOT=2 + fi + + _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" + + _info "Trying to add $txt on selfhost for rid: $rid" + + data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" + response="$(_get "$SELFHOSTDNS_UPDATE_URL$data")" + + if ! echo "$response" | grep "200 OK" >/dev/null; then + _err "Invalid response of acme-dns for selfhost" + return 1 + fi +} + +dns_acmedns_rm() { + domain=$1 + txt=$2 + _debug fulldomain "$domain" + _debug txtvalue "$txt" +} From 62dad721fceba8782903726349ee22dfff2400e4 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Sun, 9 Jan 2022 11:04:15 +0100 Subject: [PATCH 029/209] Start ShellCheck and CI Test --- dnsapi/dns_selfhost.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d7dfcca4..8c6e9a91 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -2,6 +2,7 @@ # # Author: Marvin Edeler # Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 +# Last Edit: 09.01.2022 dns_selfhost_add() { domain=$1 From 2982e9943e522773dd7e84d5f7252c0d6051b0d8 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Thu, 17 Feb 2022 19:02:35 +0100 Subject: [PATCH 030/209] Add custom option to map multidomain RIDs --- dnsapi/dns_selfhost.sh | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 8c6e9a91..1ebc6596 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -2,7 +2,7 @@ # # Author: Marvin Edeler # Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 -# Last Edit: 09.01.2022 +# Last Edit: 17.02.2022 dns_selfhost_add() { domain=$1 @@ -14,6 +14,7 @@ dns_selfhost_add() { SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" + SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readaccountconf_mutable SELFHOSTDNS_MAP)}" SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readaccountconf_mutable SELFHOSTDNS_RID)}" SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" @@ -24,15 +25,19 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + _saveaccountconf_mutable SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then - rid=$SELFHOSTDNS_RID - SELFHOSTDNS_LAST_SLOT=1 - else - rid=$SELFHOSTDNS_RID2 - SELFHOSTDNS_LAST_SLOT=2 + rid=$(echo $SELFHOSTDNS_MAP | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + if test -z "$rid"; then + if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then + rid=$SELFHOSTDNS_RID + SELFHOSTDNS_LAST_SLOT=1 + else + rid=$SELFHOSTDNS_RID2 + SELFHOSTDNS_LAST_SLOT=2 + fi fi _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" From 947085025882a0dda7ea7297e4320bef385e1ff1 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Thu, 17 Feb 2022 19:08:58 +0100 Subject: [PATCH 031/209] Fix shellcheck, use double quote --- dnsapi/dns_selfhost.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 1ebc6596..7ad92e20 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -29,7 +29,7 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - rid=$(echo $SELFHOSTDNS_MAP | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then rid=$SELFHOSTDNS_RID From ac0dd90c37db0105fc07b16c41ffebfc245ee738 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Thu, 17 Feb 2022 19:30:56 +0100 Subject: [PATCH 032/209] Fix shfmt --- dnsapi/dns_selfhost.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 7ad92e20..d5ecd278 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -29,7 +29,8 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then rid=$SELFHOSTDNS_RID From b37bf06de87ab41d495e0a3156f538c5baf9c679 Mon Sep 17 00:00:00 2001 From: fradev Date: Tue, 1 Mar 2022 17:57:59 +0100 Subject: [PATCH 033/209] Update ssh.sh --- deploy/ssh.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 604d8642..7d9e82e8 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -24,7 +24,7 @@ # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value # export DEPLOY_SSH_USE_SCP="" yes or no , default to no -# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -T -q " +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q " # ######## Public functions ##################### @@ -53,7 +53,7 @@ ssh_deploy() { fi else Le_Deploy_ssh_user="$DEPLOY_SSH_USER" - _savedomainconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" + _savedeployconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" fi # SERVER is optional. If not provided then use _cdomain @@ -61,7 +61,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" if [ -n "$DEPLOY_SSH_SERVER" ]; then Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER" - _savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" + _savedeployconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" elif [ -z "$Le_Deploy_ssh_server" ]; then Le_Deploy_ssh_server="$_cdomain" fi @@ -71,7 +71,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" if [ -n "$DEPLOY_SSH_CMD" ]; then Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD" - _savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" + _savedeployconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" elif [ -z "$Le_Deploy_ssh_cmd" ]; then Le_Deploy_ssh_cmd="ssh -T" fi @@ -80,7 +80,7 @@ ssh_deploy() { # value (which may be undefined... equivalent to "no"). if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then Le_Deploy_ssh_use_scp="yes" - _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then Le_Deploy_ssh_use_scp="" _cleardomainconf Le_Deploy_ssh_use_scp @@ -89,9 +89,9 @@ ssh_deploy() { # SCP_CMD is optional. If not provided then use scp if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -T" + Le_Deploy_ssh_scp_cmd="scp -q" fi # BACKUP is optional. If not provided then default to previously saved value or yes. @@ -102,7 +102,7 @@ ssh_deploy() { elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then Le_Deploy_ssh_backup="yes" fi - _savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" + _savedeployconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy _getdeployconf DEPLOY_SSH_BACKUP_PATH @@ -112,7 +112,7 @@ ssh_deploy() { elif [ -z "$Le_Deploy_ssh_backup_path" ]; then Le_Deploy_ssh_backup_path=".acme_ssh_deploy" fi - _savedomainconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" + _savedeployconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" # MULTI_CALL is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). @@ -120,7 +120,7 @@ ssh_deploy() { _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then Le_Deploy_ssh_multi_call="" _cleardomainconf Le_Deploy_ssh_multi_call @@ -130,9 +130,9 @@ ssh_deploy() { # value (which may be undefined... equivalent to "no"). if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then Le_Deploy_ssh_use_scp="yes" - _savedomainconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" + _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then Le_Deploy_ssh_use_scp="" _cleardomainconf Le_Deploy_ssh_use_scp @@ -141,7 +141,7 @@ ssh_deploy() { # SCP_CMD is optional. If not provided then use scp if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedomainconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" + _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then Le_Deploy_ssh_scp_cmd="scp -T -q " fi @@ -165,7 +165,7 @@ _ssh_deploy() { if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then _info "Using scp as alternate method for copying files. Multicall Mode is implicit" Le_Deploy_ssh_multi_call="yes" - _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" + _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" fi if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" @@ -200,7 +200,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" if [ -n "$DEPLOY_SSH_KEYFILE" ]; then Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE" - _savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" + _savedeployconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" fi if [ -n "$Le_Deploy_ssh_keyfile" ]; then if [ "$Le_Deploy_ssh_backup" = "yes" ]; then @@ -238,7 +238,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" if [ -n "$DEPLOY_SSH_CERTFILE" ]; then Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE" - _savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" + _savedeployconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" fi if [ -n "$Le_Deploy_ssh_certfile" ]; then _pipe=">" @@ -288,7 +288,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" if [ -n "$DEPLOY_SSH_CAFILE" ]; then Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE" - _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" + _savedeployconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" fi if [ -n "$Le_Deploy_ssh_cafile" ]; then _pipe=">" @@ -346,7 +346,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN" - _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" + _savedeployconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" fi if [ -n "$Le_Deploy_ssh_fullchain" ]; then _pipe=">" @@ -418,7 +418,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD" - _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" + _savedeployconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" fi if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;" From d6c68f1a843f28cb2a451890d07bee63d53b9e72 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Mon, 28 Mar 2022 13:03:02 +0200 Subject: [PATCH 034/209] Rename delete function, add info --- dnsapi/dns_selfhost.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d5ecd278..d51608c9 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -54,9 +54,10 @@ dns_selfhost_add() { fi } -dns_acmedns_rm() { +dns_selfhost_rm() { domain=$1 txt=$2 _debug fulldomain "$domain" _debug txtvalue "$txt" + _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } From 96d45cc34162347b236a3cbb252aec3f4246bbe2 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:23:39 +0200 Subject: [PATCH 035/209] Added variable checks --- dnsapi/dns_selfhost.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d51608c9..601fca52 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -19,6 +19,11 @@ dns_selfhost_add() { SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" + if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then + _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" + return 1 + fi + if test -z "$SELFHOSTDNS_LAST_SLOT"; then SELFHOSTDNS_LAST_SLOT=1 fi @@ -41,6 +46,11 @@ dns_selfhost_add() { fi fi + if test -z "$rid"; then + _err "SELFHOSTDNS_RID and SELFHOSTDNS_RID2, or SELFHOSTDNS_MAP must be set" + return 1 + fi + _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" _info "Trying to add $txt on selfhost for rid: $rid" From 610c3cf6811f4f152b5959ee451eae1f6e3fb929 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:26:36 +0200 Subject: [PATCH 036/209] Save domain dependent values in domain.conf after successfull use --- dnsapi/dns_selfhost.sh | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 601fca52..47e2f24c 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -12,12 +12,15 @@ dns_selfhost_add() { _debug txtvalue "$txt" SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" + + # Get values, but don't save until we successfully validated SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" - SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readaccountconf_mutable SELFHOSTDNS_MAP)}" - SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readaccountconf_mutable SELFHOSTDNS_RID)}" - SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" - SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" + # These values are domain dependent, so read them from there + _getdeployconf SELFHOSTDNS_MAP + _getdeployconf SELFHOSTDNS_RID + _getdeployconf SELFHOSTDNS_RID2 + _getdeployconf SELFHOSTDNS_LAST_SLOT if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" @@ -28,12 +31,6 @@ dns_selfhost_add() { SELFHOSTDNS_LAST_SLOT=1 fi - _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" - _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" - _saveaccountconf_mutable SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" - _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" - _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") if test -z "$rid"; then @@ -51,8 +48,6 @@ dns_selfhost_add() { return 1 fi - _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" - _info "Trying to add $txt on selfhost for rid: $rid" data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" @@ -62,6 +57,15 @@ dns_selfhost_add() { _err "Invalid response of acme-dns for selfhost" return 1 fi + + # Now that we know the values are good, save them + _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" + _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + # These values are domain dependent, so store them there + _savedeployconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" + _savedeployconf SELFHOSTDNS_RID "$SELFHOSTDNS_RID" + _savedeployconf SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" + _savedeployconf SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" } dns_selfhost_rm() { From 1cbd5485e7d80fd184d3048972cc79e71ac1fffa Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:53:36 +0200 Subject: [PATCH 037/209] Pseudo commit tp trigger Github Actions --- dnsapi/dns_selfhost.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 47e2f24c..33159c48 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -75,3 +75,4 @@ dns_selfhost_rm() { _debug txtvalue "$txt" _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } + From 227eac10f1549f71e57e63721219cb8ba38e3062 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 23:05:46 +0200 Subject: [PATCH 038/209] Fix shfmt --- dnsapi/dns_selfhost.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 33159c48..47e2f24c 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -75,4 +75,3 @@ dns_selfhost_rm() { _debug txtvalue "$txt" _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } - From 6aebaf6f47b0825cd8d6cc247214607ae7de25aa Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 5 Dec 2021 16:15:39 +0800 Subject: [PATCH 039/209] upgrade Solaris --- .github/workflows/Solaris.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index f8a3826c..567a22f9 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -40,7 +40,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v2 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0.0.4 id: tunnel with: protocol: http From 18de21f723605f4c8bc718dd1d126add2a47a205 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 13 Dec 2021 20:04:23 +0800 Subject: [PATCH 040/209] fix tunnel version --- .github/workflows/Solaris.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 567a22f9..f8a3826c 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -40,7 +40,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v2 - - uses: vmactions/cf-tunnel@v0.0.4 + - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: protocol: http From 3d312e2140652ad826617a4cdaa23626a0a9129c Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Wed, 5 Jan 2022 15:03:32 +0100 Subject: [PATCH 041/209] Added Selfhost DNS API +ShellCheck +ACME v2 compatible Example: - Fist create 2 new TXT records on _acme-challenge.example.com - Now note the ID in (...) from the edit page behind "_acme-challenge.example.com" export SELFHOSTDNS_USERNAME=myname export SELFHOSTDNS_PASSWORD=mypass export SELFHOSTDNS_RID=id_of_txt_record export SELFHOSTDNS_RID2=id_of_second_txt_record acme.sh --issue -d example.com --dns dns_selfhost --- dnsapi/dns_selfhost.sh | 55 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 dnsapi/dns_selfhost.sh diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh new file mode 100644 index 00000000..d7dfcca4 --- /dev/null +++ b/dnsapi/dns_selfhost.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env sh +# +# Author: Marvin Edeler +# Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 + +dns_selfhost_add() { + domain=$1 + txt=$2 + _info "Calling acme-dns on selfhost" + _debug fulldomain "$domain" + _debug txtvalue "$txt" + + SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" + SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" + SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" + SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readaccountconf_mutable SELFHOSTDNS_RID)}" + SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" + SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" + + if test -z "$SELFHOSTDNS_LAST_SLOT"; then + SELFHOSTDNS_LAST_SLOT=1 + fi + + _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" + _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" + _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" + + if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then + rid=$SELFHOSTDNS_RID + SELFHOSTDNS_LAST_SLOT=1 + else + rid=$SELFHOSTDNS_RID2 + SELFHOSTDNS_LAST_SLOT=2 + fi + + _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" + + _info "Trying to add $txt on selfhost for rid: $rid" + + data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" + response="$(_get "$SELFHOSTDNS_UPDATE_URL$data")" + + if ! echo "$response" | grep "200 OK" >/dev/null; then + _err "Invalid response of acme-dns for selfhost" + return 1 + fi +} + +dns_acmedns_rm() { + domain=$1 + txt=$2 + _debug fulldomain "$domain" + _debug txtvalue "$txt" +} From e717c9dba248f141c37b614a6c53b2d699ff3591 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Sun, 9 Jan 2022 11:04:15 +0100 Subject: [PATCH 042/209] Start ShellCheck and CI Test --- dnsapi/dns_selfhost.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d7dfcca4..8c6e9a91 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -2,6 +2,7 @@ # # Author: Marvin Edeler # Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 +# Last Edit: 09.01.2022 dns_selfhost_add() { domain=$1 From 77d606df34590e0b36233d759f7f595ab42d16c5 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Thu, 17 Feb 2022 19:02:35 +0100 Subject: [PATCH 043/209] Add custom option to map multidomain RIDs --- dnsapi/dns_selfhost.sh | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 8c6e9a91..1ebc6596 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -2,7 +2,7 @@ # # Author: Marvin Edeler # Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 -# Last Edit: 09.01.2022 +# Last Edit: 17.02.2022 dns_selfhost_add() { domain=$1 @@ -14,6 +14,7 @@ dns_selfhost_add() { SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" + SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readaccountconf_mutable SELFHOSTDNS_MAP)}" SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readaccountconf_mutable SELFHOSTDNS_RID)}" SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" @@ -24,15 +25,19 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + _saveaccountconf_mutable SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then - rid=$SELFHOSTDNS_RID - SELFHOSTDNS_LAST_SLOT=1 - else - rid=$SELFHOSTDNS_RID2 - SELFHOSTDNS_LAST_SLOT=2 + rid=$(echo $SELFHOSTDNS_MAP | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + if test -z "$rid"; then + if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then + rid=$SELFHOSTDNS_RID + SELFHOSTDNS_LAST_SLOT=1 + else + rid=$SELFHOSTDNS_RID2 + SELFHOSTDNS_LAST_SLOT=2 + fi fi _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" From c23c40df8a5c27fbe130afc007913ba3b312583c Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Thu, 17 Feb 2022 19:08:58 +0100 Subject: [PATCH 044/209] Fix shellcheck, use double quote --- dnsapi/dns_selfhost.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 1ebc6596..7ad92e20 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -29,7 +29,7 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - rid=$(echo $SELFHOSTDNS_MAP | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then rid=$SELFHOSTDNS_RID From ef8cb11707e2c1351563ebddd10e22f1e4ce5935 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Thu, 17 Feb 2022 19:30:56 +0100 Subject: [PATCH 045/209] Fix shfmt --- dnsapi/dns_selfhost.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 7ad92e20..d5ecd278 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -29,7 +29,8 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then rid=$SELFHOSTDNS_RID From 1054325b2dcd61ecdf55b2aad213f9878d38c530 Mon Sep 17 00:00:00 2001 From: Marvo2011 Date: Mon, 28 Mar 2022 13:03:02 +0200 Subject: [PATCH 046/209] Rename delete function, add info --- dnsapi/dns_selfhost.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d5ecd278..d51608c9 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -54,9 +54,10 @@ dns_selfhost_add() { fi } -dns_acmedns_rm() { +dns_selfhost_rm() { domain=$1 txt=$2 _debug fulldomain "$domain" _debug txtvalue "$txt" + _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } From 9bf37fde027dba6f03e7942a6398e50256d206e7 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:23:39 +0200 Subject: [PATCH 047/209] Added variable checks --- dnsapi/dns_selfhost.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d51608c9..601fca52 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -19,6 +19,11 @@ dns_selfhost_add() { SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" + if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then + _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" + return 1 + fi + if test -z "$SELFHOSTDNS_LAST_SLOT"; then SELFHOSTDNS_LAST_SLOT=1 fi @@ -41,6 +46,11 @@ dns_selfhost_add() { fi fi + if test -z "$rid"; then + _err "SELFHOSTDNS_RID and SELFHOSTDNS_RID2, or SELFHOSTDNS_MAP must be set" + return 1 + fi + _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" _info "Trying to add $txt on selfhost for rid: $rid" From b07e479840817af8adde56265c81e0267dc7f477 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:26:36 +0200 Subject: [PATCH 048/209] Save domain dependent values in domain.conf after successfull use --- dnsapi/dns_selfhost.sh | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 601fca52..47e2f24c 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -12,12 +12,15 @@ dns_selfhost_add() { _debug txtvalue "$txt" SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" + + # Get values, but don't save until we successfully validated SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" - SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readaccountconf_mutable SELFHOSTDNS_MAP)}" - SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readaccountconf_mutable SELFHOSTDNS_RID)}" - SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readaccountconf_mutable SELFHOSTDNS_RID2)}" - SELFHOSTDNS_LAST_SLOT="$(_readaccountconf_mutable SELFHOSTDNS_LAST_SLOT)" + # These values are domain dependent, so read them from there + _getdeployconf SELFHOSTDNS_MAP + _getdeployconf SELFHOSTDNS_RID + _getdeployconf SELFHOSTDNS_RID2 + _getdeployconf SELFHOSTDNS_LAST_SLOT if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" @@ -28,12 +31,6 @@ dns_selfhost_add() { SELFHOSTDNS_LAST_SLOT=1 fi - _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" - _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" - _saveaccountconf_mutable SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" - _saveaccountconf_mutable SELFHOSTDNS_RID "$SELFHOSTDNS_RID" - _saveaccountconf_mutable SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") if test -z "$rid"; then @@ -51,8 +48,6 @@ dns_selfhost_add() { return 1 fi - _saveaccountconf_mutable SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" - _info "Trying to add $txt on selfhost for rid: $rid" data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" @@ -62,6 +57,15 @@ dns_selfhost_add() { _err "Invalid response of acme-dns for selfhost" return 1 fi + + # Now that we know the values are good, save them + _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" + _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + # These values are domain dependent, so store them there + _savedeployconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" + _savedeployconf SELFHOSTDNS_RID "$SELFHOSTDNS_RID" + _savedeployconf SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" + _savedeployconf SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" } dns_selfhost_rm() { From 199d846acba357f11908dfc4219668dca5e9a459 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:53:36 +0200 Subject: [PATCH 049/209] Pseudo commit tp trigger Github Actions --- dnsapi/dns_selfhost.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 47e2f24c..33159c48 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -75,3 +75,4 @@ dns_selfhost_rm() { _debug txtvalue "$txt" _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } + From fe3523f47a0f05173ac2b1ac1620cbc3c671e9da Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Fri, 29 Apr 2022 23:05:46 +0200 Subject: [PATCH 050/209] Fix shfmt --- dnsapi/dns_selfhost.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 33159c48..47e2f24c 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -75,4 +75,3 @@ dns_selfhost_rm() { _debug txtvalue "$txt" _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } - From 2cf72bad30766960149c7111495cf1e1af6e6883 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Tue, 10 May 2022 07:09:31 +0200 Subject: [PATCH 051/209] domain lookup for DNS_MAP changed. --- dnsapi/dns_selfhost.sh | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 47e2f24c..7fa685fa 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -4,11 +4,13 @@ # Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 # Last Edit: 17.02.2022 +DNS_CHALLENGE_PREFIX_ESCAPED="_acme-challenge\." + dns_selfhost_add() { - domain=$1 + fulldomain=$1 txt=$2 _info "Calling acme-dns on selfhost" - _debug fulldomain "$domain" + _debug fulldomain "$fulldomain" _debug txtvalue "$txt" SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" @@ -31,7 +33,16 @@ dns_selfhost_add() { SELFHOSTDNS_LAST_SLOT=1 fi - rid=$(echo "$SELFHOSTDNS_MAP" | grep -Eoi "$domain:(\d+)" | tr -d "$domain:") + # cut DNS_CHALLENGE_PREFIX_ESCAPED from fulldomain if present at the beginning of the string + lookupdomain=$(echo "$fulldomain" | sed "s/^$DNS_CHALLENGE_PREFIX_ESCAPED//") + _debug lookupdomain "$lookupdomain" + + # get the RID for lookupdomain or fulldomain from SELFHOSTDNS_MAP + # only match full domains (at the beginning of the string or with a leading whitespace), + # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com + # replace the whole string with the RID (matching group 3) for assignment + # if the domain is defined multiple times only the last occurance will be matched + rid=$(echo "$SELFHOSTDNS_MAP" | sed -n "s/\(^\|^.*\s\)\($lookupdomain:\|$fulldomain:\)\([0-9][0-9]*\)\(.*\)/\3/Ip") if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then @@ -69,9 +80,9 @@ dns_selfhost_add() { } dns_selfhost_rm() { - domain=$1 + fulldomain=$1 txt=$2 - _debug fulldomain "$domain" + _debug fulldomain "$fulldomain" _debug txtvalue "$txt" _info "Creating and removing of records is not supported by selfhost API, will not delete anything." } From 9fb5bb620d2ffa51eabb0354dfccc29ea9d88315 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:13:24 +0800 Subject: [PATCH 052/209] refact ssh hook to use deploy config --- acme.sh | 20 +++ deploy/ssh.sh | 414 +++++++++++++++++++++++--------------------------- 2 files changed, 210 insertions(+), 224 deletions(-) diff --git a/acme.sh b/acme.sh index 260733a2..37c625d2 100755 --- a/acme.sh +++ b/acme.sh @@ -2332,6 +2332,26 @@ _readdomainconf() { _read_conf "$DOMAIN_CONF" "$1" } +#_migratedomainconf oldkey newkey base64encode +_migratedomainconf() { + _old_key="$1" + _new_key="$2" + _b64encode="$3" + _value=$(_readdomainconf "$_old_key") + if [ -z "$_value" ]; then + return 1 # oldkey is not found + fi + _savedomainconf "$_new_key" "$_value" "$_b64encode" + _cleardomainconf "$_old_key" + _debug "Domain config $_old_key has been migrated to $_new_key" +} + +#_migratedeployconf oldkey newkey base64encode +_migratedeployconf() { + _migratedomainconf "$1" "SAVED_$2" "$3" || + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found +} + #key value base64encode _savedeployconf() { _savedomainconf "SAVED_$1" "$2" "$3" diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 7d9e82e8..73d71597 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -23,8 +23,8 @@ # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value -# export DEPLOY_SSH_USE_SCP="" yes or no , default to no -# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q " +# export DEPLOY_SSH_USE_SCP="" yes or no, default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q" # ######## Public functions ##################### @@ -44,110 +44,134 @@ ssh_deploy() { _debug _cfullchain "$_cfullchain" # USER is required to login by SSH to remote host. + _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER _getdeployconf DEPLOY_SSH_USER _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER" if [ -z "$DEPLOY_SSH_USER" ]; then - if [ -z "$Le_Deploy_ssh_user" ]; then - _err "DEPLOY_SSH_USER not defined." - return 1 - fi - else - Le_Deploy_ssh_user="$DEPLOY_SSH_USER" - _savedeployconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user" + _err "DEPLOY_SSH_USER not defined." + return 1 fi + _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER" # SERVER is optional. If not provided then use _cdomain + _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER _getdeployconf DEPLOY_SSH_SERVER _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" - if [ -n "$DEPLOY_SSH_SERVER" ]; then - Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER" - _savedeployconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server" - elif [ -z "$Le_Deploy_ssh_server" ]; then - Le_Deploy_ssh_server="$_cdomain" + if [ -z "$DEPLOY_SSH_SERVER" ]; then + DEPLOY_SSH_SERVER="$_cdomain" fi + _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" # CMD is optional. If not provided then use ssh + _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD _getdeployconf DEPLOY_SSH_CMD _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" - if [ -n "$DEPLOY_SSH_CMD" ]; then - Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD" - _savedeployconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd" - elif [ -z "$Le_Deploy_ssh_cmd" ]; then - Le_Deploy_ssh_cmd="ssh -T" - fi - - # USE_SCP is optional. If not provided then default to previously saved - # value (which may be undefined... equivalent to "no"). - if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then - Le_Deploy_ssh_use_scp="yes" - _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" - elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then - Le_Deploy_ssh_use_scp="" - _cleardomainconf Le_Deploy_ssh_use_scp - fi - - # SCP_CMD is optional. If not provided then use scp - if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then - Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" - elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -q" + if [ -z "$DEPLOY_SSH_CMD" ]; then + DEPLOY_SSH_CMD="ssh -T" fi + _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" # BACKUP is optional. If not provided then default to previously saved value or yes. + _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP _getdeployconf DEPLOY_SSH_BACKUP _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" - if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then - Le_Deploy_ssh_backup="no" - elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then - Le_Deploy_ssh_backup="yes" + if [ -z "$DEPLOY_SSH_BACKUP" ]; then + DEPLOY_SSH_BACKUP="yes" fi - _savedeployconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup" + _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy + _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH _getdeployconf DEPLOY_SSH_BACKUP_PATH _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" - if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then - Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH" - elif [ -z "$Le_Deploy_ssh_backup_path" ]; then - Le_Deploy_ssh_backup_path=".acme_ssh_deploy" + if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then + DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" fi - _savedeployconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path" + _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" # MULTI_CALL is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). + _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL _getdeployconf DEPLOY_SSH_MULTI_CALL _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" - if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then - Le_Deploy_ssh_multi_call="" - _cleardomainconf Le_Deploy_ssh_multi_call + if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then + DEPLOY_SSH_MULTI_CALL="no" + fi + _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" + + # KEYFILE is optional. + # If provided then private key will be copied to provided filename. + _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE + _getdeployconf DEPLOY_SSH_KEYFILE + _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + if [ -n "$DEPLOY_SSH_KEYFILE" ]; then + _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + fi + + # CERTFILE is optional. + # If provided then certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE + _getdeployconf DEPLOY_SSH_CERTFILE + _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + if [ -n "$DEPLOY_SSH_CERTFILE" ]; then + _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + fi + + # CAFILE is optional. + # If provided then CA intermediate certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE + _getdeployconf DEPLOY_SSH_CAFILE + _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + if [ -n "$DEPLOY_SSH_CAFILE" ]; then + _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + fi + + # FULLCHAIN is optional. + # If provided then fullchain certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN + _getdeployconf DEPLOY_SSH_FULLCHAIN + _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then + _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + fi + + # REMOTE_CMD is optional. + # If provided then this command will be executed on remote host. + _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD + _getdeployconf DEPLOY_SSH_REMOTE_CMD + _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" + if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then + _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" fi # USE_SCP is optional. If not provided then default to previously saved # value (which may be undefined... equivalent to "no"). - if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then - Le_Deploy_ssh_use_scp="yes" - _savedeployconf Le_Deploy_ssh_use_scp "$Le_Deploy_ssh_use_scp" - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - elif [ "$DEPLOY_SSH_USE_SCP" = "no" ]; then - Le_Deploy_ssh_use_scp="" - _cleardomainconf Le_Deploy_ssh_use_scp + _getdeployconf DEPLOY_SSH_USE_SCP + _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" + if [ -z "$DEPLOY_SSH_USE_SCP" ]; then + DEPLOY_SSH_USE_SCP="no" fi + _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" # SCP_CMD is optional. If not provided then use scp - if [ -n "$DEPLOY_SSH_SCP_CMD" ]; then - Le_Deploy_ssh_scp_cmd="$DEPLOY_SSH_SCP_CMD" - _savedeployconf Le_Deploy_ssh_scp_cmd "$Le_Deploy_ssh_scp_cmd" - elif [ -z "$Le_Deploy_ssh_scp_cmd" ]; then - Le_Deploy_ssh_scp_cmd="scp -T -q " + _getdeployconf DEPLOY_SSH_SCP_CMD + _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then + DEPLOY_SSH_SCP_CMD="scp -q" + fi + _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + DEPLOY_SSH_MULTI_CALL="yes" + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" + else + _info "Required commands batched and sent in single call to remote host" fi - _deploy_ssh_servers=$Le_Deploy_ssh_server - for Le_Deploy_ssh_server in $_deploy_ssh_servers; do + _deploy_ssh_servers=$DEPLOY_SSH_SERVER + for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do _ssh_deploy done } @@ -161,20 +185,10 @@ _ssh_deploy() { _local_ca_file="" _local_full_file="" - _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server" - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - _info "Using scp as alternate method for copying files. Multicall Mode is implicit" - Le_Deploy_ssh_multi_call="yes" - _savedeployconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call" - fi - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then - _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" - else - _info "Required commands batched and sent in single call to remote host" - fi + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" - if [ "$Le_Deploy_ssh_backup" = "yes" ]; then - _backupprefix="$Le_Deploy_ssh_backup_path/$_cdomain-backup" + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')" # run cleanup on the backup directory, erase all older # than 180 days (15552000 seconds). @@ -186,7 +200,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _cmdstr="mkdir -p $_backupdir; $_cmdstr" _info "Backup of old certificate files will be placed in remote directory $_backupdir" _info "Backup directories erased after 180 days." - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -194,19 +208,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # KEYFILE is optional. - # If provided then private key will be copied to provided filename. - _getdeployconf DEPLOY_SSH_KEYFILE - _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" if [ -n "$DEPLOY_SSH_KEYFILE" ]; then - Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE" - _savedeployconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile" - fi - if [ -n "$Le_Deploy_ssh_keyfile" ]; then - if [ "$Le_Deploy_ssh_backup" = "yes" ]; then + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -215,15 +221,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi # copy new key into file. - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then # scp the file - if ! _scp_remote_cmd "$_ckey" "$Le_Deploy_ssh_keyfile"; then + if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then return $_err_code fi else - _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" - _info "will copy private key to remote file $Le_Deploy_ssh_keyfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;" + _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -232,26 +239,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # CERTFILE is optional. - # If provided then certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_CERTFILE - _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" if [ -n "$DEPLOY_SSH_CERTFILE" ]; then - Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE" - _savedeployconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile" - fi - if [ -n "$Le_Deploy_ssh_certfile" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_cert_file=$(_mktemp) - cat "$_ckey" >"$_local_cert_file" - cat "$_ccert" >>"$_local_cert_file" - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -259,21 +255,22 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_cert_file" ]; then - if ! _scp_remote_cmd "$_local_cert_file" "$Le_Deploy_ssh_certfile"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_ccert" "$Le_Deploy_ssh_certfile"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_cert_file=$(_mktemp) + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_cert_file" + fi + cat "$_ccert" >> "$_local_cert_file" + if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" - _info "will copy certificate to remote file $Le_Deploy_ssh_certfile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;" + _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -282,34 +279,16 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # CAFILE is optional. - # If provided then CA intermediate certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_CAFILE - _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" if [ -n "$DEPLOY_SSH_CAFILE" ]; then - Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE" - _savedeployconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" - fi - if [ -n "$Le_Deploy_ssh_cafile" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] || - [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_ca_file=$(_mktemp) - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ]; then - cat "$_ckey" >>"$_local_ca_file" - fi - if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >>"$_local_ca_file" - fi - - cat "$_cca" >>"$_local_ca_file" - - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -317,21 +296,25 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_ca_file" ]; then - if ! _scp_remote_cmd "$_local_ca_file" "$Le_Deploy_ssh_cafile"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_cca" "$Le_Deploy_ssh_cafile"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_ca_file=$(_mktemp) + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_ca_file" + fi + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >> "$_local_ca_file" + fi + cat "$_cca" >>"$_local_ca_file" + if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" - _info "will copy CA file to remote file $Le_Deploy_ssh_cafile" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;" + _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -340,37 +323,17 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - # FULLCHAIN is optional. - # If provided then fullchain certificate will be copied or appended to provided filename. - _getdeployconf DEPLOY_SSH_FULLCHAIN - _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then - Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN" - _savedeployconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" - fi - if [ -n "$Le_Deploy_ssh_fullchain" ]; then _pipe=">" - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] || - [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] || - [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then # if filename is same as previous file then append. _pipe=">>" - _local_full_file=$(_mktemp) - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ]; then - cat "$_ckey" >>"$_local_full_file" - fi - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ]; then - cat "$_ccert" >>"$_local_full_file" - fi - if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then - cat "$_cca" >>"$_local_full_file" - fi - cat "$_cfullchain" >>"$_local_full_file" - - elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then # backup file we are about to overwrite. - _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -378,21 +341,28 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi - if [ "$Le_Deploy_ssh_use_scp" = "yes" ]; then - if [ -n "$_local_full_file" ]; then - if ! _scp_remote_cmd "$_local_full_file" "$Le_Deploy_ssh_fullchain"; then - return $_err_code - fi - else - if ! _scp_remote_cmd "$_cfullchain" "$Le_Deploy_ssh_fullchain"; then - return $_err_code - fi + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_full_file=$(_mktemp) + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >> "$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >> "$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then + cat "$_cca" >> "$_local_full_file" + fi + cat "$_cfullchain" >> "$_local_full_file" + if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then + return $_err_code fi else - # copy new certificate into file. - _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" - _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;" + _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -400,30 +370,22 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d fi fi fi - # cleanup local files if any - if [ -n "$_local_cert_file" ]; then - rm "$_local_cert_file" >/dev/null 1>&2 + # cleanup local files if any + if [ -f "$_local_cert_file" ]; then + rm -f "$_local_cert_file" fi - if [ -n "$_local_ca_file" ]; then - rm "$_local_ca_file" >/dev/null 1>&2 + if [ -f "$_local_ca_file" ]; then + rm -f "$_local_ca_file" fi - if [ -n "$_local_full_file" ]; then - rm "$_local_full_file" >/dev/null 1>&2 + if [ -f "$_local_full_file" ]; then + rm -f "$_local_full_file" fi - # REMOTE_CMD is optional. - # If provided then this command will be executed on remote host. - _getdeployconf DEPLOY_SSH_REMOTE_CMD - _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then - Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD" - _savedeployconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" - fi - if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then - _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;" - _info "Will execute remote command $Le_Deploy_ssh_remote_cmd" - if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then + _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;" + _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then if ! _ssh_remote_cmd "$_cmdstr"; then return $_err_code fi @@ -445,10 +407,11 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d _ssh_remote_cmd() { _cmd="$1" _secure_debug "Remote commands to execute: $_cmd" - _info "Submitting sequence of commands to remote server by ssh" + _info "Submitting sequence of commands to remote server by $DEPLOY_SSH_CMD" + # quotations in bash cmd below intended. Squash travis spellcheck error # shellcheck disable=SC2029 - $Le_Deploy_ssh_cmd "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmd'" + $DEPLOY_SSH_CMD "$DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" sh -c "'$_cmd'" _err_code="$?" if [ "$_err_code" != "0" ]; then @@ -460,9 +423,12 @@ _ssh_remote_cmd() { # cmd scp _scp_remote_cmd() { - _secure_debug "Remote scp source $1 and destination $2 using : $Le_Deploy_ssh_scp_cmd" - _info "Submitting secure copy command : $Le_Deploy_ssh_scp_cmd" - $Le_Deploy_ssh_scp_cmd "$1" "$Le_Deploy_ssh_user"@"$Le_Deploy_ssh_server":"$2" + _src=$1 + _dest=$2 + _secure_debug "Remote copy source $_src to destination $_dest using: $DEPLOY_SSH_SCP_CMD" + _info "Submitting secure copy command: $DEPLOY_SSH_SCP_CMD" + + $DEPLOY_SSH_SCP_CMD "$_src" "$DEPLOY_SSH_USER"@"$DEPLOY_SSH_SERVER":"$_dest" _err_code="$?" if [ "$_err_code" != "0" ]; then From c8929ca0cb13abb2213cd5da7abd9bd1b140af9a Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:29:19 +0800 Subject: [PATCH 053/209] support specifying port for each host --- deploy/ssh.sh | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 73d71597..2de0d325 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -14,7 +14,7 @@ # The following examples are for QNAP NAS running QTS 4.2 # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" # export DEPLOY_SSH_USER="admin" # required -# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name +# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name, support multiple servers with optional port (eg. "host1 host2:8022") # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" @@ -185,7 +185,12 @@ _ssh_deploy() { _local_ca_file="" _local_full_file="" - _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" + case $DEPLOY_SSH_SERVER in + (*:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; + (*) _host=$DEPLOY_SSH_SERVER _port=;; + esac + + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" @@ -406,12 +411,18 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d #cmd _ssh_remote_cmd() { _cmd="$1" + + _ssh_cmd="$DEPLOY_SSH_CMD" + if [ -n "$_port" ]; then + _ssh_cmd="$_ssh_cmd -p $_port" + fi + _secure_debug "Remote commands to execute: $_cmd" - _info "Submitting sequence of commands to remote server by $DEPLOY_SSH_CMD" + _info "Submitting sequence of commands to remote server by $_ssh_cmd" # quotations in bash cmd below intended. Squash travis spellcheck error # shellcheck disable=SC2029 - $DEPLOY_SSH_CMD "$DEPLOY_SSH_USER@$DEPLOY_SSH_SERVER" sh -c "'$_cmd'" + $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'" _err_code="$?" if [ "$_err_code" != "0" ]; then @@ -425,10 +436,16 @@ _ssh_remote_cmd() { _scp_remote_cmd() { _src=$1 _dest=$2 - _secure_debug "Remote copy source $_src to destination $_dest using: $DEPLOY_SSH_SCP_CMD" - _info "Submitting secure copy command: $DEPLOY_SSH_SCP_CMD" - $DEPLOY_SSH_SCP_CMD "$_src" "$DEPLOY_SSH_USER"@"$DEPLOY_SSH_SERVER":"$_dest" + _scp_cmd="$DEPLOY_SSH_SCP_CMD" + if [ -n "$_port" ]; then + _scp_cmd="$_scp_cmd -P $_port" + fi + + _secure_debug "Remote copy source $_src to destination $_dest" + _info "Submitting secure copy by $_scp_cmd" + + $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest" _err_code="$?" if [ "$_err_code" != "0" ]; then From f90cbb636a101625b118fbdb57b64f7d4d0bdabb Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:41:59 +0800 Subject: [PATCH 054/209] fix format --- acme.sh | 2 +- deploy/ssh.sh | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/acme.sh b/acme.sh index 37c625d2..4366501b 100755 --- a/acme.sh +++ b/acme.sh @@ -2349,7 +2349,7 @@ _migratedomainconf() { #_migratedeployconf oldkey newkey base64encode _migratedeployconf() { _migratedomainconf "$1" "SAVED_$2" "$3" || - _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found } #key value base64encode diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 2de0d325..d40bba43 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -186,8 +186,8 @@ _ssh_deploy() { _local_full_file="" case $DEPLOY_SSH_SERVER in - (*:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; - (*) _host=$DEPLOY_SSH_SERVER _port=;; + *:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; + *) _host=$DEPLOY_SSH_SERVER _port=;; esac _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" @@ -265,9 +265,9 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_cert_file=$(_mktemp) if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_cert_file" + cat "$_ckey" >>"$_local_cert_file" fi - cat "$_ccert" >> "$_local_cert_file" + cat "$_ccert" >>"$_local_cert_file" if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then return $_err_code fi @@ -306,10 +306,10 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_ca_file=$(_mktemp) if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_ca_file" + cat "$_ckey" >>"$_local_ca_file" fi if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then - cat "$_ccert" >> "$_local_ca_file" + cat "$_ccert" >>"$_local_ca_file" fi cat "$_cca" >>"$_local_ca_file" if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then @@ -351,15 +351,15 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d # scp the file _local_full_file=$(_mktemp) if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then - cat "$_ckey" >> "$_local_full_file" + cat "$_ckey" >>"$_local_full_file" fi if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then - cat "$_ccert" >> "$_local_full_file" + cat "$_ccert" >>"$_local_full_file" fi if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then - cat "$_cca" >> "$_local_full_file" + cat "$_cca" >>"$_local_full_file" fi - cat "$_cfullchain" >> "$_local_full_file" + cat "$_cfullchain" >>"$_local_full_file" if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then return $_err_code fi From 74f28021e701c53665774c4861d68863775bb206 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:49:40 +0800 Subject: [PATCH 055/209] fix format again --- deploy/ssh.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index d40bba43..074af84f 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -186,8 +186,14 @@ _ssh_deploy() { _local_full_file="" case $DEPLOY_SSH_SERVER in - *:*) _host=${DEPLOY_SSH_SERVER%:*} _port=${DEPLOY_SSH_SERVER##*:};; - *) _host=$DEPLOY_SSH_SERVER _port=;; + *:*) + _host=${DEPLOY_SSH_SERVER%:*} + _port=${DEPLOY_SSH_SERVER##*:} + ;; + *) + _host=$DEPLOY_SSH_SERVER + _port= + ;; esac _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" From 3ce7d410c8ee18d4ed1049ccdc500a6624613df7 Mon Sep 17 00:00:00 2001 From: PM Extra Date: Sat, 14 May 2022 22:59:02 +0800 Subject: [PATCH 056/209] improve doc comments --- deploy/ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 074af84f..1aed7d3e 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -14,7 +14,7 @@ # The following examples are for QNAP NAS running QTS 4.2 # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" # export DEPLOY_SSH_USER="admin" # required -# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name, support multiple servers with optional port (eg. "host1 host2:8022") +# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" From d4cf03c9fd0c5dbfaf2292c0f5552382ee4640a0 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Wed, 18 May 2022 11:48:48 +0200 Subject: [PATCH 057/209] changes due to inkompabilities of some distros --- dnsapi/dns_selfhost.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 7fa685fa..b4284f51 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -42,7 +42,7 @@ dns_selfhost_add() { # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com # replace the whole string with the RID (matching group 3) for assignment # if the domain is defined multiple times only the last occurance will be matched - rid=$(echo "$SELFHOSTDNS_MAP" | sed -n "s/\(^\|^.*\s\)\($lookupdomain:\|$fulldomain:\)\([0-9][0-9]*\)\(.*\)/\3/Ip") + rid=$(echo "$SELFHOSTDNS_MAP" | sed -E "s/(^|^.*[[:space:]])($lookupdomain:|$fulldomain:)([0-9][0-9]*)(.*)/\3/") if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then From d2a9d731edbc5d6dcfc434560ba605bef9039ed2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 May 2022 22:25:44 +0800 Subject: [PATCH 058/209] Update ssh.sh --- deploy/ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ssh.sh b/deploy/ssh.sh index 1aed7d3e..c66e2e19 100644 --- a/deploy/ssh.sh +++ b/deploy/ssh.sh @@ -170,7 +170,7 @@ ssh_deploy() { _info "Required commands batched and sent in single call to remote host" fi - _deploy_ssh_servers=$DEPLOY_SSH_SERVER + _deploy_ssh_servers="$DEPLOY_SSH_SERVER" for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do _ssh_deploy done From c485011ed1d714540163013f14418dce937dbac1 Mon Sep 17 00:00:00 2001 From: Bjarne Saltbaek Date: Sat, 16 Jul 2022 14:16:03 +0200 Subject: [PATCH 059/209] Multidomain patch suggestion from Sandeep Mittal --- dnsapi/dns_cpanel.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_cpanel.sh b/dnsapi/dns_cpanel.sh index f91725a4..0c9def67 100755 --- a/dnsapi/dns_cpanel.sh +++ b/dnsapi/dns_cpanel.sh @@ -120,7 +120,7 @@ _myget() { _get_root() { _myget 'json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzones' - _domains=$(echo "$_result" | sed 's/.*\(zones.*\[\).*/\1/' | cut -d':' -f2 | sed 's/"//g' | sed 's/{//g') + _domains=$(echo "$_result" | _egrep_o '"[a-z0-9\.\-]*":\["; cPanel first' | cut -d':' -f1 | sed 's/"//g' | sed 's/{//g') _debug "_result is: $_result" _debug "_domains is: $_domains" if [ -z "$_domains" ]; then @@ -146,7 +146,7 @@ _findentry() { _debug "In _findentry" #returns id of dns entry, if it exists _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$_domain" - _id=$(echo "$_result" | sed "s/.*\(line.*$fulldomain.*$txtvalue\).*/\1/" | cut -d ':' -f 2 | cut -d ',' -f 1) + _id=$(echo "$_result" | sed -e "s/},{/},\n{/g" | grep "$fulldomain" | grep "$txtvalue" | _egrep_o 'line":[0-9]+' | cut -d ':' -f 2) _debug "_result is: $_result" _debug "fulldomain. is $fulldomain." _debug "txtvalue is $txtvalue" From 2fb9c923f4c3ffad2806f4ef6a941466b417f83e Mon Sep 17 00:00:00 2001 From: Bjarne Saltbaek Date: Sat, 16 Jul 2022 14:35:49 +0200 Subject: [PATCH 060/209] push for re-test --- dnsapi/dns_cpanel.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_cpanel.sh b/dnsapi/dns_cpanel.sh index 0c9def67..053b3ff3 100755 --- a/dnsapi/dns_cpanel.sh +++ b/dnsapi/dns_cpanel.sh @@ -13,6 +13,7 @@ # cPanel_Hostname=hostname # # Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" + # Used to add txt record dns_cpanel_add() { fulldomain=$1 From 7122a960fa1c4e33ca22d0afd98063df0a89757e Mon Sep 17 00:00:00 2001 From: Dennis Koot Date: Tue, 26 Jul 2022 11:33:50 +0200 Subject: [PATCH 061/209] make ip-whitelisting configurable for DNS TransIP and download keyfile if it is an url --- dnsapi/dns_transip.sh | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_transip.sh b/dnsapi/dns_transip.sh index 23debe0d..64a256ec 100644 --- a/dnsapi/dns_transip.sh +++ b/dnsapi/dns_transip.sh @@ -1,7 +1,6 @@ #!/usr/bin/env sh TRANSIP_Api_Url="https://api.transip.nl/v6" TRANSIP_Token_Read_Only="false" -TRANSIP_Token_Global_Key="false" TRANSIP_Token_Expiration="30 minutes" # You can't reuse a label token, so we leave this empty normally TRANSIP_Token_Label="" @@ -96,7 +95,11 @@ _transip_get_token() { nonce=$(echo "TRANSIP$(_time)" | _digest sha1 hex | cut -c 1-32) _debug nonce "$nonce" - data="{\"login\":\"${TRANSIP_Username}\",\"nonce\":\"${nonce}\",\"read_only\":\"${TRANSIP_Token_Read_Only}\",\"expiration_time\":\"${TRANSIP_Token_Expiration}\",\"label\":\"${TRANSIP_Token_Label}\",\"global_key\":\"${TRANSIP_Token_Global_Key}\"}" + # make IP whitelisting configurable + TRANSIP_Token_Global_Key="${TRANSIP_Token_Global_Key:-$(_readaccountconf_mutable TRANSIP_Token_Global_Key)}" + _saveaccountconf_mutable TRANSIP_Token_Global_Key "$TRANSIP_Token_Global_Key" + + data="{\"login\":\"${TRANSIP_Username}\",\"nonce\":\"${nonce}\",\"read_only\":\"${TRANSIP_Token_Read_Only}\",\"expiration_time\":\"${TRANSIP_Token_Expiration}\",\"label\":\"${TRANSIP_Token_Label}\",\"global_key\":\"${TRANSIP_Token_Global_Key:-false}\"}" _debug data "$data" #_signature=$(printf "%s" "$data" | openssl dgst -sha512 -sign "$TRANSIP_Key_File" | _base64) @@ -139,6 +142,18 @@ _transip_setup() { _saveaccountconf_mutable TRANSIP_Username "$TRANSIP_Username" _saveaccountconf_mutable TRANSIP_Key_File "$TRANSIP_Key_File" + # download key file if it's an URL + if _startswith "$TRANSIP_Key_File" "http"; then + _debug "download transip key file" + TRANSIP_Key_URL=$TRANSIP_Key_File + TRANSIP_Key_File="$(_mktemp)" + chmod 600 "$TRANSIP_Key_File" + if ! _get "$TRANSIP_Key_URL" >"$TRANSIP_Key_File"; then + _err "Error getting key file from : $TRANSIP_Key_URL" + return 1 + fi + fi + if [ -f "$TRANSIP_Key_File" ]; then if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then _err "Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}" @@ -156,6 +171,12 @@ _transip_setup() { fi fi + if [ -n "${TRANSIP_Key_URL}" ]; then + _debug "delete transip key file" + rm "${TRANSIP_Key_File}" + TRANSIP_Key_File=$TRANSIP_Key_URL + fi + _get_root "$fulldomain" || return 1 return 0 From b44ba0d21a8bfbc60708c8afa7477af9e0ef19cc Mon Sep 17 00:00:00 2001 From: Danny Tix Date: Tue, 16 Aug 2022 23:08:04 -0800 Subject: [PATCH 062/209] Add wildcard deployment to cpanel_uapi --- deploy/cpanel_uapi.sh | 185 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 167 insertions(+), 18 deletions(-) diff --git a/deploy/cpanel_uapi.sh b/deploy/cpanel_uapi.sh index 44844f79..eea96248 100644 --- a/deploy/cpanel_uapi.sh +++ b/deploy/cpanel_uapi.sh @@ -3,18 +3,29 @@ # Uses command line uapi. --user option is needed only if run as root. # Returns 0 when success. # +# Configure DEPLOY_CPANEL_AUTO_<...> options to enable or restrict automatic +# detection of deployment targets through UAPI (if not set, defaults below are used.) +# - ENABLED : 'true' for multi-site / wildcard capability; otherwise single-site mode. +# - NOMATCH : 'true' to allow deployment to sites that do not match the certificate. +# - INCLUDE : Comma-separated list - sites must match this field. +# - EXCLUDE : Comma-separated list - sites must NOT match this field. +# INCLUDE/EXCLUDE both support non-lexical, glob-style matches using '*' +# # Please note that I am no longer using Github. If you want to report an issue # or contact me, visit https://forum.webseodesigners.com/web-design-seo-and-hosting-f16/ # # Written by Santeri Kannisto # Public domain, 2017-2018 - -#export DEPLOY_CPANEL_USER=myusername +# +# export DEPLOY_CPANEL_USER=myusername +# export DEPLOY_CPANEL_AUTO_ENABLED='true' +# export DEPLOY_CPANEL_AUTO_NOMATCH='false' +# export DEPLOY_CPANEL_AUTO_INCLUDE='*' +# export DEPLOY_CPANEL_AUTO_EXCLUDE='' ######## Public functions ##################### #domain keyfile certfile cafile fullchain - cpanel_uapi_deploy() { _cdomain="$1" _ckey="$2" @@ -22,6 +33,9 @@ cpanel_uapi_deploy() { _cca="$4" _cfullchain="$5" + # re-declare vars inherited from acme.sh but not passed to make ShellCheck happy + : "${Le_Alt:=""}" + _debug _cdomain "$_cdomain" _debug _ckey "$_ckey" _debug _ccert "$_ccert" @@ -32,31 +46,166 @@ cpanel_uapi_deploy() { _err "The command uapi is not found." return 1 fi + + # declare useful constants + uapi_error_response='status: 0' + # read cert and key files and urlencode both _cert=$(_url_encode <"$_ccert") _key=$(_url_encode <"$_ckey") - _debug _cert "$_cert" - _debug _key "$_key" + _debug2 _cert "$_cert" + _debug2 _key "$_key" if [ "$(id -u)" = 0 ]; then - if [ -z "$DEPLOY_CPANEL_USER" ]; then + _getdeployconf DEPLOY_CPANEL_USER + # fallback to _readdomainconf for old installs + if [ -z "${DEPLOY_CPANEL_USER:=$(_readdomainconf DEPLOY_CPANEL_USER)}" ]; then _err "It seems that you are root, please define the target user name: export DEPLOY_CPANEL_USER=username" return 1 fi - _savedomainconf DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER" - _response=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key") - else - _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key") + _debug DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER" + _savedeployconf DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER" + + _uapi_user="$DEPLOY_CPANEL_USER" fi - error_response="status: 0" - if test "${_response#*$error_response}" != "$_response"; then - _err "Error in deploying certificate:" - _err "$_response" - return 1 + + # Load all AUTO envars and set defaults - see above for usage + __cpanel_initautoparam ENABLED 'true' + __cpanel_initautoparam NOMATCH 'false' + __cpanel_initautoparam INCLUDE '*' + __cpanel_initautoparam EXCLUDE '' + + # Auto mode + if [ "$DEPLOY_CPANEL_AUTO_ENABLED" = "true" ]; then + # call API for site config + _response=$(uapi DomainInfo list_domains) + # exit if error in response + if [ -z "$_response" ] || [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then + _err "Error in deploying certificate - cannot retrieve sitelist:" + _err "\n$_response" + return 1 + fi + + # parse response to create site list + sitelist=$(__cpanel_parse_response "$_response") + _debug "UAPI sites found: $sitelist" + + # filter sitelist using configured domains + # skip if NOMATCH is "true" + if [ "$DEPLOY_CPANEL_AUTO_NOMATCH" = "true" ]; then + _debug "DEPLOY_CPANEL_AUTO_NOMATCH is true" + _info "UAPI nomatch mode is enabled - Will not validate sites are valid for the certificate" + else + _debug "DEPLOY_CPANEL_AUTO_NOMATCH is false" + d="$(echo "${Le_Alt}," | sed -e "s/^$_cdomain,//" -e "s/,$_cdomain,/,/")" + d="$(echo "$_cdomain,$d" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\[\^\.\]\*/g')" + sitelist="$(echo "$sitelist" | grep -ix "$d")" + _debug2 "Matched UAPI sites: $sitelist" + fi + + # filter sites that do not match $DEPLOY_CPANEL_AUTO_INCLUDE + _info "Applying sitelist filter DEPLOY_CPANEL_AUTO_INCLUDE: $DEPLOY_CPANEL_AUTO_INCLUDE" + sitelist="$(echo "$sitelist" | grep -ix "$(echo "$DEPLOY_CPANEL_AUTO_INCLUDE" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\.\*/g')")" + _debug2 "Remaining sites: $sitelist" + + # filter sites that match $DEPLOY_CPANEL_AUTO_EXCLUDE + _info "Applying sitelist filter DEPLOY_CPANEL_AUTO_EXCLUDE: $DEPLOY_CPANEL_AUTO_EXCLUDE" + sitelist="$(echo "$sitelist" | grep -vix "$(echo "$DEPLOY_CPANEL_AUTO_EXCLUDE" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\.\*/g')")" + _debug2 "Remaining sites: $sitelist" + + # counter for success / failure check + successes=0 + if [ -n "$sitelist" ]; then + sitetotal="$(echo "$sitelist" | wc -l)" + _debug "$sitetotal sites to deploy" + else + sitetotal=0 + _debug "No sites to deploy" + fi + + # for each site: call uapi to publish cert and log result. Only return failure if all fail + for site in $sitelist; do + # call uapi to publish cert, check response for errors and log them. + if [ -n "$_uapi_user" ]; then + _response=$(uapi --user="$_uapi_user" SSL install_ssl domain="$site" cert="$_cert" key="$_key") + else + _response=$(uapi SSL install_ssl domain="$site" cert="$_cert" key="$_key") + fi + if [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then + _err "Error in deploying certificate to $site:" + _err "$_response" + else + successes=$((successes + 1)) + _debug "$_response" + _info "Succcessfully deployed to $site" + fi + done + + # Raise error if all updates fail + if [ "$sitetotal" -gt 0 ] && [ "$successes" -eq 0 ]; then + _err "Could not deploy to any of $sitetotal sites via UAPI" + _debug "successes: $successes, sitetotal: $sitetotal" + return 1 + fi + + _info "Successfully deployed certificate to $successes of $sitetotal sites via UAPI" + return 0 + else + # "classic" mode - will only try to deploy to the primary domain; will not check UAPI first + if [ -n "$_uapi_user" ]; then + _response=$(uapi --user="$_uapi_user" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key") + else + _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key") + fi + + if [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then + _err "Error in deploying certificate:" + _err "$_response" + return 1 + fi + + _debug response "$_response" + _info "Certificate successfully deployed" + return 0 fi +} + +######## Private functions ##################### + +# Internal utility to process YML from UAPI - only looks at main_domain and sub_domains +#[response] +__cpanel_parse_response() { + if [ $# -gt 0 ]; then resp="$*"; else resp="$(cat)"; fi + + echo "$resp" | + sed -En \ + -e 's/\r$//' \ + -e 's/^( *)([_.[:alnum:]]+) *: *(.*)/\1,\2,\3/p' \ + -e 's/^( *)- (.*)/\1,-,\2/p' | + awk -F, '{ + level = length($1)/2; + section[level] = $2; + for (i in section) {if (i > level) {delete section[i]}} + if (length($3) > 0) { + prefix=""; + for (i=0; i < level; i++) + { prefix = (prefix)(section[i])("/") } + printf("%s%s=%s\n", prefix, $2, $3); + } + }' | + sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-)=(.*)$/\2/p' +} + +# Load parameter by prefix+name - fallback to default if not set, and save to config +#pname pdefault +__cpanel_initautoparam() { + pname="$1" + pdefault="$2" + pkey="DEPLOY_CPANEL_AUTO_$pname" - _debug response "$_response" - _info "Certificate successfully deployed" - return 0 + _getdeployconf "$pkey" + [ -n "$(eval echo "\"\$$pkey\"")" ] || eval "$pkey=\"$pdefault\"" + _debug2 "$pkey" "$(eval echo "\"\$$pkey\"")" + _savedeployconf "$pkey" "$(eval echo "\"\$$pkey\"")" } From dcf9c467c386e49c606aa98069f63efd8bc32309 Mon Sep 17 00:00:00 2001 From: Monius Date: Sat, 20 Aug 2022 19:37:51 +0800 Subject: [PATCH 063/209] fix issue, when profile not end with newline --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e8228e30..aecef894 100755 --- a/acme.sh +++ b/acme.sh @@ -6371,7 +6371,7 @@ _installalias() { if [ "$_profile" ]; then _debug "Found profile: $_profile" _info "Installing alias to '$_profile'" - _setopt "$_profile" ". \"$_envfile\"" + _setopt "$_profile" "\n. \"$_envfile\"" _info "OK, Close and reopen your terminal to start using $PROJECT_NAME" else _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME" From f2634b44cdd4bc38cfd9838ca6cb2e975bd4c25a Mon Sep 17 00:00:00 2001 From: Monius Date: Sun, 21 Aug 2022 12:26:37 +0800 Subject: [PATCH 064/209] add EOF, if $__conf not end with one --- acme.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index aecef894..ec4f90b7 100755 --- a/acme.sh +++ b/acme.sh @@ -2239,7 +2239,11 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi - + if [ -n "$(tail -c 1 <"$__conf")" ]; then + _debug3 No New Line + echo >>"$__conf" + fi + if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then _debug3 OK if _contains "$__val" "&"; then @@ -6371,7 +6375,7 @@ _installalias() { if [ "$_profile" ]; then _debug "Found profile: $_profile" _info "Installing alias to '$_profile'" - _setopt "$_profile" "\n. \"$_envfile\"" + _setopt "$_profile" ". \"$_envfile\"" _info "OK, Close and reopen your terminal to start using $PROJECT_NAME" else _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME" From 6502a71083de93cef288992b00f8d38f4d35c9a4 Mon Sep 17 00:00:00 2001 From: Monius Date: Mon, 22 Aug 2022 05:26:12 +0800 Subject: [PATCH 065/209] fix, but remove debug info --- acme.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/acme.sh b/acme.sh index ec4f90b7..882aaf03 100755 --- a/acme.sh +++ b/acme.sh @@ -2240,7 +2240,6 @@ _setopt() { touch "$__conf" fi if [ -n "$(tail -c 1 <"$__conf")" ]; then - _debug3 No New Line echo >>"$__conf" fi From 734c9a1aa5d697c9ae63a73326d2138ab4f60e65 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Sun, 21 Aug 2022 14:29:16 +0200 Subject: [PATCH 066/209] Dns Challenge prefix removed. SELFHOSTDNS_MAP entries must be fullpath incl. prefix --- dnsapi/dns_selfhost.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index b4284f51..628afe8d 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -4,8 +4,6 @@ # Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 # Last Edit: 17.02.2022 -DNS_CHALLENGE_PREFIX_ESCAPED="_acme-challenge\." - dns_selfhost_add() { fulldomain=$1 txt=$2 @@ -33,16 +31,12 @@ dns_selfhost_add() { SELFHOSTDNS_LAST_SLOT=1 fi - # cut DNS_CHALLENGE_PREFIX_ESCAPED from fulldomain if present at the beginning of the string - lookupdomain=$(echo "$fulldomain" | sed "s/^$DNS_CHALLENGE_PREFIX_ESCAPED//") - _debug lookupdomain "$lookupdomain" - - # get the RID for lookupdomain or fulldomain from SELFHOSTDNS_MAP + # get the RID for fulldomain from SELFHOSTDNS_MAP # only match full domains (at the beginning of the string or with a leading whitespace), # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com # replace the whole string with the RID (matching group 3) for assignment # if the domain is defined multiple times only the last occurance will be matched - rid=$(echo "$SELFHOSTDNS_MAP" | sed -E "s/(^|^.*[[:space:]])($lookupdomain:|$fulldomain:)([0-9][0-9]*)(.*)/\3/") + rid=$(echo "$SELFHOSTDNS_MAP" | sed -E "s/(^|^.*[[:space:]])($fulldomain:)([0-9][0-9]*)(.*)/\3/") if test -z "$rid"; then if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then From b9256a1ba727022ad02a0ef771df43303ee7ed85 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Sun, 21 Aug 2022 23:23:47 +0200 Subject: [PATCH 067/209] changed from *deployconf to *domainconf --- dnsapi/dns_selfhost.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 628afe8d..4171cb3c 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -17,10 +17,10 @@ dns_selfhost_add() { SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" # These values are domain dependent, so read them from there - _getdeployconf SELFHOSTDNS_MAP - _getdeployconf SELFHOSTDNS_RID - _getdeployconf SELFHOSTDNS_RID2 - _getdeployconf SELFHOSTDNS_LAST_SLOT + SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}" + SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readdomainconf SELFHOSTDNS_RID)}" + SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readdomainconf SELFHOSTDNS_RID2)}" + SELFHOSTDNS_LAST_SLOT="${SELFHOSTDNS_LAST_SLOT:-$(_readdomainconf SELFHOSTDNS_LAST_SLOT)}" if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" @@ -67,10 +67,10 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" # These values are domain dependent, so store them there - _savedeployconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" - _savedeployconf SELFHOSTDNS_RID "$SELFHOSTDNS_RID" - _savedeployconf SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - _savedeployconf SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" + _savedomainconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" + _savedomainconf SELFHOSTDNS_RID "$SELFHOSTDNS_RID" + _savedomainconf SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" + _savedomainconf SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" } dns_selfhost_rm() { From 35ec3adadc82836918d9854fe671300c382e209c Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Mon, 22 Aug 2022 00:53:32 +0200 Subject: [PATCH 068/209] only use SELFHOSTDNS_MAP for configuration of RIDs. detect wildcard domain for use of additional RID --- dnsapi/dns_selfhost.sh | 45 +++++++++++++++++++----------------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 4171cb3c..c63f81d7 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -10,6 +10,7 @@ dns_selfhost_add() { _info "Calling acme-dns on selfhost" _debug fulldomain "$fulldomain" _debug txtvalue "$txt" + _debug domain "$d" SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" @@ -18,39 +19,36 @@ dns_selfhost_add() { SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" # These values are domain dependent, so read them from there SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}" - SELFHOSTDNS_RID="${SELFHOSTDNS_RID:-$(_readdomainconf SELFHOSTDNS_RID)}" - SELFHOSTDNS_RID2="${SELFHOSTDNS_RID2:-$(_readdomainconf SELFHOSTDNS_RID2)}" - SELFHOSTDNS_LAST_SLOT="${SELFHOSTDNS_LAST_SLOT:-$(_readdomainconf SELFHOSTDNS_LAST_SLOT)}" if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" return 1 fi - if test -z "$SELFHOSTDNS_LAST_SLOT"; then - SELFHOSTDNS_LAST_SLOT=1 - fi - - # get the RID for fulldomain from SELFHOSTDNS_MAP + # get the domain entry from SELFHOSTDNS_MAP # only match full domains (at the beginning of the string or with a leading whitespace), # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com - # replace the whole string with the RID (matching group 3) for assignment # if the domain is defined multiple times only the last occurance will be matched - rid=$(echo "$SELFHOSTDNS_MAP" | sed -E "s/(^|^.*[[:space:]])($fulldomain:)([0-9][0-9]*)(.*)/\3/") - - if test -z "$rid"; then - if [ $SELFHOSTDNS_LAST_SLOT = "2" ]; then - rid=$SELFHOSTDNS_RID - SELFHOSTDNS_LAST_SLOT=1 - else - rid=$SELFHOSTDNS_RID2 - SELFHOSTDNS_LAST_SLOT=2 - fi + mapEntry=$(echo "$SELFHOSTDNS_MAP" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain)(:[[:digit:]]+)([:]?[[:digit:]]*)(.*)/\2\3\4/p") + _debug mapEntry $mapEntry + if test -z "$mapEntry"; then + _err "SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID" + return 1 fi - if test -z "$rid"; then - _err "SELFHOSTDNS_RID and SELFHOSTDNS_RID2, or SELFHOSTDNS_MAP must be set" - return 1 + # get the RIDs from the map entry + rid1=$(echo "$mapEntry" | cut -d: -f2) + _debug rid1 $rid1 + rid2=$(echo "$mapEntry" | cut -d: -f3) + _debug rid2 $rid2 + + rid=$rid1 + # check for wildcard domain and use rid2 if set + if _startswith "$d" '*.'; then + _debug2 "wildcard domain" + if ! test -z "$rid2"; then + rid=$rid2 + fi fi _info "Trying to add $txt on selfhost for rid: $rid" @@ -68,9 +66,6 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" # These values are domain dependent, so store them there _savedomainconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" - _savedomainconf SELFHOSTDNS_RID "$SELFHOSTDNS_RID" - _savedomainconf SELFHOSTDNS_RID2 "$SELFHOSTDNS_RID2" - _savedomainconf SELFHOSTDNS_LAST_SLOT "$SELFHOSTDNS_LAST_SLOT" } dns_selfhost_rm() { From 281951a86bed68de20ae1cec96bfbe24ef64e181 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Mon, 22 Aug 2022 06:51:17 +0200 Subject: [PATCH 069/209] ShellCheck fixed --- dnsapi/dns_selfhost.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index c63f81d7..f8c8d314 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -30,7 +30,7 @@ dns_selfhost_add() { # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com # if the domain is defined multiple times only the last occurance will be matched mapEntry=$(echo "$SELFHOSTDNS_MAP" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain)(:[[:digit:]]+)([:]?[[:digit:]]*)(.*)/\2\3\4/p") - _debug mapEntry $mapEntry + _debug mapEntry "$mapEntry" if test -z "$mapEntry"; then _err "SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID" return 1 @@ -38,16 +38,16 @@ dns_selfhost_add() { # get the RIDs from the map entry rid1=$(echo "$mapEntry" | cut -d: -f2) - _debug rid1 $rid1 + _debug rid1 "$rid1" rid2=$(echo "$mapEntry" | cut -d: -f3) - _debug rid2 $rid2 + _debug rid2 "$rid2" rid=$rid1 # check for wildcard domain and use rid2 if set if _startswith "$d" '*.'; then _debug2 "wildcard domain" if ! test -z "$rid2"; then - rid=$rid2 + rid="$rid2" fi fi From 5a604bfdeec85bf0e578d73f57e7c6bb4ae91409 Mon Sep 17 00:00:00 2001 From: Monius Date: Mon, 22 Aug 2022 15:16:30 +0800 Subject: [PATCH 070/209] shfmt check? --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 882aaf03..11814b6e 100755 --- a/acme.sh +++ b/acme.sh @@ -2239,10 +2239,11 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi + if [ -n "$(tail -c 1 <"$__conf")" ]; then echo >>"$__conf" fi - + if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then _debug3 OK if _contains "$__val" "&"; then From fc336e3733ba62250cf7c7c649b5dbf827e84322 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Tue, 23 Aug 2022 00:04:41 +0200 Subject: [PATCH 071/209] fixed RID usage for wildcard domains --- dnsapi/dns_selfhost.sh | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index f8c8d314..d2d3cf60 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -10,7 +10,6 @@ dns_selfhost_add() { _info "Calling acme-dns on selfhost" _debug fulldomain "$fulldomain" _debug txtvalue "$txt" - _debug domain "$d" SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" @@ -19,6 +18,10 @@ dns_selfhost_add() { SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" # These values are domain dependent, so read them from there SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}" + # Selfhost api can't dynamically add TXT record, + # so we have to store the last used RID of the domain to support a second RID for wildcard domains + # (format: ';fulldomainA:lastRid;;fulldomainB:lastRid;...') + SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(_readdomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL) if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" @@ -30,7 +33,7 @@ dns_selfhost_add() { # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com # if the domain is defined multiple times only the last occurance will be matched mapEntry=$(echo "$SELFHOSTDNS_MAP" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain)(:[[:digit:]]+)([:]?[[:digit:]]*)(.*)/\2\3\4/p") - _debug mapEntry "$mapEntry" + _debug2 mapEntry "$mapEntry" if test -z "$mapEntry"; then _err "SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID" return 1 @@ -38,19 +41,27 @@ dns_selfhost_add() { # get the RIDs from the map entry rid1=$(echo "$mapEntry" | cut -d: -f2) - _debug rid1 "$rid1" rid2=$(echo "$mapEntry" | cut -d: -f3) - _debug rid2 "$rid2" - rid=$rid1 - # check for wildcard domain and use rid2 if set - if _startswith "$d" '*.'; then - _debug2 "wildcard domain" - if ! test -z "$rid2"; then - rid="$rid2" - fi + # read last used rid domain + lastUsedRidForDomainEntry=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/.*(;$fulldomain:[[:digit:]]+;).*/\1/p") + _debug2 lastUsedRidForDomainEntry "$lastUsedRidForDomainEntry" + lastUsedRidForDomain=$(echo "$lastUsedRidForDomainEntry" | tr -d ";" | cut -d: -f2) + + rid="$rid1" + if [ "$lastUsedRidForDomain" = "$rid" ] && ! test -z "$rid2"; then + rid="$rid2" + fi + + if ! test -z "$lastUsedRidForDomainEntry"; then + # replace last used rid entry for domain + SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/$lastUsedRidForDomainEntry/;$fulldomain:$rid;/p") + else + # add last used rid entry for domain + SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"";$fulldomain:$rid;" fi + _info "Trying to add $txt on selfhost for rid: $rid" data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" @@ -66,6 +77,7 @@ dns_selfhost_add() { _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" # These values are domain dependent, so store them there _savedomainconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" + _savedomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" } dns_selfhost_rm() { From c94f9f21afcbc5f3e7f05545c95c6c278236df83 Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Tue, 23 Aug 2022 00:28:52 +0200 Subject: [PATCH 072/209] fixed shfmt --- dnsapi/dns_selfhost.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index d2d3cf60..ea301788 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -18,7 +18,7 @@ dns_selfhost_add() { SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" # These values are domain dependent, so read them from there SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}" - # Selfhost api can't dynamically add TXT record, + # Selfhost api can't dynamically add TXT record, # so we have to store the last used RID of the domain to support a second RID for wildcard domains # (format: ';fulldomainA:lastRid;;fulldomainB:lastRid;...') SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(_readdomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL) @@ -56,12 +56,11 @@ dns_selfhost_add() { if ! test -z "$lastUsedRidForDomainEntry"; then # replace last used rid entry for domain SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/$lastUsedRidForDomainEntry/;$fulldomain:$rid;/p") - else + else # add last used rid entry for domain SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"";$fulldomain:$rid;" fi - _info "Trying to add $txt on selfhost for rid: $rid" data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" From b95f836256ca2c7b57d74c1a4a9b524fc92255bc Mon Sep 17 00:00:00 2001 From: Monius Date: Tue, 23 Aug 2022 06:30:09 +0800 Subject: [PATCH 073/209] final try --- acme.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/acme.sh b/acme.sh index 11814b6e..bb6863c7 100755 --- a/acme.sh +++ b/acme.sh @@ -2239,7 +2239,6 @@ _setopt() { if [ ! -f "$__conf" ]; then touch "$__conf" fi - if [ -n "$(tail -c 1 <"$__conf")" ]; then echo >>"$__conf" fi From ec53b27dfe7bcc030c4e4e6613a7bb902eac018f Mon Sep 17 00:00:00 2001 From: Viktor Sokhan Date: Wed, 24 Aug 2022 13:48:10 +0700 Subject: [PATCH 074/209] Add dns_yc.sh --- dnsapi/dns_yc.sh | 259 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 259 insertions(+) create mode 100644 dnsapi/dns_yc.sh diff --git a/dnsapi/dns_yc.sh b/dnsapi/dns_yc.sh new file mode 100644 index 00000000..74a605b5 --- /dev/null +++ b/dnsapi/dns_yc.sh @@ -0,0 +1,259 @@ +#!/usr/bin/env sh + +#YC_Zone_ID="" # DNS Zone ID +#YC_Folder_ID="" # YC Folder ID +#YC_SA_ID="" # Service Account ID +#YC_SA_Key_ID="" # Service Account IAM Key ID +#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of PEM +#YC_SA_Key_File_PEM="" # Content of private.key use instead of Path +YC_Api="https://dns.api.cloud.yandex.net/dns/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_yc_add() { + fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name + txtvalue=$2 + + if ["$YC_SA_Key_File_PEM"]; then + YC_SA_Key_File="<(echo '$YC_SA_Key_File_PEM')" + else + YC_SA_Key_File=$YC_SA_Key_File_Path + fi + + YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" + YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" + YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" + YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" + YC_SA_Key_File="${YC_SA_Key_File:-$(_readaccountconf_mutable YC_SA_Key_File)}" + + if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then + if [ -f "$YC_SA_Key_File" ]; then + if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then + if [ "$YC_Zone_ID" ]; then + _savedomainconf YC_Zone_ID "$YC_Zone_ID" + _savedomainconf YC_SA_ID "$YC_SA_ID" + _savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID" + _savedomainconf YC_SA_Key_File "$YC_SA_Key_File" + elif [ "$YC_Folder_ID" ]; then + _savedomainconf YC_Folder_ID "$YC_Folder_ID" + _saveaccountconf_mutable YC_SA_ID "$YC_SA_ID" + _saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID" + _saveaccountconf_mutable YC_SA_Key_File "$YC_SA_Key_File" + _clearaccountconf_mutable YC_Zone_ID + _clearaccountconf YC_Zone_ID + else + _err "You didn't specify a Yandex Cloud Zone ID or Folder ID yet." + return 1 + fi + else + _err "YC_SA_Key_File not a RSA file(_isRSA function return false)." + return 1 + fi + else + _err "YC_SA_Key_File not found in path $YC_SA_Key_File." + return 1 + fi + else + _clearaccountconf YC_Zone_ID + _clearaccountconf YC_Folder_ID + _clearaccountconf YC_SA_ID + _clearaccountconf YC_SA_Key_ID + _clearaccountconf YC_SA_Key_File + _err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + if ! _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then + _err "Error: $response" + return 1 + fi + + _info "Adding record" + if _yc_rest POST "zones/$_domain_id:upsertRecordSets" "{\"merges\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":[\"$txtvalue\"]}]}"; then + if _contains "$response" "\"done\": true"; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_yc_rm() { + fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name + txtvalue=$2 + + YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" + YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" + YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" + YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" + YC_SA_Key_File="${YC_SA_Key_File:-$(_readaccountconf_mutable YC_SA_Key_File)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + if _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then + exists_txtvalue=$(echo "$response" | _normalizeJson | _egrep_o "\"data\".*\][^,]*" | _egrep_o "[^:]*$") + _debug exists_txtvalue "$exists_txtvalue" + else + _err "Error: $response" + return 1 + fi + + if _yc_rest POST "zones/$_domain_id:updateRecordSets" "{\"deletions\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":$exists_txtvalue}]}"; then + if _contains "$response" "\"done\": true"; then + _info "Delete, OK" + return 0 + else + _err "Delete record error." + return 1 + fi + fi + _err "Delete record error." + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + # Use Zone ID directly if provided + if [ "$YC_Zone_ID" ]; then + if ! _yc_rest GET "zones/$YC_Zone_ID"; then + return 1 + else + if echo "$response" | tr -d " " | grep \"id\":\"$YC_Zone_ID\" >/dev/null; then + _domain=$(echo "$response" | _egrep_o "\"zone\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") + if [ "$_domain" ]; then + _cutlength=$((${#domain} - ${#_domain})) + _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength") + _domain_id=$YC_Zone_ID + return 0 + else + return 1 + fi + else + return 1 + fi + fi + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + if [ "$YC_Folder_ID" ]; then + if ! _yc_rest GET "zones?folderId=$YC_Folder_ID"; then + return 1 + fi + else + echo "You didn't specify a Yandex Cloud Folder ID." + return 1 + fi + if _contains "$response" "\"zone\": \"$h\""; then + _domain_id=$(echo "$response" | _normalizeJson | _egrep_o "[^{]*\"zone\":\"$h\"[^}]*" | _egrep_o "\"id\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"') + _debug _domain_id "$_domain_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_yc_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + if [ ! "$YC_Token" ]; then + _debug "Login" + _yc_login + else + _debug "Token already exists. Skip Login." + fi + + token_trimmed=$(echo "$YC_Token" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $token_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$YC_Api/$ep" "" "$m")" + else + response="$(_get "$YC_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_yc_login() { + header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" | _normalizeJson | _base64 | _url_replace) + _debug header "$header" + + _current_timestamp=$(_time) + _expire_timestamp=$(_math $_current_timestamp + 1200) # 20 minutes + payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" | _normalizeJson | _base64 | _url_replace) + _debug payload "$payload" + + #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace ) + _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace) + _debug2 _signature "$_signature" + + _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature") + _debug2 _jwt "$_jwt" + + export _H1="Content-Type: application/json" + _iam_response="$(_post "$_jwt" "https://iam.api.cloud.yandex.net/iam/v1/tokens" "" "POST")" + _debug3 _iam_response "$(echo "$_iam_response" | _normalizeJson)" + + YC_Token="$(echo "$_iam_response" | _normalizeJson | _egrep_o "\"iamToken\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')" + _debug3 YC_Token + + return 0 +} From 43503a20e571b354877a9246bc13c3514275cf20 Mon Sep 17 00:00:00 2001 From: Viktor Sokhan Date: Wed, 24 Aug 2022 14:12:57 +0700 Subject: [PATCH 075/209] Fix --- dnsapi/dns_yc.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_yc.sh b/dnsapi/dns_yc.sh index 74a605b5..9f9c3e5e 100644 --- a/dnsapi/dns_yc.sh +++ b/dnsapi/dns_yc.sh @@ -5,7 +5,7 @@ #YC_SA_ID="" # Service Account ID #YC_SA_Key_ID="" # Service Account IAM Key ID #YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of PEM -#YC_SA_Key_File_PEM="" # Content of private.key use instead of Path +#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of Path YC_Api="https://dns.api.cloud.yandex.net/dns/v1" ######## Public functions ##################### @@ -15,8 +15,8 @@ dns_yc_add() { fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name txtvalue=$2 - if ["$YC_SA_Key_File_PEM"]; then - YC_SA_Key_File="<(echo '$YC_SA_Key_File_PEM')" + if ["$YC_SA_Key_File_PEM_b64"]; then + YC_SA_Key_File="<(echo '$YC_SA_Key_File_PEM_b64' | _dbase64 )" else YC_SA_Key_File=$YC_SA_Key_File_Path fi From 90623142e16f1423ac1be1cd8bb1cbdc95ce03b1 Mon Sep 17 00:00:00 2001 From: Viktor Sokhan Date: Wed, 24 Aug 2022 16:40:27 +0700 Subject: [PATCH 076/209] Fix --- dnsapi/dns_yc.sh | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/dnsapi/dns_yc.sh b/dnsapi/dns_yc.sh index 9f9c3e5e..bce9aa63 100644 --- a/dnsapi/dns_yc.sh +++ b/dnsapi/dns_yc.sh @@ -4,8 +4,8 @@ #YC_Folder_ID="" # YC Folder ID #YC_SA_ID="" # Service Account ID #YC_SA_Key_ID="" # Service Account IAM Key ID -#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of PEM -#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of Path +#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of YC_SA_Key_File_PEM_b64 +#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of YC_SA_Key_File_Path YC_Api="https://dns.api.cloud.yandex.net/dns/v1" ######## Public functions ##################### @@ -15,18 +15,23 @@ dns_yc_add() { fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name txtvalue=$2 - if ["$YC_SA_Key_File_PEM_b64"]; then - YC_SA_Key_File="<(echo '$YC_SA_Key_File_PEM_b64' | _dbase64 )" + YC_SA_Key_File_PEM_b64="${YC_SA_Key_File_PEM_b64:-$(_readaccountconf_mutable YC_SA_Key_File_PEM_b64)}" + YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}" + + if [ "$YC_SA_Key_File_PEM_b64" ]; then + echo "$YC_SA_Key_File_PEM_b64" | _dbase64 > private.key + YC_SA_Key_File="private.key" + _savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64" else - YC_SA_Key_File=$YC_SA_Key_File_Path + YC_SA_Key_File="$YC_SA_Key_File_Path" + _savedomainconf YC_SA_Key_File_Path "$YC_SA_Key_File_Path" fi YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" - YC_SA_Key_File="${YC_SA_Key_File:-$(_readaccountconf_mutable YC_SA_Key_File)}" - + if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then if [ -f "$YC_SA_Key_File" ]; then if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then @@ -34,12 +39,10 @@ dns_yc_add() { _savedomainconf YC_Zone_ID "$YC_Zone_ID" _savedomainconf YC_SA_ID "$YC_SA_ID" _savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID" - _savedomainconf YC_SA_Key_File "$YC_SA_Key_File" elif [ "$YC_Folder_ID" ]; then _savedomainconf YC_Folder_ID "$YC_Folder_ID" _saveaccountconf_mutable YC_SA_ID "$YC_SA_ID" _saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID" - _saveaccountconf_mutable YC_SA_Key_File "$YC_SA_Key_File" _clearaccountconf_mutable YC_Zone_ID _clearaccountconf YC_Zone_ID else @@ -59,7 +62,8 @@ dns_yc_add() { _clearaccountconf YC_Folder_ID _clearaccountconf YC_SA_ID _clearaccountconf YC_SA_Key_ID - _clearaccountconf YC_SA_Key_File + _clearaccountconf YC_SA_Key_File_PEM_b64 + _clearaccountconf YC_SA_Key_File_Path _err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File." return 1 fi @@ -103,7 +107,6 @@ dns_yc_rm() { YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" - YC_SA_Key_File="${YC_SA_Key_File:-$(_readaccountconf_mutable YC_SA_Key_File)}" _debug "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -244,6 +247,8 @@ _yc_login() { #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace ) _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace) _debug2 _signature "$_signature" + + rm -rf "$YC_SA_Key_File" _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature") _debug2 _jwt "$_jwt" From 53117b2f4cead0b78b58242c21b44ff44bd062b9 Mon Sep 17 00:00:00 2001 From: Klaus Frank Date: Wed, 17 Aug 2022 16:48:02 +0200 Subject: [PATCH 077/209] Fix missing HTTP_HEADER for _get with wget Save http header to file for _get with wget. --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 428c016f..31a2cb03 100755 --- a/acme.sh +++ b/acme.sh @@ -2054,7 +2054,7 @@ _get() { if [ "$onlyheader" ]; then $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1 | sed 's/^[ ]*//g' else - $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - "$url" + $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O - "$url" 2>"$HTTP_HEADER" fi ret=$? if [ "$ret" = "8" ]; then From 713b7338ea1a77c1ca33c46b6212b13914cf48dd Mon Sep 17 00:00:00 2001 From: Klaus Frank Date: Wed, 17 Aug 2022 20:01:02 +0200 Subject: [PATCH 078/209] demultiplex wget debug output --- acme.sh | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 31a2cb03..0130f004 100755 --- a/acme.sh +++ b/acme.sh @@ -1999,7 +1999,13 @@ _post() { if [ "$_ret" != "0" ]; then _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret" fi - _sed_i "s/^ *//g" "$HTTP_HEADER" + if echo $_WGET | grep -q " -d " 2> /dev/null; then + # Demultiplex wget debug output + cat "$HTTP_HEADER" >&2 + _sed_i '/^[^[:space:]][^[:space:]]/d; /^[[:space:]]*$/d' "$HTTP_HEADER" + fi + # remove leading whitespaces from header to match curl format + _sed_i 's/^[[:space:]][[:space:]]//g' "$HTTP_HEADER" else _ret="$?" _err "Neither curl nor wget is found, can not do $httpmethod." @@ -2052,9 +2058,21 @@ _get() { fi _debug "_WGET" "$_WGET" if [ "$onlyheader" ]; then - $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1 | sed 's/^[ ]*//g' + _wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" + if echo $_WGET | grep -q " -d " 2> /dev/null; then + # Demultiplex wget debug output + echo "$_wget_out" >&2 + echo "$_wget_out" | sed '/^[^[:space:]][^[:space:]]/d; /^[[:space:]]*$/d; s/^[[:space:]][[:space:]]//g' - + fi else $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O - "$url" 2>"$HTTP_HEADER" + if echo $_WGET | grep -q " -d " 2> /dev/null; then + # Demultiplex wget debug output + cat "$HTTP_HEADER" >&2 + _sed_i '/^[^[:space:]][^[:space:]]/d; /^[[:space:]]*$/d' "$HTTP_HEADER" + fi + # remove leading whitespaces from header to match curl format + _sed_i 's/^[[:space:]][[:space:]]//g' "$HTTP_HEADER" fi ret=$? if [ "$ret" = "8" ]; then From 864315f6d19b12ec514698094c3dc987c0128d26 Mon Sep 17 00:00:00 2001 From: Klaus Frank Date: Sun, 21 Aug 2022 01:55:47 +0200 Subject: [PATCH 079/209] Use literal space Replace [[:space:]] with " " --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index 0130f004..c9146d87 100755 --- a/acme.sh +++ b/acme.sh @@ -2002,10 +2002,10 @@ _post() { if echo $_WGET | grep -q " -d " 2> /dev/null; then # Demultiplex wget debug output cat "$HTTP_HEADER" >&2 - _sed_i '/^[^[:space:]][^[:space:]]/d; /^[[:space:]]*$/d' "$HTTP_HEADER" + _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" fi # remove leading whitespaces from header to match curl format - _sed_i 's/^[[:space:]][[:space:]]//g' "$HTTP_HEADER" + _sed_i 's/^ //g' "$HTTP_HEADER" else _ret="$?" _err "Neither curl nor wget is found, can not do $httpmethod." @@ -2062,17 +2062,17 @@ _get() { if echo $_WGET | grep -q " -d " 2> /dev/null; then # Demultiplex wget debug output echo "$_wget_out" >&2 - echo "$_wget_out" | sed '/^[^[:space:]][^[:space:]]/d; /^[[:space:]]*$/d; s/^[[:space:]][[:space:]]//g' - + echo "$_wget_out" | sed '/^[^ ][^ ]/d; /^ *$/d; s/^ //g' - fi else $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O - "$url" 2>"$HTTP_HEADER" if echo $_WGET | grep -q " -d " 2> /dev/null; then # Demultiplex wget debug output cat "$HTTP_HEADER" >&2 - _sed_i '/^[^[:space:]][^[:space:]]/d; /^[[:space:]]*$/d' "$HTTP_HEADER" + _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" fi # remove leading whitespaces from header to match curl format - _sed_i 's/^[[:space:]][[:space:]]//g' "$HTTP_HEADER" + _sed_i 's/^ //g' "$HTTP_HEADER" fi ret=$? if [ "$ret" = "8" ]; then From 4e5d4b969538094f2d3306a23c84c773e2717f08 Mon Sep 17 00:00:00 2001 From: Viktor Sokhan Date: Thu, 25 Aug 2022 13:43:06 +0700 Subject: [PATCH 080/209] Fix shellcheck and shfmt --- dnsapi/dns_yc.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_yc.sh b/dnsapi/dns_yc.sh index bce9aa63..ec3bbc87 100644 --- a/dnsapi/dns_yc.sh +++ b/dnsapi/dns_yc.sh @@ -19,7 +19,7 @@ dns_yc_add() { YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}" if [ "$YC_SA_Key_File_PEM_b64" ]; then - echo "$YC_SA_Key_File_PEM_b64" | _dbase64 > private.key + echo "$YC_SA_Key_File_PEM_b64" | _dbase64 >private.key YC_SA_Key_File="private.key" _savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64" else @@ -155,7 +155,7 @@ _get_root() { if ! _yc_rest GET "zones/$YC_Zone_ID"; then return 1 else - if echo "$response" | tr -d " " | grep \"id\":\"$YC_Zone_ID\" >/dev/null; then + if echo "$response" | tr -d " " | _egrep_o "\"id\":\"$YC_Zone_ID\"" >/dev/null; then _domain=$(echo "$response" | _egrep_o "\"zone\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") if [ "$_domain" ]; then _cutlength=$((${#domain} - ${#_domain})) @@ -238,16 +238,16 @@ _yc_rest() { _yc_login() { header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" | _normalizeJson | _base64 | _url_replace) _debug header "$header" - + _current_timestamp=$(_time) - _expire_timestamp=$(_math $_current_timestamp + 1200) # 20 minutes + _expire_timestamp=$(_math "$_current_timestamp" + 1200) # 20 minutes payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" | _normalizeJson | _base64 | _url_replace) _debug payload "$payload" #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace ) _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace) _debug2 _signature "$_signature" - + rm -rf "$YC_SA_Key_File" _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature") From f9320fff8ff71c9bc7a4d228bb8943ed9a1ae7eb Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Sat, 27 Aug 2022 01:17:53 +0200 Subject: [PATCH 081/209] Changed lastUsedRidForDomainEntry seperator to space --- dnsapi/dns_selfhost.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index ea301788..4c94576b 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -20,7 +20,7 @@ dns_selfhost_add() { SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}" # Selfhost api can't dynamically add TXT record, # so we have to store the last used RID of the domain to support a second RID for wildcard domains - # (format: ';fulldomainA:lastRid;;fulldomainB:lastRid;...') + # (format: 'fulldomainA:lastRid fulldomainB:lastRid ...') SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(_readdomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL) if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then @@ -44,21 +44,26 @@ dns_selfhost_add() { rid2=$(echo "$mapEntry" | cut -d: -f3) # read last used rid domain - lastUsedRidForDomainEntry=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/.*(;$fulldomain:[[:digit:]]+;).*/\1/p") + lastUsedRidForDomainEntry=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain:[[:digit:]]+)(.*)/\2/p") _debug2 lastUsedRidForDomainEntry "$lastUsedRidForDomainEntry" - lastUsedRidForDomain=$(echo "$lastUsedRidForDomainEntry" | tr -d ";" | cut -d: -f2) + lastUsedRidForDomain=$(echo "$lastUsedRidForDomainEntry" | cut -d: -f2) rid="$rid1" if [ "$lastUsedRidForDomain" = "$rid" ] && ! test -z "$rid2"; then rid="$rid2" fi + newLastUsedRidForDomainEntry="$fulldomain:$rid" if ! test -z "$lastUsedRidForDomainEntry"; then # replace last used rid entry for domain - SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/$lastUsedRidForDomainEntry/;$fulldomain:$rid;/p") + SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/$lastUsedRidForDomainEntry/$newLastUsedRidForDomainEntry/p") else # add last used rid entry for domain - SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"";$fulldomain:$rid;" + if test -z "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"; then + SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$newLastUsedRidForDomainEntry" + else + SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$SELFHOSTDNS_MAP_LAST_USED_INTERNAL $newLastUsedRidForDomainEntry" + fi fi _info "Trying to add $txt on selfhost for rid: $rid" From 7a1f94bc20d2eb80ca05a78fb798d5ff0e2022cf Mon Sep 17 00:00:00 2001 From: AlvinSchiller <103769832+AlvinSchiller@users.noreply.github.com> Date: Sun, 28 Aug 2022 20:44:17 +0200 Subject: [PATCH 082/209] set newLastUsedRidForDomainEntry after request was successfull --- dnsapi/dns_selfhost.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_selfhost.sh b/dnsapi/dns_selfhost.sh index 4c94576b..a6ef1f94 100644 --- a/dnsapi/dns_selfhost.sh +++ b/dnsapi/dns_selfhost.sh @@ -53,6 +53,17 @@ dns_selfhost_add() { rid="$rid2" fi + _info "Trying to add $txt on selfhost for rid: $rid" + + data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" + response="$(_get "$SELFHOSTDNS_UPDATE_URL$data")" + + if ! echo "$response" | grep "200 OK" >/dev/null; then + _err "Invalid response of acme-dns for selfhost" + return 1 + fi + + # write last used rid domain newLastUsedRidForDomainEntry="$fulldomain:$rid" if ! test -z "$lastUsedRidForDomainEntry"; then # replace last used rid entry for domain @@ -66,16 +77,6 @@ dns_selfhost_add() { fi fi - _info "Trying to add $txt on selfhost for rid: $rid" - - data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" - response="$(_get "$SELFHOSTDNS_UPDATE_URL$data")" - - if ! echo "$response" | grep "200 OK" >/dev/null; then - _err "Invalid response of acme-dns for selfhost" - return 1 - fi - # Now that we know the values are good, save them _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" From dd707242efa70e0440edc2a9214d6113b95b9751 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 3 Sep 2022 21:11:16 +0800 Subject: [PATCH 083/209] the envs are moved to acmetest --- .github/workflows/DNS.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 057972f6..5aedfe8a 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -81,9 +81,7 @@ jobs: if [ "${{ secrets.TokenName5}}" ] ; then echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env fi - echo "TEST_DNS_NO_WILDCARD" >> docker.env - echo "http_proxy" >> docker.env - echo "https_proxy" >> docker.env + - name: Run acmetest run: cd ../acmetest && ./rundocker.sh testall From 5d6d0c6176c1be41c8729478bc7fe5e3fc787823 Mon Sep 17 00:00:00 2001 From: Lorenz Stechauner Date: Mon, 5 Sep 2022 13:19:34 +0200 Subject: [PATCH 084/209] World4You: fix paketnr parsing Signed-off-by: Lorenz Stechauner --- dnsapi/dns_world4you.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_world4you.sh b/dnsapi/dns_world4you.sh index a0a83c37..dfda4efd 100644 --- a/dnsapi/dns_world4you.sh +++ b/dnsapi/dns_world4you.sh @@ -195,7 +195,7 @@ _get_paketnr() { fqdn="$1" form="$2" - domains=$(echo "$form" | grep 'header-paket-domain' | sed 's/<[^>]*>//g' | sed 's/^.*>\([^>]*\)$/\1/') + domains=$(echo "$form" | grep '
    ' | sed 's/
  • ]*>/ /g' | sed 's/^.*>\([^>]*\)$/\1/') domain='' for domain in $domains; do if _contains "$fqdn" "$domain\$"; then @@ -210,7 +210,7 @@ _get_paketnr() { TLD="$domain" _debug domain "$domain" RECORD=$(echo "$fqdn" | cut -c"1-$((${#fqdn} - ${#TLD} - 1))") - PAKETNR=$(echo "$form" | grep "data-textfilter=\".* $domain " | _tail_n 1 | sed "s|.*$WORLD4YOU_API/\\([0-9]*\\)/.*|\\1|") + PAKETNR=$(echo "$domains" | grep "$domain" | sed 's/^[^,]*, *\([0-9]*\).*$/\1/') return 0 } From 9fb14eef0e6d74d8121b99702f573046c9b34243 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 6 Sep 2022 20:33:51 +0800 Subject: [PATCH 085/209] support "secrets.HTTPS_INSECURE" for solaris --- .github/workflows/DNS.yml | 49 ++++++++++++++++++++------------------- 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 5aedfe8a..47f9a358 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -234,9 +234,9 @@ jobs: - Solaris: + OpenBSD: runs-on: macos-12 - needs: FreeBSD + needs: Solaris env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -252,14 +252,13 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/solaris-vm@v0 + - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + prepare: pkg_add socat curl + usesh: true copyback: false - prepare: pkgutil -y -i socat run: | - pkg set-mediator -v -I default@1.1 openssl - export PATH=/usr/gnu/bin:$PATH if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} fi @@ -281,9 +280,9 @@ jobs: - OpenBSD: + NetBSD: runs-on: macos-12 - needs: Solaris + needs: OpenBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -299,10 +298,11 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/openbsd-vm@v0 + - uses: vmactions/netbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg_add socat curl + prepare: | + pkg_add curl socat usesh: true copyback: false run: | @@ -327,9 +327,9 @@ jobs: - NetBSD: + DragonFlyBSD: runs-on: macos-12 - needs: OpenBSD + needs: NetBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -345,11 +345,11 @@ jobs: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/netbsd-vm@v0 + - uses: vmactions/dragonflybsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg_add curl socat + pkg install -y curl socat usesh: true copyback: false run: | @@ -374,9 +374,12 @@ jobs: - DragonFlyBSD: + + + + Solaris: runs-on: macos-12 - needs: NetBSD + needs: FreeBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -388,18 +391,19 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + HTTPS_INSECURE: ${{ secrets.HTTPS_INSECURE }} steps: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/dragonflybsd-vm@v0 + - uses: vmactions/solaris-vm@v0 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: | - pkg install -y curl socat - usesh: true + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false + prepare: pkgutil -y -i socat run: | + pkg set-mediator -v -I default@1.1 openssl + export PATH=/usr/gnu/bin:$PATH if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} fi @@ -419,6 +423,3 @@ jobs: ./letest.sh - - - From 35fb1f8585becbc2071a56d7271560936cf04965 Mon Sep 17 00:00:00 2001 From: Shane Bishop Date: Tue, 6 Sep 2022 07:35:06 -0600 Subject: [PATCH 086/209] Create dns_bunny.sh --- dnsapi/dns_bunny.sh | 250 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 250 insertions(+) create mode 100644 dnsapi/dns_bunny.sh diff --git a/dnsapi/dns_bunny.sh b/dnsapi/dns_bunny.sh new file mode 100644 index 00000000..d2aba440 --- /dev/null +++ b/dnsapi/dns_bunny.sh @@ -0,0 +1,250 @@ +#!/bin/bash + +## Will be called by acme.sh to add the TXT record to via the Bunny DNS API. +## returns 0 means success, otherwise error. + +## Author: nosilver4u +## GitHub: https://github.com/nosilver4u/acme.sh + +## +## Environment Variables Required: +## +## BUNNY_API_KEY="75310dc4-ca77-9ac3-9a19-f6355db573b49ce92ae1-2655-3ebd-61ac-3a3ae34834cc" +## + +##################### Public functions ##################### + +## Create the text record for validation. +## Usage: fulldomain txtvalue +## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" +dns_bunny_add() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + BUNNY_API_KEY="${BUNNY_API_KEY:-$(_readaccountconf_mutable BUNNY_API_KEY)}" + # Check if API Key is set + if [ -z "$BUNNY_API_KEY" ]; then + BUNNY_API_KEY="" + _err "You did not specify Bunny.net API key." + _err "Please export BUNNY_API_KEY and try again." + return 1 + fi + + _info "Using Bunny.net dns validation - add record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## save the env vars (key and domain split location) for later automated use + _saveaccountconf_mutable BUNNY_API_KEY "$BUNNY_API_KEY" + + ## split the domain for Bunny API + if ! _get_base_domain "$fulldomain"; then + _err "domain not found in your account for addition" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _domain_id "$_domain_id" + + ## Set the header with our post type and auth key + export _H1="Accept: application/json" + export _H2="AccessKey: $BUNNY_API_KEY" + export _H3="Content-Type: application/json" + PURL="https://api.bunny.net/dnszone/$_domain_id/records" + PBODY='{"Id":'$_domain_id',"Type":3,"Name":"'$_sub_domain'","Value":"'$txtvalue'","ttl":120}' + + _debug PURL "$PURL" + _debug PBODY "$PBODY" + + ## the create request - POST + ## args: BODY, URL, [need64, httpmethod] + response="$(_post "$PBODY" "$PURL" "" "PUT")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in response: $response" + return 1 + fi + _debug2 response "$response" + + ## finished correctly + return 0 +} + +## Remove the txt record after validation. +## Usage: fulldomain txtvalue +## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" +dns_bunny_rm() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + BUNNY_API_KEY="${BUNNY_API_KEY:-$(_readaccountconf_mutable BUNNY_API_KEY)}" + # Check if API Key Exists + if [ -z "$BUNNY_API_KEY" ]; then + BUNNY_API_KEY="" + _err "You did not specify Bunny.net API key." + _err "Please export BUNNY_API_KEY and try again." + return 1 + fi + + _info "Using Bunny.net dns validation - remove record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## split the domain for Bunny API + if ! _get_base_domain "$fulldomain"; then + _err "Domain not found in your account for TXT record removal" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _domain_id "$_domain_id" + + ## Set the header with our post type and key auth key + export _H1="Accept: application/json" + export _H2="AccessKey: $BUNNY_API_KEY" + ## get URL for the list of DNS records + GURL="https://api.bunny.net/dnszone/$_domain_id" + + ## 1) Get the domain/zone records + ## the fetch request - GET + ## args: URL, [onlyheader, timeout] + domain_list="$(_get "$GURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in domain_list response: $domain_list" + return 1 + fi + _debug2 domain_list "$domain_list" + + ## 2) search through records + ## check for what we are looking for: "Type":3,"Value":"$txtvalue","Name":"$_sub_domain" + record="$(echo "$domain_list" | _egrep_o "\"Id\"\s*\:\s*\"*[0-9]+\"*,\s*\"Type\"[^}]*\"Value\"\s*\:\s*\"$txtvalue\"[^}]*\"Name\"\s*\:\s*\"$_sub_domain\"")" + + if [ -n "$record" ]; then + + ## We found records + rec_ids="$(echo "$record" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")" + _debug rec_ids "$rec_ids" + if [ -n "$rec_ids" ]; then + echo "$rec_ids" | while IFS= read -r rec_id; do + ## delete the record + ## delete URL for removing the one we dont want + DURL="https://api.bunny.net/dnszone/$_domain_id/records/$rec_id" + + ## the removal request - DELETE + ## args: BODY, URL, [need64, httpmethod] + response="$(_post "" "$DURL" "" "DELETE")" + + ## check response (sort of) + if [ "$?" != "0" ]; then + _err "error in remove response: $response" + return 1 + fi + _debug2 response "$response" + + done + fi + fi + + ## finished correctly + return 0 +} + +##################### Private functions below ##################### + +## Split the domain provided into the "base domain" and the "start prefix". +## This function searches for the longest subdomain in your account +## for the full domain given and splits it into the base domain (zone) +## and the prefix/record to be added/removed +## USAGE: fulldomain +## EG: "_acme-challenge.two.three.four.domain.com" +## returns +## _sub_domain="_acme-challenge.two" +## _domain="three.four.domain.com" *IF* zone "three.four.domain.com" exists +## _domain_id=234 +## if only "domain.com" exists it will return +## _sub_domain="_acme-challenge.two.three.four" +## _domain="domain.com" +## _domain_id=234 +_get_base_domain() { + # args + fulldomain="$(echo "$1" | _lower_case)" + _debug fulldomain "$fulldomain" + + # domain max legal length = 253 + MAX_DOM=255 + page=1 + + ## get a list of domains for the account to check thru + ## Set the headers + export _H1="Accept: application/json" + export _H2="AccessKey: $BUNNY_API_KEY" + _debug BUNNY_API_KEY "$BUNNY_API_KEY" + ## get URL for the list of domains + ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}} + DOMURL="https://api.bunny.net/dnszone" + + ## while we dont have a matching domain we keep going + while [ -z "$found" ]; do + ## get the domain list (current page) + domain_list="$(_get "$DOMURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in domain_list response: $domain_list" + return 1 + fi + _debug2 domain_list "$domain_list" + + ## for each shortening of our $fulldomain, check if it exists in the $domain_list + ## can never start on 1 (aka whole $fulldomain) as $fulldomain starts with "_acme-challenge" + i=2 + while [ $i -gt 0 ]; do + ## get next longest domain + _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM") + ## check we got something back from our cut (or are we at the end) + if [ -z "$_domain" ]; then + break + fi + ## we got part of a domain back - grep it out + found="$(echo "$domain_list" | _egrep_o "\"Id\"\s*:\s*\"*[0-9]+\"*,\s*\"Domain\"\s*\:\s*\"$_domain\"")" + ## check if it exists + if [ -n "$found" ]; then + ## exists - exit loop returning the parts + sub_point=$(_math $i - 1) + _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point") + _domain_id="$(echo "$found" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")" + _debug _domain_id "$_domain_id" + _debug _domain "$_domain" + _debug _sub_domain "$_sub_domain" + found="" + return 0 + fi + ## increment cut point $i + i=$(_math $i + 1) + done + + if [ -z "$found" ]; then + page=$(_math $page + 1) + nextpage="https://api.bunny.net/dnszone?page=$page" + ## Find the next page if we don't have a match. + hasnextpage="$(echo "$domain_list" | _egrep_o "\"HasMoreItems\"\s*:\s*true")" + if [ -z "$hasnextpage" ]; then + _err "No record and no nextpage in Bunny.net domain search." + found="" + return 1 + fi + _debug2 nextpage "$nextpage" + DOMURL="$nextpage" + fi + + done + + ## We went through the entire domain zone list and didn't find one that matched. + ## If we ever get here, something is broken in the code... + _err "Domain not found in Bunny.net account, but we should never get here!" + found="" + return 1 +} From 025e0e8093e8dbbd47030097a41b5f01d5a4ce19 Mon Sep 17 00:00:00 2001 From: Shane Bishop Date: Tue, 6 Sep 2022 11:38:15 -0600 Subject: [PATCH 087/209] fix the shebang --- dnsapi/dns_bunny.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_bunny.sh b/dnsapi/dns_bunny.sh index d2aba440..718efe02 100644 --- a/dnsapi/dns_bunny.sh +++ b/dnsapi/dns_bunny.sh @@ -1,6 +1,6 @@ -#!/bin/bash +#!/usr/bin/env sh -## Will be called by acme.sh to add the TXT record to via the Bunny DNS API. +## Will be called by acme.sh to add the TXT record via the Bunny DNS API. ## returns 0 means success, otherwise error. ## Author: nosilver4u From 5c00afc6febdb831129bc9f276f91bc017d27d21 Mon Sep 17 00:00:00 2001 From: Bjarke Bruun Date: Wed, 7 Sep 2022 03:46:28 +0200 Subject: [PATCH 088/209] Fix for multiple TLDs in DNS API --- dnsapi/dns_dnsservices.sh | 66 ++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 26 deletions(-) diff --git a/dnsapi/dns_dnsservices.sh b/dnsapi/dns_dnsservices.sh index 9f2220fe..008153a4 100755 --- a/dnsapi/dns_dnsservices.sh +++ b/dnsapi/dns_dnsservices.sh @@ -13,8 +13,8 @@ DNSServices_API=https://dns.services/api #Usage: dns_dnsservices_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_dnsservices_add() { - fulldomain=$1 - txtvalue=$2 + fulldomain="$1" + txtvalue="$2" _info "Using dns.services to create ACME DNS challenge" _debug2 add_fulldomain "$fulldomain" @@ -61,8 +61,8 @@ dns_dnsservices_add() { #Usage: fulldomain txtvalue #Description: Remove the txt record after validation. dns_dnsservices_rm() { - fulldomain=$1 - txtvalue=$2 + fulldomain="$1" + txtvalue="$2" _info "Using dns.services to remove DNS record $fulldomain TXT $txtvalue" _debug rm_fulldomain "$fulldomain" @@ -117,36 +117,40 @@ _setup_headers() { } _get_root() { - domain=$1 + domain="$1" _debug2 _get_root "Get the root domain of ${domain} for DNS API" # Setup _get() and _post() headers #_setup_headers result=$(_H1="$_H1" _H2="$_H2" _get "$DNSServices_API/dns") + result2="$(printf "%s\n" "$result" | tr '[' '\n' | grep '"name"')" + result3="$(printf "%s\n" "$result2" | tr '}' '\n' | grep '"name"' | sed "s,^\,,,g" | sed "s,$,},g")" + useResult="" _debug2 _get_root "Got the following root domain(s) $result" _debug2 _get_root "- JSON: $result" - if [ "$(echo "$result" | grep -c '"name"')" -gt "1" ]; then + if [ "$(printf "%s\n" "$result" | tr '}' '\n' | grep -c '"name"')" -gt "1" ]; then checkMultiZones="true" _debug2 _get_root "- multiple zones found" else checkMultiZones="false" - + _debug2 _get_root "- single zone found" fi # Find/isolate the root zone to work with in createRecord() and deleteRecord() rootZone="" if [ "$checkMultiZones" = "true" ]; then - rootZone=$(for zone in $(echo "$result" | tr -d '\n' ' '); do - if [ "$(echo "$domain" | grep "$zone")" != "" ]; then - _debug2 _get_root "- trying to figure out if $zone is in $domain" - echo "$zone" - break - fi - done) + #rootZone=$(for x in $(printf "%s" "${result3}" | tr ',' '\n' | sed -n 's/.*"name":"\(.*\)",.*/\1/p'); do if [ "$(echo "$domain" | grep "$x")" != "" ]; then echo "$x"; fi; done) + rootZone=$(for x in $(printf "%s\n" "${result3}" | tr ',' '\n' | grep name | cut -d'"' -f4); do if [ "$(echo "$domain" | grep "$x")" != "" ]; then echo "$x"; fi; done) + if [ "$rootZone" != "" ]; then + _debug2 _rootZone "- root zone for $domain is $rootZone" + else + _err "Could not find root zone for $domain, is it correctly typed?" + return 1 + fi else - rootZone=$(echo "$result" | _egrep_o '"name":"[^"]*' | cut -d'"' -f4) + rootZone=$(echo "$result" | tr '}' '\n' | _egrep_o '"name":"[^"]*' | cut -d'"' -f4) _debug2 _get_root "- only found 1 domain in API: $rootZone" fi @@ -155,14 +159,18 @@ _get_root() { return 1 fi + # Make sure we use the correct API zone data + useResult="$(printf "%s\n" "${result3}" tr ',' '\n' | grep "$rootZone")" + _debug2 _useResult "useResult=$useResult" + # Setup variables used by other functions to communicate with DNS.Services API - #zoneInfo=$(echo "$result" | sed "s,\"zones,\n&,g" | grep zones | cut -d'[' -f2 | cut -d']' -f1 | tr '}' '\n' | grep "\"$rootZone\"") - zoneInfo=$(echo "$result" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"name":")([^"]*)"(.*)$,\2,g' | grep "\"$rootZone\"") + #zoneInfo=$(printf "%s\n" "$useResult" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"name":")([^"]*)"(.*)$,\2,g') + zoneInfo=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep '"name"' | cut -d'"' -f4) rootZoneName="$rootZone" - subDomainName="$(echo "$domain" | sed "s,\.$rootZone,,g")" - subDomainNameClean="$(echo "$domain" | sed "s,_acme-challenge.,,g")" - rootZoneDomainID=$(echo "$result" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"domain_id":")([^"]*)"(.*)$,\2,g') - rootZoneServiceID=$(echo "$result" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"service_id":")([^"]*)"(.*)$,\2,g') + subDomainName="$(printf "%s\n" "$domain" | sed "s,\.$rootZone,,g")" + subDomainNameClean="$(printf "%s\n" "$domain" | sed "s,_acme-challenge.,,g")" + rootZoneDomainID=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep domain_id | cut -d'"' -f4) + rootZoneServiceID=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep service_id | cut -d'"' -f4) _debug2 _zoneInfo "Zone info from API : $zoneInfo" _debug2 _get_root "Root zone name : $rootZoneName" @@ -175,13 +183,17 @@ _get_root() { } createRecord() { - fulldomain=$1 + fulldomain="$1" txtvalue="$2" # Get root domain information - needed for DNS.Services API communication if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then _get_root "$fulldomain" fi + if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then + _err "Something happend - could not get the API zone information" + return 1 + fi _debug2 createRecord "CNAME TXT value is: $txtvalue" @@ -203,8 +215,8 @@ createRecord() { } deleteRecord() { - fulldomain=$1 - txtvalue=$2 + fulldomain="$1" + txtvalue="$2" _log deleteRecord "Deleting $fulldomain TXT $txtvalue record" @@ -213,8 +225,10 @@ deleteRecord() { fi result="$(_H1="$_H1" _H2="$_H2" _get "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID")" - recordInfo="$(echo "$result" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}")" - recordID="$(echo "$recordInfo" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"id":")([^"]*)"(.*)$,\2,g')" + #recordInfo="$(echo "$result" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}")" + #recordID="$(echo "$recordInfo" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"id":")([^"]*)"(.*)$,\2,g')" + recordID="$(printf "%s\n" "$result" | tr '}' '\n' | grep -- "$txtvalue" | tr ',' '\n' | grep '"id"' | cut -d'"' -f4)" + _debug2 _recordID "recordID used for deletion of record: $recordID" if [ -z "$recordID" ]; then _info "Record $fulldomain TXT $txtvalue not found or already deleted" From 4b0a7a6e1f9432cee07a3b86deec00173a2e54a0 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 7 Sep 2022 18:15:21 +0800 Subject: [PATCH 089/209] Update dns_bunny.sh `i` should start with `1`. In dns alias mode, the fulldomain doesn't have a `_acme-challenge` prefix. --- dnsapi/dns_bunny.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/dnsapi/dns_bunny.sh b/dnsapi/dns_bunny.sh index 718efe02..a9b1ea5a 100644 --- a/dnsapi/dns_bunny.sh +++ b/dnsapi/dns_bunny.sh @@ -198,9 +198,7 @@ _get_base_domain() { fi _debug2 domain_list "$domain_list" - ## for each shortening of our $fulldomain, check if it exists in the $domain_list - ## can never start on 1 (aka whole $fulldomain) as $fulldomain starts with "_acme-challenge" - i=2 + i=1 while [ $i -gt 0 ]; do ## get next longest domain _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM") From 4ea7f3cda5bd64fd0af69e2ccdc7c2be25f2da31 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 7 Sep 2022 18:20:09 +0800 Subject: [PATCH 090/209] ignore https error for solaris --- .github/workflows/DNS.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 47f9a358..a7369265 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -236,7 +236,7 @@ jobs: OpenBSD: runs-on: macos-12 - needs: Solaris + needs: FreeBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -379,7 +379,7 @@ jobs: Solaris: runs-on: macos-12 - needs: FreeBSD + needs: DragonFlyBSD env: TEST_DNS : ${{ secrets.TEST_DNS }} TestingDomain: ${{ secrets.TestingDomain }} @@ -391,7 +391,7 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} - HTTPS_INSECURE: ${{ secrets.HTTPS_INSECURE }} + HTTPS_INSECURE: 1 # always set to 1 to ignore https error, sincc Solaris doesn't accept the expired ISRG X1 root steps: - uses: actions/checkout@v2 - name: Clone acmetest From 47e60cefe3119fc89931e232058d5807ae2ef68d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kevin=20K=C3=B6llmann?= Date: Wed, 7 Sep 2022 13:07:04 +0200 Subject: [PATCH 091/209] Use new searchMasterDomain API endpoint --- dnsapi/dns_opnsense.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh index 96d4b788..1c5988d2 100755 --- a/dnsapi/dns_opnsense.sh +++ b/dnsapi/dns_opnsense.sh @@ -137,7 +137,7 @@ _get_root() { domain=$1 i=2 p=1 - if _opns_rest "GET" "/domain/searchDomain"; then + if _opns_rest "GET" "/domain/searchMasterDomain"; then _domain_response="$response" else return 1 From 69aeb70cc3b149597c0525e65117b2bfa9999326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kevin=20K=C3=B6llmann?= Date: Wed, 7 Sep 2022 13:07:29 +0200 Subject: [PATCH 092/209] Slightly modify regex to conform to new API response format --- dnsapi/dns_opnsense.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh index 1c5988d2..c2806a1b 100755 --- a/dnsapi/dns_opnsense.sh +++ b/dnsapi/dns_opnsense.sh @@ -150,7 +150,7 @@ _get_root() { return 1 fi _debug h "$h" - id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",[^.]*,\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) + id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) if [ -n "$id" ]; then _debug id "$id" _host=$(printf "%s" "$domain" | cut -d . -f 1-$p) From b3df1a2bf83bcbea3106547c75ae3d84c9895225 Mon Sep 17 00:00:00 2001 From: Shane Bishop Date: Wed, 7 Sep 2022 13:42:30 -0600 Subject: [PATCH 093/209] 'i' should start with 1 Since domain alias mode won't have the '_acme-challenge' prefix. --- dnsapi/dns_dgon.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/dnsapi/dns_dgon.sh b/dnsapi/dns_dgon.sh index ac14da48..259f4d39 100755 --- a/dnsapi/dns_dgon.sh +++ b/dnsapi/dns_dgon.sh @@ -205,9 +205,7 @@ _get_base_domain() { fi _debug2 domain_list "$domain_list" - ## for each shortening of our $fulldomain, check if it exists in the $domain_list - ## can never start on 1 (aka whole $fulldomain) as $fulldomain starts with "_acme-challenge" - i=2 + i=1 while [ $i -gt 0 ]; do ## get next longest domain _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM") From dcc9624c15e32cb5d9d90cf381c7789d9242b7d1 Mon Sep 17 00:00:00 2001 From: Shane Bishop Date: Wed, 7 Sep 2022 15:37:49 -0600 Subject: [PATCH 094/209] Update dns_dgon.sh Make sure to initialize 'found' so that it isn't contaminated from previous commands/requests. --- dnsapi/dns_dgon.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_dgon.sh b/dnsapi/dns_dgon.sh index 259f4d39..afe1b32e 100755 --- a/dnsapi/dns_dgon.sh +++ b/dnsapi/dns_dgon.sh @@ -192,6 +192,7 @@ _get_base_domain() { ## get URL for the list of domains ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}} DOMURL="https://api.digitalocean.com/v2/domains" + found="" ## while we dont have a matching domain we keep going while [ -z "$found" ]; do From 8601267b900a65ed5341a77993e3150e591ce872 Mon Sep 17 00:00:00 2001 From: neil Date: Thu, 8 Sep 2022 21:56:37 +0800 Subject: [PATCH 095/209] fix https://github.com/acmesh-official/acme.sh/issues/4301 --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 428c016f..0d61e2b5 100755 --- a/acme.sh +++ b/acme.sh @@ -7442,17 +7442,17 @@ _process() { shift ;; --home) - LE_WORKING_DIR="$2" + export LE_WORKING_DIR="$2" shift ;; --cert-home | --certhome) _certhome="$2" - CERT_HOME="$_certhome" + export CERT_HOME="$_certhome" shift ;; --config-home) _confighome="$2" - LE_CONFIG_HOME="$_confighome" + export LE_CONFIG_HOME="$_confighome" shift ;; --useragent) From 0a47f48191064680b6fce97b0d05f8805f4a8727 Mon Sep 17 00:00:00 2001 From: neil Date: Thu, 8 Sep 2022 22:09:39 +0800 Subject: [PATCH 096/209] fix https://github.com/acmesh-official/acme.sh/issues/4301 --- acme.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 0d61e2b5..6420d06f 100755 --- a/acme.sh +++ b/acme.sh @@ -2561,7 +2561,7 @@ __initHome() { _script_home="$(dirname "$_script")" _debug "_script_home" "$_script_home" if [ -d "$_script_home" ]; then - _SCRIPT_HOME="$_script_home" + export _SCRIPT_HOME="$_script_home" else _err "It seems the script home is not correct:$_script_home" fi @@ -6557,7 +6557,7 @@ install() { if [ "$_accountemail" ]; then _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail" fi - + _saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)" _info OK } @@ -6921,8 +6921,6 @@ installOnline() { chmod +x $PROJECT_ENTRY if ./$PROJECT_ENTRY --install "$@"; then _info "Install success!" - _initpath - _saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)" fi cd .. From 60bcee8c1d6cdec6884a558ee20a6e8579e56483 Mon Sep 17 00:00:00 2001 From: Svante Richter Date: Sat, 10 Sep 2022 20:15:55 +0200 Subject: [PATCH 097/209] Add rage4 dns api --- dnsapi/dns_rage4.sh | 115 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100755 dnsapi/dns_rage4.sh diff --git a/dnsapi/dns_rage4.sh b/dnsapi/dns_rage4.sh new file mode 100755 index 00000000..4af4541d --- /dev/null +++ b/dnsapi/dns_rage4.sh @@ -0,0 +1,115 @@ +#!/usr/bin/env sh + +# +#RAGE4_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#RAGE4_USERNAME="xxxx@sss.com" + +RAGE4_Api="https://rage4.com/rapi/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_rage4_add() { + fulldomain=$1 + txtvalue=$2 + + unquotedtxtvalue=$(echo "$txtvalue" | tr -d \") + + RAGE4_USERNAME="${RAGE4_USERNAME:-$(_readaccountconf_mutable RAGE4_USERNAME)}" + RAGE4_TOKEN="${RAGE4_TOKEN:-$(_readaccountconf_mutable RAGE4_TOKEN)}" + + if [ -z "$RAGE4_USERNAME" ] || [ -z "$RAGE4_TOKEN" ]; then + RAGE4_USERNAME="" + RAGE4_TOKEN="" + _err "You didn't specify a Rage4 api token and username yet." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable RAGE4_USERNAME "$RAGE4_USERNAME" + _saveaccountconf_mutable RAGE4_TOKEN "$RAGE4_TOKEN" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + + _rage4_rest "createrecord/?id=$_domain_id&name=$fulldomain&content=$unquotedtxtvalue&type=TXT&active=true&ttl=1" + return 0 +} + +#fulldomain txtvalue +dns_rage4_rm() { + fulldomain=$1 + txtvalue=$2 + + RAGE4_USERNAME="${RAGE4_USERNAME:-$(_readaccountconf_mutable RAGE4_USERNAME)}" + RAGE4_TOKEN="${RAGE4_TOKEN:-$(_readaccountconf_mutable RAGE4_TOKEN)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + + _debug "Getting txt records" + _rage4_rest "getrecords/?id=${_domain_id}" + + _record_id=$(echo "$response" | sed -rn 's/.*"id":([[:digit:]]+)[^\}]*'"$txtvalue"'.*/\1/p') + _rage4_rest "deleterecord/?id=${_record_id}" + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + + if ! _rage4_rest "getdomains"; then + return 1 + fi + _debug _get_root_domain "$domain" + + for line in $(echo "$response" | tr '}' '\n'); do + __domain=$(echo "$line" | sed -rn 's/.*"name":"([^"]*)",.*/\1/p') + __domain_id=$(echo "$line" | sed -rn 's/.*"id":([^,]*),.*/\1/p') + if [ "$domain" != "${domain%"$__domain"*}" ]; then + _domain_id="$__domain_id" + break + fi + done + + if [ -z "$_domain_id" ]; then + return 1 + fi + + return 0 +} + +_rage4_rest() { + ep="$1" + _debug "$ep" + + username_trimmed=$(echo "$RAGE4_USERNAME" | tr -d '"') + token_trimmed=$(echo "$RAGE4_TOKEN" | tr -d '"') + auth=$(printf '%s:%s' "$username_trimmed" "$token_trimmed" | _base64) + + export _H1="Content-Type: application/json" + export _H2="Authorization: Basic $auth" + + response="$(_get "$RAGE4_Api$ep")" + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 4e9749f655735ef0cf27ce51eb808cdf194f28f7 Mon Sep 17 00:00:00 2001 From: Marc Date: Fri, 16 Sep 2022 14:10:10 +0800 Subject: [PATCH 098/209] Prevent erasure of saved access token --- dnsapi/dns_netlify.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_netlify.sh b/dnsapi/dns_netlify.sh index 65e803c5..0e5dc327 100644 --- a/dnsapi/dns_netlify.sh +++ b/dnsapi/dns_netlify.sh @@ -18,15 +18,15 @@ dns_netlify_add() { NETLIFY_ACCESS_TOKEN="" _err "Please specify your Netlify Access Token and try again." return 1 + else + _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN" fi _info "Using Netlify" _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" - _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN" - - if ! _get_root "$fulldomain" "$accesstoken"; then + if ! _get_root "$fulldomain"; then _err "invalid domain" return 1 fi @@ -62,9 +62,9 @@ dns_netlify_rm() { _debug txtdomain "$txtdomain" _debug txt "$txt" - _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN" + NETLIFY_ACCESS_TOKEN="${NETLIFY_ACCESS_TOKEN:-$(_readaccountconf_mutable NETLIFY_ACCESS_TOKEN)}" - if ! _get_root "$txtdomain" "$accesstoken"; then + if ! _get_root "$txtdomain"; then _err "invalid domain" return 1 fi From c2a7e384ba5ad8e5c0ef8e4ac69f7c620fe1f80b Mon Sep 17 00:00:00 2001 From: Klaus Frank Date: Sun, 18 Sep 2022 22:03:52 +0200 Subject: [PATCH 099/209] Fix linting issue --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 906dedfc..6c916ed8 100755 --- a/acme.sh +++ b/acme.sh @@ -1999,7 +1999,7 @@ _post() { if [ "$_ret" != "0" ]; then _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret" fi - if echo $_WGET | grep -q " -d " 2> /dev/null; then + if echo $_WGET | grep -q " -d " 2>/dev/null; then # Demultiplex wget debug output cat "$HTTP_HEADER" >&2 _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" @@ -2059,14 +2059,14 @@ _get() { _debug "_WGET" "$_WGET" if [ "$onlyheader" ]; then _wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" - if echo $_WGET | grep -q " -d " 2> /dev/null; then + if echo $_WGET | grep -q " -d " 2>/dev/null; then # Demultiplex wget debug output echo "$_wget_out" >&2 echo "$_wget_out" | sed '/^[^ ][^ ]/d; /^ *$/d; s/^ //g' - fi else $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O - "$url" 2>"$HTTP_HEADER" - if echo $_WGET | grep -q " -d " 2> /dev/null; then + if echo $_WGET | grep -q " -d " 2>/dev/null; then # Demultiplex wget debug output cat "$HTTP_HEADER" >&2 _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" From e947870da956b42f6d84abb0088c75886d27dd06 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 23 Sep 2022 22:39:53 +0800 Subject: [PATCH 100/209] minor --- dnsapi/dns_gcloud.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_gcloud.sh b/dnsapi/dns_gcloud.sh index bda5cbd7..2788ad59 100755 --- a/dnsapi/dns_gcloud.sh +++ b/dnsapi/dns_gcloud.sh @@ -39,7 +39,7 @@ dns_gcloud_rm() { _dns_gcloud_start_tr || return $? _dns_gcloud_get_rrdatas || return $? echo "$rrdatas" | _dns_gcloud_remove_rrs || return $? - echo "$rrdatas" | grep -F -v "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $? + echo "$rrdatas" | grep -F -v -- "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $? _dns_gcloud_execute_tr || return $? _info "$fulldomain record added" From dd207e1f02f3995c69fa6dcb8cdd9c7c86a7917d Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 24 Sep 2022 22:00:39 +0800 Subject: [PATCH 101/209] fix https://github.com/acmesh-official/acme.sh/issues/4285 --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 6420d06f..8edd7a19 100755 --- a/acme.sh +++ b/acme.sh @@ -4866,7 +4866,9 @@ $_authorizations_map" _on_issue_err "$_post_hook" "$vlist" return 1 fi - + if ! chmod a+r "$wellknown_path/$token"; then + _debug "chmod failed, but we just continue." + fi if [ ! "$usingApache" ]; then if webroot_owner=$(_stat "$_currentRoot"); then _debug "Changing owner/group of .well-known to $webroot_owner" From ef26075a1c575ed02f3bad419461cf141cba900d Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 24 Sep 2022 23:58:44 +0800 Subject: [PATCH 102/209] export TokenName --- .github/workflows/DNS.yml | 52 ++++++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 6 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index a7369265..be44c09b 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -59,6 +59,11 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Clone acmetest @@ -102,6 +107,11 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Install tools @@ -145,6 +155,11 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - name: Set git to use LF run: | @@ -202,13 +217,18 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg install -y socat curl usesh: true copyback: false @@ -248,13 +268,18 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg_add socat curl usesh: true copyback: false @@ -294,13 +319,18 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | pkg_add curl socat usesh: true @@ -341,13 +371,18 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | pkg install -y curl socat usesh: true @@ -391,14 +426,19 @@ jobs: DEBUG: ${{ secrets.DEBUG }} http_proxy: ${{ secrets.http_proxy }} https_proxy: ${{ secrets.https_proxy }} - HTTPS_INSECURE: 1 # always set to 1 to ignore https error, sincc Solaris doesn't accept the expired ISRG X1 root + HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since Solaris doesn't accept the expired ISRG X1 root + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v2 - name: Clone acmetest run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 with: - envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false prepare: pkgutil -y -i socat run: | From 41dbf1ddac7ada00c7b83688594b95b2b40b2ad9 Mon Sep 17 00:00:00 2001 From: Klaus Frank Date: Tue, 27 Sep 2022 22:47:35 +0200 Subject: [PATCH 103/209] use _contains instead of grep --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 6c916ed8..a593898b 100755 --- a/acme.sh +++ b/acme.sh @@ -1999,7 +1999,7 @@ _post() { if [ "$_ret" != "0" ]; then _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret" fi - if echo $_WGET | grep -q " -d " 2>/dev/null; then + if _contains "$_WGET" " -d "; then # Demultiplex wget debug output cat "$HTTP_HEADER" >&2 _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" @@ -2059,14 +2059,14 @@ _get() { _debug "_WGET" "$_WGET" if [ "$onlyheader" ]; then _wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" - if echo $_WGET | grep -q " -d " 2>/dev/null; then + if _contains "$_WGET" " -d "; then # Demultiplex wget debug output echo "$_wget_out" >&2 echo "$_wget_out" | sed '/^[^ ][^ ]/d; /^ *$/d; s/^ //g' - fi else $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O - "$url" 2>"$HTTP_HEADER" - if echo $_WGET | grep -q " -d " 2>/dev/null; then + if _contains "$_WGET" " -d "; then # Demultiplex wget debug output cat "$HTTP_HEADER" >&2 _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" From c541a2e5de69038d56a899e8b03247409b39a513 Mon Sep 17 00:00:00 2001 From: srirams <638940+srirams@users.noreply.github.com> Date: Wed, 28 Sep 2022 18:22:13 -0500 Subject: [PATCH 104/209] add addon_domans --- deploy/cpanel_uapi.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/cpanel_uapi.sh b/deploy/cpanel_uapi.sh index eea96248..fd36a915 100644 --- a/deploy/cpanel_uapi.sh +++ b/deploy/cpanel_uapi.sh @@ -194,7 +194,7 @@ __cpanel_parse_response() { printf("%s%s=%s\n", prefix, $2, $3); } }' | - sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-)=(.*)$/\2/p' + sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-|addon_domains\/-)=(.*)$/\2/p' } # Load parameter by prefix+name - fallback to default if not set, and save to config From a7dd86de71400c48127038ba61603dfdf52133ca Mon Sep 17 00:00:00 2001 From: Markus Lippert Date: Thu, 29 Sep 2022 12:22:45 +0200 Subject: [PATCH 105/209] fix(deploy-synology_dsm): support DID with DSM 7 --- deploy/synology_dsm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index f30f82c0..c31a5df0 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -108,7 +108,7 @@ synology_dsm_deploy() { _debug3 H1 "${_H1}" fi - response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") + response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') _debug3 response "$response" _debug token "$token" From d761bdc1b1b3de398fff2cf3625f6a2b1f0249c8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 30 Sep 2022 18:03:47 +0800 Subject: [PATCH 106/209] minor, just indent usage --- acme.sh | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/acme.sh b/acme.sh index 8edd7a19..adecf79b 100755 --- a/acme.sh +++ b/acme.sh @@ -6790,37 +6790,37 @@ Commands: Parameters: -d, --domain Specifies a domain, used to issue, renew or revoke etc. --challenge-alias The challenge domain alias for DNS alias mode. - See: $_DNS_ALIAS_WIKI + See: $_DNS_ALIAS_WIKI --domain-alias The domain alias for DNS alias mode. - See: $_DNS_ALIAS_WIKI + See: $_DNS_ALIAS_WIKI --preferred-chain If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. - If no match, the default offered chain will be used. (default: empty) - See: $_PREFERRED_CHAIN_WIKI + If no match, the default offered chain will be used. (default: empty) + See: $_PREFERRED_CHAIN_WIKI --valid-to Request the NotAfter field of the cert. - See: $_VALIDITY_WIKI + See: $_VALIDITY_WIKI --valid-from Request the NotBefore field of the cert. - See: $_VALIDITY_WIKI + See: $_VALIDITY_WIKI -f, --force Force install, force cert renewal or override sudo restrictions. --staging, --test Use staging server, for testing. --debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted. --output-insecure Output all the sensitive messages. - By default all the credentials/sensitive messages are hidden from the output/debug/log for security. + By default all the credentials/sensitive messages are hidden from the output/debug/log for security. -w, --webroot Specifies the web root folder for web root mode. --standalone Use standalone mode. --alpn Use standalone alpn mode. --stateless Use stateless mode. - See: $_STATELESS_WIKI + See: $_STATELESS_WIKI --apache Use apache mode. --dns [dns_hook] Use dns manual mode or dns api. Defaults to manual mode when argument is omitted. - See: $_DNS_API_WIKI + See: $_DNS_API_WIKI --dnssleep The time in seconds to wait for all the txt records to propagate in dns api mode. - It's not necessary to use this by default, $PROJECT_NAME polls dns status by DOH automatically. + It's not necessary to use this by default, $PROJECT_NAME polls dns status by DOH automatically. -k, --keylength Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521. -ak, --accountkeylength Specifies the account key length: 2048, 3072, 4096 --log [file] Specifies the log file. Defaults to \"$DEFAULT_LOG_FILE\" if argument is omitted. @@ -6839,7 +6839,7 @@ Parameters: --reloadcmd Command to execute after issue/renew to reload the server. --server ACME Directory Resource URI. (default: $DEFAULT_CA) - See: $_SERVER_WIKI + See: $_SERVER_WIKI --accountconf Specifies a customized account config file. --home Specifies the home dir for $PROJECT_NAME. @@ -6858,7 +6858,7 @@ Parameters: --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate. --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl. --no-cron Only valid for '--install' command, which means: do not install the default cron job. - In this case, the certs will not be renewed automatically. + In this case, the certs will not be renewed automatically. --no-profile Only valid for '--install' command, which means: do not install aliases to user profile. --no-color Do not output color text. --force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails. @@ -6876,20 +6876,20 @@ Parameters: --openssl-bin Specifies a custom openssl bin location. --use-wget Force to use wget, if you have both curl and wget installed. --yes-I-know-dns-manual-mode-enough-go-ahead-please Force use of dns manual mode. - See: $_DNS_MANUAL_WIKI + See: $_DNS_MANUAL_WIKI -b, --branch Only valid for '--upgrade' command, specifies the branch name to upgrade to. --notify-level <0|1|2|3> Set the notification level: Default value is $NOTIFY_LEVEL_DEFAULT. - 0: disabled, no notification will be sent. - 1: send notifications only when there is an error. - 2: send notifications when a cert is successfully renewed, or there is an error. - 3: send notifications when a cert is skipped, renewed, or error. + 0: disabled, no notification will be sent. + 1: send notifications only when there is an error. + 2: send notifications when a cert is successfully renewed, or there is an error. + 3: send notifications when a cert is skipped, renewed, or error. --notify-mode <0|1> Set notification mode. Default value is $NOTIFY_MODE_DEFAULT. - 0: Bulk mode. Send all the domain's notifications in one message(mail). - 1: Cert mode. Send a message for every single cert. + 0: Bulk mode. Send all the domain's notifications in one message(mail). + 1: Cert mode. Send a message for every single cert. --notify-hook Set the notify hook --revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command. - See: $_REVOKE_WIKI + See: $_REVOKE_WIKI --password Add a password to exported pfx file. Use with --to-pkcs12. From 45090fc897d6767873174b336d9b4ead9e09147a Mon Sep 17 00:00:00 2001 From: Bjarne Saltbaek Date: Sat, 1 Oct 2022 14:58:12 +0200 Subject: [PATCH 107/209] Better way to catch success or failure --- dnsapi/dns_cpanel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_cpanel.sh b/dnsapi/dns_cpanel.sh index 053b3ff3..d31e702d 100755 --- a/dnsapi/dns_cpanel.sh +++ b/dnsapi/dns_cpanel.sh @@ -139,7 +139,7 @@ _get_root() { } _successful_update() { - if (echo "$_result" | grep -q 'newserial'); then return 0; fi + if (echo "$_result" | _egrep_o 'data":\[[^]]*]' | grep -q '"newserial":null'); then return 1; fi return 1 } From 9feeba8d4b3448d06a73c29c9e4070db3263e58d Mon Sep 17 00:00:00 2001 From: Bjarne Saltbaek Date: Sat, 1 Oct 2022 15:19:02 +0200 Subject: [PATCH 108/209] Forgot to apply the changed default return value --- dnsapi/dns_cpanel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_cpanel.sh b/dnsapi/dns_cpanel.sh index d31e702d..f6126bcb 100755 --- a/dnsapi/dns_cpanel.sh +++ b/dnsapi/dns_cpanel.sh @@ -140,7 +140,7 @@ _get_root() { _successful_update() { if (echo "$_result" | _egrep_o 'data":\[[^]]*]' | grep -q '"newserial":null'); then return 1; fi - return 1 + return 0 } _findentry() { From 2c90d220b83f3e24a80c99d8448c5d3582b33487 Mon Sep 17 00:00:00 2001 From: sasburg Date: Sat, 1 Oct 2022 17:47:13 -0700 Subject: [PATCH 109/209] Updated comment to reflect the change to function --- deploy/cpanel_uapi.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/cpanel_uapi.sh b/deploy/cpanel_uapi.sh index fd36a915..38032b56 100644 --- a/deploy/cpanel_uapi.sh +++ b/deploy/cpanel_uapi.sh @@ -173,7 +173,7 @@ cpanel_uapi_deploy() { ######## Private functions ##################### -# Internal utility to process YML from UAPI - only looks at main_domain and sub_domains +# Internal utility to process YML from UAPI - only looks at main_domain, sub_domains and addon domains #[response] __cpanel_parse_response() { if [ $# -gt 0 ]; then resp="$*"; else resp="$(cat)"; fi From e02f07d3568d411b453b2855072d16bea5e96e82 Mon Sep 17 00:00:00 2001 From: sasburg Date: Sat, 1 Oct 2022 18:11:46 -0700 Subject: [PATCH 110/209] add parked_domans --- deploy/cpanel_uapi.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/cpanel_uapi.sh b/deploy/cpanel_uapi.sh index 38032b56..e5381b61 100644 --- a/deploy/cpanel_uapi.sh +++ b/deploy/cpanel_uapi.sh @@ -173,7 +173,7 @@ cpanel_uapi_deploy() { ######## Private functions ##################### -# Internal utility to process YML from UAPI - only looks at main_domain, sub_domains and addon domains +# Internal utility to process YML from UAPI - looks at main_domain, sub_domains, addon domains and parked domains #[response] __cpanel_parse_response() { if [ $# -gt 0 ]; then resp="$*"; else resp="$(cat)"; fi @@ -194,7 +194,7 @@ __cpanel_parse_response() { printf("%s%s=%s\n", prefix, $2, $3); } }' | - sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-|addon_domains\/-)=(.*)$/\2/p' + sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-|addon_domains\/-|parked_domains\/-)=(.*)$/\2/p' } # Load parameter by prefix+name - fallback to default if not set, and save to config From f8ca6d98337a2eb1dbfcde8f730241eb46884a94 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 5 Oct 2022 13:14:25 +0800 Subject: [PATCH 111/209] fix https://github.com/acmesh-official/acme.sh/issues/1335 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index f308e027..701da6eb 100755 --- a/acme.sh +++ b/acme.sh @@ -1235,7 +1235,7 @@ _createcsr() { _debug2 csr "$csr" _debug2 csrconf "$csrconf" - printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\n" >"$csrconf" + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\nextendedKeyUsage=serverAuth,clientAuth\n" >"$csrconf" if [ "$acmeValidationv1" ]; then domainlist="$(_idn "$domainlist")" From 666c716bdae095252f75d6d58dd694baffee42e9 Mon Sep 17 00:00:00 2001 From: Adam Tao Date: Tue, 11 Oct 2022 20:36:09 +0800 Subject: [PATCH 112/209] Fix error during saving conf There might be '|' in __val (e.g., SYNO_Password), which will cause that all content of the conf file is cleared. Fix it by escaping '|' manually. Signed-off-by: Adam Tao --- acme.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/acme.sh b/acme.sh index e1ee3867..1ba2c6a5 100755 --- a/acme.sh +++ b/acme.sh @@ -2266,6 +2266,9 @@ _setopt() { if _contains "$__val" "&"; then __val="$(echo "$__val" | sed 's/&/\\&/g')" fi + if _contains "$__val" "|"; then + __val="$(echo "$__val" | sed 's/|/\\|/g')" + fi text="$(cat "$__conf")" printf -- "%s\n" "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf" @@ -2273,6 +2276,9 @@ _setopt() { if _contains "$__val" "&"; then __val="$(echo "$__val" | sed 's/&/\\&/g')" fi + if _contains "$__val" "|"; then + __val="$(echo "$__val" | sed 's/|/\\|/g')" + fi text="$(cat "$__conf")" printf -- "%s\n" "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf" From 1c16931e260d0dec38ee8c8857c5f33960adceb4 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 16 Oct 2022 16:06:01 +0800 Subject: [PATCH 113/209] add Le_Next_Domain_Key for tlsa fix https://github.com/acmesh-official/acme.sh/issues/3096 Usage: https://github.com/acmesh-official/acme.sh/wiki/tlsa-next-key --- acme.sh | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/acme.sh b/acme.sh index 1ba2c6a5..1ee76307 100755 --- a/acme.sh +++ b/acme.sh @@ -4423,6 +4423,7 @@ issue() { _debug "_saved_account_key_hash is not changed, skip register account." fi + export Le_Next_Domain_Key="$CERT_KEY_PATH.next" if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then _info "Signing from existing CSR." else @@ -4435,14 +4436,30 @@ issue() { fi _debug "Read key length:$_key" if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then - if ! createDomainKey "$_main_domain" "$_key_length"; then - _err "Create domain key error." - _clearup - _on_issue_err "$_post_hook" + if [ "$Le_ForceNewDomainKey" = "1" ] && [ -f "$Le_Next_Domain_Key" ]; then + _info "Using pre generated key: $Le_Next_Domain_Key" + cat "$Le_Next_Domain_Key" >"$CERT_KEY_PATH" + echo "" >"$Le_Next_Domain_Key" + else + if ! createDomainKey "$_main_domain" "$_key_length"; then + _err "Create domain key error." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + fi + fi + if [ "$Le_ForceNewDomainKey" ]; then + _info "Generate next pre-generate key." + if [ ! -e "$Le_Next_Domain_Key" ]; then + touch "$Le_Next_Domain_Key" + chmod 600 "$Le_Next_Domain_Key" + fi + if ! _createkey "$_key_length" "$Le_Next_Domain_Key"; then + _err "Can not pre generate domain key" return 1 fi fi - if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then _err "Create CSR error." _clearup @@ -5178,6 +5195,9 @@ $_authorizations_map" [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")" [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")" + if [ "$Le_ForceNewDomainKey" ] && [ -e "$Le_Next_Domain_Key" ]; then + _info "Your pre-generated next key for future cert key change is in: $(__green "$Le_Next_Domain_Key")" + fi Le_CertCreateTime=$(_time) _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime" @@ -5752,7 +5772,8 @@ installcert() { _savedomainconf "Le_RealKeyPath" "$_real_key" _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64" _savedomainconf "Le_RealFullChainPath" "$_real_fullchain" - + export Le_ForceNewDomainKey="$(_readdomainconf Le_ForceNewDomainKey)" + export Le_Next_Domain_Key _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd" } @@ -5844,6 +5865,8 @@ _installcert() { export CA_CERT_PATH export CERT_FULLCHAIN_PATH export Le_Domain="$_main_domain" + export Le_ForceNewDomainKey + export Le_Next_Domain_Key cd "$DOMAIN_PATH" && eval "$_reload_cmd" ); then _info "$(__green "Reload success")" From 3c933158c888785494c177bf7e83aa4c25c56633 Mon Sep 17 00:00:00 2001 From: Peter Dave Hello Date: Mon, 17 Oct 2022 16:45:48 +0800 Subject: [PATCH 114/209] Use encrypted https instead of plain-text http when we can --- .github/workflows/DNS.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/Windows.yml | 2 +- dnsapi/dns_acmeproxy.sh | 2 +- dnsapi/dns_gandi_livedns.sh | 2 +- dnsapi/dns_kinghost.sh | 2 +- dnsapi/dns_leaseweb.sh | 2 +- dnsapi/dns_namecheap.sh | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index be44c09b..c13e3087 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -172,7 +172,7 @@ jobs: shell: cmd - name: Install cygwin additional packages run: | - C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git shell: cmd - name: Set ENV shell: cmd diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 10952778..9eee1668 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -61,7 +61,7 @@ jobs: nat: | "8080": "80" prepare: | - export PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" + export PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" pkg_add curl socat usesh: true copyback: false diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index 3b7bf2eb..773ceee3 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -57,7 +57,7 @@ jobs: shell: cmd - name: Install cygwin additional packages run: | - C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd shell: cmd - name: Set ENV shell: cmd diff --git a/dnsapi/dns_acmeproxy.sh b/dnsapi/dns_acmeproxy.sh index d4a0e172..9d5533f9 100644 --- a/dnsapi/dns_acmeproxy.sh +++ b/dnsapi/dns_acmeproxy.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -## Acmeproxy DNS provider to be used with acmeproxy (http://github.com/mdbraber/acmeproxy) +## Acmeproxy DNS provider to be used with acmeproxy (https://github.com/mdbraber/acmeproxy) ## API integration by Maarten den Braber ## ## Report any bugs via https://github.com/mdbraber/acme.sh diff --git a/dnsapi/dns_gandi_livedns.sh b/dnsapi/dns_gandi_livedns.sh index 87119521..931da883 100644 --- a/dnsapi/dns_gandi_livedns.sh +++ b/dnsapi/dns_gandi_livedns.sh @@ -1,7 +1,7 @@ #!/usr/bin/env sh # Gandi LiveDNS v5 API -# http://doc.livedns.gandi.net/ +# https://doc.livedns.gandi.net/ # currently under beta # # Requires GANDI API KEY set in GANDI_LIVEDNS_KEY set as environment variable diff --git a/dnsapi/dns_kinghost.sh b/dnsapi/dns_kinghost.sh index 6253c71d..f640242f 100644 --- a/dnsapi/dns_kinghost.sh +++ b/dnsapi/dns_kinghost.sh @@ -2,7 +2,7 @@ ############################################################ # KingHost API support # -# http://api.kinghost.net/doc/ # +# https://api.kinghost.net/doc/ # # # # Author: Felipe Keller Braz # # Report Bugs here: https://github.com/kinghost/acme.sh # diff --git a/dnsapi/dns_leaseweb.sh b/dnsapi/dns_leaseweb.sh index a1d9e749..63f81869 100644 --- a/dnsapi/dns_leaseweb.sh +++ b/dnsapi/dns_leaseweb.sh @@ -3,7 +3,7 @@ #Author: Rolph Haspers #Utilize leaseweb.com API to finish dns-01 verifications. #Requires a Leaseweb API Key (export LSW_Key="Your Key") -#See http://developer.leaseweb.com for more information. +#See https://developer.leaseweb.com for more information. ######## Public functions ##################### LSW_API="https://api.leaseweb.com/hosting/v2/domains/" diff --git a/dnsapi/dns_namecheap.sh b/dnsapi/dns_namecheap.sh index dcd87723..a5f667a9 100755 --- a/dnsapi/dns_namecheap.sh +++ b/dnsapi/dns_namecheap.sh @@ -82,7 +82,7 @@ _get_root() { _debug "Failed domain lookup via domains.getList api call. Trying domain lookup via domains.dns.getHosts api." # The above "getList" api will only return hosts *owned* by the calling user. However, if the calling # user is not the owner, but still has administrative rights, we must query the getHosts api directly. - # See this comment and the official namecheap response: http://disq.us/p/1q6v9x9 + # See this comment and the official namecheap response: https://disq.us/p/1q6v9x9 if ! _get_root_by_getHosts "$fulldomain"; then return 1 fi From 424da018782cf0c6f10ba2f8093a0898257cf899 Mon Sep 17 00:00:00 2001 From: Peter Dave Hello Date: Mon, 17 Oct 2022 18:49:10 +0800 Subject: [PATCH 115/209] Reduce acmetest git clone depth to speed up CI pipeline --- .github/workflows/DNS.yml | 16 ++++++++-------- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/Linux.yml | 2 +- .github/workflows/MacOS.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/PebbleStrict.yml | 4 ++-- .github/workflows/Solaris.yml | 2 +- .github/workflows/Ubuntu.yml | 2 +- .github/workflows/Windows.yml | 2 +- 11 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index be44c09b..37397da8 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -67,7 +67,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file run: | cd ../acmetest @@ -117,7 +117,7 @@ jobs: - name: Install tools run: brew install socat - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest run: | if [ "${{ secrets.TokenName1}}" ] ; then @@ -179,7 +179,7 @@ jobs: run: | echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV% - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest shell: bash run: | @@ -225,7 +225,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -276,7 +276,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -327,7 +327,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -379,7 +379,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' @@ -435,7 +435,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 8581db47..2dff172a 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -54,7 +54,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index 795ddc75..c9f1d623 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -60,7 +60,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index 238b3016..d5c98a31 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -37,7 +37,7 @@ jobs: - name: Clone acmetest run: | cd .. \ - && git clone https://github.com/acmesh-official/acmetest.git \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ && cp -r acme.sh acmetest/ - name: Run acmetest run: | diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml index 69fb09f7..1a0b4488 100644 --- a/.github/workflows/MacOS.yml +++ b/.github/workflows/MacOS.yml @@ -50,7 +50,7 @@ jobs: - name: Clone acmetest run: | cd .. \ - && git clone https://github.com/acmesh-official/acmetest.git \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ && cp -r acme.sh acmetest/ - name: Run acmetest run: | diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 10952778..781e8fe0 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -54,7 +54,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index 9c21daa1..da46424a 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -60,7 +60,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index 7417b8b0..1740fc3f 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -41,7 +41,7 @@ jobs: - name: Set up Pebble run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4 - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest run: cd ../acmetest && ./letest.sh @@ -67,6 +67,6 @@ jobs: -e PEBBLE_VA_ALWAYS_VALID=1 \ -p 14000:14000 -p 15000:15000 letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest run: cd ../acmetest && ./letest.sh \ No newline at end of file diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 3a86d3dc..3488f78f 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -60,7 +60,7 @@ jobs: - name: Set envs run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 664ba92c..0a2ec971 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -88,7 +88,7 @@ jobs: - name: Clone acmetest run: | cd .. \ - && git clone https://github.com/acmesh-official/acmetest.git \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ && cp -r acme.sh acmetest/ - name: Run acmetest run: | diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index 3b7bf2eb..81e646e5 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -69,7 +69,7 @@ jobs: echo "PATH=%PATH%" - name: Clone acmetest shell: cmd - run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest shell: cmd run: cd ../acmetest && bash.exe -c ./letest.sh From c9a55f395bf17d5545604c3ef88193246ade1cb6 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Oct 2022 10:08:42 +0800 Subject: [PATCH 116/209] fix doh https://github.com/acmesh-official/acme.sh/issues/4369 --- acme.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 1ee76307..d6d8e48c 100755 --- a/acme.sh +++ b/acme.sh @@ -4050,8 +4050,7 @@ _ns_lookup_dp() { _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type" } -#domain, type -_ns_lookup() { +_ns_select_doh() { if [ -z "$DOH_USE" ]; then _debug "Detect dns server first." if _ns_is_available_cf; then @@ -4070,7 +4069,11 @@ _ns_lookup() { _err "No doh" fi fi +} +#domain, type +_ns_lookup() { + _ns_select_doh if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then _ns_lookup_cf "$@" elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then @@ -4093,6 +4096,7 @@ __check_txt() { _debug "_c_txtdomain" "$_c_txtdomain" _debug "_c_aliasdomain" "$_c_aliasdomain" _debug "_c_txt" "$_c_txt" + _ns_select_doh _answers="$(_ns_lookup "$_c_aliasdomain" TXT)" _contains "$_answers" "$_c_txt" From d102943a324ba85992c8a7703152f2aedf35bbcc Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 7 Nov 2022 22:36:40 +0800 Subject: [PATCH 117/209] upgrade actions/checkout@v3 --- .github/workflows/DNS.yml | 16 ++++++++-------- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/Linux.yml | 2 +- .github/workflows/MacOS.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/PebbleStrict.yml | 4 ++-- .github/workflows/Solaris.yml | 2 +- .github/workflows/Ubuntu.yml | 2 +- .github/workflows/Windows.yml | 2 +- .github/workflows/dockerhub.yml | 2 +- 12 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index dd031efd..17e98ae3 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -65,7 +65,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file @@ -113,7 +113,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: brew install socat - name: Clone acmetest @@ -164,7 +164,7 @@ jobs: - name: Set git to use LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install cygwin base packages with chocolatey run: | choco config get cacheLocation @@ -223,7 +223,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/freebsd-vm@v0 @@ -274,7 +274,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/openbsd-vm@v0 @@ -325,7 +325,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/netbsd-vm@v0 @@ -377,7 +377,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/dragonflybsd-vm@v0 @@ -433,7 +433,7 @@ jobs: TokenName4: ${{ secrets.TokenName4}} TokenName5: ${{ secrets.TokenName5}} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - uses: vmactions/solaris-vm@v0 diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 2dff172a..46a572f0 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -45,7 +45,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index c9f1d623..d83c5d84 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index d5c98a31..156fa5df 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -33,7 +33,7 @@ jobs: TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 TEST_ACME_Server: "LetsEncrypt.org_test" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Clone acmetest run: | cd .. \ diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml index 1a0b4488..c1f29769 100644 --- a/.github/workflows/MacOS.yml +++ b/.github/workflows/MacOS.yml @@ -44,7 +44,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: brew install socat - name: Clone acmetest diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 136640a2..e0cb5586 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -45,7 +45,7 @@ jobs: CA_EMAIL: ${{ matrix.CA_EMAIL }} TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index da46424a..f87ec207 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index 1740fc3f..9f3a98ce 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -33,7 +33,7 @@ jobs: TEST_CA: "Pebble Intermediate CA" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: sudo apt-get install -y socat - name: Run Pebble @@ -58,7 +58,7 @@ jobs: TEST_IPCERT: 1 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: sudo apt-get install -y socat - name: Run Pebble diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 3488f78f..e1aea253 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -51,7 +51,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: vmactions/cf-tunnel@v0.0.3 id: tunnel with: diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 0a2ec971..a6ec714c 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -70,7 +70,7 @@ jobs: TestingDomain: ${{ matrix.TestingDomain }} ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install tools run: sudo apt-get install -y socat wget - name: Start StepCA diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index e5dfb172..c02e2f77 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -49,7 +49,7 @@ jobs: - name: Set git to use LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install cygwin base packages with chocolatey run: | choco config get cacheLocation diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 4d9f34b3..bd2c01aa 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -41,7 +41,7 @@ jobs: if: "contains(needs.CheckToken.outputs.hasToken, 'true')" steps: - name: checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Set up Docker Buildx From 5a51454d136bb23eeb7d7fa6ca20bed00bfde7fd Mon Sep 17 00:00:00 2001 From: Jan Wagner Date: Thu, 17 Nov 2022 15:20:11 +0100 Subject: [PATCH 118/209] Update Alpine to 1.16.3 With #4399 applied we can pick minor versions safely. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 049649f6..79fd1d89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.15 +FROM alpine:3.16.3 RUN apk --no-cache add -f \ openssl \ From cdb238e41ce572647433880f3e3a4dd683990f3e Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:12:52 +0800 Subject: [PATCH 119/209] fix cf-tunnel --- .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/Solaris.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 46a572f0..6daa9be4 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -46,7 +46,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index d83c5d84..0fa55fd4 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -52,7 +52,7 @@ jobs: ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index e0cb5586..33bcf23c 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -46,7 +46,7 @@ jobs: TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index f87ec207..7746645a 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -52,7 +52,7 @@ jobs: ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index e1aea253..34d31a59 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -52,7 +52,7 @@ jobs: ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} steps: - uses: actions/checkout@v3 - - uses: vmactions/cf-tunnel@v0.0.3 + - uses: vmactions/cf-tunnel@v0 id: tunnel with: protocol: http From 60315e5b91507802371253be2d4cf5c8ebc079fd Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:28:17 +0800 Subject: [PATCH 120/209] fix shellcheck warnings --- deploy/gitlab.sh | 2 +- dnsapi/dns_dynv6.sh | 8 ++++---- dnsapi/dns_edgedns.sh | 2 +- dnsapi/dns_infomaniak.sh | 4 ++-- dnsapi/dns_servercow.sh | 2 +- dnsapi/dns_vultr.sh | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/gitlab.sh b/deploy/gitlab.sh index ba2d3122..d8a93ad2 100644 --- a/deploy/gitlab.sh +++ b/deploy/gitlab.sh @@ -67,7 +67,7 @@ gitlab_deploy() { error_response="error" - if test "${_response#*$error_response}" != "$_response"; then + if test ${_response#*"$error_response"} != "$_response"; then _err "Error in deploying certificate:" _err "$_response" return 1 diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 9efc9aeb..739eccf9 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -94,8 +94,8 @@ _get_domain() { _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')" for l in $_your_hosts; do #echo "host: $l" - if test "${_full_domain#*$l}" != "$_full_domain"; then - _record="${_full_domain%.$l}" + if test ${_full_domain#*"$l"} != "$_full_domain"; then + _record=${_full_domain%."$l"} _host=$l _debug "The host is $_host and the record $_record" return 0 @@ -143,7 +143,7 @@ _dns_dynv6_add_http() { return 1 fi _get_zone_name "$_zone_id" - record="${fulldomain%%.$_zone_name}" + record=${fulldomain%%."$_zone_name"} _set_record TXT "$record" "$txtvalue" if _contains "$response" "$txtvalue"; then _info "Successfully added record" @@ -161,7 +161,7 @@ _dns_dynv6_rm_http() { return 1 fi _get_zone_name "$_zone_id" - record="${fulldomain%%.$_zone_name}" + record=${fulldomain%%."$_zone_name"} _get_record_id "$_zone_id" "$record" "$txtvalue" _del_record "$_zone_id" "$_record_id" if [ -z "$response" ]; then diff --git a/dnsapi/dns_edgedns.sh b/dnsapi/dns_edgedns.sh index 11c132fa..27650eb1 100755 --- a/dnsapi/dns_edgedns.sh +++ b/dnsapi/dns_edgedns.sh @@ -418,7 +418,7 @@ _edgedns_make_data_to_sign() { _secure_debug2 "hdr" "$hdr" _edgedns_make_content_hash path="$(echo "$_request_url_path" | tr -d "\n\r" | sed 's/https\?:\/\///')" - path="${path#*$AKAMAI_HOST}" + path=${path#*"$AKAMAI_HOST"} _debug "hier path" "$path" # dont expose headers to sign so use MT string _mdata="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "$_request_method" "$AKAMAI_HOST" "$path" "" "$_hash" "$hdr")" diff --git a/dnsapi/dns_infomaniak.sh b/dnsapi/dns_infomaniak.sh index 765cf39d..a005132c 100755 --- a/dnsapi/dns_infomaniak.sh +++ b/dnsapi/dns_infomaniak.sh @@ -76,7 +76,7 @@ dns_infomaniak_add() { domain_id=${zone_and_id#* } # extract first part of domain - key=${fulldomain%.$zone} + key=${fulldomain%."$zone"} _debug "zone:$zone id:$domain_id key:$key" @@ -149,7 +149,7 @@ dns_infomaniak_rm() { domain_id=${zone_and_id#* } # extract first part of domain - key=${fulldomain%.$zone} + key=${fulldomain%."$zone"} _debug "zone:$zone id:$domain_id key:$key" diff --git a/dnsapi/dns_servercow.sh b/dnsapi/dns_servercow.sh index f70a2294..52137905 100755 --- a/dnsapi/dns_servercow.sh +++ b/dnsapi/dns_servercow.sh @@ -53,7 +53,7 @@ dns_servercow_add() { if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then _info "A txt record with the same name already exists." # trim the string on the left - txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"} + txtvalue_old=${response#*{\"name\":\""$_sub_domain"\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"} # trim the string on the right txtvalue_old=${txtvalue_old%%\"*} diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh index bd925fdb..58f14be1 100644 --- a/dnsapi/dns_vultr.sh +++ b/dnsapi/dns_vultr.sh @@ -139,7 +139,7 @@ _vultr_rest() { data="$3" _debug "$ep" - api_key_trimmed=$(echo $VULTR_API_KEY | tr -d '"') + api_key_trimmed=$(echo "$VULTR_API_KEY" | tr -d '"') export _H1="Authorization: Bearer $api_key_trimmed" export _H2='Content-Type: application/json' From e275cb1efd295f3d688569fec2b467d894830b44 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:33:29 +0800 Subject: [PATCH 121/209] fix shellcheck warnings --- .github/workflows/shellcheck.yml | 2 +- deploy/gitlab.sh | 2 +- dnsapi/dns_dynv6.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index d628ea93..9beb5489 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -26,7 +26,7 @@ jobs: - name: Install Shellcheck run: sudo apt-get install -y shellcheck - name: DoShellcheck - run: shellcheck -V && shellcheck -e SC2181 **/*.sh && echo "shellcheck OK" + run: shellcheck -V && shellcheck -e SC2181 -e SC2089 **/*.sh && echo "shellcheck OK" shfmt: runs-on: ubuntu-latest diff --git a/deploy/gitlab.sh b/deploy/gitlab.sh index d8a93ad2..595b6d20 100644 --- a/deploy/gitlab.sh +++ b/deploy/gitlab.sh @@ -67,7 +67,7 @@ gitlab_deploy() { error_response="error" - if test ${_response#*"$error_response"} != "$_response"; then + if test "${_response#*"$error_response"}" != "$_response"; then _err "Error in deploying certificate:" _err "$_response" return 1 diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 739eccf9..90814b1b 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -94,7 +94,7 @@ _get_domain() { _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')" for l in $_your_hosts; do #echo "host: $l" - if test ${_full_domain#*"$l"} != "$_full_domain"; then + if test "${_full_domain#*"$l"}" != "$_full_domain"; then _record=${_full_domain%."$l"} _host=$l _debug "The host is $_host and the record $_record" From e684abdacde657ea2a22ecc627e4d63b209131d3 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:34:58 +0800 Subject: [PATCH 122/209] fix checkout --- .github/workflows/shellcheck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 9beb5489..a5a08bbf 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -22,7 +22,7 @@ jobs: ShellCheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install Shellcheck run: sudo apt-get install -y shellcheck - name: DoShellcheck @@ -31,7 +31,7 @@ jobs: shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install shfmt run: curl -sSL https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64 -o ~/shfmt && chmod +x ~/shfmt - name: shfmt From 3a1c6d84f0f4609e98239512357599cade4c807f Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:40:34 +0800 Subject: [PATCH 123/209] fix shellcheck warnings --- dnsapi/dns_oci.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_oci.sh b/dnsapi/dns_oci.sh index 18d74410..3b81143f 100644 --- a/dnsapi/dns_oci.sh +++ b/dnsapi/dns_oci.sh @@ -265,6 +265,7 @@ _signed_request() { _response="$(_get "https://${_sig_host}${_sig_target}")" elif [ "$_curl_method" = "PATCH" ]; then export _H1="$_date_header" + # shellcheck disable=SC2090 export _H2="$_sig_body_sha256" export _H3="$_sig_body_type" export _H4="$_sig_body_length" From 7a756ebc4d08e60d5a127b220505d27fb54fe358 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:55:19 +0800 Subject: [PATCH 124/209] start v3.0.6 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..4d4aceb1 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=3.0.5 +VER=3.0.6 PROJECT_NAME="acme.sh" From ec0e871592d286b8cd4e1d407411f0ba17c775e6 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 23 Nov 2022 21:57:38 +0800 Subject: [PATCH 125/209] Use ec-256 as default key length fix https://github.com/acmesh-official/acme.sh/issues/2350#issuecomment-1324029469 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 4d4aceb1..c1a576a5 100755 --- a/acme.sh +++ b/acme.sh @@ -53,8 +53,8 @@ CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$ DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" -DEFAULT_ACCOUNT_KEY_LENGTH=2048 -DEFAULT_DOMAIN_KEY_LENGTH=2048 +DEFAULT_ACCOUNT_KEY_LENGTH=ec-256 +DEFAULT_DOMAIN_KEY_LENGTH=ec-256 DEFAULT_OPENSSL_BIN="openssl" From f4ed1b32b85d3cdf256168e698bc8e4261db7a3e Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Sat, 26 Nov 2022 18:12:11 +0330 Subject: [PATCH 126/209] Update dns_arvan.sh Update API URL --- dnsapi/dns_arvan.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 4c9217e5..2118883b 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -2,7 +2,7 @@ #Arvan_Token="Apikey xxxx" -ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains" +ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" #Author: Vahid Fardi #Report Bugs here: https://github.com/Neilpang/acme.sh # @@ -18,7 +18,7 @@ dns_arvan_add() { if [ -z "$Arvan_Token" ]; then _err "You didn't specify \"Arvan_Token\" token yet." - _err "You can get yours from here https://npanel.arvancloud.com/profile/api-keys" + _err "You can get yours from here https://npanel.arvancloud.ir/profile/api-keys" return 1 fi #save the api token to the account conf file. From 9f942a6b65bda8c97dbd989549a0ced034cb6f42 Mon Sep 17 00:00:00 2001 From: Kiril Isakov Date: Sat, 26 Nov 2022 16:00:03 +0100 Subject: [PATCH 127/209] Trim trailing slash in `--home` argument's value # What's expected Since in `acme.sh` path strings are concatenated with a hardcoded slash in between, the left operand must never end with a trailing slash for the resulting path to be valid. Otherwise, obviously, the resulting path will have two adjacent slashes in the middle and will not be valid. # What actually happens Even though I cannot tell for each of the input params, I know this for sure for the the `--home` argument's value. If I run `acme.sh` with `--home` argument's value being a path ending in a trailing slash, ```sh acme.sh ... --debug ... --home /some/path/ ... -d somedomainna.me ... ``` I get the following (distinct) occurrencies of resulting invalid paths containing two adjacent slashes: ``` [...] Using config home:/some/path/ [...] DOMAIN_PATH='/some/path//somedomainna.me' [...] _CURL='curl --silent --dump-header /some/path//http.header -L -g ' [...] The domain key is here: /some/path//somedomainna.me/somedomainna.me.key [...] _CURL='curl --silent --dump-header /some/path//http.header -L -g -I ' [...] Your cert is in: /some/path//somedomainna.me/somedomainna.me.cer [...] Your cert key is in: /some/path//somedomainna.me/somedomainna.me.key [...] The intermediate CA cert is in: /some/path//somedomainna.me/ca.cer [...] And the full chain certs is there: /some/path//somedomainna.me/fullchain.cer ``` # Suggested fix Trim trailing slash in `--home` argument's value from the get-go. --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..77f0b8c1 100755 --- a/acme.sh +++ b/acme.sh @@ -7496,7 +7496,7 @@ _process() { shift ;; --home) - export LE_WORKING_DIR="$2" + export LE_WORKING_DIR="${2%/}" shift ;; --cert-home | --certhome) From ecf1f17cf4088cfab6e891a7002c445fa4bb6a8e Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 27 Nov 2022 11:10:14 +0800 Subject: [PATCH 128/209] update key type --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 30e6e554..15bc4089 100644 --- a/README.md +++ b/README.md @@ -361,10 +361,6 @@ Ok, it's done. # 10. Issue ECC certificates -`Let's Encrypt` can now issue **ECDSA** certificates. - -And we support them too! - Just set the `keylength` parameter with a prefix `ec-`. For example: @@ -385,10 +381,12 @@ Please look at the `keylength` parameter above. Valid values are: -1. **ec-256 (prime256v1, "ECDSA P-256")** +1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** 2. **ec-384 (secp384r1, "ECDSA P-384")** 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** - +4. **2048 (RSA2048)** +5. **3072 (RSA3072)** +6. **4096 (RSA4096)** # 11. Issue Wildcard certificates From 4610204c831d39716d792bd975dbbda65ac06699 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Sun, 27 Nov 2022 10:21:24 +0330 Subject: [PATCH 129/209] Test CI --- dnsapi/dns_arvan.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 2118883b..593e789f 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -1,10 +1,10 @@ #!/usr/bin/env sh -#Arvan_Token="Apikey xxxx" +# Arvan_Token="Apikey xxxx" ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" -#Author: Vahid Fardi -#Report Bugs here: https://github.com/Neilpang/acme.sh +# Author: Vahid Fardi +# Report Bugs here: https://github.com/Neilpang/acme.sh # ######## Public functions ##################### From 264b9819ff92655c0714cc46e6a756201ffd9c9a Mon Sep 17 00:00:00 2001 From: Kiril Isakov Date: Sun, 27 Nov 2022 09:22:06 +0100 Subject: [PATCH 130/209] Replace the BASH parameter substitution mechanism (unsupported by sh) with standard commands (supported by sh) --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 77f0b8c1..714bd9bf 100755 --- a/acme.sh +++ b/acme.sh @@ -7496,7 +7496,7 @@ _process() { shift ;; --home) - export LE_WORKING_DIR="${2%/}" + export LE_WORKING_DIR="$(echo "$2" | sed 's|/$||')" shift ;; --cert-home | --certhome) From 04a5d794ac05acee31018a72d8e6df216a5f7e33 Mon Sep 17 00:00:00 2001 From: beartom <369622765@qq.com> Date: Sun, 27 Nov 2022 21:55:01 +0800 Subject: [PATCH 131/209] Update truenas.sh for certificate in chart release Update certificate in chart release of TrueCharts if any chart release Apps is using the same certificate as TrueNAS web UI. --- deploy/truenas.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 84cfd5f4..3f36a56e 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -184,6 +184,30 @@ truenas_deploy() { _info "S3 certificate is not configured or is not the same as TrueNAS web UI" fi + +_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + if _exists jq; then + _info "Query all chart release" + _release_list=$(_get "$_api_url/chart/release") + _related_name_list=$(printf "%s" $_release_list | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _release_length=$(printf "%s" $_related_name_list | jq -r "length") + _info "Found $_release_length related chart release in list: $_related_name_list" + for i in $(seq 0 $((_release_length-1))); + do + _release_name=$(echo $_related_name_list | jq -r ".[$i]") + _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" + #Read the chart release configuration + _chart_config=$(printf "%s" $_release_list | jq -r ".[] | select(.name==\"$_release_name\")") + #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress + _updated_chart_config=$(printf "%s" $_chart_config | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" + _debug3 _update_chart_result "$_update_chart_result" + done + else + _info "Tool 'jq' does not exists, skip chart release checking" + fi + + _info "Deleting old certificate" _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" From c07db3aa14e28689ee673832cf147494fb2ae2d4 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:09:17 +0330 Subject: [PATCH 132/209] add 'Accept' header --- dnsapi/dns_arvan.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 593e789f..b8c9da35 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -141,10 +141,11 @@ _arvan_rest() { response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" elif [ "$mtd" = "POST" ]; then export _H2="Content-Type: application/json" + export _H3="Accept: application/json" _debug data "$data" response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" else response="$(_get "$ARVAN_API_URL/$ep$data")" fi return 0 -} +} \ No newline at end of file From eab9603921789b541a8d8527b833a50f313f1381 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:11:17 +0330 Subject: [PATCH 133/209] Fix SH format --- dnsapi/dns_arvan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index b8c9da35..71ef2387 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -148,4 +148,4 @@ _arvan_rest() { response="$(_get "$ARVAN_API_URL/$ep$data")" fi return 0 -} \ No newline at end of file +} From 0c0d1d4e5210bd5b03f91df789f2471b09e849c7 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Mon, 28 Nov 2022 16:22:25 +0330 Subject: [PATCH 134/209] Update duplicate message --- dnsapi/dns_arvan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh index 71ef2387..4ca5b685 100644 --- a/dnsapi/dns_arvan.sh +++ b/dnsapi/dns_arvan.sh @@ -40,7 +40,7 @@ dns_arvan_add() { _info "response id is $response" _info "Added, OK" return 0 - elif _contains "$response" "Record Data is Duplicated"; then + elif _contains "$response" "Record Data is duplicate"; then _info "Already exists, OK" return 0 else From bd2d0e6ad3c9dfad76cfe30e79d845fc62c8e228 Mon Sep 17 00:00:00 2001 From: beartom <369622765@qq.com> Date: Mon, 28 Nov 2022 20:59:10 +0800 Subject: [PATCH 135/209] Format Format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 3f36a56e..6b299f3a 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -185,7 +185,7 @@ truenas_deploy() { fi -_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" if _exists jq; then _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") From 5a0225d03365d1bc36c4c18570d28d2ef97cc99e Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Tue, 29 Nov 2022 12:21:49 +0330 Subject: [PATCH 136/209] Fix export problem for special values --- .github/workflows/DNS.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 17e98ae3..55dec225 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -121,19 +121,19 @@ jobs: - name: Run acmetest run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh From 257de15c738d05780321fd5131671e59e1294931 Mon Sep 17 00:00:00 2001 From: Arash Hatami Date: Tue, 29 Nov 2022 13:45:04 +0330 Subject: [PATCH 137/209] Fix export problems --- .github/workflows/DNS.yml | 60 +++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 55dec225..615e5d8b 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -184,19 +184,19 @@ jobs: shell: bash run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -234,19 +234,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -285,19 +285,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -337,19 +337,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -389,19 +389,19 @@ jobs: copyback: false run: | if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh @@ -445,19 +445,19 @@ jobs: pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH if [ "${{ secrets.TokenName1}}" ] ; then - export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" fi if [ "${{ secrets.TokenName2}}" ] ; then - export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}} + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" fi if [ "${{ secrets.TokenName3}}" ] ; then - export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}} + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" fi if [ "${{ secrets.TokenName4}}" ] ; then - export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}} + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" fi if [ "${{ secrets.TokenName5}}" ] ; then - export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}} + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" fi cd ../acmetest ./letest.sh From 7d13146859552faf630205072a1fe337476436ba Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 29 Nov 2022 21:39:06 +0100 Subject: [PATCH 138/209] Added dns provider for ipv64.net --- dnsapi/dns_ipv64.sh | 150 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100755 dnsapi/dns_ipv64.sh diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh new file mode 100755 index 00000000..90207ba6 --- /dev/null +++ b/dnsapi/dns_ipv64.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env sh + +#Created by Roman Lumetsberger, to use ipv64.net's API to add/remove text records +#2022/11/29 + +# Pass credentials before "acme.sh --issue --dns dns_ipv64 ..." +# -- +# export IPv64_Token="aaaaaaaaaaaaaaaaaaaaaaaaaa" +# -- +# + +IPv64_API="https://ipv64.net/api" + +######## Public functions ###################### + +#Usage: dns_ipv64_add _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ipv64_add() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + # Now save the credentials. + _saveaccountconf_mutable IPv64_Token "$IPv64_Token" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Now add the TXT record + _info "Trying to add TXT record" + if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully added." + return 0 + else + _err "Errors happened during adding the TXT record, response=$_response" + return 1 + fi + +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_ipv64_rm() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Now delete the TXT record + _info "Trying to delete TXT record" + if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully deleted." + return 0 + else + _err "Errors happened during deleting the TXT record, response=$_response" + return 1 + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=1 + p=1 + + _ipv64_get "get_domains" + domain_data=$_response + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + #if _contains "$domain_data" "\""$h"\"\:"; then + if _contains "$domain_data" "\"""$h""\"\:"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +#send get request to api +# $1 has to set the api-function +_ipv64_get() { + url="$IPv64_API?$1" + export _H1="Authorization: Bearer $IPv64_Token" + + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + fi +} + +_ipv64_rest() { + url="$IPv64_API" + export _H1="Authorization: Bearer $IPv64_Token" + export _H2="Content-Type: application/x-www-form-urlencoded" + _response=$(_post "$2" "$url" "" "$1") + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_post "$2" "$url" "" "$1") + fi + + if ! _contains "$_response" "\"info\":\"success\""; then + return 1 + fi + _debug2 response "$_response" + return 0 +} From 91e387e8b9deae01b4a7dd45c70c08bf35ee3574 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Wed, 30 Nov 2022 08:55:27 +0100 Subject: [PATCH 139/209] added doc for dns_ipv64_rm --- dnsapi/dns_ipv64.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 90207ba6..9979be42 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -49,6 +49,7 @@ dns_ipv64_add() { } #Usage: fulldomain txtvalue +#Usage: dns_ipv64_rm _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" #Remove the txt record after validation. dns_ipv64_rm() { fulldomain=$1 From a2af26635fe679af3892deffc671abe93c5f0b38 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 4 Dec 2022 15:05:30 +0800 Subject: [PATCH 140/209] use ecc cert --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 0b5c1614..62add812 100755 --- a/acme.sh +++ b/acme.sh @@ -2857,7 +2857,8 @@ _initpath() { DOMAIN_PATH="$domainhomeecc" else if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then - _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert." + _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." + DOMAIN_PATH="$domainhomeecc" fi fi _debug DOMAIN_PATH "$DOMAIN_PATH" From 160513c67189b252434ddc52346a0d58843d004a Mon Sep 17 00:00:00 2001 From: Zachary Peschke Date: Fri, 9 Dec 2022 09:47:19 -0700 Subject: [PATCH 141/209] Minor grammar fixes for gd --- dnsapi/dns_gd.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_gd.sh b/dnsapi/dns_gd.sh index 44c3d279..1729115e 100755 --- a/dnsapi/dns_gd.sh +++ b/dnsapi/dns_gd.sh @@ -22,8 +22,8 @@ dns_gd_add() { if [ -z "$GD_Key" ] || [ -z "$GD_Secret" ]; then GD_Key="" GD_Secret="" - _err "You don't specify godaddy api key and secret yet." - _err "Please create you key and try again." + _err "You didn't specify godaddy api key and secret yet." + _err "Please create your key and try again." return 1 fi @@ -46,7 +46,7 @@ dns_gd_add() { fi if _contains "$response" "$txtvalue"; then - _info "The record is existing, skip" + _info "This record already exists, skipping" return 0 fi From 764a4c99fac9f59f79638648d0499ef2e293ead5 Mon Sep 17 00:00:00 2001 From: plummer86 Date: Sun, 18 Dec 2022 22:32:49 +0000 Subject: [PATCH 142/209] Fix assignment to _wget_out --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d6d8e48c..02bc041c 100755 --- a/acme.sh +++ b/acme.sh @@ -2058,7 +2058,7 @@ _get() { fi _debug "_WGET" "$_WGET" if [ "$onlyheader" ]; then - _wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" + _wget_out="$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" if _contains "$_WGET" " -d "; then # Demultiplex wget debug output echo "$_wget_out" >&2 From 0cafc00c4fdac30032168450d97b468c23199f3c Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:22:12 +0800 Subject: [PATCH 143/209] append --fail-with-body argument to curl if supported --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index f4afa397..5d80399f 100755 --- a/acme.sh +++ b/acme.sh @@ -1855,6 +1855,11 @@ _inithttp() { if _contains "$(curl --help 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi + + #from curl 7.76: return fail on HTTP errors but keep the body + if [ "$_ACME_CURL" ] && _contains "$($_ACME_CURL --help http)" "--fail-with-body"; then + _ACME_CURL="$_ACME_CURL --fail-with-body " + fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From 057c95bd1c0ebcfb30d0ab36aa267fcc544a87f7 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:24:34 +0800 Subject: [PATCH 144/209] improve `wget --content-on-error` condition --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 5d80399f..45dda74f 100755 --- a/acme.sh +++ b/acme.sh @@ -1877,11 +1877,11 @@ _inithttp() { elif [ "$CA_BUNDLE" ]; then _ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE " fi - fi - #from wget 1.14: do not skip body on 404 error - if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--content-on-error"; then - _ACME_WGET="$_ACME_WGET --content-on-error " + #from wget 1.14: do not skip body on 404 error + if _contains "$(wget --help 2>&1)" "--content-on-error"; then + _ACME_WGET="$_ACME_WGET --content-on-error " + fi fi __HTTP_INITIALIZED=1 From 7154c9ee5dd07d29d85a949e4853d3482333a360 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 17:42:27 +0800 Subject: [PATCH 145/209] improve `curl --help` predication --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 45dda74f..999ef563 100755 --- a/acme.sh +++ b/acme.sh @@ -1852,12 +1852,12 @@ _inithttp() { _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi - if _contains "$(curl --help 2>&1)" "--globoff"; then + if _contains "$(curl --help curl 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi #from curl 7.76: return fail on HTTP errors but keep the body - if [ "$_ACME_CURL" ] && _contains "$($_ACME_CURL --help http)" "--fail-with-body"; then + if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then _ACME_CURL="$_ACME_CURL --fail-with-body " fi fi From fe1bfe9ae16b03e6647f47ee62809ed8641bf51c Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 16:34:18 +0800 Subject: [PATCH 146/209] improve vault and vault_api deployhooks --- deploy/vault.sh | 75 +++++++++++++++++++++++++++++++++++++-------- deploy/vault_cli.sh | 43 +++++++++++++++++++++++++- 2 files changed, 105 insertions(+), 13 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 399abaee..2e4d0702 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -7,13 +7,16 @@ # # VAULT_PREFIX - this contains the prefix path in vault # VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying +# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine # # additionally, you need to ensure that VAULT_TOKEN is avialable # to access the vault server #returns 0 means success, otherwise error. -######## Public functions ##################### +######## Public functions ##################### #domain keyfile certfile cafile fullchain vault_deploy() { @@ -45,6 +48,24 @@ vault_deploy() { fi _savedeployconf VAULT_ADDR "$VAULT_ADDR" + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_KV_V2 + _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi + # JSON does not allow multiline strings. # So replacing new-lines with "\n" here _ckey=$(sed -z 's/\n/\\n/g' <"$2") @@ -52,26 +73,56 @@ vault_deploy() { _cca=$(sed -z 's/\n/\\n/g' <"$4") _cfullchain=$(sed -z 's/\n/\\n/g' <"$5") - URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" export _H1="X-Vault-Token: $VAULT_TOKEN" + if [ -n "$VAULT_RENEW_TOKEN" ]; then + URL="$VAULT_ADDR/v1/auth/token/renew-self" + _info "Renew the token to default TTL" + if ! _post "" "$URL" >/dev/null; then + _err "Failed to renew the token" + return 1 + fi + fi + + URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" + if [ -n "$FABIO" ]; then + _info "Writing certificate and key to $URL in Fabio mode" if [ -n "$VAULT_KV_V2" ]; then - _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" + _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 else - _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" + _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1 fi else if [ -n "$VAULT_KV_V2" ]; then - _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" - _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" - _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" - _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" + _info "Writing certificate to $URL/cert.pem" + _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1 else - _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" - _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" - _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" - _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" + _info "Writing certificate to $URL/cert.pem" + _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1 + fi + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if _get "$URL/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + if [ -n "$VAULT_KV_V2" ]; then + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1 + else + _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1 + fi fi fi diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index cbb8cc59..da6fe093 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -8,6 +8,8 @@ # # VAULT_PREFIX - this contains the prefix path in vault # VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying # # additionally, you need to ensure that VAULT_TOKEN is avialable or # `vault auth` has applied the appropriate authorization for the vault binary @@ -33,15 +35,34 @@ vault_cli_deploy() { _debug _cfullchain "$_cfullchain" # validate required env vars + _getdeployconf VAULT_PREFIX if [ -z "$VAULT_PREFIX" ]; then _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)" return 1 fi + _savedeployconf VAULT_PREFIX "$VAULT_PREFIX" + _getdeployconf VAULT_ADDR if [ -z "$VAULT_ADDR" ]; then _err "VAULT_ADDR needs to be defined (contains vault connection address)" return 1 fi + _savedeployconf VAULT_ADDR "$VAULT_ADDR" + + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi VAULT_CMD=$(command -v vault) if [ ! $? ]; then @@ -49,13 +70,33 @@ vault_cli_deploy() { return 1 fi + if [ -n "$VAULT_RENEW_TOKEN" ]; then + _info "Renew the token to default TTL" + if ! $VAULT_CMD token renew; then + _err "Failed to renew the token" + return 1 + fi + fi + if [ -n "$FABIO" ]; then + _info "Writing certificate and key to $URL in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else + _info "Writing certificate to $URL/cert.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 + _info "Writing key to $URL/cert.key" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 - $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + _info "Writing CA certificate to $URL/ca.pem" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + fi fi } From b8d0d3c2429e2f33dceb9c94ad8e5273762be72a Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 19:17:37 +0800 Subject: [PATCH 147/209] improve chain.pem exists evaluating --- deploy/vault.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 2e4d0702..6c953fc6 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -115,7 +115,7 @@ vault_deploy() { fi # To make it compatible with the wrong ca path `chain.pem` which was used in former versions - if _get "$URL/chain.pem" >/dev/null; then + if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" _info "Updating CA certificate to $URL/chain.pem for backward compatibility" if [ -n "$VAULT_KV_V2" ]; then From ed63eb6833ab288b2a963255875bf9df99e39c79 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 23 Dec 2022 19:32:06 +0800 Subject: [PATCH 148/209] migrate FABIO to VAULT_FABIO_MODE and persist it --- deploy/vault.sh | 4 +++- deploy/vault_cli.sh | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 6c953fc6..30e825eb 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -66,6 +66,8 @@ vault_deploy() { _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" fi + _migratedeployconf FABIO VAULT_FABIO_MODE + # JSON does not allow multiline strings. # So replacing new-lines with "\n" here _ckey=$(sed -z 's/\n/\\n/g' <"$2") @@ -86,7 +88,7 @@ vault_deploy() { URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" - if [ -n "$FABIO" ]; then + if [ -n "$VAULT_FABIO_MODE" ]; then _info "Writing certificate and key to $URL in Fabio mode" if [ -n "$VAULT_KV_V2" ]; then _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index da6fe093..ecbffd23 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -64,6 +64,8 @@ vault_cli_deploy() { _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" fi + _migratedeployconf FABIO VAULT_FABIO_MODE + VAULT_CMD=$(command -v vault) if [ ! $? ]; then _err "cannot find vault binary!" @@ -78,7 +80,7 @@ vault_cli_deploy() { fi fi - if [ -n "$FABIO" ]; then + if [ -n "$VAULT_FABIO_MODE" ]; then _info "Writing certificate and key to $URL in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else From 7b623f85cd9dcf49958b0431d397ff75bda2a189 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 26 Dec 2022 21:43:02 +0800 Subject: [PATCH 149/209] minor --- .github/workflows/NetBSD.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 33bcf23c..25872c42 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -61,7 +61,6 @@ jobs: nat: | "8080": "80" prepare: | - export PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/" pkg_add curl socat usesh: true copyback: false From a2c64e79ff1b597b15d7bf7cb17aa627e7b7eb3f Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 26 Dec 2022 22:28:08 +0800 Subject: [PATCH 150/209] fix for openbsd --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index f4afa397..d8a46a6f 100755 --- a/acme.sh +++ b/acme.sh @@ -1637,7 +1637,7 @@ _stat() { #keyfile _isRSA() { keyfile=$1 - if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" >/dev/null 2>&1; then + if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text 2>&1 | grep "^publicExponent:" 2>&1 >/dev/null; then return 0 fi return 1 @@ -1646,7 +1646,7 @@ _isRSA() { #keyfile _isEcc() { keyfile=$1 - if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" >/dev/null 2>&1; then + if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" 2>&1 >/dev/null; then return 0 fi return 1 @@ -1744,7 +1744,7 @@ _calcjwk() { _debug3 x64 "$x64" xend=$(_math "$xend" + 1) - y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)" + y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-2048)" _debug3 y "$y" y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)" From 1ccfa96c2e2c78aaca1ba92549e62b9f52fa9461 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Wed, 28 Dec 2022 02:47:49 +0800 Subject: [PATCH 151/209] improve logging --- deploy/vault.sh | 4 ++-- deploy/vault_cli.sh | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/vault.sh b/deploy/vault.sh index 30e825eb..569faba2 100644 --- a/deploy/vault.sh +++ b/deploy/vault.sh @@ -79,9 +79,9 @@ vault_deploy() { if [ -n "$VAULT_RENEW_TOKEN" ]; then URL="$VAULT_ADDR/v1/auth/token/renew-self" - _info "Renew the token to default TTL" + _info "Renew the Vault token to default TTL" if ! _post "" "$URL" >/dev/null; then - _err "Failed to renew the token" + _err "Failed to renew the Vault token" return 1 fi fi diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh index ecbffd23..3ebb8074 100644 --- a/deploy/vault_cli.sh +++ b/deploy/vault_cli.sh @@ -73,30 +73,30 @@ vault_cli_deploy() { fi if [ -n "$VAULT_RENEW_TOKEN" ]; then - _info "Renew the token to default TTL" + _info "Renew the Vault token to default TTL" if ! $VAULT_CMD token renew; then - _err "Failed to renew the token" + _err "Failed to renew the Vault token" return 1 fi fi if [ -n "$VAULT_FABIO_MODE" ]; then - _info "Writing certificate and key to $URL in Fabio mode" + _info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 else - _info "Writing certificate to $URL/cert.pem" + _info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 - _info "Writing key to $URL/cert.key" + _info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 - _info "Writing CA certificate to $URL/ca.pem" + _info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 - _info "Writing full-chain certificate to $URL/fullchain.pem" + _info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 # To make it compatible with the wrong ca path `chain.pem` which was used in former versions if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" - _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + _info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility" $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 fi fi From 27f30631ed48636a02aeb4cbe67de8a68e0e3615 Mon Sep 17 00:00:00 2001 From: Gavin Leo Date: Sun, 27 Nov 2022 21:32:20 +0800 Subject: [PATCH 152/209] Add gcore dns support. https://apidocs.gcore.com/dns --- dnsapi/dns_gcore.sh | 187 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100755 dnsapi/dns_gcore.sh diff --git a/dnsapi/dns_gcore.sh b/dnsapi/dns_gcore.sh new file mode 100755 index 00000000..d549a650 --- /dev/null +++ b/dnsapi/dns_gcore.sh @@ -0,0 +1,187 @@ +#!/usr/bin/env sh + +# +#GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb' +# + +GCORE_Api="https://api.gcorelabs.com/dns/v2" +GCORE_Doc="https://apidocs.gcore.com/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gcore_add() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + if [ -z "$GCORE_Key" ]; then + GCORE_Key="" + _err "You didn't specify a Gcore api key yet." + _err "You can get yours from here $GCORE_Doc" + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable GCORE_Key "$GCORE_Key" + + _debug "First detect the zone name" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + payload="" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "Record doesn't exists" + payload="{\"resource_records\":[{\"content\":[\"$txtvalue\"],\"enabled\":true}],\"ttl\":120}" + elif echo "$response" | grep "$txtvalue" >/dev/null; then + _info "Already exists, OK" + return 0 + elif echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _info "Record with mismatch txtvalue, try update it" + payload=$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/"meta":{}}]}/"meta":{}},{"content":['\""$txtvalue"\"'],"enabled":true}]}/') + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "rrset is already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_gcore_rm() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + if ! echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _err "Error: $response" + return 1 + fi + + if ! echo "$response" | tr -d " " | grep \""$txtvalue"\" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + count="$(echo "$response" | grep -o "content" | wc -l)" + + if [ "$count" = "1" ]; then + if ! _gcore_rest DELETE "zones/$_zone_name/$fulldomain/TXT"; then + _err "Delete record error. $response" + return 1 + fi + return 0 + fi + + payload="$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/{"id":[0-9]\+,"content":\["'"$txtvalue"'"\],"enabled":true,"meta":{}}//' | sed 's/\[,/\[/' | sed 's/,,/,/' | sed 's/,\]/\]/')" + if ! _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + _err "Delete record error. $response" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.sub.domain.com +#returns +# _sub_domain=_acme-challenge.sub or _acme-challenge +# _domain=domain.com +# _zone_name=domain.com or sub.domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _gcore_rest GET "zones/$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _zone_name=$h + if [ "$_zone_name" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_gcore_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + key_trimmed=$(echo "$GCORE_Key" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: APIKey $key_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$GCORE_Api/$ep" "" "$m")" + else + response="$(_get "$GCORE_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 1bfd3642e829bcd90b5c5e43371f975eb525165e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=B0=E9=9B=AA=E6=AE=87=E7=92=83=E9=99=8C=E6=A2=A6?= Date: Thu, 19 Jan 2023 10:19:05 +0800 Subject: [PATCH 153/209] Update gcore_cdn.sh --- deploy/gcore_cdn.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/deploy/gcore_cdn.sh b/deploy/gcore_cdn.sh index f573a3aa..fd17cc25 100644 --- a/deploy/gcore_cdn.sh +++ b/deploy/gcore_cdn.sh @@ -1,10 +1,11 @@ #!/usr/bin/env sh -# Here is the script to deploy the cert to G-Core CDN service (https://gcorelabs.com/ru/) using the G-Core Labs API (https://docs.gcorelabs.com/cdn/). +# Here is the script to deploy the cert to G-Core CDN service (https://gcore.com/) using the G-Core Labs API (https://apidocs.gcore.com/cdn). # Returns 0 when success. # # Written by temoffey # Public domain, 2019 +# Update by DreamOfIce in 2023 #export DEPLOY_GCORE_CDN_USERNAME=myusername #export DEPLOY_GCORE_CDN_PASSWORD=mypassword @@ -56,7 +57,7 @@ gcore_cdn_deploy() { _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}" _debug _request "$_request" export _H1="Content-Type:application/json" - _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login") + _response=$(_post "$_request" "https://api.gcore.com/auth/jwt/login") _debug _response "$_response" _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$" _debug _regex "$_regex" @@ -69,8 +70,8 @@ gcore_cdn_deploy() { fi _info "Find CDN resource with cname $_cdomain" - export _H2="Authorization:Token $_token" - _response=$(_get "https://api.gcdn.co/resources") + export _H2="Authorization:Bearer $_token" + _response=$(_get "https://api.gcore.com/cdn/resources") _debug _response "$_response" _regex="\"primary_resource\":null}," _debug _regex "$_regex" @@ -102,7 +103,7 @@ gcore_cdn_deploy() { _date=$(date "+%d.%m.%Y %H:%M:%S") _request="{\"name\":\"$_cdomain ($_date)\",\"sslCertificate\":\"$_fullchain\",\"sslPrivateKey\":\"$_key\"}" _debug _request "$_request" - _response=$(_post "$_request" "https://api.gcdn.co/sslData") + _response=$(_post "$_request" "https://api.gcore.com/cdn/sslData") _debug _response "$_response" _regex=".*\"id\":\([0-9]*\).*$" _debug _regex "$_regex" @@ -117,7 +118,7 @@ gcore_cdn_deploy() { _info "Update CDN resource" _request="{\"originGroup\":$_originGroup,\"sslData\":$_sslDataAdd}" _debug _request "$_request" - _response=$(_post "$_request" "https://api.gcdn.co/resources/$_resourceId" '' "PUT") + _response=$(_post "$_request" "https://api.gcore.com/cdn/resources/$_resourceId" '' "PUT") _debug _response "$_response" _regex=".*\"sslData\":\([0-9]*\).*$" _debug _regex "$_regex" @@ -133,7 +134,7 @@ gcore_cdn_deploy() { _info "Not found old SSL certificate" else _info "Delete old SSL certificate" - _response=$(_post '' "https://api.gcdn.co/sslData/$_sslDataOld" '' "DELETE") + _response=$(_post '' "https://api.gcore.com/cdn/sslData/$_sslDataOld" '' "DELETE") _debug _response "$_response" fi From 7bbdd1f839c2bb1556a81b97636730f788457947 Mon Sep 17 00:00:00 2001 From: Vladislav Sharapov Date: Fri, 20 Jan 2023 23:43:15 +0400 Subject: [PATCH 154/209] fix(dns_openstack): fix argparse error Add equal sign to '--record' option to fix argparse error occurring when ACME token starts with '-'. --- dnsapi/dns_openstack.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_openstack.sh b/dnsapi/dns_openstack.sh index 38619e6f..fcc1dc2e 100755 --- a/dnsapi/dns_openstack.sh +++ b/dnsapi/dns_openstack.sh @@ -57,16 +57,16 @@ _dns_openstack_create_recordset() { if [ -z "$_recordset_id" ]; then _info "Creating a new recordset" - if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record "$txtvalue" "$_zone_id" "$fulldomain."); then + if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record="$txtvalue" "$_zone_id" "$fulldomain."); then _err "No recordset ID found after create" return 1 fi else _info "Updating existing recordset" - # Build new list of --record args for update - _record_args="--record $txtvalue" + # Build new list of --record= args for update + _record_args="--record=$txtvalue" for _rec in $_records; do - _record_args="$_record_args --record $_rec" + _record_args="$_record_args --record=$_rec" done # shellcheck disable=SC2086 if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then @@ -107,13 +107,13 @@ _dns_openstack_delete_recordset() { fi else _info "Found existing records, updating recordset" - # Build new list of --record args for update + # Build new list of --record= args for update _record_args="" for _rec in $_records; do if [ "$_rec" = "$txtvalue" ]; then continue fi - _record_args="$_record_args --record $_rec" + _record_args="$_record_args --record=$_rec" done # shellcheck disable=SC2086 if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then From bf50fce5bd2bcd58582e6768350de96aeb881d90 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 15:17:21 +0800 Subject: [PATCH 155/209] fix https://github.com/acmesh-official/acme.sh/issues/4470 --- acme.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index d8a46a6f..7683495b 100755 --- a/acme.sh +++ b/acme.sh @@ -2386,12 +2386,14 @@ _getdeployconf() { if [ "$_rac_value" ]; then if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then _debug2 "trim quotation marks" - eval "export $_rac_key=$_rac_value" + eval $_rac_key=$_rac_value + export $_rac_key fi return 0 # do nothing fi - _saved=$(_readdomainconf "SAVED_$_rac_key") - eval "export $_rac_key=\"\$_saved\"" + _saved="$(_readdomainconf "SAVED_$_rac_key")" + eval $_rac_key="$_saved" + export $_rac_key } #_saveaccountconf key value base64encode From 6c0a7144f677a0d3cc14c45e91c1104191e0dbe2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 15:45:25 +0800 Subject: [PATCH 156/209] fix https://github.com/acmesh-official/acme.sh/issues/4445 --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 7683495b..cfef7ee6 100755 --- a/acme.sh +++ b/acme.sh @@ -7122,7 +7122,9 @@ _selectServer() { _getCAShortName() { caurl="$1" if [ -z "$caurl" ]; then - caurl="$DEFAULT_CA" + #use letsencrypt as default value if the Le_API is empty + #this case can only come from the old upgrading. + caurl="$CA_LETSENCRYPT_V2" fi if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then caurl="$CA_SSLCOM_RSA" #just hack to get the short name From b99c9980576a72c776e37aedaaea3ebd2f9e8f5d Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:13:42 +0800 Subject: [PATCH 157/209] fix https://github.com/acmesh-official/acme.sh/issues/4463 --- acme.sh | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index cfef7ee6..c6c16056 100755 --- a/acme.sh +++ b/acme.sh @@ -6730,6 +6730,13 @@ _send_notify() { return 0 fi + _nsource="$NOTIFY_SOURCE" + if [ -z "$_nsource" ]; then + _nsource="$(hostname)" + fi + + _nsubject="$_nsubject by $_nsource" + _send_err=0 for _n_hook in $(echo "$_nhooks" | tr ',' " "); do _n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")" @@ -6784,11 +6791,12 @@ setnotify() { _nhook="$1" _nlevel="$2" _nmode="$3" + _nsource="$4" _initpath if [ -z "$_nhook$_nlevel$_nmode" ]; then - _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>]" + _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" _usage "$_NOTIFY_WIKI" return 1 fi @@ -6805,6 +6813,12 @@ setnotify() { _saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE" fi + if [ "$_nsource" ]; then + _info "Set notify source to: $_nsource" + export "NOTIFY_SOURCE=$_nsource" + _saveaccountconf "NOTIFY_SOURCE" "$NOTIFY_SOURCE" + fi + if [ "$_nhook" ]; then _info "Set notify hook to: $_nhook" if [ "$_nhook" = "$NO_VALUE" ]; then @@ -6965,6 +6979,7 @@ Parameters: 0: Bulk mode. Send all the domain's notifications in one message(mail). 1: Cert mode. Send a message for every single cert. --notify-hook Set the notify hook + --notify-source Set the server name in the notification message --revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command. See: $_REVOKE_WIKI @@ -7241,6 +7256,7 @@ _process() { _notify_hook="" _notify_level="" _notify_mode="" + _notify_source="" _revoke_reason="" _eab_kid="" _eab_hmac_key="" @@ -7733,6 +7749,15 @@ _process() { _notify_mode="$_nmode" shift ;; + --notify-source) + _nsource="$2" + if _startswith "$_nsource" "-"; then + _err "'$_nsource' is not valid host name for '$1'" + return 1 + fi + _notify_source="$_nsource" + shift + ;; --revoke-reason) _revoke_reason="$2" if _startswith "$_revoke_reason" "-"; then @@ -7887,7 +7912,7 @@ _process() { createCSR "$_domain" "$_altdomains" "$_ecc" ;; setnotify) - setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" + setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" "$_notify_source" ;; setdefaultca) setdefaultca From ab2305e259e1e0854ce096a6f84d6a82045f1137 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:42:10 +0800 Subject: [PATCH 158/209] fix stepca --- .github/workflows/Ubuntu.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index a6ec714c..df1a816b 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -80,8 +80,9 @@ jobs: -p 9000:9000 \ -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ + -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ --name stepca \ - smallstep/step-ca \ + smallstep/step-ca:0.23.1 \ && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" From 015a9b9271c956255879eb3320c9f99602056c22 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 16:45:12 +0800 Subject: [PATCH 159/209] fix notify --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index c6c16056..74a855f9 100755 --- a/acme.sh +++ b/acme.sh @@ -6795,7 +6795,7 @@ setnotify() { _initpath - if [ -z "$_nhook$_nlevel$_nmode" ]; then + if [ -z "$_nhook$_nlevel$_nmode$_nsource" ]; then _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" _usage "$_NOTIFY_WIKI" return 1 From deb63b4adfe09f6603654d59a8c6ecc2af34e506 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 17:58:46 +0800 Subject: [PATCH 160/209] fix stepca --- .github/workflows/Ubuntu.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index df1a816b..22c8b2c5 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -81,9 +81,13 @@ jobs: -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ + -e "DOCKER_STEPCA_INIT_PASSWORD=test" \ --name stepca \ - smallstep/step-ca:0.23.1 \ - && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \ + smallstep/step-ca:0.23.1 + + sleep 5 + docker exec stepca bash -c "echo test >test" + docker exec -it stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" - name: Clone acmetest From 6748c55c04109099c3755313801e8503615364d5 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 24 Jan 2023 18:00:09 +0800 Subject: [PATCH 161/209] fix stepca --- .github/workflows/Ubuntu.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml index 22c8b2c5..4bf2ba29 100644 --- a/.github/workflows/Ubuntu.yml +++ b/.github/workflows/Ubuntu.yml @@ -86,8 +86,8 @@ jobs: smallstep/step-ca:0.23.1 sleep 5 - docker exec stepca bash -c "echo test >test" - docker exec -it stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ + docker exec stepca bash -c "echo test >test" \ + && docker exec stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ && docker exec stepca kill -1 1 \ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" - name: Clone acmetest From 16bdc7d0a33a791e6629a4cb38e6b8ff6b6908d0 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 27 Jan 2023 11:44:06 +0800 Subject: [PATCH 162/209] fix from OpenAI https://github.com/acmesh-official/acme.sh/issues/992 https://github.com/acmesh-official/acme.sh/pull/2609 --- Dockerfile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 79fd1d89..7b50f080 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16.3 +FROM alpine:3.17 RUN apk --no-cache add -f \ openssl \ @@ -12,7 +12,8 @@ RUN apk --no-cache add -f \ oath-toolkit-oathtool \ tar \ libidn \ - jq + jq \ + cronie ENV LE_CONFIG_HOME /acme.sh @@ -64,12 +65,10 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - trap \"echo stop && killall crond && exit 0\" SIGTERM SIGINT \n \ - crond && sleep infinity &\n \ - wait \n \ + exec crond -n \n \ else \n \ exec -- \"\$@\"\n \ -fi" >/entry.sh && chmod +x /entry.sh +fi\n" >/entry.sh && chmod +x /entry.sh VOLUME /acme.sh From 5a59c3903650672d05cfc6ffdbf4d3bfae1b0c3a Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:24:21 +0800 Subject: [PATCH 163/209] fix format --- deploy/truenas.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 6b299f3a..60dbb1b5 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -184,22 +184,21 @@ truenas_deploy() { _info "S3 certificate is not configured or is not the same as TrueNAS web UI" fi - _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" if _exists jq; then _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") - _related_name_list=$(printf "%s" $_release_list | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" for i in $(seq 0 $((_release_length-1))); do - _release_name=$(echo $_related_name_list | jq -r ".[$i]") + _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration - _chart_config=$(printf "%s" $_release_list | jq -r ".[] | select(.name==\"$_release_name\")") + _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress - _updated_chart_config=$(printf "%s" $_chart_config | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" _debug3 _update_chart_result "$_update_chart_result" done @@ -207,7 +206,6 @@ truenas_deploy() { _info "Tool 'jq' does not exists, skip chart release checking" fi - _info "Deleting old certificate" _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" From 41b6f18a5d1b7805dc5c56ecb7abc2baa9a852f8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:25:50 +0800 Subject: [PATCH 164/209] fix format --- deploy/truenas.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 60dbb1b5..f9e540f7 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -191,14 +191,13 @@ truenas_deploy() { _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" - for i in $(seq 0 $((_release_length-1))); - do + for i in $(seq 0 $((_release_length-1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress - _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress " ) + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress ") _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" _debug3 _update_chart_result "$_update_chart_result" done From e3b688c9d87d74a493a189c874c1c3c6864b503d Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:26:54 +0800 Subject: [PATCH 165/209] fix format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index f9e540f7..88b24684 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -191,7 +191,7 @@ truenas_deploy() { _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") _release_length=$(printf "%s" $_related_name_list | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" - for i in $(seq 0 $((_release_length-1))); do + for i in $(seq 0 $((_release_length - 1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" #Read the chart release configuration From 2690c05781096875af7a30efd31c37a38ff8d84e Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 15:28:06 +0800 Subject: [PATCH 166/209] fix format --- deploy/truenas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas.sh b/deploy/truenas.sh index 88b24684..c79e6dac 100644 --- a/deploy/truenas.sh +++ b/deploy/truenas.sh @@ -189,7 +189,7 @@ truenas_deploy() { _info "Query all chart release" _release_list=$(_get "$_api_url/chart/release") _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") - _release_length=$(printf "%s" $_related_name_list | jq -r "length") + _release_length=$(printf "%s" "$_related_name_list" | jq -r "length") _info "Found $_release_length related chart release in list: $_related_name_list" for i in $(seq 0 $((_release_length - 1))); do _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") From aa9cbf7c551dfe75bc6b806c101ab004afe7b759 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 16:18:27 +0800 Subject: [PATCH 167/209] fix https://github.com/acmesh-official/acme.sh/issues/992 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7b50f080..d9c243b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -65,7 +65,7 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - exec crond -n \n \ + exec crond -n -s -m off \n \ else \n \ exec -- \"\$@\"\n \ fi\n" >/entry.sh && chmod +x /entry.sh From 01249d0cb9a43c528cb1e410ee50b68e292a4a0d Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 16:24:27 +0800 Subject: [PATCH 168/209] fix warning --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index bd2c01aa..e60d6f7f 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -28,9 +28,9 @@ jobs: id: step_one run: | if [ "$DOCKER_PASSWORD" ] ; then - echo "::set-output name=hasToken::true" + echo "hasToken=true" >>$GITHUB_OUTPUT else - echo "::set-output name=hasToken::false" + echo "hasToken=false" >>$GITHUB_OUTPUT fi - name: Check the value run: echo ${{ steps.step_one.outputs.hasToken }} From a5b04a032896d92e2cd96d75d159e7471b0f7cb0 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Sat, 28 Jan 2023 17:19:04 +0800 Subject: [PATCH 169/209] ensure `curl --help` backward compatible --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 999ef563..c8a62f1d 100755 --- a/acme.sh +++ b/acme.sh @@ -1852,7 +1852,7 @@ _inithttp() { _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi - if _contains "$(curl --help curl 2>&1)" "--globoff"; then + if _contains "$(curl --help 2>&1)" "--globoff" || _contains "$(curl --help curl 2>&1)" "--globoff"; then _ACME_CURL="$_ACME_CURL -g " fi From ba9d146d6c615ab5ec4ede949602880246d17d05 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 28 Jan 2023 17:29:03 +0800 Subject: [PATCH 170/209] fix https://github.com/acmesh-official/acme.sh/issues/992 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d9c243b8..2ad50e6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,7 +26,7 @@ COPY ./ /install_acme.sh/ RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/ -RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null##' | crontab - +RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab - RUN for verb in help \ version \ From f537c606f730318021d6f297b59d6314ad9702e7 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 29 Jan 2023 11:13:23 +0800 Subject: [PATCH 171/209] fix warnings --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index e60d6f7f..48c44429 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -43,9 +43,9 @@ jobs: - name: checkout code uses: actions/checkout@v3 - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: login to docker hub run: | echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin From c2344f3717d1c5d57a207c7cca2a60f97d4b48bf Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 30 Jan 2023 14:39:03 +0800 Subject: [PATCH 172/209] add log for doh https://github.com/acmesh-official/acme.sh/issues/4481 --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 53387117..cd509cbc 100755 --- a/acme.sh +++ b/acme.sh @@ -4023,7 +4023,7 @@ _ns_purge_cf() { #checks if cf server is available _ns_is_available_cf() { - if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then + if _get "https://cloudflare-dns.com" "" 10 >/dev/null; then return 0 else return 1 @@ -4031,7 +4031,7 @@ _ns_is_available_cf() { } _ns_is_available_google() { - if _get "https://dns.google" "" 1 >/dev/null 2>&1; then + if _get "https://dns.google" "" 10 >/dev/null; then return 0 else return 1 @@ -4047,7 +4047,7 @@ _ns_lookup_google() { } _ns_is_available_ali() { - if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then + if _get "https://dns.alidns.com" "" 10 >/dev/null; then return 0 else return 1 @@ -4063,7 +4063,7 @@ _ns_lookup_ali() { } _ns_is_available_dp() { - if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then + if _get "https://doh.pub" "" 10 >/dev/null; then return 0 else return 1 From 7b5d94d0622e2fde9cacf7a18f578dabb5f559c9 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 31 Jan 2023 11:10:42 +0100 Subject: [PATCH 173/209] convert domain and subdomain to lower case --- dnsapi/dns_ipv64.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 9979be42..afa6df5a 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -36,6 +36,10 @@ dns_ipv64_add() { _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" + # convert to lower case + _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') + _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') + # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -70,6 +74,10 @@ dns_ipv64_rm() { _debug _sub_domain "$_sub_domain" _debug _domain "$_domain" + # convert to lower case + _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') + _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') + # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From 553d861b8ae823f624a41979aec7965cbaefe921 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Tue, 31 Jan 2023 11:17:33 +0100 Subject: [PATCH 174/209] fix shell check and formatting --- dnsapi/dns_ipv64.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index afa6df5a..489df5c9 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,9 +37,8 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') - _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') - + _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" + _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -75,9 +74,8 @@ dns_ipv64_rm() { _debug _domain "$_domain" # convert to lower case - _domain = $(echo "$_domain" | tr '[:upper:]' '[:lower:]') - _sub_domain = $(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]') - + _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" + _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From 59dab6eac746946db8d846ba0edb565b88a22f41 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:55:51 +0800 Subject: [PATCH 175/209] fix https://github.com/acmesh-official/acme.sh/issues/4485#issuecomment-1414022376 https://github.com/acmesh-official/acme.sh/issues/4483#issuecomment-1414460122 --- acme.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index cd509cbc..d9a8ea38 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,10 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi - #from curl 7.76: return fail on HTTP errors but keep the body - if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then - _ACME_CURL="$_ACME_CURL --fail-with-body " - fi + # don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From 3cf8f7874542e31f339a2ee09ab85fac83862b37 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:57:56 +0800 Subject: [PATCH 176/209] fix format --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index d9a8ea38..f512356a 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,11 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi - # don't use --fail-with-body - ##from curl 7.76: return fail on HTTP errors but keep the body - #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then - # _ACME_CURL="$_ACME_CURL --fail-with-body " - #fi +#don't use --fail-with-body +##from curl 7.76: return fail on HTTP errors but keep the body +#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then +# _ACME_CURL="$_ACME_CURL --fail-with-body " +#fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From a5fbf3fb806dd32fda16b7442b28e52dd20b58d8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 3 Feb 2023 09:59:42 +0800 Subject: [PATCH 177/209] fix format --- acme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index f512356a..1df8a053 100755 --- a/acme.sh +++ b/acme.sh @@ -1856,11 +1856,11 @@ _inithttp() { _ACME_CURL="$_ACME_CURL -g " fi -#don't use --fail-with-body -##from curl 7.76: return fail on HTTP errors but keep the body -#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then -# _ACME_CURL="$_ACME_CURL --fail-with-body " -#fi + #don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi fi if [ -z "$_ACME_WGET" ] && _exists "wget"; then From d6cf15368a3ee70845cd49b41dda0234bd04e1a8 Mon Sep 17 00:00:00 2001 From: Aleksandr Kunin Date: Wed, 24 Aug 2022 08:41:54 +0700 Subject: [PATCH 178/209] Vultr DNS: fix "grep: repetition-operator operand invalid" on FreeBSD --- dnsapi/dns_vultr.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh index 58f14be1..54e5b6ce 100644 --- a/dnsapi/dns_vultr.sh +++ b/dnsapi/dns_vultr.sh @@ -78,7 +78,7 @@ dns_vultr_rm() { return 1 fi - _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2)" + _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2 | tr -d '"')" _debug _record_id "$_record_id" if [ "$_record_id" ]; then _info "Successfully retrieved the record id for ACME challenge." @@ -116,7 +116,7 @@ _get_root() { return 1 fi - if printf "%s\n" "$response" | grep '^\{.*\}' >/dev/null; then + if printf "%s\n" "$response" | grep -E '^\{.*\}' >/dev/null; then if _contains "$response" "\"domain\":\"$_domain\""; then _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")" return 0 From 05a2eb3df46a3fcbdb59039ed35141a3d38e985e Mon Sep 17 00:00:00 2001 From: dharp Date: Tue, 21 Feb 2023 10:19:07 -0600 Subject: [PATCH 179/209] add additional debug statement for DOMAIN_CONF --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index 1df8a053..76830473 100755 --- a/acme.sh +++ b/acme.sh @@ -5772,6 +5772,7 @@ deploy() { return 1 fi + _debug2 DOMAIN_CONF "$DOMAIN_CONF" . "$DOMAIN_CONF" _savedomainconf Le_DeployHook "$_hooks" From c0639c66087cb25a684dc3862d3c22ab7704bd1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Thu, 23 Feb 2023 23:29:46 +0100 Subject: [PATCH 180/209] Create first version of Nanelo DNS API integration [create dnsapi/dns_nanelo.sh] --- dnsapi/dns_nanelo.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 dnsapi/dns_nanelo.sh diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh new file mode 100644 index 00000000..a3cea3b1 --- /dev/null +++ b/dnsapi/dns_nanelo.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# Official DNS API for Nanelo.com + +# Provide the required API Key like this: +# NANELO_TOKEN="FmD408PdqT1E269gUK57" + +NANELO_API="https://api.nanelo.com/v1/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nanelo_add() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Adding TXT record to ${fulldomain}" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not create resource record, check logs" + _err "${response}" + return 1 +} + +dns_nanelo_rm() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Deleting resource record $fulldomain" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not delete resource record, check logs" + _err "${response}" + return 1 +} From d3fefd223d5b7f9c4f1e43bea85d63ec1e532bdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Fri, 24 Feb 2023 00:01:39 +0100 Subject: [PATCH 181/209] improve output --- dnsapi/dns_nanelo.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index a3cea3b1..2a22ecdb 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -9,7 +9,7 @@ NANELO_API="https://api.nanelo.com/v1/" ######## Public functions ##################### -#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_nanelo_add() { fulldomain=$1 txtvalue=$2 @@ -29,7 +29,7 @@ dns_nanelo_add() { if _contains "${response}" 'success'; then return 0 fi - _err "Could not create resource record, check logs" + _err "Could not create resource record, please check the logs" _err "${response}" return 1 } @@ -53,7 +53,7 @@ dns_nanelo_rm() { if _contains "${response}" 'success'; then return 0 fi - _err "Could not delete resource record, check logs" + _err "Could not delete resource record, please check the logs" _err "${response}" return 1 } From 06e12a30e74042f3ee34a65b1197a3f20ca2adfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Fri, 24 Feb 2023 00:13:21 +0100 Subject: [PATCH 182/209] reduce nanelo dns ttl --- dnsapi/dns_nanelo.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index 2a22ecdb..8ccc8c29 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -25,7 +25,7 @@ dns_nanelo_add() { _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" _info "Adding TXT record to ${fulldomain}" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi @@ -49,7 +49,7 @@ dns_nanelo_rm() { _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" _info "Deleting resource record $fulldomain" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi From 7dd12044dee65b3731d90e838a40afe21cef93a6 Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Sat, 25 Feb 2023 11:18:33 +0000 Subject: [PATCH 183/209] use _lower_case function --- dnsapi/dns_ipv64.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index 489df5c9..b50b8663 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,8 +37,8 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" - _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" + _domain="$(echo "$_domain" | _lower_case')" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now add the TXT record _info "Trying to add TXT record" if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then @@ -74,8 +74,8 @@ dns_ipv64_rm() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | tr '[:upper:]' '[:lower:]')" - _sub_domain="$(echo "$_sub_domain" | tr '[:upper:]' '[:lower:]')" + _domain="$(echo "$_domain" | _lower_case)" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now delete the TXT record _info "Trying to delete TXT record" if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then From df14b153974228d23ffe8396e8f2d32ab488ba9d Mon Sep 17 00:00:00 2001 From: Roman Lumetsberger Date: Sat, 25 Feb 2023 11:22:27 +0000 Subject: [PATCH 184/209] fix quote --- dnsapi/dns_ipv64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ipv64.sh b/dnsapi/dns_ipv64.sh index b50b8663..54470119 100755 --- a/dnsapi/dns_ipv64.sh +++ b/dnsapi/dns_ipv64.sh @@ -37,7 +37,7 @@ dns_ipv64_add() { _debug _domain "$_domain" # convert to lower case - _domain="$(echo "$_domain" | _lower_case')" + _domain="$(echo "$_domain" | _lower_case)" _sub_domain="$(echo "$_sub_domain" | _lower_case)" # Now add the TXT record _info "Trying to add TXT record" From 1522b713da92e1f267208a4a35935e3abc687b15 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 28 Feb 2023 21:08:15 -0500 Subject: [PATCH 185/209] Use grep -E instead of expr expr was printing `expr: warning: '^.*[<>"]': using '^' as the first character of a basic regular expression is not portable;` --- notify/smtp.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/smtp.sh b/notify/smtp.sh index 293c665e..f5ebebca 100644 --- a/notify/smtp.sh +++ b/notify/smtp.sh @@ -169,7 +169,7 @@ _clean_email_header() { # email _email_has_display_name() { _email="$1" - expr "$_email" : '^.*[<>"]' >/dev/null + echo "$_email" | grep -q -E '^.*[<>"]' } ## @@ -249,7 +249,7 @@ _mime_encoded_word() { _text="$1" # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that) _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-" - if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then + if echo "$_text" | grep -q -E "^.*[^$_ascii]"; then # At least one non-ASCII char; convert entire thing to encoded word printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?=" else From 15f96b72390c6137239e73fd81ec9f17fe33f6d1 Mon Sep 17 00:00:00 2001 From: Markus Hoffrogge Date: Thu, 2 Mar 2023 00:02:13 +0100 Subject: [PATCH 186/209] Fix to handle LE overload status 503 appropriately - LE HTTP response status 503 is not an error, it must be handled via sleep and retry - s. https://community.letsencrypt.org/t/new-service-busy-responses-beginning-during-high-load/184174 fixes #4530 --- acme.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/acme.sh b/acme.sh index 1df8a053..af2d0dfb 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,6 +2229,12 @@ _send_signed_request() { _debug3 _body "$_body" fi + if [ "$code" = '503' ]; then + _sleep_overload_retry_sec=3 + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + fi if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." _CACHED_NONCE="" From 982c54b60504eb4cc83f31b651d936d4b04b1d75 Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 2 Mar 2023 18:06:09 +0800 Subject: [PATCH 187/209] fix https://github.com/acmesh-official/acme.sh/issues/4530 --- acme.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index af2d0dfb..a6f3b905 100755 --- a/acme.sh +++ b/acme.sh @@ -2230,7 +2230,11 @@ _send_signed_request() { fi if [ "$code" = '503' ]; then - _sleep_overload_retry_sec=3 + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _sleep_overload_retry_sec=$_retryafter + if [ -z "$_sleep_overload_retry_sec" ]; then + _sleep_overload_retry_sec=5 + fi _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." _sleep $_sleep_overload_retry_sec continue From cb8b341fb4ded4c993c812b40441d3978eb73b0f Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 2 Mar 2023 18:10:38 +0800 Subject: [PATCH 188/209] fix https://github.com/acmesh-official/acme.sh/issues/4530 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index a6f3b905..f5f403ce 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,8 +2229,8 @@ _send_signed_request() { _debug3 _body "$_body" fi - if [ "$code" = '503' ]; then - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ] || [ "$_retryafter" ]; then _sleep_overload_retry_sec=$_retryafter if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 From 20cfc4ac668b1ec360553ef5c86b0edeb0c69a30 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Mar 2023 21:22:17 +0800 Subject: [PATCH 189/209] fix https://github.com/acmesh-official/acme.sh/issues/4535 --- acme.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index f5f403ce..e2006868 100755 --- a/acme.sh +++ b/acme.sh @@ -2873,7 +2873,7 @@ _initpath() { if _isEccKey "$_ilength"; then DOMAIN_PATH="$domainhomeecc" - else + elif [ -z "$__SELECTED_RSA_KEY" ] if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." DOMAIN_PATH="$domainhomeecc" @@ -7518,6 +7518,9 @@ _process() { --keylength | -k) _keylength="$2" shift + if [ "$_keylength" ] && ! _isEccKey "$_keylength"; then + export __SELECTED_RSA_KEY=1 + fi ;; -ak | --accountkeylength) _accountkeylength="$2" From ce629e8e70b6438573b97c4d3ffe2a6c87a4b295 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 4 Mar 2023 21:23:31 +0800 Subject: [PATCH 190/209] fix typo --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e2006868..5d73cdb6 100755 --- a/acme.sh +++ b/acme.sh @@ -2873,7 +2873,7 @@ _initpath() { if _isEccKey "$_ilength"; then DOMAIN_PATH="$domainhomeecc" - elif [ -z "$__SELECTED_RSA_KEY" ] + elif [ -z "$__SELECTED_RSA_KEY" ]; then if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." DOMAIN_PATH="$domainhomeecc" From dde1bab1a83c17ceb69c453741de1b17e5576969 Mon Sep 17 00:00:00 2001 From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:18:15 +0100 Subject: [PATCH 191/209] improve deletion of records --- dnsapi/dns_kas.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh index 053abd21..87025fcf 100755 --- a/dnsapi/dns_kas.sh +++ b/dnsapi/dns_kas.sh @@ -215,7 +215,7 @@ _get_record_id() { return 1 fi - _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" + _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | grep -i "$_txtvalue" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" _debug "[KAS] -> Record Id: " "$_record_id" return 0 } @@ -278,4 +278,4 @@ _callAPI() { response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" _debug2 "[KAS] -> Response" "$response" echo "$response" -} +} \ No newline at end of file From dea8a08b64d8f7b51923bfe2ff01464f032e1928 Mon Sep 17 00:00:00 2001 From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:36:53 +0100 Subject: [PATCH 192/209] added missing new line at EOF --- dnsapi/dns_kas.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_kas.sh b/dnsapi/dns_kas.sh index 87025fcf..1253cf27 100755 --- a/dnsapi/dns_kas.sh +++ b/dnsapi/dns_kas.sh @@ -278,4 +278,4 @@ _callAPI() { response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" _debug2 "[KAS] -> Response" "$response" echo "$response" -} \ No newline at end of file +} From acbd8bce21a0f63cc9bdd4b87b3427355b5a5f5e Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 09:48:13 +0800 Subject: [PATCH 193/209] feat: add retry count for removing record set This avoids infinite loop when something went wrong and throws a error --- dnsapi/dns_huaweicloud.sh | 60 ++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index ceda9258..b1bb61dc 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -98,19 +98,59 @@ dns_huaweicloud_rm() { fi _debug "Zone ID is:" "${zoneid}" + _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}" + ret="$?" + if [ "${ret}" != "0" ]; then + _err "dns_api(dns_huaweicloud): Error removing record." + return 1 + fi + + return 0 +} + +################### Private functions below ################################## + + +# _recursive_rm_record +# remove all records from the record set +# +# _token=$1 +# _domain=$2 +# _zoneid=$3 +# _record_id=$4 +# +# Returns 0 on success +_recursive_rm_record() { + _token=$1 + _domain=$2 + _zoneid=$3 + _record_id=$4 + + # Most likely to have problems will huaweicloud side if more than 50 attempts but still cannot fully remove the record set + # Maybe can be removed manually in the dashboard + _retry_cnt=50 + # Remove all records # Therotically HuaweiCloud does not allow more than one record set # But remove them recurringly to increase robusty - while [ "${record_id}" != "0" ]; do + + while [ "${_record_id}" != "0" && "${_retry_cnt}" != "0" ]; do _debug "Removing Record" - _rm_record "${token}" "${zoneid}" "${record_id}" - record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")" + _retry_cnt=$((${_retry_cnt} - 1)) + _rm_record "${_token}" "${_zoneid}" "${_record_id}" + _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")" + _debug2 "Checking record exists: record_id=${_record_id}" done + + # Check if retry count is reached + if [ "${_retry_cnt}" == "0" ]; then + _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard" + return 1 + fi + return 0 } -################### Private functions below ################################## - # _get_zoneid # # _token=$1 @@ -216,11 +256,11 @@ _add_record() { _debug "Record Set ID is:" "${_record_id}" # Remove all records - while [ "${_record_id}" != "0" ]; do - _debug "Removing Record" - _rm_record "${_token}" "${zoneid}" "${_record_id}" - _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")" - done + _recursive_rm_record "${token}" "${_domain}" "${_zoneid}" "${_record_id}" + ret="$?" + if [ "${ret}" != "0" ]; then + return 1 + fi # Add brand new records with all old and new records export _H2="Content-Type: application/json" From 0cce2d60985b112fa4ef31672cec880ff4a01740 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 09:57:39 +0800 Subject: [PATCH 194/209] fix: fix shellcheck --- dnsapi/dns_huaweicloud.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index b1bb61dc..54f18226 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -98,6 +98,7 @@ dns_huaweicloud_rm() { fi _debug "Zone ID is:" "${zoneid}" + record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")" _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}" ret="$?" if [ "${ret}" != "0" ]; then @@ -134,16 +135,16 @@ _recursive_rm_record() { # Therotically HuaweiCloud does not allow more than one record set # But remove them recurringly to increase robusty - while [ "${_record_id}" != "0" && "${_retry_cnt}" != "0" ]; do + while [ "${_record_id}" != "0" ] && [ "${_retry_cnt}" != "0" ]; do _debug "Removing Record" - _retry_cnt=$((${_retry_cnt} - 1)) + _retry_cnt=$((_retry_cnt - 1)) _rm_record "${_token}" "${_zoneid}" "${_record_id}" _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")" _debug2 "Checking record exists: record_id=${_record_id}" done # Check if retry count is reached - if [ "${_retry_cnt}" == "0" ]; then + if [ "${_retry_cnt}" = "0" ]; then _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard" return 1 fi @@ -164,7 +165,7 @@ _get_zoneid() { i=1 while true; do - h=$(printf "%s" "${_domain_string}" | cut -d . -f $i-100) + h=$(printf "%s" "${_domain_string}" | cut -d . -f "$i"-100) if [ -z "$h" ]; then #not valid return 1 From 4dba84d09e129ea1a69c4158cbbce133e32e1562 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 10:01:20 +0800 Subject: [PATCH 195/209] fix: fix shfmt --- dnsapi/dns_huaweicloud.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 54f18226..1869a756 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -105,16 +105,15 @@ dns_huaweicloud_rm() { _err "dns_api(dns_huaweicloud): Error removing record." return 1 fi - + return 0 } ################### Private functions below ################################## - # _recursive_rm_record # remove all records from the record set -# +# # _token=$1 # _domain=$2 # _zoneid=$3 From e9366f8c7635858f0bf875786fb00e0df93b412a Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 10:56:10 +0800 Subject: [PATCH 196/209] fix: fix huaweicloud existing record 400 --- dnsapi/dns_huaweicloud.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 1869a756..401390dc 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -246,8 +246,7 @@ _add_record() { \"type\": \"TXT\", \"ttl\": 1, \"records\": [ - ${_exist_record}, - \"\\\"${_txtvalue}\\\"\" + ${_exist_record},\"\\\"${_txtvalue}\\\"\" ] }" fi From bddde60522ebb25314568b157b56d7185a97bbca Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 11:27:08 +0800 Subject: [PATCH 197/209] fix: use update instead of remove then add --- dnsapi/dns_huaweicloud.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 401390dc..cad9f425 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -254,19 +254,16 @@ _add_record() { _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")" _debug "Record Set ID is:" "${_record_id}" - # Remove all records - _recursive_rm_record "${token}" "${_domain}" "${_zoneid}" "${_record_id}" - ret="$?" - if [ "${ret}" != "0" ]; then - return 1 - fi - # Add brand new records with all old and new records export _H2="Content-Type: application/json" export _H1="X-Auth-Token: ${_token}" _debug2 "${_post_body}" - _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null + if [ -z "${_exist_record}" ]; then + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null + else + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/{$_record_id}" false "PUT" >/dev/null + fi _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" if [ "$_code" != "202" ]; then _err "dns_huaweicloud: http code ${_code}" From 7560c64f46f3ad19ec185c7337241d1753f47d09 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 11:30:32 +0800 Subject: [PATCH 198/209] fix: fix typo --- dnsapi/dns_huaweicloud.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index cad9f425..766123c2 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -261,9 +261,9 @@ _add_record() { _debug2 "${_post_body}" if [ -z "${_exist_record}" ]; then _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null - else - _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/{$_record_id}" false "PUT" >/dev/null - fi + else + _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/${_record_id}" false "PUT" >/dev/null + fi _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" if [ "$_code" != "202" ]; then _err "dns_huaweicloud: http code ${_code}" From 1f777a94a7cf22e95b6545c4ece8bbc1eea647a8 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Tue, 7 Mar 2023 17:50:44 +0800 Subject: [PATCH 199/209] fix: change some debug comments --- dnsapi/dns_huaweicloud.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index 766123c2..c8601f34 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -175,11 +175,11 @@ _get_zoneid() { if _contains "${response}" '"id"'; then zoneidlist=$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ") zonenamelist=$(echo "${response}" | _egrep_o "\"name\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ") - _debug2 "Return Zone ID(s):" "${zoneidlist}" - _debug2 "Return Zone Name(s):" "${zonenamelist}" + _debug2 "Returned Zone ID(s):" "${zoneidlist}" + _debug2 "Returned Zone Name(s):" "${zonenamelist}" zoneidnum=0 zoneidcount=$(echo "${zoneidlist}" | grep -c '^') - _debug "Retund Zone ID(s) Count:" "${zoneidcount}" + _debug "Returned Zone ID(s) Count:" "${zoneidcount}" while [ "${zoneidnum}" -lt "${zoneidcount}" ]; do zoneidnum=$(_math "$zoneidnum" + 1) _zoneid=$(echo "${zoneidlist}" | sed -n "${zoneidnum}p") From 70f4cad2ca9ed671c3a3d55a53913d8aed49871b Mon Sep 17 00:00:00 2001 From: Markus Hoffrogge Date: Tue, 7 Mar 2023 13:22:46 +0100 Subject: [PATCH 200/209] Fix Retry-After handling - closes #4543 --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 5d73cdb6..b7d9129d 100755 --- a/acme.sh +++ b/acme.sh @@ -2229,8 +2229,8 @@ _send_signed_request() { _debug3 _body "$_body" fi - _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') - if [ "$code" = '503' ] || [ "$_retryafter" ]; then + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ]; then _sleep_overload_retry_sec=$_retryafter if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 From 2d8c0c0131f56924aaee10078da9ca076fbf69f5 Mon Sep 17 00:00:00 2001 From: Alex Leigh Date: Tue, 7 Mar 2023 02:31:27 -0800 Subject: [PATCH 201/209] Add support for Google Domains DNS API. https://domains.google/learn/gts-acme/ This is an ACME API for Google Domains customers, which is different from the Google Cloud Domains API for Google Cloud customers. --- dnsapi/dns_googledomains.sh | 173 ++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100755 dnsapi/dns_googledomains.sh diff --git a/dnsapi/dns_googledomains.sh b/dnsapi/dns_googledomains.sh new file mode 100755 index 00000000..63e3073b --- /dev/null +++ b/dnsapi/dns_googledomains.sh @@ -0,0 +1,173 @@ +#!/usr/bin/env sh + +# Author: Alex Leigh +# Created: 2023-03-02 + +#GOOGLEDOMAINS_ACCESS_TOKEN="xxxx" +#GOOGLEDOMAINS_ZONE="xxxx" +GOOGLEDOMAINS_API="https://acmedns.googleapis.com/v1/acmeChallengeSets" + +######## Public functions ######## + +#Usage: dns_googledomains_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_googledomains_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Invoking Google Domains ACME DNS API." + + if ! _dns_googledomains_setup; then + return 1 + fi + + zone="$(_dns_googledomains_get_zone "$fulldomain")" + if [ -z "$zone" ]; then + _err "Could not find a Google Domains-managed zone containing the requested domain." + return 1 + fi + + _debug zone "$zone" + _debug txtvalue "$txtvalue" + + _info "Adding TXT record for $fulldomain." + if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToAdd\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then + if _contains "$response" "$txtvalue"; then + _info "TXT record added." + return 0 + else + _err "Error adding TXT record." + return 1 + fi + fi + + _err "Error adding TXT record." + return 1 +} + +#Usage: dns_googledomains_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_googledomains_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Invoking Google Domains ACME DNS API." + + if ! _dns_googledomains_setup; then + return 1 + fi + + zone="$(_dns_googledomains_get_zone "$fulldomain")" + if [ -z "$zone" ]; then + _err "Could not find a Google Domains-managed domain based on request." + return 1 + fi + + _debug zone "$zone" + _debug txtvalue "$txtvalue" + + _info "Removing TXT record for $fulldomain." + if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToRemove\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then + if _contains "$response" "$txtvalue"; then + _err "Error removing TXT record." + return 1 + else + _info "TXT record removed." + return 0 + fi + fi + + _err "Error removing TXT record." + return 1 +} + +######## Private functions ######## + +_dns_googledomains_setup() { + if [ -n "$GOOGLEDOMAINS_SETUP_COMPLETED" ]; then + return 0 + fi + + GOOGLEDOMAINS_ACCESS_TOKEN="${GOOGLEDOMAINS_ACCESS_TOKEN:-$(_readaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN)}" + GOOGLEDOMAINS_ZONE="${GOOGLEDOMAINS_ZONE:-$(_readaccountconf_mutable GOOGLEDOMAINS_ZONE)}" + + if [ -z "$GOOGLEDOMAINS_ACCESS_TOKEN" ]; then + GOOGLEDOMAINS_ACCESS_TOKEN="" + _err "Google Domains access token was not specified." + _err "Please visit Google Domains Security settings to provision an ACME DNS API access token." + return 1 + fi + + if [ "$GOOGLEDOMAINS_ZONE" ]; then + _savedomainconf GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _savedomainconf GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE" + else + _saveaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _clearaccountconf_mutable GOOGLEDOMAINS_ZONE + _clearaccountconf GOOGLEDOMAINS_ZONE + fi + + _debug GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN" + _debug GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE" + + GOOGLEDOMAINS_SETUP_COMPLETED=1 + return 0 +} + +_dns_googledomains_get_zone() { + domain=$1 + + # Use zone directly if provided + if [ "$GOOGLEDOMAINS_ZONE" ]; then + if ! _dns_googledomains_api "$GOOGLEDOMAINS_ZONE"; then + return 1 + fi + + echo "$GOOGLEDOMAINS_ZONE" + return 0 + fi + + i=2 + while true; do + curr=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug curr "$curr" + + if [ -z "$curr" ]; then + return 1 + fi + + if _dns_googledomains_api "$curr"; then + echo "$curr" + return 0 + fi + + i=$(_math "$i" + 1) + done + + return 1 +} + +_dns_googledomains_api() { + zone=$1 + apimethod=$2 + data="$3" + + if [ -z "$data" ]; then + response="$(_get "$GOOGLEDOMAINS_API/$zone$apimethod")" + else + _debug data "$data" + export _H1="Content-Type: application/json" + response="$(_post "$data" "$GOOGLEDOMAINS_API/$zone$apimethod")" + fi + + _debug response "$response" + + if [ "$?" != "0" ]; then + _err "Error" + return 1 + fi + + if _contains "$response" "\"error\": {"; then + return 1 + fi + + return 0 +} From ae3e5dbf2c4c8f53f5705f00387f24d36abc7a06 Mon Sep 17 00:00:00 2001 From: Easton Man Date: Sun, 12 Mar 2023 12:41:29 +0800 Subject: [PATCH 202/209] fix: fix DomainName not retreived properly Co-Authored-By: idawnlight --- dnsapi/dns_huaweicloud.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_huaweicloud.sh b/dnsapi/dns_huaweicloud.sh index c8601f34..b61c1d43 100644 --- a/dnsapi/dns_huaweicloud.sh +++ b/dnsapi/dns_huaweicloud.sh @@ -23,7 +23,7 @@ dns_huaweicloud_add() { HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}" - HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" + HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}" # Check information if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then @@ -74,7 +74,7 @@ dns_huaweicloud_rm() { HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}" - HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}" + HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}" # Check information if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then From 42a5cd961dc22f655d732167aabebf8725a84784 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 17 Mar 2023 17:21:10 +0800 Subject: [PATCH 203/209] fix https://github.com/acmesh-official/acme.sh/issues/4530#issuecomment-1473395845 --- acme.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index b7d9129d..e89662cd 100755 --- a/acme.sh +++ b/acme.sh @@ -2235,9 +2235,13 @@ _send_signed_request() { if [ -z "$_sleep_overload_retry_sec" ]; then _sleep_overload_retry_sec=5 fi - _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." - _sleep $_sleep_overload_retry_sec - continue + if [ $_sleep_overload_retry_sec -le 600 ]; then + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + else + _info "The retryafter=$_retryafter is too large > 600, not retry anymore." + fi fi if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." From 7ef2533b98ae0566fc5775c32aa5ebfcfb3b724b Mon Sep 17 00:00:00 2001 From: imlonghao Date: Tue, 28 Mar 2023 22:34:04 +0800 Subject: [PATCH 204/209] fix(cloudns): fix grep when record start with hyphen symbol --- dnsapi/dns_cloudns.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_cloudns.sh b/dnsapi/dns_cloudns.sh index b03fd579..8d7fd437 100755 --- a/dnsapi/dns_cloudns.sh +++ b/dnsapi/dns_cloudns.sh @@ -78,7 +78,7 @@ dns_cloudns_rm() { return 1 fi - for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do + for i in $(echo "$response" | tr '{' "\n" | grep -- "$record"); do record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g') if [ -n "$record_id" ]; then From dc1f36da4348dfb9e737ad8121d5150c6e2c96d9 Mon Sep 17 00:00:00 2001 From: David Schramm Date: Sat, 1 Apr 2023 09:25:19 +0200 Subject: [PATCH 205/209] prevent whitespace splitting --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e89662cd..33721de5 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key="$_saved" + eval $_rac_key=\$_saved export $_rac_key } From dcdbe2fbb8d13579c0178b77822d29fc24520a4d Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 2 Apr 2023 12:04:58 +0800 Subject: [PATCH 206/209] fix https://github.com/acmesh-official/acme.sh/pull/4577 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e89662cd..fa350584 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key="$_saved" + eval $_rac_key=\"$_saved\" export $_rac_key } From a570fda1cb179476405370c94ddefa88dfd7a830 Mon Sep 17 00:00:00 2001 From: David Schramm Date: Sun, 2 Apr 2023 17:30:47 +0200 Subject: [PATCH 207/209] prevent whitespace splitting --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index fa350584..33721de5 100755 --- a/acme.sh +++ b/acme.sh @@ -2412,7 +2412,7 @@ _getdeployconf() { return 0 # do nothing fi _saved="$(_readdomainconf "SAVED_$_rac_key")" - eval $_rac_key=\"$_saved\" + eval $_rac_key=\$_saved export $_rac_key } From f66a29d1c3d450641f88c74de04a8967ef0d6cec Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 20 Apr 2023 18:07:59 +0800 Subject: [PATCH 208/209] fix https://github.com/acmesh-official/acme.sh/issues/4606 --- acme.sh | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/acme.sh b/acme.sh index 8b519f1f..d5caee4d 100755 --- a/acme.sh +++ b/acme.sh @@ -6146,8 +6146,22 @@ revoke() { uri="${ACME_REVOKE_CERT}" + _info "Try account key first." + if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then + if [ -z "$response" ]; then + _info "Revoke success." + rm -f "$CERT_PATH" + cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" + cat "$CSR_PATH" >"$CSR_PATH.revoked" + return 0 + else + _err "Revoke error." + _debug "$response" + fi + fi + if [ -f "$CERT_KEY_PATH" ]; then - _info "Try domain key first." + _info "Try domain key." if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then if [ -z "$response" ]; then _info "Revoke success." @@ -6163,21 +6177,6 @@ revoke() { else _info "Domain key file doesn't exist." fi - - _info "Try account key." - - if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then - if [ -z "$response" ]; then - _info "Revoke success." - rm -f "$CERT_PATH" - cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" - cat "$CSR_PATH" >"$CSR_PATH.revoked" - return 0 - else - _err "Revoke error." - _debug "$response" - fi - fi return 1 } From 84e4181ed74f26e2dbd78666f999eafa4642930f Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 20 Apr 2023 18:11:55 +0800 Subject: [PATCH 209/209] fix https://github.com/acmesh-official/acme.sh/issues/4604 --- dnsapi/dns_leaseweb.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_leaseweb.sh b/dnsapi/dns_leaseweb.sh index 63f81869..4cd3a8f8 100644 --- a/dnsapi/dns_leaseweb.sh +++ b/dnsapi/dns_leaseweb.sh @@ -6,7 +6,7 @@ #See https://developer.leaseweb.com for more information. ######## Public functions ##################### -LSW_API="https://api.leaseweb.com/hosting/v2/domains/" +LSW_API="https://api.leaseweb.com/hosting/v2/domains" #Usage: dns_leaseweb_add _acme-challenge.www.domain.com dns_leaseweb_add() {