Merge c7106b5407 into eb00852a71

6 days ago · cee0c885f2
5 changed files with 509 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -114,6 +114,7 @@ https://github.com/acmesh-official/acmetest
 - DNS mode
 - [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode)
 - [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode)
+- [HTTP API mode](https://github.com/acmesh-official/acme.sh/wiki/HTTP-API)


 # 1. How to install
@ -358,7 +359,30 @@ Ok, it's done.

 **Please use dns api mode instead.**

-# 10. Issue ECC certificates
+# 10. Use HTTP API mode
+
+If you want to deploy the challenge files using an external method like SCP or FTPS, you can use the HTTP API mode:
+
+```bash
+acme.sh --issue -d example.com --httpapi scp
+```
+
+You'll need to configure the required environment variables first:
+
+```bash
+# For SCP plugin
+export HTTP_SCP_USER="username"
+export HTTP_SCP_HOST="example.com"
+export HTTP_SCP_PATH="/var/www/html"
+```
+
+Available HTTP API plugins:
+- `scp`: Deploy challenge files via SCP
+- `ftps`: Deploy challenge files via FTPS
+
+More information: [HTTP API mode](https://github.com/acmesh-official/acme.sh/wiki/HTTP-API)
+
+# 11. Issue ECC certificates

 Just set the `keylength` parameter with a prefix `ec-`.

@ -388,7 +412,7 @@ Valid values are:
 6. **4096   (RSA4096)**


-# 11. Issue Wildcard certificates
+# 12. Issue Wildcard certificates

 It's simple, just give a wildcard domain as the `-d` parameter.

@ -398,7 +422,7 @@ acme.sh  --issue -d example.com  -d '*.example.com'  --dns dns_cf



-# 12. How to renew the certs
+# 13. How to renew the certs

 No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.

@ -415,7 +439,7 @@ acme.sh --renew -d example.com --force --ecc
 ```


-# 13. How to stop cert renewal
+# 14. How to stop cert renewal

 To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:

@ -428,7 +452,7 @@ The cert/key file is not removed from the disk.
 You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.


-# 14. How to upgrade `acme.sh`
+# 15. How to upgrade `acme.sh`

 acme.sh is in constant development, so it's strongly recommended to use the latest code.

@ -453,24 +477,24 @@ acme.sh --upgrade --auto-upgrade 0
 ```


-# 15. Issue a cert from an existing CSR
+# 16. Issue a cert from an existing CSR

 https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR


-# 16. Send notifications in cronjob
+# 17. Send notifications in cronjob

 https://github.com/acmesh-official/acme.sh/wiki/notify


-# 17. Under the Hood
+# 18. Under the Hood

 Speak ACME language using shell, directly to "Let's Encrypt".

 TODO:


-# 18. Acknowledgments
+# 19. Acknowledgments

 1. Acme-tiny: https://github.com/diafygi/acme-tiny
 2. ACME protocol: https://github.com/ietf-wg-acme/acme
@ -508,7 +532,7 @@ Support this project with your organization. Your logo will show up here with a



-# 19. License & Others
+# 20. License & Others

 License is GPLv3

@ -517,7 +541,7 @@ Please Star and Fork me.
 [Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome.


-# 20. Donate
+# 21. Donate
 Your donation makes **acme.sh** better:

 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)
--- a/acme.sh
+++ b/acme.sh
@ -17,8 +17,9 @@ _SCRIPT_="$0"
 _SUB_FOLDER_NOTIFY="notify"
 _SUB_FOLDER_DNSAPI="dnsapi"
 _SUB_FOLDER_DEPLOY="deploy"
+_SUB_FOLDER_HTTPAPI="httpapi"

-_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
+_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY $_SUB_FOLDER_HTTPAPI"

 CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
@ -72,6 +73,7 @@ DEFAULT_RENEW=60
 NO_VALUE="no"

 W_DNS="dns"
+W_HTTPAPI="http"
 W_ALPN="alpn"
 DNS_ALIAS_PREFIX="="

@ -3396,6 +3398,7 @@ _restoreNginx() {
 _clearup() {
  _stopserver "$serverproc"
  serverproc=""
+  _cleanup_http_entries
  _restoreApache
  _restoreNginx
  _clearupdns
@ -3407,6 +3410,42 @@ _clearup() {
  fi
 }

+_cleanup_http_entries() {
+  if [ -z "$_http_entries" ]; then
+    _debug "_cleanup_http_entries: No HTTP entries to clean up"
+    return 0
+  fi
+  _debug "Cleaning up HTTP entries: $_http_entries"
+
+  entries=$(echo "$_http_entries" | tr "$dvsep" ' ')
+  for entry in $entries; do
+    d=$(echo "$entry" | cut -d "$sep" -f 1)
+    token=$(echo "$entry" | cut -d "$sep" -f 2)
+    keyauthorization=$(echo "$entry" | cut -d "$sep" -f 3)
+    _httpapi=$(echo "$entry" | cut -d "$sep" -f 4)
+
+    _debug "Removing HTTP challenge for $d using $_httpapi"
+
+    h_api="$(_findHook "$d" $_SUB_FOLDER_HTTPAPI "$_httpapi")"
+    if [ "$h_api" ]; then
+      if ! . "$h_api"; then
+        _err "Error loading HTTP API file: $h_api"
+        continue
+      fi
+
+      _remove_fn="${_httpapi}_rm"
+      if ! _exists "$_remove_fn"; then
+        _err "HTTP API file doesn't implement removal function: $_remove_fn"
+        continue
+      fi
+
+      if ! "$_remove_fn" "$d" "$token" "$keyauthorization"; then
+        _err "Error removing HTTP challenge for domain: $d"
+      fi
+    fi
+  done
+}
+
 _clearupdns() {
  _debug "_clearupdns"
  _debug "dns_entries" "$dns_entries"
@ -4987,6 +5026,56 @@ $_authorizations_map"
          NGINX_RESTORE_VLIST="$d$sep$_realConf$sep$_backup$dvsep$NGINX_RESTORE_VLIST"
        fi
        _sleep 1
+      elif _startswith "$_currentRoot" "http_"; then
+        _info "Using HTTP API validation for domain: $d"
+        _httpapi="$(echo "$_currentRoot" | cut -d "_" -f 2-)"
+        h_api="$(_findHook "$d" $_SUB_FOLDER_HTTPAPI "$_currentRoot")"
+        _debug h_api "$h_api"
+
+        if [ "$h_api" ]; then
+          _debug "Found domain HTTP API file: $h_api"
+          if ! . "$h_api"; then
+            _err "Error loading HTTP API file: $h_api"
+            _cleanup_http_entries
+            _clearup
+            _on_issue_err "$_post_hook" "$vlist"
+            return 1
+          fi
+
+          _deploy_fn="${_currentRoot}_deploy"
+          if ! _exists "$_deploy_fn"; then
+            _err "HTTP API file doesn't implement deployment function: $_deploy_fn"
+            _cleanup_http_entries
+            _clearup
+            _on_issue_err "$_post_hook" "$vlist"
+            return 1
+          fi
+
+          if ! "$_deploy_fn" "$d" "$token" "$keyauthorization"; then
+            _err "Error deploying HTTP challenge for domain: $d"
+            _cleanup_http_entries
+            _clearup
+            _on_issue_err "$_post_hook" "$vlist"
+            return 1
+          fi
+
+          _http_entries="${_http_entries}${d}${sep}${token}${sep}${keyauthorization}${sep}${_currentRoot}${dvsep}"
+        else
+          # Fall back to normal webroot challenge if no hook is found
+          _info "No HTTP API hook found for $_currentRoot, falling back to normal validation"
+          if [ "$_currentRoot" = "apache" ]; then
+            wellknown_path="$ACME_DIR"
+          else
+            wellknown_path="$_currentRoot/.well-known/acme-challenge"
+            if [ ! -d "$_currentRoot/.well-known" ]; then
+              removelevel='1'
+            elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then
+              removelevel='2'
+            else
+              removelevel='3'
+            fi
+          fi
+        fi
      else
        if [ "$_currentRoot" = "apache" ]; then
          wellknown_path="$ACME_DIR"
@ -7080,6 +7169,7 @@ Parameters:

  --password <password>             Add a password to exported pfx file. Use with --to-pkcs12.

+  --http-api <provider>             Use HTTP API for challenge validation

 "
 }
@ -7358,6 +7448,7 @@ _process() {
  _preferred_chain=""
  _valid_from=""
  _valid_to=""
+  _http_api=""
  while [ ${#} -gt 0 ]; do
    case "${1}" in

@ -7880,6 +7971,18 @@ _process() {
      _preferred_chain="$2"
      shift
      ;;
+    --http-api)
+      wvalue="$W_HTTPAPI"
+      if [ "$2" ] && ! _startswith "$2" "-"; then
+        wvalue="$2"
+        shift
+      fi
+      if [ -z "$_webroot" ]; then
+        _webroot="$wvalue"
+      else
+        _webroot="$_webroot,$wvalue"
+      fi
+      ;;
    *)
      _err "Unknown parameter: $1"
      return 1
--- a/httpapi/README.md
+++ b/httpapi/README.md
@ -0,0 +1,116 @@
+# HTTP API Validation Plugin
+
+This directory contains plugins for acme.sh's HTTP API validation system. These plugins allow you to deploy ACME HTTP-01 challenge files to remote servers using various methods without requiring direct filesystem access.
+
+## Usage
+
+To use an HTTP API validation plugin, there are two ways to specify it:
+
+### Method 1: Using the `--webroot` parameter with the plugin name prefix:
+
+```bash
+acme.sh --issue -d example.com --webroot http_scp
+```
+
+### Method 2: Using the dedicated `--http-api` parameter:
+
+```bash
+acme.sh --issue -d example.com --http-api http_scp
+```
+
+The second method is preferred as it's more explicit about the validation method being used.
+
+## Available Plugins
+
+- `http_scp`: Deploy challenge files via SCP to a remote web server
+- `http_local`: Deploy challenge files to a local directory (for testing)
+
+## Using HTTP API Plugins
+
+Before using an HTTP API plugin, you need to set the required environment variables:
+
+```bash
+# For SCP plugin
+export HTTP_SCP_USER="username"
+export HTTP_SCP_HOST="example.com"
+export HTTP_SCP_PATH="/var/www/html"
+# Optional
+export HTTP_SCP_PORT="22"
+export HTTP_SCP_KEY="/path/to/ssh/key"
+
+# For Local plugin
+export HTTP_LOCAL_DIR="/var/www/html"
+export HTTP_LOCAL_MKDIR="true"  # Create directory if it doesn't exist
+export HTTP_LOCAL_VERIFY="true"  # Simple curl verification
+
+# Then issue your certificate
+acme.sh --issue -d example.com --http-api http_scp
+```
+
+These environment variables will be saved to your account configuration for future use.
+
+## Creating Your Own Plugin
+
+Plugins are shell scripts with at least two functions:
+
+1. `<plugin-name>_deploy`: Deploy the challenge file
+2. `<plugin-name>_rm`: Remove the challenge file
+
+Here's a minimal example:
+
+```bash
+#!/usr/bin/env sh
+
+# Deploy the challenge file
+http_myplugin_deploy() {
+  local domain="$1"
+  local token="$2"
+  local keyauthorization="$3"
+
+  # Deploy the challenge file to your web server
+  # ...
+
+  return 0  # Return 0 for success, non-zero for failure
+}
+
+# Remove the challenge file
+http_myplugin_rm() {
+  local domain="$1"
+  local token="$2"
+  
+  # Remove the challenge file
+  # ...
+  
+  return 0  # Return 0 for success, non-zero for failure
+}
+```
+
+## Plugin Configuration
+
+Typically, plugins will need configuration settings like server addresses, credentials, etc. These should be provided as environment variables:
+
+```bash
+export HTTP_MYPLUGIN_HOST="example.com"
+export HTTP_MYPLUGIN_USER="username"
+export HTTP_MYPLUGIN_PASSWORD="password"
+# etc...
+
+acme.sh --issue -d example.com --http-api http_myplugin
+```
+
+Alternatively, you can save these values in your acme.sh account configuration file for future use.
+
+## Example: Using the SCP Plugin
+
+```bash
+# Set required environment variables
+export HTTP_SCP_USER="username"
+export HTTP_SCP_HOST="remote.server.com"
+export HTTP_SCP_PATH="/var/www/html"
+# Optional:
+export HTTP_SCP_PORT="22"
+export HTTP_SCP_KEY="/path/to/ssh/key"
+
+# Issue certificate using SCP validation
+acme.sh --issue -d example.com --http-api http_scp
+```
--- a/httpapi/http_local.sh
+++ b/httpapi/http_local.sh
@ -0,0 +1,119 @@
+#!/usr/bin/env sh
+
+http_local_info='Local filesystem HTTP-01 validation plugin
+Site: Local filesystem
+Docs: github.com/acmesh-official/acme.sh/wiki/HTTP-API
+Options:
+ HTTP_LOCAL_DIR Directory to copy challenge to
+ HTTP_LOCAL_MKDIR Create directory if it doesnt exist (true/false)
+ HTTP_LOCAL_VERIFY Verify challenge file is accessible via HTTPS (true/false, default: false)
+'
+
+#Here we implement local filesystem-based http validation
+
+#Returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#Usage: http_local_deploy domain token keyauthorization
+http_local_deploy() {
+  _cdomain="$1"
+  _ctoken="$2"
+  _ckey="$3"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ctoken "$_ctoken"
+
+  _getconfig
+  if [ "$?" != "0" ]; then
+    return 1
+  fi
+
+  _info "Deploying challenge file to local directory"
+  _wellknown_path="$HTTP_LOCAL_DIR/.well-known/acme-challenge"
+
+  # Create directory if needed
+  if [ "$HTTP_LOCAL_MKDIR" = "true" ]; then
+    _debug "Creating directory $_wellknown_path"
+    mkdir -p "$_wellknown_path"
+  fi
+
+  # Create temporary file with token content
+  _tempcontent="$(_mktemp)"
+  if [ "$?" != "0" ]; then
+    _err "Failed to create temporary file"
+    return 1
+  fi
+
+  echo "$_ckey" > "$_tempcontent"
+
+  # Copy challenge file
+  _info "Copying challenge file"
+  if ! cp "$_tempcontent" "$_wellknown_path/$_ctoken"; then
+    _err "Failed to copy challenge file"
+    rm -f "$_tempcontent"
+    return 1
+  fi
+
+  rm -f "$_tempcontent"
+
+  # Verify the file is accessible via HTTPS if enabled
+  if [ "$HTTP_LOCAL_VERIFY" != "false" ]; then
+    _info "Verifying challenge file is accessible via HTTPS"
+    _verify_url="https://$_cdomain/.well-known/acme-challenge/$_ctoken"
+    _debug "Verifying URL: $_verify_url"
+
+    # Try to access the file with curl, ignoring SSL certificate verification
+    if ! curl -k -s -o /dev/null -w "%{http_code}" "$_verify_url" | grep -q "200"; then
+      _err "Challenge file is not accessible via HTTPS at $_verify_url"
+      return 1
+    fi
+  else
+    _debug "Skipping HTTPS verification as HTTP_LOCAL_VERIFY is set to false"
+  fi
+
+  return 0
+}
+
+#Usage: http_local_rm domain token
+http_local_rm() {
+  _cdomain="$1"
+  _ctoken="$2"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ctoken "$_ctoken"
+
+  _getconfig
+  if [ "$?" != "0" ]; then
+    return 1
+  fi
+
+  _info "Removing challenge file from local directory"
+  _wellknown_path="$HTTP_LOCAL_DIR/.well-known/acme-challenge"
+
+  # Remove challenge file
+  _info "Removing challenge file"
+  if ! rm -f "$_wellknown_path/$_ctoken"; then
+    _err "Failed to remove challenge file"
+    return 1
+  fi
+
+  return 0
+}
+
+_getconfig() {
+  if [ -z "$HTTP_LOCAL_DIR" ]; then
+    _err "HTTP_LOCAL_DIR is not defined"
+    return 1
+  fi
+
+  if [ -z "$HTTP_LOCAL_MKDIR" ]; then
+    HTTP_LOCAL_MKDIR="false"
+  fi
+
+  if [ -z "$HTTP_LOCAL_VERIFY" ]; then
+    HTTP_LOCAL_VERIFY="false"
+  fi
+
+  return 0
+}
--- a/httpapi/http_scp.sh
+++ b/httpapi/http_scp.sh
@ -0,0 +1,135 @@
+#!/usr/bin/env sh
+
+http_scp_info='SCP HTTP-01 validation plugin
+Site: github.com/acmesh-official/acme.sh/wiki/HTTP-API
+Docs: github.com/acmesh-official/acme.sh/wiki/HTTP-API#http_scp
+Options:
+ HTTP_SCP_USER Username for SSH/SCP
+ HTTP_SCP_HOST Remote host
+ HTTP_SCP_PATH Remote webroot path
+ HTTP_SCP_PORT SSH port (optional)
+ HTTP_SCP_KEY SSH private key path (optional)
+'
+
+#Here we implement scp-based http validation
+
+#Returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#Usage: http_scp_deploy domain token keyauthorization
+http_scp_deploy() {
+  _cdomain="$1"
+  _ctoken="$2"
+  _ckey="$3"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ctoken "$_ctoken"
+
+  _getconfig
+  if [ "$?" != "0" ]; then
+    return 1
+  fi
+
+  _info "Deploying challenge file to remote server using SCP"
+  _wellknown_path="$HTTP_SCP_PATH/.well-known/acme-challenge"
+
+  # Create temporary file with token content
+  _tempcontent="$(_mktemp)"
+  if [ "$?" != "0" ]; then
+    _err "Failed to create temporary file"
+    return 1
+  fi
+
+  echo "$_ckey" > "$_tempcontent"
+
+  # Prepare SSH options
+  _scp_options=""
+  if [ -n "$HTTP_SCP_KEY" ]; then
+    _scp_options="$_scp_options -i $HTTP_SCP_KEY"
+  fi
+
+  if [ -n "$HTTP_SCP_PORT" ]; then
+    _scp_options="$_scp_options -P $HTTP_SCP_PORT"
+  fi
+  _scp_options="$_scp_options -o StrictHostKeyChecking=no"
+
+  # Create challenge directory if it doesn't exist
+  _info "Creating challenge directory on remote server"
+  # shellcheck disable=SC2029  # We intentionally want client-side expansion of _wellknown_path
+  if ! ssh $HTTP_SCP_USER@$HTTP_SCP_HOST $_scp_options "mkdir -p ${_wellknown_path}"; then
+    _err "Failed to create challenge directory on remote server"
+    rm -f "$_tempcontent"
+    return 1
+  fi
+
+  # Upload challenge file
+  _info "Uploading challenge file"
+  if ! scp $_scp_options "$_tempcontent" $HTTP_SCP_USER@$HTTP_SCP_HOST:"${_wellknown_path}/${_ctoken}"; then
+    _err "Failed to upload challenge file"
+    rm -f "$_tempcontent"
+    return 1
+  fi
+
+  rm -f "$_tempcontent"
+  return 0
+}
+
+#Usage: http_scp_rm domain token
+http_scp_rm() {
+  _cdomain="$1"
+  _ctoken="$2"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ctoken "$_ctoken"
+
+  _getconfig
+  if [ "$?" != "0" ]; then
+    return 1
+  fi
+
+  _info "Removing challenge file from remote server"
+  _wellknown_path="$HTTP_SCP_PATH/.well-known/acme-challenge"
+
+  # Prepare SSH options
+  _scp_options=""
+  if [ -n "$HTTP_SCP_KEY" ]; then
+    _scp_options="$_scp_options -i $HTTP_SCP_KEY"
+  fi
+
+  if [ -n "$HTTP_SCP_PORT" ]; then
+    _scp_options="$_scp_options -p $HTTP_SCP_PORT"
+  else
+    _scp_options="$_scp_options -p 22"
+  fi
+  _scp_options="$_scp_options -o StrictHostKeyChecking=no"
+
+  # Remove challenge file
+  _info "Removing challenge file from remote server"
+  # shellcheck disable=SC2029  # We intentionally want client-side expansion of _wellknown_path and _ctoken
+  if ! ssh $HTTP_SCP_USER@$HTTP_SCP_HOST $_scp_options "rm -f ${_wellknown_path}/${_ctoken}"; then
+    _err "Failed to remove challenge file from remote server"
+    return 1
+  fi
+
+  return 0
+}
+
+_getconfig() {
+  if [ -z "$HTTP_SCP_USER" ]; then
+    _err "HTTP_SCP_USER is not defined"
+    return 1
+  fi
+
+  if [ -z "$HTTP_SCP_HOST" ]; then
+    _err "HTTP_SCP_HOST is not defined"
+    return 1
+  fi
+
+  if [ -z "$HTTP_SCP_PATH" ]; then
+    _err "HTTP_SCP_PATH is not defined"
+    return 1
+  fi
+
+  return 0
+}