Merge pull request #5290 from acmesh-official/dev

sync
2 months ago · fc7f86104e
8 changed files with 190 additions and 44 deletions
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-VER=3.0.8
+VER=3.0.9

 PROJECT_NAME="acme.sh"

@ -2361,7 +2361,7 @@ _clear_conf() {
  _sdkey="$2"
  if [ "$_c_c_f" ]; then
    _conf_data="$(cat "$_c_c_f")"
-    echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f"
+    echo "$_conf_data" | sed "/^$_sdkey *=.*$/d" >"$_c_c_f"
  else
    _err "Config file is empty, cannot clear"
  fi
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@ -113,9 +113,9 @@ synology_dsm_deploy() {

  # Default values for scheme, hostname and port
  # Defaulting to localhost and http, because it's localhost…
-  [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME="http"
-  [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME="localhost"
-  [ -n "$SYNO_PORT" ] || SYNO_PORT="5000"
+  [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME=http
+  [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME=localhost
+  [ -n "$SYNO_PORT" ] || SYNO_PORT=5000
  _savedeployconf SYNO_SCHEME "$SYNO_SCHEME"
  _savedeployconf SYNO_HOSTNAME "$SYNO_HOSTNAME"
  _savedeployconf SYNO_PORT "$SYNO_PORT"
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@ -5,6 +5,15 @@
 #   - self-hosted Unifi Controller
 #   - Unifi Cloud Key (Gen1/2/2+)
 #   - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
+#   - Unifi Dream Machine
+#       This has not been tested on other "all-in-one" devices such as
+#       UDM Pro or Unifi Express.
+#
+#       OS Version v2.0.0+
+#       Network Application version 7.0.0+
+#       OS version ~3.1 removed java and keytool from the UnifiOS.
+#       Using PKCS12 format keystore appears to work fine.
+#
 # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359

 #returns 0 means success, otherwise error.
@ -74,14 +83,16 @@ unifi_deploy() {
  _reload_cmd=""

  # Unifi Controller environment (self hosted or any Cloud Key) --
-  # auto-detect by file /usr/lib/unifi/data/keystore:
+  # auto-detect by file /usr/lib/unifi/data/keystore
  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  if [ -f "$_unifi_keystore" ]; then
-    _info "Installing certificate for Unifi Controller (Java keystore)"
    _debug _unifi_keystore "$_unifi_keystore"
    if ! _exists keytool; then
-      _err "keytool not found"
-      return 1
+      _do_keytool=0
+      _info "Installing certificate for Unifi Controller (PKCS12 keystore)."
+    else
+      _do_keytool=1
+      _info "Installing certificate for Unifi Controller (Java keystore)"
    fi
    if [ ! -w "$_unifi_keystore" ]; then
      _err "The file $_unifi_keystore is not writable, please change the permission."
@ -92,6 +103,7 @@ unifi_deploy() {

    _debug "Generate import pkcs12"
    _import_pkcs12="$(_mktemp)"
+    _debug "_toPkcs $_import_pkcs12 $_ckey $_ccert $_cca $_unifi_keypass unifi root"
    _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
    # shellcheck disable=SC2181
    if [ "$?" != "0" ]; then
@ -99,22 +111,57 @@ unifi_deploy() {
      return 1
    fi

-    _debug "Import into keystore: $_unifi_keystore"
-    if keytool -importkeystore \
-      -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
-      -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
-      -alias unifi -noprompt; then
-      _debug "Import keystore success!"
-      rm "$_import_pkcs12"
+    # Save the existing keystore in case something goes wrong.
+    mv -f "${_unifi_keystore}" "${_unifi_keystore}"_original
+    _info "Previous keystore saved to ${_unifi_keystore}_original."
+
+    if [ "$_do_keytool" -eq 1 ]; then
+      _debug "Import into keystore: $_unifi_keystore"
+      if keytool -importkeystore \
+        -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+        -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+        -alias unifi -noprompt; then
+        _debug "Import keystore success!"
+      else
+        _err "Error importing into Unifi Java keystore."
+        _err "Please re-run with --debug and report a bug."
+        _info "Restoring original keystore."
+        mv -f "${_unifi_keystore}"_original "${_unifi_keystore}"
+        rm "$_import_pkcs12"
+        return 1
+      fi
    else
-      _err "Error importing into Unifi Java keystore."
-      _err "Please re-run with --debug and report a bug."
-      rm "$_import_pkcs12"
-      return 1
+      _debug "Copying new keystore to $_unifi_keystore"
+      cp -f "$_import_pkcs12" "$_unifi_keystore"
+    fi
+
+    # Update unifi service for certificate cipher compatibility
+    if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
+      -in "$_import_pkcs12" \
+      -password pass:aircontrolenterprise \
+      -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \
+      -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then
+      cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original
+      _info "Updating system configuration for cipher compatibility."
+      _info "Saved original system config to /usr/lib/unifi/data/system.properties_original"
+      sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties
+      echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>/usr/lib/unifi/data/system.properties
+      sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties
+      echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>/usr/lib/unifi/data/system.properties
+      _info "System configuration updated."
    fi

+    rm "$_import_pkcs12"
+
+    # Restarting unifi-core will bring up unifi, doing it out of order results in
+    # a certificate error, and breaks wifiman.
+    # Restart if we aren't doing unifi-core, otherwise stop for later restart.
    if systemctl -q is-active unifi; then
-      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
+      if [ ! -f "${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}/unifi-core.key" ]; then
+        _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi"
+      else
+        _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl stop unifi"
+      fi
    fi
    _services_updated="${_services_updated} unifi"
    _info "Install Unifi Controller certificate success!"
@ -165,6 +212,11 @@ unifi_deploy() {
      return 1
    fi

+    # Save the existing certs in case something goes wrong.
+    cp -f "${_unifi_core_config}"/unifi-core.crt "${_unifi_core_config}"/unifi-core_original.crt
+    cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key
+    _info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt/key."
+
    cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
    cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"

--- a/dnsapi/dns_dynv6.sh
+++ b/dnsapi/dns_dynv6.sh
@ -16,8 +16,8 @@ dynv6_api="https://dynv6.com/api/v2"
 # Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
 #Usage: dns_dynv6_add  _acme-challenge.www.domain.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_dynv6_add() {
-  fulldomain=$1
-  txtvalue=$2
+  fulldomain="$(echo "$1" | _lower_case)"
+  txtvalue="$2"
  _info "Using dynv6 api"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
@ -50,8 +50,8 @@ dns_dynv6_add() {
 #Usage: fulldomain txtvalue
 #Remove the txt record after validation.
 dns_dynv6_rm() {
-  fulldomain=$1
-  txtvalue=$2
+  fulldomain="$(echo "$1" | _lower_case)"
+  txtvalue="$2"
  _info "Using dynv6 API"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
@ -206,7 +206,7 @@ _get_zone_id() {
    return 1
  fi

-  zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')"
+  zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep '"id":' | tr -d '"')"
  _zone_id="${zone_id#id:}"
  _debug "zone id: $_zone_id"
 }
--- a/dnsapi/dns_inwx.sh
+++ b/dnsapi/dns_inwx.sh
@ -163,6 +163,15 @@ _inwx_check_cookie() {
  return 1
 }

+_htmlEscape() {
+  _s="$1"
+  _s=$(echo "$_s" | sed "s/&/&amp;/g")
+  _s=$(echo "$_s" | sed "s/</\&lt;/g")
+  _s=$(echo "$_s" | sed "s/>/\&gt;/g")
+  _s=$(echo "$_s" | sed 's/"/\&quot;/g')
+  printf -- %s "$_s"
+}
+
 _inwx_login() {

  if _inwx_check_cookie; then
@ -170,6 +179,8 @@ _inwx_login() {
    return 0
  fi

+  XML_PASS=$(_htmlEscape "$INWX_Password")
+
  xml_content=$(printf '<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
  <methodName>account.login</methodName>
@ -193,7 +204,7 @@ _inwx_login() {
    </value>
   </param>
  </params>
-  </methodCall>' "$INWX_User" "$INWX_Password")
+  </methodCall>' "$INWX_User" "$XML_PASS")

  response="$(_post "$xml_content" "$INWX_Api" "" "POST")"

--- a/dnsapi/dns_ispconfig.sh
+++ b/dnsapi/dns_ispconfig.sh
@ -14,6 +14,8 @@ Options:
 # User must provide login data and URL to the ISPConfig installation incl. port.
 # The remote user in ISPConfig must have access to:
 # - DNS txt Functions
+# - DNS zone functions
+# - Client functions

 ########  Public functions #####################

--- a/dnsapi/dns_nsupdate.sh
+++ b/dnsapi/dns_nsupdate.sh
@ -39,13 +39,15 @@ dns_nsupdate_add() {
  [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
  [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
  if [ -z "${NSUPDATE_ZONE}" ]; then
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug "${NSUPDATE_OPT}" <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 update add ${fulldomain}. 60 in txt "${txtvalue}"
 send
 EOF
  else
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug "${NSUPDATE_OPT}" <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 zone ${NSUPDATE_ZONE}.
 update add ${fulldomain}. 60 in txt "${txtvalue}"
@ -77,13 +79,15 @@ dns_nsupdate_rm() {
  [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
  [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
  if [ -z "${NSUPDATE_ZONE}" ]; then
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug "${NSUPDATE_OPT}" <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 update delete ${fulldomain}. txt
 send
 EOF
  else
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug "${NSUPDATE_OPT}" <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 zone ${NSUPDATE_ZONE}.
 update delete ${fulldomain}. txt
--- a/notify/bark.sh
+++ b/notify/bark.sh
@ -1,32 +1,40 @@
 #!/usr/bin/env sh

-#Support iOS Bark Notification
+# Support iOS Bark Notification

-#BARK_API_URL="https://api.day.app/xxxx"
-#BARK_SOUND="yyyy"
-#BARK_GROUP="zzzz"
+# Every parameter explained: https://github.com/Finb/bark-server/blob/master/docs/API_V2.md#push

-# subject  content statusCode
+# BARK_API_URL="https://api.day.app/xxxx" (required)
+# BARK_GROUP="ACME" (optional)
+# BARK_SOUND="alarm" (optional)
+# BARK_LEVEL="active" (optional)
+# BARK_BADGE=0 (optional)
+# BARK_AUTOMATICALLYCOPY="1" (optional)
+# BARK_COPY="My clipboard Content" (optional)
+# BARK_ICON="https://example.com/icon.png" (optional)
+# BARK_ISARCHIVE="1" (optional)
+# BARK_URL="https://example.com" (optional)
+
+# subject content statusCode
 bark_send() {
  _subject="$1"
  _content="$2"
-  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _statusCode="$3" # 0: success, 1: error, 2: skipped
  _debug "_subject" "$_subject"
  _debug "_content" "$_content"
  _debug "_statusCode" "$_statusCode"

+  _content=$(echo "$_content" | _url_encode)
+  _subject=$(echo "$_subject" | _url_encode)
+
  BARK_API_URL="${BARK_API_URL:-$(_readaccountconf_mutable BARK_API_URL)}"
  if [ -z "$BARK_API_URL" ]; then
-    BARK_API_URL=""
    _err "You didn't specify a Bark API URL BARK_API_URL yet."
    _err "You can download Bark from App Store and get yours."
    return 1
  fi
  _saveaccountconf_mutable BARK_API_URL "$BARK_API_URL"

-  BARK_SOUND="${BARK_SOUND:-$(_readaccountconf_mutable BARK_SOUND)}"
-  _saveaccountconf_mutable BARK_SOUND "$BARK_SOUND"
-
  BARK_GROUP="${BARK_GROUP:-$(_readaccountconf_mutable BARK_GROUP)}"
  if [ -z "$BARK_GROUP" ]; then
    BARK_GROUP="ACME"
@ -35,10 +43,79 @@ bark_send() {
    _saveaccountconf_mutable BARK_GROUP "$BARK_GROUP"
  fi

-  _content=$(echo "$_content" | _url_encode)
-  _subject=$(echo "$_subject" | _url_encode)
+  BARK_SOUND="${BARK_SOUND:-$(_readaccountconf_mutable BARK_SOUND)}"
+  if [ -n "$BARK_SOUND" ]; then
+    _saveaccountconf_mutable BARK_SOUND "$BARK_SOUND"
+  fi
+
+  BARK_LEVEL="${BARK_LEVEL:-$(_readaccountconf_mutable BARK_LEVEL)}"
+  if [ -n "$BARK_LEVEL" ]; then
+    _saveaccountconf_mutable BARK_LEVEL "$BARK_LEVEL"
+  fi
+
+  BARK_BADGE="${BARK_BADGE:-$(_readaccountconf_mutable BARK_BADGE)}"
+  if [ -n "$BARK_BADGE" ]; then
+    _saveaccountconf_mutable BARK_BADGE "$BARK_BADGE"
+  fi
+
+  BARK_AUTOMATICALLYCOPY="${BARK_AUTOMATICALLYCOPY:-$(_readaccountconf_mutable BARK_AUTOMATICALLYCOPY)}"
+  if [ -n "$BARK_AUTOMATICALLYCOPY" ]; then
+    _saveaccountconf_mutable BARK_AUTOMATICALLYCOPY "$BARK_AUTOMATICALLYCOPY"
+  fi
+
+  BARK_COPY="${BARK_COPY:-$(_readaccountconf_mutable BARK_COPY)}"
+  if [ -n "$BARK_COPY" ]; then
+    _saveaccountconf_mutable BARK_COPY "$BARK_COPY"
+  fi
+
+  BARK_ICON="${BARK_ICON:-$(_readaccountconf_mutable BARK_ICON)}"
+  if [ -n "$BARK_ICON" ]; then
+    _saveaccountconf_mutable BARK_ICON "$BARK_ICON"
+  fi
+
+  BARK_ISARCHIVE="${BARK_ISARCHIVE:-$(_readaccountconf_mutable BARK_ISARCHIVE)}"
+  if [ -n "$BARK_ISARCHIVE" ]; then
+    _saveaccountconf_mutable BARK_ISARCHIVE "$BARK_ISARCHIVE"
+  fi
+
+  BARK_URL="${BARK_URL:-$(_readaccountconf_mutable BARK_URL)}"
+  if [ -n "$BARK_URL" ]; then
+    _saveaccountconf_mutable BARK_URL "$BARK_URL"
+  fi
+
+  _params=""
+
+  if [ -n "$BARK_SOUND" ]; then
+    _params="$_params&sound=$BARK_SOUND"
+  fi
+  if [ -n "$BARK_GROUP" ]; then
+    _params="$_params&group=$BARK_GROUP"
+  fi
+  if [ -n "$BARK_LEVEL" ]; then
+    _params="$_params&level=$BARK_LEVEL"
+  fi
+  if [ -n "$BARK_BADGE" ]; then
+    _params="$_params&badge=$BARK_BADGE"
+  fi
+  if [ -n "$BARK_AUTOMATICALLYCOPY" ]; then
+    _params="$_params&automaticallyCopy=$BARK_AUTOMATICALLYCOPY"
+  fi
+  if [ -n "$BARK_COPY" ]; then
+    _params="$_params&copy=$BARK_COPY"
+  fi
+  if [ -n "$BARK_ICON" ]; then
+    _params="$_params&icon=$BARK_ICON"
+  fi
+  if [ -n "$BARK_ISARCHIVE" ]; then
+    _params="$_params&isArchive=$BARK_ISARCHIVE"
+  fi
+  if [ -n "$BARK_URL" ]; then
+    _params="$_params&url=$BARK_URL"
+  fi
+
+  _params=$(echo "$_params" | sed 's/^&//') # remove leading '&' if exists

-  response="$(_get "$BARK_API_URL/$_subject/$_content?sound=$BARK_SOUND&group=$BARK_GROUP")"
+  response="$(_get "$BARK_API_URL/$_subject/$_content?$_params")"

  if [ "$?" = "0" ] && _contains "$response" "success"; then
    _info "Bark API fired success."