Previously the deploy hook config was stored in the account config.
This seems odd and adds unnecessary limitations to the hook.
Now we're using the correct _*deployconf() functions to read and
write the deploy hook config.
This escapes special characters used in POSIX sed to prevent mismatches.
e.g. `SYNO_Certficiate=*.example.com` would not match a description of
"*.example.com" and would look to match any number of double quotes (the
last character in the sed regex prior to certificate description),
followed by any single character, followed by "example", followed by any
character, followed by "com".
After this change, it will properly match `*.example.com` and not
`""zexamplefcom`.
Additionally we now store the certificate description as base64 encoded
to prevent issues with single quotes.
Tested on DSM 7.0-41222 (VDSM) and DSM 6.2.4-25556 (DS1515+).
As noted by @buxm, previous fix didn't work for all versions of DSM 6.
The better fix appears to be simply not outputting the "as_default"
parameter unless we are doing something with the default certificate.
For some DSM installs, it appears that setting the "default" flag to the
string "false" actually sets it to true. This causes Synology to set
the last updated certificate to be the default certificate. Using an
empty string appears to still be accepted as a false-y value for DSMs
where this isn't happening and corrects the behavior in the cases that
it was.
Credit to @Run-King for identifying the fix and @buxm for reporting.
When using vault_cli with a kv2 path, it isn't working. I have the following error:
```
WARNING! The following warnings were returned from Vault:
* Invalid path for a versioned K/V secrets engine. See the API docs for the
appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
for this operation.
```
The new way to write data is to use `vault kv put`, it is compatible with kv1 and kv2.
Ref: https://www.vaultproject.io/docs/commands#reading-and-writing-data
```
The original version of K/V used the common read and write operations. A more advanced K/V Version 2 engine was released in Vault 0.10 and introduced the kv get and kv put commands.
```
* fix: unifi deploy hook also update Cloud Key nginx certs
When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).
Fixes#3326
* Improve settings documentation comments
* Improve Cloud Key pre-flight error messaging
* Fix typo
* Add support for UnifiOS (Cloud Key Gen2)
Since UnifiOS does not use the Java keystore (like a Unifi
Controller or Cloud Key Gen1 deploy), this also reworks
the settings validation and error messaging somewhat.
* PR review fixes
* Detect unsupported Cloud Key java keystore location
* Don't try to restart inactive services
(and remove extra spaces from reload command)
* Clean up error messages and internal variables
* Change to _getdeployconf/_savedeployconf
* Switch from cp to cat to preserve file permissions
* change arvan api script
* change Author name
* change name actor
* Updated --preferred-chain to issue ISRG properly
To support different openssl crl2pkcs7 help cli format
* dnsapi/pdns: also normalize json response in detecting root zone
* Chain (#3408)
* fix https://github.com/acmesh-official/acme.sh/issues/3384
match the issuer to the root CA cert subject
* fix format
* fix https://github.com/acmesh-official/acme.sh/issues/3384
* remove the alt files. https://github.com/acmesh-official/acme.sh/issues/3384
* upgrade freebsd and solaris
* duckdns - fix "integer expression expected" errors (#3397)
* fix "integer expression expected" errors
* duckdns fix
* Update dns_duckdns.sh
* Update dns_duckdns.sh
* Implement smtp notify hook
Support notifications via direct SMTP server connection.
Uses Python (2.7.x or 3.4+) to communicate with SMTP server.
* Make shfmt happy
(I'm open to better ways of formatting the heredoc
that embeds the Python script.)
* Only save config if send is successful
* Add instructions for reporting bugs
* Prep for curl or Python; clean up SMTP_* variable usage
* Implement curl version of smtp notify-hook
* More than one blank line is an abomination, apparently
I will not try to use whitespace to group code visually
* Fix: Unifi deploy hook support Unifi Cloud Key (#3327)
* fix: unifi deploy hook also update Cloud Key nginx certs
When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).
Fixes#3326
* Improve settings documentation comments
* Improve Cloud Key pre-flight error messaging
* Fix typo
* Add support for UnifiOS (Cloud Key Gen2)
Since UnifiOS does not use the Java keystore (like a Unifi
Controller or Cloud Key Gen1 deploy), this also reworks
the settings validation and error messaging somewhat.
* PR review fixes
* Detect unsupported Cloud Key java keystore location
* Don't try to restart inactive services
(and remove extra spaces from reload command)
* Clean up error messages and internal variables
* Change to _getdeployconf/_savedeployconf
* Switch from cp to cat to preserve file permissions
* feat: add huaweicloud error handling
* fix: fix freebsd and solaris
* support openssl 3.0
fix https://github.com/acmesh-official/acme.sh/issues/3399
* make the fix for rsa key only
* Use PROJECT_NAME and VER for X-Mailer header
Also add X-Mailer header to Python version
* Add _clearaccountconf_mutable()
* Rework read/save config to not save default values
Add and use _readaccountconf_mutable_default and
_saveaccountconf_mutable_default helpers to capture
common default value handling.
New approach also eliminates need for separate
underscore-prefixed version of each conf var.
* Implement _rfc2822_date helper
* Clean email headers and warn on unsupported address format
Just in case, make sure CR or NL don't end up in
an email header.
* Clarify _readaccountconf_mutable_default
* Add Date email header in Python implementation
* Use email.policy.default in Python 3 implementation
Improves standards compatibility and utf-8 handling
in Python 3.3-3.8. (email.policy.default becomes the
default in Python 3.9.)
* Prefer Python to curl when both available
* Change default SMTP_SECURE to "tls"
Secure by default. Also try to minimize configuration errors.
(Many ESPs/ISPs require STARTTLS, and most support it.)
* Update dns_dp.sh
没有encode中文字符会导致提交失败
* No need to include EC parameters explicitly with the private key.
(they are embedded)
* Fixes response handling and thereby allow issuing of subdomain certs
* Adds comment
* fix https://github.com/acmesh-official/acme.sh/issues/3402
* dnsapi/ionos: Use POST instead of PATCH for adding TXT record
The API now supports a POST route for adding records. Therefore
checking for already existing records and including them in a PATCH
request is no longer necessary.
* fix https://github.com/acmesh-official/acme.sh/issues/3433
* fix https://github.com/acmesh-official/acme.sh/issues/3019
* fix format
* Update dns_servercow.sh to support wildcard certs
Updated dns_servercow.sh to support txt records with multiple entries. This supports wildcard certificates that require txt records with the same name and different contents.
* Update dns_servercow.sh to support wildcard certs
Updated dns_servercow.sh to support txt records with multiple entries. This supports wildcard certificates that require txt records with the same name and different contents.
* fix https://github.com/acmesh-official/acme.sh/issues/3312
* fix format
* feat: add dns_porkbun
* fix: prevent rate limit
Co-authored-by: Vahid Fardi <vahid.fardi@snapp.cab>
Co-authored-by: neil <github@neilpang.com>
Co-authored-by: Gnought <1684105+gnought@users.noreply.github.com>
Co-authored-by: manuel <manuel@mausz.at>
Co-authored-by: jerrm <jerrm@users.noreply.github.com>
Co-authored-by: medmunds <medmunds@gmail.com>
Co-authored-by: Mike Edmunds <github@to.mikeedmunds.com>
Co-authored-by: Easton Man <manyang.me@outlook.com>
Co-authored-by: czeming <loser_wind@163.com>
Co-authored-by: Geert Hendrickx <geert@hendrickx.be>
Co-authored-by: Kristian Johansson <kristian.johansson86@gmail.com>
Co-authored-by: Lukas Brocke <lukas@brocke.net>
Co-authored-by: anom-human <80478363+anom-human@users.noreply.github.com>
Co-authored-by: neil <win10@neilpang.com>
Co-authored-by: Quentin Dreyer <quentin.dreyer@rgsystem.com>
* fix: unifi deploy hook also update Cloud Key nginx certs
When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).
Fixes#3326
* Improve settings documentation comments
* Improve Cloud Key pre-flight error messaging
* Fix typo
* Add support for UnifiOS (Cloud Key Gen2)
Since UnifiOS does not use the Java keystore (like a Unifi
Controller or Cloud Key Gen1 deploy), this also reworks
the settings validation and error messaging somewhat.
* PR review fixes
* Detect unsupported Cloud Key java keystore location
* Don't try to restart inactive services
(and remove extra spaces from reload command)
* Clean up error messages and internal variables
* Change to _getdeployconf/_savedeployconf
* Switch from cp to cat to preserve file permissions
Small changes for DSM 6:
All fields (except enable_syno_token as explained below) must either be in the GET params or the POST params, you can't mix GET and POST params
enable_syno_token=yes must be in both the GET and POST params.
If enable_syno_token=yes is only in the POST fields, then DSM6 returns a synotoken of --------. If enable_syno_token=yes is only in the GET params, then it returns no synotoken at all. It must be in both to work.
Need to use /webapi/auth.cgi instead of /webapi/entry.cgi
Verified with DSM 6.2.3-25426 Update 2 and DSM 7.0-40850
This allows us to get the cookie and the token (as it appears to be only in the body in DSM 7.) HTTP_HEADERS is only guarenteed to be output with POST for both wget and curl.
I have modified the following things:
Originally, "/data/assets/ssl/" is always appended to the varialbe ${_mailcow_path}. Since I use acme.sh as docker container, I only want to include the mailcow-ssl directory in the acem.sh container and not the complete mailcow directory. So now it is checked if the file generate_config.sh is in the directory (then it is the mailcow root directory, see https://github.com/mailcow/mailcow-dockerized) and only then "/data/assets/ssl/" is appended, in all other cases the passed variable is taken over unchanged.
Because of the RP mailcow/mailcow-dockerized#2443 I have extended the script with ECC certificates.
I adapted the reboot commands as described in the mailcow manual (https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/#how-to-use-your-own-certificate).
This provider relies on the the python-openstackclient and
python-designateclient tools be installed and working, with
either password or application credentials loaded in your env.