2016-11-20 14:57:07 +00:00
#!/usr/bin/env sh
#
#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
#
#AWS_SECRET_ACCESS_KEY="xxxxxxx"
#This is the Amazon Route53 api wrapper for acme.sh
2019-10-28 13:32:08 +00:00
#All `_sleep` commands are included to avoid Route53 throttling, see
2019-10-25 19:05:15 +00:00
#https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests
2016-11-20 14:57:07 +00:00
AWS_HOST = "route53.amazonaws.com"
AWS_URL = " https:// $AWS_HOST "
2020-01-30 04:06:39 +00:00
AWS_WIKI = "https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API"
2016-11-20 14:57:07 +00:00
######## Public functions #####################
#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_aws_add( ) {
fulldomain = $1
txtvalue = $2
2018-02-20 00:34:55 +00:00
AWS_ACCESS_KEY_ID = " ${ AWS_ACCESS_KEY_ID :- $( _readaccountconf_mutable AWS_ACCESS_KEY_ID) } "
AWS_SECRET_ACCESS_KEY = " ${ AWS_SECRET_ACCESS_KEY :- $( _readaccountconf_mutable AWS_SECRET_ACCESS_KEY) } "
2020-02-24 23:14:40 +00:00
AWS_DNS_SLOWRATE = " ${ AWS_DNS_SLOWRATE :- $( _readaccountconf_mutable AWS_DNS_SLOWRATE) } "
2018-02-20 00:34:55 +00:00
if [ -z " $AWS_ACCESS_KEY_ID " ] || [ -z " $AWS_SECRET_ACCESS_KEY " ] ; then
2018-02-20 14:55:05 +00:00
_use_container_role || _use_instance_role
2018-02-19 17:48:54 +00:00
fi
2016-11-20 14:57:07 +00:00
if [ -z " $AWS_ACCESS_KEY_ID " ] || [ -z " $AWS_SECRET_ACCESS_KEY " ] ; then
AWS_ACCESS_KEY_ID = ""
AWS_SECRET_ACCESS_KEY = ""
2021-08-02 17:36:59 +00:00
_err "You haven't specified the aws route53 api key id and and api key secret yet."
2018-01-15 11:48:57 +00:00
_err " Please create your key and try again. see $( __green $AWS_WIKI ) "
2016-11-20 14:57:07 +00:00
return 1
fi
2018-02-20 00:34:55 +00:00
#save for future use, unless using a role which will be fetched as needed
2018-02-20 12:40:24 +00:00
if [ -z " $_using_role " ] ; then
2018-02-19 17:48:54 +00:00
_saveaccountconf_mutable AWS_ACCESS_KEY_ID " $AWS_ACCESS_KEY_ID "
_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY " $AWS_SECRET_ACCESS_KEY "
2020-02-24 23:14:40 +00:00
_saveaccountconf_mutable AWS_DNS_SLOWRATE " $AWS_DNS_SLOWRATE "
2018-02-19 17:48:54 +00:00
fi
2016-11-20 14:57:07 +00:00
_debug "First detect the root zone"
if ! _get_root " $fulldomain " ; then
_err "invalid domain"
2019-10-28 13:32:08 +00:00
_sleep 1
2016-11-20 14:57:07 +00:00
return 1
fi
_debug _domain_id " $_domain_id "
_debug _sub_domain " $_sub_domain "
_debug _domain " $_domain "
2019-05-21 10:21:54 +00:00
_info " Getting existing records for $fulldomain "
2018-02-13 14:17:20 +00:00
if ! aws_rest GET " 2013-04-01 $_domain_id /rrset " " name= $fulldomain &type=TXT " ; then
2019-10-28 13:32:08 +00:00
_sleep 1
2018-02-13 14:17:20 +00:00
return 1
fi
if _contains " $response " " <Name> $fulldomain .</Name> " ; then
2018-02-14 11:39:47 +00:00
_resource_record = " $( echo " $response " | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep " <Name> $fulldomain .</Name> " | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##" ) "
2018-02-13 14:17:20 +00:00
_debug "_resource_record" " $_resource_record "
else
_debug "single new add"
fi
if [ " $_resource_record " ] && _contains " $response " " $txtvalue " ; then
2018-08-07 11:35:08 +00:00
_info "The TXT record already exists. Skipping."
2019-10-28 13:32:08 +00:00
_sleep 1
2018-02-13 14:17:20 +00:00
return 0
fi
_debug "Adding records"
_aws_tmpl_xml = " <ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name> $fulldomain </Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords> $_resource_record <ResourceRecord><Value>\" $txtvalue \"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest> "
2016-11-20 15:04:28 +00:00
2016-11-20 14:57:07 +00:00
if aws_rest POST " 2013-04-01 $_domain_id /rrset/ " "" " $_aws_tmpl_xml " && _contains " $response " "ChangeResourceRecordSetsResponse" ; then
2018-08-07 11:35:08 +00:00
_info "TXT record updated successfully."
2020-02-24 23:14:40 +00:00
if [ -n " $AWS_DNS_SLOWRATE " ] ; then
_info " Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds "
_sleep " $AWS_DNS_SLOWRATE "
2019-11-22 10:20:25 +00:00
else
_sleep 1
2019-03-29 14:12:50 +00:00
fi
2019-11-22 10:20:25 +00:00
2016-11-20 14:57:07 +00:00
return 0
fi
2019-10-28 13:32:08 +00:00
_sleep 1
2016-11-20 15:04:28 +00:00
return 1
2016-11-20 14:57:07 +00:00
}
2016-12-06 08:52:02 +00:00
#fulldomain txtvalue
2016-11-20 14:57:07 +00:00
dns_aws_rm( ) {
fulldomain = $1
2016-12-06 08:52:02 +00:00
txtvalue = $2
2018-02-20 00:34:55 +00:00
AWS_ACCESS_KEY_ID = " ${ AWS_ACCESS_KEY_ID :- $( _readaccountconf_mutable AWS_ACCESS_KEY_ID) } "
AWS_SECRET_ACCESS_KEY = " ${ AWS_SECRET_ACCESS_KEY :- $( _readaccountconf_mutable AWS_SECRET_ACCESS_KEY) } "
2020-02-24 23:14:40 +00:00
AWS_DNS_SLOWRATE = " ${ AWS_DNS_SLOWRATE :- $( _readaccountconf_mutable AWS_DNS_SLOWRATE) } "
2018-02-20 00:34:55 +00:00
if [ -z " $AWS_ACCESS_KEY_ID " ] || [ -z " $AWS_SECRET_ACCESS_KEY " ] ; then
2018-02-20 14:55:05 +00:00
_use_container_role || _use_instance_role
2018-02-19 17:48:54 +00:00
fi
2016-12-06 08:52:02 +00:00
_debug "First detect the root zone"
if ! _get_root " $fulldomain " ; then
_err "invalid domain"
2019-10-28 13:32:08 +00:00
_sleep 1
2016-12-06 08:52:02 +00:00
return 1
fi
_debug _domain_id " $_domain_id "
_debug _sub_domain " $_sub_domain "
_debug _domain " $_domain "
2018-08-07 11:35:08 +00:00
_info " Getting existing records for $fulldomain "
2018-02-13 14:17:20 +00:00
if ! aws_rest GET " 2013-04-01 $_domain_id /rrset " " name= $fulldomain &type=TXT " ; then
2019-10-28 13:32:08 +00:00
_sleep 1
2018-02-13 14:17:20 +00:00
return 1
fi
if _contains " $response " " <Name> $fulldomain .</Name> " ; then
2018-02-14 11:39:47 +00:00
_resource_record = " $( echo " $response " | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep " <Name> $fulldomain .</Name> " | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##" ) "
2018-02-13 14:17:20 +00:00
_debug "_resource_record" " $_resource_record "
else
2018-08-07 11:35:08 +00:00
_debug "no records exist, skip"
2019-10-28 13:32:08 +00:00
_sleep 1
2018-02-13 14:17:20 +00:00
return 0
fi
_aws_tmpl_xml = " <ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords> $_resource_record </ResourceRecords><Name> $fulldomain .</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest> "
2016-12-06 08:52:02 +00:00
if aws_rest POST " 2013-04-01 $_domain_id /rrset/ " "" " $_aws_tmpl_xml " && _contains " $response " "ChangeResourceRecordSetsResponse" ; then
2018-08-07 11:35:08 +00:00
_info "TXT record deleted successfully."
2020-02-24 23:14:40 +00:00
if [ -n " $AWS_DNS_SLOWRATE " ] ; then
_info " Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds "
_sleep " $AWS_DNS_SLOWRATE "
2019-11-22 10:20:25 +00:00
else
_sleep 1
2019-03-29 14:39:32 +00:00
fi
2019-11-22 10:20:25 +00:00
2016-12-06 08:52:02 +00:00
return 0
fi
2019-10-28 13:32:08 +00:00
_sleep 1
2016-12-06 08:52:02 +00:00
return 1
2016-11-20 14:57:07 +00:00
}
2016-12-14 20:32:24 +00:00
#################### Private functions below ##################################
2016-11-20 14:57:07 +00:00
_get_root( ) {
2022-05-12 09:36:19 +00:00
domain = $1
2022-05-12 08:51:15 +00:00
i = 1
2016-11-20 14:57:07 +00:00
p = 1
2016-11-20 15:04:28 +00:00
2022-06-05 13:46:42 +00:00
# iterate over names (a.b.c.d -> b.c.d -> c.d -> d)
2022-06-04 18:24:33 +00:00
while true; do
h = $( printf "%s" " $domain " | cut -d . -f $i -100)
_debug " Checking domain: $h "
if [ -z " $h " ] ; then
_error "invalid domain"
return 1
fi
2016-11-20 14:57:07 +00:00
2022-06-05 13:46:42 +00:00
# iterate over paginated result for list_hosted_zones
2022-06-04 18:24:33 +00:00
aws_rest GET "2013-04-01/hostedzone"
while true; do
2016-11-20 14:57:07 +00:00
if _contains " $response " " <Name> $h .</Name> " ; then
2022-05-12 17:57:32 +00:00
hostedzone = " $( echo " $response " | tr -d '\n' | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o " <HostedZone><Id>[^<]*<.Id><Name> $h .<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone> " ) "
2016-11-20 14:57:07 +00:00
_debug hostedzone " $hostedzone "
2017-10-11 12:34:56 +00:00
if [ " $hostedzone " ] ; then
_domain_id = $( printf "%s\n" " $hostedzone " | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>" )
if [ " $_domain_id " ] ; then
_sub_domain = $( printf "%s" " $domain " | cut -d . -f 1-$p )
_domain = $h
return 0
fi
2018-08-07 11:35:08 +00:00
_err " Can't find domain with id: $h "
2016-11-20 14:57:07 +00:00
return 1
fi
fi
2022-06-04 18:24:33 +00:00
if _contains " $response " "<IsTruncated>true</IsTruncated>" && _contains " $response " "<NextMarker>" ; then
_debug "IsTruncated"
_nextMarker = " $( echo " $response " | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1) "
_debug "NextMarker" " $_nextMarker "
else
break
fi
_debug " Checking domain: $h - Next Page "
aws_rest GET "2013-04-01/hostedzone" " marker= $_nextMarker "
2016-11-20 14:57:07 +00:00
done
2022-06-04 18:24:33 +00:00
p = $i
i = $( _math " $i " + 1)
done
2016-11-20 14:57:07 +00:00
return 1
}
2018-02-20 14:55:05 +00:00
_use_container_role( ) {
# automatically set if running inside ECS
if [ -z " $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI " ] ; then
_debug "No ECS environment variable detected"
return 1
fi
_use_metadata " 169.254.170.2 $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI "
}
2018-02-19 17:48:54 +00:00
_use_instance_role( ) {
2018-02-20 12:40:24 +00:00
_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
_debug "_url" " $_url "
if ! _get " $_url " true 1 | _head_n 1 | grep -Fq 200; then
2018-02-20 14:55:05 +00:00
_debug "Unable to fetch IAM role from instance metadata"
return 1
2018-02-19 17:48:54 +00:00
fi
2018-02-20 12:40:24 +00:00
_aws_role = $( _get " $_url " "" 1)
2018-02-19 17:48:54 +00:00
_debug "_aws_role" " $_aws_role "
2018-02-20 14:55:05 +00:00
_use_metadata " $_url $_aws_role "
}
_use_metadata( ) {
2018-02-19 17:48:54 +00:00
_aws_creds = " $(
2020-08-17 14:18:20 +00:00
_get " $1 " "" 1 |
_normalizeJson |
tr '{,}' '\n' |
while read -r _line; do
2018-02-19 17:48:54 +00:00
_key = " $( echo " ${ _line %% : * } " | tr -d '"' ) "
_value = " ${ _line #* : } "
_debug3 "_key" " $_key "
_secure_debug3 "_value" " $_value "
case " $_key " in
2020-08-17 14:18:20 +00:00
AccessKeyId) echo " AWS_ACCESS_KEY_ID= $_value " ; ;
SecretAccessKey) echo " AWS_SECRET_ACCESS_KEY= $_value " ; ;
Token) echo " AWS_SESSION_TOKEN= $_value " ; ;
2018-02-19 17:48:54 +00:00
esac
2020-08-17 14:18:20 +00:00
done |
paste -sd' ' -
2018-02-19 17:48:54 +00:00
) "
_secure_debug "_aws_creds" " $_aws_creds "
2018-02-20 14:55:05 +00:00
if [ -z " $_aws_creds " ] ; then
return 1
fi
2018-02-19 17:48:54 +00:00
eval " $_aws_creds "
2018-02-20 12:40:24 +00:00
_using_role = true
2018-02-19 17:48:54 +00:00
}
2016-11-20 14:57:07 +00:00
#method uri qstr data
aws_rest( ) {
mtd = " $1 "
ep = " $2 "
qsr = " $3 "
data = " $4 "
_debug mtd " $mtd "
_debug ep " $ep "
_debug qsr " $qsr "
_debug data " $data "
CanonicalURI = " / $ep "
_debug2 CanonicalURI " $CanonicalURI "
CanonicalQueryString = " $qsr "
_debug2 CanonicalQueryString " $CanonicalQueryString "
RequestDate = " $( date -u +"%Y%m%dT%H%M%SZ" ) "
_debug2 RequestDate " $RequestDate "
#RequestDate="20161120T141056Z" ##############
2017-01-09 16:04:09 +00:00
export _H1 = " x-amz-date: $RequestDate "
2016-11-20 14:57:07 +00:00
aws_host = " $AWS_HOST "
CanonicalHeaders = " host: $aws_host \nx-amz-date: $RequestDate \n "
SignedHeaders = "host;x-amz-date"
2017-01-06 02:27:55 +00:00
if [ -n " $AWS_SESSION_TOKEN " ] ; then
2017-03-15 14:52:57 +00:00
export _H3 = " x-amz-security-token: $AWS_SESSION_TOKEN "
2017-01-06 02:27:55 +00:00
CanonicalHeaders = " ${ CanonicalHeaders } x-amz-security-token: $AWS_SESSION_TOKEN \n "
SignedHeaders = " ${ SignedHeaders } ;x-amz-security-token "
fi
_debug2 CanonicalHeaders " $CanonicalHeaders "
2016-11-20 14:57:07 +00:00
_debug2 SignedHeaders " $SignedHeaders "
RequestPayload = " $data "
_debug2 RequestPayload " $RequestPayload "
Hash = "sha256"
CanonicalRequest = " $mtd \n $CanonicalURI \n $CanonicalQueryString \n $CanonicalHeaders \n $SignedHeaders \n $( printf "%s" " $RequestPayload " | _digest " $Hash " hex) "
_debug2 CanonicalRequest " $CanonicalRequest "
2016-11-20 15:09:57 +00:00
2016-11-20 15:04:28 +00:00
HashedCanonicalRequest = " $( printf " $CanonicalRequest %s " | _digest " $Hash " hex) "
2016-11-20 14:57:07 +00:00
_debug2 HashedCanonicalRequest " $HashedCanonicalRequest "
Algorithm = "AWS4-HMAC-SHA256"
_debug2 Algorithm " $Algorithm "
2016-11-20 15:04:28 +00:00
RequestDateOnly = " $( echo " $RequestDate " | cut -c 1-8) "
2016-11-20 14:57:07 +00:00
_debug2 RequestDateOnly " $RequestDateOnly "
Region = "us-east-1"
Service = "route53"
CredentialScope = " $RequestDateOnly / $Region / $Service /aws4_request "
_debug2 CredentialScope " $CredentialScope "
StringToSign = " $Algorithm \n $RequestDate \n $CredentialScope \n $HashedCanonicalRequest "
_debug2 StringToSign " $StringToSign "
kSecret = " AWS4 $AWS_SECRET_ACCESS_KEY "
#kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
2017-02-19 05:24:00 +00:00
_secure_debug2 kSecret " $kSecret "
2016-11-20 14:57:07 +00:00
2017-01-31 06:04:40 +00:00
kSecretH = " $( printf "%s" " $kSecret " | _hex_dump | tr -d " " ) "
2017-02-19 05:24:00 +00:00
_secure_debug2 kSecretH " $kSecretH "
2016-11-20 14:57:07 +00:00
kDateH = " $( printf " $RequestDateOnly %s " | _hmac " $Hash " " $kSecretH " hex) "
_debug2 kDateH " $kDateH "
kRegionH = " $( printf " $Region %s " | _hmac " $Hash " " $kDateH " hex) "
_debug2 kRegionH " $kRegionH "
kServiceH = " $( printf " $Service %s " | _hmac " $Hash " " $kRegionH " hex) "
_debug2 kServiceH " $kServiceH "
2017-07-08 01:20:12 +00:00
kSigningH = " $( printf "%s" "aws4_request" | _hmac " $Hash " " $kServiceH " hex) "
2016-11-20 14:57:07 +00:00
_debug2 kSigningH " $kSigningH "
signature = " $( printf " $StringToSign %s " | _hmac " $Hash " " $kSigningH " hex) "
_debug2 signature " $signature "
Authorization = " $Algorithm Credential= $AWS_ACCESS_KEY_ID / $CredentialScope , SignedHeaders= $SignedHeaders , Signature= $signature "
_debug2 Authorization " $Authorization "
2017-03-15 14:52:57 +00:00
_H2 = " Authorization: $Authorization "
_debug _H2 " $_H2 "
2016-11-20 14:57:07 +00:00
2017-04-04 06:34:23 +00:00
url = " $AWS_URL / $ep "
if [ " $qsr " ] ; then
url = " $AWS_URL / $ep ? $qsr "
fi
2016-11-20 14:57:07 +00:00
if [ " $mtd " = "GET" ] ; then
response = " $( _get " $url " ) "
else
response = " $( _post " $data " " $url " ) "
fi
_ret = " $? "
2018-02-13 14:17:20 +00:00
_debug2 response " $response "
2016-11-20 14:57:07 +00:00
if [ " $_ret " = "0" ] ; then
if _contains " $response " "<ErrorResponse" ; then
_err " Response error: $response "
return 1
fi
fi
2016-11-20 15:09:57 +00:00
2016-11-20 14:57:07 +00:00
return " $_ret "
}