From 148f869becd09518d015881763ab3f2ba98bfa2c Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 27 Apr 2017 22:21:59 +0800 Subject: [PATCH 01/49] fix https://github.com/Neilpang/acme.sh/issues/805 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 3506bdb9..56e1ea49 100755 --- a/acme.sh +++ b/acme.sh @@ -1108,7 +1108,7 @@ _readKeyLengthFromCSR() { echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' ' else _debug "RSA CSR" - echo "$_outcsr" | tr "\t" " " | _egrep_o "(^ *|RSA )Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1 + echo "$_outcsr" | tr "\t" " " | (_egrep_o "^ *Public.Key:.*" || _egrep_o "RSA Public.Key:.*") | cut -d '(' -f 2 | cut -d ' ' -f 1 fi } From fa93d68b085dd5cef9f09fba8de665b31d0a5665 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 20 May 2017 11:02:48 +0800 Subject: [PATCH 02/49] promote performance --- acme.sh | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/acme.sh b/acme.sh index 8edf2c61..17062806 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=2.6.9 +VER=2.7.0 PROJECT_NAME="acme.sh" @@ -450,31 +450,35 @@ _h2b() { fi hex=$(cat) - i=1 - j=2 + ic="" + jc="" _debug2 _URGLY_PRINTF "$_URGLY_PRINTF" if [ -z "$_URGLY_PRINTF" ]; then - while true; do - h="$(printf "%s" "$hex" | cut -c $i-$j)" - if [ -z "$h" ]; then - break - fi - printf "\x$h%s" - i="$(_math "$i" + 2)" - j="$(_math "$j" + 2)" - done + if _exists xargs; then + _debug2 "xargs" + echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf + else + for h in $(echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/ \1/gI') + do + if [ -z "$h" ]; then + break + fi + printf "\x$h%s" + done + fi else - while true; do - ic="$(printf "%s" "$hex" | cut -c $i)" - jc="$(printf "%s" "$hex" | cut -c $j)" - if [ -z "$ic$jc" ]; then - break + for c in $(echo "$hex" | sed 's/\([0-9A-F]\)/ \1/gI') + do + if [ -z "$ic" ]; then + ic=$c + continue fi + jc=$c ic="$(_h_char_2_dec "$ic")" jc="$(_h_char_2_dec "$jc")" printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s" - i="$(_math "$i" + 2)" - j="$(_math "$j" + 2)" + ic="" + jc="" done fi From ed3dda7da960072f48370a25dd5beaccb7302cf2 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 20 May 2017 11:15:26 +0800 Subject: [PATCH 03/49] fix format --- acme.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 17062806..f255c43f 100755 --- a/acme.sh +++ b/acme.sh @@ -458,8 +458,7 @@ _h2b() { _debug2 "xargs" echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf else - for h in $(echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/ \1/gI') - do + for h in $(echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/ \1/gI'); do if [ -z "$h" ]; then break fi @@ -467,8 +466,7 @@ _h2b() { done fi else - for c in $(echo "$hex" | sed 's/\([0-9A-F]\)/ \1/gI') - do + for c in $(echo "$hex" | sed 's/\([0-9A-F]\)/ \1/gI'); do if [ -z "$ic" ]; then ic=$c continue From 486e77f474d1da05bc9201a7446b12dc4abc38b4 Mon Sep 17 00:00:00 2001 From: Jean-Tiare Le Bigot Date: Mon, 22 May 2017 14:13:39 +0200 Subject: [PATCH 04/49] Support OVH credentials scoped to a specific zone When creating OVH API credentials, one can scope them to a specific subset of routes. Specifically, this allows to limit acme.sh to a specific zone as the zone is part of the URL. This is an important security/safety net feature. --- dnsapi/dns_ovh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ovh.sh b/dnsapi/dns_ovh.sh index 6c1edb4d..eaa90bdf 100755 --- a/dnsapi/dns_ovh.sh +++ b/dnsapi/dns_ovh.sh @@ -238,7 +238,7 @@ _get_root() { return 1 fi - if ! _contains "$response" "This service does not exist" >/dev/null; then + if ! _contains "$response" "This service does not exist" >/dev/null && ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) _domain="$h" return 0 From 7eea9533e895f405d2fbbbb110a42d8f74967127 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Mon, 22 May 2017 14:53:26 -0500 Subject: [PATCH 05/49] Update README.md Fix usage documentation for dns_nsupdate. The NSUPDATE_KEY env needs to be a path to a file. --- dnsapi/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/README.md b/dnsapi/README.md index dff62399..5dca829a 100644 --- a/dnsapi/README.md +++ b/dnsapi/README.md @@ -140,7 +140,7 @@ Finally, make the DNS server and update Key available to `acme.sh` ``` export NSUPDATE_SERVER="dns.example.com" -export NSUPDATE_KEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==" +export NSUPDATE_KEY="/path/to/your/nsupdate.key" ``` Ok, let's issue a cert now: From aa66dfff57b17e1fe1d37f1389be5a768a85116e Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 25 May 2017 21:06:59 +0800 Subject: [PATCH 06/49] fix doc --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index afdda8a8..8ddadf57 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux |20|[![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX -For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest): +For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest): https://github.com/Neilpang/acmetest From ded4469efe8a61e94d4878c80420cac414c4e6d2 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 26 May 2017 14:58:52 +0800 Subject: [PATCH 07/49] fix for openbsd, sed doesn't support `I` option. --- acme.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index f255c43f..737d6a7c 100755 --- a/acme.sh +++ b/acme.sh @@ -456,9 +456,9 @@ _h2b() { if [ -z "$_URGLY_PRINTF" ]; then if _exists xargs; then _debug2 "xargs" - echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf + echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf else - for h in $(echo "$hex" | sed 's/\([0-9A-F]\{2\}\)/ \1/gI'); do + for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do if [ -z "$h" ]; then break fi @@ -466,7 +466,7 @@ _h2b() { done fi else - for c in $(echo "$hex" | sed 's/\([0-9A-F]\)/ \1/gI'); do + for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do if [ -z "$ic" ]; then ic=$c continue From 6185244754718adbe99e564886a443f803a31583 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 27 May 2017 19:28:12 +0800 Subject: [PATCH 08/49] fix doc --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ddadf57..13188982 100644 --- a/README.md +++ b/README.md @@ -199,7 +199,7 @@ The ownership and permission info of existing files are preserved. You may want Install/copy the issued cert/key to the production Apache or Nginx path. -The cert will be `renewed every **60** days by default` (which is configurable). Once the cert is renewed, the Apache/Nginx service will be restarted automatically by the command: `service apache2 restart` or `service nginx restart`. +The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. # 4. Use Standalone server to issue cert From f8bcfeb2ab7b1c4486309b673b557c4ad2ea5df7 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 29 May 2017 17:07:59 +0800 Subject: [PATCH 09/49] fix xargs issue for freebsd https://github.com/Neilpang/acme.sh/issues/865#issuecomment-304599955 --- acme.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 737d6a7c..60f0fd48 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=2.7.0 +VER=2.7.1 PROJECT_NAME="acme.sh" @@ -443,6 +443,11 @@ if [ "$(printf '\x41')" != 'A' ]; then _URGLY_PRINTF=1 fi +_ESCAPE_XARGS="" +if [ "$(printf %s '\\x41' | xargs printf)" == 'A' ]; then + _ESCAPE_XARGS=1 +fi + _h2b() { if _exists xxd; then xxd -r -p @@ -454,7 +459,7 @@ _h2b() { jc="" _debug2 _URGLY_PRINTF "$_URGLY_PRINTF" if [ -z "$_URGLY_PRINTF" ]; then - if _exists xargs; then + if [ "$_ESCAPE_XARGS" ] && _exists xargs; then _debug2 "xargs" echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf else From 8a420dd853667db64ca1ac4e6618fd5040c5e89d Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 29 May 2017 17:17:14 +0800 Subject: [PATCH 10/49] fix https://github.com/Neilpang/acme.sh/issues/865#issuecomment-304599955 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 60f0fd48..5f500045 100755 --- a/acme.sh +++ b/acme.sh @@ -444,7 +444,7 @@ if [ "$(printf '\x41')" != 'A' ]; then fi _ESCAPE_XARGS="" -if [ "$(printf %s '\\x41' | xargs printf)" == 'A' ]; then +if [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then _ESCAPE_XARGS=1 fi From df711b0ea2a4ee2737392d68bf7df815f47cc737 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 4 Jun 2017 22:04:43 +0800 Subject: [PATCH 11/49] minor, add debug info --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 5f500045..4261d322 100755 --- a/acme.sh +++ b/acme.sh @@ -2579,7 +2579,7 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" { _err "write nginx conf error, but don't worry, the file is restored." return 1 fi - + _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)" _info "nginx conf is done, let's check it again." if ! _exec "nginx -t" >/dev/null; then _exec_err From 674790a511803c062c64dcc6999f378f9939fd37 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 5 Jun 2017 22:14:58 +0800 Subject: [PATCH 12/49] add more detect for nginx mode --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 4261d322..64bcf844 100755 --- a/acme.sh +++ b/acme.sh @@ -2665,7 +2665,8 @@ _isRealNginxConf() { _debug "_seg_n" "$_seg_n" - if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ]; then + if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ] + || [ "$(echo "$_seg_n" | _egrep_o "listen .* ssl[ |;]")" ]; then _debug "ssl on, skip" return 1 fi From 7c67e3d7e231cc80ed6f5b86618ebc9db17da21a Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 5 Jun 2017 22:18:03 +0800 Subject: [PATCH 13/49] fix typo --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 64bcf844..437706d3 100755 --- a/acme.sh +++ b/acme.sh @@ -2665,7 +2665,7 @@ _isRealNginxConf() { _debug "_seg_n" "$_seg_n" - if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ] + if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ] \ || [ "$(echo "$_seg_n" | _egrep_o "listen .* ssl[ |;]")" ]; then _debug "ssl on, skip" return 1 From 241cfc4342177e8ebd3bedcd842f09ebc4783400 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 5 Jun 2017 22:29:21 +0800 Subject: [PATCH 14/49] fix nginx mode issue for multiple entries --- acme.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 437706d3..efe68c18 100755 --- a/acme.sh +++ b/acme.sh @@ -2668,10 +2668,11 @@ _isRealNginxConf() { if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ] \ || [ "$(echo "$_seg_n" | _egrep_o "listen .* ssl[ |;]")" ]; then _debug "ssl on, skip" - return 1 - fi - FOUND_REAL_NGINX_CONF_LN=$_fln - return 0 + else + FOUND_REAL_NGINX_CONF_LN=$_fln + _debug3 "found FOUND_REAL_NGINX_CONF_LN" "$FOUND_REAL_NGINX_CONF_LN" + return 0 + fi fi done fi From 450efea191cc177cfaea01b4c50ce5fdef0fc2a0 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 5 Jun 2017 22:55:16 +0800 Subject: [PATCH 15/49] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index efe68c18..ffbc69b5 100755 --- a/acme.sh +++ b/acme.sh @@ -2672,7 +2672,7 @@ _isRealNginxConf() { FOUND_REAL_NGINX_CONF_LN=$_fln _debug3 "found FOUND_REAL_NGINX_CONF_LN" "$FOUND_REAL_NGINX_CONF_LN" return 0 - fi + fi fi done fi From 8e845d9f2196a43c4423aa9e6419ad87d8072ded Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 6 Jun 2017 10:08:09 +0800 Subject: [PATCH 16/49] make install command respect LE_CONFIG_HOME env --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index ffbc69b5..2e069244 100755 --- a/acme.sh +++ b/acme.sh @@ -4640,6 +4640,11 @@ install() { return 1 fi + if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then + _info "Using config home: $LE_CONFIG_HOME" + _c_home="$LE_CONFIG_HOME" + fi + #convert from le if [ -d "$HOME/.le" ]; then for envfile in "le.env" "le.sh.env"; do From 0b52645bb6afad03cb3c5fcab57e160ecadbf41b Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Thu, 8 Jun 2017 13:32:05 +0200 Subject: [PATCH 17/49] added view variable to infoblox integration script --- dnsapi/dns_infoblox.sh | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh index 3846e62e..7bb0b5a4 100644 --- a/dnsapi/dns_infoblox.sh +++ b/dnsapi/dns_infoblox.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/bash ## Infoblox API integration by Jason Keller and Elijah Tenai ## @@ -9,7 +9,7 @@ dns_infoblox_add() { ## Nothing to see here, just some housekeeping fulldomain=$1 txtvalue=$2 - baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue" + baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View" _info "Using Infoblox API" _debug fulldomain "$fulldomain" @@ -19,11 +19,15 @@ dns_infoblox_add() { if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then Infoblox_Creds="" Infoblox_Server="" - _err "You didn't specify the credentials or server yet (Infoblox_Creds and Infoblox_Server)." - _err "Please set them via EXPORT ([username:password] and [ip or hostname]) and try again." + _err "You didn't specify the credentials, server or infoblox view yet (Infoblox_Creds, Infoblox_Server and Infoblox_View)." + _err "Please set them via EXPORT ([username:password], [ip or hostname]) and try again." return 1 fi + if [ -z "$Infoblox_View" ]; then + Infoblox_View="default" + fi + ## Save the credentials to the account file _saveaccountconf Infoblox_Creds "$Infoblox_Creds" _saveaccountconf Infoblox_Server "$Infoblox_Server" @@ -39,7 +43,7 @@ dns_infoblox_add() { result=$(_post "" "$baseurlnObject" "" "POST") ## Let's see if we get something intelligible back from the unit - if echo "$result" | egrep 'record:txt/.*:.*/default'; then + if echo "$result" | egrep "record:txt/.*:.*/${Infoblox_View}"; then _info "Successfully created the txt record" return 0 else @@ -68,18 +72,18 @@ dns_infoblox_rm() { export _H2="Authorization: Basic $Infoblox_CredsEncoded" ## Does the record exist? Let's check. - baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&_return_type=xml-pretty" + baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View&_return_type=xml-pretty" result=$(_get "$baseurlnObject") ## Let's see if we get something intelligible back from the grid if echo "$result" | egrep 'record:txt/.*:.*/default'; then ## Extract the object reference - objRef=$(printf "%b" "$result" | _egrep_o 'record:txt/.*:.*/default') + objRef=$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_View}") objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef" ## Delete them! All the stale records! rmResult=$(_post "" "$objRmUrl" "" "DELETE") ## Let's see if that worked - if echo "$rmResult" | egrep 'record:txt/.*:.*/default'; then + if echo "$rmResult" | egrep "record:txt/.*:.*/${Infoblox_View}"; then _info "Successfully deleted $objRef" return 0 else @@ -94,4 +98,4 @@ dns_infoblox_rm() { fi } -#################### Private functions below ################################## +#################### Private functions below ################################## \ No newline at end of file From 0bd4a4f98fcb8c1b8816e2b8a90322e826aa2050 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Thu, 8 Jun 2017 13:34:29 +0200 Subject: [PATCH 18/49] formated for sh instead of bash --- dnsapi/dns_infoblox.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh index 7bb0b5a4..a88b4c02 100644 --- a/dnsapi/dns_infoblox.sh +++ b/dnsapi/dns_infoblox.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/env sh ## Infoblox API integration by Jason Keller and Elijah Tenai ## @@ -43,7 +43,7 @@ dns_infoblox_add() { result=$(_post "" "$baseurlnObject" "" "POST") ## Let's see if we get something intelligible back from the unit - if echo "$result" | egrep "record:txt/.*:.*/${Infoblox_View}"; then + if echo "$result" | egrep "record:txt/.*:.*/$Infoblox_View"; then _info "Successfully created the txt record" return 0 else @@ -78,12 +78,12 @@ dns_infoblox_rm() { ## Let's see if we get something intelligible back from the grid if echo "$result" | egrep 'record:txt/.*:.*/default'; then ## Extract the object reference - objRef=$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_View}") + objRef=$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View") objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef" ## Delete them! All the stale records! rmResult=$(_post "" "$objRmUrl" "" "DELETE") ## Let's see if that worked - if echo "$rmResult" | egrep "record:txt/.*:.*/${Infoblox_View}"; then + if echo "$rmResult" | egrep "record:txt/.*:.*/$Infoblox_View"; then _info "Successfully deleted $objRef" return 0 else From b6f00ea241b7d42eedbafb9e5b208465b5b7572a Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Thu, 8 Jun 2017 13:35:27 +0200 Subject: [PATCH 19/49] changed path to env --- dnsapi/dns_infoblox.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh index a88b4c02..5a00bfd4 100644 --- a/dnsapi/dns_infoblox.sh +++ b/dnsapi/dns_infoblox.sh @@ -1,4 +1,4 @@ -#!/bin/env sh +#!/usr/bin/env sh ## Infoblox API integration by Jason Keller and Elijah Tenai ## From eef4acd07d5dcad20e5bbf9335dc556969a7c156 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Jun 2017 23:25:20 +0800 Subject: [PATCH 20/49] fix https://github.com/Neilpang/acme.sh/issues/874 --- dnsapi/dns_dynu.sh | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_dynu.sh b/dnsapi/dns_dynu.sh index f6eabde2..17a1cdb0 100644 --- a/dnsapi/dns_dynu.sh +++ b/dnsapi/dns_dynu.sh @@ -122,18 +122,30 @@ dns_dynu_rm() { # _domain_name=domain.com _get_root() { domain=$1 - if ! _dynu_rest GET "dns/getroot/$domain"; then - return 1 - fi + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi - if ! _contains "$response" "domain_name"; then - _debug "Domain name not found." - return 1 - fi + if ! _dynu_rest GET "dns/get/$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _domain_name=$h + _node=$(printf "%s" "$domain" | cut -d . -f 1-$p) + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 - _domain_name=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 1 | cut -d : -f 2 | cut -d '"' -f 2) - _node=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 3 | cut -d : -f 2 | cut -d '"' -f 2) - return 0 } _get_recordid() { From 3b74ac841ec8b8cd6ffbcc1c0b1c314f4010b9a4 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Wed, 14 Jun 2017 23:52:48 +0200 Subject: [PATCH 21/49] save Infoblox_View to account config --- dnsapi/dns_infoblox.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh index 5a00bfd4..78c49767 100644 --- a/dnsapi/dns_infoblox.sh +++ b/dnsapi/dns_infoblox.sh @@ -31,6 +31,7 @@ dns_infoblox_add() { ## Save the credentials to the account file _saveaccountconf Infoblox_Creds "$Infoblox_Creds" _saveaccountconf Infoblox_Server "$Infoblox_Server" + _saveaccountconf Infoblox_View "$Infoblox_View" ## Base64 encode the credentials Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64) From b73f5a4e94704fa80f1240ab9a61ed81838cfc60 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Thu, 15 Jun 2017 00:16:26 +0200 Subject: [PATCH 22/49] missed one egrep command --- dnsapi/dns_infoblox.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh index 78c49767..da274bdb 100644 --- a/dnsapi/dns_infoblox.sh +++ b/dnsapi/dns_infoblox.sh @@ -77,7 +77,7 @@ dns_infoblox_rm() { result=$(_get "$baseurlnObject") ## Let's see if we get something intelligible back from the grid - if echo "$result" | egrep 'record:txt/.*:.*/default'; then + if echo "$result" | egrep "record:txt/.*:.*/$Infoblox_View"; then ## Extract the object reference objRef=$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View") objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef" From 65b22b493cc55f6969d56886c372f92fb1268ff2 Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 15 Jun 2017 21:26:14 +0800 Subject: [PATCH 23/49] minor, debug info --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index ffbc69b5..8b31f9ac 100755 --- a/acme.sh +++ b/acme.sh @@ -2723,7 +2723,7 @@ _clearup() { _clearupdns() { _debug "_clearupdns" if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then - _debug "Dns not added, skip." + _debug "skip dns." return fi From 326c386b2e9675e2719e9e1ee45d0d436640d4e5 Mon Sep 17 00:00:00 2001 From: neilpang Date: Thu, 15 Jun 2017 21:44:10 +0800 Subject: [PATCH 24/49] add debug message --- acme.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/acme.sh b/acme.sh index f36ea2ed..d57aacc6 100755 --- a/acme.sh +++ b/acme.sh @@ -151,6 +151,13 @@ _dlg_versions() { echo "apache doesn't exists." fi + echo "nginx:" + if _exists "nginx"; then + nginx -V 2>&1 + else + echo "nginx doesn't exists." + fi + echo "nc:" if _exists "nc"; then nc -h 2>&1 From f3dc5dd12fbe4b369595a90a8a048d23158f3cc4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 16 Jun 2017 21:45:14 +0800 Subject: [PATCH 25/49] fix https://github.com/Neilpang/acme.sh/issues/881#issuecomment-309026385 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d57aacc6..ad700667 100755 --- a/acme.sh +++ b/acme.sh @@ -1733,7 +1733,7 @@ _send_signed_request() { nonce="$_CACHED_NONCE" _debug2 nonce "$nonce" - protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2" + protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2" _debug3 protected "$protected" protected64="$(printf "%s" "$protected" | _base64 | _url_replace)" From fcc0aef7f4b9da6a0cccda482b7a94a8cb3e3836 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 16 Jun 2017 22:41:33 +0800 Subject: [PATCH 26/49] start 2.7.2 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index ad700667..84de9824 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=2.7.1 +VER=2.7.2 PROJECT_NAME="acme.sh" From 2a188905daa83d645ddba3ec6034231e7e51941a Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 15:49:45 +0800 Subject: [PATCH 27/49] support `--server` --- acme.sh | 104 +++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 19 deletions(-) diff --git a/acme.sh b/acme.sh index 84de9824..70381336 100755 --- a/acme.sh +++ b/acme.sh @@ -13,7 +13,8 @@ _SCRIPT_="$0" _SUB_FOLDERS="dnsapi deploy" -DEFAULT_CA="https://acme-v01.api.letsencrypt.org" +_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org" +DEFAULT_CA="https://acme-v01.api.letsencrypt.org/directory" DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" @@ -24,7 +25,7 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048 DEFAULT_OPENSSL_BIN="openssl" -STAGE_CA="https://acme-staging.api.letsencrypt.org" +STAGE_CA="https://acme-staging.api.letsencrypt.org/directory" VTYPE_HTTP="http-01" VTYPE_DNS="dns-01" @@ -1714,8 +1715,8 @@ _send_signed_request() { while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do _debug3 _request_retry_times "$_request_retry_times" if [ -z "$_CACHED_NONCE" ]; then - _debug2 "Get nonce." - nonceurl="$API/directory" + _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY" + nonceurl="$ACME_DIRECTORY" _headers="$(_get "$nonceurl" "onlyheader")" if [ "$?" != "0" ]; then @@ -2169,6 +2170,53 @@ __initHome() { fi } +#server +_initAPI() { + _api_server="${1:-$ACME_DIRECTORY}" + _debug "_init api for server: $_api_server" + + if [ "$_api_server" = "$DEFAULT_CA" ]; then + #just for performance, hardcode the default entry points + export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" + export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz" + export ACME_NEW_CERT="https://acme-v01.api.letsencrypt.org/acme/new-cert" + export ACME_NEW_REG="https://acme-v01.api.letsencrypt.org/acme/new-reg" + export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert" + fi + + if [ -z "$ACME_KEY_CHANGE" ]; then + response=$(_get "$_api_server") + if [ "$?" != "0" ]; then + _debug2 "response" "$response" + _err "Can not init api." + return 1 + fi + _debug2 "response" "$response" + + ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_KEY_CHANGE + + ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_AUTHZ + + ACME_NEW_CERT=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_CERT + + ACME_NEW_REG=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_REG + + ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_REVOKE_CERT + + fi + + _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE" + _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" + _debug "ACME_NEW_CERT" "$ACME_NEW_CERT" + _debug "ACME_NEW_REG" "$ACME_NEW_REG" + _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" +} + #[domain] [keylength] _initpath() { @@ -2189,17 +2237,19 @@ _initpath() { CA_HOME="$DEFAULT_CA_HOME" fi - if [ -z "$API" ]; then + if [ -z "$ACME_DIRECTORY" ]; then if [ -z "$STAGE" ]; then - API="$DEFAULT_CA" + ACME_DIRECTORY="$DEFAULT_CA" else - API="$STAGE_CA" - _info "Using stage api:$API" + ACME_DIRECTORY="$STAGE_CA" + _info "Using stage ACME_DIRECTORY: $ACME_DIRECTORY" fi fi - _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')" - CA_DIR="$CA_HOME/$_API_HOST" + _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -d '/')" + _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" + + CA_DIR="$CA_HOME/$_ACME_SERVER_HOST" _DEFAULT_CA_CONF="$CA_DIR/ca.conf" @@ -3020,7 +3070,7 @@ _regAccount() { if ! _calcjwk "$ACCOUNT_KEY_PATH"; then return 1 fi - + _initAPI _updateTos="" _reg_res="new-reg" while true; do @@ -3035,7 +3085,7 @@ _regAccount() { if [ -z "$_updateTos" ]; then _info "Registering account" - if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then + if ! _send_signed_request "${ACME_NEW_REG}" "$regjson"; then _err "Register account Error: $response" return 1 fi @@ -3126,7 +3176,7 @@ __get_domain_new_authz() { _authz_i=0 while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do _debug "Try new-authz for the $_authz_i time." - if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then + if ! _send_signed_request "${ACME_NEW_AUTHZ}" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then _err "Can not get domain new authz." return 1 fi @@ -3204,13 +3254,16 @@ issue() { if [ "$_web_roots" = "dns-cx" ]; then _web_roots="dns_cx" fi - _debug "Using api: $API" if [ ! "$IS_RENEW" ]; then _initpath "$_main_domain" "$_key_length" mkdir -p "$DOMAIN_PATH" fi + _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY" + + _initAPI + if [ -f "$DOMAIN_CONF" ]; then Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime) _debug Le_NextRenewTime "$Le_NextRenewTime" @@ -3244,7 +3297,7 @@ issue() { _cleardomainconf "Le_LocalAddress" fi - Le_API="$API" + Le_API="$ACME_DIRECTORY" _savedomainconf "Le_API" "$Le_API" if [ "$_alt_domains" = "$NO_VALUE" ]; then @@ -3683,7 +3736,7 @@ issue() { _info "Verify finished, start to sign." der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" - if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then + if ! _send_signed_request "${ACME_NEW_CERT}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then _err "Sign failed." _on_issue_err "$_post_hook" return 1 @@ -3736,7 +3789,8 @@ issue() { Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>') if ! _contains "$Le_LinkIssuer" ":"; then - Le_LinkIssuer="$API$Le_LinkIssuer" + _info "$(__red "Relative issuer link found.")" + Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer" fi _debug Le_LinkIssuer "$Le_LinkIssuer" _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer" @@ -3852,7 +3906,11 @@ renew() { . "$DOMAIN_CONF" if [ "$Le_API" ]; then - API="$Le_API" + if [ "$_OLD_CA_HOST" = "$Le_API" ]; then + export Le_API="$DEFAULT_CA" + _savedomainconf Le_API "$Le_API" + fi + export ACME_DIRECTORY="$Le_API" #reload ca configs ACCOUNT_KEY_PATH="" ACCOUNT_JSON_PATH="" @@ -4315,8 +4373,10 @@ revoke() { return 1 fi + _initAPI + data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}" - uri="$API/acme/revoke-cert" + uri="${ACME_REVOKE_CERT}" if [ -f "$CERT_KEY_PATH" ]; then _info "Try domain key first." @@ -4875,6 +4935,7 @@ Parameters: --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server. + --server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory) --accountconf Specifies a customized account config file. --home Specifies the home dir for $PROJECT_NAME . --cert-home Specifies the home dir to save all the certs, only valid for '--install' command. @@ -5150,6 +5211,11 @@ _process() { --staging | --test) STAGE="1" ;; + --server) + ACME_DIRECTORY="$2" + export ACME_DIRECTORY + shift + ;; --debug) if [ -z "$2" ] || _startswith "$2" "-"; then DEBUG="$DEBUG_LEVEL_DEFAULT" From f8c1d97a258f8c8769facee5432a78cfc4dabefb Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 15:59:27 +0800 Subject: [PATCH 28/49] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 70381336..2c2130d5 100755 --- a/acme.sh +++ b/acme.sh @@ -2174,7 +2174,7 @@ __initHome() { _initAPI() { _api_server="${1:-$ACME_DIRECTORY}" _debug "_init api for server: $_api_server" - + if [ "$_api_server" = "$DEFAULT_CA" ]; then #just for performance, hardcode the default entry points export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" From 287623df58d0603056e560a7c046585237dfe249 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 16:20:32 +0800 Subject: [PATCH 29/49] fix for deactivate function --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 2c2130d5..e1e66d85 100755 --- a/acme.sh +++ b/acme.sh @@ -3171,7 +3171,7 @@ _findHook() { __get_domain_new_authz() { _gdnd="$1" _info "Getting new-authz for domain" "$_gdnd" - + _initAPI _Max_new_authz_retry_times=5 _authz_i=0 while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do From cbb74c984fa52d44137cf9f62421e4422312c991 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 16:30:04 +0800 Subject: [PATCH 30/49] minor --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index e1e66d85..27d1cc49 100755 --- a/acme.sh +++ b/acme.sh @@ -4508,6 +4508,7 @@ deactivate() { _d_domain_list="$1" _d_type="$2" _initpath + _initAPI _debug _d_domain_list "$_d_domain_list" if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]" From ce59fc6c102ec113921c1a20b81a487316e2db79 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 17:15:37 +0800 Subject: [PATCH 31/49] fix renew for stage cert --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index 27d1cc49..d2c8cf24 100755 --- a/acme.sh +++ b/acme.sh @@ -26,6 +26,7 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048 DEFAULT_OPENSSL_BIN="openssl" STAGE_CA="https://acme-staging.api.letsencrypt.org/directory" +_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org" VTYPE_HTTP="http-01" VTYPE_DNS="dns-01" @@ -3910,6 +3911,10 @@ renew() { export Le_API="$DEFAULT_CA" _savedomainconf Le_API "$Le_API" fi + if [ "$_OLD_STAGE_CA_HOST" = "$Le_API" ]; then + export Le_API="$STAGE_CA" + _savedomainconf Le_API "$Le_API" + fi export ACME_DIRECTORY="$Le_API" #reload ca configs ACCOUNT_KEY_PATH="" From 0a301cdd21f37a1b22da6c5709d82c3b526703e8 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Sat, 17 Jun 2017 11:28:49 +0200 Subject: [PATCH 32/49] added new line at the end of the file --- dnsapi/dns_infoblox.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh index da274bdb..06ac87ec 100644 --- a/dnsapi/dns_infoblox.sh +++ b/dnsapi/dns_infoblox.sh @@ -99,4 +99,4 @@ dns_infoblox_rm() { fi } -#################### Private functions below ################################## \ No newline at end of file +#################### Private functions below ################################## From 395fbbfd14737e7a70322ff0c1e3fe8d0e2161cf Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 20:49:45 +0800 Subject: [PATCH 33/49] fix cron --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4cb33139..5254bd11 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,7 +50,7 @@ RUN for verb in help \ RUN printf "%b" '#!'"/usr/bin/env sh\n \ if [ \"\$1\" = \"daemon\" ]; then \n \ - crond; tail -f /dev/null;\n \ + crond -f\n \ else \n \ /root/.acme.sh/acme.sh --config-home /acme.sh \"\$@\"\n \ fi" >/entry.sh && chmod +x /entry.sh From b9a972bccd0935b4042db950cb4f86bbd07afec4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 18 Jun 2017 09:52:59 +0800 Subject: [PATCH 34/49] fix openssl 1.1.0 for https://github.com/Neilpang/acme.sh/issues/888 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 84de9824..e79680c0 100755 --- a/acme.sh +++ b/acme.sh @@ -1093,7 +1093,7 @@ _readSubjectFromCSR() { _usage "_readSubjectFromCSR mycsr.csr" return 1 fi - ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n' + ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n' } #_csrfile From b963dadc14579609671793b4aa348433a5d345fd Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 18 Jun 2017 10:07:23 +0800 Subject: [PATCH 35/49] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e79680c0..8c067fd2 100755 --- a/acme.sh +++ b/acme.sh @@ -1093,7 +1093,7 @@ _readSubjectFromCSR() { _usage "_readSubjectFromCSR mycsr.csr" return 1 fi - ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n' + ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n' } #_csrfile From 2c9ed4c565c90833e38fc838a14455c8da8f55f8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 18 Jun 2017 10:18:20 +0800 Subject: [PATCH 36/49] check invalid subject cn in the csr fix https://github.com/Neilpang/acme.sh/issues/805 --- acme.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/acme.sh b/acme.sh index 8c067fd2..9ff8001f 100755 --- a/acme.sh +++ b/acme.sh @@ -3940,6 +3940,10 @@ signcsr() { return 1 fi _debug _csrsubj "$_csrsubj" + if _contains "$_csrsubj" ' ' || ! _contains "$_csrsubj" '.'; then + _info "It seems that the subject: $_csrsubj is not a valid domain name. Drop it." + _csrsubj="" + fi _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile") if [ "$?" != "0" ]; then From 08b4e1a744000db29a0014de86684701602575c1 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 18 Jun 2017 22:13:33 +0800 Subject: [PATCH 37/49] add ACME_NO_COLOR and `--no-color` not to ouput color text --- acme.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 1ddec824..f20d935f 100755 --- a/acme.sh +++ b/acme.sh @@ -104,21 +104,21 @@ if [ -t 1 ]; then fi __green() { - if [ "$__INTERACTIVE" ]; then + if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then printf '\033[1;31;32m' fi printf -- "%b" "$1" - if [ "$__INTERACTIVE" ]; then + if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then printf '\033[0m' fi } __red() { - if [ "$__INTERACTIVE" ]; then + if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then printf '\033[1;31;40m' fi printf -- "%b" "$1" - if [ "$__INTERACTIVE" ]; then + if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then printf '\033[0m' fi } @@ -4896,6 +4896,7 @@ Parameters: --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate. --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically. + --no-color Do not output color text. --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR' --csr Specifies the input csr. --pre-hook Command to be run before obtaining any certificates. @@ -5343,6 +5344,9 @@ _process() { --nocron) _nocron="1" ;; + --no-color) + export ACME_NO_COLOR=1 + ;; --ecc) _ecc="isEcc" ;; From 8afec596aabe4795036b7387e092c7cb4cd6995b Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 19 Jun 2017 20:05:43 +0800 Subject: [PATCH 38/49] fix https://github.com/Neilpang/acme.sh/issues/882#issuecomment-309383956 --- acme.sh | 46 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/acme.sh b/acme.sh index d2c8cf24..c9c58074 100755 --- a/acme.sh +++ b/acme.sh @@ -1716,9 +1716,18 @@ _send_signed_request() { while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do _debug3 _request_retry_times "$_request_retry_times" if [ -z "$_CACHED_NONCE" ]; then - _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY" - nonceurl="$ACME_DIRECTORY" - _headers="$(_get "$nonceurl" "onlyheader")" + if [ "$ACME_NEW_NONCE" ]; then + _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE" + nonceurl="$ACME_NEW_NONCE" + if _post "" "$nonceurl" "" "HEAD"; then + _headers="$(cat "$HTTP_HEADER")" + fi + fi + if [ -z "$_headers" ]; then + _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY" + nonceurl="$ACME_DIRECTORY" + _headers="$(_get "$nonceurl" "onlyheader")" + fi if [ "$?" != "0" ]; then _err "Can not connect to $nonceurl to get nonce." @@ -2180,12 +2189,12 @@ _initAPI() { #just for performance, hardcode the default entry points export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz" - export ACME_NEW_CERT="https://acme-v01.api.letsencrypt.org/acme/new-cert" - export ACME_NEW_REG="https://acme-v01.api.letsencrypt.org/acme/new-reg" + export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert" + export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg" export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert" fi - if [ -z "$ACME_KEY_CHANGE" ]; then + if [ -z "$ACME_NEW_ACCOUNT" ]; then response=$(_get "$_api_server") if [ "$?" != "0" ]; then _debug2 "response" "$response" @@ -2200,21 +2209,30 @@ _initAPI() { ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_NEW_AUTHZ - ACME_NEW_CERT=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) - export ACME_NEW_CERT + ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) + if [ -z "$ACME_NEW_ORDER" ]; then + ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3) + fi + export ACME_NEW_ORDER - ACME_NEW_REG=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) - export ACME_NEW_REG + ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) + if [ -z "$ACME_NEW_ACCOUNT" ]; then + ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3) + fi + export ACME_NEW_ACCOUNT ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_REVOKE_CERT + ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_NONCE + fi _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE" _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" - _debug "ACME_NEW_CERT" "$ACME_NEW_CERT" - _debug "ACME_NEW_REG" "$ACME_NEW_REG" + _debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" + _debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT" _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" } @@ -3086,7 +3104,7 @@ _regAccount() { if [ -z "$_updateTos" ]; then _info "Registering account" - if ! _send_signed_request "${ACME_NEW_REG}" "$regjson"; then + if ! _send_signed_request "${ACME_NEW_ACCOUNT}" "$regjson"; then _err "Register account Error: $response" return 1 fi @@ -3737,7 +3755,7 @@ issue() { _info "Verify finished, start to sign." der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" - if ! _send_signed_request "${ACME_NEW_CERT}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then + if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then _err "Sign failed." _on_issue_err "$_post_hook" return 1 From 87f3dc4558dbdb0f54a0adf6d9f2df093bbb6985 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 19 Jun 2017 20:19:30 +0800 Subject: [PATCH 39/49] fix server host --- acme.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index c9c58074..18ed71a7 100755 --- a/acme.sh +++ b/acme.sh @@ -2265,7 +2265,7 @@ _initpath() { fi fi - _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -d '/')" + _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)" _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" CA_DIR="$CA_HOME/$_ACME_SERVER_HOST" @@ -5119,6 +5119,7 @@ _process() { _openssl_bin="" _syslog="" _use_wget="" + _server="" while [ ${#} -gt 0 ]; do case "${1}" in @@ -5237,6 +5238,7 @@ _process() { ;; --server) ACME_DIRECTORY="$2" + _server="$ACME_DIRECTORY" export ACME_DIRECTORY shift ;; @@ -5560,6 +5562,9 @@ _process() { if [ "$DEBUG" ]; then version + if [ "$_server" ]; then + _debug "Using server: $_server" + fi fi case "${_CMD}" in From 1d384e3192a4ace6d3ef708d43e65e0015cd2e1d Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 19 Jun 2017 20:24:31 +0800 Subject: [PATCH 40/49] minor --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index 18ed71a7..428340d2 100755 --- a/acme.sh +++ b/acme.sh @@ -1716,6 +1716,7 @@ _send_signed_request() { while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do _debug3 _request_retry_times "$_request_retry_times" if [ -z "$_CACHED_NONCE" ]; then + _headers="" if [ "$ACME_NEW_NONCE" ]; then _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE" nonceurl="$ACME_NEW_NONCE" From 48d9a8c18051ecd8bcd2922b14b0f83e99804663 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 15:49:45 +0800 Subject: [PATCH 41/49] support `--server` --- acme.sh | 104 +++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 19 deletions(-) diff --git a/acme.sh b/acme.sh index f20d935f..ebee1e95 100755 --- a/acme.sh +++ b/acme.sh @@ -13,7 +13,8 @@ _SCRIPT_="$0" _SUB_FOLDERS="dnsapi deploy" -DEFAULT_CA="https://acme-v01.api.letsencrypt.org" +_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org" +DEFAULT_CA="https://acme-v01.api.letsencrypt.org/directory" DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" @@ -24,7 +25,7 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048 DEFAULT_OPENSSL_BIN="openssl" -STAGE_CA="https://acme-staging.api.letsencrypt.org" +STAGE_CA="https://acme-staging.api.letsencrypt.org/directory" VTYPE_HTTP="http-01" VTYPE_DNS="dns-01" @@ -1714,8 +1715,8 @@ _send_signed_request() { while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do _debug3 _request_retry_times "$_request_retry_times" if [ -z "$_CACHED_NONCE" ]; then - _debug2 "Get nonce." - nonceurl="$API/directory" + _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY" + nonceurl="$ACME_DIRECTORY" _headers="$(_get "$nonceurl" "onlyheader")" if [ "$?" != "0" ]; then @@ -2169,6 +2170,53 @@ __initHome() { fi } +#server +_initAPI() { + _api_server="${1:-$ACME_DIRECTORY}" + _debug "_init api for server: $_api_server" + + if [ "$_api_server" = "$DEFAULT_CA" ]; then + #just for performance, hardcode the default entry points + export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" + export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz" + export ACME_NEW_CERT="https://acme-v01.api.letsencrypt.org/acme/new-cert" + export ACME_NEW_REG="https://acme-v01.api.letsencrypt.org/acme/new-reg" + export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert" + fi + + if [ -z "$ACME_KEY_CHANGE" ]; then + response=$(_get "$_api_server") + if [ "$?" != "0" ]; then + _debug2 "response" "$response" + _err "Can not init api." + return 1 + fi + _debug2 "response" "$response" + + ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_KEY_CHANGE + + ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_AUTHZ + + ACME_NEW_CERT=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_CERT + + ACME_NEW_REG=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_REG + + ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_REVOKE_CERT + + fi + + _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE" + _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" + _debug "ACME_NEW_CERT" "$ACME_NEW_CERT" + _debug "ACME_NEW_REG" "$ACME_NEW_REG" + _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" +} + #[domain] [keylength] _initpath() { @@ -2189,17 +2237,19 @@ _initpath() { CA_HOME="$DEFAULT_CA_HOME" fi - if [ -z "$API" ]; then + if [ -z "$ACME_DIRECTORY" ]; then if [ -z "$STAGE" ]; then - API="$DEFAULT_CA" + ACME_DIRECTORY="$DEFAULT_CA" else - API="$STAGE_CA" - _info "Using stage api:$API" + ACME_DIRECTORY="$STAGE_CA" + _info "Using stage ACME_DIRECTORY: $ACME_DIRECTORY" fi fi - _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')" - CA_DIR="$CA_HOME/$_API_HOST" + _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -d '/')" + _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" + + CA_DIR="$CA_HOME/$_ACME_SERVER_HOST" _DEFAULT_CA_CONF="$CA_DIR/ca.conf" @@ -3020,7 +3070,7 @@ _regAccount() { if ! _calcjwk "$ACCOUNT_KEY_PATH"; then return 1 fi - + _initAPI _updateTos="" _reg_res="new-reg" while true; do @@ -3035,7 +3085,7 @@ _regAccount() { if [ -z "$_updateTos" ]; then _info "Registering account" - if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then + if ! _send_signed_request "${ACME_NEW_REG}" "$regjson"; then _err "Register account Error: $response" return 1 fi @@ -3126,7 +3176,7 @@ __get_domain_new_authz() { _authz_i=0 while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do _debug "Try new-authz for the $_authz_i time." - if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then + if ! _send_signed_request "${ACME_NEW_AUTHZ}" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then _err "Can not get domain new authz." return 1 fi @@ -3204,13 +3254,16 @@ issue() { if [ "$_web_roots" = "dns-cx" ]; then _web_roots="dns_cx" fi - _debug "Using api: $API" if [ ! "$IS_RENEW" ]; then _initpath "$_main_domain" "$_key_length" mkdir -p "$DOMAIN_PATH" fi + _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY" + + _initAPI + if [ -f "$DOMAIN_CONF" ]; then Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime) _debug Le_NextRenewTime "$Le_NextRenewTime" @@ -3244,7 +3297,7 @@ issue() { _cleardomainconf "Le_LocalAddress" fi - Le_API="$API" + Le_API="$ACME_DIRECTORY" _savedomainconf "Le_API" "$Le_API" if [ "$_alt_domains" = "$NO_VALUE" ]; then @@ -3683,7 +3736,7 @@ issue() { _info "Verify finished, start to sign." der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" - if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then + if ! _send_signed_request "${ACME_NEW_CERT}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then _err "Sign failed." _on_issue_err "$_post_hook" return 1 @@ -3736,7 +3789,8 @@ issue() { Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>') if ! _contains "$Le_LinkIssuer" ":"; then - Le_LinkIssuer="$API$Le_LinkIssuer" + _info "$(__red "Relative issuer link found.")" + Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer" fi _debug Le_LinkIssuer "$Le_LinkIssuer" _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer" @@ -3852,7 +3906,11 @@ renew() { . "$DOMAIN_CONF" if [ "$Le_API" ]; then - API="$Le_API" + if [ "$_OLD_CA_HOST" = "$Le_API" ]; then + export Le_API="$DEFAULT_CA" + _savedomainconf Le_API "$Le_API" + fi + export ACME_DIRECTORY="$Le_API" #reload ca configs ACCOUNT_KEY_PATH="" ACCOUNT_JSON_PATH="" @@ -4319,8 +4377,10 @@ revoke() { return 1 fi + _initAPI + data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}" - uri="$API/acme/revoke-cert" + uri="${ACME_REVOKE_CERT}" if [ -f "$CERT_KEY_PATH" ]; then _info "Try domain key first." @@ -4879,6 +4939,7 @@ Parameters: --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server. + --server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory) --accountconf Specifies a customized account config file. --home Specifies the home dir for $PROJECT_NAME . --cert-home Specifies the home dir to save all the certs, only valid for '--install' command. @@ -5155,6 +5216,11 @@ _process() { --staging | --test) STAGE="1" ;; + --server) + ACME_DIRECTORY="$2" + export ACME_DIRECTORY + shift + ;; --debug) if [ -z "$2" ] || _startswith "$2" "-"; then DEBUG="$DEBUG_LEVEL_DEFAULT" From 4cee14f3c5503699ffb9c19cc5eb81d9b11265d4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 15:59:27 +0800 Subject: [PATCH 42/49] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index ebee1e95..676a7201 100755 --- a/acme.sh +++ b/acme.sh @@ -2174,7 +2174,7 @@ __initHome() { _initAPI() { _api_server="${1:-$ACME_DIRECTORY}" _debug "_init api for server: $_api_server" - + if [ "$_api_server" = "$DEFAULT_CA" ]; then #just for performance, hardcode the default entry points export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" From 40ef86f475dcefcc46d3997869079aa0fb3d000e Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 16:20:32 +0800 Subject: [PATCH 43/49] fix for deactivate function --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 676a7201..b1ddb500 100755 --- a/acme.sh +++ b/acme.sh @@ -3171,7 +3171,7 @@ _findHook() { __get_domain_new_authz() { _gdnd="$1" _info "Getting new-authz for domain" "$_gdnd" - + _initAPI _Max_new_authz_retry_times=5 _authz_i=0 while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do From a3bdaa85f2c944c828ee74e94669bef4d2f80649 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 16:30:04 +0800 Subject: [PATCH 44/49] minor --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index b1ddb500..43929203 100755 --- a/acme.sh +++ b/acme.sh @@ -4512,6 +4512,7 @@ deactivate() { _d_domain_list="$1" _d_type="$2" _initpath + _initAPI _debug _d_domain_list "$_d_domain_list" if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]" From 4a2ac7bd2ec2f95bd4974e751dbcac49e8c4e402 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 17 Jun 2017 17:15:37 +0800 Subject: [PATCH 45/49] fix renew for stage cert --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index 43929203..2ee7740c 100755 --- a/acme.sh +++ b/acme.sh @@ -26,6 +26,7 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048 DEFAULT_OPENSSL_BIN="openssl" STAGE_CA="https://acme-staging.api.letsencrypt.org/directory" +_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org" VTYPE_HTTP="http-01" VTYPE_DNS="dns-01" @@ -3910,6 +3911,10 @@ renew() { export Le_API="$DEFAULT_CA" _savedomainconf Le_API "$Le_API" fi + if [ "$_OLD_STAGE_CA_HOST" = "$Le_API" ]; then + export Le_API="$STAGE_CA" + _savedomainconf Le_API "$Le_API" + fi export ACME_DIRECTORY="$Le_API" #reload ca configs ACCOUNT_KEY_PATH="" From cae50e16a71bdf921b9a1bd4708625cf8471278f Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 19 Jun 2017 20:05:43 +0800 Subject: [PATCH 46/49] fix https://github.com/Neilpang/acme.sh/issues/882#issuecomment-309383956 --- acme.sh | 46 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/acme.sh b/acme.sh index 2ee7740c..81668480 100755 --- a/acme.sh +++ b/acme.sh @@ -1716,9 +1716,18 @@ _send_signed_request() { while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do _debug3 _request_retry_times "$_request_retry_times" if [ -z "$_CACHED_NONCE" ]; then - _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY" - nonceurl="$ACME_DIRECTORY" - _headers="$(_get "$nonceurl" "onlyheader")" + if [ "$ACME_NEW_NONCE" ]; then + _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE" + nonceurl="$ACME_NEW_NONCE" + if _post "" "$nonceurl" "" "HEAD"; then + _headers="$(cat "$HTTP_HEADER")" + fi + fi + if [ -z "$_headers" ]; then + _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY" + nonceurl="$ACME_DIRECTORY" + _headers="$(_get "$nonceurl" "onlyheader")" + fi if [ "$?" != "0" ]; then _err "Can not connect to $nonceurl to get nonce." @@ -2180,12 +2189,12 @@ _initAPI() { #just for performance, hardcode the default entry points export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz" - export ACME_NEW_CERT="https://acme-v01.api.letsencrypt.org/acme/new-cert" - export ACME_NEW_REG="https://acme-v01.api.letsencrypt.org/acme/new-reg" + export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert" + export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg" export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert" fi - if [ -z "$ACME_KEY_CHANGE" ]; then + if [ -z "$ACME_NEW_ACCOUNT" ]; then response=$(_get "$_api_server") if [ "$?" != "0" ]; then _debug2 "response" "$response" @@ -2200,21 +2209,30 @@ _initAPI() { ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_NEW_AUTHZ - ACME_NEW_CERT=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) - export ACME_NEW_CERT + ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) + if [ -z "$ACME_NEW_ORDER" ]; then + ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3) + fi + export ACME_NEW_ORDER - ACME_NEW_REG=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) - export ACME_NEW_REG + ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) + if [ -z "$ACME_NEW_ACCOUNT" ]; then + ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3) + fi + export ACME_NEW_ACCOUNT ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_REVOKE_CERT + ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_NONCE + fi _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE" _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" - _debug "ACME_NEW_CERT" "$ACME_NEW_CERT" - _debug "ACME_NEW_REG" "$ACME_NEW_REG" + _debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" + _debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT" _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" } @@ -3086,7 +3104,7 @@ _regAccount() { if [ -z "$_updateTos" ]; then _info "Registering account" - if ! _send_signed_request "${ACME_NEW_REG}" "$regjson"; then + if ! _send_signed_request "${ACME_NEW_ACCOUNT}" "$regjson"; then _err "Register account Error: $response" return 1 fi @@ -3737,7 +3755,7 @@ issue() { _info "Verify finished, start to sign." der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" - if ! _send_signed_request "${ACME_NEW_CERT}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then + if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then _err "Sign failed." _on_issue_err "$_post_hook" return 1 From 98394f99b5649be9df419fd3bed5bfef4658971c Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 19 Jun 2017 20:19:30 +0800 Subject: [PATCH 47/49] fix server host --- acme.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 81668480..a9a9c040 100755 --- a/acme.sh +++ b/acme.sh @@ -2265,7 +2265,7 @@ _initpath() { fi fi - _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -d '/')" + _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)" _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" CA_DIR="$CA_HOME/$_ACME_SERVER_HOST" @@ -5124,6 +5124,7 @@ _process() { _openssl_bin="" _syslog="" _use_wget="" + _server="" while [ ${#} -gt 0 ]; do case "${1}" in @@ -5242,6 +5243,7 @@ _process() { ;; --server) ACME_DIRECTORY="$2" + _server="$ACME_DIRECTORY" export ACME_DIRECTORY shift ;; @@ -5568,6 +5570,9 @@ _process() { if [ "$DEBUG" ]; then version + if [ "$_server" ]; then + _debug "Using server: $_server" + fi fi case "${_CMD}" in From 8f01919f62513ad4daa08db2d292de1040381351 Mon Sep 17 00:00:00 2001 From: neilpang Date: Mon, 19 Jun 2017 20:24:31 +0800 Subject: [PATCH 48/49] minor --- acme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/acme.sh b/acme.sh index a9a9c040..dea5b4a7 100755 --- a/acme.sh +++ b/acme.sh @@ -1716,6 +1716,7 @@ _send_signed_request() { while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do _debug3 _request_retry_times "$_request_retry_times" if [ -z "$_CACHED_NONCE" ]; then + _headers="" if [ "$ACME_NEW_NONCE" ]; then _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE" nonceurl="$ACME_NEW_NONCE" From 88ada806863aaaf3b0037573715d3bd589b3cafe Mon Sep 17 00:00:00 2001 From: neilpang Date: Tue, 20 Jun 2017 21:51:18 +0800 Subject: [PATCH 49/49] step to 2.7.3 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index dea5b4a7..09cc9fd4 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=2.7.2 +VER=2.7.3 PROJECT_NAME="acme.sh"