Merge pull request #4006 from acmesh-official/dev

sync
2022-03-30 23:03:44 +08:00 · 2022-03-30 23:03:44 +08:00 · 6145465823
parent 9ebb2ac2e4 fb5091a388
commit 6145465823
6 changed files with 192 additions and 43 deletions
--- a/acme.sh
+++ b/acme.sh
@ -34,6 +34,9 @@ _ZERO_EAB_ENDPOINT="https://api.zerossl.com/acme/eab-credentials-email"
 CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
 CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"

+CA_GOOGLE="https://dv.acme-v02.api.pki.goog/directory"
+CA_GOOGLE_TEST="https://dv.acme-v02.test-api.pki.goog/directory"
+
 DEFAULT_CA=$CA_ZEROSSL
 DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST

@ -44,9 +47,11 @@ LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
 BuyPass.com,buypass
 BuyPass.com_test,buypass_test,buypasstest
 SSL.com,sslcom
+Google.com,google
+Google.com_test,googletest,google_test
 "

-CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA"
+CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST"

 DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"

@ -1845,7 +1850,9 @@ _inithttp() {
      _ACME_WGET="$_ACME_WGET --max-redirect 0 "
    fi
    if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
-      _ACME_WGET="$_ACME_WGET -d "
+      if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--debug"; then
+        _ACME_WGET="$_ACME_WGET -d "
+      fi
    fi
    if [ "$CA_PATH" ]; then
      _ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH "
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@ -70,6 +70,7 @@ routeros_deploy() {
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
+  _err_code=0

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
@ -126,11 +127,17 @@ routeros_deploy() {
  _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
  _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"

-  _info "Trying to push key '$_ckey' to router"
-  $ROUTER_OS_SCP_CMD "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
-  _info "Trying to push cert '$_cfullchain' to router"
-  $ROUTER_OS_SCP_CMD "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USER \
+  # push key to routeros
+  if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
+    return $_err_code
+  fi
+
+  # push certificate chain to routeros
+  if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
+    return $_err_code
+  fi
+
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
 comment=\"generated by routeros deploy script in acme.sh\" \
 source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
@ -146,12 +153,51 @@ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n$ROUTER_OS_ADDITIONAL_SERVICES;\
 \n\"
 "
-  # shellcheck disable=SC2029
-  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
-  # shellcheck disable=SC2029
-  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
-  # shellcheck disable=SC2029
-  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
+
+  if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then
+    return $_err_code
+  fi
+
+  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
+    return $_err_code
+  fi
+
+  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
+    return $_err_code
+  fi

  return 0
 }
+
+# inspired by deploy/ssh.sh
+_ssh_remote_cmd() {
+  _cmd="$1"
+  _secure_debug "Remote commands to execute: $_cmd"
+  _info "Submitting sequence of commands to routeros"
+  # quotations in bash cmd below intended.  Squash travis spellcheck error
+  # shellcheck disable=SC2029
+  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
+  _err_code="$?"
+
+  if [ "$_err_code" != "0" ]; then
+    _err "Error code $_err_code returned from routeros"
+  fi
+
+  return $_err_code
+}
+
+_scp_certificate() {
+  _src="$1"
+  _dst="$2"
+  _secure_debug "scp '$_src' to '$_dst'"
+  _info "Push key '$_src' to routeros"
+
+  $ROUTER_OS_SCP_CMD "$_src" "$_dst"
+  _err_code="$?"
+
+  if [ "$_err_code" != "0" ]; then
+    _err "Error code $_err_code returned from scp"
+  fi
+
+  return $_err_code
+}
--- a/deploy/truenas.sh
+++ b/deploy/truenas.sh
@ -38,7 +38,7 @@ truenas_deploy() {
  _getdeployconf DEPLOY_TRUENAS_APIKEY

  if [ -z "$DEPLOY_TRUENAS_APIKEY" ]; then
-    _err "TrueNAS Api Key is not found, please define DEPLOY_TRUENAS_APIKEY."
+    _err "TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable."
    return 1
  fi
  _secure_debug2 DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
@ -62,15 +62,14 @@ truenas_deploy() {

  _info "Testing Connection TrueNAS"
  _response=$(_get "$_api_url/system/state")
-  _info "TrueNAS System State: $_response."
+  _info "TrueNAS system state: $_response."

  if [ -z "$_response" ]; then
    _err "Unable to authenticate to $_api_url."
-    _err 'Check your Connection and set DEPLOY_TRUENAS_HOSTNAME="192.168.178.x".'
-    _err 'or'
-    _err 'set DEPLOY_TRUENAS_HOSTNAME="<truenas_dnsname>".'
-    _err 'Check your Connection and set DEPLOY_TRUENAS_SCHEME="https".'
-    _err "Check your Api Key."
+    _err 'Check your connection settings are correct, e.g.'
+    _err 'DEPLOY_TRUENAS_HOSTNAME="192.168.x.y" or DEPLOY_TRUENAS_HOSTNAME="truenas.example.com".'
+    _err 'DEPLOY_TRUENAS_SCHEME="https" or DEPLOY_TRUENAS_SCHEME="http".'
+    _err "Verify your TrueNAS API key is valid and set correctly, e.g. DEPLOY_TRUENAS_APIKEY=xxxx...."
    return 1
  fi

@ -78,7 +77,7 @@ truenas_deploy() {
  _savedeployconf DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME"
  _savedeployconf DEPLOY_TRUENAS_SCHEME "$DEPLOY_TRUENAS_SCHEME"

-  _info "Getting active certificate from TrueNAS"
+  _info "Getting current active certificate from TrueNAS"
  _response=$(_get "$_api_url/system/general")
  _active_cert_id=$(echo "$_response" | grep -B2 '"name":' | grep 'id' | tr -d -- '"id: ,')
  _active_cert_name=$(echo "$_response" | grep '"name":' | sed -n 's/.*: "\(.\{1,\}\)",$/\1/p')
@ -88,14 +87,14 @@ truenas_deploy() {
  _debug Active_UI_http_redirect "$_param_httpsredirect"

  if [ "$DEPLOY_TRUENAS_SCHEME" = "http" ] && [ "$_param_httpsredirect" = "true" ]; then
-    _info "http Redirect active"
+    _info "HTTP->HTTPS redirection is enabled"
    _info "Setting DEPLOY_TRUENAS_SCHEME to 'https'"
    DEPLOY_TRUENAS_SCHEME="https"
    _api_url="$DEPLOY_TRUENAS_SCHEME://$DEPLOY_TRUENAS_HOSTNAME/api/v2.0"
    _savedeployconf DEPLOY_TRUENAS_SCHEME "$DEPLOY_TRUENAS_SCHEME"
  fi

-  _info "Upload new certifikate to TrueNAS"
+  _info "Uploading new certificate to TrueNAS"
  _certname="Letsencrypt_$(_utc_date | tr ' ' '_' | tr -d -- ':')"
  _debug3 _certname "$_certname"

@ -104,30 +103,30 @@ truenas_deploy() {

  _debug3 _add_cert_result "$_add_cert_result"

-  _info "Getting Certificate list to get new Cert ID"
+  _info "Fetching list of installed certificates"
  _cert_list=$(_get "$_api_url/system/general/ui_certificate_choices")
  _cert_id=$(echo "$_cert_list" | grep "$_certname" | sed -n 's/.*"\([0-9]\{1,\}\)".*$/\1/p')

  _debug3 _cert_id "$_cert_id"

-  _info "Activate Certificate ID: $_cert_id"
+  _info "Current activate certificate ID: $_cert_id"
  _activateData="{\"ui_certificate\": \"${_cert_id}\"}"
  _activate_result="$(_post "$_activateData" "$_api_url/system/general" "" "PUT" "application/json")"

  _debug3 _activate_result "$_activate_result"

-  _info "Check if WebDAV certificate is the same as the WEB UI"
+  _info "Checking if WebDAV certificate is the same as the TrueNAS web UI"
  _webdav_list=$(_get "$_api_url/webdav")
  _webdav_cert_id=$(echo "$_webdav_list" | grep '"certssl":' | tr -d -- '"certsl: ,')

  if [ "$_webdav_cert_id" = "$_active_cert_id" ]; then
-    _info "Update the WebDAV Certificate"
+    _info "Updating the WebDAV certificate"
    _debug _webdav_cert_id "$_webdav_cert_id"
    _webdav_data="{\"certssl\": \"${_cert_id}\"}"
    _activate_webdav_cert="$(_post "$_webdav_data" "$_api_url/webdav" "" "PUT" "application/json")"
-    _webdav_new_cert_id=$(echo "$_activate_webdav_cert" | _json_decode | sed -n 's/.*: \([0-9]\{1,\}\) }$/\1/p')
+    _webdav_new_cert_id=$(echo "$_activate_webdav_cert" | _json_decode | grep '"certssl":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
    if [ "$_webdav_new_cert_id" -eq "$_cert_id" ]; then
-      _info "WebDAV Certificate update successfully"
+      _info "WebDAV certificate updated successfully"
    else
      _err "Unable to set WebDAV certificate"
      _debug3 _activate_webdav_cert "$_activate_webdav_cert"
@ -136,21 +135,21 @@ truenas_deploy() {
    fi
    _debug3 _webdav_new_cert_id "$_webdav_new_cert_id"
  else
-    _info "WebDAV certificate not set or not the same as Web UI"
+    _info "WebDAV certificate is not configured or is not the same as TrueNAS web UI"
  fi

-  _info "Check if FTP certificate is the same as the WEB UI"
+  _info "Checking if FTP certificate is the same as the TrueNAS web UI"
  _ftp_list=$(_get "$_api_url/ftp")
  _ftp_cert_id=$(echo "$_ftp_list" | grep '"ssltls_certificate":' | tr -d -- '"certislfa:_ ,')

  if [ "$_ftp_cert_id" = "$_active_cert_id" ]; then
-    _info "Update the FTP Certificate"
+    _info "Updating the FTP certificate"
    _debug _ftp_cert_id "$_ftp_cert_id"
    _ftp_data="{\"ssltls_certificate\": \"${_cert_id}\"}"
    _activate_ftp_cert="$(_post "$_ftp_data" "$_api_url/ftp" "" "PUT" "application/json")"
-    _ftp_new_cert_id=$(echo "$_activate_ftp_cert" | _json_decode | sed -n 's/.*: \([0-9]\{1,\}\) }$/\1/p')
+    _ftp_new_cert_id=$(echo "$_activate_ftp_cert" | _json_decode | grep '"ssltls_certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
    if [ "$_ftp_new_cert_id" -eq "$_cert_id" ]; then
-      _info "FTP Certificate update successfully"
+      _info "FTP certificate updated successfully"
    else
      _err "Unable to set FTP certificate"
      _debug3 _activate_ftp_cert "$_activate_ftp_cert"
@ -159,22 +158,45 @@ truenas_deploy() {
    fi
    _debug3 _activate_ftp_cert "$_activate_ftp_cert"
  else
-    _info "FTP certificate not set or not the same as Web UI"
+    _info "FTP certificate is not configured or is not the same as TrueNAS web UI"
  fi

-  _info "Delete old Certificate"
+  _info "Checking if S3 certificate is the same as the TrueNAS web UI"
+  _s3_list=$(_get "$_api_url/s3")
+  _s3_cert_id=$(echo "$_s3_list" | grep '"certificate":' | tr -d -- '"certifa:_ ,')
+
+  if [ "$_s3_cert_id" = "$_active_cert_id" ]; then
+    _info "Updating the S3 certificate"
+    _debug _s3_cert_id "$_s3_cert_id"
+    _s3_data="{\"certificate\": \"${_cert_id}\"}"
+    _activate_s3_cert="$(_post "$_s3_data" "$_api_url/s3" "" "PUT" "application/json")"
+    _s3_new_cert_id=$(echo "$_activate_s3_cert" | _json_decode | grep '"certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
+    if [ "$_s3_new_cert_id" -eq "$_cert_id" ]; then
+      _info "S3 certificate updated successfully"
+    else
+      _err "Unable to set S3 certificate"
+      _debug3 _activate_s3_cert "$_activate_s3_cert"
+      _debug3 _s3_new_cert_id "$_s3_new_cert_id"
+      return 1
+    fi
+    _debug3 _activate_s3_cert "$_activate_s3_cert"
+  else
+    _info "S3 certificate is not configured or is not the same as TrueNAS web UI"
+  fi
+
+  _info "Deleting old certificate"
  _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")"

  _debug3 _delete_result "$_delete_result"

-  _info "Reload WebUI from TrueNAS"
+  _info "Reloading TrueNAS web UI"
  _restart_UI=$(_get "$_api_url/system/general/ui_restart")
  _debug2 _restart_UI "$_restart_UI"

  if [ -n "$_add_cert_result" ] && [ -n "$_activate_result" ]; then
    return 0
  else
-    _err "Certupdate was not succesfull, please use --debug"
+    _err "Certificate update was not succesful, please try again with --debug"
    return 1
  fi
 }
--- a/dnsapi/dns_geoscaling.sh
+++ b/dnsapi/dns_geoscaling.sh
@ -58,6 +58,17 @@ dns_geoscaling_rm() {
  txt_value=$2
  _info "Cleaning up after DNS-01 Geoscaling DNS2 hook"

+  GEOSCALING_Username="${GEOSCALING_Username:-$(_readaccountconf_mutable GEOSCALING_Username)}"
+  GEOSCALING_Password="${GEOSCALING_Password:-$(_readaccountconf_mutable GEOSCALING_Password)}"
+  if [ -z "$GEOSCALING_Username" ] || [ -z "$GEOSCALING_Password" ]; then
+    GEOSCALING_Username=
+    GEOSCALING_Password=
+    _err "No auth details provided. Please set user credentials using the \$GEOSCALING_Username and \$GEOSCALING_Password environment variables."
+    return 1
+  fi
+  _saveaccountconf_mutable GEOSCALING_Username "${GEOSCALING_Username}"
+  _saveaccountconf_mutable GEOSCALING_Password "${GEOSCALING_Password}"
+
  # fills in the $zone_id
  find_zone "${full_domain}" || return 1
  _debug "Zone id '${zone_id}' will be used."
--- a/dnsapi/dns_simply.sh
+++ b/dnsapi/dns_simply.sh
@ -5,8 +5,8 @@
 #SIMPLY_AccountName="accountname"
 #SIMPLY_ApiKey="apikey"
 #
-#SIMPLY_Api="https://api.simply.com/1/[ACCOUNTNAME]/[APIKEY]"
-SIMPLY_Api_Default="https://api.simply.com/1"
+#SIMPLY_Api="https://api.simply.com/2/"
+SIMPLY_Api_Default="https://api.simply.com/2"

 #This is used for determining success of REST call
 SIMPLY_SUCCESS_CODE='"status":200'
@ -237,12 +237,18 @@ _simply_rest() {
  _debug2 ep "$ep"
  _debug2 m "$m"

-  export _H1="Content-Type: application/json"
+  basicauth=$(printf "%s:%s" "$SIMPLY_AccountName" "$SIMPLY_ApiKey" | _base64)
+
+  if [ "$basicauth" ]; then
+    export _H1="Authorization: Basic $basicauth"
+  fi
+
+  export _H2="Content-Type: application/json"

  if [ "$m" != "GET" ]; then
-    response="$(_post "$data" "$SIMPLY_Api/$SIMPLY_AccountName/$SIMPLY_ApiKey/$ep" "" "$m")"
+    response="$(_post "$data" "$SIMPLY_Api/$ep" "" "$m")"
  else
-    response="$(_get "$SIMPLY_Api/$SIMPLY_AccountName/$SIMPLY_ApiKey/$ep")"
+    response="$(_get "$SIMPLY_Api/$ep")"
  fi

  if [ "$?" != "0" ]; then
--- a/notify/discord.sh
+++ b/notify/discord.sh
@ -0,0 +1,57 @@
+#!/usr/bin/env sh
+
+#Support Discord webhooks
+
+# Required:
+#DISCORD_WEBHOOK_URL=""
+# Optional:
+#DISCORD_USERNAME=""
+#DISCORD_AVATAR_URL=""
+
+discord_send() {
+  _subject="$1"
+  _content="$2"
+  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _debug "_statusCode" "$_statusCode"
+
+  DISCORD_WEBHOOK_URL="${DISCORD_WEBHOOK_URL:-$(_readaccountconf_mutable DISCORD_WEBHOOK_URL)}"
+  if [ -z "$DISCORD_WEBHOOK_URL" ]; then
+    DISCORD_WEBHOOK_URL=""
+    _err "You didn't specify a Discord webhook url DISCORD_WEBHOOK_URL yet."
+    return 1
+  fi
+  _saveaccountconf_mutable DISCORD_WEBHOOK_URL "$DISCORD_WEBHOOK_URL"
+
+  DISCORD_USERNAME="${DISCORD_USERNAME:-$(_readaccountconf_mutable DISCORD_USERNAME)}"
+  if [ "$DISCORD_USERNAME" ]; then
+    _saveaccountconf_mutable DISCORD_USERNAME "$DISCORD_USERNAME"
+  fi
+
+  DISCORD_AVATAR_URL="${DISCORD_AVATAR_URL:-$(_readaccountconf_mutable DISCORD_AVATAR_URL)}"
+  if [ "$DISCORD_AVATAR_URL" ]; then
+    _saveaccountconf_mutable DISCORD_AVATAR_URL "$DISCORD_AVATAR_URL"
+  fi
+
+  export _H1="Content-Type: application/json"
+
+  _content="$(printf "**%s**\n%s" "$_subject" "$_content" | _json_encode)"
+  _data="{\"content\": \"$_content\" "
+  if [ "$DISCORD_USERNAME" ]; then
+    _data="$_data, \"username\": \"$DISCORD_USERNAME\" "
+  fi
+  if [ "$DISCORD_AVATAR_URL" ]; then
+    _data="$_data, \"avatar_url\": \"$DISCORD_AVATAR_URL\" "
+  fi
+  _data="$_data}"
+
+  if _post "$_data" "$DISCORD_WEBHOOK_URL?wait=true"; then
+    # shellcheck disable=SC2154
+    if [ "$response" ]; then
+      _info "discord send success."
+      return 0
+    fi
+  fi
+  _err "discord send error."
+  _err "$response"
+  return 1
+}