mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-11-17 20:01:46 +00:00
Merge remote-tracking branch 'upstream/master' into ssh-deploy
This commit is contained in:
commit
89f66ebf6d
11
README.md
11
README.md
@ -161,17 +161,17 @@ You **MUST** use this command to copy the certs to the target files, **DO NOT**
|
|||||||
**Apache** example:
|
**Apache** example:
|
||||||
```bash
|
```bash
|
||||||
acme.sh --install-cert -d example.com \
|
acme.sh --install-cert -d example.com \
|
||||||
--certpath /path/to/certfile/in/apache/cert.pem \
|
--cert-file /path/to/certfile/in/apache/cert.pem \
|
||||||
--keypath /path/to/keyfile/in/apache/key.pem \
|
--key-file /path/to/keyfile/in/apache/key.pem \
|
||||||
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
|
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
|
||||||
--reloadcmd "service apache2 force-reload"
|
--reloadcmd "service apache2 force-reload"
|
||||||
```
|
```
|
||||||
|
|
||||||
**Nginx** example:
|
**Nginx** example:
|
||||||
```bash
|
```bash
|
||||||
acme.sh --install-cert -d example.com \
|
acme.sh --install-cert -d example.com \
|
||||||
--keypath /path/to/keyfile/in/nginx/key.pem \
|
--key-file /path/to/keyfile/in/nginx/key.pem \
|
||||||
--fullchainpath /path/to/fullchain/nginx/cert.pem \
|
--fullchain-file /path/to/fullchain/nginx/cert.pem \
|
||||||
--reloadcmd "service nginx force-reload"
|
--reloadcmd "service nginx force-reload"
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -310,6 +310,7 @@ You don't have to do anything manually!
|
|||||||
1. Knot DNS API
|
1. Knot DNS API
|
||||||
1. DigitalOcean API (native)
|
1. DigitalOcean API (native)
|
||||||
1. ClouDNS.net API
|
1. ClouDNS.net API
|
||||||
|
1. Infoblox NIOS API (https://www.infoblox.com/)
|
||||||
|
|
||||||
**More APIs coming soon...**
|
**More APIs coming soon...**
|
||||||
|
|
||||||
|
61
acme.sh
61
acme.sh
@ -1483,7 +1483,9 @@ _inithttp() {
|
|||||||
_ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
|
_ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$CA_BUNDLE" ]; then
|
if [ "$CA_PATH" ]; then
|
||||||
|
_ACME_CURL="$_ACME_CURL --capath $CA_PATH "
|
||||||
|
elif [ "$CA_BUNDLE" ]; then
|
||||||
_ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
|
_ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1494,8 +1496,10 @@ _inithttp() {
|
|||||||
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
||||||
_ACME_WGET="$_ACME_WGET -d "
|
_ACME_WGET="$_ACME_WGET -d "
|
||||||
fi
|
fi
|
||||||
if [ "$CA_BUNDLE" ]; then
|
if [ "$CA_PATH" ]; then
|
||||||
_ACME_WGET="$_ACME_WGET --ca-certificate $CA_BUNDLE "
|
_ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH "
|
||||||
|
elif [ "$CA_BUNDLE" ]; then
|
||||||
|
_ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3707,6 +3711,12 @@ issue() {
|
|||||||
_clearaccountconf "CA_BUNDLE"
|
_clearaccountconf "CA_BUNDLE"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$CA_PATH" ]; then
|
||||||
|
_saveaccountconf CA_PATH "$CA_PATH"
|
||||||
|
else
|
||||||
|
_clearaccountconf "CA_PATH"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$HTTPS_INSECURE" ]; then
|
if [ "$HTTPS_INSECURE" ]; then
|
||||||
_saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
|
_saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
|
||||||
else
|
else
|
||||||
@ -4025,7 +4035,7 @@ deploy() {
|
|||||||
installcert() {
|
installcert() {
|
||||||
_main_domain="$1"
|
_main_domain="$1"
|
||||||
if [ -z "$_main_domain" ]; then
|
if [ -z "$_main_domain" ]; then
|
||||||
_usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
|
_usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--cert-file cert-file-path] [--key-file key-file-path] [--ca-file ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchain-file fullchain-path]"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -4775,10 +4785,10 @@ Parameters:
|
|||||||
|
|
||||||
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
|
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
|
||||||
|
|
||||||
--certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
|
--cert-file After issue/renew, the cert will be copied to this path.
|
||||||
--keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
|
--key-file After issue/renew, the key will be copied to this path.
|
||||||
--capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
|
--ca-file After issue/renew, the intermediate cert will be copied to this path.
|
||||||
--fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
|
--fullchain-file After issue/renew, the fullchain cert will be copied to this path.
|
||||||
|
|
||||||
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
|
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
|
||||||
|
|
||||||
@ -4797,6 +4807,7 @@ Parameters:
|
|||||||
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
|
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
|
||||||
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
|
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
|
||||||
--ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
|
--ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
|
||||||
|
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
|
||||||
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
|
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
|
||||||
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
|
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
|
||||||
--csr Specifies the input csr.
|
--csr Specifies the input csr.
|
||||||
@ -4903,10 +4914,10 @@ _process() {
|
|||||||
_webroot=""
|
_webroot=""
|
||||||
_keylength=""
|
_keylength=""
|
||||||
_accountkeylength=""
|
_accountkeylength=""
|
||||||
_certpath=""
|
_cert_file=""
|
||||||
_keypath=""
|
_key_file=""
|
||||||
_capath=""
|
_ca_file=""
|
||||||
_fullchainpath=""
|
_fullchain_file=""
|
||||||
_reloadcmd=""
|
_reloadcmd=""
|
||||||
_password=""
|
_password=""
|
||||||
_accountconf=""
|
_accountconf=""
|
||||||
@ -4922,6 +4933,7 @@ _process() {
|
|||||||
_stopRenewOnError=""
|
_stopRenewOnError=""
|
||||||
#_insecure=""
|
#_insecure=""
|
||||||
_ca_bundle=""
|
_ca_bundle=""
|
||||||
|
_ca_path=""
|
||||||
_nocron=""
|
_nocron=""
|
||||||
_ecc=""
|
_ecc=""
|
||||||
_csr=""
|
_csr=""
|
||||||
@ -5147,20 +5159,20 @@ _process() {
|
|||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--certpath)
|
--cert-file | --certpath)
|
||||||
_certpath="$2"
|
_cert_file="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--keypath)
|
--key-file | --keypath)
|
||||||
_keypath="$2"
|
_key_file="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--capath)
|
--ca-file | --capath)
|
||||||
_capath="$2"
|
_ca_file="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--fullchainpath)
|
--fullchain-file | --fullchainpath)
|
||||||
_fullchainpath="$2"
|
_fullchain_file="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--reloadcmd | --reloadCmd)
|
--reloadcmd | --reloadCmd)
|
||||||
@ -5236,6 +5248,11 @@ _process() {
|
|||||||
CA_BUNDLE="$_ca_bundle"
|
CA_BUNDLE="$_ca_bundle"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
--ca-path)
|
||||||
|
_ca_path="$2"
|
||||||
|
CA_PATH="$_ca_path"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
--nocron)
|
--nocron)
|
||||||
_nocron="1"
|
_nocron="1"
|
||||||
;;
|
;;
|
||||||
@ -5377,7 +5394,7 @@ _process() {
|
|||||||
uninstall) uninstall "$_nocron" ;;
|
uninstall) uninstall "$_nocron" ;;
|
||||||
upgrade) upgrade ;;
|
upgrade) upgrade ;;
|
||||||
issue)
|
issue)
|
||||||
issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
|
issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
|
||||||
;;
|
;;
|
||||||
deploy)
|
deploy)
|
||||||
deploy "$_domain" "$_deploy_hook" "$_ecc"
|
deploy "$_domain" "$_deploy_hook" "$_ecc"
|
||||||
@ -5389,7 +5406,7 @@ _process() {
|
|||||||
showcsr "$_csr" "$_domain"
|
showcsr "$_csr" "$_domain"
|
||||||
;;
|
;;
|
||||||
installcert)
|
installcert)
|
||||||
installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
|
installcert "$_domain" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_ecc"
|
||||||
;;
|
;;
|
||||||
renew)
|
renew)
|
||||||
renew "$_domain" "$_ecc"
|
renew "$_domain" "$_ecc"
|
||||||
|
@ -421,6 +421,23 @@ Ok, let's issue a cert now:
|
|||||||
acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com
|
acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## 22. Use Infoblox API
|
||||||
|
|
||||||
|
First you need to create/obtain API credentials on your Infoblox appliance.
|
||||||
|
|
||||||
|
```
|
||||||
|
export Infoblox_Creds="username:password"
|
||||||
|
export Infoblox_Server="ip or fqdn of infoblox appliance"
|
||||||
|
```
|
||||||
|
|
||||||
|
Ok, let's issue a cert now:
|
||||||
|
```
|
||||||
|
acme.sh --issue --dns dns_infoblox -d example.com -d www.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
Note: This script will automatically create and delete the ephemeral txt record.
|
||||||
|
The `Infoblox_Creds` and `Infoblox_Server` will be saved in `~/.acme.sh/account.conf` and will be reused when needed.
|
||||||
|
|
||||||
# Use custom API
|
# Use custom API
|
||||||
|
|
||||||
If your API is not supported yet, you can write your own DNS API.
|
If your API is not supported yet, you can write your own DNS API.
|
||||||
|
97
dnsapi/dns_infoblox.sh
Normal file
97
dnsapi/dns_infoblox.sh
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
## Infoblox API integration by Jason Keller and Elijah Tenai
|
||||||
|
##
|
||||||
|
## Report any bugs via https://github.com/jasonkeller/acme.sh
|
||||||
|
|
||||||
|
dns_infoblox_add() {
|
||||||
|
|
||||||
|
## Nothing to see here, just some housekeeping
|
||||||
|
fulldomain=$1
|
||||||
|
txtvalue=$2
|
||||||
|
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue"
|
||||||
|
|
||||||
|
_info "Using Infoblox API"
|
||||||
|
_debug fulldomain "$fulldomain"
|
||||||
|
_debug txtvalue "$txtvalue"
|
||||||
|
|
||||||
|
## Check for the credentials
|
||||||
|
if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
|
||||||
|
Infoblox_Creds=""
|
||||||
|
Infoblox_Server=""
|
||||||
|
_err "You didn't specify the credentials or server yet (Infoblox_Creds and Infoblox_Server)."
|
||||||
|
_err "Please set them via EXPORT ([username:password] and [ip or hostname]) and try again."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Save the credentials to the account file
|
||||||
|
_saveaccountconf Infoblox_Creds "$Infoblox_Creds"
|
||||||
|
_saveaccountconf Infoblox_Server "$Infoblox_Server"
|
||||||
|
|
||||||
|
## Base64 encode the credentials
|
||||||
|
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
|
||||||
|
|
||||||
|
## Construct the HTTP Authorization header
|
||||||
|
export _H1="Accept-Language:en-US"
|
||||||
|
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
|
||||||
|
|
||||||
|
## Add the challenge record to the Infoblox grid member
|
||||||
|
result=$(_post "" "$baseurlnObject" "" "POST")
|
||||||
|
|
||||||
|
## Let's see if we get something intelligible back from the unit
|
||||||
|
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
|
||||||
|
_info "Successfully created the txt record"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
_err "Error encountered during record addition"
|
||||||
|
_err "$result"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
dns_infoblox_rm() {
|
||||||
|
|
||||||
|
## Nothing to see here, just some housekeeping
|
||||||
|
fulldomain=$1
|
||||||
|
txtvalue=$2
|
||||||
|
|
||||||
|
_info "Using Infoblox API"
|
||||||
|
_debug fulldomain "$fulldomain"
|
||||||
|
_debug txtvalue "$txtvalue"
|
||||||
|
|
||||||
|
## Base64 encode the credentials
|
||||||
|
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
|
||||||
|
|
||||||
|
## Construct the HTTP Authorization header
|
||||||
|
export _H1="Accept-Language:en-US"
|
||||||
|
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
|
||||||
|
|
||||||
|
## Does the record exist? Let's check.
|
||||||
|
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&_return_type=xml-pretty"
|
||||||
|
result=$(_get "$baseurlnObject")
|
||||||
|
|
||||||
|
## Let's see if we get something intelligible back from the grid
|
||||||
|
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
|
||||||
|
## Extract the object reference
|
||||||
|
objRef=$(printf "%b" "$result" | _egrep_o 'record:txt/.*:.*/default')
|
||||||
|
objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
|
||||||
|
## Delete them! All the stale records!
|
||||||
|
rmResult=$(_post "" "$objRmUrl" "" "DELETE")
|
||||||
|
## Let's see if that worked
|
||||||
|
if echo "$rmResult" | egrep 'record:txt/.*:.*/default'; then
|
||||||
|
_info "Successfully deleted $objRef"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
_err "Error occurred during txt record delete"
|
||||||
|
_err "$rmResult"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
_err "Record to delete didn't match an existing record"
|
||||||
|
_err "$result"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
#################### Private functions below ##################################
|
Loading…
Reference in New Issue
Block a user