[](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
- Support ACME v1 and ACME v2
@@ -13,6 +13,7 @@
- DOES NOT require `root/sudoer` access.
- Docker friendly
- IPv6 support
+- Cron job notifications for renewal or error etc.
It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
@@ -33,9 +34,9 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
-- [Centminmod](http://centminmod.com/letsencrypt-acmetool-https.html)
+- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
-- [archlinux](https://aur.archlinux.org/packages/acme.sh-git/)
+- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
- [CentOS Web Panel](http://centos-webpanel.com/)
- [lnmp.org](https://lnmp.org/)
@@ -45,36 +46,42 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
| NO | Status| Platform|
|----|-------|---------|
-|1|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
-|2|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
-|3|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
-|4|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
-|5|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
-|6|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
-|7|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
-|8|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
-|9|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
-|10|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
-|11|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
-|12|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
-|13|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
+|1|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
+|2|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
+|3|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
+|4|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
+|5|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
+|6|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
+|7|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
+|8|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
+|9|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
+|10|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
+|11|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
+|12|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
+|13|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
|14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111
-|15|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
-|16|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia
+|15|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
+|16|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia
|17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT)
-|18|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris
-|19|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
+|18|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris
+|19|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
|20|[](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX
For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest):
https://github.com/Neilpang/acmetest
+# Supported CA
+
+- Letsencrypt.org CA(default)
+- [BuyPass.com CA](https://github.com/Neilpang/acme.sh/wiki/BuyPass.com-CA)
+- [Pebble strict Mode](https://github.com/letsencrypt/pebble)
# Supported modes
- Webroot mode
- Standalone mode
+- Standalone tls-alpn mode
- Apache mode
- Nginx mode
- DNS mode
@@ -221,8 +228,20 @@ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+# 5. Use Standalone ssl server to issue cert
-# 5. Use Apache mode
+**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))**
+
+Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
+
+```bash
+acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com
+```
+
+More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+
+
+# 6. Use Apache mode
**(requires you to be root/sudoer, since it is required to interact with Apache server)**
@@ -236,13 +255,13 @@ Just set string "apache" as the second argument and it will force use of apache
acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com
```
-**This apache mode is only to issue the cert, it will not change your apache config files.
+**This apache mode is only to issue the cert, it will not change your apache config files.
You will need to configure your website config files to use the cert by yourself.
We don't want to mess your apache server, don't worry.**
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-# 6. Use Nginx mode
+# 7. Use Nginx mode
**(requires you to be root/sudoer, since it is required to interact with Nginx server)**
@@ -260,81 +279,23 @@ So, the config is not changed.
acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
```
-**This nginx mode is only to issue the cert, it will not change your nginx config files.
+**This nginx mode is only to issue the cert, it will not change your nginx config files.
You will need to configure your website config files to use the cert by yourself.
We don't want to mess your nginx server, don't worry.**
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-# 7. Automatic DNS API integration
+# 8. Automatic DNS API integration
If your DNS provider supports API access, we can use that API to automatically issue the certs.
You don't have to do anything manually!
-### Currently acme.sh supports:
+### Currently acme.sh supports most of the dns providers:
-1. CloudFlare.com API
-1. DNSPod.cn API
-1. CloudXNS.com API
-1. GoDaddy.com API
-1. PowerDNS.com API
-1. OVH, kimsufi, soyoustart and runabove API
-1. nsupdate API
-1. LuaDNS.com API
-1. DNSMadeEasy.com API
-1. AWS Route 53
-1. aliyun.com(阿里云) API
-1. ISPConfig 3.1 API
-1. Alwaysdata.com API
-1. Linode.com API
-1. FreeDNS (https://freedns.afraid.org/)
-1. cyon.ch
-1. Domain-Offensive/Resellerinterface/Domainrobot API
-1. Gandi LiveDNS API
-1. Knot DNS API
-1. DigitalOcean API (native)
-1. ClouDNS.net API
-1. Infoblox NIOS API (https://www.infoblox.com/)
-1. VSCALE (https://vscale.io/)
-1. Dynu API (https://www.dynu.com)
-1. DNSimple API
-1. NS1.com API
-1. DuckDNS.org API
-1. Name.com API
-1. Dyn Managed DNS API
-1. Yandex PDD API (https://pdd.yandex.ru)
-1. Hurricane Electric DNS service (https://dns.he.net)
-1. UnoEuro API (https://www.unoeuro.com/)
-1. INWX (https://www.inwx.de/)
-1. Servercow (https://servercow.de)
-1. Namesilo (https://www.namesilo.com)
-1. InternetX autoDNS API (https://internetx.com)
-1. Azure DNS
-1. selectel.com(selectel.ru) DNS API
-1. zonomi.com DNS API
-1. DreamHost.com API
-1. DirectAdmin API
-1. KingHost (https://www.kinghost.com.br/)
-1. Zilore (https://zilore.com)
-1. Loopia.se API
-1. acme-dns (https://github.com/joohoi/acme-dns)
-1. TELE3 (https://www.tele3.cz)
-1. All-inkl/Kasserver API (https://all-inkl.com)
+https://github.com/Neilpang/acme.sh/wiki/dnsapi
-And:
-
-**lexicon DNS API: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
- (DigitalOcean, DNSimple, DNSMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)**
-
-
-**More APIs coming soon...**
-
-If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute it to the project.
-
-For more details: [How to use DNS API](dnsapi)
-
-# 8. Use DNS manual mode:
+# 9. Use DNS manual mode:
See: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode first.
@@ -370,7 +331,7 @@ Ok, it's done.
**Please use dns api mode instead.**
-# 9. Issue ECC certificates
+# 10. Issue ECC certificates
`Let's Encrypt` can now issue **ECDSA** certificates.
@@ -402,7 +363,7 @@ Valid values are:
-# 10. Issue Wildcard certificates
+# 11. Issue Wildcard certificates
It's simple, just give a wildcard domain as the `-d` parameter.
@@ -412,7 +373,7 @@ acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf
-# 11. How to renew the certs
+# 12. How to renew the certs
No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
@@ -429,7 +390,7 @@ acme.sh --renew -d example.com --force --ecc
```
-# 12. How to stop cert renewal
+# 13. How to stop cert renewal
To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
@@ -442,7 +403,7 @@ The cert/key file is not removed from the disk.
You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.
-# 13. How to upgrade `acme.sh`
+# 14. How to upgrade `acme.sh`
acme.sh is in constant development, so it's strongly recommended to use the latest code.
@@ -467,25 +428,60 @@ acme.sh --upgrade --auto-upgrade 0
```
-# 14. Issue a cert from an existing CSR
+# 15. Issue a cert from an existing CSR
https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR
-# 15. Under the Hood
+# 16. Send notifications in cronjob
+
+https://github.com/Neilpang/acme.sh/wiki/notify
+
+
+# 17. Under the Hood
Speak ACME language using shell, directly to "Let's Encrypt".
TODO:
-# 16. Acknowledgments
+# 18. Acknowledgments
1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme
-# 17. License & Others
+## Contributors
+
+### Code Contributors
+
+This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+
+
+### Financial Contributors
+
+Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)]
+
+#### Individuals
+
+
+
+#### Organizations
+
+Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)]
+
+
+
+
+
+
+
+
+
+
+
+
+# 19. License & Others
License is GPLv3
@@ -494,9 +490,9 @@ Please Star and Fork me.
[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome.
-# 18. Donate
+# 20. Donate
Your donation makes **acme.sh** better:
1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)
-
+
[Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list)
diff --git a/acme.sh b/acme.sh
index 713170b7..81a20b0b 100755
--- a/acme.sh
+++ b/acme.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env sh
-VER=2.7.9
+VER=2.8.4
PROJECT_NAME="acme.sh"
@@ -9,9 +9,16 @@ PROJECT_ENTRY="acme.sh"
PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
+
+_WINDOWS_SCHEDULER_NAME="$PROJECT_NAME.cron"
+
_SCRIPT_="$0"
-_SUB_FOLDERS="dnsapi deploy"
+_SUB_FOLDER_NOTIFY="notify"
+_SUB_FOLDER_DNSAPI="dnsapi"
+_SUB_FOLDER_DEPLOY="deploy"
+
+_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
@@ -19,8 +26,8 @@ LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
LETSENCRYPT_CA_V2="https://acme-v02.api.letsencrypt.org/directory"
LETSENCRYPT_STAGING_CA_V2="https://acme-staging-v02.api.letsencrypt.org/directory"
-DEFAULT_CA=$LETSENCRYPT_CA_V1
-DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V1
+DEFAULT_CA=$LETSENCRYPT_CA_V2
+DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V2
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
DEFAULT_ACCOUNT_EMAIL=""
@@ -35,19 +42,18 @@ _OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org"
VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"
-VTYPE_TLS="tls-sni-01"
-VTYPE_TLS2="tls-sni-02"
+VTYPE_ALPN="tls-alpn-01"
LOCAL_ANY_ADDRESS="0.0.0.0"
-MAX_RENEW=60
+DEFAULT_RENEW=60
DEFAULT_DNS_SLEEP=120
NO_VALUE="no"
-W_TLS="tls"
W_DNS="dns"
+W_ALPN="alpn"
DNS_ALIAS_PREFIX="="
MODE_STATELESS="stateless"
@@ -67,6 +73,9 @@ END_CERT="-----END CERTIFICATE-----"
CONTENT_TYPE_JSON="application/jose+json"
RENEW_SKIP=2
+B64CONF_START="__ACME_BASE64__START_"
+B64CONF_END="__ACME_BASE64__END_"
+
ECC_SEP="_"
ECC_SUFFIX="${ECC_SEP}ecc"
@@ -81,6 +90,9 @@ DEBUG_LEVEL_3=3
DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
DEBUG_LEVEL_NONE=0
+DOH_CLOUDFLARE=1
+DOH_GOOGLE=2
+
HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
SYSLOG_ERROR="user.error"
@@ -102,6 +114,18 @@ SYSLOG_LEVEL_DEFAULT=$SYSLOG_LEVEL_ERROR
#none
SYSLOG_LEVEL_NONE=0
+NOTIFY_LEVEL_DISABLE=0
+NOTIFY_LEVEL_ERROR=1
+NOTIFY_LEVEL_RENEW=2
+NOTIFY_LEVEL_SKIP=3
+
+NOTIFY_LEVEL_DEFAULT=$NOTIFY_LEVEL_RENEW
+
+NOTIFY_MODE_BULK=0
+NOTIFY_MODE_CERT=1
+
+NOTIFY_MODE_DEFAULT=$NOTIFY_MODE_BULK
+
_DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
_PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
@@ -112,6 +136,10 @@ _DNS_ALIAS_WIKI="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode"
_DNS_MANUAL_WIKI="https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode"
+_NOTIFY_WIKI="https://github.com/Neilpang/acme.sh/wiki/notify"
+
+_SUDO_WIKI="https://github.com/Neilpang/acme.sh/wiki/sudo"
+
_DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
_DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@@ -124,26 +152,23 @@ if [ -t 1 ]; then
fi
__green() {
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" -o "${ACME_FORCE_COLOR}" = "1" ]; then
- printf '\033[1;31;32m'
+ if [ "${__INTERACTIVE}${ACME_NO_COLOR:-0}" = "10" -o "${ACME_FORCE_COLOR}" = "1" ]; then
+ printf '\33[1;32m%b\33[0m' "$1"
+ return
fi
printf -- "%b" "$1"
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" -o "${ACME_FORCE_COLOR}" = "1" ]; then
- printf '\033[0m'
- fi
}
__red() {
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" -o "${ACME_FORCE_COLOR}" = "1" ]; then
- printf '\033[1;31;40m'
+ if [ "${__INTERACTIVE}${ACME_NO_COLOR:-0}" = "10" -o "${ACME_FORCE_COLOR}" = "1" ]; then
+ printf '\33[1;31m%b\33[0m' "$1"
+ return
fi
printf -- "%b" "$1"
- if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" -o "${ACME_FORCE_COLOR}" = "1" ]; then
- printf '\033[0m'
- fi
}
_printargs() {
+ _exitstatus="$?"
if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
printf -- "%s" "[$(date)] "
fi
@@ -153,6 +178,8 @@ _printargs() {
printf -- "%s" "$1='$2'"
fi
printf "\n"
+ # return the saved exit status
+ return "$_exitstatus"
}
_dlg_versions() {
@@ -188,6 +215,7 @@ _dlg_versions() {
#class
_syslog() {
+ _exitstatus="$?"
if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" = "$SYSLOG_LEVEL_NONE" ]; then
return
fi
@@ -201,6 +229,7 @@ _syslog() {
fi
fi
$__logger_i -t "$PROJECT_NAME" -p "$_logclass" "$(_printargs "$@")" >/dev/null 2>&1
+ return "$_exitstatus"
}
_log() {
@@ -236,6 +265,37 @@ _usage() {
printf "\n" >&2
}
+__debug_bash_helper() {
+ # At this point only do for --debug 3
+ if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -lt "$DEBUG_LEVEL_3" ]; then
+ echo ""
+ return
+ fi
+ # Return extra debug info when running with bash, otherwise return empty
+ # string.
+ if [ -z "${BASH_VERSION}" ]; then
+ echo ""
+ return
+ fi
+ # We are a bash shell at this point, return the filename, function name, and
+ # line number as a string
+ _dbh_saveIFS=$IFS
+ IFS=" "
+ # Must use eval or syntax error happens under dash
+ # Use 'caller 1' as we want one level up the stack as we should be called
+ # by one of the _debug* functions
+ eval "_dbh_called=($(caller 1))"
+ IFS=$_dbh_saveIFS
+ _dbh_file=${_dbh_called[2]}
+ if [ -n "${_script_home}" ]; then
+ # Trim off the _script_home directory name
+ _dbh_file=${_dbh_file#$_script_home/}
+ fi
+ _dbh_function=${_dbh_called[1]}
+ _dbh_lineno=${_dbh_called[0]}
+ printf "%-40s " "$_dbh_file:${_dbh_function}:${_dbh_lineno}"
+}
+
_debug() {
if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
_log "$@"
@@ -244,7 +304,8 @@ _debug() {
_syslog "$SYSLOG_DEBUG" "$@"
fi
if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
- _printargs "$@" >&2
+ _bash_debug=$(__debug_bash_helper)
+ _printargs "${_bash_debug}$@" >&2
fi
}
@@ -277,7 +338,8 @@ _debug2() {
_syslog "$SYSLOG_DEBUG" "$@"
fi
if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
- _printargs "$@" >&2
+ _bash_debug=$(__debug_bash_helper)
+ _printargs "${_bash_debug}$@" >&2
fi
}
@@ -309,7 +371,8 @@ _debug3() {
_syslog "$SYSLOG_DEBUG" "$@"
fi
if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
- _printargs "$@" >&2
+ _bash_debug=$(__debug_bash_helper)
+ _printargs "${_bash_debug}$@" >&2
fi
}
@@ -778,6 +841,13 @@ _url_encode() {
done
}
+_json_encode() {
+ _j_str="$(sed 's/"/\\"/g' | sed "s/\r/\\r/g")"
+ _debug3 "_json_encode"
+ _debug3 "_j_str" "$_j_str"
+ echo "$_j_str" | _hex_dump | _lower_case | sed 's/0a/5c 6e/g' | tr -d ' ' | _h2b | tr -d "\r\n"
+}
+
#options file
_sed_i() {
options="$1"
@@ -1000,10 +1070,20 @@ _createkey() {
if _isEccKey "$length"; then
_debug "Using ec name: $eccname"
- ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
+ echo "$_opkey" >"$f"
+ else
+ _err "error ecc key name: $eccname"
+ return 1
+ fi
else
_debug "Using RSA: $length"
- ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
+ echo "$_opkey" >"$f"
+ else
+ _err "error rsa key: $length"
+ return 1
+ fi
fi
if [ "$?" != "0" ]; then
@@ -1016,7 +1096,7 @@ _createkey() {
_is_idn() {
_is_idn_d="$1"
_debug2 _is_idn_d "$_is_idn_d"
- _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '*.,-')
+ _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '*.,-_')
_debug2 _idn_temp "$_idn_temp"
[ "$_idn_temp" ]
}
@@ -1050,7 +1130,7 @@ _idn() {
fi
}
-#_createcsr cn san_list keyfile csrfile conf
+#_createcsr cn san_list keyfile csrfile conf acmeValidationv1
_createcsr() {
_debug _createcsr
domain="$1"
@@ -1058,6 +1138,7 @@ _createcsr() {
csrkey="$3"
csr="$4"
csrconf="$5"
+ acmeValidationv1="$6"
_debug2 domain "$domain"
_debug2 domainlist "$domainlist"
_debug2 csrkey "$csrkey"
@@ -1066,17 +1147,20 @@ _createcsr() {
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
- if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
+ if [ "$acmeValidationv1" ]; then
+ domainlist="$(_idn "$domainlist")"
+ printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
+ elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
#single domain
_info "Single domain" "$domain"
- printf -- "\nsubjectAltName=DNS:$domain" >>"$csrconf"
+ printf -- "\nsubjectAltName=DNS:$(_idn "$domain")" >>"$csrconf"
else
domainlist="$(_idn "$domainlist")"
_debug2 domainlist "$domainlist"
if _contains "$domainlist" ","; then
- alt="DNS:$domain,DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
+ alt="DNS:$(_idn "$domain"),DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
else
- alt="DNS:$domain,DNS:$domainlist"
+ alt="DNS:$(_idn "$domain"),DNS:$domainlist"
fi
#multi
_info "Multi domain" "$alt"
@@ -1088,6 +1172,10 @@ _createcsr() {
printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
fi
+ if [ "$acmeValidationv1" ]; then
+ printf "\n1.3.6.1.5.5.7.1.31=critical,DER:04:20:${acmeValidationv1}" >>"${csrconf}"
+ fi
+
_csr_cn="$(_idn "$domain")"
_debug2 _csr_cn "$_csr_cn"
if _contains "$(uname -a)" "MINGW"; then
@@ -1138,12 +1226,17 @@ _readSubjectAltNamesFromCSR() {
if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
_debug "AltNames contains subject"
- _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
+ _excapedAlgnames="$(echo "$_dnsAltnames" | tr '*' '#')"
+ _debug _excapedAlgnames "$_excapedAlgnames"
+ _escapedSubject="$(echo "$_csrsubj" | tr '*' '#')"
+ _debug _escapedSubject "$_escapedSubject"
+ _dnsAltnames="$(echo "$_excapedAlgnames," | sed "s/DNS:$_escapedSubject,//g" | tr '#' '*' | sed "s/,\$//g")"
+ _debug _dnsAltnames "$_dnsAltnames"
else
_debug "AltNames doesn't contain subject"
fi
- printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
+ echo "$_dnsAltnames" | sed "s/DNS://g"
}
#_csrfile
@@ -1181,7 +1274,7 @@ _ss() {
if _exists "netstat"; then
_debug "Using: netstat"
- if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
+ if netstat -help 2>&1 | grep "\-p proto" >/dev/null; then
#for windows version netstat tool
netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
else
@@ -1294,13 +1387,19 @@ _create_account_key() {
_initpath
mkdir -p "$CA_DIR"
- if [ -f "$ACCOUNT_KEY_PATH" ]; then
+ if [ -s "$ACCOUNT_KEY_PATH" ]; then
_info "Account key exists, skip"
- return
+ return 0
else
#generate account key
- _createkey "$length" "$ACCOUNT_KEY_PATH"
- chmod 600 "$ACCOUNT_KEY_PATH"
+ if _createkey "$length" "$ACCOUNT_KEY_PATH"; then
+ chmod 600 "$ACCOUNT_KEY_PATH"
+ _info "Create account key ok."
+ return 0
+ else
+ _err "Create account key error."
+ return 1
+ fi
fi
}
@@ -1323,10 +1422,14 @@ createDomainKey() {
_initpath "$domain" "$_cdl"
- if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
+ if [ ! -f "$CERT_KEY_PATH" ] || [ ! -s "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
if _createkey "$_cdl" "$CERT_KEY_PATH"; then
_savedomainconf Le_Keylength "$_cdl"
_info "The domain key is here: $(__green $CERT_KEY_PATH)"
+ return 0
+ else
+ _err "Can not create domain key"
+ return 1
fi
else
if [ "$IS_RENEW" ]; then
@@ -1374,17 +1477,17 @@ _url_replace() {
}
_time2str() {
- #Linux
- if date -u -d@"$1" 2>/dev/null; then
- return
- fi
-
#BSD
if date -u -r "$1" 2>/dev/null; then
return
fi
- #Soaris
+ #Linux
+ if date -u -d@"$1" 2>/dev/null; then
+ return
+ fi
+
+ #Solaris
if _exists adb; then
_t_s_a=$(echo "0t${1}=Y" | adb)
echo "$_t_s_a"
@@ -1519,7 +1622,8 @@ _calcjwk() {
JWK_HEADERPLACE_PART1='{"nonce": "'
JWK_HEADERPLACE_PART2='", "alg": "ES'$__ECC_KEY_LEN'"'
else
- _err "Only RSA or EC key is supported."
+ _err "Only RSA or EC key is supported. keyfile=$keyfile"
+ _debug2 "$(cat "$keyfile")"
return 1
fi
@@ -1607,7 +1711,7 @@ _inithttp() {
}
-# body url [needbase64] [POST|PUT] [ContentType]
+# body url [needbase64] [POST|PUT|DELETE] [ContentType]
_post() {
body="$1"
_post_url="$2"
@@ -1630,18 +1734,37 @@ _post() {
if [ "$HTTPS_INSECURE" ]; then
_CURL="$_CURL --insecure "
fi
+ if [ "$httpmethod" = "HEAD" ]; then
+ _CURL="$_CURL -I "
+ fi
_debug "_CURL" "$_CURL"
if [ "$needbase64" ]; then
- if [ "$_postContentType" ]; then
- response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+ if [ "$body" ]; then
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+ fi
else
- response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)"
+ fi
fi
else
- if [ "$_postContentType" ]; then
- response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+ if [ "$body" ]; then
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+ fi
else
- response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+ if [ "$_postContentType" ]; then
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")"
+ else
+ response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")"
+ fi
fi
fi
_ret="$?"
@@ -1657,6 +1780,9 @@ _post() {
if [ "$HTTPS_INSECURE" ]; then
_WGET="$_WGET --no-check-certificate "
fi
+ if [ "$httpmethod" = "HEAD" ]; then
+ _WGET="$_WGET --read-timeout=3.0 --tries=2 "
+ fi
_debug "_WGET" "$_WGET"
if [ "$needbase64" ]; then
if [ "$httpmethod" = "POST" ]; then
@@ -1679,6 +1805,12 @@ _post() {
else
response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
fi
+ elif [ "$httpmethod" = "HEAD" ]; then
+ if [ "$_postContentType" ]; then
+ response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ else
+ response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+ fi
else
if [ "$_postContentType" ]; then
response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
@@ -1795,15 +1927,13 @@ _send_signed_request() {
return 1
fi
- if [ "$ACME_VERSION" = "2" ]; then
- __request_conent_type="$CONTENT_TYPE_JSON"
- else
- __request_conent_type=""
- fi
+ __request_conent_type="$CONTENT_TYPE_JSON"
+
payload64=$(printf "%s" "$payload" | _base64 | _url_replace)
_debug3 payload64 "$payload64"
- MAX_REQUEST_RETRY_TIMES=5
+ MAX_REQUEST_RETRY_TIMES=20
+ _sleep_retry_sec=1
_request_retry_times=0
while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
_request_retry_times=$(_math "$_request_retry_times" + 1)
@@ -1811,27 +1941,33 @@ _send_signed_request() {
if [ -z "$_CACHED_NONCE" ]; then
_headers=""
if [ "$ACME_NEW_NONCE" ]; then
- _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
+ _debug2 "Get nonce with HEAD. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
nonceurl="$ACME_NEW_NONCE"
- if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then
+ if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then
_headers="$(cat "$HTTP_HEADER")"
+ _debug2 _headers "$_headers"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
fi
- if [ -z "$_headers" ]; then
- _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY"
+ if [ -z "$_CACHED_NONCE" ]; then
+ _debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY"
nonceurl="$ACME_DIRECTORY"
_headers="$(_get "$nonceurl" "onlyheader")"
+ _debug2 _headers "$_headers"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
-
+ if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then
+ _debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
+ nonceurl="$ACME_NEW_NONCE"
+ _headers="$(_get "$nonceurl" "onlyheader")"
+ _debug2 _headers "$_headers"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+ fi
+ _debug2 _CACHED_NONCE "$_CACHED_NONCE"
if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce."
return 1
fi
-
- _debug2 _headers "$_headers"
-
- _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
- _debug2 _CACHED_NONCE "$_CACHED_NONCE"
else
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
fi
@@ -1865,11 +2001,7 @@ _send_signed_request() {
sig="$(printf "%s" "$_sig_t" | _url_replace)"
_debug3 sig "$sig"
- if [ "$ACME_VERSION" = "2" ]; then
- body="{\"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
- else
- body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
- fi
+ body="{\"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
_debug3 body "$body"
response="$(_post "$body" "$url" "$needbase64" "POST" "$__request_conent_type")"
@@ -1879,28 +2011,34 @@ _send_signed_request() {
_err "Can not post to $url"
return 1
fi
- _debug2 original "$response"
- response="$(echo "$response" | _normalizeJson)"
responseHeaders="$(cat "$HTTP_HEADER")"
-
_debug2 responseHeaders "$responseHeaders"
- _debug2 response "$response"
+
code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
_debug code "$code"
- _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
-
- _body="$response"
- if [ "$needbase64" ]; then
- _body="$(echo "$_body" | _dbase64 | tr -d '\0')"
- _debug3 _body "$_body"
+ _debug2 original "$response"
+ if echo "$responseHeaders" | grep -i "Content-Type: application/json" >/dev/null 2>&1; then
+ response="$(echo "$response" | _normalizeJson)"
fi
+ _debug2 response "$response"
- if _contains "$_body" "JWS has invalid anti-replay nonce"; then
- _info "It seems the CA server is busy now, let's wait and retry."
- _sleep 5
- continue
+ _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+
+ if ! _startswith "$code" "2"; then
+ _body="$response"
+ if [ "$needbase64" ]; then
+ _body="$(echo "$_body" | _dbase64 multiline)"
+ _debug3 _body "$_body"
+ fi
+
+ if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then
+ _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds."
+ _CACHED_NONCE=""
+ _sleep $_sleep_retry_sec
+ continue
+ fi
fi
break
done
@@ -1944,12 +2082,16 @@ _setopt() {
_debug3 "$(grep -n "^$__opt$__sep" "$__conf")"
}
-#_save_conf file key value
+#_save_conf file key value base64encode
#save to conf
_save_conf() {
_s_c_f="$1"
_sdkey="$2"
_sdvalue="$3"
+ _b64encode="$4"
+ if [ "$_sdvalue" ] && [ "$_b64encode" ]; then
+ _sdvalue="${B64CONF_START}$(printf "%s" "${_sdvalue}" | _base64)${B64CONF_END}"
+ fi
if [ "$_s_c_f" ]; then
_setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'"
else
@@ -1974,19 +2116,23 @@ _read_conf() {
_r_c_f="$1"
_sdkey="$2"
if [ -f "$_r_c_f" ]; then
- (
+ _sdv="$(
eval "$(grep "^$_sdkey *=" "$_r_c_f")"
eval "printf \"%s\" \"\$$_sdkey\""
- )
+ )"
+ if _startswith "$_sdv" "${B64CONF_START}" && _endswith "$_sdv" "${B64CONF_END}"; then
+ _sdv="$(echo "$_sdv" | sed "s/${B64CONF_START}//" | sed "s/${B64CONF_END}//" | _dbase64)"
+ fi
+ printf "%s" "$_sdv"
else
_debug "config file is empty, can not read $_sdkey"
fi
}
-#_savedomainconf key value
+#_savedomainconf key value base64encode
#save to domain.conf
_savedomainconf() {
- _save_conf "$DOMAIN_CONF" "$1" "$2"
+ _save_conf "$DOMAIN_CONF" "$@"
}
#_cleardomainconf key
@@ -1999,14 +2145,36 @@ _readdomainconf() {
_read_conf "$DOMAIN_CONF" "$1"
}
-#_saveaccountconf key value
-_saveaccountconf() {
- _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2"
+#key value base64encode
+_savedeployconf() {
+ _savedomainconf "SAVED_$1" "$2" "$3"
+ #remove later
+ _cleardomainconf "$1"
}
-#key value
+#key
+_getdeployconf() {
+ _rac_key="$1"
+ _rac_value="$(eval echo \$"$_rac_key")"
+ if [ "$_rac_value" ]; then
+ if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then
+ _debug2 "trim quotation marks"
+ eval "export $_rac_key=$_rac_value"
+ fi
+ return 0 # do nothing
+ fi
+ _saved=$(_readdomainconf "SAVED_$_rac_key")
+ eval "export $_rac_key=$_saved"
+}
+
+#_saveaccountconf key value base64encode
+_saveaccountconf() {
+ _save_conf "$ACCOUNT_CONF_PATH" "$@"
+}
+
+#key value base64encode
_saveaccountconf_mutable() {
- _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2"
+ _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2" "$3"
#remove later
_clearaccountconf "$1"
}
@@ -2046,6 +2214,7 @@ _clearcaconf() {
_startserver() {
content="$1"
ncaddr="$2"
+ _debug "content" "$content"
_debug "ncaddr" "$ncaddr"
_debug "startserver: $$"
@@ -2072,8 +2241,14 @@ _startserver() {
SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
fi
+ _content_len="$(printf "%s" "$content" | wc -c)"
+ _debug _content_len "$_content_len"
_debug "_NC" "$_NC $SOCAT_OPTIONS"
- $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo $content; echo;" &
+ $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \
+echo 'HTTP/1.0 200 OK'; \
+echo 'Content-Length\: $_content_len'; \
+echo ''; \
+printf -- '$content';" &
serverproc="$!"
}
@@ -2105,7 +2280,7 @@ _sleep() {
fi
}
-# _starttlsserver san_a san_b port content _ncaddr
+# _starttlsserver san_a san_b port content _ncaddr acmeValidationv1
_starttlsserver() {
_info "Starting tls server."
san_a="$1"
@@ -2113,10 +2288,12 @@ _starttlsserver() {
port="$3"
content="$4"
opaddr="$5"
+ acmeValidationv1="$6"
_debug san_a "$san_a"
_debug san_b "$san_b"
_debug port "$port"
+ _debug acmeValidationv1 "$acmeValidationv1"
#create key TLS_KEY
if ! _createkey "2048" "$TLS_KEY"; then
@@ -2129,7 +2306,7 @@ _starttlsserver() {
if [ "$san_b" ]; then
alt="$alt,$san_b"
fi
- if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
+ if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$acmeValidationv1"; then
_err "Create tls validation csr error."
return 1
fi
@@ -2155,6 +2332,10 @@ _starttlsserver() {
__S_OPENSSL="$__S_OPENSSL -6"
fi
+ if [ "$acmeValidationv1" ]; then
+ __S_OPENSSL="$__S_OPENSSL -alpn acme-tls/1"
+ fi
+
_debug "$__S_OPENSSL"
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
$__S_OPENSSL -tlsextdebug &
@@ -2336,7 +2517,7 @@ _initpath() {
. "$ACCOUNT_CONF_PATH"
fi
- if [ "$IN_CRON" ]; then
+ if [ "$ACME_IN_CRON" ]; then
if [ ! "$_USER_PATH_EXPORTED" ]; then
_USER_PATH_EXPORTED=1
export PATH="$USER_PATH:$PATH"
@@ -2683,6 +2864,11 @@ _setNginx() {
_debug NGINX_CONF "$NGINX_CONF"
NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
_debug NGINX_CONF "$NGINX_CONF"
+ if [ -z "$NGINX_CONF" ]; then
+ _err "Can not find nginx conf."
+ NGINX_CONF=""
+ return 1
+ fi
if [ ! -f "$NGINX_CONF" ]; then
_err "'$NGINX_CONF' doesn't exist."
NGINX_CONF=""
@@ -2843,7 +3029,7 @@ _isRealNginxConf() {
_skip_ssl=1
for _listen_i in $(echo "$_seg_n" | tr "\t" ' ' | grep "^ *listen" | tr -d " "); do
if [ "$_listen_i" ]; then
- if [ "$(echo "$_listen_i" | _egrep_o "listen.*ssl[ |;]")" ]; then
+ if [ "$(echo "$_listen_i" | _egrep_o "listen.*ssl")" ]; then
_debug2 "$_listen_i is ssl"
else
_debug2 "$_listen_i is plain text"
@@ -2909,38 +3095,40 @@ _clearup() {
_clearupdns() {
_debug "_clearupdns"
- if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
+ _debug "dns_entries" "$dns_entries"
+
+ if [ -z "$dns_entries" ]; then
_debug "skip dns."
return
fi
_info "Removing DNS records."
- ventries=$(echo "$vlist" | tr ',' ' ')
- _alias_index=1
- for ventry in $ventries; do
- d=$(echo "$ventry" | cut -d "$sep" -f 1)
- keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
- vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
- _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
- txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
- _debug txt "$txt"
- if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
- _debug "$d is already verified, skip $vtype."
- continue
- fi
- if [ "$vtype" != "$VTYPE_DNS" ]; then
- _debug "Skip $d for $vtype"
- continue
+ for entry in $dns_entries; do
+ d=$(_getfield "$entry" 1)
+ txtdomain=$(_getfield "$entry" 2)
+ aliasDomain=$(_getfield "$entry" 3)
+ _currentRoot=$(_getfield "$entry" 4)
+ txt=$(_getfield "$entry" 5)
+ d_api=$(_getfield "$entry" 6)
+ _debug "d" "$d"
+ _debug "txtdomain" "$txtdomain"
+ _debug "aliasDomain" "$aliasDomain"
+ _debug "_currentRoot" "$_currentRoot"
+ _debug "txt" "$txt"
+ _debug "d_api" "$d_api"
+ if [ "$d_api" = "$txt" ]; then
+ d_api=""
fi
- d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
- _debug d_api "$d_api"
-
if [ -z "$d_api" ]; then
_info "Not Found domain api file: $d_api"
continue
fi
+ if [ "$aliasDomain" ]; then
+ txtdomain="$aliasDomain"
+ fi
+
(
if ! . "$d_api"; then
_err "Load file $d_api error. Please check your api file and try again."
@@ -2952,29 +3140,12 @@ _clearupdns() {
_err "It seems that your api file doesn't define $rmcommand"
return 1
fi
-
- _dns_root_d="$d"
- if _startswith "$_dns_root_d" "*."; then
- _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
- fi
-
- _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
- _alias_index="$(_math "$_alias_index" + 1)"
- _debug "_d_alias" "$_d_alias"
- if [ "$_d_alias" ]; then
- if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then
- txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")"
- else
- txtdomain="_acme-challenge.$_d_alias"
- fi
- else
- txtdomain="_acme-challenge.$_dns_root_d"
- fi
-
+ _info "Removing txt: $txt for domain: $txtdomain"
if ! $rmcommand "$txtdomain" "$txt"; then
_err "Error removing txt for domain:$txtdomain"
return 1
fi
+ _info "Removed: Success"
)
done
@@ -3060,12 +3231,13 @@ _on_before_issue() {
_info "Standalone mode."
if [ -z "$Le_HTTPPort" ]; then
Le_HTTPPort=80
+ _cleardomainconf "Le_HTTPPort"
else
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
fi
_checkport="$Le_HTTPPort"
- elif [ "$_currentRoot" = "$W_TLS" ]; then
- _info "Standalone tls mode."
+ elif [ "$_currentRoot" = "$W_ALPN" ]; then
+ _info "Standalone alpn mode."
if [ -z "$Le_TLSPort" ]; then
Le_TLSPort=443
else
@@ -3160,10 +3332,16 @@ _on_issue_success() {
_chk_post_hook="$1"
_chk_renew_hook="$2"
_debug _on_issue_success
+
#run the post hook
if [ "$_chk_post_hook" ]; then
_info "Run post hook:'$_chk_post_hook'"
if ! (
+ export CERT_PATH
+ export CERT_KEY_PATH
+ export CA_CERT_PATH
+ export CERT_FULLCHAIN_PATH
+ export Le_Domain="$_main_domain"
cd "$DOMAIN_PATH" && eval "$_chk_post_hook"
); then
_err "Error when run post hook."
@@ -3175,6 +3353,11 @@ _on_issue_success() {
if [ "$IS_RENEW" ] && [ "$_chk_renew_hook" ]; then
_info "Run renew hook:'$_chk_renew_hook'"
if ! (
+ export CERT_PATH
+ export CERT_KEY_PATH
+ export CA_CERT_PATH
+ export CERT_FULLCHAIN_PATH
+ export Le_Domain="$_main_domain"
cd "$DOMAIN_PATH" && eval "$_chk_renew_hook"
); then
_err "Error when run renew hook."
@@ -3188,11 +3371,6 @@ _on_issue_success() {
}
-updateaccount() {
- _initpath
- _regAccount
-}
-
registeraccount() {
_reg_length="$1"
_initpath
@@ -3267,7 +3445,7 @@ _regAccount() {
fi
_debug2 responseHeaders "$responseHeaders"
- _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
+ _accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
_debug "_accUri" "$_accUri"
if [ -z "$_accUri" ]; then
_err "Can not find account id url."
@@ -3290,6 +3468,61 @@ _regAccount() {
_info "ACCOUNT_THUMBPRINT" "$ACCOUNT_THUMBPRINT"
}
+#implement updateaccount
+updateaccount() {
+ _initpath
+
+ if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
+ _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
+ mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+ fi
+
+ if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
+ _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
+ mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+ fi
+
+ if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
+ _err "Account key is not found at: $ACCOUNT_KEY_PATH"
+ return 1
+ fi
+
+ _accUri=$(_readcaconf "ACCOUNT_URL")
+ _debug _accUri "$_accUri"
+
+ if [ -z "$_accUri" ]; then
+ _err "The account url is empty, please run '--update-account' first to update the account info first,"
+ _err "Then try again."
+ return 1
+ fi
+
+ if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
+ return 1
+ fi
+ _initAPI
+
+ if [ "$ACME_VERSION" = "2" ]; then
+ if [ "$ACCOUNT_EMAIL" ]; then
+ updjson='{"contact": ["mailto: '$ACCOUNT_EMAIL'"]}'
+ fi
+ else
+ # ACMEv1: Updates happen the same way a registration is done.
+ # https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.3
+ _regAccount
+ return
+ fi
+
+ # this part handles ACMEv2 account updates.
+ _send_signed_request "$_accUri" "$updjson"
+
+ if [ "$code" = '200' ]; then
+ _info "account update success for $_accUri."
+ else
+ _info "Error. The account was not updated."
+ return 1
+ fi
+}
+
#Implement deactivate account
deactivateaccount() {
_initpath
@@ -3367,9 +3600,9 @@ _findHook() {
d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh"
- elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
+ elif [ "$_hookdomain" ] && [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname"
- elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
+ elif [ "$_hookdomain" ] && [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh"
elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then
d_api="$LE_WORKING_DIR/$_hookname"
@@ -3425,18 +3658,173 @@ __get_domain_new_authz() {
#uri keyAuthorization
__trigger_validation() {
- _debug2 "tigger domain validation."
+ _debug2 "Trigger domain validation."
_t_url="$1"
_debug2 _t_url "$_t_url"
_t_key_authz="$2"
_debug2 _t_key_authz "$_t_key_authz"
+ _t_vtype="$3"
+ _debug2 _t_vtype "$_t_vtype"
if [ "$ACME_VERSION" = "2" ]; then
- _send_signed_request "$_t_url" "{\"keyAuthorization\": \"$_t_key_authz\"}"
+ _send_signed_request "$_t_url" "{}"
else
- _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$_t_key_authz\"}"
+ _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
fi
}
+#endpoint domain type
+_ns_lookup_impl() {
+ _ns_ep="$1"
+ _ns_domain="$2"
+ _ns_type="$3"
+ _debug2 "_ns_ep" "$_ns_ep"
+ _debug2 "_ns_domain" "$_ns_domain"
+ _debug2 "_ns_type" "$_ns_type"
+
+ response="$(_H1="accept: application/dns-json" _get "$_ns_ep?name=$_ns_domain&type=$_ns_type")"
+ _ret=$?
+ _debug2 "response" "$response"
+ if [ "$_ret" != "0" ]; then
+ return $_ret
+ fi
+ _answers="$(echo "$response" | tr '{}' '<>' | _egrep_o '"Answer":\[[^]]*]' | tr '<>' '\n\n')"
+ _debug2 "_answers" "$_answers"
+ echo "$_answers"
+}
+
+#domain, type
+_ns_lookup_cf() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://cloudflare-dns.com/dns-query"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
+#domain, type
+_ns_purge_cf() {
+ _cf_d="$1"
+ _cf_d_type="$2"
+ _debug "Cloudflare purge $_cf_d_type record for domain $_cf_d"
+ _cf_purl="https://cloudflare-dns.com/api/v1/purge?domain=$_cf_d&type=$_cf_d_type"
+ response="$(_post "" "$_cf_purl")"
+ _debug2 response "$response"
+}
+
+#checks if cf server is available
+_ns_is_available_cf() {
+ if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#domain, type
+_ns_lookup_google() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://dns.google/resolve"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
+#domain, type
+_ns_lookup() {
+ if [ -z "$DOH_USE" ]; then
+ _debug "Detect dns server first."
+ if _ns_is_available_cf; then
+ _debug "Use cloudflare doh server"
+ export DOH_USE=$DOH_CLOUDFLARE
+ else
+ _debug "Use google doh server"
+ export DOH_USE=$DOH_GOOGLE
+ fi
+ fi
+
+ if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
+ _ns_lookup_cf "$@"
+ else
+ _ns_lookup_google "$@"
+ fi
+
+}
+
+#txtdomain, alias, txt
+__check_txt() {
+ _c_txtdomain="$1"
+ _c_aliasdomain="$2"
+ _c_txt="$3"
+ _debug "_c_txtdomain" "$_c_txtdomain"
+ _debug "_c_aliasdomain" "$_c_aliasdomain"
+ _debug "_c_txt" "$_c_txt"
+ _answers="$(_ns_lookup "$_c_aliasdomain" TXT)"
+ _contains "$_answers" "$_c_txt"
+
+}
+
+#txtdomain
+__purge_txt() {
+ _p_txtdomain="$1"
+ _debug _p_txtdomain "$_p_txtdomain"
+ if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
+ _ns_purge_cf "$_p_txtdomain" "TXT"
+ else
+ _debug "no purge api for google dns api, just sleep 5 secs"
+ _sleep 5
+ fi
+
+}
+
+#wait and check each dns entries
+_check_dns_entries() {
+ _success_txt=","
+ _end_time="$(_time)"
+ _end_time="$(_math "$_end_time" + 1200)" #let's check no more than 20 minutes.
+
+ while [ "$(_time)" -le "$_end_time" ]; do
+ _left=""
+ for entry in $dns_entries; do
+ d=$(_getfield "$entry" 1)
+ txtdomain=$(_getfield "$entry" 2)
+ txtdomain=$(_idn "$txtdomain")
+ aliasDomain=$(_getfield "$entry" 3)
+ aliasDomain=$(_idn "$aliasDomain")
+ txt=$(_getfield "$entry" 5)
+ d_api=$(_getfield "$entry" 6)
+ _debug "d" "$d"
+ _debug "txtdomain" "$txtdomain"
+ _debug "aliasDomain" "$aliasDomain"
+ _debug "txt" "$txt"
+ _debug "d_api" "$d_api"
+ _info "Checking $d for $aliasDomain"
+ if _contains "$_success_txt" ",$txt,"; then
+ _info "Already success, continue next one."
+ continue
+ fi
+
+ if __check_txt "$txtdomain" "$aliasDomain" "$txt"; then
+ _info "Domain $d '$aliasDomain' success."
+ _success_txt="$_success_txt,$txt,"
+ continue
+ fi
+ _left=1
+ _info "Not valid yet, let's wait 10 seconds and check next one."
+ __purge_txt "$txtdomain"
+ if [ "$txtdomain" != "$aliasDomain" ]; then
+ __purge_txt "$aliasDomain"
+ fi
+ _sleep 10
+ done
+ if [ "$_left" ]; then
+ _info "Let's wait 10 seconds and check again".
+ _sleep 10
+ else
+ _info "All success, let's return"
+ break
+ fi
+ done
+
+}
+
#webroot, domain domainlist keylength
issue() {
if [ -z "$2" ]; then
@@ -3517,9 +3905,9 @@ issue() {
_savedomainconf "Le_Alt" "$_alt_domains"
_savedomainconf "Le_Webroot" "$_web_roots"
- _savedomainconf "Le_PreHook" "$_pre_hook"
- _savedomainconf "Le_PostHook" "$_post_hook"
- _savedomainconf "Le_RenewHook" "$_renew_hook"
+ _savedomainconf "Le_PreHook" "$_pre_hook" "base64"
+ _savedomainconf "Le_PostHook" "$_post_hook" "base64"
+ _savedomainconf "Le_RenewHook" "$_renew_hook" "base64"
if [ "$_local_addr" ]; then
_savedomainconf "Le_LocalAddress" "$_local_addr"
@@ -3532,8 +3920,12 @@ issue() {
_cleardomainconf "Le_ChallengeAlias"
fi
- Le_API="$ACME_DIRECTORY"
- _savedomainconf "Le_API" "$Le_API"
+ if [ "$ACME_DIRECTORY" != "$DEFAULT_CA" ]; then
+ Le_API="$ACME_DIRECTORY"
+ _savedomainconf "Le_API" "$Le_API"
+ else
+ _cleardomainconf Le_API
+ fi
if [ "$_alt_domains" = "$NO_VALUE" ]; then
_alt_domains=""
@@ -3585,14 +3977,14 @@ issue() {
_savedomainconf "Le_Keylength" "$_key_length"
vlist="$Le_Vlist"
-
+ _cleardomainconf "Le_Vlist"
_info "Getting domain auth token for each domain"
sep='#'
dvsep=','
if [ -z "$vlist" ]; then
if [ "$ACME_VERSION" = "2" ]; then
#make new order request
- _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}"
+ _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
_w_index=1
while true; do
d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
@@ -3601,7 +3993,7 @@ issue() {
if [ -z "$d" ]; then
break
fi
- _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
+ _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
done
_debug2 _identifiers "$_identifiers"
if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
@@ -3610,8 +4002,9 @@ issue() {
_on_issue_err "$_post_hook"
return 1
fi
-
- Le_OrderFinalize="$(echo "$response" | tr -d '\r\n' | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
+ _debug Le_LinkOrder "$Le_LinkOrder"
+ Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
_debug Le_OrderFinalize "$Le_OrderFinalize"
if [ -z "$Le_OrderFinalize" ]; then
_err "Create new order error. Le_OrderFinalize not found. $response"
@@ -3623,7 +4016,7 @@ issue() {
#for dns manual mode
_savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
- _authorizations_seg="$(echo "$response" | tr -d '\r\n' | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
_debug2 _authorizations_seg "$_authorizations_seg"
if [ -z "$_authorizations_seg" ]; then
_err "_authorizations_seg not found."
@@ -3636,7 +4029,7 @@ issue() {
_authorizations_map=""
for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
_debug2 "_authz_url" "$_authz_url"
- if ! response="$(_get "$_authz_url")"; then
+ if ! _send_signed_request "$_authz_url"; then
_err "get to authz error."
_err "_authorizations_seg" "$_authorizations_seg"
_err "_authz_url" "$_authz_url"
@@ -3683,16 +4076,23 @@ $_authorizations_map"
vtype="$VTYPE_DNS"
fi
- if [ "$_currentRoot" = "$W_TLS" ]; then
- if [ "$ACME_VERSION" = "2" ]; then
- vtype="$VTYPE_TLS2"
- else
- vtype="$VTYPE_TLS"
- fi
+ if [ "$_currentRoot" = "$W_ALPN" ]; then
+ vtype="$VTYPE_ALPN"
fi
if [ "$ACME_VERSION" = "2" ]; then
- response="$(echo "$_authorizations_map" | grep "^$d," | sed "s/$d,//")"
+ _idn_d="$(_idn "$d")"
+ _candindates="$(echo "$_authorizations_map" | grep "^$_idn_d,")"
+ _debug2 _candindates "$_candindates"
+ if [ "$(echo "$_candindates" | wc -l)" -gt 1 ]; then
+ for _can in $_candindates; do
+ if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+ _candindates="$_can"
+ break
+ fi
+ done
+ fi
+ response="$(echo "$_candindates" | sed "s/$_idn_d,//")"
_debug2 "response" "$response"
if [ -z "$response" ]; then
_err "get to authz error."
@@ -3713,7 +4113,7 @@ $_authorizations_map"
thumbprint="$(__calc_account_thumbprint)"
fi
- entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
+ entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
if [ -z "$entry" ]; then
_err "Error, can not get domain token entry $d"
@@ -3725,7 +4125,7 @@ $_authorizations_map"
_on_issue_err "$_post_hook"
return 1
fi
- token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
+ token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
_debug token "$token"
if [ -z "$token" ]; then
@@ -3735,9 +4135,9 @@ $_authorizations_map"
return 1
fi
if [ "$ACME_VERSION" = "2" ]; then
- uri="$(printf "%s\n" "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+ uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
else
- uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
+ uri="$(echo "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
fi
_debug uri "$uri"
@@ -3764,6 +4164,7 @@ $_authorizations_map"
done
_debug vlist "$vlist"
#add entry
+ dns_entries=""
dnsadded=""
ventries=$(echo "$vlist" | tr "$dvsep" ' ')
_alias_index=1
@@ -3775,6 +4176,7 @@ $_authorizations_map"
_debug d "$d"
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
_debug "$d is already verified, skip $vtype."
+ _alias_index="$(_math "$_alias_index" + 1)"
continue
fi
@@ -3793,19 +4195,23 @@ $_authorizations_map"
else
txtdomain="_acme-challenge.$_d_alias"
fi
+ dns_entry="${_dns_root_d}${dvsep}_acme-challenge.$_dns_root_d$dvsep$txtdomain$dvsep$_currentRoot"
else
txtdomain="_acme-challenge.$_dns_root_d"
+ dns_entry="${_dns_root_d}${dvsep}_acme-challenge.$_dns_root_d$dvsep$dvsep$_currentRoot"
fi
+
_debug txtdomain "$txtdomain"
txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
_debug txt "$txt"
- d_api="$(_findHook "$_dns_root_d" dnsapi "$_currentRoot")"
-
+ d_api="$(_findHook "$_dns_root_d" $_SUB_FOLDER_DNSAPI "$_currentRoot")"
_debug d_api "$d_api"
+ dns_entry="$dns_entry$dvsep$txt${dvsep}$d_api"
+ _debug2 dns_entry "$dns_entry"
if [ "$d_api" ]; then
- _info "Found domain api file: $d_api"
+ _debug "Found domain api file: $d_api"
else
if [ "$_currentRoot" != "$W_DNS" ]; then
_err "Can not find dns api hook for: $_currentRoot"
@@ -3830,18 +4236,22 @@ $_authorizations_map"
_err "It seems that your api file is not correct, it must have a function named: $addcommand"
return 1
fi
-
+ _info "Adding txt value: $txt for domain: $txtdomain"
if ! $addcommand "$txtdomain" "$txt"; then
_err "Error add txt for domain:$txtdomain"
return 1
fi
+ _info "The txt record is added: Success."
)
if [ "$?" != "0" ]; then
- _clearup
_on_issue_err "$_post_hook" "$vlist"
+ _clearup
return 1
fi
+ dns_entries="$dns_entries$dns_entry
+"
+ _debug2 "$dns_entries"
dnsadded='1'
fi
done
@@ -3850,22 +4260,28 @@ $_authorizations_map"
_savedomainconf "Le_Vlist" "$vlist"
_debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
_err "Please add the TXT records to the domains, and re-run with --renew."
- _clearup
_on_issue_err "$_post_hook"
+ _clearup
return 1
fi
fi
- if [ "$dnsadded" = '1' ]; then
+ if [ "$dns_entries" ]; then
if [ -z "$Le_DNSSleep" ]; then
- Le_DNSSleep="$DEFAULT_DNS_SLEEP"
+ _info "Let's check each dns records now. Sleep 20 seconds first."
+ _sleep 20
+ if ! _check_dns_entries; then
+ _err "check dns error."
+ _on_issue_err "$_post_hook"
+ _clearup
+ return 1
+ fi
else
_savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
+ _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
+ _sleep "$Le_DNSSleep"
fi
-
- _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
- _sleep "$Le_DNSSleep"
fi
NGINX_RESTORE_VLIST=""
@@ -3885,7 +4301,7 @@ $_authorizations_map"
continue
fi
- _info "Verifying:$d"
+ _info "Verifying: $d"
_debug "d" "$d"
_debug "keyauthorization" "$keyauthorization"
_debug "uri" "$uri"
@@ -3969,34 +4385,10 @@ $_authorizations_map"
fi
fi
-
- elif [ "$vtype" = "$VTYPE_TLS" ]; then
- #create A
- #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
- #_debug2 _hash_A "$_hash_A"
- #_x="$(echo $_hash_A | cut -c 1-32)"
- #_debug2 _x "$_x"
- #_y="$(echo $_hash_A | cut -c 33-64)"
- #_debug2 _y "$_y"
- #_SAN_A="$_x.$_y.token.acme.invalid"
- #_debug2 _SAN_A "$_SAN_A"
-
- #create B
- _hash_B="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
- _debug2 _hash_B "$_hash_B"
- _x="$(echo "$_hash_B" | cut -c 1-32)"
- _debug2 _x "$_x"
- _y="$(echo "$_hash_B" | cut -c 33-64)"
- _debug2 _y "$_y"
-
- #_SAN_B="$_x.$_y.ka.acme.invalid"
-
- _SAN_B="$_x.$_y.acme.invalid"
- _debug2 _SAN_B "$_SAN_B"
-
- _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
- _ncIndex="$(_math "$_ncIndex" + 1)"
- if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
+ elif [ "$vtype" = "$VTYPE_ALPN" ]; then
+ acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
+ _debug acmevalidationv1 "$acmevalidationv1"
+ if ! _starttlsserver "$d" "" "$Le_TLSPort" "$keyauthorization" "$_ncaddr" "$acmevalidationv1"; then
_err "Start tls server error."
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
@@ -4005,7 +4397,7 @@ $_authorizations_map"
fi
fi
- if ! __trigger_validation "$uri" "$keyauthorization"; then
+ if ! __trigger_validation "$uri" "$keyauthorization" "$vtype"; then
_err "$d:Can not get challenge: $response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
@@ -4014,7 +4406,7 @@ $_authorizations_map"
fi
if [ "$code" ] && [ "$code" != '202' ]; then
- if [ "$ACME_VERSION" = "2" ] && [ "$code" = '200' ]; then
+ if [ "$code" = '200' ]; then
_debug "trigger validation code: $code"
else
_err "$d:Challenge error: $response"
@@ -4043,7 +4435,11 @@ $_authorizations_map"
_debug "sleep 2 secs to verify"
sleep 2
_debug "checking"
- response="$(_get "$uri")"
+ if [ "$ACME_VERSION" = "2" ]; then
+ _send_signed_request "$uri"
+ else
+ response="$(_get "$uri")"
+ fi
if [ "$?" != "0" ]; then
_err "$d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@@ -4066,7 +4462,7 @@ $_authorizations_map"
fi
if [ "$status" = "invalid" ]; then
- error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
+ error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
_debug2 error "$error"
errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
_debug2 errordetail "$errordetail"
@@ -4089,6 +4485,8 @@ $_authorizations_map"
if [ "$status" = "pending" ]; then
_info "Pending"
+ elif [ "$status" = "processing" ]; then
+ _info "Processing"
else
_err "$d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@@ -4106,26 +4504,80 @@ $_authorizations_map"
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
if [ "$ACME_VERSION" = "2" ]; then
+ _info "Lets finalize the order, Le_OrderFinalize: $Le_OrderFinalize"
if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
_err "Sign failed."
_on_issue_err "$_post_hook"
return 1
fi
if [ "$code" != "200" ]; then
- _err "Sign failed, code is not 200."
+ _err "Sign failed, finalize code is not 200."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
- Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+ if [ -z "$Le_LinkOrder" ]; then
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
+ fi
- if ! _get "$Le_LinkCert" >"$CERT_PATH"; then
+ _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
+
+ _link_cert_retry=0
+ _MAX_CERT_RETRY=5
+ while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+ if _contains "$response" "\"status\":\"valid\""; then
+ _debug "Order status is valid."
+ Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_LinkCert "$Le_LinkCert"
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign error, can not find Le_LinkCert"
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ break
+ elif _contains "$response" "\"processing\""; then
+ _info "Order status is processing, lets sleep and retry."
+ _sleep 2
+ else
+ _err "Sign error, wrong status"
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ #the order is processing, so we are going to poll order status
+ if [ -z "$Le_LinkOrder" ]; then
+ _err "Sign error, can not get order link location header"
+ _err "responseHeaders" "$responseHeaders"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Polling order status: $Le_LinkOrder"
+ if ! _send_signed_request "$Le_LinkOrder"; then
+ _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _link_cert_retry="$(_math $_link_cert_retry + 1)"
+ done
+
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign failed, can not get Le_LinkCert, retry time limit."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Download cert, Le_LinkCert: $Le_LinkCert"
+ if ! _send_signed_request "$Le_LinkCert"; then
_err "Sign failed, can not download cert:$Le_LinkCert."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
+ echo "$response" >"$CERT_PATH"
+
if [ "$(grep -- "$BEGIN_CERT" "$CERT_PATH" | wc -l)" -gt "1" ]; then
_debug "Found cert chain"
cat "$CERT_PATH" >"$CERT_FULLCHAIN_PATH"
@@ -4135,6 +4587,7 @@ $_authorizations_map"
_end_n="$(_math $_end_n + 1)"
sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH"
fi
+
else
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
_err "Sign failed. $response"
@@ -4178,14 +4631,12 @@ $_authorizations_map"
_info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
fi
- if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
+ if [ ! "$USER_PATH" ] || [ ! "$ACME_IN_CRON" ]; then
USER_PATH="$PATH"
_saveaccountconf "USER_PATH" "$USER_PATH"
fi
fi
- _cleardomainconf "Le_Vlist"
-
if [ "$ACME_VERSION" = "2" ]; then
_debug "v2 chain."
else
@@ -4205,7 +4656,8 @@ $_authorizations_map"
while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
_debug _link_issuer_retry "$_link_issuer_retry"
if [ "$ACME_VERSION" = "2" ]; then
- if _get "$Le_LinkIssuer" >"$CA_CERT_PATH"; then
+ if _send_signed_request "$Le_LinkIssuer"; then
+ echo "$response" >"$CA_CERT_PATH"
break
fi
else
@@ -4241,8 +4693,8 @@ $_authorizations_map"
Le_CertCreateTimeStr=$(date -u)
_savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
- if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ]; then
- Le_RenewalDays="$MAX_RENEW"
+ if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then
+ Le_RenewalDays="$DEFAULT_RENEW"
else
_savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
fi
@@ -4291,7 +4743,7 @@ $_authorizations_map"
_savedomainconf "Le_RealCertPath" "$_real_cert"
_savedomainconf "Le_RealCACertPath" "$_real_ca"
_savedomainconf "Le_RealKeyPath" "$_real_key"
- _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
+ _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64"
_savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
if ! _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"; then
return 1
@@ -4319,7 +4771,7 @@ renew() {
_info "$(__green "Renew: '$Le_Domain'")"
if [ ! -f "$DOMAIN_CONF" ]; then
_info "'$Le_Domain' is not a issued domain, skip."
- return 0
+ return $RENEW_SKIP
fi
if [ "$Le_RenewalDays" ]; then
@@ -4328,6 +4780,16 @@ renew() {
. "$DOMAIN_CONF"
_debug Le_API "$Le_API"
+
+ if [ "$Le_API" = "$LETSENCRYPT_CA_V1" ]; then
+ _cleardomainconf Le_API
+ Le_API="$DEFAULT_CA"
+ fi
+ if [ "$Le_API" = "$LETSENCRYPT_STAGING_CA_V1" ]; then
+ _cleardomainconf Le_API
+ Le_API="$DEFAULT_STAGING_CA"
+ fi
+
if [ "$Le_API" ]; then
if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
export Le_API="$DEFAULT_CA"
@@ -4352,12 +4814,16 @@ renew() {
return "$RENEW_SKIP"
fi
- if [ "$IN_CRON" = "1" ] && [ -z "$Le_CertCreateTime" ]; then
+ if [ "$ACME_IN_CRON" = "1" ] && [ -z "$Le_CertCreateTime" ]; then
_info "Skip invalid cert for: $Le_Domain"
- return 0
+ return $RENEW_SKIP
fi
IS_RENEW="1"
+ Le_ReloadCmd="$(_readdomainconf Le_ReloadCmd)"
+ Le_PreHook="$(_readdomainconf Le_PreHook)"
+ Le_PostHook="$(_readdomainconf Le_PostHook)"
+ Le_RenewHook="$(_readdomainconf Le_RenewHook)"
issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias"
res="$?"
if [ "$res" != "0" ]; then
@@ -4380,7 +4846,13 @@ renewAll() {
_stopRenewOnError="$1"
_debug "_stopRenewOnError" "$_stopRenewOnError"
_ret="0"
-
+ _success_msg=""
+ _error_msg=""
+ _skipped_msg=""
+ _error_level=$NOTIFY_LEVEL_SKIP
+ _notify_code=$RENEW_SKIP
+ _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT}
+ _debug "_set_level" "$_set_level"
for di in "${CERT_HOME}"/*.*/; do
_debug di "$di"
if ! [ -d "$di" ]; then
@@ -4398,18 +4870,87 @@ renewAll() {
)
rc="$?"
_debug "Return code: $rc"
- if [ "$rc" != "0" ]; then
- if [ "$rc" = "$RENEW_SKIP" ]; then
- _info "Skipped $d"
- elif [ "$_stopRenewOnError" ]; then
+ if [ "$rc" = "0" ]; then
+ if [ $_error_level -gt $NOTIFY_LEVEL_RENEW ]; then
+ _error_level="$NOTIFY_LEVEL_RENEW"
+ _notify_code=0
+ fi
+ if [ "$ACME_IN_CRON" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
+ fi
+ fi
+ fi
+ _success_msg="${_success_msg} $d
+"
+ elif [ "$rc" = "$RENEW_SKIP" ]; then
+ if [ $_error_level -gt $NOTIFY_LEVEL_SKIP ]; then
+ _error_level="$NOTIFY_LEVEL_SKIP"
+ _notify_code=$RENEW_SKIP
+ fi
+ if [ "$ACME_IN_CRON" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
+ fi
+ fi
+ fi
+ _info "Skipped $d"
+ _skipped_msg="${_skipped_msg} $d
+"
+ else
+ if [ $_error_level -gt $NOTIFY_LEVEL_ERROR ]; then
+ _error_level="$NOTIFY_LEVEL_ERROR"
+ _notify_code=1
+ fi
+ if [ "$ACME_IN_CRON" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
+ fi
+ fi
+ fi
+ _error_msg="${_error_msg} $d
+"
+ if [ "$_stopRenewOnError" ]; then
_err "Error renew $d, stop now."
- return "$rc"
+ _ret="$rc"
+ break
else
_ret="$rc"
_err "Error renew $d."
fi
fi
done
+ _debug _error_level "$_error_level"
+ _debug _set_level "$_set_level"
+ if [ "$ACME_IN_CRON" ] && [ $_error_level -le $_set_level ]; then
+ if [ -z "$NOTIFY_MODE" ] || [ "$NOTIFY_MODE" = "$NOTIFY_MODE_BULK" ]; then
+ _msg_subject="Renew"
+ if [ "$_error_msg" ]; then
+ _msg_subject="${_msg_subject} Error"
+ _msg_data="Error certs:
+${_error_msg}
+"
+ fi
+ if [ "$_success_msg" ]; then
+ _msg_subject="${_msg_subject} Success"
+ _msg_data="${_msg_data}Success certs:
+${_success_msg}
+"
+ fi
+ if [ "$_skipped_msg" ]; then
+ _msg_subject="${_msg_subject} Skipped"
+ _msg_data="${_msg_data}Skipped certs:
+${_skipped_msg}
+"
+ fi
+
+ _send_notify "$_msg_subject" "$_msg_data" "$NOTIFY_HOOK" "$_notify_code"
+ fi
+ fi
+
return "$_ret"
}
@@ -4525,18 +5066,14 @@ list() {
if [ "$_raw" ]; then
printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
for di in "${CERT_HOME}"/*.*/; do
- if ! [ -d "$di" ]; then
- _debug "Not directory, skip: $di"
- continue
- fi
d=$(basename "$di")
_debug d "$d"
(
if _endswith "$d" "$ECC_SUFFIX"; then
- _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
+ _isEcc="ecc"
d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
fi
- _initpath "$d" "$_isEcc"
+ DOMAIN_CONF="$di/$d.conf"
if [ -f "$DOMAIN_CONF" ]; then
. "$DOMAIN_CONF"
printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
@@ -4558,7 +5095,7 @@ _deploy() {
_hooks="$2"
for _d_api in $(echo "$_hooks" | tr ',' " "); do
- _deployApi="$(_findHook "$_d" deploy "$_d_api")"
+ _deployApi="$(_findHook "$_d" $_SUB_FOLDER_DEPLOY "$_d_api")"
if [ -z "$_deployApi" ]; then
_err "The deploy hook $_d_api is not found."
return 1
@@ -4602,7 +5139,8 @@ deploy() {
_initpath "$_d" "$_isEcc"
if [ ! -d "$DOMAIN_PATH" ]; then
- _err "Domain is not valid:'$_d'"
+ _err "The domain '$_d' is not a cert name. You must use the cert name to specify the cert to install."
+ _err "Can not find path:'$DOMAIN_PATH'"
return 1
fi
@@ -4629,14 +5167,15 @@ installcert() {
_initpath "$_main_domain" "$_isEcc"
if [ ! -d "$DOMAIN_PATH" ]; then
- _err "Domain is not valid:'$_main_domain'"
+ _err "The domain '$_main_domain' is not a cert name. You must use the cert name to specify the cert to install."
+ _err "Can not find path:'$DOMAIN_PATH'"
return 1
fi
_savedomainconf "Le_RealCertPath" "$_real_cert"
_savedomainconf "Le_RealCACertPath" "$_real_ca"
_savedomainconf "Le_RealKeyPath" "$_real_key"
- _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
+ _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64"
_savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
_installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
@@ -4720,7 +5259,7 @@ _installcert() {
export CERT_KEY_PATH
export CA_CERT_PATH
export CERT_FULLCHAIN_PATH
- export Le_Domain
+ export Le_Domain="$_main_domain"
cd "$DOMAIN_PATH" && eval "$_reload_cmd"
); then
_info "$(__green "Reload success")"
@@ -4731,35 +5270,107 @@ _installcert() {
}
+__read_password() {
+ unset _pp
+ prompt="Enter Password:"
+ while IFS= read -p "$prompt" -r -s -n 1 char; do
+ if [ "$char" = $'\0' ]; then
+ break
+ fi
+ prompt='*'
+ _pp="$_pp$char"
+ done
+ echo "$_pp"
+}
+
+_install_win_taskscheduler() {
+ _lesh="$1"
+ _centry="$2"
+ _randomminute="$3"
+ if ! _exists cygpath; then
+ _err "cygpath not found"
+ return 1
+ fi
+ if ! _exists schtasks; then
+ _err "schtasks.exe is not found, are you on Windows?"
+ return 1
+ fi
+ _winbash="$(cygpath -w $(which bash))"
+ _debug _winbash "$_winbash"
+ if [ -z "$_winbash" ]; then
+ _err "can not find bash path"
+ return 1
+ fi
+ _myname="$(whoami)"
+ _debug "_myname" "$_myname"
+ if [ -z "$_myname" ]; then
+ _err "can not find my user name"
+ return 1
+ fi
+ _debug "_lesh" "$_lesh"
+
+ _info "To install scheduler task in your Windows account, you must input your windows password."
+ _info "$PROJECT_NAME doesn't save your password."
+ _info "Please input your Windows password for: $(__green "$_myname")"
+ _password="$(__read_password)"
+ #SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'" >/dev/null
+ echo SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "\"$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'\"" | cmd.exe >/dev/null
+ echo
+
+}
+
+_uninstall_win_taskscheduler() {
+ if ! _exists schtasks; then
+ _err "schtasks.exe is not found, are you on Windows?"
+ return 1
+ fi
+ if ! echo SCHTASKS /query /tn "$_WINDOWS_SCHEDULER_NAME" | cmd.exe >/dev/null; then
+ _debug "scheduler $_WINDOWS_SCHEDULER_NAME is not found."
+ else
+ _info "Removing $_WINDOWS_SCHEDULER_NAME"
+ echo SCHTASKS /delete /f /tn "$_WINDOWS_SCHEDULER_NAME" | cmd.exe >/dev/null
+ fi
+}
+
#confighome
installcronjob() {
_c_home="$1"
_initpath
_CRONTAB="crontab"
+ if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
+ lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
+ else
+ _err "Can not install cronjob, $PROJECT_ENTRY not found."
+ return 1
+ fi
+ if [ "$_c_home" ]; then
+ _c_entry="--config-home \"$_c_home\" "
+ fi
+ _t=$(_time)
+ random_minute=$(_math $_t % 60)
+
if ! _exists "$_CRONTAB" && _exists "fcrontab"; then
_CRONTAB="fcrontab"
fi
+
if ! _exists "$_CRONTAB"; then
+ if _exists cygpath && _exists schtasks.exe; then
+ _info "It seems you are on Windows, let's install Windows scheduler task."
+ if _install_win_taskscheduler "$lesh" "$_c_entry" "$random_minute"; then
+ _info "Install Windows scheduler task success."
+ return 0
+ else
+ _err "Install Windows scheduler task failed."
+ return 1
+ fi
+ fi
_err "crontab/fcrontab doesn't exist, so, we can not install cron jobs."
_err "All your certs will not be renewed automatically."
_err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
return 1
fi
-
_info "Installing cron job"
if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then
- if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
- lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
- else
- _err "Can not install cronjob, $PROJECT_ENTRY not found."
- return 1
- fi
-
- if [ "$_c_home" ]; then
- _c_entry="--config-home \"$_c_home\" "
- fi
- _t=$(_time)
- random_minute=$(_math $_t % 60)
if _exists uname && uname -a | grep SunOS >/dev/null; then
$_CRONTAB -l | {
cat
@@ -4787,6 +5398,16 @@ uninstallcronjob() {
fi
if ! _exists "$_CRONTAB"; then
+ if _exists cygpath && _exists schtasks.exe; then
+ _info "It seems you are on Windows, let's uninstall Windows scheduler task."
+ if _uninstall_win_taskscheduler; then
+ _info "Uninstall Windows scheduler task success."
+ return 0
+ else
+ _err "Uninstall Windows scheduler task failed."
+ return 1
+ fi
+ fi
return
fi
_info "Removing cron job"
@@ -4918,7 +5539,7 @@ _deactivate() {
_err "Can not get domain new order."
return 1
fi
- _authorizations_seg="$(echo "$response" | tr -d '\r\n' | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
_debug2 _authorizations_seg "$_authorizations_seg"
if [ -z "$_authorizations_seg" ]; then
_err "_authorizations_seg not found."
@@ -4929,7 +5550,7 @@ _deactivate() {
authzUri="$_authorizations_seg"
_debug2 "authzUri" "$authzUri"
- if ! response="$(_get "$authzUri")"; then
+ if ! _send_signed_request "$authzUri"; then
_err "get to authz error."
_err "_authorizations_seg" "$_authorizations_seg"
_err "authzUri" "$authzUri"
@@ -4964,16 +5585,16 @@ _deactivate() {
fi
_debug "Trigger validation."
vtype="$VTYPE_DNS"
- entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
+ entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
if [ -z "$entry" ]; then
_err "Error, can not get domain token $d"
return 1
fi
- token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
+ token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
_debug token "$token"
- uri="$(printf "%s\n" "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
+ uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
_debug uri "$uri"
keyauthorization="$token.$thumbprint"
@@ -4995,11 +5616,11 @@ _deactivate() {
break
fi
- _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
+ _vtype="$(echo "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
_debug _vtype "$_vtype"
_info "Found $_vtype"
- uri="$(printf "%s\n" "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
+ uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
_debug uri "$uri"
if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
@@ -5114,13 +5735,17 @@ _precheck() {
if [ -z "$_nocron" ]; then
if ! _exists "crontab" && ! _exists "fcrontab"; then
- _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
- _err "We need to set cron job to renew the certs automatically."
- _err "Otherwise, your certs will not be able to be renewed automatically."
- if [ -z "$FORCE" ]; then
- _err "Please add '--force' and try install again to go without crontab."
- _err "./$PROJECT_ENTRY --install --force"
- return 1
+ if _exists cygpath && _exists schtasks.exe; then
+ _info "It seems you are on Windows, we will install Windows scheduler task."
+ else
+ _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
+ _err "We need to set cron job to renew the certs automatically."
+ _err "Otherwise, your certs will not be able to be renewed automatically."
+ if [ -z "$FORCE" ]; then
+ _err "Please add '--force' and try install again to go without crontab."
+ _err "./$PROJECT_ENTRY --install --force"
+ return 1
+ fi
fi
fi
fi
@@ -5234,7 +5859,7 @@ install() {
_debug "Skip install cron job"
fi
- if [ "$IN_CRON" != "1" ]; then
+ if [ "$ACME_IN_CRON" != "1" ]; then
if ! _precheck "$_nocron"; then
_err "Pre-check failed, can not install."
return 1
@@ -5291,7 +5916,7 @@ install() {
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
- if [ "$IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
+ if [ "$ACME_IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
_installalias "$_c_home"
fi
@@ -5389,7 +6014,7 @@ _uninstallalias() {
}
cron() {
- export IN_CRON=1
+ export ACME_IN_CRON=1
_initpath
_info "$(__green "===Starting cron===")"
if [ "$AUTO_UPGRADE" = "1" ]; then
@@ -5410,7 +6035,7 @@ cron() {
fi
renewAll
_ret="$?"
- IN_CRON=""
+ ACME_IN_CRON=""
_info "$(__green "===End cron===")"
exit $_ret
}
@@ -5420,6 +6045,117 @@ version() {
echo "v$VER"
}
+# subject content hooks code
+_send_notify() {
+ _nsubject="$1"
+ _ncontent="$2"
+ _nhooks="$3"
+ _nerror="$4"
+
+ if [ "$NOTIFY_LEVEL" = "$NOTIFY_LEVEL_DISABLE" ]; then
+ _debug "The NOTIFY_LEVEL is $NOTIFY_LEVEL, disabled, just return."
+ return 0
+ fi
+
+ if [ -z "$_nhooks" ]; then
+ _debug "The NOTIFY_HOOK is empty, just return."
+ return 0
+ fi
+
+ _send_err=0
+ for _n_hook in $(echo "$_nhooks" | tr ',' " "); do
+ _n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")"
+ _info "Sending via: $_n_hook"
+ _debug "Found $_n_hook_file for $_n_hook"
+ if [ -z "$_n_hook_file" ]; then
+ _err "Can not find the hook file for $_n_hook"
+ continue
+ fi
+ if ! (
+ if ! . "$_n_hook_file"; then
+ _err "Load file $_n_hook_file error. Please check your api file and try again."
+ return 1
+ fi
+
+ d_command="${_n_hook}_send"
+ if ! _exists "$d_command"; then
+ _err "It seems that your api file is not correct, it must have a function named: $d_command"
+ return 1
+ fi
+
+ if ! $d_command "$_nsubject" "$_ncontent" "$_nerror"; then
+ _err "Error send message by $d_command"
+ return 1
+ fi
+
+ return 0
+ ); then
+ _err "Set $_n_hook_file error."
+ _send_err=1
+ else
+ _info "$_n_hook $(__green Success)"
+ fi
+ done
+ return $_send_err
+
+}
+
+# hook
+_set_notify_hook() {
+ _nhooks="$1"
+
+ _test_subject="Hello, this is a notification from $PROJECT_NAME"
+ _test_content="If you receive this message, your notification works."
+
+ _send_notify "$_test_subject" "$_test_content" "$_nhooks" 0
+
+}
+
+#[hook] [level] [mode]
+setnotify() {
+ _nhook="$1"
+ _nlevel="$2"
+ _nmode="$3"
+
+ _initpath
+
+ if [ -z "$_nhook$_nlevel$_nmode" ]; then
+ _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook mailgun] [--notify-level $NOTIFY_LEVEL_DEFAULT] [--notify-mode $NOTIFY_MODE_DEFAULT]"
+ _usage "$_NOTIFY_WIKI"
+ return 1
+ fi
+
+ if [ "$_nlevel" ]; then
+ _info "Set notify level to: $_nlevel"
+ export "NOTIFY_LEVEL=$_nlevel"
+ _saveaccountconf "NOTIFY_LEVEL" "$NOTIFY_LEVEL"
+ fi
+
+ if [ "$_nmode" ]; then
+ _info "Set notify mode to: $_nmode"
+ export "NOTIFY_MODE=$_nmode"
+ _saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE"
+ fi
+
+ if [ "$_nhook" ]; then
+ _info "Set notify hook to: $_nhook"
+ if [ "$_nhook" = "$NO_VALUE" ]; then
+ _info "Clear notify hook"
+ _clearaccountconf "NOTIFY_HOOK"
+ else
+ if _set_notify_hook "$_nhook"; then
+ export NOTIFY_HOOK="$_nhook"
+ _saveaccountconf "NOTIFY_HOOK" "$NOTIFY_HOOK"
+ return 0
+ else
+ _err "Can not set notify hook to: $_nhook"
+ return 1
+ fi
+ fi
+ fi
+
+}
+
showhelp() {
_initpath
version
@@ -5452,6 +6188,8 @@ Commands:
--create-domain-key Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
--deactivate Deactivate the domain authz, professional use.
+ --set-notify Set the cron notification hook, level or mode.
+
Parameters:
--domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
@@ -5463,6 +6201,7 @@ Parameters:
--output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode.
+ --alpn Use standalone alpn mode.
--stateless Use stateless mode, see: $_STATELESS_WIKI
--apache Use apache mode.
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
@@ -5474,7 +6213,7 @@ Parameters:
--log-level 1|2 Specifies the log level, default is 1.
--syslog [0|3|6|7] Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
- These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
+ These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
--cert-file After issue/renew, the cert will be copied to this path.
--key-file After issue/renew, the key will be copied to this path.
@@ -5485,14 +6224,15 @@ Parameters:
--server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
--accountconf Specifies a customized account config file.
- --home Specifies the home dir for $PROJECT_NAME .
+ --home Specifies the home dir for $PROJECT_NAME.
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
--config-home Specifies the home dir to save all the configurations.
--useragent Specifies the user agent string. it will be saved for future use too.
--accountemail Specifies the account email, only valid for the '--install' and '--update-account' command.
--accountkey Specifies the account key path, only valid for the '--install' command.
- --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
+ --days Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
--httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
+ --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
--local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
--listraw Only used for '--list' command, list the certs in raw format.
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
@@ -5500,6 +6240,7 @@ Parameters:
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
+ --noprofile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
@@ -5517,7 +6258,18 @@ Parameters:
--use-wget Force to use wget, if you have both curl and wget installed.
--yes-I-know-dns-manual-mode-enough-go-ahead-please Force to use dns manual mode: $_DNS_MANUAL_WIKI
--branch, -b Only valid for '--upgrade' command, specifies the branch name to upgrade to.
- "
+
+ --notify-level 0|1|2|3 Set the notification level: Default value is $NOTIFY_LEVEL_DEFAULT.
+ 0: disabled, no notification will be sent.
+ 1: send notifications only when there is an error.
+ 2: send notifications when a cert is successfully renewed, or there is an error.
+ 3: send notifications when a cert is skipped, renewed, or error.
+ --notify-mode 0|1 Set notification mode. Default value is $NOTIFY_MODE_DEFAULT.
+ 0: Bulk mode. Send all the domain's notifications in one message(mail).
+ 1: Cert mode. Send a message for every single cert.
+ --notify-hook [hookname] Set the notify hook
+
+"
}
# nocron noprofile
@@ -5604,6 +6356,23 @@ _processAccountConf() {
}
+_checkSudo() {
+ if [ "$SUDO_GID" ] && [ "$SUDO_COMMAND" ] && [ "$SUDO_USER" ] && [ "$SUDO_UID" ]; then
+ if [ "$SUDO_USER" = "root" ] && [ "$SUDO_UID" = "0" ]; then
+ #it's root using sudo, no matter it's using sudo or not, just fine
+ return 0
+ fi
+ if [ "$SUDO_COMMAND" = "/bin/su" ] || [ "$SUDO_COMMAND" = "/bin/bash" ]; then
+ #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
+ #fine
+ return 0
+ fi
+ #otherwise
+ return 1
+ fi
+ return 0
+}
+
_process() {
_CMD=""
_domain=""
@@ -5633,6 +6402,7 @@ _process() {
_ca_bundle=""
_ca_path=""
_nocron=""
+ _noprofile=""
_ecc=""
_csr=""
_pre_hook=""
@@ -5650,6 +6420,9 @@ _process() {
_syslog=""
_use_wget=""
_server=""
+ _notify_hook=""
+ _notify_level=""
+ _notify_mode=""
while [ ${#} -gt 0 ]; do
case "${1}" in
@@ -5736,6 +6509,9 @@ _process() {
--deactivate-account)
_CMD="deactivateaccount"
;;
+ --set-notify)
+ _CMD="setnotify"
+ ;;
--domain | -d)
_dvalue="$2"
@@ -5817,6 +6593,14 @@ _process() {
_webroot="$_webroot,$wvalue"
fi
;;
+ --alpn)
+ wvalue="$W_ALPN"
+ if [ -z "$_webroot" ]; then
+ _webroot="$wvalue"
+ else
+ _webroot="$_webroot,$wvalue"
+ fi
+ ;;
--stateless)
wvalue="$MODE_STATELESS"
if [ -z "$_webroot" ]; then
@@ -5840,6 +6624,10 @@ _process() {
;;
--nginx)
wvalue="$NGINX"
+ if [ "$2" ] && ! _startswith "$2" "-"; then
+ wvalue="$NGINX$2"
+ shift
+ fi
if [ -z "$_webroot" ]; then
_webroot="$wvalue"
else
@@ -5941,6 +6729,11 @@ _process() {
Le_HTTPPort="$_httpport"
shift
;;
+ --tlsport)
+ _tlsport="$2"
+ Le_TLSPort="$_tlsport"
+ shift
+ ;;
--listraw)
_listraw="raw"
;;
@@ -5964,6 +6757,9 @@ _process() {
--nocron)
_nocron="1"
;;
+ --noprofile)
+ _noprofile="1"
+ ;;
--no-color)
export ACME_NO_COLOR=1
;;
@@ -6068,6 +6864,37 @@ _process() {
export BRANCH="$2"
shift
;;
+ --notify-hook)
+ _nhook="$2"
+ if _startswith "$_nhook" "-"; then
+ _err "'$_nhook' is not a hook name for '$1'"
+ return 1
+ fi
+ if [ "$_notify_hook" ]; then
+ _notify_hook="$_notify_hook,$_nhook"
+ else
+ _notify_hook="$_nhook"
+ fi
+ shift
+ ;;
+ --notify-level)
+ _nlevel="$2"
+ if _startswith "$_nlevel" "-"; then
+ _err "'$_nlevel' is not a integer for '$1'"
+ return 1
+ fi
+ _notify_level="$_nlevel"
+ shift
+ ;;
+ --notify-mode)
+ _nmode="$2"
+ if _startswith "$_nmode" "-"; then
+ _err "'$_nmode' is not a integer for '$1'"
+ return 1
+ fi
+ _notify_mode="$_nmode"
+ shift
+ ;;
*)
_err "Unknown parameter : $1"
return 1
@@ -6078,6 +6905,14 @@ _process() {
done
if [ "${_CMD}" != "install" ]; then
+ if [ "$__INTERACTIVE" ] && ! _checkSudo; then
+ if [ -z "$FORCE" ]; then
+ #Use "echo" here, instead of _info. it's too early
+ echo "It seems that you are using sudo, please read this link first:"
+ echo "$_SUDO_WIKI"
+ return 1
+ fi
+ fi
__initHome
if [ "$_log" ]; then
if [ -z "$_logfile" ]; then
@@ -6120,9 +6955,9 @@ _process() {
_debug "Using server: $_server"
fi
fi
-
+ _debug "Running cmd: ${_CMD}"
case "${_CMD}" in
- install) install "$_nocron" "$_confighome" ;;
+ install) install "$_nocron" "$_confighome" "$_noprofile" ;;
uninstall) uninstall "$_nocron" ;;
upgrade) upgrade ;;
issue)
@@ -6185,7 +7020,9 @@ _process() {
createCSR)
createCSR "$_domain" "$_altdomains" "$_ecc"
;;
-
+ setnotify)
+ setnotify "$_notify_hook" "$_notify_level" "$_notify_mode"
+ ;;
*)
if [ "$_CMD" ]; then
_err "Invalid command: $_CMD"
diff --git a/deploy/README.md b/deploy/README.md
index 0b820dff..fc633ad7 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -1,257 +1,6 @@
# Using deploy api
-Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
+deploy hook usage:
-Here are the scripts to deploy the certs/key to the server/services.
+https://github.com/Neilpang/acme.sh/wiki/deployhooks
-## 1. Deploy the certs to your cpanel host
-
-If you want to deploy using cpanel UAPI see 7.
-
-(cpanel deploy hook is not finished yet, this is just an example.)
-
-
-
-Then you can deploy now:
-
-```sh
-export DEPLOY_CPANEL_USER=myusername
-export DEPLOY_CPANEL_PASSWORD=PASSWORD
-acme.sh --deploy -d example.com --deploy-hook cpanel
-```
-
-## 2. Deploy ssl cert on kong proxy engine based on api
-
-Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
-Currently supports Kong-v0.10.x.
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook kong
-```
-
-## 3. Deploy the cert to remote server through SSH access
-
-The ssh deploy plugin allows you to deploy certificates to a remote host
-using SSH command to connect to the remote server. The ssh plugin is invoked
-with the following command...
-
-```sh
-acme.sh --deploy -d example.com --deploy-hook ssh
-```
-Prior to running this for the first time you must tell the plugin where
-and how to deploy the certificates. This is done by exporting the following
-environment variables. This is not required for subsequent runs as the
-values are stored by acme.sh in the domain configuration files.
-
-Required...
-```
-export DEPLOY_SSH_USER=username
-```
-Optional...
-```
-export DEPLOY_SSH_CMD=custom ssh command
-export DEPLOY_SSH_SERVER=url or ip address of remote host
-export DEPLOY_SSH_KEYFILE=filename for private key
-export DEPLOY_SSH_CERTFILE=filename for certificate file
-export DEPLOY_SSH_CAFILE=filename for intermediate CA file
-export DEPLOY_SSH_FULLCHAIN=filename for fullchain file
-export DEPLOY_SSH_REMOTE_CMD=command to execute on remote host
-export DEPLOY_SSH_BACKUP=yes or no
-```
-
-**DEPLOY_SSH_USER**
-Username at the remote host that SSH will login with. Note that
-SSH must be able to login to remote host without a password... SSH Keys
-must have been exchanged with the remote host. Validate and test that you
-can login to USER@URL from the host running acme.sh before using this script.
-
-The USER@URL at the remote server must also have has permissions to write to
-the target location of the certificate files and to execute any commands
-(e.g. to stop/start services).
-
-**DEPLOY_SSH_CMD**
-You can customize the ssh command used to connect to the remote host. For example
-if you need to connect to a specific port at the remote server you can set this
-to, for example, "ssh -p 22" or to use `sshpass` to provide password inline
-instead of exchanging ssh keys (this is not recommended, using keys is
-more secure).
-
-**DEPLOY_SSH_SERVER**
-URL or IP Address of the remote server. If not provided then the domain
-name provided on the acme.sh --deploy command line is used.
-
-**DEPLOY_SSH_KEYFILE**
-Target filename for the private key issued by LetsEncrypt.
-
-**DEPLOY_SSH_CERTFILE**
-Target filename for the certificate issued by LetsEncrypt.
-If this is the same as the previous filename (for keyfile) then it is
-appended to the same file.
-
-**DEPLOY_SSH_CAFILE**
-Target filename for the CA intermediate certificate issued by LetsEncrypt.
-If this is the same as a previous filename (for keyfile or certfile) then
-it is appended to the same file.
-
-**DEPLOY_SSH_FULLCHAIN**
-Target filename for the fullchain certificate issued by LetsEncrypt.
-If this is the same as a previous filename (for keyfile, certfile or
-cafile) then it is appended to the same file.
-
-**DEPLOY_SSH_REMOTE_CMD**
-Command to execute on the remote server after copying any certificates. This
-could be any additional command required for example to stop and restart
-the service.
-
-**DEPLOY_SSH_BACKUP**
-Before writing a certificate file to the remote server the existing
-certificate will be copied to a backup directory on the remote server.
-These are placed in a hidden directory in the home directory of the SSH
-user
-```sh
-~/.acme_ssh_deploy/[domain name]-backup-[timestamp]
-```
-Any backups older than 180 days will be deleted when new certificates
-are deployed. This defaults to "yes" set to "no" to disable backup.
-
-###Examples using SSH deploy
-The following example illustrates deploying certificates to a QNAP NAS
-(tested with QTS version 4.2.3)
-
-```sh
-export DEPLOY_SSH_USER="admin"
-export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
-export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
-export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
-export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
-
-acme.sh --deploy -d qnap.example.com --deploy-hook ssh
-```
-Note how in this example both the private key and certificate point to
-the same file. This will result in the certificate being appended
-to the same file as the private key... a common requirement of several
-services.
-
-The next example illustrates deploying certificates to a Unifi
-Controller (tested with version 5.4.11).
-
-```sh
-export DEPLOY_SSH_USER="root"
-export DEPLOY_SSH_KEYFILE="/var/lib/unifi/unifi.example.com.key"
-export DEPLOY_SSH_FULLCHAIN="/var/lib/unifi/unifi.example.com.cer"
-export DEPLOY_SSH_REMOTE_CMD="openssl pkcs12 -export \
- -inkey /var/lib/unifi/unifi.example.com.key \
- -in /var/lib/unifi/unifi.example.com.cer \
- -out /var/lib/unifi/unifi.example.com.p12 \
- -name ubnt -password pass:temppass \
- && keytool -importkeystore -deststorepass aircontrolenterprise \
- -destkeypass aircontrolenterprise \
- -destkeystore /var/lib/unifi/keystore \
- -srckeystore /var/lib/unifi/unifi.example.com.p12 \
- -srcstoretype PKCS12 -srcstorepass temppass -alias ubnt -noprompt \
- && service unifi restart"
-
-acme.sh --deploy -d unifi.example.com --deploy-hook ssh
-```
-In this example we execute several commands on the remote host
-after the certificate files have been copied... to generate a pkcs12 file
-compatible with Unifi, to import it into the Unifi keystore and then finally
-to restart the service.
-
-Note also that once the certificate is imported
-into the keystore the individual certificate files are no longer
-required. We could if we desired delete those files immediately. If we
-do that then we should disable backup at the remote host (as there are
-no files to backup -- they were erased during deployment). For example...
-```sh
-export DEPLOY_SSH_BACKUP=no
-# modify the end of the remote command...
-&& rm /var/lib/unifi/unifi.example.com.key \
- /var/lib/unifi/unifi.example.com.cer \
- /var/lib/unifi/unifi.example.com.p12 \
-&& service unifi restart
-```
-
-## 4. Deploy the cert to local vsftpd server
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
-```
-
-The default vsftpd conf file is `/etc/vsftpd.conf`, if your vsftpd conf is not in the default location, you can specify one:
-
-```sh
-export DEPLOY_VSFTPD_CONF="/etc/vsftpd.conf"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
-```
-
-The default command to restart vsftpd server is `service vsftpd restart`, if it doesn't work, you can specify one:
-
-```sh
-export DEPLOY_VSFTPD_RELOAD="/etc/init.d/vsftpd restart"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
-```
-
-## 5. Deploy the cert to local exim4 server
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook exim4
-```
-
-The default exim4 conf file is `/etc/exim/exim.conf`, if your exim4 conf is not in the default location, you can specify one:
-
-```sh
-export DEPLOY_EXIM4_CONF="/etc/exim4/exim4.conf.template"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook exim4
-```
-
-The default command to restart exim4 server is `service exim4 restart`, if it doesn't work, you can specify one:
-
-```sh
-export DEPLOY_EXIM4_RELOAD="/etc/init.d/exim4 restart"
-
-acme.sh --deploy -d ftp.example.com --deploy-hook exim4
-```
-
-## 6. Deploy the cert to OSX Keychain
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook keychain
-```
-
-## 7. Deploy to cpanel host using UAPI
-
-This hook is using UAPI and works in cPanel & WHM version 56 or newer.
-```
-acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
-```
-DEPLOY_CPANEL_USER is required only if you run the script as root and it should contain cpanel username.
-```sh
-export DEPLOY_CPANEL_USER=username
-acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
-```
-Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separate certificate for each domain.
-
-## 8. Deploy the cert to your FRITZ!Box router
-
-You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:
-```sh
-$ export DEPLOY_FRITZBOX_USERNAME=my_username
-$ export DEPLOY_FRITZBOX_PASSWORD=the_password
-$ export DEPLOY_FRITZBOX_URL=https://fritzbox.example.com
-```
-
-After the first deployment, these values will be stored in your $HOME/.acme.sh/account.conf. You may now deploy the certificate like this:
-
-```sh
-acme.sh --deploy -d fritzbox.example.com --deploy-hook fritzbox
-```
-
-## 9. Deploy the cert to strongswan
-
-```sh
-acme.sh --deploy -d ftp.example.com --deploy-hook strongswan
-```
diff --git a/deploy/cpanel_uapi.sh b/deploy/cpanel_uapi.sh
index 4563b9c4..44844f79 100644
--- a/deploy/cpanel_uapi.sh
+++ b/deploy/cpanel_uapi.sh
@@ -2,8 +2,12 @@
# Here is the script to deploy the cert to your cpanel using the cpanel API.
# Uses command line uapi. --user option is needed only if run as root.
# Returns 0 when success.
-# Written by Santeri Kannisto