plantroon/acme.sh
1
0
Fork 0
mirror of https://github.com/plantroon/acme.sh.git synced 2024-11-17 20:01:46 +00:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into ssh-deploy

Browse Source
This commit is contained in:
David Kerr 2017-04-05 16:47:56 -04:00
commit fd1598017a
14 changed files with 174 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
Dockerfile Normal file
View File

@ -0,0 +1,52 @@
FROM alpine
RUN apk update -f \
&& apk --no-cache add -f \
openssl \
curl \
netcat-openbsd
ENV LE_CONFIG_HOME /acme.sh
ENV AUTO_UPGRADE 1
#Install
RUN mkdir -p /install_acme.sh/
ADD ./ /install_acme.sh/
RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh)
RUN rm -rf /install_acme.sh/
RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh
RUN for verb in help \
version \
install \
uninstall \
upgrade \
issue \
signcsr \
deploy \
install-cert \
renew \
renew-all \
revoke \
remove \
list \
showcsr \
install-cronjob \
uninstall-cronjob \
cron \
toPkcs \
toPkcs8 \
update-account \
register-account \
create-account-key \
create-domain-key \
createCSR \
deactivate \
; do \
printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
; done
ENTRYPOINT ["/root/.acme.sh/acme.sh", "--config-home", "/acme.sh"]
CMD ["--help"]

4
README.md
View File

@ -7,11 +7,13 @@
- Purely written in Shell with no dependencies on python or the official Let's Encrypt client. - Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
- Just one script to issue, renew and install your certificates automatically. - Just one script to issue, renew and install your certificates automatically.
- DOES NOT require `root/sudoer` access. - DOES NOT require `root/sudoer` access.
- Docker friendly
It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt. It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
Wiki: https://github.com/Neilpang/acme.sh/wiki Wiki: https://github.com/Neilpang/acme.sh/wiki
For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker)
Twitter: [@neilpangxa](https://twitter.com/neilpangxa) Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
@ -329,7 +331,7 @@ Just set the `length` parameter with a prefix `ec-`.
For example: For example:
### Single domain ECC cerfiticate ### Single domain ECC certificate
```bash ```bash
acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256

127
acme.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
VER=2.6.7 VER=2.6.8
PROJECT_NAME="acme.sh" PROJECT_NAME="acme.sh"
@ -107,7 +107,7 @@ __green() {
if [ "$__INTERACTIVE" ]; then if [ "$__INTERACTIVE" ]; then
printf '\033[1;31;32m' printf '\033[1;31;32m'
fi fi
printf -- "$1" printf -- "%b" "$1"
if [ "$__INTERACTIVE" ]; then if [ "$__INTERACTIVE" ]; then
printf '\033[0m' printf '\033[0m'
fi fi
@ -117,7 +117,7 @@ __red() {
if [ "$__INTERACTIVE" ]; then if [ "$__INTERACTIVE" ]; then
printf '\033[1;31;40m' printf '\033[1;31;40m'
fi fi
printf -- "$1" printf -- "%b" "$1"
if [ "$__INTERACTIVE" ]; then if [ "$__INTERACTIVE" ]; then
printf '\033[0m' printf '\033[0m'
fi fi
@ -138,8 +138,8 @@ _printargs() {
_dlg_versions() { _dlg_versions() {
echo "Diagnosis versions: " echo "Diagnosis versions: "
echo "openssl:$ACME_OPENSSL_BIN" echo "openssl:$ACME_OPENSSL_BIN"
if _exists "$ACME_OPENSSL_BIN"; then if _exists "${ACME_OPENSSL_BIN:-openssl}"; then
$ACME_OPENSSL_BIN version 2>&1 ${ACME_OPENSSL_BIN:-openssl} version 2>&1
else else
echo "$ACME_OPENSSL_BIN doesn't exists." echo "$ACME_OPENSSL_BIN doesn't exists."
fi fi
@ -340,7 +340,7 @@ _hasfield() {
_sep="," _sep=","
fi fi
for f in $(echo "$_str" | tr ',' ' '); do for f in $(echo "$_str" | tr "$_sep" ' '); do
if [ "$f" = "$_field" ]; then if [ "$f" = "$_field" ]; then
_debug2 "'$_str' contains '$_field'" _debug2 "'$_str' contains '$_field'"
return 0 #contains ok return 0 #contains ok
@ -790,19 +790,19 @@ _base64() {
[ "" ] #urgly [ "" ] #urgly
if [ "$1" ]; then if [ "$1" ]; then
_debug3 "base64 multiline:'$1'" _debug3 "base64 multiline:'$1'"
$ACME_OPENSSL_BIN base64 -e ${ACME_OPENSSL_BIN:-openssl} base64 -e
else else
_debug3 "base64 single line." _debug3 "base64 single line."
$ACME_OPENSSL_BIN base64 -e | tr -d '\r\n' ${ACME_OPENSSL_BIN:-openssl} base64 -e | tr -d '\r\n'
fi fi
} }
#Usage: multiline #Usage: multiline
_dbase64() { _dbase64() {
if [ "$1" ]; then if [ "$1" ]; then
$ACME_OPENSSL_BIN base64 -d -A ${ACME_OPENSSL_BIN:-openssl} base64 -d -A
else else
$ACME_OPENSSL_BIN base64 -d ${ACME_OPENSSL_BIN:-openssl} base64 -d
fi fi
} }
@ -819,9 +819,9 @@ _digest() {
if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
if [ "$outputhex" ]; then if [ "$outputhex" ]; then
$ACME_OPENSSL_BIN dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' ' ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' '
else else
$ACME_OPENSSL_BIN dgst -"$alg" -binary | _base64 ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -binary | _base64
fi fi
else else
_err "$alg is not supported yet" _err "$alg is not supported yet"
@ -844,9 +844,9 @@ _hmac() {
if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
if [ "$outputhex" ]; then if [ "$outputhex" ]; then
($ACME_OPENSSL_BIN dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" 2>/dev/null || $ACME_OPENSSL_BIN dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)") | cut -d = -f 2 | tr -d ' ' (${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)") | cut -d = -f 2 | tr -d ' '
else else
$ACME_OPENSSL_BIN dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary 2>/dev/null || $ACME_OPENSSL_BIN dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)" -binary ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)" -binary
fi fi
else else
_err "$alg is not supported yet" _err "$alg is not supported yet"
@ -865,7 +865,7 @@ _sign() {
return 1 return 1
fi fi
_sign_openssl="$ACME_OPENSSL_BIN dgst -sign $keyfile " _sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile "
if [ "$alg" = "sha256" ]; then if [ "$alg" = "sha256" ]; then
_sign_openssl="$_sign_openssl -$alg" _sign_openssl="$_sign_openssl -$alg"
else else
@ -876,10 +876,10 @@ _sign() {
if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
$_sign_openssl | _base64 $_sign_openssl | _base64
elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
if ! _signedECText="$($_sign_openssl | $ACME_OPENSSL_BIN asn1parse -inform DER)"; then if ! _signedECText="$($_sign_openssl | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then
_err "Sign failed: $_sign_openssl" _err "Sign failed: $_sign_openssl"
_err "Key file: $keyfile" _err "Key file: $keyfile"
_err "Key content:$(wc -l <"$keyfile") lises" _err "Key content:$(wc -l <"$keyfile") lines"
return 1 return 1
fi fi
_debug3 "_signedECText" "$_signedECText" _debug3 "_signedECText" "$_signedECText"
@ -948,10 +948,10 @@ _createkey() {
if _isEccKey "$length"; then if _isEccKey "$length"; then
_debug "Using ec name: $eccname" _debug "Using ec name: $eccname"
$ACME_OPENSSL_BIN ecparam -name "$eccname" -genkey 2>/dev/null >"$f" ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
else else
_debug "Using RSA: $length" _debug "Using RSA: $length"
$ACME_OPENSSL_BIN genrsa "$length" 2>/dev/null >"$f" ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
fi fi
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
@ -1038,9 +1038,9 @@ _createcsr() {
_csr_cn="$(_idn "$domain")" _csr_cn="$(_idn "$domain")"
_debug2 _csr_cn "$_csr_cn" _debug2 _csr_cn "$_csr_cn"
if _contains "$(uname -a)" "MINGW"; then if _contains "$(uname -a)" "MINGW"; then
$ACME_OPENSSL_BIN req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr" ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr"
else else
$ACME_OPENSSL_BIN req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr" ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
fi fi
} }
@ -1052,7 +1052,7 @@ _signcsr() {
cert="$4" cert="$4"
_debug "_signcsr" _debug "_signcsr"
_msg="$($ACME_OPENSSL_BIN x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)" _msg="$(${ACME_OPENSSL_BIN:-openssl} x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
_ret="$?" _ret="$?"
_debug "$_msg" _debug "$_msg"
return $_ret return $_ret
@ -1065,7 +1065,7 @@ _readSubjectFromCSR() {
_usage "_readSubjectFromCSR mycsr.csr" _usage "_readSubjectFromCSR mycsr.csr"
return 1 return 1
fi fi
$ACME_OPENSSL_BIN req -noout -in "$_csrfile" -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n' ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
} }
#_csrfile #_csrfile
@ -1080,7 +1080,7 @@ _readSubjectAltNamesFromCSR() {
_csrsubj="$(_readSubjectFromCSR "$_csrfile")" _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
_debug _csrsubj "$_csrsubj" _debug _csrsubj "$_csrsubj"
_dnsAltnames="$($ACME_OPENSSL_BIN req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')" _dnsAltnames="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
_debug _dnsAltnames "$_dnsAltnames" _debug _dnsAltnames "$_dnsAltnames"
if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
@ -1101,7 +1101,8 @@ _readKeyLengthFromCSR() {
return 1 return 1
fi fi
_outcsr="$($ACME_OPENSSL_BIN req -noout -text -in "$_csrfile")" _outcsr="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile")"
_debug2 _outcsr "$_outcsr"
if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then
_debug "ECC CSR" _debug "ECC CSR"
echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' ' echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
@ -1159,9 +1160,9 @@ toPkcs() {
_initpath "$domain" "$_isEcc" _initpath "$domain" "$_isEcc"
if [ "$pfxPassword" ]; then if [ "$pfxPassword" ]; then
$ACME_OPENSSL_BIN pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword" ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
else else
$ACME_OPENSSL_BIN pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
fi fi
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
@ -1183,7 +1184,7 @@ toPkcs8() {
_initpath "$domain" "$_isEcc" _initpath "$domain" "$_isEcc"
$ACME_OPENSSL_BIN pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$CERT_KEY_PATH" -out "$CERT_PKCS8_PATH" ${ACME_OPENSSL_BIN:-openssl} pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$CERT_KEY_PATH" -out "$CERT_PKCS8_PATH"
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
_info "Success, $CERT_PKCS8_PATH" _info "Success, $CERT_PKCS8_PATH"
@ -1344,7 +1345,7 @@ _calcjwk() {
if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
_debug "RSA key" _debug "RSA key"
pub_exp=$($ACME_OPENSSL_BIN rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) pub_exp=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
if [ "${#pub_exp}" = "5" ]; then if [ "${#pub_exp}" = "5" ]; then
pub_exp=0$pub_exp pub_exp=0$pub_exp
fi fi
@ -1353,7 +1354,7 @@ _calcjwk() {
e=$(echo "$pub_exp" | _h2b | _base64) e=$(echo "$pub_exp" | _h2b | _base64)
_debug3 e "$e" _debug3 e "$e"
modulus=$($ACME_OPENSSL_BIN rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2) modulus=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2)
_debug3 modulus "$modulus" _debug3 modulus "$modulus"
n="$(printf "%s" "$modulus" | _h2b | _base64 | _url_replace)" n="$(printf "%s" "$modulus" | _h2b | _base64 | _url_replace)"
_debug3 n "$n" _debug3 n "$n"
@ -1366,12 +1367,12 @@ _calcjwk() {
JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}' JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
_debug "EC key" _debug "EC key"
crv="$($ACME_OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")" crv="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
_debug3 crv "$crv" _debug3 crv "$crv"
if [ -z "$crv" ]; then if [ -z "$crv" ]; then
_debug "Let's try ASN1 OID" _debug "Let's try ASN1 OID"
crv_oid="$($ACME_OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")" crv_oid="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")"
_debug3 crv_oid "$crv_oid" _debug3 crv_oid "$crv_oid"
case "${crv_oid}" in case "${crv_oid}" in
"prime256v1") "prime256v1")
@ -1391,15 +1392,15 @@ _calcjwk() {
_debug3 crv "$crv" _debug3 crv "$crv"
fi fi
pubi="$($ACME_OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)" pubi="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
pubi=$(_math "$pubi" + 1) pubi=$(_math "$pubi" + 1)
_debug3 pubi "$pubi" _debug3 pubi "$pubi"
pubj="$($ACME_OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)" pubj="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
pubj=$(_math "$pubj" - 1) pubj=$(_math "$pubj" - 1)
_debug3 pubj "$pubj" _debug3 pubj "$pubj"
pubtext="$($ACME_OPENSSL_BIN ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")" pubtext="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
_debug3 pubtext "$pubtext" _debug3 pubtext "$pubtext"
xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)" xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)"
@ -2017,7 +2018,7 @@ _starttlsserver() {
return 1 return 1
fi fi
__S_OPENSSL="$ACME_OPENSSL_BIN s_server -cert $TLS_CERT -key $TLS_KEY " __S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -cert $TLS_CERT -key $TLS_KEY "
if [ "$opaddr" ]; then if [ "$opaddr" ]; then
__S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port" __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
else else
@ -2258,16 +2259,16 @@ _initpath() {
fi fi
if [ -z "$TLS_CONF" ]; then if [ -z "$TLS_CONF" ]; then
TLS_CONF="$DOMAIN_PATH/tls.valdation.conf" TLS_CONF="$DOMAIN_PATH/tls.validation.conf"
fi fi
if [ -z "$TLS_CERT" ]; then if [ -z "$TLS_CERT" ]; then
TLS_CERT="$DOMAIN_PATH/tls.valdation.cert" TLS_CERT="$DOMAIN_PATH/tls.validation.cert"
fi fi
if [ -z "$TLS_KEY" ]; then if [ -z "$TLS_KEY" ]; then
TLS_KEY="$DOMAIN_PATH/tls.valdation.key" TLS_KEY="$DOMAIN_PATH/tls.validation.key"
fi fi
if [ -z "$TLS_CSR" ]; then if [ -z "$TLS_CSR" ]; then
TLS_CSR="$DOMAIN_PATH/tls.valdation.csr" TLS_CSR="$DOMAIN_PATH/tls.validation.csr"
fi fi
} }
@ -2385,7 +2386,7 @@ _setApache() {
_debug "Backup apache config file" "$httpdconf" _debug "Backup apache config file" "$httpdconf"
if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then
_err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed." _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
_err "This might be a bug of $PROJECT_NAME , pleae report issue: $PROJECT" _err "This might be a bug of $PROJECT_NAME , please report issue: $PROJECT"
return 1 return 1
fi fi
_info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
@ -2883,7 +2884,7 @@ _on_issue_err() {
uri=$(echo "$ventry" | cut -d "$sep" -f 3) uri=$(echo "$ventry" | cut -d "$sep" -f 3)
vtype=$(echo "$ventry" | cut -d "$sep" -f 4) vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5) _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
__trigger_validaton "$uri" "$keyauthorization" __trigger_validation "$uri" "$keyauthorization"
done done
) )
fi fi
@ -3105,7 +3106,7 @@ __get_domain_new_authz() {
} }
#uri keyAuthorization #uri keyAuthorization
__trigger_validaton() { __trigger_validation() {
_debug2 "tigger domain validation." _debug2 "tigger domain validation."
_t_url="$1" _t_url="$1"
_debug2 _t_url "$_t_url" _debug2 _t_url "$_t_url"
@ -3120,6 +3121,10 @@ issue() {
_usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ " _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
return 1 return 1
fi fi
if [ -z "$1" ]; then
_usage "Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc."
return 1
fi
_web_roots="$1" _web_roots="$1"
_main_domain="$2" _main_domain="$2"
_alt_domains="$3" _alt_domains="$3"
@ -3490,7 +3495,7 @@ issue() {
_exec_err >/dev/null 2>&1 _exec_err >/dev/null 2>&1
fi fi
else else
_debug "not chaning owner/group of webroot" _debug "not changing owner/group of webroot"
fi fi
fi fi
@ -3531,7 +3536,7 @@ issue() {
fi fi
fi fi
if ! __trigger_validaton "$uri" "$keyauthorization"; then if ! __trigger_validation "$uri" "$keyauthorization"; then
_err "$d:Can not get challenge: $response" _err "$d:Can not get challenge: $response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token" _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup _clearup
@ -3635,6 +3640,7 @@ issue() {
_rcert="$response" _rcert="$response"
Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)" Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
_debug "Le_LinkCert" "$Le_LinkCert"
_savedomainconf "Le_LinkCert" "$Le_LinkCert" _savedomainconf "Le_LinkCert" "$Le_LinkCert"
if [ "$Le_LinkCert" ]; then if [ "$Le_LinkCert" ]; then
@ -3681,16 +3687,34 @@ issue() {
if ! _contains "$Le_LinkIssuer" ":"; then if ! _contains "$Le_LinkIssuer" ":"; then
Le_LinkIssuer="$API$Le_LinkIssuer" Le_LinkIssuer="$API$Le_LinkIssuer"
fi fi
_debug Le_LinkIssuer "$Le_LinkIssuer"
_savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer" _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
if [ "$Le_LinkIssuer" ]; then if [ "$Le_LinkIssuer" ]; then
_link_issuer_retry=0
_MAX_ISSUER_RETRY=5
while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
_debug _link_issuer_retry "$_link_issuer_retry"
if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
echo "$BEGIN_CERT" >"$CA_CERT_PATH" echo "$BEGIN_CERT" >"$CA_CERT_PATH"
_get "$Le_LinkIssuer" | _base64 "multiline" >>"$CA_CERT_PATH" _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
echo "$END_CERT" >>"$CA_CERT_PATH" echo "$END_CERT" >>"$CA_CERT_PATH"
_info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")" _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH" cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
_info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")" _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
rm -f "$CA_CERT_PATH.der"
break
fi
_link_issuer_retry=$(_math $_link_issuer_retry + 1)
_sleep "$_link_issuer_retry"
done
if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
_err "Max retry for issuer ca cert is reached."
fi
else
_debug "No Le_LinkIssuer header found."
fi fi
Le_CertCreateTime=$(_time) Le_CertCreateTime=$(_time)
@ -4134,6 +4158,7 @@ _installcert() {
export CERT_KEY_PATH export CERT_KEY_PATH
export CA_CERT_PATH export CA_CERT_PATH
export CERT_FULLCHAIN_PATH export CERT_FULLCHAIN_PATH
export Le_Domain
cd "$DOMAIN_PATH" && eval "$_reload_cmd" cd "$DOMAIN_PATH" && eval "$_reload_cmd"
); then ); then
_info "$(__green "Reload success")" _info "$(__green "Reload success")"
@ -4462,7 +4487,7 @@ _precheck() {
fi fi
fi fi
if ! _exists "$ACME_OPENSSL_BIN"; then if ! _exists "${ACME_OPENSSL_BIN:-openssl}"; then
_err "Please install openssl first. ACME_OPENSSL_BIN=$ACME_OPENSSL_BIN" _err "Please install openssl first. ACME_OPENSSL_BIN=$ACME_OPENSSL_BIN"
_err "We need openssl to generate keys." _err "We need openssl to generate keys."
return 1 return 1
@ -4704,6 +4729,7 @@ _uninstallalias() {
cron() { cron() {
IN_CRON=1 IN_CRON=1
_initpath _initpath
_info "$(__green "===Starting cron===")"
if [ "$AUTO_UPGRADE" = "1" ]; then if [ "$AUTO_UPGRADE" = "1" ]; then
export LE_WORKING_DIR export LE_WORKING_DIR
( (
@ -4723,6 +4749,7 @@ cron() {
renewAll renewAll
_ret="$?" _ret="$?"
IN_CRON="" IN_CRON=""
_info "$(__green "===End cron===")"
exit $_ret exit $_ret
} }
@ -4806,13 +4833,13 @@ Parameters:
--listraw Only used for '--list' command, list the certs in raw format. --listraw Only used for '--list' command, list the certs in raw format.
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal. --stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
--ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate. --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl. --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR' --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
--csr Specifies the input csr. --csr Specifies the input csr.
--pre-hook Command to be run before obtaining any certificates. --pre-hook Command to be run before obtaining any certificates.
--post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
--renew-hook Command to be run once for each successfully renewed certificate. --renew-hook Command to be run once for each successfully renewed certificate.
--deploy-hook The hook file to deploy cert --deploy-hook The hook file to deploy cert
--ocsp-must-staple, --ocsp Generate ocsp must Staple extension. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.

4
deploy/exim4.sh
View File

@ -79,7 +79,7 @@ exim4_deploy() {
_info "Restore conf success" _info "Restore conf success"
eval "$_reload" eval "$_reload"
else else
_err "Opps, error restore exim4 conf, please report bug to us." _err "Oops, error restore exim4 conf, please report bug to us."
fi fi
return 1 return 1
fi fi
@ -105,7 +105,7 @@ exim4_deploy() {
_info "Restore conf success" _info "Restore conf success"
eval "$_reload" eval "$_reload"
else else
_err "Opps, error restore exim4 conf, please report bug to us." _err "Oops, error restore exim4 conf, please report bug to us."
fi fi
return 1 return 1
fi fi

4
deploy/kong.sh
View File

@ -43,7 +43,7 @@ kong_deploy() {
#Save kong url if it's succesful (First run case) #Save kong url if it's succesful (First run case)
_saveaccountconf KONG_URL "$KONG_URL" _saveaccountconf KONG_URL "$KONG_URL"
#Generate DEIM #Generate DEIM
delim="-----MultipartDelimeter$(date "+%s%N")" delim="-----MultipartDelimiter$(date "+%s%N")"
nl="\015\012" nl="\015\012"
#Set Header #Set Header
_H1="Content-Type: multipart/form-data; boundary=$delim" _H1="Content-Type: multipart/form-data; boundary=$delim"
@ -72,7 +72,7 @@ kong_deploy() {
response=$(_post "$content" "$KONG_URL/apis/$uuid/plugins/$ssl_uuid" "" "PATCH") response=$(_post "$content" "$KONG_URL/apis/$uuid/plugins/$ssl_uuid" "" "PATCH")
fi fi
if ! [ "$(echo "$response" | _egrep_o "ssl")" = "ssl" ]; then if ! [ "$(echo "$response" | _egrep_o "ssl")" = "ssl" ]; then
_err "An error occured with cert upload. Check response:" _err "An error occurred with cert upload. Check response:"
_err "$response" _err "$response"
return 1 return 1
fi fi

4
deploy/vsftpd.sh
View File

@ -76,7 +76,7 @@ vsftpd_deploy() {
_info "Restore conf success" _info "Restore conf success"
eval "$_reload" eval "$_reload"
else else
_err "Opps, error restore vsftpd conf, please report bug to us." _err "Oops, error restore vsftpd conf, please report bug to us."
fi fi
return 1 return 1
fi fi
@ -102,7 +102,7 @@ vsftpd_deploy() {
_info "Restore conf success" _info "Restore conf success"
eval "$_reload" eval "$_reload"
else else
_err "Opps, error restore vsftpd conf, please report bug to us." _err "Oops, error restore vsftpd conf, please report bug to us."
fi fi
return 1 return 1
fi fi

2
dnsapi/README.md
View File

@ -302,7 +302,7 @@ acme.sh --issue --dns dns_freedns -d example.com -d www.example.com
``` ```
Note that you cannot use acme.sh automatic DNS validation for FreeDNS public domains or for a subdomain that Note that you cannot use acme.sh automatic DNS validation for FreeDNS public domains or for a subdomain that
you create under a FreeDNS public domain. You must own the top level domain in order to automaitcally you create under a FreeDNS public domain. You must own the top level domain in order to automatically
validate with acme.sh at FreeDNS. validate with acme.sh at FreeDNS.
## 16. Use cyon.ch ## 16. Use cyon.ch

16
dnsapi/dns_aws.sh
View File

@ -88,6 +88,19 @@ _get_root() {
while true; do while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100) h=$(printf "%s" "$domain" | cut -d . -f $i-100)
if [ -z "$h" ]; then if [ -z "$h" ]; then
if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
_debug "IsTruncated"
_nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
_debug "NextMarker" "$_nextMarker"
if aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"; then
_debug "Truncated request OK"
i=2
p=1
continue
else
_err "Truncated request error."
fi
fi
#not valid #not valid
return 1 return 1
fi fi
@ -208,6 +221,9 @@ aws_rest() {
_debug _H2 "$_H2" _debug _H2 "$_H2"
url="$AWS_URL/$ep" url="$AWS_URL/$ep"
if [ "$qsr" ]; then
url="$AWS_URL/$ep?$qsr"
fi
if [ "$mtd" = "GET" ]; then if [ "$mtd" = "GET" ]; then
response="$(_get "$url")" response="$(_get "$url")"

2
dnsapi/dns_cyon.sh
View File

@ -50,7 +50,7 @@ _cyon_load_credentials() {
fi fi
if [ -z "${CY_Username}" ] || [ -z "${CY_Password}" ]; then if [ -z "${CY_Username}" ] || [ -z "${CY_Password}" ]; then
# Dummy entries to satify script checker. # Dummy entries to satisfy script checker.
CY_Username="" CY_Username=""
CY_Password="" CY_Password=""
CY_OTP_Secret="" CY_OTP_Secret=""

2
dnsapi/dns_dgon.sh
View File

@ -158,7 +158,7 @@ _get_base_domain() {
export _H2="Authorization: Bearer $DO_API_KEY" export _H2="Authorization: Bearer $DO_API_KEY"
_debug DO_API_KEY "$DO_API_KEY" _debug DO_API_KEY "$DO_API_KEY"
## get URL for the list of domains ## get URL for the list of domains
## havent seen this request paginated, tested with 18 domains (more requres manual requests with DO) ## havent seen this request paginated, tested with 18 domains (more requires manual requests with DO)
DOMURL="https://api.digitalocean.com/v2/domains" DOMURL="https://api.digitalocean.com/v2/domains"
## get the domain list (DO gives basically a full XFER!) ## get the domain list (DO gives basically a full XFER!)

18
dnsapi/dns_freedns.sh
View File

@ -10,7 +10,7 @@
# #
######## Public functions ##################### ######## Public functions #####################
# Export FreeDNS userid and password in folowing variables... # Export FreeDNS userid and password in following variables...
# FREEDNS_User=username # FREEDNS_User=username
# FREEDNS_Password=password # FREEDNS_Password=password
# login cookie is saved in acme account config file so userid / pw # login cookie is saved in acme account config file so userid / pw
@ -53,7 +53,7 @@ dns_freedns_add() {
i="$(_math "$i" - 1)" i="$(_math "$i" - 1)"
sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")" sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")"
# Sometimes FreeDNS does not reurn the subdomain page but rather # Sometimes FreeDNS does not return the subdomain page but rather
# returns a page regarding becoming a premium member. This usually # returns a page regarding becoming a premium member. This usually
# happens after a period of inactivity. Immediately trying again # happens after a period of inactivity. Immediately trying again
# returns the correct subdomain page. So, we will try twice to # returns the correct subdomain page. So, we will try twice to
@ -65,7 +65,7 @@ dns_freedns_add() {
htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
if [ "$using_cached_cookies" = "true" ]; then if [ "$using_cached_cookies" = "true" ]; then
_err "Has your FreeDNS username and password channged? If so..." _err "Has your FreeDNS username and password changed? If so..."
_err "Please export as FREEDNS_User / FREEDNS_Password and try again." _err "Please export as FREEDNS_User / FREEDNS_Password and try again."
fi fi
return 1 return 1
@ -112,7 +112,7 @@ dns_freedns_add() {
# not produce accurate results as the value field is truncated # not produce accurate results as the value field is truncated
# on this webpage. To get full value we would need to load # on this webpage. To get full value we would need to load
# another page. However we don't really need this so long as # another page. However we don't really need this so long as
# there is only one TXT record for the acme chalenge subdomain. # there is only one TXT record for the acme challenge subdomain.
DNSvalue="$(echo "$line" | cut -d ',' -f 4 | sed 's/^[^&quot;]*&quot;//;s/&quot;.*//;s/<\/td>.*//')" DNSvalue="$(echo "$line" | cut -d ',' -f 4 | sed 's/^[^&quot;]*&quot;//;s/&quot;.*//;s/<\/td>.*//')"
if [ $found != 0 ]; then if [ $found != 0 ]; then
break break
@ -192,11 +192,11 @@ dns_freedns_rm() {
# Need to read cookie from conf file again in case new value set # Need to read cookie from conf file again in case new value set
# during login to FreeDNS when TXT record was created. # during login to FreeDNS when TXT record was created.
# acme.sh does not have a _readaccountconf() fuction # acme.sh does not have a _readaccountconf() function
FREEDNS_COOKIE="$(_read_conf "$ACCOUNT_CONF_PATH" "FREEDNS_COOKIE")" FREEDNS_COOKIE="$(_read_conf "$ACCOUNT_CONF_PATH" "FREEDNS_COOKIE")"
_debug "FreeDNS login cookies: $FREEDNS_COOKIE" _debug "FreeDNS login cookies: $FREEDNS_COOKIE"
# Sometimes FreeDNS does not reurn the subdomain page but rather # Sometimes FreeDNS does not return the subdomain page but rather
# returns a page regarding becoming a premium member. This usually # returns a page regarding becoming a premium member. This usually
# happens after a period of inactivity. Immediately trying again # happens after a period of inactivity. Immediately trying again
# returns the correct subdomain page. So, we will try twice to # returns the correct subdomain page. So, we will try twice to
@ -302,12 +302,12 @@ _freedns_retrieve_subdomain_page() {
export _H2="Accept-Language:en-US" export _H2="Accept-Language:en-US"
url="https://freedns.afraid.org/subdomain/" url="https://freedns.afraid.org/subdomain/"
_debug "Retrieve subdmoain page from FreeDNS" _debug "Retrieve subdomain page from FreeDNS"
htmlpage="$(_get "$url")" htmlpage="$(_get "$url")"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
_err "FreeDNS retrieve subdomins failed bad RC from _get" _err "FreeDNS retrieve subdomains failed bad RC from _get"
return 1 return 1
elif [ -z "$htmlpage" ]; then elif [ -z "$htmlpage" ]; then
_err "FreeDNS returned empty subdomain page" _err "FreeDNS returned empty subdomain page"
@ -341,7 +341,7 @@ _freedns_add_txt_record() {
return 1 return 1
elif _contains "$htmlpage" "security code was incorrect"; then elif _contains "$htmlpage" "security code was incorrect"; then
_debug "$htmlpage" _debug "$htmlpage"
_err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested seurity code" _err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code"
_err "Note that you cannot use automatic DNS validation for FreeDNS public domains" _err "Note that you cannot use automatic DNS validation for FreeDNS public domains"
return 1 return 1
fi fi

2
dnsapi/dns_gandi_livedns.sh
View File

@ -19,7 +19,7 @@ dns_gandi_livedns_add() {
txtvalue=$2 txtvalue=$2
if [ -z "$GANDI_LIVEDNS_KEY" ]; then if [ -z "$GANDI_LIVEDNS_KEY" ]; then
_err "No API key specifed for Gandi LiveDNS." _err "No API key specified for Gandi LiveDNS."
_err "Create your key and export it as GANDI_LIVEDNS_KEY" _err "Create your key and export it as GANDI_LIVEDNS_KEY"
return 1 return 1
fi fi

2
dnsapi/dns_ovh.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
#Applcation Key #Application Key
#OVH_AK="sdfsdfsdfljlbjkljlkjsdfoiwje" #OVH_AK="sdfsdfsdfljlbjkljlkjsdfoiwje"
# #
#Application Secret #Application Secret

2
dnsapi/dns_pdns.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
#PowerDNS Emdedded API #PowerDNS Embedded API
#https://doc.powerdns.com/md/httpapi/api_spec/ #https://doc.powerdns.com/md/httpapi/api_spec/
# #
#PDNS_Url="http://ns.example.com:8081" #PDNS_Url="http://ns.example.com:8081"