mirror of
https://github.com/plantroon/acme.sh.git
synced 2025-01-27 13:49:50 +00:00
Merge remote-tracking branch 'upstream/master' into ssh-deploy
This commit is contained in:
commit
19aa2ccf4d
@ -50,7 +50,7 @@ RUN for verb in help \
|
|||||||
|
|
||||||
RUN printf "%b" '#!'"/usr/bin/env sh\n \
|
RUN printf "%b" '#!'"/usr/bin/env sh\n \
|
||||||
if [ \"\$1\" = \"daemon\" ]; then \n \
|
if [ \"\$1\" = \"daemon\" ]; then \n \
|
||||||
crond; tail -f /dev/null;\n \
|
crond -f\n \
|
||||||
else \n \
|
else \n \
|
||||||
/root/.acme.sh/acme.sh --config-home /acme.sh \"\$@\"\n \
|
/root/.acme.sh/acme.sh --config-home /acme.sh \"\$@\"\n \
|
||||||
fi" >/entry.sh && chmod +x /entry.sh
|
fi" >/entry.sh && chmod +x /entry.sh
|
||||||
|
@ -62,7 +62,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
|
|||||||
|19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
|
|19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
|
||||||
|20|[![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX
|
|20|[![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX
|
||||||
|
|
||||||
For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest):
|
For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest):
|
||||||
|
|
||||||
https://github.com/Neilpang/acmetest
|
https://github.com/Neilpang/acmetest
|
||||||
|
|
||||||
@ -199,7 +199,7 @@ The ownership and permission info of existing files are preserved. You may want
|
|||||||
|
|
||||||
Install/copy the issued cert/key to the production Apache or Nginx path.
|
Install/copy the issued cert/key to the production Apache or Nginx path.
|
||||||
|
|
||||||
The cert will be `renewed every **60** days by default` (which is configurable). Once the cert is renewed, the Apache/Nginx service will be restarted automatically by the command: `service apache2 restart` or `service nginx restart`.
|
The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
|
||||||
|
|
||||||
|
|
||||||
# 4. Use Standalone server to issue cert
|
# 4. Use Standalone server to issue cert
|
||||||
|
231
acme.sh
231
acme.sh
@ -1,6 +1,6 @@
|
|||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
VER=2.6.9
|
VER=2.7.3
|
||||||
|
|
||||||
PROJECT_NAME="acme.sh"
|
PROJECT_NAME="acme.sh"
|
||||||
|
|
||||||
@ -13,7 +13,8 @@ _SCRIPT_="$0"
|
|||||||
|
|
||||||
_SUB_FOLDERS="dnsapi deploy"
|
_SUB_FOLDERS="dnsapi deploy"
|
||||||
|
|
||||||
DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
|
_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org"
|
||||||
|
DEFAULT_CA="https://acme-v01.api.letsencrypt.org/directory"
|
||||||
DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
|
DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
|
||||||
|
|
||||||
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
|
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
|
||||||
@ -24,7 +25,8 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048
|
|||||||
|
|
||||||
DEFAULT_OPENSSL_BIN="openssl"
|
DEFAULT_OPENSSL_BIN="openssl"
|
||||||
|
|
||||||
STAGE_CA="https://acme-staging.api.letsencrypt.org"
|
STAGE_CA="https://acme-staging.api.letsencrypt.org/directory"
|
||||||
|
_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org"
|
||||||
|
|
||||||
VTYPE_HTTP="http-01"
|
VTYPE_HTTP="http-01"
|
||||||
VTYPE_DNS="dns-01"
|
VTYPE_DNS="dns-01"
|
||||||
@ -104,21 +106,21 @@ if [ -t 1 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
__green() {
|
__green() {
|
||||||
if [ "$__INTERACTIVE" ]; then
|
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
|
||||||
printf '\033[1;31;32m'
|
printf '\033[1;31;32m'
|
||||||
fi
|
fi
|
||||||
printf -- "%b" "$1"
|
printf -- "%b" "$1"
|
||||||
if [ "$__INTERACTIVE" ]; then
|
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
|
||||||
printf '\033[0m'
|
printf '\033[0m'
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
__red() {
|
__red() {
|
||||||
if [ "$__INTERACTIVE" ]; then
|
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
|
||||||
printf '\033[1;31;40m'
|
printf '\033[1;31;40m'
|
||||||
fi
|
fi
|
||||||
printf -- "%b" "$1"
|
printf -- "%b" "$1"
|
||||||
if [ "$__INTERACTIVE" ]; then
|
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
|
||||||
printf '\033[0m'
|
printf '\033[0m'
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -151,6 +153,13 @@ _dlg_versions() {
|
|||||||
echo "apache doesn't exists."
|
echo "apache doesn't exists."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo "nginx:"
|
||||||
|
if _exists "nginx"; then
|
||||||
|
nginx -V 2>&1
|
||||||
|
else
|
||||||
|
echo "nginx doesn't exists."
|
||||||
|
fi
|
||||||
|
|
||||||
echo "nc:"
|
echo "nc:"
|
||||||
if _exists "nc"; then
|
if _exists "nc"; then
|
||||||
nc -h 2>&1
|
nc -h 2>&1
|
||||||
@ -443,6 +452,11 @@ if [ "$(printf '\x41')" != 'A' ]; then
|
|||||||
_URGLY_PRINTF=1
|
_URGLY_PRINTF=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
_ESCAPE_XARGS=""
|
||||||
|
if [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then
|
||||||
|
_ESCAPE_XARGS=1
|
||||||
|
fi
|
||||||
|
|
||||||
_h2b() {
|
_h2b() {
|
||||||
if _exists xxd; then
|
if _exists xxd; then
|
||||||
xxd -r -p
|
xxd -r -p
|
||||||
@ -450,31 +464,33 @@ _h2b() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
hex=$(cat)
|
hex=$(cat)
|
||||||
i=1
|
ic=""
|
||||||
j=2
|
jc=""
|
||||||
_debug2 _URGLY_PRINTF "$_URGLY_PRINTF"
|
_debug2 _URGLY_PRINTF "$_URGLY_PRINTF"
|
||||||
if [ -z "$_URGLY_PRINTF" ]; then
|
if [ -z "$_URGLY_PRINTF" ]; then
|
||||||
while true; do
|
if [ "$_ESCAPE_XARGS" ] && _exists xargs; then
|
||||||
h="$(printf "%s" "$hex" | cut -c $i-$j)"
|
_debug2 "xargs"
|
||||||
if [ -z "$h" ]; then
|
echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf
|
||||||
break
|
else
|
||||||
fi
|
for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do
|
||||||
printf "\x$h%s"
|
if [ -z "$h" ]; then
|
||||||
i="$(_math "$i" + 2)"
|
break
|
||||||
j="$(_math "$j" + 2)"
|
fi
|
||||||
done
|
printf "\x$h%s"
|
||||||
|
done
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
while true; do
|
for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do
|
||||||
ic="$(printf "%s" "$hex" | cut -c $i)"
|
if [ -z "$ic" ]; then
|
||||||
jc="$(printf "%s" "$hex" | cut -c $j)"
|
ic=$c
|
||||||
if [ -z "$ic$jc" ]; then
|
continue
|
||||||
break
|
|
||||||
fi
|
fi
|
||||||
|
jc=$c
|
||||||
ic="$(_h_char_2_dec "$ic")"
|
ic="$(_h_char_2_dec "$ic")"
|
||||||
jc="$(_h_char_2_dec "$jc")"
|
jc="$(_h_char_2_dec "$jc")"
|
||||||
printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
|
printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
|
||||||
i="$(_math "$i" + 2)"
|
ic=""
|
||||||
j="$(_math "$j" + 2)"
|
jc=""
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1079,7 +1095,7 @@ _readSubjectFromCSR() {
|
|||||||
_usage "_readSubjectFromCSR mycsr.csr"
|
_usage "_readSubjectFromCSR mycsr.csr"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
|
${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n'
|
||||||
}
|
}
|
||||||
|
|
||||||
#_csrfile
|
#_csrfile
|
||||||
@ -1122,7 +1138,7 @@ _readKeyLengthFromCSR() {
|
|||||||
echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
|
echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
|
||||||
else
|
else
|
||||||
_debug "RSA CSR"
|
_debug "RSA CSR"
|
||||||
echo "$_outcsr" | tr "\t" " " | _egrep_o "(^ *|RSA )Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
|
echo "$_outcsr" | tr "\t" " " | (_egrep_o "^ *Public.Key:.*" || _egrep_o "RSA Public.Key:.*") | cut -d '(' -f 2 | cut -d ' ' -f 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1700,9 +1716,19 @@ _send_signed_request() {
|
|||||||
while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
|
while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
|
||||||
_debug3 _request_retry_times "$_request_retry_times"
|
_debug3 _request_retry_times "$_request_retry_times"
|
||||||
if [ -z "$_CACHED_NONCE" ]; then
|
if [ -z "$_CACHED_NONCE" ]; then
|
||||||
_debug2 "Get nonce."
|
_headers=""
|
||||||
nonceurl="$API/directory"
|
if [ "$ACME_NEW_NONCE" ]; then
|
||||||
_headers="$(_get "$nonceurl" "onlyheader")"
|
_debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
|
||||||
|
nonceurl="$ACME_NEW_NONCE"
|
||||||
|
if _post "" "$nonceurl" "" "HEAD"; then
|
||||||
|
_headers="$(cat "$HTTP_HEADER")"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -z "$_headers" ]; then
|
||||||
|
_debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY"
|
||||||
|
nonceurl="$ACME_DIRECTORY"
|
||||||
|
_headers="$(_get "$nonceurl" "onlyheader")"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$?" != "0" ]; then
|
if [ "$?" != "0" ]; then
|
||||||
_err "Can not connect to $nonceurl to get nonce."
|
_err "Can not connect to $nonceurl to get nonce."
|
||||||
@ -1719,7 +1745,7 @@ _send_signed_request() {
|
|||||||
nonce="$_CACHED_NONCE"
|
nonce="$_CACHED_NONCE"
|
||||||
_debug2 nonce "$nonce"
|
_debug2 nonce "$nonce"
|
||||||
|
|
||||||
protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
|
protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2"
|
||||||
_debug3 protected "$protected"
|
_debug3 protected "$protected"
|
||||||
|
|
||||||
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
|
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
|
||||||
@ -2155,6 +2181,62 @@ __initHome() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#server
|
||||||
|
_initAPI() {
|
||||||
|
_api_server="${1:-$ACME_DIRECTORY}"
|
||||||
|
_debug "_init api for server: $_api_server"
|
||||||
|
|
||||||
|
if [ "$_api_server" = "$DEFAULT_CA" ]; then
|
||||||
|
#just for performance, hardcode the default entry points
|
||||||
|
export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change"
|
||||||
|
export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz"
|
||||||
|
export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert"
|
||||||
|
export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg"
|
||||||
|
export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$ACME_NEW_ACCOUNT" ]; then
|
||||||
|
response=$(_get "$_api_server")
|
||||||
|
if [ "$?" != "0" ]; then
|
||||||
|
_debug2 "response" "$response"
|
||||||
|
_err "Can not init api."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
_debug2 "response" "$response"
|
||||||
|
|
||||||
|
ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
export ACME_KEY_CHANGE
|
||||||
|
|
||||||
|
ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
export ACME_NEW_AUTHZ
|
||||||
|
|
||||||
|
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
if [ -z "$ACME_NEW_ORDER" ]; then
|
||||||
|
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
fi
|
||||||
|
export ACME_NEW_ORDER
|
||||||
|
|
||||||
|
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
if [ -z "$ACME_NEW_ACCOUNT" ]; then
|
||||||
|
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
fi
|
||||||
|
export ACME_NEW_ACCOUNT
|
||||||
|
|
||||||
|
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
export ACME_REVOKE_CERT
|
||||||
|
|
||||||
|
ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
|
||||||
|
export ACME_NEW_NONCE
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
_debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
|
||||||
|
_debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ"
|
||||||
|
_debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER"
|
||||||
|
_debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT"
|
||||||
|
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
|
||||||
|
}
|
||||||
|
|
||||||
#[domain] [keylength]
|
#[domain] [keylength]
|
||||||
_initpath() {
|
_initpath() {
|
||||||
|
|
||||||
@ -2175,17 +2257,19 @@ _initpath() {
|
|||||||
CA_HOME="$DEFAULT_CA_HOME"
|
CA_HOME="$DEFAULT_CA_HOME"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$API" ]; then
|
if [ -z "$ACME_DIRECTORY" ]; then
|
||||||
if [ -z "$STAGE" ]; then
|
if [ -z "$STAGE" ]; then
|
||||||
API="$DEFAULT_CA"
|
ACME_DIRECTORY="$DEFAULT_CA"
|
||||||
else
|
else
|
||||||
API="$STAGE_CA"
|
ACME_DIRECTORY="$STAGE_CA"
|
||||||
_info "Using stage api:$API"
|
_info "Using stage ACME_DIRECTORY: $ACME_DIRECTORY"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
|
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
|
||||||
CA_DIR="$CA_HOME/$_API_HOST"
|
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
|
||||||
|
|
||||||
|
CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
|
||||||
|
|
||||||
_DEFAULT_CA_CONF="$CA_DIR/ca.conf"
|
_DEFAULT_CA_CONF="$CA_DIR/ca.conf"
|
||||||
|
|
||||||
@ -2572,7 +2656,7 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
|
|||||||
_err "write nginx conf error, but don't worry, the file is restored."
|
_err "write nginx conf error, but don't worry, the file is restored."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
_debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
|
||||||
_info "nginx conf is done, let's check it again."
|
_info "nginx conf is done, let's check it again."
|
||||||
if ! _exec "nginx -t" >/dev/null; then
|
if ! _exec "nginx -t" >/dev/null; then
|
||||||
_exec_err
|
_exec_err
|
||||||
@ -2658,12 +2742,14 @@ _isRealNginxConf() {
|
|||||||
|
|
||||||
_debug "_seg_n" "$_seg_n"
|
_debug "_seg_n" "$_seg_n"
|
||||||
|
|
||||||
if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ]; then
|
if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ] \
|
||||||
|
|| [ "$(echo "$_seg_n" | _egrep_o "listen .* ssl[ |;]")" ]; then
|
||||||
_debug "ssl on, skip"
|
_debug "ssl on, skip"
|
||||||
return 1
|
else
|
||||||
|
FOUND_REAL_NGINX_CONF_LN=$_fln
|
||||||
|
_debug3 "found FOUND_REAL_NGINX_CONF_LN" "$FOUND_REAL_NGINX_CONF_LN"
|
||||||
|
return 0
|
||||||
fi
|
fi
|
||||||
FOUND_REAL_NGINX_CONF_LN=$_fln
|
|
||||||
return 0
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -2714,7 +2800,7 @@ _clearup() {
|
|||||||
_clearupdns() {
|
_clearupdns() {
|
||||||
_debug "_clearupdns"
|
_debug "_clearupdns"
|
||||||
if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
|
if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
|
||||||
_debug "Dns not added, skip."
|
_debug "skip dns."
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3004,7 +3090,7 @@ _regAccount() {
|
|||||||
if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
|
if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
_initAPI
|
||||||
_updateTos=""
|
_updateTos=""
|
||||||
_reg_res="new-reg"
|
_reg_res="new-reg"
|
||||||
while true; do
|
while true; do
|
||||||
@ -3019,7 +3105,7 @@ _regAccount() {
|
|||||||
if [ -z "$_updateTos" ]; then
|
if [ -z "$_updateTos" ]; then
|
||||||
_info "Registering account"
|
_info "Registering account"
|
||||||
|
|
||||||
if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then
|
if ! _send_signed_request "${ACME_NEW_ACCOUNT}" "$regjson"; then
|
||||||
_err "Register account Error: $response"
|
_err "Register account Error: $response"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -3105,12 +3191,12 @@ _findHook() {
|
|||||||
__get_domain_new_authz() {
|
__get_domain_new_authz() {
|
||||||
_gdnd="$1"
|
_gdnd="$1"
|
||||||
_info "Getting new-authz for domain" "$_gdnd"
|
_info "Getting new-authz for domain" "$_gdnd"
|
||||||
|
_initAPI
|
||||||
_Max_new_authz_retry_times=5
|
_Max_new_authz_retry_times=5
|
||||||
_authz_i=0
|
_authz_i=0
|
||||||
while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
|
while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
|
||||||
_debug "Try new-authz for the $_authz_i time."
|
_debug "Try new-authz for the $_authz_i time."
|
||||||
if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
|
if ! _send_signed_request "${ACME_NEW_AUTHZ}" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
|
||||||
_err "Can not get domain new authz."
|
_err "Can not get domain new authz."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -3188,13 +3274,16 @@ issue() {
|
|||||||
if [ "$_web_roots" = "dns-cx" ]; then
|
if [ "$_web_roots" = "dns-cx" ]; then
|
||||||
_web_roots="dns_cx"
|
_web_roots="dns_cx"
|
||||||
fi
|
fi
|
||||||
_debug "Using api: $API"
|
|
||||||
|
|
||||||
if [ ! "$IS_RENEW" ]; then
|
if [ ! "$IS_RENEW" ]; then
|
||||||
_initpath "$_main_domain" "$_key_length"
|
_initpath "$_main_domain" "$_key_length"
|
||||||
mkdir -p "$DOMAIN_PATH"
|
mkdir -p "$DOMAIN_PATH"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
_debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
|
||||||
|
|
||||||
|
_initAPI
|
||||||
|
|
||||||
if [ -f "$DOMAIN_CONF" ]; then
|
if [ -f "$DOMAIN_CONF" ]; then
|
||||||
Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
|
Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
|
||||||
_debug Le_NextRenewTime "$Le_NextRenewTime"
|
_debug Le_NextRenewTime "$Le_NextRenewTime"
|
||||||
@ -3228,7 +3317,7 @@ issue() {
|
|||||||
_cleardomainconf "Le_LocalAddress"
|
_cleardomainconf "Le_LocalAddress"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Le_API="$API"
|
Le_API="$ACME_DIRECTORY"
|
||||||
_savedomainconf "Le_API" "$Le_API"
|
_savedomainconf "Le_API" "$Le_API"
|
||||||
|
|
||||||
if [ "$_alt_domains" = "$NO_VALUE" ]; then
|
if [ "$_alt_domains" = "$NO_VALUE" ]; then
|
||||||
@ -3667,7 +3756,7 @@ issue() {
|
|||||||
_info "Verify finished, start to sign."
|
_info "Verify finished, start to sign."
|
||||||
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
|
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
|
||||||
|
|
||||||
if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
|
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
|
||||||
_err "Sign failed."
|
_err "Sign failed."
|
||||||
_on_issue_err "$_post_hook"
|
_on_issue_err "$_post_hook"
|
||||||
return 1
|
return 1
|
||||||
@ -3720,7 +3809,8 @@ issue() {
|
|||||||
|
|
||||||
Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
|
Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
|
||||||
if ! _contains "$Le_LinkIssuer" ":"; then
|
if ! _contains "$Le_LinkIssuer" ":"; then
|
||||||
Le_LinkIssuer="$API$Le_LinkIssuer"
|
_info "$(__red "Relative issuer link found.")"
|
||||||
|
Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
|
||||||
fi
|
fi
|
||||||
_debug Le_LinkIssuer "$Le_LinkIssuer"
|
_debug Le_LinkIssuer "$Le_LinkIssuer"
|
||||||
_savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
|
_savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
|
||||||
@ -3836,7 +3926,15 @@ renew() {
|
|||||||
. "$DOMAIN_CONF"
|
. "$DOMAIN_CONF"
|
||||||
|
|
||||||
if [ "$Le_API" ]; then
|
if [ "$Le_API" ]; then
|
||||||
API="$Le_API"
|
if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
|
||||||
|
export Le_API="$DEFAULT_CA"
|
||||||
|
_savedomainconf Le_API "$Le_API"
|
||||||
|
fi
|
||||||
|
if [ "$_OLD_STAGE_CA_HOST" = "$Le_API" ]; then
|
||||||
|
export Le_API="$STAGE_CA"
|
||||||
|
_savedomainconf Le_API "$Le_API"
|
||||||
|
fi
|
||||||
|
export ACME_DIRECTORY="$Le_API"
|
||||||
#reload ca configs
|
#reload ca configs
|
||||||
ACCOUNT_KEY_PATH=""
|
ACCOUNT_KEY_PATH=""
|
||||||
ACCOUNT_JSON_PATH=""
|
ACCOUNT_JSON_PATH=""
|
||||||
@ -3924,6 +4022,10 @@ signcsr() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
_debug _csrsubj "$_csrsubj"
|
_debug _csrsubj "$_csrsubj"
|
||||||
|
if _contains "$_csrsubj" ' ' || ! _contains "$_csrsubj" '.'; then
|
||||||
|
_info "It seems that the subject: $_csrsubj is not a valid domain name. Drop it."
|
||||||
|
_csrsubj=""
|
||||||
|
fi
|
||||||
|
|
||||||
_csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
|
_csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
|
||||||
if [ "$?" != "0" ]; then
|
if [ "$?" != "0" ]; then
|
||||||
@ -4299,8 +4401,10 @@ revoke() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
_initAPI
|
||||||
|
|
||||||
data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
|
data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
|
||||||
uri="$API/acme/revoke-cert"
|
uri="${ACME_REVOKE_CERT}"
|
||||||
|
|
||||||
if [ -f "$CERT_KEY_PATH" ]; then
|
if [ -f "$CERT_KEY_PATH" ]; then
|
||||||
_info "Try domain key first."
|
_info "Try domain key first."
|
||||||
@ -4432,6 +4536,7 @@ deactivate() {
|
|||||||
_d_domain_list="$1"
|
_d_domain_list="$1"
|
||||||
_d_type="$2"
|
_d_type="$2"
|
||||||
_initpath
|
_initpath
|
||||||
|
_initAPI
|
||||||
_debug _d_domain_list "$_d_domain_list"
|
_debug _d_domain_list "$_d_domain_list"
|
||||||
if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
|
if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
|
||||||
_usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
|
_usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
|
||||||
@ -4631,6 +4736,11 @@ install() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
|
||||||
|
_info "Using config home: $LE_CONFIG_HOME"
|
||||||
|
_c_home="$LE_CONFIG_HOME"
|
||||||
|
fi
|
||||||
|
|
||||||
#convert from le
|
#convert from le
|
||||||
if [ -d "$HOME/.le" ]; then
|
if [ -d "$HOME/.le" ]; then
|
||||||
for envfile in "le.env" "le.sh.env"; do
|
for envfile in "le.env" "le.sh.env"; do
|
||||||
@ -4854,6 +4964,7 @@ Parameters:
|
|||||||
|
|
||||||
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
|
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
|
||||||
|
|
||||||
|
--server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
|
||||||
--accountconf Specifies a customized account config file.
|
--accountconf Specifies a customized account config file.
|
||||||
--home Specifies the home dir for $PROJECT_NAME .
|
--home Specifies the home dir for $PROJECT_NAME .
|
||||||
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
|
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
|
||||||
@ -4871,6 +4982,7 @@ Parameters:
|
|||||||
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
|
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
|
||||||
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
|
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
|
||||||
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
|
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
|
||||||
|
--no-color Do not output color text.
|
||||||
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
|
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
|
||||||
--csr Specifies the input csr.
|
--csr Specifies the input csr.
|
||||||
--pre-hook Command to be run before obtaining any certificates.
|
--pre-hook Command to be run before obtaining any certificates.
|
||||||
@ -5013,6 +5125,7 @@ _process() {
|
|||||||
_openssl_bin=""
|
_openssl_bin=""
|
||||||
_syslog=""
|
_syslog=""
|
||||||
_use_wget=""
|
_use_wget=""
|
||||||
|
_server=""
|
||||||
while [ ${#} -gt 0 ]; do
|
while [ ${#} -gt 0 ]; do
|
||||||
case "${1}" in
|
case "${1}" in
|
||||||
|
|
||||||
@ -5129,6 +5242,12 @@ _process() {
|
|||||||
--staging | --test)
|
--staging | --test)
|
||||||
STAGE="1"
|
STAGE="1"
|
||||||
;;
|
;;
|
||||||
|
--server)
|
||||||
|
ACME_DIRECTORY="$2"
|
||||||
|
_server="$ACME_DIRECTORY"
|
||||||
|
export ACME_DIRECTORY
|
||||||
|
shift
|
||||||
|
;;
|
||||||
--debug)
|
--debug)
|
||||||
if [ -z "$2" ] || _startswith "$2" "-"; then
|
if [ -z "$2" ] || _startswith "$2" "-"; then
|
||||||
DEBUG="$DEBUG_LEVEL_DEFAULT"
|
DEBUG="$DEBUG_LEVEL_DEFAULT"
|
||||||
@ -5318,6 +5437,9 @@ _process() {
|
|||||||
--nocron)
|
--nocron)
|
||||||
_nocron="1"
|
_nocron="1"
|
||||||
;;
|
;;
|
||||||
|
--no-color)
|
||||||
|
export ACME_NO_COLOR=1
|
||||||
|
;;
|
||||||
--ecc)
|
--ecc)
|
||||||
_ecc="isEcc"
|
_ecc="isEcc"
|
||||||
;;
|
;;
|
||||||
@ -5449,6 +5571,9 @@ _process() {
|
|||||||
|
|
||||||
if [ "$DEBUG" ]; then
|
if [ "$DEBUG" ]; then
|
||||||
version
|
version
|
||||||
|
if [ "$_server" ]; then
|
||||||
|
_debug "Using server: $_server"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "${_CMD}" in
|
case "${_CMD}" in
|
||||||
|
@ -140,7 +140,7 @@ Finally, make the DNS server and update Key available to `acme.sh`
|
|||||||
|
|
||||||
```
|
```
|
||||||
export NSUPDATE_SERVER="dns.example.com"
|
export NSUPDATE_SERVER="dns.example.com"
|
||||||
export NSUPDATE_KEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=="
|
export NSUPDATE_KEY="/path/to/your/nsupdate.key"
|
||||||
```
|
```
|
||||||
|
|
||||||
Ok, let's issue a cert now:
|
Ok, let's issue a cert now:
|
||||||
|
@ -122,18 +122,30 @@ dns_dynu_rm() {
|
|||||||
# _domain_name=domain.com
|
# _domain_name=domain.com
|
||||||
_get_root() {
|
_get_root() {
|
||||||
domain=$1
|
domain=$1
|
||||||
if ! _dynu_rest GET "dns/getroot/$domain"; then
|
i=2
|
||||||
return 1
|
p=1
|
||||||
fi
|
while true; do
|
||||||
|
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
|
||||||
|
_debug h "$h"
|
||||||
|
if [ -z "$h" ]; then
|
||||||
|
#not valid
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
if ! _contains "$response" "domain_name"; then
|
if ! _dynu_rest GET "dns/get/$h"; then
|
||||||
_debug "Domain name not found."
|
return 1
|
||||||
return 1
|
fi
|
||||||
fi
|
|
||||||
|
if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
|
||||||
|
_domain_name=$h
|
||||||
|
_node=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
p=$i
|
||||||
|
i=$(_math "$i" + 1)
|
||||||
|
done
|
||||||
|
return 1
|
||||||
|
|
||||||
_domain_name=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 1 | cut -d : -f 2 | cut -d '"' -f 2)
|
|
||||||
_node=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 3 | cut -d : -f 2 | cut -d '"' -f 2)
|
|
||||||
return 0
|
|
||||||
}
|
}
|
||||||
|
|
||||||
_get_recordid() {
|
_get_recordid() {
|
||||||
|
@ -9,7 +9,7 @@ dns_infoblox_add() {
|
|||||||
## Nothing to see here, just some housekeeping
|
## Nothing to see here, just some housekeeping
|
||||||
fulldomain=$1
|
fulldomain=$1
|
||||||
txtvalue=$2
|
txtvalue=$2
|
||||||
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue"
|
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View"
|
||||||
|
|
||||||
_info "Using Infoblox API"
|
_info "Using Infoblox API"
|
||||||
_debug fulldomain "$fulldomain"
|
_debug fulldomain "$fulldomain"
|
||||||
@ -19,14 +19,19 @@ dns_infoblox_add() {
|
|||||||
if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
|
if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
|
||||||
Infoblox_Creds=""
|
Infoblox_Creds=""
|
||||||
Infoblox_Server=""
|
Infoblox_Server=""
|
||||||
_err "You didn't specify the credentials or server yet (Infoblox_Creds and Infoblox_Server)."
|
_err "You didn't specify the credentials, server or infoblox view yet (Infoblox_Creds, Infoblox_Server and Infoblox_View)."
|
||||||
_err "Please set them via EXPORT ([username:password] and [ip or hostname]) and try again."
|
_err "Please set them via EXPORT ([username:password], [ip or hostname]) and try again."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -z "$Infoblox_View" ]; then
|
||||||
|
Infoblox_View="default"
|
||||||
|
fi
|
||||||
|
|
||||||
## Save the credentials to the account file
|
## Save the credentials to the account file
|
||||||
_saveaccountconf Infoblox_Creds "$Infoblox_Creds"
|
_saveaccountconf Infoblox_Creds "$Infoblox_Creds"
|
||||||
_saveaccountconf Infoblox_Server "$Infoblox_Server"
|
_saveaccountconf Infoblox_Server "$Infoblox_Server"
|
||||||
|
_saveaccountconf Infoblox_View "$Infoblox_View"
|
||||||
|
|
||||||
## Base64 encode the credentials
|
## Base64 encode the credentials
|
||||||
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
|
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
|
||||||
@ -39,7 +44,7 @@ dns_infoblox_add() {
|
|||||||
result=$(_post "" "$baseurlnObject" "" "POST")
|
result=$(_post "" "$baseurlnObject" "" "POST")
|
||||||
|
|
||||||
## Let's see if we get something intelligible back from the unit
|
## Let's see if we get something intelligible back from the unit
|
||||||
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
|
if echo "$result" | egrep "record:txt/.*:.*/$Infoblox_View"; then
|
||||||
_info "Successfully created the txt record"
|
_info "Successfully created the txt record"
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
@ -68,18 +73,18 @@ dns_infoblox_rm() {
|
|||||||
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
|
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
|
||||||
|
|
||||||
## Does the record exist? Let's check.
|
## Does the record exist? Let's check.
|
||||||
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&_return_type=xml-pretty"
|
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View&_return_type=xml-pretty"
|
||||||
result=$(_get "$baseurlnObject")
|
result=$(_get "$baseurlnObject")
|
||||||
|
|
||||||
## Let's see if we get something intelligible back from the grid
|
## Let's see if we get something intelligible back from the grid
|
||||||
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
|
if echo "$result" | egrep "record:txt/.*:.*/$Infoblox_View"; then
|
||||||
## Extract the object reference
|
## Extract the object reference
|
||||||
objRef=$(printf "%b" "$result" | _egrep_o 'record:txt/.*:.*/default')
|
objRef=$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")
|
||||||
objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
|
objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
|
||||||
## Delete them! All the stale records!
|
## Delete them! All the stale records!
|
||||||
rmResult=$(_post "" "$objRmUrl" "" "DELETE")
|
rmResult=$(_post "" "$objRmUrl" "" "DELETE")
|
||||||
## Let's see if that worked
|
## Let's see if that worked
|
||||||
if echo "$rmResult" | egrep 'record:txt/.*:.*/default'; then
|
if echo "$rmResult" | egrep "record:txt/.*:.*/$Infoblox_View"; then
|
||||||
_info "Successfully deleted $objRef"
|
_info "Successfully deleted $objRef"
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
|
@ -238,7 +238,7 @@ _get_root() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! _contains "$response" "This service does not exist" >/dev/null; then
|
if ! _contains "$response" "This service does not exist" >/dev/null && ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
|
||||||
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
||||||
_domain="$h"
|
_domain="$h"
|
||||||
return 0
|
return 0
|
||||||
|
Loading…
x
Reference in New Issue
Block a user