mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-11-10 08:21:49 +00:00
commit
1a27172f20
@ -4,7 +4,7 @@ Before you can deploy your cert, you must [issue the cert first](https://github.
|
|||||||
|
|
||||||
Here are the scripts to deploy the certs/key to the server/services.
|
Here are the scripts to deploy the certs/key to the server/services.
|
||||||
|
|
||||||
## 1. Deploy the certs to your cpanel host.
|
## 1. Deploy the certs to your cpanel host
|
||||||
|
|
||||||
If you want to deploy using cpanel UAPI see 7.
|
If you want to deploy using cpanel UAPI see 7.
|
||||||
|
|
||||||
@ -20,7 +20,7 @@ export DEPLOY_CPANEL_PASSWORD=PASSWORD
|
|||||||
acme.sh --deploy -d example.com --deploy-hook cpanel
|
acme.sh --deploy -d example.com --deploy-hook cpanel
|
||||||
```
|
```
|
||||||
|
|
||||||
## 2. Deploy ssl cert on kong proxy engine based on api.
|
## 2. Deploy ssl cert on kong proxy engine based on api
|
||||||
|
|
||||||
Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
|
Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
|
||||||
Currently supports Kong-v0.10.x.
|
Currently supports Kong-v0.10.x.
|
||||||
@ -29,11 +29,11 @@ Currently supports Kong-v0.10.x.
|
|||||||
acme.sh --deploy -d ftp.example.com --deploy-hook kong
|
acme.sh --deploy -d ftp.example.com --deploy-hook kong
|
||||||
```
|
```
|
||||||
|
|
||||||
## 3. Deploy the cert to remote server through SSH access.
|
## 3. Deploy the cert to remote server through SSH access
|
||||||
|
|
||||||
(TODO)
|
(TODO)
|
||||||
|
|
||||||
## 4. Deploy the cert to local vsftpd server.
|
## 4. Deploy the cert to local vsftpd server
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
|
acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
|
||||||
@ -55,7 +55,7 @@ export DEPLOY_VSFTPD_RELOAD="/etc/init.d/vsftpd restart"
|
|||||||
acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
|
acme.sh --deploy -d ftp.example.com --deploy-hook vsftpd
|
||||||
```
|
```
|
||||||
|
|
||||||
## 5. Deploy the cert to local exim4 server.
|
## 5. Deploy the cert to local exim4 server
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
acme.sh --deploy -d ftp.example.com --deploy-hook exim4
|
acme.sh --deploy -d ftp.example.com --deploy-hook exim4
|
||||||
@ -96,7 +96,23 @@ acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
|||||||
```
|
```
|
||||||
Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
|
Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
|
||||||
|
|
||||||
|
## 8. Deploy the cert to your FRITZ!Box router
|
||||||
|
|
||||||
|
You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:
|
||||||
|
```sh
|
||||||
|
$ export DEPLOY_FRITZBOX_USERNAME=my_username
|
||||||
|
$ export DEPLOY_FRITZBOX_PASSWORD=the_password
|
||||||
|
$ export DEPLOY_FRITZBOX_URL=https://fritzbox.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
After the first deployment, these values will be stored in your $HOME/.acme.sh/account.conf. You may now deploy the certificate like this:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
acme.sh --deploy -d fritzbox.example.com --deploy-hook fritzbox
|
||||||
|
```
|
||||||
|
|
||||||
|
## 9. Deploy the cert to strongswan
|
||||||
|
|
||||||
|
```sh
|
||||||
|
acme.sh --deploy -d ftp.example.com --deploy-hook strongswan
|
||||||
|
```
|
||||||
|
108
deploy/fritzbox.sh
Normal file
108
deploy/fritzbox.sh
Normal file
@ -0,0 +1,108 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
#Here is a script to deploy cert to an AVM FRITZ!Box router.
|
||||||
|
|
||||||
|
#returns 0 means success, otherwise error.
|
||||||
|
|
||||||
|
#DEPLOY_FRITZBOX_USERNAME="username"
|
||||||
|
#DEPLOY_FRITZBOX_PASSWORD="password"
|
||||||
|
#DEPLOY_FRITZBOX_URL="https://fritz.box"
|
||||||
|
|
||||||
|
# Kudos to wikrie at Github for his FRITZ!Box update script:
|
||||||
|
# https://gist.github.com/wikrie/f1d5747a714e0a34d0582981f7cb4cfb
|
||||||
|
|
||||||
|
######## Public functions #####################
|
||||||
|
|
||||||
|
#domain keyfile certfile cafile fullchain
|
||||||
|
fritzbox_deploy() {
|
||||||
|
_cdomain="$1"
|
||||||
|
_ckey="$2"
|
||||||
|
_ccert="$3"
|
||||||
|
_cca="$4"
|
||||||
|
_cfullchain="$5"
|
||||||
|
|
||||||
|
_debug _cdomain "$_cdomain"
|
||||||
|
_debug _ckey "$_ckey"
|
||||||
|
_debug _ccert "$_ccert"
|
||||||
|
_debug _cca "$_cca"
|
||||||
|
_debug _cfullchain "$_cfullchain"
|
||||||
|
|
||||||
|
if ! _exists iconv; then
|
||||||
|
_err "iconv not found"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
_fritzbox_username="${DEPLOY_FRITZBOX_USERNAME}"
|
||||||
|
_fritzbox_password="${DEPLOY_FRITZBOX_PASSWORD}"
|
||||||
|
_fritzbox_url="${DEPLOY_FRITZBOX_URL}"
|
||||||
|
|
||||||
|
_debug _fritzbox_url "$_fritzbox_url"
|
||||||
|
_debug _fritzbox_username "$_fritzbox_username"
|
||||||
|
_secure_debug _fritzbox_password "$_fritzbox_password"
|
||||||
|
if [ -z "$_fritzbox_username" ]; then
|
||||||
|
_err "FRITZ!Box username is not found, please define DEPLOY_FRITZBOX_USERNAME."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [ -z "$_fritzbox_password" ]; then
|
||||||
|
_err "FRITZ!Box password is not found, please define DEPLOY_FRITZBOX_PASSWORD."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [ -z "$_fritzbox_url" ]; then
|
||||||
|
_err "FRITZ!Box url is not found, please define DEPLOY_FRITZBOX_URL."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
_saveaccountconf DEPLOY_FRITZBOX_USERNAME "${_fritzbox_username}"
|
||||||
|
_saveaccountconf DEPLOY_FRITZBOX_PASSWORD "${_fritzbox_password}"
|
||||||
|
_saveaccountconf DEPLOY_FRITZBOX_URL "${_fritzbox_url}"
|
||||||
|
|
||||||
|
# Do not check for a valid SSL certificate, because initially the cert is not valid, so it could not install the LE generated certificate
|
||||||
|
export HTTPS_INSECURE=1
|
||||||
|
|
||||||
|
_info "Log in to the FRITZ!Box"
|
||||||
|
_fritzbox_challenge="$(_get "${_fritzbox_url}/login_sid.lua" | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//')"
|
||||||
|
_fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | iconv -f ASCII -t UTF16LE | md5sum | awk '{print $1}')"
|
||||||
|
_fritzbox_sid="$(_get "${_fritzbox_url}/login_sid.lua?sid=0000000000000000&username=${_fritzbox_username}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//')"
|
||||||
|
|
||||||
|
if [ -z "${_fritzbox_sid}" ] || [ "${_fritzbox_sid}" = "0000000000000000" ]; then
|
||||||
|
_err "Logging in to the FRITZ!Box failed. Please check username, password and URL."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
_info "Generate form POST request"
|
||||||
|
_post_request="$(_mktemp)"
|
||||||
|
_post_boundary="---------------------------$(date +%Y%m%d%H%M%S)"
|
||||||
|
# _CERTPASSWORD_ is unset because Let's Encrypt certificates don't have a password. But if they ever do, here's the place to use it!
|
||||||
|
_CERTPASSWORD_=
|
||||||
|
{
|
||||||
|
printf -- "--"
|
||||||
|
printf -- "%s\r\n" "${_post_boundary}"
|
||||||
|
printf "Content-Disposition: form-data; name=\"sid\"\r\n\r\n%s\r\n" "${_fritzbox_sid}"
|
||||||
|
printf -- "--"
|
||||||
|
printf -- "%s\r\n" "${_post_boundary}"
|
||||||
|
printf "Content-Disposition: form-data; name=\"BoxCertPassword\"\r\n\r\n%s\r\n" "${_CERTPASSWORD_}"
|
||||||
|
printf -- "--"
|
||||||
|
printf -- "%s\r\n" "${_post_boundary}"
|
||||||
|
printf "Content-Disposition: form-data; name=\"BoxCertImportFile\"; filename=\"BoxCert.pem\"\r\n"
|
||||||
|
printf "Content-Type: application/octet-stream\r\n\r\n"
|
||||||
|
cat "${_ckey}" "${_cfullchain}"
|
||||||
|
printf "\r\n"
|
||||||
|
printf -- "--"
|
||||||
|
printf -- "%s--" "${_post_boundary}"
|
||||||
|
} >>"${_post_request}"
|
||||||
|
|
||||||
|
_info "Upload certificate to the FRITZ!Box"
|
||||||
|
|
||||||
|
export _H1="Content-type: multipart/form-data boundary=${_post_boundary}"
|
||||||
|
_post "$(cat "${_post_request}")" "${_fritzbox_url}/cgi-bin/firmwarecfg" | grep SSL
|
||||||
|
|
||||||
|
retval=$?
|
||||||
|
if [ $retval = 0 ]; then
|
||||||
|
_info "Upload successful"
|
||||||
|
else
|
||||||
|
_err "Upload failed"
|
||||||
|
fi
|
||||||
|
rm "${_post_request}"
|
||||||
|
|
||||||
|
return $retval
|
||||||
|
}
|
32
deploy/strongswan.sh
Normal file
32
deploy/strongswan.sh
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
#Here is a sample custom api script.
|
||||||
|
#This file name is "myapi.sh"
|
||||||
|
#So, here must be a method myapi_deploy()
|
||||||
|
#Which will be called by acme.sh to deploy the cert
|
||||||
|
#returns 0 means success, otherwise error.
|
||||||
|
|
||||||
|
######## Public functions #####################
|
||||||
|
|
||||||
|
#domain keyfile certfile cafile fullchain
|
||||||
|
strongswan_deploy() {
|
||||||
|
_cdomain="$1"
|
||||||
|
_ckey="$2"
|
||||||
|
_ccert="$3"
|
||||||
|
_cca="$4"
|
||||||
|
_cfullchain="$5"
|
||||||
|
|
||||||
|
_debug _cdomain "$_cdomain"
|
||||||
|
_debug _ckey "$_ckey"
|
||||||
|
_debug _ccert "$_ccert"
|
||||||
|
_debug _cca "$_cca"
|
||||||
|
_debug _cfullchain "$_cfullchain"
|
||||||
|
|
||||||
|
cat "$_ckey" >"/etc/ipsec.d/private/$(basename "$_ckey")"
|
||||||
|
cat "$_ccert" >"/etc/ipsec.d/certs/$(basename "$_ccert")"
|
||||||
|
cat "$_cca" >"/etc/ipsec.d/cacerts/$(basename "$_cca")"
|
||||||
|
cat "$_cfullchain" >"/etc/ipsec.d/cacerts/$(basename "$_cfullchain")"
|
||||||
|
|
||||||
|
ipsec reload
|
||||||
|
|
||||||
|
}
|
@ -96,6 +96,16 @@ _dns_cloudns_init_check() {
|
|||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
CLOUDNS_AUTH_ID="${CLOUDNS_AUTH_ID:-$(_readaccountconf_mutable CLOUDNS_AUTH_ID)}"
|
||||||
|
CLOUDNS_AUTH_PASSWORD="${CLOUDNS_AUTH_PASSWORD:-$(_readaccountconf_mutable CLOUDNS_AUTH_PASSWORD)}"
|
||||||
|
if [ -z "$CLOUDNS_AUTH_ID" ] || [ -z "$CLOUDNS_AUTH_PASSWORD" ]; then
|
||||||
|
CLOUDNS_AUTH_ID=""
|
||||||
|
CLOUDNS_AUTH_PASSWORD=""
|
||||||
|
_err "You don't specify cloudns api id and password yet."
|
||||||
|
_err "Please create you id and password and try again."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -z "$CLOUDNS_AUTH_ID" ]; then
|
if [ -z "$CLOUDNS_AUTH_ID" ]; then
|
||||||
_err "CLOUDNS_AUTH_ID is not configured"
|
_err "CLOUDNS_AUTH_ID is not configured"
|
||||||
return 1
|
return 1
|
||||||
@ -113,6 +123,10 @@ _dns_cloudns_init_check() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
#save the api id and password to the account conf file.
|
||||||
|
_saveaccountconf_mutable CLOUDNS_AUTH_ID "$CLOUDNS_AUTH_ID"
|
||||||
|
_saveaccountconf_mutable CLOUDNS_AUTH_PASSWORD "$CLOUDNS_AUTH_PASSWORD"
|
||||||
|
|
||||||
CLOUDNS_INIT_CHECK_COMPLETED=1
|
CLOUDNS_INIT_CHECK_COMPLETED=1
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
|
Loading…
Reference in New Issue
Block a user