Merge branch 'dev' into deploy-fritzbox

This commit is contained in:
Manuel Friedli 2017-09-12 11:32:54 +02:00
commit 3536cd336d
5 changed files with 51 additions and 106 deletions


@ -18,7 +18,7 @@ addons:
install: install:
- if [ "$TRAVIS_OS_NAME" = 'osx' ]; then - if [ "$TRAVIS_OS_NAME" = 'osx' ]; then
brew update && brew install openssl; brew update && brew install openssl socat;
brew info openssl; brew info openssl;
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/;
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/;
@ -30,6 +30,7 @@ install:
openssl version 2>&1 || true; openssl version 2>&1 || true;
$ACME_OPENSSL_BIN version 2>&1 || true; $ACME_OPENSSL_BIN version 2>&1 || true;
export PATH="$_old_path"; export PATH="$_old_path";
else sudo apt-get install socat;
fi fi
script: script:
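Review bot: The new `else sudo apt-get install socat;` branch runs apt-get without `-y`, so if apt needs to pull in additional packages it stops at its confirmation prompt; with no tty in CI that prompt reads EOF and apt aborts, failing the install step. The line can be made non-interactive as `else sudo apt-get install -y socat;`. Whether socat actually triggers the prompt on the Travis image cannot be told from here.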


@ -4,7 +4,7 @@ RUN apk update -f \
&& apk --no-cache add -f \ && apk --no-cache add -f \
openssl \ openssl \
curl \ curl \
netcat-openbsd \ socat \
&& rm -rf /var/cache/apk/* && rm -rf /var/cache/apk/*
ENV LE_CONFIG_HOME /acme.sh ENV LE_CONFIG_HOME /acme.sh

acme.sh

@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
VER=2.7.3 VER=2.7.4
PROJECT_NAME="acme.sh" PROJECT_NAME="acme.sh"
@ -164,11 +164,11 @@ _dlg_versions() {
echo "nginx doesn't exists." echo "nginx doesn't exists."
fi fi
echo "nc:" echo "socat:"
if _exists "nc"; then if _exists "socat"; then
nc -h 2>&1 socat -h 2>&1
else else
_debug "nc doesn't exists." _debug "socat doesn't exists."
fi fi
} }
@ -1814,7 +1814,13 @@ _send_signed_request() {
_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
if _contains "$response" "JWS has invalid anti-replay nonce"; then _body="$response"
if [ "$needbase64" ]; then
_body="$(echo "$_body" | _dbase64)"
_debug2 _body "$_body"
fi
if _contains "$_body" "JWS has invalid anti-replay nonce"; then
_info "It seems the CA server is busy now, let's wait and retry." _info "It seems the CA server is busy now, let's wait and retry."
_request_retry_times=$(_math "$_request_retry_times" + 1) _request_retry_times=$(_math "$_request_retry_times" + 1)
_sleep 5 _sleep 5
@ -1967,68 +1973,22 @@ _startserver() {
_debug "ncaddr" "$ncaddr" _debug "ncaddr" "$ncaddr"
_debug "startserver: $$" _debug "startserver: $$"
nchelp="$(nc -h 2>&1)"
_debug Le_HTTPPort "$Le_HTTPPort" _debug Le_HTTPPort "$Le_HTTPPort"
_debug Le_Listen_V4 "$Le_Listen_V4" _debug Le_Listen_V4 "$Le_Listen_V4"
_debug Le_Listen_V6 "$Le_Listen_V6" _debug Le_Listen_V6 "$Le_Listen_V6"
_NC="nc"
_NC="socat"
if [ "$Le_Listen_V4" ]; then if [ "$Le_Listen_V4" ]; then
_NC="$_NC -4" _NC="$_NC -4"
elif [ "$Le_Listen_V6" ]; then elif [ "$Le_Listen_V6" ]; then
_NC="$_NC -6" _NC="$_NC -6"
fi fi
if [ "$Le_Listen_V4$Le_Listen_V6$ncaddr" ]; then
if ! _contains "$nchelp" "-4"; then
_err "The nc doesn't support '-4', '-6' or local-address, please install 'netcat-openbsd' and try again."
_err "See $(__green $_PREPARE_LINK)"
return 1
fi
fi
if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
_NC="$_NC -q 1 -l $ncaddr"
else
if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
_NC="$_NC -c -l $ncaddr"
elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
_NC="$_NC -N -l $ncaddr"
else
_NC="$_NC -l $ncaddr"
fi
fi
_debug "_NC" "$_NC" _debug "_NC" "$_NC"
#todo listen address
#for centos ncat $_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
if _contains "$nchelp" "nmap.org"; then serverproc="$!"
_debug "Using ncat: nmap.org"
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"; then
_exec_err
return 1
fi
if [ "$DEBUG" ]; then
_exec_err
fi
return
fi
# while true ; do
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC -p \"$Le_HTTPPort\" >&2"; then
_exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"
fi
if [ "$?" != "0" ]; then
_err "nc listen error."
_exec_err
exit 1
fi
if [ "$DEBUG" ]; then
_exec_err
fi
# done
} }
_stopserver() { _stopserver() {
@ -2038,25 +1998,8 @@ _stopserver() {
return return
fi fi
_debug2 "Le_HTTPPort" "$Le_HTTPPort" kill $pid
if [ "$Le_HTTPPort" ]; then
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
_get "http://localhost:$Le_HTTPPort" "" 1
else
_get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
fi
fi
_debug2 "Le_TLSPort" "$Le_TLSPort"
if [ "$Le_TLSPort" ]; then
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
_get "https://localhost:$Le_TLSPort" "" 1
_get "https://localhost:$Le_TLSPort" "" 1
else
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
fi
fi
} }
# sleep sec # sleep sec
@ -2111,12 +2054,7 @@ _starttlsserver() {
return 1 return 1
fi fi
__S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -cert $TLS_CERT -key $TLS_KEY " __S_OPENSSL="socat"
if [ "$opaddr" ]; then
__S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
else
__S_OPENSSL="$__S_OPENSSL -accept $port"
fi
_debug Le_Listen_V4 "$Le_Listen_V4" _debug Le_Listen_V4 "$Le_Listen_V4"
_debug Le_Listen_V6 "$Le_Listen_V6" _debug Le_Listen_V6 "$Le_Listen_V6"
@ -2127,12 +2065,9 @@ _starttlsserver() {
fi fi
_debug "$__S_OPENSSL" _debug "$__S_OPENSSL"
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
else
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
fi
#todo listen address
$__S_OPENSSL openssl-listen:$port,cert=$TLS_CERT,key=$TLS_KEY,verify=0,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
serverproc="$!" serverproc="$!"
sleep 1 sleep 1
_debug serverproc "$serverproc" _debug serverproc "$serverproc"
@ -2943,8 +2878,8 @@ _on_before_issue() {
fi fi
if _hasfield "$_chk_web_roots" "$NO_VALUE"; then if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
if ! _exists "nc"; then if ! _exists "socat"; then
_err "Please install netcat(nc) tools first." _err "Please install socat tools first."
return 1 return 1
fi fi
fi fi
@ -3665,13 +3600,12 @@ issue() {
_info "Standalone mode server" _info "Standalone mode server"
_ncaddr="$(_getfield "$_local_addr" "$_ncIndex")" _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
_ncIndex="$(_math $_ncIndex + 1)" _ncIndex="$(_math $_ncIndex + 1)"
_startserver "$keyauthorization" "$_ncaddr" & _startserver "$keyauthorization" "$_ncaddr"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
_clearup _clearup
_on_issue_err "$_post_hook" "$vlist" _on_issue_err "$_post_hook" "$vlist"
return 1 return 1
fi fi
serverproc="$!"
sleep 1 sleep 1
_debug serverproc "$serverproc" _debug serverproc "$serverproc"
elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
@ -4006,7 +3940,10 @@ issue() {
Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400) Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime" _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
_on_issue_success "$_post_hook" "$_renew_hook" if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
_err "Call hook error."
return 1
fi
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
_savedomainconf "Le_RealCertPath" "$_real_cert" _savedomainconf "Le_RealCertPath" "$_real_cert"
@ -4788,9 +4725,9 @@ _precheck() {
return 1 return 1
fi fi
if ! _exists "nc"; then if ! _exists "socat"; then
_err "It is recommended to install nc first, try to install 'nc' or 'netcat'." _err "It is recommended to install socat first."
_err "We use nc for standalone server if you use standalone mode." _err "We use socat for standalone server if you use standalone mode."
_err "If you don't use standalone mode, just ignore this warning." _err "If you don't use standalone mode, just ignore this warning."
fi fi
@ -4890,9 +4827,11 @@ install() {
_debug "Skip install cron job" _debug "Skip install cron job"
fi fi
if ! _precheck "$_nocron"; then if [ "$IN_CRON" != "1" ]; then
_err "Pre-check failed, can not install." if ! _precheck "$_nocron"; then
return 1 _err "Pre-check failed, can not install."
return 1
fi
fi fi
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
@ -4945,7 +4884,9 @@ install() {
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY" _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
_installalias "$_c_home" if [ "$IN_CRON" != "1" ]; then
_installalias "$_c_home"
fi
for subf in $_SUB_FOLDERS; do for subf in $_SUB_FOLDERS; do
if [ -d "$subf" ]; then if [ -d "$subf" ]; then
@ -5035,7 +4976,7 @@ _uninstallalias() {
} }
cron() { cron() {
IN_CRON=1 export IN_CRON=1
_initpath _initpath
_info "$(__green "===Starting cron===")" _info "$(__green "===Starting cron===")"
if [ "$AUTO_UPGRADE" = "1" ]; then if [ "$AUTO_UPGRADE" = "1" ]; then
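Review bot: The socat handler on the new side of the `_startserver` hunk, `SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;"`, carries an unmatched single quote after `OK`; unless that apostrophe is a rendering artifact, the shell socat spawns for each connection dies on a syntax error and no challenge response is written, and the same quote appears in the `_starttlsserver` handler. The quote should be dropped: `SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK; echo ; echo $content; echo;"`. `$content` is also expanded unquoted into a string that socat passes to `/bin/sh -c`; if it is the keyauthorization passed at `_startserver "$keyauthorization" "$_ncaddr"` it should only ever be base64url characters and a dot, so a guard such as `case "$content" in *[!A-Za-z0-9._-]*) _err "unexpected characters in challenge content"; return 1 ;; esac` placed before the socat line keeps any other value out of that shell command. Separately, `serverproc="$!"` is the last statement of the new `_startserver`, so the `if [ "$?" != "0" ]` check that follows the now-synchronous call in `issue()` can only ever see a zero status from that path.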


@ -6,6 +6,8 @@ Here are the scripts to deploy the certs/key to the server/services.
## 1. Deploy the certs to your cpanel host. ## 1. Deploy the certs to your cpanel host.
If you want to deploy using cpanel UAPI see 7.
(cpanel deploy hook is not finished yet, this is just an example.) (cpanel deploy hook is not finished yet, this is just an example.)
@ -81,18 +83,19 @@ acme.sh --deploy -d ftp.example.com --deploy-hook exim4
acme.sh --deploy -d ftp.example.com --deploy-hook keychain acme.sh --deploy -d ftp.example.com --deploy-hook keychain
``` ```
## 7. Deploy to cpanel host. ## 7. Deploy to cpanel host using UAPI
This hook is using UAPI and works in cPanel & WHM version 56 or newer.
``` ```
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
``` ```
DEPLOY_CPANEL_USER is required only if you run the script as root and it should contain cpanel username.
If you are login as root, please specify the username to deploy cert to:
```sh ```sh
export DEPLOY_CPANEL_USER=username export DEPLOY_CPANEL_USER=username
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
``` ```
Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
## 8. Deploy the cert to your FRITZ!Box router ## 8. Deploy the cert to your FRITZ!Box router
You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables: You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:


@ -47,7 +47,7 @@ dns_he_add() {
response="$(_post "$body" "https://dns.he.net/")" response="$(_post "$body" "https://dns.he.net/")"
exit_code="$?" exit_code="$?"
if [ "$exit_code" -eq 0 ]; then if [ "$exit_code" -eq 0 ]; then
_info "TXT record added successfuly." _info "TXT record added successfully."
else else
_err "Couldn't add the TXT record." _err "Couldn't add the TXT record."
fi fi
@ -96,7 +96,7 @@ dns_he_rm() {
>/dev/null >/dev/null
exit_code="$?" exit_code="$?"
if [ "$exit_code" -eq 0 ]; then if [ "$exit_code" -eq 0 ]; then
_info "Record removed successfuly." _info "Record removed successfully."
else else
_err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand." _err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand."
return "$exit_code" return "$exit_code"