mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-11-08 23:41:45 +00:00
Merge branch 'dev' into deploy-fritzbox
This commit is contained in:
commit
3536cd336d
@ -18,7 +18,7 @@ addons:
|
||||
|
||||
install:
|
||||
- if [ "$TRAVIS_OS_NAME" = 'osx' ]; then
|
||||
brew update && brew install openssl;
|
||||
brew update && brew install openssl socat;
|
||||
brew info openssl;
|
||||
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/;
|
||||
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/;
|
||||
@ -30,6 +30,7 @@ install:
|
||||
openssl version 2>&1 || true;
|
||||
$ACME_OPENSSL_BIN version 2>&1 || true;
|
||||
export PATH="$_old_path";
|
||||
else sudo apt-get install socat;
|
||||
fi
|
||||
|
||||
script:
|
||||
|
@ -4,7 +4,7 @@ RUN apk update -f \
|
||||
&& apk --no-cache add -f \
|
||||
openssl \
|
||||
curl \
|
||||
netcat-openbsd \
|
||||
socat \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
ENV LE_CONFIG_HOME /acme.sh
|
||||
|
129
acme.sh
129
acme.sh
@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
VER=2.7.3
|
||||
VER=2.7.4
|
||||
|
||||
PROJECT_NAME="acme.sh"
|
||||
|
||||
@ -164,11 +164,11 @@ _dlg_versions() {
|
||||
echo "nginx doesn't exists."
|
||||
fi
|
||||
|
||||
echo "nc:"
|
||||
if _exists "nc"; then
|
||||
nc -h 2>&1
|
||||
echo "socat:"
|
||||
if _exists "socat"; then
|
||||
socat -h 2>&1
|
||||
else
|
||||
_debug "nc doesn't exists."
|
||||
_debug "socat doesn't exists."
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1814,7 +1814,13 @@ _send_signed_request() {
|
||||
|
||||
_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
||||
|
||||
if _contains "$response" "JWS has invalid anti-replay nonce"; then
|
||||
_body="$response"
|
||||
if [ "$needbase64" ]; then
|
||||
_body="$(echo "$_body" | _dbase64)"
|
||||
_debug2 _body "$_body"
|
||||
fi
|
||||
|
||||
if _contains "$_body" "JWS has invalid anti-replay nonce"; then
|
||||
_info "It seems the CA server is busy now, let's wait and retry."
|
||||
_request_retry_times=$(_math "$_request_retry_times" + 1)
|
||||
_sleep 5
|
||||
@ -1967,68 +1973,22 @@ _startserver() {
|
||||
_debug "ncaddr" "$ncaddr"
|
||||
|
||||
_debug "startserver: $$"
|
||||
nchelp="$(nc -h 2>&1)"
|
||||
|
||||
_debug Le_HTTPPort "$Le_HTTPPort"
|
||||
_debug Le_Listen_V4 "$Le_Listen_V4"
|
||||
_debug Le_Listen_V6 "$Le_Listen_V6"
|
||||
_NC="nc"
|
||||
|
||||
_NC="socat"
|
||||
if [ "$Le_Listen_V4" ]; then
|
||||
_NC="$_NC -4"
|
||||
elif [ "$Le_Listen_V6" ]; then
|
||||
_NC="$_NC -6"
|
||||
fi
|
||||
|
||||
if [ "$Le_Listen_V4$Le_Listen_V6$ncaddr" ]; then
|
||||
if ! _contains "$nchelp" "-4"; then
|
||||
_err "The nc doesn't support '-4', '-6' or local-address, please install 'netcat-openbsd' and try again."
|
||||
_err "See $(__green $_PREPARE_LINK)"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
|
||||
_NC="$_NC -q 1 -l $ncaddr"
|
||||
else
|
||||
if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
|
||||
_NC="$_NC -c -l $ncaddr"
|
||||
elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
|
||||
_NC="$_NC -N -l $ncaddr"
|
||||
else
|
||||
_NC="$_NC -l $ncaddr"
|
||||
fi
|
||||
fi
|
||||
|
||||
_debug "_NC" "$_NC"
|
||||
|
||||
#for centos ncat
|
||||
if _contains "$nchelp" "nmap.org"; then
|
||||
_debug "Using ncat: nmap.org"
|
||||
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"; then
|
||||
_exec_err
|
||||
return 1
|
||||
fi
|
||||
if [ "$DEBUG" ]; then
|
||||
_exec_err
|
||||
fi
|
||||
return
|
||||
fi
|
||||
|
||||
# while true ; do
|
||||
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC -p \"$Le_HTTPPort\" >&2"; then
|
||||
_exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"
|
||||
fi
|
||||
|
||||
if [ "$?" != "0" ]; then
|
||||
_err "nc listen error."
|
||||
_exec_err
|
||||
exit 1
|
||||
fi
|
||||
if [ "$DEBUG" ]; then
|
||||
_exec_err
|
||||
fi
|
||||
# done
|
||||
#todo listen address
|
||||
$_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
|
||||
serverproc="$!"
|
||||
}
|
||||
|
||||
_stopserver() {
|
||||
@ -2038,25 +1998,8 @@ _stopserver() {
|
||||
return
|
||||
fi
|
||||
|
||||
_debug2 "Le_HTTPPort" "$Le_HTTPPort"
|
||||
if [ "$Le_HTTPPort" ]; then
|
||||
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
|
||||
_get "http://localhost:$Le_HTTPPort" "" 1
|
||||
else
|
||||
_get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
kill $pid
|
||||
|
||||
_debug2 "Le_TLSPort" "$Le_TLSPort"
|
||||
if [ "$Le_TLSPort" ]; then
|
||||
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
|
||||
_get "https://localhost:$Le_TLSPort" "" 1
|
||||
_get "https://localhost:$Le_TLSPort" "" 1
|
||||
else
|
||||
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
|
||||
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# sleep sec
|
||||
@ -2111,12 +2054,7 @@ _starttlsserver() {
|
||||
return 1
|
||||
fi
|
||||
|
||||
__S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -cert $TLS_CERT -key $TLS_KEY "
|
||||
if [ "$opaddr" ]; then
|
||||
__S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
|
||||
else
|
||||
__S_OPENSSL="$__S_OPENSSL -accept $port"
|
||||
fi
|
||||
__S_OPENSSL="socat"
|
||||
|
||||
_debug Le_Listen_V4 "$Le_Listen_V4"
|
||||
_debug Le_Listen_V6 "$Le_Listen_V6"
|
||||
@ -2127,12 +2065,9 @@ _starttlsserver() {
|
||||
fi
|
||||
|
||||
_debug "$__S_OPENSSL"
|
||||
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
||||
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
|
||||
else
|
||||
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
|
||||
fi
|
||||
|
||||
#todo listen address
|
||||
$__S_OPENSSL openssl-listen:$port,cert=$TLS_CERT,key=$TLS_KEY,verify=0,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
|
||||
serverproc="$!"
|
||||
sleep 1
|
||||
_debug serverproc "$serverproc"
|
||||
@ -2943,8 +2878,8 @@ _on_before_issue() {
|
||||
fi
|
||||
|
||||
if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
|
||||
if ! _exists "nc"; then
|
||||
_err "Please install netcat(nc) tools first."
|
||||
if ! _exists "socat"; then
|
||||
_err "Please install socat tools first."
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
@ -3665,13 +3600,12 @@ issue() {
|
||||
_info "Standalone mode server"
|
||||
_ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
|
||||
_ncIndex="$(_math $_ncIndex + 1)"
|
||||
_startserver "$keyauthorization" "$_ncaddr" &
|
||||
_startserver "$keyauthorization" "$_ncaddr"
|
||||
if [ "$?" != "0" ]; then
|
||||
_clearup
|
||||
_on_issue_err "$_post_hook" "$vlist"
|
||||
return 1
|
||||
fi
|
||||
serverproc="$!"
|
||||
sleep 1
|
||||
_debug serverproc "$serverproc"
|
||||
elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
|
||||
@ -4006,7 +3940,10 @@ issue() {
|
||||
Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
|
||||
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
|
||||
|
||||
_on_issue_success "$_post_hook" "$_renew_hook"
|
||||
if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
|
||||
_err "Call hook error."
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
|
||||
_savedomainconf "Le_RealCertPath" "$_real_cert"
|
||||
@ -4788,9 +4725,9 @@ _precheck() {
|
||||
return 1
|
||||
fi
|
||||
|
||||
if ! _exists "nc"; then
|
||||
_err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
|
||||
_err "We use nc for standalone server if you use standalone mode."
|
||||
if ! _exists "socat"; then
|
||||
_err "It is recommended to install socat first."
|
||||
_err "We use socat for standalone server if you use standalone mode."
|
||||
_err "If you don't use standalone mode, just ignore this warning."
|
||||
fi
|
||||
|
||||
@ -4890,10 +4827,12 @@ install() {
|
||||
_debug "Skip install cron job"
|
||||
fi
|
||||
|
||||
if [ "$IN_CRON" != "1" ]; then
|
||||
if ! _precheck "$_nocron"; then
|
||||
_err "Pre-check failed, can not install."
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
|
||||
_info "Using config home: $LE_CONFIG_HOME"
|
||||
@ -4945,7 +4884,9 @@ install() {
|
||||
|
||||
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
|
||||
|
||||
if [ "$IN_CRON" != "1" ]; then
|
||||
_installalias "$_c_home"
|
||||
fi
|
||||
|
||||
for subf in $_SUB_FOLDERS; do
|
||||
if [ -d "$subf" ]; then
|
||||
@ -5035,7 +4976,7 @@ _uninstallalias() {
|
||||
}
|
||||
|
||||
cron() {
|
||||
IN_CRON=1
|
||||
export IN_CRON=1
|
||||
_initpath
|
||||
_info "$(__green "===Starting cron===")"
|
||||
if [ "$AUTO_UPGRADE" = "1" ]; then
|
||||
|
@ -6,6 +6,8 @@ Here are the scripts to deploy the certs/key to the server/services.
|
||||
|
||||
## 1. Deploy the certs to your cpanel host.
|
||||
|
||||
If you want to deploy using cpanel UAPI see 7.
|
||||
|
||||
(cpanel deploy hook is not finished yet, this is just an example.)
|
||||
|
||||
|
||||
@ -81,18 +83,19 @@ acme.sh --deploy -d ftp.example.com --deploy-hook exim4
|
||||
acme.sh --deploy -d ftp.example.com --deploy-hook keychain
|
||||
```
|
||||
|
||||
## 7. Deploy to cpanel host.
|
||||
## 7. Deploy to cpanel host using UAPI
|
||||
|
||||
This hook is using UAPI and works in cPanel & WHM version 56 or newer.
|
||||
```
|
||||
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
||||
```
|
||||
|
||||
If you are login as root, please specify the username to deploy cert to:
|
||||
|
||||
DEPLOY_CPANEL_USER is required only if you run the script as root and it should contain cpanel username.
|
||||
```sh
|
||||
export DEPLOY_CPANEL_USER=username
|
||||
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
||||
```
|
||||
Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
|
||||
|
||||
## 8. Deploy the cert to your FRITZ!Box router
|
||||
|
||||
You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:
|
||||
|
@ -47,7 +47,7 @@ dns_he_add() {
|
||||
response="$(_post "$body" "https://dns.he.net/")"
|
||||
exit_code="$?"
|
||||
if [ "$exit_code" -eq 0 ]; then
|
||||
_info "TXT record added successfuly."
|
||||
_info "TXT record added successfully."
|
||||
else
|
||||
_err "Couldn't add the TXT record."
|
||||
fi
|
||||
@ -96,7 +96,7 @@ dns_he_rm() {
|
||||
>/dev/null
|
||||
exit_code="$?"
|
||||
if [ "$exit_code" -eq 0 ]; then
|
||||
_info "Record removed successfuly."
|
||||
_info "Record removed successfully."
|
||||
else
|
||||
_err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand."
|
||||
return "$exit_code"
|
||||
|
Loading…
Reference in New Issue
Block a user