mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-12-29 08:21:45 +00:00
Merge remote-tracking branch 'upstream/master' into ssh-deploy
This commit is contained in:
commit
89f66ebf6d
11
README.md
11
README.md
@ -161,17 +161,17 @@ You **MUST** use this command to copy the certs to the target files, **DO NOT**
|
||||
**Apache** example:
|
||||
```bash
|
||||
acme.sh --install-cert -d example.com \
|
||||
--certpath /path/to/certfile/in/apache/cert.pem \
|
||||
--keypath /path/to/keyfile/in/apache/key.pem \
|
||||
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
|
||||
--cert-file /path/to/certfile/in/apache/cert.pem \
|
||||
--key-file /path/to/keyfile/in/apache/key.pem \
|
||||
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
|
||||
--reloadcmd "service apache2 force-reload"
|
||||
```
|
||||
|
||||
**Nginx** example:
|
||||
```bash
|
||||
acme.sh --install-cert -d example.com \
|
||||
--keypath /path/to/keyfile/in/nginx/key.pem \
|
||||
--fullchainpath /path/to/fullchain/nginx/cert.pem \
|
||||
--key-file /path/to/keyfile/in/nginx/key.pem \
|
||||
--fullchain-file /path/to/fullchain/nginx/cert.pem \
|
||||
--reloadcmd "service nginx force-reload"
|
||||
```
|
||||
|
||||
@ -310,6 +310,7 @@ You don't have to do anything manually!
|
||||
1. Knot DNS API
|
||||
1. DigitalOcean API (native)
|
||||
1. ClouDNS.net API
|
||||
1. Infoblox NIOS API (https://www.infoblox.com/)
|
||||
|
||||
**More APIs coming soon...**
|
||||
|
||||
|
61
acme.sh
61
acme.sh
@ -1483,7 +1483,9 @@ _inithttp() {
|
||||
_ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
|
||||
fi
|
||||
|
||||
if [ "$CA_BUNDLE" ]; then
|
||||
if [ "$CA_PATH" ]; then
|
||||
_ACME_CURL="$_ACME_CURL --capath $CA_PATH "
|
||||
elif [ "$CA_BUNDLE" ]; then
|
||||
_ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
|
||||
fi
|
||||
|
||||
@ -1494,8 +1496,10 @@ _inithttp() {
|
||||
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
||||
_ACME_WGET="$_ACME_WGET -d "
|
||||
fi
|
||||
if [ "$CA_BUNDLE" ]; then
|
||||
_ACME_WGET="$_ACME_WGET --ca-certificate $CA_BUNDLE "
|
||||
if [ "$CA_PATH" ]; then
|
||||
_ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH "
|
||||
elif [ "$CA_BUNDLE" ]; then
|
||||
_ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE "
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -3707,6 +3711,12 @@ issue() {
|
||||
_clearaccountconf "CA_BUNDLE"
|
||||
fi
|
||||
|
||||
if [ "$CA_PATH" ]; then
|
||||
_saveaccountconf CA_PATH "$CA_PATH"
|
||||
else
|
||||
_clearaccountconf "CA_PATH"
|
||||
fi
|
||||
|
||||
if [ "$HTTPS_INSECURE" ]; then
|
||||
_saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
|
||||
else
|
||||
@ -4025,7 +4035,7 @@ deploy() {
|
||||
installcert() {
|
||||
_main_domain="$1"
|
||||
if [ -z "$_main_domain" ]; then
|
||||
_usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
|
||||
_usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--cert-file cert-file-path] [--key-file key-file-path] [--ca-file ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchain-file fullchain-path]"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@ -4775,10 +4785,10 @@ Parameters:
|
||||
|
||||
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
|
||||
|
||||
--certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
|
||||
--keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
|
||||
--capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
|
||||
--fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
|
||||
--cert-file After issue/renew, the cert will be copied to this path.
|
||||
--key-file After issue/renew, the key will be copied to this path.
|
||||
--ca-file After issue/renew, the intermediate cert will be copied to this path.
|
||||
--fullchain-file After issue/renew, the fullchain cert will be copied to this path.
|
||||
|
||||
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
|
||||
|
||||
@ -4797,6 +4807,7 @@ Parameters:
|
||||
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
|
||||
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
|
||||
--ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
|
||||
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
|
||||
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
|
||||
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
|
||||
--csr Specifies the input csr.
|
||||
@ -4903,10 +4914,10 @@ _process() {
|
||||
_webroot=""
|
||||
_keylength=""
|
||||
_accountkeylength=""
|
||||
_certpath=""
|
||||
_keypath=""
|
||||
_capath=""
|
||||
_fullchainpath=""
|
||||
_cert_file=""
|
||||
_key_file=""
|
||||
_ca_file=""
|
||||
_fullchain_file=""
|
||||
_reloadcmd=""
|
||||
_password=""
|
||||
_accountconf=""
|
||||
@ -4922,6 +4933,7 @@ _process() {
|
||||
_stopRenewOnError=""
|
||||
#_insecure=""
|
||||
_ca_bundle=""
|
||||
_ca_path=""
|
||||
_nocron=""
|
||||
_ecc=""
|
||||
_csr=""
|
||||
@ -5147,20 +5159,20 @@ _process() {
|
||||
shift
|
||||
;;
|
||||
|
||||
--certpath)
|
||||
_certpath="$2"
|
||||
--cert-file | --certpath)
|
||||
_cert_file="$2"
|
||||
shift
|
||||
;;
|
||||
--keypath)
|
||||
_keypath="$2"
|
||||
--key-file | --keypath)
|
||||
_key_file="$2"
|
||||
shift
|
||||
;;
|
||||
--capath)
|
||||
_capath="$2"
|
||||
--ca-file | --capath)
|
||||
_ca_file="$2"
|
||||
shift
|
||||
;;
|
||||
--fullchainpath)
|
||||
_fullchainpath="$2"
|
||||
--fullchain-file | --fullchainpath)
|
||||
_fullchain_file="$2"
|
||||
shift
|
||||
;;
|
||||
--reloadcmd | --reloadCmd)
|
||||
@ -5236,6 +5248,11 @@ _process() {
|
||||
CA_BUNDLE="$_ca_bundle"
|
||||
shift
|
||||
;;
|
||||
--ca-path)
|
||||
_ca_path="$2"
|
||||
CA_PATH="$_ca_path"
|
||||
shift
|
||||
;;
|
||||
--nocron)
|
||||
_nocron="1"
|
||||
;;
|
||||
@ -5377,7 +5394,7 @@ _process() {
|
||||
uninstall) uninstall "$_nocron" ;;
|
||||
upgrade) upgrade ;;
|
||||
issue)
|
||||
issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
|
||||
issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
|
||||
;;
|
||||
deploy)
|
||||
deploy "$_domain" "$_deploy_hook" "$_ecc"
|
||||
@ -5389,7 +5406,7 @@ _process() {
|
||||
showcsr "$_csr" "$_domain"
|
||||
;;
|
||||
installcert)
|
||||
installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
|
||||
installcert "$_domain" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_ecc"
|
||||
;;
|
||||
renew)
|
||||
renew "$_domain" "$_ecc"
|
||||
|
@ -421,6 +421,23 @@ Ok, let's issue a cert now:
|
||||
acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com
|
||||
```
|
||||
|
||||
## 22. Use Infoblox API
|
||||
|
||||
First you need to create/obtain API credentials on your Infoblox appliance.
|
||||
|
||||
```
|
||||
export Infoblox_Creds="username:password"
|
||||
export Infoblox_Server="ip or fqdn of infoblox appliance"
|
||||
```
|
||||
|
||||
Ok, let's issue a cert now:
|
||||
```
|
||||
acme.sh --issue --dns dns_infoblox -d example.com -d www.example.com
|
||||
```
|
||||
|
||||
Note: This script will automatically create and delete the ephemeral txt record.
|
||||
The `Infoblox_Creds` and `Infoblox_Server` will be saved in `~/.acme.sh/account.conf` and will be reused when needed.
|
||||
|
||||
# Use custom API
|
||||
|
||||
If your API is not supported yet, you can write your own DNS API.
|
||||
|
97
dnsapi/dns_infoblox.sh
Normal file
97
dnsapi/dns_infoblox.sh
Normal file
@ -0,0 +1,97 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
## Infoblox API integration by Jason Keller and Elijah Tenai
|
||||
##
|
||||
## Report any bugs via https://github.com/jasonkeller/acme.sh
|
||||
|
||||
dns_infoblox_add() {
|
||||
|
||||
## Nothing to see here, just some housekeeping
|
||||
fulldomain=$1
|
||||
txtvalue=$2
|
||||
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue"
|
||||
|
||||
_info "Using Infoblox API"
|
||||
_debug fulldomain "$fulldomain"
|
||||
_debug txtvalue "$txtvalue"
|
||||
|
||||
## Check for the credentials
|
||||
if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
|
||||
Infoblox_Creds=""
|
||||
Infoblox_Server=""
|
||||
_err "You didn't specify the credentials or server yet (Infoblox_Creds and Infoblox_Server)."
|
||||
_err "Please set them via EXPORT ([username:password] and [ip or hostname]) and try again."
|
||||
return 1
|
||||
fi
|
||||
|
||||
## Save the credentials to the account file
|
||||
_saveaccountconf Infoblox_Creds "$Infoblox_Creds"
|
||||
_saveaccountconf Infoblox_Server "$Infoblox_Server"
|
||||
|
||||
## Base64 encode the credentials
|
||||
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
|
||||
|
||||
## Construct the HTTP Authorization header
|
||||
export _H1="Accept-Language:en-US"
|
||||
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
|
||||
|
||||
## Add the challenge record to the Infoblox grid member
|
||||
result=$(_post "" "$baseurlnObject" "" "POST")
|
||||
|
||||
## Let's see if we get something intelligible back from the unit
|
||||
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
|
||||
_info "Successfully created the txt record"
|
||||
return 0
|
||||
else
|
||||
_err "Error encountered during record addition"
|
||||
_err "$result"
|
||||
return 1
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
dns_infoblox_rm() {
|
||||
|
||||
## Nothing to see here, just some housekeeping
|
||||
fulldomain=$1
|
||||
txtvalue=$2
|
||||
|
||||
_info "Using Infoblox API"
|
||||
_debug fulldomain "$fulldomain"
|
||||
_debug txtvalue "$txtvalue"
|
||||
|
||||
## Base64 encode the credentials
|
||||
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
|
||||
|
||||
## Construct the HTTP Authorization header
|
||||
export _H1="Accept-Language:en-US"
|
||||
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
|
||||
|
||||
## Does the record exist? Let's check.
|
||||
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&_return_type=xml-pretty"
|
||||
result=$(_get "$baseurlnObject")
|
||||
|
||||
## Let's see if we get something intelligible back from the grid
|
||||
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
|
||||
## Extract the object reference
|
||||
objRef=$(printf "%b" "$result" | _egrep_o 'record:txt/.*:.*/default')
|
||||
objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
|
||||
## Delete them! All the stale records!
|
||||
rmResult=$(_post "" "$objRmUrl" "" "DELETE")
|
||||
## Let's see if that worked
|
||||
if echo "$rmResult" | egrep 'record:txt/.*:.*/default'; then
|
||||
_info "Successfully deleted $objRef"
|
||||
return 0
|
||||
else
|
||||
_err "Error occurred during txt record delete"
|
||||
_err "$rmResult"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
_err "Record to delete didn't match an existing record"
|
||||
_err "$result"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
#################### Private functions below ##################################
|
Loading…
Reference in New Issue
Block a user