plantroon/acme.sh
1
0
Fork 0
mirror of https://github.com/plantroon/acme.sh.git synced 2024-11-12 17:31:47 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'dev' into all-inkl-kasserver-dns-script

Browse Source
This commit is contained in:
Martin Kammerlander 2018-03-16 14:49:02 +01:00
commit 8c634d8323
6 changed files with 154 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
README.md
View File

@ -37,6 +37,8 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
- [archlinux](https://aur.archlinux.org/packages/acme.sh-git/) - [archlinux](https://aur.archlinux.org/packages/acme.sh-git/)
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
- [CentOS Web Panel](http://centos-webpanel.com/)
- [lnmp.org](https://lnmp.org/)
- [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials) - [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials)
# Tested OS # Tested OS
@ -220,22 +222,7 @@ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
# 5. Use Standalone TLS server to issue cert # 5. Use Apache mode
**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))**
acme.sh supports `tls-sni-01` validation.
Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
```bash
acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com
```
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
# 6. Use Apache mode
**(requires you to be root/sudoer, since it is required to interact with Apache server)** **(requires you to be root/sudoer, since it is required to interact with Apache server)**
@ -255,7 +242,7 @@ We don't want to mess your apache server, don't worry.**
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
# 7. Use Nginx mode # 6. Use Nginx mode
**(requires you to be root/sudoer, since it is required to interact with Nginx server)** **(requires you to be root/sudoer, since it is required to interact with Nginx server)**
@ -279,7 +266,7 @@ We don't want to mess your nginx server, don't worry.**
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
# 8. Automatic DNS API integration # 7. Automatic DNS API integration
If your DNS provider supports API access, we can use that API to automatically issue the certs. If your DNS provider supports API access, we can use that API to automatically issue the certs.
@ -343,7 +330,7 @@ If your DNS provider is not on the supported list above, you can write your own
For more details: [How to use DNS API](dnsapi) For more details: [How to use DNS API](dnsapi)
# 9. Use DNS manual mode: # 8. Use DNS manual mode:
If your dns provider doesn't support any api access, you can add the txt record by your hand. If your dns provider doesn't support any api access, you can add the txt record by your hand.
@ -377,7 +364,7 @@ Ok, it's done.
**Please use dns api mode instead.** **Please use dns api mode instead.**
# 10. Issue ECC certificates # 9. Issue ECC certificates
`Let's Encrypt` can now issue **ECDSA** certificates. `Let's Encrypt` can now issue **ECDSA** certificates.
@ -409,7 +396,7 @@ Valid values are:
# 11. Issue Wildcard certificates # 10. Issue Wildcard certificates
It's simple, just give a wildcard domain as the `-d` parameter. It's simple, just give a wildcard domain as the `-d` parameter.
@ -419,7 +406,7 @@ acme.sh --issue -d example.com -d *.example.com --dns dns_cf
# 12. How to renew the certs # 11. How to renew the certs
No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
@ -436,7 +423,7 @@ acme.sh --renew -d example.com --force --ecc
``` ```
# 13. How to stop cert renewal # 12. How to stop cert renewal
To stop renewal of a cert, you can execute the following to remove the cert from the renewal list: To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
@ -449,7 +436,7 @@ The cert/key file is not removed from the disk.
You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself. You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.
# 14. How to upgrade `acme.sh` # 13. How to upgrade `acme.sh`
acme.sh is in constant development, so it's strongly recommended to use the latest code. acme.sh is in constant development, so it's strongly recommended to use the latest code.
@ -474,25 +461,25 @@ acme.sh --upgrade --auto-upgrade 0
``` ```
# 15. Issue a cert from an existing CSR # 14. Issue a cert from an existing CSR
https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR
# 16. Under the Hood # 15. Under the Hood
Speak ACME language using shell, directly to "Let's Encrypt". Speak ACME language using shell, directly to "Let's Encrypt".
TODO: TODO:
# 17. Acknowledgments # 16. Acknowledgments
1. Acme-tiny: https://github.com/diafygi/acme-tiny 1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme 2. ACME protocol: https://github.com/ietf-wg-acme/acme
# 18. License & Others # 17. License & Others
License is GPLv3 License is GPLv3
@ -501,7 +488,7 @@ Please Star and Fork me.
[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome. [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome.
# 19. Donate # 18. Donate
Your donation makes **acme.sh** better: Your donation makes **acme.sh** better:
1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)

80
acme.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
VER=2.7.7 VER=2.7.8
PROJECT_NAME="acme.sh" PROJECT_NAME="acme.sh"
@ -47,6 +47,7 @@ DEFAULT_DNS_SLEEP=120
NO_VALUE="no" NO_VALUE="no"
W_TLS="tls" W_TLS="tls"
W_DNS="dns"
DNS_ALIAS_PREFIX="=" DNS_ALIAS_PREFIX="="
MODE_STATELESS="stateless" MODE_STATELESS="stateless"
@ -2341,7 +2342,7 @@ _initpath() {
fi fi
fi fi
_debug2 ACME_DIRECTORY "$ACME_DIRECTORY" _debug ACME_DIRECTORY "$ACME_DIRECTORY"
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)" _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
@ -2998,6 +2999,8 @@ _on_before_issue() {
_chk_pre_hook="$4" _chk_pre_hook="$4"
_chk_local_addr="$5" _chk_local_addr="$5"
_debug _on_before_issue _debug _on_before_issue
_debug _chk_main_domain "$_chk_main_domain"
_debug _chk_alt_domains "$_chk_alt_domains"
#run pre hook #run pre hook
if [ "$_chk_pre_hook" ]; then if [ "$_chk_pre_hook" ]; then
_info "Run pre hook:'$_chk_pre_hook'" _info "Run pre hook:'$_chk_pre_hook'"
@ -3018,11 +3021,17 @@ _on_before_issue() {
_debug Le_LocalAddress "$_chk_local_addr" _debug Le_LocalAddress "$_chk_local_addr"
alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ')
_index=1 _index=1
_currentRoot="" _currentRoot=""
_addrIndex=1 _addrIndex=1
for d in $alldomains; do _w_index=1
while true; do
d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")"
_w_index="$(_math "$_w_index" + 1)"
_debug d "$d"
if [ -z "$d" ]; then
break
fi
_debug "Check for domain" "$d" _debug "Check for domain" "$d"
_currentRoot="$(_getfield "$_chk_web_roots" $_index)" _currentRoot="$(_getfield "$_chk_web_roots" $_index)"
_debug "_currentRoot" "$_currentRoot" _debug "_currentRoot" "$_currentRoot"
@ -3118,7 +3127,7 @@ _on_issue_err() {
) )
fi fi
if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "dns"; then if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "$W_DNS"; then
_err "$_DNS_MANUAL_ERR" _err "$_DNS_MANUAL_ERR"
fi fi
@ -3154,7 +3163,7 @@ _on_issue_success() {
fi fi
fi fi
if _hasfield "$Le_Webroot" "dns"; then if _hasfield "$Le_Webroot" "$W_DNS"; then
_err "$_DNS_MANUAL_WARN" _err "$_DNS_MANUAL_WARN"
fi fi
@ -3421,6 +3430,9 @@ issue() {
_main_domain=$(echo "$2,$3" | cut -d , -f 1) _main_domain=$(echo "$2,$3" | cut -d , -f 1)
_alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//") _alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//")
fi fi
_debug _main_domain "$_main_domain"
_debug _alt_domains "$_alt_domains"
_key_length="$4" _key_length="$4"
_real_cert="$5" _real_cert="$5"
_real_key="$6" _real_key="$6"
@ -3551,10 +3563,15 @@ issue() {
if [ "$ACME_VERSION" = "2" ]; then if [ "$ACME_VERSION" = "2" ]; then
#make new order request #make new order request
_identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}" _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}"
for d in $(echo "$_alt_domains" | tr ',' ' '); do _w_index=1
if [ "$d" ]; then while true; do
_identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}" d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
_w_index="$(_math "$_w_index" + 1)"
_debug d "$d"
if [ -z "$d" ]; then
break
fi fi
_identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
done done
_debug2 _identifiers "$_identifiers" _debug2 _identifiers "$_identifiers"
if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
@ -3591,6 +3608,8 @@ issue() {
_debug2 "_authz_url" "$_authz_url" _debug2 "_authz_url" "$_authz_url"
if ! response="$(_get "$_authz_url")"; then if ! response="$(_get "$_authz_url")"; then
_err "get to authz error." _err "get to authz error."
_err "_authorizations_seg" "$_authorizations_seg"
_err "_authz_url" "$_authz_url"
_clearup _clearup
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
@ -3609,10 +3628,16 @@ $_authorizations_map"
_debug2 _authorizations_map "$_authorizations_map" _debug2 _authorizations_map "$_authorizations_map"
fi fi
alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ')
_index=0 _index=0
_currentRoot="" _currentRoot=""
for d in $alldomains; do _w_index=1
while true; do
d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")"
_w_index="$(_math "$_w_index" + 1)"
_debug d "$d"
if [ -z "$d" ]; then
break
fi
_info "Getting webroot for domain" "$d" _info "Getting webroot for domain" "$d"
_index=$(_math $_index + 1) _index=$(_math $_index + 1)
_w="$(echo $_web_roots | cut -d , -f $_index)" _w="$(echo $_web_roots | cut -d , -f $_index)"
@ -3624,7 +3649,7 @@ $_authorizations_map"
vtype="$VTYPE_HTTP" vtype="$VTYPE_HTTP"
#todo, v2 wildcard force to use dns #todo, v2 wildcard force to use dns
if _startswith "$_currentRoot" "dns"; then if _startswith "$_currentRoot" "$W_DNS"; then
vtype="$VTYPE_DNS" vtype="$VTYPE_DNS"
fi fi
@ -3641,6 +3666,7 @@ $_authorizations_map"
_debug2 "response" "$response" _debug2 "response" "$response"
if [ -z "$response" ]; then if [ -z "$response" ]; then
_err "get to authz error." _err "get to authz error."
_err "_authorizations_map" "$_authorizations_map"
_clearup _clearup
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
@ -3751,6 +3777,10 @@ $_authorizations_map"
if [ "$d_api" ]; then if [ "$d_api" ]; then
_info "Found domain api file: $d_api" _info "Found domain api file: $d_api"
else else
if [ "$_currentRoot" != "$W_DNS" ]; then
_err "Can not find dns api hook for: $_currentRoot"
_info "You need to add the txt record manually."
fi
_info "$(__red "Add the following TXT record:")" _info "$(__red "Add the following TXT record:")"
_info "$(__red "Domain: '$(__green "$txtdomain")'")" _info "$(__red "Domain: '$(__green "$txtdomain")'")"
_info "$(__red "TXT value: '$(__green "$txt")'")" _info "$(__red "TXT value: '$(__green "$txt")'")"
@ -3789,7 +3819,7 @@ $_authorizations_map"
if [ "$dnsadded" = '0' ]; then if [ "$dnsadded" = '0' ]; then
_savedomainconf "Le_Vlist" "$vlist" _savedomainconf "Le_Vlist" "$vlist"
_debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
_err "Please add the TXT records to the domains, and retry again." _err "Please add the TXT records to the domains, and re-run with --renew."
_clearup _clearup
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
@ -4151,7 +4181,7 @@ $_authorizations_map"
echo "$BEGIN_CERT" >"$CA_CERT_PATH" echo "$BEGIN_CERT" >"$CA_CERT_PATH"
_base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH" _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
echo "$END_CERT" >>"$CA_CERT_PATH" echo "$END_CERT" >>"$CA_CERT_PATH"
if !_checkcert "$CA_CERT_PATH"; then if ! _checkcert "$CA_CERT_PATH"; then
_err "Can not get the ca cert." _err "Can not get the ca cert."
break break
fi fi
@ -4264,7 +4294,7 @@ renew() {
fi fi
. "$DOMAIN_CONF" . "$DOMAIN_CONF"
_debug Le_API "$Le_API"
if [ "$Le_API" ]; then if [ "$Le_API" ]; then
if [ "$_OLD_CA_HOST" = "$Le_API" ]; then if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
export Le_API="$DEFAULT_CA" export Le_API="$DEFAULT_CA"
@ -4868,6 +4898,8 @@ _deactivate() {
_debug2 "authzUri" "$authzUri" _debug2 "authzUri" "$authzUri"
if ! response="$(_get "$authzUri")"; then if ! response="$(_get "$authzUri")"; then
_err "get to authz error." _err "get to authz error."
_err "_authorizations_seg" "$_authorizations_seg"
_err "authzUri" "$authzUri"
_clearup _clearup
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
@ -5399,7 +5431,6 @@ Parameters:
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode. --standalone Use standalone mode.
--stateless Use stateless mode, see: $_STATELESS_WIKI --stateless Use stateless mode, see: $_STATELESS_WIKI
--tls Use standalone tls mode.
--apache Use apache mode. --apache Use apache mode.
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
--dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
@ -5429,7 +5460,6 @@ Parameters:
--accountkey Specifies the account key path, Only valid for the '--install' command. --accountkey Specifies the account key path, Only valid for the '--install' command.
--days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
--httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
--tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
--local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
--listraw Only used for '--list' command, list the certs in raw format. --listraw Only used for '--list' command, list the certs in raw format.
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal. --stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
@ -5780,16 +5810,8 @@ _process() {
_webroot="$_webroot,$wvalue" _webroot="$_webroot,$wvalue"
fi fi
;; ;;
--tls)
wvalue="$W_TLS"
if [ -z "$_webroot" ]; then
_webroot="$wvalue"
else
_webroot="$_webroot,$wvalue"
fi
;;
--dns) --dns)
wvalue="dns" wvalue="$W_DNS"
if [ "$2" ] && ! _startswith "$2" "-"; then if [ "$2" ] && ! _startswith "$2" "-"; then
wvalue="$2" wvalue="$2"
shift shift
@ -5883,12 +5905,6 @@ _process() {
Le_HTTPPort="$_httpport" Le_HTTPPort="$_httpport"
shift shift
;; ;;
--tlsport)
_tlsport="$2"
Le_TLSPort="$_tlsport"
shift
;;
--listraw) --listraw)
_listraw="raw" _listraw="raw"
;; ;;

8
dnsapi/dns_azure.sh
View File

@ -99,6 +99,7 @@ dns_azure_add() {
_azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken" _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
_info "validation value added" _info "validation value added"
return 0
else else
_err "error adding validation value ($_code)" _err "error adding validation value ($_code)"
return 1 return 1
@ -194,6 +195,7 @@ dns_azure_rm() {
_azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken" _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
_info "validation value removed" _info "validation value removed"
return 0
else else
_err "error removing validation value ($_code)" _err "error removing validation value ($_code)"
return 1 return 1
@ -226,6 +228,7 @@ _azure_rest() {
else else
response="$(_get "$ep")" response="$(_get "$ep")"
fi fi
_ret="$?"
_secure_debug2 "response $response" _secure_debug2 "response $response"
_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
_debug "http response code $_code" _debug "http response code $_code"
@ -236,7 +239,7 @@ _azure_rest() {
return 1 return 1
fi fi
# See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes # See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
if [ "$?" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then if [ "$_ret" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then
_request_retry_times="$(_math "$_request_retry_times" + 1)" _request_retry_times="$(_math "$_request_retry_times" + 1)"
_info "REST call error $_code retrying $ep in $_request_retry_times s" _info "REST call error $_code retrying $ep in $_request_retry_times s"
_sleep "$_request_retry_times" _sleep "$_request_retry_times"
@ -281,6 +284,7 @@ _azure_getaccess_token() {
body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials" body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
_secure_debug2 "data $body" _secure_debug2 "data $body"
response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")" response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")"
_ret="$?"
_secure_debug2 "response $response" _secure_debug2 "response $response"
response="$(echo "$response" | _normalizeJson)" response="$(echo "$response" | _normalizeJson)"
accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
@ -290,7 +294,7 @@ _azure_getaccess_token() {
_err "no acccess token received. Check your Azure settings see $WIKI" _err "no acccess token received. Check your Azure settings see $WIKI"
return 1 return 1
fi fi
if [ "$?" != "0" ]; then if [ "$_ret" != "0" ]; then
_err "error $response" _err "error $response"
return 1 return 1
fi fi

8
dnsapi/dns_cf.sh
View File

@ -19,8 +19,8 @@ dns_cf_add() {
if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
CF_Key="" CF_Key=""
CF_Email="" CF_Email=""
_err "You don't specify cloudflare api key and email yet." _err "You didn't specify a cloudflare api key and email yet."
_err "Please create you key and try again." _err "Please create the key and try again."
return 1 return 1
fi fi
@ -94,8 +94,8 @@ dns_cf_rm() {
if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
CF_Key="" CF_Key=""
CF_Email="" CF_Email=""
_err "You don't specify cloudflare api key and email yet." _err "You didn't specify a cloudflare api key and email yet."
_err "Please create you key and try again." _err "Please create the key and try again."
return 1 return 1
fi fi

30
dnsapi/dns_dgon.sh
View File

@ -20,12 +20,22 @@
dns_dgon_add() { dns_dgon_add() {
fulldomain="$(echo "$1" | _lower_case)" fulldomain="$(echo "$1" | _lower_case)"
txtvalue=$2 txtvalue=$2
DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}"
# Check if API Key Exist
if [ -z "$DO_API_KEY" ]; then
DO_API_KEY=""
_err "You did not specify DigitalOcean API key."
_err "Please export DO_API_KEY and try again."
return 1
fi
_info "Using digitalocean dns validation - add record" _info "Using digitalocean dns validation - add record"
_debug fulldomain "$fulldomain" _debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue" _debug txtvalue "$txtvalue"
## save the env vars (key and domain split location) for later automated use ## save the env vars (key and domain split location) for later automated use
_saveaccountconf DO_API_KEY "$DO_API_KEY" _saveaccountconf_mutable DO_API_KEY "$DO_API_KEY"
## split the domain for DO API ## split the domain for DO API
if ! _get_base_domain "$fulldomain"; then if ! _get_base_domain "$fulldomain"; then
@ -39,7 +49,7 @@ dns_dgon_add() {
export _H1="Content-Type: application/json" export _H1="Content-Type: application/json"
export _H2="Authorization: Bearer $DO_API_KEY" export _H2="Authorization: Bearer $DO_API_KEY"
PURL='https://api.digitalocean.com/v2/domains/'$_domain'/records' PURL='https://api.digitalocean.com/v2/domains/'$_domain'/records'
PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'"}' PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'","ttl":120}'
_debug PURL "$PURL" _debug PURL "$PURL"
_debug PBODY "$PBODY" _debug PBODY "$PBODY"
@ -65,6 +75,16 @@ dns_dgon_add() {
dns_dgon_rm() { dns_dgon_rm() {
fulldomain="$(echo "$1" | _lower_case)" fulldomain="$(echo "$1" | _lower_case)"
txtvalue=$2 txtvalue=$2
DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}"
# Check if API Key Exist
if [ -z "$DO_API_KEY" ]; then
DO_API_KEY=""
_err "You did not specify DigitalOcean API key."
_err "Please export DO_API_KEY and try again."
return 1
fi
_info "Using digitalocean dns validation - remove record" _info "Using digitalocean dns validation - remove record"
_debug fulldomain "$fulldomain" _debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue" _debug txtvalue "$txtvalue"
@ -92,11 +112,11 @@ dns_dgon_rm() {
domain_list="$(_get "$GURL")" domain_list="$(_get "$GURL")"
## 2) find record ## 2) find record
## check for what we are looing for: "type":"A","name":"$_sub_domain" ## check for what we are looing for: "type":"A","name":"$_sub_domain"
record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*\d+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*[0-9]+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")"
## 3) check record and get next page ## 3) check record and get next page
if [ -z "$record" ]; then if [ -z "$record" ]; then
## find the next page if we dont have a match ## find the next page if we dont have a match
nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=\d+")" nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[0-9]+")"
if [ -z "$nextpage" ]; then if [ -z "$nextpage" ]; then
_err "no record and no nextpage in digital ocean DNS removal" _err "no record and no nextpage in digital ocean DNS removal"
return 1 return 1
@ -108,7 +128,7 @@ dns_dgon_rm() {
done done
## we found the record ## we found the record
rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*\d+" | _egrep_o "\d+")" rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")"
_debug rec_id "$rec_id" _debug rec_id "$rec_id"
## delete the record ## delete the record

146
dnsapi/dns_freedns.sh
View File

@ -53,8 +53,9 @@ dns_freedns_add() {
i="$(_math "$i" - 1)" i="$(_math "$i" - 1)"
sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")" sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")"
_debug top_domain "$top_domain" _debug "top_domain: $top_domain"
_debug sub_domain "$sub_domain" _debug "sub_domain: $sub_domain"
# Sometimes FreeDNS does not return the subdomain page but rather # Sometimes FreeDNS does not return the subdomain page but rather
# returns a page regarding becoming a premium member. This usually # returns a page regarding becoming a premium member. This usually
# happens after a period of inactivity. Immediately trying again # happens after a period of inactivity. Immediately trying again
@ -63,6 +64,7 @@ dns_freedns_add() {
attempts=2 attempts=2
while [ "$attempts" -gt "0" ]; do while [ "$attempts" -gt "0" ]; do
attempts="$(_math "$attempts" - 1)" attempts="$(_math "$attempts" - 1)"
htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
if [ "$using_cached_cookies" = "true" ]; then if [ "$using_cached_cookies" = "true" ]; then
@ -71,10 +73,9 @@ dns_freedns_add() {
fi fi
return 1 return 1
fi fi
_debug2 htmlpage "$htmlpage"
subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$top_domain")" subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$top_domain")"
_debug2 subdomain_csv "$subdomain_csv" _debug3 "subdomain_csv: $subdomain_csv"
# The above beauty ends with striping out rows that do not have an # The above beauty ends with striping out rows that do not have an
# href to edit.php and do not have the top domain we are looking for. # href to edit.php and do not have the top domain we are looking for.
@ -85,55 +86,25 @@ dns_freedns_add() {
lines="$(echo "$subdomain_csv" | wc -l)" lines="$(echo "$subdomain_csv" | wc -l)"
i=0 i=0
found=0 found=0
DNSdomainid=""
while [ "$i" -lt "$lines" ]; do while [ "$i" -lt "$lines" ]; do
i="$(_math "$i" + 1)" i="$(_math "$i" + 1)"
line="$(echo "$subdomain_csv" | sed -n "${i}p")" line="$(echo "$subdomain_csv" | sed -n "${i}p")"
_debug2 line "$line" _debug2 "line: $line"
if [ $found = 0 ] && _contains "$line" "<td>$top_domain</td>"; then if [ $found = 0 ] && _contains "$line" "<td>$top_domain</td>"; then
# this line will contain DNSdomainid for the top_domain # this line will contain DNSdomainid for the top_domain
DNSdomainid="$(echo "$line" | _egrep_o "edit_domain_id *= *.*>" | cut -d = -f 2 | cut -d '>' -f 1)" DNSdomainid="$(echo "$line" | _egrep_o "edit_domain_id *= *.*>" | cut -d = -f 2 | cut -d '>' -f 1)"
_debug2 DNSdomainid "$DNSdomainid" _debug2 "DNSdomainid: $DNSdomainid"
found=1 found=1
else break
# lines contain DNS records for all subdomains
DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
_debug2 DNSname "$DNSname"
DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
_debug2 DNStype "$DNStype"
if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then
DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
# Now get current value for the TXT record. This method may
# not produce accurate results as the value field is truncated
# on this webpage. To get full value we would need to load
# another page. However we don't really need this so long as
# there is only one TXT record for the acme challenge subdomain.
DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
_debug2 DNSvalue "$DNSvalue"
if [ $found != 0 ]; then
break
# we are breaking out of the loop at the first match of DNS name
# and DNS type (if we are past finding the domainid). This assumes
# that there is only ever one TXT record for the LetsEncrypt/acme
# challenge subdomain. This seems to be a reasonable assumption
# as the acme client deletes the TXT record on successful validation.
fi
else
DNSname=""
DNStype=""
fi
fi fi
done done
_debug "DNSname: $DNSname DNStype: $DNStype DNSdomainid: $DNSdomainid DNSdataid: $DNSdataid"
_debug "DNSvalue: $DNSvalue"
if [ -z "$DNSdomainid" ]; then if [ -z "$DNSdomainid" ]; then
# If domain ID is empty then something went wrong (top level # If domain ID is empty then something went wrong (top level
# domain not found at FreeDNS). # domain not found at FreeDNS).
if [ "$attempts" = "0" ]; then if [ "$attempts" = "0" ]; then
# exhausted maximum retry attempts # exhausted maximum retry attempts
_debug "$htmlpage"
_debug "$subdomain_csv"
_err "Domain $top_domain not found at FreeDNS" _err "Domain $top_domain not found at FreeDNS"
return 1 return 1
fi fi
@ -145,33 +116,10 @@ dns_freedns_add() {
_info "Retry loading subdomain page ($attempts attempts remaining)" _info "Retry loading subdomain page ($attempts attempts remaining)"
done done
if [ -z "$DNSdataid" ]; then # Add in new TXT record with the value provided
# If data ID is empty then specific subdomain does not exist yet, need _debug "Adding TXT record for $fulldomain, $txtvalue"
# to create it this should always be the case as the acme client _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
# deletes the entry after domain is validated. return $?
_freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
return $?
else
if [ "$txtvalue" = "$DNSvalue" ]; then
# if value in TXT record matches value requested then DNS record
# does not need to be updated. But...
# Testing value match fails. Website is truncating the value field.
# So for now we will always go down the else path. Though in theory
# should never come here anyway as the acme client deletes
# the TXT record on successful validation, so we should not even
# have found a TXT record !!
_info "No update necessary for $fulldomain at FreeDNS"
return 0
else
# Delete the old TXT record (with the wrong value)
if _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"; then
# And add in new TXT record with the value provided
_freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
fi
return $?
fi
fi
return 0
} }
#Usage: fulldomain txtvalue #Usage: fulldomain txtvalue
@ -205,7 +153,7 @@ dns_freedns_rm() {
fi fi
subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$fulldomain")" subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$fulldomain")"
_debug2 subdomain_csv "$subdomain_csv" _debug3 "subdomain_csv: $subdomain_csv"
# The above beauty ends with striping out rows that do not have an # The above beauty ends with striping out rows that do not have an
# href to edit.php and do not have the domain name we are looking for. # href to edit.php and do not have the domain name we are looking for.
@ -216,35 +164,51 @@ dns_freedns_rm() {
lines="$(echo "$subdomain_csv" | wc -l)" lines="$(echo "$subdomain_csv" | wc -l)"
i=0 i=0
found=0 found=0
DNSdataid=""
while [ "$i" -lt "$lines" ]; do while [ "$i" -lt "$lines" ]; do
i="$(_math "$i" + 1)" i="$(_math "$i" + 1)"
line="$(echo "$subdomain_csv" | sed -n "${i}p")" line="$(echo "$subdomain_csv" | sed -n "${i}p")"
_debug2 line "$line" _debug3 "line: $line"
DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)" DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
_debug2 DNSname "$DNSname" _debug2 "DNSname: $DNSname"
DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)" if [ "$DNSname" = "$fulldomain" ]; then
_debug2 DNStype "$DNStype" DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then _debug2 "DNStype: $DNStype"
DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)" if [ "$DNStype" = "TXT" ]; then
_debug2 DNSdataid "$DNSdataid" DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)" _debug2 "DNSdataid: $DNSdataid"
_debug2 DNSvalue "$DNSvalue" DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
# if [ "$DNSvalue" = "$txtvalue" ]; then if _startswith "$DNSvalue" "&quot;"; then
# Testing value match fails. Website is truncating the value # remove the quotation from the start
# field. So for now we will assume that there is only one TXT DNSvalue="$(echo "$DNSvalue" | cut -c 7-)"
# field for the sub domain and just delete it. Currently this fi
# is a safe assumption. if _endswith "$DNSvalue" "..."; then
_freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid" # value was truncated, remove the dot dot dot from the end
return $? DNSvalue="$(echo "$DNSvalue" | sed 's/...$//')"
# fi elif _endswith "$DNSvalue" "&quot;"; then
# else remove the closing quotation from the end
DNSvalue="$(echo "$DNSvalue" | sed 's/......$//')"
fi
_debug2 "DNSvalue: $DNSvalue"
if [ -n "$DNSdataid" ] && _startswith "$txtvalue" "$DNSvalue"; then
# Found a match. But note... Website is truncating the
# value field so we are only testing that part that is not
# truncated. This should be accurate enough.
_debug "Deleting TXT record for $fulldomain, $txtvalue"
_freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"
return $?
fi
fi
fi fi
done done
done done
# If we get this far we did not find a match (after two attempts) # If we get this far we did not find a match (after two attempts)
# Not necessarily an error, but log anyway. # Not necessarily an error, but log anyway.
_debug2 "$subdomain_csv" _debug3 "$subdomain_csv"
_info "Cannot delete TXT record for $fulldomain/$txtvalue. Does not exist at FreeDNS" _info "Cannot delete TXT record for $fulldomain, $txtvalue. Does not exist at FreeDNS"
return 0 return 0
} }
@ -272,7 +236,7 @@ _freedns_login() {
# if cookies is not empty then logon successful # if cookies is not empty then logon successful
if [ -z "$cookies" ]; then if [ -z "$cookies" ]; then
_debug "$htmlpage" _debug3 "htmlpage: $htmlpage"
_err "FreeDNS login failed for user $username. Check $HTTP_HEADER file" _err "FreeDNS login failed for user $username. Check $HTTP_HEADER file"
return 1 return 1
fi fi
@ -301,7 +265,7 @@ _freedns_retrieve_subdomain_page() {
return 1 return 1
fi fi
_debug2 "$htmlpage" _debug3 "htmlpage: $htmlpage"
printf "%s" "$htmlpage" printf "%s" "$htmlpage"
return 0 return 0
@ -323,17 +287,17 @@ _freedns_add_txt_record() {
_err "FreeDNS failed to add TXT record for $subdomain bad RC from _post" _err "FreeDNS failed to add TXT record for $subdomain bad RC from _post"
return 1 return 1
elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then
_debug "$htmlpage" _debug3 "htmlpage: $htmlpage"
_err "FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file" _err "FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file"
return 1 return 1
elif _contains "$htmlpage" "security code was incorrect"; then elif _contains "$htmlpage" "security code was incorrect"; then
_debug "$htmlpage" _debug3 "htmlpage: $htmlpage"
_err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code" _err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code"
_err "Note that you cannot use automatic DNS validation for FreeDNS public domains" _err "Note that you cannot use automatic DNS validation for FreeDNS public domains"
return 1 return 1
fi fi
_debug2 "$htmlpage" _debug3 "htmlpage: $htmlpage"
_info "Added acme challenge TXT record for $fulldomain at FreeDNS" _info "Added acme challenge TXT record for $fulldomain at FreeDNS"
return 0 return 0
} }
@ -352,7 +316,7 @@ _freedns_delete_txt_record() {
_err "FreeDNS failed to delete TXT record for $data_id bad RC from _get" _err "FreeDNS failed to delete TXT record for $data_id bad RC from _get"
return 1 return 1
elif ! _contains "$htmlheader" "200 OK"; then elif ! _contains "$htmlheader" "200 OK"; then
_debug "$htmlheader" _debug2 "htmlheader: $htmlheader"
_err "FreeDNS failed to delete TXT record $data_id" _err "FreeDNS failed to delete TXT record $data_id"
return 1 return 1
fi fi