mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-12-24 14:11:42 +00:00
Merge branch 'dev' into all-inkl-kasserver-dns-script
This commit is contained in:
commit
8c634d8323
45
README.md
45
README.md
@ -37,6 +37,8 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
|
||||
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
|
||||
- [archlinux](https://aur.archlinux.org/packages/acme.sh-git/)
|
||||
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
|
||||
- [CentOS Web Panel](http://centos-webpanel.com/)
|
||||
- [lnmp.org](https://lnmp.org/)
|
||||
- [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials)
|
||||
|
||||
# Tested OS
|
||||
@ -220,22 +222,7 @@ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
|
||||
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
|
||||
|
||||
|
||||
# 5. Use Standalone TLS server to issue cert
|
||||
|
||||
**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))**
|
||||
|
||||
acme.sh supports `tls-sni-01` validation.
|
||||
|
||||
Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
|
||||
|
||||
```bash
|
||||
acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com
|
||||
```
|
||||
|
||||
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
|
||||
|
||||
|
||||
# 6. Use Apache mode
|
||||
# 5. Use Apache mode
|
||||
|
||||
**(requires you to be root/sudoer, since it is required to interact with Apache server)**
|
||||
|
||||
@ -255,7 +242,7 @@ We don't want to mess your apache server, don't worry.**
|
||||
|
||||
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
|
||||
|
||||
# 7. Use Nginx mode
|
||||
# 6. Use Nginx mode
|
||||
|
||||
**(requires you to be root/sudoer, since it is required to interact with Nginx server)**
|
||||
|
||||
@ -279,7 +266,7 @@ We don't want to mess your nginx server, don't worry.**
|
||||
|
||||
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
|
||||
|
||||
# 8. Automatic DNS API integration
|
||||
# 7. Automatic DNS API integration
|
||||
|
||||
If your DNS provider supports API access, we can use that API to automatically issue the certs.
|
||||
|
||||
@ -343,7 +330,7 @@ If your DNS provider is not on the supported list above, you can write your own
|
||||
|
||||
For more details: [How to use DNS API](dnsapi)
|
||||
|
||||
# 9. Use DNS manual mode:
|
||||
# 8. Use DNS manual mode:
|
||||
|
||||
If your dns provider doesn't support any api access, you can add the txt record by your hand.
|
||||
|
||||
@ -377,7 +364,7 @@ Ok, it's done.
|
||||
|
||||
**Please use dns api mode instead.**
|
||||
|
||||
# 10. Issue ECC certificates
|
||||
# 9. Issue ECC certificates
|
||||
|
||||
`Let's Encrypt` can now issue **ECDSA** certificates.
|
||||
|
||||
@ -409,7 +396,7 @@ Valid values are:
|
||||
|
||||
|
||||
|
||||
# 11. Issue Wildcard certificates
|
||||
# 10. Issue Wildcard certificates
|
||||
|
||||
It's simple, just give a wildcard domain as the `-d` parameter.
|
||||
|
||||
@ -419,7 +406,7 @@ acme.sh --issue -d example.com -d *.example.com --dns dns_cf
|
||||
|
||||
|
||||
|
||||
# 12. How to renew the certs
|
||||
# 11. How to renew the certs
|
||||
|
||||
No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
|
||||
|
||||
@ -436,7 +423,7 @@ acme.sh --renew -d example.com --force --ecc
|
||||
```
|
||||
|
||||
|
||||
# 13. How to stop cert renewal
|
||||
# 12. How to stop cert renewal
|
||||
|
||||
To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
|
||||
|
||||
@ -449,7 +436,7 @@ The cert/key file is not removed from the disk.
|
||||
You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.
|
||||
|
||||
|
||||
# 14. How to upgrade `acme.sh`
|
||||
# 13. How to upgrade `acme.sh`
|
||||
|
||||
acme.sh is in constant development, so it's strongly recommended to use the latest code.
|
||||
|
||||
@ -474,25 +461,25 @@ acme.sh --upgrade --auto-upgrade 0
|
||||
```
|
||||
|
||||
|
||||
# 15. Issue a cert from an existing CSR
|
||||
# 14. Issue a cert from an existing CSR
|
||||
|
||||
https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR
|
||||
|
||||
|
||||
# 16. Under the Hood
|
||||
# 15. Under the Hood
|
||||
|
||||
Speak ACME language using shell, directly to "Let's Encrypt".
|
||||
|
||||
TODO:
|
||||
|
||||
|
||||
# 17. Acknowledgments
|
||||
# 16. Acknowledgments
|
||||
|
||||
1. Acme-tiny: https://github.com/diafygi/acme-tiny
|
||||
2. ACME protocol: https://github.com/ietf-wg-acme/acme
|
||||
|
||||
|
||||
# 18. License & Others
|
||||
# 17. License & Others
|
||||
|
||||
License is GPLv3
|
||||
|
||||
@ -501,7 +488,7 @@ Please Star and Fork me.
|
||||
[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome.
|
||||
|
||||
|
||||
# 19. Donate
|
||||
# 18. Donate
|
||||
Your donation makes **acme.sh** better:
|
||||
|
||||
1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)
|
||||
|
80
acme.sh
80
acme.sh
@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
VER=2.7.7
|
||||
VER=2.7.8
|
||||
|
||||
PROJECT_NAME="acme.sh"
|
||||
|
||||
@ -47,6 +47,7 @@ DEFAULT_DNS_SLEEP=120
|
||||
NO_VALUE="no"
|
||||
|
||||
W_TLS="tls"
|
||||
W_DNS="dns"
|
||||
DNS_ALIAS_PREFIX="="
|
||||
|
||||
MODE_STATELESS="stateless"
|
||||
@ -2341,7 +2342,7 @@ _initpath() {
|
||||
fi
|
||||
fi
|
||||
|
||||
_debug2 ACME_DIRECTORY "$ACME_DIRECTORY"
|
||||
_debug ACME_DIRECTORY "$ACME_DIRECTORY"
|
||||
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
|
||||
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
|
||||
|
||||
@ -2998,6 +2999,8 @@ _on_before_issue() {
|
||||
_chk_pre_hook="$4"
|
||||
_chk_local_addr="$5"
|
||||
_debug _on_before_issue
|
||||
_debug _chk_main_domain "$_chk_main_domain"
|
||||
_debug _chk_alt_domains "$_chk_alt_domains"
|
||||
#run pre hook
|
||||
if [ "$_chk_pre_hook" ]; then
|
||||
_info "Run pre hook:'$_chk_pre_hook'"
|
||||
@ -3018,11 +3021,17 @@ _on_before_issue() {
|
||||
|
||||
_debug Le_LocalAddress "$_chk_local_addr"
|
||||
|
||||
alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ')
|
||||
_index=1
|
||||
_currentRoot=""
|
||||
_addrIndex=1
|
||||
for d in $alldomains; do
|
||||
_w_index=1
|
||||
while true; do
|
||||
d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")"
|
||||
_w_index="$(_math "$_w_index" + 1)"
|
||||
_debug d "$d"
|
||||
if [ -z "$d" ]; then
|
||||
break
|
||||
fi
|
||||
_debug "Check for domain" "$d"
|
||||
_currentRoot="$(_getfield "$_chk_web_roots" $_index)"
|
||||
_debug "_currentRoot" "$_currentRoot"
|
||||
@ -3118,7 +3127,7 @@ _on_issue_err() {
|
||||
)
|
||||
fi
|
||||
|
||||
if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "dns"; then
|
||||
if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "$W_DNS"; then
|
||||
_err "$_DNS_MANUAL_ERR"
|
||||
fi
|
||||
|
||||
@ -3154,7 +3163,7 @@ _on_issue_success() {
|
||||
fi
|
||||
fi
|
||||
|
||||
if _hasfield "$Le_Webroot" "dns"; then
|
||||
if _hasfield "$Le_Webroot" "$W_DNS"; then
|
||||
_err "$_DNS_MANUAL_WARN"
|
||||
fi
|
||||
|
||||
@ -3421,6 +3430,9 @@ issue() {
|
||||
_main_domain=$(echo "$2,$3" | cut -d , -f 1)
|
||||
_alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//")
|
||||
fi
|
||||
_debug _main_domain "$_main_domain"
|
||||
_debug _alt_domains "$_alt_domains"
|
||||
|
||||
_key_length="$4"
|
||||
_real_cert="$5"
|
||||
_real_key="$6"
|
||||
@ -3551,10 +3563,15 @@ issue() {
|
||||
if [ "$ACME_VERSION" = "2" ]; then
|
||||
#make new order request
|
||||
_identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}"
|
||||
for d in $(echo "$_alt_domains" | tr ',' ' '); do
|
||||
if [ "$d" ]; then
|
||||
_identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
|
||||
_w_index=1
|
||||
while true; do
|
||||
d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
|
||||
_w_index="$(_math "$_w_index" + 1)"
|
||||
_debug d "$d"
|
||||
if [ -z "$d" ]; then
|
||||
break
|
||||
fi
|
||||
_identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
|
||||
done
|
||||
_debug2 _identifiers "$_identifiers"
|
||||
if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
|
||||
@ -3591,6 +3608,8 @@ issue() {
|
||||
_debug2 "_authz_url" "$_authz_url"
|
||||
if ! response="$(_get "$_authz_url")"; then
|
||||
_err "get to authz error."
|
||||
_err "_authorizations_seg" "$_authorizations_seg"
|
||||
_err "_authz_url" "$_authz_url"
|
||||
_clearup
|
||||
_on_issue_err "$_post_hook"
|
||||
return 1
|
||||
@ -3609,10 +3628,16 @@ $_authorizations_map"
|
||||
_debug2 _authorizations_map "$_authorizations_map"
|
||||
fi
|
||||
|
||||
alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ')
|
||||
_index=0
|
||||
_currentRoot=""
|
||||
for d in $alldomains; do
|
||||
_w_index=1
|
||||
while true; do
|
||||
d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")"
|
||||
_w_index="$(_math "$_w_index" + 1)"
|
||||
_debug d "$d"
|
||||
if [ -z "$d" ]; then
|
||||
break
|
||||
fi
|
||||
_info "Getting webroot for domain" "$d"
|
||||
_index=$(_math $_index + 1)
|
||||
_w="$(echo $_web_roots | cut -d , -f $_index)"
|
||||
@ -3624,7 +3649,7 @@ $_authorizations_map"
|
||||
|
||||
vtype="$VTYPE_HTTP"
|
||||
#todo, v2 wildcard force to use dns
|
||||
if _startswith "$_currentRoot" "dns"; then
|
||||
if _startswith "$_currentRoot" "$W_DNS"; then
|
||||
vtype="$VTYPE_DNS"
|
||||
fi
|
||||
|
||||
@ -3641,6 +3666,7 @@ $_authorizations_map"
|
||||
_debug2 "response" "$response"
|
||||
if [ -z "$response" ]; then
|
||||
_err "get to authz error."
|
||||
_err "_authorizations_map" "$_authorizations_map"
|
||||
_clearup
|
||||
_on_issue_err "$_post_hook"
|
||||
return 1
|
||||
@ -3751,6 +3777,10 @@ $_authorizations_map"
|
||||
if [ "$d_api" ]; then
|
||||
_info "Found domain api file: $d_api"
|
||||
else
|
||||
if [ "$_currentRoot" != "$W_DNS" ]; then
|
||||
_err "Can not find dns api hook for: $_currentRoot"
|
||||
_info "You need to add the txt record manually."
|
||||
fi
|
||||
_info "$(__red "Add the following TXT record:")"
|
||||
_info "$(__red "Domain: '$(__green "$txtdomain")'")"
|
||||
_info "$(__red "TXT value: '$(__green "$txt")'")"
|
||||
@ -3789,7 +3819,7 @@ $_authorizations_map"
|
||||
if [ "$dnsadded" = '0' ]; then
|
||||
_savedomainconf "Le_Vlist" "$vlist"
|
||||
_debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
|
||||
_err "Please add the TXT records to the domains, and retry again."
|
||||
_err "Please add the TXT records to the domains, and re-run with --renew."
|
||||
_clearup
|
||||
_on_issue_err "$_post_hook"
|
||||
return 1
|
||||
@ -4151,7 +4181,7 @@ $_authorizations_map"
|
||||
echo "$BEGIN_CERT" >"$CA_CERT_PATH"
|
||||
_base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
|
||||
echo "$END_CERT" >>"$CA_CERT_PATH"
|
||||
if !_checkcert "$CA_CERT_PATH"; then
|
||||
if ! _checkcert "$CA_CERT_PATH"; then
|
||||
_err "Can not get the ca cert."
|
||||
break
|
||||
fi
|
||||
@ -4264,7 +4294,7 @@ renew() {
|
||||
fi
|
||||
|
||||
. "$DOMAIN_CONF"
|
||||
|
||||
_debug Le_API "$Le_API"
|
||||
if [ "$Le_API" ]; then
|
||||
if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
|
||||
export Le_API="$DEFAULT_CA"
|
||||
@ -4868,6 +4898,8 @@ _deactivate() {
|
||||
_debug2 "authzUri" "$authzUri"
|
||||
if ! response="$(_get "$authzUri")"; then
|
||||
_err "get to authz error."
|
||||
_err "_authorizations_seg" "$_authorizations_seg"
|
||||
_err "authzUri" "$authzUri"
|
||||
_clearup
|
||||
_on_issue_err "$_post_hook"
|
||||
return 1
|
||||
@ -5399,7 +5431,6 @@ Parameters:
|
||||
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
|
||||
--standalone Use standalone mode.
|
||||
--stateless Use stateless mode, see: $_STATELESS_WIKI
|
||||
--tls Use standalone tls mode.
|
||||
--apache Use apache mode.
|
||||
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
|
||||
--dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
|
||||
@ -5429,7 +5460,6 @@ Parameters:
|
||||
--accountkey Specifies the account key path, Only valid for the '--install' command.
|
||||
--days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
|
||||
--httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
|
||||
--tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
|
||||
--local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
|
||||
--listraw Only used for '--list' command, list the certs in raw format.
|
||||
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
|
||||
@ -5780,16 +5810,8 @@ _process() {
|
||||
_webroot="$_webroot,$wvalue"
|
||||
fi
|
||||
;;
|
||||
--tls)
|
||||
wvalue="$W_TLS"
|
||||
if [ -z "$_webroot" ]; then
|
||||
_webroot="$wvalue"
|
||||
else
|
||||
_webroot="$_webroot,$wvalue"
|
||||
fi
|
||||
;;
|
||||
--dns)
|
||||
wvalue="dns"
|
||||
wvalue="$W_DNS"
|
||||
if [ "$2" ] && ! _startswith "$2" "-"; then
|
||||
wvalue="$2"
|
||||
shift
|
||||
@ -5883,12 +5905,6 @@ _process() {
|
||||
Le_HTTPPort="$_httpport"
|
||||
shift
|
||||
;;
|
||||
--tlsport)
|
||||
_tlsport="$2"
|
||||
Le_TLSPort="$_tlsport"
|
||||
shift
|
||||
;;
|
||||
|
||||
--listraw)
|
||||
_listraw="raw"
|
||||
;;
|
||||
|
@ -99,6 +99,7 @@ dns_azure_add() {
|
||||
_azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
|
||||
if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
|
||||
_info "validation value added"
|
||||
return 0
|
||||
else
|
||||
_err "error adding validation value ($_code)"
|
||||
return 1
|
||||
@ -194,6 +195,7 @@ dns_azure_rm() {
|
||||
_azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
|
||||
if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
|
||||
_info "validation value removed"
|
||||
return 0
|
||||
else
|
||||
_err "error removing validation value ($_code)"
|
||||
return 1
|
||||
@ -226,6 +228,7 @@ _azure_rest() {
|
||||
else
|
||||
response="$(_get "$ep")"
|
||||
fi
|
||||
_ret="$?"
|
||||
_secure_debug2 "response $response"
|
||||
_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
|
||||
_debug "http response code $_code"
|
||||
@ -236,7 +239,7 @@ _azure_rest() {
|
||||
return 1
|
||||
fi
|
||||
# See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
|
||||
if [ "$?" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then
|
||||
if [ "$_ret" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then
|
||||
_request_retry_times="$(_math "$_request_retry_times" + 1)"
|
||||
_info "REST call error $_code retrying $ep in $_request_retry_times s"
|
||||
_sleep "$_request_retry_times"
|
||||
@ -281,6 +284,7 @@ _azure_getaccess_token() {
|
||||
body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
|
||||
_secure_debug2 "data $body"
|
||||
response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")"
|
||||
_ret="$?"
|
||||
_secure_debug2 "response $response"
|
||||
response="$(echo "$response" | _normalizeJson)"
|
||||
accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
|
||||
@ -290,7 +294,7 @@ _azure_getaccess_token() {
|
||||
_err "no acccess token received. Check your Azure settings see $WIKI"
|
||||
return 1
|
||||
fi
|
||||
if [ "$?" != "0" ]; then
|
||||
if [ "$_ret" != "0" ]; then
|
||||
_err "error $response"
|
||||
return 1
|
||||
fi
|
||||
|
@ -19,8 +19,8 @@ dns_cf_add() {
|
||||
if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
|
||||
CF_Key=""
|
||||
CF_Email=""
|
||||
_err "You don't specify cloudflare api key and email yet."
|
||||
_err "Please create you key and try again."
|
||||
_err "You didn't specify a cloudflare api key and email yet."
|
||||
_err "Please create the key and try again."
|
||||
return 1
|
||||
fi
|
||||
|
||||
@ -94,8 +94,8 @@ dns_cf_rm() {
|
||||
if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
|
||||
CF_Key=""
|
||||
CF_Email=""
|
||||
_err "You don't specify cloudflare api key and email yet."
|
||||
_err "Please create you key and try again."
|
||||
_err "You didn't specify a cloudflare api key and email yet."
|
||||
_err "Please create the key and try again."
|
||||
return 1
|
||||
fi
|
||||
|
||||
|
@ -20,12 +20,22 @@
|
||||
dns_dgon_add() {
|
||||
fulldomain="$(echo "$1" | _lower_case)"
|
||||
txtvalue=$2
|
||||
|
||||
DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}"
|
||||
# Check if API Key Exist
|
||||
if [ -z "$DO_API_KEY" ]; then
|
||||
DO_API_KEY=""
|
||||
_err "You did not specify DigitalOcean API key."
|
||||
_err "Please export DO_API_KEY and try again."
|
||||
return 1
|
||||
fi
|
||||
|
||||
_info "Using digitalocean dns validation - add record"
|
||||
_debug fulldomain "$fulldomain"
|
||||
_debug txtvalue "$txtvalue"
|
||||
|
||||
## save the env vars (key and domain split location) for later automated use
|
||||
_saveaccountconf DO_API_KEY "$DO_API_KEY"
|
||||
_saveaccountconf_mutable DO_API_KEY "$DO_API_KEY"
|
||||
|
||||
## split the domain for DO API
|
||||
if ! _get_base_domain "$fulldomain"; then
|
||||
@ -39,7 +49,7 @@ dns_dgon_add() {
|
||||
export _H1="Content-Type: application/json"
|
||||
export _H2="Authorization: Bearer $DO_API_KEY"
|
||||
PURL='https://api.digitalocean.com/v2/domains/'$_domain'/records'
|
||||
PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'"}'
|
||||
PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'","ttl":120}'
|
||||
|
||||
_debug PURL "$PURL"
|
||||
_debug PBODY "$PBODY"
|
||||
@ -65,6 +75,16 @@ dns_dgon_add() {
|
||||
dns_dgon_rm() {
|
||||
fulldomain="$(echo "$1" | _lower_case)"
|
||||
txtvalue=$2
|
||||
|
||||
DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}"
|
||||
# Check if API Key Exist
|
||||
if [ -z "$DO_API_KEY" ]; then
|
||||
DO_API_KEY=""
|
||||
_err "You did not specify DigitalOcean API key."
|
||||
_err "Please export DO_API_KEY and try again."
|
||||
return 1
|
||||
fi
|
||||
|
||||
_info "Using digitalocean dns validation - remove record"
|
||||
_debug fulldomain "$fulldomain"
|
||||
_debug txtvalue "$txtvalue"
|
||||
@ -92,11 +112,11 @@ dns_dgon_rm() {
|
||||
domain_list="$(_get "$GURL")"
|
||||
## 2) find record
|
||||
## check for what we are looing for: "type":"A","name":"$_sub_domain"
|
||||
record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*\d+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")"
|
||||
record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*[0-9]+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")"
|
||||
## 3) check record and get next page
|
||||
if [ -z "$record" ]; then
|
||||
## find the next page if we dont have a match
|
||||
nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=\d+")"
|
||||
nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[0-9]+")"
|
||||
if [ -z "$nextpage" ]; then
|
||||
_err "no record and no nextpage in digital ocean DNS removal"
|
||||
return 1
|
||||
@ -108,7 +128,7 @@ dns_dgon_rm() {
|
||||
done
|
||||
|
||||
## we found the record
|
||||
rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*\d+" | _egrep_o "\d+")"
|
||||
rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")"
|
||||
_debug rec_id "$rec_id"
|
||||
|
||||
## delete the record
|
||||
|
@ -53,8 +53,9 @@ dns_freedns_add() {
|
||||
i="$(_math "$i" - 1)"
|
||||
sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")"
|
||||
|
||||
_debug top_domain "$top_domain"
|
||||
_debug sub_domain "$sub_domain"
|
||||
_debug "top_domain: $top_domain"
|
||||
_debug "sub_domain: $sub_domain"
|
||||
|
||||
# Sometimes FreeDNS does not return the subdomain page but rather
|
||||
# returns a page regarding becoming a premium member. This usually
|
||||
# happens after a period of inactivity. Immediately trying again
|
||||
@ -63,6 +64,7 @@ dns_freedns_add() {
|
||||
attempts=2
|
||||
while [ "$attempts" -gt "0" ]; do
|
||||
attempts="$(_math "$attempts" - 1)"
|
||||
|
||||
htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")"
|
||||
if [ "$?" != "0" ]; then
|
||||
if [ "$using_cached_cookies" = "true" ]; then
|
||||
@ -71,10 +73,9 @@ dns_freedns_add() {
|
||||
fi
|
||||
return 1
|
||||
fi
|
||||
_debug2 htmlpage "$htmlpage"
|
||||
|
||||
subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$top_domain")"
|
||||
_debug2 subdomain_csv "$subdomain_csv"
|
||||
_debug3 "subdomain_csv: $subdomain_csv"
|
||||
|
||||
# The above beauty ends with striping out rows that do not have an
|
||||
# href to edit.php and do not have the top domain we are looking for.
|
||||
@ -85,55 +86,25 @@ dns_freedns_add() {
|
||||
lines="$(echo "$subdomain_csv" | wc -l)"
|
||||
i=0
|
||||
found=0
|
||||
DNSdomainid=""
|
||||
while [ "$i" -lt "$lines" ]; do
|
||||
i="$(_math "$i" + 1)"
|
||||
line="$(echo "$subdomain_csv" | sed -n "${i}p")"
|
||||
_debug2 line "$line"
|
||||
_debug2 "line: $line"
|
||||
if [ $found = 0 ] && _contains "$line" "<td>$top_domain</td>"; then
|
||||
# this line will contain DNSdomainid for the top_domain
|
||||
DNSdomainid="$(echo "$line" | _egrep_o "edit_domain_id *= *.*>" | cut -d = -f 2 | cut -d '>' -f 1)"
|
||||
_debug2 DNSdomainid "$DNSdomainid"
|
||||
_debug2 "DNSdomainid: $DNSdomainid"
|
||||
found=1
|
||||
else
|
||||
# lines contain DNS records for all subdomains
|
||||
DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
|
||||
_debug2 DNSname "$DNSname"
|
||||
DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
|
||||
_debug2 DNStype "$DNStype"
|
||||
if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then
|
||||
DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
|
||||
# Now get current value for the TXT record. This method may
|
||||
# not produce accurate results as the value field is truncated
|
||||
# on this webpage. To get full value we would need to load
|
||||
# another page. However we don't really need this so long as
|
||||
# there is only one TXT record for the acme challenge subdomain.
|
||||
DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
|
||||
_debug2 DNSvalue "$DNSvalue"
|
||||
if [ $found != 0 ]; then
|
||||
break
|
||||
# we are breaking out of the loop at the first match of DNS name
|
||||
# and DNS type (if we are past finding the domainid). This assumes
|
||||
# that there is only ever one TXT record for the LetsEncrypt/acme
|
||||
# challenge subdomain. This seems to be a reasonable assumption
|
||||
# as the acme client deletes the TXT record on successful validation.
|
||||
fi
|
||||
else
|
||||
DNSname=""
|
||||
DNStype=""
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
_debug "DNSname: $DNSname DNStype: $DNStype DNSdomainid: $DNSdomainid DNSdataid: $DNSdataid"
|
||||
_debug "DNSvalue: $DNSvalue"
|
||||
|
||||
if [ -z "$DNSdomainid" ]; then
|
||||
# If domain ID is empty then something went wrong (top level
|
||||
# domain not found at FreeDNS).
|
||||
if [ "$attempts" = "0" ]; then
|
||||
# exhausted maximum retry attempts
|
||||
_debug "$htmlpage"
|
||||
_debug "$subdomain_csv"
|
||||
_err "Domain $top_domain not found at FreeDNS"
|
||||
return 1
|
||||
fi
|
||||
@ -145,33 +116,10 @@ dns_freedns_add() {
|
||||
_info "Retry loading subdomain page ($attempts attempts remaining)"
|
||||
done
|
||||
|
||||
if [ -z "$DNSdataid" ]; then
|
||||
# If data ID is empty then specific subdomain does not exist yet, need
|
||||
# to create it this should always be the case as the acme client
|
||||
# deletes the entry after domain is validated.
|
||||
# Add in new TXT record with the value provided
|
||||
_debug "Adding TXT record for $fulldomain, $txtvalue"
|
||||
_freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
|
||||
return $?
|
||||
else
|
||||
if [ "$txtvalue" = "$DNSvalue" ]; then
|
||||
# if value in TXT record matches value requested then DNS record
|
||||
# does not need to be updated. But...
|
||||
# Testing value match fails. Website is truncating the value field.
|
||||
# So for now we will always go down the else path. Though in theory
|
||||
# should never come here anyway as the acme client deletes
|
||||
# the TXT record on successful validation, so we should not even
|
||||
# have found a TXT record !!
|
||||
_info "No update necessary for $fulldomain at FreeDNS"
|
||||
return 0
|
||||
else
|
||||
# Delete the old TXT record (with the wrong value)
|
||||
if _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"; then
|
||||
# And add in new TXT record with the value provided
|
||||
_freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
|
||||
fi
|
||||
return $?
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
#Usage: fulldomain txtvalue
|
||||
@ -205,7 +153,7 @@ dns_freedns_rm() {
|
||||
fi
|
||||
|
||||
subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$fulldomain")"
|
||||
_debug2 subdomain_csv "$subdomain_csv"
|
||||
_debug3 "subdomain_csv: $subdomain_csv"
|
||||
|
||||
# The above beauty ends with striping out rows that do not have an
|
||||
# href to edit.php and do not have the domain name we are looking for.
|
||||
@ -216,35 +164,51 @@ dns_freedns_rm() {
|
||||
lines="$(echo "$subdomain_csv" | wc -l)"
|
||||
i=0
|
||||
found=0
|
||||
DNSdataid=""
|
||||
while [ "$i" -lt "$lines" ]; do
|
||||
i="$(_math "$i" + 1)"
|
||||
line="$(echo "$subdomain_csv" | sed -n "${i}p")"
|
||||
_debug2 line "$line"
|
||||
_debug3 "line: $line"
|
||||
DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
|
||||
_debug2 DNSname "$DNSname"
|
||||
_debug2 "DNSname: $DNSname"
|
||||
if [ "$DNSname" = "$fulldomain" ]; then
|
||||
DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
|
||||
_debug2 DNStype "$DNStype"
|
||||
if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then
|
||||
_debug2 "DNStype: $DNStype"
|
||||
if [ "$DNStype" = "TXT" ]; then
|
||||
DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
|
||||
_debug2 DNSdataid "$DNSdataid"
|
||||
_debug2 "DNSdataid: $DNSdataid"
|
||||
DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
|
||||
_debug2 DNSvalue "$DNSvalue"
|
||||
# if [ "$DNSvalue" = "$txtvalue" ]; then
|
||||
# Testing value match fails. Website is truncating the value
|
||||
# field. So for now we will assume that there is only one TXT
|
||||
# field for the sub domain and just delete it. Currently this
|
||||
# is a safe assumption.
|
||||
if _startswith "$DNSvalue" """; then
|
||||
# remove the quotation from the start
|
||||
DNSvalue="$(echo "$DNSvalue" | cut -c 7-)"
|
||||
fi
|
||||
if _endswith "$DNSvalue" "..."; then
|
||||
# value was truncated, remove the dot dot dot from the end
|
||||
DNSvalue="$(echo "$DNSvalue" | sed 's/...$//')"
|
||||
elif _endswith "$DNSvalue" """; then
|
||||
# else remove the closing quotation from the end
|
||||
DNSvalue="$(echo "$DNSvalue" | sed 's/......$//')"
|
||||
fi
|
||||
_debug2 "DNSvalue: $DNSvalue"
|
||||
|
||||
if [ -n "$DNSdataid" ] && _startswith "$txtvalue" "$DNSvalue"; then
|
||||
# Found a match. But note... Website is truncating the
|
||||
# value field so we are only testing that part that is not
|
||||
# truncated. This should be accurate enough.
|
||||
_debug "Deleting TXT record for $fulldomain, $txtvalue"
|
||||
_freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"
|
||||
return $?
|
||||
# fi
|
||||
fi
|
||||
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# If we get this far we did not find a match (after two attempts)
|
||||
# Not necessarily an error, but log anyway.
|
||||
_debug2 "$subdomain_csv"
|
||||
_info "Cannot delete TXT record for $fulldomain/$txtvalue. Does not exist at FreeDNS"
|
||||
_debug3 "$subdomain_csv"
|
||||
_info "Cannot delete TXT record for $fulldomain, $txtvalue. Does not exist at FreeDNS"
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -272,7 +236,7 @@ _freedns_login() {
|
||||
|
||||
# if cookies is not empty then logon successful
|
||||
if [ -z "$cookies" ]; then
|
||||
_debug "$htmlpage"
|
||||
_debug3 "htmlpage: $htmlpage"
|
||||
_err "FreeDNS login failed for user $username. Check $HTTP_HEADER file"
|
||||
return 1
|
||||
fi
|
||||
@ -301,7 +265,7 @@ _freedns_retrieve_subdomain_page() {
|
||||
return 1
|
||||
fi
|
||||
|
||||
_debug2 "$htmlpage"
|
||||
_debug3 "htmlpage: $htmlpage"
|
||||
|
||||
printf "%s" "$htmlpage"
|
||||
return 0
|
||||
@ -323,17 +287,17 @@ _freedns_add_txt_record() {
|
||||
_err "FreeDNS failed to add TXT record for $subdomain bad RC from _post"
|
||||
return 1
|
||||
elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then
|
||||
_debug "$htmlpage"
|
||||
_debug3 "htmlpage: $htmlpage"
|
||||
_err "FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file"
|
||||
return 1
|
||||
elif _contains "$htmlpage" "security code was incorrect"; then
|
||||
_debug "$htmlpage"
|
||||
_debug3 "htmlpage: $htmlpage"
|
||||
_err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code"
|
||||
_err "Note that you cannot use automatic DNS validation for FreeDNS public domains"
|
||||
return 1
|
||||
fi
|
||||
|
||||
_debug2 "$htmlpage"
|
||||
_debug3 "htmlpage: $htmlpage"
|
||||
_info "Added acme challenge TXT record for $fulldomain at FreeDNS"
|
||||
return 0
|
||||
}
|
||||
@ -352,7 +316,7 @@ _freedns_delete_txt_record() {
|
||||
_err "FreeDNS failed to delete TXT record for $data_id bad RC from _get"
|
||||
return 1
|
||||
elif ! _contains "$htmlheader" "200 OK"; then
|
||||
_debug "$htmlheader"
|
||||
_debug2 "htmlheader: $htmlheader"
|
||||
_err "FreeDNS failed to delete TXT record $data_id"
|
||||
return 1
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user