Merge pull request #1332 from Neilpang/dev

sync

README.md

@@ -327,6 +327,7 @@ You don't have to do anything manually!
 1. selectel.com(selectel.ru) DNS API
 1. zonomi.com DNS API
 1. DreamHost.com API
+1. DirectAdmin API
 
 
 And: 

acme.sh

@@ -4078,7 +4078,9 @@ $_authorizations_map"
       _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
     fi
 
-    cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
+    if [ "$ACME_VERSION" != "2" ]; then
+      cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
+    fi
 
     if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
       USER_PATH="$PATH"

deploy/README.md

@@ -114,8 +114,8 @@ user
 Any backups older than 180 days will be deleted when new certificates
 are deployed.  This defaults to "yes" set to "no" to disable backup.
 
-###Eamples using SSH deploy
-The following example illustrates deploying certifcates to a QNAP NAS
+###Examples using SSH deploy
+The following example illustrates deploying certificates to a QNAP NAS
 (tested with QTS version 4.2.3)
 
 ```sh
@@ -132,8 +132,8 @@ the same file.  This will result in the certificate being appended
 to the same file as the private key... a common requirement of several
 services.
 
-The next example illustates deploying certificates to a Unifi
-Contolller (tested with version 5.4.11).
+The next example illustrates deploying certificates to a Unifi
+Controller (tested with version 5.4.11).
 
 ```sh
 export DEPLOY_SSH_USER="root"
@@ -153,9 +153,9 @@ export DEPLOY_SSH_REMOTE_CMD="openssl pkcs12 -export \
 
 acme.sh --deploy -d unifi.example.com --deploy-hook ssh
 ```
-In this exmple we execute several commands on the remote host
+In this example we execute several commands on the remote host
 after the certificate files have been copied... to generate a pkcs12 file
-compatible with Unifi, to import it into the Unifi keystore and then finaly
+compatible with Unifi, to import it into the Unifi keystore and then finally
 to restart the service.
 
 Note also that once the certificate is imported
@@ -233,7 +233,7 @@ DEPLOY_CPANEL_USER is required only if you run the script as root and it should
 export DEPLOY_CPANEL_USER=username
 acme.sh  --deploy  -d example.com  --deploy-hook cpanel_uapi
 ```
-Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain. 
+Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separate certificate for each domain. 
 
 ## 8. Deploy the cert to your FRITZ!Box router
 

dnsapi/README.md

@@ -354,7 +354,7 @@ acme.sh --issue --dns dns_gandi_livedns -d example.com -d www.example.com
 First, generate a TSIG key for updating the zone.
 
 ```
-keymgr tsig generate acme_key algorithm hmac-sha512 > /etc/knot/acme.key
+keymgr tsig generate -t acme_key hmac-sha512 > /etc/knot/acme.key
 ```
 
 Include this key in your knot configuration file.
@@ -757,6 +757,34 @@ acme.sh --issue --dns dns_dreamhost -d example.com -d www.example.com
 The 'DH_API_KEY' will be saved in `~/.acme.sh/account.conf` and will
 be reused when needed.
 
+## 41. Use DirectAdmin API
+The DirectAdmin interface has it's own Let's encrypt functionality, but this
+script can be used to generate certificates for names which are not hosted on
+DirectAdmin
+
+User must provide login data and URL to the DirectAdmin incl. port.
+You can create an user which only has access to
+
+- CMD_API_DNS_CONTROL
+- CMD_API_SHOW_DOMAINS
+
+By using the Login Keys function.
+See also https://www.directadmin.com/api.php and https://www.directadmin.com/features.php?id=1298
+
+```
+export DA_Api="https://remoteUser:remotePassword@da.domain.tld:8443"
+export DA_Api_Insecure=1
+```
+Set `DA_Api_Insecure` to 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)
+
+Ok, let's issue a cert now:
+```
+acme.sh --issue --dns dns_da -d example.com -d www.example.com
+```
+
+The `DA_Api` and `DA_Api_Insecure` will be saved in `~/.acme.sh/account.conf` and will be reused when needed.
+
+
 # Use custom API
 
 If your API is not supported yet, you can write your own DNS API.

dnsapi/dns_da.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/env sh
+# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*-
+# vim: et ts=2 sw=2
+#
+# DirectAdmin 1.41.0 API
+# The DirectAdmin interface has it's own Let's encrypt functionality, but this
+# script can be used to generate certificates for names which are not hosted on
+# DirectAdmin
+#
+# User must provide login data and URL to DirectAdmin incl. port.
+# You can create login key, by using the Login Keys function
+# ( https://da.example.com:8443/CMD_LOGIN_KEYS ), which only has access to 
+# - CMD_API_DNS_CONTROL
+# - CMD_API_SHOW_DOMAINS
+#
+# See also https://www.directadmin.com/api.php and
+# https://www.directadmin.com/features.php?id=1298
+#
+# Report bugs to https://github.com/TigerP/acme.sh/issues
+#
+# Values to export:
+# export DA_Api="https://remoteUser:remotePassword@da.example.com:8443"
+# export DA_Api_Insecure=1
+#
+# Set DA_Api_Insecure to 1 for insecure and 0 for secure -> difference is
+# whether ssl cert is checked for validity (0) or whether it is just accepted
+# (1)
+#
+########  Public functions #####################
+
+# Usage: dns_myapi_add  _acme-challenge.www.example.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_da_add() {
+  fulldomain="${1}"
+  txtvalue="${2}"
+  _debug "Calling: dns_da_add() '${fulldomain}' '${txtvalue}'"
+  _DA_credentials && _DA_getDomainInfo && _DA_addTxt
+}
+
+# Usage: dns_da_rm  _acme-challenge.www.example.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to remove the txt record after validation
+dns_da_rm() {
+  fulldomain="${1}"
+  txtvalue="${2}"
+  _debug "Calling: dns_da_rm() '${fulldomain}' '${txtvalue}'"
+  _DA_credentials && _DA_getDomainInfo && _DA_rmTxt
+}
+
+####################  Private functions below ##################################
+# Usage: _DA_credentials
+# It will check if the needed settings are available
+_DA_credentials() {
+  DA_Api="${DA_Api:-$(_readaccountconf_mutable DA_Api)}"
+  DA_Api_Insecure="${DA_Api_Insecure:-$(_readaccountconf_mutable DA_Api_Insecure)}"
+  if [ -z "${DA_Api}" ] || [ -z "${DA_Api_Insecure}" ]; then
+    DA_Api=""
+    DA_Api_Insecure=""
+    _err "You haven't specified the DirectAdmin Login data, URL and whether you want check the DirectAdmin SSL cert. Please try again."
+    return 1
+  else
+    _saveaccountconf_mutable DA_Api "${DA_Api}"
+    _saveaccountconf_mutable DA_Api_Insecure "${DA_Api_Insecure}"
+    # Set whether curl should use secure or insecure mode
+    export HTTPS_INSECURE="${DA_Api_Insecure}"
+  fi
+}
+
+# Usage: _get_root _acme-challenge.www.example.com
+# Split the full domain to a domain and subdomain
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=example.com
+_get_root() {
+  domain=$1
+  i=2
+  p=1
+  # Get a list of all the domains
+  # response will contain "list[]=example.com&list[]=example.org"
+  _da_api CMD_API_SHOW_DOMAINS "" "${domain}"
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      # not valid
+      _debug "The given domain $h is not valid"
+      return 1
+    fi
+    if _contains "$response" "$h" >/dev/null; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _domain=$h
+      return 0
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  _debug "Stop on 100"
+  return 1
+}
+
+# Usage: _da_api CMD_API_* data example.com
+# Use the DirectAdmin API and check the result
+# returns
+#  response="error=0&text=Result text&details="
+_da_api() {
+  cmd=$1
+  data=$2
+  domain=$3
+  _debug "$domain; $data"
+  response="$(_post "$data" "$DA_Api/$cmd" "" "POST")"
+
+  if [ "$?" != "0" ]; then
+    _err "error $cmd"
+    return 1
+  fi
+  _debug response "$response"
+
+  case "${cmd}" in
+    CMD_API_DNS_CONTROL)
+      # Parse the result in general
+      # error=0&text=Records Deleted&details=
+      # error=1&text=Cannot View Dns Record&details=No domain provided
+      err_field="$(_getfield "$response" 1 '&')"
+      txt_field="$(_getfield "$response" 2 '&')"
+      details_field="$(_getfield "$response" 3 '&')"
+      error="$(_getfield "$err_field" 2 '=')"
+      text="$(_getfield "$txt_field" 2 '=')"
+      details="$(_getfield "$details_field" 2 '=')"
+      _debug "error: ${error}, text: ${text}, details: ${details}"
+      if [ "$error" != "0" ]; then
+        _err "error $response"
+        return 1
+      fi
+      ;;
+    CMD_API_SHOW_DOMAINS) ;;
+  esac
+  return 0
+}
+
+# Usage: _DA_getDomainInfo
+# Get the root zone if possible
+_DA_getDomainInfo() {
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  else
+    _debug "The root domain: $_domain"
+    _debug "The sub domain: $_sub_domain"
+  fi
+  return 0
+}
+
+# Usage: _DA_addTxt
+# Use the API to add a record
+_DA_addTxt() {
+  curData="domain=${_domain}&action=add&type=TXT&name=${_sub_domain}&value=\"${txtvalue}\""
+  _debug "Calling _DA_addTxt: '${curData}' '${DA_Api}/CMD_API_DNS_CONTROL'"
+  _da_api CMD_API_DNS_CONTROL "${curData}" "${_domain}"
+  _debug "Result of _DA_addTxt: '$response'"
+  if _contains "${response}" 'error=0'; then
+    _debug "Add TXT succeeded"
+    return 0
+  fi
+  _debug "Add TXT failed"
+  return 1
+}
+
+# Usage: _DA_rmTxt
+# Use the API to remove a record
+_DA_rmTxt() {
+  curData="domain=${_domain}&action=select&txtrecs0=name=${_sub_domain}&value=\"${txtvalue}\""
+  _debug "Calling _DA_rmTxt: '${curData}' '${DA_Api}/CMD_API_DNS_CONTROL'"
+  if _da_api CMD_API_DNS_CONTROL "${curData}" "${_domain}"; then
+    _debug "Result of _DA_rmTxt: '$response'"
+  else
+    _err "Result of _DA_rmTxt: '$response'"
+  fi
+  if _contains "${response}" 'error=0'; then
+    _debug "RM TXT succeeded"
+    return 0
+  fi
+  _debug "RM TXT failed"
+  return 1
+}

dnsapi/dns_namecom.sh

@@ -1,11 +1,12 @@
 #!/usr/bin/env sh
 
-#Author: RaidneII
+#Author: RaidenII
 #Created 06/28/2017
+#Updated 03/01/2018, rewrote to support name.com API v4
 #Utilize name.com API to finish dns-01 verifications.
 ########  Public functions #####################
 
-Namecom_API="https://api.name.com/api"
+Namecom_API="https://api.name.com/v4"
 
 #Usage: dns_namecom_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_namecom_add() {
@@ -39,21 +40,18 @@ dns_namecom_add() {
   # Find domain in domain list.
   if ! _namecom_get_root "$fulldomain"; then
     _err "Unable to find domain specified."
-    _namecom_logout
     return 1
   fi
 
   # Add TXT record.
-  _namecom_addtxt_json="{\"hostname\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":\"300\",\"priority\":\"10\"}"
-  if _namecom_rest POST "dns/create/$_domain" "$_namecom_addtxt_json"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
+  _namecom_addtxt_json="{\"host\":\"$_sub_domain\",\"type\":\"TXT\",\"answer\":\"$txtvalue\",\"ttl\":\"300\"}"
+  if _namecom_rest POST "domains/$_domain/records" "$_namecom_addtxt_json"; then
+    _retvalue=$(printf "%s\n" "$response" | _egrep_o "\"$_sub_domain\"")
+    if [ "$_retvalue" ]; then
       _info "Successfully added TXT record, ready for validation."
-      _namecom_logout
       return 0
     else
       _err "Unable to add the DNS record."
-      _namecom_logout
       return 1
     fi
   fi
@@ -72,37 +70,28 @@ dns_namecom_rm() {
   # Find domain in domain list.
   if ! _namecom_get_root "$fulldomain"; then
     _err "Unable to find domain specified."
-    _namecom_logout
     return 1
   fi
 
   # Get the record id.
-  if _namecom_rest GET "dns/list/$_domain"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
-      _record_id=$(printf "%s\n" "$response" | _egrep_o "\"record_id\":\"[0-9]+\",\"name\":\"$fulldomain\",\"type\":\"TXT\"" | cut -d \" -f 4)
-      _debug record_id "$_record_id"
+  if _namecom_rest GET "domains/$_domain/records"; then
+    _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]+,\"domainName\":\"$_domain\",\"host\":\"$_sub_domain\",\"fqdn\":\"$fulldomain.\",\"type\":\"TXT\",\"answer\":\"$txtvalue\"" | cut -d \" -f 3 | _egrep_o [0-9]+)
+    _debug record_id "$_record_id"
+    if [ "$_record_id" ]; then
       _info "Successfully retrieved the record id for ACME challenge."
     else
       _err "Unable to retrieve the record id."
-      _namecom_logout
       return 1
     fi
   fi
 
   # Remove the DNS record using record id.
-  _namecom_rmtxt_json="{\"record_id\":\"$_record_id\"}"
-  if _namecom_rest POST "dns/delete/$_domain" "$_namecom_rmtxt_json"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
-      _info "Successfully removed the TXT record."
-      _namecom_logout
-      return 0
-    else
-      _err "Unable to remove the DNS record."
-      _namecom_logout
-      return 1
-    fi
+  if _namecom_rest DELETE "domains/$_domain/records/$_record_id"; then
+    _info "Successfully removed the TXT record."
+    return 0
+  else
+    _err "Unable to delete record id."
+    return 1
   fi
 }
 
@@ -112,8 +101,9 @@ _namecom_rest() {
   param=$2
   data=$3
 
-  export _H1="Content-Type: application/json"
-  export _H2="Api-Session-Token: $sessionkey"
+  export _H1="Authorization: Basic $_namecom_auth"
+  export _H2="Content-Type: application/json"
+
   if [ "$method" != "GET" ]; then
     response="$(_post "$data" "$Namecom_API/$param" "" "$method")"
   else
@@ -130,20 +120,15 @@ _namecom_rest() {
 }
 
 _namecom_login() {
-  namecom_login_json="{\"username\":\"$Namecom_Username\",\"api_token\":\"$Namecom_Token\"}"
+  # Auth string
+  # Name.com API v4 uses http basic auth to authenticate
+  # need to convert the token for http auth
+  _namecom_auth=$(printf "%s:%s" "$Namecom_Username" "$Namecom_Token" | base64)
 
-  if _namecom_rest POST "login" "$namecom_login_json"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
+  if _namecom_rest GET "hello"; then
+    retcode=$(printf "%s\n" "$response" | _egrep_o "\"username\"\:\"$Namecom_Username\"")
     if [ "$retcode" ]; then
-      _info "Successfully logged in. Fetching session token..."
-      sessionkey=$(printf "%s\n" "$response" | _egrep_o "\"session_token\":\".+" | cut -d \" -f 4)
-      if [ ! -z "$sessionkey" ]; then
-        _debug sessionkey "$sessionkey"
-        _info "Session key obtained."
-      else
-        _err "Unable to get session key."
-        return 1
-      fi
+      _info "Successfully logged in."
     else
       _err "Logging in failed."
       return 1
@@ -151,24 +136,12 @@ _namecom_login() {
   fi
 }
 
-_namecom_logout() {
-  if _namecom_rest GET "logout"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
-      _info "Successfully logged out."
-    else
-      _err "Error logging out."
-      return 1
-    fi
-  fi
-}
-
 _namecom_get_root() {
   domain=$1
   i=2
   p=1
 
-  if ! _namecom_rest GET "domain/list"; then
+  if ! _namecom_rest GET "domains"; then
     return 1
   fi