Merge pull request #2746 from acmesh-official/dev

sync
2024-11-10 00:11:45 +00:00 · 2020-02-22 13:34:01 +08:00 · 2020-02-22 13:34:01 +08:00 · c70681712d
commit c70681712d
parent c768581829 80ca6de531
4 changed files with 56 additions and 27 deletions
--- a/README.md
+++ b/README.md
@ -257,7 +257,7 @@ acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com

 **This apache mode is only to issue the cert, it will not change your apache config files.
 You will need to configure your website config files to use the cert by yourself.
-We don't want to mess your apache server, don't worry.**
+We don't want to mess with your apache server, don't worry.**

 More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert

@ -281,7 +281,7 @@ acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com

 **This nginx mode is only to issue the cert, it will not change your nginx config files.
 You will need to configure your website config files to use the cert by yourself.
-We don't want to mess your nginx server, don't worry.**
+We don't want to mess with your nginx server, don't worry.**

 More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert

--- a/acme.sh
+++ b/acme.sh
@ -207,7 +207,7 @@ _dlg_versions() {

  echo "socat:"
  if _exists "socat"; then
-    socat -h 2>&1
+    socat -V 2>&1
  else
    _debug "socat doesn't exists."
  fi
--- a/deploy/haproxy.sh
+++ b/deploy/haproxy.sh
@ -208,33 +208,37 @@ haproxy_deploy() {
        _issuerdn=$(openssl x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
        _debug _issuerdn "${_issuerdn}"
        _info "Requesting OCSP response"
-        # Request the OCSP response from the issuer and store it
+        # If the issuer is a CA cert then our command line has "-CAfile" added
        if [ "${_subjectdn}" = "${_issuerdn}" ]; then
-          # If the issuer is a CA cert then our command line has "-CAfile" added
-          openssl ocsp \
-            -issuer "${_issuer}" \
-            -cert "${_pem}" \
-            -url "${_ocsp_url}" \
-            -header Host "${_ocsp_host}" \
-            -respout "${_ocsp}" \
-            -verify_other "${_issuer}" \
-            -no_nonce \
-            -CAfile "${_issuer}" \
-            | grep -q "${_pem}: good"
-          _ret=$?
+          _cafile_argument="-CAfile \"${_issuer}\""
        else
-          # Issuer is not a root CA so no "-CAfile" option
-          openssl ocsp \
-            -issuer "${_issuer}" \
-            -cert "${_pem}" \
-            -url "${_ocsp_url}" \
-            -header Host "${_ocsp_host}" \
-            -respout "${_ocsp}" \
-            -verify_other "${_issuer}" \
-            -no_nonce \
-            | grep -q "${_pem}: good"
-          _ret=$?
+          _cafile_argument=""
        fi
+        _debug _cafile_argument "${_cafile_argument}"
+        # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
+        _openssl_version=$(openssl version | cut -d' ' -f2)
+        _debug _openssl_version "${_openssl_version}"
+        _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
+        _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
+        if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
+          _header_sep="="
+        else
+          _header_sep=" "
+        fi
+        # Request the OCSP response from the issuer and store it
+        _openssl_ocsp_cmd="openssl ocsp \
+          -issuer \"${_issuer}\" \
+          -cert \"${_pem}\" \
+          -url \"${_ocsp_url}\" \
+          -header Host${_header_sep}\"${_ocsp_host}\" \
+          -respout \"${_ocsp}\" \
+          -verify_other \"${_issuer}\" \
+          -no_nonce \
+          ${_cafile_argument} \
+          | grep -q \"${_pem}: good\""
+        _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
+        eval "${_openssl_ocsp_cmd}"
+        _ret=$?
      else
        # Non fatal: No issuer file was present so no OCSP stapling file created
        _err "OCSP stapling in use but no .issuer file was present"
--- a/dnsapi/dns_cf.sh
+++ b/dnsapi/dns_cf.sh
@ -7,6 +7,7 @@

 #CF_Token="xxxx"
 #CF_Account_ID="xxxx"
+#CF_Zone_ID="xxxx"

 CF_Api="https://api.cloudflare.com/client/v4"

@ -19,12 +20,14 @@ dns_cf_add() {

  CF_Token="${CF_Token:-$(_readaccountconf_mutable CF_Token)}"
  CF_Account_ID="${CF_Account_ID:-$(_readaccountconf_mutable CF_Account_ID)}"
+  CF_Zone_ID="${CF_Zone_ID:-$(_readaccountconf_mutable CF_Zone_ID)}"
  CF_Key="${CF_Key:-$(_readaccountconf_mutable CF_Key)}"
  CF_Email="${CF_Email:-$(_readaccountconf_mutable CF_Email)}"

  if [ "$CF_Token" ]; then
    _saveaccountconf_mutable CF_Token "$CF_Token"
    _saveaccountconf_mutable CF_Account_ID "$CF_Account_ID"
+    _saveaccountconf_mutable CF_Zone_ID "$CF_Zone_ID"
  else
    if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
      CF_Key=""
@ -141,6 +144,28 @@ _get_root() {
  domain=$1
  i=1
  p=1
+
+  # Use Zone ID directly if provided
+  if [ "$CF_Zone_ID" ]; then
+    if ! _cf_rest GET "zones/$CF_Zone_ID"; then
+      return 1
+    else
+      if _contains "$response" '"success":true'; then
+        _domain=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
+        if [ "$_domain" ]; then
+          _cutlength=$((${#domain} - ${#_domain} - 1))
+          _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength")
+          _domain_id=$CF_Zone_ID
+          return 0
+        else
+          return 1
+        fi
+      else
+        return 1
+      fi
+    fi
+  fi
+
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"