From d404e92d16f5ee7d6506f19d3c13cc114c4737da Mon Sep 17 00:00:00 2001
From: neil
Date: Sat, 24 Sep 2016 23:53:53 +0800
Subject: [PATCH] Fetch agreement tos dynamically, fix https://github.com/Neilpang/acme.sh/issues/253
---
 acme.sh | 160 ++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 102 insertions(+), 58 deletions(-)
diff --git a/acme.sh b/acme.sh
index 831f5ae2..fba3caaa 100755
--- a/acme.sh
+++ b/acme.sh
@@ -48,9 +48,6 @@ RENEW_SKIP=2
 ECC_SEP="_"
 ECC_SUFFIX="${ECC_SEP}ecc"
-if [ -z "$AGREEMENT" ] ; then
- AGREEMENT="$DEFAULT_AGREEMENT"
-fi
 __INTERACTIVE=""
 if [ -t 1 ] ; then
@@ -1767,6 +1764,93 @@ _on_issue_success() {
 }
+
+_regAccount() {
+ _initpath
+ if [ ! -f "$ACCOUNT_KEY_PATH" ] ; then
+ _acck="no"
+ if [ "$Le_Keylength" ] ; then
+ _acck="$Le_Keylength"
+ fi
+ if ! createAccountKey "$_acck" ; then
+ _err "Create account key error."
+ return 1
+ fi
+ fi
+
+ if ! _calcjwk "$ACCOUNT_KEY_PATH" ; then
+ return 1
+ fi
+
+ _updateTos=""
+ _reg_res="new-reg"
+ while true ;
+ do
+ _debug AGREEMENT "$AGREEMENT"
+ accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' )
+ thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
+
+ regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}'
+
+ if [ "$ACCOUNT_EMAIL" ] ; then
+ regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
+ fi
+
+ if [ -z "$_updateTos" ] ; then
+ _info "Registering account"
+
+ if ! _send_signed_request "$API/acme/new-reg" "$regjson" ; then
+ _err "Register account Error: $response"
+ return 1
+ fi
+
+ if [ "$code" = "" ] || [ "$code" = '201' ] ; then
+ echo "$response" > $LE_WORKING_DIR/account.json
+ _info "Registered"
+ elif [ "$code" = '409' ] ; then
+ _info "Already registered"
+ else
+ _err "Register account Error: $response"
+ return 1
+ fi
+
+ _accUri="$(echo "$responseHeaders" | grep "^Location:" | cut -d ' ' -f 2| tr -d "\r\n")"
+ _debug "_accUri" "$_accUri"
+ ACCOUNT_URL="$_accUri"
+ _saveaccountconf ACCOUNT_URL "$ACCOUNT_URL"
+
+ _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _egrep_o "<.*>" | tr -d '<>')"
+ _debug "_tos" "$_tos"
+ if [ -z "$_tos" ] ; then
+ _debug "Use default tos: $DEFAULT_AGREEMENT"
+ _tos="$DEFAULT_AGREEMENT"
+ fi
+ if [ "$_tos" != "$AGREEMENT" ]; then
+ _updateTos=1
+ AGREEMENT="$_tos"
+ _reg_res="reg"
+ continue
+ fi
+
+ else
+ _debug "Update tos: $_tos"
+ if ! _send_signed_request "$_accUri" "$regjson" ; then
+ _err "Update tos error."
+ return 1
+ fi
+ if [ "$code" = '202' ] ; then
+ _debug "Update tos success."
+ else
+ _err "Update tos error."
+ return 1
+ fi
+ fi
+ return 0
+ done
+
+}
+
 #webroot, domain domainlist keylength
 issue() {
 if [ -z "$2" ] ; then
@@ -1826,69 +1910,21 @@ issue() {
 Le_Alt=""
 fi
+ if [ "$Le_Keylength" = "$NO_VALUE" ] ; then
+ Le_Keylength=""
+ fi
+
 if ! _on_before_issue ; then
 _err "_on_before_issue."
 return 1
 fi
- if [ ! -f "$ACCOUNT_KEY_PATH" ] ; then
- _acck="$NO_VALUE"
- if [ "$Le_Keylength" ] ; then
- _acck="$Le_Keylength"
- fi
- if ! createAccountKey "$_acck" ; then
- _err "Create account key error."
- if [ "$usingApache" ] ; then
- _restoreApache
- fi
- _on_issue_err
- return 1
- fi
- fi
-
- if ! _calcjwk "$ACCOUNT_KEY_PATH" ; then
- if [ "$usingApache" ] ; then
- _restoreApache
- fi
+ if ! _regAccount ; then
 _on_issue_err
 return 1
 fi
- accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' )
- thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
-
- regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}'
- if [ "$ACCOUNT_EMAIL" ] ; then
- regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
- fi
-
- accountkeyhash="$(cat "$ACCOUNT_KEY_PATH" | _digest "sha256" )"
- accountkeyhash="$(echo $accountkeyhash$API$regjson | _digest "sha256" )"
- if [ "$accountkeyhash" != "$ACCOUNT_KEY_HASH" ] ; then
- _info "Registering account"
- _send_signed_request "$API/acme/new-reg" "$regjson"
- if [ "$code" = "" ] || [ "$code" = '201' ] ; then
- _info "Registered"
- echo "$response" > $LE_WORKING_DIR/account.json
- elif [ "$code" = '409' ] ; then
- _info "Already registered"
- else
- _err "Register account Error: $response"
- _clearup
- _on_issue_err
- return 1
- fi
- ACCOUNT_KEY_HASH="$accountkeyhash"
- _saveaccountconf "ACCOUNT_KEY_HASH" "$ACCOUNT_KEY_HASH"
- else
- _info "Skip register account key"
- fi
- if [ "$Le_Keylength" = "$NO_VALUE" ] ; then
- Le_Keylength=""
- fi
-
-
 if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ] ; then
 _info "Signing from existing CSR."
 else
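Review bot: In `_regAccount` the account URL is parsed with a case-sensitive `grep "^Location:"` (and the terms-of-service link with a case-sensitive `grep "^Link:.*rel=\"terms-of-service\""`), while the cert download later in this same patch uses `grep -i '^Location.*$'`; a lower-cased header name would leave `_accUri` empty, which is then persisted via `_saveaccountconf ACCOUNT_URL` and used as the POST target in the `_updateTos` branch. Suggest `grep -i "^Location:"` plus a guard immediately after it: `[ "$_accUri" ] || { _err "No account URL in registration response."; return 1; }`. The server-supplied `_tos` value is also spliced into `regjson` without JSON escaping (as `$ACCOUNT_EMAIL` already was), so a quote or backslash in it would produce malformed JSON rather than a clear error; it presumably comes from the CA over TLS, so the risk is low, but a comment noting the assumption would help. Separately, `echo "$response" > $LE_WORKING_DIR/account.json` leaves the path unquoted; `> "$LE_WORKING_DIR/account.json"` matches the quoting used on the surrounding lines.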
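Review bot: The new failure path `if ! _regAccount ; then` followed by `_on_issue_err` and `return 1` drops the `_restoreApache` calls that the removed lines made when `$usingApache` is set, and the `_clearup` call on a registration error; unless `_on_issue_err` (defined outside this hunk) performs those itself, a failed account-key creation or registration now leaves the modified apache config in place. Suggest either restoring `if [ "$usingApache" ] ; then _restoreApache ; fi` before `_on_issue_err` in that branch, or confirming in a comment that `_on_issue_err` covers it. Also, with the `ACCOUNT_KEY_HASH` short-circuit removed, every `issue()` run now sends a new-reg request and relies on the 409 path; that looks intended but deserves a sentence in the commit message. `issue()` starts and ends outside the hunk.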
@@ -2301,13 +2337,18 @@ issue() {
 return 1
 fi
-
+ _rcert="$response"
 Le_LinkCert="$(grep -i '^Location.*$' $HTTP_HEADER | head -1 | tr -d "\r\n" | cut -d " " -f 2)"
 _savedomainconf "Le_LinkCert" "$Le_LinkCert"
 if [ "$Le_LinkCert" ] ; then
 echo "$BEGIN_CERT" > "$CERT_PATH"
- _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH"
+
+ if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
+ _debug "Get cert failed. Let's try last response."
+ printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
+ fi
+
 echo "$END_CERT" >> "$CERT_PATH"
 _info "$(__green "Cert success.")"
 cat "$CERT_PATH"
@@ -2918,6 +2959,9 @@ _initconf() {
 #ACCOUNT_KEY_PATH=\"/path/to/account.key\"
 #CERT_HOME=\"/path/to/cert/home\"
+#ACCOUNT_URL=\"\"
+
+
 #LOG_FILE=\"$DEFAULT_LOG_FILE\"
 #AUTO_UPGRADE=\"1\"
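Review bot: The fallback in `if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then` is keyed on the pipeline's exit status, which in POSIX sh is that of `_base64`, not `_get`; a failed or empty download normally leaves `_base64` succeeding on empty input, so the fallback never runs and `$CERT_PATH` ends up with nothing between `$BEGIN_CERT` and `$END_CERT`. Conversely, if `_get` emits partial output before failing, the fallback appends a second body after it. Downloading to a scratch file first lets the script test `_get`'s own status and output before anything is appended; the `.der` scratch name below is illustrative. This assumes `_get` returns non-zero on an HTTP error, which is not visible in the hunk, and that `$response` holds a base64 body as the `_dbase64` in the fallback implies. `issue()` starts and ends outside the hunk.
```shell
      echo "$BEGIN_CERT" > "$CERT_PATH"
      # test _get's own status: a pipeline's status is that of its last stage
      if _get "$Le_LinkCert" > "$CERT_PATH.der" && [ -s "$CERT_PATH.der" ] ; then
        _base64 "multiline" < "$CERT_PATH.der" >> "$CERT_PATH"
      else
        _debug "Get cert failed. Let's try last response."
        printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
      fi
      rm -f "$CERT_PATH.der"
      echo "$END_CERT" >> "$CERT_PATH"
      # … unchanged: _info "Cert success." and cat "$CERT_PATH" …
```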