* support pebble
* support async finalize order
This commit is contained in:
neil 2019-02-27 20:36:13 +08:00 committed by GitHub
parent ec54074392
commit e7f7e96d58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

88
acme.sh
View File

@ -1827,23 +1827,29 @@ _send_signed_request() {
nonceurl="$ACME_NEW_NONCE" nonceurl="$ACME_NEW_NONCE"
if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then
_headers="$(cat "$HTTP_HEADER")" _headers="$(cat "$HTTP_HEADER")"
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi fi
fi fi
if [ -z "$_headers" ]; then if [ -z "$_CACHED_NONCE" ]; then
_debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY" _debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY"
nonceurl="$ACME_DIRECTORY" nonceurl="$ACME_DIRECTORY"
_headers="$(_get "$nonceurl" "onlyheader")" _headers="$(_get "$nonceurl" "onlyheader")"
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi fi
if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then
_debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
nonceurl="$ACME_NEW_NONCE"
_headers="$(_get "$nonceurl" "onlyheader")"
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
_debug2 _CACHED_NONCE "$_CACHED_NONCE"
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce." _err "Can not connect to $nonceurl to get nonce."
return 1 return 1
fi fi
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
_debug2 _CACHED_NONCE "$_CACHED_NONCE"
else else
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE" _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
fi fi
@ -2060,6 +2066,7 @@ _clearcaconf() {
_startserver() { _startserver() {
content="$1" content="$1"
ncaddr="$2" ncaddr="$2"
_debug "content" "$content"
_debug "ncaddr" "$ncaddr" _debug "ncaddr" "$ncaddr"
_debug "startserver: $$" _debug "startserver: $$"
@ -2086,8 +2093,14 @@ _startserver() {
SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}" SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
fi fi
_content_len="$(printf "%s" "$content" | wc -c)"
_debug _content_len "$_content_len"
_debug "_NC" "$_NC $SOCAT_OPTIONS" _debug "_NC" "$_NC $SOCAT_OPTIONS"
$_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo $content; echo;" & $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \
echo 'HTTP/1.0 200 OK'; \
echo 'Content-Length\: $_content_len'; \
echo ''; \
printf '$content';" &
serverproc="$!" serverproc="$!"
} }
@ -3062,6 +3075,7 @@ _on_before_issue() {
_info "Standalone mode." _info "Standalone mode."
if [ -z "$Le_HTTPPort" ]; then if [ -z "$Le_HTTPPort" ]; then
Le_HTTPPort=80 Le_HTTPPort=80
_cleardomainconf "Le_HTTPPort"
else else
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort" _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
fi fi
@ -3269,7 +3283,7 @@ _regAccount() {
fi fi
_debug2 responseHeaders "$responseHeaders" _debug2 responseHeaders "$responseHeaders"
_accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")" _accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
_debug "_accUri" "$_accUri" _debug "_accUri" "$_accUri"
if [ -z "$_accUri" ]; then if [ -z "$_accUri" ]; then
_err "Can not find account id url." _err "Can not find account id url."
@ -3435,7 +3449,7 @@ __trigger_validation() {
_t_vtype="$3" _t_vtype="$3"
_debug2 _t_vtype "$_t_vtype" _debug2 _t_vtype "$_t_vtype"
if [ "$ACME_VERSION" = "2" ]; then if [ "$ACME_VERSION" = "2" ]; then
_send_signed_request "$_t_url" "{\"keyAuthorization\": \"$_t_key_authz\"}" _send_signed_request "$_t_url" "{}"
else else
_send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}" _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
fi fi
@ -4205,20 +4219,66 @@ $_authorizations_map"
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
if [ "$ACME_VERSION" = "2" ]; then if [ "$ACME_VERSION" = "2" ]; then
_info "Lets finalize the order, Le_OrderFinalize: $Le_OrderFinalize"
if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
_err "Sign failed." _err "Sign failed."
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
fi fi
if [ "$code" != "200" ]; then if [ "$code" != "200" ]; then
_err "Sign failed, code is not 200." _err "Sign failed, finalize code is not 200."
_err "$response" _err "$response"
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
fi fi
Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
if [ -z "$Le_LinkOrder" ]; then
_err "Sign error, can not get order link location header"
_err "responseHeaders" "$responseHeaders"
_on_issue_err "$_post_hook"
return 1
fi
_savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
_tempSignedResponse="$response" _link_cert_retry=0
_MAX_CERT_RETRY=5
while [ -z "$Le_LinkCert" ] && [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
if _contains "$response" "\"status\":\"valid\""; then
_debug "Order status is valid."
Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
_debug Le_LinkCert "$Le_LinkCert"
if [ -z "$Le_LinkCert" ]; then
_err "Sign error, can not find Le_LinkCert"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
break
elif _contains "$response" "\"processing\""; then
_info "Order status is processing, lets sleep and retry."
_sleep 2
else
_err "Sign error, wrong status"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
if ! _send_signed_request "$Le_LinkOrder"; then
_err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
_link_cert_retry="$(_math $_link_cert_retry + 1)"
done
if [ -z "$Le_LinkCert" ]; then
_err "Sign failed, can not get Le_LinkCert, retry time limit."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
_info "Download cert, Le_LinkCert: $Le_LinkCert"
if ! _send_signed_request "$Le_LinkCert"; then if ! _send_signed_request "$Le_LinkCert"; then
_err "Sign failed, can not download cert:$Le_LinkCert." _err "Sign failed, can not download cert:$Le_LinkCert."
_err "$response" _err "$response"
@ -4237,7 +4297,7 @@ $_authorizations_map"
_end_n="$(_math $_end_n + 1)" _end_n="$(_math $_end_n + 1)"
sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH" sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH"
fi fi
response="$_tempSignedResponse"
else else
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
_err "Sign failed. $response" _err "Sign failed. $response"