From 06ca590ec8f58edee69a0487208f2743cec9e4a9 Mon Sep 17 00:00:00 2001
From: Alvise Bruniera
Date: Wed, 14 May 2025 23:59:16 +0200
Subject: [PATCH 1/4] Add SFTP deploy hook
---
 deploy/sftp.sh | 139 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 deploy/sftp.sh
diff --git a/deploy/sftp.sh b/deploy/sftp.sh
new file mode 100644
index 00000000..4d36e263
--- /dev/null
+++ b/deploy/sftp.sh
@@ -0,0 +1,139 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificates to remote server by SFTP
+# Note that SFTP must be able to login to remote host without a password...
+# SSH Keys must have been exchanged with the remote host. Validate and
+# test that you can login to USER@SERVER from the host running acme.sh before
+# using this script.
+#
+# The following variables exported from environment will be used.
+# If not set then values previously saved in .conf file are used.
+#
+# Only a host is required. All others are optional.
+#
+# export DEPLOY_SFTP_HOSTS="192.168.0.1:22 admin@ssh.server.somewhere localhost" # required, multiple hosts allowed
+# export DEPLOY_SFTP_KEYFILE="/etc/stunnel/stunnel.pem" # defaults to ~/acme_sftp_deploy//.key
+# export DEPLOY_SFTP_CERTFILE="/etc/stunnel/stunnel.pem" ~/acme_sftp_deploy//.cer
+# export DEPLOY_SFTP_CAFILE="/etc/stunnel/uca.pem" ~/acme_sftp_deploy//ca.cer
+# export DEPLOY_SFTP_FULLCHAIN="" ~/acme_sftp_deploy//fullchain.cer
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+sftp_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ # HOSTS is required to login by sftp to remote host.
+ _migratedeployconf Le_Deploy_sftp_hosts DEPLOY_SFTP_HOSTS
+ _getdeployconf DEPLOY_SFTP_HOSTS
+ _debug2 DEPLOY_SFTP_HOSTS "$DEPLOY_SFTP_HOSTS"
+ if [ -z "$DEPLOY_SFTP_HOSTS" ]; then
+ _err "DEPLOY_SFTP_HOSTS not defined."
+ return 1
+ fi
+ _savedeployconf DEPLOY_SFTP_HOSTS "$DEPLOY_SFTP_HOSTS"
+
+ # KEYFILE is optional.
+ # If provided then private key will be copied to provided filename.
+ _migratedeployconf Le_Deploy_sftp_keyfile DEPLOY_SFTP_KEYFILE
+ _getdeployconf DEPLOY_SFTP_KEYFILE
+ _debug2 DEPLOY_SFTP_KEYFILE "$DEPLOY_SFTP_KEYFILE"
+ if [ -n "$DEPLOY_SFTP_KEYFILE" ]; then
+ _savedeployconf DEPLOY_SFTP_KEYFILE "$DEPLOY_SFTP_KEYFILE"
+ fi
+
+ # CERTFILE is optional.
+ # If provided then certificate will be copied or appended to provided filename.
+ _migratedeployconf Le_Deploy_sftp_certfile DEPLOY_SFTP_CERTFILE
+ _getdeployconf DEPLOY_SFTP_CERTFILE
+ _debug2 DEPLOY_SFTP_CERTFILE "$DEPLOY_SFTP_CERTFILE"
+ if [ -n "$DEPLOY_SFTP_CERTFILE" ]; then
+ _savedeployconf DEPLOY_SFTP_CERTFILE "$DEPLOY_SFTP_CERTFILE"
+ fi
+
+ # CAFILE is optional.
+ # If provided then CA intermediate certificate will be copied or appended to provided filename.
+ _migratedeployconf Le_Deploy_sftp_cafile DEPLOY_SFTP_CAFILE
+ _getdeployconf DEPLOY_SFTP_CAFILE
+ _debug2 DEPLOY_SFTP_CAFILE "$DEPLOY_SFTP_CAFILE"
+ if [ -n "$DEPLOY_SFTP_CAFILE" ]; then
+ _savedeployconf DEPLOY_SFTP_CAFILE "$DEPLOY_SFTP_CAFILE"
+ fi
+
+ # FULLCHAIN is optional.
+ # If provided then fullchain certificate will be copied or appended to provided filename.
+ _migratedeployconf Le_Deploy_sftp_fullchain DEPLOY_SFTP_FULLCHAIN
+ _getdeployconf DEPLOY_SFTP_FULLCHAIN
+ _debug2 DEPLOY_SFTP_FULLCHAIN "$DEPLOY_SFTP_FULLCHAIN"
+ if [ -n "$DEPLOY_SFTP_FULLCHAIN" ]; then
+ _savedeployconf DEPLOY_SFTP_FULLCHAIN "$DEPLOY_SFTP_FULLCHAIN"
+ fi
+
+ # Remote key file location, default ~/acme_sftp_deploy/domain/domain.key
+ _ckey_path=".acme_sftp_deploy/$_cdomain/$_cdomain.key"
+ if [ -n "$DEPLOY_SFTP_KEYFILE" ]; then
+ _ckey_path="$DEPLOY_SFTP_KEYFILE"
+ fi
+ _debug _ckey_path "$_ckey_path"
+
+ # Remote cert file location, default ~/acme_sftp_deploy/domain/domain.cer
+ _ccert_path=".acme_sftp_deploy/$_cdomain/$_cdomain.cer"
+ if [ -n "$DEPLOY_SFTP_CERTFILE" ]; then
+ _ccert_path="$DEPLOY_SFTP_CERTFILE"
+ fi
+ _debug _ccert_path "$_ccert_path"
+
+ # Remote intermediate CA file location, default ~/acme_sftp_deploy/domain/ca.cer
+ _cca_path=".acme_sftp_deploy/$_cdomain/ca.cer"
+ if [ -n "$DEPLOY_SFTP_CAFILE" ]; then
+ _cca_path="$DEPLOY_SFTP_CAFILE"
+ fi
+ _debug _cca_path "$_cca_path"
+
+ # Remote key file location, default ~/acme_sftp_deploy/domain/fullchain.cer
+ _cfullchain_path=".acme_sftp_deploy/$_cdomain/fullchain.cer"
+ if [ -n "$DEPLOY_SFTP_FULLCHAIN" ]; then
+ _cfullchain_path="$DEPLOY_SFTP_FULLCHAIN"
+ fi
+ _debug _cfullchain_path "$_cfullchain_path"
+
+ # Remote host, required non-empty but already checked before
+ _sftp_hosts=$DEPLOY_SFTP_HOSTS
+ _debug _sftp_hosts "$_sftp_hosts"
+
+ # Initialize return value at 0
+ _error_code=0
+
+ # Always loop at least once
+ for _sftp_host in $_sftp_hosts ; do
+ sftp "$_sftp_host"\
+< Date: Thu, 15 May 2025 00:47:10 +0200
Subject: [PATCH 2/4] Fix missing newline at end of file
---
 deploy/sftp.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/sftp.sh b/deploy/sftp.sh
index 4d36e263..2cd22d30 100644
--- a/deploy/sftp.sh
+++ b/deploy/sftp.sh
@@ -136,4 +136,4 @@ EOF
 # Return 1 if any upload failed
 return "$_error_code"
-}
\ No newline at end of file
+}
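Review bot: The documented host form `192.168.0.1:22` in the DEPLOY_SFTP_HOSTS example will not select port 22 when handed straight to `sftp "$_sftp_host"` as the loop does, because OpenSSH sftp parses its positional argument as `[user@]host[:path]` and would treat `22` as a remote path to fetch; either document the `sftp://host:22` URI form (or `-P`) or split off the port and pass it explicitly. For unattended renewals I would also invoke it as `sftp -oBatchMode=yes -b - "$_sftp_host"` so a missing key fails fast instead of prompting, and so a failed `put` aborts with a non-zero status that `_error_code` can actually observe; without `-b` sftp reports the failure but keeps going and may still exit 0. The heredoc body is not visible in this extract, so I cannot tell whether the batch already runs `chmod 600` on `$_ckey_path`, which it should since the script otherwise leaves the private key's remote mode to the server rather than setting it. Finally, the header and inline comments say `~/acme_sftp_deploy/...` while the defaults assign `.acme_sftp_deploy/...`, so one of the two should be corrected. The body of `sftp_deploy` continues past the visible part of the hunk.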
From adf66cb8c1c264d59bebe1ab8c099bf4374d3354 Mon Sep 17 00:00:00 2001
From: Alvise Bruniera
Date: Thu, 29 May 2025 11:42:15 +0200
Subject: [PATCH 3/4] Quoted argoments in sftp heredoc
---
 deploy/sftp.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/deploy/sftp.sh b/deploy/sftp.sh
index 2cd22d30..9ece92cb 100644
--- a/deploy/sftp.sh
+++ b/deploy/sftp.sh
@@ -118,10 +118,10 @@ sftp_deploy() {
 for _sftp_host in $_sftp_hosts ; do
 sftp "$_sftp_host"\
< Date: Thu, 29 May 2025 11:56:51 +0200
Subject: [PATCH 4/4] removed unnecessary migration of configuration from sftp.sh
---
 deploy/sftp.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/deploy/sftp.sh b/deploy/sftp.sh
index 9ece92cb..66100e26 100644
--- a/deploy/sftp.sh
+++ b/deploy/sftp.sh
@@ -34,7 +34,6 @@ sftp_deploy() {
 _debug _cfullchain "$_cfullchain"
 # HOSTS is required to login by sftp to remote host.
- _migratedeployconf Le_Deploy_sftp_hosts DEPLOY_SFTP_HOSTS
 _getdeployconf DEPLOY_SFTP_HOSTS
 _debug2 DEPLOY_SFTP_HOSTS "$DEPLOY_SFTP_HOSTS"
 if [ -z "$DEPLOY_SFTP_HOSTS" ]; then
@@ -45,7 +44,6 @@ sftp_deploy() {
 # KEYFILE is optional.
 # If provided then private key will be copied to provided filename.
- _migratedeployconf Le_Deploy_sftp_keyfile DEPLOY_SFTP_KEYFILE
 _getdeployconf DEPLOY_SFTP_KEYFILE
 _debug2 DEPLOY_SFTP_KEYFILE "$DEPLOY_SFTP_KEYFILE"
 if [ -n "$DEPLOY_SFTP_KEYFILE" ]; then
@@ -54,7 +52,6 @@ sftp_deploy() {
 # CERTFILE is optional.
 # If provided then certificate will be copied or appended to provided filename.
- _migratedeployconf Le_Deploy_sftp_certfile DEPLOY_SFTP_CERTFILE
 _getdeployconf DEPLOY_SFTP_CERTFILE
 _debug2 DEPLOY_SFTP_CERTFILE "$DEPLOY_SFTP_CERTFILE"
 if [ -n "$DEPLOY_SFTP_CERTFILE" ]; then
@@ -63,7 +60,6 @@ sftp_deploy() {
 # CAFILE is optional.
 # If provided then CA intermediate certificate will be copied or appended to provided filename.
- _migratedeployconf Le_Deploy_sftp_cafile DEPLOY_SFTP_CAFILE
 _getdeployconf DEPLOY_SFTP_CAFILE
 _debug2 DEPLOY_SFTP_CAFILE "$DEPLOY_SFTP_CAFILE"
 if [ -n "$DEPLOY_SFTP_CAFILE" ]; then
@@ -72,7 +68,6 @@ sftp_deploy() {
 # FULLCHAIN is optional.
 # If provided then fullchain certificate will be copied or appended to provided filename.
- _migratedeployconf Le_Deploy_sftp_fullchain DEPLOY_SFTP_FULLCHAIN
 _getdeployconf DEPLOY_SFTP_FULLCHAIN
 _debug2 DEPLOY_SFTP_FULLCHAIN "$DEPLOY_SFTP_FULLCHAIN"
 if [ -n "$DEPLOY_SFTP_FULLCHAIN" ]; then