Merge branch 'dev'

.github/ISSUE_TEMPLATE.md

@@ -5,7 +5,7 @@
 如何调试 https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
 
 If it is a bug report:
-- make sure you are able to repro it on the latest released version. 
+- make sure you are able to repro it on the latest released version.
 You can install the latest version by: `acme.sh --upgrade`
 
 - Search the existing issues.

.travis.yml

@@ -28,11 +28,11 @@ script:
   - if [ "$TRAVIS_OS_NAME" = "linux" ]; then shellcheck -V ; fi
   - if [ "$TRAVIS_OS_NAME" = "linux" ]; then shellcheck -e SC2181 **/*.sh && echo "shellcheck OK" ; fi
   - cd ..
-  - git clone https://github.com/Neilpang/acmetest.git && cp -r acme.sh acmetest/ && cd acmetest
+  - git clone --depth 1 https://github.com/Neilpang/acmetest.git && cp -r acme.sh acmetest/ && cd acmetest
   - if [ "$TRAVIS_OS_NAME" = "linux" -a "$NGROK_TOKEN" ]; then sudo TEST_LOCAL="$TEST_LOCAL" NGROK_TOKEN="$NGROK_TOKEN" ./rundocker.sh testplat ubuntu:latest ; fi
   - if [ "$TRAVIS_OS_NAME" = "osx" -a "$NGROK_TOKEN" ]; then sudo TEST_LOCAL="$TEST_LOCAL" NGROK_TOKEN="$NGROK_TOKEN" ACME_OPENSSL_BIN="$ACME_OPENSSL_BIN" ./letest.sh ; fi
 
 matrix:
   fast_finish: true
-  
-  
+
+

acme.sh

@@ -178,7 +178,7 @@ _printargs() {
     printf -- "%s" "$1='$2'"
   fi
   printf "\n"
-  # return the saved exit status 
+  # return the saved exit status
   return "$_exitstatus"
 }
 
@@ -3678,7 +3678,7 @@ _ns_purge_cf() {
 
 #checks if cf server is available
 _ns_is_available_cf() {
-  if _get "https://cloudflare-dns.com"; then
+  if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
     return 0
   else
     return 1
@@ -6215,7 +6215,7 @@ Parameters:
   --branch, -b                      Only valid for '--upgrade' command, specifies the branch name to upgrade to.
 
   --notify-level  0|1|2|3           Set the notification level:  Default value is $NOTIFY_LEVEL_DEFAULT.
-                                     0: disabled, no notification will be sent. 
+                                     0: disabled, no notification will be sent.
                                      1: send notifications only when there is an error.
                                      2: send notifications when a cert is successfully renewed, or there is an error.
                                      3: send notifications when a cert is skipped, renewed, or error.

deploy/qiniu.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-# Script to create certificate to qiniu.com 
+# Script to create certificate to qiniu.com
 #
 # This deployment required following variables
 # export QINIU_AK="QINIUACCESSKEY"

deploy/routeros.sh

@@ -85,7 +85,7 @@ routeros_deploy() {
   scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
   _info "Trying to push cert '$_cfullchain' to router"
   scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive 
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive
 source=\"## generated by routeros deploy script in acme.sh
 \n/certificate remove [ find name=$_cdomain.cer_0 ]
 \n/certificate remove [ find name=$_cdomain.cer_1 ]

deploy/vault_cli.sh

@@ -2,10 +2,10 @@
 
 # Here is a script to deploy cert to hashicorp vault
 # (https://www.vaultproject.io/)
-# 
+#
 # it requires the vault binary to be available in PATH, and the following
 # environment variables:
-# 
+#
 # VAULT_PREFIX - this contains the prefix path in vault
 # VAULT_ADDR - vault requires this to find your vault server
 #

dnsapi/dns_da.sh

@@ -9,7 +9,7 @@
 #
 # User must provide login data and URL to DirectAdmin incl. port.
 # You can create login key, by using the Login Keys function
-# ( https://da.example.com:8443/CMD_LOGIN_KEYS ), which only has access to 
+# ( https://da.example.com:8443/CMD_LOGIN_KEYS ), which only has access to
 # - CMD_API_DNS_CONTROL
 # - CMD_API_SHOW_DOMAINS
 #

dnsapi/dns_doapi.sh

@@ -1,11 +1,11 @@
 #!/usr/bin/env sh
 
 # Official Let's Encrypt API for do.de / Domain-Offensive
-# 
+#
 # This is different from the dns_do adapter, because dns_do is only usable for enterprise customers
 # This API is also available to private customers/individuals
-# 
-# Provide the required LetsEncrypt token like this: 
+#
+# Provide the required LetsEncrypt token like this:
 # DO_LETOKEN="FmD408PdqT1E269gUK57"
 
 DO_API="https://www.do.de/api/letsencrypt"

dnsapi/dns_durabledns.sh

@@ -147,11 +147,11 @@ _dd_soap() {
 
   # build SOAP XML
   _xml='<?xml version="1.0" encoding="utf-8"?>
-<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
-xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" 
-xmlns:tns="urn:'$_urn'" 
-xmlns:types="urn:'$_urn'/encodedTypes" 
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
+xmlns:tns="urn:'$_urn'"
+xmlns:types="urn:'$_urn'/encodedTypes"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'"$body"'</soap:Body>
 </soap:Envelope>'

dnsapi/dns_euserv.sh

@@ -127,7 +127,7 @@ dns_euserv_rm() {
   else
     # find XML block where txtvalue is in. The record_id is allways prior this line!
     _endLine=$(echo "$response" | grep -n '>dns_record_content<.*>'"$txtvalue"'<' | cut -d ':' -f 1)
-    # record_id is the last <name> Tag with a number before the row _endLine, identified by </name><value><struct> 
+    # record_id is the last <name> Tag with a number before the row _endLine, identified by </name><value><struct>
     _record_id=$(echo "$response" | sed -n '1,'"$_endLine"'p' | grep '</name><value><struct>' | _tail_n 1 | sed 's/.*<name>\([0-9]*\)<\/name>.*/\1/')
     _info "Deleting record"
     _euserv_delete_record "$_record_id"

dnsapi/dns_freedns.sh

@@ -359,7 +359,7 @@ _freedns_data_id() {
     # before each table row <tr>
     # search for the record type withing each row (e.g. TXT)
     # search for the domain within each row (which is within a <a..>
-    # </a> anchor. And finally extract the domain ID.         
+    # </a> anchor. And finally extract the domain ID.
     if [ -n "$data_id" ]; then
       printf "%s" "$data_id"
       return 0

dnsapi/dns_me.sh

@@ -2,7 +2,7 @@
 
 # bug reports to dev@1e.ca
 
-# ME_Key=qmlkdjflmkqdjf	
+# ME_Key=qmlkdjflmkqdjf
 # ME_Secret=qmsdlkqmlksdvnnpae
 
 ME_Api=https://api.dnsmadeeasy.com/V2.0/dns/managed

dnsapi/dns_namecheap.sh

@@ -3,10 +3,10 @@
 # Namecheap API
 # https://www.namecheap.com/support/api/intro.aspx
 #
-# Requires Namecheap API key set in 
-#NAMECHEAP_API_KEY, 
+# Requires Namecheap API key set in
+#NAMECHEAP_API_KEY,
 #NAMECHEAP_USERNAME,
-#NAMECHEAP_SOURCEIP 
+#NAMECHEAP_SOURCEIP
 # Due to Namecheap's API limitation all the records of your domain will be read and re applied, make sure to have a backup of your records you could apply if any issue would arise.
 
 ########  Public functions #####################

dnsapi/dns_nsupdate.sh

@@ -27,7 +27,7 @@ dns_nsupdate_add() {
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
   if [ -z "${NSUPDATE_ZONE}" ]; then
     nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
-server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
+server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 update add ${fulldomain}. 60 in txt "${txtvalue}"
 send
 EOF
@@ -64,7 +64,7 @@ dns_nsupdate_rm() {
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
   if [ -z "${NSUPDATE_ZONE}" ]; then
     nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
-server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
+server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 update delete ${fulldomain}. txt
 send
 EOF

dnsapi/dns_rcode0.sh

@@ -0,0 +1,224 @@
+#!/usr/bin/env sh
+
+#Rcode0 API Integration
+#https://my.rcodezero.at/api-doc
+#
+# log into https://my.rcodezero.at/enableapi and  get your ACME API Token (the ACME API token has limited
+# access to the REST calls needed for acme.sh only)
+#
+#RCODE0_URL="https://my.rcodezero.at"
+#RCODE0_API_TOKEN="0123456789ABCDEF"
+#RCODE0_TTL=60
+
+DEFAULT_RCODE0_URL="https://my.rcodezero.at"
+DEFAULT_RCODE0_TTL=60
+
+########  Public functions #####################
+#Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000"
+#fulldomain
+#txtvalue
+dns_rcode0_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  RCODE0_API_TOKEN="${RCODE0_API_TOKEN:-$(_readaccountconf_mutable RCODE0_API_TOKEN)}"
+  RCODE0_URL="${RCODE0_URL:-$(_readaccountconf_mutable RCODE0_URL)}"
+  RCODE0_TTL="${RCODE0_TTL:-$(_readaccountconf_mutable RCODE0_TTL)}"
+
+  if [ -z "$RCODE0_URL" ]; then
+    RCODE0_URL="$DEFAULT_RCODE0_URL"
+  fi
+
+  if [ -z "$RCODE0_API_TOKEN" ]; then
+    RCODE0_API_TOKEN=""
+    _err "Missing Rcode0 ACME API Token."
+    _err "Please login and create your token at httsp://my.rcodezero.at/enableapi and try again."
+    return 1
+  fi
+
+  if [ -z "$RCODE0_TTL" ]; then
+    RCODE0_TTL="$DEFAULT_RCODE0_TTL"
+  fi
+
+  #save the token to the account conf file.
+  _saveaccountconf_mutable RCODE0_API_TOKEN "$RCODE0_API_TOKEN"
+
+  if [ "$RCODE0_URL" != "$DEFAULT_RCODE0_URL" ]; then
+    _saveaccountconf_mutable RCODE0_URL "$RCODE0_URL"
+  fi
+
+  if [ "$RCODE0_TTL" != "$DEFAULT_RCODE0_TTL" ]; then
+    _saveaccountconf_mutable RCODE0_TTL "$RCODE0_TTL"
+  fi
+
+  _debug "Detect root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "No 'MASTER' zone for $fulldomain found at RcodeZero Anycast."
+    return 1
+  fi
+  _debug _domain "$_domain"
+
+  _debug "Adding record"
+
+  _record_string=""
+  _build_record_string "$txtvalue"
+  _list_existingchallenges
+  for oldchallenge in $_existing_challenges; do
+    _build_record_string "$oldchallenge"
+  done
+
+  _debug "Challenges: $_existing_challenges"
+
+  if [ -z "$_existing_challenges" ]; then
+    if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"add\", \"name\": \"$fulldomain.\", \"type\": \"TXT\", \"ttl\": $RCODE0_TTL, \"records\": [$_record_string]}]"; then
+      _err "Add txt record error."
+      return 1
+    fi
+  else
+    # try update in case a records exists (need for wildcard certs)
+    if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"update\", \"name\": \"$fulldomain.\", \"type\": \"TXT\", \"ttl\": $RCODE0_TTL, \"records\": [$_record_string]}]"; then
+      _err "Set txt record error."
+      return 1
+    fi
+  fi
+
+  return 0
+}
+
+#fulldomain txtvalue
+dns_rcode0_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  RCODE0_API_TOKEN="${RCODE0_API_TOKEN:-$(_readaccountconf_mutable RCODE0_API_TOKEN)}"
+  RCODE0_URL="${RCODE0_URL:-$(_readaccountconf_mutable RCODE0_URL)}"
+  RCODE0_TTL="${RCODE0_TTL:-$(_readaccountconf_mutable RCODE0_TTL)}"
+
+  if [ -z "$RCODE0_URL" ]; then
+    RCODE0_URL="$DEFAULT_RCODE0_URL"
+  fi
+
+  if [ -z "$RCODE0_API_TOKEN" ]; then
+    RCODE0_API_TOKEN=""
+    _err "Missing Rcode0 API Token."
+    _err "Please login and create your token at httsp://my.rcodezero.at/enableapi and try again."
+    return 1
+  fi
+
+  #save the api addr and key to the account conf file.
+  _saveaccountconf_mutable RCODE0_URL "$RCODE0_URL"
+  _saveaccountconf_mutable RCODE0_API_TOKEN "$RCODE0_API_TOKEN"
+
+  if [ "$RCODE0_TTL" != "$DEFAULT_RCODE0_TTL" ]; then
+    _saveaccountconf_mutable RCODE0_TTL "$RCODE0_TTL"
+  fi
+
+  if [ -z "$RCODE0_TTL" ]; then
+    RCODE0_TTL="$DEFAULT_RCODE0_TTL"
+  fi
+
+  _debug "Detect root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+
+  _debug "Remove record"
+
+  #Enumerate existing acme challenges
+  _list_existingchallenges
+
+  if _contains "$_existing_challenges" "$txtvalue"; then
+    #Delete all challenges (PowerDNS API does not allow to delete content)
+    if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"delete\", \"name\": \"$fulldomain.\", \"type\": \"TXT\"}]"; then
+      _err "Delete txt record error."
+      return 1
+    fi
+    _record_string=""
+    #If the only existing challenge was the challenge to delete: nothing to do
+    if ! [ "$_existing_challenges" = "$txtvalue" ]; then
+      for oldchallenge in $_existing_challenges; do
+        #Build up the challenges to re-add, ommitting the one what should be deleted
+        if ! [ "$oldchallenge" = "$txtvalue" ]; then
+          _build_record_string "$oldchallenge"
+        fi
+      done
+      #Recreate the existing challenges
+      if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"update\", \"name\": \"$fulldomain.\", \"type\": \"TXT\", \"ttl\": $RCODE0_TTL, \"records\": [$_record_string]}]"; then
+        _err "Set txt record error."
+        return 1
+      fi
+    fi
+  else
+    _info "Record not found, nothing to remove"
+  fi
+
+  return 0
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _domain=domain.com
+_get_root() {
+  domain=$1
+  i=1
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+
+    _debug "try to find: $h"
+    if _rcode0_rest "GET" "/api/v1/acme/zones/$h"; then
+      if [ "$response" = "[\"found\"]" ]; then
+        _domain="$h"
+        if [ -z "$h" ]; then
+          _domain="=2E"
+        fi
+        return 0
+      elif [ "$response" = "[\"not a master domain\"]" ]; then
+        return 1
+      fi
+    fi
+
+    if [ -z "$h" ]; then
+      return 1
+    fi
+    i=$(_math $i + 1)
+  done
+  _debug "no matching domain for $domain found"
+
+  return 1
+}
+
+_rcode0_rest() {
+  method=$1
+  ep=$2
+  data=$3
+
+  export _H1="Authorization: Bearer $RCODE0_API_TOKEN"
+
+  if [ ! "$method" = "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$RCODE0_URL$ep" "" "$method")"
+  else
+    response="$(_get "$RCODE0_URL$ep")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+
+  return 0
+}
+
+_build_record_string() {
+  _record_string="${_record_string:+${_record_string}, }{\"content\": \"\\\"${1}\\\"\", \"disabled\": false}"
+}
+
+_list_existingchallenges() {
+  _rcode0_rest "GET" "/api/v1/acme/zones/$_domain/rrsets"
+  _existing_challenges=$(echo "$response" | _normalizeJson | _egrep_o "\"name\":\"${fulldomain}[^]]*}" | _egrep_o 'content\":\"\\"[^\\]*' | sed -n 's/^content":"\\"//p')
+  _debug2 "$_existing_challenges"
+}