create concatenated files to accommodate different install requirements

This commit is contained in:
Andrew vonderLuft 2016-03-12 13:40:11 -08:00
parent f89d991d0f
commit 4bb155521e

le.sh

@ -19,7 +19,7 @@ _debug() {
if [ -z "$DEBUG" ] ; then if [ -z "$DEBUG" ] ; then
return return
fi fi
if [ -z "$2" ] ; then if [ -z "$2" ] ; then
echo $1 echo $1
else else
@ -63,27 +63,27 @@ _base64() {
openssl base64 -e | tr -d '\n' openssl base64 -e | tr -d '\n'
} }
#domain [2048] #domain [2048]
createAccountKey() { createAccountKey() {
_info "Creating account key" _info "Creating account key"
if [ -z "$1" ] ; then if [ -z "$1" ] ; then
echo Usage: createAccountKey account-domain [2048] echo Usage: createAccountKey account-domain [2048]
return return
fi fi
account=$1 account=$1
length=$2 length=$2
if [[ "$length" == "ec-"* ]] ; then if [[ "$length" == "ec-"* ]] ; then
length=2048 length=2048
fi fi
if [ -z "$2" ] ; then if [ -z "$2" ] ; then
_info "Use default length 2048" _info "Use default length 2048"
length=2048 length=2048
fi fi
_initpath _initpath
if [ -f "$ACCOUNT_KEY_PATH" ] ; then if [ -f "$ACCOUNT_KEY_PATH" ] ; then
_info "Account key exists, skip" _info "Account key exists, skip"
return return
@ -101,7 +101,7 @@ createDomainKey() {
echo Usage: createDomainKey domain [2048] echo Usage: createDomainKey domain [2048]
return return
fi fi
domain=$1 domain=$1
length=$2 length=$2
isec="" isec=""
@ -132,10 +132,10 @@ createDomainKey() {
fi fi
_info "Using ec name: $eccname" _info "Using ec name: $eccname"
fi fi
_initpath $domain _initpath $domain
if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then
#generate account key #generate account key
if [ "$isec" ] ; then if [ "$isec" ] ; then
openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH" openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH"
@ -164,14 +164,14 @@ createCSR() {
fi fi
domain=$1 domain=$1
_initpath $domain _initpath $domain
domainlist=$2 domainlist=$2
if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then
_info "CSR exists, skip" _info "CSR exists, skip"
return return
fi fi
if [ -z "$domainlist" ] ; then if [ -z "$domainlist" ] ; then
#single domain #single domain
_info "Single domain" $domain _info "Single domain" $domain
@ -179,7 +179,7 @@ createCSR() {
openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH"
else else
alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")"
#multi #multi
_info "Multi domain" "$alt" _info "Multi domain" "$alt"
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF" printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF"
openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH"
@ -197,12 +197,12 @@ _time2str() {
if date -u -d@$1 2>/dev/null ; then if date -u -d@$1 2>/dev/null ; then
return return
fi fi
#Linux #Linux
if date -u -r $1 2>/dev/null ; then if date -u -r $1 2>/dev/null ; then
return return
fi fi
} }
_stat() { _stat() {
@ -210,7 +210,7 @@ _stat() {
if stat -c '%U:%G' "$1" 2>/dev/null ; then if stat -c '%U:%G' "$1" 2>/dev/null ; then
return return
fi fi
#BSD #BSD
if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then
return return
@ -221,10 +221,10 @@ _send_signed_request() {
url=$1 url=$1
payload=$2 payload=$2
needbase64=$3 needbase64=$3
_debug url $url _debug url $url
_debug payload "$payload" _debug payload "$payload"
CURL_HEADER="$LE_WORKING_DIR/curl.header" CURL_HEADER="$LE_WORKING_DIR/curl.header"
dp="$LE_WORKING_DIR/curl.dump" dp="$LE_WORKING_DIR/curl.dump"
CURL="curl --silent --dump-header $CURL_HEADER " CURL="curl --silent --dump-header $CURL_HEADER "
@ -233,24 +233,24 @@ _send_signed_request() {
fi fi
payload64=$(echo -n $payload | _base64 | _b64) payload64=$(echo -n $payload | _base64 | _b64)
_debug payload64 $payload64 _debug payload64 $payload64
nonceurl="$API/directory" nonceurl="$API/directory"
nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)" nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)"
_debug nonce "$nonce" _debug nonce "$nonce"
protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )" protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )"
_debug protected "$protected" _debug protected "$protected"
protected64="$(printf "$protected" | _base64 | _b64)" protected64="$(printf "$protected" | _base64 | _b64)"
_debug protected64 "$protected64" _debug protected64 "$protected64"
sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64) sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64)
_debug sig "$sig" _debug sig "$sig"
body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
_debug body "$body" _debug body "$body"
if [ "$needbase64" ] ; then if [ "$needbase64" ] ; then
response="$($CURL -X POST --data "$body" $url | _base64)" response="$($CURL -X POST --data "$body" $url | _base64)"
else else
@ -258,7 +258,7 @@ _send_signed_request() {
fi fi
responseHeaders="$(cat $CURL_HEADER)" responseHeaders="$(cat $CURL_HEADER)"
_debug responseHeaders "$responseHeaders" _debug responseHeaders "$responseHeaders"
_debug response "$response" _debug response "$response"
code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )" code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )"
@ -284,7 +284,7 @@ _setopt() {
__sep="$3" __sep="$3"
__val="$4" __val="$4"
__end="$5" __end="$5"
if [ -z "$__opt" ] ; then if [ -z "$__opt" ] ; then
echo usage: _setopt '"file" "opt" "=" "value" [";"]' echo usage: _setopt '"file" "opt" "=" "value" [";"]'
return return
fi fi
@ -340,13 +340,13 @@ _saveaccountconf() {
_startserver() { _startserver() {
content="$1" content="$1"
_NC="nc -q 1 -l" _NC="nc -q 1 -l"
nchelp="$(nc -h 2>&1)" nchelp="$(nc -h 2>&1)"
#centos #centos
if echo "$nchelp" | grep "nmap.org/ncat" >/dev/null ; then if echo "$nchelp" | grep "nmap.org/ncat" >/dev/null ; then
_NC="nc -l" _NC="nc -l"
fi fi
#debian #debian
ncver="$(nc --version 2>&1)" ncver="$(nc --version 2>&1)"
if echo "$ncver" | grep "http://www.deepspace6.net" > /dev/null ; then if echo "$ncver" | grep "http://www.deepspace6.net" > /dev/null ; then
@ -373,11 +373,11 @@ _initpath() {
if [ -z "$LE_WORKING_DIR" ]; then if [ -z "$LE_WORKING_DIR" ]; then
LE_WORKING_DIR=$HOME/.le LE_WORKING_DIR=$HOME/.le
fi fi
if [ -z "$ACCOUNT_CONF_PATH" ] ; then if [ -z "$ACCOUNT_CONF_PATH" ] ; then
ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf" ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf"
fi fi
if [ -f "$ACCOUNT_CONF_PATH" ] ; then if [ -f "$ACCOUNT_CONF_PATH" ] ; then
source "$ACCOUNT_CONF_PATH" source "$ACCOUNT_CONF_PATH"
fi fi
@ -388,23 +388,23 @@ _initpath() {
else else
API="$STAGE_CA" API="$STAGE_CA"
_info "Using stage api:$API" _info "Using stage api:$API"
fi fi
fi fi
if [ -z "$ACME_DIR" ] ; then if [ -z "$ACME_DIR" ] ; then
ACME_DIR="/home/.acme" ACME_DIR="/home/.acme"
fi fi
if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then
APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/" APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/"
fi fi
domain="$1" domain="$1"
if ! mkdir -p "$LE_WORKING_DIR" ; then if ! mkdir -p "$LE_WORKING_DIR" ; then
_err "Can not craete working dir: $LE_WORKING_DIR" _err "Can not craete working dir: $LE_WORKING_DIR"
return 1 return 1
fi fi
if [ -z "$ACCOUNT_KEY_PATH" ] ; then if [ -z "$ACCOUNT_KEY_PATH" ] ; then
ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key"
fi fi
@ -412,7 +412,7 @@ _initpath() {
if [ -z "$domain" ] ; then if [ -z "$domain" ] ; then
return 0 return 0
fi fi
domainhome="$LE_WORKING_DIR/$domain" domainhome="$LE_WORKING_DIR/$domain"
mkdir -p "$domainhome" mkdir -p "$domainhome"
@ -422,15 +422,15 @@ _initpath() {
if [ -z "$DOMAIN_CONF" ] ; then if [ -z "$DOMAIN_CONF" ] ; then
DOMAIN_CONF="$domainhome/$domain.conf" DOMAIN_CONF="$domainhome/$domain.conf"
fi fi
if [ -z "$DOMAIN_SSL_CONF" ] ; then if [ -z "$DOMAIN_SSL_CONF" ] ; then
DOMAIN_SSL_CONF="$domainhome/$domain.ssl.conf" DOMAIN_SSL_CONF="$domainhome/$domain.ssl.conf"
fi fi
if [ -z "$CSR_PATH" ] ; then if [ -z "$CSR_PATH" ] ; then
CSR_PATH="$domainhome/$domain.csr" CSR_PATH="$domainhome/$domain.csr"
fi fi
if [ -z "$CERT_KEY_PATH" ] ; then if [ -z "$CERT_KEY_PATH" ] ; then
CERT_KEY_PATH="$domainhome/$domain.key" CERT_KEY_PATH="$domainhome/$domain.key"
fi fi
if [ -z "$CERT_PATH" ] ; then if [ -z "$CERT_PATH" ] ; then
@ -439,7 +439,12 @@ _initpath() {
if [ -z "$CA_CERT_PATH" ] ; then if [ -z "$CA_CERT_PATH" ] ; then
CA_CERT_PATH="$domainhome/ca.cer" CA_CERT_PATH="$domainhome/ca.cer"
fi fi
if [ -z "$KEY_CERT_PATH" ] ; then
KEY_CERT_PATH="$domainhome/$domain/key_cert.cer"
fi
if [ -z "$KEY_CERT_CA_PATH" ] ; then
KEY_CERT_CA_PATH="$domainhome/$domain/key_cert_ca.cer"
fi
} }
@ -462,19 +467,19 @@ _restoreApache() {
if ! _apachePath ; then if ! _apachePath ; then
return 1 return 1
fi fi
if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then
_debug "No config file to restore." _debug "No config file to restore."
return 0 return 0
fi fi
cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf"
if ! apachectl -t ; then if ! apachectl -t ; then
_err "Sorry, restore apache config error, please contact me." _err "Sorry, restore apache config error, please contact me."
return 1; return 1;
fi fi
rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
return 0 return 0
} }
_setApache() { _setApache() {
@ -489,7 +494,7 @@ _setApache() {
_info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
_info "In case there is an error that can not be restored automatically, you may try restore it yourself." _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
_info "The backup file will be deleted on sucess, just forget it." _info "The backup file will be deleted on sucess, just forget it."
#add alias #add alias
echo " echo "
Alias /.well-known/acme-challenge $ACME_DIR Alias /.well-known/acme-challenge $ACME_DIR
@ -498,18 +503,18 @@ Alias /.well-known/acme-challenge $ACME_DIR
Require all granted Require all granted
</Directory> </Directory>
" >> $httpdconf " >> $httpdconf
if ! apachectl -t ; then if ! apachectl -t ; then
_err "Sorry, apache config error, please contact me." _err "Sorry, apache config error, please contact me."
_restoreApache _restoreApache
return 1; return 1;
fi fi
if [ ! -d "$ACME_DIR" ] ; then if [ ! -d "$ACME_DIR" ] ; then
mkdir -p "$ACME_DIR" mkdir -p "$ACME_DIR"
chmod 755 "$ACME_DIR" chmod 755 "$ACME_DIR"
fi fi
if ! apachectl graceful ; then if ! apachectl graceful ; then
_err "Sorry, apachectl graceful error, please contact me." _err "Sorry, apachectl graceful error, please contact me."
_restoreApache _restoreApache
@ -532,7 +537,7 @@ _clearupwebbroot() {
_debug "no webroot specified, skip" _debug "no webroot specified, skip"
return 0 return 0
fi fi
if [ "$2" == '1' ] ; then if [ "$2" == '1' ] ; then
_debug "remove $__webroot/.well-known" _debug "remove $__webroot/.well-known"
rm -rf "$__webroot/.well-known" rm -rf "$__webroot/.well-known"
@ -545,7 +550,7 @@ _clearupwebbroot() {
else else
_info "Skip for removelevel:$2" _info "Skip for removelevel:$2"
fi fi
return 0 return 0
} }
@ -564,17 +569,17 @@ issue() {
Le_RealCACertPath="$7" Le_RealCACertPath="$7"
Le_ReloadCmd="$8" Le_ReloadCmd="$8"
_initpath $Le_Domain _initpath $Le_Domain
if [ -f "$DOMAIN_CONF" ] ; then if [ -f "$DOMAIN_CONF" ] ; then
Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2) Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2)
if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then
_info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)" _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)"
return 2 return 2
fi fi
fi fi
if [ "$Le_Alt" == "no" ] ; then if [ "$Le_Alt" == "no" ] ; then
Le_Alt="" Le_Alt=""
fi fi
@ -593,7 +598,7 @@ issue() {
if [ "$Le_ReloadCmd" == "no" ] ; then if [ "$Le_ReloadCmd" == "no" ] ; then
Le_ReloadCmd="" Le_ReloadCmd=""
fi fi
_setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain" _setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain"
_setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt" _setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt"
_setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot" _setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot"
@ -602,19 +607,19 @@ issue() {
_setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\""
_setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\""
_setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\""
if [ "$Le_Webroot" == "no" ] ; then if [ "$Le_Webroot" == "no" ] ; then
_info "Standalone mode." _info "Standalone mode."
if ! command -v "nc" > /dev/null ; then if ! command -v "nc" > /dev/null ; then
_err "Please install netcat(nc) tools first." _err "Please install netcat(nc) tools first."
return 1 return 1
fi fi
if [ -z "$Le_HTTPPort" ] ; then if [ -z "$Le_HTTPPort" ] ; then
Le_HTTPPort=80 Le_HTTPPort=80
fi fi
_setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort" _setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort"
netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")" netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")"
if [ "$netprc" ] ; then if [ "$netprc" ] ; then
_err "$netprc" _err "$netprc"
@ -623,7 +628,7 @@ issue() {
return 1 return 1
fi fi
fi fi
if [ "$Le_Webroot" == "apache" ] ; then if [ "$Le_Webroot" == "apache" ] ; then
if ! _setApache ; then if ! _setApache ; then
_err "set up apache error. Report error to me." _err "set up apache error. Report error to me."
@ -633,14 +638,14 @@ issue() {
else else
usingApache="" usingApache=""
fi fi
createAccountKey $Le_Domain $Le_Keylength createAccountKey $Le_Domain $Le_Keylength
if ! createDomainKey $Le_Domain $Le_Keylength ; then if ! createDomainKey $Le_Domain $Le_Keylength ; then
_err "Create domain key error." _err "Create domain key error."
return 1 return 1
fi fi
if ! createCSR $Le_Domain $Le_Alt ; then if ! createCSR $Le_Domain $Le_Alt ; then
_err "Create CSR error." _err "Create CSR error."
return 1 return 1
@ -651,30 +656,30 @@ issue() {
pub_exp=0$pub_exp pub_exp=0$pub_exp
fi fi
_debug pub_exp "$pub_exp" _debug pub_exp "$pub_exp"
e=$(echo $pub_exp | _h2b | _base64) e=$(echo $pub_exp | _h2b | _base64)
_debug e "$e" _debug e "$e"
modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 ) modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 )
n=$(echo $modulus| _h2b | _base64 | _b64 ) n=$(echo $modulus| _h2b | _base64 | _b64 )
jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
HEADER='{"alg": "RS256", "jwk": '$jwk'}' HEADER='{"alg": "RS256", "jwk": '$jwk'}'
HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}' HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}'
_debug HEADER "$HEADER" _debug HEADER "$HEADER"
accountkey_json=$(echo -n "$jwk" | tr -d ' ' ) accountkey_json=$(echo -n "$jwk" | tr -d ' ' )
thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64) thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64)
_info "Registering account" _info "Registering account"
regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}' regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}'
if [ "$ACCOUNT_EMAIL" ] ; then if [ "$ACCOUNT_EMAIL" ] ; then
regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}' regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
fi fi
_send_signed_request "$API/acme/new-reg" "$regjson" _send_signed_request "$API/acme/new-reg" "$regjson"
if [ "$code" == "" ] || [ "$code" == '201' ] ; then if [ "$code" == "" ] || [ "$code" == '201' ] ; then
_info "Registered" _info "Registered"
echo $response > $LE_WORKING_DIR/account.json echo $response > $LE_WORKING_DIR/account.json
@ -685,20 +690,20 @@ issue() {
_clearup _clearup
return 1 return 1
fi fi
vtype="$VTYPE_HTTP" vtype="$VTYPE_HTTP"
if [[ "$Le_Webroot" == "dns"* ]] ; then if [[ "$Le_Webroot" == "dns"* ]] ; then
vtype="$VTYPE_DNS" vtype="$VTYPE_DNS"
fi fi
vlist="$Le_Vlist" vlist="$Le_Vlist"
# verify each domain # verify each domain
_info "Verify each domain" _info "Verify each domain"
sep='#' sep='#'
if [ -z "$vlist" ] ; then if [ -z "$vlist" ] ; then
alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
for d in $alldomains for d in $alldomains
do do
_info "Getting token for domain" $d _info "Getting token for domain" $d
_send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}"
if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then
@ -712,16 +717,16 @@ issue() {
token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
_debug token $token _debug token $token
uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
_debug uri $uri _debug uri $uri
keyauthorization="$token.$thumbprint" keyauthorization="$token.$thumbprint"
_debug keyauthorization "$keyauthorization" _debug keyauthorization "$keyauthorization"
dvlist="$d$sep$keyauthorization$sep$uri" dvlist="$d$sep$keyauthorization$sep$uri"
_debug dvlist "$dvlist" _debug dvlist "$dvlist"
vlist="$vlist$dvlist," vlist="$vlist$dvlist,"
done done
@ -757,7 +762,7 @@ issue() {
d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh"
fi fi
_debug d_api "$d_api" _debug d_api "$d_api"
if [ "$d_api" ]; then if [ "$d_api" ]; then
_info "Found domain api file: $d_api" _info "Found domain api file: $d_api"
else else
@ -773,13 +778,13 @@ issue() {
_err "Load file $d_api error. Please check your api file and try again." _err "Load file $d_api error. Please check your api file and try again."
return 1 return 1
fi fi
addcommand="$Le_Webroot-add" addcommand="$Le_Webroot-add"
if ! command -v $addcommand ; then if ! command -v $addcommand ; then
_err "It seems that your api file is not correct, it must have a function named: $Le_Webroot" _err "It seems that your api file is not correct, it must have a function named: $Le_Webroot"
return 1 return 1
fi fi
if ! $addcommand $txtdomain $txt ; then if ! $addcommand $txtdomain $txt ; then
_err "Error add txt for domain:$txtdomain" _err "Error add txt for domain:$txtdomain"
return 1 return 1
@ -794,14 +799,14 @@ issue() {
_err "Please add the TXT records to the domains, and retry again." _err "Please add the TXT records to the domains, and retry again."
return 1 return 1
fi fi
fi fi
if [ "$dnsadded" == '1' ] ; then if [ "$dnsadded" == '1' ] ; then
_info "Sleep 60 seconds for the txt records to take effect" _info "Sleep 60 seconds for the txt records to take effect"
sleep 60 sleep 60
fi fi
_debug "ok, let's start to verify" _debug "ok, let's start to verify"
ventries=$(echo "$vlist" | tr ',' ' ' ) ventries=$(echo "$vlist" | tr ',' ' ' )
for ventry in $ventries for ventry in $ventries
@ -827,15 +832,15 @@ issue() {
wellknown_path="$Le_Webroot/.well-known/acme-challenge" wellknown_path="$Le_Webroot/.well-known/acme-challenge"
fi fi
_debug wellknown_path "$wellknown_path" _debug wellknown_path "$wellknown_path"
if [ ! -d "$Le_Webroot/.well-known" ] ; then if [ ! -d "$Le_Webroot/.well-known" ] ; then
removelevel='1' removelevel='1'
elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then
removelevel='2' removelevel='2'
else else
removelevel='3' removelevel='3'
fi fi
token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)" token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)"
_debug "writing token:$token to $wellknown_path/$token" _debug "writing token:$token to $wellknown_path/$token"
@ -845,31 +850,31 @@ issue() {
webroot_owner=$(_stat $Le_Webroot) webroot_owner=$(_stat $Le_Webroot)
_debug "Changing owner/group of .well-known to $webroot_owner" _debug "Changing owner/group of .well-known to $webroot_owner"
chown -R $webroot_owner "$Le_Webroot/.well-known" chown -R $webroot_owner "$Le_Webroot/.well-known"
fi fi
fi fi
_send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"
if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then
_err "$d:Challenge error: $resource" _err "$d:Challenge error: $resource"
_clearupwebbroot "$Le_Webroot" "$removelevel" "$token" _clearupwebbroot "$Le_Webroot" "$removelevel" "$token"
_clearup _clearup
return 1 return 1
fi fi
while [ "1" ] ; do while [ "1" ] ; do
_debug "sleep 5 secs to verify" _debug "sleep 5 secs to verify"
sleep 5 sleep 5
_debug "checking" _debug "checking"
if ! _get $uri ; then if ! _get $uri ; then
_err "$d:Verify error:$resource" _err "$d:Verify error:$resource"
_clearupwebbroot "$Le_Webroot" "$removelevel" "$token" _clearupwebbroot "$Le_Webroot" "$removelevel" "$token"
_clearup _clearup
return 1 return 1
fi fi
status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"') status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"')
if [ "$status" == "valid" ] ; then if [ "$status" == "valid" ] ; then
_info "Success" _info "Success"
@ -878,7 +883,7 @@ issue() {
_clearupwebbroot "$Le_Webroot" "$removelevel" "$token" _clearupwebbroot "$Le_Webroot" "$removelevel" "$token"
break; break;
fi fi
if [ "$status" == "invalid" ] ; then if [ "$status" == "invalid" ] ; then
error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4)
_err "$d:Verify error:$error" _err "$d:Verify error:$error"
@ -886,26 +891,26 @@ issue() {
_clearup _clearup
return 1; return 1;
fi fi
if [ "$status" == "pending" ] ; then if [ "$status" == "pending" ] ; then
_info "Pending" _info "Pending"
else else
_err "$d:Verify error:$response" _err "$d:Verify error:$response"
_clearupwebbroot "$Le_Webroot" "$removelevel" "$token" _clearupwebbroot "$Le_Webroot" "$removelevel" "$token"
_clearup _clearup
return 1 return 1
fi fi
done done
done done
_clearup _clearup
_info "Verify finished, start to sign." _info "Verify finished, start to sign."
der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)" der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)"
_send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"
Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)" Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)"
_setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert" _setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert"
@ -915,44 +920,51 @@ issue() {
echo -----END CERTIFICATE----- >> "$CERT_PATH" echo -----END CERTIFICATE----- >> "$CERT_PATH"
_info "Cert success." _info "Cert success."
cat "$CERT_PATH" cat "$CERT_PATH"
_info "Your cert is in $CERT_PATH" _info "Your cert is in $CERT_PATH"
cat "$Le_RealKeyPath" > "$KEY_CERT_PATH"
cat "$CERT_PATH" >> "$KEY_CERT_PATH"
cat "$KEY_CERT_PATH" > "$KEY_CERT_CA_PATH"
cat "$Le_RealCACertPath" >> "$KEY_CERT_CA_PATH"
fi fi
if [ -z "$Le_LinkCert" ] ; then if [ -z "$Le_LinkCert" ] ; then
response="$(echo $response | openssl base64 -d -A)" response="$(echo $response | openssl base64 -d -A)"
_err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')"
return 1 return 1
fi fi
_setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\"" _setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\""
Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' ) Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' )
_setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer" _setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer"
if [ "$Le_LinkIssuer" ] ; then if [ "$Le_LinkIssuer" ] ; then
echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH" echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH"
curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH" curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH"
echo -----END CERTIFICATE----- >> "$CA_CERT_PATH" echo -----END CERTIFICATE----- >> "$CA_CERT_PATH"
_info "The intermediate CA cert is in $CA_CERT_PATH" _info "The intermediate CA cert is in $CA_CERT_PATH"
fi fi
Le_CertCreateTime=$(date -u "+%s") Le_CertCreateTime=$(date -u "+%s")
_setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime" _setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime"
Le_CertCreateTimeStr=$(date -u ) Le_CertCreateTimeStr=$(date -u )
_setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\"" _setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\""
if [ ! "$Le_RenewalDays" ] ; then if [ ! "$Le_RenewalDays" ] ; then
Le_RenewalDays=80 Le_RenewalDays=80
fi fi
_setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays" _setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays"
let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60" let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60"
_setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime" _setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime"
Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime ) Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime )
_setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\"" _setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\""
@ -974,13 +986,13 @@ renew() {
_info "$Le_Domain is not a issued domain, skip." _info "$Le_Domain is not a issued domain, skip."
return 0; return 0;
fi fi
source "$DOMAIN_CONF" source "$DOMAIN_CONF"
if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then
_info "Skip, Next renewal time is: $Le_NextRenewTimeStr" _info "Skip, Next renewal time is: $Le_NextRenewTimeStr"
return 2 return 2
fi fi
IS_RENEW="1" IS_RENEW="1"
issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd"
local res=$? local res=$?
@ -992,11 +1004,11 @@ renew() {
renewAll() { renewAll() {
_initpath _initpath
_info "renewAll" _info "renewAll"
for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do
d=$(echo $d | cut -d '/' -f 1) d=$(echo $d | cut -d '/' -f 1)
_info "renew $d" _info "renew $d"
Le_LinkCert="" Le_LinkCert=""
Le_Domain="" Le_Domain=""
Le_Alt="" Le_Alt=""
@ -1012,11 +1024,11 @@ renewAll() {
Le_RealCertPath="" Le_RealCertPath=""
Le_RealKeyPath="" Le_RealKeyPath=""
Le_RealCACertPath="" Le_RealCACertPath=""
Le_ReloadCmd="" Le_ReloadCmd=""
DOMAIN_PATH="" DOMAIN_PATH=""
DOMAIN_CONF="" DOMAIN_CONF=""
DOMAIN_SSL_CONF="" DOMAIN_SSL_CONF=""
@ -1024,13 +1036,15 @@ renewAll() {
CERT_KEY_PATH="" CERT_KEY_PATH=""
CERT_PATH="" CERT_PATH=""
CA_CERT_PATH="" CA_CERT_PATH=""
KEY_CERT_PATH=""
KEY_CERT_CA_PATH=""
ACCOUNT_KEY_PATH="" ACCOUNT_KEY_PATH=""
wellknown_path="" wellknown_path=""
renew "$d" renew "$d"
done done
} }
installcert() { installcert() {
@ -1051,14 +1065,14 @@ installcert() {
_setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\""
_setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\""
_setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\""
if [ "$Le_RealCertPath" ] ; then if [ "$Le_RealCertPath" ] ; then
if [ -f "$Le_RealCertPath" ] ; then if [ -f "$Le_RealCertPath" ] ; then
cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak
fi fi
cat "$CERT_PATH" > "$Le_RealCertPath" cat "$CERT_PATH" > "$Le_RealCertPath"
fi fi
if [ "$Le_RealCACertPath" ] ; then if [ "$Le_RealCACertPath" ] ; then
if [ -f "$Le_RealCACertPath" ] ; then if [ -f "$Le_RealCACertPath" ] ; then
cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak
@ -1089,7 +1103,7 @@ installcert() {
installcronjob() { installcronjob() {
_initpath _initpath
_info "Installing cron job" _info "Installing cron job"
if ! crontab -l | grep 'le.sh cron' ; then if ! crontab -l | grep 'le.sh cron' ; then
if [ -f "$LE_WORKING_DIR/le.sh" ] ; then if [ -f "$LE_WORKING_DIR/le.sh" ] ; then
lesh="\"$LE_WORKING_DIR\"/le.sh" lesh="\"$LE_WORKING_DIR\"/le.sh"
else else
@ -1109,13 +1123,13 @@ installcronjob() {
uninstallcronjob() { uninstallcronjob() {
_info "Removing cron job" _info "Removing cron job"
cr="$(crontab -l | grep 'le.sh cron')" cr="$(crontab -l | grep 'le.sh cron')"
if [ "$cr" ] ; then if [ "$cr" ] ; then
crontab -l | sed "/le.sh cron/d" | crontab - crontab -l | sed "/le.sh cron/d" | crontab -
LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')" LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')"
_info LE_WORKING_DIR "$LE_WORKING_DIR" _info LE_WORKING_DIR "$LE_WORKING_DIR"
fi fi
_initpath _initpath
} }
@ -1200,14 +1214,14 @@ install() {
_err "Install failed." _err "Install failed."
return 1 return 1
fi fi
#check if there is sudo installed, AND if the current user is a sudoer. #check if there is sudo installed, AND if the current user is a sudoer.
if command -v sudo > /dev/null ; then if command -v sudo > /dev/null ; then
if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then
SUDO=sudo SUDO=sudo
fi fi
fi fi
if command -v yum > /dev/null ; then if command -v yum > /dev/null ; then
YUM="1" YUM="1"
INSTALL="$SUDO yum install -y " INSTALL="$SUDO yum install -y "
@ -1220,7 +1234,7 @@ install() {
_err "$INSTALL curl" _err "$INSTALL curl"
return 1 return 1
fi fi
if ! command -v "crontab" > /dev/null ; then if ! command -v "crontab" > /dev/null ; then
_err "Please install crontab first." _err "Please install crontab first."
if [ "$YUM" ] ; then if [ "$YUM" ] ; then
@ -1230,7 +1244,7 @@ install() {
fi fi
return 1 return 1
fi fi
if ! command -v "openssl" > /dev/null ; then if ! command -v "openssl" > /dev/null ; then
_err "Please install openssl first." _err "Please install openssl first."
_err "$INSTALL openssl" _err "$INSTALL openssl"
@ -1251,7 +1265,7 @@ install() {
_profile="$(_detect_profile)" _profile="$(_detect_profile)"
if [ "$_profile" ] ; then if [ "$_profile" ] ; then
_debug "Found profile: $_profile" _debug "Found profile: $_profile"
echo "LE_WORKING_DIR=$LE_WORKING_DIR echo "LE_WORKING_DIR=$LE_WORKING_DIR
alias le=\"$LE_WORKING_DIR/le.sh\" alias le=\"$LE_WORKING_DIR/le.sh\"
alias le.sh=\"$LE_WORKING_DIR/le.sh\" alias le.sh=\"$LE_WORKING_DIR/le.sh\"
@ -1265,14 +1279,14 @@ alias le.sh=\"$LE_WORKING_DIR/le.sh\"
mkdir -p $LE_WORKING_DIR/dnsapi mkdir -p $LE_WORKING_DIR/dnsapi
cp dnsapi/* $LE_WORKING_DIR/dnsapi/ cp dnsapi/* $LE_WORKING_DIR/dnsapi/
#to keep compatible mv the .acc file to .key file #to keep compatible mv the .acc file to .key file
if [ -f "$LE_WORKING_DIR/account.acc" ] ; then if [ -f "$LE_WORKING_DIR/account.acc" ] ; then
mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key" mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key"
fi fi
installcronjob installcronjob
if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
_initconf _initconf
fi fi