diff --git a/.github/auto-comment.yml b/.github/auto-comment.yml
deleted file mode 100644
index 520b3ce3..00000000
--- a/.github/auto-comment.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# Comment to a new issue.
-issuesOpened: >
- If this is a bug report, please upgrade to the latest code and try again:
-
- 如果有 bug, 请先更新到最新版试试:
-
- ```
- acme.sh --upgrade
- ```
-
- please also provide the log with `--debug 2`.
-
- 同时请提供调试输出 `--debug 2`
-
- see: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
-
- Without `--debug 2` log, your issue will NEVER get replied.
-
- 没有调试输出, 你的 issue 不会得到任何解答.
-
-
-pullRequestOpened: >
- First, NEVER send a PR to `master` branch, it will NEVER be accepted. Please send to the `dev` branch instead.
-
- If this is a PR to support new DNS API or new notification API, please read this guide first:
- https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
-
- Please check the guide items one by one.
-
- Then add your usage here:
- https://github.com/acmesh-official/acme.sh/wiki/dnsapi
-
- Or some other wiki pages:
-
- https://github.com/acmesh-official/acme.sh/wiki/deployhooks
-
- https://github.com/acmesh-official/acme.sh/wiki/notify
-
-
-
diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml
index 5dc2d453..46fd8283 100644
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@@ -37,7 +37,7 @@ jobs:
- name: "Read this: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
run: |
echo "Read this: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
- if [ "${{github.actor}}" != "Neilpang" ]; then
+ if [ "${{github.repository_owner}}" != "acmesh-official" ]; then
false
fi
@@ -49,6 +49,7 @@ jobs:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -59,24 +60,24 @@ jobs:
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- name: Set env file
run: |
- cd ../acmetest
+ cd ../acmetest
if [ "${{ secrets.TokenName1}}" ] ; then
- echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> env.list
+ echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> docker.env
fi
if [ "${{ secrets.TokenName2}}" ] ; then
- echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> env.list
+ echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> docker.env
fi
if [ "${{ secrets.TokenName3}}" ] ; then
- echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> env.list
+ echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> docker.env
fi
if [ "${{ secrets.TokenName4}}" ] ; then
- echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> env.list
+ echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> docker.env
fi
if [ "${{ secrets.TokenName5}}" ] ; then
- echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> env.list
+ echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env
fi
- echo "TEST_DNS_NO_WILDCARD" >> env.list
- echo "TEST_DNS_SLEEP" >> env.list
+ echo "TEST_DNS_NO_WILDCARD" >> docker.env
+ echo "TEST_DNS_SLEEP" >> docker.env
- name: Run acmetest
run: cd ../acmetest && ./rundocker.sh testall
@@ -87,6 +88,7 @@ jobs:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -124,6 +126,7 @@ jobs:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -170,12 +173,13 @@ jobs:
./letest.sh
FreeBSD:
- runs-on: macos-latest
+ runs-on: macos-10.15
needs: Windows
env:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -184,9 +188,9 @@ jobs:
- uses: actions/checkout@v2
- name: Clone acmetest
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/freebsd-vm@v0.0.7
+ - uses: vmactions/freebsd-vm@v0.1.4
with:
- envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+ envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
prepare: pkg install -y socat curl
usesh: true
run: |
@@ -209,12 +213,13 @@ jobs:
./letest.sh
Solaris:
- runs-on: macos-latest
+ runs-on: macos-10.15
needs: FreeBSD
env:
TEST_DNS : ${{ secrets.TEST_DNS }}
TestingDomain: ${{ secrets.TestingDomain }}
TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+ TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
CASE: le_test_dnsapi
TEST_LOCAL: 1
@@ -223,11 +228,13 @@ jobs:
- uses: actions/checkout@v2
- name: Clone acmetest
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/solaris-vm@v0.0.1
+ - uses: vmactions/solaris-vm@v0.0.5
with:
- envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
- prepare: pkgutil -y -i socat curl
+ envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+ prepare: pkgutil -y -i socat
run: |
+ pkg set-mediator -v -I default@1.1 openssl
+ export PATH=/usr/gnu/bin:$PATH
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
fi
@@ -245,5 +252,3 @@ jobs:
fi
cd ../acmetest
./letest.sh
-
-
diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml
new file mode 100644
index 00000000..5d032769
--- /dev/null
+++ b/.github/workflows/FreeBSD.yml
@@ -0,0 +1,63 @@
+name: FreeBSD
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/FreeBSD.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/FreeBSD.yml'
+
+
+jobs:
+ FreeBSD:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: macos-10.15
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - uses: vmactions/cf-tunnel@v0.0.3
+ id: tunnel
+ with:
+ protocol: http
+ port: 8080
+ - name: Set envs
+ run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+ - name: Clone acmetest
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - uses: vmactions/freebsd-vm@v0.1.5
+ with:
+ envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+ nat: |
+ "8080": "80"
+ prepare: pkg install -y socat curl
+ usesh: true
+ run: |
+ cd ../acmetest \
+ && ./letest.sh
+
+
diff --git a/.github/workflows/LetsEncrypt.yml b/.github/workflows/LetsEncrypt.yml
deleted file mode 100644
index 8d0c4eb0..00000000
--- a/.github/workflows/LetsEncrypt.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-name: LetsEncrypt
-on:
- push:
- branches:
- - '*'
- paths:
- - '**.sh'
- - '**.yml'
- pull_request:
- branches:
- - dev
- paths:
- - '**.sh'
- - '**.yml'
-
-
-jobs:
- CheckToken:
- runs-on: ubuntu-latest
- outputs:
- hasToken: ${{ steps.step_one.outputs.hasToken }}
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- steps:
- - name: Set the value
- id: step_one
- run: |
- if [ "$NGROK_TOKEN" ] ; then
- echo "::set-output name=hasToken::true"
- else
- echo "::set-output name=hasToken::false"
- fi
- - name: Check the value
- run: echo ${{ steps.step_one.outputs.hasToken }}
-
- Ubuntu:
- runs-on: ubuntu-latest
- needs: CheckToken
- if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - name: Install tools
- run: sudo apt-get install -y socat
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - name: Run acmetest
- run: cd ../acmetest && sudo --preserve-env ./letest.sh
-
- MacOS:
- runs-on: macos-latest
- needs: Ubuntu
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - name: Install tools
- run: brew install socat
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - name: Run acmetest
- run: cd ../acmetest && sudo --preserve-env ./letest.sh
-
- Windows:
- runs-on: windows-latest
- needs: MacOS
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- #The 80 port is used by Windows server, we have to use a custom port, ngrok will also use this port.
- Le_HTTPPort: 8888
- steps:
- - name: Set git to use LF
- run: |
- git config --global core.autocrlf false
- - uses: actions/checkout@v2
- - name: Install cygwin base packages with chocolatey
- run: |
- choco config get cacheLocation
- choco install --no-progress cygwin
- shell: cmd
- - name: Install cygwin additional packages
- run: |
- C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
- shell: cmd
- - name: Set ENV
- shell: cmd
- run: |
- echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
- - name: Check ENV
- shell: cmd
- run: |
- echo "PATH=%PATH%"
- - name: Clone acmetest
- shell: cmd
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - name: Run acmetest
- shell: cmd
- run: cd ../acmetest && bash.exe -c ./letest.sh
-
- FreeBSD:
- runs-on: macos-latest
- needs: Windows
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/freebsd-vm@v0.0.7
- with:
- envs: 'NGROK_TOKEN TEST_LOCAL'
- prepare: pkg install -y socat curl
- usesh: true
- run: |
- cd ../acmetest && ./letest.sh
-
- Solaris:
- runs-on: macos-latest
- needs: FreeBSD
- env:
- NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
- TEST_LOCAL: 1
- steps:
- - uses: actions/checkout@v2
- - uses: vmactions/ngrok-tunnel@v0.0.1
- id: ngrok
- with:
- protocol: http
- port: 8080
- - name: Set envs
- run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
- - name: Clone acmetest
- run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- - uses: vmactions/solaris-vm@v0.0.1
- with:
- envs: 'TEST_LOCAL TestingDomain'
- nat: |
- "8080": "80"
- prepare: pkgutil -y -i socat curl
- run: |
- cd ../acmetest && ./letest.sh
-
diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml
new file mode 100644
index 00000000..63e3136c
--- /dev/null
+++ b/.github/workflows/Linux.yml
@@ -0,0 +1,41 @@
+name: Linux
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Linux.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Linux.yml'
+
+
+
+jobs:
+ Linux:
+ strategy:
+ matrix:
+ os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:7", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"]
+ runs-on: ubuntu-latest
+ env:
+ TEST_LOCAL: 1
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ steps:
+ - uses: actions/checkout@v2
+ - name: Clone acmetest
+ run: |
+ cd .. \
+ && git clone https://github.com/acmesh-official/acmetest.git \
+ && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: |
+ cd ../acmetest \
+ && ./rundocker.sh testplat ${{ matrix.os }}
+
+
+
diff --git a/.github/workflows/MacOS.yml b/.github/workflows/MacOS.yml
new file mode 100644
index 00000000..4b529f6a
--- /dev/null
+++ b/.github/workflows/MacOS.yml
@@ -0,0 +1,55 @@
+name: MacOS
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/MacOS.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/MacOS.yml'
+
+
+jobs:
+ MacOS:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: macos-latest
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install tools
+ run: brew install socat
+ - name: Clone acmetest
+ run: |
+ cd .. \
+ && git clone https://github.com/acmesh-official/acmetest.git \
+ && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: |
+ cd ../acmetest \
+ && sudo --preserve-env ./letest.sh
+
+
diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml
index 976e5373..c1ea1cd2 100644
--- a/.github/workflows/PebbleStrict.yml
+++ b/.github/workflows/PebbleStrict.yml
@@ -4,14 +4,14 @@ on:
branches:
- '*'
paths:
- - '**.sh'
- - '**.yml'
+ - '*.sh'
+ - '.github/workflows/PebbleStrict.yml'
pull_request:
branches:
- dev
paths:
- - '**.sh'
- - '**.yml'
+ - '*.sh'
+ - '.github/workflows/PebbleStrict.yml'
jobs:
PebbleStrict:
@@ -19,7 +19,7 @@ jobs:
env:
TestingDomain: example.com
TestingAltDomains: www.example.com
- ACME_DIRECTORY: https://localhost:14000/dir
+ TEST_ACME_Server: https://localhost:14000/dir
HTTPS_INSECURE: 1
Le_HTTPPort: 5002
TEST_LOCAL: 1
@@ -35,5 +35,28 @@ jobs:
run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4
- name: Clone acmetest
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: cd ../acmetest && ./letest.sh
+
+ PebbleStrict_IPCert:
+ runs-on: ubuntu-latest
+ env:
+ TestingDomain: 10.30.50.1
+ ACME_DIRECTORY: https://localhost:14000/dir
+ HTTPS_INSECURE: 1
+ Le_HTTPPort: 5002
+ Le_TLSPort: 5001
+ TEST_LOCAL: 1
+ TEST_CA: "Pebble Intermediate CA"
+ TEST_IPCERT: 1
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install tools
+ run: sudo apt-get install -y socat
+ - name: Run Pebble
+ run: cd .. && curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml >docker-compose.yml && docker-compose up -d
+ - name: Clone acmetest
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- name: Run acmetest
run: cd ../acmetest && ./letest.sh
\ No newline at end of file
diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml
new file mode 100644
index 00000000..77fdcc9a
--- /dev/null
+++ b/.github/workflows/Solaris.yml
@@ -0,0 +1,61 @@
+name: Solaris
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Solaris.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Solaris.yml'
+
+
+jobs:
+ Solaris:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: macos-10.15
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - uses: actions/checkout@v2
+ - uses: vmactions/cf-tunnel@v0.0.3
+ id: tunnel
+ with:
+ protocol: http
+ port: 8080
+ - name: Set envs
+ run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+ - name: Clone acmetest
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - uses: vmactions/solaris-vm@v0.0.5
+ with:
+ envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+ nat: |
+ "8080": "80"
+ prepare: pkgutil -y -i socat curl
+ run: |
+ cd ../acmetest \
+ && ./letest.sh
+
diff --git a/.github/workflows/Ubuntu.yml b/.github/workflows/Ubuntu.yml
new file mode 100644
index 00000000..4540580c
--- /dev/null
+++ b/.github/workflows/Ubuntu.yml
@@ -0,0 +1,86 @@
+name: Ubuntu
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Ubuntu.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Ubuntu.yml'
+
+
+jobs:
+ Ubuntu:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ - TEST_ACME_Server: "https://localhost:9000/acme/acme/directory"
+ CA_ECDSA: "Smallstep Intermediate CA"
+ CA: "Smallstep Intermediate CA"
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: ""
+ NO_REVOKE: 1
+ - TEST_ACME_Server: "https://localhost:9000/acme/acme/directory"
+ CA_ECDSA: "Smallstep Intermediate CA"
+ CA: "Smallstep Intermediate CA"
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: ""
+ NO_REVOKE: 1
+ TEST_IPCERT: 1
+ TestingDomain: "172.17.0.1"
+
+ runs-on: ubuntu-latest
+ env:
+ TEST_LOCAL: 1
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ NO_ECC_384: ${{ matrix.NO_ECC_384 }}
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ NO_REVOKE: ${{ matrix.NO_REVOKE }}
+ TEST_IPCERT: ${{ matrix.TEST_IPCERT }}
+ TestingDomain: ${{ matrix.TestingDomain }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install tools
+ run: sudo apt-get install -y socat
+ - name: Start StepCA
+ if: ${{ matrix.TEST_ACME_Server=='https://localhost:9000/acme/acme/directory' }}
+ run: |
+ docker run --rm -d \
+ -p 9000:9000 \
+ -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
+ -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
+ --name stepca \
+ smallstep/step-ca \
+ && sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \
+ && docker exec stepca kill -1 1 \
+ && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt"
+ - name: Clone acmetest
+ run: |
+ cd .. \
+ && git clone https://github.com/acmesh-official/acmetest.git \
+ && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ run: |
+ cd ../acmetest \
+ && sudo --preserve-env ./letest.sh
+
+
diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml
new file mode 100644
index 00000000..2d7eeeae
--- /dev/null
+++ b/.github/workflows/Windows.yml
@@ -0,0 +1,73 @@
+name: Windows
+on:
+ push:
+ branches:
+ - '*'
+ paths:
+ - '*.sh'
+ - '.github/workflows/Windows.yml'
+
+ pull_request:
+ branches:
+ - dev
+ paths:
+ - '*.sh'
+ - '.github/workflows/Windows.yml'
+
+
+jobs:
+ Windows:
+ strategy:
+ matrix:
+ include:
+ - TEST_ACME_Server: "LetsEncrypt.org_test"
+ CA_ECDSA: ""
+ CA: ""
+ CA_EMAIL: ""
+ TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+ - TEST_ACME_Server: "ZeroSSL.com"
+ CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+ CA: "ZeroSSL RSA Domain Secure Site CA"
+ CA_EMAIL: "githubtest@acme.sh"
+ TEST_PREFERRED_CHAIN: ""
+ runs-on: windows-latest
+ env:
+ TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+ CA_ECDSA: ${{ matrix.CA_ECDSA }}
+ CA: ${{ matrix.CA }}
+ CA_EMAIL: ${{ matrix.CA_EMAIL }}
+ TEST_LOCAL: 1
+ #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port.
+ Le_HTTPPort: 8888
+ TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+ steps:
+ - name: Set git to use LF
+ run: |
+ git config --global core.autocrlf false
+ - uses: actions/checkout@v2
+ - name: Install cygwin base packages with chocolatey
+ run: |
+ choco config get cacheLocation
+ choco install --no-progress cygwin
+ shell: cmd
+ - name: Install cygwin additional packages
+ run: |
+ C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd
+ shell: cmd
+ - name: Set ENV
+ shell: cmd
+ run: |
+ echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin;%PATH% >> %GITHUB_ENV%
+ - name: Check ENV
+ shell: cmd
+ run: |
+ echo "PATH=%PATH%"
+ - name: Clone acmetest
+ shell: cmd
+ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
+ - name: Run acmetest
+ shell: cmd
+ run: cd ../acmetest && bash.exe -c ./letest.sh
+
+
+
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index 89915af7..0c3aec0a 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -6,6 +6,11 @@ on:
- '*'
tags:
- '*'
+ paths:
+ - '**.sh'
+ - "Dockerfile"
+ - '.github/workflows/dockerhub.yml'
+
jobs:
CheckToken:
@@ -33,12 +38,10 @@ jobs:
steps:
- name: checkout code
uses: actions/checkout@v2
- - name: install buildx
- id: buildx
- uses: crazy-max/ghaction-docker-buildx@v3
- with:
- buildx-version: latest
- qemu-version: latest
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
- name: login to docker hub
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index b22a2fd8..940a187d 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -5,13 +5,13 @@ on:
- '*'
paths:
- '**.sh'
- - '**.yml'
+ - '.github/workflows/shellcheck.yml'
pull_request:
branches:
- dev
paths:
- '**.sh'
- - '**.yml'
+ - '.github/workflows/shellcheck.yml'
jobs:
ShellCheck:
diff --git a/Dockerfile b/Dockerfile
index 6b382242..fa11ea8a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,6 @@
-FROM alpine:3.12
+FROM alpine:3.15
-RUN apk update -f \
- && apk --no-cache add -f \
+RUN apk --no-cache add -f \
openssl \
openssh-client \
coreutils \
@@ -12,7 +11,8 @@ RUN apk update -f \
tzdata \
oath-toolkit-oathtool \
tar \
- && rm -rf /var/cache/apk/*
+ libidn \
+ jq
ENV LE_CONFIG_HOME /acme.sh
@@ -21,7 +21,7 @@ ARG AUTO_UPGRADE=1
ENV AUTO_UPGRADE $AUTO_UPGRADE
#Install
-ADD ./ /install_acme.sh/
+COPY ./ /install_acme.sh/
RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
@@ -41,6 +41,7 @@ RUN for verb in help \
revoke \
remove \
list \
+ info \
showcsr \
install-cronjob \
uninstall-cronjob \
@@ -56,6 +57,7 @@ RUN for verb in help \
deactivate-account \
set-notify \
set-default-ca \
+ set-default-chain \
; do \
printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
; done
diff --git a/README.md b/README.md
index cd747666..4a12d46a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,11 @@
# An ACME Shell script: acme.sh
-
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)
+[](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)
+
@@ -15,18 +20,18 @@
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
-- Support ACME v1 and ACME v2
-- Support ACME v2 wildcard certs
+- Support ECDSA certs
+- Support SAN and wildcard certs
- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
- Bash, dash and sh compatible.
-- Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
+- Purely written in Shell with no dependencies on python.
- Just one script to issue, renew and install your certificates automatically.
- DOES NOT require `root/sudoer` access.
-- Docker friendly
-- IPv6 support
+- Docker ready
+- IPv6 ready
- Cron job notifications for renewal or error etc.
-It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
+It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates.
Wiki: https://github.com/acmesh-official/acme.sh/wiki
@@ -57,38 +62,42 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
| NO | Status| Platform|
|----|-------|---------|
-|1|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Mac OSX
-|2|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Windows (cygwin with curl, openssl and crontab included)
-|3|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|FreeBSD
-|4|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Solaris
-|5|[](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)| Ubuntu
-|6|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|pfsense
-|7|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|OpenBSD
-|8|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)| Debian
-|9|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|CentOS
-|10|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|openSUSE
-|11|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Alpine Linux (with curl)
-|12|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Archlinux
-|13|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|fedora
-|14|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Kali Linux
-|15|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Oracle Linux
-|16|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
-|17|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111
-|18|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Mageia
-|19|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
-|20|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Gentoo Linux
-|21|[](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|ClearLinux
+|1|[](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)|Mac OSX
+|2|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)|Windows (cygwin with curl, openssl and crontab included)
+|3|[](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)|FreeBSD
+|4|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)|Solaris
+|5|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)| Ubuntu
+|6|NA|pfsense
+|7|NA|OpenBSD
+|8|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
+|9|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
+|10|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
+|11|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
+|12|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
+|13|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
+|14|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
+|15|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
+|16|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
+|17|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
+|18|[](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
+|19|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111
+|20|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
+|21|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
-For all build statuses, check our [weekly build project](https://github.com/acmesh-official/acmetest):
+
+Check our [testing project](https://github.com/acmesh-official/acmetest):
https://github.com/acmesh-official/acmetest
# Supported CA
-- Letsencrypt.org CA(default)
-- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
+- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default)
+- Letsencrypt.org CA
- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
+- [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA)
+- [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA)
- [Pebble strict Mode](https://github.com/letsencrypt/pebble)
+- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
# Supported modes
@@ -109,13 +118,13 @@ https://github.com/acmesh-official/acmetest
Check this project: https://github.com/acmesh-official/get.acme.sh
```bash
-curl https://get.acme.sh | sh
+curl https://get.acme.sh | sh -s email=my@example.com
```
Or:
```bash
-wget -O - https://get.acme.sh | sh
+wget -O - https://get.acme.sh | sh -s email=my@example.com
```
@@ -126,7 +135,7 @@ Clone this project and launch installation:
```bash
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
-./acme.sh --install
+./acme.sh --install -m my@example.com
```
You `don't have to be root` then, although `it is recommended`.
@@ -468,7 +477,7 @@ TODO:
### Code Contributors
-This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+This project exists thanks to all the people who contribute.
### Financial Contributors
diff --git a/acme.sh b/acme.sh
index dcbe3c9d..25e7ad20 100755
--- a/acme.sh
+++ b/acme.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env sh
-VER=2.8.8
+VER=3.0.3
PROJECT_NAME="acme.sh"
@@ -20,8 +20,7 @@ _SUB_FOLDER_DEPLOY="deploy"
_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
-LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
-LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
+CA_LETSENCRYPT_V1="https://acme-v01.api.letsencrypt.org/directory"
CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
@@ -30,20 +29,29 @@ CA_BUYPASS="https://api.buypass.com/acme/directory"
CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
CA_ZEROSSL="https://acme.zerossl.com/v2/DV90"
-_ZERO_EAB_ENDPOINT="http://api.zerossl.com/acme/eab-credentials-email"
+_ZERO_EAB_ENDPOINT="https://api.zerossl.com/acme/eab-credentials-email"
-DEFAULT_CA=$CA_LETSENCRYPT_V2
+CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
+CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
+
+CA_GOOGLE="https://dv.acme-v02.api.pki.goog/directory"
+CA_GOOGLE_TEST="https://dv.acme-v02.test-api.pki.goog/directory"
+
+DEFAULT_CA=$CA_ZEROSSL
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
CA_NAMES="
+ZeroSSL.com,zerossl
LetsEncrypt.org,letsencrypt
LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
BuyPass.com,buypass
BuyPass.com_test,buypass_test,buypasstest
-ZeroSSL.com,zerossl
+SSL.com,sslcom
+Google.com,google
+Google.com_test,googletest,google_test
"
-CA_SERVERS="$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_ZEROSSL"
+CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST"
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
@@ -56,6 +64,9 @@ VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"
VTYPE_ALPN="tls-alpn-01"
+ID_TYPE_DNS="dns"
+ID_TYPE_IP="ip"
+
LOCAL_ANY_ADDRESS="0.0.0.0"
DEFAULT_RENEW=60
@@ -74,8 +85,8 @@ NGINX="nginx:"
NGINX_START="#ACME_NGINX_START"
NGINX_END="#ACME_NGINX_END"
-BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
-END_CSR="-----END CERTIFICATE REQUEST-----"
+BEGIN_CSR="-----BEGIN [NEW ]\{0,4\}CERTIFICATE REQUEST-----"
+END_CSR="-----END [NEW ]\{0,4\}CERTIFICATE REQUEST-----"
BEGIN_CERT="-----BEGIN CERTIFICATE-----"
END_CERT="-----END CERTIFICATE-----"
@@ -102,6 +113,8 @@ DEBUG_LEVEL_NONE=0
DOH_CLOUDFLARE=1
DOH_GOOGLE=2
+DOH_ALI=3
+DOH_DP=4
HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
@@ -136,6 +149,8 @@ NOTIFY_MODE_CERT=1
NOTIFY_MODE_DEFAULT=$NOTIFY_MODE_BULK
+_BASE64_ENCODED_CFGS="Le_PreHook Le_PostHook Le_RenewHook Le_Preferred_Chain Le_ReloadCmd"
+
_DEBUG_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh"
_PREPARE_LINK="https://github.com/acmesh-official/acme.sh/wiki/Install-preparations"
@@ -156,10 +171,16 @@ _REVOKE_WIKI="https://github.com/acmesh-official/acme.sh/wiki/revokecert"
_ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA"
+_SSLCOM_WIKI="https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA"
+
_SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server"
_PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain"
+_VALIDITY_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Validity"
+
+_DNSCHECK_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnscheck"
+
_DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
_DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@@ -417,19 +438,27 @@ _secure_debug3() {
}
_upper_case() {
- # shellcheck disable=SC2018,SC2019
- tr 'a-z' 'A-Z'
+ if _is_solaris; then
+ tr '[:lower:]' '[:upper:]'
+ else
+ # shellcheck disable=SC2018,SC2019
+ tr 'a-z' 'A-Z'
+ fi
}
_lower_case() {
- # shellcheck disable=SC2018,SC2019
- tr 'A-Z' 'a-z'
+ if _is_solaris; then
+ tr '[:upper:]' '[:lower:]'
+ else
+ # shellcheck disable=SC2018,SC2019
+ tr 'A-Z' 'a-z'
+ fi
}
_startswith() {
_str="$1"
_sub="$2"
- echo "$_str" | grep "^$_sub" >/dev/null 2>&1
+ echo "$_str" | grep -- "^$_sub" >/dev/null 2>&1
}
_endswith() {
@@ -560,8 +589,16 @@ if _exists xargs && [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then
fi
_h2b() {
- if _exists xxd && xxd -r -p 2>/dev/null; then
- return
+ if _exists xxd; then
+ if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
+ if xxd -r -p -c 9999 2>/dev/null; then
+ return
+ fi
+ else
+ if xxd -r -p 2>/dev/null; then
+ return
+ fi
+ fi
fi
hex=$(cat)
@@ -1023,9 +1060,9 @@ _sign() {
_sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile "
- if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || grep "BEGIN PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+ if _isRSA "$keyfile" >/dev/null 2>&1; then
$_sign_openssl -$alg | _base64
- elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+ elif _isEcc "$keyfile" >/dev/null 2>&1; then
if ! _signedECText="$($_sign_openssl -sha$__ECC_KEY_LEN | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then
_err "Sign failed: $_sign_openssl"
_err "Key file: $keyfile"
@@ -1111,18 +1148,24 @@ _createkey() {
_debug "Use length $length"
- if ! touch "$f" >/dev/null 2>&1; then
- _f_path="$(dirname "$f")"
- _debug _f_path "$_f_path"
- if ! mkdir -p "$_f_path"; then
- _err "Can not create path: $_f_path"
+ if ! [ -e "$f" ]; then
+ if ! touch "$f" >/dev/null 2>&1; then
+ _f_path="$(dirname "$f")"
+ _debug _f_path "$_f_path"
+ if ! mkdir -p "$_f_path"; then
+ _err "Can not create path: $_f_path"
+ return 1
+ fi
+ fi
+ if ! touch "$f" >/dev/null 2>&1; then
return 1
fi
+ chmod 600 "$f"
fi
if _isEccKey "$length"; then
_debug "Using ec name: $eccname"
- if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -noout -genkey 2>/dev/null)"; then
echo "$_opkey" >"$f"
else
_err "error ecc key name: $eccname"
@@ -1130,7 +1173,11 @@ _createkey() {
fi
else
_debug "Using RSA: $length"
- if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
+ __traditional=""
+ if _contains "$(${ACME_OPENSSL_BIN:-openssl} help genrsa 2>&1)" "-traditional"; then
+ __traditional="-traditional"
+ fi
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa $__traditional "$length" 2>/dev/null)"; then
echo "$_opkey" >"$f"
else
_err "error rsa key: $length"
@@ -1197,23 +1244,32 @@ _createcsr() {
_debug2 csr "$csr"
_debug2 csrconf "$csrconf"
- printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
+ printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\n" >"$csrconf"
if [ "$acmeValidationv1" ]; then
domainlist="$(_idn "$domainlist")"
- printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
+ _debug2 domainlist "$domainlist"
+ alt=""
+ for dl in $(echo "$domainlist" | tr "," ' '); do
+ if [ "$alt" ]; then
+ alt="$alt,$(_getIdType "$dl" | _upper_case):$dl"
+ else
+ alt="$(_getIdType "$dl" | _upper_case):$dl"
+ fi
+ done
+ printf -- "\nsubjectAltName=$alt" >>"$csrconf"
elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
#single domain
_info "Single domain" "$domain"
- printf -- "\nsubjectAltName=DNS:$(_idn "$domain")" >>"$csrconf"
+ printf -- "\nsubjectAltName=$(_getIdType "$domain" | _upper_case):$(_idn "$domain")" >>"$csrconf"
else
domainlist="$(_idn "$domainlist")"
_debug2 domainlist "$domainlist"
- if _contains "$domainlist" ","; then
- alt="DNS:$(_idn "$domain"),DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
- else
- alt="DNS:$(_idn "$domain"),DNS:$domainlist"
- fi
+ alt="$(_getIdType "$domain" | _upper_case):$(_idn "$domain")"
+ for dl in $(echo "'$domainlist'" | sed "s/,/' '/g"); do
+ dl=$(echo "$dl" | tr -d "'")
+ alt="$alt,$(_getIdType "$dl" | _upper_case):$dl"
+ done
#multi
_info "Multi domain" "$alt"
printf -- "\nsubjectAltName=$alt" >>"$csrconf"
@@ -1230,9 +1286,17 @@ _createcsr() {
_csr_cn="$(_idn "$domain")"
_debug2 _csr_cn "$_csr_cn"
if _contains "$(uname -a)" "MINGW"; then
- ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr"
+ if _isIP "$_csr_cn"; then
+ ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//O=$PROJECT_NAME" -config "$csrconf" -out "$csr"
+ else
+ ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr"
+ fi
else
- ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
+ if _isIP "$_csr_cn"; then
+ ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/O=$PROJECT_NAME" -config "$csrconf" -out "$csr"
+ else
+ ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
+ fi
fi
}
@@ -1444,7 +1508,6 @@ _create_account_key() {
else
#generate account key
if _createkey "$length" "$ACCOUNT_KEY_PATH"; then
- chmod 600 "$ACCOUNT_KEY_PATH"
_info "Create account key ok."
return 0
else
@@ -1542,23 +1605,22 @@ _durl_replace_base64() {
_time2str() {
#BSD
- if date -u -r "$1" 2>/dev/null; then
+ if date -u -r "$1" -j "+%Y-%m-%dT%H:%M:%SZ" 2>/dev/null; then
return
fi
#Linux
- if date -u -d@"$1" 2>/dev/null; then
+ if date -u --date=@"$1" "+%Y-%m-%dT%H:%M:%SZ" 2>/dev/null; then
return
fi
#Solaris
- if _exists adb; then
- _t_s_a=$(echo "0t${1}=Y" | adb)
- echo "$_t_s_a"
+ if printf "%(%Y-%m-%dT%H:%M:%SZ)T\n" $1 2>/dev/null; then
+ return
fi
#Busybox
- if echo "$1" | awk '{ print strftime("%c", $0); }' 2>/dev/null; then
+ if echo "$1" | awk '{ print strftime("%Y-%m-%dT%H:%M:%SZ", $0); }' 2>/dev/null; then
return
fi
}
@@ -1581,6 +1643,24 @@ _stat() {
return 1 #error, 'stat' not found
}
+#keyfile
+_isRSA() {
+ keyfile=$1
+ if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" >/dev/null 2>&1; then
+ return 0
+ fi
+ return 1
+}
+
+#keyfile
+_isEcc() {
+ keyfile=$1
+ if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" >/dev/null 2>&1; then
+ return 0
+ fi
+ return 1
+}
+
#keyfile
_calcjwk() {
keyfile="$1"
@@ -1594,7 +1674,7 @@ _calcjwk() {
return 0
fi
- if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+ if _isRSA "$keyfile"; then
_debug "RSA key"
pub_exp=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
if [ "${#pub_exp}" = "5" ]; then
@@ -1616,7 +1696,7 @@ _calcjwk() {
JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}'
JWK_HEADERPLACE_PART1='{"nonce": "'
JWK_HEADERPLACE_PART2='", "alg": "RS256"'
- elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+ elif _isEcc "$keyfile"; then
_debug "EC key"
crv="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
_debug3 crv "$crv"
@@ -1699,6 +1779,27 @@ _time() {
date -u "+%s"
}
+#support 2 formats:
+# 2022-04-01 08:10:33 to 1648800633
+#or 2022-04-01T08:10:33Z to 1648800633
+_date2time() {
+ #Linux
+ if date -u -d "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then
+ return
+ fi
+
+ #Solaris
+ if gdate -u -d "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then
+ return
+ fi
+ #Mac/BSD
+ if date -u -j -f "%Y-%m-%d %H:%M:%S" "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then
+ return
+ fi
+ _err "Can not parse _date2time $1"
+ return 1
+}
+
_utc_date() {
date -u "+%Y-%m-%d %H:%M:%S"
}
@@ -1749,7 +1850,7 @@ _inithttp() {
if [ -z "$ACME_HTTP_NO_REDIRECTS" ]; then
_ACME_CURL="$_ACME_CURL -L "
fi
- if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
+ if [ "$DEBUG" ] && [ "$DEBUG" -ge 2 ]; then
_CURL_DUMP="$(_mktemp)"
_ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
fi
@@ -1771,7 +1872,9 @@ _inithttp() {
_ACME_WGET="$_ACME_WGET --max-redirect 0 "
fi
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
- _ACME_WGET="$_ACME_WGET -d "
+ if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--debug"; then
+ _ACME_WGET="$_ACME_WGET -d "
+ fi
fi
if [ "$CA_PATH" ]; then
_ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH "
@@ -2024,7 +2127,7 @@ _send_signed_request() {
if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then
_headers="$(cat "$HTTP_HEADER")"
_debug2 _headers "$_headers"
- _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
fi
fi
if [ -z "$_CACHED_NONCE" ]; then
@@ -2056,17 +2159,15 @@ _send_signed_request() {
_sleep 2
continue
fi
- if [ "$ACME_VERSION" = "2" ]; then
- if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
- elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
- else
- protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
- fi
- else
+
+ if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+ elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+ else
+ protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
fi
+
_debug3 protected "$protected"
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
@@ -2104,7 +2205,7 @@ _send_signed_request() {
fi
_debug2 response "$response"
- _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+ _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
if ! _startswith "$code" "2"; then
_body="$response"
@@ -2119,6 +2220,12 @@ _send_signed_request() {
_sleep $_sleep_retry_sec
continue
fi
+ if _contains "$_body" "The Replay Nonce is not recognized"; then
+ _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
+ _CACHED_NONCE=""
+ _sleep $_sleep_retry_sec
+ continue
+ fi
fi
return 0
done
@@ -2246,7 +2353,7 @@ _getdeployconf() {
return 0 # do nothing
fi
_saved=$(_readdomainconf "SAVED_$_rac_key")
- eval "export $_rac_key=\"$_saved\""
+ eval "export $_rac_key=\"\$_saved\""
}
#_saveaccountconf key value base64encode
@@ -2277,6 +2384,13 @@ _clearaccountconf() {
_clear_conf "$ACCOUNT_CONF_PATH" "$1"
}
+#key
+_clearaccountconf_mutable() {
+ _clearaccountconf "SAVED_$1"
+ #remove later
+ _clearaccountconf "$1"
+}
+
#_savecaconf key value
_savecaconf() {
_save_conf "$CA_CONF" "$1" "$2"
@@ -2330,7 +2444,7 @@ _startserver() {
echo 'HTTP/1.0 200 OK'; \
echo 'Content-Length\: $_content_len'; \
echo ''; \
-printf -- '$content';" &
+printf '%s' '$content';" &
serverproc="$!"
}
@@ -2505,76 +2619,56 @@ __initHome() {
fi
}
+_clearAPI() {
+ ACME_NEW_ACCOUNT=""
+ ACME_KEY_CHANGE=""
+ ACME_NEW_AUTHZ=""
+ ACME_NEW_ORDER=""
+ ACME_REVOKE_CERT=""
+ ACME_NEW_NONCE=""
+ ACME_AGREEMENT=""
+}
+
#server
_initAPI() {
_api_server="${1:-$ACME_DIRECTORY}"
_debug "_init api for server: $_api_server"
- if [ -z "$ACME_NEW_ACCOUNT" ]; then
+ MAX_API_RETRY_TIMES=10
+ _sleep_retry_sec=10
+ _request_retry_times=0
+ while [ -z "$ACME_NEW_ACCOUNT" ] && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do
+ _request_retry_times=$(_math "$_request_retry_times" + 1)
response=$(_get "$_api_server")
if [ "$?" != "0" ]; then
_debug2 "response" "$response"
- _err "Can not init api."
- return 1
+ _info "Can not init api for: $_api_server."
+ _info "Sleep $_sleep_retry_sec and retry."
+ _sleep "$_sleep_retry_sec"
+ continue
fi
response=$(echo "$response" | _json_decode)
_debug2 "response" "$response"
- ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_KEY_CHANGE" ]; then
- ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_KEY_CHANGE
- ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_NEW_AUTHZ" ]; then
- ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_AUTHZ
- ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ORDER_RES="new-cert"
- if [ -z "$ACME_NEW_ORDER" ]; then
- ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ORDER_RES="new-order"
- if [ -z "$ACME_NEW_ORDER" ]; then
- ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
- fi
+ ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_ORDER
- export ACME_NEW_ORDER_RES
- ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ACCOUNT_RES="new-reg"
- if [ -z "$ACME_NEW_ACCOUNT" ]; then
- ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
- ACME_NEW_ACCOUNT_RES="new-account"
- if [ -z "$ACME_NEW_ACCOUNT" ]; then
- ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ "$ACME_NEW_ACCOUNT" ]; then
- export ACME_VERSION=2
- fi
- fi
- fi
+ ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_ACCOUNT
- export ACME_NEW_ACCOUNT_RES
- ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_REVOKE_CERT" ]; then
- ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_REVOKE_CERT
- ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_NEW_NONCE" ]; then
- ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_NONCE
- ACME_AGREEMENT=$(echo "$response" | _egrep_o 'terms-of-service" *: *"[^"]*"' | cut -d '"' -f 3)
- if [ -z "$ACME_AGREEMENT" ]; then
- ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
- fi
+ ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_AGREEMENT
_debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
@@ -2584,9 +2678,17 @@ _initAPI() {
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
_debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
_debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
- _debug "ACME_VERSION" "$ACME_VERSION"
-
+ if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
+ return 0
+ fi
+ _info "Sleep $_sleep_retry_sec and retry."
+ _sleep "$_sleep_retry_sec"
+ done
+ if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
+ return 0
fi
+ _err "Can not init api, for $_api_server"
+ return 1
}
#[domain] [keylength or isEcc flag]
@@ -2630,15 +2732,44 @@ _initpath() {
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
- CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
+ _ACME_SERVER_PATH="$(echo "$ACME_DIRECTORY" | cut -d : -f 2- | tr -s / | cut -d / -f 3-)"
+ _debug2 "_ACME_SERVER_PATH" "$_ACME_SERVER_PATH"
+ CA_DIR="$CA_HOME/$_ACME_SERVER_HOST/$_ACME_SERVER_PATH"
_DEFAULT_CA_CONF="$CA_DIR/ca.conf"
-
if [ -z "$CA_CONF" ]; then
CA_CONF="$_DEFAULT_CA_CONF"
fi
_debug3 CA_CONF "$CA_CONF"
+ _OLD_CADIR="$CA_HOME/$_ACME_SERVER_HOST"
+ _OLD_ACCOUNT_KEY="$_OLD_CADIR/account.key"
+ _OLD_ACCOUNT_JSON="$_OLD_CADIR/account.json"
+ _OLD_CA_CONF="$_OLD_CADIR/ca.conf"
+
+ _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
+ _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
+ if [ -z "$ACCOUNT_KEY_PATH" ]; then
+ ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
+ if [ -f "$_OLD_ACCOUNT_KEY" ] && ! [ -f "$ACCOUNT_KEY_PATH" ]; then
+ mkdir -p "$CA_DIR"
+ mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+ fi
+ fi
+
+ if [ -z "$ACCOUNT_JSON_PATH" ]; then
+ ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
+ if [ -f "$_OLD_ACCOUNT_JSON" ] && ! [ -f "$ACCOUNT_JSON_PATH" ]; then
+ mkdir -p "$CA_DIR"
+ mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+ fi
+ fi
+
+ if [ -f "$_OLD_CA_CONF" ] && ! [ -f "$CA_CONF" ]; then
+ mkdir -p "$CA_DIR"
+ mv "$_OLD_CA_CONF" "$CA_CONF"
+ fi
+
if [ -f "$CA_CONF" ]; then
. "$CA_CONF"
fi
@@ -2659,19 +2790,6 @@ _initpath() {
HTTP_HEADER="$LE_CONFIG_HOME/http.header"
fi
- _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
- _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
-
- _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
- _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
- if [ -z "$ACCOUNT_KEY_PATH" ]; then
- ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
- fi
-
- if [ -z "$ACCOUNT_JSON_PATH" ]; then
- ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
- fi
-
_DEFAULT_CERT_HOME="$LE_CONFIG_HOME"
if [ -z "$CERT_HOME" ]; then
CERT_HOME="$_DEFAULT_CERT_HOME"
@@ -3069,6 +3187,11 @@ _checkConf() {
_debug "Try include files"
for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
_debug "check included $included"
+ if ! _startswith "$included" "/" && _exists dirname; then
+ _relpath="$(dirname "$2")"
+ _debug "_relpath" "$_relpath"
+ included="$_relpath/$included"
+ fi
if _checkConf "$1" "$included"; then
return 0
fi
@@ -3279,6 +3402,8 @@ _on_before_issue() {
if [ "$_chk_pre_hook" ]; then
_info "Run pre hook:'$_chk_pre_hook'"
if ! (
+ export Le_Domain="$_chk_main_domain"
+ export Le_Alt="$_chk_alt_domains"
cd "$DOMAIN_PATH" && eval "$_chk_pre_hook"
); then
_err "Error when run pre hook."
@@ -3340,7 +3465,7 @@ _on_before_issue() {
_netprc="$(_ss "$_checkport" | grep "$_checkport")"
netprc="$(echo "$_netprc" | grep "$_checkaddr")"
if [ -z "$netprc" ]; then
- netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
+ netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS:$_checkport")"
fi
if [ "$netprc" ]; then
_err "$netprc"
@@ -3497,15 +3622,6 @@ _regAccount() {
_initAPI
mkdir -p "$CA_DIR"
- if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
- _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
- mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
- fi
-
- if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
- _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
- mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
- fi
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
if ! _create_account_key "$_reg_length"; then
@@ -3529,68 +3645,66 @@ _regAccount() {
if [ "$_email" ]; then
_savecaconf "CA_EMAIL" "$_email"
fi
- if [ "$ACME_VERSION" = "2" ]; then
- if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
- if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
- _info "No EAB credentials found for ZeroSSL, let's get one"
- if [ -z "$_email" ]; then
- _err "Please provide a email address for ZeroSSL account."
- _err "See ZeroSSL usage: $_ZEROSSL_WIKI"
- return 1
- fi
- _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
- if [ "$?" != "0" ]; then
- _debug2 "$_eabresp"
- _err "Can not get EAB credentials from ZeroSSL."
- return 1
- fi
- _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
- if [ -z "$_eab_id" ]; then
- _err "Can not resolve _eab_id"
- return 1
- fi
- _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
- if [ -z "$_eab_hmac_key" ]; then
- _err "Can not resolve _eab_hmac_key"
- return 1
- fi
- _savecaconf CA_EAB_KEY_ID "$_eab_id"
- _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
+
+ if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
+ if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
+ _info "No EAB credentials found for ZeroSSL, let's get one"
+ if [ -z "$_email" ]; then
+ _info "$(__green "$PROJECT_NAME is using ZeroSSL as default CA now.")"
+ _info "$(__green "Please update your account with an email address first.")"
+ _info "$(__green "$PROJECT_ENTRY --register-account -m my@example.com")"
+ _info "See: $(__green "$_ZEROSSL_WIKI")"
+ return 1
fi
- fi
- if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
- eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
- _debug3 eab_protected "$eab_protected"
-
- eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
- _debug3 eab_protected64 "$eab_protected64"
-
- eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
- _debug3 eab_payload64 "$eab_payload64"
-
- eab_sign_t="$eab_protected64.$eab_payload64"
- _debug3 eab_sign_t "$eab_sign_t"
-
- key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
- _debug3 key_hex "$key_hex"
-
- eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
- _debug3 eab_signature "$eab_signature"
-
- externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
- _debug3 externalBinding "$externalBinding"
- fi
- if [ "$_email" ]; then
- email_sg="\"contact\": [\"mailto:$_email\"], "
- fi
- regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
- else
- _reg_res="$ACME_NEW_ACCOUNT_RES"
- regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
- if [ "$_email" ]; then
- regjson='{"resource": "'$_reg_res'", "contact": ["mailto:'$_email'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
+ _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
+ if [ "$?" != "0" ]; then
+ _debug2 "$_eabresp"
+ _err "Can not get EAB credentials from ZeroSSL."
+ return 1
+ fi
+ _secure_debug2 _eabresp "$_eabresp"
+ _eab_id="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
+ _secure_debug2 _eab_id "$_eab_id"
+ if [ -z "$_eab_id" ]; then
+ _err "Can not resolve _eab_id"
+ return 1
+ fi
+ _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
+ _secure_debug2 _eab_hmac_key "$_eab_hmac_key"
+ if [ -z "$_eab_hmac_key" ]; then
+ _err "Can not resolve _eab_hmac_key"
+ return 1
+ fi
+ _savecaconf CA_EAB_KEY_ID "$_eab_id"
+ _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
fi
fi
+ if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
+ eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
+ _debug3 eab_protected "$eab_protected"
+
+ eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
+ _debug3 eab_protected64 "$eab_protected64"
+
+ eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
+ _debug3 eab_payload64 "$eab_payload64"
+
+ eab_sign_t="$eab_protected64.$eab_payload64"
+ _debug3 eab_sign_t "$eab_sign_t"
+
+ key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 multi | _hex_dump | tr -d ' ')"
+ _debug3 key_hex "$key_hex"
+
+ eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
+ _debug3 eab_signature "$eab_signature"
+
+ externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
+ _debug3 externalBinding "$externalBinding"
+ fi
+ if [ "$_email" ]; then
+ email_sg="\"contact\": [\"mailto:$_email\"], "
+ fi
+ regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
_info "Registering account: $ACME_DIRECTORY"
@@ -3645,16 +3759,6 @@ _regAccount() {
updateaccount() {
_initpath
- if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
- _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
- mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
- fi
-
- if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
- _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
- mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
- fi
-
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1
@@ -3675,25 +3779,18 @@ updateaccount() {
_initAPI
_email="$(_getAccountEmail)"
- if [ "$ACME_VERSION" = "2" ]; then
- if [ "$ACCOUNT_EMAIL" ]; then
- updjson='{"contact": ["mailto:'$_email'"]}'
- else
- updjson='{"contact": []}'
- fi
+
+ if [ "$_email" ]; then
+ updjson='{"contact": ["mailto:'$_email'"]}'
else
- # ACMEv1: Updates happen the same way a registration is done.
- # https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.3
- _regAccount
- return
+ updjson='{"contact": []}'
fi
- # this part handles ACMEv2 account updates.
_send_signed_request "$_accUri" "$updjson"
if [ "$code" = '200' ]; then
echo "$response" >"$ACCOUNT_JSON_PATH"
- _info "account update success for $_accUri."
+ _info "Account update success for $_accUri."
else
_info "Error. The account was not updated."
return 1
@@ -3704,16 +3801,6 @@ updateaccount() {
deactivateaccount() {
_initpath
- if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
- _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
- mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
- fi
-
- if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
- _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
- mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
- fi
-
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1
@@ -3733,11 +3820,8 @@ deactivateaccount() {
fi
_initAPI
- if [ "$ACME_VERSION" = "2" ]; then
- _djson="{\"status\":\"deactivated\"}"
- else
- _djson="{\"resource\": \"reg\", \"status\":\"deactivated\"}"
- fi
+ _djson="{\"status\":\"deactivated\"}"
+
if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then
_info "Deactivate account success for $_accUri."
_accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
@@ -3842,11 +3926,9 @@ __trigger_validation() {
_debug2 _t_key_authz "$_t_key_authz"
_t_vtype="$3"
_debug2 _t_vtype "$_t_vtype"
- if [ "$ACME_VERSION" = "2" ]; then
- _send_signed_request "$_t_url" "{}"
- else
- _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
- fi
+
+ _send_signed_request "$_t_url" "{}"
+
}
#endpoint domain type
@@ -3889,7 +3971,15 @@ _ns_purge_cf() {
#checks if cf server is available
_ns_is_available_cf() {
- if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
+ if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+_ns_is_available_google() {
+ if _get "https://dns.google" "" 1 >/dev/null 2>&1; then
return 0
else
return 1
@@ -3904,6 +3994,38 @@ _ns_lookup_google() {
_ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
}
+_ns_is_available_ali() {
+ if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#domain, type
+_ns_lookup_ali() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://dns.alidns.com/resolve"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
+_ns_is_available_dp() {
+ if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#dnspod
+_ns_lookup_dp() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://doh.pub/dns-query"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
#domain, type
_ns_lookup() {
if [ -z "$DOH_USE" ]; then
@@ -3911,16 +4033,30 @@ _ns_lookup() {
if _ns_is_available_cf; then
_debug "Use cloudflare doh server"
export DOH_USE=$DOH_CLOUDFLARE
- else
+ elif _ns_is_available_google; then
_debug "Use google doh server"
export DOH_USE=$DOH_GOOGLE
+ elif _ns_is_available_ali; then
+ _debug "Use aliyun doh server"
+ export DOH_USE=$DOH_ALI
+ elif _ns_is_available_dp; then
+ _debug "Use dns pod doh server"
+ export DOH_USE=$DOH_DP
+ else
+ _err "No doh"
fi
fi
if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
_ns_lookup_cf "$@"
- else
+ elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then
_ns_lookup_google "$@"
+ elif [ "$DOH_USE" = "$DOH_ALI" ]; then
+ _ns_lookup_ali "$@"
+ elif [ "$DOH_USE" = "$DOH_DP" ]; then
+ _ns_lookup_dp "$@"
+ else
+ _err "Unknown doh provider: DOH_USE=$DOH_USE"
fi
}
@@ -3945,7 +4081,7 @@ __purge_txt() {
if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
_ns_purge_cf "$_p_txtdomain" "TXT"
else
- _debug "no purge api for google dns api, just sleep 5 secs"
+ _debug "no purge api for this doh api, just sleep 5 secs"
_sleep 5
fi
@@ -3958,6 +4094,8 @@ _check_dns_entries() {
_end_time="$(_math "$_end_time" + 1200)" #let's check no more than 20 minutes.
while [ "$(_time)" -le "$_end_time" ]; do
+ _info "You can use '--dnssleep' to disable public dns checks."
+ _info "See: $_DNSCHECK_WIKI"
_left=""
for entry in $dns_entries; do
d=$(_getfield "$entry" 1)
@@ -4005,12 +4143,42 @@ _check_dns_entries() {
}
#file
-_get_cert_issuers() {
+_get_chain_issuers() {
_cfile="$1"
- if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
- ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+ if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+ ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else
- ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+ _cindex=1
+ for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+ _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+ _debug2 "_startn" "$_startn"
+ _debug2 "_endn" "$_endn"
+ if [ "$DEBUG" ]; then
+ _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+ fi
+ sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+ _cindex=$(_math $_cindex + 1)
+ done
+ fi
+}
+
+#
+_get_chain_subjects() {
+ _cfile="$1"
+ if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+ ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+ else
+ _cindex=1
+ for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+ _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+ _debug2 "_startn" "$_startn"
+ _debug2 "_endn" "$_endn"
+ if [ "$DEBUG" ]; then
+ _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+ fi
+ sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+ _cindex=$(_math $_cindex + 1)
+ done
fi
}
@@ -4018,14 +4186,81 @@ _get_cert_issuers() {
_match_issuer() {
_cfile="$1"
_missuer="$2"
- _fissuers="$(_get_cert_issuers $_cfile)"
+ _fissuers="$(_get_chain_issuers $_cfile)"
_debug2 _fissuers "$_fissuers"
- if _contains "$_fissuers" "$_missuer"; then
- return 0
- fi
- _fissuers="$(echo "$_fissuers" | _lower_case)"
+ _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
+ _debug2 _rootissuer "$_rootissuer"
_missuer="$(echo "$_missuer" | _lower_case)"
- _contains "$_fissuers" "$_missuer"
+ _contains "$_rootissuer" "$_missuer"
+}
+
+#ip
+_isIPv4() {
+ for seg in $(echo "$1" | tr '.' ' '); do
+ _debug2 seg "$seg"
+ if [ "$(echo "$seg" | tr -d [0-9])" ]; then
+ #not all number
+ return 1
+ fi
+ if [ $seg -ge 0 ] && [ $seg -lt 256 ]; then
+ continue
+ fi
+ return 1
+ done
+ return 0
+}
+
+#ip6
+_isIPv6() {
+ _contains "$1" ":"
+}
+
+#ip
+_isIP() {
+ _isIPv4 "$1" || _isIPv6 "$1"
+}
+
+#identifier
+_getIdType() {
+ if _isIP "$1"; then
+ echo "$ID_TYPE_IP"
+ else
+ echo "$ID_TYPE_DNS"
+ fi
+}
+
+# beginTime dateTo
+# beginTime is full string format("2022-04-01T08:10:33Z"), beginTime can be empty, to use current time
+# dateTo can be ether in full string format("2022-04-01T08:10:33Z") or in delta format(+5d or +20h)
+_convertValidaty() {
+ _beginTime="$1"
+ _dateTo="$2"
+ _debug2 "_beginTime" "$_beginTime"
+ _debug2 "_dateTo" "$_dateTo"
+
+ if _startswith "$_dateTo" "+"; then
+ _v_begin=$(_time)
+ if [ "$_beginTime" ]; then
+ _v_begin="$(_date2time "$_beginTime")"
+ fi
+ _debug2 "_v_begin" "$_v_begin"
+ if _endswith "$_dateTo" "h"; then
+ _v_end=$(_math "$_v_begin + 60 * 60 * $(echo "$_dateTo" | tr -d '+h')")
+ elif _endswith "$_dateTo" "d"; then
+ _v_end=$(_math "$_v_begin + 60 * 60 * 24 * $(echo "$_dateTo" | tr -d '+d')")
+ else
+ _err "Not recognized format for _dateTo: $_dateTo"
+ return 1
+ fi
+ _debug2 "_v_end" "$_v_end"
+ _time2str "$_v_end"
+ else
+ if [ "$(_time)" -gt "$(_date2time "$_dateTo")" ]; then
+ _err "The validaty to is in the past: _dateTo = $_dateTo"
+ return 1
+ fi
+ echo "$_dateTo"
+ fi
}
#webroot, domain domainlist keylength
@@ -4061,10 +4296,16 @@ issue() {
_local_addr="${13}"
_challenge_alias="${14}"
_preferred_chain="${15}"
+ _valid_from="${16}"
+ _valid_to="${17}"
if [ -z "$_ACME_IS_RENEW" ]; then
_initpath "$_main_domain" "$_key_length"
mkdir -p "$DOMAIN_PATH"
+ elif ! _hasfield "$_web_roots" "$W_DNS"; then
+ Le_OrderFinalize=""
+ Le_LinkOrder=""
+ Le_LinkCert=""
fi
if _hasfield "$_web_roots" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then
@@ -4072,10 +4313,6 @@ issue() {
return 1
fi
- _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
-
- _initAPI
-
if [ -f "$DOMAIN_CONF" ]; then
Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
_debug Le_NextRenewTime "$Le_NextRenewTime"
@@ -4084,7 +4321,13 @@ issue() {
_debug _saved_domain "$_saved_domain"
_saved_alt=$(_readdomainconf Le_Alt)
_debug _saved_alt "$_saved_alt"
- if [ "$_saved_domain,$_saved_alt" = "$_main_domain,$_alt_domains" ]; then
+ _normized_saved_domains="$(echo "$_saved_domain,$_saved_alt" | tr "," "\n" | sort | tr '\n' ',')"
+ _debug _normized_saved_domains "$_normized_saved_domains"
+
+ _normized_domains="$(echo "$_main_domain,$_alt_domains" | tr "," "\n" | sort | tr '\n' ',')"
+ _debug _normized_domains "$_normized_domains"
+
+ if [ "$_normized_saved_domains" = "$_normized_domains" ]; then
_info "Domains not changed."
_info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
_info "Add '$(__red '--force')' to force to renew."
@@ -4095,6 +4338,11 @@ issue() {
fi
fi
+ _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
+ if ! _initAPI; then
+ return 1
+ fi
+
_savedomainconf "Le_Domain" "$_main_domain"
_savedomainconf "Le_Alt" "$_alt_domains"
_savedomainconf "Le_Webroot" "$_web_roots"
@@ -4178,74 +4426,112 @@ issue() {
sep='#'
dvsep=','
if [ -z "$vlist" ]; then
- if [ "$ACME_VERSION" = "2" ]; then
- #make new order request
- _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
- _w_index=1
- while true; do
- d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
- _w_index="$(_math "$_w_index" + 1)"
- _debug d "$d"
- if [ -z "$d" ]; then
- break
- fi
- _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
- done
- _debug2 _identifiers "$_identifiers"
- if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
- _err "Create new order error."
- _clearup
- _on_issue_err "$_post_hook"
+ #make new order request
+ _identifiers="{\"type\":\"$(_getIdType "$_main_domain")\",\"value\":\"$(_idn "$_main_domain")\"}"
+ _w_index=1
+ while true; do
+ d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+ _w_index="$(_math "$_w_index" + 1)"
+ _debug d "$d"
+ if [ -z "$d" ]; then
+ break
+ fi
+ _identifiers="$_identifiers,{\"type\":\"$(_getIdType "$d")\",\"value\":\"$(_idn "$d")\"}"
+ done
+ _debug2 _identifiers "$_identifiers"
+ _notBefore=""
+ _notAfter=""
+
+ if [ "$_valid_from" ]; then
+ _savedomainconf "Le_Valid_From" "$_valid_from"
+ _debug2 "_valid_from" "$_valid_from"
+ _notBefore="$(_convertValidaty "" "$_valid_from")"
+ if [ "$?" != "0" ]; then
+ _err "Can not parse _valid_from: $_valid_from"
return 1
fi
- Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
- _debug Le_LinkOrder "$Le_LinkOrder"
- Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
- _debug Le_OrderFinalize "$Le_OrderFinalize"
- if [ -z "$Le_OrderFinalize" ]; then
- _err "Create new order error. Le_OrderFinalize not found. $response"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
+ if [ "$(_time)" -gt "$(_date2time "$_notBefore")" ]; then
+ _notBefore=""
fi
-
- #for dns manual mode
- _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
-
- _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
- _debug2 _authorizations_seg "$_authorizations_seg"
- if [ -z "$_authorizations_seg" ]; then
- _err "_authorizations_seg not found."
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
-
- #domain and authz map
- _authorizations_map=""
- for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
- _debug2 "_authz_url" "$_authz_url"
- if ! _send_signed_request "$_authz_url"; then
- _err "get to authz error."
- _err "_authorizations_seg" "$_authorizations_seg"
- _err "_authz_url" "$_authz_url"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
-
- response="$(echo "$response" | _normalizeJson)"
- _debug2 response "$response"
- _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
- if _contains "$response" "\"wildcard\" *: *true"; then
- _d="*.$_d"
- fi
- _debug2 _d "$_d"
- _authorizations_map="$_d,$response
-$_authorizations_map"
- done
- _debug2 _authorizations_map "$_authorizations_map"
+ else
+ _cleardomainconf "Le_Valid_From"
fi
+ _debug2 _notBefore "$_notBefore"
+
+ if [ "$_valid_to" ]; then
+ _debug2 "_valid_to" "$_valid_to"
+ _savedomainconf "Le_Valid_To" "$_valid_to"
+ _notAfter="$(_convertValidaty "$_notBefore" "$_valid_to")"
+ if [ "$?" != "0" ]; then
+ _err "Can not parse _valid_to: $_valid_to"
+ return 1
+ fi
+ else
+ _cleardomainconf "Le_Valid_To"
+ fi
+ _debug2 "_notAfter" "$_notAfter"
+
+ _newOrderObj="{\"identifiers\": [$_identifiers]"
+ if [ "$_notBefore" ]; then
+ _newOrderObj="$_newOrderObj,\"notBefore\": \"$_notBefore\""
+ fi
+ if [ "$_notAfter" ]; then
+ _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\""
+ fi
+ if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then
+ _err "Create new order error."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+ _debug Le_LinkOrder "$Le_LinkOrder"
+ Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_OrderFinalize "$Le_OrderFinalize"
+ if [ -z "$Le_OrderFinalize" ]; then
+ _err "Create new order error. Le_OrderFinalize not found. $response"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ #for dns manual mode
+ _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
+
+ _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _debug2 _authorizations_seg "$_authorizations_seg"
+ if [ -z "$_authorizations_seg" ]; then
+ _err "_authorizations_seg not found."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ #domain and authz map
+ _authorizations_map=""
+ for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
+ _debug2 "_authz_url" "$_authz_url"
+ if ! _send_signed_request "$_authz_url"; then
+ _err "get to authz error."
+ _err "_authorizations_seg" "$_authorizations_seg"
+ _err "_authz_url" "$_authz_url"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ response="$(echo "$response" | _normalizeJson)"
+ _debug2 response "$response"
+ _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
+ if _contains "$response" "\"wildcard\" *: *true"; then
+ _d="*.$_d"
+ fi
+ _debug2 _d "$_d"
+ _authorizations_map="$_d,$response
+$_authorizations_map"
+ done
+ _debug2 _authorizations_map "$_authorizations_map"
_index=0
_currentRoot=""
@@ -4276,33 +4562,25 @@ $_authorizations_map"
vtype="$VTYPE_ALPN"
fi
- if [ "$ACME_VERSION" = "2" ]; then
- _idn_d="$(_idn "$d")"
- _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
- _debug2 _candidates "$_candidates"
- if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
- for _can in $_candidates; do
- if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
- _candidates="$_can"
- break
- fi
- done
- fi
- response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
- _debug2 "response" "$response"
- if [ -z "$response" ]; then
- _err "get to authz error."
- _err "_authorizations_map" "$_authorizations_map"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
- else
- if ! __get_domain_new_authz "$d"; then
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
+ _idn_d="$(_idn "$d")"
+ _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
+ _debug2 _candidates "$_candidates"
+ if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
+ for _can in $_candidates; do
+ if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+ _candidates="$_can"
+ break
+ fi
+ done
+ fi
+ response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
+ _debug2 "response" "$response"
+ if [ -z "$response" ]; then
+ _err "get to authz error."
+ _err "_authorizations_map" "$_authorizations_map"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
fi
if [ -z "$thumbprint" ]; then
@@ -4343,11 +4621,9 @@ $_authorizations_map"
_on_issue_err "$_post_hook"
return 1
fi
- if [ "$ACME_VERSION" = "2" ]; then
- uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
- else
- uri="$(echo "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
- fi
+
+ uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+
_debug uri "$uri"
if [ -z "$uri" ]; then
@@ -4642,36 +4918,14 @@ $_authorizations_map"
return 1
fi
- _debug "sleep 2 secs to verify"
- sleep 2
- _debug "checking"
- if [ "$ACME_VERSION" = "2" ]; then
- _send_signed_request "$uri"
- else
- response="$(_get "$uri")"
- fi
- if [ "$?" != "0" ]; then
- _err "$d:Verify error:$response"
- _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
- _clearup
- _on_issue_err "$_post_hook" "$vlist"
- return 1
- fi
_debug2 original "$response"
response="$(echo "$response" | _normalizeJson)"
_debug2 response "$response"
status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
- if [ "$status" = "valid" ]; then
- _info "$(__green Success)"
- _stopserver "$serverproc"
- serverproc=""
- _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
- break
- fi
-
- if [ "$status" = "invalid" ]; then
+ _debug2 status "$status"
+ if _contains "$status" "invalid"; then
error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
_debug2 error "$error"
errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
@@ -4693,10 +4947,18 @@ $_authorizations_map"
return 1
fi
+ if _contains "$status" "valid"; then
+ _info "$(__green Success)"
+ _stopserver "$serverproc"
+ serverproc=""
+ _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+ break
+ fi
+
if [ "$status" = "pending" ]; then
- _info "Pending"
+ _info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
elif [ "$status" = "processing" ]; then
- _info "Processing"
+ _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
else
_err "$d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@@ -4704,7 +4966,19 @@ $_authorizations_map"
_on_issue_err "$_post_hook" "$vlist"
return 1
fi
+ _debug "sleep 2 secs to verify again"
+ sleep 2
+ _debug "checking"
+ _send_signed_request "$uri"
+
+ if [ "$?" != "0" ]; then
+ _err "$d:Verify error:$response"
+ _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+ _clearup
+ _on_issue_err "$_post_hook" "$vlist"
+ return 1
+ fi
done
done
@@ -4713,138 +4987,129 @@ $_authorizations_map"
_info "Verify finished, start to sign."
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
- if [ "$ACME_VERSION" = "2" ]; then
- _info "Lets finalize the order."
- _info "Le_OrderFinalize" "$Le_OrderFinalize"
- if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
- _err "Sign failed."
- _on_issue_err "$_post_hook"
- return 1
- fi
- if [ "$code" != "200" ]; then
- _err "Sign failed, finalize code is not 200."
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
- fi
- if [ -z "$Le_LinkOrder" ]; then
- Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
- fi
+ _info "Lets finalize the order."
+ _info "Le_OrderFinalize" "$Le_OrderFinalize"
+ if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
+ _err "Sign failed."
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ "$code" != "200" ]; then
+ _err "Sign failed, finalize code is not 200."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ if [ -z "$Le_LinkOrder" ]; then
+ Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
+ fi
- _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
+ _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
- _link_cert_retry=0
- _MAX_CERT_RETRY=30
- while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
- if _contains "$response" "\"status\":\"valid\""; then
- _debug "Order status is valid."
- Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
- _debug Le_LinkCert "$Le_LinkCert"
- if [ -z "$Le_LinkCert" ]; then
- _err "Sign error, can not find Le_LinkCert"
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
- fi
- break
- elif _contains "$response" "\"processing\""; then
- _info "Order status is processing, lets sleep and retry."
- _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
- _debug "_retryafter" "$_retryafter"
- if [ "$_retryafter" ]; then
- _info "Retry after: $_retryafter"
- _sleep $_retryafter
- else
- _sleep 2
- fi
+ _link_cert_retry=0
+ _MAX_CERT_RETRY=30
+ while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+ if _contains "$response" "\"status\":\"valid\""; then
+ _debug "Order status is valid."
+ Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+ _debug Le_LinkCert "$Le_LinkCert"
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign error, can not find Le_LinkCert"
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ break
+ elif _contains "$response" "\"processing\""; then
+ _info "Order status is processing, lets sleep and retry."
+ _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+ _debug "_retryafter" "$_retryafter"
+ if [ "$_retryafter" ]; then
+ _info "Retry after: $_retryafter"
+ _sleep $_retryafter
else
- _err "Sign error, wrong status"
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
+ _sleep 2
fi
- #the order is processing, so we are going to poll order status
- if [ -z "$Le_LinkOrder" ]; then
- _err "Sign error, can not get order link location header"
- _err "responseHeaders" "$responseHeaders"
- _on_issue_err "$_post_hook"
- return 1
- fi
- _info "Polling order status: $Le_LinkOrder"
- if ! _send_signed_request "$Le_LinkOrder"; then
- _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
- _err "$response"
- _on_issue_err "$_post_hook"
- return 1
- fi
- _link_cert_retry="$(_math $_link_cert_retry + 1)"
- done
-
- if [ -z "$Le_LinkCert" ]; then
- _err "Sign failed, can not get Le_LinkCert, retry time limit."
+ else
+ _err "Sign error, wrong status"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
- _info "Downloading cert."
- _info "Le_LinkCert" "$Le_LinkCert"
- if ! _send_signed_request "$Le_LinkCert"; then
- _err "Sign failed, can not download cert:$Le_LinkCert."
+ #the order is processing, so we are going to poll order status
+ if [ -z "$Le_LinkOrder" ]; then
+ _err "Sign error, can not get order link location header"
+ _err "responseHeaders" "$responseHeaders"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Polling order status: $Le_LinkOrder"
+ if ! _send_signed_request "$Le_LinkOrder"; then
+ _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
+ _link_cert_retry="$(_math $_link_cert_retry + 1)"
+ done
- echo "$response" >"$CERT_PATH"
- _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+ if [ -z "$Le_LinkCert" ]; then
+ _err "Sign failed, can not get Le_LinkCert, retry time limit."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+ _info "Downloading cert."
+ _info "Le_LinkCert" "$Le_LinkCert"
+ if ! _send_signed_request "$Le_LinkCert"; then
+ _err "Sign failed, can not download cert:$Le_LinkCert."
+ _err "$response"
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
- if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
- if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
- rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
- _debug2 "rels" "$rels"
- for rel in $rels; do
- _info "Try rel: $rel"
- if ! _send_signed_request "$rel"; then
- _err "Sign failed, can not download cert:$rel"
- _err "$response"
- continue
- fi
- _relcert="$CERT_PATH.alt"
- _relfullchain="$CERT_FULLCHAIN_PATH.alt"
- _relca="$CA_CERT_PATH.alt"
- echo "$response" >"$_relcert"
- _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
- if _match_issuer "$_relfullchain" "$_preferred_chain"; then
- _info "Matched issuer in: $rel"
- cat $_relcert >"$CERT_PATH"
- cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
- cat $_relca >"$CA_CERT_PATH"
- break
- fi
- done
- fi
+ echo "$response" >"$CERT_PATH"
+ _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+ if [ -z "$_preferred_chain" ]; then
+ _preferred_chain=$(_readcaconf DEFAULT_PREFERRED_CHAIN)
+ fi
+ if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+ if [ "$DEBUG" ]; then
+ _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
fi
- else
- if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
- _err "Sign failed. $response"
- _on_issue_err "$_post_hook"
- return 1
+ if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
+ rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
+ _debug2 "rels" "$rels"
+ for rel in $rels; do
+ _info "Try rel: $rel"
+ if ! _send_signed_request "$rel"; then
+ _err "Sign failed, can not download cert:$rel"
+ _err "$response"
+ continue
+ fi
+ _relcert="$CERT_PATH.alt"
+ _relfullchain="$CERT_FULLCHAIN_PATH.alt"
+ _relca="$CA_CERT_PATH.alt"
+ echo "$response" >"$_relcert"
+ _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+ if [ "$DEBUG" ]; then
+ _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
+ fi
+ if _match_issuer "$_relfullchain" "$_preferred_chain"; then
+ _info "Matched issuer in: $rel"
+ cat $_relcert >"$CERT_PATH"
+ cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
+ cat $_relca >"$CA_CERT_PATH"
+ rm -f "$_relcert"
+ rm -f "$_relfullchain"
+ rm -f "$_relca"
+ break
+ fi
+ rm -f "$_relcert"
+ rm -f "$_relfullchain"
+ rm -f "$_relca"
+ done
fi
- _rcert="$response"
- Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
- echo "$BEGIN_CERT" >"$CERT_PATH"
-
- #if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
- # _debug "Get cert failed. Let's try last response."
- # printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
- #fi
-
- if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
- _debug "Try cert link."
- _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
- fi
-
- echo "$END_CERT" >>"$CERT_PATH"
fi
_debug "Le_LinkCert" "$Le_LinkCert"
@@ -4861,10 +5126,10 @@ $_authorizations_map"
_info "$(__green "Cert success.")"
cat "$CERT_PATH"
- _info "Your cert is in $(__green " $CERT_PATH ")"
+ _info "Your cert is in: $(__green "$CERT_PATH")"
if [ -f "$CERT_KEY_PATH" ]; then
- _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
+ _info "Your cert key is in: $(__green "$CERT_KEY_PATH")"
fi
if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then
@@ -4873,55 +5138,8 @@ $_authorizations_map"
fi
fi
- if [ "$ACME_VERSION" = "2" ]; then
- _debug "v2 chain."
- else
- cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
- Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
-
- if [ "$Le_LinkIssuer" ]; then
- if ! _contains "$Le_LinkIssuer" ":"; then
- _info "$(__red "Relative issuer link found.")"
- Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
- fi
- _debug Le_LinkIssuer "$Le_LinkIssuer"
- _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
-
- _link_issuer_retry=0
- _MAX_ISSUER_RETRY=5
- while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
- _debug _link_issuer_retry "$_link_issuer_retry"
- if [ "$ACME_VERSION" = "2" ]; then
- if _send_signed_request "$Le_LinkIssuer"; then
- echo "$response" >"$CA_CERT_PATH"
- break
- fi
- else
- if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
- echo "$BEGIN_CERT" >"$CA_CERT_PATH"
- _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
- echo "$END_CERT" >>"$CA_CERT_PATH"
- if ! _checkcert "$CA_CERT_PATH"; then
- _err "Can not get the ca cert."
- break
- fi
- cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
- rm -f "$CA_CERT_PATH.der"
- break
- fi
- fi
- _link_issuer_retry=$(_math $_link_issuer_retry + 1)
- _sleep "$_link_issuer_retry"
- done
- if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
- _err "Max retry for issuer ca cert is reached."
- fi
- else
- _debug "No Le_LinkIssuer header found."
- fi
- fi
- [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
- [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
+ [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")"
+ [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")"
Le_CertCreateTime=$(_time)
_savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
@@ -4966,13 +5184,15 @@ $_authorizations_map"
else
_cleardomainconf Le_ForceNewDomainKey
fi
-
- Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
-
- Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
+ if [ "$_notAfter" ]; then
+ Le_NextRenewTime=$(_date2time "$_notAfter")
+ Le_NextRenewTimeStr="$_notAfter"
+ else
+ Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
+ Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
+ Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
+ fi
_savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
-
- Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
@@ -5019,7 +5239,7 @@ renew() {
_isEcc="$2"
_initpath "$Le_Domain" "$_isEcc"
-
+ _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT}
_info "$(__green "Renew: '$Le_Domain'")"
if [ ! -f "$DOMAIN_CONF" ]; then
_info "'$Le_Domain' is not an issued domain, skip."
@@ -5032,17 +5252,16 @@ renew() {
. "$DOMAIN_CONF"
_debug Le_API "$Le_API"
-
- if [ "$Le_API" = "$LETSENCRYPT_CA_V1" ]; then
- _cleardomainconf Le_API
- Le_API="$DEFAULT_CA"
- fi
- if [ "$Le_API" = "$LETSENCRYPT_STAGING_CA_V1" ]; then
- _cleardomainconf Le_API
- Le_API="$DEFAULT_STAGING_CA"
+ if [ -z "$Le_API" ] || [ "$CA_LETSENCRYPT_V1" = "$Le_API" ]; then
+ #if this is from an old version, Le_API is empty,
+ #so, we force to use letsencrypt server
+ Le_API="$CA_LETSENCRYPT_V2"
fi
if [ "$Le_API" ]; then
+ if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+ _clearAPI
+ fi
export ACME_DIRECTORY="$Le_API"
#reload ca configs
ACCOUNT_KEY_PATH=""
@@ -5055,6 +5274,11 @@ renew() {
if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
_info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
_info "Add '$(__red '--force')' to force to renew."
+ if [ -z "$_ACME_IN_RENEWALL" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
+ _send_notify "Renew $Le_Domain skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
+ fi
+ fi
return "$RENEW_SKIP"
fi
@@ -5069,7 +5293,7 @@ renew() {
Le_PostHook="$(_readdomainconf Le_PostHook)"
Le_RenewHook="$(_readdomainconf Le_RenewHook)"
Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)"
- issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain"
+ issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To"
res="$?"
if [ "$res" != "0" ]; then
return "$res"
@@ -5081,6 +5305,17 @@ renew() {
fi
_ACME_IS_RENEW=""
+ if [ -z "$_ACME_IN_RENEWALL" ]; then
+ if [ "$res" = "0" ]; then
+ if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
+ _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
+ fi
+ else
+ if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
+ _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
+ fi
+ fi
+ fi
return "$res"
}
@@ -5098,6 +5333,7 @@ renewAll() {
_notify_code=$RENEW_SKIP
_set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT}
_debug "_set_level" "$_set_level"
+ export _ACME_IN_RENEWALL=1
for di in "${CERT_HOME}"/*.*/; do
_debug di "$di"
if ! [ -d "$di" ]; then
@@ -5120,13 +5356,13 @@ renewAll() {
_error_level="$NOTIFY_LEVEL_RENEW"
_notify_code=0
fi
- if [ "$_ACME_IN_CRON" ]; then
- if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
- if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
- _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
- fi
+
+ if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0
fi
fi
+
_success_msg="${_success_msg} $d
"
elif [ "$rc" = "$RENEW_SKIP" ]; then
@@ -5134,13 +5370,13 @@ renewAll() {
_error_level="$NOTIFY_LEVEL_SKIP"
_notify_code=$RENEW_SKIP
fi
- if [ "$_ACME_IN_CRON" ]; then
- if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
- if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
- _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
- fi
+
+ if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP"
fi
fi
+
_info "Skipped $d"
_skipped_msg="${_skipped_msg} $d
"
@@ -5149,13 +5385,13 @@ renewAll() {
_error_level="$NOTIFY_LEVEL_ERROR"
_notify_code=1
fi
- if [ "$_ACME_IN_CRON" ]; then
- if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
- if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
- _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
- fi
+
+ if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then
+ if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then
+ _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1
fi
fi
+
_error_msg="${_error_msg} $d
"
if [ "$_stopRenewOnError" ]; then
@@ -5170,7 +5406,7 @@ renewAll() {
done
_debug _error_level "$_error_level"
_debug _set_level "$_set_level"
- if [ "$_ACME_IN_CRON" ] && [ $_error_level -le $_set_level ]; then
+ if [ $_error_level -le $_set_level ]; then
if [ -z "$NOTIFY_MODE" ] || [ "$NOTIFY_MODE" = "$NOTIFY_MODE_BULK" ]; then
_msg_subject="Renew"
if [ "$_error_msg" ]; then
@@ -5218,6 +5454,7 @@ signcsr() {
_renew_hook="${10}"
_local_addr="${11}"
_challenge_alias="${12}"
+ _preferred_chain="${13}"
_csrsubj=$(_readSubjectFromCSR "$_csrfile")
if [ "$?" != "0" ]; then
@@ -5255,16 +5492,13 @@ signcsr() {
return 1
fi
- if [ -z "$ACME_VERSION" ] && _contains "$_csrsubj,$_csrdomainlist" "*."; then
- export ACME_VERSION=2
- fi
_initpath "$_csrsubj" "$_csrkeylength"
mkdir -p "$DOMAIN_PATH"
_info "Copy csr to: $CSR_PATH"
cp "$_csrfile" "$CSR_PATH"
- issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
+ issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain"
}
@@ -5467,7 +5701,7 @@ _installcert() {
mkdir -p "$_backup_path"
if [ "$_real_cert" ]; then
- _info "Installing cert to:$_real_cert"
+ _info "Installing cert to: $_real_cert"
if [ -f "$_real_cert" ] && [ ! "$_ACME_IS_RENEW" ]; then
cp "$_real_cert" "$_backup_path/cert.bak"
fi
@@ -5475,7 +5709,7 @@ _installcert() {
fi
if [ "$_real_ca" ]; then
- _info "Installing CA to:$_real_ca"
+ _info "Installing CA to: $_real_ca"
if [ "$_real_ca" = "$_real_cert" ]; then
echo "" >>"$_real_ca"
cat "$CA_CERT_PATH" >>"$_real_ca" || return 1
@@ -5488,20 +5722,21 @@ _installcert() {
fi
if [ "$_real_key" ]; then
- _info "Installing key to:$_real_key"
+ _info "Installing key to: $_real_key"
if [ -f "$_real_key" ] && [ ! "$_ACME_IS_RENEW" ]; then
cp "$_real_key" "$_backup_path/key.bak"
fi
if [ -f "$_real_key" ]; then
cat "$CERT_KEY_PATH" >"$_real_key" || return 1
else
- cat "$CERT_KEY_PATH" >"$_real_key" || return 1
+ touch "$_real_key" || return 1
chmod 600 "$_real_key"
+ cat "$CERT_KEY_PATH" >"$_real_key" || return 1
fi
fi
if [ "$_real_fullchain" ]; then
- _info "Installing full chain to:$_real_fullchain"
+ _info "Installing full chain to: $_real_fullchain"
if [ -f "$_real_fullchain" ] && [ ! "$_ACME_IS_RENEW" ]; then
cp "$_real_fullchain" "$_backup_path/fullchain.bak"
fi
@@ -5596,8 +5831,16 @@ installcronjob() {
if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
else
- _err "Can not install cronjob, $PROJECT_ENTRY not found."
- return 1
+ _debug "_SCRIPT_" "$_SCRIPT_"
+ _script="$(_readlink "$_SCRIPT_")"
+ _debug _script "$_script"
+ if [ -f "$_script" ]; then
+ _info "Using the current script from: $_script"
+ lesh="$_script"
+ else
+ _err "Can not install cronjob, $PROJECT_ENTRY not found."
+ return 1
+ fi
fi
if [ "$_c_home" ]; then
_c_entry="--config-home \"$_c_home\" "
@@ -5669,7 +5912,7 @@ uninstallcronjob() {
_info "Removing cron job"
cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")"
if [ "$cr" ]; then
- if _exists uname && uname -a | grep solaris >/dev/null; then
+ if _exists uname && uname -a | grep SunOS >/dev/null; then
$_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB --
else
$_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB -
@@ -5709,6 +5952,23 @@ revoke() {
return 1
fi
+ . "$DOMAIN_CONF"
+ _debug Le_API "$Le_API"
+
+ if [ "$Le_API" ]; then
+ if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+ _clearAPI
+ fi
+ export ACME_DIRECTORY="$Le_API"
+ #reload ca configs
+ ACCOUNT_KEY_PATH=""
+ ACCOUNT_JSON_PATH=""
+ CA_CONF=""
+ _debug3 "initpath again."
+ _initpath "$Le_Domain" "$_isEcc"
+ _initAPI
+ fi
+
cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)"
if [ -z "$cert" ]; then
@@ -5718,11 +5978,8 @@ revoke() {
_initAPI
- if [ "$ACME_VERSION" = "2" ]; then
- data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
- else
- data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
- fi
+ data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
+
uri="${ACME_REVOKE_CERT}"
if [ -f "$CERT_KEY_PATH" ]; then
@@ -5791,60 +6048,62 @@ remove() {
_deactivate() {
_d_domain="$1"
_d_type="$2"
- _initpath
+ _initpath "$_d_domain" "$_d_type"
- if [ "$ACME_VERSION" = "2" ]; then
- _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
- if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
- _err "Can not get domain new order."
- return 1
- fi
- _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
- _debug2 _authorizations_seg "$_authorizations_seg"
- if [ -z "$_authorizations_seg" ]; then
- _err "_authorizations_seg not found."
- _clearup
- _on_issue_err "$_post_hook"
- return 1
- fi
+ . "$DOMAIN_CONF"
+ _debug Le_API "$Le_API"
- authzUri="$_authorizations_seg"
- _debug2 "authzUri" "$authzUri"
- if ! _send_signed_request "$authzUri"; then
- _err "get to authz error."
- _err "_authorizations_seg" "$_authorizations_seg"
- _err "authzUri" "$authzUri"
- _clearup
- _on_issue_err "$_post_hook"
- return 1
+ if [ "$Le_API" ]; then
+ if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+ _clearAPI
fi
-
- response="$(echo "$response" | _normalizeJson)"
- _debug2 response "$response"
- _URL_NAME="url"
- else
- if ! __get_domain_new_authz "$_d_domain"; then
- _err "Can not get domain new authz token."
- return 1
- fi
-
- authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
- _debug "authzUri" "$authzUri"
- if [ "$code" ] && [ ! "$code" = '201' ]; then
- _err "new-authz error: $response"
- return 1
- fi
- _URL_NAME="uri"
+ export ACME_DIRECTORY="$Le_API"
+ #reload ca configs
+ ACCOUNT_KEY_PATH=""
+ ACCOUNT_JSON_PATH=""
+ CA_CONF=""
+ _debug3 "initpath again."
+ _initpath "$Le_Domain" "$_d_type"
+ _initAPI
fi
- entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n' | grep "\"status\": *\"valid\"")"
+ _identifiers="{\"type\":\"$(_getIdType "$_d_domain")\",\"value\":\"$_d_domain\"}"
+ if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+ _err "Can not get domain new order."
+ return 1
+ fi
+ _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+ _debug2 _authorizations_seg "$_authorizations_seg"
+ if [ -z "$_authorizations_seg" ]; then
+ _err "_authorizations_seg not found."
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ authzUri="$_authorizations_seg"
+ _debug2 "authzUri" "$authzUri"
+ if ! _send_signed_request "$authzUri"; then
+ _err "get to authz error."
+ _err "_authorizations_seg" "$_authorizations_seg"
+ _err "authzUri" "$authzUri"
+ _clearup
+ _on_issue_err "$_post_hook"
+ return 1
+ fi
+
+ response="$(echo "$response" | _normalizeJson)"
+ _debug2 response "$response"
+ _URL_NAME="url"
+
+ entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n\n' | grep "\"status\": *\"valid\"")"
if [ -z "$entries" ]; then
_info "No valid entries found."
if [ -z "$thumbprint" ]; then
thumbprint="$(__calc_account_thumbprint)"
fi
_debug "Trigger validation."
- vtype="$VTYPE_DNS"
+ vtype="$(_getIdType "$_d_domain")"
entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
if [ -z "$entry" ]; then
@@ -5890,11 +6149,7 @@ _deactivate() {
_info "Deactivate: $_vtype"
- if [ "$ACME_VERSION" = "2" ]; then
- _djson="{\"status\":\"deactivated\"}"
- else
- _djson="{\"resource\": \"authz\", \"status\":\"deactivated\"}"
- fi
+ _djson="{\"status\":\"deactivated\"}"
if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then
_info "Deactivate: $_vtype success."
@@ -6101,7 +6356,7 @@ _installalias() {
}
-# nocron confighome noprofile
+# nocron confighome noprofile accountemail
install() {
if [ -z "$LE_WORKING_DIR" ]; then
@@ -6111,6 +6366,8 @@ install() {
_nocron="$1"
_c_home="$2"
_noprofile="$3"
+ _accountemail="$4"
+
if ! _initpath; then
_err "Install failed."
return 1
@@ -6229,6 +6486,10 @@ install() {
fi
fi
+ if [ "$_accountemail" ]; then
+ _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
+ fi
+
_info OK
}
@@ -6434,6 +6695,7 @@ Commands:
--revoke Revoke a cert.
--remove Remove the cert from list of certs known to $PROJECT_NAME.
--list List all the certs.
+ --info Show the $PROJECT_NAME configs, or the configs for a domain with [-d domain] parameter.
--to-pkcs12 Export the certificate and key to a pfx file.
--to-pkcs8 Convert to pkcs8 format.
--sign-csr Issue a cert from an existing csr.
@@ -6451,6 +6713,8 @@ Commands:
--deactivate Deactivate the domain authz, professional use.
--set-default-ca Used with '--server', Set the default CA to use.
See: $_SERVER_WIKI
+ --set-default-chain Set the default preferred chain for a CA.
+ See: $_PREFERRED_CHAIN_WIKI
Parameters:
@@ -6465,6 +6729,11 @@ Parameters:
If no match, the default offered chain will be used. (default: empty)
See: $_PREFERRED_CHAIN_WIKI
+ --valid-to Request the NotAfter field of the cert.
+ See: $_VALIDITY_WIKI
+ --valid-from Request the NotBefore field of the cert.
+ See: $_VALIDITY_WIKI
+
-f, --force Force install, force cert renewal or override sudo restrictions.
--staging, --test Use staging server, for testing.
--debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted.
@@ -6507,7 +6776,7 @@ Parameters:
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
--config-home Specifies the home dir to save all the configurations.
--useragent Specifies the user agent string. it will be saved for future use too.
- -m, --accountemail Specifies the account email, only valid for the '--install' and '--update-account' command.
+ -m, --email Specifies the account email, only valid for the '--install' and '--update-account' command.
--accountkey Specifies the account key path, only valid for the '--install' command.
--days Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
--httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
@@ -6518,9 +6787,9 @@ Parameters:
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
- --nocron Only valid for '--install' command, which means: do not install the default cron job.
+ --no-cron Only valid for '--install' command, which means: do not install the default cron job.
In this case, the certs will not be renewed automatically.
- --noprofile Only valid for '--install' command, which means: do not install aliases to user profile.
+ --no-profile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
@@ -6558,18 +6827,17 @@ Parameters:
"
}
-# nocron noprofile
-_installOnline() {
+installOnline() {
_info "Installing from online archive."
- _nocron="$1"
- _noprofile="$2"
- if [ ! "$BRANCH" ]; then
- BRANCH="master"
+
+ _branch="$BRANCH"
+ if [ -z "$_branch" ]; then
+ _branch="master"
fi
- target="$PROJECT/archive/$BRANCH.tar.gz"
+ target="$PROJECT/archive/$_branch.tar.gz"
_info "Downloading $target"
- localname="$BRANCH.tar.gz"
+ localname="$_branch.tar.gz"
if ! _get "$target" >$localname; then
_err "Download error."
return 1
@@ -6581,9 +6849,9 @@ _installOnline() {
exit 1
fi
- cd "$PROJECT_NAME-$BRANCH"
+ cd "$PROJECT_NAME-$_branch"
chmod +x $PROJECT_ENTRY
- if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
+ if ./$PROJECT_ENTRY --install "$@"; then
_info "Install success!"
_initpath
_saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)"
@@ -6591,7 +6859,7 @@ _installOnline() {
cd ..
- rm -rf "$PROJECT_NAME-$BRANCH"
+ rm -rf "$PROJECT_NAME-$_branch"
rm -f "$localname"
)
}
@@ -6600,7 +6868,7 @@ _getRepoHash() {
_hash_path=$1
shift
_hash_url="https://api.github.com/repos/acmesh-official/$PROJECT_NAME/git/refs/$_hash_path"
- _get $_hash_url | tr -d "\r\n" | tr '{},' '\n' | grep '"sha":' | cut -d '"' -f 4
+ _get $_hash_url | tr -d "\r\n" | tr '{},' '\n\n\n' | grep '"sha":' | cut -d '"' -f 4
}
_getUpgradeHash() {
@@ -6619,7 +6887,7 @@ upgrade() {
[ -z "$FORCE" ] && [ "$(_getUpgradeHash)" = "$(_readaccountconf "UPGRADE_HASH")" ] && _info "Already uptodate!" && exit 0
export LE_WORKING_DIR
cd "$LE_WORKING_DIR"
- _installOnline "nocron" "noprofile"
+ installOnline "--nocron" "--noprofile"
); then
_info "Upgrade success!"
exit 0
@@ -6673,9 +6941,10 @@ _checkSudo() {
return 0
}
-#server
+#server #keylength
_selectServer() {
_server="$1"
+ _skeylength="$2"
_server_lower="$(echo "$_server" | _lower_case)"
_sindex=0
for snames in $CA_NAMES; do
@@ -6686,6 +6955,9 @@ _selectServer() {
if [ "$_server_lower" = "$sname" ]; then
_debug2 "_selectServer match $sname"
_serverdir="$(_getfield "$CA_SERVERS" $_sindex)"
+ if [ "$_serverdir" = "$CA_SSLCOM_RSA" ] && _isEccKey "$_skeylength"; then
+ _serverdir="$CA_SSLCOM_ECC"
+ fi
_debug "Selected server: $_serverdir"
ACME_DIRECTORY="$_serverdir"
export ACME_DIRECTORY
@@ -6703,6 +6975,9 @@ _getCAShortName() {
if [ -z "$caurl" ]; then
caurl="$DEFAULT_CA"
fi
+ if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then
+ caurl="$CA_SSLCOM_RSA" #just hack to get the short name
+ fi
caurl_lower="$(echo $caurl | _lower_case)"
_sindex=0
for surl in $(echo "$CA_SERVERS" | _lower_case | tr , ' '); do
@@ -6731,6 +7006,40 @@ setdefaultca() {
_info "Changed default CA to: $(__green "$ACME_DIRECTORY")"
}
+#preferred-chain
+setdefaultchain() {
+ _initpath
+ _preferred_chain="$1"
+ if [ -z "$_preferred_chain" ]; then
+ _err "Please give a '--preferred-chain value' value."
+ return 1
+ fi
+ mkdir -p "$CA_DIR"
+ _savecaconf "DEFAULT_PREFERRED_CHAIN" "$_preferred_chain"
+}
+
+#domain ecc
+info() {
+ _domain="$1"
+ _ecc="$2"
+ _initpath
+ if [ -z "$_domain" ]; then
+ _debug "Show global configs"
+ echo "LE_WORKING_DIR=$LE_WORKING_DIR"
+ echo "LE_CONFIG_HOME=$LE_CONFIG_HOME"
+ cat "$ACCOUNT_CONF_PATH"
+ else
+ _debug "Show domain configs"
+ (
+ _initpath "$_domain" "$_ecc"
+ echo "DOMAIN_CONF=$DOMAIN_CONF"
+ for seg in $(cat $DOMAIN_CONF | cut -d = -f 1); do
+ echo "$seg=$(_readdomainconf "$seg")"
+ done
+ )
+ fi
+}
+
_process() {
_CMD=""
_domain=""
@@ -6785,6 +7094,8 @@ _process() {
_eab_kid=""
_eab_hmac_key=""
_preferred_chain=""
+ _valid_from=""
+ _valid_to=""
while [ ${#} -gt 0 ]; do
case "${1}" in
@@ -6799,6 +7110,11 @@ _process() {
--install)
_CMD="install"
;;
+ --install-online)
+ shift
+ installOnline "$@"
+ return
+ ;;
--uninstall)
_CMD="uninstall"
;;
@@ -6835,6 +7151,9 @@ _process() {
--list)
_CMD="list"
;;
+ --info)
+ _CMD="info"
+ ;;
--install-cronjob | --installcronjob)
_CMD="installcronjob"
;;
@@ -6877,6 +7196,9 @@ _process() {
--set-default-ca)
_CMD="setdefaultca"
;;
+ --set-default-chain)
+ _CMD="setdefaultchain"
+ ;;
-d | --domain)
_dvalue="$2"
@@ -6890,10 +7212,6 @@ _process() {
return 1
fi
- if _startswith "$_dvalue" "*."; then
- _debug "Wildcard domain"
- export ACME_VERSION=2
- fi
if [ -z "$_domain" ]; then
_domain="$_dvalue"
else
@@ -6916,7 +7234,6 @@ _process() {
;;
--server)
_server="$2"
- _selectServer "$_server"
shift
;;
--debug)
@@ -7015,7 +7332,6 @@ _process() {
Le_DNSSleep="$_dnssleep"
shift
;;
-
--keylength | -k)
_keylength="$2"
shift
@@ -7024,7 +7340,6 @@ _process() {
_accountkeylength="$2"
shift
;;
-
--cert-file | --certpath)
_cert_file="$2"
shift
@@ -7073,9 +7388,9 @@ _process() {
USER_AGENT="$_useragent"
shift
;;
- -m | --accountemail)
+ -m | --email | --accountemail)
_accountemail="$2"
- ACCOUNT_EMAIL="$_accountemail"
+ export ACCOUNT_EMAIL="$_accountemail"
shift
;;
--accountkey)
@@ -7088,6 +7403,14 @@ _process() {
Le_RenewalDays="$_days"
shift
;;
+ --valid-from)
+ _valid_from="$2"
+ shift
+ ;;
+ --valid-to)
+ _valid_to="$2"
+ shift
+ ;;
--httpport)
_httpport="$2"
Le_HTTPPort="$_httpport"
@@ -7118,10 +7441,10 @@ _process() {
CA_PATH="$_ca_path"
shift
;;
- --nocron)
+ --no-cron | --nocron)
_nocron="1"
;;
- --noprofile)
+ --no-profile | --noprofile)
_noprofile="1"
;;
--no-color)
@@ -7288,6 +7611,10 @@ _process() {
shift 1
done
+ if [ "$_server" ]; then
+ _selectServer "$_server" "${_ecc:-$_keylength}"
+ fi
+
if [ "${_CMD}" != "install" ]; then
if [ "$__INTERACTIVE" ] && ! _checkSudo; then
if [ -z "$FORCE" ]; then
@@ -7341,17 +7668,17 @@ _process() {
fi
_debug "Running cmd: ${_CMD}"
case "${_CMD}" in
- install) install "$_nocron" "$_confighome" "$_noprofile" ;;
+ install) install "$_nocron" "$_confighome" "$_noprofile" "$_accountemail" ;;
uninstall) uninstall "$_nocron" ;;
upgrade) upgrade ;;
issue)
- issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain"
+ issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to"
;;
deploy)
deploy "$_domain" "$_deploy_hook" "$_ecc"
;;
signcsr)
- signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
+ signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain"
;;
showcsr)
showcsr "$_csr" "$_domain"
@@ -7386,6 +7713,9 @@ _process() {
list)
list "$_listraw" "$_domain"
;;
+ info)
+ info "$_domain" "$_ecc"
+ ;;
installcronjob) installcronjob "$_confighome" ;;
uninstallcronjob) uninstallcronjob ;;
cron) cron ;;
@@ -7410,6 +7740,9 @@ _process() {
setdefaultca)
setdefaultca
;;
+ setdefaultchain)
+ setdefaultchain "$_preferred_chain"
+ ;;
*)
if [ "$_CMD" ]; then
_err "Invalid command: $_CMD"
@@ -7454,12 +7787,6 @@ _process() {
}
-if [ "$INSTALLONLINE" ]; then
- INSTALLONLINE=""
- _installOnline
- exit
-fi
-
main() {
[ -z "$1" ] && showhelp && return
if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
diff --git a/deploy/cleverreach.sh b/deploy/cleverreach.sh
index 552d8149..a460a139 100644
--- a/deploy/cleverreach.sh
+++ b/deploy/cleverreach.sh
@@ -17,6 +17,8 @@ cleverreach_deploy() {
_cca="$4"
_cfullchain="$5"
+ _rest_endpoint="https://rest.cleverreach.com"
+
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
@@ -25,6 +27,7 @@ cleverreach_deploy() {
_getdeployconf DEPLOY_CLEVERREACH_CLIENT_ID
_getdeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET
+ _getdeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID
if [ -z "${DEPLOY_CLEVERREACH_CLIENT_ID}" ]; then
_err "CleverReach Client ID is not found, please define DEPLOY_CLEVERREACH_CLIENT_ID."
@@ -37,11 +40,12 @@ cleverreach_deploy() {
_savedeployconf DEPLOY_CLEVERREACH_CLIENT_ID "${DEPLOY_CLEVERREACH_CLIENT_ID}"
_savedeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET "${DEPLOY_CLEVERREACH_CLIENT_SECRET}"
+ _savedeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
_info "Obtaining a CleverReach access token"
_data="{\"grant_type\": \"client_credentials\", \"client_id\": \"${DEPLOY_CLEVERREACH_CLIENT_ID}\", \"client_secret\": \"${DEPLOY_CLEVERREACH_CLIENT_SECRET}\"}"
- _auth_result="$(_post "$_data" "https://rest.cleverreach.com/oauth/token.php" "" "POST" "application/json")"
+ _auth_result="$(_post "$_data" "$_rest_endpoint/oauth/token.php" "" "POST" "application/json")"
_debug _data "$_data"
_debug _auth_result "$_auth_result"
@@ -50,14 +54,32 @@ cleverreach_deploy() {
_debug _regex "$_regex"
_access_token=$(echo "$_auth_result" | _json_decode | sed -n "s/$_regex/\1/p")
+ _debug _subclient "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
+
+ if [ -n "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
+ _info "Obtaining token for sub-client ${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
+ export _H1="Authorization: Bearer ${_access_token}"
+ _subclient_token_result="$(_get "$_rest_endpoint/v3/clients/$DEPLOY_CLEVERREACH_SUBCLIENT_ID/token")"
+ _access_token=$(echo "$_subclient_token_result" | sed -n "s/\"//p")
+
+ _debug _subclient_token_result "$_access_token"
+
+ _info "Destroying parent token at CleverReach, as it not needed anymore"
+ _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
+ _debug _destroy_result "$_destroy_result"
+ fi
+
_info "Uploading certificate and key to CleverReach"
_certData="{\"cert\":\"$(_json_encode <"$_cfullchain")\", \"key\":\"$(_json_encode <"$_ckey")\"}"
export _H1="Authorization: Bearer ${_access_token}"
- _add_cert_result="$(_post "$_certData" "https://rest.cleverreach.com/v3/ssl" "" "POST" "application/json")"
+ _add_cert_result="$(_post "$_certData" "$_rest_endpoint/v3/ssl" "" "POST" "application/json")"
- _debug "Destroying token at CleverReach"
- _post "" "https://rest.cleverreach.com/v3/oauth/token.json" "" "DELETE" "application/json"
+ if [ -z "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
+ _info "Destroying token at CleverReach, as it not needed anymore"
+ _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
+ _debug _destroy_result "$_destroy_result"
+ fi
if ! echo "$_add_cert_result" | grep '"error":' >/dev/null; then
_info "Uploaded certificate successfully"
diff --git a/deploy/consul.sh b/deploy/consul.sh
new file mode 100644
index 00000000..f93fb452
--- /dev/null
+++ b/deploy/consul.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env sh
+
+# Here is a script to deploy cert to hashicorp consul using curl
+# (https://www.consul.io/)
+#
+# it requires following environment variables:
+#
+# CONSUL_PREFIX - this contains the prefix path in consul
+# CONSUL_HTTP_ADDR - consul requires this to find your consul server
+#
+# additionally, you need to ensure that CONSUL_HTTP_TOKEN is available
+# to access the consul server
+
+#returns 0 means success, otherwise error.
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+consul_deploy() {
+
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ # validate required env vars
+ _getdeployconf CONSUL_PREFIX
+ if [ -z "$CONSUL_PREFIX" ]; then
+ _err "CONSUL_PREFIX needs to be defined (contains prefix path in vault)"
+ return 1
+ fi
+ _savedeployconf CONSUL_PREFIX "$CONSUL_PREFIX"
+
+ _getdeployconf CONSUL_HTTP_ADDR
+ if [ -z "$CONSUL_HTTP_ADDR" ]; then
+ _err "CONSUL_HTTP_ADDR needs to be defined (contains consul connection address)"
+ return 1
+ fi
+ _savedeployconf CONSUL_HTTP_ADDR "$CONSUL_HTTP_ADDR"
+
+ CONSUL_CMD=$(command -v consul)
+
+ # force CLI, but the binary does not exist => error
+ if [ -n "$USE_CLI" ] && [ -z "$CONSUL_CMD" ]; then
+ _err "Cannot find the consul binary!"
+ return 1
+ fi
+
+ # use the CLI first
+ if [ -n "$USE_CLI" ] || [ -n "$CONSUL_CMD" ]; then
+ _info "Found consul binary, deploying with CLI"
+ consul_deploy_cli "$CONSUL_CMD" "$CONSUL_PREFIX"
+ else
+ _info "Did not find consul binary, deploying with API"
+ consul_deploy_api "$CONSUL_HTTP_ADDR" "$CONSUL_PREFIX" "$CONSUL_HTTP_TOKEN"
+ fi
+}
+
+consul_deploy_api() {
+ CONSUL_HTTP_ADDR="$1"
+ CONSUL_PREFIX="$2"
+ CONSUL_HTTP_TOKEN="$3"
+
+ URL="$CONSUL_HTTP_ADDR/v1/kv/$CONSUL_PREFIX"
+ export _H1="X-Consul-Token: $CONSUL_HTTP_TOKEN"
+
+ if [ -n "$FABIO" ]; then
+ _post "$(cat "$_cfullchain")" "$URL/${_cdomain}-cert.pem" '' "PUT" || return 1
+ _post "$(cat "$_ckey")" "$URL/${_cdomain}-key.pem" '' "PUT" || return 1
+ else
+ _post "$(cat "$_ccert")" "$URL/${_cdomain}/cert.pem" '' "PUT" || return 1
+ _post "$(cat "$_ckey")" "$URL/${_cdomain}/cert.key" '' "PUT" || return 1
+ _post "$(cat "$_cca")" "$URL/${_cdomain}/chain.pem" '' "PUT" || return 1
+ _post "$(cat "$_cfullchain")" "$URL/${_cdomain}/fullchain.pem" '' "PUT" || return 1
+ fi
+}
+
+consul_deploy_cli() {
+ CONSUL_CMD="$1"
+ CONSUL_PREFIX="$2"
+
+ if [ -n "$FABIO" ]; then
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-cert.pem" @"$_cfullchain" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-key.pem" @"$_ckey" || return 1
+ else
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+ $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+ fi
+}
diff --git a/deploy/docker.sh b/deploy/docker.sh
index 451d5d00..3aa1b2cd 100755
--- a/deploy/docker.sh
+++ b/deploy/docker.sh
@@ -275,6 +275,7 @@ _check_curl_version() {
if [ "$_major$_minor" -lt "740" ]; then
_err "curl v$_cversion doesn't support unit socket"
+ _err "Please upgrade to curl 7.40 or later."
return 1
fi
if [ "$_major$_minor" -lt "750" ]; then
diff --git a/deploy/fritzbox.sh b/deploy/fritzbox.sh
index 2ca7ab7d..416a4121 100644
--- a/deploy/fritzbox.sh
+++ b/deploy/fritzbox.sh
@@ -36,43 +36,51 @@ fritzbox_deploy() {
fi
fi
- _fritzbox_username="${DEPLOY_FRITZBOX_USERNAME}"
- _fritzbox_password="${DEPLOY_FRITZBOX_PASSWORD}"
- _fritzbox_url="${DEPLOY_FRITZBOX_URL}"
+ # Clear traces of incorrectly stored values
+ _clearaccountconf DEPLOY_FRITZBOX_USERNAME
+ _clearaccountconf DEPLOY_FRITZBOX_PASSWORD
+ _clearaccountconf DEPLOY_FRITZBOX_URL
- _debug _fritzbox_url "$_fritzbox_url"
- _debug _fritzbox_username "$_fritzbox_username"
- _secure_debug _fritzbox_password "$_fritzbox_password"
- if [ -z "$_fritzbox_username" ]; then
+ # Read config from saved values or env
+ _getdeployconf DEPLOY_FRITZBOX_USERNAME
+ _getdeployconf DEPLOY_FRITZBOX_PASSWORD
+ _getdeployconf DEPLOY_FRITZBOX_URL
+
+ _debug DEPLOY_FRITZBOX_URL "$DEPLOY_FRITZBOX_URL"
+ _debug DEPLOY_FRITZBOX_USERNAME "$DEPLOY_FRITZBOX_USERNAME"
+ _secure_debug DEPLOY_FRITZBOX_PASSWORD "$DEPLOY_FRITZBOX_PASSWORD"
+
+ if [ -z "$DEPLOY_FRITZBOX_USERNAME" ]; then
_err "FRITZ!Box username is not found, please define DEPLOY_FRITZBOX_USERNAME."
return 1
fi
- if [ -z "$_fritzbox_password" ]; then
+ if [ -z "$DEPLOY_FRITZBOX_PASSWORD" ]; then
_err "FRITZ!Box password is not found, please define DEPLOY_FRITZBOX_PASSWORD."
return 1
fi
- if [ -z "$_fritzbox_url" ]; then
+ if [ -z "$DEPLOY_FRITZBOX_URL" ]; then
_err "FRITZ!Box url is not found, please define DEPLOY_FRITZBOX_URL."
return 1
fi
- _saveaccountconf DEPLOY_FRITZBOX_USERNAME "${_fritzbox_username}"
- _saveaccountconf DEPLOY_FRITZBOX_PASSWORD "${_fritzbox_password}"
- _saveaccountconf DEPLOY_FRITZBOX_URL "${_fritzbox_url}"
+ # Save current values
+ _savedeployconf DEPLOY_FRITZBOX_USERNAME "$DEPLOY_FRITZBOX_USERNAME"
+ _savedeployconf DEPLOY_FRITZBOX_PASSWORD "$DEPLOY_FRITZBOX_PASSWORD"
+ _savedeployconf DEPLOY_FRITZBOX_URL "$DEPLOY_FRITZBOX_URL"
# Do not check for a valid SSL certificate, because initially the cert is not valid, so it could not install the LE generated certificate
export HTTPS_INSECURE=1
_info "Log in to the FRITZ!Box"
- _fritzbox_challenge="$(_get "${_fritzbox_url}/login_sid.lua" | sed -e 's/^.*//' -e 's/<\/Challenge>.*$//')"
+ _fritzbox_challenge="$(_get "${DEPLOY_FRITZBOX_URL}/login_sid.lua" | sed -e 's/^.*//' -e 's/<\/Challenge>.*$//')"
if _exists iconv; then
- _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)"
+ _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)"
elif _exists uconv; then
- _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | uconv -f ASCII -t UTF16LE | _digest md5 hex)"
+ _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | uconv -f ASCII -t UTF16LE | _digest md5 hex)"
else
- _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)"
+ _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)"
fi
- _fritzbox_sid="$(_get "${_fritzbox_url}/login_sid.lua?sid=0000000000000000&username=${_fritzbox_username}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*//' -e 's/<\/SID>.*$//')"
+ _fritzbox_sid="$(_get "${DEPLOY_FRITZBOX_URL}/login_sid.lua?sid=0000000000000000&username=${DEPLOY_FRITZBOX_USERNAME}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*//' -e 's/<\/SID>.*$//')"
if [ -z "${_fritzbox_sid}" ] || [ "${_fritzbox_sid}" = "0000000000000000" ]; then
_err "Logging in to the FRITZ!Box failed. Please check username, password and URL."
@@ -104,7 +112,7 @@ fritzbox_deploy() {
_info "Upload certificate to the FRITZ!Box"
export _H1="Content-type: multipart/form-data boundary=${_post_boundary}"
- _post "$(cat "${_post_request}")" "${_fritzbox_url}/cgi-bin/firmwarecfg" | grep SSL
+ _post "$(cat "${_post_request}")" "${DEPLOY_FRITZBOX_URL}/cgi-bin/firmwarecfg" | grep SSL
retval=$?
if [ $retval = 0 ]; then
diff --git a/deploy/gcore_cdn.sh b/deploy/gcore_cdn.sh
index a2a35f7b..f573a3aa 100644
--- a/deploy/gcore_cdn.sh
+++ b/deploy/gcore_cdn.sh
@@ -56,9 +56,9 @@ gcore_cdn_deploy() {
_request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
_debug _request "$_request"
export _H1="Content-Type:application/json"
- _response=$(_post "$_request" "https://api.gcdn.co/auth/signin")
+ _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
_debug _response "$_response"
- _regex=".*\"token\":\"\([-._0-9A-Za-z]*\)\".*$"
+ _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
_debug _regex "$_regex"
_token=$(echo "$_response" | sed -n "s/$_regex/\1/p")
_debug _token "$_token"
@@ -72,12 +72,15 @@ gcore_cdn_deploy() {
export _H2="Authorization:Token $_token"
_response=$(_get "https://api.gcdn.co/resources")
_debug _response "$_response"
- _regex=".*(\"id\".*?\"cname\":\"$_cdomain\".*?})"
+ _regex="\"primary_resource\":null},"
+ _debug _regex "$_regex"
+ _response=$(echo "$_response" | sed "s/$_regex/$_regex\n/g")
+ _debug _response "$_response"
_regex="^.*\"cname\":\"$_cdomain\".*$"
_debug _regex "$_regex"
- _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+ _resource=$(echo "$_response" | _egrep_o "$_regex")
_debug _resource "$_resource"
- _regex=".*\"id\":\([0-9]*\).*\"rules\".*$"
+ _regex=".*\"id\":\([0-9]*\).*$"
_debug _regex "$_regex"
_resourceId=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
_debug _resourceId "$_resourceId"
diff --git a/deploy/haproxy.sh b/deploy/haproxy.sh
index 0a45ee07..c255059d 100644
--- a/deploy/haproxy.sh
+++ b/deploy/haproxy.sh
@@ -54,11 +54,6 @@ haproxy_deploy() {
DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
- if [ -f "${DOMAIN_CONF}" ]; then
- # shellcheck disable=SC1090
- . "${DOMAIN_CONF}"
- fi
-
_debug _cdomain "${_cdomain}"
_debug _ckey "${_ckey}"
_debug _ccert "${_ccert}"
@@ -66,6 +61,8 @@ haproxy_deploy() {
_debug _cfullchain "${_cfullchain}"
# PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_PEM_PATH
+ _debug2 DEPLOY_HAPROXY_PEM_PATH "${DEPLOY_HAPROXY_PEM_PATH}"
if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
_savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
@@ -82,6 +79,8 @@ haproxy_deploy() {
fi
# PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_PEM_NAME
+ _debug2 DEPLOY_HAPROXY_PEM_NAME "${DEPLOY_HAPROXY_PEM_NAME}"
if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
_savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
@@ -90,6 +89,8 @@ haproxy_deploy() {
fi
# BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_BUNDLE
+ _debug2 DEPLOY_HAPROXY_BUNDLE "${DEPLOY_HAPROXY_BUNDLE}"
if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
_savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
@@ -98,6 +99,8 @@ haproxy_deploy() {
fi
# ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_ISSUER
+ _debug2 DEPLOY_HAPROXY_ISSUER "${DEPLOY_HAPROXY_ISSUER}"
if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
_savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
@@ -106,6 +109,8 @@ haproxy_deploy() {
fi
# RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
+ _getdeployconf DEPLOY_HAPROXY_RELOAD
+ _debug2 DEPLOY_HAPROXY_RELOAD "${DEPLOY_HAPROXY_RELOAD}"
if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
_savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
@@ -190,7 +195,7 @@ haproxy_deploy() {
_info "Updating OCSP stapling info"
_debug _ocsp "${_ocsp}"
_info "Extracting OCSP URL"
- _ocsp_url=$(openssl x509 -noout -ocsp_uri -in "${_pem}")
+ _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
_debug _ocsp_url "${_ocsp_url}"
# Only process OCSP if URL was present
@@ -203,9 +208,9 @@ haproxy_deploy() {
# Only process the certificate if we have a .issuer file
if [ -r "${_issuer}" ]; then
# Check if issuer cert is also a root CA cert
- _subjectdn=$(openssl x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
_debug _subjectdn "${_subjectdn}"
- _issuerdn=$(openssl x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
_debug _issuerdn "${_issuerdn}"
_info "Requesting OCSP response"
# If the issuer is a CA cert then our command line has "-CAfile" added
@@ -216,7 +221,7 @@ haproxy_deploy() {
fi
_debug _cafile_argument "${_cafile_argument}"
# if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
- _openssl_version=$(openssl version | cut -d' ' -f2)
+ _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
_debug _openssl_version "${_openssl_version}"
_openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
_openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
@@ -226,7 +231,7 @@ haproxy_deploy() {
_header_sep=" "
fi
# Request the OCSP response from the issuer and store it
- _openssl_ocsp_cmd="openssl ocsp \
+ _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
-issuer \"${_issuer}\" \
-cert \"${_pem}\" \
-url \"${_ocsp_url}\" \
diff --git a/deploy/kong.sh b/deploy/kong.sh
index 1e1e310c..b8facedf 100755
--- a/deploy/kong.sh
+++ b/deploy/kong.sh
@@ -45,7 +45,7 @@ kong_deploy() {
#Generate data for request (Multipart/form-data with mixed content)
if [ -z "$ssl_uuid" ]; then
#set sni to domain
- content="--$delim${nl}Content-Disposition: form-data; name=\"snis\"${nl}${nl}$_cdomain"
+ content="--$delim${nl}Content-Disposition: form-data; name=\"snis[]\"${nl}${nl}$_cdomain"
fi
#add key
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
diff --git a/deploy/lighttpd.sh b/deploy/lighttpd.sh
new file mode 100644
index 00000000..71f64b96
--- /dev/null
+++ b/deploy/lighttpd.sh
@@ -0,0 +1,280 @@
+#!/usr/bin/env sh
+
+# Script for acme.sh to deploy certificates to lighttpd
+#
+# The following variables can be exported:
+#
+# export DEPLOY_LIGHTTPD_PEM_NAME="${domain}.pem"
+#
+# Defines the name of the PEM file.
+# Defaults to ".pem"
+#
+# export DEPLOY_LIGHTTPD_PEM_PATH="/etc/lighttpd"
+#
+# Defines location of PEM file for Lighttpd.
+# Defaults to /etc/lighttpd
+#
+# export DEPLOY_LIGHTTPD_RELOAD="systemctl reload lighttpd"
+#
+# OPTIONAL: Reload command used post deploy
+# This defaults to be a no-op (ie "true").
+# It is strongly recommended to set this something that makes sense
+# for your distro.
+#
+# export DEPLOY_LIGHTTPD_ISSUER="yes"
+#
+# OPTIONAL: Places CA file as "${DEPLOY_LIGHTTPD_PEM}.issuer"
+# Note: Required for OCSP stapling to work
+#
+# export DEPLOY_LIGHTTPD_BUNDLE="no"
+#
+# OPTIONAL: Deploy this certificate as part of a multi-cert bundle
+# This adds a suffix to the certificate based on the certificate type
+# eg RSA certificates will have .rsa as a suffix to the file name
+# Lighttpd will load all certificates and provide one or the other
+# depending on client capabilities
+# Note: This functionality requires Lighttpd was compiled against
+# a version of OpenSSL that supports this.
+#
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+lighttpd_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ # Some defaults
+ DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT="/etc/lighttpd"
+ DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT="${_cdomain}.pem"
+ DEPLOY_LIGHTTPD_BUNDLE_DEFAULT="no"
+ DEPLOY_LIGHTTPD_ISSUER_DEFAULT="yes"
+ DEPLOY_LIGHTTPD_RELOAD_DEFAULT="true"
+
+ _debug _cdomain "${_cdomain}"
+ _debug _ckey "${_ckey}"
+ _debug _ccert "${_ccert}"
+ _debug _cca "${_cca}"
+ _debug _cfullchain "${_cfullchain}"
+
+ # PEM_PATH is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_PEM_PATH
+ _debug2 DEPLOY_LIGHTTPD_PEM_PATH "${DEPLOY_LIGHTTPD_PEM_PATH}"
+ if [ -n "${DEPLOY_LIGHTTPD_PEM_PATH}" ]; then
+ Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH}"
+ _savedomainconf Le_Deploy_lighttpd_pem_path "${Le_Deploy_lighttpd_pem_path}"
+ elif [ -z "${Le_Deploy_lighttpd_pem_path}" ]; then
+ Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}"
+ fi
+
+ # Ensure PEM_PATH exists
+ if [ -d "${Le_Deploy_lighttpd_pem_path}" ]; then
+ _debug "PEM_PATH ${Le_Deploy_lighttpd_pem_path} exists"
+ else
+ _err "PEM_PATH ${Le_Deploy_lighttpd_pem_path} does not exist"
+ return 1
+ fi
+
+ # PEM_NAME is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_PEM_NAME
+ _debug2 DEPLOY_LIGHTTPD_PEM_NAME "${DEPLOY_LIGHTTPD_PEM_NAME}"
+ if [ -n "${DEPLOY_LIGHTTPD_PEM_NAME}" ]; then
+ Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME}"
+ _savedomainconf Le_Deploy_lighttpd_pem_name "${Le_Deploy_lighttpd_pem_name}"
+ elif [ -z "${Le_Deploy_lighttpd_pem_name}" ]; then
+ Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}"
+ fi
+
+ # BUNDLE is optional. If not provided then assume "${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_BUNDLE
+ _debug2 DEPLOY_LIGHTTPD_BUNDLE "${DEPLOY_LIGHTTPD_BUNDLE}"
+ if [ -n "${DEPLOY_LIGHTTPD_BUNDLE}" ]; then
+ Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE}"
+ _savedomainconf Le_Deploy_lighttpd_bundle "${Le_Deploy_lighttpd_bundle}"
+ elif [ -z "${Le_Deploy_lighttpd_bundle}" ]; then
+ Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}"
+ fi
+
+ # ISSUER is optional. If not provided then assume "${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_ISSUER
+ _debug2 DEPLOY_LIGHTTPD_ISSUER "${DEPLOY_LIGHTTPD_ISSUER}"
+ if [ -n "${DEPLOY_LIGHTTPD_ISSUER}" ]; then
+ Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER}"
+ _savedomainconf Le_Deploy_lighttpd_issuer "${Le_Deploy_lighttpd_issuer}"
+ elif [ -z "${Le_Deploy_lighttpd_issuer}" ]; then
+ Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}"
+ fi
+
+ # RELOAD is optional. If not provided then assume "${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}"
+ _getdeployconf DEPLOY_LIGHTTPD_RELOAD
+ _debug2 DEPLOY_LIGHTTPD_RELOAD "${DEPLOY_LIGHTTPD_RELOAD}"
+ if [ -n "${DEPLOY_LIGHTTPD_RELOAD}" ]; then
+ Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD}"
+ _savedomainconf Le_Deploy_lighttpd_reload "${Le_Deploy_lighttpd_reload}"
+ elif [ -z "${Le_Deploy_lighttpd_reload}" ]; then
+ Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}"
+ fi
+
+ # Set the suffix depending if we are creating a bundle or not
+ if [ "${Le_Deploy_lighttpd_bundle}" = "yes" ]; then
+ _info "Bundle creation requested"
+ # Initialise $Le_Keylength if its not already set
+ if [ -z "${Le_Keylength}" ]; then
+ Le_Keylength=""
+ fi
+ if _isEccKey "${Le_Keylength}"; then
+ _info "ECC key type detected"
+ _suffix=".ecdsa"
+ else
+ _info "RSA key type detected"
+ _suffix=".rsa"
+ fi
+ else
+ _suffix=""
+ fi
+ _debug _suffix "${_suffix}"
+
+ # Set variables for later
+ _pem="${Le_Deploy_lighttpd_pem_path}/${Le_Deploy_lighttpd_pem_name}${_suffix}"
+ _issuer="${_pem}.issuer"
+ _ocsp="${_pem}.ocsp"
+ _reload="${Le_Deploy_lighttpd_reload}"
+
+ _info "Deploying PEM file"
+ # Create a temporary PEM file
+ _temppem="$(_mktemp)"
+ _debug _temppem "${_temppem}"
+ cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
+ _ret="$?"
+
+ # Check that we could create the temporary file
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} returned during PEM file creation"
+ [ -f "${_temppem}" ] && rm -f "${_temppem}"
+ return ${_ret}
+ fi
+
+ # Move PEM file into place
+ _info "Moving new certificate into place"
+ _debug _pem "${_pem}"
+ cat "${_temppem}" >"${_pem}"
+ _ret=$?
+
+ # Clean up temp file
+ [ -f "${_temppem}" ] && rm -f "${_temppem}"
+
+ # Deal with any failure of moving PEM file into place
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} returned while moving new certificate into place"
+ return ${_ret}
+ fi
+
+ # Update .issuer file if requested
+ if [ "${Le_Deploy_lighttpd_issuer}" = "yes" ]; then
+ _info "Updating .issuer file"
+ _debug _issuer "${_issuer}"
+ cat "${_cca}" >"${_issuer}"
+ _ret="$?"
+
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} returned while copying issuer/CA certificate into place"
+ return ${_ret}
+ fi
+ else
+ [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
+ fi
+
+ # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
+ if [ -z "${Le_OCSP_Staple}" ]; then
+ Le_OCSP_Staple="0"
+ fi
+ if [ "${Le_OCSP_Staple}" = "1" ]; then
+ _info "Updating OCSP stapling info"
+ _debug _ocsp "${_ocsp}"
+ _info "Extracting OCSP URL"
+ _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
+ _debug _ocsp_url "${_ocsp_url}"
+
+ # Only process OCSP if URL was present
+ if [ "${_ocsp_url}" != "" ]; then
+ # Extract the hostname from the OCSP URL
+ _info "Extracting OCSP URL"
+ _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3)
+ _debug _ocsp_host "${_ocsp_host}"
+
+ # Only process the certificate if we have a .issuer file
+ if [ -r "${_issuer}" ]; then
+ # Check if issuer cert is also a root CA cert
+ _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _debug _subjectdn "${_subjectdn}"
+ _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
+ _debug _issuerdn "${_issuerdn}"
+ _info "Requesting OCSP response"
+ # If the issuer is a CA cert then our command line has "-CAfile" added
+ if [ "${_subjectdn}" = "${_issuerdn}" ]; then
+ _cafile_argument="-CAfile \"${_issuer}\""
+ else
+ _cafile_argument=""
+ fi
+ _debug _cafile_argument "${_cafile_argument}"
+ # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
+ _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
+ _debug _openssl_version "${_openssl_version}"
+ _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
+ _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
+ if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
+ _header_sep="="
+ else
+ _header_sep=" "
+ fi
+ # Request the OCSP response from the issuer and store it
+ _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
+ -issuer \"${_issuer}\" \
+ -cert \"${_pem}\" \
+ -url \"${_ocsp_url}\" \
+ -header Host${_header_sep}\"${_ocsp_host}\" \
+ -respout \"${_ocsp}\" \
+ -verify_other \"${_issuer}\" \
+ ${_cafile_argument} \
+ | grep -q \"${_pem}: good\""
+ _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
+ eval "${_openssl_ocsp_cmd}"
+ _ret=$?
+ else
+ # Non fatal: No issuer file was present so no OCSP stapling file created
+ _err "OCSP stapling in use but no .issuer file was present"
+ fi
+ else
+ # Non fatal: No OCSP url was found int the certificate
+ _err "OCSP update requested but no OCSP URL was found in certificate"
+ fi
+
+ # Non fatal: Check return code of openssl command
+ if [ "${_ret}" != "0" ]; then
+ _err "Updating OCSP stapling failed with return code ${_ret}"
+ fi
+ else
+ # An OCSP file was already present but certificate did not have OCSP extension
+ if [ -f "${_ocsp}" ]; then
+ _err "OCSP was not requested but .ocsp file exists."
+ # Could remove the file at this step, although Lighttpd just ignores it in this case
+ # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file"
+ fi
+ fi
+
+ # Reload Lighttpd
+ _debug _reload "${_reload}"
+ eval "${_reload}"
+ _ret=$?
+ if [ "${_ret}" != "0" ]; then
+ _err "Error code ${_ret} during reload"
+ return ${_ret}
+ else
+ _info "Reload successful"
+ fi
+
+ return 0
+}
diff --git a/deploy/mailcow.sh b/deploy/mailcow.sh
index 3a806e83..c3535e7e 100644
--- a/deploy/mailcow.sh
+++ b/deploy/mailcow.sh
@@ -27,26 +27,43 @@ mailcow_deploy() {
return 1
fi
- _ssl_path="${_mailcow_path}/data/assets/ssl/"
+ #Tests if _ssl_path is the mailcow root directory.
+ if [ -f "${_mailcow_path}/generate_config.sh" ]; then
+ _ssl_path="${_mailcow_path}/data/assets/ssl/"
+ else
+ _ssl_path="${_mailcow_path}"
+ fi
+
if [ ! -d "$_ssl_path" ]; then
_err "Cannot find mailcow ssl path: $_ssl_path"
return 1
fi
+ # ECC or RSA
+ if [ -z "${Le_Keylength}" ]; then
+ Le_Keylength=""
+ fi
+ if _isEccKey "${Le_Keylength}"; then
+ _info "ECC key type detected"
+ _cert_name_prefix="ecdsa-"
+ else
+ _info "RSA key type detected"
+ _cert_name_prefix=""
+ fi
_info "Copying key and cert"
- _real_key="$_ssl_path/key.pem"
+ _real_key="$_ssl_path/${_cert_name_prefix}key.pem"
if ! cat "$_ckey" >"$_real_key"; then
_err "Error: write key file to: $_real_key"
return 1
fi
- _real_fullchain="$_ssl_path/cert.pem"
+ _real_fullchain="$_ssl_path/${_cert_name_prefix}cert.pem"
if ! cat "$_cfullchain" >"$_real_fullchain"; then
_err "Error: write cert file to: $_real_fullchain"
return 1
fi
- DEFAULT_MAILCOW_RELOAD="cd ${_mailcow_path} && docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow"
+ DEFAULT_MAILCOW_RELOAD="docker restart $(docker ps -qaf name=postfix-mailcow); docker restart $(docker ps -qaf name=nginx-mailcow); docker restart $(docker ps -qaf name=dovecot-mailcow)"
_reload="${DEPLOY_MAILCOW_RELOAD:-$DEFAULT_MAILCOW_RELOAD}"
_info "Run reload: $_reload"
diff --git a/deploy/openmediavault.sh b/deploy/openmediavault.sh
new file mode 100644
index 00000000..cfc2d332
--- /dev/null
+++ b/deploy/openmediavault.sh
@@ -0,0 +1,156 @@
+#!/usr/bin/env sh
+
+# This deploy hook is tested on OpenMediaVault 5.x. It supports both local and remote deployment.
+# The way it works is that if a cert with the matching domain name is not found, it will firstly create a dummy cert to get its uuid, and then replace it with your cert.
+#
+# DEPLOY_OMV_WEBUI_ADMIN - This is OMV web gui admin account. Default value is admin. It's required as the user parameter (-u) for the omv-rpc command.
+# DEPLOY_OMV_HOST and DEPLOY_OMV_SSH_USER are optional. They are used for remote deployment through ssh (support public key authentication only). Per design, OMV web gui admin doesn't have ssh permission, so another account is needed for ssh.
+#
+# returns 0 means success, otherwise error.
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+openmediavault_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ _getdeployconf DEPLOY_OMV_WEBUI_ADMIN
+
+ if [ -z "$DEPLOY_OMV_WEBUI_ADMIN" ]; then
+ DEPLOY_OMV_WEBUI_ADMIN="admin"
+ fi
+
+ _savedeployconf DEPLOY_OMV_WEBUI_ADMIN "$DEPLOY_OMV_WEBUI_ADMIN"
+
+ _getdeployconf DEPLOY_OMV_HOST
+ _getdeployconf DEPLOY_OMV_SSH_USER
+
+ if [ -n "$DEPLOY_OMV_HOST" ] && [ -n "$DEPLOY_OMV_SSH_USER" ]; then
+ _info "[OMV deploy-hook] Deploy certificate remotely through ssh."
+ _savedeployconf DEPLOY_OMV_HOST "$DEPLOY_OMV_HOST"
+ _savedeployconf DEPLOY_OMV_SSH_USER "$DEPLOY_OMV_SSH_USER"
+ else
+ _info "[OMV deploy-hook] Deploy certificate locally."
+ fi
+
+ if [ -n "$DEPLOY_OMV_HOST" ] && [ -n "$DEPLOY_OMV_SSH_USER" ]; then
+
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'getList' '{\"start\": 0, \"limit\": -1}' | jq -r '.data[] | select(.name==\"/CN='$_cdomain'\") | .uuid'"
+ # shellcheck disable=SC2029
+ _uuid=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command")
+ _debug _command "$_command"
+
+ if [ -z "$_uuid" ]; then
+ _info "[OMV deploy-hook] Domain $_cdomain has no certificate in openmediavault, creating it!"
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'create' '{\"cn\": \"test.example.com\", \"size\": 4096, \"days\": 3650, \"c\": \"\", \"st\": \"\", \"l\": \"\", \"o\": \"\", \"ou\": \"\", \"email\": \"\"}' | jq -r '.uuid'"
+ # shellcheck disable=SC2029
+ _uuid=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command")
+ _debug _command "$_command"
+
+ if [ -z "$_uuid" ]; then
+ _err "[OMV deploy-hook] An error occured while creating the certificate"
+ return 1
+ fi
+ fi
+
+ _info "[OMV deploy-hook] Domain $_cdomain has uuid: $_uuid"
+ _fullchain=$(jq <"$_cfullchain" -aRs .)
+ _key=$(jq <"$_ckey" -aRs .)
+
+ _debug _fullchain "$_fullchain"
+ _debug _key "$_key"
+
+ _info "[OMV deploy-hook] Updating key and certificate in openmediavault"
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'set' '{\"uuid\":\"$_uuid\", \"certificate\":$_fullchain, \"privatekey\":$_key, \"comment\":\"acme.sh deployed $(date)\"}'"
+ # shellcheck disable=SC2029
+ _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'setSettings' \$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'getSettings' | jq -c '.sslcertificateref=\"$_uuid\"')"
+ # shellcheck disable=SC2029
+ _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ _info "[OMV deploy-hook] Asking openmediavault to apply changes... (this could take some time, hang in there)"
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'Config' 'applyChanges' '{\"modules\":[], \"force\": false}'"
+ # shellcheck disable=SC2029
+ _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ _info "[OMV deploy-hook] Asking nginx to reload"
+ _command="nginx -s reload"
+ # shellcheck disable=SC2029
+ _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ else
+
+ # shellcheck disable=SC2086
+ _uuid=$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'getList' '{"start": 0, "limit": -1}' | jq -r '.data[] | select(.name=="/CN='$_cdomain'") | .uuid')
+ if [ -z "$_uuid" ]; then
+ _info "[OMV deploy-hook] Domain $_cdomain has no certificate in openmediavault, creating it!"
+ # shellcheck disable=SC2086
+ _uuid=$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'create' '{"cn": "test.example.com", "size": 4096, "days": 3650, "c": "", "st": "", "l": "", "o": "", "ou": "", "email": ""}' | jq -r '.uuid')
+
+ if [ -z "$_uuid" ]; then
+ _err "[OMB deploy-hook] An error occured while creating the certificate"
+ return 1
+ fi
+ fi
+
+ _info "[OMV deploy-hook] Domain $_cdomain has uuid: $_uuid"
+ _fullchain=$(jq <"$_cfullchain" -aRs .)
+ _key=$(jq <"$_ckey" -aRs .)
+
+ _debug _fullchain "$_fullchain"
+ _debug _key "$_key"
+
+ _info "[OMV deploy-hook] Updating key and certificate in openmediavault"
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'set' '{\"uuid\":\"$_uuid\", \"certificate\":$_fullchain, \"privatekey\":$_key, \"comment\":\"acme.sh deployed $(date)\"}'"
+ _result=$(eval "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'setSettings' \$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'getSettings' | jq -c '.sslcertificateref=\"$_uuid\"')"
+ _result=$(eval "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ _info "[OMV deploy-hook] Asking openmediavault to apply changes... (this could take some time, hang in there)"
+ _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'Config' 'applyChanges' '{\"modules\":[], \"force\": false}'"
+ _result=$(eval "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ _info "[OMV deploy-hook] Asking nginx to reload"
+ _command="nginx -s reload"
+ _result=$(eval "$_command")
+
+ _debug _command "$_command"
+ _debug _result "$_result"
+
+ fi
+
+ return 0
+}
diff --git a/deploy/peplink.sh b/deploy/peplink.sh
new file mode 100644
index 00000000..c4bd6242
--- /dev/null
+++ b/deploy/peplink.sh
@@ -0,0 +1,123 @@
+#!/usr/bin/env sh
+
+# Script to deploy cert to Peplink Routers
+#
+# The following environment variables must be set:
+#
+# PEPLINK_Hostname - Peplink hostname
+# PEPLINK_Username - Peplink username to login
+# PEPLINK_Password - Peplink password to login
+#
+# The following environmental variables may be set if you don't like their
+# default values:
+#
+# PEPLINK_Certtype - Certificate type to target for replacement
+# defaults to "webadmin", can be one of:
+# * "chub" (ContentHub)
+# * "openvpn" (OpenVPN CA)
+# * "portal" (Captive Portal SSL)
+# * "webadmin" (Web Admin SSL)
+# * "webproxy" (Proxy Root CA)
+# * "wwan_ca" (Wi-Fi WAN CA)
+# * "wwan_client" (Wi-Fi WAN Client)
+# PEPLINK_Scheme - defaults to "https"
+# PEPLINK_Port - defaults to "443"
+#
+#returns 0 means success, otherwise error.
+
+######## Public functions #####################
+
+_peplink_get_cookie_data() {
+ grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
+}
+
+#domain keyfile certfile cafile fullchain
+peplink_deploy() {
+
+ _cdomain="$1"
+ _ckey="$2"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _cfullchain "$_cfullchain"
+ _debug _ckey "$_ckey"
+
+ # Get Hostname, Username and Password, but don't save until we successfully authenticate
+ _getdeployconf PEPLINK_Hostname
+ _getdeployconf PEPLINK_Username
+ _getdeployconf PEPLINK_Password
+ if [ -z "${PEPLINK_Hostname:-}" ] || [ -z "${PEPLINK_Username:-}" ] || [ -z "${PEPLINK_Password:-}" ]; then
+ _err "PEPLINK_Hostname & PEPLINK_Username & PEPLINK_Password must be set"
+ return 1
+ fi
+ _debug2 PEPLINK_Hostname "$PEPLINK_Hostname"
+ _debug2 PEPLINK_Username "$PEPLINK_Username"
+ _secure_debug2 PEPLINK_Password "$PEPLINK_Password"
+
+ # Optional certificate type, scheme, and port for Peplink
+ _getdeployconf PEPLINK_Certtype
+ _getdeployconf PEPLINK_Scheme
+ _getdeployconf PEPLINK_Port
+
+ # Don't save the certificate type until we verify it exists and is supported
+ _savedeployconf PEPLINK_Scheme "$PEPLINK_Scheme"
+ _savedeployconf PEPLINK_Port "$PEPLINK_Port"
+
+ # Default vaules for certificate type, scheme, and port
+ [ -n "${PEPLINK_Certtype}" ] || PEPLINK_Certtype="webadmin"
+ [ -n "${PEPLINK_Scheme}" ] || PEPLINK_Scheme="https"
+ [ -n "${PEPLINK_Port}" ] || PEPLINK_Port="443"
+
+ _debug2 PEPLINK_Certtype "$PEPLINK_Certtype"
+ _debug2 PEPLINK_Scheme "$PEPLINK_Scheme"
+ _debug2 PEPLINK_Port "$PEPLINK_Port"
+
+ _base_url="$PEPLINK_Scheme://$PEPLINK_Hostname:$PEPLINK_Port"
+ _debug _base_url "$_base_url"
+
+ # Login, get the auth token from the cookie
+ _info "Logging into $PEPLINK_Hostname:$PEPLINK_Port"
+ encoded_username="$(printf "%s" "$PEPLINK_Username" | _url_encode)"
+ encoded_password="$(printf "%s" "$PEPLINK_Password" | _url_encode)"
+ response=$(_post "func=login&username=$encoded_username&password=$encoded_password" "$_base_url/cgi-bin/MANGA/api.cgi")
+ auth_token=$(_peplink_get_cookie_data "bauth" <"$HTTP_HEADER")
+ _debug3 response "$response"
+ _debug auth_token "$auth_token"
+
+ if [ -z "$auth_token" ]; then
+ _err "Unable to authenticate to $PEPLINK_Hostname:$PEPLINK_Port using $PEPLINK_Scheme."
+ _err "Check your username and password."
+ return 1
+ fi
+
+ _H1="Cookie: $auth_token"
+ export _H1
+ _debug2 H1 "${_H1}"
+
+ # Now that we know the hostnameusername and password are good, save them
+ _savedeployconf PEPLINK_Hostname "$PEPLINK_Hostname"
+ _savedeployconf PEPLINK_Username "$PEPLINK_Username"
+ _savedeployconf PEPLINK_Password "$PEPLINK_Password"
+
+ _info "Generate form POST request"
+
+ encoded_key="$(_url_encode <"$_ckey")"
+ encoded_fullchain="$(_url_encode <"$_cfullchain")"
+ body="cert_type=$PEPLINK_Certtype&cert_uid=§ion=CERT_modify&key_pem=$encoded_key&key_pem_passphrase=&key_pem_passphrase_confirm=&cert_pem=$encoded_fullchain"
+ _debug3 body "$body"
+
+ _info "Upload $PEPLINK_Certtype certificate to the Peplink"
+
+ response=$(_post "$body" "$_base_url/cgi-bin/MANGA/admin.cgi")
+ _debug3 response "$response"
+
+ if echo "$response" | grep 'Success' >/dev/null; then
+ # We've verified this certificate type is valid, so save it
+ _savedeployconf PEPLINK_Certtype "$PEPLINK_Certtype"
+ _info "Certificate was updated"
+ return 0
+ else
+ _err "Unable to update certificate, error code $response"
+ return 1
+ fi
+}
diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index 2f349999..c4c9470d 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -23,6 +23,7 @@
# ```sh
# export ROUTER_OS_USERNAME=certuser
# export ROUTER_OS_HOST=router.example.com
+# export ROUTER_OS_PORT=22
#
# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
# ```
@@ -48,6 +49,16 @@
# One optional thing to do as well is to create a script that updates
# all the required services and run that script in a single command.
#
+# To adopt parameters to `scp` and/or `ssh` set the optional
+# `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly,
+# see ssh(1) and scp(1) for parameters to those commands.
+#
+# Example:
+# ```ssh
+# export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
+# export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
+# ````
+#
# returns 0 means success, otherwise error.
######## Public functions #####################
@@ -59,6 +70,7 @@ routeros_deploy() {
_ccert="$3"
_cca="$4"
_cfullchain="$5"
+ _err_code=0
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
@@ -66,29 +78,70 @@ routeros_deploy() {
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
+ _getdeployconf ROUTER_OS_HOST
+
if [ -z "$ROUTER_OS_HOST" ]; then
_debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
ROUTER_OS_HOST="$_cdomain"
fi
+ _getdeployconf ROUTER_OS_USERNAME
+
if [ -z "$ROUTER_OS_USERNAME" ]; then
_err "Need to set the env variable ROUTER_OS_USERNAME"
return 1
fi
+ _getdeployconf ROUTER_OS_PORT
+
+ if [ -z "$ROUTER_OS_PORT" ]; then
+ _debug "Using default port 22 as ROUTER_OS_PORT, please set if not correct."
+ ROUTER_OS_PORT=22
+ fi
+
+ _getdeployconf ROUTER_OS_SSH_CMD
+
+ if [ -z "$ROUTER_OS_SSH_CMD" ]; then
+ _debug "Use default ssh setup."
+ ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT"
+ fi
+
+ _getdeployconf ROUTER_OS_SCP_CMD
+
+ if [ -z "$ROUTER_OS_SCP_CMD" ]; then
+ _debug "USe default scp setup."
+ ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT"
+ fi
+
+ _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES
+
if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
_debug "Not enabling additional services"
ROUTER_OS_ADDITIONAL_SERVICES=""
fi
- _info "Trying to push key '$_ckey' to router"
- scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
- _info "Trying to push cert '$_cfullchain' to router"
- scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
- DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
-source=\"## generated by routeros deploy script in acme.sh;\
-\n/certificate remove [ find name=$_cdomain.cer_0 ];\
+ _savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST"
+ _savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME"
+ _savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT"
+ _savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD"
+ _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
+ _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"
+
+ # push key to routeros
+ if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
+ return $_err_code
+ fi
+
+ # push certificate chain to routeros
+ if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
+ return $_err_code
+ fi
+
+ DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
+comment=\"generated by routeros deploy script in acme.sh\" \
+source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
\n/certificate remove [ find name=$_cdomain.cer_1 ];\
+\n/certificate remove [ find name=$_cdomain.cer_2 ];\
\ndelay 1;\
\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
@@ -100,12 +153,51 @@ source=\"## generated by routeros deploy script in acme.sh;\
\n$ROUTER_OS_ADDITIONAL_SERVICES;\
\n\"
"
- # shellcheck disable=SC2029
- ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
- # shellcheck disable=SC2029
- ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
- # shellcheck disable=SC2029
- ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
+
+ if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then
+ return $_err_code
+ fi
+
+ if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
+ return $_err_code
+ fi
+
+ if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
+ return $_err_code
+ fi
return 0
}
+
+# inspired by deploy/ssh.sh
+_ssh_remote_cmd() {
+ _cmd="$1"
+ _secure_debug "Remote commands to execute: $_cmd"
+ _info "Submitting sequence of commands to routeros"
+ # quotations in bash cmd below intended. Squash travis spellcheck error
+ # shellcheck disable=SC2029
+ $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
+ _err_code="$?"
+
+ if [ "$_err_code" != "0" ]; then
+ _err "Error code $_err_code returned from routeros"
+ fi
+
+ return $_err_code
+}
+
+_scp_certificate() {
+ _src="$1"
+ _dst="$2"
+ _secure_debug "scp '$_src' to '$_dst'"
+ _info "Push key '$_src' to routeros"
+
+ $ROUTER_OS_SCP_CMD "$_src" "$_dst"
+ _err_code="$?"
+
+ if [ "$_err_code" != "0" ]; then
+ _err "Error code $_err_code returned from scp"
+ fi
+
+ return $_err_code
+}
diff --git a/deploy/ssh.sh b/deploy/ssh.sh
index 18de4aa6..89962621 100644
--- a/deploy/ssh.sh
+++ b/deploy/ssh.sh
@@ -35,11 +35,6 @@ ssh_deploy() {
_cfullchain="$5"
_deploy_ssh_servers=""
- if [ -f "$DOMAIN_CONF" ]; then
- # shellcheck disable=SC1090
- . "$DOMAIN_CONF"
- fi
-
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
@@ -47,6 +42,8 @@ ssh_deploy() {
_debug _cfullchain "$_cfullchain"
# USER is required to login by SSH to remote host.
+ _getdeployconf DEPLOY_SSH_USER
+ _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
if [ -z "$DEPLOY_SSH_USER" ]; then
if [ -z "$Le_Deploy_ssh_user" ]; then
_err "DEPLOY_SSH_USER not defined."
@@ -58,6 +55,8 @@ ssh_deploy() {
fi
# SERVER is optional. If not provided then use _cdomain
+ _getdeployconf DEPLOY_SSH_SERVER
+ _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
if [ -n "$DEPLOY_SSH_SERVER" ]; then
Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER"
_savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server"
@@ -66,6 +65,8 @@ ssh_deploy() {
fi
# CMD is optional. If not provided then use ssh
+ _getdeployconf DEPLOY_SSH_CMD
+ _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
if [ -n "$DEPLOY_SSH_CMD" ]; then
Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD"
_savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
@@ -74,6 +75,8 @@ ssh_deploy() {
fi
# BACKUP is optional. If not provided then default to previously saved value or yes.
+ _getdeployconf DEPLOY_SSH_BACKUP
+ _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then
Le_Deploy_ssh_backup="no"
elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
@@ -82,6 +85,8 @@ ssh_deploy() {
_savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup"
# BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
+ _getdeployconf DEPLOY_SSH_BACKUP_PATH
+ _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then
Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH"
elif [ -z "$Le_Deploy_ssh_backup_path" ]; then
@@ -91,6 +96,8 @@ ssh_deploy() {
# MULTI_CALL is optional. If not provided then default to previously saved
# value (which may be undefined... equivalent to "no").
+ _getdeployconf DEPLOY_SSH_MULTI_CALL
+ _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
Le_Deploy_ssh_multi_call="yes"
_savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call"
@@ -141,6 +148,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# KEYFILE is optional.
# If provided then private key will be copied to provided filename.
+ _getdeployconf DEPLOY_SSH_KEYFILE
+ _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE"
_savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile"
@@ -163,6 +172,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# CERTFILE is optional.
# If provided then certificate will be copied or appended to provided filename.
+ _getdeployconf DEPLOY_SSH_CERTFILE
+ _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE"
_savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile"
@@ -189,6 +200,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# CAFILE is optional.
# If provided then CA intermediate certificate will be copied or appended to provided filename.
+ _getdeployconf DEPLOY_SSH_CAFILE
+ _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
if [ -n "$DEPLOY_SSH_CAFILE" ]; then
Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE"
_savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
@@ -216,6 +229,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# FULLCHAIN is optional.
# If provided then fullchain certificate will be copied or appended to provided filename.
+ _getdeployconf DEPLOY_SSH_FULLCHAIN
+ _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN"
_savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
@@ -244,6 +259,8 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
# REMOTE_CMD is optional.
# If provided then this command will be executed on remote host.
+ _getdeployconf DEPLOY_SSH_REMOTE_CMD
+ _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD"
_savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index 2ec0ceb3..f30f82c0 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -2,8 +2,7 @@
# Here is a script to deploy cert to Synology DSM
#
-# it requires the jq and curl are in the $PATH and the following
-# environment variables must be set:
+# It requires following environment variables:
#
# SYNO_Username - Synology Username to login (must be an administrator)
# SYNO_Password - Synology Password to login
@@ -16,15 +15,17 @@
# SYNO_Hostname - defaults to localhost
# SYNO_Port - defaults to 5000
# SYNO_DID - device ID to skip OTP - defaults to empty
+# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty
+#
+# Dependencies:
+# -------------
+# - jq and curl
+# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set)
#
#returns 0 means success, otherwise error.
######## Public functions #####################
-_syno_get_cookie_data() {
- grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
-}
-
#domain keyfile certfile cafile fullchain
synology_dsm_deploy() {
@@ -40,6 +41,7 @@ synology_dsm_deploy() {
_getdeployconf SYNO_Password
_getdeployconf SYNO_Create
_getdeployconf SYNO_DID
+ _getdeployconf SYNO_TOTP_SECRET
if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
_err "SYNO_Username & SYNO_Password must be set"
return 1
@@ -70,41 +72,71 @@ synology_dsm_deploy() {
_getdeployconf SYNO_Certificate
_debug SYNO_Certificate "${SYNO_Certificate:-}"
+ # shellcheck disable=SC1003 # We are not trying to escape a single quote
+ if printf "%s" "$SYNO_Certificate" | grep '\\'; then
+ _err "Do not use a backslash (\) in your certificate description"
+ return 1
+ fi
+
_base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
_debug _base_url "$_base_url"
+ _debug "Getting API version"
+ response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
+ api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
+ _debug3 response "$response"
+ _debug3 api_version "$api_version"
+
# Login, get the token from JSON and session id from cookie
_info "Logging into $SYNO_Hostname:$SYNO_Port"
encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
- encoded_did="$(printf "%s" "$SYNO_DID" | _url_encode)"
- response=$(_get "$_base_url/webman/login.cgi?username=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_id=$encoded_did" 1)
- token=$(echo "$response" | grep -i "X-SYNO-TOKEN:" | sed -n 's/^X-SYNO-TOKEN: \(.*\)$/\1/pI' | tr -d "\r\n")
+
+ otp_code=""
+ if [ -n "$SYNO_TOTP_SECRET" ]; then
+ if _exists oathtool; then
+ otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
+ else
+ _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET"
+ return 1
+ fi
+ fi
+
+ if [ -n "$SYNO_DID" ]; then
+ _H1="Cookie: did=$SYNO_DID"
+ export _H1
+ _debug3 H1 "${_H1}"
+ fi
+
+ response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+ token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
_debug3 response "$response"
_debug token "$token"
if [ -z "$token" ]; then
_err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
_err "Check your username and password."
+ _err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET."
return 1
fi
+ sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
- _H1="Cookie: $(echo "$response" | _syno_get_cookie_data "id"); $(echo "$response" | _syno_get_cookie_data "smid")"
- _H2="X-SYNO-TOKEN: $token"
+ _H1="X-SYNO-TOKEN: $token"
export _H1
- export _H2
_debug2 H1 "${_H1}"
- _debug2 H2 "${_H2}"
# Now that we know the username and password are good, save them
_savedeployconf SYNO_Username "$SYNO_Username"
_savedeployconf SYNO_Password "$SYNO_Password"
_savedeployconf SYNO_DID "$SYNO_DID"
+ _savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET"
_info "Getting certificates in Synology DSM"
- response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi")
+ response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
_debug3 response "$response"
- id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
+ escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
+ _debug escaped_certificate "$escaped_certificate"
+ id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
_debug2 id "$id"
if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
@@ -113,13 +145,7 @@ synology_dsm_deploy() {
fi
# we've verified this certificate description is a thing, so save it
- _savedeployconf SYNO_Certificate "$SYNO_Certificate"
-
- default=false
- if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
- default=true
- fi
- _debug2 default "$default"
+ _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
_info "Generate form POST request"
nl="\0015\0012"
@@ -129,13 +155,18 @@ synology_dsm_deploy() {
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
- content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
+ if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
+ _debug2 default "this is the default certificate"
+ content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
+ else
+ _debug2 default "this is NOT the default certificate"
+ fi
content="$content${nl}--$delim--${nl}"
content="$(printf "%b_" "$content")"
content="${content%_}" # protect trailing \n
_info "Upload certificate to the Synology DSM"
- response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}")
+ response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
_debug3 response "$response"
if ! echo "$response" | grep '"error":' >/dev/null; then
diff --git a/deploy/truenas.sh b/deploy/truenas.sh
new file mode 100644
index 00000000..84cfd5f4
--- /dev/null
+++ b/deploy/truenas.sh
@@ -0,0 +1,202 @@
+#!/usr/bin/env sh
+
+# Here is a scipt to deploy the cert to your TrueNAS using the REST API.
+# https://www.truenas.com/docs/hub/additional-topics/api/rest_api.html
+#
+# Written by Frank Plass github@f-plass.de
+# https://github.com/danb35/deploy-freenas/blob/master/deploy_freenas.py
+# Thanks to danb35 for your template!
+#
+# Following environment variables must be set:
+#
+# export DEPLOY_TRUENAS_APIKEY="HTTPS redirection is enabled"
+ _info "Setting DEPLOY_TRUENAS_SCHEME to 'https'"
+ DEPLOY_TRUENAS_SCHEME="https"
+ _api_url="$DEPLOY_TRUENAS_SCHEME://$DEPLOY_TRUENAS_HOSTNAME/api/v2.0"
+ _savedeployconf DEPLOY_TRUENAS_SCHEME "$DEPLOY_TRUENAS_SCHEME"
+ fi
+
+ _info "Uploading new certificate to TrueNAS"
+ _certname="Letsencrypt_$(_utc_date | tr ' ' '_' | tr -d -- ':')"
+ _debug3 _certname "$_certname"
+
+ _certData="{\"create_type\": \"CERTIFICATE_CREATE_IMPORTED\", \"name\": \"${_certname}\", \"certificate\": \"$(_json_encode <"$_cfullchain")\", \"privatekey\": \"$(_json_encode <"$_ckey")\"}"
+ _add_cert_result="$(_post "$_certData" "$_api_url/certificate" "" "POST" "application/json")"
+
+ _debug3 _add_cert_result "$_add_cert_result"
+
+ _info "Fetching list of installed certificates"
+ _cert_list=$(_get "$_api_url/system/general/ui_certificate_choices")
+ _cert_id=$(echo "$_cert_list" | grep "$_certname" | sed -n 's/.*"\([0-9]\{1,\}\)".*$/\1/p')
+
+ _debug3 _cert_id "$_cert_id"
+
+ _info "Current activate certificate ID: $_cert_id"
+ _activateData="{\"ui_certificate\": \"${_cert_id}\"}"
+ _activate_result="$(_post "$_activateData" "$_api_url/system/general" "" "PUT" "application/json")"
+
+ _debug3 _activate_result "$_activate_result"
+
+ _info "Checking if WebDAV certificate is the same as the TrueNAS web UI"
+ _webdav_list=$(_get "$_api_url/webdav")
+ _webdav_cert_id=$(echo "$_webdav_list" | grep '"certssl":' | tr -d -- '"certsl: ,')
+
+ if [ "$_webdav_cert_id" = "$_active_cert_id" ]; then
+ _info "Updating the WebDAV certificate"
+ _debug _webdav_cert_id "$_webdav_cert_id"
+ _webdav_data="{\"certssl\": \"${_cert_id}\"}"
+ _activate_webdav_cert="$(_post "$_webdav_data" "$_api_url/webdav" "" "PUT" "application/json")"
+ _webdav_new_cert_id=$(echo "$_activate_webdav_cert" | _json_decode | grep '"certssl":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
+ if [ "$_webdav_new_cert_id" -eq "$_cert_id" ]; then
+ _info "WebDAV certificate updated successfully"
+ else
+ _err "Unable to set WebDAV certificate"
+ _debug3 _activate_webdav_cert "$_activate_webdav_cert"
+ _debug3 _webdav_new_cert_id "$_webdav_new_cert_id"
+ return 1
+ fi
+ _debug3 _webdav_new_cert_id "$_webdav_new_cert_id"
+ else
+ _info "WebDAV certificate is not configured or is not the same as TrueNAS web UI"
+ fi
+
+ _info "Checking if FTP certificate is the same as the TrueNAS web UI"
+ _ftp_list=$(_get "$_api_url/ftp")
+ _ftp_cert_id=$(echo "$_ftp_list" | grep '"ssltls_certificate":' | tr -d -- '"certislfa:_ ,')
+
+ if [ "$_ftp_cert_id" = "$_active_cert_id" ]; then
+ _info "Updating the FTP certificate"
+ _debug _ftp_cert_id "$_ftp_cert_id"
+ _ftp_data="{\"ssltls_certificate\": \"${_cert_id}\"}"
+ _activate_ftp_cert="$(_post "$_ftp_data" "$_api_url/ftp" "" "PUT" "application/json")"
+ _ftp_new_cert_id=$(echo "$_activate_ftp_cert" | _json_decode | grep '"ssltls_certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
+ if [ "$_ftp_new_cert_id" -eq "$_cert_id" ]; then
+ _info "FTP certificate updated successfully"
+ else
+ _err "Unable to set FTP certificate"
+ _debug3 _activate_ftp_cert "$_activate_ftp_cert"
+ _debug3 _ftp_new_cert_id "$_ftp_new_cert_id"
+ return 1
+ fi
+ _debug3 _activate_ftp_cert "$_activate_ftp_cert"
+ else
+ _info "FTP certificate is not configured or is not the same as TrueNAS web UI"
+ fi
+
+ _info "Checking if S3 certificate is the same as the TrueNAS web UI"
+ _s3_list=$(_get "$_api_url/s3")
+ _s3_cert_id=$(echo "$_s3_list" | grep '"certificate":' | tr -d -- '"certifa:_ ,')
+
+ if [ "$_s3_cert_id" = "$_active_cert_id" ]; then
+ _info "Updating the S3 certificate"
+ _debug _s3_cert_id "$_s3_cert_id"
+ _s3_data="{\"certificate\": \"${_cert_id}\"}"
+ _activate_s3_cert="$(_post "$_s3_data" "$_api_url/s3" "" "PUT" "application/json")"
+ _s3_new_cert_id=$(echo "$_activate_s3_cert" | _json_decode | grep '"certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
+ if [ "$_s3_new_cert_id" -eq "$_cert_id" ]; then
+ _info "S3 certificate updated successfully"
+ else
+ _err "Unable to set S3 certificate"
+ _debug3 _activate_s3_cert "$_activate_s3_cert"
+ _debug3 _s3_new_cert_id "$_s3_new_cert_id"
+ return 1
+ fi
+ _debug3 _activate_s3_cert "$_activate_s3_cert"
+ else
+ _info "S3 certificate is not configured or is not the same as TrueNAS web UI"
+ fi
+
+ _info "Deleting old certificate"
+ _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")"
+
+ _debug3 _delete_result "$_delete_result"
+
+ _info "Reloading TrueNAS web UI"
+ _restart_UI=$(_get "$_api_url/system/general/ui_restart")
+ _debug2 _restart_UI "$_restart_UI"
+
+ if [ -n "$_add_cert_result" ] && [ -n "$_activate_result" ]; then
+ return 0
+ else
+ _err "Certificate update was not succesful, please try again with --debug"
+ return 1
+ fi
+}
diff --git a/deploy/unifi.sh b/deploy/unifi.sh
index 184aa62e..a864135e 100644
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@@ -1,12 +1,43 @@
#!/usr/bin/env sh
-#Here is a script to deploy cert to unifi server.
+# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
+# It supports:
+# - self-hosted Unifi Controller
+# - Unifi Cloud Key (Gen1/2/2+)
+# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
#returns 0 means success, otherwise error.
+# The deploy-hook automatically detects standard Unifi installations
+# for each of the supported environments. Most users should not need
+# to set any of these variables, but if you are running a self-hosted
+# Controller with custom locations, set these as necessary before running
+# the deploy hook. (Defaults shown below.)
+#
+# Settings for Unifi Controller:
+# Location of Java keystore or unifi.keystore.jks file:
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
+# Keystore password (built into Unifi Controller, not a user-set password):
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
+# Command to restart Unifi Controller:
#DEPLOY_UNIFI_RELOAD="service unifi restart"
+#
+# Settings for Unifi Cloud Key Gen1 (nginx admin pages):
+# Directory where cloudkey.crt and cloudkey.key live:
+#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
+# Command to restart maintenance pages and Controller
+# (same setting as above, default is updated when running on Cloud Key Gen1):
+#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
+#
+# Settings for UnifiOS (Cloud Key Gen2):
+# Directory where unifi-core.crt and unifi-core.key live:
+#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
+# Command to restart unifi-core:
+#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
+#
+# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
+# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
######## Public functions #####################
@@ -24,77 +55,160 @@ unifi_deploy() {
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
- if ! _exists keytool; then
- _err "keytool not found"
- return 1
- fi
+ _getdeployconf DEPLOY_UNIFI_KEYSTORE
+ _getdeployconf DEPLOY_UNIFI_KEYPASS
+ _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
+ _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
+ _getdeployconf DEPLOY_UNIFI_RELOAD
- DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
- _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
- DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
- _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
- DEFAULT_UNIFI_RELOAD="service unifi restart"
- _reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
+ _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+ _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+ _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+ _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
+ _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
- _debug _unifi_keystore "$_unifi_keystore"
- if [ ! -f "$_unifi_keystore" ]; then
- if [ -z "$DEPLOY_UNIFI_KEYSTORE" ]; then
- _err "unifi keystore is not found, please define DEPLOY_UNIFI_KEYSTORE"
- return 1
- else
- _err "It seems that the specified unifi keystore is not valid, please check."
+ # Space-separated list of environments detected and installed:
+ _services_updated=""
+
+ # Default reload commands accumulated as we auto-detect environments:
+ _reload_cmd=""
+
+ # Unifi Controller environment (self hosted or any Cloud Key) --
+ # auto-detect by file /usr/lib/unifi/data/keystore:
+ _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
+ if [ -f "$_unifi_keystore" ]; then
+ _info "Installing certificate for Unifi Controller (Java keystore)"
+ _debug _unifi_keystore "$_unifi_keystore"
+ if ! _exists keytool; then
+ _err "keytool not found"
return 1
fi
- fi
- if [ ! -w "$_unifi_keystore" ]; then
- _err "The file $_unifi_keystore is not writable, please change the permission."
+ if [ ! -w "$_unifi_keystore" ]; then
+ _err "The file $_unifi_keystore is not writable, please change the permission."
+ return 1
+ fi
+
+ _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
+
+ _debug "Generate import pkcs12"
+ _import_pkcs12="$(_mktemp)"
+ _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
+ # shellcheck disable=SC2181
+ if [ "$?" != "0" ]; then
+ _err "Error generating pkcs12. Please re-run with --debug and report a bug."
+ return 1
+ fi
+
+ _debug "Import into keystore: $_unifi_keystore"
+ if keytool -importkeystore \
+ -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+ -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+ -alias unifi -noprompt; then
+ _debug "Import keystore success!"
+ rm "$_import_pkcs12"
+ else
+ _err "Error importing into Unifi Java keystore."
+ _err "Please re-run with --debug and report a bug."
+ rm "$_import_pkcs12"
+ return 1
+ fi
+
+ if systemctl -q is-active unifi; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
+ fi
+ _services_updated="${_services_updated} unifi"
+ _info "Install Unifi Controller certificate success!"
+ elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
+ _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
return 1
fi
- _info "Generate import pkcs12"
- _import_pkcs12="$(_mktemp)"
- _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
- if [ "$?" != "0" ]; then
- _err "Oops, error creating import pkcs12, please report bug to us."
+ # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
+ # auto-detect by file /etc/ssl/private/cloudkey.key:
+ _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
+ if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
+ _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
+ _debug _cloudkey_certdir "$_cloudkey_certdir"
+ if [ ! -w "$_cloudkey_certdir" ]; then
+ _err "The directory $_cloudkey_certdir is not writable; please check permissions."
+ return 1
+ fi
+ # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
+ # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
+ # updated above), but if not, we don't know how to handle this installation:
+ if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
+ _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
+ return 1
+ fi
+
+ cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
+ cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
+ (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
+
+ if systemctl -q is-active nginx; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
+ fi
+ _info "Install Cloud Key Gen1 certificate success!"
+ _services_updated="${_services_updated} nginx"
+ elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
+ _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
return 1
fi
- _info "Modify unifi keystore: $_unifi_keystore"
- if keytool -importkeystore \
- -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
- -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
- -alias unifi -noprompt; then
- _info "Import keystore success!"
- rm "$_import_pkcs12"
- else
- _err "Import unifi keystore error, please report bug to us."
- rm "$_import_pkcs12"
+ # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
+ _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
+ if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
+ _info "Installing certificate for UnifiOS"
+ _debug _unifi_core_config "$_unifi_core_config"
+ if [ ! -w "$_unifi_core_config" ]; then
+ _err "The directory $_unifi_core_config is not writable; please check permissions."
+ return 1
+ fi
+
+ cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
+ cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
+
+ if systemctl -q is-active unifi-core; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
+ fi
+ _info "Install UnifiOS certificate success!"
+ _services_updated="${_services_updated} unifi-core"
+ elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
+ _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
return 1
fi
- _info "Run reload: $_reload"
- if eval "$_reload"; then
+ if [ -z "$_services_updated" ]; then
+ # None of the Unifi environments were auto-detected, so no deployment has occurred
+ # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
+ _err "Unable to detect Unifi environment in standard location."
+ _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
+ _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
+ _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
+ return 1
+ fi
+
+ _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
+ if [ -z "$_reload_cmd" ]; then
+ _err "Certificates were installed for services:${_services_updated},"
+ _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
+ _err "to a command that will restart the necessary services."
+ return 1
+ fi
+ _info "Reload services (this may take some time): $_reload_cmd"
+ if eval "$_reload_cmd"; then
_info "Reload success!"
- if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
- _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
- else
- _cleardomainconf DEPLOY_UNIFI_KEYSTORE
- fi
- if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
- _savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
- else
- _cleardomainconf DEPLOY_UNIFI_KEYPASS
- fi
- if [ "$DEPLOY_UNIFI_RELOAD" ]; then
- _savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
- else
- _cleardomainconf DEPLOY_UNIFI_RELOAD
- fi
- return 0
else
_err "Reload error"
return 1
fi
- return 0
+ # Successful, so save all (non-default) config:
+ _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+ _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+ _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+ _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
+ _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+
+ return 0
}
diff --git a/deploy/vault.sh b/deploy/vault.sh
index 70c80444..399abaee 100644
--- a/deploy/vault.sh
+++ b/deploy/vault.sh
@@ -56,12 +56,23 @@ vault_deploy() {
export _H1="X-Vault-Token: $VAULT_TOKEN"
if [ -n "$FABIO" ]; then
- _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
+ if [ -n "$VAULT_KV_V2" ]; then
+ _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
+ else
+ _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
+ fi
else
- _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
- _post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
- _post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
- _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
+ if [ -n "$VAULT_KV_V2" ]; then
+ _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
+ _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
+ _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
+ _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
+ else
+ _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
+ _post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
+ _post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
+ _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
+ fi
fi
}
diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh
index 8b854137..cbb8cc59 100644
--- a/deploy/vault_cli.sh
+++ b/deploy/vault_cli.sh
@@ -50,12 +50,12 @@ vault_cli_deploy() {
fi
if [ -n "$FABIO" ]; then
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
else
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
fi
}
diff --git a/dnsapi/dns_1984hosting.sh b/dnsapi/dns_1984hosting.sh
index d720c1c5..db0cbe15 100755
--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@@ -46,7 +46,7 @@ dns_1984hosting_add() {
postdata="entry=new"
postdata="$postdata&type=TXT"
- postdata="$postdata&ttl=3600"
+ postdata="$postdata&ttl=900"
postdata="$postdata&zone=$_domain"
postdata="$postdata&host=$_sub_domain"
postdata="$postdata&rdata=%22$value%22"
@@ -59,7 +59,7 @@ dns_1984hosting_add() {
if _contains "$response" '"haserrors": true'; then
_err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post"
return 1
- elif _contains "$response" ""; then
+ elif _contains "$response" "html>"; then
_err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file"
return 1
elif _contains "$response" '"auth": false'; then
@@ -93,20 +93,15 @@ dns_1984hosting_rm() {
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
-
_debug "Delete $fulldomain TXT record"
- url="https://management.1984hosting.com/domains"
- _htmlget "$url" "$_domain"
- _debug2 _response "$_response"
- zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+')"
- _debug2 zone_id "$zone_id"
- if [ -z "$zone_id" ]; then
- _err "Error getting zone_id for $1"
+ url="https://management.1984hosting.com/domains"
+ if ! _get_zone_id "$url" "$_domain"; then
+ _err "invalid zone" "$_domain"
return 1
fi
- _htmlget "$url/$zone_id" "$_sub_domain"
+ _htmlget "$url/$_zone_id" "$txtvalue"
_debug2 _response "$_response"
entry_id="$(echo "$_response" | _egrep_o 'entry_[0-9]+' | sed 's/entry_//')"
_debug2 entry_id "$entry_id"
@@ -135,7 +130,7 @@ dns_1984hosting_rm() {
_1984hosting_login() {
if ! _check_credentials; then return 1; fi
- if _check_cookie; then
+ if _check_cookies; then
_debug "Already logged in"
return 0
fi
@@ -145,14 +140,17 @@ _1984hosting_login() {
password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
url="https://management.1984hosting.com/accounts/checkuserauth/"
- response="$(_post "username=$username&password=$password&otpkey=" "$url")"
+ response="$(_post "username=$username&password=$password&otpkey=" $url)"
response="$(echo "$response" | _normalizeJson)"
_debug2 response "$response"
if _contains "$response" '"loggedin": true'; then
- One984HOSTING_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _tail_n 1 | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
- export One984HOSTING_COOKIE
- _saveaccountconf_mutable One984HOSTING_COOKIE "$One984HOSTING_COOKIE"
+ One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
+ One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
+ export One984HOSTING_SESSIONID_COOKIE
+ export One984HOSTING_CSRFTOKEN_COOKIE
+ _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
+ _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
return 0
fi
return 1
@@ -169,22 +167,24 @@ _check_credentials() {
return 0
}
-_check_cookie() {
- One984HOSTING_COOKIE="${One984HOSTING_COOKIE:-$(_readaccountconf_mutable One984HOSTING_COOKIE)}"
- if [ -z "$One984HOSTING_COOKIE" ]; then
- _debug "No cached cookie found"
+_check_cookies() {
+ One984HOSTING_SESSIONID_COOKIE="${One984HOSTING_SESSIONID_COOKIE:-$(_readaccountconf_mutable One984HOSTING_SESSIONID_COOKIE)}"
+ One984HOSTING_CSRFTOKEN_COOKIE="${One984HOSTING_CSRFTOKEN_COOKIE:-$(_readaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE)}"
+ if [ -z "$One984HOSTING_SESSIONID_COOKIE" ] || [ -z "$One984HOSTING_CSRFTOKEN_COOKIE" ]; then
+ _debug "No cached cookie(s) found"
return 1
fi
_authget "https://management.1984hosting.com/accounts/loginstatus/"
- response="$(echo "$_response" | _normalizeJson)"
if _contains "$response" '"ok": true'; then
- _debug "Cached cookie still valid"
+ _debug "Cached cookies still valid"
return 0
fi
- _debug "Cached cookie no longer valid"
- One984HOSTING_COOKIE=""
- _saveaccountconf_mutable One984HOSTING_COOKIE "$One984HOSTING_COOKIE"
+ _debug "Cached cookies no longer valid"
+ One984HOSTING_SESSIONID_COOKIE=""
+ One984HOSTING_CSRFTOKEN_COOKIE=""
+ _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
+ _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
return 1
}
@@ -194,7 +194,7 @@ _check_cookie() {
# _domain=domain.com
_get_root() {
domain="$1"
- i=2
+ i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -205,7 +205,7 @@ _get_root() {
fi
_authget "https://management.1984hosting.com/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
- if _contains "$_response" "serial"; then
+ if _contains "$_response" "serial" && ! _contains "$_response" "null"; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain="$h"
return 0
@@ -216,21 +216,46 @@ _get_root() {
return 1
}
+#usage: _get_zone_id url domain.com
+#returns zone id for domain.com
+_get_zone_id() {
+ url=$1
+ domain=$2
+ _htmlget "$url" "$domain"
+ _debug2 _response "$_response"
+ _zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+' | _head_n 1)"
+ _debug2 _zone_id "$_zone_id"
+ if [ -z "$_zone_id" ]; then
+ _err "Error getting _zone_id for $2"
+ return 1
+ fi
+ return 0
+}
+
# add extra headers to request
_authget() {
- export _H1="Cookie: $One984HOSTING_COOKIE"
- _response=$(_get "$1")
+ export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+ _response=$(_get "$1" | _normalizeJson)
+ _debug2 _response "$_response"
}
# truncate huge HTML response
# echo: Argument list too long
_htmlget() {
- export _H1="Cookie: $One984HOSTING_COOKIE"
- _response=$(_get "$1" | grep "$2" | _head_n 1)
+ export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+ _response=$(_get "$1" | grep "$2")
+ if _contains "$_response" "@$2"; then
+ _response=$(echo "$_response" | grep -v "[@]" | _head_n 1)
+ fi
}
# add extra headers to request
_authpost() {
- export _H1="Cookie: $One984HOSTING_COOKIE"
+ url="https://management.1984hosting.com/domains"
+ _get_zone_id "$url" "$_domain"
+ csrf_header="$(echo "$One984HOSTING_CSRFTOKEN_COOKIE" | _egrep_o "=[^=][0-9a-zA-Z]*" | tr -d "=")"
+ export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+ export _H2="Referer: https://management.1984hosting.com/domains/$_zone_id"
+ export _H3="X-CSRFToken: $csrf_header"
_response=$(_post "$1" "$2")
}
diff --git a/dnsapi/dns_acmedns.sh b/dnsapi/dns_acmedns.sh
old mode 100644
new mode 100755
index 9b3efa48..057f9742
--- a/dnsapi/dns_acmedns.sh
+++ b/dnsapi/dns_acmedns.sh
@@ -1,31 +1,70 @@
#!/usr/bin/env sh
#
#Author: Wolfgang Ebner
-#Report Bugs here: https://github.com/webner/acme.sh
+#Author: Sven Neubuaer
+#Report Bugs here: https://github.com/dampfklon/acme.sh
+#
+# Usage:
+# export ACMEDNS_BASE_URL="https://auth.acme-dns.io"
+#
+# You can optionally define an already existing account:
+#
+# export ACMEDNS_USERNAME=""
+# export ACMEDNS_PASSWORD=""
+# export ACMEDNS_SUBDOMAIN=""
#
######## Public functions #####################
#Usage: dns_acmedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
dns_acmedns_add() {
fulldomain=$1
txtvalue=$2
_info "Using acme-dns"
- _debug fulldomain "$fulldomain"
- _debug txtvalue "$txtvalue"
+ _debug "fulldomain $fulldomain"
+ _debug "txtvalue $txtvalue"
- ACMEDNS_UPDATE_URL="${ACMEDNS_UPDATE_URL:-$(_readaccountconf_mutable ACMEDNS_UPDATE_URL)}"
+ #for compatiblity from account conf
ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readaccountconf_mutable ACMEDNS_USERNAME)}"
+ _clearaccountconf_mutable ACMEDNS_USERNAME
ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readaccountconf_mutable ACMEDNS_PASSWORD)}"
+ _clearaccountconf_mutable ACMEDNS_PASSWORD
ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readaccountconf_mutable ACMEDNS_SUBDOMAIN)}"
+ _clearaccountconf_mutable ACMEDNS_SUBDOMAIN
- if [ "$ACMEDNS_UPDATE_URL" = "" ]; then
- ACMEDNS_UPDATE_URL="https://auth.acme-dns.io/update"
+ ACMEDNS_BASE_URL="${ACMEDNS_BASE_URL:-$(_readdomainconf ACMEDNS_BASE_URL)}"
+ ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readdomainconf ACMEDNS_USERNAME)}"
+ ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readdomainconf ACMEDNS_PASSWORD)}"
+ ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readdomainconf ACMEDNS_SUBDOMAIN)}"
+
+ if [ "$ACMEDNS_BASE_URL" = "" ]; then
+ ACMEDNS_BASE_URL="https://auth.acme-dns.io"
fi
- _saveaccountconf_mutable ACMEDNS_UPDATE_URL "$ACMEDNS_UPDATE_URL"
- _saveaccountconf_mutable ACMEDNS_USERNAME "$ACMEDNS_USERNAME"
- _saveaccountconf_mutable ACMEDNS_PASSWORD "$ACMEDNS_PASSWORD"
- _saveaccountconf_mutable ACMEDNS_SUBDOMAIN "$ACMEDNS_SUBDOMAIN"
+ ACMEDNS_UPDATE_URL="$ACMEDNS_BASE_URL/update"
+ ACMEDNS_REGISTER_URL="$ACMEDNS_BASE_URL/register"
+
+ if [ -z "$ACMEDNS_USERNAME" ] || [ -z "$ACMEDNS_PASSWORD" ]; then
+ response="$(_post "" "$ACMEDNS_REGISTER_URL" "" "POST")"
+ _debug response "$response"
+ ACMEDNS_USERNAME=$(echo "$response" | sed -n 's/^{.*\"username\":[ ]*\"\([^\"]*\)\".*}/\1/p')
+ _debug "received username: $ACMEDNS_USERNAME"
+ ACMEDNS_PASSWORD=$(echo "$response" | sed -n 's/^{.*\"password\":[ ]*\"\([^\"]*\)\".*}/\1/p')
+ _debug "received password: $ACMEDNS_PASSWORD"
+ ACMEDNS_SUBDOMAIN=$(echo "$response" | sed -n 's/^{.*\"subdomain\":[ ]*\"\([^\"]*\)\".*}/\1/p')
+ _debug "received subdomain: $ACMEDNS_SUBDOMAIN"
+ ACMEDNS_FULLDOMAIN=$(echo "$response" | sed -n 's/^{.*\"fulldomain\":[ ]*\"\([^\"]*\)\".*}/\1/p')
+ _info "##########################################################"
+ _info "# Create $fulldomain CNAME $ACMEDNS_FULLDOMAIN DNS entry #"
+ _info "##########################################################"
+ _info "Press enter to continue... "
+ read -r _
+ fi
+
+ _savedomainconf ACMEDNS_BASE_URL "$ACMEDNS_BASE_URL"
+ _savedomainconf ACMEDNS_USERNAME "$ACMEDNS_USERNAME"
+ _savedomainconf ACMEDNS_PASSWORD "$ACMEDNS_PASSWORD"
+ _savedomainconf ACMEDNS_SUBDOMAIN "$ACMEDNS_SUBDOMAIN"
export _H1="X-Api-User: $ACMEDNS_USERNAME"
export _H2="X-Api-Key: $ACMEDNS_PASSWORD"
@@ -48,8 +87,8 @@ dns_acmedns_rm() {
fulldomain=$1
txtvalue=$2
_info "Using acme-dns"
- _debug fulldomain "$fulldomain"
- _debug txtvalue "$txtvalue"
+ _debug "fulldomain $fulldomain"
+ _debug "txtvalue $txtvalue"
}
#################### Private functions below ##################################
diff --git a/dnsapi/dns_arvan.sh b/dnsapi/dns_arvan.sh
index ca1f56c7..4c9217e5 100644
--- a/dnsapi/dns_arvan.sh
+++ b/dnsapi/dns_arvan.sh
@@ -1,10 +1,9 @@
#!/usr/bin/env sh
-#Arvan_Token="xxxx"
+#Arvan_Token="Apikey xxxx"
ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
-
-#Author: Ehsan Aliakbar
+#Author: Vahid Fardi
#Report Bugs here: https://github.com/Neilpang/acme.sh
#
######## Public functions #####################
@@ -38,6 +37,7 @@ dns_arvan_add() {
_info "Adding record"
if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then
if _contains "$response" "$txtvalue"; then
+ _info "response id is $response"
_info "Added, OK"
return 0
elif _contains "$response" "Record Data is Duplicated"; then
@@ -49,7 +49,7 @@ dns_arvan_add() {
fi
fi
_err "Add txt record error."
- return 1
+ return 0
}
#Usage: fulldomain txtvalue
@@ -73,33 +73,21 @@ dns_arvan_rm() {
_debug _domain "$_domain"
_debug "Getting txt records"
- shorted_txtvalue=$(printf "%s" "$txtvalue" | cut -d "-" -d "_" -f1)
- _arvan_rest GET "${_domain}/dns-records?search=$shorted_txtvalue"
-
+ _arvan_rest GET "${_domain}/dns-records"
if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then
_err "Error on Arvan Api"
_err "Please create a github issue with debbug log"
return 1
fi
- count=$(printf "%s\n" "$response" | _egrep_o "\"total\":[^,]*" | cut -d : -f 2)
- _debug count "$count"
- if [ "$count" = "0" ]; then
- _info "Don't need to remove."
- else
- record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
- _debug "record_id" "$record_id"
- if [ -z "$record_id" ]; then
- _err "Can not get record id to remove."
- return 1
- fi
- if ! _arvan_rest "DELETE" "${_domain}/dns-records/$record_id"; then
- _err "Delete record error."
- return 1
- fi
- _debug "$response"
- _contains "$response" 'dns record deleted'
+ _record_id=$(echo "$response" | _egrep_o ".\"id\":\"[^\"]*\",\"type\":\"txt\",\"name\":\"_acme-challenge\",\"value\":{\"text\":\"$txtvalue\"}" | cut -d : -f 2 | cut -d , -f 1 | tr -d \")
+ if ! _arvan_rest "DELETE" "${_domain}/dns-records/${_record_id}"; then
+ _err "Error on Arvan Api"
+ return 1
fi
+ _debug "$response"
+ _contains "$response" 'dns record deleted'
+ return 0
}
#################### Private functions below ##################################
@@ -111,7 +99,7 @@ dns_arvan_rm() {
# _domain_id=sdjkglgdfewsdfg
_get_root() {
domain=$1
- i=1
+ i=2
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -121,12 +109,11 @@ _get_root() {
return 1
fi
- if ! _arvan_rest GET "?search=$h"; then
+ if ! _arvan_rest GET "$h"; then
return 1
fi
-
- if _contains "$response" "\"domain\":\"$h\"" || _contains "$response" '"total":1'; then
- _domain_id=$(echo "$response" | _egrep_o "\[.\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ if _contains "$response" "\"domain\":\"$h\""; then
+ _domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \")
if [ "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain=$h
@@ -146,7 +133,6 @@ _arvan_rest() {
data="$3"
token_trimmed=$(echo "$Arvan_Token" | tr -d '"')
-
export _H1="Authorization: $token_trimmed"
if [ "$mtd" = "DELETE" ]; then
@@ -160,4 +146,5 @@ _arvan_rest() {
else
response="$(_get "$ARVAN_API_URL/$ep$data")"
fi
+ return 0
}
diff --git a/dnsapi/dns_aurora.sh b/dnsapi/dns_aurora.sh
new file mode 100644
index 00000000..00f44739
--- /dev/null
+++ b/dnsapi/dns_aurora.sh
@@ -0,0 +1,171 @@
+#!/usr/bin/env sh
+
+#
+#AURORA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
+#
+#AURORA_Secret="sdfsdfsdfljlbjkljlkjsdfoiwje"
+
+AURORA_Api="https://api.auroradns.eu"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_aurora_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
+ AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
+
+ if [ -z "$AURORA_Key" ] || [ -z "$AURORA_Secret" ]; then
+ AURORA_Key=""
+ AURORA_Secret=""
+ _err "You didn't specify an Aurora api key and secret yet."
+ _err "You can get yours from here https://cp.pcextreme.nl/auroradns/users."
+ return 1
+ fi
+
+ #save the api key and secret to the account conf file.
+ _saveaccountconf_mutable AURORA_Key "$AURORA_Key"
+ _saveaccountconf_mutable AURORA_Secret "$AURORA_Secret"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Adding record"
+ if _aurora_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Added, OK"
+ return 0
+ elif _contains "$response" "RecordExistsError"; then
+ _info "Already exists, OK"
+ return 0
+ else
+ _err "Add txt record error."
+ return 1
+ fi
+ fi
+ _err "Add txt record error."
+ return 1
+
+}
+
+#fulldomain txtvalue
+dns_aurora_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
+ AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _debug "Getting records"
+ _aurora_rest GET "zones/${_domain_id}/records"
+
+ if ! _contains "$response" "$txtvalue"; then
+ _info "Don't need to remove."
+ else
+ records=$(echo "$response" | _normalizeJson | tr -d "[]" | sed "s/},{/}|{/g" | tr "|" "\n")
+ if [ "$(echo "$records" | wc -l)" -le 2 ]; then
+ _err "Can not parse records."
+ return 1
+ fi
+ record_id=$(echo "$records" | grep "\"type\": *\"TXT\"" | grep "\"name\": *\"$_sub_domain\"" | grep "\"content\": *\"$txtvalue\"" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! _aurora_rest DELETE "zones/$_domain_id/records/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ fi
+ return 0
+
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if ! _aurora_rest GET "zones/$h"; then
+ return 1
+ fi
+
+ if _contains "$response" "\"name\": \"$h\""; then
+ _domain_id=$(echo "$response" | _normalizeJson | tr -d "{}" | tr "," "\n" | grep "\"id\": *\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+ _debug _domain_id "$_domain_id"
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_aurora_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+
+ key_trimmed=$(echo "$AURORA_Key" | tr -d '"')
+ secret_trimmed=$(echo "$AURORA_Secret" | tr -d '"')
+
+ timestamp=$(date -u +"%Y%m%dT%H%M%SZ")
+ signature=$(printf "%s/%s%s" "$m" "$ep" "$timestamp" | _hmac sha256 "$(printf "%s" "$secret_trimmed" | _hex_dump | tr -d " ")" | _base64)
+ authorization=$(printf "AuroraDNSv1 %s" "$(printf "%s:%s" "$key_trimmed" "$signature" | _base64)")
+
+ export _H1="Content-Type: application/json; charset=UTF-8"
+ export _H2="X-AuroraDNS-Date: $timestamp"
+ export _H3="Authorization: $authorization"
+
+ if [ "$m" != "GET" ]; then
+ _debug data "$data"
+ response="$(_post "$data" "$AURORA_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$AURORA_Api/$ep")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
diff --git a/dnsapi/dns_aws.sh b/dnsapi/dns_aws.sh
index 068c337c..14a4594d 100755
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@@ -32,7 +32,7 @@ dns_aws_add() {
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
AWS_ACCESS_KEY_ID=""
AWS_SECRET_ACCESS_KEY=""
- _err "You haven't specifed the aws route53 api key id and and api key secret yet."
+ _err "You haven't specified the aws route53 api key id and and api key secret yet."
_err "Please create your key and try again. see $(__green $AWS_WIKI)"
return 1
fi
diff --git a/dnsapi/dns_azion.sh b/dnsapi/dns_azion.sh
new file mode 100644
index 00000000..f215686d
--- /dev/null
+++ b/dnsapi/dns_azion.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/env sh
+
+#
+#AZION_Email=""
+#AZION_Password=""
+#
+
+AZION_Api="https://api.azionapi.net"
+
+######## Public functions ########
+
+# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_azion_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug "Detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "Domain not found"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ _debug _domain_id "$_domain_id"
+
+ _info "Add or update record"
+ _get_record "$_domain_id" "$_sub_domain"
+ if [ "$record_id" ]; then
+ _payload="{\"record_type\": \"TXT\", \"entry\": \"$_sub_domain\", \"answers_list\": [$answers_list, \"$txtvalue\"], \"ttl\": 20}"
+ if _azion_rest PUT "intelligent_dns/$_domain_id/records/$record_id" "$_payload"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Record updated."
+ return 0
+ fi
+ fi
+ else
+ _payload="{\"record_type\": \"TXT\", \"entry\": \"$_sub_domain\", \"answers_list\": [\"$txtvalue\"], \"ttl\": 20}"
+ if _azion_rest POST "intelligent_dns/$_domain_id/records" "$_payload"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Record added."
+ return 0
+ fi
+ fi
+ fi
+ _err "Failed to add or update record."
+ return 1
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+dns_azion_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug "Detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "Domain not found"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ _debug _domain_id "$_domain_id"
+
+ _info "Removing record"
+ _get_record "$_domain_id" "$_sub_domain"
+ if [ "$record_id" ]; then
+ if _azion_rest DELETE "intelligent_dns/$_domain_id/records/$record_id"; then
+ _info "Record removed."
+ return 0
+ else
+ _err "Failed to remove record."
+ return 1
+ fi
+ else
+ _info "Record not found or already removed."
+ return 0
+ fi
+}
+
+#################### Private functions below ##################################
+# Usage: _acme-challenge.www.domain.com
+# returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ if ! _azion_rest GET "intelligent_dns"; then
+ return 1
+ fi
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ # not valid
+ return 1
+ fi
+
+ if _contains "$response" "\"domain\":\"$h\""; then
+ _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"domain\":\"$h\"" | _egrep_o "\"id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ _debug _domain_id "$_domain_id"
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_get_record() {
+ _domain_id=$1
+ _record=$2
+
+ if ! _azion_rest GET "intelligent_dns/$_domain_id/records"; then
+ return 1
+ fi
+
+ if _contains "$response" "\"entry\":\"$_record\""; then
+ _json_record=$(echo "$response" | tr '{' "\n" | grep "\"entry\":\"$_record\"")
+ if [ "$_json_record" ]; then
+ record_id=$(echo "$_json_record" | _egrep_o "\"record_id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ answers_list=$(echo "$_json_record" | _egrep_o "\"answers_list\":\[.*\]" | _head_n 1 | cut -d : -f 2 | tr -d \[\])
+ return 0
+ fi
+ return 1
+ fi
+ return 1
+}
+
+_get_token() {
+ AZION_Email="${AZION_Email:-$(_readaccountconf_mutable AZION_Email)}"
+ AZION_Password="${AZION_Password:-$(_readaccountconf_mutable AZION_Password)}"
+
+ if ! _contains "$AZION_Email" "@"; then
+ _err "It seems that the AZION_Email is not a valid email address. Revalidate your environments."
+ return 1
+ fi
+
+ if [ -z "$AZION_Email" ] || [ -z "$AZION_Password" ]; then
+ _err "You didn't specified a AZION_Email/AZION_Password to generate Azion token."
+ return 1
+ fi
+
+ _saveaccountconf_mutable AZION_Email "$AZION_Email"
+ _saveaccountconf_mutable AZION_Password "$AZION_Password"
+
+ _basic_auth=$(printf "%s:%s" "$AZION_Email" "$AZION_Password" | _base64)
+ _debug _basic_auth "$_basic_auth"
+
+ export _H1="Accept: application/json; version=3"
+ export _H2="Content-Type: application/json"
+ export _H3="Authorization: Basic $_basic_auth"
+
+ response="$(_post "" "$AZION_Api/tokens" "" "POST")"
+ if _contains "$response" "\"token\":\"" >/dev/null; then
+ _azion_token=$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")
+ export AZION_Token="$_azion_token"
+ else
+ _err "Failed to generate Azion token"
+ return 1
+ fi
+}
+
+_azion_rest() {
+ _method=$1
+ _uri="$2"
+ _data="$3"
+
+ if [ -z "$AZION_Token" ]; then
+ _get_token
+ fi
+ _debug2 token "$AZION_Token"
+
+ export _H1="Accept: application/json; version=3"
+ export _H2="Content-Type: application/json"
+ export _H3="Authorization: token $AZION_Token"
+
+ if [ "$_method" != "GET" ]; then
+ _debug _data "$_data"
+ response="$(_post "$_data" "$AZION_Api/$_uri" "" "$_method")"
+ else
+ response="$(_get "$AZION_Api/$_uri")"
+ fi
+
+ _debug2 response "$response"
+
+ if [ "$?" != "0" ]; then
+ _err "error $_method $_uri $_data"
+ return 1
+ fi
+ return 0
+}
diff --git a/dnsapi/dns_azure.sh b/dnsapi/dns_azure.sh
index ce8a3fa7..1c33c13a 100644
--- a/dnsapi/dns_azure.sh
+++ b/dnsapi/dns_azure.sh
@@ -9,57 +9,72 @@ WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS"
#
# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/createorupdate
#
+
dns_azure_add() {
fulldomain=$1
txtvalue=$2
AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}"
- AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
- AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
- AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
-
if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then
AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_TENANTID=""
AZUREDNS_APPID=""
AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure Subscription ID "
+ _err "You didn't specify the Azure Subscription ID"
return 1
fi
-
- if [ -z "$AZUREDNS_TENANTID" ]; then
- AZUREDNS_SUBSCRIPTIONID=""
- AZUREDNS_TENANTID=""
- AZUREDNS_APPID=""
- AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure Tenant ID "
- return 1
- fi
-
- if [ -z "$AZUREDNS_APPID" ]; then
- AZUREDNS_SUBSCRIPTIONID=""
- AZUREDNS_TENANTID=""
- AZUREDNS_APPID=""
- AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure App ID"
- return 1
- fi
-
- if [ -z "$AZUREDNS_CLIENTSECRET" ]; then
- AZUREDNS_SUBSCRIPTIONID=""
- AZUREDNS_TENANTID=""
- AZUREDNS_APPID=""
- AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure Client Secret"
- return 1
- fi
- #save account details to account conf file.
+ #save subscription id to account conf file.
_saveaccountconf_mutable AZUREDNS_SUBSCRIPTIONID "$AZUREDNS_SUBSCRIPTIONID"
- _saveaccountconf_mutable AZUREDNS_TENANTID "$AZUREDNS_TENANTID"
- _saveaccountconf_mutable AZUREDNS_APPID "$AZUREDNS_APPID"
- _saveaccountconf_mutable AZUREDNS_CLIENTSECRET "$AZUREDNS_CLIENTSECRET"
- accesstoken=$(_azure_getaccess_token "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
+ AZUREDNS_MANAGEDIDENTITY="${AZUREDNS_MANAGEDIDENTITY:-$(_readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY)}"
+ if [ "$AZUREDNS_MANAGEDIDENTITY" = true ]; then
+ _info "Using Azure managed identity"
+ #save managed identity as preferred authentication method, clear service principal credentials from conf file.
+ _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "$AZUREDNS_MANAGEDIDENTITY"
+ _saveaccountconf_mutable AZUREDNS_TENANTID ""
+ _saveaccountconf_mutable AZUREDNS_APPID ""
+ _saveaccountconf_mutable AZUREDNS_CLIENTSECRET ""
+ else
+ _info "You didn't ask to use Azure managed identity, checking service principal credentials"
+ AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
+ AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
+ AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
+
+ if [ -z "$AZUREDNS_TENANTID" ]; then
+ AZUREDNS_SUBSCRIPTIONID=""
+ AZUREDNS_TENANTID=""
+ AZUREDNS_APPID=""
+ AZUREDNS_CLIENTSECRET=""
+ _err "You didn't specify the Azure Tenant ID "
+ return 1
+ fi
+
+ if [ -z "$AZUREDNS_APPID" ]; then
+ AZUREDNS_SUBSCRIPTIONID=""
+ AZUREDNS_TENANTID=""
+ AZUREDNS_APPID=""
+ AZUREDNS_CLIENTSECRET=""
+ _err "You didn't specify the Azure App ID"
+ return 1
+ fi
+
+ if [ -z "$AZUREDNS_CLIENTSECRET" ]; then
+ AZUREDNS_SUBSCRIPTIONID=""
+ AZUREDNS_TENANTID=""
+ AZUREDNS_APPID=""
+ AZUREDNS_CLIENTSECRET=""
+ _err "You didn't specify the Azure Client Secret"
+ return 1
+ fi
+
+ #save account details to account conf file, don't opt in for azure manages identity check.
+ _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "false"
+ _saveaccountconf_mutable AZUREDNS_TENANTID "$AZUREDNS_TENANTID"
+ _saveaccountconf_mutable AZUREDNS_APPID "$AZUREDNS_APPID"
+ _saveaccountconf_mutable AZUREDNS_CLIENTSECRET "$AZUREDNS_CLIENTSECRET"
+ fi
+
+ accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then
_err "invalid domain"
@@ -116,10 +131,6 @@ dns_azure_rm() {
txtvalue=$2
AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}"
- AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
- AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
- AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
-
if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then
AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_TENANTID=""
@@ -129,34 +140,44 @@ dns_azure_rm() {
return 1
fi
- if [ -z "$AZUREDNS_TENANTID" ]; then
- AZUREDNS_SUBSCRIPTIONID=""
- AZUREDNS_TENANTID=""
- AZUREDNS_APPID=""
- AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure Tenant ID "
- return 1
+ AZUREDNS_MANAGEDIDENTITY="${AZUREDNS_MANAGEDIDENTITY:-$(_readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY)}"
+ if [ "$AZUREDNS_MANAGEDIDENTITY" = true ]; then
+ _info "Using Azure managed identity"
+ else
+ _info "You didn't ask to use Azure managed identity, checking service principal credentials"
+ AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
+ AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
+ AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
+
+ if [ -z "$AZUREDNS_TENANTID" ]; then
+ AZUREDNS_SUBSCRIPTIONID=""
+ AZUREDNS_TENANTID=""
+ AZUREDNS_APPID=""
+ AZUREDNS_CLIENTSECRET=""
+ _err "You didn't specify the Azure Tenant ID "
+ return 1
+ fi
+
+ if [ -z "$AZUREDNS_APPID" ]; then
+ AZUREDNS_SUBSCRIPTIONID=""
+ AZUREDNS_TENANTID=""
+ AZUREDNS_APPID=""
+ AZUREDNS_CLIENTSECRET=""
+ _err "You didn't specify the Azure App ID"
+ return 1
+ fi
+
+ if [ -z "$AZUREDNS_CLIENTSECRET" ]; then
+ AZUREDNS_SUBSCRIPTIONID=""
+ AZUREDNS_TENANTID=""
+ AZUREDNS_APPID=""
+ AZUREDNS_CLIENTSECRET=""
+ _err "You didn't specify the Azure Client Secret"
+ return 1
+ fi
fi
- if [ -z "$AZUREDNS_APPID" ]; then
- AZUREDNS_SUBSCRIPTIONID=""
- AZUREDNS_TENANTID=""
- AZUREDNS_APPID=""
- AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure App ID"
- return 1
- fi
-
- if [ -z "$AZUREDNS_CLIENTSECRET" ]; then
- AZUREDNS_SUBSCRIPTIONID=""
- AZUREDNS_TENANTID=""
- AZUREDNS_APPID=""
- AZUREDNS_CLIENTSECRET=""
- _err "You didn't specify the Azure Client Secret"
- return 1
- fi
-
- accesstoken=$(_azure_getaccess_token "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
+ accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then
_err "invalid domain"
@@ -258,9 +279,10 @@ _azure_rest() {
## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token
_azure_getaccess_token() {
- tenantID=$1
- clientID=$2
- clientSecret=$3
+ managedIdentity=$1
+ tenantID=$2
+ clientID=$3
+ clientSecret=$4
accesstoken="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}"
expires_on="${AZUREDNS_TOKENVALIDTO:-$(_readaccountconf_mutable AZUREDNS_TOKENVALIDTO)}"
@@ -278,17 +300,25 @@ _azure_getaccess_token() {
fi
_debug "getting new bearer token"
- export _H1="accept: application/json"
- export _H2="Content-Type: application/x-www-form-urlencoded"
-
- body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
- _secure_debug2 "data $body"
- response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")"
- _ret="$?"
- _secure_debug2 "response $response"
- response="$(echo "$response" | _normalizeJson)"
- accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
- expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ if [ "$managedIdentity" = true ]; then
+ # https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
+ export _H1="Metadata: true"
+ response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)"
+ response="$(echo "$response" | _normalizeJson)"
+ accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ else
+ export _H1="accept: application/json"
+ export _H2="Content-Type: application/x-www-form-urlencoded"
+ body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
+ _secure_debug2 "data $body"
+ response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")"
+ _ret="$?"
+ _secure_debug2 "response $response"
+ response="$(echo "$response" | _normalizeJson)"
+ accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ fi
if [ -z "$accesstoken" ]; then
_err "no acccess token received. Check your Azure settings see $WIKI"
diff --git a/dnsapi/dns_cf.sh b/dnsapi/dns_cf.sh
index 36799dcd..c2430086 100755
--- a/dnsapi/dns_cf.sh
+++ b/dnsapi/dns_cf.sh
@@ -25,9 +25,15 @@ dns_cf_add() {
CF_Email="${CF_Email:-$(_readaccountconf_mutable CF_Email)}"
if [ "$CF_Token" ]; then
- _saveaccountconf_mutable CF_Token "$CF_Token"
- _saveaccountconf_mutable CF_Account_ID "$CF_Account_ID"
- _saveaccountconf_mutable CF_Zone_ID "$CF_Zone_ID"
+ if [ "$CF_Zone_ID" ]; then
+ _savedomainconf CF_Token "$CF_Token"
+ _savedomainconf CF_Account_ID "$CF_Account_ID"
+ _savedomainconf CF_Zone_ID "$CF_Zone_ID"
+ else
+ _saveaccountconf_mutable CF_Token "$CF_Token"
+ _saveaccountconf_mutable CF_Account_ID "$CF_Account_ID"
+ _saveaccountconf_mutable CF_Zone_ID "$CF_Zone_ID"
+ fi
else
if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
CF_Key=""
diff --git a/dnsapi/dns_cloudns.sh b/dnsapi/dns_cloudns.sh
index 381d17ec..b03fd579 100755
--- a/dnsapi/dns_cloudns.sh
+++ b/dnsapi/dns_cloudns.sh
@@ -2,11 +2,14 @@
# Author: Boyan Peychev
# Repository: https://github.com/ClouDNS/acme.sh/
+# Editor: I Komang Suryadana
#CLOUDNS_AUTH_ID=XXXXX
#CLOUDNS_SUB_AUTH_ID=XXXXX
#CLOUDNS_AUTH_PASSWORD="YYYYYYYYY"
CLOUDNS_API="https://api.cloudns.net"
+DOMAIN_TYPE=
+DOMAIN_MASTER=
######## Public functions #####################
@@ -61,6 +64,15 @@ dns_cloudns_rm() {
host="$(echo "$1" | sed "s/\.$zone\$//")"
record=$2
+ _dns_cloudns_get_zone_info "$zone"
+
+ _debug "Type" "$DOMAIN_TYPE"
+ _debug "Cloud Master" "$DOMAIN_MASTER"
+ if _contains "$DOMAIN_TYPE" "cloud"; then
+ zone=$DOMAIN_MASTER
+ fi
+ _debug "ZONE" "$zone"
+
_dns_cloudns_http_api_call "dns/records.json" "domain-name=$zone&host=$host&type=TXT"
if ! _contains "$response" "\"id\":"; then
return 1
@@ -134,6 +146,18 @@ _dns_cloudns_init_check() {
return 0
}
+_dns_cloudns_get_zone_info() {
+ zone=$1
+ _dns_cloudns_http_api_call "dns/get-zone-info.json" "domain-name=$zone"
+ if ! _contains "$response" "\"status\":\"Failed\""; then
+ DOMAIN_TYPE=$(echo "$response" | _egrep_o '"type":"[^"]*"' | cut -d : -f 2 | tr -d '"')
+ if _contains "$DOMAIN_TYPE" "cloud"; then
+ DOMAIN_MASTER=$(echo "$response" | _egrep_o '"cloud-master":"[^"]*"' | cut -d : -f 2 | tr -d '"')
+ fi
+ fi
+ return 0
+}
+
_dns_cloudns_get_zone_name() {
i=2
while true; do
diff --git a/dnsapi/dns_constellix.sh b/dnsapi/dns_constellix.sh
index 42df710d..69d216f0 100644
--- a/dnsapi/dns_constellix.sh
+++ b/dnsapi/dns_constellix.sh
@@ -30,16 +30,41 @@ dns_constellix_add() {
return 1
fi
- _info "Adding TXT record"
- if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":120,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
- if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
- _info "Added"
- return 0
+ # The TXT record might already exist when working with wildcard certificates. In that case, update the record by adding the new value.
+ _debug "Search TXT record"
+ if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
+ if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
+ _info "Adding TXT record"
+ if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":60,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
+ if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
+ _info "Added"
+ return 0
+ else
+ _err "Error adding TXT record"
+ fi
+ fi
else
- _err "Error adding TXT record"
- return 1
+ _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
+ if _constellix_rest GET "domains/${_domain_id}/records/TXT/${_record_id}"; then
+ _new_rr_values=$(printf "%s\n" "$response" | _egrep_o '"roundRobin":\[[^]]*\]' | sed "s/\]$/,{\"value\":\"${txtvalue}\"}]/")
+ _debug _new_rr_values "$_new_rr_values"
+ _info "Updating TXT record"
+ if _constellix_rest PUT "domains/${_domain_id}/records/TXT/${_record_id}" "{\"name\":\"${_sub_domain}\",\"ttl\":60,${_new_rr_values}}"; then
+ if printf -- "%s" "$response" | grep "{\"success\":\"Record.*updated successfully\"}" >/dev/null; then
+ _info "Updated"
+ return 0
+ elif printf -- "%s" "$response" | grep "{\"errors\":\[\"Contents are identical\"\]}" >/dev/null; then
+ _info "Already exists, no need to update"
+ return 0
+ else
+ _err "Error updating TXT record"
+ fi
+ fi
+ fi
fi
fi
+
+ return 1
}
# Usage: fulldomain txtvalue
@@ -61,16 +86,26 @@ dns_constellix_rm() {
return 1
fi
- _info "Removing TXT record"
- if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
- if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+ # The TXT record might have been removed already when working with some wildcard certificates.
+ _debug "Search TXT record"
+ if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
+ if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
_info "Removed"
return 0
else
- _err "Error removing TXT record"
- return 1
+ _info "Removing TXT record"
+ if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
+ if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+ _info "Removed"
+ return 0
+ else
+ _err "Error removing TXT record"
+ fi
+ fi
fi
fi
+
+ return 1
}
#################### Private functions below ##################################
@@ -91,7 +126,7 @@ _get_root() {
fi
if _contains "$response" "\"name\":\"$h\""; then
- _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]+" | cut -d ':' -f 2)
+ _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
if [ "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
_domain="$h"
diff --git a/dnsapi/dns_cpanel.sh b/dnsapi/dns_cpanel.sh
new file mode 100755
index 00000000..f91725a4
--- /dev/null
+++ b/dnsapi/dns_cpanel.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env sh
+#
+#Author: Bjarne Saltbaek
+#Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/3732
+#
+#
+######## Public functions #####################
+#
+# Export CPANEL username,api token and hostname in the following variables
+#
+# cPanel_Username=username
+# cPanel_Apitoken=apitoken
+# cPanel_Hostname=hostname
+#
+# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_cpanel_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _info "Adding TXT record to cPanel based system"
+ _debug fulldomain "$fulldomain"
+ _debug txtvalue "$txtvalue"
+ _debug cPanel_Username "$cPanel_Username"
+ _debug cPanel_Apitoken "$cPanel_Apitoken"
+ _debug cPanel_Hostname "$cPanel_Hostname"
+
+ if ! _cpanel_login; then
+ _err "cPanel Login failed for user $cPanel_Username. Check $HTTP_HEADER file"
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "No matching root domain for $fulldomain found"
+ return 1
+ fi
+ # adding entry
+ _info "Adding the entry"
+ stripped_fulldomain=$(echo "$fulldomain" | sed "s/.$_domain//")
+ _debug "Adding $stripped_fulldomain to $_domain zone"
+ _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=add_zone_record&domain=$_domain&name=$stripped_fulldomain&type=TXT&txtdata=$txtvalue&ttl=1"
+ if _successful_update; then return 0; fi
+ _err "Couldn't create entry!"
+ return 1
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+dns_cpanel_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _info "Using cPanel based system"
+ _debug fulldomain "$fulldomain"
+ _debug txtvalue "$txtvalue"
+
+ if ! _cpanel_login; then
+ _err "cPanel Login failed for user $cPanel_Username. Check $HTTP_HEADER file"
+ return 1
+ fi
+
+ if ! _get_root; then
+ _err "No matching root domain for $fulldomain found"
+ return 1
+ fi
+
+ _findentry "$fulldomain" "$txtvalue"
+ if [ -z "$_id" ]; then
+ _info "Entry doesn't exist, nothing to delete"
+ return 0
+ fi
+ _debug "Deleting record..."
+ _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=remove_zone_record&domain=$_domain&line=$_id"
+ # removing entry
+ _debug "_result is: $_result"
+
+ if _successful_update; then return 0; fi
+ _err "Couldn't delete entry!"
+ return 1
+}
+
+#################### Private functions below ##################################
+
+_checkcredentials() {
+ cPanel_Username="${cPanel_Username:-$(_readaccountconf_mutable cPanel_Username)}"
+ cPanel_Apitoken="${cPanel_Apitoken:-$(_readaccountconf_mutable cPanel_Apitoken)}"
+ cPanel_Hostname="${cPanel_Hostname:-$(_readaccountconf_mutable cPanel_Hostname)}"
+
+ if [ -z "$cPanel_Username" ] || [ -z "$cPanel_Apitoken" ] || [ -z "$cPanel_Hostname" ]; then
+ cPanel_Username=""
+ cPanel_Apitoken=""
+ cPanel_Hostname=""
+ _err "You haven't specified cPanel username, apitoken and hostname yet."
+ _err "Please add credentials and try again."
+ return 1
+ fi
+ #save the credentials to the account conf file.
+ _saveaccountconf_mutable cPanel_Username "$cPanel_Username"
+ _saveaccountconf_mutable cPanel_Apitoken "$cPanel_Apitoken"
+ _saveaccountconf_mutable cPanel_Hostname "$cPanel_Hostname"
+ return 0
+}
+
+_cpanel_login() {
+ if ! _checkcredentials; then return 1; fi
+
+ if ! _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=CustInfo&cpanel_jsonapi_func=displaycontactinfo"; then
+ _err "cPanel login failed for user $cPanel_Username."
+ return 1
+ fi
+ return 0
+}
+
+_myget() {
+ #Adds auth header to request
+ export _H1="Authorization: cpanel $cPanel_Username:$cPanel_Apitoken"
+ _result=$(_get "$cPanel_Hostname/$1")
+}
+
+_get_root() {
+ _myget 'json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzones'
+ _domains=$(echo "$_result" | sed 's/.*\(zones.*\[\).*/\1/' | cut -d':' -f2 | sed 's/"//g' | sed 's/{//g')
+ _debug "_result is: $_result"
+ _debug "_domains is: $_domains"
+ if [ -z "$_domains" ]; then
+ _err "Primary domain list not found!"
+ return 1
+ fi
+ for _domain in $_domains; do
+ _debug "Checking if $fulldomain ends with $_domain"
+ if (_endswith "$fulldomain" "$_domain"); then
+ _debug "Root domain: $_domain"
+ return 0
+ fi
+ done
+ return 1
+}
+
+_successful_update() {
+ if (echo "$_result" | grep -q 'newserial'); then return 0; fi
+ return 1
+}
+
+_findentry() {
+ _debug "In _findentry"
+ #returns id of dns entry, if it exists
+ _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$_domain"
+ _id=$(echo "$_result" | sed "s/.*\(line.*$fulldomain.*$txtvalue\).*/\1/" | cut -d ':' -f 2 | cut -d ',' -f 1)
+ _debug "_result is: $_result"
+ _debug "fulldomain. is $fulldomain."
+ _debug "txtvalue is $txtvalue"
+ _debug "_id is: $_id"
+ if [ -n "$_id" ]; then
+ _debug "Entry found with _id=$_id"
+ return 0
+ fi
+ return 1
+}
diff --git a/dnsapi/dns_curanet.sh b/dnsapi/dns_curanet.sh
new file mode 100644
index 00000000..4b39f365
--- /dev/null
+++ b/dnsapi/dns_curanet.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env sh
+
+#Script to use with curanet.dk, scannet.dk, wannafind.dk, dandomain.dk DNS management.
+#Requires api credentials with scope: dns
+#Author: Peter L. Hansen
+#Version 1.0
+
+CURANET_REST_URL="https://api.curanet.dk/dns/v1/Domains"
+CURANET_AUTH_URL="https://apiauth.dk.team.blue/auth/realms/Curanet/protocol/openid-connect/token"
+CURANET_ACCESS_TOKEN=""
+
+######## Public functions #####################
+
+#Usage: dns_curanet_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_curanet_add() {
+ fulldomain=$1
+ txtvalue=$2
+ _info "Using curanet"
+ _debug fulldomain "$fulldomain"
+ _debug txtvalue "$txtvalue"
+
+ CURANET_AUTHCLIENTID="${CURANET_AUTHCLIENTID:-$(_readaccountconf_mutable CURANET_AUTHCLIENTID)}"
+ CURANET_AUTHSECRET="${CURANET_AUTHSECRET:-$(_readaccountconf_mutable CURANET_AUTHSECRET)}"
+ if [ -z "$CURANET_AUTHCLIENTID" ] || [ -z "$CURANET_AUTHSECRET" ]; then
+ CURANET_AUTHCLIENTID=""
+ CURANET_AUTHSECRET=""
+ _err "You don't specify curanet api client and secret."
+ _err "Please create your auth info and try again."
+ return 1
+ fi
+
+ #save the credentials to the account conf file.
+ _saveaccountconf_mutable CURANET_AUTHCLIENTID "$CURANET_AUTHCLIENTID"
+ _saveaccountconf_mutable CURANET_AUTHSECRET "$CURANET_AUTHSECRET"
+
+ if ! _get_token; then
+ _err "Unable to get token"
+ return 1
+ fi
+
+ if ! _get_root "$fulldomain"; then
+ _err "Invalid domain"
+ return 1
+ fi
+
+ export _H1="Content-Type: application/json-patch+json"
+ export _H2="Accept: application/json"
+ export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN"
+ data="{\"name\": \"$fulldomain\",\"type\": \"TXT\",\"ttl\": 60,\"priority\": 0,\"data\": \"$txtvalue\"}"
+ response="$(_post "$data" "$CURANET_REST_URL/${_domain}/Records" "" "")"
+
+ if _contains "$response" "$txtvalue"; then
+ _debug "TXT record added OK"
+ else
+ _err "Unable to add TXT record"
+ return 1
+ fi
+
+ return 0
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_curanet_rm() {
+ fulldomain=$1
+ txtvalue=$2
+ _info "Using curanet"
+ _debug fulldomain "$fulldomain"
+ _debug txtvalue "$txtvalue"
+
+ CURANET_AUTHCLIENTID="${CURANET_AUTHCLIENTID:-$(_readaccountconf_mutable CURANET_AUTHCLIENTID)}"
+ CURANET_AUTHSECRET="${CURANET_AUTHSECRET:-$(_readaccountconf_mutable CURANET_AUTHSECRET)}"
+
+ if ! _get_token; then
+ _err "Unable to get token"
+ return 1
+ fi
+
+ if ! _get_root "$fulldomain"; then
+ _err "Invalid domain"
+ return 1
+ fi
+
+ _debug "Getting current record list to identify TXT to delete"
+
+ export _H1="Content-Type: application/json"
+ export _H2="Accept: application/json"
+ export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN"
+
+ response="$(_get "$CURANET_REST_URL/${_domain}/Records" "" "")"
+
+ if ! _contains "$response" "$txtvalue"; then
+ _err "Unable to delete record (does not contain $txtvalue )"
+ return 1
+ fi
+
+ recordid=$(echo "$response" | _egrep_o "{\"id\":[0-9]+,\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":60,\"priority\":0,\"data\":\"..$txtvalue" | _egrep_o "id\":[0-9]+" | cut -c 5-)
+
+ if [ -z "$recordid" ]; then
+ _err "Unable to get recordid"
+ _debug "regex {\"id\":[0-9]+,\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":60,\"priority\":0,\"data\":\"..$txtvalue"
+ _debug "response $response"
+ return 1
+ fi
+
+ _debug "Deleting recordID $recordid"
+ response="$(_post "" "$CURANET_REST_URL/${_domain}/Records/$recordid" "" "DELETE")"
+ return 0
+}
+
+#################### Private functions below ##################################
+
+_get_token() {
+ response="$(_post "grant_type=client_credentials&client_id=$CURANET_AUTHCLIENTID&client_secret=$CURANET_AUTHSECRET&scope=dns" "$CURANET_AUTH_URL" "" "")"
+ if ! _contains "$response" "access_token"; then
+ _err "Unable get access token"
+ return 1
+ fi
+ CURANET_ACCESS_TOKEN=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]+" | cut -c 17-)
+
+ if [ -z "$CURANET_ACCESS_TOKEN" ]; then
+ _err "Unable to get token"
+ return 1
+ fi
+
+ return 0
+
+}
+
+#_acme-challenge.www.domain.com
+#returns
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=1
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ export _H1="Content-Type: application/json"
+ export _H2="Accept: application/json"
+ export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN"
+ response="$(_get "$CURANET_REST_URL/$h/Records" "" "")"
+
+ if [ ! "$(echo "$response" | _egrep_o "Entity not found")" ]; then
+ _domain=$h
+ return 0
+ fi
+
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
diff --git a/dnsapi/dns_ddnss.sh b/dnsapi/dns_ddnss.sh
index ecc4f174..b9da33ff 100644
--- a/dnsapi/dns_ddnss.sh
+++ b/dnsapi/dns_ddnss.sh
@@ -12,7 +12,7 @@
# --
#
-DDNSS_DNS_API="https://ip4.ddnss.de/upd.php"
+DDNSS_DNS_API="https://ddnss.de/upd.php"
######## Public functions #####################
@@ -77,7 +77,7 @@ dns_ddnss_rm() {
# Now remove the TXT record from DDNS DNS
_info "Trying to remove TXT record"
- if _ddnss_rest GET "key=$DDNSS_Token&host=$_ddnss_domain&txtm=1&txt=."; then
+ if _ddnss_rest GET "key=$DDNSS_Token&host=$_ddnss_domain&txtm=2"; then
if [ "$response" = "Updated 1 hostname." ]; then
_info "TXT record has been successfully removed from your DDNSS domain."
return 0
diff --git a/dnsapi/dns_desec.sh b/dnsapi/dns_desec.sh
index f64660a8..495a6780 100644
--- a/dnsapi/dns_desec.sh
+++ b/dnsapi/dns_desec.sh
@@ -20,21 +20,17 @@ dns_desec_add() {
_debug txtvalue "$txtvalue"
DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
- DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
- if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+ if [ -z "$DEDYN_TOKEN" ]; then
DEDYN_TOKEN=""
- DEDYN_NAME=""
- _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
+ _err "You did not specify DEDYN_TOKEN yet."
_err "Please create your key and try again."
_err "e.g."
_err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
- _err "export DEDYN_NAME=foobar.dedyn.io"
return 1
fi
- #save the api token and name to the account conf file.
+ #save the api token to the account conf file.
_saveaccountconf_mutable DEDYN_TOKEN "$DEDYN_TOKEN"
- _saveaccountconf_mutable DEDYN_NAME "$DEDYN_NAME"
_debug "First detect the root zone"
if ! _get_root "$fulldomain" "$REST_API/"; then
@@ -47,7 +43,7 @@ dns_desec_add() {
# Get existing TXT record
_debug "Getting txt records"
txtvalues="\"\\\"$txtvalue\\\"\""
- _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+ _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
if [ "$_code" = "200" ]; then
oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -63,7 +59,7 @@ dns_desec_add() {
_info "Adding record"
body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
- if _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"; then
+ if _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"; then
if _contains "$response" "$txtvalue"; then
_info "Added, OK"
return 0
@@ -87,16 +83,13 @@ dns_desec_rm() {
_debug txtvalue "$txtvalue"
DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
- DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
- if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+ if [ -z "$DEDYN_TOKEN" ]; then
DEDYN_TOKEN=""
- DEDYN_NAME=""
- _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
+ _err "You did not specify DEDYN_TOKEN yet."
_err "Please create your key and try again."
_err "e.g."
_err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
- _err "export DEDYN_NAME=foobar.dedyn.io"
return 1
fi
@@ -112,7 +105,7 @@ dns_desec_rm() {
# Get existing TXT record
_debug "Getting txt records"
txtvalues=""
- _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+ _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
if [ "$_code" = "200" ]; then
oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -131,7 +124,7 @@ dns_desec_rm() {
_info "Deleting record"
body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
- _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"
+ _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"
if [ "$_code" = "200" ]; then
_info "Deleted, OK"
return 0
diff --git a/dnsapi/dns_dnshome.sh b/dnsapi/dns_dnshome.sh
new file mode 100755
index 00000000..99608769
--- /dev/null
+++ b/dnsapi/dns_dnshome.sh
@@ -0,0 +1,87 @@
+#!/usr/bin/env sh
+
+# dnsHome.de API for acme.sh
+#
+# This Script adds the necessary TXT record to a Subdomain
+#
+# Author dnsHome.de (https://github.com/dnsHome-de)
+#
+# Report Bugs to https://github.com/acmesh-official/acme.sh/issues/3819
+#
+# export DNSHOME_Subdomain=""
+# export DNSHOME_SubdomainPassword=""
+
+# Usage: add subdomain.ddnsdomain.tld "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_dnshome_add() {
+ txtvalue=$2
+
+ DNSHOME_Subdomain="${DNSHOME_Subdomain:-$(_readdomainconf DNSHOME_Subdomain)}"
+ DNSHOME_SubdomainPassword="${DNSHOME_SubdomainPassword:-$(_readdomainconf DNSHOME_SubdomainPassword)}"
+
+ if [ -z "$DNSHOME_Subdomain" ] || [ -z "$DNSHOME_SubdomainPassword" ]; then
+ DNSHOME_Subdomain=""
+ DNSHOME_SubdomainPassword=""
+ _err "Please specify/export your dnsHome.de Subdomain and Password"
+ return 1
+ fi
+
+ #save the credentials to the account conf file.
+ _savedomainconf DNSHOME_Subdomain "$DNSHOME_Subdomain"
+ _savedomainconf DNSHOME_SubdomainPassword "$DNSHOME_SubdomainPassword"
+
+ DNSHOME_Api="https://$DNSHOME_Subdomain:$DNSHOME_SubdomainPassword@www.dnshome.de/dyndns.php"
+
+ _DNSHOME_rest POST "acme=add&txt=$txtvalue"
+ if ! echo "$response" | grep 'successfully' >/dev/null; then
+ _err "Error"
+ _err "$response"
+ return 1
+ fi
+
+ return 0
+}
+
+# Usage: txtvalue
+# Used to remove the txt record after validation
+dns_dnshome_rm() {
+ txtvalue=$2
+
+ DNSHOME_Subdomain="${DNSHOME_Subdomain:-$(_readdomainconf DNSHOME_Subdomain)}"
+ DNSHOME_SubdomainPassword="${DNSHOME_SubdomainPassword:-$(_readdomainconf DNSHOME_SubdomainPassword)}"
+
+ DNSHOME_Api="https://$DNSHOME_Subdomain:$DNSHOME_SubdomainPassword@www.dnshome.de/dyndns.php"
+
+ if [ -z "$DNSHOME_Subdomain" ] || [ -z "$DNSHOME_SubdomainPassword" ]; then
+ DNSHOME_Subdomain=""
+ DNSHOME_SubdomainPassword=""
+ _err "Please specify/export your dnsHome.de Subdomain and Password"
+ return 1
+ fi
+
+ _DNSHOME_rest POST "acme=rm&txt=$txtvalue"
+ if ! echo "$response" | grep 'successfully' >/dev/null; then
+ _err "Error"
+ _err "$response"
+ return 1
+ fi
+
+ return 0
+}
+
+#################### Private functions below ##################################
+_DNSHOME_rest() {
+ method=$1
+ data="$2"
+ _debug "$data"
+
+ _debug data "$data"
+ response="$(_post "$data" "$DNSHOME_Api" "" "$method")"
+
+ if [ "$?" != "0" ]; then
+ _err "error $data"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
diff --git a/dnsapi/dns_dp.sh b/dnsapi/dns_dp.sh
index 033fa5aa..9b8b7a8b 100755
--- a/dnsapi/dns_dp.sh
+++ b/dnsapi/dns_dp.sh
@@ -89,7 +89,7 @@ add_record() {
_info "Adding record"
- if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=默认"; then
+ if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=%E9%BB%98%E8%AE%A4"; then
return 1
fi
diff --git a/dnsapi/dns_dpi.sh b/dnsapi/dns_dpi.sh
index 9cbf4d51..2955effd 100755
--- a/dnsapi/dns_dpi.sh
+++ b/dnsapi/dns_dpi.sh
@@ -53,7 +53,7 @@ dns_dpi_rm() {
return 1
fi
- if ! _rest POST "Record.List" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
+ if ! _rest POST "Record.List" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
_err "Record.Lis error."
return 1
fi
@@ -63,14 +63,14 @@ dns_dpi_rm() {
return 0
fi
- record_id=$(echo "$response" | _egrep_o '{[^{]*"value":"'"$txtvalue"'"' | cut -d , -f 1 | cut -d : -f 2 | tr -d \")
+ record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2)
_debug record_id "$record_id"
if [ -z "$record_id" ]; then
_err "Can not get record id."
return 1
fi
- if ! _rest POST "Record.Remove" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
+ if ! _rest POST "Record.Remove" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
_err "Record.Remove error."
return 1
fi
@@ -89,7 +89,7 @@ add_record() {
_info "Adding record"
- if ! _rest POST "Record.Create" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
+ if ! _rest POST "Record.Create" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
return 1
fi
@@ -113,7 +113,7 @@ _get_root() {
return 1
fi
- if ! _rest POST "Domain.Info" "user_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
+ if ! _rest POST "Domain.Info" "login_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
return 1
fi
diff --git a/dnsapi/dns_duckdns.sh b/dnsapi/dns_duckdns.sh
index f0af2741..d6e1dbdc 100755
--- a/dnsapi/dns_duckdns.sh
+++ b/dnsapi/dns_duckdns.sh
@@ -12,7 +12,7 @@
DuckDNS_API="https://www.duckdns.org/update"
-######## Public functions #####################
+######## Public functions ######################
#Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_duckdns_add() {
@@ -96,7 +96,7 @@ dns_duckdns_rm() {
_duckdns_get_domain() {
# We'll extract the domain/username from full domain
- _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?[a-z0-9-]*\.duckdns\.org' | sed 's/^\(_acme-challenge\.\)\?\([a-z0-9-]*\)\.duckdns\.org/\2/')"
+ _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?([a-z0-9-]+\.)+duckdns\.org' | sed -n 's/^\([^.]\{1,\}\.\)*\([a-z0-9-]\{1,\}\)\.duckdns\.org$/\2/p;')"
if [ -z "$_duckdns_domain" ]; then
_err "Error extracting the domain."
@@ -112,7 +112,7 @@ _duckdns_rest() {
param="$2"
_debug param "$param"
url="$DuckDNS_API?$param"
- if [ "$DEBUG" -gt 0 ]; then
+ if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ]; then
url="$url&verbose=true"
fi
_debug url "$url"
@@ -121,7 +121,7 @@ _duckdns_rest() {
if [ "$method" = "GET" ]; then
response="$(_get "$url")"
_debug2 response "$response"
- if [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
+ if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
response="OK"
fi
else
diff --git a/dnsapi/dns_gcloud.sh b/dnsapi/dns_gcloud.sh
index 03060a8c..d560996c 100755
--- a/dnsapi/dns_gcloud.sh
+++ b/dnsapi/dns_gcloud.sh
@@ -163,5 +163,8 @@ _dns_gcloud_get_rrdatas() {
return 1
fi
ttl=$(echo "$rrdatas" | cut -f1)
- rrdatas=$(echo "$rrdatas" | cut -f2 | sed 's/","/"\n"/g')
+ # starting with version 353.0.0 gcloud seems to
+ # separate records with a semicolon instead of commas
+ # see also https://cloud.google.com/sdk/docs/release-notes#35300_2021-08-17
+ rrdatas=$(echo "$rrdatas" | cut -f2 | sed 's/"[,;]"/"\n"/g')
}
diff --git a/dnsapi/dns_geoscaling.sh b/dnsapi/dns_geoscaling.sh
new file mode 100755
index 00000000..6ccf4daf
--- /dev/null
+++ b/dnsapi/dns_geoscaling.sh
@@ -0,0 +1,232 @@
+#!/usr/bin/env sh
+
+########################################################################
+# Geoscaling hook script for acme.sh
+#
+# Environment variables:
+#
+# - $GEOSCALING_Username (your Geoscaling username - this is usually NOT an amail address)
+# - $GEOSCALING_Password (your Geoscaling password)
+
+#-- dns_geoscaling_add() - Add TXT record --------------------------------------
+# Usage: dns_geoscaling_add _acme-challenge.subdomain.domain.com "XyZ123..."
+
+dns_geoscaling_add() {
+ full_domain=$1
+ txt_value=$2
+ _info "Using DNS-01 Geoscaling DNS2 hook"
+
+ GEOSCALING_Username="${GEOSCALING_Username:-$(_readaccountconf_mutable GEOSCALING_Username)}"
+ GEOSCALING_Password="${GEOSCALING_Password:-$(_readaccountconf_mutable GEOSCALING_Password)}"
+ if [ -z "$GEOSCALING_Username" ] || [ -z "$GEOSCALING_Password" ]; then
+ GEOSCALING_Username=
+ GEOSCALING_Password=
+ _err "No auth details provided. Please set user credentials using the \$GEOSCALING_Username and \$GEOSCALING_Password environment variables."
+ return 1
+ fi
+ _saveaccountconf_mutable GEOSCALING_Username "${GEOSCALING_Username}"
+ _saveaccountconf_mutable GEOSCALING_Password "${GEOSCALING_Password}"
+
+ # Fills in the $zone_id and $zone_name
+ find_zone "${full_domain}" || return 1
+ _debug "Zone id '${zone_id}' will be used."
+
+ # We're logged in here
+
+ # we should add ${full_domain} minus the trailing ${zone_name}
+
+ prefix=$(echo "${full_domain}" | sed "s|\\.${zone_name}\$||")
+
+ body="id=${zone_id}&name=${prefix}&type=TXT&content=${txt_value}&ttl=300&prio=0"
+
+ do_post "$body" "https://www.geoscaling.com/dns2/ajax/add_record.php"
+ exit_code="$?"
+ if [ "${exit_code}" -eq 0 ]; then
+ _info "TXT record added successfully."
+ else
+ _err "Couldn't add the TXT record."
+ fi
+ do_logout
+ return "${exit_code}"
+}
+
+#-- dns_geoscaling_rm() - Remove TXT record ------------------------------------
+# Usage: dns_geoscaling_rm _acme-challenge.subdomain.domain.com "XyZ123..."
+
+dns_geoscaling_rm() {
+ full_domain=$1
+ txt_value=$2
+ _info "Cleaning up after DNS-01 Geoscaling DNS2 hook"
+
+ GEOSCALING_Username="${GEOSCALING_Username:-$(_readaccountconf_mutable GEOSCALING_Username)}"
+ GEOSCALING_Password="${GEOSCALING_Password:-$(_readaccountconf_mutable GEOSCALING_Password)}"
+ if [ -z "$GEOSCALING_Username" ] || [ -z "$GEOSCALING_Password" ]; then
+ GEOSCALING_Username=
+ GEOSCALING_Password=
+ _err "No auth details provided. Please set user credentials using the \$GEOSCALING_Username and \$GEOSCALING_Password environment variables."
+ return 1
+ fi
+ _saveaccountconf_mutable GEOSCALING_Username "${GEOSCALING_Username}"
+ _saveaccountconf_mutable GEOSCALING_Password "${GEOSCALING_Password}"
+
+ # fills in the $zone_id
+ find_zone "${full_domain}" || return 1
+ _debug "Zone id '${zone_id}' will be used."
+
+ # Here we're logged in
+ # Find the record id to clean
+
+ # get the domain
+ response=$(do_get "https://www.geoscaling.com/dns2/index.php?module=domain&id=${zone_id}")
+ _debug2 "response" "$response"
+
+ table="$(echo "${response}" | tr -d '\n' | sed 's|.*Basic Records
.*||')"
+ _debug2 table "${table}"
+ names=$(echo "${table}" | _egrep_o 'id="[0-9]+\.name">[^<]*' | sed 's|||; s|.*>||')
+ ids=$(echo "${table}" | _egrep_o 'id="[0-9]+\.name">[^<]*' | sed 's|\.name">.*||; s|id="||')
+ types=$(echo "${table}" | _egrep_o 'id="[0-9]+\.type">[^<]*' | sed 's|||; s|.*>||')
+ values=$(echo "${table}" | _egrep_o 'id="[0-9]+\.content">[^<]*' | sed 's|||; s|.*>||')
+
+ _debug2 names "${names}"
+ _debug2 ids "${ids}"
+ _debug2 types "${types}"
+ _debug2 values "${values}"
+
+ # look for line whose name is ${full_domain}, whose type is TXT, and whose value is ${txt_value}
+ line_num="$(echo "${values}" | grep -F -n -- "${txt_value}" | _head_n 1 | cut -d ':' -f 1)"
+ _debug2 line_num "${line_num}"
+ found_id=
+ if [ -n "$line_num" ]; then
+ type=$(echo "${types}" | sed -n "${line_num}p")
+ name=$(echo "${names}" | sed -n "${line_num}p")
+ id=$(echo "${ids}" | sed -n "${line_num}p")
+
+ _debug2 type "$type"
+ _debug2 name "$name"
+ _debug2 id "$id"
+ _debug2 full_domain "$full_domain"
+
+ if [ "${type}" = "TXT" ] && [ "${name}" = "${full_domain}" ]; then
+ found_id=${id}
+ fi
+ fi
+
+ if [ "${found_id}" = "" ]; then
+ _err "Can not find record id."
+ return 0
+ fi
+
+ # Remove the record
+ body="id=${zone_id}&record_id=${found_id}"
+ response=$(do_post "$body" "https://www.geoscaling.com/dns2/ajax/delete_record.php")
+ exit_code="$?"
+ if [ "$exit_code" -eq 0 ]; then
+ _info "Record removed successfully."
+ else
+ _err "Could not clean (remove) up the record. Please go to Geoscaling administration interface and clean it by hand."
+ fi
+ do_logout
+ return "${exit_code}"
+}
+
+########################## PRIVATE FUNCTIONS ###########################
+
+do_get() {
+ _url=$1
+ export _H1="Cookie: $geoscaling_phpsessid_cookie"
+ _get "${_url}"
+}
+
+do_post() {
+ _body=$1
+ _url=$2
+ export _H1="Cookie: $geoscaling_phpsessid_cookie"
+ _post "${_body}" "${_url}"
+}
+
+do_login() {
+
+ _info "Logging in..."
+
+ username_encoded="$(printf "%s" "${GEOSCALING_Username}" | _url_encode)"
+ password_encoded="$(printf "%s" "${GEOSCALING_Password}" | _url_encode)"
+ body="username=${username_encoded}&password=${password_encoded}"
+
+ response=$(_post "$body" "https://www.geoscaling.com/dns2/index.php?module=auth")
+ _debug2 response "${response}"
+
+ #retcode=$(grep '^HTTP[^ ]*' "${HTTP_HEADER}" | _head_n 1 | _egrep_o '[0-9]+$')
+ retcode=$(grep '^HTTP[^ ]*' "${HTTP_HEADER}" | _head_n 1 | cut -d ' ' -f 2)
+
+ if [ "$retcode" != "302" ]; then
+ _err "Geoscaling login failed for user ${GEOSCALING_Username}. Check ${HTTP_HEADER} file"
+ return 1
+ fi
+
+ geoscaling_phpsessid_cookie="$(grep -i '^set-cookie:' "${HTTP_HEADER}" | _egrep_o 'PHPSESSID=[^;]*;' | tr -d ';')"
+ return 0
+
+}
+
+do_logout() {
+ _info "Logging out."
+ response="$(do_get "https://www.geoscaling.com/dns2/index.php?module=auth")"
+ _debug2 response "$response"
+ return 0
+}
+
+find_zone() {
+ domain="$1"
+
+ # do login
+ do_login || return 1
+
+ # get zones
+ response="$(do_get "https://www.geoscaling.com/dns2/index.php?module=domains")"
+
+ table="$(echo "${response}" | tr -d '\n' | sed 's|.*Your domains
.*||')"
+ _debug2 table "${table}"
+ zone_names="$(echo "${table}" | _egrep_o '[^<]*' | sed 's|||;s|||')"
+ _debug2 _matches "${zone_names}"
+ # Zone names and zone IDs are in same order
+ zone_ids=$(echo "${table}" | _egrep_o '' | sed 's|.*id=||;s|. .*||')
+
+ _debug2 "These are the zones on this Geoscaling account:"
+ _debug2 "zone_names" "${zone_names}"
+ _debug2 "And these are their respective IDs:"
+ _debug2 "zone_ids" "${zone_ids}"
+ if [ -z "${zone_names}" ] || [ -z "${zone_ids}" ]; then
+ _err "Can not get zone names or IDs."
+ return 1
+ fi
+ # Walk through all possible zone names
+ strip_counter=1
+ while true; do
+ attempted_zone=$(echo "${domain}" | cut -d . -f ${strip_counter}-)
+
+ # All possible zone names have been tried
+ if [ -z "${attempted_zone}" ]; then
+ _err "No zone for domain '${domain}' found."
+ return 1
+ fi
+
+ _debug "Looking for zone '${attempted_zone}'"
+
+ line_num="$(echo "${zone_names}" | grep -n "^${attempted_zone}\$" | _head_n 1 | cut -d : -f 1)"
+ _debug2 line_num "${line_num}"
+ if [ "$line_num" ]; then
+ zone_id=$(echo "${zone_ids}" | sed -n "${line_num}p")
+ zone_name=$(echo "${zone_names}" | sed -n "${line_num}p")
+ if [ -z "${zone_id}" ]; then
+ _err "Can not find zone id."
+ return 1
+ fi
+ _debug "Found relevant zone '${attempted_zone}' with id '${zone_id}' - will be used for domain '${domain}'."
+ return 0
+ fi
+
+ _debug "Zone '${attempted_zone}' doesn't exist, let's try a less specific zone."
+ strip_counter=$(_math "${strip_counter}" + 1)
+ done
+}
+# vim: et:ts=2:sw=2:
diff --git a/dnsapi/dns_he.sh b/dnsapi/dns_he.sh
index ef09fa0a..bf4a5030 100755
--- a/dnsapi/dns_he.sh
+++ b/dnsapi/dns_he.sh
@@ -85,7 +85,7 @@ dns_he_rm() {
_debug "The txt record is not found, just skip"
return 0
fi
- _record_id="$(echo "$response" | tr -d "#" | sed "s//dev/null
_code=$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")
_token=$(grep "^X-Subject-Token" "$HTTP_HEADER" | cut -d " " -f 2-)
- _debug2 "${_code}"
+ _secure_debug "${_code}"
printf "%s" "${_token}"
return 0
}
diff --git a/dnsapi/dns_infoblox.sh b/dnsapi/dns_infoblox.sh
index 4cbb2146..6bfd36ee 100644
--- a/dnsapi/dns_infoblox.sh
+++ b/dnsapi/dns_infoblox.sh
@@ -9,7 +9,6 @@ dns_infoblox_add() {
## Nothing to see here, just some housekeeping
fulldomain=$1
txtvalue=$2
- baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View"
_info "Using Infoblox API"
_debug fulldomain "$fulldomain"
@@ -19,12 +18,13 @@ dns_infoblox_add() {
if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
Infoblox_Creds=""
Infoblox_Server=""
- _err "You didn't specify the credentials, server or infoblox view yet (Infoblox_Creds, Infoblox_Server and Infoblox_View)."
- _err "Please set them via EXPORT ([username:password], [ip or hostname]) and try again."
+ _err "You didn't specify the Infoblox credentials or server (Infoblox_Creds; Infoblox_Server)."
+ _err "Please set them via EXPORT Infoblox_Creds=username:password or EXPORT Infoblox_server=ip/hostname and try again."
return 1
fi
if [ -z "$Infoblox_View" ]; then
+ _info "No Infoblox_View set, using fallback value 'default'"
Infoblox_View="default"
fi
@@ -33,6 +33,9 @@ dns_infoblox_add() {
_saveaccountconf Infoblox_Server "$Infoblox_Server"
_saveaccountconf Infoblox_View "$Infoblox_View"
+ ## URLencode Infoblox View to deal with e.g. spaces
+ Infoblox_ViewEncoded=$(printf "%b" "$Infoblox_View" | _url_encode)
+
## Base64 encode the credentials
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
@@ -40,11 +43,14 @@ dns_infoblox_add() {
export _H1="Accept-Language:en-US"
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
+ ## Construct the request URL
+ baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=${Infoblox_ViewEncoded}"
+
## Add the challenge record to the Infoblox grid member
result="$(_post "" "$baseurlnObject" "" "POST")"
## Let's see if we get something intelligible back from the unit
- if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")" ]; then
+ if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then
_info "Successfully created the txt record"
return 0
else
@@ -65,6 +71,9 @@ dns_infoblox_rm() {
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
+ ## URLencode Infoblox View to deal with e.g. spaces
+ Infoblox_ViewEncoded=$(printf "%b" "$Infoblox_View" | _url_encode)
+
## Base64 encode the credentials
Infoblox_CredsEncoded="$(printf "%b" "$Infoblox_Creds" | _base64)"
@@ -73,18 +82,18 @@ dns_infoblox_rm() {
export _H2="Authorization: Basic $Infoblox_CredsEncoded"
## Does the record exist? Let's check.
- baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View&_return_type=xml-pretty"
+ baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=${Infoblox_ViewEncoded}&_return_type=xml-pretty"
result="$(_get "$baseurlnObject")"
## Let's see if we get something intelligible back from the grid
- if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")" ]; then
+ if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then
## Extract the object reference
- objRef="$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")"
+ objRef="$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")"
objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
## Delete them! All the stale records!
rmResult="$(_post "" "$objRmUrl" "" "DELETE")"
## Let's see if that worked
- if [ "$(echo "$rmResult" | _egrep_o "record:txt/.*:.*/$Infoblox_View")" ]; then
+ if [ "$(echo "$rmResult" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then
_info "Successfully deleted $objRef"
return 0
else
diff --git a/dnsapi/dns_ionos.sh b/dnsapi/dns_ionos.sh
new file mode 100755
index 00000000..c2c431bb
--- /dev/null
+++ b/dnsapi/dns_ionos.sh
@@ -0,0 +1,163 @@
+#!/usr/bin/env sh
+
+# Supports IONOS DNS API Beta v1.0.0
+#
+# Usage:
+# Export IONOS_PREFIX and IONOS_SECRET before calling acme.sh:
+#
+# $ export IONOS_PREFIX="..."
+# $ export IONOS_SECRET="..."
+#
+# $ acme.sh --issue --dns dns_ionos ...
+
+IONOS_API="https://api.hosting.ionos.com/dns"
+IONOS_ROUTE_ZONES="/v1/zones"
+
+IONOS_TXT_TTL=60 # minimum accepted by API
+IONOS_TXT_PRIO=10
+
+dns_ionos_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _ionos_init; then
+ return 1
+ fi
+
+ _body="[{\"name\":\"$_sub_domain.$_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":$IONOS_TXT_TTL,\"prio\":$IONOS_TXT_PRIO,\"disabled\":false}]"
+
+ if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ -z "$response" ]; then
+ _info "TXT record has been created successfully."
+ return 0
+ fi
+
+ return 1
+}
+
+dns_ionos_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _ionos_init; then
+ return 1
+ fi
+
+ if ! _ionos_get_record "$fulldomain" "$_zone_id" "$txtvalue"; then
+ _err "Could not find _acme-challenge TXT record."
+ return 1
+ fi
+
+ if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ -z "$response" ]; then
+ _info "TXT record has been deleted successfully."
+ return 0
+ fi
+
+ return 1
+}
+
+_ionos_init() {
+ IONOS_PREFIX="${IONOS_PREFIX:-$(_readaccountconf_mutable IONOS_PREFIX)}"
+ IONOS_SECRET="${IONOS_SECRET:-$(_readaccountconf_mutable IONOS_SECRET)}"
+
+ if [ -z "$IONOS_PREFIX" ] || [ -z "$IONOS_SECRET" ]; then
+ _err "You didn't specify an IONOS api prefix and secret yet."
+ _err "Read https://beta.developer.hosting.ionos.de/docs/getstarted to learn how to get a prefix and secret."
+ _err ""
+ _err "Then set them before calling acme.sh:"
+ _err "\$ export IONOS_PREFIX=\"...\""
+ _err "\$ export IONOS_SECRET=\"...\""
+ _err "\$ acme.sh --issue -d ... --dns dns_ionos"
+ return 1
+ fi
+
+ _saveaccountconf_mutable IONOS_PREFIX "$IONOS_PREFIX"
+ _saveaccountconf_mutable IONOS_SECRET "$IONOS_SECRET"
+
+ if ! _get_root "$fulldomain"; then
+ _err "Cannot find this domain in your IONOS account."
+ return 1
+ fi
+}
+
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ if _ionos_rest GET "$IONOS_ROUTE_ZONES"; then
+ response="$(echo "$response" | tr -d "\n")"
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ if [ -z "$h" ]; then
+ return 1
+ fi
+
+ _zone="$(echo "$response" | _egrep_o "\"name\":\"$h\".*\}")"
+ if [ "$_zone" ]; then
+ _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+ if [ "$_zone_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+
+ return 0
+ fi
+
+ return 1
+ fi
+
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ fi
+
+ return 1
+}
+
+_ionos_get_record() {
+ fulldomain=$1
+ zone_id=$2
+ txtrecord=$3
+
+ if _ionos_rest GET "$IONOS_ROUTE_ZONES/$zone_id?recordName=$fulldomain&recordType=TXT"; then
+ response="$(echo "$response" | tr -d "\n")"
+
+ _record="$(echo "$response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")"
+ if [ "$_record" ]; then
+ _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+_ionos_rest() {
+ method="$1"
+ route="$2"
+ data="$3"
+
+ IONOS_API_KEY="$(printf "%s.%s" "$IONOS_PREFIX" "$IONOS_SECRET")"
+
+ export _H1="X-API-Key: $IONOS_API_KEY"
+
+ if [ "$method" != "GET" ]; then
+ export _H2="Accept: application/json"
+ export _H3="Content-Type: application/json"
+
+ response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
+ else
+ export _H2="Accept: */*"
+ export _H3=
+ response="$(_get "$IONOS_API$route")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "Error $route: $response"
+ return 1
+ fi
+ _debug2 "response" "$response"
+
+ return 0
+}
diff --git a/dnsapi/dns_ispconfig.sh b/dnsapi/dns_ispconfig.sh
index bd1e0391..e68ddd49 100755
--- a/dnsapi/dns_ispconfig.sh
+++ b/dnsapi/dns_ispconfig.sh
@@ -75,7 +75,7 @@ _ISPC_getZoneInfo() {
# suffix . needed for zone -> domain.tld.
curData="{\"session_id\":\"${sessionID}\",\"primary_id\":{\"origin\":\"${curZone}.\"}}"
curResult="$(_post "${curData}" "${ISPC_Api}?dns_zone_get")"
- _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?login'"
+ _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?dns_zone_get'"
_debug "Result of _ISPC_getZoneInfo: '$curResult'"
if _contains "${curResult}" '"id":"'; then
zoneFound=true
@@ -110,18 +110,32 @@ _ISPC_getZoneInfo() {
;;
*) _info "Retrieved Zone ID" ;;
esac
- client_id=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
- _debug "Client ID: '${client_id}'"
- case "${client_id}" in
+ sys_userid=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
+ _debug "SYS User ID: '${sys_userid}'"
+ case "${sys_userid}" in
'' | *[!0-9]*)
- _err "Client ID is not numeric."
+ _err "SYS User ID is not numeric."
return 1
;;
- *) _info "Retrieved Client ID." ;;
+ *) _info "Retrieved SYS User ID." ;;
esac
zoneFound=""
zoneEnd=""
fi
+ # Need to get client_id as it is different from sys_userid
+ curData="{\"session_id\":\"${sessionID}\",\"sys_userid\":\"${sys_userid}\"}"
+ curResult="$(_post "${curData}" "${ISPC_Api}?client_get_id")"
+ _debug "Calling _ISPC_ClientGetID: '${curData}' '${ISPC_Api}?client_get_id'"
+ _debug "Result of _ISPC_ClientGetID: '$curResult'"
+ client_id=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2 | tr -d '{}')
+ _debug "Client ID: '${client_id}'"
+ case "${client_id}" in
+ '' | *[!0-9]*)
+ _err "Client ID is not numeric."
+ return 1
+ ;;
+ *) _info "Retrieved Client ID." ;;
+ esac
}
_ISPC_addTxt() {
diff --git a/dnsapi/dns_knot.sh b/dnsapi/dns_knot.sh
index 094a6981..729a89cb 100644
--- a/dnsapi/dns_knot.sh
+++ b/dnsapi/dns_knot.sh
@@ -19,8 +19,9 @@ dns_knot_add() {
_info "Adding ${fulldomain}. 60 TXT \"${txtvalue}\""
- knsupdate -y "${KNOT_KEY}" <%s
- ' "$LOOPIA_User" "$LOOPIA_Password" "$_domain" "$_sub_domain")
+ ' "$LOOPIA_User" "$Encoded_Password" "$_domain" "$_sub_domain")
response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
if ! _contains "$response" "OK"; then
- _err "Error could not get txt records"
+ err_response=$(echo "$response" | grep -oPm1 "(?<=)[^<]+")
+ _err "Error could not get txt records: $err_response"
return 1
fi
}
@@ -101,6 +106,12 @@ _loopia_load_config() {
return 1
fi
+ if _contains "$LOOPIA_Password" "'" || _contains "$LOOPIA_Password" '"'; then
+ _err "Password contains quoute or double quoute and this is not supported by dns_loopia.sh"
+ return 1
+ fi
+
+ Encoded_Password=$(_xml_encode "$LOOPIA_Password")
return 0
}
@@ -133,11 +144,12 @@ _loopia_get_records() {
%s
- ' $LOOPIA_User $LOOPIA_Password "$domain" "$sub_domain")
+ ' "$LOOPIA_User" "$Encoded_Password" "$domain" "$sub_domain")
response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
if ! _contains "$response" ""; then
- _err "Error"
+ err_response=$(echo "$response" | grep -oPm1 "(?<=)[^<]+")
+ _err "Error: $err_response"
return 1
fi
return 0
@@ -162,7 +174,7 @@ _get_root() {
%s
- ' $LOOPIA_User $LOOPIA_Password)
+ ' "$LOOPIA_User" "$Encoded_Password")
response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
while true; do
@@ -206,32 +218,35 @@ _loopia_add_record() {
%s
-
-
- type
- TXT
-
-
- priority
- 0
-
-
- ttl
- 300
-
-
- rdata
- %s
-
-
+
+
+
+ type
+ TXT
+
+
+ priority
+ 0
+
+
+ ttl
+ 300
+
+
+ rdata
+ %s
+
+
+
- ' $LOOPIA_User $LOOPIA_Password "$domain" "$sub_domain" "$txtval")
+ ' "$LOOPIA_User" "$Encoded_Password" "$domain" "$sub_domain" "$txtval")
response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
if ! _contains "$response" "OK"; then
- _err "Error"
+ err_response=$(echo "$response" | grep -oPm1 "(?<=)[^<]+")
+ _err "Error: $err_response"
return 1
fi
return 0
@@ -255,7 +270,7 @@ _sub_domain_exists() {
%s
- ' $LOOPIA_User $LOOPIA_Password "$domain")
+ ' "$LOOPIA_User" "$Encoded_Password" "$domain")
response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
@@ -290,13 +305,22 @@ _loopia_add_sub_domain() {
%s
- ' $LOOPIA_User $LOOPIA_Password "$domain" "$sub_domain")
+ ' "$LOOPIA_User" "$Encoded_Password" "$domain" "$sub_domain")
response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
if ! _contains "$response" "OK"; then
- _err "Error"
+ err_response=$(echo "$response" | grep -oPm1 "(?<=)[^<]+")
+ _err "Error: $err_response"
return 1
fi
return 0
}
+
+_xml_encode() {
+ encoded_string=$1
+ encoded_string=$(echo "$encoded_string" | sed 's/&/\&/')
+ encoded_string=$(echo "$encoded_string" | sed 's//\>/')
+ printf "%s" "$encoded_string"
+}
diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
new file mode 100755
index 00000000..294ae84c
--- /dev/null
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -0,0 +1,261 @@
+#!/usr/bin/env sh
+# Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
+# To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
+# Cannot retest once cert is issued
+# OAuth2 tokens only valid for 300 seconds so we do not store
+# NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)
+
+# Test OAuth2 credentials
+#MB_AK="aaaaaaaaaaaaaaaa"
+#MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+
+# URLs
+MB_API='https://api.mythic-beasts.com/dns/v2/zones'
+MB_AUTH='https://auth.mythic-beasts.com/login'
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_mythic_beasts_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
+ if ! _initAuth; then
+ return 1
+ fi
+
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+
+ # method path body_data
+ if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
+
+ if _contains "$response" "1 records added"; then
+ _info "Added, verifying..."
+ # Max 120 seconds to publish
+ for i in $(seq 1 6); do
+ # Retry on error
+ if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
+ _sleep 20
+ else
+ _info "Record published!"
+ return 0
+ fi
+ done
+
+ else
+ _err "\n$response"
+ fi
+
+ fi
+ _err "Add txt record error."
+ return 1
+}
+
+#Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_mythic_beasts_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
+ if ! _initAuth; then
+ return 1
+ fi
+
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+
+ # method path body_data
+ if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
+ _info "Record removed"
+ return 0
+ fi
+ _err "Remove txt record error."
+ return 1
+}
+
+#################### Private functions below ##################################
+
+#Possible formats:
+# _acme-challenge.www.example.com
+# _acme-challenge.example.com
+# _acme-challenge.example.co.uk
+# _acme-challenge.www.example.co.uk
+# _acme-challenge.sub1.sub2.www.example.co.uk
+# sub1.sub2.example.co.uk
+# example.com
+# example.co.uk
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ _debug "Detect the root zone"
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ if [ -z "$h" ]; then
+ _err "Domain exhausted"
+ return 1
+ fi
+
+ # Use the status errors to find the domain, continue on 403 Access denied
+ # method path body_data
+ _mb_rest GET "$h/records"
+ ret="$?"
+ if [ "$ret" -eq 0 ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ return 0
+ elif [ "$ret" -eq 1 ]; then
+ return 1
+ fi
+
+ p=$i
+ i=$(_math "$i" + 1)
+
+ if [ "$i" -gt 50 ]; then
+ break
+ fi
+ done
+ _err "Domain too long"
+ return 1
+}
+
+_initAuth() {
+ MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
+ MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"
+
+ if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then
+ MB_AK=""
+ MB_AS=""
+ _err "Please specify an OAuth2 Key & Secret"
+ return 1
+ fi
+
+ _saveaccountconf_mutable MB_AK "$MB_AK"
+ _saveaccountconf_mutable MB_AS "$MB_AS"
+
+ if ! _oauth2; then
+ return 1
+ fi
+
+ _info "Checking authentication"
+ _secure_debug access_token "$MB_TK"
+ _sleep 1
+
+ # GET a list of zones
+ # method path body_data
+ if ! _mb_rest GET ""; then
+ _err "The token is invalid"
+ return 1
+ fi
+ _info "Token OK"
+ return 0
+}
+
+# Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
+# source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
+# authentication. This is a work around using an undocumented MB API to obtain a token not tied to an
+# IP just for the github tests.
+_oauth2() {
+ if [ "$GITHUB_ACTIONS" = "true" ]; then
+ _oauth2_github
+ else
+ _oauth2_std
+ fi
+ return $?
+}
+
+_oauth2_std() {
+ # HTTP Basic Authentication
+ _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
+ _H2="Accepts: application/json"
+ export _H1 _H2
+ body="grant_type=client_credentials"
+
+ _info "Getting OAuth2 token..."
+ # body url [needbase64] [POST|PUT|DELETE] [ContentType]
+ response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
+ if _contains "$response" "\"token_type\":\"bearer\""; then
+ MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
+ if [ -z "$MB_TK" ]; then
+ _err "Unable to get access_token"
+ _err "\n$response"
+ return 1
+ fi
+ else
+ _err "OAuth2 token_type not Bearer"
+ _err "\n$response"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
+
+_oauth2_github() {
+ _H1="Accepts: application/json"
+ export _H1
+ body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}"
+
+ _info "Getting Floating token..."
+ # body url [needbase64] [POST|PUT|DELETE] [ContentType]
+ response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
+ MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
+ if [ -z "$MB_TK" ]; then
+ _err "Unable to get token"
+ _err "\n$response"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
+
+# method path body_data
+_mb_rest() {
+ # URL encoded body for single API operations
+ m="$1"
+ ep="$2"
+ data="$3"
+
+ if [ -z "$ep" ]; then
+ _mb_url="$MB_API"
+ else
+ _mb_url="$MB_API/$ep"
+ fi
+
+ _H1="Authorization: Bearer $MB_TK"
+ _H2="Accepts: application/json"
+ export _H1 _H2
+ if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then
+ # body url [needbase64] [POST|PUT|DELETE] [ContentType]
+ response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
+ else
+ response="$(_get "$_mb_url")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "Request error"
+ return 1
+ fi
+
+ header="$(cat "$HTTP_HEADER")"
+ status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")"
+ code="$(echo "$status" | _egrep_o "^[0-9]*")"
+ if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then
+ _err "error $status"
+ _err "\n$response"
+ _debug "\n$header"
+ return 2
+ fi
+
+ _debug2 response "$response"
+ return 0
+}
diff --git a/dnsapi/dns_namecheap.sh b/dnsapi/dns_namecheap.sh
index 2e389265..d15d6b0e 100755
--- a/dnsapi/dns_namecheap.sh
+++ b/dnsapi/dns_namecheap.sh
@@ -157,7 +157,7 @@ _namecheap_set_publicip() {
if [ -z "$NAMECHEAP_SOURCEIP" ]; then
_err "No Source IP specified for Namecheap API."
- _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+ _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
return 1
else
_saveaccountconf NAMECHEAP_SOURCEIP "$NAMECHEAP_SOURCEIP"
@@ -175,7 +175,7 @@ _namecheap_set_publicip() {
_publicip=$(_get "$addr")
else
_err "No Source IP specified for Namecheap API."
- _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+ _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
return 1
fi
fi
@@ -208,7 +208,7 @@ _namecheap_parse_host() {
_hostid=$(echo "$_host" | _egrep_o ' HostId="[^"]*' | cut -d '"' -f 2)
_hostname=$(echo "$_host" | _egrep_o ' Name="[^"]*' | cut -d '"' -f 2)
_hosttype=$(echo "$_host" | _egrep_o ' Type="[^"]*' | cut -d '"' -f 2)
- _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2)
+ _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2 | _xml_decode)
_hostmxpref=$(echo "$_host" | _egrep_o ' MXPref="[^"]*' | cut -d '"' -f 2)
_hostttl=$(echo "$_host" | _egrep_o ' TTL="[^"]*' | cut -d '"' -f 2)
@@ -405,3 +405,7 @@ _namecheap_set_tld_sld() {
done
}
+
+_xml_decode() {
+ sed 's/"/"/g'
+}
diff --git a/dnsapi/dns_netcup.sh b/dnsapi/dns_netcup.sh
index d519e4f7..776fa02d 100644
--- a/dnsapi/dns_netcup.sh
+++ b/dnsapi/dns_netcup.sh
@@ -119,16 +119,16 @@ login() {
tmp=$(_post "{\"action\": \"login\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apipassword\": \"$NC_Apipw\", \"customernumber\": \"$NC_CID\"}}" "$end" "" "POST")
sid=$(echo "$tmp" | tr '{}' '\n' | grep apisessionid | cut -d '"' -f 4)
_debug "$tmp"
- if [ "$(_getfield "$msg" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then
- _err "$msg"
+ if [ "$(_getfield "$tmp" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then
+ _err "$tmp"
return 1
fi
}
logout() {
tmp=$(_post "{\"action\": \"logout\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\"}}" "$end" "" "POST")
_debug "$tmp"
- if [ "$(_getfield "$msg" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then
- _err "$msg"
+ if [ "$(_getfield "$tmp" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then
+ _err "$tmp"
return 1
fi
}
diff --git a/dnsapi/dns_nsd.sh b/dnsapi/dns_nsd.sh
index 83cc4cac..0d29a485 100644
--- a/dnsapi/dns_nsd.sh
+++ b/dnsapi/dns_nsd.sh
@@ -51,7 +51,7 @@ dns_nsd_rm() {
Nsd_ZoneFile="${Nsd_ZoneFile:-$(_readdomainconf Nsd_ZoneFile)}"
Nsd_Command="${Nsd_Command:-$(_readdomainconf Nsd_Command)}"
- sed -i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile"
+ _sed_i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile"
_info "Removed TXT record for $fulldomain"
_debug "Running $Nsd_Command"
if eval "$Nsd_Command"; then
diff --git a/dnsapi/dns_oci.sh b/dnsapi/dns_oci.sh
new file mode 100644
index 00000000..eb006120
--- /dev/null
+++ b/dnsapi/dns_oci.sh
@@ -0,0 +1,324 @@
+#!/usr/bin/env sh
+#
+# Acme.sh DNS API plugin for Oracle Cloud Infrastructure
+# Copyright (c) 2021, Oracle and/or its affiliates
+#
+# The plugin will automatically use the default profile from an OCI SDK and CLI
+# configuration file, if it exists.
+#
+# Alternatively, set the following environment variables:
+# - OCI_CLI_TENANCY : OCID of tenancy that contains the target DNS zone
+# - OCI_CLI_USER : OCID of user with permission to add/remove records from zones
+# - OCI_CLI_REGION : Should point to the tenancy home region
+#
+# One of the following two variables is required:
+# - OCI_CLI_KEY_FILE: Path to private API signing key file in PEM format; or
+# - OCI_CLI_KEY : The private API signing key in PEM format
+#
+# NOTE: using an encrypted private key that needs a passphrase is not supported.
+#
+
+dns_oci_add() {
+ _fqdn="$1"
+ _rdata="$2"
+
+ if _get_oci_zone; then
+
+ _add_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"ttl\": 30,\"operation\":\"ADD\"}]}"
+ response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_add_record_body")
+ if [ "$response" ]; then
+ _info "Success: added TXT record for ${_sub_domain}.${_domain}."
+ else
+ _err "Error: failed to add TXT record for ${_sub_domain}.${_domain}."
+ _err "Check that the user has permission to add records to this zone."
+ return 1
+ fi
+
+ else
+ return 1
+ fi
+
+}
+
+dns_oci_rm() {
+ _fqdn="$1"
+ _rdata="$2"
+
+ if _get_oci_zone; then
+
+ _remove_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"operation\":\"REMOVE\"}]}"
+ response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_remove_record_body")
+ if [ "$response" ]; then
+ _info "Success: removed TXT record for ${_sub_domain}.${_domain}."
+ else
+ _err "Error: failed to remove TXT record for ${_sub_domain}.${_domain}."
+ _err "Check that the user has permission to remove records from this zone."
+ return 1
+ fi
+
+ else
+ return 1
+ fi
+
+}
+
+#################### Private functions below ##################################
+_get_oci_zone() {
+
+ if ! _oci_config; then
+ return 1
+ fi
+
+ if ! _get_zone "$_fqdn"; then
+ _err "Error: DNS Zone not found for $_fqdn in $OCI_CLI_TENANCY"
+ return 1
+ fi
+
+ return 0
+
+}
+
+_oci_config() {
+
+ _DEFAULT_OCI_CLI_CONFIG_FILE="$HOME/.oci/config"
+ OCI_CLI_CONFIG_FILE="${OCI_CLI_CONFIG_FILE:-$(_readaccountconf_mutable OCI_CLI_CONFIG_FILE)}"
+
+ if [ -z "$OCI_CLI_CONFIG_FILE" ]; then
+ OCI_CLI_CONFIG_FILE="$_DEFAULT_OCI_CLI_CONFIG_FILE"
+ fi
+
+ if [ "$_DEFAULT_OCI_CLI_CONFIG_FILE" != "$OCI_CLI_CONFIG_FILE" ]; then
+ _saveaccountconf_mutable OCI_CLI_CONFIG_FILE "$OCI_CLI_CONFIG_FILE"
+ else
+ _clearaccountconf_mutable OCI_CLI_CONFIG_FILE
+ fi
+
+ _DEFAULT_OCI_CLI_PROFILE="DEFAULT"
+ OCI_CLI_PROFILE="${OCI_CLI_PROFILE:-$(_readaccountconf_mutable OCI_CLI_PROFILE)}"
+ if [ "$_DEFAULT_OCI_CLI_PROFILE" != "$OCI_CLI_PROFILE" ]; then
+ _saveaccountconf_mutable OCI_CLI_PROFILE "$OCI_CLI_PROFILE"
+ else
+ OCI_CLI_PROFILE="$_DEFAULT_OCI_CLI_PROFILE"
+ _clearaccountconf_mutable OCI_CLI_PROFILE
+ fi
+
+ OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readaccountconf_mutable OCI_CLI_TENANCY)}"
+ if [ "$OCI_CLI_TENANCY" ]; then
+ _saveaccountconf_mutable OCI_CLI_TENANCY "$OCI_CLI_TENANCY"
+ elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
+ _debug "Reading OCI_CLI_TENANCY value from: $OCI_CLI_CONFIG_FILE"
+ OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readini "$OCI_CLI_CONFIG_FILE" tenancy "$OCI_CLI_PROFILE")}"
+ fi
+
+ if [ -z "$OCI_CLI_TENANCY" ]; then
+ _err "Error: unable to read OCI_CLI_TENANCY from config file or environment variable."
+ return 1
+ fi
+
+ OCI_CLI_USER="${OCI_CLI_USER:-$(_readaccountconf_mutable OCI_CLI_USER)}"
+ if [ "$OCI_CLI_USER" ]; then
+ _saveaccountconf_mutable OCI_CLI_USER "$OCI_CLI_USER"
+ elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
+ _debug "Reading OCI_CLI_USER value from: $OCI_CLI_CONFIG_FILE"
+ OCI_CLI_USER="${OCI_CLI_USER:-$(_readini "$OCI_CLI_CONFIG_FILE" user "$OCI_CLI_PROFILE")}"
+ fi
+ if [ -z "$OCI_CLI_USER" ]; then
+ _err "Error: unable to read OCI_CLI_USER from config file or environment variable."
+ return 1
+ fi
+
+ OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readaccountconf_mutable OCI_CLI_REGION)}"
+ if [ "$OCI_CLI_REGION" ]; then
+ _saveaccountconf_mutable OCI_CLI_REGION "$OCI_CLI_REGION"
+ elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
+ _debug "Reading OCI_CLI_REGION value from: $OCI_CLI_CONFIG_FILE"
+ OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readini "$OCI_CLI_CONFIG_FILE" region "$OCI_CLI_PROFILE")}"
+ fi
+ if [ -z "$OCI_CLI_REGION" ]; then
+ _err "Error: unable to read OCI_CLI_REGION from config file or environment variable."
+ return 1
+ fi
+
+ OCI_CLI_KEY="${OCI_CLI_KEY:-$(_readaccountconf_mutable OCI_CLI_KEY)}"
+ if [ -z "$OCI_CLI_KEY" ]; then
+ _clearaccountconf_mutable OCI_CLI_KEY
+ OCI_CLI_KEY_FILE="${OCI_CLI_KEY_FILE:-$(_readini "$OCI_CLI_CONFIG_FILE" key_file "$OCI_CLI_PROFILE")}"
+ if [ "$OCI_CLI_KEY_FILE" ] && [ -f "$OCI_CLI_KEY_FILE" ]; then
+ _debug "Reading OCI_CLI_KEY value from: $OCI_CLI_KEY_FILE"
+ OCI_CLI_KEY=$(_base64 <"$OCI_CLI_KEY_FILE")
+ _saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY"
+ fi
+ else
+ _saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY"
+ fi
+
+ if [ -z "$OCI_CLI_KEY_FILE" ] && [ -z "$OCI_CLI_KEY" ]; then
+ _err "Error: unable to find key file path in OCI config file or OCI_CLI_KEY_FILE."
+ _err "Error: unable to load private API signing key from OCI_CLI_KEY."
+ return 1
+ fi
+
+ if [ "$(printf "%s\n" "$OCI_CLI_KEY" | wc -l)" -eq 1 ]; then
+ OCI_CLI_KEY=$(printf "%s" "$OCI_CLI_KEY" | _dbase64 multiline)
+ fi
+
+ return 0
+
+}
+
+# _get_zone(): retrieves the Zone name and OCID
+#
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_ociid=ocid1.dns-zone.oc1..
+_get_zone() {
+ domain=$1
+ i=1
+ p=1
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ # not valid
+ return 1
+ fi
+
+ _domain_id=$(_signed_request "GET" "/20180115/zones/$h" "" "id")
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ return 0
+ fi
+
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+
+}
+
+#Usage: privatekey
+#Output MD5 fingerprint
+_fingerprint() {
+
+ pkey="$1"
+ if [ -z "$pkey" ]; then
+ _usage "Usage: _fingerprint privkey"
+ return 1
+ fi
+
+ printf "%s" "$pkey" | ${ACME_OPENSSL_BIN:-openssl} rsa -pubout -outform DER 2>/dev/null | ${ACME_OPENSSL_BIN:-openssl} md5 -c | cut -d = -f 2 | tr -d ' '
+
+}
+
+_signed_request() {
+
+ _sig_method="$1"
+ _sig_target="$2"
+ _sig_body="$3"
+ _return_field="$4"
+
+ _key_fingerprint=$(_fingerprint "$OCI_CLI_KEY")
+ _sig_host="dns.$OCI_CLI_REGION.oraclecloud.com"
+ _sig_keyId="$OCI_CLI_TENANCY/$OCI_CLI_USER/$_key_fingerprint"
+ _sig_alg="rsa-sha256"
+ _sig_version="1"
+ _sig_now="$(LC_ALL=C \date -u "+%a, %d %h %Y %H:%M:%S GMT")"
+
+ _request_method=$(printf %s "$_sig_method" | _lower_case)
+ _curl_method=$(printf %s "$_sig_method" | _upper_case)
+
+ _request_target="(request-target): $_request_method $_sig_target"
+ _date_header="date: $_sig_now"
+ _host_header="host: $_sig_host"
+
+ _string_to_sign="$_request_target\n$_date_header\n$_host_header"
+ _sig_headers="(request-target) date host"
+
+ if [ "$_sig_body" ]; then
+ _secure_debug3 _sig_body "$_sig_body"
+ _sig_body_sha256="x-content-sha256: $(printf %s "$_sig_body" | _digest sha256)"
+ _sig_body_type="content-type: application/json"
+ _sig_body_length="content-length: ${#_sig_body}"
+ _string_to_sign="$_string_to_sign\n$_sig_body_sha256\n$_sig_body_type\n$_sig_body_length"
+ _sig_headers="$_sig_headers x-content-sha256 content-type content-length"
+ fi
+
+ _tmp_file=$(_mktemp)
+ if [ -f "$_tmp_file" ]; then
+ printf '%s' "$OCI_CLI_KEY" >"$_tmp_file"
+ _signature=$(printf '%b' "$_string_to_sign" | _sign "$_tmp_file" sha256 | tr -d '\r\n')
+ rm -f "$_tmp_file"
+ fi
+
+ _signed_header="Authorization: Signature version=\"$_sig_version\",keyId=\"$_sig_keyId\",algorithm=\"$_sig_alg\",headers=\"$_sig_headers\",signature=\"$_signature\""
+ _secure_debug3 _signed_header "$_signed_header"
+
+ if [ "$_curl_method" = "GET" ]; then
+ export _H1="$_date_header"
+ export _H2="$_signed_header"
+ _response="$(_get "https://${_sig_host}${_sig_target}")"
+ elif [ "$_curl_method" = "PATCH" ]; then
+ export _H1="$_date_header"
+ export _H2="$_sig_body_sha256"
+ export _H3="$_sig_body_type"
+ export _H4="$_sig_body_length"
+ export _H5="$_signed_header"
+ _response="$(_post "$_sig_body" "https://${_sig_host}${_sig_target}" "" "PATCH")"
+ else
+ _err "Unable to process method: $_curl_method."
+ fi
+
+ _ret="$?"
+ if [ "$_return_field" ]; then
+ _response="$(echo "$_response" | sed 's/\\\"//g'))"
+ _return=$(echo "${_response}" | _egrep_o "\"$_return_field\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
+ else
+ _return="$_response"
+ fi
+
+ printf "%s" "$_return"
+ return $_ret
+
+}
+
+# file key [section]
+_readini() {
+ _file="$1"
+ _key="$2"
+ _section="${3:-DEFAULT}"
+
+ _start_n=$(grep -n '\['"$_section"']' "$_file" | cut -d : -f 1)
+ _debug3 _start_n "$_start_n"
+ if [ -z "$_start_n" ]; then
+ _err "Can not find section: $_section"
+ return 1
+ fi
+
+ _start_nn=$(_math "$_start_n" + 1)
+ _debug3 "_start_nn" "$_start_nn"
+
+ _left="$(sed -n "${_start_nn},99999p" "$_file")"
+ _debug3 _left "$_left"
+ _end="$(echo "$_left" | grep -n "^\[" | _head_n 1)"
+ _debug3 "_end" "$_end"
+ if [ "$_end" ]; then
+ _end_n=$(echo "$_end" | cut -d : -f 1)
+ _debug3 "_end_n" "$_end_n"
+ _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
+ else
+ _seg_n="$_left"
+ fi
+
+ _debug3 "_seg_n" "$_seg_n"
+ _lineini="$(echo "$_seg_n" | grep "^ *$_key *= *")"
+ _inivalue="$(printf "%b" "$(eval "echo $_lineini | sed \"s/^ *${_key} *= *//g\"")")"
+ _debug2 _inivalue "$_inivalue"
+ echo "$_inivalue"
+
+}
diff --git a/dnsapi/dns_one.sh b/dnsapi/dns_one.sh
index 890cc804..1565b767 100644
--- a/dnsapi/dns_one.sh
+++ b/dnsapi/dns_one.sh
@@ -1,22 +1,9 @@
#!/usr/bin/env sh
-# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*-
-
# one.com ui wrapper for acme.sh
-# Author: github: @diseq
-# Created: 2019-02-17
-# Fixed by: @der-berni
-# Modified: 2020-04-07
-#
-# Use ONECOM_KeepCnameProxy to keep the CNAME DNS record
-# export ONECOM_KeepCnameProxy="1"
+
#
# export ONECOM_User="username"
# export ONECOM_Password="password"
-#
-# Usage:
-# acme.sh --issue --dns dns_one -d example.com
-#
-# only single domain supported atm
dns_one_add() {
fulldomain=$1
@@ -36,27 +23,9 @@ dns_one_add() {
subdomain="${_sub_domain}"
maindomain=${_domain}
- useProxy=0
- if [ "${_sub_domain}" = "_acme-challenge" ]; then
- subdomain="proxy${_sub_domain}"
- useProxy=1
- fi
-
_debug subdomain "$subdomain"
_debug maindomain "$maindomain"
- if [ $useProxy -eq 1 ]; then
- #Check if the CNAME exists
- _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
- if [ -z "$id" ]; then
- _info "$(__red "Add CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
- _dns_one_addrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
-
- _info "Not valid yet, let's wait 1 hour to take effect."
- _sleep 3600
- fi
- fi
-
#Check if the TXT exists
_dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
if [ -n "$id" ]; then
@@ -92,26 +61,8 @@ dns_one_rm() {
subdomain="${_sub_domain}"
maindomain=${_domain}
- useProxy=0
- if [ "${_sub_domain}" = "_acme-challenge" ]; then
- subdomain="proxy${_sub_domain}"
- useProxy=1
- fi
-
_debug subdomain "$subdomain"
_debug maindomain "$maindomain"
- if [ $useProxy -eq 1 ]; then
- if [ "$ONECOM_KeepCnameProxy" = "1" ]; then
- _info "$(__red "Keeping CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
- else
- #Check if the CNAME exists
- _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
- if [ -n "$id" ]; then
- _info "$(__red "Removing CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
- _dns_one_delrecord "$id"
- fi
- fi
- fi
#Check if the TXT exists
_dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
@@ -136,7 +87,7 @@ dns_one_rm() {
# _domain=domain.com
_get_root() {
domain="$1"
- i=2
+ i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -163,8 +114,6 @@ _get_root() {
_dns_one_login() {
# get credentials
- ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-$(_readaccountconf_mutable ONECOM_KeepCnameProxy)}"
- ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-0}"
ONECOM_User="${ONECOM_User:-$(_readaccountconf_mutable ONECOM_User)}"
ONECOM_Password="${ONECOM_Password:-$(_readaccountconf_mutable ONECOM_Password)}"
if [ -z "$ONECOM_User" ] || [ -z "$ONECOM_Password" ]; then
@@ -176,7 +125,6 @@ _dns_one_login() {
fi
#save the api key and email to the account conf file.
- _saveaccountconf_mutable ONECOM_KeepCnameProxy "$ONECOM_KeepCnameProxy"
_saveaccountconf_mutable ONECOM_User "$ONECOM_User"
_saveaccountconf_mutable ONECOM_Password "$ONECOM_Password"
diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh
index 069f6c32..eb95902f 100755
--- a/dnsapi/dns_opnsense.sh
+++ b/dnsapi/dns_opnsense.sh
@@ -150,8 +150,7 @@ _get_root() {
return 1
fi
_debug h "$h"
- id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\"(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
-
+ id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":{\"[^\"]*\":{[^}]*}},\"transferkeyalgo\":{[^{]*{[^{]*{[^{]*{[^{]*{[^{]*{[^{]*{[^{]*{[^}]*}},\"transferkey\":\"[^\"]*\"(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
if [ -n "$id" ]; then
_debug id "$id"
_host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
diff --git a/dnsapi/dns_ovh.sh b/dnsapi/dns_ovh.sh
index f6f9689a..e65babbd 100755
--- a/dnsapi/dns_ovh.sh
+++ b/dnsapi/dns_ovh.sh
@@ -261,7 +261,9 @@ _get_root() {
return 1
fi
- if ! _contains "$response" "This service does not exist" >/dev/null && ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
+ if ! _contains "$response" "This service does not exist" >/dev/null &&
+ ! _contains "$response" "This call has not been granted" >/dev/null &&
+ ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain="$h"
return 0
diff --git a/dnsapi/dns_pdns.sh b/dnsapi/dns_pdns.sh
index 8f07e8c4..6aa2e953 100755
--- a/dnsapi/dns_pdns.sh
+++ b/dnsapi/dns_pdns.sh
@@ -103,7 +103,7 @@ set_record() {
_build_record_string "$oldchallenge"
done
- if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then
+ if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then
_err "Set txt record error."
return 1
fi
@@ -126,7 +126,7 @@ rm_record() {
if _contains "$_existing_challenges" "$txtvalue"; then
#Delete all challenges (PowerDNS API does not allow to delete content)
- if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}"; then
+ if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}" "application/json"; then
_err "Delete txt record error."
return 1
fi
@@ -140,7 +140,7 @@ rm_record() {
fi
done
#Recreate the existing challenges
- if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then
+ if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then
_err "Set txt record error."
return 1
fi
@@ -175,13 +175,13 @@ _get_root() {
i=1
if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then
- _zones_response="$response"
+ _zones_response=$(echo "$response" | _normalizeJson)
fi
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
- if _contains "$_zones_response" "\"name\": \"$h.\""; then
+ if _contains "$_zones_response" "\"name\":\"$h.\""; then
_domain="$h."
if [ -z "$h" ]; then
_domain="=2E"
@@ -203,12 +203,13 @@ _pdns_rest() {
method=$1
ep=$2
data=$3
+ ct=$4
export _H1="X-API-Key: $PDNS_Token"
if [ ! "$method" = "GET" ]; then
_debug data "$data"
- response="$(_post "$data" "$PDNS_Url$ep" "" "$method")"
+ response="$(_post "$data" "$PDNS_Url$ep" "" "$method" "$ct")"
else
response="$(_get "$PDNS_Url$ep")"
fi
diff --git a/dnsapi/dns_porkbun.sh b/dnsapi/dns_porkbun.sh
new file mode 100644
index 00000000..ad4455b6
--- /dev/null
+++ b/dnsapi/dns_porkbun.sh
@@ -0,0 +1,157 @@
+#!/usr/bin/env sh
+
+#
+#PORKBUN_API_KEY="pk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+#PORKBUN_SECRET_API_KEY="sk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+PORKBUN_Api="https://porkbun.com/api/json/v3"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_porkbun_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
+ PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
+
+ if [ -z "$PORKBUN_API_KEY" ] || [ -z "$PORKBUN_SECRET_API_KEY" ]; then
+ PORKBUN_API_KEY=''
+ PORKBUN_SECRET_API_KEY=''
+ _err "You didn't specify a Porkbun api key and secret api key yet."
+ _err "You can get yours from here https://porkbun.com/account/api."
+ return 1
+ fi
+
+ #save the credentials to the account conf file.
+ _saveaccountconf_mutable PORKBUN_API_KEY "$PORKBUN_API_KEY"
+ _saveaccountconf_mutable PORKBUN_SECRET_API_KEY "$PORKBUN_SECRET_API_KEY"
+
+ _debug 'First detect the root zone'
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+ # we can not use updating anymore.
+ # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+ # _debug count "$count"
+ # if [ "$count" = "0" ]; then
+ _info "Adding record"
+ if _porkbun_rest POST "dns/create/$_domain" "{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
+ if _contains "$response" '\"status\":"SUCCESS"'; then
+ _info "Added, OK"
+ return 0
+ elif _contains "$response" "The record already exists"; then
+ _info "Already exists, OK"
+ return 0
+ else
+ _err "Add txt record error. ($response)"
+ return 1
+ fi
+ fi
+ _err "Add txt record error."
+ return 1
+
+}
+
+#fulldomain txtvalue
+dns_porkbun_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
+ PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
+
+ _debug 'First detect the root zone'
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ count=$(echo "$response" | _egrep_o "\"count\": *[^,]*" | cut -d : -f 2 | tr -d " ")
+ _debug count "$count"
+ if [ "$count" = "0" ]; then
+ _info "Don't need to remove."
+ else
+ record_id=$(echo "$response" | tr '{' '\n' | grep -- "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! _porkbun_rest POST "dns/delete/$_domain/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null
+ fi
+
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ return 1
+ fi
+
+ if _porkbun_rest POST "dns/retrieve/$h"; then
+ if _contains "$response" "\"status\":\"SUCCESS\""; then
+ _domain=$h
+ _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
+ return 0
+ else
+ _debug "Go to next level of $_domain"
+ fi
+ else
+ _debug "Go to next level of $_domain"
+ fi
+ i=$(_math "$i" + 1)
+ done
+
+ return 1
+}
+
+_porkbun_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+
+ api_key_trimmed=$(echo "$PORKBUN_API_KEY" | tr -d '"')
+ secret_api_key_trimmed=$(echo "$PORKBUN_SECRET_API_KEY" | tr -d '"')
+
+ test -z "$data" && data="{" || data="$(echo $data | cut -d'}' -f1),"
+ data="$data\"apikey\":\"$api_key_trimmed\",\"secretapikey\":\"$secret_api_key_trimmed\"}"
+
+ export _H1="Content-Type: application/json"
+
+ if [ "$m" != "GET" ]; then
+ _debug data "$data"
+ response="$(_post "$data" "$PORKBUN_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$PORKBUN_Api/$ep")"
+ fi
+
+ _sleep 3 # prevent rate limit
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
diff --git a/dnsapi/dns_rackcorp.sh b/dnsapi/dns_rackcorp.sh
new file mode 100644
index 00000000..6aabfddc
--- /dev/null
+++ b/dnsapi/dns_rackcorp.sh
@@ -0,0 +1,156 @@
+#!/usr/bin/env sh
+
+# Provider: RackCorp (www.rackcorp.com)
+# Author: Stephen Dendtler (sdendtler@rackcorp.com)
+# Report Bugs here: https://github.com/senjoo/acme.sh
+# Alternate email contact: support@rackcorp.com
+#
+# You'll need an API key (Portal: ADMINISTRATION -> API)
+# Set the environment variables as below:
+#
+# export RACKCORP_APIUUID="UUIDHERE"
+# export RACKCORP_APISECRET="SECRETHERE"
+#
+
+RACKCORP_API_ENDPOINT="https://api.rackcorp.net/api/rest/v2.4/json.php"
+
+######## Public functions #####################
+
+dns_rackcorp_add() {
+ fulldomain="$1"
+ txtvalue="$2"
+
+ _debug fulldomain="$fulldomain"
+ _debug txtvalue="$txtvalue"
+
+ if ! _rackcorp_validate; then
+ return 1
+ fi
+
+ _debug "Searching for root zone"
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _lookup "$_lookup"
+ _debug _domain "$_domain"
+
+ _info "Creating TXT record."
+
+ if ! _rackcorp_api dns.record.create "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\",\"ttl\":300"; then
+ return 1
+ fi
+
+ return 0
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_rackcorp_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug fulldomain="$fulldomain"
+ _debug txtvalue="$txtvalue"
+
+ if ! _rackcorp_validate; then
+ return 1
+ fi
+
+ _debug "Searching for root zone"
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _lookup "$_lookup"
+ _debug _domain "$_domain"
+
+ _info "Creating TXT record."
+
+ if ! _rackcorp_api dns.record.delete "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\""; then
+ return 1
+ fi
+
+ return 0
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.domain.com
+#returns
+# _lookup=_acme-challenge
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+ if ! _rackcorp_api dns.domain.getall "\"name\":\"$domain\""; then
+ return 1
+ fi
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug searchhost "$h"
+ if [ -z "$h" ]; then
+ _err "Could not find domain for record $domain in RackCorp using the provided credentials"
+ #not valid
+ return 1
+ fi
+
+ _rackcorp_api dns.domain.getall "\"exactName\":\"$h\""
+
+ if _contains "$response" "\"matches\":1"; then
+ if _contains "$response" "\"name\":\"$h\""; then
+ _lookup=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ return 0
+ fi
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+
+ return 1
+}
+
+_rackcorp_validate() {
+ RACKCORP_APIUUID="${RACKCORP_APIUUID:-$(_readaccountconf_mutable RACKCORP_APIUUID)}"
+ if [ -z "$RACKCORP_APIUUID" ]; then
+ RACKCORP_APIUUID=""
+ _err "You require a RackCorp API UUID (export RACKCORP_APIUUID=\"\")"
+ _err "Please login to the portal and create an API key and try again."
+ return 1
+ fi
+
+ _saveaccountconf_mutable RACKCORP_APIUUID "$RACKCORP_APIUUID"
+
+ RACKCORP_APISECRET="${RACKCORP_APISECRET:-$(_readaccountconf_mutable RACKCORP_APISECRET)}"
+ if [ -z "$RACKCORP_APISECRET" ]; then
+ RACKCORP_APISECRET=""
+ _err "You require a RackCorp API secret (export RACKCORP_APISECRET=\"\")"
+ _err "Please login to the portal and create an API key and try again."
+ return 1
+ fi
+
+ _saveaccountconf_mutable RACKCORP_APISECRET "$RACKCORP_APISECRET"
+
+ return 0
+}
+_rackcorp_api() {
+ _rackcorpcmd=$1
+ _rackcorpinputdata=$2
+ _debug cmd "$_rackcorpcmd $_rackcorpinputdata"
+
+ export _H1="Accept: application/json"
+ response="$(_post "{\"APIUUID\":\"$RACKCORP_APIUUID\",\"APISECRET\":\"$RACKCORP_APISECRET\",\"cmd\":\"$_rackcorpcmd\",$_rackcorpinputdata}" "$RACKCORP_API_ENDPOINT" "" "POST")"
+
+ if [ "$?" != "0" ]; then
+ _err "error $response"
+ return 1
+ fi
+ _debug2 response "$response"
+ if _contains "$response" "\"code\":\"OK\""; then
+ _debug code "OK"
+ else
+ _debug code "FAILED"
+ response=""
+ return 1
+ fi
+ return 0
+}
diff --git a/dnsapi/dns_rackspace.sh b/dnsapi/dns_rackspace.sh
index 03e1fa68..b50d9168 100644
--- a/dnsapi/dns_rackspace.sh
+++ b/dnsapi/dns_rackspace.sh
@@ -7,6 +7,7 @@
RACKSPACE_Endpoint="https://dns.api.rackspacecloud.com/v1.0"
+# 20210923 - RS changed the fields in the API response; fix sed
# 20190213 - The name & id fields swapped in the API response; fix sed
# 20190101 - Duplicating file for new pull request to dev branch
# Original - tcocca:rackspace_dnsapi https://github.com/acmesh-official/acme.sh/pull/1297
@@ -79,8 +80,8 @@ _get_root_zone() {
_debug2 response "$response"
if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
# Response looks like:
- # {"ttl":300,"accountId":12345,"id":1111111,"name":"example.com","emailAddress": ...
- _domain_id=$(echo "$response" | sed -n "s/^.*\"id\":\([^,]*\),\"name\":\"$h\",.*/\1/p")
+ # {"id":"12345","accountId":"1111111","name": "example.com","ttl":3600,"emailAddress": ...
+ _domain_id=$(echo "$response" | sed -n "s/^.*\"id\":\"\([^,]*\)\",\"accountId\":\"[0-9]*\",\"name\":\"$h\",.*/\1/p")
_debug2 domain_id "$_domain_id"
if [ -n "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
diff --git a/dnsapi/dns_regru.sh b/dnsapi/dns_regru.sh
index 29f758ea..2a1ebaa5 100644
--- a/dnsapi/dns_regru.sh
+++ b/dnsapi/dns_regru.sh
@@ -92,9 +92,10 @@ _get_root() {
domains_list=$(echo "${response}" | grep dname | sed -r "s/.*dname=\"([^\"]+)\".*/\\1/g")
for ITEM in ${domains_list}; do
+ IDN_ITEM="$(_idn "${ITEM}")"
case "${domain}" in
- *${ITEM}*)
- _domain=${ITEM}
+ *${IDN_ITEM}*)
+ _domain=${IDN_ITEM}
_debug _domain "${_domain}"
return 0
;;
diff --git a/dnsapi/dns_scaleway.sh b/dnsapi/dns_scaleway.sh
new file mode 100755
index 00000000..a0a0f318
--- /dev/null
+++ b/dnsapi/dns_scaleway.sh
@@ -0,0 +1,176 @@
+#!/usr/bin/env sh
+
+# Scaleway API
+# https://developers.scaleway.com/en/products/domain/dns/api/
+#
+# Requires Scaleway API token set in SCALEWAY_API_TOKEN
+
+######## Public functions #####################
+
+SCALEWAY_API="https://api.scaleway.com/domain/v2beta1"
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_scaleway_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _scaleway_check_config; then
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Adding record"
+ _scaleway_create_TXT_record "$_domain" "$_sub_domain" "$txtvalue"
+ if _contains "$response" "records"; then
+ return 0
+ else
+ _err error "$response"
+ return 1
+ fi
+ _info "Record added."
+
+ return 0
+}
+
+dns_scaleway_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _scaleway_check_config; then
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Deleting record"
+ _scaleway_delete_TXT_record "$_domain" "$_sub_domain" "$txtvalue"
+ if _contains "$response" "records"; then
+ return 0
+ else
+ _err error "$response"
+ return 1
+ fi
+ _info "Record deleted."
+
+ return 0
+}
+
+#################### Private functions below ##################################
+
+_scaleway_check_config() {
+ SCALEWAY_API_TOKEN="${SCALEWAY_API_TOKEN:-$(_readaccountconf_mutable SCALEWAY_API_TOKEN)}"
+ if [ -z "$SCALEWAY_API_TOKEN" ]; then
+ _err "No API key specified for Scaleway API."
+ _err "Create your key and export it as SCALEWAY_API_TOKEN"
+ return 1
+ fi
+ if ! _scaleway_rest GET "dns-zones"; then
+ _err "Invalid API key specified for Scaleway API."
+ return 1
+ fi
+
+ _saveaccountconf_mutable SCALEWAY_API_TOKEN "$SCALEWAY_API_TOKEN"
+
+ return 0
+}
+
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ _scaleway_rest GET "dns-zones/$h/records"
+
+ if ! _contains "$response" "subdomain not found" >/dev/null; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ return 0
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ _err "Unable to retrive DNS zone matching this domain"
+ return 1
+}
+
+# this function add a TXT record
+_scaleway_create_TXT_record() {
+ txt_zone=$1
+ txt_name=$2
+ txt_value=$3
+
+ _scaleway_rest PATCH "dns-zones/$txt_zone/records" "{\"return_all_records\":false,\"changes\":[{\"add\":{\"records\":[{\"name\":\"$txt_name\",\"data\":\"$txt_value\",\"type\":\"TXT\",\"ttl\":60}]}}]}"
+
+ if _contains "$response" "records"; then
+ return 0
+ else
+ _err "error1 $response"
+ return 1
+ fi
+}
+
+# this function delete a TXT record based on name and content
+_scaleway_delete_TXT_record() {
+ txt_zone=$1
+ txt_name=$2
+ txt_value=$3
+
+ _scaleway_rest PATCH "dns-zones/$txt_zone/records" "{\"return_all_records\":false,\"changes\":[{\"delete\":{\"id_fields\":{\"name\":\"$txt_name\",\"data\":\"$txt_value\",\"type\":\"TXT\"}}}]}"
+
+ if _contains "$response" "records"; then
+ return 0
+ else
+ _err "error2 $response"
+ return 1
+ fi
+}
+
+_scaleway_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+ _scaleway_url="$SCALEWAY_API/$ep"
+ _debug2 _scaleway_url "$_scaleway_url"
+ export _H1="x-auth-token: $SCALEWAY_API_TOKEN"
+ export _H2="Accept: application/json"
+ export _H3="Content-Type: application/json"
+
+ if [ "$data" ] || [ "$m" != "GET" ]; then
+ _debug data "$data"
+ response="$(_post "$data" "$_scaleway_url" "" "$m")"
+ else
+ response="$(_get "$_scaleway_url")"
+ fi
+ if [ "$?" != "0" ] || _contains "$response" "denied_authentication" || _contains "$response" "Method not allowed" || _contains "$response" "json parse error: unexpected EOF"; then
+ _err "error $response"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
diff --git a/dnsapi/dns_servercow.sh b/dnsapi/dns_servercow.sh
index e73d85b0..f70a2294 100755
--- a/dnsapi/dns_servercow.sh
+++ b/dnsapi/dns_servercow.sh
@@ -49,16 +49,42 @@ dns_servercow_add() {
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
- if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
- if printf -- "%s" "$response" | grep "ok" >/dev/null; then
- _info "Added, OK"
- return 0
- else
- _err "add txt record error."
- return 1
+ # check whether a txt record already exists for the subdomain
+ if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then
+ _info "A txt record with the same name already exists."
+ # trim the string on the left
+ txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"}
+ # trim the string on the right
+ txtvalue_old=${txtvalue_old%%\"*}
+
+ _debug txtvalue_old "$txtvalue_old"
+
+ _info "Add the new txtvalue to the existing txt record."
+ if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":[\"$txtvalue\",\"$txtvalue_old\"],\"ttl\":20}"; then
+ if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+ _info "Added additional txtvalue, OK"
+ return 0
+ else
+ _err "add txt record error."
+ return 1
+ fi
fi
+ _err "add txt record error."
+ return 1
+ else
+ _info "There is no txt record with the name yet."
+ if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
+ if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+ _info "Added, OK"
+ return 0
+ else
+ _err "add txt record error."
+ return 1
+ fi
+ fi
+ _err "add txt record error."
+ return 1
fi
- _err "add txt record error."
return 1
}
diff --git a/dnsapi/dns_simply.sh b/dnsapi/dns_simply.sh
new file mode 100644
index 00000000..6a8d0e18
--- /dev/null
+++ b/dnsapi/dns_simply.sh
@@ -0,0 +1,269 @@
+#!/usr/bin/env sh
+
+# API-integration for Simply.com (https://www.simply.com)
+
+#SIMPLY_AccountName="accountname"
+#SIMPLY_ApiKey="apikey"
+#
+#SIMPLY_Api="https://api.simply.com/2/"
+SIMPLY_Api_Default="https://api.simply.com/2"
+
+#This is used for determining success of REST call
+SIMPLY_SUCCESS_CODE='"status":200'
+
+######## Public functions #####################
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_simply_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _simply_load_config; then
+ return 1
+ fi
+
+ _simply_save_config
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Adding record"
+
+ if ! _simply_add_record "$_domain" "$_sub_domain" "$txtvalue"; then
+ _err "Could not add DNS record"
+ return 1
+ fi
+ return 0
+}
+
+dns_simply_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _simply_load_config; then
+ return 1
+ fi
+
+ _simply_save_config
+
+ _debug "Find the DNS zone"
+
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+ _debug txtvalue "$txtvalue"
+
+ _info "Getting all existing records"
+
+ if ! _simply_get_all_records "$_domain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ records=$(echo "$response" | tr '{' "\n" | grep 'record_id\|type\|data\|\name' | sed 's/\"record_id/;\"record_id/' | tr "\n" ' ' | tr -d ' ' | tr ';' ' ')
+
+ nr_of_deleted_records=0
+ _info "Fetching txt record"
+
+ for record in $records; do
+ _debug record "$record"
+
+ record_data=$(echo "$record" | sed -n "s/.*\"data\":\"\([^\"]*\)\".*/\1/p")
+ record_type=$(echo "$record" | sed -n "s/.*\"type\":\"\([^\"]*\)\".*/\1/p")
+
+ _debug2 record_data "$record_data"
+ _debug2 record_type "$record_type"
+
+ if [ "$record_data" = "$txtvalue" ] && [ "$record_type" = "TXT" ]; then
+
+ record_id=$(echo "$record" | cut -d "," -f 1 | grep "record_id" | cut -d ":" -f 2)
+
+ _info "Deleting record $record"
+ _debug2 record_id "$record_id"
+
+ if [ "$record_id" -gt 0 ]; then
+
+ if ! _simply_delete_record "$_domain" "$_sub_domain" "$record_id"; then
+ _err "Record with id $record_id could not be deleted"
+ return 1
+ fi
+
+ nr_of_deleted_records=1
+ break
+ else
+ _err "Fetching record_id could not be done, this should not happen, exiting function. Failing record is $record"
+ break
+ fi
+ fi
+
+ done
+
+ if [ "$nr_of_deleted_records" -eq 0 ]; then
+ _err "No record deleted, the DNS record needs to be removed manually."
+ else
+ _info "Deleted $nr_of_deleted_records record"
+ fi
+
+ return 0
+}
+
+#################### Private functions below ##################################
+
+_simply_load_config() {
+ SIMPLY_Api="${SIMPLY_Api:-$(_readaccountconf_mutable SIMPLY_Api)}"
+ SIMPLY_AccountName="${SIMPLY_AccountName:-$(_readaccountconf_mutable SIMPLY_AccountName)}"
+ SIMPLY_ApiKey="${SIMPLY_ApiKey:-$(_readaccountconf_mutable SIMPLY_ApiKey)}"
+
+ if [ -z "$SIMPLY_Api" ]; then
+ SIMPLY_Api="$SIMPLY_Api_Default"
+ fi
+
+ if [ -z "$SIMPLY_AccountName" ] || [ -z "$SIMPLY_ApiKey" ]; then
+ SIMPLY_AccountName=""
+ SIMPLY_ApiKey=""
+
+ _err "A valid Simply API account and apikey not provided."
+ _err "Please provide a valid API user and try again."
+
+ return 1
+ fi
+
+ return 0
+}
+
+_simply_save_config() {
+ if [ "$SIMPLY_Api" != "$SIMPLY_Api_Default" ]; then
+ _saveaccountconf_mutable SIMPLY_Api "$SIMPLY_Api"
+ fi
+ _saveaccountconf_mutable SIMPLY_AccountName "$SIMPLY_AccountName"
+ _saveaccountconf_mutable SIMPLY_ApiKey "$SIMPLY_ApiKey"
+}
+
+_simply_get_all_records() {
+ domain=$1
+
+ if ! _simply_rest GET "my/products/$domain/dns/records/"; then
+ return 1
+ fi
+
+ return 0
+}
+
+_get_root() {
+ domain=$1
+ i=2
+ p=1
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if ! _simply_rest GET "my/products/$h/dns/"; then
+ return 1
+ fi
+
+ if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+ _debug "$h not found"
+ else
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ return 0
+ fi
+ p="$i"
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_simply_add_record() {
+ domain=$1
+ sub_domain=$2
+ txtval=$3
+
+ data="{\"name\": \"$sub_domain\", \"type\":\"TXT\", \"data\": \"$txtval\", \"priority\":0, \"ttl\": 3600}"
+
+ if ! _simply_rest POST "my/products/$domain/dns/records/" "$data"; then
+ _err "Adding record not successfull!"
+ return 1
+ fi
+
+ if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+ _err "Call to API not sucessfull, see below message for more details"
+ _err "$response"
+ return 1
+ fi
+
+ return 0
+}
+
+_simply_delete_record() {
+ domain=$1
+ sub_domain=$2
+ record_id=$3
+
+ _debug record_id "Delete record with id $record_id"
+
+ if ! _simply_rest DELETE "my/products/$domain/dns/records/$record_id/"; then
+ _err "Deleting record not successfull!"
+ return 1
+ fi
+
+ if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+ _err "Call to API not sucessfull, see below message for more details"
+ _err "$response"
+ return 1
+ fi
+
+ return 0
+}
+
+_simply_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+
+ _debug2 data "$data"
+ _debug2 ep "$ep"
+ _debug2 m "$m"
+
+ basicauth=$(printf "%s:%s" "$SIMPLY_AccountName" "$SIMPLY_ApiKey" | _base64)
+
+ if [ "$basicauth" ]; then
+ export _H1="Authorization: Basic $basicauth"
+ fi
+
+ export _H2="Content-Type: application/json"
+
+ if [ "$m" != "GET" ]; then
+ response="$(_post "$data" "$SIMPLY_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$SIMPLY_Api/$ep")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+
+ response="$(echo "$response" | _normalizeJson)"
+
+ _debug2 response "$response"
+
+ if _contains "$response" "Invalid account authorization"; then
+ _err "It seems that your api key or accountnumber is not correct."
+ return 1
+ fi
+
+ return 0
+}
diff --git a/dnsapi/dns_udr.sh b/dnsapi/dns_udr.sh
new file mode 100644
index 00000000..caada826
--- /dev/null
+++ b/dnsapi/dns_udr.sh
@@ -0,0 +1,160 @@
+#!/usr/bin/env sh
+
+# united-domains Reselling (https://www.ud-reselling.com/) DNS API
+# Author: Andreas Scherer (https://github.com/andischerer)
+# Created: 2021-02-01
+#
+# Set the environment variables as below:
+#
+# export UDR_USER="your_username_goes_here"
+# export UDR_PASS="some_password_goes_here"
+#
+
+UDR_API="https://api.domainreselling.de/api/call.cgi"
+UDR_TTL="30"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "some_long_string_of_characters_go_here_from_lets_encrypt"
+dns_udr_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ UDR_USER="${UDR_USER:-$(_readaccountconf_mutable UDR_USER)}"
+ UDR_PASS="${UDR_PASS:-$(_readaccountconf_mutable UDR_PASS)}"
+ if [ -z "$UDR_USER" ] || [ -z "$UDR_PASS" ]; then
+ UDR_USER=""
+ UDR_PASS=""
+ _err "You didn't specify an UD-Reselling username and password yet"
+ return 1
+ fi
+ # save the username and password to the account conf file.
+ _saveaccountconf_mutable UDR_USER "$UDR_USER"
+ _saveaccountconf_mutable UDR_PASS "$UDR_PASS"
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _dnszone "${_dnszone}"
+
+ _debug "Getting txt records"
+ if ! _udr_rest "QueryDNSZoneRRList" "dnszone=${_dnszone}"; then
+ return 1
+ fi
+
+ rr="${fulldomain}. ${UDR_TTL} IN TXT ${txtvalue}"
+ _debug resource_record "${rr}"
+ if _contains "$response" "$rr" >/dev/null; then
+ _err "Error, it would appear that this record already exists. Please review existing TXT records for this domain."
+ return 1
+ fi
+
+ _info "Adding record"
+ if ! _udr_rest "UpdateDNSZone" "dnszone=${_dnszone}&addrr0=${rr}"; then
+ _err "Adding the record did not succeed, please verify/check."
+ return 1
+ fi
+
+ _info "Added, OK"
+ return 0
+}
+
+dns_udr_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ UDR_USER="${UDR_USER:-$(_readaccountconf_mutable UDR_USER)}"
+ UDR_PASS="${UDR_PASS:-$(_readaccountconf_mutable UDR_PASS)}"
+ if [ -z "$UDR_USER" ] || [ -z "$UDR_PASS" ]; then
+ UDR_USER=""
+ UDR_PASS=""
+ _err "You didn't specify an UD-Reselling username and password yet"
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _dnszone "${_dnszone}"
+
+ _debug "Getting txt records"
+ if ! _udr_rest "QueryDNSZoneRRList" "dnszone=${_dnszone}"; then
+ return 1
+ fi
+
+ rr="${fulldomain}. ${UDR_TTL} IN TXT ${txtvalue}"
+ _debug resource_record "${rr}"
+ if _contains "$response" "$rr" >/dev/null; then
+ if ! _udr_rest "UpdateDNSZone" "dnszone=${_dnszone}&delrr0=${rr}"; then
+ _err "Deleting the record did not succeed, please verify/check."
+ return 1
+ fi
+ _info "Removed, OK"
+ return 0
+ else
+ _info "Text record is not present, will not delete anything."
+ return 0
+ fi
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+
+ if ! _udr_rest "QueryDNSZoneList" ""; then
+ return 1
+ fi
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if _contains "${response}" "${h}." >/dev/null; then
+ _dnszone=$(echo "$response" | _egrep_o "${h}")
+ if [ "$_dnszone" ]; then
+ return 0
+ fi
+ return 1
+ fi
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_udr_rest() {
+ if [ -n "$2" ]; then
+ data="command=$1&$2"
+ else
+ data="command=$1"
+ fi
+
+ _debug data "${data}"
+ response="$(_post "${data}" "${UDR_API}?s_login=${UDR_USER}&s_pw=${UDR_PASS}" "" "POST")"
+
+ _code=$(echo "$response" | _egrep_o "code = ([0-9]+)" | _head_n 1 | cut -d = -f 2 | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+ _description=$(echo "$response" | _egrep_o "description = .*" | _head_n 1 | cut -d = -f 2 | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+
+ _debug response_code "$_code"
+ _debug response_description "$_description"
+
+ if [ ! "$_code" = "200" ]; then
+ _err "DNS-API-Error: $_description"
+ return 1
+ fi
+
+ return 0
+}
diff --git a/dnsapi/dns_veesp.sh b/dnsapi/dns_veesp.sh
new file mode 100644
index 00000000..b8a41d00
--- /dev/null
+++ b/dnsapi/dns_veesp.sh
@@ -0,0 +1,158 @@
+#!/usr/bin/env sh
+
+# bug reports to stepan@plyask.in
+
+#
+# export VEESP_User="username"
+# export VEESP_Password="password"
+
+VEESP_Api="https://secure.veesp.com/api"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_veesp_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}"
+ VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}"
+ VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64)
+
+ if [ -z "$VEESP_Password" ] || [ -z "$VEESP_User" ]; then
+ VEESP_Password=""
+ VEESP_User=""
+ _err "You don't specify veesp api key and email yet."
+ _err "Please create you key and try again."
+ return 1
+ fi
+
+ #save the api key and email to the account conf file.
+ _saveaccountconf_mutable VEESP_Password "$VEESP_Password"
+ _saveaccountconf_mutable VEESP_User "$VEESP_User"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Adding record"
+ if VEESP_rest POST "service/$_service_id/dns/$_domain_id/records" "{\"name\":\"$fulldomain\",\"ttl\":1,\"priority\":0,\"type\":\"TXT\",\"content\":\"$txtvalue\"}"; then
+ if _contains "$response" "\"success\":true"; then
+ _info "Added"
+ #todo: check if the record takes effect
+ return 0
+ else
+ _err "Add txt record error."
+ return 1
+ fi
+ fi
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+dns_veesp_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}"
+ VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}"
+ VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64)
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _debug "Getting txt records"
+ VEESP_rest GET "service/$_service_id/dns/$_domain_id"
+
+ count=$(printf "%s\n" "$response" | _egrep_o "\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | wc -l | tr -d " ")
+ _debug count "$count"
+ if [ "$count" = "0" ]; then
+ _info "Don't need to remove."
+ else
+ record_id=$(printf "%s\n" "$response" | _egrep_o "{\"id\":[^}]*\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | cut -d\" -f4)
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! VEESP_rest DELETE "service/$_service_id/dns/$_domain_id/records/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ _contains "$response" "\"success\":true"
+ fi
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=2
+ p=1
+ if ! VEESP_rest GET "dns"; then
+ return 1
+ fi
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if _contains "$response" "\"name\":\"$h\""; then
+ _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"domain_id\":[^,]*,\"name\":\"$h\"" | cut -d : -f 2 | cut -d , -f 1 | cut -d '"' -f 2)
+ _debug _domain_id "$_domain_id"
+ _service_id=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$h\",\"service_id\":[^}]*" | cut -d : -f 3 | cut -d '"' -f 2)
+ _debug _service_id "$_service_id"
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+VEESP_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+
+ export _H1="Accept: application/json"
+ export _H2="Authorization: Basic $VEESP_auth"
+ if [ "$m" != "GET" ]; then
+ _debug data "$data"
+ export _H3="Content-Type: application/json"
+ response="$(_post "$data" "$VEESP_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$VEESP_Api/$ep")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh
index c7b52e84..84857966 100644
--- a/dnsapi/dns_vultr.sh
+++ b/dnsapi/dns_vultr.sh
@@ -33,7 +33,7 @@ dns_vultr_add() {
_debug 'Getting txt records'
_vultr_rest GET "dns/records?domain=$_domain"
- if printf "%s\n" "$response" | grep "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
+ if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
_err 'Error'
return 1
fi
@@ -73,12 +73,12 @@ dns_vultr_rm() {
_debug 'Getting txt records'
_vultr_rest GET "dns/records?domain=$_domain"
- if printf "%s\n" "$response" | grep "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
+ if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
_err 'Error'
return 1
fi
- _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
+ _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
_debug _record_id "$_record_id"
if [ "$_record_id" ]; then
_info "Successfully retrieved the record id for ACME challenge."
diff --git a/dnsapi/dns_websupport.sh b/dnsapi/dns_websupport.sh
new file mode 100644
index 00000000..e824c9c0
--- /dev/null
+++ b/dnsapi/dns_websupport.sh
@@ -0,0 +1,207 @@
+#!/usr/bin/env sh
+
+# Acme.sh DNS API wrapper for websupport.sk
+#
+# Original author: trgo.sk (https://github.com/trgosk)
+# Tweaks by: akulumbeg (https://github.com/akulumbeg)
+# Report Bugs here: https://github.com/akulumbeg/acme.sh
+
+# Requirements: API Key and Secret from https://admin.websupport.sk/en/auth/apiKey
+#
+# WS_ApiKey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+# (called "Identifier" in the WS Admin)
+#
+# WS_ApiSecret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# (called "Secret key" in the WS Admin)
+
+WS_Api="https://rest.websupport.sk"
+
+######## Public functions #####################
+
+dns_websupport_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ WS_ApiKey="${WS_ApiKey:-$(_readaccountconf_mutable WS_ApiKey)}"
+ WS_ApiSecret="${WS_ApiSecret:-$(_readaccountconf_mutable WS_ApiSecret)}"
+
+ if [ "$WS_ApiKey" ] && [ "$WS_ApiSecret" ]; then
+ _saveaccountconf_mutable WS_ApiKey "$WS_ApiKey"
+ _saveaccountconf_mutable WS_ApiSecret "$WS_ApiSecret"
+ else
+ WS_ApiKey=""
+ WS_ApiSecret=""
+ _err "You did not specify the API Key and/or API Secret"
+ _err "You can get the API login credentials from https://admin.websupport.sk/en/auth/apiKey"
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+ # we can not use updating anymore.
+ # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+ # _debug count "$count"
+ # if [ "$count" = "0" ]; then
+ _info "Adding record"
+ if _ws_rest POST "/v1/user/self/zone/$_domain/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Added, OK"
+ return 0
+ elif _contains "$response" "The record already exists"; then
+ _info "Already exists, OK"
+ return 0
+ else
+ _err "Add txt record error."
+ return 1
+ fi
+ fi
+ _err "Add txt record error."
+ return 1
+
+}
+
+dns_websupport_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug2 fulldomain "$fulldomain"
+ _debug2 txtvalue "$txtvalue"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _debug "Getting txt records"
+ _ws_rest GET "/v1/user/self/zone/$_domain/record"
+
+ if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"items\")" -lt "1" ]; then
+ _err "Error: $response"
+ return 1
+ fi
+
+ record_line="$(_get_from_array "$response" "$txtvalue")"
+ _debug record_line "$record_line"
+ if [ -z "$record_line" ]; then
+ _info "Don't need to remove."
+ else
+ record_id=$(echo "$record_line" | _egrep_o "\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! _ws_rest DELETE "/v1/user/self/zone/$_domain/record/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"success\")" -lt "1" ]; then
+ return 1
+ else
+ return 0
+ fi
+ fi
+
+}
+
+#################### Private Functions ##################################
+
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if ! _ws_rest GET "/v1/user/self/zone"; then
+ return 1
+ fi
+
+ if _contains "$response" "\"name\":\"$h\""; then
+ _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_ws_rest() {
+ me=$1
+ pa="$2"
+ da="$3"
+
+ _debug2 api_key "$WS_ApiKey"
+ _debug2 api_secret "$WS_ApiSecret"
+
+ timestamp=$(_time)
+ datez="$(_utc_date | sed "s/ /T/" | sed "s/$/+0000/")"
+ canonical_request="${me} ${pa} ${timestamp}"
+ signature_hash=$(printf "%s" "$canonical_request" | _hmac sha1 "$(printf "%s" "$WS_ApiSecret" | _hex_dump | tr -d " ")" hex)
+ basicauth="$(printf "%s:%s" "$WS_ApiKey" "$signature_hash" | _base64)"
+
+ _debug2 method "$me"
+ _debug2 path "$pa"
+ _debug2 data "$da"
+ _debug2 timestamp "$timestamp"
+ _debug2 datez "$datez"
+ _debug2 canonical_request "$canonical_request"
+ _debug2 signature_hash "$signature_hash"
+ _debug2 basicauth "$basicauth"
+
+ export _H1="Accept: application/json"
+ export _H2="Content-Type: application/json"
+ export _H3="Authorization: Basic ${basicauth}"
+ export _H4="Date: ${datez}"
+
+ _debug2 H1 "$_H1"
+ _debug2 H2 "$_H2"
+ _debug2 H3 "$_H3"
+ _debug2 H4 "$_H4"
+
+ if [ "$me" != "GET" ]; then
+ _debug2 "${me} $WS_Api${pa}"
+ _debug data "$da"
+ response="$(_post "$da" "${WS_Api}${pa}" "" "$me")"
+ else
+ _debug2 "GET $WS_Api${pa}"
+ response="$(_get "$WS_Api${pa}")"
+ fi
+
+ _debug2 response "$response"
+ return "$?"
+}
+
+_get_from_array() {
+ va="$1"
+ fi="$2"
+ for i in $(echo "$va" | sed "s/{/ /g"); do
+ if _contains "$i" "$fi"; then
+ echo "$i"
+ break
+ fi
+ done
+}
diff --git a/dnsapi/dns_world4you.sh b/dnsapi/dns_world4you.sh
index 24b8dd68..fd124754 100644
--- a/dnsapi/dns_world4you.sh
+++ b/dnsapi/dns_world4you.sh
@@ -24,7 +24,7 @@ dns_world4you_add() {
fi
export _H1="Cookie: W4YSESSID=$sessid"
- form=$(_get "$WORLD4YOU_API/dashboard/paketuebersicht")
+ form=$(_get "$WORLD4YOU_API/")
_get_paketnr "$fqdn" "$form"
paketnr="$PAKETNR"
if [ -z "$paketnr" ]; then
@@ -36,7 +36,6 @@ dns_world4you_add() {
export _H1="Cookie: W4YSESSID=$sessid"
form=$(_get "$WORLD4YOU_API/$paketnr/dns")
formiddp=$(echo "$form" | grep 'AddDnsRecordForm\[uniqueFormIdDP\]' | sed 's/^.*name="AddDnsRecordForm\[uniqueFormIdDP\]" value="\([^"]*\)".*$/\1/')
- formidttl=$(echo "$form" | grep 'AddDnsRecordForm\[uniqueFormIdTTL\]' | sed 's/^.*name="AddDnsRecordForm\[uniqueFormIdTTL\]" value="\([^"]*\)".*$/\1/')
form_token=$(echo "$form" | grep 'AddDnsRecordForm\[_token\]' | sed 's/^.*name="AddDnsRecordForm\[_token\]" value="\([^"]*\)".*$/\1/')
if [ -z "$formiddp" ]; then
_err "Unable to parse form"
@@ -45,24 +44,31 @@ dns_world4you_add() {
_resethttp
export ACME_HTTP_NO_REDIRECTS=1
- body="AddDnsRecordForm[name]=$RECORD&AddDnsRecordForm[dnsType][type]=TXT&\
-AddDnsRecordForm[value]=$value&AddDnsRecordForm[aktivPaket]=$paketnr&AddDnsRecordForm[uniqueFormIdDP]=$formiddp&\
-AddDnsRecordForm[uniqueFormIdTTL]=$formidttl&AddDnsRecordForm[_token]=$form_token"
+ body="AddDnsRecordForm[name]=$RECORD&AddDnsRecordForm[dnsType][type]=TXT&AddDnsRecordForm[value]=$value&AddDnsRecordForm[uniqueFormIdDP]=$formiddp&AddDnsRecordForm[_token]=$form_token"
_info "Adding record..."
ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns" '' POST 'application/x-www-form-urlencoded')
_resethttp
- if grep '302' >/dev/null <"$HTTP_HEADER"; then
+ if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
res=$(_get "$WORLD4YOU_API/$paketnr/dns")
if _contains "$res" "successfully"; then
return 0
else
msg=$(echo "$res" | tr '\n' '\t' | sed 's/.*[^\t]*\t *\([^\t]*\)\t.*/\1/')
+ if _contains "$msg" '^<\!DOCTYPE html>'; then
+ msg='Unknown error'
+ fi
_err "Unable to add record: $msg"
+ if _contains "$msg" '^<\!DOCTYPE html>'; then
+ echo "$ret" >'error-01.html'
+ echo "$res" >'error-02.html'
+ _err "View error-01.html and error-02.html for debugging"
+ fi
return 1
fi
else
- _err "$(_head_n 1 <"$HTTP_HEADER")"
+ _err "$(_head_n 3 <"$HTTP_HEADER")"
+ _err "View $HTTP_HEADER for debugging"
return 1
fi
}
@@ -81,7 +87,7 @@ dns_world4you_rm() {
fi
export _H1="Cookie: W4YSESSID=$sessid"
- form=$(_get "$WORLD4YOU_API/dashboard/paketuebersicht")
+ form=$(_get "$WORLD4YOU_API/")
_get_paketnr "$fqdn" "$form"
paketnr="$PAKETNR"
if [ -z "$paketnr" ]; then
@@ -92,7 +98,6 @@ dns_world4you_rm() {
form=$(_get "$WORLD4YOU_API/$paketnr/dns")
formiddp=$(echo "$form" | grep 'DeleteDnsRecordForm\[uniqueFormIdDP\]' | sed 's/^.*name="DeleteDnsRecordForm\[uniqueFormIdDP\]" value="\([^"]*\)".*$/\1/')
- formidttl=$(echo "$form" | grep 'DeleteDnsRecordForm\[uniqueFormIdTTL\]' | sed 's/^.*name="DeleteDnsRecordForm\[uniqueFormIdTTL\]" value="\([^"]*\)".*$/\1/')
form_token=$(echo "$form" | grep 'DeleteDnsRecordForm\[_token\]' | sed 's/^.*name="DeleteDnsRecordForm\[_token\]" value="\([^"]*\)".*$/\1/')
if [ -z "$formiddp" ]; then
_err "Unable to parse form"
@@ -104,24 +109,31 @@ dns_world4you_rm() {
_resethttp
export ACME_HTTP_NO_REDIRECTS=1
- body="DeleteDnsRecordForm[recordId]=$recordid&DeleteDnsRecordForm[aktivPaket]=$paketnr&\
-DeleteDnsRecordForm[uniqueFormIdDP]=$formiddp&DeleteDnsRecordForm[uniqueFormIdTTL]=$formidttl&\
-DeleteDnsRecordForm[_token]=$form_token"
+ body="DeleteDnsRecordForm[recordId]=$recordid&DeleteDnsRecordForm[uniqueFormIdDP]=$formiddp&DeleteDnsRecordForm[_token]=$form_token"
_info "Removing record..."
- ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/deleteRecord" '' POST 'application/x-www-form-urlencoded')
+ ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns/record/delete" '' POST 'application/x-www-form-urlencoded')
_resethttp
- if grep '302' >/dev/null <"$HTTP_HEADER"; then
+ if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
res=$(_get "$WORLD4YOU_API/$paketnr/dns")
if _contains "$res" "successfully"; then
return 0
else
msg=$(echo "$res" | tr '\n' '\t' | sed 's/.*[^\t]*\t *\([^\t]*\)\t.*/\1/')
+ if _contains "$msg" '^<\!DOCTYPE html>'; then
+ msg='Unknown error'
+ fi
_err "Unable to remove record: $msg"
+ if _contains "$msg" '^<\!DOCTYPE html>'; then
+ echo "$ret" >'error-01.html'
+ echo "$res" >'error-02.html'
+ _err "View error-01.html and error-02.html for debugging"
+ fi
return 1
fi
else
- _err "$(_head_n 1 <"$HTTP_HEADER")"
+ _err "$(_head_n 3 <"$HTTP_HEADER")"
+ _err "View $HTTP_HEADER for debugging"
return 1
fi
}
@@ -172,10 +184,10 @@ _get_paketnr() {
fqdn="$1"
form="$2"
- domains=$(echo "$form" | grep '^ *[A-Za-z0-9_\.-]*\.[A-Za-z0-9_-]*$' | sed 's/^\s*\(\S*\)$/\1/')
+ domains=$(echo "$form" | grep 'header-paket-domain' | sed 's/<[^>]*>//g' | sed 's/^.*>\([^>]*\)$/\1/')
domain=''
for domain in $domains; do
- if echo "$fqdn" | grep "$domain\$" >/dev/null; then
+ if _contains "$fqdn" "$domain\$"; then
break
fi
domain=''
@@ -185,7 +197,8 @@ _get_paketnr() {
fi
TLD="$domain"
+ _debug domain "$domain"
RECORD=$(echo "$fqdn" | cut -c"1-$((${#fqdn} - ${#TLD} - 1))")
- PAKETNR=$(echo "$form" | grep "data-textfilter=\" $domain " | _head_n 1 | sed 's/^.* \([0-9]*\) .*$/\1/')
+ PAKETNR=$(echo "$form" | grep "data-textfilter=\".* $domain " | _head_n 1 | sed 's/^.* \([0-9]*\) .*$/\1/')
return 0
}
diff --git a/notify/bark.sh b/notify/bark.sh
new file mode 100644
index 00000000..bbd5bf34
--- /dev/null
+++ b/notify/bark.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env sh
+
+#Support iOS Bark Notification
+
+#BARK_API_URL="https://api.day.app/xxxx"
+#BARK_SOUND="yyyy"
+#BARK_GROUP="zzzz"
+
+# subject content statusCode
+bark_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_subject" "$_subject"
+ _debug "_content" "$_content"
+ _debug "_statusCode" "$_statusCode"
+
+ BARK_API_URL="${BARK_API_URL:-$(_readaccountconf_mutable BARK_API_URL)}"
+ if [ -z "$BARK_API_URL" ]; then
+ BARK_API_URL=""
+ _err "You didn't specify a Bark API URL BARK_API_URL yet."
+ _err "You can download Bark from App Store and get yours."
+ return 1
+ fi
+ _saveaccountconf_mutable BARK_API_URL "$BARK_API_URL"
+
+ BARK_SOUND="${BARK_SOUND:-$(_readaccountconf_mutable BARK_SOUND)}"
+ _saveaccountconf_mutable BARK_SOUND "$BARK_SOUND"
+
+ BARK_GROUP="${BARK_GROUP:-$(_readaccountconf_mutable BARK_GROUP)}"
+ if [ -z "$BARK_GROUP" ]; then
+ BARK_GROUP="ACME"
+ _info "The BARK_GROUP is not set, so use the default ACME as group name."
+ else
+ _saveaccountconf_mutable BARK_GROUP "$BARK_GROUP"
+ fi
+
+ _content=$(echo "$_content" | _url_encode)
+ _subject=$(echo "$_subject" | _url_encode)
+
+ response="$(_get "$BARK_API_URL/$_subject/$_content?sound=$BARK_SOUND&group=$BARK_GROUP")"
+
+ if [ "$?" = "0" ] && _contains "$response" "success"; then
+ _info "Bark API fired success."
+ return 0
+ fi
+
+ _err "Bark API fired error."
+ _err "$response"
+ return 1
+}
diff --git a/notify/discord.sh b/notify/discord.sh
new file mode 100644
index 00000000..58362a4e
--- /dev/null
+++ b/notify/discord.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env sh
+
+#Support Discord webhooks
+
+# Required:
+#DISCORD_WEBHOOK_URL=""
+# Optional:
+#DISCORD_USERNAME=""
+#DISCORD_AVATAR_URL=""
+
+discord_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_statusCode" "$_statusCode"
+
+ DISCORD_WEBHOOK_URL="${DISCORD_WEBHOOK_URL:-$(_readaccountconf_mutable DISCORD_WEBHOOK_URL)}"
+ if [ -z "$DISCORD_WEBHOOK_URL" ]; then
+ DISCORD_WEBHOOK_URL=""
+ _err "You didn't specify a Discord webhook url DISCORD_WEBHOOK_URL yet."
+ return 1
+ fi
+ _saveaccountconf_mutable DISCORD_WEBHOOK_URL "$DISCORD_WEBHOOK_URL"
+
+ DISCORD_USERNAME="${DISCORD_USERNAME:-$(_readaccountconf_mutable DISCORD_USERNAME)}"
+ if [ "$DISCORD_USERNAME" ]; then
+ _saveaccountconf_mutable DISCORD_USERNAME "$DISCORD_USERNAME"
+ fi
+
+ DISCORD_AVATAR_URL="${DISCORD_AVATAR_URL:-$(_readaccountconf_mutable DISCORD_AVATAR_URL)}"
+ if [ "$DISCORD_AVATAR_URL" ]; then
+ _saveaccountconf_mutable DISCORD_AVATAR_URL "$DISCORD_AVATAR_URL"
+ fi
+
+ export _H1="Content-Type: application/json"
+
+ _content="$(printf "**%s**\n%s" "$_subject" "$_content" | _json_encode)"
+ _data="{\"content\": \"$_content\" "
+ if [ "$DISCORD_USERNAME" ]; then
+ _data="$_data, \"username\": \"$DISCORD_USERNAME\" "
+ fi
+ if [ "$DISCORD_AVATAR_URL" ]; then
+ _data="$_data, \"avatar_url\": \"$DISCORD_AVATAR_URL\" "
+ fi
+ _data="$_data}"
+
+ if _post "$_data" "$DISCORD_WEBHOOK_URL?wait=true"; then
+ # shellcheck disable=SC2154
+ if [ "$response" ]; then
+ _info "discord send success."
+ return 0
+ fi
+ fi
+ _err "discord send error."
+ _err "$response"
+ return 1
+}
diff --git a/notify/feishu.sh b/notify/feishu.sh
new file mode 100644
index 00000000..18693c2d
--- /dev/null
+++ b/notify/feishu.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env sh
+
+#Support feishu webhooks api
+
+#required
+#FEISHU_WEBHOOK="xxxx"
+
+#optional
+#FEISHU_KEYWORD="yyyy"
+
+# subject content statusCode
+feishu_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_subject" "$_subject"
+ _debug "_content" "$_content"
+ _debug "_statusCode" "$_statusCode"
+
+ FEISHU_WEBHOOK="${FEISHU_WEBHOOK:-$(_readaccountconf_mutable FEISHU_WEBHOOK)}"
+ if [ -z "$FEISHU_WEBHOOK" ]; then
+ FEISHU_WEBHOOK=""
+ _err "You didn't specify a feishu webhooks FEISHU_WEBHOOK yet."
+ _err "You can get yours from https://www.feishu.cn"
+ return 1
+ fi
+ _saveaccountconf_mutable FEISHU_WEBHOOK "$FEISHU_WEBHOOK"
+
+ FEISHU_KEYWORD="${FEISHU_KEYWORD:-$(_readaccountconf_mutable FEISHU_KEYWORD)}"
+ if [ "$FEISHU_KEYWORD" ]; then
+ _saveaccountconf_mutable FEISHU_KEYWORD "$FEISHU_KEYWORD"
+ fi
+
+ _content=$(echo "$_content" | _json_encode)
+ _subject=$(echo "$_subject" | _json_encode)
+ _data="{\"msg_type\": \"text\", \"content\": {\"text\": \"[$FEISHU_KEYWORD]\n$_subject\n$_content\"}}"
+
+ response="$(_post "$_data" "$FEISHU_WEBHOOK" "" "POST" "application/json")"
+
+ if [ "$?" = "0" ] && _contains "$response" "StatusCode\":0"; then
+ _info "feishu webhooks event fired success."
+ return 0
+ fi
+
+ _err "feishu webhooks event fired error."
+ _err "$response"
+ return 1
+}
diff --git a/notify/gotify.sh b/notify/gotify.sh
new file mode 100644
index 00000000..e370bc21
--- /dev/null
+++ b/notify/gotify.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env sh
+
+#Support Gotify
+
+#GOTIFY_URL="https://gotify.example.com"
+#GOTIFY_TOKEN="123456789ABCDEF"
+
+#optional
+#GOTIFY_PRIORITY=0
+
+# subject content statusCode
+gotify_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_subject" "$_subject"
+ _debug "_content" "$_content"
+ _debug "_statusCode" "$_statusCode"
+
+ GOTIFY_URL="${GOTIFY_URL:-$(_readaccountconf_mutable GOTIFY_URL)}"
+ if [ -z "$GOTIFY_URL" ]; then
+ GOTIFY_URL=""
+ _err "You didn't specify the gotify server url GOTIFY_URL."
+ return 1
+ fi
+ _saveaccountconf_mutable GOTIFY_URL "$GOTIFY_URL"
+
+ GOTIFY_TOKEN="${GOTIFY_TOKEN:-$(_readaccountconf_mutable GOTIFY_TOKEN)}"
+ if [ -z "$GOTIFY_TOKEN" ]; then
+ GOTIFY_TOKEN=""
+ _err "You didn't specify the gotify token GOTIFY_TOKEN."
+ return 1
+ fi
+ _saveaccountconf_mutable GOTIFY_TOKEN "$GOTIFY_TOKEN"
+
+ GOTIFY_PRIORITY="${GOTIFY_PRIORITY:-$(_readaccountconf_mutable GOTIFY_PRIORITY)}"
+ if [ -z "$GOTIFY_PRIORITY" ]; then
+ GOTIFY_PRIORITY=0
+ else
+ _saveaccountconf_mutable GOTIFY_PRIORITY "$GOTIFY_PRIORITY"
+ fi
+
+ export _H1="X-Gotify-Key: ${GOTIFY_TOKEN}"
+ export _H2="Content-Type: application/json"
+
+ _content=$(echo "$_content" | _json_encode)
+ _subject=$(echo "$_subject" | _json_encode)
+
+ _data="{\"title\": \"${_subject}\", \"message\": \"${_content}\", \"priority\": ${GOTIFY_PRIORITY}}"
+
+ response="$(_post "${_data}" "${GOTIFY_URL}/message" "" "POST" "application/json")"
+
+ if [ "$?" != "0" ]; then
+ _err "Failed to send message"
+ _err "$response"
+ return 1
+ fi
+
+ _debug2 response "$response"
+
+ return 0
+}
diff --git a/notify/mail.sh b/notify/mail.sh
index d33fd0d2..656dd371 100644
--- a/notify/mail.sh
+++ b/notify/mail.sh
@@ -62,7 +62,7 @@ mail_send() {
fi
contenttype="text/plain; charset=utf-8"
- subject="=?UTF-8?B?$(echo "$_subject" | _base64)?="
+ subject="=?UTF-8?B?$(printf -- "%b" "$_subject" | _base64)?="
result=$({ _mail_body | eval "$(_mail_cmnd)"; } 2>&1)
# shellcheck disable=SC2181
@@ -79,7 +79,7 @@ mail_send() {
_mail_bin() {
_MAIL_BIN=""
- for b in "$MAIL_BIN" sendmail ssmtp mutt mail msmtp; do
+ for b in $MAIL_BIN sendmail ssmtp mutt mail msmtp; do
if _exists "$b"; then
_MAIL_BIN="$b"
break
@@ -131,6 +131,7 @@ _mail_body() {
echo "To: $MAIL_TO"
echo "Subject: $subject"
echo "Content-Type: $contenttype"
+ echo "MIME-Version: 1.0"
echo
;;
esac
diff --git a/notify/pushbullet.sh b/notify/pushbullet.sh
new file mode 100644
index 00000000..ca997c84
--- /dev/null
+++ b/notify/pushbullet.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env sh
+
+#Support for pushbullet.com's api. Push notification, notification sync and message platform for multiple platforms
+#PUSHBULLET_TOKEN="" Required, pushbullet application token
+#PUSHBULLET_DEVICE="" Optional, Specific device, ignore to send to all devices
+
+PUSHBULLET_URI="https://api.pushbullet.com/v2/pushes"
+pushbullet_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_statusCode" "$_statusCode"
+
+ PUSHBULLET_TOKEN="${PUSHBULLET_TOKEN:-$(_readaccountconf_mutable PUSHBULLET_TOKEN)}"
+ if [ -z "$PUSHBULLET_TOKEN" ]; then
+ PUSHBULLET_TOKEN=""
+ _err "You didn't specify a Pushbullet application token yet."
+ return 1
+ fi
+ _saveaccountconf_mutable PUSHBULLET_TOKEN "$PUSHBULLET_TOKEN"
+
+ PUSHBULLET_DEVICE="${PUSHBULLET_DEVICE:-$(_readaccountconf_mutable PUSHBULLET_DEVICE)}"
+ if [ -z "$PUSHBULLET_DEVICE" ]; then
+ _clearaccountconf_mutable PUSHBULLET_DEVICE
+ else
+ _saveaccountconf_mutable PUSHBULLET_DEVICE "$PUSHBULLET_DEVICE"
+ fi
+
+ export _H1="Content-Type: application/json"
+ export _H2="Access-Token: ${PUSHBULLET_TOKEN}"
+ _content="$(printf "*%s*\n" "$_content" | _json_encode)"
+ _subject="$(printf "*%s*\n" "$_subject" | _json_encode)"
+ _data="{\"type\": \"note\",\"title\": \"${_subject}\",\"body\": \"${_content}\",\"device_iden\": \"${PUSHBULLET_DEVICE}\"}"
+ response="$(_post "$_data" "$PUSHBULLET_URI")"
+
+ if [ "$?" != "0" ] || _contains "$response" "\"error_code\""; then
+ _err "PUSHBULLET send error."
+ _err "$response"
+ return 1
+ fi
+
+ _info "PUSHBULLET send success."
+ return 0
+}
diff --git a/notify/sendgrid.sh b/notify/sendgrid.sh
index 0d5ea3b3..82d3f6c6 100644
--- a/notify/sendgrid.sh
+++ b/notify/sendgrid.sh
@@ -37,11 +37,19 @@ sendgrid_send() {
fi
_saveaccountconf_mutable SENDGRID_FROM "$SENDGRID_FROM"
+ SENDGRID_FROM_NAME="${SENDGRID_FROM_NAME:-$(_readaccountconf_mutable SENDGRID_FROM_NAME)}"
+ _saveaccountconf_mutable SENDGRID_FROM_NAME "$SENDGRID_FROM_NAME"
+
export _H1="Authorization: Bearer $SENDGRID_API_KEY"
export _H2="Content-Type: application/json"
_content="$(echo "$_content" | _json_encode)"
- _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
+
+ if [ -z "$SENDGRID_FROM_NAME" ]; then
+ _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
+ else
+ _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\", \"name\": \"$SENDGRID_FROM_NAME\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
+ fi
response="$(_post "$_data" "https://api.sendgrid.com/v3/mail/send")"
if [ "$?" = "0" ] && [ -z "$response" ]; then
diff --git a/notify/smtp.sh b/notify/smtp.sh
index 6aa37ca3..293c665e 100644
--- a/notify/smtp.sh
+++ b/notify/smtp.sh
@@ -2,14 +2,398 @@
# support smtp
-smtp_send() {
- _subject="$1"
- _content="$2"
- _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
- _debug "_subject" "$_subject"
- _debug "_content" "$_content"
- _debug "_statusCode" "$_statusCode"
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3358
- _err "Not implemented yet."
- return 1
+# This implementation uses either curl or Python (3 or 2.7).
+# (See also the "mail" notify hook, which supports other ways to send mail.)
+
+# SMTP_FROM="from@example.com" # required
+# SMTP_TO="to@example.com" # required
+# SMTP_HOST="smtp.example.com" # required
+# SMTP_PORT="25" # defaults to 25, 465 or 587 depending on SMTP_SECURE
+# SMTP_SECURE="tls" # one of "none", "ssl" (implicit TLS, TLS Wrapper), "tls" (explicit TLS, STARTTLS)
+# SMTP_USERNAME="" # set if SMTP server requires login
+# SMTP_PASSWORD="" # set if SMTP server requires login
+# SMTP_TIMEOUT="30" # seconds for SMTP operations to timeout
+# SMTP_BIN="/path/to/python_or_curl" # default finds first of python3, python2.7, python, pypy3, pypy, curl on PATH
+
+SMTP_SECURE_DEFAULT="tls"
+SMTP_TIMEOUT_DEFAULT="30"
+
+# subject content statuscode
+smtp_send() {
+ SMTP_SUBJECT="$1"
+ SMTP_CONTENT="$2"
+ # UNUSED: _statusCode="$3" # 0: success, 1: error 2($RENEW_SKIP): skipped
+
+ # Load and validate config:
+ SMTP_BIN="$(_readaccountconf_mutable_default SMTP_BIN)"
+ if [ -n "$SMTP_BIN" ] && ! _exists "$SMTP_BIN"; then
+ _err "SMTP_BIN '$SMTP_BIN' does not exist."
+ return 1
+ fi
+ if [ -z "$SMTP_BIN" ]; then
+ # Look for a command that can communicate with an SMTP server.
+ # (Please don't add sendmail, ssmtp, mutt, mail, or msmtp here.
+ # Those are already handled by the "mail" notify hook.)
+ for cmd in python3 python2.7 python pypy3 pypy curl; do
+ if _exists "$cmd"; then
+ SMTP_BIN="$cmd"
+ break
+ fi
+ done
+ if [ -z "$SMTP_BIN" ]; then
+ _err "The smtp notify-hook requires curl or Python, but can't find any."
+ _err 'If you have one of them, define SMTP_BIN="/path/to/curl_or_python".'
+ _err 'Otherwise, see if you can use the "mail" notify-hook instead.'
+ return 1
+ fi
+ fi
+ _debug SMTP_BIN "$SMTP_BIN"
+ _saveaccountconf_mutable_default SMTP_BIN "$SMTP_BIN"
+
+ SMTP_FROM="$(_readaccountconf_mutable_default SMTP_FROM)"
+ SMTP_FROM="$(_clean_email_header "$SMTP_FROM")"
+ if [ -z "$SMTP_FROM" ]; then
+ _err "You must define SMTP_FROM as the sender email address."
+ return 1
+ fi
+ if _email_has_display_name "$SMTP_FROM"; then
+ _err "SMTP_FROM must be only a simple email address (sender@example.com)."
+ _err "Change your SMTP_FROM='$SMTP_FROM' to remove the display name."
+ return 1
+ fi
+ _debug SMTP_FROM "$SMTP_FROM"
+ _saveaccountconf_mutable_default SMTP_FROM "$SMTP_FROM"
+
+ SMTP_TO="$(_readaccountconf_mutable_default SMTP_TO)"
+ SMTP_TO="$(_clean_email_header "$SMTP_TO")"
+ if [ -z "$SMTP_TO" ]; then
+ _err "You must define SMTP_TO as the recipient email address(es)."
+ return 1
+ fi
+ if _email_has_display_name "$SMTP_TO"; then
+ _err "SMTP_TO must be only simple email addresses (to@example.com,to2@example.com)."
+ _err "Change your SMTP_TO='$SMTP_TO' to remove the display name(s)."
+ return 1
+ fi
+ _debug SMTP_TO "$SMTP_TO"
+ _saveaccountconf_mutable_default SMTP_TO "$SMTP_TO"
+
+ SMTP_HOST="$(_readaccountconf_mutable_default SMTP_HOST)"
+ if [ -z "$SMTP_HOST" ]; then
+ _err "You must define SMTP_HOST as the SMTP server hostname."
+ return 1
+ fi
+ _debug SMTP_HOST "$SMTP_HOST"
+ _saveaccountconf_mutable_default SMTP_HOST "$SMTP_HOST"
+
+ SMTP_SECURE="$(_readaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE_DEFAULT")"
+ case "$SMTP_SECURE" in
+ "none") smtp_port_default="25" ;;
+ "ssl") smtp_port_default="465" ;;
+ "tls") smtp_port_default="587" ;;
+ *)
+ _err "Invalid SMTP_SECURE='$SMTP_SECURE'. It must be 'ssl', 'tls' or 'none'."
+ return 1
+ ;;
+ esac
+ _debug SMTP_SECURE "$SMTP_SECURE"
+ _saveaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE" "$SMTP_SECURE_DEFAULT"
+
+ SMTP_PORT="$(_readaccountconf_mutable_default SMTP_PORT "$smtp_port_default")"
+ case "$SMTP_PORT" in
+ *[!0-9]*)
+ _err "Invalid SMTP_PORT='$SMTP_PORT'. It must be a port number."
+ return 1
+ ;;
+ esac
+ _debug SMTP_PORT "$SMTP_PORT"
+ _saveaccountconf_mutable_default SMTP_PORT "$SMTP_PORT" "$smtp_port_default"
+
+ SMTP_USERNAME="$(_readaccountconf_mutable_default SMTP_USERNAME)"
+ _debug SMTP_USERNAME "$SMTP_USERNAME"
+ _saveaccountconf_mutable_default SMTP_USERNAME "$SMTP_USERNAME"
+
+ SMTP_PASSWORD="$(_readaccountconf_mutable_default SMTP_PASSWORD)"
+ _secure_debug SMTP_PASSWORD "$SMTP_PASSWORD"
+ _saveaccountconf_mutable_default SMTP_PASSWORD "$SMTP_PASSWORD"
+
+ SMTP_TIMEOUT="$(_readaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT_DEFAULT")"
+ _debug SMTP_TIMEOUT "$SMTP_TIMEOUT"
+ _saveaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT" "$SMTP_TIMEOUT_DEFAULT"
+
+ SMTP_X_MAILER="$(_clean_email_header "$PROJECT_NAME $VER --notify-hook smtp")"
+
+ # Run with --debug 2 (or above) to echo the transcript of the SMTP session.
+ # Careful: this may include SMTP_PASSWORD in plaintext!
+ if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
+ SMTP_SHOW_TRANSCRIPT="True"
+ else
+ SMTP_SHOW_TRANSCRIPT=""
+ fi
+
+ SMTP_SUBJECT=$(_clean_email_header "$SMTP_SUBJECT")
+ _debug SMTP_SUBJECT "$SMTP_SUBJECT"
+ _debug SMTP_CONTENT "$SMTP_CONTENT"
+
+ # Send the message:
+ case "$(basename "$SMTP_BIN")" in
+ curl) _smtp_send=_smtp_send_curl ;;
+ py*) _smtp_send=_smtp_send_python ;;
+ *)
+ _err "Can't figure out how to invoke '$SMTP_BIN'."
+ _err "Check your SMTP_BIN setting."
+ return 1
+ ;;
+ esac
+
+ if ! smtp_output="$($_smtp_send)"; then
+ _err "Error sending message with $SMTP_BIN."
+ if [ -n "$smtp_output" ]; then
+ _err "$smtp_output"
+ fi
+ return 1
+ fi
+
+ return 0
+}
+
+# Strip CR and NL from text to prevent MIME header injection
+# text
+_clean_email_header() {
+ printf "%s" "$(echo "$1" | tr -d "\r\n")"
+}
+
+# Simple check for display name in an email address (< > or ")
+# email
+_email_has_display_name() {
+ _email="$1"
+ expr "$_email" : '^.*[<>"]' >/dev/null
+}
+
+##
+## curl smtp sending
+##
+
+# Send the message via curl using SMTP_* variables
+_smtp_send_curl() {
+ # Build curl args in $@
+ case "$SMTP_SECURE" in
+ none)
+ set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}"
+ ;;
+ ssl)
+ set -- --url "smtps://${SMTP_HOST}:${SMTP_PORT}"
+ ;;
+ tls)
+ set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}" --ssl-reqd
+ ;;
+ *)
+ # This will only occur if someone adds a new SMTP_SECURE option above
+ # without updating this code for it.
+ _err "Unhandled SMTP_SECURE='$SMTP_SECURE' in _smtp_send_curl"
+ _err "Please re-run with --debug and report a bug."
+ return 1
+ ;;
+ esac
+
+ set -- "$@" \
+ --upload-file - \
+ --mail-from "$SMTP_FROM" \
+ --max-time "$SMTP_TIMEOUT"
+
+ # Burst comma-separated $SMTP_TO into individual --mail-rcpt args.
+ _to="${SMTP_TO},"
+ while [ -n "$_to" ]; do
+ _rcpt="${_to%%,*}"
+ _to="${_to#*,}"
+ set -- "$@" --mail-rcpt "$_rcpt"
+ done
+
+ _smtp_login="${SMTP_USERNAME}:${SMTP_PASSWORD}"
+ if [ "$_smtp_login" != ":" ]; then
+ set -- "$@" --user "$_smtp_login"
+ fi
+
+ if [ "$SMTP_SHOW_TRANSCRIPT" = "True" ]; then
+ set -- "$@" --verbose
+ else
+ set -- "$@" --silent --show-error
+ fi
+
+ raw_message="$(_smtp_raw_message)"
+
+ _debug2 "curl command:" "$SMTP_BIN" "$*"
+ _debug2 "raw_message:\n$raw_message"
+
+ echo "$raw_message" | "$SMTP_BIN" "$@"
+}
+
+# Output an RFC-822 / RFC-5322 email message using SMTP_* variables.
+# (This assumes variables have already been cleaned for use in email headers.)
+_smtp_raw_message() {
+ echo "From: $SMTP_FROM"
+ echo "To: $SMTP_TO"
+ echo "Subject: $(_mime_encoded_word "$SMTP_SUBJECT")"
+ echo "Date: $(_rfc2822_date)"
+ echo "Content-Type: text/plain; charset=utf-8"
+ echo "X-Mailer: $SMTP_X_MAILER"
+ echo
+ echo "$SMTP_CONTENT"
+}
+
+# Convert text to RFC-2047 MIME "encoded word" format if it contains non-ASCII chars
+# text
+_mime_encoded_word() {
+ _text="$1"
+ # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that)
+ _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-"
+ if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then
+ # At least one non-ASCII char; convert entire thing to encoded word
+ printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?="
+ else
+ # Just printable ASCII, no conversion needed
+ printf "%s" "$_text"
+ fi
+}
+
+# Output current date in RFC-2822 Section 3.3 format as required in email headers
+# (e.g., "Mon, 15 Feb 2021 14:22:01 -0800")
+_rfc2822_date() {
+ # Notes:
+ # - this is deliberately not UTC, because it "SHOULD express local time" per spec
+ # - the spec requires weekday and month in the C locale (English), not localized
+ # - this date format specifier has been tested on Linux, Mac, Solaris and FreeBSD
+ _old_lc_time="$LC_TIME"
+ LC_TIME=C
+ date +'%a, %-d %b %Y %H:%M:%S %z'
+ LC_TIME="$_old_lc_time"
+}
+
+##
+## Python smtp sending
+##
+
+# Send the message via Python using SMTP_* variables
+_smtp_send_python() {
+ _debug "Python version" "$("$SMTP_BIN" --version 2>&1)"
+
+ # language=Python
+ "$SMTP_BIN" </dev/null; then
+ # shellcheck disable=SC2154
+ _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p')
+ if [ "$_message" = "true" ]; then
+ _info "telegram send success."
+ return 0
+ fi
+ fi
+ _err "telegram send error."
+ _err "$response"
+ return 1
+}
diff --git a/notify/weixin_work.sh b/notify/weixin_work.sh
new file mode 100644
index 00000000..bf3e9ad6
--- /dev/null
+++ b/notify/weixin_work.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env sh
+
+#Support weixin work webhooks api
+
+#WEIXIN_WORK_WEBHOOK="xxxx"
+
+#optional
+#WEIXIN_WORK_KEYWORD="yyyy"
+
+#`WEIXIN_WORK_SIGNING_KEY`="SEC08ffdbd403cbc3fc8a65xxxxxxxxxxxxxxxxxxxx"
+
+# subject content statusCode
+weixin_work_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_subject" "$_subject"
+ _debug "_content" "$_content"
+ _debug "_statusCode" "$_statusCode"
+
+ WEIXIN_WORK_WEBHOOK="${WEIXIN_WORK_WEBHOOK:-$(_readaccountconf_mutable WEIXIN_WORK_WEBHOOK)}"
+ if [ -z "$WEIXIN_WORK_WEBHOOK" ]; then
+ WEIXIN_WORK_WEBHOOK=""
+ _err "You didn't specify a weixin_work webhooks WEIXIN_WORK_WEBHOOK yet."
+ _err "You can get yours from https://work.weixin.qq.com/api/doc/90000/90136/91770"
+ return 1
+ fi
+ _saveaccountconf_mutable WEIXIN_WORK_WEBHOOK "$WEIXIN_WORK_WEBHOOK"
+
+ WEIXIN_WORK_KEYWORD="${WEIXIN_WORK_KEYWORD:-$(_readaccountconf_mutable WEIXIN_WORK_KEYWORD)}"
+ if [ "$WEIXIN_WORK_KEYWORD" ]; then
+ _saveaccountconf_mutable WEIXIN_WORK_KEYWORD "$WEIXIN_WORK_KEYWORD"
+ fi
+
+ _content=$(echo "$_content" | _json_encode)
+ _subject=$(echo "$_subject" | _json_encode)
+ _data="{\"msgtype\": \"text\", \"text\": {\"content\": \"[$WEIXIN_WORK_KEYWORD]\n$_subject\n$_content\"}}"
+
+ response="$(_post "$_data" "$WEIXIN_WORK_WEBHOOK" "" "POST" "application/json")"
+
+ if [ "$?" = "0" ] && _contains "$response" "errmsg\":\"ok"; then
+ _info "weixin_work webhooks event fired success."
+ return 0
+ fi
+
+ _err "weixin_work webhooks event fired error."
+ _err "$response"
+ return 1
+}