You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

5554 lines
139 KiB

9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. VER=2.6.9
  3. PROJECT_NAME="acme.sh"
  4. PROJECT_ENTRY="acme.sh"
  5. PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
  6. DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
  7. _SCRIPT_="$0"
  8. _SUB_FOLDERS="dnsapi deploy"
  9. DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
  10. DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  11. DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
  12. DEFAULT_ACCOUNT_EMAIL=""
  13. DEFAULT_ACCOUNT_KEY_LENGTH=2048
  14. DEFAULT_DOMAIN_KEY_LENGTH=2048
  15. DEFAULT_OPENSSL_BIN="openssl"
  16. STAGE_CA="https://acme-staging.api.letsencrypt.org"
  17. VTYPE_HTTP="http-01"
  18. VTYPE_DNS="dns-01"
  19. VTYPE_TLS="tls-sni-01"
  20. #VTYPE_TLS2="tls-sni-02"
  21. LOCAL_ANY_ADDRESS="0.0.0.0"
  22. MAX_RENEW=60
  23. DEFAULT_DNS_SLEEP=120
  24. NO_VALUE="no"
  25. W_TLS="tls"
  26. MODE_STATELESS="stateless"
  27. STATE_VERIFIED="verified_ok"
  28. NGINX="nginx:"
  29. NGINX_START="#ACME_NGINX_START"
  30. NGINX_END="#ACME_NGINX_END"
  31. BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
  32. END_CSR="-----END CERTIFICATE REQUEST-----"
  33. BEGIN_CERT="-----BEGIN CERTIFICATE-----"
  34. END_CERT="-----END CERTIFICATE-----"
  35. RENEW_SKIP=2
  36. ECC_SEP="_"
  37. ECC_SUFFIX="${ECC_SEP}ecc"
  38. LOG_LEVEL_1=1
  39. LOG_LEVEL_2=2
  40. LOG_LEVEL_3=3
  41. DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
  42. DEBUG_LEVEL_1=1
  43. DEBUG_LEVEL_2=2
  44. DEBUG_LEVEL_3=3
  45. DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
  46. DEBUG_LEVEL_NONE=0
  47. HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
  48. SYSLOG_ERROR="user.error"
  49. SYSLOG_INFO="user.info"
  50. SYSLOG_DEBUG="user.debug"
  51. #error
  52. SYSLOG_LEVEL_ERROR=3
  53. #info
  54. SYSLOG_LEVEL_INFO=6
  55. #debug
  56. SYSLOG_LEVEL_DEBUG=7
  57. #debug2
  58. SYSLOG_LEVEL_DEBUG_2=8
  59. #debug3
  60. SYSLOG_LEVEL_DEBUG_3=9
  61. SYSLOG_LEVEL_DEFAULT=$SYSLOG_LEVEL_ERROR
  62. #none
  63. SYSLOG_LEVEL_NONE=0
  64. _DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
  65. _PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
  66. _STATELESS_WIKI="https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode"
  67. __INTERACTIVE=""
  68. if [ -t 1 ]; then
  69. __INTERACTIVE="1"
  70. fi
  71. __green() {
  72. if [ "$__INTERACTIVE" ]; then
  73. printf '\033[1;31;32m'
  74. fi
  75. printf -- "%b" "$1"
  76. if [ "$__INTERACTIVE" ]; then
  77. printf '\033[0m'
  78. fi
  79. }
  80. __red() {
  81. if [ "$__INTERACTIVE" ]; then
  82. printf '\033[1;31;40m'
  83. fi
  84. printf -- "%b" "$1"
  85. if [ "$__INTERACTIVE" ]; then
  86. printf '\033[0m'
  87. fi
  88. }
  89. _printargs() {
  90. if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
  91. printf -- "%s" "[$(date)] "
  92. fi
  93. if [ -z "$2" ]; then
  94. printf -- "%s" "$1"
  95. else
  96. printf -- "%s" "$1='$2'"
  97. fi
  98. printf "\n"
  99. }
  100. _dlg_versions() {
  101. echo "Diagnosis versions: "
  102. echo "openssl:$ACME_OPENSSL_BIN"
  103. if _exists "${ACME_OPENSSL_BIN:-openssl}"; then
  104. ${ACME_OPENSSL_BIN:-openssl} version 2>&1
  105. else
  106. echo "$ACME_OPENSSL_BIN doesn't exists."
  107. fi
  108. echo "apache:"
  109. if [ "$_APACHECTL" ] && _exists "$_APACHECTL"; then
  110. $_APACHECTL -V 2>&1
  111. else
  112. echo "apache doesn't exists."
  113. fi
  114. echo "nc:"
  115. if _exists "nc"; then
  116. nc -h 2>&1
  117. else
  118. _debug "nc doesn't exists."
  119. fi
  120. }
  121. #class
  122. _syslog() {
  123. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" = "$SYSLOG_LEVEL_NONE" ]; then
  124. return
  125. fi
  126. _logclass="$1"
  127. shift
  128. logger -i -t "$PROJECT_NAME" -p "$_logclass" "$(_printargs "$@")" >/dev/null 2>&1
  129. }
  130. _log() {
  131. [ -z "$LOG_FILE" ] && return
  132. _printargs "$@" >>"$LOG_FILE"
  133. }
  134. _info() {
  135. _log "$@"
  136. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_INFO" ]; then
  137. _syslog "$SYSLOG_INFO" "$@"
  138. fi
  139. _printargs "$@"
  140. }
  141. _err() {
  142. _syslog "$SYSLOG_ERROR" "$@"
  143. _log "$@"
  144. if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
  145. printf -- "%s" "[$(date)] " >&2
  146. fi
  147. if [ -z "$2" ]; then
  148. __red "$1" >&2
  149. else
  150. __red "$1='$2'" >&2
  151. fi
  152. printf "\n" >&2
  153. return 1
  154. }
  155. _usage() {
  156. __red "$@" >&2
  157. printf "\n" >&2
  158. }
  159. _debug() {
  160. if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
  161. _log "$@"
  162. fi
  163. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then
  164. _syslog "$SYSLOG_DEBUG" "$@"
  165. fi
  166. if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
  167. _printargs "$@" >&2
  168. fi
  169. }
  170. #output the sensitive messages
  171. _secure_debug() {
  172. if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
  173. if [ "$OUTPUT_INSECURE" = "1" ]; then
  174. _log "$@"
  175. else
  176. _log "$1" "$HIDDEN_VALUE"
  177. fi
  178. fi
  179. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then
  180. _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
  181. fi
  182. if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
  183. if [ "$OUTPUT_INSECURE" = "1" ]; then
  184. _printargs "$@" >&2
  185. else
  186. _printargs "$1" "$HIDDEN_VALUE" >&2
  187. fi
  188. fi
  189. }
  190. _debug2() {
  191. if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then
  192. _log "$@"
  193. fi
  194. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then
  195. _syslog "$SYSLOG_DEBUG" "$@"
  196. fi
  197. if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
  198. _printargs "$@" >&2
  199. fi
  200. }
  201. _secure_debug2() {
  202. if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then
  203. if [ "$OUTPUT_INSECURE" = "1" ]; then
  204. _log "$@"
  205. else
  206. _log "$1" "$HIDDEN_VALUE"
  207. fi
  208. fi
  209. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then
  210. _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
  211. fi
  212. if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
  213. if [ "$OUTPUT_INSECURE" = "1" ]; then
  214. _printargs "$@" >&2
  215. else
  216. _printargs "$1" "$HIDDEN_VALUE" >&2
  217. fi
  218. fi
  219. }
  220. _debug3() {
  221. if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then
  222. _log "$@"
  223. fi
  224. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then
  225. _syslog "$SYSLOG_DEBUG" "$@"
  226. fi
  227. if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
  228. _printargs "$@" >&2
  229. fi
  230. }
  231. _secure_debug3() {
  232. if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then
  233. if [ "$OUTPUT_INSECURE" = "1" ]; then
  234. _log "$@"
  235. else
  236. _log "$1" "$HIDDEN_VALUE"
  237. fi
  238. fi
  239. if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then
  240. _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
  241. fi
  242. if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
  243. if [ "$OUTPUT_INSECURE" = "1" ]; then
  244. _printargs "$@" >&2
  245. else
  246. _printargs "$1" "$HIDDEN_VALUE" >&2
  247. fi
  248. fi
  249. }
  250. _upper_case() {
  251. # shellcheck disable=SC2018,SC2019
  252. tr 'a-z' 'A-Z'
  253. }
  254. _lower_case() {
  255. # shellcheck disable=SC2018,SC2019
  256. tr 'A-Z' 'a-z'
  257. }
  258. _startswith() {
  259. _str="$1"
  260. _sub="$2"
  261. echo "$_str" | grep "^$_sub" >/dev/null 2>&1
  262. }
  263. _endswith() {
  264. _str="$1"
  265. _sub="$2"
  266. echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
  267. }
  268. _contains() {
  269. _str="$1"
  270. _sub="$2"
  271. echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
  272. }
  273. _hasfield() {
  274. _str="$1"
  275. _field="$2"
  276. _sep="$3"
  277. if [ -z "$_field" ]; then
  278. _usage "Usage: str field [sep]"
  279. return 1
  280. fi
  281. if [ -z "$_sep" ]; then
  282. _sep=","
  283. fi
  284. for f in $(echo "$_str" | tr "$_sep" ' '); do
  285. if [ "$f" = "$_field" ]; then
  286. _debug2 "'$_str' contains '$_field'"
  287. return 0 #contains ok
  288. fi
  289. done
  290. _debug2 "'$_str' does not contain '$_field'"
  291. return 1 #not contains
  292. }
  293. _getfield() {
  294. _str="$1"
  295. _findex="$2"
  296. _sep="$3"
  297. if [ -z "$_findex" ]; then
  298. _usage "Usage: str field [sep]"
  299. return 1
  300. fi
  301. if [ -z "$_sep" ]; then
  302. _sep=","
  303. fi
  304. _ffi="$_findex"
  305. while [ "$_ffi" -gt "0" ]; do
  306. _fv="$(echo "$_str" | cut -d "$_sep" -f "$_ffi")"
  307. if [ "$_fv" ]; then
  308. printf -- "%s" "$_fv"
  309. return 0
  310. fi
  311. _ffi="$(_math "$_ffi" - 1)"
  312. done
  313. printf -- "%s" "$_str"
  314. }
  315. _exists() {
  316. cmd="$1"
  317. if [ -z "$cmd" ]; then
  318. _usage "Usage: _exists cmd"
  319. return 1
  320. fi
  321. if eval type type >/dev/null 2>&1; then
  322. eval type "$cmd" >/dev/null 2>&1
  323. elif command >/dev/null 2>&1; then
  324. command -v "$cmd" >/dev/null 2>&1
  325. else
  326. which "$cmd" >/dev/null 2>&1
  327. fi
  328. ret="$?"
  329. _debug3 "$cmd exists=$ret"
  330. return $ret
  331. }
  332. #a + b
  333. _math() {
  334. _m_opts="$@"
  335. printf "%s" "$(($_m_opts))"
  336. }
  337. _h_char_2_dec() {
  338. _ch=$1
  339. case "${_ch}" in
  340. a | A)
  341. printf "10"
  342. ;;
  343. b | B)
  344. printf "11"
  345. ;;
  346. c | C)
  347. printf "12"
  348. ;;
  349. d | D)
  350. printf "13"
  351. ;;
  352. e | E)
  353. printf "14"
  354. ;;
  355. f | F)
  356. printf "15"
  357. ;;
  358. *)
  359. printf "%s" "$_ch"
  360. ;;
  361. esac
  362. }
  363. _URGLY_PRINTF=""
  364. if [ "$(printf '\x41')" != 'A' ]; then
  365. _URGLY_PRINTF=1
  366. fi
  367. _h2b() {
  368. hex=$(cat)
  369. i=1
  370. j=2
  371. _debug3 _URGLY_PRINTF "$_URGLY_PRINTF"
  372. while true; do
  373. if [ -z "$_URGLY_PRINTF" ]; then
  374. h="$(printf "%s" "$hex" | cut -c $i-$j)"
  375. if [ -z "$h" ]; then
  376. break
  377. fi
  378. printf "\x$h%s"
  379. else
  380. ic="$(printf "%s" "$hex" | cut -c $i)"
  381. jc="$(printf "%s" "$hex" | cut -c $j)"
  382. if [ -z "$ic$jc" ]; then
  383. break
  384. fi
  385. ic="$(_h_char_2_dec "$ic")"
  386. jc="$(_h_char_2_dec "$jc")"
  387. printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
  388. fi
  389. i="$(_math "$i" + 2)"
  390. j="$(_math "$j" + 2)"
  391. done
  392. }
  393. _is_solaris() {
  394. _contains "${__OS__:=$(uname -a)}" "solaris" || _contains "${__OS__:=$(uname -a)}" "SunOS"
  395. }
  396. #_ascii_hex str
  397. #this can only process ascii chars, should only be used when od command is missing as a backup way.
  398. _ascii_hex() {
  399. _debug2 "Using _ascii_hex"
  400. _str="$1"
  401. _str_len=${#_str}
  402. _h_i=1
  403. while [ "$_h_i" -le "$_str_len" ]; do
  404. _str_c="$(printf "%s" "$_str" | cut -c "$_h_i")"
  405. printf " %02x" "'$_str_c"
  406. _h_i="$(_math "$_h_i" + 1)"
  407. done
  408. }
  409. #stdin output hexstr splited by one space
  410. #input:"abc"
  411. #output: " 61 62 63"
  412. _hex_dump() {
  413. if _exists od; then
  414. od -A n -v -t x1 | tr -s " " | sed 's/ $//' | tr -d "\r\t\n"
  415. elif _exists hexdump; then
  416. _debug3 "using hexdump"
  417. hexdump -v -e '/1 ""' -e '/1 " %02x" ""'
  418. elif _exists xxd; then
  419. _debug3 "using xxd"
  420. xxd -ps -c 20 -i | sed "s/ 0x/ /g" | tr -d ",\n" | tr -s " "
  421. else
  422. _debug3 "using _ascii_hex"
  423. str=$(cat)
  424. _ascii_hex "$str"
  425. fi
  426. }
  427. #url encode, no-preserved chars
  428. #A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  429. #41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
  430. #a b c d e f g h i j k l m n o p q r s t u v w x y z
  431. #61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a
  432. #0 1 2 3 4 5 6 7 8 9 - _ . ~
  433. #30 31 32 33 34 35 36 37 38 39 2d 5f 2e 7e
  434. #stdin stdout
  435. _url_encode() {
  436. _hex_str=$(_hex_dump)
  437. _debug3 "_url_encode"
  438. _debug3 "_hex_str" "$_hex_str"
  439. for _hex_code in $_hex_str; do
  440. #upper case
  441. case "${_hex_code}" in
  442. "41")
  443. printf "%s" "A"
  444. ;;
  445. "42")
  446. printf "%s" "B"
  447. ;;
  448. "43")
  449. printf "%s" "C"
  450. ;;
  451. "44")
  452. printf "%s" "D"
  453. ;;
  454. "45")
  455. printf "%s" "E"
  456. ;;
  457. "46")
  458. printf "%s" "F"
  459. ;;
  460. "47")
  461. printf "%s" "G"
  462. ;;
  463. "48")
  464. printf "%s" "H"
  465. ;;
  466. "49")
  467. printf "%s" "I"
  468. ;;
  469. "4a")
  470. printf "%s" "J"
  471. ;;
  472. "4b")
  473. printf "%s" "K"
  474. ;;
  475. "4c")
  476. printf "%s" "L"
  477. ;;
  478. "4d")
  479. printf "%s" "M"
  480. ;;
  481. "4e")
  482. printf "%s" "N"
  483. ;;
  484. "4f")
  485. printf "%s" "O"
  486. ;;
  487. "50")
  488. printf "%s" "P"
  489. ;;
  490. "51")
  491. printf "%s" "Q"
  492. ;;
  493. "52")
  494. printf "%s" "R"
  495. ;;
  496. "53")
  497. printf "%s" "S"
  498. ;;
  499. "54")
  500. printf "%s" "T"
  501. ;;
  502. "55")
  503. printf "%s" "U"
  504. ;;
  505. "56")
  506. printf "%s" "V"
  507. ;;
  508. "57")
  509. printf "%s" "W"
  510. ;;
  511. "58")
  512. printf "%s" "X"
  513. ;;
  514. "59")
  515. printf "%s" "Y"
  516. ;;
  517. "5a")
  518. printf "%s" "Z"
  519. ;;
  520. #lower case
  521. "61")
  522. printf "%s" "a"
  523. ;;
  524. "62")
  525. printf "%s" "b"
  526. ;;
  527. "63")
  528. printf "%s" "c"
  529. ;;
  530. "64")
  531. printf "%s" "d"
  532. ;;
  533. "65")
  534. printf "%s" "e"
  535. ;;
  536. "66")
  537. printf "%s" "f"
  538. ;;
  539. "67")
  540. printf "%s" "g"
  541. ;;
  542. "68")
  543. printf "%s" "h"
  544. ;;
  545. "69")
  546. printf "%s" "i"
  547. ;;
  548. "6a")
  549. printf "%s" "j"
  550. ;;
  551. "6b")
  552. printf "%s" "k"
  553. ;;
  554. "6c")
  555. printf "%s" "l"
  556. ;;
  557. "6d")
  558. printf "%s" "m"
  559. ;;
  560. "6e")
  561. printf "%s" "n"
  562. ;;
  563. "6f")
  564. printf "%s" "o"
  565. ;;
  566. "70")
  567. printf "%s" "p"
  568. ;;
  569. "71")
  570. printf "%s" "q"
  571. ;;
  572. "72")
  573. printf "%s" "r"
  574. ;;
  575. "73")
  576. printf "%s" "s"
  577. ;;
  578. "74")
  579. printf "%s" "t"
  580. ;;
  581. "75")
  582. printf "%s" "u"
  583. ;;
  584. "76")
  585. printf "%s" "v"
  586. ;;
  587. "77")
  588. printf "%s" "w"
  589. ;;
  590. "78")
  591. printf "%s" "x"
  592. ;;
  593. "79")
  594. printf "%s" "y"
  595. ;;
  596. "7a")
  597. printf "%s" "z"
  598. ;;
  599. #numbers
  600. "30")
  601. printf "%s" "0"
  602. ;;
  603. "31")
  604. printf "%s" "1"
  605. ;;
  606. "32")
  607. printf "%s" "2"
  608. ;;
  609. "33")
  610. printf "%s" "3"
  611. ;;
  612. "34")
  613. printf "%s" "4"
  614. ;;
  615. "35")
  616. printf "%s" "5"
  617. ;;
  618. "36")
  619. printf "%s" "6"
  620. ;;
  621. "37")
  622. printf "%s" "7"
  623. ;;
  624. "38")
  625. printf "%s" "8"
  626. ;;
  627. "39")
  628. printf "%s" "9"
  629. ;;
  630. "2d")
  631. printf "%s" "-"
  632. ;;
  633. "5f")
  634. printf "%s" "_"
  635. ;;
  636. "2e")
  637. printf "%s" "."
  638. ;;
  639. "7e")
  640. printf "%s" "~"
  641. ;;
  642. #other hex
  643. *)
  644. printf '%%%s' "$_hex_code"
  645. ;;
  646. esac
  647. done
  648. }
  649. #options file
  650. _sed_i() {
  651. options="$1"
  652. filename="$2"
  653. if [ -z "$filename" ]; then
  654. _usage "Usage:_sed_i options filename"
  655. return 1
  656. fi
  657. _debug2 options "$options"
  658. if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
  659. _debug "Using sed -i"
  660. sed -i "$options" "$filename"
  661. else
  662. _debug "No -i support in sed"
  663. text="$(cat "$filename")"
  664. echo "$text" | sed "$options" >"$filename"
  665. fi
  666. }
  667. _egrep_o() {
  668. if ! egrep -o "$1" 2>/dev/null; then
  669. sed -n 's/.*\('"$1"'\).*/\1/p'
  670. fi
  671. }
  672. #Usage: file startline endline
  673. _getfile() {
  674. filename="$1"
  675. startline="$2"
  676. endline="$3"
  677. if [ -z "$endline" ]; then
  678. _usage "Usage: file startline endline"
  679. return 1
  680. fi
  681. i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
  682. if [ -z "$i" ]; then
  683. _err "Can not find start line: $startline"
  684. return 1
  685. fi
  686. i="$(_math "$i" + 1)"
  687. _debug i "$i"
  688. j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
  689. if [ -z "$j" ]; then
  690. _err "Can not find end line: $endline"
  691. return 1
  692. fi
  693. j="$(_math "$j" - 1)"
  694. _debug j "$j"
  695. sed -n "$i,${j}p" "$filename"
  696. }
  697. #Usage: multiline
  698. _base64() {
  699. [ "" ] #urgly
  700. if [ "$1" ]; then
  701. _debug3 "base64 multiline:'$1'"
  702. ${ACME_OPENSSL_BIN:-openssl} base64 -e
  703. else
  704. _debug3 "base64 single line."
  705. ${ACME_OPENSSL_BIN:-openssl} base64 -e | tr -d '\r\n'
  706. fi
  707. }
  708. #Usage: multiline
  709. _dbase64() {
  710. if [ "$1" ]; then
  711. ${ACME_OPENSSL_BIN:-openssl} base64 -d -A
  712. else
  713. ${ACME_OPENSSL_BIN:-openssl} base64 -d
  714. fi
  715. }
  716. #Usage: hashalg [outputhex]
  717. #Output Base64-encoded digest
  718. _digest() {
  719. alg="$1"
  720. if [ -z "$alg" ]; then
  721. _usage "Usage: _digest hashalg"
  722. return 1
  723. fi
  724. outputhex="$2"
  725. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
  726. if [ "$outputhex" ]; then
  727. ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' '
  728. else
  729. ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -binary | _base64
  730. fi
  731. else
  732. _err "$alg is not supported yet"
  733. return 1
  734. fi
  735. }
  736. #Usage: hashalg secret_hex [outputhex]
  737. #Output binary hmac
  738. _hmac() {
  739. alg="$1"
  740. secret_hex="$2"
  741. outputhex="$3"
  742. if [ -z "$secret_hex" ]; then
  743. _usage "Usage: _hmac hashalg secret [outputhex]"
  744. return 1
  745. fi
  746. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
  747. if [ "$outputhex" ]; then
  748. (${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)") | cut -d = -f 2 | tr -d ' '
  749. else
  750. ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)" -binary
  751. fi
  752. else
  753. _err "$alg is not supported yet"
  754. return 1
  755. fi
  756. }
  757. #Usage: keyfile hashalg
  758. #Output: Base64-encoded signature value
  759. _sign() {
  760. keyfile="$1"
  761. alg="$2"
  762. if [ -z "$alg" ]; then
  763. _usage "Usage: _sign keyfile hashalg"
  764. return 1
  765. fi
  766. _sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile "
  767. if [ "$alg" = "sha256" ]; then
  768. _sign_openssl="$_sign_openssl -$alg"
  769. else
  770. _err "$alg is not supported yet"
  771. return 1
  772. fi
  773. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  774. $_sign_openssl | _base64
  775. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  776. if ! _signedECText="$($_sign_openssl | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then
  777. _err "Sign failed: $_sign_openssl"
  778. _err "Key file: $keyfile"
  779. _err "Key content:$(wc -l <"$keyfile") lines"
  780. return 1
  781. fi
  782. _debug3 "_signedECText" "$_signedECText"
  783. _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
  784. _debug3 "_ec_r" "$_ec_r"
  785. _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
  786. _debug3 "_ec_s" "$_ec_s"
  787. printf "%s" "$_ec_r$_ec_s" | _h2b | _base64
  788. else
  789. _err "Unknown key file format."
  790. return 1
  791. fi
  792. }
  793. #keylength
  794. _isEccKey() {
  795. _length="$1"
  796. if [ -z "$_length" ]; then
  797. return 1
  798. fi
  799. [ "$_length" != "1024" ] \
  800. && [ "$_length" != "2048" ] \
  801. && [ "$_length" != "3072" ] \
  802. && [ "$_length" != "4096" ] \
  803. && [ "$_length" != "8192" ]
  804. }
  805. # _createkey 2048|ec-256 file
  806. _createkey() {
  807. length="$1"
  808. f="$2"
  809. _debug2 "_createkey for file:$f"
  810. eccname="$length"
  811. if _startswith "$length" "ec-"; then
  812. length=$(printf "%s" "$length" | cut -d '-' -f 2-100)
  813. if [ "$length" = "256" ]; then
  814. eccname="prime256v1"
  815. fi
  816. if [ "$length" = "384" ]; then
  817. eccname="secp384r1"
  818. fi
  819. if [ "$length" = "521" ]; then
  820. eccname="secp521r1"
  821. fi
  822. fi
  823. if [ -z "$length" ]; then
  824. length=2048
  825. fi
  826. _debug "Use length $length"
  827. if ! touch "$f" >/dev/null 2>&1; then
  828. _f_path="$(dirname "$f")"
  829. _debug _f_path "$_f_path"
  830. if ! mkdir -p "$_f_path"; then
  831. _err "Can not create path: $_f_path"
  832. return 1
  833. fi
  834. fi
  835. if _isEccKey "$length"; then
  836. _debug "Using ec name: $eccname"
  837. ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
  838. else
  839. _debug "Using RSA: $length"
  840. ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
  841. fi
  842. if [ "$?" != "0" ]; then
  843. _err "Create key error."
  844. return 1
  845. fi
  846. }
  847. #domain
  848. _is_idn() {
  849. _is_idn_d="$1"
  850. _debug2 _is_idn_d "$_is_idn_d"
  851. _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '.,-')
  852. _debug2 _idn_temp "$_idn_temp"
  853. [ "$_idn_temp" ]
  854. }
  855. #aa.com
  856. #aa.com,bb.com,cc.com
  857. _idn() {
  858. __idn_d="$1"
  859. if ! _is_idn "$__idn_d"; then
  860. printf "%s" "$__idn_d"
  861. return 0
  862. fi
  863. if _exists idn; then
  864. if _contains "$__idn_d" ','; then
  865. _i_first="1"
  866. for f in $(echo "$__idn_d" | tr ',' ' '); do
  867. [ -z "$f" ] && continue
  868. if [ -z "$_i_first" ]; then
  869. printf "%s" ","
  870. else
  871. _i_first=""
  872. fi
  873. idn --quiet "$f" | tr -d "\r\n"
  874. done
  875. else
  876. idn "$__idn_d" | tr -d "\r\n"
  877. fi
  878. else
  879. _err "Please install idn to process IDN names."
  880. fi
  881. }
  882. #_createcsr cn san_list keyfile csrfile conf
  883. _createcsr() {
  884. _debug _createcsr
  885. domain="$1"
  886. domainlist="$2"
  887. csrkey="$3"
  888. csr="$4"
  889. csrconf="$5"
  890. _debug2 domain "$domain"
  891. _debug2 domainlist "$domainlist"
  892. _debug2 csrkey "$csrkey"
  893. _debug2 csr "$csr"
  894. _debug2 csrconf "$csrconf"
  895. printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
  896. if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
  897. #single domain
  898. _info "Single domain" "$domain"
  899. else
  900. domainlist="$(_idn "$domainlist")"
  901. _debug2 domainlist "$domainlist"
  902. if _contains "$domainlist" ","; then
  903. alt="DNS:$(echo "$domainlist" | sed "s/,/,DNS:/g")"
  904. else
  905. alt="DNS:$domainlist"
  906. fi
  907. #multi
  908. _info "Multi domain" "$alt"
  909. printf -- "\nsubjectAltName=$alt" >>"$csrconf"
  910. fi
  911. if [ "$Le_OCSP_Staple" ] || [ "$Le_OCSP_Stable" ]; then
  912. _savedomainconf Le_OCSP_Staple "$Le_OCSP_Staple"
  913. _cleardomainconf Le_OCSP_Stable
  914. printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
  915. fi
  916. _csr_cn="$(_idn "$domain")"
  917. _debug2 _csr_cn "$_csr_cn"
  918. if _contains "$(uname -a)" "MINGW"; then
  919. ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr"
  920. else
  921. ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
  922. fi
  923. }
  924. #_signcsr key csr conf cert
  925. _signcsr() {
  926. key="$1"
  927. csr="$2"
  928. conf="$3"
  929. cert="$4"
  930. _debug "_signcsr"
  931. _msg="$(${ACME_OPENSSL_BIN:-openssl} x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
  932. _ret="$?"
  933. _debug "$_msg"
  934. return $_ret
  935. }
  936. #_csrfile
  937. _readSubjectFromCSR() {
  938. _csrfile="$1"
  939. if [ -z "$_csrfile" ]; then
  940. _usage "_readSubjectFromCSR mycsr.csr"
  941. return 1
  942. fi
  943. ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
  944. }
  945. #_csrfile
  946. #echo comma separated domain list
  947. _readSubjectAltNamesFromCSR() {
  948. _csrfile="$1"
  949. if [ -z "$_csrfile" ]; then
  950. _usage "_readSubjectAltNamesFromCSR mycsr.csr"
  951. return 1
  952. fi
  953. _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  954. _debug _csrsubj "$_csrsubj"
  955. _dnsAltnames="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  956. _debug _dnsAltnames "$_dnsAltnames"
  957. if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
  958. _debug "AltNames contains subject"
  959. _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
  960. else
  961. _debug "AltNames doesn't contain subject"
  962. fi
  963. printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
  964. }
  965. #_csrfile
  966. _readKeyLengthFromCSR() {
  967. _csrfile="$1"
  968. if [ -z "$_csrfile" ]; then
  969. _usage "_readKeyLengthFromCSR mycsr.csr"
  970. return 1
  971. fi
  972. _outcsr="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile")"
  973. _debug2 _outcsr "$_outcsr"
  974. if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then
  975. _debug "ECC CSR"
  976. echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
  977. else
  978. _debug "RSA CSR"
  979. echo "$_outcsr" | tr "\t" " " | _egrep_o "(^ *|RSA )Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
  980. fi
  981. }
  982. _ss() {
  983. _port="$1"
  984. if _exists "ss"; then
  985. _debug "Using: ss"
  986. ss -ntpl | grep ":$_port "
  987. return 0
  988. fi
  989. if _exists "netstat"; then
  990. _debug "Using: netstat"
  991. if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
  992. #for windows version netstat tool
  993. netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
  994. else
  995. if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then
  996. netstat -an -p tcp | grep LISTEN | grep ":$_port "
  997. elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then
  998. #for solaris
  999. netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
  1000. elif netstat -help 2>&1 | grep "\-p" >/dev/null; then
  1001. #for full linux
  1002. netstat -ntpl | grep ":$_port "
  1003. else
  1004. #for busybox (embedded linux; no pid support)
  1005. netstat -ntl 2>/dev/null | grep ":$_port "
  1006. fi
  1007. fi
  1008. return 0
  1009. fi
  1010. return 1
  1011. }
  1012. #domain [password] [isEcc]
  1013. toPkcs() {
  1014. domain="$1"
  1015. pfxPassword="$2"
  1016. if [ -z "$domain" ]; then
  1017. _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
  1018. return 1
  1019. fi
  1020. _isEcc="$3"
  1021. _initpath "$domain" "$_isEcc"
  1022. if [ "$pfxPassword" ]; then
  1023. ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
  1024. else
  1025. ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
  1026. fi
  1027. if [ "$?" = "0" ]; then
  1028. _info "Success, Pfx is exported to: $CERT_PFX_PATH"
  1029. fi
  1030. }
  1031. #domain [isEcc]
  1032. toPkcs8() {
  1033. domain="$1"
  1034. if [ -z "$domain" ]; then
  1035. _usage "Usage: $PROJECT_ENTRY --toPkcs8 -d domain [--ecc]"
  1036. return 1
  1037. fi
  1038. _isEcc="$2"
  1039. _initpath "$domain" "$_isEcc"
  1040. ${ACME_OPENSSL_BIN:-openssl} pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$CERT_KEY_PATH" -out "$CERT_PKCS8_PATH"
  1041. if [ "$?" = "0" ]; then
  1042. _info "Success, $CERT_PKCS8_PATH"
  1043. fi
  1044. }
  1045. #[2048]
  1046. createAccountKey() {
  1047. _info "Creating account key"
  1048. if [ -z "$1" ]; then
  1049. _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
  1050. return
  1051. fi
  1052. length=$1
  1053. _create_account_key "$length"
  1054. }
  1055. _create_account_key() {
  1056. length=$1
  1057. if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ]; then
  1058. _debug "Use default length $DEFAULT_ACCOUNT_KEY_LENGTH"
  1059. length="$DEFAULT_ACCOUNT_KEY_LENGTH"
  1060. fi
  1061. _debug length "$length"
  1062. _initpath
  1063. mkdir -p "$CA_DIR"
  1064. if [ -f "$ACCOUNT_KEY_PATH" ]; then
  1065. _info "Account key exists, skip"
  1066. return
  1067. else
  1068. #generate account key
  1069. _createkey "$length" "$ACCOUNT_KEY_PATH"
  1070. fi
  1071. }
  1072. #domain [length]
  1073. createDomainKey() {
  1074. _info "Creating domain key"
  1075. if [ -z "$1" ]; then
  1076. _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
  1077. return
  1078. fi
  1079. domain=$1
  1080. length=$2
  1081. if [ -z "$length" ]; then
  1082. _debug "Use DEFAULT_DOMAIN_KEY_LENGTH=$DEFAULT_DOMAIN_KEY_LENGTH"
  1083. length="$DEFAULT_DOMAIN_KEY_LENGTH"
  1084. fi
  1085. _initpath "$domain" "$length"
  1086. if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]); then
  1087. _createkey "$length" "$CERT_KEY_PATH"
  1088. else
  1089. if [ "$IS_RENEW" ]; then
  1090. _info "Domain key exists, skip"
  1091. return 0
  1092. else
  1093. _err "Domain key exists, do you want to overwrite the key?"
  1094. _err "Add '--force', and try again."
  1095. return 1
  1096. fi
  1097. fi
  1098. }
  1099. # domain domainlist isEcc
  1100. createCSR() {
  1101. _info "Creating csr"
  1102. if [ -z "$1" ]; then
  1103. _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
  1104. return
  1105. fi
  1106. domain="$1"
  1107. domainlist="$2"
  1108. _isEcc="$3"
  1109. _initpath "$domain" "$_isEcc"
  1110. if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
  1111. _info "CSR exists, skip"
  1112. return
  1113. fi
  1114. if [ ! -f "$CERT_KEY_PATH" ]; then
  1115. _err "The key file is not found: $CERT_KEY_PATH"
  1116. _err "Please create the key file first."
  1117. return 1
  1118. fi
  1119. _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
  1120. }
  1121. _url_replace() {
  1122. tr '/+' '_-' | tr -d '= '
  1123. }
  1124. _time2str() {
  1125. #Linux
  1126. if date -u -d@"$1" 2>/dev/null; then
  1127. return
  1128. fi
  1129. #BSD
  1130. if date -u -r "$1" 2>/dev/null; then
  1131. return
  1132. fi
  1133. #Soaris
  1134. if _exists adb; then
  1135. _t_s_a=$(echo "0t${1}=Y" | adb)
  1136. echo "$_t_s_a"
  1137. fi
  1138. }
  1139. _normalizeJson() {
  1140. sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
  1141. }
  1142. _stat() {
  1143. #Linux
  1144. if stat -c '%U:%G' "$1" 2>/dev/null; then
  1145. return
  1146. fi
  1147. #BSD
  1148. if stat -f '%Su:%Sg' "$1" 2>/dev/null; then
  1149. return
  1150. fi
  1151. return 1 #error, 'stat' not found
  1152. }
  1153. #keyfile
  1154. _calcjwk() {
  1155. keyfile="$1"
  1156. if [ -z "$keyfile" ]; then
  1157. _usage "Usage: _calcjwk keyfile"
  1158. return 1
  1159. fi
  1160. if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ]; then
  1161. _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE"
  1162. return 0
  1163. fi
  1164. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  1165. _debug "RSA key"
  1166. pub_exp=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
  1167. if [ "${#pub_exp}" = "5" ]; then
  1168. pub_exp=0$pub_exp
  1169. fi
  1170. _debug3 pub_exp "$pub_exp"
  1171. e=$(echo "$pub_exp" | _h2b | _base64)
  1172. _debug3 e "$e"
  1173. modulus=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2)
  1174. _debug3 modulus "$modulus"
  1175. n="$(printf "%s" "$modulus" | _h2b | _base64 | _url_replace)"
  1176. _debug3 n "$n"
  1177. jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
  1178. _debug3 jwk "$jwk"
  1179. JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}'
  1180. JWK_HEADERPLACE_PART1='{"nonce": "'
  1181. JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
  1182. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
  1183. _debug "EC key"
  1184. crv="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
  1185. _debug3 crv "$crv"
  1186. if [ -z "$crv" ]; then
  1187. _debug "Let's try ASN1 OID"
  1188. crv_oid="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")"
  1189. _debug3 crv_oid "$crv_oid"
  1190. case "${crv_oid}" in
  1191. "prime256v1")
  1192. crv="P-256"
  1193. ;;
  1194. "secp384r1")
  1195. crv="P-384"
  1196. ;;
  1197. "secp521r1")
  1198. crv="P-521"
  1199. ;;
  1200. *)
  1201. _err "ECC oid : $crv_oid"
  1202. return 1
  1203. ;;
  1204. esac
  1205. _debug3 crv "$crv"
  1206. fi
  1207. pubi="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
  1208. pubi=$(_math "$pubi" + 1)
  1209. _debug3 pubi "$pubi"
  1210. pubj="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
  1211. pubj=$(_math "$pubj" - 1)
  1212. _debug3 pubj "$pubj"
  1213. pubtext="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
  1214. _debug3 pubtext "$pubtext"
  1215. xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)"
  1216. xlen=$(_math "$xlen" / 4)
  1217. _debug3 xlen "$xlen"
  1218. xend=$(_math "$xlen" + 1)
  1219. x="$(printf "%s" "$pubtext" | cut -d : -f 2-"$xend")"
  1220. _debug3 x "$x"
  1221. x64="$(printf "%s" "$x" | tr -d : | _h2b | _base64 | _url_replace)"
  1222. _debug3 x64 "$x64"
  1223. xend=$(_math "$xend" + 1)
  1224. y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)"
  1225. _debug3 y "$y"
  1226. y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)"
  1227. _debug3 y64 "$y64"
  1228. jwk='{"crv": "'$crv'", "kty": "EC", "x": "'$x64'", "y": "'$y64'"}'
  1229. _debug3 jwk "$jwk"
  1230. JWK_HEADER='{"alg": "ES256", "jwk": '$jwk'}'
  1231. JWK_HEADERPLACE_PART1='{"nonce": "'
  1232. JWK_HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}'
  1233. else
  1234. _err "Only RSA or EC key is supported."
  1235. return 1
  1236. fi
  1237. _debug3 JWK_HEADER "$JWK_HEADER"
  1238. __CACHED_JWK_KEY_FILE="$keyfile"
  1239. }
  1240. _time() {
  1241. date -u "+%s"
  1242. }
  1243. _utc_date() {
  1244. date -u "+%Y-%m-%d %H:%M:%S"
  1245. }
  1246. _mktemp() {
  1247. if _exists mktemp; then
  1248. if mktemp 2>/dev/null; then
  1249. return 0
  1250. elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null; then
  1251. #for Mac osx
  1252. return 0
  1253. fi
  1254. fi
  1255. if [ -d "/tmp" ]; then
  1256. echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
  1257. return 0
  1258. elif [ "$LE_TEMP_DIR" ] && mkdir -p "$LE_TEMP_DIR"; then
  1259. echo "/$LE_TEMP_DIR/wefADf24sf.$(_time).tmp"
  1260. return 0
  1261. fi
  1262. _err "Can not create temp file."
  1263. }
  1264. _inithttp() {
  1265. if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then
  1266. HTTP_HEADER="$(_mktemp)"
  1267. _debug2 HTTP_HEADER "$HTTP_HEADER"
  1268. fi
  1269. if [ "$__HTTP_INITIALIZED" ]; then
  1270. if [ "$_ACME_CURL$_ACME_WGET" ]; then
  1271. _debug2 "Http already initialized."
  1272. return 0
  1273. fi
  1274. fi
  1275. if [ -z "$_ACME_CURL" ] && _exists "curl"; then
  1276. _ACME_CURL="curl -L --silent --dump-header $HTTP_HEADER "
  1277. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1278. _CURL_DUMP="$(_mktemp)"
  1279. _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
  1280. fi
  1281. if [ "$CA_PATH" ]; then
  1282. _ACME_CURL="$_ACME_CURL --capath $CA_PATH "
  1283. elif [ "$CA_BUNDLE" ]; then
  1284. _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
  1285. fi
  1286. fi
  1287. if [ -z "$_ACME_WGET" ] && _exists "wget"; then
  1288. _ACME_WGET="wget -q"
  1289. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1290. _ACME_WGET="$_ACME_WGET -d "
  1291. fi
  1292. if [ "$CA_PATH" ]; then
  1293. _ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH "
  1294. elif [ "$CA_BUNDLE" ]; then
  1295. _ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE "
  1296. fi
  1297. fi
  1298. #from wget 1.14: do not skip body on 404 error
  1299. if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--content-on-error"; then
  1300. _ACME_WGET="$_ACME_WGET --content-on-error "
  1301. fi
  1302. __HTTP_INITIALIZED=1
  1303. }
  1304. # body url [needbase64] [POST|PUT]
  1305. _post() {
  1306. body="$1"
  1307. url="$2"
  1308. needbase64="$3"
  1309. httpmethod="$4"
  1310. if [ -z "$httpmethod" ]; then
  1311. httpmethod="POST"
  1312. fi
  1313. _debug $httpmethod
  1314. _debug "url" "$url"
  1315. _debug2 "body" "$body"
  1316. _inithttp
  1317. if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then
  1318. _CURL="$_ACME_CURL"
  1319. if [ "$HTTPS_INSECURE" ]; then
  1320. _CURL="$_CURL --insecure "
  1321. fi
  1322. _debug "_CURL" "$_CURL"
  1323. if [ "$needbase64" ]; then
  1324. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
  1325. else
  1326. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url")"
  1327. fi
  1328. _ret="$?"
  1329. if [ "$_ret" != "0" ]; then
  1330. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
  1331. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1332. _err "Here is the curl dump log:"
  1333. _err "$(cat "$_CURL_DUMP")"
  1334. fi
  1335. fi
  1336. elif [ "$_ACME_WGET" ]; then
  1337. _WGET="$_ACME_WGET"
  1338. if [ "$HTTPS_INSECURE" ]; then
  1339. _WGET="$_WGET --no-check-certificate "
  1340. fi
  1341. _debug "_WGET" "$_WGET"
  1342. if [ "$needbase64" ]; then
  1343. if [ "$httpmethod" = "POST" ]; then
  1344. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  1345. else
  1346. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  1347. fi
  1348. else
  1349. if [ "$httpmethod" = "POST" ]; then
  1350. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
  1351. else
  1352. response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
  1353. fi
  1354. fi
  1355. _ret="$?"
  1356. if [ "$_ret" = "8" ]; then
  1357. _ret=0
  1358. _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later."
  1359. fi
  1360. if [ "$_ret" != "0" ]; then
  1361. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
  1362. fi
  1363. _sed_i "s/^ *//g" "$HTTP_HEADER"
  1364. else
  1365. _ret="$?"
  1366. _err "Neither curl nor wget is found, can not do $httpmethod."
  1367. fi
  1368. _debug "_ret" "$_ret"
  1369. printf "%s" "$response"
  1370. return $_ret
  1371. }
  1372. # url getheader timeout
  1373. _get() {
  1374. _debug GET
  1375. url="$1"
  1376. onlyheader="$2"
  1377. t="$3"
  1378. _debug url "$url"
  1379. _debug "timeout" "$t"
  1380. _inithttp
  1381. if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then
  1382. _CURL="$_ACME_CURL"
  1383. if [ "$HTTPS_INSECURE" ]; then
  1384. _CURL="$_CURL --insecure "
  1385. fi
  1386. if [ "$t" ]; then
  1387. _CURL="$_CURL --connect-timeout $t"
  1388. fi
  1389. _debug "_CURL" "$_CURL"
  1390. if [ "$onlyheader" ]; then
  1391. $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
  1392. else
  1393. $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
  1394. fi
  1395. ret=$?
  1396. if [ "$ret" != "0" ]; then
  1397. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
  1398. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1399. _err "Here is the curl dump log:"
  1400. _err "$(cat "$_CURL_DUMP")"
  1401. fi
  1402. fi
  1403. elif [ "$_ACME_WGET" ]; then
  1404. _WGET="$_ACME_WGET"
  1405. if [ "$HTTPS_INSECURE" ]; then
  1406. _WGET="$_WGET --no-check-certificate "
  1407. fi
  1408. if [ "$t" ]; then
  1409. _WGET="$_WGET --timeout=$t"
  1410. fi
  1411. _debug "_WGET" "$_WGET"
  1412. if [ "$onlyheader" ]; then
  1413. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1 | sed 's/^[ ]*//g'
  1414. else
  1415. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - "$url"
  1416. fi
  1417. ret=$?
  1418. if [ "$ret" = "8" ]; then
  1419. ret=0
  1420. _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later."
  1421. fi
  1422. if [ "$ret" != "0" ]; then
  1423. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
  1424. fi
  1425. else
  1426. ret=$?
  1427. _err "Neither curl nor wget is found, can not do GET."
  1428. fi
  1429. _debug "ret" "$ret"
  1430. return $ret
  1431. }
  1432. _head_n() {
  1433. head -n "$1"
  1434. }
  1435. _tail_n() {
  1436. if ! tail -n "$1" 2>/dev/null; then
  1437. #fix for solaris
  1438. tail -"$1"
  1439. fi
  1440. }
  1441. # url payload needbase64 keyfile
  1442. _send_signed_request() {
  1443. url=$1
  1444. payload=$2
  1445. needbase64=$3
  1446. keyfile=$4
  1447. if [ -z "$keyfile" ]; then
  1448. keyfile="$ACCOUNT_KEY_PATH"
  1449. fi
  1450. _debug url "$url"
  1451. _debug payload "$payload"
  1452. if ! _calcjwk "$keyfile"; then
  1453. return 1
  1454. fi
  1455. payload64=$(printf "%s" "$payload" | _base64 | _url_replace)
  1456. _debug3 payload64 "$payload64"
  1457. MAX_REQUEST_RETRY_TIMES=5
  1458. _request_retry_times=0
  1459. while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
  1460. _debug3 _request_retry_times "$_request_retry_times"
  1461. if [ -z "$_CACHED_NONCE" ]; then
  1462. _debug2 "Get nonce."
  1463. nonceurl="$API/directory"
  1464. _headers="$(_get "$nonceurl" "onlyheader")"
  1465. if [ "$?" != "0" ]; then
  1466. _err "Can not connect to $nonceurl to get nonce."
  1467. return 1
  1468. fi
  1469. _debug2 _headers "$_headers"
  1470. _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  1471. _debug2 _CACHED_NONCE "$_CACHED_NONCE"
  1472. else
  1473. _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
  1474. fi
  1475. nonce="$_CACHED_NONCE"
  1476. _debug2 nonce "$nonce"
  1477. protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
  1478. _debug3 protected "$protected"
  1479. protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
  1480. _debug3 protected64 "$protected64"
  1481. if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
  1482. _err "Sign request failed."
  1483. return 1
  1484. fi
  1485. _debug3 _sig_t "$_sig_t"
  1486. sig="$(printf "%s" "$_sig_t" | _url_replace)"
  1487. _debug3 sig "$sig"
  1488. body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
  1489. _debug3 body "$body"
  1490. response="$(_post "$body" "$url" "$needbase64")"
  1491. _CACHED_NONCE=""
  1492. if [ "$?" != "0" ]; then
  1493. _err "Can not post to $url"
  1494. return 1
  1495. fi
  1496. _debug2 original "$response"
  1497. response="$(echo "$response" | _normalizeJson)"
  1498. responseHeaders="$(cat "$HTTP_HEADER")"
  1499. _debug2 responseHeaders "$responseHeaders"
  1500. _debug2 response "$response"
  1501. code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
  1502. _debug code "$code"
  1503. _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  1504. if _contains "$response" "JWS has invalid anti-replay nonce"; then
  1505. _info "It seems the CA server is busy now, let's wait and retry."
  1506. _request_retry_times=$(_math "$_request_retry_times" + 1)
  1507. _sleep 5
  1508. continue
  1509. fi
  1510. break
  1511. done
  1512. }
  1513. #setopt "file" "opt" "=" "value" [";"]
  1514. _setopt() {
  1515. __conf="$1"
  1516. __opt="$2"
  1517. __sep="$3"
  1518. __val="$4"
  1519. __end="$5"
  1520. if [ -z "$__opt" ]; then
  1521. _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
  1522. return
  1523. fi
  1524. if [ ! -f "$__conf" ]; then
  1525. touch "$__conf"
  1526. fi
  1527. if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then
  1528. _debug3 OK
  1529. if _contains "$__val" "&"; then
  1530. __val="$(echo "$__val" | sed 's/&/\\&/g')"
  1531. fi
  1532. text="$(cat "$__conf")"
  1533. printf -- "%s\n" "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
  1534. elif grep -n "^#$__opt$__sep" "$__conf" >/dev/null; then
  1535. if _contains "$__val" "&"; then
  1536. __val="$(echo "$__val" | sed 's/&/\\&/g')"
  1537. fi
  1538. text="$(cat "$__conf")"
  1539. printf -- "%s\n" "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
  1540. else
  1541. _debug3 APP
  1542. echo "$__opt$__sep$__val$__end" >>"$__conf"
  1543. fi
  1544. _debug3 "$(grep -n "^$__opt$__sep" "$__conf")"
  1545. }
  1546. #_save_conf file key value
  1547. #save to conf
  1548. _save_conf() {
  1549. _s_c_f="$1"
  1550. _sdkey="$2"
  1551. _sdvalue="$3"
  1552. if [ "$_s_c_f" ]; then
  1553. _setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'"
  1554. else
  1555. _err "config file is empty, can not save $_sdkey=$_sdvalue"
  1556. fi
  1557. }
  1558. #_clear_conf file key
  1559. _clear_conf() {
  1560. _c_c_f="$1"
  1561. _sdkey="$2"
  1562. if [ "$_c_c_f" ]; then
  1563. _conf_data="$(cat "$_c_c_f")"
  1564. echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f"
  1565. else
  1566. _err "config file is empty, can not clear"
  1567. fi
  1568. }
  1569. #_read_conf file key
  1570. _read_conf() {
  1571. _r_c_f="$1"
  1572. _sdkey="$2"
  1573. if [ -f "$_r_c_f" ]; then
  1574. (
  1575. eval "$(grep "^$_sdkey *=" "$_r_c_f")"
  1576. eval "printf \"%s\" \"\$$_sdkey\""
  1577. )
  1578. else
  1579. _debug "config file is empty, can not read $_sdkey"
  1580. fi
  1581. }
  1582. #_savedomainconf key value
  1583. #save to domain.conf
  1584. _savedomainconf() {
  1585. _save_conf "$DOMAIN_CONF" "$1" "$2"
  1586. }
  1587. #_cleardomainconf key
  1588. _cleardomainconf() {
  1589. _clear_conf "$DOMAIN_CONF" "$1"
  1590. }
  1591. #_readdomainconf key
  1592. _readdomainconf() {
  1593. _read_conf "$DOMAIN_CONF" "$1"
  1594. }
  1595. #_saveaccountconf key value
  1596. _saveaccountconf() {
  1597. _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2"
  1598. }
  1599. #key value
  1600. _saveaccountconf_mutable() {
  1601. _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2"
  1602. #remove later
  1603. _clearaccountconf "$1"
  1604. }
  1605. #key
  1606. _readaccountconf() {
  1607. _read_conf "$ACCOUNT_CONF_PATH" "$1"
  1608. }
  1609. #key
  1610. _readaccountconf_mutable() {
  1611. _rac_key="$1"
  1612. _readaccountconf "SAVED_$_rac_key"
  1613. }
  1614. #_clearaccountconf key
  1615. _clearaccountconf() {
  1616. _clear_conf "$ACCOUNT_CONF_PATH" "$1"
  1617. }
  1618. #_savecaconf key value
  1619. _savecaconf() {
  1620. _save_conf "$CA_CONF" "$1" "$2"
  1621. }
  1622. #_readcaconf key
  1623. _readcaconf() {
  1624. _read_conf "$CA_CONF" "$1"
  1625. }
  1626. #_clearaccountconf key
  1627. _clearcaconf() {
  1628. _clear_conf "$CA_CONF" "$1"
  1629. }
  1630. # content localaddress
  1631. _startserver() {
  1632. content="$1"
  1633. ncaddr="$2"
  1634. _debug "ncaddr" "$ncaddr"
  1635. _debug "startserver: $$"
  1636. nchelp="$(nc -h 2>&1)"
  1637. _debug Le_HTTPPort "$Le_HTTPPort"
  1638. _debug Le_Listen_V4 "$Le_Listen_V4"
  1639. _debug Le_Listen_V6 "$Le_Listen_V6"
  1640. _NC="nc"
  1641. if [ "$Le_Listen_V4" ]; then
  1642. _NC="$_NC -4"
  1643. elif [ "$Le_Listen_V6" ]; then
  1644. _NC="$_NC -6"
  1645. fi
  1646. if [ "$Le_Listen_V4$Le_Listen_V6$ncaddr" ]; then
  1647. if ! _contains "$nchelp" "-4"; then
  1648. _err "The nc doesn't support '-4', '-6' or local-address, please install 'netcat-openbsd' and try again."
  1649. _err "See $(__green $_PREPARE_LINK)"
  1650. return 1
  1651. fi
  1652. fi
  1653. if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
  1654. _NC="$_NC -q 1 -l $ncaddr"
  1655. else
  1656. if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
  1657. _NC="$_NC -c -l $ncaddr"
  1658. elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
  1659. _NC="$_NC -N -l $ncaddr"
  1660. else
  1661. _NC="$_NC -l $ncaddr"
  1662. fi
  1663. fi
  1664. _debug "_NC" "$_NC"
  1665. #for centos ncat
  1666. if _contains "$nchelp" "nmap.org"; then
  1667. _debug "Using ncat: nmap.org"
  1668. if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"; then
  1669. _exec_err
  1670. return 1
  1671. fi
  1672. if [ "$DEBUG" ]; then
  1673. _exec_err
  1674. fi
  1675. return
  1676. fi
  1677. # while true ; do
  1678. if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC -p \"$Le_HTTPPort\" >&2"; then
  1679. _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"
  1680. fi
  1681. if [ "$?" != "0" ]; then
  1682. _err "nc listen error."
  1683. _exec_err
  1684. exit 1
  1685. fi
  1686. if [ "$DEBUG" ]; then
  1687. _exec_err
  1688. fi
  1689. # done
  1690. }
  1691. _stopserver() {
  1692. pid="$1"
  1693. _debug "pid" "$pid"
  1694. if [ -z "$pid" ]; then
  1695. return
  1696. fi
  1697. _debug2 "Le_HTTPPort" "$Le_HTTPPort"
  1698. if [ "$Le_HTTPPort" ]; then
  1699. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
  1700. _get "http://localhost:$Le_HTTPPort" "" 1
  1701. else
  1702. _get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
  1703. fi
  1704. fi
  1705. _debug2 "Le_TLSPort" "$Le_TLSPort"
  1706. if [ "$Le_TLSPort" ]; then
  1707. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
  1708. _get "https://localhost:$Le_TLSPort" "" 1
  1709. _get "https://localhost:$Le_TLSPort" "" 1
  1710. else
  1711. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1712. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1713. fi
  1714. fi
  1715. }
  1716. # sleep sec
  1717. _sleep() {
  1718. _sleep_sec="$1"
  1719. if [ "$__INTERACTIVE" ]; then
  1720. _sleep_c="$_sleep_sec"
  1721. while [ "$_sleep_c" -ge "0" ]; do
  1722. printf "\r \r"
  1723. __green "$_sleep_c"
  1724. _sleep_c="$(_math "$_sleep_c" - 1)"
  1725. sleep 1
  1726. done
  1727. printf "\r"
  1728. else
  1729. sleep "$_sleep_sec"
  1730. fi
  1731. }
  1732. # _starttlsserver san_a san_b port content _ncaddr
  1733. _starttlsserver() {
  1734. _info "Starting tls server."
  1735. san_a="$1"
  1736. san_b="$2"
  1737. port="$3"
  1738. content="$4"
  1739. opaddr="$5"
  1740. _debug san_a "$san_a"
  1741. _debug san_b "$san_b"
  1742. _debug port "$port"
  1743. #create key TLS_KEY
  1744. if ! _createkey "2048" "$TLS_KEY"; then
  1745. _err "Create tls validation key error."
  1746. return 1
  1747. fi
  1748. #create csr
  1749. alt="$san_a"
  1750. if [ "$san_b" ]; then
  1751. alt="$alt,$san_b"
  1752. fi
  1753. if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
  1754. _err "Create tls validation csr error."
  1755. return 1
  1756. fi
  1757. #self signed
  1758. if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT"; then
  1759. _err "Create tls validation cert error."
  1760. return 1
  1761. fi
  1762. __S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -cert $TLS_CERT -key $TLS_KEY "
  1763. if [ "$opaddr" ]; then
  1764. __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
  1765. else
  1766. __S_OPENSSL="$__S_OPENSSL -accept $port"
  1767. fi
  1768. _debug Le_Listen_V4 "$Le_Listen_V4"
  1769. _debug Le_Listen_V6 "$Le_Listen_V6"
  1770. if [ "$Le_Listen_V4" ]; then
  1771. __S_OPENSSL="$__S_OPENSSL -4"
  1772. elif [ "$Le_Listen_V6" ]; then
  1773. __S_OPENSSL="$__S_OPENSSL -6"
  1774. fi
  1775. _debug "$__S_OPENSSL"
  1776. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
  1777. (printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
  1778. else
  1779. (printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
  1780. fi
  1781. serverproc="$!"
  1782. sleep 1
  1783. _debug serverproc "$serverproc"
  1784. }
  1785. #file
  1786. _readlink() {
  1787. _rf="$1"
  1788. if ! readlink -f "$_rf" 2>/dev/null; then
  1789. if _startswith "$_rf" "/"; then
  1790. echo "$_rf"
  1791. return 0
  1792. fi
  1793. echo "$(pwd)/$_rf" | _conapath
  1794. fi
  1795. }
  1796. _conapath() {
  1797. sed "s#/\./#/#g"
  1798. }
  1799. __initHome() {
  1800. if [ -z "$_SCRIPT_HOME" ]; then
  1801. if _exists readlink && _exists dirname; then
  1802. _debug "Lets find script dir."
  1803. _debug "_SCRIPT_" "$_SCRIPT_"
  1804. _script="$(_readlink "$_SCRIPT_")"
  1805. _debug "_script" "$_script"
  1806. _script_home="$(dirname "$_script")"
  1807. _debug "_script_home" "$_script_home"
  1808. if [ -d "$_script_home" ]; then
  1809. _SCRIPT_HOME="$_script_home"
  1810. else
  1811. _err "It seems the script home is not correct:$_script_home"
  1812. fi
  1813. fi
  1814. fi
  1815. # if [ -z "$LE_WORKING_DIR" ]; then
  1816. # if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ]; then
  1817. # _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
  1818. # LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1819. # else
  1820. # LE_WORKING_DIR="$_SCRIPT_HOME"
  1821. # fi
  1822. # fi
  1823. if [ -z "$LE_WORKING_DIR" ]; then
  1824. _debug "Using default home:$DEFAULT_INSTALL_HOME"
  1825. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1826. fi
  1827. export LE_WORKING_DIR
  1828. if [ -z "$LE_CONFIG_HOME" ]; then
  1829. LE_CONFIG_HOME="$LE_WORKING_DIR"
  1830. fi
  1831. _debug "Using config home:$LE_CONFIG_HOME"
  1832. export LE_CONFIG_HOME
  1833. _DEFAULT_ACCOUNT_CONF_PATH="$LE_CONFIG_HOME/account.conf"
  1834. if [ -z "$ACCOUNT_CONF_PATH" ]; then
  1835. if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ]; then
  1836. . "$_DEFAULT_ACCOUNT_CONF_PATH"
  1837. fi
  1838. fi
  1839. if [ -z "$ACCOUNT_CONF_PATH" ]; then
  1840. ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
  1841. fi
  1842. DEFAULT_LOG_FILE="$LE_CONFIG_HOME/$PROJECT_NAME.log"
  1843. DEFAULT_CA_HOME="$LE_CONFIG_HOME/ca"
  1844. if [ -z "$LE_TEMP_DIR" ]; then
  1845. LE_TEMP_DIR="$LE_CONFIG_HOME/tmp"
  1846. fi
  1847. }
  1848. #[domain] [keylength]
  1849. _initpath() {
  1850. __initHome
  1851. if [ -f "$ACCOUNT_CONF_PATH" ]; then
  1852. . "$ACCOUNT_CONF_PATH"
  1853. fi
  1854. if [ "$IN_CRON" ]; then
  1855. if [ ! "$_USER_PATH_EXPORTED" ]; then
  1856. _USER_PATH_EXPORTED=1
  1857. export PATH="$USER_PATH:$PATH"
  1858. fi
  1859. fi
  1860. if [ -z "$CA_HOME" ]; then
  1861. CA_HOME="$DEFAULT_CA_HOME"
  1862. fi
  1863. if [ -z "$API" ]; then
  1864. if [ -z "$STAGE" ]; then
  1865. API="$DEFAULT_CA"
  1866. else
  1867. API="$STAGE_CA"
  1868. _info "Using stage api:$API"
  1869. fi
  1870. fi
  1871. _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
  1872. CA_DIR="$CA_HOME/$_API_HOST"
  1873. _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
  1874. if [ -z "$CA_CONF" ]; then
  1875. CA_CONF="$_DEFAULT_CA_CONF"
  1876. fi
  1877. _debug3 CA_CONF "$CA_CONF"
  1878. if [ -f "$CA_CONF" ]; then
  1879. . "$CA_CONF"
  1880. fi
  1881. if [ -z "$ACME_DIR" ]; then
  1882. ACME_DIR="/home/.acme"
  1883. fi
  1884. if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then
  1885. APACHE_CONF_BACKUP_DIR="$LE_CONFIG_HOME"
  1886. fi
  1887. if [ -z "$USER_AGENT" ]; then
  1888. USER_AGENT="$DEFAULT_USER_AGENT"
  1889. fi
  1890. if [ -z "$HTTP_HEADER" ]; then
  1891. HTTP_HEADER="$LE_CONFIG_HOME/http.header"
  1892. fi
  1893. _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
  1894. _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
  1895. _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  1896. _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  1897. if [ -z "$ACCOUNT_KEY_PATH" ]; then
  1898. ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  1899. fi
  1900. if [ -z "$ACCOUNT_JSON_PATH" ]; then
  1901. ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
  1902. fi
  1903. _DEFAULT_CERT_HOME="$LE_CONFIG_HOME"
  1904. if [ -z "$CERT_HOME" ]; then
  1905. CERT_HOME="$_DEFAULT_CERT_HOME"
  1906. fi
  1907. if [ -z "$ACME_OPENSSL_BIN" ] || [ ! -f "$ACME_OPENSSL_BIN" ] || [ ! -x "$ACME_OPENSSL_BIN" ]; then
  1908. ACME_OPENSSL_BIN="$DEFAULT_OPENSSL_BIN"
  1909. fi
  1910. if [ -z "$1" ]; then
  1911. return 0
  1912. fi
  1913. domain="$1"
  1914. _ilength="$2"
  1915. if [ -z "$DOMAIN_PATH" ]; then
  1916. domainhome="$CERT_HOME/$domain"
  1917. domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
  1918. DOMAIN_PATH="$domainhome"
  1919. if _isEccKey "$_ilength"; then
  1920. DOMAIN_PATH="$domainhomeecc"
  1921. else
  1922. if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then
  1923. _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
  1924. fi
  1925. fi
  1926. _debug DOMAIN_PATH "$DOMAIN_PATH"
  1927. fi
  1928. if [ -z "$DOMAIN_BACKUP_PATH" ]; then
  1929. DOMAIN_BACKUP_PATH="$DOMAIN_PATH/backup"
  1930. fi
  1931. if [ -z "$DOMAIN_CONF" ]; then
  1932. DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
  1933. fi
  1934. if [ -z "$DOMAIN_SSL_CONF" ]; then
  1935. DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
  1936. fi
  1937. if [ -z "$CSR_PATH" ]; then
  1938. CSR_PATH="$DOMAIN_PATH/$domain.csr"
  1939. fi
  1940. if [ -z "$CERT_KEY_PATH" ]; then
  1941. CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
  1942. fi
  1943. if [ -z "$CERT_PATH" ]; then
  1944. CERT_PATH="$DOMAIN_PATH/$domain.cer"
  1945. fi
  1946. if [ -z "$CA_CERT_PATH" ]; then
  1947. CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
  1948. fi
  1949. if [ -z "$CERT_FULLCHAIN_PATH" ]; then
  1950. CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
  1951. fi
  1952. if [ -z "$CERT_PFX_PATH" ]; then
  1953. CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
  1954. fi
  1955. if [ -z "$CERT_PKCS8_PATH" ]; then
  1956. CERT_PKCS8_PATH="$DOMAIN_PATH/$domain.pkcs8"
  1957. fi
  1958. if [ -z "$TLS_CONF" ]; then
  1959. TLS_CONF="$DOMAIN_PATH/tls.validation.conf"
  1960. fi
  1961. if [ -z "$TLS_CERT" ]; then
  1962. TLS_CERT="$DOMAIN_PATH/tls.validation.cert"
  1963. fi
  1964. if [ -z "$TLS_KEY" ]; then
  1965. TLS_KEY="$DOMAIN_PATH/tls.validation.key"
  1966. fi
  1967. if [ -z "$TLS_CSR" ]; then
  1968. TLS_CSR="$DOMAIN_PATH/tls.validation.csr"
  1969. fi
  1970. }
  1971. _exec() {
  1972. if [ -z "$_EXEC_TEMP_ERR" ]; then
  1973. _EXEC_TEMP_ERR="$(_mktemp)"
  1974. fi
  1975. if [ "$_EXEC_TEMP_ERR" ]; then
  1976. eval "$@ 2>>$_EXEC_TEMP_ERR"
  1977. else
  1978. eval "$@"
  1979. fi
  1980. }
  1981. _exec_err() {
  1982. [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
  1983. }
  1984. _apachePath() {
  1985. _APACHECTL="apachectl"
  1986. if ! _exists apachectl; then
  1987. if _exists apache2ctl; then
  1988. _APACHECTL="apache2ctl"
  1989. else
  1990. _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
  1991. _err "Please use webroot mode to try again."
  1992. return 1
  1993. fi
  1994. fi
  1995. if ! _exec $_APACHECTL -V >/dev/null; then
  1996. _exec_err
  1997. return 1
  1998. fi
  1999. if [ "$APACHE_HTTPD_CONF" ]; then
  2000. _saveaccountconf APACHE_HTTPD_CONF "$APACHE_HTTPD_CONF"
  2001. httpdconf="$APACHE_HTTPD_CONF"
  2002. httpdconfname="$(basename "$httpdconfname")"
  2003. else
  2004. httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"')"
  2005. _debug httpdconfname "$httpdconfname"
  2006. if [ -z "$httpdconfname" ]; then
  2007. _err "Can not read apache config file."
  2008. return 1
  2009. fi
  2010. if _startswith "$httpdconfname" '/'; then
  2011. httpdconf="$httpdconfname"
  2012. httpdconfname="$(basename "$httpdconfname")"
  2013. else
  2014. httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"')"
  2015. _debug httpdroot "$httpdroot"
  2016. httpdconf="$httpdroot/$httpdconfname"
  2017. httpdconfname="$(basename "$httpdconfname")"
  2018. fi
  2019. fi
  2020. _debug httpdconf "$httpdconf"
  2021. _debug httpdconfname "$httpdconfname"
  2022. if [ ! -f "$httpdconf" ]; then
  2023. _err "Apache Config file not found" "$httpdconf"
  2024. return 1
  2025. fi
  2026. return 0
  2027. }
  2028. _restoreApache() {
  2029. if [ -z "$usingApache" ]; then
  2030. return 0
  2031. fi
  2032. _initpath
  2033. if ! _apachePath; then
  2034. return 1
  2035. fi
  2036. if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ]; then
  2037. _debug "No config file to restore."
  2038. return 0
  2039. fi
  2040. cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
  2041. _debug "Restored: $httpdconf."
  2042. if ! _exec $_APACHECTL -t; then
  2043. _exec_err
  2044. _err "Sorry, restore apache config error, please contact me."
  2045. return 1
  2046. fi
  2047. _debug "Restored successfully."
  2048. rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
  2049. return 0
  2050. }
  2051. _setApache() {
  2052. _initpath
  2053. if ! _apachePath; then
  2054. return 1
  2055. fi
  2056. #test the conf first
  2057. _info "Checking if there is an error in the apache config file before starting."
  2058. if ! _exec "$_APACHECTL" -t >/dev/null; then
  2059. _exec_err
  2060. _err "The apache config file has error, please fix it first, then try again."
  2061. _err "Don't worry, there is nothing changed to your system."
  2062. return 1
  2063. else
  2064. _info "OK"
  2065. fi
  2066. #backup the conf
  2067. _debug "Backup apache config file" "$httpdconf"
  2068. if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then
  2069. _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
  2070. _err "This might be a bug of $PROJECT_NAME , please report issue: $PROJECT"
  2071. return 1
  2072. fi
  2073. _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
  2074. _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
  2075. _info "The backup file will be deleted on success, just forget it."
  2076. #add alias
  2077. apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2)"
  2078. _debug "apacheVer" "$apacheVer"
  2079. apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
  2080. apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
  2081. if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ]; then
  2082. echo "
  2083. Alias /.well-known/acme-challenge $ACME_DIR
  2084. <Directory $ACME_DIR >
  2085. Require all granted
  2086. </Directory>
  2087. " >>"$httpdconf"
  2088. else
  2089. echo "
  2090. Alias /.well-known/acme-challenge $ACME_DIR
  2091. <Directory $ACME_DIR >
  2092. Order allow,deny
  2093. Allow from all
  2094. </Directory>
  2095. " >>"$httpdconf"
  2096. fi
  2097. _msg="$($_APACHECTL -t 2>&1)"
  2098. if [ "$?" != "0" ]; then
  2099. _err "Sorry, apache config error"
  2100. if _restoreApache; then
  2101. _err "The apache config file is restored."
  2102. else
  2103. _err "Sorry, The apache config file can not be restored, please report bug."
  2104. fi
  2105. return 1
  2106. fi
  2107. if [ ! -d "$ACME_DIR" ]; then
  2108. mkdir -p "$ACME_DIR"
  2109. chmod 755 "$ACME_DIR"
  2110. fi
  2111. if ! _exec "$_APACHECTL" graceful; then
  2112. _exec_err
  2113. _err "$_APACHECTL graceful error, please contact me."
  2114. _restoreApache
  2115. return 1
  2116. fi
  2117. usingApache="1"
  2118. return 0
  2119. }
  2120. #find the real nginx conf file
  2121. #backup
  2122. #set the nginx conf
  2123. #returns the real nginx conf file
  2124. _setNginx() {
  2125. _d="$1"
  2126. _croot="$2"
  2127. _thumbpt="$3"
  2128. if ! _exists "nginx"; then
  2129. _err "nginx command is not found."
  2130. return 1
  2131. fi
  2132. FOUND_REAL_NGINX_CONF=""
  2133. FOUND_REAL_NGINX_CONF_LN=""
  2134. BACKUP_NGINX_CONF=""
  2135. _debug _croot "$_croot"
  2136. _start_f="$(echo "$_croot" | cut -d : -f 2)"
  2137. _debug _start_f "$_start_f"
  2138. if [ -z "$_start_f" ]; then
  2139. _debug "find start conf from nginx command"
  2140. if [ -z "$NGINX_CONF" ]; then
  2141. NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "--conf-path=[^ ]* " | tr -d " ")"
  2142. _debug NGINX_CONF "$NGINX_CONF"
  2143. NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
  2144. _debug NGINX_CONF "$NGINX_CONF"
  2145. if [ ! -f "$NGINX_CONF" ]; then
  2146. _err "'$NGINX_CONF' doesn't exist."
  2147. NGINX_CONF=""
  2148. return 1
  2149. fi
  2150. _debug "Found nginx conf file:$NGINX_CONF"
  2151. fi
  2152. _start_f="$NGINX_CONF"
  2153. fi
  2154. _debug "Start detect nginx conf for $_d from:$_start_f"
  2155. if ! _checkConf "$_d" "$_start_f"; then
  2156. _err "Can not find conf file for domain $d"
  2157. return 1
  2158. fi
  2159. _info "Found conf file: $FOUND_REAL_NGINX_CONF"
  2160. _ln=$FOUND_REAL_NGINX_CONF_LN
  2161. _debug "_ln" "$_ln"
  2162. _lnn=$(_math $_ln + 1)
  2163. _debug _lnn "$_lnn"
  2164. _start_tag="$(sed -n "$_lnn,${_lnn}p" "$FOUND_REAL_NGINX_CONF")"
  2165. _debug "_start_tag" "$_start_tag"
  2166. if [ "$_start_tag" = "$NGINX_START" ]; then
  2167. _info "The domain $_d is already configured, skip"
  2168. FOUND_REAL_NGINX_CONF=""
  2169. return 0
  2170. fi
  2171. mkdir -p "$DOMAIN_BACKUP_PATH"
  2172. _backup_conf="$DOMAIN_BACKUP_PATH/$_d.nginx.conf"
  2173. _debug _backup_conf "$_backup_conf"
  2174. BACKUP_NGINX_CONF="$_backup_conf"
  2175. _info "Backup $FOUND_REAL_NGINX_CONF to $_backup_conf"
  2176. if ! cp "$FOUND_REAL_NGINX_CONF" "$_backup_conf"; then
  2177. _err "backup error."
  2178. FOUND_REAL_NGINX_CONF=""
  2179. return 1
  2180. fi
  2181. _info "Check the nginx conf before setting up."
  2182. if ! _exec "nginx -t" >/dev/null; then
  2183. _exec_err
  2184. return 1
  2185. fi
  2186. _info "OK, Set up nginx config file"
  2187. if ! sed -n "1,${_ln}p" "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"; then
  2188. cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
  2189. _err "write nginx conf error, but don't worry, the file is restored to the original version."
  2190. return 1
  2191. fi
  2192. echo "$NGINX_START
  2193. location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
  2194. default_type text/plain;
  2195. return 200 \"\$1.$_thumbpt\";
  2196. }
  2197. #NGINX_START
  2198. " >>"$FOUND_REAL_NGINX_CONF"
  2199. if ! sed -n "${_lnn},99999p" "$_backup_conf" >>"$FOUND_REAL_NGINX_CONF"; then
  2200. cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
  2201. _err "write nginx conf error, but don't worry, the file is restored."
  2202. return 1
  2203. fi
  2204. _info "nginx conf is done, let's check it again."
  2205. if ! _exec "nginx -t" >/dev/null; then
  2206. _exec_err
  2207. _err "It seems that nginx conf was broken, let's restore."
  2208. cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
  2209. return 1
  2210. fi
  2211. _info "Reload nginx"
  2212. if ! _exec "nginx -s reload" >/dev/null; then
  2213. _exec_err
  2214. _err "It seems that nginx reload error, let's restore."
  2215. cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
  2216. return 1
  2217. fi
  2218. return 0
  2219. }
  2220. #d , conf
  2221. _checkConf() {
  2222. _d="$1"
  2223. _c_file="$2"
  2224. _debug "Start _checkConf from:$_c_file"
  2225. if [ ! -f "$2" ] && ! echo "$2" | grep '*$' >/dev/null && echo "$2" | grep '*' >/dev/null; then
  2226. _debug "wildcard"
  2227. for _w_f in $2; do
  2228. if [ -f "$_w_f" ] && _checkConf "$1" "$_w_f"; then
  2229. return 0
  2230. fi
  2231. done
  2232. #not found
  2233. return 1
  2234. elif [ -f "$2" ]; then
  2235. _debug "single"
  2236. if _isRealNginxConf "$1" "$2"; then
  2237. _debug "$2 is found."
  2238. FOUND_REAL_NGINX_CONF="$2"
  2239. return 0
  2240. fi
  2241. if cat "$2" | tr "\t" " " | grep "^ *include *.*;" >/dev/null; then
  2242. _debug "Try include files"
  2243. for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
  2244. _debug "check included $included"
  2245. if _checkConf "$1" "$included"; then
  2246. return 0
  2247. fi
  2248. done
  2249. fi
  2250. return 1
  2251. else
  2252. _debug "$2 not found."
  2253. return 1
  2254. fi
  2255. return 1
  2256. }
  2257. #d , conf
  2258. _isRealNginxConf() {
  2259. _debug "_isRealNginxConf $1 $2"
  2260. if [ -f "$2" ]; then
  2261. for _fln in $(grep -n "^ *server_name.* $1" "$2" | cut -d : -f 1); do
  2262. _debug _fln "$_fln"
  2263. if [ "$_fln" ]; then
  2264. _start=$(cat "$2" | _head_n "$_fln" | grep -n "^ *server *{" | _tail_n 1)
  2265. _debug "_start" "$_start"
  2266. _start_n=$(echo "$_start" | cut -d : -f 1)
  2267. _start_nn=$(_math $_start_n + 1)
  2268. _debug "_start_n" "$_start_n"
  2269. _debug "_start_nn" "$_start_nn"
  2270. _left="$(sed -n "${_start_nn},99999p" "$2")"
  2271. _debug2 _left "$_left"
  2272. if echo "$_left" | grep -n "^ *server *{" >/dev/null; then
  2273. _end=$(echo "$_left" | grep -n "^ *server *{" | _head_n 1)
  2274. _debug "_end" "$_end"
  2275. _end_n=$(echo "$_end" | cut -d : -f 1)
  2276. _debug "_end_n" "$_end_n"
  2277. _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
  2278. else
  2279. _seg_n="$_left"
  2280. fi
  2281. _debug "_seg_n" "$_seg_n"
  2282. if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ]; then
  2283. _debug "ssl on, skip"
  2284. return 1
  2285. fi
  2286. FOUND_REAL_NGINX_CONF_LN=$_fln
  2287. return 0
  2288. fi
  2289. done
  2290. fi
  2291. return 1
  2292. }
  2293. #restore all the nginx conf
  2294. _restoreNginx() {
  2295. if [ -z "$NGINX_RESTORE_VLIST" ]; then
  2296. _debug "No need to restore nginx, skip."
  2297. return
  2298. fi
  2299. _debug "_restoreNginx"
  2300. _debug "NGINX_RESTORE_VLIST" "$NGINX_RESTORE_VLIST"
  2301. for ng_entry in $(echo "$NGINX_RESTORE_VLIST" | tr "$dvsep" ' '); do
  2302. _debug "ng_entry" "$ng_entry"
  2303. _nd=$(echo "$ng_entry" | cut -d "$sep" -f 1)
  2304. _ngconf=$(echo "$ng_entry" | cut -d "$sep" -f 2)
  2305. _ngbackupconf=$(echo "$ng_entry" | cut -d "$sep" -f 3)
  2306. _info "Restoring from $_ngbackupconf to $_ngconf"
  2307. cat "$_ngbackupconf" >"$_ngconf"
  2308. done
  2309. _info "Reload nginx"
  2310. if ! _exec "nginx -s reload" >/dev/null; then
  2311. _exec_err
  2312. _err "It seems that nginx reload error, please report bug."
  2313. return 1
  2314. fi
  2315. return 0
  2316. }
  2317. _clearup() {
  2318. _stopserver "$serverproc"
  2319. serverproc=""
  2320. _restoreApache
  2321. _restoreNginx
  2322. _clearupdns
  2323. if [ -z "$DEBUG" ]; then
  2324. rm -f "$TLS_CONF"
  2325. rm -f "$TLS_CERT"
  2326. rm -f "$TLS_KEY"
  2327. rm -f "$TLS_CSR"
  2328. fi
  2329. }
  2330. _clearupdns() {
  2331. _debug "_clearupdns"
  2332. if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
  2333. _debug "Dns not added, skip."
  2334. return
  2335. fi
  2336. ventries=$(echo "$vlist" | tr ',' ' ')
  2337. for ventry in $ventries; do
  2338. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2339. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2340. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2341. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2342. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
  2343. _debug txt "$txt"
  2344. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2345. _debug "$d is already verified, skip $vtype."
  2346. continue
  2347. fi
  2348. if [ "$vtype" != "$VTYPE_DNS" ]; then
  2349. _info "Skip $d for $vtype"
  2350. continue
  2351. fi
  2352. d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
  2353. _debug d_api "$d_api"
  2354. if [ -z "$d_api" ]; then
  2355. _info "Not Found domain api file: $d_api"
  2356. continue
  2357. fi
  2358. (
  2359. if ! . "$d_api"; then
  2360. _err "Load file $d_api error. Please check your api file and try again."
  2361. return 1
  2362. fi
  2363. rmcommand="${_currentRoot}_rm"
  2364. if ! _exists "$rmcommand"; then
  2365. _err "It seems that your api file doesn't define $rmcommand"
  2366. return 1
  2367. fi
  2368. txtdomain="_acme-challenge.$d"
  2369. if ! $rmcommand "$txtdomain" "$txt"; then
  2370. _err "Error removing txt for domain:$txtdomain"
  2371. return 1
  2372. fi
  2373. )
  2374. done
  2375. }
  2376. # webroot removelevel tokenfile
  2377. _clearupwebbroot() {
  2378. __webroot="$1"
  2379. if [ -z "$__webroot" ]; then
  2380. _debug "no webroot specified, skip"
  2381. return 0
  2382. fi
  2383. _rmpath=""
  2384. if [ "$2" = '1' ]; then
  2385. _rmpath="$__webroot/.well-known"
  2386. elif [ "$2" = '2' ]; then
  2387. _rmpath="$__webroot/.well-known/acme-challenge"
  2388. elif [ "$2" = '3' ]; then
  2389. _rmpath="$__webroot/.well-known/acme-challenge/$3"
  2390. else
  2391. _debug "Skip for removelevel:$2"
  2392. fi
  2393. if [ "$_rmpath" ]; then
  2394. if [ "$DEBUG" ]; then
  2395. _debug "Debugging, skip removing: $_rmpath"
  2396. else
  2397. rm -rf "$_rmpath"
  2398. fi
  2399. fi
  2400. return 0
  2401. }
  2402. _on_before_issue() {
  2403. _chk_web_roots="$1"
  2404. _chk_main_domain="$2"
  2405. _chk_alt_domains="$3"
  2406. _chk_pre_hook="$4"
  2407. _chk_local_addr="$5"
  2408. _debug _on_before_issue
  2409. #run pre hook
  2410. if [ "$_chk_pre_hook" ]; then
  2411. _info "Run pre hook:'$_chk_pre_hook'"
  2412. if ! (
  2413. cd "$DOMAIN_PATH" && eval "$_chk_pre_hook"
  2414. ); then
  2415. _err "Error when run pre hook."
  2416. return 1
  2417. fi
  2418. fi
  2419. if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
  2420. if ! _exists "nc"; then
  2421. _err "Please install netcat(nc) tools first."
  2422. return 1
  2423. fi
  2424. fi
  2425. _debug Le_LocalAddress "$_chk_local_addr"
  2426. alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ')
  2427. _index=1
  2428. _currentRoot=""
  2429. _addrIndex=1
  2430. for d in $alldomains; do
  2431. _debug "Check for domain" "$d"
  2432. _currentRoot="$(_getfield "$_chk_web_roots" $_index)"
  2433. _debug "_currentRoot" "$_currentRoot"
  2434. _index=$(_math $_index + 1)
  2435. _checkport=""
  2436. if [ "$_currentRoot" = "$NO_VALUE" ]; then
  2437. _info "Standalone mode."
  2438. if [ -z "$Le_HTTPPort" ]; then
  2439. Le_HTTPPort=80
  2440. else
  2441. _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
  2442. fi
  2443. _checkport="$Le_HTTPPort"
  2444. elif [ "$_currentRoot" = "$W_TLS" ]; then
  2445. _info "Standalone tls mode."
  2446. if [ -z "$Le_TLSPort" ]; then
  2447. Le_TLSPort=443
  2448. else
  2449. _savedomainconf "Le_TLSPort" "$Le_TLSPort"
  2450. fi
  2451. _checkport="$Le_TLSPort"
  2452. fi
  2453. if [ "$_checkport" ]; then
  2454. _debug _checkport "$_checkport"
  2455. _checkaddr="$(_getfield "$_chk_local_addr" $_addrIndex)"
  2456. _debug _checkaddr "$_checkaddr"
  2457. _addrIndex="$(_math $_addrIndex + 1)"
  2458. _netprc="$(_ss "$_checkport" | grep "$_checkport")"
  2459. netprc="$(echo "$_netprc" | grep "$_checkaddr")"
  2460. if [ -z "$netprc" ]; then
  2461. netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
  2462. fi
  2463. if [ "$netprc" ]; then
  2464. _err "$netprc"
  2465. _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
  2466. _err "Please stop it first"
  2467. return 1
  2468. fi
  2469. fi
  2470. done
  2471. if _hasfield "$_chk_web_roots" "apache"; then
  2472. if ! _setApache; then
  2473. _err "set up apache error. Report error to me."
  2474. return 1
  2475. fi
  2476. else
  2477. usingApache=""
  2478. fi
  2479. }
  2480. _on_issue_err() {
  2481. _chk_post_hook="$1"
  2482. _chk_vlist="$2"
  2483. _debug _on_issue_err
  2484. if [ "$LOG_FILE" ]; then
  2485. _err "Please check log file for more details: $LOG_FILE"
  2486. else
  2487. _err "Please add '--debug' or '--log' to check more details."
  2488. _err "See: $_DEBUG_WIKI"
  2489. fi
  2490. #run the post hook
  2491. if [ "$_chk_post_hook" ]; then
  2492. _info "Run post hook:'$_chk_post_hook'"
  2493. if ! (
  2494. cd "$DOMAIN_PATH" && eval "$_chk_post_hook"
  2495. ); then
  2496. _err "Error when run post hook."
  2497. return 1
  2498. fi
  2499. fi
  2500. #trigger the validation to flush the pending authz
  2501. if [ "$_chk_vlist" ]; then
  2502. (
  2503. _debug2 "_chk_vlist" "$_chk_vlist"
  2504. _debug2 "start to deactivate authz"
  2505. ventries=$(echo "$_chk_vlist" | tr "$dvsep" ' ')
  2506. for ventry in $ventries; do
  2507. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2508. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2509. uri=$(echo "$ventry" | cut -d "$sep" -f 3)
  2510. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2511. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2512. __trigger_validation "$uri" "$keyauthorization"
  2513. done
  2514. )
  2515. fi
  2516. if [ "$DEBUG" ] && [ "$DEBUG" -gt "0" ]; then
  2517. _debug "$(_dlg_versions)"
  2518. fi
  2519. }
  2520. _on_issue_success() {
  2521. _chk_post_hook="$1"
  2522. _chk_renew_hook="$2"
  2523. _debug _on_issue_success
  2524. #run the post hook
  2525. if [ "$_chk_post_hook" ]; then
  2526. _info "Run post hook:'$_chk_post_hook'"
  2527. if ! (
  2528. cd "$DOMAIN_PATH" && eval "$_chk_post_hook"
  2529. ); then
  2530. _err "Error when run post hook."
  2531. return 1
  2532. fi
  2533. fi
  2534. #run renew hook
  2535. if [ "$IS_RENEW" ] && [ "$_chk_renew_hook" ]; then
  2536. _info "Run renew hook:'$_chk_renew_hook'"
  2537. if ! (
  2538. cd "$DOMAIN_PATH" && eval "$_chk_renew_hook"
  2539. ); then
  2540. _err "Error when run renew hook."
  2541. return 1
  2542. fi
  2543. fi
  2544. }
  2545. updateaccount() {
  2546. _initpath
  2547. _regAccount
  2548. }
  2549. registeraccount() {
  2550. _reg_length="$1"
  2551. _initpath
  2552. _regAccount "$_reg_length"
  2553. }
  2554. __calcAccountKeyHash() {
  2555. [ -f "$ACCOUNT_KEY_PATH" ] && _digest sha256 <"$ACCOUNT_KEY_PATH"
  2556. }
  2557. __calc_account_thumbprint() {
  2558. printf "%s" "$jwk" | tr -d ' ' | _digest "sha256" | _url_replace
  2559. }
  2560. #keylength
  2561. _regAccount() {
  2562. _initpath
  2563. _reg_length="$1"
  2564. if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
  2565. mkdir -p "$CA_DIR"
  2566. _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
  2567. mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  2568. fi
  2569. if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
  2570. mkdir -p "$CA_DIR"
  2571. _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
  2572. mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  2573. fi
  2574. if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
  2575. if ! _create_account_key "$_reg_length"; then
  2576. _err "Create account key error."
  2577. return 1
  2578. fi
  2579. fi
  2580. if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
  2581. return 1
  2582. fi
  2583. _updateTos=""
  2584. _reg_res="new-reg"
  2585. while true; do
  2586. _debug AGREEMENT "$AGREEMENT"
  2587. regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}'
  2588. if [ "$ACCOUNT_EMAIL" ]; then
  2589. regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
  2590. fi
  2591. if [ -z "$_updateTos" ]; then
  2592. _info "Registering account"
  2593. if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then
  2594. _err "Register account Error: $response"
  2595. return 1
  2596. fi
  2597. if [ "$code" = "" ] || [ "$code" = '201' ]; then
  2598. echo "$response" >"$ACCOUNT_JSON_PATH"
  2599. _info "Registered"
  2600. elif [ "$code" = '409' ]; then
  2601. _info "Already registered"
  2602. else
  2603. _err "Register account Error: $response"
  2604. return 1
  2605. fi
  2606. _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  2607. _debug "_accUri" "$_accUri"
  2608. _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')"
  2609. _debug "_tos" "$_tos"
  2610. if [ -z "$_tos" ]; then
  2611. _debug "Use default tos: $DEFAULT_AGREEMENT"
  2612. _tos="$DEFAULT_AGREEMENT"
  2613. fi
  2614. if [ "$_tos" != "$AGREEMENT" ]; then
  2615. _updateTos=1
  2616. AGREEMENT="$_tos"
  2617. _reg_res="reg"
  2618. continue
  2619. fi
  2620. else
  2621. _debug "Update tos: $_tos"
  2622. if ! _send_signed_request "$_accUri" "$regjson"; then
  2623. _err "Update tos error."
  2624. return 1
  2625. fi
  2626. if [ "$code" = '202' ]; then
  2627. _info "Update success."
  2628. CA_KEY_HASH="$(__calcAccountKeyHash)"
  2629. _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
  2630. _savecaconf CA_KEY_HASH "$CA_KEY_HASH"
  2631. else
  2632. _err "Update account error."
  2633. return 1
  2634. fi
  2635. fi
  2636. ACCOUNT_THUMBPRINT="$(__calc_account_thumbprint)"
  2637. _info "ACCOUNT_THUMBPRINT" "$ACCOUNT_THUMBPRINT"
  2638. return 0
  2639. done
  2640. }
  2641. # domain folder file
  2642. _findHook() {
  2643. _hookdomain="$1"
  2644. _hookcat="$2"
  2645. _hookname="$3"
  2646. if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then
  2647. d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
  2648. elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
  2649. d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh"
  2650. elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
  2651. d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname"
  2652. elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
  2653. d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh"
  2654. elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then
  2655. d_api="$LE_WORKING_DIR/$_hookname"
  2656. elif [ -f "$LE_WORKING_DIR/$_hookname.sh" ]; then
  2657. d_api="$LE_WORKING_DIR/$_hookname.sh"
  2658. elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname" ]; then
  2659. d_api="$LE_WORKING_DIR/$_hookcat/$_hookname"
  2660. elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname.sh" ]; then
  2661. d_api="$LE_WORKING_DIR/$_hookcat/$_hookname.sh"
  2662. fi
  2663. printf "%s" "$d_api"
  2664. }
  2665. #domain
  2666. __get_domain_new_authz() {
  2667. _gdnd="$1"
  2668. _info "Getting new-authz for domain" "$_gdnd"
  2669. _Max_new_authz_retry_times=5
  2670. _authz_i=0
  2671. while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
  2672. _debug "Try new-authz for the $_authz_i time."
  2673. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
  2674. _err "Can not get domain new authz."
  2675. return 1
  2676. fi
  2677. if _contains "$response" "No registration exists matching provided key"; then
  2678. _err "It seems there is an error, but it's recovered now, please try again."
  2679. _err "If you see this message for a second time, please report bug: $(__green "$PROJECT")"
  2680. _clearcaconf "CA_KEY_HASH"
  2681. break
  2682. fi
  2683. if ! _contains "$response" "An error occurred while processing your request"; then
  2684. _info "The new-authz request is ok."
  2685. break
  2686. fi
  2687. _authz_i="$(_math "$_authz_i" + 1)"
  2688. _info "The server is busy, Sleep $_authz_i to retry."
  2689. _sleep "$_authz_i"
  2690. done
  2691. if [ "$_authz_i" = "$_Max_new_authz_retry_times" ]; then
  2692. _err "new-authz retry reach the max $_Max_new_authz_retry_times times."
  2693. fi
  2694. if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
  2695. _err "new-authz error: $response"
  2696. return 1
  2697. fi
  2698. }
  2699. #uri keyAuthorization
  2700. __trigger_validation() {
  2701. _debug2 "tigger domain validation."
  2702. _t_url="$1"
  2703. _debug2 _t_url "$_t_url"
  2704. _t_key_authz="$2"
  2705. _debug2 _t_key_authz "$_t_key_authz"
  2706. _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$_t_key_authz\"}"
  2707. }
  2708. #webroot, domain domainlist keylength
  2709. issue() {
  2710. if [ -z "$2" ]; then
  2711. _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
  2712. return 1
  2713. fi
  2714. if [ -z "$1" ]; then
  2715. _usage "Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc."
  2716. return 1
  2717. fi
  2718. _web_roots="$1"
  2719. _main_domain="$2"
  2720. _alt_domains="$3"
  2721. if _contains "$_main_domain" ","; then
  2722. _main_domain=$(echo "$2,$3" | cut -d , -f 1)
  2723. _alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//")
  2724. fi
  2725. _key_length="$4"
  2726. _real_cert="$5"
  2727. _real_key="$6"
  2728. _real_ca="$7"
  2729. _reload_cmd="$8"
  2730. _real_fullchain="$9"
  2731. _pre_hook="${10}"
  2732. _post_hook="${11}"
  2733. _renew_hook="${12}"
  2734. _local_addr="${13}"
  2735. #remove these later.
  2736. if [ "$_web_roots" = "dns-cf" ]; then
  2737. _web_roots="dns_cf"
  2738. fi
  2739. if [ "$_web_roots" = "dns-dp" ]; then
  2740. _web_roots="dns_dp"
  2741. fi
  2742. if [ "$_web_roots" = "dns-cx" ]; then
  2743. _web_roots="dns_cx"
  2744. fi
  2745. _debug "Using api: $API"
  2746. if [ ! "$IS_RENEW" ]; then
  2747. _initpath "$_main_domain" "$_key_length"
  2748. mkdir -p "$DOMAIN_PATH"
  2749. fi
  2750. if [ -f "$DOMAIN_CONF" ]; then
  2751. Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
  2752. _debug Le_NextRenewTime "$Le_NextRenewTime"
  2753. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
  2754. _saved_domain=$(_readdomainconf Le_Domain)
  2755. _debug _saved_domain "$_saved_domain"
  2756. _saved_alt=$(_readdomainconf Le_Alt)
  2757. _debug _saved_alt "$_saved_alt"
  2758. if [ "$_saved_domain,$_saved_alt" = "$_main_domain,$_alt_domains" ]; then
  2759. _info "Domains not changed."
  2760. _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
  2761. _info "Add '$(__red '--force')' to force to renew."
  2762. return $RENEW_SKIP
  2763. else
  2764. _info "Domains have changed."
  2765. fi
  2766. fi
  2767. fi
  2768. _savedomainconf "Le_Domain" "$_main_domain"
  2769. _savedomainconf "Le_Alt" "$_alt_domains"
  2770. _savedomainconf "Le_Webroot" "$_web_roots"
  2771. _savedomainconf "Le_PreHook" "$_pre_hook"
  2772. _savedomainconf "Le_PostHook" "$_post_hook"
  2773. _savedomainconf "Le_RenewHook" "$_renew_hook"
  2774. if [ "$_local_addr" ]; then
  2775. _savedomainconf "Le_LocalAddress" "$_local_addr"
  2776. else
  2777. _cleardomainconf "Le_LocalAddress"
  2778. fi
  2779. Le_API="$API"
  2780. _savedomainconf "Le_API" "$Le_API"
  2781. if [ "$_alt_domains" = "$NO_VALUE" ]; then
  2782. _alt_domains=""
  2783. fi
  2784. if [ "$_key_length" = "$NO_VALUE" ]; then
  2785. _key_length=""
  2786. fi
  2787. if ! _on_before_issue "$_web_roots" "$_main_domain" "$_alt_domains" "$_pre_hook" "$_local_addr"; then
  2788. _err "_on_before_issue."
  2789. return 1
  2790. fi
  2791. _saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")"
  2792. _debug2 _saved_account_key_hash "$_saved_account_key_hash"
  2793. if [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then
  2794. if ! _regAccount "$_accountkeylength"; then
  2795. _on_issue_err "$_post_hook"
  2796. return 1
  2797. fi
  2798. else
  2799. _debug "_saved_account_key_hash is not changed, skip register account."
  2800. fi
  2801. if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
  2802. _info "Signing from existing CSR."
  2803. else
  2804. _key=$(_readdomainconf Le_Keylength)
  2805. _debug "Read key length:$_key"
  2806. if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ]; then
  2807. if ! createDomainKey "$_main_domain" "$_key_length"; then
  2808. _err "Create domain key error."
  2809. _clearup
  2810. _on_issue_err "$_post_hook"
  2811. return 1
  2812. fi
  2813. fi
  2814. if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then
  2815. _err "Create CSR error."
  2816. _clearup
  2817. _on_issue_err "$_post_hook"
  2818. return 1
  2819. fi
  2820. fi
  2821. _savedomainconf "Le_Keylength" "$_key_length"
  2822. vlist="$Le_Vlist"
  2823. _info "Getting domain auth token for each domain"
  2824. sep='#'
  2825. dvsep=','
  2826. if [ -z "$vlist" ]; then
  2827. alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ')
  2828. _index=1
  2829. _currentRoot=""
  2830. for d in $alldomains; do
  2831. _info "Getting webroot for domain" "$d"
  2832. _w="$(echo $_web_roots | cut -d , -f $_index)"
  2833. _debug _w "$_w"
  2834. if [ "$_w" ]; then
  2835. _currentRoot="$_w"
  2836. fi
  2837. _debug "_currentRoot" "$_currentRoot"
  2838. _index=$(_math $_index + 1)
  2839. vtype="$VTYPE_HTTP"
  2840. if _startswith "$_currentRoot" "dns"; then
  2841. vtype="$VTYPE_DNS"
  2842. fi
  2843. if [ "$_currentRoot" = "$W_TLS" ]; then
  2844. vtype="$VTYPE_TLS"
  2845. fi
  2846. if ! __get_domain_new_authz "$d"; then
  2847. _clearup
  2848. _on_issue_err "$_post_hook"
  2849. return 1
  2850. fi
  2851. if [ -z "$thumbprint" ]; then
  2852. thumbprint="$(__calc_account_thumbprint)"
  2853. fi
  2854. entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
  2855. _debug entry "$entry"
  2856. if [ -z "$entry" ]; then
  2857. _err "Error, can not get domain token $d"
  2858. _clearup
  2859. _on_issue_err "$_post_hook"
  2860. return 1
  2861. fi
  2862. token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
  2863. _debug token "$token"
  2864. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
  2865. _debug uri "$uri"
  2866. keyauthorization="$token.$thumbprint"
  2867. _debug keyauthorization "$keyauthorization"
  2868. if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
  2869. _debug "$d is already verified, skip."
  2870. keyauthorization="$STATE_VERIFIED"
  2871. _debug keyauthorization "$keyauthorization"
  2872. fi
  2873. dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
  2874. _debug dvlist "$dvlist"
  2875. vlist="$vlist$dvlist$dvsep"
  2876. done
  2877. _debug vlist "$vlist"
  2878. #add entry
  2879. dnsadded=""
  2880. ventries=$(echo "$vlist" | tr "$dvsep" ' ')
  2881. for ventry in $ventries; do
  2882. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2883. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2884. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2885. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2886. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2887. _debug "$d is already verified, skip $vtype."
  2888. continue
  2889. fi
  2890. if [ "$vtype" = "$VTYPE_DNS" ]; then
  2891. dnsadded='0'
  2892. txtdomain="_acme-challenge.$d"
  2893. _debug txtdomain "$txtdomain"
  2894. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
  2895. _debug txt "$txt"
  2896. d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
  2897. _debug d_api "$d_api"
  2898. if [ "$d_api" ]; then
  2899. _info "Found domain api file: $d_api"
  2900. else
  2901. _err "Add the following TXT record:"
  2902. _err "Domain: '$(__green "$txtdomain")'"
  2903. _err "TXT value: '$(__green "$txt")'"
  2904. _err "Please be aware that you prepend _acme-challenge. before your domain"
  2905. _err "so the resulting subdomain will be: $txtdomain"
  2906. continue
  2907. fi
  2908. (
  2909. if ! . "$d_api"; then
  2910. _err "Load file $d_api error. Please check your api file and try again."
  2911. return 1
  2912. fi
  2913. addcommand="${_currentRoot}_add"
  2914. if ! _exists "$addcommand"; then
  2915. _err "It seems that your api file is not correct, it must have a function named: $addcommand"
  2916. return 1
  2917. fi
  2918. if ! $addcommand "$txtdomain" "$txt"; then
  2919. _err "Error add txt for domain:$txtdomain"
  2920. return 1
  2921. fi
  2922. )
  2923. if [ "$?" != "0" ]; then
  2924. _clearup
  2925. _on_issue_err "$_post_hook"
  2926. return 1
  2927. fi
  2928. dnsadded='1'
  2929. fi
  2930. done
  2931. if [ "$dnsadded" = '0' ]; then
  2932. _savedomainconf "Le_Vlist" "$vlist"
  2933. _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
  2934. _err "Please add the TXT records to the domains, and retry again."
  2935. _clearup
  2936. _on_issue_err "$_post_hook"
  2937. return 1
  2938. fi
  2939. fi
  2940. if [ "$dnsadded" = '1' ]; then
  2941. if [ -z "$Le_DNSSleep" ]; then
  2942. Le_DNSSleep="$DEFAULT_DNS_SLEEP"
  2943. else
  2944. _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
  2945. fi
  2946. _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
  2947. _sleep "$Le_DNSSleep"
  2948. fi
  2949. NGINX_RESTORE_VLIST=""
  2950. _debug "ok, let's start to verify"
  2951. _ncIndex=1
  2952. ventries=$(echo "$vlist" | tr "$dvsep" ' ')
  2953. for ventry in $ventries; do
  2954. d=$(echo "$ventry" | cut -d "$sep" -f 1)
  2955. keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
  2956. uri=$(echo "$ventry" | cut -d "$sep" -f 3)
  2957. vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
  2958. _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
  2959. if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
  2960. _info "$d is already verified, skip $vtype."
  2961. continue
  2962. fi
  2963. _info "Verifying:$d"
  2964. _debug "d" "$d"
  2965. _debug "keyauthorization" "$keyauthorization"
  2966. _debug "uri" "$uri"
  2967. removelevel=""
  2968. token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
  2969. _debug "_currentRoot" "$_currentRoot"
  2970. if [ "$vtype" = "$VTYPE_HTTP" ]; then
  2971. if [ "$_currentRoot" = "$NO_VALUE" ]; then
  2972. _info "Standalone mode server"
  2973. _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
  2974. _ncIndex="$(_math $_ncIndex + 1)"
  2975. _startserver "$keyauthorization" "$_ncaddr" &
  2976. if [ "$?" != "0" ]; then
  2977. _clearup
  2978. _on_issue_err "$_post_hook" "$vlist"
  2979. return 1
  2980. fi
  2981. serverproc="$!"
  2982. sleep 1
  2983. _debug serverproc "$serverproc"
  2984. elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
  2985. _info "Stateless mode for domain:$d"
  2986. _sleep 1
  2987. elif _startswith "$_currentRoot" "$NGINX"; then
  2988. _info "Nginx mode for domain:$d"
  2989. #set up nginx server
  2990. FOUND_REAL_NGINX_CONF=""
  2991. BACKUP_NGINX_CONF=""
  2992. if ! _setNginx "$d" "$_currentRoot" "$thumbprint"; then
  2993. _clearup
  2994. _on_issue_err "$_post_hook" "$vlist"
  2995. return 1
  2996. fi
  2997. if [ "$FOUND_REAL_NGINX_CONF" ]; then
  2998. _realConf="$FOUND_REAL_NGINX_CONF"
  2999. _backup="$BACKUP_NGINX_CONF"
  3000. _debug _realConf "$_realConf"
  3001. NGINX_RESTORE_VLIST="$d$sep$_realConf$sep$_backup$dvsep$NGINX_RESTORE_VLIST"
  3002. fi
  3003. _sleep 1
  3004. else
  3005. if [ "$_currentRoot" = "apache" ]; then
  3006. wellknown_path="$ACME_DIR"
  3007. else
  3008. wellknown_path="$_currentRoot/.well-known/acme-challenge"
  3009. if [ ! -d "$_currentRoot/.well-known" ]; then
  3010. removelevel='1'
  3011. elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then
  3012. removelevel='2'
  3013. else
  3014. removelevel='3'
  3015. fi
  3016. fi
  3017. _debug wellknown_path "$wellknown_path"
  3018. _debug "writing token:$token to $wellknown_path/$token"
  3019. mkdir -p "$wellknown_path"
  3020. if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then
  3021. _err "$d:Can not write token to file : $wellknown_path/$token"
  3022. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3023. _clearup
  3024. _on_issue_err "$_post_hook" "$vlist"
  3025. return 1
  3026. fi
  3027. if [ ! "$usingApache" ]; then
  3028. if webroot_owner=$(_stat "$_currentRoot"); then
  3029. _debug "Changing owner/group of .well-known to $webroot_owner"
  3030. if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
  3031. _debug "$(cat "$_EXEC_TEMP_ERR")"
  3032. _exec_err >/dev/null 2>&1
  3033. fi
  3034. else
  3035. _debug "not changing owner/group of webroot"
  3036. fi
  3037. fi
  3038. fi
  3039. elif [ "$vtype" = "$VTYPE_TLS" ]; then
  3040. #create A
  3041. #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
  3042. #_debug2 _hash_A "$_hash_A"
  3043. #_x="$(echo $_hash_A | cut -c 1-32)"
  3044. #_debug2 _x "$_x"
  3045. #_y="$(echo $_hash_A | cut -c 33-64)"
  3046. #_debug2 _y "$_y"
  3047. #_SAN_A="$_x.$_y.token.acme.invalid"
  3048. #_debug2 _SAN_A "$_SAN_A"
  3049. #create B
  3050. _hash_B="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
  3051. _debug2 _hash_B "$_hash_B"
  3052. _x="$(echo "$_hash_B" | cut -c 1-32)"
  3053. _debug2 _x "$_x"
  3054. _y="$(echo "$_hash_B" | cut -c 33-64)"
  3055. _debug2 _y "$_y"
  3056. #_SAN_B="$_x.$_y.ka.acme.invalid"
  3057. _SAN_B="$_x.$_y.acme.invalid"
  3058. _debug2 _SAN_B "$_SAN_B"
  3059. _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
  3060. _ncIndex="$(_math "$_ncIndex" + 1)"
  3061. if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
  3062. _err "Start tls server error."
  3063. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3064. _clearup
  3065. _on_issue_err "$_post_hook" "$vlist"
  3066. return 1
  3067. fi
  3068. fi
  3069. if ! __trigger_validation "$uri" "$keyauthorization"; then
  3070. _err "$d:Can not get challenge: $response"
  3071. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3072. _clearup
  3073. _on_issue_err "$_post_hook" "$vlist"
  3074. return 1
  3075. fi
  3076. if [ ! -z "$code" ] && [ ! "$code" = '202' ]; then
  3077. _err "$d:Challenge error: $response"
  3078. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3079. _clearup
  3080. _on_issue_err "$_post_hook" "$vlist"
  3081. return 1
  3082. fi
  3083. waittimes=0
  3084. if [ -z "$MAX_RETRY_TIMES" ]; then
  3085. MAX_RETRY_TIMES=30
  3086. fi
  3087. while true; do
  3088. waittimes=$(_math "$waittimes" + 1)
  3089. if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then
  3090. _err "$d:Timeout"
  3091. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3092. _clearup
  3093. _on_issue_err "$_post_hook" "$vlist"
  3094. return 1
  3095. fi
  3096. _debug "sleep 2 secs to verify"
  3097. sleep 2
  3098. _debug "checking"
  3099. response="$(_get "$uri")"
  3100. if [ "$?" != "0" ]; then
  3101. _err "$d:Verify error:$response"
  3102. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3103. _clearup
  3104. _on_issue_err "$_post_hook" "$vlist"
  3105. return 1
  3106. fi
  3107. _debug2 original "$response"
  3108. response="$(echo "$response" | _normalizeJson)"
  3109. _debug2 response "$response"
  3110. status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
  3111. if [ "$status" = "valid" ]; then
  3112. _info "$(__green Success)"
  3113. _stopserver "$serverproc"
  3114. serverproc=""
  3115. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3116. break
  3117. fi
  3118. if [ "$status" = "invalid" ]; then
  3119. error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
  3120. _debug2 error "$error"
  3121. errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
  3122. _debug2 errordetail "$errordetail"
  3123. if [ "$errordetail" ]; then
  3124. _err "$d:Verify error:$errordetail"
  3125. else
  3126. _err "$d:Verify error:$error"
  3127. fi
  3128. if [ "$DEBUG" ]; then
  3129. if [ "$vtype" = "$VTYPE_HTTP" ]; then
  3130. _debug "Debug: get token url."
  3131. _get "http://$d/.well-known/acme-challenge/$token" "" 1
  3132. fi
  3133. fi
  3134. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3135. _clearup
  3136. _on_issue_err "$_post_hook" "$vlist"
  3137. return 1
  3138. fi
  3139. if [ "$status" = "pending" ]; then
  3140. _info "Pending"
  3141. else
  3142. _err "$d:Verify error:$response"
  3143. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  3144. _clearup
  3145. _on_issue_err "$_post_hook" "$vlist"
  3146. return 1
  3147. fi
  3148. done
  3149. done
  3150. _clearup
  3151. _info "Verify finished, start to sign."
  3152. der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
  3153. if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
  3154. _err "Sign failed."
  3155. _on_issue_err "$_post_hook"
  3156. return 1
  3157. fi
  3158. _rcert="$response"
  3159. Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
  3160. _debug "Le_LinkCert" "$Le_LinkCert"
  3161. _savedomainconf "Le_LinkCert" "$Le_LinkCert"
  3162. if [ "$Le_LinkCert" ]; then
  3163. echo "$BEGIN_CERT" >"$CERT_PATH"
  3164. #if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
  3165. # _debug "Get cert failed. Let's try last response."
  3166. # printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
  3167. #fi
  3168. if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
  3169. _debug "Try cert link."
  3170. _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
  3171. fi
  3172. echo "$END_CERT" >>"$CERT_PATH"
  3173. _info "$(__green "Cert success.")"
  3174. cat "$CERT_PATH"
  3175. _info "Your cert is in $(__green " $CERT_PATH ")"
  3176. if [ -f "$CERT_KEY_PATH" ]; then
  3177. _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
  3178. fi
  3179. cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
  3180. if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
  3181. USER_PATH="$PATH"
  3182. _saveaccountconf "USER_PATH" "$USER_PATH"
  3183. fi
  3184. fi
  3185. if [ -z "$Le_LinkCert" ]; then
  3186. response="$(echo "$response" | _dbase64 "multiline" | _normalizeJson)"
  3187. _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
  3188. _on_issue_err "$_post_hook"
  3189. return 1
  3190. fi
  3191. _cleardomainconf "Le_Vlist"
  3192. Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
  3193. if ! _contains "$Le_LinkIssuer" ":"; then
  3194. Le_LinkIssuer="$API$Le_LinkIssuer"
  3195. fi
  3196. _debug Le_LinkIssuer "$Le_LinkIssuer"
  3197. _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
  3198. if [ "$Le_LinkIssuer" ]; then
  3199. _link_issuer_retry=0
  3200. _MAX_ISSUER_RETRY=5
  3201. while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
  3202. _debug _link_issuer_retry "$_link_issuer_retry"
  3203. if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
  3204. echo "$BEGIN_CERT" >"$CA_CERT_PATH"
  3205. _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
  3206. echo "$END_CERT" >>"$CA_CERT_PATH"
  3207. _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
  3208. cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
  3209. _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
  3210. rm -f "$CA_CERT_PATH.der"
  3211. break
  3212. fi
  3213. _link_issuer_retry=$(_math $_link_issuer_retry + 1)
  3214. _sleep "$_link_issuer_retry"
  3215. done
  3216. if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
  3217. _err "Max retry for issuer ca cert is reached."
  3218. fi
  3219. else
  3220. _debug "No Le_LinkIssuer header found."
  3221. fi
  3222. Le_CertCreateTime=$(_time)
  3223. _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
  3224. Le_CertCreateTimeStr=$(date -u)
  3225. _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
  3226. if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ]; then
  3227. Le_RenewalDays="$MAX_RENEW"
  3228. else
  3229. _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
  3230. fi
  3231. if [ "$CA_BUNDLE" ]; then
  3232. _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
  3233. else
  3234. _clearaccountconf "CA_BUNDLE"
  3235. fi
  3236. if [ "$CA_PATH" ]; then
  3237. _saveaccountconf CA_PATH "$CA_PATH"
  3238. else
  3239. _clearaccountconf "CA_PATH"
  3240. fi
  3241. if [ "$HTTPS_INSECURE" ]; then
  3242. _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
  3243. else
  3244. _clearaccountconf "HTTPS_INSECURE"
  3245. fi
  3246. if [ "$Le_Listen_V4" ]; then
  3247. _savedomainconf "Le_Listen_V4" "$Le_Listen_V4"
  3248. _cleardomainconf Le_Listen_V6
  3249. elif [ "$Le_Listen_V6" ]; then
  3250. _savedomainconf "Le_Listen_V6" "$Le_Listen_V6"
  3251. _cleardomainconf Le_Listen_V4
  3252. fi
  3253. Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
  3254. Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
  3255. _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  3256. Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
  3257. _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  3258. _on_issue_success "$_post_hook" "$_renew_hook"
  3259. if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
  3260. _savedomainconf "Le_RealCertPath" "$_real_cert"
  3261. _savedomainconf "Le_RealCACertPath" "$_real_ca"
  3262. _savedomainconf "Le_RealKeyPath" "$_real_key"
  3263. _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
  3264. _savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
  3265. _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
  3266. fi
  3267. }
  3268. #domain [isEcc]
  3269. renew() {
  3270. Le_Domain="$1"
  3271. if [ -z "$Le_Domain" ]; then
  3272. _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
  3273. return 1
  3274. fi
  3275. _isEcc="$2"
  3276. _initpath "$Le_Domain" "$_isEcc"
  3277. _info "$(__green "Renew: '$Le_Domain'")"
  3278. if [ ! -f "$DOMAIN_CONF" ]; then
  3279. _info "'$Le_Domain' is not a issued domain, skip."
  3280. return 0
  3281. fi
  3282. if [ "$Le_RenewalDays" ]; then
  3283. _savedomainconf Le_RenewalDays "$Le_RenewalDays"
  3284. fi
  3285. . "$DOMAIN_CONF"
  3286. if [ "$Le_API" ]; then
  3287. API="$Le_API"
  3288. #reload ca configs
  3289. ACCOUNT_KEY_PATH=""
  3290. ACCOUNT_JSON_PATH=""
  3291. CA_CONF=""
  3292. _debug3 "initpath again."
  3293. _initpath "$Le_Domain" "$_isEcc"
  3294. fi
  3295. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
  3296. _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
  3297. _info "Add '$(__red '--force')' to force to renew."
  3298. return "$RENEW_SKIP"
  3299. fi
  3300. IS_RENEW="1"
  3301. issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
  3302. res="$?"
  3303. if [ "$res" != "0" ]; then
  3304. return "$res"
  3305. fi
  3306. if [ "$Le_DeployHook" ]; then
  3307. _deploy "$Le_Domain" "$Le_DeployHook"
  3308. res="$?"
  3309. fi
  3310. IS_RENEW=""
  3311. return "$res"
  3312. }
  3313. #renewAll [stopRenewOnError]
  3314. renewAll() {
  3315. _initpath
  3316. _stopRenewOnError="$1"
  3317. _debug "_stopRenewOnError" "$_stopRenewOnError"
  3318. _ret="0"
  3319. for di in "${CERT_HOME}"/*.*/; do
  3320. _debug di "$di"
  3321. if ! [ -d "$di" ]; then
  3322. _debug "Not directory, skip: $di"
  3323. continue
  3324. fi
  3325. d=$(basename "$di")
  3326. _debug d "$d"
  3327. (
  3328. if _endswith "$d" "$ECC_SUFFIX"; then
  3329. _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
  3330. d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
  3331. fi
  3332. renew "$d" "$_isEcc"
  3333. )
  3334. rc="$?"
  3335. _debug "Return code: $rc"
  3336. if [ "$rc" != "0" ]; then
  3337. if [ "$rc" = "$RENEW_SKIP" ]; then
  3338. _info "Skipped $d"
  3339. elif [ "$_stopRenewOnError" ]; then
  3340. _err "Error renew $d, stop now."
  3341. return "$rc"
  3342. else
  3343. _ret="$rc"
  3344. _err "Error renew $d."
  3345. fi
  3346. fi
  3347. done
  3348. return "$_ret"
  3349. }
  3350. #csr webroot
  3351. signcsr() {
  3352. _csrfile="$1"
  3353. _csrW="$2"
  3354. if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
  3355. _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
  3356. return 1
  3357. fi
  3358. _initpath
  3359. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  3360. if [ "$?" != "0" ]; then
  3361. _err "Can not read subject from csr: $_csrfile"
  3362. return 1
  3363. fi
  3364. _debug _csrsubj "$_csrsubj"
  3365. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  3366. if [ "$?" != "0" ]; then
  3367. _err "Can not read domain list from csr: $_csrfile"
  3368. return 1
  3369. fi
  3370. _debug "_csrdomainlist" "$_csrdomainlist"
  3371. if [ -z "$_csrsubj" ]; then
  3372. _csrsubj="$(_getfield "$_csrdomainlist" 1)"
  3373. _debug _csrsubj "$_csrsubj"
  3374. _csrdomainlist="$(echo "$_csrdomainlist" | cut -d , -f 2-)"
  3375. _debug "_csrdomainlist" "$_csrdomainlist"
  3376. fi
  3377. if [ -z "$_csrsubj" ]; then
  3378. _err "Can not read subject from csr: $_csrfile"
  3379. return 1
  3380. fi
  3381. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  3382. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
  3383. _err "Can not read key length from csr: $_csrfile"
  3384. return 1
  3385. fi
  3386. _initpath "$_csrsubj" "$_csrkeylength"
  3387. mkdir -p "$DOMAIN_PATH"
  3388. _info "Copy csr to: $CSR_PATH"
  3389. cp "$_csrfile" "$CSR_PATH"
  3390. issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
  3391. }
  3392. showcsr() {
  3393. _csrfile="$1"
  3394. _csrd="$2"
  3395. if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
  3396. _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
  3397. return 1
  3398. fi
  3399. _initpath
  3400. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  3401. if [ "$?" != "0" ] || [ -z "$_csrsubj" ]; then
  3402. _err "Can not read subject from csr: $_csrfile"
  3403. return 1
  3404. fi
  3405. _info "Subject=$_csrsubj"
  3406. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  3407. if [ "$?" != "0" ]; then
  3408. _err "Can not read domain list from csr: $_csrfile"
  3409. return 1
  3410. fi
  3411. _debug "_csrdomainlist" "$_csrdomainlist"
  3412. _info "SubjectAltNames=$_csrdomainlist"
  3413. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  3414. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
  3415. _err "Can not read key length from csr: $_csrfile"
  3416. return 1
  3417. fi
  3418. _info "KeyLength=$_csrkeylength"
  3419. }
  3420. list() {
  3421. _raw="$1"
  3422. _initpath
  3423. _sep="|"
  3424. if [ "$_raw" ]; then
  3425. printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
  3426. for di in "${CERT_HOME}"/*.*/; do
  3427. if ! [ -d "$di" ]; then
  3428. _debug "Not directory, skip: $di"
  3429. continue
  3430. fi
  3431. d=$(basename "$di")
  3432. _debug d "$d"
  3433. (
  3434. if _endswith "$d" "$ECC_SUFFIX"; then
  3435. _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
  3436. d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
  3437. fi
  3438. _initpath "$d" "$_isEcc"
  3439. if [ -f "$DOMAIN_CONF" ]; then
  3440. . "$DOMAIN_CONF"
  3441. printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
  3442. fi
  3443. )
  3444. done
  3445. else
  3446. if _exists column; then
  3447. list "raw" | column -t -s "$_sep"
  3448. else
  3449. list "raw" | tr "$_sep" '\t'
  3450. fi
  3451. fi
  3452. }
  3453. _deploy() {
  3454. _d="$1"
  3455. _hooks="$2"
  3456. for _d_api in $(echo "$_hooks" | tr ',' " "); do
  3457. _deployApi="$(_findHook "$_d" deploy "$_d_api")"
  3458. if [ -z "$_deployApi" ]; then
  3459. _err "The deploy hook $_d_api is not found."
  3460. return 1
  3461. fi
  3462. _debug _deployApi "$_deployApi"
  3463. if ! (
  3464. if ! . "$_deployApi"; then
  3465. _err "Load file $_deployApi error. Please check your api file and try again."
  3466. return 1
  3467. fi
  3468. d_command="${_d_api}_deploy"
  3469. if ! _exists "$d_command"; then
  3470. _err "It seems that your api file is not correct, it must have a function named: $d_command"
  3471. return 1
  3472. fi
  3473. if ! $d_command "$_d" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$CERT_FULLCHAIN_PATH"; then
  3474. _err "Error deploy for domain:$_d"
  3475. return 1
  3476. fi
  3477. ); then
  3478. _err "Deploy error."
  3479. return 1
  3480. else
  3481. _info "$(__green Success)"
  3482. fi
  3483. done
  3484. }
  3485. #domain hooks
  3486. deploy() {
  3487. _d="$1"
  3488. _hooks="$2"
  3489. _isEcc="$3"
  3490. if [ -z "$_hooks" ]; then
  3491. _usage "Usage: $PROJECT_ENTRY --deploy -d domain.com --deploy-hook cpanel [--ecc] "
  3492. return 1
  3493. fi
  3494. _initpath "$_d" "$_isEcc"
  3495. if [ ! -d "$DOMAIN_PATH" ]; then
  3496. _err "Domain is not valid:'$_d'"
  3497. return 1
  3498. fi
  3499. . "$DOMAIN_CONF"
  3500. _savedomainconf Le_DeployHook "$_hooks"
  3501. _deploy "$_d" "$_hooks"
  3502. }
  3503. installcert() {
  3504. _main_domain="$1"
  3505. if [ -z "$_main_domain" ]; then
  3506. _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--cert-file cert-file-path] [--key-file key-file-path] [--ca-file ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchain-file fullchain-path]"
  3507. return 1
  3508. fi
  3509. _real_cert="$2"
  3510. _real_key="$3"
  3511. _real_ca="$4"
  3512. _reload_cmd="$5"
  3513. _real_fullchain="$6"
  3514. _isEcc="$7"
  3515. _initpath "$_main_domain" "$_isEcc"
  3516. if [ ! -d "$DOMAIN_PATH" ]; then
  3517. _err "Domain is not valid:'$_main_domain'"
  3518. return 1
  3519. fi
  3520. _savedomainconf "Le_RealCertPath" "$_real_cert"
  3521. _savedomainconf "Le_RealCACertPath" "$_real_ca"
  3522. _savedomainconf "Le_RealKeyPath" "$_real_key"
  3523. _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
  3524. _savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
  3525. _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
  3526. }
  3527. #domain cert key ca fullchain reloadcmd backup-prefix
  3528. _installcert() {
  3529. _main_domain="$1"
  3530. _real_cert="$2"
  3531. _real_key="$3"
  3532. _real_ca="$4"
  3533. _real_fullchain="$5"
  3534. _reload_cmd="$6"
  3535. _backup_prefix="$7"
  3536. if [ "$_real_cert" = "$NO_VALUE" ]; then
  3537. _real_cert=""
  3538. fi
  3539. if [ "$_real_key" = "$NO_VALUE" ]; then
  3540. _real_key=""
  3541. fi
  3542. if [ "$_real_ca" = "$NO_VALUE" ]; then
  3543. _real_ca=""
  3544. fi
  3545. if [ "$_reload_cmd" = "$NO_VALUE" ]; then
  3546. _reload_cmd=""
  3547. fi
  3548. if [ "$_real_fullchain" = "$NO_VALUE" ]; then
  3549. _real_fullchain=""
  3550. fi
  3551. _backup_path="$DOMAIN_BACKUP_PATH/$_backup_prefix"
  3552. mkdir -p "$_backup_path"
  3553. if [ "$_real_cert" ]; then
  3554. _info "Installing cert to:$_real_cert"
  3555. if [ -f "$_real_cert" ] && [ ! "$IS_RENEW" ]; then
  3556. cp "$_real_cert" "$_backup_path/cert.bak"
  3557. fi
  3558. cat "$CERT_PATH" >"$_real_cert"
  3559. fi
  3560. if [ "$_real_ca" ]; then
  3561. _info "Installing CA to:$_real_ca"
  3562. if [ "$_real_ca" = "$_real_cert" ]; then
  3563. echo "" >>"$_real_ca"
  3564. cat "$CA_CERT_PATH" >>"$_real_ca"
  3565. else
  3566. if [ -f "$_real_ca" ] && [ ! "$IS_RENEW" ]; then
  3567. cp "$_real_ca" "$_backup_path/ca.bak"
  3568. fi
  3569. cat "$CA_CERT_PATH" >"$_real_ca"
  3570. fi
  3571. fi
  3572. if [ "$_real_key" ]; then
  3573. _info "Installing key to:$_real_key"
  3574. if [ -f "$_real_key" ] && [ ! "$IS_RENEW" ]; then
  3575. cp "$_real_key" "$_backup_path/key.bak"
  3576. fi
  3577. cat "$CERT_KEY_PATH" >"$_real_key"
  3578. fi
  3579. if [ "$_real_fullchain" ]; then
  3580. _info "Installing full chain to:$_real_fullchain"
  3581. if [ -f "$_real_fullchain" ] && [ ! "$IS_RENEW" ]; then
  3582. cp "$_real_fullchain" "$_backup_path/fullchain.bak"
  3583. fi
  3584. cat "$CERT_FULLCHAIN_PATH" >"$_real_fullchain"
  3585. fi
  3586. if [ "$_reload_cmd" ]; then
  3587. _info "Run reload cmd: $_reload_cmd"
  3588. if (
  3589. export CERT_PATH
  3590. export CERT_KEY_PATH
  3591. export CA_CERT_PATH
  3592. export CERT_FULLCHAIN_PATH
  3593. export Le_Domain
  3594. cd "$DOMAIN_PATH" && eval "$_reload_cmd"
  3595. ); then
  3596. _info "$(__green "Reload success")"
  3597. else
  3598. _err "Reload error for :$Le_Domain"
  3599. fi
  3600. fi
  3601. }
  3602. #confighome
  3603. installcronjob() {
  3604. _c_home="$1"
  3605. _initpath
  3606. if ! _exists "crontab"; then
  3607. _err "crontab doesn't exist, so, we can not install cron jobs."
  3608. _err "All your certs will not be renewed automatically."
  3609. _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
  3610. return 1
  3611. fi
  3612. _info "Installing cron job"
  3613. if ! crontab -l | grep "$PROJECT_ENTRY --cron"; then
  3614. if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
  3615. lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
  3616. else
  3617. _err "Can not install cronjob, $PROJECT_ENTRY not found."
  3618. return 1
  3619. fi
  3620. if [ "$_c_home" ]; then
  3621. _c_entry="--config-home \"$_c_home\" "
  3622. fi
  3623. _t=$(_time)
  3624. random_minute=$(_math $_t % 60)
  3625. if _exists uname && uname -a | grep SunOS >/dev/null; then
  3626. crontab -l | {
  3627. cat
  3628. echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
  3629. } | crontab --
  3630. else
  3631. crontab -l | {
  3632. cat
  3633. echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
  3634. } | crontab -
  3635. fi
  3636. fi
  3637. if [ "$?" != "0" ]; then
  3638. _err "Install cron job failed. You need to manually renew your certs."
  3639. _err "Or you can add cronjob by yourself:"
  3640. _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  3641. return 1
  3642. fi
  3643. }
  3644. uninstallcronjob() {
  3645. if ! _exists "crontab"; then
  3646. return
  3647. fi
  3648. _info "Removing cron job"
  3649. cr="$(crontab -l | grep "$PROJECT_ENTRY --cron")"
  3650. if [ "$cr" ]; then
  3651. if _exists uname && uname -a | grep solaris >/dev/null; then
  3652. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab --
  3653. else
  3654. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab -
  3655. fi
  3656. LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
  3657. _info LE_WORKING_DIR "$LE_WORKING_DIR"
  3658. if _contains "$cr" "--config-home"; then
  3659. LE_CONFIG_HOME="$(echo "$cr" | cut -d ' ' -f 11 | tr -d '"')"
  3660. _debug LE_CONFIG_HOME "$LE_CONFIG_HOME"
  3661. fi
  3662. fi
  3663. _initpath
  3664. }
  3665. revoke() {
  3666. Le_Domain="$1"
  3667. if [ -z "$Le_Domain" ]; then
  3668. _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com [--ecc]"
  3669. return 1
  3670. fi
  3671. _isEcc="$2"
  3672. _initpath "$Le_Domain" "$_isEcc"
  3673. if [ ! -f "$DOMAIN_CONF" ]; then
  3674. _err "$Le_Domain is not a issued domain, skip."
  3675. return 1
  3676. fi
  3677. if [ ! -f "$CERT_PATH" ]; then
  3678. _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
  3679. return 1
  3680. fi
  3681. cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)"
  3682. if [ -z "$cert" ]; then
  3683. _err "Cert for $Le_Domain is empty found, skip."
  3684. return 1
  3685. fi
  3686. data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
  3687. uri="$API/acme/revoke-cert"
  3688. if [ -f "$CERT_KEY_PATH" ]; then
  3689. _info "Try domain key first."
  3690. if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then
  3691. if [ -z "$response" ]; then
  3692. _info "Revoke success."
  3693. rm -f "$CERT_PATH"
  3694. return 0
  3695. else
  3696. _err "Revoke error by domain key."
  3697. _err "$response"
  3698. fi
  3699. fi
  3700. else
  3701. _info "Domain key file doesn't exists."
  3702. fi
  3703. _info "Try account key."
  3704. if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then
  3705. if [ -z "$response" ]; then
  3706. _info "Revoke success."
  3707. rm -f "$CERT_PATH"
  3708. return 0
  3709. else
  3710. _err "Revoke error."
  3711. _debug "$response"
  3712. fi
  3713. fi
  3714. return 1
  3715. }
  3716. #domain ecc
  3717. remove() {
  3718. Le_Domain="$1"
  3719. if [ -z "$Le_Domain" ]; then
  3720. _usage "Usage: $PROJECT_ENTRY --remove -d domain.com [--ecc]"
  3721. return 1
  3722. fi
  3723. _isEcc="$2"
  3724. _initpath "$Le_Domain" "$_isEcc"
  3725. _removed_conf="$DOMAIN_CONF.removed"
  3726. if [ ! -f "$DOMAIN_CONF" ]; then
  3727. if [ -f "$_removed_conf" ]; then
  3728. _err "$Le_Domain is already removed, You can remove the folder by yourself: $DOMAIN_PATH"
  3729. else
  3730. _err "$Le_Domain is not a issued domain, skip."
  3731. fi
  3732. return 1
  3733. fi
  3734. if mv "$DOMAIN_CONF" "$_removed_conf"; then
  3735. _info "$Le_Domain is removed, the key and cert files are in $(__green $DOMAIN_PATH)"
  3736. _info "You can remove them by yourself."
  3737. return 0
  3738. else
  3739. _err "Remove $Le_Domain failed."
  3740. return 1
  3741. fi
  3742. }
  3743. #domain vtype
  3744. _deactivate() {
  3745. _d_domain="$1"
  3746. _d_type="$2"
  3747. _initpath
  3748. _d_i=0
  3749. _d_max_retry=9
  3750. while [ "$_d_i" -lt "$_d_max_retry" ]; do
  3751. _info "Deactivate: $_d_domain"
  3752. _d_i="$(_math $_d_i + 1)"
  3753. if ! __get_domain_new_authz "$_d_domain"; then
  3754. _err "Can not get domain new authz token."
  3755. return 1
  3756. fi
  3757. authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  3758. _debug "authzUri" "$authzUri"
  3759. if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
  3760. _err "new-authz error: $response"
  3761. return 1
  3762. fi
  3763. entry="$(printf "%s\n" "$response" | _egrep_o '{"type":"[^"]*","status":"valid","uri"[^}]*')"
  3764. _debug entry "$entry"
  3765. if [ -z "$entry" ]; then
  3766. _info "No more valid entry found."
  3767. break
  3768. fi
  3769. _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
  3770. _debug _vtype "$_vtype"
  3771. _info "Found $_vtype"
  3772. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
  3773. _debug uri "$uri"
  3774. if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
  3775. _info "Skip $_vtype"
  3776. continue
  3777. fi
  3778. _info "Deactivate: $_vtype"
  3779. if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}"; then
  3780. _err "Can not deactivate $_vtype."
  3781. return 1
  3782. fi
  3783. _info "Deactivate: $_vtype success."
  3784. done
  3785. _debug "$_d_i"
  3786. if [ "$_d_i" -lt "$_d_max_retry" ]; then
  3787. _info "Deactivated success!"
  3788. else
  3789. _err "Deactivate failed."
  3790. fi
  3791. }
  3792. deactivate() {
  3793. _d_domain_list="$1"
  3794. _d_type="$2"
  3795. _initpath
  3796. _debug _d_domain_list "$_d_domain_list"
  3797. if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
  3798. _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
  3799. return 1
  3800. fi
  3801. for _d_dm in $(echo "$_d_domain_list" | tr ',' ' '); do
  3802. if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ]; then
  3803. continue
  3804. fi
  3805. if ! _deactivate "$_d_dm" "$_d_type"; then
  3806. return 1
  3807. fi
  3808. done
  3809. }
  3810. # Detect profile file if not specified as environment variable
  3811. _detect_profile() {
  3812. if [ -n "$PROFILE" -a -f "$PROFILE" ]; then
  3813. echo "$PROFILE"
  3814. return
  3815. fi
  3816. DETECTED_PROFILE=''
  3817. SHELLTYPE="$(basename "/$SHELL")"
  3818. if [ "$SHELLTYPE" = "bash" ]; then
  3819. if [ -f "$HOME/.bashrc" ]; then
  3820. DETECTED_PROFILE="$HOME/.bashrc"
  3821. elif [ -f "$HOME/.bash_profile" ]; then
  3822. DETECTED_PROFILE="$HOME/.bash_profile"
  3823. fi
  3824. elif [ "$SHELLTYPE" = "zsh" ]; then
  3825. DETECTED_PROFILE="$HOME/.zshrc"
  3826. fi
  3827. if [ -z "$DETECTED_PROFILE" ]; then
  3828. if [ -f "$HOME/.profile" ]; then
  3829. DETECTED_PROFILE="$HOME/.profile"
  3830. elif [ -f "$HOME/.bashrc" ]; then
  3831. DETECTED_PROFILE="$HOME/.bashrc"
  3832. elif [ -f "$HOME/.bash_profile" ]; then
  3833. DETECTED_PROFILE="$HOME/.bash_profile"
  3834. elif [ -f "$HOME/.zshrc" ]; then
  3835. DETECTED_PROFILE="$HOME/.zshrc"
  3836. fi
  3837. fi
  3838. if [ ! -z "$DETECTED_PROFILE" ]; then
  3839. echo "$DETECTED_PROFILE"
  3840. fi
  3841. }
  3842. _initconf() {
  3843. _initpath
  3844. if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
  3845. echo "
  3846. #LOG_FILE=\"$DEFAULT_LOG_FILE\"
  3847. #LOG_LEVEL=1
  3848. #AUTO_UPGRADE=\"1\"
  3849. #NO_TIMESTAMP=1
  3850. " >"$ACCOUNT_CONF_PATH"
  3851. fi
  3852. }
  3853. # nocron
  3854. _precheck() {
  3855. _nocron="$1"
  3856. if ! _exists "curl" && ! _exists "wget"; then
  3857. _err "Please install curl or wget first, we need to access http resources."
  3858. return 1
  3859. fi
  3860. if [ -z "$_nocron" ]; then
  3861. if ! _exists "crontab"; then
  3862. _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
  3863. _err "We need to set cron job to renew the certs automatically."
  3864. _err "Otherwise, your certs will not be able to be renewed automatically."
  3865. if [ -z "$FORCE" ]; then
  3866. _err "Please add '--force' and try install again to go without crontab."
  3867. _err "./$PROJECT_ENTRY --install --force"
  3868. return 1
  3869. fi
  3870. fi
  3871. fi
  3872. if ! _exists "${ACME_OPENSSL_BIN:-openssl}"; then
  3873. _err "Please install openssl first. ACME_OPENSSL_BIN=$ACME_OPENSSL_BIN"
  3874. _err "We need openssl to generate keys."
  3875. return 1
  3876. fi
  3877. if ! _exists "nc"; then
  3878. _err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
  3879. _err "We use nc for standalone server if you use standalone mode."
  3880. _err "If you don't use standalone mode, just ignore this warning."
  3881. fi
  3882. return 0
  3883. }
  3884. _setShebang() {
  3885. _file="$1"
  3886. _shebang="$2"
  3887. if [ -z "$_shebang" ]; then
  3888. _usage "Usage: file shebang"
  3889. return 1
  3890. fi
  3891. cp "$_file" "$_file.tmp"
  3892. echo "$_shebang" >"$_file"
  3893. sed -n 2,99999p "$_file.tmp" >>"$_file"
  3894. rm -f "$_file.tmp"
  3895. }
  3896. #confighome
  3897. _installalias() {
  3898. _c_home="$1"
  3899. _initpath
  3900. _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  3901. if [ "$_upgrading" ] && [ "$_upgrading" = "1" ]; then
  3902. echo "$(cat "$_envfile")" | sed "s|^LE_WORKING_DIR.*$||" >"$_envfile"
  3903. echo "$(cat "$_envfile")" | sed "s|^alias le.*$||" >"$_envfile"
  3904. echo "$(cat "$_envfile")" | sed "s|^alias le.sh.*$||" >"$_envfile"
  3905. fi
  3906. if [ "$_c_home" ]; then
  3907. _c_entry=" --config-home '$_c_home'"
  3908. fi
  3909. _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
  3910. if [ "$_c_home" ]; then
  3911. _setopt "$_envfile" "export LE_CONFIG_HOME" "=" "\"$LE_CONFIG_HOME\""
  3912. fi
  3913. _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
  3914. _profile="$(_detect_profile)"
  3915. if [ "$_profile" ]; then
  3916. _debug "Found profile: $_profile"
  3917. _info "Installing alias to '$_profile'"
  3918. _setopt "$_profile" ". \"$_envfile\""
  3919. _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
  3920. else
  3921. _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
  3922. fi
  3923. #for csh
  3924. _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
  3925. _csh_profile="$HOME/.cshrc"
  3926. if [ -f "$_csh_profile" ]; then
  3927. _info "Installing alias to '$_csh_profile'"
  3928. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  3929. if [ "$_c_home" ]; then
  3930. _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\""
  3931. fi
  3932. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
  3933. _setopt "$_csh_profile" "source \"$_cshfile\""
  3934. fi
  3935. #for tcsh
  3936. _tcsh_profile="$HOME/.tcshrc"
  3937. if [ -f "$_tcsh_profile" ]; then
  3938. _info "Installing alias to '$_tcsh_profile'"
  3939. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  3940. if [ "$_c_home" ]; then
  3941. _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\""
  3942. fi
  3943. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
  3944. _setopt "$_tcsh_profile" "source \"$_cshfile\""
  3945. fi
  3946. }
  3947. # nocron confighome
  3948. install() {
  3949. if [ -z "$LE_WORKING_DIR" ]; then
  3950. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  3951. fi
  3952. _nocron="$1"
  3953. _c_home="$2"
  3954. if ! _initpath; then
  3955. _err "Install failed."
  3956. return 1
  3957. fi
  3958. if [ "$_nocron" ]; then
  3959. _debug "Skip install cron job"
  3960. fi
  3961. if ! _precheck "$_nocron"; then
  3962. _err "Pre-check failed, can not install."
  3963. return 1
  3964. fi
  3965. #convert from le
  3966. if [ -d "$HOME/.le" ]; then
  3967. for envfile in "le.env" "le.sh.env"; do
  3968. if [ -f "$HOME/.le/$envfile" ]; then
  3969. if grep "le.sh" "$HOME/.le/$envfile" >/dev/null; then
  3970. _upgrading="1"
  3971. _info "You are upgrading from le.sh"
  3972. _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
  3973. mv "$HOME/.le" "$LE_WORKING_DIR"
  3974. mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  3975. break
  3976. fi
  3977. fi
  3978. done
  3979. fi
  3980. _info "Installing to $LE_WORKING_DIR"
  3981. if ! mkdir -p "$LE_WORKING_DIR"; then
  3982. _err "Can not create working dir: $LE_WORKING_DIR"
  3983. return 1
  3984. fi
  3985. chmod 700 "$LE_WORKING_DIR"
  3986. if ! mkdir -p "$LE_CONFIG_HOME"; then
  3987. _err "Can not create config dir: $LE_CONFIG_HOME"
  3988. return 1
  3989. fi
  3990. chmod 700 "$LE_CONFIG_HOME"
  3991. cp "$PROJECT_ENTRY" "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
  3992. if [ "$?" != "0" ]; then
  3993. _err "Install failed, can not copy $PROJECT_ENTRY"
  3994. return 1
  3995. fi
  3996. _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
  3997. _installalias "$_c_home"
  3998. for subf in $_SUB_FOLDERS; do
  3999. if [ -d "$subf" ]; then
  4000. mkdir -p "$LE_WORKING_DIR/$subf"
  4001. cp "$subf"/* "$LE_WORKING_DIR"/"$subf"/
  4002. fi
  4003. done
  4004. if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
  4005. _initconf
  4006. fi
  4007. if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ]; then
  4008. _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
  4009. fi
  4010. if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ]; then
  4011. _saveaccountconf "CERT_HOME" "$CERT_HOME"
  4012. fi
  4013. if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ]; then
  4014. _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
  4015. fi
  4016. if [ -z "$_nocron" ]; then
  4017. installcronjob "$_c_home"
  4018. fi
  4019. if [ -z "$NO_DETECT_SH" ]; then
  4020. #Modify shebang
  4021. if _exists bash; then
  4022. _info "Good, bash is found, so change the shebang to use bash as preferred."
  4023. _shebang='#!'"$(env bash -c "command -v bash")"
  4024. _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
  4025. for subf in $_SUB_FOLDERS; do
  4026. if [ -d "$LE_WORKING_DIR/$subf" ]; then
  4027. for _apifile in "$LE_WORKING_DIR/$subf/"*.sh; do
  4028. _setShebang "$_apifile" "$_shebang"
  4029. done
  4030. fi
  4031. done
  4032. fi
  4033. fi
  4034. _info OK
  4035. }
  4036. # nocron
  4037. uninstall() {
  4038. _nocron="$1"
  4039. if [ -z "$_nocron" ]; then
  4040. uninstallcronjob
  4041. fi
  4042. _initpath
  4043. _uninstallalias
  4044. rm -f "$LE_WORKING_DIR/$PROJECT_ENTRY"
  4045. _info "The keys and certs are in \"$(__green "$LE_CONFIG_HOME")\", you can remove them by yourself."
  4046. }
  4047. _uninstallalias() {
  4048. _initpath
  4049. _profile="$(_detect_profile)"
  4050. if [ "$_profile" ]; then
  4051. _info "Uninstalling alias from: '$_profile'"
  4052. text="$(cat "$_profile")"
  4053. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" >"$_profile"
  4054. fi
  4055. _csh_profile="$HOME/.cshrc"
  4056. if [ -f "$_csh_profile" ]; then
  4057. _info "Uninstalling alias from: '$_csh_profile'"
  4058. text="$(cat "$_csh_profile")"
  4059. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_csh_profile"
  4060. fi
  4061. _tcsh_profile="$HOME/.tcshrc"
  4062. if [ -f "$_tcsh_profile" ]; then
  4063. _info "Uninstalling alias from: '$_csh_profile'"
  4064. text="$(cat "$_tcsh_profile")"
  4065. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_tcsh_profile"
  4066. fi
  4067. }
  4068. cron() {
  4069. IN_CRON=1
  4070. _initpath
  4071. _info "$(__green "===Starting cron===")"
  4072. if [ "$AUTO_UPGRADE" = "1" ]; then
  4073. export LE_WORKING_DIR
  4074. (
  4075. if ! upgrade; then
  4076. _err "Cron:Upgrade failed!"
  4077. return 1
  4078. fi
  4079. )
  4080. . "$LE_WORKING_DIR/$PROJECT_ENTRY" >/dev/null
  4081. if [ -t 1 ]; then
  4082. __INTERACTIVE="1"
  4083. fi
  4084. _info "Auto upgraded to: $VER"
  4085. fi
  4086. renewAll
  4087. _ret="$?"
  4088. IN_CRON=""
  4089. _info "$(__green "===End cron===")"
  4090. exit $_ret
  4091. }
  4092. version() {
  4093. echo "$PROJECT"
  4094. echo "v$VER"
  4095. }
  4096. showhelp() {
  4097. _initpath
  4098. version
  4099. echo "Usage: $PROJECT_ENTRY command ...[parameters]....
  4100. Commands:
  4101. --help, -h Show this help message.
  4102. --version, -v Show version info.
  4103. --install Install $PROJECT_NAME to your system.
  4104. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
  4105. --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT.
  4106. --issue Issue a cert.
  4107. --signcsr Issue a cert from an existing csr.
  4108. --deploy Deploy the cert to your server.
  4109. --install-cert Install the issued cert to apache/nginx or any other server.
  4110. --renew, -r Renew a cert.
  4111. --renew-all Renew all the certs.
  4112. --revoke Revoke a cert.
  4113. --remove Remove the cert from $PROJECT
  4114. --list List all the certs.
  4115. --showcsr Show the content of a csr.
  4116. --install-cronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  4117. --uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
  4118. --cron Run cron job to renew all the certs.
  4119. --toPkcs Export the certificate and key to a pfx file.
  4120. --toPkcs8 Convert to pkcs8 format.
  4121. --update-account Update account info.
  4122. --register-account Register account key.
  4123. --create-account-key Create an account private key, professional use.
  4124. --create-domain-key Create an domain private key, professional use.
  4125. --createCSR, -ccsr Create CSR , professional use.
  4126. --deactivate Deactivate the domain authz, professional use.
  4127. Parameters:
  4128. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
  4129. --force, -f Used to force to install or force to renew a cert immediately.
  4130. --staging, --test Use staging server, just for test.
  4131. --debug Output debug info.
  4132. --output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
  4133. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
  4134. --standalone Use standalone mode.
  4135. --stateless Use stateless mode, see: $_STATELESS_WIKI
  4136. --tls Use standalone tls mode.
  4137. --apache Use apache mode.
  4138. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
  4139. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  4140. --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  4141. --accountkeylength, -ak [2048] Specifies the account key length.
  4142. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  4143. --log-level 1|2 Specifies the log level, default is 1.
  4144. --syslog [0|3|6|7] Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
  4145. These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
  4146. --cert-file After issue/renew, the cert will be copied to this path.
  4147. --key-file After issue/renew, the key will be copied to this path.
  4148. --ca-file After issue/renew, the intermediate cert will be copied to this path.
  4149. --fullchain-file After issue/renew, the fullchain cert will be copied to this path.
  4150. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  4151. --accountconf Specifies a customized account config file.
  4152. --home Specifies the home dir for $PROJECT_NAME .
  4153. --cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
  4154. --config-home Specifies the home dir to save all the configurations.
  4155. --useragent Specifies the user agent string. it will be saved for future use too.
  4156. --accountemail Specifies the account email for registering, Only valid for the '--install' command.
  4157. --accountkey Specifies the account key path, Only valid for the '--install' command.
  4158. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
  4159. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  4160. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  4161. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  4162. --listraw Only used for '--list' command, list the certs in raw format.
  4163. --stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  4164. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  4165. --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
  4166. --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
  4167. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  4168. --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  4169. --csr Specifies the input csr.
  4170. --pre-hook Command to be run before obtaining any certificates.
  4171. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
  4172. --renew-hook Command to be run once for each successfully renewed certificate.
  4173. --deploy-hook The hook file to deploy cert
  4174. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
  4175. --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  4176. --listen-v4 Force standalone/tls server to listen at ipv4.
  4177. --listen-v6 Force standalone/tls server to listen at ipv6.
  4178. --openssl-bin Specifies a custom openssl bin location.
  4179. --use-wget Force to use wget, if you have both curl and wget installed.
  4180. "
  4181. }
  4182. # nocron
  4183. _installOnline() {
  4184. _info "Installing from online archive."
  4185. _nocron="$1"
  4186. if [ ! "$BRANCH" ]; then
  4187. BRANCH="master"
  4188. fi
  4189. target="$PROJECT/archive/$BRANCH.tar.gz"
  4190. _info "Downloading $target"
  4191. localname="$BRANCH.tar.gz"
  4192. if ! _get "$target" >$localname; then
  4193. _err "Download error."
  4194. return 1
  4195. fi
  4196. (
  4197. _info "Extracting $localname"
  4198. if ! (tar xzf $localname || gtar xzf $localname); then
  4199. _err "Extraction error."
  4200. exit 1
  4201. fi
  4202. cd "$PROJECT_NAME-$BRANCH"
  4203. chmod +x $PROJECT_ENTRY
  4204. if ./$PROJECT_ENTRY install "$_nocron"; then
  4205. _info "Install success!"
  4206. fi
  4207. cd ..
  4208. rm -rf "$PROJECT_NAME-$BRANCH"
  4209. rm -f "$localname"
  4210. )
  4211. }
  4212. upgrade() {
  4213. if (
  4214. _initpath
  4215. export LE_WORKING_DIR
  4216. cd "$LE_WORKING_DIR"
  4217. _installOnline "nocron"
  4218. ); then
  4219. _info "Upgrade success!"
  4220. exit 0
  4221. else
  4222. _err "Upgrade failed!"
  4223. exit 1
  4224. fi
  4225. }
  4226. _processAccountConf() {
  4227. if [ "$_useragent" ]; then
  4228. _saveaccountconf "USER_AGENT" "$_useragent"
  4229. elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ]; then
  4230. _saveaccountconf "USER_AGENT" "$USER_AGENT"
  4231. fi
  4232. if [ "$_accountemail" ]; then
  4233. _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  4234. elif [ "$ACCOUNT_EMAIL" ] && [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ]; then
  4235. _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
  4236. fi
  4237. if [ "$_openssl_bin" ]; then
  4238. _saveaccountconf "ACME_OPENSSL_BIN" "$_openssl_bin"
  4239. elif [ "$ACME_OPENSSL_BIN" ] && [ "$ACME_OPENSSL_BIN" != "$DEFAULT_OPENSSL_BIN" ]; then
  4240. _saveaccountconf "ACME_OPENSSL_BIN" "$ACME_OPENSSL_BIN"
  4241. fi
  4242. if [ "$_auto_upgrade" ]; then
  4243. _saveaccountconf "AUTO_UPGRADE" "$_auto_upgrade"
  4244. elif [ "$AUTO_UPGRADE" ]; then
  4245. _saveaccountconf "AUTO_UPGRADE" "$AUTO_UPGRADE"
  4246. fi
  4247. if [ "$_use_wget" ]; then
  4248. _saveaccountconf "ACME_USE_WGET" "$_use_wget"
  4249. elif [ "$ACME_USE_WGET" ]; then
  4250. _saveaccountconf "ACME_USE_WGET" "$ACME_USE_WGET"
  4251. fi
  4252. }
  4253. _process() {
  4254. _CMD=""
  4255. _domain=""
  4256. _altdomains="$NO_VALUE"
  4257. _webroot=""
  4258. _keylength=""
  4259. _accountkeylength=""
  4260. _cert_file=""
  4261. _key_file=""
  4262. _ca_file=""
  4263. _fullchain_file=""
  4264. _reloadcmd=""
  4265. _password=""
  4266. _accountconf=""
  4267. _useragent=""
  4268. _accountemail=""
  4269. _accountkey=""
  4270. _certhome=""
  4271. _confighome=""
  4272. _httpport=""
  4273. _tlsport=""
  4274. _dnssleep=""
  4275. _listraw=""
  4276. _stopRenewOnError=""
  4277. #_insecure=""
  4278. _ca_bundle=""
  4279. _ca_path=""
  4280. _nocron=""
  4281. _ecc=""
  4282. _csr=""
  4283. _pre_hook=""
  4284. _post_hook=""
  4285. _renew_hook=""
  4286. _deploy_hook=""
  4287. _logfile=""
  4288. _log=""
  4289. _local_address=""
  4290. _log_level=""
  4291. _auto_upgrade=""
  4292. _listen_v4=""
  4293. _listen_v6=""
  4294. _openssl_bin=""
  4295. _syslog=""
  4296. _use_wget=""
  4297. while [ ${#} -gt 0 ]; do
  4298. case "${1}" in
  4299. --help | -h)
  4300. showhelp
  4301. return
  4302. ;;
  4303. --version | -v)
  4304. version
  4305. return
  4306. ;;
  4307. --install)
  4308. _CMD="install"
  4309. ;;
  4310. --uninstall)
  4311. _CMD="uninstall"
  4312. ;;
  4313. --upgrade)
  4314. _CMD="upgrade"
  4315. ;;
  4316. --issue)
  4317. _CMD="issue"
  4318. ;;
  4319. --deploy)
  4320. _CMD="deploy"
  4321. ;;
  4322. --signcsr)
  4323. _CMD="signcsr"
  4324. ;;
  4325. --showcsr)
  4326. _CMD="showcsr"
  4327. ;;
  4328. --installcert | -i | --install-cert)
  4329. _CMD="installcert"
  4330. ;;
  4331. --renew | -r)
  4332. _CMD="renew"
  4333. ;;
  4334. --renewAll | --renewall | --renew-all)
  4335. _CMD="renewAll"
  4336. ;;
  4337. --revoke)
  4338. _CMD="revoke"
  4339. ;;
  4340. --remove)
  4341. _CMD="remove"
  4342. ;;
  4343. --list)
  4344. _CMD="list"
  4345. ;;
  4346. --installcronjob | --install-cronjob)
  4347. _CMD="installcronjob"
  4348. ;;
  4349. --uninstallcronjob | --uninstall-cronjob)
  4350. _CMD="uninstallcronjob"
  4351. ;;
  4352. --cron)
  4353. _CMD="cron"
  4354. ;;
  4355. --toPkcs)
  4356. _CMD="toPkcs"
  4357. ;;
  4358. --toPkcs8)
  4359. _CMD="toPkcs8"
  4360. ;;
  4361. --createAccountKey | --createaccountkey | -cak | --create-account-key)
  4362. _CMD="createAccountKey"
  4363. ;;
  4364. --createDomainKey | --createdomainkey | -cdk | --create-domain-key)
  4365. _CMD="createDomainKey"
  4366. ;;
  4367. --createCSR | --createcsr | -ccr)
  4368. _CMD="createCSR"
  4369. ;;
  4370. --deactivate)
  4371. _CMD="deactivate"
  4372. ;;
  4373. --updateaccount | --update-account)
  4374. _CMD="updateaccount"
  4375. ;;
  4376. --registeraccount | --register-account)
  4377. _CMD="registeraccount"
  4378. ;;
  4379. --domain | -d)
  4380. _dvalue="$2"
  4381. if [ "$_dvalue" ]; then
  4382. if _startswith "$_dvalue" "-"; then
  4383. _err "'$_dvalue' is not a valid domain for parameter '$1'"
  4384. return 1
  4385. fi
  4386. if _is_idn "$_dvalue" && ! _exists idn; then
  4387. _err "It seems that $_dvalue is an IDN( Internationalized Domain Names), please install 'idn' command first."
  4388. return 1
  4389. fi
  4390. if [ -z "$_domain" ]; then
  4391. _domain="$_dvalue"
  4392. else
  4393. if [ "$_altdomains" = "$NO_VALUE" ]; then
  4394. _altdomains="$_dvalue"
  4395. else
  4396. _altdomains="$_altdomains,$_dvalue"
  4397. fi
  4398. fi
  4399. fi
  4400. shift
  4401. ;;
  4402. --force | -f)
  4403. FORCE="1"
  4404. ;;
  4405. --staging | --test)
  4406. STAGE="1"
  4407. ;;
  4408. --debug)
  4409. if [ -z "$2" ] || _startswith "$2" "-"; then
  4410. DEBUG="$DEBUG_LEVEL_DEFAULT"
  4411. else
  4412. DEBUG="$2"
  4413. shift
  4414. fi
  4415. ;;
  4416. --output-insecure)
  4417. export OUTPUT_INSECURE=1
  4418. ;;
  4419. --webroot | -w)
  4420. wvalue="$2"
  4421. if [ -z "$_webroot" ]; then
  4422. _webroot="$wvalue"
  4423. else
  4424. _webroot="$_webroot,$wvalue"
  4425. fi
  4426. shift
  4427. ;;
  4428. --standalone)
  4429. wvalue="$NO_VALUE"
  4430. if [ -z "$_webroot" ]; then
  4431. _webroot="$wvalue"
  4432. else
  4433. _webroot="$_webroot,$wvalue"
  4434. fi
  4435. ;;
  4436. --stateless)
  4437. wvalue="$MODE_STATELESS"
  4438. if [ -z "$_webroot" ]; then
  4439. _webroot="$wvalue"
  4440. else
  4441. _webroot="$_webroot,$wvalue"
  4442. fi
  4443. ;;
  4444. --local-address)
  4445. lvalue="$2"
  4446. _local_address="$_local_address$lvalue,"
  4447. shift
  4448. ;;
  4449. --apache)
  4450. wvalue="apache"
  4451. if [ -z "$_webroot" ]; then
  4452. _webroot="$wvalue"
  4453. else
  4454. _webroot="$_webroot,$wvalue"
  4455. fi
  4456. ;;
  4457. --nginx)
  4458. wvalue="$NGINX"
  4459. if [ -z "$_webroot" ]; then
  4460. _webroot="$wvalue"
  4461. else
  4462. _webroot="$_webroot,$wvalue"
  4463. fi
  4464. ;;
  4465. --tls)
  4466. wvalue="$W_TLS"
  4467. if [ -z "$_webroot" ]; then
  4468. _webroot="$wvalue"
  4469. else
  4470. _webroot="$_webroot,$wvalue"
  4471. fi
  4472. ;;
  4473. --dns)
  4474. wvalue="dns"
  4475. if ! _startswith "$2" "-"; then
  4476. wvalue="$2"
  4477. shift
  4478. fi
  4479. if [ -z "$_webroot" ]; then
  4480. _webroot="$wvalue"
  4481. else
  4482. _webroot="$_webroot,$wvalue"
  4483. fi
  4484. ;;
  4485. --dnssleep)
  4486. _dnssleep="$2"
  4487. Le_DNSSleep="$_dnssleep"
  4488. shift
  4489. ;;
  4490. --keylength | -k)
  4491. _keylength="$2"
  4492. shift
  4493. ;;
  4494. --accountkeylength | -ak)
  4495. _accountkeylength="$2"
  4496. shift
  4497. ;;
  4498. --cert-file | --certpath)
  4499. _cert_file="$2"
  4500. shift
  4501. ;;
  4502. --key-file | --keypath)
  4503. _key_file="$2"
  4504. shift
  4505. ;;
  4506. --ca-file | --capath)
  4507. _ca_file="$2"
  4508. shift
  4509. ;;
  4510. --fullchain-file | --fullchainpath)
  4511. _fullchain_file="$2"
  4512. shift
  4513. ;;
  4514. --reloadcmd | --reloadCmd)
  4515. _reloadcmd="$2"
  4516. shift
  4517. ;;
  4518. --password)
  4519. _password="$2"
  4520. shift
  4521. ;;
  4522. --accountconf)
  4523. _accountconf="$2"
  4524. ACCOUNT_CONF_PATH="$_accountconf"
  4525. shift
  4526. ;;
  4527. --home)
  4528. LE_WORKING_DIR="$2"
  4529. shift
  4530. ;;
  4531. --certhome | --cert-home)
  4532. _certhome="$2"
  4533. CERT_HOME="$_certhome"
  4534. shift
  4535. ;;
  4536. --config-home)
  4537. _confighome="$2"
  4538. LE_CONFIG_HOME="$_confighome"
  4539. shift
  4540. ;;
  4541. --useragent)
  4542. _useragent="$2"
  4543. USER_AGENT="$_useragent"
  4544. shift
  4545. ;;
  4546. --accountemail)
  4547. _accountemail="$2"
  4548. ACCOUNT_EMAIL="$_accountemail"
  4549. shift
  4550. ;;
  4551. --accountkey)
  4552. _accountkey="$2"
  4553. ACCOUNT_KEY_PATH="$_accountkey"
  4554. shift
  4555. ;;
  4556. --days)
  4557. _days="$2"
  4558. Le_RenewalDays="$_days"
  4559. shift
  4560. ;;
  4561. --httpport)
  4562. _httpport="$2"
  4563. Le_HTTPPort="$_httpport"
  4564. shift
  4565. ;;
  4566. --tlsport)
  4567. _tlsport="$2"
  4568. Le_TLSPort="$_tlsport"
  4569. shift
  4570. ;;
  4571. --listraw)
  4572. _listraw="raw"
  4573. ;;
  4574. --stopRenewOnError | --stoprenewonerror | -se)
  4575. _stopRenewOnError="1"
  4576. ;;
  4577. --insecure)
  4578. #_insecure="1"
  4579. HTTPS_INSECURE="1"
  4580. ;;
  4581. --ca-bundle)
  4582. _ca_bundle="$(_readlink -f "$2")"
  4583. CA_BUNDLE="$_ca_bundle"
  4584. shift
  4585. ;;
  4586. --ca-path)
  4587. _ca_path="$2"
  4588. CA_PATH="$_ca_path"
  4589. shift
  4590. ;;
  4591. --nocron)
  4592. _nocron="1"
  4593. ;;
  4594. --ecc)
  4595. _ecc="isEcc"
  4596. ;;
  4597. --csr)
  4598. _csr="$2"
  4599. shift
  4600. ;;
  4601. --pre-hook)
  4602. _pre_hook="$2"
  4603. shift
  4604. ;;
  4605. --post-hook)
  4606. _post_hook="$2"
  4607. shift
  4608. ;;
  4609. --renew-hook)
  4610. _renew_hook="$2"
  4611. shift
  4612. ;;
  4613. --deploy-hook)
  4614. if [ -z "$2" ] || _startswith "$2" "-"; then
  4615. _usage "Please specify a value for '--deploy-hook'"
  4616. return 1
  4617. fi
  4618. _deploy_hook="$_deploy_hook$2,"
  4619. shift
  4620. ;;
  4621. --ocsp-must-staple | --ocsp)
  4622. Le_OCSP_Staple="1"
  4623. ;;
  4624. --log | --logfile)
  4625. _log="1"
  4626. _logfile="$2"
  4627. if _startswith "$_logfile" '-'; then
  4628. _logfile=""
  4629. else
  4630. shift
  4631. fi
  4632. LOG_FILE="$_logfile"
  4633. if [ -z "$LOG_LEVEL" ]; then
  4634. LOG_LEVEL="$DEFAULT_LOG_LEVEL"
  4635. fi
  4636. ;;
  4637. --log-level)
  4638. _log_level="$2"
  4639. LOG_LEVEL="$_log_level"
  4640. shift
  4641. ;;
  4642. --syslog)
  4643. if ! _startswith "$2" '-'; then
  4644. _syslog="$2"
  4645. shift
  4646. fi
  4647. if [ -z "$_syslog" ]; then
  4648. _syslog="$SYSLOG_LEVEL_DEFAULT"
  4649. fi
  4650. ;;
  4651. --auto-upgrade)
  4652. _auto_upgrade="$2"
  4653. if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then
  4654. _auto_upgrade="1"
  4655. else
  4656. shift
  4657. fi
  4658. AUTO_UPGRADE="$_auto_upgrade"
  4659. ;;
  4660. --listen-v4)
  4661. _listen_v4="1"
  4662. Le_Listen_V4="$_listen_v4"
  4663. ;;
  4664. --listen-v6)
  4665. _listen_v6="1"
  4666. Le_Listen_V6="$_listen_v6"
  4667. ;;
  4668. --openssl-bin)
  4669. _openssl_bin="$2"
  4670. ACME_OPENSSL_BIN="$_openssl_bin"
  4671. shift
  4672. ;;
  4673. --use-wget)
  4674. _use_wget="1"
  4675. ACME_USE_WGET="1"
  4676. ;;
  4677. *)
  4678. _err "Unknown parameter : $1"
  4679. return 1
  4680. ;;
  4681. esac
  4682. shift 1
  4683. done
  4684. if [ "${_CMD}" != "install" ]; then
  4685. __initHome
  4686. if [ "$_log" ]; then
  4687. if [ -z "$_logfile" ]; then
  4688. _logfile="$DEFAULT_LOG_FILE"
  4689. fi
  4690. fi
  4691. if [ "$_logfile" ]; then
  4692. _saveaccountconf "LOG_FILE" "$_logfile"
  4693. LOG_FILE="$_logfile"
  4694. fi
  4695. if [ "$_log_level" ]; then
  4696. _saveaccountconf "LOG_LEVEL" "$_log_level"
  4697. LOG_LEVEL="$_log_level"
  4698. fi
  4699. if [ "$_syslog" ]; then
  4700. if _exists logger; then
  4701. if [ "$_syslog" = "0" ]; then
  4702. _clearaccountconf "SYS_LOG"
  4703. else
  4704. _saveaccountconf "SYS_LOG" "$_syslog"
  4705. fi
  4706. SYS_LOG="$_syslog"
  4707. else
  4708. _err "The 'logger' command is not found, can not enable syslog."
  4709. _clearaccountconf "SYS_LOG"
  4710. SYS_LOG=""
  4711. fi
  4712. fi
  4713. _processAccountConf
  4714. fi
  4715. _debug2 LE_WORKING_DIR "$LE_WORKING_DIR"
  4716. if [ "$DEBUG" ]; then
  4717. version
  4718. fi
  4719. case "${_CMD}" in
  4720. install) install "$_nocron" "$_confighome" ;;
  4721. uninstall) uninstall "$_nocron" ;;
  4722. upgrade) upgrade ;;
  4723. issue)
  4724. issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
  4725. ;;
  4726. deploy)
  4727. deploy "$_domain" "$_deploy_hook" "$_ecc"
  4728. ;;
  4729. signcsr)
  4730. signcsr "$_csr" "$_webroot"
  4731. ;;
  4732. showcsr)
  4733. showcsr "$_csr" "$_domain"
  4734. ;;
  4735. installcert)
  4736. installcert "$_domain" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_ecc"
  4737. ;;
  4738. renew)
  4739. renew "$_domain" "$_ecc"
  4740. ;;
  4741. renewAll)
  4742. renewAll "$_stopRenewOnError"
  4743. ;;
  4744. revoke)
  4745. revoke "$_domain" "$_ecc"
  4746. ;;
  4747. remove)
  4748. remove "$_domain" "$_ecc"
  4749. ;;
  4750. deactivate)
  4751. deactivate "$_domain,$_altdomains"
  4752. ;;
  4753. registeraccount)
  4754. registeraccount "$_accountkeylength"
  4755. ;;
  4756. updateaccount)
  4757. updateaccount
  4758. ;;
  4759. list)
  4760. list "$_listraw"
  4761. ;;
  4762. installcronjob) installcronjob "$_confighome" ;;
  4763. uninstallcronjob) uninstallcronjob ;;
  4764. cron) cron ;;
  4765. toPkcs)
  4766. toPkcs "$_domain" "$_password" "$_ecc"
  4767. ;;
  4768. toPkcs8)
  4769. toPkcs8 "$_domain" "$_ecc"
  4770. ;;
  4771. createAccountKey)
  4772. createAccountKey "$_accountkeylength"
  4773. ;;
  4774. createDomainKey)
  4775. createDomainKey "$_domain" "$_keylength"
  4776. ;;
  4777. createCSR)
  4778. createCSR "$_domain" "$_altdomains" "$_ecc"
  4779. ;;
  4780. *)
  4781. if [ "$_CMD" ]; then
  4782. _err "Invalid command: $_CMD"
  4783. fi
  4784. showhelp
  4785. return 1
  4786. ;;
  4787. esac
  4788. _ret="$?"
  4789. if [ "$_ret" != "0" ]; then
  4790. return $_ret
  4791. fi
  4792. if [ "${_CMD}" = "install" ]; then
  4793. if [ "$_log" ]; then
  4794. if [ -z "$LOG_FILE" ]; then
  4795. LOG_FILE="$DEFAULT_LOG_FILE"
  4796. fi
  4797. _saveaccountconf "LOG_FILE" "$LOG_FILE"
  4798. fi
  4799. if [ "$_log_level" ]; then
  4800. _saveaccountconf "LOG_LEVEL" "$_log_level"
  4801. fi
  4802. if [ "$_syslog" ]; then
  4803. if _exists logger; then
  4804. if [ "$_syslog" = "0" ]; then
  4805. _clearaccountconf "SYS_LOG"
  4806. else
  4807. _saveaccountconf "SYS_LOG" "$_syslog"
  4808. fi
  4809. else
  4810. _err "The 'logger' command is not found, can not enable syslog."
  4811. _clearaccountconf "SYS_LOG"
  4812. SYS_LOG=""
  4813. fi
  4814. fi
  4815. _processAccountConf
  4816. fi
  4817. }
  4818. if [ "$INSTALLONLINE" ]; then
  4819. INSTALLONLINE=""
  4820. _installOnline
  4821. exit
  4822. fi
  4823. main() {
  4824. [ -z "$1" ] && showhelp && return
  4825. if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
  4826. }
  4827. main "$@"