You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

4090 lines
101 KiB

9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
8 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
8 years ago
8 years ago
  1. #!/usr/bin/env sh
  2. VER=2.6.0
  3. PROJECT_NAME="acme.sh"
  4. PROJECT_ENTRY="acme.sh"
  5. PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
  6. DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
  7. _SCRIPT_="$0"
  8. DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
  9. DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  10. DEFAULT_USER_AGENT="$PROJECT_ENTRY client v$VER : $PROJECT"
  11. DEFAULT_ACCOUNT_EMAIL=""
  12. STAGE_CA="https://acme-staging.api.letsencrypt.org"
  13. VTYPE_HTTP="http-01"
  14. VTYPE_DNS="dns-01"
  15. VTYPE_TLS="tls-sni-01"
  16. VTYPE_TLS2="tls-sni-02"
  17. LOCAL_ANY_ADDRESS="0.0.0.0"
  18. MAX_RENEW=60
  19. DEFAULT_DNS_SLEEP=120
  20. NO_VALUE="no"
  21. W_TLS="tls"
  22. STATE_VERIFIED="verified_ok"
  23. BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
  24. END_CSR="-----END CERTIFICATE REQUEST-----"
  25. BEGIN_CERT="-----BEGIN CERTIFICATE-----"
  26. END_CERT="-----END CERTIFICATE-----"
  27. RENEW_SKIP=2
  28. ECC_SEP="_"
  29. ECC_SUFFIX="${ECC_SEP}ecc"
  30. LOG_LEVEL_1=1
  31. LOG_LEVEL_2=2
  32. LOG_LEVEL_3=3
  33. DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
  34. _DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
  35. __INTERACTIVE=""
  36. if [ -t 1 ] ; then
  37. __INTERACTIVE="1"
  38. fi
  39. __green() {
  40. if [ "$__INTERACTIVE" ] ; then
  41. printf '\033[1;31;32m'
  42. fi
  43. printf -- "$1"
  44. if [ "$__INTERACTIVE" ] ; then
  45. printf '\033[0m'
  46. fi
  47. }
  48. __red() {
  49. if [ "$__INTERACTIVE" ] ; then
  50. printf '\033[1;31;40m'
  51. fi
  52. printf -- "$1"
  53. if [ "$__INTERACTIVE" ] ; then
  54. printf '\033[0m'
  55. fi
  56. }
  57. _printargs() {
  58. if [ -z "$2" ] ; then
  59. printf -- "[$(date)] $1"
  60. else
  61. printf -- "[$(date)] $1='$2'"
  62. fi
  63. printf "\n"
  64. }
  65. _log() {
  66. [ -z "$LOG_FILE" ] && return
  67. _printargs "$@" >> "$LOG_FILE"
  68. }
  69. _info() {
  70. _log "$@"
  71. _printargs "$@"
  72. }
  73. _err() {
  74. _log "$@"
  75. printf -- "[$(date)] " >&2
  76. if [ -z "$2" ] ; then
  77. __red "$1" >&2
  78. else
  79. __red "$1='$2'" >&2
  80. fi
  81. printf "\n" >&2
  82. return 1
  83. }
  84. _usage() {
  85. __red "$@" >&2
  86. printf "\n" >&2
  87. }
  88. _debug() {
  89. if [ -z "$LOG_LEVEL" ] || [ "$LOG_LEVEL" -ge "$LOG_LEVEL_1" ] ; then
  90. _log "$@"
  91. fi
  92. if [ -z "$DEBUG" ] ; then
  93. return
  94. fi
  95. _printargs "$@" >&2
  96. }
  97. _debug2() {
  98. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_2" ] ; then
  99. _log "$@"
  100. fi
  101. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  102. _debug "$@"
  103. fi
  104. }
  105. _debug3() {
  106. if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_3" ] ; then
  107. _log "$@"
  108. fi
  109. if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ] ; then
  110. _debug "$@"
  111. fi
  112. }
  113. _startswith(){
  114. _str="$1"
  115. _sub="$2"
  116. echo "$_str" | grep "^$_sub" >/dev/null 2>&1
  117. }
  118. _endswith(){
  119. _str="$1"
  120. _sub="$2"
  121. echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
  122. }
  123. _contains(){
  124. _str="$1"
  125. _sub="$2"
  126. echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
  127. }
  128. _hasfield() {
  129. _str="$1"
  130. _field="$2"
  131. _sep="$3"
  132. if [ -z "$_field" ] ; then
  133. _usage "Usage: str field [sep]"
  134. return 1
  135. fi
  136. if [ -z "$_sep" ] ; then
  137. _sep=","
  138. fi
  139. for f in $(echo "$_str" | tr ',' ' ') ; do
  140. if [ "$f" = "$_field" ] ; then
  141. _debug2 "'$_str' contains '$_field'"
  142. return 0 #contains ok
  143. fi
  144. done
  145. _debug2 "'$_str' does not contain '$_field'"
  146. return 1 #not contains
  147. }
  148. _getfield(){
  149. _str="$1"
  150. _findex="$2"
  151. _sep="$3"
  152. if [ -z "$_findex" ] ; then
  153. _usage "Usage: str field [sep]"
  154. return 1
  155. fi
  156. if [ -z "$_sep" ] ; then
  157. _sep=","
  158. fi
  159. _ffi=$_findex
  160. while [ "$_ffi" -gt "0" ]
  161. do
  162. _fv="$(echo "$_str" | cut -d $_sep -f $_ffi)"
  163. if [ "$_fv" ] ; then
  164. printf -- "%s" "$_fv"
  165. return 0
  166. fi
  167. _ffi="$(_math $_ffi - 1)"
  168. done
  169. printf -- "%s" "$_str"
  170. }
  171. _exists(){
  172. cmd="$1"
  173. if [ -z "$cmd" ] ; then
  174. _usage "Usage: _exists cmd"
  175. return 1
  176. fi
  177. if type command >/dev/null 2>&1 ; then
  178. command -v "$cmd" >/dev/null 2>&1
  179. else
  180. type "$cmd" >/dev/null 2>&1
  181. fi
  182. ret="$?"
  183. _debug3 "$cmd exists=$ret"
  184. return $ret
  185. }
  186. #a + b
  187. _math(){
  188. expr "$@"
  189. }
  190. _h_char_2_dec() {
  191. _ch=$1
  192. case "${_ch}" in
  193. a|A)
  194. printf "10"
  195. ;;
  196. b|B)
  197. printf "11"
  198. ;;
  199. c|C)
  200. printf "12"
  201. ;;
  202. d|D)
  203. printf "13"
  204. ;;
  205. e|E)
  206. printf "14"
  207. ;;
  208. f|F)
  209. printf "15"
  210. ;;
  211. *)
  212. printf "%s" "$_ch"
  213. ;;
  214. esac
  215. }
  216. _URGLY_PRINTF=""
  217. if [ "$(printf '\x41')" != 'A' ] ; then
  218. _URGLY_PRINTF=1
  219. fi
  220. _h2b() {
  221. hex=$(cat)
  222. i=1
  223. j=2
  224. if _exists let ; then
  225. uselet="1"
  226. fi
  227. _debug3 uselet "$uselet"
  228. _debug3 _URGLY_PRINTF "$_URGLY_PRINTF"
  229. while true ; do
  230. if [ -z "$_URGLY_PRINTF" ] ; then
  231. h="$(printf $hex | cut -c $i-$j)"
  232. if [ -z "$h" ] ; then
  233. break;
  234. fi
  235. printf "\x$h"
  236. else
  237. ic="$(printf $hex | cut -c $i)"
  238. jc="$(printf $hex | cut -c $j)"
  239. if [ -z "$ic$jc" ] ; then
  240. break;
  241. fi
  242. ic="$(_h_char_2_dec "$ic")"
  243. jc="$(_h_char_2_dec "$jc")"
  244. printf '\'"$(printf %o "$(_math $ic \* 16 + $jc)")"
  245. fi
  246. if [ "$uselet" ] ; then
  247. let "i+=2" >/dev/null
  248. let "j+=2" >/dev/null
  249. else
  250. i="$(_math $i + 2)"
  251. j="$(_math $j + 2)"
  252. fi
  253. done
  254. }
  255. #options file
  256. _sed_i() {
  257. options="$1"
  258. filename="$2"
  259. if [ -z "$filename" ] ; then
  260. _usage "Usage:_sed_i options filename"
  261. return 1
  262. fi
  263. _debug2 options "$options"
  264. if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
  265. _debug "Using sed -i"
  266. sed -i "$options" "$filename"
  267. else
  268. _debug "No -i support in sed"
  269. text="$(cat "$filename")"
  270. echo "$text" | sed "$options" > "$filename"
  271. fi
  272. }
  273. _egrep_o() {
  274. if _contains "$(egrep -o 2>&1)" "egrep: illegal option -- o" ; then
  275. sed -n 's/.*\('"$1"'\).*/\1/p'
  276. else
  277. egrep -o "$1"
  278. fi
  279. }
  280. #Usage: file startline endline
  281. _getfile() {
  282. filename="$1"
  283. startline="$2"
  284. endline="$3"
  285. if [ -z "$endline" ] ; then
  286. _usage "Usage: file startline endline"
  287. return 1
  288. fi
  289. i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
  290. if [ -z "$i" ] ; then
  291. _err "Can not find start line: $startline"
  292. return 1
  293. fi
  294. i="$(_math "$i" + 1)"
  295. _debug i "$i"
  296. j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
  297. if [ -z "$j" ] ; then
  298. _err "Can not find end line: $endline"
  299. return 1
  300. fi
  301. j="$(_math "$j" - 1)"
  302. _debug j "$j"
  303. sed -n "$i,${j}p" "$filename"
  304. }
  305. #Usage: multiline
  306. _base64() {
  307. if [ "$1" ] ; then
  308. openssl base64 -e
  309. else
  310. openssl base64 -e | tr -d '\r\n'
  311. fi
  312. }
  313. #Usage: multiline
  314. _dbase64() {
  315. if [ "$1" ] ; then
  316. openssl base64 -d -A
  317. else
  318. openssl base64 -d
  319. fi
  320. }
  321. #Usage: hashalg [outputhex]
  322. #Output Base64-encoded digest
  323. _digest() {
  324. alg="$1"
  325. if [ -z "$alg" ] ; then
  326. _usage "Usage: _digest hashalg"
  327. return 1
  328. fi
  329. outputhex="$2"
  330. if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
  331. if [ "$outputhex" ] ; then
  332. openssl dgst -$alg -hex | cut -d = -f 2 | tr -d ' '
  333. else
  334. openssl dgst -$alg -binary | _base64
  335. fi
  336. else
  337. _err "$alg is not supported yet"
  338. return 1
  339. fi
  340. }
  341. #Usage: keyfile hashalg
  342. #Output: Base64-encoded signature value
  343. _sign() {
  344. keyfile="$1"
  345. alg="$2"
  346. if [ -z "$alg" ] ; then
  347. _usage "Usage: _sign keyfile hashalg"
  348. return 1
  349. fi
  350. if [ "$alg" = "sha256" ] ; then
  351. openssl dgst -sha256 -sign "$keyfile" | _base64
  352. else
  353. _err "$alg is not supported yet"
  354. return 1
  355. fi
  356. }
  357. #keylength
  358. _isEccKey() {
  359. _length="$1"
  360. if [ -z "$_length" ] ;then
  361. return 1
  362. fi
  363. [ "$_length" != "1024" ] \
  364. && [ "$_length" != "2048" ] \
  365. && [ "$_length" != "3072" ] \
  366. && [ "$_length" != "4096" ] \
  367. && [ "$_length" != "8192" ]
  368. }
  369. # _createkey 2048|ec-256 file
  370. _createkey() {
  371. length="$1"
  372. f="$2"
  373. eccname="$length"
  374. if _startswith "$length" "ec-" ; then
  375. length=$(printf $length | cut -d '-' -f 2-100)
  376. if [ "$length" = "256" ] ; then
  377. eccname="prime256v1"
  378. fi
  379. if [ "$length" = "384" ] ; then
  380. eccname="secp384r1"
  381. fi
  382. if [ "$length" = "521" ] ; then
  383. eccname="secp521r1"
  384. fi
  385. fi
  386. if [ -z "$length" ] ; then
  387. length=2048
  388. fi
  389. _debug "Use length $length"
  390. if _isEccKey "$length" ; then
  391. _debug "Using ec name: $eccname"
  392. openssl ecparam -name $eccname -genkey 2>/dev/null > "$f"
  393. else
  394. _debug "Using RSA: $length"
  395. openssl genrsa $length 2>/dev/null > "$f"
  396. fi
  397. if [ "$?" != "0" ] ; then
  398. _err "Create key error."
  399. return 1
  400. fi
  401. }
  402. #_createcsr cn san_list keyfile csrfile conf
  403. _createcsr() {
  404. _debug _createcsr
  405. domain="$1"
  406. domainlist="$2"
  407. csrkey="$3"
  408. csr="$4"
  409. csrconf="$5"
  410. _debug2 domain "$domain"
  411. _debug2 domainlist "$domainlist"
  412. _debug2 csrkey "$csrkey"
  413. _debug2 csr "$csr"
  414. _debug2 csrconf "$csrconf"
  415. printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" > "$csrconf"
  416. if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
  417. #single domain
  418. _info "Single domain" "$domain"
  419. else
  420. if _contains "$domainlist" "," ; then
  421. alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")"
  422. else
  423. alt="DNS:$domainlist"
  424. fi
  425. #multi
  426. _info "Multi domain" "$alt"
  427. printf -- "\nsubjectAltName=$alt" >> "$csrconf"
  428. fi
  429. if [ "$Le_OCSP_Stable" ] ; then
  430. _savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable"
  431. printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "$csrconf"
  432. fi
  433. openssl req -new -sha256 -key "$csrkey" -subj "/CN=$domain" -config "$csrconf" -out "$csr"
  434. }
  435. #_signcsr key csr conf cert
  436. _signcsr() {
  437. key="$1"
  438. csr="$2"
  439. conf="$3"
  440. cert="$4"
  441. _debug "_signcsr"
  442. _msg="$(openssl x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
  443. _ret="$?"
  444. _debug "$_msg"
  445. return $_ret
  446. }
  447. #_csrfile
  448. _readSubjectFromCSR() {
  449. _csrfile="$1"
  450. if [ -z "$_csrfile" ] ; then
  451. _usage "_readSubjectFromCSR mycsr.csr"
  452. return 1
  453. fi
  454. openssl req -noout -in "$_csrfile" -subject | _egrep_o "CN=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
  455. }
  456. #_csrfile
  457. #echo comma separated domain list
  458. _readSubjectAltNamesFromCSR() {
  459. _csrfile="$1"
  460. if [ -z "$_csrfile" ] ; then
  461. _usage "_readSubjectAltNamesFromCSR mycsr.csr"
  462. return 1
  463. fi
  464. _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  465. _debug _csrsubj "$_csrsubj"
  466. _dnsAltnames="$(openssl req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  467. _debug _dnsAltnames "$_dnsAltnames"
  468. if _contains "$_dnsAltnames," "DNS:$_csrsubj," ; then
  469. _debug "AltNames contains subject"
  470. _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
  471. else
  472. _debug "AltNames doesn't contain subject"
  473. fi
  474. printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
  475. }
  476. #_csrfile
  477. _readKeyLengthFromCSR() {
  478. _csrfile="$1"
  479. if [ -z "$_csrfile" ] ; then
  480. _usage "_readKeyLengthFromCSR mycsr.csr"
  481. return 1
  482. fi
  483. _outcsr="$(openssl req -noout -text -in "$_csrfile")"
  484. if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey" ; then
  485. _debug "ECC CSR"
  486. echo "$_outcsr" | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
  487. else
  488. _debug "RSA CSR"
  489. echo "$_outcsr" | _egrep_o "^ *Public-Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
  490. fi
  491. }
  492. _ss() {
  493. _port="$1"
  494. if _exists "ss" ; then
  495. _debug "Using: ss"
  496. ss -ntpl | grep ":$_port "
  497. return 0
  498. fi
  499. if _exists "netstat" ; then
  500. _debug "Using: netstat"
  501. if netstat -h 2>&1 | grep "\-p proto" >/dev/null ; then
  502. #for windows version netstat tool
  503. netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
  504. else
  505. if netstat -help 2>&1 | grep "\-p protocol" >/dev/null ; then
  506. netstat -an -p tcp | grep LISTEN | grep ":$_port "
  507. elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null ; then
  508. #for solaris
  509. netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
  510. else
  511. netstat -ntpl | grep ":$_port "
  512. fi
  513. fi
  514. return 0
  515. fi
  516. return 1
  517. }
  518. #domain [password] [isEcc]
  519. toPkcs() {
  520. domain="$1"
  521. pfxPassword="$2"
  522. if [ -z "$domain" ] ; then
  523. _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
  524. return 1
  525. fi
  526. _isEcc="$3"
  527. _initpath "$domain" "$_isEcc"
  528. if [ "$pfxPassword" ] ; then
  529. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH" -password "pass:$pfxPassword"
  530. else
  531. openssl pkcs12 -export -out "$CERT_PFX_PATH" -inkey "$CERT_KEY_PATH" -in "$CERT_PATH" -certfile "$CA_CERT_PATH"
  532. fi
  533. if [ "$?" = "0" ] ; then
  534. _info "Success, Pfx is exported to: $CERT_PFX_PATH"
  535. fi
  536. }
  537. #[2048]
  538. createAccountKey() {
  539. _info "Creating account key"
  540. if [ -z "$1" ] ; then
  541. _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
  542. return
  543. fi
  544. length=$1
  545. if _isEccKey "$length" ; then
  546. length=2048
  547. fi
  548. if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ] ; then
  549. _debug "Use default length 2048"
  550. length=2048
  551. fi
  552. _debug length "$length"
  553. _initpath
  554. if [ -f "$ACCOUNT_KEY_PATH" ] ; then
  555. _info "Account key exists, skip"
  556. return
  557. else
  558. #generate account key
  559. _createkey "$length" "$ACCOUNT_KEY_PATH"
  560. fi
  561. }
  562. #domain [length]
  563. createDomainKey() {
  564. _info "Creating domain key"
  565. if [ -z "$1" ] ; then
  566. _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
  567. return
  568. fi
  569. domain=$1
  570. length=$2
  571. _initpath $domain "$length"
  572. if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then
  573. _createkey "$length" "$CERT_KEY_PATH"
  574. else
  575. if [ "$IS_RENEW" ] ; then
  576. _info "Domain key exists, skip"
  577. return 0
  578. else
  579. _err "Domain key exists, do you want to overwrite the key?"
  580. _err "Add '--force', and try again."
  581. return 1
  582. fi
  583. fi
  584. }
  585. # domain domainlist isEcc
  586. createCSR() {
  587. _info "Creating csr"
  588. if [ -z "$1" ] ; then
  589. _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
  590. return
  591. fi
  592. domain="$1"
  593. domainlist="$2"
  594. _isEcc="$3"
  595. _initpath "$domain" "$_isEcc"
  596. if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
  597. _info "CSR exists, skip"
  598. return
  599. fi
  600. if [ ! -f "$CERT_KEY_PATH" ] ; then
  601. _err "The key file is not found: $CERT_KEY_PATH"
  602. _err "Please create the key file first."
  603. return 1
  604. fi
  605. _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
  606. }
  607. _urlencode() {
  608. __n=$(cat)
  609. echo $__n | tr '/+' '_-' | tr -d '= '
  610. }
  611. _time2str() {
  612. #BSD
  613. if date -u -d@$1 2>/dev/null ; then
  614. return
  615. fi
  616. #Linux
  617. if date -u -r $1 2>/dev/null ; then
  618. return
  619. fi
  620. #Soaris
  621. if _exists adb ; then
  622. echo $(echo "0t${1}=Y" | adb)
  623. fi
  624. }
  625. _normalizeJson() {
  626. sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
  627. }
  628. _stat() {
  629. #Linux
  630. if stat -c '%U:%G' "$1" 2>/dev/null ; then
  631. return
  632. fi
  633. #BSD
  634. if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then
  635. return
  636. fi
  637. return 1; #error, 'stat' not found
  638. }
  639. #keyfile
  640. _calcjwk() {
  641. keyfile="$1"
  642. if [ -z "$keyfile" ] ; then
  643. _usage "Usage: _calcjwk keyfile"
  644. return 1
  645. fi
  646. EC_SIGN=""
  647. if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then
  648. _debug "RSA key"
  649. pub_exp=$(openssl rsa -in $keyfile -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
  650. if [ "${#pub_exp}" = "5" ] ; then
  651. pub_exp=0$pub_exp
  652. fi
  653. _debug3 pub_exp "$pub_exp"
  654. e=$(echo $pub_exp | _h2b | _base64)
  655. _debug3 e "$e"
  656. modulus=$(openssl rsa -in $keyfile -modulus -noout | cut -d '=' -f 2 )
  657. _debug3 modulus "$modulus"
  658. n="$(printf "%s" "$modulus"| _h2b | _base64 | _urlencode )"
  659. jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
  660. _debug3 jwk "$jwk"
  661. HEADER='{"alg": "RS256", "jwk": '$jwk'}'
  662. HEADERPLACE_PART1='{"nonce": "'
  663. HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}'
  664. elif grep "BEGIN EC PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then
  665. _debug "EC key"
  666. EC_SIGN="1"
  667. crv="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
  668. _debug3 crv "$crv"
  669. pubi="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
  670. pubi=$(_math $pubi + 1)
  671. _debug3 pubi "$pubi"
  672. pubj="$(openssl ec -in $keyfile -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
  673. pubj=$(_math $pubj + 1)
  674. _debug3 pubj "$pubj"
  675. pubtext="$(openssl ec -in $keyfile -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
  676. _debug3 pubtext "$pubtext"
  677. xlen="$(printf "$pubtext" | tr -d ':' | wc -c)"
  678. xlen=$(_math $xlen / 4)
  679. _debug3 xlen "$xlen"
  680. xend=$(_math "$xend" + 1)
  681. x="$(printf $pubtext | cut -d : -f 2-$xend)"
  682. _debug3 x "$x"
  683. x64="$(printf $x | tr -d : | _h2b | _base64 | _urlencode)"
  684. _debug3 x64 "$x64"
  685. xend=$(_math "$xend" + 1)
  686. y="$(printf $pubtext | cut -d : -f $xend-10000)"
  687. _debug3 y "$y"
  688. y64="$(printf $y | tr -d : | _h2b | _base64 | _urlencode)"
  689. _debug3 y64 "$y64"
  690. jwk='{"kty": "EC", "crv": "'$crv'", "x": "'$x64'", "y": "'$y64'"}'
  691. _debug3 jwk "$jwk"
  692. HEADER='{"alg": "ES256", "jwk": '$jwk'}'
  693. HEADERPLACE_PART1='{"nonce": "'
  694. HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}'
  695. else
  696. _err "Only RSA or EC key is supported."
  697. return 1
  698. fi
  699. _debug3 HEADER "$HEADER"
  700. }
  701. _time() {
  702. date -u "+%s"
  703. }
  704. _mktemp() {
  705. if _exists mktemp ; then
  706. if mktemp 2>/dev/null ; then
  707. return
  708. elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null ; then
  709. #for Mac osx
  710. return
  711. fi
  712. fi
  713. if [ -d "/tmp" ] ; then
  714. echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
  715. return 0
  716. fi
  717. _err "Can not create temp file."
  718. }
  719. _inithttp() {
  720. if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER" ; then
  721. HTTP_HEADER="$(_mktemp)"
  722. _debug2 HTTP_HEADER "$HTTP_HEADER"
  723. fi
  724. if [ -z "$CURL" ] ; then
  725. CURL="curl -L --silent --dump-header $HTTP_HEADER "
  726. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  727. _CURL_DUMP="$(_mktemp)"
  728. CURL="$CURL --trace-ascii $_CURL_DUMP "
  729. fi
  730. if [ "$CA_BUNDLE" ] ; then
  731. CURL="$CURL --cacert $CA_BUNDLE "
  732. fi
  733. if [ "$HTTPS_INSECURE" ] ; then
  734. CURL="$CURL --insecure "
  735. fi
  736. fi
  737. if [ -z "$WGET" ] ; then
  738. WGET="wget -q"
  739. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  740. WGET="$WGET -d "
  741. fi
  742. if [ "$CA_BUNDLE" ] ; then
  743. WGET="$WGET --ca-certificate $CA_BUNDLE "
  744. fi
  745. if [ "$HTTPS_INSECURE" ] ; then
  746. WGET="$WGET --no-check-certificate "
  747. fi
  748. fi
  749. }
  750. # body url [needbase64] [POST|PUT]
  751. _post() {
  752. body="$1"
  753. url="$2"
  754. needbase64="$3"
  755. httpmethod="$4"
  756. if [ -z "$httpmethod" ] ; then
  757. httpmethod="POST"
  758. fi
  759. _debug $httpmethod
  760. _debug "url" "$url"
  761. _debug2 "body" "$body"
  762. _inithttp
  763. if _exists "curl" ; then
  764. _CURL="$CURL"
  765. _debug "_CURL" "$_CURL"
  766. if [ "$needbase64" ] ; then
  767. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)"
  768. else
  769. response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" )"
  770. fi
  771. _ret="$?"
  772. if [ "$_ret" != "0" ] ; then
  773. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
  774. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  775. _err "Here is the curl dump log:"
  776. _err "$(cat "$_CURL_DUMP")"
  777. fi
  778. fi
  779. elif _exists "wget" ; then
  780. _debug "WGET" "$WGET"
  781. if [ "$needbase64" ] ; then
  782. if [ "$httpmethod"="POST" ] ; then
  783. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  784. else
  785. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)"
  786. fi
  787. else
  788. if [ "$httpmethod"="POST" ] ; then
  789. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")"
  790. else
  791. response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")"
  792. fi
  793. fi
  794. _ret="$?"
  795. if [ "$_ret" = "8" ] ; then
  796. _ret=0
  797. _debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
  798. fi
  799. if [ "$_ret" != "0" ] ; then
  800. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
  801. fi
  802. _sed_i "s/^ *//g" "$HTTP_HEADER"
  803. else
  804. _ret="$?"
  805. _err "Neither curl nor wget is found, can not do $httpmethod."
  806. fi
  807. _debug "_ret" "$_ret"
  808. printf "%s" "$response"
  809. return $_ret
  810. }
  811. # url getheader timeout
  812. _get() {
  813. _debug GET
  814. url="$1"
  815. onlyheader="$2"
  816. t="$3"
  817. _debug url $url
  818. _debug "timeout" "$t"
  819. _inithttp
  820. if _exists "curl" ; then
  821. _CURL="$CURL"
  822. if [ "$t" ] ; then
  823. _CURL="$_CURL --connect-timeout $t"
  824. fi
  825. _debug "_CURL" "$_CURL"
  826. if [ "$onlyheader" ] ; then
  827. $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" $url
  828. else
  829. $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" $url
  830. fi
  831. ret=$?
  832. if [ "$ret" != "0" ] ; then
  833. _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
  834. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  835. _err "Here is the curl dump log:"
  836. _err "$(cat "$_CURL_DUMP")"
  837. fi
  838. fi
  839. elif _exists "wget" ; then
  840. _WGET="$WGET"
  841. if [ "$t" ] ; then
  842. _WGET="$_WGET --timeout=$t"
  843. fi
  844. _debug "_WGET" "$_WGET"
  845. if [ "$onlyheader" ] ; then
  846. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null $url 2>&1 | sed 's/^[ ]*//g'
  847. else
  848. $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - $url
  849. fi
  850. ret=$?
  851. if [ "$_ret" = "8" ] ; then
  852. _ret=0
  853. _debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
  854. fi
  855. if [ "$ret" != "0" ] ; then
  856. _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
  857. fi
  858. else
  859. ret=$?
  860. _err "Neither curl nor wget is found, can not do GET."
  861. fi
  862. _debug "ret" "$ret"
  863. return $ret
  864. }
  865. _head_n() {
  866. head -n $1
  867. }
  868. _tail_n() {
  869. if ! tail -n $1 2>/dev/null ; then
  870. #fix for solaris
  871. tail -$1
  872. fi
  873. }
  874. # url payload needbase64 keyfile
  875. _send_signed_request() {
  876. url=$1
  877. payload=$2
  878. needbase64=$3
  879. keyfile=$4
  880. if [ -z "$keyfile" ] ; then
  881. keyfile="$ACCOUNT_KEY_PATH"
  882. fi
  883. _debug url $url
  884. _debug payload "$payload"
  885. if ! _calcjwk "$keyfile" ; then
  886. return 1
  887. fi
  888. payload64=$(printf "%s" "$payload" | _base64 | _urlencode)
  889. _debug3 payload64 $payload64
  890. nonceurl="$API/directory"
  891. _headers="$(_get $nonceurl "onlyheader")"
  892. if [ "$?" != "0" ] ; then
  893. _err "Can not connect to $nonceurl to get nonce."
  894. return 1
  895. fi
  896. _debug3 _headers "$_headers"
  897. nonce="$( echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
  898. _debug3 nonce "$nonce"
  899. protected="$HEADERPLACE_PART1$nonce$HEADERPLACE_PART2"
  900. _debug3 protected "$protected"
  901. protected64="$(printf "$protected" | _base64 | _urlencode)"
  902. _debug3 protected64 "$protected64"
  903. sig=$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256" | _urlencode)
  904. _debug3 sig "$sig"
  905. body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
  906. _debug3 body "$body"
  907. response="$(_post "$body" $url "$needbase64")"
  908. if [ "$?" != "0" ] ; then
  909. _err "Can not post to $url"
  910. return 1
  911. fi
  912. _debug2 original "$response"
  913. response="$( echo "$response" | _normalizeJson )"
  914. responseHeaders="$(cat $HTTP_HEADER)"
  915. _debug2 responseHeaders "$responseHeaders"
  916. _debug2 response "$response"
  917. code="$(grep "^HTTP" $HTTP_HEADER | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n" )"
  918. _debug code $code
  919. }
  920. #setopt "file" "opt" "=" "value" [";"]
  921. _setopt() {
  922. __conf="$1"
  923. __opt="$2"
  924. __sep="$3"
  925. __val="$4"
  926. __end="$5"
  927. if [ -z "$__opt" ] ; then
  928. _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
  929. return
  930. fi
  931. if [ ! -f "$__conf" ] ; then
  932. touch "$__conf"
  933. fi
  934. if grep -n "^$__opt$__sep" "$__conf" > /dev/null ; then
  935. _debug3 OK
  936. if _contains "$__val" "&" ; then
  937. __val="$(echo $__val | sed 's/&/\\&/g')"
  938. fi
  939. text="$(cat $__conf)"
  940. echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf"
  941. elif grep -n "^#$__opt$__sep" "$__conf" > /dev/null ; then
  942. if _contains "$__val" "&" ; then
  943. __val="$(echo $__val | sed 's/&/\\&/g')"
  944. fi
  945. text="$(cat $__conf)"
  946. echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf"
  947. else
  948. _debug3 APP
  949. echo "$__opt$__sep$__val$__end" >> "$__conf"
  950. fi
  951. _debug2 "$(grep -n "^$__opt$__sep" $__conf)"
  952. }
  953. #_savedomainconf key value
  954. #save to domain.conf
  955. _savedomainconf() {
  956. _sdkey="$1"
  957. _sdvalue="$2"
  958. if [ "$DOMAIN_CONF" ] ; then
  959. _setopt "$DOMAIN_CONF" "$_sdkey" "=" "\"$_sdvalue\""
  960. else
  961. _err "DOMAIN_CONF is empty, can not save $_sdkey=$_sdvalue"
  962. fi
  963. }
  964. #_cleardomainconf key
  965. _cleardomainconf() {
  966. _sdkey="$1"
  967. if [ "$DOMAIN_CONF" ] ; then
  968. _sed_i "s/^$_sdkey.*$//" "$DOMAIN_CONF"
  969. else
  970. _err "DOMAIN_CONF is empty, can not save $_sdkey=$value"
  971. fi
  972. }
  973. #_readdomainconf key
  974. _readdomainconf() {
  975. _sdkey="$1"
  976. if [ "$DOMAIN_CONF" ] ; then
  977. (
  978. eval $(grep "^$_sdkey *=" "$DOMAIN_CONF")
  979. eval "printf \"%s\" \"\$$_sdkey\""
  980. )
  981. else
  982. _err "DOMAIN_CONF is empty, can not read $_sdkey"
  983. fi
  984. }
  985. #_saveaccountconf key value
  986. _saveaccountconf() {
  987. _sckey="$1"
  988. _scvalue="$2"
  989. if [ "$ACCOUNT_CONF_PATH" ] ; then
  990. _setopt "$ACCOUNT_CONF_PATH" "$_sckey" "=" "\"$_scvalue\""
  991. else
  992. _err "ACCOUNT_CONF_PATH is empty, can not save $_sckey=$_scvalue"
  993. fi
  994. }
  995. #_clearaccountconf key
  996. _clearaccountconf() {
  997. _scvalue="$1"
  998. if [ "$ACCOUNT_CONF_PATH" ] ; then
  999. _sed_i "s/^$_scvalue.*$//" "$ACCOUNT_CONF_PATH"
  1000. else
  1001. _err "ACCOUNT_CONF_PATH is empty, can not clear $_scvalue"
  1002. fi
  1003. }
  1004. # content localaddress
  1005. _startserver() {
  1006. content="$1"
  1007. ncaddr="$2"
  1008. _debug "ncaddr" "$ncaddr"
  1009. _debug "startserver: $$"
  1010. nchelp="$(nc -h 2>&1)"
  1011. _debug Le_HTTPPort "$Le_HTTPPort"
  1012. _debug Le_Listen_V4 "$Le_Listen_V4"
  1013. _debug Le_Listen_V6 "$Le_Listen_V6"
  1014. _NC="nc"
  1015. if [ "$Le_Listen_V4" ] ; then
  1016. _NC="$_NC -4"
  1017. elif [ "$Le_Listen_V6" ] ; then
  1018. _NC="$_NC -6"
  1019. fi
  1020. if echo "$nchelp" | grep "\-q[ ,]" >/dev/null ; then
  1021. _NC="$_NC -q 1 -l $ncaddr"
  1022. else
  1023. if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null ; then
  1024. _NC="$_NC -c -l $ncaddr"
  1025. elif echo "$nchelp" | grep "\-N" |grep "Shutdown the network socket after EOF on stdin" >/dev/null ; then
  1026. _NC="$_NC -N -l $ncaddr"
  1027. else
  1028. _NC="$_NC -l $ncaddr"
  1029. fi
  1030. fi
  1031. _debug "_NC" "$_NC"
  1032. # while true ; do
  1033. if [ "$DEBUG" ] ; then
  1034. if ! printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort ; then
  1035. printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort ;
  1036. fi
  1037. else
  1038. if ! printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort > /dev/null 2>&1; then
  1039. printf "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort > /dev/null 2>&1
  1040. fi
  1041. fi
  1042. if [ "$?" != "0" ] ; then
  1043. _err "nc listen error."
  1044. exit 1
  1045. fi
  1046. # done
  1047. }
  1048. _stopserver(){
  1049. pid="$1"
  1050. _debug "pid" "$pid"
  1051. if [ -z "$pid" ] ; then
  1052. return
  1053. fi
  1054. _debug2 "Le_HTTPPort" "$Le_HTTPPort"
  1055. if [ "$Le_HTTPPort" ] ; then
  1056. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ] ; then
  1057. _get "http://localhost:$Le_HTTPPort" "" 1
  1058. else
  1059. _get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
  1060. fi
  1061. fi
  1062. _debug2 "Le_TLSPort" "$Le_TLSPort"
  1063. if [ "$Le_TLSPort" ] ; then
  1064. if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ] ; then
  1065. _get "https://localhost:$Le_TLSPort" "" 1
  1066. _get "https://localhost:$Le_TLSPort" "" 1
  1067. else
  1068. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1069. _get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
  1070. fi
  1071. fi
  1072. }
  1073. # sleep sec
  1074. _sleep() {
  1075. _sleep_sec="$1"
  1076. if [ "$__INTERACTIVE" ] ; then
  1077. _sleep_c="$_sleep_sec"
  1078. while [ "$_sleep_c" -ge "0" ] ;
  1079. do
  1080. printf "\r \r"
  1081. __green "$_sleep_c"
  1082. _sleep_c="$(_math $_sleep_c - 1)"
  1083. sleep 1
  1084. done
  1085. printf "\r"
  1086. else
  1087. sleep "$_sleep_sec"
  1088. fi
  1089. }
  1090. # _starttlsserver san_a san_b port content _ncaddr
  1091. _starttlsserver() {
  1092. _info "Starting tls server."
  1093. san_a="$1"
  1094. san_b="$2"
  1095. port="$3"
  1096. content="$4"
  1097. opaddr="$5"
  1098. _debug san_a "$san_a"
  1099. _debug san_b "$san_b"
  1100. _debug port "$port"
  1101. #create key TLS_KEY
  1102. if ! _createkey "2048" "$TLS_KEY" ; then
  1103. _err "Create tls validation key error."
  1104. return 1
  1105. fi
  1106. #create csr
  1107. alt="$san_a"
  1108. if [ "$san_b" ] ; then
  1109. alt="$alt,$san_b"
  1110. fi
  1111. if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" ; then
  1112. _err "Create tls validation csr error."
  1113. return 1
  1114. fi
  1115. #self signed
  1116. if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT" ; then
  1117. _err "Create tls validation cert error."
  1118. return 1
  1119. fi
  1120. __S_OPENSSL="openssl s_server -cert $TLS_CERT -key $TLS_KEY "
  1121. if [ "$opaddr" ] ; then
  1122. __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
  1123. else
  1124. __S_OPENSSL="$__S_OPENSSL -accept $port"
  1125. fi
  1126. _debug Le_Listen_V4 "$Le_Listen_V4"
  1127. _debug Le_Listen_V6 "$Le_Listen_V6"
  1128. if [ "$Le_Listen_V4" ] ; then
  1129. __S_OPENSSL="$__S_OPENSSL -4"
  1130. elif [ "$Le_Listen_V6" ] ; then
  1131. __S_OPENSSL="$__S_OPENSSL -6"
  1132. fi
  1133. #start openssl
  1134. _debug "$__S_OPENSSL"
  1135. if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
  1136. (printf "HTTP/1.1 200 OK\r\n\r\n$content" | $__S_OPENSSL -tlsextdebug ) &
  1137. else
  1138. (printf "HTTP/1.1 200 OK\r\n\r\n$content" | $__S_OPENSSL >/dev/null 2>&1) &
  1139. fi
  1140. serverproc="$!"
  1141. sleep 2
  1142. _debug serverproc $serverproc
  1143. }
  1144. #file
  1145. _readlink() {
  1146. _rf="$1"
  1147. if ! readlink -f "$_rf" 2>/dev/null; then
  1148. if _startswith "$_rf" "\./$PROJECT_ENTRY" ; then
  1149. printf -- "%s" "$(pwd)/$PROJECT_ENTRY"
  1150. return 0
  1151. fi
  1152. readlink "$_rf"
  1153. fi
  1154. }
  1155. __initHome() {
  1156. if [ -z "$_SCRIPT_HOME" ] ; then
  1157. if _exists readlink && _exists dirname ; then
  1158. _debug "Lets find script dir."
  1159. _debug "_SCRIPT_" "$_SCRIPT_"
  1160. _script="$(_readlink "$_SCRIPT_")"
  1161. _debug "_script" "$_script"
  1162. _script_home="$(dirname "$_script")"
  1163. _debug "_script_home" "$_script_home"
  1164. if [ -d "$_script_home" ] ; then
  1165. _SCRIPT_HOME="$_script_home"
  1166. else
  1167. _err "It seems the script home is not correct:$_script_home"
  1168. fi
  1169. fi
  1170. fi
  1171. if [ -z "$LE_WORKING_DIR" ] ; then
  1172. if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ] ; then
  1173. _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
  1174. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1175. else
  1176. LE_WORKING_DIR="$_SCRIPT_HOME"
  1177. fi
  1178. fi
  1179. if [ -z "$LE_WORKING_DIR" ] ; then
  1180. _debug "Using default home:$DEFAULT_INSTALL_HOME"
  1181. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  1182. fi
  1183. export LE_WORKING_DIR
  1184. _DEFAULT_ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf"
  1185. if [ -z "$ACCOUNT_CONF_PATH" ] ; then
  1186. if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ] ; then
  1187. . "$_DEFAULT_ACCOUNT_CONF_PATH"
  1188. fi
  1189. fi
  1190. if [ -z "$ACCOUNT_CONF_PATH" ] ; then
  1191. ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
  1192. fi
  1193. DEFAULT_LOG_FILE="$LE_WORKING_DIR/$PROJECT_NAME.log"
  1194. DEFAULT_CA_HOME="$LE_WORKING_DIR/ca"
  1195. }
  1196. #[domain] [keylength]
  1197. _initpath() {
  1198. __initHome
  1199. if [ -f "$ACCOUNT_CONF_PATH" ] ; then
  1200. . "$ACCOUNT_CONF_PATH"
  1201. fi
  1202. if [ "$IN_CRON" ] ; then
  1203. if [ ! "$_USER_PATH_EXPORTED" ] ; then
  1204. _USER_PATH_EXPORTED=1
  1205. export PATH="$USER_PATH:$PATH"
  1206. fi
  1207. fi
  1208. if [ -z "$CA_HOME" ] ; then
  1209. CA_HOME="$DEFAULT_CA_HOME"
  1210. fi
  1211. if [ -z "$API" ] ; then
  1212. if [ -z "$STAGE" ] ; then
  1213. API="$DEFAULT_CA"
  1214. else
  1215. API="$STAGE_CA"
  1216. _info "Using stage api:$API"
  1217. fi
  1218. fi
  1219. _API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
  1220. CA_DIR="$CA_HOME/$_API_HOST"
  1221. _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
  1222. if [ -z "$CA_CONF" ] ; then
  1223. CA_CONF="$_DEFAULT_CA_CONF"
  1224. fi
  1225. if [ -f "$CA_CONF" ] ; then
  1226. . "$CA_CONF"
  1227. fi
  1228. if [ -z "$ACME_DIR" ] ; then
  1229. ACME_DIR="/home/.acme"
  1230. fi
  1231. if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then
  1232. APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR"
  1233. fi
  1234. if [ -z "$USER_AGENT" ] ; then
  1235. USER_AGENT="$DEFAULT_USER_AGENT"
  1236. fi
  1237. if [ -z "$HTTP_HEADER" ] ; then
  1238. HTTP_HEADER="$LE_WORKING_DIR/http.header"
  1239. fi
  1240. _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
  1241. _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
  1242. _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  1243. _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  1244. if [ -z "$ACCOUNT_KEY_PATH" ] ; then
  1245. ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  1246. fi
  1247. if [ -z "$ACCOUNT_JSON_PATH" ] ; then
  1248. ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
  1249. fi
  1250. _DEFAULT_CERT_HOME="$LE_WORKING_DIR"
  1251. if [ -z "$CERT_HOME" ] ; then
  1252. CERT_HOME="$_DEFAULT_CERT_HOME"
  1253. fi
  1254. if [ -z "$1" ] ; then
  1255. return 0
  1256. fi
  1257. mkdir -p "$CA_DIR"
  1258. domain="$1"
  1259. _ilength="$2"
  1260. if [ -z "$DOMAIN_PATH" ] ; then
  1261. domainhome="$CERT_HOME/$domain"
  1262. domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
  1263. DOMAIN_PATH="$domainhome"
  1264. if _isEccKey "$_ilength" ; then
  1265. DOMAIN_PATH="$domainhomeecc"
  1266. else
  1267. if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ] ; then
  1268. _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
  1269. fi
  1270. fi
  1271. _debug DOMAIN_PATH "$DOMAIN_PATH"
  1272. fi
  1273. if [ ! -d "$DOMAIN_PATH" ] ; then
  1274. if ! mkdir -p "$DOMAIN_PATH" ; then
  1275. _err "Can not create domain path: $DOMAIN_PATH"
  1276. return 1
  1277. fi
  1278. fi
  1279. if [ -z "$DOMAIN_CONF" ] ; then
  1280. DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
  1281. fi
  1282. if [ -z "$DOMAIN_SSL_CONF" ] ; then
  1283. DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
  1284. fi
  1285. if [ -z "$CSR_PATH" ] ; then
  1286. CSR_PATH="$DOMAIN_PATH/$domain.csr"
  1287. fi
  1288. if [ -z "$CERT_KEY_PATH" ] ; then
  1289. CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
  1290. fi
  1291. if [ -z "$CERT_PATH" ] ; then
  1292. CERT_PATH="$DOMAIN_PATH/$domain.cer"
  1293. fi
  1294. if [ -z "$CA_CERT_PATH" ] ; then
  1295. CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
  1296. fi
  1297. if [ -z "$CERT_FULLCHAIN_PATH" ] ; then
  1298. CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
  1299. fi
  1300. if [ -z "$CERT_PFX_PATH" ] ; then
  1301. CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
  1302. fi
  1303. if [ -z "$TLS_CONF" ] ; then
  1304. TLS_CONF="$DOMAIN_PATH/tls.valdation.conf"
  1305. fi
  1306. if [ -z "$TLS_CERT" ] ; then
  1307. TLS_CERT="$DOMAIN_PATH/tls.valdation.cert"
  1308. fi
  1309. if [ -z "$TLS_KEY" ] ; then
  1310. TLS_KEY="$DOMAIN_PATH/tls.valdation.key"
  1311. fi
  1312. if [ -z "$TLS_CSR" ] ; then
  1313. TLS_CSR="$DOMAIN_PATH/tls.valdation.csr"
  1314. fi
  1315. }
  1316. _apachePath() {
  1317. _APACHECTL="apachectl"
  1318. if ! _exists apachectl ; then
  1319. if _exists apache2ctl ; then
  1320. _APACHECTL="apache2ctl"
  1321. else
  1322. _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
  1323. _err "Please use webroot mode to try again."
  1324. return 1
  1325. fi
  1326. fi
  1327. httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )"
  1328. _debug httpdconfname "$httpdconfname"
  1329. if _startswith "$httpdconfname" '/' ; then
  1330. httpdconf="$httpdconfname"
  1331. httpdconfname="$(basename $httpdconfname)"
  1332. else
  1333. httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )"
  1334. _debug httpdroot "$httpdroot"
  1335. httpdconf="$httpdroot/$httpdconfname"
  1336. httpdconfname="$(basename $httpdconfname)"
  1337. fi
  1338. _debug httpdconf "$httpdconf"
  1339. _debug httpdconfname "$httpdconfname"
  1340. if [ ! -f "$httpdconf" ] ; then
  1341. _err "Apache Config file not found" "$httpdconf"
  1342. return 1
  1343. fi
  1344. return 0
  1345. }
  1346. _restoreApache() {
  1347. if [ -z "$usingApache" ] ; then
  1348. return 0
  1349. fi
  1350. _initpath
  1351. if ! _apachePath ; then
  1352. return 1
  1353. fi
  1354. if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then
  1355. _debug "No config file to restore."
  1356. return 0
  1357. fi
  1358. cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" > "$httpdconf"
  1359. _debug "Restored: $httpdconf."
  1360. if ! $_APACHECTL -t >/dev/null 2>&1 ; then
  1361. _err "Sorry, restore apache config error, please contact me."
  1362. return 1;
  1363. fi
  1364. _debug "Restored successfully."
  1365. rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1366. return 0
  1367. }
  1368. _setApache() {
  1369. _initpath
  1370. if ! _apachePath ; then
  1371. return 1
  1372. fi
  1373. #test the conf first
  1374. _info "Checking if there is an error in the apache config file before starting."
  1375. _msg="$($_APACHECTL -t 2>&1 )"
  1376. if [ "$?" != "0" ] ; then
  1377. _err "Sorry, apache config file has error, please fix it first, then try again."
  1378. _err "Don't worry, there is nothing changed to your system."
  1379. _err "$_msg"
  1380. return 1;
  1381. else
  1382. _info "OK"
  1383. fi
  1384. #backup the conf
  1385. _debug "Backup apache config file" "$httpdconf"
  1386. if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/" ; then
  1387. _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
  1388. _err "This might be a bug of $PROJECT_NAME , pleae report issue: $PROJECT"
  1389. return 1
  1390. fi
  1391. _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
  1392. _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
  1393. _info "The backup file will be deleted on sucess, just forget it."
  1394. #add alias
  1395. apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2 )"
  1396. _debug "apacheVer" "$apacheVer"
  1397. apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
  1398. apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
  1399. if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ] ; then
  1400. echo "
  1401. Alias /.well-known/acme-challenge $ACME_DIR
  1402. <Directory $ACME_DIR >
  1403. Require all granted
  1404. </Directory>
  1405. " >> "$httpdconf"
  1406. else
  1407. echo "
  1408. Alias /.well-known/acme-challenge $ACME_DIR
  1409. <Directory $ACME_DIR >
  1410. Order allow,deny
  1411. Allow from all
  1412. </Directory>
  1413. " >> "$httpdconf"
  1414. fi
  1415. _msg="$($_APACHECTL -t 2>&1 )"
  1416. if [ "$?" != "0" ] ; then
  1417. _err "Sorry, apache config error"
  1418. if _restoreApache ; then
  1419. _err "The apache config file is restored."
  1420. else
  1421. _err "Sorry, The apache config file can not be restored, please report bug."
  1422. fi
  1423. return 1;
  1424. fi
  1425. if [ ! -d "$ACME_DIR" ] ; then
  1426. mkdir -p "$ACME_DIR"
  1427. chmod 755 "$ACME_DIR"
  1428. fi
  1429. if ! $_APACHECTL graceful ; then
  1430. _err "Sorry, $_APACHECTL graceful error, please contact me."
  1431. _restoreApache
  1432. return 1;
  1433. fi
  1434. usingApache="1"
  1435. return 0
  1436. }
  1437. _clearup() {
  1438. _stopserver $serverproc
  1439. serverproc=""
  1440. _restoreApache
  1441. if [ -z "$DEBUG" ] ; then
  1442. rm -f "$TLS_CONF"
  1443. rm -f "$TLS_CERT"
  1444. rm -f "$TLS_KEY"
  1445. rm -f "$TLS_CSR"
  1446. fi
  1447. }
  1448. # webroot removelevel tokenfile
  1449. _clearupwebbroot() {
  1450. __webroot="$1"
  1451. if [ -z "$__webroot" ] ; then
  1452. _debug "no webroot specified, skip"
  1453. return 0
  1454. fi
  1455. _rmpath=""
  1456. if [ "$2" = '1' ] ; then
  1457. _rmpath="$__webroot/.well-known"
  1458. elif [ "$2" = '2' ] ; then
  1459. _rmpath="$__webroot/.well-known/acme-challenge"
  1460. elif [ "$2" = '3' ] ; then
  1461. _rmpath="$__webroot/.well-known/acme-challenge/$3"
  1462. else
  1463. _debug "Skip for removelevel:$2"
  1464. fi
  1465. if [ "$_rmpath" ] ; then
  1466. if [ "$DEBUG" ] ; then
  1467. _debug "Debugging, skip removing: $_rmpath"
  1468. else
  1469. rm -rf "$_rmpath"
  1470. fi
  1471. fi
  1472. return 0
  1473. }
  1474. _on_before_issue() {
  1475. _debug _on_before_issue
  1476. if _hasfield "$Le_Webroot" "$NO_VALUE" ; then
  1477. if ! _exists "nc" ; then
  1478. _err "Please install netcat(nc) tools first."
  1479. return 1
  1480. fi
  1481. elif ! _hasfield "$Le_Webroot" "$W_TLS" ; then
  1482. #no need to check anymore
  1483. return 0
  1484. fi
  1485. _debug Le_LocalAddress "$Le_LocalAddress"
  1486. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
  1487. _index=1
  1488. _currentRoot=""
  1489. _addrIndex=1
  1490. for d in $alldomains
  1491. do
  1492. _debug "Check for domain" $d
  1493. _currentRoot="$(_getfield "$Le_Webroot" $_index)"
  1494. _debug "_currentRoot" "$_currentRoot"
  1495. _index=$(_math $_index + 1)
  1496. _checkport=""
  1497. if [ "$_currentRoot" = "$NO_VALUE" ] ; then
  1498. _info "Standalone mode."
  1499. if [ -z "$Le_HTTPPort" ] ; then
  1500. Le_HTTPPort=80
  1501. else
  1502. _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
  1503. fi
  1504. _checkport="$Le_HTTPPort"
  1505. elif [ "$_currentRoot" = "$W_TLS" ] ; then
  1506. _info "Standalone tls mode."
  1507. if [ -z "$Le_TLSPort" ] ; then
  1508. Le_TLSPort=443
  1509. else
  1510. _savedomainconf "Le_TLSPort" "$Le_TLSPort"
  1511. fi
  1512. _checkport="$Le_TLSPort"
  1513. fi
  1514. if [ "$_checkport" ] ; then
  1515. _debug _checkport "$_checkport"
  1516. _checkaddr="$(_getfield "$Le_LocalAddress" $_addrIndex)"
  1517. _debug _checkaddr "$_checkaddr"
  1518. _addrIndex="$(_math $_addrIndex + 1)"
  1519. _netprc="$(_ss "$_checkport" | grep "$_checkport")"
  1520. netprc="$(echo "$_netprc" | grep "$_checkaddr")"
  1521. if [ -z "$netprc" ] ; then
  1522. netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
  1523. fi
  1524. if [ "$netprc" ] ; then
  1525. _err "$netprc"
  1526. _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
  1527. _err "Please stop it first"
  1528. return 1
  1529. fi
  1530. fi
  1531. done
  1532. if _hasfield "$Le_Webroot" "apache" ; then
  1533. if ! _setApache ; then
  1534. _err "set up apache error. Report error to me."
  1535. return 1
  1536. fi
  1537. else
  1538. usingApache=""
  1539. fi
  1540. #run pre hook
  1541. if [ "$Le_PreHook" ] ; then
  1542. _info "Run pre hook:'$Le_PreHook'"
  1543. if ! (
  1544. cd "$DOMAIN_PATH" && eval "$Le_PreHook"
  1545. ) ; then
  1546. _err "Error when run pre hook."
  1547. return 1
  1548. fi
  1549. fi
  1550. }
  1551. _on_issue_err() {
  1552. _debug _on_issue_err
  1553. if [ "$LOG_FILE" ] ; then
  1554. _err "Please check log file for more details: $LOG_FILE"
  1555. else
  1556. _err "Please use add '--debug' or '--log' to check more details."
  1557. _err "See: $_DEBUG_WIKI"
  1558. fi
  1559. #run the post hook
  1560. if [ "$Le_PostHook" ] ; then
  1561. _info "Run post hook:'$Le_PostHook'"
  1562. if ! (
  1563. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1564. ) ; then
  1565. _err "Error when run post hook."
  1566. return 1
  1567. fi
  1568. fi
  1569. }
  1570. _on_issue_success() {
  1571. _debug _on_issue_success
  1572. #run the post hook
  1573. if [ "$Le_PostHook" ] ; then
  1574. _info "Run post hook:'$Le_PostHook'"
  1575. if ! (
  1576. cd "$DOMAIN_PATH" && eval "$Le_PostHook"
  1577. ) ; then
  1578. _err "Error when run post hook."
  1579. return 1
  1580. fi
  1581. fi
  1582. #run renew hook
  1583. if [ "$IS_RENEW" ] && [ "$Le_RenewHook" ] ; then
  1584. _info "Run renew hook:'$Le_RenewHook'"
  1585. if ! (
  1586. cd "$DOMAIN_PATH" && eval "$Le_RenewHook"
  1587. ) ; then
  1588. _err "Error when run renew hook."
  1589. return 1
  1590. fi
  1591. fi
  1592. }
  1593. updateaccount() {
  1594. _initpath
  1595. _regAccount
  1596. }
  1597. registeraccount() {
  1598. _initpath
  1599. _regAccount
  1600. }
  1601. _regAccount() {
  1602. _initpath
  1603. if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
  1604. _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
  1605. mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  1606. fi
  1607. if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
  1608. _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
  1609. mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  1610. fi
  1611. if [ ! -f "$ACCOUNT_KEY_PATH" ] ; then
  1612. _acck="no"
  1613. if [ "$Le_Keylength" ] ; then
  1614. _acck="$Le_Keylength"
  1615. fi
  1616. if ! createAccountKey "$_acck" ; then
  1617. _err "Create account key error."
  1618. return 1
  1619. fi
  1620. fi
  1621. if ! _calcjwk "$ACCOUNT_KEY_PATH" ; then
  1622. return 1
  1623. fi
  1624. _updateTos=""
  1625. _reg_res="new-reg"
  1626. while true ;
  1627. do
  1628. _debug AGREEMENT "$AGREEMENT"
  1629. accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' )
  1630. thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode)
  1631. regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}'
  1632. if [ "$ACCOUNT_EMAIL" ] ; then
  1633. regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}'
  1634. fi
  1635. if [ -z "$_updateTos" ] ; then
  1636. _info "Registering account"
  1637. if ! _send_signed_request "$API/acme/new-reg" "$regjson" ; then
  1638. _err "Register account Error: $response"
  1639. return 1
  1640. fi
  1641. if [ "$code" = "" ] || [ "$code" = '201' ] ; then
  1642. echo "$response" > $ACCOUNT_JSON_PATH
  1643. _info "Registered"
  1644. elif [ "$code" = '409' ] ; then
  1645. _info "Already registered"
  1646. else
  1647. _err "Register account Error: $response"
  1648. return 1
  1649. fi
  1650. _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2| tr -d "\r\n")"
  1651. _debug "_accUri" "$_accUri"
  1652. _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')"
  1653. _debug "_tos" "$_tos"
  1654. if [ -z "$_tos" ] ; then
  1655. _debug "Use default tos: $DEFAULT_AGREEMENT"
  1656. _tos="$DEFAULT_AGREEMENT"
  1657. fi
  1658. if [ "$_tos" != "$AGREEMENT" ]; then
  1659. _updateTos=1
  1660. AGREEMENT="$_tos"
  1661. _reg_res="reg"
  1662. continue
  1663. fi
  1664. else
  1665. _debug "Update tos: $_tos"
  1666. if ! _send_signed_request "$_accUri" "$regjson" ; then
  1667. _err "Update tos error."
  1668. return 1
  1669. fi
  1670. if [ "$code" = '202' ] ; then
  1671. _info "Update success."
  1672. else
  1673. _err "Update error."
  1674. return 1
  1675. fi
  1676. fi
  1677. return 0
  1678. done
  1679. }
  1680. #webroot, domain domainlist keylength
  1681. issue() {
  1682. if [ -z "$2" ] ; then
  1683. _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
  1684. return 1
  1685. fi
  1686. Le_Webroot="$1"
  1687. Le_Domain="$2"
  1688. Le_Alt="$3"
  1689. Le_Keylength="$4"
  1690. Le_RealCertPath="$5"
  1691. Le_RealKeyPath="$6"
  1692. Le_RealCACertPath="$7"
  1693. Le_ReloadCmd="$8"
  1694. Le_RealFullChainPath="$9"
  1695. Le_PreHook="${10}"
  1696. Le_PostHook="${11}"
  1697. Le_RenewHook="${12}"
  1698. Le_LocalAddress="${13}"
  1699. #remove these later.
  1700. if [ "$Le_Webroot" = "dns-cf" ] ; then
  1701. Le_Webroot="dns_cf"
  1702. fi
  1703. if [ "$Le_Webroot" = "dns-dp" ] ; then
  1704. Le_Webroot="dns_dp"
  1705. fi
  1706. if [ "$Le_Webroot" = "dns-cx" ] ; then
  1707. Le_Webroot="dns_cx"
  1708. fi
  1709. _debug "Using api: $API"
  1710. if [ ! "$IS_RENEW" ] ; then
  1711. _initpath $Le_Domain "$Le_Keylength"
  1712. mkdir -p "$DOMAIN_PATH"
  1713. fi
  1714. if [ -f "$DOMAIN_CONF" ] ; then
  1715. Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
  1716. _debug Le_NextRenewTime "$Le_NextRenewTime"
  1717. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ $(_time) -lt $Le_NextRenewTime ] ; then
  1718. _saved_domain=$(_readdomainconf Le_Domain)
  1719. _debug _saved_domain "$_saved_domain"
  1720. _saved_alt=$(_readdomainconf Le_Alt)
  1721. _debug _saved_alt "$_saved_alt"
  1722. if [ "$_saved_domain,$_saved_alt" = "$Le_Domain,$Le_Alt" ] ; then
  1723. _info "Domains not changed."
  1724. _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
  1725. _info "Add '$(__red '--force')' to force to renew."
  1726. return $RENEW_SKIP
  1727. else
  1728. _info "Domains have changed."
  1729. fi
  1730. fi
  1731. fi
  1732. _savedomainconf "Le_Domain" "$Le_Domain"
  1733. _savedomainconf "Le_Alt" "$Le_Alt"
  1734. _savedomainconf "Le_Webroot" "$Le_Webroot"
  1735. _savedomainconf "Le_PreHook" "$Le_PreHook"
  1736. _savedomainconf "Le_PostHook" "$Le_PostHook"
  1737. _savedomainconf "Le_RenewHook" "$Le_RenewHook"
  1738. _savedomainconf "Le_LocalAddress" "$Le_LocalAddress"
  1739. Le_API="$API"
  1740. _savedomainconf "Le_API" "$Le_API"
  1741. if [ "$Le_Alt" = "$NO_VALUE" ] ; then
  1742. Le_Alt=""
  1743. fi
  1744. if [ "$Le_Keylength" = "$NO_VALUE" ] ; then
  1745. Le_Keylength=""
  1746. fi
  1747. if ! _on_before_issue ; then
  1748. _err "_on_before_issue."
  1749. return 1
  1750. fi
  1751. if ! _regAccount ; then
  1752. _on_issue_err
  1753. return 1
  1754. fi
  1755. if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ] ; then
  1756. _info "Signing from existing CSR."
  1757. else
  1758. _key=$(_readdomainconf Le_Keylength)
  1759. _debug "Read key length:$_key"
  1760. if [ ! -f "$CERT_KEY_PATH" ] || [ "$Le_Keylength" != "$_key" ] ; then
  1761. if ! createDomainKey $Le_Domain $Le_Keylength ; then
  1762. _err "Create domain key error."
  1763. _clearup
  1764. _on_issue_err
  1765. return 1
  1766. fi
  1767. fi
  1768. if ! _createcsr "$Le_Domain" "$Le_Alt" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF" ; then
  1769. _err "Create CSR error."
  1770. _clearup
  1771. _on_issue_err
  1772. return 1
  1773. fi
  1774. fi
  1775. _savedomainconf "Le_Keylength" "$Le_Keylength"
  1776. vlist="$Le_Vlist"
  1777. # verify each domain
  1778. _info "Verify each domain"
  1779. sep='#'
  1780. if [ -z "$vlist" ] ; then
  1781. alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' )
  1782. _index=1
  1783. _currentRoot=""
  1784. for d in $alldomains
  1785. do
  1786. _info "Getting webroot for domain" $d
  1787. _w="$(echo $Le_Webroot | cut -d , -f $_index)"
  1788. _info _w "$_w"
  1789. if [ "$_w" ] ; then
  1790. _currentRoot="$_w"
  1791. fi
  1792. _debug "_currentRoot" "$_currentRoot"
  1793. _index=$(_math $_index + 1)
  1794. vtype="$VTYPE_HTTP"
  1795. if _startswith "$_currentRoot" "dns" ; then
  1796. vtype="$VTYPE_DNS"
  1797. fi
  1798. if [ "$_currentRoot" = "$W_TLS" ] ; then
  1799. vtype="$VTYPE_TLS"
  1800. fi
  1801. _info "Getting new-authz for domain" $d
  1802. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" ; then
  1803. _err "Can not get domain token."
  1804. _clearup
  1805. _on_issue_err
  1806. return 1
  1807. fi
  1808. if [ ! -z "$code" ] && [ ! "$code" = '201' ] ; then
  1809. _err "new-authz error: $response"
  1810. _clearup
  1811. _on_issue_err
  1812. return 1
  1813. fi
  1814. entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
  1815. _debug entry "$entry"
  1816. if [ -z "$entry" ] ; then
  1817. _err "Error, can not get domain token $d"
  1818. _clearup
  1819. _on_issue_err
  1820. return 1
  1821. fi
  1822. token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
  1823. _debug token $token
  1824. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
  1825. _debug uri $uri
  1826. keyauthorization="$token.$thumbprint"
  1827. _debug keyauthorization "$keyauthorization"
  1828. if printf "$response" | grep '"status":"valid"' >/dev/null 2>&1 ; then
  1829. _info "$d is already verified, skip."
  1830. keyauthorization=$STATE_VERIFIED
  1831. _debug keyauthorization "$keyauthorization"
  1832. fi
  1833. dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
  1834. _debug dvlist "$dvlist"
  1835. vlist="$vlist$dvlist,"
  1836. done
  1837. #add entry
  1838. dnsadded=""
  1839. ventries=$(echo "$vlist" | tr ',' ' ' )
  1840. for ventry in $ventries
  1841. do
  1842. d=$(echo $ventry | cut -d $sep -f 1)
  1843. keyauthorization=$(echo $ventry | cut -d $sep -f 2)
  1844. vtype=$(echo $ventry | cut -d $sep -f 4)
  1845. _currentRoot=$(echo $ventry | cut -d $sep -f 5)
  1846. if [ "$keyauthorization" = "$STATE_VERIFIED" ] ; then
  1847. _info "$d is already verified, skip $vtype."
  1848. continue
  1849. fi
  1850. if [ "$vtype" = "$VTYPE_DNS" ] ; then
  1851. dnsadded='0'
  1852. txtdomain="_acme-challenge.$d"
  1853. _debug txtdomain "$txtdomain"
  1854. txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _urlencode)"
  1855. _debug txt "$txt"
  1856. #dns
  1857. #1. check use api
  1858. d_api=""
  1859. if [ -f "$LE_WORKING_DIR/$d/$_currentRoot" ] ; then
  1860. d_api="$LE_WORKING_DIR/$d/$_currentRoot"
  1861. elif [ -f "$LE_WORKING_DIR/$d/$_currentRoot.sh" ] ; then
  1862. d_api="$LE_WORKING_DIR/$d/$_currentRoot.sh"
  1863. elif [ -f "$LE_WORKING_DIR/$_currentRoot" ] ; then
  1864. d_api="$LE_WORKING_DIR/$_currentRoot"
  1865. elif [ -f "$LE_WORKING_DIR/$_currentRoot.sh" ] ; then
  1866. d_api="$LE_WORKING_DIR/$_currentRoot.sh"
  1867. elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot" ] ; then
  1868. d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot"
  1869. elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot.sh" ] ; then
  1870. d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot.sh"
  1871. fi
  1872. _debug d_api "$d_api"
  1873. if [ "$d_api" ] ; then
  1874. _info "Found domain api file: $d_api"
  1875. else
  1876. _err "Add the following TXT record:"
  1877. _err "Domain: '$(__green $txtdomain)'"
  1878. _err "TXT value: '$(__green $txt)'"
  1879. _err "Please be aware that you prepend _acme-challenge. before your domain"
  1880. _err "so the resulting subdomain will be: $txtdomain"
  1881. continue
  1882. fi
  1883. (
  1884. if ! . $d_api ; then
  1885. _err "Load file $d_api error. Please check your api file and try again."
  1886. return 1
  1887. fi
  1888. addcommand="${_currentRoot}_add"
  1889. if ! _exists $addcommand ; then
  1890. _err "It seems that your api file is not correct, it must have a function named: $addcommand"
  1891. return 1
  1892. fi
  1893. if ! $addcommand $txtdomain $txt ; then
  1894. _err "Error add txt for domain:$txtdomain"
  1895. return 1
  1896. fi
  1897. )
  1898. if [ "$?" != "0" ] ; then
  1899. _clearup
  1900. _on_issue_err
  1901. return 1
  1902. fi
  1903. dnsadded='1'
  1904. fi
  1905. done
  1906. if [ "$dnsadded" = '0' ] ; then
  1907. _savedomainconf "Le_Vlist" "$vlist"
  1908. _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
  1909. _err "Please add the TXT records to the domains, and retry again."
  1910. _clearup
  1911. _on_issue_err
  1912. return 1
  1913. fi
  1914. fi
  1915. if [ "$dnsadded" = '1' ] ; then
  1916. if [ -z "$Le_DNSSleep" ] ; then
  1917. Le_DNSSleep=$DEFAULT_DNS_SLEEP
  1918. else
  1919. _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
  1920. fi
  1921. _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
  1922. _sleep $Le_DNSSleep
  1923. fi
  1924. _debug "ok, let's start to verify"
  1925. _ncIndex=1
  1926. ventries=$(echo "$vlist" | tr ',' ' ' )
  1927. for ventry in $ventries
  1928. do
  1929. d=$(echo $ventry | cut -d $sep -f 1)
  1930. keyauthorization=$(echo $ventry | cut -d $sep -f 2)
  1931. uri=$(echo $ventry | cut -d $sep -f 3)
  1932. vtype=$(echo $ventry | cut -d $sep -f 4)
  1933. _currentRoot=$(echo $ventry | cut -d $sep -f 5)
  1934. if [ "$keyauthorization" = "$STATE_VERIFIED" ] ; then
  1935. _info "$d is already verified, skip $vtype."
  1936. continue
  1937. fi
  1938. _info "Verifying:$d"
  1939. _debug "d" "$d"
  1940. _debug "keyauthorization" "$keyauthorization"
  1941. _debug "uri" "$uri"
  1942. removelevel=""
  1943. token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
  1944. _debug "_currentRoot" "$_currentRoot"
  1945. if [ "$vtype" = "$VTYPE_HTTP" ] ; then
  1946. if [ "$_currentRoot" = "$NO_VALUE" ] ; then
  1947. _info "Standalone mode server"
  1948. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex" )"
  1949. _ncIndex="$(_math $_ncIndex + 1)"
  1950. _startserver "$keyauthorization" "$_ncaddr" &
  1951. if [ "$?" != "0" ] ; then
  1952. _clearup
  1953. _on_issue_err
  1954. return 1
  1955. fi
  1956. serverproc="$!"
  1957. sleep 2
  1958. _debug serverproc $serverproc
  1959. else
  1960. if [ "$_currentRoot" = "apache" ] ; then
  1961. wellknown_path="$ACME_DIR"
  1962. else
  1963. wellknown_path="$_currentRoot/.well-known/acme-challenge"
  1964. if [ ! -d "$_currentRoot/.well-known" ] ; then
  1965. removelevel='1'
  1966. elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ] ; then
  1967. removelevel='2'
  1968. else
  1969. removelevel='3'
  1970. fi
  1971. fi
  1972. _debug wellknown_path "$wellknown_path"
  1973. _debug "writing token:$token to $wellknown_path/$token"
  1974. mkdir -p "$wellknown_path"
  1975. printf "%s" "$keyauthorization" > "$wellknown_path/$token"
  1976. if [ ! "$usingApache" ] ; then
  1977. if webroot_owner=$(_stat $_currentRoot) ; then
  1978. _debug "Changing owner/group of .well-known to $webroot_owner"
  1979. chown -R $webroot_owner "$_currentRoot/.well-known"
  1980. else
  1981. _debug "not chaning owner/group of webroot";
  1982. fi
  1983. fi
  1984. fi
  1985. elif [ "$vtype" = "$VTYPE_TLS" ] ; then
  1986. #create A
  1987. #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
  1988. #_debug2 _hash_A "$_hash_A"
  1989. #_x="$(echo $_hash_A | cut -c 1-32)"
  1990. #_debug2 _x "$_x"
  1991. #_y="$(echo $_hash_A | cut -c 33-64)"
  1992. #_debug2 _y "$_y"
  1993. #_SAN_A="$_x.$_y.token.acme.invalid"
  1994. #_debug2 _SAN_A "$_SAN_A"
  1995. #create B
  1996. _hash_B="$(printf "%s" $keyauthorization | _digest "sha256" "hex" )"
  1997. _debug2 _hash_B "$_hash_B"
  1998. _x="$(echo $_hash_B | cut -c 1-32)"
  1999. _debug2 _x "$_x"
  2000. _y="$(echo $_hash_B | cut -c 33-64)"
  2001. _debug2 _y "$_y"
  2002. #_SAN_B="$_x.$_y.ka.acme.invalid"
  2003. _SAN_B="$_x.$_y.acme.invalid"
  2004. _debug2 _SAN_B "$_SAN_B"
  2005. _ncaddr="$(_getfield "$Le_LocalAddress" "$_ncIndex" )"
  2006. _ncIndex="$(_math $_ncIndex + 1)"
  2007. if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
  2008. _err "Start tls server error."
  2009. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2010. _clearup
  2011. _on_issue_err
  2012. return 1
  2013. fi
  2014. fi
  2015. if ! _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" ; then
  2016. _err "$d:Can not get challenge: $response"
  2017. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2018. _clearup
  2019. _on_issue_err
  2020. return 1
  2021. fi
  2022. if [ ! -z "$code" ] && [ ! "$code" = '202' ] ; then
  2023. _err "$d:Challenge error: $response"
  2024. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2025. _clearup
  2026. _on_issue_err
  2027. return 1
  2028. fi
  2029. waittimes=0
  2030. if [ -z "$MAX_RETRY_TIMES" ] ; then
  2031. MAX_RETRY_TIMES=30
  2032. fi
  2033. while true ; do
  2034. waittimes=$(_math $waittimes + 1)
  2035. if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ] ; then
  2036. _err "$d:Timeout"
  2037. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2038. _clearup
  2039. _on_issue_err
  2040. return 1
  2041. fi
  2042. _debug "sleep 5 secs to verify"
  2043. sleep 5
  2044. _debug "checking"
  2045. response="$(_get $uri)"
  2046. if [ "$?" != "0" ] ; then
  2047. _err "$d:Verify error:$response"
  2048. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2049. _clearup
  2050. _on_issue_err
  2051. return 1
  2052. fi
  2053. _debug2 original "$response"
  2054. response="$(echo "$response" | _normalizeJson )"
  2055. _debug2 response "$response"
  2056. status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
  2057. if [ "$status" = "valid" ] ; then
  2058. _info "Success"
  2059. _stopserver $serverproc
  2060. serverproc=""
  2061. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2062. break;
  2063. fi
  2064. if [ "$status" = "invalid" ] ; then
  2065. error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
  2066. _debug2 error "$error"
  2067. errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
  2068. _debug2 errordetail "$errordetail"
  2069. if [ "$errordetail" ] ; then
  2070. _err "$d:Verify error:$errordetail"
  2071. else
  2072. _err "$d:Verify error:$error"
  2073. fi
  2074. if [ "$DEBUG" ] ; then
  2075. if [ "$vtype" = "$VTYPE_HTTP" ] ; then
  2076. _debug "Debug: get token url."
  2077. _get "http://$d/.well-known/acme-challenge/$token" "" 1
  2078. fi
  2079. fi
  2080. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2081. _clearup
  2082. _on_issue_err
  2083. return 1;
  2084. fi
  2085. if [ "$status" = "pending" ] ; then
  2086. _info "Pending"
  2087. else
  2088. _err "$d:Verify error:$response"
  2089. _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
  2090. _clearup
  2091. _on_issue_err
  2092. return 1
  2093. fi
  2094. done
  2095. done
  2096. _clearup
  2097. _info "Verify finished, start to sign."
  2098. der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _urlencode)"
  2099. if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" ; then
  2100. _err "Sign failed."
  2101. _on_issue_err
  2102. return 1
  2103. fi
  2104. _rcert="$response"
  2105. Le_LinkCert="$(grep -i '^Location.*$' $HTTP_HEADER | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
  2106. _savedomainconf "Le_LinkCert" "$Le_LinkCert"
  2107. if [ "$Le_LinkCert" ] ; then
  2108. echo "$BEGIN_CERT" > "$CERT_PATH"
  2109. if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
  2110. _debug "Get cert failed. Let's try last response."
  2111. printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
  2112. fi
  2113. echo "$END_CERT" >> "$CERT_PATH"
  2114. _info "$(__green "Cert success.")"
  2115. cat "$CERT_PATH"
  2116. _info "Your cert is in $( __green " $CERT_PATH ")"
  2117. if [ -f "$CERT_KEY_PATH" ] ; then
  2118. _info "Your cert key is in $( __green " $CERT_KEY_PATH ")"
  2119. fi
  2120. cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
  2121. if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ] ; then
  2122. USER_PATH="$PATH"
  2123. _saveaccountconf "USER_PATH" "$USER_PATH"
  2124. fi
  2125. fi
  2126. if [ -z "$Le_LinkCert" ] ; then
  2127. response="$(echo $response | _dbase64 "multiline" | _normalizeJson )"
  2128. _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
  2129. _on_issue_err
  2130. return 1
  2131. fi
  2132. _cleardomainconf "Le_Vlist"
  2133. Le_LinkIssuer=$(grep -i '^Link' $HTTP_HEADER | _head_n 1 | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' )
  2134. if ! _contains "$Le_LinkIssuer" ":" ; then
  2135. Le_LinkIssuer="$API$Le_LinkIssuer"
  2136. fi
  2137. _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
  2138. if [ "$Le_LinkIssuer" ] ; then
  2139. echo "$BEGIN_CERT" > "$CA_CERT_PATH"
  2140. _get "$Le_LinkIssuer" | _base64 "multiline" >> "$CA_CERT_PATH"
  2141. echo "$END_CERT" >> "$CA_CERT_PATH"
  2142. _info "The intermediate CA cert is in $( __green " $CA_CERT_PATH ")"
  2143. cat "$CA_CERT_PATH" >> "$CERT_FULLCHAIN_PATH"
  2144. _info "And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH ")"
  2145. fi
  2146. Le_CertCreateTime=$(_time)
  2147. _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
  2148. Le_CertCreateTimeStr=$(date -u )
  2149. _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
  2150. if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ] ; then
  2151. Le_RenewalDays=$MAX_RENEW
  2152. else
  2153. _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
  2154. fi
  2155. if [ "$CA_BUNDLE" ] ; then
  2156. _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
  2157. else
  2158. _clearaccountconf "CA_BUNDLE"
  2159. fi
  2160. if [ "$HTTPS_INSECURE" ] ; then
  2161. _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
  2162. else
  2163. _clearaccountconf "HTTPS_INSECURE"
  2164. fi
  2165. if [ "$Le_Listen_V4" ] ; then
  2166. _savedomainconf "Le_Listen_V4" "$Le_Listen_V4"
  2167. _cleardomainconf Le_Listen_V6
  2168. elif [ "$Le_Listen_V6" ] ; then
  2169. _savedomainconf "Le_Listen_V6" "$Le_Listen_V6"
  2170. _cleardomainconf Le_Listen_V4
  2171. fi
  2172. Le_NextRenewTime=$(_math $Le_CertCreateTime + $Le_RenewalDays \* 24 \* 60 \* 60)
  2173. Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime )
  2174. _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  2175. Le_NextRenewTime=$(_math $Le_NextRenewTime - 86400)
  2176. _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  2177. _on_issue_success
  2178. if [ "$Le_RealCertPath$Le_RealKeyPath$Le_RealCACertPath$Le_ReloadCmd$Le_RealFullChainPath" ] ; then
  2179. _installcert
  2180. fi
  2181. }
  2182. #domain [isEcc]
  2183. renew() {
  2184. Le_Domain="$1"
  2185. if [ -z "$Le_Domain" ] ; then
  2186. _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
  2187. return 1
  2188. fi
  2189. _isEcc="$2"
  2190. _initpath $Le_Domain "$_isEcc"
  2191. _info "$(__green "Renew: '$Le_Domain'")"
  2192. if [ ! -f "$DOMAIN_CONF" ] ; then
  2193. _info "'$Le_Domain' is not a issued domain, skip."
  2194. return 0;
  2195. fi
  2196. if [ "$Le_RenewalDays" ] ; then
  2197. _savedomainconf Le_RenewalDays "$Le_RenewalDays"
  2198. fi
  2199. . "$DOMAIN_CONF"
  2200. if [ "$Le_API" ] ; then
  2201. API="$Le_API"
  2202. fi
  2203. if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ] ; then
  2204. _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
  2205. _info "Add '$(__red '--force')' to force to renew."
  2206. return $RENEW_SKIP
  2207. fi
  2208. IS_RENEW="1"
  2209. issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
  2210. res=$?
  2211. IS_RENEW=""
  2212. return $res
  2213. }
  2214. #renewAll [stopRenewOnError]
  2215. renewAll() {
  2216. _initpath
  2217. _stopRenewOnError="$1"
  2218. _debug "_stopRenewOnError" "$_stopRenewOnError"
  2219. _ret="0"
  2220. for d in $(ls -F ${CERT_HOME}/ | grep [^.].*[.].*/$ ) ; do
  2221. d=$(echo $d | cut -d '/' -f 1)
  2222. (
  2223. if _endswith $d "$ECC_SUFFIX" ; then
  2224. _isEcc=$(echo $d | cut -d "$ECC_SEP" -f 2)
  2225. d=$(echo $d | cut -d "$ECC_SEP" -f 1)
  2226. fi
  2227. renew "$d" "$_isEcc"
  2228. )
  2229. rc="$?"
  2230. _debug "Return code: $rc"
  2231. if [ "$rc" != "0" ] ; then
  2232. if [ "$rc" = "$RENEW_SKIP" ] ; then
  2233. _info "Skipped $d"
  2234. elif [ "$_stopRenewOnError" ] ; then
  2235. _err "Error renew $d, stop now."
  2236. return $rc
  2237. else
  2238. _ret="$rc"
  2239. _err "Error renew $d, Go ahead to next one."
  2240. fi
  2241. fi
  2242. done
  2243. return $_ret
  2244. }
  2245. #csr webroot
  2246. signcsr(){
  2247. _csrfile="$1"
  2248. _csrW="$2"
  2249. if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
  2250. _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
  2251. return 1
  2252. fi
  2253. _initpath
  2254. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2255. if [ "$?" != "0" ] ; then
  2256. _err "Can not read subject from csr: $_csrfile"
  2257. return 1
  2258. fi
  2259. _debug _csrsubj "$_csrsubj"
  2260. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2261. if [ "$?" != "0" ] ; then
  2262. _err "Can not read domain list from csr: $_csrfile"
  2263. return 1
  2264. fi
  2265. _debug "_csrdomainlist" "$_csrdomainlist"
  2266. if [ -z "$_csrsubj" ] ; then
  2267. _csrsubj="$(_getfield "$_csrdomainlist" 1)"
  2268. _debug _csrsubj "$_csrsubj"
  2269. _csrdomainlist="$(echo "$_csrdomainlist" | cut -d , -f 2-)"
  2270. _debug "_csrdomainlist" "$_csrdomainlist"
  2271. fi
  2272. if [ -z "$_csrsubj" ] ; then
  2273. _err "Can not read subject from csr: $_csrfile"
  2274. return 1
  2275. fi
  2276. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2277. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ] ; then
  2278. _err "Can not read key length from csr: $_csrfile"
  2279. return 1
  2280. fi
  2281. _initpath "$_csrsubj" "$_csrkeylength"
  2282. mkdir -p "$DOMAIN_PATH"
  2283. _info "Copy csr to: $CSR_PATH"
  2284. cp "$_csrfile" "$CSR_PATH"
  2285. issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
  2286. }
  2287. showcsr() {
  2288. _csrfile="$1"
  2289. _csrd="$2"
  2290. if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
  2291. _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
  2292. return 1
  2293. fi
  2294. _initpath
  2295. _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  2296. if [ "$?" != "0" ] || [ -z "$_csrsubj" ] ; then
  2297. _err "Can not read subject from csr: $_csrfile"
  2298. return 1
  2299. fi
  2300. _info "Subject=$_csrsubj"
  2301. _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
  2302. if [ "$?" != "0" ] ; then
  2303. _err "Can not read domain list from csr: $_csrfile"
  2304. return 1
  2305. fi
  2306. _debug "_csrdomainlist" "$_csrdomainlist"
  2307. _info "SubjectAltNames=$_csrdomainlist"
  2308. _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
  2309. if [ "$?" != "0" ] || [ -z "$_csrkeylength" ] ; then
  2310. _err "Can not read key length from csr: $_csrfile"
  2311. return 1
  2312. fi
  2313. _info "KeyLength=$_csrkeylength"
  2314. }
  2315. list() {
  2316. _raw="$1"
  2317. _initpath
  2318. _sep="|"
  2319. if [ "$_raw" ] ; then
  2320. printf "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew\n"
  2321. for d in $(ls -F ${CERT_HOME}/ | grep [^.].*[.].*/$ ) ; do
  2322. d=$(echo $d | cut -d '/' -f 1)
  2323. (
  2324. if _endswith $d "$ECC_SUFFIX" ; then
  2325. _isEcc=$(echo $d | cut -d "$ECC_SEP" -f 2)
  2326. d=$(echo $d | cut -d "$ECC_SEP" -f 1)
  2327. fi
  2328. _initpath $d "$_isEcc"
  2329. if [ -f "$DOMAIN_CONF" ] ; then
  2330. . "$DOMAIN_CONF"
  2331. printf "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr\n"
  2332. fi
  2333. )
  2334. done
  2335. else
  2336. if _exists column ; then
  2337. list "raw" | column -t -s "$_sep"
  2338. else
  2339. list "raw" | tr "$_sep" '\t'
  2340. fi
  2341. fi
  2342. }
  2343. installcert() {
  2344. Le_Domain="$1"
  2345. if [ -z "$Le_Domain" ] ; then
  2346. _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--certpath cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
  2347. return 1
  2348. fi
  2349. Le_RealCertPath="$2"
  2350. Le_RealKeyPath="$3"
  2351. Le_RealCACertPath="$4"
  2352. Le_ReloadCmd="$5"
  2353. Le_RealFullChainPath="$6"
  2354. _isEcc="$7"
  2355. _initpath $Le_Domain "$_isEcc"
  2356. if [ ! -d "$DOMAIN_PATH" ] ; then
  2357. _err "Domain is not valid:'$Le_Domain'"
  2358. return 1
  2359. fi
  2360. _installcert
  2361. }
  2362. _installcert() {
  2363. _savedomainconf "Le_RealCertPath" "$Le_RealCertPath"
  2364. _savedomainconf "Le_RealCACertPath" "$Le_RealCACertPath"
  2365. _savedomainconf "Le_RealKeyPath" "$Le_RealKeyPath"
  2366. _savedomainconf "Le_ReloadCmd" "$Le_ReloadCmd"
  2367. _savedomainconf "Le_RealFullChainPath" "$Le_RealFullChainPath"
  2368. if [ "$Le_RealCertPath" = "$NO_VALUE" ] ; then
  2369. Le_RealCertPath=""
  2370. fi
  2371. if [ "$Le_RealKeyPath" = "$NO_VALUE" ] ; then
  2372. Le_RealKeyPath=""
  2373. fi
  2374. if [ "$Le_RealCACertPath" = "$NO_VALUE" ] ; then
  2375. Le_RealCACertPath=""
  2376. fi
  2377. if [ "$Le_ReloadCmd" = "$NO_VALUE" ] ; then
  2378. Le_ReloadCmd=""
  2379. fi
  2380. if [ "$Le_RealFullChainPath" = "$NO_VALUE" ] ; then
  2381. Le_RealFullChainPath=""
  2382. fi
  2383. _installed="0"
  2384. if [ "$Le_RealCertPath" ] ; then
  2385. _installed=1
  2386. _info "Installing cert to:$Le_RealCertPath"
  2387. if [ -f "$Le_RealCertPath" ] && [ ! "$IS_RENEW" ] ; then
  2388. cp "$Le_RealCertPath" "$Le_RealCertPath".bak
  2389. fi
  2390. cat "$CERT_PATH" > "$Le_RealCertPath"
  2391. fi
  2392. if [ "$Le_RealCACertPath" ] ; then
  2393. _installed=1
  2394. _info "Installing CA to:$Le_RealCACertPath"
  2395. if [ "$Le_RealCACertPath" = "$Le_RealCertPath" ] ; then
  2396. echo "" >> "$Le_RealCACertPath"
  2397. cat "$CA_CERT_PATH" >> "$Le_RealCACertPath"
  2398. else
  2399. if [ -f "$Le_RealCACertPath" ] && [ ! "$IS_RENEW" ] ; then
  2400. cp "$Le_RealCACertPath" "$Le_RealCACertPath".bak
  2401. fi
  2402. cat "$CA_CERT_PATH" > "$Le_RealCACertPath"
  2403. fi
  2404. fi
  2405. if [ "$Le_RealKeyPath" ] ; then
  2406. _installed=1
  2407. _info "Installing key to:$Le_RealKeyPath"
  2408. if [ -f "$Le_RealKeyPath" ] && [ ! "$IS_RENEW" ] ; then
  2409. cp "$Le_RealKeyPath" "$Le_RealKeyPath".bak
  2410. fi
  2411. cat "$CERT_KEY_PATH" > "$Le_RealKeyPath"
  2412. fi
  2413. if [ "$Le_RealFullChainPath" ] ; then
  2414. _installed=1
  2415. _info "Installing full chain to:$Le_RealFullChainPath"
  2416. if [ -f "$Le_RealFullChainPath" ] && [ ! "$IS_RENEW" ] ; then
  2417. cp "$Le_RealFullChainPath" "$Le_RealFullChainPath".bak
  2418. fi
  2419. cat "$CERT_FULLCHAIN_PATH" > "$Le_RealFullChainPath"
  2420. fi
  2421. if [ "$Le_ReloadCmd" ] ; then
  2422. _installed=1
  2423. _info "Run Le_ReloadCmd: $Le_ReloadCmd"
  2424. if (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") ; then
  2425. _info "$(__green "Reload success")"
  2426. else
  2427. _err "Reload error for :$Le_Domain"
  2428. fi
  2429. fi
  2430. }
  2431. installcronjob() {
  2432. _initpath
  2433. if ! _exists "crontab" ; then
  2434. _err "crontab doesn't exist, so, we can not install cron jobs."
  2435. _err "All your certs will not be renewed automatically."
  2436. _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
  2437. return 1
  2438. fi
  2439. _info "Installing cron job"
  2440. if ! crontab -l | grep "$PROJECT_ENTRY --cron" ; then
  2441. if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ] ; then
  2442. lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
  2443. else
  2444. _err "Can not install cronjob, $PROJECT_ENTRY not found."
  2445. return 1
  2446. fi
  2447. if _exists uname && uname -a | grep solaris >/dev/null ; then
  2448. crontab -l | { cat; echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"; } | crontab --
  2449. else
  2450. crontab -l | { cat; echo "0 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"; } | crontab -
  2451. fi
  2452. fi
  2453. if [ "$?" != "0" ] ; then
  2454. _err "Install cron job failed. You need to manually renew your certs."
  2455. _err "Or you can add cronjob by yourself:"
  2456. _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
  2457. return 1
  2458. fi
  2459. }
  2460. uninstallcronjob() {
  2461. if ! _exists "crontab" ; then
  2462. return
  2463. fi
  2464. _info "Removing cron job"
  2465. cr="$(crontab -l | grep "$PROJECT_ENTRY --cron")"
  2466. if [ "$cr" ] ; then
  2467. if _exists uname && uname -a | grep solaris >/dev/null ; then
  2468. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab --
  2469. else
  2470. crontab -l | sed "/$PROJECT_ENTRY --cron/d" | crontab -
  2471. fi
  2472. LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
  2473. _info LE_WORKING_DIR "$LE_WORKING_DIR"
  2474. fi
  2475. _initpath
  2476. }
  2477. revoke() {
  2478. Le_Domain="$1"
  2479. if [ -z "$Le_Domain" ] ; then
  2480. _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com"
  2481. return 1
  2482. fi
  2483. _isEcc="$2"
  2484. _initpath $Le_Domain "$_isEcc"
  2485. if [ ! -f "$DOMAIN_CONF" ] ; then
  2486. _err "$Le_Domain is not a issued domain, skip."
  2487. return 1;
  2488. fi
  2489. if [ ! -f "$CERT_PATH" ] ; then
  2490. _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
  2491. return 1
  2492. fi
  2493. cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}"| tr -d "\r\n" | _urlencode)"
  2494. if [ -z "$cert" ] ; then
  2495. _err "Cert for $Le_Domain is empty found, skip."
  2496. return 1
  2497. fi
  2498. data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
  2499. uri="$API/acme/revoke-cert"
  2500. _info "Try domain key first."
  2501. if _send_signed_request $uri "$data" "" "$CERT_KEY_PATH"; then
  2502. if [ -z "$response" ] ; then
  2503. _info "Revoke success."
  2504. rm -f $CERT_PATH
  2505. return 0
  2506. else
  2507. _err "Revoke error by domain key."
  2508. _err "$response"
  2509. fi
  2510. fi
  2511. _info "Then try account key."
  2512. if _send_signed_request $uri "$data" "" "$ACCOUNT_KEY_PATH" ; then
  2513. if [ -z "$response" ] ; then
  2514. _info "Revoke success."
  2515. rm -f $CERT_PATH
  2516. return 0
  2517. else
  2518. _err "Revoke error."
  2519. _debug "$response"
  2520. fi
  2521. fi
  2522. return 1
  2523. }
  2524. #domain vtype
  2525. _deactivate() {
  2526. _d_domain="$1"
  2527. _d_type="$2"
  2528. _initpath
  2529. _d_i=0
  2530. _d_max_retry=9
  2531. while [ "$_d_i" -lt "$_d_max_retry" ] ;
  2532. do
  2533. _info "Deactivate: $_d_domain"
  2534. _d_i="$(_math $_d_i + 1)"
  2535. if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$_d_domain\"}}" ; then
  2536. _err "Can not get domain token."
  2537. return 1
  2538. fi
  2539. authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
  2540. _debug "authzUri" "$authzUri"
  2541. if [ ! -z "$code" ] && [ ! "$code" = '201' ] ; then
  2542. _err "new-authz error: $response"
  2543. return 1
  2544. fi
  2545. entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"status":"valid","uri"[^\}]*')"
  2546. _debug entry "$entry"
  2547. if [ -z "$entry" ] ; then
  2548. _info "No more valid entry found."
  2549. break
  2550. fi
  2551. _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
  2552. _debug _vtype $_vtype
  2553. _info "Found $_vtype"
  2554. uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )"
  2555. _debug uri $uri
  2556. if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ] ; then
  2557. _info "Skip $_vtype"
  2558. continue
  2559. fi
  2560. _info "Deactivate: $_vtype"
  2561. if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}" ; then
  2562. _err "Can not deactivate $_vtype."
  2563. return 1
  2564. fi
  2565. _info "Deactivate: $_vtype success."
  2566. done
  2567. _debug "$_d_i"
  2568. if [ "$_d_i" -lt "$_d_max_retry" ] ; then
  2569. _info "Deactivated success!"
  2570. else
  2571. _err "Deactivate failed."
  2572. fi
  2573. }
  2574. deactivate() {
  2575. _d_domain_list="$1"
  2576. _d_type="$2"
  2577. _initpath
  2578. _debug _d_domain_list "$_d_domain_list"
  2579. if [ -z "$(echo $_d_domain_list | cut -d , -f 1 )" ] ; then
  2580. _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
  2581. return 1
  2582. fi
  2583. for _d_dm in $(echo "$_d_domain_list" | tr ',' ' ' ) ;
  2584. do
  2585. if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ] ; then
  2586. continue
  2587. fi
  2588. if ! _deactivate "$_d_dm" $_d_type ; then
  2589. return 1
  2590. fi
  2591. done
  2592. }
  2593. # Detect profile file if not specified as environment variable
  2594. _detect_profile() {
  2595. if [ -n "$PROFILE" -a -f "$PROFILE" ] ; then
  2596. echo "$PROFILE"
  2597. return
  2598. fi
  2599. DETECTED_PROFILE=''
  2600. SHELLTYPE="$(basename "/$SHELL")"
  2601. if [ "$SHELLTYPE" = "bash" ] ; then
  2602. if [ -f "$HOME/.bashrc" ] ; then
  2603. DETECTED_PROFILE="$HOME/.bashrc"
  2604. elif [ -f "$HOME/.bash_profile" ] ; then
  2605. DETECTED_PROFILE="$HOME/.bash_profile"
  2606. fi
  2607. elif [ "$SHELLTYPE" = "zsh" ] ; then
  2608. DETECTED_PROFILE="$HOME/.zshrc"
  2609. fi
  2610. if [ -z "$DETECTED_PROFILE" ] ; then
  2611. if [ -f "$HOME/.profile" ] ; then
  2612. DETECTED_PROFILE="$HOME/.profile"
  2613. elif [ -f "$HOME/.bashrc" ] ; then
  2614. DETECTED_PROFILE="$HOME/.bashrc"
  2615. elif [ -f "$HOME/.bash_profile" ] ; then
  2616. DETECTED_PROFILE="$HOME/.bash_profile"
  2617. elif [ -f "$HOME/.zshrc" ] ; then
  2618. DETECTED_PROFILE="$HOME/.zshrc"
  2619. fi
  2620. fi
  2621. if [ ! -z "$DETECTED_PROFILE" ] ; then
  2622. echo "$DETECTED_PROFILE"
  2623. fi
  2624. }
  2625. _initconf() {
  2626. _initpath
  2627. if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
  2628. echo "#ACCOUNT_CONF_PATH=xxxx
  2629. #Account configurations:
  2630. #Here are the supported macros, uncomment them to make them take effect.
  2631. #ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account.
  2632. #ACCOUNT_KEY_PATH=\"/path/to/account.key\"
  2633. #CERT_HOME=\"/path/to/cert/home\"
  2634. #LOG_FILE=\"$DEFAULT_LOG_FILE\"
  2635. #LOG_LEVEL=1
  2636. #AUTO_UPGRADE=\"1\"
  2637. #STAGE=1 # Use the staging api
  2638. #FORCE=1 # Force to issue cert
  2639. #DEBUG=1 # Debug mode
  2640. #USER_AGENT=\"$USER_AGENT\"
  2641. #USER_PATH=""
  2642. #dns api
  2643. #######################
  2644. #Cloudflare:
  2645. #api key
  2646. #CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"
  2647. #account email
  2648. #CF_Email=\"xxxx@sss.com\"
  2649. #######################
  2650. #Dnspod.cn:
  2651. #api key id
  2652. #DP_Id=\"1234\"
  2653. #api key
  2654. #DP_Key=\"sADDsdasdgdsf\"
  2655. #######################
  2656. #Cloudxns.com:
  2657. #CX_Key=\"1234\"
  2658. #
  2659. #CX_Secret=\"sADDsdasdgdsf\"
  2660. #######################
  2661. #Godaddy.com:
  2662. #GD_Key=\"sdfdsgdgdfdasfds\"
  2663. #
  2664. #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
  2665. #######################
  2666. #PowerDNS:
  2667. #PDNS_Url=\"http://ns.example.com:8081\"
  2668. #PDNS_ServerId=\"localhost\"
  2669. #PDNS_Token=\"0123456789ABCDEF\"
  2670. #PDNS_Ttl=60
  2671. " > $ACCOUNT_CONF_PATH
  2672. fi
  2673. }
  2674. # nocron
  2675. _precheck() {
  2676. _nocron="$1"
  2677. if ! _exists "curl" && ! _exists "wget"; then
  2678. _err "Please install curl or wget first, we need to access http resources."
  2679. return 1
  2680. fi
  2681. if [ -z "$_nocron" ] ; then
  2682. if ! _exists "crontab" ; then
  2683. _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
  2684. _err "We need to set cron job to renew the certs automatically."
  2685. _err "Otherwise, your certs will not be able to be renewed automatically."
  2686. if [ -z "$FORCE" ] ; then
  2687. _err "Please add '--force' and try install again to go without crontab."
  2688. _err "./$PROJECT_ENTRY --install --force"
  2689. return 1
  2690. fi
  2691. fi
  2692. fi
  2693. if ! _exists "openssl" ; then
  2694. _err "Please install openssl first."
  2695. _err "We need openssl to generate keys."
  2696. return 1
  2697. fi
  2698. if ! _exists "nc" ; then
  2699. _err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
  2700. _err "We use nc for standalone server if you use standalone mode."
  2701. _err "If you don't use standalone mode, just ignore this warning."
  2702. fi
  2703. return 0
  2704. }
  2705. _setShebang() {
  2706. _file="$1"
  2707. _shebang="$2"
  2708. if [ -z "$_shebang" ] ; then
  2709. _usage "Usage: file shebang"
  2710. return 1
  2711. fi
  2712. cp "$_file" "$_file.tmp"
  2713. echo "$_shebang" > "$_file"
  2714. sed -n 2,99999p "$_file.tmp" >> "$_file"
  2715. rm -f "$_file.tmp"
  2716. }
  2717. _installalias() {
  2718. _initpath
  2719. _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  2720. if [ "$_upgrading" ] && [ "$_upgrading" = "1" ] ; then
  2721. echo "$(cat $_envfile)" | sed "s|^LE_WORKING_DIR.*$||" > "$_envfile"
  2722. echo "$(cat $_envfile)" | sed "s|^alias le.*$||" > "$_envfile"
  2723. echo "$(cat $_envfile)" | sed "s|^alias le.sh.*$||" > "$_envfile"
  2724. fi
  2725. _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
  2726. _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2727. _profile="$(_detect_profile)"
  2728. if [ "$_profile" ] ; then
  2729. _debug "Found profile: $_profile"
  2730. _setopt "$_profile" ". \"$_envfile\""
  2731. _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
  2732. else
  2733. _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
  2734. fi
  2735. #for csh
  2736. _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
  2737. _csh_profile="$HOME/.cshrc"
  2738. if [ -f "$_csh_profile" ] ; then
  2739. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  2740. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2741. _setopt "$_csh_profile" "source \"$_cshfile\""
  2742. fi
  2743. #for tcsh
  2744. _tcsh_profile="$HOME/.tcshrc"
  2745. if [ -f "$_tcsh_profile" ] ; then
  2746. _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
  2747. _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY\""
  2748. _setopt "$_tcsh_profile" "source \"$_cshfile\""
  2749. fi
  2750. }
  2751. # nocron
  2752. install() {
  2753. if [ -z "$LE_WORKING_DIR" ] ; then
  2754. LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
  2755. fi
  2756. _nocron="$1"
  2757. if ! _initpath ; then
  2758. _err "Install failed."
  2759. return 1
  2760. fi
  2761. if [ "$_nocron" ] ; then
  2762. _debug "Skip install cron job"
  2763. fi
  2764. if ! _precheck "$_nocron" ; then
  2765. _err "Pre-check failed, can not install."
  2766. return 1
  2767. fi
  2768. #convert from le
  2769. if [ -d "$HOME/.le" ] ; then
  2770. for envfile in "le.env" "le.sh.env"
  2771. do
  2772. if [ -f "$HOME/.le/$envfile" ] ; then
  2773. if grep "le.sh" "$HOME/.le/$envfile" >/dev/null ; then
  2774. _upgrading="1"
  2775. _info "You are upgrading from le.sh"
  2776. _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
  2777. mv "$HOME/.le" "$LE_WORKING_DIR"
  2778. mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
  2779. break;
  2780. fi
  2781. fi
  2782. done
  2783. fi
  2784. _info "Installing to $LE_WORKING_DIR"
  2785. if ! mkdir -p "$LE_WORKING_DIR" ; then
  2786. _err "Can not create working dir: $LE_WORKING_DIR"
  2787. return 1
  2788. fi
  2789. chmod 700 "$LE_WORKING_DIR"
  2790. cp $PROJECT_ENTRY "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
  2791. if [ "$?" != "0" ] ; then
  2792. _err "Install failed, can not copy $PROJECT_ENTRY"
  2793. return 1
  2794. fi
  2795. _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
  2796. _installalias
  2797. if [ -d "dnsapi" ] ; then
  2798. mkdir -p $LE_WORKING_DIR/dnsapi
  2799. cp dnsapi/* $LE_WORKING_DIR/dnsapi/
  2800. fi
  2801. if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then
  2802. _initconf
  2803. fi
  2804. if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ] ; then
  2805. _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
  2806. fi
  2807. if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ] ; then
  2808. _saveaccountconf "CERT_HOME" "$CERT_HOME"
  2809. fi
  2810. if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ] ; then
  2811. _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
  2812. fi
  2813. if [ -z "$_nocron" ] ; then
  2814. installcronjob
  2815. fi
  2816. if [ -z "$NO_DETECT_SH" ] ; then
  2817. #Modify shebang
  2818. if _exists bash ; then
  2819. _info "Good, bash is found, so change the shebang to use bash as prefered."
  2820. _shebang='#!/usr/bin/env bash'
  2821. _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
  2822. if [ -d "$LE_WORKING_DIR/dnsapi" ] ; then
  2823. for _apifile in $(ls "$LE_WORKING_DIR/dnsapi/"*.sh) ; do
  2824. _setShebang "$_apifile" "$_shebang"
  2825. done
  2826. fi
  2827. fi
  2828. fi
  2829. _info OK
  2830. }
  2831. # nocron
  2832. uninstall() {
  2833. _nocron="$1"
  2834. if [ -z "$_nocron" ] ; then
  2835. uninstallcronjob
  2836. fi
  2837. _initpath
  2838. _profile="$(_detect_profile)"
  2839. if [ "$_profile" ] ; then
  2840. text="$(cat $_profile)"
  2841. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" > "$_profile"
  2842. fi
  2843. _csh_profile="$HOME/.cshrc"
  2844. if [ -f "$_csh_profile" ] ; then
  2845. text="$(cat $_csh_profile)"
  2846. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_csh_profile"
  2847. fi
  2848. _tcsh_profile="$HOME/.tcshrc"
  2849. if [ -f "$_tcsh_profile" ] ; then
  2850. text="$(cat $_tcsh_profile)"
  2851. echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_tcsh_profile"
  2852. fi
  2853. rm -f $LE_WORKING_DIR/$PROJECT_ENTRY
  2854. _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself."
  2855. }
  2856. cron() {
  2857. IN_CRON=1
  2858. _initpath
  2859. if [ "$AUTO_UPGRADE" = "1" ] ; then
  2860. export LE_WORKING_DIR
  2861. (
  2862. if ! upgrade ; then
  2863. _err "Cron:Upgrade failed!"
  2864. return 1
  2865. fi
  2866. )
  2867. . $LE_WORKING_DIR/$PROJECT_ENTRY >/dev/null
  2868. if [ -t 1 ] ; then
  2869. __INTERACTIVE="1"
  2870. fi
  2871. _info "Auto upgraded to: $VER"
  2872. fi
  2873. renewAll
  2874. _ret="$?"
  2875. IN_CRON=""
  2876. exit $_ret
  2877. }
  2878. version() {
  2879. echo "$PROJECT"
  2880. echo "v$VER"
  2881. }
  2882. showhelp() {
  2883. _initpath
  2884. version
  2885. echo "Usage: $PROJECT_ENTRY command ...[parameters]....
  2886. Commands:
  2887. --help, -h Show this help message.
  2888. --version, -v Show version info.
  2889. --install Install $PROJECT_NAME to your system.
  2890. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
  2891. --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT .
  2892. --issue Issue a cert.
  2893. --signcsr Issue a cert from an existing csr.
  2894. --installcert Install the issued cert to apache/nginx or any other server.
  2895. --renew, -r Renew a cert.
  2896. --renewAll Renew all the certs.
  2897. --revoke Revoke a cert.
  2898. --list List all the certs.
  2899. --showcsr Show the content of a csr.
  2900. --installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  2901. --uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
  2902. --cron Run cron job to renew all the certs.
  2903. --toPkcs Export the certificate and key to a pfx file.
  2904. --updateaccount Update account info.
  2905. --registeraccount Register account key.
  2906. --createAccountKey, -cak Create an account private key, professional use.
  2907. --createDomainKey, -cdk Create an domain private key, professional use.
  2908. --createCSR, -ccsr Create CSR , professional use.
  2909. --deactivate Deactivate the domain authz, professional use.
  2910. Parameters:
  2911. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
  2912. --force, -f Used to force to install or force to renew a cert immediately.
  2913. --staging, --test Use staging server, just for test.
  2914. --debug Output debug info.
  2915. --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
  2916. --standalone Use standalone mode.
  2917. --tls Use standalone tls mode.
  2918. --apache Use apache mode.
  2919. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
  2920. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  2921. --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  2922. --accountkeylength, -ak [2048] Specifies the account key length.
  2923. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  2924. --log-level 1|2 Specifies the log level, default is 1.
  2925. These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
  2926. --certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
  2927. --keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
  2928. --capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
  2929. --fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
  2930. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  2931. --accountconf Specifies a customized account config file.
  2932. --home Specifies the home dir for $PROJECT_NAME .
  2933. --certhome Specifies the home dir to save all the certs, only valid for '--install' command.
  2934. --useragent Specifies the user agent string. it will be saved for future use too.
  2935. --accountemail Specifies the account email for registering, Only valid for the '--install' command.
  2936. --accountkey Specifies the account key path, Only valid for the '--install' command.
  2937. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
  2938. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  2939. --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  2940. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  2941. --listraw Only used for '--list' command, list the certs in raw format.
  2942. --stopRenewOnError, -se Only valid for '--renewall' command. Stop if one cert has error in renewal.
  2943. --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  2944. --ca-bundle Specifices the path to the CA certificate bundle to verify api server's certificate.
  2945. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  2946. --ecc Specifies to use the ECC cert. Valid for '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  2947. --csr Specifies the input csr.
  2948. --pre-hook Command to be run before obtaining any certificates.
  2949. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed.
  2950. --renew-hook Command to be run once for each successfully renewed certificate.
  2951. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
  2952. --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  2953. --listen-v4 Force standalone/tls server to listen at ipv4.
  2954. --listen-v6 Force standalone/tls server to listen at ipv6.
  2955. "
  2956. }
  2957. # nocron
  2958. _installOnline() {
  2959. _info "Installing from online archive."
  2960. _nocron="$1"
  2961. if [ ! "$BRANCH" ] ; then
  2962. BRANCH="master"
  2963. fi
  2964. target="$PROJECT/archive/$BRANCH.tar.gz"
  2965. _info "Downloading $target"
  2966. localname="$BRANCH.tar.gz"
  2967. if ! _get "$target" > $localname ; then
  2968. _err "Download error."
  2969. return 1
  2970. fi
  2971. (
  2972. _info "Extracting $localname"
  2973. tar xzf $localname
  2974. cd "$PROJECT_NAME-$BRANCH"
  2975. chmod +x $PROJECT_ENTRY
  2976. if ./$PROJECT_ENTRY install "$_nocron" ; then
  2977. _info "Install success!"
  2978. fi
  2979. cd ..
  2980. rm -rf "$PROJECT_NAME-$BRANCH"
  2981. rm -f "$localname"
  2982. )
  2983. }
  2984. upgrade() {
  2985. if (
  2986. _initpath
  2987. export LE_WORKING_DIR
  2988. cd "$LE_WORKING_DIR"
  2989. _installOnline "nocron"
  2990. ) ; then
  2991. _info "Upgrade success!"
  2992. exit 0
  2993. else
  2994. _err "Upgrade failed!"
  2995. exit 1
  2996. fi
  2997. }
  2998. _processAccountConf() {
  2999. if [ "$_useragent" ] ; then
  3000. _saveaccountconf "USER_AGENT" "$_useragent"
  3001. elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ] ; then
  3002. _saveaccountconf "USER_AGENT" "$USER_AGENT"
  3003. fi
  3004. if [ "$_accountemail" ] ; then
  3005. _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  3006. elif [ "$ACCOUNT_EMAIL" ] && [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ] ; then
  3007. _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
  3008. fi
  3009. if [ "$_auto_upgrade" ] ; then
  3010. _saveaccountconf "AUTO_UPGRADE" "$_auto_upgrade"
  3011. elif [ "$AUTO_UPGRADE" ] ; then
  3012. _saveaccountconf "AUTO_UPGRADE" "$AUTO_UPGRADE"
  3013. fi
  3014. }
  3015. _process() {
  3016. _CMD=""
  3017. _domain=""
  3018. _altdomains="$NO_VALUE"
  3019. _webroot=""
  3020. _keylength=""
  3021. _accountkeylength=""
  3022. _certpath=""
  3023. _keypath=""
  3024. _capath=""
  3025. _fullchainpath=""
  3026. _reloadcmd=""
  3027. _password=""
  3028. _accountconf=""
  3029. _useragent=""
  3030. _accountemail=""
  3031. _accountkey=""
  3032. _certhome=""
  3033. _httpport=""
  3034. _tlsport=""
  3035. _dnssleep=""
  3036. _listraw=""
  3037. _stopRenewOnError=""
  3038. _insecure=""
  3039. _ca_bundle=""
  3040. _nocron=""
  3041. _ecc=""
  3042. _csr=""
  3043. _pre_hook=""
  3044. _post_hook=""
  3045. _renew_hook=""
  3046. _logfile=""
  3047. _log=""
  3048. _local_address=""
  3049. _log_level=""
  3050. _auto_upgrade=""
  3051. _listen_v4=""
  3052. _listen_v6=""
  3053. while [ ${#} -gt 0 ] ; do
  3054. case "${1}" in
  3055. --help|-h)
  3056. showhelp
  3057. return
  3058. ;;
  3059. --version|-v)
  3060. version
  3061. return
  3062. ;;
  3063. --install)
  3064. _CMD="install"
  3065. ;;
  3066. --uninstall)
  3067. _CMD="uninstall"
  3068. ;;
  3069. --upgrade)
  3070. _CMD="upgrade"
  3071. ;;
  3072. --issue)
  3073. _CMD="issue"
  3074. ;;
  3075. --signcsr)
  3076. _CMD="signcsr"
  3077. ;;
  3078. --showcsr)
  3079. _CMD="showcsr"
  3080. ;;
  3081. --installcert|-i)
  3082. _CMD="installcert"
  3083. ;;
  3084. --renew|-r)
  3085. _CMD="renew"
  3086. ;;
  3087. --renewAll|--renewall)
  3088. _CMD="renewAll"
  3089. ;;
  3090. --revoke)
  3091. _CMD="revoke"
  3092. ;;
  3093. --list)
  3094. _CMD="list"
  3095. ;;
  3096. --installcronjob)
  3097. _CMD="installcronjob"
  3098. ;;
  3099. --uninstallcronjob)
  3100. _CMD="uninstallcronjob"
  3101. ;;
  3102. --cron)
  3103. _CMD="cron"
  3104. ;;
  3105. --toPkcs)
  3106. _CMD="toPkcs"
  3107. ;;
  3108. --createAccountKey|--createaccountkey|-cak)
  3109. _CMD="createAccountKey"
  3110. ;;
  3111. --createDomainKey|--createdomainkey|-cdk)
  3112. _CMD="createDomainKey"
  3113. ;;
  3114. --createCSR|--createcsr|-ccr)
  3115. _CMD="createCSR"
  3116. ;;
  3117. --deactivate)
  3118. _CMD="deactivate"
  3119. ;;
  3120. --updateaccount)
  3121. _CMD="updateaccount"
  3122. ;;
  3123. --registeraccount)
  3124. _CMD="registeraccount"
  3125. ;;
  3126. --domain|-d)
  3127. _dvalue="$2"
  3128. if [ "$_dvalue" ] ; then
  3129. if _startswith "$_dvalue" "-" ; then
  3130. _err "'$_dvalue' is not a valid domain for parameter '$1'"
  3131. return 1
  3132. fi
  3133. if [ -z "$_domain" ] ; then
  3134. _domain="$_dvalue"
  3135. else
  3136. if [ "$_altdomains" = "$NO_VALUE" ] ; then
  3137. _altdomains="$_dvalue"
  3138. else
  3139. _altdomains="$_altdomains,$_dvalue"
  3140. fi
  3141. fi
  3142. fi
  3143. shift
  3144. ;;
  3145. --force|-f)
  3146. FORCE="1"
  3147. ;;
  3148. --staging|--test)
  3149. STAGE="1"
  3150. ;;
  3151. --debug)
  3152. if [ -z "$2" ] || _startswith "$2" "-" ; then
  3153. DEBUG="1"
  3154. else
  3155. DEBUG="$2"
  3156. shift
  3157. fi
  3158. ;;
  3159. --webroot|-w)
  3160. wvalue="$2"
  3161. if [ -z "$_webroot" ] ; then
  3162. _webroot="$wvalue"
  3163. else
  3164. _webroot="$_webroot,$wvalue"
  3165. fi
  3166. shift
  3167. ;;
  3168. --standalone)
  3169. wvalue="$NO_VALUE"
  3170. if [ -z "$_webroot" ] ; then
  3171. _webroot="$wvalue"
  3172. else
  3173. _webroot="$_webroot,$wvalue"
  3174. fi
  3175. ;;
  3176. --local-address)
  3177. lvalue="$2"
  3178. _local_address="$_local_address$lvalue,"
  3179. shift
  3180. ;;
  3181. --apache)
  3182. wvalue="apache"
  3183. if [ -z "$_webroot" ] ; then
  3184. _webroot="$wvalue"
  3185. else
  3186. _webroot="$_webroot,$wvalue"
  3187. fi
  3188. ;;
  3189. --tls)
  3190. wvalue="$W_TLS"
  3191. if [ -z "$_webroot" ] ; then
  3192. _webroot="$wvalue"
  3193. else
  3194. _webroot="$_webroot,$wvalue"
  3195. fi
  3196. ;;
  3197. --dns)
  3198. wvalue="dns"
  3199. if ! _startswith "$2" "-" ; then
  3200. wvalue="$2"
  3201. shift
  3202. fi
  3203. if [ -z "$_webroot" ] ; then
  3204. _webroot="$wvalue"
  3205. else
  3206. _webroot="$_webroot,$wvalue"
  3207. fi
  3208. ;;
  3209. --dnssleep)
  3210. _dnssleep="$2"
  3211. Le_DNSSleep="$_dnssleep"
  3212. shift
  3213. ;;
  3214. --keylength|-k)
  3215. _keylength="$2"
  3216. if [ "$_accountkeylength" = "$NO_VALUE" ] ; then
  3217. _accountkeylength="$2"
  3218. fi
  3219. shift
  3220. ;;
  3221. --accountkeylength|-ak)
  3222. _accountkeylength="$2"
  3223. shift
  3224. ;;
  3225. --certpath)
  3226. _certpath="$2"
  3227. shift
  3228. ;;
  3229. --keypath)
  3230. _keypath="$2"
  3231. shift
  3232. ;;
  3233. --capath)
  3234. _capath="$2"
  3235. shift
  3236. ;;
  3237. --fullchainpath)
  3238. _fullchainpath="$2"
  3239. shift
  3240. ;;
  3241. --reloadcmd|--reloadCmd)
  3242. _reloadcmd="$2"
  3243. shift
  3244. ;;
  3245. --password)
  3246. _password="$2"
  3247. shift
  3248. ;;
  3249. --accountconf)
  3250. _accountconf="$2"
  3251. ACCOUNT_CONF_PATH="$_accountconf"
  3252. shift
  3253. ;;
  3254. --home)
  3255. LE_WORKING_DIR="$2"
  3256. shift
  3257. ;;
  3258. --certhome)
  3259. _certhome="$2"
  3260. CERT_HOME="$_certhome"
  3261. shift
  3262. ;;
  3263. --useragent)
  3264. _useragent="$2"
  3265. USER_AGENT="$_useragent"
  3266. shift
  3267. ;;
  3268. --accountemail )
  3269. _accountemail="$2"
  3270. ACCOUNT_EMAIL="$_accountemail"
  3271. shift
  3272. ;;
  3273. --accountkey )
  3274. _accountkey="$2"
  3275. ACCOUNT_KEY_PATH="$_accountkey"
  3276. shift
  3277. ;;
  3278. --days )
  3279. _days="$2"
  3280. Le_RenewalDays="$_days"
  3281. shift
  3282. ;;
  3283. --httpport )
  3284. _httpport="$2"
  3285. Le_HTTPPort="$_httpport"
  3286. shift
  3287. ;;
  3288. --tlsport )
  3289. _tlsport="$2"
  3290. Le_TLSPort="$_tlsport"
  3291. shift
  3292. ;;
  3293. --listraw )
  3294. _listraw="raw"
  3295. ;;
  3296. --stopRenewOnError|--stoprenewonerror|-se )
  3297. _stopRenewOnError="1"
  3298. ;;
  3299. --insecure)
  3300. _insecure="1"
  3301. HTTPS_INSECURE="1"
  3302. ;;
  3303. --ca-bundle)
  3304. _ca_bundle="$(readlink -f $2)"
  3305. CA_BUNDLE="$_ca_bundle"
  3306. shift
  3307. ;;
  3308. --nocron)
  3309. _nocron="1"
  3310. ;;
  3311. --ecc)
  3312. _ecc="isEcc"
  3313. ;;
  3314. --csr)
  3315. _csr="$2"
  3316. shift
  3317. ;;
  3318. --pre-hook)
  3319. _pre_hook="$2"
  3320. shift
  3321. ;;
  3322. --post-hook)
  3323. _post_hook="$2"
  3324. shift
  3325. ;;
  3326. --renew-hook)
  3327. _renew_hook="$2"
  3328. shift
  3329. ;;
  3330. --ocsp-must-staple|--ocsp)
  3331. Le_OCSP_Stable="1"
  3332. ;;
  3333. --log|--logfile)
  3334. _log="1"
  3335. _logfile="$2"
  3336. if _startswith "$_logfile" '-' ; then
  3337. _logfile=""
  3338. else
  3339. shift
  3340. fi
  3341. LOG_FILE="$_logfile"
  3342. if [ -z "$LOG_LEVEL" ] ; then
  3343. LOG_LEVEL="$DEFAULT_LOG_LEVEL"
  3344. fi
  3345. ;;
  3346. --log-level)
  3347. _log_level="$2"
  3348. LOG_LEVEL="$_log_level"
  3349. shift
  3350. ;;
  3351. --auto-upgrade)
  3352. _auto_upgrade="$2"
  3353. if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-' ; then
  3354. _auto_upgrade="1"
  3355. else
  3356. shift
  3357. fi
  3358. AUTO_UPGRADE="$_auto_upgrade"
  3359. ;;
  3360. --listen-v4)
  3361. _listen_v4="1"
  3362. Le_Listen_V4="$_listen_v4"
  3363. ;;
  3364. --listen-v6)
  3365. _listen_v6="1"
  3366. Le_Listen_V6="$_listen_v6"
  3367. ;;
  3368. *)
  3369. _err "Unknown parameter : $1"
  3370. return 1
  3371. ;;
  3372. esac
  3373. shift 1
  3374. done
  3375. if [ "${_CMD}" != "install" ] ; then
  3376. __initHome
  3377. if [ "$_log" ]; then
  3378. if [ -z "$_logfile" ] ; then
  3379. _logfile="$DEFAULT_LOG_FILE"
  3380. fi
  3381. fi
  3382. if [ "$_logfile" ] ; then
  3383. _saveaccountconf "LOG_FILE" "$_logfile"
  3384. LOG_FILE="$_logfile"
  3385. fi
  3386. if [ "$_log_level" ] ; then
  3387. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3388. LOG_LEVEL="$_log_level"
  3389. fi
  3390. _processAccountConf
  3391. fi
  3392. if [ "$DEBUG" ] ; then
  3393. version
  3394. fi
  3395. case "${_CMD}" in
  3396. install) install "$_nocron" ;;
  3397. uninstall) uninstall "$_nocron" ;;
  3398. upgrade) upgrade ;;
  3399. issue)
  3400. issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
  3401. ;;
  3402. signcsr)
  3403. signcsr "$_csr" "$_webroot"
  3404. ;;
  3405. showcsr)
  3406. showcsr "$_csr" "$_domain"
  3407. ;;
  3408. installcert)
  3409. installcert "$_domain" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_ecc"
  3410. ;;
  3411. renew)
  3412. renew "$_domain" "$_ecc"
  3413. ;;
  3414. renewAll)
  3415. renewAll "$_stopRenewOnError"
  3416. ;;
  3417. revoke)
  3418. revoke "$_domain" "$_ecc"
  3419. ;;
  3420. deactivate)
  3421. deactivate "$_domain,$_altdomains"
  3422. ;;
  3423. registeraccount)
  3424. registeraccount
  3425. ;;
  3426. updateaccount)
  3427. updateaccount
  3428. ;;
  3429. list)
  3430. list "$_listraw"
  3431. ;;
  3432. installcronjob) installcronjob ;;
  3433. uninstallcronjob) uninstallcronjob ;;
  3434. cron) cron ;;
  3435. toPkcs)
  3436. toPkcs "$_domain" "$_password" "$_ecc"
  3437. ;;
  3438. createAccountKey)
  3439. createAccountKey "$_accountkeylength"
  3440. ;;
  3441. createDomainKey)
  3442. createDomainKey "$_domain" "$_keylength"
  3443. ;;
  3444. createCSR)
  3445. createCSR "$_domain" "$_altdomains" "$_ecc"
  3446. ;;
  3447. *)
  3448. _err "Invalid command: $_CMD"
  3449. showhelp;
  3450. return 1
  3451. ;;
  3452. esac
  3453. _ret="$?"
  3454. if [ "$_ret" != "0" ] ; then
  3455. return $_ret
  3456. fi
  3457. if [ "${_CMD}" = "install" ] ; then
  3458. if [ "$_log" ] ; then
  3459. if [ -z "$LOG_FILE" ] ; then
  3460. LOG_FILE="$DEFAULT_LOG_FILE"
  3461. fi
  3462. _saveaccountconf "LOG_FILE" "$LOG_FILE"
  3463. fi
  3464. if [ "$_log_level" ] ; then
  3465. _saveaccountconf "LOG_LEVEL" "$_log_level"
  3466. fi
  3467. _processAccountConf
  3468. fi
  3469. }
  3470. if [ "$INSTALLONLINE" ] ; then
  3471. INSTALLONLINE=""
  3472. _installOnline $BRANCH
  3473. exit
  3474. fi
  3475. main() {
  3476. [ -z "$1" ] && showhelp && return
  3477. if _startswith "$1" '-' ; then _process "$@"; else "$@";fi
  3478. }
  3479. main "$@"