forked from Github/acme.sh
David Kerr
8 years ago
9 changed files with 430 additions and 12 deletions
-
14README.md
-
20acme.sh
-
6deploy/README.md
-
31deploy/keychain.sh
-
58dnsapi/README.md
-
6dnsapi/dns_aws.sh
-
7dnsapi/dns_cx.sh
-
205dnsapi/dns_dgon.sh
-
95dnsapi/dns_knot.sh
@ -0,0 +1,31 @@ |
|||||
|
#!/usr/bin/env sh |
||||
|
|
||||
|
#Here is a sample custom api script. |
||||
|
#This file name is "myapi.sh" |
||||
|
#So, here must be a method myapi_deploy() |
||||
|
#Which will be called by acme.sh to deploy the cert |
||||
|
#returns 0 means success, otherwise error. |
||||
|
|
||||
|
######## Public functions ##################### |
||||
|
|
||||
|
#domain keyfile certfile cafile fullchain |
||||
|
keychain_deploy() { |
||||
|
_cdomain="$1" |
||||
|
_ckey="$2" |
||||
|
_ccert="$3" |
||||
|
_cca="$4" |
||||
|
_cfullchain="$5" |
||||
|
|
||||
|
_debug _cdomain "$_cdomain" |
||||
|
_debug _ckey "$_ckey" |
||||
|
_debug _ccert "$_ccert" |
||||
|
_debug _cca "$_cca" |
||||
|
_debug _cfullchain "$_cfullchain" |
||||
|
|
||||
|
/usr/bin/security import "$_ckey" -k "/Library/Keychains/System.keychain" |
||||
|
/usr/bin/security import "$_ccert" -k "/Library/Keychains/System.keychain" |
||||
|
/usr/bin/security import "$_cca" -k "/Library/Keychains/System.keychain" |
||||
|
/usr/bin/security import "$_cfullchain" -k "/Library/Keychains/System.keychain" |
||||
|
|
||||
|
return 0 |
||||
|
} |
@ -0,0 +1,205 @@ |
|||||
|
#!/usr/bin/env sh |
||||
|
|
||||
|
## Will be called by acme.sh to add the txt record to your api system. |
||||
|
## returns 0 means success, otherwise error. |
||||
|
|
||||
|
## Author: thewer <github at thewer.com> |
||||
|
## GitHub: https://github.com/gitwer/acme.sh |
||||
|
|
||||
|
## |
||||
|
## Environment Variables Required: |
||||
|
## |
||||
|
## DO_API_KEY="75310dc4ca779ac39a19f6355db573b49ce92ae126553ebd61ac3a3ae34834cc" |
||||
|
## |
||||
|
|
||||
|
##################### Public functions ##################### |
||||
|
|
||||
|
## Create the text record for validation. |
||||
|
## Usage: fulldomain txtvalue |
||||
|
## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" |
||||
|
dns_dgon_add() { |
||||
|
fulldomain="$(echo "$1" | _lower_case)" |
||||
|
txtvalue=$2 |
||||
|
_info "Using digitalocean dns validation - add record" |
||||
|
_debug fulldomain "$fulldomain" |
||||
|
_debug txtvalue "$txtvalue" |
||||
|
|
||||
|
## save the env vars (key and domain split location) for later automated use |
||||
|
_saveaccountconf DO_API_KEY "$DO_API_KEY" |
||||
|
|
||||
|
## split the domain for DO API |
||||
|
if ! _get_base_domain "$fulldomain"; then |
||||
|
_err "domain not found in your account for addition" |
||||
|
return 1 |
||||
|
fi |
||||
|
_debug _sub_domain "$_sub_domain" |
||||
|
_debug _domain "$_domain" |
||||
|
|
||||
|
## Set the header with our post type and key auth key |
||||
|
export _H1="Content-Type: application/json" |
||||
|
export _H2="Authorization: Bearer $DO_API_KEY" |
||||
|
PURL='https://api.digitalocean.com/v2/domains/'$_domain'/records' |
||||
|
PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'"}' |
||||
|
|
||||
|
_debug PURL "$PURL" |
||||
|
_debug PBODY "$PBODY" |
||||
|
|
||||
|
## the create request - post |
||||
|
## args: BODY, URL, [need64, httpmethod] |
||||
|
response="$(_post "$PBODY" "$PURL")" |
||||
|
|
||||
|
## check response |
||||
|
if [ "$?" != "0" ]; then |
||||
|
_err "error in response: $response" |
||||
|
return 1 |
||||
|
fi |
||||
|
_debug2 response "$response" |
||||
|
|
||||
|
## finished correctly |
||||
|
return 0 |
||||
|
} |
||||
|
|
||||
|
## Remove the txt record after validation. |
||||
|
## Usage: fulldomain txtvalue |
||||
|
## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" |
||||
|
dns_dgon_rm() { |
||||
|
fulldomain="$(echo "$1" | _lower_case)" |
||||
|
txtvalue=$2 |
||||
|
_info "Using digitalocean dns validation - remove record" |
||||
|
_debug fulldomain "$fulldomain" |
||||
|
_debug txtvalue "$txtvalue" |
||||
|
|
||||
|
## split the domain for DO API |
||||
|
if ! _get_base_domain "$fulldomain"; then |
||||
|
_err "domain not found in your account for removal" |
||||
|
return 1 |
||||
|
fi |
||||
|
_debug _sub_domain "$_sub_domain" |
||||
|
_debug _domain "$_domain" |
||||
|
|
||||
|
## Set the header with our post type and key auth key |
||||
|
export _H1="Content-Type: application/json" |
||||
|
export _H2="Authorization: Bearer $DO_API_KEY" |
||||
|
## get URL for the list of domains |
||||
|
## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}} |
||||
|
GURL="https://api.digitalocean.com/v2/domains/$_domain/records" |
||||
|
|
||||
|
## while we dont have a record ID we keep going |
||||
|
while [ -z "$record" ]; do |
||||
|
## 1) get the URL |
||||
|
## the create request - get |
||||
|
## args: URL, [onlyheader, timeout] |
||||
|
domain_list="$(_get "$GURL")" |
||||
|
## 2) find record |
||||
|
## check for what we are looing for: "type":"A","name":"$_sub_domain" |
||||
|
record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*\d+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" |
||||
|
## 3) check record and get next page |
||||
|
if [ -z "$record" ]; then |
||||
|
## find the next page if we dont have a match |
||||
|
nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=\d+")" |
||||
|
if [ -z "$nextpage" ]; then |
||||
|
_err "no record and no nextpage in digital ocean DNS removal" |
||||
|
return 1 |
||||
|
fi |
||||
|
_debug2 nextpage "$nextpage" |
||||
|
GURL="$nextpage" |
||||
|
fi |
||||
|
## we break out of the loop when we have a record |
||||
|
done |
||||
|
|
||||
|
## we found the record |
||||
|
rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*\d+" | _egrep_o "\d+")" |
||||
|
_debug rec_id "$rec_id" |
||||
|
|
||||
|
## delete the record |
||||
|
## delete URL for removing the one we dont want |
||||
|
DURL="https://api.digitalocean.com/v2/domains/$_domain/records/$rec_id" |
||||
|
|
||||
|
## the create request - delete |
||||
|
## args: BODY, URL, [need64, httpmethod] |
||||
|
response="$(_post "" "$DURL" "" "DELETE")" |
||||
|
|
||||
|
## check response (sort of) |
||||
|
if [ "$?" != "0" ]; then |
||||
|
_err "error in remove response: $response" |
||||
|
return 1 |
||||
|
fi |
||||
|
_debug2 response "$response" |
||||
|
|
||||
|
## finished correctly |
||||
|
return 0 |
||||
|
} |
||||
|
|
||||
|
##################### Private functions below ##################### |
||||
|
|
||||
|
## Split the domain provided into the "bade domain" and the "start prefix". |
||||
|
## This function searches for the longest subdomain in your account |
||||
|
## for the full domain given and splits it into the base domain (zone) |
||||
|
## and the prefix/record to be added/removed |
||||
|
## USAGE: fulldomain |
||||
|
## EG: "_acme-challenge.two.three.four.domain.com" |
||||
|
## returns |
||||
|
## _sub_domain="_acme-challenge.two" |
||||
|
## _domain="three.four.domain.com" *IF* zone "three.four.domain.com" exists |
||||
|
## if only "domain.com" exists it will return |
||||
|
## _sub_domain="_acme-challenge.two.three.four" |
||||
|
## _domain="domain.com" |
||||
|
_get_base_domain() { |
||||
|
# args |
||||
|
fulldomain="$(echo "$1" | tr '[:upper:]' '[:lower:]')" |
||||
|
_debug fulldomain "$fulldomain" |
||||
|
|
||||
|
# domain max legal length = 253 |
||||
|
MAX_DOM=255 |
||||
|
|
||||
|
## get a list of domains for the account to check thru |
||||
|
## Set the headers |
||||
|
export _H1="Content-Type: application/json" |
||||
|
export _H2="Authorization: Bearer $DO_API_KEY" |
||||
|
_debug DO_API_KEY "$DO_API_KEY" |
||||
|
## get URL for the list of domains |
||||
|
## havent seen this request paginated, tested with 18 domains (more requres manual requests with DO) |
||||
|
DOMURL="https://api.digitalocean.com/v2/domains" |
||||
|
|
||||
|
## get the domain list (DO gives basically a full XFER!) |
||||
|
domain_list="$(_get "$DOMURL")" |
||||
|
|
||||
|
## check response |
||||
|
if [ "$?" != "0" ]; then |
||||
|
_err "error in domain_list response: $domain_list" |
||||
|
return 1 |
||||
|
fi |
||||
|
_debug2 domain_list "$domain_list" |
||||
|
|
||||
|
## for each shortening of our $fulldomain, check if it exists in the $domain_list |
||||
|
## can never start on 1 (aka whole $fulldomain) as $fulldomain starts with "_acme-challenge" |
||||
|
i=2 |
||||
|
while [ $i -gt 0 ]; do |
||||
|
## get next longest domain |
||||
|
_domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM") |
||||
|
## check we got something back from our cut (or are we at the end) |
||||
|
if [ -z "$_domain" ]; then |
||||
|
## we got to the end of the domain - invalid domain |
||||
|
_err "domain not found in DigitalOcean account" |
||||
|
return 1 |
||||
|
fi |
||||
|
## we got part of a domain back - grep it out |
||||
|
found="$(echo "$domain_list" | _egrep_o "\"name\"\s*\:\s*\"$_domain\"")" |
||||
|
## check if it exists |
||||
|
if [ ! -z "$found" ]; then |
||||
|
## exists - exit loop returning the parts |
||||
|
sub_point=$(_math $i - 1) |
||||
|
_sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point") |
||||
|
_debug _domain "$_domain" |
||||
|
_debug _sub_domain "$_sub_domain" |
||||
|
return 0 |
||||
|
fi |
||||
|
## increment cut point $i |
||||
|
i=$(_math $i + 1) |
||||
|
done |
||||
|
|
||||
|
## we went through the entire domain zone list and dint find one that matched |
||||
|
## doesnt look like we can add in the record |
||||
|
_err "domain not found in DigitalOcean account, but we should never get here" |
||||
|
return 1 |
||||
|
} |
@ -0,0 +1,95 @@ |
|||||
|
#!/usr/bin/env sh |
||||
|
|
||||
|
######## Public functions ##################### |
||||
|
|
||||
|
#Usage: dns_knot_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" |
||||
|
dns_knot_add() { |
||||
|
fulldomain=$1 |
||||
|
txtvalue=$2 |
||||
|
_checkKey || return 1 |
||||
|
[ -n "${KNOT_SERVER}" ] || KNOT_SERVER="localhost" |
||||
|
# save the dns server and key to the account.conf file. |
||||
|
_saveaccountconf KNOT_SERVER "${KNOT_SERVER}" |
||||
|
_saveaccountconf KNOT_KEY "${KNOT_KEY}" |
||||
|
|
||||
|
if ! _get_root "$fulldomain"; then |
||||
|
_err "Domain does not exist." |
||||
|
return 1 |
||||
|
fi |
||||
|
|
||||
|
_info "Adding ${fulldomain}. 60 TXT \"${txtvalue}\"" |
||||
|
|
||||
|
knsupdate -y "${KNOT_KEY}" <<EOF |
||||
|
server ${KNOT_SERVER} |
||||
|
zone ${_domain}. |
||||
|
update add ${fulldomain}. 60 TXT "${txtvalue}" |
||||
|
send |
||||
|
quit |
||||
|
EOF |
||||
|
|
||||
|
if [ $? -ne 0 ]; then |
||||
|
_err "Error updating domain." |
||||
|
return 1 |
||||
|
fi |
||||
|
|
||||
|
_info "Domain TXT record successfully added." |
||||
|
return 0 |
||||
|
} |
||||
|
|
||||
|
#Usage: dns_knot_rm _acme-challenge.www.domain.com |
||||
|
dns_knot_rm() { |
||||
|
fulldomain=$1 |
||||
|
_checkKey || return 1 |
||||
|
[ -n "${KNOT_SERVER}" ] || KNOT_SERVER="localhost" |
||||
|
|
||||
|
if ! _get_root "$fulldomain"; then |
||||
|
_err "Domain does not exist." |
||||
|
return 1 |
||||
|
fi |
||||
|
|
||||
|
_info "Removing ${fulldomain}. TXT" |
||||
|
|
||||
|
knsupdate -y "${KNOT_KEY}" <<EOF |
||||
|
server ${KNOT_SERVER} |
||||
|
zone ${_domain}. |
||||
|
update del ${fulldomain}. TXT |
||||
|
send |
||||
|
quit |
||||
|
EOF |
||||
|
|
||||
|
if [ $? -ne 0 ]; then |
||||
|
_err "error updating domain" |
||||
|
return 1 |
||||
|
fi |
||||
|
|
||||
|
_info "Domain TXT record successfully deleted." |
||||
|
return 0 |
||||
|
} |
||||
|
|
||||
|
#################### Private functions below ################################## |
||||
|
# _acme-challenge.www.domain.com |
||||
|
# returns |
||||
|
# _domain=domain.com |
||||
|
_get_root() { |
||||
|
domain=$1 |
||||
|
i="$(echo "$fulldomain" | tr '.' ' ' | wc -w)" |
||||
|
i=$(_math "$i" - 1) |
||||
|
|
||||
|
while true; do |
||||
|
h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) |
||||
|
if [ -z "$h" ]; then |
||||
|
return 1 |
||||
|
fi |
||||
|
_domain="$h" |
||||
|
return 0 |
||||
|
done |
||||
|
_debug "$domain not found" |
||||
|
return 1 |
||||
|
} |
||||
|
|
||||
|
_checkKey() { |
||||
|
if [ -z "${KNOT_KEY}" ]; then |
||||
|
_err "You must specify a TSIG key to authenticate the request." |
||||
|
return 1 |
||||
|
fi |
||||
|
} |
Write
Preview
Loading…
Cancel
Save
Reference in new issue