Browse Source

Merge remote-tracking branch 'upstream/master' into ssh-deploy

dnsconf
dkerr64 8 years ago
parent
commit
19aa2ccf4d
  1. 2
      Dockerfile
  2. 4
      README.md
  3. 231
      acme.sh
  4. 2
      dnsapi/README.md
  5. 32
      dnsapi/dns_dynu.sh
  6. 21
      dnsapi/dns_infoblox.sh
  7. 2
      dnsapi/dns_ovh.sh

2
Dockerfile

@ -50,7 +50,7 @@ RUN for verb in help \
RUN printf "%b" '#!'"/usr/bin/env sh\n \ RUN printf "%b" '#!'"/usr/bin/env sh\n \
if [ \"\$1\" = \"daemon\" ]; then \n \ if [ \"\$1\" = \"daemon\" ]; then \n \
crond; tail -f /dev/null;\n \
crond -f\n \
else \n \ else \n \
/root/.acme.sh/acme.sh --config-home /acme.sh \"\$@\"\n \ /root/.acme.sh/acme.sh --config-home /acme.sh \"\$@\"\n \
fi" >/entry.sh && chmod +x /entry.sh fi" >/entry.sh && chmod +x /entry.sh

4
README.md

@ -62,7 +62,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
|19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux |19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
|20|[![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX |20|[![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX
For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest):
For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest):
https://github.com/Neilpang/acmetest https://github.com/Neilpang/acmetest
@ -199,7 +199,7 @@ The ownership and permission info of existing files are preserved. You may want
Install/copy the issued cert/key to the production Apache or Nginx path. Install/copy the issued cert/key to the production Apache or Nginx path.
The cert will be `renewed every **60** days by default` (which is configurable). Once the cert is renewed, the Apache/Nginx service will be restarted automatically by the command: `service apache2 restart` or `service nginx restart`.
The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
# 4. Use Standalone server to issue cert # 4. Use Standalone server to issue cert

231
acme.sh

@ -1,6 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
VER=2.6.9
VER=2.7.3
PROJECT_NAME="acme.sh" PROJECT_NAME="acme.sh"
@ -13,7 +13,8 @@ _SCRIPT_="$0"
_SUB_FOLDERS="dnsapi deploy" _SUB_FOLDERS="dnsapi deploy"
DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org"
DEFAULT_CA="https://acme-v01.api.letsencrypt.org/directory"
DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
@ -24,7 +25,8 @@ DEFAULT_DOMAIN_KEY_LENGTH=2048
DEFAULT_OPENSSL_BIN="openssl" DEFAULT_OPENSSL_BIN="openssl"
STAGE_CA="https://acme-staging.api.letsencrypt.org"
STAGE_CA="https://acme-staging.api.letsencrypt.org/directory"
_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org"
VTYPE_HTTP="http-01" VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01" VTYPE_DNS="dns-01"
@ -104,21 +106,21 @@ if [ -t 1 ]; then
fi fi
__green() { __green() {
if [ "$__INTERACTIVE" ]; then
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
printf '\033[1;31;32m' printf '\033[1;31;32m'
fi fi
printf -- "%b" "$1" printf -- "%b" "$1"
if [ "$__INTERACTIVE" ]; then
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
printf '\033[0m' printf '\033[0m'
fi fi
} }
__red() { __red() {
if [ "$__INTERACTIVE" ]; then
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
printf '\033[1;31;40m' printf '\033[1;31;40m'
fi fi
printf -- "%b" "$1" printf -- "%b" "$1"
if [ "$__INTERACTIVE" ]; then
if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
printf '\033[0m' printf '\033[0m'
fi fi
} }
@ -151,6 +153,13 @@ _dlg_versions() {
echo "apache doesn't exists." echo "apache doesn't exists."
fi fi
echo "nginx:"
if _exists "nginx"; then
nginx -V 2>&1
else
echo "nginx doesn't exists."
fi
echo "nc:" echo "nc:"
if _exists "nc"; then if _exists "nc"; then
nc -h 2>&1 nc -h 2>&1
@ -443,6 +452,11 @@ if [ "$(printf '\x41')" != 'A' ]; then
_URGLY_PRINTF=1 _URGLY_PRINTF=1
fi fi
_ESCAPE_XARGS=""
if [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then
_ESCAPE_XARGS=1
fi
_h2b() { _h2b() {
if _exists xxd; then if _exists xxd; then
xxd -r -p xxd -r -p
@ -450,31 +464,33 @@ _h2b() {
fi fi
hex=$(cat) hex=$(cat)
i=1
j=2
ic=""
jc=""
_debug2 _URGLY_PRINTF "$_URGLY_PRINTF" _debug2 _URGLY_PRINTF "$_URGLY_PRINTF"
if [ -z "$_URGLY_PRINTF" ]; then if [ -z "$_URGLY_PRINTF" ]; then
while true; do
h="$(printf "%s" "$hex" | cut -c $i-$j)"
if [ -z "$h" ]; then
break
fi
printf "\x$h%s"
i="$(_math "$i" + 2)"
j="$(_math "$j" + 2)"
done
if [ "$_ESCAPE_XARGS" ] && _exists xargs; then
_debug2 "xargs"
echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf
else
for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do
if [ -z "$h" ]; then
break
fi
printf "\x$h%s"
done
fi
else else
while true; do
ic="$(printf "%s" "$hex" | cut -c $i)"
jc="$(printf "%s" "$hex" | cut -c $j)"
if [ -z "$ic$jc" ]; then
break
for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do
if [ -z "$ic" ]; then
ic=$c
continue
fi fi
jc=$c
ic="$(_h_char_2_dec "$ic")" ic="$(_h_char_2_dec "$ic")"
jc="$(_h_char_2_dec "$jc")" jc="$(_h_char_2_dec "$jc")"
printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s" printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
i="$(_math "$i" + 2)"
j="$(_math "$j" + 2)"
ic=""
jc=""
done done
fi fi
@ -1079,7 +1095,7 @@ _readSubjectFromCSR() {
_usage "_readSubjectFromCSR mycsr.csr" _usage "_readSubjectFromCSR mycsr.csr"
return 1 return 1
fi fi
${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n'
} }
#_csrfile #_csrfile
@ -1122,7 +1138,7 @@ _readKeyLengthFromCSR() {
echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' ' echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
else else
_debug "RSA CSR" _debug "RSA CSR"
echo "$_outcsr" | tr "\t" " " | _egrep_o "(^ *|RSA )Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
echo "$_outcsr" | tr "\t" " " | (_egrep_o "^ *Public.Key:.*" || _egrep_o "RSA Public.Key:.*") | cut -d '(' -f 2 | cut -d ' ' -f 1
fi fi
} }
@ -1700,9 +1716,19 @@ _send_signed_request() {
while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
_debug3 _request_retry_times "$_request_retry_times" _debug3 _request_retry_times "$_request_retry_times"
if [ -z "$_CACHED_NONCE" ]; then if [ -z "$_CACHED_NONCE" ]; then
_debug2 "Get nonce."
nonceurl="$API/directory"
_headers="$(_get "$nonceurl" "onlyheader")"
_headers=""
if [ "$ACME_NEW_NONCE" ]; then
_debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
nonceurl="$ACME_NEW_NONCE"
if _post "" "$nonceurl" "" "HEAD"; then
_headers="$(cat "$HTTP_HEADER")"
fi
fi
if [ -z "$_headers" ]; then
_debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY"
nonceurl="$ACME_DIRECTORY"
_headers="$(_get "$nonceurl" "onlyheader")"
fi
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce." _err "Can not connect to $nonceurl to get nonce."
@ -1719,7 +1745,7 @@ _send_signed_request() {
nonce="$_CACHED_NONCE" nonce="$_CACHED_NONCE"
_debug2 nonce "$nonce" _debug2 nonce "$nonce"
protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2"
_debug3 protected "$protected" _debug3 protected "$protected"
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)" protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
@ -2155,6 +2181,62 @@ __initHome() {
fi fi
} }
#server
_initAPI() {
_api_server="${1:-$ACME_DIRECTORY}"
_debug "_init api for server: $_api_server"
if [ "$_api_server" = "$DEFAULT_CA" ]; then
#just for performance, hardcode the default entry points
export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change"
export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz"
export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert"
export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg"
export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
fi
if [ -z "$ACME_NEW_ACCOUNT" ]; then
response=$(_get "$_api_server")
if [ "$?" != "0" ]; then
_debug2 "response" "$response"
_err "Can not init api."
return 1
fi
_debug2 "response" "$response"
ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_KEY_CHANGE
ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_AUTHZ
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
if [ -z "$ACME_NEW_ORDER" ]; then
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
fi
export ACME_NEW_ORDER
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
if [ -z "$ACME_NEW_ACCOUNT" ]; then
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
fi
export ACME_NEW_ACCOUNT
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_REVOKE_CERT
ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_NEW_NONCE
fi
_debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
_debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ"
_debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER"
_debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT"
_debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
}
#[domain] [keylength] #[domain] [keylength]
_initpath() { _initpath() {
@ -2175,17 +2257,19 @@ _initpath() {
CA_HOME="$DEFAULT_CA_HOME" CA_HOME="$DEFAULT_CA_HOME"
fi fi
if [ -z "$API" ]; then
if [ -z "$ACME_DIRECTORY" ]; then
if [ -z "$STAGE" ]; then if [ -z "$STAGE" ]; then
API="$DEFAULT_CA"
ACME_DIRECTORY="$DEFAULT_CA"
else else
API="$STAGE_CA"
_info "Using stage api:$API"
ACME_DIRECTORY="$STAGE_CA"
_info "Using stage ACME_DIRECTORY: $ACME_DIRECTORY"
fi fi
fi fi
_API_HOST="$(echo "$API" | cut -d : -f 2 | tr -d '/')"
CA_DIR="$CA_HOME/$_API_HOST"
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
_DEFAULT_CA_CONF="$CA_DIR/ca.conf" _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
@ -2572,7 +2656,7 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
_err "write nginx conf error, but don't worry, the file is restored." _err "write nginx conf error, but don't worry, the file is restored."
return 1 return 1
fi fi
_debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
_info "nginx conf is done, let's check it again." _info "nginx conf is done, let's check it again."
if ! _exec "nginx -t" >/dev/null; then if ! _exec "nginx -t" >/dev/null; then
_exec_err _exec_err
@ -2658,12 +2742,14 @@ _isRealNginxConf() {
_debug "_seg_n" "$_seg_n" _debug "_seg_n" "$_seg_n"
if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ]; then
if [ "$(echo "$_seg_n" | _egrep_o "^ *ssl *on *;")" ] \
|| [ "$(echo "$_seg_n" | _egrep_o "listen .* ssl[ |;]")" ]; then
_debug "ssl on, skip" _debug "ssl on, skip"
return 1
else
FOUND_REAL_NGINX_CONF_LN=$_fln
_debug3 "found FOUND_REAL_NGINX_CONF_LN" "$FOUND_REAL_NGINX_CONF_LN"
return 0
fi fi
FOUND_REAL_NGINX_CONF_LN=$_fln
return 0
fi fi
done done
fi fi
@ -2714,7 +2800,7 @@ _clearup() {
_clearupdns() { _clearupdns() {
_debug "_clearupdns" _debug "_clearupdns"
if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
_debug "Dns not added, skip."
_debug "skip dns."
return return
fi fi
@ -3004,7 +3090,7 @@ _regAccount() {
if ! _calcjwk "$ACCOUNT_KEY_PATH"; then if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
return 1 return 1
fi fi
_initAPI
_updateTos="" _updateTos=""
_reg_res="new-reg" _reg_res="new-reg"
while true; do while true; do
@ -3019,7 +3105,7 @@ _regAccount() {
if [ -z "$_updateTos" ]; then if [ -z "$_updateTos" ]; then
_info "Registering account" _info "Registering account"
if ! _send_signed_request "$API/acme/new-reg" "$regjson"; then
if ! _send_signed_request "${ACME_NEW_ACCOUNT}" "$regjson"; then
_err "Register account Error: $response" _err "Register account Error: $response"
return 1 return 1
fi fi
@ -3105,12 +3191,12 @@ _findHook() {
__get_domain_new_authz() { __get_domain_new_authz() {
_gdnd="$1" _gdnd="$1"
_info "Getting new-authz for domain" "$_gdnd" _info "Getting new-authz for domain" "$_gdnd"
_initAPI
_Max_new_authz_retry_times=5 _Max_new_authz_retry_times=5
_authz_i=0 _authz_i=0
while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
_debug "Try new-authz for the $_authz_i time." _debug "Try new-authz for the $_authz_i time."
if ! _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
if ! _send_signed_request "${ACME_NEW_AUTHZ}" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
_err "Can not get domain new authz." _err "Can not get domain new authz."
return 1 return 1
fi fi
@ -3188,13 +3274,16 @@ issue() {
if [ "$_web_roots" = "dns-cx" ]; then if [ "$_web_roots" = "dns-cx" ]; then
_web_roots="dns_cx" _web_roots="dns_cx"
fi fi
_debug "Using api: $API"
if [ ! "$IS_RENEW" ]; then if [ ! "$IS_RENEW" ]; then
_initpath "$_main_domain" "$_key_length" _initpath "$_main_domain" "$_key_length"
mkdir -p "$DOMAIN_PATH" mkdir -p "$DOMAIN_PATH"
fi fi
_debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
_initAPI
if [ -f "$DOMAIN_CONF" ]; then if [ -f "$DOMAIN_CONF" ]; then
Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime) Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
_debug Le_NextRenewTime "$Le_NextRenewTime" _debug Le_NextRenewTime "$Le_NextRenewTime"
@ -3228,7 +3317,7 @@ issue() {
_cleardomainconf "Le_LocalAddress" _cleardomainconf "Le_LocalAddress"
fi fi
Le_API="$API"
Le_API="$ACME_DIRECTORY"
_savedomainconf "Le_API" "$Le_API" _savedomainconf "Le_API" "$Le_API"
if [ "$_alt_domains" = "$NO_VALUE" ]; then if [ "$_alt_domains" = "$NO_VALUE" ]; then
@ -3667,7 +3756,7 @@ issue() {
_info "Verify finished, start to sign." _info "Verify finished, start to sign."
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
if ! _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
_err "Sign failed." _err "Sign failed."
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
@ -3720,7 +3809,8 @@ issue() {
Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>') Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
if ! _contains "$Le_LinkIssuer" ":"; then if ! _contains "$Le_LinkIssuer" ":"; then
Le_LinkIssuer="$API$Le_LinkIssuer"
_info "$(__red "Relative issuer link found.")"
Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
fi fi
_debug Le_LinkIssuer "$Le_LinkIssuer" _debug Le_LinkIssuer "$Le_LinkIssuer"
_savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer" _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
@ -3836,7 +3926,15 @@ renew() {
. "$DOMAIN_CONF" . "$DOMAIN_CONF"
if [ "$Le_API" ]; then if [ "$Le_API" ]; then
API="$Le_API"
if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
export Le_API="$DEFAULT_CA"
_savedomainconf Le_API "$Le_API"
fi
if [ "$_OLD_STAGE_CA_HOST" = "$Le_API" ]; then
export Le_API="$STAGE_CA"
_savedomainconf Le_API "$Le_API"
fi
export ACME_DIRECTORY="$Le_API"
#reload ca configs #reload ca configs
ACCOUNT_KEY_PATH="" ACCOUNT_KEY_PATH=""
ACCOUNT_JSON_PATH="" ACCOUNT_JSON_PATH=""
@ -3924,6 +4022,10 @@ signcsr() {
return 1 return 1
fi fi
_debug _csrsubj "$_csrsubj" _debug _csrsubj "$_csrsubj"
if _contains "$_csrsubj" ' ' || ! _contains "$_csrsubj" '.'; then
_info "It seems that the subject: $_csrsubj is not a valid domain name. Drop it."
_csrsubj=""
fi
_csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile") _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
@ -4299,8 +4401,10 @@ revoke() {
return 1 return 1
fi fi
_initAPI
data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}" data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
uri="$API/acme/revoke-cert"
uri="${ACME_REVOKE_CERT}"
if [ -f "$CERT_KEY_PATH" ]; then if [ -f "$CERT_KEY_PATH" ]; then
_info "Try domain key first." _info "Try domain key first."
@ -4432,6 +4536,7 @@ deactivate() {
_d_domain_list="$1" _d_domain_list="$1"
_d_type="$2" _d_type="$2"
_initpath _initpath
_initAPI
_debug _d_domain_list "$_d_domain_list" _debug _d_domain_list "$_d_domain_list"
if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
_usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]" _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
@ -4631,6 +4736,11 @@ install() {
return 1 return 1
fi fi
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
_info "Using config home: $LE_CONFIG_HOME"
_c_home="$LE_CONFIG_HOME"
fi
#convert from le #convert from le
if [ -d "$HOME/.le" ]; then if [ -d "$HOME/.le" ]; then
for envfile in "le.env" "le.sh.env"; do for envfile in "le.env" "le.sh.env"; do
@ -4854,6 +4964,7 @@ Parameters:
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server. --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
--server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
--accountconf Specifies a customized account config file. --accountconf Specifies a customized account config file.
--home Specifies the home dir for $PROJECT_NAME . --home Specifies the home dir for $PROJECT_NAME .
--cert-home Specifies the home dir to save all the certs, only valid for '--install' command. --cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
@ -4871,6 +4982,7 @@ Parameters:
--ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate. --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl. --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically. --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
--no-color Do not output color text.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR' --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
--csr Specifies the input csr. --csr Specifies the input csr.
--pre-hook Command to be run before obtaining any certificates. --pre-hook Command to be run before obtaining any certificates.
@ -5013,6 +5125,7 @@ _process() {
_openssl_bin="" _openssl_bin=""
_syslog="" _syslog=""
_use_wget="" _use_wget=""
_server=""
while [ ${#} -gt 0 ]; do while [ ${#} -gt 0 ]; do
case "${1}" in case "${1}" in
@ -5129,6 +5242,12 @@ _process() {
--staging | --test) --staging | --test)
STAGE="1" STAGE="1"
;; ;;
--server)
ACME_DIRECTORY="$2"
_server="$ACME_DIRECTORY"
export ACME_DIRECTORY
shift
;;
--debug) --debug)
if [ -z "$2" ] || _startswith "$2" "-"; then if [ -z "$2" ] || _startswith "$2" "-"; then
DEBUG="$DEBUG_LEVEL_DEFAULT" DEBUG="$DEBUG_LEVEL_DEFAULT"
@ -5318,6 +5437,9 @@ _process() {
--nocron) --nocron)
_nocron="1" _nocron="1"
;; ;;
--no-color)
export ACME_NO_COLOR=1
;;
--ecc) --ecc)
_ecc="isEcc" _ecc="isEcc"
;; ;;
@ -5449,6 +5571,9 @@ _process() {
if [ "$DEBUG" ]; then if [ "$DEBUG" ]; then
version version
if [ "$_server" ]; then
_debug "Using server: $_server"
fi
fi fi
case "${_CMD}" in case "${_CMD}" in

2
dnsapi/README.md

@ -140,7 +140,7 @@ Finally, make the DNS server and update Key available to `acme.sh`
``` ```
export NSUPDATE_SERVER="dns.example.com" export NSUPDATE_SERVER="dns.example.com"
export NSUPDATE_KEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=="
export NSUPDATE_KEY="/path/to/your/nsupdate.key"
``` ```
Ok, let's issue a cert now: Ok, let's issue a cert now:

32
dnsapi/dns_dynu.sh

@ -122,18 +122,30 @@ dns_dynu_rm() {
# _domain_name=domain.com # _domain_name=domain.com
_get_root() { _get_root() {
domain=$1 domain=$1
if ! _dynu_rest GET "dns/getroot/$domain"; then
return 1
fi
i=2
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
_debug h "$h"
if [ -z "$h" ]; then
#not valid
return 1
fi
if ! _contains "$response" "domain_name"; then
_debug "Domain name not found."
return 1
fi
if ! _dynu_rest GET "dns/get/$h"; then
return 1
fi
if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
_domain_name=$h
_node=$(printf "%s" "$domain" | cut -d . -f 1-$p)
return 0
fi
p=$i
i=$(_math "$i" + 1)
done
return 1
_domain_name=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 1 | cut -d : -f 2 | cut -d '"' -f 2)
_node=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 3 | cut -d : -f 2 | cut -d '"' -f 2)
return 0
} }
_get_recordid() { _get_recordid() {

21
dnsapi/dns_infoblox.sh

@ -9,7 +9,7 @@ dns_infoblox_add() {
## Nothing to see here, just some housekeeping ## Nothing to see here, just some housekeeping
fulldomain=$1 fulldomain=$1
txtvalue=$2 txtvalue=$2
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue"
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View"
_info "Using Infoblox API" _info "Using Infoblox API"
_debug fulldomain "$fulldomain" _debug fulldomain "$fulldomain"
@ -19,14 +19,19 @@ dns_infoblox_add() {
if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
Infoblox_Creds="" Infoblox_Creds=""
Infoblox_Server="" Infoblox_Server=""
_err "You didn't specify the credentials or server yet (Infoblox_Creds and Infoblox_Server)."
_err "Please set them via EXPORT ([username:password] and [ip or hostname]) and try again."
_err "You didn't specify the credentials, server or infoblox view yet (Infoblox_Creds, Infoblox_Server and Infoblox_View)."
_err "Please set them via EXPORT ([username:password], [ip or hostname]) and try again."
return 1 return 1
fi fi
if [ -z "$Infoblox_View" ]; then
Infoblox_View="default"
fi
## Save the credentials to the account file ## Save the credentials to the account file
_saveaccountconf Infoblox_Creds "$Infoblox_Creds" _saveaccountconf Infoblox_Creds "$Infoblox_Creds"
_saveaccountconf Infoblox_Server "$Infoblox_Server" _saveaccountconf Infoblox_Server "$Infoblox_Server"
_saveaccountconf Infoblox_View "$Infoblox_View"
## Base64 encode the credentials ## Base64 encode the credentials
Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64) Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
@ -39,7 +44,7 @@ dns_infoblox_add() {
result=$(_post "" "$baseurlnObject" "" "POST") result=$(_post "" "$baseurlnObject" "" "POST")
## Let's see if we get something intelligible back from the unit ## Let's see if we get something intelligible back from the unit
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
if echo "$result" | egrep "record:txt/.*:.*/$Infoblox_View"; then
_info "Successfully created the txt record" _info "Successfully created the txt record"
return 0 return 0
else else
@ -68,18 +73,18 @@ dns_infoblox_rm() {
export _H2="Authorization: Basic $Infoblox_CredsEncoded" export _H2="Authorization: Basic $Infoblox_CredsEncoded"
## Does the record exist? Let's check. ## Does the record exist? Let's check.
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&_return_type=xml-pretty"
baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View&_return_type=xml-pretty"
result=$(_get "$baseurlnObject") result=$(_get "$baseurlnObject")
## Let's see if we get something intelligible back from the grid ## Let's see if we get something intelligible back from the grid
if echo "$result" | egrep 'record:txt/.*:.*/default'; then
if echo "$result" | egrep "record:txt/.*:.*/$Infoblox_View"; then
## Extract the object reference ## Extract the object reference
objRef=$(printf "%b" "$result" | _egrep_o 'record:txt/.*:.*/default')
objRef=$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")
objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef" objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
## Delete them! All the stale records! ## Delete them! All the stale records!
rmResult=$(_post "" "$objRmUrl" "" "DELETE") rmResult=$(_post "" "$objRmUrl" "" "DELETE")
## Let's see if that worked ## Let's see if that worked
if echo "$rmResult" | egrep 'record:txt/.*:.*/default'; then
if echo "$rmResult" | egrep "record:txt/.*:.*/$Infoblox_View"; then
_info "Successfully deleted $objRef" _info "Successfully deleted $objRef"
return 0 return 0
else else

2
dnsapi/dns_ovh.sh

@ -238,7 +238,7 @@ _get_root() {
return 1 return 1
fi fi
if ! _contains "$response" "This service does not exist" >/dev/null; then
if ! _contains "$response" "This service does not exist" >/dev/null && ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain="$h" _domain="$h"
return 0 return 0

Loading…
Cancel
Save