From 9a76ef2f325e6ba982151dcdf52379e385713d77 Mon Sep 17 00:00:00 2001
From: neil
Date: Sat, 9 Jan 2016 23:26:11 +0800
Subject: [PATCH 1/5] apache plugin
---
 le.sh | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 106 insertions(+), 6 deletions(-)
diff --git a/le.sh b/le.sh
index c49b93f..c40754e 100755
--- a/le.sh
+++ b/le.sh
@@ -234,7 +234,7 @@ _stopserver() {
 _initpath() { if [ -z "$WORKING_DIR" ]; then - WORKING_DIR=~/.le + WORKING_DIR=$HOME/.le fi domain="$1" 
@@ -256,8 +256,95 @@ _initpath() { CERT_PATH="$WORKING_DIR/$domain/$domain.cer" CA_CERT_PATH="$WORKING_DIR/$domain/ca.cer" + + if [ -z "$ACME_DIR" ] ; then + ACME_DIR="/home/.acme" + fi + + if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then + APACHE_CONF_BACKUP_DIR="$WORKING_DIR/" + fi + +} + + +_apachePath() { + httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | sed s/\"//g)" + httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | sed s/\"//g)" + httpdconf="$httpdroot/$httpdconfname" + if [ ! -f $httpdconf ] ; then + _err "Apache Config file not found" $httpdconf + return 1 + fi + return 0 } +_restoreApache() { + if ! _apachePath ; then + return 1 + fi + + if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then + _debug "No config file to restore." + return 0 + fi + + cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" + if ! apachectl -t ; then + _err "Sorry, restore apache config error, please contact me." + _restoreApache + return 1; + fi + rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" + return 0 +} + +_setApache() { + if ! _apachePath ; then + return 1 + fi + + #backup the conf + _debug "Backup apache config file" $httpdconf + cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/ + _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" + _info "In case there is an error that can not be restored automatically, you may try restore it yourself." + _info "The backup file will be deleted on sucess, just forget it." + + #add alias + echo " +Alias /.well-known/acme-challenge/ $ACME_DIR + + +Order allow,deny +Allow from all + + " >> $httpdconf + + if ! apachectl -t ; then + _err "Sorry, apache config error, please contact me." + _restoreApache + return 1; + fi + + if [ ! -d "$ACME_DIR" ] ; then + mkdir -p "$ACME_DIR" + chmod 755 "$ACME_DIR" + fi + + if ! apachectl graceful ; then + _err "Sorry, apachectl graceful error, please contact me." 
+ _restoreApache + return 1; + fi + + return 0 +} + +_clearup () { + _stopserver $serverproc + _restoreApache +} issue() { if [ -z "$1" ] ; then @@ -330,6 +417,14 @@ issue() { return 1 fi fi + + if [ "$Le_Webroot" == "apache" ] ; then + if ! _setApache ; then + _err "set up apache error. Report error to me." + return 1 + fi + wellknown_path="$ACME_DIR" + fi createAccountKey $Le_Domain $Le_Keylength @@ -373,6 +468,7 @@ issue() { _info "Already registered" else _err "Register account Error." + _clearup return 1 fi @@ -388,6 +484,7 @@ issue() { if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then _err "new-authz error: $response" + _clearup return 1 fi @@ -410,7 +507,9 @@ issue() { sleep 2 _debug serverproc $serverproc else - wellknown_path="$Le_Webroot/.well-known/acme-challenge" + if [ -z "$wellknown_path" ] ; then + wellknown_path="$Le_Webroot/.well-known/acme-challenge" + fi _debug wellknown_path "$wellknown_path" mkdir -p "$wellknown_path" @@ -425,7 +524,7 @@ issue() { if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then _err "$d:Challenge error: $resource" - _stopserver $serverproc + _clearup return 1 fi @@ -436,7 +535,7 @@ issue() { if ! _get $uri ; then _err "$d:Verify error:$resource" - _stopserver $serverproc + _clearup return 1 fi @@ -449,7 +548,7 @@ issue() { if [ "$status" == "invalid" ] ; then error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) _err "$d:Verify error:$error" - _stopserver $serverproc + _clearup return 1; fi @@ -457,7 +556,7 @@ issue() { _info "Pending" else _err "$d:Verify error:$response" - _stopserver $serverproc + _clearup return 1 fi @@ -488,6 +587,7 @@ issue() { if [ -z "$Le_LinkCert" ] ; then response="$(echo $response | base64 -d)" _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" + _clearup return 1 fi From b7b8311c3d6d6a5786a37458a502499ef20ea8ae Mon Sep 17 00:00:00 2001 
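Review bot: `_setApache` runs `cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/` before it appends the Alias block, so a run that dies after the append (there is no trap, and `_clearup` is only reached on the error paths shown) leaves the modified config in place, and the next run overwrites the backup with that already-modified file and appends a second Alias block; guard the backup with `if [ -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then _err "Previous backup exists, restore it first:" "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ; return 1 ; fi` before the `cp`. `_restoreApache` copies the original config back and validates it with `apachectl -t` but never reloads, so the running server keeps serving `$ACME_DIR` through the Alias until something else restarts it; add `apachectl graceful` after the test passes. `_clearup` calls `_restoreApache` unconditionally, and in webroot or standalone mode on a host without `apachectl` the `_apachePath` pipeline yields an empty root and name, `httpdconf` becomes `/`, and every error path prints a misleading "Apache Config file not found"; wrap it as `if [ "$Le_Webroot" == "apache" ] ; then _restoreApache ; fi`. The unquoted `$httpdconf` and `$APACHE_CONF_BACKUP_DIR` in `[ ! -f $httpdconf ]`, the `cp -p` line and `>> $httpdconf` should be quoted like the rest of the hunk, since these paths come from `apachectl -V` output.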
From: neil Date: Sat, 9 Jan 2016 23:36:25 +0800 Subject: [PATCH 2/5] minor --- le.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/le.sh b/le.sh index c40754e..2a34742 100755 --- a/le.sh +++ b/le.sh @@ -237,6 +237,14 @@ _initpath() { WORKING_DIR=$HOME/.le fi + if [ -z "$ACME_DIR" ] ; then + ACME_DIR="/home/.acme" + fi + + if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then + APACHE_CONF_BACKUP_DIR="$WORKING_DIR/" + fi + domain="$1" mkdir -p "$WORKING_DIR" ACCOUNT_KEY_PATH="$WORKING_DIR/account.acc" @@ -257,13 +265,7 @@ _initpath() { CA_CERT_PATH="$WORKING_DIR/$domain/ca.cer" - if [ -z "$ACME_DIR" ] ; then - ACME_DIR="/home/.acme" - fi - - if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then - APACHE_CONF_BACKUP_DIR="$WORKING_DIR/" - fi + } @@ -280,6 +282,7 @@ _apachePath() { } _restoreApache() { + _initpath if ! _apachePath ; then return 1 fi @@ -300,6 +303,7 @@ _restoreApache() { } _setApache() { + _initpath if ! _apachePath ; then return 1 fi From ed68afac3960fc84f2bd8df3e170710eeb8ccd13 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 10 Jan 2016 10:31:09 +0800 Subject: [PATCH 3/5] fix --- le.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/le.sh b/le.sh index 2a34742..c67100c 100755 --- a/le.sh +++ b/le.sh @@ -317,7 +317,7 @@ _setApache() { #add alias echo " -Alias /.well-known/acme-challenge/ $ACME_DIR +Alias /.well-known/acme-challenge $ACME_DIR Order allow,deny From 4c1e55841309de61bb3ac5852f33d32b546a2bf9 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 10 Jan 2016 10:49:12 +0800 Subject: [PATCH 4/5] minor --- le.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/le.sh b/le.sh index c67100c..4c76aeb 100755 --- a/le.sh +++ b/le.sh @@ -1,6 +1,6 @@ #!/bin/bash - +PROJECT="https://github.com/Neilpang/le" DEFAULT_CA="https://acme-v01.api.letsencrypt.org" DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" 
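Review bot: The `_initpath` calls added at the top of `_restoreApache` and `_setApache` pass no argument, and the `_initpath` hunk above shows the function assigning `domain="$1"` and deriving `CERT_PATH`/`CA_CERT_PATH` from `$domain`, so each call re-derives those globals with an empty domain (`$WORKING_DIR//.cer`). If `issue()` has already run `_initpath` with the real domain and reads those path variables afterwards (its body lies outside these hunks, so this is inferred), the apache setup and every `_clearup` would clobber them; passing the current value through, `_initpath "$domain"`, keeps the `ACME_DIR`/`APACHE_CONF_BACKUP_DIR` defaults without changing the paths, or move those two defaults into a separate helper that does not touch the domain paths. Also worth a comment on both calls saying why `_initpath` is needed there (to populate `ACME_DIR` and `APACHE_CONF_BACKUP_DIR` when the functions are entered directly). The `_initpath` body starts and ends outside the hunks.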
@@ -295,7 +295,6 @@ _restoreApache() { cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" if ! apachectl -t ; then _err "Sorry, restore apache config error, please contact me." - _restoreApache return 1; fi rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" From 2c75b3fd6bdca05feb6f22ef1cbf1994cfdc6999 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 10 Jan 2016 10:59:51 +0800 Subject: [PATCH 5/5] usage for Apache mode --- README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ce59cc2..710eab9 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ # le Simplest shell script for LetsEncrypt free Certificate client -This is a shell version from https://github.com/diafygi/acme-tiny - Pure written in bash, no dependencies to python , acme-tiny or LetsEncrypt official client (https://github.com/letsencrypt/letsencrypt) Just one script, to issue, renew your certificates automatically. +This is a shell version from https://github.com/diafygi/acme-tiny, but without any dependencies. + Probably it's the smallest&easiest&smartest shell script to automatically issue&renew the free certificates from LetsEncrypt. @@ -15,6 +15,11 @@ Probably it's the smallest&easiest&smartest shell script to automatically issue 2. CentOS +#Supported Mode +1. Webroot mode +2. Standalone mode +3. Apache mode + #How to use 1. Clone this project: https://github.com/Neilpang/le.git @@ -37,7 +42,7 @@ root@xvm:~# le Usage: issue|renew|renewAll|createAccountKey|createDomainKey|createCSR|install|uninstall root@xvm:~# le issue -Usage: le issue webroot|no a.com [www.a.com,b.com,c.com]|no [key-length]|no [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no +Usage: le issue webroot|no|apache a.com [www.a.com,b.com,c.com]|no [key-length]|no [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no ``` 
@@ -77,6 +82,17 @@ The tcp `80` port must be free to listen, otherwise you will be prompted to free le issue no aa.com www.aa.com,cp.aa.com ``` +# Use Apache mode: +If you are running a web server, apache or nginx, it its recommended to use the Webroot mode. +Particularly, if you are running an apache server, you can use apache mode instead. Which doesn't write any file to your web root folder. + +Just set string "apache" to the first argument, it will use apache plugin automatically. + +``` +le issue apache aa.com www.aa.com +``` +All the other arguments are the same with previous. + #Under the Hood