Browse Source

Merge branch 'dev' into deploy-fritzbox

cron
Manuel Friedli 7 years ago
parent
commit
3536cd336d
  1. 3
      .travis.yml
  2. 2
      Dockerfile
  3. 129
      acme.sh
  4. 11
      deploy/README.md
  5. 4
      dnsapi/dns_he.sh

3
.travis.yml

@ -18,7 +18,7 @@ addons:
install:
- if [ "$TRAVIS_OS_NAME" = 'osx' ]; then
brew update && brew install openssl;
brew update && brew install openssl socat;
brew info openssl;
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/;
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/;
@ -30,6 +30,7 @@ install:
openssl version 2>&1 || true;
$ACME_OPENSSL_BIN version 2>&1 || true;
export PATH="$_old_path";
else sudo apt-get install socat;
fi
script:

2
Dockerfile

@ -4,7 +4,7 @@ RUN apk update -f \
&& apk --no-cache add -f \
openssl \
curl \
netcat-openbsd \
socat \
&& rm -rf /var/cache/apk/*
ENV LE_CONFIG_HOME /acme.sh

129
acme.sh

@ -1,6 +1,6 @@
#!/usr/bin/env sh
VER=2.7.3
VER=2.7.4
PROJECT_NAME="acme.sh"
@ -164,11 +164,11 @@ _dlg_versions() {
echo "nginx doesn't exists."
fi
echo "nc:"
if _exists "nc"; then
nc -h 2>&1
echo "socat:"
if _exists "socat"; then
socat -h 2>&1
else
_debug "nc doesn't exists."
_debug "socat doesn't exists."
fi
}
@ -1814,7 +1814,13 @@ _send_signed_request() {
_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
if _contains "$response" "JWS has invalid anti-replay nonce"; then
_body="$response"
if [ "$needbase64" ]; then
_body="$(echo "$_body" | _dbase64)"
_debug2 _body "$_body"
fi
if _contains "$_body" "JWS has invalid anti-replay nonce"; then
_info "It seems the CA server is busy now, let's wait and retry."
_request_retry_times=$(_math "$_request_retry_times" + 1)
_sleep 5
@ -1967,68 +1973,22 @@ _startserver() {
_debug "ncaddr" "$ncaddr"
_debug "startserver: $$"
nchelp="$(nc -h 2>&1)"
_debug Le_HTTPPort "$Le_HTTPPort"
_debug Le_Listen_V4 "$Le_Listen_V4"
_debug Le_Listen_V6 "$Le_Listen_V6"
_NC="nc"
_NC="socat"
if [ "$Le_Listen_V4" ]; then
_NC="$_NC -4"
elif [ "$Le_Listen_V6" ]; then
_NC="$_NC -6"
fi
if [ "$Le_Listen_V4$Le_Listen_V6$ncaddr" ]; then
if ! _contains "$nchelp" "-4"; then
_err "The nc doesn't support '-4', '-6' or local-address, please install 'netcat-openbsd' and try again."
_err "See $(__green $_PREPARE_LINK)"
return 1
fi
fi
if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
_NC="$_NC -q 1 -l $ncaddr"
else
if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
_NC="$_NC -c -l $ncaddr"
elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
_NC="$_NC -N -l $ncaddr"
else
_NC="$_NC -l $ncaddr"
fi
fi
_debug "_NC" "$_NC"
#for centos ncat
if _contains "$nchelp" "nmap.org"; then
_debug "Using ncat: nmap.org"
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"; then
_exec_err
return 1
fi
if [ "$DEBUG" ]; then
_exec_err
fi
return
fi
# while true ; do
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC -p \"$Le_HTTPPort\" >&2"; then
_exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"
fi
if [ "$?" != "0" ]; then
_err "nc listen error."
_exec_err
exit 1
fi
if [ "$DEBUG" ]; then
_exec_err
fi
# done
#todo listen address
$_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
serverproc="$!"
}
_stopserver() {
@ -2038,25 +1998,8 @@ _stopserver() {
return
fi
_debug2 "Le_HTTPPort" "$Le_HTTPPort"
if [ "$Le_HTTPPort" ]; then
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
_get "http://localhost:$Le_HTTPPort" "" 1
else
_get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
fi
fi
kill $pid
_debug2 "Le_TLSPort" "$Le_TLSPort"
if [ "$Le_TLSPort" ]; then
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
_get "https://localhost:$Le_TLSPort" "" 1
_get "https://localhost:$Le_TLSPort" "" 1
else
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
fi
fi
}
# sleep sec
@ -2111,12 +2054,7 @@ _starttlsserver() {
return 1
fi
__S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -cert $TLS_CERT -key $TLS_KEY "
if [ "$opaddr" ]; then
__S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
else
__S_OPENSSL="$__S_OPENSSL -accept $port"
fi
__S_OPENSSL="socat"
_debug Le_Listen_V4 "$Le_Listen_V4"
_debug Le_Listen_V6 "$Le_Listen_V6"
@ -2127,12 +2065,9 @@ _starttlsserver() {
fi
_debug "$__S_OPENSSL"
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
else
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
fi
#todo listen address
$__S_OPENSSL openssl-listen:$port,cert=$TLS_CERT,key=$TLS_KEY,verify=0,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
serverproc="$!"
sleep 1
_debug serverproc "$serverproc"
@ -2943,8 +2878,8 @@ _on_before_issue() {
fi
if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
if ! _exists "nc"; then
_err "Please install netcat(nc) tools first."
if ! _exists "socat"; then
_err "Please install socat tools first."
return 1
fi
fi
@ -3665,13 +3600,12 @@ issue() {
_info "Standalone mode server"
_ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
_ncIndex="$(_math $_ncIndex + 1)"
_startserver "$keyauthorization" "$_ncaddr" &
_startserver "$keyauthorization" "$_ncaddr"
if [ "$?" != "0" ]; then
_clearup
_on_issue_err "$_post_hook" "$vlist"
return 1
fi
serverproc="$!"
sleep 1
_debug serverproc "$serverproc"
elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
@ -4006,7 +3940,10 @@ issue() {
Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
_on_issue_success "$_post_hook" "$_renew_hook"
if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
_err "Call hook error."
return 1
fi
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
_savedomainconf "Le_RealCertPath" "$_real_cert"
@ -4788,9 +4725,9 @@ _precheck() {
return 1
fi
if ! _exists "nc"; then
_err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
_err "We use nc for standalone server if you use standalone mode."
if ! _exists "socat"; then
_err "It is recommended to install socat first."
_err "We use socat for standalone server if you use standalone mode."
_err "If you don't use standalone mode, just ignore this warning."
fi
@ -4890,10 +4827,12 @@ install() {
_debug "Skip install cron job"
fi
if [ "$IN_CRON" != "1" ]; then
if ! _precheck "$_nocron"; then
_err "Pre-check failed, can not install."
return 1
fi
fi
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
_info "Using config home: $LE_CONFIG_HOME"
@ -4945,7 +4884,9 @@ install() {
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
if [ "$IN_CRON" != "1" ]; then
_installalias "$_c_home"
fi
for subf in $_SUB_FOLDERS; do
if [ -d "$subf" ]; then
@ -5035,7 +4976,7 @@ _uninstallalias() {
}
cron() {
IN_CRON=1
export IN_CRON=1
_initpath
_info "$(__green "===Starting cron===")"
if [ "$AUTO_UPGRADE" = "1" ]; then

11
deploy/README.md

@ -6,6 +6,8 @@ Here are the scripts to deploy the certs/key to the server/services.
## 1. Deploy the certs to your cpanel host.
If you want to deploy using cpanel UAPI see 7.
(cpanel deploy hook is not finished yet, this is just an example.)
@ -81,18 +83,19 @@ acme.sh --deploy -d ftp.example.com --deploy-hook exim4
acme.sh --deploy -d ftp.example.com --deploy-hook keychain
```
## 7. Deploy to cpanel host.
## 7. Deploy to cpanel host using UAPI
This hook is using UAPI and works in cPanel & WHM version 56 or newer.
```
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
```
If you are login as root, please specify the username to deploy cert to:
DEPLOY_CPANEL_USER is required only if you run the script as root and it should contain cpanel username.
```sh
export DEPLOY_CPANEL_USER=username
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
```
Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
## 8. Deploy the cert to your FRITZ!Box router
You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:

4
dnsapi/dns_he.sh

@ -47,7 +47,7 @@ dns_he_add() {
response="$(_post "$body" "https://dns.he.net/")"
exit_code="$?"
if [ "$exit_code" -eq 0 ]; then
_info "TXT record added successfuly."
_info "TXT record added successfully."
else
_err "Couldn't add the TXT record."
fi
@ -96,7 +96,7 @@ dns_he_rm() {
>/dev/null
exit_code="$?"
if [ "$exit_code" -eq 0 ]; then
_info "Record removed successfuly."
_info "Record removed successfully."
else
_err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand."
return "$exit_code"

Loading…
Cancel
Save