From e75b56073b3e412d0b85c94527a632a6de5913f1 Mon Sep 17 00:00:00 2001 From: MaomiHz Date: Mon, 11 Dec 2017 16:03:02 -0600 Subject: [PATCH 01/22] Fix digitalocean api not remove record --- dnsapi/dns_dgon.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_dgon.sh b/dnsapi/dns_dgon.sh index 7e1f1fe..1dc1a85 100755 --- a/dnsapi/dns_dgon.sh +++ b/dnsapi/dns_dgon.sh @@ -92,11 +92,11 @@ dns_dgon_rm() { domain_list="$(_get "$GURL")" ## 2) find record ## check for what we are looing for: "type":"A","name":"$_sub_domain" - record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*\d+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" + record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*[[:digit:]]+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" ## 3) check record and get next page if [ -z "$record" ]; then ## find the next page if we dont have a match - nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=\d+")" + nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[[:digit:]]+")" if [ -z "$nextpage" ]; then _err "no record and no nextpage in digital ocean DNS removal" return 1 @@ -108,7 +108,7 @@ dns_dgon_rm() { done ## we found the record - rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*\d+" | _egrep_o "\d+")" + rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*[[:digit:]]+" | _egrep_o "[[:digit:]]+")" _debug rec_id "$rec_id" ## delete the record From 9c4f7aa6889a2883028673e7276b8c2b15dfaf5b Mon Sep 17 00:00:00 2001 From: MaomiHz Date: Mon, 11 Dec 2017 16:20:27 -0600 Subject: [PATCH 02/22] check for env var exist in DigitalOcean API --- dnsapi/dns_dgon.sh | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_dgon.sh b/dnsapi/dns_dgon.sh index 1dc1a85..5761334 100755 --- a/dnsapi/dns_dgon.sh +++ b/dnsapi/dns_dgon.sh @@ -20,12 +20,22 @@ dns_dgon_add() { fulldomain="$(echo "$1" | _lower_case)" txtvalue=$2 + + DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}" + # Check if API Key Exist + if [ -z "$DO_API_KEY" ]; then + DO_API_KEY="" + _err "You did not specify DigitalOcean API key." + _err "Please export DO_API_KEY and try again." + return 1 + fi + _info "Using digitalocean dns validation - add record" _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" ## save the env vars (key and domain split location) for later automated use - _saveaccountconf DO_API_KEY "$DO_API_KEY" + _saveaccountconf_mutable DO_API_KEY "$DO_API_KEY" ## split the domain for DO API if ! _get_base_domain "$fulldomain"; then @@ -39,7 +49,7 @@ dns_dgon_add() { export _H1="Content-Type: application/json" export _H2="Authorization: Bearer $DO_API_KEY" PURL='https://api.digitalocean.com/v2/domains/'$_domain'/records' - PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'"}' + PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'","ttl":120}' _debug PURL "$PURL" _debug PBODY "$PBODY" @@ -65,6 +75,16 @@ dns_dgon_add() { dns_dgon_rm() { fulldomain="$(echo "$1" | _lower_case)" txtvalue=$2 + + DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}" + # Check if API Key Exist + if [ -z "$DO_API_KEY" ]; then + DO_API_KEY="" + _err "You did not specify DigitalOcean API key." + _err "Please export DO_API_KEY and try again." + return 1 + fi + _info "Using digitalocean dns validation - remove record" _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" From c1f8ffa3861f93d624674732180f60ac1db768ed Mon Sep 17 00:00:00 2001 From: MaomiHz Date: Wed, 17 Jan 2018 21:39:13 -0600 Subject: [PATCH 03/22] Use [0-9] instead --- dnsapi/dns_dgon.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_dgon.sh b/dnsapi/dns_dgon.sh index 5761334..5d38ef7 100755 --- a/dnsapi/dns_dgon.sh +++ b/dnsapi/dns_dgon.sh @@ -112,11 +112,11 @@ dns_dgon_rm() { domain_list="$(_get "$GURL")" ## 2) find record ## check for what we are looing for: "type":"A","name":"$_sub_domain" - record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*[[:digit:]]+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" + record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*[0-9]+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" ## 3) check record and get next page if [ -z "$record" ]; then ## find the next page if we dont have a match - nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[[:digit:]]+")" + nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[0-9]+")" if [ -z "$nextpage" ]; then _err "no record and no nextpage in digital ocean DNS removal" return 1 @@ -128,7 +128,7 @@ dns_dgon_rm() { done ## we found the record - rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*[[:digit:]]+" | _egrep_o "[[:digit:]]+")" + rec_id="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")" _debug rec_id "$rec_id" ## delete the record From e3ddb677e174c033282c78e50e1135a10380c8a8 Mon Sep 17 00:00:00 2001 From: David Kerr Date: Fri, 9 Mar 2018 16:39:08 -0500 Subject: [PATCH 04/22] Adding support for API v2 (multiple TXT records) --- dnsapi/dns_freedns.sh | 146 ++++++++++++++++-------------------------- 1 file changed, 55 insertions(+), 91 deletions(-) diff --git a/dnsapi/dns_freedns.sh b/dnsapi/dns_freedns.sh index afd8b79..1f03791 100755 --- a/dnsapi/dns_freedns.sh +++ b/dnsapi/dns_freedns.sh @@ -53,8 +53,9 @@ dns_freedns_add() { i="$(_math "$i" - 1)" sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")" - _debug top_domain "$top_domain" - _debug sub_domain "$sub_domain" + _debug "top_domain: $top_domain" + _debug "sub_domain: $sub_domain" + # Sometimes FreeDNS does not return the subdomain page but rather # returns a page regarding becoming a premium member. This usually # happens after a period of inactivity. Immediately trying again @@ -63,6 +64,7 @@ dns_freedns_add() { attempts=2 while [ "$attempts" -gt "0" ]; do attempts="$(_math "$attempts" - 1)" + htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" if [ "$?" != "0" ]; then if [ "$using_cached_cookies" = "true" ]; then @@ -71,10 +73,9 @@ dns_freedns_add() { fi return 1 fi - _debug2 htmlpage "$htmlpage" subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '
' | sed 's//@/g' | tr '@' '\n' | grep edit.php | grep "$top_domain")" - _debug2 subdomain_csv "$subdomain_csv" + _debug3 "subdomain_csv: $subdomain_csv" # The above beauty ends with striping out rows that do not have an # href to edit.php and do not have the top domain we are looking for. @@ -85,55 +86,25 @@ dns_freedns_add() { lines="$(echo "$subdomain_csv" | wc -l)" i=0 found=0 + DNSdomainid="" while [ "$i" -lt "$lines" ]; do i="$(_math "$i" + 1)" line="$(echo "$subdomain_csv" | sed -n "${i}p")" - _debug2 line "$line" + _debug2 "line $line" if [ $found = 0 ] && _contains "$line" "$top_domain"; then # this line will contain DNSdomainid for the top_domain DNSdomainid="$(echo "$line" | _egrep_o "edit_domain_id *= *.*>" | cut -d = -f 2 | cut -d '>' -f 1)" - _debug2 DNSdomainid "$DNSdomainid" + _debug2 "DNSdomainid: $DNSdomainid" found=1 - else - # lines contain DNS records for all subdomains - DNSname="$(echo "$line" | _egrep_o 'edit.php.*' | cut -d '>' -f 2 | cut -d '<' -f 1)" - _debug2 DNSname "$DNSname" - DNStype="$(echo "$line" | sed 's/' -f 2 | cut -d '<' -f 1)" - _debug2 DNStype "$DNStype" - if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then - DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)" - # Now get current value for the TXT record. This method may - # not produce accurate results as the value field is truncated - # on this webpage. To get full value we would need to load - # another page. However we don't really need this so long as - # there is only one TXT record for the acme challenge subdomain. - DNSvalue="$(echo "$line" | sed 's/' -f 2 | cut -d '<' -f 1)" - _debug2 DNSvalue "$DNSvalue" - if [ $found != 0 ]; then - break - # we are breaking out of the loop at the first match of DNS name - # and DNS type (if we are past finding the domainid). This assumes - # that there is only ever one TXT record for the LetsEncrypt/acme - # challenge subdomain. This seems to be a reasonable assumption - # as the acme client deletes the TXT record on successful validation. - fi - else - DNSname="" - DNStype="" - fi + break; fi done - _debug "DNSname: $DNSname DNStype: $DNStype DNSdomainid: $DNSdomainid DNSdataid: $DNSdataid" - _debug "DNSvalue: $DNSvalue" - if [ -z "$DNSdomainid" ]; then # If domain ID is empty then something went wrong (top level # domain not found at FreeDNS). if [ "$attempts" = "0" ]; then # exhausted maximum retry attempts - _debug "$htmlpage" - _debug "$subdomain_csv" _err "Domain $top_domain not found at FreeDNS" return 1 fi @@ -145,33 +116,10 @@ dns_freedns_add() { _info "Retry loading subdomain page ($attempts attempts remaining)" done - if [ -z "$DNSdataid" ]; then - # If data ID is empty then specific subdomain does not exist yet, need - # to create it this should always be the case as the acme client - # deletes the entry after domain is validated. - _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue" - return $? - else - if [ "$txtvalue" = "$DNSvalue" ]; then - # if value in TXT record matches value requested then DNS record - # does not need to be updated. But... - # Testing value match fails. Website is truncating the value field. - # So for now we will always go down the else path. Though in theory - # should never come here anyway as the acme client deletes - # the TXT record on successful validation, so we should not even - # have found a TXT record !! - _info "No update necessary for $fulldomain at FreeDNS" - return 0 - else - # Delete the old TXT record (with the wrong value) - if _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"; then - # And add in new TXT record with the value provided - _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue" - fi - return $? - fi - fi - return 0 + # Add in new TXT record with the value provided + _debug "Adding TXT record for $fulldomain, $txtvalue" + _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue" + return $? } #Usage: fulldomain txtvalue @@ -205,7 +153,7 @@ dns_freedns_rm() { fi subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '' | sed 's//@/g' | tr '@' '\n' | grep edit.php | grep "$fulldomain")" - _debug2 subdomain_csv "$subdomain_csv" + _debug3 "subdomain_csv: $subdomain_csv" # The above beauty ends with striping out rows that do not have an # href to edit.php and do not have the domain name we are looking for. @@ -216,35 +164,51 @@ dns_freedns_rm() { lines="$(echo "$subdomain_csv" | wc -l)" i=0 found=0 + DNSdataid="" while [ "$i" -lt "$lines" ]; do i="$(_math "$i" + 1)" line="$(echo "$subdomain_csv" | sed -n "${i}p")" - _debug2 line "$line" + _debug3 "line: $line" DNSname="$(echo "$line" | _egrep_o 'edit.php.*' | cut -d '>' -f 2 | cut -d '<' -f 1)" - _debug2 DNSname "$DNSname" - DNStype="$(echo "$line" | sed 's/' -f 2 | cut -d '<' -f 1)" - _debug2 DNStype "$DNStype" - if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then - DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)" - _debug2 DNSdataid "$DNSdataid" - DNSvalue="$(echo "$line" | sed 's/' -f 2 | cut -d '<' -f 1)" - _debug2 DNSvalue "$DNSvalue" - # if [ "$DNSvalue" = "$txtvalue" ]; then - # Testing value match fails. Website is truncating the value - # field. So for now we will assume that there is only one TXT - # field for the sub domain and just delete it. Currently this - # is a safe assumption. - _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid" - return $? - # fi + _debug2 "DNSname: $DNSname" + if [ "$DNSname" = "$fulldomain" ]; then + DNStype="$(echo "$line" | sed 's/' -f 2 | cut -d '<' -f 1)" + _debug2 "DNStype: $DNStype" + if [ "$DNStype" = "TXT" ]; then + DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)" + _debug2 "DNSdataid: $DNSdataid" + DNSvalue="$(echo "$line" | sed 's/' -f 2 | cut -d '<' -f 1)" + if _startswith "$DNSvalue" """; then + # remove the quotation from the start + DNSvalue="$(echo "$DNSvalue" | cut -c 7-)" + fi + if _endswith "$DNSvalue" "..."; then + # value was truncated, remove the dot dot dot from the end + DNSvalue="$(echo "$DNSvalue" | sed 's/...$//')" + elif _endswith "$DNSvalue" """; then + # else remove the closing quotation from the end + DNSvalue="$(echo "$DNSvalue" | sed 's/......$//')" + fi + _debug2 "DNSvalue: $DNSvalue" + + if [ -n "$DNSdataid" ] && _startswith "$txtvalue" "$DNSvalue"; then + # Found a match. But note... Website is truncating the + # value field so we are only testing that part that is not + # truncated. This should be accurate enough. + _debug "Deleting TXT record for $fulldomain, $txtvalue" + _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid" + return $? + fi + + fi fi done done # If we get this far we did not find a match (after two attempts) # Not necessarily an error, but log anyway. - _debug2 "$subdomain_csv" - _info "Cannot delete TXT record for $fulldomain/$txtvalue. Does not exist at FreeDNS" + _debug3 "$subdomain_csv" + _info "Cannot delete TXT record for $fulldomain, $txtvalue. Does not exist at FreeDNS" return 0 } @@ -272,7 +236,7 @@ _freedns_login() { # if cookies is not empty then logon successful if [ -z "$cookies" ]; then - _debug "$htmlpage" + _debug3 "htmlpage: $htmlpage" _err "FreeDNS login failed for user $username. Check $HTTP_HEADER file" return 1 fi @@ -301,7 +265,7 @@ _freedns_retrieve_subdomain_page() { return 1 fi - _debug2 "$htmlpage" + _debug3 "htmlpage: $htmlpage" printf "%s" "$htmlpage" return 0 @@ -323,17 +287,17 @@ _freedns_add_txt_record() { _err "FreeDNS failed to add TXT record for $subdomain bad RC from _post" return 1 elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then - _debug "$htmlpage" + _debug3 "htmlpage: $htmlpage" _err "FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file" return 1 elif _contains "$htmlpage" "security code was incorrect"; then - _debug "$htmlpage" + _debug3 "htmlpage: $htmlpage" _err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code" _err "Note that you cannot use automatic DNS validation for FreeDNS public domains" return 1 fi - _debug2 "$htmlpage" + _debug3 "htmlpage: $htmlpage" _info "Added acme challenge TXT record for $fulldomain at FreeDNS" return 0 } @@ -352,7 +316,7 @@ _freedns_delete_txt_record() { _err "FreeDNS failed to delete TXT record for $data_id bad RC from _get" return 1 elif ! _contains "$htmlheader" "200 OK"; then - _debug "$htmlheader" + _debug2 "htmlheader: $htmlheader" _err "FreeDNS failed to delete TXT record $data_id" return 1 fi From 62dd3a5380eaffd76edf0ad558e14cd494ac236d Mon Sep 17 00:00:00 2001 From: David Kerr Date: Fri, 9 Mar 2018 16:54:42 -0500 Subject: [PATCH 05/22] Fix Travis CI errors. --- dnsapi/dns_freedns.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_freedns.sh b/dnsapi/dns_freedns.sh index 1f03791..0d8fae7 100755 --- a/dnsapi/dns_freedns.sh +++ b/dnsapi/dns_freedns.sh @@ -90,13 +90,13 @@ dns_freedns_add() { while [ "$i" -lt "$lines" ]; do i="$(_math "$i" + 1)" line="$(echo "$subdomain_csv" | sed -n "${i}p")" - _debug2 "line $line" + _debug2 "line: $line" if [ $found = 0 ] && _contains "$line" "$top_domain"; then # this line will contain DNSdomainid for the top_domain DNSdomainid="$(echo "$line" | _egrep_o "edit_domain_id *= *.*>" | cut -d = -f 2 | cut -d '>' -f 1)" _debug2 "DNSdomainid: $DNSdomainid" found=1 - break; + break fi done @@ -191,7 +191,7 @@ dns_freedns_rm() { fi _debug2 "DNSvalue: $DNSvalue" - if [ -n "$DNSdataid" ] && _startswith "$txtvalue" "$DNSvalue"; then + if [ -n "$DNSdataid" ] && _startswith "$txtvalue" "$DNSvalue"; then # Found a match. But note... Website is truncating the # value field so we are only testing that part that is not # truncated. This should be accurate enough. From a5a0e564dd5682ca12bdcd66dd2d9cd6e9afb9be Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 10 Mar 2018 10:33:33 +0800 Subject: [PATCH 06/22] fix https://github.com/Neilpang/acme.sh/issues/1322 --- acme.sh | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/acme.sh b/acme.sh index 0fe6b81..2a3138c 100755 --- a/acme.sh +++ b/acme.sh @@ -5399,7 +5399,6 @@ Parameters: --webroot, -w /path/to/webroot Specifies the web root folder for web root mode. --standalone Use standalone mode. --stateless Use stateless mode, see: $_STATELESS_WIKI - --tls Use standalone tls mode. --apache Use apache mode. --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api. --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds. @@ -5429,7 +5428,6 @@ Parameters: --accountkey Specifies the account key path, Only valid for the '--install' command. --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days. --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer. - --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer. --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses. --listraw Only used for '--list' command, list the certs in raw format. --stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal. @@ -5780,14 +5778,6 @@ _process() { _webroot="$_webroot,$wvalue" fi ;; - --tls) - wvalue="$W_TLS" - if [ -z "$_webroot" ]; then - _webroot="$wvalue" - else - _webroot="$_webroot,$wvalue" - fi - ;; --dns) wvalue="dns" if [ "$2" ] && ! _startswith "$2" "-"; then @@ -5883,12 +5873,6 @@ _process() { Le_HTTPPort="$_httpport" shift ;; - --tlsport) - _tlsport="$2" - Le_TLSPort="$_tlsport" - shift - ;; - --listraw) _listraw="raw" ;; From 224e0c298a6de49fa41754839855ffaf256578d8 Mon Sep 17 00:00:00 2001 From: martgras Date: Mon, 12 Mar 2018 10:27:56 +0100 Subject: [PATCH 07/22] Fix missing success return value from dns_azure_add/rm --- dnsapi/dns_azure.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_azure.sh b/dnsapi/dns_azure.sh index 677a9f7..e0d9516 100644 --- a/dnsapi/dns_azure.sh +++ b/dnsapi/dns_azure.sh @@ -99,6 +99,7 @@ dns_azure_add() { _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken" if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then _info "validation value added" + return 0 else _err "error adding validation value ($_code)" return 1 @@ -194,6 +195,7 @@ dns_azure_rm() { _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken" if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then _info "validation value removed" + return 0 else _err "error removing validation value ($_code)" return 1 @@ -226,6 +228,7 @@ _azure_rest() { else response="$(_get "$ep")" fi + _ret="$?" _secure_debug2 "response $response" _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" _debug "http response code $_code" @@ -236,7 +239,7 @@ _azure_rest() { return 1 fi # See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes - if [ "$?" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then + if [ "$_ret" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then _request_retry_times="$(_math "$_request_retry_times" + 1)" _info "REST call error $_code retrying $ep in $_request_retry_times s" _sleep "$_request_retry_times" @@ -281,6 +284,7 @@ _azure_getaccess_token() { body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials" _secure_debug2 "data $body" response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")" + _ret="$?" _secure_debug2 "response $response" response="$(echo "$response" | _normalizeJson)" accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") @@ -290,7 +294,7 @@ _azure_getaccess_token() { _err "no acccess token received. Check your Azure settings see $WIKI" return 1 fi - if [ "$?" != "0" ]; then + if [ "$_ret" != "0" ]; then _err "error $response" return 1 fi From 0f120c41f1649d1b0a704a439927b47ab214aae8 Mon Sep 17 00:00:00 2001 From: anabis <7274563+anabis@users.noreply.github.com> Date: Wed, 14 Mar 2018 11:05:57 +0100 Subject: [PATCH 08/22] fix syntax error missing space --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 2a3138c..5d9b63c 100755 --- a/acme.sh +++ b/acme.sh @@ -4151,7 +4151,7 @@ $_authorizations_map" echo "$BEGIN_CERT" >"$CA_CERT_PATH" _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH" echo "$END_CERT" >>"$CA_CERT_PATH" - if !_checkcert "$CA_CERT_PATH"; then + if ! _checkcert "$CA_CERT_PATH"; then _err "Can not get the ca cert." break fi From 749c0e51e681c77fe10f38c083332c5c71969cb9 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 19:42:02 +0800 Subject: [PATCH 09/22] start 2.7.8 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 2a3138c..151b8e9 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=2.7.7 +VER=2.7.8 PROJECT_NAME="acme.sh" From c5f1cca3a0057e17ca817c8260027d4895e5d4f4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 20:30:51 +0800 Subject: [PATCH 10/22] fix https://github.com/Neilpang/acme.sh/issues/1372 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 439e038..178852a 100755 --- a/acme.sh +++ b/acme.sh @@ -4264,7 +4264,7 @@ renew() { fi . "$DOMAIN_CONF" - + _debug Le_API "$Le_API" if [ "$Le_API" ]; then if [ "$_OLD_CA_HOST" = "$Le_API" ]; then export Le_API="$DEFAULT_CA" From 664446631f0601d21a607cb0e76ba06d4acb3536 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 20:52:18 +0800 Subject: [PATCH 11/22] add debug info --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 178852a..2898beb 100755 --- a/acme.sh +++ b/acme.sh @@ -2341,7 +2341,7 @@ _initpath() { fi fi - _debug2 ACME_DIRECTORY "$ACME_DIRECTORY" + _debug ACME_DIRECTORY "$ACME_DIRECTORY" _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)" _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" From 3881f22192ac16f298e2d5dd603971e4450124c2 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 21:20:27 +0800 Subject: [PATCH 12/22] fix https://github.com/Neilpang/acme.sh/issues/1375 add more info --- acme.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 2898beb..337d8b9 100755 --- a/acme.sh +++ b/acme.sh @@ -47,6 +47,7 @@ DEFAULT_DNS_SLEEP=120 NO_VALUE="no" W_TLS="tls" +W_DNS="dns" DNS_ALIAS_PREFIX="=" MODE_STATELESS="stateless" @@ -3118,7 +3119,7 @@ _on_issue_err() { ) fi - if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "dns"; then + if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "$W_DNS"; then _err "$_DNS_MANUAL_ERR" fi @@ -3154,7 +3155,7 @@ _on_issue_success() { fi fi - if _hasfield "$Le_Webroot" "dns"; then + if _hasfield "$Le_Webroot" "$W_DNS"; then _err "$_DNS_MANUAL_WARN" fi @@ -3624,7 +3625,7 @@ $_authorizations_map" vtype="$VTYPE_HTTP" #todo, v2 wildcard force to use dns - if _startswith "$_currentRoot" "dns"; then + if _startswith "$_currentRoot" "$W_DNS"; then vtype="$VTYPE_DNS" fi @@ -3751,6 +3752,10 @@ $_authorizations_map" if [ "$d_api" ]; then _info "Found domain api file: $d_api" else + if [ "$_currentRoot" != "$W_DNS" ]; then + _err "Can not find dns api hook for: $_currentRoot" + _info "You need to add the txt record manually." + fi _info "$(__red "Add the following TXT record:")" _info "$(__red "Domain: '$(__green "$txtdomain")'")" _info "$(__red "TXT value: '$(__green "$txt")'")" @@ -5779,7 +5784,7 @@ _process() { fi ;; --dns) - wvalue="dns" + wvalue="$W_DNS" if [ "$2" ] && ! _startswith "$2" "-"; then wvalue="$2" shift From 263c38caecbcf735e94646cb3483381680233960 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 21:27:29 +0800 Subject: [PATCH 13/22] add more debug info --- acme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acme.sh b/acme.sh index 337d8b9..e65b74a 100755 --- a/acme.sh +++ b/acme.sh @@ -3592,6 +3592,8 @@ issue() { _debug2 "_authz_url" "$_authz_url" if ! response="$(_get "$_authz_url")"; then _err "get to authz error." + _err "_authorizations_seg" "$_authorizations_seg" + _err "_authz_url" "$_authz_url" _clearup _on_issue_err "$_post_hook" return 1 @@ -3642,6 +3644,7 @@ $_authorizations_map" _debug2 "response" "$response" if [ -z "$response" ]; then _err "get to authz error." + _err "_authorizations_map" "$_authorizations_map" _clearup _on_issue_err "$_post_hook" return 1 @@ -4873,6 +4876,8 @@ _deactivate() { _debug2 "authzUri" "$authzUri" if ! response="$(_get "$authzUri")"; then _err "get to authz error." + _err "_authorizations_seg" "$_authorizations_seg" + _err "authzUri" "$authzUri" _clearup _on_issue_err "$_post_hook" return 1 From 674b50889e30cbbb10eea33fd4a0ace9e259d51e Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 21:42:12 +0800 Subject: [PATCH 14/22] fix wildcard domains --- acme.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index e65b74a..16f82fd 100755 --- a/acme.sh +++ b/acme.sh @@ -3422,6 +3422,9 @@ issue() { _main_domain=$(echo "$2,$3" | cut -d , -f 1) _alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//") fi + _debug _main_domain "$_main_domain" + _debug _alt_domains "$_alt_domains" + _key_length="$4" _real_cert="$5" _real_key="$6" @@ -3552,10 +3555,15 @@ issue() { if [ "$ACME_VERSION" = "2" ]; then #make new order request _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}" - for d in $(echo "$_alt_domains" | tr ',' ' '); do - if [ "$d" ]; then - _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}" + while true; do + _w_index=1 + d="$(echo "$$_alt_domains" | cut -d , -f "$_w_index")" + _w_index="$(_math "$_w_index" + 1)" + _debug d "$d" + if [ -z "$d" ]; then + break fi + _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}" done _debug2 _identifiers "$_identifiers" if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then From dd17124ec6eb5d89a68c515bfa4972b5c6e6a4dc Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 21:45:16 +0800 Subject: [PATCH 15/22] fix error --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 16f82fd..1fb9b47 100755 --- a/acme.sh +++ b/acme.sh @@ -3557,7 +3557,7 @@ issue() { _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}" while true; do _w_index=1 - d="$(echo "$$_alt_domains" | cut -d , -f "$_w_index")" + d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")" _w_index="$(_math "$_w_index" + 1)" _debug d "$d" if [ -z "$d" ]; then From 88bbe55b859fef97d18a2d7a67dfee297e41b40f Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 21:54:32 +0800 Subject: [PATCH 16/22] fix wrong wildcard domain interpretation --- acme.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 1fb9b47..fecc1b5 100755 --- a/acme.sh +++ b/acme.sh @@ -3620,10 +3620,16 @@ $_authorizations_map" _debug2 _authorizations_map "$_authorizations_map" fi - alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ') _index=0 _currentRoot="" - for d in $alldomains; do + while true; do + _w_index=1 + d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")" + _w_index="$(_math "$_w_index" + 1)" + _debug d "$d" + if [ -z "$d" ]; then + break + fi _info "Getting webroot for domain" "$d" _index=$(_math $_index + 1) _w="$(echo $_web_roots | cut -d , -f $_index)" From 931d19eece68266299e492f680ae37747edaa0e8 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 21:56:40 +0800 Subject: [PATCH 17/22] fix for wildcard domain interpretation --- acme.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index fecc1b5..4710947 100755 --- a/acme.sh +++ b/acme.sh @@ -3019,11 +3019,17 @@ _on_before_issue() { _debug Le_LocalAddress "$_chk_local_addr" - alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ') _index=1 _currentRoot="" _addrIndex=1 - for d in $alldomains; do + while true; do + _w_index=1 + d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")" + _w_index="$(_math "$_w_index" + 1)" + _debug d "$d" + if [ -z "$d" ]; then + break + fi _debug "Check for domain" "$d" _currentRoot="$(_getfield "$_chk_web_roots" $_index)" _debug "_currentRoot" "$_currentRoot" From 38f1b4d205c67a6b75084956759d2d0d321aadf7 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 22:03:58 +0800 Subject: [PATCH 18/22] fix wildcard interpretation --- acme.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 4710947..e7c40c0 100755 --- a/acme.sh +++ b/acme.sh @@ -2999,6 +2999,8 @@ _on_before_issue() { _chk_pre_hook="$4" _chk_local_addr="$5" _debug _on_before_issue + _debug _chk_main_domain "$_chk_main_domain" + _debug _chk_alt_domains "$_chk_alt_domains" #run pre hook if [ "$_chk_pre_hook" ]; then _info "Run pre hook:'$_chk_pre_hook'" @@ -3022,8 +3024,8 @@ _on_before_issue() { _index=1 _currentRoot="" _addrIndex=1 + _w_index=1 while true; do - _w_index=1 d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")" _w_index="$(_math "$_w_index" + 1)" _debug d "$d" @@ -3561,8 +3563,8 @@ issue() { if [ "$ACME_VERSION" = "2" ]; then #make new order request _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}" + _w_index=1 while true; do - _w_index=1 d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")" _w_index="$(_math "$_w_index" + 1)" _debug d "$d" @@ -3628,8 +3630,8 @@ $_authorizations_map" _index=0 _currentRoot="" + _w_index=1 while true; do - _w_index=1 d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")" _w_index="$(_math "$_w_index" + 1)" _debug d "$d" From 28d83d42e2a629d308afddc0cb2526c42bea192d Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 14 Mar 2018 22:09:34 +0800 Subject: [PATCH 19/22] remove tls mode from doc https://github.com/Neilpang/acme.sh/issues/1322 --- README.md | 43 ++++++++++++++----------------------------- 1 file changed, 14 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index bfcb477..5471c57 100644 --- a/README.md +++ b/README.md @@ -220,22 +220,7 @@ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert -# 5. Use Standalone TLS server to issue cert - -**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** - -acme.sh supports `tls-sni-01` validation. - -Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. - -```bash -acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com -``` - -More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert - - -# 6. Use Apache mode +# 5. Use Apache mode **(requires you to be root/sudoer, since it is required to interact with Apache server)** @@ -255,7 +240,7 @@ We don't want to mess your apache server, don't worry.** More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert -# 7. Use Nginx mode +# 6. Use Nginx mode **(requires you to be root/sudoer, since it is required to interact with Nginx server)** @@ -279,7 +264,7 @@ We don't want to mess your nginx server, don't worry.** More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert -# 8. Automatic DNS API integration +# 7. Automatic DNS API integration If your DNS provider supports API access, we can use that API to automatically issue the certs. @@ -342,7 +327,7 @@ If your DNS provider is not on the supported list above, you can write your own For more details: [How to use DNS API](dnsapi) -# 9. Use DNS manual mode: +# 8. Use DNS manual mode: If your dns provider doesn't support any api access, you can add the txt record by your hand. @@ -376,7 +361,7 @@ Ok, it's done. **Please use dns api mode instead.** -# 10. Issue ECC certificates +# 9. Issue ECC certificates `Let's Encrypt` can now issue **ECDSA** certificates. @@ -408,7 +393,7 @@ Valid values are: -# 11. Issue Wildcard certificates +# 10. Issue Wildcard certificates It's simple, just give a wildcard domain as the `-d` parameter. @@ -418,7 +403,7 @@ acme.sh --issue -d example.com -d *.example.com --dns dns_cf -# 12. How to renew the certs +# 11. How to renew the certs No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. @@ -435,7 +420,7 @@ acme.sh --renew -d example.com --force --ecc ``` -# 13. How to stop cert renewal +# 12. How to stop cert renewal To stop renewal of a cert, you can execute the following to remove the cert from the renewal list: @@ -448,7 +433,7 @@ The cert/key file is not removed from the disk. You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself. -# 14. How to upgrade `acme.sh` +# 13. How to upgrade `acme.sh` acme.sh is in constant development, so it's strongly recommended to use the latest code. @@ -473,25 +458,25 @@ acme.sh --upgrade --auto-upgrade 0 ``` -# 15. Issue a cert from an existing CSR +# 14. Issue a cert from an existing CSR https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR -# 16. Under the Hood +# 15. Under the Hood Speak ACME language using shell, directly to "Let's Encrypt". TODO: -# 17. Acknowledgments +# 16. Acknowledgments 1. Acme-tiny: https://github.com/diafygi/acme-tiny 2. ACME protocol: https://github.com/ietf-wg-acme/acme -# 18. License & Others +# 17. License & Others License is GPLv3 @@ -500,7 +485,7 @@ Please Star and Fork me. [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome. -# 19. Donate +# 18. Donate Your donation makes **acme.sh** better: 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) From 6b26d2b62de49e59517f7f5a0d14c4c91cb6dc2a Mon Sep 17 00:00:00 2001 From: Rid Date: Thu, 15 Mar 2018 09:50:54 +0000 Subject: [PATCH 20/22] Fixed grammatical errors --- dnsapi/dns_cf.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_cf.sh b/dnsapi/dns_cf.sh index 68264a4..3595b9b 100755 --- a/dnsapi/dns_cf.sh +++ b/dnsapi/dns_cf.sh @@ -19,8 +19,8 @@ dns_cf_add() { if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then CF_Key="" CF_Email="" - _err "You don't specify cloudflare api key and email yet." - _err "Please create you key and try again." + _err "You didn't specify a cloudflare api key and email yet." + _err "Please create the key and try again." return 1 fi @@ -94,8 +94,8 @@ dns_cf_rm() { if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then CF_Key="" CF_Email="" - _err "You don't specify cloudflare api key and email yet." - _err "Please create you key and try again." + _err "You didn't specify a cloudflare api key and email yet." + _err "Please create the key and try again." return 1 fi From a8b62261f6a02a6601d0fec235325e48deccbd05 Mon Sep 17 00:00:00 2001 From: "Claus F. Strasburger" Date: Fri, 16 Mar 2018 11:21:03 +0100 Subject: [PATCH 21/22] Documentation: what to do when using dns-manual Change the hint that tells you how to use DNS manual (second run needs to be --renew) --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e7c40c0..79717ad 100755 --- a/acme.sh +++ b/acme.sh @@ -3819,7 +3819,7 @@ $_authorizations_map" if [ "$dnsadded" = '0' ]; then _savedomainconf "Le_Vlist" "$vlist" _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." - _err "Please add the TXT records to the domains, and retry again." + _err "Please add the TXT records to the domains, and re-run with --renew." _clearup _on_issue_err "$_post_hook" return 1 From a5c1c30368a176ec76dcb2c379ca82a24d95ab5b Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 16 Mar 2018 21:29:38 +0800 Subject: [PATCH 22/22] update doc --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5471c57..2898629 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,8 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) - [archlinux](https://aur.archlinux.org/packages/acme.sh-git/) - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) +- [CentOS Web Panel](http://centos-webpanel.com/) +- [lnmp.org](https://lnmp.org/) - [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials) # Tested OS