@ -137,16 +137,16 @@ _printargs() {
_dlg_versions( ) {
_dlg_versions( ) {
echo "Diagnosis versions: "
echo "Diagnosis versions: "
echo " openssl: $OPENSSL_BIN "
if _exists " $OPENSSL_BIN " ; then
$OPENSSL_BIN version 2>& 1
echo " openssl: $ACME_ OPENSSL_BIN "
if _exists " $ACME_ OPENSSL_BIN " ; then
$ACME_ OPENSSL_BIN version 2>& 1
else
else
echo " $OPENSSL_BIN doesn't exists. "
echo " $ACME_ OPENSSL_BIN doesn't exists. "
fi
fi
echo "apache:"
echo "apache:"
if [ " $_APACHECTL " ] && _exists " $_APACHECTL " ; then
if [ " $_APACHECTL " ] && _exists " $_APACHECTL " ; then
_APACHECTL -V 2>& 1
$ _APACHECTL -V 2>& 1
else
else
echo "apache doesn't exists."
echo "apache doesn't exists."
fi
fi
@ -780,19 +780,19 @@ _base64() {
[ "" ] #urgly
[ "" ] #urgly
if [ " $1 " ] ; then
if [ " $1 " ] ; then
_debug3 " base64 multiline:' $1 ' "
_debug3 " base64 multiline:' $1 ' "
$OPENSSL_BIN base64 -e
$ACME_ OPENSSL_BIN base64 -e
else
else
_debug3 "base64 single line."
_debug3 "base64 single line."
$OPENSSL_BIN base64 -e | tr -d '\r\n'
$ACME_ OPENSSL_BIN base64 -e | tr -d '\r\n'
fi
fi
}
}
#Usage: multiline
#Usage: multiline
_dbase64( ) {
_dbase64( ) {
if [ " $1 " ] ; then
if [ " $1 " ] ; then
$OPENSSL_BIN base64 -d -A
$ACME_ OPENSSL_BIN base64 -d -A
else
else
$OPENSSL_BIN base64 -d
$ACME_ OPENSSL_BIN base64 -d
fi
fi
}
}
@ -809,9 +809,9 @@ _digest() {
if [ " $alg " = "sha256" ] || [ " $alg " = "sha1" ] || [ " $alg " = "md5" ] ; then
if [ " $alg " = "sha256" ] || [ " $alg " = "sha1" ] || [ " $alg " = "md5" ] ; then
if [ " $outputhex " ] ; then
if [ " $outputhex " ] ; then
$OPENSSL_BIN dgst -" $alg " -hex | cut -d = -f 2 | tr -d ' '
$ACME_ OPENSSL_BIN dgst -" $alg " -hex | cut -d = -f 2 | tr -d ' '
else
else
$OPENSSL_BIN dgst -" $alg " -binary | _base64
$ACME_ OPENSSL_BIN dgst -" $alg " -binary | _base64
fi
fi
else
else
_err " $alg is not supported yet "
_err " $alg is not supported yet "
@ -834,9 +834,9 @@ _hmac() {
if [ " $alg " = "sha256" ] || [ " $alg " = "sha1" ] ; then
if [ " $alg " = "sha256" ] || [ " $alg " = "sha1" ] ; then
if [ " $outputhex " ] ; then
if [ " $outputhex " ] ; then
( $OPENSSL_BIN dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " 2>/dev/null || $OPENSSL_BIN dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " ) | cut -d = -f 2 | tr -d ' '
( $ACME_ OPENSSL_BIN dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " 2>/dev/null || $ACME_ OPENSSL_BIN dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " ) | cut -d = -f 2 | tr -d ' '
else
else
$OPENSSL_BIN dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " -binary 2>/dev/null || $OPENSSL_BIN dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " -binary
$ACME_ OPENSSL_BIN dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " -binary 2>/dev/null || $ACME_ OPENSSL_BIN dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " -binary
fi
fi
else
else
_err " $alg is not supported yet "
_err " $alg is not supported yet "
@ -855,7 +855,7 @@ _sign() {
return 1
return 1
fi
fi
_sign_openssl = " $OPENSSL_BIN dgst -sign $keyfile "
_sign_openssl = " $ACME_ OPENSSL_BIN dgst -sign $keyfile "
if [ " $alg " = "sha256" ] ; then
if [ " $alg " = "sha256" ] ; then
_sign_openssl = " $_sign_openssl - $alg "
_sign_openssl = " $_sign_openssl - $alg "
else
else
@ -866,7 +866,7 @@ _sign() {
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
$_sign_openssl | _base64
$_sign_openssl | _base64
elif grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
elif grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
if ! _signedECText = " $( $_sign_openssl | $OPENSSL_BIN asn1parse -inform DER) " ; then
if ! _signedECText = " $( $_sign_openssl | $ACME_ OPENSSL_BIN asn1parse -inform DER) " ; then
_err " Sign failed: $_sign_openssl "
_err " Sign failed: $_sign_openssl "
_err " Key file: $keyfile "
_err " Key file: $keyfile "
_err " Key content: $( wc -l <" $keyfile " ) lises "
_err " Key content: $( wc -l <" $keyfile " ) lises "
@ -927,12 +927,21 @@ _createkey() {
_debug " Use length $length "
_debug " Use length $length "
if ! touch " $f " >/dev/null 2>& 1; then
_f_path = " $( dirname " $f " ) "
_debug _f_path " $_f_path "
if ! mkdir -p " $_f_path " ; then
_err " Can not create path: $_f_path "
return 1
fi
fi
if _isEccKey " $length " ; then
if _isEccKey " $length " ; then
_debug " Using ec name: $eccname "
_debug " Using ec name: $eccname "
$OPENSSL_BIN ecparam -name " $eccname " -genkey 2>/dev/null >" $f "
$ACME_ OPENSSL_BIN ecparam -name " $eccname " -genkey 2>/dev/null >" $f "
else
else
_debug " Using RSA: $length "
_debug " Using RSA: $length "
$OPENSSL_BIN genrsa " $length " 2>/dev/null >" $f "
$ACME_ OPENSSL_BIN genrsa " $length " 2>/dev/null >" $f "
fi
fi
if [ " $? " != "0" ] ; then
if [ " $? " != "0" ] ; then
@ -1019,9 +1028,9 @@ _createcsr() {
_csr_cn = " $( _idn " $domain " ) "
_csr_cn = " $( _idn " $domain " ) "
_debug2 _csr_cn " $_csr_cn "
_debug2 _csr_cn " $_csr_cn "
if _contains " $( uname -a) " "MINGW" ; then
if _contains " $( uname -a) " "MINGW" ; then
$OPENSSL_BIN req -new -sha256 -key " $csrkey " -subj " //CN= $_csr_cn " -config " $csrconf " -out " $csr "
$ACME_ OPENSSL_BIN req -new -sha256 -key " $csrkey " -subj " //CN= $_csr_cn " -config " $csrconf " -out " $csr "
else
else
$OPENSSL_BIN req -new -sha256 -key " $csrkey " -subj " /CN= $_csr_cn " -config " $csrconf " -out " $csr "
$ACME_ OPENSSL_BIN req -new -sha256 -key " $csrkey " -subj " /CN= $_csr_cn " -config " $csrconf " -out " $csr "
fi
fi
}
}
@ -1033,7 +1042,7 @@ _signcsr() {
cert = " $4 "
cert = " $4 "
_debug "_signcsr"
_debug "_signcsr"
_msg = " $( $OPENSSL_BIN x509 -req -days 365 -in " $csr " -signkey " $key " -extensions v3_req -extfile " $conf " -out " $cert " 2>& 1) "
_msg = " $( $ACME_ OPENSSL_BIN x509 -req -days 365 -in " $csr " -signkey " $key " -extensions v3_req -extfile " $conf " -out " $cert " 2>& 1) "
_ret = " $? "
_ret = " $? "
_debug " $_msg "
_debug " $_msg "
return $_ret
return $_ret
@ -1046,7 +1055,7 @@ _readSubjectFromCSR() {
_usage "_readSubjectFromCSR mycsr.csr"
_usage "_readSubjectFromCSR mycsr.csr"
return 1
return 1
fi
fi
$OPENSSL_BIN req -noout -in " $_csrfile " -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
$ACME_ OPENSSL_BIN req -noout -in " $_csrfile " -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
}
}
#_csrfile
#_csrfile
@ -1061,7 +1070,7 @@ _readSubjectAltNamesFromCSR() {
_csrsubj = " $( _readSubjectFromCSR " $_csrfile " ) "
_csrsubj = " $( _readSubjectFromCSR " $_csrfile " ) "
_debug _csrsubj " $_csrsubj "
_debug _csrsubj " $_csrsubj "
_dnsAltnames = " $( $OPENSSL_BIN req -noout -text -in " $_csrfile " | grep "^ *DNS:.*" | tr -d ' \n' ) "
_dnsAltnames = " $( $ACME_ OPENSSL_BIN req -noout -text -in " $_csrfile " | grep "^ *DNS:.*" | tr -d ' \n' ) "
_debug _dnsAltnames " $_dnsAltnames "
_debug _dnsAltnames " $_dnsAltnames "
if _contains " $_dnsAltnames , " " DNS: $_csrsubj , " ; then
if _contains " $_dnsAltnames , " " DNS: $_csrsubj , " ; then
@ -1082,7 +1091,7 @@ _readKeyLengthFromCSR() {
return 1
return 1
fi
fi
_outcsr = " $( $OPENSSL_BIN req -noout -text -in " $_csrfile " ) "
_outcsr = " $( $ACME_ OPENSSL_BIN req -noout -text -in " $_csrfile " ) "
if _contains " $_outcsr " "Public Key Algorithm: id-ecPublicKey" ; then
if _contains " $_outcsr " "Public Key Algorithm: id-ecPublicKey" ; then
_debug "ECC CSR"
_debug "ECC CSR"
echo " $_outcsr " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
echo " $_outcsr " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
@ -1136,9 +1145,9 @@ toPkcs() {
_initpath " $domain " " $_isEcc "
_initpath " $domain " " $_isEcc "
if [ " $pfxPassword " ] ; then
if [ " $pfxPassword " ] ; then
$OPENSSL_BIN pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH " -password " pass: $pfxPassword "
$ACME_ OPENSSL_BIN pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH " -password " pass: $pfxPassword "
else
else
$OPENSSL_BIN pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH "
$ACME_ OPENSSL_BIN pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH "
fi
fi
if [ " $? " = "0" ] ; then
if [ " $? " = "0" ] ; then
@ -1147,6 +1156,27 @@ toPkcs() {
}
}
#domain [isEcc]
toPkcs8( ) {
domain = " $1 "
if [ -z " $domain " ] ; then
_usage " Usage: $PROJECT_ENTRY --toPkcs8 -d domain [--ecc] "
return 1
fi
_isEcc = " $2 "
_initpath " $domain " " $_isEcc "
$ACME_OPENSSL_BIN pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in " $CERT_KEY_PATH " -out " $CERT_PKCS8_PATH "
if [ " $? " = "0" ] ; then
_info " Success, $CERT_PKCS8_PATH "
fi
}
#[2048]
#[2048]
createAccountKey( ) {
createAccountKey( ) {
_info "Creating account key"
_info "Creating account key"
@ -1249,12 +1279,12 @@ _url_replace() {
}
}
_time2str( ) {
_time2str( ) {
#BSD
#Linux
if date -u -d@" $1 " 2>/dev/null; then
if date -u -d@" $1 " 2>/dev/null; then
return
return
fi
fi
#Linux
#BSD
if date -u -r " $1 " 2>/dev/null; then
if date -u -r " $1 " 2>/dev/null; then
return
return
fi
fi
@ -1300,7 +1330,7 @@ _calcjwk() {
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
_debug "RSA key"
_debug "RSA key"
pub_exp = $( $OPENSSL_BIN rsa -in " $keyfile " -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
pub_exp = $( $ACME_ OPENSSL_BIN rsa -in " $keyfile " -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
if [ " ${# pub_exp } " = "5" ] ; then
if [ " ${# pub_exp } " = "5" ] ; then
pub_exp = 0$pub_exp
pub_exp = 0$pub_exp
fi
fi
@ -1309,7 +1339,7 @@ _calcjwk() {
e = $( echo " $pub_exp " | _h2b | _base64)
e = $( echo " $pub_exp " | _h2b | _base64)
_debug3 e " $e "
_debug3 e " $e "
modulus = $( $OPENSSL_BIN rsa -in " $keyfile " -modulus -noout | cut -d '=' -f 2)
modulus = $( $ACME_ OPENSSL_BIN rsa -in " $keyfile " -modulus -noout | cut -d '=' -f 2)
_debug3 modulus " $modulus "
_debug3 modulus " $modulus "
n = " $( printf "%s" " $modulus " | _h2b | _base64 | _url_replace) "
n = " $( printf "%s" " $modulus " | _h2b | _base64 | _url_replace) "
_debug3 n " $n "
_debug3 n " $n "
@ -1322,12 +1352,12 @@ _calcjwk() {
JWK_HEADERPLACE_PART2 = '", "alg": "RS256", "jwk": ' $jwk '}'
JWK_HEADERPLACE_PART2 = '", "alg": "RS256", "jwk": ' $jwk '}'
elif grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
elif grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
_debug "EC key"
_debug "EC key"
crv = " $( $OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
crv = " $( $ACME_ OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
_debug3 crv " $crv "
_debug3 crv " $crv "
if [ -z " $crv " ] ; then
if [ -z " $crv " ] ; then
_debug "Let's try ASN1 OID"
_debug "Let's try ASN1 OID"
crv_oid = " $( $OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
crv_oid = " $( $ACME_ OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
_debug3 crv_oid " $crv_oid "
_debug3 crv_oid " $crv_oid "
case " ${ crv_oid } " in
case " ${ crv_oid } " in
"prime256v1" )
"prime256v1" )
@ -1347,15 +1377,15 @@ _calcjwk() {
_debug3 crv " $crv "
_debug3 crv " $crv "
fi
fi
pubi = " $( $OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1) "
pubi = " $( $ACME_ OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1) "
pubi = $( _math " $pubi " + 1)
pubi = $( _math " $pubi " + 1)
_debug3 pubi " $pubi "
_debug3 pubi " $pubi "
pubj = " $( $OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1) "
pubj = " $( $ACME_ OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1) "
pubj = $( _math " $pubj " - 1)
pubj = $( _math " $pubj " - 1)
_debug3 pubj " $pubj "
_debug3 pubj " $pubj "
pubtext = " $( $OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | sed -n " $pubi , ${ pubj } p " | tr -d " \n\r" ) "
pubtext = " $( $ACME_ OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | sed -n " $pubi , ${ pubj } p " | tr -d " \n\r" ) "
_debug3 pubtext " $pubtext "
_debug3 pubtext " $pubtext "
xlen = " $( printf "%s" " $pubtext " | tr -d ':' | wc -c) "
xlen = " $( printf "%s" " $pubtext " | tr -d ':' | wc -c) "
@ -1455,6 +1485,11 @@ _inithttp() {
fi
fi
fi
fi
#from wget 1.14: do not skip body on 404 error
if [ " $_ACME_WGET " ] && _contains " $( $_ACME_WGET --help 2>& 1) " "--content-on-error" ; then
_ACME_WGET = " $_ACME_WGET --content-on-error "
fi
__HTTP_INITIALIZED = 1
__HTTP_INITIALIZED = 1
}
}
@ -1475,7 +1510,7 @@ _post() {
_inithttp
_inithttp
if [ " $_ACME_CURL " ] ; then
if [ " $_ACME_CURL " ] && [ " ${ ACME_USE_WGET :- 0 } " = "0" ] ; then
_CURL = " $_ACME_CURL "
_CURL = " $_ACME_CURL "
if [ " $HTTPS_INSECURE " ] ; then
if [ " $HTTPS_INSECURE " ] ; then
_CURL = " $_CURL --insecure "
_CURL = " $_CURL --insecure "
@ -1516,7 +1551,7 @@ _post() {
_ret = " $? "
_ret = " $? "
if [ " $_ret " = "8" ] ; then
if [ " $_ret " = "8" ] ; then
_ret = 0
_ret = 0
_debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
_debug "wget returns 8, the server returns a 'Bad request' response , lets process the response later."
fi
fi
if [ " $_ret " != "0" ] ; then
if [ " $_ret " != "0" ] ; then
_err " Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret "
_err " Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret "
@ -1542,7 +1577,7 @@ _get() {
_inithttp
_inithttp
if [ " $_ACME_CURL " ] ; then
if [ " $_ACME_CURL " ] && [ " ${ ACME_USE_WGET :- 0 } " = "0" ] ; then
_CURL = " $_ACME_CURL "
_CURL = " $_ACME_CURL "
if [ " $HTTPS_INSECURE " ] ; then
if [ " $HTTPS_INSECURE " ] ; then
_CURL = " $_CURL --insecure "
_CURL = " $_CURL --insecure "
@ -1579,9 +1614,9 @@ _get() {
$_WGET --user-agent= " $USER_AGENT " --header " $_H5 " --header " $_H4 " --header " $_H3 " --header " $_H2 " --header " $_H1 " -O - " $url "
$_WGET --user-agent= " $USER_AGENT " --header " $_H5 " --header " $_H4 " --header " $_H3 " --header " $_H2 " --header " $_H1 " -O - " $url "
fi
fi
ret = $?
ret = $?
if [ " $_ ret " = "8" ] ; then
_ ret= 0
_debug "wget returns 8, the server returns a 'Bad request' respons, lets process the response later."
if [ " $ret " = "8" ] ; then
ret = 0
_debug "wget returns 8, the server returns a 'Bad request' response , lets process the response later."
fi
fi
if [ " $ret " != "0" ] ; then
if [ " $ret " != "0" ] ; then
_err " Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret "
_err " Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret "
@ -1964,7 +1999,7 @@ _starttlsserver() {
return 1
return 1
fi
fi
__S_OPENSSL = " $OPENSSL_BIN s_server -cert $TLS_CERT -key $TLS_KEY "
__S_OPENSSL = " $ACME_ OPENSSL_BIN s_server -cert $TLS_CERT -key $TLS_KEY "
if [ " $opaddr " ] ; then
if [ " $opaddr " ] ; then
__S_OPENSSL = " $__S_OPENSSL -accept $opaddr : $port "
__S_OPENSSL = " $__S_OPENSSL -accept $opaddr : $port "
else
else
@ -2143,8 +2178,8 @@ _initpath() {
CERT_HOME = " $_DEFAULT_CERT_HOME "
CERT_HOME = " $_DEFAULT_CERT_HOME "
fi
fi
if [ -z " $OPENSSL_BIN " ] ; then
OPENSSL_BIN = " $DEFAULT_OPENSSL_BIN "
if [ -z " $ACME_OPENSSL_BIN " ] || [ ! -f " $ACME_OPENSSL_BIN " ] || [ ! -x " $ACME_ OPENSSL_BIN " ] ; then
ACME_ OPENSSL_BIN= " $DEFAULT_OPENSSL_BIN "
fi
fi
if [ -z " $1 " ] ; then
if [ -z " $1 " ] ; then
@ -2200,6 +2235,9 @@ _initpath() {
if [ -z " $CERT_PFX_PATH " ] ; then
if [ -z " $CERT_PFX_PATH " ] ; then
CERT_PFX_PATH = " $DOMAIN_PATH / $domain .pfx "
CERT_PFX_PATH = " $DOMAIN_PATH / $domain .pfx "
fi
fi
if [ -z " $CERT_PKCS8_PATH " ] ; then
CERT_PKCS8_PATH = " $DOMAIN_PATH / $domain .pkcs8 "
fi
if [ -z " $TLS_CONF " ] ; then
if [ -z " $TLS_CONF " ] ; then
TLS_CONF = " $DOMAIN_PATH /tls.valdation.conf "
TLS_CONF = " $DOMAIN_PATH /tls.valdation.conf "
@ -2795,6 +2833,7 @@ _on_before_issue() {
_on_issue_err( ) {
_on_issue_err( ) {
_chk_post_hook = " $1 "
_chk_post_hook = " $1 "
_chk_vlist = " $2 "
_debug _on_issue_err
_debug _on_issue_err
if [ " $LOG_FILE " ] ; then
if [ " $LOG_FILE " ] ; then
_err " Please check log file for more details: $LOG_FILE "
_err " Please check log file for more details: $LOG_FILE "
@ -2803,10 +2842,6 @@ _on_issue_err() {
_err " See: $_DEBUG_WIKI "
_err " See: $_DEBUG_WIKI "
fi
fi
if [ " $DEBUG " ] && [ " $DEBUG " -gt "0" ] ; then
_debug " $( _dlg_versions) "
fi
#run the post hook
#run the post hook
if [ " $_chk_post_hook " ] ; then
if [ " $_chk_post_hook " ] ; then
_info " Run post hook:' $_chk_post_hook ' "
_info " Run post hook:' $_chk_post_hook ' "
@ -2817,6 +2852,28 @@ _on_issue_err() {
return 1
return 1
fi
fi
fi
fi
#trigger the validation to flush the pending authz
if [ " $_chk_vlist " ] ; then
(
_debug2 "_chk_vlist" " $_chk_vlist "
_debug2 "start to deactivate authz"
ventries = $( echo " $_chk_vlist " | tr " $dvsep " ' ' )
for ventry in $ventries ; do
d = $( echo " $ventry " | cut -d " $sep " -f 1)
keyauthorization = $( echo " $ventry " | cut -d " $sep " -f 2)
uri = $( echo " $ventry " | cut -d " $sep " -f 3)
vtype = $( echo " $ventry " | cut -d " $sep " -f 4)
_currentRoot = $( echo " $ventry " | cut -d " $sep " -f 5)
__trigger_validaton " $uri " " $keyauthorization "
done
)
fi
if [ " $DEBUG " ] && [ " $DEBUG " -gt "0" ] ; then
_debug " $( _dlg_versions) "
fi
}
}
_on_issue_success( ) {
_on_issue_success( ) {
@ -3029,6 +3086,16 @@ __get_domain_new_authz() {
}
}
#uri keyAuthorization
__trigger_validaton( ) {
_debug2 "tigger domain validation."
_t_url = " $1 "
_debug2 _t_url " $_t_url "
_t_key_authz = " $2 "
_debug2 _t_key_authz " $_t_key_authz "
_send_signed_request " $_t_url " " {\"resource\": \"challenge\", \"keyAuthorization\": \" $_t_key_authz \"} "
}
#webroot, domain domainlist keylength
#webroot, domain domainlist keylength
issue( ) {
issue( ) {
if [ -z " $2 " ] ; then
if [ -z " $2 " ] ; then
@ -3342,7 +3409,7 @@ issue() {
_startserver " $keyauthorization " " $_ncaddr " &
_startserver " $keyauthorization " " $_ncaddr " &
if [ " $? " != "0" ] ; then
if [ " $? " != "0" ] ; then
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
serverproc = " $! "
serverproc = " $! "
@ -3358,7 +3425,7 @@ issue() {
BACKUP_NGINX_CONF = ""
BACKUP_NGINX_CONF = ""
if ! _setNginx " $d " " $_currentRoot " " $thumbprint " ; then
if ! _setNginx " $d " " $_currentRoot " " $thumbprint " ; then
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3393,7 +3460,7 @@ issue() {
_err " $d :Can not write token to file : $wellknown_path / $token "
_err " $d :Can not write token to file : $wellknown_path / $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3438,16 +3505,16 @@ issue() {
_err "Start tls server error."
_err "Start tls server error."
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
fi
fi
if ! _send_signed_request " $uri " " {\"resource\": \"challenge\", \"keyAuthorization\": \" $keyauthorization \"} " ; then
if ! __trigger_validaton " $uri " " $keyauthorization " ; then
_err " $d :Can not get challenge: $response "
_err " $d :Can not get challenge: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3455,7 +3522,7 @@ issue() {
_err " $d :Challenge error: $response "
_err " $d :Challenge error: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3470,7 +3537,7 @@ issue() {
_err " $d :Timeout "
_err " $d :Timeout "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3482,7 +3549,7 @@ issue() {
_err " $d :Verify error: $response "
_err " $d :Verify error: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
_debug2 original " $response "
_debug2 original " $response "
@ -3517,7 +3584,7 @@ issue() {
fi
fi
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3527,7 +3594,7 @@ issue() {
_err " $d :Verify error: $response "
_err " $d :Verify error: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
_clearup
_on_issue_err " $_post_hook "
_on_issue_err " $_post_hook " " $vlist "
return 1
return 1
fi
fi
@ -3653,7 +3720,7 @@ issue() {
_savedomainconf "Le_RealKeyPath" " $_real_key "
_savedomainconf "Le_RealKeyPath" " $_real_key "
_savedomainconf "Le_ReloadCmd" " $_reload_cmd "
_savedomainconf "Le_ReloadCmd" " $_reload_cmd "
_savedomainconf "Le_RealFullChainPath" " $_real_fullchain "
_savedomainconf "Le_RealFullChainPath" " $_real_fullchain "
_installcert " $_main_domain " " $_real_cert " " $_real_key " " $_real_ca " " $_reload_cmd " " $_real_fullchain "
_installcert " $_main_domain " " $_real_cert " " $_real_key " " $_real_ca " " $_real_fullchain " " $_reload_cmd "
fi
fi
}
}
@ -3964,16 +4031,18 @@ installcert() {
_savedomainconf "Le_ReloadCmd" " $_reload_cmd "
_savedomainconf "Le_ReloadCmd" " $_reload_cmd "
_savedomainconf "Le_RealFullChainPath" " $_real_fullchain "
_savedomainconf "Le_RealFullChainPath" " $_real_fullchain "
_installcert " $_main_domain " " $_real_cert " " $_real_key " " $_real_ca " " $_reload_cmd " " $_real_fullchain "
_installcert " $_main_domain " " $_real_cert " " $_real_key " " $_real_ca " " $_real_fullchain " " $_reload_cmd "
}
}
#domain cert key ca fullchain reloadcmd backup-prefix
_installcert( ) {
_installcert( ) {
_main_domain = " $1 "
_main_domain = " $1 "
_real_cert = " $2 "
_real_cert = " $2 "
_real_key = " $3 "
_real_key = " $3 "
_real_ca = " $4 "
_real_ca = " $4 "
_reload_cmd = " $5 "
_real_fullchain = " $6 "
_real_fullchain = " $5 "
_reload_cmd = " $6 "
_backup_prefix = " $7 "
if [ " $_real_cert " = " $NO_VALUE " ] ; then
if [ " $_real_cert " = " $NO_VALUE " ] ; then
_real_cert = ""
_real_cert = ""
@ -3991,11 +4060,13 @@ _installcert() {
_real_fullchain = ""
_real_fullchain = ""
fi
fi
_backup_path = " $DOMAIN_BACKUP_PATH / $_backup_prefix "
mkdir -p " $_backup_path "
if [ " $_real_cert " ] ; then
if [ " $_real_cert " ] ; then
_info " Installing cert to: $_real_cert "
_info " Installing cert to: $_real_cert "
if [ -f " $_real_cert " ] && [ ! " $IS_RENEW " ] ; then
if [ -f " $_real_cert " ] && [ ! " $IS_RENEW " ] ; then
mkdir -p " $DOMAIN_BACKUP_PATH "
cp " $_real_cert " " $DOMAIN_BACKUP_PATH /cert.bak "
cp " $_real_cert " " $_backup_path /cert.bak "
fi
fi
cat " $CERT_PATH " >" $_real_cert "
cat " $CERT_PATH " >" $_real_cert "
fi
fi
@ -4007,8 +4078,7 @@ _installcert() {
cat " $CA_CERT_PATH " >>" $_real_ca "
cat " $CA_CERT_PATH " >>" $_real_ca "
else
else
if [ -f " $_real_ca " ] && [ ! " $IS_RENEW " ] ; then
if [ -f " $_real_ca " ] && [ ! " $IS_RENEW " ] ; then
mkdir -p " $DOMAIN_BACKUP_PATH "
cp " $_real_ca " " $DOMAIN_BACKUP_PATH /ca.bak "
cp " $_real_ca " " $_backup_path /ca.bak "
fi
fi
cat " $CA_CERT_PATH " >" $_real_ca "
cat " $CA_CERT_PATH " >" $_real_ca "
fi
fi
@ -4017,8 +4087,7 @@ _installcert() {
if [ " $_real_key " ] ; then
if [ " $_real_key " ] ; then
_info " Installing key to: $_real_key "
_info " Installing key to: $_real_key "
if [ -f " $_real_key " ] && [ ! " $IS_RENEW " ] ; then
if [ -f " $_real_key " ] && [ ! " $IS_RENEW " ] ; then
mkdir -p " $DOMAIN_BACKUP_PATH "
cp " $_real_key " " $DOMAIN_BACKUP_PATH /key.bak "
cp " $_real_key " " $_backup_path /key.bak "
fi
fi
cat " $CERT_KEY_PATH " >" $_real_key "
cat " $CERT_KEY_PATH " >" $_real_key "
fi
fi
@ -4026,8 +4095,7 @@ _installcert() {
if [ " $_real_fullchain " ] ; then
if [ " $_real_fullchain " ] ; then
_info " Installing full chain to: $_real_fullchain "
_info " Installing full chain to: $_real_fullchain "
if [ -f " $_real_fullchain " ] && [ ! " $IS_RENEW " ] ; then
if [ -f " $_real_fullchain " ] && [ ! " $IS_RENEW " ] ; then
mkdir -p " $DOMAIN_BACKUP_PATH "
cp " $_real_fullchain " " $DOMAIN_BACKUP_PATH /fullchain.bak "
cp " $_real_fullchain " " $_backup_path /fullchain.bak "
fi
fi
cat " $CERT_FULLCHAIN_PATH " >" $_real_fullchain "
cat " $CERT_FULLCHAIN_PATH " >" $_real_fullchain "
fi
fi
@ -4367,8 +4435,8 @@ _precheck() {
fi
fi
fi
fi
if ! _exists " $OPENSSL_BIN " ; then
_err "Please install openssl first."
if ! _exists " $ACME_ OPENSSL_BIN " ; then
_err " Please install openssl first. ACME_OPENSSL_BIN= $ACME_OPENSSL_BIN "
_err "We need openssl to generate keys."
_err "We need openssl to generate keys."
return 1
return 1
fi
fi
@ -4660,6 +4728,7 @@ Commands:
--uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--cron Run cron job to renew all the certs.
--cron Run cron job to renew all the certs.
--toPkcs Export the certificate and key to a pfx file.
--toPkcs Export the certificate and key to a pfx file.
--toPkcs8 Convert to pkcs8 format.
--update-account Update account info.
--update-account Update account info.
--register-account Register account key.
--register-account Register account key.
--create-account-key Create an account private key, professional use.
--create-account-key Create an account private key, professional use.
@ -4723,6 +4792,7 @@ Parameters:
--listen-v4 Force standalone/tls server to listen at ipv4.
--listen-v4 Force standalone/tls server to listen at ipv4.
--listen-v6 Force standalone/tls server to listen at ipv6.
--listen-v6 Force standalone/tls server to listen at ipv6.
--openssl-bin Specifies a custom openssl bin location.
--openssl-bin Specifies a custom openssl bin location.
--use-wget Force to use wget, if you have both curl and wget installed.
"
"
}
}
@ -4790,9 +4860,9 @@ _processAccountConf() {
fi
fi
if [ " $_openssl_bin " ] ; then
if [ " $_openssl_bin " ] ; then
_saveaccountconf "OPENSSL_BIN" " $_openssl_bin "
elif [ " $OPENSSL_BIN " ] && [ " $OPENSSL_BIN " != " $DEFAULT_OPENSSL_BIN " ] ; then
_saveaccountconf "OPENSSL_BIN" " $OPENSSL_BIN "
_saveaccountconf "ACME_ OPENSSL_BIN" " $_openssl_bin "
elif [ " $ACME_ OPENSSL_BIN " ] && [ " $ACME_ OPENSSL_BIN " != " $DEFAULT_OPENSSL_BIN " ] ; then
_saveaccountconf "ACME_ OPENSSL_BIN" " $ACME_ OPENSSL_BIN "
fi
fi
if [ " $_auto_upgrade " ] ; then
if [ " $_auto_upgrade " ] ; then
@ -4801,6 +4871,12 @@ _processAccountConf() {
_saveaccountconf "AUTO_UPGRADE" " $AUTO_UPGRADE "
_saveaccountconf "AUTO_UPGRADE" " $AUTO_UPGRADE "
fi
fi
if [ " $_use_wget " ] ; then
_saveaccountconf "ACME_USE_WGET" " $_use_wget "
elif [ " $ACME_USE_WGET " ] ; then
_saveaccountconf "ACME_USE_WGET" " $ACME_USE_WGET "
fi
}
}
_process( ) {
_process( ) {
@ -4845,6 +4921,7 @@ _process() {
_listen_v6 = ""
_listen_v6 = ""
_openssl_bin = ""
_openssl_bin = ""
_syslog = ""
_syslog = ""
_use_wget = ""
while [ ${# } -gt 0 ] ; do
while [ ${# } -gt 0 ] ; do
case " ${ 1 } " in
case " ${ 1 } " in
@ -4907,6 +4984,9 @@ _process() {
--toPkcs)
--toPkcs)
_CMD = "toPkcs"
_CMD = "toPkcs"
; ;
; ;
--toPkcs8)
_CMD = "toPkcs8"
; ;
--createAccountKey | --createaccountkey | -cak | --create-account-key)
--createAccountKey | --createaccountkey | -cak | --create-account-key)
_CMD = "createAccountKey"
_CMD = "createAccountKey"
; ;
; ;
@ -5218,7 +5298,12 @@ _process() {
; ;
; ;
--openssl-bin)
--openssl-bin)
_openssl_bin = " $2 "
_openssl_bin = " $2 "
OPENSSL_BIN = " $_openssl_bin "
ACME_OPENSSL_BIN = " $_openssl_bin "
shift
; ;
--use-wget)
_use_wget = "1"
ACME_USE_WGET = "1"
; ;
; ;
*)
*)
_err " Unknown parameter : $1 "
_err " Unknown parameter : $1 "
@ -5319,6 +5404,9 @@ _process() {
toPkcs)
toPkcs)
toPkcs " $_domain " " $_password " " $_ecc "
toPkcs " $_domain " " $_password " " $_ecc "
; ;
; ;
toPkcs8)
toPkcs8 " $_domain " " $_ecc "
; ;
createAccountKey)
createAccountKey)
createAccountKey " $_accountkeylength "
createAccountKey " $_accountkeylength "
; ;
; ;
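Review bot: In the `_initpath` hunk, the new guard `if [ -z "$ACME_OPENSSL_BIN" ] || [ ! -f "$ACME_OPENSSL_BIN" ] || [ ! -x "$ACME_OPENSSL_BIN" ]` silently replaces an operator-configured `ACME_OPENSSL_BIN` with `$DEFAULT_OPENSSL_BIN` whenever the configured path is wrong, so a mistyped `--openssl-bin` or a stale value saved in the account conf quietly runs a different openssl than the one intended, and the new `_precheck` message `ACME_OPENSSL_BIN=$ACME_OPENSSL_BIN` then prints the default rather than the value that was discarded. The `-f` test also rejects a bare command name such as `openssl` resolved through PATH, which `_exists` accepts elsewhere on this page, so such a setting is always thrown away. I would keep the silent fallback only for the empty case and report a non-empty setting that fails the check before replacing it, as below; `_exists` is assumed to be a PATH lookup, which the page does not show. `_initpath` starts and ends outside the hunk.

```shell
if [ -z "$ACME_OPENSSL_BIN" ]; then
  ACME_OPENSSL_BIN="$DEFAULT_OPENSSL_BIN"
elif { [ ! -f "$ACME_OPENSSL_BIN" ] || [ ! -x "$ACME_OPENSSL_BIN" ]; } && ! _exists "$ACME_OPENSSL_BIN"; then
  _err "ACME_OPENSSL_BIN='$ACME_OPENSSL_BIN' is not an executable openssl, falling back to $DEFAULT_OPENSSL_BIN"
  ACME_OPENSSL_BIN="$DEFAULT_OPENSSL_BIN"
fi
# … unchanged: remainder of _initpath …
```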