Merge pull request #3565 from acmesh-official/dev

Dev
This commit is contained in:
neil 2021-06-21 23:42:23 +08:00 committed by GitHub
commit 068076c0d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 393 additions and 69 deletions

View File

@ -59,7 +59,7 @@ jobs:
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
- name: Set env file - name: Set env file
run: | run: |
cd ../acmetest cd ../acmetest
if [ "${{ secrets.TokenName1}}" ] ; then if [ "${{ secrets.TokenName1}}" ] ; then
echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> env.list echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> env.list
fi fi
@ -75,7 +75,7 @@ jobs:
if [ "${{ secrets.TokenName5}}" ] ; then if [ "${{ secrets.TokenName5}}" ] ; then
echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> env.list echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> env.list
fi fi
echo "TEST_DNS_NO_WILDCARD" >> env.list echo "TEST_DNS_NO_WILDCARD" >> env.list
echo "TEST_DNS_SLEEP" >> env.list echo "TEST_DNS_SLEEP" >> env.list
- name: Run acmetest - name: Run acmetest
run: cd ../acmetest && ./rundocker.sh testall run: cd ../acmetest && ./rundocker.sh testall
@ -226,8 +226,10 @@ jobs:
- uses: vmactions/solaris-vm@v0.0.3 - uses: vmactions/solaris-vm@v0.0.3
with: with:
envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
prepare: pkgutil -y -i socat curl prepare: pkgutil -y -i socat
run: | run: |
pkg set-mediator -v -I default@1.1 openssl
export PATH=/usr/gnu/bin:$PATH
if [ "${{ secrets.TokenName1}}" ] ; then if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}} export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
fi fi
@ -245,5 +247,3 @@ jobs:
fi fi
cd ../acmetest cd ../acmetest
./letest.sh ./letest.sh

View File

@ -4,13 +4,14 @@ on:
branches: branches:
- '*' - '*'
paths: paths:
- '**.sh' - '*.sh'
- '**.yml' - '**.yml'
pull_request: pull_request:
branches: branches:
- dev - dev
paths: paths:
- '**.sh' - '*.sh'
- '**.yml' - '**.yml'

View File

@ -4,16 +4,18 @@ on:
branches: branches:
- '*' - '*'
paths: paths:
- '**.sh' - '*.sh'
- '**.yml' - '**.yml'
pull_request: pull_request:
branches: branches:
- dev - dev
paths: paths:
- '**.sh' - '*.sh'
- '**.yml' - '**.yml'
jobs: jobs:
Linux: Linux:
strategy: strategy:

View File

@ -4,13 +4,13 @@ on:
branches: branches:
- '*' - '*'
paths: paths:
- '**.sh' - '*.sh'
- '**.yml' - '**.yml'
pull_request: pull_request:
branches: branches:
- dev - dev
paths: paths:
- '**.sh' - '*.sh'
- '**.yml' - '**.yml'
jobs: jobs:

View File

@ -1,7 +1,6 @@
FROM alpine:3.12 FROM alpine:3.12
RUN apk update -f \ RUN apk --no-cache add -f \
&& apk --no-cache add -f \
openssl \ openssl \
openssh-client \ openssh-client \
coreutils \ coreutils \
@ -12,8 +11,7 @@ RUN apk update -f \
tzdata \ tzdata \
oath-toolkit-oathtool \ oath-toolkit-oathtool \
tar \ tar \
libidn \ libidn
&& rm -rf /var/cache/apk/*
ENV LE_CONFIG_HOME /acme.sh ENV LE_CONFIG_HOME /acme.sh
@ -22,7 +20,7 @@ ARG AUTO_UPGRADE=1
ENV AUTO_UPGRADE $AUTO_UPGRADE ENV AUTO_UPGRADE $AUTO_UPGRADE
#Install #Install
ADD ./ /install_acme.sh/ COPY ./ /install_acme.sh/
RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/ RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/

View File

@ -88,6 +88,7 @@ https://github.com/acmesh-official/acmetest
- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default) - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default)
- Letsencrypt.org CA - Letsencrypt.org CA
- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA) - [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
- [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA)
- [Pebble strict Mode](https://github.com/letsencrypt/pebble) - [Pebble strict Mode](https://github.com/letsencrypt/pebble)
- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA - Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
@ -469,7 +470,7 @@ TODO:
### Code Contributors ### Code Contributors
This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)]. This project exists thanks to all the people who contribute.
<a href="https://github.com/acmesh-official/acme.sh/graphs/contributors"><img src="https://opencollective.com/acmesh/contributors.svg?width=890&button=false" /></a> <a href="https://github.com/acmesh-official/acme.sh/graphs/contributors"><img src="https://opencollective.com/acmesh/contributors.svg?width=890&button=false" /></a>
### Financial Contributors ### Financial Contributors

100
acme.sh
View File

@ -29,18 +29,22 @@ CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
CA_ZEROSSL="https://acme.zerossl.com/v2/DV90" CA_ZEROSSL="https://acme.zerossl.com/v2/DV90"
_ZERO_EAB_ENDPOINT="http://api.zerossl.com/acme/eab-credentials-email" _ZERO_EAB_ENDPOINT="http://api.zerossl.com/acme/eab-credentials-email"
CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
DEFAULT_CA=$CA_ZEROSSL DEFAULT_CA=$CA_ZEROSSL
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
CA_NAMES=" CA_NAMES="
ZeroSSL.com,zerossl
LetsEncrypt.org,letsencrypt LetsEncrypt.org,letsencrypt
LetsEncrypt.org_test,letsencrypt_test,letsencrypttest LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
BuyPass.com,buypass BuyPass.com,buypass
BuyPass.com_test,buypass_test,buypasstest BuyPass.com_test,buypass_test,buypasstest
ZeroSSL.com,zerossl SSL.com,sslcom
" "
CA_SERVERS="$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_ZEROSSL" CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA"
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
@ -155,6 +159,8 @@ _REVOKE_WIKI="https://github.com/acmesh-official/acme.sh/wiki/revokecert"
_ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA" _ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA"
_SSLCOM_WIKI="https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA"
_SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server" _SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server"
_PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain" _PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain"
@ -1210,7 +1216,7 @@ _createcsr() {
_debug2 csr "$csr" _debug2 csr "$csr"
_debug2 csrconf "$csrconf" _debug2 csrconf "$csrconf"
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf" printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\n" >"$csrconf"
if [ "$acmeValidationv1" ]; then if [ "$acmeValidationv1" ]; then
domainlist="$(_idn "$domainlist")" domainlist="$(_idn "$domainlist")"
@ -2617,15 +2623,44 @@ _initpath() {
_ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)" _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
_debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
CA_DIR="$CA_HOME/$_ACME_SERVER_HOST" _ACME_SERVER_PATH="$(echo "$ACME_DIRECTORY" | cut -d : -f 2- | tr -s / | cut -d / -f 3-)"
_debug2 "_ACME_SERVER_PATH" "$_ACME_SERVER_PATH"
CA_DIR="$CA_HOME/$_ACME_SERVER_HOST/$_ACME_SERVER_PATH"
_DEFAULT_CA_CONF="$CA_DIR/ca.conf" _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
if [ -z "$CA_CONF" ]; then if [ -z "$CA_CONF" ]; then
CA_CONF="$_DEFAULT_CA_CONF" CA_CONF="$_DEFAULT_CA_CONF"
fi fi
_debug3 CA_CONF "$CA_CONF" _debug3 CA_CONF "$CA_CONF"
_OLD_CADIR="$CA_HOME/$_ACME_SERVER_HOST"
_OLD_ACCOUNT_KEY="$_OLD_CADIR/account.key"
_OLD_ACCOUNT_JSON="$_OLD_CADIR/account.json"
_OLD_CA_CONF="$_OLD_CADIR/ca.conf"
_DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
_DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
if [ -z "$ACCOUNT_KEY_PATH" ]; then
ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
if [ -f "$_OLD_ACCOUNT_KEY" ] && ! [ -f "$ACCOUNT_KEY_PATH" ]; then
mkdir -p "$CA_DIR"
mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
fi
fi
if [ -z "$ACCOUNT_JSON_PATH" ]; then
ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
if [ -f "$_OLD_ACCOUNT_JSON" ] && ! [ -f "$ACCOUNT_JSON_PATH" ]; then
mkdir -p "$CA_DIR"
mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
fi
fi
if [ -f "$_OLD_CA_CONF" ] && ! [ -f "$CA_CONF" ]; then
mkdir -p "$CA_DIR"
mv "$_OLD_CA_CONF" "$CA_CONF"
fi
if [ -f "$CA_CONF" ]; then if [ -f "$CA_CONF" ]; then
. "$CA_CONF" . "$CA_CONF"
fi fi
@ -2646,19 +2681,6 @@ _initpath() {
HTTP_HEADER="$LE_CONFIG_HOME/http.header" HTTP_HEADER="$LE_CONFIG_HOME/http.header"
fi fi
_OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
_OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
_DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
_DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
if [ -z "$ACCOUNT_KEY_PATH" ]; then
ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
fi
if [ -z "$ACCOUNT_JSON_PATH" ]; then
ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
fi
_DEFAULT_CERT_HOME="$LE_CONFIG_HOME" _DEFAULT_CERT_HOME="$LE_CONFIG_HOME"
if [ -z "$CERT_HOME" ]; then if [ -z "$CERT_HOME" ]; then
CERT_HOME="$_DEFAULT_CERT_HOME" CERT_HOME="$_DEFAULT_CERT_HOME"
@ -3489,15 +3511,6 @@ _regAccount() {
_initAPI _initAPI
mkdir -p "$CA_DIR" mkdir -p "$CA_DIR"
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
fi
if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
_info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
fi
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
if ! _create_account_key "$_reg_length"; then if ! _create_account_key "$_reg_length"; then
@ -3635,16 +3648,6 @@ _regAccount() {
updateaccount() { updateaccount() {
_initpath _initpath
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
fi
if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
_info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
fi
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH" _err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1 return 1
@ -3687,16 +3690,6 @@ updateaccount() {
deactivateaccount() { deactivateaccount() {
_initpath _initpath
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
fi
if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
_info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
fi
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH" _err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1 return 1
@ -6638,9 +6631,10 @@ _checkSudo() {
return 0 return 0
} }
#server #server #keylength
_selectServer() { _selectServer() {
_server="$1" _server="$1"
_skeylength="$2"
_server_lower="$(echo "$_server" | _lower_case)" _server_lower="$(echo "$_server" | _lower_case)"
_sindex=0 _sindex=0
for snames in $CA_NAMES; do for snames in $CA_NAMES; do
@ -6651,6 +6645,9 @@ _selectServer() {
if [ "$_server_lower" = "$sname" ]; then if [ "$_server_lower" = "$sname" ]; then
_debug2 "_selectServer match $sname" _debug2 "_selectServer match $sname"
_serverdir="$(_getfield "$CA_SERVERS" $_sindex)" _serverdir="$(_getfield "$CA_SERVERS" $_sindex)"
if [ "$_serverdir" = "$CA_SSLCOM_RSA" ] && _isEccKey "$_skeylength"; then
_serverdir="$CA_SSLCOM_ECC"
fi
_debug "Selected server: $_serverdir" _debug "Selected server: $_serverdir"
ACME_DIRECTORY="$_serverdir" ACME_DIRECTORY="$_serverdir"
export ACME_DIRECTORY export ACME_DIRECTORY
@ -6882,7 +6879,6 @@ _process() {
;; ;;
--server) --server)
_server="$2" _server="$2"
_selectServer "$_server"
shift shift
;; ;;
--debug) --debug)
@ -6981,7 +6977,6 @@ _process() {
Le_DNSSleep="$_dnssleep" Le_DNSSleep="$_dnssleep"
shift shift
;; ;;
--keylength | -k) --keylength | -k)
_keylength="$2" _keylength="$2"
shift shift
@ -6990,7 +6985,6 @@ _process() {
_accountkeylength="$2" _accountkeylength="$2"
shift shift
;; ;;
--cert-file | --certpath) --cert-file | --certpath)
_cert_file="$2" _cert_file="$2"
shift shift
@ -7254,6 +7248,10 @@ _process() {
shift 1 shift 1
done done
if [ "$_server" ]; then
_selectServer "$_server" "${_ecc:-$_keylength}"
fi
if [ "${_CMD}" != "install" ]; then if [ "${_CMD}" != "install" ]; then
if [ "$__INTERACTIVE" ] && ! _checkSudo; then if [ "$__INTERACTIVE" ] && ! _checkSudo; then
if [ -z "$FORCE" ]; then if [ -z "$FORCE" ]; then

View File

@ -51,7 +51,7 @@ dns_nsd_rm() {
Nsd_ZoneFile="${Nsd_ZoneFile:-$(_readdomainconf Nsd_ZoneFile)}" Nsd_ZoneFile="${Nsd_ZoneFile:-$(_readdomainconf Nsd_ZoneFile)}"
Nsd_Command="${Nsd_Command:-$(_readdomainconf Nsd_Command)}" Nsd_Command="${Nsd_Command:-$(_readdomainconf Nsd_Command)}"
sed -i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile" _sed_i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile"
_info "Removed TXT record for $fulldomain" _info "Removed TXT record for $fulldomain"
_debug "Running $Nsd_Command" _debug "Running $Nsd_Command"
if eval "$Nsd_Command"; then if eval "$Nsd_Command"; then

324
dnsapi/dns_oci.sh Normal file
View File

@ -0,0 +1,324 @@
#!/usr/bin/env sh
#
# Acme.sh DNS API plugin for Oracle Cloud Infrastructure
# Copyright (c) 2021, Oracle and/or its affiliates
#
# The plugin will automatically use the default profile from an OCI SDK and CLI
# configuration file, if it exists.
#
# Alternatively, set the following environment variables:
# - OCI_CLI_TENANCY : OCID of tenancy that contains the target DNS zone
# - OCI_CLI_USER : OCID of user with permission to add/remove records from zones
# - OCI_CLI_REGION : Should point to the tenancy home region
#
# One of the following two variables is required:
# - OCI_CLI_KEY_FILE: Path to private API signing key file in PEM format; or
# - OCI_CLI_KEY : The private API signing key in PEM format
#
# NOTE: using an encrypted private key that needs a passphrase is not supported.
#
dns_oci_add() {
_fqdn="$1"
_rdata="$2"
if _get_oci_zone; then
_add_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"ttl\": 30,\"operation\":\"ADD\"}]}"
response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_add_record_body")
if [ "$response" ]; then
_info "Success: added TXT record for ${_sub_domain}.${_domain}."
else
_err "Error: failed to add TXT record for ${_sub_domain}.${_domain}."
_err "Check that the user has permission to add records to this zone."
return 1
fi
else
return 1
fi
}
dns_oci_rm() {
_fqdn="$1"
_rdata="$2"
if _get_oci_zone; then
_remove_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"operation\":\"REMOVE\"}]}"
response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_remove_record_body")
if [ "$response" ]; then
_info "Success: removed TXT record for ${_sub_domain}.${_domain}."
else
_err "Error: failed to remove TXT record for ${_sub_domain}.${_domain}."
_err "Check that the user has permission to remove records from this zone."
return 1
fi
else
return 1
fi
}
#################### Private functions below ##################################
_get_oci_zone() {
if ! _oci_config; then
return 1
fi
if ! _get_zone "$_fqdn"; then
_err "Error: DNS Zone not found for $_fqdn in $OCI_CLI_TENANCY"
return 1
fi
return 0
}
_oci_config() {
_DEFAULT_OCI_CLI_CONFIG_FILE="$HOME/.oci/config"
OCI_CLI_CONFIG_FILE="${OCI_CLI_CONFIG_FILE:-$(_readaccountconf_mutable OCI_CLI_CONFIG_FILE)}"
if [ -z "$OCI_CLI_CONFIG_FILE" ]; then
OCI_CLI_CONFIG_FILE="$_DEFAULT_OCI_CLI_CONFIG_FILE"
fi
if [ "$_DEFAULT_OCI_CLI_CONFIG_FILE" != "$OCI_CLI_CONFIG_FILE" ]; then
_saveaccountconf_mutable OCI_CLI_CONFIG_FILE "$OCI_CLI_CONFIG_FILE"
else
_clearaccountconf_mutable OCI_CLI_CONFIG_FILE
fi
_DEFAULT_OCI_CLI_PROFILE="DEFAULT"
OCI_CLI_PROFILE="${OCI_CLI_PROFILE:-$(_readaccountconf_mutable OCI_CLI_PROFILE)}"
if [ "$_DEFAULT_OCI_CLI_PROFILE" != "$OCI_CLI_PROFILE" ]; then
_saveaccountconf_mutable OCI_CLI_PROFILE "$OCI_CLI_PROFILE"
else
OCI_CLI_PROFILE="$_DEFAULT_OCI_CLI_PROFILE"
_clearaccountconf_mutable OCI_CLI_PROFILE
fi
OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readaccountconf_mutable OCI_CLI_TENANCY)}"
if [ "$OCI_CLI_TENANCY" ]; then
_saveaccountconf_mutable OCI_CLI_TENANCY "$OCI_CLI_TENANCY"
elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
_debug "Reading OCI_CLI_TENANCY value from: $OCI_CLI_CONFIG_FILE"
OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readini "$OCI_CLI_CONFIG_FILE" tenancy "$OCI_CLI_PROFILE")}"
fi
if [ -z "$OCI_CLI_TENANCY" ]; then
_err "Error: unable to read OCI_CLI_TENANCY from config file or environment variable."
return 1
fi
OCI_CLI_USER="${OCI_CLI_USER:-$(_readaccountconf_mutable OCI_CLI_USER)}"
if [ "$OCI_CLI_USER" ]; then
_saveaccountconf_mutable OCI_CLI_USER "$OCI_CLI_USER"
elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
_debug "Reading OCI_CLI_USER value from: $OCI_CLI_CONFIG_FILE"
OCI_CLI_USER="${OCI_CLI_USER:-$(_readini "$OCI_CLI_CONFIG_FILE" user "$OCI_CLI_PROFILE")}"
fi
if [ -z "$OCI_CLI_USER" ]; then
_err "Error: unable to read OCI_CLI_USER from config file or environment variable."
return 1
fi
OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readaccountconf_mutable OCI_CLI_REGION)}"
if [ "$OCI_CLI_REGION" ]; then
_saveaccountconf_mutable OCI_CLI_REGION "$OCI_CLI_REGION"
elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
_debug "Reading OCI_CLI_REGION value from: $OCI_CLI_CONFIG_FILE"
OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readini "$OCI_CLI_CONFIG_FILE" region "$OCI_CLI_PROFILE")}"
fi
if [ -z "$OCI_CLI_REGION" ]; then
_err "Error: unable to read OCI_CLI_REGION from config file or environment variable."
return 1
fi
OCI_CLI_KEY="${OCI_CLI_KEY:-$(_readaccountconf_mutable OCI_CLI_KEY)}"
if [ -z "$OCI_CLI_KEY" ]; then
_clearaccountconf_mutable OCI_CLI_KEY
OCI_CLI_KEY_FILE="${OCI_CLI_KEY_FILE:-$(_readini "$OCI_CLI_CONFIG_FILE" key_file "$OCI_CLI_PROFILE")}"
if [ "$OCI_CLI_KEY_FILE" ] && [ -f "$OCI_CLI_KEY_FILE" ]; then
_debug "Reading OCI_CLI_KEY value from: $OCI_CLI_KEY_FILE"
OCI_CLI_KEY=$(_base64 <"$OCI_CLI_KEY_FILE")
_saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY"
fi
else
_saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY"
fi
if [ -z "$OCI_CLI_KEY_FILE" ] && [ -z "$OCI_CLI_KEY" ]; then
_err "Error: unable to find key file path in OCI config file or OCI_CLI_KEY_FILE."
_err "Error: unable to load private API signing key from OCI_CLI_KEY."
return 1
fi
if [ "$(printf "%s\n" "$OCI_CLI_KEY" | wc -l)" -eq 1 ]; then
OCI_CLI_KEY=$(printf "%s" "$OCI_CLI_KEY" | _dbase64 multiline)
fi
return 0
}
# _get_zone(): retrieves the Zone name and OCID
#
# _sub_domain=_acme-challenge.www
# _domain=domain.com
# _domain_ociid=ocid1.dns-zone.oc1..
_get_zone() {
domain=$1
i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
_debug h "$h"
if [ -z "$h" ]; then
# not valid
return 1
fi
_domain_id=$(_signed_request "GET" "/20180115/zones/$h" "" "id")
if [ "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain=$h
_debug _domain_id "$_domain_id"
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
return 0
fi
p=$i
i=$(_math "$i" + 1)
done
return 1
}
#Usage: privatekey
#Output MD5 fingerprint
_fingerprint() {
pkey="$1"
if [ -z "$pkey" ]; then
_usage "Usage: _fingerprint privkey"
return 1
fi
printf "%s" "$pkey" | ${ACME_OPENSSL_BIN:-openssl} rsa -pubout -outform DER 2>/dev/null | ${ACME_OPENSSL_BIN:-openssl} md5 -c | cut -d = -f 2 | tr -d ' '
}
_signed_request() {
_sig_method="$1"
_sig_target="$2"
_sig_body="$3"
_return_field="$4"
_key_fingerprint=$(_fingerprint "$OCI_CLI_KEY")
_sig_host="dns.$OCI_CLI_REGION.oraclecloud.com"
_sig_keyId="$OCI_CLI_TENANCY/$OCI_CLI_USER/$_key_fingerprint"
_sig_alg="rsa-sha256"
_sig_version="1"
_sig_now="$(LC_ALL=C \date -u "+%a, %d %h %Y %H:%M:%S GMT")"
_request_method=$(printf %s "$_sig_method" | _lower_case)
_curl_method=$(printf %s "$_sig_method" | _upper_case)
_request_target="(request-target): $_request_method $_sig_target"
_date_header="date: $_sig_now"
_host_header="host: $_sig_host"
_string_to_sign="$_request_target\n$_date_header\n$_host_header"
_sig_headers="(request-target) date host"
if [ "$_sig_body" ]; then
_secure_debug3 _sig_body "$_sig_body"
_sig_body_sha256="x-content-sha256: $(printf %s "$_sig_body" | _digest sha256)"
_sig_body_type="content-type: application/json"
_sig_body_length="content-length: ${#_sig_body}"
_string_to_sign="$_string_to_sign\n$_sig_body_sha256\n$_sig_body_type\n$_sig_body_length"
_sig_headers="$_sig_headers x-content-sha256 content-type content-length"
fi
_tmp_file=$(_mktemp)
if [ -f "$_tmp_file" ]; then
printf '%s' "$OCI_CLI_KEY" >"$_tmp_file"
_signature=$(printf '%b' "$_string_to_sign" | _sign "$_tmp_file" sha256 | tr -d '\r\n')
rm -f "$_tmp_file"
fi
_signed_header="Authorization: Signature version=\"$_sig_version\",keyId=\"$_sig_keyId\",algorithm=\"$_sig_alg\",headers=\"$_sig_headers\",signature=\"$_signature\""
_secure_debug3 _signed_header "$_signed_header"
if [ "$_curl_method" = "GET" ]; then
export _H1="$_date_header"
export _H2="$_signed_header"
_response="$(_get "https://${_sig_host}${_sig_target}")"
elif [ "$_curl_method" = "PATCH" ]; then
export _H1="$_date_header"
export _H2="$_sig_body_sha256"
export _H3="$_sig_body_type"
export _H4="$_sig_body_length"
export _H5="$_signed_header"
_response="$(_post "$_sig_body" "https://${_sig_host}${_sig_target}" "" "PATCH")"
else
_err "Unable to process method: $_curl_method."
fi
_ret="$?"
if [ "$_return_field" ]; then
_response="$(echo "$_response" | sed 's/\\\"//g'))"
_return=$(echo "${_response}" | _egrep_o "\"$_return_field\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
else
_return="$_response"
fi
printf "%s" "$_return"
return $_ret
}
# file key [section]
_readini() {
_file="$1"
_key="$2"
_section="${3:-DEFAULT}"
_start_n=$(grep -n '\['"$_section"']' "$_file" | cut -d : -f 1)
_debug3 _start_n "$_start_n"
if [ -z "$_start_n" ]; then
_err "Can not find section: $_section"
return 1
fi
_start_nn=$(_math "$_start_n" + 1)
_debug3 "_start_nn" "$_start_nn"
_left="$(sed -n "${_start_nn},99999p" "$_file")"
_debug3 _left "$_left"
_end="$(echo "$_left" | grep -n "^\[" | _head_n 1)"
_debug3 "_end" "$_end"
if [ "$_end" ]; then
_end_n=$(echo "$_end" | cut -d : -f 1)
_debug3 "_end_n" "$_end_n"
_seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
else
_seg_n="$_left"
fi
_debug3 "_seg_n" "$_seg_n"
_lineini="$(echo "$_seg_n" | grep "^ *$_key *= *")"
_inivalue="$(printf "%b" "$(eval "echo $_lineini | sed \"s/^ *${_key} *= *//g\"")")"
_debug2 _inivalue "$_inivalue"
echo "$_inivalue"
}