mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-12-22 21:21:42 +00:00
support tls-alpn-01 https://github.com/Neilpang/acme.sh/issues/1675#issuecomment-447857756
This commit is contained in:
parent
2b9ebd6662
commit
08681f4a8b
50
acme.sh
50
acme.sh
@ -37,6 +37,7 @@ VTYPE_HTTP="http-01"
|
|||||||
VTYPE_DNS="dns-01"
|
VTYPE_DNS="dns-01"
|
||||||
VTYPE_TLS="tls-sni-01"
|
VTYPE_TLS="tls-sni-01"
|
||||||
VTYPE_TLS2="tls-sni-02"
|
VTYPE_TLS2="tls-sni-02"
|
||||||
|
VTYPE_ALPN="tls-alpn-01"
|
||||||
|
|
||||||
LOCAL_ANY_ADDRESS="0.0.0.0"
|
LOCAL_ANY_ADDRESS="0.0.0.0"
|
||||||
|
|
||||||
@ -48,6 +49,7 @@ NO_VALUE="no"
|
|||||||
|
|
||||||
W_TLS="tls"
|
W_TLS="tls"
|
||||||
W_DNS="dns"
|
W_DNS="dns"
|
||||||
|
W_ALPN="alpn"
|
||||||
DNS_ALIAS_PREFIX="="
|
DNS_ALIAS_PREFIX="="
|
||||||
|
|
||||||
MODE_STATELESS="stateless"
|
MODE_STATELESS="stateless"
|
||||||
@ -1046,7 +1048,7 @@ _idn() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#_createcsr cn san_list keyfile csrfile conf
|
#_createcsr cn san_list keyfile csrfile conf acmeValidationv1
|
||||||
_createcsr() {
|
_createcsr() {
|
||||||
_debug _createcsr
|
_debug _createcsr
|
||||||
domain="$1"
|
domain="$1"
|
||||||
@ -1054,6 +1056,7 @@ _createcsr() {
|
|||||||
csrkey="$3"
|
csrkey="$3"
|
||||||
csr="$4"
|
csr="$4"
|
||||||
csrconf="$5"
|
csrconf="$5"
|
||||||
|
acmeValidationv1="$6"
|
||||||
_debug2 domain "$domain"
|
_debug2 domain "$domain"
|
||||||
_debug2 domainlist "$domainlist"
|
_debug2 domainlist "$domainlist"
|
||||||
_debug2 csrkey "$csrkey"
|
_debug2 csrkey "$csrkey"
|
||||||
@ -1062,7 +1065,9 @@ _createcsr() {
|
|||||||
|
|
||||||
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
|
printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
|
||||||
|
|
||||||
if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
|
if [ "$acmeValidationv1" ]; then
|
||||||
|
printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
|
||||||
|
elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
|
||||||
#single domain
|
#single domain
|
||||||
_info "Single domain" "$domain"
|
_info "Single domain" "$domain"
|
||||||
printf -- "\nsubjectAltName=DNS:$domain" >>"$csrconf"
|
printf -- "\nsubjectAltName=DNS:$domain" >>"$csrconf"
|
||||||
@ -1084,6 +1089,10 @@ _createcsr() {
|
|||||||
printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
|
printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$acmeValidationv1" ]; then
|
||||||
|
printf "\n1.3.6.1.5.5.7.1.30.1=critical,DER:04:20:${acmeValidationv1}" >> "${csrconf}"
|
||||||
|
fi
|
||||||
|
|
||||||
_csr_cn="$(_idn "$domain")"
|
_csr_cn="$(_idn "$domain")"
|
||||||
_debug2 _csr_cn "$_csr_cn"
|
_debug2 _csr_cn "$_csr_cn"
|
||||||
if _contains "$(uname -a)" "MINGW"; then
|
if _contains "$(uname -a)" "MINGW"; then
|
||||||
@ -2107,7 +2116,7 @@ _sleep() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# _starttlsserver san_a san_b port content _ncaddr
|
# _starttlsserver san_a san_b port content _ncaddr acmeValidationv1
|
||||||
_starttlsserver() {
|
_starttlsserver() {
|
||||||
_info "Starting tls server."
|
_info "Starting tls server."
|
||||||
san_a="$1"
|
san_a="$1"
|
||||||
@ -2115,10 +2124,12 @@ _starttlsserver() {
|
|||||||
port="$3"
|
port="$3"
|
||||||
content="$4"
|
content="$4"
|
||||||
opaddr="$5"
|
opaddr="$5"
|
||||||
|
acmeValidationv1="$6"
|
||||||
|
|
||||||
_debug san_a "$san_a"
|
_debug san_a "$san_a"
|
||||||
_debug san_b "$san_b"
|
_debug san_b "$san_b"
|
||||||
_debug port "$port"
|
_debug port "$port"
|
||||||
|
_debug acmeValidationv1 "$acmeValidationv1"
|
||||||
|
|
||||||
#create key TLS_KEY
|
#create key TLS_KEY
|
||||||
if ! _createkey "2048" "$TLS_KEY"; then
|
if ! _createkey "2048" "$TLS_KEY"; then
|
||||||
@ -2131,7 +2142,7 @@ _starttlsserver() {
|
|||||||
if [ "$san_b" ]; then
|
if [ "$san_b" ]; then
|
||||||
alt="$alt,$san_b"
|
alt="$alt,$san_b"
|
||||||
fi
|
fi
|
||||||
if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
|
if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$acmeValidationv1"; then
|
||||||
_err "Create tls validation csr error."
|
_err "Create tls validation csr error."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -2157,6 +2168,10 @@ _starttlsserver() {
|
|||||||
__S_OPENSSL="$__S_OPENSSL -6"
|
__S_OPENSSL="$__S_OPENSSL -6"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$acmeValidationv1" ]; then
|
||||||
|
__S_OPENSSL="$__S_OPENSSL -alpn acme-tls/1"
|
||||||
|
fi
|
||||||
|
|
||||||
_debug "$__S_OPENSSL"
|
_debug "$__S_OPENSSL"
|
||||||
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
||||||
$__S_OPENSSL -tlsextdebug &
|
$__S_OPENSSL -tlsextdebug &
|
||||||
@ -3067,8 +3082,8 @@ _on_before_issue() {
|
|||||||
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
|
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
|
||||||
fi
|
fi
|
||||||
_checkport="$Le_HTTPPort"
|
_checkport="$Le_HTTPPort"
|
||||||
elif [ "$_currentRoot" = "$W_TLS" ]; then
|
elif [ "$_currentRoot" = "$W_TLS" ] || [ "$_currentRoot" = "$W_ALPN" ]; then
|
||||||
_info "Standalone tls mode."
|
_info "Standalone tls/alpn mode."
|
||||||
if [ -z "$Le_TLSPort" ]; then
|
if [ -z "$Le_TLSPort" ]; then
|
||||||
Le_TLSPort=443
|
Le_TLSPort=443
|
||||||
else
|
else
|
||||||
@ -3694,6 +3709,10 @@ $_authorizations_map"
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$_currentRoot" = "$W_ALPN" ]; then
|
||||||
|
vtype="$VTYPE_ALPN"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$ACME_VERSION" = "2" ]; then
|
if [ "$ACME_VERSION" = "2" ]; then
|
||||||
response="$(echo "$_authorizations_map" | grep "^$d," | sed "s/$d,//")"
|
response="$(echo "$_authorizations_map" | grep "^$d," | sed "s/$d,//")"
|
||||||
_debug2 "response" "$response"
|
_debug2 "response" "$response"
|
||||||
@ -4007,6 +4026,16 @@ $_authorizations_map"
|
|||||||
_on_issue_err "$_post_hook" "$vlist"
|
_on_issue_err "$_post_hook" "$vlist"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
elif [ "$vtype" = "$VTYPE_ALPN" ]; then
|
||||||
|
acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
|
||||||
|
_debug acmevalidationv1 "$acmevalidationv1"
|
||||||
|
if ! _starttlsserver "$d" "" "$Le_TLSPort" "$keyauthorization" "$_ncaddr" "$acmevalidationv1"; then
|
||||||
|
_err "Start tls server error."
|
||||||
|
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
|
||||||
|
_clearup
|
||||||
|
_on_issue_err "$_post_hook" "$vlist"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! __trigger_validation "$uri" "$keyauthorization"; then
|
if ! __trigger_validation "$uri" "$keyauthorization"; then
|
||||||
@ -5469,6 +5498,7 @@ Parameters:
|
|||||||
--output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
|
--output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
|
||||||
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
|
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
|
||||||
--standalone Use standalone mode.
|
--standalone Use standalone mode.
|
||||||
|
--alpn Use standalone alpn mode.
|
||||||
--stateless Use stateless mode, see: $_STATELESS_WIKI
|
--stateless Use stateless mode, see: $_STATELESS_WIKI
|
||||||
--apache Use apache mode.
|
--apache Use apache mode.
|
||||||
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
|
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
|
||||||
@ -5823,6 +5853,14 @@ _process() {
|
|||||||
_webroot="$_webroot,$wvalue"
|
_webroot="$_webroot,$wvalue"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
--alpn)
|
||||||
|
wvalue="$W_ALPN"
|
||||||
|
if [ -z "$_webroot" ]; then
|
||||||
|
_webroot="$wvalue"
|
||||||
|
else
|
||||||
|
_webroot="$_webroot,$wvalue"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
--stateless)
|
--stateless)
|
||||||
wvalue="$MODE_STATELESS"
|
wvalue="$MODE_STATELESS"
|
||||||
if [ -z "$_webroot" ]; then
|
if [ -z "$_webroot" ]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user