Merge branch 'dev' into deploy-fritzbox
3536cd336d
@ -18,7 +18,7 @@ addons:
|
|||||||
|
|
||||||
install:
|
install:
|
||||||
- if [ "$TRAVIS_OS_NAME" = 'osx' ]; then
|
- if [ "$TRAVIS_OS_NAME" = 'osx' ]; then
|
||||||
brew update && brew install openssl;
|
brew update && brew install openssl socat;
|
||||||
brew info openssl;
|
brew info openssl;
|
||||||
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/;
|
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/;
|
||||||
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/;
|
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/;
|
||||||
@ -30,6 +30,7 @@ install:
|
|||||||
openssl version 2>&1 || true;
|
openssl version 2>&1 || true;
|
||||||
$ACME_OPENSSL_BIN version 2>&1 || true;
|
$ACME_OPENSSL_BIN version 2>&1 || true;
|
||||||
export PATH="$_old_path";
|
export PATH="$_old_path";
|
||||||
|
else sudo apt-get install socat;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
script:
|
script:
|
||||||
|
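Review bot: The added `else sudo apt-get install socat;` branch runs apt-get without `-y`, so if apt has to pull in any dependency for socat it prompts for confirmation and the non-interactive CI job fails or stalls; `else sudo apt-get install -y socat;` avoids that. It also runs without a preceding `apt-get update`, so the install can fail on a stale package index — presumably the image's cache is fresh enough, but that is worth confirming rather than relying on. The `install:` list this branch belongs to starts outside the hunk.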
@ -4,7 +4,7 @@ RUN apk update -f \
|
|||||||
&& apk --no-cache add -f \
|
&& apk --no-cache add -f \
|
||||||
openssl \
|
openssl \
|
||||||
curl \
|
curl \
|
||||||
netcat-openbsd \
|
socat \
|
||||||
&& rm -rf /var/cache/apk/*
|
&& rm -rf /var/cache/apk/*
|
||||||
|
|
||||||
ENV LE_CONFIG_HOME /acme.sh
|
ENV LE_CONFIG_HOME /acme.sh
|
||||||
|
129
acme.sh
129
acme.sh
@ -1,6 +1,6 @@
|
|||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
VER=2.7.3
|
VER=2.7.4
|
||||||
|
|
||||||
PROJECT_NAME="acme.sh"
|
PROJECT_NAME="acme.sh"
|
||||||
|
|
||||||
@ -164,11 +164,11 @@ _dlg_versions() {
|
|||||||
echo "nginx doesn't exists."
|
echo "nginx doesn't exists."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "nc:"
|
echo "socat:"
|
||||||
if _exists "nc"; then
|
if _exists "socat"; then
|
||||||
nc -h 2>&1
|
socat -h 2>&1
|
||||||
else
|
else
|
||||||
_debug "nc doesn't exists."
|
_debug "socat doesn't exists."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1814,7 +1814,13 @@ _send_signed_request() {
|
|||||||
|
|
||||||
_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
||||||
|
|
||||||
if _contains "$response" "JWS has invalid anti-replay nonce"; then
|
_body="$response"
|
||||||
|
if [ "$needbase64" ]; then
|
||||||
|
_body="$(echo "$_body" | _dbase64)"
|
||||||
|
_debug2 _body "$_body"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if _contains "$_body" "JWS has invalid anti-replay nonce"; then
|
||||||
_info "It seems the CA server is busy now, let's wait and retry."
|
_info "It seems the CA server is busy now, let's wait and retry."
|
||||||
_request_retry_times=$(_math "$_request_retry_times" + 1)
|
_request_retry_times=$(_math "$_request_retry_times" + 1)
|
||||||
_sleep 5
|
_sleep 5
|
||||||
@ -1967,68 +1973,22 @@ _startserver() {
|
|||||||
_debug "ncaddr" "$ncaddr"
|
_debug "ncaddr" "$ncaddr"
|
||||||
|
|
||||||
_debug "startserver: $$"
|
_debug "startserver: $$"
|
||||||
nchelp="$(nc -h 2>&1)"
|
|
||||||
|
|
||||||
_debug Le_HTTPPort "$Le_HTTPPort"
|
_debug Le_HTTPPort "$Le_HTTPPort"
|
||||||
_debug Le_Listen_V4 "$Le_Listen_V4"
|
_debug Le_Listen_V4 "$Le_Listen_V4"
|
||||||
_debug Le_Listen_V6 "$Le_Listen_V6"
|
_debug Le_Listen_V6 "$Le_Listen_V6"
|
||||||
_NC="nc"
|
|
||||||
|
|
||||||
|
_NC="socat"
|
||||||
if [ "$Le_Listen_V4" ]; then
|
if [ "$Le_Listen_V4" ]; then
|
||||||
_NC="$_NC -4"
|
_NC="$_NC -4"
|
||||||
elif [ "$Le_Listen_V6" ]; then
|
elif [ "$Le_Listen_V6" ]; then
|
||||||
_NC="$_NC -6"
|
_NC="$_NC -6"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$Le_Listen_V4$Le_Listen_V6$ncaddr" ]; then
|
|
||||||
if ! _contains "$nchelp" "-4"; then
|
|
||||||
_err "The nc doesn't support '-4', '-6' or local-address, please install 'netcat-openbsd' and try again."
|
|
||||||
_err "See $(__green $_PREPARE_LINK)"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if echo "$nchelp" | grep "\-q[ ,]" >/dev/null; then
|
|
||||||
_NC="$_NC -q 1 -l $ncaddr"
|
|
||||||
else
|
|
||||||
if echo "$nchelp" | grep "GNU netcat" >/dev/null && echo "$nchelp" | grep "\-c, \-\-close" >/dev/null; then
|
|
||||||
_NC="$_NC -c -l $ncaddr"
|
|
||||||
elif echo "$nchelp" | grep "\-N" | grep "Shutdown the network socket after EOF on stdin" >/dev/null; then
|
|
||||||
_NC="$_NC -N -l $ncaddr"
|
|
||||||
else
|
|
||||||
_NC="$_NC -l $ncaddr"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
_debug "_NC" "$_NC"
|
_debug "_NC" "$_NC"
|
||||||
|
#todo listen address
|
||||||
#for centos ncat
|
$_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
|
||||||
if _contains "$nchelp" "nmap.org"; then
|
serverproc="$!"
|
||||||
_debug "Using ncat: nmap.org"
|
|
||||||
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"; then
|
|
||||||
_exec_err
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
if [ "$DEBUG" ]; then
|
|
||||||
_exec_err
|
|
||||||
fi
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
|
|
||||||
# while true ; do
|
|
||||||
if ! _exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC -p \"$Le_HTTPPort\" >&2"; then
|
|
||||||
_exec "printf \"%s\r\n\r\n%s\" \"HTTP/1.1 200 OK\" \"$content\" | $_NC \"$Le_HTTPPort\" >&2"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$?" != "0" ]; then
|
|
||||||
_err "nc listen error."
|
|
||||||
_exec_err
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
if [ "$DEBUG" ]; then
|
|
||||||
_exec_err
|
|
||||||
fi
|
|
||||||
# done
|
|
||||||
}
|
}
|
||||||
|
|
||||||
_stopserver() {
|
_stopserver() {
|
||||||
@ -2038,25 +1998,8 @@ _stopserver() {
|
|||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_debug2 "Le_HTTPPort" "$Le_HTTPPort"
|
kill $pid
|
||||||
if [ "$Le_HTTPPort" ]; then
|
|
||||||
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
|
|
||||||
_get "http://localhost:$Le_HTTPPort" "" 1
|
|
||||||
else
|
|
||||||
_get "http://localhost:$Le_HTTPPort" "" 1 >/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
_debug2 "Le_TLSPort" "$Le_TLSPort"
|
|
||||||
if [ "$Le_TLSPort" ]; then
|
|
||||||
if [ "$DEBUG" ] && [ "$DEBUG" -gt "3" ]; then
|
|
||||||
_get "https://localhost:$Le_TLSPort" "" 1
|
|
||||||
_get "https://localhost:$Le_TLSPort" "" 1
|
|
||||||
else
|
|
||||||
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
|
|
||||||
_get "https://localhost:$Le_TLSPort" "" 1 >/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# sleep sec
|
# sleep sec
|
||||||
@ -2111,12 +2054,7 @@ _starttlsserver() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
__S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -cert $TLS_CERT -key $TLS_KEY "
|
__S_OPENSSL="socat"
|
||||||
if [ "$opaddr" ]; then
|
|
||||||
__S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
|
|
||||||
else
|
|
||||||
__S_OPENSSL="$__S_OPENSSL -accept $port"
|
|
||||||
fi
|
|
||||||
|
|
||||||
_debug Le_Listen_V4 "$Le_Listen_V4"
|
_debug Le_Listen_V4 "$Le_Listen_V4"
|
||||||
_debug Le_Listen_V6 "$Le_Listen_V6"
|
_debug Le_Listen_V6 "$Le_Listen_V6"
|
||||||
@ -2127,12 +2065,9 @@ _starttlsserver() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
_debug "$__S_OPENSSL"
|
_debug "$__S_OPENSSL"
|
||||||
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
|
|
||||||
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL -tlsextdebug) &
|
|
||||||
else
|
|
||||||
(printf "%s\r\n\r\n%s" "HTTP/1.1 200 OK" "$content" | $__S_OPENSSL >/dev/null 2>&1) &
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
#todo listen address
|
||||||
|
$__S_OPENSSL openssl-listen:$port,cert=$TLS_CERT,key=$TLS_KEY,verify=0,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK'; echo ; echo $content; echo;" &
|
||||||
serverproc="$!"
|
serverproc="$!"
|
||||||
sleep 1
|
sleep 1
|
||||||
_debug serverproc "$serverproc"
|
_debug serverproc "$serverproc"
|
||||||
@ -2943,8 +2878,8 @@ _on_before_issue() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
|
if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
|
||||||
if ! _exists "nc"; then
|
if ! _exists "socat"; then
|
||||||
_err "Please install netcat(nc) tools first."
|
_err "Please install socat tools first."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -3665,13 +3600,12 @@ issue() {
|
|||||||
_info "Standalone mode server"
|
_info "Standalone mode server"
|
||||||
_ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
|
_ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
|
||||||
_ncIndex="$(_math $_ncIndex + 1)"
|
_ncIndex="$(_math $_ncIndex + 1)"
|
||||||
_startserver "$keyauthorization" "$_ncaddr" &
|
_startserver "$keyauthorization" "$_ncaddr"
|
||||||
if [ "$?" != "0" ]; then
|
if [ "$?" != "0" ]; then
|
||||||
_clearup
|
_clearup
|
||||||
_on_issue_err "$_post_hook" "$vlist"
|
_on_issue_err "$_post_hook" "$vlist"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
serverproc="$!"
|
|
||||||
sleep 1
|
sleep 1
|
||||||
_debug serverproc "$serverproc"
|
_debug serverproc "$serverproc"
|
||||||
elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
|
elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
|
||||||
@ -4006,7 +3940,10 @@ issue() {
|
|||||||
Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
|
Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
|
||||||
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
|
_savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
|
||||||
|
|
||||||
_on_issue_success "$_post_hook" "$_renew_hook"
|
if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
|
||||||
|
_err "Call hook error."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
|
if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
|
||||||
_savedomainconf "Le_RealCertPath" "$_real_cert"
|
_savedomainconf "Le_RealCertPath" "$_real_cert"
|
||||||
@ -4788,9 +4725,9 @@ _precheck() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! _exists "nc"; then
|
if ! _exists "socat"; then
|
||||||
_err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
|
_err "It is recommended to install socat first."
|
||||||
_err "We use nc for standalone server if you use standalone mode."
|
_err "We use socat for standalone server if you use standalone mode."
|
||||||
_err "If you don't use standalone mode, just ignore this warning."
|
_err "If you don't use standalone mode, just ignore this warning."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -4890,10 +4827,12 @@ install() {
|
|||||||
_debug "Skip install cron job"
|
_debug "Skip install cron job"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$IN_CRON" != "1" ]; then
|
||||||
if ! _precheck "$_nocron"; then
|
if ! _precheck "$_nocron"; then
|
||||||
_err "Pre-check failed, can not install."
|
_err "Pre-check failed, can not install."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
|
if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
|
||||||
_info "Using config home: $LE_CONFIG_HOME"
|
_info "Using config home: $LE_CONFIG_HOME"
|
||||||
@ -4945,7 +4884,9 @@ install() {
|
|||||||
|
|
||||||
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
|
_info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
|
||||||
|
|
||||||
|
if [ "$IN_CRON" != "1" ]; then
|
||||||
_installalias "$_c_home"
|
_installalias "$_c_home"
|
||||||
|
fi
|
||||||
|
|
||||||
for subf in $_SUB_FOLDERS; do
|
for subf in $_SUB_FOLDERS; do
|
||||||
if [ -d "$subf" ]; then
|
if [ -d "$subf" ]; then
|
||||||
@ -5035,7 +4976,7 @@ _uninstallalias() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
cron() {
|
cron() {
|
||||||
IN_CRON=1
|
export IN_CRON=1
|
||||||
_initpath
|
_initpath
|
||||||
_info "$(__green "===Starting cron===")"
|
_info "$(__green "===Starting cron===")"
|
||||||
if [ "$AUTO_UPGRADE" = "1" ]; then
|
if [ "$AUTO_UPGRADE" = "1" ]; then
|
||||||
|
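Review bot: The new socat listener in `_startserver` splices the key authorization straight into the shell text that socat's `SYSTEM:` address hands to `sh -c` (`... echo $content; echo;`), so any shell metacharacter in the CA-supplied token would be executed by the standalone server instead of being echoed back, and the `openssl-listen:` line in `_starttlsserver` has the identical construction. The `'` after `200 OK` in both commands also looks unbalanced — whether socat's address lexer swallows it or it reaches the shell as an unterminated quoted string should be checked, because in the latter case the listener answers the challenge with nothing. Both listeners further stop honouring the local address that the removed `-l $ncaddr` and `-accept $opaddr:$port` branches used (the `#todo listen address` comments), and `_stopserver` now runs a bare `kill $pid` with no guard on an empty `$pid`; appending `,bind=$ncaddr` (respectively `,bind=$opaddr`) to the listen address only when that variable is set would restore the option. I would hand the content to the child shell through the environment or a file instead of interpolating it into the command text, quote `$Le_HTTPPort`, and check `[ "$pid" ]` before killing. `_startserver`, `_stopserver` and `_starttlsserver` all begin outside their hunks.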
@ -6,6 +6,8 @@ Here are the scripts to deploy the certs/key to the server/services.
|
|||||||
|
|
||||||
## 1. Deploy the certs to your cpanel host.
|
## 1. Deploy the certs to your cpanel host.
|
||||||
|
|
||||||
|
If you want to deploy using cpanel UAPI see 7.
|
||||||
|
|
||||||
(cpanel deploy hook is not finished yet, this is just an example.)
|
(cpanel deploy hook is not finished yet, this is just an example.)
|
||||||
|
|
||||||
|
|
||||||
@ -81,18 +83,19 @@ acme.sh --deploy -d ftp.example.com --deploy-hook exim4
|
|||||||
acme.sh --deploy -d ftp.example.com --deploy-hook keychain
|
acme.sh --deploy -d ftp.example.com --deploy-hook keychain
|
||||||
```
|
```
|
||||||
|
|
||||||
## 7. Deploy to cpanel host.
|
## 7. Deploy to cpanel host using UAPI
|
||||||
|
|
||||||
|
This hook is using UAPI and works in cPanel & WHM version 56 or newer.
|
||||||
```
|
```
|
||||||
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
||||||
```
|
```
|
||||||
|
DEPLOY_CPANEL_USER is required only if you run the script as root and it should contain cpanel username.
|
||||||
If you are login as root, please specify the username to deploy cert to:
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
export DEPLOY_CPANEL_USER=username
|
export DEPLOY_CPANEL_USER=username
|
||||||
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
|
||||||
```
|
```
|
||||||
|
Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain.
|
||||||
|
|
||||||
## 8. Deploy the cert to your FRITZ!Box router
|
## 8. Deploy the cert to your FRITZ!Box router
|
||||||
|
|
||||||
You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:
|
You must specify the credentials that have administrative privileges on the FRITZ!Box in order to deploy the certificate, plus the URL of your FRITZ!Box, through the following environment variables:
|
||||||
|
@ -47,7 +47,7 @@ dns_he_add() {
|
|||||||
response="$(_post "$body" "https://dns.he.net/")"
|
response="$(_post "$body" "https://dns.he.net/")"
|
||||||
exit_code="$?"
|
exit_code="$?"
|
||||||
if [ "$exit_code" -eq 0 ]; then
|
if [ "$exit_code" -eq 0 ]; then
|
||||||
_info "TXT record added successfuly."
|
_info "TXT record added successfully."
|
||||||
else
|
else
|
||||||
_err "Couldn't add the TXT record."
|
_err "Couldn't add the TXT record."
|
||||||
fi
|
fi
|
||||||
@ -96,7 +96,7 @@ dns_he_rm() {
|
|||||||
>/dev/null
|
>/dev/null
|
||||||
exit_code="$?"
|
exit_code="$?"
|
||||||
if [ "$exit_code" -eq 0 ]; then
|
if [ "$exit_code" -eq 0 ]; then
|
||||||
_info "Record removed successfuly."
|
_info "Record removed successfully."
|
||||||
else
|
else
|
||||||
_err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand."
|
_err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand."
|
||||||
return "$exit_code"
|
return "$exit_code"
|
||||||
|