Merge remote-tracking branch 'upstream/master'

2018-02-24 09:09:00 +01:00 · 2018-02-24 09:09:00 +01:00 · 6baa6d488b
parent e26f9b8095 432037d20d
commit 6baa6d488b
5 changed files with 72 additions and 67 deletions
--- a/README.md
+++ b/README.md
@ -25,7 +25,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 # [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
-# Who are using **acme.sh**
+# Who:
 - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
 - [ruby-china.org](https://ruby-china.org/topics/31983)
 - [Proxmox](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer))
@ -74,7 +74,7 @@ https://github.com/Neilpang/acmetest
 - Webroot mode
 - Standalone mode
 - Apache mode
- Nginx mode ( Beta )
+- Nginx mode
 - DNS mode
 - [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode)
@ -204,6 +204,8 @@ Install/copy the cert/key to the production Apache or Nginx path.
 The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
 **Please take care:  The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewwed cert in 60 days.**
 # 4. Use Standalone server to issue cert
 **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))**
@ -238,7 +240,7 @@ More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
 If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`.
-Particularly, if you are running an Apache server, you should use Apache mode instead. This mode doesn't write any files to your web root folder.
+Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder.
 Just set string "apache" as the second argument and it will force use of apache plugin automatically.
@ -246,6 +248,10 @@ Just set string "apache" as the second argument and it will force use of apache
 acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com
 ```
 **This apache mode is only to issue the cert, it will not change your apache config files. 
 You will need to configure your website config files to use the cert by yourself.
 We don't want to mess your apache server, don't worry.**
 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
 # 7. Use Nginx mode
@ -266,6 +272,10 @@ So, the config is not changed.
 acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
 ```
 **This nginx mode is only to issue the cert, it will not change your nginx config files. 
 You will need to configure your website config files to use the cert by yourself.
 We don't want to mess your nginx server, don't worry.**
 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
 # 8. Automatic DNS API integration
@ -332,7 +342,7 @@ For more details: [How to use DNS API](dnsapi)
 # 9. Use DNS manual mode:
-If your dns provider doesn't support any api access, you will have to add the txt record by your hand.
+If your dns provider doesn't support any api access, you can add the txt record by your hand.
 ```bash
 acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com
@ -370,7 +380,7 @@ Ok, it's done.
 And we support them too!
-Just set the `length` parameter with a prefix `ec-`.
+Just set the `keylength` parameter with a prefix `ec-`.
 For example:
@ -386,7 +396,7 @@ acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256
 acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256
 ```
-Please look at the last parameter above.
+Please look at the `keylength` parameter above.
 Valid values are:
--- a/acme.sh
+++ b/acme.sh
@ -1281,6 +1281,7 @@ _create_account_key() {
  else
    #generate account key
    _createkey "$length" "$ACCOUNT_KEY_PATH"
    chmod 600 "$ACCOUNT_KEY_PATH"
  fi
 }
@ -1838,7 +1839,7 @@ _send_signed_request() {
    _body="$response"
    if [ "$needbase64" ]; then
      _body="$(echo "$_body" | _dbase64)"
-      _debug2 _body "$_body"
+      _debug3 _body "$_body"
    fi
    if _contains "$_body" "JWS has invalid anti-replay nonce"; then
@ -2006,9 +2007,19 @@ _startserver() {
    _NC="$_NC -6"
  fi
-  _debug "_NC" "$_NC"
+  if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
-  #todo  listen address
+    _NC="$_NC -d -d -v"
-  $_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK; echo ; echo  $content; echo;" &
+  fi
  SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork
  #Adding bind to local-address
  if [ "$ncaddr" ]; then
    SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
  fi
  _debug "_NC" "$_NC $SOCAT_OPTIONS"
  $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo  $content; echo;" &
  serverproc="$!"
 }
@ -5062,7 +5073,7 @@ _installalias() {
 }
-# nocron confighome
+# nocron confighome noprofile
 install() {
  if [ -z "$LE_WORKING_DIR" ]; then
@ -5071,6 +5082,7 @@ install() {
  _nocron="$1"
  _c_home="$2"
  _noprofile="$3"
  if ! _initpath; then
    _err "Install failed."
    return 1
@ -5136,7 +5148,7 @@ install() {
  _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
-  if [ "$IN_CRON" != "1" ]; then
+  if [ "$IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
    _installalias "$_c_home"
  fi
@ -5362,10 +5374,11 @@ Parameters:
  "
 }
-# nocron
+# nocron noprofile
 _installOnline() {
  _info "Installing from online archive."
  _nocron="$1"
  _noprofile="$2"
  if [ ! "$BRANCH" ]; then
    BRANCH="master"
  fi
@ -5386,7 +5399,7 @@ _installOnline() {
    cd "$PROJECT_NAME-$BRANCH"
    chmod +x $PROJECT_ENTRY
-    if ./$PROJECT_ENTRY install "$_nocron"; then
+    if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
      _info "Install success!"
    fi
@ -5402,7 +5415,7 @@ upgrade() {
    _initpath
    export LE_WORKING_DIR
    cd "$LE_WORKING_DIR"
-    _installOnline "nocron"
+    _installOnline "nocron" "noprofile"
  ); then
    _info "Upgrade success!"
    exit 0
--- a/deploy/strongswan.sh
+++ b/deploy/strongswan.sh
@ -22,6 +22,8 @@ strongswan_deploy() {
    _ipsec=/usr/sbin/ipsec
  elif [ -x /usr/sbin/strongswan ]; then
    _ipsec=/usr/sbin/strongswan
  elif [ -x /usr/local/sbin/ipsec ]; then
    _ipsec=/usr/local/sbin/ipsec
  else
    _err "no strongswan or ipsec command is detected"
    return 1
--- a/dnsapi/dns_he.sh
+++ b/dnsapi/dns_he.sh
@ -75,17 +75,19 @@ dns_he_rm() {
  body="$body&hosted_dns_zoneid=$_zone_id"
  body="$body&menu=edit_zone"
  body="$body&hosted_dns_editzone="
  domain_regex="$(echo "$_full_domain" | sed 's/\./\\./g')" # escape dots
  _record_id=$(_post "$body" "https://dns.he.net/" \
    | tr -d '\n' \
    | _egrep_o "data=\"&quot;${_txt_value}&quot;([^>]+>){6}[^<]+<[^;]+;deleteRecord\('[0-9]+','${domain_regex}','TXT'\)" \
    | _egrep_o "[0-9]+','${domain_regex}','TXT'\)$" \
    | _egrep_o "^[0-9]+"
  )
  # The series of egreps above could have been done a bit shorter but
  #  I wanted to double-check whether it's the correct record (in case
  #  HE changes their website somehow).
  response="$(_post "$body" "https://dns.he.net/")"
  _debug2 "response" "$response"
  if ! _contains "$response" "$_txt_value"; then
    _debug "The txt record is not found, just skip"
    return 0
  fi
  _record_id="$(echo "$response" | tr -d "#" | sed "s/<tr/#<tr/g" | tr -d "\n" | tr "#" "\n" | grep "$_full_domain" | grep '"dns_tr"' | grep "$_txt_value" | cut -d '"' -f 4)"
  _debug2 _record_id "$_record_id"
  if [ -z "$_record_id" ]; then
    _err "Can not find record id"
    return 1
  fi
  # Remove the record
  body="email=${HE_Username}&pass=${HE_Password}"
  body="$body&menu=edit_zone"
@ -108,41 +110,26 @@ dns_he_rm() {
 ########################## PRIVATE FUNCTIONS ###########################
 #-- _find_zone() -------------------------------------------------------
 # Returns the most specific zone found in administration interface.
 #
 # Example:
 #
 # _find_zone first.second.third.co.uk
 #
 # ... will return the first zone that exists in admin out of these:
 # - "first.second.third.co.uk"
 # - "second.third.co.uk"
 # - "third.co.uk"
 # - "co.uk" <-- unlikely
 # - "uk"    <-'
 #
 # (another approach would be something like this:
 #   https://github.com/hlandau/acme/blob/master/_doc/dns.hook
 #   - that's better if there are multiple pages. It's so much simpler.
 # )
 _find_zone() {
  _domain="$1"
  body="email=${HE_Username}&pass=${HE_Password}"
-  _matches=$(_post "$body" "https://dns.he.net/" \
+  response="$(_post "$body" "https://dns.he.net/")"
-    | _egrep_o "delete_dom.*name=\"[^\"]+\" value=\"[0-9]+"
+  _debug2 response "$response"
-  )
+  _table="$(echo "$response" | tr -d "#" | sed "s/<table/#<table/g" | tr -d "\n" | tr "#" "\n" | grep 'id="domains_table"')"
  _debug2 _table "$_table"
  _matches="$(echo "$_table" | sed "s/<tr/#<tr/g" | tr "#" "\n" | grep 'alt="edit"' | tr -d " " | sed "s/<td/#<td/g" | tr "#" "\n" | sed -n 3p)"
  _debug2 _matches "$_matches"
  # Zone names and zone IDs are in same order
-  _zone_ids=$(echo "$_matches" | cut -d '"' -f 5)
+  _zone_ids=$(echo "$_matches" | _egrep_o "hosted_dns_zoneid=[0-9]*&" | cut -d = -f 2 | tr -d '&')
-  _zone_names=$(echo "$_matches" | cut -d '"' -f 3)
+  _zone_names=$(echo "$_matches" | _egrep_o "name=.*onclick" | cut -d '"' -f 2)
  _debug2 "These are the zones on this HE account:"
  _debug2 "$_zone_names"
  _debug2 "And these are their respective IDs:"
  _debug2 "$_zone_ids"
-
+  if [ -z "$_zone_names" ] || [ -z "$_zone_ids" ]; then
    _err "Can not get zone names."
    return 1
  fi
  # Walk through all possible zone names
  _strip_counter=1
  while true; do
@ -156,17 +143,10 @@ _find_zone() {
    _debug "Looking for zone \"${_attempted_zone}\""
-    # Take care of "." and only match whole lines. Note that grep -F
+    line_num="$(echo "$_zone_names" | grep -n "$_attempted_zone" | cut -d : -f 1)"
    # cannot be used because there's no way to make it match whole
    # lines.
    regex="^$(echo "$_attempted_zone" | sed 's/\./\\./g')$"
    line_num=$(echo "$_zone_names" \
      | grep -n "$regex" \
      | cut -d : -f 1
    )
-    if [ -n "$line_num" ]; then
+    if [ "$line_num" ]; then
-      _zone_id=$(echo "$_zone_ids" | sed "${line_num}q;d")
+      _zone_id=$(echo "$_zone_ids" | sed -n "${line_num}p")
      _debug "Found relevant zone \"$_attempted_zone\" with id \"$_zone_id\" - will be used for domain \"$_domain\"."
      return 0
    fi
--- a/dnsapi/dns_yandex.sh
+++ b/dnsapi/dns_yandex.sh
@ -16,7 +16,7 @@ dns_yandex_add() {
  _PDD_credentials || return 1
  export _H1="PddToken: $PDD_Token"
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
  _debug "Found suitable domain in pdd: $curDomain"
  curData="domain=${curDomain}&type=TXT&subdomain=${curSubdomain}&ttl=360&content=${txtvalue}"
  curUri="https://pddimp.yandex.ru/api2/admin/dns/add"
@ -33,7 +33,7 @@ dns_yandex_rm() {
  record_id=$(pdd_get_record_id "${fulldomain}")
  _debug "Result: $record_id"
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
  _debug "Found suitable domain in pdd: $curDomain"
  curUri="https://pddimp.yandex.ru/api2/admin/dns/del"
@ -72,8 +72,8 @@ _PDD_get_domain() {
      if [ "$d" = "$__t" ]; then
        p=$(_math $k - 1)
        curSubdomain="$(echo "$fulldomain" | cut -d . -f "1-$p")"
-        echo "$__t"
+        curDomain="$__t"
-        return
+        return 0
      fi
    done
    k=$(_math $k + 1)
@ -96,7 +96,7 @@ _PDD_credentials() {
 pdd_get_record_id() {
  fulldomain="${1}"
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
  _debug "Found suitable domain in pdd: $curDomain"
  curUri="https://pddimp.yandex.ru/api2/admin/dns/list?domain=${curDomain}"