From 875625b1477b4e82513c4e9576f3030ee792fc52 Mon Sep 17 00:00:00 2001
From: neilpang
Date: Sat, 10 Feb 2018 10:45:29 +0800
Subject: [PATCH] Support domain alias mode
---
 README.md | 1 +
 acme.sh | 63 ++++++++++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index c66b7f6c..ef699080 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ https://github.com/Neilpang/acmetest
 - Apache mode
 - Nginx mode ( Beta )
 - DNS mode
+- [DNS alias mode](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
 - [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode)
diff --git a/acme.sh b/acme.sh
index 907ab30d..46e58d90 100755
--- a/acme.sh
+++ b/acme.sh
@@ -105,6 +105,8 @@ _PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
 _STATELESS_WIKI="https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode"
+_DNS_ALIAS_WIKI="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode"
+
 _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
 _DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@@ -2845,8 +2847,9 @@ _clearupdns() {
 _debug "skip dns."
 return
 fi
-
+ _info "Removing DNS records."
 ventries=$(echo "$vlist" | tr ',' ' ')
+ _alias_index=1
 for ventry in $ventries; do
 d=$(echo "$ventry" | cut -d "$sep" -f 1)
 keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
@@ -2860,7 +2863,7 @@ _clearupdns() {
 fi
 if [ "$vtype" != "$VTYPE_DNS" ]; then
- _info "Skip $d for $vtype"
+ _debug "Skip $d for $vtype"
 continue
 fi
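Review bot: `_alias_index=1` at the top of the _clearupdns loop, together with the increment in the @@ -2888 hunk, pairs each --challenge-alias value with the n-th entry that reaches the alias lookup rather than with the n-th domain given on the command line, so any entry that hits a `continue` before the lookup — the non-DNS skip in the @@ -2860 hunk, and any other skip ahead of it — shifts every later alias by one. The add-entry loop in issue() (@@ -3640) keeps its own counter and only agrees with this one for as long as both loops skip exactly the same entries. At minimum both assignments deserve a comment such as `# _alias_index: --challenge-alias values are consumed in order by the DNS entries that reach the lookup below; keep the skips above identical to issue()`, and keying the lookup on the entry's position in the original domain list would remove the coupling altogether. _clearupdns begins before this hunk and continues past it.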
@@ -2888,7 +2891,15 @@ _clearupdns() {
 if _startswith "$_dns_root_d" "*."; then
 _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
 fi
- txtdomain="_acme-challenge.$_dns_root_d"
+
+ _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
+ _alias_index="$(_math "$_alias_index" + 1)"
+ _debug "_d_alias" "$_d_alias"
+ if [ "$_d_alias" ]; then
+ txtdomain="_acme-challenge.$_d_alias"
+ else
+ txtdomain="_acme-challenge.$_dns_root_d"
+ fi
 if ! $rmcommand "$txtdomain" "$txt"; then
 _err "Error removing txt for domain:$txtdomain"
@@ -3370,7 +3381,7 @@ issue() {
 _post_hook="${11}"
 _renew_hook="${12}"
 _local_addr="${13}"
-
+ _challenge_alias="${14}"
 #remove these later.
 if [ "$_web_roots" = "dns-cf" ]; then
 _web_roots="dns_cf"
@@ -3423,7 +3434,13 @@ issue() {
 else
 _cleardomainconf "Le_LocalAddress"
 fi
-
+ if [ "$_challenge_alias" ]; then
+ _savedomainconf "Le_ChallengeAlias" "$_challenge_alias"
+ else
+ _cleardomainconf "Le_ChallengeAlias"
+ fi
+
+
 Le_API="$ACME_DIRECTORY"
 _savedomainconf "Le_API" "$Le_API"
@@ -3640,6 +3657,7 @@ $_authorizations_map"
 #add entry
 dnsadded=""
 ventries=$(echo "$vlist" | tr "$dvsep" ' ')
+ _alias_index=1;
 for ventry in $ventries; do
 d=$(echo "$ventry" | cut -d "$sep" -f 1)
 keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
@@ -3657,7 +3675,14 @@ $_authorizations_map"
 if _startswith "$_dns_root_d" "*."; then
 _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
 fi
- txtdomain="_acme-challenge.$_dns_root_d"
+ _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
+ _alias_index="$(_math "$_alias_index" + 1)"
+ _debug "_d_alias" "$_d_alias"
+ if [ "$_d_alias" ]; then
+ txtdomain="_acme-challenge.$_d_alias"
+ else
+ txtdomain="_acme-challenge.$_dns_root_d"
+ fi
 _debug txtdomain "$txtdomain"
 txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
 _debug txt "$txt"
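Review bot: The nine-line alias resolution inserted here is repeated verbatim in issue()'s add loop (@@ -3657), so the removal path and the add path can drift and stop computing the same `txtdomain` for the same entry; a small shared helper keeps them in step. Because the helper must also advance `_alias_index`, it has to set `txtdomain` in the current shell rather than print it — calling it through `$(...)` would run it in a subshell and silently lose the increment. _clearupdns begins before this hunk and continues past it.
```shell
# Set txtdomain for one DNS entry: the next positional --challenge-alias
# value if present, else the domain's own _acme-challenge name.
# Advances _alias_index; must NOT be called inside $(...), or the
# increment is lost in the subshell.
_set_txtdomain() {
  _alias_root="$1"
  _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
  _alias_index="$(_math "$_alias_index" + 1)"
  _debug "_d_alias" "$_d_alias"
  if [ "$_d_alias" ]; then
    txtdomain="_acme-challenge.$_d_alias"
  else
    txtdomain="_acme-challenge.$_alias_root"
  fi
}

# … unchanged: wildcard prefix strip of _dns_root_d …
_set_txtdomain "$_dns_root_d"
# … unchanged: $rmcommand call …
```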
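Review bot: `_alias_index=1;` at the top of issue()'s add-entry loop (@@ -3640) carries a stray trailing semicolon; it is harmless to the shell but differs from the identical assignment in _clearupdns (@@ -2845) and shfmt will rewrite it. Use `_alias_index=1`. issue() begins before this hunk and continues past it.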
@@ -4210,7 +4235,7 @@ renew() {
 fi
 IS_RENEW="1"
- issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
+ issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias"
 res="$?"
 if [ "$res" != "0" ]; then
 return "$res"
@@ -4274,6 +4299,17 @@ signcsr() {
 return 1
 fi
+ _real_cert="$3"
+ _real_key="$4"
+ _real_ca="$5"
+ _reload_cmd="$6"
+ _real_fullchain="$7"
+ _pre_hook="${8}"
+ _post_hook="${9}"
+ _renew_hook="${10}"
+ _local_addr="${11}"
+ _challenge_alias="${12}"
+
 _csrsubj=$(_readSubjectFromCSR "$_csrfile")
 if [ "$?" != "0" ]; then
 _err "Can not read subject from csr: $_csrfile"
@@ -4319,7 +4355,7 @@ signcsr() {
 _info "Copy csr to: $CSR_PATH"
 cp "$_csrfile" "$CSR_PATH"
- issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
+ issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
 }
@@ -5293,6 +5329,7 @@ Commands:
 Parameters:
 --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
+ --challenge-alias domain.tld The domain alis for DNS alias mode: $_DNS_ALIAS_WIKI
 --force, -f Used to force to install or force to renew a cert immediately.
 --staging, --test Use staging server, just for test.
 --debug Output debug info.
@@ -5443,6 +5480,7 @@ _process() {
 _domain=""
 _altdomains="$NO_VALUE"
 _webroot=""
+ _challenge_alias=""
 _keylength=""
 _accountkeylength=""
 _cert_file=""
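Review bot: The ten assignments from `_real_cert="$3"` to `_challenge_alias="${12}"` in signcsr, with the widened `issue` call in @@ -4319, forward the cert/key/CA paths, reload command, hooks and local address that the removed four-argument call dropped; that is a behaviour change separate from the alias feature and the subject line does not mention it. A comment above the block, `# forwarded positionally to issue(); keep this order in step with the signcsr call in _process`, would make the contract visible, and `"$3"`..`"$7"` versus `"${8}"`..`"${12}"` could use one brace style. signcsr begins before this hunk and continues past it.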
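Review bot: The new help line in the usage text (@@ -5293) misspells the option's purpose (`alis`) and says nothing about how the values pair with domains, which is the one thing a user of this option must get right: the option is repeatable (@@ -5632 appends each value with a comma) and the values are consumed in order by the DNS-validated domains. Suggest `--challenge-alias domain.tld  The domain alias for DNS alias mode, one per DNS-validated domain, in order: $_DNS_ALIAS_WIKI`.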
@@ -5632,6 +5670,11 @@ _process() {
 fi
 shift
 ;;
+ --challenge-alias)
+ cvalue="$2"
+ _challenge_alias="$_challenge_alias$cvalue,"
+ shift
+ ;;
 --standalone)
 wvalue="$NO_VALUE"
 if [ -z "$_webroot" ]; then
@@ -5953,13 +5996,13 @@ _process() {
 uninstall) uninstall "$_nocron" ;;
 upgrade) upgrade ;;
 issue)
- issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
+ issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
 ;;
 deploy)
 deploy "$_domain" "$_deploy_hook" "$_ecc"
 ;;
 signcsr)
- signcsr "$_csr" "$_webroot"
+ signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
 ;;
 showcsr)
 showcsr "$_csr" "$_domain"
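Review bot: `cvalue="$2"` in the new `--challenge-alias)` arm is appended to `_challenge_alias` without any check, so the option given as the last argument, or followed by another option, produces an empty field or a value such as `--force`; that value later becomes the owner name of the `_acme-challenge` TXT record written through the configured DNS API, so a malformed entry is only noticed when validation fails against the wrong name. Reject it before the append: `if [ -z "$cvalue" ] || _startswith "$cvalue" "-"; then _err "'$cvalue' is not a valid domain for --challenge-alias"; return 1; fi`. _process begins before this hunk and continues past it.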