mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-11-19 12:51:45 +00:00
commit
979e10f9d5
4
.github/workflows/LetsEncrypt.yml
vendored
4
.github/workflows/LetsEncrypt.yml
vendored
@ -111,7 +111,7 @@ jobs:
|
|||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: Clone acmetest
|
- name: Clone acmetest
|
||||||
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
|
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
|
||||||
- uses: vmactions/freebsd-vm@v0.0.7
|
- uses: vmactions/freebsd-vm@v0.1.2
|
||||||
with:
|
with:
|
||||||
envs: 'NGROK_TOKEN TEST_LOCAL'
|
envs: 'NGROK_TOKEN TEST_LOCAL'
|
||||||
prepare: pkg install -y socat curl
|
prepare: pkg install -y socat curl
|
||||||
@ -136,7 +136,7 @@ jobs:
|
|||||||
run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
|
run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
|
||||||
- name: Clone acmetest
|
- name: Clone acmetest
|
||||||
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
|
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
|
||||||
- uses: vmactions/solaris-vm@v0.0.1
|
- uses: vmactions/solaris-vm@v0.0.3
|
||||||
with:
|
with:
|
||||||
envs: 'TEST_LOCAL TestingDomain'
|
envs: 'TEST_LOCAL TestingDomain'
|
||||||
nat: |
|
nat: |
|
||||||
|
60
acme.sh
60
acme.sh
@ -4009,12 +4009,42 @@ _check_dns_entries() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#file
|
#file
|
||||||
_get_cert_issuers() {
|
_get_chain_issuers() {
|
||||||
_cfile="$1"
|
_cfile="$1"
|
||||||
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
||||||
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||||
else
|
else
|
||||||
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
_cindex=1
|
||||||
|
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
|
||||||
|
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
|
||||||
|
_debug2 "_startn" "$_startn"
|
||||||
|
_debug2 "_endn" "$_endn"
|
||||||
|
if [ "$DEBUG" ]; then
|
||||||
|
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
|
||||||
|
fi
|
||||||
|
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
|
||||||
|
_cindex=$(_math $_cindex + 1)
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
_get_chain_subjects() {
|
||||||
|
_cfile="$1"
|
||||||
|
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
||||||
|
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||||
|
else
|
||||||
|
_cindex=1
|
||||||
|
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
|
||||||
|
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
|
||||||
|
_debug2 "_startn" "$_startn"
|
||||||
|
_debug2 "_endn" "$_endn"
|
||||||
|
if [ "$DEBUG" ]; then
|
||||||
|
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
|
||||||
|
fi
|
||||||
|
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
|
||||||
|
_cindex=$(_math $_cindex + 1)
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4022,14 +4052,12 @@ _get_cert_issuers() {
|
|||||||
_match_issuer() {
|
_match_issuer() {
|
||||||
_cfile="$1"
|
_cfile="$1"
|
||||||
_missuer="$2"
|
_missuer="$2"
|
||||||
_fissuers="$(_get_cert_issuers $_cfile)"
|
_fissuers="$(_get_chain_issuers $_cfile)"
|
||||||
_debug2 _fissuers "$_fissuers"
|
_debug2 _fissuers "$_fissuers"
|
||||||
if _contains "$_fissuers" "$_missuer"; then
|
_rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
|
||||||
return 0
|
_debug2 _rootissuer "$_rootissuer"
|
||||||
fi
|
|
||||||
_fissuers="$(echo "$_fissuers" | _lower_case)"
|
|
||||||
_missuer="$(echo "$_missuer" | _lower_case)"
|
_missuer="$(echo "$_missuer" | _lower_case)"
|
||||||
_contains "$_fissuers" "$_missuer"
|
_contains "$_rootissuer" "$_missuer"
|
||||||
}
|
}
|
||||||
|
|
||||||
#webroot, domain domainlist keylength
|
#webroot, domain domainlist keylength
|
||||||
@ -4803,6 +4831,9 @@ $_authorizations_map"
|
|||||||
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
|
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
|
||||||
|
|
||||||
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
|
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
|
||||||
|
if [ "$DEBUG" ]; then
|
||||||
|
_debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
|
||||||
|
fi
|
||||||
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
|
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
|
||||||
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
|
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
|
||||||
_debug2 "rels" "$rels"
|
_debug2 "rels" "$rels"
|
||||||
@ -4818,13 +4849,22 @@ $_authorizations_map"
|
|||||||
_relca="$CA_CERT_PATH.alt"
|
_relca="$CA_CERT_PATH.alt"
|
||||||
echo "$response" >"$_relcert"
|
echo "$response" >"$_relcert"
|
||||||
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
|
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
|
||||||
|
if [ "$DEBUG" ]; then
|
||||||
|
_debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
|
||||||
|
fi
|
||||||
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
|
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
|
||||||
_info "Matched issuer in: $rel"
|
_info "Matched issuer in: $rel"
|
||||||
cat $_relcert >"$CERT_PATH"
|
cat $_relcert >"$CERT_PATH"
|
||||||
cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
|
cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
|
||||||
cat $_relca >"$CA_CERT_PATH"
|
cat $_relca >"$CA_CERT_PATH"
|
||||||
|
rm -f "$_relcert"
|
||||||
|
rm -f "$_relfullchain"
|
||||||
|
rm -f "$_relca"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
rm -f "$_relcert"
|
||||||
|
rm -f "$_relfullchain"
|
||||||
|
rm -f "$_relca"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
200
deploy/unifi.sh
200
deploy/unifi.sh
@ -1,12 +1,43 @@
|
|||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
#Here is a script to deploy cert to unifi server.
|
# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
|
||||||
|
# It supports:
|
||||||
|
# - self-hosted Unifi Controller
|
||||||
|
# - Unifi Cloud Key (Gen1/2/2+)
|
||||||
|
# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
|
||||||
|
# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
|
||||||
|
|
||||||
#returns 0 means success, otherwise error.
|
#returns 0 means success, otherwise error.
|
||||||
|
|
||||||
|
# The deploy-hook automatically detects standard Unifi installations
|
||||||
|
# for each of the supported environments. Most users should not need
|
||||||
|
# to set any of these variables, but if you are running a self-hosted
|
||||||
|
# Controller with custom locations, set these as necessary before running
|
||||||
|
# the deploy hook. (Defaults shown below.)
|
||||||
|
#
|
||||||
|
# Settings for Unifi Controller:
|
||||||
|
# Location of Java keystore or unifi.keystore.jks file:
|
||||||
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
|
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
|
||||||
|
# Keystore password (built into Unifi Controller, not a user-set password):
|
||||||
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
|
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
|
||||||
|
# Command to restart Unifi Controller:
|
||||||
#DEPLOY_UNIFI_RELOAD="service unifi restart"
|
#DEPLOY_UNIFI_RELOAD="service unifi restart"
|
||||||
|
#
|
||||||
|
# Settings for Unifi Cloud Key Gen1 (nginx admin pages):
|
||||||
|
# Directory where cloudkey.crt and cloudkey.key live:
|
||||||
|
#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
|
||||||
|
# Command to restart maintenance pages and Controller
|
||||||
|
# (same setting as above, default is updated when running on Cloud Key Gen1):
|
||||||
|
#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
|
||||||
|
#
|
||||||
|
# Settings for UnifiOS (Cloud Key Gen2):
|
||||||
|
# Directory where unifi-core.crt and unifi-core.key live:
|
||||||
|
#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
|
||||||
|
# Command to restart unifi-core:
|
||||||
|
#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
|
||||||
|
#
|
||||||
|
# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
|
||||||
|
# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
|
||||||
|
|
||||||
######## Public functions #####################
|
######## Public functions #####################
|
||||||
|
|
||||||
@ -24,77 +55,160 @@ unifi_deploy() {
|
|||||||
_debug _cca "$_cca"
|
_debug _cca "$_cca"
|
||||||
_debug _cfullchain "$_cfullchain"
|
_debug _cfullchain "$_cfullchain"
|
||||||
|
|
||||||
|
_getdeployconf DEPLOY_UNIFI_KEYSTORE
|
||||||
|
_getdeployconf DEPLOY_UNIFI_KEYPASS
|
||||||
|
_getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
|
||||||
|
_getdeployconf DEPLOY_UNIFI_CORE_CONFIG
|
||||||
|
_getdeployconf DEPLOY_UNIFI_RELOAD
|
||||||
|
|
||||||
|
_debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
|
||||||
|
_debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
|
||||||
|
_debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
|
||||||
|
_debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
|
||||||
|
_debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
|
||||||
|
|
||||||
|
# Space-separated list of environments detected and installed:
|
||||||
|
_services_updated=""
|
||||||
|
|
||||||
|
# Default reload commands accumulated as we auto-detect environments:
|
||||||
|
_reload_cmd=""
|
||||||
|
|
||||||
|
# Unifi Controller environment (self hosted or any Cloud Key) --
|
||||||
|
# auto-detect by file /usr/lib/unifi/data/keystore:
|
||||||
|
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
|
||||||
|
if [ -f "$_unifi_keystore" ]; then
|
||||||
|
_info "Installing certificate for Unifi Controller (Java keystore)"
|
||||||
|
_debug _unifi_keystore "$_unifi_keystore"
|
||||||
if ! _exists keytool; then
|
if ! _exists keytool; then
|
||||||
_err "keytool not found"
|
_err "keytool not found"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
|
|
||||||
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
|
|
||||||
DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
|
|
||||||
_unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
|
|
||||||
DEFAULT_UNIFI_RELOAD="service unifi restart"
|
|
||||||
_reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
|
|
||||||
|
|
||||||
_debug _unifi_keystore "$_unifi_keystore"
|
|
||||||
if [ ! -f "$_unifi_keystore" ]; then
|
|
||||||
if [ -z "$DEPLOY_UNIFI_KEYSTORE" ]; then
|
|
||||||
_err "unifi keystore is not found, please define DEPLOY_UNIFI_KEYSTORE"
|
|
||||||
return 1
|
|
||||||
else
|
|
||||||
_err "It seems that the specified unifi keystore is not valid, please check."
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if [ ! -w "$_unifi_keystore" ]; then
|
if [ ! -w "$_unifi_keystore" ]; then
|
||||||
_err "The file $_unifi_keystore is not writable, please change the permission."
|
_err "The file $_unifi_keystore is not writable, please change the permission."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info "Generate import pkcs12"
|
_unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
|
||||||
|
|
||||||
|
_debug "Generate import pkcs12"
|
||||||
_import_pkcs12="$(_mktemp)"
|
_import_pkcs12="$(_mktemp)"
|
||||||
_toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
|
_toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
|
||||||
|
# shellcheck disable=SC2181
|
||||||
if [ "$?" != "0" ]; then
|
if [ "$?" != "0" ]; then
|
||||||
_err "Oops, error creating import pkcs12, please report bug to us."
|
_err "Error generating pkcs12. Please re-run with --debug and report a bug."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info "Modify unifi keystore: $_unifi_keystore"
|
_debug "Import into keystore: $_unifi_keystore"
|
||||||
if keytool -importkeystore \
|
if keytool -importkeystore \
|
||||||
-deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
|
-deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
|
||||||
-srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
|
-srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
|
||||||
-alias unifi -noprompt; then
|
-alias unifi -noprompt; then
|
||||||
_info "Import keystore success!"
|
_debug "Import keystore success!"
|
||||||
rm "$_import_pkcs12"
|
rm "$_import_pkcs12"
|
||||||
else
|
else
|
||||||
_err "Import unifi keystore error, please report bug to us."
|
_err "Error importing into Unifi Java keystore."
|
||||||
|
_err "Please re-run with --debug and report a bug."
|
||||||
rm "$_import_pkcs12"
|
rm "$_import_pkcs12"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info "Run reload: $_reload"
|
if systemctl -q is-active unifi; then
|
||||||
if eval "$_reload"; then
|
_reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
|
||||||
|
fi
|
||||||
|
_services_updated="${_services_updated} unifi"
|
||||||
|
_info "Install Unifi Controller certificate success!"
|
||||||
|
elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
|
||||||
|
_err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
|
||||||
|
# auto-detect by file /etc/ssl/private/cloudkey.key:
|
||||||
|
_cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
|
||||||
|
if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
|
||||||
|
_info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
|
||||||
|
_debug _cloudkey_certdir "$_cloudkey_certdir"
|
||||||
|
if [ ! -w "$_cloudkey_certdir" ]; then
|
||||||
|
_err "The directory $_cloudkey_certdir is not writable; please check permissions."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
# Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
|
||||||
|
# Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
|
||||||
|
# updated above), but if not, we don't know how to handle this installation:
|
||||||
|
if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
|
||||||
|
_err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
|
||||||
|
cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
|
||||||
|
(cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
|
||||||
|
|
||||||
|
if systemctl -q is-active nginx; then
|
||||||
|
_reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
|
||||||
|
fi
|
||||||
|
_info "Install Cloud Key Gen1 certificate success!"
|
||||||
|
_services_updated="${_services_updated} nginx"
|
||||||
|
elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
|
||||||
|
_err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
|
||||||
|
_unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
|
||||||
|
if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
|
||||||
|
_info "Installing certificate for UnifiOS"
|
||||||
|
_debug _unifi_core_config "$_unifi_core_config"
|
||||||
|
if [ ! -w "$_unifi_core_config" ]; then
|
||||||
|
_err "The directory $_unifi_core_config is not writable; please check permissions."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
|
||||||
|
cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
|
||||||
|
|
||||||
|
if systemctl -q is-active unifi-core; then
|
||||||
|
_reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
|
||||||
|
fi
|
||||||
|
_info "Install UnifiOS certificate success!"
|
||||||
|
_services_updated="${_services_updated} unifi-core"
|
||||||
|
elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
|
||||||
|
_err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$_services_updated" ]; then
|
||||||
|
# None of the Unifi environments were auto-detected, so no deployment has occurred
|
||||||
|
# (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
|
||||||
|
_err "Unable to detect Unifi environment in standard location."
|
||||||
|
_err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
|
||||||
|
_err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
|
||||||
|
_err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
_reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
|
||||||
|
if [ -z "$_reload_cmd" ]; then
|
||||||
|
_err "Certificates were installed for services:${_services_updated},"
|
||||||
|
_err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
|
||||||
|
_err "to a command that will restart the necessary services."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
_info "Reload services (this may take some time): $_reload_cmd"
|
||||||
|
if eval "$_reload_cmd"; then
|
||||||
_info "Reload success!"
|
_info "Reload success!"
|
||||||
if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
|
|
||||||
_savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
|
|
||||||
else
|
|
||||||
_cleardomainconf DEPLOY_UNIFI_KEYSTORE
|
|
||||||
fi
|
|
||||||
if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
|
|
||||||
_savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
|
|
||||||
else
|
|
||||||
_cleardomainconf DEPLOY_UNIFI_KEYPASS
|
|
||||||
fi
|
|
||||||
if [ "$DEPLOY_UNIFI_RELOAD" ]; then
|
|
||||||
_savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
|
|
||||||
else
|
|
||||||
_cleardomainconf DEPLOY_UNIFI_RELOAD
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
else
|
else
|
||||||
_err "Reload error"
|
_err "Reload error"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
return 0
|
|
||||||
|
|
||||||
|
# Successful, so save all (non-default) config:
|
||||||
|
_savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
|
||||||
|
_savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
|
||||||
|
_savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
|
||||||
|
_savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
|
||||||
|
_savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
|
||||||
|
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
@ -1,10 +1,9 @@
|
|||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
#Arvan_Token="xxxx"
|
#Arvan_Token="Apikey xxxx"
|
||||||
|
|
||||||
ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
|
ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
|
||||||
|
#Author: Vahid Fardi
|
||||||
#Author: Ehsan Aliakbar
|
|
||||||
#Report Bugs here: https://github.com/Neilpang/acme.sh
|
#Report Bugs here: https://github.com/Neilpang/acme.sh
|
||||||
#
|
#
|
||||||
######## Public functions #####################
|
######## Public functions #####################
|
||||||
@ -38,6 +37,7 @@ dns_arvan_add() {
|
|||||||
_info "Adding record"
|
_info "Adding record"
|
||||||
if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then
|
if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then
|
||||||
if _contains "$response" "$txtvalue"; then
|
if _contains "$response" "$txtvalue"; then
|
||||||
|
_info "response id is $response"
|
||||||
_info "Added, OK"
|
_info "Added, OK"
|
||||||
return 0
|
return 0
|
||||||
elif _contains "$response" "Record Data is Duplicated"; then
|
elif _contains "$response" "Record Data is Duplicated"; then
|
||||||
@ -49,7 +49,7 @@ dns_arvan_add() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
_err "Add txt record error."
|
_err "Add txt record error."
|
||||||
return 1
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
#Usage: fulldomain txtvalue
|
#Usage: fulldomain txtvalue
|
||||||
@ -73,33 +73,21 @@ dns_arvan_rm() {
|
|||||||
_debug _domain "$_domain"
|
_debug _domain "$_domain"
|
||||||
|
|
||||||
_debug "Getting txt records"
|
_debug "Getting txt records"
|
||||||
shorted_txtvalue=$(printf "%s" "$txtvalue" | cut -d "-" -d "_" -f1)
|
_arvan_rest GET "${_domain}/dns-records"
|
||||||
_arvan_rest GET "${_domain}/dns-records?search=$shorted_txtvalue"
|
|
||||||
|
|
||||||
if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then
|
if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then
|
||||||
_err "Error on Arvan Api"
|
_err "Error on Arvan Api"
|
||||||
_err "Please create a github issue with debbug log"
|
_err "Please create a github issue with debbug log"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
count=$(printf "%s\n" "$response" | _egrep_o "\"total\":[^,]*" | cut -d : -f 2)
|
_record_id=$(echo "$response" | _egrep_o ".\"id\":\"[^\"]*\",\"type\":\"txt\",\"name\":\"_acme-challenge\",\"value\":{\"text\":\"$txtvalue\"}" | cut -d : -f 2 | cut -d , -f 1 | tr -d \")
|
||||||
_debug count "$count"
|
if ! _arvan_rest "DELETE" "${_domain}/dns-records/${_record_id}"; then
|
||||||
if [ "$count" = "0" ]; then
|
_err "Error on Arvan Api"
|
||||||
_info "Don't need to remove."
|
|
||||||
else
|
|
||||||
record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
|
|
||||||
_debug "record_id" "$record_id"
|
|
||||||
if [ -z "$record_id" ]; then
|
|
||||||
_err "Can not get record id to remove."
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
if ! _arvan_rest "DELETE" "${_domain}/dns-records/$record_id"; then
|
|
||||||
_err "Delete record error."
|
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
_debug "$response"
|
_debug "$response"
|
||||||
_contains "$response" 'dns record deleted'
|
_contains "$response" 'dns record deleted'
|
||||||
fi
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
#################### Private functions below ##################################
|
#################### Private functions below ##################################
|
||||||
@ -111,7 +99,7 @@ dns_arvan_rm() {
|
|||||||
# _domain_id=sdjkglgdfewsdfg
|
# _domain_id=sdjkglgdfewsdfg
|
||||||
_get_root() {
|
_get_root() {
|
||||||
domain=$1
|
domain=$1
|
||||||
i=1
|
i=2
|
||||||
p=1
|
p=1
|
||||||
while true; do
|
while true; do
|
||||||
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
|
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
|
||||||
@ -121,12 +109,11 @@ _get_root() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! _arvan_rest GET "?search=$h"; then
|
if ! _arvan_rest GET "$h"; then
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
if _contains "$response" "\"domain\":\"$h\""; then
|
||||||
if _contains "$response" "\"domain\":\"$h\"" || _contains "$response" '"total":1'; then
|
_domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \")
|
||||||
_domain_id=$(echo "$response" | _egrep_o "\[.\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
|
|
||||||
if [ "$_domain_id" ]; then
|
if [ "$_domain_id" ]; then
|
||||||
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
||||||
_domain=$h
|
_domain=$h
|
||||||
@ -146,7 +133,6 @@ _arvan_rest() {
|
|||||||
data="$3"
|
data="$3"
|
||||||
|
|
||||||
token_trimmed=$(echo "$Arvan_Token" | tr -d '"')
|
token_trimmed=$(echo "$Arvan_Token" | tr -d '"')
|
||||||
|
|
||||||
export _H1="Authorization: $token_trimmed"
|
export _H1="Authorization: $token_trimmed"
|
||||||
|
|
||||||
if [ "$mtd" = "DELETE" ]; then
|
if [ "$mtd" = "DELETE" ]; then
|
||||||
@ -160,4 +146,5 @@ _arvan_rest() {
|
|||||||
else
|
else
|
||||||
response="$(_get "$ARVAN_API_URL/$ep$data")"
|
response="$(_get "$ARVAN_API_URL/$ep$data")"
|
||||||
fi
|
fi
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
|
|
||||||
DuckDNS_API="https://www.duckdns.org/update"
|
DuckDNS_API="https://www.duckdns.org/update"
|
||||||
|
|
||||||
######## Public functions #####################
|
######## Public functions ######################
|
||||||
|
|
||||||
#Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
|
#Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
|
||||||
dns_duckdns_add() {
|
dns_duckdns_add() {
|
||||||
@ -112,7 +112,7 @@ _duckdns_rest() {
|
|||||||
param="$2"
|
param="$2"
|
||||||
_debug param "$param"
|
_debug param "$param"
|
||||||
url="$DuckDNS_API?$param"
|
url="$DuckDNS_API?$param"
|
||||||
if [ "$DEBUG" -gt 0 ]; then
|
if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ]; then
|
||||||
url="$url&verbose=true"
|
url="$url&verbose=true"
|
||||||
fi
|
fi
|
||||||
_debug url "$url"
|
_debug url "$url"
|
||||||
@ -121,7 +121,7 @@ _duckdns_rest() {
|
|||||||
if [ "$method" = "GET" ]; then
|
if [ "$method" = "GET" ]; then
|
||||||
response="$(_get "$url")"
|
response="$(_get "$url")"
|
||||||
_debug2 response "$response"
|
_debug2 response "$response"
|
||||||
if [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
|
if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
|
||||||
response="OK"
|
response="OK"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -175,7 +175,7 @@ _get_root() {
|
|||||||
i=1
|
i=1
|
||||||
|
|
||||||
if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then
|
if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then
|
||||||
_zones_response="$response"
|
_zones_response=$(echo "$response" | _normalizeJson)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
|
Loading…
Reference in New Issue
Block a user