Merge pull request #918 from Neilpang/dev

Dev
This commit is contained in:
neil 2017-07-02 19:20:59 +08:00 committed by GitHub
commit d55c3faaeb

113
acme.sh
View File

@ -366,6 +366,7 @@ _hasfield() {
return 1 #not contains return 1 #not contains
} }
# str index [sep]
_getfield() { _getfield() {
_str="$1" _str="$1"
_findex="$2" _findex="$2"
@ -1281,7 +1282,7 @@ createDomainKey() {
_initpath "$domain" "$_cdl" _initpath "$domain" "$_cdl"
if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]); then if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
if _createkey "$_cdl" "$CERT_KEY_PATH"; then if _createkey "$_cdl" "$CERT_KEY_PATH"; then
_savedomainconf Le_Keylength "$_cdl" _savedomainconf Le_Keylength "$_cdl"
_info "The domain key is here: $(__green $CERT_KEY_PATH)" _info "The domain key is here: $(__green $CERT_KEY_PATH)"
@ -2196,7 +2197,9 @@ _initAPI() {
export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change" export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change"
export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz" export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz"
export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert" export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert"
export ACME_NEW_ORDER_RES="new-cert"
export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg" export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg"
export ACME_NEW_ACCOUNT_RES="new-reg"
export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert" export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
fi fi
@ -2216,16 +2219,22 @@ _initAPI() {
export ACME_NEW_AUTHZ export ACME_NEW_AUTHZ
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3) ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
ACME_NEW_ORDER_RES="new-cert"
if [ -z "$ACME_NEW_ORDER" ]; then if [ -z "$ACME_NEW_ORDER" ]; then
ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3) ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
ACME_NEW_ORDER_RES="new-order"
fi fi
export ACME_NEW_ORDER export ACME_NEW_ORDER
export ACME_NEW_ORDER_RES
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3) ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
ACME_NEW_ACCOUNT_RES="new-reg"
if [ -z "$ACME_NEW_ACCOUNT" ]; then if [ -z "$ACME_NEW_ACCOUNT" ]; then
ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3) ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
ACME_NEW_ACCOUNT_RES="new-account"
fi fi
export ACME_NEW_ACCOUNT export ACME_NEW_ACCOUNT
export ACME_NEW_ACCOUNT_RES
ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3) ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
export ACME_REVOKE_CERT export ACME_REVOKE_CERT
@ -3073,14 +3082,13 @@ _regAccount() {
_initpath _initpath
_reg_length="$1" _reg_length="$1"
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
mkdir -p "$CA_DIR" mkdir -p "$CA_DIR"
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH" _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH" mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
fi fi
if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
mkdir -p "$CA_DIR"
_info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH" _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH" mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
fi fi
@ -3097,7 +3105,7 @@ _regAccount() {
fi fi
_initAPI _initAPI
_updateTos="" _updateTos=""
_reg_res="new-reg" _reg_res="$ACME_NEW_ACCOUNT_RES"
while true; do while true; do
_debug AGREEMENT "$AGREEMENT" _debug AGREEMENT "$AGREEMENT"
@ -3127,7 +3135,7 @@ _regAccount() {
_accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")" _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
_debug "_accUri" "$_accUri" _debug "_accUri" "$_accUri"
_savecaconf "ACCOUNT_URL" "$_accUri"
_tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')" _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')"
_debug "_tos" "$_tos" _debug "_tos" "$_tos"
if [ -z "$_tos" ]; then if [ -z "$_tos" ]; then
@ -3148,11 +3156,14 @@ _regAccount() {
return 1 return 1
fi fi
if [ "$code" = '202' ]; then if [ "$code" = '202' ]; then
_info "Update success." _info "Update account tos info success."
CA_KEY_HASH="$(__calcAccountKeyHash)" CA_KEY_HASH="$(__calcAccountKeyHash)"
_debug "Calc CA_KEY_HASH" "$CA_KEY_HASH" _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
_savecaconf CA_KEY_HASH "$CA_KEY_HASH" _savecaconf CA_KEY_HASH "$CA_KEY_HASH"
elif [ "$code" = '403' ]; then
_err "It seems that the account key is already deactivated, please use a new account key."
return 1
else else
_err "Update account error." _err "Update account error."
return 1 return 1
@ -3165,6 +3176,68 @@ _regAccount() {
} }
#Implement deactivate account
deactivateaccount() {
_initpath
if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
_info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
fi
if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
_info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
fi
if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
_err "Account key is not found at: $ACCOUNT_KEY_PATH"
return 1
fi
_accUri=$(_readcaconf "ACCOUNT_URL")
_debug _accUri "$_accUri"
if [ -z "$_accUri" ]; then
_err "The account url is empty, please run '--update-account' first to update the account info first,"
_err "Then try again."
return 1
fi
if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
return 1
fi
_initAPI
if _send_signed_request "$_accUri" "{\"resource\": \"reg\", \"status\":\"deactivated\"}" && _contains "$response" '"deactivated"'; then
_info "Deactivate account success for $_accUri."
_accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
elif [ "$code" = "403" ]; then
_info "The account is already deactivated."
_accid=$(_getfield "$_accUri" "999" "/")
else
_err "Deactivate: account failed for $_accUri."
return 1
fi
_debug "Account id: $_accid"
if [ "$_accid" ]; then
_deactivated_account_path="$CA_DIR/deactivated/$_accid"
_debug _deactivated_account_path "$_deactivated_account_path"
if mkdir -p "$_deactivated_account_path"; then
_info "Moving deactivated account info to $_deactivated_account_path/"
mv "$CA_CONF" "$_deactivated_account_path/"
mv "$ACCOUNT_JSON_PATH" "$_deactivated_account_path/"
mv "$ACCOUNT_KEY_PATH" "$_deactivated_account_path/"
else
_err "Can not create dir: $_deactivated_account_path, try to remove the deactivated account key."
rm -f "$CA_CONF"
rm -f "$ACCOUNT_JSON_PATH"
rm -f "$ACCOUNT_KEY_PATH"
fi
fi
}
# domain folder file # domain folder file
_findHook() { _findHook() {
_hookdomain="$1" _hookdomain="$1"
@ -3355,7 +3428,7 @@ issue() {
else else
_key=$(_readdomainconf Le_Keylength) _key=$(_readdomainconf Le_Keylength)
_debug "Read key length:$_key" _debug "Read key length:$_key"
if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ]; then if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
if ! createDomainKey "$_main_domain" "$_key_length"; then if ! createDomainKey "$_main_domain" "$_key_length"; then
_err "Create domain key error." _err "Create domain key error."
_clearup _clearup
@ -3761,7 +3834,7 @@ issue() {
_info "Verify finished, start to sign." _info "Verify finished, start to sign."
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
_err "Sign failed." _err "Sign failed."
_on_issue_err "$_post_hook" _on_issue_err "$_post_hook"
return 1 return 1
@ -3885,6 +3958,12 @@ issue() {
_cleardomainconf Le_Listen_V4 _cleardomainconf Le_Listen_V4
fi fi
if [ "$Le_ForceNewDomainKey" = "1" ]; then
_savedomainconf "Le_ForceNewDomainKey" "$Le_ForceNewDomainKey"
else
_cleardomainconf Le_ForceNewDomainKey
fi
Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60) Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime") Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
@ -4614,9 +4693,7 @@ _detect_profile() {
fi fi
fi fi
if [ ! -z "$DETECTED_PROFILE" ]; then
echo "$DETECTED_PROFILE" echo "$DETECTED_PROFILE"
fi
} }
_initconf() { _initconf() {
@ -4968,6 +5045,7 @@ Commands:
--toPkcs8 Convert to pkcs8 format. --toPkcs8 Convert to pkcs8 format.
--update-account Update account info. --update-account Update account info.
--register-account Register account key. --register-account Register account key.
--deactivate-account Deactivate the account.
--create-account-key Create an account private key, professional use. --create-account-key Create an account private key, professional use.
--create-domain-key Create an domain private key, professional use. --create-domain-key Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use. --createCSR, -ccsr Create CSR , professional use.
@ -5028,6 +5106,7 @@ Parameters:
--renew-hook Command to be run once for each successfully renewed certificate. --renew-hook Command to be run once for each successfully renewed certificate.
--deploy-hook The hook file to deploy cert --deploy-hook The hook file to deploy cert
--ocsp-must-staple, --ocsp Generate ocsp must Staple extension. --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
--always-force-new-domain-key Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
--auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future. --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
--listen-v4 Force standalone/tls server to listen at ipv4. --listen-v4 Force standalone/tls server to listen at ipv4.
--listen-v6 Force standalone/tls server to listen at ipv6. --listen-v6 Force standalone/tls server to listen at ipv6.
@ -5247,6 +5326,9 @@ _process() {
--registeraccount | --register-account) --registeraccount | --register-account)
_CMD="registeraccount" _CMD="registeraccount"
;; ;;
--deactivate-account)
_CMD="deactivateaccount"
;;
--domain | -d) --domain | -d)
_dvalue="$2" _dvalue="$2"
@ -5508,6 +5590,14 @@ _process() {
--ocsp-must-staple | --ocsp) --ocsp-must-staple | --ocsp)
Le_OCSP_Staple="1" Le_OCSP_Staple="1"
;; ;;
--always-force-new-domain-key)
if [ -z "$2" ] || _startswith "$2" "-"; then
Le_ForceNewDomainKey=1
else
Le_ForceNewDomainKey="$2"
shift
fi
;;
--log | --logfile) --log | --logfile)
_log="1" _log="1"
_logfile="$2" _logfile="$2"
@ -5654,6 +5744,9 @@ _process() {
updateaccount) updateaccount)
updateaccount updateaccount
;; ;;
deactivateaccount)
deactivateaccount
;;
list) list)
list "$_listraw" list "$_listraw"
;; ;;