Merge remote-tracking branch 'upstream/master' into ssh-deploy

This commit is contained in:
David Kerr 2017-02-11 14:37:02 -05:00
commit e925ab0999
6 changed files with 142 additions and 22 deletions

View File

@ -1,4 +1,6 @@
<!-- <!--
请确保已经更新到最新的代码, 然后贴上来 `--debug 2` 的调试输出. 没有调试输出,我帮不了你.
如何调试 https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
If it is a bug report: If it is a bug report:
- make sure you are able to repro it on the latest released version. - make sure you are able to repro it on the latest released version.
@ -8,13 +10,11 @@ You can install the latest version by: `acme.sh --upgrade`
- Refer to the [WIKI](https://wiki.acme.sh). - Refer to the [WIKI](https://wiki.acme.sh).
- Debug info [Debug](https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh). - Debug info [Debug](https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh).
--> -->
Steps to reproduce Steps to reproduce
------------------ ------------------
Debug log Debug log
----------------- -----------------

View File

@ -147,7 +147,7 @@ You **MUST** use this command to copy the certs to the target files, **DO NOT**
**Apache** example: **Apache** example:
```bash ```bash
acme.sh --installcert -d example.com \ acme.sh --install-cert -d example.com \
--certpath /path/to/certfile/in/apache/cert.pem \ --certpath /path/to/certfile/in/apache/cert.pem \
--keypath /path/to/keyfile/in/apache/key.pem \ --keypath /path/to/keyfile/in/apache/key.pem \
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \ --fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
@ -156,7 +156,7 @@ acme.sh --installcert -d example.com \
**Nginx** example: **Nginx** example:
```bash ```bash
acme.sh --installcert -d example.com \ acme.sh --install-cert -d example.com \
--keypath /path/to/keyfile/in/nginx/key.pem \ --keypath /path/to/keyfile/in/nginx/key.pem \
--fullchainpath /path/to/fullchain/nginx/cert.pem \ --fullchainpath /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload" --reloadcmd "service nginx force-reload"

99
acme.sh
View File

@ -61,6 +61,10 @@ LOG_LEVEL_2=2
LOG_LEVEL_3=3 LOG_LEVEL_3=3
DEFAULT_LOG_LEVEL="$LOG_LEVEL_1" DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
SYSLOG_INFO="user.info"
SYSLOG_ERROR="user.error"
SYSLOG_DEBUG="user.debug"
_DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh" _DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
_PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations" _PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
@ -128,18 +132,30 @@ _dlg_versions() {
fi fi
} }
#class
_syslog() {
if [ -z "$SYS_LOG" ] || [ "$SYS_LOG" = "0" ]; then
return
fi
_logclass="$1"
shift
logger -i -t "$PROJECT_NAME" -p "$_logclass" "$(_printargs "$@")" >/dev/null 2>&1
}
_log() { _log() {
_syslog "$@"
[ -z "$LOG_FILE" ] && return [ -z "$LOG_FILE" ] && return
shift
_printargs "$@" >>"$LOG_FILE" _printargs "$@" >>"$LOG_FILE"
} }
_info() { _info() {
_log "$@" _log "$SYSLOG_INFO" "$@"
_printargs "$@" _printargs "$@"
} }
_err() { _err() {
_log "$@" _log "$SYSLOG_ERROR" "$@"
if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
printf -- "%s" "[$(date)] " >&2 printf -- "%s" "[$(date)] " >&2
fi fi
@ -159,7 +175,7 @@ _usage() {
_debug() { _debug() {
if [ -z "$LOG_LEVEL" ] || [ "$LOG_LEVEL" -ge "$LOG_LEVEL_1" ]; then if [ -z "$LOG_LEVEL" ] || [ "$LOG_LEVEL" -ge "$LOG_LEVEL_1" ]; then
_log "$@" _log "$SYSLOG_DEBUG" "$@"
fi fi
if [ -z "$DEBUG" ]; then if [ -z "$DEBUG" ]; then
return return
@ -169,19 +185,19 @@ _debug() {
_debug2() { _debug2() {
if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_2" ]; then if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_2" ]; then
_log "$@" _log "$SYSLOG_DEBUG" "$@"
fi fi
if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
_debug "$@" _printargs "$@" >&2
fi fi
} }
_debug3() { _debug3() {
if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_3" ]; then if [ "$LOG_LEVEL" ] && [ "$LOG_LEVEL" -ge "$LOG_LEVEL_3" ]; then
_log "$@" _log "$SYSLOG_DEBUG" "$@"
fi fi
if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ]; then if [ "$DEBUG" ] && [ "$DEBUG" -ge "3" ]; then
_debug "$@" _printargs "$@" >&2
fi fi
} }
@ -364,8 +380,16 @@ _ascii_hex() {
#input:"abc" #input:"abc"
#output: " 61 62 63" #output: " 61 62 63"
_hex_dump() { _hex_dump() {
#in wired some system, the od command is missing. if _exists od; then
if ! od -A n -v -t x1 | tr -d "\r\t" | tr -s " " | sed "s/ $//" | tr -d "\n" 2>/dev/null; then od -A n -v -t x1 | tr -s " " | sed 's/ $//' | tr -d "\r\t\n"
elif _exists hexdump; then
_debug3 "using hexdump"
hexdump -v -e '/1 ""' -e '/1 " %02x" ""'
elif _exists xxd; then
_debug3 "using xxd"
xxd -ps -c 20 -i | sed "s/ 0x/ /g" | tr -d ",\n" | tr -s " "
else
_debug3 "using _ascii_hex"
str=$(cat) str=$(cat)
_ascii_hex "$str" _ascii_hex "$str"
fi fi
@ -896,7 +920,11 @@ _createcsr() {
_csr_cn="$(_idn "$domain")" _csr_cn="$(_idn "$domain")"
_debug2 _csr_cn "$_csr_cn" _debug2 _csr_cn "$_csr_cn"
$OPENSSL_BIN req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr" if _contains "$(uname -a)" "MINGW"; then
$OPENSSL_BIN req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr"
else
$OPENSSL_BIN req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
fi
} }
#_signcsr key csr conf cert #_signcsr key csr conf cert
@ -4234,7 +4262,7 @@ Commands:
--version, -v Show version info. --version, -v Show version info.
--install Install $PROJECT_NAME to your system. --install Install $PROJECT_NAME to your system.
--uninstall Uninstall $PROJECT_NAME, and uninstall the cron job. --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
--upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT . --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT.
--issue Issue a cert. --issue Issue a cert.
--signcsr Issue a cert from an existing csr. --signcsr Issue a cert from an existing csr.
--deploy Deploy the cert to your server. --deploy Deploy the cert to your server.
@ -4251,8 +4279,8 @@ Commands:
--toPkcs Export the certificate and key to a pfx file. --toPkcs Export the certificate and key to a pfx file.
--update-account Update account info. --update-account Update account info.
--register-account Register account key. --register-account Register account key.
--createAccountKey, -cak Create an account private key, professional use. --create-account-key Create an account private key, professional use.
--createDomainKey, -cdk Create an domain private key, professional use. --create-domain-key Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use. --createCSR, -ccsr Create CSR , professional use.
--deactivate Deactivate the domain authz, professional use. --deactivate Deactivate the domain authz, professional use.
@ -4274,6 +4302,7 @@ Parameters:
--accountkeylength, -ak [2048] Specifies the account key length. --accountkeylength, -ak [2048] Specifies the account key length.
--log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here. --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
--log-level 1|2 Specifies the log level, default is 1. --log-level 1|2 Specifies the log level, default is 1.
--syslog [1|0] Enable/Disable syslog.
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert: These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
@ -4432,6 +4461,7 @@ _process() {
_listen_v4="" _listen_v4=""
_listen_v6="" _listen_v6=""
_openssl_bin="" _openssl_bin=""
_syslog=""
while [ ${#} -gt 0 ]; do while [ ${#} -gt 0 ]; do
case "${1}" in case "${1}" in
@ -4494,10 +4524,10 @@ _process() {
--toPkcs) --toPkcs)
_CMD="toPkcs" _CMD="toPkcs"
;; ;;
--createAccountKey | --createaccountkey | -cak) --createAccountKey | --createaccountkey | -cak | --create-account-key)
_CMD="createAccountKey" _CMD="createAccountKey"
;; ;;
--createDomainKey | --createdomainkey | -cdk) --createDomainKey | --createdomainkey | -cdk | --create-domain-key)
_CMD="createDomainKey" _CMD="createDomainKey"
;; ;;
--createCSR | --createcsr | -ccr) --createCSR | --createcsr | -ccr)
@ -4762,6 +4792,15 @@ _process() {
LOG_LEVEL="$_log_level" LOG_LEVEL="$_log_level"
shift shift
;; ;;
--syslog)
if ! _startswith "$2" '-'; then
_syslog="$2"
shift
fi
if [ -z "$_syslog" ]; then
_syslog="1"
fi
;;
--auto-upgrade) --auto-upgrade)
_auto_upgrade="$2" _auto_upgrade="$2"
if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then
@ -4809,6 +4848,21 @@ _process() {
LOG_LEVEL="$_log_level" LOG_LEVEL="$_log_level"
fi fi
if [ "$_syslog" ]; then
if _exists logger; then
if [ "$_syslog" = "0" ]; then
_clearaccountconf "SYS_LOG"
else
_saveaccountconf "SYS_LOG" "$_syslog"
fi
SYS_LOG="$_syslog"
else
_err "The 'logger' command is not found, can not enable syslog."
_clearaccountconf "SYS_LOG"
SYS_LOG=""
fi
fi
_processAccountConf _processAccountConf
fi fi
@ -4901,6 +4955,21 @@ _process() {
if [ "$_log_level" ]; then if [ "$_log_level" ]; then
_saveaccountconf "LOG_LEVEL" "$_log_level" _saveaccountconf "LOG_LEVEL" "$_log_level"
fi fi
if [ "$_syslog" ]; then
if _exists logger; then
if [ "$_syslog" = "0" ]; then
_clearaccountconf "SYS_LOG"
else
_saveaccountconf "SYS_LOG" "$_syslog"
fi
else
_err "The 'logger' command is not found, can not enable syslog."
_clearaccountconf "SYS_LOG"
SYS_LOG=""
fi
fi
_processAccountConf _processAccountConf
fi fi

View File

@ -1,6 +1,28 @@
#Using deploy api # Using deploy api
#Using the ssh deploy plugin Here are the scripts to deploy the certs/key to the server/services.
## 1. Deploy the certs to your cpanel host.
(cpanel deploy hook is not finished yet, this is just an example.)
Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
Then you can deploy now:
```sh
export DEPLOY_CPANEL_USER=myusername
export DEPLOY_CPANEL_PASSWORD=PASSWORD
acme.sh --deploy -d example.com --deploy --deploy-hook cpanel
```
## 2. Deploy ssl cert on kong proxy engine based on api.
Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
(TODO)
## 3. Deploy the cert to remote server through SSH access.
The ssh deploy plugin allows you to deploy certificates to a remote host The ssh deploy plugin allows you to deploy certificates to a remote host
using SSH command to connect to the remote server. The ssh plugin is invoked using SSH command to connect to the remote server. The ssh plugin is invoked

29
deploy/cpanel.sh Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env sh
#Here is the script to deploy the cert to your cpanel account by the cpanel APIs.
#returns 0 means success, otherwise error.
#export DEPLOY_CPANEL_USER=myusername
#export DEPLOY_CPANEL_PASSWORD=PASSWORD
######## Public functions #####################
#domain keyfile certfile cafile fullchain
cpanel_deploy() {
_cdomain="$1"
_ckey="$2"
_ccert="$3"
_cca="$4"
_cfullchain="$5"
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
_err "Not implemented yet"
return 1
}

View File

@ -93,7 +93,7 @@ _get_root() {
fi fi
if _contains "$response" "<Name>$h.</Name>"; then if _contains "$response" "<Name>$h.</Name>"; then
hostedzone="$(echo "$response" | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<.HostedZone>")" hostedzone="$(echo "$response" | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<.HostedZone>")"
_debug hostedzone "$hostedzone" _debug hostedzone "$hostedzone"
if [ -z "$hostedzone" ]; then if [ -z "$hostedzone" ]; then
_err "Error, can not get hostedzone." _err "Error, can not get hostedzone."