From ea455f73528b8c9481ca31f3ec557527797bc03a Mon Sep 17 00:00:00 2001 From: theit8514 Date: Mon, 7 Mar 2016 17:09:02 -0500 Subject: [PATCH 01/13] Add post-renew hook for executing commands when certificate was renewed successfully. --- le.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/le.sh b/le.sh index 136d0a32..eec523a4 100755 --- a/le.sh +++ b/le.sh @@ -389,6 +389,9 @@ _initpath() { domainhome="$LE_WORKING_DIR/$domain" mkdir -p "$domainhome" + if [ -z "$DOMAIN_PATH" ] ; then + DOMAIN_PATH="$domainhome" + fi if [ -z "$DOMAIN_CONF" ] ; then DOMAIN_CONF="$domainhome/$Le_Domain.conf" fi @@ -409,6 +412,9 @@ _initpath() { if [ -z "$CA_CERT_PATH" ] ; then CA_CERT_PATH="$domainhome/ca.cer" fi + if [ -z "$POST_RENEW_PATH" ] ; then + POST_RENEW_PATH="$domainhome/post-renew.sh" + fi } @@ -956,6 +962,9 @@ renew() { local res=$? IS_RENEW="" + if [ -x "$POST_RENEW_PATH" -a "$res" -eq "0" ] ; then + (cd $DOMAIN_PATH && exec $POST_RENEW_PATH) + fi return $res } @@ -988,12 +997,14 @@ renewAll() { Le_ReloadCmd="" DOMAIN_CONF="" + DOMAIN_PATH="" DOMAIN_SSL_CONF="" CSR_PATH="" CERT_KEY_PATH="" CERT_PATH="" CA_CERT_PATH="" ACCOUNT_KEY_PATH="" + POST_RENEW_PATH="" wellknown_path="" From eef38fccfe9b60ee52474e5f298ca9d10f288215 Mon Sep 17 00:00:00 2001 From: theit8514 Date: Mon, 7 Mar 2016 22:27:08 -0500 Subject: [PATCH 02/13] Modified code for Le_ReloadCmd --- le.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/le.sh b/le.sh index eec523a4..36092ec4 100755 --- a/le.sh +++ b/le.sh @@ -412,9 +412,6 @@ _initpath() { if [ -z "$CA_CERT_PATH" ] ; then CA_CERT_PATH="$domainhome/ca.cer" fi - if [ -z "$POST_RENEW_PATH" ] ; then - POST_RENEW_PATH="$domainhome/post-renew.sh" - fi } @@ -962,9 +959,6 @@ renew() { local res=$? IS_RENEW="" - if [ -x "$POST_RENEW_PATH" -a "$res" -eq "0" ] ; then - (cd $DOMAIN_PATH && exec $POST_RENEW_PATH) - fi return $res } @@ -996,15 +990,14 @@ renewAll() { Le_ReloadCmd="" - DOMAIN_CONF="" DOMAIN_PATH="" + DOMAIN_CONF="" DOMAIN_SSL_CONF="" CSR_PATH="" CERT_KEY_PATH="" CERT_PATH="" CA_CERT_PATH="" ACCOUNT_KEY_PATH="" - POST_RENEW_PATH="" wellknown_path="" @@ -1061,7 +1054,7 @@ installcert() { if [ "$Le_ReloadCmd" ] ; then _info "Run Le_ReloadCmd: $Le_ReloadCmd" - eval $Le_ReloadCmd + (cd $DOMAIN_PATH && eval $Le_ReloadCmd) fi } From f8029e2e75408caec7ac6c15f7a81a45547f7abc Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 8 Mar 2016 20:18:24 +0800 Subject: [PATCH 03/13] minor --- le.sh | 2602 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 1301 insertions(+), 1301 deletions(-) diff --git a/le.sh b/le.sh index 36092ec4..1b3768d1 100755 --- a/le.sh +++ b/le.sh @@ -1,1301 +1,1301 @@ -#!/usr/bin/env bash -VER=1.1.8 -PROJECT="https://github.com/Neilpang/le" - -DEFAULT_CA="https://acme-v01.api.letsencrypt.org" -DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" - -STAGE_CA="https://acme-staging.api.letsencrypt.org" - -VTYPE_HTTP="http-01" -VTYPE_DNS="dns-01" - -if [ -z "$AGREEMENT" ] ; then - AGREEMENT="$DEFAULT_AGREEMENT" -fi - -_debug() { - - if [ -z "$DEBUG" ] ; then - return - fi - - if [ -z "$2" ] ; then - echo $1 - else - echo "$1"="$2" - fi -} - -_info() { - if [ -z "$2" ] ; then - echo "$1" - else - echo "$1"="$2" - fi -} - -_err() { - if [ -z "$2" ] ; then - echo "$1" >&2 - else - echo "$1"="$2" >&2 - fi - return 1 -} - -_h2b() { - hex=$(cat) - i=1 - j=2 - while [ '1' ] ; do - h=$(printf $hex | cut -c $i-$j) - if [ -z "$h" ] ; then - break; - fi - printf "\x$h" - let "i+=2" - let "j+=2" - done -} - -_base64() { - openssl base64 -e | tr -d '\n' -} - -#domain [2048] -createAccountKey() { - _info "Creating account key" - if [ -z "$1" ] ; then - echo Usage: createAccountKey account-domain [2048] - return - fi - - account=$1 - length=$2 - - if [[ "$length" == "ec-"* ]] ; then - length=2048 - fi - - if [ -z "$2" ] ; then - _info "Use default length 2048" - length=2048 - fi - _initpath - - if [ -f "$ACCOUNT_KEY_PATH" ] ; then - _info "Account key exists, skip" - return - else - #generate account key - openssl genrsa $length > "$ACCOUNT_KEY_PATH" - fi - -} - -#domain length -createDomainKey() { - _info "Creating domain key" - if [ -z "$1" ] ; then - echo Usage: createDomainKey domain [2048] - return - fi - - domain=$1 - length=$2 - isec="" - if [[ "$length" == "ec-"* ]] ; then - isec="1" - length=$(printf $length | cut -d '-' -f 2-100) - eccname="$length" - fi - - if [ -z "$length" ] ; then - if [ "$isec" ] ; then - length=256 - else - length=2048 - fi - fi - _info "Use length $length" - - if [ "$isec" ] ; then - if [ "$length" == "256" ] ; then - eccname="prime256v1" - fi - if [ "$length" == "384" ] ; then - eccname="secp384r1" - fi - if [ "$length" == "521" ] ; then - eccname="secp521r1" - fi - _info "Using ec name: $eccname" - fi - - _initpath $domain - - if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then - #generate account key - if [ "$isec" ] ; then - openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH" - else - openssl genrsa $length 2>/dev/null > "$CERT_KEY_PATH" - fi - else - if [ "$IS_RENEW" ] ; then - _info "Domain key exists, skip" - return 0 - else - _err "Domain key exists, do you want to overwrite the key?" - _err "Set FORCE=1, and try again." - return 1 - fi - fi - -} - -# domain domainlist -createCSR() { - _info "Creating csr" - if [ -z "$1" ] ; then - echo Usage: $0 domain [domainlist] - return - fi - domain=$1 - _initpath $domain - - domainlist=$2 - - if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then - _info "CSR exists, skip" - return - fi - - if [ -z "$domainlist" ] ; then - #single domain - _info "Single domain" $domain - openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" > "$CSR_PATH" - else - alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" - #multi - _info "Multi domain" "$alt" - printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF" - openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" - fi - -} - -_b64() { - __n=$(cat) - echo $__n | tr '/+' '_-' | tr -d '= ' -} - -_time2str() { - #BSD - if date -u -d@$1 2>/dev/null ; then - return - fi - - #Linux - if date -u -r $1 2>/dev/null ; then - return - fi - -} - -_send_signed_request() { - url=$1 - payload=$2 - needbase64=$3 - - _debug url $url - _debug payload "$payload" - - CURL_HEADER="$LE_WORKING_DIR/curl.header" - dp="$LE_WORKING_DIR/curl.dump" - CURL="curl --silent --dump-header $CURL_HEADER " - if [ "$DEBUG" ] ; then - CURL="$CURL --trace-ascii $dp " - fi - payload64=$(echo -n $payload | _base64 | _b64) - _debug payload64 $payload64 - - nonceurl="$API/directory" - nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)" - - _debug nonce "$nonce" - - protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )" - _debug protected "$protected" - - protected64="$(printf "$protected" | _base64 | _b64)" - _debug protected64 "$protected64" - - sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64) - _debug sig "$sig" - - body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" - _debug body "$body" - - if [ "$needbase64" ] ; then - response="$($CURL -X POST --data "$body" $url | _base64)" - else - response="$($CURL -X POST --data "$body" $url)" - fi - - responseHeaders="$(cat $CURL_HEADER)" - - _debug responseHeaders "$responseHeaders" - _debug response "$response" - code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )" - _debug code $code - -} - -_get() { - url="$1" - _debug url $url - response="$(curl --silent $url)" - ret=$? - _debug response "$response" - code="$(echo $response | grep -o '"status":[0-9]\+' | cut -d : -f 2)" - _debug code $code - return $ret -} - -#setopt "file" "opt" "=" "value" [";"] -_setopt() { - __conf="$1" - __opt="$2" - __sep="$3" - __val="$4" - __end="$5" - if [ -z "$__opt" ] ; then - echo usage: _setopt '"file" "opt" "=" "value" [";"]' - return - fi - if [ ! -f "$__conf" ] ; then - touch "$__conf" - fi - - if grep -H -n "^$__opt$__sep" "$__conf" > /dev/null ; then - _debug OK - if [[ "$__val" == *"&"* ]] ; then - __val="$(echo $__val | sed 's/&/\\&/g')" - fi - text="$(cat $__conf)" - printf "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" - - elif grep -H -n "^#$__opt$__sep" "$__conf" > /dev/null ; then - if [[ "$__val" == *"&"* ]] ; then - __val="$(echo $__val | sed 's/&/\\&/g')" - fi - text="$(cat $__conf)" - printf "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" - - else - _debug APP - echo "$__opt$__sep$__val$__end" >> "$__conf" - fi - _debug "$(grep -H -n "^$__opt$__sep" $__conf)" -} - -#_savedomainconf key value -#save to domain.conf -_savedomainconf() { - key="$1" - value="$2" - if [ "$DOMAIN_CONF" ] ; then - _setopt $DOMAIN_CONF "$key" "=" "$value" - else - _err "DOMAIN_CONF is empty, can not save $key=$value" - fi -} - -#_saveaccountconf key value -_saveaccountconf() { - key="$1" - value="$2" - if [ "$ACCOUNT_CONF_PATH" ] ; then - _setopt $ACCOUNT_CONF_PATH "$key" "=" "$value" - else - _err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" - fi -} - -_startserver() { - content="$1" - _NC="nc -q 1" - if nc -h 2>&1 | grep "nmap.org/ncat" >/dev/null ; then - _NC="nc" - fi -# while true ; do - if [ "$DEBUG" ] ; then - echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort -vv - else - echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort > /dev/null - fi -# done -} - -_stopserver() { - pid="$1" - -} - -_initpath() { - - if [ -z "$LE_WORKING_DIR" ]; then - LE_WORKING_DIR=$HOME/.le - fi - - if [ -z "$ACCOUNT_CONF_PATH" ] ; then - ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf" - fi - - if [ -f "$ACCOUNT_CONF_PATH" ] ; then - source "$ACCOUNT_CONF_PATH" - fi - - if [ -z "$API" ] ; then - if [ -z "$STAGE" ] ; then - API="$DEFAULT_CA" - else - API="$STAGE_CA" - _info "Using stage api:$API" - fi - fi - - if [ -z "$ACME_DIR" ] ; then - ACME_DIR="/home/.acme" - fi - - if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then - APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/" - fi - - domain="$1" - mkdir -p "$LE_WORKING_DIR" - - if [ -z "$ACCOUNT_KEY_PATH" ] ; then - ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" - fi - - if [ -z "$domain" ] ; then - return 0 - fi - - domainhome="$LE_WORKING_DIR/$domain" - mkdir -p "$domainhome" - - if [ -z "$DOMAIN_PATH" ] ; then - DOMAIN_PATH="$domainhome" - fi - if [ -z "$DOMAIN_CONF" ] ; then - DOMAIN_CONF="$domainhome/$Le_Domain.conf" - fi - - if [ -z "$DOMAIN_SSL_CONF" ] ; then - DOMAIN_SSL_CONF="$domainhome/$Le_Domain.ssl.conf" - fi - - if [ -z "$CSR_PATH" ] ; then - CSR_PATH="$domainhome/$domain.csr" - fi - if [ -z "$CERT_KEY_PATH" ] ; then - CERT_KEY_PATH="$domainhome/$domain.key" - fi - if [ -z "$CERT_PATH" ] ; then - CERT_PATH="$domainhome/$domain.cer" - fi - if [ -z "$CA_CERT_PATH" ] ; then - CA_CERT_PATH="$domainhome/ca.cer" - fi - -} - - -_apachePath() { - httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )" - httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )" - httpdconf="$httpdroot/$httpdconfname" - if [ ! -f $httpdconf ] ; then - _err "Apache Config file not found" $httpdconf - return 1 - fi - return 0 -} - -_restoreApache() { - if [ -z "$usingApache" ] ; then - return 0 - fi - _initpath - if ! _apachePath ; then - return 1 - fi - - if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then - _debug "No config file to restore." - return 0 - fi - - cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" - if ! apachectl -t ; then - _err "Sorry, restore apache config error, please contact me." - return 1; - fi - rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" - return 0 -} - -_setApache() { - _initpath - if ! _apachePath ; then - return 1 - fi - - #backup the conf - _debug "Backup apache config file" $httpdconf - cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/ - _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" - _info "In case there is an error that can not be restored automatically, you may try restore it yourself." - _info "The backup file will be deleted on sucess, just forget it." - - #add alias - echo " -Alias /.well-known/acme-challenge $ACME_DIR - - -Require all granted - - " >> $httpdconf - - if ! apachectl -t ; then - _err "Sorry, apache config error, please contact me." - _restoreApache - return 1; - fi - - if [ ! -d "$ACME_DIR" ] ; then - mkdir -p "$ACME_DIR" - chmod 755 "$ACME_DIR" - fi - - if ! apachectl graceful ; then - _err "Sorry, apachectl graceful error, please contact me." - _restoreApache - return 1; - fi - usingApache="1" - return 0 -} - -_clearup () { - _stopserver $serverproc - serverproc="" - _restoreApache -} - -# webroot removelevel tokenfile -_clearupwebbroot() { - __webroot="$1" - if [ -z "$__webroot" ] ; then - _debug "no webroot specified, skip" - return 0 - fi - - if [ "$2" == '1' ] ; then - _debug "remove $__webroot/.well-known" - rm -rf "$__webroot/.well-known" - elif [ "$2" == '2' ] ; then - _debug "remove $__webroot/.well-known/acme-challenge" - rm -rf "$__webroot/.well-known/acme-challenge" - elif [ "$2" == '3' ] ; then - _debug "remove $__webroot/.well-known/acme-challenge/$3" - rm -rf "$__webroot/.well-known/acme-challenge/$3" - else - _info "Skip for removelevel:$2" - fi - - return 0 - -} - -issue() { - if [ -z "$2" ] ; then - _err "Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no" - return 1 - fi - Le_Webroot="$1" - Le_Domain="$2" - Le_Alt="$3" - Le_Keylength="$4" - Le_RealCertPath="$5" - Le_RealKeyPath="$6" - Le_RealCACertPath="$7" - Le_ReloadCmd="$8" - - - _initpath $Le_Domain - - if [ -f "$DOMAIN_CONF" ] ; then - Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2) - if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then - _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)" - return 2 - fi - fi - - if [ "$Le_Alt" == "no" ] ; then - Le_Alt="" - fi - if [ "$Le_Keylength" == "no" ] ; then - Le_Keylength="" - fi - if [ "$Le_RealCertPath" == "no" ] ; then - Le_RealCertPath="" - fi - if [ "$Le_RealKeyPath" == "no" ] ; then - Le_RealKeyPath="" - fi - if [ "$Le_RealCACertPath" == "no" ] ; then - Le_RealCACertPath="" - fi - if [ "$Le_ReloadCmd" == "no" ] ; then - Le_ReloadCmd="" - fi - - _setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain" - _setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt" - _setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot" - _setopt "$DOMAIN_CONF" "Le_Keylength" "=" "$Le_Keylength" - _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" - _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" - - if [ "$Le_Webroot" == "no" ] ; then - _info "Standalone mode." - if ! command -v "nc" > /dev/null ; then - _err "Please install netcat(nc) tools first." - return 1 - fi - - if [ -z "$Le_HTTPPort" ] ; then - Le_HTTPPort=80 - fi - _setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort" - - netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")" - if [ "$netprc" ] ; then - _err "$netprc" - _err "tcp port $Le_HTTPPort is already used by $(echo "$netprc" | cut -d : -f 4)" - _err "Please stop it first" - return 1 - fi - fi - - if [ "$Le_Webroot" == "apache" ] ; then - if ! _setApache ; then - _err "set up apache error. Report error to me." - return 1 - fi - wellknown_path="$ACME_DIR" - else - usingApache="" - fi - - createAccountKey $Le_Domain $Le_Keylength - - if ! createDomainKey $Le_Domain $Le_Keylength ; then - _err "Create domain key error." - return 1 - fi - - if ! createCSR $Le_Domain $Le_Alt ; then - _err "Create CSR error." - return 1 - fi - - pub_exp=$(openssl rsa -in $ACCOUNT_KEY_PATH -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) - if [ "${#pub_exp}" == "5" ] ; then - pub_exp=0$pub_exp - fi - _debug pub_exp "$pub_exp" - - e=$(echo $pub_exp | _h2b | _base64) - _debug e "$e" - - modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 ) - n=$(echo $modulus| _h2b | _base64 | _b64 ) - - jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' - - HEADER='{"alg": "RS256", "jwk": '$jwk'}' - HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}' - _debug HEADER "$HEADER" - - accountkey_json=$(echo -n "$jwk" | tr -d ' ' ) - thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64) - - - _info "Registering account" - regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}' - if [ "$ACCOUNT_EMAIL" ] ; then - regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}' - fi - _send_signed_request "$API/acme/new-reg" "$regjson" - - if [ "$code" == "" ] || [ "$code" == '201' ] ; then - _info "Registered" - echo $response > $LE_WORKING_DIR/account.json - elif [ "$code" == '409' ] ; then - _info "Already registered" - else - _err "Register account Error." - _clearup - return 1 - fi - - vtype="$VTYPE_HTTP" - if [[ "$Le_Webroot" == "dns"* ]] ; then - vtype="$VTYPE_DNS" - fi - - vlist="$Le_Vlist" - # verify each domain - _info "Verify each domain" - sep='#' - if [ -z "$vlist" ] ; then - alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) - for d in $alldomains - do - _info "Getting token for domain" $d - _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" - if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then - _err "new-authz error: $response" - _clearup - return 1 - fi - - entry="$(printf $response | egrep -o '{[^{]*"type":"'$vtype'"[^}]*')" - _debug entry "$entry" - - token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" - _debug token $token - - uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" - _debug uri $uri - - keyauthorization="$token.$thumbprint" - _debug keyauthorization "$keyauthorization" - - dvlist="$d$sep$keyauthorization$sep$uri" - _debug dvlist "$dvlist" - - vlist="$vlist$dvlist," - - done - - #add entry - dnsadded="" - ventries=$(echo "$vlist" | tr ',' ' ' ) - for ventry in $ventries - do - d=$(echo $ventry | cut -d $sep -f 1) - keyauthorization=$(echo $ventry | cut -d $sep -f 2) - - if [ "$vtype" == "$VTYPE_DNS" ] ; then - dnsadded='0' - txtdomain="_acme-challenge.$d" - _debug txtdomain "$txtdomain" - txt="$(echo -e -n $keyauthorization | openssl dgst -sha256 -binary | _base64 | _b64)" - _debug txt "$txt" - #dns - #1. check use api - d_api="" - if [ -f "$LE_WORKING_DIR/$d/$Le_Webroot" ] ; then - d_api="$LE_WORKING_DIR/$d/$Le_Webroot" - elif [ -f "$LE_WORKING_DIR/$d/$Le_Webroot.sh" ] ; then - d_api="$LE_WORKING_DIR/$d/$Le_Webroot.sh" - elif [ -f "$LE_WORKING_DIR/$Le_Webroot" ] ; then - d_api="$LE_WORKING_DIR/$Le_Webroot" - elif [ -f "$LE_WORKING_DIR/$Le_Webroot.sh" ] ; then - d_api="$LE_WORKING_DIR/$Le_Webroot.sh" - elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot" ] ; then - d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot" - elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" ] ; then - d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" - fi - _debug d_api "$d_api" - - if [ "$d_api" ]; then - _info "Found domain api file: $d_api" - else - _err "Add the following TXT record:" - _err "Domain: $txtdomain" - _err "TXT value: $txt" - _err "Please be aware that you prepend _acme-challenge. before your domain" - _err "so the resulting subdomain will be: $txtdomain" - continue - fi - - if ! source $d_api ; then - _err "Load file $d_api error. Please check your api file and try again." - return 1 - fi - - addcommand="$Le_Webroot-add" - if ! command -v $addcommand ; then - _err "It seems that your api file is not correct, it must have a function named: $Le_Webroot" - return 1 - fi - - if ! $addcommand $txtdomain $txt ; then - _err "Error add txt for domain:$txtdomain" - return 1 - fi - dnsadded='1' - fi - done - - if [ "$dnsadded" == '0' ] ; then - _setopt "$DOMAIN_CONF" "Le_Vlist" "=" "\"$vlist\"" - _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." - _err "Please add the TXT records to the domains, and retry again." - return 1 - fi - - fi - - if [ "$dnsadded" == '1' ] ; then - _info "Sleep 60 seconds for the txt records to take effect" - sleep 60 - fi - - _debug "ok, let's start to verify" - ventries=$(echo "$vlist" | tr ',' ' ' ) - for ventry in $ventries - do - d=$(echo $ventry | cut -d $sep -f 1) - keyauthorization=$(echo $ventry | cut -d $sep -f 2) - uri=$(echo $ventry | cut -d $sep -f 3) - _info "Verifying:$d" - _debug "d" "$d" - _debug "keyauthorization" "$keyauthorization" - _debug "uri" "$uri" - removelevel="" - token="" - if [ "$vtype" == "$VTYPE_HTTP" ] ; then - if [ "$Le_Webroot" == "no" ] ; then - _info "Standalone mode server" - _startserver "$keyauthorization" & - serverproc="$!" - sleep 2 - _debug serverproc $serverproc - else - if [ -z "$wellknown_path" ] ; then - wellknown_path="$Le_Webroot/.well-known/acme-challenge" - fi - _debug wellknown_path "$wellknown_path" - - if [ ! -d "$Le_Webroot/.well-known" ] ; then - removelevel='1' - elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then - removelevel='2' - else - removelevel='3' - fi - - token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)" - _debug "writing token:$token to $wellknown_path/$token" - - mkdir -p "$wellknown_path" - echo -n "$keyauthorization" > "$wellknown_path/$token" - - webroot_owner=$(stat -c '%U:%G' $Le_Webroot) - _debug "Changing owner/group of .well-known to $webroot_owner" - chown -R $webroot_owner "$Le_Webroot/.well-known" - - fi - fi - - _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" - - if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then - _err "$d:Challenge error: $resource" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1 - fi - - while [ "1" ] ; do - _debug "sleep 5 secs to verify" - sleep 5 - _debug "checking" - - if ! _get $uri ; then - _err "$d:Verify error:$resource" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1 - fi - - status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"') - if [ "$status" == "valid" ] ; then - _info "Success" - _stopserver $serverproc - serverproc="" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - break; - fi - - if [ "$status" == "invalid" ] ; then - error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) - _err "$d:Verify error:$error" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1; - fi - - if [ "$status" == "pending" ] ; then - _info "Pending" - else - _err "$d:Verify error:$response" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1 - fi - - done - - done - - _clearup - _info "Verify finished, start to sign." - der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)" - _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" - - - Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)" - _setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert" - - if [ "$Le_LinkCert" ] ; then - echo -----BEGIN CERTIFICATE----- > "$CERT_PATH" - curl --silent "$Le_LinkCert" | openssl base64 -e >> "$CERT_PATH" - echo -----END CERTIFICATE----- >> "$CERT_PATH" - _info "Cert success." - cat "$CERT_PATH" - - _info "Your cert is in $CERT_PATH" - fi - - - if [ -z "$Le_LinkCert" ] ; then - response="$(echo $response | openssl base64 -d -A)" - _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" - return 1 - fi - - _setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\"" - - Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' ) - _setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer" - - if [ "$Le_LinkIssuer" ] ; then - echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH" - curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH" - echo -----END CERTIFICATE----- >> "$CA_CERT_PATH" - _info "The intermediate CA cert is in $CA_CERT_PATH" - fi - - Le_CertCreateTime=$(date -u "+%s") - _setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime" - - Le_CertCreateTimeStr=$(date -u ) - _setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\"" - - if [ ! "$Le_RenewalDays" ] ; then - Le_RenewalDays=80 - fi - - _setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays" - - let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60" - _setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime" - - Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime ) - _setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\"" - - - installcert $Le_Domain "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" - -} - -renew() { - Le_Domain="$1" - if [ -z "$Le_Domain" ] ; then - _err "Usage: $0 domain.com" - return 1 - fi - - _initpath $Le_Domain - - if [ ! -f "$DOMAIN_CONF" ] ; then - _info "$Le_Domain is not a issued domain, skip." - return 0; - fi - - source "$DOMAIN_CONF" - if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then - _info "Skip, Next renewal time is: $Le_NextRenewTimeStr" - return 2 - fi - - IS_RENEW="1" - issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" - local res=$? - IS_RENEW="" - - return $res -} - -renewAll() { - _initpath - _info "renewAll" - - for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do - d=$(echo $d | cut -d '/' -f 1) - _info "renew $d" - - Le_LinkCert="" - Le_Domain="" - Le_Alt="" - Le_Webroot="" - Le_Keylength="" - Le_LinkIssuer="" - - Le_CertCreateTime="" - Le_CertCreateTimeStr="" - Le_RenewalDays="" - Le_NextRenewTime="" - Le_NextRenewTimeStr="" - - Le_RealCertPath="" - Le_RealKeyPath="" - - Le_RealCACertPath="" - - Le_ReloadCmd="" - - DOMAIN_PATH="" - DOMAIN_CONF="" - DOMAIN_SSL_CONF="" - CSR_PATH="" - CERT_KEY_PATH="" - CERT_PATH="" - CA_CERT_PATH="" - ACCOUNT_KEY_PATH="" - - wellknown_path="" - - renew "$d" - done - -} - -installcert() { - Le_Domain="$1" - if [ -z "$Le_Domain" ] ; then - _err "Usage: $0 domain.com [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no" - return 1 - fi - - Le_RealCertPath="$2" - Le_RealKeyPath="$3" - Le_RealCACertPath="$4" - Le_ReloadCmd="$5" - - _initpath $Le_Domain - - _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" - _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" - - if [ "$Le_RealCertPath" ] ; then - if [ -f "$Le_RealCertPath" ] ; then - cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak - fi - cat "$CERT_PATH" > "$Le_RealCertPath" - fi - - if [ "$Le_RealCACertPath" ] ; then - if [ -f "$Le_RealCACertPath" ] ; then - cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak - fi - if [ "$Le_RealCACertPath" == "$Le_RealCertPath" ] ; then - echo "" >> "$Le_RealCACertPath" - cat "$CA_CERT_PATH" >> "$Le_RealCACertPath" - else - cat "$CA_CERT_PATH" > "$Le_RealCACertPath" - fi - fi - - - if [ "$Le_RealKeyPath" ] ; then - if [ -f "$Le_RealKeyPath" ] ; then - cp -p "$Le_RealKeyPath" "$Le_RealKeyPath".bak - fi - cat "$CERT_KEY_PATH" > "$Le_RealKeyPath" - fi - - if [ "$Le_ReloadCmd" ] ; then - _info "Run Le_ReloadCmd: $Le_ReloadCmd" - (cd $DOMAIN_PATH && eval $Le_ReloadCmd) - fi - -} - -installcronjob() { - _initpath - _info "Installing cron job" - if ! crontab -l | grep 'le.sh cron' ; then - if [ -f "$LE_WORKING_DIR/le.sh" ] ; then - lesh="\"$LE_WORKING_DIR\"/le.sh" - else - _err "Can not install cronjob, le.sh not found." - return 1 - fi - crontab -l | { cat; echo "0 0 * * * LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null"; } | crontab - - fi - return 0 -} - -uninstallcronjob() { - _info "Removing cron job" - cr="$(crontab -l | grep 'le.sh cron')" - if [ "$cr" ] ; then - crontab -l | sed "/le.sh cron/d" | crontab - - LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')" - _info LE_WORKING_DIR "$LE_WORKING_DIR" - fi - _initpath - -} - - -# Detect profile file if not specified as environment variable -_detect_profile() { - if [ -n "$PROFILE" -a -f "$PROFILE" ]; then - echo "$PROFILE" - return - fi - - local DETECTED_PROFILE - DETECTED_PROFILE='' - local SHELLTYPE - SHELLTYPE="$(basename "/$SHELL")" - - if [ "$SHELLTYPE" = "bash" ]; then - if [ -f "$HOME/.bashrc" ]; then - DETECTED_PROFILE="$HOME/.bashrc" - elif [ -f "$HOME/.bash_profile" ]; then - DETECTED_PROFILE="$HOME/.bash_profile" - fi - elif [ "$SHELLTYPE" = "zsh" ]; then - DETECTED_PROFILE="$HOME/.zshrc" - fi - - if [ -z "$DETECTED_PROFILE" ]; then - if [ -f "$HOME/.profile" ]; then - DETECTED_PROFILE="$HOME/.profile" - elif [ -f "$HOME/.bashrc" ]; then - DETECTED_PROFILE="$HOME/.bashrc" - elif [ -f "$HOME/.bash_profile" ]; then - DETECTED_PROFILE="$HOME/.bash_profile" - elif [ -f "$HOME/.zshrc" ]; then - DETECTED_PROFILE="$HOME/.zshrc" - fi - fi - - if [ ! -z "$DETECTED_PROFILE" ]; then - echo "$DETECTED_PROFILE" - fi -} - -_initconf() { - _initpath - if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then - echo "#Account configurations: -#Here are the supported macros, uncomment them to make them take effect. -#ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account. - -#STAGE=1 # Use the staging api -#FORCE=1 # Force to issue cert -#DEBUG=1 # Debug mode - -#dns api -####################### -#Cloudflare: -#api key -#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" -#account email -#CF_Email="xxxx@sss.com" - -####################### -#Dnspod.cn: -#api key id -#DP_Id="1234" -#api key -#DP_Key="sADDsdasdgdsf" - -####################### -#Cloudxns.com: -#CX_Key="1234" -# -#CX_Secret="sADDsdasdgdsf" - - " > $ACCOUNT_CONF_PATH - fi -} - -install() { - _initpath - - #check if there is sudo installed, AND if the current user is a sudoer. - if command -v sudo > /dev/null ; then - if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then - SUDO=sudo - fi - fi - - if command -v yum > /dev/null ; then - YUM="1" - INSTALL="$SUDO yum install -y " - elif command -v apt-get > /dev/null ; then - INSTALL="$SUDO apt-get install -y " - fi - - if ! command -v "curl" > /dev/null ; then - _err "Please install curl first." - _err "$INSTALL curl" - return 1 - fi - - if ! command -v "crontab" > /dev/null ; then - _err "Please install crontab first." - if [ "$YUM" ] ; then - _err "$INSTALL crontabs" - else - _err "$INSTALL crontab" - fi - return 1 - fi - - if ! command -v "openssl" > /dev/null ; then - _err "Please install openssl first." - _err "$INSTALL openssl" - return 1 - fi - - _info "Installing to $LE_WORKING_DIR" - - _info "Installed to $LE_WORKING_DIR/le.sh" - cp le.sh $LE_WORKING_DIR/ - chmod +x $LE_WORKING_DIR/le.sh - - _profile="$(_detect_profile)" - if [ "$_profile" ] ; then - _debug "Found profile: $_profile" - - echo "LE_WORKING_DIR=$LE_WORKING_DIR -alias le=\"$LE_WORKING_DIR/le.sh\" -alias le.sh=\"$LE_WORKING_DIR/le.sh\" - " > "$LE_WORKING_DIR/le.env" - - _setopt "$_profile" "source \"$LE_WORKING_DIR/le.env\"" - _info "OK, Close and reopen your terminal to start using le" - else - _info "No profile is found, you will need to go into $LE_WORKING_DIR to use le.sh" - fi - - mkdir -p $LE_WORKING_DIR/dnsapi - cp dnsapi/* $LE_WORKING_DIR/dnsapi/ - - #to keep compatible mv the .acc file to .key file - if [ -f "$LE_WORKING_DIR/account.acc" ] ; then - mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key" - fi - - installcronjob - - if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then - _initconf - fi - _info OK -} - -uninstall() { - uninstallcronjob - _initpath - - _profile="$(_detect_profile)" - if [ "$_profile" ] ; then - sed -i /le.env/d "$_profile" - fi - - rm -f $LE_WORKING_DIR/le.sh - _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself." - -} - -cron() { - renewAll -} - -version() { - _info "$PROJECT" - _info "v$VER" -} - -showhelp() { - version - echo "Usage: le.sh [command] ...[args].... -Avalible commands: - -install: - Install le.sh to your system. -issue: - Issue a cert. -installcert: - Install the issued cert to apache/nginx or any other server. -renew: - Renew a cert. -renewAll: - Renew all the certs. -uninstall: - Uninstall le.sh, and uninstall the cron job. -version: - Show version info. -installcronjob: - Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job. -uninstallcronjob: - Uninstall the cron job. The 'uninstall' command can do this automatically. -createAccountKey: - Create an account private key, professional use. -createDomainKey: - Create an domain private key, professional use. -createCSR: - Create CSR , professional use. - " -} - - -if [ -z "$1" ] ; then - showhelp -else - "$@" -fi +#!/usr/bin/env bash +VER=1.1.8 +PROJECT="https://github.com/Neilpang/le" + +DEFAULT_CA="https://acme-v01.api.letsencrypt.org" +DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" + +STAGE_CA="https://acme-staging.api.letsencrypt.org" + +VTYPE_HTTP="http-01" +VTYPE_DNS="dns-01" + +if [ -z "$AGREEMENT" ] ; then + AGREEMENT="$DEFAULT_AGREEMENT" +fi + +_debug() { + + if [ -z "$DEBUG" ] ; then + return + fi + + if [ -z "$2" ] ; then + echo $1 + else + echo "$1"="$2" + fi +} + +_info() { + if [ -z "$2" ] ; then + echo "$1" + else + echo "$1"="$2" + fi +} + +_err() { + if [ -z "$2" ] ; then + echo "$1" >&2 + else + echo "$1"="$2" >&2 + fi + return 1 +} + +_h2b() { + hex=$(cat) + i=1 + j=2 + while [ '1' ] ; do + h=$(printf $hex | cut -c $i-$j) + if [ -z "$h" ] ; then + break; + fi + printf "\x$h" + let "i+=2" + let "j+=2" + done +} + +_base64() { + openssl base64 -e | tr -d '\n' +} + +#domain [2048] +createAccountKey() { + _info "Creating account key" + if [ -z "$1" ] ; then + echo Usage: createAccountKey account-domain [2048] + return + fi + + account=$1 + length=$2 + + if [[ "$length" == "ec-"* ]] ; then + length=2048 + fi + + if [ -z "$2" ] ; then + _info "Use default length 2048" + length=2048 + fi + _initpath + + if [ -f "$ACCOUNT_KEY_PATH" ] ; then + _info "Account key exists, skip" + return + else + #generate account key + openssl genrsa $length > "$ACCOUNT_KEY_PATH" + fi + +} + +#domain length +createDomainKey() { + _info "Creating domain key" + if [ -z "$1" ] ; then + echo Usage: createDomainKey domain [2048] + return + fi + + domain=$1 + length=$2 + isec="" + if [[ "$length" == "ec-"* ]] ; then + isec="1" + length=$(printf $length | cut -d '-' -f 2-100) + eccname="$length" + fi + + if [ -z "$length" ] ; then + if [ "$isec" ] ; then + length=256 + else + length=2048 + fi + fi + _info "Use length $length" + + if [ "$isec" ] ; then + if [ "$length" == "256" ] ; then + eccname="prime256v1" + fi + if [ "$length" == "384" ] ; then + eccname="secp384r1" + fi + if [ "$length" == "521" ] ; then + eccname="secp521r1" + fi + _info "Using ec name: $eccname" + fi + + _initpath $domain + + if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then + #generate account key + if [ "$isec" ] ; then + openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH" + else + openssl genrsa $length 2>/dev/null > "$CERT_KEY_PATH" + fi + else + if [ "$IS_RENEW" ] ; then + _info "Domain key exists, skip" + return 0 + else + _err "Domain key exists, do you want to overwrite the key?" + _err "Set FORCE=1, and try again." + return 1 + fi + fi + +} + +# domain domainlist +createCSR() { + _info "Creating csr" + if [ -z "$1" ] ; then + echo Usage: $0 domain [domainlist] + return + fi + domain=$1 + _initpath $domain + + domainlist=$2 + + if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then + _info "CSR exists, skip" + return + fi + + if [ -z "$domainlist" ] ; then + #single domain + _info "Single domain" $domain + openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" > "$CSR_PATH" + else + alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" + #multi + _info "Multi domain" "$alt" + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF" + openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" + fi + +} + +_b64() { + __n=$(cat) + echo $__n | tr '/+' '_-' | tr -d '= ' +} + +_time2str() { + #BSD + if date -u -d@$1 2>/dev/null ; then + return + fi + + #Linux + if date -u -r $1 2>/dev/null ; then + return + fi + +} + +_send_signed_request() { + url=$1 + payload=$2 + needbase64=$3 + + _debug url $url + _debug payload "$payload" + + CURL_HEADER="$LE_WORKING_DIR/curl.header" + dp="$LE_WORKING_DIR/curl.dump" + CURL="curl --silent --dump-header $CURL_HEADER " + if [ "$DEBUG" ] ; then + CURL="$CURL --trace-ascii $dp " + fi + payload64=$(echo -n $payload | _base64 | _b64) + _debug payload64 $payload64 + + nonceurl="$API/directory" + nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)" + + _debug nonce "$nonce" + + protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )" + _debug protected "$protected" + + protected64="$(printf "$protected" | _base64 | _b64)" + _debug protected64 "$protected64" + + sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64) + _debug sig "$sig" + + body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" + _debug body "$body" + + if [ "$needbase64" ] ; then + response="$($CURL -X POST --data "$body" $url | _base64)" + else + response="$($CURL -X POST --data "$body" $url)" + fi + + responseHeaders="$(cat $CURL_HEADER)" + + _debug responseHeaders "$responseHeaders" + _debug response "$response" + code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )" + _debug code $code + +} + +_get() { + url="$1" + _debug url $url + response="$(curl --silent $url)" + ret=$? + _debug response "$response" + code="$(echo $response | grep -o '"status":[0-9]\+' | cut -d : -f 2)" + _debug code $code + return $ret +} + +#setopt "file" "opt" "=" "value" [";"] +_setopt() { + __conf="$1" + __opt="$2" + __sep="$3" + __val="$4" + __end="$5" + if [ -z "$__opt" ] ; then + echo usage: _setopt '"file" "opt" "=" "value" [";"]' + return + fi + if [ ! -f "$__conf" ] ; then + touch "$__conf" + fi + + if grep -H -n "^$__opt$__sep" "$__conf" > /dev/null ; then + _debug OK + if [[ "$__val" == *"&"* ]] ; then + __val="$(echo $__val | sed 's/&/\\&/g')" + fi + text="$(cat $__conf)" + printf "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" + + elif grep -H -n "^#$__opt$__sep" "$__conf" > /dev/null ; then + if [[ "$__val" == *"&"* ]] ; then + __val="$(echo $__val | sed 's/&/\\&/g')" + fi + text="$(cat $__conf)" + printf "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" + + else + _debug APP + echo "$__opt$__sep$__val$__end" >> "$__conf" + fi + _debug "$(grep -H -n "^$__opt$__sep" $__conf)" +} + +#_savedomainconf key value +#save to domain.conf +_savedomainconf() { + key="$1" + value="$2" + if [ "$DOMAIN_CONF" ] ; then + _setopt $DOMAIN_CONF "$key" "=" "$value" + else + _err "DOMAIN_CONF is empty, can not save $key=$value" + fi +} + +#_saveaccountconf key value +_saveaccountconf() { + key="$1" + value="$2" + if [ "$ACCOUNT_CONF_PATH" ] ; then + _setopt $ACCOUNT_CONF_PATH "$key" "=" "$value" + else + _err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" + fi +} + +_startserver() { + content="$1" + _NC="nc -q 1" + if nc -h 2>&1 | grep "nmap.org/ncat" >/dev/null ; then + _NC="nc" + fi +# while true ; do + if [ "$DEBUG" ] ; then + echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort -vv + else + echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort > /dev/null + fi +# done +} + +_stopserver() { + pid="$1" + +} + +_initpath() { + + if [ -z "$LE_WORKING_DIR" ]; then + LE_WORKING_DIR=$HOME/.le + fi + + if [ -z "$ACCOUNT_CONF_PATH" ] ; then + ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf" + fi + + if [ -f "$ACCOUNT_CONF_PATH" ] ; then + source "$ACCOUNT_CONF_PATH" + fi + + if [ -z "$API" ] ; then + if [ -z "$STAGE" ] ; then + API="$DEFAULT_CA" + else + API="$STAGE_CA" + _info "Using stage api:$API" + fi + fi + + if [ -z "$ACME_DIR" ] ; then + ACME_DIR="/home/.acme" + fi + + if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then + APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/" + fi + + domain="$1" + mkdir -p "$LE_WORKING_DIR" + + if [ -z "$ACCOUNT_KEY_PATH" ] ; then + ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" + fi + + if [ -z "$domain" ] ; then + return 0 + fi + + domainhome="$LE_WORKING_DIR/$domain" + mkdir -p "$domainhome" + + if [ -z "$DOMAIN_PATH" ] ; then + DOMAIN_PATH="$domainhome" + fi + if [ -z "$DOMAIN_CONF" ] ; then + DOMAIN_CONF="$domainhome/$Le_Domain.conf" + fi + + if [ -z "$DOMAIN_SSL_CONF" ] ; then + DOMAIN_SSL_CONF="$domainhome/$Le_Domain.ssl.conf" + fi + + if [ -z "$CSR_PATH" ] ; then + CSR_PATH="$domainhome/$domain.csr" + fi + if [ -z "$CERT_KEY_PATH" ] ; then + CERT_KEY_PATH="$domainhome/$domain.key" + fi + if [ -z "$CERT_PATH" ] ; then + CERT_PATH="$domainhome/$domain.cer" + fi + if [ -z "$CA_CERT_PATH" ] ; then + CA_CERT_PATH="$domainhome/ca.cer" + fi + +} + + +_apachePath() { + httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )" + httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )" + httpdconf="$httpdroot/$httpdconfname" + if [ ! -f $httpdconf ] ; then + _err "Apache Config file not found" $httpdconf + return 1 + fi + return 0 +} + +_restoreApache() { + if [ -z "$usingApache" ] ; then + return 0 + fi + _initpath + if ! _apachePath ; then + return 1 + fi + + if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then + _debug "No config file to restore." + return 0 + fi + + cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" + if ! apachectl -t ; then + _err "Sorry, restore apache config error, please contact me." + return 1; + fi + rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" + return 0 +} + +_setApache() { + _initpath + if ! _apachePath ; then + return 1 + fi + + #backup the conf + _debug "Backup apache config file" $httpdconf + cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/ + _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" + _info "In case there is an error that can not be restored automatically, you may try restore it yourself." + _info "The backup file will be deleted on sucess, just forget it." + + #add alias + echo " +Alias /.well-known/acme-challenge $ACME_DIR + + +Require all granted + + " >> $httpdconf + + if ! apachectl -t ; then + _err "Sorry, apache config error, please contact me." + _restoreApache + return 1; + fi + + if [ ! -d "$ACME_DIR" ] ; then + mkdir -p "$ACME_DIR" + chmod 755 "$ACME_DIR" + fi + + if ! apachectl graceful ; then + _err "Sorry, apachectl graceful error, please contact me." + _restoreApache + return 1; + fi + usingApache="1" + return 0 +} + +_clearup () { + _stopserver $serverproc + serverproc="" + _restoreApache +} + +# webroot removelevel tokenfile +_clearupwebbroot() { + __webroot="$1" + if [ -z "$__webroot" ] ; then + _debug "no webroot specified, skip" + return 0 + fi + + if [ "$2" == '1' ] ; then + _debug "remove $__webroot/.well-known" + rm -rf "$__webroot/.well-known" + elif [ "$2" == '2' ] ; then + _debug "remove $__webroot/.well-known/acme-challenge" + rm -rf "$__webroot/.well-known/acme-challenge" + elif [ "$2" == '3' ] ; then + _debug "remove $__webroot/.well-known/acme-challenge/$3" + rm -rf "$__webroot/.well-known/acme-challenge/$3" + else + _info "Skip for removelevel:$2" + fi + + return 0 + +} + +issue() { + if [ -z "$2" ] ; then + _err "Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no" + return 1 + fi + Le_Webroot="$1" + Le_Domain="$2" + Le_Alt="$3" + Le_Keylength="$4" + Le_RealCertPath="$5" + Le_RealKeyPath="$6" + Le_RealCACertPath="$7" + Le_ReloadCmd="$8" + + + _initpath $Le_Domain + + if [ -f "$DOMAIN_CONF" ] ; then + Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2) + if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then + _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)" + return 2 + fi + fi + + if [ "$Le_Alt" == "no" ] ; then + Le_Alt="" + fi + if [ "$Le_Keylength" == "no" ] ; then + Le_Keylength="" + fi + if [ "$Le_RealCertPath" == "no" ] ; then + Le_RealCertPath="" + fi + if [ "$Le_RealKeyPath" == "no" ] ; then + Le_RealKeyPath="" + fi + if [ "$Le_RealCACertPath" == "no" ] ; then + Le_RealCACertPath="" + fi + if [ "$Le_ReloadCmd" == "no" ] ; then + Le_ReloadCmd="" + fi + + _setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain" + _setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt" + _setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot" + _setopt "$DOMAIN_CONF" "Le_Keylength" "=" "$Le_Keylength" + _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" + _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" + + if [ "$Le_Webroot" == "no" ] ; then + _info "Standalone mode." + if ! command -v "nc" > /dev/null ; then + _err "Please install netcat(nc) tools first." + return 1 + fi + + if [ -z "$Le_HTTPPort" ] ; then + Le_HTTPPort=80 + fi + _setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort" + + netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")" + if [ "$netprc" ] ; then + _err "$netprc" + _err "tcp port $Le_HTTPPort is already used by $(echo "$netprc" | cut -d : -f 4)" + _err "Please stop it first" + return 1 + fi + fi + + if [ "$Le_Webroot" == "apache" ] ; then + if ! _setApache ; then + _err "set up apache error. Report error to me." + return 1 + fi + wellknown_path="$ACME_DIR" + else + usingApache="" + fi + + createAccountKey $Le_Domain $Le_Keylength + + if ! createDomainKey $Le_Domain $Le_Keylength ; then + _err "Create domain key error." + return 1 + fi + + if ! createCSR $Le_Domain $Le_Alt ; then + _err "Create CSR error." + return 1 + fi + + pub_exp=$(openssl rsa -in $ACCOUNT_KEY_PATH -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) + if [ "${#pub_exp}" == "5" ] ; then + pub_exp=0$pub_exp + fi + _debug pub_exp "$pub_exp" + + e=$(echo $pub_exp | _h2b | _base64) + _debug e "$e" + + modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 ) + n=$(echo $modulus| _h2b | _base64 | _b64 ) + + jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' + + HEADER='{"alg": "RS256", "jwk": '$jwk'}' + HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}' + _debug HEADER "$HEADER" + + accountkey_json=$(echo -n "$jwk" | tr -d ' ' ) + thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64) + + + _info "Registering account" + regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}' + if [ "$ACCOUNT_EMAIL" ] ; then + regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}' + fi + _send_signed_request "$API/acme/new-reg" "$regjson" + + if [ "$code" == "" ] || [ "$code" == '201' ] ; then + _info "Registered" + echo $response > $LE_WORKING_DIR/account.json + elif [ "$code" == '409' ] ; then + _info "Already registered" + else + _err "Register account Error." + _clearup + return 1 + fi + + vtype="$VTYPE_HTTP" + if [[ "$Le_Webroot" == "dns"* ]] ; then + vtype="$VTYPE_DNS" + fi + + vlist="$Le_Vlist" + # verify each domain + _info "Verify each domain" + sep='#' + if [ -z "$vlist" ] ; then + alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) + for d in $alldomains + do + _info "Getting token for domain" $d + _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" + if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then + _err "new-authz error: $response" + _clearup + return 1 + fi + + entry="$(printf $response | egrep -o '{[^{]*"type":"'$vtype'"[^}]*')" + _debug entry "$entry" + + token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" + _debug token $token + + uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" + _debug uri $uri + + keyauthorization="$token.$thumbprint" + _debug keyauthorization "$keyauthorization" + + dvlist="$d$sep$keyauthorization$sep$uri" + _debug dvlist "$dvlist" + + vlist="$vlist$dvlist," + + done + + #add entry + dnsadded="" + ventries=$(echo "$vlist" | tr ',' ' ' ) + for ventry in $ventries + do + d=$(echo $ventry | cut -d $sep -f 1) + keyauthorization=$(echo $ventry | cut -d $sep -f 2) + + if [ "$vtype" == "$VTYPE_DNS" ] ; then + dnsadded='0' + txtdomain="_acme-challenge.$d" + _debug txtdomain "$txtdomain" + txt="$(echo -e -n $keyauthorization | openssl dgst -sha256 -binary | _base64 | _b64)" + _debug txt "$txt" + #dns + #1. check use api + d_api="" + if [ -f "$LE_WORKING_DIR/$d/$Le_Webroot" ] ; then + d_api="$LE_WORKING_DIR/$d/$Le_Webroot" + elif [ -f "$LE_WORKING_DIR/$d/$Le_Webroot.sh" ] ; then + d_api="$LE_WORKING_DIR/$d/$Le_Webroot.sh" + elif [ -f "$LE_WORKING_DIR/$Le_Webroot" ] ; then + d_api="$LE_WORKING_DIR/$Le_Webroot" + elif [ -f "$LE_WORKING_DIR/$Le_Webroot.sh" ] ; then + d_api="$LE_WORKING_DIR/$Le_Webroot.sh" + elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot" ] ; then + d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot" + elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" ] ; then + d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" + fi + _debug d_api "$d_api" + + if [ "$d_api" ]; then + _info "Found domain api file: $d_api" + else + _err "Add the following TXT record:" + _err "Domain: $txtdomain" + _err "TXT value: $txt" + _err "Please be aware that you prepend _acme-challenge. before your domain" + _err "so the resulting subdomain will be: $txtdomain" + continue + fi + + if ! source $d_api ; then + _err "Load file $d_api error. Please check your api file and try again." + return 1 + fi + + addcommand="$Le_Webroot-add" + if ! command -v $addcommand ; then + _err "It seems that your api file is not correct, it must have a function named: $Le_Webroot" + return 1 + fi + + if ! $addcommand $txtdomain $txt ; then + _err "Error add txt for domain:$txtdomain" + return 1 + fi + dnsadded='1' + fi + done + + if [ "$dnsadded" == '0' ] ; then + _setopt "$DOMAIN_CONF" "Le_Vlist" "=" "\"$vlist\"" + _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." + _err "Please add the TXT records to the domains, and retry again." + return 1 + fi + + fi + + if [ "$dnsadded" == '1' ] ; then + _info "Sleep 60 seconds for the txt records to take effect" + sleep 60 + fi + + _debug "ok, let's start to verify" + ventries=$(echo "$vlist" | tr ',' ' ' ) + for ventry in $ventries + do + d=$(echo $ventry | cut -d $sep -f 1) + keyauthorization=$(echo $ventry | cut -d $sep -f 2) + uri=$(echo $ventry | cut -d $sep -f 3) + _info "Verifying:$d" + _debug "d" "$d" + _debug "keyauthorization" "$keyauthorization" + _debug "uri" "$uri" + removelevel="" + token="" + if [ "$vtype" == "$VTYPE_HTTP" ] ; then + if [ "$Le_Webroot" == "no" ] ; then + _info "Standalone mode server" + _startserver "$keyauthorization" & + serverproc="$!" + sleep 2 + _debug serverproc $serverproc + else + if [ -z "$wellknown_path" ] ; then + wellknown_path="$Le_Webroot/.well-known/acme-challenge" + fi + _debug wellknown_path "$wellknown_path" + + if [ ! -d "$Le_Webroot/.well-known" ] ; then + removelevel='1' + elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then + removelevel='2' + else + removelevel='3' + fi + + token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)" + _debug "writing token:$token to $wellknown_path/$token" + + mkdir -p "$wellknown_path" + echo -n "$keyauthorization" > "$wellknown_path/$token" + + webroot_owner=$(stat -c '%U:%G' $Le_Webroot) + _debug "Changing owner/group of .well-known to $webroot_owner" + chown -R $webroot_owner "$Le_Webroot/.well-known" + + fi + fi + + _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" + + if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then + _err "$d:Challenge error: $resource" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1 + fi + + while [ "1" ] ; do + _debug "sleep 5 secs to verify" + sleep 5 + _debug "checking" + + if ! _get $uri ; then + _err "$d:Verify error:$resource" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1 + fi + + status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"') + if [ "$status" == "valid" ] ; then + _info "Success" + _stopserver $serverproc + serverproc="" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + break; + fi + + if [ "$status" == "invalid" ] ; then + error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) + _err "$d:Verify error:$error" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1; + fi + + if [ "$status" == "pending" ] ; then + _info "Pending" + else + _err "$d:Verify error:$response" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1 + fi + + done + + done + + _clearup + _info "Verify finished, start to sign." + der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)" + _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" + + + Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)" + _setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert" + + if [ "$Le_LinkCert" ] ; then + echo -----BEGIN CERTIFICATE----- > "$CERT_PATH" + curl --silent "$Le_LinkCert" | openssl base64 -e >> "$CERT_PATH" + echo -----END CERTIFICATE----- >> "$CERT_PATH" + _info "Cert success." + cat "$CERT_PATH" + + _info "Your cert is in $CERT_PATH" + fi + + + if [ -z "$Le_LinkCert" ] ; then + response="$(echo $response | openssl base64 -d -A)" + _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" + return 1 + fi + + _setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\"" + + Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' ) + _setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer" + + if [ "$Le_LinkIssuer" ] ; then + echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH" + curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH" + echo -----END CERTIFICATE----- >> "$CA_CERT_PATH" + _info "The intermediate CA cert is in $CA_CERT_PATH" + fi + + Le_CertCreateTime=$(date -u "+%s") + _setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime" + + Le_CertCreateTimeStr=$(date -u ) + _setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\"" + + if [ ! "$Le_RenewalDays" ] ; then + Le_RenewalDays=80 + fi + + _setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays" + + let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60" + _setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime" + + Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime ) + _setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\"" + + + installcert $Le_Domain "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" + +} + +renew() { + Le_Domain="$1" + if [ -z "$Le_Domain" ] ; then + _err "Usage: $0 domain.com" + return 1 + fi + + _initpath $Le_Domain + + if [ ! -f "$DOMAIN_CONF" ] ; then + _info "$Le_Domain is not a issued domain, skip." + return 0; + fi + + source "$DOMAIN_CONF" + if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then + _info "Skip, Next renewal time is: $Le_NextRenewTimeStr" + return 2 + fi + + IS_RENEW="1" + issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" + local res=$? + IS_RENEW="" + + return $res +} + +renewAll() { + _initpath + _info "renewAll" + + for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do + d=$(echo $d | cut -d '/' -f 1) + _info "renew $d" + + Le_LinkCert="" + Le_Domain="" + Le_Alt="" + Le_Webroot="" + Le_Keylength="" + Le_LinkIssuer="" + + Le_CertCreateTime="" + Le_CertCreateTimeStr="" + Le_RenewalDays="" + Le_NextRenewTime="" + Le_NextRenewTimeStr="" + + Le_RealCertPath="" + Le_RealKeyPath="" + + Le_RealCACertPath="" + + Le_ReloadCmd="" + + DOMAIN_PATH="" + DOMAIN_CONF="" + DOMAIN_SSL_CONF="" + CSR_PATH="" + CERT_KEY_PATH="" + CERT_PATH="" + CA_CERT_PATH="" + ACCOUNT_KEY_PATH="" + + wellknown_path="" + + renew "$d" + done + +} + +installcert() { + Le_Domain="$1" + if [ -z "$Le_Domain" ] ; then + _err "Usage: $0 domain.com [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no" + return 1 + fi + + Le_RealCertPath="$2" + Le_RealKeyPath="$3" + Le_RealCACertPath="$4" + Le_ReloadCmd="$5" + + _initpath $Le_Domain + + _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" + _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" + + if [ "$Le_RealCertPath" ] ; then + if [ -f "$Le_RealCertPath" ] ; then + cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak + fi + cat "$CERT_PATH" > "$Le_RealCertPath" + fi + + if [ "$Le_RealCACertPath" ] ; then + if [ -f "$Le_RealCACertPath" ] ; then + cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak + fi + if [ "$Le_RealCACertPath" == "$Le_RealCertPath" ] ; then + echo "" >> "$Le_RealCACertPath" + cat "$CA_CERT_PATH" >> "$Le_RealCACertPath" + else + cat "$CA_CERT_PATH" > "$Le_RealCACertPath" + fi + fi + + + if [ "$Le_RealKeyPath" ] ; then + if [ -f "$Le_RealKeyPath" ] ; then + cp -p "$Le_RealKeyPath" "$Le_RealKeyPath".bak + fi + cat "$CERT_KEY_PATH" > "$Le_RealKeyPath" + fi + + if [ "$Le_ReloadCmd" ] ; then + _info "Run Le_ReloadCmd: $Le_ReloadCmd" + (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") + fi + +} + +installcronjob() { + _initpath + _info "Installing cron job" + if ! crontab -l | grep 'le.sh cron' ; then + if [ -f "$LE_WORKING_DIR/le.sh" ] ; then + lesh="\"$LE_WORKING_DIR\"/le.sh" + else + _err "Can not install cronjob, le.sh not found." + return 1 + fi + crontab -l | { cat; echo "0 0 * * * LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null"; } | crontab - + fi + return 0 +} + +uninstallcronjob() { + _info "Removing cron job" + cr="$(crontab -l | grep 'le.sh cron')" + if [ "$cr" ] ; then + crontab -l | sed "/le.sh cron/d" | crontab - + LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')" + _info LE_WORKING_DIR "$LE_WORKING_DIR" + fi + _initpath + +} + + +# Detect profile file if not specified as environment variable +_detect_profile() { + if [ -n "$PROFILE" -a -f "$PROFILE" ]; then + echo "$PROFILE" + return + fi + + local DETECTED_PROFILE + DETECTED_PROFILE='' + local SHELLTYPE + SHELLTYPE="$(basename "/$SHELL")" + + if [ "$SHELLTYPE" = "bash" ]; then + if [ -f "$HOME/.bashrc" ]; then + DETECTED_PROFILE="$HOME/.bashrc" + elif [ -f "$HOME/.bash_profile" ]; then + DETECTED_PROFILE="$HOME/.bash_profile" + fi + elif [ "$SHELLTYPE" = "zsh" ]; then + DETECTED_PROFILE="$HOME/.zshrc" + fi + + if [ -z "$DETECTED_PROFILE" ]; then + if [ -f "$HOME/.profile" ]; then + DETECTED_PROFILE="$HOME/.profile" + elif [ -f "$HOME/.bashrc" ]; then + DETECTED_PROFILE="$HOME/.bashrc" + elif [ -f "$HOME/.bash_profile" ]; then + DETECTED_PROFILE="$HOME/.bash_profile" + elif [ -f "$HOME/.zshrc" ]; then + DETECTED_PROFILE="$HOME/.zshrc" + fi + fi + + if [ ! -z "$DETECTED_PROFILE" ]; then + echo "$DETECTED_PROFILE" + fi +} + +_initconf() { + _initpath + if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then + echo "#Account configurations: +#Here are the supported macros, uncomment them to make them take effect. +#ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account. + +#STAGE=1 # Use the staging api +#FORCE=1 # Force to issue cert +#DEBUG=1 # Debug mode + +#dns api +####################### +#Cloudflare: +#api key +#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +#account email +#CF_Email="xxxx@sss.com" + +####################### +#Dnspod.cn: +#api key id +#DP_Id="1234" +#api key +#DP_Key="sADDsdasdgdsf" + +####################### +#Cloudxns.com: +#CX_Key="1234" +# +#CX_Secret="sADDsdasdgdsf" + + " > $ACCOUNT_CONF_PATH + fi +} + +install() { + _initpath + + #check if there is sudo installed, AND if the current user is a sudoer. + if command -v sudo > /dev/null ; then + if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then + SUDO=sudo + fi + fi + + if command -v yum > /dev/null ; then + YUM="1" + INSTALL="$SUDO yum install -y " + elif command -v apt-get > /dev/null ; then + INSTALL="$SUDO apt-get install -y " + fi + + if ! command -v "curl" > /dev/null ; then + _err "Please install curl first." + _err "$INSTALL curl" + return 1 + fi + + if ! command -v "crontab" > /dev/null ; then + _err "Please install crontab first." + if [ "$YUM" ] ; then + _err "$INSTALL crontabs" + else + _err "$INSTALL crontab" + fi + return 1 + fi + + if ! command -v "openssl" > /dev/null ; then + _err "Please install openssl first." + _err "$INSTALL openssl" + return 1 + fi + + _info "Installing to $LE_WORKING_DIR" + + _info "Installed to $LE_WORKING_DIR/le.sh" + cp le.sh $LE_WORKING_DIR/ + chmod +x $LE_WORKING_DIR/le.sh + + _profile="$(_detect_profile)" + if [ "$_profile" ] ; then + _debug "Found profile: $_profile" + + echo "LE_WORKING_DIR=$LE_WORKING_DIR +alias le=\"$LE_WORKING_DIR/le.sh\" +alias le.sh=\"$LE_WORKING_DIR/le.sh\" + " > "$LE_WORKING_DIR/le.env" + + _setopt "$_profile" "source \"$LE_WORKING_DIR/le.env\"" + _info "OK, Close and reopen your terminal to start using le" + else + _info "No profile is found, you will need to go into $LE_WORKING_DIR to use le.sh" + fi + + mkdir -p $LE_WORKING_DIR/dnsapi + cp dnsapi/* $LE_WORKING_DIR/dnsapi/ + + #to keep compatible mv the .acc file to .key file + if [ -f "$LE_WORKING_DIR/account.acc" ] ; then + mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key" + fi + + installcronjob + + if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then + _initconf + fi + _info OK +} + +uninstall() { + uninstallcronjob + _initpath + + _profile="$(_detect_profile)" + if [ "$_profile" ] ; then + sed -i /le.env/d "$_profile" + fi + + rm -f $LE_WORKING_DIR/le.sh + _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself." + +} + +cron() { + renewAll +} + +version() { + _info "$PROJECT" + _info "v$VER" +} + +showhelp() { + version + echo "Usage: le.sh [command] ...[args].... +Avalible commands: + +install: + Install le.sh to your system. +issue: + Issue a cert. +installcert: + Install the issued cert to apache/nginx or any other server. +renew: + Renew a cert. +renewAll: + Renew all the certs. +uninstall: + Uninstall le.sh, and uninstall the cron job. +version: + Show version info. +installcronjob: + Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job. +uninstallcronjob: + Uninstall the cron job. The 'uninstall' command can do this automatically. +createAccountKey: + Create an account private key, professional use. +createDomainKey: + Create an domain private key, professional use. +createCSR: + Create CSR , professional use. + " +} + + +if [ -z "$1" ] ; then + showhelp +else + "$@" +fi From 48a8e6e64b077be004dc693823cd21cfcc12edc2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 8 Mar 2016 20:40:52 +0800 Subject: [PATCH 04/13] minor, just more checks --- le.sh | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/le.sh b/le.sh index 1b3768d1..12defd60 100755 --- a/le.sh +++ b/le.sh @@ -296,6 +296,7 @@ _setopt() { else _debug APP + echo "" >> "$__conf" echo "$__opt$__sep$__val$__end" >> "$__conf" fi _debug "$(grep -H -n "^$__opt$__sep" $__conf)" @@ -376,7 +377,10 @@ _initpath() { fi domain="$1" - mkdir -p "$LE_WORKING_DIR" + if ! mkdir -p "$LE_WORKING_DIR" ; then + _err "Can not craete working dir: $LE_WORKING_DIR" + return 1 + fi if [ -z "$ACCOUNT_KEY_PATH" ] ; then ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" @@ -1071,7 +1075,12 @@ installcronjob() { fi crontab -l | { cat; echo "0 0 * * * LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null"; } | crontab - fi - return 0 + if [ "$?" != "0" ] ; then + _err "Install cron job failed. You need to manually renew your certs." + _err "Or you can add cronjob by yourself:" + _err "LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null" + return 1 + fi } uninstallcronjob() { @@ -1163,7 +1172,10 @@ _initconf() { } install() { - _initpath + if ! _initpath ; then + _err "Install failed." + return 1 + fi #check if there is sudo installed, AND if the current user is a sudoer. if command -v sudo > /dev/null ; then @@ -1203,9 +1215,14 @@ install() { _info "Installing to $LE_WORKING_DIR" - _info "Installed to $LE_WORKING_DIR/le.sh" - cp le.sh $LE_WORKING_DIR/ - chmod +x $LE_WORKING_DIR/le.sh + cp le.sh "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/le.sh" + + if [ "$?" != "0" ] ; then + _err "Install failed, can not copy le.sh" + return 1 + fi + + _info "Installed to $LE_WORKING_DIR/le.sh" _profile="$(_detect_profile)" if [ "$_profile" ] ; then From 4c3b360886844440bde27e6b25e6aa27ac581ba6 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 8 Mar 2016 20:44:12 +0800 Subject: [PATCH 05/13] minor --- le.sh | 2636 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 1318 insertions(+), 1318 deletions(-) diff --git a/le.sh b/le.sh index 12defd60..5dca6265 100755 --- a/le.sh +++ b/le.sh @@ -1,1318 +1,1318 @@ -#!/usr/bin/env bash -VER=1.1.8 -PROJECT="https://github.com/Neilpang/le" - -DEFAULT_CA="https://acme-v01.api.letsencrypt.org" -DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" - -STAGE_CA="https://acme-staging.api.letsencrypt.org" - -VTYPE_HTTP="http-01" -VTYPE_DNS="dns-01" - -if [ -z "$AGREEMENT" ] ; then - AGREEMENT="$DEFAULT_AGREEMENT" -fi - -_debug() { - - if [ -z "$DEBUG" ] ; then - return - fi - - if [ -z "$2" ] ; then - echo $1 - else - echo "$1"="$2" - fi -} - -_info() { - if [ -z "$2" ] ; then - echo "$1" - else - echo "$1"="$2" - fi -} - -_err() { - if [ -z "$2" ] ; then - echo "$1" >&2 - else - echo "$1"="$2" >&2 - fi - return 1 -} - -_h2b() { - hex=$(cat) - i=1 - j=2 - while [ '1' ] ; do - h=$(printf $hex | cut -c $i-$j) - if [ -z "$h" ] ; then - break; - fi - printf "\x$h" - let "i+=2" - let "j+=2" - done -} - -_base64() { - openssl base64 -e | tr -d '\n' -} - -#domain [2048] -createAccountKey() { - _info "Creating account key" - if [ -z "$1" ] ; then - echo Usage: createAccountKey account-domain [2048] - return - fi - - account=$1 - length=$2 - - if [[ "$length" == "ec-"* ]] ; then - length=2048 - fi - - if [ -z "$2" ] ; then - _info "Use default length 2048" - length=2048 - fi - _initpath - - if [ -f "$ACCOUNT_KEY_PATH" ] ; then - _info "Account key exists, skip" - return - else - #generate account key - openssl genrsa $length > "$ACCOUNT_KEY_PATH" - fi - -} - -#domain length -createDomainKey() { - _info "Creating domain key" - if [ -z "$1" ] ; then - echo Usage: createDomainKey domain [2048] - return - fi - - domain=$1 - length=$2 - isec="" - if [[ "$length" == "ec-"* ]] ; then - isec="1" - length=$(printf $length | cut -d '-' -f 2-100) - eccname="$length" - fi - - if [ -z "$length" ] ; then - if [ "$isec" ] ; then - length=256 - else - length=2048 - fi - fi - _info "Use length $length" - - if [ "$isec" ] ; then - if [ "$length" == "256" ] ; then - eccname="prime256v1" - fi - if [ "$length" == "384" ] ; then - eccname="secp384r1" - fi - if [ "$length" == "521" ] ; then - eccname="secp521r1" - fi - _info "Using ec name: $eccname" - fi - - _initpath $domain - - if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then - #generate account key - if [ "$isec" ] ; then - openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH" - else - openssl genrsa $length 2>/dev/null > "$CERT_KEY_PATH" - fi - else - if [ "$IS_RENEW" ] ; then - _info "Domain key exists, skip" - return 0 - else - _err "Domain key exists, do you want to overwrite the key?" - _err "Set FORCE=1, and try again." - return 1 - fi - fi - -} - -# domain domainlist -createCSR() { - _info "Creating csr" - if [ -z "$1" ] ; then - echo Usage: $0 domain [domainlist] - return - fi - domain=$1 - _initpath $domain - - domainlist=$2 - - if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then - _info "CSR exists, skip" - return - fi - - if [ -z "$domainlist" ] ; then - #single domain - _info "Single domain" $domain - openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" > "$CSR_PATH" - else - alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" - #multi - _info "Multi domain" "$alt" - printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF" - openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" - fi - -} - -_b64() { - __n=$(cat) - echo $__n | tr '/+' '_-' | tr -d '= ' -} - -_time2str() { - #BSD - if date -u -d@$1 2>/dev/null ; then - return - fi - - #Linux - if date -u -r $1 2>/dev/null ; then - return - fi - -} - -_send_signed_request() { - url=$1 - payload=$2 - needbase64=$3 - - _debug url $url - _debug payload "$payload" - - CURL_HEADER="$LE_WORKING_DIR/curl.header" - dp="$LE_WORKING_DIR/curl.dump" - CURL="curl --silent --dump-header $CURL_HEADER " - if [ "$DEBUG" ] ; then - CURL="$CURL --trace-ascii $dp " - fi - payload64=$(echo -n $payload | _base64 | _b64) - _debug payload64 $payload64 - - nonceurl="$API/directory" - nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)" - - _debug nonce "$nonce" - - protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )" - _debug protected "$protected" - - protected64="$(printf "$protected" | _base64 | _b64)" - _debug protected64 "$protected64" - - sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64) - _debug sig "$sig" - - body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" - _debug body "$body" - - if [ "$needbase64" ] ; then - response="$($CURL -X POST --data "$body" $url | _base64)" - else - response="$($CURL -X POST --data "$body" $url)" - fi - - responseHeaders="$(cat $CURL_HEADER)" - - _debug responseHeaders "$responseHeaders" - _debug response "$response" - code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )" - _debug code $code - -} - -_get() { - url="$1" - _debug url $url - response="$(curl --silent $url)" - ret=$? - _debug response "$response" - code="$(echo $response | grep -o '"status":[0-9]\+' | cut -d : -f 2)" - _debug code $code - return $ret -} - -#setopt "file" "opt" "=" "value" [";"] -_setopt() { - __conf="$1" - __opt="$2" - __sep="$3" - __val="$4" - __end="$5" - if [ -z "$__opt" ] ; then - echo usage: _setopt '"file" "opt" "=" "value" [";"]' - return - fi - if [ ! -f "$__conf" ] ; then - touch "$__conf" - fi - - if grep -H -n "^$__opt$__sep" "$__conf" > /dev/null ; then - _debug OK - if [[ "$__val" == *"&"* ]] ; then - __val="$(echo $__val | sed 's/&/\\&/g')" - fi - text="$(cat $__conf)" - printf "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" - - elif grep -H -n "^#$__opt$__sep" "$__conf" > /dev/null ; then - if [[ "$__val" == *"&"* ]] ; then - __val="$(echo $__val | sed 's/&/\\&/g')" - fi - text="$(cat $__conf)" - printf "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" - - else - _debug APP - echo "" >> "$__conf" - echo "$__opt$__sep$__val$__end" >> "$__conf" - fi - _debug "$(grep -H -n "^$__opt$__sep" $__conf)" -} - -#_savedomainconf key value -#save to domain.conf -_savedomainconf() { - key="$1" - value="$2" - if [ "$DOMAIN_CONF" ] ; then - _setopt $DOMAIN_CONF "$key" "=" "$value" - else - _err "DOMAIN_CONF is empty, can not save $key=$value" - fi -} - -#_saveaccountconf key value -_saveaccountconf() { - key="$1" - value="$2" - if [ "$ACCOUNT_CONF_PATH" ] ; then - _setopt $ACCOUNT_CONF_PATH "$key" "=" "$value" - else - _err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" - fi -} - -_startserver() { - content="$1" - _NC="nc -q 1" - if nc -h 2>&1 | grep "nmap.org/ncat" >/dev/null ; then - _NC="nc" - fi -# while true ; do - if [ "$DEBUG" ] ; then - echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort -vv - else - echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort > /dev/null - fi -# done -} - -_stopserver() { - pid="$1" - -} - -_initpath() { - - if [ -z "$LE_WORKING_DIR" ]; then - LE_WORKING_DIR=$HOME/.le - fi - - if [ -z "$ACCOUNT_CONF_PATH" ] ; then - ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf" - fi - - if [ -f "$ACCOUNT_CONF_PATH" ] ; then - source "$ACCOUNT_CONF_PATH" - fi - - if [ -z "$API" ] ; then - if [ -z "$STAGE" ] ; then - API="$DEFAULT_CA" - else - API="$STAGE_CA" - _info "Using stage api:$API" - fi - fi - - if [ -z "$ACME_DIR" ] ; then - ACME_DIR="/home/.acme" - fi - - if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then - APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/" - fi - - domain="$1" - if ! mkdir -p "$LE_WORKING_DIR" ; then - _err "Can not craete working dir: $LE_WORKING_DIR" - return 1 - fi - - if [ -z "$ACCOUNT_KEY_PATH" ] ; then - ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" - fi - - if [ -z "$domain" ] ; then - return 0 - fi - - domainhome="$LE_WORKING_DIR/$domain" - mkdir -p "$domainhome" - - if [ -z "$DOMAIN_PATH" ] ; then - DOMAIN_PATH="$domainhome" - fi - if [ -z "$DOMAIN_CONF" ] ; then - DOMAIN_CONF="$domainhome/$Le_Domain.conf" - fi - - if [ -z "$DOMAIN_SSL_CONF" ] ; then - DOMAIN_SSL_CONF="$domainhome/$Le_Domain.ssl.conf" - fi - - if [ -z "$CSR_PATH" ] ; then - CSR_PATH="$domainhome/$domain.csr" - fi - if [ -z "$CERT_KEY_PATH" ] ; then - CERT_KEY_PATH="$domainhome/$domain.key" - fi - if [ -z "$CERT_PATH" ] ; then - CERT_PATH="$domainhome/$domain.cer" - fi - if [ -z "$CA_CERT_PATH" ] ; then - CA_CERT_PATH="$domainhome/ca.cer" - fi - -} - - -_apachePath() { - httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )" - httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )" - httpdconf="$httpdroot/$httpdconfname" - if [ ! -f $httpdconf ] ; then - _err "Apache Config file not found" $httpdconf - return 1 - fi - return 0 -} - -_restoreApache() { - if [ -z "$usingApache" ] ; then - return 0 - fi - _initpath - if ! _apachePath ; then - return 1 - fi - - if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then - _debug "No config file to restore." - return 0 - fi - - cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" - if ! apachectl -t ; then - _err "Sorry, restore apache config error, please contact me." - return 1; - fi - rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" - return 0 -} - -_setApache() { - _initpath - if ! _apachePath ; then - return 1 - fi - - #backup the conf - _debug "Backup apache config file" $httpdconf - cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/ - _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" - _info "In case there is an error that can not be restored automatically, you may try restore it yourself." - _info "The backup file will be deleted on sucess, just forget it." - - #add alias - echo " -Alias /.well-known/acme-challenge $ACME_DIR - - -Require all granted - - " >> $httpdconf - - if ! apachectl -t ; then - _err "Sorry, apache config error, please contact me." - _restoreApache - return 1; - fi - - if [ ! -d "$ACME_DIR" ] ; then - mkdir -p "$ACME_DIR" - chmod 755 "$ACME_DIR" - fi - - if ! apachectl graceful ; then - _err "Sorry, apachectl graceful error, please contact me." - _restoreApache - return 1; - fi - usingApache="1" - return 0 -} - -_clearup () { - _stopserver $serverproc - serverproc="" - _restoreApache -} - -# webroot removelevel tokenfile -_clearupwebbroot() { - __webroot="$1" - if [ -z "$__webroot" ] ; then - _debug "no webroot specified, skip" - return 0 - fi - - if [ "$2" == '1' ] ; then - _debug "remove $__webroot/.well-known" - rm -rf "$__webroot/.well-known" - elif [ "$2" == '2' ] ; then - _debug "remove $__webroot/.well-known/acme-challenge" - rm -rf "$__webroot/.well-known/acme-challenge" - elif [ "$2" == '3' ] ; then - _debug "remove $__webroot/.well-known/acme-challenge/$3" - rm -rf "$__webroot/.well-known/acme-challenge/$3" - else - _info "Skip for removelevel:$2" - fi - - return 0 - -} - -issue() { - if [ -z "$2" ] ; then - _err "Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no" - return 1 - fi - Le_Webroot="$1" - Le_Domain="$2" - Le_Alt="$3" - Le_Keylength="$4" - Le_RealCertPath="$5" - Le_RealKeyPath="$6" - Le_RealCACertPath="$7" - Le_ReloadCmd="$8" - - - _initpath $Le_Domain - - if [ -f "$DOMAIN_CONF" ] ; then - Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2) - if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then - _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)" - return 2 - fi - fi - - if [ "$Le_Alt" == "no" ] ; then - Le_Alt="" - fi - if [ "$Le_Keylength" == "no" ] ; then - Le_Keylength="" - fi - if [ "$Le_RealCertPath" == "no" ] ; then - Le_RealCertPath="" - fi - if [ "$Le_RealKeyPath" == "no" ] ; then - Le_RealKeyPath="" - fi - if [ "$Le_RealCACertPath" == "no" ] ; then - Le_RealCACertPath="" - fi - if [ "$Le_ReloadCmd" == "no" ] ; then - Le_ReloadCmd="" - fi - - _setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain" - _setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt" - _setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot" - _setopt "$DOMAIN_CONF" "Le_Keylength" "=" "$Le_Keylength" - _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" - _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" - - if [ "$Le_Webroot" == "no" ] ; then - _info "Standalone mode." - if ! command -v "nc" > /dev/null ; then - _err "Please install netcat(nc) tools first." - return 1 - fi - - if [ -z "$Le_HTTPPort" ] ; then - Le_HTTPPort=80 - fi - _setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort" - - netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")" - if [ "$netprc" ] ; then - _err "$netprc" - _err "tcp port $Le_HTTPPort is already used by $(echo "$netprc" | cut -d : -f 4)" - _err "Please stop it first" - return 1 - fi - fi - - if [ "$Le_Webroot" == "apache" ] ; then - if ! _setApache ; then - _err "set up apache error. Report error to me." - return 1 - fi - wellknown_path="$ACME_DIR" - else - usingApache="" - fi - - createAccountKey $Le_Domain $Le_Keylength - - if ! createDomainKey $Le_Domain $Le_Keylength ; then - _err "Create domain key error." - return 1 - fi - - if ! createCSR $Le_Domain $Le_Alt ; then - _err "Create CSR error." - return 1 - fi - - pub_exp=$(openssl rsa -in $ACCOUNT_KEY_PATH -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) - if [ "${#pub_exp}" == "5" ] ; then - pub_exp=0$pub_exp - fi - _debug pub_exp "$pub_exp" - - e=$(echo $pub_exp | _h2b | _base64) - _debug e "$e" - - modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 ) - n=$(echo $modulus| _h2b | _base64 | _b64 ) - - jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' - - HEADER='{"alg": "RS256", "jwk": '$jwk'}' - HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}' - _debug HEADER "$HEADER" - - accountkey_json=$(echo -n "$jwk" | tr -d ' ' ) - thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64) - - - _info "Registering account" - regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}' - if [ "$ACCOUNT_EMAIL" ] ; then - regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}' - fi - _send_signed_request "$API/acme/new-reg" "$regjson" - - if [ "$code" == "" ] || [ "$code" == '201' ] ; then - _info "Registered" - echo $response > $LE_WORKING_DIR/account.json - elif [ "$code" == '409' ] ; then - _info "Already registered" - else - _err "Register account Error." - _clearup - return 1 - fi - - vtype="$VTYPE_HTTP" - if [[ "$Le_Webroot" == "dns"* ]] ; then - vtype="$VTYPE_DNS" - fi - - vlist="$Le_Vlist" - # verify each domain - _info "Verify each domain" - sep='#' - if [ -z "$vlist" ] ; then - alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) - for d in $alldomains - do - _info "Getting token for domain" $d - _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" - if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then - _err "new-authz error: $response" - _clearup - return 1 - fi - - entry="$(printf $response | egrep -o '{[^{]*"type":"'$vtype'"[^}]*')" - _debug entry "$entry" - - token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" - _debug token $token - - uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" - _debug uri $uri - - keyauthorization="$token.$thumbprint" - _debug keyauthorization "$keyauthorization" - - dvlist="$d$sep$keyauthorization$sep$uri" - _debug dvlist "$dvlist" - - vlist="$vlist$dvlist," - - done - - #add entry - dnsadded="" - ventries=$(echo "$vlist" | tr ',' ' ' ) - for ventry in $ventries - do - d=$(echo $ventry | cut -d $sep -f 1) - keyauthorization=$(echo $ventry | cut -d $sep -f 2) - - if [ "$vtype" == "$VTYPE_DNS" ] ; then - dnsadded='0' - txtdomain="_acme-challenge.$d" - _debug txtdomain "$txtdomain" - txt="$(echo -e -n $keyauthorization | openssl dgst -sha256 -binary | _base64 | _b64)" - _debug txt "$txt" - #dns - #1. check use api - d_api="" - if [ -f "$LE_WORKING_DIR/$d/$Le_Webroot" ] ; then - d_api="$LE_WORKING_DIR/$d/$Le_Webroot" - elif [ -f "$LE_WORKING_DIR/$d/$Le_Webroot.sh" ] ; then - d_api="$LE_WORKING_DIR/$d/$Le_Webroot.sh" - elif [ -f "$LE_WORKING_DIR/$Le_Webroot" ] ; then - d_api="$LE_WORKING_DIR/$Le_Webroot" - elif [ -f "$LE_WORKING_DIR/$Le_Webroot.sh" ] ; then - d_api="$LE_WORKING_DIR/$Le_Webroot.sh" - elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot" ] ; then - d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot" - elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" ] ; then - d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" - fi - _debug d_api "$d_api" - - if [ "$d_api" ]; then - _info "Found domain api file: $d_api" - else - _err "Add the following TXT record:" - _err "Domain: $txtdomain" - _err "TXT value: $txt" - _err "Please be aware that you prepend _acme-challenge. before your domain" - _err "so the resulting subdomain will be: $txtdomain" - continue - fi - - if ! source $d_api ; then - _err "Load file $d_api error. Please check your api file and try again." - return 1 - fi - - addcommand="$Le_Webroot-add" - if ! command -v $addcommand ; then - _err "It seems that your api file is not correct, it must have a function named: $Le_Webroot" - return 1 - fi - - if ! $addcommand $txtdomain $txt ; then - _err "Error add txt for domain:$txtdomain" - return 1 - fi - dnsadded='1' - fi - done - - if [ "$dnsadded" == '0' ] ; then - _setopt "$DOMAIN_CONF" "Le_Vlist" "=" "\"$vlist\"" - _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." - _err "Please add the TXT records to the domains, and retry again." - return 1 - fi - - fi - - if [ "$dnsadded" == '1' ] ; then - _info "Sleep 60 seconds for the txt records to take effect" - sleep 60 - fi - - _debug "ok, let's start to verify" - ventries=$(echo "$vlist" | tr ',' ' ' ) - for ventry in $ventries - do - d=$(echo $ventry | cut -d $sep -f 1) - keyauthorization=$(echo $ventry | cut -d $sep -f 2) - uri=$(echo $ventry | cut -d $sep -f 3) - _info "Verifying:$d" - _debug "d" "$d" - _debug "keyauthorization" "$keyauthorization" - _debug "uri" "$uri" - removelevel="" - token="" - if [ "$vtype" == "$VTYPE_HTTP" ] ; then - if [ "$Le_Webroot" == "no" ] ; then - _info "Standalone mode server" - _startserver "$keyauthorization" & - serverproc="$!" - sleep 2 - _debug serverproc $serverproc - else - if [ -z "$wellknown_path" ] ; then - wellknown_path="$Le_Webroot/.well-known/acme-challenge" - fi - _debug wellknown_path "$wellknown_path" - - if [ ! -d "$Le_Webroot/.well-known" ] ; then - removelevel='1' - elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then - removelevel='2' - else - removelevel='3' - fi - - token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)" - _debug "writing token:$token to $wellknown_path/$token" - - mkdir -p "$wellknown_path" - echo -n "$keyauthorization" > "$wellknown_path/$token" - - webroot_owner=$(stat -c '%U:%G' $Le_Webroot) - _debug "Changing owner/group of .well-known to $webroot_owner" - chown -R $webroot_owner "$Le_Webroot/.well-known" - - fi - fi - - _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" - - if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then - _err "$d:Challenge error: $resource" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1 - fi - - while [ "1" ] ; do - _debug "sleep 5 secs to verify" - sleep 5 - _debug "checking" - - if ! _get $uri ; then - _err "$d:Verify error:$resource" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1 - fi - - status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"') - if [ "$status" == "valid" ] ; then - _info "Success" - _stopserver $serverproc - serverproc="" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - break; - fi - - if [ "$status" == "invalid" ] ; then - error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) - _err "$d:Verify error:$error" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1; - fi - - if [ "$status" == "pending" ] ; then - _info "Pending" - else - _err "$d:Verify error:$response" - _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" - _clearup - return 1 - fi - - done - - done - - _clearup - _info "Verify finished, start to sign." - der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)" - _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" - - - Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)" - _setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert" - - if [ "$Le_LinkCert" ] ; then - echo -----BEGIN CERTIFICATE----- > "$CERT_PATH" - curl --silent "$Le_LinkCert" | openssl base64 -e >> "$CERT_PATH" - echo -----END CERTIFICATE----- >> "$CERT_PATH" - _info "Cert success." - cat "$CERT_PATH" - - _info "Your cert is in $CERT_PATH" - fi - - - if [ -z "$Le_LinkCert" ] ; then - response="$(echo $response | openssl base64 -d -A)" - _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" - return 1 - fi - - _setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\"" - - Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' ) - _setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer" - - if [ "$Le_LinkIssuer" ] ; then - echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH" - curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH" - echo -----END CERTIFICATE----- >> "$CA_CERT_PATH" - _info "The intermediate CA cert is in $CA_CERT_PATH" - fi - - Le_CertCreateTime=$(date -u "+%s") - _setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime" - - Le_CertCreateTimeStr=$(date -u ) - _setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\"" - - if [ ! "$Le_RenewalDays" ] ; then - Le_RenewalDays=80 - fi - - _setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays" - - let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60" - _setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime" - - Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime ) - _setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\"" - - - installcert $Le_Domain "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" - -} - -renew() { - Le_Domain="$1" - if [ -z "$Le_Domain" ] ; then - _err "Usage: $0 domain.com" - return 1 - fi - - _initpath $Le_Domain - - if [ ! -f "$DOMAIN_CONF" ] ; then - _info "$Le_Domain is not a issued domain, skip." - return 0; - fi - - source "$DOMAIN_CONF" - if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then - _info "Skip, Next renewal time is: $Le_NextRenewTimeStr" - return 2 - fi - - IS_RENEW="1" - issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" - local res=$? - IS_RENEW="" - - return $res -} - -renewAll() { - _initpath - _info "renewAll" - - for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do - d=$(echo $d | cut -d '/' -f 1) - _info "renew $d" - - Le_LinkCert="" - Le_Domain="" - Le_Alt="" - Le_Webroot="" - Le_Keylength="" - Le_LinkIssuer="" - - Le_CertCreateTime="" - Le_CertCreateTimeStr="" - Le_RenewalDays="" - Le_NextRenewTime="" - Le_NextRenewTimeStr="" - - Le_RealCertPath="" - Le_RealKeyPath="" - - Le_RealCACertPath="" - - Le_ReloadCmd="" - - DOMAIN_PATH="" - DOMAIN_CONF="" - DOMAIN_SSL_CONF="" - CSR_PATH="" - CERT_KEY_PATH="" - CERT_PATH="" - CA_CERT_PATH="" - ACCOUNT_KEY_PATH="" - - wellknown_path="" - - renew "$d" - done - -} - -installcert() { - Le_Domain="$1" - if [ -z "$Le_Domain" ] ; then - _err "Usage: $0 domain.com [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no" - return 1 - fi - - Le_RealCertPath="$2" - Le_RealKeyPath="$3" - Le_RealCACertPath="$4" - Le_ReloadCmd="$5" - - _initpath $Le_Domain - - _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" - _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" - _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" - - if [ "$Le_RealCertPath" ] ; then - if [ -f "$Le_RealCertPath" ] ; then - cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak - fi - cat "$CERT_PATH" > "$Le_RealCertPath" - fi - - if [ "$Le_RealCACertPath" ] ; then - if [ -f "$Le_RealCACertPath" ] ; then - cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak - fi - if [ "$Le_RealCACertPath" == "$Le_RealCertPath" ] ; then - echo "" >> "$Le_RealCACertPath" - cat "$CA_CERT_PATH" >> "$Le_RealCACertPath" - else - cat "$CA_CERT_PATH" > "$Le_RealCACertPath" - fi - fi - - - if [ "$Le_RealKeyPath" ] ; then - if [ -f "$Le_RealKeyPath" ] ; then - cp -p "$Le_RealKeyPath" "$Le_RealKeyPath".bak - fi - cat "$CERT_KEY_PATH" > "$Le_RealKeyPath" - fi - - if [ "$Le_ReloadCmd" ] ; then - _info "Run Le_ReloadCmd: $Le_ReloadCmd" - (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") - fi - -} - -installcronjob() { - _initpath - _info "Installing cron job" - if ! crontab -l | grep 'le.sh cron' ; then - if [ -f "$LE_WORKING_DIR/le.sh" ] ; then - lesh="\"$LE_WORKING_DIR\"/le.sh" - else - _err "Can not install cronjob, le.sh not found." - return 1 - fi - crontab -l | { cat; echo "0 0 * * * LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null"; } | crontab - - fi - if [ "$?" != "0" ] ; then - _err "Install cron job failed. You need to manually renew your certs." - _err "Or you can add cronjob by yourself:" - _err "LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null" - return 1 - fi -} - -uninstallcronjob() { - _info "Removing cron job" - cr="$(crontab -l | grep 'le.sh cron')" - if [ "$cr" ] ; then - crontab -l | sed "/le.sh cron/d" | crontab - - LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')" - _info LE_WORKING_DIR "$LE_WORKING_DIR" - fi - _initpath - -} - - -# Detect profile file if not specified as environment variable -_detect_profile() { - if [ -n "$PROFILE" -a -f "$PROFILE" ]; then - echo "$PROFILE" - return - fi - - local DETECTED_PROFILE - DETECTED_PROFILE='' - local SHELLTYPE - SHELLTYPE="$(basename "/$SHELL")" - - if [ "$SHELLTYPE" = "bash" ]; then - if [ -f "$HOME/.bashrc" ]; then - DETECTED_PROFILE="$HOME/.bashrc" - elif [ -f "$HOME/.bash_profile" ]; then - DETECTED_PROFILE="$HOME/.bash_profile" - fi - elif [ "$SHELLTYPE" = "zsh" ]; then - DETECTED_PROFILE="$HOME/.zshrc" - fi - - if [ -z "$DETECTED_PROFILE" ]; then - if [ -f "$HOME/.profile" ]; then - DETECTED_PROFILE="$HOME/.profile" - elif [ -f "$HOME/.bashrc" ]; then - DETECTED_PROFILE="$HOME/.bashrc" - elif [ -f "$HOME/.bash_profile" ]; then - DETECTED_PROFILE="$HOME/.bash_profile" - elif [ -f "$HOME/.zshrc" ]; then - DETECTED_PROFILE="$HOME/.zshrc" - fi - fi - - if [ ! -z "$DETECTED_PROFILE" ]; then - echo "$DETECTED_PROFILE" - fi -} - -_initconf() { - _initpath - if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then - echo "#Account configurations: -#Here are the supported macros, uncomment them to make them take effect. -#ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account. - -#STAGE=1 # Use the staging api -#FORCE=1 # Force to issue cert -#DEBUG=1 # Debug mode - -#dns api -####################### -#Cloudflare: -#api key -#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" -#account email -#CF_Email="xxxx@sss.com" - -####################### -#Dnspod.cn: -#api key id -#DP_Id="1234" -#api key -#DP_Key="sADDsdasdgdsf" - -####################### -#Cloudxns.com: -#CX_Key="1234" -# -#CX_Secret="sADDsdasdgdsf" - - " > $ACCOUNT_CONF_PATH - fi -} - -install() { - if ! _initpath ; then - _err "Install failed." - return 1 - fi - - #check if there is sudo installed, AND if the current user is a sudoer. - if command -v sudo > /dev/null ; then - if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then - SUDO=sudo - fi - fi - - if command -v yum > /dev/null ; then - YUM="1" - INSTALL="$SUDO yum install -y " - elif command -v apt-get > /dev/null ; then - INSTALL="$SUDO apt-get install -y " - fi - - if ! command -v "curl" > /dev/null ; then - _err "Please install curl first." - _err "$INSTALL curl" - return 1 - fi - - if ! command -v "crontab" > /dev/null ; then - _err "Please install crontab first." - if [ "$YUM" ] ; then - _err "$INSTALL crontabs" - else - _err "$INSTALL crontab" - fi - return 1 - fi - - if ! command -v "openssl" > /dev/null ; then - _err "Please install openssl first." - _err "$INSTALL openssl" - return 1 - fi - - _info "Installing to $LE_WORKING_DIR" - - cp le.sh "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/le.sh" - - if [ "$?" != "0" ] ; then - _err "Install failed, can not copy le.sh" - return 1 - fi - - _info "Installed to $LE_WORKING_DIR/le.sh" - - _profile="$(_detect_profile)" - if [ "$_profile" ] ; then - _debug "Found profile: $_profile" - - echo "LE_WORKING_DIR=$LE_WORKING_DIR -alias le=\"$LE_WORKING_DIR/le.sh\" -alias le.sh=\"$LE_WORKING_DIR/le.sh\" - " > "$LE_WORKING_DIR/le.env" - - _setopt "$_profile" "source \"$LE_WORKING_DIR/le.env\"" - _info "OK, Close and reopen your terminal to start using le" - else - _info "No profile is found, you will need to go into $LE_WORKING_DIR to use le.sh" - fi - - mkdir -p $LE_WORKING_DIR/dnsapi - cp dnsapi/* $LE_WORKING_DIR/dnsapi/ - - #to keep compatible mv the .acc file to .key file - if [ -f "$LE_WORKING_DIR/account.acc" ] ; then - mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key" - fi - - installcronjob - - if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then - _initconf - fi - _info OK -} - -uninstall() { - uninstallcronjob - _initpath - - _profile="$(_detect_profile)" - if [ "$_profile" ] ; then - sed -i /le.env/d "$_profile" - fi - - rm -f $LE_WORKING_DIR/le.sh - _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself." - -} - -cron() { - renewAll -} - -version() { - _info "$PROJECT" - _info "v$VER" -} - -showhelp() { - version - echo "Usage: le.sh [command] ...[args].... -Avalible commands: - -install: - Install le.sh to your system. -issue: - Issue a cert. -installcert: - Install the issued cert to apache/nginx or any other server. -renew: - Renew a cert. -renewAll: - Renew all the certs. -uninstall: - Uninstall le.sh, and uninstall the cron job. -version: - Show version info. -installcronjob: - Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job. -uninstallcronjob: - Uninstall the cron job. The 'uninstall' command can do this automatically. -createAccountKey: - Create an account private key, professional use. -createDomainKey: - Create an domain private key, professional use. -createCSR: - Create CSR , professional use. - " -} - - -if [ -z "$1" ] ; then - showhelp -else - "$@" -fi +#!/usr/bin/env bash +VER=1.1.8 +PROJECT="https://github.com/Neilpang/le" + +DEFAULT_CA="https://acme-v01.api.letsencrypt.org" +DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" + +STAGE_CA="https://acme-staging.api.letsencrypt.org" + +VTYPE_HTTP="http-01" +VTYPE_DNS="dns-01" + +if [ -z "$AGREEMENT" ] ; then + AGREEMENT="$DEFAULT_AGREEMENT" +fi + +_debug() { + + if [ -z "$DEBUG" ] ; then + return + fi + + if [ -z "$2" ] ; then + echo $1 + else + echo "$1"="$2" + fi +} + +_info() { + if [ -z "$2" ] ; then + echo "$1" + else + echo "$1"="$2" + fi +} + +_err() { + if [ -z "$2" ] ; then + echo "$1" >&2 + else + echo "$1"="$2" >&2 + fi + return 1 +} + +_h2b() { + hex=$(cat) + i=1 + j=2 + while [ '1' ] ; do + h=$(printf $hex | cut -c $i-$j) + if [ -z "$h" ] ; then + break; + fi + printf "\x$h" + let "i+=2" + let "j+=2" + done +} + +_base64() { + openssl base64 -e | tr -d '\n' +} + +#domain [2048] +createAccountKey() { + _info "Creating account key" + if [ -z "$1" ] ; then + echo Usage: createAccountKey account-domain [2048] + return + fi + + account=$1 + length=$2 + + if [[ "$length" == "ec-"* ]] ; then + length=2048 + fi + + if [ -z "$2" ] ; then + _info "Use default length 2048" + length=2048 + fi + _initpath + + if [ -f "$ACCOUNT_KEY_PATH" ] ; then + _info "Account key exists, skip" + return + else + #generate account key + openssl genrsa $length > "$ACCOUNT_KEY_PATH" + fi + +} + +#domain length +createDomainKey() { + _info "Creating domain key" + if [ -z "$1" ] ; then + echo Usage: createDomainKey domain [2048] + return + fi + + domain=$1 + length=$2 + isec="" + if [[ "$length" == "ec-"* ]] ; then + isec="1" + length=$(printf $length | cut -d '-' -f 2-100) + eccname="$length" + fi + + if [ -z "$length" ] ; then + if [ "$isec" ] ; then + length=256 + else + length=2048 + fi + fi + _info "Use length $length" + + if [ "$isec" ] ; then + if [ "$length" == "256" ] ; then + eccname="prime256v1" + fi + if [ "$length" == "384" ] ; then + eccname="secp384r1" + fi + if [ "$length" == "521" ] ; then + eccname="secp521r1" + fi + _info "Using ec name: $eccname" + fi + + _initpath $domain + + if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then + #generate account key + if [ "$isec" ] ; then + openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH" + else + openssl genrsa $length 2>/dev/null > "$CERT_KEY_PATH" + fi + else + if [ "$IS_RENEW" ] ; then + _info "Domain key exists, skip" + return 0 + else + _err "Domain key exists, do you want to overwrite the key?" + _err "Set FORCE=1, and try again." + return 1 + fi + fi + +} + +# domain domainlist +createCSR() { + _info "Creating csr" + if [ -z "$1" ] ; then + echo Usage: $0 domain [domainlist] + return + fi + domain=$1 + _initpath $domain + + domainlist=$2 + + if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then + _info "CSR exists, skip" + return + fi + + if [ -z "$domainlist" ] ; then + #single domain + _info "Single domain" $domain + openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" > "$CSR_PATH" + else + alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" + #multi + _info "Multi domain" "$alt" + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF" + openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" + fi + +} + +_b64() { + __n=$(cat) + echo $__n | tr '/+' '_-' | tr -d '= ' +} + +_time2str() { + #BSD + if date -u -d@$1 2>/dev/null ; then + return + fi + + #Linux + if date -u -r $1 2>/dev/null ; then + return + fi + +} + +_send_signed_request() { + url=$1 + payload=$2 + needbase64=$3 + + _debug url $url + _debug payload "$payload" + + CURL_HEADER="$LE_WORKING_DIR/curl.header" + dp="$LE_WORKING_DIR/curl.dump" + CURL="curl --silent --dump-header $CURL_HEADER " + if [ "$DEBUG" ] ; then + CURL="$CURL --trace-ascii $dp " + fi + payload64=$(echo -n $payload | _base64 | _b64) + _debug payload64 $payload64 + + nonceurl="$API/directory" + nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)" + + _debug nonce "$nonce" + + protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )" + _debug protected "$protected" + + protected64="$(printf "$protected" | _base64 | _b64)" + _debug protected64 "$protected64" + + sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64) + _debug sig "$sig" + + body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" + _debug body "$body" + + if [ "$needbase64" ] ; then + response="$($CURL -X POST --data "$body" $url | _base64)" + else + response="$($CURL -X POST --data "$body" $url)" + fi + + responseHeaders="$(cat $CURL_HEADER)" + + _debug responseHeaders "$responseHeaders" + _debug response "$response" + code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )" + _debug code $code + +} + +_get() { + url="$1" + _debug url $url + response="$(curl --silent $url)" + ret=$? + _debug response "$response" + code="$(echo $response | grep -o '"status":[0-9]\+' | cut -d : -f 2)" + _debug code $code + return $ret +} + +#setopt "file" "opt" "=" "value" [";"] +_setopt() { + __conf="$1" + __opt="$2" + __sep="$3" + __val="$4" + __end="$5" + if [ -z "$__opt" ] ; then + echo usage: _setopt '"file" "opt" "=" "value" [";"]' + return + fi + if [ ! -f "$__conf" ] ; then + touch "$__conf" + fi + + if grep -H -n "^$__opt$__sep" "$__conf" > /dev/null ; then + _debug OK + if [[ "$__val" == *"&"* ]] ; then + __val="$(echo $__val | sed 's/&/\\&/g')" + fi + text="$(cat $__conf)" + printf "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" + + elif grep -H -n "^#$__opt$__sep" "$__conf" > /dev/null ; then + if [[ "$__val" == *"&"* ]] ; then + __val="$(echo $__val | sed 's/&/\\&/g')" + fi + text="$(cat $__conf)" + printf "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" + + else + _debug APP + echo "" >> "$__conf" + echo "$__opt$__sep$__val$__end" >> "$__conf" + fi + _debug "$(grep -H -n "^$__opt$__sep" $__conf)" +} + +#_savedomainconf key value +#save to domain.conf +_savedomainconf() { + key="$1" + value="$2" + if [ "$DOMAIN_CONF" ] ; then + _setopt $DOMAIN_CONF "$key" "=" "$value" + else + _err "DOMAIN_CONF is empty, can not save $key=$value" + fi +} + +#_saveaccountconf key value +_saveaccountconf() { + key="$1" + value="$2" + if [ "$ACCOUNT_CONF_PATH" ] ; then + _setopt $ACCOUNT_CONF_PATH "$key" "=" "$value" + else + _err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" + fi +} + +_startserver() { + content="$1" + _NC="nc -q 1" + if nc -h 2>&1 | grep "nmap.org/ncat" >/dev/null ; then + _NC="nc" + fi +# while true ; do + if [ "$DEBUG" ] ; then + echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort -vv + else + echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort > /dev/null + fi +# done +} + +_stopserver() { + pid="$1" + +} + +_initpath() { + + if [ -z "$LE_WORKING_DIR" ]; then + LE_WORKING_DIR=$HOME/.le + fi + + if [ -z "$ACCOUNT_CONF_PATH" ] ; then + ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf" + fi + + if [ -f "$ACCOUNT_CONF_PATH" ] ; then + source "$ACCOUNT_CONF_PATH" + fi + + if [ -z "$API" ] ; then + if [ -z "$STAGE" ] ; then + API="$DEFAULT_CA" + else + API="$STAGE_CA" + _info "Using stage api:$API" + fi + fi + + if [ -z "$ACME_DIR" ] ; then + ACME_DIR="/home/.acme" + fi + + if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then + APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/" + fi + + domain="$1" + if ! mkdir -p "$LE_WORKING_DIR" ; then + _err "Can not craete working dir: $LE_WORKING_DIR" + return 1 + fi + + if [ -z "$ACCOUNT_KEY_PATH" ] ; then + ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" + fi + + if [ -z "$domain" ] ; then + return 0 + fi + + domainhome="$LE_WORKING_DIR/$domain" + mkdir -p "$domainhome" + + if [ -z "$DOMAIN_PATH" ] ; then + DOMAIN_PATH="$domainhome" + fi + if [ -z "$DOMAIN_CONF" ] ; then + DOMAIN_CONF="$domainhome/$Le_Domain.conf" + fi + + if [ -z "$DOMAIN_SSL_CONF" ] ; then + DOMAIN_SSL_CONF="$domainhome/$Le_Domain.ssl.conf" + fi + + if [ -z "$CSR_PATH" ] ; then + CSR_PATH="$domainhome/$domain.csr" + fi + if [ -z "$CERT_KEY_PATH" ] ; then + CERT_KEY_PATH="$domainhome/$domain.key" + fi + if [ -z "$CERT_PATH" ] ; then + CERT_PATH="$domainhome/$domain.cer" + fi + if [ -z "$CA_CERT_PATH" ] ; then + CA_CERT_PATH="$domainhome/ca.cer" + fi + +} + + +_apachePath() { + httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )" + httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )" + httpdconf="$httpdroot/$httpdconfname" + if [ ! -f $httpdconf ] ; then + _err "Apache Config file not found" $httpdconf + return 1 + fi + return 0 +} + +_restoreApache() { + if [ -z "$usingApache" ] ; then + return 0 + fi + _initpath + if ! _apachePath ; then + return 1 + fi + + if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then + _debug "No config file to restore." + return 0 + fi + + cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" + if ! apachectl -t ; then + _err "Sorry, restore apache config error, please contact me." + return 1; + fi + rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" + return 0 +} + +_setApache() { + _initpath + if ! _apachePath ; then + return 1 + fi + + #backup the conf + _debug "Backup apache config file" $httpdconf + cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/ + _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" + _info "In case there is an error that can not be restored automatically, you may try restore it yourself." + _info "The backup file will be deleted on sucess, just forget it." + + #add alias + echo " +Alias /.well-known/acme-challenge $ACME_DIR + + +Require all granted + + " >> $httpdconf + + if ! apachectl -t ; then + _err "Sorry, apache config error, please contact me." + _restoreApache + return 1; + fi + + if [ ! -d "$ACME_DIR" ] ; then + mkdir -p "$ACME_DIR" + chmod 755 "$ACME_DIR" + fi + + if ! apachectl graceful ; then + _err "Sorry, apachectl graceful error, please contact me." + _restoreApache + return 1; + fi + usingApache="1" + return 0 +} + +_clearup () { + _stopserver $serverproc + serverproc="" + _restoreApache +} + +# webroot removelevel tokenfile +_clearupwebbroot() { + __webroot="$1" + if [ -z "$__webroot" ] ; then + _debug "no webroot specified, skip" + return 0 + fi + + if [ "$2" == '1' ] ; then + _debug "remove $__webroot/.well-known" + rm -rf "$__webroot/.well-known" + elif [ "$2" == '2' ] ; then + _debug "remove $__webroot/.well-known/acme-challenge" + rm -rf "$__webroot/.well-known/acme-challenge" + elif [ "$2" == '3' ] ; then + _debug "remove $__webroot/.well-known/acme-challenge/$3" + rm -rf "$__webroot/.well-known/acme-challenge/$3" + else + _info "Skip for removelevel:$2" + fi + + return 0 + +} + +issue() { + if [ -z "$2" ] ; then + _err "Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no" + return 1 + fi + Le_Webroot="$1" + Le_Domain="$2" + Le_Alt="$3" + Le_Keylength="$4" + Le_RealCertPath="$5" + Le_RealKeyPath="$6" + Le_RealCACertPath="$7" + Le_ReloadCmd="$8" + + + _initpath $Le_Domain + + if [ -f "$DOMAIN_CONF" ] ; then + Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2) + if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then + _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)" + return 2 + fi + fi + + if [ "$Le_Alt" == "no" ] ; then + Le_Alt="" + fi + if [ "$Le_Keylength" == "no" ] ; then + Le_Keylength="" + fi + if [ "$Le_RealCertPath" == "no" ] ; then + Le_RealCertPath="" + fi + if [ "$Le_RealKeyPath" == "no" ] ; then + Le_RealKeyPath="" + fi + if [ "$Le_RealCACertPath" == "no" ] ; then + Le_RealCACertPath="" + fi + if [ "$Le_ReloadCmd" == "no" ] ; then + Le_ReloadCmd="" + fi + + _setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain" + _setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt" + _setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot" + _setopt "$DOMAIN_CONF" "Le_Keylength" "=" "$Le_Keylength" + _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" + _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" + + if [ "$Le_Webroot" == "no" ] ; then + _info "Standalone mode." + if ! command -v "nc" > /dev/null ; then + _err "Please install netcat(nc) tools first." + return 1 + fi + + if [ -z "$Le_HTTPPort" ] ; then + Le_HTTPPort=80 + fi + _setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort" + + netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")" + if [ "$netprc" ] ; then + _err "$netprc" + _err "tcp port $Le_HTTPPort is already used by $(echo "$netprc" | cut -d : -f 4)" + _err "Please stop it first" + return 1 + fi + fi + + if [ "$Le_Webroot" == "apache" ] ; then + if ! _setApache ; then + _err "set up apache error. Report error to me." + return 1 + fi + wellknown_path="$ACME_DIR" + else + usingApache="" + fi + + createAccountKey $Le_Domain $Le_Keylength + + if ! createDomainKey $Le_Domain $Le_Keylength ; then + _err "Create domain key error." + return 1 + fi + + if ! createCSR $Le_Domain $Le_Alt ; then + _err "Create CSR error." + return 1 + fi + + pub_exp=$(openssl rsa -in $ACCOUNT_KEY_PATH -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) + if [ "${#pub_exp}" == "5" ] ; then + pub_exp=0$pub_exp + fi + _debug pub_exp "$pub_exp" + + e=$(echo $pub_exp | _h2b | _base64) + _debug e "$e" + + modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 ) + n=$(echo $modulus| _h2b | _base64 | _b64 ) + + jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' + + HEADER='{"alg": "RS256", "jwk": '$jwk'}' + HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}' + _debug HEADER "$HEADER" + + accountkey_json=$(echo -n "$jwk" | tr -d ' ' ) + thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64) + + + _info "Registering account" + regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}' + if [ "$ACCOUNT_EMAIL" ] ; then + regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}' + fi + _send_signed_request "$API/acme/new-reg" "$regjson" + + if [ "$code" == "" ] || [ "$code" == '201' ] ; then + _info "Registered" + echo $response > $LE_WORKING_DIR/account.json + elif [ "$code" == '409' ] ; then + _info "Already registered" + else + _err "Register account Error." + _clearup + return 1 + fi + + vtype="$VTYPE_HTTP" + if [[ "$Le_Webroot" == "dns"* ]] ; then + vtype="$VTYPE_DNS" + fi + + vlist="$Le_Vlist" + # verify each domain + _info "Verify each domain" + sep='#' + if [ -z "$vlist" ] ; then + alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) + for d in $alldomains + do + _info "Getting token for domain" $d + _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" + if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then + _err "new-authz error: $response" + _clearup + return 1 + fi + + entry="$(printf $response | egrep -o '{[^{]*"type":"'$vtype'"[^}]*')" + _debug entry "$entry" + + token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" + _debug token $token + + uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" + _debug uri $uri + + keyauthorization="$token.$thumbprint" + _debug keyauthorization "$keyauthorization" + + dvlist="$d$sep$keyauthorization$sep$uri" + _debug dvlist "$dvlist" + + vlist="$vlist$dvlist," + + done + + #add entry + dnsadded="" + ventries=$(echo "$vlist" | tr ',' ' ' ) + for ventry in $ventries + do + d=$(echo $ventry | cut -d $sep -f 1) + keyauthorization=$(echo $ventry | cut -d $sep -f 2) + + if [ "$vtype" == "$VTYPE_DNS" ] ; then + dnsadded='0' + txtdomain="_acme-challenge.$d" + _debug txtdomain "$txtdomain" + txt="$(echo -e -n $keyauthorization | openssl dgst -sha256 -binary | _base64 | _b64)" + _debug txt "$txt" + #dns + #1. check use api + d_api="" + if [ -f "$LE_WORKING_DIR/$d/$Le_Webroot" ] ; then + d_api="$LE_WORKING_DIR/$d/$Le_Webroot" + elif [ -f "$LE_WORKING_DIR/$d/$Le_Webroot.sh" ] ; then + d_api="$LE_WORKING_DIR/$d/$Le_Webroot.sh" + elif [ -f "$LE_WORKING_DIR/$Le_Webroot" ] ; then + d_api="$LE_WORKING_DIR/$Le_Webroot" + elif [ -f "$LE_WORKING_DIR/$Le_Webroot.sh" ] ; then + d_api="$LE_WORKING_DIR/$Le_Webroot.sh" + elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot" ] ; then + d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot" + elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" ] ; then + d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" + fi + _debug d_api "$d_api" + + if [ "$d_api" ]; then + _info "Found domain api file: $d_api" + else + _err "Add the following TXT record:" + _err "Domain: $txtdomain" + _err "TXT value: $txt" + _err "Please be aware that you prepend _acme-challenge. before your domain" + _err "so the resulting subdomain will be: $txtdomain" + continue + fi + + if ! source $d_api ; then + _err "Load file $d_api error. Please check your api file and try again." + return 1 + fi + + addcommand="$Le_Webroot-add" + if ! command -v $addcommand ; then + _err "It seems that your api file is not correct, it must have a function named: $Le_Webroot" + return 1 + fi + + if ! $addcommand $txtdomain $txt ; then + _err "Error add txt for domain:$txtdomain" + return 1 + fi + dnsadded='1' + fi + done + + if [ "$dnsadded" == '0' ] ; then + _setopt "$DOMAIN_CONF" "Le_Vlist" "=" "\"$vlist\"" + _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." + _err "Please add the TXT records to the domains, and retry again." + return 1 + fi + + fi + + if [ "$dnsadded" == '1' ] ; then + _info "Sleep 60 seconds for the txt records to take effect" + sleep 60 + fi + + _debug "ok, let's start to verify" + ventries=$(echo "$vlist" | tr ',' ' ' ) + for ventry in $ventries + do + d=$(echo $ventry | cut -d $sep -f 1) + keyauthorization=$(echo $ventry | cut -d $sep -f 2) + uri=$(echo $ventry | cut -d $sep -f 3) + _info "Verifying:$d" + _debug "d" "$d" + _debug "keyauthorization" "$keyauthorization" + _debug "uri" "$uri" + removelevel="" + token="" + if [ "$vtype" == "$VTYPE_HTTP" ] ; then + if [ "$Le_Webroot" == "no" ] ; then + _info "Standalone mode server" + _startserver "$keyauthorization" & + serverproc="$!" + sleep 2 + _debug serverproc $serverproc + else + if [ -z "$wellknown_path" ] ; then + wellknown_path="$Le_Webroot/.well-known/acme-challenge" + fi + _debug wellknown_path "$wellknown_path" + + if [ ! -d "$Le_Webroot/.well-known" ] ; then + removelevel='1' + elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then + removelevel='2' + else + removelevel='3' + fi + + token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)" + _debug "writing token:$token to $wellknown_path/$token" + + mkdir -p "$wellknown_path" + echo -n "$keyauthorization" > "$wellknown_path/$token" + + webroot_owner=$(stat -c '%U:%G' $Le_Webroot) + _debug "Changing owner/group of .well-known to $webroot_owner" + chown -R $webroot_owner "$Le_Webroot/.well-known" + + fi + fi + + _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" + + if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then + _err "$d:Challenge error: $resource" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1 + fi + + while [ "1" ] ; do + _debug "sleep 5 secs to verify" + sleep 5 + _debug "checking" + + if ! _get $uri ; then + _err "$d:Verify error:$resource" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1 + fi + + status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"') + if [ "$status" == "valid" ] ; then + _info "Success" + _stopserver $serverproc + serverproc="" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + break; + fi + + if [ "$status" == "invalid" ] ; then + error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) + _err "$d:Verify error:$error" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1; + fi + + if [ "$status" == "pending" ] ; then + _info "Pending" + else + _err "$d:Verify error:$response" + _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" + _clearup + return 1 + fi + + done + + done + + _clearup + _info "Verify finished, start to sign." + der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)" + _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" + + + Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)" + _setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert" + + if [ "$Le_LinkCert" ] ; then + echo -----BEGIN CERTIFICATE----- > "$CERT_PATH" + curl --silent "$Le_LinkCert" | openssl base64 -e >> "$CERT_PATH" + echo -----END CERTIFICATE----- >> "$CERT_PATH" + _info "Cert success." + cat "$CERT_PATH" + + _info "Your cert is in $CERT_PATH" + fi + + + if [ -z "$Le_LinkCert" ] ; then + response="$(echo $response | openssl base64 -d -A)" + _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" + return 1 + fi + + _setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\"" + + Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' ) + _setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer" + + if [ "$Le_LinkIssuer" ] ; then + echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH" + curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH" + echo -----END CERTIFICATE----- >> "$CA_CERT_PATH" + _info "The intermediate CA cert is in $CA_CERT_PATH" + fi + + Le_CertCreateTime=$(date -u "+%s") + _setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime" + + Le_CertCreateTimeStr=$(date -u ) + _setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\"" + + if [ ! "$Le_RenewalDays" ] ; then + Le_RenewalDays=80 + fi + + _setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays" + + let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60" + _setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime" + + Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime ) + _setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\"" + + + installcert $Le_Domain "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" + +} + +renew() { + Le_Domain="$1" + if [ -z "$Le_Domain" ] ; then + _err "Usage: $0 domain.com" + return 1 + fi + + _initpath $Le_Domain + + if [ ! -f "$DOMAIN_CONF" ] ; then + _info "$Le_Domain is not a issued domain, skip." + return 0; + fi + + source "$DOMAIN_CONF" + if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then + _info "Skip, Next renewal time is: $Le_NextRenewTimeStr" + return 2 + fi + + IS_RENEW="1" + issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" + local res=$? + IS_RENEW="" + + return $res +} + +renewAll() { + _initpath + _info "renewAll" + + for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do + d=$(echo $d | cut -d '/' -f 1) + _info "renew $d" + + Le_LinkCert="" + Le_Domain="" + Le_Alt="" + Le_Webroot="" + Le_Keylength="" + Le_LinkIssuer="" + + Le_CertCreateTime="" + Le_CertCreateTimeStr="" + Le_RenewalDays="" + Le_NextRenewTime="" + Le_NextRenewTimeStr="" + + Le_RealCertPath="" + Le_RealKeyPath="" + + Le_RealCACertPath="" + + Le_ReloadCmd="" + + DOMAIN_PATH="" + DOMAIN_CONF="" + DOMAIN_SSL_CONF="" + CSR_PATH="" + CERT_KEY_PATH="" + CERT_PATH="" + CA_CERT_PATH="" + ACCOUNT_KEY_PATH="" + + wellknown_path="" + + renew "$d" + done + +} + +installcert() { + Le_Domain="$1" + if [ -z "$Le_Domain" ] ; then + _err "Usage: $0 domain.com [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no" + return 1 + fi + + Le_RealCertPath="$2" + Le_RealKeyPath="$3" + Le_RealCACertPath="$4" + Le_ReloadCmd="$5" + + _initpath $Le_Domain + + _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" + _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" + _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" + + if [ "$Le_RealCertPath" ] ; then + if [ -f "$Le_RealCertPath" ] ; then + cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak + fi + cat "$CERT_PATH" > "$Le_RealCertPath" + fi + + if [ "$Le_RealCACertPath" ] ; then + if [ -f "$Le_RealCACertPath" ] ; then + cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak + fi + if [ "$Le_RealCACertPath" == "$Le_RealCertPath" ] ; then + echo "" >> "$Le_RealCACertPath" + cat "$CA_CERT_PATH" >> "$Le_RealCACertPath" + else + cat "$CA_CERT_PATH" > "$Le_RealCACertPath" + fi + fi + + + if [ "$Le_RealKeyPath" ] ; then + if [ -f "$Le_RealKeyPath" ] ; then + cp -p "$Le_RealKeyPath" "$Le_RealKeyPath".bak + fi + cat "$CERT_KEY_PATH" > "$Le_RealKeyPath" + fi + + if [ "$Le_ReloadCmd" ] ; then + _info "Run Le_ReloadCmd: $Le_ReloadCmd" + (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") + fi + +} + +installcronjob() { + _initpath + _info "Installing cron job" + if ! crontab -l | grep 'le.sh cron' ; then + if [ -f "$LE_WORKING_DIR/le.sh" ] ; then + lesh="\"$LE_WORKING_DIR\"/le.sh" + else + _err "Can not install cronjob, le.sh not found." + return 1 + fi + crontab -l | { cat; echo "0 0 * * * LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null"; } | crontab - + fi + if [ "$?" != "0" ] ; then + _err "Install cron job failed. You need to manually renew your certs." + _err "Or you can add cronjob by yourself:" + _err "LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null" + return 1 + fi +} + +uninstallcronjob() { + _info "Removing cron job" + cr="$(crontab -l | grep 'le.sh cron')" + if [ "$cr" ] ; then + crontab -l | sed "/le.sh cron/d" | crontab - + LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')" + _info LE_WORKING_DIR "$LE_WORKING_DIR" + fi + _initpath + +} + + +# Detect profile file if not specified as environment variable +_detect_profile() { + if [ -n "$PROFILE" -a -f "$PROFILE" ]; then + echo "$PROFILE" + return + fi + + local DETECTED_PROFILE + DETECTED_PROFILE='' + local SHELLTYPE + SHELLTYPE="$(basename "/$SHELL")" + + if [ "$SHELLTYPE" = "bash" ]; then + if [ -f "$HOME/.bashrc" ]; then + DETECTED_PROFILE="$HOME/.bashrc" + elif [ -f "$HOME/.bash_profile" ]; then + DETECTED_PROFILE="$HOME/.bash_profile" + fi + elif [ "$SHELLTYPE" = "zsh" ]; then + DETECTED_PROFILE="$HOME/.zshrc" + fi + + if [ -z "$DETECTED_PROFILE" ]; then + if [ -f "$HOME/.profile" ]; then + DETECTED_PROFILE="$HOME/.profile" + elif [ -f "$HOME/.bashrc" ]; then + DETECTED_PROFILE="$HOME/.bashrc" + elif [ -f "$HOME/.bash_profile" ]; then + DETECTED_PROFILE="$HOME/.bash_profile" + elif [ -f "$HOME/.zshrc" ]; then + DETECTED_PROFILE="$HOME/.zshrc" + fi + fi + + if [ ! -z "$DETECTED_PROFILE" ]; then + echo "$DETECTED_PROFILE" + fi +} + +_initconf() { + _initpath + if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then + echo "#Account configurations: +#Here are the supported macros, uncomment them to make them take effect. +#ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account. + +#STAGE=1 # Use the staging api +#FORCE=1 # Force to issue cert +#DEBUG=1 # Debug mode + +#dns api +####################### +#Cloudflare: +#api key +#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +#account email +#CF_Email="xxxx@sss.com" + +####################### +#Dnspod.cn: +#api key id +#DP_Id="1234" +#api key +#DP_Key="sADDsdasdgdsf" + +####################### +#Cloudxns.com: +#CX_Key="1234" +# +#CX_Secret="sADDsdasdgdsf" + + " > $ACCOUNT_CONF_PATH + fi +} + +install() { + if ! _initpath ; then + _err "Install failed." + return 1 + fi + + #check if there is sudo installed, AND if the current user is a sudoer. + if command -v sudo > /dev/null ; then + if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then + SUDO=sudo + fi + fi + + if command -v yum > /dev/null ; then + YUM="1" + INSTALL="$SUDO yum install -y " + elif command -v apt-get > /dev/null ; then + INSTALL="$SUDO apt-get install -y " + fi + + if ! command -v "curl" > /dev/null ; then + _err "Please install curl first." + _err "$INSTALL curl" + return 1 + fi + + if ! command -v "crontab" > /dev/null ; then + _err "Please install crontab first." + if [ "$YUM" ] ; then + _err "$INSTALL crontabs" + else + _err "$INSTALL crontab" + fi + return 1 + fi + + if ! command -v "openssl" > /dev/null ; then + _err "Please install openssl first." + _err "$INSTALL openssl" + return 1 + fi + + _info "Installing to $LE_WORKING_DIR" + + cp le.sh "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/le.sh" + + if [ "$?" != "0" ] ; then + _err "Install failed, can not copy le.sh" + return 1 + fi + + _info "Installed to $LE_WORKING_DIR/le.sh" + + _profile="$(_detect_profile)" + if [ "$_profile" ] ; then + _debug "Found profile: $_profile" + + echo "LE_WORKING_DIR=$LE_WORKING_DIR +alias le=\"$LE_WORKING_DIR/le.sh\" +alias le.sh=\"$LE_WORKING_DIR/le.sh\" + " > "$LE_WORKING_DIR/le.env" + + _setopt "$_profile" "source \"$LE_WORKING_DIR/le.env\"" + _info "OK, Close and reopen your terminal to start using le" + else + _info "No profile is found, you will need to go into $LE_WORKING_DIR to use le.sh" + fi + + mkdir -p $LE_WORKING_DIR/dnsapi + cp dnsapi/* $LE_WORKING_DIR/dnsapi/ + + #to keep compatible mv the .acc file to .key file + if [ -f "$LE_WORKING_DIR/account.acc" ] ; then + mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key" + fi + + installcronjob + + if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then + _initconf + fi + _info OK +} + +uninstall() { + uninstallcronjob + _initpath + + _profile="$(_detect_profile)" + if [ "$_profile" ] ; then + sed -i /le.env/d "$_profile" + fi + + rm -f $LE_WORKING_DIR/le.sh + _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself." + +} + +cron() { + renewAll +} + +version() { + _info "$PROJECT" + _info "v$VER" +} + +showhelp() { + version + echo "Usage: le.sh [command] ...[args].... +Avalible commands: + +install: + Install le.sh to your system. +issue: + Issue a cert. +installcert: + Install the issued cert to apache/nginx or any other server. +renew: + Renew a cert. +renewAll: + Renew all the certs. +uninstall: + Uninstall le.sh, and uninstall the cron job. +version: + Show version info. +installcronjob: + Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job. +uninstallcronjob: + Uninstall the cron job. The 'uninstall' command can do this automatically. +createAccountKey: + Create an account private key, professional use. +createDomainKey: + Create an domain private key, professional use. +createCSR: + Create CSR , professional use. + " +} + + +if [ -z "$1" ] ; then + showhelp +else + "$@" +fi From 6dfaaa702cf1a37219e2e22b3fa302a5364eca55 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 8 Mar 2016 20:55:54 +0800 Subject: [PATCH 06/13] minor, use "echo" for more compatible --- le.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/le.sh b/le.sh index 5dca6265..e2c19592 100755 --- a/le.sh +++ b/le.sh @@ -285,14 +285,14 @@ _setopt() { __val="$(echo $__val | sed 's/&/\\&/g')" fi text="$(cat $__conf)" - printf "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" + echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" elif grep -H -n "^#$__opt$__sep" "$__conf" > /dev/null ; then if [[ "$__val" == *"&"* ]] ; then __val="$(echo $__val | sed 's/&/\\&/g')" fi text="$(cat $__conf)" - printf "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" + echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" else _debug APP From b86869a0a4909cd9b98b718009e218b88cfd6d4e Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 8 Mar 2016 23:18:48 +0800 Subject: [PATCH 07/13] minor, fix blank line --- le.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/le.sh b/le.sh index e2c19592..7c93e5c3 100755 --- a/le.sh +++ b/le.sh @@ -296,7 +296,6 @@ _setopt() { else _debug APP - echo "" >> "$__conf" echo "$__opt$__sep$__val$__end" >> "$__conf" fi _debug "$(grep -H -n "^$__opt$__sep" $__conf)" @@ -1232,7 +1231,7 @@ install() { alias le=\"$LE_WORKING_DIR/le.sh\" alias le.sh=\"$LE_WORKING_DIR/le.sh\" " > "$LE_WORKING_DIR/le.env" - + echo "" >> "$_profile" _setopt "$_profile" "source \"$LE_WORKING_DIR/le.env\"" _info "OK, Close and reopen your terminal to start using le" else From 5fd3f21b1f7c39f9b5100f74933b4b21f0dd9ae2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Mar 2016 11:32:50 +0100 Subject: [PATCH 08/13] update _initconf with ACCOUNT_KEY_PATH --- le.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/le.sh b/le.sh index 7c93e5c3..06172479 100755 --- a/le.sh +++ b/le.sh @@ -1140,6 +1140,7 @@ _initconf() { echo "#Account configurations: #Here are the supported macros, uncomment them to make them take effect. #ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account. +#ACCOUNT_KEY_PATH=\"/path/to/account.key\" #STAGE=1 # Use the staging api #FORCE=1 # Force to issue cert From 3d49985af886a0de520c27711538b9c250fd3884 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Mar 2016 11:33:24 +0100 Subject: [PATCH 09/13] update _initconf proper " escaping --- le.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/le.sh b/le.sh index 06172479..cfc927a4 100755 --- a/le.sh +++ b/le.sh @@ -1150,22 +1150,22 @@ _initconf() { ####################### #Cloudflare: #api key -#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +#CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\" #account email -#CF_Email="xxxx@sss.com" +#CF_Email=\"xxxx@sss.com\" ####################### #Dnspod.cn: #api key id -#DP_Id="1234" +#DP_Id=\"1234\" #api key -#DP_Key="sADDsdasdgdsf" +#DP_Key=\"sADDsdasdgdsf\" ####################### #Cloudxns.com: -#CX_Key="1234" +#CX_Key=\"1234\" # -#CX_Secret="sADDsdasdgdsf" +#CX_Secret=\"sADDsdasdgdsf\" " > $ACCOUNT_CONF_PATH fi From 1ad65f7d78e3897da776ba7ef79fb06e26ea1e0b Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 9 Mar 2016 22:45:05 +0800 Subject: [PATCH 10/13] fix compatible to pfsense. use "-config" for single domain to override the default openssl config file. --- le.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/le.sh b/le.sh index cfc927a4..f91fc1de 100755 --- a/le.sh +++ b/le.sh @@ -175,7 +175,8 @@ createCSR() { if [ -z "$domainlist" ] ; then #single domain _info "Single domain" $domain - openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" > "$CSR_PATH" + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n" > "$DOMAIN_SSL_CONF" + openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" else alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" #multi @@ -396,11 +397,11 @@ _initpath() { DOMAIN_PATH="$domainhome" fi if [ -z "$DOMAIN_CONF" ] ; then - DOMAIN_CONF="$domainhome/$Le_Domain.conf" + DOMAIN_CONF="$domainhome/$domain.conf" fi if [ -z "$DOMAIN_SSL_CONF" ] ; then - DOMAIN_SSL_CONF="$domainhome/$Le_Domain.ssl.conf" + DOMAIN_SSL_CONF="$domainhome/$domain.ssl.conf" fi if [ -z "$CSR_PATH" ] ; then From 44df29670786fd093b190b46ba5b64c42aaac8bd Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 9 Mar 2016 23:16:46 +0800 Subject: [PATCH 11/13] fix compatible for pfsense. --- le.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/le.sh b/le.sh index f91fc1de..ac975308 100755 --- a/le.sh +++ b/le.sh @@ -205,6 +205,18 @@ _time2str() { } +_stat() { + #Linux + if stat -c '%U:%G' "$1" 2>/dev/null ; then + return + fi + + #BSD + if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then + return + fi +} + _send_signed_request() { url=$1 payload=$2 @@ -819,7 +831,7 @@ issue() { mkdir -p "$wellknown_path" echo -n "$keyauthorization" > "$wellknown_path/$token" - webroot_owner=$(stat -c '%U:%G' $Le_Webroot) + webroot_owner=$(_stat $Le_Webroot) _debug "Changing owner/group of .well-known to $webroot_owner" chown -R $webroot_owner "$Le_Webroot/.well-known" From 7203a1c1a090ac707565a8253560009c9b04c097 Mon Sep 17 00:00:00 2001 From: neil Date: Wed, 9 Mar 2016 23:34:41 +0800 Subject: [PATCH 12/13] fix compatible, 'sed -i' is not supported be freeBSD --- le.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/le.sh b/le.sh index ac975308..95bb541a 100755 --- a/le.sh +++ b/le.sh @@ -1274,7 +1274,8 @@ uninstall() { _profile="$(_detect_profile)" if [ "$_profile" ] ; then - sed -i /le.env/d "$_profile" + text="$(cat $_profile)" + echo "$text" | sed "s|^source.*le.env.*$||" > "$_profile" fi rm -f $LE_WORKING_DIR/le.sh From 54f473d8268efa3520aa6f7664da6db6e03ffe23 Mon Sep 17 00:00:00 2001 From: Neil Date: Wed, 9 Mar 2016 23:42:49 +0800 Subject: [PATCH 13/13] support pfsense --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c7c5b842..0be7453a 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ Do NOT require to be `root/sudoer`. 2. CentOS 3. Windows (cygwin with curl, openssl and crontab included) 4. FreeBSD with bash +5. pfsense with bash and curl #Supported Mode