[mirror_acme.sh.git] / deploy / ssh.sh

#!/usr/bin/env sh

# Script to deploy certificates to remote server by SSH
# Note that SSH must be able to login to remote host without a password...
# SSH Keys must have been exchanged with the remote host.  Validate and
# test that you can login to USER@SERVER from the host running acme.sh before
# using this script.
#
# The following variables exported from environment will be used.
# If not set then values previously saved in domain.conf file are used.
#
# Only a username is required.  All others are optional.
#
# The following examples are for QNAP NAS running QTS 4.2
# export DEPLOY_SSH_CMD=""  # defaults to "ssh -T"
# export DEPLOY_SSH_USER="admin"  # required
# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022"  # defaults to domain name, support multiple servers with optional port
# export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
# export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
# export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
# export DEPLOY_SSH_FULLCHAIN=""
# export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
# export DEPLOY_SSH_BACKUP=""  # yes or no, default to yes or previously saved value
# export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"  # path on remote system. Defaults to .acme_ssh_deploy
# export DEPLOY_SSH_MULTI_CALL=""  # yes or no, default to no or previously saved value
# export DEPLOY_SSH_USE_SCP="" yes or no, default to no
# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q"
#
########  Public functions #####################

#domain keyfile certfile cafile fullchain
ssh_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _deploy_ssh_servers=""

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # USER is required to login by SSH to remote host.
  _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER
  _getdeployconf DEPLOY_SSH_USER
  _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
  if [ -z "$DEPLOY_SSH_USER" ]; then
    _err "DEPLOY_SSH_USER not defined."
    return 1
  fi
  _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER"

  # SERVER is optional. If not provided then use _cdomain
  _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER
  _getdeployconf DEPLOY_SSH_SERVER
  _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
  if [ -z "$DEPLOY_SSH_SERVER" ]; then
    DEPLOY_SSH_SERVER="$_cdomain"
  fi
  _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"

  # CMD is optional. If not provided then use ssh
  _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD
  _getdeployconf DEPLOY_SSH_CMD
  _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
  if [ -z "$DEPLOY_SSH_CMD" ]; then
    DEPLOY_SSH_CMD="ssh -T"
  fi
  _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"

  # BACKUP is optional. If not provided then default to previously saved value or yes.
  _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP
  _getdeployconf DEPLOY_SSH_BACKUP
  _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
  if [ -z "$DEPLOY_SSH_BACKUP" ]; then
    DEPLOY_SSH_BACKUP="yes"
  fi
  _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"

  # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
  _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH
  _getdeployconf DEPLOY_SSH_BACKUP_PATH
  _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
  if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then
    DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"
  fi
  _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"

  # MULTI_CALL is optional. If not provided then default to previously saved
  # value (which may be undefined... equivalent to "no").
  _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL
  _getdeployconf DEPLOY_SSH_MULTI_CALL
  _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
  if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then
    DEPLOY_SSH_MULTI_CALL="no"
  fi
  _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"

  # KEYFILE is optional.
  # If provided then private key will be copied to provided filename.
  _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE
  _getdeployconf DEPLOY_SSH_KEYFILE
  _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
    _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
  fi

  # CERTFILE is optional.
  # If provided then certificate will be copied or appended to provided filename.
  _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE
  _getdeployconf DEPLOY_SSH_CERTFILE
  _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
    _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
  fi

  # CAFILE is optional.
  # If provided then CA intermediate certificate will be copied or appended to provided filename.
  _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE
  _getdeployconf DEPLOY_SSH_CAFILE
  _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
    _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
  fi

  # FULLCHAIN is optional.
  # If provided then fullchain certificate will be copied or appended to provided filename.
  _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN
  _getdeployconf DEPLOY_SSH_FULLCHAIN
  _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
    _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
  fi

  # REMOTE_CMD is optional.
  # If provided then this command will be executed on remote host.
  _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD
  _getdeployconf DEPLOY_SSH_REMOTE_CMD
  _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
    _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
  fi

  # USE_SCP is optional. If not provided then default to previously saved
  # value (which may be undefined... equivalent to "no").
  _getdeployconf DEPLOY_SSH_USE_SCP
  _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
  if [ -z "$DEPLOY_SSH_USE_SCP" ]; then
    DEPLOY_SSH_USE_SCP="no"
  fi
  _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"

  # SCP_CMD is optional. If not provided then use scp
  _getdeployconf DEPLOY_SSH_SCP_CMD
  _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
  if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then
    DEPLOY_SSH_SCP_CMD="scp -q"
  fi
  _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"

  if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
    DEPLOY_SSH_MULTI_CALL="yes"
    _info "Using scp as alternate method for copying files. Multicall Mode is implicit"
  elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
    _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
  else
    _info "Required commands batched and sent in single call to remote host"
  fi

  _deploy_ssh_servers="$DEPLOY_SSH_SERVER"
  for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do
    _ssh_deploy
  done
}

_ssh_deploy() {
  _err_code=0
  _cmdstr=""
  _backupprefix=""
  _backupdir=""
  _local_cert_file=""
  _local_ca_file=""
  _local_full_file=""

  case $DEPLOY_SSH_SERVER in
  *:*)
    _host=${DEPLOY_SSH_SERVER%:*}
    _port=${DEPLOY_SSH_SERVER##*:}
    ;;
  *)
    _host=$DEPLOY_SSH_SERVER
    _port=
    ;;
  esac

  _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port"

  if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
    _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup"
    _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')"
    # run cleanup on the backup directory, erase all older
    # than 180 days (15552000 seconds).
    _cmdstr="{ now=\"\$(date -u +%s)\"; for fn in $_backupprefix*; \
do if [ -d \"\$fn\" ] && [ \"\$(expr \$now - \$(date -ur \$fn +%s) )\" -ge \"15552000\" ]; \
then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; done; }; $_cmdstr"
    # Alternate version of above... _cmdstr="find $_backupprefix* -type d -mtime +180 2>/dev/null | xargs rm -rf; $_cmdstr"
    # Create our backup directory for overwritten cert files.
    _cmdstr="mkdir -p $_backupdir; $_cmdstr"
    _info "Backup of old certificate files will be placed in remote directory $_backupdir"
    _info "Backup directories erased after 180 days."
    if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
      if ! _ssh_remote_cmd "$_cmdstr"; then
        return $_err_code
      fi
      _cmdstr=""
    fi
  fi

  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
    if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi

    # copy new key into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      # scp the file
      if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;"
      _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
    _pipe=">"
    if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi

    # copy new certificate into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      # scp the file
      _local_cert_file=$(_mktemp)
      if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
        cat "$_ckey" >>"$_local_cert_file"
      fi
      cat "$_ccert" >>"$_local_cert_file"
      if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;"
      _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
    _pipe=">"
    if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] ||
      [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi

    # copy new certificate into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      # scp the file
      _local_ca_file=$(_mktemp)
      if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
        cat "$_ckey" >>"$_local_ca_file"
      fi
      if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
        cat "$_ccert" >>"$_local_ca_file"
      fi
      cat "$_cca" >>"$_local_ca_file"
      if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;"
      _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
    _pipe=">"
    if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] ||
      [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] ||
      [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;"
      if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi

    # copy new certificate into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      # scp the file
      _local_full_file=$(_mktemp)
      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then
        cat "$_ckey" >>"$_local_full_file"
      fi
      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then
        cat "$_ccert" >>"$_local_full_file"
      fi
      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
        cat "$_cca" >>"$_local_full_file"
      fi
      cat "$_cfullchain" >>"$_local_full_file"
      if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;"
      _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN"
      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
        if ! _ssh_remote_cmd "$_cmdstr"; then
          return $_err_code
        fi
        _cmdstr=""
      fi
    fi
  fi

  # cleanup local files if any
  if [ -f "$_local_cert_file" ]; then
    rm -f "$_local_cert_file"
  fi
  if [ -f "$_local_ca_file" ]; then
    rm -f "$_local_ca_file"
  fi
  if [ -f "$_local_full_file" ]; then
    rm -f "$_local_full_file"
  fi

  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
    _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;"
    _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD"
    if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
      if ! _ssh_remote_cmd "$_cmdstr"; then
        return $_err_code
      fi
      _cmdstr=""
    fi
  fi

  # if commands not all sent in multiple calls then all commands sent in a single SSH call now...
  if [ -n "$_cmdstr" ]; then
    if ! _ssh_remote_cmd "$_cmdstr"; then
      return $_err_code
    fi
  fi
  # cleanup in case all is ok
  return 0
}

#cmd
_ssh_remote_cmd() {
  _cmd="$1"

  _ssh_cmd="$DEPLOY_SSH_CMD"
  if [ -n "$_port" ]; then
    _ssh_cmd="$_ssh_cmd -p $_port"
  fi

  _secure_debug "Remote commands to execute: $_cmd"
  _info "Submitting sequence of commands to remote server by $_ssh_cmd"

  # quotations in bash cmd below intended.  Squash travis spellcheck error
  # shellcheck disable=SC2029
  $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'"
  _err_code="$?"

  if [ "$_err_code" != "0" ]; then
    _err "Error code $_err_code returned from ssh"
  fi

  return $_err_code
}

# cmd scp
_scp_remote_cmd() {
  _src=$1
  _dest=$2

  _scp_cmd="$DEPLOY_SSH_SCP_CMD"
  if [ -n "$_port" ]; then
    _scp_cmd="$_scp_cmd -P $_port"
  fi

  _secure_debug "Remote copy source $_src to destination $_dest"
  _info "Submitting secure copy by $_scp_cmd"

  $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest"
  _err_code="$?"

  if [ "$_err_code" != "0" ]; then
    _err "Error code $_err_code returned from scp"
  fi

  return $_err_code
}
Commit	Line	Data
989651c2 DK	1	#!/usr/bin/env sh
989651c2 DK	2
7d75ad4c DK	3	# Script to deploy certificates to remote server by SSH
	4	# Note that SSH must be able to login to remote host without a password...
	5	# SSH Keys must have been exchanged with the remote host. Validate and
f158caa2	6	# test that you can login to USER@SERVER from the host running acme.sh before
7d75ad4c DK	7	# using this script.
7d75ad4c DK	8	#
989651c2 DK	9	# The following variables exported from environment will be used.
	10	# If not set then values previously saved in domain.conf file are used.
	11	#
7d75ad4c DK	12	# Only a username is required. All others are optional.
7d75ad4c DK	13	#
63134faf	14	# The following examples are for QNAP NAS running QTS 4.2
3d9608fa	15	# export DEPLOY_SSH_CMD="" # defaults to "ssh -T"
06492067	16	# export DEPLOY_SSH_USER="admin" # required
3ce7d410	17	# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port
06492067 DK	18	# export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
	19	# export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
	20	# export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
	21	# export DEPLOY_SSH_FULLCHAIN=""
	22	# export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
554e083f	23	# export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value
f38df4df	24	# export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy
554e083f	25	# export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value
9fb5bb62 PE	26	# export DEPLOY_SSH_USE_SCP="" yes or no, default to no
9fb5bb62 PE	27	# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q"
a4b2cebe	28	#
989651c2 DK	29	######## Public functions #####################
	30
	31	#domain keyfile certfile cafile fullchain
3be5a68e	32	ssh_deploy() {
989651c2 DK	33	_cdomain="$1"
	34	_ckey="$2"
	35	_ccert="$3"
	36	_cca="$4"
	37	_cfullchain="$5"
a78a09f5	38	_deploy_ssh_servers=""
989651c2 DK	39
	40	_debug _cdomain "$_cdomain"
	41	_debug _ckey "$_ckey"
	42	_debug _ccert "$_ccert"
	43	_debug _cca "$_cca"
	44	_debug _cfullchain "$_cfullchain"
	45
7d75ad4c	46	# USER is required to login by SSH to remote host.
9fb5bb62	47	_migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER
c43c711f GS	48	_getdeployconf DEPLOY_SSH_USER
c43c711f GS	49	_debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
06492067	50	if [ -z "$DEPLOY_SSH_USER" ]; then
9fb5bb62 PE	51	_err "DEPLOY_SSH_USER not defined."
9fb5bb62 PE	52	return 1
7d75ad4c	53	fi
9fb5bb62	54	_savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
7d75ad4c	55
f158caa2	56	# SERVER is optional. If not provided then use _cdomain
9fb5bb62	57	_migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER
c43c711f GS	58	_getdeployconf DEPLOY_SSH_SERVER
c43c711f GS	59	_debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
9fb5bb62 PE	60	if [ -z "$DEPLOY_SSH_SERVER" ]; then
9fb5bb62 PE	61	DEPLOY_SSH_SERVER="$_cdomain"
989651c2	62	fi
9fb5bb62	63	_savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
62e7d904	64
68d708e5	65	# CMD is optional. If not provided then use ssh
9fb5bb62	66	_migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD
c43c711f GS	67	_getdeployconf DEPLOY_SSH_CMD
c43c711f GS	68	_debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
9fb5bb62 PE	69	if [ -z "$DEPLOY_SSH_CMD" ]; then
9fb5bb62 PE	70	DEPLOY_SSH_CMD="ssh -T"
20d23fcb	71	fi
9fb5bb62	72	_savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
20d23fcb	73
554e083f	74	# BACKUP is optional. If not provided then default to previously saved value or yes.
9fb5bb62	75	_migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP
c43c711f GS	76	_getdeployconf DEPLOY_SSH_BACKUP
c43c711f GS	77	_debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
9fb5bb62 PE	78	if [ -z "$DEPLOY_SSH_BACKUP" ]; then
9fb5bb62 PE	79	DEPLOY_SSH_BACKUP="yes"
a4b2cebe	80	fi
9fb5bb62	81	_savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
a4b2cebe	82
f38df4df	83	# BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
9fb5bb62	84	_migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH
c43c711f GS	85	_getdeployconf DEPLOY_SSH_BACKUP_PATH
c43c711f GS	86	_debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
9fb5bb62 PE	87	if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then
9fb5bb62 PE	88	DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"
f38df4df	89	fi
9fb5bb62	90	_savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
f38df4df	91
554e083f	92	# MULTI_CALL is optional. If not provided then default to previously saved
554e083f	93	# value (which may be undefined... equivalent to "no").
9fb5bb62	94	_migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL
c43c711f GS	95	_getdeployconf DEPLOY_SSH_MULTI_CALL
c43c711f GS	96	_debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
9fb5bb62 PE	97	if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then
	98	DEPLOY_SSH_MULTI_CALL="no"
	99	fi
	100	_savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
	101
	102	# KEYFILE is optional.
	103	# If provided then private key will be copied to provided filename.
	104	_migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE
	105	_getdeployconf DEPLOY_SSH_KEYFILE
	106	_debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
	107	if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
	108	_savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
	109	fi
	110
	111	# CERTFILE is optional.
	112	# If provided then certificate will be copied or appended to provided filename.
	113	_migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE
	114	_getdeployconf DEPLOY_SSH_CERTFILE
	115	_debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
	116	if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
	117	_savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
	118	fi
	119
	120	# CAFILE is optional.
	121	# If provided then CA intermediate certificate will be copied or appended to provided filename.
	122	_migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE
	123	_getdeployconf DEPLOY_SSH_CAFILE
	124	_debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
	125	if [ -n "$DEPLOY_SSH_CAFILE" ]; then
	126	_savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
	127	fi
	128
	129	# FULLCHAIN is optional.
	130	# If provided then fullchain certificate will be copied or appended to provided filename.
	131	_migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN
	132	_getdeployconf DEPLOY_SSH_FULLCHAIN
	133	_debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
	134	if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
	135	_savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
	136	fi
	137
	138	# REMOTE_CMD is optional.
	139	# If provided then this command will be executed on remote host.
	140	_migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD
	141	_getdeployconf DEPLOY_SSH_REMOTE_CMD
	142	_debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
	143	if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
	144	_savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
cc820e97	145	fi
f73a4944	146
20d23fcb	147	# USE_SCP is optional. If not provided then default to previously saved
20d23fcb	148	# value (which may be undefined... equivalent to "no").
9fb5bb62 PE	149	_getdeployconf DEPLOY_SSH_USE_SCP
	150	_debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
	151	if [ -z "$DEPLOY_SSH_USE_SCP" ]; then
	152	DEPLOY_SSH_USE_SCP="no"
20d23fcb	153	fi
9fb5bb62	154	_savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
20d23fcb	155
20d23fcb	156	# SCP_CMD is optional. If not provided then use scp
9fb5bb62 PE	157	_getdeployconf DEPLOY_SSH_SCP_CMD
	158	_debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
	159	if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then
	160	DEPLOY_SSH_SCP_CMD="scp -q"
	161	fi
	162	_savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
	163
	164	if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
	165	DEPLOY_SSH_MULTI_CALL="yes"
	166	_info "Using scp as alternate method for copying files. Multicall Mode is implicit"
	167	elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
	168	_info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
	169	else
	170	_info "Required commands batched and sent in single call to remote host"
20d23fcb	171	fi
20d23fcb	172
d2a9d731	173	_deploy_ssh_servers="$DEPLOY_SSH_SERVER"
9fb5bb62	174	for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do
a78a09f5 PE	175	_ssh_deploy
	176	done
	177	}
	178
	179	_ssh_deploy() {
	180	_err_code=0
	181	_cmdstr=""
	182	_backupprefix=""
	183	_backupdir=""
20d23fcb	184	_local_cert_file=""
	185	_local_ca_file=""
	186	_local_full_file=""
a78a09f5	187
c8929ca0	188	case $DEPLOY_SSH_SERVER in
74f28021 PE	189	:)
	190	_host=${DEPLOY_SSH_SERVER%:*}
	191	_port=${DEPLOY_SSH_SERVER##*:}
	192	;;
	193	*)
	194	_host=$DEPLOY_SSH_SERVER
	195	_port=
	196	;;
c8929ca0 PE	197	esac
	198
	199	_info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port"
989651c2	200
9fb5bb62 PE	201	if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
9fb5bb62 PE	202	_backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup"
f38df4df	203	_backupdir="$_backupprefix-$(_utc_date \| tr ' ' '-')"
283b04df	204	# run cleanup on the backup directory, erase all older
	205	# than 180 days (15552000 seconds).
	206	_cmdstr="{ now=\"\$(date -u +%s)\"; for fn in $_backupprefix*; \
	207	do if [ -d \"\$fn\" ] && [ \"\$(expr \$now - \$(date -ur \$fn +%s) )\" -ge \"15552000\" ]; \
	208	then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; done; }; $_cmdstr"
	209	# Alternate version of above... _cmdstr="find $_backupprefix* -type d -mtime +180 2>/dev/null \| xargs rm -rf; $_cmdstr"
	210	# Create our backup directory for overwritten cert files.
	211	_cmdstr="mkdir -p $_backupdir; $_cmdstr"
	212	_info "Backup of old certificate files will be placed in remote directory $_backupdir"
	213	_info "Backup directories erased after 180 days."
9fb5bb62	214	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
cc820e97	215	if ! _ssh_remote_cmd "$_cmdstr"; then
	216	return $_err_code
	217	fi
	218	_cmdstr=""
	219	fi
283b04df	220	fi
283b04df	221
06492067	222	if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
9fb5bb62	223	if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
a4b2cebe	224	# backup file we are about to overwrite.
9fb5bb62 PE	225	_cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;"
9fb5bb62 PE	226	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	227	if ! _ssh_remote_cmd "$_cmdstr"; then
	228	return $_err_code
	229	fi
	230	_cmdstr=""
	231	fi
a4b2cebe	232	fi
20d23fcb	233
20d23fcb	234	# copy new key into file.
9fb5bb62	235	if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
20d23fcb	236	# scp the file
9fb5bb62	237	if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then
08d60fcb	238	return $_err_code
20d23fcb	239	fi
20d23fcb	240	else
9fb5bb62 PE	241	# ssh echo to the file
	242	_cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;"
	243	_info "will copy private key to remote file $DEPLOY_SSH_KEYFILE"
	244	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	245	if ! _ssh_remote_cmd "$_cmdstr"; then
	246	return $_err_code
	247	fi
	248	_cmdstr=""
cc820e97	249	fi
cc820e97	250	fi
989651c2 DK	251	fi
989651c2 DK	252
06492067	253	if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
a4b2cebe	254	_pipe=">"
9fb5bb62	255	if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
68d708e5 DK	256	# if filename is same as previous file then append.
68d708e5 DK	257	_pipe=">>"
9fb5bb62	258	elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
7d75ad4c	259	# backup file we are about to overwrite.
9fb5bb62 PE	260	_cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;"
9fb5bb62 PE	261	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	262	if ! _ssh_remote_cmd "$_cmdstr"; then
	263	return $_err_code
	264	fi
	265	_cmdstr=""
	266	fi
989651c2	267	fi
20d23fcb	268
9fb5bb62 PE	269	# copy new certificate into file.
	270	if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
	271	# scp the file
	272	_local_cert_file=$(_mktemp)
	273	if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
f90cbb63	274	cat "$_ckey" >>"$_local_cert_file"
9fb5bb62	275	fi
f90cbb63	276	cat "$_ccert" >>"$_local_cert_file"
9fb5bb62 PE	277	if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then
9fb5bb62 PE	278	return $_err_code
20d23fcb	279	fi
20d23fcb	280	else
9fb5bb62 PE	281	# ssh echo to the file
	282	_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;"
	283	_info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE"
	284	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	285	if ! _ssh_remote_cmd "$_cmdstr"; then
	286	return $_err_code
	287	fi
	288	_cmdstr=""
cc820e97	289	fi
cc820e97	290	fi
989651c2 DK	291	fi
989651c2 DK	292
06492067	293	if [ -n "$DEPLOY_SSH_CAFILE" ]; then
a4b2cebe	294	_pipe=">"
9fb5bb62 PE	295	if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] \|\|
9fb5bb62 PE	296	[ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
68d708e5 DK	297	# if filename is same as previous file then append.
68d708e5 DK	298	_pipe=">>"
9fb5bb62	299	elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
68d708e5	300	# backup file we are about to overwrite.
9fb5bb62 PE	301	_cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;"
9fb5bb62 PE	302	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	303	if ! _ssh_remote_cmd "$_cmdstr"; then
	304	return $_err_code
	305	fi
	306	_cmdstr=""
	307	fi
68d708e5	308	fi
20d23fcb	309
9fb5bb62 PE	310	# copy new certificate into file.
	311	if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
	312	# scp the file
	313	_local_ca_file=$(_mktemp)
	314	if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
f90cbb63	315	cat "$_ckey" >>"$_local_ca_file"
9fb5bb62 PE	316	fi
9fb5bb62 PE	317	if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
f90cbb63	318	cat "$_ccert" >>"$_local_ca_file"
9fb5bb62 PE	319	fi
	320	cat "$_cca" >>"$_local_ca_file"
	321	if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then
	322	return $_err_code
20d23fcb	323	fi
20d23fcb	324	else
9fb5bb62 PE	325	# ssh echo to the file
	326	_cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;"
	327	_info "will copy CA file to remote file $DEPLOY_SSH_CAFILE"
	328	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	329	if ! _ssh_remote_cmd "$_cmdstr"; then
	330	return $_err_code
	331	fi
	332	_cmdstr=""
cc820e97	333	fi
cc820e97	334	fi
989651c2 DK	335	fi
989651c2 DK	336
06492067	337	if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
a4b2cebe	338	_pipe=">"
9fb5bb62 PE	339	if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] \|\|
	340	[ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] \|\|
	341	[ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
68d708e5 DK	342	# if filename is same as previous file then append.
68d708e5 DK	343	_pipe=">>"
9fb5bb62	344	elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
68d708e5	345	# backup file we are about to overwrite.
9fb5bb62 PE	346	_cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;"
9fb5bb62 PE	347	if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then
20d23fcb	348	if ! _ssh_remote_cmd "$_cmdstr"; then
	349	return $_err_code
	350	fi
	351	_cmdstr=""
	352	fi
68d708e5	353	fi
20d23fcb	354
9fb5bb62 PE	355	# copy new certificate into file.
	356	if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
	357	# scp the file
	358	_local_full_file=$(_mktemp)
	359	if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then
f90cbb63	360	cat "$_ckey" >>"$_local_full_file"
9fb5bb62 PE	361	fi
9fb5bb62 PE	362	if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then
f90cbb63	363	cat "$_ccert" >>"$_local_full_file"
9fb5bb62 PE	364	fi
9fb5bb62 PE	365	if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
f90cbb63	366	cat "$_cca" >>"$_local_full_file"
9fb5bb62	367	fi
f90cbb63	368	cat "$_cfullchain" >>"$_local_full_file"
9fb5bb62 PE	369	if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then
9fb5bb62 PE	370	return $_err_code
20d23fcb	371	fi
20d23fcb	372	else
9fb5bb62 PE	373	# ssh echo to the file
	374	_cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;"
	375	_info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN"
	376	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
20d23fcb	377	if ! _ssh_remote_cmd "$_cmdstr"; then
	378	return $_err_code
	379	fi
	380	_cmdstr=""
cc820e97	381	fi
cc820e97	382	fi
989651c2	383	fi
20d23fcb	384
9fb5bb62 PE	385	# cleanup local files if any
	386	if [ -f "$_local_cert_file" ]; then
	387	rm -f "$_local_cert_file"
20d23fcb	388	fi
9fb5bb62 PE	389	if [ -f "$_local_ca_file" ]; then
9fb5bb62 PE	390	rm -f "$_local_ca_file"
20d23fcb	391	fi
9fb5bb62 PE	392	if [ -f "$_local_full_file" ]; then
9fb5bb62 PE	393	rm -f "$_local_full_file"
20d23fcb	394	fi
20d23fcb	395
06492067	396	if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
9fb5bb62 PE	397	_cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;"
	398	_info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD"
	399	if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
cc820e97	400	if ! _ssh_remote_cmd "$_cmdstr"; then
	401	return $_err_code
	402	fi
	403	_cmdstr=""
	404	fi
989651c2 DK	405	fi
989651c2 DK	406
8ba573d1	407	# if commands not all sent in multiple calls then all commands sent in a single SSH call now...
cc820e97	408	if [ -n "$_cmdstr" ]; then
	409	if ! _ssh_remote_cmd "$_cmdstr"; then
	410	return $_err_code
	411	fi
6420d123	412	fi
20d23fcb	413	# cleanup in case all is ok
6420d123	414	return 0
	415	}
	416
	417	#cmd
	418	_ssh_remote_cmd() {
	419	_cmd="$1"
c8929ca0 PE	420
	421	_ssh_cmd="$DEPLOY_SSH_CMD"
	422	if [ -n "$_port" ]; then
	423	_ssh_cmd="$_ssh_cmd -p $_port"
	424	fi
	425
6420d123	426	_secure_debug "Remote commands to execute: $_cmd"
c8929ca0	427	_info "Submitting sequence of commands to remote server by $_ssh_cmd"
9fb5bb62	428
3812b275 DK	429	# quotations in bash cmd below intended. Squash travis spellcheck error
3812b275 DK	430	# shellcheck disable=SC2029
c8929ca0	431	$_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'"
6420d123	432	_err_code="$?"
68d708e5	433
6420d123	434	if [ "$_err_code" != "0" ]; then
46ee74ed	435	_err "Error code $_err_code returned from ssh"
68d708e5	436	fi
989651c2	437
6420d123	438	return $_err_code
989651c2	439	}
20d23fcb	440
	441	# cmd scp
	442	_scp_remote_cmd() {
9fb5bb62 PE	443	_src=$1
9fb5bb62 PE	444	_dest=$2
9fb5bb62	445
c8929ca0 PE	446	_scp_cmd="$DEPLOY_SSH_SCP_CMD"
	447	if [ -n "$_port" ]; then
	448	_scp_cmd="$_scp_cmd -P $_port"
	449	fi
	450
	451	_secure_debug "Remote copy source $_src to destination $_dest"
	452	_info "Submitting secure copy by $_scp_cmd"
	453
	454	$_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest"
20d23fcb	455	_err_code="$?"
	456
	457	if [ "$_err_code" != "0" ]; then
	458	_err "Error code $_err_code returned from scp"
	459	fi
	460
	461	return $_err_code
	462	}