1 | #!/usr/bin/env sh |
2 | ||
3 | # Script to deploy certificates to remote server by SSH |
4 | # Note that SSH must be able to login to remote host without a password... | |
5 | # SSH Keys must have been exchanged with the remote host. Validate and | |
f158caa2 | 6 | # test that you can login to USER@SERVER from the host running acme.sh before |
7 | # using this script. |
8 | # | |
9 | # The following variables exported from environment will be used. |
10 | # If not set then values previously saved in domain.conf file are used. | |
11 | # | |
12 | # Only a username is required. All others are optional. |
13 | # | |
63134faf | 14 | # The following examples are for QNAP NAS running QTS 4.2 |
3d9608fa | 15 | # export DEPLOY_SSH_CMD="" # defaults to "ssh -T" |
06492067 | 16 | # export DEPLOY_SSH_USER="admin" # required |
3ce7d410 | 17 | # export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port |
18 | # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" |
19 | # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" | |
20 | # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" | |
21 | # export DEPLOY_SSH_FULLCHAIN="" | |
22 | # export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart" | |
554e083f | 23 | # export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value |
f38df4df | 24 | # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy |
554e083f | 25 | # export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value |
# export DEPLOY_SSH_USE_SCP="" # yes or no, default to no
# export DEPLOY_SSH_SCP_CMD="" # defaults to "scp -q"
a4b2cebe | 28 | # |
29 | ######## Public functions ##################### |
31 | #domain keyfile certfile cafile fullchain | |
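#######################################
# Deploy hook entry point (the DEPLOY_SSH_* settings are described in the
# file header).  Each setting is taken from the environment first, otherwise
# from the value previously saved in the domain conf, and then saved back.
# Arguments: $1 domain, $2 key file, $3 cert file, $4 CA file, $5 fullchain
# Globals:   writes _cdomain, _ckey, _ccert, _cca, _cfullchain and the
#            DEPLOY_SSH_* variables; runs _ssh_deploy once per entry in
#            DEPLOY_SSH_SERVER (which is left set to the last entry).
# Returns:   0 when every server succeeded; 1 when DEPLOY_SSH_USER is
#            missing; otherwise the status of the last server that failed.
#######################################
ssh_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _deploy_ssh_servers=""

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # USER is required to login by SSH to remote host.
  _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER
  _getdeployconf DEPLOY_SSH_USER
  _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
  if [ -z "$DEPLOY_SSH_USER" ]; then
    _err "DEPLOY_SSH_USER not defined."
    return 1
  fi
  _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER"

  # SERVER is optional. If not provided then use _cdomain.
  _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER
  _getdeployconf DEPLOY_SSH_SERVER
  _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
  if [ -z "$DEPLOY_SSH_SERVER" ]; then
    DEPLOY_SSH_SERVER="$_cdomain"
  fi
  _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"

  # CMD is optional. If not provided then use ssh.
  _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD
  _getdeployconf DEPLOY_SSH_CMD
  _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
  if [ -z "$DEPLOY_SSH_CMD" ]; then
    DEPLOY_SSH_CMD="ssh -T"
  fi
  _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"

  # BACKUP is optional. If not provided then default to previously saved value or yes.
  _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP
  _getdeployconf DEPLOY_SSH_BACKUP
  _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
  if [ -z "$DEPLOY_SSH_BACKUP" ]; then
    DEPLOY_SSH_BACKUP="yes"
  fi
  _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"

  # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
  _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH
  _getdeployconf DEPLOY_SSH_BACKUP_PATH
  _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
  if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then
    DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"
  fi
  _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"

  # MULTI_CALL is optional. If not provided then default to previously saved
  # value (which may be undefined... equivalent to "no").
  _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL
  _getdeployconf DEPLOY_SSH_MULTI_CALL
  _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
  if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then
    DEPLOY_SSH_MULTI_CALL="no"
  fi
  _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"

  # KEYFILE is optional.
  # If provided then private key will be copied to provided filename.
  _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE
  _getdeployconf DEPLOY_SSH_KEYFILE
  _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
    _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
  fi

  # CERTFILE is optional.
  # If provided then certificate will be copied or appended to provided filename.
  _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE
  _getdeployconf DEPLOY_SSH_CERTFILE
  _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
    _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
  fi

  # CAFILE is optional.
  # If provided then CA intermediate certificate will be copied or appended to provided filename.
  _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE
  _getdeployconf DEPLOY_SSH_CAFILE
  _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
    _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
  fi

  # FULLCHAIN is optional.
  # If provided then fullchain certificate will be copied or appended to provided filename.
  _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN
  _getdeployconf DEPLOY_SSH_FULLCHAIN
  _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
    _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
  fi

  # REMOTE_CMD is optional.
  # If provided then this command will be executed on remote host.
  _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD
  _getdeployconf DEPLOY_SSH_REMOTE_CMD
  _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
    _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
  fi

  # USE_SCP is optional. If not provided then default to previously saved
  # value (which may be undefined... equivalent to "no").
  _getdeployconf DEPLOY_SSH_USE_SCP
  _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
  if [ -z "$DEPLOY_SSH_USE_SCP" ]; then
    DEPLOY_SSH_USE_SCP="no"
  fi
  _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"

  # SCP_CMD is optional. If not provided then use scp.
  _getdeployconf DEPLOY_SSH_SCP_CMD
  _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
  if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then
    DEPLOY_SSH_SCP_CMD="scp -q"
  fi
  _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"

  # scp replaces whole files, so backups must be taken before each copy:
  # that forces one remote call per step, i.e. MULTI_CALL mode.
  if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
    DEPLOY_SSH_MULTI_CALL="yes"
    _info "Using scp as alternate method for copying files. Multicall Mode is implicit"
  elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
    _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
  else
    _info "Required commands batched and sent in single call to remote host"
  fi

  # Deploy to every (whitespace separated) server.  A failure on one server
  # is reported and remembered but the remaining servers are still tried.
  _deploy_ssh_servers="$DEPLOY_SSH_SERVER"
  _deploy_ssh_rv=0
  for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do
    _ssh_deploy
    _deploy_ssh_srv_rv=$?
    if [ "$_deploy_ssh_srv_rv" != "0" ]; then
      _err "Deployment to $DEPLOY_SSH_SERVER failed with error code $_deploy_ssh_srv_rv"
      _deploy_ssh_rv=$_deploy_ssh_srv_rv
    fi
  done
  return $_deploy_ssh_rv
}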
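#######################################
# Deploy the certificate files to the single server currently held in
# DEPLOY_SSH_SERVER ("host" or "host:port").
# Globals:   reads the DEPLOY_SSH_* settings and _cdomain, _ckey, _ccert,
#            _cca, _cfullchain (set by ssh_deploy); writes _host, _port,
#            _cmdstr, _err_code and the _local_*_file staging names.
# Returns:   0 on success, else the exit status of the failing ssh/scp call.
#######################################
_ssh_deploy() {
  _ssh_deploy_run
  _ssh_deploy_rv=$?
  # The staging files can contain the private key: remove them on every
  # exit path, not only after a fully successful run.
  _ssh_deploy_cleanup_local
  return $_ssh_deploy_rv
}

# Remove the local staging files created for scp mode, if any exist.
_ssh_deploy_cleanup_local() {
  for _local_file in "$_local_cert_file" "$_local_ca_file" "$_local_full_file"; do
    if [ -f "$_local_file" ]; then
      rm -f "$_local_file"
    fi
  done
}

# In MULTI_CALL mode submit the commands buffered in _cmdstr right away and
# clear the buffer; otherwise keep buffering for the single call at the end.
# Returns non-zero when the remote call failed (_err_code is then set by
# _ssh_remote_cmd).
_ssh_deploy_flush() {
  if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
    if ! _ssh_remote_cmd "$_cmdstr"; then
      return 1
    fi
    _cmdstr=""
  fi
  return 0
}

# Body of _ssh_deploy: returns at the first failed remote call.
_ssh_deploy_run() {
  _err_code=0
  _cmdstr=""
  _backupprefix=""
  _backupdir=""
  _local_cert_file=""
  _local_ca_file=""
  _local_full_file=""

  # Split an optional ":port" suffix off the server entry.
  case $DEPLOY_SSH_SERVER in
  *:*)
    _host=${DEPLOY_SSH_SERVER%:*}
    _port=${DEPLOY_SSH_SERVER##*:}
    ;;
  *)
    _host=$DEPLOY_SSH_SERVER
    _port=
    ;;
  esac

  _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port"

  if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
    _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup"
    _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')"
    # run cleanup on the backup directory, erase all older
    # than 180 days (15552000 seconds).
    _cmdstr="{ now=\"\$(date -u +%s)\"; for fn in $_backupprefix*; \
do if [ -d \"\$fn\" ] && [ \"\$(expr \$now - \$(date -ur \$fn +%s) )\" -ge \"15552000\" ]; \
then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; done; }; $_cmdstr"
    # Alternate version of above... _cmdstr="find $_backupprefix* -type d -mtime +180 2>/dev/null | xargs rm -rf; $_cmdstr"
    # Create our backup directory for overwritten cert files.
    _cmdstr="mkdir -p $_backupdir; $_cmdstr"
    _info "Backup of old certificate files will be placed in remote directory $_backupdir"
    _info "Backup directories erased after 180 days."
    if ! _ssh_deploy_flush; then
      return $_err_code
    fi
  fi

  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
    if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi

    # copy new key into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then
        return $_err_code
      fi
    else
      # The key material is embedded in the remote command line and the
      # target file is created by the remote shell with that login's umask.
      _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;"
      _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
    _pipe=">"
    if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi

    # copy new certificate into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      # The copy replaces the remote file, so the staging file must hold
      # everything already written to that same name.
      _local_cert_file=$(_mktemp)
      if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
        cat "$_ckey" >>"$_local_cert_file"
      fi
      cat "$_ccert" >>"$_local_cert_file"
      if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;"
      _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
    _pipe=">"
    if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] ||
      [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi

    # copy new certificate into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      _local_ca_file=$(_mktemp)
      if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
        cat "$_ckey" >>"$_local_ca_file"
      fi
      if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
        cat "$_ccert" >>"$_local_ca_file"
      fi
      cat "$_cca" >>"$_local_ca_file"
      if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;"
      _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
    _pipe=">"
    if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] ||
      [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] ||
      [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.  This step previously tested
      # DEPLOY_SSH_FULLCHAIN instead of DEPLOY_SSH_MULTI_CALL, so in scp
      # mode the backup was sent only after the file had been replaced.
      _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi

    # copy new certificate into file.
    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
      _local_full_file=$(_mktemp)
      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then
        cat "$_ckey" >>"$_local_full_file"
      fi
      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then
        cat "$_ccert" >>"$_local_full_file"
      fi
      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
        cat "$_cca" >>"$_local_full_file"
      fi
      cat "$_cfullchain" >>"$_local_full_file"
      if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then
        return $_err_code
      fi
    else
      # ssh echo to the file
      _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;"
      _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN"
      if ! _ssh_deploy_flush; then
        return $_err_code
      fi
    fi
  fi

  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
    _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;"
    _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD"
    if ! _ssh_deploy_flush; then
      return $_err_code
    fi
  fi

  # Batch mode: everything buffered above goes out in one SSH call now.
  if [ -n "$_cmdstr" ]; then
    if ! _ssh_remote_cmd "$_cmdstr"; then
      return $_err_code
    fi
  fi
  return 0
}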
417 | #cmd | |
#######################################
# Run a command sequence on the selected remote host over SSH.
# Arguments: $1 - shell command string to execute remotely
# Globals:   DEPLOY_SSH_CMD, DEPLOY_SSH_USER, _host, _port (read);
#            _err_code (written with the ssh exit status)
# Returns:   the exit status of the ssh command
#######################################
_ssh_remote_cmd() {
  _cmd="$1"

  _ssh_cmd="$DEPLOY_SSH_CMD"
  case "$_port" in
  "") ;;
  *) _ssh_cmd="$_ssh_cmd -p $_port" ;;
  esac

  # The command string may carry key material, hence _secure_debug.
  _secure_debug "Remote commands to execute: $_cmd"
  _info "Submitting sequence of commands to remote server by $_ssh_cmd"

  # $_ssh_cmd is expanded unquoted on purpose so that "ssh -T" splits into
  # words; the command runs inside single quotes on the remote side, so a
  # literal single quote in $_cmd would end that quoting early.
  # shellcheck disable=SC2029
  $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'"
  _err_code="$?"

  [ "$_err_code" = "0" ] || _err "Error code $_err_code returned from ssh"

  return $_err_code
}
441 | # cmd scp | |
#######################################
# Copy one local file to the selected remote host with scp.
# Arguments: $1 - local source path
#            $2 - destination path on the remote host
# Globals:   DEPLOY_SSH_SCP_CMD, DEPLOY_SSH_USER, _host, _port (read);
#            _err_code (written with the scp exit status)
# Returns:   the exit status of the scp command
#######################################
_scp_remote_cmd() {
  _src=$1
  _dest=$2

  # scp takes the port as "-P" (ssh uses "-p").
  _scp_cmd="$DEPLOY_SSH_SCP_CMD"
  case "$_port" in
  "") ;;
  *) _scp_cmd="$_scp_cmd -P $_port" ;;
  esac

  _secure_debug "Remote copy source $_src to destination $_dest"
  _info "Submitting secure copy by $_scp_cmd"

  # $_scp_cmd is expanded unquoted on purpose so that "scp -q" splits into words.
  $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest"
  _err_code="$?"

  [ "$_err_code" = "0" ] || _err "Error code $_err_code returned from scp"

  return $_err_code
}