]>
Commit | Line | Data |
---|---|---|
e009ec8b | 1 | #!/usr/bin/env sh |
2 | ||
3 | # | |
4 | #AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" | |
5 | # | |
6 | #AWS_SECRET_ACCESS_KEY="xxxxxxx" | |
7 | ||
8 | #This is the Amazon Route53 api wrapper for acme.sh | |
a22d3b23 | 9 | #All `_sleep` commands are included to avoid Route53 throttling, see |
df357521 | 10 | #https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests |
e009ec8b | 11 | |
12 | AWS_HOST="route53.amazonaws.com" | |
13 | AWS_URL="https://$AWS_HOST" | |
14 | ||
d795fac3 | 15 | AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API" |
e009ec8b | 16 | |
17 | ######## Public functions ##################### | |
18 | ||
19 | #Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" | |
20 | dns_aws_add() { | |
21 | fulldomain=$1 | |
22 | txtvalue=$2 | |
23 | ||
693627a8 MG |
24 | AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" |
25 | AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" | |
b64f0ba8 | 26 | AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}" |
693627a8 MG |
27 | |
28 | if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then | |
f49f55f4 | 29 | _use_container_role || _use_instance_role |
48eaa0e5 MG |
30 | fi |
31 | ||
e009ec8b | 32 | if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then |
33 | AWS_ACCESS_KEY_ID="" | |
34 | AWS_SECRET_ACCESS_KEY="" | |
4fbd21da | 35 | _err "You haven't specifed the aws route53 api key id and and api key secret yet." |
60814ecf | 36 | _err "Please create your key and try again. see $(__green $AWS_WIKI)" |
e009ec8b | 37 | return 1 |
38 | fi | |
39 | ||
693627a8 | 40 | #save for future use, unless using a role which will be fetched as needed |
759f4f2c | 41 | if [ -z "$_using_role" ]; then |
48eaa0e5 MG |
42 | _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" |
43 | _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" | |
b64f0ba8 | 44 | _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE" |
48eaa0e5 | 45 | fi |
e009ec8b | 46 | |
47 | _debug "First detect the root zone" | |
48 | if ! _get_root "$fulldomain"; then | |
49 | _err "invalid domain" | |
a22d3b23 | 50 | _sleep 1 |
e009ec8b | 51 | return 1 |
52 | fi | |
53 | _debug _domain_id "$_domain_id" | |
54 | _debug _sub_domain "$_sub_domain" | |
55 | _debug _domain "$_domain" | |
56 | ||
688fe131 | 57 | _info "Getting existing records for $fulldomain" |
64f07d9b | 58 | if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then |
a22d3b23 | 59 | _sleep 1 |
64f07d9b | 60 | return 1 |
61 | fi | |
62 | ||
63 | if _contains "$response" "<Name>$fulldomain.</Name>"; then | |
5f345d20 | 64 | _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")" |
64f07d9b | 65 | _debug "_resource_record" "$_resource_record" |
66 | else | |
67 | _debug "single new add" | |
68 | fi | |
69 | ||
70 | if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then | |
4fbd21da | 71 | _info "The TXT record already exists. Skipping." |
a22d3b23 | 72 | _sleep 1 |
64f07d9b | 73 | return 0 |
74 | fi | |
75 | ||
76 | _debug "Adding records" | |
77 | ||
78 | _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>" | |
16d79eba | 79 | |
e009ec8b | 80 | if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then |
4fbd21da | 81 | _info "TXT record updated successfully." |
b64f0ba8 SM |
82 | if [ -n "$AWS_DNS_SLOWRATE" ]; then |
83 | _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds" | |
84 | _sleep "$AWS_DNS_SLOWRATE" | |
37978b4f SM |
85 | else |
86 | _sleep 1 | |
3021c5cf | 87 | fi |
37978b4f | 88 | |
e009ec8b | 89 | return 0 |
90 | fi | |
a22d3b23 | 91 | _sleep 1 |
16d79eba | 92 | return 1 |
e009ec8b | 93 | } |
94 | ||
dfbc244b | 95 | #fulldomain txtvalue |
e009ec8b | 96 | dns_aws_rm() { |
97 | fulldomain=$1 | |
dfbc244b | 98 | txtvalue=$2 |
99 | ||
693627a8 MG |
100 | AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" |
101 | AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" | |
b64f0ba8 | 102 | AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}" |
693627a8 MG |
103 | |
104 | if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then | |
f49f55f4 | 105 | _use_container_role || _use_instance_role |
48eaa0e5 MG |
106 | fi |
107 | ||
dfbc244b | 108 | _debug "First detect the root zone" |
109 | if ! _get_root "$fulldomain"; then | |
110 | _err "invalid domain" | |
a22d3b23 | 111 | _sleep 1 |
dfbc244b | 112 | return 1 |
113 | fi | |
114 | _debug _domain_id "$_domain_id" | |
115 | _debug _sub_domain "$_sub_domain" | |
116 | _debug _domain "$_domain" | |
117 | ||
4fbd21da | 118 | _info "Getting existing records for $fulldomain" |
64f07d9b | 119 | if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then |
a22d3b23 | 120 | _sleep 1 |
64f07d9b | 121 | return 1 |
122 | fi | |
123 | ||
124 | if _contains "$response" "<Name>$fulldomain.</Name>"; then | |
5f345d20 | 125 | _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")" |
64f07d9b | 126 | _debug "_resource_record" "$_resource_record" |
127 | else | |
4fbd21da | 128 | _debug "no records exist, skip" |
a22d3b23 | 129 | _sleep 1 |
64f07d9b | 130 | return 0 |
131 | fi | |
132 | ||
133 | _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>" | |
dfbc244b | 134 | |
135 | if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then | |
4fbd21da | 136 | _info "TXT record deleted successfully." |
b64f0ba8 SM |
137 | if [ -n "$AWS_DNS_SLOWRATE" ]; then |
138 | _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds" | |
139 | _sleep "$AWS_DNS_SLOWRATE" | |
37978b4f SM |
140 | else |
141 | _sleep 1 | |
ea6a3c09 | 142 | fi |
37978b4f | 143 | |
dfbc244b | 144 | return 0 |
145 | fi | |
a22d3b23 | 146 | _sleep 1 |
dfbc244b | 147 | return 1 |
e009ec8b | 148 | |
149 | } | |
150 | ||
329174b6 | 151 | #################### Private functions below ################################## |
e009ec8b | 152 | |
153 | _get_root() { | |
154 | domain=$1 | |
155 | i=2 | |
156 | p=1 | |
16d79eba | 157 | |
e009ec8b | 158 | if aws_rest GET "2013-04-01/hostedzone"; then |
e009ec8b | 159 | while true; do |
160 | h=$(printf "%s" "$domain" | cut -d . -f $i-100) | |
872bfe47 | 161 | _debug2 "Checking domain: $h" |
e009ec8b | 162 | if [ -z "$h" ]; then |
f7217c5f | 163 | if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then |
1f4e64f8 | 164 | _debug "IsTruncated" |
165 | _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)" | |
166 | _debug "NextMarker" "$_nextMarker" | |
fc9649db | 167 | if aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"; then |
1f4e64f8 | 168 | _debug "Truncated request OK" |
169 | i=2 | |
170 | p=1 | |
171 | continue | |
172 | else | |
173 | _err "Truncated request error." | |
174 | fi | |
175 | fi | |
e009ec8b | 176 | #not valid |
872bfe47 | 177 | _err "Invalid domain" |
e009ec8b | 178 | return 1 |
179 | fi | |
180 | ||
181 | if _contains "$response" "<Name>$h.</Name>"; then | |
cc1d3b20 | 182 | hostedzone="$(echo "$response" | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone>")" |
e009ec8b | 183 | _debug hostedzone "$hostedzone" |
872bfe47 | 184 | if [ "$hostedzone" ]; then |
185 | _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>") | |
186 | if [ "$_domain_id" ]; then | |
187 | _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) | |
188 | _domain=$h | |
189 | return 0 | |
190 | fi | |
4fbd21da | 191 | _err "Can't find domain with id: $h" |
e009ec8b | 192 | return 1 |
193 | fi | |
e009ec8b | 194 | fi |
195 | p=$i | |
196 | i=$(_math "$i" + 1) | |
197 | done | |
198 | fi | |
199 | return 1 | |
200 | } | |
201 | ||
f49f55f4 MG |
202 | _use_container_role() { |
203 | # automatically set if running inside ECS | |
204 | if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then | |
205 | _debug "No ECS environment variable detected" | |
206 | return 1 | |
207 | fi | |
208 | _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | |
209 | } | |
210 | ||
48eaa0e5 | 211 | _use_instance_role() { |
759f4f2c MG |
212 | _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" |
213 | _debug "_url" "$_url" | |
214 | if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then | |
f49f55f4 MG |
215 | _debug "Unable to fetch IAM role from instance metadata" |
216 | return 1 | |
48eaa0e5 | 217 | fi |
759f4f2c | 218 | _aws_role=$(_get "$_url" "" 1) |
48eaa0e5 | 219 | _debug "_aws_role" "$_aws_role" |
f49f55f4 MG |
220 | _use_metadata "$_url$_aws_role" |
221 | } | |
222 | ||
223 | _use_metadata() { | |
48eaa0e5 | 224 | _aws_creds="$( |
19c43451 | 225 | _get "$1" "" 1 | |
226 | _normalizeJson | | |
227 | tr '{,}' '\n' | | |
228 | while read -r _line; do | |
48eaa0e5 MG |
229 | _key="$(echo "${_line%%:*}" | tr -d '"')" |
230 | _value="${_line#*:}" | |
231 | _debug3 "_key" "$_key" | |
232 | _secure_debug3 "_value" "$_value" | |
233 | case "$_key" in | |
19c43451 | 234 | AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;; |
235 | SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;; | |
236 | Token) echo "AWS_SESSION_TOKEN=$_value" ;; | |
48eaa0e5 | 237 | esac |
19c43451 | 238 | done | |
239 | paste -sd' ' - | |
48eaa0e5 MG |
240 | )" |
241 | _secure_debug "_aws_creds" "$_aws_creds" | |
f49f55f4 MG |
242 | |
243 | if [ -z "$_aws_creds" ]; then | |
244 | return 1 | |
245 | fi | |
246 | ||
48eaa0e5 | 247 | eval "$_aws_creds" |
759f4f2c | 248 | _using_role=true |
48eaa0e5 MG |
249 | } |
250 | ||
e009ec8b | 251 | #method uri qstr data |
252 | aws_rest() { | |
253 | mtd="$1" | |
254 | ep="$2" | |
255 | qsr="$3" | |
256 | data="$4" | |
257 | ||
258 | _debug mtd "$mtd" | |
259 | _debug ep "$ep" | |
260 | _debug qsr "$qsr" | |
261 | _debug data "$data" | |
262 | ||
263 | CanonicalURI="/$ep" | |
264 | _debug2 CanonicalURI "$CanonicalURI" | |
265 | ||
266 | CanonicalQueryString="$qsr" | |
267 | _debug2 CanonicalQueryString "$CanonicalQueryString" | |
268 | ||
269 | RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")" | |
270 | _debug2 RequestDate "$RequestDate" | |
271 | ||
272 | #RequestDate="20161120T141056Z" ############## | |
273 | ||
3ca93f4a | 274 | export _H1="x-amz-date: $RequestDate" |
e009ec8b | 275 | |
276 | aws_host="$AWS_HOST" | |
277 | CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n" | |
e009ec8b | 278 | SignedHeaders="host;x-amz-date" |
5415381c | 279 | if [ -n "$AWS_SESSION_TOKEN" ]; then |
819d2bc5 | 280 | export _H3="x-amz-security-token: $AWS_SESSION_TOKEN" |
5415381c KS |
281 | CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n" |
282 | SignedHeaders="${SignedHeaders};x-amz-security-token" | |
283 | fi | |
284 | _debug2 CanonicalHeaders "$CanonicalHeaders" | |
e009ec8b | 285 | _debug2 SignedHeaders "$SignedHeaders" |
286 | ||
287 | RequestPayload="$data" | |
288 | _debug2 RequestPayload "$RequestPayload" | |
289 | ||
290 | Hash="sha256" | |
291 | ||
292 | CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)" | |
293 | _debug2 CanonicalRequest "$CanonicalRequest" | |
2f1bc586 | 294 | |
16d79eba | 295 | HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)" |
e009ec8b | 296 | _debug2 HashedCanonicalRequest "$HashedCanonicalRequest" |
297 | ||
298 | Algorithm="AWS4-HMAC-SHA256" | |
299 | _debug2 Algorithm "$Algorithm" | |
300 | ||
16d79eba | 301 | RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)" |
e009ec8b | 302 | _debug2 RequestDateOnly "$RequestDateOnly" |
303 | ||
304 | Region="us-east-1" | |
305 | Service="route53" | |
306 | ||
307 | CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request" | |
308 | _debug2 CredentialScope "$CredentialScope" | |
309 | ||
310 | StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest" | |
311 | ||
312 | _debug2 StringToSign "$StringToSign" | |
313 | ||
314 | kSecret="AWS4$AWS_SECRET_ACCESS_KEY" | |
315 | ||
316 | #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################ | |
317 | ||
e6e85b0c | 318 | _secure_debug2 kSecret "$kSecret" |
e009ec8b | 319 | |
1c22c2f7 | 320 | kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")" |
e6e85b0c | 321 | _secure_debug2 kSecretH "$kSecretH" |
e009ec8b | 322 | |
323 | kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)" | |
324 | _debug2 kDateH "$kDateH" | |
325 | ||
326 | kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)" | |
327 | _debug2 kRegionH "$kRegionH" | |
328 | ||
329 | kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)" | |
330 | _debug2 kServiceH "$kServiceH" | |
331 | ||
13a8c309 | 332 | kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)" |
e009ec8b | 333 | _debug2 kSigningH "$kSigningH" |
334 | ||
335 | signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)" | |
336 | _debug2 signature "$signature" | |
337 | ||
338 | Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" | |
339 | _debug2 Authorization "$Authorization" | |
340 | ||
819d2bc5 | 341 | _H2="Authorization: $Authorization" |
342 | _debug _H2 "$_H2" | |
e009ec8b | 343 | |
fd77e463 | 344 | url="$AWS_URL/$ep" |
345 | if [ "$qsr" ]; then | |
346 | url="$AWS_URL/$ep?$qsr" | |
347 | fi | |
e009ec8b | 348 | |
349 | if [ "$mtd" = "GET" ]; then | |
350 | response="$(_get "$url")" | |
351 | else | |
352 | response="$(_post "$data" "$url")" | |
353 | fi | |
354 | ||
355 | _ret="$?" | |
64f07d9b | 356 | _debug2 response "$response" |
e009ec8b | 357 | if [ "$_ret" = "0" ]; then |
358 | if _contains "$response" "<ErrorResponse"; then | |
359 | _err "Response error:$response" | |
360 | return 1 | |
361 | fi | |
362 | fi | |
2f1bc586 | 363 | |
e009ec8b | 364 | return "$_ret" |
365 | } |