]>
Commit | Line | Data |
---|---|---|
e009ec8b | 1 | #!/usr/bin/env sh |
2 | ||
3 | # | |
4 | #AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" | |
5 | # | |
6 | #AWS_SECRET_ACCESS_KEY="xxxxxxx" | |
7 | ||
8 | #This is the Amazon Route53 api wrapper for acme.sh | |
a22d3b23 | 9 | #All `_sleep` commands are included to avoid Route53 throttling, see |
df357521 | 10 | #https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests |
e009ec8b | 11 | |
12 | AWS_HOST="route53.amazonaws.com" | |
13 | AWS_URL="https://$AWS_HOST" | |
14 | ||
d795fac3 | 15 | AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API" |
e009ec8b | 16 | |
17 | ######## Public functions ##################### | |
18 | ||
19 | #Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" | |
20 | dns_aws_add() { | |
21 | fulldomain=$1 | |
22 | txtvalue=$2 | |
23 | ||
693627a8 MG |
24 | AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" |
25 | AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" | |
b64f0ba8 | 26 | AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}" |
693627a8 MG |
27 | |
28 | if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then | |
f49f55f4 | 29 | _use_container_role || _use_instance_role |
48eaa0e5 MG |
30 | fi |
31 | ||
e009ec8b | 32 | if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then |
33 | AWS_ACCESS_KEY_ID="" | |
34 | AWS_SECRET_ACCESS_KEY="" | |
ec678bc6 | 35 | _err "You haven't specified the aws route53 api key id and and api key secret yet." |
60814ecf | 36 | _err "Please create your key and try again. see $(__green $AWS_WIKI)" |
e009ec8b | 37 | return 1 |
38 | fi | |
39 | ||
693627a8 | 40 | #save for future use, unless using a role which will be fetched as needed |
759f4f2c | 41 | if [ -z "$_using_role" ]; then |
48eaa0e5 MG |
42 | _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" |
43 | _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" | |
b64f0ba8 | 44 | _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE" |
48eaa0e5 | 45 | fi |
e009ec8b | 46 | |
47 | _debug "First detect the root zone" | |
48 | if ! _get_root "$fulldomain"; then | |
49 | _err "invalid domain" | |
a22d3b23 | 50 | _sleep 1 |
e009ec8b | 51 | return 1 |
52 | fi | |
53 | _debug _domain_id "$_domain_id" | |
54 | _debug _sub_domain "$_sub_domain" | |
55 | _debug _domain "$_domain" | |
56 | ||
688fe131 | 57 | _info "Getting existing records for $fulldomain" |
64f07d9b | 58 | if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then |
a22d3b23 | 59 | _sleep 1 |
64f07d9b | 60 | return 1 |
61 | fi | |
62 | ||
63 | if _contains "$response" "<Name>$fulldomain.</Name>"; then | |
5f345d20 | 64 | _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")" |
64f07d9b | 65 | _debug "_resource_record" "$_resource_record" |
66 | else | |
67 | _debug "single new add" | |
68 | fi | |
69 | ||
70 | if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then | |
4fbd21da | 71 | _info "The TXT record already exists. Skipping." |
a22d3b23 | 72 | _sleep 1 |
64f07d9b | 73 | return 0 |
74 | fi | |
75 | ||
76 | _debug "Adding records" | |
77 | ||
78 | _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>" | |
16d79eba | 79 | |
e009ec8b | 80 | if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then |
4fbd21da | 81 | _info "TXT record updated successfully." |
b64f0ba8 SM |
82 | if [ -n "$AWS_DNS_SLOWRATE" ]; then |
83 | _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds" | |
84 | _sleep "$AWS_DNS_SLOWRATE" | |
37978b4f SM |
85 | else |
86 | _sleep 1 | |
3021c5cf | 87 | fi |
37978b4f | 88 | |
e009ec8b | 89 | return 0 |
90 | fi | |
a22d3b23 | 91 | _sleep 1 |
16d79eba | 92 | return 1 |
e009ec8b | 93 | } |
94 | ||
dfbc244b | 95 | #fulldomain txtvalue |
e009ec8b | 96 | dns_aws_rm() { |
97 | fulldomain=$1 | |
dfbc244b | 98 | txtvalue=$2 |
99 | ||
693627a8 MG |
100 | AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" |
101 | AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" | |
b64f0ba8 | 102 | AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}" |
693627a8 MG |
103 | |
104 | if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then | |
f49f55f4 | 105 | _use_container_role || _use_instance_role |
48eaa0e5 MG |
106 | fi |
107 | ||
dfbc244b | 108 | _debug "First detect the root zone" |
109 | if ! _get_root "$fulldomain"; then | |
110 | _err "invalid domain" | |
a22d3b23 | 111 | _sleep 1 |
dfbc244b | 112 | return 1 |
113 | fi | |
114 | _debug _domain_id "$_domain_id" | |
115 | _debug _sub_domain "$_sub_domain" | |
116 | _debug _domain "$_domain" | |
117 | ||
4fbd21da | 118 | _info "Getting existing records for $fulldomain" |
64f07d9b | 119 | if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then |
a22d3b23 | 120 | _sleep 1 |
64f07d9b | 121 | return 1 |
122 | fi | |
123 | ||
124 | if _contains "$response" "<Name>$fulldomain.</Name>"; then | |
5f345d20 | 125 | _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")" |
64f07d9b | 126 | _debug "_resource_record" "$_resource_record" |
127 | else | |
4fbd21da | 128 | _debug "no records exist, skip" |
a22d3b23 | 129 | _sleep 1 |
64f07d9b | 130 | return 0 |
131 | fi | |
132 | ||
133 | _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>" | |
dfbc244b | 134 | |
135 | if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then | |
4fbd21da | 136 | _info "TXT record deleted successfully." |
b64f0ba8 SM |
137 | if [ -n "$AWS_DNS_SLOWRATE" ]; then |
138 | _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds" | |
139 | _sleep "$AWS_DNS_SLOWRATE" | |
37978b4f SM |
140 | else |
141 | _sleep 1 | |
ea6a3c09 | 142 | fi |
37978b4f | 143 | |
dfbc244b | 144 | return 0 |
145 | fi | |
a22d3b23 | 146 | _sleep 1 |
dfbc244b | 147 | return 1 |
e009ec8b | 148 | |
149 | } | |
150 | ||
329174b6 | 151 | #################### Private functions below ################################## |
e009ec8b | 152 | |
153 | _get_root() { | |
873b113c | 154 | domain=$1 |
2280e66d | 155 | i=1 |
e009ec8b | 156 | p=1 |
16d79eba | 157 | |
e48d7de7 | 158 | # iterate over names (a.b.c.d -> b.c.d -> c.d -> d) |
f426940b | 159 | while true; do |
160 | h=$(printf "%s" "$domain" | cut -d . -f $i-100) | |
161 | _debug "Checking domain: $h" | |
162 | if [ -z "$h" ]; then | |
163 | _error "invalid domain" | |
164 | return 1 | |
165 | fi | |
e009ec8b | 166 | |
e48d7de7 | 167 | # iterate over paginated result for list_hosted_zones |
f426940b | 168 | aws_rest GET "2013-04-01/hostedzone" |
169 | while true; do | |
e009ec8b | 170 | if _contains "$response" "<Name>$h.</Name>"; then |
6d5743c5 | 171 | hostedzone="$(echo "$response" | tr -d '\n' | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone>")" |
e009ec8b | 172 | _debug hostedzone "$hostedzone" |
872bfe47 | 173 | if [ "$hostedzone" ]; then |
174 | _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>") | |
175 | if [ "$_domain_id" ]; then | |
176 | _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) | |
177 | _domain=$h | |
178 | return 0 | |
179 | fi | |
4fbd21da | 180 | _err "Can't find domain with id: $h" |
e009ec8b | 181 | return 1 |
182 | fi | |
e009ec8b | 183 | fi |
f426940b | 184 | if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then |
185 | _debug "IsTruncated" | |
186 | _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)" | |
187 | _debug "NextMarker" "$_nextMarker" | |
188 | else | |
189 | break | |
190 | fi | |
191 | _debug "Checking domain: $h - Next Page " | |
192 | aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker" | |
e009ec8b | 193 | done |
f426940b | 194 | p=$i |
195 | i=$(_math "$i" + 1) | |
196 | done | |
e009ec8b | 197 | return 1 |
198 | } | |
199 | ||
f49f55f4 MG |
200 | _use_container_role() { |
201 | # automatically set if running inside ECS | |
202 | if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then | |
203 | _debug "No ECS environment variable detected" | |
204 | return 1 | |
205 | fi | |
206 | _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | |
207 | } | |
208 | ||
48eaa0e5 | 209 | _use_instance_role() { |
759f4f2c MG |
210 | _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" |
211 | _debug "_url" "$_url" | |
212 | if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then | |
f49f55f4 MG |
213 | _debug "Unable to fetch IAM role from instance metadata" |
214 | return 1 | |
48eaa0e5 | 215 | fi |
759f4f2c | 216 | _aws_role=$(_get "$_url" "" 1) |
48eaa0e5 | 217 | _debug "_aws_role" "$_aws_role" |
f49f55f4 MG |
218 | _use_metadata "$_url$_aws_role" |
219 | } | |
220 | ||
221 | _use_metadata() { | |
48eaa0e5 | 222 | _aws_creds="$( |
19c43451 | 223 | _get "$1" "" 1 | |
224 | _normalizeJson | | |
225 | tr '{,}' '\n' | | |
226 | while read -r _line; do | |
48eaa0e5 MG |
227 | _key="$(echo "${_line%%:*}" | tr -d '"')" |
228 | _value="${_line#*:}" | |
229 | _debug3 "_key" "$_key" | |
230 | _secure_debug3 "_value" "$_value" | |
231 | case "$_key" in | |
19c43451 | 232 | AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;; |
233 | SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;; | |
234 | Token) echo "AWS_SESSION_TOKEN=$_value" ;; | |
48eaa0e5 | 235 | esac |
19c43451 | 236 | done | |
237 | paste -sd' ' - | |
48eaa0e5 MG |
238 | )" |
239 | _secure_debug "_aws_creds" "$_aws_creds" | |
f49f55f4 MG |
240 | |
241 | if [ -z "$_aws_creds" ]; then | |
242 | return 1 | |
243 | fi | |
244 | ||
48eaa0e5 | 245 | eval "$_aws_creds" |
759f4f2c | 246 | _using_role=true |
48eaa0e5 MG |
247 | } |
248 | ||
e009ec8b | 249 | #method uri qstr data |
250 | aws_rest() { | |
251 | mtd="$1" | |
252 | ep="$2" | |
253 | qsr="$3" | |
254 | data="$4" | |
255 | ||
256 | _debug mtd "$mtd" | |
257 | _debug ep "$ep" | |
258 | _debug qsr "$qsr" | |
259 | _debug data "$data" | |
260 | ||
261 | CanonicalURI="/$ep" | |
262 | _debug2 CanonicalURI "$CanonicalURI" | |
263 | ||
264 | CanonicalQueryString="$qsr" | |
265 | _debug2 CanonicalQueryString "$CanonicalQueryString" | |
266 | ||
267 | RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")" | |
268 | _debug2 RequestDate "$RequestDate" | |
269 | ||
270 | #RequestDate="20161120T141056Z" ############## | |
271 | ||
3ca93f4a | 272 | export _H1="x-amz-date: $RequestDate" |
e009ec8b | 273 | |
274 | aws_host="$AWS_HOST" | |
275 | CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n" | |
e009ec8b | 276 | SignedHeaders="host;x-amz-date" |
5415381c | 277 | if [ -n "$AWS_SESSION_TOKEN" ]; then |
819d2bc5 | 278 | export _H3="x-amz-security-token: $AWS_SESSION_TOKEN" |
5415381c KS |
279 | CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n" |
280 | SignedHeaders="${SignedHeaders};x-amz-security-token" | |
281 | fi | |
282 | _debug2 CanonicalHeaders "$CanonicalHeaders" | |
e009ec8b | 283 | _debug2 SignedHeaders "$SignedHeaders" |
284 | ||
285 | RequestPayload="$data" | |
286 | _debug2 RequestPayload "$RequestPayload" | |
287 | ||
288 | Hash="sha256" | |
289 | ||
290 | CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)" | |
291 | _debug2 CanonicalRequest "$CanonicalRequest" | |
2f1bc586 | 292 | |
16d79eba | 293 | HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)" |
e009ec8b | 294 | _debug2 HashedCanonicalRequest "$HashedCanonicalRequest" |
295 | ||
296 | Algorithm="AWS4-HMAC-SHA256" | |
297 | _debug2 Algorithm "$Algorithm" | |
298 | ||
16d79eba | 299 | RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)" |
e009ec8b | 300 | _debug2 RequestDateOnly "$RequestDateOnly" |
301 | ||
302 | Region="us-east-1" | |
303 | Service="route53" | |
304 | ||
305 | CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request" | |
306 | _debug2 CredentialScope "$CredentialScope" | |
307 | ||
308 | StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest" | |
309 | ||
310 | _debug2 StringToSign "$StringToSign" | |
311 | ||
312 | kSecret="AWS4$AWS_SECRET_ACCESS_KEY" | |
313 | ||
314 | #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################ | |
315 | ||
e6e85b0c | 316 | _secure_debug2 kSecret "$kSecret" |
e009ec8b | 317 | |
1c22c2f7 | 318 | kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")" |
e6e85b0c | 319 | _secure_debug2 kSecretH "$kSecretH" |
e009ec8b | 320 | |
321 | kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)" | |
322 | _debug2 kDateH "$kDateH" | |
323 | ||
324 | kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)" | |
325 | _debug2 kRegionH "$kRegionH" | |
326 | ||
327 | kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)" | |
328 | _debug2 kServiceH "$kServiceH" | |
329 | ||
13a8c309 | 330 | kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)" |
e009ec8b | 331 | _debug2 kSigningH "$kSigningH" |
332 | ||
333 | signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)" | |
334 | _debug2 signature "$signature" | |
335 | ||
336 | Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" | |
337 | _debug2 Authorization "$Authorization" | |
338 | ||
819d2bc5 | 339 | _H2="Authorization: $Authorization" |
340 | _debug _H2 "$_H2" | |
e009ec8b | 341 | |
fd77e463 | 342 | url="$AWS_URL/$ep" |
343 | if [ "$qsr" ]; then | |
344 | url="$AWS_URL/$ep?$qsr" | |
345 | fi | |
e009ec8b | 346 | |
347 | if [ "$mtd" = "GET" ]; then | |
348 | response="$(_get "$url")" | |
349 | else | |
350 | response="$(_post "$data" "$url")" | |
351 | fi | |
352 | ||
353 | _ret="$?" | |
64f07d9b | 354 | _debug2 response "$response" |
e009ec8b | 355 | if [ "$_ret" = "0" ]; then |
356 | if _contains "$response" "<ErrorResponse"; then | |
357 | _err "Response error:$response" | |
358 | return 1 | |
359 | fi | |
360 | fi | |
2f1bc586 | 361 | |
e009ec8b | 362 | return "$_ret" |
363 | } |