]>
Commit | Line | Data |
---|---|---|
4c3b3608 | 1 | #!/usr/bin/env bash |
2 | VER=1.1.8 | |
3 | PROJECT="https://github.com/Neilpang/le" | |
4 | ||
5 | DEFAULT_CA="https://acme-v01.api.letsencrypt.org" | |
6 | DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" | |
7 | ||
8 | STAGE_CA="https://acme-staging.api.letsencrypt.org" | |
9 | ||
10 | VTYPE_HTTP="http-01" | |
11 | VTYPE_DNS="dns-01" | |
12 | ||
13 | if [ -z "$AGREEMENT" ] ; then | |
14 | AGREEMENT="$DEFAULT_AGREEMENT" | |
15 | fi | |
16 | ||
17 | _debug() { | |
18 | ||
19 | if [ -z "$DEBUG" ] ; then | |
20 | return | |
21 | fi | |
22 | ||
23 | if [ -z "$2" ] ; then | |
24 | echo $1 | |
25 | else | |
26 | echo "$1"="$2" | |
27 | fi | |
28 | } | |
29 | ||
30 | _info() { | |
31 | if [ -z "$2" ] ; then | |
32 | echo "$1" | |
33 | else | |
34 | echo "$1"="$2" | |
35 | fi | |
36 | } | |
37 | ||
38 | _err() { | |
39 | if [ -z "$2" ] ; then | |
40 | echo "$1" >&2 | |
41 | else | |
42 | echo "$1"="$2" >&2 | |
43 | fi | |
44 | return 1 | |
45 | } | |
46 | ||
47 | _h2b() { | |
48 | hex=$(cat) | |
49 | i=1 | |
50 | j=2 | |
51 | while [ '1' ] ; do | |
52 | h=$(printf $hex | cut -c $i-$j) | |
53 | if [ -z "$h" ] ; then | |
54 | break; | |
55 | fi | |
56 | printf "\x$h" | |
57 | let "i+=2" | |
58 | let "j+=2" | |
59 | done | |
60 | } | |
61 | ||
62 | _base64() { | |
63 | openssl base64 -e | tr -d '\n' | |
64 | } | |
65 | ||
66 | #domain [2048] | |
67 | createAccountKey() { | |
68 | _info "Creating account key" | |
69 | if [ -z "$1" ] ; then | |
70 | echo Usage: createAccountKey account-domain [2048] | |
71 | return | |
72 | fi | |
73 | ||
74 | account=$1 | |
75 | length=$2 | |
76 | ||
77 | if [[ "$length" == "ec-"* ]] ; then | |
78 | length=2048 | |
79 | fi | |
80 | ||
81 | if [ -z "$2" ] ; then | |
82 | _info "Use default length 2048" | |
83 | length=2048 | |
84 | fi | |
85 | _initpath | |
86 | ||
87 | if [ -f "$ACCOUNT_KEY_PATH" ] ; then | |
88 | _info "Account key exists, skip" | |
89 | return | |
90 | else | |
91 | #generate account key | |
f89d991d | 92 | openssl genrsa $length 2>/dev/null > "$ACCOUNT_KEY_PATH" |
4c3b3608 | 93 | fi |
94 | ||
95 | } | |
96 | ||
97 | #domain length | |
98 | createDomainKey() { | |
99 | _info "Creating domain key" | |
100 | if [ -z "$1" ] ; then | |
101 | echo Usage: createDomainKey domain [2048] | |
102 | return | |
103 | fi | |
104 | ||
105 | domain=$1 | |
106 | length=$2 | |
107 | isec="" | |
108 | if [[ "$length" == "ec-"* ]] ; then | |
109 | isec="1" | |
110 | length=$(printf $length | cut -d '-' -f 2-100) | |
111 | eccname="$length" | |
112 | fi | |
113 | ||
114 | if [ -z "$length" ] ; then | |
115 | if [ "$isec" ] ; then | |
116 | length=256 | |
117 | else | |
118 | length=2048 | |
119 | fi | |
120 | fi | |
121 | _info "Use length $length" | |
122 | ||
123 | if [ "$isec" ] ; then | |
124 | if [ "$length" == "256" ] ; then | |
125 | eccname="prime256v1" | |
126 | fi | |
127 | if [ "$length" == "384" ] ; then | |
128 | eccname="secp384r1" | |
129 | fi | |
130 | if [ "$length" == "521" ] ; then | |
131 | eccname="secp521r1" | |
132 | fi | |
133 | _info "Using ec name: $eccname" | |
134 | fi | |
135 | ||
136 | _initpath $domain | |
137 | ||
138 | if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then | |
139 | #generate account key | |
140 | if [ "$isec" ] ; then | |
141 | openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH" | |
142 | else | |
143 | openssl genrsa $length 2>/dev/null > "$CERT_KEY_PATH" | |
144 | fi | |
145 | else | |
146 | if [ "$IS_RENEW" ] ; then | |
147 | _info "Domain key exists, skip" | |
148 | return 0 | |
149 | else | |
150 | _err "Domain key exists, do you want to overwrite the key?" | |
151 | _err "Set FORCE=1, and try again." | |
152 | return 1 | |
153 | fi | |
154 | fi | |
155 | ||
156 | } | |
157 | ||
158 | # domain domainlist | |
159 | createCSR() { | |
160 | _info "Creating csr" | |
161 | if [ -z "$1" ] ; then | |
162 | echo Usage: $0 domain [domainlist] | |
163 | return | |
164 | fi | |
165 | domain=$1 | |
166 | _initpath $domain | |
167 | ||
168 | domainlist=$2 | |
169 | ||
170 | if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && ! [ "$FORCE" ]; then | |
171 | _info "CSR exists, skip" | |
172 | return | |
173 | fi | |
174 | ||
175 | if [ -z "$domainlist" ] ; then | |
176 | #single domain | |
177 | _info "Single domain" $domain | |
1ad65f7d | 178 | printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n" > "$DOMAIN_SSL_CONF" |
179 | openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" | |
4c3b3608 | 180 | else |
181 | alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" | |
182 | #multi | |
183 | _info "Multi domain" "$alt" | |
184 | printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n[SAN]\nsubjectAltName=$alt" > "$DOMAIN_SSL_CONF" | |
185 | openssl req -new -sha256 -key "$CERT_KEY_PATH" -subj "/CN=$domain" -reqexts SAN -config "$DOMAIN_SSL_CONF" -out "$CSR_PATH" | |
186 | fi | |
187 | ||
188 | } | |
189 | ||
190 | _b64() { | |
191 | __n=$(cat) | |
192 | echo $__n | tr '/+' '_-' | tr -d '= ' | |
193 | } | |
194 | ||
195 | _time2str() { | |
196 | #BSD | |
197 | if date -u -d@$1 2>/dev/null ; then | |
198 | return | |
199 | fi | |
200 | ||
201 | #Linux | |
202 | if date -u -r $1 2>/dev/null ; then | |
203 | return | |
204 | fi | |
205 | ||
206 | } | |
207 | ||
44df2967 | 208 | _stat() { |
209 | #Linux | |
210 | if stat -c '%U:%G' "$1" 2>/dev/null ; then | |
211 | return | |
212 | fi | |
213 | ||
214 | #BSD | |
215 | if stat -f '%Su:%Sg' "$1" 2>/dev/null ; then | |
216 | return | |
217 | fi | |
218 | } | |
219 | ||
4c3b3608 | 220 | _send_signed_request() { |
221 | url=$1 | |
222 | payload=$2 | |
223 | needbase64=$3 | |
224 | ||
225 | _debug url $url | |
226 | _debug payload "$payload" | |
227 | ||
228 | CURL_HEADER="$LE_WORKING_DIR/curl.header" | |
229 | dp="$LE_WORKING_DIR/curl.dump" | |
230 | CURL="curl --silent --dump-header $CURL_HEADER " | |
231 | if [ "$DEBUG" ] ; then | |
232 | CURL="$CURL --trace-ascii $dp " | |
233 | fi | |
234 | payload64=$(echo -n $payload | _base64 | _b64) | |
235 | _debug payload64 $payload64 | |
236 | ||
237 | nonceurl="$API/directory" | |
238 | nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)" | |
239 | ||
240 | _debug nonce "$nonce" | |
241 | ||
242 | protected="$(printf "$HEADERPLACE" | sed "s/NONCE/$nonce/" )" | |
243 | _debug protected "$protected" | |
244 | ||
245 | protected64="$(printf "$protected" | _base64 | _b64)" | |
246 | _debug protected64 "$protected64" | |
247 | ||
248 | sig=$(echo -n "$protected64.$payload64" | openssl dgst -sha256 -sign $ACCOUNT_KEY_PATH | _base64 | _b64) | |
249 | _debug sig "$sig" | |
250 | ||
251 | body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" | |
252 | _debug body "$body" | |
253 | ||
254 | if [ "$needbase64" ] ; then | |
255 | response="$($CURL -X POST --data "$body" $url | _base64)" | |
256 | else | |
257 | response="$($CURL -X POST --data "$body" $url)" | |
258 | fi | |
259 | ||
260 | responseHeaders="$(cat $CURL_HEADER)" | |
261 | ||
262 | _debug responseHeaders "$responseHeaders" | |
263 | _debug response "$response" | |
264 | code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )" | |
265 | _debug code $code | |
266 | ||
267 | } | |
268 | ||
269 | _get() { | |
270 | url="$1" | |
271 | _debug url $url | |
272 | response="$(curl --silent $url)" | |
273 | ret=$? | |
274 | _debug response "$response" | |
275 | code="$(echo $response | grep -o '"status":[0-9]\+' | cut -d : -f 2)" | |
276 | _debug code $code | |
277 | return $ret | |
278 | } | |
279 | ||
280 | #setopt "file" "opt" "=" "value" [";"] | |
281 | _setopt() { | |
282 | __conf="$1" | |
283 | __opt="$2" | |
284 | __sep="$3" | |
285 | __val="$4" | |
286 | __end="$5" | |
287 | if [ -z "$__opt" ] ; then | |
288 | echo usage: _setopt '"file" "opt" "=" "value" [";"]' | |
289 | return | |
290 | fi | |
291 | if [ ! -f "$__conf" ] ; then | |
292 | touch "$__conf" | |
293 | fi | |
294 | ||
295 | if grep -H -n "^$__opt$__sep" "$__conf" > /dev/null ; then | |
296 | _debug OK | |
297 | if [[ "$__val" == *"&"* ]] ; then | |
298 | __val="$(echo $__val | sed 's/&/\\&/g')" | |
299 | fi | |
300 | text="$(cat $__conf)" | |
6dfaaa70 | 301 | echo "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" |
4c3b3608 | 302 | |
303 | elif grep -H -n "^#$__opt$__sep" "$__conf" > /dev/null ; then | |
304 | if [[ "$__val" == *"&"* ]] ; then | |
305 | __val="$(echo $__val | sed 's/&/\\&/g')" | |
306 | fi | |
307 | text="$(cat $__conf)" | |
6dfaaa70 | 308 | echo "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" > "$__conf" |
4c3b3608 | 309 | |
310 | else | |
311 | _debug APP | |
4c3b3608 | 312 | echo "$__opt$__sep$__val$__end" >> "$__conf" |
313 | fi | |
314 | _debug "$(grep -H -n "^$__opt$__sep" $__conf)" | |
315 | } | |
316 | ||
317 | #_savedomainconf key value | |
318 | #save to domain.conf | |
319 | _savedomainconf() { | |
320 | key="$1" | |
321 | value="$2" | |
322 | if [ "$DOMAIN_CONF" ] ; then | |
323 | _setopt $DOMAIN_CONF "$key" "=" "$value" | |
324 | else | |
325 | _err "DOMAIN_CONF is empty, can not save $key=$value" | |
326 | fi | |
327 | } | |
328 | ||
329 | #_saveaccountconf key value | |
330 | _saveaccountconf() { | |
331 | key="$1" | |
332 | value="$2" | |
333 | if [ "$ACCOUNT_CONF_PATH" ] ; then | |
334 | _setopt $ACCOUNT_CONF_PATH "$key" "=" "$value" | |
335 | else | |
336 | _err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" | |
337 | fi | |
338 | } | |
339 | ||
340 | _startserver() { | |
341 | content="$1" | |
1b2e940d | 342 | _NC="nc -q 1 -l" |
343 | ||
344 | nchelp="$(nc -h 2>&1)" | |
bce55f42 | 345 | #centos |
1b2e940d | 346 | if echo "$nchelp" | grep "nmap.org/ncat" >/dev/null ; then |
347 | _NC="nc -l" | |
4c3b3608 | 348 | fi |
1b2e940d | 349 | |
051c706d | 350 | _debug "$_NC $Le_HTTPPort" |
4c3b3608 | 351 | # while true ; do |
352 | if [ "$DEBUG" ] ; then | |
3aff11f6 | 353 | if ! echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort -vv ; then |
354 | echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort -vv ; | |
355 | fi | |
4c3b3608 | 356 | else |
3aff11f6 | 357 | if ! echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -p $Le_HTTPPort > /dev/null ; then |
358 | echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC $Le_HTTPPort > /dev/null | |
359 | fi | |
4c3b3608 | 360 | fi |
051c706d | 361 | if [ "$?" != "0" ] ; then |
362 | _err "nc listen error." | |
363 | return 1 | |
364 | fi | |
4c3b3608 | 365 | # done |
366 | } | |
367 | ||
368 | _stopserver() { | |
369 | pid="$1" | |
370 | ||
371 | } | |
372 | ||
373 | _initpath() { | |
374 | ||
375 | if [ -z "$LE_WORKING_DIR" ]; then | |
376 | LE_WORKING_DIR=$HOME/.le | |
377 | fi | |
378 | ||
379 | if [ -z "$ACCOUNT_CONF_PATH" ] ; then | |
380 | ACCOUNT_CONF_PATH="$LE_WORKING_DIR/account.conf" | |
381 | fi | |
382 | ||
383 | if [ -f "$ACCOUNT_CONF_PATH" ] ; then | |
384 | source "$ACCOUNT_CONF_PATH" | |
385 | fi | |
386 | ||
387 | if [ -z "$API" ] ; then | |
388 | if [ -z "$STAGE" ] ; then | |
389 | API="$DEFAULT_CA" | |
390 | else | |
391 | API="$STAGE_CA" | |
392 | _info "Using stage api:$API" | |
393 | fi | |
394 | fi | |
395 | ||
396 | if [ -z "$ACME_DIR" ] ; then | |
397 | ACME_DIR="/home/.acme" | |
398 | fi | |
399 | ||
400 | if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then | |
401 | APACHE_CONF_BACKUP_DIR="$LE_WORKING_DIR/" | |
402 | fi | |
403 | ||
404 | domain="$1" | |
405 | if ! mkdir -p "$LE_WORKING_DIR" ; then | |
406 | _err "Can not craete working dir: $LE_WORKING_DIR" | |
407 | return 1 | |
408 | fi | |
409 | ||
410 | if [ -z "$ACCOUNT_KEY_PATH" ] ; then | |
411 | ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key" | |
412 | fi | |
413 | ||
414 | if [ -z "$domain" ] ; then | |
415 | return 0 | |
416 | fi | |
417 | ||
418 | domainhome="$LE_WORKING_DIR/$domain" | |
419 | mkdir -p "$domainhome" | |
420 | ||
421 | if [ -z "$DOMAIN_PATH" ] ; then | |
422 | DOMAIN_PATH="$domainhome" | |
423 | fi | |
424 | if [ -z "$DOMAIN_CONF" ] ; then | |
1ad65f7d | 425 | DOMAIN_CONF="$domainhome/$domain.conf" |
4c3b3608 | 426 | fi |
427 | ||
428 | if [ -z "$DOMAIN_SSL_CONF" ] ; then | |
1ad65f7d | 429 | DOMAIN_SSL_CONF="$domainhome/$domain.ssl.conf" |
4c3b3608 | 430 | fi |
431 | ||
432 | if [ -z "$CSR_PATH" ] ; then | |
433 | CSR_PATH="$domainhome/$domain.csr" | |
434 | fi | |
435 | if [ -z "$CERT_KEY_PATH" ] ; then | |
436 | CERT_KEY_PATH="$domainhome/$domain.key" | |
437 | fi | |
438 | if [ -z "$CERT_PATH" ] ; then | |
439 | CERT_PATH="$domainhome/$domain.cer" | |
440 | fi | |
441 | if [ -z "$CA_CERT_PATH" ] ; then | |
442 | CA_CERT_PATH="$domainhome/ca.cer" | |
443 | fi | |
caf1fc10 | 444 | if [ -z "$CERT_FULLCHAIN_PATH" ] ; then |
850db6d4 | 445 | CERT_FULLCHAIN_PATH="$domainhome/fullchain.cer" |
caf1fc10 | 446 | fi |
4c3b3608 | 447 | |
448 | } | |
449 | ||
450 | ||
451 | _apachePath() { | |
452 | httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"' )" | |
453 | httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"' )" | |
454 | httpdconf="$httpdroot/$httpdconfname" | |
455 | if [ ! -f $httpdconf ] ; then | |
456 | _err "Apache Config file not found" $httpdconf | |
457 | return 1 | |
458 | fi | |
459 | return 0 | |
460 | } | |
461 | ||
462 | _restoreApache() { | |
463 | if [ -z "$usingApache" ] ; then | |
464 | return 0 | |
465 | fi | |
466 | _initpath | |
467 | if ! _apachePath ; then | |
468 | return 1 | |
469 | fi | |
470 | ||
471 | if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then | |
472 | _debug "No config file to restore." | |
473 | return 0 | |
474 | fi | |
475 | ||
476 | cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf" | |
477 | if ! apachectl -t ; then | |
478 | _err "Sorry, restore apache config error, please contact me." | |
479 | return 1; | |
480 | fi | |
481 | rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" | |
482 | return 0 | |
483 | } | |
484 | ||
485 | _setApache() { | |
486 | _initpath | |
487 | if ! _apachePath ; then | |
488 | return 1 | |
489 | fi | |
490 | ||
491 | #backup the conf | |
492 | _debug "Backup apache config file" $httpdconf | |
493 | cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/ | |
494 | _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" | |
495 | _info "In case there is an error that can not be restored automatically, you may try restore it yourself." | |
496 | _info "The backup file will be deleted on sucess, just forget it." | |
497 | ||
498 | #add alias | |
499 | echo " | |
500 | Alias /.well-known/acme-challenge $ACME_DIR | |
501 | ||
502 | <Directory $ACME_DIR > | |
503 | Require all granted | |
504 | </Directory> | |
505 | " >> $httpdconf | |
506 | ||
507 | if ! apachectl -t ; then | |
508 | _err "Sorry, apache config error, please contact me." | |
509 | _restoreApache | |
510 | return 1; | |
511 | fi | |
512 | ||
513 | if [ ! -d "$ACME_DIR" ] ; then | |
514 | mkdir -p "$ACME_DIR" | |
515 | chmod 755 "$ACME_DIR" | |
516 | fi | |
517 | ||
518 | if ! apachectl graceful ; then | |
519 | _err "Sorry, apachectl graceful error, please contact me." | |
520 | _restoreApache | |
521 | return 1; | |
522 | fi | |
523 | usingApache="1" | |
524 | return 0 | |
525 | } | |
526 | ||
527 | _clearup () { | |
528 | _stopserver $serverproc | |
529 | serverproc="" | |
530 | _restoreApache | |
531 | } | |
532 | ||
533 | # webroot removelevel tokenfile | |
534 | _clearupwebbroot() { | |
535 | __webroot="$1" | |
536 | if [ -z "$__webroot" ] ; then | |
537 | _debug "no webroot specified, skip" | |
538 | return 0 | |
539 | fi | |
540 | ||
541 | if [ "$2" == '1' ] ; then | |
542 | _debug "remove $__webroot/.well-known" | |
543 | rm -rf "$__webroot/.well-known" | |
544 | elif [ "$2" == '2' ] ; then | |
545 | _debug "remove $__webroot/.well-known/acme-challenge" | |
546 | rm -rf "$__webroot/.well-known/acme-challenge" | |
547 | elif [ "$2" == '3' ] ; then | |
548 | _debug "remove $__webroot/.well-known/acme-challenge/$3" | |
549 | rm -rf "$__webroot/.well-known/acme-challenge/$3" | |
550 | else | |
551 | _info "Skip for removelevel:$2" | |
552 | fi | |
553 | ||
554 | return 0 | |
555 | ||
556 | } | |
557 | ||
558 | issue() { | |
559 | if [ -z "$2" ] ; then | |
560 | _err "Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no" | |
561 | return 1 | |
562 | fi | |
563 | Le_Webroot="$1" | |
564 | Le_Domain="$2" | |
565 | Le_Alt="$3" | |
566 | Le_Keylength="$4" | |
567 | Le_RealCertPath="$5" | |
568 | Le_RealKeyPath="$6" | |
569 | Le_RealCACertPath="$7" | |
570 | Le_ReloadCmd="$8" | |
571 | ||
572 | ||
573 | _initpath $Le_Domain | |
574 | ||
575 | if [ -f "$DOMAIN_CONF" ] ; then | |
576 | Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2) | |
577 | if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then | |
578 | _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)" | |
579 | return 2 | |
580 | fi | |
581 | fi | |
582 | ||
583 | if [ "$Le_Alt" == "no" ] ; then | |
584 | Le_Alt="" | |
585 | fi | |
586 | if [ "$Le_Keylength" == "no" ] ; then | |
587 | Le_Keylength="" | |
588 | fi | |
589 | if [ "$Le_RealCertPath" == "no" ] ; then | |
590 | Le_RealCertPath="" | |
591 | fi | |
592 | if [ "$Le_RealKeyPath" == "no" ] ; then | |
593 | Le_RealKeyPath="" | |
594 | fi | |
595 | if [ "$Le_RealCACertPath" == "no" ] ; then | |
596 | Le_RealCACertPath="" | |
597 | fi | |
598 | if [ "$Le_ReloadCmd" == "no" ] ; then | |
599 | Le_ReloadCmd="" | |
600 | fi | |
601 | ||
602 | _setopt "$DOMAIN_CONF" "Le_Domain" "=" "$Le_Domain" | |
603 | _setopt "$DOMAIN_CONF" "Le_Alt" "=" "$Le_Alt" | |
604 | _setopt "$DOMAIN_CONF" "Le_Webroot" "=" "$Le_Webroot" | |
605 | _setopt "$DOMAIN_CONF" "Le_Keylength" "=" "$Le_Keylength" | |
606 | _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" | |
607 | _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" | |
608 | _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" | |
609 | _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" | |
610 | ||
611 | if [ "$Le_Webroot" == "no" ] ; then | |
612 | _info "Standalone mode." | |
613 | if ! command -v "nc" > /dev/null ; then | |
614 | _err "Please install netcat(nc) tools first." | |
615 | return 1 | |
616 | fi | |
617 | ||
618 | if [ -z "$Le_HTTPPort" ] ; then | |
619 | Le_HTTPPort=80 | |
620 | fi | |
621 | _setopt "$DOMAIN_CONF" "Le_HTTPPort" "=" "$Le_HTTPPort" | |
622 | ||
623 | netprc="$(ss -ntpl | grep :$Le_HTTPPort" ")" | |
624 | if [ "$netprc" ] ; then | |
625 | _err "$netprc" | |
626 | _err "tcp port $Le_HTTPPort is already used by $(echo "$netprc" | cut -d : -f 4)" | |
627 | _err "Please stop it first" | |
628 | return 1 | |
629 | fi | |
630 | fi | |
631 | ||
632 | if [ "$Le_Webroot" == "apache" ] ; then | |
633 | if ! _setApache ; then | |
634 | _err "set up apache error. Report error to me." | |
635 | return 1 | |
636 | fi | |
637 | wellknown_path="$ACME_DIR" | |
638 | else | |
639 | usingApache="" | |
640 | fi | |
641 | ||
642 | createAccountKey $Le_Domain $Le_Keylength | |
643 | ||
644 | if ! createDomainKey $Le_Domain $Le_Keylength ; then | |
645 | _err "Create domain key error." | |
646 | return 1 | |
647 | fi | |
648 | ||
649 | if ! createCSR $Le_Domain $Le_Alt ; then | |
650 | _err "Create CSR error." | |
651 | return 1 | |
652 | fi | |
653 | ||
654 | pub_exp=$(openssl rsa -in $ACCOUNT_KEY_PATH -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) | |
655 | if [ "${#pub_exp}" == "5" ] ; then | |
656 | pub_exp=0$pub_exp | |
657 | fi | |
658 | _debug pub_exp "$pub_exp" | |
659 | ||
660 | e=$(echo $pub_exp | _h2b | _base64) | |
661 | _debug e "$e" | |
662 | ||
663 | modulus=$(openssl rsa -in $ACCOUNT_KEY_PATH -modulus -noout | cut -d '=' -f 2 ) | |
664 | n=$(echo $modulus| _h2b | _base64 | _b64 ) | |
665 | ||
666 | jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' | |
667 | ||
668 | HEADER='{"alg": "RS256", "jwk": '$jwk'}' | |
669 | HEADERPLACE='{"nonce": "NONCE", "alg": "RS256", "jwk": '$jwk'}' | |
670 | _debug HEADER "$HEADER" | |
671 | ||
672 | accountkey_json=$(echo -n "$jwk" | tr -d ' ' ) | |
673 | thumbprint=$(echo -n "$accountkey_json" | openssl dgst -sha256 -binary | _base64 | _b64) | |
674 | ||
675 | ||
676 | _info "Registering account" | |
677 | regjson='{"resource": "new-reg", "agreement": "'$AGREEMENT'"}' | |
678 | if [ "$ACCOUNT_EMAIL" ] ; then | |
679 | regjson='{"resource": "new-reg", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "agreement": "'$AGREEMENT'"}' | |
680 | fi | |
681 | _send_signed_request "$API/acme/new-reg" "$regjson" | |
682 | ||
683 | if [ "$code" == "" ] || [ "$code" == '201' ] ; then | |
684 | _info "Registered" | |
685 | echo $response > $LE_WORKING_DIR/account.json | |
686 | elif [ "$code" == '409' ] ; then | |
687 | _info "Already registered" | |
688 | else | |
689 | _err "Register account Error." | |
690 | _clearup | |
691 | return 1 | |
692 | fi | |
693 | ||
694 | vtype="$VTYPE_HTTP" | |
695 | if [[ "$Le_Webroot" == "dns"* ]] ; then | |
696 | vtype="$VTYPE_DNS" | |
697 | fi | |
698 | ||
699 | vlist="$Le_Vlist" | |
700 | # verify each domain | |
701 | _info "Verify each domain" | |
702 | sep='#' | |
703 | if [ -z "$vlist" ] ; then | |
704 | alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) | |
705 | for d in $alldomains | |
706 | do | |
707 | _info "Getting token for domain" $d | |
708 | _send_signed_request "$API/acme/new-authz" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$d\"}}" | |
709 | if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then | |
710 | _err "new-authz error: $response" | |
711 | _clearup | |
712 | return 1 | |
713 | fi | |
714 | ||
348cddd7 | 715 | entry="$(printf $response | egrep -o '\{[^{]*"type":"'$vtype'"[^}]*')" |
4c3b3608 | 716 | _debug entry "$entry" |
717 | ||
718 | token="$(printf "$entry" | egrep -o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" | |
719 | _debug token $token | |
720 | ||
721 | uri="$(printf "$entry" | egrep -o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" | |
722 | _debug uri $uri | |
723 | ||
724 | keyauthorization="$token.$thumbprint" | |
725 | _debug keyauthorization "$keyauthorization" | |
726 | ||
727 | dvlist="$d$sep$keyauthorization$sep$uri" | |
728 | _debug dvlist "$dvlist" | |
729 | ||
730 | vlist="$vlist$dvlist," | |
731 | ||
732 | done | |
733 | ||
734 | #add entry | |
735 | dnsadded="" | |
736 | ventries=$(echo "$vlist" | tr ',' ' ' ) | |
737 | for ventry in $ventries | |
738 | do | |
739 | d=$(echo $ventry | cut -d $sep -f 1) | |
740 | keyauthorization=$(echo $ventry | cut -d $sep -f 2) | |
741 | ||
742 | if [ "$vtype" == "$VTYPE_DNS" ] ; then | |
743 | dnsadded='0' | |
744 | txtdomain="_acme-challenge.$d" | |
745 | _debug txtdomain "$txtdomain" | |
746 | txt="$(echo -e -n $keyauthorization | openssl dgst -sha256 -binary | _base64 | _b64)" | |
747 | _debug txt "$txt" | |
748 | #dns | |
749 | #1. check use api | |
750 | d_api="" | |
751 | if [ -f "$LE_WORKING_DIR/$d/$Le_Webroot" ] ; then | |
752 | d_api="$LE_WORKING_DIR/$d/$Le_Webroot" | |
753 | elif [ -f "$LE_WORKING_DIR/$d/$Le_Webroot.sh" ] ; then | |
754 | d_api="$LE_WORKING_DIR/$d/$Le_Webroot.sh" | |
755 | elif [ -f "$LE_WORKING_DIR/$Le_Webroot" ] ; then | |
756 | d_api="$LE_WORKING_DIR/$Le_Webroot" | |
757 | elif [ -f "$LE_WORKING_DIR/$Le_Webroot.sh" ] ; then | |
758 | d_api="$LE_WORKING_DIR/$Le_Webroot.sh" | |
759 | elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot" ] ; then | |
760 | d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot" | |
761 | elif [ -f "$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" ] ; then | |
762 | d_api="$LE_WORKING_DIR/dnsapi/$Le_Webroot.sh" | |
763 | fi | |
764 | _debug d_api "$d_api" | |
765 | ||
766 | if [ "$d_api" ]; then | |
767 | _info "Found domain api file: $d_api" | |
768 | else | |
769 | _err "Add the following TXT record:" | |
770 | _err "Domain: $txtdomain" | |
771 | _err "TXT value: $txt" | |
772 | _err "Please be aware that you prepend _acme-challenge. before your domain" | |
773 | _err "so the resulting subdomain will be: $txtdomain" | |
774 | continue | |
775 | fi | |
776 | ||
777 | if ! source $d_api ; then | |
778 | _err "Load file $d_api error. Please check your api file and try again." | |
779 | return 1 | |
780 | fi | |
781 | ||
782 | addcommand="$Le_Webroot-add" | |
783 | if ! command -v $addcommand ; then | |
f8ad8f34 | 784 | _err "It seems that your api file is not correct, it must have a function named: $addcommand" |
4c3b3608 | 785 | return 1 |
786 | fi | |
787 | ||
788 | if ! $addcommand $txtdomain $txt ; then | |
789 | _err "Error add txt for domain:$txtdomain" | |
790 | return 1 | |
791 | fi | |
792 | dnsadded='1' | |
793 | fi | |
794 | done | |
795 | ||
796 | if [ "$dnsadded" == '0' ] ; then | |
797 | _setopt "$DOMAIN_CONF" "Le_Vlist" "=" "\"$vlist\"" | |
798 | _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." | |
799 | _err "Please add the TXT records to the domains, and retry again." | |
800 | return 1 | |
801 | fi | |
802 | ||
803 | fi | |
804 | ||
805 | if [ "$dnsadded" == '1' ] ; then | |
806 | _info "Sleep 60 seconds for the txt records to take effect" | |
807 | sleep 60 | |
808 | fi | |
809 | ||
810 | _debug "ok, let's start to verify" | |
811 | ventries=$(echo "$vlist" | tr ',' ' ' ) | |
812 | for ventry in $ventries | |
813 | do | |
814 | d=$(echo $ventry | cut -d $sep -f 1) | |
815 | keyauthorization=$(echo $ventry | cut -d $sep -f 2) | |
816 | uri=$(echo $ventry | cut -d $sep -f 3) | |
817 | _info "Verifying:$d" | |
818 | _debug "d" "$d" | |
819 | _debug "keyauthorization" "$keyauthorization" | |
820 | _debug "uri" "$uri" | |
821 | removelevel="" | |
822 | token="" | |
823 | if [ "$vtype" == "$VTYPE_HTTP" ] ; then | |
824 | if [ "$Le_Webroot" == "no" ] ; then | |
825 | _info "Standalone mode server" | |
826 | _startserver "$keyauthorization" & | |
827 | serverproc="$!" | |
828 | sleep 2 | |
829 | _debug serverproc $serverproc | |
830 | else | |
831 | if [ -z "$wellknown_path" ] ; then | |
832 | wellknown_path="$Le_Webroot/.well-known/acme-challenge" | |
833 | fi | |
834 | _debug wellknown_path "$wellknown_path" | |
835 | ||
836 | if [ ! -d "$Le_Webroot/.well-known" ] ; then | |
837 | removelevel='1' | |
838 | elif [ ! -d "$Le_Webroot/.well-known/acme-challenge" ] ; then | |
839 | removelevel='2' | |
840 | else | |
841 | removelevel='3' | |
842 | fi | |
843 | ||
844 | token="$(echo -e -n "$keyauthorization" | cut -d '.' -f 1)" | |
845 | _debug "writing token:$token to $wellknown_path/$token" | |
846 | ||
847 | mkdir -p "$wellknown_path" | |
848 | echo -n "$keyauthorization" > "$wellknown_path/$token" | |
849 | ||
44df2967 | 850 | webroot_owner=$(_stat $Le_Webroot) |
4c3b3608 | 851 | _debug "Changing owner/group of .well-known to $webroot_owner" |
852 | chown -R $webroot_owner "$Le_Webroot/.well-known" | |
853 | ||
854 | fi | |
855 | fi | |
856 | ||
857 | _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" | |
858 | ||
859 | if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then | |
860 | _err "$d:Challenge error: $resource" | |
861 | _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" | |
862 | _clearup | |
863 | return 1 | |
864 | fi | |
865 | ||
866 | while [ "1" ] ; do | |
867 | _debug "sleep 5 secs to verify" | |
868 | sleep 5 | |
869 | _debug "checking" | |
870 | ||
871 | if ! _get $uri ; then | |
872 | _err "$d:Verify error:$resource" | |
873 | _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" | |
874 | _clearup | |
875 | return 1 | |
876 | fi | |
877 | ||
878 | status=$(echo $response | egrep -o '"status":"[^"]+"' | cut -d : -f 2 | tr -d '"') | |
879 | if [ "$status" == "valid" ] ; then | |
880 | _info "Success" | |
881 | _stopserver $serverproc | |
882 | serverproc="" | |
883 | _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" | |
884 | break; | |
885 | fi | |
886 | ||
887 | if [ "$status" == "invalid" ] ; then | |
888 | error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4) | |
889 | _err "$d:Verify error:$error" | |
890 | _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" | |
891 | _clearup | |
892 | return 1; | |
893 | fi | |
894 | ||
895 | if [ "$status" == "pending" ] ; then | |
896 | _info "Pending" | |
897 | else | |
898 | _err "$d:Verify error:$response" | |
899 | _clearupwebbroot "$Le_Webroot" "$removelevel" "$token" | |
900 | _clearup | |
901 | return 1 | |
902 | fi | |
903 | ||
904 | done | |
905 | ||
906 | done | |
907 | ||
908 | _clearup | |
909 | _info "Verify finished, start to sign." | |
910 | der="$(openssl req -in $CSR_PATH -outform DER | _base64 | _b64)" | |
911 | _send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" | |
912 | ||
913 | ||
914 | Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)" | |
915 | _setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert" | |
916 | ||
917 | if [ "$Le_LinkCert" ] ; then | |
918 | echo -----BEGIN CERTIFICATE----- > "$CERT_PATH" | |
919 | curl --silent "$Le_LinkCert" | openssl base64 -e >> "$CERT_PATH" | |
920 | echo -----END CERTIFICATE----- >> "$CERT_PATH" | |
921 | _info "Cert success." | |
922 | cat "$CERT_PATH" | |
923 | ||
924 | _info "Your cert is in $CERT_PATH" | |
caf1fc10 | 925 | cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH" |
4c3b3608 | 926 | fi |
927 | ||
928 | ||
929 | if [ -z "$Le_LinkCert" ] ; then | |
930 | response="$(echo $response | openssl base64 -d -A)" | |
931 | _err "Sign failed: $(echo "$response" | grep -o '"detail":"[^"]*"')" | |
932 | return 1 | |
933 | fi | |
934 | ||
935 | _setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\"" | |
936 | ||
937 | Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' ) | |
938 | _setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer" | |
939 | ||
940 | if [ "$Le_LinkIssuer" ] ; then | |
941 | echo -----BEGIN CERTIFICATE----- > "$CA_CERT_PATH" | |
942 | curl --silent "$Le_LinkIssuer" | openssl base64 -e >> "$CA_CERT_PATH" | |
943 | echo -----END CERTIFICATE----- >> "$CA_CERT_PATH" | |
944 | _info "The intermediate CA cert is in $CA_CERT_PATH" | |
caf1fc10 | 945 | cat "$CA_CERT_PATH" >> "$CERT_FULLCHAIN_PATH" |
946 | _info "And the full chain certs is there: $CERT_FULLCHAIN_PATH" | |
4c3b3608 | 947 | fi |
948 | ||
949 | Le_CertCreateTime=$(date -u "+%s") | |
950 | _setopt "$DOMAIN_CONF" "Le_CertCreateTime" "=" "$Le_CertCreateTime" | |
951 | ||
952 | Le_CertCreateTimeStr=$(date -u ) | |
953 | _setopt "$DOMAIN_CONF" "Le_CertCreateTimeStr" "=" "\"$Le_CertCreateTimeStr\"" | |
954 | ||
955 | if [ ! "$Le_RenewalDays" ] ; then | |
956 | Le_RenewalDays=80 | |
957 | fi | |
958 | ||
959 | _setopt "$DOMAIN_CONF" "Le_RenewalDays" "=" "$Le_RenewalDays" | |
960 | ||
961 | let "Le_NextRenewTime=Le_CertCreateTime+Le_RenewalDays*24*60*60" | |
962 | _setopt "$DOMAIN_CONF" "Le_NextRenewTime" "=" "$Le_NextRenewTime" | |
963 | ||
964 | Le_NextRenewTimeStr=$( _time2str $Le_NextRenewTime ) | |
965 | _setopt "$DOMAIN_CONF" "Le_NextRenewTimeStr" "=" "\"$Le_NextRenewTimeStr\"" | |
966 | ||
967 | ||
968 | installcert $Le_Domain "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" | |
969 | ||
970 | } | |
971 | ||
972 | renew() { | |
973 | Le_Domain="$1" | |
974 | if [ -z "$Le_Domain" ] ; then | |
975 | _err "Usage: $0 domain.com" | |
976 | return 1 | |
977 | fi | |
978 | ||
979 | _initpath $Le_Domain | |
980 | ||
981 | if [ ! -f "$DOMAIN_CONF" ] ; then | |
982 | _info "$Le_Domain is not a issued domain, skip." | |
983 | return 0; | |
984 | fi | |
985 | ||
986 | source "$DOMAIN_CONF" | |
987 | if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then | |
988 | _info "Skip, Next renewal time is: $Le_NextRenewTimeStr" | |
989 | return 2 | |
990 | fi | |
991 | ||
992 | IS_RENEW="1" | |
993 | issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" | |
994 | local res=$? | |
995 | IS_RENEW="" | |
996 | ||
997 | return $res | |
998 | } | |
999 | ||
1000 | renewAll() { | |
1001 | _initpath | |
1002 | _info "renewAll" | |
1003 | ||
1004 | for d in $(ls -F $LE_WORKING_DIR | grep [^.].*[.].*/$ ) ; do | |
1005 | d=$(echo $d | cut -d '/' -f 1) | |
1006 | _info "renew $d" | |
1007 | ||
1008 | Le_LinkCert="" | |
1009 | Le_Domain="" | |
1010 | Le_Alt="" | |
1011 | Le_Webroot="" | |
1012 | Le_Keylength="" | |
1013 | Le_LinkIssuer="" | |
1014 | ||
1015 | Le_CertCreateTime="" | |
1016 | Le_CertCreateTimeStr="" | |
1017 | Le_RenewalDays="" | |
1018 | Le_NextRenewTime="" | |
1019 | Le_NextRenewTimeStr="" | |
1020 | ||
1021 | Le_RealCertPath="" | |
1022 | Le_RealKeyPath="" | |
1023 | ||
1024 | Le_RealCACertPath="" | |
1025 | ||
1026 | Le_ReloadCmd="" | |
1027 | ||
1028 | DOMAIN_PATH="" | |
1029 | DOMAIN_CONF="" | |
1030 | DOMAIN_SSL_CONF="" | |
1031 | CSR_PATH="" | |
1032 | CERT_KEY_PATH="" | |
1033 | CERT_PATH="" | |
1034 | CA_CERT_PATH="" | |
caf1fc10 | 1035 | CERT_FULLCHAIN_PATH="" |
4c3b3608 | 1036 | ACCOUNT_KEY_PATH="" |
1037 | ||
1038 | wellknown_path="" | |
1039 | ||
1040 | renew "$d" | |
1041 | done | |
1042 | ||
1043 | } | |
1044 | ||
1045 | installcert() { | |
1046 | Le_Domain="$1" | |
1047 | if [ -z "$Le_Domain" ] ; then | |
1048 | _err "Usage: $0 domain.com [cert-file-path]|no [key-file-path]|no [ca-cert-file-path]|no [reloadCmd]|no" | |
1049 | return 1 | |
1050 | fi | |
1051 | ||
1052 | Le_RealCertPath="$2" | |
1053 | Le_RealKeyPath="$3" | |
1054 | Le_RealCACertPath="$4" | |
1055 | Le_ReloadCmd="$5" | |
1056 | ||
1057 | _initpath $Le_Domain | |
1058 | ||
1059 | _setopt "$DOMAIN_CONF" "Le_RealCertPath" "=" "\"$Le_RealCertPath\"" | |
1060 | _setopt "$DOMAIN_CONF" "Le_RealCACertPath" "=" "\"$Le_RealCACertPath\"" | |
1061 | _setopt "$DOMAIN_CONF" "Le_RealKeyPath" "=" "\"$Le_RealKeyPath\"" | |
1062 | _setopt "$DOMAIN_CONF" "Le_ReloadCmd" "=" "\"$Le_ReloadCmd\"" | |
1063 | ||
1064 | if [ "$Le_RealCertPath" ] ; then | |
1065 | if [ -f "$Le_RealCertPath" ] ; then | |
1066 | cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak | |
1067 | fi | |
1068 | cat "$CERT_PATH" > "$Le_RealCertPath" | |
1069 | fi | |
1070 | ||
1071 | if [ "$Le_RealCACertPath" ] ; then | |
1072 | if [ -f "$Le_RealCACertPath" ] ; then | |
1073 | cp -p "$Le_RealCACertPath" "$Le_RealCACertPath".bak | |
1074 | fi | |
1075 | if [ "$Le_RealCACertPath" == "$Le_RealCertPath" ] ; then | |
1076 | echo "" >> "$Le_RealCACertPath" | |
1077 | cat "$CA_CERT_PATH" >> "$Le_RealCACertPath" | |
1078 | else | |
1079 | cat "$CA_CERT_PATH" > "$Le_RealCACertPath" | |
1080 | fi | |
1081 | fi | |
1082 | ||
1083 | ||
1084 | if [ "$Le_RealKeyPath" ] ; then | |
1085 | if [ -f "$Le_RealKeyPath" ] ; then | |
1086 | cp -p "$Le_RealKeyPath" "$Le_RealKeyPath".bak | |
1087 | fi | |
1088 | cat "$CERT_KEY_PATH" > "$Le_RealKeyPath" | |
1089 | fi | |
1090 | ||
1091 | if [ "$Le_ReloadCmd" ] ; then | |
1092 | _info "Run Le_ReloadCmd: $Le_ReloadCmd" | |
1093 | (cd "$DOMAIN_PATH" && eval "$Le_ReloadCmd") | |
1094 | fi | |
1095 | ||
1096 | } | |
1097 | ||
1098 | installcronjob() { | |
1099 | _initpath | |
1100 | _info "Installing cron job" | |
1101 | if ! crontab -l | grep 'le.sh cron' ; then | |
1102 | if [ -f "$LE_WORKING_DIR/le.sh" ] ; then | |
1103 | lesh="\"$LE_WORKING_DIR\"/le.sh" | |
1104 | else | |
1105 | _err "Can not install cronjob, le.sh not found." | |
1106 | return 1 | |
1107 | fi | |
1108 | crontab -l | { cat; echo "0 0 * * * LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null"; } | crontab - | |
1109 | fi | |
1110 | if [ "$?" != "0" ] ; then | |
1111 | _err "Install cron job failed. You need to manually renew your certs." | |
1112 | _err "Or you can add cronjob by yourself:" | |
1113 | _err "LE_WORKING_DIR=\"$LE_WORKING_DIR\" $lesh cron > /dev/null" | |
1114 | return 1 | |
1115 | fi | |
1116 | } | |
1117 | ||
1118 | uninstallcronjob() { | |
1119 | _info "Removing cron job" | |
1120 | cr="$(crontab -l | grep 'le.sh cron')" | |
1121 | if [ "$cr" ] ; then | |
1122 | crontab -l | sed "/le.sh cron/d" | crontab - | |
1123 | LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 6 | cut -d '=' -f 2 | tr -d '"')" | |
1124 | _info LE_WORKING_DIR "$LE_WORKING_DIR" | |
1125 | fi | |
1126 | _initpath | |
1127 | ||
1128 | } | |
1129 | ||
1130 | ||
1131 | # Detect profile file if not specified as environment variable | |
1132 | _detect_profile() { | |
1133 | if [ -n "$PROFILE" -a -f "$PROFILE" ]; then | |
1134 | echo "$PROFILE" | |
1135 | return | |
1136 | fi | |
1137 | ||
1138 | local DETECTED_PROFILE | |
1139 | DETECTED_PROFILE='' | |
1140 | local SHELLTYPE | |
1141 | SHELLTYPE="$(basename "/$SHELL")" | |
1142 | ||
1143 | if [ "$SHELLTYPE" = "bash" ]; then | |
1144 | if [ -f "$HOME/.bashrc" ]; then | |
1145 | DETECTED_PROFILE="$HOME/.bashrc" | |
1146 | elif [ -f "$HOME/.bash_profile" ]; then | |
1147 | DETECTED_PROFILE="$HOME/.bash_profile" | |
1148 | fi | |
1149 | elif [ "$SHELLTYPE" = "zsh" ]; then | |
1150 | DETECTED_PROFILE="$HOME/.zshrc" | |
1151 | fi | |
1152 | ||
1153 | if [ -z "$DETECTED_PROFILE" ]; then | |
1154 | if [ -f "$HOME/.profile" ]; then | |
1155 | DETECTED_PROFILE="$HOME/.profile" | |
1156 | elif [ -f "$HOME/.bashrc" ]; then | |
1157 | DETECTED_PROFILE="$HOME/.bashrc" | |
1158 | elif [ -f "$HOME/.bash_profile" ]; then | |
1159 | DETECTED_PROFILE="$HOME/.bash_profile" | |
1160 | elif [ -f "$HOME/.zshrc" ]; then | |
1161 | DETECTED_PROFILE="$HOME/.zshrc" | |
1162 | fi | |
1163 | fi | |
1164 | ||
1165 | if [ ! -z "$DETECTED_PROFILE" ]; then | |
1166 | echo "$DETECTED_PROFILE" | |
1167 | fi | |
1168 | } | |
1169 | ||
1170 | _initconf() { | |
1171 | _initpath | |
1172 | if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then | |
1173 | echo "#Account configurations: | |
1174 | #Here are the supported macros, uncomment them to make them take effect. | |
1175 | #ACCOUNT_EMAIL=aaa@aaa.com # the account email used to register account. | |
5fd3f21b | 1176 | #ACCOUNT_KEY_PATH=\"/path/to/account.key\" |
4c3b3608 | 1177 | |
1178 | #STAGE=1 # Use the staging api | |
1179 | #FORCE=1 # Force to issue cert | |
1180 | #DEBUG=1 # Debug mode | |
1181 | ||
1182 | #dns api | |
1183 | ####################### | |
1184 | #Cloudflare: | |
1185 | #api key | |
3d49985a | 1186 | #CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\" |
4c3b3608 | 1187 | #account email |
3d49985a | 1188 | #CF_Email=\"xxxx@sss.com\" |
4c3b3608 | 1189 | |
1190 | ####################### | |
1191 | #Dnspod.cn: | |
1192 | #api key id | |
3d49985a | 1193 | #DP_Id=\"1234\" |
4c3b3608 | 1194 | #api key |
3d49985a | 1195 | #DP_Key=\"sADDsdasdgdsf\" |
4c3b3608 | 1196 | |
1197 | ####################### | |
1198 | #Cloudxns.com: | |
3d49985a | 1199 | #CX_Key=\"1234\" |
4c3b3608 | 1200 | # |
3d49985a | 1201 | #CX_Secret=\"sADDsdasdgdsf\" |
4c3b3608 | 1202 | |
1203 | " > $ACCOUNT_CONF_PATH | |
1204 | fi | |
1205 | } | |
1206 | ||
1207 | install() { | |
1208 | if ! _initpath ; then | |
1209 | _err "Install failed." | |
1210 | return 1 | |
1211 | fi | |
1212 | ||
1213 | #check if there is sudo installed, AND if the current user is a sudoer. | |
1214 | if command -v sudo > /dev/null ; then | |
1215 | if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then | |
1216 | SUDO=sudo | |
1217 | fi | |
1218 | fi | |
1219 | ||
1220 | if command -v yum > /dev/null ; then | |
1221 | YUM="1" | |
1222 | INSTALL="$SUDO yum install -y " | |
1223 | elif command -v apt-get > /dev/null ; then | |
1224 | INSTALL="$SUDO apt-get install -y " | |
1225 | fi | |
1226 | ||
1227 | if ! command -v "curl" > /dev/null ; then | |
1228 | _err "Please install curl first." | |
1229 | _err "$INSTALL curl" | |
1230 | return 1 | |
1231 | fi | |
1232 | ||
1233 | if ! command -v "crontab" > /dev/null ; then | |
1234 | _err "Please install crontab first." | |
1235 | if [ "$YUM" ] ; then | |
1236 | _err "$INSTALL crontabs" | |
1237 | else | |
1238 | _err "$INSTALL crontab" | |
1239 | fi | |
1240 | return 1 | |
1241 | fi | |
1242 | ||
1243 | if ! command -v "openssl" > /dev/null ; then | |
1244 | _err "Please install openssl first." | |
1245 | _err "$INSTALL openssl" | |
1246 | return 1 | |
1247 | fi | |
1248 | ||
1249 | _info "Installing to $LE_WORKING_DIR" | |
1250 | ||
1251 | cp le.sh "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/le.sh" | |
1252 | ||
1253 | if [ "$?" != "0" ] ; then | |
1254 | _err "Install failed, can not copy le.sh" | |
1255 | return 1 | |
1256 | fi | |
1257 | ||
1258 | _info "Installed to $LE_WORKING_DIR/le.sh" | |
1259 | ||
1260 | _profile="$(_detect_profile)" | |
1261 | if [ "$_profile" ] ; then | |
1262 | _debug "Found profile: $_profile" | |
1263 | ||
1264 | echo "LE_WORKING_DIR=$LE_WORKING_DIR | |
1265 | alias le=\"$LE_WORKING_DIR/le.sh\" | |
1266 | alias le.sh=\"$LE_WORKING_DIR/le.sh\" | |
1267 | " > "$LE_WORKING_DIR/le.env" | |
b86869a0 | 1268 | echo "" >> "$_profile" |
4c3b3608 | 1269 | _setopt "$_profile" "source \"$LE_WORKING_DIR/le.env\"" |
1270 | _info "OK, Close and reopen your terminal to start using le" | |
1271 | else | |
1272 | _info "No profile is found, you will need to go into $LE_WORKING_DIR to use le.sh" | |
1273 | fi | |
1274 | ||
1275 | mkdir -p $LE_WORKING_DIR/dnsapi | |
1276 | cp dnsapi/* $LE_WORKING_DIR/dnsapi/ | |
1277 | ||
1278 | #to keep compatible mv the .acc file to .key file | |
1279 | if [ -f "$LE_WORKING_DIR/account.acc" ] ; then | |
1280 | mv "$LE_WORKING_DIR/account.acc" "$LE_WORKING_DIR/account.key" | |
1281 | fi | |
1282 | ||
1283 | installcronjob | |
1284 | ||
1285 | if [ ! -f "$ACCOUNT_CONF_PATH" ] ; then | |
1286 | _initconf | |
1287 | fi | |
1288 | _info OK | |
1289 | } | |
1290 | ||
1291 | uninstall() { | |
1292 | uninstallcronjob | |
1293 | _initpath | |
1294 | ||
1295 | _profile="$(_detect_profile)" | |
1296 | if [ "$_profile" ] ; then | |
7203a1c1 | 1297 | text="$(cat $_profile)" |
1298 | echo "$text" | sed "s|^source.*le.env.*$||" > "$_profile" | |
4c3b3608 | 1299 | fi |
1300 | ||
1301 | rm -f $LE_WORKING_DIR/le.sh | |
1302 | _info "The keys and certs are in $LE_WORKING_DIR, you can remove them by yourself." | |
1303 | ||
1304 | } | |
1305 | ||
1306 | cron() { | |
1307 | renewAll | |
1308 | } | |
1309 | ||
1310 | version() { | |
1311 | _info "$PROJECT" | |
1312 | _info "v$VER" | |
1313 | } | |
1314 | ||
1315 | showhelp() { | |
1316 | version | |
1317 | echo "Usage: le.sh [command] ...[args].... | |
1318 | Avalible commands: | |
1319 | ||
1320 | install: | |
1321 | Install le.sh to your system. | |
1322 | issue: | |
1323 | Issue a cert. | |
1324 | installcert: | |
1325 | Install the issued cert to apache/nginx or any other server. | |
1326 | renew: | |
1327 | Renew a cert. | |
1328 | renewAll: | |
1329 | Renew all the certs. | |
1330 | uninstall: | |
1331 | Uninstall le.sh, and uninstall the cron job. | |
1332 | version: | |
1333 | Show version info. | |
1334 | installcronjob: | |
1335 | Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job. | |
1336 | uninstallcronjob: | |
1337 | Uninstall the cron job. The 'uninstall' command can do this automatically. | |
1338 | createAccountKey: | |
1339 | Create an account private key, professional use. | |
1340 | createDomainKey: | |
1341 | Create an domain private key, professional use. | |
1342 | createCSR: | |
1343 | Create CSR , professional use. | |
1344 | " | |
1345 | } | |
1346 | ||
1347 | ||
1348 | if [ -z "$1" ] ; then | |
1349 | showhelp | |
1350 | else | |
1351 | "$@" | |
1352 | fi |