LOG_LEVEL_1=1
LOG_LEVEL_2=2
LOG_LEVEL_3=3
-DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
+DEFAULT_LOG_LEVEL="$LOG_LEVEL_2"
DEBUG_LEVEL_1=1
DEBUG_LEVEL_2=2
DEBUG_LEVEL_3=3
-DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
+DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_2
DEBUG_LEVEL_NONE=0
DOH_CLOUDFLARE=1
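Review bot: Raising both `DEFAULT_LOG_LEVEL` and `DEBUG_LEVEL_DEFAULT` from level 1 to level 2 makes every run more verbose by default, and this file passes request payloads to the debug helpers (`_debug payload "$payload"` in the signed-request path), so it is worth confirming that the extra level-2 output, if it reaches the log file, still goes through the redaction the `--output-insecure` help text promises and that the log file is created with restrictive permissions. The constants themselves carry no explanation of the change; a comment beside the assignment such as `# default raised from LOG_LEVEL_1 to LOG_LEVEL_2: the log file now records more diagnostic output` would make the new behaviour discoverable to anyone reading the defaults.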
fi
}
+if [ "$(echo abc | egrep -o b 2>/dev/null)" = "b" ]; then
+ __USE_EGREP=1
+else
+ __USE_EGREP=""
+fi
+
_egrep_o() {
- if ! egrep -o "$1" 2>/dev/null; then
+ if [ "$__USE_EGREP" ]; then
+ egrep -o -- "$1"
+ else
sed -n 's/.*\('"$1"'\).*/\1/p'
fi
}
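Review bot: `_egrep_o` now runs `egrep -o -- "$1"` without the `2>/dev/null` the probe line uses, and GNU grep 3.8 and later prints an obsolescence warning on stderr for every `egrep` invocation, so each call site will leak that warning into the script's output; `grep -E -o -- "$1"` (with the probe changed to `echo abc | grep -E -o b`) avoids it wherever `grep -E` is available, and the sed fallback still covers platforms where it is not. The two branches also do not interpret the pattern identically: the egrep path is ERE and prints every match, while the fallback splices `$1` into a BRE `s` command and prints at most one match per line, so callers have to stay within syntax common to both (no `+`, `|` or `{n}`) and must not use `/` or `\(` in the pattern. That contract is worth stating on the function: `# $1: regex valid as both ERE and BRE; on the sed path it is spliced unescaped into s/.../, so it must not contain '/'`.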
createCSR() {
_info "Creating csr"
if [ -z "$1" ]; then
- _usage "Usage: $PROJECT_ENTRY --create-csr --domain <domain.tld> [--domain <domain2.tld> ...]"
+ _usage "Usage: $PROJECT_ENTRY --create-csr --domain <domain.tld> [--domain <domain2.tld> ...] [--ecc]"
return
fi
}
_tail_n() {
- if ! tail -n "$1" 2>/dev/null; then
+ if _is_solaris; then
#fix for solaris
tail -"$1"
+ else
+ tail -n "$1"
+ fi
+}
+
+_tail_c() {
+ if _is_solaris; then
+ #fix for solaris
+ tail -"$1"c
+ else
+ tail -c "$1"
fi
}
if [ -z "$keyfile" ]; then
keyfile="$ACCOUNT_KEY_PATH"
fi
+ _debug "=======Begin Send Signed Request======="
_debug url "$url"
_debug payload "$payload"
_CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
- _body="$response"
- if [ "$needbase64" ]; then
- _body="$(echo "$_body" | _dbase64 multiline)"
- _debug3 _body "$_body"
- fi
- _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+ if ! _startswith "$code" "2"; then
+ _body="$response"
+ if [ "$needbase64" ]; then
+ _body="$(echo "$_body" | _dbase64 multiline)"
+ _debug3 _body "$_body"
+ fi
- if [ "$code" = '503' ] || [ "$_retryafter" ]; then
- _sleep_overload_retry_sec=$_retryafter
- if [ -z "$_sleep_overload_retry_sec" ]; then
- _sleep_overload_retry_sec=5
+ _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+ if [ "$code" = '503' ]; then
+ _sleep_overload_retry_sec=$_retryafter
+ if [ -z "$_sleep_overload_retry_sec" ]; then
+ _sleep_overload_retry_sec=5
+ fi
+ if [ $_sleep_overload_retry_sec -le 600 ]; then
+ _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds."
+ _sleep $_sleep_overload_retry_sec
+ continue
+ else
+ _info "The retryafter=$_retryafter is too large > 600, not retry anymore."
+ fi
fi
- if [ $_sleep_overload_retry_sec -le 600 ]; then
- _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds."
- _sleep $_sleep_overload_retry_sec
+ if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then
+ _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds."
+ _CACHED_NONCE=""
+ _sleep $_sleep_retry_sec
+ continue
+ fi
+ if _contains "$_body" "The Replay Nonce is not recognized"; then
+ _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
+ _CACHED_NONCE=""
+ _sleep $_sleep_retry_sec
continue
- else
- _info "The retryafter=$_retryafter is too large > 600, not retry anymore."
- return 1
fi
fi
- if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then
- _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds."
- _CACHED_NONCE=""
- _sleep $_sleep_retry_sec
- continue
- fi
- if _contains "$_body" "The Replay Nonce is not recognized"; then
- _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
- _CACHED_NONCE=""
- _sleep $_sleep_retry_sec
- continue
- fi
-
return 0
done
_info "Giving up sending to CA server after $MAX_REQUEST_RETRY_TIMES retries."
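Review bot: The "Retry-After too large" path no longer reports failure: the removed `else` arm returned 1, while the new arm ending in `_info "The retryafter=$_retryafter is too large > 600, not retry anymore."` only logs and then falls through to the final `return 0`, so a 503 the function declined to retry is now reported to callers as success; restore `return 1` in that `else` arm unless every caller also inspects `$code`. Separately, `_retryafter` is a server-supplied header value and the grep pattern anchors only its leading digits, so a non-digit suffix survives `tr -d ' '` into the unquoted `[ $_sleep_overload_retry_sec -le 600 ]` test and into the `_sleep` argument; validating it before use, e.g. `case "$_retryafter" in *[!0-9]*) _retryafter="" ;; esac`, keeps both numeric and quoting `"$_sleep_overload_retry_sec"` in the test makes a bad value fail predictably. The enclosing retry loop and function begin outside this hunk.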
if [ ! -f "$__conf" ]; then
touch "$__conf"
fi
- if [ -n "$(tail -c 1 <"$__conf")" ]; then
+ if [ -n "$(_tail_c 1 <"$__conf")" ]; then
echo >>"$__conf"
fi
_err "nginx command is not found."
return 1
fi
- NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "--conf-path=[^ ]* " | tr -d " ")"
+ NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "\-\-conf-path=[^ ]* " | tr -d " ")"
_debug NGINX_CONF "$NGINX_CONF"
NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
_debug NGINX_CONF "$NGINX_CONF"
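Review bot: The pattern `"\-\-conf-path=[^ ]* "` relies on `\-`, which is an undefined escape in POSIX BRE/ERE and may be treated differently by non-GNU implementations; since `_egrep_o` now passes the pattern after `--`, the escaping is no longer needed to keep egrep from reading it as an option, and `"[-][-]conf-path=[^ ]* "` (or the plain `"--conf-path=[^ ]* "`) expresses the literal dashes portably on both the egrep and sed paths. A short comment on why the dashes are bracketed would keep the next maintainer from reverting it. The enclosing function starts outside this hunk.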
_d="*.$_d"
fi
_debug2 _d "$_d"
- _authorizations_map="$_d,$response
+ _authorizations_map="$_d,$response#$_authz_url
$_authorizations_map"
done
+
_debug2 _authorizations_map "$_authorizations_map"
_index=0
_on_issue_err "$_post_hook"
return 1
fi
-
+ _authz_url="$(echo "$_candidates" | sed "s/$_idn_d,//" | _egrep_o "#.*" | sed "s/^#//")"
+ _debug _authz_url "$_authz_url"
if [ -z "$thumbprint" ]; then
thumbprint="$(__calc_account_thumbprint)"
fi
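Review bot: The authz URL is recovered by `_egrep_o "#.*" | sed "s/^#//"`, i.e. by the first `#` on the line, but the separator is spliced between `$response`, the CA's JSON, and the URL, and nothing guarantees that JSON is free of `#`; the two `_egrep_o` implementations also disagree on such input, since `egrep -o` matches from the first `#` while the sed fallback's greedy leading `.*` takes the last. Splitting explicitly on the last separator with `sed 's/.*#//'` in place of the `_egrep_o | sed` pair is unambiguous as long as the authz URL itself carries no fragment, which is the normal case for ACME URLs, and removes the dependence on which `_egrep_o` path is active. `$_idn_d` is likewise interpolated unescaped into `sed "s/$_idn_d,//"`; this is safe only because a domain cannot contain `/`, which deserves a one-line comment. Both changed spans sit inside loops that begin outside this hunk.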
_debug keyauthorization "$keyauthorization"
fi
- dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
+ dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot$sep$_authz_url"
_debug dvlist "$dvlist"
vlist="$vlist$dvlist$dvsep"
keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
+ _authz_url=$(echo "$ventry" | cut -d "$sep" -f 6)
_debug d "$d"
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
_debug "$d is already verified, skip $vtype."
uri=$(echo "$ventry" | cut -d "$sep" -f 3)
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
-
+ _authz_url=$(echo "$ventry" | cut -d "$sep" -f 6)
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
_info "$d is already verified, skip $vtype."
continue
_debug "d" "$d"
_debug "keyauthorization" "$keyauthorization"
_debug "uri" "$uri"
+ _debug "_authz_url" "$_authz_url"
removelevel=""
token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
MAX_RETRY_TIMES=30
fi
+ _debug "Lets check the status of the authz"
while true; do
waittimes=$(_math "$waittimes" + 1)
if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then
errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
_debug2 errordetail "$errordetail"
if [ "$errordetail" ]; then
- _err "$d:Verify error:$errordetail"
+ _err "Invalid status, $d:Verify error detail:$errordetail"
else
- _err "$d:Verify error:$error"
+ _err "Invalid status, $d:Verify error:$error"
fi
if [ "$DEBUG" ]; then
if [ "$vtype" = "$VTYPE_HTTP" ]; then
break
fi
- if [ "$status" = "pending" ]; then
+ if _contains "$status" "pending"; then
_info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
- elif [ "$status" = "processing" ]; then
+ elif _contains "$status" "processing"; then
_info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
else
- _err "$d:Verify error:$response"
+ _err "Unknown status: $status, $d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
_on_issue_err "$_post_hook" "$vlist"
_sleep 2
_debug "checking"
- _send_signed_request "$uri"
+ _send_signed_request "$_authz_url"
if [ "$?" != "0" ]; then
- _err "$d:Verify error:$response"
+ _err "Invalid code, $d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
_on_issue_err "$_post_hook" "$vlist"
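Review bot: `_send_signed_request "$_authz_url"` now polls a value that comes only from the new field-6 extraction earlier in this function (`cut -d "$sep" -f 6`), and nothing checks it is non-empty before the request; if the `#` split missed or the entry predates the extra field, the poll goes to an empty URL and the problem surfaces only as the generic "Invalid code" error. A guard ahead of the request that routes into the same cleanup, `if [ -z "$_authz_url" ]; then _err "$d: authz url is empty, can not check status."; _clearupwebbroot "$_currentRoot" "$removelevel" "$token"; _clearup; _on_issue_err "$_post_hook" "$vlist"; return 1; fi`, would make the failure explicit. The polling loop enclosing this block begins outside the hunk.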
-f, --force Force install, force cert renewal or override sudo restrictions.
--staging, --test Use staging server, for testing.
- --debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted.
+ --debug [0|1|2|3] Output debug info. Defaults to $DEBUG_LEVEL_DEFAULT if argument is omitted.
--output-insecure Output all the sensitive messages.
By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
-w, --webroot <directory> Specifies the web root folder for web root mode.
-k, --keylength <bits> Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
-ak, --accountkeylength <bits> Specifies the account key length: 2048, 3072, 4096
--log [file] Specifies the log file. Defaults to \"$DEFAULT_LOG_FILE\" if argument is omitted.
- --log-level <1|2> Specifies the log level, default is 1.
+ --log-level <1|2> Specifies the log level, default is $DEFAULT_LOG_LEVEL.
--syslog <0|3|6|7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
--eab-kid <eab_key_id> Key Identifier for External Account Binding.
--eab-hmac-key <eab_hmac_key> HMAC key for External Account Binding.
These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
- --cert-file <file> Path to copy the cert file to after issue/renew..
+ --cert-file <file> Path to copy the cert file to after issue/renew.
--key-file <file> Path to copy the key file to after issue/renew.
--ca-file <file> Path to copy the intermediate cert file to after issue/renew.
--fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
--no-profile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
- --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
+ --ecc Specifies use of the ECC cert. Only valid for '--install-cert', '--renew', '--remove ', '--revoke',
+ '--deploy', '--to-pkcs8', '--to-pkcs12' and '--create-csr'.
--csr <file> Specifies the input csr.
--pre-hook <command> Command to be run before obtaining any certificates.
--post-hook <command> Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
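Review bot: The new `--ecc` description lists `'--remove '` with a stray space before the closing quote; the other commands in the list are quoted without padding, so the line should read `'--remove',`. The reflow onto two lines otherwise matches the surrounding help text.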