- uses: actions/checkout@v2\r
- name: Clone acmetest\r
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/\r
- - uses: vmactions/freebsd-vm@v0.0.7\r
+ - uses: vmactions/freebsd-vm@v0.1.4\r
with:\r
envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'\r
prepare: pkg install -y socat curl\r
- uses: actions/checkout@v2\r
- name: Clone acmetest\r
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/\r
- - uses: vmactions/solaris-vm@v0.0.1\r
+ - uses: vmactions/solaris-vm@v0.0.3\r
with:\r
envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'\r
prepare: pkgutil -y -i socat curl\r
- uses: actions/checkout@v2\r
- name: Clone acmetest\r
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/\r
- - uses: vmactions/freebsd-vm@v0.0.7\r
+ - uses: vmactions/freebsd-vm@v0.1.4\r
with:\r
envs: 'NGROK_TOKEN TEST_LOCAL'\r
prepare: pkg install -y socat curl\r
run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV\r
- name: Clone acmetest\r
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/\r
- - uses: vmactions/solaris-vm@v0.0.1\r
+ - uses: vmactions/solaris-vm@v0.0.3\r
with:\r
envs: 'TEST_LOCAL TestingDomain'\r
nat: |\r
steps:\r
- name: checkout code\r
uses: actions/checkout@v2\r
- - name: install buildx\r
- id: buildx\r
- uses: crazy-max/ghaction-docker-buildx@v3\r
- with:\r
- buildx-version: latest\r
- qemu-version: latest\r
+ - name: Set up QEMU\r
+ uses: docker/setup-qemu-action@v1\r
+ - name: Set up Docker Buildx\r
+ uses: docker/setup-buildx-action@v1\r
- name: login to docker hub\r
run: |\r
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin\r
- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
- [Pebble strict Mode](https://github.com/letsencrypt/pebble)
+- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
# Supported modes
Check this project: https://github.com/acmesh-official/get.acme.sh
```bash
-curl https://get.acme.sh | sh
+curl https://get.acme.sh | sh -s email=my@example.com
```
Or:
```bash
-wget -O - https://get.acme.sh | sh
+wget -O - https://get.acme.sh | sh -s email=my@example.com
```
```bash
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
-./acme.sh --install
+./acme.sh --install -m my@example.com
```
You `don't have to be root` then, although `it is recommended`.
#!/usr/bin/env sh
-VER=2.8.9
+VER=2.9.0
PROJECT_NAME="acme.sh"
DOH_CLOUDFLARE=1
DOH_GOOGLE=2
+DOH_ALI=3
+DOH_DP=4
HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
fi
_h2b() {
- if _exists xxd && xxd -r -p 2>/dev/null; then
- return
+ if _exists xxd; then
+ if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
+ if xxd -r -p -c 9999 2>/dev/null; then
+ return
+ fi
+ else
+ if xxd -r -p 2>/dev/null; then
+ return
+ fi
+ fi
fi
hex=$(cat)
if _isEccKey "$length"; then
_debug "Using ec name: $eccname"
- if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -noout -genkey 2>/dev/null)"; then
echo "$_opkey" >"$f"
else
_err "error ecc key name: $eccname"
fi
else
_debug "Using RSA: $length"
- if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
+ __traditional=""
+ if _contains "$(${ACME_OPENSSL_BIN:-openssl} help genrsa 2>&1)" "-traditional"; then
+ __traditional="-traditional"
+ fi
+ if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa $__traditional "$length" 2>/dev/null)"; then
echo "$_opkey" >"$f"
else
_err "error rsa key: $length"
if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then
_headers="$(cat "$HTTP_HEADER")"
_debug2 _headers "$_headers"
- _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+ _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
fi
fi
if [ -z "$_CACHED_NONCE" ]; then
fi
_debug2 response "$response"
- _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+ _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
if ! _startswith "$code" "2"; then
_body="$response"
_sleep $_sleep_retry_sec
continue
fi
+ if _contains "$_body" "The Replay Nonce is not recognized"; then
+ _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
+ _CACHED_NONCE=""
+ _sleep $_sleep_retry_sec
+ continue
+ fi
fi
return 0
done
return 0 # do nothing
fi
_saved=$(_readdomainconf "SAVED_$_rac_key")
- eval "export $_rac_key=\"$_saved\""
+ eval "export $_rac_key=\"\$_saved\""
}
#_saveaccountconf key value base64encode
_clear_conf "$ACCOUNT_CONF_PATH" "$1"
}
+#key
+_clearaccountconf_mutable() {
+ _clearaccountconf "SAVED_$1"
+ #remove later
+ _clearaccountconf "$1"
+}
+
#_savecaconf key value
_savecaconf() {
_save_conf "$CA_CONF" "$1" "$2"
echo 'HTTP/1.0 200 OK'; \
echo 'Content-Length\: $_content_len'; \
echo ''; \
-printf -- '$content';" &
+printf '%s' '$content';" &
serverproc="$!"
}
_debug "Try include files"
for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
_debug "check included $included"
+ if !_startswith "$included" "/" && _exists dirname; then
+ _relpath="$(dirname "$_c_file")"
+ _debug "_relpath" "$_relpath"
+ included="$_relpath/included"
+ fi
if _checkConf "$1" "$included"; then
return 0
fi
#checks if cf server is available
_ns_is_available_cf() {
- if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
+ if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+_ns_is_available_google() {
+ if _get "https://dns.google" "" 1 >/dev/null 2>&1; then
return 0
else
return 1
_ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
}
+_ns_is_available_ali() {
+ if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#domain, type
+_ns_lookup_ali() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://dns.alidns.com/resolve"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
+_ns_is_available_dp() {
+ if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#dnspod
+_ns_lookup_dp() {
+ _cf_ld="$1"
+ _cf_ld_type="$2"
+ _cf_ep="https://doh.pub/dns-query"
+ _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
+
#domain, type
_ns_lookup() {
if [ -z "$DOH_USE" ]; then
if _ns_is_available_cf; then
_debug "Use cloudflare doh server"
export DOH_USE=$DOH_CLOUDFLARE
- else
+ elif _ns_is_available_google; then
_debug "Use google doh server"
export DOH_USE=$DOH_GOOGLE
+ elif _ns_is_available_ali; then
+ _debug "Use aliyun doh server"
+ export DOH_USE=$DOH_ALI
+ elif _ns_is_available_dp; then
+ _debug "Use dns pod doh server"
+ export DOH_USE=$DOH_DP
+ else
+ _err "No doh"
fi
fi
if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
_ns_lookup_cf "$@"
- else
+ elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then
_ns_lookup_google "$@"
+ elif [ "$DOH_USE" = "$DOH_ALI" ]; then
+ _ns_lookup_ali "$@"
+ elif [ "$DOH_USE" = "$DOH_DP" ]; then
+ _ns_lookup_dp "$@"
+ else
+ _err "Unknown doh provider: DOH_USE=$DOH_USE"
fi
}
if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
_ns_purge_cf "$_p_txtdomain" "TXT"
else
- _debug "no purge api for google dns api, just sleep 5 secs"
+ _debug "no purge api for this doh api, just sleep 5 secs"
_sleep 5
fi
}
#file
-_get_cert_issuers() {
+_get_chain_issuers() {
_cfile="$1"
- if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
- ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+ if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+ ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else
- ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+ _cindex=1
+ for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+ _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+ _debug2 "_startn" "$_startn"
+ _debug2 "_endn" "$_endn"
+ if [ "$DEBUG" ]; then
+ _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+ fi
+ sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+ _cindex=$(_math $_cindex + 1)
+ done
+ fi
+}
+
+#
+_get_chain_subjects() {
+ _cfile="$1"
+ if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+ ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+ else
+ _cindex=1
+ for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+ _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+ _debug2 "_startn" "$_startn"
+ _debug2 "_endn" "$_endn"
+ if [ "$DEBUG" ]; then
+ _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+ fi
+ sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+ _cindex=$(_math $_cindex + 1)
+ done
fi
}
_match_issuer() {
_cfile="$1"
_missuer="$2"
- _fissuers="$(_get_cert_issuers $_cfile)"
+ _fissuers="$(_get_chain_issuers $_cfile)"
_debug2 _fissuers "$_fissuers"
- if _contains "$_fissuers" "$_missuer"; then
- return 0
- fi
- _fissuers="$(echo "$_fissuers" | _lower_case)"
+ _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
+ _debug2 _rootissuer "$_rootissuer"
_missuer="$(echo "$_missuer" | _lower_case)"
- _contains "$_fissuers" "$_missuer"
+ _contains "$_rootissuer" "$_missuer"
}
#webroot, domain domainlist keylength
_debug2 response "$response"
status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
- if [ "$status" = "valid" ]; then
+ if _contains "$status" "valid"; then
_info "$(__green Success)"
_stopserver "$serverproc"
serverproc=""
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+ if [ "$DEBUG" ]; then
+ _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
+ fi
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
_debug2 "rels" "$rels"
_relca="$CA_CERT_PATH.alt"
echo "$response" >"$_relcert"
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+ if [ "$DEBUG" ]; then
+ _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
+ fi
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
_info "Matched issuer in: $rel"
cat $_relcert >"$CERT_PATH"
cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
cat $_relca >"$CA_CERT_PATH"
+ rm -f "$_relcert"
+ rm -f "$_relfullchain"
+ rm -f "$_relca"
break
fi
+ rm -f "$_relcert"
+ rm -f "$_relfullchain"
+ rm -f "$_relca"
done
fi
fi
_renew_hook="${10}"
_local_addr="${11}"
_challenge_alias="${12}"
+ _preferred_chain="${13}"
_csrsubj=$(_readSubjectFromCSR "$_csrfile")
if [ "$?" != "0" ]; then
_info "Copy csr to: $CSR_PATH"
cp "$_csrfile" "$CSR_PATH"
- issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
+ issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain"
}
}
-# nocron confighome noprofile
+# nocron confighome noprofile accountemail
install() {
if [ -z "$LE_WORKING_DIR" ]; then
_nocron="$1"
_c_home="$2"
_noprofile="$3"
+ _accountemail="$4"
+
if ! _initpath; then
_err "Install failed."
return 1
fi
fi
+ if [ "$_accountemail" ]; then
+ _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
+ fi
+
_info OK
}
--cert-home <directory> Specifies the home dir to save all the certs, only valid for '--install' command.
--config-home <directory> Specifies the home dir to save all the configurations.
--useragent <string> Specifies the user agent string. it will be saved for future use too.
- -m, --accountemail <email> Specifies the account email, only valid for the '--install' and '--update-account' command.
+ -m, --email <email> Specifies the account email, only valid for the '--install' and '--update-account' command.
--accountkey <file> Specifies the account key path, only valid for the '--install' command.
--days <ndays> Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
--httpport <port> Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
--ca-bundle <file> Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path <directory> Specifies directory containing CA certificates in PEM format, used by wget or curl.
- --nocron Only valid for '--install' command, which means: do not install the default cron job.
+ --no-cron Only valid for '--install' command, which means: do not install the default cron job.
In this case, the certs will not be renewed automatically.
- --noprofile Only valid for '--install' command, which means: do not install aliases to user profile.
+ --no-profile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
"
}
-# nocron noprofile
-_installOnline() {
+installOnline() {
_info "Installing from online archive."
- _nocron="$1"
- _noprofile="$2"
- if [ ! "$BRANCH" ]; then
- BRANCH="master"
+
+ _branch="$BRANCH"
+ if [ -z "$_branch" ]; then
+ _branch="master"
fi
- target="$PROJECT/archive/$BRANCH.tar.gz"
+ target="$PROJECT/archive/$_branch.tar.gz"
_info "Downloading $target"
- localname="$BRANCH.tar.gz"
+ localname="$_branch.tar.gz"
if ! _get "$target" >$localname; then
_err "Download error."
return 1
exit 1
fi
- cd "$PROJECT_NAME-$BRANCH"
+ cd "$PROJECT_NAME-$_branch"
chmod +x $PROJECT_ENTRY
- if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
+ if ./$PROJECT_ENTRY --install "$@"; then
_info "Install success!"
_initpath
_saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)"
cd ..
- rm -rf "$PROJECT_NAME-$BRANCH"
+ rm -rf "$PROJECT_NAME-$_branch"
rm -f "$localname"
)
}
[ -z "$FORCE" ] && [ "$(_getUpgradeHash)" = "$(_readaccountconf "UPGRADE_HASH")" ] && _info "Already uptodate!" && exit 0
export LE_WORKING_DIR
cd "$LE_WORKING_DIR"
- _installOnline "nocron" "noprofile"
+ installOnline "--nocron" "--noprofile"
); then
_info "Upgrade success!"
exit 0
--install)
_CMD="install"
;;
+ --install-online)
+ shift
+ installOnline "$@"
+ return
+ ;;
--uninstall)
_CMD="uninstall"
;;
USER_AGENT="$_useragent"
shift
;;
- -m | --accountemail)
+ -m | --email | --accountemail)
_accountemail="$2"
- ACCOUNT_EMAIL="$_accountemail"
+ export ACCOUNT_EMAIL="$_accountemail"
shift
;;
--accountkey)
CA_PATH="$_ca_path"
shift
;;
- --nocron)
+ --no-cron | --nocron)
_nocron="1"
;;
- --noprofile)
+ --no-profile | --noprofile)
_noprofile="1"
;;
--no-color)
fi
_debug "Running cmd: ${_CMD}"
case "${_CMD}" in
- install) install "$_nocron" "$_confighome" "$_noprofile" ;;
+ install) install "$_nocron" "$_confighome" "$_noprofile" "$_accountemail" ;;
uninstall) uninstall "$_nocron" ;;
upgrade) upgrade ;;
issue)
deploy "$_domain" "$_deploy_hook" "$_ecc"
;;
signcsr)
- signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
+ signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain"
;;
showcsr)
showcsr "$_csr" "$_domain"
}
-if [ "$INSTALLONLINE" ]; then
- INSTALLONLINE=""
- _installOnline
- exit
-fi
-
main() {
[ -z "$1" ] && showhelp && return
if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
_cca="$4"
_cfullchain="$5"
+ _rest_endpoint="https://rest.cleverreach.com"
+
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
_getdeployconf DEPLOY_CLEVERREACH_CLIENT_ID
_getdeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET
+ _getdeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID
if [ -z "${DEPLOY_CLEVERREACH_CLIENT_ID}" ]; then
_err "CleverReach Client ID is not found, please define DEPLOY_CLEVERREACH_CLIENT_ID."
_savedeployconf DEPLOY_CLEVERREACH_CLIENT_ID "${DEPLOY_CLEVERREACH_CLIENT_ID}"
_savedeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET "${DEPLOY_CLEVERREACH_CLIENT_SECRET}"
+ _savedeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
_info "Obtaining a CleverReach access token"
_data="{\"grant_type\": \"client_credentials\", \"client_id\": \"${DEPLOY_CLEVERREACH_CLIENT_ID}\", \"client_secret\": \"${DEPLOY_CLEVERREACH_CLIENT_SECRET}\"}"
- _auth_result="$(_post "$_data" "https://rest.cleverreach.com/oauth/token.php" "" "POST" "application/json")"
+ _auth_result="$(_post "$_data" "$_rest_endpoint/oauth/token.php" "" "POST" "application/json")"
_debug _data "$_data"
_debug _auth_result "$_auth_result"
_debug _regex "$_regex"
_access_token=$(echo "$_auth_result" | _json_decode | sed -n "s/$_regex/\1/p")
+ _debug _subclient "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
+
+ if [ -n "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
+ _info "Obtaining token for sub-client ${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
+ export _H1="Authorization: Bearer ${_access_token}"
+ _subclient_token_result="$(_get "$_rest_endpoint/v3/clients/$DEPLOY_CLEVERREACH_SUBCLIENT_ID/token")"
+ _access_token=$(echo "$_subclient_token_result" | sed -n "s/\"//p")
+
+ _debug _subclient_token_result "$_access_token"
+
+ _info "Destroying parent token at CleverReach, as it not needed anymore"
+ _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
+ _debug _destroy_result "$_destroy_result"
+ fi
+
_info "Uploading certificate and key to CleverReach"
_certData="{\"cert\":\"$(_json_encode <"$_cfullchain")\", \"key\":\"$(_json_encode <"$_ckey")\"}"
export _H1="Authorization: Bearer ${_access_token}"
- _add_cert_result="$(_post "$_certData" "https://rest.cleverreach.com/v3/ssl" "" "POST" "application/json")"
+ _add_cert_result="$(_post "$_certData" "$_rest_endpoint/v3/ssl" "" "POST" "application/json")"
- _debug "Destroying token at CleverReach"
- _post "" "https://rest.cleverreach.com/v3/oauth/token.json" "" "DELETE" "application/json"
+ if [ -z "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
+ _info "Destroying token at CleverReach, as it not needed anymore"
+ _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
+ _debug _destroy_result "$_destroy_result"
+ fi
if ! echo "$_add_cert_result" | grep '"error":' >/dev/null; then
_info "Uploaded certificate successfully"
--- /dev/null
+#!/usr/bin/env sh
+
+# Script to deploy cert to Peplink Routers
+#
+# The following environment variables must be set:
+#
+# PEPLINK_Hostname - Peplink hostname
+# PEPLINK_Username - Peplink username to login
+# PEPLINK_Password - Peplink password to login
+#
+# The following environmental variables may be set if you don't like their
+# default values:
+#
+# PEPLINK_Certtype - Certificate type to target for replacement
+# defaults to "webadmin", can be one of:
+# * "chub" (ContentHub)
+# * "openvpn" (OpenVPN CA)
+# * "portal" (Captive Portal SSL)
+# * "webadmin" (Web Admin SSL)
+# * "webproxy" (Proxy Root CA)
+# * "wwan_ca" (Wi-Fi WAN CA)
+# * "wwan_client" (Wi-Fi WAN Client)
+# PEPLINK_Scheme - defaults to "https"
+# PEPLINK_Port - defaults to "443"
+#
+#returns 0 means success, otherwise error.
+
+######## Public functions #####################
+
+_peplink_get_cookie_data() {
+ grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
+}
+
+#domain keyfile certfile cafile fullchain
+peplink_deploy() {
+
+ _cdomain="$1"
+ _ckey="$2"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _cfullchain "$_cfullchain"
+ _debug _ckey "$_ckey"
+
+ # Get Hostname, Username and Password, but don't save until we successfully authenticate
+ _getdeployconf PEPLINK_Hostname
+ _getdeployconf PEPLINK_Username
+ _getdeployconf PEPLINK_Password
+ if [ -z "${PEPLINK_Hostname:-}" ] || [ -z "${PEPLINK_Username:-}" ] || [ -z "${PEPLINK_Password:-}" ]; then
+ _err "PEPLINK_Hostname & PEPLINK_Username & PEPLINK_Password must be set"
+ return 1
+ fi
+ _debug2 PEPLINK_Hostname "$PEPLINK_Hostname"
+ _debug2 PEPLINK_Username "$PEPLINK_Username"
+ _secure_debug2 PEPLINK_Password "$PEPLINK_Password"
+
+ # Optional certificate type, scheme, and port for Peplink
+ _getdeployconf PEPLINK_Certtype
+ _getdeployconf PEPLINK_Scheme
+ _getdeployconf PEPLINK_Port
+
+ # Don't save the certificate type until we verify it exists and is supported
+ _savedeployconf PEPLINK_Scheme "$PEPLINK_Scheme"
+ _savedeployconf PEPLINK_Port "$PEPLINK_Port"
+
+ # Default vaules for certificate type, scheme, and port
+ [ -n "${PEPLINK_Certtype}" ] || PEPLINK_Certtype="webadmin"
+ [ -n "${PEPLINK_Scheme}" ] || PEPLINK_Scheme="https"
+ [ -n "${PEPLINK_Port}" ] || PEPLINK_Port="443"
+
+ _debug2 PEPLINK_Certtype "$PEPLINK_Certtype"
+ _debug2 PEPLINK_Scheme "$PEPLINK_Scheme"
+ _debug2 PEPLINK_Port "$PEPLINK_Port"
+
+ _base_url="$PEPLINK_Scheme://$PEPLINK_Hostname:$PEPLINK_Port"
+ _debug _base_url "$_base_url"
+
+ # Login, get the auth token from the cookie
+ _info "Logging into $PEPLINK_Hostname:$PEPLINK_Port"
+ encoded_username="$(printf "%s" "$PEPLINK_Username" | _url_encode)"
+ encoded_password="$(printf "%s" "$PEPLINK_Password" | _url_encode)"
+ response=$(_post "func=login&username=$encoded_username&password=$encoded_password" "$_base_url/cgi-bin/MANGA/api.cgi")
+ auth_token=$(_peplink_get_cookie_data "bauth" <"$HTTP_HEADER")
+ _debug3 response "$response"
+ _debug auth_token "$auth_token"
+
+ if [ -z "$auth_token" ]; then
+ _err "Unable to authenticate to $PEPLINK_Hostname:$PEPLINK_Port using $PEPLINK_Scheme."
+ _err "Check your username and password."
+ return 1
+ fi
+
+ _H1="Cookie: $auth_token"
+ export _H1
+ _debug2 H1 "${_H1}"
+
+ # Now that we know the hostnameusername and password are good, save them
+ _savedeployconf PEPLINK_Hostname "$PEPLINK_Hostname"
+ _savedeployconf PEPLINK_Username "$PEPLINK_Username"
+ _savedeployconf PEPLINK_Password "$PEPLINK_Password"
+
+ _info "Generate form POST request"
+
+ encoded_key="$(_url_encode <"$_ckey")"
+ encoded_fullchain="$(_url_encode <"$_cfullchain")"
+ body="cert_type=$PEPLINK_Certtype&cert_uid=§ion=CERT_modify&key_pem=$encoded_key&key_pem_passphrase=&key_pem_passphrase_confirm=&cert_pem=$encoded_fullchain"
+ _debug3 body "$body"
+
+ _info "Upload $PEPLINK_Certtype certificate to the Peplink"
+
+ response=$(_post "$body" "$_base_url/cgi-bin/MANGA/admin.cgi")
+ _debug3 response "$response"
+
+ if echo "$response" | grep 'Success' >/dev/null; then
+ # We've verified this certificate type is valid, so save it
+ _savedeployconf PEPLINK_Certtype "$PEPLINK_Certtype"
+ _info "Certificate was updated"
+ return 0
+ else
+ _err "Unable to update certificate, error code $response"
+ return 1
+ fi
+}
# we've verified this certificate description is a thing, so save it
_savedeployconf SYNO_Certificate "$SYNO_Certificate"
- default=false
+ default=""
if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
default=true
fi
#!/usr/bin/env sh
-#Here is a script to deploy cert to unifi server.
+# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
+# It supports:
+# - self-hosted Unifi Controller
+# - Unifi Cloud Key (Gen1/2/2+)
+# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
#returns 0 means success, otherwise error.
+# The deploy-hook automatically detects standard Unifi installations
+# for each of the supported environments. Most users should not need
+# to set any of these variables, but if you are running a self-hosted
+# Controller with custom locations, set these as necessary before running
+# the deploy hook. (Defaults shown below.)
+#
+# Settings for Unifi Controller:
+# Location of Java keystore or unifi.keystore.jks file:
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
+# Keystore password (built into Unifi Controller, not a user-set password):
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
+# Command to restart Unifi Controller:
#DEPLOY_UNIFI_RELOAD="service unifi restart"
+#
+# Settings for Unifi Cloud Key Gen1 (nginx admin pages):
+# Directory where cloudkey.crt and cloudkey.key live:
+#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
+# Command to restart maintenance pages and Controller
+# (same setting as above, default is updated when running on Cloud Key Gen1):
+#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
+#
+# Settings for UnifiOS (Cloud Key Gen2):
+# Directory where unifi-core.crt and unifi-core.key live:
+#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
+# Command to restart unifi-core:
+#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
+#
+# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
+# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
######## Public functions #####################
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
- if ! _exists keytool; then
- _err "keytool not found"
- return 1
- fi
+ _getdeployconf DEPLOY_UNIFI_KEYSTORE
+ _getdeployconf DEPLOY_UNIFI_KEYPASS
+ _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
+ _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
+ _getdeployconf DEPLOY_UNIFI_RELOAD
+
+ _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+ _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+ _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+ _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
+ _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+
+ # Space-separated list of environments detected and installed:
+ _services_updated=""
+
+ # Default reload commands accumulated as we auto-detect environments:
+ _reload_cmd=""
+
+ # Unifi Controller environment (self hosted or any Cloud Key) --
+ # auto-detect by file /usr/lib/unifi/data/keystore:
+ _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
+ if [ -f "$_unifi_keystore" ]; then
+ _info "Installing certificate for Unifi Controller (Java keystore)"
+ _debug _unifi_keystore "$_unifi_keystore"
+ if ! _exists keytool; then
+ _err "keytool not found"
+ return 1
+ fi
+ if [ ! -w "$_unifi_keystore" ]; then
+ _err "The file $_unifi_keystore is not writable, please change the permission."
+ return 1
+ fi
+
+ _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
- DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
- _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
- DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
- _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
- DEFAULT_UNIFI_RELOAD="service unifi restart"
- _reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
-
- _debug _unifi_keystore "$_unifi_keystore"
- if [ ! -f "$_unifi_keystore" ]; then
- if [ -z "$DEPLOY_UNIFI_KEYSTORE" ]; then
- _err "unifi keystore is not found, please define DEPLOY_UNIFI_KEYSTORE"
+ _debug "Generate import pkcs12"
+ _import_pkcs12="$(_mktemp)"
+ _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
+ # shellcheck disable=SC2181
+ if [ "$?" != "0" ]; then
+ _err "Error generating pkcs12. Please re-run with --debug and report a bug."
return 1
+ fi
+
+ _debug "Import into keystore: $_unifi_keystore"
+ if keytool -importkeystore \
+ -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+ -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+ -alias unifi -noprompt; then
+ _debug "Import keystore success!"
+ rm "$_import_pkcs12"
else
- _err "It seems that the specified unifi keystore is not valid, please check."
+ _err "Error importing into Unifi Java keystore."
+ _err "Please re-run with --debug and report a bug."
+ rm "$_import_pkcs12"
return 1
fi
+
+ if systemctl -q is-active unifi; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
+ fi
+ _services_updated="${_services_updated} unifi"
+ _info "Install Unifi Controller certificate success!"
+ elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
+ _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
+ return 1
fi
- if [ ! -w "$_unifi_keystore" ]; then
- _err "The file $_unifi_keystore is not writable, please change the permission."
+
+ # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
+ # auto-detect by file /etc/ssl/private/cloudkey.key:
+ _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
+ if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
+ _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
+ _debug _cloudkey_certdir "$_cloudkey_certdir"
+ if [ ! -w "$_cloudkey_certdir" ]; then
+ _err "The directory $_cloudkey_certdir is not writable; please check permissions."
+ return 1
+ fi
+ # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
+ # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
+ # updated above), but if not, we don't know how to handle this installation:
+ if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
+ _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
+ return 1
+ fi
+
+ cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
+ cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
+ (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
+
+ if systemctl -q is-active nginx; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
+ fi
+ _info "Install Cloud Key Gen1 certificate success!"
+ _services_updated="${_services_updated} nginx"
+ elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
+ _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
return 1
fi
- _info "Generate import pkcs12"
- _import_pkcs12="$(_mktemp)"
- _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
- if [ "$?" != "0" ]; then
- _err "Oops, error creating import pkcs12, please report bug to us."
+ # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
+ _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
+ if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
+ _info "Installing certificate for UnifiOS"
+ _debug _unifi_core_config "$_unifi_core_config"
+ if [ ! -w "$_unifi_core_config" ]; then
+ _err "The directory $_unifi_core_config is not writable; please check permissions."
+ return 1
+ fi
+
+ cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
+ cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
+
+ if systemctl -q is-active unifi-core; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
+ fi
+ _info "Install UnifiOS certificate success!"
+ _services_updated="${_services_updated} unifi-core"
+ elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
+ _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
return 1
fi
- _info "Modify unifi keystore: $_unifi_keystore"
- if keytool -importkeystore \
- -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
- -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
- -alias unifi -noprompt; then
- _info "Import keystore success!"
- rm "$_import_pkcs12"
- else
- _err "Import unifi keystore error, please report bug to us."
- rm "$_import_pkcs12"
+ if [ -z "$_services_updated" ]; then
+ # None of the Unifi environments were auto-detected, so no deployment has occurred
+ # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
+ _err "Unable to detect Unifi environment in standard location."
+ _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
+ _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
+ _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
return 1
fi
- _info "Run reload: $_reload"
- if eval "$_reload"; then
+ _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
+ if [ -z "$_reload_cmd" ]; then
+ _err "Certificates were installed for services:${_services_updated},"
+ _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
+ _err "to a command that will restart the necessary services."
+ return 1
+ fi
+ _info "Reload services (this may take some time): $_reload_cmd"
+ if eval "$_reload_cmd"; then
_info "Reload success!"
- if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
- _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
- else
- _cleardomainconf DEPLOY_UNIFI_KEYSTORE
- fi
- if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
- _savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
- else
- _cleardomainconf DEPLOY_UNIFI_KEYPASS
- fi
- if [ "$DEPLOY_UNIFI_RELOAD" ]; then
- _savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
- else
- _cleardomainconf DEPLOY_UNIFI_RELOAD
- fi
- return 0
else
_err "Reload error"
return 1
fi
- return 0
+ # Successful, so save all (non-default) config:
+ _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+ _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+ _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+ _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
+ _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+
+ return 0
}
fi
if [ -n "$FABIO" ]; then
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
else
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
- $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+ $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
fi
}
#!/usr/bin/env sh
-#Arvan_Token="xxxx"
+#Arvan_Token="Apikey xxxx"
ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
-
-#Author: Ehsan Aliakbar
+#Author: Vahid Fardi
#Report Bugs here: https://github.com/Neilpang/acme.sh
#
######## Public functions #####################
_info "Adding record"
if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then
if _contains "$response" "$txtvalue"; then
+ _info "response id is $response"
_info "Added, OK"
return 0
elif _contains "$response" "Record Data is Duplicated"; then
fi
fi
_err "Add txt record error."
- return 1
+ return 0
}
#Usage: fulldomain txtvalue
_debug _domain "$_domain"
_debug "Getting txt records"
- shorted_txtvalue=$(printf "%s" "$txtvalue" | cut -d "-" -d "_" -f1)
- _arvan_rest GET "${_domain}/dns-records?search=$shorted_txtvalue"
-
+ _arvan_rest GET "${_domain}/dns-records"
if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then
_err "Error on Arvan Api"
_err "Please create a github issue with debbug log"
return 1
fi
- count=$(printf "%s\n" "$response" | _egrep_o "\"total\":[^,]*" | cut -d : -f 2)
- _debug count "$count"
- if [ "$count" = "0" ]; then
- _info "Don't need to remove."
- else
- record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
- _debug "record_id" "$record_id"
- if [ -z "$record_id" ]; then
- _err "Can not get record id to remove."
- return 1
- fi
- if ! _arvan_rest "DELETE" "${_domain}/dns-records/$record_id"; then
- _err "Delete record error."
- return 1
- fi
- _debug "$response"
- _contains "$response" 'dns record deleted'
+ _record_id=$(echo "$response" | _egrep_o ".\"id\":\"[^\"]*\",\"type\":\"txt\",\"name\":\"_acme-challenge\",\"value\":{\"text\":\"$txtvalue\"}" | cut -d : -f 2 | cut -d , -f 1 | tr -d \")
+ if ! _arvan_rest "DELETE" "${_domain}/dns-records/${_record_id}"; then
+ _err "Error on Arvan Api"
+ return 1
fi
+ _debug "$response"
+ _contains "$response" 'dns record deleted'
+ return 0
}
#################### Private functions below ##################################
# _domain_id=sdjkglgdfewsdfg
_get_root() {
domain=$1
- i=1
+ i=2
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
return 1
fi
- if ! _arvan_rest GET "?search=$h"; then
+ if ! _arvan_rest GET "$h"; then
return 1
fi
-
- if _contains "$response" "\"domain\":\"$h\"" || _contains "$response" '"total":1'; then
- _domain_id=$(echo "$response" | _egrep_o "\[.\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+ if _contains "$response" "\"domain\":\"$h\""; then
+ _domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \")
if [ "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain=$h
data="$3"
token_trimmed=$(echo "$Arvan_Token" | tr -d '"')
-
export _H1="Authorization: $token_trimmed"
if [ "$mtd" = "DELETE" ]; then
else
response="$(_get "$ARVAN_API_URL/$ep$data")"
fi
+ return 0
}
--- /dev/null
+#!/usr/bin/env sh
+
+#
+#AURORA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
+#
+#AURORA_Secret="sdfsdfsdfljlbjkljlkjsdfoiwje"
+
+AURORA_Api="https://api.auroradns.eu"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_aurora_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
+ AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
+
+ if [ -z "$AURORA_Key" ] || [ -z "$AURORA_Secret" ]; then
+ AURORA_Key=""
+ AURORA_Secret=""
+ _err "You didn't specify an Aurora api key and secret yet."
+ _err "You can get yours from here https://cp.pcextreme.nl/auroradns/users."
+ return 1
+ fi
+
+ #save the api key and secret to the account conf file.
+ _saveaccountconf_mutable AURORA_Key "$AURORA_Key"
+ _saveaccountconf_mutable AURORA_Secret "$AURORA_Secret"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _info "Adding record"
+ if _aurora_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Added, OK"
+ return 0
+ elif _contains "$response" "RecordExistsError"; then
+ _info "Already exists, OK"
+ return 0
+ else
+ _err "Add txt record error."
+ return 1
+ fi
+ fi
+ _err "Add txt record error."
+ return 1
+
+}
+
+#fulldomain txtvalue
+dns_aurora_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
+ AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _domain_id "$_domain_id"
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _debug "Getting records"
+ _aurora_rest GET "zones/${_domain_id}/records"
+
+ if ! _contains "$response" "$txtvalue"; then
+ _info "Don't need to remove."
+ else
+ records=$(echo "$response" | _normalizeJson | tr -d "[]" | sed "s/},{/}|{/g" | tr "|" "\n")
+ if [ "$(echo "$records" | wc -l)" -le 2 ]; then
+ _err "Can not parse records."
+ return 1
+ fi
+ record_id=$(echo "$records" | grep "\"type\": *\"TXT\"" | grep "\"name\": *\"$_sub_domain\"" | grep "\"content\": *\"$txtvalue\"" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! _aurora_rest DELETE "zones/$_domain_id/records/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ fi
+ return 0
+
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if ! _aurora_rest GET "zones/$h"; then
+ return 1
+ fi
+
+ if _contains "$response" "\"name\": \"$h\""; then
+ _domain_id=$(echo "$response" | _normalizeJson | tr -d "{}" | tr "," "\n" | grep "\"id\": *\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+ _debug _domain_id "$_domain_id"
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_aurora_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+
+ key_trimmed=$(echo "$AURORA_Key" | tr -d '"')
+ secret_trimmed=$(echo "$AURORA_Secret" | tr -d '"')
+
+ timestamp=$(date -u +"%Y%m%dT%H%M%SZ")
+ signature=$(printf "%s/%s%s" "$m" "$ep" "$timestamp" | _hmac sha256 "$(printf "%s" "$secret_trimmed" | _hex_dump | tr -d " ")" | _base64)
+ authorization=$(printf "AuroraDNSv1 %s" "$(printf "%s:%s" "$key_trimmed" "$signature" | _base64)")
+
+ export _H1="Content-Type: application/json; charset=UTF-8"
+ export _H2="X-AuroraDNS-Date: $timestamp"
+ export _H3="Authorization: $authorization"
+
+ if [ "$m" != "GET" ]; then
+ _debug data "$data"
+ response="$(_post "$data" "$AURORA_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$AURORA_Api/$ep")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
return 1
fi
- _info "Adding TXT record"
- if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":120,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
- if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
- _info "Added"
- return 0
+ # The TXT record might already exist when working with wildcard certificates. In that case, update the record by adding the new value.
+ _debug "Search TXT record"
+ if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
+ if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
+ _info "Adding TXT record"
+ if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":60,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
+ if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
+ _info "Added"
+ return 0
+ else
+ _err "Error adding TXT record"
+ fi
+ fi
else
- _err "Error adding TXT record"
- return 1
+ _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
+ if _constellix_rest GET "domains/${_domain_id}/records/TXT/${_record_id}"; then
+ _new_rr_values=$(printf "%s\n" "$response" | _egrep_o '"roundRobin":\[[^]]*\]' | sed "s/\]$/,{\"value\":\"${txtvalue}\"}]/")
+ _debug _new_rr_values "$_new_rr_values"
+ _info "Updating TXT record"
+ if _constellix_rest PUT "domains/${_domain_id}/records/TXT/${_record_id}" "{\"name\":\"${_sub_domain}\",\"ttl\":60,${_new_rr_values}}"; then
+ if printf -- "%s" "$response" | grep "{\"success\":\"Record.*updated successfully\"}" >/dev/null; then
+ _info "Updated"
+ return 0
+ elif printf -- "%s" "$response" | grep "{\"errors\":\[\"Contents are identical\"\]}" >/dev/null; then
+ _info "Already exists, no need to update"
+ return 0
+ else
+ _err "Error updating TXT record"
+ fi
+ fi
+ fi
fi
fi
+
+ return 1
}
# Usage: fulldomain txtvalue
return 1
fi
- _info "Removing TXT record"
- if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
- if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+ # The TXT record might have been removed already when working with some wildcard certificates.
+ _debug "Search TXT record"
+ if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
+ if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
_info "Removed"
return 0
else
- _err "Error removing TXT record"
- return 1
+ _info "Removing TXT record"
+ if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
+ if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+ _info "Removed"
+ return 0
+ else
+ _err "Error removing TXT record"
+ fi
+ fi
fi
fi
+
+ return 1
}
#################### Private functions below ##################################
fi
if _contains "$response" "\"name\":\"$h\""; then
- _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]+" | cut -d ':' -f 2)
+ _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
if [ "$_domain_id" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
_domain="$h"
_info "Adding record"
- if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=默认"; then
+ if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=%E9%BB%98%E8%AE%A4"; then
return 1
fi
return 1
fi
- if ! _rest POST "Record.List" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
+ if ! _rest POST "Record.List" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
_err "Record.Lis error."
return 1
fi
return 0
fi
- record_id=$(echo "$response" | _egrep_o '{[^{]*"value":"'"$txtvalue"'"' | cut -d , -f 1 | cut -d : -f 2 | tr -d \")
+ record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2)
_debug record_id "$record_id"
if [ -z "$record_id" ]; then
_err "Can not get record id."
return 1
fi
- if ! _rest POST "Record.Remove" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
+ if ! _rest POST "Record.Remove" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
_err "Record.Remove error."
return 1
fi
_info "Adding record"
- if ! _rest POST "Record.Create" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
+ if ! _rest POST "Record.Create" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
return 1
fi
return 1
fi
- if ! _rest POST "Domain.Info" "user_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
+ if ! _rest POST "Domain.Info" "login_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
return 1
fi
DuckDNS_API="https://www.duckdns.org/update"
-######## Public functions #####################
+######## Public functions ######################
#Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_duckdns_add() {
param="$2"
_debug param "$param"
url="$DuckDNS_API?$param"
- if [ "$DEBUG" -gt 0 ]; then
+ if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ]; then
url="$url&verbose=true"
fi
_debug url "$url"
if [ "$method" = "GET" ]; then
response="$(_get "$url")"
_debug2 response "$response"
- if [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
+ if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
response="OK"
fi
else
# HUAWEICLOUD_ProjectID
iam_api="https://iam.myhuaweicloud.com"
-dns_api="https://dns.ap-southeast-1.myhuaweicloud.com"
+dns_api="https://dns.ap-southeast-1.myhuaweicloud.com" # Should work
######## Public functions #####################
return 1
fi
+ unset token # Clear token
token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
- _debug2 "${token}"
+ if [ -z "${token}" ]; then # Check token
+ _err "dns_api(dns_huaweicloud): Error getting token."
+ return 1
+ fi
+ _debug "Access token is: ${token}"
+
+ unset zoneid
zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
- _debug "${zoneid}"
+ if [ -z "${zoneid}" ]; then
+ _err "dns_api(dns_huaweicloud): Error getting zone id."
+ return 1
+ fi
+ _debug "Zone ID is: ${zoneid}"
_debug "Adding Record"
_add_record "${token}" "${fulldomain}" "${txtvalue}"
ret="$?"
if [ "${ret}" != "0" ]; then
- _err "dns_huaweicloud: Error adding record."
+ _err "dns_api(dns_huaweicloud): Error adding record."
return 1
fi
return 1
fi
+ unset token # Clear token
token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
- _debug2 "${token}"
+ if [ -z "${token}" ]; then # Check token
+ _err "dns_api(dns_huaweicloud): Error getting token."
+ return 1
+ fi
+ _debug "Access token is: ${token}"
+
+ unset zoneid
zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
- _debug "${zoneid}"
- record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
- _debug "Record Set ID is: ${record_id}"
+ if [ -z "${zoneid}" ]; then
+ _err "dns_api(dns_huaweicloud): Error getting zone id."
+ return 1
+ fi
+ _debug "Zone ID is: ${zoneid}"
# Remove all records
# Therotically HuaweiCloud does not allow more than one record set
--- /dev/null
+#!/usr/bin/env sh
+
+# Supports IONOS DNS API Beta v1.0.0
+#
+# Usage:
+# Export IONOS_PREFIX and IONOS_SECRET before calling acme.sh:
+#
+# $ export IONOS_PREFIX="..."
+# $ export IONOS_SECRET="..."
+#
+# $ acme.sh --issue --dns dns_ionos ...
+
+IONOS_API="https://api.hosting.ionos.com/dns"
+IONOS_ROUTE_ZONES="/v1/zones"
+
+IONOS_TXT_TTL=60 # minimum accepted by API
+IONOS_TXT_PRIO=10
+
+dns_ionos_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _ionos_init; then
+ return 1
+ fi
+
+ _body="[{\"name\":\"$_sub_domain.$_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":$IONOS_TXT_TTL,\"prio\":$IONOS_TXT_PRIO,\"disabled\":false}]"
+
+ if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ -z "$response" ]; then
+ _info "TXT record has been created successfully."
+ return 0
+ fi
+
+ return 1
+}
+
+dns_ionos_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ if ! _ionos_init; then
+ return 1
+ fi
+
+ if ! _ionos_get_record "$fulldomain" "$_zone_id" "$txtvalue"; then
+ _err "Could not find _acme-challenge TXT record."
+ return 1
+ fi
+
+ if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ -z "$response" ]; then
+ _info "TXT record has been deleted successfully."
+ return 0
+ fi
+
+ return 1
+}
+
+_ionos_init() {
+ IONOS_PREFIX="${IONOS_PREFIX:-$(_readaccountconf_mutable IONOS_PREFIX)}"
+ IONOS_SECRET="${IONOS_SECRET:-$(_readaccountconf_mutable IONOS_SECRET)}"
+
+ if [ -z "$IONOS_PREFIX" ] || [ -z "$IONOS_SECRET" ]; then
+ _err "You didn't specify an IONOS api prefix and secret yet."
+ _err "Read https://beta.developer.hosting.ionos.de/docs/getstarted to learn how to get a prefix and secret."
+ _err ""
+ _err "Then set them before calling acme.sh:"
+ _err "\$ export IONOS_PREFIX=\"...\""
+ _err "\$ export IONOS_SECRET=\"...\""
+ _err "\$ acme.sh --issue -d ... --dns dns_ionos"
+ return 1
+ fi
+
+ _saveaccountconf_mutable IONOS_PREFIX "$IONOS_PREFIX"
+ _saveaccountconf_mutable IONOS_SECRET "$IONOS_SECRET"
+
+ if ! _get_root "$fulldomain"; then
+ _err "Cannot find this domain in your IONOS account."
+ return 1
+ fi
+}
+
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ if _ionos_rest GET "$IONOS_ROUTE_ZONES"; then
+ response="$(echo "$response" | tr -d "\n")"
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ if [ -z "$h" ]; then
+ return 1
+ fi
+
+ _zone="$(echo "$response" | _egrep_o "\"name\":\"$h\".*\}")"
+ if [ "$_zone" ]; then
+ _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+ if [ "$_zone_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+
+ return 0
+ fi
+
+ return 1
+ fi
+
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ fi
+
+ return 1
+}
+
+_ionos_get_record() {
+ fulldomain=$1
+ zone_id=$2
+ txtrecord=$3
+
+ if _ionos_rest GET "$IONOS_ROUTE_ZONES/$zone_id?recordName=$fulldomain&recordType=TXT"; then
+ response="$(echo "$response" | tr -d "\n")"
+
+ _record="$(echo "$response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")"
+ if [ "$_record" ]; then
+ _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+_ionos_rest() {
+ method="$1"
+ route="$2"
+ data="$3"
+
+ IONOS_API_KEY="$(printf "%s.%s" "$IONOS_PREFIX" "$IONOS_SECRET")"
+
+ export _H1="X-API-Key: $IONOS_API_KEY"
+
+ if [ "$method" != "GET" ]; then
+ export _H2="Accept: application/json"
+ export _H3="Content-Type: application/json"
+
+ response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
+ else
+ export _H2="Accept: */*"
+
+ response="$(_get "$IONOS_API$route")"
+ fi
+
+ if [ "$?" != "0" ]; then
+ _err "Error $route"
+ return 1
+ fi
+
+ return 0
+}
# suffix . needed for zone -> domain.tld.
curData="{\"session_id\":\"${sessionID}\",\"primary_id\":{\"origin\":\"${curZone}.\"}}"
curResult="$(_post "${curData}" "${ISPC_Api}?dns_zone_get")"
- _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?login'"
+ _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?dns_zone_get'"
_debug "Result of _ISPC_getZoneInfo: '$curResult'"
if _contains "${curResult}" '"id":"'; then
zoneFound=true
;;
*) _info "Retrieved Zone ID" ;;
esac
- client_id=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
- _debug "Client ID: '${client_id}'"
- case "${client_id}" in
+ sys_userid=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
+ _debug "SYS User ID: '${sys_userid}'"
+ case "${sys_userid}" in
'' | *[!0-9]*)
- _err "Client ID is not numeric."
+ _err "SYS User ID is not numeric."
return 1
;;
- *) _info "Retrieved Client ID." ;;
+ *) _info "Retrieved SYS User ID." ;;
esac
zoneFound=""
zoneEnd=""
fi
+ # Need to get client_id as it is different from sys_userid
+ curData="{\"session_id\":\"${sessionID}\",\"sys_userid\":\"${sys_userid}\"}"
+ curResult="$(_post "${curData}" "${ISPC_Api}?client_get_id")"
+ _debug "Calling _ISPC_ClientGetID: '${curData}' '${ISPC_Api}?client_get_id'"
+ _debug "Result of _ISPC_ClientGetID: '$curResult'"
+ client_id=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2 | tr -d '{}')
+ _debug "Client ID: '${client_id}'"
+ case "${client_id}" in
+ '' | *[!0-9]*)
+ _err "Client ID is not numeric."
+ return 1
+ ;;
+ *) _info "Retrieved Client ID." ;;
+ esac
}
_ISPC_addTxt() {
#################### Private functions below ##################################
_Linode_API() {
+ LINODE_V4_API_KEY="${LINODE_V4_API_KEY:-$(_readaccountconf_mutable LINODE_V4_API_KEY)}"
if [ -z "$LINODE_V4_API_KEY" ]; then
LINODE_V4_API_KEY=""
return 1
fi
- _saveaccountconf LINODE_V4_API_KEY "$LINODE_V4_API_KEY"
+ _saveaccountconf_mutable LINODE_V4_API_KEY "$LINODE_V4_API_KEY"
}
#################### Private functions below ##################################
if [ -z "$NAMECHEAP_SOURCEIP" ]; then
_err "No Source IP specified for Namecheap API."
- _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+ _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
return 1
else
_saveaccountconf NAMECHEAP_SOURCEIP "$NAMECHEAP_SOURCEIP"
_publicip=$(_get "$addr")
else
_err "No Source IP specified for Namecheap API."
- _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+ _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
return 1
fi
fi
_hostid=$(echo "$_host" | _egrep_o ' HostId="[^"]*' | cut -d '"' -f 2)
_hostname=$(echo "$_host" | _egrep_o ' Name="[^"]*' | cut -d '"' -f 2)
_hosttype=$(echo "$_host" | _egrep_o ' Type="[^"]*' | cut -d '"' -f 2)
- _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2)
+ _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2 | _xml_decode)
_hostmxpref=$(echo "$_host" | _egrep_o ' MXPref="[^"]*' | cut -d '"' -f 2)
_hostttl=$(echo "$_host" | _egrep_o ' TTL="[^"]*' | cut -d '"' -f 2)
done
}
+
+_xml_decode() {
+ sed 's/"/"/g'
+}
#!/usr/bin/env sh
-# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*-
-
# one.com ui wrapper for acme.sh
-# Author: github: @diseq
-# Created: 2019-02-17
-# Fixed by: @der-berni
-# Modified: 2020-04-07
-#
-# Use ONECOM_KeepCnameProxy to keep the CNAME DNS record
-# export ONECOM_KeepCnameProxy="1"
+
#
# export ONECOM_User="username"
# export ONECOM_Password="password"
-#
-# Usage:
-# acme.sh --issue --dns dns_one -d example.com
-#
-# only single domain supported atm
dns_one_add() {
fulldomain=$1
subdomain="${_sub_domain}"
maindomain=${_domain}
- useProxy=0
- if [ "${_sub_domain}" = "_acme-challenge" ]; then
- subdomain="proxy${_sub_domain}"
- useProxy=1
- fi
-
_debug subdomain "$subdomain"
_debug maindomain "$maindomain"
- if [ $useProxy -eq 1 ]; then
- #Check if the CNAME exists
- _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
- if [ -z "$id" ]; then
- _info "$(__red "Add CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
- _dns_one_addrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
-
- _info "Not valid yet, let's wait 1 hour to take effect."
- _sleep 3600
- fi
- fi
-
#Check if the TXT exists
_dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
if [ -n "$id" ]; then
subdomain="${_sub_domain}"
maindomain=${_domain}
- useProxy=0
- if [ "${_sub_domain}" = "_acme-challenge" ]; then
- subdomain="proxy${_sub_domain}"
- useProxy=1
- fi
-
_debug subdomain "$subdomain"
_debug maindomain "$maindomain"
- if [ $useProxy -eq 1 ]; then
- if [ "$ONECOM_KeepCnameProxy" = "1" ]; then
- _info "$(__red "Keeping CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
- else
- #Check if the CNAME exists
- _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
- if [ -n "$id" ]; then
- _info "$(__red "Removing CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
- _dns_one_delrecord "$id"
- fi
- fi
- fi
#Check if the TXT exists
_dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
# _domain=domain.com
_get_root() {
domain="$1"
- i=2
+ i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
_dns_one_login() {
# get credentials
- ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-$(_readaccountconf_mutable ONECOM_KeepCnameProxy)}"
- ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-0}"
ONECOM_User="${ONECOM_User:-$(_readaccountconf_mutable ONECOM_User)}"
ONECOM_Password="${ONECOM_Password:-$(_readaccountconf_mutable ONECOM_Password)}"
if [ -z "$ONECOM_User" ] || [ -z "$ONECOM_Password" ]; then
fi
#save the api key and email to the account conf file.
- _saveaccountconf_mutable ONECOM_KeepCnameProxy "$ONECOM_KeepCnameProxy"
_saveaccountconf_mutable ONECOM_User "$ONECOM_User"
_saveaccountconf_mutable ONECOM_Password "$ONECOM_Password"
i=1
if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then
- _zones_response="$response"
+ _zones_response=$(echo "$response" | _normalizeJson)
fi
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
- if _contains "$_zones_response" "\"name\": \"$h.\""; then
+ if _contains "$_zones_response" "\"name\":\"$h.\""; then
_domain="$h."
if [ -z "$h" ]; then
_domain="=2E"
--- /dev/null
+#!/usr/bin/env sh
+
+#
+#PORKBUN_API_KEY="pk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+#PORKBUN_SECRET_API_KEY="sk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+PORKBUN_Api="https://porkbun.com/api/json/v3"
+
+######## Public functions #####################
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_porkbun_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
+ PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
+
+ if [ -z "$PORKBUN_API_KEY" ] || [ -z "$PORKBUN_SECRET_API_KEY" ]; then
+ PORKBUN_API_KEY=''
+ PORKBUN_SECRET_API_KEY=''
+ _err "You didn't specify a Porkbun api key and secret api key yet."
+ _err "You can get yours from here https://porkbun.com/account/api."
+ return 1
+ fi
+
+ #save the credentials to the account conf file.
+ _saveaccountconf_mutable PORKBUN_API_KEY "$PORKBUN_API_KEY"
+ _saveaccountconf_mutable PORKBUN_SECRET_API_KEY "$PORKBUN_SECRET_API_KEY"
+
+ _debug 'First detect the root zone'
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+ # we can not use updating anymore.
+ # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+ # _debug count "$count"
+ # if [ "$count" = "0" ]; then
+ _info "Adding record"
+ if _porkbun_rest POST "dns/create/$_domain" "{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
+ if _contains "$response" '\"status\":"SUCCESS"'; then
+ _info "Added, OK"
+ return 0
+ elif _contains "$response" "The record already exists"; then
+ _info "Already exists, OK"
+ return 0
+ else
+ _err "Add txt record error. ($response)"
+ return 1
+ fi
+ fi
+ _err "Add txt record error."
+ return 1
+
+}
+
+#fulldomain txtvalue
+dns_porkbun_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
+ PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
+
+ _debug 'First detect the root zone'
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ count=$(echo "$response" | _egrep_o "\"count\": *[^,]*" | cut -d : -f 2 | tr -d " ")
+ _debug count "$count"
+ if [ "$count" = "0" ]; then
+ _info "Don't need to remove."
+ else
+ record_id=$(echo "$response" | tr '{' '\n' | grep "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! _porkbun_rest POST "dns/delete/$_domain/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null
+ fi
+
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ return 1
+ fi
+
+ if _porkbun_rest POST "dns/retrieve/$h"; then
+ if _contains "$response" "\"status\":\"SUCCESS\""; then
+ _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
+ _domain=$h
+ return 0
+ else
+ _debug "Go to next level of $_domain"
+ fi
+ else
+ _debug "Go to next level of $_domain"
+ fi
+ i=$(_math "$i" + 1)
+ done
+
+ return 1
+}
+
+_porkbun_rest() {
+ m=$1
+ ep="$2"
+ data="$3"
+ _debug "$ep"
+
+ api_key_trimmed=$(echo "$PORKBUN_API_KEY" | tr -d '"')
+ secret_api_key_trimmed=$(echo "$PORKBUN_SECRET_API_KEY" | tr -d '"')
+
+ test -z "$data" && data="{" || data="$(echo $data | cut -d'}' -f1),"
+ data="$data\"apikey\":\"$api_key_trimmed\",\"secretapikey\":\"$secret_api_key_trimmed\"}"
+
+ export _H1="Content-Type: application/json"
+
+ if [ "$m" != "GET" ]; then
+ _debug data "$data"
+ response="$(_post "$data" "$PORKBUN_Api/$ep" "" "$m")"
+ else
+ response="$(_get "$PORKBUN_Api/$ep")"
+ fi
+
+ _sleep 3 # prevent rate limit
+
+ if [ "$?" != "0" ]; then
+ _err "error $ep"
+ return 1
+ fi
+ _debug2 response "$response"
+ return 0
+}
--- /dev/null
+#!/usr/bin/env sh
+
+# Provider: RackCorp (www.rackcorp.com)
+# Author: Stephen Dendtler (sdendtler@rackcorp.com)
+# Report Bugs here: https://github.com/senjoo/acme.sh
+# Alternate email contact: support@rackcorp.com
+#
+# You'll need an API key (Portal: ADMINISTRATION -> API)
+# Set the environment variables as below:
+#
+# export RACKCORP_APIUUID="UUIDHERE"
+# export RACKCORP_APISECRET="SECRETHERE"
+#
+
+RACKCORP_API_ENDPOINT="https://api.rackcorp.net/api/rest/v2.4/json.php"
+
+######## Public functions #####################
+
+dns_rackcorp_add() {
+ fulldomain="$1"
+ txtvalue="$2"
+
+ _debug fulldomain="$fulldomain"
+ _debug txtvalue="$txtvalue"
+
+ if ! _rackcorp_validate; then
+ return 1
+ fi
+
+ _debug "Searching for root zone"
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _lookup "$_lookup"
+ _debug _domain "$_domain"
+
+ _info "Creating TXT record."
+
+ if ! _rackcorp_api dns.record.create "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\",\"ttl\":300"; then
+ return 1
+ fi
+
+ return 0
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_rackcorp_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug fulldomain="$fulldomain"
+ _debug txtvalue="$txtvalue"
+
+ if ! _rackcorp_validate; then
+ return 1
+ fi
+
+ _debug "Searching for root zone"
+ if ! _get_root "$fulldomain"; then
+ return 1
+ fi
+ _debug _lookup "$_lookup"
+ _debug _domain "$_domain"
+
+ _info "Creating TXT record."
+
+ if ! _rackcorp_api dns.record.delete "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\""; then
+ return 1
+ fi
+
+ return 0
+}
+
+#################### Private functions below ##################################
+#_acme-challenge.domain.com
+#returns
+# _lookup=_acme-challenge
+# _domain=domain.com
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+ if ! _rackcorp_api dns.domain.getall "\"name\":\"$domain\""; then
+ return 1
+ fi
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug searchhost "$h"
+ if [ -z "$h" ]; then
+ _err "Could not find domain for record $domain in RackCorp using the provided credentials"
+ #not valid
+ return 1
+ fi
+
+ _rackcorp_api dns.domain.getall "\"exactName\":\"$h\""
+
+ if _contains "$response" "\"matches\":1"; then
+ if _contains "$response" "\"name\":\"$h\""; then
+ _lookup=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain="$h"
+ return 0
+ fi
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+
+ return 1
+}
+
+_rackcorp_validate() {
+ RACKCORP_APIUUID="${RACKCORP_APIUUID:-$(_readaccountconf_mutable RACKCORP_APIUUID)}"
+ if [ -z "$RACKCORP_APIUUID" ]; then
+ RACKCORP_APIUUID=""
+ _err "You require a RackCorp API UUID (export RACKCORP_APIUUID=\"<api uuid>\")"
+ _err "Please login to the portal and create an API key and try again."
+ return 1
+ fi
+
+ _saveaccountconf_mutable RACKCORP_APIUUID "$RACKCORP_APIUUID"
+
+ RACKCORP_APISECRET="${RACKCORP_APISECRET:-$(_readaccountconf_mutable RACKCORP_APISECRET)}"
+ if [ -z "$RACKCORP_APISECRET" ]; then
+ RACKCORP_APISECRET=""
+ _err "You require a RackCorp API secret (export RACKCORP_APISECRET=\"<api secret>\")"
+ _err "Please login to the portal and create an API key and try again."
+ return 1
+ fi
+
+ _saveaccountconf_mutable RACKCORP_APISECRET "$RACKCORP_APISECRET"
+
+ return 0
+}
+_rackcorp_api() {
+ _rackcorpcmd=$1
+ _rackcorpinputdata=$2
+ _debug cmd "$_rackcorpcmd $_rackcorpinputdata"
+
+ export _H1="Accept: application/json"
+ response="$(_post "{\"APIUUID\":\"$RACKCORP_APIUUID\",\"APISECRET\":\"$RACKCORP_APISECRET\",\"cmd\":\"$_rackcorpcmd\",$_rackcorpinputdata}" "$RACKCORP_API_ENDPOINT" "" "POST")"
+
+ if [ "$?" != "0" ]; then
+ _err "error $response"
+ return 1
+ fi
+ _debug2 response "$response"
+ if _contains "$response" "\"code\":\"OK\""; then
+ _debug code "OK"
+ else
+ _debug code "FAILED"
+ response=""
+ return 1
+ fi
+ return 0
+}
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
- if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
- if printf -- "%s" "$response" | grep "ok" >/dev/null; then
- _info "Added, OK"
- return 0
- else
- _err "add txt record error."
- return 1
+ # check whether a txt record already exists for the subdomain
+ if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then
+ _info "A txt record with the same name already exists."
+ # trim the string on the left
+ txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"}
+ # trim the string on the right
+ txtvalue_old=${txtvalue_old%%\"*}
+
+ _debug txtvalue_old "$txtvalue_old"
+
+ _info "Add the new txtvalue to the existing txt record."
+ if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":[\"$txtvalue\",\"$txtvalue_old\"],\"ttl\":20}"; then
+ if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+ _info "Added additional txtvalue, OK"
+ return 0
+ else
+ _err "add txt record error."
+ return 1
+ fi
fi
+ _err "add txt record error."
+ return 1
+ else
+ _info "There is no txt record with the name yet."
+ if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
+ if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+ _info "Added, OK"
+ return 0
+ else
+ _err "add txt record error."
+ return 1
+ fi
+ fi
+ _err "add txt record error."
+ return 1
fi
- _err "add txt record error."
return 1
}
#SIMPLY_ApiKey="apikey"
#
#SIMPLY_Api="https://api.simply.com/1/[ACCOUNTNAME]/[APIKEY]"
-
SIMPLY_Api_Default="https://api.simply.com/1"
+#This is used for determining success of REST call
+SIMPLY_SUCCESS_CODE='"status": 200'
+
######## Public functions #####################
#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_simply_add() {
return 1
fi
- if _contains "$response" '"code":"NOT_FOUND"'; then
+ if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
_debug "$h not found"
else
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
return 1
fi
+ if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+ _err "Call to API not sucessfull, see below message for more details"
+ _err "$response"
+ return 1
+ fi
+
return 0
}
return 1
fi
+ if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+ _err "Call to API not sucessfull, see below message for more details"
+ _err "$response"
+ return 1
+ fi
+
return 0
}
--- /dev/null
+#!/usr/bin/env sh
+
+# Acme.sh DNS API wrapper for websupport.sk
+#
+# Original author: trgo.sk (https://github.com/trgosk)
+# Tweaks by: akulumbeg (https://github.com/akulumbeg)
+# Report Bugs here: https://github.com/akulumbeg/acme.sh
+
+# Requirements: API Key and Secret from https://admin.websupport.sk/en/auth/apiKey
+#
+# WS_ApiKey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+# (called "Identifier" in the WS Admin)
+#
+# WS_ApiSecret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# (called "Secret key" in the WS Admin)
+
+WS_Api="https://rest.websupport.sk"
+
+######## Public functions #####################
+
+dns_websupport_add() {
+ fulldomain=$1
+ txtvalue=$2
+
+ WS_ApiKey="${WS_ApiKey:-$(_readaccountconf_mutable WS_ApiKey)}"
+ WS_ApiSecret="${WS_ApiSecret:-$(_readaccountconf_mutable WS_ApiSecret)}"
+
+ if [ "$WS_ApiKey" ] && [ "$WS_ApiSecret" ]; then
+ _saveaccountconf_mutable WS_ApiKey "$WS_ApiKey"
+ _saveaccountconf_mutable WS_ApiSecret "$WS_ApiSecret"
+ else
+ WS_ApiKey=""
+ WS_ApiSecret=""
+ _err "You did not specify the API Key and/or API Secret"
+ _err "You can get the API login credentials from https://admin.websupport.sk/en/auth/apiKey"
+ return 1
+ fi
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+ # we can not use updating anymore.
+ # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+ # _debug count "$count"
+ # if [ "$count" = "0" ]; then
+ _info "Adding record"
+ if _ws_rest POST "/v1/user/self/zone/$_domain/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
+ if _contains "$response" "$txtvalue"; then
+ _info "Added, OK"
+ return 0
+ elif _contains "$response" "The record already exists"; then
+ _info "Already exists, OK"
+ return 0
+ else
+ _err "Add txt record error."
+ return 1
+ fi
+ fi
+ _err "Add txt record error."
+ return 1
+
+}
+
+dns_websupport_rm() {
+ fulldomain=$1
+ txtvalue=$2
+
+ _debug2 fulldomain "$fulldomain"
+ _debug2 txtvalue "$txtvalue"
+
+ _debug "First detect the root zone"
+ if ! _get_root "$fulldomain"; then
+ _err "invalid domain"
+ return 1
+ fi
+
+ _debug _sub_domain "$_sub_domain"
+ _debug _domain "$_domain"
+
+ _debug "Getting txt records"
+ _ws_rest GET "/v1/user/self/zone/$_domain/record"
+
+ if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"items\")" -lt "1" ]; then
+ _err "Error: $response"
+ return 1
+ fi
+
+ record_line="$(_get_from_array "$response" "$txtvalue")"
+ _debug record_line "$record_line"
+ if [ -z "$record_line" ]; then
+ _info "Don't need to remove."
+ else
+ record_id=$(echo "$record_line" | _egrep_o "\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
+ _debug "record_id" "$record_id"
+ if [ -z "$record_id" ]; then
+ _err "Can not get record id to remove."
+ return 1
+ fi
+ if ! _ws_rest DELETE "/v1/user/self/zone/$_domain/record/$record_id"; then
+ _err "Delete record error."
+ return 1
+ fi
+ if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"success\")" -lt "1" ]; then
+ return 1
+ else
+ return 0
+ fi
+ fi
+
+}
+
+#################### Private Functions ##################################
+
+_get_root() {
+ domain=$1
+ i=1
+ p=1
+
+ while true; do
+ h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+ _debug h "$h"
+ if [ -z "$h" ]; then
+ #not valid
+ return 1
+ fi
+
+ if ! _ws_rest GET "/v1/user/self/zone"; then
+ return 1
+ fi
+
+ if _contains "$response" "\"name\":\"$h\""; then
+ _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=$h
+ return 0
+ fi
+ return 1
+ fi
+ p=$i
+ i=$(_math "$i" + 1)
+ done
+ return 1
+}
+
+_ws_rest() {
+ me=$1
+ pa="$2"
+ da="$3"
+
+ _debug2 api_key "$WS_ApiKey"
+ _debug2 api_secret "$WS_ApiSecret"
+
+ timestamp=$(_time)
+ datez="$(_utc_date | sed "s/ /T/" | sed "s/$/+0000/")"
+ canonical_request="${me} ${pa} ${timestamp}"
+ signature_hash=$(printf "%s" "$canonical_request" | _hmac sha1 "$(printf "%s" "$WS_ApiSecret" | _hex_dump | tr -d " ")" hex)
+ basicauth="$(printf "%s:%s" "$WS_ApiKey" "$signature_hash" | _base64)"
+
+ _debug2 method "$me"
+ _debug2 path "$pa"
+ _debug2 data "$da"
+ _debug2 timestamp "$timestamp"
+ _debug2 datez "$datez"
+ _debug2 canonical_request "$canonical_request"
+ _debug2 signature_hash "$signature_hash"
+ _debug2 basicauth "$basicauth"
+
+ export _H1="Accept: application/json"
+ export _H2="Content-Type: application/json"
+ export _H3="Authorization: Basic ${basicauth}"
+ export _H4="Date: ${datez}"
+
+ _debug2 H1 "$_H1"
+ _debug2 H2 "$_H2"
+ _debug2 H3 "$_H3"
+ _debug2 H4 "$_H4"
+
+ if [ "$me" != "GET" ]; then
+ _debug2 "${me} $WS_Api${pa}"
+ _debug data "$da"
+ response="$(_post "$da" "${WS_Api}${pa}" "" "$me")"
+ else
+ _debug2 "GET $WS_Api${pa}"
+ response="$(_get "$WS_Api${pa}")"
+ fi
+
+ _debug2 response "$response"
+ return "$?"
+}
+
+_get_from_array() {
+ va="$1"
+ fi="$2"
+ for i in $(echo "$va" | sed "s/{/ /g"); do
+ if _contains "$i" "$fi"; then
+ echo "$i"
+ break
+ fi
+ done
+}
_mail_bin() {
_MAIL_BIN=""
- for b in "$MAIL_BIN" sendmail ssmtp mutt mail msmtp; do
+ for b in $MAIL_BIN sendmail ssmtp mutt mail msmtp; do
if _exists "$b"; then
_MAIL_BIN="$b"
break
# support smtp
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3358
+
+# This implementation uses either curl or Python (3 or 2.7).
+# (See also the "mail" notify hook, which supports other ways to send mail.)
+
+# SMTP_FROM="from@example.com" # required
+# SMTP_TO="to@example.com" # required
+# SMTP_HOST="smtp.example.com" # required
+# SMTP_PORT="25" # defaults to 25, 465 or 587 depending on SMTP_SECURE
+# SMTP_SECURE="tls" # one of "none", "ssl" (implicit TLS, TLS Wrapper), "tls" (explicit TLS, STARTTLS)
+# SMTP_USERNAME="" # set if SMTP server requires login
+# SMTP_PASSWORD="" # set if SMTP server requires login
+# SMTP_TIMEOUT="30" # seconds for SMTP operations to timeout
+# SMTP_BIN="/path/to/python_or_curl" # default finds first of python3, python2.7, python, pypy3, pypy, curl on PATH
+
+SMTP_SECURE_DEFAULT="tls"
+SMTP_TIMEOUT_DEFAULT="30"
+
+# subject content statuscode
smtp_send() {
- _subject="$1"
- _content="$2"
- _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
- _debug "_subject" "$_subject"
- _debug "_content" "$_content"
- _debug "_statusCode" "$_statusCode"
-
- _err "Not implemented yet."
- return 1
+ SMTP_SUBJECT="$1"
+ SMTP_CONTENT="$2"
+ # UNUSED: _statusCode="$3" # 0: success, 1: error 2($RENEW_SKIP): skipped
+
+ # Load and validate config:
+ SMTP_BIN="$(_readaccountconf_mutable_default SMTP_BIN)"
+ if [ -n "$SMTP_BIN" ] && ! _exists "$SMTP_BIN"; then
+ _err "SMTP_BIN '$SMTP_BIN' does not exist."
+ return 1
+ fi
+ if [ -z "$SMTP_BIN" ]; then
+ # Look for a command that can communicate with an SMTP server.
+ # (Please don't add sendmail, ssmtp, mutt, mail, or msmtp here.
+ # Those are already handled by the "mail" notify hook.)
+ for cmd in python3 python2.7 python pypy3 pypy curl; do
+ if _exists "$cmd"; then
+ SMTP_BIN="$cmd"
+ break
+ fi
+ done
+ if [ -z "$SMTP_BIN" ]; then
+ _err "The smtp notify-hook requires curl or Python, but can't find any."
+ _err 'If you have one of them, define SMTP_BIN="/path/to/curl_or_python".'
+ _err 'Otherwise, see if you can use the "mail" notify-hook instead.'
+ return 1
+ fi
+ fi
+ _debug SMTP_BIN "$SMTP_BIN"
+ _saveaccountconf_mutable_default SMTP_BIN "$SMTP_BIN"
+
+ SMTP_FROM="$(_readaccountconf_mutable_default SMTP_FROM)"
+ SMTP_FROM="$(_clean_email_header "$SMTP_FROM")"
+ if [ -z "$SMTP_FROM" ]; then
+ _err "You must define SMTP_FROM as the sender email address."
+ return 1
+ fi
+ if _email_has_display_name "$SMTP_FROM"; then
+ _err "SMTP_FROM must be only a simple email address (sender@example.com)."
+ _err "Change your SMTP_FROM='$SMTP_FROM' to remove the display name."
+ return 1
+ fi
+ _debug SMTP_FROM "$SMTP_FROM"
+ _saveaccountconf_mutable_default SMTP_FROM "$SMTP_FROM"
+
+ SMTP_TO="$(_readaccountconf_mutable_default SMTP_TO)"
+ SMTP_TO="$(_clean_email_header "$SMTP_TO")"
+ if [ -z "$SMTP_TO" ]; then
+ _err "You must define SMTP_TO as the recipient email address(es)."
+ return 1
+ fi
+ if _email_has_display_name "$SMTP_TO"; then
+ _err "SMTP_TO must be only simple email addresses (to@example.com,to2@example.com)."
+ _err "Change your SMTP_TO='$SMTP_TO' to remove the display name(s)."
+ return 1
+ fi
+ _debug SMTP_TO "$SMTP_TO"
+ _saveaccountconf_mutable_default SMTP_TO "$SMTP_TO"
+
+ SMTP_HOST="$(_readaccountconf_mutable_default SMTP_HOST)"
+ if [ -z "$SMTP_HOST" ]; then
+ _err "You must define SMTP_HOST as the SMTP server hostname."
+ return 1
+ fi
+ _debug SMTP_HOST "$SMTP_HOST"
+ _saveaccountconf_mutable_default SMTP_HOST "$SMTP_HOST"
+
+ SMTP_SECURE="$(_readaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE_DEFAULT")"
+ case "$SMTP_SECURE" in
+ "none") smtp_port_default="25" ;;
+ "ssl") smtp_port_default="465" ;;
+ "tls") smtp_port_default="587" ;;
+ *)
+ _err "Invalid SMTP_SECURE='$SMTP_SECURE'. It must be 'ssl', 'tls' or 'none'."
+ return 1
+ ;;
+ esac
+ _debug SMTP_SECURE "$SMTP_SECURE"
+ _saveaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE" "$SMTP_SECURE_DEFAULT"
+
+ SMTP_PORT="$(_readaccountconf_mutable_default SMTP_PORT "$smtp_port_default")"
+ case "$SMTP_PORT" in
+ *[!0-9]*)
+ _err "Invalid SMTP_PORT='$SMTP_PORT'. It must be a port number."
+ return 1
+ ;;
+ esac
+ _debug SMTP_PORT "$SMTP_PORT"
+ _saveaccountconf_mutable_default SMTP_PORT "$SMTP_PORT" "$smtp_port_default"
+
+ SMTP_USERNAME="$(_readaccountconf_mutable_default SMTP_USERNAME)"
+ _debug SMTP_USERNAME "$SMTP_USERNAME"
+ _saveaccountconf_mutable_default SMTP_USERNAME "$SMTP_USERNAME"
+
+ SMTP_PASSWORD="$(_readaccountconf_mutable_default SMTP_PASSWORD)"
+ _secure_debug SMTP_PASSWORD "$SMTP_PASSWORD"
+ _saveaccountconf_mutable_default SMTP_PASSWORD "$SMTP_PASSWORD"
+
+ SMTP_TIMEOUT="$(_readaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT_DEFAULT")"
+ _debug SMTP_TIMEOUT "$SMTP_TIMEOUT"
+ _saveaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT" "$SMTP_TIMEOUT_DEFAULT"
+
+ SMTP_X_MAILER="$(_clean_email_header "$PROJECT_NAME $VER --notify-hook smtp")"
+
+ # Run with --debug 2 (or above) to echo the transcript of the SMTP session.
+ # Careful: this may include SMTP_PASSWORD in plaintext!
+ if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
+ SMTP_SHOW_TRANSCRIPT="True"
+ else
+ SMTP_SHOW_TRANSCRIPT=""
+ fi
+
+ SMTP_SUBJECT=$(_clean_email_header "$SMTP_SUBJECT")
+ _debug SMTP_SUBJECT "$SMTP_SUBJECT"
+ _debug SMTP_CONTENT "$SMTP_CONTENT"
+
+ # Send the message:
+ case "$(basename "$SMTP_BIN")" in
+ curl) _smtp_send=_smtp_send_curl ;;
+ py*) _smtp_send=_smtp_send_python ;;
+ *)
+ _err "Can't figure out how to invoke '$SMTP_BIN'."
+ _err "Check your SMTP_BIN setting."
+ return 1
+ ;;
+ esac
+
+ if ! smtp_output="$($_smtp_send)"; then
+ _err "Error sending message with $SMTP_BIN."
+ if [ -n "$smtp_output" ]; then
+ _err "$smtp_output"
+ fi
+ return 1
+ fi
+
+ return 0
+}
+
+# Strip CR and NL from text to prevent MIME header injection
+# text
+_clean_email_header() {
+ printf "%s" "$(echo "$1" | tr -d "\r\n")"
+}
+
+# Simple check for display name in an email address (< > or ")
+# email
+_email_has_display_name() {
+ _email="$1"
+ expr "$_email" : '^.*[<>"]' >/dev/null
+}
+
+##
+## curl smtp sending
+##
+
+# Send the message via curl using SMTP_* variables
+_smtp_send_curl() {
+ # Build curl args in $@
+ case "$SMTP_SECURE" in
+ none)
+ set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}"
+ ;;
+ ssl)
+ set -- --url "smtps://${SMTP_HOST}:${SMTP_PORT}"
+ ;;
+ tls)
+ set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}" --ssl-reqd
+ ;;
+ *)
+ # This will only occur if someone adds a new SMTP_SECURE option above
+ # without updating this code for it.
+ _err "Unhandled SMTP_SECURE='$SMTP_SECURE' in _smtp_send_curl"
+ _err "Please re-run with --debug and report a bug."
+ return 1
+ ;;
+ esac
+
+ set -- "$@" \
+ --upload-file - \
+ --mail-from "$SMTP_FROM" \
+ --max-time "$SMTP_TIMEOUT"
+
+ # Burst comma-separated $SMTP_TO into individual --mail-rcpt args.
+ _to="${SMTP_TO},"
+ while [ -n "$_to" ]; do
+ _rcpt="${_to%%,*}"
+ _to="${_to#*,}"
+ set -- "$@" --mail-rcpt "$_rcpt"
+ done
+
+ _smtp_login="${SMTP_USERNAME}:${SMTP_PASSWORD}"
+ if [ "$_smtp_login" != ":" ]; then
+ set -- "$@" --user "$_smtp_login"
+ fi
+
+ if [ "$SMTP_SHOW_TRANSCRIPT" = "True" ]; then
+ set -- "$@" --verbose
+ else
+ set -- "$@" --silent --show-error
+ fi
+
+ raw_message="$(_smtp_raw_message)"
+
+ _debug2 "curl command:" "$SMTP_BIN" "$*"
+ _debug2 "raw_message:\n$raw_message"
+
+ echo "$raw_message" | "$SMTP_BIN" "$@"
+}
+
+# Output an RFC-822 / RFC-5322 email message using SMTP_* variables.
+# (This assumes variables have already been cleaned for use in email headers.)
+_smtp_raw_message() {
+ echo "From: $SMTP_FROM"
+ echo "To: $SMTP_TO"
+ echo "Subject: $(_mime_encoded_word "$SMTP_SUBJECT")"
+ echo "Date: $(_rfc2822_date)"
+ echo "Content-Type: text/plain; charset=utf-8"
+ echo "X-Mailer: $SMTP_X_MAILER"
+ echo
+ echo "$SMTP_CONTENT"
+}
+
+# Convert text to RFC-2047 MIME "encoded word" format if it contains non-ASCII chars
+# text
+_mime_encoded_word() {
+ _text="$1"
+ # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that)
+ _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-"
+ if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then
+ # At least one non-ASCII char; convert entire thing to encoded word
+ printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?="
+ else
+ # Just printable ASCII, no conversion needed
+ printf "%s" "$_text"
+ fi
+}
+
+# Output current date in RFC-2822 Section 3.3 format as required in email headers
+# (e.g., "Mon, 15 Feb 2021 14:22:01 -0800")
+_rfc2822_date() {
+ # Notes:
+ # - this is deliberately not UTC, because it "SHOULD express local time" per spec
+ # - the spec requires weekday and month in the C locale (English), not localized
+ # - this date format specifier has been tested on Linux, Mac, Solaris and FreeBSD
+ _old_lc_time="$LC_TIME"
+ LC_TIME=C
+ date +'%a, %-d %b %Y %H:%M:%S %z'
+ LC_TIME="$_old_lc_time"
+}
+
+##
+## Python smtp sending
+##
+
+# Send the message via Python using SMTP_* variables
+_smtp_send_python() {
+ _debug "Python version" "$("$SMTP_BIN" --version 2>&1)"
+
+ # language=Python
+ "$SMTP_BIN" <<PYTHON
+# This code is meant to work with either Python 2.7.x or Python 3.4+.
+try:
+ try:
+ from email.message import EmailMessage
+ from email.policy import default as email_policy_default
+ except ImportError:
+ # Python 2 (or < 3.3)
+ from email.mime.text import MIMEText as EmailMessage
+ email_policy_default = None
+ from email.utils import formatdate as rfc2822_date
+ from smtplib import SMTP, SMTP_SSL, SMTPException
+ from socket import error as SocketError
+except ImportError as err:
+ print("A required Python standard package is missing. This system may have"
+ " a reduced version of Python unsuitable for sending mail: %s" % err)
+ exit(1)
+
+show_transcript = """$SMTP_SHOW_TRANSCRIPT""" == "True"
+
+smtp_host = """$SMTP_HOST"""
+smtp_port = int("""$SMTP_PORT""")
+smtp_secure = """$SMTP_SECURE"""
+username = """$SMTP_USERNAME"""
+password = """$SMTP_PASSWORD"""
+timeout=int("""$SMTP_TIMEOUT""") # seconds
+x_mailer="""$SMTP_X_MAILER"""
+
+from_email="""$SMTP_FROM"""
+to_emails="""$SMTP_TO""" # can be comma-separated
+subject="""$SMTP_SUBJECT"""
+content="""$SMTP_CONTENT"""
+
+try:
+ msg = EmailMessage(policy=email_policy_default)
+ msg.set_content(content)
+except (AttributeError, TypeError):
+ # Python 2 MIMEText
+ msg = EmailMessage(content)
+msg["Subject"] = subject
+msg["From"] = from_email
+msg["To"] = to_emails
+msg["Date"] = rfc2822_date(localtime=True)
+msg["X-Mailer"] = x_mailer
+
+smtp = None
+try:
+ if smtp_secure == "ssl":
+ smtp = SMTP_SSL(smtp_host, smtp_port, timeout=timeout)
+ else:
+ smtp = SMTP(smtp_host, smtp_port, timeout=timeout)
+ smtp.set_debuglevel(show_transcript)
+ if smtp_secure == "tls":
+ smtp.starttls()
+ if username or password:
+ smtp.login(username, password)
+ smtp.sendmail(msg["From"], msg["To"].split(","), msg.as_string())
+
+except SMTPException as err:
+ # Output just the error (skip the Python stack trace) for SMTP errors
+ print("Error sending: %r" % err)
+ exit(1)
+
+except SocketError as err:
+ print("Error connecting to %s:%d: %r" % (smtp_host, smtp_port, err))
+ exit(1)
+
+finally:
+ if smtp is not None:
+ smtp.quit()
+PYTHON
+}
+
+##
+## Conf helpers
+##
+
+#_readaccountconf_mutable_default name default_value
+# Given a name like MY_CONF:
+# - if MY_CONF is set and non-empty, output $MY_CONF
+# - if MY_CONF is set _empty_, output $default_value
+# (lets user `export MY_CONF=` to clear previous saved value
+# and return to default, without user having to know default)
+# - otherwise if _readaccountconf_mutable MY_CONF is non-empty, return that
+# (value of SAVED_MY_CONF from account.conf)
+# - otherwise output $default_value
+_readaccountconf_mutable_default() {
+ _name="$1"
+ _default_value="$2"
+
+ eval "_value=\"\$$_name\""
+ eval "_name_is_set=\"\${${_name}+true}\""
+ # ($_name_is_set is "true" if $$_name is set to anything, including empty)
+ if [ -z "${_value}" ] && [ "${_name_is_set:-}" != "true" ]; then
+ _value="$(_readaccountconf_mutable "$_name")"
+ fi
+ if [ -z "${_value}" ]; then
+ _value="$_default_value"
+ fi
+ printf "%s" "$_value"
+}
+
+#_saveaccountconf_mutable_default name value default_value base64encode
+# Like _saveaccountconf_mutable, but if value is default_value
+# then _clearaccountconf_mutable instead
+_saveaccountconf_mutable_default() {
+ _name="$1"
+ _value="$2"
+ _default_value="$3"
+ _base64encode="$4"
+
+ if [ "$_value" != "$_default_value" ]; then
+ _saveaccountconf_mutable "$_name" "$_value" "$_base64encode"
+ else
+ _clearaccountconf_mutable "$_name"
+ fi
}
--- /dev/null
+#!/usr/bin/env sh
+
+#Support Telegram Bots
+
+#TELEGRAM_BOT_APITOKEN=""
+#TELEGRAM_BOT_CHATID=""
+
+telegram_send() {
+ _subject="$1"
+ _content="$2"
+ _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+ _debug "_statusCode" "$_statusCode"
+
+ TELEGRAM_BOT_APITOKEN="${TELEGRAM_BOT_APITOKEN:-$(_readaccountconf_mutable TELEGRAM_BOT_APITOKEN)}"
+ if [ -z "$TELEGRAM_BOT_APITOKEN" ]; then
+ TELEGRAM_BOT_APITOKEN=""
+ _err "You didn't specify a Telegram BOT API Token TELEGRAM_BOT_APITOKEN yet."
+ return 1
+ fi
+ _saveaccountconf_mutable TELEGRAM_BOT_APITOKEN "$TELEGRAM_BOT_APITOKEN"
+
+ TELEGRAM_BOT_CHATID="${TELEGRAM_BOT_CHATID:-$(_readaccountconf_mutable TELEGRAM_BOT_CHATID)}"
+ if [ -z "$TELEGRAM_BOT_CHATID" ]; then
+ TELEGRAM_BOT_CHATID=""
+ _err "You didn't specify a Telegram Chat id TELEGRAM_BOT_CHATID yet."
+ return 1
+ fi
+ _saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
+
+ _content="$(printf "%s" "$_content" | sed -e 's/*/\\\\*/')"
+ _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
+ _data="{\"text\": \"$_content\", "
+ _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", "
+ _data="$_data\"parse_mode\": \"markdown\", "
+ _data="$_data\"disable_web_page_preview\": \"1\"}"
+
+ _debug "$_data"
+
+ export _H1="Content-Type: application/json"
+ _telegram_bot_url="https://api.telegram.org/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
+ if _post "$_data" "$_telegram_bot_url" >/dev/null; then
+ # shellcheck disable=SC2154
+ _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p')
+ if [ "$_message" = "true" ]; then
+ _info "telegram send success."
+ return 0
+ fi
+ fi
+ _err "telegram send error."
+ _err "$response"
+ return 1
+}