]> git.proxmox.com Git - mirror_acme.sh.git/blame - acme.sh
projects / mirror_acme.sh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fix https://github.com/Neilpang/acme.sh/issues/1322
[mirror_acme.sh.git] / acme.sh
CommitLineData
0a7c9364 1#!/usr/bin/env sh
bfdf1f48 2
da0bd5a9 3VER=2.7.7
a7b7355d 4
6cc11ffb 5PROJECT_NAME="acme.sh"
a7b7355d 6
6cc11ffb 7PROJECT_ENTRY="acme.sh"
8
9PROJECT="https://github.com/Neilpang/$PROJECT_NAME"
4c3b3608 10
f3e4cea3 11DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
12_SCRIPT_="$0"
13
a61fe418 14_SUB_FOLDERS="dnsapi deploy"
f3e4cea3 15
c1151b0d 16LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
17LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
18
19LETSENCRYPT_CA_V2="https://acme-v02.api.letsencrypt.org/directory"
20LETSENCRYPT_STAGING_CA_V2="https://acme-staging-v02.api.letsencrypt.org/directory"
21
22DEFAULT_CA=$LETSENCRYPT_CA_V1
23DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V1
f87890cb 24
07af4247 25DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
d0871bda 26DEFAULT_ACCOUNT_EMAIL=""
bbbdcb09 27
57e58ce7 28DEFAULT_ACCOUNT_KEY_LENGTH=2048
29DEFAULT_DOMAIN_KEY_LENGTH=2048
30
a746139c 31DEFAULT_OPENSSL_BIN="openssl"
32
c1151b0d 33_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org"
4a2ac7bd 34_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org"
4c3b3608 35
36VTYPE_HTTP="http-01"
37VTYPE_DNS="dns-01"
e22bcf7c 38VTYPE_TLS="tls-sni-01"
c1151b0d 39VTYPE_TLS2="tls-sni-02"
e22bcf7c 40
0463b5d6 41LOCAL_ANY_ADDRESS="0.0.0.0"
42
656bd330 43MAX_RENEW=60
523c7682 44
4a4dacb5 45DEFAULT_DNS_SLEEP=120
46
3f4513b3 47NO_VALUE="no"
48
e22bcf7c 49W_TLS="tls"
64821ad4 50DNS_ALIAS_PREFIX="="
4c3b3608 51
0e44f587 52MODE_STATELESS="stateless"
53
ec603bee 54STATE_VERIFIED="verified_ok"
55
9d725af6 56NGINX="nginx:"
03f8d6e9 57NGINX_START="#ACME_NGINX_START"
58NGINX_END="#ACME_NGINX_END"
9d725af6 59
88fab7d6 60BEGIN_CSR="-----BEGIN CERTIFICATE REQUEST-----"
61END_CSR="-----END CERTIFICATE REQUEST-----"
62
63BEGIN_CERT="-----BEGIN CERTIFICATE-----"
64END_CERT="-----END CERTIFICATE-----"
65
45e386b2 66CONTENT_TYPE_JSON="application/jose+json"
cc179731 67RENEW_SKIP=2
68
43822d37 69ECC_SEP="_"
70ECC_SUFFIX="${ECC_SEP}ecc"
71
a73c5b33 72LOG_LEVEL_1=1
73LOG_LEVEL_2=2
74LOG_LEVEL_3=3
75DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
76
fc6cf4d9 77DEBUG_LEVEL_1=1
78DEBUG_LEVEL_2=2
79DEBUG_LEVEL_3=3
80DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
81DEBUG_LEVEL_NONE=0
82
e6e85b0c 83HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
84
e2edf208 85SYSLOG_ERROR="user.error"
fc6cf4d9 86SYSLOG_INFO="user.info"
e2edf208 87SYSLOG_DEBUG="user.debug"
88
fc6cf4d9 89#error
113089be 90SYSLOG_LEVEL_ERROR=3
fc6cf4d9 91#info
113089be 92SYSLOG_LEVEL_INFO=6
fc6cf4d9 93#debug
113089be 94SYSLOG_LEVEL_DEBUG=7
fc6cf4d9 95#debug2
113089be 96SYSLOG_LEVEL_DEBUG_2=8
fc6cf4d9 97#debug3
113089be 98SYSLOG_LEVEL_DEBUG_3=9
fc6cf4d9 99
113089be 100SYSLOG_LEVEL_DEFAULT=$SYSLOG_LEVEL_ERROR
fc6cf4d9 101#none
102SYSLOG_LEVEL_NONE=0
103
a73c5b33 104_DEBUG_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh"
4c3b3608 105
562a4c05 106_PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
107
0e44f587 108_STATELESS_WIKI="https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode"
109
875625b1 110_DNS_ALIAS_WIKI="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode"
111
309bec47 112_DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
113
114_DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
115
08ee072f 116__INTERACTIVE=""
4c2a3841 117if [ -t 1 ]; then
08ee072f 118 __INTERACTIVE="1"
119fi
00a50605 120
43822d37 121__green() {
08b4e1a7 122 if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
2d12b689 123 printf '\033[1;31;32m'
124 fi
3576754c 125 printf -- "%b" "$1"
08b4e1a7 126 if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
2d12b689 127 printf '\033[0m'
128 fi
43822d37 129}
130
131__red() {
08b4e1a7 132 if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
2d12b689 133 printf '\033[1;31;40m'
134 fi
3576754c 135 printf -- "%b" "$1"
08b4e1a7 136 if [ "$__INTERACTIVE${ACME_NO_COLOR}" = "1" ]; then
2d12b689 137 printf '\033[0m'
138 fi
43822d37 139}
00a50605 140
a73c5b33 141_printargs() {
569d6c55 142 if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
143 printf -- "%s" "[$(date)] "
144 fi
4c2a3841 145 if [ -z "$2" ]; then
569d6c55 146 printf -- "%s" "$1"
43822d37 147 else
569d6c55 148 printf -- "%s" "$1='$2'"
43822d37 149 fi
a73c5b33 150 printf "\n"
43822d37 151}
152
9d548d81 153_dlg_versions() {
154 echo "Diagnosis versions: "
851fedf7 155 echo "openssl:$ACME_OPENSSL_BIN"
d8ba26e6 156 if _exists "${ACME_OPENSSL_BIN:-openssl}"; then
157 ${ACME_OPENSSL_BIN:-openssl} version 2>&1
9d548d81 158 else
851fedf7 159 echo "$ACME_OPENSSL_BIN doesn't exists."
9d548d81 160 fi
4c2a3841 161
9d548d81 162 echo "apache:"
4c2a3841 163 if [ "$_APACHECTL" ] && _exists "$_APACHECTL"; then
e735d8d4 164 $_APACHECTL -V 2>&1
9d548d81 165 else
166 echo "apache doesn't exists."
167 fi
4c2a3841 168
326c386b 169 echo "nginx:"
170 if _exists "nginx"; then
171 nginx -V 2>&1
172 else
173 echo "nginx doesn't exists."
174 fi
175
3794b5cb 176 echo "socat:"
177 if _exists "socat"; then
178 socat -h 2>&1
9d548d81 179 else
3794b5cb 180 _debug "socat doesn't exists."
9d548d81 181 fi
182}
43822d37 183
e2edf208 184#class
185_syslog() {
fc6cf4d9 186 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" = "$SYSLOG_LEVEL_NONE" ]; then
e2edf208 187 return
188 fi
189 _logclass="$1"
190 shift
5b3e3d9c 191 if [ -z "$__logger_i" ]; then
192 if _contains "$(logger --help 2>&1)" "-i"; then
193 __logger_i="logger -i"
194 else
195 __logger_i="logger"
196 fi
197 fi
198 $__logger_i -t "$PROJECT_NAME" -p "$_logclass" "$(_printargs "$@")" >/dev/null 2>&1
e2edf208 199}
200
a73c5b33 201_log() {
202 [ -z "$LOG_FILE" ] && return
95e06de5 203 _printargs "$@" >>"$LOG_FILE"
a73c5b33 204}
205
206_info() {
fc6cf4d9 207 _log "$@"
113089be 208 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_INFO" ]; then
fc6cf4d9 209 _syslog "$SYSLOG_INFO" "$@"
210 fi
a73c5b33 211 _printargs "$@"
4c3b3608 212}
213
214_err() {
fc6cf4d9 215 _syslog "$SYSLOG_ERROR" "$@"
216 _log "$@"
569d6c55 217 if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then
218 printf -- "%s" "[$(date)] " >&2
219 fi
4c2a3841 220 if [ -z "$2" ]; then
65de3110 221 __red "$1" >&2
222 else
223 __red "$1='$2'" >&2
224 fi
b19ba13a 225 printf "\n" >&2
4c3b3608 226 return 1
227}
228
43822d37 229_usage() {
4c2a3841 230 __red "$@" >&2
65de3110 231 printf "\n" >&2
43822d37 232}
233
c60883ef 234_debug() {
fc6cf4d9 235 if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
236 _log "$@"
a73c5b33 237 fi
113089be 238 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then
fc6cf4d9 239 _syslog "$SYSLOG_DEBUG" "$@"
240 fi
241 if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
242 _printargs "$@" >&2
c60883ef 243 fi
c60883ef 244}
245
e6e85b0c 246#output the sensitive messages
247_secure_debug() {
248 if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
249 if [ "$OUTPUT_INSECURE" = "1" ]; then
250 _log "$@"
251 else
252 _log "$1" "$HIDDEN_VALUE"
253 fi
254 fi
255 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then
256 _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
257 fi
258 if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
259 if [ "$OUTPUT_INSECURE" = "1" ]; then
260 _printargs "$@" >&2
261 else
262 _printargs "$1" "$HIDDEN_VALUE" >&2
263 fi
264 fi
265}
266
a63b05a9 267_debug2() {
fc6cf4d9 268 if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then
269 _log "$@"
a73c5b33 270 fi
113089be 271 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then
fc6cf4d9 272 _syslog "$SYSLOG_DEBUG" "$@"
273 fi
274 if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
e2edf208 275 _printargs "$@" >&2
a63b05a9 276 fi
a63b05a9 277}
278
e6e85b0c 279_secure_debug2() {
280 if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then
281 if [ "$OUTPUT_INSECURE" = "1" ]; then
282 _log "$@"
283 else
284 _log "$1" "$HIDDEN_VALUE"
285 fi
286 fi
287 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then
288 _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
289 fi
290 if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
291 if [ "$OUTPUT_INSECURE" = "1" ]; then
292 _printargs "$@" >&2
293 else
294 _printargs "$1" "$HIDDEN_VALUE" >&2
295 fi
296 fi
297}
298
22ea4004 299_debug3() {
fc6cf4d9 300 if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then
301 _log "$@"
302 fi
113089be 303 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then
fc6cf4d9 304 _syslog "$SYSLOG_DEBUG" "$@"
a73c5b33 305 fi
fc6cf4d9 306 if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
e2edf208 307 _printargs "$@" >&2
22ea4004 308 fi
22ea4004 309}
310
e6e85b0c 311_secure_debug3() {
312 if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then
313 if [ "$OUTPUT_INSECURE" = "1" ]; then
314 _log "$@"
315 else
316 _log "$1" "$HIDDEN_VALUE"
317 fi
318 fi
319 if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then
320 _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
321 fi
322 if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
323 if [ "$OUTPUT_INSECURE" = "1" ]; then
324 _printargs "$@" >&2
325 else
326 _printargs "$1" "$HIDDEN_VALUE" >&2
327 fi
328 fi
329}
330
c4bf5eef 331_upper_case() {
332 # shellcheck disable=SC2018,SC2019
333 tr 'a-z' 'A-Z'
334}
335
336_lower_case() {
337 # shellcheck disable=SC2018,SC2019
338 tr 'A-Z' 'a-z'
339}
340
4c2a3841 341_startswith() {
dceb3aca 342 _str="$1"
343 _sub="$2"
19539575 344 echo "$_str" | grep "^$_sub" >/dev/null 2>&1
dceb3aca 345}
346
4c2a3841 347_endswith() {
43822d37 348 _str="$1"
349 _sub="$2"
350 echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1
351}
352
4c2a3841 353_contains() {
dceb3aca 354 _str="$1"
355 _sub="$2"
43822d37 356 echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
dceb3aca 357}
358
c53da1ef 359_hasfield() {
360 _str="$1"
361 _field="$2"
362 _sep="$3"
4c2a3841 363 if [ -z "$_field" ]; then
43822d37 364 _usage "Usage: str field [sep]"
c53da1ef 365 return 1
366 fi
4c2a3841 367
368 if [ -z "$_sep" ]; then
c53da1ef 369 _sep=","
370 fi
4c2a3841 371
6cf7be4b 372 for f in $(echo "$_str" | tr "$_sep" ' '); do
4c2a3841 373 if [ "$f" = "$_field" ]; then
0c9546cc 374 _debug2 "'$_str' contains '$_field'"
c53da1ef 375 return 0 #contains ok
376 fi
377 done
0c9546cc 378 _debug2 "'$_str' does not contain '$_field'"
3c07f57a 379 return 1 #not contains
c53da1ef 380}
381
422dd1fa 382# str index [sep]
4c2a3841 383_getfield() {
0463b5d6 384 _str="$1"
385 _findex="$2"
386 _sep="$3"
4c2a3841 387
388 if [ -z "$_findex" ]; then
0463b5d6 389 _usage "Usage: str field [sep]"
390 return 1
391 fi
4c2a3841 392
393 if [ -z "$_sep" ]; then
0463b5d6 394 _sep=","
395 fi
396
201aa244 397 _ffi="$_findex"
4c2a3841 398 while [ "$_ffi" -gt "0" ]; do
201aa244 399 _fv="$(echo "$_str" | cut -d "$_sep" -f "$_ffi")"
4c2a3841 400 if [ "$_fv" ]; then
0463b5d6 401 printf -- "%s" "$_fv"
402 return 0
403 fi
95e06de5 404 _ffi="$(_math "$_ffi" - 1)"
0463b5d6 405 done
4c2a3841 406
0463b5d6 407 printf -- "%s" "$_str"
408
409}
410
4c2a3841 411_exists() {
c60883ef 412 cmd="$1"
4c2a3841 413 if [ -z "$cmd" ]; then
43822d37 414 _usage "Usage: _exists cmd"
c60883ef 415 return 1
416 fi
82dc2244 417
418 if eval type type >/dev/null 2>&1; then
419 eval type "$cmd" >/dev/null 2>&1
420 elif command >/dev/null 2>&1; then
19539575 421 command -v "$cmd" >/dev/null 2>&1
ce4be4e9 422 else
e591d5cf 423 which "$cmd" >/dev/null 2>&1
eac18b1c 424 fi
c60883ef 425 ret="$?"
690a5e20 426 _debug3 "$cmd exists=$ret"
c60883ef 427 return $ret
428}
429
00a50605 430#a + b
4c2a3841 431_math() {
be68fbd4 432 _m_opts="$@"
433 printf "%s" "$(($_m_opts))"
00a50605 434}
435
436_h_char_2_dec() {
437 _ch=$1
438 case "${_ch}" in
4c2a3841 439 a | A)
19539575 440 printf "10"
4c2a3841 441 ;;
442 b | B)
19539575 443 printf "11"
4c2a3841 444 ;;
445 c | C)
19539575 446 printf "12"
4c2a3841 447 ;;
448 d | D)
19539575 449 printf "13"
4c2a3841 450 ;;
451 e | E)
19539575 452 printf "14"
4c2a3841 453 ;;
454 f | F)
19539575 455 printf "15"
4c2a3841 456 ;;
00a50605 457 *)
19539575 458 printf "%s" "$_ch"
4c2a3841 459 ;;
19539575 460 esac
00a50605 461
462}
463
fac1e367 464_URGLY_PRINTF=""
4c2a3841 465if [ "$(printf '\x41')" != 'A' ]; then
fac1e367 466 _URGLY_PRINTF=1
467fi
468
f8bcfeb2 469_ESCAPE_XARGS=""
841b7627 470if _exists xargs && [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then
f8bcfeb2 471 _ESCAPE_XARGS=1
472fi
473
4c3b3608 474_h2b() {
b615cce9 475 if _exists xxd && xxd -r -p 2>/dev/null; then
b420ec6c 476 return
477 fi
478
4c3b3608 479 hex=$(cat)
fa93d68b 480 ic=""
481 jc=""
b420ec6c 482 _debug2 _URGLY_PRINTF "$_URGLY_PRINTF"
483 if [ -z "$_URGLY_PRINTF" ]; then
f8bcfeb2 484 if [ "$_ESCAPE_XARGS" ] && _exists xargs; then
fa93d68b 485 _debug2 "xargs"
ded4469e 486 echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf
fa93d68b 487 else
ded4469e 488 for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do
fa93d68b 489 if [ -z "$h" ]; then
490 break
491 fi
492 printf "\x$h%s"
493 done
494 fi
b420ec6c 495 else
ded4469e 496 for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do
fa93d68b 497 if [ -z "$ic" ]; then
498 ic=$c
499 continue
00a50605 500 fi
fa93d68b 501 jc=$c
19539575 502 ic="$(_h_char_2_dec "$ic")"
503 jc="$(_h_char_2_dec "$jc")"
e51bef6d 504 printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
fa93d68b 505 ic=""
506 jc=""
b420ec6c 507 done
508 fi
e591d5cf 509
4c3b3608 510}
511
542d7977 512_is_solaris() {
513 _contains "${__OS__:=$(uname -a)}" "solaris" || _contains "${__OS__:=$(uname -a)}" "SunOS"
514}
515
9bdb799b 516#_ascii_hex str
517#this can only process ascii chars, should only be used when od command is missing as a backup way.
518_ascii_hex() {
519 _debug2 "Using _ascii_hex"
520 _str="$1"
521 _str_len=${#_str}
522 _h_i=1
523 while [ "$_h_i" -le "$_str_len" ]; do
524 _str_c="$(printf "%s" "$_str" | cut -c "$_h_i")"
525 printf " %02x" "'$_str_c"
526 _h_i="$(_math "$_h_i" + 1)"
527 done
528}
529
542d7977 530#stdin output hexstr splited by one space
531#input:"abc"
532#output: " 61 62 63"
533_hex_dump() {
4e4a6d83 534 if _exists od; then
535 od -A n -v -t x1 | tr -s " " | sed 's/ $//' | tr -d "\r\t\n"
536 elif _exists hexdump; then
537 _debug3 "using hexdump"
538 hexdump -v -e '/1 ""' -e '/1 " %02x" ""'
539 elif _exists xxd; then
540 _debug3 "using xxd"
541 xxd -ps -c 20 -i | sed "s/ 0x/ /g" | tr -d ",\n" | tr -s " "
542 else
543 _debug3 "using _ascii_hex"
9bdb799b 544 str=$(cat)
545 _ascii_hex "$str"
546 fi
542d7977 547}
548
549#url encode, no-preserved chars
550#A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
551#41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
552
553#a b c d e f g h i j k l m n o p q r s t u v w x y z
554#61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a
555
556#0 1 2 3 4 5 6 7 8 9 - _ . ~
557#30 31 32 33 34 35 36 37 38 39 2d 5f 2e 7e
558
559#stdin stdout
560_url_encode() {
561 _hex_str=$(_hex_dump)
562 _debug3 "_url_encode"
563 _debug3 "_hex_str" "$_hex_str"
564 for _hex_code in $_hex_str; do
565 #upper case
566 case "${_hex_code}" in
c3b1eb08 567 "41")
568 printf "%s" "A"
569 ;;
570 "42")
571 printf "%s" "B"
572 ;;
573 "43")
574 printf "%s" "C"
575 ;;
576 "44")
577 printf "%s" "D"
578 ;;
579 "45")
580 printf "%s" "E"
581 ;;
582 "46")
583 printf "%s" "F"
584 ;;
585 "47")
586 printf "%s" "G"
587 ;;
588 "48")
589 printf "%s" "H"
590 ;;
591 "49")
592 printf "%s" "I"
593 ;;
594 "4a")
595 printf "%s" "J"
596 ;;
597 "4b")
598 printf "%s" "K"
599 ;;
600 "4c")
601 printf "%s" "L"
602 ;;
603 "4d")
604 printf "%s" "M"
605 ;;
606 "4e")
607 printf "%s" "N"
608 ;;
609 "4f")
610 printf "%s" "O"
611 ;;
612 "50")
613 printf "%s" "P"
614 ;;
615 "51")
616 printf "%s" "Q"
617 ;;
618 "52")
619 printf "%s" "R"
620 ;;
621 "53")
622 printf "%s" "S"
623 ;;
624 "54")
625 printf "%s" "T"
626 ;;
627 "55")
628 printf "%s" "U"
629 ;;
630 "56")
631 printf "%s" "V"
632 ;;
633 "57")
634 printf "%s" "W"
635 ;;
636 "58")
637 printf "%s" "X"
638 ;;
639 "59")
640 printf "%s" "Y"
641 ;;
642 "5a")
643 printf "%s" "Z"
644 ;;
645
646 #lower case
647 "61")
648 printf "%s" "a"
649 ;;
650 "62")
651 printf "%s" "b"
652 ;;
653 "63")
654 printf "%s" "c"
655 ;;
656 "64")
657 printf "%s" "d"
658 ;;
659 "65")
660 printf "%s" "e"
661 ;;
662 "66")
663 printf "%s" "f"
664 ;;
665 "67")
666 printf "%s" "g"
667 ;;
668 "68")
669 printf "%s" "h"
670 ;;
671 "69")
672 printf "%s" "i"
673 ;;
674 "6a")
675 printf "%s" "j"
676 ;;
677 "6b")
678 printf "%s" "k"
679 ;;
680 "6c")
681 printf "%s" "l"
682 ;;
683 "6d")
684 printf "%s" "m"
685 ;;
686 "6e")
687 printf "%s" "n"
688 ;;
689 "6f")
690 printf "%s" "o"
691 ;;
692 "70")
693 printf "%s" "p"
694 ;;
695 "71")
696 printf "%s" "q"
697 ;;
698 "72")
699 printf "%s" "r"
700 ;;
701 "73")
702 printf "%s" "s"
703 ;;
704 "74")
705 printf "%s" "t"
706 ;;
707 "75")
708 printf "%s" "u"
709 ;;
710 "76")
711 printf "%s" "v"
712 ;;
713 "77")
714 printf "%s" "w"
715 ;;
716 "78")
717 printf "%s" "x"
718 ;;
719 "79")
720 printf "%s" "y"
721 ;;
722 "7a")
723 printf "%s" "z"
724 ;;
725 #numbers
726 "30")
727 printf "%s" "0"
728 ;;
729 "31")
730 printf "%s" "1"
731 ;;
732 "32")
733 printf "%s" "2"
734 ;;
735 "33")
736 printf "%s" "3"
737 ;;
738 "34")
739 printf "%s" "4"
740 ;;
741 "35")
742 printf "%s" "5"
743 ;;
744 "36")
745 printf "%s" "6"
746 ;;
747 "37")
748 printf "%s" "7"
749 ;;
750 "38")
751 printf "%s" "8"
752 ;;
753 "39")
754 printf "%s" "9"
755 ;;
756 "2d")
757 printf "%s" "-"
758 ;;
759 "5f")
760 printf "%s" "_"
761 ;;
762 "2e")
763 printf "%s" "."
764 ;;
765 "7e")
766 printf "%s" "~"
767 ;;
3c07f57a 768 #other hex
542d7977 769 *)
c3b1eb08 770 printf '%%%s' "$_hex_code"
771 ;;
542d7977 772 esac
e009ec8b 773 done
774}
775
c60883ef 776#options file
777_sed_i() {
778 options="$1"
779 filename="$2"
4c2a3841 780 if [ -z "$filename" ]; then
43822d37 781 _usage "Usage:_sed_i options filename"
c60883ef 782 return 1
783 fi
14f3dbb7 784 _debug2 options "$options"
785 if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then
c60883ef 786 _debug "Using sed -i"
14f3dbb7 787 sed -i "$options" "$filename"
c60883ef 788 else
789 _debug "No -i support in sed"
19539575 790 text="$(cat "$filename")"
4c2a3841 791 echo "$text" | sed "$options" >"$filename"
c60883ef 792 fi
793}
794
22ea4004 795_egrep_o() {
a3c0c754 796 if ! egrep -o "$1" 2>/dev/null; then
22ea4004 797 sed -n 's/.*\('"$1"'\).*/\1/p'
22ea4004 798 fi
799}
800
88fab7d6 801#Usage: file startline endline
802_getfile() {
803 filename="$1"
804 startline="$2"
805 endline="$3"
4c2a3841 806 if [ -z "$endline" ]; then
43822d37 807 _usage "Usage: file startline endline"
88fab7d6 808 return 1
809 fi
4c2a3841 810
811 i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)"
812 if [ -z "$i" ]; then
88fab7d6 813 _err "Can not find start line: $startline"
814 return 1
815 fi
19539575 816 i="$(_math "$i" + 1)"
817 _debug i "$i"
4c2a3841 818
819 j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)"
820 if [ -z "$j" ]; then
88fab7d6 821 _err "Can not find end line: $endline"
822 return 1
823 fi
19539575 824 j="$(_math "$j" - 1)"
825 _debug j "$j"
4c2a3841 826
827 sed -n "$i,${j}p" "$filename"
88fab7d6 828
829}
830
831#Usage: multiline
4c3b3608 832_base64() {
ec9975c3 833 [ "" ] #urgly
4c2a3841 834 if [ "$1" ]; then
24d2a8b9 835 _debug3 "base64 multiline:'$1'"
d8ba26e6 836 ${ACME_OPENSSL_BIN:-openssl} base64 -e
88fab7d6 837 else
4d8b99a3 838 _debug3 "base64 single line."
d8ba26e6 839 ${ACME_OPENSSL_BIN:-openssl} base64 -e | tr -d '\r\n'
88fab7d6 840 fi
841}
842
843#Usage: multiline
844_dbase64() {
4c2a3841 845 if [ "$1" ]; then
d8ba26e6 846 ${ACME_OPENSSL_BIN:-openssl} base64 -d -A
88fab7d6 847 else
d8ba26e6 848 ${ACME_OPENSSL_BIN:-openssl} base64 -d
88fab7d6 849 fi
850}
851
183063a2 852#file
853_checkcert() {
854 _cf="$1"
855 if [ "$DEBUG" ]; then
7e381f8e 856 openssl x509 -noout -text -in "$_cf"
183063a2 857 else
7e381f8e 858 openssl x509 -noout -text -in "$_cf" >/dev/null 2>&1
183063a2 859 fi
860}
861
e22bcf7c 862#Usage: hashalg [outputhex]
88fab7d6 863#Output Base64-encoded digest
864_digest() {
865 alg="$1"
4c2a3841 866 if [ -z "$alg" ]; then
43822d37 867 _usage "Usage: _digest hashalg"
88fab7d6 868 return 1
869 fi
4c2a3841 870
e22bcf7c 871 outputhex="$2"
4c2a3841 872
c7b16249 873 if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
4c2a3841 874 if [ "$outputhex" ]; then
d8ba26e6 875 ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' '
e22bcf7c 876 else
d8ba26e6 877 ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -binary | _base64
b001840d 878 fi
879 else
880 _err "$alg is not supported yet"
881 return 1
882 fi
883
884}
885
e009ec8b 886#Usage: hashalg secret_hex [outputhex]
887#Output binary hmac
b001840d 888_hmac() {
889 alg="$1"
e009ec8b 890 secret_hex="$2"
b001840d 891 outputhex="$3"
4c2a3841 892
e009ec8b 893 if [ -z "$secret_hex" ]; then
4c2a3841 894 _usage "Usage: _hmac hashalg secret [outputhex]"
b001840d 895 return 1
896 fi
897
a6014bf0 898 if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
4c2a3841 899 if [ "$outputhex" ]; then
d8ba26e6 900 (${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)") | cut -d = -f 2 | tr -d ' '
e22bcf7c 901 else
d8ba26e6 902 ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)" -binary
e22bcf7c 903 fi
88fab7d6 904 else
905 _err "$alg is not supported yet"
906 return 1
907 fi
908
909}
910
911#Usage: keyfile hashalg
912#Output: Base64-encoded signature value
913_sign() {
914 keyfile="$1"
915 alg="$2"
4c2a3841 916 if [ -z "$alg" ]; then
43822d37 917 _usage "Usage: _sign keyfile hashalg"
88fab7d6 918 return 1
919 fi
4c2a3841 920
d8ba26e6 921 _sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile "
4c2a3841 922
923 if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
f87890cb 924 $_sign_openssl -$alg | _base64
4c2a3841 925 elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
f87890cb 926 if ! _signedECText="$($_sign_openssl -sha$__ECC_KEY_LEN | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then
67184d7b 927 _err "Sign failed: $_sign_openssl"
928 _err "Key file: $keyfile"
357b514b 929 _err "Key content:$(wc -l <"$keyfile") lines"
67184d7b 930 return 1
931 fi
998783eb 932 _debug3 "_signedECText" "$_signedECText"
933 _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
934 _debug3 "_ec_r" "$_ec_r"
935 _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
936 _debug3 "_ec_s" "$_ec_s"
937 printf "%s" "$_ec_r$_ec_s" | _h2b | _base64
938 else
939 _err "Unknown key file format."
940 return 1
941 fi
4c2a3841 942
4c3b3608 943}
944
3281043e 945#keylength or isEcc flag (empty str => not ecc)
43822d37 946_isEccKey() {
947 _length="$1"
948
4c2a3841 949 if [ -z "$_length" ]; then
43822d37 950 return 1
951 fi
952
953 [ "$_length" != "1024" ] \
4c2a3841 954 && [ "$_length" != "2048" ] \
955 && [ "$_length" != "3072" ] \
956 && [ "$_length" != "4096" ] \
957 && [ "$_length" != "8192" ]
43822d37 958}
959
e22bcf7c 960# _createkey 2048|ec-256 file
961_createkey() {
962 length="$1"
963 f="$2"
c4236e58 964 _debug2 "_createkey for file:$f"
43822d37 965 eccname="$length"
4c2a3841 966 if _startswith "$length" "ec-"; then
f9a6988e 967 length=$(printf "%s" "$length" | cut -d '-' -f 2-100)
e22bcf7c 968
4c2a3841 969 if [ "$length" = "256" ]; then
e22bcf7c 970 eccname="prime256v1"
971 fi
4c2a3841 972 if [ "$length" = "384" ]; then
e22bcf7c 973 eccname="secp384r1"
974 fi
4c2a3841 975 if [ "$length" = "521" ]; then
e22bcf7c 976 eccname="secp521r1"
977 fi
43822d37 978
e22bcf7c 979 fi
980
4c2a3841 981 if [ -z "$length" ]; then
982 length=2048
43822d37 983 fi
4c2a3841 984
cbcd7e0f 985 _debug "Use length $length"
43822d37 986
81532f37 987 if ! touch "$f" >/dev/null 2>&1; then
988 _f_path="$(dirname "$f")"
989 _debug _f_path "$_f_path"
990 if ! mkdir -p "$_f_path"; then
991 _err "Can not create path: $_f_path"
992 return 1
993 fi
994 fi
995
4c2a3841 996 if _isEccKey "$length"; then
cbcd7e0f 997 _debug "Using ec name: $eccname"
d8ba26e6 998 ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
e22bcf7c 999 else
cbcd7e0f 1000 _debug "Using RSA: $length"
d8ba26e6 1001 ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
e22bcf7c 1002 fi
43822d37 1003
4c2a3841 1004 if [ "$?" != "0" ]; then
43822d37 1005 _err "Create key error."
1006 return 1
1007 fi
e22bcf7c 1008}
1009
9774b01b 1010#domain
1011_is_idn() {
1012 _is_idn_d="$1"
049be104 1013 _debug2 _is_idn_d "$_is_idn_d"
72f54ca6 1014 _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '*.,-')
049be104 1015 _debug2 _idn_temp "$_idn_temp"
1016 [ "$_idn_temp" ]
9774b01b 1017}
1018
1019#aa.com
1020#aa.com,bb.com,cc.com
1021_idn() {
1022 __idn_d="$1"
4c2a3841 1023 if ! _is_idn "$__idn_d"; then
9774b01b 1024 printf "%s" "$__idn_d"
1025 return 0
1026 fi
4c2a3841 1027
1028 if _exists idn; then
1029 if _contains "$__idn_d" ','; then
9774b01b 1030 _i_first="1"
4c2a3841 1031 for f in $(echo "$__idn_d" | tr ',' ' '); do
9774b01b 1032 [ -z "$f" ] && continue
4c2a3841 1033 if [ -z "$_i_first" ]; then
9774b01b 1034 printf "%s" ","
1035 else
1036 _i_first=""
1037 fi
2a1e06f8 1038 idn --quiet "$f" | tr -d "\r\n"
9774b01b 1039 done
1040 else
1041 idn "$__idn_d" | tr -d "\r\n"
1042 fi
1043 else
1044 _err "Please install idn to process IDN names."
1045 fi
1046}
1047
e22bcf7c 1048#_createcsr cn san_list keyfile csrfile conf
1049_createcsr() {
1050 _debug _createcsr
1051 domain="$1"
1052 domainlist="$2"
0c9546cc 1053 csrkey="$3"
e22bcf7c 1054 csr="$4"
1055 csrconf="$5"
1056 _debug2 domain "$domain"
1057 _debug2 domainlist "$domainlist"
0c9546cc 1058 _debug2 csrkey "$csrkey"
1059 _debug2 csr "$csr"
1060 _debug2 csrconf "$csrconf"
4c2a3841 1061
1062 printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
1063
3f4513b3 1064 if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
e22bcf7c 1065 #single domain
1066 _info "Single domain" "$domain"
c1151b0d 1067 printf -- "\nsubjectAltName=DNS:$domain" >>"$csrconf"
e22bcf7c 1068 else
f9a6988e 1069 domainlist="$(_idn "$domainlist")"
9774b01b 1070 _debug2 domainlist "$domainlist"
4c2a3841 1071 if _contains "$domainlist" ","; then
72f54ca6 1072 alt="DNS:$domain,DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
e22bcf7c 1073 else
c1151b0d 1074 alt="DNS:$domain,DNS:$domainlist"
e22bcf7c 1075 fi
3c07f57a 1076 #multi
e22bcf7c 1077 _info "Multi domain" "$alt"
4c2a3841 1078 printf -- "\nsubjectAltName=$alt" >>"$csrconf"
0c9546cc 1079 fi
0a3b6c48 1080 if [ "$Le_OCSP_Staple" ] || [ "$Le_OCSP_Stable" ]; then
96db9362 1081 _savedomainconf Le_OCSP_Staple "$Le_OCSP_Staple"
0a3b6c48 1082 _cleardomainconf Le_OCSP_Stable
4c2a3841 1083 printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
e22bcf7c 1084 fi
4c2a3841 1085
9774b01b 1086 _csr_cn="$(_idn "$domain")"
1087 _debug2 _csr_cn "$_csr_cn"
34f25fa5 1088 if _contains "$(uname -a)" "MINGW"; then
d8ba26e6 1089 ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr"
34f25fa5 1090 else
d8ba26e6 1091 ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr"
34f25fa5 1092 fi
e22bcf7c 1093}
1094
1095#_signcsr key csr conf cert
1096_signcsr() {
1097 key="$1"
1098 csr="$2"
1099 conf="$3"
1100 cert="$4"
5aa146a5 1101 _debug "_signcsr"
4c2a3841 1102
d8ba26e6 1103 _msg="$(${ACME_OPENSSL_BIN:-openssl} x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)"
5aa146a5 1104 _ret="$?"
1105 _debug "$_msg"
1106 return $_ret
e22bcf7c 1107}
1108
10afcaca 1109#_csrfile
1110_readSubjectFromCSR() {
1111 _csrfile="$1"
4c2a3841 1112 if [ -z "$_csrfile" ]; then
10afcaca 1113 _usage "_readSubjectFromCSR mycsr.csr"
1114 return 1
1115 fi
b963dadc 1116 ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n'
10afcaca 1117}
1118
1119#_csrfile
1120#echo comma separated domain list
1121_readSubjectAltNamesFromCSR() {
1122 _csrfile="$1"
4c2a3841 1123 if [ -z "$_csrfile" ]; then
10afcaca 1124 _usage "_readSubjectAltNamesFromCSR mycsr.csr"
1125 return 1
1126 fi
4c2a3841 1127
10afcaca 1128 _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
1129 _debug _csrsubj "$_csrsubj"
4c2a3841 1130
d8ba26e6 1131 _dnsAltnames="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
10afcaca 1132 _debug _dnsAltnames "$_dnsAltnames"
4c2a3841 1133
1134 if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
10afcaca 1135 _debug "AltNames contains subject"
1643b476 1136 _dnsAltnames="$(printf "%s" "$_dnsAltnames," | sed "s/DNS:$_csrsubj,//g")"
10afcaca 1137 else
1138 _debug "AltNames doesn't contain subject"
1139 fi
4c2a3841 1140
1643b476 1141 printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
10afcaca 1142}
1143
3c07f57a 1144#_csrfile
10afcaca 1145_readKeyLengthFromCSR() {
1146 _csrfile="$1"
4c2a3841 1147 if [ -z "$_csrfile" ]; then
1643b476 1148 _usage "_readKeyLengthFromCSR mycsr.csr"
10afcaca 1149 return 1
1150 fi
4c2a3841 1151
d8ba26e6 1152 _outcsr="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile")"
7df062b7 1153 _debug2 _outcsr "$_outcsr"
4c2a3841 1154 if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then
10afcaca 1155 _debug "ECC CSR"
482cb737 1156 echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
10afcaca 1157 else
1158 _debug "RSA CSR"
eb0ef6bd 1159 _rkl="$(echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1)"
1160 if [ "$_rkl" ]; then
1161 echo "$_rkl"
1162 else
1163 echo "$_outcsr" | tr "\t" " " | _egrep_o "RSA Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
1164 fi
10afcaca 1165 fi
1166}
1167
34c27e09 1168_ss() {
1169 _port="$1"
4c2a3841 1170
1171 if _exists "ss"; then
edf08da6 1172 _debug "Using: ss"
14d7bfda 1173 ss -ntpl 2>/dev/null | grep ":$_port "
edf08da6 1174 return 0
1175 fi
1176
4c2a3841 1177 if _exists "netstat"; then
251fc37c 1178 _debug "Using: netstat"
4c2a3841 1179 if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
ccb96535 1180 #for windows version netstat tool
0463b5d6 1181 netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
ccb96535 1182 else
4c2a3841 1183 if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then
19539575 1184 netstat -an -p tcp | grep LISTEN | grep ":$_port "
4c2a3841 1185 elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then
22ea4004 1186 #for solaris
e3c66532 1187 netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
f19f2100 1188 elif netstat -help 2>&1 | grep "\-p" >/dev/null; then
f21dd911 1189 #for full linux
19539575 1190 netstat -ntpl | grep ":$_port "
f21dd911 1191 else
1192 #for busybox (embedded linux; no pid support)
1193 netstat -ntl 2>/dev/null | grep ":$_port "
edf08da6 1194 fi
ccb96535 1195 fi
34c27e09 1196 return 0
1197 fi
edf08da6 1198
34c27e09 1199 return 1
1200}
1201
8eab77f3
BC		 1202#outfile key cert cacert [password [name [caname]]]
1203_toPkcs() {
1204 _cpfx="$1"
1205 _ckey="$2"
1206 _ccert="$3"
1207 _cca="$4"
1208 pfxPassword="$5"
1209 pfxName="$6"
1210 pfxCaname="$7"
1211
1212 if [ "$pfxCaname" ]; then
1213 ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" -caname "$pfxCaname"
1214 elif [ "$pfxName" ]; then
1215 ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName"
1216 elif [ "$pfxPassword" ]; then
1217 ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword"
1218 else
1219 ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca"
1220 fi
1221
1222}
1223
43822d37 1224#domain [password] [isEcc]
ac2d5123 1225toPkcs() {
1226 domain="$1"
1227 pfxPassword="$2"
4c2a3841 1228 if [ -z "$domain" ]; then
43822d37 1229 _usage "Usage: $PROJECT_ENTRY --toPkcs -d domain [--password pfx-password]"
ac2d5123 1230 return 1
1231 fi
1232
43822d37 1233 _isEcc="$3"
4c2a3841 1234
43822d37 1235 _initpath "$domain" "$_isEcc"
1236
8eab77f3 1237 _toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$pfxPassword"
4c2a3841 1238
1239 if [ "$?" = "0" ]; then
ac2d5123 1240 _info "Success, Pfx is exported to: $CERT_PFX_PATH"
1241 fi
1242
1243}
1244
4410226d 1245#domain [isEcc]
1246toPkcs8() {
1247 domain="$1"
1248
1249 if [ -z "$domain" ]; then
1250 _usage "Usage: $PROJECT_ENTRY --toPkcs8 -d domain [--ecc]"
1251 return 1
1252 fi
1253
1254 _isEcc="$2"
1255
1256 _initpath "$domain" "$_isEcc"
1257
d8ba26e6 1258 ${ACME_OPENSSL_BIN:-openssl} pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$CERT_KEY_PATH" -out "$CERT_PKCS8_PATH"
4410226d 1259
1260 if [ "$?" = "0" ]; then
1261 _info "Success, $CERT_PKCS8_PATH"
1262 fi
1263
1264}
1265
3c07f57a 1266#[2048]
4c3b3608 1267createAccountKey() {
1268 _info "Creating account key"
4c2a3841 1269 if [ -z "$1" ]; then
5fbc47eb 1270 _usage "Usage: $PROJECT_ENTRY --createAccountKey --accountkeylength 2048"
4c3b3608 1271 return
1272 fi
4c2a3841 1273
5fbc47eb 1274 length=$1
57e58ce7 1275 _create_account_key "$length"
1276
1277}
1278
1279_create_account_key() {
1280
5fbc47eb 1281 length=$1
4c2a3841 1282
1283 if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ]; then
57e58ce7 1284 _debug "Use default length $DEFAULT_ACCOUNT_KEY_LENGTH"
1285 length="$DEFAULT_ACCOUNT_KEY_LENGTH"
4c3b3608 1286 fi
4c2a3841 1287
5fbc47eb 1288 _debug length "$length"
4c3b3608 1289 _initpath
5fbc47eb 1290
57e58ce7 1291 mkdir -p "$CA_DIR"
4c2a3841 1292 if [ -f "$ACCOUNT_KEY_PATH" ]; then
4c3b3608 1293 _info "Account key exists, skip"
1294 return
1295 else
1296 #generate account key
31a5487c 1297 _createkey "$length" "$ACCOUNT_KEY_PATH"
123e8f21 1298 chmod 600 "$ACCOUNT_KEY_PATH"
4c3b3608 1299 fi
1300
1301}
1302
43822d37 1303#domain [length]
4c3b3608 1304createDomainKey() {
1305 _info "Creating domain key"
4c2a3841 1306 if [ -z "$1" ]; then
43822d37 1307 _usage "Usage: $PROJECT_ENTRY --createDomainKey -d domain.com [ --keylength 2048 ]"
4c3b3608 1308 return
1309 fi
4c2a3841 1310
4c3b3608 1311 domain=$1
2844d73d 1312 _cdl=$2
e22bcf7c 1313
2844d73d 1314 if [ -z "$_cdl" ]; then
57e58ce7 1315 _debug "Use DEFAULT_DOMAIN_KEY_LENGTH=$DEFAULT_DOMAIN_KEY_LENGTH"
2844d73d 1316 _cdl="$DEFAULT_DOMAIN_KEY_LENGTH"
57e58ce7 1317 fi
e22bcf7c 1318
2844d73d 1319 _initpath "$domain" "$_cdl"
4c2a3841 1320
6b185d20 1321 if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
2844d73d 1322 if _createkey "$_cdl" "$CERT_KEY_PATH"; then
1323 _savedomainconf Le_Keylength "$_cdl"
1324 _info "The domain key is here: $(__green $CERT_KEY_PATH)"
1325 fi
4c3b3608 1326 else
4c2a3841 1327 if [ "$IS_RENEW" ]; then
4c3b3608 1328 _info "Domain key exists, skip"
1329 return 0
1330 else
1331 _err "Domain key exists, do you want to overwrite the key?"
41e3eafa 1332 _err "Add '--force', and try again."
4c3b3608 1333 return 1
1334 fi
1335 fi
1336
1337}
1338
43822d37 1339# domain domainlist isEcc
4c3b3608 1340createCSR() {
1341 _info "Creating csr"
4c2a3841 1342 if [ -z "$1" ]; then
43822d37 1343 _usage "Usage: $PROJECT_ENTRY --createCSR -d domain1.com [-d domain2.com -d domain3.com ... ]"
4c3b3608 1344 return
1345 fi
4c2a3841 1346
43822d37 1347 domain="$1"
1348 domainlist="$2"
1349 _isEcc="$3"
4c2a3841 1350
43822d37 1351 _initpath "$domain" "$_isEcc"
4c2a3841 1352
1353 if [ -f "$CSR_PATH" ] && [ "$IS_RENEW" ] && [ -z "$FORCE" ]; then
4c3b3608 1354 _info "CSR exists, skip"
1355 return
1356 fi
4c2a3841 1357
1358 if [ ! -f "$CERT_KEY_PATH" ]; then
43822d37 1359 _err "The key file is not found: $CERT_KEY_PATH"
1360 _err "Please create the key file first."
1361 return 1
1362 fi
e22bcf7c 1363 _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"
4c2a3841 1364
4c3b3608 1365}
1366
11927a76 1367_url_replace() {
f9a6988e 1368 tr '/+' '_-' | tr -d '= '
4c3b3608 1369}
1370
1371_time2str() {
6fb2a1ed 1372 #Linux
f9a6988e 1373 if date -u -d@"$1" 2>/dev/null; then
4c3b3608 1374 return
1375 fi
4c2a3841 1376
6fb2a1ed 1377 #BSD
f9a6988e 1378 if date -u -r "$1" 2>/dev/null; then
4c3b3608 1379 return
1380 fi
4c2a3841 1381
22ea4004 1382 #Soaris
4c2a3841 1383 if _exists adb; then
031e885e 1384 _t_s_a=$(echo "0t${1}=Y" | adb)
1385 echo "$_t_s_a"
22ea4004 1386 fi
4c2a3841 1387
a07395fb
M		 1388 #Busybox
1389 if echo "$1" | awk '{ print strftime("%c", $0); }' 2>/dev/null; then
1390 return
1391 fi
4c3b3608 1392}
1393
eae29099 1394_normalizeJson() {
1395 sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n"
1396}
1397
44df2967 1398_stat() {
1399 #Linux
4c2a3841 1400 if stat -c '%U:%G' "$1" 2>/dev/null; then
44df2967 1401 return
1402 fi
4c2a3841 1403
44df2967 1404 #BSD
4c2a3841 1405 if stat -f '%Su:%Sg' "$1" 2>/dev/null; then
44df2967 1406 return
1407 fi
4c2a3841 1408
1409 return 1 #error, 'stat' not found
44df2967 1410}
1411
166096dc 1412#keyfile
1413_calcjwk() {
1414 keyfile="$1"
4c2a3841 1415 if [ -z "$keyfile" ]; then
43822d37 1416 _usage "Usage: _calcjwk keyfile"
166096dc 1417 return 1
1418 fi
4c2a3841 1419
1420 if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ]; then
ae2db62f 1421 _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE"
1422 return 0
1423 fi
4c2a3841 1424
4c2a3841 1425 if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
166096dc 1426 _debug "RSA key"
d8ba26e6 1427 pub_exp=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
4c2a3841 1428 if [ "${#pub_exp}" = "5" ]; then
166096dc 1429 pub_exp=0$pub_exp
1430 fi
22ea4004 1431 _debug3 pub_exp "$pub_exp"
4c2a3841 1432
f9a6988e 1433 e=$(echo "$pub_exp" | _h2b | _base64)
22ea4004 1434 _debug3 e "$e"
4c2a3841 1435
d8ba26e6 1436 modulus=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2)
22ea4004 1437 _debug3 modulus "$modulus"
11927a76 1438 n="$(printf "%s" "$modulus" | _h2b | _base64 | _url_replace)"
4d8b99a3 1439 _debug3 n "$n"
1440
166096dc 1441 jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}'
22ea4004 1442 _debug3 jwk "$jwk"
4c2a3841 1443
5982f4bc 1444 JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}'
1445 JWK_HEADERPLACE_PART1='{"nonce": "'
c1151b0d 1446 JWK_HEADERPLACE_PART2='", "alg": "RS256"'
4c2a3841 1447 elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
166096dc 1448 _debug "EC key"
d8ba26e6 1449 crv="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")"
22ea4004 1450 _debug3 crv "$crv"
f87890cb 1451 __ECC_KEY_LEN=$(echo "$crv" | cut -d "-" -f 2)
1452 if [ "$__ECC_KEY_LEN" = "521" ]; then
1453 __ECC_KEY_LEN=512
1454 fi
1455 _debug3 __ECC_KEY_LEN "$__ECC_KEY_LEN"
4c2a3841 1456 if [ -z "$crv" ]; then
d22b7938 1457 _debug "Let's try ASN1 OID"
d8ba26e6 1458 crv_oid="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")"
cae9cee2 1459 _debug3 crv_oid "$crv_oid"
d22b7938 1460 case "${crv_oid}" in
1461 "prime256v1")
4c2a3841 1462 crv="P-256"
f87890cb 1463 __ECC_KEY_LEN=256
4c2a3841 1464 ;;
d22b7938 1465 "secp384r1")
4c2a3841 1466 crv="P-384"
f87890cb 1467 __ECC_KEY_LEN=384
4c2a3841 1468 ;;
d22b7938 1469 "secp521r1")
4c2a3841 1470 crv="P-521"
f87890cb 1471 __ECC_KEY_LEN=512
4c2a3841 1472 ;;
d22b7938 1473 *)
4c2a3841 1474 _err "ECC oid : $crv_oid"
1475 return 1
1476 ;;
067d586c 1477 esac
d22b7938 1478 _debug3 crv "$crv"
1479 fi
4c2a3841 1480
d8ba26e6 1481 pubi="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)"
79a267ab 1482 pubi=$(_math "$pubi" + 1)
22ea4004 1483 _debug3 pubi "$pubi"
4c2a3841 1484
d8ba26e6 1485 pubj="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)"
79a267ab 1486 pubj=$(_math "$pubj" - 1)
22ea4004 1487 _debug3 pubj "$pubj"
4c2a3841 1488
d8ba26e6 1489 pubtext="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")"
22ea4004 1490 _debug3 pubtext "$pubtext"
4c2a3841 1491
95e06de5 1492 xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)"
79a267ab 1493 xlen=$(_math "$xlen" / 4)
22ea4004 1494 _debug3 xlen "$xlen"
00a50605 1495
998783eb 1496 xend=$(_math "$xlen" + 1)
f9a6988e 1497 x="$(printf "%s" "$pubtext" | cut -d : -f 2-"$xend")"
22ea4004 1498 _debug3 x "$x"
4c2a3841 1499
11927a76 1500 x64="$(printf "%s" "$x" | tr -d : | _h2b | _base64 | _url_replace)"
22ea4004 1501 _debug3 x64 "$x64"
00a50605 1502
19539575 1503 xend=$(_math "$xend" + 1)
f9a6988e 1504 y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)"
22ea4004 1505 _debug3 y "$y"
4c2a3841 1506
11927a76 1507 y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)"
22ea4004 1508 _debug3 y64 "$y64"
4c2a3841 1509
ae2db62f 1510 jwk='{"crv": "'$crv'", "kty": "EC", "x": "'$x64'", "y": "'$y64'"}'
22ea4004 1511 _debug3 jwk "$jwk"
4c2a3841 1512
f87890cb 1513 JWK_HEADER='{"alg": "ES'$__ECC_KEY_LEN'", "jwk": '$jwk'}'
5982f4bc 1514 JWK_HEADERPLACE_PART1='{"nonce": "'
c1151b0d 1515 JWK_HEADERPLACE_PART2='", "alg": "ES'$__ECC_KEY_LEN'"'
166096dc 1516 else
1517 _err "Only RSA or EC key is supported."
1518 return 1
1519 fi
1520
5982f4bc 1521 _debug3 JWK_HEADER "$JWK_HEADER"
ae2db62f 1522 __CACHED_JWK_KEY_FILE="$keyfile"
166096dc 1523}
fac1e367 1524
3aae1ae3 1525_time() {
1526 date -u "+%s"
1527}
fac1e367 1528
5d2c5b01 1529_utc_date() {
1530 date -u "+%Y-%m-%d %H:%M:%S"
1531}
1532
fac1e367 1533_mktemp() {
4c2a3841 1534 if _exists mktemp; then
1535 if mktemp 2>/dev/null; then
610e0f21 1536 return 0
4c2a3841 1537 elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null; then
5c48e139 1538 #for Mac osx
610e0f21 1539 return 0
b19ba13a 1540 fi
fac1e367 1541 fi
4c2a3841 1542 if [ -d "/tmp" ]; then
3aae1ae3 1543 echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp"
1544 return 0
4c2a3841 1545 elif [ "$LE_TEMP_DIR" ] && mkdir -p "$LE_TEMP_DIR"; then
610e0f21 1546 echo "/$LE_TEMP_DIR/wefADf24sf.$(_time).tmp"
1547 return 0
3aae1ae3 1548 fi
1549 _err "Can not create temp file."
fac1e367 1550}
1551
1552_inithttp() {
1553
4c2a3841 1554 if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then
fac1e367 1555 HTTP_HEADER="$(_mktemp)"
1556 _debug2 HTTP_HEADER "$HTTP_HEADER"
1557 fi
1558
4c2a3841 1559 if [ "$__HTTP_INITIALIZED" ]; then
1560 if [ "$_ACME_CURL$_ACME_WGET" ]; then
1befee5a 1561 _debug2 "Http already initialized."
1562 return 0
1563 fi
1564 fi
4c2a3841 1565
1566 if [ -z "$_ACME_CURL" ] && _exists "curl"; then
1befee5a 1567 _ACME_CURL="curl -L --silent --dump-header $HTTP_HEADER "
4c2a3841 1568 if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
fac1e367 1569 _CURL_DUMP="$(_mktemp)"
1befee5a 1570 _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
fac1e367 1571 fi
1572
2aa75f03 1573 if [ "$CA_PATH" ]; then
1574 _ACME_CURL="$_ACME_CURL --capath $CA_PATH "
1575 elif [ "$CA_BUNDLE" ]; then
1befee5a 1576 _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
78009539
PS		 1577 fi
1578
6ca5f3d8 1579 if _contains "$(curl --help 2>&1)" "--globoff"; then
1580 _ACME_CURL="$_ACME_CURL -g "
1581 fi
fac1e367 1582 fi
4c2a3841 1583
1befee5a 1584 if [ -z "$_ACME_WGET" ] && _exists "wget"; then
1585 _ACME_WGET="wget -q"
4c2a3841 1586 if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
1befee5a 1587 _ACME_WGET="$_ACME_WGET -d "
fac1e367 1588 fi
2aa75f03 1589 if [ "$CA_PATH" ]; then
1590 _ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH "
1591 elif [ "$CA_BUNDLE" ]; then
1592 _ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE "
78009539 1593 fi
fac1e367 1594 fi
1595
177b57e1 1596 #from wget 1.14: do not skip body on 404 error
58ef6d83 1597 if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--content-on-error"; then
177b57e1 1598 _ACME_WGET="$_ACME_WGET --content-on-error "
1599 fi
1600
1befee5a 1601 __HTTP_INITIALIZED=1
fac1e367 1602
fac1e367 1603}
fac1e367 1604
45e386b2 1605# body url [needbase64] [POST|PUT] [ContentType]
c60883ef 1606_post() {
1607 body="$1"
c1151b0d 1608 _post_url="$2"
c60883ef 1609 needbase64="$3"
a4270efa 1610 httpmethod="$4"
45e386b2 1611 _postContentType="$5"
c60883ef 1612
4c2a3841 1613 if [ -z "$httpmethod" ]; then
a4270efa 1614 httpmethod="POST"
1615 fi
1616 _debug $httpmethod
c1151b0d 1617 _debug "_post_url" "$_post_url"
30de13b4 1618 _debug2 "body" "$body"
4c2a3841 1619
fac1e367 1620 _inithttp
4c2a3841 1621
9b124070 1622 if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then
1befee5a 1623 _CURL="$_ACME_CURL"
7834c252 1624 if [ "$HTTPS_INSECURE" ]; then
1625 _CURL="$_CURL --insecure "
1626 fi
45e386b2 1627 if [ "$_postContentType" ]; then
1628 _CURL="$_CURL -H \"Content-Type: $_postContentType\" "
1629 fi
ec9fc8cb 1630 _debug "_CURL" "$_CURL"
4c2a3841 1631 if [ "$needbase64" ]; then
c1151b0d 1632 response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
c60883ef 1633 else
c1151b0d 1634 response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
c60883ef 1635 fi
16679b57 1636 _ret="$?"
4c2a3841 1637 if [ "$_ret" != "0" ]; then
87ab2d90 1638 _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
4c2a3841 1639 if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
87ab2d90 1640 _err "Here is the curl dump log:"
1641 _err "$(cat "$_CURL_DUMP")"
1642 fi
687cfcc2 1643 fi
4c2a3841 1644 elif [ "$_ACME_WGET" ]; then
7834c252 1645 _WGET="$_ACME_WGET"
1646 if [ "$HTTPS_INSECURE" ]; then
1647 _WGET="$_WGET --no-check-certificate "
1648 fi
1649 _debug "_WGET" "$_WGET"
4c2a3841 1650 if [ "$needbase64" ]; then
1651 if [ "$httpmethod" = "POST" ]; then
ef871775 1652 if [ "$_postContentType" ]; then
1653 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
1654 else
1655 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
1656 fi
8fb9a709 1657 else
ef871775 1658 if [ "$_postContentType" ]; then
1659 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
1660 else
1661 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
1662 fi
8fb9a709 1663 fi
c60883ef 1664 else
4c2a3841 1665 if [ "$httpmethod" = "POST" ]; then
ef871775 1666 if [ "$_postContentType" ]; then
1667 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
1668 else
1669 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
1670 fi
8fb9a709 1671 else
ef871775 1672 if [ "$_postContentType" ]; then
1673 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
1674 else
1675 response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
1676 fi
8fb9a709 1677 fi
c60883ef 1678 fi
16679b57 1679 _ret="$?"
4c2a3841 1680 if [ "$_ret" = "8" ]; then
9f43c270 1681 _ret=0
810c129c 1682 _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later."
9f43c270 1683 fi
4c2a3841 1684 if [ "$_ret" != "0" ]; then
1685 _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
687cfcc2 1686 fi
c60883ef 1687 _sed_i "s/^ *//g" "$HTTP_HEADER"
d0b748a4 1688 else
1689 _ret="$?"
1690 _err "Neither curl nor wget is found, can not do $httpmethod."
c60883ef 1691 fi
16679b57 1692 _debug "_ret" "$_ret"
19539575 1693 printf "%s" "$response"
16679b57 1694 return $_ret
c60883ef 1695}
1696
75da0713 1697# url getheader timeout
c60883ef 1698_get() {
a4270efa 1699 _debug GET
c60883ef 1700 url="$1"
1701 onlyheader="$2"
75da0713 1702 t="$3"
79a267ab 1703 _debug url "$url"
72f54ca6 1704 _debug "timeout=$t"
fac1e367 1705
1706 _inithttp
1707
9b124070 1708 if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then
1befee5a 1709 _CURL="$_ACME_CURL"
7834c252 1710 if [ "$HTTPS_INSECURE" ]; then
1711 _CURL="$_CURL --insecure "
1712 fi
4c2a3841 1713 if [ "$t" ]; then
75da0713 1714 _CURL="$_CURL --connect-timeout $t"
1715 fi
1716 _debug "_CURL" "$_CURL"
4c2a3841 1717 if [ "$onlyheader" ]; then
f9a6988e 1718 $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
c60883ef 1719 else
f9a6988e 1720 $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url"
c60883ef 1721 fi
9aaf36cd 1722 ret=$?
4c2a3841 1723 if [ "$ret" != "0" ]; then
d529eb6d 1724 _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
4c2a3841 1725 if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
fac1e367 1726 _err "Here is the curl dump log:"
1727 _err "$(cat "$_CURL_DUMP")"
1728 fi
1729 fi
4c2a3841 1730 elif [ "$_ACME_WGET" ]; then
1befee5a 1731 _WGET="$_ACME_WGET"
7834c252 1732 if [ "$HTTPS_INSECURE" ]; then
1733 _WGET="$_WGET --no-check-certificate "
1734 fi
4c2a3841 1735 if [ "$t" ]; then
75da0713 1736 _WGET="$_WGET --timeout=$t"
1737 fi
1738 _debug "_WGET" "$_WGET"
4c2a3841 1739 if [ "$onlyheader" ]; then
f9a6988e 1740 $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1 | sed 's/^[ ]*//g'
c60883ef 1741 else
f9a6988e 1742 $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -O - "$url"
c60883ef 1743 fi
9aaf36cd 1744 ret=$?
f731a4c7 1745 if [ "$ret" = "8" ]; then
39a1f1ef 1746 ret=0
810c129c 1747 _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later."
9f43c270 1748 fi
4c2a3841 1749 if [ "$ret" != "0" ]; then
1750 _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
fac1e367 1751 fi
d0b748a4 1752 else
1753 ret=$?
1754 _err "Neither curl nor wget is found, can not do GET."
9aaf36cd 1755 fi
ec9fc8cb 1756 _debug "ret" "$ret"
c60883ef 1757 return $ret
1758}
166096dc 1759
c2c8f320 1760_head_n() {
79a267ab 1761 head -n "$1"
c2c8f320 1762}
1763
1764_tail_n() {
f9a6988e 1765 if ! tail -n "$1" 2>/dev/null; then
19ab2a29 1766 #fix for solaris
f9a6988e 1767 tail -"$1"
19ab2a29 1768 fi
c2c8f320 1769}
fac1e367 1770
166096dc 1771# url payload needbase64 keyfile
4c3b3608 1772_send_signed_request() {
1773 url=$1
1774 payload=$2
1775 needbase64=$3
166096dc 1776 keyfile=$4
4c2a3841 1777 if [ -z "$keyfile" ]; then
166096dc 1778 keyfile="$ACCOUNT_KEY_PATH"
1779 fi
f9a6988e 1780 _debug url "$url"
4c3b3608 1781 _debug payload "$payload"
4c2a3841 1782
1783 if ! _calcjwk "$keyfile"; then
166096dc 1784 return 1
1785 fi
c60883ef 1786
11927a76 1787 payload64=$(printf "%s" "$payload" | _base64 | _url_replace)
f9a6988e 1788 _debug3 payload64 "$payload64"
4c2a3841 1789
0bc745f6 1790 MAX_REQUEST_RETRY_TIMES=5
1791 _request_retry_times=0
1792 while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
b7924ce5 1793 _debug3 _request_retry_times "$_request_retry_times"
0bc745f6 1794 if [ -z "$_CACHED_NONCE" ]; then
8f01919f 1795 _headers=""
cae50e16 1796 if [ "$ACME_NEW_NONCE" ]; then
1797 _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
1798 nonceurl="$ACME_NEW_NONCE"
45e386b2 1799 if _post "" "$nonceurl" "" "HEAD" "$CONTENT_TYPE_JSON"; then
cae50e16 1800 _headers="$(cat "$HTTP_HEADER")"
1801 fi
1802 fi
1803 if [ -z "$_headers" ]; then
1804 _debug2 "Get nonce. ACME_DIRECTORY" "$ACME_DIRECTORY"
1805 nonceurl="$ACME_DIRECTORY"
1806 _headers="$(_get "$nonceurl" "onlyheader")"
1807 fi
0bc745f6 1808
1809 if [ "$?" != "0" ]; then
1810 _err "Can not connect to $nonceurl to get nonce."
1811 return 1
1812 fi
4c2a3841 1813
0bc745f6 1814 _debug2 _headers "$_headers"
4c2a3841 1815
0bc745f6 1816 _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
1817 _debug2 _CACHED_NONCE "$_CACHED_NONCE"
1818 else
1819 _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
1820 fi
1821 nonce="$_CACHED_NONCE"
1822 _debug2 nonce "$nonce"
4c2a3841 1823
c1151b0d 1824 if [ "$ACME_VERSION" = "2" ]; then
d2cde379 1825 if [ "$url" = "$ACME_NEW_ACCOUNT" ] || [ "$url" = "$ACME_REVOKE_CERT" ]; then
c1151b0d 1826 protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
1827 else
6b798b01 1828 protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
c1151b0d 1829 fi
1830 else
1831 protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
1832 fi
0bc745f6 1833 _debug3 protected "$protected"
a272ee4f 1834
0bc745f6 1835 protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
1836 _debug3 protected64 "$protected64"
4c2a3841 1837
0bc745f6 1838 if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
1839 _err "Sign request failed."
1840 return 1
1841 fi
1842 _debug3 _sig_t "$_sig_t"
166096dc 1843
0bc745f6 1844 sig="$(printf "%s" "$_sig_t" | _url_replace)"
1845 _debug3 sig "$sig"
4c2a3841 1846
c1151b0d 1847 if [ "$ACME_VERSION" = "2" ]; then
1848 body="{\"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
1849 else
1850 body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
1851 fi
0bc745f6 1852 _debug3 body "$body"
4c2a3841 1853
45e386b2 1854 response="$(_post "$body" "$url" "$needbase64" "POST" "$CONTENT_TYPE_JSON")"
0bc745f6 1855 _CACHED_NONCE=""
bbbdcb09 1856
0bc745f6 1857 if [ "$?" != "0" ]; then
1858 _err "Can not post to $url"
1859 return 1
1860 fi
1861 _debug2 original "$response"
1862 response="$(echo "$response" | _normalizeJson)"
4c3b3608 1863
64802502 1864 responseHeaders="$(cat "$HTTP_HEADER")"
4c3b3608 1865
0bc745f6 1866 _debug2 responseHeaders "$responseHeaders"
1867 _debug2 response "$response"
1868 code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
1869 _debug code "$code"
4c2a3841 1870
0bc745f6 1871 _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
4c3b3608 1872
8148bfea 1873 _body="$response"
1874 if [ "$needbase64" ]; then
e1db5db8 1875 _body="$(echo "$_body" | _dbase64 | tr -d '\0')"
6d6b2efd 1876 _debug3 _body "$_body"
8148bfea 1877 fi
36309e6d 1878
8148bfea 1879 if _contains "$_body" "JWS has invalid anti-replay nonce"; then
0bc745f6 1880 _info "It seems the CA server is busy now, let's wait and retry."
1881 _request_retry_times=$(_math "$_request_retry_times" + 1)
1882 _sleep 5
1883 continue
1884 fi
b7924ce5 1885 break
0bc745f6 1886 done
4c3b3608 1887
4c3b3608 1888}
4c3b3608 1889
1890#setopt "file" "opt" "=" "value" [";"]
1891_setopt() {
1892 __conf="$1"
1893 __opt="$2"
1894 __sep="$3"
1895 __val="$4"
1896 __end="$5"
4c2a3841 1897 if [ -z "$__opt" ]; then
1898 _usage usage: _setopt '"file" "opt" "=" "value" [";"]'
4c3b3608 1899 return
1900 fi
4c2a3841 1901 if [ ! -f "$__conf" ]; then
4c3b3608 1902 touch "$__conf"
1903 fi
1904
4c2a3841 1905 if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then
22ea4004 1906 _debug3 OK
4c2a3841 1907 if _contains "$__val" "&"; then
79a267ab 1908 __val="$(echo "$__val" | sed 's/&/\\&/g')"
4c3b3608 1909 fi
79a267ab 1910 text="$(cat "$__conf")"
52f8b787 1911 printf -- "%s\n" "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
4c3b3608 1912
4c2a3841 1913 elif grep -n "^#$__opt$__sep" "$__conf" >/dev/null; then
1914 if _contains "$__val" "&"; then
79a267ab 1915 __val="$(echo "$__val" | sed 's/&/\\&/g')"
4c3b3608 1916 fi
79a267ab 1917 text="$(cat "$__conf")"
52f8b787 1918 printf -- "%s\n" "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf"
4c3b3608 1919
1920 else
22ea4004 1921 _debug3 APP
4c2a3841 1922 echo "$__opt$__sep$__val$__end" >>"$__conf"
4c3b3608 1923 fi
1efb2085 1924 _debug3 "$(grep -n "^$__opt$__sep" "$__conf")"
4c3b3608 1925}
1926
8a29fbc8 1927#_save_conf file key value
1928#save to conf
1929_save_conf() {
1930 _s_c_f="$1"
1931 _sdkey="$2"
1932 _sdvalue="$3"
4c2a3841 1933 if [ "$_s_c_f" ]; then
8a29fbc8 1934 _setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'"
4d2f38b0 1935 else
8a29fbc8 1936 _err "config file is empty, can not save $_sdkey=$_sdvalue"
4d2f38b0 1937 fi
1938}
1939
8a29fbc8 1940#_clear_conf file key
1941_clear_conf() {
1942 _c_c_f="$1"
1943 _sdkey="$2"
4c2a3841 1944 if [ "$_c_c_f" ]; then
20ea8591 1945 _conf_data="$(cat "$_c_c_f")"
fa574fe8 1946 echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f"
4c3b3608 1947 else
8a29fbc8 1948 _err "config file is empty, can not clear"
4c3b3608 1949 fi
1950}
1951
8a29fbc8 1952#_read_conf file key
1953_read_conf() {
1954 _r_c_f="$1"
1955 _sdkey="$2"
4c2a3841 1956 if [ -f "$_r_c_f" ]; then
1957 (
79a267ab 1958 eval "$(grep "^$_sdkey *=" "$_r_c_f")"
4c2a3841 1959 eval "printf \"%s\" \"\$$_sdkey\""
1960 )
61623d22 1961 else
57e58ce7 1962 _debug "config file is empty, can not read $_sdkey"
4c3b3608 1963 fi
4c3b3608 1964}
1965
1966#_savedomainconf key value
1967#save to domain.conf
1968_savedomainconf() {
8a29fbc8 1969 _save_conf "$DOMAIN_CONF" "$1" "$2"
4d2f38b0 1970}
1971
1972#_cleardomainconf key
1973_cleardomainconf() {
8a29fbc8 1974 _clear_conf "$DOMAIN_CONF" "$1"
4c3b3608 1975}
1976
61623d22 1977#_readdomainconf key
1978_readdomainconf() {
8a29fbc8 1979 _read_conf "$DOMAIN_CONF" "$1"
61623d22 1980}
1981
4c3b3608 1982#_saveaccountconf key value
1983_saveaccountconf() {
8a29fbc8 1984 _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2"
4c3b3608 1985}
1986
fcdf41ba 1987#key value
1988_saveaccountconf_mutable() {
1989 _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2"
1990 #remove later
1991 _clearaccountconf "$1"
1992}
1993
1994#key
1995_readaccountconf() {
1996 _read_conf "$ACCOUNT_CONF_PATH" "$1"
1997}
1998
1999#key
2000_readaccountconf_mutable() {
2001 _rac_key="$1"
2002 _readaccountconf "SAVED_$_rac_key"
2003}
2004
fac1e367 2005#_clearaccountconf key
2006_clearaccountconf() {
8a29fbc8 2007 _clear_conf "$ACCOUNT_CONF_PATH" "$1"
2008}
2009
2010#_savecaconf key value
2011_savecaconf() {
2012 _save_conf "$CA_CONF" "$1" "$2"
2013}
2014
2015#_readcaconf key
2016_readcaconf() {
2017 _read_conf "$CA_CONF" "$1"
2018}
2019
2020#_clearaccountconf key
2021_clearcaconf() {
2022 _clear_conf "$CA_CONF" "$1"
fac1e367 2023}
2024
0463b5d6 2025# content localaddress
4c3b3608 2026_startserver() {
2027 content="$1"
0463b5d6 2028 ncaddr="$2"
2029 _debug "ncaddr" "$ncaddr"
2030
6fc1447f 2031 _debug "startserver: $$"
4c2a3841 2032
39c8f79f 2033 _debug Le_HTTPPort "$Le_HTTPPort"
6ae0f7f5 2034 _debug Le_Listen_V4 "$Le_Listen_V4"
2035 _debug Le_Listen_V6 "$Le_Listen_V6"
4c2a3841 2036
3794b5cb 2037 _NC="socat"
4c2a3841 2038 if [ "$Le_Listen_V4" ]; then
6ae0f7f5 2039 _NC="$_NC -4"
4c2a3841 2040 elif [ "$Le_Listen_V6" ]; then
6ae0f7f5 2041 _NC="$_NC -6"
2042 fi
4c2a3841 2043
9ad7ac63 2044 if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
5c568d69 2045 _NC="$_NC -d -d -v"
2046 fi
2047
9134b6ea
HC		 2048 SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork
2049
2050 #Adding bind to local-address
d84665cb 2051 if [ "$ncaddr" ]; then
9ad7ac63 2052 SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
9134b6ea
HC		 2053 fi
2054
5c568d69 2055 _debug "_NC" "$_NC $SOCAT_OPTIONS"
bae50da7 2056 $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo $content; echo;" &
3794b5cb 2057 serverproc="$!"
4c3b3608 2058}
2059
4c2a3841 2060_stopserver() {
4c3b3608 2061 pid="$1"
6fc1447f 2062 _debug "pid" "$pid"
4c2a3841 2063 if [ -z "$pid" ]; then
6fc1447f 2064 return
2065 fi
e22bcf7c 2066
3794b5cb 2067 kill $pid
2068
4c3b3608 2069}
2070
fdcb6b72 2071# sleep sec
2072_sleep() {
2073 _sleep_sec="$1"
4c2a3841 2074 if [ "$__INTERACTIVE" ]; then
fdcb6b72 2075 _sleep_c="$_sleep_sec"
4c2a3841 2076 while [ "$_sleep_c" -ge "0" ]; do
c583d6bb 2077 printf "\r \r"
fdcb6b72 2078 __green "$_sleep_c"
79a267ab 2079 _sleep_c="$(_math "$_sleep_c" - 1)"
fdcb6b72 2080 sleep 1
2081 done
c583d6bb 2082 printf "\r"
fdcb6b72 2083 else
2084 sleep "$_sleep_sec"
2085 fi
2086}
e22bcf7c 2087
6ae0f7f5 2088# _starttlsserver san_a san_b port content _ncaddr
e22bcf7c 2089_starttlsserver() {
2090 _info "Starting tls server."
2091 san_a="$1"
2092 san_b="$2"
2093 port="$3"
2094 content="$4"
6ae0f7f5 2095 opaddr="$5"
4c2a3841 2096
e22bcf7c 2097 _debug san_a "$san_a"
2098 _debug san_b "$san_b"
2099 _debug port "$port"
4c2a3841 2100
e22bcf7c 2101 #create key TLS_KEY
4c2a3841 2102 if ! _createkey "2048" "$TLS_KEY"; then
e22bcf7c 2103 _err "Create tls validation key error."
2104 return 1
2105 fi
4c2a3841 2106
e22bcf7c 2107 #create csr
2108 alt="$san_a"
4c2a3841 2109 if [ "$san_b" ]; then
e22bcf7c 2110 alt="$alt,$san_b"
2111 fi
4c2a3841 2112 if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
e22bcf7c 2113 _err "Create tls validation csr error."
2114 return 1
2115 fi
4c2a3841 2116
e22bcf7c 2117 #self signed
4c2a3841 2118 if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT"; then
e22bcf7c 2119 _err "Create tls validation cert error."
2120 return 1
2121 fi
4c2a3841 2122
5f6e3da7 2123 __S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -www -cert $TLS_CERT -key $TLS_KEY "
2124 if [ "$opaddr" ]; then
2125 __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port"
2126 else
2127 __S_OPENSSL="$__S_OPENSSL -accept $port"
2128 fi
6ae0f7f5 2129
2130 _debug Le_Listen_V4 "$Le_Listen_V4"
2131 _debug Le_Listen_V6 "$Le_Listen_V6"
4c2a3841 2132 if [ "$Le_Listen_V4" ]; then
6ae0f7f5 2133 __S_OPENSSL="$__S_OPENSSL -4"
4c2a3841 2134 elif [ "$Le_Listen_V6" ]; then
6ae0f7f5 2135 __S_OPENSSL="$__S_OPENSSL -6"
2136 fi
4c2a3841 2137
6ae0f7f5 2138 _debug "$__S_OPENSSL"
5f6e3da7 2139 if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
2140 $__S_OPENSSL -tlsextdebug &
2141 else
2142 $__S_OPENSSL >/dev/null 2>&1 &
2143 fi
331c4bb6 2144
e22bcf7c 2145 serverproc="$!"
5dbf664a 2146 sleep 1
d5ec5f80 2147 _debug serverproc "$serverproc"
e22bcf7c 2148}
2149
18e46962 2150#file
2151_readlink() {
2152 _rf="$1"
2153 if ! readlink -f "$_rf" 2>/dev/null; then
6c4cc357 2154 if _startswith "$_rf" "/"; then
2155 echo "$_rf"
7da50703 2156 return 0
2157 fi
6c4cc357 2158 echo "$(pwd)/$_rf" | _conapath
18e46962 2159 fi
2160}
2161
6c4cc357 2162_conapath() {
2163 sed "s#/\./#/#g"
2164}
2165
5ea6e9c9 2166__initHome() {
4c2a3841 2167 if [ -z "$_SCRIPT_HOME" ]; then
2168 if _exists readlink && _exists dirname; then
66990cf8 2169 _debug "Lets find script dir."
f3e4cea3 2170 _debug "_SCRIPT_" "$_SCRIPT_"
18e46962 2171 _script="$(_readlink "$_SCRIPT_")"
f3e4cea3 2172 _debug "_script" "$_script"
2173 _script_home="$(dirname "$_script")"
2174 _debug "_script_home" "$_script_home"
4c2a3841 2175 if [ -d "$_script_home" ]; then
f3e4cea3 2176 _SCRIPT_HOME="$_script_home"
2177 else
2178 _err "It seems the script home is not correct:$_script_home"
2179 fi
2180 fi
2181 fi
2182
219e9115 2183 # if [ -z "$LE_WORKING_DIR" ]; then
2184 # if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ]; then
2185 # _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME"
2186 # LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
2187 # else
2188 # LE_WORKING_DIR="$_SCRIPT_HOME"
2189 # fi
2190 # fi
4c2a3841 2191
2192 if [ -z "$LE_WORKING_DIR" ]; then
f3e4cea3 2193 _debug "Using default home:$DEFAULT_INSTALL_HOME"
2194 LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
2195 fi
7da50703 2196 export LE_WORKING_DIR
f3e4cea3 2197
f5b546b3 2198 if [ -z "$LE_CONFIG_HOME" ]; then
2199 LE_CONFIG_HOME="$LE_WORKING_DIR"
27dbe77f 2200 fi
f5b546b3 2201 _debug "Using config home:$LE_CONFIG_HOME"
2202 export LE_CONFIG_HOME
27dbe77f 2203
f5b546b3 2204 _DEFAULT_ACCOUNT_CONF_PATH="$LE_CONFIG_HOME/account.conf"
d53289d7 2205
4c2a3841 2206 if [ -z "$ACCOUNT_CONF_PATH" ]; then
2207 if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ]; then
8663fb7e 2208 . "$_DEFAULT_ACCOUNT_CONF_PATH"
635695ec 2209 fi
d53289d7 2210 fi
4c2a3841 2211
2212 if [ -z "$ACCOUNT_CONF_PATH" ]; then
d53289d7 2213 ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH"
4c3b3608 2214 fi
4c2a3841 2215
f5b546b3 2216 DEFAULT_LOG_FILE="$LE_CONFIG_HOME/$PROJECT_NAME.log"
4c2a3841 2217
f5b546b3 2218 DEFAULT_CA_HOME="$LE_CONFIG_HOME/ca"
4c2a3841 2219
2220 if [ -z "$LE_TEMP_DIR" ]; then
f5b546b3 2221 LE_TEMP_DIR="$LE_CONFIG_HOME/tmp"
610e0f21 2222 fi
5ea6e9c9 2223}
2224
48d9a8c1 2225#server
2226_initAPI() {
2227 _api_server="${1:-$ACME_DIRECTORY}"
2228 _debug "_init api for server: $_api_server"
4cee14f3 2229
cae50e16 2230 if [ -z "$ACME_NEW_ACCOUNT" ]; then
48d9a8c1 2231 response=$(_get "$_api_server")
2232 if [ "$?" != "0" ]; then
2233 _debug2 "response" "$response"
2234 _err "Can not init api."
2235 return 1
2236 fi
2237 _debug2 "response" "$response"
2238
2239 ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
c1151b0d 2240 if [ -z "$ACME_KEY_CHANGE" ]; then
2241 ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
2242 fi
48d9a8c1 2243 export ACME_KEY_CHANGE
2244
2245 ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
c1151b0d 2246 if [ -z "$ACME_NEW_AUTHZ" ]; then
2247 ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
2248 fi
48d9a8c1 2249 export ACME_NEW_AUTHZ
2250
cae50e16 2251 ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
a71eba07 2252 ACME_NEW_ORDER_RES="new-cert"
cae50e16 2253 if [ -z "$ACME_NEW_ORDER" ]; then
2254 ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
a71eba07 2255 ACME_NEW_ORDER_RES="new-order"
c1151b0d 2256 if [ -z "$ACME_NEW_ORDER" ]; then
2257 ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
2258 fi
cae50e16 2259 fi
2260 export ACME_NEW_ORDER
a71eba07 2261 export ACME_NEW_ORDER_RES
48d9a8c1 2262
cae50e16 2263 ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
a71eba07 2264 ACME_NEW_ACCOUNT_RES="new-reg"
cae50e16 2265 if [ -z "$ACME_NEW_ACCOUNT" ]; then
2266 ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
a71eba07 2267 ACME_NEW_ACCOUNT_RES="new-account"
c1151b0d 2268 if [ -z "$ACME_NEW_ACCOUNT" ]; then
2269 ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
2270 if [ "$ACME_NEW_ACCOUNT" ]; then
2271 export ACME_VERSION=2
2272 fi
2273 fi
cae50e16 2274 fi
2275 export ACME_NEW_ACCOUNT
a71eba07 2276 export ACME_NEW_ACCOUNT_RES
48d9a8c1 2277
2278 ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
c1151b0d 2279 if [ -z "$ACME_REVOKE_CERT" ]; then
2280 ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
2281 fi
48d9a8c1 2282 export ACME_REVOKE_CERT
2283
cae50e16 2284 ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
c1151b0d 2285 if [ -z "$ACME_NEW_NONCE" ]; then
2286 ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
2287 fi
cae50e16 2288 export ACME_NEW_NONCE
4249e13e 2289
f87890cb 2290 ACME_AGREEMENT=$(echo "$response" | _egrep_o 'terms-of-service" *: *"[^"]*"' | cut -d '"' -f 3)
c1151b0d 2291 if [ -z "$ACME_AGREEMENT" ]; then
2292 ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
2293 fi
f87890cb 2294 export ACME_AGREEMENT
cae50e16 2295
f87890cb 2296 _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
2297 _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ"
2298 _debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER"
2299 _debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT"
2300 _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
2301 _debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
c1151b0d 2302 _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
2303 _debug "ACME_VERSION" "$ACME_VERSION"
48d9a8c1 2304
f87890cb 2305 fi
48d9a8c1 2306}
2307
3281043e 2308#[domain] [keylength or isEcc flag]
5ea6e9c9 2309_initpath() {
cd9fb3b6 2310 domain="$1"
2311 _ilength="$2"
5ea6e9c9 2312
2313 __initHome
2314
4c2a3841 2315 if [ -f "$ACCOUNT_CONF_PATH" ]; then
8663fb7e 2316 . "$ACCOUNT_CONF_PATH"
4c3b3608 2317 fi
2318
4c2a3841 2319 if [ "$IN_CRON" ]; then
2320 if [ ! "$_USER_PATH_EXPORTED" ]; then
281aa349 2321 _USER_PATH_EXPORTED=1
2322 export PATH="$USER_PATH:$PATH"
2323 fi
2324 fi
4c2a3841 2325
2326 if [ -z "$CA_HOME" ]; then
5c48e139 2327 CA_HOME="$DEFAULT_CA_HOME"
2328 fi
281aa349 2329
72f54ca6 2330 if [ "$ACME_VERSION" = "2" ]; then
2331 DEFAULT_CA="$LETSENCRYPT_CA_V2"
2332 DEFAULT_STAGING_CA="$LETSENCRYPT_STAGING_CA_V2"
2333 fi
2334
48d9a8c1 2335 if [ -z "$ACME_DIRECTORY" ]; then
4c2a3841 2336 if [ -z "$STAGE" ]; then
48d9a8c1 2337 ACME_DIRECTORY="$DEFAULT_CA"
4c3b3608 2338 else
c1151b0d 2339 ACME_DIRECTORY="$DEFAULT_STAGING_CA"
48d9a8c1 2340 _info "Using stage ACME_DIRECTORY: $ACME_DIRECTORY"
4c2a3841 2341 fi
4c3b3608 2342 fi
4c2a3841 2343
270ce875 2344 _debug2 ACME_DIRECTORY "$ACME_DIRECTORY"
98394f99 2345 _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
48d9a8c1 2346 _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
2347
2348 CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
4c2a3841 2349
5c48e139 2350 _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
4c2a3841 2351
2352 if [ -z "$CA_CONF" ]; then
5c48e139 2353 CA_CONF="$_DEFAULT_CA_CONF"
2354 fi
c4236e58 2355 _debug3 CA_CONF "$CA_CONF"
4c2a3841 2356
2357 if [ -f "$CA_CONF" ]; then
5c48e139 2358 . "$CA_CONF"
2359 fi
2360
4c2a3841 2361 if [ -z "$ACME_DIR" ]; then
4c3b3608 2362 ACME_DIR="/home/.acme"
2363 fi
4c2a3841 2364
2365 if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then
f5b546b3 2366 APACHE_CONF_BACKUP_DIR="$LE_CONFIG_HOME"
4c3b3608 2367 fi
4c2a3841 2368
2369 if [ -z "$USER_AGENT" ]; then
bbbdcb09 2370 USER_AGENT="$DEFAULT_USER_AGENT"
2371 fi
4c2a3841 2372
2373 if [ -z "$HTTP_HEADER" ]; then
f5b546b3 2374 HTTP_HEADER="$LE_CONFIG_HOME/http.header"
933c169d 2375 fi
b2817897 2376
5c48e139 2377 _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
2378 _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
4c2a3841 2379
5c48e139 2380 _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
2381 _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
4c2a3841 2382 if [ -z "$ACCOUNT_KEY_PATH" ]; then
b2817897 2383 ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
4c3b3608 2384 fi
4c2a3841 2385
2386 if [ -z "$ACCOUNT_JSON_PATH" ]; then
5c48e139 2387 ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
2388 fi
4c2a3841 2389
f5b546b3 2390 _DEFAULT_CERT_HOME="$LE_CONFIG_HOME"
4c2a3841 2391 if [ -z "$CERT_HOME" ]; then
a79b26af
RD		 2392 CERT_HOME="$_DEFAULT_CERT_HOME"
2393 fi
2394
77f1ea40 2395 if [ -z "$ACME_OPENSSL_BIN" ] || [ ! -f "$ACME_OPENSSL_BIN" ] || [ ! -x "$ACME_OPENSSL_BIN" ]; then
851fedf7 2396 ACME_OPENSSL_BIN="$DEFAULT_OPENSSL_BIN"
a746139c 2397 fi
2398
cd9fb3b6 2399 if [ -z "$domain" ]; then
4c3b3608 2400 return 0
2401 fi
4c2a3841 2402
4c2a3841 2403 if [ -z "$DOMAIN_PATH" ]; then
43822d37 2404 domainhome="$CERT_HOME/$domain"
2405 domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX"
4c2a3841 2406
4c3b3608 2407 DOMAIN_PATH="$domainhome"
4c2a3841 2408
2409 if _isEccKey "$_ilength"; then
43822d37 2410 DOMAIN_PATH="$domainhomeecc"
2411 else
4c2a3841 2412 if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then
6d4e903b 2413 _info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
43822d37 2414 fi
2415 fi
2416 _debug DOMAIN_PATH "$DOMAIN_PATH"
4c3b3608 2417 fi
4c2a3841 2418
fd72cced 2419 if [ -z "$DOMAIN_BACKUP_PATH" ]; then
d88f8e86 2420 DOMAIN_BACKUP_PATH="$DOMAIN_PATH/backup"
fd72cced 2421 fi
2422
4c2a3841 2423 if [ -z "$DOMAIN_CONF" ]; then
43822d37 2424 DOMAIN_CONF="$DOMAIN_PATH/$domain.conf"
4c3b3608 2425 fi
4c2a3841 2426
2427 if [ -z "$DOMAIN_SSL_CONF" ]; then
0c9546cc 2428 DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf"
4c3b3608 2429 fi
4c2a3841 2430
2431 if [ -z "$CSR_PATH" ]; then
43822d37 2432 CSR_PATH="$DOMAIN_PATH/$domain.csr"
4c3b3608 2433 fi
4c2a3841 2434 if [ -z "$CERT_KEY_PATH" ]; then
43822d37 2435 CERT_KEY_PATH="$DOMAIN_PATH/$domain.key"
4c3b3608 2436 fi
4c2a3841 2437 if [ -z "$CERT_PATH" ]; then
43822d37 2438 CERT_PATH="$DOMAIN_PATH/$domain.cer"
4c3b3608 2439 fi
4c2a3841 2440 if [ -z "$CA_CERT_PATH" ]; then
43822d37 2441 CA_CERT_PATH="$DOMAIN_PATH/ca.cer"
4c3b3608 2442 fi
4c2a3841 2443 if [ -z "$CERT_FULLCHAIN_PATH" ]; then
43822d37 2444 CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer"
caf1fc10 2445 fi
4c2a3841 2446 if [ -z "$CERT_PFX_PATH" ]; then
43822d37 2447 CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx"
ac2d5123 2448 fi
4410226d 2449 if [ -z "$CERT_PKCS8_PATH" ]; then
2450 CERT_PKCS8_PATH="$DOMAIN_PATH/$domain.pkcs8"
2451 fi
4c2a3841 2452
2453 if [ -z "$TLS_CONF" ]; then
f94433e5 2454 TLS_CONF="$DOMAIN_PATH/tls.validation.conf"
e22bcf7c 2455 fi
4c2a3841 2456 if [ -z "$TLS_CERT" ]; then
f94433e5 2457 TLS_CERT="$DOMAIN_PATH/tls.validation.cert"
e22bcf7c 2458 fi
4c2a3841 2459 if [ -z "$TLS_KEY" ]; then
f94433e5 2460 TLS_KEY="$DOMAIN_PATH/tls.validation.key"
e22bcf7c 2461 fi
4c2a3841 2462 if [ -z "$TLS_CSR" ]; then
f94433e5 2463 TLS_CSR="$DOMAIN_PATH/tls.validation.csr"
e22bcf7c 2464 fi
4c2a3841 2465
4c3b3608 2466}
2467
610e0f21 2468_exec() {
4c2a3841 2469 if [ -z "$_EXEC_TEMP_ERR" ]; then
610e0f21 2470 _EXEC_TEMP_ERR="$(_mktemp)"
2471 fi
2472
4c2a3841 2473 if [ "$_EXEC_TEMP_ERR" ]; then
3e5b1024 2474 eval "$@ 2>>$_EXEC_TEMP_ERR"
610e0f21 2475 else
3e5b1024 2476 eval "$@"
610e0f21 2477 fi
2478}
2479
2480_exec_err() {
3e5b1024 2481 [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
610e0f21 2482}
4c3b3608 2483
2484_apachePath() {
c3dd3ef0 2485 _APACHECTL="apachectl"
4c2a3841 2486 if ! _exists apachectl; then
2487 if _exists apache2ctl; then
2488 _APACHECTL="apache2ctl"
e4a19585 2489 else
bc96082f 2490 _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'"
e4a19585 2491 _err "Please use webroot mode to try again."
2492 return 1
2493 fi
80a0a7b5 2494 fi
4c2a3841 2495
2496 if ! _exec $_APACHECTL -V >/dev/null; then
610e0f21 2497 _exec_err
2498 return 1
2499 fi
4c2a3841 2500
2501 if [ "$APACHE_HTTPD_CONF" ]; then
5be1449d 2502 _saveaccountconf APACHE_HTTPD_CONF "$APACHE_HTTPD_CONF"
2503 httpdconf="$APACHE_HTTPD_CONF"
79a267ab 2504 httpdconfname="$(basename "$httpdconfname")"
d62ee940 2505 else
4c2a3841 2506 httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"')"
5be1449d 2507 _debug httpdconfname "$httpdconfname"
4c2a3841 2508
2509 if [ -z "$httpdconfname" ]; then
5be1449d 2510 _err "Can not read apache config file."
2511 return 1
2512 fi
4c2a3841 2513
2514 if _startswith "$httpdconfname" '/'; then
5be1449d 2515 httpdconf="$httpdconfname"
79a267ab 2516 httpdconfname="$(basename "$httpdconfname")"
5be1449d 2517 else
4c2a3841 2518 httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"')"
5be1449d 2519 _debug httpdroot "$httpdroot"
2520 httpdconf="$httpdroot/$httpdconfname"
79a267ab 2521 httpdconfname="$(basename "$httpdconfname")"
5be1449d 2522 fi
d62ee940 2523 fi
78768e98 2524 _debug httpdconf "$httpdconf"
8f63baf7 2525 _debug httpdconfname "$httpdconfname"
4c2a3841 2526 if [ ! -f "$httpdconf" ]; then
78768e98 2527 _err "Apache Config file not found" "$httpdconf"
4c3b3608 2528 return 1
2529 fi
2530 return 0
2531}
2532
2533_restoreApache() {
4c2a3841 2534 if [ -z "$usingApache" ]; then
4c3b3608 2535 return 0
2536 fi
2537 _initpath
4c2a3841 2538 if ! _apachePath; then
4c3b3608 2539 return 1
2540 fi
4c2a3841 2541
2542 if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ]; then
4c3b3608 2543 _debug "No config file to restore."
2544 return 0
2545 fi
4c2a3841 2546
2547 cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
5ef501c5 2548 _debug "Restored: $httpdconf."
4c2a3841 2549 if ! _exec $_APACHECTL -t; then
610e0f21 2550 _exec_err
4c3b3608 2551 _err "Sorry, restore apache config error, please contact me."
4c2a3841 2552 return 1
4c3b3608 2553 fi
5ef501c5 2554 _debug "Restored successfully."
4c3b3608 2555 rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
4c2a3841 2556 return 0
4c3b3608 2557}
2558
2559_setApache() {
2560 _initpath
4c2a3841 2561 if ! _apachePath; then
4c3b3608 2562 return 1
2563 fi
2564
5fc5016d 2565 #test the conf first
869578ce 2566 _info "Checking if there is an error in the apache config file before starting."
4c2a3841 2567
44edb2bd 2568 if ! _exec "$_APACHECTL" -t >/dev/null; then
610e0f21 2569 _exec_err
2570 _err "The apache config file has error, please fix it first, then try again."
869578ce 2571 _err "Don't worry, there is nothing changed to your system."
4c2a3841 2572 return 1
5fc5016d 2573 else
2574 _info "OK"
2575 fi
4c2a3841 2576
4c3b3608 2577 #backup the conf
5778811a 2578 _debug "Backup apache config file" "$httpdconf"
4c2a3841 2579 if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then
869578ce 2580 _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
61a48a5b 2581 _err "This might be a bug of $PROJECT_NAME , please report issue: $PROJECT"
8f63baf7 2582 return 1
2583 fi
4c3b3608 2584 _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
2585 _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
329174b6 2586 _info "The backup file will be deleted on success, just forget it."
4c2a3841 2587
4c3b3608 2588 #add alias
4c2a3841 2589
2590 apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2)"
b09d597c 2591 _debug "apacheVer" "$apacheVer"
2592 apacheMajer="$(echo "$apacheVer" | cut -d . -f 1)"
2593 apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)"
2594
4c2a3841 2595 if [ "$apacheVer" ] && [ "$apacheMajer$apacheMinor" -ge "24" ]; then
b09d597c 2596 echo "
4c3b3608 2597Alias /.well-known/acme-challenge $ACME_DIR
2598
2599<Directory $ACME_DIR >
2600Require all granted
b09d597c 2601</Directory>
4c2a3841 2602 " >>"$httpdconf"
b09d597c 2603 else
2604 echo "
2605Alias /.well-known/acme-challenge $ACME_DIR
2606
2607<Directory $ACME_DIR >
2608Order allow,deny
2609Allow from all
4c3b3608 2610</Directory>
4c2a3841 2611 " >>"$httpdconf"
b09d597c 2612 fi
2613
4c2a3841 2614 _msg="$($_APACHECTL -t 2>&1)"
2615 if [ "$?" != "0" ]; then
5fc5016d 2616 _err "Sorry, apache config error"
4c2a3841 2617 if _restoreApache; then
869578ce 2618 _err "The apache config file is restored."
5fc5016d 2619 else
869578ce 2620 _err "Sorry, The apache config file can not be restored, please report bug."
5fc5016d 2621 fi
4c2a3841 2622 return 1
4c3b3608 2623 fi
4c2a3841 2624
2625 if [ ! -d "$ACME_DIR" ]; then
4c3b3608 2626 mkdir -p "$ACME_DIR"
2627 chmod 755 "$ACME_DIR"
2628 fi
4c2a3841 2629
44edb2bd 2630 if ! _exec "$_APACHECTL" graceful; then
4c2a3841 2631 _exec_err
610e0f21 2632 _err "$_APACHECTL graceful error, please contact me."
4c3b3608 2633 _restoreApache
4c2a3841 2634 return 1
4c3b3608 2635 fi
2636 usingApache="1"
2637 return 0
2638}
2639
9d725af6 2640#find the real nginx conf file
2641#backup
2642#set the nginx conf
2643#returns the real nginx conf file
2644_setNginx() {
2645 _d="$1"
2646 _croot="$2"
2647 _thumbpt="$3"
37f39c08 2648
9d725af6 2649 FOUND_REAL_NGINX_CONF=""
9f90618a 2650 FOUND_REAL_NGINX_CONF_LN=""
9d725af6 2651 BACKUP_NGINX_CONF=""
2652 _debug _croot "$_croot"
2653 _start_f="$(echo "$_croot" | cut -d : -f 2)"
2654 _debug _start_f "$_start_f"
2655 if [ -z "$_start_f" ]; then
2656 _debug "find start conf from nginx command"
2657 if [ -z "$NGINX_CONF" ]; then
37f39c08 2658 if ! _exists "nginx"; then
2659 _err "nginx command is not found."
2660 return 1
2661 fi
9d725af6 2662 NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "--conf-path=[^ ]* " | tr -d " ")"
2663 _debug NGINX_CONF "$NGINX_CONF"
2664 NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
2665 _debug NGINX_CONF "$NGINX_CONF"
2666 if [ ! -f "$NGINX_CONF" ]; then
2667 _err "'$NGINX_CONF' doesn't exist."
2668 NGINX_CONF=""
2669 return 1
2670 fi
2671 _debug "Found nginx conf file:$NGINX_CONF"
2672 fi
2673 _start_f="$NGINX_CONF"
2674 fi
03f8d6e9 2675 _debug "Start detect nginx conf for $_d from:$_start_f"
9d725af6 2676 if ! _checkConf "$_d" "$_start_f"; then
5378d9ca 2677 _err "Can not find conf file for domain $d"
9d725af6 2678 return 1
2679 fi
2680 _info "Found conf file: $FOUND_REAL_NGINX_CONF"
2681
9f90618a 2682 _ln=$FOUND_REAL_NGINX_CONF_LN
03f8d6e9 2683 _debug "_ln" "$_ln"
2684
2685 _lnn=$(_math $_ln + 1)
2686 _debug _lnn "$_lnn"
2687 _start_tag="$(sed -n "$_lnn,${_lnn}p" "$FOUND_REAL_NGINX_CONF")"
2688 _debug "_start_tag" "$_start_tag"
2689 if [ "$_start_tag" = "$NGINX_START" ]; then
2690 _info "The domain $_d is already configured, skip"
2691 FOUND_REAL_NGINX_CONF=""
2692 return 0
2693 fi
2694
9d725af6 2695 mkdir -p "$DOMAIN_BACKUP_PATH"
2696 _backup_conf="$DOMAIN_BACKUP_PATH/$_d.nginx.conf"
2697 _debug _backup_conf "$_backup_conf"
2698 BACKUP_NGINX_CONF="$_backup_conf"
2699 _info "Backup $FOUND_REAL_NGINX_CONF to $_backup_conf"
2700 if ! cp "$FOUND_REAL_NGINX_CONF" "$_backup_conf"; then
2701 _err "backup error."
2702 FOUND_REAL_NGINX_CONF=""
2703 return 1
2704 fi
2705
37f39c08 2706 if ! _exists "nginx"; then
2707 _err "nginx command is not found."
2708 return 1
2709 fi
9d725af6 2710 _info "Check the nginx conf before setting up."
2711 if ! _exec "nginx -t" >/dev/null; then
2712 _exec_err
2713 return 1
2714 fi
2715
2716 _info "OK, Set up nginx config file"
9d725af6 2717
302c41ed 2718 if ! sed -n "1,${_ln}p" "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"; then
03f8d6e9 2719 cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
9d725af6 2720 _err "write nginx conf error, but don't worry, the file is restored to the original version."
2721 return 1
2722 fi
2723
03f8d6e9 2724 echo "$NGINX_START
9d725af6 2725location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
2726 default_type text/plain;
2727 return 200 \"\$1.$_thumbpt\";
3c07f57a 2728}
03f8d6e9 2729#NGINX_START
2730" >>"$FOUND_REAL_NGINX_CONF"
9d725af6 2731
03f8d6e9 2732 if ! sed -n "${_lnn},99999p" "$_backup_conf" >>"$FOUND_REAL_NGINX_CONF"; then
2733 cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
9d725af6 2734 _err "write nginx conf error, but don't worry, the file is restored."
2735 return 1
2736 fi
df711b0e 2737 _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
9d725af6 2738 _info "nginx conf is done, let's check it again."
2739 if ! _exec "nginx -t" >/dev/null; then
2740 _exec_err
2741 _err "It seems that nginx conf was broken, let's restore."
302c41ed 2742 cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
9d725af6 2743 return 1
2744 fi
2745
2746 _info "Reload nginx"
2747 if ! _exec "nginx -s reload" >/dev/null; then
2748 _exec_err
2749 _err "It seems that nginx reload error, let's restore."
302c41ed 2750 cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
9d725af6 2751 return 1
2752 fi
2753
2754 return 0
2755}
2756
2757#d , conf
2758_checkConf() {
2759 _d="$1"
2760 _c_file="$2"
2761 _debug "Start _checkConf from:$_c_file"
2762 if [ ! -f "$2" ] && ! echo "$2" | grep '*$' >/dev/null && echo "$2" | grep '*' >/dev/null; then
2763 _debug "wildcard"
2764 for _w_f in $2; do
7f618e7e 2765 if [ -f "$_w_f" ] && _checkConf "$1" "$_w_f"; then
9d725af6 2766 return 0
2767 fi
2768 done
2769 #not found
2770 return 1
2771 elif [ -f "$2" ]; then
2772 _debug "single"
2773 if _isRealNginxConf "$1" "$2"; then
2774 _debug "$2 is found."
2775 FOUND_REAL_NGINX_CONF="$2"
2776 return 0
2777 fi
f08a79d3 2778 if cat "$2" | tr "\t" " " | grep "^ *include *.*;" >/dev/null; then
9d725af6 2779 _debug "Try include files"
f08a79d3 2780 for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
9d725af6 2781 _debug "check included $included"
2782 if _checkConf "$1" "$included"; then
2783 return 0
2784 fi
2785 done
2786 fi
2787 return 1
2788 else
2789 _debug "$2 not found."
2790 return 1
2791 fi
2792 return 1
2793}
2794
2795#d , conf
2796_isRealNginxConf() {
2797 _debug "_isRealNginxConf $1 $2"
302c41ed 2798 if [ -f "$2" ]; then
3f1a76d9 2799 for _fln in $(tr "\t" ' ' <"$2" | grep -n "^ *server_name.* $1" | cut -d : -f 1); do
302c41ed 2800 _debug _fln "$_fln"
2801 if [ "$_fln" ]; then
04a609b5 2802 _start=$(tr "\t" ' ' <"$2" | _head_n "$_fln" | grep -n "^ *server *" | grep -v server_name | _tail_n 1)
9f90618a 2803 _debug "_start" "$_start"
2804 _start_n=$(echo "$_start" | cut -d : -f 1)
2805 _start_nn=$(_math $_start_n + 1)
2806 _debug "_start_n" "$_start_n"
2807 _debug "_start_nn" "$_start_nn"
2808
2809 _left="$(sed -n "${_start_nn},99999p" "$2")"
2810 _debug2 _left "$_left"
012dd698 2811 _end="$(echo "$_left" | tr "\t" ' ' | grep -n "^ *server *" | grep -v server_name | _head_n 1)"
2812 _debug "_end" "$_end"
2813 if [ "$_end" ]; then
9f90618a 2814 _end_n=$(echo "$_end" | cut -d : -f 1)
2815 _debug "_end_n" "$_end_n"
2816 _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
2817 else
2818 _seg_n="$_left"
2819 fi
2820
2821 _debug "_seg_n" "$_seg_n"
2822
04a609b5 2823 _skip_ssl=1
d1067c60 2824 for _listen_i in $(echo "$_seg_n" | tr "\t" ' ' | grep "^ *listen" | tr -d " "); do
04a609b5 2825 if [ "$_listen_i" ]; then
2826 if [ "$(echo "$_listen_i" | _egrep_o "listen.*ssl[ |;]")" ]; then
2827 _debug2 "$_listen_i is ssl"
2828 else
2829 _debug2 "$_listen_i is plain text"
2830 _skip_ssl=""
c05eb0b1 2831 break
2832 fi
04a609b5 2833 fi
2834 done
2835
2836 if [ "$_skip_ssl" = "1" ]; then
9f90618a 2837 _debug "ssl on, skip"
241cfc43 2838 else
2839 FOUND_REAL_NGINX_CONF_LN=$_fln
2840 _debug3 "found FOUND_REAL_NGINX_CONF_LN" "$FOUND_REAL_NGINX_CONF_LN"
2841 return 0
450efea1 2842 fi
302c41ed 2843 fi
2844 done
9d725af6 2845 fi
302c41ed 2846 return 1
9d725af6 2847}
2848
2849#restore all the nginx conf
2850_restoreNginx() {
5d943a35 2851 if [ -z "$NGINX_RESTORE_VLIST" ]; then
9d725af6 2852 _debug "No need to restore nginx, skip."
2853 return
2854 fi
2855 _debug "_restoreNginx"
5d943a35 2856 _debug "NGINX_RESTORE_VLIST" "$NGINX_RESTORE_VLIST"
9d725af6 2857
5d943a35 2858 for ng_entry in $(echo "$NGINX_RESTORE_VLIST" | tr "$dvsep" ' '); do
9d725af6 2859 _debug "ng_entry" "$ng_entry"
2860 _nd=$(echo "$ng_entry" | cut -d "$sep" -f 1)
2861 _ngconf=$(echo "$ng_entry" | cut -d "$sep" -f 2)
2862 _ngbackupconf=$(echo "$ng_entry" | cut -d "$sep" -f 3)
2863 _info "Restoring from $_ngbackupconf to $_ngconf"
302c41ed 2864 cat "$_ngbackupconf" >"$_ngconf"
9d725af6 2865 done
2866
2867 _info "Reload nginx"
2868 if ! _exec "nginx -s reload" >/dev/null; then
2869 _exec_err
2870 _err "It seems that nginx reload error, please report bug."
2871 return 1
2872 fi
2873 return 0
2874}
2875
5ef501c5 2876_clearup() {
44edb2bd 2877 _stopserver "$serverproc"
4c3b3608 2878 serverproc=""
2879 _restoreApache
9d725af6 2880 _restoreNginx
800e3f45 2881 _clearupdns
4c2a3841 2882 if [ -z "$DEBUG" ]; then
e22bcf7c 2883 rm -f "$TLS_CONF"
2884 rm -f "$TLS_CERT"
2885 rm -f "$TLS_KEY"
2886 rm -f "$TLS_CSR"
2887 fi
4c3b3608 2888}
2889
800e3f45 2890_clearupdns() {
2891 _debug "_clearupdns"
4c2a3841 2892 if [ "$dnsadded" != 1 ] || [ -z "$vlist" ]; then
65b22b49 2893 _debug "skip dns."
800e3f45 2894 return
2895 fi
875625b1 2896 _info "Removing DNS records."
4c2a3841 2897 ventries=$(echo "$vlist" | tr ',' ' ')
875625b1 2898 _alias_index=1
4c2a3841 2899 for ventry in $ventries; do
0c538f75 2900 d=$(echo "$ventry" | cut -d "$sep" -f 1)
2901 keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
2902 vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
2903 _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
11927a76 2904 txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
21f201e3 2905 _debug txt "$txt"
4c2a3841 2906 if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
69212114 2907 _debug "$d is already verified, skip $vtype."
800e3f45 2908 continue
2909 fi
2910
4c2a3841 2911 if [ "$vtype" != "$VTYPE_DNS" ]; then
875625b1 2912 _debug "Skip $d for $vtype"
800e3f45 2913 continue
2914 fi
4c2a3841 2915
0c538f75 2916 d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
800e3f45 2917 _debug d_api "$d_api"
4c2a3841 2918
2919 if [ -z "$d_api" ]; then
800e3f45 2920 _info "Not Found domain api file: $d_api"
2921 continue
2922 fi
4c2a3841 2923
800e3f45 2924 (
d5ec5f80 2925 if ! . "$d_api"; then
800e3f45 2926 _err "Load file $d_api error. Please check your api file and try again."
2927 return 1
2928 fi
4c2a3841 2929
800e3f45 2930 rmcommand="${_currentRoot}_rm"
d5ec5f80 2931 if ! _exists "$rmcommand"; then
800e3f45 2932 _err "It seems that your api file doesn't define $rmcommand"
2933 return 1
2934 fi
4c2a3841 2935
72f54ca6 2936 _dns_root_d="$d"
2937 if _startswith "$_dns_root_d" "*."; then
2938 _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
2939 fi
875625b1 2940
2941 _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
2942 _alias_index="$(_math "$_alias_index" + 1)"
2943 _debug "_d_alias" "$_d_alias"
2944 if [ "$_d_alias" ]; then
64821ad4 2945 if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then
2946 txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")"
2947 else
2948 txtdomain="_acme-challenge.$_d_alias"
2949 fi
875625b1 2950 else
2951 txtdomain="_acme-challenge.$_dns_root_d"
2952 fi
4c2a3841 2953
21f201e3 2954 if ! $rmcommand "$txtdomain" "$txt"; then
800e3f45 2955 _err "Error removing txt for domain:$txtdomain"
2956 return 1
2957 fi
2958 )
4c2a3841 2959
800e3f45 2960 done
2961}
2962
4c3b3608 2963# webroot removelevel tokenfile
2964_clearupwebbroot() {
2965 __webroot="$1"
4c2a3841 2966 if [ -z "$__webroot" ]; then
4c3b3608 2967 _debug "no webroot specified, skip"
2968 return 0
2969 fi
4c2a3841 2970
dcf9cb58 2971 _rmpath=""
4c2a3841 2972 if [ "$2" = '1' ]; then
dcf9cb58 2973 _rmpath="$__webroot/.well-known"
4c2a3841 2974 elif [ "$2" = '2' ]; then
dcf9cb58 2975 _rmpath="$__webroot/.well-known/acme-challenge"
4c2a3841 2976 elif [ "$2" = '3' ]; then
dcf9cb58 2977 _rmpath="$__webroot/.well-known/acme-challenge/$3"
4c3b3608 2978 else
cc179731 2979 _debug "Skip for removelevel:$2"
4c3b3608 2980 fi
4c2a3841 2981
2982 if [ "$_rmpath" ]; then
2983 if [ "$DEBUG" ]; then
dcf9cb58 2984 _debug "Debugging, skip removing: $_rmpath"
2985 else
2986 rm -rf "$_rmpath"
2987 fi
2988 fi
4c2a3841 2989
4c3b3608 2990 return 0
2991
2992}
2993
b0070f03 2994_on_before_issue() {
af1cc3b3 2995 _chk_web_roots="$1"
02140ce7 2996 _chk_main_domain="$2"
2997 _chk_alt_domains="$3"
85e1f4ea 2998 _chk_pre_hook="$4"
2999 _chk_local_addr="$5"
30c2d84c 3000 _debug _on_before_issue
d0f7c309 3001 #run pre hook
85e1f4ea 3002 if [ "$_chk_pre_hook" ]; then
3003 _info "Run pre hook:'$_chk_pre_hook'"
d0f7c309 3004 if ! (
85e1f4ea 3005 cd "$DOMAIN_PATH" && eval "$_chk_pre_hook"
d0f7c309 3006 ); then
3007 _err "Error when run pre hook."
3008 return 1
3009 fi
3010 fi
3011
af1cc3b3 3012 if _hasfield "$_chk_web_roots" "$NO_VALUE"; then
3794b5cb 3013 if ! _exists "socat"; then
3014 _err "Please install socat tools first."
0463b5d6 3015 return 1
3016 fi
0463b5d6 3017 fi
3018
85e1f4ea 3019 _debug Le_LocalAddress "$_chk_local_addr"
4c2a3841 3020
02140ce7 3021 alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ')
0463b5d6 3022 _index=1
3023 _currentRoot=""
3024 _addrIndex=1
4c2a3841 3025 for d in $alldomains; do
d5ec5f80 3026 _debug "Check for domain" "$d"
af1cc3b3 3027 _currentRoot="$(_getfield "$_chk_web_roots" $_index)"
0463b5d6 3028 _debug "_currentRoot" "$_currentRoot"
3029 _index=$(_math $_index + 1)
3030 _checkport=""
4c2a3841 3031 if [ "$_currentRoot" = "$NO_VALUE" ]; then
0463b5d6 3032 _info "Standalone mode."
4c2a3841 3033 if [ -z "$Le_HTTPPort" ]; then
0463b5d6 3034 Le_HTTPPort=80
3035 else
4c2a3841 3036 _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
0463b5d6 3037 fi
3038 _checkport="$Le_HTTPPort"
4c2a3841 3039 elif [ "$_currentRoot" = "$W_TLS" ]; then
0463b5d6 3040 _info "Standalone tls mode."
4c2a3841 3041 if [ -z "$Le_TLSPort" ]; then
0463b5d6 3042 Le_TLSPort=443
3043 else
4c2a3841 3044 _savedomainconf "Le_TLSPort" "$Le_TLSPort"
0463b5d6 3045 fi
3046 _checkport="$Le_TLSPort"
3047 fi
4c2a3841 3048
3049 if [ "$_checkport" ]; then
0463b5d6 3050 _debug _checkport "$_checkport"
85e1f4ea 3051 _checkaddr="$(_getfield "$_chk_local_addr" $_addrIndex)"
0463b5d6 3052 _debug _checkaddr "$_checkaddr"
4c2a3841 3053
0463b5d6 3054 _addrIndex="$(_math $_addrIndex + 1)"
4c2a3841 3055
0463b5d6 3056 _netprc="$(_ss "$_checkport" | grep "$_checkport")"
3057 netprc="$(echo "$_netprc" | grep "$_checkaddr")"
4c2a3841 3058 if [ -z "$netprc" ]; then
0463b5d6 3059 netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
3060 fi
4c2a3841 3061 if [ "$netprc" ]; then
0463b5d6 3062 _err "$netprc"
4c2a3841 3063 _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)"
0463b5d6 3064 _err "Please stop it first"
3065 return 1
3066 fi
3067 fi
3068 done
3069
af1cc3b3 3070 if _hasfield "$_chk_web_roots" "apache"; then
4c2a3841 3071 if ! _setApache; then
0463b5d6 3072 _err "set up apache error. Report error to me."
3073 return 1
3074 fi
3075 else
3076 usingApache=""
3077 fi
3078
b0070f03 3079}
3080
3081_on_issue_err() {
85e1f4ea 3082 _chk_post_hook="$1"
58e4d337 3083 _chk_vlist="$2"
30c2d84c 3084 _debug _on_issue_err
cd8fc359 3085
4c2a3841 3086 if [ "$LOG_FILE" ]; then
a73c5b33 3087 _err "Please check log file for more details: $LOG_FILE"
3088 else
54ae008d 3089 _err "Please add '--debug' or '--log' to check more details."
a73c5b33 3090 _err "See: $_DEBUG_WIKI"
3091 fi
4c2a3841 3092
b0070f03 3093 #run the post hook
85e1f4ea 3094 if [ "$_chk_post_hook" ]; then
3095 _info "Run post hook:'$_chk_post_hook'"
b0070f03 3096 if ! (
85e1f4ea 3097 cd "$DOMAIN_PATH" && eval "$_chk_post_hook"
4c2a3841 3098 ); then
b0070f03 3099 _err "Error when run post hook."
3100 return 1
3101 fi
3102 fi
58e4d337 3103
3104 #trigger the validation to flush the pending authz
ea722da3 3105 _debug2 "_chk_vlist" "$_chk_vlist"
58e4d337 3106 if [ "$_chk_vlist" ]; then
3107 (
c719a61e 3108 _debug2 "start to deactivate authz"
3109 ventries=$(echo "$_chk_vlist" | tr "$dvsep" ' ')
3110 for ventry in $ventries; do
3111 d=$(echo "$ventry" | cut -d "$sep" -f 1)
3112 keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
3113 uri=$(echo "$ventry" | cut -d "$sep" -f 3)
3114 vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
3115 _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
f94433e5 3116 __trigger_validation "$uri" "$keyauthorization"
c719a61e 3117 done
58e4d337 3118 )
3119 fi
3120
309bec47 3121 if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "dns"; then
3122 _err "$_DNS_MANUAL_ERR"
3123 fi
3124
58e4d337 3125 if [ "$DEBUG" ] && [ "$DEBUG" -gt "0" ]; then
3126 _debug "$(_dlg_versions)"
3127 fi
3128
b0070f03 3129}
3130
3131_on_issue_success() {
85e1f4ea 3132 _chk_post_hook="$1"
3133 _chk_renew_hook="$2"
30c2d84c 3134 _debug _on_issue_success
b0070f03 3135 #run the post hook
85e1f4ea 3136 if [ "$_chk_post_hook" ]; then
3137 _info "Run post hook:'$_chk_post_hook'"
b0070f03 3138 if ! (
85e1f4ea 3139 cd "$DOMAIN_PATH" && eval "$_chk_post_hook"
4c2a3841 3140 ); then
b0070f03 3141 _err "Error when run post hook."
3142 return 1
3143 fi
3144 fi
4c2a3841 3145
b0070f03 3146 #run renew hook
85e1f4ea 3147 if [ "$IS_RENEW" ] && [ "$_chk_renew_hook" ]; then
3148 _info "Run renew hook:'$_chk_renew_hook'"
b0070f03 3149 if ! (
85e1f4ea 3150 cd "$DOMAIN_PATH" && eval "$_chk_renew_hook"
4c2a3841 3151 ); then
b0070f03 3152 _err "Error when run renew hook."
3153 return 1
3154 fi
4c2a3841 3155 fi
3156
309bec47 3157 if _hasfield "$Le_Webroot" "dns"; then
3158 _err "$_DNS_MANUAL_WARN"
3159 fi
3160
b0070f03 3161}
3162
eb59817e 3163updateaccount() {
3164 _initpath
3165 _regAccount
3166}
b0070f03 3167
eb59817e 3168registeraccount() {
57e58ce7 3169 _reg_length="$1"
eb59817e 3170 _initpath
57e58ce7 3171 _regAccount "$_reg_length"
eb59817e 3172}
d404e92d 3173
8a29fbc8 3174__calcAccountKeyHash() {
ca7202eb 3175 [ -f "$ACCOUNT_KEY_PATH" ] && _digest sha256 <"$ACCOUNT_KEY_PATH"
8a29fbc8 3176}
3177
339a8ad6 3178__calc_account_thumbprint() {
3179 printf "%s" "$jwk" | tr -d ' ' | _digest "sha256" | _url_replace
3180}
3181
57e58ce7 3182#keylength
d404e92d 3183_regAccount() {
3184 _initpath
57e58ce7 3185 _reg_length="$1"
f87890cb 3186 _debug3 _regAccount "$_regAccount"
c1151b0d 3187 _initAPI
3188
1bbc33a0 3189 mkdir -p "$CA_DIR"
5c48e139 3190 if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
3191 _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
3192 mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
3193 fi
4c2a3841 3194
5c48e139 3195 if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
3196 _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
3197 mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
3198 fi
4c2a3841 3199
3200 if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
3201 if ! _create_account_key "$_reg_length"; then
d404e92d 3202 _err "Create account key error."
3203 return 1
3204 fi
3205 fi
4c2a3841 3206
3207 if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
d404e92d 3208 return 1
3209 fi
f8d22c48 3210
c1151b0d 3211 if [ "$ACME_VERSION" = "2" ]; then
3212 regjson='{"termsOfServiceAgreed": true}'
3213 if [ "$ACCOUNT_EMAIL" ]; then
3214 regjson='{"contact": ["mailto: '$ACCOUNT_EMAIL'"], "termsOfServiceAgreed": true}'
3215 fi
3216 else
3217 _reg_res="$ACME_NEW_ACCOUNT_RES"
3218 regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
3219 if [ "$ACCOUNT_EMAIL" ]; then
3220 regjson='{"resource": "'$_reg_res'", "contact": ["mailto: '$ACCOUNT_EMAIL'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
3221 fi
f87890cb 3222 fi
4c2a3841 3223
ca7ebd93 3224 _info "Registering account"
d404e92d 3225
f87890cb 3226 if ! _send_signed_request "${ACME_NEW_ACCOUNT}" "$regjson"; then
3227 _err "Register account Error: $response"
3228 return 1
3229 fi
d404e92d 3230
f87890cb 3231 if [ "$code" = "" ] || [ "$code" = '201' ]; then
3232 echo "$response" >"$ACCOUNT_JSON_PATH"
3233 _info "Registered"
7df20e50 3234 elif [ "$code" = '409' ] || [ "$code" = '200' ]; then
f87890cb 3235 _info "Already registered"
3236 else
3237 _err "Register account Error: $response"
3238 return 1
3239 fi
d404e92d 3240
f87890cb 3241 _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
3242 _debug "_accUri" "$_accUri"
3243 _savecaconf "ACCOUNT_URL" "$_accUri"
c1151b0d 3244 export ACCOUNT_URL="$ACCOUNT_URL"
d404e92d 3245
f87890cb 3246 CA_KEY_HASH="$(__calcAccountKeyHash)"
3247 _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
3248 _savecaconf CA_KEY_HASH "$CA_KEY_HASH"
d404e92d 3249
f87890cb 3250 if [ "$code" = '403' ]; then
3251 _err "It seems that the account key is already deactivated, please use a new account key."
3252 return 1
3253 fi
4c2a3841 3254
f87890cb 3255 ACCOUNT_THUMBPRINT="$(__calc_account_thumbprint)"
3256 _info "ACCOUNT_THUMBPRINT" "$ACCOUNT_THUMBPRINT"
d404e92d 3257}
3258
422dd1fa 3259#Implement deactivate account
3260deactivateaccount() {
3261 _initpath
3262
3263 if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
422dd1fa 3264 _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
3265 mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
3266 fi
3267
3268 if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
422dd1fa 3269 _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
3270 mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
3271 fi
3272
3273 if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
3274 _err "Account key is not found at: $ACCOUNT_KEY_PATH"
3275 return 1
3276 fi
3277
3278 _accUri=$(_readcaconf "ACCOUNT_URL")
3279 _debug _accUri "$_accUri"
3280
3281 if [ -z "$_accUri" ]; then
3282 _err "The account url is empty, please run '--update-account' first to update the account info first,"
3283 _err "Then try again."
3284 return 1
3285 fi
3286
3287 if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
3288 return 1
3289 fi
3290 _initAPI
3291
d2cde379 3292 if [ "$ACME_VERSION" = "2" ]; then
3293 _djson="{\"status\":\"deactivated\"}"
3294 else
3295 _djson="{\"resource\": \"reg\", \"status\":\"deactivated\"}"
3296 fi
3297 if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then
422dd1fa 3298 _info "Deactivate account success for $_accUri."
3299 _accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
3300 elif [ "$code" = "403" ]; then
3301 _info "The account is already deactivated."
3302 _accid=$(_getfield "$_accUri" "999" "/")
3303 else
3304 _err "Deactivate: account failed for $_accUri."
3305 return 1
3306 fi
3307
3308 _debug "Account id: $_accid"
3309 if [ "$_accid" ]; then
3310 _deactivated_account_path="$CA_DIR/deactivated/$_accid"
3311 _debug _deactivated_account_path "$_deactivated_account_path"
3312 if mkdir -p "$_deactivated_account_path"; then
3313 _info "Moving deactivated account info to $_deactivated_account_path/"
3314 mv "$CA_CONF" "$_deactivated_account_path/"
3315 mv "$ACCOUNT_JSON_PATH" "$_deactivated_account_path/"
3316 mv "$ACCOUNT_KEY_PATH" "$_deactivated_account_path/"
3317 else
3318 _err "Can not create dir: $_deactivated_account_path, try to remove the deactivated account key."
3319 rm -f "$CA_CONF"
3320 rm -f "$ACCOUNT_JSON_PATH"
3321 rm -f "$ACCOUNT_KEY_PATH"
3322 fi
3323 fi
3324}
3325
a61fe418 3326# domain folder file
3327_findHook() {
3328 _hookdomain="$1"
3329 _hookcat="$2"
3330 _hookname="$3"
3331
c7b16249 3332 if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then
3333 d_api="$_SCRIPT_HOME/$_hookcat/$_hookname"
3334 elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then
3335 d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh"
4c2a3841 3336 elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then
a61fe418 3337 d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname"
4c2a3841 3338 elif [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then
a61fe418 3339 d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh"
4c2a3841 3340 elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then
a61fe418 3341 d_api="$LE_WORKING_DIR/$_hookname"
4c2a3841 3342 elif [ -f "$LE_WORKING_DIR/$_hookname.sh" ]; then
a61fe418 3343 d_api="$LE_WORKING_DIR/$_hookname.sh"
4c2a3841 3344 elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname" ]; then
a61fe418 3345 d_api="$LE_WORKING_DIR/$_hookcat/$_hookname"
4c2a3841 3346 elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname.sh" ]; then
a61fe418 3347 d_api="$LE_WORKING_DIR/$_hookcat/$_hookname.sh"
3348 fi
3349
3350 printf "%s" "$d_api"
3351}
3352
f940b2a5 3353#domain
3354__get_domain_new_authz() {
3355 _gdnd="$1"
3356 _info "Getting new-authz for domain" "$_gdnd"
40ef86f4 3357 _initAPI
f940b2a5 3358 _Max_new_authz_retry_times=5
3359 _authz_i=0
4c2a3841 3360 while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do
efd96153 3361 _debug "Try new-authz for the $_authz_i time."
48d9a8c1 3362 if ! _send_signed_request "${ACME_NEW_AUTHZ}" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then
f940b2a5 3363 _err "Can not get domain new authz."
3364 return 1
3365 fi
5413bf87 3366 if _contains "$response" "No registration exists matching provided key"; then
3367 _err "It seems there is an error, but it's recovered now, please try again."
3368 _err "If you see this message for a second time, please report bug: $(__green "$PROJECT")"
3369 _clearcaconf "CA_KEY_HASH"
3370 break
3371 fi
4c2a3841 3372 if ! _contains "$response" "An error occurred while processing your request"; then
f940b2a5 3373 _info "The new-authz request is ok."
3374 break
3375 fi
3376 _authz_i="$(_math "$_authz_i" + 1)"
9e45ac93 3377 _info "The server is busy, Sleep $_authz_i to retry."
f940b2a5 3378 _sleep "$_authz_i"
4c2a3841 3379 done
f940b2a5 3380
4c2a3841 3381 if [ "$_authz_i" = "$_Max_new_authz_retry_times" ]; then
efd96153 3382 _err "new-authz retry reach the max $_Max_new_authz_retry_times times."
f940b2a5 3383 fi
4c2a3841 3384
78915896 3385 if [ "$code" ] && [ "$code" != '201' ]; then
f940b2a5 3386 _err "new-authz error: $response"
3387 return 1
3388 fi
3389
3390}
3391
58e4d337 3392#uri keyAuthorization
f94433e5 3393__trigger_validation() {
58e4d337 3394 _debug2 "tigger domain validation."
3395 _t_url="$1"
3396 _debug2 _t_url "$_t_url"
3397 _t_key_authz="$2"
3398 _debug2 _t_key_authz "$_t_key_authz"
c1151b0d 3399 if [ "$ACME_VERSION" = "2" ]; then
3400 _send_signed_request "$_t_url" "{\"keyAuthorization\": \"$_t_key_authz\"}"
3401 else
3402 _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$_t_key_authz\"}"
3403 fi
58e4d337 3404}
3405
3c07f57a 3406#webroot, domain domainlist keylength
4c3b3608 3407issue() {
4c2a3841 3408 if [ -z "$2" ]; then
43822d37 3409 _usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
4c3b3608 3410 return 1
3411 fi
49d75a0c 3412 if [ -z "$1" ]; then
3413 _usage "Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc."
3414 return 1
3415 fi
af1cc3b3 3416 _web_roots="$1"
3417 _main_domain="$2"
02140ce7 3418 _alt_domains="$3"
d2cde379 3419
af1cc3b3 3420 if _contains "$_main_domain" ","; then
3421 _main_domain=$(echo "$2,$3" | cut -d , -f 1)
02140ce7 3422 _alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//")
2aff36e7 3423 fi
d9c9114b 3424 _key_length="$4"
85e1f4ea 3425 _real_cert="$5"
3426 _real_key="$6"
3427 _real_ca="$7"
3428 _reload_cmd="$8"
3429 _real_fullchain="$9"
3430 _pre_hook="${10}"
3431 _post_hook="${11}"
3432 _renew_hook="${12}"
3433 _local_addr="${13}"
875625b1 3434 _challenge_alias="${14}"
eccec5f6 3435 #remove these later.
af1cc3b3 3436 if [ "$_web_roots" = "dns-cf" ]; then
3437 _web_roots="dns_cf"
eccec5f6 3438 fi
af1cc3b3 3439 if [ "$_web_roots" = "dns-dp" ]; then
3440 _web_roots="dns_dp"
eccec5f6 3441 fi
af1cc3b3 3442 if [ "$_web_roots" = "dns-cx" ]; then
3443 _web_roots="dns_cx"
eccec5f6 3444 fi
4c2a3841 3445
3446 if [ ! "$IS_RENEW" ]; then
d9c9114b 3447 _initpath "$_main_domain" "$_key_length"
43822d37 3448 mkdir -p "$DOMAIN_PATH"
3449 fi
eccec5f6 3450
48d9a8c1 3451 _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
3452
3453 _initAPI
3454
4c2a3841 3455 if [ -f "$DOMAIN_CONF" ]; then
61623d22 3456 Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
a4270efa 3457 _debug Le_NextRenewTime "$Le_NextRenewTime"
95e06de5 3458 if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
bb25febd 3459 _saved_domain=$(_readdomainconf Le_Domain)
3460 _debug _saved_domain "$_saved_domain"
3461 _saved_alt=$(_readdomainconf Le_Alt)
3462 _debug _saved_alt "$_saved_alt"
02140ce7 3463 if [ "$_saved_domain,$_saved_alt" = "$_main_domain,$_alt_domains" ]; then
bb25febd 3464 _info "Domains not changed."
3465 _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")"
4c2a3841 3466 _info "Add '$(__red '--force')' to force to renew."
bb25febd 3467 return $RENEW_SKIP
3468 else
3469 _info "Domains have changed."
3470 fi
4c3b3608 3471 fi
3472 fi
96a46cfc 3473
af1cc3b3 3474 _savedomainconf "Le_Domain" "$_main_domain"
02140ce7 3475 _savedomainconf "Le_Alt" "$_alt_domains"
af1cc3b3 3476 _savedomainconf "Le_Webroot" "$_web_roots"
4c2a3841 3477
85e1f4ea 3478 _savedomainconf "Le_PreHook" "$_pre_hook"
3479 _savedomainconf "Le_PostHook" "$_post_hook"
3480 _savedomainconf "Le_RenewHook" "$_renew_hook"
4c2a3841 3481
85e1f4ea 3482 if [ "$_local_addr" ]; then
3483 _savedomainconf "Le_LocalAddress" "$_local_addr"
72518d48 3484 else
3485 _cleardomainconf "Le_LocalAddress"
3486 fi
875625b1 3487 if [ "$_challenge_alias" ]; then
3488 _savedomainconf "Le_ChallengeAlias" "$_challenge_alias"
3489 else
3490 _cleardomainconf "Le_ChallengeAlias"
3491 fi
6ae0f7f5 3492
48d9a8c1 3493 Le_API="$ACME_DIRECTORY"
f6dcd989 3494 _savedomainconf "Le_API" "$Le_API"
4c2a3841 3495
02140ce7 3496 if [ "$_alt_domains" = "$NO_VALUE" ]; then
3497 _alt_domains=""
4c3b3608 3498 fi
4c2a3841 3499
d9c9114b 3500 if [ "$_key_length" = "$NO_VALUE" ]; then
3501 _key_length=""
d404e92d 3502 fi
4c2a3841 3503
85e1f4ea 3504 if ! _on_before_issue "$_web_roots" "$_main_domain" "$_alt_domains" "$_pre_hook" "$_local_addr"; then
0463b5d6 3505 _err "_on_before_issue."
3506 return 1
4c3b3608 3507 fi
0463b5d6 3508
8a29fbc8 3509 _saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")"
3510 _debug2 _saved_account_key_hash "$_saved_account_key_hash"
4c2a3841 3511
3512 if [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then
57e58ce7 3513 if ! _regAccount "$_accountkeylength"; then
85e1f4ea 3514 _on_issue_err "$_post_hook"
8a29fbc8 3515 return 1
3516 fi
57e58ce7 3517 else
3518 _debug "_saved_account_key_hash is not changed, skip register account."
166096dc 3519 fi
166096dc 3520
4c2a3841 3521 if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
10afcaca 3522 _info "Signing from existing CSR."
3523 else
3524 _key=$(_readdomainconf Le_Keylength)
3525 _debug "Read key length:$_key"
c4b2e582 3526 if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
d9c9114b 3527 if ! createDomainKey "$_main_domain" "$_key_length"; then
10afcaca 3528 _err "Create domain key error."
3529 _clearup
85e1f4ea 3530 _on_issue_err "$_post_hook"
10afcaca 3531 return 1
3532 fi
3533 fi
3534
02140ce7 3535 if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then
10afcaca 3536 _err "Create CSR error."
5ef501c5 3537 _clearup
85e1f4ea 3538 _on_issue_err "$_post_hook"
41e3eafa 3539 return 1
3540 fi
4c3b3608 3541 fi
10afcaca 3542
d9c9114b 3543 _savedomainconf "Le_Keylength" "$_key_length"
4c2a3841 3544
4c3b3608 3545 vlist="$Le_Vlist"
cae203be 3546
3547 _info "Getting domain auth token for each domain"
4c3b3608 3548 sep='#'
9d725af6 3549 dvsep=','
4c2a3841 3550 if [ -z "$vlist" ]; then
d2cde379 3551 if [ "$ACME_VERSION" = "2" ]; then
c1151b0d 3552 #make new order request
3553 _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}"
3554 for d in $(echo "$_alt_domains" | tr ',' ' '); do
c1151b0d 3555 if [ "$d" ]; then
3556 _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
3557 fi
3558 done
3559 _debug2 _identifiers "$_identifiers"
3560 if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
3561 _err "Create new order error."
3562 _clearup
3563 _on_issue_err "$_post_hook"
3564 return 1
3565 fi
3566
d2cde379 3567 Le_OrderFinalize="$(echo "$response" | tr -d '\r\n' | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
3568 _debug Le_OrderFinalize "$Le_OrderFinalize"
3569 if [ -z "$Le_OrderFinalize" ]; then
78915896 3570 _err "Create new order error. Le_OrderFinalize not found. $response"
c1151b0d 3571 _clearup
3572 _on_issue_err "$_post_hook"
3573 return 1
3574 fi
3575
3576 #for dns manual mode
d2cde379 3577 _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
c1151b0d 3578
f8d22c48 3579 _authorizations_seg="$(echo "$response" | tr -d '\r\n' | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
c1151b0d 3580 _debug2 _authorizations_seg "$_authorizations_seg"
3581 if [ -z "$_authorizations_seg" ]; then
3582 _err "_authorizations_seg not found."
3583 _clearup
3584 _on_issue_err "$_post_hook"
3585 return 1
3586 fi
3587
3588 #domain and authz map
3589 _authorizations_map=""
f8d22c48 3590 for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
c1151b0d 3591 _debug2 "_authz_url" "$_authz_url"
3592 if ! response="$(_get "$_authz_url")"; then
3593 _err "get to authz error."
3594 _clearup
3595 _on_issue_err "$_post_hook"
3596 return 1
3597 fi
3598
3599 response="$(echo "$response" | _normalizeJson)"
3600 _debug2 response "$response"
3601 _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
72f54ca6 3602 if _contains "$response" "\"wildcard\" *: *true"; then
3603 _d="*.$_d"
3604 fi
c1151b0d 3605 _debug2 _d "$_d"
3606 _authorizations_map="$_d,$response
3607$_authorizations_map"
3608 done
3609 _debug2 _authorizations_map "$_authorizations_map"
3610 fi
3611
02140ce7 3612 alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ')
c1151b0d 3613 _index=0
a63b05a9 3614 _currentRoot=""
4c2a3841 3615 for d in $alldomains; do
ca7202eb 3616 _info "Getting webroot for domain" "$d"
c1151b0d 3617 _index=$(_math $_index + 1)
af1cc3b3 3618 _w="$(echo $_web_roots | cut -d , -f $_index)"
9d725af6 3619 _debug _w "$_w"
4c2a3841 3620 if [ "$_w" ]; then
a63b05a9 3621 _currentRoot="$_w"
3622 fi
3623 _debug "_currentRoot" "$_currentRoot"
4c2a3841 3624
a63b05a9 3625 vtype="$VTYPE_HTTP"
c1151b0d 3626 #todo, v2 wildcard force to use dns
4c2a3841 3627 if _startswith "$_currentRoot" "dns"; then
a63b05a9 3628 vtype="$VTYPE_DNS"
3629 fi
4c2a3841 3630
3631 if [ "$_currentRoot" = "$W_TLS" ]; then
c1151b0d 3632 if [ "$ACME_VERSION" = "2" ]; then
3633 vtype="$VTYPE_TLS2"
3634 else
3635 vtype="$VTYPE_TLS"
3636 fi
e22bcf7c 3637 fi
c4d8fd83 3638
c1151b0d 3639 if [ "$ACME_VERSION" = "2" ]; then
3640 response="$(echo "$_authorizations_map" | grep "^$d," | sed "s/$d,//")"
3641 _debug2 "response" "$response"
3642 if [ -z "$response" ]; then
3643 _err "get to authz error."
3644 _clearup
3645 _on_issue_err "$_post_hook"
3646 return 1
3647 fi
3648 else
3649 if ! __get_domain_new_authz "$d"; then
3650 _clearup
3651 _on_issue_err "$_post_hook"
3652 return 1
3653 fi
c4d8fd83 3654 fi
3655
4c2a3841 3656 if [ -z "$thumbprint" ]; then
339a8ad6 3657 thumbprint="$(__calc_account_thumbprint)"
4c3b3608 3658 fi
3659
4c2a3841 3660 entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
4c3b3608 3661 _debug entry "$entry"
4c2a3841 3662 if [ -z "$entry" ]; then
584fb290 3663 _err "Error, can not get domain token entry $d"
a63766a0 3664 _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
b51ed9bb 3665 if [ "$_supported_vtypes" ]; then
3666 _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
3667 fi
19539575 3668 _clearup
85e1f4ea 3669 _on_issue_err "$_post_hook"
19539575 3670 return 1
3671 fi
22ea4004 3672 token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
ca7202eb 3673 _debug token "$token"
4c2a3841 3674
584fb290 3675 if [ -z "$token" ]; then
3676 _err "Error, can not get domain token $entry"
3677 _clearup
3678 _on_issue_err "$_post_hook"
3679 return 1
3680 fi
c1151b0d 3681 if [ "$ACME_VERSION" = "2" ]; then
3682 uri="$(printf "%s\n" "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
3683 else
3684 uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
3685 fi
ca7202eb 3686 _debug uri "$uri"
cae203be 3687
584fb290 3688 if [ -z "$uri" ]; then
3689 _err "Error, can not get domain uri. $entry"
3690 _clearup
3691 _on_issue_err "$_post_hook"
3692 return 1
3693 fi
4c3b3608 3694 keyauthorization="$token.$thumbprint"
3695 _debug keyauthorization "$keyauthorization"
3696
95e06de5 3697 if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
c1151b0d 3698 _debug "$d is already verified."
ca7202eb 3699 keyauthorization="$STATE_VERIFIED"
d35bf517 3700 _debug keyauthorization "$keyauthorization"
ec603bee 3701 fi
3702
a63b05a9 3703 dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
4c3b3608 3704 _debug dvlist "$dvlist"
4c2a3841 3705
9d725af6 3706 vlist="$vlist$dvlist$dvsep"
4c3b3608 3707
3708 done
9d725af6 3709 _debug vlist "$vlist"
4c3b3608 3710 #add entry
3711 dnsadded=""
9d725af6 3712 ventries=$(echo "$vlist" | tr "$dvsep" ' ')
1f7df33e 3713 _alias_index=1
4c2a3841 3714 for ventry in $ventries; do
ca7202eb 3715 d=$(echo "$ventry" | cut -d "$sep" -f 1)
3716 keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
3717 vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
3718 _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
72f54ca6 3719 _debug d "$d"
4c2a3841 3720 if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
69212114 3721 _debug "$d is already verified, skip $vtype."
ec603bee 3722 continue
3723 fi
3724
4c2a3841 3725 if [ "$vtype" = "$VTYPE_DNS" ]; then
4c3b3608 3726 dnsadded='0'
72f54ca6 3727 _dns_root_d="$d"
3728 if _startswith "$_dns_root_d" "*."; then
3729 _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
3730 fi
875625b1 3731 _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
3732 _alias_index="$(_math "$_alias_index" + 1)"
3733 _debug "_d_alias" "$_d_alias"
3734 if [ "$_d_alias" ]; then
64821ad4 3735 if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then
3736 txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")"
3737 else
3738 txtdomain="_acme-challenge.$_d_alias"
3739 fi
875625b1 3740 else
3741 txtdomain="_acme-challenge.$_dns_root_d"
3742 fi
4c3b3608 3743 _debug txtdomain "$txtdomain"
11927a76 3744 txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
4c3b3608 3745 _debug txt "$txt"
a61fe418 3746
72f54ca6 3747 d_api="$(_findHook "$_dns_root_d" dnsapi "$_currentRoot")"
a61fe418 3748
4c3b3608 3749 _debug d_api "$d_api"
4c2a3841 3750
3751 if [ "$d_api" ]; then
4c3b3608 3752 _info "Found domain api file: $d_api"
3753 else
5f8b60a0 3754 _info "$(__red "Add the following TXT record:")"
81772fb7 3755 _info "$(__red "Domain: '$(__green "$txtdomain")'")"
3756 _info "$(__red "TXT value: '$(__green "$txt")'")"
3757 _info "$(__red "Please be aware that you prepend _acme-challenge. before your domain")"
3758 _info "$(__red "so the resulting subdomain will be: $txtdomain")"
4c3b3608 3759 continue
3760 fi
4c2a3841 3761
73b8b120 3762 (
ca7202eb 3763 if ! . "$d_api"; then
73b8b120 3764 _err "Load file $d_api error. Please check your api file and try again."
3765 return 1
3766 fi
4c2a3841 3767
158f22f7 3768 addcommand="${_currentRoot}_add"
ca7202eb 3769 if ! _exists "$addcommand"; then
73b8b120 3770 _err "It seems that your api file is not correct, it must have a function named: $addcommand"
3771 return 1
3772 fi
4c2a3841 3773
ca7202eb 3774 if ! $addcommand "$txtdomain" "$txt"; then
73b8b120 3775 _err "Error add txt for domain:$txtdomain"
3776 return 1
3777 fi
3778 )
4c2a3841 3779
3780 if [ "$?" != "0" ]; then
5ef501c5 3781 _clearup
ea722da3 3782 _on_issue_err "$_post_hook" "$vlist"
4c3b3608 3783 return 1
3784 fi
3785 dnsadded='1'
3786 fi
3787 done
3788
4c2a3841 3789 if [ "$dnsadded" = '0' ]; then
3790 _savedomainconf "Le_Vlist" "$vlist"
4c3b3608 3791 _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
3792 _err "Please add the TXT records to the domains, and retry again."
5ef501c5 3793 _clearup
5f8b60a0 3794 _on_issue_err "$_post_hook"
4c3b3608 3795 return 1
3796 fi
4c2a3841 3797
4c3b3608 3798 fi
4c2a3841 3799
3800 if [ "$dnsadded" = '1' ]; then
3801 if [ -z "$Le_DNSSleep" ]; then
ca7202eb 3802 Le_DNSSleep="$DEFAULT_DNS_SLEEP"
0e38c60d 3803 else
4c2a3841 3804 _savedomainconf "Le_DNSSleep" "$Le_DNSSleep"
0e38c60d 3805 fi
3806
5fbc47eb 3807 _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect"
ca7202eb 3808 _sleep "$Le_DNSSleep"
4c3b3608 3809 fi
4c2a3841 3810
5d943a35 3811 NGINX_RESTORE_VLIST=""
4c3b3608 3812 _debug "ok, let's start to verify"
a63b05a9 3813
0463b5d6 3814 _ncIndex=1
9d725af6 3815 ventries=$(echo "$vlist" | tr "$dvsep" ' ')
4c2a3841 3816 for ventry in $ventries; do
ca7202eb 3817 d=$(echo "$ventry" | cut -d "$sep" -f 1)
3818 keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
3819 uri=$(echo "$ventry" | cut -d "$sep" -f 3)
3820 vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
3821 _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
ec603bee 3822
4c2a3841 3823 if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
ec603bee 3824 _info "$d is already verified, skip $vtype."
3825 continue
3826 fi
3827
4c3b3608 3828 _info "Verifying:$d"
3829 _debug "d" "$d"
3830 _debug "keyauthorization" "$keyauthorization"
3831 _debug "uri" "$uri"
3832 removelevel=""
e22bcf7c 3833 token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
a63b05a9 3834
3835 _debug "_currentRoot" "$_currentRoot"
3836
4c2a3841 3837 if [ "$vtype" = "$VTYPE_HTTP" ]; then
3838 if [ "$_currentRoot" = "$NO_VALUE" ]; then
4c3b3608 3839 _info "Standalone mode server"
85e1f4ea 3840 _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
0463b5d6 3841 _ncIndex="$(_math $_ncIndex + 1)"
3794b5cb 3842 _startserver "$keyauthorization" "$_ncaddr"
4c2a3841 3843 if [ "$?" != "0" ]; then
5ef501c5 3844 _clearup
58e4d337 3845 _on_issue_err "$_post_hook" "$vlist"
6fc1447f 3846 return 1
3847 fi
5dbf664a 3848 sleep 1
ca7202eb 3849 _debug serverproc "$serverproc"
0e44f587 3850 elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then
3851 _info "Stateless mode for domain:$d"
3852 _sleep 1
9d725af6 3853 elif _startswith "$_currentRoot" "$NGINX"; then
3854 _info "Nginx mode for domain:$d"
3855 #set up nginx server
3856 FOUND_REAL_NGINX_CONF=""
3857 BACKUP_NGINX_CONF=""
3858 if ! _setNginx "$d" "$_currentRoot" "$thumbprint"; then
3859 _clearup
58e4d337 3860 _on_issue_err "$_post_hook" "$vlist"
9d725af6 3861 return 1
03f8d6e9 3862 fi
302c41ed 3863
03f8d6e9 3864 if [ "$FOUND_REAL_NGINX_CONF" ]; then
9d725af6 3865 _realConf="$FOUND_REAL_NGINX_CONF"
3866 _backup="$BACKUP_NGINX_CONF"
3867 _debug _realConf "$_realConf"
5d943a35 3868 NGINX_RESTORE_VLIST="$d$sep$_realConf$sep$_backup$dvsep$NGINX_RESTORE_VLIST"
9d725af6 3869 fi
3870 _sleep 1
4c3b3608 3871 else
4c2a3841 3872 if [ "$_currentRoot" = "apache" ]; then
6f930641 3873 wellknown_path="$ACME_DIR"
3874 else
a63b05a9 3875 wellknown_path="$_currentRoot/.well-known/acme-challenge"
4c2a3841 3876 if [ ! -d "$_currentRoot/.well-known" ]; then
6f930641 3877 removelevel='1'
4c2a3841 3878 elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then
6f930641 3879 removelevel='2'
3880 else
3881 removelevel='3'
3882 fi
4c3b3608 3883 fi
6f930641 3884
4c3b3608 3885 _debug wellknown_path "$wellknown_path"
6f930641 3886
4c3b3608 3887 _debug "writing token:$token to $wellknown_path/$token"
3888
3889 mkdir -p "$wellknown_path"
93fc48a2 3890
4c2a3841 3891 if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then
93fc48a2 3892 _err "$d:Can not write token to file : $wellknown_path/$token"
3893 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
3894 _clearup
58e4d337 3895 _on_issue_err "$_post_hook" "$vlist"
93fc48a2 3896 return 1
3897 fi
3898
4c2a3841 3899 if [ ! "$usingApache" ]; then
44edb2bd 3900 if webroot_owner=$(_stat "$_currentRoot"); then
32fdc196 3901 _debug "Changing owner/group of .well-known to $webroot_owner"
c87cd0de 3902 if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
3903 _debug "$(cat "$_EXEC_TEMP_ERR")"
3904 _exec_err >/dev/null 2>&1
3905 fi
32fdc196 3906 else
b54ce310 3907 _debug "not changing owner/group of webroot"
32fdc196 3908 fi
df886ffa 3909 fi
4c2a3841 3910
4c3b3608 3911 fi
4c2a3841 3912
3913 elif [ "$vtype" = "$VTYPE_TLS" ]; then
e22bcf7c 3914 #create A
3915 #_hash_A="$(printf "%s" $token | _digest "sha256" "hex" )"
3916 #_debug2 _hash_A "$_hash_A"
3917 #_x="$(echo $_hash_A | cut -c 1-32)"
3918 #_debug2 _x "$_x"
3919 #_y="$(echo $_hash_A | cut -c 33-64)"
3920 #_debug2 _y "$_y"
3921 #_SAN_A="$_x.$_y.token.acme.invalid"
3922 #_debug2 _SAN_A "$_SAN_A"
4c2a3841 3923
e22bcf7c 3924 #create B
0c538f75 3925 _hash_B="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
e22bcf7c 3926 _debug2 _hash_B "$_hash_B"
0c538f75 3927 _x="$(echo "$_hash_B" | cut -c 1-32)"
e22bcf7c 3928 _debug2 _x "$_x"
0c538f75 3929 _y="$(echo "$_hash_B" | cut -c 33-64)"
e22bcf7c 3930 _debug2 _y "$_y"
4c2a3841 3931
e22bcf7c 3932 #_SAN_B="$_x.$_y.ka.acme.invalid"
4c2a3841 3933
e22bcf7c 3934 _SAN_B="$_x.$_y.acme.invalid"
3935 _debug2 _SAN_B "$_SAN_B"
4c2a3841 3936
85e1f4ea 3937 _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")"
0c538f75 3938 _ncIndex="$(_math "$_ncIndex" + 1)"
0463b5d6 3939 if ! _starttlsserver "$_SAN_B" "$_SAN_A" "$Le_TLSPort" "$keyauthorization" "$_ncaddr"; then
e22bcf7c 3940 _err "Start tls server error."
3941 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
3942 _clearup
58e4d337 3943 _on_issue_err "$_post_hook" "$vlist"
e22bcf7c 3944 return 1
3945 fi
4c3b3608 3946 fi
4c2a3841 3947
f94433e5 3948 if ! __trigger_validation "$uri" "$keyauthorization"; then
c4d8fd83 3949 _err "$d:Can not get challenge: $response"
3950 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
3951 _clearup
58e4d337 3952 _on_issue_err "$_post_hook" "$vlist"
c4d8fd83 3953 return 1
3954 fi
4c2a3841 3955
c1151b0d 3956 if [ "$code" ] && [ "$code" != '202' ]; then
3957 if [ "$ACME_VERSION" = "2" ] && [ "$code" = '200' ]; then
3958 _debug "trigger validation code: $code"
3959 else
3960 _err "$d:Challenge error: $response"
3961 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
3962 _clearup
3963 _on_issue_err "$_post_hook" "$vlist"
3964 return 1
3965 fi
4c3b3608 3966 fi
4c2a3841 3967
6fc1447f 3968 waittimes=0
4c2a3841 3969 if [ -z "$MAX_RETRY_TIMES" ]; then
6fc1447f 3970 MAX_RETRY_TIMES=30
3971 fi
4c2a3841 3972
3973 while true; do
0c538f75 3974 waittimes=$(_math "$waittimes" + 1)
4c2a3841 3975 if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then
6fc1447f 3976 _err "$d:Timeout"
3977 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
3978 _clearup
58e4d337 3979 _on_issue_err "$_post_hook" "$vlist"
6fc1447f 3980 return 1
3981 fi
4c2a3841 3982
5dbf664a 3983 _debug "sleep 2 secs to verify"
3984 sleep 2
4c3b3608 3985 _debug "checking"
44edb2bd 3986 response="$(_get "$uri")"
4c2a3841 3987 if [ "$?" != "0" ]; then
c60883ef 3988 _err "$d:Verify error:$response"
a63b05a9 3989 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
4c3b3608 3990 _clearup
58e4d337 3991 _on_issue_err "$_post_hook" "$vlist"
4c3b3608 3992 return 1
3993 fi
9aaf36cd 3994 _debug2 original "$response"
4c2a3841 3995
3996 response="$(echo "$response" | _normalizeJson)"
7012b91f 3997 _debug2 response "$response"
4c2a3841 3998
3999 status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
4000 if [ "$status" = "valid" ]; then
93f3098a 4001 _info "$(__green Success)"
ca7202eb 4002 _stopserver "$serverproc"
4c3b3608 4003 serverproc=""
a63b05a9 4004 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
4c2a3841 4005 break
4c3b3608 4006 fi
4c2a3841 4007
4008 if [ "$status" = "invalid" ]; then
4009 error="$(echo "$response" | tr -d "\r\n" | _egrep_o '"error":\{[^\}]*')"
4010 _debug2 error "$error"
4011 errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
4012 _debug2 errordetail "$errordetail"
4013 if [ "$errordetail" ]; then
4014 _err "$d:Verify error:$errordetail"
4015 else
4016 _err "$d:Verify error:$error"
4017 fi
4018 if [ "$DEBUG" ]; then
4019 if [ "$vtype" = "$VTYPE_HTTP" ]; then
4020 _debug "Debug: get token url."
4021 _get "http://$d/.well-known/acme-challenge/$token" "" 1
4022 fi
4023 fi
a63b05a9 4024 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
4c3b3608 4025 _clearup
58e4d337 4026 _on_issue_err "$_post_hook" "$vlist"
4c2a3841 4027 return 1
4c3b3608 4028 fi
4c2a3841 4029
4030 if [ "$status" = "pending" ]; then
4c3b3608 4031 _info "Pending"
4032 else
4c2a3841 4033 _err "$d:Verify error:$response"
a63b05a9 4034 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
4c3b3608 4035 _clearup
58e4d337 4036 _on_issue_err "$_post_hook" "$vlist"
4c3b3608 4037 return 1
4038 fi
4c2a3841 4039
4c3b3608 4040 done
4c2a3841 4041
4c3b3608 4042 done
4043
4044 _clearup
4045 _info "Verify finished, start to sign."
11927a76 4046 der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
4c2a3841 4047
c1151b0d 4048 if [ "$ACME_VERSION" = "2" ]; then
d2cde379 4049 if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
c1151b0d 4050 _err "Sign failed."
4051 _on_issue_err "$_post_hook"
4052 return 1
4053 fi
4054 if [ "$code" != "200" ]; then
4055 _err "Sign failed, code is not 200."
4056 _on_issue_err "$_post_hook"
4057 return 1
4058 fi
f8d22c48 4059 Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
4c2a3841 4060
f8d22c48 4061 if ! _get "$Le_LinkCert" >"$CERT_PATH"; then
c1151b0d 4062 _err "Sign failed, code is not 200."
4063 _on_issue_err "$_post_hook"
4064 return 1
4065 fi
4c3b3608 4066
1c35f46b 4067 if [ "$(grep -- "$BEGIN_CERT" "$CERT_PATH" | wc -l)" -gt "1" ]; then
4068 _debug "Found cert chain"
120cde16 4069 cat "$CERT_PATH" >"$CERT_FULLCHAIN_PATH"
1c35f46b 4070 _end_n="$(grep -n -- "$END_CERT" "$CERT_FULLCHAIN_PATH" | _head_n 1 | cut -d : -f 1)"
4071 _debug _end_n "$_end_n"
120cde16 4072 sed -n "1,${_end_n}p" "$CERT_FULLCHAIN_PATH" >"$CERT_PATH"
1c35f46b 4073 _end_n="$(_math $_end_n + 1)"
120cde16 4074 sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH"
1c35f46b 4075 fi
c1151b0d 4076 else
4077 if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
4078 _err "Sign failed."
4079 _on_issue_err "$_post_hook"
4080 return 1
4081 fi
4082 _rcert="$response"
4083 Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
4c2a3841 4084 echo "$BEGIN_CERT" >"$CERT_PATH"
4c3b3608 4085
72518d48 4086 #if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
4087 # _debug "Get cert failed. Let's try last response."
3c07f57a 4088 # printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
72518d48 4089 #fi
4c2a3841 4090
4091 if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
72518d48 4092 _debug "Try cert link."
4c2a3841 4093 _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
d404e92d 4094 fi
4095
4c2a3841 4096 echo "$END_CERT" >>"$CERT_PATH"
c1151b0d 4097 fi
4098
4099 _debug "Le_LinkCert" "$Le_LinkCert"
4100 _savedomainconf "Le_LinkCert" "$Le_LinkCert"
4101
183063a2 4102 if [ -z "$Le_LinkCert" ] || ! _checkcert "$CERT_PATH"; then
716f7277 4103 response="$(echo "$response" | _dbase64 "multiline" | tr -d '\0' | _normalizeJson)"
183063a2 4104 _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
4105 _on_issue_err "$_post_hook"
4106 return 1
4107 fi
4108
c1151b0d 4109 if [ "$Le_LinkCert" ]; then
43822d37 4110 _info "$(__green "Cert success.")"
4c3b3608 4111 cat "$CERT_PATH"
5980ebc7 4112
4c2a3841 4113 _info "Your cert is in $(__green " $CERT_PATH ")"
4114
4115 if [ -f "$CERT_KEY_PATH" ]; then
4116 _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
5980ebc7 4117 fi
4118
4c2a3841 4119 if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
281aa349 4120 USER_PATH="$PATH"
4121 _saveaccountconf "USER_PATH" "$USER_PATH"
4122 fi
4c3b3608 4123 fi
4c3b3608 4124
4c2a3841 4125 _cleardomainconf "Le_Vlist"
4126
1c35f46b 4127 if [ "$ACME_VERSION" = "2" ]; then
4128 _debug "v2 chain."
4129 else
183063a2 4130 cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
1c35f46b 4131 Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
d8ba26e6 4132
1c35f46b 4133 if [ "$Le_LinkIssuer" ]; then
4134 if ! _contains "$Le_LinkIssuer" ":"; then
4135 _info "$(__red "Relative issuer link found.")"
4136 Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
d8ba26e6 4137 fi
1c35f46b 4138 _debug Le_LinkIssuer "$Le_LinkIssuer"
4139 _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
d8ba26e6 4140
1c35f46b 4141 _link_issuer_retry=0
4142 _MAX_ISSUER_RETRY=5
4143 while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
4144 _debug _link_issuer_retry "$_link_issuer_retry"
4145 if [ "$ACME_VERSION" = "2" ]; then
4146 if _get "$Le_LinkIssuer" >"$CA_CERT_PATH"; then
4147 break
4148 fi
4149 else
4150 if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
4151 echo "$BEGIN_CERT" >"$CA_CERT_PATH"
4152 _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
4153 echo "$END_CERT" >>"$CA_CERT_PATH"
183063a2 4154 if !_checkcert "$CA_CERT_PATH"; then
4155 _err "Can not get the ca cert."
4156 break
4157 fi
1c35f46b 4158 cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
4159 rm -f "$CA_CERT_PATH.der"
4160 break
4161 fi
c1151b0d 4162 fi
1c35f46b 4163 _link_issuer_retry=$(_math $_link_issuer_retry + 1)
4164 _sleep "$_link_issuer_retry"
4165 done
4166 if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
4167 _err "Max retry for issuer ca cert is reached."
d8ba26e6 4168 fi
1c35f46b 4169 else
4170 _debug "No Le_LinkIssuer header found."
d8ba26e6 4171 fi
4c3b3608 4172 fi
1c35f46b 4173 [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
4174 [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
4c2a3841 4175
3aae1ae3 4176 Le_CertCreateTime=$(_time)
4c2a3841 4177 _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime"
4178
4179 Le_CertCreateTimeStr=$(date -u)
4180 _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
4181
4182 if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ] || [ "$Le_RenewalDays" -gt "$MAX_RENEW" ]; then
ca7202eb 4183 Le_RenewalDays="$MAX_RENEW"
054cb72e 4184 else
4c2a3841 4185 _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
13d7cae9 4186 fi
4c2a3841 4187
4188 if [ "$CA_BUNDLE" ]; then
78009539
PS		 4189 _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
4190 else
4191 _clearaccountconf "CA_BUNDLE"
4192 fi
4193
2aa75f03 4194 if [ "$CA_PATH" ]; then
4195 _saveaccountconf CA_PATH "$CA_PATH"
4196 else
4197 _clearaccountconf "CA_PATH"
4198 fi
78009539 4199
4c2a3841 4200 if [ "$HTTPS_INSECURE" ]; then
fac1e367 4201 _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
4202 else
4c2a3841 4203 _clearaccountconf "HTTPS_INSECURE"
13d7cae9 4204 fi
00a50605 4205
4c2a3841 4206 if [ "$Le_Listen_V4" ]; then
4207 _savedomainconf "Le_Listen_V4" "$Le_Listen_V4"
50827188 4208 _cleardomainconf Le_Listen_V6
4c2a3841 4209 elif [ "$Le_Listen_V6" ]; then
4210 _savedomainconf "Le_Listen_V6" "$Le_Listen_V6"
50827188 4211 _cleardomainconf Le_Listen_V4
4212 fi
f6dcd989 4213
c4b2e582 4214 if [ "$Le_ForceNewDomainKey" = "1" ]; then
4215 _savedomainconf "Le_ForceNewDomainKey" "$Le_ForceNewDomainKey"
4216 else
4217 _cleardomainconf Le_ForceNewDomainKey
4218 fi
4219
ca7202eb 4220 Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
4c2a3841 4221
ca7202eb 4222 Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
4c2a3841 4223 _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
4224
ca7202eb 4225 Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
4c2a3841 4226 _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
f6dcd989 4227
6104680c 4228 if ! _on_issue_success "$_post_hook" "$_renew_hook"; then
4229 _err "Call hook error."
4230 return 1
4231 fi
4c3b3608 4232
85e1f4ea 4233 if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
4234 _savedomainconf "Le_RealCertPath" "$_real_cert"
4235 _savedomainconf "Le_RealCACertPath" "$_real_ca"
4236 _savedomainconf "Le_RealKeyPath" "$_real_key"
4237 _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
4238 _savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
044da37c 4239 _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
01f54558 4240 fi
4c0d3f1b 4241
4c3b3608 4242}
4243
43822d37 4244#domain [isEcc]
4c3b3608 4245renew() {
4246 Le_Domain="$1"
4c2a3841 4247 if [ -z "$Le_Domain" ]; then
43822d37 4248 _usage "Usage: $PROJECT_ENTRY --renew -d domain.com [--ecc]"
4c3b3608 4249 return 1
4250 fi
4251
43822d37 4252 _isEcc="$2"
4253
e799ef29 4254 _initpath "$Le_Domain" "$_isEcc"
43822d37 4255
e2053b22 4256 _info "$(__green "Renew: '$Le_Domain'")"
4c2a3841 4257 if [ ! -f "$DOMAIN_CONF" ]; then
43822d37 4258 _info "'$Le_Domain' is not a issued domain, skip."
4c2a3841 4259 return 0
4c3b3608 4260 fi
4c2a3841 4261
4262 if [ "$Le_RenewalDays" ]; then
1e6b68f5 4263 _savedomainconf Le_RenewalDays "$Le_RenewalDays"
4264 fi
4265
8663fb7e 4266 . "$DOMAIN_CONF"
4c2a3841 4267
4268 if [ "$Le_API" ]; then
48d9a8c1 4269 if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
4270 export Le_API="$DEFAULT_CA"
4271 _savedomainconf Le_API "$Le_API"
4272 fi
4a2ac7bd 4273 if [ "$_OLD_STAGE_CA_HOST" = "$Le_API" ]; then
c1151b0d 4274 export Le_API="$DEFAULT_STAGING_CA"
4a2ac7bd 4275 _savedomainconf Le_API "$Le_API"
4276 fi
48d9a8c1 4277 export ACME_DIRECTORY="$Le_API"
c4236e58 4278 #reload ca configs
4279 ACCOUNT_KEY_PATH=""
4280 ACCOUNT_JSON_PATH=""
4281 CA_CONF=""
4282 _debug3 "initpath again."
4283 _initpath "$Le_Domain" "$_isEcc"
5c48e139 4284 fi
4c2a3841 4285
4286 if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
e2053b22 4287 _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")"
4288 _info "Add '$(__red '--force')' to force to renew."
e799ef29 4289 return "$RENEW_SKIP"
4c3b3608 4290 fi
4c2a3841 4291
c4d0aec5 4292 if [ "$IN_CRON" = "1" ] && [ -z "$Le_CertCreateTime" ]; then
4293 _info "Skip invalid cert for: $Le_Domain"
4294 return 0
4295 fi
4296
4c3b3608 4297 IS_RENEW="1"
875625b1 4298 issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias"
e799ef29 4299 res="$?"
4c2a3841 4300 if [ "$res" != "0" ]; then
e799ef29 4301 return "$res"
a61fe418 4302 fi
4c2a3841 4303
4304 if [ "$Le_DeployHook" ]; then
93bce1b2 4305 _deploy "$Le_Domain" "$Le_DeployHook"
e799ef29 4306 res="$?"
a61fe418 4307 fi
4c2a3841 4308
4c3b3608 4309 IS_RENEW=""
4310
e799ef29 4311 return "$res"
4c3b3608 4312}
4313
cc179731 4314#renewAll [stopRenewOnError]
4c3b3608 4315renewAll() {
4316 _initpath
cc179731 4317 _stopRenewOnError="$1"
4318 _debug "_stopRenewOnError" "$_stopRenewOnError"
4319 _ret="0"
43822d37 4320
e591d5cf 4321 for di in "${CERT_HOME}"/*.*/; do
4322 _debug di "$di"
44483dba 4323 if ! [ -d "$di" ]; then
3498a585 4324 _debug "Not directory, skip: $di"
4325 continue
4326 fi
e591d5cf 4327 d=$(basename "$di")
201aa244 4328 _debug d "$d"
43822d37 4329 (
201aa244 4330 if _endswith "$d" "$ECC_SUFFIX"; then
4331 _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
4332 d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
43822d37 4333 fi
4334 renew "$d" "$_isEcc"
4d2f38b0 4335 )
cc179731 4336 rc="$?"
4337 _debug "Return code: $rc"
4c2a3841 4338 if [ "$rc" != "0" ]; then
4339 if [ "$rc" = "$RENEW_SKIP" ]; then
cc179731 4340 _info "Skipped $d"
4c2a3841 4341 elif [ "$_stopRenewOnError" ]; then
cc179731 4342 _err "Error renew $d, stop now."
201aa244 4343 return "$rc"
cc179731 4344 else
4345 _ret="$rc"
482cb737 4346 _err "Error renew $d."
cc179731 4347 fi
4348 fi
4c3b3608 4349 done
201aa244 4350 return "$_ret"
4c3b3608 4351}
4352
10afcaca 4353#csr webroot
4c2a3841 4354signcsr() {
10afcaca 4355 _csrfile="$1"
4356 _csrW="$2"
4357 if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then
4358 _usage "Usage: $PROJECT_ENTRY --signcsr --csr mycsr.csr -w /path/to/webroot/a.com/ "
4359 return 1
4360 fi
4361
875625b1 4362 _real_cert="$3"
4363 _real_key="$4"
4364 _real_ca="$5"
4365 _reload_cmd="$6"
4366 _real_fullchain="$7"
4367 _pre_hook="${8}"
4368 _post_hook="${9}"
4369 _renew_hook="${10}"
4370 _local_addr="${11}"
4371 _challenge_alias="${12}"
4372
10afcaca 4373 _csrsubj=$(_readSubjectFromCSR "$_csrfile")
4c2a3841 4374 if [ "$?" != "0" ]; then
10afcaca 4375 _err "Can not read subject from csr: $_csrfile"
4376 return 1
4377 fi
ad752b31 4378 _debug _csrsubj "$_csrsubj"
2c9ed4c5 4379 if _contains "$_csrsubj" ' ' || ! _contains "$_csrsubj" '.'; then
4380 _info "It seems that the subject: $_csrsubj is not a valid domain name. Drop it."
4381 _csrsubj=""
4382 fi
10afcaca 4383
4384 _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
4c2a3841 4385 if [ "$?" != "0" ]; then
10afcaca 4386 _err "Can not read domain list from csr: $_csrfile"
4387 return 1
4388 fi
4389 _debug "_csrdomainlist" "$_csrdomainlist"
4c2a3841 4390
4391 if [ -z "$_csrsubj" ]; then
ad752b31 4392 _csrsubj="$(_getfield "$_csrdomainlist" 1)"
4393 _debug _csrsubj "$_csrsubj"
4394 _csrdomainlist="$(echo "$_csrdomainlist" | cut -d , -f 2-)"
4395 _debug "_csrdomainlist" "$_csrdomainlist"
4396 fi
4c2a3841 4397
4398 if [ -z "$_csrsubj" ]; then
ad752b31 4399 _err "Can not read subject from csr: $_csrfile"
4400 return 1
4401 fi
4c2a3841 4402
10afcaca 4403 _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
4c2a3841 4404 if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
10afcaca 4405 _err "Can not read key length from csr: $_csrfile"
4406 return 1
4407 fi
4c2a3841 4408
cd9fb3b6 4409 if [ -z "$ACME_VERSION" ] && _contains "$_csrsubj,$_csrdomainlist" "*."; then
4410 export ACME_VERSION=2
4411 fi
10afcaca 4412 _initpath "$_csrsubj" "$_csrkeylength"
4413 mkdir -p "$DOMAIN_PATH"
4c2a3841 4414
10afcaca 4415 _info "Copy csr to: $CSR_PATH"
4416 cp "$_csrfile" "$CSR_PATH"
4c2a3841 4417
875625b1 4418 issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
4c2a3841 4419
10afcaca 4420}
4421
4422showcsr() {
4c2a3841 4423 _csrfile="$1"
10afcaca 4424 _csrd="$2"
4425 if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then
4426 _usage "Usage: $PROJECT_ENTRY --showcsr --csr mycsr.csr"
4427 return 1
4428 fi
4429
4430 _initpath
4c2a3841 4431
10afcaca 4432 _csrsubj=$(_readSubjectFromCSR "$_csrfile")
4c2a3841 4433 if [ "$?" != "0" ] || [ -z "$_csrsubj" ]; then
10afcaca 4434 _err "Can not read subject from csr: $_csrfile"
4435 return 1
4436 fi
4c2a3841 4437
10afcaca 4438 _info "Subject=$_csrsubj"
4439
4440 _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile")
4c2a3841 4441 if [ "$?" != "0" ]; then
10afcaca 4442 _err "Can not read domain list from csr: $_csrfile"
4443 return 1
4444 fi
4445 _debug "_csrdomainlist" "$_csrdomainlist"
4446
4447 _info "SubjectAltNames=$_csrdomainlist"
4448
10afcaca 4449 _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile")
4c2a3841 4450 if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then
10afcaca 4451 _err "Can not read key length from csr: $_csrfile"
4452 return 1
4453 fi
4454 _info "KeyLength=$_csrkeylength"
4455}
4456
6d7eda3e 4457list() {
22ea4004 4458 _raw="$1"
6d7eda3e 4459 _initpath
4c2a3841 4460
dcf4f8f6 4461 _sep="|"
4c2a3841 4462 if [ "$_raw" ]; then
d5ec5f80 4463 printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
e591d5cf 4464 for di in "${CERT_HOME}"/*.*/; do
44483dba 4465 if ! [ -d "$di" ]; then
3498a585 4466 _debug "Not directory, skip: $di"
4467 continue
4468 fi
e591d5cf 4469 d=$(basename "$di")
201aa244 4470 _debug d "$d"
dcf4f8f6 4471 (
201aa244 4472 if _endswith "$d" "$ECC_SUFFIX"; then
4473 _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
4474 d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
43822d37 4475 fi
e591d5cf 4476 _initpath "$d" "$_isEcc"
4c2a3841 4477 if [ -f "$DOMAIN_CONF" ]; then
dcf4f8f6 4478 . "$DOMAIN_CONF"
d5ec5f80 4479 printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
dcf4f8f6 4480 fi
4481 )
4482 done
4483 else
4c2a3841 4484 if _exists column; then
22ea4004 4485 list "raw" | column -t -s "$_sep"
4486 else
43822d37 4487 list "raw" | tr "$_sep" '\t'
22ea4004 4488 fi
dcf4f8f6 4489 fi
6d7eda3e 4490
6d7eda3e 4491}
4492
93bce1b2 4493_deploy() {
4494 _d="$1"
4495 _hooks="$2"
4496
4497 for _d_api in $(echo "$_hooks" | tr ',' " "); do
4498 _deployApi="$(_findHook "$_d" deploy "$_d_api")"
4499 if [ -z "$_deployApi" ]; then
4500 _err "The deploy hook $_d_api is not found."
4501 return 1
4502 fi
4503 _debug _deployApi "$_deployApi"
4504
4505 if ! (
4506 if ! . "$_deployApi"; then
4507 _err "Load file $_deployApi error. Please check your api file and try again."
4508 return 1
4509 fi
4510
4511 d_command="${_d_api}_deploy"
4512 if ! _exists "$d_command"; then
4513 _err "It seems that your api file is not correct, it must have a function named: $d_command"
4514 return 1
4515 fi
4516
4517 if ! $d_command "$_d" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$CERT_FULLCHAIN_PATH"; then
4518 _err "Error deploy for domain:$_d"
4519 return 1
4520 fi
4521 ); then
4522 _err "Deploy error."
4523 return 1
4524 else
4525 _info "$(__green Success)"
4526 fi
4527 done
4528}
4529
4530#domain hooks
a61fe418 4531deploy() {
93bce1b2 4532 _d="$1"
4533 _hooks="$2"
a61fe418 4534 _isEcc="$3"
93bce1b2 4535 if [ -z "$_hooks" ]; then
a61fe418 4536 _usage "Usage: $PROJECT_ENTRY --deploy -d domain.com --deploy-hook cpanel [--ecc] "
4537 return 1
4538 fi
4539
93bce1b2 4540 _initpath "$_d" "$_isEcc"
4c2a3841 4541 if [ ! -d "$DOMAIN_PATH" ]; then
93bce1b2 4542 _err "Domain is not valid:'$_d'"
a61fe418 4543 return 1
4544 fi
4c2a3841 4545
93bce1b2 4546 . "$DOMAIN_CONF"
4c2a3841 4547
93bce1b2 4548 _savedomainconf Le_DeployHook "$_hooks"
4c2a3841 4549
93bce1b2 4550 _deploy "$_d" "$_hooks"
a61fe418 4551}
4552
4c3b3608 4553installcert() {
85e1f4ea 4554 _main_domain="$1"
4555 if [ -z "$_main_domain" ]; then
5c539af7 4556 _usage "Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--cert-file cert-file-path] [--key-file key-file-path] [--ca-file ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchain-file fullchain-path]"
4c3b3608 4557 return 1
4558 fi
4559
85e1f4ea 4560 _real_cert="$2"
4561 _real_key="$3"
4562 _real_ca="$4"
4563 _reload_cmd="$5"
4564 _real_fullchain="$6"
43822d37 4565 _isEcc="$7"
4566
85e1f4ea 4567 _initpath "$_main_domain" "$_isEcc"
4c2a3841 4568 if [ ! -d "$DOMAIN_PATH" ]; then
85e1f4ea 4569 _err "Domain is not valid:'$_main_domain'"
43822d37 4570 return 1
4571 fi
4572
85e1f4ea 4573 _savedomainconf "Le_RealCertPath" "$_real_cert"
4574 _savedomainconf "Le_RealCACertPath" "$_real_ca"
4575 _savedomainconf "Le_RealKeyPath" "$_real_key"
4576 _savedomainconf "Le_ReloadCmd" "$_reload_cmd"
4577 _savedomainconf "Le_RealFullChainPath" "$_real_fullchain"
4578
044da37c 4579 _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"
43822d37 4580}
4c3b3608 4581
044da37c 4582#domain cert key ca fullchain reloadcmd backup-prefix
43822d37 4583_installcert() {
85e1f4ea 4584 _main_domain="$1"
4585 _real_cert="$2"
4586 _real_key="$3"
4587 _real_ca="$4"
044da37c 4588 _real_fullchain="$5"
4589 _reload_cmd="$6"
4590 _backup_prefix="$7"
4c3b3608 4591
85e1f4ea 4592 if [ "$_real_cert" = "$NO_VALUE" ]; then
4593 _real_cert=""
4d2f38b0 4594 fi
85e1f4ea 4595 if [ "$_real_key" = "$NO_VALUE" ]; then
4596 _real_key=""
4d2f38b0 4597 fi
85e1f4ea 4598 if [ "$_real_ca" = "$NO_VALUE" ]; then
4599 _real_ca=""
4d2f38b0 4600 fi
85e1f4ea 4601 if [ "$_reload_cmd" = "$NO_VALUE" ]; then
4602 _reload_cmd=""
4d2f38b0 4603 fi
85e1f4ea 4604 if [ "$_real_fullchain" = "$NO_VALUE" ]; then
4605 _real_fullchain=""
4d2f38b0 4606 fi
4c2a3841 4607
044da37c 4608 _backup_path="$DOMAIN_BACKUP_PATH/$_backup_prefix"
4609 mkdir -p "$_backup_path"
4610
85e1f4ea 4611 if [ "$_real_cert" ]; then
4612 _info "Installing cert to:$_real_cert"
4613 if [ -f "$_real_cert" ] && [ ! "$IS_RENEW" ]; then
044da37c 4614 cp "$_real_cert" "$_backup_path/cert.bak"
4c3b3608 4615 fi
85e1f4ea 4616 cat "$CERT_PATH" >"$_real_cert"
4c3b3608 4617 fi
4c2a3841 4618
85e1f4ea 4619 if [ "$_real_ca" ]; then
4620 _info "Installing CA to:$_real_ca"
4621 if [ "$_real_ca" = "$_real_cert" ]; then
4622 echo "" >>"$_real_ca"
4623 cat "$CA_CERT_PATH" >>"$_real_ca"
4c3b3608 4624 else
85e1f4ea 4625 if [ -f "$_real_ca" ] && [ ! "$IS_RENEW" ]; then
044da37c 4626 cp "$_real_ca" "$_backup_path/ca.bak"
78552b18 4627 fi
85e1f4ea 4628 cat "$CA_CERT_PATH" >"$_real_ca"
4c3b3608 4629 fi
4630 fi
4631
85e1f4ea 4632 if [ "$_real_key" ]; then
4633 _info "Installing key to:$_real_key"
4634 if [ -f "$_real_key" ] && [ ! "$IS_RENEW" ]; then
044da37c 4635 cp "$_real_key" "$_backup_path/key.bak"
4c3b3608 4636 fi
82014583 4637 if [ -f "$_real_key" ]; then
4638 cat "$CERT_KEY_PATH" >"$_real_key"
4639 else
4640 cat "$CERT_KEY_PATH" >"$_real_key"
7b92371a 4641 chmod 600 "$_real_key"
82014583 4642 fi
4c3b3608 4643 fi
4c2a3841 4644
85e1f4ea 4645 if [ "$_real_fullchain" ]; then
4646 _info "Installing full chain to:$_real_fullchain"
4647 if [ -f "$_real_fullchain" ] && [ ! "$IS_RENEW" ]; then
044da37c 4648 cp "$_real_fullchain" "$_backup_path/fullchain.bak"
a63b05a9 4649 fi
85e1f4ea 4650 cat "$CERT_FULLCHAIN_PATH" >"$_real_fullchain"
4c2a3841 4651 fi
4c3b3608 4652
85e1f4ea 4653 if [ "$_reload_cmd" ]; then
4654 _info "Run reload cmd: $_reload_cmd"
25555b8c 4655 if (
839bf0e2 4656 export CERT_PATH
4657 export CERT_KEY_PATH
4658 export CA_CERT_PATH
4659 export CERT_FULLCHAIN_PATH
58d4c74b 4660 export Le_Domain
85e1f4ea 4661 cd "$DOMAIN_PATH" && eval "$_reload_cmd"
839bf0e2 4662 ); then
43822d37 4663 _info "$(__green "Reload success")"
4d2f38b0 4664 else
4665 _err "Reload error for :$Le_Domain"
4666 fi
4667 fi
4668
4c3b3608 4669}
4670
27dbe77f 4671#confighome
4c3b3608 4672installcronjob() {
27dbe77f 4673 _c_home="$1"
4c3b3608 4674 _initpath
415f375c 4675 _CRONTAB="crontab"
4676 if ! _exists "$_CRONTAB" && _exists "fcrontab"; then
4677 _CRONTAB="fcrontab"
4678 fi
4679 if ! _exists "$_CRONTAB"; then
4680 _err "crontab/fcrontab doesn't exist, so, we can not install cron jobs."
77546ea5 4681 _err "All your certs will not be renewed automatically."
a7b7355d 4682 _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday."
77546ea5 4683 return 1
4684 fi
4685
4c3b3608 4686 _info "Installing cron job"
415f375c 4687 if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then
4c2a3841 4688 if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
a7b7355d 4689 lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
4c3b3608 4690 else
a7b7355d 4691 _err "Can not install cronjob, $PROJECT_ENTRY not found."
4c3b3608 4692 return 1
4693 fi
27dbe77f 4694
4695 if [ "$_c_home" ]; then
80941f84 4696 _c_entry="--config-home \"$_c_home\" "
27dbe77f 4697 fi
32b3717c 4698 _t=$(_time)
4699 random_minute=$(_math $_t % 60)
e2c939fb 4700 if _exists uname && uname -a | grep SunOS >/dev/null; then
415f375c 4701 $_CRONTAB -l | {
4c2a3841 4702 cat
0533bde9 4703 echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
415f375c 4704 } | $_CRONTAB --
22ea4004 4705 else
415f375c 4706 $_CRONTAB -l | {
4c2a3841 4707 cat
0533bde9 4708 echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
415f375c 4709 } | $_CRONTAB -
22ea4004 4710 fi
4c3b3608 4711 fi
4c2a3841 4712 if [ "$?" != "0" ]; then
4c3b3608 4713 _err "Install cron job failed. You need to manually renew your certs."
4714 _err "Or you can add cronjob by yourself:"
a7b7355d 4715 _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null"
4c3b3608 4716 return 1
4717 fi
4718}
4719
4720uninstallcronjob() {
415f375c 4721 _CRONTAB="crontab"
4722 if ! _exists "$_CRONTAB" && _exists "fcrontab"; then
4723 _CRONTAB="fcrontab"
4724 fi
4725
4726 if ! _exists "$_CRONTAB"; then
37db5b81 4727 return
4728 fi
4c3b3608 4729 _info "Removing cron job"
415f375c 4730 cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")"
4c2a3841 4731 if [ "$cr" ]; then
4732 if _exists uname && uname -a | grep solaris >/dev/null; then
415f375c 4733 $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB --
22ea4004 4734 else
415f375c 4735 $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB -
22ea4004 4736 fi
a7b7355d 4737 LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
4c3b3608 4738 _info LE_WORKING_DIR "$LE_WORKING_DIR"
27dbe77f 4739 if _contains "$cr" "--config-home"; then
f5b546b3 4740 LE_CONFIG_HOME="$(echo "$cr" | cut -d ' ' -f 11 | tr -d '"')"
4741 _debug LE_CONFIG_HOME "$LE_CONFIG_HOME"
27dbe77f 4742 fi
4c2a3841 4743 fi
4c3b3608 4744 _initpath
a7b7355d 4745
4c3b3608 4746}
4747
6cb415f5 4748revoke() {
4749 Le_Domain="$1"
4c2a3841 4750 if [ -z "$Le_Domain" ]; then
78f0201d 4751 _usage "Usage: $PROJECT_ENTRY --revoke -d domain.com [--ecc]"
6cb415f5 4752 return 1
4753 fi
4c2a3841 4754
43822d37 4755 _isEcc="$2"
4756
c4a375b3 4757 _initpath "$Le_Domain" "$_isEcc"
4c2a3841 4758 if [ ! -f "$DOMAIN_CONF" ]; then
6cb415f5 4759 _err "$Le_Domain is not a issued domain, skip."
4c2a3841 4760 return 1
6cb415f5 4761 fi
4c2a3841 4762
4763 if [ ! -f "$CERT_PATH" ]; then
6cb415f5 4764 _err "Cert for $Le_Domain $CERT_PATH is not found, skip."
4765 return 1
4766 fi
6cb415f5 4767
11927a76 4768 cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)"
4c2a3841 4769
4770 if [ -z "$cert" ]; then
6cb415f5 4771 _err "Cert for $Le_Domain is empty found, skip."
4772 return 1
4773 fi
4c2a3841 4774
48d9a8c1 4775 _initAPI
4776
d2cde379 4777 if [ "$ACME_VERSION" = "2" ]; then
4778 data="{\"certificate\": \"$cert\"}"
4779 else
4780 data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
4781 fi
48d9a8c1 4782 uri="${ACME_REVOKE_CERT}"
6cb415f5 4783
4c2a3841 4784 if [ -f "$CERT_KEY_PATH" ]; then
1befee5a 4785 _info "Try domain key first."
c4a375b3 4786 if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then
4c2a3841 4787 if [ -z "$response" ]; then
1befee5a 4788 _info "Revoke success."
c4a375b3 4789 rm -f "$CERT_PATH"
1befee5a 4790 return 0
4c2a3841 4791 else
1befee5a 4792 _err "Revoke error by domain key."
4793 _err "$response"
4794 fi
6cb415f5 4795 fi
4c2a3841 4796 else
1befee5a 4797 _info "Domain key file doesn't exists."
6cb415f5 4798 fi
6cb415f5 4799
1befee5a 4800 _info "Try account key."
6cb415f5 4801
c4a375b3 4802 if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then
4c2a3841 4803 if [ -z "$response" ]; then
6cb415f5 4804 _info "Revoke success."
c4a375b3 4805 rm -f "$CERT_PATH"
6cb415f5 4806 return 0
4c2a3841 4807 else
6cb415f5 4808 _err "Revoke error."
c9c31c04 4809 _debug "$response"
6cb415f5 4810 fi
4811 fi
4812 return 1
4813}
4c3b3608 4814
78f0201d 4815#domain ecc
4816remove() {
4817 Le_Domain="$1"
4818 if [ -z "$Le_Domain" ]; then
4819 _usage "Usage: $PROJECT_ENTRY --remove -d domain.com [--ecc]"
4820 return 1
4821 fi
4822
4823 _isEcc="$2"
4824
4825 _initpath "$Le_Domain" "$_isEcc"
4826 _removed_conf="$DOMAIN_CONF.removed"
4827 if [ ! -f "$DOMAIN_CONF" ]; then
4828 if [ -f "$_removed_conf" ]; then
4829 _err "$Le_Domain is already removed, You can remove the folder by yourself: $DOMAIN_PATH"
4830 else
4831 _err "$Le_Domain is not a issued domain, skip."
4832 fi
4833 return 1
4834 fi
4835
4836 if mv "$DOMAIN_CONF" "$_removed_conf"; then
68aea3af 4837 _info "$Le_Domain is removed, the key and cert files are in $(__green $DOMAIN_PATH)"
78f0201d 4838 _info "You can remove them by yourself."
4839 return 0
4840 else
4841 _err "Remove $Le_Domain failed."
4842 return 1
4843 fi
4844}
4845
0c00e870 4846#domain vtype
4847_deactivate() {
4848 _d_domain="$1"
4849 _d_type="$2"
4850 _initpath
4c2a3841 4851
d2cde379 4852 if [ "$ACME_VERSION" = "2" ]; then
4853 _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
4854 if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
4855 _err "Can not get domain new order."
4856 return 1
4857 fi
4858 _authorizations_seg="$(echo "$response" | tr -d '\r\n' | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
4859 _debug2 _authorizations_seg "$_authorizations_seg"
4860 if [ -z "$_authorizations_seg" ]; then
4861 _err "_authorizations_seg not found."
4862 _clearup
4863 _on_issue_err "$_post_hook"
4864 return 1
4865 fi
4c2a3841 4866
d2cde379 4867 authzUri="$_authorizations_seg"
4868 _debug2 "authzUri" "$authzUri"
4869 if ! response="$(_get "$authzUri")"; then
4870 _err "get to authz error."
4871 _clearup
4872 _on_issue_err "$_post_hook"
4873 return 1
4874 fi
4c2a3841 4875
d2cde379 4876 response="$(echo "$response" | _normalizeJson)"
4877 _debug2 response "$response"
4878 _URL_NAME="url"
4879 else
4880 if ! __get_domain_new_authz "$_d_domain"; then
4881 _err "Can not get domain new authz token."
4882 return 1
4883 fi
4884
4885 authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
4886 _debug "authzUri" "$authzUri"
4887 if [ "$code" ] && [ ! "$code" = '201' ]; then
4888 _err "new-authz error: $response"
4889 return 1
4890 fi
4891 _URL_NAME="uri"
14d7bfda 4892 fi
0c00e870 4893
d2cde379 4894 entries="$(echo "$response" | _egrep_o "{ *\"type\":\"[^\"]*\", *\"status\": *\"valid\", *\"$_URL_NAME\"[^}]*")"
14d7bfda 4895 if [ -z "$entries" ]; then
4896 _info "No valid entries found."
4897 if [ -z "$thumbprint" ]; then
4898 thumbprint="$(__calc_account_thumbprint)"
4899 fi
4900 _debug "Trigger validation."
d2cde379 4901 vtype="$VTYPE_DNS"
14d7bfda 4902 entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
4903 _debug entry "$entry"
4904 if [ -z "$entry" ]; then
4905 _err "Error, can not get domain token $d"
0c00e870 4906 return 1
4907 fi
14d7bfda 4908 token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
4909 _debug token "$token"
4c2a3841 4910
d2cde379 4911 uri="$(printf "%s\n" "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
14d7bfda 4912 _debug uri "$uri"
4913
4914 keyauthorization="$token.$thumbprint"
4915 _debug keyauthorization "$keyauthorization"
4916 __trigger_validation "$uri" "$keyauthorization"
4917
4918 fi
4919
4920 _d_i=0
4921 _d_max_retry=$(echo "$entries" | wc -l)
4922 while [ "$_d_i" -lt "$_d_max_retry" ]; do
4923 _info "Deactivate: $_d_domain"
4924 _d_i="$(_math $_d_i + 1)"
4925 entry="$(echo "$entries" | sed -n "${_d_i}p")"
0c00e870 4926 _debug entry "$entry"
4c2a3841 4927
4928 if [ -z "$entry" ]; then
fb2029e7 4929 _info "No more valid entry found."
0c00e870 4930 break
4931 fi
4c2a3841 4932
0c00e870 4933 _vtype="$(printf "%s\n" "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')"
c4a375b3 4934 _debug _vtype "$_vtype"
0c00e870 4935 _info "Found $_vtype"
4936
d2cde379 4937 uri="$(printf "%s\n" "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
c4a375b3 4938 _debug uri "$uri"
4c2a3841 4939
4940 if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
0c00e870 4941 _info "Skip $_vtype"
4942 continue
4943 fi
4c2a3841 4944
0c00e870 4945 _info "Deactivate: $_vtype"
4c2a3841 4946
d2cde379 4947 if [ "$ACME_VERSION" = "2" ]; then
4948 _djson="{\"status\":\"deactivated\"}"
4949 else
4950 _djson="{\"resource\": \"authz\", \"status\":\"deactivated\"}"
4951 fi
4952
4953 if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then
14d7bfda 4954 _info "Deactivate: $_vtype success."
4955 else
0c00e870 4956 _err "Can not deactivate $_vtype."
14d7bfda 4957 break
0c00e870 4958 fi
4c2a3841 4959
0c00e870 4960 done
4961 _debug "$_d_i"
14d7bfda 4962 if [ "$_d_i" -eq "$_d_max_retry" ]; then
0c00e870 4963 _info "Deactivated success!"
4964 else
4965 _err "Deactivate failed."
4966 fi
4967
4968}
4969
4970deactivate() {
3f4513b3 4971 _d_domain_list="$1"
0c00e870 4972 _d_type="$2"
4973 _initpath
a3bdaa85 4974 _initAPI
3f4513b3 4975 _debug _d_domain_list "$_d_domain_list"
4c2a3841 4976 if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then
3f4513b3 4977 _usage "Usage: $PROJECT_ENTRY --deactivate -d domain.com [-d domain.com]"
0c00e870 4978 return 1
4979 fi
4c2a3841 4980 for _d_dm in $(echo "$_d_domain_list" | tr ',' ' '); do
4981 if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ]; then
3f4513b3 4982 continue
4983 fi
c4a375b3 4984 if ! _deactivate "$_d_dm" "$_d_type"; then
86c017ec 4985 return 1
4986 fi
3f4513b3 4987 done
0c00e870 4988}
4989
4c3b3608 4990# Detect profile file if not specified as environment variable
4991_detect_profile() {
4c2a3841 4992 if [ -n "$PROFILE" -a -f "$PROFILE" ]; then
4c3b3608 4993 echo "$PROFILE"
4994 return
4995 fi
4996
4c3b3608 4997 DETECTED_PROFILE=''
4c3b3608 4998 SHELLTYPE="$(basename "/$SHELL")"
4999
4c2a3841 5000 if [ "$SHELLTYPE" = "bash" ]; then
5001 if [ -f "$HOME/.bashrc" ]; then
4c3b3608 5002 DETECTED_PROFILE="$HOME/.bashrc"
4c2a3841 5003 elif [ -f "$HOME/.bash_profile" ]; then
4c3b3608 5004 DETECTED_PROFILE="$HOME/.bash_profile"
5005 fi
4c2a3841 5006 elif [ "$SHELLTYPE" = "zsh" ]; then
4c3b3608 5007 DETECTED_PROFILE="$HOME/.zshrc"
5008 fi
5009
4c2a3841 5010 if [ -z "$DETECTED_PROFILE" ]; then
5011 if [ -f "$HOME/.profile" ]; then
4c3b3608 5012 DETECTED_PROFILE="$HOME/.profile"
4c2a3841 5013 elif [ -f "$HOME/.bashrc" ]; then
4c3b3608 5014 DETECTED_PROFILE="$HOME/.bashrc"
4c2a3841 5015 elif [ -f "$HOME/.bash_profile" ]; then
4c3b3608 5016 DETECTED_PROFILE="$HOME/.bash_profile"
4c2a3841 5017 elif [ -f "$HOME/.zshrc" ]; then
4c3b3608 5018 DETECTED_PROFILE="$HOME/.zshrc"
5019 fi
5020 fi
5021
1be222f6 5022 echo "$DETECTED_PROFILE"
4c3b3608 5023}
5024
5025_initconf() {
5026 _initpath
4c2a3841 5027 if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
0ca5b799 5028 echo "
d404e92d 5029
d0871bda 5030#LOG_FILE=\"$DEFAULT_LOG_FILE\"
6b500036 5031#LOG_LEVEL=1
5ea6e9c9 5032
251d1c5c 5033#AUTO_UPGRADE=\"1\"
89002ed2 5034
569d6c55 5035#NO_TIMESTAMP=1
5b771039 5036
d5ec5f80 5037 " >"$ACCOUNT_CONF_PATH"
4c3b3608 5038 fi
5039}
5040
c8e9a31e 5041# nocron
c60883ef 5042_precheck() {
c8e9a31e 5043 _nocron="$1"
4c2a3841 5044
5045 if ! _exists "curl" && ! _exists "wget"; then
c60883ef 5046 _err "Please install curl or wget first, we need to access http resources."
4c3b3608 5047 return 1
5048 fi
4c2a3841 5049
5050 if [ -z "$_nocron" ]; then
415f375c 5051 if ! _exists "crontab" && ! _exists "fcrontab"; then
c8e9a31e 5052 _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
5053 _err "We need to set cron job to renew the certs automatically."
5054 _err "Otherwise, your certs will not be able to be renewed automatically."
4c2a3841 5055 if [ -z "$FORCE" ]; then
c8e9a31e 5056 _err "Please add '--force' and try install again to go without crontab."
5057 _err "./$PROJECT_ENTRY --install --force"
5058 return 1
5059 fi
77546ea5 5060 fi
4c3b3608 5061 fi
4c2a3841 5062
d8ba26e6 5063 if ! _exists "${ACME_OPENSSL_BIN:-openssl}"; then
851fedf7 5064 _err "Please install openssl first. ACME_OPENSSL_BIN=$ACME_OPENSSL_BIN"
c60883ef 5065 _err "We need openssl to generate keys."
4c3b3608 5066 return 1
5067 fi
4c2a3841 5068
3794b5cb 5069 if ! _exists "socat"; then
5070 _err "It is recommended to install socat first."
5071 _err "We use socat for standalone server if you use standalone mode."
c60883ef 5072 _err "If you don't use standalone mode, just ignore this warning."
5073 fi
4c2a3841 5074
c60883ef 5075 return 0
5076}
5077
0a7c9364 5078_setShebang() {
5079 _file="$1"
5080 _shebang="$2"
4c2a3841 5081 if [ -z "$_shebang" ]; then
43822d37 5082 _usage "Usage: file shebang"
0a7c9364 5083 return 1
5084 fi
5085 cp "$_file" "$_file.tmp"
4c2a3841 5086 echo "$_shebang" >"$_file"
5087 sed -n 2,99999p "$_file.tmp" >>"$_file"
5088 rm -f "$_file.tmp"
0a7c9364 5089}
5090
27dbe77f 5091#confighome
94dc5f33 5092_installalias() {
27dbe77f 5093 _c_home="$1"
94dc5f33 5094 _initpath
5095
5096 _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env"
4c2a3841 5097 if [ "$_upgrading" ] && [ "$_upgrading" = "1" ]; then
44edb2bd 5098 echo "$(cat "$_envfile")" | sed "s|^LE_WORKING_DIR.*$||" >"$_envfile"
5099 echo "$(cat "$_envfile")" | sed "s|^alias le.*$||" >"$_envfile"
5100 echo "$(cat "$_envfile")" | sed "s|^alias le.sh.*$||" >"$_envfile"
94dc5f33 5101 fi
5102
27dbe77f 5103 if [ "$_c_home" ]; then
be83a6a3 5104 _c_entry=" --config-home '$_c_home'"
27dbe77f 5105 fi
5106
1786a5e5 5107 _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
f5b546b3 5108 if [ "$_c_home" ]; then
5109 _setopt "$_envfile" "export LE_CONFIG_HOME" "=" "\"$LE_CONFIG_HOME\""
d04434e3 5110 else
5111 _sed_i "/^export LE_CONFIG_HOME/d" "$_envfile"
f5b546b3 5112 fi
be83a6a3 5113 _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
94dc5f33 5114
5115 _profile="$(_detect_profile)"
4c2a3841 5116 if [ "$_profile" ]; then
94dc5f33 5117 _debug "Found profile: $_profile"
aba5c634 5118 _info "Installing alias to '$_profile'"
94dc5f33 5119 _setopt "$_profile" ". \"$_envfile\""
5120 _info "OK, Close and reopen your terminal to start using $PROJECT_NAME"
5121 else
5122 _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME"
5123 fi
94dc5f33 5124
5125 #for csh
5126 _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh"
94dc5f33 5127 _csh_profile="$HOME/.cshrc"
4c2a3841 5128 if [ -f "$_csh_profile" ]; then
aba5c634 5129 _info "Installing alias to '$_csh_profile'"
6626371d 5130 _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
f5b546b3 5131 if [ "$_c_home" ]; then
5132 _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\""
d04434e3 5133 else
5134 _sed_i "/^setenv LE_CONFIG_HOME/d" "$_cshfile"
f5b546b3 5135 fi
be83a6a3 5136 _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
4c2a3841 5137 _setopt "$_csh_profile" "source \"$_cshfile\""
94dc5f33 5138 fi
4c2a3841 5139
acafa585 5140 #for tcsh
5141 _tcsh_profile="$HOME/.tcshrc"
4c2a3841 5142 if [ -f "$_tcsh_profile" ]; then
aba5c634 5143 _info "Installing alias to '$_tcsh_profile'"
acafa585 5144 _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
f5b546b3 5145 if [ "$_c_home" ]; then
5146 _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\""
5147 fi
be83a6a3 5148 _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
4c2a3841 5149 _setopt "$_tcsh_profile" "source \"$_cshfile\""
acafa585 5150 fi
94dc5f33 5151
5152}
5153
86ef0a26 5154# nocron confighome noprofile
c60883ef 5155install() {
f3e4cea3 5156
4c2a3841 5157 if [ -z "$LE_WORKING_DIR" ]; then
f3e4cea3 5158 LE_WORKING_DIR="$DEFAULT_INSTALL_HOME"
5159 fi
4c2a3841 5160
c8e9a31e 5161 _nocron="$1"
27dbe77f 5162 _c_home="$2"
86ef0a26 5163 _noprofile="$3"
4c2a3841 5164 if ! _initpath; then
c60883ef 5165 _err "Install failed."
4c3b3608 5166 return 1
5167 fi
4c2a3841 5168 if [ "$_nocron" ]; then
52677b0a 5169 _debug "Skip install cron job"
5170 fi
4c2a3841 5171
4356eefb 5172 if [ "$IN_CRON" != "1" ]; then
5173 if ! _precheck "$_nocron"; then
5174 _err "Pre-check failed, can not install."
5175 return 1
5176 fi
4c3b3608 5177 fi
4c2a3841 5178
8e845d9f 5179 if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then
5180 _info "Using config home: $LE_CONFIG_HOME"
5181 _c_home="$LE_CONFIG_HOME"
5182 fi
5183
6cc11ffb 5184 #convert from le
4c2a3841 5185 if [ -d "$HOME/.le" ]; then
5186 for envfile in "le.env" "le.sh.env"; do
5187 if [ -f "$HOME/.le/$envfile" ]; then
5188 if grep "le.sh" "$HOME/.le/$envfile" >/dev/null; then
5189 _upgrading="1"
5190 _info "You are upgrading from le.sh"
5191 _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR"
5192 mv "$HOME/.le" "$LE_WORKING_DIR"
5193 mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env"
5194 break
6cc11ffb 5195 fi
5196 fi
5197 done
5198 fi
5199
4c3b3608 5200 _info "Installing to $LE_WORKING_DIR"
635695ec 5201
d04434e3 5202 if [ ! -d "$LE_WORKING_DIR" ]; then
5203 if ! mkdir -p "$LE_WORKING_DIR"; then
5204 _err "Can not create working dir: $LE_WORKING_DIR"
5205 return 1
5206 fi
5207
5208 chmod 700 "$LE_WORKING_DIR"
4a0f23e2 5209 fi
4c2a3841 5210
d04434e3 5211 if [ ! -d "$LE_CONFIG_HOME" ]; then
5212 if ! mkdir -p "$LE_CONFIG_HOME"; then
5213 _err "Can not create config dir: $LE_CONFIG_HOME"
5214 return 1
5215 fi
762978f8 5216
d04434e3 5217 chmod 700 "$LE_CONFIG_HOME"
27dbe77f 5218 fi
5219
d5ec5f80 5220 cp "$PROJECT_ENTRY" "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
4c3b3608 5221
4c2a3841 5222 if [ "$?" != "0" ]; then
a7b7355d 5223 _err "Install failed, can not copy $PROJECT_ENTRY"
4c3b3608 5224 return 1
5225 fi
5226
a7b7355d 5227 _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
4c3b3608 5228
86ef0a26 5229 if [ "$IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
4356eefb 5230 _installalias "$_c_home"
5231 fi
4c3b3608 5232
4c2a3841 5233 for subf in $_SUB_FOLDERS; do
5234 if [ -d "$subf" ]; then
d5ec5f80 5235 mkdir -p "$LE_WORKING_DIR/$subf"
5236 cp "$subf"/* "$LE_WORKING_DIR"/"$subf"/
a61fe418 5237 fi
5238 done
5239
4c2a3841 5240 if [ ! -f "$ACCOUNT_CONF_PATH" ]; then
4c3b3608 5241 _initconf
5242 fi
6cc11ffb 5243
4c2a3841 5244 if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ]; then
635695ec 5245 _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\""
6cc11ffb 5246 fi
5247
4c2a3841 5248 if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ]; then
b2817897 5249 _saveaccountconf "CERT_HOME" "$CERT_HOME"
5250 fi
5251
4c2a3841 5252 if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ]; then
b2817897 5253 _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH"
5254 fi
4c2a3841 5255
5256 if [ -z "$_nocron" ]; then
27dbe77f 5257 installcronjob "$_c_home"
c8e9a31e 5258 fi
0a7c9364 5259
4c2a3841 5260 if [ -z "$NO_DETECT_SH" ]; then
641989fd 5261 #Modify shebang
4c2a3841 5262 if _exists bash; then
694af4ae 5263 _bash_path="$(bash -c "command -v bash 2>/dev/null")"
5264 if [ -z "$_bash_path" ]; then
5265 _bash_path="$(bash -c 'echo $SHELL')"
5266 fi
5267 fi
5268 if [ "$_bash_path" ]; then
329174b6 5269 _info "Good, bash is found, so change the shebang to use bash as preferred."
694af4ae 5270 _shebang='#!'"$_bash_path"
641989fd 5271 _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang"
4c2a3841 5272 for subf in $_SUB_FOLDERS; do
5273 if [ -d "$LE_WORKING_DIR/$subf" ]; then
5274 for _apifile in "$LE_WORKING_DIR/$subf/"*.sh; do
a61fe418 5275 _setShebang "$_apifile" "$_shebang"
5276 done
5277 fi
5278 done
0a7c9364 5279 fi
5280 fi
5281
4c3b3608 5282 _info OK
5283}
5284
52677b0a 5285# nocron
4c3b3608 5286uninstall() {
52677b0a 5287 _nocron="$1"
4c2a3841 5288 if [ -z "$_nocron" ]; then
52677b0a 5289 uninstallcronjob
5290 fi
4c3b3608 5291 _initpath
5292
9aa3be7f 5293 _uninstallalias
4c2a3841 5294
d5ec5f80 5295 rm -f "$LE_WORKING_DIR/$PROJECT_ENTRY"
f5b546b3 5296 _info "The keys and certs are in \"$(__green "$LE_CONFIG_HOME")\", you can remove them by yourself."
9aa3be7f 5297
5298}
5299
5300_uninstallalias() {
5301 _initpath
5302
4c3b3608 5303 _profile="$(_detect_profile)"
4c2a3841 5304 if [ "$_profile" ]; then
9aa3be7f 5305 _info "Uninstalling alias from: '$_profile'"
d5ec5f80 5306 text="$(cat "$_profile")"
4c2a3841 5307 echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" >"$_profile"
4c3b3608 5308 fi
5309
94dc5f33 5310 _csh_profile="$HOME/.cshrc"
4c2a3841 5311 if [ -f "$_csh_profile" ]; then
9aa3be7f 5312 _info "Uninstalling alias from: '$_csh_profile'"
d5ec5f80 5313 text="$(cat "$_csh_profile")"
4c2a3841 5314 echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_csh_profile"
94dc5f33 5315 fi
4c2a3841 5316
acafa585 5317 _tcsh_profile="$HOME/.tcshrc"
4c2a3841 5318 if [ -f "$_tcsh_profile" ]; then
9aa3be7f 5319 _info "Uninstalling alias from: '$_csh_profile'"
d5ec5f80 5320 text="$(cat "$_tcsh_profile")"
4c2a3841 5321 echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_tcsh_profile"
acafa585 5322 fi
4c3b3608 5323
5324}
5325
5326cron() {
c73fdd40 5327 export IN_CRON=1
89002ed2 5328 _initpath
d8ba26e6 5329 _info "$(__green "===Starting cron===")"
4c2a3841 5330 if [ "$AUTO_UPGRADE" = "1" ]; then
89002ed2 5331 export LE_WORKING_DIR
5332 (
4c2a3841 5333 if ! upgrade; then
5334 _err "Cron:Upgrade failed!"
5335 return 1
5336 fi
89002ed2 5337 )
d5ec5f80 5338 . "$LE_WORKING_DIR/$PROJECT_ENTRY" >/dev/null
1ab63043 5339
4c2a3841 5340 if [ -t 1 ]; then
1ab63043 5341 __INTERACTIVE="1"
5342 fi
4c2a3841 5343
89002ed2 5344 _info "Auto upgraded to: $VER"
5345 fi
4c3b3608 5346 renewAll
cc179731 5347 _ret="$?"
281aa349 5348 IN_CRON=""
d8ba26e6 5349 _info "$(__green "===End cron===")"
0ba95a3d 5350 exit $_ret
4c3b3608 5351}
5352
5353version() {
a63b05a9 5354 echo "$PROJECT"
5355 echo "v$VER"
4c3b3608 5356}
5357
5358showhelp() {
d0871bda 5359 _initpath
4c3b3608 5360 version
a7b7355d 5361 echo "Usage: $PROJECT_ENTRY command ...[parameters]....
a63b05a9 5362Commands:
5363 --help, -h Show this help message.
5364 --version, -v Show version info.
a7b7355d 5365 --install Install $PROJECT_NAME to your system.
5366 --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job.
d8beaf72 5367 --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT.
a63b05a9 5368 --issue Issue a cert.
10afcaca 5369 --signcsr Issue a cert from an existing csr.
a61fe418 5370 --deploy Deploy the cert to your server.
27dbe77f 5371 --install-cert Install the issued cert to apache/nginx or any other server.
a63b05a9 5372 --renew, -r Renew a cert.
27dbe77f 5373 --renew-all Renew all the certs.
a63b05a9 5374 --revoke Revoke a cert.
47b49f1b 5375 --remove Remove the cert from list of certs known to $PROJECT_NAME.
10afcaca 5376 --list List all the certs.
5377 --showcsr Show the content of a csr.
27dbe77f 5378 --install-cronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
5379 --uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
a63b05a9 5380 --cron Run cron job to renew all the certs.
5381 --toPkcs Export the certificate and key to a pfx file.
4410226d 5382 --toPkcs8 Convert to pkcs8 format.
27dbe77f 5383 --update-account Update account info.
5384 --register-account Register account key.
422dd1fa 5385 --deactivate-account Deactivate the account.
0984585d 5386 --create-account-key Create an account private key, professional use.
5387 --create-domain-key Create an domain private key, professional use.
a63b05a9 5388 --createCSR, -ccsr Create CSR , professional use.
0c00e870 5389 --deactivate Deactivate the domain authz, professional use.
3c07f57a 5390
a63b05a9 5391Parameters:
5392 --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
64821ad4 5393 --challenge-alias domain.tld The challenge domain alias for DNS alias mode: $_DNS_ALIAS_WIKI
5394 --domain-alias domain.tld The domain alias for DNS alias mode: $_DNS_ALIAS_WIKI
a63b05a9 5395 --force, -f Used to force to install or force to renew a cert immediately.
5396 --staging, --test Use staging server, just for test.
5397 --debug Output debug info.
e6e85b0c 5398 --output-insecure Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
a63b05a9 5399 --webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
5400 --standalone Use standalone mode.
0e44f587 5401 --stateless Use stateless mode, see: $_STATELESS_WIKI
a63b05a9 5402 --apache Use apache mode.
eccec5f6 5403 --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
4a4dacb5 5404 --dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
3c07f57a 5405
a63b05a9 5406 --keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
5407 --accountkeylength, -ak [2048] Specifies the account key length.
d0871bda 5408 --log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
a73c5b33 5409 --log-level 1|2 Specifies the log level, default is 1.
52765466 5410 --syslog [0|3|6|7] Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
3c07f57a 5411
a63b05a9 5412 These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
3c07f57a 5413
13fe54c9 5414 --cert-file After issue/renew, the cert will be copied to this path.
5415 --key-file After issue/renew, the key will be copied to this path.
5416 --ca-file After issue/renew, the intermediate cert will be copied to this path.
5417 --fullchain-file After issue/renew, the fullchain cert will be copied to this path.
3c07f57a 5418
a63b05a9 5419 --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
5420
48d9a8c1 5421 --server SERVER ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
a63b05a9 5422 --accountconf Specifies a customized account config file.
635695ec 5423 --home Specifies the home dir for $PROJECT_NAME .
27dbe77f 5424 --cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
5425 --config-home Specifies the home dir to save all the configurations.
635695ec 5426 --useragent Specifies the user agent string. it will be saved for future use too.
b5eb4b90 5427 --accountemail Specifies the account email for registering, Only valid for the '--install' command.
06625071 5428 --accountkey Specifies the account key path, Only valid for the '--install' command.
523c7682 5429 --days Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
39c8f79f 5430 --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
6ae0f7f5 5431 --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
dcf4f8f6 5432 --listraw Only used for '--list' command, list the certs in raw format.
27dbe77f 5433 --stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
13d7cae9 5434 --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
8f73e241 5435 --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate.
13fe54c9 5436 --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
bc96082f 5437 --nocron Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
08b4e1a7 5438 --no-color Do not output color text.
27dbe77f 5439 --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
10afcaca 5440 --csr Specifies the input csr.
b0070f03 5441 --pre-hook Command to be run before obtaining any certificates.
84a6730b 5442 --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
b0070f03 5443 --renew-hook Command to be run once for each successfully renewed certificate.
a61fe418 5444 --deploy-hook The hook file to deploy cert
0c9546cc 5445 --ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
c4b2e582 5446 --always-force-new-domain-key Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
6bf281f9 5447 --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
6ae0f7f5 5448 --listen-v4 Force standalone/tls server to listen at ipv4.
5449 --listen-v6 Force standalone/tls server to listen at ipv6.
a746139c 5450 --openssl-bin Specifies a custom openssl bin location.
9b124070 5451 --use-wget Force to use wget, if you have both curl and wget installed.
4c3b3608 5452 "
5453}
5454
86ef0a26 5455# nocron noprofile
4a0f23e2 5456_installOnline() {
5457 _info "Installing from online archive."
52677b0a 5458 _nocron="$1"
86ef0a26 5459 _noprofile="$2"
4c2a3841 5460 if [ ! "$BRANCH" ]; then
4a0f23e2 5461 BRANCH="master"
5462 fi
a8df88ab 5463
4a0f23e2 5464 target="$PROJECT/archive/$BRANCH.tar.gz"
5465 _info "Downloading $target"
5466 localname="$BRANCH.tar.gz"
4c2a3841 5467 if ! _get "$target" >$localname; then
df9547ae 5468 _err "Download error."
4a0f23e2 5469 return 1
5470 fi
0bbe6eef 5471 (
4c2a3841 5472 _info "Extracting $localname"
3a3b0dd5 5473 if ! (tar xzf $localname || gtar xzf $localname); then
5474 _err "Extraction error."
5475 exit 1
5476 fi
4c2a3841 5477
5478 cd "$PROJECT_NAME-$BRANCH"
5479 chmod +x $PROJECT_ENTRY
86ef0a26 5480 if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
4c2a3841 5481 _info "Install success!"
5482 fi
5483
5484 cd ..
5485
5486 rm -rf "$PROJECT_NAME-$BRANCH"
5487 rm -f "$localname"
0bbe6eef 5488 )
4a0f23e2 5489}
5490
52677b0a 5491upgrade() {
5492 if (
267f283a 5493 _initpath
5494 export LE_WORKING_DIR
d0b748a4 5495 cd "$LE_WORKING_DIR"
86ef0a26 5496 _installOnline "nocron" "noprofile"
4c2a3841 5497 ); then
52677b0a 5498 _info "Upgrade success!"
096d8992 5499 exit 0
52677b0a 5500 else
5501 _err "Upgrade failed!"
096d8992 5502 exit 1
52677b0a 5503 fi
5504}
a63b05a9 5505
5ea6e9c9 5506_processAccountConf() {
4c2a3841 5507 if [ "$_useragent" ]; then
5ea6e9c9 5508 _saveaccountconf "USER_AGENT" "$_useragent"
4c2a3841 5509 elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ]; then
d0871bda 5510 _saveaccountconf "USER_AGENT" "$USER_AGENT"
5ea6e9c9 5511 fi
4c2a3841 5512
5513 if [ "$_accountemail" ]; then
5ea6e9c9 5514 _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
4c2a3841 5515 elif [ "$ACCOUNT_EMAIL" ] && [ "$ACCOUNT_EMAIL" != "$DEFAULT_ACCOUNT_EMAIL" ]; then
d0871bda 5516 _saveaccountconf "ACCOUNT_EMAIL" "$ACCOUNT_EMAIL"
5ea6e9c9 5517 fi
4c2a3841 5518
a746139c 5519 if [ "$_openssl_bin" ]; then
851fedf7 5520 _saveaccountconf "ACME_OPENSSL_BIN" "$_openssl_bin"
5521 elif [ "$ACME_OPENSSL_BIN" ] && [ "$ACME_OPENSSL_BIN" != "$DEFAULT_OPENSSL_BIN" ]; then
5522 _saveaccountconf "ACME_OPENSSL_BIN" "$ACME_OPENSSL_BIN"
a746139c 5523 fi
5524
4c2a3841 5525 if [ "$_auto_upgrade" ]; then
6bf281f9 5526 _saveaccountconf "AUTO_UPGRADE" "$_auto_upgrade"
4c2a3841 5527 elif [ "$AUTO_UPGRADE" ]; then
6bf281f9 5528 _saveaccountconf "AUTO_UPGRADE" "$AUTO_UPGRADE"
5529 fi
4c2a3841 5530
9b124070 5531 if [ "$_use_wget" ]; then
5532 _saveaccountconf "ACME_USE_WGET" "$_use_wget"
5533 elif [ "$ACME_USE_WGET" ]; then
5534 _saveaccountconf "ACME_USE_WGET" "$ACME_USE_WGET"
5535 fi
5536
5ea6e9c9 5537}
5538
a63b05a9 5539_process() {
5540 _CMD=""
5541 _domain=""
3f4513b3 5542 _altdomains="$NO_VALUE"
a63b05a9 5543 _webroot=""
875625b1 5544 _challenge_alias=""
bdbf323f 5545 _keylength=""
5546 _accountkeylength=""
5c539af7 5547 _cert_file=""
5548 _key_file=""
5549 _ca_file=""
5550 _fullchain_file=""
4d2f38b0 5551 _reloadcmd=""
a63b05a9 5552 _password=""
635695ec 5553 _accountconf=""
5554 _useragent=""
b5eb4b90 5555 _accountemail=""
5556 _accountkey=""
b2817897 5557 _certhome=""
27dbe77f 5558 _confighome=""
39c8f79f 5559 _httpport=""
e22bcf7c 5560 _tlsport=""
0e38c60d 5561 _dnssleep=""
dcf4f8f6 5562 _listraw=""
cc179731 5563 _stopRenewOnError=""
e3698edd 5564 #_insecure=""
78009539 5565 _ca_bundle=""
2aa75f03 5566 _ca_path=""
c8e9a31e 5567 _nocron=""
43822d37 5568 _ecc=""
10afcaca 5569 _csr=""
b0070f03 5570 _pre_hook=""
5571 _post_hook=""
5572 _renew_hook=""
a61fe418 5573 _deploy_hook=""
5ea6e9c9 5574 _logfile=""
d0871bda 5575 _log=""
0463b5d6 5576 _local_address=""
a73c5b33 5577 _log_level=""
6bf281f9 5578 _auto_upgrade=""
6ae0f7f5 5579 _listen_v4=""
5580 _listen_v6=""
a746139c 5581 _openssl_bin=""
e2edf208 5582 _syslog=""
9b124070 5583 _use_wget=""
98394f99 5584 _server=""
4c2a3841 5585 while [ ${#} -gt 0 ]; do
a63b05a9 5586 case "${1}" in
4c2a3841 5587
5588 --help | -h)
a63b05a9 5589 showhelp
5590 return
5591 ;;
4c2a3841 5592 --version | -v)
a63b05a9 5593 version
5594 return
5595 ;;
4c2a3841 5596 --install)
a63b05a9 5597 _CMD="install"
5598 ;;
4c2a3841 5599 --uninstall)
a63b05a9 5600 _CMD="uninstall"
5601 ;;
4c2a3841 5602 --upgrade)
52677b0a 5603 _CMD="upgrade"
5604 ;;
4c2a3841 5605 --issue)
a63b05a9 5606 _CMD="issue"
5607 ;;
4c2a3841 5608 --deploy)
a61fe418 5609 _CMD="deploy"
5610 ;;
4c2a3841 5611 --signcsr)
10afcaca 5612 _CMD="signcsr"
5613 ;;
4c2a3841 5614 --showcsr)
10afcaca 5615 _CMD="showcsr"
5616 ;;
db7e4bf9 5617 --installcert | -i | --install-cert)
a63b05a9 5618 _CMD="installcert"
5619 ;;
4c2a3841 5620 --renew | -r)
a63b05a9 5621 _CMD="renew"
5622 ;;
db7e4bf9 5623 --renewAll | --renewall | --renew-all)
a63b05a9 5624 _CMD="renewAll"
5625 ;;
4c2a3841 5626 --revoke)
a63b05a9 5627 _CMD="revoke"
5628 ;;
78f0201d 5629 --remove)
5630 _CMD="remove"
5631 ;;
4c2a3841 5632 --list)
6d7eda3e 5633 _CMD="list"
5634 ;;
ee20015d 5635 --installcronjob | --install-cronjob)
a63b05a9 5636 _CMD="installcronjob"
5637 ;;
db7e4bf9 5638 --uninstallcronjob | --uninstall-cronjob)
a63b05a9 5639 _CMD="uninstallcronjob"
5640 ;;
4c2a3841 5641 --cron)
a63b05a9 5642 _CMD="cron"
5643 ;;
4c2a3841 5644 --toPkcs)
a63b05a9 5645 _CMD="toPkcs"
4c2a3841 5646 ;;
4410226d 5647 --toPkcs8)
5648 _CMD="toPkcs8"
342128a4 5649 ;;
0984585d 5650 --createAccountKey | --createaccountkey | -cak | --create-account-key)
a63b05a9 5651 _CMD="createAccountKey"
5652 ;;
0984585d 5653 --createDomainKey | --createdomainkey | -cdk | --create-domain-key)
a63b05a9 5654 _CMD="createDomainKey"
5655 ;;
4c2a3841 5656 --createCSR | --createcsr | -ccr)
a63b05a9 5657 _CMD="createCSR"
5658 ;;
4c2a3841 5659 --deactivate)
0c00e870 5660 _CMD="deactivate"
5661 ;;
ee20015d 5662 --updateaccount | --update-account)
eb59817e 5663 _CMD="updateaccount"
5664 ;;
ee20015d 5665 --registeraccount | --register-account)
eb59817e 5666 _CMD="registeraccount"
5667 ;;
422dd1fa 5668 --deactivate-account)
5669 _CMD="deactivateaccount"
5670 ;;
4c2a3841 5671 --domain | -d)
a63b05a9 5672 _dvalue="$2"
4c2a3841 5673
5674 if [ "$_dvalue" ]; then
5675 if _startswith "$_dvalue" "-"; then
ee1737a5 5676 _err "'$_dvalue' is not a valid domain for parameter '$1'"
5677 return 1
5678 fi
4c2a3841 5679 if _is_idn "$_dvalue" && ! _exists idn; then
9774b01b 5680 _err "It seems that $_dvalue is an IDN( Internationalized Domain Names), please install 'idn' command first."
5681 return 1
5682 fi
4c2a3841 5683
9e9f839d 5684 if _startswith "$_dvalue" "*."; then
5685 _debug "Wildcard domain"
5686 export ACME_VERSION=2
5687 fi
4c2a3841 5688 if [ -z "$_domain" ]; then
ee1737a5 5689 _domain="$_dvalue"
a63b05a9 5690 else
4c2a3841 5691 if [ "$_altdomains" = "$NO_VALUE" ]; then
ee1737a5 5692 _altdomains="$_dvalue"
5693 else
5694 _altdomains="$_altdomains,$_dvalue"
5695 fi
a63b05a9 5696 fi
5697 fi
4c2a3841 5698
a63b05a9 5699 shift
5700 ;;
5701
4c2a3841 5702 --force | -f)
a63b05a9 5703 FORCE="1"
5704 ;;
4c2a3841 5705 --staging | --test)
a63b05a9 5706 STAGE="1"
5707 ;;
48d9a8c1 5708 --server)
5709 ACME_DIRECTORY="$2"
98394f99 5710 _server="$ACME_DIRECTORY"
48d9a8c1 5711 export ACME_DIRECTORY
5712 shift
5713 ;;
4c2a3841 5714 --debug)
5715 if [ -z "$2" ] || _startswith "$2" "-"; then
fc6cf4d9 5716 DEBUG="$DEBUG_LEVEL_DEFAULT"
a63b05a9 5717 else
5718 DEBUG="$2"
5719 shift
4c2a3841 5720 fi
a63b05a9 5721 ;;
e6e85b0c 5722 --output-insecure)
5723 export OUTPUT_INSECURE=1
5724 ;;
4c2a3841 5725 --webroot | -w)
a63b05a9 5726 wvalue="$2"
4c2a3841 5727 if [ -z "$_webroot" ]; then
a63b05a9 5728 _webroot="$wvalue"
5729 else
5730 _webroot="$_webroot,$wvalue"
5731 fi
5732 shift
4c2a3841 5733 ;;
875625b1 5734 --challenge-alias)
5735 cvalue="$2"
5736 _challenge_alias="$_challenge_alias$cvalue,"
5737 shift
5738 ;;
64821ad4 5739 --domain-alias)
5740 cvalue="$DNS_ALIAS_PREFIX$2"
5741 _challenge_alias="$_challenge_alias$cvalue,"
5742 shift
1f7df33e 5743 ;;
4c2a3841 5744 --standalone)
3f4513b3 5745 wvalue="$NO_VALUE"
4c2a3841 5746 if [ -z "$_webroot" ]; then
a63b05a9 5747 _webroot="$wvalue"
5748 else
5749 _webroot="$_webroot,$wvalue"
5750 fi
5751 ;;
0e44f587 5752 --stateless)
5753 wvalue="$MODE_STATELESS"
5754 if [ -z "$_webroot" ]; then
5755 _webroot="$wvalue"
5756 else
5757 _webroot="$_webroot,$wvalue"
5758 fi
5759 ;;
4c2a3841 5760 --local-address)
0463b5d6 5761 lvalue="$2"
5762 _local_address="$_local_address$lvalue,"
5763 shift
5764 ;;
4c2a3841 5765 --apache)
a63b05a9 5766 wvalue="apache"
4c2a3841 5767 if [ -z "$_webroot" ]; then
a63b05a9 5768 _webroot="$wvalue"
5769 else
5770 _webroot="$_webroot,$wvalue"
5771 fi
5772 ;;
9d725af6 5773 --nginx)
5774 wvalue="$NGINX"
5775 if [ -z "$_webroot" ]; then
5776 _webroot="$wvalue"
5777 else
5778 _webroot="$_webroot,$wvalue"
5779 fi
5780 ;;
4c2a3841 5781 --dns)
a63b05a9 5782 wvalue="dns"
a5c56c54 5783 if [ "$2" ] && ! _startswith "$2" "-"; then
a63b05a9 5784 wvalue="$2"
5785 shift
5786 fi
4c2a3841 5787 if [ -z "$_webroot" ]; then
a63b05a9 5788 _webroot="$wvalue"
5789 else
5790 _webroot="$_webroot,$wvalue"
5791 fi
5792 ;;
4c2a3841 5793 --dnssleep)
0e38c60d 5794 _dnssleep="$2"
5795 Le_DNSSleep="$_dnssleep"
5796 shift
5797 ;;
4c2a3841 5798
5799 --keylength | -k)
a63b05a9 5800 _keylength="$2"
a63b05a9 5801 shift
5802 ;;
4c2a3841 5803 --accountkeylength | -ak)
2ce87fe2 5804 _accountkeylength="$2"
a63b05a9 5805 shift
5806 ;;
5807
5c539af7 5808 --cert-file | --certpath)
5809 _cert_file="$2"
a63b05a9 5810 shift
5811 ;;
5c539af7 5812 --key-file | --keypath)
5813 _key_file="$2"
a63b05a9 5814 shift
5815 ;;
5c539af7 5816 --ca-file | --capath)
5817 _ca_file="$2"
a63b05a9 5818 shift
5819 ;;
5c539af7 5820 --fullchain-file | --fullchainpath)
5821 _fullchain_file="$2"
a63b05a9 5822 shift
5823 ;;
4c2a3841 5824 --reloadcmd | --reloadCmd)
a63b05a9 5825 _reloadcmd="$2"
5826 shift
5827 ;;
4c2a3841 5828 --password)
a63b05a9 5829 _password="$2"
5830 shift
5831 ;;
4c2a3841 5832 --accountconf)
635695ec 5833 _accountconf="$2"
5834 ACCOUNT_CONF_PATH="$_accountconf"
a7b7355d 5835 shift
a63b05a9 5836 ;;
4c2a3841 5837 --home)
a63b05a9 5838 LE_WORKING_DIR="$2"
a7b7355d 5839 shift
a63b05a9 5840 ;;
ee20015d 5841 --certhome | --cert-home)
b2817897 5842 _certhome="$2"
5843 CERT_HOME="$_certhome"
5844 shift
4c2a3841 5845 ;;
27dbe77f 5846 --config-home)
5847 _confighome="$2"
f5b546b3 5848 LE_CONFIG_HOME="$_confighome"
27dbe77f 5849 shift
5850 ;;
4c2a3841 5851 --useragent)
635695ec 5852 _useragent="$2"
5853 USER_AGENT="$_useragent"
5854 shift
5855 ;;
4c2a3841 5856 --accountemail)
b5eb4b90 5857 _accountemail="$2"
5858 ACCOUNT_EMAIL="$_accountemail"
5859 shift
5860 ;;
4c2a3841 5861 --accountkey)
b5eb4b90 5862 _accountkey="$2"
5863 ACCOUNT_KEY_PATH="$_accountkey"
5864 shift
5865 ;;
4c2a3841 5866 --days)
06625071 5867 _days="$2"
5868 Le_RenewalDays="$_days"
5869 shift
5870 ;;
4c2a3841 5871 --httpport)
39c8f79f 5872 _httpport="$2"
5873 Le_HTTPPort="$_httpport"
5874 shift
5875 ;;
4c2a3841 5876 --listraw)
dcf4f8f6 5877 _listraw="raw"
4c2a3841 5878 ;;
5879 --stopRenewOnError | --stoprenewonerror | -se)
cc179731 5880 _stopRenewOnError="1"
5881 ;;
4c2a3841 5882 --insecure)
e3698edd 5883 #_insecure="1"
fac1e367 5884 HTTPS_INSECURE="1"
13d7cae9 5885 ;;
4c2a3841 5886 --ca-bundle)
78d1cfb4 5887 _ca_bundle="$(_readlink "$2")"
78009539
PS		 5888 CA_BUNDLE="$_ca_bundle"
5889 shift
5890 ;;
2aa75f03 5891 --ca-path)
5892 _ca_path="$2"
5893 CA_PATH="$_ca_path"
5894 shift
5895 ;;
4c2a3841 5896 --nocron)
c8e9a31e 5897 _nocron="1"
5898 ;;
08b4e1a7 5899 --no-color)
5900 export ACME_NO_COLOR=1
5901 ;;
4c2a3841 5902 --ecc)
43822d37 5903 _ecc="isEcc"
5904 ;;
4c2a3841 5905 --csr)
10afcaca 5906 _csr="$2"
5907 shift
5908 ;;
4c2a3841 5909 --pre-hook)
b0070f03 5910 _pre_hook="$2"
5911 shift
5912 ;;
4c2a3841 5913 --post-hook)
b0070f03 5914 _post_hook="$2"
5915 shift
5916 ;;
4c2a3841 5917 --renew-hook)
b0070f03 5918 _renew_hook="$2"
5919 shift
5920 ;;
4c2a3841 5921 --deploy-hook)
93bce1b2 5922 if [ -z "$2" ] || _startswith "$2" "-"; then
5923 _usage "Please specify a value for '--deploy-hook'"
5924 return 1
5925 fi
5926 _deploy_hook="$_deploy_hook$2,"
a61fe418 5927 shift
5928 ;;
4c2a3841 5929 --ocsp-must-staple | --ocsp)
96db9362 5930 Le_OCSP_Staple="1"
0c9546cc 5931 ;;
c4b2e582 5932 --always-force-new-domain-key)
5933 if [ -z "$2" ] || _startswith "$2" "-"; then
5934 Le_ForceNewDomainKey=1
5935 else
5936 Le_ForceNewDomainKey="$2"
5937 shift
5938 fi
5939 ;;
4c2a3841 5940 --log | --logfile)
d0871bda 5941 _log="1"
5ea6e9c9 5942 _logfile="$2"
4c2a3841 5943 if _startswith "$_logfile" '-'; then
d0871bda 5944 _logfile=""
5945 else
5946 shift
5947 fi
5ea6e9c9 5948 LOG_FILE="$_logfile"
4c2a3841 5949 if [ -z "$LOG_LEVEL" ]; then
a73c5b33 5950 LOG_LEVEL="$DEFAULT_LOG_LEVEL"
5951 fi
5952 ;;
4c2a3841 5953 --log-level)
30bfc2ce 5954 _log_level="$2"
a73c5b33 5955 LOG_LEVEL="$_log_level"
5956 shift
5ea6e9c9 5957 ;;
e2edf208 5958 --syslog)
5959 if ! _startswith "$2" '-'; then
5960 _syslog="$2"
5961 shift
5962 fi
5963 if [ -z "$_syslog" ]; then
fc6cf4d9 5964 _syslog="$SYSLOG_LEVEL_DEFAULT"
e2edf208 5965 fi
5966 ;;
4c2a3841 5967 --auto-upgrade)
6bf281f9 5968 _auto_upgrade="$2"
4c2a3841 5969 if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then
6bf281f9 5970 _auto_upgrade="1"
5971 else
5972 shift
5973 fi
5974 AUTO_UPGRADE="$_auto_upgrade"
5975 ;;
4c2a3841 5976 --listen-v4)
6ae0f7f5 5977 _listen_v4="1"
5978 Le_Listen_V4="$_listen_v4"
5979 ;;
4c2a3841 5980 --listen-v6)
6ae0f7f5 5981 _listen_v6="1"
5982 Le_Listen_V6="$_listen_v6"
5983 ;;
a746139c 5984 --openssl-bin)
5985 _openssl_bin="$2"
851fedf7 5986 ACME_OPENSSL_BIN="$_openssl_bin"
7c2e8754 5987 shift
a746139c 5988 ;;
9b124070 5989 --use-wget)
5990 _use_wget="1"
5991 ACME_USE_WGET="1"
5992 ;;
4c2a3841 5993 *)
a63b05a9 5994 _err "Unknown parameter : $1"
5995 return 1
5996 ;;
5997 esac
5998
5999 shift 1
6000 done
6001
4c2a3841 6002 if [ "${_CMD}" != "install" ]; then
5ea6e9c9 6003 __initHome
661f0583 6004 if [ "$_log" ]; then
4c2a3841 6005 if [ -z "$_logfile" ]; then
661f0583 6006 _logfile="$DEFAULT_LOG_FILE"
6007 fi
d0871bda 6008 fi
4c2a3841 6009 if [ "$_logfile" ]; then
5ea6e9c9 6010 _saveaccountconf "LOG_FILE" "$_logfile"
661f0583 6011 LOG_FILE="$_logfile"
5ea6e9c9 6012 fi
a73c5b33 6013
4c2a3841 6014 if [ "$_log_level" ]; then
a73c5b33 6015 _saveaccountconf "LOG_LEVEL" "$_log_level"
6016 LOG_LEVEL="$_log_level"
6017 fi
4c2a3841 6018
e2edf208 6019 if [ "$_syslog" ]; then
6020 if _exists logger; then
6021 if [ "$_syslog" = "0" ]; then
6022 _clearaccountconf "SYS_LOG"
6023 else
6024 _saveaccountconf "SYS_LOG" "$_syslog"
6025 fi
6026 SYS_LOG="$_syslog"
6027 else
6028 _err "The 'logger' command is not found, can not enable syslog."
6029 _clearaccountconf "SYS_LOG"
6030 SYS_LOG=""
6031 fi
6032 fi
6033
5ea6e9c9 6034 _processAccountConf
6035 fi
4c2a3841 6036
9d548d81 6037 _debug2 LE_WORKING_DIR "$LE_WORKING_DIR"
4c2a3841 6038
6039 if [ "$DEBUG" ]; then
dcf9cb58 6040 version
98394f99 6041 if [ "$_server" ]; then
6042 _debug "Using server: $_server"
6043 fi
dcf9cb58 6044 fi
a63b05a9 6045
6046 case "${_CMD}" in
27dbe77f 6047 install) install "$_nocron" "$_confighome" ;;
bc96082f 6048 uninstall) uninstall "$_nocron" ;;
52677b0a 6049 upgrade) upgrade ;;
a63b05a9 6050 issue)
875625b1 6051 issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
a63b05a9 6052 ;;
a61fe418 6053 deploy)
6054 deploy "$_domain" "$_deploy_hook" "$_ecc"
6055 ;;
10afcaca 6056 signcsr)
875625b1 6057 signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
10afcaca 6058 ;;
6059 showcsr)
6060 showcsr "$_csr" "$_domain"
6061 ;;
a63b05a9 6062 installcert)
5c539af7 6063 installcert "$_domain" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_ecc"
a63b05a9 6064 ;;
4c2a3841 6065 renew)
43822d37 6066 renew "$_domain" "$_ecc"
a63b05a9 6067 ;;
4c2a3841 6068 renewAll)
cc179731 6069 renewAll "$_stopRenewOnError"
a63b05a9 6070 ;;
4c2a3841 6071 revoke)
43822d37 6072 revoke "$_domain" "$_ecc"
a63b05a9 6073 ;;
78f0201d 6074 remove)
6075 remove "$_domain" "$_ecc"
6076 ;;
4c2a3841 6077 deactivate)
3f4513b3 6078 deactivate "$_domain,$_altdomains"
eb59817e 6079 ;;
4c2a3841 6080 registeraccount)
57e58ce7 6081 registeraccount "$_accountkeylength"
eb59817e 6082 ;;
4c2a3841 6083 updateaccount)
eb59817e 6084 updateaccount
6085 ;;
422dd1fa 6086 deactivateaccount)
6087 deactivateaccount
6088 ;;
4c2a3841 6089 list)
dcf4f8f6 6090 list "$_listraw"
6d7eda3e 6091 ;;
27dbe77f 6092 installcronjob) installcronjob "$_confighome" ;;
a63b05a9 6093 uninstallcronjob) uninstallcronjob ;;
6094 cron) cron ;;
4c2a3841 6095 toPkcs)
43822d37 6096 toPkcs "$_domain" "$_password" "$_ecc"
a63b05a9 6097 ;;
4410226d 6098 toPkcs8)
6099 toPkcs8 "$_domain" "$_ecc"
6100 ;;
4c2a3841 6101 createAccountKey)
5fbc47eb 6102 createAccountKey "$_accountkeylength"
a63b05a9 6103 ;;
4c2a3841 6104 createDomainKey)
a63b05a9 6105 createDomainKey "$_domain" "$_keylength"
6106 ;;
4c2a3841 6107 createCSR)
43822d37 6108 createCSR "$_domain" "$_altdomains" "$_ecc"
a63b05a9 6109 ;;
6110
6111 *)
27dbe77f 6112 if [ "$_CMD" ]; then
6113 _err "Invalid command: $_CMD"
6114 fi
4c2a3841 6115 showhelp
a63b05a9 6116 return 1
4c2a3841 6117 ;;
a63b05a9 6118 esac
d3595686 6119 _ret="$?"
4c2a3841 6120 if [ "$_ret" != "0" ]; then
d3595686 6121 return $_ret
6122 fi
4c2a3841 6123
6124 if [ "${_CMD}" = "install" ]; then
6125 if [ "$_log" ]; then
6126 if [ -z "$LOG_FILE" ]; then
d0871bda 6127 LOG_FILE="$DEFAULT_LOG_FILE"
6128 fi
6129 _saveaccountconf "LOG_FILE" "$LOG_FILE"
5ea6e9c9 6130 fi
4c2a3841 6131
6132 if [ "$_log_level" ]; then
a73c5b33 6133 _saveaccountconf "LOG_LEVEL" "$_log_level"
6134 fi
e2edf208 6135
6136 if [ "$_syslog" ]; then
6137 if _exists logger; then
6138 if [ "$_syslog" = "0" ]; then
6139 _clearaccountconf "SYS_LOG"
6140 else
6141 _saveaccountconf "SYS_LOG" "$_syslog"
6142 fi
6143 else
6144 _err "The 'logger' command is not found, can not enable syslog."
6145 _clearaccountconf "SYS_LOG"
6146 SYS_LOG=""
6147 fi
6148 fi
6149
5ea6e9c9 6150 _processAccountConf
b5eb4b90 6151 fi
635695ec 6152
a63b05a9 6153}
6154
4c2a3841 6155if [ "$INSTALLONLINE" ]; then
d1f97fc8 6156 INSTALLONLINE=""
2fbf3991 6157 _installOnline
4a0f23e2 6158 exit
6159fi
4c3b3608 6160
319e0ae3 6161main() {
6162 [ -z "$1" ] && showhelp && return
4c2a3841 6163 if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
319e0ae3 6164}
e69a7c38 6165
aa7b82de 6166main "$@"
acme.sh DNS challenge mirror