third-party-tools/acme.sh
1
0
Fork 0
mirror of https://github.com/acmesh-official/acme.sh synced 2025-11-23 17:26:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: third-party-tools:3.0.5
Branches Tags
third-party-tools:master third-party-tools:dev third-party-tools:ari third-party-tools:tlsa third-party-tools:u third-party-tools:shebang third-party-tools:json third-party-tools:dnsconf third-party-tools:cron
third-party-tools:3.1.1 third-party-tools:3.1.0 third-party-tools:3.0.9 third-party-tools:3.0.8 third-party-tools:3.0.7 third-party-tools:3.0.6 third-party-tools:3.0.5 third-party-tools:v3.0.5 third-party-tools:3.0.4 third-party-tools:3.0.3 third-party-tools:3.0.2 third-party-tools:3.0.1 third-party-tools:3.0.0 third-party-tools:2.9.0 third-party-tools:2.8.9 third-party-tools:2.8.8 third-party-tools:2.8.7 third-party-tools:2.8.6 third-party-tools:2.8.5 third-party-tools:2.8.4 third-party-tools:2.8.3 third-party-tools:2.8.2 third-party-tools:2.8.1 third-party-tools:2.8.0 third-party-tools:2.7.9 third-party-tools:2.7.8 third-party-tools:2.7.7 third-party-tools:2.7.6 third-party-tools:2.7.5 third-party-tools:2.7.4 third-party-tools:2.7.3 third-party-tools:2.7.2 third-party-tools:2.7.1 third-party-tools:v2.6.9 third-party-tools:2.6.8 third-party-tools:2.6.6 third-party-tools:2.6.5 third-party-tools:2.6.4 third-party-tools:2.6.0 third-party-tools:2.5.2 third-party-tools:2.3.0 third-party-tools:2.2.9 third-party-tools:2.0.2 third-party-tools:1.2.3 third-party-tools:1.2.2
..
compare: third-party-tools:3.0.7
Branches Tags
third-party-tools:dev third-party-tools:master third-party-tools:ari third-party-tools:tlsa third-party-tools:u third-party-tools:shebang third-party-tools:json third-party-tools:dnsconf third-party-tools:cron
third-party-tools:3.1.1 third-party-tools:3.1.0 third-party-tools:3.0.9 third-party-tools:3.0.8 third-party-tools:3.0.7 third-party-tools:3.0.6 third-party-tools:3.0.5 third-party-tools:v3.0.5 third-party-tools:3.0.4 third-party-tools:3.0.3 third-party-tools:3.0.2 third-party-tools:3.0.1 third-party-tools:3.0.0 third-party-tools:2.9.0 third-party-tools:2.8.9 third-party-tools:2.8.8 third-party-tools:2.8.7 third-party-tools:2.8.6 third-party-tools:2.8.5 third-party-tools:2.8.4 third-party-tools:2.8.3 third-party-tools:2.8.2 third-party-tools:2.8.1 third-party-tools:2.8.0 third-party-tools:2.7.9 third-party-tools:2.7.8 third-party-tools:2.7.7 third-party-tools:2.7.6 third-party-tools:2.7.5 third-party-tools:2.7.4 third-party-tools:2.7.3 third-party-tools:2.7.2 third-party-tools:2.7.1 third-party-tools:v2.6.9 third-party-tools:2.6.8 third-party-tools:2.6.6 third-party-tools:2.6.5 third-party-tools:2.6.4 third-party-tools:2.6.0 third-party-tools:2.5.2 third-party-tools:2.3.0 third-party-tools:2.2.9 third-party-tools:2.0.2 third-party-tools:1.2.3 third-party-tools:1.2.2

305 Commits
3.0.5 ... 3.0.7

Author SHA1 Message Date
neil
377a37e4c9 Merge pull request #4820 from acmesh-official/dev 
sync
 2023-10-05 13:25:27 +08:00
neil
6e163208b4 Merge pull request #4809 from winromulus/dev 
fix: Synology DSM API path regex
 2023-09-26 09:23:43 +08:00
Romeo Dumitrescu
87a7bde618 fix: Synology DSM API path regex 
Fix the regex for looking up the API path value from the Synology API query.
 2023-09-25 18:43:01 +03:00
neil
37b0498699 Merge pull request #4805 from acmesh-official/dev 
sync
 2023-09-24 17:03:38 +08:00
neil
59f976dc48 fix https://github.com/acmesh-official/acme.sh/issues/4798 2023-09-20 18:07:16 +08:00
neil
8565a853a8 Merge pull request #4787 from TobiasGrave/fix_variomedia_api 
Fix Variomedia API
 2023-09-15 09:07:24 +08:00
Tobias Grave
dfd49e46ad Fix root zone determination for Variomedia API 2023-09-14 09:25:45 +02:00
neil
73bbaced62 Merge pull request #4782 from KincaidYang/KincaidYang-patch-4 
Add TencentCloud API
 2023-09-13 21:13:33 +08:00
neil
0c8870cb7f Merge pull request #944 from MarcelWaldvogel/random-cron 
Random cron
 2023-09-13 21:07:51 +08:00
neil
1a90f66f73 Merge pull request #4794 from zbbfufu/feature/gandi-replace-apikey-by-personal-token 
dns_gandi: implements token in addition to the (deprecated) API key
 2023-09-13 18:02:12 +08:00
Julien Furgerot
558e706bde fix ci errors (shellcheck & shfmt) 2023-09-12 15:54:44 +02:00
Julien Furgerot
1a08be0a3f dns_gandi: implements personal access token in addition to the (deprecated) API key 2023-09-12 09:48:09 +02:00
Tobias Grave
ae4c186f55 Fix Variomedia API 2023-09-07 08:40:46 +02:00
KincaidYang
af534a73fc 移除部分敏感debug信息 2023-09-06 13:09:52 +08:00
KincaidYang
772bbdc862 Replace some functions 2023-09-06 12:57:19 +08:00
neil
86521ec443 Merge pull request #4754 from LJea/master 
Improved api compatibility with devices
 2023-09-04 15:55:04 +08:00
KincaidYang
e3c4c9265d Replace some functions. 2023-09-03 21:21:05 +08:00
KincaidYang
b3f8612e61 Following Neilpang's suggestions and project standards, replace some functions. 2023-09-03 01:31:57 +08:00
LJea
27b1dd04c4 improve the compatibility 
Fixed an issue where some embedded devices could not obtain nanoseconds resulting in abnormal parameter coding
 2023-09-03 01:02:16 +09:00
neil
46a876445f Merge pull request #3959 from Eagle3386/master 
Add ArtFiles.de DNS API plugin
 2023-09-02 22:39:00 +08:00
neil
9bb58e47a7 Merge pull request #4728 from Eagle3386/dev-1 
Fix Auth API access for DSM 6
 2023-09-02 22:06:22 +08:00
neil
b8447fcab8 Merge pull request #4780 from acmesh-official/dev 
sync
 2023-09-02 19:08:54 +08:00
KincaidYang
3abcfd8fa9 Add dns_tencent.sh 
Adapt to Tencent Cloud (DNSPod) API 3.0
 2023-09-02 18:47:59 +08:00
neil
f4ff2d5d2e Merge pull request #4779 from KincaidYang/master 2023-09-02 18:43:53 +08:00
KincaidYang
09b41aa667 fix for nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation 
In #4776, I mistakenly added libnghttp2 to NetBSD, now for correction.
 2023-09-02 18:38:51 +08:00
KincaidYang
87dc4fe388 fix for curl bugs nghttp2_option_set_no_rfc9113_leading_and_trailing_… 
In #4776, I mistakenly added libnghttp2 to NetBsd, and now it has been corrected and added to OpenBsd
 2023-09-02 18:23:14 +08:00
neil
eed8a7f078 add more debug code https://github.com/acmesh-official/acme.sh/issues/4768 2023-09-02 17:27:21 +08:00
neil
c18364c755 change default log level to 2 2023-09-02 17:18:12 +08:00
neil
04946e992e change the default debug level to 2. 2023-09-02 17:15:17 +08:00
neil
5533782152 Merge pull request #4777 from acmesh-official/dev 
sync
 2023-09-02 17:09:45 +08:00
neil
3f42487f0a Merge pull request #4749 from Nirzak/Nirzak-patch-1 
Fixed grep pattern regex for nginx conf path
 2023-09-02 15:45:30 +08:00
neil
8bdcd22486 fix https://github.com/acmesh-official/acme.sh/issues/4746 2023-09-02 15:45:07 +08:00
neil
b32d22731b remove 2023-09-02 15:45:06 +08:00
neil
b788cc24d1 Merge pull request #4764 from sebastianas/inwx 
inwx: Be case insensitive while searching for the cookie.
 2023-09-02 15:36:43 +08:00
neil
94948f6d34 Merge pull request #4776 from KincaidYang/master 
fix for curl bugs nghttp2_option_set_no_rfc9113_leading_and_trailing_…
 2023-09-02 15:27:15 +08:00
KincaidYang
e5b76ed4c4 Delete dnsapi/dns_tencent.sh 2023-09-02 15:13:37 +08:00
KincaidYang
29a2920a2c Add dns_tencent.sh 
Adapt to Tencent Cloud (DNSPod) API 3.0
 2023-09-02 14:49:43 +08:00
KincaidYang
089d35708b fix for curl bugs nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation 
see
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2018342
b6f62ac446
https://github.com/acmesh-official/acme.sh/issues/4775
 2023-09-02 14:31:17 +08:00
Sebastian Andrzej Siewior
9b0b5bce9f inwx: Be case insensitive while searching for the cookie. 
At least since 2023-08-25 the cookie is set via `set-cookie' instead the
expecting `Set-Cookie' string. A month earlier it was working.

Ignore the case while matching the cookie.

Fixes: #4763
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 2023-08-28 21:33:54 +02:00
neil
3039e4eb6d Merge pull request #4755 from glocknerc/master-1 
Master 1
 2023-08-24 09:19:57 +08:00
glocknerc
9143cd1485 Change grep to be case-insensitive when looking for Set-Cookie header since INWX change casing to lowercase 2023-08-23 14:07:07 +02:00
Nirjas Jakilim
13d31ecb7f fixed regex for nginx conf path 
Fixed the regex for nginx path configuration to fix grep: unrecognized option error
 2023-08-21 12:28:50 +06:00
neil
a936b2f1f6 Merge pull request #4745 from vitoyucepi/help_punctuation 
Remove punctuation symbol
 2023-08-21 09:08:48 +08:00
Vito
8d00f489cd Remove excessive full stop from help 2023-08-20 17:11:14 +00:00
Martin Arndt
b793dbf977 Fix device ID property name for DSM 6 2023-08-11 17:55:45 +02:00
Martin Arndt
d52b38777a Fix Auth API access for DSM 6 2023-08-09 19:52:37 +02:00
neil
56cf93dff2 Merge pull request #4575 from sg1888/panos-ecc-fix 
Added functionality for Palo Alto Firewall deployments (PANOS)
 2023-07-30 21:45:50 +08:00
neil
67d84cadad Merge pull request #4708 from sg1888/verbiage 
Fixed help verbiage to reflect capabilities of --ecc flag
 2023-07-30 21:30:49 +08:00
neil
b384a24c0e Merge pull request #4710 from zearan/patch-1 
Fix the API calls that get the list of domains that PLESK can manage
 2023-07-30 21:19:23 +08:00
Martin Arndt
66a68edbe6 Merge branch 'acmesh-official:master' into master 2023-07-30 14:56:31 +02:00
neil
dcf3d7234e Merge pull request #4712 from samuel-jimenez/dev 
Add DNSExit.com API support
 2023-07-30 11:32:03 +08:00
neil
0da839cce3 Merge pull request #4720 from acmesh-official/dev 
sync
 2023-07-30 11:22:51 +08:00
neil
b6f62ac446 fix for curl bugs nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation 
see https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2018342
 2023-07-30 10:58:22 +08:00
neil
15ee036db1 fix for solaris 2023-07-29 23:30:44 +08:00
neil
6db8ae451a fix for solaris 2023-07-29 23:17:20 +08:00
neil
a7f3d413ef fix for solaris 2023-07-29 22:32:30 +08:00
Malte Rabenseifner
3b7be478aa Fix stuff from tests 
ShellCheck tests have brought up a couple of issues, that I was not aware of needed to be taken care. This should fix the tests.
 2023-07-29 11:27:33 +02:00
neil
7f39cdc856 fix format 2023-07-29 16:45:49 +08:00
Martin Arndt
80006f4730 Added bug report url 2023-07-29 10:26:59 +02:00
neil
a51025fe8f fix https://github.com/acmesh-official/acme.sh/issues/3645 2023-07-29 15:32:50 +08:00
neil
c42ed9c693 Merge pull request #4714 from hknet/master 
Update dns_kappernet.sh
 2023-07-28 10:41:56 +08:00
Harald Kapper
c48c8d07de Update dns_kappernet.sh 
dns update waiting time is reduced now (new backend at kapper.net)
 2023-07-27 21:49:23 +02:00
samuel
4d4b6edbc2 Add DNSExit.com API support 2023-07-26 10:40:44 -05:00
Malte Rabenseifner
2014ca9feb Fix the API calls that get the list of domains that PLESK can manage 2023-07-26 15:36:11 +02:00
sg1888
a9f631f404 Added help verbiage for --ecc flag 2023-07-21 16:49:20 +00:00
sg1888
1984f44ffe Shell formatting 2023-07-18 20:18:12 +00:00
sg1888
02de281e40 Removed unused variable 2023-07-18 20:15:46 +00:00
sg1888
ae035deb92 Fixed shell check errors 2023-07-18 20:10:31 +00:00
sg1888
edd1b60c3d Removed ability to specify API key to facilitate future multiple host functionality. 2023-07-18 19:43:47 +00:00
neil
55a3709bd1 Merge pull request #4700 from szhu25/patch-1 
Fix SES region variable
 2023-07-17 09:56:58 +08:00
Martin Arndt
d1fc01a407 RI 2023-07-15 19:31:12 +02:00
Martin Arndt
65293f81d9 Merge branch 'master' into dev 2023-07-15 19:29:50 +02:00
Martin Arndt
0afb0f7958 Merge branch 'acmesh-official:dev' into dev 2023-07-15 19:19:31 +02:00
Steven Zhu
dd958872a8 Fix SES region variable 
The last version do not save the SES region into the config file, breaking the notification hook.
 2023-07-14 12:47:44 -04:00
sg1888
62a2ce1d35 Merge remote-tracking branch 'upstream/dev' into panos-ecc-fix 2023-07-12 00:22:03 +00:00
sg1888
b556908cab Modified ECC file test 2023-07-12 00:03:21 +00:00
sg1888
e69a19db5c Incorporated partial commit to address issue #4198 2023-07-11 23:56:41 +00:00
sg1888
d86414febb Excluded scopes for api key test 2023-07-11 23:41:24 +00:00
sg1888
832318fab1 Merge remote-tracking branch 'upstream/master' into panos-ecc-fix 2023-07-11 20:25:43 +00:00
neil
80ad62ff56 Merge pull request #3208 from cusae/dev 
Add BookMyName API support
 2023-07-10 09:21:50 +08:00
Arnaud Launay
ee50f254df Add BookMyName API support 2023-07-09 20:08:10 +02:00
Arnaud Launay
cc0be6cd90 Merge branch 'acmesh-official:dev' into dev 2023-07-09 20:00:52 +02:00
neil
a7455d7edd fix https://github.com/acmesh-official/acme.sh/issues/4562#issuecomment-1598731384 2023-07-08 14:11:51 +08:00
neil
b7c370fff7 Merge pull request #4691 from acmesh-official/4442 
4442
 2023-07-08 13:49:18 +08:00
neil
8fd3a64e35 fix https://github.com/acmesh-official/acme.sh/issues/4442 2023-07-08 12:51:56 +08:00
neil
3761fb4377 fix bug https://github.com/acmesh-official/acme.sh/issues/4442 2023-07-08 12:37:01 +08:00
neil
0472f5da6a Revert "fix format" 
This reverts commit 09041fb81d.

Revert "fix https://github.com/acmesh-official/acme.sh/issues/4680"

This reverts commit 299a157409.
 2023-07-08 11:43:44 +08:00
neil
09041fb81d fix format 2023-07-08 11:19:09 +08:00
neil
299a157409 fix https://github.com/acmesh-official/acme.sh/issues/4680 
zerossl returns retry-after header within "200 OK" code.
so we don't check the "503" code anymore.
 2023-07-08 11:17:19 +08:00
neil
53ede7b0d8 Merge pull request #4646 from Eagle3386/patch-1 
Remove external OTP dependency from deploy hook Synology_DSM.sh
 2023-07-08 10:54:56 +08:00
neil
cd13aee3e7 Merge pull request #4687 from szhu25/ses-notifyhook 
Notify hook: AWS SES
 2023-07-08 10:33:27 +08:00
Martin Arndt
8b3acb719e Fix TXT record removal 2023-07-05 13:04:08 +02:00
Martin Arndt
2961a90e7f Make ShellCheck & ShellFormat happy 2023-07-05 11:14:49 +02:00
Martin Arndt
db8a2d0c65 Fix & improve DNS API for ArtFiles.de 2023-07-05 11:05:06 +02:00
Steven Zhu
a6b5f0c9d4 Fix variable naming to make the access key and secret key consistent with Route53. 2023-07-04 22:31:30 -04:00
Steven Zhu
8d136c6a25 Add newline at end of file to satisfy shfmt's "extra line" error 2023-07-04 22:15:53 -04:00
Steven Zhu
4d94270cde Add newline at end of file to satisfy shfmt's "No newline at end of file" error 2023-07-04 22:14:17 -04:00
Steven Zhu
e0d96bcb39 Add initial AWS SES support 
Copied most of the v4 api stuff from DNS_AWS hook (Thanks!)

New tokens added:
AWS_SES_ACCESS_KEY_ID
AWS_SES_SECRET_ACCESS_KEY
AWS_SES_REGION
AWS_SES_TO
AWS_SES_FROM
AWS_SES_FROM_NAME (Optional)
 2023-07-04 21:54:49 -04:00
Martin Arndt
0d7b831661 Fix variable initialization 2023-07-04 16:58:14 +02:00
Martin Arndt
0c9e4f67a8 Update synology_dsm.sh 
Split "[ && ]" into "[ ] && [ ]" to make ShellCheck happy
 2023-07-04 15:55:44 +02:00
Martin Arndt
da2c386b60 Merge branch 'acmesh-official:dev' into dev 2023-07-04 15:51:15 +02:00
Martin Arndt
4770364d42 Merge branch 'acmesh-official:master' into master 2023-07-04 15:50:01 +02:00
Martin Arndt
db3f131dfc Re-add deprecated SYNO_TOTP_SECRET part for legacy compatibility 
As requested in acmesh-official/acme.sh/pull/4646 by Neil Pang
 2023-07-04 15:47:19 +02:00
Martin Arndt
d7f58c64f8 Merge branch 'acmesh-official:master' into patch-1 2023-07-04 14:57:19 +02:00
neil
41b6aebe7c Merge pull request #4574 from systemcrash/patch-1 
Spelling / grammar
 2023-06-30 11:10:23 +08:00
neil
7d50332246 Merge pull request #4412 from phedoreanu/bugfix/1984_hosting_csrftoken 
dns_1984.hosting.sh: fix login with valid csrftoken
 2023-06-11 21:26:17 +08:00
Adrian Fedoreanu
0d0478245f dns_1984hosting.sh: fix login with valid csrftoken and sessionid 2023-06-11 15:22:45 +02:00
neil
f680ede980 start 3.0.7 2023-06-10 01:16:57 +08:00
neil
b7caf7a016 Merge pull request #4663 from acmesh-official/dev 
sync
 2023-06-09 21:09:23 +08:00
neil
891198e4f3 Merge pull request #4653 from stokito/dns_ovh_runabove 
dns_ovh.sh Add ovh-us endpoint
 2023-06-09 20:41:24 +08:00
neil
38c5910be4 Merge pull request #4658 from Justman10000/master 
Update
 2023-06-09 20:26:25 +08:00
neil
327e2fb0a4 remove all exec. 
https://github.com/acmesh-official/acme.sh/issues/4659
 2023-06-09 20:18:38 +08:00
neil
c20c219990 Merge pull request #4661 from acmesh-official/dev 
sync
 2023-06-09 20:04:51 +08:00
neil
4c30250782 fix https://github.com/acmesh-official/acme.sh/issues/4659 2023-06-09 19:59:29 +08:00
Justin Nogossek
caf23f9a04 Remove not anymore exists tutorials and websites 2023-06-07 23:36:18 +02:00
Justin Nogossek
beab808b76 Update URL 2023-06-07 23:35:47 +02:00
Sergey Ponomarev
6c8920f63e dns_ovh.sh Add ovh-us endpoint 
Remove discontinued runabove.com
If any new env will be added then a user may spe

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
 2023-06-05 12:54:54 +03:00
Martin Arndt
d108072bfb Add ArtFiles.de DNS API plugin 2023-05-30 09:24:17 +02:00
Martin Arndt
8cc7c5349a Merge branch 'acmesh-official:master' into master 2023-05-29 20:23:38 +02:00
Martin Arndt
fb33ea2a0b Fix single quote escaping 2023-05-29 20:21:16 +02:00
Martin Arndt
63fca33b04 Fix retrieval of domain zone 2023-05-29 20:12:52 +02:00
Martin Arndt
0548ad2fc6 Fix debug output of session ID 2023-05-28 22:33:15 +02:00
Martin Arndt
623d615cd7 Remove external OTP dependency from synology_dsm.sh 
Also adapt to DSM 7's API improvements.
 2023-05-28 21:42:53 +02:00
sg1888
126df9647b Modified keytest to perform a partial empty commit 2023-05-24 18:51:57 +00:00
sg1888
2e2e7cd054 Added ability to force commit to firewall. Username is now also mandatory 2023-05-17 20:06:06 +00:00
sg1888
0ebc9f7a44 Fixed typo 2023-05-15 01:46:21 +00:00
sg1888
a8fba65cbd Cleaned up verbiage. Added ability to store / update user variable. Added ability to use user/pass OR key 2023-05-15 01:43:54 +00:00
neil
51be15f66d Merge pull request #4150 from defnull/patch-sectigo-wildcard 
fix: Challenge not skipped for pre-validated wildcard domain orders
 2023-05-12 09:42:52 +08:00
neil
110e25e784 Merge pull request #4158 from lufi42/dev 
Plesk XMLAPI Compatibility with all Plesk editions
 2023-05-12 09:26:58 +08:00
neil
8414100d0b Merge pull request #4629 from fichtner/dns_opnsense 
dnsapi: fix OPNsense script to be compatible with upcoming 23.1.8
 2023-05-12 09:26:01 +08:00
lufi42
a3f4cb154e Merge branch 'acmesh-official:dev' into dev 2023-05-09 21:59:18 +02:00
Franco Fichtner
e6e22a1ca1 dnsapi: fix OPNsense script to be compatible with upcoming 23.1.8 
The current script is already broken due to Bind 9.16 -> 9.18 changes
due to their renaming scheme for primary/secondary so do not rely on the
compat layer (which was also broken for other reasons).
 2023-05-09 08:47:24 +02:00
sg1888
7623025b90 Fixes for POSIX sh shell 2023-04-24 18:45:50 +00:00
sg1888
56c98e9295 Merge remote-tracking branch 'upstream/master' into panos-ecc-fix 2023-04-24 17:02:48 +00:00
neilpang
b937665b90 minor 2023-04-23 13:18:17 +08:00
neilpang
a7bc2293c0 fix https://github.com/acmesh-official/acme.sh/issues/4612#issuecomment-1518929996 2023-04-23 13:16:12 +08:00
neil
0d25f7612b Merge pull request #4609 from acmesh-official/dev 
sync
 2023-04-21 20:21:30 +08:00
neilpang
84e4181ed7 fix https://github.com/acmesh-official/acme.sh/issues/4604 2023-04-20 18:11:55 +08:00
neilpang
f66a29d1c3 fix https://github.com/acmesh-official/acme.sh/issues/4606 2023-04-20 18:07:59 +08:00
neil
dbd3881cea Merge pull request #4515 from HRHDaniel/domain_conf_debug 
Domain conf debug
 2023-04-14 13:48:52 +08:00
sg1888
df753e2619 Added functionality to save and reuse API key 2023-04-12 22:00:53 +00:00
neil
7eb6bbe65f Merge pull request #4579 from daschr/dev 
Prevent whitespace splitting
 2023-04-03 11:06:22 +08:00
David Schramm
a570fda1cb prevent whitespace splitting 2023-04-02 17:30:47 +02:00
David Schramm
3b06fa6523 merge upstream 2023-04-02 17:28:47 +02:00
neil
dcdbe2fbb8 fix https://github.com/acmesh-official/acme.sh/pull/4577 2023-04-02 12:04:58 +08:00
David Schramm
dc1f36da43 prevent whitespace splitting 2023-04-01 09:25:19 +02:00
sg1888
cbb7082afd Fixed bug with wildcard certs and ecc keys 2023-03-31 00:33:44 +00:00
Paul Dee
6ee72e119c Spelling / grammar 2023-03-31 01:13:41 +02:00
neil
05dbd395e6 Merge pull request #4540 from Hobby-Student/dev 
[KAS] improve deletion of records
 2023-03-30 16:48:37 +08:00
neil
69e7360cc3 Merge pull request #4568 from imlonghao/patch-1 
fix(cloudns): fix grep when TXT record start with hyphen symbol
 2023-03-29 14:39:32 +08:00
imlonghao
7ef2533b98 fix(cloudns): fix grep when record start with hyphen symbol 2023-03-28 22:49:39 +08:00
neil
97f87c4229 Merge pull request #4542 from alexleigh/master 
Add support for Google Domains DNS API.
 2023-03-27 09:16:00 +08:00
neilpang
42a5cd961d fix https://github.com/acmesh-official/acme.sh/issues/4530#issuecomment-1473395845 2023-03-17 17:21:10 +08:00
neil
bf00d3157f Merge pull request #4544 from NCDGHA/bugfix/issue_4543_fix_retry-after 
Fix Retry-After handling
 2023-03-17 17:16:55 +08:00
neil
cf3ff4c136 Merge pull request #4551 from acmesh-official/dev 
sync
 2023-03-13 09:15:53 +08:00
neil
7fe06adcfd Merge pull request #4550 from eastonman/master 
dnsapi(huaweicloud): fix DomainName not retreived properly
 2023-03-13 09:14:32 +08:00
Easton Man
ae3e5dbf2c fix: fix DomainName not retreived properly 
Co-Authored-By: idawnlight <idawn@live.com>
 2023-03-12 12:41:29 +08:00
neil
20304590b4 Merge pull request #4547 from eastonman/master 
dnsapi(huaweicloud): Add retry count to avoid infinite loop when things go wrong
 2023-03-10 13:52:37 +08:00
Alex Leigh
2d8c0c0131 Add support for Google Domains DNS API. 
https://domains.google/learn/gts-acme/

This is an ACME API for Google Domains customers, which is
different from the Google Cloud Domains API for Google Cloud
customers.
 2023-03-08 11:13:25 -08:00
Markus Hoffrogge
70f4cad2ca Fix Retry-After handling 
- closes #4543
 2023-03-07 18:45:07 +01:00
Easton Man
1f777a94a7 fix: change some debug comments 2023-03-07 17:50:44 +08:00
Easton Man
7560c64f46 fix: fix typo 2023-03-07 11:30:32 +08:00
Easton Man
bddde60522 fix: use update instead of remove then add 2023-03-07 11:27:08 +08:00
Easton Man
e9366f8c76 fix: fix huaweicloud existing record 400 2023-03-07 10:56:10 +08:00
Easton Man
4dba84d09e fix: fix shfmt 2023-03-07 10:01:20 +08:00
Easton Man
0cce2d6098 fix: fix shellcheck 2023-03-07 09:57:39 +08:00
Easton Man
acbd8bce21 feat: add retry count for removing record set 
This avoids infinite loop when something went wrong and throws a error
 2023-03-07 09:48:13 +08:00
Hobby-Student
dea8a08b64 added missing new line at EOF 2023-03-06 20:36:53 +01:00
Hobby-Student
dde1bab1a8 improve deletion of records 2023-03-06 20:18:15 +01:00
neil
799e402077 Merge pull request #4536 from acmesh-official/dev 
sync
 2023-03-04 21:26:18 +08:00
neil
ce629e8e70 fix typo 2023-03-04 21:23:31 +08:00
neil
20cfc4ac66 fix https://github.com/acmesh-official/acme.sh/issues/4535 2023-03-04 21:22:17 +08:00
neil
132d5e8253 Merge pull request #4532 from acmesh-official/dev 
sync
 2023-03-02 22:07:16 +08:00
neilpang
cb8b341fb4 fix https://github.com/acmesh-official/acme.sh/issues/4530 2023-03-02 18:10:38 +08:00
neilpang
982c54b605 fix https://github.com/acmesh-official/acme.sh/issues/4530 2023-03-02 18:06:09 +08:00
neil
67f543332a Merge pull request #4531 from NCDGHA/bugfix/issue_4530_fix_http_status_503 
Fix to handle LE overload status 503 appropriately
 2023-03-02 18:00:36 +08:00
neil
88ac4086c2 Merge pull request #4518 from AnTheMaker/nanelo_dns 
Add Nanelo DNS support
 2023-03-02 09:40:47 +08:00
Markus Hoffrogge
15f96b7239 Fix to handle LE overload status 503 appropriately 
- LE HTTP response status 503 is not an error, it must be handled via sleep and retry
- s. https://community.letsencrypt.org/t/new-service-busy-responses-beginning-during-high-load/184174

fixes #4530
 2023-03-02 00:46:52 +01:00
neil
0ea84ad799 Merge pull request #4528 from chris03/bugfix/replace-expr 
SMTP notify: Use grep -E instead of expr
 2023-03-01 10:28:18 +08:00
Chris
1522b713da Use grep -E instead of expr 
expr was printing  `expr: warning: '^.*[<>"]': using '^' as the first character of a basic regular expression is not portable;`
 2023-02-28 21:08:33 -05:00
neil
fe6b27bb59 Merge pull request #4420 from romanlum/dev 
Added dns provider for ipv64.net
 2023-02-28 17:38:16 +08:00
Roman Lumetsberger
df14b15397 fix quote 2023-02-25 11:22:27 +00:00
Roman Lumetsberger
7dd12044de use _lower_case function 2023-02-25 11:18:33 +00:00
An | Anton Röhm
06e12a30e7 reduce nanelo dns ttl 2023-02-24 00:13:21 +01:00
An | Anton Röhm
d3fefd223d improve output 2023-02-24 00:01:39 +01:00
An | Anton Röhm
c0639c6608 Create first version of Nanelo DNS API integration 
[create dnsapi/dns_nanelo.sh]
 2023-02-23 23:29:46 +01:00
dharp
05a2eb3df4 add additional debug statement for DOMAIN_CONF 2023-02-21 10:19:07 -06:00
neil
d4befeb536 Merge pull request #4489 from acmesh-official/dev 
sync
 2023-02-04 20:08:11 +08:00
neil
f7f1168aad Merge pull request #4266 from skyksandr/master 
Vultr DNS: fix "grep: repetition-operator operand invalid" on FreeBSD
 2023-02-03 16:49:26 +08:00
Aleksandr Kunin
d6cf15368a Vultr DNS: fix "grep: repetition-operator operand invalid" on FreeBSD 2023-02-03 12:44:33 +07:00
neilpang
a5fbf3fb80 fix format 2023-02-03 09:59:42 +08:00
neilpang
3cf8f78745 fix format 2023-02-03 09:57:56 +08:00
neilpang
59dab6eac7 fix https://github.com/acmesh-official/acme.sh/issues/4485#issuecomment-1414022376 
https://github.com/acmesh-official/acme.sh/issues/4483#issuecomment-1414460122
 2023-02-03 09:55:51 +08:00
Roman Lumetsberger
553d861b8a fix shell check and formatting 2023-01-31 11:17:33 +01:00
Roman Lumetsberger
7b5d94d062 convert domain and subdomain to lower case 2023-01-31 11:10:42 +01:00
Roman Lumetsberger
cb021efaee Merge branch 'acmesh-official:dev' into dev 2023-01-31 10:34:29 +01:00
neilpang
c2344f3717 add log for doh 
https://github.com/acmesh-official/acme.sh/issues/4481
 2023-01-30 14:39:03 +08:00
neilpang
f537c606f7 fix warnings 2023-01-29 11:13:23 +08:00
neil
c8f48a4a90 Merge pull request #4478 from acmesh-official/dev 
sync
 2023-01-29 11:06:37 +08:00
neil
c2ad1b4e46 Merge pull request #4448 from PMExtra/feature/curl_fail 
curl return fail if HTTP errors
 2023-01-28 20:37:20 +08:00
neilpang
ba9d146d6c fix https://github.com/acmesh-official/acme.sh/issues/992 2023-01-28 17:29:03 +08:00
PMExtra
a5b04a0328 ensure curl --help backward compatible 2023-01-28 17:19:04 +08:00
neilpang
01249d0cb9 fix warning 2023-01-28 16:24:27 +08:00
neil
71c273fbcb Merge pull request #4476 from acmesh-official/dev 
sync
 2023-01-28 16:19:53 +08:00
neilpang
aa9cbf7c55 fix https://github.com/acmesh-official/acme.sh/issues/992 2023-01-28 16:18:27 +08:00
neil
429b18ed48 Merge pull request #4475 from acmesh-official/dev 
sync
 2023-01-28 15:31:55 +08:00
neilpang
2690c05781 fix format 2023-01-28 15:28:06 +08:00
neilpang
e3b688c9d8 fix format 2023-01-28 15:26:54 +08:00
neilpang
41b6f18a5d fix format 2023-01-28 15:25:50 +08:00
neilpang
5a59c39036 fix format 2023-01-28 15:24:21 +08:00
neil
a02dd18ad7 Merge pull request #4414 from beartom/master 
Update truenas.sh to deploy certificate for TrueCharts
 2023-01-28 15:20:10 +08:00
neil
16bdc7d0a3 fix from OpenAI https://github.com/acmesh-official/acme.sh/issues/992 
https://github.com/acmesh-official/acme.sh/pull/2609
 2023-01-27 11:44:20 +08:00
neil
40002e8040 Merge pull request #4447 from PMExtra/feature/vault 
improve vault and vault_cli deployhooks
 2023-01-24 18:49:18 +08:00
neil
6748c55c04 fix stepca 2023-01-24 18:00:09 +08:00
neil
deb63b4adf fix stepca 2023-01-24 17:58:46 +08:00
neil
015a9b9271 fix notify 2023-01-24 16:45:12 +08:00
neil
ab2305e259 fix stepca 2023-01-24 16:42:10 +08:00
neil
b99c998057 fix https://github.com/acmesh-official/acme.sh/issues/4463 2023-01-24 16:13:42 +08:00
neil
6c0a7144f6 fix https://github.com/acmesh-official/acme.sh/issues/4445 2023-01-24 15:45:25 +08:00
neil
bf50fce5bd fix https://github.com/acmesh-official/acme.sh/issues/4470 2023-01-24 15:17:48 +08:00
neil
8718b156c4 Merge pull request #4471 from vladislav-sharapov/patch-1 
fix(dns_openstack): fix argparse error
 2023-01-22 14:10:32 +08:00
Vladislav Sharapov
7bbdd1f839 fix(dns_openstack): fix argparse error 
Add equal sign to '--record' option to fix argparse error
occurring when ACME token starts with '-'.
 2023-01-20 23:56:14 +04:00
neil
ffed1a4afa Merge pull request #4468 from DreamOfIce/master 
Update deploy script for gcore
 2023-01-20 09:11:23 +08:00
冰雪殇璃陌梦
1bfd3642e8 Update gcore_cdn.sh 2023-01-19 10:19:05 +08:00
neil
577f4e0cc3 Merge pull request #4430 from zpeschke/gd_grammar 
Minor grammar fixes for gd
 2023-01-11 20:50:59 +08:00
neil
e2f05f3fc9 Merge pull request #4413 from trulyliu/dev 
Add gcore dns support.
 2023-01-11 20:46:07 +08:00
Gavin Leo
27f30631ed Add gcore dns support. 
https://apidocs.gcore.com/dns
 2023-01-05 14:30:02 +08:00
PMExtra
1ccfa96c2e improve logging 2022-12-28 02:47:49 +08:00
neil
a2c64e79ff fix for openbsd 2022-12-26 22:28:08 +08:00
neil
7b623f85cd minor 2022-12-26 21:43:02 +08:00
PMExtra
ed63eb6833 migrate FABIO to VAULT_FABIO_MODE and persist it 2022-12-23 19:34:31 +08:00
PMExtra
b8d0d3c242 improve chain.pem exists evaluating 2022-12-23 19:17:37 +08:00
PMExtra
fe1bfe9ae1 improve vault and vault_api deployhooks 2022-12-23 18:59:01 +08:00
PMExtra
7154c9ee5d improve curl --help predication 2022-12-23 17:42:27 +08:00
PMExtra
057c95bd1c improve wget --content-on-error condition 2022-12-23 17:39:51 +08:00
PMExtra
0cafc00c4f append --fail-with-body argument to curl if supported 2022-12-23 17:22:12 +08:00
neil
75d2898efd Merge pull request #4441 from plummer86/bugfix/_wget_out_fix 
Fix assignment: _wget_out
 2022-12-19 10:23:00 +08:00
plummer86
764a4c99fa Fix assignment to _wget_out 2022-12-18 22:32:49 +00:00
Zachary Peschke
160513c671 Minor grammar fixes for gd 2022-12-09 09:55:47 -07:00
neil
a2af26635f use ecc cert 2022-12-04 15:05:30 +08:00
neil
63869deeb2 Merge pull request #4091 from PMExtra/feature/ssh_scp 
Refact ssh hook to use deploy config, support scp and support specifying port
 2022-12-03 13:58:31 +08:00
Roman Lumetsberger
91e387e8b9 added doc for dns_ipv64_rm 2022-11-30 08:55:27 +01:00
Roman Lumetsberger
7d13146859 Added dns provider for ipv64.net 2022-11-30 08:35:03 +01:00
neil
699d2b7e7e Merge pull request #4409 from hatamiarash7/patch-1 
Update ArvanCloud API URL - Security & CI problem
 2022-11-29 21:12:47 +08:00
Arash Hatami
257de15c73 Fix export problems 2022-11-29 13:45:04 +03:30
Arash Hatami
5a0225d033 Fix export problem for special values 2022-11-29 12:21:49 +03:30
beartom
bd2d0e6ad3 Format 
Format
 2022-11-28 20:59:10 +08:00
Arash Hatami
0c0d1d4e52 Update duplicate message 2022-11-28 16:22:25 +03:30
Arash Hatami
eab9603921 Fix SH format 2022-11-28 16:11:17 +03:30
Arash Hatami
c07db3aa14 add 'Accept' header 2022-11-28 16:09:17 +03:30
neil
a19f7481b2 Merge pull request #4410 from kirisakow/patch-1 
Trim trailing slash in `--home` argument's value from the get-go to avoid that subsequently created paths contain two adjacent slashes in the middle
 2022-11-28 09:58:46 +08:00
lufi42
2905edce35 Merge branch 'acmesh-official:dev' into dev 2022-11-27 19:55:58 +01:00
beartom
04a5d794ac Update truenas.sh for certificate in chart release 
Update certificate in chart release of TrueCharts if any chart release Apps is using the same certificate as TrueNAS web UI.
 2022-11-27 21:55:01 +08:00
Kiril Isakov
264b9819ff Replace the BASH parameter substitution mechanism (unsupported by sh) with standard commands (supported by sh) 2022-11-27 09:22:06 +01:00
Arash Hatami
4610204c83 Test CI 2022-11-27 10:21:24 +03:30
neil
ecf1f17cf4 update key type 2022-11-27 11:10:14 +08:00
Kiril Isakov
9f942a6b65 Trim trailing slash in --home argument's value 
# What's expected

Since in `acme.sh` path strings are concatenated with a hardcoded slash in between, the left operand must never end with a trailing slash for the resulting path to be valid. Otherwise, obviously, the resulting path will have two adjacent slashes in the middle and will not be valid.

# What actually happens

Even though I cannot tell for each of the input params, I know this for sure for the the `--home` argument's value.

If I run `acme.sh` with `--home` argument's value being a path ending in a trailing slash,

```sh
acme.sh ... --debug ... --home /some/path/ ... -d somedomainna.me ...
```

I get the following (distinct) occurrencies of resulting invalid paths containing two adjacent slashes:

```
[...] Using config home:/some/path/

[...] DOMAIN_PATH='/some/path//somedomainna.me'

[...] _CURL='curl --silent --dump-header /some/path//http.header  -L  -g '

[...] The domain key is here: /some/path//somedomainna.me/somedomainna.me.key

[...] _CURL='curl --silent --dump-header /some/path//http.header  -L  -g  -I  '

[...] Your cert is in: /some/path//somedomainna.me/somedomainna.me.cer

[...] Your cert key is in: /some/path//somedomainna.me/somedomainna.me.key

[...] The intermediate CA cert is in: /some/path//somedomainna.me/ca.cer

[...] And the full chain certs is there: /some/path//somedomainna.me/fullchain.cer

```

# Suggested fix

Trim trailing slash in `--home` argument's value from the get-go.
 2022-11-26 16:00:03 +01:00
Arash Hatami
f4ed1b32b8 Update dns_arvan.sh 
Update API URL
 2022-11-26 18:12:11 +03:30
neil
ec0e871592 Use ec-256 as default key length 
fix https://github.com/acmesh-official/acme.sh/issues/2350#issuecomment-1324029469
 2022-11-23 21:57:38 +08:00
neil
7a756ebc4d start v3.0.6 2022-11-23 21:55:19 +08:00
lufi42
affb65219e Merge branch 'acmesh-official:dev' into dev 2022-07-17 13:30:37 +02:00
lufi42
78198bfdaf Merge branch 'acmesh-official:dev' into dev 2022-07-16 23:17:18 +02:00
lufi42
190cac394c Merge branch 'acmesh-official:dev' into dev 2022-07-11 21:26:37 +02:00
lufi42
be07fe9e9f Merge branch 'acmesh-official:dev' into dev 2022-07-10 18:23:12 +02:00
lufi42
ca0981645f Fixed shfmt error 2022-07-10 17:34:30 +02:00
lufi42
bc7e02b47a Fixed removal of TXT record when subdomain is case-sensitive and improved debug logging 
Plesk SPI return domain names always lower-case. Therefore the search for domain names in the API response must be case-insensitve. Set debug logging to the values that are reallys used for the spi calls.

added comment
 2022-07-10 17:22:59 +02:00
lufi42
55a55e9f74 Fixed debug log to prevent globbing and word splitting. 2022-07-10 17:22:59 +02:00
lufi42
b41d40da40 Extended debug logging in dns_pleskxml_rm() 2022-07-10 17:22:59 +02:00
lufi42
ba3e088b23 Improved error handling 
Improved error handling when result contains data-structure which might contain another status-flag that is related to the status of the related object and not the api call

Revert "Improved error handling"

This reverts commit fa6df1cfab134d38baad19fc1caa0842f00416d5.

Revert "Revert "Improved error handling""

This reverts commit 5a4b78392f063863ee9f56686f5c429e9376af1b.
 2022-07-10 17:22:59 +02:00
lufi42
40e0d72105 Merge branch 'acmesh-official:dev' into dev 2022-07-07 13:27:40 +02:00
lufi42
dfe80556d3 Merge branch 'acmesh-official:dev' into dev 2022-06-28 23:47:36 +02:00
Marcel Hellkamp
095697900b fix: Challenge not skipped for pre-validated wildcard domain orders 
Some CAs auto-validate orders based on account-level rules and do not
require a challenge at all. Sectigo introduced a non-standard challenges
named 'sectigo-dns-01', presumably to work around this issue in certbot.
This also works for non-wildcard domains in acme.sh, but wildcard domains
are rejected because acme.sh hard-codes 'dns-01' as the only allowed
challenge for wildcard domains, which is not offered by Sectigo.

This change simply moves the '"status":"valid"' check up a bit and ignores
challenge type mismatches or missing tokens if no challenge is needed anyway.
 2022-06-22 18:18:20 +02:00
Martin Arndt
13c7182948 Fix usage docs in file's header comment 2022-06-18 17:32:56 +02:00
Martin Arndt
edc76795d4 Merge branch 'acmesh-official:master' into master 2022-06-16 09:51:19 +02:00
neil
d2a9d731ed Update ssh.sh 2022-05-24 22:25:44 +08:00
PM Extra
3ce7d410c8 improve doc comments 2022-05-14 22:59:02 +08:00
PM Extra
74f28021e7 fix format again 2022-05-14 22:49:40 +08:00
PM Extra
f90cbb636a fix format 2022-05-14 22:41:59 +08:00
PM Extra
c8929ca0cb support specifying port for each host 2022-05-14 22:29:48 +08:00
PM Extra
9fb5bb620d refact ssh hook to use deploy config 2022-05-14 22:28:02 +08:00
PM Extra
ed58f32052 Merge branch 'dev' into feature/ssh_scp 2022-05-14 15:43:26 +08:00
lufi42
6d2ab4d270 Merge branch 'dev' of https://github.com/lufi42/acme.sh into dev 2022-03-09 01:47:51 +01:00
lufi42
a6b58bc88d Corrected use of Plesk API calls to fetch all domain for all Plesk editions 
This implementation of the Plesk API will add support for Plesk web admin edition and will now discover all domains ( of customers & administrative users) managed by the specific plesk instance.

The previous implementation of the Plesk API uses the customer API. This brings two problems:
1. The current API call only fetches the domains of resellers/customers and not the domains that are managed by administrative users.
compare:
https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-customer-accounts/retrieving-the-list-of-customer%E2%80%99s-domains.75309/
https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-plesk-server/getting-server-information/response-packet-structure-and-samples/list-of-domains.75294/

2. The customer API is only available in the web pro/host editions. The most common license on VPS/Dedicated Servers is nowadays the web admin edition. See: https://www.plesk.com/editions/

The correct way to get all domains in all Plesk editions is to use the Sites (Domains) API:
https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-sites-domains/getting-information-about-sites.66583/
This way is working for all plesk editions the same way.
 2022-03-09 01:42:26 +01:00
lufi42
ea3c37d754 Corrected use of Plesk API calls to fetch all domain for all Plesk editions 
This implementation of the Plesk API will add support for Plesk web admin edition and will now discover all domains managed by the specific plesk instance.

The existing implementation of the Plesk API uses the customer API. This brings two problems:
1. The current API call only fetches the domains of resellers/customers and not the domains that are managed by  administrative users.
compare:
https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-customer-accounts/retrieving-the-list-of-customer%E2%80%99s-domains.75309/
https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-plesk-server/getting-server-information/response-packet-structure-and-samples/list-of-domains.75294/

2. The customer API is only available in the pro/admin editions. The most common license on VPS/Dedicated Servers is the web host edition. See: https://www.plesk.com/editions/

The correct way to get all domains in all Plesk editions is to use the Sites (Domains) API:
https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-sites-domains/getting-information-about-sites.66583/
 2022-03-09 01:36:06 +01:00
fradev
b37bf06de8 Update ssh.sh 2022-03-01 17:57:59 +01:00
fradev
27bbf0ccaf Merge branch 'acmesh-official:master' into master 2022-03-01 17:44:46 +01:00
Martin Arndt
ed56d52af3 Changed GitHub issues URL 2022-02-27 15:12:05 +01:00
Martin Arndt
fb457968ec Fix formatting according to Shellcheck 3/3 2022-02-27 14:38:24 +01:00
Martin Arndt
0bea2e2b94 Fix formatting according to Shellcheck 2/2 2022-02-27 14:37:22 +01:00
Martin Arndt
72d02f442e Fix formatting according to Shellcheck 2022-02-27 14:35:21 +01:00
Martin Arndt
bcf63b5d27 Add ArtFiles.de DNS API plugin 2022-02-27 14:17:34 +01:00
fradev
71a32477e4 Merge branch 'acmesh-official:master' into master 2021-12-20 09:28:19 +01:00
fradev
08d60fcbf2 Update ssh.sh 
shfmt formatting
 2021-08-30 11:32:07 +02:00
fradev
4cda54774a Update ssh.sh 
SC2086 and SC2215
 2021-08-30 11:17:03 +02:00
fradev
613475ac26 Update ssh.sh 2021-08-30 11:08:06 +02:00
fradev
20d23fcb92 Update ssh.sh 
Added scp mode for copy the certs
 2021-08-25 16:55:36 +02:00
Marcel Waldvogel
92dbe6cdf8 Simplify and clarify SunOS crontab differences 2020-10-12 14:20:40 +02:00
Marcel Waldvogel
0781e8cf12 Use random hour for cron job 
The hour for the cron job isn't really random (as is the minute),
but assuming acme.sh installation times are not correlated, neither
will be the resulting cron start times.
 2020-10-12 13:52:57 +02:00
Arnaud Launay
b71a088da7 Revert "no private functions" 
This reverts commit d76fb566a2.
 2020-10-10 11:46:32 +02:00
Arnaud Launay
d76fb566a2 no private functions 2020-10-10 11:02:47 +02:00
Arnaud Launay
24a40af103 Merge remote-tracking branch 'upstream/dev' into dev 2020-10-09 17:32:30 +02:00
neil
4a60292f82 update freebsd 2020-10-09 17:22:17 +02:00
Arnaud Launay
7eea866869 BMN -> BookMyName 2020-10-05 15:57:52 +02:00
Arnaud Launay
4ab5456a98 keep shfmt happy 2020-10-05 15:49:00 +02:00
Arnaud Launay
8881a9f40e Add BookMyName API support 2020-10-05 15:46:18 +02:00
45 changed files with 2648 additions and 624 deletions
Expand all files Collapse all files

72
.github/workflows/DNS.yml vendored
View File

@@ -121,19 +121,19 @@ jobs:
- name: Run acmetest
run: |
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh
@@ -184,19 +184,19 @@ jobs:
shell: bash
run: |
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh
@@ -234,19 +234,19 @@ jobs:
copyback: false
run: |
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh
@@ -285,19 +285,19 @@ jobs:
copyback: false
run: |
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh
@@ -337,19 +337,19 @@ jobs:
copyback: false
run: |
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh
@@ -384,24 +384,24 @@ jobs:
with:
envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
prepare: |
pkg install -y curl socat
pkg install -y curl socat libnghttp2
usesh: true
copyback: false
run: |
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh
@@ -445,19 +445,19 @@ jobs:
pkg set-mediator -v -I default@1.1 openssl
export PATH=/usr/gnu/bin:$PATH
if [ "${{ secrets.TokenName1}}" ] ; then
export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
fi
if [ "${{ secrets.TokenName2}}" ] ; then
export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
fi
if [ "${{ secrets.TokenName3}}" ] ; then
export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
fi
if [ "${{ secrets.TokenName4}}" ] ; then
export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
fi
if [ "${{ secrets.TokenName5}}" ] ; then
export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
fi
cd ../acmetest
./letest.sh

2
.github/workflows/DragonFlyBSD.yml vendored
View File

@@ -62,7 +62,7 @@ jobs:
nat: |
"8080": "80"
prepare: |
pkg install -y curl socat
pkg install -y curl socat libnghttp2
usesh: true
run: |
cd ../acmetest \

1
.github/workflows/NetBSD.yml vendored
View File

@@ -61,7 +61,6 @@ jobs:
nat: |
"8080": "80"
prepare: |
export PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r|cut -f '1 2' -d.)/All/"
pkg_add curl socat
usesh: true
copyback: false

2
.github/workflows/OpenBSD.yml vendored
View File

@@ -66,7 +66,7 @@ jobs:
envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
nat: |
"8080": "80"
prepare: pkg_add socat curl wget
prepare: pkg_add socat curl wget libnghttp2
usesh: true
copyback: false
run: |

9
.github/workflows/Ubuntu.yml vendored
View File

@@ -80,9 +80,14 @@ jobs:
-p 9000:9000 \
-e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
-e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
-e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \
-e "DOCKER_STEPCA_INIT_PASSWORD=test" \
--name stepca \
smallstep/step-ca \
&& sleep 5 && docker exec stepca step ca provisioner add acme --type ACME \
smallstep/step-ca:0.23.1
sleep 5
docker exec stepca bash -c "echo test >test" \
&& docker exec stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \
&& docker exec stepca kill -1 1 \
&& docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt"
- name: Clone acmetest

8
.github/workflows/dockerhub.yml vendored
View File

@@ -28,9 +28,9 @@ jobs:
id: step_one
run: |
if [ "$DOCKER_PASSWORD" ] ; then
echo "::set-output name=hasToken::true"
echo "hasToken=true" >>$GITHUB_OUTPUT
else
echo "::set-output name=hasToken::false"
echo "hasToken=false" >>$GITHUB_OUTPUT
fi
- name: Check the value
run: echo ${{ steps.step_one.outputs.hasToken }}
@@ -43,9 +43,9 @@ jobs:
- name: checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v2
- name: login to docker hub
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin

13
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.16.3
FROM alpine:3.17
RUN apk --no-cache add -f \
openssl \
@@ -12,7 +12,8 @@ RUN apk --no-cache add -f \
oath-toolkit-oathtool \
tar \
libidn \
jq
jq \
cronie
ENV LE_CONFIG_HOME /acme.sh
@@ -25,7 +26,7 @@ COPY ./ /install_acme.sh/
RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null##' | crontab -
RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab -
RUN for verb in help \
version \
@@ -64,12 +65,10 @@ RUN for verb in help \
RUN printf "%b" '#!'"/usr/bin/env sh\n \
if [ \"\$1\" = \"daemon\" ]; then \n \
trap \"echo stop && killall crond && exit 0\" SIGTERM SIGINT \n \
crond && sleep infinity &\n \
wait \n \
exec crond -n -s -m off \n \
else \n \
exec -- \"\$@\"\n \
fi" >/entry.sh && chmod +x /entry.sh
fi\n" >/entry.sh && chmod +x /entry.sh
VOLUME /acme.sh

18
README.md
View File

@@ -51,14 +51,12 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
- [ruby-china.org](https://ruby-china.org/topics/31983)
- [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management)
- [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
- [CentOS Web Panel](http://centos-webpanel.com/)
- [CentOS Web Panel](https://control-webpanel.com)
- [lnmp.org](https://lnmp.org/)
- [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials)
@@ -361,10 +359,6 @@ Ok, it's done.
# 10. Issue ECC certificates
`Let's Encrypt` can now issue **ECDSA** certificates.
And we support them too!
Just set the `keylength` parameter with a prefix `ec-`.
For example:
@@ -385,10 +379,12 @@ Please look at the `keylength` parameter above.
Valid values are:
1. **ec-256 (prime256v1, "ECDSA P-256")**
1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)**
2. **ec-384 (secp384r1, "ECDSA P-384")**
3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
4. **2048 (RSA2048)**
5. **3072 (RSA3072)**
6. **4096 (RSA4096)**
# 11. Issue Wildcard certificates
@@ -510,10 +506,6 @@ Support this project with your organization. Your logo will show up here with a
<a href="https://opencollective.com/acmesh/organization/9/website"><img src="https://opencollective.com/acmesh/organization/9/avatar.svg"></a>
#### Sponsors
[![quantumca-acmesh-logo](https://user-images.githubusercontent.com/8305679/183255712-634ee1db-bb61-4c03-bca0-bacce99e078c.svg)](https://www.quantumca.com.cn/?__utm_source=acmesh-donation)
# 19. License & Others

332
acme.sh
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env sh
VER=3.0.5
VER=3.0.7
PROJECT_NAME="acme.sh"
@@ -53,8 +53,8 @@ CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$
DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
DEFAULT_ACCOUNT_KEY_LENGTH=2048
DEFAULT_DOMAIN_KEY_LENGTH=2048
DEFAULT_ACCOUNT_KEY_LENGTH=ec-256
DEFAULT_DOMAIN_KEY_LENGTH=ec-256
DEFAULT_OPENSSL_BIN="openssl"
@@ -102,12 +102,12 @@ ECC_SUFFIX="${ECC_SEP}ecc"
LOG_LEVEL_1=1
LOG_LEVEL_2=2
LOG_LEVEL_3=3
DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"
DEFAULT_LOG_LEVEL="$LOG_LEVEL_2"
DEBUG_LEVEL_1=1
DEBUG_LEVEL_2=2
DEBUG_LEVEL_3=3
DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_2
DEBUG_LEVEL_NONE=0
DOH_CLOUDFLARE=1
@@ -923,8 +923,16 @@ _sed_i() {
fi
}
if [ "$(echo abc | egrep -o b 2>/dev/null)" = "b" ]; then
__USE_EGREP=1
else
__USE_EGREP=""
fi
_egrep_o() {
if ! egrep -o "$1" 2>/dev/null; then
if [ "$__USE_EGREP" ]; then
egrep -o -- "$1"
else
sed -n 's/.*\('"$1"'\).*/\1/p'
fi
}
@@ -1553,7 +1561,7 @@ createDomainKey() {
createCSR() {
_info "Creating csr"
if [ -z "$1" ]; then
_usage "Usage: $PROJECT_ENTRY --create-csr --domain <domain.tld> [--domain <domain2.tld> ...]"
_usage "Usage: $PROJECT_ENTRY --create-csr --domain <domain.tld> [--domain <domain2.tld> ...] [--ecc]"
return
fi
@@ -1637,7 +1645,7 @@ _stat() {
#keyfile
_isRSA() {
keyfile=$1
if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" >/dev/null 2>&1; then
if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text 2>&1 | grep "^publicExponent:" 2>&1 >/dev/null; then
return 0
fi
return 1
@@ -1646,7 +1654,7 @@ _isRSA() {
#keyfile
_isEcc() {
keyfile=$1
if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" >/dev/null 2>&1; then
if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" 2>&1 >/dev/null; then
return 0
fi
return 1
@@ -1744,7 +1752,7 @@ _calcjwk() {
_debug3 x64 "$x64"
xend=$(_math "$xend" + 1)
y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-10000)"
y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-2048)"
_debug3 y "$y"
y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)"
@@ -1852,9 +1860,15 @@ _inithttp() {
_ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE "
fi
if _contains "$(curl --help 2>&1)" "--globoff"; then
if _contains "$(curl --help 2>&1)" "--globoff" || _contains "$(curl --help curl 2>&1)" "--globoff"; then
_ACME_CURL="$_ACME_CURL -g "
fi
#don't use --fail-with-body
##from curl 7.76: return fail on HTTP errors but keep the body
#if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then
# _ACME_CURL="$_ACME_CURL --fail-with-body "
#fi
fi
if [ -z "$_ACME_WGET" ] && _exists "wget"; then
@@ -1872,11 +1886,11 @@ _inithttp() {
elif [ "$CA_BUNDLE" ]; then
_ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE "
fi
fi
#from wget 1.14: do not skip body on 404 error
if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--content-on-error"; then
_ACME_WGET="$_ACME_WGET --content-on-error "
#from wget 1.14: do not skip body on 404 error
if _contains "$(wget --help 2>&1)" "--content-on-error"; then
_ACME_WGET="$_ACME_WGET --content-on-error "
fi
fi
__HTTP_INITIALIZED=1
@@ -2058,7 +2072,7 @@ _get() {
fi
_debug "_WGET" "$_WGET"
if [ "$onlyheader" ]; then
_wget_out = "$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)"
_wget_out="$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)"
if _contains "$_WGET" " -d "; then
# Demultiplex wget debug output
echo "$_wget_out" >&2
@@ -2095,12 +2109,18 @@ _head_n() {
}
_tail_n() {
if ! tail -n "$1" 2>/dev/null; then
if _is_solaris; then
#fix for solaris
tail -"$1"
else
tail -n "$1"
fi
}
_tail_c() {
tail -c "$1" 2>/dev/null || tail -"$1"c
}
# url payload needbase64 keyfile
_send_signed_request() {
url=$1
@@ -2110,6 +2130,7 @@ _send_signed_request() {
if [ -z "$keyfile" ]; then
keyfile="$ACCOUNT_KEY_PATH"
fi
_debug "=======Begin Send Signed Request======="
_debug url "$url"
_debug payload "$payload"
@@ -2223,6 +2244,20 @@ _send_signed_request() {
_debug3 _body "$_body"
fi
_retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *: *[0-9]\+ *" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
if [ "$code" = '503' ]; then
_sleep_overload_retry_sec=$_retryafter
if [ -z "$_sleep_overload_retry_sec" ]; then
_sleep_overload_retry_sec=5
fi
if [ $_sleep_overload_retry_sec -le 600 ]; then
_info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds."
_sleep $_sleep_overload_retry_sec
continue
else
_info "The retryafter=$_retryafter is too large > 600, not retry anymore."
fi
fi
if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then
_info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds."
_CACHED_NONCE=""
@@ -2257,7 +2292,7 @@ _setopt() {
if [ ! -f "$__conf" ]; then
touch "$__conf"
fi
if [ -n "$(tail -c 1 <"$__conf")" ]; then
if [ -n "$(_tail_c 1 <"$__conf")" ]; then
echo >>"$__conf"
fi
@@ -2352,6 +2387,26 @@ _readdomainconf() {
_read_conf "$DOMAIN_CONF" "$1"
}
#_migratedomainconf oldkey newkey base64encode
_migratedomainconf() {
_old_key="$1"
_new_key="$2"
_b64encode="$3"
_value=$(_readdomainconf "$_old_key")
if [ -z "$_value" ]; then
return 1 # oldkey is not found
fi
_savedomainconf "$_new_key" "$_value" "$_b64encode"
_cleardomainconf "$_old_key"
_debug "Domain config $_old_key has been migrated to $_new_key"
}
#_migratedeployconf oldkey newkey base64encode
_migratedeployconf() {
_migratedomainconf "$1" "SAVED_$2" "$3" ||
_migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found
}
#key value base64encode
_savedeployconf() {
_savedomainconf "SAVED_$1" "$2" "$3"
@@ -2366,12 +2421,14 @@ _getdeployconf() {
if [ "$_rac_value" ]; then
if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then
_debug2 "trim quotation marks"
eval "export $_rac_key=$_rac_value"
eval $_rac_key=$_rac_value
export $_rac_key
fi
return 0 # do nothing
fi
_saved=$(_readdomainconf "SAVED_$_rac_key")
eval "export $_rac_key=\"\$_saved\""
_saved="$(_readdomainconf "SAVED_$_rac_key")"
eval $_rac_key=\$_saved
export $_rac_key
}
#_saveaccountconf key value base64encode
@@ -2835,12 +2892,14 @@ _initpath() {
if _isEccKey "$_ilength"; then
DOMAIN_PATH="$domainhomeecc"
else
elif [ -z "$__SELECTED_RSA_KEY" ]; then
if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then
_info "The domain '$domain' seems to have a ECC cert already, please add '$(__red "--ecc")' parameter if you want to use that cert."
_info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert."
DOMAIN_PATH="$domainhomeecc"
fi
fi
_debug DOMAIN_PATH "$DOMAIN_PATH"
export DOMAIN_PATH
fi
if [ -z "$DOMAIN_BACKUP_PATH" ]; then
@@ -2892,22 +2951,6 @@ _initpath() {
}
_exec() {
if [ -z "$_EXEC_TEMP_ERR" ]; then
_EXEC_TEMP_ERR="$(_mktemp)"
fi
if [ "$_EXEC_TEMP_ERR" ]; then
eval "$@ 2>>$_EXEC_TEMP_ERR"
else
eval "$@"
fi
}
_exec_err() {
[ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
}
_apachePath() {
_APACHECTL="apachectl"
if ! _exists apachectl; then
@@ -2920,8 +2963,7 @@ _apachePath() {
fi
fi
if ! _exec $_APACHECTL -V >/dev/null; then
_exec_err
if ! $_APACHECTL -V >/dev/null; then
return 1
fi
@@ -2973,8 +3015,7 @@ _restoreApache() {
cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
_debug "Restored: $httpdconf."
if ! _exec $_APACHECTL -t; then
_exec_err
if ! $_APACHECTL -t; then
_err "Sorry, restore apache config error, please contact me."
return 1
fi
@@ -2992,8 +3033,7 @@ _setApache() {
#test the conf first
_info "Checking if there is an error in the apache config file before starting."
if ! _exec "$_APACHECTL" -t >/dev/null; then
_exec_err
if ! $_APACHECTL -t >/dev/null; then
_err "The apache config file has error, please fix it first, then try again."
_err "Don't worry, there is nothing changed to your system."
return 1
@@ -3054,8 +3094,7 @@ Allow from all
chmod 755 "$ACME_DIR"
fi
if ! _exec "$_APACHECTL" graceful; then
_exec_err
if ! $_APACHECTL graceful; then
_err "$_APACHECTL graceful error, please contact me."
_restoreApache
return 1
@@ -3086,7 +3125,7 @@ _setNginx() {
_err "nginx command is not found."
return 1
fi
NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "--conf-path=[^ ]* " | tr -d " ")"
NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "\-\-conf-path=[^ ]* " | tr -d " ")"
_debug NGINX_CONF "$NGINX_CONF"
NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
_debug NGINX_CONF "$NGINX_CONF"
@@ -3140,8 +3179,7 @@ _setNginx() {
return 1
fi
_info "Check the nginx conf before setting up."
if ! _exec "nginx -t" >/dev/null; then
_exec_err
if ! nginx -t >/dev/null; then
return 1
fi
@@ -3168,16 +3206,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
fi
_debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
_info "nginx conf is done, let's check it again."
if ! _exec "nginx -t" >/dev/null; then
_exec_err
if ! nginx -t >/dev/null; then
_err "It seems that nginx conf was broken, let's restore."
cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
return 1
fi
_info "Reload nginx"
if ! _exec "nginx -s reload" >/dev/null; then
_exec_err
if ! nginx -s reload >/dev/null; then
_err "It seems that nginx reload error, let's restore."
cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
return 1
@@ -3302,8 +3338,7 @@ _restoreNginx() {
done
_info "Reload nginx"
if ! _exec "nginx -s reload" >/dev/null; then
_exec_err
if ! nginx -s reload >/dev/null; then
_err "It seems that nginx reload error, please report bug."
return 1
fi
@@ -3995,7 +4030,7 @@ _ns_purge_cf() {
#checks if cf server is available
_ns_is_available_cf() {
if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then
if _get "https://cloudflare-dns.com" "" 10 >/dev/null; then
return 0
else
return 1
@@ -4003,7 +4038,7 @@ _ns_is_available_cf() {
}
_ns_is_available_google() {
if _get "https://dns.google" "" 1 >/dev/null 2>&1; then
if _get "https://dns.google" "" 10 >/dev/null; then
return 0
else
return 1
@@ -4019,7 +4054,7 @@ _ns_lookup_google() {
}
_ns_is_available_ali() {
if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
if _get "https://dns.alidns.com" "" 10 >/dev/null; then
return 0
else
return 1
@@ -4035,7 +4070,7 @@ _ns_lookup_ali() {
}
_ns_is_available_dp() {
if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then
if _get "https://doh.pub" "" 10 >/dev/null; then
return 0
else
return 1
@@ -4582,9 +4617,10 @@ issue() {
_d="*.$_d"
fi
_debug2 _d "$_d"
_authorizations_map="$_d,$response
_authorizations_map="$_d,$response#$_authz_url
$_authorizations_map"
done
_debug2 _authorizations_map "$_authorizations_map"
_index=0
@@ -4636,33 +4672,32 @@ $_authorizations_map"
_on_issue_err "$_post_hook"
return 1
fi
_authz_url="$(echo "$_candidates" | sed "s/$_idn_d,//" | _egrep_o "#.*" | sed "s/^#//")"
_debug _authz_url "$_authz_url"
if [ -z "$thumbprint" ]; then
thumbprint="$(__calc_account_thumbprint)"
fi
keyauthorization=""
if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
_debug "$d is already valid."
keyauthorization="$STATE_VERIFIED"
_debug keyauthorization "$keyauthorization"
fi
entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
_debug entry "$entry"
keyauthorization=""
if [ -z "$entry" ]; then
if ! _startswith "$d" '*.'; then
_debug "Not a wildcard domain, lets check whether the validation is already valid."
if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
_debug "$d is already valid."
keyauthorization="$STATE_VERIFIED"
_debug keyauthorization "$keyauthorization"
fi
fi
if [ -z "$keyauthorization" ]; then
_err "Error, can not get domain token entry $d for $vtype"
_supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
if [ "$_supported_vtypes" ]; then
_err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
fi
_clearup
_on_issue_err "$_post_hook"
return 1
if [ -z "$keyauthorization" -a -z "$entry" ]; then
_err "Error, can not get domain token entry $d for $vtype"
_supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
if [ "$_supported_vtypes" ]; then
_err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
fi
_clearup
_on_issue_err "$_post_hook"
return 1
fi
if [ -z "$keyauthorization" ]; then
@@ -4688,15 +4723,9 @@ $_authorizations_map"
fi
keyauthorization="$token.$thumbprint"
_debug keyauthorization "$keyauthorization"
if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
_debug "$d is already verified."
keyauthorization="$STATE_VERIFIED"
_debug keyauthorization "$keyauthorization"
fi
fi
dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot$sep$_authz_url"
_debug dvlist "$dvlist"
vlist="$vlist$dvlist$dvsep"
@@ -4713,6 +4742,7 @@ $_authorizations_map"
keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
_authz_url=$(echo "$ventry" | cut -d "$sep" -f 6)
_debug d "$d"
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
_debug "$d is already verified, skip $vtype."
@@ -4838,7 +4868,7 @@ $_authorizations_map"
uri=$(echo "$ventry" | cut -d "$sep" -f 3)
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
_authz_url=$(echo "$ventry" | cut -d "$sep" -f 6)
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
_info "$d is already verified, skip $vtype."
continue
@@ -4848,6 +4878,7 @@ $_authorizations_map"
_debug "d" "$d"
_debug "keyauthorization" "$keyauthorization"
_debug "uri" "$uri"
_debug "_authz_url" "$_authz_url"
removelevel=""
token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)"
@@ -4917,18 +4948,6 @@ $_authorizations_map"
if ! chmod a+r "$wellknown_path/$token"; then
_debug "chmod failed, but we just continue."
fi
if [ ! "$usingApache" ]; then
if webroot_owner=$(_stat "$_currentRoot"); then
_debug "Changing owner/group of .well-known to $webroot_owner"
if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
_debug "$(cat "$_EXEC_TEMP_ERR")"
_exec_err >/dev/null 2>&1
fi
else
_debug "not changing owner/group of webroot"
fi
fi
fi
elif [ "$vtype" = "$VTYPE_ALPN" ]; then
acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
@@ -4967,6 +4986,7 @@ $_authorizations_map"
MAX_RETRY_TIMES=30
fi
_debug "Lets check the status of the authz"
while true; do
waittimes=$(_math "$waittimes" + 1)
if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then
@@ -4990,9 +5010,9 @@ $_authorizations_map"
errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
_debug2 errordetail "$errordetail"
if [ "$errordetail" ]; then
_err "$d:Verify error:$errordetail"
_err "Invalid status, $d:Verify error detail:$errordetail"
else
_err "$d:Verify error:$error"
_err "Invalid status, $d:Verify error:$error"
fi
if [ "$DEBUG" ]; then
if [ "$vtype" = "$VTYPE_HTTP" ]; then
@@ -5014,12 +5034,12 @@ $_authorizations_map"
break
fi
if [ "$status" = "pending" ]; then
if _contains "$status" "pending"; then
_info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
elif [ "$status" = "processing" ]; then
elif _contains "$status" "processing"; then
_info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
else
_err "$d:Verify error:$response"
_err "Unknown status: $status, $d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
_on_issue_err "$_post_hook" "$vlist"
@@ -5029,10 +5049,10 @@ $_authorizations_map"
_sleep 2
_debug "checking"
_send_signed_request "$uri"
_send_signed_request "$_authz_url"
if [ "$?" != "0" ]; then
_err "$d:Verify error:$response"
_err "Invalid code, $d:Verify error:$response"
_clearupwebbroot "$_currentRoot" "$removelevel" "$token"
_clearup
_on_issue_err "$_post_hook" "$vlist"
@@ -5743,6 +5763,7 @@ deploy() {
return 1
fi
_debug2 DOMAIN_CONF "$DOMAIN_CONF"
. "$DOMAIN_CONF"
_savedomainconf Le_DeployHook "$_hooks"
@@ -5967,6 +5988,7 @@ installcronjob() {
fi
_t=$(_time)
random_minute=$(_math $_t % 60)
random_hour=$(_math $_t / 60 % 24)
if ! _exists "$_CRONTAB" && _exists "fcrontab"; then
_CRONTAB="fcrontab"
@@ -5991,16 +6013,14 @@ installcronjob() {
_info "Installing cron job"
if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then
if _exists uname && uname -a | grep SunOS >/dev/null; then
$_CRONTAB -l | {
cat
echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
} | $_CRONTAB --
_CRONTAB_STDIN="$_CRONTAB --"
else
$_CRONTAB -l | {
cat
echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
} | $_CRONTAB -
_CRONTAB_STDIN="$_CRONTAB -"
fi
$_CRONTAB -l | {
cat
echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
} | $_CRONTAB_STDIN
fi
if [ "$?" != "0" ]; then
_err "Install cron job failed. You need to manually renew your certs."
@@ -6102,8 +6122,22 @@ revoke() {
uri="${ACME_REVOKE_CERT}"
_info "Try account key first."
if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then
if [ -z "$response" ]; then
_info "Revoke success."
rm -f "$CERT_PATH"
cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked"
cat "$CSR_PATH" >"$CSR_PATH.revoked"
return 0
else
_err "Revoke error."
_debug "$response"
fi
fi
if [ -f "$CERT_KEY_PATH" ]; then
_info "Try domain key first."
_info "Try domain key."
if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then
if [ -z "$response" ]; then
_info "Revoke success."
@@ -6119,21 +6153,6 @@ revoke() {
else
_info "Domain key file doesn't exist."
fi
_info "Try account key."
if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then
if [ -z "$response" ]; then
_info "Revoke success."
rm -f "$CERT_PATH"
cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked"
cat "$CSR_PATH" >"$CSR_PATH.revoked"
return 0
else
_err "Revoke error."
_debug "$response"
fi
fi
return 1
}
@@ -6707,6 +6726,13 @@ _send_notify() {
return 0
fi
_nsource="$NOTIFY_SOURCE"
if [ -z "$_nsource" ]; then
_nsource="$(hostname)"
fi
_nsubject="$_nsubject by $_nsource"
_send_err=0
for _n_hook in $(echo "$_nhooks" | tr ',' " "); do
_n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")"
@@ -6761,11 +6787,12 @@ setnotify() {
_nhook="$1"
_nlevel="$2"
_nmode="$3"
_nsource="$4"
_initpath
if [ -z "$_nhook$_nlevel$_nmode" ]; then
_usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook <hookname>] [--notify-level <0|1|2|3>] [--notify-mode <0|1>]"
if [ -z "$_nhook$_nlevel$_nmode$_nsource" ]; then
_usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook <hookname>] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source <hostname>]"
_usage "$_NOTIFY_WIKI"
return 1
fi
@@ -6782,6 +6809,12 @@ setnotify() {
_saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE"
fi
if [ "$_nsource" ]; then
_info "Set notify source to: $_nsource"
export "NOTIFY_SOURCE=$_nsource"
_saveaccountconf "NOTIFY_SOURCE" "$NOTIFY_SOURCE"
fi
if [ "$_nhook" ]; then
_info "Set notify hook to: $_nhook"
if [ "$_nhook" = "$NO_VALUE" ]; then
@@ -6860,7 +6893,7 @@ Parameters:
-f, --force Force install, force cert renewal or override sudo restrictions.
--staging, --test Use staging server, for testing.
--debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted.
--debug [0|1|2|3] Output debug info. Defaults to $DEBUG_LEVEL_DEFAULT if argument is omitted.
--output-insecure Output all the sensitive messages.
By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
-w, --webroot <directory> Specifies the web root folder for web root mode.
@@ -6878,7 +6911,7 @@ Parameters:
-k, --keylength <bits> Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
-ak, --accountkeylength <bits> Specifies the account key length: 2048, 3072, 4096
--log [file] Specifies the log file. Defaults to \"$DEFAULT_LOG_FILE\" if argument is omitted.
--log-level <1|2> Specifies the log level, default is 1.
--log-level <1|2> Specifies the log level, default is $DEFAULT_LOG_LEVEL.
--syslog <0|3|6|7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
--eab-kid <eab_key_id> Key Identifier for External Account Binding.
--eab-hmac-key <eab_hmac_key> HMAC key for External Account Binding.
@@ -6886,7 +6919,7 @@ Parameters:
These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
--cert-file <file> Path to copy the cert file to after issue/renew..
--cert-file <file> Path to copy the cert file to after issue/renew.
--key-file <file> Path to copy the key file to after issue/renew.
--ca-file <file> Path to copy the intermediate cert file to after issue/renew.
--fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
@@ -6916,7 +6949,8 @@ Parameters:
--no-profile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
--ecc Specifies use of the ECC cert. Only valid for '--install-cert', '--renew', '--remove ', '--revoke',
'--deploy', '--to-pkcs8', '--to-pkcs12' and '--create-csr'.
--csr <file> Specifies the input csr.
--pre-hook <command> Command to be run before obtaining any certificates.
--post-hook <command> Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
@@ -6942,6 +6976,7 @@ Parameters:
0: Bulk mode. Send all the domain's notifications in one message(mail).
1: Cert mode. Send a message for every single cert.
--notify-hook <hookname> Set the notify hook
--notify-source <server name> Set the server name in the notification message
--revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command.
See: $_REVOKE_WIKI
@@ -7099,7 +7134,9 @@ _selectServer() {
_getCAShortName() {
caurl="$1"
if [ -z "$caurl" ]; then
caurl="$DEFAULT_CA"
#use letsencrypt as default value if the Le_API is empty
#this case can only come from the old upgrading.
caurl="$CA_LETSENCRYPT_V2"
fi
if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then
caurl="$CA_SSLCOM_RSA" #just hack to get the short name
@@ -7216,6 +7253,7 @@ _process() {
_notify_hook=""
_notify_level=""
_notify_mode=""
_notify_source=""
_revoke_reason=""
_eab_kid=""
_eab_hmac_key=""
@@ -7461,6 +7499,9 @@ _process() {
--keylength | -k)
_keylength="$2"
shift
if [ "$_keylength" ] && ! _isEccKey "$_keylength"; then
export __SELECTED_RSA_KEY=1
fi
;;
-ak | --accountkeylength)
_accountkeylength="$2"
@@ -7496,7 +7537,7 @@ _process() {
shift
;;
--home)
export LE_WORKING_DIR="$2"
export LE_WORKING_DIR="$(echo "$2" | sed 's|/$||')"
shift
;;
--cert-home | --certhome)
@@ -7708,6 +7749,15 @@ _process() {
_notify_mode="$_nmode"
shift
;;
--notify-source)
_nsource="$2"
if _startswith "$_nsource" "-"; then
_err "'$_nsource' is not valid host name for '$1'"
return 1
fi
_notify_source="$_nsource"
shift
;;
--revoke-reason)
_revoke_reason="$2"
if _startswith "$_revoke_reason" "-"; then
@@ -7862,7 +7912,7 @@ _process() {
createCSR "$_domain" "$_altdomains" "$_ecc"
;;
setnotify)
setnotify "$_notify_hook" "$_notify_level" "$_notify_mode"
setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" "$_notify_source"
;;
setdefaultca)
setdefaultca

27
deploy/docker.sh
View File

@@ -273,16 +273,27 @@ _check_curl_version() {
_minor="$(_getfield "$_cversion" 2 '.')"
_debug2 "_minor" "$_minor"
if [ "$_major$_minor" -lt "740" ]; then
if [ "$_major" -ge "8" ]; then
#ok
return 0
fi
if [ "$_major" = "7" ]; then
if [ "$_minor" -lt "40" ]; then
_err "curl v$_cversion doesn't support unit socket"
_err "Please upgrade to curl 7.40 or later."
return 1
fi
if [ "$_minor" -lt "50" ]; then
_debug "Use short host name"
export _CURL_NO_HOST=1
else
export _CURL_NO_HOST=
fi
return 0
else
_err "curl v$_cversion doesn't support unit socket"
_err "Please upgrade to curl 7.40 or later."
return 1
fi
if [ "$_major$_minor" -lt "750" ]; then
_debug "Use short host name"
export _CURL_NO_HOST=1
else
export _CURL_NO_HOST=
fi
return 0
}

15
deploy/gcore_cdn.sh
View File

@@ -1,10 +1,11 @@
#!/usr/bin/env sh
# Here is the script to deploy the cert to G-Core CDN service (https://gcorelabs.com/ru/) using the G-Core Labs API (https://docs.gcorelabs.com/cdn/).
# Here is the script to deploy the cert to G-Core CDN service (https://gcore.com/) using the G-Core Labs API (https://apidocs.gcore.com/cdn).
# Returns 0 when success.
#
# Written by temoffey <temofffey@gmail.com>
# Public domain, 2019
# Update by DreamOfIce <admin@dreamofice.cn> in 2023
#export DEPLOY_GCORE_CDN_USERNAME=myusername
#export DEPLOY_GCORE_CDN_PASSWORD=mypassword
@@ -56,7 +57,7 @@ gcore_cdn_deploy() {
_request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
_debug _request "$_request"
export _H1="Content-Type:application/json"
_response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
_response=$(_post "$_request" "https://api.gcore.com/auth/jwt/login")
_debug _response "$_response"
_regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
_debug _regex "$_regex"
@@ -69,8 +70,8 @@ gcore_cdn_deploy() {
fi
_info "Find CDN resource with cname $_cdomain"
export _H2="Authorization:Token $_token"
_response=$(_get "https://api.gcdn.co/resources")
export _H2="Authorization:Bearer $_token"
_response=$(_get "https://api.gcore.com/cdn/resources")
_debug _response "$_response"
_regex="\"primary_resource\":null},"
_debug _regex "$_regex"
@@ -102,7 +103,7 @@ gcore_cdn_deploy() {
_date=$(date "+%d.%m.%Y %H:%M:%S")
_request="{\"name\":\"$_cdomain ($_date)\",\"sslCertificate\":\"$_fullchain\",\"sslPrivateKey\":\"$_key\"}"
_debug _request "$_request"
_response=$(_post "$_request" "https://api.gcdn.co/sslData")
_response=$(_post "$_request" "https://api.gcore.com/cdn/sslData")
_debug _response "$_response"
_regex=".*\"id\":\([0-9]*\).*$"
_debug _regex "$_regex"
@@ -117,7 +118,7 @@ gcore_cdn_deploy() {
_info "Update CDN resource"
_request="{\"originGroup\":$_originGroup,\"sslData\":$_sslDataAdd}"
_debug _request "$_request"
_response=$(_post "$_request" "https://api.gcdn.co/resources/$_resourceId" '' "PUT")
_response=$(_post "$_request" "https://api.gcore.com/cdn/resources/$_resourceId" '' "PUT")
_debug _response "$_response"
_regex=".*\"sslData\":\([0-9]*\).*$"
_debug _regex "$_regex"
@@ -133,7 +134,7 @@ gcore_cdn_deploy() {
_info "Not found old SSL certificate"
else
_info "Delete old SSL certificate"
_response=$(_post '' "https://api.gcdn.co/sslData/$_sslDataOld" '' "DELETE")
_response=$(_post '' "https://api.gcore.com/cdn/sslData/$_sslDataOld" '' "DELETE")
_debug _response "$_response"
fi

164
deploy/panos.sh
View File

@@ -7,11 +7,15 @@
#
# Firewall admin with superuser and IP address is required.
#
# export PANOS_USER="" # required
# export PANOS_PASS="" # required
# export PANOS_HOST="" # required
# REQURED:
# export PANOS_HOST=""
# export PANOS_USER="" #User *MUST* have Commit and Import Permissions in XML API for Admin Role
# export PANOS_PASS=""
#
# The script will automatically generate a new API key if
# no key is found, or if a saved key has expired or is invalid.
# This function is to parse the XML
# This function is to parse the XML response from the firewall
parse_response() {
type=$2
if [ "$type" = 'keygen' ]; then
@@ -23,25 +27,46 @@ parse_response() {
message="PAN-OS Key could not be set."
fi
else
status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
status=$(echo "$1" | tr -d '\n' | sed 's/^.*"\([a-z]*\)".*/\1/g')
message=$(echo "$1" | tr -d '\n' | sed 's/.*\(<result>\|<msg>\|<line>\)\([^<]*\).*/\2/g')
_debug "Firewall message: $message"
if [ "$type" = 'keytest' ] && [ "$status" != "success" ]; then
_debug "**** API Key has EXPIRED or is INVALID ****"
unset _panos_key
fi
fi
return 0
}
#This function is used to deploy to the firewall
deployer() {
content=""
type=$1 # Types are keygen, cert, key, commit
_debug "**** Deploying $type *****"
type=$1 # Types are keytest, keygen, cert, key, commit
panos_url="https://$_panos_host/api/"
#Test API Key by performing a lookup
if [ "$type" = 'keytest' ]; then
_debug "**** Testing saved API Key ****"
_H1="Content-Type: application/x-www-form-urlencoded"
# Get Version Info to test key
content="type=version&key=$_panos_key"
## Exclude all scopes for the empty commit
#_exclude_scope="<policy-and-objects>exclude</policy-and-objects><device-and-network>exclude</device-and-network><shared-object>exclude</shared-object>"
#content="type=commit&action=partial&key=$_panos_key&cmd=<commit><partial>$_exclude_scope<admin><member>acmekeytest</member></admin></partial></commit>"
fi
# Generate API Key
if [ "$type" = 'keygen' ]; then
_debug "**** Generating new API Key ****"
_H1="Content-Type: application/x-www-form-urlencoded"
content="type=keygen&user=$_panos_user&password=$_panos_pass"
# content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}"
fi
# Deploy Cert or Key
if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
#Generate DEIM
_debug "**** Deploying $type ****"
#Generate DELIM
delim="-----MultipartDelimiter$(date "+%s%N")"
nl="\015\012"
#Set Header
@@ -61,7 +86,7 @@ deployer() {
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
fi
#Close multipart
content="$content${nl}--$delim--${nl}${nl}"
@@ -69,16 +94,25 @@ deployer() {
content=$(printf %b "$content")
fi
# Commit changes
if [ "$type" = 'commit' ]; then
_debug "**** Committing changes ****"
export _H1="Content-Type: application/x-www-form-urlencoded"
cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
content="type=commit&key=$_panos_key&cmd=$cmd"
#Check for force commit - will commit ALL uncommited changes to the firewall. Use with caution!
if [ "$FORCE" ]; then
_debug "Force switch detected. Committing ALL changes to the firewall."
cmd=$(printf "%s" "<commit><partial><force><admin><member>$_panos_user</member></admin></force></partial></commit>" | _url_encode)
else
_exclude_scope="<policy-and-objects>exclude</policy-and-objects><device-and-network>exclude</device-and-network>"
cmd=$(printf "%s" "<commit><partial>$_exclude_scope<admin><member>$_panos_user</member></admin></partial></commit>" | _url_encode)
fi
content="type=commit&action=partial&key=$_panos_key&cmd=$cmd"
fi
response=$(_post "$content" "$panos_url" "" "POST")
parse_response "$response" "$type"
# Saving response to variables
response_status=$status
#DEBUG
_debug response_status "$response_status"
if [ "$response_status" = "success" ]; then
_debug "Successfully deployed $type"
@@ -92,43 +126,85 @@ deployer() {
# This is the main function that will call the other functions to deploy everything.
panos_deploy() {
_cdomain="$1"
_cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename
_ckey="$2"
_cfullchain="$5"
# PANOS ENV VAR check
if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
_debug "No ENV variables found lets check for saved variables"
_getdeployconf PANOS_USER
_getdeployconf PANOS_PASS
_getdeployconf PANOS_HOST
_panos_user=$PANOS_USER
_panos_pass=$PANOS_PASS
_panos_host=$PANOS_HOST
if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
_err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
return 1
else
_debug "Using saved env variables."
fi
else
_debug "Detected ENV variables to be saved to the deploy conf."
# Encrypt and save user
_savedeployconf PANOS_USER "$PANOS_USER" 1
_savedeployconf PANOS_PASS "$PANOS_PASS" 1
_savedeployconf PANOS_HOST "$PANOS_HOST" 1
_panos_user="$PANOS_USER"
_panos_pass="$PANOS_PASS"
_panos_host="$PANOS_HOST"
# VALID FILE CHECK
if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then
_err "Unable to find a valid key and/or cert. If this is an ECDSA/ECC cert, use the --ecc flag when deploying."
return 1
fi
_debug "Let's use username and pass to generate token."
if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
_err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
# PANOS_HOST
if [ "$PANOS_HOST" ]; then
_debug "Detected ENV variable PANOS_HOST. Saving to file."
_savedeployconf PANOS_HOST "$PANOS_HOST" 1
else
_debug "Attempting to load variable PANOS_HOST from file."
_getdeployconf PANOS_HOST
fi
# PANOS USER
if [ "$PANOS_USER" ]; then
_debug "Detected ENV variable PANOS_USER. Saving to file."
_savedeployconf PANOS_USER "$PANOS_USER" 1
else
_debug "Attempting to load variable PANOS_USER from file."
_getdeployconf PANOS_USER
fi
# PANOS_PASS
if [ "$PANOS_PASS" ]; then
_debug "Detected ENV variable PANOS_PASS. Saving to file."
_savedeployconf PANOS_PASS "$PANOS_PASS" 1
else
_debug "Attempting to load variable PANOS_PASS from file."
_getdeployconf PANOS_PASS
fi
# PANOS_KEY
_getdeployconf PANOS_KEY
if [ "$PANOS_KEY" ]; then
_debug "Detected saved key."
_panos_key=$PANOS_KEY
else
_debug "No key detected"
unset _panos_key
fi
#Store variables
_panos_host=$PANOS_HOST
_panos_user=$PANOS_USER
_panos_pass=$PANOS_PASS
#Test API Key if found. If the key is invalid, the variable _panos_key will be unset.
if [ "$_panos_host" ] && [ "$_panos_key" ]; then
_debug "**** Testing API KEY ****"
deployer keytest
fi
# Check for valid variables
if [ -z "$_panos_host" ]; then
_err "No host found. If this is your first time deploying, please set PANOS_HOST in ENV variables. You can delete it after you have successfully deployed the certs."
return 1
elif [ -z "$_panos_user" ]; then
_err "No user found. If this is your first time deploying, please set PANOS_USER in ENV variables. You can delete it after you have successfully deployed the certs."
return 1
elif [ -z "$_panos_pass" ]; then
_err "No password found. If this is your first time deploying, please set PANOS_PASS in ENV variables. You can delete it after you have successfully deployed the certs."
return 1
else
_debug "Getting PANOS KEY"
deployer keygen
# Generate a new API key if no valid API key is found
if [ -z "$_panos_key" ]; then
_err "Missing apikey."
_debug "**** Generating new PANOS API KEY ****"
deployer keygen
_savedeployconf PANOS_KEY "$_panos_key" 1
fi
# Confirm that a valid key was generated
if [ -z "$_panos_key" ]; then
_err "Unable to generate an API key. The user and pass may be invalid or not authorized to generate a new key. Please check the PANOS_USER and PANOS_PASS credentials and try again"
return 1
else
deployer cert

409
deploy/ssh.sh
View File

@@ -14,7 +14,7 @@
# The following examples are for QNAP NAS running QTS 4.2
# export DEPLOY_SSH_CMD="" # defaults to "ssh -T"
# export DEPLOY_SSH_USER="admin" # required
# export DEPLOY_SSH_SERVER="qnap" # defaults to domain name
# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port
# export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
# export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
# export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
@@ -23,6 +23,8 @@
# export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value
# export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy
# export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value
# export DEPLOY_SSH_USE_SCP="" yes or no, default to no
# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q"
#
######## Public functions #####################
@@ -42,72 +44,134 @@ ssh_deploy() {
_debug _cfullchain "$_cfullchain"
# USER is required to login by SSH to remote host.
_migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER
_getdeployconf DEPLOY_SSH_USER
_debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
if [ -z "$DEPLOY_SSH_USER" ]; then
if [ -z "$Le_Deploy_ssh_user" ]; then
_err "DEPLOY_SSH_USER not defined."
return 1
fi
else
Le_Deploy_ssh_user="$DEPLOY_SSH_USER"
_savedomainconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user"
_err "DEPLOY_SSH_USER not defined."
return 1
fi
_savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
# SERVER is optional. If not provided then use _cdomain
_migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER
_getdeployconf DEPLOY_SSH_SERVER
_debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
if [ -n "$DEPLOY_SSH_SERVER" ]; then
Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER"
_savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server"
elif [ -z "$Le_Deploy_ssh_server" ]; then
Le_Deploy_ssh_server="$_cdomain"
if [ -z "$DEPLOY_SSH_SERVER" ]; then
DEPLOY_SSH_SERVER="$_cdomain"
fi
_savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
# CMD is optional. If not provided then use ssh
_migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD
_getdeployconf DEPLOY_SSH_CMD
_debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
if [ -n "$DEPLOY_SSH_CMD" ]; then
Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD"
_savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
elif [ -z "$Le_Deploy_ssh_cmd" ]; then
Le_Deploy_ssh_cmd="ssh -T"
if [ -z "$DEPLOY_SSH_CMD" ]; then
DEPLOY_SSH_CMD="ssh -T"
fi
_savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
# BACKUP is optional. If not provided then default to previously saved value or yes.
_migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP
_getdeployconf DEPLOY_SSH_BACKUP
_debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then
Le_Deploy_ssh_backup="no"
elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
Le_Deploy_ssh_backup="yes"
if [ -z "$DEPLOY_SSH_BACKUP" ]; then
DEPLOY_SSH_BACKUP="yes"
fi
_savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup"
_savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
# BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
_migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH
_getdeployconf DEPLOY_SSH_BACKUP_PATH
_debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then
Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH"
elif [ -z "$Le_Deploy_ssh_backup_path" ]; then
Le_Deploy_ssh_backup_path=".acme_ssh_deploy"
if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then
DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"
fi
_savedomainconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path"
_savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
# MULTI_CALL is optional. If not provided then default to previously saved
# value (which may be undefined... equivalent to "no").
_migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL
_getdeployconf DEPLOY_SSH_MULTI_CALL
_debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
Le_Deploy_ssh_multi_call="yes"
_savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call"
elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then
Le_Deploy_ssh_multi_call=""
_cleardomainconf Le_Deploy_ssh_multi_call
if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then
DEPLOY_SSH_MULTI_CALL="no"
fi
_savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
# KEYFILE is optional.
# If provided then private key will be copied to provided filename.
_migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE
_getdeployconf DEPLOY_SSH_KEYFILE
_debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
_savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
fi
_deploy_ssh_servers=$Le_Deploy_ssh_server
for Le_Deploy_ssh_server in $_deploy_ssh_servers; do
# CERTFILE is optional.
# If provided then certificate will be copied or appended to provided filename.
_migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE
_getdeployconf DEPLOY_SSH_CERTFILE
_debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
_savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
fi
# CAFILE is optional.
# If provided then CA intermediate certificate will be copied or appended to provided filename.
_migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE
_getdeployconf DEPLOY_SSH_CAFILE
_debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
if [ -n "$DEPLOY_SSH_CAFILE" ]; then
_savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
fi
# FULLCHAIN is optional.
# If provided then fullchain certificate will be copied or appended to provided filename.
_migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN
_getdeployconf DEPLOY_SSH_FULLCHAIN
_debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
_savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
fi
# REMOTE_CMD is optional.
# If provided then this command will be executed on remote host.
_migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD
_getdeployconf DEPLOY_SSH_REMOTE_CMD
_debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
_savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
fi
# USE_SCP is optional. If not provided then default to previously saved
# value (which may be undefined... equivalent to "no").
_getdeployconf DEPLOY_SSH_USE_SCP
_debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
if [ -z "$DEPLOY_SSH_USE_SCP" ]; then
DEPLOY_SSH_USE_SCP="no"
fi
_savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
# SCP_CMD is optional. If not provided then use scp
_getdeployconf DEPLOY_SSH_SCP_CMD
_debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then
DEPLOY_SSH_SCP_CMD="scp -q"
fi
_savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
DEPLOY_SSH_MULTI_CALL="yes"
_info "Using scp as alternate method for copying files. Multicall Mode is implicit"
elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
_info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
else
_info "Required commands batched and sent in single call to remote host"
fi
_deploy_ssh_servers="$DEPLOY_SSH_SERVER"
for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do
_ssh_deploy
done
}
@@ -117,16 +181,25 @@ _ssh_deploy() {
_cmdstr=""
_backupprefix=""
_backupdir=""
_local_cert_file=""
_local_ca_file=""
_local_full_file=""
_info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server"
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
_info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
else
_info "Required commands batched and sent in single call to remote host"
fi
case $DEPLOY_SSH_SERVER in
*:*)
_host=${DEPLOY_SSH_SERVER%:*}
_port=${DEPLOY_SSH_SERVER##*:}
;;
*)
_host=$DEPLOY_SSH_SERVER
_port=
;;
esac
if [ "$Le_Deploy_ssh_backup" = "yes" ]; then
_backupprefix="$Le_Deploy_ssh_backup_path/$_cdomain-backup"
_info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port"
if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
_backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup"
_backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')"
# run cleanup on the backup directory, erase all older
# than 180 days (15552000 seconds).
@@ -138,7 +211,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
_cmdstr="mkdir -p $_backupdir; $_cmdstr"
_info "Backup of old certificate files will be placed in remote directory $_backupdir"
_info "Backup directories erased after 180 days."
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
@@ -146,129 +219,184 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
fi
fi
# KEYFILE is optional.
# If provided then private key will be copied to provided filename.
_getdeployconf DEPLOY_SSH_KEYFILE
_debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE"
_savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile"
fi
if [ -n "$Le_Deploy_ssh_keyfile" ]; then
if [ "$Le_Deploy_ssh_backup" = "yes" ]; then
if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
# backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;"
_cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
# copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;"
_info "will copy private key to remote file $Le_Deploy_ssh_keyfile"
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
# copy new key into file.
if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
# scp the file
if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then
return $_err_code
fi
_cmdstr=""
else
# ssh echo to the file
_cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;"
_info "will copy private key to remote file $DEPLOY_SSH_KEYFILE"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
fi
# CERTFILE is optional.
# If provided then certificate will be copied or appended to provided filename.
_getdeployconf DEPLOY_SSH_CERTFILE
_debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE"
_savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile"
fi
if [ -n "$Le_Deploy_ssh_certfile" ]; then
_pipe=">"
if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then
if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
# if filename is same as previous file then append.
_pipe=">>"
elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
# backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;"
_cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
# copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;"
_info "will copy certificate to remote file $Le_Deploy_ssh_certfile"
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
# scp the file
_local_cert_file=$(_mktemp)
if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
cat "$_ckey" >>"$_local_cert_file"
fi
cat "$_ccert" >>"$_local_cert_file"
if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then
return $_err_code
fi
_cmdstr=""
else
# ssh echo to the file
_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;"
_info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
fi
# CAFILE is optional.
# If provided then CA intermediate certificate will be copied or appended to provided filename.
_getdeployconf DEPLOY_SSH_CAFILE
_debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
if [ -n "$DEPLOY_SSH_CAFILE" ]; then
Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE"
_savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
fi
if [ -n "$Le_Deploy_ssh_cafile" ]; then
_pipe=">"
if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ||
[ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then
if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] ||
[ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
# if filename is same as previous file then append.
_pipe=">>"
elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
# backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;"
_cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
# copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;"
_info "will copy CA file to remote file $Le_Deploy_ssh_cafile"
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
# scp the file
_local_ca_file=$(_mktemp)
if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
cat "$_ckey" >>"$_local_ca_file"
fi
if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
cat "$_ccert" >>"$_local_ca_file"
fi
cat "$_cca" >>"$_local_ca_file"
if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then
return $_err_code
fi
_cmdstr=""
else
# ssh echo to the file
_cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;"
_info "will copy CA file to remote file $DEPLOY_SSH_CAFILE"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
fi
# FULLCHAIN is optional.
# If provided then fullchain certificate will be copied or appended to provided filename.
_getdeployconf DEPLOY_SSH_FULLCHAIN
_debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN"
_savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
fi
if [ -n "$Le_Deploy_ssh_fullchain" ]; then
_pipe=">"
if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ||
[ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] ||
[ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then
if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] ||
[ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] ||
[ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
# if filename is same as previous file then append.
_pipe=">>"
elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
# backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;"
_cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;"
if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
# copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;"
_info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain"
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
# scp the file
_local_full_file=$(_mktemp)
if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then
cat "$_ckey" >>"$_local_full_file"
fi
if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then
cat "$_ccert" >>"$_local_full_file"
fi
if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
cat "$_cca" >>"$_local_full_file"
fi
cat "$_cfullchain" >>"$_local_full_file"
if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then
return $_err_code
fi
_cmdstr=""
else
# ssh echo to the file
_cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;"
_info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
_cmdstr=""
fi
fi
fi
# REMOTE_CMD is optional.
# If provided then this command will be executed on remote host.
_getdeployconf DEPLOY_SSH_REMOTE_CMD
_debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD"
_savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
# cleanup local files if any
if [ -f "$_local_cert_file" ]; then
rm -f "$_local_cert_file"
fi
if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
_cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;"
_info "Will execute remote command $Le_Deploy_ssh_remote_cmd"
if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
if [ -f "$_local_ca_file" ]; then
rm -f "$_local_ca_file"
fi
if [ -f "$_local_full_file" ]; then
rm -f "$_local_full_file"
fi
if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
_cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;"
_info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD"
if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
if ! _ssh_remote_cmd "$_cmdstr"; then
return $_err_code
fi
@@ -282,17 +410,25 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
return $_err_code
fi
fi
# cleanup in case all is ok
return 0
}
#cmd
_ssh_remote_cmd() {
_cmd="$1"
_ssh_cmd="$DEPLOY_SSH_CMD"
if [ -n "$_port" ]; then
_ssh_cmd="$_ssh_cmd -p $_port"
fi
_secure_debug "Remote commands to execute: $_cmd"
_info "Submitting sequence of commands to remote server by ssh"
_info "Submitting sequence of commands to remote server by $_ssh_cmd"
# quotations in bash cmd below intended. Squash travis spellcheck error
# shellcheck disable=SC2029
$Le_Deploy_ssh_cmd "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmd'"
$_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'"
_err_code="$?"
if [ "$_err_code" != "0" ]; then
@@ -301,3 +437,26 @@ _ssh_remote_cmd() {
return $_err_code
}
# cmd scp
_scp_remote_cmd() {
_src=$1
_dest=$2
_scp_cmd="$DEPLOY_SSH_SCP_CMD"
if [ -n "$_port" ]; then
_scp_cmd="$_scp_cmd -P $_port"
fi
_secure_debug "Remote copy source $_src to destination $_dest"
_info "Submitting secure copy by $_scp_cmd"
$_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest"
_err_code="$?"
if [ "$_err_code" != "0" ]; then
_err "Error code $_err_code returned from scp"
fi
return $_err_code
}

164
deploy/synology_dsm.sh
View File

@@ -1,34 +1,35 @@
#!/usr/bin/env sh
#!/bin/bash
# Here is a script to deploy cert to Synology DSM
#
# It requires following environment variables:
#
# SYNO_Username - Synology Username to login (must be an administrator)
# SYNO_Password - Synology Password to login
# SYNO_Certificate - Certificate description to target for replacement
#
# The following environmental variables may be set if you don't like their
# default values:
#
# SYNO_Scheme - defaults to http
# SYNO_Hostname - defaults to localhost
# SYNO_Port - defaults to 5000
# SYNO_DID - device ID to skip OTP - defaults to empty
# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty
#
################################################################################
# ACME.sh 3rd party deploy plugin for Synology DSM
################################################################################
# Authors: Brian Hartvigsen (creator), https://github.com/tresni
# Martin Arndt (contributor), https://troublezone.net/
# Updated: 2023-07-03
# Issues: https://github.com/acmesh-official/acme.sh/issues/2727
################################################################################
# Usage:
# 1. export SYNO_Username="adminUser"
# 2. export SYNO_Password="adminPassword"
# Optional exports (shown values are the defaults):
# - export SYNO_Certificate="" to replace a specific certificate via description
# - export SYNO_Scheme="http"
# - export SYNO_Hostname="localhost"
# - export SYNO_Port="5000"
# - export SYNO_Device_Name="CertRenewal" - required for skipping 2FA-OTP
# - export SYNO_Device_ID="" - required for skipping 2FA-OTP
# 3. acme.sh --deploy --deploy-hook synology_dsm -d example.com
################################################################################
# Dependencies:
# -------------
# - jq and curl
# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set)
#
#returns 0 means success, otherwise error.
######## Public functions #####################
# - jq & curl
################################################################################
# Return value:
# 0 means success, otherwise error.
################################################################################
########## Public functions ####################################################
#domain keyfile certfile cafile fullchain
synology_dsm_deploy() {
_cdomain="$1"
_ckey="$2"
_ccert="$3"
@@ -36,39 +37,46 @@ synology_dsm_deploy() {
_debug _cdomain "$_cdomain"
# Get Username and Password, but don't save until we successfully authenticate
# Get username & password, but don't save until we authenticated successfully
_getdeployconf SYNO_Username
_getdeployconf SYNO_Password
_getdeployconf SYNO_Create
_getdeployconf SYNO_DID
_getdeployconf SYNO_TOTP_SECRET
_getdeployconf SYNO_Device_Name
_getdeployconf SYNO_Device_ID
if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
_err "SYNO_Username & SYNO_Password must be set"
return 1
fi
if [ -n "${SYNO_Device_Name:-}" ] && [ -z "${SYNO_Device_ID:-}" ]; then
_err "SYNO_Device_Name set, but SYNO_Device_ID is empty"
return 1
fi
_debug2 SYNO_Username "$SYNO_Username"
_secure_debug2 SYNO_Password "$SYNO_Password"
_debug2 SYNO_Create "$SYNO_Create"
_debug2 SYNO_Device_Name "$SYNO_Device_Name"
_secure_debug2 SYNO_Device_ID "$SYNO_Device_ID"
# Optional scheme, hostname, and port for Synology DSM
# Optional scheme, hostname & port for Synology DSM
_getdeployconf SYNO_Scheme
_getdeployconf SYNO_Hostname
_getdeployconf SYNO_Port
# default vaules for scheme, hostname, and port
# defaulting to localhost and http because it's localhost...
# Default values for scheme, hostname & port
# Defaulting to localhost & http, because it's localhost
[ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
[ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
[ -n "${SYNO_Port}" ] || SYNO_Port="5000"
_savedeployconf SYNO_Scheme "$SYNO_Scheme"
_savedeployconf SYNO_Hostname "$SYNO_Hostname"
_savedeployconf SYNO_Port "$SYNO_Port"
_debug2 SYNO_Scheme "$SYNO_Scheme"
_debug2 SYNO_Hostname "$SYNO_Hostname"
_debug2 SYNO_Port "$SYNO_Port"
# Get the certificate description, but don't save it until we verfiy it's real
# Get the certificate description, but don't save it until we verify it's real
_getdeployconf SYNO_Certificate
_debug SYNO_Certificate "${SYNO_Certificate:-}"
@@ -83,53 +91,81 @@ synology_dsm_deploy() {
_debug "Getting API version"
response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
api_path=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"path" *: *"\([^"]*\)".*/\1/p')
api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
_debug3 response "$response"
_debug3 api_path "$api_path"
_debug3 api_version "$api_version"
# Login, get the token from JSON and session id from cookie
# Login, get the session ID & SynoToken from JSON
_info "Logging into $SYNO_Hostname:$SYNO_Port"
encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
otp_code=""
# START - DEPRECATED, only kept for legacy compatibility reasons
if [ -n "$SYNO_TOTP_SECRET" ]; then
_info "WARNING: Usage of SYNO_TOTP_SECRET is deprecated!"
_info " See synology_dsm.sh script or ACME.sh Wiki page for details:"
_info " https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide"
DEPRECATED_otp_code=""
if _exists oathtool; then
otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
DEPRECATED_otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
else
_err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET"
return 1
fi
if [ -n "$SYNO_DID" ]; then
_H1="Cookie: did=$SYNO_DID"
export _H1
_debug3 H1 "${_H1}"
fi
response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
_debug3 response "$response"
# END - DEPRECATED, only kept for legacy compatibility reasons
# Get device ID if still empty first, otherwise log in right away
elif [ -z "${SYNO_Device_ID:-}" ]; then
printf "Enter OTP code for user '%s': " "$SYNO_Username"
read -r otp_code
if [ -z "${SYNO_Device_Name:-}" ]; then
printf "Enter device name or leave empty for default (CertRenewal): "
read -r SYNO_Device_Name
[ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal"
fi
response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name")
_secure_debug3 response "$response"
id_property='device_id'
[ "${api_version}" -gt '6' ] || id_property='did'
SYNO_Device_ID=$(echo "$response" | grep "$id_property" | sed -n 's/.*"'$id_property'" *: *"\([^"]*\).*/\1/p')
_secure_debug2 SYNO_Device_ID "$SYNO_Device_ID"
else
response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID")
_debug3 response "$response"
fi
if [ -n "$SYNO_DID" ]; then
_H1="Cookie: did=$SYNO_DID"
export _H1
_debug3 H1 "${_H1}"
fi
response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
_debug3 response "$response"
_debug token "$token"
if [ -z "$token" ]; then
_err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
_err "Check your username and password."
_err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET."
_debug "Session ID" "$sid"
_debug SynoToken "$token"
if [ -z "$SYNO_DID" ] && [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then
_err "Unable to authenticate to $_base_url - check your username & password."
_err "If two-factor authentication is enabled for the user, set SYNO_Device_ID."
return 1
fi
sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
_H1="X-SYNO-TOKEN: $token"
export _H1
_debug2 H1 "${_H1}"
# Now that we know the username and password are good, save them
# Now that we know the username & password are good, save them
_savedeployconf SYNO_Username "$SYNO_Username"
_savedeployconf SYNO_Password "$SYNO_Password"
_savedeployconf SYNO_DID "$SYNO_DID"
_savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET"
_savedeployconf SYNO_Device_Name "$SYNO_Device_Name"
_savedeployconf SYNO_Device_ID "$SYNO_Device_ID"
_info "Getting certificates in Synology DSM"
response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
@@ -140,11 +176,11 @@ synology_dsm_deploy() {
_debug2 id "$id"
if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
_err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
_err "Unable to find certificate: $SYNO_Certificate & \$SYNO_Create is not set"
return 1
fi
# we've verified this certificate description is a thing, so save it
# We've verified this certificate description is a thing, so save it
_savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
_info "Generate form POST request"
@@ -156,10 +192,10 @@ synology_dsm_deploy() {
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
_debug2 default "this is the default certificate"
_debug2 default "This is the default certificate"
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
else
_debug2 default "this is NOT the default certificate"
_debug2 default "This is NOT the default certificate"
fi
content="$content${nl}--$delim--${nl}"
content="$(printf "%b_" "$content")"
@@ -171,13 +207,23 @@ synology_dsm_deploy() {
if ! echo "$response" | grep '"error":' >/dev/null; then
if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
_info "http services were restarted"
_info "Restarting HTTP services succeeded"
else
_info "http services were NOT restarted"
_info "Restarting HTTP services failed"
fi
_logout
return 0
else
_err "Unable to update certificate, error code $response"
_logout
return 1
fi
}
#################### Private functions below ##################################
_logout() {
# Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget
response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout")
_debug3 response "$response"
}

21
deploy/truenas.sh
View File

@@ -184,6 +184,27 @@ truenas_deploy() {
_info "S3 certificate is not configured or is not the same as TrueNAS web UI"
fi
_info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required"
if _exists jq; then
_info "Query all chart release"
_release_list=$(_get "$_api_url/chart/release")
_related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique")
_release_length=$(printf "%s" "$_related_name_list" | jq -r "length")
_info "Found $_release_length related chart release in list: $_related_name_list"
for i in $(seq 0 $((_release_length - 1))); do
_release_name=$(echo "$_related_name_list" | jq -r ".[$i]")
_info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name"
#Read the chart release configuration
_chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")")
#Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress
_updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress ")
_update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")"
_debug3 _update_chart_result "$_update_chart_result"
done
else
_info "Tool 'jq' does not exists, skip chart release checking"
fi
_info "Deleting old certificate"
_delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")"

79
deploy/vault.sh
View File

@@ -7,13 +7,16 @@
#
# VAULT_PREFIX - this contains the prefix path in vault
# VAULT_ADDR - vault requires this to find your vault server
# VAULT_SAVE_TOKEN - set to anything if you want to save the token
# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
#
# additionally, you need to ensure that VAULT_TOKEN is avialable
# to access the vault server
#returns 0 means success, otherwise error.
######## Public functions #####################
######## Public functions #####################
#domain keyfile certfile cafile fullchain
vault_deploy() {
@@ -45,6 +48,26 @@ vault_deploy() {
fi
_savedeployconf VAULT_ADDR "$VAULT_ADDR"
_getdeployconf VAULT_SAVE_TOKEN
_savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
_getdeployconf VAULT_RENEW_TOKEN
_savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
_getdeployconf VAULT_KV_V2
_savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
_getdeployconf VAULT_TOKEN
if [ -z "$VAULT_TOKEN" ]; then
_err "VAULT_TOKEN needs to be defined"
return 1
fi
if [ -n "$VAULT_SAVE_TOKEN" ]; then
_savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
fi
_migratedeployconf FABIO VAULT_FABIO_MODE
# JSON does not allow multiline strings.
# So replacing new-lines with "\n" here
_ckey=$(sed -z 's/\n/\\n/g' <"$2")
@@ -52,26 +75,56 @@ vault_deploy() {
_cca=$(sed -z 's/\n/\\n/g' <"$4")
_cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
export _H1="X-Vault-Token: $VAULT_TOKEN"
if [ -n "$FABIO" ]; then
if [ -n "$VAULT_RENEW_TOKEN" ]; then
URL="$VAULT_ADDR/v1/auth/token/renew-self"
_info "Renew the Vault token to default TTL"
if ! _post "" "$URL" >/dev/null; then
_err "Failed to renew the Vault token"
return 1
fi
fi
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
if [ -n "$VAULT_FABIO_MODE" ]; then
_info "Writing certificate and key to $URL in Fabio mode"
if [ -n "$VAULT_KV_V2" ]; then
_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
else
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
fi
else
if [ -n "$VAULT_KV_V2" ]; then
_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
_info "Writing certificate to $URL/cert.pem"
_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
_info "Writing key to $URL/cert.key"
_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
_info "Writing CA certificate to $URL/ca.pem"
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
_info "Writing full-chain certificate to $URL/fullchain.pem"
_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
else
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
_info "Writing certificate to $URL/cert.pem"
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
_info "Writing key to $URL/cert.key"
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
_info "Writing CA certificate to $URL/ca.pem"
_post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
_info "Writing full-chain certificate to $URL/fullchain.pem"
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
fi
# To make it compatible with the wrong ca path `chain.pem` which was used in former versions
if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then
_err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
_info "Updating CA certificate to $URL/chain.pem for backward compatibility"
if [ -n "$VAULT_KV_V2" ]; then
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
else
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
fi
fi
fi

47
deploy/vault_cli.sh
View File

@@ -8,6 +8,8 @@
#
# VAULT_PREFIX - this contains the prefix path in vault
# VAULT_ADDR - vault requires this to find your vault server
# VAULT_SAVE_TOKEN - set to anything if you want to save the token
# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
#
# additionally, you need to ensure that VAULT_TOKEN is avialable or
# `vault auth` has applied the appropriate authorization for the vault binary
@@ -33,15 +35,36 @@ vault_cli_deploy() {
_debug _cfullchain "$_cfullchain"
# validate required env vars
_getdeployconf VAULT_PREFIX
if [ -z "$VAULT_PREFIX" ]; then
_err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
return 1
fi
_savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
_getdeployconf VAULT_ADDR
if [ -z "$VAULT_ADDR" ]; then
_err "VAULT_ADDR needs to be defined (contains vault connection address)"
return 1
fi
_savedeployconf VAULT_ADDR "$VAULT_ADDR"
_getdeployconf VAULT_SAVE_TOKEN
_savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
_getdeployconf VAULT_RENEW_TOKEN
_savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
_getdeployconf VAULT_TOKEN
if [ -z "$VAULT_TOKEN" ]; then
_err "VAULT_TOKEN needs to be defined"
return 1
fi
if [ -n "$VAULT_SAVE_TOKEN" ]; then
_savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
fi
_migratedeployconf FABIO VAULT_FABIO_MODE
VAULT_CMD=$(command -v vault)
if [ ! $? ]; then
@@ -49,13 +72,33 @@ vault_cli_deploy() {
return 1
fi
if [ -n "$FABIO" ]; then
if [ -n "$VAULT_RENEW_TOKEN" ]; then
_info "Renew the Vault token to default TTL"
if ! $VAULT_CMD token renew; then
_err "Failed to renew the Vault token"
return 1
fi
fi
if [ -n "$VAULT_FABIO_MODE" ]; then
_info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode"
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
else
_info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem"
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
_info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key"
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
_info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem"
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1
_info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem"
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
# To make it compatible with the wrong ca path `chain.pem` which was used in former versions
if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then
_err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
_info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility"
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
fi
fi
}

156
dnsapi/dns_1984hosting.sh
View File

@@ -1,46 +1,46 @@
#!/usr/bin/env sh
#This file name is "dns_1984hosting.sh"
#So, here must be a method dns_1984hosting_add()
#Which will be called by acme.sh to add the txt record to your api system.
#returns 0 means success, otherwise error.
# This file name is "dns_1984hosting.sh"
# So, here must be a method dns_1984hosting_add()
# Which will be called by acme.sh to add the txt record to your api system.
# returns 0 means success, otherwise error.
#Author: Adrian Fedoreanu
#Report Bugs here: https://github.com/acmesh-official/acme.sh
# Author: Adrian Fedoreanu
# Report Bugs here: https://github.com/acmesh-official/acme.sh
# or here... https://github.com/acmesh-official/acme.sh/issues/2851
#
######## Public functions #####################
######## Public functions #####################
# Export 1984HOSTING username and password in following variables
#
# One984HOSTING_Username=username
# One984HOSTING_Password=password
#
# sessionid cookie is saved in ~/.acme.sh/account.conf
# username/password need to be set only when changed.
# username/password and csrftoken/sessionid cookies are saved in ~/.acme.sh/account.conf
#Usage: dns_1984hosting_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
# Usage: dns_1984hosting_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
# Add a text record.
dns_1984hosting_add() {
fulldomain=$1
txtvalue=$2
_info "Add TXT record using 1984Hosting"
_info "Add TXT record using 1984Hosting."
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
if ! _1984hosting_login; then
_err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file"
_err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file."
return 1
fi
_debug "First detect the root zone"
_debug "First detect the root zone."
if ! _get_root "$fulldomain"; then
_err "invalid domain" "$fulldomain"
_err "Invalid domain '$fulldomain'."
return 1
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
_debug "Add TXT record $fulldomain with value '$txtvalue'"
_debug "Add TXT record $fulldomain with value '$txtvalue'."
value="$(printf '%s' "$txtvalue" | _url_encode)"
url="https://1984.hosting/domains/entry/"
@@ -53,93 +53,97 @@ dns_1984hosting_add() {
_debug2 postdata "$postdata"
_authpost "$postdata" "$url"
response="$(echo "$_response" | _normalizeJson)"
_debug2 response "$response"
if _contains "$response" '"haserrors": true'; then
_err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post"
if _contains "$_response" '"haserrors": true'; then
_err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post."
return 1
elif _contains "$response" "html>"; then
_err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file"
elif _contains "$_response" "html>"; then
_err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file."
return 1
elif _contains "$response" '"auth": false'; then
_err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie"
elif _contains "$_response" '"auth": false'; then
_err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie."
return 1
fi
_info "Added acme challenge TXT record for $fulldomain at 1984Hosting"
_info "Added acme challenge TXT record for $fulldomain at 1984Hosting."
return 0
}
#Usage: fulldomain txtvalue
#Remove the txt record after validation.
# Usage: fulldomain txtvalue
# Remove the txt record after validation.
dns_1984hosting_rm() {
fulldomain=$1
txtvalue=$2
_info "Delete TXT record using 1984Hosting"
_info "Delete TXT record using 1984Hosting."
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
if ! _1984hosting_login; then
_err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file"
_err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file."
return 1
fi
_debug "First detect the root zone"
_debug "First detect the root zone."
if ! _get_root "$fulldomain"; then
_err "invalid domain" "$fulldomain"
_err "Invalid domain '$fulldomain'."
return 1
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
_debug "Delete $fulldomain TXT record"
_debug "Delete $fulldomain TXT record."
url="https://1984.hosting/domains"
if ! _get_zone_id "$url" "$_domain"; then
_err "invalid zone" "$_domain"
_err "Invalid zone '$_domain'."
return 1
fi
_htmlget "$url/$_zone_id" "$txtvalue"
_debug2 _response "$_response"
entry_id="$(echo "$_response" | _egrep_o 'entry_[0-9]+' | sed 's/entry_//')"
_debug2 entry_id "$entry_id"
if [ -z "$entry_id" ]; then
_err "Error getting TXT entry_id for $1"
_err "Error getting TXT entry_id for $1."
return 1
fi
_authpost "entry=$entry_id" "$url/delentry/"
response="$(echo "$_response" | _normalizeJson)"
_debug2 response "$response"
if ! _contains "$response" '"ok": true'; then
_err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post"
if ! _contains "$_response" '"ok": true'; then
_err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post."
return 1
fi
_info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting"
_info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting."
return 0
}
#################### Private functions below ##################################
# usage: _1984hosting_login username password
# returns 0 success
_1984hosting_login() {
if ! _check_credentials; then return 1; fi
if _check_cookies; then
_debug "Already logged in"
_debug "Already logged in."
return 0
fi
_debug "Login to 1984Hosting as user $One984HOSTING_Username"
_debug "Login to 1984Hosting as user $One984HOSTING_Username."
username=$(printf '%s' "$One984HOSTING_Username" | _url_encode)
password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
url="https://1984.hosting/accounts/checkuserauth/"
_get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken"
csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
if [ -z "$csrftoken" ] || [ -z "$sessionid" ]; then
_err "One or more cookies are empty: '$csrftoken', '$sessionid'."
return 1
fi
export _H1="Cookie: $csrftoken; $sessionid"
export _H2="Referer: https://1984.hosting/accounts/login/"
csrf_header=$(echo "$csrftoken" | sed 's/csrftoken=//' | _head_n 1)
export _H3="X-CSRFToken: $csrf_header"
response="$(_post "username=$username&password=$password&otpkey=" $url)"
response="$(echo "$response" | _normalizeJson)"
_debug2 response "$response"
@@ -149,6 +153,8 @@ _1984hosting_login() {
One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
export One984HOSTING_SESSIONID_COOKIE
export One984HOSTING_CSRFTOKEN_COOKIE
_saveaccountconf_mutable One984HOSTING_Username "$One984HOSTING_Username"
_saveaccountconf_mutable One984HOSTING_Password "$One984HOSTING_Password"
_saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
_saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
return 0
@@ -157,9 +163,13 @@ _1984hosting_login() {
}
_check_credentials() {
One984HOSTING_Username="${One984HOSTING_Username:-$(_readaccountconf_mutable One984HOSTING_Username)}"
One984HOSTING_Password="${One984HOSTING_Password:-$(_readaccountconf_mutable One984HOSTING_Password)}"
if [ -z "$One984HOSTING_Username" ] || [ -z "$One984HOSTING_Password" ]; then
One984HOSTING_Username=""
One984HOSTING_Password=""
_clearaccountconf_mutable One984HOSTING_Username
_clearaccountconf_mutable One984HOSTING_Password
_err "You haven't specified 1984Hosting username or password yet."
_err "Please export as One984HOSTING_Username / One984HOSTING_Password and try again."
return 1
@@ -171,42 +181,43 @@ _check_cookies() {
One984HOSTING_SESSIONID_COOKIE="${One984HOSTING_SESSIONID_COOKIE:-$(_readaccountconf_mutable One984HOSTING_SESSIONID_COOKIE)}"
One984HOSTING_CSRFTOKEN_COOKIE="${One984HOSTING_CSRFTOKEN_COOKIE:-$(_readaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE)}"
if [ -z "$One984HOSTING_SESSIONID_COOKIE" ] || [ -z "$One984HOSTING_CSRFTOKEN_COOKIE" ]; then
_debug "No cached cookie(s) found"
_debug "No cached cookie(s) found."
return 1
fi
_authget "https://1984.hosting/accounts/loginstatus/"
if _contains "$response" '"ok": true'; then
_debug "Cached cookies still valid"
if _contains "$_response" '"ok": true'; then
_debug "Cached cookies still valid."
return 0
fi
_debug "Cached cookies no longer valid"
_debug "Cached cookies no longer valid. Clearing cookies."
One984HOSTING_SESSIONID_COOKIE=""
One984HOSTING_CSRFTOKEN_COOKIE=""
_saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
_saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
_clearaccountconf_mutable One984HOSTING_SESSIONID_COOKIE
_clearaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE
return 1
}
#_acme-challenge.www.domain.com
#returns
# _sub_domain=_acme-challenge.www
# _domain=domain.com
# _acme-challenge.www.domain.com
# Returns
# _sub_domain=_acme-challenge.www
# _domain=domain.com
_get_root() {
domain="$1"
i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
# not valid
if [ -z "$h" ]; then
#not valid
return 1
fi
_authget "https://1984.hosting/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
if _contains "$_response" "serial" && ! _contains "$_response" "null"; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
_domain="$h"
return 0
fi
@@ -216,46 +227,47 @@ _get_root() {
return 1
}
#usage: _get_zone_id url domain.com
#returns zone id for domain.com
# Usage: _get_zone_id url domain.com
# Returns zone id for domain.com
_get_zone_id() {
url=$1
domain=$2
_htmlget "$url" "$domain"
_debug2 _response "$_response"
_zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+' | _head_n 1)"
_debug2 _zone_id "$_zone_id"
if [ -z "$_zone_id" ]; then
_err "Error getting _zone_id for $2"
_err "Error getting _zone_id for $2."
return 1
fi
return 0
}
# add extra headers to request
# Add extra headers to request
_authget() {
export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
_response=$(_get "$1" | _normalizeJson)
_debug2 _response "$_response"
}
# truncate huge HTML response
# echo: Argument list too long
# Truncate huge HTML response
# Echo: Argument list too long
_htmlget() {
export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
_response=$(_get "$1" | grep "$2")
if _contains "$_response" "@$2"; then
_response=$(echo "$_response" | grep -v "[@]" | _head_n 1)
fi
_debug2 _response "$_response"
}
# add extra headers to request
# Add extra headers to request
_authpost() {
url="https://1984.hosting/domains"
_get_zone_id "$url" "$_domain"
csrf_header="$(echo "$One984HOSTING_CSRFTOKEN_COOKIE" | _egrep_o "=[^=][0-9a-zA-Z]*" | tr -d "=")"
export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
export _H2="Referer: https://1984.hosting/domains/$_zone_id"
export _H3="X-CSRFToken: $csrf_header"
_response=$(_post "$1" "$2")
_response="$(_post "$1" "$2" | _normalizeJson)"
_debug2 _response "$_response"
}

2
dnsapi/dns_ali.sh
View File

@@ -117,7 +117,7 @@ _ali_urlencode() {
_ali_nonce() {
#_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31
#Not so good...
date +"%s%N"
date +"%s%N" | sed 's/%N//g'
}
_check_exist_query() {

180
dnsapi/dns_artfiles.sh Normal file
View File

@@ -0,0 +1,180 @@
#!/usr/bin/env sh
################################################################################
# ACME.sh 3rd party DNS API plugin for ArtFiles.de
################################################################################
# Author: Martin Arndt, https://troublezone.net/
# Released: 2022-02-27
# Issues: https://github.com/acmesh-official/acme.sh/issues/4718
################################################################################
# Usage:
# 1. export AF_API_USERNAME='api12345678'
# 2. export AF_API_PASSWORD='apiPassword'
# 3. acme.sh --issue -d example.com --dns dns_artfiles
################################################################################
########## API configuration ###################################################
AF_API_SUCCESS='status":"OK'
AF_URL_DCP='https://dcp.c.artfiles.de/api/'
AF_URL_DNS=${AF_URL_DCP}'dns/{*}_dns.html?domain='
AF_URL_DOMAINS=${AF_URL_DCP}'domain/get_domains.html'
########## Public functions ####################################################
# Adds a new TXT record for given ACME challenge value & domain.
# Usage: dns_artfiles_add _acme-challenge.www.example.com "ACME challenge value"
dns_artfiles_add() {
domain="$1"
txtValue="$2"
_info 'Using ArtFiles.de DNS addition API…'
_debug 'Domain' "$domain"
_debug 'txtValue' "$txtValue"
_set_credentials
_saveaccountconf_mutable 'AF_API_USERNAME' "$AF_API_USERNAME"
_saveaccountconf_mutable 'AF_API_PASSWORD' "$AF_API_PASSWORD"
_set_headers
_get_zone "$domain"
_dns 'GET'
if ! _contains "$response" 'TXT'; then
_err 'Retrieving TXT records failed.'
return 1
fi
_clean_records
_dns 'SET' "$(printf -- '%s\n_acme-challenge "%s"' "$response" "$txtValue")"
if ! _contains "$response" "$AF_API_SUCCESS"; then
_err 'Adding ACME challenge value failed.'
return 1
fi
}
# Removes the existing TXT record for given ACME challenge value & domain.
# Usage: dns_artfiles_rm _acme-challenge.www.example.com "ACME challenge value"
dns_artfiles_rm() {
domain="$1"
txtValue="$2"
_info 'Using ArtFiles.de DNS removal API…'
_debug 'Domain' "$domain"
_debug 'txtValue' "$txtValue"
_set_credentials
_set_headers
_get_zone "$domain"
if ! _dns 'GET'; then
return 1
fi
if ! _contains "$response" "$txtValue"; then
_err 'Retrieved TXT records are missing given ACME challenge value.'
return 1
fi
_clean_records
response="$(printf -- '%s' "$response" | sed '/_acme-challenge "'"$txtValue"'"/d')"
_dns 'SET' "$response"
if ! _contains "$response" "$AF_API_SUCCESS"; then
_err 'Removing ACME challenge value failed.'
return 1
fi
}
########## Private functions ###################################################
# Cleans awful TXT records response of ArtFiles's API & pretty prints it.
# Usage: _clean_records
_clean_records() {
_info 'Cleaning TXT records…'
# Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid
# usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\'
# from '\"' & turn '\n' into real LF characters.
# Yup, awful API to use - but that's all we got to get this working, so… ;)
_debug2 'Raw ' "$response"
response="$(printf -- '%s' "$response" | sed 's/^.*TXT":"\([^}]*\).*$/\1/;s/,".*$//;s/.$//;s/\\"/"/g;s/\\n/\n/g')"
_debug2 'Clean' "$response"
}
# Executes an HTTP GET or POST request for getting or setting DNS records,
# containing given payload upon POST.
# Usage: _dns [GET | SET] [payload]
_dns() {
_info 'Executing HTTP request…'
action="$1"
payload="$(printf -- '%s' "$2" | _url_encode)"
url="$(printf -- '%s%s' "$AF_URL_DNS" "$domain" | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')"
if [ "$action" = 'SET' ]; then
_debug2 'Payload' "$payload"
response="$(_post '' "$url&TXT=$payload" '' 'POST' 'application/x-www-form-urlencoded')"
else
response="$(_get "$url" '' 10)"
fi
if ! _contains "$response" "$AF_API_SUCCESS"; then
_err "DNS API error: $response"
return 1
fi
_debug 'Response' "$response"
return 0
}
# Gets the root domain zone for given domain.
# Usage: _get_zone _acme-challenge.www.example.com
_get_zone() {
fqdn="$1"
domains="$(_get "$AF_URL_DOMAINS" '' 10)"
_info 'Getting domain zone…'
_debug2 'FQDN' "$fqdn"
_debug2 'Domains' "$domains"
while _contains "$fqdn" "."; do
if _contains "$domains" "$fqdn"; then
domain="$fqdn"
_info "Found root domain zone: $domain"
break
else
fqdn="${fqdn#*.}"
_debug2 'FQDN' "$fqdn"
fi
done
if [ "$domain" = "$fqdn" ]; then
return 0
fi
_err 'Couldn'\''t find root domain zone.'
return 1
}
# Sets the credentials for accessing ArtFiles's API
# Usage: _set_credentials
_set_credentials() {
_info 'Setting credentials…'
AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}"
AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}"
if [ -z "$AF_API_USERNAME" ] || [ -z "$AF_API_PASSWORD" ]; then
_err 'Missing ArtFiles.de username and/or password.'
_err 'Please ensure both are set via export command & try again.'
return 1
fi
}
# Adds the HTTP Authorization & Content-Type headers to a follow-up request.
# Usage: _set_headers
_set_headers() {
_info 'Setting headers…'
encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)"
export _H1="Authorization: Basic $encoded"
export _H2='Content-Type: application/json'
}

13
dnsapi/dns_arvan.sh
View File

@@ -1,10 +1,10 @@
#!/usr/bin/env sh
#Arvan_Token="Apikey xxxx"
# Arvan_Token="Apikey xxxx"
ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
#Author: Vahid Fardi
#Report Bugs here: https://github.com/Neilpang/acme.sh
ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains"
# Author: Vahid Fardi
# Report Bugs here: https://github.com/Neilpang/acme.sh
#
######## Public functions #####################
@@ -18,7 +18,7 @@ dns_arvan_add() {
if [ -z "$Arvan_Token" ]; then
_err "You didn't specify \"Arvan_Token\" token yet."
_err "You can get yours from here https://npanel.arvancloud.com/profile/api-keys"
_err "You can get yours from here https://npanel.arvancloud.ir/profile/api-keys"
return 1
fi
#save the api token to the account conf file.
@@ -40,7 +40,7 @@ dns_arvan_add() {
_info "response id is $response"
_info "Added, OK"
return 0
elif _contains "$response" "Record Data is Duplicated"; then
elif _contains "$response" "Record Data is duplicate"; then
_info "Already exists, OK"
return 0
else
@@ -141,6 +141,7 @@ _arvan_rest() {
response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")"
elif [ "$mtd" = "POST" ]; then
export _H2="Content-Type: application/json"
export _H3="Accept: application/json"
_debug data "$data"
response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")"
else

89
dnsapi/dns_bookmyname.sh Normal file
View File

@@ -0,0 +1,89 @@
#!/usr/bin/env sh
#Here is a sample custom api script.
#This file name is "dns_bookmyname.sh"
#So, here must be a method dns_bookmyname_add()
#Which will be called by acme.sh to add the txt record to your api system.
#returns 0 means success, otherwise error.
#
#Author: Neilpang
#Report Bugs here: https://github.com/acmesh-official/acme.sh
#
######## Public functions #####################
# Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
# BookMyName urls:
# https://BOOKMYNAME_USERNAME:BOOKMYNAME_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=add&value="XXXXXXXX"'
# https://BOOKMYNAME_USERNAME:BOOKMYNAME_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=remove&value="XXXXXXXX"'
# Output:
#good: update done, cid 123456, domain id 456789, type txt, ip XXXXXXXX
#good: remove done 1, cid 123456, domain id 456789, ttl 300, type txt, ip XXXXXXXX
# Be careful, BMN DNS servers can be slow to pick up changes; using dnssleep is thus advised.
# Usage:
# export BOOKMYNAME_USERNAME="ABCDE-FREE"
# export BOOKMYNAME_PASSWORD="MyPassword"
# /usr/local/ssl/acme.sh/acme.sh --dns dns_bookmyname --dnssleep 600 --issue -d domain.tld
#Usage: dns_bookmyname_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_bookmyname_add() {
fulldomain=$1
txtvalue=$2
_info "Using bookmyname"
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}"
BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}"
if [ -z "$BOOKMYNAME_USERNAME" ] || [ -z "$BOOKMYNAME_PASSWORD" ]; then
BOOKMYNAME_USERNAME=""
BOOKMYNAME_PASSWORD=""
_err "You didn't specify BookMyName username and password yet."
_err "Please specify them and try again."
return 1
fi
#save the credentials to the account conf file.
_saveaccountconf_mutable BOOKMYNAME_USERNAME "$BOOKMYNAME_USERNAME"
_saveaccountconf_mutable BOOKMYNAME_PASSWORD "$BOOKMYNAME_PASSWORD"
uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/"
data="?hostname=${fulldomain}&type=TXT&ttl=300&do=add&value=${txtvalue}"
result="$(_get "${uri}${data}")"
_debug "Result: $result"
if ! _startswith "$result" 'good: update done, cid '; then
_err "Can't add $fulldomain"
return 1
fi
}
#Usage: fulldomain txtvalue
#Remove the txt record after validation.
dns_bookmyname_rm() {
fulldomain=$1
txtvalue=$2
_info "Using bookmyname"
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}"
BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}"
uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/"
data="?hostname=${fulldomain}&type=TXT&ttl=300&do=remove&value=${txtvalue}"
result="$(_get "${uri}${data}")"
_debug "Result: $result"
if ! _startswith "$result" 'good: remove done 1, cid '; then
_info "Can't remove $fulldomain"
fi
}
#################### Private functions below ##################################

2
dnsapi/dns_cloudns.sh
View File

@@ -78,7 +78,7 @@ dns_cloudns_rm() {
return 1
fi
for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do
for i in $(echo "$response" | tr '{' "\n" | grep -- "$record"); do
record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g')
if [ -n "$record_id" ]; then

185
dnsapi/dns_dnsexit.sh Normal file
View File

@@ -0,0 +1,185 @@
#!/usr/bin/env sh
#use dns-01 at DNSExit.com
#Author: Samuel Jimenez
#Report Bugs here: https://github.com/acmesh-official/acme.sh
#DNSEXIT_API_KEY=ABCDEFGHIJ0123456789abcdefghij
#DNSEXIT_AUTH_USER=login@email.address
#DNSEXIT_AUTH_PASS=aStrongPassword
DNSEXIT_API_URL="https://api.dnsexit.com/dns/"
DNSEXIT_HOSTS_URL="https://update.dnsexit.com/ipupdate/hosts.jsp"
######## Public functions #####################
#Usage: dns_dnsexit_add _acme-challenge.*.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_dnsexit_add() {
fulldomain=$1
txtvalue=$2
_info "Using DNSExit.com"
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
_debug 'Load account auth'
if ! get_account_info; then
return 1
fi
_debug 'First detect the root zone'
if ! _get_root "$fulldomain"; then
return 1
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
if ! _dnsexit_rest "{\"domain\":\"$_domain\",\"add\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":0,\"overwrite\":false}}"; then
_err "$response"
return 1
fi
_debug2 _response "$response"
return 0
}
#Usage: fulldomain txtvalue
#Remove the txt record after validation.
dns_dnsexit_rm() {
fulldomain=$1
txtvalue=$2
_info "Using DNSExit.com"
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
_debug 'Load account auth'
if ! get_account_info; then
return 1
fi
_debug 'First detect the root zone'
if ! _get_root "$fulldomain"; then
_err "$response"
return 1
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
if ! _dnsexit_rest "{\"domain\":\"$_domain\",\"delete\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\"}}"; then
_err "$response"
return 1
fi
_debug2 _response "$response"
return 0
}
#################### Private functions below ##################################
#_acme-challenge.www.domain.com
#returns
# _sub_domain=_acme-challenge.www
# _domain=domain.com
_get_root() {
domain=$1
i=1
while true; do
_domain=$(printf "%s" "$domain" | cut -d . -f $i-100)
_debug h "$_domain"
if [ -z "$_domain" ]; then
return 1
fi
_debug login "$DNSEXIT_AUTH_USER"
_debug password "$DNSEXIT_AUTH_PASS"
_debug domain "$_domain"
_dnsexit_http "login=$DNSEXIT_AUTH_USER&password=$DNSEXIT_AUTH_PASS&domain=$_domain"
if _contains "$response" "0=$_domain"; then
_sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
return 0
else
_debug "Go to next level of $_domain"
fi
i=$(_math "$i" + 1)
done
return 1
}
_dnsexit_rest() {
m=POST
ep=""
data="$1"
_debug _dnsexit_rest "$ep"
_debug data "$data"
api_key_trimmed=$(echo "$DNSEXIT_API_KEY" | tr -d '"')
export _H1="apikey: $api_key_trimmed"
export _H2='Content-Type: application/json'
if [ "$m" != "GET" ]; then
_debug data "$data"
response="$(_post "$data" "$DNSEXIT_API_URL/$ep" "" "$m")"
else
response="$(_get "$DNSEXIT_API_URL/$ep")"
fi
if [ "$?" != "0" ]; then
_err "Error $ep"
return 1
fi
_debug2 response "$response"
return 0
}
_dnsexit_http() {
m=GET
param="$1"
_debug param "$param"
_debug get "$DNSEXIT_HOSTS_URL?$param"
response="$(_get "$DNSEXIT_HOSTS_URL?$param")"
_debug response "$response"
if [ "$?" != "0" ]; then
_err "Error $param"
return 1
fi
_debug2 response "$response"
return 0
}
get_account_info() {
DNSEXIT_API_KEY="${DNSEXIT_API_KEY:-$(_readaccountconf_mutable DNSEXIT_API_KEY)}"
if test -z "$DNSEXIT_API_KEY"; then
DNSEXIT_API_KEY=''
_err 'DNSEXIT_API_KEY was not exported'
return 1
fi
_saveaccountconf_mutable DNSEXIT_API_KEY "$DNSEXIT_API_KEY"
DNSEXIT_AUTH_USER="${DNSEXIT_AUTH_USER:-$(_readaccountconf_mutable DNSEXIT_AUTH_USER)}"
if test -z "$DNSEXIT_AUTH_USER"; then
DNSEXIT_AUTH_USER=""
_err 'DNSEXIT_AUTH_USER was not exported'
return 1
fi
_saveaccountconf_mutable DNSEXIT_AUTH_USER "$DNSEXIT_AUTH_USER"
DNSEXIT_AUTH_PASS="${DNSEXIT_AUTH_PASS:-$(_readaccountconf_mutable DNSEXIT_AUTH_PASS)}"
if test -z "$DNSEXIT_AUTH_PASS"; then
DNSEXIT_AUTH_PASS=""
_err 'DNSEXIT_AUTH_PASS was not exported'
return 1
fi
_saveaccountconf_mutable DNSEXIT_AUTH_PASS "$DNSEXIT_AUTH_PASS"
return 0
}

25
dnsapi/dns_gandi_livedns.sh
View File

@@ -1,7 +1,8 @@
#!/usr/bin/env sh
# Gandi LiveDNS v5 API
# https://doc.livedns.gandi.net/
# https://api.gandi.net/docs/livedns/
# https://api.gandi.net/docs/authentication/ for token + apikey (deprecated) authentication
# currently under beta
#
# Requires GANDI API KEY set in GANDI_LIVEDNS_KEY set as environment variable
@@ -19,13 +20,20 @@ dns_gandi_livedns_add() {
fulldomain=$1
txtvalue=$2
if [ -z "$GANDI_LIVEDNS_KEY" ]; then
_err "No API key specified for Gandi LiveDNS."
_err "Create your key and export it as GANDI_LIVEDNS_KEY"
if [ -z "$GANDI_LIVEDNS_KEY" ] && [ -z "$GANDI_LIVEDNS_TOKEN" ]; then
_err "No Token or API key (deprecated) specified for Gandi LiveDNS."
_err "Create your token or key and export it as GANDI_LIVEDNS_KEY or GANDI_LIVEDNS_TOKEN respectively"
return 1
fi
_saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY"
# Keep only one secret in configuration
if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
_saveaccountconf GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN"
_clearaccountconf GANDI_LIVEDNS_KEY
elif [ -n "$GANDI_LIVEDNS_KEY" ]; then
_saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY"
_clearaccountconf GANDI_LIVEDNS_TOKEN
fi
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
@@ -157,7 +165,12 @@ _gandi_livedns_rest() {
_debug "$ep"
export _H1="Content-Type: application/json"
export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY"
if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
export _H2="Authorization: Bearer $GANDI_LIVEDNS_TOKEN"
else
export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY"
fi
if [ "$m" = "GET" ]; then
response="$(_get "$GANDI_LIVEDNS_API/$ep")"

187
dnsapi/dns_gcore.sh Executable file
View File

@@ -0,0 +1,187 @@
#!/usr/bin/env sh
#
#GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb'
#
GCORE_Api="https://api.gcorelabs.com/dns/v2"
GCORE_Doc="https://apidocs.gcore.com/dns"
######## Public functions #####################
#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_gcore_add() {
fulldomain=$1
txtvalue=$2
GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}"
if [ -z "$GCORE_Key" ]; then
GCORE_Key=""
_err "You didn't specify a Gcore api key yet."
_err "You can get yours from here $GCORE_Doc"
return 1
fi
#save the api key to the account conf file.
_saveaccountconf_mutable GCORE_Key "$GCORE_Key"
_debug "First detect the zone name"
if ! _get_root "$fulldomain"; then
_err "invalid domain"
return 1
fi
_debug _zone_name "$_zone_name"
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
_debug "Getting txt records"
_gcore_rest GET "zones/$_zone_name/$fulldomain/TXT"
payload=""
if echo "$response" | grep "record is not found" >/dev/null; then
_info "Record doesn't exists"
payload="{\"resource_records\":[{\"content\":[\"$txtvalue\"],\"enabled\":true}],\"ttl\":120}"
elif echo "$response" | grep "$txtvalue" >/dev/null; then
_info "Already exists, OK"
return 0
elif echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then
_info "Record with mismatch txtvalue, try update it"
payload=$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/"meta":{}}]}/"meta":{}},{"content":['\""$txtvalue"\"'],"enabled":true}]}/')
fi
# For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
# we can not use updating anymore.
# count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
# _debug count "$count"
# if [ "$count" = "0" ]; then
_info "Adding record"
if _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then
if _contains "$response" "$txtvalue"; then
_info "Added, OK"
return 0
elif _contains "$response" "rrset is already exists"; then
_info "Already exists, OK"
return 0
else
_err "Add txt record error."
return 1
fi
fi
_err "Add txt record error."
return 1
}
#fulldomain txtvalue
dns_gcore_rm() {
fulldomain=$1
txtvalue=$2
GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}"
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
_err "invalid domain"
return 1
fi
_debug _zone_name "$_zone_name"
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
_debug "Getting txt records"
_gcore_rest GET "zones/$_zone_name/$fulldomain/TXT"
if echo "$response" | grep "record is not found" >/dev/null; then
_info "No such txt recrod"
return 0
fi
if ! echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then
_err "Error: $response"
return 1
fi
if ! echo "$response" | tr -d " " | grep \""$txtvalue"\" >/dev/null; then
_info "No such txt recrod"
return 0
fi
count="$(echo "$response" | grep -o "content" | wc -l)"
if [ "$count" = "1" ]; then
if ! _gcore_rest DELETE "zones/$_zone_name/$fulldomain/TXT"; then
_err "Delete record error. $response"
return 1
fi
return 0
fi
payload="$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/{"id":[0-9]\+,"content":\["'"$txtvalue"'"\],"enabled":true,"meta":{}}//' | sed 's/\[,/\[/' | sed 's/,,/,/' | sed 's/,\]/\]/')"
if ! _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then
_err "Delete record error. $response"
fi
}
#################### Private functions below ##################################
#_acme-challenge.sub.domain.com
#returns
# _sub_domain=_acme-challenge.sub or _acme-challenge
# _domain=domain.com
# _zone_name=domain.com or sub.domain.com
_get_root() {
domain=$1
i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
_debug h "$h"
if [ -z "$h" ]; then
#not valid
return 1
fi
if ! _gcore_rest GET "zones/$h"; then
return 1
fi
if _contains "$response" "\"name\":\"$h\""; then
_zone_name=$h
if [ "$_zone_name" ]; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_domain=$h
return 0
fi
return 1
fi
p=$i
i=$(_math "$i" + 1)
done
return 1
}
_gcore_rest() {
m=$1
ep="$2"
data="$3"
_debug "$ep"
key_trimmed=$(echo "$GCORE_Key" | tr -d '"')
export _H1="Content-Type: application/json"
export _H2="Authorization: APIKey $key_trimmed"
if [ "$m" != "GET" ]; then
_debug data "$data"
response="$(_post "$data" "$GCORE_Api/$ep" "" "$m")"
else
response="$(_get "$GCORE_Api/$ep")"
fi
if [ "$?" != "0" ]; then
_err "error $ep"
return 1
fi
_debug2 response "$response"
return 0
}

6
dnsapi/dns_gd.sh
View File

@@ -22,8 +22,8 @@ dns_gd_add() {
if [ -z "$GD_Key" ] || [ -z "$GD_Secret" ]; then
GD_Key=""
GD_Secret=""
_err "You don't specify godaddy api key and secret yet."
_err "Please create you key and try again."
_err "You didn't specify godaddy api key and secret yet."
_err "Please create your key and try again."
return 1
fi
@@ -46,7 +46,7 @@ dns_gd_add() {
fi
if _contains "$response" "$txtvalue"; then
_info "The record is existing, skip"
_info "This record already exists, skipping"
return 0
fi

173
dnsapi/dns_googledomains.sh Executable file
View File

@@ -0,0 +1,173 @@
#!/usr/bin/env sh
# Author: Alex Leigh <leigh at alexleigh dot me>
# Created: 2023-03-02
#GOOGLEDOMAINS_ACCESS_TOKEN="xxxx"
#GOOGLEDOMAINS_ZONE="xxxx"
GOOGLEDOMAINS_API="https://acmedns.googleapis.com/v1/acmeChallengeSets"
######## Public functions ########
#Usage: dns_googledomains_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_googledomains_add() {
fulldomain=$1
txtvalue=$2
_info "Invoking Google Domains ACME DNS API."
if ! _dns_googledomains_setup; then
return 1
fi
zone="$(_dns_googledomains_get_zone "$fulldomain")"
if [ -z "$zone" ]; then
_err "Could not find a Google Domains-managed zone containing the requested domain."
return 1
fi
_debug zone "$zone"
_debug txtvalue "$txtvalue"
_info "Adding TXT record for $fulldomain."
if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToAdd\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then
if _contains "$response" "$txtvalue"; then
_info "TXT record added."
return 0
else
_err "Error adding TXT record."
return 1
fi
fi
_err "Error adding TXT record."
return 1
}
#Usage: dns_googledomains_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_googledomains_rm() {
fulldomain=$1
txtvalue=$2
_info "Invoking Google Domains ACME DNS API."
if ! _dns_googledomains_setup; then
return 1
fi
zone="$(_dns_googledomains_get_zone "$fulldomain")"
if [ -z "$zone" ]; then
_err "Could not find a Google Domains-managed domain based on request."
return 1
fi
_debug zone "$zone"
_debug txtvalue "$txtvalue"
_info "Removing TXT record for $fulldomain."
if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToRemove\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then
if _contains "$response" "$txtvalue"; then
_err "Error removing TXT record."
return 1
else
_info "TXT record removed."
return 0
fi
fi
_err "Error removing TXT record."
return 1
}
######## Private functions ########
_dns_googledomains_setup() {
if [ -n "$GOOGLEDOMAINS_SETUP_COMPLETED" ]; then
return 0
fi
GOOGLEDOMAINS_ACCESS_TOKEN="${GOOGLEDOMAINS_ACCESS_TOKEN:-$(_readaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN)}"
GOOGLEDOMAINS_ZONE="${GOOGLEDOMAINS_ZONE:-$(_readaccountconf_mutable GOOGLEDOMAINS_ZONE)}"
if [ -z "$GOOGLEDOMAINS_ACCESS_TOKEN" ]; then
GOOGLEDOMAINS_ACCESS_TOKEN=""
_err "Google Domains access token was not specified."
_err "Please visit Google Domains Security settings to provision an ACME DNS API access token."
return 1
fi
if [ "$GOOGLEDOMAINS_ZONE" ]; then
_savedomainconf GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN"
_savedomainconf GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE"
else
_saveaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN"
_clearaccountconf_mutable GOOGLEDOMAINS_ZONE
_clearaccountconf GOOGLEDOMAINS_ZONE
fi
_debug GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN"
_debug GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE"
GOOGLEDOMAINS_SETUP_COMPLETED=1
return 0
}
_dns_googledomains_get_zone() {
domain=$1
# Use zone directly if provided
if [ "$GOOGLEDOMAINS_ZONE" ]; then
if ! _dns_googledomains_api "$GOOGLEDOMAINS_ZONE"; then
return 1
fi
echo "$GOOGLEDOMAINS_ZONE"
return 0
fi
i=2
while true; do
curr=$(printf "%s" "$domain" | cut -d . -f $i-100)
_debug curr "$curr"
if [ -z "$curr" ]; then
return 1
fi
if _dns_googledomains_api "$curr"; then
echo "$curr"
return 0
fi
i=$(_math "$i" + 1)
done
return 1
}
_dns_googledomains_api() {
zone=$1
apimethod=$2
data="$3"
if [ -z "$data" ]; then
response="$(_get "$GOOGLEDOMAINS_API/$zone$apimethod")"
else
_debug data "$data"
export _H1="Content-Type: application/json"
response="$(_post "$data" "$GOOGLEDOMAINS_API/$zone$apimethod")"
fi
_debug response "$response"
if [ "$?" != "0" ]; then
_err "Error"
return 1
fi
if _contains "$response" "\"error\": {"; then
return 1
fi
return 0
}

84
dnsapi/dns_huaweicloud.sh
View File

@@ -23,7 +23,7 @@ dns_huaweicloud_add() {
HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}"
HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}"
# Check information
if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then
@@ -74,7 +74,7 @@ dns_huaweicloud_rm() {
HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}"
HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}"
# Check information
if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then
@@ -98,19 +98,59 @@ dns_huaweicloud_rm() {
fi
_debug "Zone ID is:" "${zoneid}"
# Remove all records
# Therotically HuaweiCloud does not allow more than one record set
# But remove them recurringly to increase robusty
while [ "${record_id}" != "0" ]; do
_debug "Removing Record"
_rm_record "${token}" "${zoneid}" "${record_id}"
record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
done
record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
_recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}"
ret="$?"
if [ "${ret}" != "0" ]; then
_err "dns_api(dns_huaweicloud): Error removing record."
return 1
fi
return 0
}
################### Private functions below ##################################
# _recursive_rm_record
# remove all records from the record set
#
# _token=$1
# _domain=$2
# _zoneid=$3
# _record_id=$4
#
# Returns 0 on success
_recursive_rm_record() {
_token=$1
_domain=$2
_zoneid=$3
_record_id=$4
# Most likely to have problems will huaweicloud side if more than 50 attempts but still cannot fully remove the record set
# Maybe can be removed manually in the dashboard
_retry_cnt=50
# Remove all records
# Therotically HuaweiCloud does not allow more than one record set
# But remove them recurringly to increase robusty
while [ "${_record_id}" != "0" ] && [ "${_retry_cnt}" != "0" ]; do
_debug "Removing Record"
_retry_cnt=$((_retry_cnt - 1))
_rm_record "${_token}" "${_zoneid}" "${_record_id}"
_record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")"
_debug2 "Checking record exists: record_id=${_record_id}"
done
# Check if retry count is reached
if [ "${_retry_cnt}" = "0" ]; then
_debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard"
return 1
fi
return 0
}
# _get_zoneid
#
# _token=$1
@@ -124,7 +164,7 @@ _get_zoneid() {
i=1
while true; do
h=$(printf "%s" "${_domain_string}" | cut -d . -f $i-100)
h=$(printf "%s" "${_domain_string}" | cut -d . -f "$i"-100)
if [ -z "$h" ]; then
#not valid
return 1
@@ -135,11 +175,11 @@ _get_zoneid() {
if _contains "${response}" '"id"'; then
zoneidlist=$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")
zonenamelist=$(echo "${response}" | _egrep_o "\"name\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")
_debug2 "Return Zone ID(s):" "${zoneidlist}"
_debug2 "Return Zone Name(s):" "${zonenamelist}"
_debug2 "Returned Zone ID(s):" "${zoneidlist}"
_debug2 "Returned Zone Name(s):" "${zonenamelist}"
zoneidnum=0
zoneidcount=$(echo "${zoneidlist}" | grep -c '^')
_debug "Retund Zone ID(s) Count:" "${zoneidcount}"
_debug "Returned Zone ID(s) Count:" "${zoneidcount}"
while [ "${zoneidnum}" -lt "${zoneidcount}" ]; do
zoneidnum=$(_math "$zoneidnum" + 1)
_zoneid=$(echo "${zoneidlist}" | sed -n "${zoneidnum}p")
@@ -206,8 +246,7 @@ _add_record() {
\"type\": \"TXT\",
\"ttl\": 1,
\"records\": [
${_exist_record},
\"\\\"${_txtvalue}\\\"\"
${_exist_record},\"\\\"${_txtvalue}\\\"\"
]
}"
fi
@@ -215,19 +254,16 @@ _add_record() {
_record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")"
_debug "Record Set ID is:" "${_record_id}"
# Remove all records
while [ "${_record_id}" != "0" ]; do
_debug "Removing Record"
_rm_record "${_token}" "${zoneid}" "${_record_id}"
_record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")"
done
# Add brand new records with all old and new records
export _H2="Content-Type: application/json"
export _H1="X-Auth-Token: ${_token}"
_debug2 "${_post_body}"
_post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null
if [ -z "${_exist_record}" ]; then
_post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null
else
_post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/${_record_id}" false "PUT" >/dev/null
fi
_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
if [ "$_code" != "202" ]; then
_err "dns_huaweicloud: http code ${_code}"

2
dnsapi/dns_inwx.sh
View File

@@ -194,7 +194,7 @@ _inwx_login() {
response="$(_post "$xml_content" "$INWX_Api" "" "POST")"
INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
_H1=$INWX_Cookie
export _H1
export INWX_Cookie

157
dnsapi/dns_ipv64.sh Executable file
View File

@@ -0,0 +1,157 @@
#!/usr/bin/env sh
#Created by Roman Lumetsberger, to use ipv64.net's API to add/remove text records
#2022/11/29
# Pass credentials before "acme.sh --issue --dns dns_ipv64 ..."
# --
# export IPv64_Token="aaaaaaaaaaaaaaaaaaaaaaaaaa"
# --
#
IPv64_API="https://ipv64.net/api"
######## Public functions ######################
#Usage: dns_ipv64_add _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_ipv64_add() {
fulldomain=$1
txtvalue=$2
IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}"
if [ -z "$IPv64_Token" ]; then
_err "You must export variable: IPv64_Token"
_err "The API Key for your IPv64 account is necessary."
_err "You can look it up in your IPv64 account."
return 1
fi
# Now save the credentials.
_saveaccountconf_mutable IPv64_Token "$IPv64_Token"
if ! _get_root "$fulldomain"; then
_err "invalid domain" "$fulldomain"
return 1
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
# convert to lower case
_domain="$(echo "$_domain" | _lower_case)"
_sub_domain="$(echo "$_sub_domain" | _lower_case)"
# Now add the TXT record
_info "Trying to add TXT record"
if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then
_info "TXT record has been successfully added."
return 0
else
_err "Errors happened during adding the TXT record, response=$_response"
return 1
fi
}
#Usage: fulldomain txtvalue
#Usage: dns_ipv64_rm _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
#Remove the txt record after validation.
dns_ipv64_rm() {
fulldomain=$1
txtvalue=$2
IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}"
if [ -z "$IPv64_Token" ]; then
_err "You must export variable: IPv64_Token"
_err "The API Key for your IPv64 account is necessary."
_err "You can look it up in your IPv64 account."
return 1
fi
if ! _get_root "$fulldomain"; then
_err "invalid domain" "$fulldomain"
return 1
fi
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain"
# convert to lower case
_domain="$(echo "$_domain" | _lower_case)"
_sub_domain="$(echo "$_sub_domain" | _lower_case)"
# Now delete the TXT record
_info "Trying to delete TXT record"
if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then
_info "TXT record has been successfully deleted."
return 0
else
_err "Errors happened during deleting the TXT record, response=$_response"
return 1
fi
}
#################### Private functions below ##################################
#_acme-challenge.www.domain.com
#returns
# _sub_domain=_acme-challenge.www
# _domain=domain.com
_get_root() {
domain="$1"
i=1
p=1
_ipv64_get "get_domains"
domain_data=$_response
while true; do
h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
if [ -z "$h" ]; then
#not valid
return 1
fi
#if _contains "$domain_data" "\""$h"\"\:"; then
if _contains "$domain_data" "\"""$h""\"\:"; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
_domain="$h"
return 0
fi
p=$i
i=$(_math "$i" + 1)
done
return 1
}
#send get request to api
# $1 has to set the api-function
_ipv64_get() {
url="$IPv64_API?$1"
export _H1="Authorization: Bearer $IPv64_Token"
_response=$(_get "$url")
_response="$(echo "$_response" | _normalizeJson)"
if _contains "$_response" "429 Too Many Requests"; then
_info "API throttled, sleeping to reset the limit"
_sleep 10
_response=$(_get "$url")
_response="$(echo "$_response" | _normalizeJson)"
fi
}
_ipv64_rest() {
url="$IPv64_API"
export _H1="Authorization: Bearer $IPv64_Token"
export _H2="Content-Type: application/x-www-form-urlencoded"
_response=$(_post "$2" "$url" "" "$1")
if _contains "$_response" "429 Too Many Requests"; then
_info "API throttled, sleeping to reset the limit"
_sleep 10
_response=$(_post "$2" "$url" "" "$1")
fi
if ! _contains "$_response" "\"info\":\"success\""; then
return 1
fi
_debug2 response "$_response"
return 0
}

4
dnsapi/dns_kappernet.sh
View File

@@ -45,8 +45,8 @@ dns_kappernet_add() {
if _kappernet_api GET "action=new&subject=$_domain&data=$data"; then
if _contains "$response" "{\"OK\":true"; then
_info "Waiting 120 seconds for DNS to spread the new record"
_sleep 120
_info "Waiting 1 second for DNS to spread the new record"
_sleep 1
return 0
else
_err "Error creating a TXT DNS Record: $fullhostname TXT $txtvalue"

2
dnsapi/dns_kas.sh
View File

@@ -215,7 +215,7 @@ _get_record_id() {
return 1
fi
_record_id="$(echo "$response" | tr -d '\n\r' | sed "s/<item xsi:type=\"ns2:Map\">/\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/<item><key xsi:type=\"xsd:string\">record_id<\/key><value xsi:type=\"xsd:string\">/=>/g" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")"
_record_id="$(echo "$response" | tr -d '\n\r' | sed "s/<item xsi:type=\"ns2:Map\">/\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/<item><key xsi:type=\"xsd:string\">record_id<\/key><value xsi:type=\"xsd:string\">/=>/g" | grep -i "$_txtvalue" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")"
_debug "[KAS] -> Record Id: " "$_record_id"
return 0
}

2
dnsapi/dns_leaseweb.sh
View File

@@ -6,7 +6,7 @@
#See https://developer.leaseweb.com for more information.
######## Public functions #####################
LSW_API="https://api.leaseweb.com/hosting/v2/domains/"
LSW_API="https://api.leaseweb.com/hosting/v2/domains"
#Usage: dns_leaseweb_add _acme-challenge.www.domain.com
dns_leaseweb_add() {

2
dnsapi/dns_loopia.sh
View File

@@ -107,7 +107,7 @@ _loopia_load_config() {
fi
if _contains "$LOOPIA_Password" "'" || _contains "$LOOPIA_Password" '"'; then
_err "Password contains quoute or double quoute and this is not supported by dns_loopia.sh"
_err "Password contains a quotation mark or double quotation marks and this is not supported by dns_loopia.sh"
return 1
fi

59
dnsapi/dns_nanelo.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/usr/bin/env sh
# Official DNS API for Nanelo.com
# Provide the required API Key like this:
# NANELO_TOKEN="FmD408PdqT1E269gUK57"
NANELO_API="https://api.nanelo.com/v1/"
######## Public functions #####################
# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_nanelo_add() {
fulldomain=$1
txtvalue=$2
NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}"
if [ -z "$NANELO_TOKEN" ]; then
NANELO_TOKEN=""
_err "You didn't configure a Nanelo API Key yet."
_err "Please set NANELO_TOKEN and try again."
_err "Login to Nanelo.com and go to Settings > API Keys to get a Key"
return 1
fi
_saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN"
_info "Adding TXT record to ${fulldomain}"
response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")"
if _contains "${response}" 'success'; then
return 0
fi
_err "Could not create resource record, please check the logs"
_err "${response}"
return 1
}
dns_nanelo_rm() {
fulldomain=$1
txtvalue=$2
NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}"
if [ -z "$NANELO_TOKEN" ]; then
NANELO_TOKEN=""
_err "You didn't configure a Nanelo API Key yet."
_err "Please set NANELO_TOKEN and try again."
_err "Login to Nanelo.com and go to Settings > API Keys to get a Key"
return 1
fi
_saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN"
_info "Deleting resource record $fulldomain"
response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")"
if _contains "${response}" 'success'; then
return 0
fi
_err "Could not delete resource record, please check the logs"
_err "${response}"
return 1
}

12
dnsapi/dns_openstack.sh
View File

@@ -57,16 +57,16 @@ _dns_openstack_create_recordset() {
if [ -z "$_recordset_id" ]; then
_info "Creating a new recordset"
if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record "$txtvalue" "$_zone_id" "$fulldomain."); then
if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record="$txtvalue" "$_zone_id" "$fulldomain."); then
_err "No recordset ID found after create"
return 1
fi
else
_info "Updating existing recordset"
# Build new list of --record <rec> args for update
_record_args="--record $txtvalue"
# Build new list of --record=<rec> args for update
_record_args="--record=$txtvalue"
for _rec in $_records; do
_record_args="$_record_args --record $_rec"
_record_args="$_record_args --record=$_rec"
done
# shellcheck disable=SC2086
if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then
@@ -107,13 +107,13 @@ _dns_openstack_delete_recordset() {
fi
else
_info "Found existing records, updating recordset"
# Build new list of --record <rec> args for update
# Build new list of --record=<rec> args for update
_record_args=""
for _rec in $_records; do
if [ "$_rec" = "$txtvalue" ]; then
continue
fi
_record_args="$_record_args --record $_rec"
_record_args="$_record_args --record=$_rec"
done
# shellcheck disable=SC2086
if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then

4
dnsapi/dns_opnsense.sh
View File

@@ -137,7 +137,7 @@ _get_root() {
domain=$1
i=2
p=1
if _opns_rest "GET" "/domain/searchMasterDomain"; then
if _opns_rest "GET" "/domain/searchPrimaryDomain"; then
_domain_response="$response"
else
return 1
@@ -150,7 +150,7 @@ _get_root() {
return 1
fi
_debug h "$h"
id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
if [ -n "$id" ]; then
_debug id "$id"
_host=$(printf "%s" "$domain" | cut -d . -f 1-$p)

17
dnsapi/dns_ovh.sh
View File

@@ -14,6 +14,9 @@
#'ovh-eu'
OVH_EU='https://eu.api.ovh.com/1.0'
#'ovh-us'
OVH_US='https://api.us.ovhcloud.com/1.0'
#'ovh-ca':
OVH_CA='https://ca.api.ovh.com/1.0'
@@ -29,9 +32,6 @@ SYS_EU='https://eu.api.soyoustart.com/1.0'
#'soyoustart-ca'
SYS_CA='https://ca.api.soyoustart.com/1.0'
#'runabove-ca'
RAV_CA='https://api.runabove.com/1.0'
wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api"
ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success"
@@ -45,6 +45,10 @@ _ovh_get_api() {
printf "%s" $OVH_EU
return
;;
ovh-us | ovhus)
printf "%s" $OVH_US
return
;;
ovh-ca | ovhca)
printf "%s" $OVH_CA
return
@@ -65,14 +69,15 @@ _ovh_get_api() {
printf "%s" $SYS_CA
return
;;
runabove-ca | runaboveca)
printf "%s" $RAV_CA
# raw API url starts with https://
https*)
printf "%s" "$1"
return
;;
*)
_err "Unknown parameter : $1"
_err "Unknown endpoint : $1"
return 1
;;
esac

60
dnsapi/dns_pleskxml.sh
View File

@@ -41,11 +41,15 @@ pleskxml_init_checks_done=0
NEWLINE='\
'
pleskxml_tplt_get_domains="<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>"
pleskxml_tplt_get_domains="<packet><webspace><get><filter/><dataset><gen_info/></dataset></get></webspace></packet>"
# Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh
# Also used to test credentials and URI.
# No params.
pleskxml_tplt_get_additional_domains="<packet><site><get><filter/><dataset><gen_info/></dataset></get></site></packet>"
# Get a list of additional domains that PLESK can manage, so we can check root domain + host for acme.sh
# No params.
pleskxml_tplt_get_dns_records="<packet><dns><get_rec><filter><site-id>%s</site-id></filter></get_rec></dns></packet>"
# Get all DNS records for a Plesk domain ID.
# PARAM = Plesk domain id to query
@@ -145,22 +149,25 @@ dns_pleskxml_rm() {
)"
if [ -z "$reclist" ]; then
_err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting."
_err "No TXT records found for root domain $fulldomain (Plesk domain ID ${root_domain_id}). Exiting."
return 1
fi
_debug "Got list of DNS TXT records for root domain '$root_domain_name':"
_debug "Got list of DNS TXT records for root Plesk domain ID ${root_domain_id} of root domain $fulldomain:"
_debug "$reclist"
# Extracting the id of the TXT record for the full domain (NOT case-sensitive) and corresponding value
recid="$(
_value "$reclist" |
grep "<host>${fulldomain}.</host>" |
grep -i "<host>${fulldomain}.</host>" |
grep "<value>${txtvalue}</value>" |
sed 's/^.*<id>\([0-9]\{1,\}\)<\/id>.*$/\1/'
)"
_debug "Got id from line: $recid"
if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then
_err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
_err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
_err "Cannot delete TXT record. Exiting."
return 1
fi
@@ -251,9 +258,12 @@ _call_api() {
# Detect any <status> that isn't "ok". None of the used calls should fail if the API is working correctly.
# Also detect if there simply aren't any status lines (null result?) and report that, as well.
# Remove <data></data> structure from result string, since it might contain <status> values that are related to the status of the domain and not to the API request
statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>[^<]*</status> *$')"
statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>ok</status> *$')"
statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>[^<]*</status> *$')"
statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>ok</status> *$')"
_debug "statuslines_count_total=$statuslines_count_total."
_debug "statuslines_count_okay=$statuslines_count_okay."
if [ -z "$statuslines_count_total" ]; then
@@ -369,16 +379,44 @@ _pleskxml_get_root_domain() {
return 1
fi
# Generate a crude list of domains known to this Plesk account.
# Generate a crude list of domains known to this Plesk account based on subscriptions.
# We convert <ascii-name> tags to <name> so it'll flag on a hit with either <name> or <ascii-name> fields,
# for non-Western character sets.
# Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
# We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.
output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' '<type>domain</type>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
debug_output="$(printf "%s" "$output" | sed -n 's:.*<name>\(.*\)</name>.*:\1:p')"
_debug 'Domains managed by Plesk server are (ignore the hacked output):'
_debug "$output"
_debug 'Domains managed by Plesk server are:'
_debug "$debug_output"
_debug "Querying Plesk server for list of additional managed domains..."
_call_api "$pleskxml_tplt_get_additional_domains"
if [ "$pleskxml_retcode" -ne 0 ]; then
return 1
fi
# Generate a crude list of additional domains known to this Plesk account based on sites.
# We convert <ascii-name> tags to <name> so it'll flag on a hit with either <name> or <ascii-name> fields,
# for non-Western character sets.
# Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
# We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.
output_additional="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
debug_additional="$(printf "%s" "$output_additional" | sed -n 's:.*<name>\(.*\)</name>.*:\1:p')"
_debug 'Additional domains managed by Plesk server are:'
_debug "$debug_additional"
# Concate the two outputs together.
output="$(printf "%s" "$output $NEWLINE $output_additional")"
debug_output="$(printf "%s" "$output" | sed -n 's:.*<name>\(.*\)</name>.*:\1:p')"
_debug 'Domains (including additional) managed by Plesk server are:'
_debug "$debug_output"
# loop and test if domain, or any parent domain, is managed by Plesk
# Loop until we don't have any '.' in the string we're testing as a candidate Plesk-managed domain

211
dnsapi/dns_tencent.sh Normal file
View File

@@ -0,0 +1,211 @@
#!/usr/bin/env sh
Tencent_API="https://dnspod.tencentcloudapi.com"
#Tencent_SecretId="AKIDz81d2cd22cdcdc2dcd1cc1d1A"
#Tencent_SecretKey="Gu5t9abcabcaabcbabcbbbcbcbbccbbcb"
#Usage: dns_tencent_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_tencent_add() {
fulldomain=$1
txtvalue=$2
Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then
Tencent_SecretId=""
Tencent_SecretKey=""
_err "You don't specify tencent api SecretId and SecretKey yet."
return 1
fi
#save the api SecretId and SecretKey to the account conf file.
_saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId"
_saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey"
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
return 1
fi
_debug "Add record"
_add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord"
}
dns_tencent_rm() {
fulldomain=$1
txtvalue=$2
Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
return 1
fi
_debug "Get record list"
attempt=1
max_attempts=5
while [ -z "$record_id" ] && [ "$attempt" -le $max_attempts ]; do
_check_exist_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "DescribeRecordFilterList"
record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
_debug2 record_id "$record_id"
if [ -z "$record_id" ]; then
_debug "Due to TencentCloud API synchronization delay, record not found, waiting 10 seconds and retrying"
_sleep 10
attempt=$(_math "$attempt + 1")
fi
done
record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
_debug2 record_id "$record_id"
if [ -z "$record_id" ]; then
_debug "record not found after $max_attempts attempts, skip"
else
_debug "Delete record"
_delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
fi
}
#################### Private functions below ##################################
_get_root() {
domain=$1
i=1
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
if [ -z "$h" ]; then
#not valid
return 1
fi
_describe_records_query "$h" "@"
if ! _tencent_rest "DescribeRecordList" "ignore"; then
return 1
fi
if _contains "$response" "\"TotalCount\":"; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
_debug _sub_domain "$_sub_domain"
_domain="$h"
_debug _domain "$_domain"
return 0
fi
p="$i"
i=$(_math "$i" + 1)
done
return 1
}
_tencent_rest() {
action=$1
service="dnspod"
payload="${query}"
timestamp=$(date -u +%s)
token=$(tencent_signature_v3 $service "$action" "$payload" "$timestamp")
version="2021-03-23"
if ! response="$(tencent_api_request $service $version "$action" "$payload" "$timestamp")"; then
_err "Error <$1>"
return 1
fi
_debug2 response "$response"
if [ -z "$2" ]; then
message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
if [ "$message" ]; then
_err "$message"
return 1
fi
fi
}
_add_record_query() {
query="{\"Domain\":\"$1\",\"SubDomain\":\"$2\",\"RecordType\":\"TXT\",\"RecordLineId\":\"0\",\"RecordLine\":\"0\",\"Value\":\"$3\",\"TTL\":600}"
}
_describe_records_query() {
query="{\"Domain\":\"$1\",\"Limit\":3000}"
}
_delete_record_query() {
query="{\"Domain\":\"$_domain\",\"RecordId\":$1}"
}
_check_exist_query() {
_domain="$1"
_subdomain="$2"
_value="$3"
query="{\"Domain\":\"$_domain\",\"SubDomain\":\"$_subdomain\",\"RecordValue\":\"$_value\"}"
}
# shell client for tencent cloud api v3 | @author: rehiy
tencent_sha256() {
printf %b "$@" | _digest sha256 hex
}
tencent_hmac_sha256() {
k=$1
shift
hex_key=$(printf %b "$k" | _hex_dump | tr -d ' ')
printf %b "$@" | _hmac sha256 "$hex_key" hex
}
tencent_hmac_sha256_hexkey() {
k=$1
shift
printf %b "$@" | _hmac sha256 "$k" hex
}
tencent_signature_v3() {
service=$1
action=$(echo "$2" | _lower_case)
payload=${3:-'{}'}
timestamp=${4:-$(date +%s)}
domain="$service.tencentcloudapi.com"
secretId=${Tencent_SecretId:-'tencent-cloud-secret-id'}
secretKey=${Tencent_SecretKey:-'tencent-cloud-secret-key'}
algorithm='TC3-HMAC-SHA256'
date=$(date -u -d "@$timestamp" +%Y-%m-%d 2>/dev/null)
[ -z "$date" ] && date=$(date -u -r "$timestamp" +%Y-%m-%d)
canonicalUri='/'
canonicalQuery=''
canonicalHeaders="content-type:application/json\nhost:$domain\nx-tc-action:$action\n"
signedHeaders='content-type;host;x-tc-action'
canonicalRequest="POST\n$canonicalUri\n$canonicalQuery\n$canonicalHeaders\n$signedHeaders\n$(tencent_sha256 "$payload")"
credentialScope="$date/$service/tc3_request"
stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")"
secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date")
secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service")
secretSigning=$(tencent_hmac_sha256_hexkey "$secretService" 'tc3_request')
signature=$(tencent_hmac_sha256_hexkey "$secretSigning" "$stringToSign")
echo "$algorithm Credential=$secretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature"
}
tencent_api_request() {
service=$1
version=$2
action=$3
payload=${4:-'{}'}
timestamp=${5:-$(date +%s)}
token=$(tencent_signature_v3 "$service" "$action" "$payload" "$timestamp")
_H1="Content-Type: application/json"
_H2="Authorization: $token"
_H3="X-TC-Version: $version"
_H4="X-TC-Timestamp: $timestamp"
_H5="X-TC-Action: $action"
_post "$payload" "$Tencent_API" "" "POST" "application/json"
}

21
dnsapi/dns_variomedia.sh
View File

@@ -69,7 +69,7 @@ dns_variomedia_rm() {
return 1
fi
_record_id="$(echo "$response" | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')"
_record_id="$(echo "$response" | sed -E 's/,"tags":\[[^]]*\]//g' | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep -- "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')"
_debug _record_id "$_record_id"
if [ "$_record_id" ]; then
_info "Successfully retrieved the record id for ACME challenge."
@@ -93,11 +93,11 @@ dns_variomedia_rm() {
# _sub_domain=_acme-challenge.www
# _domain=domain.com
_get_root() {
fulldomain=$1
domain=$1
i=1
p=1
while true; do
h=$(printf "%s" "$fulldomain" | cut -d . -f $i-100)
_debug h "$h"
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
if [ -z "$h" ]; then
return 1
fi
@@ -106,17 +106,14 @@ _get_root() {
return 1
fi
if _startswith "$response" "\{\"data\":"; then
if _contains "$response" "\"id\":\"$h\""; then
_sub_domain="$(echo "$fulldomain" | sed "s/\\.$h\$//")"
_domain=$h
return 0
fi
if _contains "$response" "\"id\":\"$h\""; then
_sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
_domain="$h"
return 0
fi
p=$i
i=$(_math "$i" + 1)
done
_debug "root domain not found"
return 1
}

4
dnsapi/dns_vultr.sh
View File

@@ -78,7 +78,7 @@ dns_vultr_rm() {
return 1
fi
_record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2)"
_record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2 | tr -d '"')"
_debug _record_id "$_record_id"
if [ "$_record_id" ]; then
_info "Successfully retrieved the record id for ACME challenge."
@@ -116,7 +116,7 @@ _get_root() {
return 1
fi
if printf "%s\n" "$response" | grep '^\{.*\}' >/dev/null; then
if printf "%s\n" "$response" | grep -E '^\{.*\}' >/dev/null; then
if _contains "$response" "\"domain\":\"$_domain\""; then
_sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
return 0

226
notify/aws_ses.sh Normal file
View File

@@ -0,0 +1,226 @@
#!/usr/bin/env sh
#
#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
#
#AWS_SECRET_ACCESS_KEY="xxxxxxx"
#
#AWS_SES_REGION="us-east-1"
#
#AWS_SES_TO="xxxx@xxx.com"
#
#AWS_SES_FROM="xxxx@cccc.com"
#
#AWS_SES_FROM_NAME="Something something"
#This is the Amazon SES api wrapper for acme.sh
AWS_WIKI="https://docs.aws.amazon.com/ses/latest/dg/send-email-api.html"
aws_ses_send() {
_subject="$1"
_content="$2"
_statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
_debug "_statusCode" "$_statusCode"
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
AWS_SES_REGION="${AWS_SES_REGION:-$(_readaccountconf_mutable AWS_SES_REGION)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_container_role || _use_instance_role
fi
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
AWS_ACCESS_KEY_ID=""
AWS_SECRET_ACCESS_KEY=""
_err "You haven't specified the aws SES api key id and and api key secret yet."
_err "Please create your key and try again. see $(__green $AWS_WIKI)"
return 1
fi
if [ -z "$AWS_SES_REGION" ]; then
AWS_SES_REGION=""
_err "You haven't specified the aws SES api region yet."
_err "Please specify your region and try again. see https://docs.aws.amazon.com/general/latest/gr/ses.html"
return 1
fi
_saveaccountconf_mutable AWS_SES_REGION "$AWS_SES_REGION"
#save for future use, unless using a role which will be fetched as needed
if [ -z "$_using_role" ]; then
_saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
fi
AWS_SES_TO="${AWS_SES_TO:-$(_readaccountconf_mutable AWS_SES_TO)}"
if [ -z "$AWS_SES_TO" ]; then
AWS_SES_TO=""
_err "You didn't specify an email to AWS_SES_TO receive messages."
return 1
fi
_saveaccountconf_mutable AWS_SES_TO "$AWS_SES_TO"
AWS_SES_FROM="${AWS_SES_FROM:-$(_readaccountconf_mutable AWS_SES_FROM)}"
if [ -z "$AWS_SES_FROM" ]; then
AWS_SES_FROM=""
_err "You didn't specify an email to AWS_SES_FROM receive messages."
return 1
fi
_saveaccountconf_mutable AWS_SES_FROM "$AWS_SES_FROM"
AWS_SES_FROM_NAME="${AWS_SES_FROM_NAME:-$(_readaccountconf_mutable AWS_SES_FROM_NAME)}"
_saveaccountconf_mutable AWS_SES_FROM_NAME "$AWS_SES_FROM_NAME"
AWS_SES_SENDFROM="$AWS_SES_FROM_NAME <$AWS_SES_FROM>"
AWS_SES_ACTION="Action=SendEmail"
AWS_SES_SOURCE="Source=$AWS_SES_SENDFROM"
AWS_SES_TO="Destination.ToAddresses.member.1=$AWS_SES_TO"
AWS_SES_SUBJECT="Message.Subject.Data=$_subject"
AWS_SES_MESSAGE="Message.Body.Text.Data=$_content"
_data="${AWS_SES_ACTION}&${AWS_SES_SOURCE}&${AWS_SES_TO}&${AWS_SES_SUBJECT}&${AWS_SES_MESSAGE}"
response="$(aws_rest POST "" "" "$_data")"
}
_use_metadata() {
_aws_creds="$(
_get "$1" "" 1 |
_normalizeJson |
tr '{,}' '\n' |
while read -r _line; do
_key="$(echo "${_line%%:*}" | tr -d '"')"
_value="${_line#*:}"
_debug3 "_key" "$_key"
_secure_debug3 "_value" "$_value"
case "$_key" in
AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
Token) echo "AWS_SESSION_TOKEN=$_value" ;;
esac
done |
paste -sd' ' -
)"
_secure_debug "_aws_creds" "$_aws_creds"
if [ -z "$_aws_creds" ]; then
return 1
fi
eval "$_aws_creds"
_using_role=true
}
#method uri qstr data
aws_rest() {
mtd="$1"
ep="$2"
qsr="$3"
data="$4"
_debug mtd "$mtd"
_debug ep "$ep"
_debug qsr "$qsr"
_debug data "$data"
CanonicalURI="/$ep"
_debug2 CanonicalURI "$CanonicalURI"
CanonicalQueryString="$qsr"
_debug2 CanonicalQueryString "$CanonicalQueryString"
RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
_debug2 RequestDate "$RequestDate"
#RequestDate="20161120T141056Z" ##############
export _H1="x-amz-date: $RequestDate"
aws_host="email.$AWS_SES_REGION.amazonaws.com"
CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
SignedHeaders="host;x-amz-date"
if [ -n "$AWS_SESSION_TOKEN" ]; then
export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
SignedHeaders="${SignedHeaders};x-amz-security-token"
fi
_debug2 CanonicalHeaders "$CanonicalHeaders"
_debug2 SignedHeaders "$SignedHeaders"
RequestPayload="$data"
_debug2 RequestPayload "$RequestPayload"
Hash="sha256"
CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)"
_debug2 CanonicalRequest "$CanonicalRequest"
HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)"
_debug2 HashedCanonicalRequest "$HashedCanonicalRequest"
Algorithm="AWS4-HMAC-SHA256"
_debug2 Algorithm "$Algorithm"
RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)"
_debug2 RequestDateOnly "$RequestDateOnly"
Region="$AWS_SES_REGION"
Service="ses"
CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
_debug2 CredentialScope "$CredentialScope"
StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"
_debug2 StringToSign "$StringToSign"
kSecret="AWS4$AWS_SECRET_ACCESS_KEY"
#kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
_secure_debug2 kSecret "$kSecret"
kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")"
_secure_debug2 kSecretH "$kSecretH"
kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)"
_debug2 kDateH "$kDateH"
kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)"
_debug2 kRegionH "$kRegionH"
kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)"
_debug2 kServiceH "$kServiceH"
kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)"
_debug2 kSigningH "$kSigningH"
signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)"
_debug2 signature "$signature"
Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
_debug2 Authorization "$Authorization"
_H2="Authorization: $Authorization"
_debug _H2 "$_H2"
url="https://$aws_host/$ep"
if [ "$qsr" ]; then
url="https://$aws_host/$ep?$qsr"
fi
if [ "$mtd" = "GET" ]; then
response="$(_get "$url")"
else
response="$(_post "$data" "$url")"
fi
_ret="$?"
_debug2 response "$response"
if [ "$_ret" = "0" ]; then
if _contains "$response" "<ErrorResponse"; then
_err "Response error:$response"
return 1
fi
fi
}

4
notify/smtp.sh
View File

@@ -169,7 +169,7 @@ _clean_email_header() {
# email
_email_has_display_name() {
_email="$1"
expr "$_email" : '^.*[<>"]' >/dev/null
echo "$_email" | grep -q -E '^.*[<>"]'
}
##
@@ -249,7 +249,7 @@ _mime_encoded_word() {
_text="$1"
# (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that)
_ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-"
if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then
if echo "$_text" | grep -q -E "^.*[^$_ascii]"; then
# At least one non-ASCII char; convert entire thing to encoded word
printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?="
else