From b8c00f1c8a38fe7cd364f42a8ce2444dbef64e9a Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Mon, 26 Jun 2017 13:31:32 +0200
Subject: [PATCH 01/13] added consul deploy-hook script

---
 deploy/consul.sh | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 deploy/consul.sh

diff --git a/deploy/consul.sh b/deploy/consul.sh
new file mode 100644
index 00000000..37eda90c
--- /dev/null
+++ b/deploy/consul.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#Here is a sample custom api script.
+#This file name is "myapi.sh"
+#So, here must be a method myapi_deploy()
+#Which will be called by acme.sh to deploy the cert
+#returns 0 means success, otherwise error.
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+consul_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ if [ -z "$DEPLOY_CONSUL_URL" ] || [ -z "$DEPLOY_CONSUL_ROOT_KEY" ]; then
+ _err "You haven't specified the url or consul root key yet (DEPLOY_CONSUL_URL and DEPLOY_CONSUL_ROOT_KEY)."
+ _err "Please set them via export and try again."
+ _err "e.g. export DEPLOY_CONSUL_URL=http://localhost:8500/v1/kv"
+ _err "e.g. export DEPLOY_CONSUL_ROOT_KEY=acme"
+ return 1
+ fi
+
+ #Save consul url if it's succesful (First run case)
+ _saveaccountconf DEPLOY_CONSUL_URL "$DEPLOY_CONSUL_URL"
+ _saveaccountconf DEPLOY_CONSUL_ROOT_KEY "$DEPLOY_CONSUL_ROOT_KEY"
+
+ _info "Deploying certificate to consul Key/Value store"
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+ _debug DEPLOY_CONSUL_URL "$DEPLOY_CONSUL_URL"
+ _debug DEPLOY_CONSUL_ROOT_KEY "$DEPLOY_CONSUL_ROOT_KEY"
+
+ # set base url for all uploads
+ upload_base_url="${DEPLOY_CONSUL_URL}/${DEPLOY_CONSUL_ROOT_KEY}/${_cdomain}"
+ _debug upload_base_url $upload_base_url
+
+ # private
+ _info uploading $_ckey
+ response=$(_post "@${_ckey}" "${upload_base_url}/${_cdomain}.key" "" "PUT")
+ _debug response "$response"
+
+ # public
+ _info uploading $_ccert
+ response=$(_post "@${_ccert}" "${upload_base_url}/${_cdomain}.cer" "" "PUT")
+ _debug response "$response"
+
+ # ca
+ _info uploading $_cca
+ response=$(_post "@${_cca}" "${upload_base_url}/ca.cer" "" "PUT")
+ _debug response "$response"
+
+ # fullchain
+ _info uploading $_cfullchain
+ response=$(_post "@${_cfullchain}" "${upload_base_url}/fullchain.cer" "" "PUT")
+ _debug response "$response"
+
+ return 0
+
+}
+
+#################### Private functions below ##################################
From 01076a278a4db1645852130489d16b60b0cbd38a Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Mon, 26 Jun 2017 13:50:52 +0200
Subject: [PATCH 02/13] added double quotes as per travis checks

---
 deploy/consul.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/deploy/consul.sh b/deploy/consul.sh
index 37eda90c..26749ab7 100644
--- a/deploy/consul.sh
+++ b/deploy/consul.sh
@@ -39,25 +39,25 @@ consul_deploy() {
 
 # set base url for all uploads
 upload_base_url="${DEPLOY_CONSUL_URL}/${DEPLOY_CONSUL_ROOT_KEY}/${_cdomain}"
- _debug upload_base_url $upload_base_url
+ _debug upload_base_url "$upload_base_url"
 
 # private
- _info uploading $_ckey
+ _info uploading "$_ckey"
 response=$(_post "@${_ckey}" "${upload_base_url}/${_cdomain}.key" "" "PUT")
 _debug response "$response"
 
 # public
- _info uploading $_ccert
+ _info uploading "$_ccert"
 response=$(_post "@${_ccert}" "${upload_base_url}/${_cdomain}.cer" "" "PUT")
 _debug response "$response"
 
 # ca
- _info uploading $_cca
+ _info uploading "$_cca"
 response=$(_post "@${_cca}" "${upload_base_url}/ca.cer" "" "PUT")
 _debug response "$response"
 
 # fullchain
- _info uploading $_cfullchain
+ _info uploading "$_cfullchain"
 response=$(_post "@${_cfullchain}" "${upload_base_url}/fullchain.cer" "" "PUT")
 _debug response "$response"
 
From 7bdf94058ee5db0fe452083458f8dc73b5252aaf Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Mon, 26 Jun 2017 18:20:35 +0200
Subject: [PATCH 03/13] Add s3 upload deploy-hook

---
 deploy/s3.sh | 188 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 188 insertions(+)
 create mode 100644 deploy/s3.sh

diff --git a/deploy/s3.sh b/deploy/s3.sh
new file mode 100644
index 00000000..ad42cdad
--- /dev/null
+++ b/deploy/s3.sh
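Review bot: consul_deploy reports success unconditionally: each of the four `_post` results is only captured into `response` and the function ends with `return 0`, so a PUT that fails (Consul unreachable, ACL denied) is still reported to acme.sh as a successful deploy. Check each call, e.g. `response=$(_post "@${_ckey}" "${upload_base_url}/${_cdomain}.key" "" "PUT") || { _err "upload of ${_ckey} failed"; return 1; }`, and do the same for the other three uploads (assuming `_post` propagates the transport failure; an HTTP-level error would still need `$response` to be inspected). The header comment still describes the `myapi.sh` template rather than this hook, and it should state what the example `http://localhost:8500/v1/kv` implies: the private key is written as a plain KV value over unencrypted HTTP and no Consul ACL token header is set, so a comment such as `# Use an https DEPLOY_CONSUL_URL and restrict the key path with a Consul ACL; the private key is stored in KV as-is` belongs here.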
@@ -0,0 +1,188 @@ +#!/bin/bash + +#Here is the script to deploy the cert to your s3 bucket. +#export S3_BUCKET=acme +#export S3_REGION=eu-central-1 +#export AWS_ACCESS_KEY_ID=exampleid +#export AWS_SECRET_ACCESS_KEY=examplekey + +# Checks to see if awscli present +# If not, use curl + aws v4 signature to upload object +# Make sure your keys have access to upload objects. +# Also make sure your default region is correct, otherwise, override with $S3_REGION + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +s3_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + if [ -z "$S3_BUCKET" ] ; then + _err "You haven't specified the bucket name yet." + _err "Please set it via export and try again." + _err "e.g. export S3_BUCKET=acme" + return 1 + fi + + if ! command -v aws; then + _debug "AWS CLI not installed, defaulting to curl method" + _aws_cli_installed=0 + else + _debug "AWS CLI installed, defaulting ignoring curl method" + _aws_cli_installed=1 + fi + + if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then + _err "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set." + _err "Please set them via export, or use the aws-cli." 
+ return 1 + fi + + if [ -z "$S3_REGION" ]; then + S3_REGION="us-east-1" + fi + + # Save s3 options if it's succesful (First run case) + _saveaccountconf S3_BUCKET "$S3_BUCKET" + _saveaccountconf S3_REGION "$S3_REGION" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + _debug S3_BUCKET "$S3_BUCKET" + _debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" + _debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" + + # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING + _aws_cli_installed=1 + + _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" + + if [ "$_aws_cli_installed" -eq "0" ]; then + _debug "deploying with curl method" + else + _debug "deploying with aws cli method" + fi + + # private + _deploy_to_bucket $_ckey "$_cdomain/$_cdomain.key" + # public + _deploy_to_bucket $_ccert "$_cdomain/$_cdomain.cer" + # ca + _deploy_to_bucket $_cca "$_cdomain/ca.cer" + # fullchain + _deploy_to_bucket $_cfullchain "$_cdomain/fullchain.cer" + + return 0 + +} + +#################### Private functions below ################################## + +_deploy_to_bucket() { + if [ "$_aws_cli_installed" -eq "0" ]; then + _deploy_with_curl $1 $2 + else + _deploy_with_awscli $1 $2 + fi +} + +_deploy_with_awscli() { + file="$1" + bucket="$S3_BUCKET" + prefix="$2" + region="$S3_REGION" + + aws s3 cp "$file" s3://"$bucket"/"$prefix" --region "$region" +} + +_deploy_with_curl() { + + file="${1}" + bucket="${S3_BUCKET}" + prefix="${2}" + region="${S3_REGION}" + acl="private" + timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")" + signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date" + + if [[ $(uname) == "Darwin" ]]; then + iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ") + date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d") + date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z") + else + iso_timestamp=$(date -ud 
"${timestamp}" "+%Y%m%dT%H%M%SZ") + date_scope=$(date -ud "${timestamp}" "+%Y%m%d") + date_header=$(date -ud "${timestamp}" "+%a, %d %h %Y %T %Z") + fi + + _info "Uploading $S3_BUCKET/$prefix" + + curl \ + -T "${file}" \ + -H "Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" \ + -H "Date:${date_header}" \ + -H "x-amz-acl:${acl}" \ + -H "x-amz-content-sha256:$(_payload_hash)" \ + -H "x-amz-date:${iso_timestamp}" \ + "https://${bucket}.s3.${region}.amazonaws.com/${prefix}" + +} + +_payload_hash() { + local output=$(shasum -ba 256 "$file") + echo "${output%% *}" +} + +_canonical_request() { + echo "PUT" + echo "/${prefix}" + echo "" + echo "date:${date_header}" + echo "host:${bucket}.s3.${region}.amazonaws.com" + echo "x-amz-acl:${acl}" + echo "x-amz-content-sha256:$(_payload_hash)" + echo "x-amz-date:${iso_timestamp}" + echo "" + echo "${signed_headers}" + printf "$(_payload_hash)" +} + +_canonical_request_hash() { + local output=$(_canonical_request | shasum -a 256) + echo "${output%% *}" +} + +_string_to_sign() { + echo "AWS4-HMAC-SHA256" + echo "${iso_timestamp}" + echo "${date_scope}/${region}/s3/aws4_request" + printf "$(_canonical_request_hash)" +} + +_signature_key() { + local secret=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_key) + local date_key=$(printf ${date_scope} | _hmac_sha256 "${secret}" | _hex_key) + local region_key=$(printf ${region} | _hmac_sha256 "${date_key}" | _hex_key) + local service_key=$(printf "s3" | _hmac_sha256 "${region_key}" | _hex_key) + printf "aws4_request" | _hmac_sha256 "${service_key}" | _hex_key +} + +_hex_key() { + hexdump -ve '1/1 "%.2x"'; echo +} + +_hmac_sha256() { + local hexkey=$1 + openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:${hexkey} +} + +_signature() { + _string_to_sign | _hmac_sha256 $(_signature_key) | _hex_key | sed "s/^.* //" +} \ No newline at end of file 
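Review bot: The `# REMOVE BEFORE COMMIT` block (`_aws_cli_installed=1`) ships in this hunk and forces the awscli path even when `aws` was not found, after the credential check for the curl path has already run; the same override reappears in the hunks of patches 08 and 11. Separately, the upload result is never checked: `_deploy_to_bucket` is called four times with its status discarded and `s3_deploy` ends in `return 0`, so a failed `aws s3 cp` or a curl request that S3 rejects (no `--fail`, and a 4xx/5xx reply does not make curl exit non-zero) is reported to acme.sh as a successful deploy; `_deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key" || return 1` on each call, with `--fail` on the curl invocation, would surface it. Also worth a comment in `_hmac_sha256`: the key is passed as `-macopt hexkey:${hexkey}` on the openssl command line, so the hex of `AWS4<secret>` and each derived key are visible in the process list for the duration of the call, e.g. `# key material is passed via argv and is visible to other local users while openssl runs`; `${hexkey}` and `printf ${date_scope}` / `${region}` are also unquoted.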
From f12fb74660c0b69955f0a3006e5da01276ca2433 Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Mon, 26 Jun 2017 18:22:29 +0200
Subject: [PATCH 04/13] removed debugging flag

---
 deploy/s3.sh | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/deploy/s3.sh b/deploy/s3.sh
index ad42cdad..ea93c022 100644
--- a/deploy/s3.sh
+++ b/deploy/s3.sh
@@ -58,9 +58,6 @@ s3_deploy() {
 _debug S3_BUCKET "$S3_BUCKET"
 _debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
 _debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
-
- # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING
- _aws_cli_installed=1
 
 _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
 
From f619c42cc401b1300ba5903019c024c11d73b6a0 Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Mon, 26 Jun 2017 18:38:17 +0200
Subject: [PATCH 05/13] removed wrong deploy-hook file

---
 deploy/consul.sh | 68 ------------------------------------------------
 1 file changed, 68 deletions(-)
 delete mode 100644 deploy/consul.sh

diff --git a/deploy/consul.sh b/deploy/consul.sh
deleted file mode 100644
index 26749ab7..00000000
--- a/deploy/consul.sh
+++ /dev/null
@@ -1,68 +0,0 @@ -#!/bin/bash - -#Here is a sample custom api script. -#This file name is "myapi.sh" -#So, here must be a method myapi_deploy() -#Which will be called by acme.sh to deploy the cert -#returns 0 means success, otherwise error. - -######## Public functions ##################### - -#domain keyfile certfile cafile fullchain -consul_deploy() { - _cdomain="$1" - _ckey="$2" - _ccert="$3" - _cca="$4" - _cfullchain="$5" - - if [ -z "$DEPLOY_CONSUL_URL" ] || [ -z "$DEPLOY_CONSUL_ROOT_KEY" ]; then - _err "You haven't specified the url or consul root key yet (DEPLOY_CONSUL_URL and DEPLOY_CONSUL_ROOT_KEY)." - _err "Please set them via export and try again." - _err "e.g. export DEPLOY_CONSUL_URL=http://localhost:8500/v1/kv" - _err "e.g. export DEPLOY_CONSUL_ROOT_KEY=acme" - return 1 - fi - - #Save consul url if it's succesful (First run case) - _saveaccountconf DEPLOY_CONSUL_URL "$DEPLOY_CONSUL_URL" - _saveaccountconf DEPLOY_CONSUL_ROOT_KEY "$DEPLOY_CONSUL_ROOT_KEY" - - _info "Deploying certificate to consul Key/Value store" - _debug _cdomain "$_cdomain" - _debug _ckey "$_ckey" - _debug _ccert "$_ccert" - _debug _cca "$_cca" - _debug _cfullchain "$_cfullchain" - _debug DEPLOY_CONSUL_URL "$DEPLOY_CONSUL_URL" - _debug DEPLOY_CONSUL_ROOT_KEY "$DEPLOY_CONSUL_ROOT_KEY" - - # set base url for all uploads - upload_base_url="${DEPLOY_CONSUL_URL}/${DEPLOY_CONSUL_ROOT_KEY}/${_cdomain}" - _debug upload_base_url "$upload_base_url" - - # private - _info uploading "$_ckey" - response=$(_post "@${_ckey}" "${upload_base_url}/${_cdomain}.key" "" "PUT") - _debug response "$response" - - # public - _info uploading "$_ccert" - response=$(_post "@${_ccert}" "${upload_base_url}/${_cdomain}.cer" "" "PUT") - _debug response "$response" - - # ca - _info uploading "$_cca" - response=$(_post "@${_cca}" "${upload_base_url}/ca.cer" "" "PUT") - _debug response "$response" - - # fullchain - _info uploading "$_cfullchain" - response=$(_post "@${_cfullchain}" "${upload_base_url}/fullchain.cer" "" 
"PUT") - _debug response "$response" - - return 0 - -} - -#################### Private functions below ################################## From 04997413a5e343f31a967aee6343c25fe283403f Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Mon, 26 Jun 2017 19:17:08 +0200 Subject: [PATCH 06/13] added comment about openssl on mac --- deploy/s3.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/deploy/s3.sh b/deploy/s3.sh index ea93c022..bd7558d2 100644 --- a/deploy/s3.sh +++ b/deploy/s3.sh @@ -11,6 +11,10 @@ # Make sure your keys have access to upload objects. # Also make sure your default region is correct, otherwise, override with $S3_REGION +# IMPORTANT +# If you're using acme.sh on a mac, make sure you have the latest version of openssl +# Upgrade easily with homebrew: brew install openssl + ######## Public functions ##################### #domain keyfile certfile cafile fullchain From 2f61a597c6706ca279f308f0d6f4c09dea54d158 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Tue, 27 Jun 2017 07:44:04 +0200 Subject: [PATCH 07/13] added secure debug, use global functions, removed local variables --- deploy/s3.sh | 74 +++++++++++++++++++--------------------------------- 1 file changed, 27 insertions(+), 47 deletions(-) diff --git a/deploy/s3.sh b/deploy/s3.sh index bd7558d2..096d5927 100644 --- a/deploy/s3.sh +++ b/deploy/s3.sh 
@@ -1,19 +1,10 @@ #!/bin/bash -#Here is the script to deploy the cert to your s3 bucket. -#export S3_BUCKET=acme -#export S3_REGION=eu-central-1 -#export AWS_ACCESS_KEY_ID=exampleid -#export AWS_SECRET_ACCESS_KEY=examplekey - -# Checks to see if awscli present -# If not, use curl + aws v4 signature to upload object -# Make sure your keys have access to upload objects. -# Also make sure your default region is correct, otherwise, override with $S3_REGION - -# IMPORTANT -# If you're using acme.sh on a mac, make sure you have the latest version of openssl -# Upgrade easily with homebrew: brew install openssl +#Here is a sample custom api script. +#This file name is "myapi.sh" +#So, here must be a method myapi_deploy() +#Which will be called by acme.sh to deploy the cert +#returns 0 means success, otherwise error. ######## Public functions ##################### @@ -32,7 +23,7 @@ s3_deploy() { return 1 fi - if ! command -v aws; then + if ! _exists aws; then _debug "AWS CLI not installed, defaulting to curl method" _aws_cli_installed=0 else @@ -60,9 +51,9 @@ s3_deploy() { _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" _debug S3_BUCKET "$S3_BUCKET" - _debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" - _debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" - + _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" + _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" + _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" if [ "$_aws_cli_installed" -eq "0" ]; then 
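Review bot: The first hunk replaces the file header that documented the required variables (`S3_BUCKET`, `S3_REGION`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), the awscli-or-curl fallback and the macOS openssl note with the generic `myapi.sh` template text, which does not describe this hook and is the only place a user learns what to export. Restore the previous header block, or at least a line per variable such as `# export S3_BUCKET=acme` and `# export AWS_SECRET_ACCESS_KEY=... (read by the curl fallback only)`. The `_secure_debug` change in the third hunk is the right fix for the secret appearing in debug logs.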
@@ -125,20 +116,18 @@ _deploy_with_curl() { _info "Uploading $S3_BUCKET/$prefix" - curl \ - -T "${file}" \ - -H "Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" \ - -H "Date:${date_header}" \ - -H "x-amz-acl:${acl}" \ - -H "x-amz-content-sha256:$(_payload_hash)" \ - -H "x-amz-date:${iso_timestamp}" \ - "https://${bucket}.s3.${region}.amazonaws.com/${prefix}" - + export _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" + export _H2="Date:${date_header}" + export _H3="x-amz-acl:${acl}" + export _H4="x-amz-content-sha256:$(_payload_hash)" + export _H5="x-amz-date:${iso_timestamp}" + response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}") + _debug response } _payload_hash() { - local output=$(shasum -ba 256 "$file") - echo "${output%% *}" + hash_output=$(shasum -ba 256 "$file") + echo "${hash_output%% *}" } _canonical_request() { @@ -156,8 +145,8 @@ _canonical_request() { } _canonical_request_hash() { - local output=$(_canonical_request | shasum -a 256) - echo "${output%% *}" + _canonical_request_output=$(_canonical_request | shasum -a 256) + echo "${_canonical_request_output%% *}" } _string_to_sign() { 
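Review bot: `response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}")` replaces `curl -T "${file}"` but changes two things the signature depends on: `_post` is given no method argument, while `_canonical_request` signs `PUT` (the consul hook on this page has to pass the method as `_post body url "" "PUT"`, so the default is presumably not PUT), and the first argument is now the file *path* as the request body rather than the file contents, while `_payload_hash` still hashes the contents with `shasum`. Either mismatch makes S3 reject the request with SignatureDoesNotMatch; the call should be `_post "@${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}" "" "PUT"` (assuming `_post` hands an `@`-prefixed body to curl as a file and does so without stripping newlines — verify against acme.sh's `_post`). `_debug response` on the following line logs only the literal word `response`; it needs `_debug response "$response"`. `_deploy_with_curl` begins outside the hunk.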
@@ -168,22 +157,13 @@ _string_to_sign() { } _signature_key() { - local secret=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_key) - local date_key=$(printf ${date_scope} | _hmac_sha256 "${secret}" | _hex_key) - local region_key=$(printf ${region} | _hmac_sha256 "${date_key}" | _hex_key) - local service_key=$(printf "s3" | _hmac_sha256 "${region_key}" | _hex_key) - printf "aws4_request" | _hmac_sha256 "${service_key}" | _hex_key -} - -_hex_key() { - hexdump -ve '1/1 "%.2x"'; echo -} - -_hmac_sha256() { - local hexkey=$1 - openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:${hexkey} + secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump | tr -d " ") + date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump | tr -d " ") + region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump | tr -d " ") + service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump | tr -d " ") + printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump | tr -d " " } _signature() { - _string_to_sign | _hmac_sha256 $(_signature_key) | _hex_key | sed "s/^.* //" -} \ No newline at end of file + _string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | tr -d " " | sed "s/^.* //" +} From 5a5939fa568318f64f56ab1154226b24b2fa47aa Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Tue, 27 Jun 2017 07:49:48 +0200 Subject: [PATCH 08/13] cleanup --- deploy/s3.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/deploy/s3.sh b/deploy/s3.sh index 096d5927..50e3d5b6 100644 --- a/deploy/s3.sh +++ b/deploy/s3.sh @@ -54,6 +54,9 @@ s3_deploy() { _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" + # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING + _aws_cli_installed=1 + _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" if [ "$_aws_cli_installed" -eq "0" ]; then 
@@ -126,8 +129,7 @@ _deploy_with_curl() { } _payload_hash() { - hash_output=$(shasum -ba 256 "$file") - echo "${hash_output%% *}" + echo "$(shasum -ba 256 "$file")%% *" } _canonical_request() { @@ -145,8 +147,7 @@ _canonical_request() { } _canonical_request_hash() { - _canonical_request_output=$(_canonical_request | shasum -a 256) - echo "${_canonical_request_output%% *}" + echo "$(_canonical_request | shasum -a 256)%% *" } _string_to_sign() { @@ -157,13 +158,13 @@ _string_to_sign() { } _signature_key() { - secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump | tr -d " ") - date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump | tr -d " ") - region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump | tr -d " ") - service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump | tr -d " ") - printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump | tr -d " " + secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump) + date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump) + region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump) + service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump) + printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump } _signature() { - _string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | tr -d " " | sed "s/^.* //" + _string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | sed "s/^.* //" } From 943d894b40a56b7ca29e58c011319c8d2e2d4552 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Tue, 27 Jun 2017 07:50:20 +0200 Subject: [PATCH 09/13] cleanup of debug flag --- deploy/s3.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/deploy/s3.sh b/deploy/s3.sh index 50e3d5b6..08798637 100644 --- a/deploy/s3.sh +++ b/deploy/s3.sh 
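Review bot: `echo "$(shasum -ba 256 "$file")%% *"` in `_payload_hash` no longer strips anything: the `%% *` suffix removal only works inside `${var%% *}`, so here it is literal text and the function now prints `<hex> *<path>%% *`, which then goes into the `x-amz-content-sha256` header and the canonical request. `_canonical_request_hash` in the next hunk has the same regression. Keep the two-step form the previous commit had, `hash_output=$(shasum -ba 256 "$file"); echo "${hash_output%% *}"`, or use `shasum -ba 256 "$file" | cut -d ' ' -f 1`.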
@@ -54,9 +54,6 @@ s3_deploy() {
 _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
 _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
 
- # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING
- _aws_cli_installed=1
-
 _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
 
 if [ "$_aws_cli_installed" -eq "0" ]; then
From 6175b7e2d8e3ade5aa691c0c05ec2b77c20448a7 Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Tue, 27 Jun 2017 09:41:36 +0200
Subject: [PATCH 10/13] changed shebang and use debug2 for response

---
 deploy/s3.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/deploy/s3.sh b/deploy/s3.sh
index 08798637..5b1e2523 100644
--- a/deploy/s3.sh
+++ b/deploy/s3.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 #Here is a sample custom api script.
 #This file name is "myapi.sh"
@@ -121,8 +121,9 @@ _deploy_with_curl() {
 export _H3="x-amz-acl:${acl}"
 export _H4="x-amz-content-sha256:$(_payload_hash)"
 export _H5="x-amz-date:${iso_timestamp}"
+
 response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}")
- _debug response
+ _debug2 response
 }
 
 _payload_hash() {
From 9205c22bf64fead9618fc6139fcf372cc4a5adbc Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Tue, 27 Jun 2017 10:26:43 +0200
Subject: [PATCH 11/13] shellchecks cleared

---
 deploy/s3.sh | 83 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 52 insertions(+), 31 deletions(-)

diff --git a/deploy/s3.sh b/deploy/s3.sh
index 5b1e2523..685af5ac 100644
--- a/deploy/s3.sh
+++ b/deploy/s3.sh
@@ -1,10 +1,16 @@ #!/bin/sh -#Here is a sample custom api script. -#This file name is "myapi.sh" -#So, here must be a method myapi_deploy() -#Which will be called by acme.sh to deploy the cert -#returns 0 means success, otherwise error. +# This script deploys your cert to a s3 bucket. +# export S3_BUCKET=acme +# export S3_REGION=eu-central-1 +# export AWS_PROFILE=default +# export AWS_ACCESS_KEY_ID=exampleid +# export AWS_SECRET_ACCESS_KEY=examplekey +# +# Checks to see if awscli present +# If not, use curl + aws v4 signature to upload object +# Make sure your keys have access to upload objects. +# Also make sure your default region is correct, otherwise, override with $S3_REGION ######## Public functions ##################### @@ -23,12 +29,17 @@ s3_deploy() { return 1 fi + if [ -z "$AWS_PROFILE" ]; then + AWS_PROFILE="default" + fi + if ! _exists aws; then _debug "AWS CLI not installed, defaulting to curl method" _aws_cli_installed=0 else _debug "AWS CLI installed, defaulting ignoring curl method" _aws_cli_installed=1 + S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})" fi if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then @@ -44,6 +55,7 @@ s3_deploy() { # Save s3 options if it's succesful (First run case) _saveaccountconf S3_BUCKET "$S3_BUCKET" _saveaccountconf S3_REGION "$S3_REGION" + _saveaccountconf AWS_PROFILE "$AWS_PROFILE" _debug _cdomain "$_cdomain" _debug _ckey "$_ckey" @@ -51,9 +63,13 @@ s3_deploy() { _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" _debug S3_BUCKET "$S3_BUCKET" + _debug AWS_PROFILE "$AWS_PROFILE" _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" + # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING + _aws_cli_installed=1 + _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" if [ "$_aws_cli_installed" -eq "0" ]; then 
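Review bot: `S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})"` in the second hunk overwrites a region the user exported whenever the aws CLI is installed, which contradicts the restored header comment (`override with $S3_REGION`) and silently changes the bucket endpoint the curl path would otherwise have used. Only consult the profile when nothing was given, e.g. `if [ -z "$S3_REGION" ]; then S3_REGION="$(aws configure get region --profile "$AWS_PROFILE")"; fi`, leaving the existing `us-east-1` fallback after it, and quote `"$AWS_PROFILE"` as the `--profile` argument. The `# REMOVE BEFORE COMMIT` override of `_aws_cli_installed` is back in the `@@ -51,9 +63,13 @@` hunk, so the awscli path is again forced regardless of detection.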
@@ -63,13 +79,13 @@ s3_deploy() { fi # private - _deploy_to_bucket $_ckey "$_cdomain/$_cdomain.key" + _deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key" # public - _deploy_to_bucket $_ccert "$_cdomain/$_cdomain.cer" + _deploy_to_bucket "$_ccert" "$_cdomain/$_cdomain.cer" # ca - _deploy_to_bucket $_cca "$_cdomain/ca.cer" + _deploy_to_bucket "$_cca" "$_cdomain/ca.cer" # fullchain - _deploy_to_bucket $_cfullchain "$_cdomain/fullchain.cer" + _deploy_to_bucket "$_cfullchain" "$_cdomain/fullchain.cer" return 0 @@ -79,19 +95,16 @@ s3_deploy() { _deploy_to_bucket() { if [ "$_aws_cli_installed" -eq "0" ]; then - _deploy_with_curl $1 $2 + _deploy_with_curl "$1" "$2" else - _deploy_with_awscli $1 $2 + _deploy_with_awscli "$1" "$2" fi } _deploy_with_awscli() { file="$1" - bucket="$S3_BUCKET" prefix="$2" - region="$S3_REGION" - - aws s3 cp "$file" s3://"$bucket"/"$prefix" --region "$region" + aws s3 cp "$file" s3://"$S3_BUCKET"/"$prefix" --region "$S3_REGION" --profile "$AWS_PROFILE" } _deploy_with_curl() { @@ -104,7 +117,7 @@ _deploy_with_curl() { timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")" signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date" - if [[ $(uname) == "Darwin" ]]; then + if [ "$(uname)" = "Darwin" ]; then iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ") date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d") date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z") 
@@ -116,16 +129,23 @@ _deploy_with_curl() { _info "Uploading $S3_BUCKET/$prefix" - export _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" - export _H2="Date:${date_header}" - export _H3="x-amz-acl:${acl}" - export _H4="x-amz-content-sha256:$(_payload_hash)" - export _H5="x-amz-date:${iso_timestamp}" + export _H1 + export _H2 + export _H3 + export _H4 + export _H5 - response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}") - _debug2 response + _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" + _H2="Date:${date_header}" + _H3="x-amz-acl:${acl}" + _H4="x-amz-content-sha256:$(_payload_hash)" + _H5="x-amz-date:${iso_timestamp}" + + _debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")" } +#################### Private functions below ################################## + _payload_hash() { echo "$(shasum -ba 256 "$file")%% *" } @@ -141,7 +161,8 @@ _canonical_request() { echo "x-amz-date:${iso_timestamp}" echo "" echo "${signed_headers}" - printf "$(_payload_hash)" + + _payload_hash } _canonical_request_hash() { 
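Review bot: `_debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")"` at the end of `_deploy_with_curl` discards the exit status of `_post` and shows the S3 reply (the XML error body on a rejected signature) only at debug level 2, so the hook cannot distinguish a rejected upload from a successful one. Capture and check it: `response=$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix") || { _err "upload of $prefix failed"; _debug2 response "$response"; return 1; }`, and let `_deploy_to_bucket` propagate that status. The `#################### Private functions below` banner is inserted after `_deploy_with_curl` although `_deploy_to_bucket`, `_deploy_with_awscli` and `_deploy_with_curl` are private too; it belongs above `_deploy_to_bucket`. `_deploy_with_curl` begins outside the hunk.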
@@ -152,17 +173,17 @@ _string_to_sign() { echo "AWS4-HMAC-SHA256" echo "${iso_timestamp}" echo "${date_scope}/${region}/s3/aws4_request" - printf "$(_canonical_request_hash)" + _canonical_request_hash } _signature_key() { - secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump) - date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump) - region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump) - service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump) - printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump + secret_key=$(echo "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump) + date_key=$(echo "${date_scope}" | _hmac "sha256" "${secret_key}" hex | _hex_dump) + region_key=$(echo "${region}" | _hmac "sha256" "${date_key}" hex | _hex_dump) + service_key=$(echo "s3" | _hmac "sha256" "${region_key}" hex | _hex_dump) + printf "aws4_request" | _hmac "sha256" "${service_key}" hex | _hex_dump } _signature() { - _string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | sed "s/^.* //" + _string_to_sign | _hmac "sha256" "$(_signature_key)" | _hex_dump | sed "s/^.* //" } From 3b8290067012240c3c63c44aa664946d65bc42b3 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Tue, 27 Jun 2017 10:36:32 +0200 Subject: [PATCH 12/13] changed shebang --- deploy/s3.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/s3.sh b/deploy/s3.sh index 685af5ac..14f1f6cd 100644 --- a/deploy/s3.sh +++ b/deploy/s3.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env sh # This script deploys your cert to a s3 bucket. # export S3_BUCKET=acme From 400994c25c2ee4dd5adb3ed36b6b82358917efa7 Mon Sep 17 00:00:00 2001 From: Rikard Gynnerstedt Date: Mon, 10 Jul 2017 15:48:37 +0200 Subject: [PATCH 13/13] command _payload_hash command update --- deploy/s3.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/deploy/s3.sh b/deploy/s3.sh index 14f1f6cd..0573cf22 100644 --- a/deploy/s3.sh 
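Review bot: Switching `_signature_key` from `printf` to `echo` appends a newline to every value fed into the key derivation: the key becomes the hex of `AWS4<secret>\n` and the date, region and service messages each carry a trailing `\n`, so the derived signing key differs from the one S3 computes and every upload over the curl path will be rejected with SignatureDoesNotMatch. Use `printf "%s"` as the function's last line already does, e.g. `secret_key=$(printf "%s" "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump)` and `date_key=$(printf "%s" "${date_scope}" | _hmac "sha256" "${secret_key}" | _hex_dump)`. The new `hex` argument to `_hmac` also looks suspicious: if it makes `_hmac` emit hex text, the following `| _hex_dump` hex-encodes that text a second time and the next stage keys on the ASCII hex string rather than the raw HMAC bytes — confirm against acme.sh's `_hmac` and drop either `hex` or `_hex_dump`.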
+++ b/deploy/s3.sh
@@ -66,9 +66,6 @@ s3_deploy() {
 _debug AWS_PROFILE "$AWS_PROFILE"
 _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
 _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
-
- # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING
- _aws_cli_installed=1
 
 _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
 
@@ -147,7 +144,7 @@ _deploy_with_curl() {
 #################### Private functions below ##################################
 
 _payload_hash() {
- echo "$(shasum -ba 256 "$file")%% *"
+ printf "%s" "$file" | _digest "sha256"
 }
 
 _canonical_request() {
@@ -161,19 +158,14 @@ _canonical_request() {
 echo "x-amz-date:${iso_timestamp}"
 echo ""
 echo "${signed_headers}"
 
- _payload_hash
 }
 
-_canonical_request_hash() {
- echo "$(_canonical_request | shasum -a 256)%% *"
-}
-
 _string_to_sign() {
 echo "AWS4-HMAC-SHA256"
 echo "${iso_timestamp}"
 echo "${date_scope}/${region}/s3/aws4_request"
- _canonical_request_hash
+ printf "%s" "$(_canonical_request)" | _digest "sha256" hex
 }
 
 _signature_key() {
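Review bot: `_payload_hash` now computes `printf "%s" "$file" | _digest "sha256"`, i.e. the digest of the file *path* string rather than of the certificate or key bytes, and without the `hex` argument that the new `_string_to_sign` line passes, `_digest` presumably returns base64 whereas `x-amz-content-sha256` must be lowercase hex. In the same commit the `_payload_hash` line is removed from `_canonical_request`, so the canonical request no longer ends with the hashed-payload line that SigV4 requires, and `$(_canonical_request)` strips its trailing newline, changing what is hashed. Keep `_payload_hash` as the last line of `_canonical_request` and hash the content, `_payload_hash() { _digest "sha256" hex < "$file"; }` (assuming `_digest` reads stdin, as its use in `_string_to_sign` shows). The hunk ends at `_signature_key() {`, whose body is outside the hunk.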