@ -1,6 +1,6 @@
#!/usr/bin/env sh
VER = 2.6.7
VER = 2.6.9
PROJECT_NAME = "acme.sh"
@ -107,7 +107,7 @@ __green() {
if [ " $__INTERACTIVE " ] ; then
printf '\033[1;31;32m'
fi
printf -- " $1 "
printf -- " %b" " $1 "
if [ " $__INTERACTIVE " ] ; then
printf '\033[0m'
fi
@ -117,7 +117,7 @@ __red() {
if [ " $__INTERACTIVE " ] ; then
printf '\033[1;31;40m'
fi
printf -- " $1 "
printf -- " %b" " $1 "
if [ " $__INTERACTIVE " ] ; then
printf '\033[0m'
fi
@ -138,8 +138,8 @@ _printargs() {
_dlg_versions( ) {
echo "Diagnosis versions: "
echo " openssl: $ACME_OPENSSL_BIN "
if _exists " $ ACME_OPENSSL_BIN" ; then
$ ACME_OPENSSL_BIN version 2>& 1
if _exists " ${ ACME_OPENSSL_BIN:- openssl } " ; then
${ ACME_OPENSSL_BIN:- openssl } version 2>& 1
else
echo " $ACME_OPENSSL_BIN doesn't exists. "
fi
@ -166,7 +166,14 @@ _syslog() {
fi
_logclass = " $1 "
shift
logger -i -t " $PROJECT_NAME " -p " $_logclass " " $( _printargs " $@ " ) " >/dev/null 2>& 1
if [ -z " $__logger_i " ] ; then
if _contains " $( logger --help 2>& 1) " "-i" ; then
__logger_i = "logger -i"
else
__logger_i = "logger"
fi
fi
$__logger_i -t " $PROJECT_NAME " -p " $_logclass " " $( _printargs " $@ " ) " >/dev/null 2>& 1
}
_log( ) {
@ -340,14 +347,14 @@ _hasfield() {
_sep = ","
fi
for f in $( echo " $_str " | tr ',' ' ' ) ; do
for f in $( echo " $_str " | tr " $_sep " ' ' ) ; do
if [ " $f " = " $_field " ] ; then
_debug2 " ' $_str ' contains ' $_field ' "
return 0 #contains ok
fi
done
_debug2 " ' $_str ' does not contain ' $_field ' "
return 1 #not contains
return 1 #not contains
}
_getfield( ) {
@ -722,7 +729,7 @@ _url_encode() {
"7e" )
printf "%s" "~"
; ;
#other hex
#other hex
*)
printf '%%%s' " $_hex_code "
; ;
@ -790,19 +797,19 @@ _base64() {
[ "" ] #urgly
if [ " $1 " ] ; then
_debug3 " base64 multiline:' $1 ' "
$ ACME_OPENSSL_BIN base64 -e
${ ACME_OPENSSL_BIN:- openssl } base64 -e
else
_debug3 "base64 single line."
$ ACME_OPENSSL_BIN base64 -e | tr -d '\r\n'
${ ACME_OPENSSL_BIN:- openssl } base64 -e | tr -d '\r\n'
fi
}
#Usage: multiline
_dbase64( ) {
if [ " $1 " ] ; then
$ ACME_OPENSSL_BIN base64 -d -A
${ ACME_OPENSSL_BIN:- openssl } base64 -d -A
else
$ ACME_OPENSSL_BIN base64 -d
${ ACME_OPENSSL_BIN:- openssl } base64 -d
fi
}
@ -819,9 +826,9 @@ _digest() {
if [ " $alg " = "sha256" ] || [ " $alg " = "sha1" ] || [ " $alg " = "md5" ] ; then
if [ " $outputhex " ] ; then
$ ACME_OPENSSL_BIN dgst -" $alg " -hex | cut -d = -f 2 | tr -d ' '
${ ACME_OPENSSL_BIN:- openssl } dgst -" $alg " -hex | cut -d = -f 2 | tr -d ' '
else
$ ACME_OPENSSL_BIN dgst -" $alg " -binary | _base64
${ ACME_OPENSSL_BIN:- openssl } dgst -" $alg " -binary | _base64
fi
else
_err " $alg is not supported yet "
@ -844,9 +851,9 @@ _hmac() {
if [ " $alg " = "sha256" ] || [ " $alg " = "sha1" ] ; then
if [ " $outputhex " ] ; then
( $ ACME_OPENSSL_BIN dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " 2>/dev/null || $ ACME_OPENSSL_BIN dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " ) | cut -d = -f 2 | tr -d ' '
( ${ ACME_OPENSSL_BIN:- openssl } dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " 2>/dev/null || ${ ACME_OPENSSL_BIN:- openssl } dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " ) | cut -d = -f 2 | tr -d ' '
else
$ ACME_OPENSSL_BIN dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " -binary 2>/dev/null || $ ACME_OPENSSL_BIN dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " -binary
${ ACME_OPENSSL_BIN:- openssl } dgst -" $alg " -mac HMAC -macopt " hexkey: $secret_hex " -binary 2>/dev/null || ${ ACME_OPENSSL_BIN:- openssl } dgst -" $alg " -hmac " $( printf "%s" " $secret_hex " | _h2b) " -binary
fi
else
_err " $alg is not supported yet "
@ -865,7 +872,7 @@ _sign() {
return 1
fi
_sign_openssl = " $ ACME_OPENSSL_BIN dgst -sign $keyfile "
_sign_openssl = " ${ ACME_OPENSSL_BIN:- openssl } dgst -sign $keyfile "
if [ " $alg " = "sha256" ] ; then
_sign_openssl = " $_sign_openssl - $alg "
else
@ -876,10 +883,10 @@ _sign() {
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
$_sign_openssl | _base64
elif grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
if ! _signedECText = " $( $_sign_openssl | $ ACME_OPENSSL_BIN asn1parse -inform DER) " ; then
if ! _signedECText = " $( $_sign_openssl | ${ ACME_OPENSSL_BIN:- openssl } asn1parse -inform DER) " ; then
_err " Sign failed: $_sign_openssl "
_err " Key file: $keyfile "
_err " Key content: $( wc -l <" $keyfile " ) li s es"
_err " Key content: $( wc -l <" $keyfile " ) li n es"
return 1
fi
_debug3 "_signedECText" " $_signedECText "
@ -948,10 +955,10 @@ _createkey() {
if _isEccKey " $length " ; then
_debug " Using ec name: $eccname "
$ ACME_OPENSSL_BIN ecparam -name " $eccname " -genkey 2>/dev/null >" $f "
${ ACME_OPENSSL_BIN:- openssl } ecparam -name " $eccname " -genkey 2>/dev/null >" $f "
else
_debug " Using RSA: $length "
$ ACME_OPENSSL_BIN genrsa " $length " 2>/dev/null >" $f "
${ ACME_OPENSSL_BIN:- openssl } genrsa " $length " 2>/dev/null >" $f "
fi
if [ " $? " != "0" ] ; then
@ -1025,7 +1032,7 @@ _createcsr() {
else
alt = " DNS: $domainlist "
fi
#multi
#multi
_info "Multi domain" " $alt "
printf -- " \nsubjectAltName= $alt " >>" $csrconf "
fi
@ -1038,9 +1045,9 @@ _createcsr() {
_csr_cn = " $( _idn " $domain " ) "
_debug2 _csr_cn " $_csr_cn "
if _contains " $( uname -a) " "MINGW" ; then
$ ACME_OPENSSL_BIN req -new -sha256 -key " $csrkey " -subj " //CN= $_csr_cn " -config " $csrconf " -out " $csr "
${ ACME_OPENSSL_BIN:- openssl } req -new -sha256 -key " $csrkey " -subj " //CN= $_csr_cn " -config " $csrconf " -out " $csr "
else
$ ACME_OPENSSL_BIN req -new -sha256 -key " $csrkey " -subj " /CN= $_csr_cn " -config " $csrconf " -out " $csr "
${ ACME_OPENSSL_BIN:- openssl } req -new -sha256 -key " $csrkey " -subj " /CN= $_csr_cn " -config " $csrconf " -out " $csr "
fi
}
@ -1052,7 +1059,7 @@ _signcsr() {
cert = " $4 "
_debug "_signcsr"
_msg = " $( $ ACME_OPENSSL_BIN x509 -req -days 365 -in " $csr " -signkey " $key " -extensions v3_req -extfile " $conf " -out " $cert " 2>& 1) "
_msg = " $( ${ ACME_OPENSSL_BIN:- openssl } x509 -req -days 365 -in " $csr " -signkey " $key " -extensions v3_req -extfile " $conf " -out " $cert " 2>& 1) "
_ret = " $? "
_debug " $_msg "
return $_ret
@ -1065,7 +1072,7 @@ _readSubjectFromCSR() {
_usage "_readSubjectFromCSR mycsr.csr"
return 1
fi
$ ACME_OPENSSL_BIN req -noout -in " $_csrfile " -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
${ ACME_OPENSSL_BIN:- openssl } req -noout -in " $_csrfile " -subject | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d '\n'
}
#_csrfile
@ -1080,7 +1087,7 @@ _readSubjectAltNamesFromCSR() {
_csrsubj = " $( _readSubjectFromCSR " $_csrfile " ) "
_debug _csrsubj " $_csrsubj "
_dnsAltnames = " $( $ ACME_OPENSSL_BIN req -noout -text -in " $_csrfile " | grep "^ *DNS:.*" | tr -d ' \n' ) "
_dnsAltnames = " $( ${ ACME_OPENSSL_BIN:- openssl } req -noout -text -in " $_csrfile " | grep "^ *DNS:.*" | tr -d ' \n' ) "
_debug _dnsAltnames " $_dnsAltnames "
if _contains " $_dnsAltnames , " " DNS: $_csrsubj , " ; then
@ -1093,7 +1100,7 @@ _readSubjectAltNamesFromCSR() {
printf "%s" " $_dnsAltnames " | sed "s/DNS://g"
}
#_csrfile
#_csrfile
_readKeyLengthFromCSR( ) {
_csrfile = " $1 "
if [ -z " $_csrfile " ] ; then
@ -1101,13 +1108,14 @@ _readKeyLengthFromCSR() {
return 1
fi
_outcsr = " $( $ACME_OPENSSL_BIN req -noout -text -in " $_csrfile " ) "
_outcsr = " $( ${ ACME_OPENSSL_BIN :- openssl } req -noout -text -in " $_csrfile " ) "
_debug2 _outcsr " $_outcsr "
if _contains " $_outcsr " "Public Key Algorithm: id-ecPublicKey" ; then
_debug "ECC CSR"
echo " $_outcsr " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
echo " $_outcsr " | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' '
else
_debug "RSA CSR"
echo " $_outcsr " | _egrep_o "(^ *| ^ RSA )Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
echo " $_outcsr " | tr "\t" " " | _egrep_o "(^ *| RSA )Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1
fi
}
@ -1159,9 +1167,9 @@ toPkcs() {
_initpath " $domain " " $_isEcc "
if [ " $pfxPassword " ] ; then
$ ACME_OPENSSL_BIN pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH " -password " pass: $pfxPassword "
${ ACME_OPENSSL_BIN:- openssl } pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH " -password " pass: $pfxPassword "
else
$ ACME_OPENSSL_BIN pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH "
${ ACME_OPENSSL_BIN:- openssl } pkcs12 -export -out " $CERT_PFX_PATH " -inkey " $CERT_KEY_PATH " -in " $CERT_PATH " -certfile " $CA_CERT_PATH "
fi
if [ " $? " = "0" ] ; then
@ -1183,7 +1191,7 @@ toPkcs8() {
_initpath " $domain " " $_isEcc "
$ ACME_OPENSSL_BIN pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in " $CERT_KEY_PATH " -out " $CERT_PKCS8_PATH "
${ ACME_OPENSSL_BIN:- openssl } pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in " $CERT_KEY_PATH " -out " $CERT_PKCS8_PATH "
if [ " $? " = "0" ] ; then
_info " Success, $CERT_PKCS8_PATH "
@ -1191,7 +1199,7 @@ toPkcs8() {
}
#[2048]
#[2048]
createAccountKey( ) {
_info "Creating account key"
if [ -z " $1 " ] ; then
@ -1344,7 +1352,7 @@ _calcjwk() {
if grep "BEGIN RSA PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
_debug "RSA key"
pub_exp = $( $ ACME_OPENSSL_BIN rsa -in " $keyfile " -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
pub_exp = $( ${ ACME_OPENSSL_BIN:- openssl } rsa -in " $keyfile " -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1)
if [ " ${# pub_exp } " = "5" ] ; then
pub_exp = 0$pub_exp
fi
@ -1353,7 +1361,7 @@ _calcjwk() {
e = $( echo " $pub_exp " | _h2b | _base64)
_debug3 e " $e "
modulus = $( $ ACME_OPENSSL_BIN rsa -in " $keyfile " -modulus -noout | cut -d '=' -f 2)
modulus = $( ${ ACME_OPENSSL_BIN:- openssl } rsa -in " $keyfile " -modulus -noout | cut -d '=' -f 2)
_debug3 modulus " $modulus "
n = " $( printf "%s" " $modulus " | _h2b | _base64 | _url_replace) "
_debug3 n " $n "
@ -1366,12 +1374,12 @@ _calcjwk() {
JWK_HEADERPLACE_PART2 = '", "alg": "RS256", "jwk": ' $jwk '}'
elif grep "BEGIN EC PRIVATE KEY" " $keyfile " >/dev/null 2>& 1; then
_debug "EC key"
crv = " $( $ ACME_OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
crv = " $( ${ ACME_OPENSSL_BIN:- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
_debug3 crv " $crv "
if [ -z " $crv " ] ; then
_debug "Let's try ASN1 OID"
crv_oid = " $( $ ACME_OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
crv_oid = " $( ${ ACME_OPENSSL_BIN:- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n" ) "
_debug3 crv_oid " $crv_oid "
case " ${ crv_oid } " in
"prime256v1" )
@ -1391,15 +1399,15 @@ _calcjwk() {
_debug3 crv " $crv "
fi
pubi = " $( $ ACME_OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1) "
pubi = " $( ${ ACME_OPENSSL_BIN:- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1) "
pubi = $( _math " $pubi " + 1)
_debug3 pubi " $pubi "
pubj = " $( $ ACME_OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1) "
pubj = " $( ${ ACME_OPENSSL_BIN:- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1) "
pubj = $( _math " $pubj " - 1)
_debug3 pubj " $pubj "
pubtext = " $( $ ACME_OPENSSL_BIN ec -in " $keyfile " -noout -text 2>/dev/null | sed -n " $pubi , ${ pubj } p " | tr -d " \n\r" ) "
pubtext = " $( ${ ACME_OPENSSL_BIN:- openssl } ec -in " $keyfile " -noout -text 2>/dev/null | sed -n " $pubi , ${ pubj } p " | tr -d " \n\r" ) "
_debug3 pubtext " $pubtext "
xlen = " $( printf "%s" " $pubtext " | tr -d ':' | wc -c) "
@ -1483,7 +1491,9 @@ _inithttp() {
_ACME_CURL = " $_ACME_CURL --trace-ascii $_CURL_DUMP "
fi
if [ " $CA_BUNDLE " ] ; then
if [ " $CA_PATH " ] ; then
_ACME_CURL = " $_ACME_CURL --capath $CA_PATH "
elif [ " $CA_BUNDLE " ] ; then
_ACME_CURL = " $_ACME_CURL --cacert $CA_BUNDLE "
fi
@ -1494,8 +1504,10 @@ _inithttp() {
if [ " $DEBUG " ] && [ " $DEBUG " -ge "2" ] ; then
_ACME_WGET = " $_ACME_WGET -d "
fi
if [ " $CA_BUNDLE " ] ; then
_ACME_WGET = " $_ACME_WGET --ca-certificate $CA_BUNDLE "
if [ " $CA_PATH " ] ; then
_ACME_WGET = " $_ACME_WGET --ca-directory= $CA_PATH "
elif [ " $CA_BUNDLE " ] ; then
_ACME_WGET = " $_ACME_WGET --ca-certificate= $CA_BUNDLE "
fi
fi
@ -1842,6 +1854,24 @@ _saveaccountconf() {
_save_conf " $ACCOUNT_CONF_PATH " " $1 " " $2 "
}
#key value
_saveaccountconf_mutable( ) {
_save_conf " $ACCOUNT_CONF_PATH " " SAVED_ $1 " " $2 "
#remove later
_clearaccountconf " $1 "
}
#key
_readaccountconf( ) {
_read_conf " $ACCOUNT_CONF_PATH " " $1 "
}
#key
_readaccountconf_mutable( ) {
_rac_key = " $1 "
_readaccountconf " SAVED_ $_rac_key "
}
#_clearaccountconf key
_clearaccountconf( ) {
_clear_conf " $ACCOUNT_CONF_PATH " " $1 "
@ -2013,7 +2043,7 @@ _starttlsserver() {
return 1
fi
__S_OPENSSL = " $ ACME_OPENSSL_BIN s_server -cert $TLS_CERT -key $TLS_KEY "
__S_OPENSSL = " ${ ACME_OPENSSL_BIN:- openssl } s_server -cert $TLS_CERT -key $TLS_KEY "
if [ " $opaddr " ] ; then
__S_OPENSSL = " $__S_OPENSSL -accept $opaddr : $port "
else
@ -2254,16 +2284,16 @@ _initpath() {
fi
if [ -z " $TLS_CONF " ] ; then
TLS_CONF = " $DOMAIN_PATH /tls.val dation.conf"
TLS_CONF = " $DOMAIN_PATH /tls.val i dation.conf"
fi
if [ -z " $TLS_CERT " ] ; then
TLS_CERT = " $DOMAIN_PATH /tls.val dation.cert"
TLS_CERT = " $DOMAIN_PATH /tls.val i dation.cert"
fi
if [ -z " $TLS_KEY " ] ; then
TLS_KEY = " $DOMAIN_PATH /tls.val dation.key"
TLS_KEY = " $DOMAIN_PATH /tls.val i dation.key"
fi
if [ -z " $TLS_CSR " ] ; then
TLS_CSR = " $DOMAIN_PATH /tls.val dation.csr"
TLS_CSR = " $DOMAIN_PATH /tls.val i dation.csr"
fi
}
@ -2381,7 +2411,7 @@ _setApache() {
_debug "Backup apache config file" " $httpdconf "
if ! cp " $httpdconf " " $APACHE_CONF_BACKUP_DIR / " ; then
_err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed."
_err " This might be a bug of $PROJECT_NAME , plea e report issue: $PROJECT "
_err " This might be a bug of $PROJECT_NAME , plea s e report issue: $PROJECT "
return 1
fi
_info " JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR / $httpdconfname "
@ -2523,7 +2553,7 @@ _setNginx() {
location ~ \" ^/\. well-known/acme-challenge/( [ -_a-zA-Z0-9] +) \$ \" {
default_type text/plain;
return 200 \" \$ 1.$_thumbpt \" ;
}
}
#NGINX_START
" >>" $FOUND_REAL_NGINX_CONF "
@ -2560,7 +2590,7 @@ _checkConf() {
if [ ! -f " $2 " ] && ! echo " $2 " | grep '*$' >/dev/null && echo " $2 " | grep '*' >/dev/null; then
_debug "wildcard"
for _w_f in $2 ; do
if [ -f " $_w_f " ] && _checkConf " $1 " " $_w_f " ; then
if [ -f " $_w_f " ] && _checkConf " $1 " " $_w_f " ; then
return 0
fi
done
@ -2594,10 +2624,10 @@ _checkConf() {
_isRealNginxConf( ) {
_debug " _isRealNginxConf $1 $2 "
if [ -f " $2 " ] ; then
for _fln in $( grep -n " ^ *server_name.* $1 " " $2 " | cut -d : -f 1) ; do
for _fln in $( tr "\t" ' ' <" $2 " | grep -n " ^ *server_name.* $1 " | cut -d : -f 1) ; do
_debug _fln " $_fln "
if [ " $_fln " ] ; then
_start = $( ca t " $2 " | _head_n " $_fln " | grep -n "^ *server *{" | _tail_n 1)
_start = $( tr "\t" ' ' <" $2 " | _head_n " $_fln " | grep -n "^ *server *{" | _tail_n 1)
_debug "_start" " $_start "
_start_n = $( echo " $_start " | cut -d : -f 1)
_start_nn = $( _math $_start_n + 1)
@ -2606,8 +2636,8 @@ _isRealNginxConf() {
_left = " $( sed -n " ${ _start_nn } ,99999p " " $2 " ) "
_debug2 _left " $_left "
if echo " $_left " | grep -n "^ *server *{" >/dev/null; then
_end = $( echo " $_left " | grep -n "^ *server *{" | _head_n 1)
if echo " $_left " | tr "\t" ' ' | grep -n "^ *server *{" >/dev/null; then
_end = $( echo " $_left " | tr "\t" ' ' | grep -n "^ *server *{" | _head_n 1)
_debug "_end" " $_end "
_end_n = $( echo " $_end " | cut -d : -f 1)
_debug "_end_n" " $_end_n "
@ -2879,7 +2909,7 @@ _on_issue_err() {
uri = $( echo " $ventry " | cut -d " $sep " -f 3)
vtype = $( echo " $ventry " | cut -d " $sep " -f 4)
_currentRoot = $( echo " $ventry " | cut -d " $sep " -f 5)
__trigger_validaton " $uri " " $keyauthorization "
__trigger_validati on " $uri " " $keyauthorization "
done
)
fi
@ -3101,7 +3131,7 @@ __get_domain_new_authz() {
}
#uri keyAuthorization
__trigger_validaton( ) {
__trigger_validati on( ) {
_debug2 "tigger domain validation."
_t_url = " $1 "
_debug2 _t_url " $_t_url "
@ -3110,12 +3140,16 @@ __trigger_validaton() {
_send_signed_request " $_t_url " " {\"resource\": \"challenge\", \"keyAuthorization\": \" $_t_key_authz \"} "
}
#webroot, domain domainlist keylength
#webroot, domain domainlist keylength
issue( ) {
if [ -z " $2 " ] ; then
_usage " Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
return 1
fi
if [ -z " $1 " ] ; then
_usage "Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc."
return 1
fi
_web_roots = " $1 "
_main_domain = " $2 "
_alt_domains = " $3 "
@ -3486,7 +3520,7 @@ issue() {
_exec_err >/dev/null 2>& 1
fi
else
_debug "not chan ing owner/group of webroot"
_debug "not chan g ing owner/group of webroot"
fi
fi
@ -3527,7 +3561,7 @@ issue() {
fi
fi
if ! __trigger_validaton " $uri " " $keyauthorization " ; then
if ! __trigger_validati on " $uri " " $keyauthorization " ; then
_err " $d :Can not get challenge: $response "
_clearupwebbroot " $_currentRoot " " $removelevel " " $token "
_clearup
@ -3631,6 +3665,7 @@ issue() {
_rcert = " $response "
Le_LinkCert = " $( grep -i '^Location.*$' " $HTTP_HEADER " | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2) "
_debug "Le_LinkCert" " $Le_LinkCert "
_savedomainconf "Le_LinkCert" " $Le_LinkCert "
if [ " $Le_LinkCert " ] ; then
@ -3638,7 +3673,7 @@ issue() {
#if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
# _debug "Get cert failed. Let's try last response."
# printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
# printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
#fi
if ! printf -- "%s" " $_rcert " | _dbase64 "multiline" | _base64 "multiline" >>" $CERT_PATH " ; then
@ -3677,16 +3712,34 @@ issue() {
if ! _contains " $Le_LinkIssuer " ":" ; then
Le_LinkIssuer = " $API $Le_LinkIssuer "
fi
_debug Le_LinkIssuer " $Le_LinkIssuer "
_savedomainconf "Le_LinkIssuer" " $Le_LinkIssuer "
if [ " $Le_LinkIssuer " ] ; then
echo " $BEGIN_CERT " >" $CA_CERT_PATH "
_get " $Le_LinkIssuer " | _base64 "multiline" >>" $CA_CERT_PATH "
echo " $END_CERT " >>" $CA_CERT_PATH "
_info " The intermediate CA cert is in $( __green " $CA_CERT_PATH " ) "
cat " $CA_CERT_PATH " >>" $CERT_FULLCHAIN_PATH "
_info " And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH " ) "
_link_issuer_retry = 0
_MAX_ISSUER_RETRY = 5
while [ " $_link_issuer_retry " -lt " $_MAX_ISSUER_RETRY " ] ; do
_debug _link_issuer_retry " $_link_issuer_retry "
if _get " $Le_LinkIssuer " >" $CA_CERT_PATH .der " ; then
echo " $BEGIN_CERT " >" $CA_CERT_PATH "
_base64 "multiline" <" $CA_CERT_PATH .der " >>" $CA_CERT_PATH "
echo " $END_CERT " >>" $CA_CERT_PATH "
_info " The intermediate CA cert is in $( __green " $CA_CERT_PATH " ) "
cat " $CA_CERT_PATH " >>" $CERT_FULLCHAIN_PATH "
_info " And the full chain certs is there: $( __green " $CERT_FULLCHAIN_PATH " ) "
rm -f " $CA_CERT_PATH .der "
break
fi
_link_issuer_retry = $( _math $_link_issuer_retry + 1)
_sleep " $_link_issuer_retry "
done
if [ " $_link_issuer_retry " = " $_MAX_ISSUER_RETRY " ] ; then
_err "Max retry for issuer ca cert is reached."
fi
else
_debug "No Le_LinkIssuer header found."
fi
Le_CertCreateTime = $( _time)
@ -3707,6 +3760,12 @@ issue() {
_clearaccountconf "CA_BUNDLE"
fi
if [ " $CA_PATH " ] ; then
_saveaccountconf CA_PATH " $CA_PATH "
else
_clearaccountconf "CA_PATH"
fi
if [ " $HTTPS_INSECURE " ] ; then
_saveaccountconf HTTPS_INSECURE " $HTTPS_INSECURE "
else
@ -3831,7 +3890,7 @@ renewAll() {
return " $rc "
else
_ret = " $rc "
_err " Error renew $d , Go ahead to next one ."
_err " Error renew $d ."
fi
fi
done
@ -4025,7 +4084,7 @@ deploy() {
installcert( ) {
_main_domain = " $1 "
if [ -z " $_main_domain " ] ; then
_usage " Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--cert path cert-file-path] [--keypath key-file-path] [--capath ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchainpath fullchain-path]"
_usage " Usage: $PROJECT_ENTRY --installcert -d domain.com [--ecc] [--cert -file cert-file-path] [--key-file key-file-path] [--ca-file ca-cert-file-path] [ --reloadCmd reloadCmd] [--fullchain-file fullchain-path]"
return 1
fi
@ -4124,6 +4183,7 @@ _installcert() {
export CERT_KEY_PATH
export CA_CERT_PATH
export CERT_FULLCHAIN_PATH
export Le_Domain
cd " $DOMAIN_PATH " && eval " $_reload_cmd "
) ; then
_info " $( __green "Reload success" ) "
@ -4452,7 +4512,7 @@ _precheck() {
fi
fi
if ! _exists " $ ACME_OPENSSL_BIN" ; then
if ! _exists " ${ ACME_OPENSSL_BIN:- openssl } " ; then
_err " Please install openssl first. ACME_OPENSSL_BIN= $ACME_OPENSSL_BIN "
_err "We need openssl to generate keys."
return 1
@ -4694,6 +4754,7 @@ _uninstallalias() {
cron( ) {
IN_CRON = 1
_initpath
_info " $( __green "===Starting cron===" ) "
if [ " $AUTO_UPGRADE " = "1" ] ; then
export LE_WORKING_DIR
(
@ -4713,6 +4774,7 @@ cron() {
renewAll
_ret = " $? "
IN_CRON = ""
_info " $( __green "===End cron===" ) "
exit $_ret
}
@ -4752,7 +4814,7 @@ Commands:
--create-domain-key Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
--deactivate Deactivate the domain authz, professional use.
Parameters:
--domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
--force, -f Used to force to install or force to renew a cert immediately.
@ -4766,20 +4828,20 @@ Parameters:
--apache Use apache mode.
--dns [ dns_cf| dns_dp| dns_cx| /path/to/api/file] Use dns mode or dns api.
--dnssleep [ $DEFAULT_DNS_SLEEP ] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
--keylength, -k [ 2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
--accountkeylength, -ak [ 2048] Specifies the account key length.
--log [ /path/to/logfile] Specifies the log file. The default is: \" $DEFAULT_LOG_FILE \" if you don' t give a file path here.
--log-level 1| 2 Specifies the log level, default is 1.
--syslog [ 0| 3| 6| 7] Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
--certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
--keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
--capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
--fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
--cert-file After issue/renew, the cert will be copied to this path.
--key-file After issue/renew, the key will be copied to this path.
--ca-file After issue/renew, the intermediate cert will be copied to this path.
--fullchain-file After issue/renew, the fullchain cert will be copied to this path.
--reloadcmd \" service nginx reload\" After issue/renew, it' s used to reload the server.
--accountconf Specifies a customized account config file.
@ -4796,12 +4858,13 @@ Parameters:
--listraw Only used for '--list' command, list the certs in raw format.
--stopRenewOnError, -se Only valid for '--renew-all' command. Stop if one cert has error in renewal.
--insecure Do not check the server certificate, in some devices, the api server' s certificate may not be trusted.
--ca-bundle Specifices the path to the CA certificate bundle to verify api server' s certificate.
--ca-bundle Specifies the path to the CA certificate bundle to verify api server' s certificate.
--ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl.
--nocron Only valid for '--install' command, which means: do not install the default cron job. In this case , the certs will not be renewed automatically.
--ecc Specifies to use the ECC cert. Valid for '--install-cert' , '--renew' , '--revoke' , '--toPkcs' and '--createCSR'
--csr Specifies the input csr.
--pre-hook Command to be run before obtaining any certificates.
--post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed.
--post-hook Command to be run after attempting to obtain/renew certificates. No matter the obt ain/renew is success or failed.
--renew-hook Command to be run once for each successfully renewed certificate.
--deploy-hook The hook file to deploy cert
--ocsp-must-staple, --ocsp Generate ocsp must Staple extension.
@ -4903,10 +4966,10 @@ _process() {
_webroot = ""
_keylength = ""
_accountkeylength = ""
_cert path = ""
_key path = ""
_ca path = ""
_fullchain path = ""
_cert _file = ""
_key _file = ""
_ca _file = ""
_fullchain _file = ""
_reloadcmd = ""
_password = ""
_accountconf = ""
@ -4922,6 +4985,7 @@ _process() {
_stopRenewOnError = ""
#_insecure=""
_ca_bundle = ""
_ca_path = ""
_nocron = ""
_ecc = ""
_csr = ""
@ -5147,20 +5211,20 @@ _process() {
shift
; ;
--certpath)
_cert path = " $2 "
--cert-file | --cert path)
_cert _file = " $2 "
shift
; ;
--keypath)
_key path = " $2 "
--key-file | --key path)
_key _file = " $2 "
shift
; ;
--capath)
_ca path = " $2 "
--ca-file | --ca path)
_ca _file = " $2 "
shift
; ;
--fullchainpath)
_fullchain path = " $2 "
--fullchain-file | --fullchain path)
_fullchain _file = " $2 "
shift
; ;
--reloadcmd | --reloadCmd)
@ -5236,6 +5300,11 @@ _process() {
CA_BUNDLE = " $_ca_bundle "
shift
; ;
--ca-path)
_ca_path = " $2 "
CA_PATH = " $_ca_path "
shift
; ;
--nocron)
_nocron = "1"
; ;
@ -5377,7 +5446,7 @@ _process() {
uninstall) uninstall " $_nocron " ; ;
upgrade) upgrade ; ;
issue)
issue " $_webroot " " $_domain " " $_altdomains " " $_keylength " " $_cert path" " $_keypath " " $_capath " " $_reloadcmd " " $_fullchainpath " " $_pre_hook " " $_post_hook " " $_renew_hook " " $_local_address "
issue " $_webroot " " $_domain " " $_altdomains " " $_keylength " " $_cert _file" " $_key_file " " $_ca_file " " $_reloadcmd " " $_fullchain_file " " $_pre_hook " " $_post_hook " " $_renew_hook " " $_local_address "
; ;
deploy)
deploy " $_domain " " $_deploy_hook " " $_ecc "
@ -5389,7 +5458,7 @@ _process() {
showcsr " $_csr " " $_domain "
; ;
installcert)
installcert " $_domain " " $_cert path" " $_keypath " " $_capath " " $_reloadcmd " " $_fullchainpath " " $_ecc "
installcert " $_domain " " $_cert _file" " $_key_file " " $_ca_file " " $_reloadcmd " " $_fullchain_file " " $_ecc "
; ;
renew)
renew " $_domain " " $_ecc "