|
|
|
#!/usr/bin/env sh
|
|
|
|
|
|
|
|
#Here is a sample custom api script.
|
|
|
|
#This file name is "myapi.sh"
|
|
|
|
#So, here must be a method myapi_deploy()
|
|
|
|
#Which will be called by acme.sh to deploy the cert
|
|
|
|
#returns 0 means success, otherwise error.
|
|
|
|
|
|
|
|
######## Public functions #####################
|
|
|
|
|
|
|
|
#domain keyfile certfile cafile fullchain
|
|
|
|
strongswan_deploy() {
|
|
|
|
_cdomain="${1}"
|
|
|
|
_ckey="${2}"
|
|
|
|
_ccert="${3}"
|
|
|
|
_cca="${4}"
|
|
|
|
_cfullchain="${5}"
|
|
|
|
_info "Using strongswan"
|
|
|
|
if _exists ipsec; then
|
|
|
|
_ipsec=ipsec
|
|
|
|
elif _exists strongswan; then
|
|
|
|
_ipsec=strongswan
|
|
|
|
fi
|
|
|
|
if _exists swanctl; then
|
|
|
|
_swanctl=swanctl
|
|
|
|
fi
|
|
|
|
# For legacy stroke mode
|
|
|
|
if [ -n "${_ipsec}" ]; then
|
|
|
|
_info "${_ipsec} command detected"
|
|
|
|
_confdir=$(${_ipsec} --confdir)
|
|
|
|
if [ -z "${_confdir}" ]; then
|
|
|
|
_err "no strongswan --confdir is detected"
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
_info _confdir "${_confdir}"
|
|
|
|
__deploy_cert "$@" "stroke" "${_confdir}"
|
|
|
|
${_ipsec} reload
|
|
|
|
fi
|
|
|
|
# For modern vici mode
|
|
|
|
if [ -n "${_swanctl}" ]; then
|
|
|
|
_info "${_swanctl} command detected"
|
|
|
|
for _dir in /usr/local/etc/swanctl /etc/swanctl /etc/strongswan/swanctl; do
|
|
|
|
if [ -d ${_dir} ]; then
|
|
|
|
_confdir=${_dir}
|
|
|
|
_info _confdir "${_confdir}"
|
|
|
|
break
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
if [ -z "${_confdir}" ]; then
|
|
|
|
_err "no swanctl config dir is found"
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
__deploy_cert "$@" "vici" "${_confdir}"
|
|
|
|
${_swanctl} --load-creds
|
|
|
|
fi
|
|
|
|
if [ -z "${_swanctl}" ] && [ -z "${_ipsec}" ]; then
|
|
|
|
_err "no strongswan or ipsec command is detected"
|
|
|
|
_err "no swanctl is detected"
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
#################### Private functions below ##################################
|
|
|
|
|
|
|
|
__deploy_cert() {
|
|
|
|
_cdomain="${1}"
|
|
|
|
_ckey="${2}"
|
|
|
|
_ccert="${3}"
|
|
|
|
_cca="${4}"
|
|
|
|
_cfullchain="${5}"
|
|
|
|
_swan_mode="${6}"
|
|
|
|
_confdir="${7}"
|
|
|
|
_debug _cdomain "${_cdomain}"
|
|
|
|
_debug _ckey "${_ckey}"
|
|
|
|
_debug _ccert "${_ccert}"
|
|
|
|
_debug _cca "${_cca}"
|
|
|
|
_debug _cfullchain "${_cfullchain}"
|
|
|
|
_debug _swan_mode "${_swan_mode}"
|
|
|
|
_debug _confdir "${_confdir}"
|
|
|
|
if [ "${_swan_mode}" = "vici" ]; then
|
|
|
|
_dir_private="private"
|
|
|
|
_dir_cert="x509"
|
|
|
|
_dir_ca="x509ca"
|
|
|
|
elif [ "${_swan_mode}" = "stroke" ]; then
|
|
|
|
_dir_private="ipsec.d/private"
|
|
|
|
_dir_cert="ipsec.d/certs"
|
|
|
|
_dir_ca="ipsec.d/cacerts"
|
|
|
|
else
|
|
|
|
_err "unknown StrongSwan mode ${_swan_mode}"
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
cat "${_ckey}" >"${_confdir}/${_dir_private}/$(basename "${_ckey}")"
|
|
|
|
cat "${_ccert}" >"${_confdir}/${_dir_cert}/$(basename "${_ccert}")"
|
|
|
|
cat "${_cca}" >"${_confdir}/${_dir_ca}/$(basename "${_cca}")"
|
|
|
|
if [ "${_swan_mode}" = "stroke" ]; then
|
|
|
|
cat "${_cfullchain}" >"${_confdir}/${_dir_ca}/$(basename "${_cfullchain}")"
|
|
|
|
fi
|
|
|
|
}
|