support ACME v2 wildcard cert
parent
f8d22c486e
commit
72f54ca6c1
38
acme.sh
38
acme.sh
|
@ -997,7 +997,7 @@ _createkey() {
|
||||||
_is_idn() {
|
_is_idn() {
|
||||||
_is_idn_d="$1"
|
_is_idn_d="$1"
|
||||||
_debug2 _is_idn_d "$_is_idn_d"
|
_debug2 _is_idn_d "$_is_idn_d"
|
||||||
_idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '.,-')
|
_idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '0-9' | tr -d 'a-z' | tr -d 'A-Z' | tr -d '*.,-')
|
||||||
_debug2 _idn_temp "$_idn_temp"
|
_debug2 _idn_temp "$_idn_temp"
|
||||||
[ "$_idn_temp" ]
|
[ "$_idn_temp" ]
|
||||||
}
|
}
|
||||||
|
@ -1055,7 +1055,7 @@ _createcsr() {
|
||||||
domainlist="$(_idn "$domainlist")"
|
domainlist="$(_idn "$domainlist")"
|
||||||
_debug2 domainlist "$domainlist"
|
_debug2 domainlist "$domainlist"
|
||||||
if _contains "$domainlist" ","; then
|
if _contains "$domainlist" ","; then
|
||||||
alt="DNS:$domain,DNS:$(echo "$domainlist" | sed "s/,/,DNS:/g")"
|
alt="DNS:$domain,DNS:$(echo "$domainlist" | sed "s/,,/,/g" | sed "s/,/,DNS:/g")"
|
||||||
else
|
else
|
||||||
alt="DNS:$domain,DNS:$domainlist"
|
alt="DNS:$domain,DNS:$domainlist"
|
||||||
fi
|
fi
|
||||||
|
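Review bot: The added `sed "s/,,/,/g"` on the `alt=` line only collapses one pair of adjacent commas, so a `domainlist` with a leading or trailing comma, or three or more in a row, still yields an empty `DNS:` SAN entry, and the `else` branch gets no cleanup at all. Where the empty entries come from is not visible in this hunk; if the intent is to drop empty items, a fuller normalisation such as `domainlist="$(printf '%s' "$domainlist" | sed 's/,,*/,/g; s/^,//; s/,$//')"` applied before the `_contains` test covers all of those cases, and a comment like `# drop empty entries so no empty DNS: SAN reaches openssl` would explain why it is there. `_createcsr` starts and ends outside this hunk.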
@ -1663,7 +1663,7 @@ _get() {
|
||||||
onlyheader="$2"
|
onlyheader="$2"
|
||||||
t="$3"
|
t="$3"
|
||||||
_debug url "$url"
|
_debug url "$url"
|
||||||
_debug "timeout" "$t"
|
_debug "timeout=$t"
|
||||||
|
|
||||||
_inithttp
|
_inithttp
|
||||||
|
|
||||||
|
@ -2277,6 +2277,11 @@ _initpath() {
|
||||||
CA_HOME="$DEFAULT_CA_HOME"
|
CA_HOME="$DEFAULT_CA_HOME"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$ACME_VERSION" = "2" ]; then
|
||||||
|
DEFAULT_CA="$LETSENCRYPT_CA_V2"
|
||||||
|
DEFAULT_STAGING_CA="$LETSENCRYPT_STAGING_CA_V2"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -z "$ACME_DIRECTORY" ]; then
|
if [ -z "$ACME_DIRECTORY" ]; then
|
||||||
if [ -z "$STAGE" ]; then
|
if [ -z "$STAGE" ]; then
|
||||||
ACME_DIRECTORY="$DEFAULT_CA"
|
ACME_DIRECTORY="$DEFAULT_CA"
|
||||||
|
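Review bot: The new `ACME_VERSION` block only redefines `DEFAULT_CA`/`DEFAULT_STAGING_CA`, and those are consulted only on the `if [ -z "$ACME_DIRECTORY" ]` path below it, so a caller that already has `ACME_DIRECTORY` set (from the environment or saved config, if that is how it is populated — not visible here) to a v1 directory keeps using it even after `_process` forces `ACME_VERSION=2` for a wildcard name, and the order presumably then fails at the CA rather than here. A local check when the two disagree, e.g. `[ "$ACME_VERSION" = "2" ] && [ -n "$ACME_DIRECTORY" ] && _debug "ACME_DIRECTORY is preset, not switching to the v2 default: $ACME_DIRECTORY"`, would make that failure visible at its source. `LETSENCRYPT_CA_V2` and `LETSENCRYPT_STAGING_CA_V2` are assumed to be defined earlier in the file. `_initpath` starts and ends outside this hunk.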
@ -2863,7 +2868,11 @@ _clearupdns() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
txtdomain="_acme-challenge.$d"
|
_dns_root_d="$d"
|
||||||
|
if _startswith "$_dns_root_d" "*."; then
|
||||||
|
_dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
|
||||||
|
fi
|
||||||
|
txtdomain="_acme-challenge.$_dns_root_d"
|
||||||
|
|
||||||
if ! $rmcommand "$txtdomain" "$txt"; then
|
if ! $rmcommand "$txtdomain" "$txt"; then
|
||||||
_err "Error removing txt for domain:$txtdomain"
|
_err "Error removing txt for domain:$txtdomain"
|
||||||
|
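Review bot: The wildcard prefix is stripped with `sed 's/*.//'`, which relies on a leading `*` being literal in BRE and on `.` matching any character, and is unanchored, so it is correct only because of the `_startswith` guard in front of it and costs two processes for a two-character edit. The POSIX parameter expansion `_dns_root_d="${d#\*.}"` followed by `txtdomain="_acme-challenge.$_dns_root_d"` does the same thing inside the shell with no guard, and since `issue()` now repeats the identical four lines, a shared helper (`_strip_wildcard() { printf '%s' "${1#\*.}"; }`) with a comment `# *.example.com and example.com share _acme-challenge.example.com` would remove the duplication. `_clearupdns` starts and ends outside this hunk.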
@ -3503,6 +3512,9 @@ issue() {
|
||||||
response="$(echo "$response" | _normalizeJson)"
|
response="$(echo "$response" | _normalizeJson)"
|
||||||
_debug2 response "$response"
|
_debug2 response "$response"
|
||||||
_d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
|
_d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
|
||||||
|
if _contains "$response" "\"wildcard\" *: *true"; then
|
||||||
|
_d="*.$_d"
|
||||||
|
fi
|
||||||
_debug2 _d "$_d"
|
_debug2 _d "$_d"
|
||||||
_authorizations_map="$_d,$response
|
_authorizations_map="$_d,$response
|
||||||
$_authorizations_map"
|
$_authorizations_map"
|
||||||
|
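Review bot: The wildcard detection `_contains "$response" "\"wildcard\" *: *true"` puts a regex-style ` *` into the needle, so whether it ever matches depends on `_contains` being a pattern match rather than a fixed-string one and on what `_normalizeJson` leaves between key and value; neither helper is visible here. If `_contains` is fixed-string the flag is never seen and the authorization is filed under the bare name; if it is a regex the check is fine but undocumented. Pinning the needle to the normalised form (`"wildcard":true`, whatever `_normalizeJson` produces) removes the dependency, and a comment such as `# RFC 8555 7.1.4: the authorization for *.example.com has identifier value example.com plus "wildcard": true` would record where the flag comes from. `issue()` starts and ends outside this hunk.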
@ -3600,7 +3612,7 @@ $_authorizations_map"
|
||||||
keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
|
keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
|
||||||
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
|
vtype=$(echo "$ventry" | cut -d "$sep" -f 4)
|
||||||
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
|
_currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5)
|
||||||
|
_debug d "$d"
|
||||||
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
|
if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then
|
||||||
_debug "$d is already verified, skip $vtype."
|
_debug "$d is already verified, skip $vtype."
|
||||||
continue
|
continue
|
||||||
|
@ -3608,12 +3620,16 @@ $_authorizations_map"
|
||||||
|
|
||||||
if [ "$vtype" = "$VTYPE_DNS" ]; then
|
if [ "$vtype" = "$VTYPE_DNS" ]; then
|
||||||
dnsadded='0'
|
dnsadded='0'
|
||||||
txtdomain="_acme-challenge.$d"
|
_dns_root_d="$d"
|
||||||
|
if _startswith "$_dns_root_d" "*."; then
|
||||||
|
_dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
|
||||||
|
fi
|
||||||
|
txtdomain="_acme-challenge.$_dns_root_d"
|
||||||
_debug txtdomain "$txtdomain"
|
_debug txtdomain "$txtdomain"
|
||||||
txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
|
txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
|
||||||
_debug txt "$txt"
|
_debug txt "$txt"
|
||||||
|
|
||||||
d_api="$(_findHook "$d" dnsapi "$_currentRoot")"
|
d_api="$(_findHook "$_dns_root_d" dnsapi "$_currentRoot")"
|
||||||
|
|
||||||
_debug d_api "$d_api"
|
_debug d_api "$d_api"
|
||||||
|
|
||||||
|
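Review bot: With `_dns_root_d` stripping the `*.` prefix, `example.com` and `*.example.com` both resolve to `txtdomain=_acme-challenge.example.com`, so two different TXT values must coexist under one name for the order to validate. That only works if every dnsapi hook appends a record instead of updating an existing one; this commit changes `dns_cf` to always add, but any other provider script with update-in-place semantics would overwrite the first token and fail the second authorization (the other hooks are not shown on this page). A comment at the `txtdomain=` assignment, `# wildcard and base name share this TXT name; dnsapi hooks must add, never replace, records`, states the new contract for hook authors. `issue()` starts and ends outside this hunk.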
@ -5476,8 +5492,16 @@ _process() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$_domain" ]; then
|
if [ -z "$_domain" ]; then
|
||||||
|
if _startswith "$_dvalue" "*."; then
|
||||||
|
_err "The first domain can not be wildcard, '$_dvalue' is a wildcard domain."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
_domain="$_dvalue"
|
_domain="$_dvalue"
|
||||||
else
|
else
|
||||||
|
if _startswith "$_dvalue" "*."; then
|
||||||
|
_debug "Wildcard domain"
|
||||||
|
export ACME_VERSION=2
|
||||||
|
fi
|
||||||
if [ "$_altdomains" = "$NO_VALUE" ]; then
|
if [ "$_altdomains" = "$NO_VALUE" ]; then
|
||||||
_altdomains="$_dvalue"
|
_altdomains="$_dvalue"
|
||||||
else
|
else
|
||||||
|
|
|
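Review bot: Wildcard detection in the `else` branch is only `_startswith "$_dvalue" "*."`, so a value with `*` elsewhere (`foo*.example.com`, `*example.com`, or `*.*.example.com`, which passes the prefix test) is accepted here, and since `_is_idn` now tolerates `*` it travels unchanged into the CSR to be rejected by the CA instead of at the command line. A fail-fast check before the `_domain` test, `case "${_dvalue#\*.}" in *\**) _err "Invalid wildcard domain: '$_dvalue'"; return 1 ;; esac`, gives a clear message instead. The `export ACME_VERSION=2` silently switches protocol, so an `_info "Wildcard domain '$_dvalue' requires ACME v2, switching."` helps anyone reading logs, and "can not" in the error text should read "cannot". `_process` starts and ends outside this hunk.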
@ -51,9 +51,11 @@ dns_cf_add() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
|
# For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
|
||||||
_debug count "$count"
|
# we can not use updating anymore.
|
||||||
if [ "$count" = "0" ]; then
|
# count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
|
||||||
|
# _debug count "$count"
|
||||||
|
# if [ "$count" = "0" ]; then
|
||||||
_info "Adding record"
|
_info "Adding record"
|
||||||
if _cf_rest POST "zones/$_domain_id/dns_records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
|
if _cf_rest POST "zones/$_domain_id/dns_records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
|
||||||
if printf -- "%s" "$response" | grep "$fulldomain" >/dev/null; then
|
if printf -- "%s" "$response" | grep "$fulldomain" >/dev/null; then
|
||||||
|
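Review bot: The count check is commented out rather than deleted, and the lookup that fills `$response` before this hunk (not visible) now appears to be used only for its error return, so the dead lines should go and the reason should be stated in one comment: `# Always add: *.example.com and example.com need two TXT records under one name, so updating would clobber the first.` Always adding also means every run creates a fresh record, so leftovers accumulate whenever cleanup is skipped or the remove hook fails; logging the existing record count with `_debug` before the POST would make that accumulation visible. `dns_cf_add` starts and ends outside this hunk.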
@ -65,19 +67,20 @@ dns_cf_add() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
_err "Add txt record error."
|
_err "Add txt record error."
|
||||||
else
|
|
||||||
_info "Updating record"
|
|
||||||
record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
|
|
||||||
_debug "record_id" "$record_id"
|
|
||||||
|
|
||||||
_cf_rest PUT "zones/$_domain_id/dns_records/$record_id" "{\"id\":\"$record_id\",\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"zone_id\":\"$_domain_id\",\"zone_name\":\"$_domain\"}"
|
|
||||||
if [ "$?" = "0" ]; then
|
|
||||||
_info "Updated, OK"
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
_err "Update error"
|
|
||||||
return 1
|
return 1
|
||||||
fi
|
# else
|
||||||
|
# _info "Updating record"
|
||||||
|
# record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
|
||||||
|
# _debug "record_id" "$record_id"
|
||||||
|
#
|
||||||
|
# _cf_rest PUT "zones/$_domain_id/dns_records/$record_id" "{\"id\":\"$record_id\",\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"zone_id\":\"$_domain_id\",\"zone_name\":\"$_domain\"}"
|
||||||
|
# if [ "$?" = "0" ]; then
|
||||||
|
# _info "Updated, OK"
|
||||||
|
# return 0
|
||||||
|
# fi
|
||||||
|
# _err "Update error"
|
||||||
|
# return 1
|
||||||
|
# fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|