|
|
|
@ -1,5 +1,5 @@
|
|
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
VER=1.1.9
|
|
|
|
|
VER=1.2.0
|
|
|
|
|
PROJECT="https://github.com/Neilpang/le"
|
|
|
|
|
|
|
|
|
|
DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
|
|
|
|
@ -20,18 +20,6 @@ if [ -z "$AGREEMENT" ] ; then
|
|
|
|
|
AGREEMENT="$DEFAULT_AGREEMENT"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
_debug() {
|
|
|
|
|
|
|
|
|
|
if [ -z "$DEBUG" ] ; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -z "$2" ] ; then
|
|
|
|
|
echo $1
|
|
|
|
|
else
|
|
|
|
|
echo "$1"="$2"
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_info() {
|
|
|
|
|
if [ -z "$2" ] ; then
|
|
|
|
@ -50,6 +38,26 @@ _err() {
|
|
|
|
|
return 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_debug() {
|
|
|
|
|
if [ -z "$DEBUG" ] ; then
|
|
|
|
|
return
|
|
|
|
|
fi
|
|
|
|
|
_err "$1" "$2"
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_exists() {
|
|
|
|
|
cmd="$1"
|
|
|
|
|
if [ -z "$cmd" ] ; then
|
|
|
|
|
_err "Usage: _exists cmd"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
command -v $cmd >/dev/null 2>&1
|
|
|
|
|
ret="$?"
|
|
|
|
|
_debug "$cmd exists=$ret"
|
|
|
|
|
return $ret
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_h2b() {
|
|
|
|
|
hex=$(cat)
|
|
|
|
|
i=1
|
|
|
|
@ -65,6 +73,25 @@ _h2b() {
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#options file
|
|
|
|
|
_sed_i() {
|
|
|
|
|
options="$1"
|
|
|
|
|
filename="$2"
|
|
|
|
|
if [ -z "$filename" ] ; then
|
|
|
|
|
_err "Usage:_sed_i options filename"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if sed -h 2>&1 | grep "\-i[SUFFIX]" ; then
|
|
|
|
|
_debug "Using sed -i"
|
|
|
|
|
sed -i ""
|
|
|
|
|
else
|
|
|
|
|
_debug "No -i support in sed"
|
|
|
|
|
text="$(cat $filename)"
|
|
|
|
|
echo "$text" | sed "$options" > "$filename"
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#Usage: file startline endline
|
|
|
|
|
_getfile() {
|
|
|
|
|
filename="$1"
|
|
|
|
@ -393,6 +420,57 @@ _calcjwk() {
|
|
|
|
|
|
|
|
|
|
_debug HEADER "$HEADER"
|
|
|
|
|
}
|
|
|
|
|
# body url [needbase64]
|
|
|
|
|
_post() {
|
|
|
|
|
body="$1"
|
|
|
|
|
url="$2"
|
|
|
|
|
needbase64="$3"
|
|
|
|
|
|
|
|
|
|
if _exists "curl" ; then
|
|
|
|
|
dp="$LE_WORKING_DIR/curl.dump"
|
|
|
|
|
CURL="curl --silent --dump-header $HTTP_HEADER "
|
|
|
|
|
if [ "$DEBUG" ] ; then
|
|
|
|
|
CURL="$CURL --trace-ascii $dp "
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ "$needbase64" ] ; then
|
|
|
|
|
response="$($CURL -X POST --data "$body" $url | _base64)"
|
|
|
|
|
else
|
|
|
|
|
response="$($CURL -X POST --data "$body" $url)"
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
if [ "$needbase64" ] ; then
|
|
|
|
|
response="$(wget -q -S -O - --post-data="$body" $url 2>"$HTTP_HEADER" | _base64)"
|
|
|
|
|
else
|
|
|
|
|
response="$(wget -q -S -O - --post-data="$body" $url 2>"$HTTP_HEADER")"
|
|
|
|
|
fi
|
|
|
|
|
_sed_i "s/^ *//g" "$HTTP_HEADER"
|
|
|
|
|
fi
|
|
|
|
|
echo -n "$response"
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# url getheader
|
|
|
|
|
_get() {
|
|
|
|
|
url="$1"
|
|
|
|
|
onlyheader="$2"
|
|
|
|
|
_debug url $url
|
|
|
|
|
if _exists "curl" ; then
|
|
|
|
|
if [ "$onlyheader" ] ; then
|
|
|
|
|
curl -I --silent $url
|
|
|
|
|
else
|
|
|
|
|
curl --silent $url
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
if [ "$onlyheader" ] ; then
|
|
|
|
|
wget -S -q -O /dev/null $url 2>&1 | sed "s/^[ ]*//g"
|
|
|
|
|
else
|
|
|
|
|
wget -q -O - $url
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
ret=$?
|
|
|
|
|
return $ret
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# url payload needbase64 keyfile
|
|
|
|
|
_send_signed_request() {
|
|
|
|
@ -409,18 +487,12 @@ _send_signed_request() {
|
|
|
|
|
if ! _calcjwk "$keyfile" ; then
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
CURL_HEADER="$LE_WORKING_DIR/curl.header"
|
|
|
|
|
dp="$LE_WORKING_DIR/curl.dump"
|
|
|
|
|
CURL="curl --silent --dump-header $CURL_HEADER "
|
|
|
|
|
if [ "$DEBUG" ] ; then
|
|
|
|
|
CURL="$CURL --trace-ascii $dp "
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
payload64=$(echo -n $payload | _base64 | _urlencode)
|
|
|
|
|
_debug payload64 $payload64
|
|
|
|
|
|
|
|
|
|
nonceurl="$API/directory"
|
|
|
|
|
nonce="$($CURL -I $nonceurl | grep -o "^Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)"
|
|
|
|
|
nonce="$(_get $nonceurl "onlyheader" | grep -o "Replay-Nonce:.*$" | tr -d "\r\n" | cut -d ' ' -f 2)"
|
|
|
|
|
|
|
|
|
|
_debug nonce "$nonce"
|
|
|
|
|
|
|
|
|
@ -436,31 +508,18 @@ _send_signed_request() {
|
|
|
|
|
body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
|
|
|
|
|
_debug body "$body"
|
|
|
|
|
|
|
|
|
|
if [ "$needbase64" ] ; then
|
|
|
|
|
response="$($CURL -X POST --data "$body" $url | _base64)"
|
|
|
|
|
else
|
|
|
|
|
response="$($CURL -X POST --data "$body" $url)"
|
|
|
|
|
fi
|
|
|
|
|
HTTP_HEADER="$LE_WORKING_DIR/http.header"
|
|
|
|
|
response="$(_post "$body" $url "$needbase64" )"
|
|
|
|
|
|
|
|
|
|
responseHeaders="$(cat $CURL_HEADER)"
|
|
|
|
|
responseHeaders="$(cat $HTTP_HEADER)"
|
|
|
|
|
|
|
|
|
|
_debug responseHeaders "$responseHeaders"
|
|
|
|
|
_debug response "$response"
|
|
|
|
|
code="$(grep ^HTTP $CURL_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )"
|
|
|
|
|
code="$(grep "^HTTP" $HTTP_HEADER | tail -1 | cut -d " " -f 2 | tr -d "\r\n" )"
|
|
|
|
|
_debug code $code
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_get() {
|
|
|
|
|
url="$1"
|
|
|
|
|
_debug url $url
|
|
|
|
|
response="$(curl --silent $url)"
|
|
|
|
|
ret=$?
|
|
|
|
|
_debug response "$response"
|
|
|
|
|
code="$(echo $response | grep -o '"status":[0-9]\+' | cut -d : -f 2)"
|
|
|
|
|
_debug code $code
|
|
|
|
|
return $ret
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#setopt "file" "opt" "=" "value" [";"]
|
|
|
|
|
_setopt() {
|
|
|
|
@ -1040,7 +1099,7 @@ issue() {
|
|
|
|
|
_send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"
|
|
|
|
|
|
|
|
|
|
if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then
|
|
|
|
|
_err "$d:Challenge error: $resource"
|
|
|
|
|
_err "$d:Challenge error: $response"
|
|
|
|
|
_clearupwebbroot "$Le_Webroot" "$removelevel" "$token"
|
|
|
|
|
_clearup
|
|
|
|
|
return 1
|
|
|
|
@ -1050,9 +1109,9 @@ issue() {
|
|
|
|
|
_debug "sleep 5 secs to verify"
|
|
|
|
|
sleep 5
|
|
|
|
|
_debug "checking"
|
|
|
|
|
|
|
|
|
|
if ! _get $uri ; then
|
|
|
|
|
_err "$d:Verify error:$resource"
|
|
|
|
|
response="$(_get $uri)"
|
|
|
|
|
if [ "$?" != "0" ] ; then
|
|
|
|
|
_err "$d:Verify error:$response"
|
|
|
|
|
_clearupwebbroot "$Le_Webroot" "$removelevel" "$token"
|
|
|
|
|
_clearup
|
|
|
|
|
return 1
|
|
|
|
@ -1094,12 +1153,12 @@ issue() {
|
|
|
|
|
_send_signed_request "$API/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Le_LinkCert="$(grep -i -o '^Location.*$' $CURL_HEADER | tr -d "\r\n" | cut -d " " -f 2)"
|
|
|
|
|
Le_LinkCert="$(grep -i -o '^Location.*$' $HTTP_HEADER | tr -d "\r\n" | cut -d " " -f 2)"
|
|
|
|
|
_setopt "$DOMAIN_CONF" "Le_LinkCert" "=" "$Le_LinkCert"
|
|
|
|
|
|
|
|
|
|
if [ "$Le_LinkCert" ] ; then
|
|
|
|
|
echo "$BEGIN_CERT" > "$CERT_PATH"
|
|
|
|
|
curl --silent "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH"
|
|
|
|
|
_get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH"
|
|
|
|
|
echo "$END_CERT" >> "$CERT_PATH"
|
|
|
|
|
_info "Cert success."
|
|
|
|
|
cat "$CERT_PATH"
|
|
|
|
@ -1117,12 +1176,12 @@ issue() {
|
|
|
|
|
|
|
|
|
|
_setopt "$DOMAIN_CONF" 'Le_Vlist' '=' "\"\""
|
|
|
|
|
|
|
|
|
|
Le_LinkIssuer=$(grep -i '^Link' $CURL_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' )
|
|
|
|
|
Le_LinkIssuer=$(grep -i '^Link' $HTTP_HEADER | cut -d " " -f 2| cut -d ';' -f 1 | tr -d '<>' )
|
|
|
|
|
_setopt "$DOMAIN_CONF" "Le_LinkIssuer" "=" "$Le_LinkIssuer"
|
|
|
|
|
|
|
|
|
|
if [ "$Le_LinkIssuer" ] ; then
|
|
|
|
|
echo "$BEGIN_CERT" > "$CA_CERT_PATH"
|
|
|
|
|
curl --silent "$Le_LinkIssuer" | _base64 "multiline" >> "$CA_CERT_PATH"
|
|
|
|
|
_get "$Le_LinkIssuer" | _base64 "multiline" >> "$CA_CERT_PATH"
|
|
|
|
|
echo "$END_CERT" >> "$CA_CERT_PATH"
|
|
|
|
|
_info "The intermediate CA cert is in $CA_CERT_PATH"
|
|
|
|
|
cat "$CA_CERT_PATH" >> "$CERT_FULLCHAIN_PATH"
|
|
|
|
@ -1389,48 +1448,44 @@ _initconf() {
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
install() {
|
|
|
|
|
if ! _initpath ; then
|
|
|
|
|
_err "Install failed."
|
|
|
|
|
_precheck() {
|
|
|
|
|
if ! _exists "curl" && ! _exists "wget"; then
|
|
|
|
|
_err "Please install curl or wget first, we need to access http resources."
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
#check if there is sudo installed, AND if the current user is a sudoer.
|
|
|
|
|
if command -v sudo > /dev/null ; then
|
|
|
|
|
if [ "$(sudo -n uptime 2>&1|grep "load"|wc -l)" != "0" ] ; then
|
|
|
|
|
SUDO=sudo
|
|
|
|
|
fi
|
|
|
|
|
if ! _exists "crontab" ; then
|
|
|
|
|
_err "Please install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'."
|
|
|
|
|
_err "We need to set cron job to renew the certs automatically."
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if command -v yum > /dev/null ; then
|
|
|
|
|
YUM="1"
|
|
|
|
|
INSTALL="$SUDO yum install -y "
|
|
|
|
|
elif command -v apt-get > /dev/null ; then
|
|
|
|
|
INSTALL="$SUDO apt-get install -y "
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! command -v "curl" > /dev/null ; then
|
|
|
|
|
_err "Please install curl first."
|
|
|
|
|
_err "$INSTALL curl"
|
|
|
|
|
if ! _exists "openssl" ; then
|
|
|
|
|
_err "Please install openssl first."
|
|
|
|
|
_err "We need openssl to generate keys."
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! command -v "crontab" > /dev/null ; then
|
|
|
|
|
_err "Please install crontab first."
|
|
|
|
|
if [ "$YUM" ] ; then
|
|
|
|
|
_err "$INSTALL crontabs"
|
|
|
|
|
else
|
|
|
|
|
_err "$INSTALL crontab"
|
|
|
|
|
fi
|
|
|
|
|
if ! _exists "nc" ; then
|
|
|
|
|
_err "It is recommended to install nc first, try to install 'nc' or 'netcat'."
|
|
|
|
|
_err "We use nc for standalone server if you use standalone mode."
|
|
|
|
|
_err "If you don't use standalone mode, just ignore this warning."
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
install() {
|
|
|
|
|
if ! _initpath ; then
|
|
|
|
|
_err "Install failed."
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! command -v "openssl" > /dev/null ; then
|
|
|
|
|
_err "Please install openssl first."
|
|
|
|
|
_err "$INSTALL openssl"
|
|
|
|
|
if ! _precheck ; then
|
|
|
|
|
_err "Pre-check failed, can not install."
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
_info "Installing to $LE_WORKING_DIR"
|
|
|
|
|
|
|
|
|
|
cp le.sh "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/le.sh"
|
|
|
|
|