|
|
|
@ -1827,23 +1827,29 @@ _send_signed_request() {
|
|
|
|
|
nonceurl="$ACME_NEW_NONCE" |
|
|
|
|
if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then |
|
|
|
|
_headers="$(cat "$HTTP_HEADER")" |
|
|
|
|
_debug2 _headers "$_headers" |
|
|
|
|
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" |
|
|
|
|
fi |
|
|
|
|
fi |
|
|
|
|
if [ -z "$_headers" ]; then |
|
|
|
|
if [ -z "$_CACHED_NONCE" ]; then |
|
|
|
|
_debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY" |
|
|
|
|
nonceurl="$ACME_DIRECTORY" |
|
|
|
|
_headers="$(_get "$nonceurl" "onlyheader")" |
|
|
|
|
_debug2 _headers "$_headers" |
|
|
|
|
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then |
|
|
|
|
_debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE" |
|
|
|
|
nonceurl="$ACME_NEW_NONCE" |
|
|
|
|
_headers="$(_get "$nonceurl" "onlyheader")" |
|
|
|
|
_debug2 _headers "$_headers" |
|
|
|
|
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" |
|
|
|
|
fi |
|
|
|
|
_debug2 _CACHED_NONCE "$_CACHED_NONCE" |
|
|
|
|
if [ "$?" != "0" ]; then |
|
|
|
|
_err "Can not connect to $nonceurl to get nonce." |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
_debug2 _headers "$_headers" |
|
|
|
|
|
|
|
|
|
_CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" |
|
|
|
|
_debug2 _CACHED_NONCE "$_CACHED_NONCE" |
|
|
|
|
else |
|
|
|
|
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE" |
|
|
|
|
fi |
|
|
|
@ -2060,6 +2066,7 @@ _clearcaconf() {
|
|
|
|
|
_startserver() { |
|
|
|
|
content="$1" |
|
|
|
|
ncaddr="$2" |
|
|
|
|
_debug "content" "$content" |
|
|
|
|
_debug "ncaddr" "$ncaddr" |
|
|
|
|
|
|
|
|
|
_debug "startserver: $$" |
|
|
|
@ -2086,8 +2093,14 @@ _startserver() {
|
|
|
|
|
SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}" |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
_content_len="$(printf "%s" "$content" | wc -c)" |
|
|
|
|
_debug _content_len "$_content_len" |
|
|
|
|
_debug "_NC" "$_NC $SOCAT_OPTIONS" |
|
|
|
|
$_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo $content; echo;" & |
|
|
|
|
$_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ |
|
|
|
|
echo 'HTTP/1.0 200 OK'; \ |
|
|
|
|
echo 'Content-Length\: $_content_len'; \ |
|
|
|
|
echo ''; \ |
|
|
|
|
printf '$content';" & |
|
|
|
|
serverproc="$!" |
|
|
|
|
} |
|
|
|
|
|
|
|
|
@ -3062,6 +3075,7 @@ _on_before_issue() {
|
|
|
|
|
_info "Standalone mode." |
|
|
|
|
if [ -z "$Le_HTTPPort" ]; then |
|
|
|
|
Le_HTTPPort=80 |
|
|
|
|
_cleardomainconf "Le_HTTPPort" |
|
|
|
|
else |
|
|
|
|
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort" |
|
|
|
|
fi |
|
|
|
@ -3269,7 +3283,7 @@ _regAccount() {
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
_debug2 responseHeaders "$responseHeaders" |
|
|
|
|
_accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")" |
|
|
|
|
_accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")" |
|
|
|
|
_debug "_accUri" "$_accUri" |
|
|
|
|
if [ -z "$_accUri" ]; then |
|
|
|
|
_err "Can not find account id url." |
|
|
|
@ -3435,7 +3449,7 @@ __trigger_validation() {
|
|
|
|
|
_t_vtype="$3" |
|
|
|
|
_debug2 _t_vtype "$_t_vtype" |
|
|
|
|
if [ "$ACME_VERSION" = "2" ]; then |
|
|
|
|
_send_signed_request "$_t_url" "{\"keyAuthorization\": \"$_t_key_authz\"}" |
|
|
|
|
_send_signed_request "$_t_url" "{}" |
|
|
|
|
else |
|
|
|
|
_send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}" |
|
|
|
|
fi |
|
|
|
@ -4205,20 +4219,66 @@ $_authorizations_map"
|
|
|
|
|
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" |
|
|
|
|
|
|
|
|
|
if [ "$ACME_VERSION" = "2" ]; then |
|
|
|
|
_info "Lets finalize the order, Le_OrderFinalize: $Le_OrderFinalize" |
|
|
|
|
if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then |
|
|
|
|
_err "Sign failed." |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
if [ "$code" != "200" ]; then |
|
|
|
|
_err "Sign failed, code is not 200." |
|
|
|
|
_err "Sign failed, finalize code is not 200." |
|
|
|
|
_err "$response" |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" |
|
|
|
|
Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)" |
|
|
|
|
if [ -z "$Le_LinkOrder" ]; then |
|
|
|
|
_err "Sign error, can not get order link location header" |
|
|
|
|
_err "responseHeaders" "$responseHeaders" |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
_savedomainconf "Le_LinkOrder" "$Le_LinkOrder" |
|
|
|
|
|
|
|
|
|
_link_cert_retry=0 |
|
|
|
|
_MAX_CERT_RETRY=5 |
|
|
|
|
while [ -z "$Le_LinkCert" ] && [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do |
|
|
|
|
if _contains "$response" "\"status\":\"valid\""; then |
|
|
|
|
_debug "Order status is valid." |
|
|
|
|
Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" |
|
|
|
|
_debug Le_LinkCert "$Le_LinkCert" |
|
|
|
|
if [ -z "$Le_LinkCert" ]; then |
|
|
|
|
_err "Sign error, can not find Le_LinkCert" |
|
|
|
|
_err "$response" |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
break |
|
|
|
|
elif _contains "$response" "\"processing\""; then |
|
|
|
|
_info "Order status is processing, lets sleep and retry." |
|
|
|
|
_sleep 2 |
|
|
|
|
else |
|
|
|
|
_err "Sign error, wrong status" |
|
|
|
|
_err "$response" |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
if ! _send_signed_request "$Le_LinkOrder"; then |
|
|
|
|
_err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder." |
|
|
|
|
_err "$response" |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
_link_cert_retry="$(_math $_link_cert_retry + 1)" |
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
_tempSignedResponse="$response" |
|
|
|
|
if [ -z "$Le_LinkCert" ]; then |
|
|
|
|
_err "Sign failed, can not get Le_LinkCert, retry time limit." |
|
|
|
|
_err "$response" |
|
|
|
|
_on_issue_err "$_post_hook" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
_info "Download cert, Le_LinkCert: $Le_LinkCert" |
|
|
|
|
if ! _send_signed_request "$Le_LinkCert"; then |
|
|
|
|
_err "Sign failed, can not download cert:$Le_LinkCert." |
|
|
|
|
_err "$response" |
|
|
|
@ -4237,7 +4297,7 @@ $_authorizations_map"
|
|
|
|
|
_end_n="$(_math $_end_n + 1)" |
|
|
|
|
sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH" |
|
|
|
|
fi |
|
|
|
|
response="$_tempSignedResponse" |
|
|
|
|
|
|
|
|
|
else |
|
|
|
|
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then |
|
|
|
|
_err "Sign failed. $response" |
|
|
|
|