In order to stop processing on failure to copy certificate
to remote side, fail on error of scp command.
Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
In order to detect errorneous scripts on remote side, catch return code
and handle it respectively.
Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
Reviewed-by: Ross Shen @sjtuross
This set the owner of script to ssh user, have the comment line in script
as real comment and removes policy since this is set from current user,
at least for RouterOS 7.x.
Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
As the script is applying the fullchain which includes three certificates,
delete all of them before applying updated certificate.
Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
Previously the deploy hook config was stored in the account config.
This seems odd and adds unnecessary limitations to the hook.
Now we're using the correct _*deployconf() functions to read and
write the deploy hook config.
This escapes special characters used in POSIX sed to prevent mismatches.
e.g. `SYNO_Certficiate=*.example.com` would not match a description of
"*.example.com" and would look to match any number of double quotes (the
last character in the sed regex prior to certificate description),
followed by any single character, followed by "example", followed by any
character, followed by "com".
After this change, it will properly match `*.example.com` and not
`""zexamplefcom`.
Additionally we now store the certificate description as base64 encoded
to prevent issues with single quotes.
Tested on DSM 7.0-41222 (VDSM) and DSM 6.2.4-25556 (DS1515+).
As noted by @buxm, previous fix didn't work for all versions of DSM 6.
The better fix appears to be simply not outputting the "as_default"
parameter unless we are doing something with the default certificate.
For some DSM installs, it appears that setting the "default" flag to the
string "false" actually sets it to true. This causes Synology to set
the last updated certificate to be the default certificate. Using an
empty string appears to still be accepted as a false-y value for DSMs
where this isn't happening and corrects the behavior in the cases that
it was.
Credit to @Run-King for identifying the fix and @buxm for reporting.
When using vault_cli with a kv2 path, it isn't working. I have the following error:
```
WARNING! The following warnings were returned from Vault:
* Invalid path for a versioned K/V secrets engine. See the API docs for the
appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
for this operation.
```
The new way to write data is to use `vault kv put`, it is compatible with kv1 and kv2.
Ref: https://www.vaultproject.io/docs/commands#reading-and-writing-data
```
The original version of K/V used the common read and write operations. A more advanced K/V Version 2 engine was released in Vault 0.10 and introduced the kv get and kv put commands.
```
* fix: unifi deploy hook also update Cloud Key nginx certs
When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).
Fixes#3326
* Improve settings documentation comments
* Improve Cloud Key pre-flight error messaging
* Fix typo
* Add support for UnifiOS (Cloud Key Gen2)
Since UnifiOS does not use the Java keystore (like a Unifi
Controller or Cloud Key Gen1 deploy), this also reworks
the settings validation and error messaging somewhat.
* PR review fixes
* Detect unsupported Cloud Key java keystore location
* Don't try to restart inactive services
(and remove extra spaces from reload command)
* Clean up error messages and internal variables
* Change to _getdeployconf/_savedeployconf
* Switch from cp to cat to preserve file permissions
acme .sh deploy Scipt for TrueNAS Server that uses the REST API from TrueNAS.
- Authentification with API Key
- If HTTP redirect is configured, automatik switch to HTTPS
- If WebDAV Certificate is the same as Web UI Certificate, Webdav Certificate get also an updated
- If FTP Certificate is the same as Web UI Certificate, FTP Certificate get also an updated
Small changes for DSM 6:
All fields (except enable_syno_token as explained below) must either be in the GET params or the POST params, you can't mix GET and POST params
enable_syno_token=yes must be in both the GET and POST params.
If enable_syno_token=yes is only in the POST fields, then DSM6 returns a synotoken of --------. If enable_syno_token=yes is only in the GET params, then it returns no synotoken at all. It must be in both to work.
Need to use /webapi/auth.cgi instead of /webapi/entry.cgi
Verified with DSM 6.2.3-25426 Update 2 and DSM 7.0-40850
This allows us to get the cookie and the token (as it appears to be only in the body in DSM 7.) HTTP_HEADERS is only guarenteed to be output with POST for both wget and curl.
I have modified the following things:
Originally, "/data/assets/ssl/" is always appended to the varialbe ${_mailcow_path}. Since I use acme.sh as docker container, I only want to include the mailcow-ssl directory in the acem.sh container and not the complete mailcow directory. So now it is checked if the file generate_config.sh is in the directory (then it is the mailcow root directory, see https://github.com/mailcow/mailcow-dockerized) and only then "/data/assets/ssl/" is appended, in all other cases the passed variable is taken over unchanged.
Because of the RP mailcow/mailcow-dockerized#2443 I have extended the script with ECC certificates.
I adapted the reboot commands as described in the mailcow manual (https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/#how-to-use-your-own-certificate).
This provider relies on the the python-openstackclient and
python-designateclient tools be installed and working, with
either password or application credentials loaded in your env.
I'm actually not entirely sure why/how this worked with curl but not wget, but it did. The short answer is that using a GET does not result in the HTTP_HEADER file being written, instead you must pass in the http_headers param ($2) which will return the HTTP headers as a string. Luckily, the Token is in both the body and the header. We need it and the id (and smid if 2fa) cookie to proceed. So now we parrse the response for that instead of the HTTP_HEADER file.
Interesting side note: wget is fine if the URL contains a \r or \n, but curl will barf on it. So we need to make sure those are stripped from the token as it will be passed in the URL later.
It was discovered in testing that PAN-OS < 9.0 has slightly different
requirements for the multipart/form-data format and requires the `type`
parameter to be passed in the URL. These corrections should work for all
PAN-OS versions.
Before this update all remote commands were bunched together and
sent to the remote host in a single SSH command. This could result
in a very long sequence of commands that might be rejected by a
remote host (example is VMware ESXi that uses busybox sh).
With this update you can set DEPLOY_SSH_BATCH_MODE="no" and
each remote command is sent as a separate SSH call so now we
do not have big long sequence of commands. Defaults to same
behaviour as before this update.
haproxy deploy script now compatible with OpenSSL v1.1+
The OpenSSL OCSP request for haproxy deployment breaks from OpenSSL v1.1.0 on.
The format of the `-header` option has been changed and does now contain a `=` instead of a whitespace.
Other projects have hit the same issue:
https://github.com/nghttp2/nghttp2/issues/742
This commit determines the OpenSSL/LibreSSL version and then adjusts the request accordingly.
Also removed the duplicate command line and added some more debug output.
This allows you to update a key on a Synology DSM using the existing API.
Handles restarting the necessary services the certificate is attached to and all other internal stuff (copying the certificate around, etc.)
This is way less error prone than most articles I've found on how to update a Synology DSM certificate.
* support jdcloud.com
* fix format
* ttl 3000
* Escape slashes (#2375)
* Change 1.1.1.1 to 1.0.0.1 to probe compatibility (#2330)
As we can see, 1.1.1.1 is not routed or routed to an Intranet devices due to historical reason. Change 1.1.1.1 to 1.0.0.1 will have a better compatibility. I found this problem on my Tencent Cloud server.
* check empty id
* fix error
* Add dnsapi for Vultr (#2370)
* Add Vultr dns api
* PushOver notifications (#2325)
* PushOver notifications, using AppToken, UserKey, and optional sounds
* fix errors
* added dns api support for hexonet (#1776)
* update
* minor
* support new Cloudflare Token format
fix https://github.com/Neilpang/acme.sh/issues/2398
* fix wildcard domain name
* add more info
* fix https://github.com/Neilpang/acme.sh/issues/2377
* fix format
* fix format
* implement basic haproxy deploy
HAProxy requires the certificate chain and key to be concatenated and placed somewhere (can be anywhere). This script expects a single environment variable with the path where the concatenated PEM file should be written
* add docs for HAProxy deployment
* Add conditional check to ensure path is provided
* remove whitespace
* remove more whitespace (trying to get TravisCI working)
* add reload
* update for POSIX compliance
* add documentation for reload command
* Update haproxy deploy hook
Add functionality to add OCSP stapling info (.ocsp file), issuer (.issuer file) and multi-cert bundles (suffix on pem file based on key type).
This also corrects the order of key, certificate and intermediate in the PEM file, which although HAProxy does not seem to care, was incorrect in the prior version.
* Document updated haproxy deploy hook
* Fix variable name
* whitespace fixes
* Support HAPROXY_DEPLOY_PEM_PATH
Adds compatibility to original haproxy deploy hook while still allowing custom PEM file name (via HAPROXY_DEPLOY_PEM_NAME)
* update for new haproxy deploy vars
* Fix return from reload
* Fix Le_Keylength case
* Update cert suffix for bundles .ocsp generation
* Whitepspace
* Change default for reload
* Readme update
* Actually set reload default
* Fix README.md confict
neil