Merge branch 'acmesh-official:master' into master
This commit is contained in:
commit
4770364d42
@ -51,14 +51,12 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
|
||||
- [ruby-china.org](https://ruby-china.org/topics/31983)
|
||||
- [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management)
|
||||
- [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
|
||||
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
|
||||
- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
|
||||
- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
|
||||
- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
|
||||
- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
|
||||
- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
|
||||
- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
|
||||
- [CentOS Web Panel](http://centos-webpanel.com/)
|
||||
- [CentOS Web Panel](https://control-webpanel.com)
|
||||
- [lnmp.org](https://lnmp.org/)
|
||||
- [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials)
|
||||
|
||||
|
73
acme.sh
73
acme.sh
@ -2884,6 +2884,7 @@ _initpath() {
|
||||
fi
|
||||
fi
|
||||
_debug DOMAIN_PATH "$DOMAIN_PATH"
|
||||
export DOMAIN_PATH
|
||||
fi
|
||||
|
||||
if [ -z "$DOMAIN_BACKUP_PATH" ]; then
|
||||
@ -2935,22 +2936,6 @@ _initpath() {
|
||||
|
||||
}
|
||||
|
||||
_exec() {
|
||||
if [ -z "$_EXEC_TEMP_ERR" ]; then
|
||||
_EXEC_TEMP_ERR="$(_mktemp)"
|
||||
fi
|
||||
|
||||
if [ "$_EXEC_TEMP_ERR" ]; then
|
||||
eval "$@ 2>>$_EXEC_TEMP_ERR"
|
||||
else
|
||||
eval "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
_exec_err() {
|
||||
[ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
|
||||
}
|
||||
|
||||
_apachePath() {
|
||||
_APACHECTL="apachectl"
|
||||
if ! _exists apachectl; then
|
||||
@ -2963,8 +2948,7 @@ _apachePath() {
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! _exec $_APACHECTL -V >/dev/null; then
|
||||
_exec_err
|
||||
if ! $_APACHECTL -V >/dev/null; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
@ -3016,8 +3000,7 @@ _restoreApache() {
|
||||
|
||||
cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
|
||||
_debug "Restored: $httpdconf."
|
||||
if ! _exec $_APACHECTL -t; then
|
||||
_exec_err
|
||||
if ! $_APACHECTL -t; then
|
||||
_err "Sorry, restore apache config error, please contact me."
|
||||
return 1
|
||||
fi
|
||||
@ -3035,8 +3018,7 @@ _setApache() {
|
||||
#test the conf first
|
||||
_info "Checking if there is an error in the apache config file before starting."
|
||||
|
||||
if ! _exec "$_APACHECTL" -t >/dev/null; then
|
||||
_exec_err
|
||||
if ! $_APACHECTL -t >/dev/null; then
|
||||
_err "The apache config file has error, please fix it first, then try again."
|
||||
_err "Don't worry, there is nothing changed to your system."
|
||||
return 1
|
||||
@ -3097,8 +3079,7 @@ Allow from all
|
||||
chmod 755 "$ACME_DIR"
|
||||
fi
|
||||
|
||||
if ! _exec "$_APACHECTL" graceful; then
|
||||
_exec_err
|
||||
if ! $_APACHECTL graceful; then
|
||||
_err "$_APACHECTL graceful error, please contact me."
|
||||
_restoreApache
|
||||
return 1
|
||||
@ -3183,8 +3164,7 @@ _setNginx() {
|
||||
return 1
|
||||
fi
|
||||
_info "Check the nginx conf before setting up."
|
||||
if ! _exec "nginx -t" >/dev/null; then
|
||||
_exec_err
|
||||
if ! nginx -t >/dev/null; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
@ -3211,16 +3191,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
|
||||
fi
|
||||
_debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
|
||||
_info "nginx conf is done, let's check it again."
|
||||
if ! _exec "nginx -t" >/dev/null; then
|
||||
_exec_err
|
||||
if ! nginx -t >/dev/null; then
|
||||
_err "It seems that nginx conf was broken, let's restore."
|
||||
cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
|
||||
return 1
|
||||
fi
|
||||
|
||||
_info "Reload nginx"
|
||||
if ! _exec "nginx -s reload" >/dev/null; then
|
||||
_exec_err
|
||||
if ! nginx -s reload >/dev/null; then
|
||||
_err "It seems that nginx reload error, let's restore."
|
||||
cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
|
||||
return 1
|
||||
@ -3345,8 +3323,7 @@ _restoreNginx() {
|
||||
done
|
||||
|
||||
_info "Reload nginx"
|
||||
if ! _exec "nginx -s reload" >/dev/null; then
|
||||
_exec_err
|
||||
if ! nginx -s reload >/dev/null; then
|
||||
_err "It seems that nginx reload error, please report bug."
|
||||
return 1
|
||||
fi
|
||||
@ -4684,19 +4661,18 @@ $_authorizations_map"
|
||||
thumbprint="$(__calc_account_thumbprint)"
|
||||
fi
|
||||
|
||||
entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
|
||||
_debug entry "$entry"
|
||||
keyauthorization=""
|
||||
if [ -z "$entry" ]; then
|
||||
if ! _startswith "$d" '*.'; then
|
||||
_debug "Not a wildcard domain, lets check whether the validation is already valid."
|
||||
|
||||
if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
|
||||
_debug "$d is already valid."
|
||||
keyauthorization="$STATE_VERIFIED"
|
||||
_debug keyauthorization "$keyauthorization"
|
||||
fi
|
||||
fi
|
||||
if [ -z "$keyauthorization" ]; then
|
||||
|
||||
entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
|
||||
_debug entry "$entry"
|
||||
|
||||
if [ -z "$keyauthorization" -a -z "$entry" ]; then
|
||||
_err "Error, can not get domain token entry $d for $vtype"
|
||||
_supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
|
||||
if [ "$_supported_vtypes" ]; then
|
||||
@ -4706,7 +4682,6 @@ $_authorizations_map"
|
||||
_on_issue_err "$_post_hook"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$keyauthorization" ]; then
|
||||
token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
|
||||
@ -4731,12 +4706,6 @@ $_authorizations_map"
|
||||
fi
|
||||
keyauthorization="$token.$thumbprint"
|
||||
_debug keyauthorization "$keyauthorization"
|
||||
|
||||
if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
|
||||
_debug "$d is already verified."
|
||||
keyauthorization="$STATE_VERIFIED"
|
||||
_debug keyauthorization "$keyauthorization"
|
||||
fi
|
||||
fi
|
||||
|
||||
dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
|
||||
@ -4960,18 +4929,6 @@ $_authorizations_map"
|
||||
if ! chmod a+r "$wellknown_path/$token"; then
|
||||
_debug "chmod failed, but we just continue."
|
||||
fi
|
||||
if [ ! "$usingApache" ]; then
|
||||
if webroot_owner=$(_stat "$_currentRoot"); then
|
||||
_debug "Changing owner/group of .well-known to $webroot_owner"
|
||||
if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
|
||||
_debug "$(cat "$_EXEC_TEMP_ERR")"
|
||||
_exec_err >/dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
_debug "not changing owner/group of webroot"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
elif [ "$vtype" = "$VTYPE_ALPN" ]; then
|
||||
acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
|
||||
|
@ -273,16 +273,27 @@ _check_curl_version() {
|
||||
_minor="$(_getfield "$_cversion" 2 '.')"
|
||||
_debug2 "_minor" "$_minor"
|
||||
|
||||
if [ "$_major$_minor" -lt "740" ]; then
|
||||
if [ "$_major" -ge "8" ]; then
|
||||
#ok
|
||||
return 0
|
||||
fi
|
||||
if [ "$_major" = "7" ]; then
|
||||
if [ "$_minor" -lt "40" ]; then
|
||||
_err "curl v$_cversion doesn't support unit socket"
|
||||
_err "Please upgrade to curl 7.40 or later."
|
||||
return 1
|
||||
fi
|
||||
if [ "$_major$_minor" -lt "750" ]; then
|
||||
if [ "$_minor" -lt "50" ]; then
|
||||
_debug "Use short host name"
|
||||
export _CURL_NO_HOST=1
|
||||
else
|
||||
export _CURL_NO_HOST=
|
||||
fi
|
||||
return 0
|
||||
else
|
||||
_err "curl v$_cversion doesn't support unit socket"
|
||||
_err "Please upgrade to curl 7.40 or later."
|
||||
return 1
|
||||
fi
|
||||
|
||||
}
|
||||
|
@ -137,7 +137,7 @@ _get_root() {
|
||||
domain=$1
|
||||
i=2
|
||||
p=1
|
||||
if _opns_rest "GET" "/domain/searchMasterDomain"; then
|
||||
if _opns_rest "GET" "/domain/searchPrimaryDomain"; then
|
||||
_domain_response="$response"
|
||||
else
|
||||
return 1
|
||||
@ -150,7 +150,7 @@ _get_root() {
|
||||
return 1
|
||||
fi
|
||||
_debug h "$h"
|
||||
id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
|
||||
id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
|
||||
if [ -n "$id" ]; then
|
||||
_debug id "$id"
|
||||
_host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
||||
|
@ -14,6 +14,9 @@
|
||||
#'ovh-eu'
|
||||
OVH_EU='https://eu.api.ovh.com/1.0'
|
||||
|
||||
#'ovh-us'
|
||||
OVH_US='https://api.us.ovhcloud.com/1.0'
|
||||
|
||||
#'ovh-ca':
|
||||
OVH_CA='https://ca.api.ovh.com/1.0'
|
||||
|
||||
@ -29,9 +32,6 @@ SYS_EU='https://eu.api.soyoustart.com/1.0'
|
||||
#'soyoustart-ca'
|
||||
SYS_CA='https://ca.api.soyoustart.com/1.0'
|
||||
|
||||
#'runabove-ca'
|
||||
RAV_CA='https://api.runabove.com/1.0'
|
||||
|
||||
wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api"
|
||||
|
||||
ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success"
|
||||
@ -45,6 +45,10 @@ _ovh_get_api() {
|
||||
printf "%s" $OVH_EU
|
||||
return
|
||||
;;
|
||||
ovh-us | ovhus)
|
||||
printf "%s" $OVH_US
|
||||
return
|
||||
;;
|
||||
ovh-ca | ovhca)
|
||||
printf "%s" $OVH_CA
|
||||
return
|
||||
@ -65,14 +69,15 @@ _ovh_get_api() {
|
||||
printf "%s" $SYS_CA
|
||||
return
|
||||
;;
|
||||
runabove-ca | runaboveca)
|
||||
printf "%s" $RAV_CA
|
||||
# raw API url starts with https://
|
||||
https*)
|
||||
printf "%s" "$1"
|
||||
return
|
||||
;;
|
||||
|
||||
*)
|
||||
|
||||
_err "Unknown parameter : $1"
|
||||
_err "Unknown endpoint : $1"
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
|
@ -41,7 +41,7 @@ pleskxml_init_checks_done=0
|
||||
NEWLINE='\
|
||||
'
|
||||
|
||||
pleskxml_tplt_get_domains="<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>"
|
||||
pleskxml_tplt_get_domains="<packet><webspace><get><filter/><dataset><gen_info/></dataset></get></webspace></packet>"
|
||||
# Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh
|
||||
# Also used to test credentials and URI.
|
||||
# No params.
|
||||
@ -145,22 +145,25 @@ dns_pleskxml_rm() {
|
||||
)"
|
||||
|
||||
if [ -z "$reclist" ]; then
|
||||
_err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting."
|
||||
_err "No TXT records found for root domain $fulldomain (Plesk domain ID ${root_domain_id}). Exiting."
|
||||
return 1
|
||||
fi
|
||||
|
||||
_debug "Got list of DNS TXT records for root domain '$root_domain_name':"
|
||||
_debug "Got list of DNS TXT records for root Plesk domain ID ${root_domain_id} of root domain $fulldomain:"
|
||||
_debug "$reclist"
|
||||
|
||||
# Extracting the id of the TXT record for the full domain (NOT case-sensitive) and corresponding value
|
||||
recid="$(
|
||||
_value "$reclist" |
|
||||
grep "<host>${fulldomain}.</host>" |
|
||||
grep -i "<host>${fulldomain}.</host>" |
|
||||
grep "<value>${txtvalue}</value>" |
|
||||
sed 's/^.*<id>\([0-9]\{1,\}\)<\/id>.*$/\1/'
|
||||
)"
|
||||
|
||||
_debug "Got id from line: $recid"
|
||||
|
||||
if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then
|
||||
_err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
|
||||
_err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
|
||||
_err "Cannot delete TXT record. Exiting."
|
||||
return 1
|
||||
fi
|
||||
@ -251,9 +254,12 @@ _call_api() {
|
||||
|
||||
# Detect any <status> that isn't "ok". None of the used calls should fail if the API is working correctly.
|
||||
# Also detect if there simply aren't any status lines (null result?) and report that, as well.
|
||||
# Remove <data></data> structure from result string, since it might contain <status> values that are related to the status of the domain and not to the API request
|
||||
|
||||
statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>[^<]*</status> *$')"
|
||||
statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>ok</status> *$')"
|
||||
statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>[^<]*</status> *$')"
|
||||
statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>ok</status> *$')"
|
||||
_debug "statuslines_count_total=$statuslines_count_total."
|
||||
_debug "statuslines_count_okay=$statuslines_count_okay."
|
||||
|
||||
if [ -z "$statuslines_count_total" ]; then
|
||||
|
||||
@ -375,7 +381,7 @@ _pleskxml_get_root_domain() {
|
||||
# Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
|
||||
# We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.
|
||||
|
||||
output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' '<type>domain</type>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
|
||||
output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
|
||||
|
||||
_debug 'Domains managed by Plesk server are (ignore the hacked output):'
|
||||
_debug "$output"
|
||||
|
Loading…
Reference in New Issue
Block a user