commit
75660e6f21
3
.github/workflows/DNS.yml
vendored
3
.github/workflows/DNS.yml
vendored
@ -143,8 +143,9 @@ jobs:
|
||||
C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
|
||||
shell: cmd
|
||||
- name: Set ENV
|
||||
shell: cmd
|
||||
run: |
|
||||
echo '::set-env name=PATH::C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin'
|
||||
echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
|
||||
- name: Clone acmetest
|
||||
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
|
||||
- name: Run acmetest
|
||||
|
7
.github/workflows/LetsEncrypt.yml
vendored
7
.github/workflows/LetsEncrypt.yml
vendored
@ -87,8 +87,13 @@ jobs:
|
||||
C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
|
||||
shell: cmd
|
||||
- name: Set ENV
|
||||
shell: cmd
|
||||
run: |
|
||||
echo '::set-env name=PATH::C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin'
|
||||
echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
|
||||
- name: Check ENV
|
||||
shell: cmd
|
||||
run: |
|
||||
echo "PATH=%PATH%"
|
||||
- name: Clone acmetest
|
||||
shell: cmd
|
||||
run: cd .. && git clone https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/
|
||||
|
2
.github/workflows/dockerhub.yml
vendored
2
.github/workflows/dockerhub.yml
vendored
@ -63,4 +63,4 @@ jobs:
|
||||
--tag ${DOCKER_IMAGE}:${DOCKER_IMAGE_TAG} \
|
||||
--output "type=image,push=true" \
|
||||
--build-arg AUTO_UPGRADE=${AUTO_UPGRADE} \
|
||||
--platform linux/arm64/v8,linux/amd64,linux/arm/v6,linux/arm/v7,linux/386 .
|
||||
--platform linux/arm64/v8,linux/amd64,linux/arm/v6,linux/arm/v7,linux/386,linux/ppc64le,linux/s390x .
|
||||
|
@ -7,6 +7,7 @@ RUN apk update -f \
|
||||
coreutils \
|
||||
bind-tools \
|
||||
curl \
|
||||
sed \
|
||||
socat \
|
||||
tzdata \
|
||||
oath-toolkit-oathtool \
|
||||
|
6
acme.sh
6
acme.sh
@ -3993,7 +3993,7 @@ _check_dns_entries() {
|
||||
#file
|
||||
_get_cert_issuers() {
|
||||
_cfile="$1"
|
||||
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7"; then
|
||||
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
||||
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||
else
|
||||
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||
@ -5823,7 +5823,7 @@ _deactivate() {
|
||||
_URL_NAME="uri"
|
||||
fi
|
||||
|
||||
entries="$(echo "$response" | _egrep_o "[^{]*\"type\":\"[^\"]*\", *\"status\": *\"valid\", *\"$_URL_NAME\"[^}]*")"
|
||||
entries="$(echo "$response" | tr '][' '=' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n' | grep "\"status\": *\"valid\"")"
|
||||
if [ -z "$entries" ]; then
|
||||
_info "No valid entries found."
|
||||
if [ -z "$thumbprint" ]; then
|
||||
@ -5866,7 +5866,7 @@ _deactivate() {
|
||||
_debug _vtype "$_vtype"
|
||||
_info "Found $_vtype"
|
||||
|
||||
uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')"
|
||||
uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*\"" | tr -d '" ' | cut -d : -f 2-)"
|
||||
_debug uri "$uri"
|
||||
|
||||
if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then
|
||||
|
@ -64,9 +64,9 @@ fritzbox_deploy() {
|
||||
_info "Log in to the FRITZ!Box"
|
||||
_fritzbox_challenge="$(_get "${_fritzbox_url}/login_sid.lua" | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//')"
|
||||
if _exists iconv; then
|
||||
_fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | iconv -f ASCII -t UTF16LE | md5sum | awk '{print $1}')"
|
||||
_fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)"
|
||||
else
|
||||
_fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | md5sum | awk '{print $1}')"
|
||||
_fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)"
|
||||
fi
|
||||
_fritzbox_sid="$(_get "${_fritzbox_url}/login_sid.lua?sid=0000000000000000&username=${_fritzbox_username}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//')"
|
||||
|
||||
|
67
deploy/vault.sh
Normal file
67
deploy/vault.sh
Normal file
@ -0,0 +1,67 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
# Here is a script to deploy cert to hashicorp vault using curl
|
||||
# (https://www.vaultproject.io/)
|
||||
#
|
||||
# it requires following environment variables:
|
||||
#
|
||||
# VAULT_PREFIX - this contains the prefix path in vault
|
||||
# VAULT_ADDR - vault requires this to find your vault server
|
||||
#
|
||||
# additionally, you need to ensure that VAULT_TOKEN is avialable
|
||||
# to access the vault server
|
||||
|
||||
#returns 0 means success, otherwise error.
|
||||
|
||||
######## Public functions #####################
|
||||
|
||||
#domain keyfile certfile cafile fullchain
|
||||
vault_deploy() {
|
||||
|
||||
_cdomain="$1"
|
||||
_ckey="$2"
|
||||
_ccert="$3"
|
||||
_cca="$4"
|
||||
_cfullchain="$5"
|
||||
|
||||
_debug _cdomain "$_cdomain"
|
||||
_debug _ckey "$_ckey"
|
||||
_debug _ccert "$_ccert"
|
||||
_debug _cca "$_cca"
|
||||
_debug _cfullchain "$_cfullchain"
|
||||
|
||||
# validate required env vars
|
||||
_getdeployconf VAULT_PREFIX
|
||||
if [ -z "$VAULT_PREFIX" ]; then
|
||||
_err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
|
||||
return 1
|
||||
fi
|
||||
_savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
|
||||
|
||||
_getdeployconf VAULT_ADDR
|
||||
if [ -z "$VAULT_ADDR" ]; then
|
||||
_err "VAULT_ADDR needs to be defined (contains vault connection address)"
|
||||
return 1
|
||||
fi
|
||||
_savedeployconf VAULT_ADDR "$VAULT_ADDR"
|
||||
|
||||
# JSON does not allow multiline strings.
|
||||
# So replacing new-lines with "\n" here
|
||||
_ckey=$(sed -z 's/\n/\\n/g' <"$2")
|
||||
_ccert=$(sed -z 's/\n/\\n/g' <"$3")
|
||||
_cca=$(sed -z 's/\n/\\n/g' <"$4")
|
||||
_cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
|
||||
|
||||
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
|
||||
export _H1="X-Vault-Token: $VAULT_TOKEN"
|
||||
|
||||
if [ -n "$FABIO" ]; then
|
||||
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
|
||||
else
|
||||
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
|
||||
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
|
||||
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
|
||||
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
|
||||
fi
|
||||
|
||||
}
|
150
dnsapi/dns_anx.sh
Normal file
150
dnsapi/dns_anx.sh
Normal file
@ -0,0 +1,150 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
# Anexia CloudDNS acme.sh hook
|
||||
# Author: MA
|
||||
|
||||
#ANX_Token="xxxx"
|
||||
|
||||
ANX_API='https://engine.anexia-it.com/api/clouddns/v1'
|
||||
|
||||
######## Public functions #####################
|
||||
|
||||
dns_anx_add() {
|
||||
fulldomain=$1
|
||||
txtvalue=$2
|
||||
|
||||
_info "Using ANX CDNS API"
|
||||
|
||||
ANX_Token="${ANX_Token:-$(_readaccountconf_mutable ANX_Token)}"
|
||||
_debug fulldomain "$fulldomain"
|
||||
_debug txtvalue "$txtvalue"
|
||||
|
||||
if [ "$ANX_Token" ]; then
|
||||
_saveaccountconf_mutable ANX_Token "$ANX_Token"
|
||||
else
|
||||
_err "You didn't specify a ANEXIA Engine API token."
|
||||
return 1
|
||||
fi
|
||||
|
||||
_debug "First detect the root zone"
|
||||
if ! _get_root "$fulldomain"; then
|
||||
_err "invalid domain"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Always add records, wildcard need two records with the same name
|
||||
_anx_rest POST "zone.json/${_domain}/records" "{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"rdata\":\"$txtvalue\"}"
|
||||
if _contains "$response" "$txtvalue"; then
|
||||
return 0
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
dns_anx_rm() {
|
||||
fulldomain=$1
|
||||
txtvalue=$2
|
||||
|
||||
_info "Using ANX CDNS API"
|
||||
|
||||
ANX_Token="${ANX_Token:-$(_readaccountconf_mutable ANX_Token)}"
|
||||
|
||||
_debug fulldomain "$fulldomain"
|
||||
_debug txtvalue "$txtvalue"
|
||||
|
||||
_debug "First detect the root zone"
|
||||
if ! _get_root "$fulldomain"; then
|
||||
_err "invalid domain"
|
||||
return 1
|
||||
fi
|
||||
|
||||
_get_record_id
|
||||
|
||||
if _is_uuid "$_record_id"; then
|
||||
if ! _anx_rest DELETE "zone.json/${_domain}/records/$_record_id"; then
|
||||
_err "Delete record"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
_info "No record found."
|
||||
fi
|
||||
echo "$response" | tr -d " " | grep \"status\":\"OK\" >/dev/null
|
||||
}
|
||||
|
||||
#################### Private functions below ##################################
|
||||
|
||||
_is_uuid() {
|
||||
pattern='^\{?[A-Z0-9a-z]{8}-[A-Z0-9a-z]{4}-[A-Z0-9a-z]{4}-[A-Z0-9a-z]{4}-[A-Z0-9a-z]{12}\}?$'
|
||||
if echo "$1" | _egrep_o "$pattern" >/dev/null; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
_get_record_id() {
|
||||
_debug subdomain "$_sub_domain"
|
||||
_debug domain "$_domain"
|
||||
|
||||
if _anx_rest GET "zone.json/${_domain}/records?name=$_sub_domain&type=TXT"; then
|
||||
_debug response "$response"
|
||||
if _contains "$response" "\"name\":\"$_sub_domain\"" >/dev/null; then
|
||||
_record_id=$(printf "%s\n" "$response" | _egrep_o "\[.\"identifier\":\"[^\"]*\"" | head -n 1 | cut -d : -f 2 | tr -d \")
|
||||
else
|
||||
_record_id=''
|
||||
fi
|
||||
else
|
||||
_err "Search existing record"
|
||||
fi
|
||||
}
|
||||
|
||||
_anx_rest() {
|
||||
m=$1
|
||||
ep="$2"
|
||||
data="$3"
|
||||
_debug "$ep"
|
||||
|
||||
export _H1="Content-Type: application/json"
|
||||
export _H2="Authorization: Token $ANX_Token"
|
||||
|
||||
if [ "$m" != "GET" ]; then
|
||||
_debug data "$data"
|
||||
response="$(_post "$data" "${ANX_API}/$ep" "" "$m")"
|
||||
else
|
||||
response="$(_get "${ANX_API}/$ep")"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2181
|
||||
if [ "$?" != "0" ]; then
|
||||
_err "error $ep"
|
||||
return 1
|
||||
fi
|
||||
_debug response "$response"
|
||||
return 0
|
||||
}
|
||||
|
||||
_get_root() {
|
||||
domain=$1
|
||||
i=1
|
||||
p=1
|
||||
|
||||
_anx_rest GET "zone.json"
|
||||
|
||||
while true; do
|
||||
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
|
||||
_debug h "$h"
|
||||
if [ -z "$h" ]; then
|
||||
#not valid
|
||||
return 1
|
||||
fi
|
||||
|
||||
if _contains "$response" "\"name\":\"$h\""; then
|
||||
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
|
||||
_domain=$h
|
||||
return 0
|
||||
fi
|
||||
|
||||
p=$i
|
||||
i=$(_math "$i" + 1)
|
||||
done
|
||||
return 1
|
||||
}
|
466
dnsapi/dns_edgedns.sh
Executable file
466
dnsapi/dns_edgedns.sh
Executable file
@ -0,0 +1,466 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
# Akamai Edge DNS v2 API
|
||||
# User must provide Open Edgegrid API credentials to the EdgeDNS installation. The remote user in EdgeDNS must have CRUD access to
|
||||
# Edge DNS Zones and Recordsets, e.g. DNS—Zone Record Management authorization
|
||||
|
||||
# Report bugs to https://control.akamai.com/apps/support-ui/#/contact-support
|
||||
|
||||
# Values to export:
|
||||
# --EITHER--
|
||||
# *** TBD. NOT IMPLEMENTED YET ***
|
||||
# specify Edgegrid credentials file and section
|
||||
# AKAMAI_EDGERC=<full file path>
|
||||
# AKAMAI_EDGERC_SECTION="default"
|
||||
## --OR--
|
||||
# specify indiviual credentials
|
||||
# export AKAMAI_HOST = <host>
|
||||
# export AKAMAI_ACCESS_TOKEN = <access token>
|
||||
# export AKAMAI_CLIENT_TOKEN = <client token>
|
||||
# export AKAMAI_CLIENT_SECRET = <client secret>
|
||||
|
||||
ACME_EDGEDNS_VERSION="0.1.0"
|
||||
|
||||
######## Public functions #####################
|
||||
|
||||
# Usage: dns_edgedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
|
||||
# Used to add txt record
|
||||
#
|
||||
dns_edgedns_add() {
|
||||
fulldomain=$1
|
||||
txtvalue=$2
|
||||
_debug "ENTERING DNS_EDGEDNS_ADD"
|
||||
_debug2 "fulldomain" "$fulldomain"
|
||||
_debug2 "txtvalue" "$txtvalue"
|
||||
|
||||
if ! _EDGEDNS_credentials; then
|
||||
_err "$@"
|
||||
return 1
|
||||
fi
|
||||
if ! _EDGEDNS_getZoneInfo "$fulldomain"; then
|
||||
_err "Invalid domain"
|
||||
return 1
|
||||
fi
|
||||
|
||||
_debug2 "Add: zone" "$zone"
|
||||
acmeRecordURI=$(printf "%s/%s/names/%s/types/TXT" "$edge_endpoint" "$zone" "$fulldomain")
|
||||
_debug3 "Add URL" "$acmeRecordURI"
|
||||
# Get existing TXT record
|
||||
_edge_result=$(_edgedns_rest GET "$acmeRecordURI")
|
||||
_api_status="$?"
|
||||
_debug3 "_edge_result" "$_edge_result"
|
||||
if [ "$_api_status" -ne 0 ]; then
|
||||
if [ "$curResult" = "FATAL" ]; then
|
||||
_err "$(printf "Fatal error: acme API function call : %s" "$retVal")"
|
||||
fi
|
||||
if [ "$_edge_result" != "404" ]; then
|
||||
_err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
rdata="\"${txtvalue}\""
|
||||
record_op="POST"
|
||||
if [ "$_api_status" -eq 0 ]; then
|
||||
# record already exists. Get existing record data and update
|
||||
record_op="PUT"
|
||||
rdlist="${_edge_result#*\"rdata\":[}"
|
||||
rdlist="${rdlist%%]*}"
|
||||
rdlist=$(echo "$rdlist" | tr -d '"' | tr -d "\\\\")
|
||||
_debug3 "existing TXT found"
|
||||
_debug3 "record data" "$rdlist"
|
||||
# value already there?
|
||||
if _contains "$rdlist" "$txtvalue"; then
|
||||
return 0
|
||||
fi
|
||||
_txt_val=""
|
||||
while [ "$_txt_val" != "$rdlist" ] && [ "${rdlist}" ]; do
|
||||
_txt_val="${rdlist%%,*}"
|
||||
rdlist="${rdlist#*,}"
|
||||
rdata="${rdata},\"${_txt_val}\""
|
||||
done
|
||||
fi
|
||||
# Add the txtvalue TXT Record
|
||||
body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":"[${rdata}]"}"
|
||||
_debug3 "Add body '${body}'"
|
||||
_edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body")
|
||||
_api_status="$?"
|
||||
if [ "$_api_status" -eq 0 ]; then
|
||||
_log "$(printf "Text value %s added to recordset %s" "$txtvalue" "$fulldomain")"
|
||||
return 0
|
||||
else
|
||||
_err "$(printf "error adding TXT record for validation. Error: %s" "$_edge_result")"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Usage: dns_edgedns_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
|
||||
# Used to delete txt record
|
||||
#
|
||||
dns_edgedns_rm() {
|
||||
fulldomain=$1
|
||||
txtvalue=$2
|
||||
_debug "ENTERING DNS_EDGEDNS_RM"
|
||||
_debug2 "fulldomain" "$fulldomain"
|
||||
_debug2 "txtvalue" "$txtvalue"
|
||||
|
||||
if ! _EDGEDNS_credentials; then
|
||||
_err "$@"
|
||||
return 1
|
||||
fi
|
||||
if ! _EDGEDNS_getZoneInfo "$fulldomain"; then
|
||||
_err "Invalid domain"
|
||||
return 1
|
||||
fi
|
||||
_debug2 "RM: zone" "${zone}"
|
||||
acmeRecordURI=$(printf "%s/%s/names/%s/types/TXT" "${edge_endpoint}" "$zone" "$fulldomain")
|
||||
_debug3 "RM URL" "$acmeRecordURI"
|
||||
# Get existing TXT record
|
||||
_edge_result=$(_edgedns_rest GET "$acmeRecordURI")
|
||||
_api_status="$?"
|
||||
if [ "$_api_status" -ne 0 ]; then
|
||||
if [ "$curResult" = "FATAL" ]; then
|
||||
_err "$(printf "Fatal error: acme API function call : %s" "$retVal")"
|
||||
fi
|
||||
if [ "$_edge_result" != "404" ]; then
|
||||
_err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
_debug3 "_edge_result" "$_edge_result"
|
||||
record_op="DELETE"
|
||||
body=""
|
||||
if [ "$_api_status" -eq 0 ]; then
|
||||
# record already exists. Get existing record data and update
|
||||
rdlist="${_edge_result#*\"rdata\":[}"
|
||||
rdlist="${rdlist%%]*}"
|
||||
rdlist=$(echo "$rdlist" | tr -d '"' | tr -d "\\\\")
|
||||
_debug3 "rdlist" "$rdlist"
|
||||
if [ -n "$rdlist" ]; then
|
||||
record_op="PUT"
|
||||
comma=""
|
||||
rdata=""
|
||||
_txt_val=""
|
||||
while [ "$_txt_val" != "$rdlist" ] && [ "$rdlist" ]; do
|
||||
_txt_val="${rdlist%%,*}"
|
||||
rdlist="${rdlist#*,}"
|
||||
_debug3 "_txt_val" "$_txt_val"
|
||||
_debug3 "txtvalue" "$txtvalue"
|
||||
if ! _contains "$_txt_val" "$txtvalue"; then
|
||||
rdata="${rdata}${comma}\"${_txt_val}\""
|
||||
comma=","
|
||||
fi
|
||||
done
|
||||
if [ -z "$rdata" ]; then
|
||||
record_op="DELETE"
|
||||
else
|
||||
# Recreate the txtvalue TXT Record
|
||||
body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":"[${rdata}]"}"
|
||||
_debug3 "body" "$body"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
_edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body")
|
||||
_api_status="$?"
|
||||
if [ "$_api_status" -eq 0 ]; then
|
||||
_log "$(printf "Text value %s removed from recordset %s" "$txtvalue" "$fulldomain")"
|
||||
return 0
|
||||
else
|
||||
_err "$(printf "error removing TXT record for validation. Error: %s" "$_edge_result")"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
#################### Private functions below ##################################
|
||||
|
||||
_EDGEDNS_credentials() {
|
||||
_debug "GettingEdge DNS credentials"
|
||||
_log "$(printf "ACME DNSAPI Edge DNS version %s" ${ACME_EDGEDNS_VERSION})"
|
||||
args_missing=0
|
||||
if [ -z "$AKAMAI_ACCESS_TOKEN" ]; then
|
||||
AKAMAI_ACCESS_TOKEN=""
|
||||
AKAMAI_CLIENT_TOKEN=""
|
||||
AKAMAI_HOST=""
|
||||
AKAMAI_CLIENT_SECRET=""
|
||||
_err "AKAMAI_ACCESS_TOKEN is missing"
|
||||
args_missing=1
|
||||
fi
|
||||
if [ -z "$AKAMAI_CLIENT_TOKEN" ]; then
|
||||
AKAMAI_ACCESS_TOKEN=""
|
||||
AKAMAI_CLIENT_TOKEN=""
|
||||
AKAMAI_HOST=""
|
||||
AKAMAI_CLIENT_SECRET=""
|
||||
_err "AKAMAI_CLIENT_TOKEN is missing"
|
||||
args_missing=1
|
||||
fi
|
||||
if [ -z "$AKAMAI_HOST" ]; then
|
||||
AKAMAI_ACCESS_TOKEN=""
|
||||
AKAMAI_CLIENT_TOKEN=""
|
||||
AKAMAI_HOST=""
|
||||
AKAMAI_CLIENT_SECRET=""
|
||||
_err "AKAMAI_HOST is missing"
|
||||
args_missing=1
|
||||
fi
|
||||
if [ -z "$AKAMAI_CLIENT_SECRET" ]; then
|
||||
AKAMAI_ACCESS_TOKEN=""
|
||||
AKAMAI_CLIENT_TOKEN=""
|
||||
AKAMAI_HOST=""
|
||||
AKAMAI_CLIENT_SECRET=""
|
||||
_err "AKAMAI_CLIENT_SECRET is missing"
|
||||
args_missing=1
|
||||
fi
|
||||
|
||||
if [ "$args_missing" = 1 ]; then
|
||||
_err "You have not properly specified the EdgeDNS Open Edgegrid API credentials. Please try again."
|
||||
return 1
|
||||
else
|
||||
_saveaccountconf_mutable AKAMAI_ACCESS_TOKEN "$AKAMAI_ACCESS_TOKEN"
|
||||
_saveaccountconf_mutable AKAMAI_CLIENT_TOKEN "$AKAMAI_CLIENT_TOKEN"
|
||||
_saveaccountconf_mutable AKAMAI_HOST "$AKAMAI_HOST"
|
||||
_saveaccountconf_mutable AKAMAI_CLIENT_SECRET "$AKAMAI_CLIENT_SECRET"
|
||||
# Set whether curl should use secure or insecure mode
|
||||
fi
|
||||
export HTTPS_INSECURE=0 # All Edgegrid API calls are secure
|
||||
edge_endpoint=$(printf "https://%s/config-dns/v2/zones" "$AKAMAI_HOST")
|
||||
_debug3 "Edge API Endpoint:" "$edge_endpoint"
|
||||
|
||||
}
|
||||
|
||||
_EDGEDNS_getZoneInfo() {
|
||||
_debug "Getting Zoneinfo"
|
||||
zoneEnd=false
|
||||
curZone=$1
|
||||
while [ -n "$zoneEnd" ]; do
|
||||
# we can strip the first part of the fulldomain, since its just the _acme-challenge string
|
||||
curZone="${curZone#*.}"
|
||||
# suffix . needed for zone -> domain.tld.
|
||||
# create zone get url
|
||||
get_zone_url=$(printf "%s/%s" "$edge_endpoint" "$curZone")
|
||||
_debug3 "Zone Get: " "${get_zone_url}"
|
||||
curResult=$(_edgedns_rest GET "$get_zone_url")
|
||||
retVal=$?
|
||||
if [ "$retVal" -ne 0 ]; then
|
||||
if [ "$curResult" = "FATAL" ]; then
|
||||
_err "$(printf "Fatal error: acme API function call : %s" "$retVal")"
|
||||
fi
|
||||
if [ "$curResult" != "404" ]; then
|
||||
_err "$(printf "Managed zone validation failed. Error response: %s" "$retVal")"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
if _contains "$curResult" "\"zone\":"; then
|
||||
_debug2 "Zone data" "${curResult}"
|
||||
zone=$(echo "${curResult}" | _egrep_o "\"zone\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
|
||||
_debug3 "Zone" "${zone}"
|
||||
zoneEnd=""
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "${curZone#*.}" != "$curZone" ]; then
|
||||
_debug3 "$(printf "%s still contains a '.' - so we can check next higher level" "$curZone")"
|
||||
else
|
||||
zoneEnd=true
|
||||
_err "Couldn't retrieve zone data."
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
_err "Failed to retrieve zone data."
|
||||
return 2
|
||||
}
|
||||
|
||||
_edgedns_headers=""
|
||||
|
||||
_edgedns_rest() {
|
||||
_debug "Handling API Request"
|
||||
m=$1
|
||||
# Assume endpoint is complete path, including query args if applicable
|
||||
ep=$2
|
||||
body_data=$3
|
||||
_edgedns_content_type=""
|
||||
_request_url_path="$ep"
|
||||
_request_body="$body_data"
|
||||
_request_method="$m"
|
||||
_edgedns_headers=""
|
||||
tab=""
|
||||
_edgedns_headers="${_edgedns_headers}${tab}Host: ${AKAMAI_HOST}"
|
||||
tab="\t"
|
||||
# Set in acme.sh _post/_get
|
||||
#_edgedns_headers="${_edgedns_headers}${tab}User-Agent:ACME DNSAPI Edge DNS version ${ACME_EDGEDNS_VERSION}"
|
||||
_edgedns_headers="${_edgedns_headers}${tab}Accept: application/json,*/*"
|
||||
if [ "$m" != "GET" ] && [ "$m" != "DELETE" ]; then
|
||||
_edgedns_content_type="application/json"
|
||||
_debug3 "_request_body" "$_request_body"
|
||||
_body_len=$(echo "$_request_body" | tr -d "\n\r" | awk '{print length}')
|
||||
_edgedns_headers="${_edgedns_headers}${tab}Content-Length: ${_body_len}"
|
||||
fi
|
||||
_edgedns_make_auth_header
|
||||
_edgedns_headers="${_edgedns_headers}${tab}Authorization: ${_signed_auth_header}"
|
||||
_secure_debug2 "Made Auth Header" "$_signed_auth_header"
|
||||
hdr_indx=1
|
||||
work_header="${_edgedns_headers}${tab}"
|
||||
_debug3 "work_header" "$work_header"
|
||||
while [ "$work_header" ]; do
|
||||
entry="${work_header%%\\t*}"
|
||||
work_header="${work_header#*\\t}"
|
||||
export "$(printf "_H%s=%s" "$hdr_indx" "$entry")"
|
||||
_debug2 "Request Header " "$entry"
|
||||
hdr_indx=$((hdr_indx + 1))
|
||||
done
|
||||
|
||||
# clear headers from previous request to avoid getting wrong http code on timeouts
|
||||
: >"$HTTP_HEADER"
|
||||
_debug2 "$ep"
|
||||
if [ "$m" != "GET" ]; then
|
||||
_debug3 "Method data" "$data"
|
||||
# body url [needbase64] [POST|PUT|DELETE] [ContentType]
|
||||
response=$(_post "$_request_body" "$ep" false "$m" "$_edgedns_content_type")
|
||||
else
|
||||
response=$(_get "$ep")
|
||||
fi
|
||||
_ret="$?"
|
||||
if [ "$_ret" -ne 0 ]; then
|
||||
_err "$(printf "acme.sh API function call failed. Error: %s" "$_ret")"
|
||||
echo "FATAL"
|
||||
return "$_ret"
|
||||
fi
|
||||
_debug2 "response" "${response}"
|
||||
_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
|
||||
_debug2 "http response code" "$_code"
|
||||
if [ "$_code" = "200" ] || [ "$_code" = "201" ]; then
|
||||
# All good
|
||||
response="$(echo "${response}" | _normalizeJson)"
|
||||
echo "$response"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "$_code" = "204" ]; then
|
||||
# Success, no body
|
||||
echo "$_code"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "$_code" = "400" ]; then
|
||||
_err "Bad request presented"
|
||||
_log "$(printf "Headers: %s" "$_edgedns_headers")"
|
||||
_log "$(printf "Method: %s" "$_request_method")"
|
||||
_log "$(printf "URL: %s" "$ep")"
|
||||
_log "$(printf "Data: %s" "$data")"
|
||||
fi
|
||||
|
||||
if [ "$_code" = "403" ]; then
|
||||
_err "access denied make sure your Edgegrid cedentials are correct."
|
||||
fi
|
||||
|
||||
echo "$_code"
|
||||
return 1
|
||||
}
|
||||
|
||||
_edgedns_eg_timestamp() {
|
||||
_debug "Generating signature Timestamp"
|
||||
_debug3 "Retriving ntp time"
|
||||
_timeheaders="$(_get "https://www.ntp.org" "onlyheader")"
|
||||
_debug3 "_timeheaders" "$_timeheaders"
|
||||
_ntpdate="$(echo "$_timeheaders" | grep -i "Date:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
|
||||
_debug3 "_ntpdate" "$_ntpdate"
|
||||
_ntpdate="$(echo "${_ntpdate}" | sed -e 's/^[[:space:]]*//')"
|
||||
_debug3 "_NTPDATE" "$_ntpdate"
|
||||
_ntptime="$(echo "${_ntpdate}" | _head_n 1 | cut -d " " -f 5 | tr -d "\r\n")"
|
||||
_debug3 "_ntptime" "$_ntptime"
|
||||
_eg_timestamp=$(date -u "+%Y%m%dT")
|
||||
_eg_timestamp="$(printf "%s%s+0000" "$_eg_timestamp" "$_ntptime")"
|
||||
_debug "_eg_timestamp" "$_eg_timestamp"
|
||||
}
|
||||
|
||||
_edgedns_new_nonce() {
|
||||
_debug "Generating Nonce"
|
||||
_nonce=$(echo "EDGEDNS$(_time)" | _digest sha1 hex | cut -c 1-32)
|
||||
_debug3 "_nonce" "$_nonce"
|
||||
}
|
||||
|
||||
_edgedns_make_auth_header() {
|
||||
_debug "Constructing Auth Header"
|
||||
_edgedns_new_nonce
|
||||
_edgedns_eg_timestamp
|
||||
# "Unsigned authorization header: 'EG1-HMAC-SHA256 client_token=block;access_token=block;timestamp=20200806T14:16:33+0000;nonce=72cde72c-82d9-4721-9854-2ba057929d67;'"
|
||||
_auth_header="$(printf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "$AKAMAI_CLIENT_TOKEN" "$AKAMAI_ACCESS_TOKEN" "$_eg_timestamp" "$_nonce")"
|
||||
_secure_debug2 "Unsigned Auth Header: " "$_auth_header"
|
||||
|
||||
_edgedns_sign_request
|
||||
_signed_auth_header="$(printf "%ssignature=%s" "$_auth_header" "$_signed_req")"
|
||||
_secure_debug2 "Signed Auth Header: " "${_signed_auth_header}"
|
||||
}
|
||||
|
||||
_edgedns_sign_request() {
|
||||
_debug2 "Signing http request"
|
||||
_edgedns_make_data_to_sign "$_auth_header"
|
||||
_secure_debug2 "Returned signed data" "$_mdata"
|
||||
_edgedns_make_signing_key "$_eg_timestamp"
|
||||
_edgedns_base64_hmac_sha256 "$_mdata" "$_signing_key"
|
||||
_signed_req="$_hmac_out"
|
||||
_secure_debug2 "Signed Request" "$_signed_req"
|
||||
}
|
||||
|
||||
_edgedns_make_signing_key() {
|
||||
_debug2 "Creating sigining key"
|
||||
ts=$1
|
||||
_edgedns_base64_hmac_sha256 "$ts" "$AKAMAI_CLIENT_SECRET"
|
||||
_signing_key="$_hmac_out"
|
||||
_secure_debug2 "Signing Key" "$_signing_key"
|
||||
|
||||
}
|
||||
|
||||
_edgedns_make_data_to_sign() {
|
||||
_debug2 "Processing data to sign"
|
||||
hdr=$1
|
||||
_secure_debug2 "hdr" "$hdr"
|
||||
_edgedns_make_content_hash
|
||||
path="$(echo "$_request_url_path" | tr -d "\n\r" | sed 's/https\?:\/\///')"
|
||||
path="${path#*$AKAMAI_HOST}"
|
||||
_debug "hier path" "$path"
|
||||
# dont expose headers to sign so use MT string
|
||||
_mdata="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "$_request_method" "$AKAMAI_HOST" "$path" "" "$_hash" "$hdr")"
|
||||
_secure_debug2 "Data to Sign" "$_mdata"
|
||||
}
|
||||
|
||||
_edgedns_make_content_hash() {
|
||||
_debug2 "Generating content hash"
|
||||
_hash=""
|
||||
_debug2 "Request method" "${_request_method}"
|
||||
if [ "$_request_method" != "POST" ] || [ -z "$_request_body" ]; then
|
||||
return 0
|
||||
fi
|
||||
_debug2 "Req body" "$_request_body"
|
||||
_edgedns_base64_sha256 "$_request_body"
|
||||
_hash="$_sha256_out"
|
||||
_debug2 "Content hash" "$_hash"
|
||||
}
|
||||
|
||||
_edgedns_base64_hmac_sha256() {
|
||||
_debug2 "Generating hmac"
|
||||
data=$1
|
||||
key=$2
|
||||
encoded_data="$(echo "$data" | iconv -t utf-8)"
|
||||
encoded_key="$(echo "$key" | iconv -t utf-8)"
|
||||
_secure_debug2 "encoded data" "$encoded_data"
|
||||
_secure_debug2 "encoded key" "$encoded_key"
|
||||
|
||||
encoded_key_hex=$(printf "%s" "$encoded_key" | _hex_dump | tr -d ' ')
|
||||
data_sig="$(echo "$encoded_data" | tr -d "\n\r" | _hmac sha256 "$encoded_key_hex" | _base64)"
|
||||
|
||||
_secure_debug2 "data_sig:" "$data_sig"
|
||||
_hmac_out="$(echo "$data_sig" | tr -d "\n\r" | iconv -f utf-8)"
|
||||
_secure_debug2 "hmac" "$_hmac_out"
|
||||
}
|
||||
|
||||
_edgedns_base64_sha256() {
|
||||
_debug2 "Creating sha256 digest"
|
||||
trg=$1
|
||||
_secure_debug2 "digest data" "$trg"
|
||||
digest="$(echo "$trg" | tr -d "\n\r" | _digest "sha256")"
|
||||
_sha256_out="$(echo "$digest" | tr -d "\n\r" | iconv -f utf-8)"
|
||||
_secure_debug2 "digest decode" "$_sha256_out"
|
||||
}
|
||||
|
||||
#_edgedns_parse_edgerc() {
|
||||
# filepath=$1
|
||||
# section=$2
|
||||
#}
|
Loading…
Reference in New Issue
Block a user