Merge branch 'acmesh-official:master' into patch-1

2023-07-04 14:57:19 +02:00 · 2023-07-04 14:57:19 +02:00 · d7f58c64f8
commit d7f58c64f8
parent 0548ad2fc6 b7caf7a016
6 changed files with 73 additions and 96 deletions
--- a/README.md
+++ b/README.md
@ -51,14 +51,12 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 - [ruby-china.org](https://ruby-china.org/topics/31983)
 - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management)
 - [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
 - [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
 - [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
 - [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
 - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
 - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
- [CentOS Web Panel](http://centos-webpanel.com/)
+- [CentOS Web Panel](https://control-webpanel.com)
 - [lnmp.org](https://lnmp.org/)
 - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials)

--- a/acme.sh
+++ b/acme.sh
@ -2884,6 +2884,7 @@ _initpath() {
      fi
    fi
    _debug DOMAIN_PATH "$DOMAIN_PATH"
+    export DOMAIN_PATH
  fi

  if [ -z "$DOMAIN_BACKUP_PATH" ]; then
@ -2935,22 +2936,6 @@ _initpath() {

 }

-_exec() {
-  if [ -z "$_EXEC_TEMP_ERR" ]; then
-    _EXEC_TEMP_ERR="$(_mktemp)"
-  fi
-
-  if [ "$_EXEC_TEMP_ERR" ]; then
-    eval "$@ 2>>$_EXEC_TEMP_ERR"
-  else
-    eval "$@"
-  fi
-}
-
-_exec_err() {
-  [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR"
-}
-
 _apachePath() {
  _APACHECTL="apachectl"
  if ! _exists apachectl; then
@ -2963,8 +2948,7 @@ _apachePath() {
    fi
  fi

-  if ! _exec $_APACHECTL -V >/dev/null; then
-    _exec_err
+  if ! $_APACHECTL -V >/dev/null; then
    return 1
  fi

@ -3016,8 +3000,7 @@ _restoreApache() {

  cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf"
  _debug "Restored: $httpdconf."
-  if ! _exec $_APACHECTL -t; then
-    _exec_err
+  if ! $_APACHECTL -t; then
    _err "Sorry, restore apache config error, please contact me."
    return 1
  fi
@ -3035,8 +3018,7 @@ _setApache() {
  #test the conf first
  _info "Checking if there is an error in the apache config file before starting."

-  if ! _exec "$_APACHECTL" -t >/dev/null; then
-    _exec_err
+  if ! $_APACHECTL -t >/dev/null; then
    _err "The apache config file has error, please fix it first, then try again."
    _err "Don't worry, there is nothing changed to your system."
    return 1
@ -3097,8 +3079,7 @@ Allow from all
    chmod 755 "$ACME_DIR"
  fi

-  if ! _exec "$_APACHECTL" graceful; then
-    _exec_err
+  if ! $_APACHECTL graceful; then
    _err "$_APACHECTL  graceful error, please contact me."
    _restoreApache
    return 1
@ -3183,8 +3164,7 @@ _setNginx() {
    return 1
  fi
  _info "Check the nginx conf before setting up."
-  if ! _exec "nginx -t" >/dev/null; then
-    _exec_err
+  if ! nginx -t >/dev/null; then
    return 1
  fi

@ -3211,16 +3191,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
  fi
  _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
  _info "nginx conf is done, let's check it again."
-  if ! _exec "nginx -t" >/dev/null; then
-    _exec_err
+  if ! nginx -t >/dev/null; then
    _err "It seems that nginx conf was broken, let's restore."
    cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
    return 1
  fi

  _info "Reload nginx"
-  if ! _exec "nginx -s reload" >/dev/null; then
-    _exec_err
+  if ! nginx -s reload >/dev/null; then
    _err "It seems that nginx reload error, let's restore."
    cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
    return 1
@ -3345,8 +3323,7 @@ _restoreNginx() {
  done

  _info "Reload nginx"
-  if ! _exec "nginx -s reload" >/dev/null; then
-    _exec_err
+  if ! nginx -s reload >/dev/null; then
    _err "It seems that nginx reload error, please report bug."
    return 1
  fi
@ -4684,28 +4661,26 @@ $_authorizations_map"
        thumbprint="$(__calc_account_thumbprint)"
      fi

+      keyauthorization=""
+
+      if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
+        _debug "$d is already valid."
+        keyauthorization="$STATE_VERIFIED"
+        _debug keyauthorization "$keyauthorization"
+      fi
+
      entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
      _debug entry "$entry"
-      keyauthorization=""
-      if [ -z "$entry" ]; then
-        if ! _startswith "$d" '*.'; then
-          _debug "Not a wildcard domain, lets check whether the validation is already valid."
-          if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
-            _debug "$d is already valid."
-            keyauthorization="$STATE_VERIFIED"
-            _debug keyauthorization "$keyauthorization"
-          fi
-        fi
-        if [ -z "$keyauthorization" ]; then
-          _err "Error, can not get domain token entry $d for $vtype"
-          _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
-          if [ "$_supported_vtypes" ]; then
-            _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
-          fi
-          _clearup
-          _on_issue_err "$_post_hook"
-          return 1
+
+      if [ -z "$keyauthorization" -a -z "$entry" ]; then
+        _err "Error, can not get domain token entry $d for $vtype"
+        _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
+        if [ "$_supported_vtypes" ]; then
+          _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype"
        fi
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
      fi

      if [ -z "$keyauthorization" ]; then
@ -4731,12 +4706,6 @@ $_authorizations_map"
        fi
        keyauthorization="$token.$thumbprint"
        _debug keyauthorization "$keyauthorization"
-
-        if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
-          _debug "$d is already verified."
-          keyauthorization="$STATE_VERIFIED"
-          _debug keyauthorization "$keyauthorization"
-        fi
      fi

      dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"
@ -4960,18 +4929,6 @@ $_authorizations_map"
        if ! chmod a+r "$wellknown_path/$token"; then
          _debug "chmod failed, but we just continue."
        fi
-        if [ ! "$usingApache" ]; then
-          if webroot_owner=$(_stat "$_currentRoot"); then
-            _debug "Changing owner/group of .well-known to $webroot_owner"
-            if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
-              _debug "$(cat "$_EXEC_TEMP_ERR")"
-              _exec_err >/dev/null 2>&1
-            fi
-          else
-            _debug "not changing owner/group of webroot"
-          fi
-        fi
-
      fi
    elif [ "$vtype" = "$VTYPE_ALPN" ]; then
      acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
--- a/deploy/docker.sh
+++ b/deploy/docker.sh
@ -273,16 +273,27 @@ _check_curl_version() {
  _minor="$(_getfield "$_cversion" 2 '.')"
  _debug2 "_minor" "$_minor"

-  if [ "$_major$_minor" -lt "740" ]; then
+  if [ "$_major" -ge "8" ]; then
+    #ok
+    return 0
+  fi
+  if [ "$_major" = "7" ]; then
+    if [ "$_minor" -lt "40" ]; then
+      _err "curl v$_cversion doesn't support unit socket"
+      _err "Please upgrade to curl 7.40 or later."
+      return 1
+    fi
+    if [ "$_minor" -lt "50" ]; then
+      _debug "Use short host name"
+      export _CURL_NO_HOST=1
+    else
+      export _CURL_NO_HOST=
+    fi
+    return 0
+  else
    _err "curl v$_cversion doesn't support unit socket"
    _err "Please upgrade to curl 7.40 or later."
    return 1
  fi
-  if [ "$_major$_minor" -lt "750" ]; then
-    _debug "Use short host name"
-    export _CURL_NO_HOST=1
-  else
-    export _CURL_NO_HOST=
-  fi
-  return 0
+
 }
--- a/dnsapi/dns_opnsense.sh
+++ b/dnsapi/dns_opnsense.sh
@ -137,7 +137,7 @@ _get_root() {
  domain=$1
  i=2
  p=1
-  if _opns_rest "GET" "/domain/searchMasterDomain"; then
+  if _opns_rest "GET" "/domain/searchPrimaryDomain"; then
    _domain_response="$response"
  else
    return 1
@ -150,7 +150,7 @@ _get_root() {
      return 1
    fi
    _debug h "$h"
-    id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
+    id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
    if [ -n "$id" ]; then
      _debug id "$id"
      _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
--- a/dnsapi/dns_ovh.sh
+++ b/dnsapi/dns_ovh.sh
@ -14,6 +14,9 @@
 #'ovh-eu'
 OVH_EU='https://eu.api.ovh.com/1.0'

+#'ovh-us'
+OVH_US='https://api.us.ovhcloud.com/1.0'
+
 #'ovh-ca':
 OVH_CA='https://ca.api.ovh.com/1.0'

@ -29,9 +32,6 @@ SYS_EU='https://eu.api.soyoustart.com/1.0'
 #'soyoustart-ca'
 SYS_CA='https://ca.api.soyoustart.com/1.0'

-#'runabove-ca'
-RAV_CA='https://api.runabove.com/1.0'
-
 wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api"

 ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success"
@ -45,6 +45,10 @@ _ovh_get_api() {
    printf "%s" $OVH_EU
    return
    ;;
+  ovh-us | ovhus)
+    printf "%s" $OVH_US
+    return
+    ;;
  ovh-ca | ovhca)
    printf "%s" $OVH_CA
    return
@ -65,14 +69,15 @@ _ovh_get_api() {
    printf "%s" $SYS_CA
    return
    ;;
-  runabove-ca | runaboveca)
-    printf "%s" $RAV_CA
+  # raw API url starts with https://
+  https*)
+    printf "%s" "$1"
    return
    ;;

  *)

-    _err "Unknown parameter : $1"
+    _err "Unknown endpoint : $1"
    return 1
    ;;
  esac
--- a/dnsapi/dns_pleskxml.sh
+++ b/dnsapi/dns_pleskxml.sh
@ -41,7 +41,7 @@ pleskxml_init_checks_done=0
 NEWLINE='\
 '

-pleskxml_tplt_get_domains="<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>"
+pleskxml_tplt_get_domains="<packet><webspace><get><filter/><dataset><gen_info/></dataset></get></webspace></packet>"
 # Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh
 # Also used to test credentials and URI.
 # No params.
@ -145,22 +145,25 @@ dns_pleskxml_rm() {
  )"

  if [ -z "$reclist" ]; then
-    _err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting."
+    _err "No TXT records found for root domain $fulldomain (Plesk domain ID ${root_domain_id}). Exiting."
    return 1
  fi

-  _debug "Got list of DNS TXT records for root domain '$root_domain_name':"
+  _debug "Got list of DNS TXT records for root Plesk domain ID ${root_domain_id} of root domain $fulldomain:"
  _debug "$reclist"

+  # Extracting the id of the TXT record for the full domain (NOT case-sensitive) and corresponding value
  recid="$(
    _value "$reclist" |
-      grep "<host>${fulldomain}.</host>" |
+      grep -i "<host>${fulldomain}.</host>" |
      grep "<value>${txtvalue}</value>" |
      sed 's/^.*<id>\([0-9]\{1,\}\)<\/id>.*$/\1/'
  )"

+  _debug "Got id from line: $recid"
+
  if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then
-    _err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
+    _err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
    _err "Cannot delete TXT record. Exiting."
    return 1
  fi
@ -251,9 +254,12 @@ _call_api() {

  # Detect any <status> that isn't "ok". None of the used calls should fail if the API is working correctly.
  # Also detect if there simply aren't any status lines (null result?) and report that, as well.
+  # Remove <data></data> structure from result string, since it might contain <status> values that are related to the status of the domain and not to the API request

-  statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>[^<]*</status> *$')"
-  statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>ok</status> *$')"
+  statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>[^<]*</status> *$')"
+  statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>ok</status> *$')"
+  _debug "statuslines_count_total=$statuslines_count_total."
+  _debug "statuslines_count_okay=$statuslines_count_okay."

  if [ -z "$statuslines_count_total" ]; then

@ -375,7 +381,7 @@ _pleskxml_get_root_domain() {
  # Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
  # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.

-  output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' '<type>domain</type>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
+  output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"

  _debug 'Domains managed by Plesk server are (ignore the hacked output):'
  _debug "$output"