diff --git a/acme.sh b/acme.sh
index 4cf407f2..f6f34b6d 100755
--- a/acme.sh
+++ b/acme.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env sh
-VER=3.0.8
+VER=3.0.9
PROJECT_NAME="acme.sh"
@@ -2361,7 +2361,7 @@ _clear_conf() {
_sdkey="$2"
if [ "$_c_c_f" ]; then
_conf_data="$(cat "$_c_c_f")"
- echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f"
+ echo "$_conf_data" | sed "/^$_sdkey *=.*$/d" >"$_c_c_f"
else
_err "Config file is empty, cannot clear"
fi
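Review bot: `$_sdkey` is still interpolated unescaped into the sed address on the new line, so a key containing regex metacharacters (`.`, `[`, `*`) or a `/` would match more than intended or break the `/…/d` address; the `.`-matches-anything case silently deletes lines for keys that differ in one character. If key names are always plain identifiers this is harmless, but the function accepts an arbitrary `$2`, so escaping the key before use (e.g. `_sdkey_re=$(printf '%s' "$_sdkey" | sed 's/[][\/.*^$]/\\&/g')`) or rejecting keys that contain such characters would make the delete exact. `_clear_conf` starts outside the hunk, so I cannot see whether an earlier check already constrains the key.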
diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index 3ddb8de1..0d01e199 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -113,9 +113,9 @@ synology_dsm_deploy() {
# Default values for scheme, hostname and port
# Defaulting to localhost and http, because it's localhost…
- [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME="http"
- [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME="localhost"
- [ -n "$SYNO_PORT" ] || SYNO_PORT="5000"
+ [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME=http
+ [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME=localhost
+ [ -n "$SYNO_PORT" ] || SYNO_PORT=5000
_savedeployconf SYNO_SCHEME "$SYNO_SCHEME"
_savedeployconf SYNO_HOSTNAME "$SYNO_HOSTNAME"
_savedeployconf SYNO_PORT "$SYNO_PORT"
diff --git a/deploy/unifi.sh b/deploy/unifi.sh
index a864135e..4d8c058e 100644
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@@ -5,6 +5,15 @@
# - self-hosted Unifi Controller
# - Unifi Cloud Key (Gen1/2/2+)
# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
+# - Unifi Dream Machine
+# This has not been tested on other "all-in-one" devices such as
+# UDM Pro or Unifi Express.
+#
+# OS Version v2.0.0+
+# Network Application version 7.0.0+
+# OS version ~3.1 removed java and keytool from the UnifiOS.
+# Using PKCS12 format keystore appears to work fine.
+#
# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
#returns 0 means success, otherwise error.
@@ -74,14 +83,16 @@ unifi_deploy() {
_reload_cmd=""
# Unifi Controller environment (self hosted or any Cloud Key) --
- # auto-detect by file /usr/lib/unifi/data/keystore:
+ # auto-detect by file /usr/lib/unifi/data/keystore
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
if [ -f "$_unifi_keystore" ]; then
- _info "Installing certificate for Unifi Controller (Java keystore)"
_debug _unifi_keystore "$_unifi_keystore"
if ! _exists keytool; then
- _err "keytool not found"
- return 1
+ _do_keytool=0
+ _info "Installing certificate for Unifi Controller (PKCS12 keystore)."
+ else
+ _do_keytool=1
+ _info "Installing certificate for Unifi Controller (Java keystore)"
fi
if [ ! -w "$_unifi_keystore" ]; then
_err "The file $_unifi_keystore is not writable, please change the permission."
@@ -92,6 +103,7 @@ unifi_deploy() {
_debug "Generate import pkcs12"
_import_pkcs12="$(_mktemp)"
+ _debug "_toPkcs $_import_pkcs12 $_ckey $_ccert $_cca $_unifi_keypass unifi root"
_toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
# shellcheck disable=SC2181
if [ "$?" != "0" ]; then
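Review bot: The added `_debug` line prints `$_unifi_keypass` in clear, and the same file later asks users to "re-run with --debug and report a bug", so the keystore password would end up in pasted issue logs. Log the call without the secret, e.g. `_debug "_toPkcs $_import_pkcs12 $_ckey $_ccert $_cca [keypass] unifi root"`, or emit the password through `_secure_debug` so it is masked unless the user explicitly opts into insecure output. The enclosing `unifi_deploy` starts and ends outside this hunk.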
@@ -99,22 +111,57 @@ unifi_deploy() {
return 1
fi
- _debug "Import into keystore: $_unifi_keystore"
- if keytool -importkeystore \
- -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
- -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
- -alias unifi -noprompt; then
- _debug "Import keystore success!"
- rm "$_import_pkcs12"
+ # Save the existing keystore in case something goes wrong.
+ mv -f "${_unifi_keystore}" "${_unifi_keystore}"_original
+ _info "Previous keystore saved to ${_unifi_keystore}_original."
+
+ if [ "$_do_keytool" -eq 1 ]; then
+ _debug "Import into keystore: $_unifi_keystore"
+ if keytool -importkeystore \
+ -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+ -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+ -alias unifi -noprompt; then
+ _debug "Import keystore success!"
+ else
+ _err "Error importing into Unifi Java keystore."
+ _err "Please re-run with --debug and report a bug."
+ _info "Restoring original keystore."
+ mv -f "${_unifi_keystore}"_original "${_unifi_keystore}"
+ rm "$_import_pkcs12"
+ return 1
+ fi
else
- _err "Error importing into Unifi Java keystore."
- _err "Please re-run with --debug and report a bug."
- rm "$_import_pkcs12"
- return 1
+ _debug "Copying new keystore to $_unifi_keystore"
+ cp -f "$_import_pkcs12" "$_unifi_keystore"
fi
+ # Update unifi service for certificate cipher compatibility
+ if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
+ -in "$_import_pkcs12" \
+ -password pass:aircontrolenterprise \
+ -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \
+ -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then
+ cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original
+ _info "Updating system configuration for cipher compatibility."
+ _info "Saved original system config to /usr/lib/unifi/data/system.properties_original"
+ sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties
+ echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>/usr/lib/unifi/data/system.properties
+ sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties
+ echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>/usr/lib/unifi/data/system.properties
+ _info "System configuration updated."
+ fi
+
+ rm "$_import_pkcs12"
+
+ # Restarting unifi-core will bring up unifi, doing it out of order results in
+ # a certificate error, and breaks wifiman.
+ # Restart if we aren't doing unifi-core, otherwise stop for later restart.
if systemctl -q is-active unifi; then
- _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
+ if [ ! -f "${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}/unifi-core.key" ]; then
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi"
+ else
+ _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl stop unifi"
+ fi
fi
_services_updated="${_services_updated} unifi"
_info "Install Unifi Controller certificate success!"
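Review bot: The ECDSA detection opens the PKCS12 with a hardcoded `-password pass:aircontrolenterprise` instead of `"$_unifi_keypass"`, so whenever a user has set a non-default keystore password the first `openssl pkcs12` fails, the `2>&1 >/dev/null` hides the error, and the cipher update is silently skipped; this should use the same variable the rest of the function uses. The PKCS12 copy branch (`cp -f "$_import_pkcs12" "$_unifi_keystore"`) is unchecked, unlike the keytool branch — a failed copy leaves no keystore at the path at all, because the original was already moved to `_original`, and there is no restore. Note also that moving the keystore away before `keytool -importkeystore` makes keytool create a fresh destination, so any aliases other than `unifi` that the previous keystore held are no longer carried over; if that is intended it is worth a comment. Finally, `grep -i "signature" | grep -iq ecdsa` keys on the signature algorithm rather than the leaf's `Public Key Algorithm`, which is the property ECDHE-ECDSA actually depends on; this is probably fine with common CAs but is worth confirming.
```sh
  else
    _debug "Copying new keystore to $_unifi_keystore"
    if ! cp -f "$_import_pkcs12" "$_unifi_keystore"; then
      _err "Error writing PKCS12 keystore to $_unifi_keystore."
      _info "Restoring original keystore."
      mv -f "${_unifi_keystore}"_original "${_unifi_keystore}"
      rm "$_import_pkcs12"
      return 1
    fi
  fi
  # Update unifi service for certificate cipher compatibility
  if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
    -in "$_import_pkcs12" \
    -password pass:"$_unifi_keypass" \
    -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \
    -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then
  # … unchanged: system.properties update, rm of the temp pkcs12, service restart …
```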
@@ -165,6 +212,11 @@ unifi_deploy() {
return 1
fi
+ # Save the existing certs in case something goes wrong.
+ cp -f "${_unifi_core_config}"/unifi-core.crt "${_unifi_core_config}"/unifi-core_original.crt
+ cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key
+ _info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt/key."
+
cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
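Review bot: Both backup `cp -f` calls are unchecked, and nothing in the function restores from `unifi-core_original.*` if the subsequent `cat` writes fail, so the message on the next line promises a safety net that is only useful manually. At minimum guard the key copy, e.g. `cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key || _err "Could not back up unifi-core.key"`, and consider `cp -p` so the backup private key keeps the original file's mode rather than whatever the umask yields when the backup does not yet exist. The earlier `return 1`/`fi` suggests an existence check precedes this, but that part of `unifi_deploy` is outside the hunk.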
diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh
index 8b94dae7..6fbb23ca 100644
--- a/dnsapi/dns_dynv6.sh
+++ b/dnsapi/dns_dynv6.sh
@@ -16,8 +16,8 @@ dynv6_api="https://dynv6.com/api/v2"
# Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
#Usage: dns_dynv6_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_dynv6_add() {
- fulldomain=$1
- txtvalue=$2
+ fulldomain="$(echo "$1" | _lower_case)"
+ txtvalue="$2"
_info "Using dynv6 api"
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
@@ -50,8 +50,8 @@ dns_dynv6_add() {
#Usage: fulldomain txtvalue
#Remove the txt record after validation.
dns_dynv6_rm() {
- fulldomain=$1
- txtvalue=$2
+ fulldomain="$(echo "$1" | _lower_case)"
+ txtvalue="$2"
_info "Using dynv6 API"
_debug fulldomain "$fulldomain"
_debug txtvalue "$txtvalue"
@@ -206,7 +206,7 @@ _get_zone_id() {
return 1
fi
- zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')"
+ zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep '"id":' | tr -d '"')"
_zone_id="${zone_id#id:}"
_debug "zone id: $_zone_id"
}
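Review bot: Tightening the second filter to `'"id":'` helps, but the first `grep "$selected"` still treats the zone name as a regex, so `.` in a domain matches any character and a zone that is a suffix or substring of another (`example.com` inside `myexample.com`) can match two zones and yield two ids. If `$selected` is the bare zone name, `grep -F -- "\"$selected\""` (fixed-string, including the surrounding JSON quotes) narrows it to the exact name; the construction of `$selected` is outside this hunk, so I am inferring its shape. `_get_zone_id` starts outside the hunk.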
diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh
index 8c89a697..b2d42451 100755
--- a/dnsapi/dns_inwx.sh
+++ b/dnsapi/dns_inwx.sh
@@ -163,6 +163,15 @@ _inwx_check_cookie() {
return 1
}
+_htmlEscape() {
+ _s="$1"
+ _s=$(echo "$_s" | sed "s/&/&/g")
+ _s=$(echo "$_s" | sed "s/\</g")
+ _s=$(echo "$_s" | sed "s/>/\>/g")
+ _s=$(echo "$_s" | sed 's/"/\"/g')
+ printf -- %s "$_s"
+}
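Review bot: As rendered on this page the four sed expressions cannot work — `s/&/&/g`, `s/>/\>/g` and `s/"/\"/g` are no-ops and `s/\</g` is a malformed `s` command that sed rejects — which looks like the page decoded the XML entities in the replacement text, but it is worth confirming against the committed file. In the intended form an unescaped `&` in a sed replacement stands for the matched text, so the replacements must be written `\&amp;`, `\&lt;`, `\&gt;`, `\&quot;` (with the `&` pass first); `s/</&lt;/g` would turn `<` into `<lt;`. `echo "$_s"` should also be `printf '%s\n' "$_s"`, since a password beginning with `-n`/`-e` or containing backslashes is mangled by some `sh` echos. The same escaping should be applied to `$INWX_User` in the later hunks of this file, where only the password goes through `XML_PASS`.
```sh
_htmlEscape() {
  _s="$1"
  _s=$(printf '%s\n' "$_s" | sed 's/&/\&amp;/g')
  _s=$(printf '%s\n' "$_s" | sed 's/</\&lt;/g')
  _s=$(printf '%s\n' "$_s" | sed 's/>/\&gt;/g')
  _s=$(printf '%s\n' "$_s" | sed 's/"/\&quot;/g')
  printf -- %s "$_s"
}
```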
+
_inwx_login() {
if _inwx_check_cookie; then
@@ -170,6 +179,8 @@ _inwx_login() {
return 0
fi
+ XML_PASS=$(_htmlEscape "$INWX_Password")
+
xml_content=$(printf '
account.login
@@ -193,7 +204,7 @@ _inwx_login() {
- ' "$INWX_User" "$INWX_Password")
+ ' "$INWX_User" "$XML_PASS")
response="$(_post "$xml_content" "$INWX_Api" "" "POST")"
diff --git a/dnsapi/dns_ispconfig.sh b/dnsapi/dns_ispconfig.sh
index 7fd0d99c..edc789e1 100755
--- a/dnsapi/dns_ispconfig.sh
+++ b/dnsapi/dns_ispconfig.sh
@@ -14,6 +14,8 @@ Options:
# User must provide login data and URL to the ISPConfig installation incl. port.
# The remote user in ISPConfig must have access to:
# - DNS txt Functions
+# - DNS zone functions
+# - Client functions
######## Public functions #####################
diff --git a/dnsapi/dns_nsupdate.sh b/dnsapi/dns_nsupdate.sh
index 2bc3d382..d5dbbcbc 100755
--- a/dnsapi/dns_nsupdate.sh
+++ b/dnsapi/dns_nsupdate.sh
@@ -39,13 +39,15 @@ dns_nsupdate_add() {
[ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
[ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
if [ -z "${NSUPDATE_ZONE}" ]; then
- nsupdate -k "${NSUPDATE_KEY}" $nsdebug "${NSUPDATE_OPT}" <