diff --git a/acme.sh b/acme.sh index 4cf407f2..f6f34b6d 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=3.0.8 +VER=3.0.9 PROJECT_NAME="acme.sh" @@ -2361,7 +2361,7 @@ _clear_conf() { _sdkey="$2" if [ "$_c_c_f" ]; then _conf_data="$(cat "$_c_c_f")" - echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f" + echo "$_conf_data" | sed "/^$_sdkey *=.*$/d" >"$_c_c_f" else _err "Config file is empty, cannot clear" fi diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh index 3ddb8de1..0d01e199 100644 --- a/deploy/synology_dsm.sh +++ b/deploy/synology_dsm.sh @@ -113,9 +113,9 @@ synology_dsm_deploy() { # Default values for scheme, hostname and port # Defaulting to localhost and http, because it's localhost… - [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME="http" - [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME="localhost" - [ -n "$SYNO_PORT" ] || SYNO_PORT="5000" + [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME=http + [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME=localhost + [ -n "$SYNO_PORT" ] || SYNO_PORT=5000 _savedeployconf SYNO_SCHEME "$SYNO_SCHEME" _savedeployconf SYNO_HOSTNAME "$SYNO_HOSTNAME" _savedeployconf SYNO_PORT "$SYNO_PORT" diff --git a/deploy/unifi.sh b/deploy/unifi.sh index a864135e..4d8c058e 100644 --- a/deploy/unifi.sh +++ b/deploy/unifi.sh @@ -5,6 +5,15 @@ # - self-hosted Unifi Controller # - Unifi Cloud Key (Gen1/2/2+) # - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only) +# - Unifi Dream Machine +# This has not been tested on other "all-in-one" devices such as +# UDM Pro or Unifi Express. +# +# OS Version v2.0.0+ +# Network Application version 7.0.0+ +# OS version ~3.1 removed java and keytool from the UnifiOS. +# Using PKCS12 format keystore appears to work fine. +# # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359 #returns 0 means success, otherwise error. @@ -74,14 +83,16 @@ unifi_deploy() { _reload_cmd="" # Unifi Controller environment (self hosted or any Cloud Key) -- - # auto-detect by file /usr/lib/unifi/data/keystore: + # auto-detect by file /usr/lib/unifi/data/keystore _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}" if [ -f "$_unifi_keystore" ]; then - _info "Installing certificate for Unifi Controller (Java keystore)" _debug _unifi_keystore "$_unifi_keystore" if ! _exists keytool; then - _err "keytool not found" - return 1 + _do_keytool=0 + _info "Installing certificate for Unifi Controller (PKCS12 keystore)." + else + _do_keytool=1 + _info "Installing certificate for Unifi Controller (Java keystore)" fi if [ ! -w "$_unifi_keystore" ]; then _err "The file $_unifi_keystore is not writable, please change the permission." @@ -92,6 +103,7 @@ unifi_deploy() { _debug "Generate import pkcs12" _import_pkcs12="$(_mktemp)" + _debug "_toPkcs $_import_pkcs12 $_ckey $_ccert $_cca $_unifi_keypass unifi root" _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root # shellcheck disable=SC2181 if [ "$?" != "0" ]; then @@ -99,22 +111,57 @@ unifi_deploy() { return 1 fi - _debug "Import into keystore: $_unifi_keystore" - if keytool -importkeystore \ - -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \ - -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \ - -alias unifi -noprompt; then - _debug "Import keystore success!" - rm "$_import_pkcs12" + # Save the existing keystore in case something goes wrong. + mv -f "${_unifi_keystore}" "${_unifi_keystore}"_original + _info "Previous keystore saved to ${_unifi_keystore}_original." + + if [ "$_do_keytool" -eq 1 ]; then + _debug "Import into keystore: $_unifi_keystore" + if keytool -importkeystore \ + -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \ + -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \ + -alias unifi -noprompt; then + _debug "Import keystore success!" + else + _err "Error importing into Unifi Java keystore." + _err "Please re-run with --debug and report a bug." + _info "Restoring original keystore." + mv -f "${_unifi_keystore}"_original "${_unifi_keystore}" + rm "$_import_pkcs12" + return 1 + fi else - _err "Error importing into Unifi Java keystore." - _err "Please re-run with --debug and report a bug." - rm "$_import_pkcs12" - return 1 + _debug "Copying new keystore to $_unifi_keystore" + cp -f "$_import_pkcs12" "$_unifi_keystore" fi + # Update unifi service for certificate cipher compatibility + if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \ + -in "$_import_pkcs12" \ + -password pass:aircontrolenterprise \ + -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \ + -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then + cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original + _info "Updating system configuration for cipher compatibility." + _info "Saved original system config to /usr/lib/unifi/data/system.properties_original" + sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties + echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>/usr/lib/unifi/data/system.properties + sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties + echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>/usr/lib/unifi/data/system.properties + _info "System configuration updated." + fi + + rm "$_import_pkcs12" + + # Restarting unifi-core will bring up unifi, doing it out of order results in + # a certificate error, and breaks wifiman. + # Restart if we aren't doing unifi-core, otherwise stop for later restart. if systemctl -q is-active unifi; then - _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart" + if [ ! -f "${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}/unifi-core.key" ]; then + _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi" + else + _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl stop unifi" + fi fi _services_updated="${_services_updated} unifi" _info "Install Unifi Controller certificate success!" @@ -165,6 +212,11 @@ unifi_deploy() { return 1 fi + # Save the existing certs in case something goes wrong. + cp -f "${_unifi_core_config}"/unifi-core.crt "${_unifi_core_config}"/unifi-core_original.crt + cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key + _info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt/key." + cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt" cat "$_ckey" >"${_unifi_core_config}/unifi-core.key" diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 8b94dae7..6fbb23ca 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -16,8 +16,8 @@ dynv6_api="https://dynv6.com/api/v2" # Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide #Usage: dns_dynv6_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_dynv6_add() { - fulldomain=$1 - txtvalue=$2 + fulldomain="$(echo "$1" | _lower_case)" + txtvalue="$2" _info "Using dynv6 api" _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" @@ -50,8 +50,8 @@ dns_dynv6_add() { #Usage: fulldomain txtvalue #Remove the txt record after validation. dns_dynv6_rm() { - fulldomain=$1 - txtvalue=$2 + fulldomain="$(echo "$1" | _lower_case)" + txtvalue="$2" _info "Using dynv6 API" _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" @@ -206,7 +206,7 @@ _get_zone_id() { return 1 fi - zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')" + zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep '"id":' | tr -d '"')" _zone_id="${zone_id#id:}" _debug "zone id: $_zone_id" } diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index 8c89a697..b2d42451 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -163,6 +163,15 @@ _inwx_check_cookie() { return 1 } +_htmlEscape() { + _s="$1" + _s=$(echo "$_s" | sed "s/&/&/g") + _s=$(echo "$_s" | sed "s//\>/g") + _s=$(echo "$_s" | sed 's/"/\"/g') + printf -- %s "$_s" +} + _inwx_login() { if _inwx_check_cookie; then @@ -170,6 +179,8 @@ _inwx_login() { return 0 fi + XML_PASS=$(_htmlEscape "$INWX_Password") + xml_content=$(printf ' account.login @@ -193,7 +204,7 @@ _inwx_login() { - ' "$INWX_User" "$INWX_Password") + ' "$INWX_User" "$XML_PASS") response="$(_post "$xml_content" "$INWX_Api" "" "POST")" diff --git a/dnsapi/dns_ispconfig.sh b/dnsapi/dns_ispconfig.sh index 7fd0d99c..edc789e1 100755 --- a/dnsapi/dns_ispconfig.sh +++ b/dnsapi/dns_ispconfig.sh @@ -14,6 +14,8 @@ Options: # User must provide login data and URL to the ISPConfig installation incl. port. # The remote user in ISPConfig must have access to: # - DNS txt Functions +# - DNS zone functions +# - Client functions ######## Public functions ##################### diff --git a/dnsapi/dns_nsupdate.sh b/dnsapi/dns_nsupdate.sh index 2bc3d382..d5dbbcbc 100755 --- a/dnsapi/dns_nsupdate.sh +++ b/dnsapi/dns_nsupdate.sh @@ -39,13 +39,15 @@ dns_nsupdate_add() { [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d" [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D" if [ -z "${NSUPDATE_ZONE}" ]; then - nsupdate -k "${NSUPDATE_KEY}" $nsdebug "${NSUPDATE_OPT}" <