mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-07-08 22:15:19 +02:00
ACME v02 Support
This commit is contained in:
committed by
Lukas Schauer
parent
35a9f31643
commit
68cb1e0661
@@ -6,7 +6,7 @@ This file contains a log of major changes in dehydrated
|
|||||||
- ...
|
- ...
|
||||||
|
|
||||||
## Added
|
## Added
|
||||||
- ...
|
- Support for ACME v02
|
||||||
|
|
||||||
## [0.5.0] - 2018-01-13
|
## [0.5.0] - 2018-01-13
|
||||||
## Changed
|
## Changed
|
||||||
|
|||||||
+151
-37
@@ -138,6 +138,7 @@ load_config() {
|
|||||||
AUTO_CLEANUP="no"
|
AUTO_CLEANUP="no"
|
||||||
DEHYDRATED_USER=
|
DEHYDRATED_USER=
|
||||||
DEHYDRATED_GROUP=
|
DEHYDRATED_GROUP=
|
||||||
|
API=1
|
||||||
|
|
||||||
if [[ -z "${CONFIG:-}" ]]; then
|
if [[ -z "${CONFIG:-}" ]]; then
|
||||||
echo "#" >&2
|
echo "#" >&2
|
||||||
@@ -256,14 +257,25 @@ init_system() {
|
|||||||
|
|
||||||
# Get CA URLs
|
# Get CA URLs
|
||||||
CA_DIRECTORY="$(http_request get "${CA}")"
|
CA_DIRECTORY="$(http_request get "${CA}")"
|
||||||
CA_NEW_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-cert)" &&
|
if [[ ${API} -eq 1 ]]; then
|
||||||
CA_NEW_AUTHZ="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-authz)" &&
|
# shellcheck disable=SC2015
|
||||||
CA_NEW_REG="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-reg)" &&
|
CA_NEW_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-cert)" &&
|
||||||
# shellcheck disable=SC2015
|
CA_NEW_AUTHZ="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-authz)" &&
|
||||||
CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revoke-cert)" ||
|
CA_NEW_REG="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-reg)" &&
|
||||||
_exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."
|
CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revoke-cert)" ||
|
||||||
# Since reg URI is missing from directory we will assume it is the same as CA_NEW_REG without the new part
|
_exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."
|
||||||
CA_REG=${CA_NEW_REG/new-reg/reg}
|
# Since reg URI is missing from directory we will assume it is the same as CA_NEW_REG without the new part
|
||||||
|
CA_REG=${CA_NEW_REG/new-reg/reg}
|
||||||
|
else
|
||||||
|
# shellcheck disable=SC2015
|
||||||
|
CA_NEW_ORDER="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newOrder)" &&
|
||||||
|
CA_NEW_NONCE="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newNonce)" &&
|
||||||
|
CA_NEW_ACCOUNT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newAccount)" &&
|
||||||
|
CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revokeCert)" ||
|
||||||
|
_exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."
|
||||||
|
# Since acct URI is missing from directory we will assume it is the same as CA_NEW_ACCOUNT without the new part
|
||||||
|
CA_ACCOUNT=${CA_NEW_ACCOUNT/new-acct/acct}
|
||||||
|
fi
|
||||||
|
|
||||||
# Export some environment variables to be used in hook script
|
# Export some environment variables to be used in hook script
|
||||||
export WELLKNOWN BASEDIR CERTDIR CONFIG COMMAND
|
export WELLKNOWN BASEDIR CERTDIR CONFIG COMMAND
|
||||||
@@ -314,17 +326,25 @@ init_system() {
|
|||||||
echo "+ Registering account key with ACME server..."
|
echo "+ Registering account key with ACME server..."
|
||||||
FAILED=false
|
FAILED=false
|
||||||
|
|
||||||
if [[ -z "${CA_NEW_REG}" ]]; then
|
if [[ ${API} -eq 1 && -z "${CA_NEW_REG}" ]] || [[ ${API} -eq 2 && -z "${CA_NEW_ACCOUNT}" ]]; then
|
||||||
echo "Certificate authority doesn't allow registrations."
|
echo "Certificate authority doesn't allow registrations."
|
||||||
FAILED=true
|
FAILED=true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If an email for the contact has been provided then adding it to the registration request
|
# If an email for the contact has been provided then adding it to the registration request
|
||||||
if [[ "${FAILED}" = "false" ]]; then
|
if [[ "${FAILED}" = "false" ]]; then
|
||||||
if [[ -n "${CONTACT_EMAIL}" ]]; then
|
if [[ ${API} -eq 1 ]]; then
|
||||||
(signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"], "agreement": "'"$LICENSE"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true
|
if [[ -n "${CONTACT_EMAIL}" ]]; then
|
||||||
|
(signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"], "agreement": "'"$LICENSE"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
else
|
||||||
|
(signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "agreement": "'"$LICENSE"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
(signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "agreement": "'"$LICENSE"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true
|
if [[ -n "${CONTACT_EMAIL}" ]]; then
|
||||||
|
(signed_request "${CA_NEW_ACCOUNT}" '{"contact":["mailto:'"${CONTACT_EMAIL}"'"], "termsOfServiceAgreed": true}' > "${ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
else
|
||||||
|
(signed_request "${CA_NEW_ACCOUNT}" '{"termsOfServiceAgreed": true}' > "${ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -380,6 +400,13 @@ get_json_string_value() {
|
|||||||
sed -n "${filter}"
|
sed -n "${filter}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Get array value from json dictionary
|
||||||
|
get_json_array_value() {
|
||||||
|
local filter
|
||||||
|
filter=$(printf 's/.*"%s": *\\[\([^]]*\)\\].*/\\1/p' "$1")
|
||||||
|
sed -n "${filter}"
|
||||||
|
}
|
||||||
|
|
||||||
# Get integer value from json
|
# Get integer value from json
|
||||||
get_json_int_value() {
|
get_json_int_value() {
|
||||||
local filter
|
local filter
|
||||||
@@ -482,20 +509,40 @@ signed_request() {
|
|||||||
payload64="$(printf '%s' "${2}" | urlbase64)"
|
payload64="$(printf '%s' "${2}" | urlbase64)"
|
||||||
|
|
||||||
# Retrieve nonce from acme-server
|
# Retrieve nonce from acme-server
|
||||||
nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
|
||||||
|
else
|
||||||
|
nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
|
||||||
|
fi
|
||||||
|
|
||||||
# Build header with just our public key and algorithm information
|
# Build header with just our public key and algorithm information
|
||||||
header='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}}'
|
header='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}}'
|
||||||
|
|
||||||
# Build another header which also contains the previously received nonce and encode it as urlbase64
|
if [[ ${API} -eq 1 ]]; then
|
||||||
protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "nonce": "'"${nonce}"'"}'
|
# Build another header which also contains the previously received nonce and encode it as urlbase64
|
||||||
protected64="$(printf '%s' "${protected}" | urlbase64)"
|
protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "nonce": "'"${nonce}"'"}'
|
||||||
|
protected64="$(printf '%s' "${protected}" | urlbase64)"
|
||||||
|
else
|
||||||
|
# Build another header which also contains the previously received nonce and url and encode it as urlbase64
|
||||||
|
if [[ -e "${ACCOUNT_KEY_JSON}" ]] && [[ -n "$(cat "${ACCOUNT_KEY_JSON}" | get_json_int_value id)" ]]; then
|
||||||
|
REG_ID="$(cat "${ACCOUNT_KEY_JSON}" | get_json_int_value id)"
|
||||||
|
protected='{"alg": "RS256", "kid": "'"${CA_ACCOUNT}/${REG_ID}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
|
||||||
|
else
|
||||||
|
protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
|
||||||
|
fi
|
||||||
|
protected64="$(printf '%s' "${protected}" | urlbase64)"
|
||||||
|
fi
|
||||||
|
|
||||||
# Sign header with nonce and our payload with our private key and encode signature as urlbase64
|
# Sign header with nonce and our payload with our private key and encode signature as urlbase64
|
||||||
signed64="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha256 -sign "${ACCOUNT_KEY}" | urlbase64)"
|
signed64="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha256 -sign "${ACCOUNT_KEY}" | urlbase64)"
|
||||||
|
|
||||||
# Send header + extended header + payload + signature to the acme-server
|
if [[ ${API} -eq 1 ]]; then
|
||||||
data='{"header": '"${header}"', "protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}'
|
# Send header + extended header + payload + signature to the acme-server
|
||||||
|
data='{"header": '"${header}"', "protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}'
|
||||||
|
else
|
||||||
|
# Send extended header + payload + signature to the acme-server
|
||||||
|
data='{"protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}'
|
||||||
|
fi
|
||||||
|
|
||||||
http_request post "${1}" "${data}"
|
http_request post "${1}" "${data}"
|
||||||
}
|
}
|
||||||
@@ -548,22 +595,54 @@ sign_csr() {
|
|||||||
fi
|
fi
|
||||||
export altnames
|
export altnames
|
||||||
|
|
||||||
if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
|
||||||
|
_exiterr "Certificate authority doesn't allow certificate signing"
|
||||||
|
fi
|
||||||
|
elif [[ ${API} -eq 2 ]] && [[ -z "${CA_NEW_ORDER}" ]]; then
|
||||||
_exiterr "Certificate authority doesn't allow certificate signing"
|
_exiterr "Certificate authority doesn't allow certificate signing"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local idx=0
|
|
||||||
if [[ -n "${ZSH_VERSION:-}" ]]; then
|
if [[ -n "${ZSH_VERSION:-}" ]]; then
|
||||||
local -A challenge_altnames challenge_uris challenge_tokens keyauths deploy_args
|
local -A challenge_altnames challenge_uris challenge_tokens keyauths deploy_args authorization
|
||||||
else
|
else
|
||||||
local -a challenge_altnames challenge_uris challenge_tokens keyauths deploy_args
|
local -a challenge_altnames challenge_uris challenge_tokens keyauths deploy_args authorization
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ ${API} -eq 2 ]]; then
|
||||||
|
# APIv2
|
||||||
|
for altname in ${altnames}; do
|
||||||
|
challenge_identifiers+="$(printf '{"type": "dns", "value": "%s"}, ' "${altname}")"
|
||||||
|
done
|
||||||
|
challenge_identifiers="[${challenge_identifiers%, }]"
|
||||||
|
|
||||||
|
echo " + Requesting challenges for ${altnames}..."
|
||||||
|
result="$(signed_request "${CA_NEW_ORDER}" '{"identifiers": '"${challenge_identifiers}"'}')"
|
||||||
|
|
||||||
|
authorizations="$(echo ${result} | get_json_array_value authorizations)"
|
||||||
|
finalize="$(echo "${result}" | get_json_string_value finalize)"
|
||||||
|
|
||||||
|
local idx=0
|
||||||
|
for uris in ${authorizations}; do
|
||||||
|
authorization[${idx}]="${uris}"
|
||||||
|
idx=$((idx+1))
|
||||||
|
done
|
||||||
|
|
||||||
|
unset challenge_identifiers authorizations
|
||||||
|
fi
|
||||||
|
|
||||||
|
local idx=0; idy=-1
|
||||||
# Request challenges
|
# Request challenges
|
||||||
for altname in ${altnames}; do
|
for altname in ${altnames}; do
|
||||||
# Ask the acme-server for new challenge token and extract them from the resulting json block
|
idy=$((idy+1))
|
||||||
echo " + Requesting challenge for ${altname}..."
|
if [[ ${API} -eq 1 ]]; then
|
||||||
response="$(signed_request "${CA_NEW_AUTHZ}" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}' | clean_json)"
|
# Ask the acme-server for new challenge token and extract them from the resulting json block
|
||||||
|
echo " + Requesting challenge for ${altname}..."
|
||||||
|
response="$(signed_request "${CA_NEW_AUTHZ}" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}' | clean_json)"
|
||||||
|
else
|
||||||
|
uris="$(<<<"${authorization[${idy}]}" _sed -e 's/\"(.*)".*/\1/')"
|
||||||
|
response="$(http_request get "${uris}" | clean_json)"
|
||||||
|
fi
|
||||||
|
|
||||||
challenge_status="$(printf '%s' "${response}" | rm_json_arrays | get_json_string_value status)"
|
challenge_status="$(printf '%s' "${response}" | rm_json_arrays | get_json_string_value status)"
|
||||||
if [ "${challenge_status}" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
|
if [ "${challenge_status}" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
|
||||||
@@ -575,7 +654,11 @@ sign_csr() {
|
|||||||
repl=$'\n''{' # fix syntax highlighting in Vim
|
repl=$'\n''{' # fix syntax highlighting in Vim
|
||||||
challenge="$(printf "%s" "${challenges//\{/${repl}}" | grep \""${CHALLENGETYPE}"\")"
|
challenge="$(printf "%s" "${challenges//\{/${repl}}" | grep \""${CHALLENGETYPE}"\")"
|
||||||
challenge_token="$(printf '%s' "${challenge}" | get_json_string_value token | _sed 's/[^A-Za-z0-9_\-]/_/g')"
|
challenge_token="$(printf '%s' "${challenge}" | get_json_string_value token | _sed 's/[^A-Za-z0-9_\-]/_/g')"
|
||||||
challenge_uri="$(printf '%s' "${challenge}" | get_json_string_value uri)"
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
challenge_uri="$(printf '%s' "${challenge}" | get_json_string_value uri)"
|
||||||
|
else
|
||||||
|
challenge_uri="$(printf '%s' "${challenge}" | get_json_string_value url)"
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ -z "${challenge_token}" ]] || [[ -z "${challenge_uri}" ]]; then
|
if [[ -z "${challenge_token}" ]] || [[ -z "${challenge_uri}" ]]; then
|
||||||
_exiterr "Can't retrieve challenges (${response})"
|
_exiterr "Can't retrieve challenges (${response})"
|
||||||
@@ -627,13 +710,21 @@ sign_csr() {
|
|||||||
|
|
||||||
# Ask the acme-server to verify our challenge and wait until it is no longer pending
|
# Ask the acme-server to verify our challenge and wait until it is no longer pending
|
||||||
echo " + Responding to challenge for ${altname}..."
|
echo " + Responding to challenge for ${altname}..."
|
||||||
result="$(signed_request "${challenge_uris[${idx}]}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}' | clean_json)"
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
result="$(signed_request "${challenge_uris[${idx}]}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}' | clean_json)"
|
||||||
|
else
|
||||||
|
result="$(signed_request "${challenge_uris[${idx}]}" '{"keyAuthorization": "'"${keyauth}"'"}' | clean_json)"
|
||||||
|
fi
|
||||||
|
|
||||||
reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)"
|
reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)"
|
||||||
|
|
||||||
while [[ "${reqstatus}" = "pending" ]]; do
|
while [[ "${reqstatus}" = "pending" ]]; do
|
||||||
sleep 1
|
sleep 1
|
||||||
result="$(http_request get "${challenge_uris[${idx}]}")"
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
result="$(http_request get "${challenge_uris[${idx}]}")"
|
||||||
|
else
|
||||||
|
result="$(http_request get "${challenge_uris[${idx}]}")"
|
||||||
|
fi
|
||||||
reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)"
|
reqstatus="$(printf '%s\n' "${result}" | get_json_string_value status)"
|
||||||
done
|
done
|
||||||
|
|
||||||
@@ -676,8 +767,13 @@ sign_csr() {
|
|||||||
# Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
|
# Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
|
||||||
echo " + Requesting certificate..."
|
echo " + Requesting certificate..."
|
||||||
csr64="$( <<<"${csr}" "${OPENSSL}" req -config "${OPENSSL_CNF}" -outform DER | urlbase64)"
|
csr64="$( <<<"${csr}" "${OPENSSL}" req -config "${OPENSSL_CNF}" -outform DER | urlbase64)"
|
||||||
crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | "${OPENSSL}" base64 -e)"
|
if [[ ${API} -eq 1 ]]; then
|
||||||
crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
|
crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | "${OPENSSL}" base64 -e)"
|
||||||
|
crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
|
||||||
|
else
|
||||||
|
result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | clean_json | get_json_string_value certificate)"
|
||||||
|
crt="$(http_request get "${result}")"
|
||||||
|
fi
|
||||||
|
|
||||||
# Try to load the certificate to detect corruption
|
# Try to load the certificate to detect corruption
|
||||||
echo " + Checking certificate..."
|
echo " + Checking certificate..."
|
||||||
@@ -755,7 +851,11 @@ sign_domain() {
|
|||||||
export altnames
|
export altnames
|
||||||
|
|
||||||
echo " + Signing domains..."
|
echo " + Signing domains..."
|
||||||
if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
|
||||||
|
_exiterr "Certificate authority doesn't allow certificate signing"
|
||||||
|
fi
|
||||||
|
elif [[ ${API} -eq 2 ]] && [[ -z "${CA_NEW_ORDER}" ]]; then
|
||||||
_exiterr "Certificate authority doesn't allow certificate signing"
|
_exiterr "Certificate authority doesn't allow certificate signing"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -917,11 +1017,20 @@ command_account() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "+ Updating registration id: ${REG_ID} contact information..."
|
echo "+ Updating registration id: ${REG_ID} contact information..."
|
||||||
# If an email for the contact has been provided then adding it to the registered account
|
if [[ ${API} -eq 1 ]]; then
|
||||||
if [[ -n "${CONTACT_EMAIL}" ]]; then
|
# If an email for the contact has been provided then adding it to the registered account
|
||||||
(signed_request "${CA_REG}"/"${REG_ID}" '{"resource": "reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
|
if [[ -n "${CONTACT_EMAIL}" ]]; then
|
||||||
|
(signed_request "${CA_REG}"/"${REG_ID}" '{"resource": "reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
else
|
||||||
|
(signed_request "${CA_REG}"/"${REG_ID}" '{"resource": "reg", "contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
(signed_request "${CA_REG}"/"${REG_ID}" '{"resource": "reg", "contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
|
# If an email for the contact has been provided then adding it to the registered account
|
||||||
|
if [[ -n "${CONTACT_EMAIL}" ]]; then
|
||||||
|
(signed_request "${CA_ACCOUNT}"/"${REG_ID}" '{"contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
else
|
||||||
|
(signed_request "${CA_ACCOUNT}"/"${REG_ID}" '{"contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "${FAILED}" = "true" ]]; then
|
if [[ "${FAILED}" = "true" ]]; then
|
||||||
@@ -966,7 +1075,7 @@ command_sign_domains() {
|
|||||||
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
|
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
|
||||||
ORIGIFS="${IFS}"
|
ORIGIFS="${IFS}"
|
||||||
IFS=$'\n'
|
IFS=$'\n'
|
||||||
for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true)); do
|
for line in "$(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true))"; do
|
||||||
reset_configvars
|
reset_configvars
|
||||||
IFS="${ORIGIFS}"
|
IFS="${ORIGIFS}"
|
||||||
alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)"
|
alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)"
|
||||||
@@ -1194,7 +1303,11 @@ command_revoke() {
|
|||||||
echo "Revoking ${cert}"
|
echo "Revoking ${cert}"
|
||||||
|
|
||||||
cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)"
|
cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)"
|
||||||
response="$(signed_request "${CA_REVOKE_CERT}" '{"resource": "revoke-cert", "certificate": "'"${cert64}"'"}' | clean_json)"
|
if [[ ${API} -eq 1 ]]; then
|
||||||
|
response="$(signed_request "${CA_REVOKE_CERT}" '{"resource": "revoke-cert", "certificate": "'"${cert64}"'"}' | clean_json)"
|
||||||
|
else
|
||||||
|
response="$(signed_request "${CA_REVOKE_CERT}" '{"certificate": "'"${cert64}"'"}' | clean_json)"
|
||||||
|
fi
|
||||||
# if there is a problem with our revoke request _request (via signed_request) will report this and "exit 1" out
|
# if there is a problem with our revoke request _request (via signed_request) will report this and "exit 1" out
|
||||||
# so if we are here, it is safe to assume the request was successful
|
# so if we are here, it is safe to assume the request was successful
|
||||||
echo " + Done."
|
echo " + Done."
|
||||||
@@ -1303,6 +1416,7 @@ main() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# shellcheck disable=SC2199
|
||||||
[[ -z "${@}" ]] && eval set -- "--help"
|
[[ -z "${@}" ]] && eval set -- "--help"
|
||||||
|
|
||||||
while (( ${#} )); do
|
while (( ${#} )); do
|
||||||
|
|||||||
@@ -110,3 +110,6 @@
|
|||||||
|
|
||||||
# Automatic cleanup (default: no)
|
# Automatic cleanup (default: no)
|
||||||
#AUTO_CLEANUP="no"
|
#AUTO_CLEANUP="no"
|
||||||
|
|
||||||
|
# ACME API version (default: 1)
|
||||||
|
#API=1
|
||||||
|
|||||||
Reference in New Issue
Block a user