From 12de7b0ee6d8e523b3d05a76a8b921ed6c1f81ca Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Mon, 30 Dec 2019 15:44:11 +0000 Subject: [PATCH] Lots of fixes for HTTP-01 auth to use POST-as-GET --- getssl | 43 +++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/getssl b/getssl index 78c10a3..80730c6 100755 --- a/getssl +++ b/getssl @@ -279,7 +279,7 @@ check_challenge_completion() { # checks with the ACME server if our challenge is keyauthorization=$3 debug "sending request to ACME server saying we're ready for challenge" - send_signed_request "$uri" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" + send_signed_request "$uri" "{}" # check response from our request to perform challenge if [[ $API -eq 1 ]]; then @@ -294,10 +294,8 @@ check_challenge_completion() { # checks with the ACME server if our challenge is # loop "forever" to keep checking for a response from the ACME server. while true ; do - debug "checking" - if ! get_cr "$uri" ; then - error_exit "$domain:Verify error:$code" - fi + debug "checking if challenge is complete" + send_signed_request "$uri" "" status=$(json_get "$response" status) @@ -853,10 +851,10 @@ get_certificate() { # get certificate for csr, if all domains validated. else # APIv2 send_signed_request "$FinalizeLink" "{\"csr\": \"$der\"}" "needbase64" debug "order link was $OrderLink" - cd=$(curl --user-agent "$CURL_USERAGENT" --silent "$OrderLink") - CertData=$(json_get "$cd" "certificate") + send_signed_request "$OrderLink" "" + CertData=$(json_get "$response" "certificate") debug "CertData is at $CertData" - curl --user-agent "$CURL_USERAGENT" --silent "$CertData" > "$FULL_CHAIN" + send_signed_request "$CertData" "" "" "$FULL_CHAIN" info "Full certificate saved in $FULL_CHAIN" awk -v CERT_FILE="$CERT_FILE" -v CA_CERT="$CA_CERT" 'BEGIN {outfile=CERT_FILE} split_after==1 {outfile=CA_CERT;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > outfile}' "$FULL_CHAIN" info "Certificate saved in $CERT_FILE" @@ -1325,6 +1323,7 @@ set_server_type() { # uses SERVER_TYPE to set REMOTE_PORT and REMOTE_EXTRA REMOTE_PORT=636 elif [[ ${SERVER_TYPE} =~ ^[0-9]+$ ]]; then REMOTE_PORT=${SERVER_TYPE} + REMOTE_EXTRA="CUSTOM-HTTP-PORT" else info "${DOMAIN}: unknown server type \"$SERVER_TYPE\" in SERVER_TYPE" config_errors=true @@ -1335,6 +1334,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p url=$1 payload=$2 needbase64=$3 + outfile=$4 # save response into this file (certificate data) debug url "$url" @@ -1374,8 +1374,8 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p # Build another header which also contains the previously received nonce and encode it as urlbase64 if [[ $API -eq 1 ]]; then - protected='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"', "nonce": "'"${nonce}"'", "url": "'"${url}"'"}' - protected64="$(printf '%s' "${protected}" | urlbase64)" + protected='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"', "nonce": "'"${nonce}"'", "url": "'"${url}"'"}' + protected64="$(printf '%s' "${protected}" | urlbase64)" else # APIv2 if [[ -z "$KID" ]]; then debug "KID is blank, so using jwk" @@ -1384,7 +1384,6 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p else debug "using KID=${KID}" protected="{\"alg\": \"$jwkalg\", \"kid\": \"$KID\",\"nonce\": \"${nonce}\", \"url\": \"${url}\"}" - debug "protected = $protected" protected64="$(printf '%s' "${protected}" | urlbase64)" fi fi @@ -1415,13 +1414,22 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p code="500" loop_limit=5 while [[ "$code" -eq 500 ]]; do - if [[ "$needbase64" ]] ; then + if [[ "$outfile" ]] ; then + $CURL -X POST -H "Content-Type: application/jose+json" --data "$body" "$url" > $outfile + response=$(cat "$outfile") + elif [[ "$needbase64" ]] ; then response=$($CURL -X POST -H "Content-Type: application/jose+json" --data "$body" "$url" | urlbase64) else response=$($CURL -X POST -H "Content-Type: application/jose+json" --data "$body" "$url") fi responseHeaders=$(cat "$CURL_HEADER") + if [[ "$needbase64" && ${response##*()} != "{"* ]]; then + # response is in base64 too, decode + #!FIXME need to use openssl base64 decoder if it exists + response=$(echo "$response" | base64 -d) + fi + debug responseHeaders "$responseHeaders" debug response "$response" code=$(awk ' $1 ~ "^HTTP" {print $2}' "$CURL_HEADER" | tail -1) @@ -1430,7 +1438,9 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p response_status=$(json_get "$response" status \ | head -1| awk -F'"' '{print $2}') else # APIv2 - if [[ ${response##*()} == "{"* ]]; then + if [[ "$output" && "$response" ]]; then + debug "response written to $outfile" + elif [[ ${response##*()} == "{"* ]]; then response_status=$(json_get "$response" status) else debug "response not in json format" @@ -1915,6 +1925,7 @@ else info "unknown API version" graceful_exit fi +debug "Using API v$API" # if check_remote is true then connect and obtain the current certificate (if not forcing renewal) if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then @@ -2271,7 +2282,11 @@ for d in $alldomains; do done umask "$ORIG_UMASK" - wellknown_url="${CHALLENGE_CHECK_TYPE}://$d/.well-known/acme-challenge/$token" + if [[ "$REMOTE_EXTRA" = "CUSTOM-HTTP-PORT" ]]; then + wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}:${REMOTE_PORT}/.well-known/acme-challenge/$token" + else + wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}/.well-known/acme-challenge/$token" + fi debug wellknown_url "$wellknown_url" if [[ "$SKIP_HTTP_TOKEN_CHECK" == "true" ]]; then