diff --git a/getssl b/getssl index 0bdf91e..a359f98 100755 --- a/getssl +++ b/getssl @@ -69,10 +69,11 @@ # 2016-06-13 bugfix of issue 45, problem with SERVER_TYPE when it's just a port number (1.03) # 2016-06-13 bugfix issue 47 - DNS_DEL_COMMAND cleanup was run when not required. (1.04) # 2016-06-15 add error checking on RELOAD_CMD (1.05) +# 2016-06-20 updated sed and date functions to run on MAC OS X (1.06) # --------------------------------------------------------------------------- PROGNAME=${0##*/} -VERSION="1.05" +VERSION="1.06" # defaults CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl" @@ -105,9 +106,9 @@ ORIGCMD="$0 $*" cert_archive() { # Archive certificate file by copying with dates at end. certfile=$1 enddate=$(openssl x509 -in "$certfile" -noout -enddate 2>/dev/null| cut -d= -f 2-) - formatted_enddate=$(date -d "${enddate}" +%F) + formatted_enddate=$(os_date -d "${enddate}" +%F) startdate=$(openssl x509 -in "$certfile" -noout -startdate 2>/dev/null| cut -d= -f 2-) - formatted_startdate=$(date -d "${startdate}" +%F) + formatted_startdate=$(os_date -d "${startdate}" +%F) mv "${certfile}" "${certfile}_${formatted_startdate}_${formatted_enddate}" info "archiving old certificate file to ${certfile}_${formatted_startdate}_${formatted_enddate}" } @@ -295,6 +296,19 @@ getcr() { # get curl response return $ret } +get_os() { # function to get the current Operating System + if [[ $(uname) == "Linux" ]]; then + os="linux" + elif [[ $(uname) == "FreeBSD" ]]; then + os="bsd" + elif [[ $(uname) == "Darwin" ]]; then + os="mac" + else + os="unknown" + fi + debug "detected os type = $os" +} + graceful_exit() { # normal exit function. clean_up exit 
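Review bot: get_os classifies only `FreeBSD` as `bsd`, so OpenBSD and NetBSD, which report their own name from `uname`, fall into `unknown` and are later given `sed -r` by os_sed_e, an option the non-GNU sed on those systems does not accept. The function also forks `uname` three times to answer one question and writes the global `os` without saying so in its header comment. A single `case` on one `$(uname)` result fixes both; note that `uname` itself is not in the `requires` list in the main-logic hunk, although it is present on every system this script targets.
```shell
get_os() { # detect the current Operating System (sets the global: os)
  case "$(uname)" in
    Linux)  os="linux" ;;
    *BSD)   os="bsd" ;;
    Darwin) os="mac" ;;
    *)      os="unknown" ;;
  esac
  debug "detected os type = $os"
}
```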
@@ -321,7 +335,7 @@ help_message() { # print out the help message } hex2bin() { # Remove spaces, add leading zero, escape as hex string and parse with printf - printf -- "$(cat | os_sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')" + printf -- "$(cat | os_sed_e -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')" } info() { # write out info as long as the quiet flag has not been set. @@ -330,11 +344,29 @@ info() { # write out info as long as the quiet flag has not been set. fi } +os_date() { # use different date version for different os types + if [[ "$os" == "mac" ]]; then + gdate "${@}" + else + date "${@}" + fi +} + os_sed() { # Use different sed version for different os types... - if [[ "$OSTYPE" == "linux-gnu" ]]; then - sed -r "${@}" + if [[ "$os" == "mac" ]]; then # MAC so use gsed + gsed "${@}" else + sed "${@}" + fi +} + +os_sed_e() { # Use different sed version for different os types (extended regex) + if [[ "$os" == "bsd" ]]; then # BSD required -E flag for extended regex sed -E "${@}" + elif [[ "$os" == "mac" ]]; then # MAC so use gsed + gsed -r "${@}" + else + sed -r "${@}" fi } @@ -389,7 +421,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p # get nonce from ACME server nonceurl="$CA/directory" - nonce=$($CURL -I $nonceurl | grep "^Replay-Nonce:" | sed s/\\r//|sed s/\\n//| cut -d ' ' -f 2) + nonce=$($CURL -I $nonceurl | grep "^Replay-Nonce:" | os_sed s/\\r//|os_sed s/\\n//| cut -d ' ' -f 2) debug nonce "$nonce" @@ -414,7 +446,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p response=$($CURL -X POST --data "$body" "$url") fi - responseHeaders=$(sed 's/\r//g' "$CURL_HEADER") + responseHeaders=$(os_sed 's/\r//g' "$CURL_HEADER") debug responseHeaders "$responseHeaders" debug response "$response" code=$(grep ^HTTP "$CURL_HEADER" | tail -1 | cut -d " " -f 2) 
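Review bot: os_date only special-cases `mac`; for `bsd` it falls through to `date -d`, but BSD date does not take `-d` as a parse-date option, so the `os_date -d "$enddate" +%s` calls in cert_archive and in the renewal checks in the later hunks will not work on FreeBSD even though get_os now detects it. Either route `bsd` to `gdate "${@}"` as well and add `requires gdate` to the matching branch of the requires block in the main-logic hunk, or state the assumption in the function header, e.g. `# assumes GNU date semantics (-d); BSD date needs coreutils gdate`. Separately, the `else` branch of os_sed_e passes `-r`, the GNU spelling, to whatever sed is present, and the `unknown` case lands there too; `sed -E "${@}"` is the safer default since current GNU sed accepts `-E` as well.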
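Review bot: In the nonce line, the second substitution `os_sed s/\\n//` is a no-op, because sed processes one line at a time with the trailing newline already removed, so only the `\r` removal does any work. `tr -d '\r\n'` states the intent in one step and avoids the sed-dialect indirection entirely: `nonce=$($CURL -I $nonceurl | grep "^Replay-Nonce:" | tr -d '\r\n' | cut -d ' ' -f 2)`. The rest of send_signed_request lies outside this hunk.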
@@ -434,7 +466,7 @@ signal_exit() { # Handle trapped signals } urlbase64() { # urlbase64: base64 encoded string with '+' replaced with '-' and '/' replaced with '_' - openssl base64 -e | tr -d '\n\r' | os_sed -e 's:=*$::g' -e 'y:+/:-_:' + openssl base64 -e | tr -d '\n\r' | os_sed_e -e 's:=*$::g' -e 'y:+/:-_:' } usage() { # program usage @@ -582,15 +614,24 @@ done # Main logic +# Get the current OS, so the correct functions can ve used for that OS. (sets the variable os) +get_os + #check if required applications are included requires openssl requires curl requires nslookup -requires sed requires grep requires awk requires tr +if [[ "$os" == "mac" ]]; then # mac so use gsed + requires gsed + requires gdate +else + requires sed + requires date +fi # Check if upgrades are available check_getssl_upgrade @@ -681,7 +722,7 @@ if [ ${_CREATE_CONFIG} -eq 1 ]; then echo "$EX_CERT" > "$DOMAIN_DIR/${DOMAIN}.crt" fi EX_SANS=$(echo "$EX_CERT" | openssl x509 -noout -text 2>/dev/null| grep "Subject Alternative Name" -A2 \ - | grep -Eo "DNS:[a-zA-Z 0-9.-]*" | sed "s@DNS:$DOMAIN@@g" | grep -v '^$' | cut -c 5-) + | grep -Eo "DNS:[a-zA-Z 0-9.-]*" | os_sed "s@DNS:$DOMAIN@@g" | grep -v '^$' | cut -c 5-) EX_SANS=${EX_SANS//$'\n'/','} fi write_domain_template "$DOMAIN_DIR/getssl.cfg" 
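Review bot: urlbase64 now routes `-e 's:=*$::g' -e 'y:+/:-_:'` through os_sed_e, while the identical expression inline in the DNS-challenge hunk (`auth_key=... | os_sed -e 's:=*$::g' -e 'y:+/:-_:'`) goes through plain os_sed; both expressions are basic-regex safe, so the results agree, but the split reads as if the two needed different sed modes. That inline copy also duplicates the function body (`openssl base64 -e | tr -d '\n\r' | …`); replacing it with `auth_key=$(printf '%s' "$keyauthorization" | openssl sha -sha256 -binary | urlbase64)` keeps a single definition of the URL-safe encoding.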
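Review bot: The new comment above the `get_os` call has a typo, `can ve used` for `can be used`; suggested wording: `# Detect the current OS so the matching helper functions are used (sets the variable os).`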
@@ -738,12 +779,12 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [ $_FORCE_RENEW -eq 0 ]; then debug "certificate on server is same as the local cert" else # check if the certificate is for the right domain - EX_CERT_DOMAIN=$(echo "$EX_CERT" | openssl x509 -noout -subject | sed s/.*CN=//) + EX_CERT_DOMAIN=$(echo "$EX_CERT" | openssl x509 -noout -subject | os_sed s/.*CN=//) if [ "$EX_CERT_DOMAIN" == "$DOMAIN" ]; then # check renew-date on ex_cert and compare to local ( if local exists) enddate_ex=$(echo "$EX_CERT" | openssl x509 -noout -enddate 2>/dev/null| cut -d= -f 2-) enddate_lc=$(openssl x509 -noout -enddate < "$CERT_FILE" 2>/dev/null| cut -d= -f 2-) - if [ "$(date -d "$enddate_ex" +%s)" -gt "$(date -d "$enddate_lc" +%s)" ]; then + if [ "$(os_date -d "$enddate_ex" +%s)" -gt "$(os_date -d "$enddate_lc" +%s)" ]; then # remote has longer to expiry date than local copy. # archive local copy and save remote to local cert_archive "$CERT_FILE" @@ -786,7 +827,7 @@ if [ -f "$CERT_FILE" ]; then enddate=$(openssl x509 -in "$CERT_FILE" -noout -enddate 2>/dev/null| cut -d= -f 2-) debug "enddate is $enddate" if [[ "$enddate" != "-" ]]; then - if [[ $(date -d "${RENEW_ALLOW} days" +%s) -lt $(date -d "$enddate" +%s) ]]; then + if [[ $(os_date -d "${RENEW_ALLOW} days" +%s) -lt $(os_date -d "$enddate" +%s) ]]; then info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)" # everything is OK, so exit. graceful_exit @@ -832,7 +873,7 @@ fi debug "created SAN list = $SANLIST" # check nslookup for domains -alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") +alldomains=$(echo "$DOMAIN,$SANS" | os_sed "s/,/ /g") if [[ $VALIDATE_VIA_DNS != "true" ]]; then for d in $alldomains; do debug "checking nslookup for ${d}" 
@@ -907,7 +948,7 @@ fi info "Verify each domain" # loop through domains for cert ( from SANS list) -alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") +alldomains=$(echo "$DOMAIN,$SANS" | os_sed "s/,/ /g") dn=0 for d in $alldomains; do # $d is domain in current loop, which is number $dn for ACL @@ -944,17 +985,17 @@ for d in $alldomains; do debug dns01 "$dns01" # get the token from the dns component - token=$(echo "$dns01" | sed 's/,/\n'/g| grep '"token":'| cut -d '"' -f 4) + token=$(echo "$dns01" | os_sed 's/,/\n'/g| grep '"token":'| cut -d '"' -f 4) debug token "$token" - uri=$(echo "$dns01" | sed 's/,/\n'/g| grep '"uri":'| cut -d '"' -f 4) + uri=$(echo "$dns01" | os_sed 's/,/\n'/g| grep '"uri":'| cut -d '"' -f 4) debug uri "$uri" keyauthorization="$token.$thumbprint" debug keyauthorization "$keyauthorization" #create signed authorization key from token. - auth_key=$(printf '%s' "$keyauthorization" | openssl sha -sha256 -binary | openssl base64 -e | tr -d '\n\r' | sed -e 's:=*$::g' -e 'y:+/:-_:') + auth_key=$(printf '%s' "$keyauthorization" | openssl sha -sha256 -binary | openssl base64 -e | tr -d '\n\r' | os_sed -e 's:=*$::g' -e 'y:+/:-_:') debug auth_key "$auth_key" debug "adding dns via command: $DNS_ADD_COMMAND $d $auth_key" @@ -996,10 +1037,10 @@ for d in $alldomains; do debug http01 "$http01" # get the token from the http component - token=$(echo "$http01" | sed 's/,/\n'/g| grep '"token":'| cut -d '"' -f 4) + token=$(echo "$http01" | os_sed 's/,/\n'/g| grep '"token":'| cut -d '"' -f 4) debug token "$token" - uri=$(echo "$http01" | sed 's/,/\n'/g| grep '"uri":'| cut -d '"' -f 4) + uri=$(echo "$http01" | os_sed 's/,/\n'/g| grep '"uri":'| cut -d '"' -f 4) debug uri "$uri" #create signed authorization key from token. 
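Review bot: In the token and uri lines, the quoting `'s/,/\n'/g` leaves the `/g` flag outside the single quotes; the shell concatenates the pieces so it works, but it reads as a mistake, and the same form is repeated in the http01 hunk below. Write it as `'s/,/\n/g'` in both places. Whether a non-GNU sed honours `\n` in the replacement is dialect-dependent, so on the `bsd` path, where os_sed still calls the system sed, this split may not yield separate lines; worth checking on FreeBSD. The `for d in $alldomains` loop enclosing these lines starts outside the hunk.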
@@ -1110,7 +1151,7 @@ debug "der $der"
 send_signed_request "$CA/acme/new-cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"
 
 # convert certificate information into correct format and save to file.
-CertData=$(grep -i -o '^Location.*' "$CURL_HEADER" |sed 's/\r//g'| cut -d " " -f 2)
+CertData=$(grep -i -o '^Location.*' "$CURL_HEADER" |os_sed 's/\r//g'| cut -d " " -f 2)
 if [ "$CertData" ] ; then
   echo -----BEGIN CERTIFICATE----- > "$CERT_FILE"
   curl --silent "$CertData" | openssl base64 -e >> "$CERT_FILE"
@@ -1126,7 +1167,7 @@ if [ -z "$CertData" ] ; then
 fi
 
 # get a copy of the CA certificate.
-IssuerData=$(grep -i '^Link' "$CURL_HEADER" | cut -d " " -f 2| cut -d ';' -f 1 | sed 's///g')
+IssuerData=$(grep -i '^Link' "$CURL_HEADER" | cut -d " " -f 2| cut -d ';' -f 1 | os_sed 's///g')
 if [ "$IssuerData" ] ; then
   echo -----BEGIN CERTIFICATE----- > "$CA_CERT"
   curl --silent "$IssuerData" | openssl base64 -e >> "$CA_CERT"
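Review bot: The IssuerData line's expression appears here as `os_sed 's///g'`, an empty regex that GNU sed rejects with "no previous regular expression"; if characters (presumably the `<` and `>` that bracket the URL in a Link header) were dropped when this page was rendered, the line is fine, otherwise the pattern needs restoring before the helper rename is meaningful. Worth confirming against the file itself rather than this view.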