|
|
|
@ -102,10 +102,11 @@ |
|
|
|
# 2016-08-25 updated defaults for ACME agreement (1.36) |
|
|
|
# 2016-09-04 correct issue #101 when some domains already validated (1.37) |
|
|
|
# 2016-09-12 Checks if which is installed (1.38) |
|
|
|
# 2016-09-13 Only check for updates, if "-u" parameter has been given (1.39) |
|
|
|
# --------------------------------------------------------------------------- |
|
|
|
|
|
|
|
PROGNAME=${0##*/} |
|
|
|
VERSION="1.38" |
|
|
|
VERSION="1.39" |
|
|
|
|
|
|
|
# defaults |
|
|
|
CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl" |
|
|
|
@ -208,21 +209,14 @@ check_getssl_upgrade() { # check if a more recent version of code is available a |
|
|
|
debug "Most recent version is ${latestversion}" |
|
|
|
# use a default of 0 for cases where the latest code has not been obtained. |
|
|
|
if [ "${latestvdec:-0}" -gt "$localvdec" ]; then |
|
|
|
if [ ${_UPGRADE} -eq 1 ]; then |
|
|
|
temp_upgrade="$(mktemp)" |
|
|
|
echo "$latestcode" > "$temp_upgrade" |
|
|
|
install "$0" "${0}.v${VERSION}" |
|
|
|
install "$temp_upgrade" "$0" |
|
|
|
rm -f "$temp_upgrade" |
|
|
|
echo "Updated getssl from v${VERSION} to v${latestversion}" |
|
|
|
eval "$ORIGCMD" |
|
|
|
graceful_exit |
|
|
|
else |
|
|
|
info "" |
|
|
|
info "A more recent version (v${latestversion}) of getssl is available, please update" |
|
|
|
info "the easiest way is to use the -u or --upgrade flag" |
|
|
|
info "" |
|
|
|
fi |
|
|
|
temp_upgrade="$(mktemp)" |
|
|
|
echo "$latestcode" > "$temp_upgrade" |
|
|
|
install "$0" "${0}.v${VERSION}" |
|
|
|
install "$temp_upgrade" "$0" |
|
|
|
rm -f "$temp_upgrade" |
|
|
|
echo "Updated getssl from v${VERSION} to v${latestversion}" |
|
|
|
eval "$ORIGCMD" |
|
|
|
graceful_exit |
|
|
|
fi |
|
|
|
} |
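Review bot: With the `_UPGRADE` branch removed, the rest of this hunk overwrites `$0` with whatever `$latestcode` holds as soon as the version compare passes, and nothing between `mktemp` and `install "$temp_upgrade" "$0"` checks that the download is a complete, parseable script — a truncated body would replace the working copy and then be `eval`ed via `$ORIGCMD` (how `latestversion` is derived from the download is outside the hunk). A cheap guard before the first `install` is `bash -n "$temp_upgrade" || { rm -f "$temp_upgrade"; info "downloaded code failed a syntax check, upgrade skipped"; return 1; }`. Writing the body with `printf '%s\n' "$latestcode" > "$temp_upgrade"` instead of `echo` avoids `echo` mangling a leading `-` or backslash sequences on some shells. Since the function now depends on the caller's `-u` gate, a comment such as `# Unconditionally replaces $0 when a newer version exists; only call when _UPGRADE is set` documents the new precondition. The function header and the code that fetches `latestcode` lie before this hunk.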
|
|
|
|
|
|
|
@ -273,12 +267,12 @@ copy_file_to_location() { # copies a file, using scp if required. |
|
|
|
debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile" |
|
|
|
debug "from dir=$fromdir file=$fromfile" |
|
|
|
ftp -n <<- _EOF |
|
|
|
open $ftphost |
|
|
|
user $ftpuser $ftppass |
|
|
|
cd $ftpdirn |
|
|
|
lcd $fromdir |
|
|
|
put $fromfile |
|
|
|
_EOF |
|
|
|
open $ftphost |
|
|
|
user $ftpuser $ftppass |
|
|
|
cd $ftpdirn |
|
|
|
lcd $fromdir |
|
|
|
put $fromfile |
|
|
|
_EOF |
|
|
|
elif [[ "${to:0:5}" == "sftp:" ]] ; then |
|
|
|
debug "using sftp to copy the file from $from" |
|
|
|
ftpuser=$(echo "$to"| awk -F: '{print $2}') |
|
|
|
@ -292,10 +286,10 @@ copy_file_to_location() { # copies a file, using scp if required. |
|
|
|
debug "sftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile" |
|
|
|
debug "from dir=$fromdir file=$fromfile" |
|
|
|
sshpass -p "$ftppass" sftp "$ftpuser@$ftphost" <<- _EOF |
|
|
|
cd $ftpdirn |
|
|
|
lcd $fromdir |
|
|
|
put $fromfile |
|
|
|
_EOF |
|
|
|
cd $ftpdirn |
|
|
|
lcd $fromdir |
|
|
|
put $fromfile |
|
|
|
_EOF |
|
|
|
else |
|
|
|
mkdir -p "$(dirname "$to")" |
|
|
|
if [ $? -gt 0 ]; then |
|
|
|
@ -358,22 +352,22 @@ graceful_exit() { # normal exit function. |
|
|
|
|
|
|
|
help_message() { # print out the help message |
|
|
|
cat <<- _EOF_ |
|
|
|
$PROGNAME ver. $VERSION |
|
|
|
Obtain SSL certificates from the letsencrypt.org ACME server |
|
|
|
|
|
|
|
$(usage) |
|
|
|
|
|
|
|
Options: |
|
|
|
-h, --help Display this help message and exit |
|
|
|
-d, --debug Outputs debug information |
|
|
|
-c, --create Create default config files |
|
|
|
-f, --force Force renewal of cert (overrides expiry checks) |
|
|
|
-a, --all Check all certificates |
|
|
|
-q, --quiet Quiet mode (only outputs on error, or succcess of new cert) |
|
|
|
-u, --upgrade Upgrade getssl if a more recent version is available |
|
|
|
-w working_dir Working directory |
|
|
|
|
|
|
|
_EOF_ |
|
|
|
$PROGNAME ver. $VERSION |
|
|
|
Obtain SSL certificates from the letsencrypt.org ACME server |
|
|
|
|
|
|
|
$(usage) |
|
|
|
|
|
|
|
Options: |
|
|
|
-h, --help Display this help message and exit |
|
|
|
-d, --debug Outputs debug information |
|
|
|
-c, --create Create default config files |
|
|
|
-f, --force Force renewal of cert (overrides expiry checks) |
|
|
|
-a, --all Check all certificates |
|
|
|
-q, --quiet Quiet mode (only outputs on error, or succcess of new cert) |
|
|
|
-u, --upgrade Upgrade getssl if a more recent version is available |
|
|
|
-w working_dir Working directory |
|
|
|
|
|
|
|
_EOF_ |
|
|
|
} |
|
|
|
|
|
|
|
hex2bin() { # Remove spaces, add leading zero, escape as hex string and parse with printf |
|
|
|
@ -526,122 +520,122 @@ usage() { # program usage |
|
|
|
|
|
|
|
write_domain_template() { # write out a template file for a domain. |
|
|
|
cat > "$1" <<- _EOF_domain_ |
|
|
|
# Uncomment and modify any variables you need |
|
|
|
# see https://github.com/srvrco/getssl/wiki/Config-variables for details |
|
|
|
# |
|
|
|
# The staging server is best for testing |
|
|
|
#CA="https://acme-staging.api.letsencrypt.org" |
|
|
|
# This server issues full certificates, however has rate limits |
|
|
|
#CA="https://acme-v01.api.letsencrypt.org" |
|
|
|
|
|
|
|
#AGREEMENT="$AGREEMENT" |
|
|
|
|
|
|
|
# Set an email address associated with your account - generally set at account level rather than domain. |
|
|
|
#ACCOUNT_EMAIL="me@example.com" |
|
|
|
#ACCOUNT_KEY_LENGTH=4096 |
|
|
|
#ACCOUNT_KEY="$WORKING_DIR/account.key" |
|
|
|
PRIVATE_KEY_ALG="rsa" |
|
|
|
|
|
|
|
# Additional domains - this could be multiple domains / subdomains in a comma separated list |
|
|
|
# Note: this is Additional domains - so should not include the primary domain. |
|
|
|
SANS=${EX_SANS} |
|
|
|
|
|
|
|
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain. |
|
|
|
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location. |
|
|
|
# An ssh key will be needed to provide you with access to the remote server. |
|
|
|
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location |
|
|
|
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" |
|
|
|
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. |
|
|
|
#ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
|
|
|
# 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
|
|
|
# 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') |
|
|
|
|
|
|
|
#Enable use of a single ACL for all checks |
|
|
|
#USE_SINGLE_ACL="true" |
|
|
|
|
|
|
|
# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL |
|
|
|
#DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt" |
|
|
|
#DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key" |
|
|
|
#CA_CERT_LOCATION="/etc/ssl/chain.crt" |
|
|
|
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert |
|
|
|
#DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert |
|
|
|
#DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert |
|
|
|
|
|
|
|
# The command needed to reload apache / nginx or whatever you use |
|
|
|
#RELOAD_CMD="" |
|
|
|
# The time period within which you want to allow renewal of a certificate |
|
|
|
# this prevents hitting some of the rate limits. |
|
|
|
RENEW_ALLOW="30" |
|
|
|
|
|
|
|
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, |
|
|
|
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which |
|
|
|
# will be checked for certificate expiry and also will be checked after |
|
|
|
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true |
|
|
|
#SERVER_TYPE="https" |
|
|
|
#CHECK_REMOTE="true" |
|
|
|
|
|
|
|
# Use the following 3 variables if you want to validate via DNS |
|
|
|
#VALIDATE_VIA_DNS="true" |
|
|
|
#DNS_ADD_COMMAND= |
|
|
|
#DNS_DEL_COMMAND= |
|
|
|
#AUTH_DNS_SERVER="" |
|
|
|
#DNS_WAIT=10 |
|
|
|
#DNS_EXTRA_WAIT=60 |
|
|
|
_EOF_domain_ |
|
|
|
# Uncomment and modify any variables you need |
|
|
|
# see https://github.com/srvrco/getssl/wiki/Config-variables for details |
|
|
|
# |
|
|
|
# The staging server is best for testing |
|
|
|
#CA="https://acme-staging.api.letsencrypt.org" |
|
|
|
# This server issues full certificates, however has rate limits |
|
|
|
#CA="https://acme-v01.api.letsencrypt.org" |
|
|
|
|
|
|
|
#AGREEMENT="$AGREEMENT" |
|
|
|
|
|
|
|
# Set an email address associated with your account - generally set at account level rather than domain. |
|
|
|
#ACCOUNT_EMAIL="me@example.com" |
|
|
|
#ACCOUNT_KEY_LENGTH=4096 |
|
|
|
#ACCOUNT_KEY="$WORKING_DIR/account.key" |
|
|
|
PRIVATE_KEY_ALG="rsa" |
|
|
|
|
|
|
|
# Additional domains - this could be multiple domains / subdomains in a comma separated list |
|
|
|
# Note: this is Additional domains - so should not include the primary domain. |
|
|
|
SANS=${EX_SANS} |
|
|
|
|
|
|
|
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain. |
|
|
|
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location. |
|
|
|
# An ssh key will be needed to provide you with access to the remote server. |
|
|
|
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location |
|
|
|
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" |
|
|
|
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. |
|
|
|
#ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
|
|
|
# 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' |
|
|
|
# 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') |
|
|
|
|
|
|
|
#Enable use of a single ACL for all checks |
|
|
|
#USE_SINGLE_ACL="true" |
|
|
|
|
|
|
|
# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL |
|
|
|
#DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt" |
|
|
|
#DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key" |
|
|
|
#CA_CERT_LOCATION="/etc/ssl/chain.crt" |
|
|
|
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert |
|
|
|
#DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert |
|
|
|
#DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert |
|
|
|
|
|
|
|
# The command needed to reload apache / nginx or whatever you use |
|
|
|
#RELOAD_CMD="" |
|
|
|
# The time period within which you want to allow renewal of a certificate |
|
|
|
# this prevents hitting some of the rate limits. |
|
|
|
RENEW_ALLOW="30" |
|
|
|
|
|
|
|
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, |
|
|
|
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which |
|
|
|
# will be checked for certificate expiry and also will be checked after |
|
|
|
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true |
|
|
|
#SERVER_TYPE="https" |
|
|
|
#CHECK_REMOTE="true" |
|
|
|
|
|
|
|
# Use the following 3 variables if you want to validate via DNS |
|
|
|
#VALIDATE_VIA_DNS="true" |
|
|
|
#DNS_ADD_COMMAND= |
|
|
|
#DNS_DEL_COMMAND= |
|
|
|
#AUTH_DNS_SERVER="" |
|
|
|
#DNS_WAIT=10 |
|
|
|
#DNS_EXTRA_WAIT=60 |
|
|
|
_EOF_domain_ |
|
|
|
} |
|
|
|
|
|
|
|
write_getssl_template() { # write out the main template file |
|
|
|
cat > "$1" <<- _EOF_getssl_ |
|
|
|
# Uncomment and modify any variables you need |
|
|
|
# see https://github.com/srvrco/getssl/wiki/Config-variables for details |
|
|
|
# |
|
|
|
# The staging server is best for testing (hence set as default) |
|
|
|
CA="https://acme-staging.api.letsencrypt.org" |
|
|
|
# This server issues full certificates, however has rate limits |
|
|
|
#CA="https://acme-v01.api.letsencrypt.org" |
|
|
|
|
|
|
|
#AGREEMENT="$AGREEMENT" |
|
|
|
|
|
|
|
# Set an email address associated with your account - generally set at account level rather than domain. |
|
|
|
#ACCOUNT_EMAIL="me@example.com" |
|
|
|
ACCOUNT_KEY_LENGTH=4096 |
|
|
|
ACCOUNT_KEY="$WORKING_DIR/account.key" |
|
|
|
PRIVATE_KEY_ALG="rsa" |
|
|
|
|
|
|
|
# The command needed to reload apache / nginx or whatever you use |
|
|
|
#RELOAD_CMD="" |
|
|
|
# The time period within which you want to allow renewal of a certificate |
|
|
|
# this prevents hitting some of the rate limits. |
|
|
|
RENEW_ALLOW="30" |
|
|
|
|
|
|
|
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, |
|
|
|
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which |
|
|
|
# will be checked for certificate expiry and also will be checked after |
|
|
|
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true |
|
|
|
SERVER_TYPE="https" |
|
|
|
CHECK_REMOTE="true" |
|
|
|
|
|
|
|
# openssl config file. The default should work in most cases. |
|
|
|
SSLCONF="$SSLCONF" |
|
|
|
|
|
|
|
# Use the following 3 variables if you want to validate via DNS |
|
|
|
#VALIDATE_VIA_DNS="true" |
|
|
|
#DNS_ADD_COMMAND= |
|
|
|
#DNS_DEL_COMMAND= |
|
|
|
#AUTH_DNS_SERVER="" |
|
|
|
#DNS_WAIT=10 |
|
|
|
#DNS_EXTRA_WAIT=60 |
|
|
|
_EOF_getssl_ |
|
|
|
# Uncomment and modify any variables you need |
|
|
|
# see https://github.com/srvrco/getssl/wiki/Config-variables for details |
|
|
|
# |
|
|
|
# The staging server is best for testing (hence set as default) |
|
|
|
CA="https://acme-staging.api.letsencrypt.org" |
|
|
|
# This server issues full certificates, however has rate limits |
|
|
|
#CA="https://acme-v01.api.letsencrypt.org" |
|
|
|
|
|
|
|
#AGREEMENT="$AGREEMENT" |
|
|
|
|
|
|
|
# Set an email address associated with your account - generally set at account level rather than domain. |
|
|
|
#ACCOUNT_EMAIL="me@example.com" |
|
|
|
ACCOUNT_KEY_LENGTH=4096 |
|
|
|
ACCOUNT_KEY="$WORKING_DIR/account.key" |
|
|
|
PRIVATE_KEY_ALG="rsa" |
|
|
|
|
|
|
|
# The command needed to reload apache / nginx or whatever you use |
|
|
|
#RELOAD_CMD="" |
|
|
|
# The time period within which you want to allow renewal of a certificate |
|
|
|
# this prevents hitting some of the rate limits. |
|
|
|
RENEW_ALLOW="30" |
|
|
|
|
|
|
|
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, |
|
|
|
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which |
|
|
|
# will be checked for certificate expiry and also will be checked after |
|
|
|
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true |
|
|
|
SERVER_TYPE="https" |
|
|
|
CHECK_REMOTE="true" |
|
|
|
|
|
|
|
# openssl config file. The default should work in most cases. |
|
|
|
SSLCONF="$SSLCONF" |
|
|
|
|
|
|
|
# Use the following 3 variables if you want to validate via DNS |
|
|
|
#VALIDATE_VIA_DNS="true" |
|
|
|
#DNS_ADD_COMMAND= |
|
|
|
#DNS_DEL_COMMAND= |
|
|
|
#AUTH_DNS_SERVER="" |
|
|
|
#DNS_WAIT=10 |
|
|
|
#DNS_EXTRA_WAIT=60 |
|
|
|
_EOF_getssl_ |
|
|
|
} |
|
|
|
|
|
|
|
write_openssl_conf() { # write out a minimal openssl conf |
|
|
|
cat > "$1" <<- _EOF_openssl_conf_ |
|
|
|
# minimal openssl.cnf file |
|
|
|
distinguished_name = req_distinguished_name |
|
|
|
[ req_distinguished_name ] |
|
|
|
[v3_req] |
|
|
|
[v3_ca] |
|
|
|
_EOF_openssl_conf_ |
|
|
|
# minimal openssl.cnf file |
|
|
|
distinguished_name = req_distinguished_name |
|
|
|
[ req_distinguished_name ] |
|
|
|
[v3_req] |
|
|
|
[v3_ca] |
|
|
|
_EOF_openssl_conf_ |
|
|
|
} |
|
|
|
|
|
|
|
# Trap signals |
|
|
|
@ -699,8 +693,8 @@ else |
|
|
|
requires grep |
|
|
|
fi |
|
|
|
|
|
|
|
# Check if upgrades are available |
|
|
|
check_getssl_upgrade |
|
|
|
# Check if upgrades are available, if asked for |
|
|
|
[[ $_UPGRADE -eq 1 ]] && check_getssl_upgrade |
|
|
|
|
|
|
|
# get latest agreement from CA (as default) |
|
|
|
AGREEMENT=$(curl -I ${CA}/terms 2>/dev/null | grep "Location:" | awk '{print $2}'|os_sed 's/\r//') |
|
|
|
@ -1144,13 +1138,13 @@ for d in $alldomains; do |
|
|
|
|
|
|
|
# generate a file with the current variables for the dns-challenge |
|
|
|
cat > "$TEMP_DIR/dns_verify/$d" <<- _EOF_ |
|
|
|
token="${token}" |
|
|
|
uri="${uri}" |
|
|
|
keyauthorization="${keyauthorization}" |
|
|
|
d="${d}" |
|
|
|
primary_ns="${primary_ns}" |
|
|
|
auth_key="${auth_key}" |
|
|
|
_EOF_ |
|
|
|
token="${token}" |
|
|
|
uri="${uri}" |
|
|
|
keyauthorization="${keyauthorization}" |
|
|
|
d="${d}" |
|
|
|
primary_ns="${primary_ns}" |
|
|
|
auth_key="${auth_key}" |
|
|
|
_EOF_ |
|
|
|
|
|
|
|
else # set up the correct http token for verification |
|
|
|
# get the http component of the ACME response |
|
|
|
@ -1206,11 +1200,11 @@ for d in $alldomains; do |
|
|
|
ftplocn=$(echo "${DOMAIN_ACL}"| awk -F: '{print $5}') |
|
|
|
debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost loction=$ftplocn" |
|
|
|
ftp -n <<- EOF |
|
|
|
open $ftphost |
|
|
|
user $ftpuser $ftppass |
|
|
|
cd $ftplocn |
|
|
|
delete ${token:?} |
|
|
|
EOF |
|
|
|
open $ftphost |
|
|
|
user $ftpuser $ftppass |
|
|
|
cd $ftplocn |
|
|
|
delete ${token:?} |
|
|
|
EOF |
|
|
|
else |
|
|
|
rm -f "${DOMAIN_ACL:?}/${token:?}" |
|
|
|
fi |
|
|
|
|