diff --git a/getssl b/getssl
index 33567cd..65f5137 100755
--- a/getssl
+++ b/getssl
@@ -102,10 +102,11 @@
 # 2016-08-25 updated defaults for ACME agreement (1.36)
 # 2016-09-04 correct issue #101 when some domains already validated (1.37)
 # 2016-09-12 Checks if which is installed (1.38)
+# 2016-09-13 Only check for updates, if "-u" parameter has been given (1.39)
 # ---------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="1.38"
+VERSION="1.39"
 # defaults
 CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@@ -208,21 +209,14 @@ check_getssl_upgrade() { # check if a more recent version of code is available a
 debug "Most recent version is ${latestversion}"
 # use a default of 0 for cases where the latest code has not been obtained.
 if [ "${latestvdec:-0}" -gt "$localvdec" ]; then
- if [ ${_UPGRADE} -eq 1 ]; then
- temp_upgrade="$(mktemp)"
- echo "$latestcode" > "$temp_upgrade"
- install "$0" "${0}.v${VERSION}"
- install "$temp_upgrade" "$0"
- rm -f "$temp_upgrade"
- echo "Updated getssl from v${VERSION} to v${latestversion}"
- eval "$ORIGCMD"
- graceful_exit
- else
- info ""
- info "A more recent version (v${latestversion}) of getssl is available, please update"
- info "the easiest way is to use the -u or --upgrade flag"
- info ""
- fi
+ temp_upgrade="$(mktemp)"
+ echo "$latestcode" > "$temp_upgrade"
+ install "$0" "${0}.v${VERSION}"
+ install "$temp_upgrade" "$0"
+ rm -f "$temp_upgrade"
+ echo "Updated getssl from v${VERSION} to v${latestversion}"
+ eval "$ORIGCMD"
+ graceful_exit
 fi
 }
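Review bot: The new unconditional path writes `$latestcode` over `$0` and then re-executes `$ORIGCMD` without checking that `mktemp`, the redirection, or either `install` succeeded, and without any sanity check on the downloaded text, so a truncated or otherwise broken download is installed over the running script and immediately run (how `$latestcode` is fetched is outside this hunk, so its integrity appears to rest on whatever transport that fetch uses). If `mktemp` fails, `$temp_upgrade` is empty, `install "" "$0"` fails, and the `eval "$ORIGCMD"` still runs the old script with `-u` and repeats the attempt. The result of `install "$temp_upgrade" "$0"` should gate the re-exec, a `bash -n` pass on the temp file before installing rejects a partial download, and `printf '%s\n'` is safer than `echo` for writing arbitrary script text. The body of check_getssl_upgrade starts before this hunk.
```shell
temp_upgrade="$(mktemp)" || { echo "getssl: mktemp failed, not upgrading" >&2; exit 1; }
printf '%s\n' "$latestcode" > "$temp_upgrade"
# refuse to install a download that does not even parse (truncated/garbled fetch)
if ! bash -n "$temp_upgrade"; then
  rm -f "$temp_upgrade"
  echo "getssl: downloaded v${latestversion} does not parse, not upgrading" >&2
  exit 1
fi
install "$0" "${0}.v${VERSION}" \
  && install "$temp_upgrade" "$0" \
  || { rm -f "$temp_upgrade"; echo "getssl: install failed, not re-running" >&2; exit 1; }
rm -f "$temp_upgrade"
# … unchanged: success message, eval "$ORIGCMD", graceful_exit …
```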
@@ -273,12 +267,12 @@ copy_file_to_location() { # copies a file, using scp if required.
 debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile"
 debug "from dir=$fromdir file=$fromfile"
 ftp -n <<- _EOF
- open $ftphost
- user $ftpuser $ftppass
- cd $ftpdirn
- lcd $fromdir
- put $fromfile
- _EOF
+ open $ftphost
+ user $ftpuser $ftppass
+ cd $ftpdirn
+ lcd $fromdir
+ put $fromfile
+ _EOF
 elif [[ "${to:0:5}" == "sftp:" ]] ; then
 debug "using sftp to copy the file from $from"
 ftpuser=$(echo "$to"| awk -F: '{print $2}')
@@ -292,10 +286,10 @@ copy_file_to_location() { # copies a file, using scp if required.
 debug "sftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile"
 debug "from dir=$fromdir file=$fromfile"
 sshpass -p "$ftppass" sftp "$ftpuser@$ftphost" <<- _EOF
- cd $ftpdirn
- lcd $fromdir
- put $fromfile
- _EOF
+ cd $ftpdirn
+ lcd $fromdir
+ put $fromfile
+ _EOF
 else
 mkdir -p "$(dirname "$to")"
 if [ $? -gt 0 ]; then
@@ -358,22 +352,22 @@ graceful_exit() { # normal exit function.
 help_message() { # print out the help message
 cat <<- _EOF_
- $PROGNAME ver. $VERSION
- Obtain SSL certificates from the letsencrypt.org ACME server
-
- $(usage)
-
- Options:
- -h, --help Display this help message and exit
- -d, --debug Outputs debug information
- -c, --create Create default config files
- -f, --force Force renewal of cert (overrides expiry checks)
- -a, --all Check all certificates
- -q, --quiet Quiet mode (only outputs on error, or succcess of new cert)
- -u, --upgrade Upgrade getssl if a more recent version is available
- -w working_dir Working directory
-
- _EOF_
+ $PROGNAME ver. $VERSION
+ Obtain SSL certificates from the letsencrypt.org ACME server
+
+ $(usage)
+
+ Options:
+ -h, --help Display this help message and exit
+ -d, --debug Outputs debug information
+ -c, --create Create default config files
+ -f, --force Force renewal of cert (overrides expiry checks)
+ -a, --all Check all certificates
+ -q, --quiet Quiet mode (only outputs on error, or succcess of new cert)
+ -u, --upgrade Upgrade getssl if a more recent version is available
+ -w working_dir Working directory
+
+ _EOF_
 }
 hex2bin() { # Remove spaces, add leading zero, escape as hex string and parse with printf
@@ -526,122 +520,122 @@ usage() { # program usage write_domain_template() { # write out a template file for a domain. cat > "$1" <<- _EOF_domain_ - # Uncomment and modify any variables you need - # see https://github.com/srvrco/getssl/wiki/Config-variables for details - # - # The staging server is best for testing - #CA="https://acme-staging.api.letsencrypt.org" - # This server issues full certificates, however has rate limits - #CA="https://acme-v01.api.letsencrypt.org" - - #AGREEMENT="$AGREEMENT" - - # Set an email address associated with your account - generally set at account level rather than domain. - #ACCOUNT_EMAIL="me@example.com" - #ACCOUNT_KEY_LENGTH=4096 - #ACCOUNT_KEY="$WORKING_DIR/account.key" - PRIVATE_KEY_ALG="rsa" - - # Additional domains - this could be multiple domains / subdomains in a comma separated list - # Note: this is Additional domains - so should not include the primary domain. - SANS=${EX_SANS} - - # Acme Challenge Location. The first line for the domain, the following ones for each additional domain. - # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location. - # An ssh key will be needed to provide you with access to the remote server. - # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location - # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" - # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. 
- #ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' - # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' - # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') - - #Enable use of a single ACL for all checks - #USE_SINGLE_ACL="true" - - # Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL - #DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt" - #DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key" - #CA_CERT_LOCATION="/etc/ssl/chain.crt" - #DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert - #DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert - #DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert - - # The command needed to reload apache / nginx or whatever you use - #RELOAD_CMD="" - # The time period within which you want to allow renewal of a certificate - # this prevents hitting some of the rate limits. - RENEW_ALLOW="30" - - # Define the server type. 
This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, - # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which - # will be checked for certificate expiry and also will be checked after - # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true - #SERVER_TYPE="https" - #CHECK_REMOTE="true" - - # Use the following 3 variables if you want to validate via DNS - #VALIDATE_VIA_DNS="true" - #DNS_ADD_COMMAND= - #DNS_DEL_COMMAND= - #AUTH_DNS_SERVER="" - #DNS_WAIT=10 - #DNS_EXTRA_WAIT=60 - _EOF_domain_ + # Uncomment and modify any variables you need + # see https://github.com/srvrco/getssl/wiki/Config-variables for details + # + # The staging server is best for testing + #CA="https://acme-staging.api.letsencrypt.org" + # This server issues full certificates, however has rate limits + #CA="https://acme-v01.api.letsencrypt.org" + + #AGREEMENT="$AGREEMENT" + + # Set an email address associated with your account - generally set at account level rather than domain. + #ACCOUNT_EMAIL="me@example.com" + #ACCOUNT_KEY_LENGTH=4096 + #ACCOUNT_KEY="$WORKING_DIR/account.key" + PRIVATE_KEY_ALG="rsa" + + # Additional domains - this could be multiple domains / subdomains in a comma separated list + # Note: this is Additional domains - so should not include the primary domain. + SANS=${EX_SANS} + + # Acme Challenge Location. The first line for the domain, the following ones for each additional domain. + # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location. + # An ssh key will be needed to provide you with access to the remote server. + # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location + # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" + # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. 
+ #ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' + # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' + # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') + + #Enable use of a single ACL for all checks + #USE_SINGLE_ACL="true" + + # Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL + #DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt" + #DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key" + #CA_CERT_LOCATION="/etc/ssl/chain.crt" + #DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert + #DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert + #DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert + + # The command needed to reload apache / nginx or whatever you use + #RELOAD_CMD="" + # The time period within which you want to allow renewal of a certificate + # this prevents hitting some of the rate limits. + RENEW_ALLOW="30" + + # Define the server type. 
This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, + # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which + # will be checked for certificate expiry and also will be checked after + # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true + #SERVER_TYPE="https" + #CHECK_REMOTE="true" + + # Use the following 3 variables if you want to validate via DNS + #VALIDATE_VIA_DNS="true" + #DNS_ADD_COMMAND= + #DNS_DEL_COMMAND= + #AUTH_DNS_SERVER="" + #DNS_WAIT=10 + #DNS_EXTRA_WAIT=60 + _EOF_domain_ } write_getssl_template() { # write out the main template file cat > "$1" <<- _EOF_getssl_ - # Uncomment and modify any variables you need - # see https://github.com/srvrco/getssl/wiki/Config-variables for details - # - # The staging server is best for testing (hence set as default) - CA="https://acme-staging.api.letsencrypt.org" - # This server issues full certificates, however has rate limits - #CA="https://acme-v01.api.letsencrypt.org" - - #AGREEMENT="$AGREEMENT" - - # Set an email address associated with your account - generally set at account level rather than domain. - #ACCOUNT_EMAIL="me@example.com" - ACCOUNT_KEY_LENGTH=4096 - ACCOUNT_KEY="$WORKING_DIR/account.key" - PRIVATE_KEY_ALG="rsa" - - # The command needed to reload apache / nginx or whatever you use - #RELOAD_CMD="" - # The time period within which you want to allow renewal of a certificate - # this prevents hitting some of the rate limits. - RENEW_ALLOW="30" - - # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, - # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which - # will be checked for certificate expiry and also will be checked after - # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true - SERVER_TYPE="https" - CHECK_REMOTE="true" - - # openssl config file. The default should work in most cases. 
- SSLCONF="$SSLCONF" - - # Use the following 3 variables if you want to validate via DNS - #VALIDATE_VIA_DNS="true" - #DNS_ADD_COMMAND= - #DNS_DEL_COMMAND= - #AUTH_DNS_SERVER="" - #DNS_WAIT=10 - #DNS_EXTRA_WAIT=60 - _EOF_getssl_ + # Uncomment and modify any variables you need + # see https://github.com/srvrco/getssl/wiki/Config-variables for details + # + # The staging server is best for testing (hence set as default) + CA="https://acme-staging.api.letsencrypt.org" + # This server issues full certificates, however has rate limits + #CA="https://acme-v01.api.letsencrypt.org" + + #AGREEMENT="$AGREEMENT" + + # Set an email address associated with your account - generally set at account level rather than domain. + #ACCOUNT_EMAIL="me@example.com" + ACCOUNT_KEY_LENGTH=4096 + ACCOUNT_KEY="$WORKING_DIR/account.key" + PRIVATE_KEY_ALG="rsa" + + # The command needed to reload apache / nginx or whatever you use + #RELOAD_CMD="" + # The time period within which you want to allow renewal of a certificate + # this prevents hitting some of the rate limits. + RENEW_ALLOW="30" + + # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp, + # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which + # will be checked for certificate expiry and also will be checked after + # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true + SERVER_TYPE="https" + CHECK_REMOTE="true" + + # openssl config file. The default should work in most cases. 
+ SSLCONF="$SSLCONF"
+
+ # Use the following 3 variables if you want to validate via DNS
+ #VALIDATE_VIA_DNS="true"
+ #DNS_ADD_COMMAND=
+ #DNS_DEL_COMMAND=
+ #AUTH_DNS_SERVER=""
+ #DNS_WAIT=10
+ #DNS_EXTRA_WAIT=60
+ _EOF_getssl_
 }
 write_openssl_conf() { # write out a minimal openssl conf
 cat > "$1" <<- _EOF_openssl_conf_
- # minimal openssl.cnf file
- distinguished_name = req_distinguished_name
- [ req_distinguished_name ]
- [v3_req]
- [v3_ca]
- _EOF_openssl_conf_
+ # minimal openssl.cnf file
+ distinguished_name = req_distinguished_name
+ [ req_distinguished_name ]
+ [v3_req]
+ [v3_ca]
+ _EOF_openssl_conf_
 }
 # Trap signals
@@ -699,8 +693,8 @@ else
 requires grep
 fi
-# Check if upgrades are available
-check_getssl_upgrade
+# Check if upgrades are available, if asked for
+[[ $_UPGRADE -eq 1 ]] && check_getssl_upgrade
 # get latest agreement from CA (as default)
 AGREEMENT=$(curl -I ${CA}/terms 2>/dev/null | grep "Location:" | awk '{print $2}'|os_sed 's/\r//')
@@ -1144,13 +1138,13 @@ for d in $alldomains; do
 # generate a file with the current variables for the dns-challenge
 cat > "$TEMP_DIR/dns_verify/$d" <<- _EOF_
- token="${token}"
- uri="${uri}"
- keyauthorization="${keyauthorization}"
- d="${d}"
- primary_ns="${primary_ns}"
- auth_key="${auth_key}"
- _EOF_
+ token="${token}"
+ uri="${uri}"
+ keyauthorization="${keyauthorization}"
+ d="${d}"
+ primary_ns="${primary_ns}"
+ auth_key="${auth_key}"
+ _EOF_
 else
 # set up the correct http token for verification
 # get the http component of the ACME response
@@ -1206,11 +1200,11 @@ for d in $alldomains; do
 ftplocn=$(echo "${DOMAIN_ACL}"| awk -F: '{print $5}')
 debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost loction=$ftplocn"
 ftp -n <<- EOF
- open $ftphost
- user $ftpuser $ftppass
- cd $ftplocn
- delete ${token:?}
- EOF
+ open $ftphost
+ user $ftpuser $ftppass
+ cd $ftplocn
+ delete ${token:?}
+ EOF
 else
 rm -f "${DOMAIN_ACL:?}/${token:?}"
 fi
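Review bot: The new comment `# Check if upgrades are available, if asked for` understates what the guarded call does: with `-u` set, check_getssl_upgrade (as changed earlier in this diff) no longer merely reports, it installs the fetched code over `$0` and re-executes `$ORIGCMD`, so everything after this line runs under the replaced script. Since the notice-only branch is gone, a user who does not pass `-u` is never told a newer release exists; that is consistent with the changelog entry, but worth stating here. Suggested comment: `# -u/--upgrade only: check for a newer getssl, install it over $0 and re-run this command line under it`.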