Fixes for HTTP-01 challenge for POST-as-GET

6 years ago · 7f1b94c6e2
--- a/+ 29
+++ b/+ 29
@ -279,7 +279,7 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
  keyauthorization=$3

  debug "sending request to ACME server saying we're ready for challenge"
  send_signed_request "$uri" "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}"
  send_signed_request "$uri" "{}"

  # check response from our request to perform challenge
  if [[ $API -eq 1 ]]; then
@ -294,10 +294,8 @@ check_challenge_completion() { # checks with the ACME server if our challenge is

  # loop "forever" to keep checking for a response from the ACME server.
  while true ; do
    debug "checking"
    if ! get_cr "$uri" ; then
      error_exit "$domain:Verify error:$code"
    fi
    debug "checking if challenge is complete"
    send_signed_request "$uri" ""

    status=$(json_get "$response" status)

@ -853,10 +851,10 @@ get_certificate() { # get certificate for csr, if all domains validated.
  else # APIv2
    send_signed_request "$FinalizeLink" "{\"csr\": \"$der\"}" "needbase64"
    debug "order link was $OrderLink"
    cd=$(curl --user-agent "$CURL_USERAGENT" --silent "$OrderLink")
    CertData=$(json_get "$cd" "certificate")
    send_signed_request "$OrderLink" ""
    CertData=$(json_get "$response" "certificate")
    debug "CertData is at $CertData"
    curl --user-agent "$CURL_USERAGENT" --silent "$CertData" > "$FULL_CHAIN"
    send_signed_request "$CertData" "" "" "$FULL_CHAIN"
    info "Full certificate saved in $FULL_CHAIN"
    awk -v CERT_FILE="$CERT_FILE" -v CA_CERT="$CA_CERT" 'BEGIN {outfile=CERT_FILE} split_after==1 {outfile=CA_CERT;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > outfile}' "$FULL_CHAIN"
    info "Certificate saved in $CERT_FILE"
@ -1325,6 +1323,7 @@ set_server_type() { # uses SERVER_TYPE to set REMOTE_PORT and REMOTE_EXTRA
    REMOTE_PORT=636
  elif [[ ${SERVER_TYPE} =~ ^[0-9]+$ ]]; then
    REMOTE_PORT=${SERVER_TYPE}
    REMOTE_EXTRA="CUSTOM-HTTP-PORT"
  else
    info "${DOMAIN}: unknown server type \"$SERVER_TYPE\" in SERVER_TYPE"
    config_errors=true
@ -1335,6 +1334,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
  url=$1
  payload=$2
  needbase64=$3
  outfile=$4 # save response into this file (certificate data)

  debug url "$url"

@ -1374,8 +1374,8 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p

    # Build another header which also contains the previously received nonce and encode it as urlbase64
    if [[ $API -eq 1 ]]; then
    protected='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"', "nonce": "'"${nonce}"'", "url": "'"${url}"'"}'
    protected64="$(printf '%s' "${protected}" | urlbase64)"
      protected='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"', "nonce": "'"${nonce}"'", "url": "'"${url}"'"}'
      protected64="$(printf '%s' "${protected}" | urlbase64)"
    else # APIv2
      if [[ -z "$KID" ]]; then
        debug "KID is blank, so using jwk"
@ -1384,7 +1384,6 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
      else
        debug "using KID=${KID}"
        protected="{\"alg\": \"$jwkalg\", \"kid\": \"$KID\",\"nonce\": \"${nonce}\", \"url\": \"${url}\"}"
        debug "protected = $protected"
        protected64="$(printf '%s' "${protected}" | urlbase64)"
      fi
    fi
@ -1415,13 +1414,22 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
    code="500"
    loop_limit=5
    while [[ "$code" -eq 500 ]]; do
      if [[ "$needbase64" ]] ; then
      if [[ "$outfile" ]] ; then
        $CURL -X POST -H "Content-Type: application/jose+json" --data "$body" "$url" > $outfile
        response=$(cat "$outfile")
      elif [[ "$needbase64" ]] ; then
        response=$($CURL -X POST -H "Content-Type: application/jose+json" --data "$body" "$url" | urlbase64)
      else
        response=$($CURL -X POST -H "Content-Type: application/jose+json" --data "$body" "$url")
      fi

      responseHeaders=$(cat "$CURL_HEADER")
      if [[ "$needbase64" && ${response##*()} != "{"* ]]; then
        # response is in base64 too, decode
        #!FIXME need to use openssl base64 decoder if it exists
        response=$(echo "$response" | base64 -d)
      fi

      debug responseHeaders "$responseHeaders"
      debug response  "$response"
      code=$(awk ' $1 ~ "^HTTP" {print $2}' "$CURL_HEADER" | tail -1)
@ -1430,7 +1438,9 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
        response_status=$(json_get "$response" status \
                        | head -1| awk -F'"' '{print $2}')
      else # APIv2
        if [[ ${response##*()} == "{"* ]]; then
        if [[ "$output" && "$response" ]]; then
          debug "response written to $outfile"
        elif [[ ${response##*()} == "{"* ]]; then
          response_status=$(json_get "$response" status)
        else
          debug "response not in json format"
@ -1915,6 +1925,7 @@ else
  info "unknown API version"
  graceful_exit
 fi
 debug "Using API v$API"

 # if check_remote is true then connect and obtain the current certificate (if not forcing renewal)
 if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
@ -2271,7 +2282,11 @@ for d in $alldomains; do
      done
      umask "$ORIG_UMASK"

      wellknown_url="${CHALLENGE_CHECK_TYPE}://$d/.well-known/acme-challenge/$token"
      if [[ "$REMOTE_EXTRA" = "CUSTOM-HTTP-PORT" ]]; then
        wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}:${REMOTE_PORT}/.well-known/acme-challenge/$token"
      else
        wellknown_url="${CHALLENGE_CHECK_TYPE}://${d}/.well-known/acme-challenge/$token"
      fi
      debug wellknown_url "$wellknown_url"

      if [[ "$SKIP_HTTP_TOKEN_CHECK" == "true" ]]; then