RuhNetConsulting
/
getssl
mirror of https://github.com/srvrco/getssl
1
0
Fork 0
Code Issues 0 Projects 0 Releases 51 Wiki Activity
Browse Source

Merge remote-tracking branch 'origin/master' into Fix-missing-chain.crt-#349

pull/459/head
Tim Kimber 6 years ago
parent
dec01f1810 6e8d4ec06a
commit
9248ce788b
1 changed files with 37 additions and 35 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +37
    -35
      getssl

+ 37
- 35
getssl View File

@ -283,11 +283,11 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
# check response from our request to perform challenge
if [[ $API -eq 1 ]]; then
if [[ ! -z "$code" ]] && [[ ! "$code" == '202' ]] ; then
if [[ -n "$code" ]] && [[ ! "$code" == '202' ]] ; then
error_exit "$domain:Challenge error: $code"
fi
else # APIv2
if [[ ! -z "$code" ]] && [[ ! "$code" == '200' ]] ; then
if [[ -n "$code" ]] && [[ ! "$code" == '200' ]] ; then
error_exit "$domain:Challenge error: $code"
fi
fi
@ -468,12 +468,13 @@ check_getssl_upgrade() { # check if a more recent version of code is available a
# Obtain all locally stored old versions in getssl_versions
declare -a getssl_versions
shopt -s nullglob
for getssl_version in $0.v*; do
for getssl_version in "$0".v*; do
getssl_versions[${#getssl_versions[@]}]="$getssl_version"
done
shopt -u nullglob
# Explicitly sort the getssl_versions array to make sure
shopt -s -o noglob
# shellcheck disable=SC2207
IFS=$'\n' getssl_versions=($(sort <<< "${getssl_versions[*]}"))
shopt -u -o noglob
# Remove entries until given number of old versions to keep is reached
@ -499,7 +500,7 @@ clean_up() { # Perform pre-exit housekeeping
if [[ $VALIDATE_VIA_DNS == "true" ]]; then
# Tidy up DNS entries if things failed part way though.
shopt -s nullglob
for dnsfile in $TEMP_DIR/dns_verify/*; do
for dnsfile in "$TEMP_DIR"/dns_verify/*; do
# shellcheck source=/dev/null
. "$dnsfile"
debug "attempting to clean up DNS entry for $d"
@ -507,10 +508,10 @@ clean_up() { # Perform pre-exit housekeeping
done
shopt -u nullglob
fi
if [[ ! -z "$DOMAIN_DIR" ]]; then
if [[ -n "$DOMAIN_DIR" ]]; then
rm -rf "${TEMP_DIR:?}"
fi
if [[ ! -z "$TEMP_UPGRADE_FILE" ]] && [[ -f "$TEMP_UPGRADE_FILE" ]]; then
if [[ -n "$TEMP_UPGRADE_FILE" ]] && [[ -f "$TEMP_UPGRADE_FILE" ]]; then
rm -f "$TEMP_UPGRADE_FILE"
fi
}
@ -530,7 +531,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
scp $from ${to:4}"
fi
debug "userid $TOKEN_USER_ID"
if [[ "$cert" == "challenge token" ]] && [[ ! -z "$TOKEN_USER_ID" ]]; then
if [[ "$cert" == "challenge token" ]] && [[ -n "$TOKEN_USER_ID" ]]; then
servername=$(echo "$to" | awk -F":" '{print $2}')
tofile=$(echo "$to" | awk -F":" '{print $3}')
debug "servername $servername"
@ -591,7 +592,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
error_exit "cannot copy $from to $to"
fi
fi
if [[ "$cert" == "challenge token" ]] && [[ ! -z "$TOKEN_USER_ID" ]]; then
if [[ "$cert" == "challenge token" ]] && [[ -n "$TOKEN_USER_ID" ]]; then
chown "$TOKEN_USER_ID" "$to"
fi
fi
@ -736,7 +737,7 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
else
res=$($DNS_CHECK_FUNC CNAME "$gad_d" "@$gad_s"| grep "^$gad_d")
fi
if [[ ! -z "$res" ]]; then # domain is a CNAME so get main domain
if [[ -n "$res" ]]; then # domain is a CNAME so get main domain
gad_d=$(echo "$res"| awk '{print $5}' |sed 's/\.$//g')
fi
if [[ -z "$gad_s" ]]; then #checking for CNAMEs
@ -1154,7 +1155,7 @@ json_get() { # get values from json
# remove newlines, so it's a single chunk of JSON
json_data=$( echo "$1" | tr '\n' ' ')
# if $3 is defined, this is the section which the item is in.
if [[ ! -z "$3" ]]; then
if [[ -n "$3" ]]; then
jg_section=$(echo "$json_data" | awk -F"[}]" '{for(i=1;i<=NF;i++){if($i~/\"'"${3}"'\"/){print $i}}}')
if [[ "$2" == "uri" ]]; then
jg_subsect=$(echo "$jg_section" | awk -F"[,]" '{for(i=1;i<=NF;i++){if($i~/\"'"${2}"'\"/){print $(i)}}}')
@ -1174,17 +1175,17 @@ json_get() { # get values from json
echo "$jg_result"
fi
else
if [[ ! -z "$6" ]]; then
if [[ -n "$6" ]]; then
full=$(json_awk "$1")
section=$(echo "$full" | grep "\"$2\"" | grep "\"$3\"" | grep "\"$4\"" | awk -F"," '{print $2}')
echo "$full" | grep "^..${5}\",$section" | awk '{print $2}' | tr -d '"'
elif [[ ! -z "$5" ]]; then
elif [[ -n "$5" ]]; then
full=$(json_awk "$1")
section=$(echo "$full" | grep "\"$2\"" | grep "\"$3\"" | grep "\"$4\"" | awk -F"," '{print $2}')
echo "$full" | grep "^..${2}\",$section" | grep "$5" | awk '{print $2}' | tr -d '"'
elif [[ ! -z "$3" ]]; then
elif [[ -n "$3" ]]; then
json_awk "$1" | grep "^..${2}...${3}" | awk '{print $2}' | tr -d '"'
elif [[ ! -z "$2" ]]; then
elif [[ -n "$2" ]]; then
json_awk "$1" | grep "^..${2}" | awk '{print $2}' | tr -d '"'
else
json_awk "$1"
@ -1205,7 +1206,7 @@ os_esed() { # Use different sed version for different os types (extended regex)
purge_archive() { # purge archive of old, invalid, certificates
arcdir="$1/archive"
debug "purging archives in ${arcdir}/"
for padir in $arcdir/????_??_??_??_??; do
for padir in "$arcdir"/????_??_??_??_??; do
# check each directory
if [[ -d "$padir" ]]; then
tstamp=$(basename "$padir"| awk -F"_" '{print $1"-"$2"-"$3" "$4":"$5}')
@ -1228,7 +1229,7 @@ purge_archive() { # purge archive of old, invalid, certificates
}
reload_service() { # Runs a command to reload services ( via ssh if needed)
if [[ ! -z "$RELOAD_CMD" ]]; then
if [[ -n "$RELOAD_CMD" ]]; then
info "reloading SSL services"
if [[ "${RELOAD_CMD:0:4}" == "ssh:" ]] ; then
sshhost=$(echo "$RELOAD_CMD"| awk -F: '{print $2}')
@ -1272,16 +1273,16 @@ requires() { # check if required function is available
if [[ "$i" == "${!#}" ]]; then # if on last variable then exit as not found
error_exit "this script requires one of: ${*:1:$(($#-1))}"
fi
res=$(which "$i" 2>/dev/null)
res=$(command -v "$i" 2>/dev/null)
debug "checking for $i ... $res"
if [[ ! -z "$res" ]]; then # if function found, then set variable to function and return
if [[ -n "$res" ]]; then # if function found, then set variable to function and return
debug "function $i found at $res - setting ${!#} to $i"
eval "${!#}=\$i"
return
fi
done
else # only one value, so check it.
result=$(which "$1" 2>/dev/null)
result=$(command -v "$1" 2>/dev/null)
debug "checking for required $1 ... $result"
if [[ -z "$result" ]]; then
error_exit "This script requires $1 installed"
@ -1341,6 +1342,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
dp="$TEMP_DIR/curl.dump"
CURL="curl "
# shellcheck disable=SC2072
if [[ "$($CURL -V | head -1 | cut -d' ' -f2 )" > "7.33" ]]; then
CURL="$CURL --http1.1 "
fi
@ -1674,11 +1676,11 @@ while [[ -n ${1+defined} ]]; do
_UPGRADE_CHECK=0 ;;
-w)
shift; WORKING_DIR="$1" ;;
-* | --*)
-*)
usage
error_exit "Unknown option $1" ;;
*)
if [[ ! -z $DOMAIN ]]; then
if [[ -n $DOMAIN ]]; then
error_exit "invalid command line $DOMAIN - it appears to contain more than one domain"
fi
DOMAIN="$1"
@ -1787,7 +1789,7 @@ if [[ ${_CHECK_ALL} -eq 1 ]]; then
error_exit "DOMAIN_STORAGE not found - $DOMAIN_STORAGE"
fi
for dir in ${DOMAIN_STORAGE}/*; do
for dir in "${DOMAIN_STORAGE}"/*; do
if [[ -d "$dir" ]]; then
debug "Checking $dir"
cmd="$0 -U" # No update checks when calling recursively
@ -1835,7 +1837,7 @@ if [[ ${_CREATE_CONFIG} -eq 1 ]]; then
| openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:443" 2>/dev/null \
| openssl x509 2>/dev/null)
EX_SANS="www.${DOMAIN}"
if [[ ! -z "${EX_CERT}" ]]; then
if [[ -n "${EX_CERT}" ]]; then
EX_SANS=$(echo "$EX_CERT" \
| openssl x509 -noout -text 2>/dev/null| grep "Subject Alternative Name" -A2 \
| grep -Eo "DNS:[a-zA-Z 0-9.-]*" | sed "s@DNS:$DOMAIN@@g" | grep -v '^$' | cut -c 5-)
@ -1905,9 +1907,9 @@ if [[ -z "$URL_new_reg" ]] && [[ -z "$URL_newAccount" ]]; then
URL_newOrder=$(echo "$ca_all_loc" | grep "newOrder" | awk -F'"' '{print $4}')
fi
if [[ ! -z "$URL_new_reg" ]]; then
if [[ -n "$URL_new_reg" ]]; then
API=1
elif [[ ! -z "$URL_newAccount" ]]; then
elif [[ -n "$URL_newAccount" ]]; then
API=2
else
info "unknown API version"
@ -1921,7 +1923,7 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
EX_CERT=$(echo \
| openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null \
| openssl x509 2>/dev/null)
if [[ ! -z "$EX_CERT" ]]; then # if obtained a cert
if [[ -n "$EX_CERT" ]]; then # if obtained a cert
if [[ -s "$CERT_FILE" ]]; then # if local exists
CERT_LOCAL=$(openssl x509 -noout -fingerprint < "$CERT_FILE" 2>/dev/null)
else # since local doesn't exist leave empty so that the domain validation will happen
@ -2154,7 +2156,7 @@ for d in $alldomains; do
debug "completed send_signed_request"
# check if we got a valid response and token, if not then error exit
if [[ ! -z "$code" ]] && [[ ! "$code" == '201' ]] ; then
if [[ -n "$code" ]] && [[ ! "$code" == '201' ]] ; then
error_exit "new-authz error: $response"
fi
else
@ -2322,7 +2324,7 @@ done # end of ... loop through domains for cert ( from SANS list)
# perform validation if via DNS challenge
if [[ $VALIDATE_VIA_DNS == "true" ]]; then
# loop through dns-variable files to check if dns has been changed
for dnsfile in $TEMP_DIR/dns_verify/*; do
for dnsfile in "$TEMP_DIR"/dns_verify/*; do
if [[ -e "$dnsfile" ]]; then
debug "loading DNSfile: $dnsfile"
# shellcheck source=/dev/null
@ -2375,7 +2377,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
fi
# loop through dns-variable files to let the ACME server check the challenges
for dnsfile in $TEMP_DIR/dns_verify/*; do
for dnsfile in "$TEMP_DIR"/dns_verify/*; do
if [[ -e "$dnsfile" ]]; then
debug "loading DNSfile: $dnsfile"
# shellcheck source=/dev/null
@ -2418,17 +2420,17 @@ copy_file_to_location "domain certificate" "$CERT_FILE" "$DOMAIN_CERT_LOCATION"
copy_file_to_location "private key" "$DOMAIN_DIR/${DOMAIN}.key" "$DOMAIN_KEY_LOCATION"
copy_file_to_location "CA certificate" "$CA_CERT" "$CA_CERT_LOCATION"
if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
if [[ ! -z "$DOMAIN_CERT_LOCATION" ]]; then
if [[ -n "$DOMAIN_CERT_LOCATION" ]]; then
copy_file_to_location "ec domain certificate" \
"${CERT_FILE%.*}.ec.crt" \
"${DOMAIN_CERT_LOCATION%.*}.ec.crt"
fi
if [[ ! -z "$DOMAIN_KEY_LOCATION" ]]; then
if [[ -n "$DOMAIN_KEY_LOCATION" ]]; then
copy_file_to_location "ec private key" \
"$DOMAIN_DIR/${DOMAIN}.ec.key" \
"${DOMAIN_KEY_LOCATION%.*}.ec.key"
fi
if [[ ! -z "$CA_CERT_LOCATION" ]]; then
if [[ -n "$CA_CERT_LOCATION" ]]; then
copy_file_to_location "ec CA certificate" \
"${CA_CERT%.*}.ec.crt" \
"${CA_CERT_LOCATION%.*}.ec.crt"
@ -2436,7 +2438,7 @@ if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
fi
# if DOMAIN_CHAIN_LOCATION is not blank, then create and copy file.
if [[ ! -z "$DOMAIN_CHAIN_LOCATION" ]]; then
if [[ -n "$DOMAIN_CHAIN_LOCATION" ]]; then
if [[ "$(dirname "$DOMAIN_CHAIN_LOCATION")" == "." ]]; then
to_location="${DOMAIN_DIR}/${DOMAIN_CHAIN_LOCATION}"
else
@ -2450,7 +2452,7 @@ if [[ ! -z "$DOMAIN_CHAIN_LOCATION" ]]; then
fi
fi
# if DOMAIN_KEY_CERT_LOCATION is not blank, then create and copy file.
if [[ ! -z "$DOMAIN_KEY_CERT_LOCATION" ]]; then
if [[ -n "$DOMAIN_KEY_CERT_LOCATION" ]]; then
if [[ "$(dirname "$DOMAIN_KEY_CERT_LOCATION")" == "." ]]; then
to_location="${DOMAIN_DIR}/${DOMAIN_KEY_CERT_LOCATION}"
else
@ -2464,7 +2466,7 @@ if [[ ! -z "$DOMAIN_KEY_CERT_LOCATION" ]]; then
fi
fi
# if DOMAIN_PEM_LOCATION is not blank, then create and copy file.
if [[ ! -z "$DOMAIN_PEM_LOCATION" ]]; then
if [[ -n "$DOMAIN_PEM_LOCATION" ]]; then
if [[ "$(dirname "$DOMAIN_PEM_LOCATION")" == "." ]]; then
to_location="${DOMAIN_DIR}/${DOMAIN_PEM_LOCATION}"
else


Write Preview
Loading…
Cancel
Save