From bf9403fb9c7a5db5128981a08b75f0552af0144f Mon Sep 17 00:00:00 2001 From: Timothe Litt Date: Tue, 27 Jul 2021 11:17:01 -0400 Subject: [PATCH] Provide ftps:// copy which verifies remote TLS certificates ftses:// uses --insecure, which is, well, insecure. --- getssl | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/getssl b/getssl index e09af56..e86a1d3 100755 --- a/getssl +++ b/getssl @@ -264,7 +264,8 @@ # 2021-07-12 Do not redirect outputs on remote commands when the debug option is used (atisne) # 2021-07-20 Use +noidnout to enable certificates for IDN domains (#679)(2.37) # 2021-07-22 Only pass +noidnout param to dig/drill(#682)(2.38) -# 2021-07-25 Fix copy_file_to_location failures with ssh when suffix applied to file lacking an extension (2.39) +# 2021-07-25 Fix copy_file_to_location failures with ssh when suffix applied to file lacking an extension +# 2021-07-27 Provide ftps:// copy which verifies remote TLS certificates (vs. ftpes:// which is insecure) (2.39) # ---------------------------------------------------------------------------------------- case :$SHELLOPTS: in @@ -940,7 +941,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. debug "davs user=$davsuser - pass=$davspass - host=$davshost port=$davsport dir=$davsdirn file=$davsfile" debug "from dir=$fromdir file=$fromfile" curl -u "${davsuser}:${davspass}" -T "${fromdir}/${fromfile}" "https://${davshost}:${davsport}${davsdirn}${davsfile}" - elif [[ "${to:0:6}" == "ftpes:" ]] ; then + elif [[ "${to:0:6}" == "ftpes:" ]] || [[ "${to:0:5}" == "ftps:" ]] ; then debug "using ftp to copy the file from $from" ftpuser=$(echo "$to"| awk -F: '{print $2}') ftppass=$(echo "$to"| awk -F: '{print $3}') @@ -952,7 +953,11 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required. fromfile=$(basename "$from") debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile" debug "from dir=$fromdir file=$fromfile" - curl --insecure --ftp-ssl -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}/" + if [[ "${to:0:5}" == "ftps:" ]] ; then + curl --ftp-ssl -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}/" + else + curl --insecure --ftp-ssl -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}/" + fi else if ! mkdir -p "$(dirname "$to")" ; then error_exit "cannot create ACL directory $(basename "$to")" @@ -2454,9 +2459,11 @@ write_domain_template() { # write out a template file for a domain. # An ssh key will be needed to provide you with access to the remote server. # Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign. # If left blank, the username on the local server will be used to authenticate against the remote server. - # If these start with ftp:/ftpes: then the next variables are ftpuserid:ftppassword:servername:ACL_location + # If these start with ftp:/ftpes:/ftps: then the next variables are ftpuserid:ftppassword:servername:ACL_location # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. + # ftp: uses regular ftp; ftpes: uses ftp over TLS but DOES NOT verify the remote certificates; ftps: uses ftp over TLS. + # ftpes: is less secure than ftps: and should only be used for hosts with self-signed certificates. # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username, # password, host, port (explicitly needed even if using default port 443) and path on the server. # Multiple locations can be defined for a file by separating the locations with a semi-colon. @@ -2465,7 +2472,7 @@ write_domain_template() { # write out a template file for a domain. # 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge' # 'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge' - # 'ftpes:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') + # 'ftps:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge') # Specify SSH options, e.g. non standard port in SSH_OPTS # (Can also use SCP_OPTS and SFTP_OPTS)