mirror of
https://github.com/serghey-rodin/vesta.git
synced 2025-08-19 21:04:06 -07:00
ACME v2 support
This commit is contained in:
parent
9f9ee14559
commit
41bfca0b21
1 changed files with 108 additions and 38 deletions
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# info: register letsencrypt user account
|
# info: register letsencrypt user account
|
||||||
# options: USER [EMAIL]
|
# options: USER [TYPE]
|
||||||
#
|
#
|
||||||
# The function creates and register LetsEncript account key
|
# The function creates and register LetsEncript account key
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
# Argument definition
|
# Argument definition
|
||||||
user=$1
|
user=$1
|
||||||
email=$2
|
type=${2-1}
|
||||||
key_size=4096
|
key_size=4096
|
||||||
|
|
||||||
# Includes
|
# Includes
|
||||||
|
@ -28,11 +28,17 @@ encode_base64() {
|
||||||
# Verifications #
|
# Verifications #
|
||||||
#----------------------------------------------------------#
|
#----------------------------------------------------------#
|
||||||
|
|
||||||
check_args '1' "$#" 'USER [EMAIL]'
|
check_args '1' "$#" 'USER [TYPE]'
|
||||||
is_format_valid 'user'
|
is_format_valid 'user'
|
||||||
is_object_valid 'user' 'USER' "$user"
|
is_object_valid 'user' 'USER' "$user"
|
||||||
if [ -e "$USER_DATA/ssl/le.conf" ]; then
|
if [ -e "$USER_DATA/ssl/le.conf" ]; then
|
||||||
exit
|
source "$USER_DATA/ssl/le.conf"
|
||||||
|
if [ "$type" -eq 1 ] && [ ! -z "$EMAIL" ]; then
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
if [ "$type" -eq 2 ] && [ ! -z "$KID" ]; then
|
||||||
|
exit
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
@ -40,14 +46,29 @@ fi
|
||||||
# Action #
|
# Action #
|
||||||
#----------------------------------------------------------#
|
#----------------------------------------------------------#
|
||||||
|
|
||||||
api='https://acme-v01.api.letsencrypt.org'
|
# Defining LE API endpoint
|
||||||
if [ -z "$email" ]; then
|
if [ "$type" -eq 1 ]; then
|
||||||
|
api='https://acme-v01.api.letsencrypt.org'
|
||||||
|
else
|
||||||
|
api='https://acme-v02.api.letsencrypt.org'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Defining user email
|
||||||
|
if [ $type -eq 1 ]; then
|
||||||
email=$(get_user_value '$CONTACT')
|
email=$(get_user_value '$CONTACT')
|
||||||
fi
|
fi
|
||||||
|
|
||||||
agreement=$(curl -s -I "$api/terms" |grep Location |cut -f 2 -d \ |tr -d '\r\n')
|
# Defining user agreement
|
||||||
|
if [ "$type" -eq 1 ]; then
|
||||||
|
agreement=$(curl -s -I "$api/terms" |grep Location |\
|
||||||
|
cut -f 2 -d \ |tr -d '\r\n')
|
||||||
|
else
|
||||||
|
#agreement=$(curl -s "$api/directory" |grep termsOfService |\
|
||||||
|
# cut -f 4 -d '"')
|
||||||
|
agreement=''
|
||||||
|
fi
|
||||||
|
|
||||||
# Generating key
|
# Generating user key
|
||||||
key="$USER_DATA/ssl/user.key"
|
key="$USER_DATA/ssl/user.key"
|
||||||
if [ ! -e "$key" ]; then
|
if [ ! -e "$key" ]; then
|
||||||
openssl genrsa -out $key $key_size >/dev/null 2>&1
|
openssl genrsa -out $key $key_size >/dev/null 2>&1
|
||||||
|
@ -55,41 +76,77 @@ if [ ! -e "$key" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Defining key exponent
|
# Defining key exponent
|
||||||
exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
|
if [ -z "$EXPONENT" ]; then
|
||||||
grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
|
exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
|
||||||
xxd -r -p |encode_base64)
|
grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
|
||||||
|
xxd -r -p |encode_base64)
|
||||||
|
else
|
||||||
|
exponent="$EXPONENT"
|
||||||
|
fi
|
||||||
|
|
||||||
# Defining key modulus
|
# Defining key modulus
|
||||||
modulus=$(openssl rsa -in "$key" -modulus -noout |\
|
if [ -z "$MODULUS" ]; then
|
||||||
sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
|
modulus=$(openssl rsa -in "$key" -modulus -noout |\
|
||||||
|
sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
|
||||||
|
else
|
||||||
|
modulus="$MODULUS"
|
||||||
|
fi
|
||||||
|
|
||||||
# Defining key thumb
|
# Defining JWK token
|
||||||
thumb='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
|
jwk='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
|
||||||
thumb="$(echo -n "$thumb" |openssl dgst -sha256 -binary |encode_base64)"
|
|
||||||
|
|
||||||
# Defining JWK header
|
# Defining key thumbnail
|
||||||
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
|
if [ -z "$THUMB" ]; then
|
||||||
header='{"alg":"RS256","jwk":'"$header"'}'
|
thumb="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
|
||||||
|
else
|
||||||
|
thumb="$THUMB"
|
||||||
|
fi
|
||||||
|
|
||||||
# Requesting nonce
|
# Requesting ACME nonce
|
||||||
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
|
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
|
||||||
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
|
|
||||||
|
|
||||||
# Defining registration query
|
# Defining payload and protected data for v1 and v2
|
||||||
query='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
|
if [ "$type" -eq 1 ]; then
|
||||||
query=$query'"agreement":"'$agreement'"}'
|
header='{"alg":"RS256","jwk":'"$jwk"'}'
|
||||||
payload=$(echo -n "$query" |encode_base64)
|
protected='{"nonce":"'"$nonce"'"}'
|
||||||
|
payload='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
|
||||||
|
payload=$payload'"agreement":"'$agreement'"}'
|
||||||
|
|
||||||
|
else
|
||||||
|
protected='{"nonce": "'$nonce'",'
|
||||||
|
protected=''$protected' "url": "'$api/acme/new-acct'",'
|
||||||
|
protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
|
||||||
|
payload='{"termsOfServiceAgreed": true}'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Encoding data
|
||||||
|
protected=$(echo -n "$protected" |encode_base64)
|
||||||
|
payload=$(echo -n "$payload" |encode_base64)
|
||||||
|
|
||||||
|
# Signing request
|
||||||
signature=$(printf "%s" "$protected.$payload" |\
|
signature=$(printf "%s" "$protected.$payload" |\
|
||||||
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
|
openssl dgst -sha256 -binary -sign "$key" |\
|
||||||
data='{"header":'"$header"',"protected":"'"$protected"'",'
|
encode_base64)
|
||||||
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
|
|
||||||
|
|
||||||
# Sending request to LetsEncrypt API
|
if [ "$type" -eq 1 ]; then
|
||||||
answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
|
data='{"header":'"$header"',"protected":"'"$protected"'",'
|
||||||
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
|
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
|
||||||
|
|
||||||
|
answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
|
||||||
|
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
|
||||||
|
else
|
||||||
|
data='{"protected":"'"$protected"'",'
|
||||||
|
data=$data'"payload":"'"$payload"'",'
|
||||||
|
data=$data'"signature":"'"$signature"'"}'
|
||||||
|
|
||||||
|
answer=$(curl -s -i -d "$data" "$api/acme/new-acct" \
|
||||||
|
-H "Content-Type: application/jose+json")
|
||||||
|
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
|
||||||
|
kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
|
||||||
|
fi
|
||||||
|
|
||||||
# Checking http answer status
|
# Checking http answer status
|
||||||
if [[ "$status" -ne "201" ]] && [[ "$status" -ne "409" ]]; then
|
if [[ "${status:0:2}" -ne "20" ]] && [[ "$status" -ne "409" ]]; then
|
||||||
check_result $E_CONNECT "LetsEncrypt account registration $status"
|
check_result $E_CONNECT "LetsEncrypt account registration $status"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -99,12 +156,25 @@ fi
|
||||||
#----------------------------------------------------------#
|
#----------------------------------------------------------#
|
||||||
|
|
||||||
# Adding le.conf
|
# Adding le.conf
|
||||||
echo "EMAIL='$email'" > $USER_DATA/ssl/le.conf
|
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
|
||||||
echo "EXPONENT='$exponent'" >> $USER_DATA/ssl/le.conf
|
echo "EXPONENT='$exponent'" > $USER_DATA/ssl/le.conf
|
||||||
echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
|
echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
|
||||||
echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
|
echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
|
||||||
chmod 660 $USER_DATA/ssl/le.conf
|
if [ "$type" -eq 1]; then
|
||||||
|
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
|
||||||
|
else
|
||||||
|
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
|
||||||
|
fi
|
||||||
|
chmod 660 $USER_DATA/ssl/le.conf
|
||||||
|
else
|
||||||
|
if [ "$type" -eq 1 ]; then
|
||||||
|
sed -i '/^EMAIL=/d' $USER_DATA/ssl/le.conf
|
||||||
|
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
|
||||||
|
else
|
||||||
|
sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
|
||||||
|
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Logging
|
# Logging
|
||||||
log_event "$OK" "$ARGUMENTS"
|
log_event "$OK" "$ARGUMENTS"
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue