mirror of
https://github.com/serghey-rodin/vesta.git
synced 2025-08-14 18:49:17 -07:00
Let's Encrypt v2 with wildcard support
This commit is contained in:
parent
4327a3d1bc
commit
f8b4d42b74
5 changed files with 257 additions and 472 deletions
|
@ -1,13 +1,8 @@
|
|||
#!/bin/bash
|
||||
# info: adding letsencrypt ssl cetificate for domain
|
||||
# options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY]
|
||||
# info: check letsencrypt domain
|
||||
# options: USER DOMAIN [ALIASES]
|
||||
#
|
||||
# The function turns on SSL support for a domain. Parameter ssl_dir is a path
|
||||
# to directory where 2 or 3 ssl files can be found. Certificate file
|
||||
# domain.tld.crt and its key domain.tld.key are mandatory. Certificate
|
||||
# authority domain.tld.ca file is optional. If home directory parameter
|
||||
# (ssl_home) is not set, https domain uses public_shtml as separate
|
||||
# documentroot directory.
|
||||
# The function check and validates domain with Let's Encript
|
||||
|
||||
|
||||
#----------------------------------------------------------#
|
||||
|
@ -18,39 +13,67 @@
|
|||
user=$1
|
||||
domain=$2
|
||||
aliases=$3
|
||||
restart=$4
|
||||
notify=$5
|
||||
|
||||
# LE API
|
||||
API='https://acme-v02.api.letsencrypt.org'
|
||||
|
||||
# Includes
|
||||
source $VESTA/func/main.sh
|
||||
source $VESTA/func/domain.sh
|
||||
source $VESTA/conf/vesta.conf
|
||||
|
||||
# Additional argument formatting
|
||||
format_domain_idn
|
||||
# encode base64
|
||||
encode_base64() {
|
||||
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
|
||||
}
|
||||
|
||||
# Let's Encrypt v2 curl function
|
||||
query_le_v2() {
|
||||
|
||||
protected='{"nonce": "'$3'",'
|
||||
protected=''$protected' "url": "'$1'",'
|
||||
protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
|
||||
content="Content-Type: application/jose+json"
|
||||
|
||||
payload_=$(echo -n "$2" |encode_base64)
|
||||
protected_=$(echo -n "$protected" |encode_base64)
|
||||
signature_=$(printf "%s" "$protected_.$payload_" |\
|
||||
openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
|
||||
encode_base64)
|
||||
|
||||
post_data='{"protected":"'"$protected_"'",'
|
||||
post_data=$post_data'"payload":"'"$payload_"'",'
|
||||
post_data=$post_data'"signature":"'"$signature_"'"}'
|
||||
|
||||
curl -s -i -d "$post_data" "$1" -H "$content"
|
||||
}
|
||||
|
||||
|
||||
|
||||
#----------------------------------------------------------#
|
||||
# Verifications #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]'
|
||||
is_format_valid 'user' 'domain'
|
||||
check_args '2' "$#" 'USER DOMAIN [ALIASES]'
|
||||
is_format_valid 'user' 'domain' 'aliases'
|
||||
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
|
||||
is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
|
||||
is_object_valid 'user' 'USER' "$user"
|
||||
is_object_unsuspended 'user' 'USER' "$user"
|
||||
is_object_valid 'web' 'DOMAIN' "$domain"
|
||||
is_object_unsuspended 'web' 'DOMAIN' "$domain"
|
||||
get_domain_values 'web'
|
||||
for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
|
||||
check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
|
||||
if [ -z "$check_alias" ]; then
|
||||
check_result $E_NOTEXIST "domain alias $alias doesn't exist"
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
#----------------------------------------------------------#
|
||||
# Action #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
# Parsing domain data
|
||||
get_domain_values 'web'
|
||||
|
||||
# Registering LetsEncrypt user account
|
||||
$BIN/v-add-letsencrypt-user $user
|
||||
if [ "$?" -ne 0 ]; then
|
||||
|
@ -62,53 +85,152 @@ fi
|
|||
|
||||
# Parsing LetsEncrypt account data
|
||||
source $USER_DATA/ssl/le.conf
|
||||
email=$EMAIL
|
||||
|
||||
# Validating domain and aliases
|
||||
i=1
|
||||
for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
|
||||
$BIN/v-check-letsencrypt-domain $user $alias
|
||||
if [ "$?" -ne 0 ]; then
|
||||
touch $VESTA/data/queue/letsencrypt.pipe
|
||||
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
||||
send_notice "LETSENCRYPT" "$alias validation failed"
|
||||
check_result $E_INVALID "LE domain validation" >/dev/null
|
||||
# Checking wildcard alias
|
||||
if [ "$aliases" = "*.$domain" ]; then
|
||||
wildcard='yes'
|
||||
proto="dns-01"
|
||||
if [ ! -e "$VESTA/data/users/$user/dns/$domain.conf" ]; then
|
||||
check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
|
||||
fi
|
||||
else
|
||||
proto="http-01"
|
||||
fi
|
||||
|
||||
# Requesting nonce / STEP 1
|
||||
answer=$(curl -s -I "$API/directory")
|
||||
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
||||
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
|
||||
if [[ "$status" -ne 200 ]]; then
|
||||
check_result $E_CONNECT "Let's Encrypt nonce request status $status"
|
||||
fi
|
||||
|
||||
# Placing new order / STEP 2
|
||||
url="$API/acme/new-order"
|
||||
payload='{"identifiers":['
|
||||
for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
|
||||
payload=$payload'{"type":"dns","value":"'$identifier'"},'
|
||||
done
|
||||
payload=$(echo "$payload"|sed "s/,$//")
|
||||
payload=$payload']}'
|
||||
answer=$(query_le_v2 "$url" "$payload" "$nonce")
|
||||
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
||||
authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
|
||||
finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
|
||||
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
|
||||
if [[ "$status" -ne 201 ]]; then
|
||||
check_result $E_CONNECT "Let's Encrypt new auth status $status"
|
||||
fi
|
||||
|
||||
# Requesting authorization token / STEP 3
|
||||
for auth in $authz; do
|
||||
payload=''
|
||||
answer=$(query_le_v2 "$auth" "$payload" "$nonce")
|
||||
url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
|
||||
token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
|
||||
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
||||
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
|
||||
if [[ "$status" -ne 200 ]]; then
|
||||
check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
|
||||
fi
|
||||
|
||||
# Checking LE limits per account
|
||||
if [ "$i" -gt 100 ]; then
|
||||
touch $VESTA/data/queue/letsencrypt.pipe
|
||||
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
||||
send_notice 'LETSENCRYPT' 'Limit of domains per account is reached'
|
||||
check_result $E_LIMIT "LE can't sign more than 100 domains"
|
||||
# Accepting challenge / STEP 4
|
||||
if [ "$wildcard" = 'yes' ]; then
|
||||
record=$(printf "%s" "$token.$THUMB" |\
|
||||
openssl dgst -sha256 -binary |encode_base64)
|
||||
old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
|
||||
old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
|
||||
for old_record in $old_records; do
|
||||
$BIN/v-delete-dns-record $user $domain $old_record
|
||||
done
|
||||
$BIN/v-add-dns-record $user $domain "_acme-challenge" "TXT" $record
|
||||
check_result $? "DNS _acme-challenge record wasn't created"
|
||||
else
|
||||
if [ "$WEB_SYSTEM" = 'nginx' ] || [ ! -z "$PROXY_SYSTEM" ]; then
|
||||
conf="$HOMEDIR/$user/conf/web/nginx.$domain.conf_letsencrypt"
|
||||
sconf="$HOMEDIR/$user/conf/web/snginx.$domain.conf_letsencrypt"
|
||||
if [ ! -e "$conf" ]; then
|
||||
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
|
||||
> $conf
|
||||
echo ' default_type text/plain;' >> $conf
|
||||
echo ' return 200 "$1.'$THUMB'";' >> $conf
|
||||
echo '}' >> $conf
|
||||
fi
|
||||
if [ ! -e "$sconf" ]; then
|
||||
ln -s "$conf" "$sconf"
|
||||
fi
|
||||
$BIN/v-restart-proxy
|
||||
check_result $? "Proxy restart failed" >/dev/null
|
||||
|
||||
else
|
||||
well_known="$HOMEDIR/$user/web/$rdomain/public_html/.well-known"
|
||||
acme_challenge="$well_known/acme-challenge"
|
||||
mkdir -p $acme_challenge
|
||||
echo "$token.$THUMB" > $acme_challenge/$token
|
||||
chown -R $user:$user $well_known
|
||||
fi
|
||||
$BIN/v-restart-web
|
||||
check_result $? "Web restart failed" >/dev/null
|
||||
fi
|
||||
|
||||
# Requesting ACME validation / STEP 5
|
||||
validation_check=$(echo "$answer" |grep '"valid"')
|
||||
if [[ ! -z "$validation_check" ]]; then
|
||||
validation='valid'
|
||||
else
|
||||
validation='pending'
|
||||
fi
|
||||
|
||||
# Doing pol check on status
|
||||
i=1
|
||||
while [ "$validation" = 'pending' ]; do
|
||||
payload='{}'
|
||||
answer=$(query_le_v2 "$url" "$payload" "$nonce")
|
||||
validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
|
||||
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
||||
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
|
||||
if [[ "$status" -ne 200 ]]; then
|
||||
check_result $E_CONNECT "Let's Encrypt vvalidation status $status"
|
||||
fi
|
||||
|
||||
i=$((i + 1))
|
||||
if [ "$i" -gt 10 ]; then
|
||||
check_result $E_CONNECT "Let's Encrypt domain validation timeout"
|
||||
fi
|
||||
sleep 1
|
||||
done
|
||||
if [ "$validation" = 'invalid' ]; then
|
||||
check_result $E_CONNECT "Let's Encrypt domain verification failed"
|
||||
fi
|
||||
i=$((i++))
|
||||
done
|
||||
|
||||
# Generating CSR
|
||||
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
|
||||
|
||||
# Generating new ssl certificate
|
||||
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
|
||||
"San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
|
||||
|
||||
# Signing CSR
|
||||
crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
|
||||
if [ "$?" -ne 0 ]; then
|
||||
touch $VESTA/data/queue/letsencrypt.pipe
|
||||
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
||||
send_notice "LETSENCRYPT" "$alias validation failed"
|
||||
check_result "$E_INVALID" "LE $domain validation"
|
||||
# Sedning CSR to finalize order / STEP 6
|
||||
csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
|
||||
payload='{"csr":"'$csr'"}'
|
||||
answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
|
||||
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
||||
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
|
||||
certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
|
||||
if [[ "$status" -ne 200 ]]; then
|
||||
check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
|
||||
fi
|
||||
echo "$crt" > $ssl_dir/$domain.crt
|
||||
|
||||
# Dowloading CA certificate
|
||||
le_certs='https://letsencrypt.org/certs'
|
||||
x1='lets-encrypt-x1-cross-signed.pem.txt'
|
||||
x3='lets-encrypt-x3-cross-signed.pem.txt'
|
||||
issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
|
||||
if [ -z "$(echo $issuer|grep X3)" ]; then
|
||||
curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
|
||||
else
|
||||
curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
|
||||
fi
|
||||
# Downloading signed certificate / STEP 7
|
||||
curl -s "$certificate" -o $ssl_dir/$domain.pem
|
||||
|
||||
# Splitting up downloaded pem
|
||||
crt_end=$(grep -n END $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
|
||||
head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
|
||||
|
||||
pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
|
||||
ca_end=$(grep -n "BEGIN" $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
|
||||
ca_end=$(( pem_lines - crt_end + 1 ))
|
||||
tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
|
||||
|
||||
# Adding SSL
|
||||
ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
|
||||
|
@ -140,18 +262,13 @@ update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
|
|||
# Vesta #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
# Restarting web
|
||||
$BIN/v-restart-web $restart
|
||||
if [ "$?" -ne 0 ]; then
|
||||
send_notice 'LETSENCRYPT' "web server needs to be restarted manually"
|
||||
fi
|
||||
# Deleteing task from queue
|
||||
touch $VESTA/data/queue/letsencrypt.pipe
|
||||
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
||||
|
||||
# Notifying user
|
||||
send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
|
||||
|
||||
# Deleteing task from queue
|
||||
touch $VESTA/data/queue/letsencrypt.pipe
|
||||
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
||||
|
||||
# Logging
|
||||
log_event "$OK" "$ARGUMENTS"
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue