LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25575 Commits
1 Branch
46 MiB
Tree: 17d2f61c7b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '17d2f61c7b'
${ noResults }
openwrt-packages-dist/net/acme/files/run.sh

387 lines
10 KiB
Raw Normal View History

acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: Fix for curl linked against mbed TLS. (#4254) Use newest acme.sh release (2.6.8). Remove dependency on ca-certificates and add dependency on ca-bundle. Update environment variable. Signed-off-by: Daniel Halmschlager <da@halms.at>
7 years ago
acme: Update to v1.4. This updates to the latest git version of acme.sh and drops the patch to disable timestamps from the output (since that is now supported upstream). Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: add support for nginx webserver This adds a metapakcge for acme luci ap without uhttpd dependency and adds entities and check to stop handle nginx server and modify the certificate set automatically. Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
6 years ago
acme: add haproxy support Signed-off-by: Wakatatsu Ryou <lialosiu@gmail.com>
3 years ago
acme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of acme. This helps users with more complex use-cases to utilize acme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Update to v1.3. This version handles transitioning from a previous certificate that was issues using the staging server, adds more debug logging, and handles state directories better if issuing fails. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Support running in webroot mode, detect other daemons on port 80 For configurations where another web server is running on port 80, running acme.sh in standalone mode fails. Try to detect this and refuse to run; and allow the user to configure a webroot directory to use the running webserver for certificate verification. This also updates acme.sh to the latest version. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
7 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Support running in webroot mode, detect other daemons on port 80 For configurations where another web server is running on port 80, running acme.sh in standalone mode fails. Try to detect this and refuse to run; and allow the user to configure a webroot directory to use the running webserver for certificate verification. This also updates acme.sh to the latest version. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
7 years ago
acme: New version 1.2. This version will use the standalone (netcat) mode of acme.sh during verification instead of exposing uhttpd to the internet for the duration of the verification. It will also add an ip6tables rule to also support verification over IPv6. Also contains an updated version of acme.sh. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: add support for nginx webserver This adds a metapakcge for acme luci ap without uhttpd dependency and adds entities and check to stop handle nginx server and modify the certificate set automatically. Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
6 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: run through shellcheck Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Support running in webroot mode, detect other daemons on port 80 For configurations where another web server is running on port 80, running acme.sh in standalone mode fails. Try to detect this and refuse to run; and allow the user to configure a webroot directory to use the running webserver for certificate verification. This also updates acme.sh to the latest version. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
7 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: run through shellcheck Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Log acme.sh command invocation Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
5 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Get listener name from /proc/PID/exe instead of netstat output It seems the command name output from netstat can be truncated in weird ways, so let's get the binary name from /proc instead and use that for matching which listener we have. Fixes #15071. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Make sure we don't handle the same listener twice If a daemon listens on multiple addresses at once, it'll show up multiple times in get_listeners() which will clobber the config for uhttpd. Fix this by skipping subsequent handlings of the same daemon binary. Fixes #13325. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
4 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Get listener name from /proc/PID/exe instead of netstat output It seems the command name output from netstat can be truncated in weird ways, so let's get the binary name from /proc instead and use that for matching which listener we have. Fixes #15071. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
3 years ago
acme: Make sure we don't handle the same listener twice If a daemon listens on multiple addresses at once, it'll show up multiple times in get_listeners() which will clobber the config for uhttpd. Fix this by skipping subsequent handlings of the same daemon binary. Fixes #13325. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
4 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: run through shellcheck Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Fix uhttpd restart to load new certificates Fixes issue #16256 Signed-off-by: Dennis Schüsselbauer <scde@users.noreply.github.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: run through shellcheck Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: add haproxy support Signed-off-by: Wakatatsu Ryou <lialosiu@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Update to v1.3. This version handles transitioning from a previous certificate that was issues using the staging server, adds more debug logging, and handles state directories better if issuing fails. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Update to v1.3. This version handles transitioning from a previous certificate that was issues using the staging server, adds more debug logging, and handles state directories better if issuing fails. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: add haproxy support Signed-off-by: Wakatatsu Ryou <lialosiu@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Allow custom ACME server directory URL The underlying `acme.sh` allows custom ACME server URLs (using `--server`). Adding the necessary field to specify a custom ACME server URL from UCI. Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
4 years ago
Add option for days until renewal Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
4 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: add haproxy support Signed-off-by: Wakatatsu Ryou <lialosiu@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Allow custom ACME server directory URL The underlying `acme.sh` allows custom ACME server URLs (using `--server`). Adding the necessary field to specify a custom ACME server URL from UCI. Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
4 years ago
Add option for days until renewal Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
4 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: add haproxy support Signed-off-by: Wakatatsu Ryou <lialosiu@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: run through shellcheck Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: fix the 'Unknown parameter' problem caused by acme_server Signed-off-by: Meano <meano@foxmail.com>
4 years ago
acme: Allow custom ACME server directory URL The underlying `acme.sh` allows custom ACME server URLs (using `--server`). Adding the necessary field to specify a custom ACME server URL from UCI. Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
4 years ago
Add option for days until renewal Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
4 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: adopt to new behavior of nginx Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
3 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: adopt to new behavior of nginx Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: add haproxy support Signed-off-by: Wakatatsu Ryou <lialosiu@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: update to 2.9.0 Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time. Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a standard style. Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: Support running in webroot mode, detect other daemons on port 80 For configurations where another web server is running on port 80, running acme.sh in standalone mode fails. Try to detect this and refuse to run; and allow the user to configure a webroot directory to use the running webserver for certificate verification. This also updates acme.sh to the latest version. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
7 years ago
acme: Change boot init script logic to invoke start The new procd config dependency tracking requires the start method to be called even on boot. So add a state file that is checked by the run script to condition the special-case boot run instead of the previous independent call to the run script. Ref: https://github.com/openwrt/luci/pull/1769 Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
6 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: Support running in webroot mode, detect other daemons on port 80 For configurations where another web server is running on port 80, running acme.sh in standalone mode fails. Try to detect this and refuse to run; and allow the user to configure a webroot directory to use the running webserver for certificate verification. This also updates acme.sh to the latest version. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
7 years ago
acme: fix alignment space vs tabs Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
acme: Support running in webroot mode, detect other daemons on port 80 For configurations where another web server is running on port 80, running acme.sh in standalone mode fails. Try to detect this and refuse to run; and allow the user to configure a webroot directory to use the running webserver for certificate verification. This also updates acme.sh to the latest version. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
7 years ago
acme: New version 1.2. This version will use the standalone (netcat) mode of acme.sh during verification instead of exposing uhttpd to the internet for the duration of the verification. It will also add an ip6tables rule to also support verification over IPv6. Also contains an updated version of acme.sh. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
acme: Add package. This adds a package wrapping the acme.sh script from https://github.com/Neilpang/acme.sh in Uci config and hooks to interact correctly with uhttpd. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
8 years ago
 
  1. #!/bin/sh

  2. # Wrapper for acme.sh to work on openwrt.
  3. #
  4. # This program is free software; you can redistribute it and/or modify it under
  5. # the terms of the GNU General Public License as published by the Free Software
  6. # Foundation; either version 3 of the License, or (at your option) any later
  7. # version.
  8. #
  9. # Author: Toke Høiland-Jørgensen <toke@toke.dk>
  10. 

  11. CHECK_CRON=$1
  12. ACME=/usr/lib/acme/acme.sh
  13. export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
  14. export NO_TIMESTAMP=1
  15. 

  16. UHTTPD_LISTEN_HTTP=
  17. STATE_DIR='/etc/acme'
  18. ACCOUNT_EMAIL=
  19. DEBUG=0
  20. NGINX_WEBSERVER=0
  21. UPDATE_NGINX=0
  22. UPDATE_UHTTPD=0
  23. UPDATE_HAPROXY=0
  24. USER_CLEANUP=
  25. 

  26. . /lib/functions.sh
  27. 

  28. check_cron() {
  29. 	[ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
  30. 	echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
  31. 	/etc/init.d/cron start
  32. }
  33. 

  34. log() {
  35. 	logger -t acme -s -p daemon.info -- "$@"
  36. }
  37. 

  38. err() {
  39. 	logger -t acme -s -p daemon.err -- "$@"
  40. }
  41. 

  42. debug() {
  43. 	[ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug -- "$@"
  44. }
  45. 

  46. get_listeners() {
  47. 	local proto rq sq listen remote state program
  48. 	netstat -nptl 2> /dev/null | while read -r proto rq sq listen remote state program; do
  49. 		case "$proto#$listen#$program" in
  50. 			tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
  51. 		esac
  52. 	done
  53. }
  54. 

  55. run_acme() {
  56. 	debug "Running acme.sh as '$ACME $*'"
  57. 	$ACME "$@"
  58. }
  59. 

  60. pre_checks() {
  61. 	main_domain="$1"
  62. 

  63. 	log "Running pre checks for $main_domain."
  64. 

  65. 	listeners="$(get_listeners)"
  66. 

  67. 	debug "port80 listens: $listeners"
  68. 

  69. 	for listener in $(get_listeners); do
  70. 		pid="${listener%/*}"
  71. 		cmd="$(basename $(readlink /proc/$pid/exe))"
  72. 

  73. 		case "$cmd" in
  74. 			uhttpd)
  75. 				if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
  76. 					debug "Already handled uhttpd; skipping"
  77. 					continue
  78. 				fi
  79. 

  80. 				debug "Found uhttpd listening on port 80; trying to disable."
  81. 

  82. 				UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
  83. 

  84. 				if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
  85. 					err "$main_domain: Unable to find uhttpd listen config."
  86. 					err "Manually disable uhttpd or set webroot to continue."
  87. 					return 1
  88. 				fi
  89. 

  90. 				uci set uhttpd.main.listen_http=''
  91. 				uci commit uhttpd || return 1
  92. 				if ! /etc/init.d/uhttpd reload; then
  93. 					uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  94. 					uci commit uhttpd
  95. 					return 1
  96. 				fi
  97. 				;;
  98. 			nginx)
  99. 				if [ "$NGINX_WEBSERVER" -eq "1" ]; then
  100. 					debug "Already handled nginx; skipping"
  101. 					continue
  102. 				fi
  103. 

  104. 				debug "Found nginx listening on port 80; trying to disable."
  105. 				NGINX_WEBSERVER=1
  106. 				local tries=0
  107. 				while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
  108. 					/etc/init.d/nginx stop
  109. 					if [ $tries -gt 10 ]; then
  110. 						debug "Can't stop nginx. Terminating script."
  111. 						return 1
  112. 					fi
  113. 					debug "Waiting for nginx to stop..."
  114. 					tries=$((tries + 1))
  115. 					sleep 1
  116. 				done
  117. 				;;
  118. 			"")
  119. 				debug "Nothing listening on port 80."
  120. 				;;
  121. 			*)
  122. 				err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80."
  123. 				err "Disable other daemon or set webroot to continue."
  124. 				return 1
  125. 				;;
  126. 		esac
  127. 	done
  128. 

  129. 	iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  130. 	ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  131. 	debug "v4 input_rule: $(iptables -nvL input_rule)"
  132. 	debug "v6 input_rule: $(ip6tables -nvL input_rule)"
  133. 	return 0
  134. }
  135. 

  136. post_checks() {
  137. 	log "Running post checks (cleanup)."
  138. 	# The comment ensures we only touch our own rules. If no rules exist, that
  139. 	# is fine, so hide any errors
  140. 	iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
  141. 	ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
  142. 

  143. 	if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then
  144. 		if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
  145. 			uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  146. 			UHTTPD_LISTEN_HTTP=
  147. 		fi
  148. 		uci commit uhttpd
  149. 		/etc/init.d/uhttpd restart
  150. 	fi
  151. 

  152. 	if [ -e /etc/init.d/nginx ] && { [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; }; then
  153. 		NGINX_WEBSERVER=0
  154. 		/etc/init.d/nginx restart
  155. 	fi
  156. 

  157. 	if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ] ; then
  158. 		/etc/init.d/haproxy restart
  159. 	fi
  160. 

  161. 	if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then
  162. 		log "Running user-provided cleanup script from $USER_CLEANUP."
  163. 		"$USER_CLEANUP" || return 1
  164. 	fi
  165. }
  166. 

  167. err_out() {
  168. 	post_checks
  169. 	exit 1
  170. }
  171. 

  172. int_out() {
  173. 	post_checks
  174. 	trap - INT
  175. 	kill -INT $$
  176. }
  177. 

  178. is_staging() {
  179. 	local main_domain
  180. 	local domain_dir
  181. 	main_domain="$1"
  182. 	domain_dir="$2"
  183. 

  184. 	grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"
  185. 	return $?
  186. }
  187. 

  188. issue_cert() {
  189. 	local section="$1"
  190. 	local acme_args=
  191. 	local enabled
  192. 	local use_staging
  193. 	local update_uhttpd
  194. 	local update_nginx
  195. 	local update_haproxy
  196. 	local keylength
  197. 	local keylength_ecc=0
  198. 	local domains
  199. 	local main_domain
  200. 	local moved_staging=0
  201. 	local failed_dir
  202. 	local webroot
  203. 	local dns
  204. 	local user_setup
  205. 	local user_cleanup
  206. 	local ret
  207. 	local domain_dir
  208. 	local acme_server
  209. 	local days
  210. 

  211. 	config_get_bool enabled "$section" enabled 0
  212. 	config_get_bool use_staging "$section" use_staging
  213. 	config_get_bool update_uhttpd "$section" update_uhttpd
  214. 	config_get_bool update_nginx "$section" update_nginx
  215. 	config_get_bool update_haproxy "$section" update_haproxy
  216. 	config_get calias "$section" calias
  217. 	config_get dalias "$section" dalias
  218. 	config_get domains "$section" domains
  219. 	config_get keylength "$section" keylength
  220. 	config_get webroot "$section" webroot
  221. 	config_get dns "$section" dns
  222. 	config_get user_setup "$section" user_setup
  223. 	config_get user_cleanup "$section" user_cleanup
  224. 	config_get acme_server "$section" acme_server
  225. 	config_get days "$section" days
  226. 

  227. 	UPDATE_NGINX=$update_nginx
  228. 	UPDATE_UHTTPD=$update_uhttpd
  229. 	UPDATE_HAPROXY=$update_haproxy
  230. 	USER_CLEANUP=$user_cleanup
  231. 

  232. 	[ "$enabled" -eq "1" ] || return
  233. 

  234. 	[ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
  235. 

  236. 	set -- $domains
  237. 	main_domain=$1
  238. 

  239. 	if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then
  240. 		log "Running user-provided setup script from $user_setup."
  241. 		"$user_setup" "$main_domain" || return 1
  242. 	else
  243. 		[ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1
  244. 	fi
  245. 

  246. 	if echo "$keylength" | grep -q "^ec-"; then
  247. 		domain_dir="$STATE_DIR/${main_domain}_ecc"
  248. 		keylength_ecc=1
  249. 	else
  250. 		domain_dir="$STATE_DIR/${main_domain}"
  251. 	fi
  252. 

  253. 	log "Running ACME for $main_domain"
  254. 

  255. 	handle_credentials() {
  256. 		local credential="$1"
  257. 		eval export $credential
  258. 	}
  259. 	config_list_foreach "$section" credentials handle_credentials
  260. 

  261. 	if [ -e "$domain_dir" ]; then
  262. 		if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then
  263. 			log "Found previous cert issued using staging server. Moving it out of the way."
  264. 			mv "$domain_dir" "${domain_dir}.staging"
  265. 			moved_staging=1
  266. 		else
  267. 			log "Found previous cert config. Issuing renew."
  268. 			[ "$keylength_ecc" -eq "1" ] && acme_args="$acme_args --ecc"
  269. 			run_acme --home "$STATE_DIR" --renew -d "$main_domain" $acme_args && ret=0 || ret=1
  270. 			post_checks
  271. 			return $ret
  272. 		fi
  273. 	fi
  274. 

  275. 	acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
  276. 	acme_args="$acme_args --keylength $keylength"
  277. 	[ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
  278. 	[ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
  279. 

  280. 	if [ -n "$acme_server" ]; then
  281. 		log "Using custom ACME server URL"
  282. 		acme_args="$acme_args --server $acme_server"
  283. 	fi
  284. 

  285. 	if [ -n "$days" ]; then
  286. 		log "Renewing after $days days"
  287. 		acme_args="$acme_args --days $days"
  288. 	fi
  289. 

  290. 	if [ -n "$dns" ]; then
  291. 		log "Using dns mode"
  292. 		acme_args="$acme_args --dns $dns"
  293. 		if [ -n "$dalias" ]; then
  294. 			log "Using domain alias for dns mode"
  295. 			acme_args="$acme_args --domain-alias $dalias"
  296. 			if [ -n "$calias" ]; then
  297. 				err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
  298. 			fi
  299. 		elif [ -n "$calias" ]; then
  300. 			log "Using challenge alias for dns mode"
  301. 			acme_args="$acme_args --challenge-alias $calias"
  302. 		fi
  303. 	elif [ -z "$webroot" ]; then
  304. 		log "Using standalone mode"
  305. 		acme_args="$acme_args --standalone --listen-v6"
  306. 	else
  307. 		if [ ! -d "$webroot" ]; then
  308. 			err "$main_domain: Webroot dir '$webroot' does not exist!"
  309. 			post_checks
  310. 			return 1
  311. 		fi
  312. 		log "Using webroot dir: $webroot"
  313. 		acme_args="$acme_args --webroot $webroot"
  314. 	fi
  315. 

  316. 	if ! run_acme --home "$STATE_DIR" --issue $acme_args; then
  317. 		failed_dir="${domain_dir}.failed-$(date +%s)"
  318. 		err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
  319. 		[ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"
  320. 		if [ "$moved_staging" -eq "1" ]; then
  321. 			err "Restoring staging certificate"
  322. 			mv "${domain_dir}.staging" "${domain_dir}"
  323. 		fi
  324. 		post_checks
  325. 		return 1
  326. 	fi
  327. 

  328. 	if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
  329. 		uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"
  330. 		uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"
  331. 		# commit and reload is in post_checks
  332. 	fi
  333. 

  334. 	local nginx_updated
  335. 	nginx_updated=0
  336. 	if command -v nginx-util 2> /dev/null && [ "$update_nginx" -eq "1" ]; then
  337. 		nginx_updated=1
  338. 		for domain in $domains; do
  339. 			nginx-util add_ssl "${domain}" acme "${domain_dir}/fullchain.cer" \

  340. 				"${domain_dir}/${main_domain}.key" || nginx_updated=0
  341. 		done
  342. 		# reload is in post_checks
  343. 	fi
  344. 

  345. 	if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then
  346. 		sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf
  347. 		sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf
  348. 		# commit and reload is in post_checks
  349. 	fi
  350. 

  351. 	if [ -e /etc/init.d/haproxy ] && [ -w /etc/haproxy.cfg ] && [ "$update_haproxy" -eq "1" ]; then
  352. 		cat "${domain_dir}/${main_domain}.key" "${domain_dir}/fullchain.cer" > "${domain_dir}/${main_domain}-haproxy.pem"
  353. 		sed -i "s#bind :::443 v4v6 ssl crt .* alpn#bind :::443 v4v6 ssl crt ${domain_dir}/${main_domain}-haproxy.pem alpn#g" /etc/haproxy.cfg
  354. 		# commit and reload is in post_checks
  355. 	fi
  356. 

  357. 	post_checks
  358. }
  359. 

  360. load_vars() {
  361. 	local section="$1"
  362. 

  363. 	STATE_DIR=$(config_get "$section" state_dir)
  364. 	ACCOUNT_EMAIL=$(config_get "$section" account_email)
  365. 	DEBUG=$(config_get "$section" debug)
  366. }
  367. 

  368. check_cron
  369. [ -n "$CHECK_CRON" ] && exit 0
  370. [ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
  371. 

  372. config_load acme
  373. config_foreach load_vars acme
  374. 

  375. if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
  376. 	err "state_dir and account_email must be set"
  377. 	exit 1
  378. fi
  379. 

  380. [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
  381. 

  382. trap err_out HUP TERM
  383. trap int_out INT
  384. 

  385. config_foreach issue_cert cert
  386. 

  387. exit 0