LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
26496 Commits
1 Branch
46 MiB
Tree: 1e5e7ce469
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1e5e7ce469'
${ noResults }
openwrt-packages-dist/net/uacme/files/run.sh

508 lines
14 KiB
Raw Normal View History

uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: do not override production state dir variable With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: do not override production state dir variable With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: do not override production state dir variable With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add support for user-provided setup and cleanup scripts Add possibility for user to provide setup and cleanup scripts for additional flexibility. Setup-script takes precedence over the built-in behavior of uacme. This helps users with more complex use-cases to utilize uacme to update certificates without adding complexity to the provided run.sh script. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
4 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: propagate rc of uacme in issue_cert() Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred". Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: adopt to new behavior of nginx Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add use_auto_staging Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add use_auto_staging Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add use_auto_staging Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add use_auto_staging Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add use_auto_staging Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add use_auto_staging Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: do not override production state dir variable With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: allow including run-uacme With this commit, the run-acme script can be included into other scripts by setting INLCUDE_ONLY=1. Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: do not override production state dir variable With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: do not override production state dir variable With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: allow including run-uacme With this commit, the run-acme script can be included into other scripts by setting INLCUDE_ONLY=1. Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
uacme: add retries Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let'sEncrypt. The waiting pause is: - 2 minutes for staging certificates - 24 minutes for production certificates The current "Failed Validation" rate limits of Let'sEncrypt are: - staging: 60 per hour -> 1 failure every 1 minute in avg. - production: 5 per hour -> 1 failure every 12 minutes in avg. This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful, when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
3 years ago
uacme: add package lightweight client for the RFC8555 ACMEv2 protocol, written in plain C code with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS). Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
5 years ago
uacme: allow including run-uacme With this commit, the run-acme script can be included into other scripts by setting INLCUDE_ONLY=1. Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
3 years ago
 
  1. #!/bin/sh

  2. # Wrapper for uacme to work on openwrt.
  3. #
  4. # This program is free software; you can redistribute it and/or modify it under
  5. # the terms of the GNU General Public License as published by the Free Software
  6. # Foundation; either version 3 of the License, or (at your option) any later
  7. # version.
  8. #
  9. # Initial Author: Toke Høiland-Jørgensen <toke@toke.dk>
  10. # Adapted for uacme: Lucian Cristian <lucian.cristian@gmail.com>
  11. 

  12. CHECK_CRON=$1
  13. 

  14. #check for installed packages, for now, support only one
  15. if [ -e "/usr/lib/acme/acme.sh" ]; then
  16.     ACME=/usr/lib/acme/acme.sh
  17.     APP=acme
  18. elif [ -e "/usr/sbin/uacme" ]; then
  19.     ACME=/usr/sbin/uacme
  20.     HPROGRAM=/usr/share/uacme/uacme.sh
  21.     APP=uacme
  22. else
  23.     echo "Please install ACME or uACME package"
  24.     return 1
  25. fi
  26. 

  27. export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
  28. export NO_TIMESTAMP=1
  29. 

  30. UHTTPD_LISTEN_HTTP=
  31. PRODUCTION_STATE_DIR='/etc/acme'
  32. STAGING_STATE_DIR='/etc/acme/staging'
  33. 

  34. ACCOUNT_EMAIL=
  35. DEBUG=0
  36. NGINX_WEBSERVER=0
  37. UPDATE_NGINX=0
  38. UPDATE_UHTTPD=0
  39. UPDATE_HAPROXY=0
  40. USER_CLEANUP=
  41. 

  42. . /lib/functions.sh
  43. 

  44. check_cron()
  45. {
  46.     [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
  47.     echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
  48.     /etc/init.d/cron start
  49. }
  50. 

  51. log()
  52. {
  53.     logger -t $APP -s -p daemon.info "$@"
  54. }
  55. 

  56. err()
  57. {
  58.     logger -t $APP -s -p daemon.err "$@"
  59. }
  60. 

  61. debug()
  62. {
  63.     [ "$DEBUG" -eq "1" ] && logger -t $APP -s -p daemon.debug "$@"
  64. }
  65. 

  66. get_listeners() {
  67.     local proto rq sq listen remote state program
  68.     netstat -nptl 2>/dev/null | while read proto listen program; do
  69.         case "$proto#$listen#$program" in
  70.             tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
  71.         esac
  72.     done
  73. }
  74. 

  75. pre_checks()
  76. {
  77.     main_domain="$1"
  78. 

  79.     log "Running pre checks for $main_domain."
  80. 

  81.     listeners="$(get_listeners)"
  82. 

  83.     debug "port80 listens: $listeners"
  84. 

  85.     for listener in $(get_listeners); do
  86. 	pid="${listener%/*}"
  87. 	cmd="${listener#*/}"
  88. 

  89. 	case "$cmd" in
  90. 	    uhttpd)
  91. 		debug "Found uhttpd listening on port 80"
  92. 		if [ "$APP" = "acme" ]; then
  93. 		    UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
  94. 		    if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
  95. 			err "$main_domain: Unable to find uhttpd listen config."
  96. 			err "Manually disable uhttpd or set webroot to continue."
  97. 			return 1
  98. 		    fi
  99. 		    uci set uhttpd.main.listen_http=''
  100. 		    uci commit uhttpd || return 1
  101. 		    if ! /etc/init.d/uhttpd reload ; then
  102. 			uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  103. 			uci commit uhttpd
  104. 			return 1
  105. 		    fi
  106. 		fi
  107. 	    ;;
  108. 	    nginx*)
  109. 		debug "Found nginx listening on port 80"
  110. 		NGINX_WEBSERVER=1
  111. 		if [ "$APP" = "acme" ]; then
  112. 		    local tries=0
  113. 		    while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
  114. 		    /etc/init.d/nginx stop
  115. 			if [ $tries -gt 10 ]; then
  116. 			    debug "Can't stop nginx. Terminating script."
  117. 			    return 1
  118. 			fi
  119. 		    debug "Waiting for nginx to stop..."
  120. 		    tries=$((tries + 1))
  121. 		    sleep 1
  122. 		    done
  123. 		fi
  124.             ;;
  125. 	    "")
  126. 		err "Nothing listening on port 80."
  127. 		err "Standalone mode not supported, setup uhttpd or nginx"
  128. 		return 1
  129.             ;;
  130.             *)
  131. 		err "$main_domain: unsupported (apache/haproxy?) daemon is listening on port 80."
  132. 		err "if webroot is set on your current webserver comment line 132 (return 1) from this script."
  133. 		return 1
  134.             ;;
  135. 	esac
  136.     done
  137. 

  138.     iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  139.     debug "v4 input_rule: $(iptables -nvL input_rule)"
  140.     if [ -e "/usr/sbin/ip6tables" ]; then
  141. 	ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  142. 	debug "v6 input_rule: $(ip6tables -nvL input_rule)"
  143.     fi
  144.     return 0
  145. }
  146. 

  147. post_checks()
  148. {
  149.     log "Running post checks (cleanup)."
  150.     # The comment ensures we only touch our own rules. If no rules exist, that
  151.     # is fine, so hide any errors
  152.     iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
  153.     if [ -e "/usr/sbin/ip6tables" ]; then
  154. 	ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
  155.     fi
  156.     if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then
  157. 	uci commit uhttpd
  158. 	/etc/init.d/uhttpd reload
  159. 	log "Restarting uhttpd..."
  160.     fi
  161. 

  162.     if [ -e /etc/init.d/nginx ] && ( [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; ); then
  163. 	NGINX_WEBSERVER=0
  164. 	/etc/init.d/nginx restart
  165. 	log "Restarting nginx..."
  166.     fi
  167. 

  168.     if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ]; then
  169. 	/etc/init.d/haproxy restart
  170. 	log "Restarting haproxy..."
  171.     fi
  172. 

  173.     if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then
  174. 	log "Running user-provided cleanup script from $USER_CLEANUP."
  175. 	"$USER_CLEANUP" || return 1
  176.     fi
  177. }
  178. 

  179. err_out()
  180. {
  181.     post_checks
  182.     exit 1
  183. }
  184. 

  185. int_out()
  186. {
  187.     post_checks
  188.     trap - INT
  189.     kill -INT $$
  190. }
  191. 

  192. is_staging()
  193. {
  194.     local main_domain="$1"
  195. 

  196.     grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
  197.     return $?
  198. }
  199. 

  200. issue_cert()
  201. {
  202.     local section="$1"
  203.     local acme_args=
  204.     local debug=
  205.     local enabled
  206.     local use_staging
  207.     local update_uhttpd
  208.     local update_nginx
  209.     local update_haproxy
  210.     local keylength
  211.     local domains
  212.     local main_domain
  213.     local failed_dir
  214.     local webroot
  215.     local dns
  216.     local user_setup
  217.     local user_cleanup
  218.     local ret
  219.     local staging=
  220.     local HOOK=
  221. 

  222.     # reload uci values, as the value of use_staging may have changed
  223.     config_load acme
  224.     config_get_bool enabled "$section" enabled 0
  225.     config_get_bool use_staging "$section" use_staging
  226.     config_get_bool update_uhttpd "$section" update_uhttpd
  227.     config_get_bool update_nginx "$section" update_nginx
  228.     config_get_bool update_haproxy "$section" update_haproxy
  229.     config_get domains "$section" domains
  230.     config_get keylength "$section" keylength
  231.     config_get webroot "$section" webroot
  232.     config_get dns "$section" dns
  233.     config_get user_setup "$section" user_setup
  234.     config_get user_cleanup "$section" user_cleanup
  235. 

  236.     UPDATE_NGINX=$update_nginx
  237.     UPDATE_UHTTPD=$update_uhttpd
  238.     UPDATE_HAPROXY=$update_haproxy
  239.     USER_CLEANUP=$user_cleanup
  240. 

  241.     [ "$enabled" -eq "1" ] || return 0
  242. 

  243.     if [ "$APP" = "uacme" ]; then
  244. 	[ "$DEBUG" -eq "1" ] && debug="--verbose --verbose"
  245.     elif [ "$APP" = "acme" ]; then
  246. 	[ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
  247.     fi
  248.     if [ "$use_staging" -eq "1" ]; then
  249. 	STATE_DIR="$STAGING_STATE_DIR";
  250. 	staging="--staging";
  251.     else
  252. 	STATE_DIR="$PRODUCTION_STATE_DIR";
  253. 	staging="";
  254.     fi
  255. 

  256.     set -- $domains
  257.     main_domain=$1
  258. 

  259.     if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then
  260. 	log "Running user-provided setup script from $user_setup."
  261. 	"$user_setup" "$main_domain" || return 2
  262.     else
  263. 	[ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 2
  264.     fi
  265. 

  266.     log "Running $APP for $main_domain"
  267. 

  268.     if [ "$APP" = "uacme" ]; then
  269. 	if [ ! -f  "$STATE_DIR/private/key.pem" ]; then
  270. 	    log "Create a new ACME account with email $ACCOUNT_EMAIL use staging=$use_staging"
  271. 	    $ACME $debug --confdir "$STATE_DIR" $staging --yes new $ACCOUNT_EMAIL
  272. 	fi
  273. 

  274. 	if [ -f "$STATE_DIR/$main_domain/cert.pem" ]; then
  275. 	    log "Found previous cert config, use staging=$use_staging. Issuing renew."
  276. 	    export CHALLENGE_PATH="$webroot"
  277. 	    $ACME $debug --confdir "$STATE_DIR" $staging --never-create issue $domains --hook=$HPROGRAM; ret=$?
  278. 	    post_checks
  279. 	    return $ret
  280. 	fi
  281.     fi
  282.     if [ "$APP" = "acme" ]; then
  283. 	handle_credentials() {
  284. 	    local credential="$1"
  285. 	    eval export "$credential"
  286. 	}
  287. 	config_list_foreach "$section" credentials handle_credentials
  288. 

  289. 	if [ -e "$STATE_DIR/$main_domain" ]; then
  290. 	    if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
  291. 		log "Found previous cert issued using staging server. Moving it out of the way."
  292. 		mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
  293. 	    else
  294. 		log "Found previous cert config. Issuing renew."
  295. 		$ACME --home "$STATE_DIR" --renew -d "$main_domain" "$acme_args"; ret=$?
  296. 		post_checks
  297. 		return $ret
  298. 	    fi
  299. 	fi
  300.     fi
  301. 

  302.     acme_args="$acme_args --bits $keylength"
  303.     acme_args="$acme_args $(for d in $domains; do echo -n " $d "; done)"
  304.     if [ "$APP" = "acme" ]; then
  305. 	[ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
  306. 	[ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
  307.     fi
  308.     if [ -n "$dns" ]; then
  309. #TO-DO
  310. 	if [ "$APP" = "acme" ]; then
  311. 	    log "Using dns mode"
  312. 	    acme_args="$acme_args --dns $dns"
  313. 	else
  314. 	    log "Using dns mode, dns-01 is not wrapped yet"
  315. 	    return 2
  316. #	    uacme_args="$uacme_args --dns $dns"
  317. 	fi
  318.     elif [ -z "$webroot" ]; then
  319. 	if [ "$APP" = "acme" ]; then
  320. 	    log "Using standalone mode"
  321. 	    acme_args="$acme_args --standalone --listen-v6"
  322. 	else
  323. 	    log "Standalone not supported by $APP"
  324. 	    return 2
  325. 	fi
  326.     else
  327. 	if [ ! -d "$webroot" ]; then
  328. 	    err "$main_domain: Webroot dir '$webroot' does not exist!"
  329. 	    post_checks
  330. 	    return 2
  331. 	fi
  332. 	log "Using webroot dir: $webroot"
  333. 	if [ "$APP" = "uacme" ]; then
  334. 	    export CHALLENGE_PATH="$webroot"
  335. 	else
  336. 	    acme_args="$acme_args --webroot $webroot"
  337. 	fi
  338.     fi
  339. 

  340.     if [ "$APP" = "uacme" ]; then
  341. 	workdir="--confdir"
  342. 	HOOK="--hook=$HPROGRAM"
  343.     else
  344. 	workdir="--home"
  345.     fi
  346. 

  347.     $ACME $debug $workdir "$STATE_DIR" $staging issue $acme_args $HOOK; ret=$?
  348.     if [ "$ret" -ne 0 ]; then
  349. 	failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
  350. 	err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
  351. 	[ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
  352. 	[ -d "$STATE_DIR/private/$main_domain" ] && mv "$STATE_DIR/private/$main_domain" "$failed_dir"
  353. 	post_checks
  354. 	return $ret
  355.     fi
  356. 

  357.     if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
  358. 	if [ "$APP" = "uacme" ]; then
  359. 	    uci set uhttpd.main.key="$STATE_DIR/private/${main_domain}/key.pem"
  360. 	    uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/cert.pem"
  361. 	else
  362. 	    uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"
  363. 	    uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"
  364. 	fi
  365. 	# commit and reload is in post_checks
  366.     fi
  367. 

  368.     local nginx_updated
  369.     nginx_updated=0
  370.     if command -v nginx-util 2>/dev/null && [ "$update_nginx" -eq "1" ]; then
  371. 	nginx_updated=1
  372. 	for domain in $domains; do
  373. 	    if [ "$APP" = "uacme" ]; then
  374. 		nginx-util add_ssl "${domain}" uacme "$STATE_DIR/${main_domain}/cert.pem" \

  375. 		    "$STATE_DIR/private/${main_domain}/key.pem" || nginx_updated=0
  376. 	    else
  377. 		nginx-util add_ssl "${domain}" acme "$STATE_DIR/${main_domain}/fullchain.cer" \

  378. 		    "$STATE_DIR/${main_domain}/${main_domain}.key" || nginx_updated=0
  379. 	    fi
  380. 	done
  381. 	# reload is in post_checks
  382.     fi
  383. 

  384.     if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then
  385. 	if [ "$APP" = "uacme" ]; then
  386. 	    sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/cert.pem;#g" /etc/nginx/nginx.conf
  387. 	    sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/private/${main_domain}/key.pem;#g" /etc/nginx/nginx.conf
  388. 	else
  389. 	    sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/fullchain.cer;#g" /etc/nginx/nginx.conf
  390. 	    sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/${main_domain}/${main_domain}.key;#g" /etc/nginx/nginx.conf
  391. 	fi
  392. 	# commit and reload is in post_checks
  393.     fi
  394. 

  395.     if [ -e /etc/init.d/haproxy ] && [ "$update_haproxy" -eq 1 ]; then
  396. 	if [ "$APP" = "uacme" ]; then
  397. 	    cat $STATE_DIR/${main_domain}/cert.pem $STATE_DIR/private/${main_domain}/key.pem > $STATE_DIR/${main_domain}/full_haproxy.pem
  398. 	else
  399. 	    cat $STATE_DIR/${main_domain}/fullchain.cer $STATE_DIR/${main_domain}/${main_domain}.key > $STATE_DIR/${main_domain}/full_haproxy.pem
  400. 	fi
  401.     fi
  402. 

  403.     post_checks
  404. }
  405. 

  406. issue_cert_with_retries() {
  407. 	local section="$1"
  408. 	local use_staging
  409. 	local retries
  410. 	local use_auto_staging
  411. 	local infinite_retries
  412. 	config_get_bool use_staging "$section" use_staging
  413. 	config_get_bool use_auto_staging "$section" use_auto_staging
  414. 	config_get_bool enabled "$section" enabled
  415. 	config_get retries "$section" retries
  416. 

  417. 	[ -z "$retries" ] && retries=1
  418. 	[ -z "$use_auto_staging" ] && use_auto_staging=0
  419. 	[ "$retries" -eq "0" ] && infinite_retries=1
  420. 	[ "$enabled" -eq "1" ] || return 0
  421. 

  422. 	while true; do
  423. 		issue_cert "$1"; ret=$?
  424. 

  425. 		if [ "$ret" -eq "2" ]; then
  426. 			# An error occurred while retrieving the certificate.
  427. 			retries="$((retries-1))"
  428. 

  429. 			if [ "$use_auto_staging" -eq "1" ] && [ "$use_staging" -eq "0" ]; then
  430. 				log "Production certificate could not be obtained. Switching to staging server."
  431. 				use_staging=1
  432. 				uci set "acme.$1.use_staging=1"
  433. 				uci commit acme
  434. 			fi
  435. 

  436. 			if [ -z "$infinite_retries" ] && [ "$retries" -lt "1" ]; then
  437. 				log "An error occurred while retrieving the certificate. Retries exceeded."
  438. 				return "$ret"
  439. 			fi
  440. 

  441. 			if [ "$use_staging" -eq "1" ]; then
  442. 				# The "Failed Validations" limit of LetsEncrypt is 60 per hour. This
  443. 				# means one failure every minute. Here we wait 2 minutes to be within
  444. 				# limits for sure.
  445. 				sleeptime=120
  446. 			else
  447. 				# There is a "Failed Validation" limit of LetsEncrypt is 5 failures per
  448. 				# account, per hostname, per hour. This means one failure every 12
  449. 				# minutes. Here we wait 25 minutes to be within limits for sure.
  450. 				sleeptime=1500
  451. 			fi
  452. 

  453. 			log "An error occurred while retrieving the certificate. Retrying in $sleeptime seconds."
  454. 			sleep "$sleeptime"
  455. 			continue
  456. 		else
  457. 			if [ "$use_auto_staging" -eq "1" ]; then
  458. 				if [ "$use_staging" -eq "0" ]; then
  459. 					log "Production certificate obtained. Exiting."
  460. 				else
  461. 					log "Staging certificate obtained. Continuing with production server."
  462. 					use_staging=0
  463. 					uci set "acme.$1.use_staging=0"
  464. 					uci commit acme
  465. 					continue
  466. 				fi
  467. 			fi
  468. 

  469. 			return "$ret"
  470. 		fi
  471. 	done
  472. }
  473. 

  474. load_vars()
  475. {
  476.     local section="$1"
  477. 

  478.     PRODUCTION_STATE_DIR=$(config_get "$section" state_dir)
  479.     STAGING_STATE_DIR=$PRODUCTION_STATE_DIR/staging
  480.     ACCOUNT_EMAIL=$(config_get "$section" account_email)
  481.     DEBUG=$(config_get "$section" debug)
  482. }
  483. 

  484. if [ -z "$INCLUDE_ONLY" ]; then
  485.     check_cron
  486.     [ -n "$CHECK_CRON" ] && exit 0
  487.     [ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
  488. fi
  489. 

  490. config_load acme
  491. config_foreach load_vars acme
  492. 

  493. if [ -z "$PRODUCTION_STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
  494.     err "state_dir and account_email must be set"
  495.     exit 1
  496. fi
  497. 

  498. [ -d "$PRODUCTION_STATE_DIR" ] || mkdir -p "$PRODUCTION_STATE_DIR"
  499. [ -d "$STAGING_STATE_DIR" ] || mkdir -p "$STAGING_STATE_DIR"
  500. 

  501. trap err_out HUP TERM
  502. trap int_out INT
  503. 

  504. if [ -z "$INCLUDE_ONLY" ]; then
  505.     config_foreach issue_cert_with_retries cert
  506. 

  507.     exit 0
  508. fi