LILiK
/
openwrt-packages-dist

#!/bin/sh
# Wrapper for acme.sh to work on openwrt.## This program is free software; you can redistribute it and/or modify it under# the terms of the GNU General Public License as published by the Free Software# Foundation; either version 3 of the License, or (at your option) any later# version.## Author: Toke Høiland-Jørgensen <toke@toke.dk>
CHECK_CRON=$1ACME=/usr/lib/acme/acme.shexport CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crtexport NO_TIMESTAMP=1
UHTTPD_LISTEN_HTTP=STATE_DIR='/etc/acme'ACCOUNT_EMAIL=DEBUG=0NGINX_WEBSERVER=0UPDATE_NGINX=0UPDATE_UHTTPD=0UPDATE_HAPROXY=0NFT_HANDLE=USER_CLEANUP=
. /lib/functions.sh
check_cron() {	[ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return	echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root	/etc/init.d/cron start}
log() {	logger -t acme -s -p daemon.info -- "$@"}
err() {	logger -t acme -s -p daemon.err -- "$@"}
debug() {	[ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug -- "$@"}
get_listeners() {	local proto rq sq listen remote state program	netstat -nptl 2> /dev/null | while read -r proto rq sq listen remote state program; do		case "$proto#$listen#$program" in			tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;		esac	done}
run_acme() {	debug "Running acme.sh as '$ACME $*'"	$ACME "$@"}
pre_checks() {	main_domain="$1"
	log "Running pre checks for $main_domain."
	listeners="$(get_listeners)"
	debug "port80 listens: $listeners"
	for listener in $(get_listeners); do		pid="${listener%/*}"		cmd="$(basename $(readlink /proc/$pid/exe))"
		case "$cmd" in			uhttpd)				if [ -n "$UHTTPD_LISTEN_HTTP" ]; then					debug "Already handled uhttpd; skipping"					continue				fi
				debug "Found uhttpd listening on port 80; trying to disable."
				UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
				if [ -z "$UHTTPD_LISTEN_HTTP" ]; then					err "$main_domain: Unable to find uhttpd listen config."					err "Manually disable uhttpd or set webroot to continue."					return 1				fi
				uci set uhttpd.main.listen_http=''				uci commit uhttpd || return 1				if ! /etc/init.d/uhttpd reload; then					uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"					uci commit uhttpd					return 1				fi				;;			nginx)				if [ "$NGINX_WEBSERVER" -eq "1" ]; then					debug "Already handled nginx; skipping"					continue				fi
				debug "Found nginx listening on port 80; trying to disable."				NGINX_WEBSERVER=1				local tries=0				while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do					/etc/init.d/nginx stop					if [ $tries -gt 10 ]; then						debug "Can't stop nginx. Terminating script."						return 1					fi					debug "Waiting for nginx to stop..."					tries=$((tries + 1))					sleep 1				done				;;			"")				debug "Nothing listening on port 80."				;;			*)				err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80."				err "Disable other daemon or set webroot to continue."				return 1				;;		esac	done
	NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+')	ret=$?	[ "$ret" -eq "0" ] || return 1	debug "added nft rule: $NFT_HANDLE"	return 0}
post_checks() {	log "Running post checks (cleanup)."	# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft	[ -n "$NFT_HANDLE" ] && nft delete rule inet fw4 input $NFT_HANDLE
	if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then		if [ -n "$UHTTPD_LISTEN_HTTP" ]; then			uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"			UHTTPD_LISTEN_HTTP=		fi		uci commit uhttpd		/etc/init.d/uhttpd restart	fi
	if [ -e /etc/init.d/nginx ] && { [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; }; then		NGINX_WEBSERVER=0		/etc/init.d/nginx restart	fi
	if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ] ; then		/etc/init.d/haproxy restart	fi
	if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then		log "Running user-provided cleanup script from $USER_CLEANUP."		"$USER_CLEANUP" || return 1	fi}
err_out() {	post_checks	exit 1}
int_out() {	post_checks	trap - INT	kill -INT $$}
is_staging() {	local main_domain	local domain_dir	main_domain="$1"	domain_dir="$2"
	grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"	return $?}
issue_cert() {	local section="$1"	local acme_args=	local enabled	local use_staging	local update_uhttpd	local update_nginx	local update_haproxy	local keylength	local keylength_ecc=0	local domains	local main_domain	local moved_staging=0	local failed_dir	local webroot	local dns	local user_setup	local user_cleanup	local ret	local domain_dir	local acme_server	local days
	config_get_bool enabled "$section" enabled 0	config_get_bool use_staging "$section" use_staging	config_get_bool update_uhttpd "$section" update_uhttpd	config_get_bool update_nginx "$section" update_nginx	config_get_bool update_haproxy "$section" update_haproxy	config_get calias "$section" calias	config_get dalias "$section" dalias	config_get domains "$section" domains	config_get keylength "$section" keylength	config_get webroot "$section" webroot	config_get dns "$section" dns	config_get user_setup "$section" user_setup	config_get user_cleanup "$section" user_cleanup	config_get acme_server "$section" acme_server	config_get days "$section" days
	UPDATE_NGINX=$update_nginx	UPDATE_UHTTPD=$update_uhttpd	UPDATE_HAPROXY=$update_haproxy	USER_CLEANUP=$user_cleanup
	[ "$enabled" -eq "1" ] || return
	[ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
	set -- $domains	main_domain=$1
	if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then		log "Running user-provided setup script from $user_setup."		"$user_setup" "$main_domain" || return 1	else		[ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1	fi
	if echo "$keylength" | grep -q "^ec-"; then		domain_dir="$STATE_DIR/${main_domain}_ecc"		keylength_ecc=1	else		domain_dir="$STATE_DIR/${main_domain}"	fi
	log "Running ACME for $main_domain"
	handle_credentials() {		local credential="$1"		eval export $credential	}	config_list_foreach "$section" credentials handle_credentials
	if [ -e "$domain_dir" ]; then		if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then			log "Found previous cert issued using staging server. Moving it out of the way."			mv "$domain_dir" "${domain_dir}.staging"			moved_staging=1		else			log "Found previous cert config. Issuing renew."			[ "$keylength_ecc" -eq "1" ] && acme_args="$acme_args --ecc"			run_acme --home "$STATE_DIR" --renew -d "$main_domain" $acme_args && ret=0 || ret=1			post_checks			return $ret		fi	fi
	acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"	acme_args="$acme_args --keylength $keylength"	[ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
	if [ -n "$acme_server" ]; then		log "Using custom ACME server URL"		acme_args="$acme_args --server $acme_server"	else		# default to letsencrypt because the upstream default may change		if [ "$use_staging" -eq "1" ]; then			acme_args="$acme_args --server letsencrypt_test"		else			acme_args="$acme_args --server letsencrypt"		fi	fi
	if [ -n "$days" ]; then		log "Renewing after $days days"		acme_args="$acme_args --days $days"	fi
	if [ -n "$dns" ]; then		log "Using dns mode"		acme_args="$acme_args --dns $dns"		if [ -n "$dalias" ]; then			log "Using domain alias for dns mode"			acme_args="$acme_args --domain-alias $dalias"			if [ -n "$calias" ]; then				err "Both domain and challenge aliases are defined. Ignoring the challenge alias."			fi		elif [ -n "$calias" ]; then			log "Using challenge alias for dns mode"			acme_args="$acme_args --challenge-alias $calias"		fi	elif [ -z "$webroot" ]; then		log "Using standalone mode"		acme_args="$acme_args --standalone --listen-v6"	else		if [ ! -d "$webroot" ]; then			err "$main_domain: Webroot dir '$webroot' does not exist!"			post_checks			return 1		fi		log "Using webroot dir: $webroot"		acme_args="$acme_args --webroot $webroot"	fi
	if ! run_acme --home "$STATE_DIR" --issue $acme_args; then		failed_dir="${domain_dir}.failed-$(date +%s)"		err "Issuing cert for $main_domain failed. Moving state to $failed_dir"		[ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"		if [ "$moved_staging" -eq "1" ]; then			err "Restoring staging certificate"			mv "${domain_dir}.staging" "${domain_dir}"		fi		post_checks		return 1	fi
	if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then		uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"		uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"		# commit and reload is in post_checks	fi
	local nginx_updated	nginx_updated=0	if command -v nginx-util 2> /dev/null && [ "$update_nginx" -eq "1" ]; then		nginx_updated=1		for domain in $domains; do			nginx-util add_ssl "${domain}" acme "${domain_dir}/fullchain.cer" \
				"${domain_dir}/${main_domain}.key" || nginx_updated=0		done		# reload is in post_checks	fi
	if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then		sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf		sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf		# commit and reload is in post_checks	fi
	if [ -e /etc/init.d/haproxy ] && [ -w /etc/haproxy.cfg ] && [ "$update_haproxy" -eq "1" ]; then		cat "${domain_dir}/${main_domain}.key" "${domain_dir}/fullchain.cer" > "${domain_dir}/${main_domain}-haproxy.pem"		sed -i "s#bind :::443 v4v6 ssl crt .* alpn#bind :::443 v4v6 ssl crt ${domain_dir}/${main_domain}-haproxy.pem alpn#g" /etc/haproxy.cfg		# commit and reload is in post_checks	fi
	post_checks}
load_vars() {	local section="$1"
	STATE_DIR=$(config_get "$section" state_dir)	ACCOUNT_EMAIL=$(config_get "$section" account_email)	DEBUG=$(config_get "$section" debug)}
check_cron[ -n "$CHECK_CRON" ] && exit 0[ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
config_load acmeconfig_foreach load_vars acme
if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then	err "state_dir and account_email must be set"	exit 1fi
[ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
trap err_out HUP TERMtrap int_out INT
config_foreach issue_cert cert
exit 0