LILiK
/
openwrt-packages-dist

#!/bin/sh
# Wrapper for uacme to work on openwrt.## This program is free software; you can redistribute it and/or modify it under# the terms of the GNU General Public License as published by the Free Software# Foundation; either version 3 of the License, or (at your option) any later# version.## Initial Author: Toke Høiland-Jørgensen <toke@toke.dk># Adapted for uacme: Lucian Cristian <lucian.cristian@gmail.com>
CHECK_CRON=$1
#check for installed packages, for now, support only oneif [ -e "/usr/lib/acme/acme.sh" ]; then    ACME=/usr/lib/acme/acme.sh    APP=acmeelif [ -e "/usr/sbin/uacme" ]; then    ACME=/usr/sbin/uacme    HPROGRAM=/usr/share/uacme/uacme.sh    APP=uacmeelse    echo "Please install ACME or uACME package"    return 1fi
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crtexport NO_TIMESTAMP=1
UHTTPD_LISTEN_HTTP=STATE_DIR='/etc/acme'STAGING_STATE_DIR='/etc/acme/staging'
ACCOUNT_EMAIL=DEBUG=0NGINX_WEBSERVER=0UPDATE_NGINX=0UPDATE_UHTTPD=0UPDATE_HAPROXY=0USER_CLEANUP=
. /lib/functions.sh
check_cron(){    [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return    echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root    /etc/init.d/cron start}
log(){    logger -t $APP -s -p daemon.info "$@"}
err(){    logger -t $APP -s -p daemon.err "$@"}
debug(){    [ "$DEBUG" -eq "1" ] && logger -t $APP -s -p daemon.debug "$@"}
get_listeners() {    local proto rq sq listen remote state program    netstat -nptl 2>/dev/null | while read proto listen program; do        case "$proto#$listen#$program" in            tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;        esac    done}
pre_checks(){    main_domain="$1"
    log "Running pre checks for $main_domain."
    listeners="$(get_listeners)"
    debug "port80 listens: $listeners"
    for listener in $(get_listeners); do	pid="${listener%/*}"	cmd="${listener#*/}"
	case "$cmd" in	    uhttpd)		debug "Found uhttpd listening on port 80"		if [ "$APP" = "acme" ]; then		    UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)		    if [ -z "$UHTTPD_LISTEN_HTTP" ]; then			err "$main_domain: Unable to find uhttpd listen config."			err "Manually disable uhttpd or set webroot to continue."			return 1		    fi		    uci set uhttpd.main.listen_http=''		    uci commit uhttpd || return 1		    if ! /etc/init.d/uhttpd reload ; then			uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"			uci commit uhttpd			return 1		    fi		fi	    ;;	    nginx*)		debug "Found nginx listening on port 80"		NGINX_WEBSERVER=1		if [ "$APP" = "acme" ]; then		    local tries=0		    while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do		    /etc/init.d/nginx stop			if [ $tries -gt 10 ]; then			    debug "Can't stop nginx. Terminating script."			    return 1			fi		    debug "Waiting for nginx to stop..."		    tries=$((tries + 1))		    sleep 1		    done		fi            ;;	    "")		err "Nothing listening on port 80."		err "Standalone mode not supported, setup uhttpd or nginx"		return 1            ;;            *)		err "$main_domain: unsupported (apache/haproxy?) daemon is listening on port 80."		err "if webroot is set on your current webserver comment line 132 (return 1) from this script."		return 1            ;;	esac    done
    iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1    debug "v4 input_rule: $(iptables -nvL input_rule)"    if [ -e "/usr/sbin/ip6tables" ]; then	ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1	debug "v6 input_rule: $(ip6tables -nvL input_rule)"    fi    return 0}
post_checks(){    log "Running post checks (cleanup)."    # The comment ensures we only touch our own rules. If no rules exist, that    # is fine, so hide any errors    iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null    if [ -e "/usr/sbin/ip6tables" ]; then	ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null    fi    if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then	uci commit uhttpd	/etc/init.d/uhttpd reload	log "Restarting uhttpd..."    fi
    if [ -e /etc/init.d/nginx ] && ( [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; ); then	NGINX_WEBSERVER=0	/etc/init.d/nginx restart	log "Restarting nginx..."    fi
    if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ]; then	/etc/init.d/haproxy restart	log "Restarting haproxy..."    fi
    if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then	log "Running user-provided cleanup script from $USER_CLEANUP."	"$USER_CLEANUP" || return 1    fi}
err_out(){    post_checks    exit 1}
int_out(){    post_checks    trap - INT    kill -INT $$}
is_staging(){    local main_domain="$1"
    grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"    return $?}
issue_cert(){    local section="$1"    local acme_args=    local debug=    local enabled    local use_staging    local update_uhttpd    local update_nginx    local update_haproxy    local keylength    local domains    local main_domain    local failed_dir    local webroot    local dns    local user_setup    local user_cleanup    local ret    local staging=    local HOOK=
    config_get_bool enabled "$section" enabled 0    config_get_bool use_staging "$section" use_staging    config_get_bool update_uhttpd "$section" update_uhttpd    config_get_bool update_nginx "$section" update_nginx    config_get_bool update_haproxy "$section" update_haproxy    config_get domains "$section" domains    config_get keylength "$section" keylength    config_get webroot "$section" webroot    config_get dns "$section" dns    config_get user_setup "$section" user_setup    config_get user_cleanup "$section" user_cleanup
    UPDATE_NGINX=$update_nginx    UPDATE_UHTTPD=$update_uhttpd    UPDATE_HAPROXY=$update_haproxy    USER_CLEANUP=$user_cleanup
    [ "$enabled" -eq "1" ] || return
    if [ "$APP" = "uacme" ]; then	[ "$DEBUG" -eq "1" ] && debug="--verbose --verbose"    elif [ "$APP" = "acme" ]; then	[ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"    fi    [ "$use_staging" -eq "1" ] && STATE_DIR="$STAGING_STATE_DIR" && staging="--staging"
    set -- $domains    main_domain=$1
    if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then	log "Running user-provided setup script from $user_setup."	"$user_setup" "$main_domain" || return 1    else	[ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1    fi
    log "Running $APP for $main_domain"
    if [ "$APP" = "uacme" ]; then	if [ ! -f  "$STATE_DIR/private/key.pem" ]; then	    log "Create a new ACME account with email $ACCOUNT_EMAIL use staging=$use_staging"	    $ACME $debug --confdir "$STATE_DIR" $staging --yes new $ACCOUNT_EMAIL	fi
	if [ -f "$STATE_DIR/$main_domain/cert.pem" ]; then	    log "Found previous cert config, use staging=$use_staging. Issuing renew."	    export CHALLENGE_PATH="$webroot"	    $ACME $debug --confdir "$STATE_DIR" $staging --never-create issue $domains --hook=$HPROGRAM && ret=0 || ret=1	    post_checks	    return $ret	fi    fi    if [ "$APP" = "acme" ]; then	handle_credentials() {	    local credential="$1"	    eval export "$credential"	}	config_list_foreach "$section" credentials handle_credentials
	if [ -e "$STATE_DIR/$main_domain" ]; then	    if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then		log "Found previous cert issued using staging server. Moving it out of the way."		mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"	    else		log "Found previous cert config. Issuing renew."		$ACME --home "$STATE_DIR" --renew -d "$main_domain" "$acme_args" && ret=0 || ret=1		post_checks		return $ret	    fi	fi    fi
    acme_args="$acme_args --bits $keylength"    acme_args="$acme_args $(for d in $domains; do echo -n " $d "; done)"    if [ "$APP" = "acme" ]; then	[ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"	[ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"    fi    if [ -n "$dns" ]; then#TO-DO	if [ "$APP" = "acme" ]; then	    log "Using dns mode"	    acme_args="$acme_args --dns $dns"	else	    log "Using dns mode, dns-01 is not wrapped yet"	    return 1#	    uacme_args="$uacme_args --dns $dns"	fi    elif [ -z "$webroot" ]; then	if [ "$APP" = "acme" ]; then	    log "Using standalone mode"	    acme_args="$acme_args --standalone --listen-v6"	else	    log "Standalone not supported by $APP"	    return 1	fi    else	if [ ! -d "$webroot" ]; then	    err "$main_domain: Webroot dir '$webroot' does not exist!"	    post_checks	    return 1	fi	log "Using webroot dir: $webroot"	if [ "$APP" = "uacme" ]; then	    export CHALLENGE_PATH="$webroot"	else	    acme_args="$acme_args --webroot $webroot"	fi    fi
    if [ "$APP" = "uacme" ]; then	workdir="--confdir"	HOOK="--hook=$HPROGRAM"    else	workdir="--home"    fi    if ! $ACME $debug $workdir "$STATE_DIR" $staging issue $acme_args $HOOK; then	failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"	err "Issuing cert for $main_domain failed. Moving state to $failed_dir"	[ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"	[ -d "$STATE_DIR/private/$main_domain" ] && mv "$STATE_DIR/private/$main_domain" "$failed_dir"	post_checks	return 1    fi
    if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then	if [ "$APP" = "uacme" ]; then	    uci set uhttpd.main.key="$STATE_DIR/private/${main_domain}/key.pem"	    uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/cert.pem"	else	    uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"	    uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"	fi	# commit and reload is in post_checks    fi
    local nginx_updated    nginx_updated=0    if command -v nginx-util 2>/dev/null && [ "$update_nginx" -eq "1" ]; then	nginx_updated=1	for domain in $domains; do	    if [ "$APP" = "uacme" ]; then		nginx-util add_ssl "${domain}" uacme "$STATE_DIR/${main_domain}/cert.pem" \
		    "$STATE_DIR/private/${main_domain}/key.pem" || nginx_updated=0	    else		nginx-util add_ssl "${domain}" acme "$STATE_DIR/${main_domain}/fullchain.cer" \
		    "$STATE_DIR/${main_domain}/${main_domain}.key" || nginx_updated=0	    fi	done	# reload is in post_checks    fi
    if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then	if [ "$APP" = "uacme" ]; then	    sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/cert.pem;#g" /etc/nginx/nginx.conf	    sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/private/${main_domain}/key.pem;#g" /etc/nginx/nginx.conf	else	    sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/fullchain.cer;#g" /etc/nginx/nginx.conf	    sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/${main_domain}/${main_domain}.key;#g" /etc/nginx/nginx.conf	fi	# commit and reload is in post_checks    fi
    if [ -e /etc/init.d/haproxy ] && [ "$update_haproxy" -eq 1 ]; then	if [ "$APP" = "uacme" ]; then	    cat $STATE_DIR/${main_domain}/cert.pem $STATE_DIR/private/${main_domain}/key.pem > $STATE_DIR/${main_domain}/full_haproxy.pem	else	    cat $STATE_DIR/${main_domain}/fullchain.cer $STATE_DIR/${main_domain}/${main_domain}.key > $STATE_DIR/${main_domain}/full_haproxy.pem	fi    fi
    post_checks}
load_vars(){    local section="$1"
    STATE_DIR=$(config_get "$section" state_dir)    STAGING_STATE_DIR=$STATE_DIR/staging    ACCOUNT_EMAIL=$(config_get "$section" account_email)    DEBUG=$(config_get "$section" debug)}
check_cron[ -n "$CHECK_CRON" ] && exit 0[ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
config_load acmeconfig_foreach load_vars acme
if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then    err "state_dir and account_email must be set"    exit 1fi
[ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"[ -d "$STAGING_STATE_DIR" ] || mkdir -p "$STAGING_STATE_DIR"
trap err_out HUP TERMtrap int_out INT
config_foreach issue_cert cert
exit 0