You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

393 lines
10 KiB

  1. #!/bin/sh
  2. # Wrapper for acme.sh to work on openwrt.
  3. #
  4. # This program is free software; you can redistribute it and/or modify it under
  5. # the terms of the GNU General Public License as published by the Free Software
  6. # Foundation; either version 3 of the License, or (at your option) any later
  7. # version.
  8. #
  9. # Author: Toke Høiland-Jørgensen <toke@toke.dk>
  10. CHECK_CRON=$1
  11. ACME=/usr/lib/acme/acme.sh
  12. export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
  13. export NO_TIMESTAMP=1
  14. UHTTPD_LISTEN_HTTP=
  15. STATE_DIR='/etc/acme'
  16. ACCOUNT_EMAIL=
  17. DEBUG=0
  18. NGINX_WEBSERVER=0
  19. UPDATE_NGINX=0
  20. UPDATE_UHTTPD=0
  21. UPDATE_HAPROXY=0
  22. USER_CLEANUP=
  23. . /lib/functions.sh
  24. check_cron() {
  25. [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
  26. echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
  27. /etc/init.d/cron start
  28. }
  29. log() {
  30. logger -t acme -s -p daemon.info -- "$@"
  31. }
  32. err() {
  33. logger -t acme -s -p daemon.err -- "$@"
  34. }
  35. debug() {
  36. [ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug -- "$@"
  37. }
  38. get_listeners() {
  39. local proto rq sq listen remote state program
  40. netstat -nptl 2> /dev/null | while read -r proto rq sq listen remote state program; do
  41. case "$proto#$listen#$program" in
  42. tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
  43. esac
  44. done
  45. }
  46. run_acme() {
  47. debug "Running acme.sh as '$ACME $*'"
  48. $ACME "$@"
  49. }
  50. pre_checks() {
  51. main_domain="$1"
  52. log "Running pre checks for $main_domain."
  53. listeners="$(get_listeners)"
  54. debug "port80 listens: $listeners"
  55. for listener in $(get_listeners); do
  56. pid="${listener%/*}"
  57. cmd="$(basename $(readlink /proc/$pid/exe))"
  58. case "$cmd" in
  59. uhttpd)
  60. if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
  61. debug "Already handled uhttpd; skipping"
  62. continue
  63. fi
  64. debug "Found uhttpd listening on port 80; trying to disable."
  65. UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
  66. if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
  67. err "$main_domain: Unable to find uhttpd listen config."
  68. err "Manually disable uhttpd or set webroot to continue."
  69. return 1
  70. fi
  71. uci set uhttpd.main.listen_http=''
  72. uci commit uhttpd || return 1
  73. if ! /etc/init.d/uhttpd reload; then
  74. uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  75. uci commit uhttpd
  76. return 1
  77. fi
  78. ;;
  79. nginx)
  80. if [ "$NGINX_WEBSERVER" -eq "1" ]; then
  81. debug "Already handled nginx; skipping"
  82. continue
  83. fi
  84. debug "Found nginx listening on port 80; trying to disable."
  85. NGINX_WEBSERVER=1
  86. local tries=0
  87. while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
  88. /etc/init.d/nginx stop
  89. if [ $tries -gt 10 ]; then
  90. debug "Can't stop nginx. Terminating script."
  91. return 1
  92. fi
  93. debug "Waiting for nginx to stop..."
  94. tries=$((tries + 1))
  95. sleep 1
  96. done
  97. ;;
  98. "")
  99. debug "Nothing listening on port 80."
  100. ;;
  101. *)
  102. err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80."
  103. err "Disable other daemon or set webroot to continue."
  104. return 1
  105. ;;
  106. esac
  107. done
  108. iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  109. ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  110. debug "v4 input_rule: $(iptables -nvL input_rule)"
  111. debug "v6 input_rule: $(ip6tables -nvL input_rule)"
  112. return 0
  113. }
  114. post_checks() {
  115. log "Running post checks (cleanup)."
  116. # The comment ensures we only touch our own rules. If no rules exist, that
  117. # is fine, so hide any errors
  118. iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
  119. ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
  120. if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then
  121. if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
  122. uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  123. UHTTPD_LISTEN_HTTP=
  124. fi
  125. uci commit uhttpd
  126. /etc/init.d/uhttpd restart
  127. fi
  128. if [ -e /etc/init.d/nginx ] && { [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; }; then
  129. NGINX_WEBSERVER=0
  130. /etc/init.d/nginx restart
  131. fi
  132. if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ] ; then
  133. /etc/init.d/haproxy restart
  134. fi
  135. if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then
  136. log "Running user-provided cleanup script from $USER_CLEANUP."
  137. "$USER_CLEANUP" || return 1
  138. fi
  139. }
  140. err_out() {
  141. post_checks
  142. exit 1
  143. }
  144. int_out() {
  145. post_checks
  146. trap - INT
  147. kill -INT $$
  148. }
  149. is_staging() {
  150. local main_domain
  151. local domain_dir
  152. main_domain="$1"
  153. domain_dir="$2"
  154. grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"
  155. return $?
  156. }
  157. issue_cert() {
  158. local section="$1"
  159. local acme_args=
  160. local enabled
  161. local use_staging
  162. local update_uhttpd
  163. local update_nginx
  164. local update_haproxy
  165. local keylength
  166. local keylength_ecc=0
  167. local domains
  168. local main_domain
  169. local moved_staging=0
  170. local failed_dir
  171. local webroot
  172. local dns
  173. local user_setup
  174. local user_cleanup
  175. local ret
  176. local domain_dir
  177. local acme_server
  178. local days
  179. config_get_bool enabled "$section" enabled 0
  180. config_get_bool use_staging "$section" use_staging
  181. config_get_bool update_uhttpd "$section" update_uhttpd
  182. config_get_bool update_nginx "$section" update_nginx
  183. config_get_bool update_haproxy "$section" update_haproxy
  184. config_get calias "$section" calias
  185. config_get dalias "$section" dalias
  186. config_get domains "$section" domains
  187. config_get keylength "$section" keylength
  188. config_get webroot "$section" webroot
  189. config_get dns "$section" dns
  190. config_get user_setup "$section" user_setup
  191. config_get user_cleanup "$section" user_cleanup
  192. config_get acme_server "$section" acme_server
  193. config_get days "$section" days
  194. UPDATE_NGINX=$update_nginx
  195. UPDATE_UHTTPD=$update_uhttpd
  196. UPDATE_HAPROXY=$update_haproxy
  197. USER_CLEANUP=$user_cleanup
  198. [ "$enabled" -eq "1" ] || return
  199. [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
  200. set -- $domains
  201. main_domain=$1
  202. if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then
  203. log "Running user-provided setup script from $user_setup."
  204. "$user_setup" "$main_domain" || return 1
  205. else
  206. [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1
  207. fi
  208. if echo "$keylength" | grep -q "^ec-"; then
  209. domain_dir="$STATE_DIR/${main_domain}_ecc"
  210. keylength_ecc=1
  211. else
  212. domain_dir="$STATE_DIR/${main_domain}"
  213. fi
  214. log "Running ACME for $main_domain"
  215. handle_credentials() {
  216. local credential="$1"
  217. eval export $credential
  218. }
  219. config_list_foreach "$section" credentials handle_credentials
  220. if [ -e "$domain_dir" ]; then
  221. if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then
  222. log "Found previous cert issued using staging server. Moving it out of the way."
  223. mv "$domain_dir" "${domain_dir}.staging"
  224. moved_staging=1
  225. else
  226. log "Found previous cert config. Issuing renew."
  227. [ "$keylength_ecc" -eq "1" ] && acme_args="$acme_args --ecc"
  228. run_acme --home "$STATE_DIR" --renew -d "$main_domain" $acme_args && ret=0 || ret=1
  229. post_checks
  230. return $ret
  231. fi
  232. fi
  233. acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
  234. acme_args="$acme_args --keylength $keylength"
  235. [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
  236. if [ -n "$acme_server" ]; then
  237. log "Using custom ACME server URL"
  238. acme_args="$acme_args --server $acme_server"
  239. else
  240. # default to letsencrypt because the upstream default may change
  241. if [ "$use_staging" -eq "1" ]; then
  242. acme_args="$acme_args --server letsencrypt_test"
  243. else
  244. acme_args="$acme_args --server letsencrypt"
  245. fi
  246. fi
  247. if [ -n "$days" ]; then
  248. log "Renewing after $days days"
  249. acme_args="$acme_args --days $days"
  250. fi
  251. if [ -n "$dns" ]; then
  252. log "Using dns mode"
  253. acme_args="$acme_args --dns $dns"
  254. if [ -n "$dalias" ]; then
  255. log "Using domain alias for dns mode"
  256. acme_args="$acme_args --domain-alias $dalias"
  257. if [ -n "$calias" ]; then
  258. err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
  259. fi
  260. elif [ -n "$calias" ]; then
  261. log "Using challenge alias for dns mode"
  262. acme_args="$acme_args --challenge-alias $calias"
  263. fi
  264. elif [ -z "$webroot" ]; then
  265. log "Using standalone mode"
  266. acme_args="$acme_args --standalone --listen-v6"
  267. else
  268. if [ ! -d "$webroot" ]; then
  269. err "$main_domain: Webroot dir '$webroot' does not exist!"
  270. post_checks
  271. return 1
  272. fi
  273. log "Using webroot dir: $webroot"
  274. acme_args="$acme_args --webroot $webroot"
  275. fi
  276. if ! run_acme --home "$STATE_DIR" --issue $acme_args; then
  277. failed_dir="${domain_dir}.failed-$(date +%s)"
  278. err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
  279. [ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"
  280. if [ "$moved_staging" -eq "1" ]; then
  281. err "Restoring staging certificate"
  282. mv "${domain_dir}.staging" "${domain_dir}"
  283. fi
  284. post_checks
  285. return 1
  286. fi
  287. if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
  288. uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"
  289. uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"
  290. # commit and reload is in post_checks
  291. fi
  292. local nginx_updated
  293. nginx_updated=0
  294. if command -v nginx-util 2> /dev/null && [ "$update_nginx" -eq "1" ]; then
  295. nginx_updated=1
  296. for domain in $domains; do
  297. nginx-util add_ssl "${domain}" acme "${domain_dir}/fullchain.cer" \
  298. "${domain_dir}/${main_domain}.key" || nginx_updated=0
  299. done
  300. # reload is in post_checks
  301. fi
  302. if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then
  303. sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf
  304. sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf
  305. # commit and reload is in post_checks
  306. fi
  307. if [ -e /etc/init.d/haproxy ] && [ -w /etc/haproxy.cfg ] && [ "$update_haproxy" -eq "1" ]; then
  308. cat "${domain_dir}/${main_domain}.key" "${domain_dir}/fullchain.cer" > "${domain_dir}/${main_domain}-haproxy.pem"
  309. sed -i "s#bind :::443 v4v6 ssl crt .* alpn#bind :::443 v4v6 ssl crt ${domain_dir}/${main_domain}-haproxy.pem alpn#g" /etc/haproxy.cfg
  310. # commit and reload is in post_checks
  311. fi
  312. post_checks
  313. }
  314. load_vars() {
  315. local section="$1"
  316. STATE_DIR=$(config_get "$section" state_dir)
  317. ACCOUNT_EMAIL=$(config_get "$section" account_email)
  318. DEBUG=$(config_get "$section" debug)
  319. }
  320. check_cron
  321. [ -n "$CHECK_CRON" ] && exit 0
  322. [ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
  323. config_load acme
  324. config_foreach load_vars acme
  325. if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
  326. err "state_dir and account_email must be set"
  327. exit 1
  328. fi
  329. [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
  330. trap err_out HUP TERM
  331. trap int_out INT
  332. config_foreach issue_cert cert
  333. exit 0