You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

508 lines
14 KiB

  1. #!/bin/sh
  2. # Wrapper for uacme to work on openwrt.
  3. #
  4. # This program is free software; you can redistribute it and/or modify it under
  5. # the terms of the GNU General Public License as published by the Free Software
  6. # Foundation; either version 3 of the License, or (at your option) any later
  7. # version.
  8. #
  9. # Initial Author: Toke Høiland-Jørgensen <toke@toke.dk>
  10. # Adapted for uacme: Lucian Cristian <lucian.cristian@gmail.com>
  11. CHECK_CRON=$1
  12. #check for installed packages, for now, support only one
  13. if [ -e "/usr/lib/acme/acme.sh" ]; then
  14. ACME=/usr/lib/acme/acme.sh
  15. APP=acme
  16. elif [ -e "/usr/sbin/uacme" ]; then
  17. ACME=/usr/sbin/uacme
  18. HPROGRAM=/usr/share/uacme/uacme.sh
  19. APP=uacme
  20. else
  21. echo "Please install ACME or uACME package"
  22. return 1
  23. fi
  24. export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
  25. export NO_TIMESTAMP=1
  26. UHTTPD_LISTEN_HTTP=
  27. PRODUCTION_STATE_DIR='/etc/acme'
  28. STAGING_STATE_DIR='/etc/acme/staging'
  29. ACCOUNT_EMAIL=
  30. DEBUG=0
  31. NGINX_WEBSERVER=0
  32. UPDATE_NGINX=0
  33. UPDATE_UHTTPD=0
  34. UPDATE_HAPROXY=0
  35. USER_CLEANUP=
  36. . /lib/functions.sh
  37. check_cron()
  38. {
  39. [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
  40. echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
  41. /etc/init.d/cron start
  42. }
  43. log()
  44. {
  45. logger -t $APP -s -p daemon.info "$@"
  46. }
  47. err()
  48. {
  49. logger -t $APP -s -p daemon.err "$@"
  50. }
  51. debug()
  52. {
  53. [ "$DEBUG" -eq "1" ] && logger -t $APP -s -p daemon.debug "$@"
  54. }
  55. get_listeners() {
  56. local proto rq sq listen remote state program
  57. netstat -nptl 2>/dev/null | while read proto listen program; do
  58. case "$proto#$listen#$program" in
  59. tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
  60. esac
  61. done
  62. }
  63. pre_checks()
  64. {
  65. main_domain="$1"
  66. log "Running pre checks for $main_domain."
  67. listeners="$(get_listeners)"
  68. debug "port80 listens: $listeners"
  69. for listener in $(get_listeners); do
  70. pid="${listener%/*}"
  71. cmd="${listener#*/}"
  72. case "$cmd" in
  73. uhttpd)
  74. debug "Found uhttpd listening on port 80"
  75. if [ "$APP" = "acme" ]; then
  76. UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
  77. if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
  78. err "$main_domain: Unable to find uhttpd listen config."
  79. err "Manually disable uhttpd or set webroot to continue."
  80. return 1
  81. fi
  82. uci set uhttpd.main.listen_http=''
  83. uci commit uhttpd || return 1
  84. if ! /etc/init.d/uhttpd reload ; then
  85. uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  86. uci commit uhttpd
  87. return 1
  88. fi
  89. fi
  90. ;;
  91. nginx*)
  92. debug "Found nginx listening on port 80"
  93. NGINX_WEBSERVER=1
  94. if [ "$APP" = "acme" ]; then
  95. local tries=0
  96. while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
  97. /etc/init.d/nginx stop
  98. if [ $tries -gt 10 ]; then
  99. debug "Can't stop nginx. Terminating script."
  100. return 1
  101. fi
  102. debug "Waiting for nginx to stop..."
  103. tries=$((tries + 1))
  104. sleep 1
  105. done
  106. fi
  107. ;;
  108. "")
  109. err "Nothing listening on port 80."
  110. err "Standalone mode not supported, setup uhttpd or nginx"
  111. return 1
  112. ;;
  113. *)
  114. err "$main_domain: unsupported (apache/haproxy?) daemon is listening on port 80."
  115. err "if webroot is set on your current webserver comment line 132 (return 1) from this script."
  116. return 1
  117. ;;
  118. esac
  119. done
  120. iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  121. debug "v4 input_rule: $(iptables -nvL input_rule)"
  122. if [ -e "/usr/sbin/ip6tables" ]; then
  123. ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  124. debug "v6 input_rule: $(ip6tables -nvL input_rule)"
  125. fi
  126. return 0
  127. }
  128. post_checks()
  129. {
  130. log "Running post checks (cleanup)."
  131. # The comment ensures we only touch our own rules. If no rules exist, that
  132. # is fine, so hide any errors
  133. iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
  134. if [ -e "/usr/sbin/ip6tables" ]; then
  135. ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
  136. fi
  137. if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then
  138. uci commit uhttpd
  139. /etc/init.d/uhttpd reload
  140. log "Restarting uhttpd..."
  141. fi
  142. if [ -e /etc/init.d/nginx ] && ( [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; ); then
  143. NGINX_WEBSERVER=0
  144. /etc/init.d/nginx restart
  145. log "Restarting nginx..."
  146. fi
  147. if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ]; then
  148. /etc/init.d/haproxy restart
  149. log "Restarting haproxy..."
  150. fi
  151. if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then
  152. log "Running user-provided cleanup script from $USER_CLEANUP."
  153. "$USER_CLEANUP" || return 1
  154. fi
  155. }
  156. err_out()
  157. {
  158. post_checks
  159. exit 1
  160. }
  161. int_out()
  162. {
  163. post_checks
  164. trap - INT
  165. kill -INT $$
  166. }
  167. is_staging()
  168. {
  169. local main_domain="$1"
  170. grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
  171. return $?
  172. }
  173. issue_cert()
  174. {
  175. local section="$1"
  176. local acme_args=
  177. local debug=
  178. local enabled
  179. local use_staging
  180. local update_uhttpd
  181. local update_nginx
  182. local update_haproxy
  183. local keylength
  184. local domains
  185. local main_domain
  186. local failed_dir
  187. local webroot
  188. local dns
  189. local user_setup
  190. local user_cleanup
  191. local ret
  192. local staging=
  193. local HOOK=
  194. # reload uci values, as the value of use_staging may have changed
  195. config_load acme
  196. config_get_bool enabled "$section" enabled 0
  197. config_get_bool use_staging "$section" use_staging
  198. config_get_bool update_uhttpd "$section" update_uhttpd
  199. config_get_bool update_nginx "$section" update_nginx
  200. config_get_bool update_haproxy "$section" update_haproxy
  201. config_get domains "$section" domains
  202. config_get keylength "$section" keylength
  203. config_get webroot "$section" webroot
  204. config_get dns "$section" dns
  205. config_get user_setup "$section" user_setup
  206. config_get user_cleanup "$section" user_cleanup
  207. UPDATE_NGINX=$update_nginx
  208. UPDATE_UHTTPD=$update_uhttpd
  209. UPDATE_HAPROXY=$update_haproxy
  210. USER_CLEANUP=$user_cleanup
  211. [ "$enabled" -eq "1" ] || return 0
  212. if [ "$APP" = "uacme" ]; then
  213. [ "$DEBUG" -eq "1" ] && debug="--verbose --verbose"
  214. elif [ "$APP" = "acme" ]; then
  215. [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
  216. fi
  217. if [ "$use_staging" -eq "1" ]; then
  218. STATE_DIR="$STAGING_STATE_DIR";
  219. staging="--staging";
  220. else
  221. STATE_DIR="$PRODUCTION_STATE_DIR";
  222. staging="";
  223. fi
  224. set -- $domains
  225. main_domain=$1
  226. if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then
  227. log "Running user-provided setup script from $user_setup."
  228. "$user_setup" "$main_domain" || return 2
  229. else
  230. [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 2
  231. fi
  232. log "Running $APP for $main_domain"
  233. if [ "$APP" = "uacme" ]; then
  234. if [ ! -f "$STATE_DIR/private/key.pem" ]; then
  235. log "Create a new ACME account with email $ACCOUNT_EMAIL use staging=$use_staging"
  236. $ACME $debug --confdir "$STATE_DIR" $staging --yes new $ACCOUNT_EMAIL
  237. fi
  238. if [ -f "$STATE_DIR/$main_domain/cert.pem" ]; then
  239. log "Found previous cert config, use staging=$use_staging. Issuing renew."
  240. export CHALLENGE_PATH="$webroot"
  241. $ACME $debug --confdir "$STATE_DIR" $staging --never-create issue $domains --hook=$HPROGRAM; ret=$?
  242. post_checks
  243. return $ret
  244. fi
  245. fi
  246. if [ "$APP" = "acme" ]; then
  247. handle_credentials() {
  248. local credential="$1"
  249. eval export "$credential"
  250. }
  251. config_list_foreach "$section" credentials handle_credentials
  252. if [ -e "$STATE_DIR/$main_domain" ]; then
  253. if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
  254. log "Found previous cert issued using staging server. Moving it out of the way."
  255. mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
  256. else
  257. log "Found previous cert config. Issuing renew."
  258. $ACME --home "$STATE_DIR" --renew -d "$main_domain" "$acme_args"; ret=$?
  259. post_checks
  260. return $ret
  261. fi
  262. fi
  263. fi
  264. acme_args="$acme_args --bits $keylength"
  265. acme_args="$acme_args $(for d in $domains; do echo -n " $d "; done)"
  266. if [ "$APP" = "acme" ]; then
  267. [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
  268. [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
  269. fi
  270. if [ -n "$dns" ]; then
  271. #TO-DO
  272. if [ "$APP" = "acme" ]; then
  273. log "Using dns mode"
  274. acme_args="$acme_args --dns $dns"
  275. else
  276. log "Using dns mode, dns-01 is not wrapped yet"
  277. return 2
  278. # uacme_args="$uacme_args --dns $dns"
  279. fi
  280. elif [ -z "$webroot" ]; then
  281. if [ "$APP" = "acme" ]; then
  282. log "Using standalone mode"
  283. acme_args="$acme_args --standalone --listen-v6"
  284. else
  285. log "Standalone not supported by $APP"
  286. return 2
  287. fi
  288. else
  289. if [ ! -d "$webroot" ]; then
  290. err "$main_domain: Webroot dir '$webroot' does not exist!"
  291. post_checks
  292. return 2
  293. fi
  294. log "Using webroot dir: $webroot"
  295. if [ "$APP" = "uacme" ]; then
  296. export CHALLENGE_PATH="$webroot"
  297. else
  298. acme_args="$acme_args --webroot $webroot"
  299. fi
  300. fi
  301. if [ "$APP" = "uacme" ]; then
  302. workdir="--confdir"
  303. HOOK="--hook=$HPROGRAM"
  304. else
  305. workdir="--home"
  306. fi
  307. $ACME $debug $workdir "$STATE_DIR" $staging issue $acme_args $HOOK; ret=$?
  308. if [ "$ret" -ne 0 ]; then
  309. failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
  310. err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
  311. [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
  312. [ -d "$STATE_DIR/private/$main_domain" ] && mv "$STATE_DIR/private/$main_domain" "$failed_dir"
  313. post_checks
  314. return $ret
  315. fi
  316. if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
  317. if [ "$APP" = "uacme" ]; then
  318. uci set uhttpd.main.key="$STATE_DIR/private/${main_domain}/key.pem"
  319. uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/cert.pem"
  320. else
  321. uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"
  322. uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"
  323. fi
  324. # commit and reload is in post_checks
  325. fi
  326. local nginx_updated
  327. nginx_updated=0
  328. if command -v nginx-util 2>/dev/null && [ "$update_nginx" -eq "1" ]; then
  329. nginx_updated=1
  330. for domain in $domains; do
  331. if [ "$APP" = "uacme" ]; then
  332. nginx-util add_ssl "${domain}" uacme "$STATE_DIR/${main_domain}/cert.pem" \
  333. "$STATE_DIR/private/${main_domain}/key.pem" || nginx_updated=0
  334. else
  335. nginx-util add_ssl "${domain}" acme "$STATE_DIR/${main_domain}/fullchain.cer" \
  336. "$STATE_DIR/${main_domain}/${main_domain}.key" || nginx_updated=0
  337. fi
  338. done
  339. # reload is in post_checks
  340. fi
  341. if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then
  342. if [ "$APP" = "uacme" ]; then
  343. sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/cert.pem;#g" /etc/nginx/nginx.conf
  344. sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/private/${main_domain}/key.pem;#g" /etc/nginx/nginx.conf
  345. else
  346. sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/fullchain.cer;#g" /etc/nginx/nginx.conf
  347. sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/${main_domain}/${main_domain}.key;#g" /etc/nginx/nginx.conf
  348. fi
  349. # commit and reload is in post_checks
  350. fi
  351. if [ -e /etc/init.d/haproxy ] && [ "$update_haproxy" -eq 1 ]; then
  352. if [ "$APP" = "uacme" ]; then
  353. cat $STATE_DIR/${main_domain}/cert.pem $STATE_DIR/private/${main_domain}/key.pem > $STATE_DIR/${main_domain}/full_haproxy.pem
  354. else
  355. cat $STATE_DIR/${main_domain}/fullchain.cer $STATE_DIR/${main_domain}/${main_domain}.key > $STATE_DIR/${main_domain}/full_haproxy.pem
  356. fi
  357. fi
  358. post_checks
  359. }
  360. issue_cert_with_retries() {
  361. local section="$1"
  362. local use_staging
  363. local retries
  364. local use_auto_staging
  365. local infinite_retries
  366. config_get_bool use_staging "$section" use_staging
  367. config_get_bool use_auto_staging "$section" use_auto_staging
  368. config_get_bool enabled "$section" enabled
  369. config_get retries "$section" retries
  370. [ -z "$retries" ] && retries=1
  371. [ -z "$use_auto_staging" ] && use_auto_staging=0
  372. [ "$retries" -eq "0" ] && infinite_retries=1
  373. [ "$enabled" -eq "1" ] || return 0
  374. while true; do
  375. issue_cert "$1"; ret=$?
  376. if [ "$ret" -eq "2" ]; then
  377. # An error occurred while retrieving the certificate.
  378. retries="$((retries-1))"
  379. if [ "$use_auto_staging" -eq "1" ] && [ "$use_staging" -eq "0" ]; then
  380. log "Production certificate could not be obtained. Switching to staging server."
  381. use_staging=1
  382. uci set "acme.$1.use_staging=1"
  383. uci commit acme
  384. fi
  385. if [ -z "$infinite_retries" ] && [ "$retries" -lt "1" ]; then
  386. log "An error occurred while retrieving the certificate. Retries exceeded."
  387. return "$ret"
  388. fi
  389. if [ "$use_staging" -eq "1" ]; then
  390. # The "Failed Validations" limit of LetsEncrypt is 60 per hour. This
  391. # means one failure every minute. Here we wait 2 minutes to be within
  392. # limits for sure.
  393. sleeptime=120
  394. else
  395. # There is a "Failed Validation" limit of LetsEncrypt is 5 failures per
  396. # account, per hostname, per hour. This means one failure every 12
  397. # minutes. Here we wait 25 minutes to be within limits for sure.
  398. sleeptime=1500
  399. fi
  400. log "An error occurred while retrieving the certificate. Retrying in $sleeptime seconds."
  401. sleep "$sleeptime"
  402. continue
  403. else
  404. if [ "$use_auto_staging" -eq "1" ]; then
  405. if [ "$use_staging" -eq "0" ]; then
  406. log "Production certificate obtained. Exiting."
  407. else
  408. log "Staging certificate obtained. Continuing with production server."
  409. use_staging=0
  410. uci set "acme.$1.use_staging=0"
  411. uci commit acme
  412. continue
  413. fi
  414. fi
  415. return "$ret"
  416. fi
  417. done
  418. }
  419. load_vars()
  420. {
  421. local section="$1"
  422. PRODUCTION_STATE_DIR=$(config_get "$section" state_dir)
  423. STAGING_STATE_DIR=$PRODUCTION_STATE_DIR/staging
  424. ACCOUNT_EMAIL=$(config_get "$section" account_email)
  425. DEBUG=$(config_get "$section" debug)
  426. }
  427. if [ -z "$INCLUDE_ONLY" ]; then
  428. check_cron
  429. [ -n "$CHECK_CRON" ] && exit 0
  430. [ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
  431. fi
  432. config_load acme
  433. config_foreach load_vars acme
  434. if [ -z "$PRODUCTION_STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
  435. err "state_dir and account_email must be set"
  436. exit 1
  437. fi
  438. [ -d "$PRODUCTION_STATE_DIR" ] || mkdir -p "$PRODUCTION_STATE_DIR"
  439. [ -d "$STAGING_STATE_DIR" ] || mkdir -p "$STAGING_STATE_DIR"
  440. trap err_out HUP TERM
  441. trap int_out INT
  442. if [ -z "$INCLUDE_ONLY" ]; then
  443. config_foreach issue_cert_with_retries cert
  444. exit 0
  445. fi