You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

386 lines
9.7 KiB

  1. #!/bin/sh
  2. # Wrapper for acme.sh to work on openwrt.
  3. #
  4. # This program is free software; you can redistribute it and/or modify it under
  5. # the terms of the GNU General Public License as published by the Free Software
  6. # Foundation; either version 3 of the License, or (at your option) any later
  7. # version.
  8. #
  9. # Author: Toke Høiland-Jørgensen <toke@toke.dk>
  10. CHECK_CRON=$1
  11. ACME=/usr/lib/acme/acme.sh
  12. export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
  13. export NO_TIMESTAMP=1
  14. UHTTPD_LISTEN_HTTP=
  15. STATE_DIR='/etc/acme'
  16. ACCOUNT_EMAIL=
  17. DEBUG=0
  18. NGINX_WEBSERVER=0
  19. UPDATE_NGINX=0
  20. UPDATE_UHTTPD=0
  21. USER_CLEANUP=
  22. . /lib/functions.sh
  23. check_cron()
  24. {
  25. [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
  26. echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
  27. /etc/init.d/cron start
  28. }
  29. log()
  30. {
  31. logger -t acme -s -p daemon.info -- "$@"
  32. }
  33. err()
  34. {
  35. logger -t acme -s -p daemon.err -- "$@"
  36. }
  37. debug()
  38. {
  39. [ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug -- "$@"
  40. }
  41. get_listeners() {
  42. local proto rq sq listen remote state program
  43. netstat -nptl 2>/dev/null | while read proto rq sq listen remote state program; do
  44. case "$proto#$listen#$program" in
  45. tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
  46. esac
  47. done
  48. }
  49. run_acme()
  50. {
  51. debug "Running acme.sh as '$ACME $@'"
  52. $ACME "$@"
  53. }
  54. pre_checks()
  55. {
  56. main_domain="$1"
  57. log "Running pre checks for $main_domain."
  58. listeners="$(get_listeners)"
  59. debug "port80 listens: $listeners"
  60. for listener in $(get_listeners); do
  61. pid="${listener%/*}"
  62. cmd="${listener#*/}"
  63. case "$cmd" in
  64. uhttpd)
  65. if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
  66. debug "Already handled uhttpd; skipping"
  67. continue
  68. fi
  69. debug "Found uhttpd listening on port 80; trying to disable."
  70. UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
  71. if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
  72. err "$main_domain: Unable to find uhttpd listen config."
  73. err "Manually disable uhttpd or set webroot to continue."
  74. return 1
  75. fi
  76. uci set uhttpd.main.listen_http=''
  77. uci commit uhttpd || return 1
  78. if ! /etc/init.d/uhttpd reload ; then
  79. uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  80. uci commit uhttpd
  81. return 1
  82. fi
  83. ;;
  84. nginx*)
  85. if [ "$NGINX_WEBSERVER" -eq "1" ]; then
  86. debug "Already handled nginx; skipping"
  87. continue
  88. fi
  89. debug "Found nginx listening on port 80; trying to disable."
  90. NGINX_WEBSERVER=1
  91. local tries=0
  92. while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
  93. /etc/init.d/nginx stop
  94. if [ $tries -gt 10 ]; then
  95. debug "Can't stop nginx. Terminating script."
  96. return 1
  97. fi
  98. debug "Waiting for nginx to stop..."
  99. tries=$((tries + 1))
  100. sleep 1
  101. done
  102. ;;
  103. "")
  104. debug "Nothing listening on port 80."
  105. ;;
  106. *)
  107. err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80."
  108. err "Disable other daemon or set webroot to continue."
  109. return 1
  110. ;;
  111. esac
  112. done
  113. iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  114. ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
  115. debug "v4 input_rule: $(iptables -nvL input_rule)"
  116. debug "v6 input_rule: $(ip6tables -nvL input_rule)"
  117. return 0
  118. }
  119. post_checks()
  120. {
  121. log "Running post checks (cleanup)."
  122. # The comment ensures we only touch our own rules. If no rules exist, that
  123. # is fine, so hide any errors
  124. iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
  125. ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
  126. if [ -e /etc/init.d/uhttpd ] && ( [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ] ); then
  127. if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
  128. uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
  129. UHTTPD_LISTEN_HTTP=
  130. fi
  131. uci commit uhttpd
  132. /etc/init.d/uhttpd reload
  133. fi
  134. if [ -e /etc/init.d/nginx ] && ( [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ] ); then
  135. NGINX_WEBSERVER=0
  136. /etc/init.d/nginx restart
  137. fi
  138. if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then
  139. log "Running user-provided cleanup script from $USER_CLEANUP."
  140. "$USER_CLEANUP" || return 1
  141. fi
  142. }
  143. err_out()
  144. {
  145. post_checks
  146. exit 1
  147. }
  148. int_out()
  149. {
  150. post_checks
  151. trap - INT
  152. kill -INT $$
  153. }
  154. is_staging()
  155. {
  156. local main_domain
  157. local domain_dir
  158. main_domain="$1"
  159. domain_dir="$2"
  160. grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"
  161. return $?
  162. }
  163. issue_cert()
  164. {
  165. local section="$1"
  166. local acme_args=
  167. local enabled
  168. local use_staging
  169. local update_uhttpd
  170. local update_nginx
  171. local keylength
  172. local keylength_ecc=0
  173. local domains
  174. local main_domain
  175. local moved_staging=0
  176. local failed_dir
  177. local webroot
  178. local dns
  179. local user_setup
  180. local user_cleanup
  181. local ret
  182. local domain_dir
  183. local acme_server
  184. local days
  185. config_get_bool enabled "$section" enabled 0
  186. config_get_bool use_staging "$section" use_staging
  187. config_get_bool update_uhttpd "$section" update_uhttpd
  188. config_get_bool update_nginx "$section" update_nginx
  189. config_get calias "$section" calias
  190. config_get dalias "$section" dalias
  191. config_get domains "$section" domains
  192. config_get keylength "$section" keylength
  193. config_get webroot "$section" webroot
  194. config_get dns "$section" dns
  195. config_get user_setup "$section" user_setup
  196. config_get user_cleanup "$section" user_cleanup
  197. config_get acme_server "$section" acme_server
  198. config_get days "$section" days
  199. UPDATE_NGINX=$update_nginx
  200. UPDATE_UHTTPD=$update_uhttpd
  201. USER_CLEANUP=$user_cleanup
  202. [ "$enabled" -eq "1" ] || return
  203. [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
  204. set -- $domains
  205. main_domain=$1
  206. if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then
  207. log "Running user-provided setup script from $user_setup."
  208. "$user_setup" "$main_domain" || return 1
  209. else
  210. [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1
  211. fi
  212. if echo $keylength | grep -q "^ec-"; then
  213. domain_dir="$STATE_DIR/${main_domain}_ecc"
  214. keylength_ecc=1
  215. else
  216. domain_dir="$STATE_DIR/${main_domain}"
  217. fi
  218. log "Running ACME for $main_domain"
  219. handle_credentials() {
  220. local credential="$1"
  221. eval export $credential
  222. }
  223. config_list_foreach "$section" credentials handle_credentials
  224. if [ -e "$domain_dir" ]; then
  225. if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then
  226. log "Found previous cert issued using staging server. Moving it out of the way."
  227. mv "$domain_dir" "${domain_dir}.staging"
  228. moved_staging=1
  229. else
  230. log "Found previous cert config. Issuing renew."
  231. [ "$keylength_ecc" -eq "1" ] && acme_args="$acme_args --ecc"
  232. run_acme --home "$STATE_DIR" --renew -d "$main_domain" $acme_args && ret=0 || ret=1
  233. post_checks
  234. return $ret
  235. fi
  236. fi
  237. acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
  238. acme_args="$acme_args --keylength $keylength"
  239. [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
  240. [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
  241. if [ -n "$acme_server" ]; then
  242. log "Using custom ACME server URL"
  243. acme_args="$acme_args --server $acme_server"
  244. fi
  245. if [ -n "$days" ]; then
  246. log "Renewing after $days days"
  247. acme_args="$acme_args --days $days"
  248. fi
  249. if [ -n "$dns" ]; then
  250. log "Using dns mode"
  251. acme_args="$acme_args --dns $dns"
  252. if [ -n "$dalias" ]; then
  253. log "Using domain alias for dns mode"
  254. acme_args="$acme_args --domain-alias $dalias"
  255. if [ -n "$calias" ]; then
  256. err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
  257. fi
  258. elif [ -n "$calias" ]; then
  259. log "Using challenge alias for dns mode"
  260. acme_args="$acme_args --challenge-alias $calias"
  261. fi
  262. elif [ -z "$webroot" ]; then
  263. log "Using standalone mode"
  264. acme_args="$acme_args --standalone --listen-v6"
  265. else
  266. if [ ! -d "$webroot" ]; then
  267. err "$main_domain: Webroot dir '$webroot' does not exist!"
  268. post_checks
  269. return 1
  270. fi
  271. log "Using webroot dir: $webroot"
  272. acme_args="$acme_args --webroot $webroot"
  273. fi
  274. if ! run_acme --home "$STATE_DIR" --issue $acme_args; then
  275. failed_dir="${domain_dir}.failed-$(date +%s)"
  276. err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
  277. [ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"
  278. if [ "$moved_staging" -eq "1" ]; then
  279. err "Restoring staging certificate"
  280. mv "${domain_dir}.staging" "${domain_dir}"
  281. fi
  282. post_checks
  283. return 1
  284. fi
  285. if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
  286. uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"
  287. uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"
  288. # commit and reload is in post_checks
  289. fi
  290. local nginx_updated
  291. nginx_updated=0
  292. if command -v nginx-util 2>/dev/null && [ "$update_nginx" -eq "1" ]; then
  293. nginx_updated=1
  294. for domain in $domains; do
  295. nginx-util add_ssl "${domain}" acme "${domain_dir}/fullchain.cer" \
  296. "${domain_dir}/${main_domain}.key" || nginx_updated=0
  297. done
  298. # reload is in post_checks
  299. fi
  300. if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then
  301. sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf
  302. sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf
  303. # commit and reload is in post_checks
  304. fi
  305. post_checks
  306. }
  307. load_vars()
  308. {
  309. local section="$1"
  310. STATE_DIR=$(config_get "$section" state_dir)
  311. ACCOUNT_EMAIL=$(config_get "$section" account_email)
  312. DEBUG=$(config_get "$section" debug)
  313. }
  314. check_cron
  315. [ -n "$CHECK_CRON" ] && exit 0
  316. [ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
  317. config_load acme
  318. config_foreach load_vars acme
  319. if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
  320. err "state_dir and account_email must be set"
  321. exit 1
  322. fi
  323. [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
  324. trap err_out HUP TERM
  325. trap int_out INT
  326. config_foreach issue_cert cert
  327. exit 0