#!/bin/sh # Wrapper for acme.sh to work on openwrt. # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software # Foundation; either version 3 of the License, or (at your option) any later # version. # # Author: Toke Høiland-Jørgensen CHECK_CRON=$1 ACME=/usr/lib/acme/acme.sh export SSL_CERT_DIR=/etc/ssl/certs UHTTPD_REDIRECT_HTTPS= UHTTPD_LISTEN_HTTP= STATE_DIR='/etc/acme' ACCOUNT_EMAIL= DEBUG=0 . /lib/functions.sh check_cron() { [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root /etc/init.d/cron start } pre_checks() { echo "Running pre checks." check_cron UHTTPD_REDIRECT_HTTPS=$(uci get uhttpd.main.redirect_https) UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http) uci set uhttpd.main.redirect_https=1 uci set uhttpd.main.listen_http='0.0.0.0:80' uci commit uhttpd /etc/init.d/uhttpd reload || return 1 iptables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1 return 0 } post_checks() { echo "Running post checks (cleanup)." iptables -D input_rule -p tcp --dport 80 -j ACCEPT uci set uhttpd.main.redirect_https="$UHTTPD_REDIRECT_HTTPS" uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP" uci commit uhttpd /etc/init.d/uhttpd reload } err_out() { post_checks exit 1 } int_out() { post_checks trap - SIGINT kill -SIGINT $$ } issue_cert() { local section="$1" local acme_args= local enabled local use_staging local update_uhttpd local keylength local domains local main_domain config_get_bool enabled "$section" enabled 0 config_get_bool use_staging "$section" use_staging config_get_bool update_uhttpd "$section" update_uhttpd config_get domains "$section" domains config_get keylength "$section" keylength [ "$enabled" -eq "1" ] || return [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug" set -- $domains main_domain=$1 if [ -e "$STATE_DIR/$main_domain" ]; then $ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1 return 0 fi acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)" acme_args="$acme_args --webroot $(uci get uhttpd.main.home)" acme_args="$acme_args --keylength $keylength" [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL" [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging" if ! $ACME --home "$STATE_DIR" --issue $acme_args; then echo "Issuing cert for $main_domain failed. It may be necessary to remove $STATE_DIR/$main_domain to recover." >&2 return 1 fi if [ "$update_uhttpd" -eq "1" ]; then uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key" uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer" # commit and reload is in post_checks fi } load_vars() { local section="$1" STATE_DIR=$(config_get "$section" state_dir) ACCOUNT_EMAIL=$(config_get "$section" account_email) DEBUG=$(config_get "$section" debug) } if [ -n "$CHECK_CRON" ]; then check_cron exit 0 fi config_load acme config_foreach load_vars acme pre_checks || exit 1 trap err_out SIGHUP SIGTERM trap int_out SIGINT config_foreach issue_cert cert post_checks exit 0