From f1614fcf0d654a3fc5e18bfc0846de9c844b3c9b Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 23 Feb 2019 20:56:30 +0800 Subject: [PATCH 1/5] support pebble --- acme.sh | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/acme.sh b/acme.sh index 93112a1af2..94bebe67ea 100755 --- a/acme.sh +++ b/acme.sh @@ -1827,23 +1827,29 @@ _send_signed_request() { nonceurl="$ACME_NEW_NONCE" if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then _headers="$(cat "$HTTP_HEADER")" + _debug2 _headers "$_headers" + _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" fi fi - if [ -z "$_headers" ]; then + if [ -z "$_CACHED_NONCE" ]; then _debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY" nonceurl="$ACME_DIRECTORY" _headers="$(_get "$nonceurl" "onlyheader")" + _debug2 _headers "$_headers" + _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" fi - + if [ -z "$_CACHED_NONCE" && "$ACME_NEW_NONCE" ]; then + _debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE" + nonceurl="$ACME_NEW_NONCE" + _headers="$(_get "$nonceurl" "onlyheader")" + _debug2 _headers "$_headers" + _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" + fi + _debug2 _CACHED_NONCE "$_CACHED_NONCE" if [ "$?" != "0" ]; then _err "Can not connect to $nonceurl to get nonce." return 1 fi - - _debug2 _headers "$_headers" - - _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" - _debug2 _CACHED_NONCE "$_CACHED_NONCE" else _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE" fi @@ -2060,6 +2066,7 @@ _clearcaconf() { _startserver() { content="$1" ncaddr="$2" + _debug "content" "$content" _debug "ncaddr" "$ncaddr" _debug "startserver: $$" 
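Review bot: The connect check `if [ "$?" != "0" ]; then` after the nonce fetch in the `_send_signed_request` hunk is inert: the command that now runs immediately before it is `_debug2 _CACHED_NONCE "$_CACHED_NONCE"`, and before that the `_CACHED_NONCE="$(... | cut ...)"` pipelines, so `$?` never reflects the `_get`/`_post` that actually fetched the nonce. A failed fetch therefore leaves `_CACHED_NONCE` empty and the signed request still goes out with an empty nonce, which surfaces later as a server-side badNonce rather than the intended "Can not connect" error. Test the fetch where it happens, e.g. in both GET fallbacks `if ! _headers="$(_get "$nonceurl" "onlyheader")"; then _err "Can not connect to $nonceurl to get nonce."; return 1; fi` (an assignment's status is the command substitution's status in POSIX sh), and drop the trailing `$?` test; the same context is touched again in PATCH 2/5, which only fixes the `[ -z ... && ... ]` syntax. _send_signed_request starts and ends outside the hunk.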
@@ -2086,8 +2093,14 @@ _startserver() { SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}" fi + _content_len="$(printf "%s" "$content" | wc -c)" + _debug _content_len "$_content_len" _debug "_NC" "$_NC $SOCAT_OPTIONS" - $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo $content; echo;" & + $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ +echo 'HTTP/1.0 200 OK'; \ +echo 'Content-Length\: $_content_len'; \ +echo ''; \ +printf '$content';" & serverproc="$!" } @@ -3269,7 +3282,7 @@ _regAccount() { fi _debug2 responseHeaders "$responseHeaders" - _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")" + _accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")" _debug "_accUri" "$_accUri" if [ -z "$_accUri" ]; then _err "Can not find account id url." @@ -3435,7 +3448,7 @@ __trigger_validation() { _t_vtype="$3" _debug2 _t_vtype "$_t_vtype" if [ "$ACME_VERSION" = "2" ]; then - _send_signed_request "$_t_url" "{\"keyAuthorization\": \"$_t_key_authz\"}" + _send_signed_request "$_t_url" "{}" else _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}" fi From b0675e84c57e56e4c241b2c0a07bffccdff78bd5 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 24 Feb 2019 21:24:20 +0800 Subject: [PATCH 2/5] fix error --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 94bebe67ea..a412e2fea7 100755 --- a/acme.sh +++ b/acme.sh @@ -1838,7 +1838,7 @@ _send_signed_request() { _debug2 _headers "$_headers" _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" fi - if [ -z "$_CACHED_NONCE" && "$ACME_NEW_NONCE" ]; then + if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then _debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE" nonceurl="$ACME_NEW_NONCE" _headers="$(_get "$nonceurl" "onlyheader")" 
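Review bot: `printf '$content';` in the new `SYSTEM:` command of the `_startserver` hunk passes the response body as printf's format string, so any `%` or backslash sequence in `$content` is interpreted and the emitted body no longer matches the `Content-Length` computed from `printf "%s" "$content" | wc -c`; the value is also spliced verbatim into a shell command string, so a single quote in it would end the quoting. `printf '%s' '$content';` emits the body literally (the outer double quotes leave `%s` alone and still expand `$content`). `wc -c` prints leading blanks on BSD/macOS, so `_content_len="$(printf "%s" "$content" | wc -c | tr -d ' ')"` keeps the header value clean. The `\:` in `Content-Length\:` presumably escapes the colon for socat's address parser; a comment such as `# \: keeps socat from reading the colon as an address separator` would stop the next reader from "fixing" it. _startserver starts outside the hunk.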
From 6cd2117ba60508ee7df9d26e1d8e64112a157797 Mon Sep 17 00:00:00 2001
From: neilpang
Date: Tue, 26 Feb 2019 23:12:49 +0800
Subject: [PATCH 3/5] fix processing status for sign cert
---
 acme.sh | 43 +++++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 12 deletions(-)
diff --git a/acme.sh b/acme.sh
index a412e2fea7..38c415ca74 100755
--- a/acme.sh
+++ b/acme.sh
@@ -4218,20 +4218,39 @@ $_authorizations_map" der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" if [ "$ACME_VERSION" = "2" ]; then - if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then - _err "Sign failed." - _on_issue_err "$_post_hook" - return 1 - fi - if [ "$code" != "200" ]; then - _err "Sign failed, code is not 200." + _link_cert_retry=0 + _MAX_CERT_RETRY=5 + while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do + if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then + _err "Sign failed." + _on_issue_err "$_post_hook" + return 1 + fi + if [ "$code" != "200" ]; then + _err "Sign failed, code is not 200." + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" + _debug Le_LinkCert "$Le_LinkCert" + _tempSignedResponse="$response" + if [ -z "$Le_LinkCert" ]; then + if ! _contains "$response" "\"status\": \"processing\""; then + _err "Sign error, wrong status" + _err "$response" + fi + fi + if [ "$Le_LinkCert" ]; then + break; + fi + _link_cert_retry="$($_link_cert_retry + 1)" + _sleep 5 + done + if [ -z "$Le_LinkCert" ]; then + _err "Sign failed, can not get Le_LinkCert." _err "$response" - _on_issue_err "$_post_hook" - return 1 fi - Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" - - _tempSignedResponse="$response" if ! _send_signed_request "$Le_LinkCert"; then _err "Sign failed, can not download cert:$Le_LinkCert." _err "$response" From e128b4b6bff700f278cfa3ae5e5eb96e987bff33 Mon Sep 17 00:00:00 2001 From: neilpang Date: Tue, 26 Feb 2019 23:16:03 +0800 Subject: [PATCH 4/5] fix typo --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 38c415ca74..a4691109ac 100755 --- a/acme.sh +++ b/acme.sh 
@@ -4236,7 +4236,7 @@ $_authorizations_map" _debug Le_LinkCert "$Le_LinkCert" _tempSignedResponse="$response" if [ -z "$Le_LinkCert" ]; then - if ! _contains "$response" "\"status\": \"processing\""; then + if ! _contains "$response" "\"processing\""; then _err "Sign error, wrong status" _err "$response" fi @@ -4244,7 +4244,7 @@ $_authorizations_map" if [ "$Le_LinkCert" ]; then break; fi - _link_cert_retry="$($_link_cert_retry + 1)" + _link_cert_retry="$(_math $_link_cert_retry + 1)" _sleep 5 done if [ -z "$Le_LinkCert" ]; then From 38af934407412851d8abce2b5982b577c1a09433 Mon Sep 17 00:00:00 2001 From: neilpang Date: Wed, 27 Feb 2019 19:27:07 +0800 Subject: [PATCH 5/5] support async finalize order --- acme.sh | 68 ++++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 20 deletions(-) diff --git a/acme.sh b/acme.sh index a4691109ac..8ee22479df 100755 --- a/acme.sh +++ b/acme.sh @@ -3075,6 +3075,7 @@ _on_before_issue() { _info "Standalone mode." if [ -z "$Le_HTTPPort" ]; then Le_HTTPPort=80 + _cleardomainconf "Le_HTTPPort" else _savedomainconf "Le_HTTPPort" "$Le_HTTPPort" fi 
@@ -4218,39 +4219,66 @@ $_authorizations_map" der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" if [ "$ACME_VERSION" = "2" ]; then + _info "Lets finalize the order, Le_OrderFinalize: $Le_OrderFinalize" + if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then + _err "Sign failed." + _on_issue_err "$_post_hook" + return 1 + fi + if [ "$code" != "200" ]; then + _err "Sign failed, finalize code is not 200." + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)" + if [ -z "$Le_LinkOrder" ]; then + _err "Sign error, can not get order link location header" + _err "responseHeaders" "$responseHeaders" + _on_issue_err "$_post_hook" + return 1 + fi + _savedomainconf "Le_LinkOrder" "$Le_LinkOrder" + _link_cert_retry=0 _MAX_CERT_RETRY=5 - while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do - if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then - _err "Sign failed." + while [ -z "$Le_LinkCert" ] && [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do + if _contains "$response" "\"status\":\"valid\""; then + _debug "Order status is valid." + Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" + _debug Le_LinkCert "$Le_LinkCert" + if [ -z "$Le_LinkCert" ]; then + _err "Sign error, can not find Le_LinkCert" + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + break + elif _contains "$response" "\"processing\""; then + _info "Order status is processing, lets sleep and retry." + _sleep 2 + else + _err "Sign error, wrong status" + _err "$response" _on_issue_err "$_post_hook" return 1 fi - if [ "$code" != "200" ]; then - _err "Sign failed, code is not 200." + if ! _send_signed_request "$Le_LinkOrder"; then + _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder." 
_err "$response" _on_issue_err "$_post_hook" return 1 fi - Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" - _debug Le_LinkCert "$Le_LinkCert" - _tempSignedResponse="$response" - if [ -z "$Le_LinkCert" ]; then - if ! _contains "$response" "\"processing\""; then - _err "Sign error, wrong status" - _err "$response" - fi - fi - if [ "$Le_LinkCert" ]; then - break; - fi _link_cert_retry="$(_math $_link_cert_retry + 1)" - _sleep 5 done + if [ -z "$Le_LinkCert" ]; then - _err "Sign failed, can not get Le_LinkCert." + _err "Sign failed, can not get Le_LinkCert, retry time limit." _err "$response" + _on_issue_err "$_post_hook" + return 1 fi + _info "Download cert, Le_LinkCert: $Le_LinkCert" if ! _send_signed_request "$Le_LinkCert"; then _err "Sign failed, can not download cert:$Le_LinkCert." _err "$response" @@ -4269,7 +4297,7 @@ $_authorizations_map" _end_n="$(_math $_end_n + 1)" sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH" fi - response="$_tempSignedResponse" + else if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then _err "Sign failed. $response"
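Review bot: The `valid` check at the top of the new poll loop, `_contains "$response" "\"status\":\"valid\""`, matches only the compact form with no whitespace after the colon, while the `processing` check a few lines below accepts the bare word anywhere and the certificate extraction regex `'"certificate" *: *"[^"]*"'` tolerates spaces; a server that pretty-prints `"status": "valid"` falls through to the `wrong status` branch and aborts an order that has in fact been finalized. Extracting the status once with the same whitespace-tolerant pattern and branching on that value keeps the three checks consistent; the rewritten loop head is below, with the POST to `$Le_LinkOrder` and the retry counter left as they are. `Le_LinkCert` is also never reset before `while [ -z "$Le_LinkCert" ] && ...`; if it can carry over from an earlier issue in the same process or a loaded domain conf (not visible here), the loop is skipped and a stale link is downloaded, so `Le_LinkCert=""` next to `_link_cert_retry=0` is cheap insurance. The enclosing function starts and ends outside the hunk.
```shell
    _link_cert_retry=0
    _MAX_CERT_RETRY=5
    Le_LinkCert=""
    while [ -z "$Le_LinkCert" ] && [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
      # Whitespace-tolerant status extraction, same style as the certificate regex.
      _order_status="$(echo "$response" | tr -d '\r\n' | _egrep_o '"status" *: *"[^"]*"' | _head_n 1 | cut -d '"' -f 4)"
      _debug _order_status "$_order_status"
      if [ "$_order_status" = "valid" ]; then
        # … unchanged: Le_LinkCert extraction, empty-link error, break …
      elif [ "$_order_status" = "processing" ]; then
        _info "Order status is processing, lets sleep and retry."
        _sleep 2
      else
        # … unchanged: wrong-status error, _on_issue_err, return 1 …
      fi
      # … unchanged: POST to $Le_LinkOrder, retry counter …
    done
```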