Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Peb #2126

Merged
merged 5 commits into from
Feb 27, 2019
Merged

Peb #2126

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f1614fc
support pebble
Feb 23, 2019
b0675e8
fix error
Feb 24, 2019
6cd2117
fix processing status for sign cert
Feb 26, 2019
e128b4b
fix typo
Feb 26, 2019
38af934
support async finalize order
Feb 27, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 74 additions & 14 deletions acme.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1827,23 +1827,29 @@ _send_signed_request() {
nonceurl="$ACME_NEW_NONCE"
if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then
_headers="$(cat "$HTTP_HEADER")"
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
fi
if [ -z "$_headers" ]; then
if [ -z "$_CACHED_NONCE" ]; then
_debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY"
nonceurl="$ACME_DIRECTORY"
_headers="$(_get "$nonceurl" "onlyheader")"
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi

if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then
_debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
nonceurl="$ACME_NEW_NONCE"
_headers="$(_get "$nonceurl" "onlyheader")"
_debug2 _headers "$_headers"
_CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
fi
_debug2 _CACHED_NONCE "$_CACHED_NONCE"
if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce."
return 1
fi

_debug2 _headers "$_headers"

_CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
_debug2 _CACHED_NONCE "$_CACHED_NONCE"
else
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
fi
Expand Down Expand Up @@ -2060,6 +2066,7 @@ _clearcaconf() {
_startserver() {
content="$1"
ncaddr="$2"
_debug "content" "$content"
_debug "ncaddr" "$ncaddr"

_debug "startserver: $$"
Expand All @@ -2086,8 +2093,14 @@ _startserver() {
SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
fi

_content_len="$(printf "%s" "$content" | wc -c)"
_debug _content_len "$_content_len"
_debug "_NC" "$_NC $SOCAT_OPTIONS"
$_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo $content; echo;" &
$_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \
echo 'HTTP/1.0 200 OK'; \
echo 'Content-Length\: $_content_len'; \
echo ''; \
printf '$content';" &
serverproc="$!"
}

Expand Down Expand Up @@ -3062,6 +3075,7 @@ _on_before_issue() {
_info "Standalone mode."
if [ -z "$Le_HTTPPort" ]; then
Le_HTTPPort=80
_cleardomainconf "Le_HTTPPort"
else
_savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
fi
Expand Down Expand Up @@ -3269,7 +3283,7 @@ _regAccount() {
fi

_debug2 responseHeaders "$responseHeaders"
_accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
_accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
_debug "_accUri" "$_accUri"
if [ -z "$_accUri" ]; then
_err "Can not find account id url."
Expand Down Expand Up @@ -3435,7 +3449,7 @@ __trigger_validation() {
_t_vtype="$3"
_debug2 _t_vtype "$_t_vtype"
if [ "$ACME_VERSION" = "2" ]; then
_send_signed_request "$_t_url" "{\"keyAuthorization\": \"$_t_key_authz\"}"
_send_signed_request "$_t_url" "{}"
else
_send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
fi
Expand Down Expand Up @@ -4205,20 +4219,66 @@ $_authorizations_map"
der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"

if [ "$ACME_VERSION" = "2" ]; then
_info "Lets finalize the order, Le_OrderFinalize: $Le_OrderFinalize"
if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
_err "Sign failed."
_on_issue_err "$_post_hook"
return 1
fi
if [ "$code" != "200" ]; then
_err "Sign failed, code is not 200."
_err "Sign failed, finalize code is not 200."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
if [ -z "$Le_LinkOrder" ]; then
_err "Sign error, can not get order link location header"
_err "responseHeaders" "$responseHeaders"
_on_issue_err "$_post_hook"
return 1
fi
_savedomainconf "Le_LinkOrder" "$Le_LinkOrder"

_link_cert_retry=0
_MAX_CERT_RETRY=5
while [ -z "$Le_LinkCert" ] && [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
if _contains "$response" "\"status\":\"valid\""; then
_debug "Order status is valid."
Le_LinkCert="$(echo "$response" | tr -d '\r\n' | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
_debug Le_LinkCert "$Le_LinkCert"
if [ -z "$Le_LinkCert" ]; then
_err "Sign error, can not find Le_LinkCert"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
break
elif _contains "$response" "\"processing\""; then
_info "Order status is processing, lets sleep and retry."
_sleep 2
else
_err "Sign error, wrong status"
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
if ! _send_signed_request "$Le_LinkOrder"; then
_err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
_link_cert_retry="$(_math $_link_cert_retry + 1)"
done

_tempSignedResponse="$response"
if [ -z "$Le_LinkCert" ]; then
_err "Sign failed, can not get Le_LinkCert, retry time limit."
_err "$response"
_on_issue_err "$_post_hook"
return 1
fi
_info "Download cert, Le_LinkCert: $Le_LinkCert"
if ! _send_signed_request "$Le_LinkCert"; then
_err "Sign failed, can not download cert:$Le_LinkCert."
_err "$response"
Expand All @@ -4237,7 +4297,7 @@ $_authorizations_map"
_end_n="$(_math $_end_n + 1)"
sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH"
fi
response="$_tempSignedResponse"

else
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
_err "Sign failed. $response"
Expand Down