Syncing with the original repo (#2)

* change arvan api script

* change Author name

* change name actor

* Updated --preferred-chain to issue ISRG properly

To support different openssl crl2pkcs7 help cli format

* dnsapi/pdns: also normalize json response in detecting root zone

* Chain (acmesh-official#3408)

* fix acmesh-official#3384
match the issuer to the root CA cert subject

* fix format

* fix acmesh-official#3384

* remove the alt files. acmesh-official#3384

* upgrade freebsd and solaris

* duckdns - fix "integer expression expected" errors (acmesh-official#3397)

* fix "integer expression expected" errors

* duckdns fix

* Update dns_duckdns.sh

* Update dns_duckdns.sh

* Implement smtp notify hook

Support notifications via direct SMTP server connection.
Uses Python (2.7.x or 3.4+) to communicate with SMTP server.

* Make shfmt happy

(I'm open to better ways of formatting the heredoc
that embeds the Python script.)

* Only save config if send is successful

* Add instructions for reporting bugs

* Prep for curl or Python; clean up SMTP_* variable usage

* Implement curl version of smtp notify-hook

* More than one blank line is an abomination, apparently

I will not try to use whitespace to group code visually

* Fix: Unifi deploy hook support Unifi Cloud Key (acmesh-official#3327)

* fix: unifi deploy hook also update Cloud Key nginx certs

When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).

Fixes acmesh-official#3326

* Improve settings documentation comments

* Improve Cloud Key pre-flight error messaging

* Fix typo

* Add support for UnifiOS (Cloud Key Gen2)

Since UnifiOS does not use the Java keystore (like a Unifi
Controller or Cloud Key Gen1 deploy), this also reworks
the settings validation and error messaging somewhat.

* PR review fixes

* Detect unsupported Cloud Key java keystore location

* Don't try to restart inactive services

(and remove extra spaces from reload command)

* Clean up error messages and internal variables

* Change to _getdeployconf/_savedeployconf

* Switch from cp to cat to preserve file permissions

* feat: add huaweicloud error handling

* fix: fix freebsd and solaris

* support openssl 3.0
fix acmesh-official#3399

* make the fix for rsa key only

* Use PROJECT_NAME and VER for X-Mailer header

Also add X-Mailer header to Python version

* Add _clearaccountconf_mutable()

* Rework read/save config to not save default values

Add and use _readaccountconf_mutable_default and
_saveaccountconf_mutable_default helpers to capture
common default value handling.

New approach also eliminates need for separate
underscore-prefixed version of each conf var.

* Implement _rfc2822_date helper

* Clean email headers and warn on unsupported address format

Just in case, make sure CR or NL don't end up in
an email header.

* Clarify _readaccountconf_mutable_default

* Add Date email header in Python implementation

* Use email.policy.default in Python 3 implementation

Improves standards compatibility and utf-8 handling
in Python 3.3-3.8. (email.policy.default becomes the
default in Python 3.9.)

* Prefer Python to curl when both available

* Change default SMTP_SECURE to "tls"

Secure by default. Also try to minimize configuration errors.
(Many ESPs/ISPs require STARTTLS, and most support it.)

* Update dns_dp.sh

没有encode中文字符会导致提交失败

* No need to include EC parameters explicitly with the private key.
(they are embedded)

* Fixes response handling and thereby allow issuing of subdomain certs

* Adds comment

* fix acmesh-official#3402

* dnsapi/ionos: Use POST instead of PATCH for adding TXT record

The API now supports a POST route for adding records. Therefore
checking for already existing records and including them in a PATCH
request is no longer necessary.

* fix acmesh-official#3433

* fix acmesh-official#3019

* fix format

* Update dns_servercow.sh to support wildcard certs

Updated dns_servercow.sh to support txt records with multiple entries. This supports wildcard certificates that require txt records with the same name and different contents.

* Update dns_servercow.sh to support wildcard certs

Updated dns_servercow.sh to support txt records with multiple entries. This supports wildcard certificates that require txt records with the same name and different contents.

* fix acmesh-official#3312

* fix format

* feat: add dns_porkbun

* fix: prevent rate limit

Co-authored-by: Vahid Fardi <[email protected]>
Co-authored-by: neil <[email protected]>
Co-authored-by: Gnought <[email protected]>
Co-authored-by: manuel <[email protected]>
Co-authored-by: jerrm <[email protected]>
Co-authored-by: medmunds <[email protected]>
Co-authored-by: Mike Edmunds <[email protected]>
Co-authored-by: Easton Man <[email protected]>
Co-authored-by: czeming <[email protected]>
Co-authored-by: Geert Hendrickx <[email protected]>
Co-authored-by: Kristian Johansson <[email protected]>
Co-authored-by: Lukas Brocke <[email protected]>
Co-authored-by: anom-human <[email protected]>
Co-authored-by: neil <[email protected]>
Co-authored-by: Quentin Dreyer <[email protected]>

.github/workflows/DNS.yml

@@ -184,7 +184,7 @@ jobs:
     - uses: actions/checkout@v2
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v0.0.7
+    - uses: vmactions/freebsd-vm@v0.1.2
       with:
         envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
         prepare: pkg install -y socat curl
@@ -223,7 +223,7 @@ jobs:
     - uses: actions/checkout@v2
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/[email protected].1
+    - uses: vmactions/[email protected].3
       with:
         envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
         prepare: pkgutil -y -i socat curl

.github/workflows/LetsEncrypt.yml

@@ -111,7 +111,7 @@ jobs:
     - uses: actions/checkout@v2
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v0.0.7
+    - uses: vmactions/freebsd-vm@v0.1.2
       with:
         envs: 'NGROK_TOKEN TEST_LOCAL'
         prepare: pkg install -y socat curl
@@ -136,7 +136,7 @@ jobs:
       run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/[email protected].1
+    - uses: vmactions/[email protected].3
       with:
         envs: 'TEST_LOCAL TestingDomain'
         nat: |

acme.sh

@@ -562,8 +562,16 @@ if _exists xargs && [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then
 fi
 
 _h2b() {
-  if _exists xxd && xxd -r -p 2>/dev/null; then
-    return
+  if _exists xxd; then
+    if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
+      if xxd -r -p -c 9999 2>/dev/null; then
+        return
+      fi
+    else
+      if xxd -r -p 2>/dev/null; then
+        return
+      fi
+    fi
   fi
 
   hex=$(cat)
@@ -1124,15 +1132,19 @@ _createkey() {
 
   if _isEccKey "$length"; then
     _debug "Using ec name: $eccname"
-    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
+    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -noout -genkey 2>/dev/null)"; then
       echo "$_opkey" >"$f"
     else
       _err "error ecc key name: $eccname"
       return 1
     fi
   else
     _debug "Using RSA: $length"
-    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
+    __traditional=""
+    if _contains "$(${ACME_OPENSSL_BIN:-openssl} help genrsa 2>&1)" "-traditional"; then
+      __traditional="-traditional"
+    fi
+    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa $__traditional "$length" 2>/dev/null)"; then
       echo "$_opkey" >"$f"
     else
       _err "error rsa key: $length"
@@ -2121,6 +2133,12 @@ _send_signed_request() {
         _sleep $_sleep_retry_sec
         continue
       fi
+      if _contains "$_body" "The Replay Nonce is not recognized"; then
+        _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
+        _CACHED_NONCE=""
+        _sleep $_sleep_retry_sec
+        continue
+      fi
     fi
     return 0
   done
@@ -2279,6 +2297,13 @@ _clearaccountconf() {
   _clear_conf "$ACCOUNT_CONF_PATH" "$1"
 }
 
+#key
+_clearaccountconf_mutable() {
+  _clearaccountconf "SAVED_$1"
+  #remove later
+  _clearaccountconf "$1"
+}
+
 #_savecaconf  key  value
 _savecaconf() {
   _save_conf "$CA_CONF" "$1" "$2"
@@ -4009,27 +4034,55 @@ _check_dns_entries() {
 }
 
 #file
-_get_cert_issuers() {
+_get_chain_issuers() {
   _cfile="$1"
-  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
-    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
   else
-    ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+    _cindex=1
+    for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+      _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+      _debug2 "_startn" "$_startn"
+      _debug2 "_endn" "$_endn"
+      if [ "$DEBUG" ]; then
+        _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+      fi
+      sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+      _cindex=$(_math $_cindex + 1)
+    done
+  fi
+}
+
+#
+_get_chain_subjects() {
+  _cfile="$1"
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  else
+    _cindex=1
+    for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+      _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+      _debug2 "_startn" "$_startn"
+      _debug2 "_endn" "$_endn"
+      if [ "$DEBUG" ]; then
+        _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+      fi
+      sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+      _cindex=$(_math $_cindex + 1)
+    done
   fi
 }
 
 #cert  issuer
 _match_issuer() {
   _cfile="$1"
   _missuer="$2"
-  _fissuers="$(_get_cert_issuers $_cfile)"
+  _fissuers="$(_get_chain_issuers $_cfile)"
   _debug2 _fissuers "$_fissuers"
-  if _contains "$_fissuers" "$_missuer"; then
-    return 0
-  fi
-  _fissuers="$(echo "$_fissuers" | _lower_case)"
+  _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
+  _debug2 _rootissuer "$_rootissuer"
   _missuer="$(echo "$_missuer" | _lower_case)"
-  _contains "$_fissuers" "$_missuer"
+  _contains "$_rootissuer" "$_missuer"
 }
 
 #webroot, domain domainlist  keylength
@@ -4803,6 +4856,9 @@ $_authorizations_map"
     _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
 
     if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+      if [ "$DEBUG" ]; then
+        _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
+      fi
       if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
         rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
         _debug2 "rels" "$rels"
@@ -4818,13 +4874,22 @@ $_authorizations_map"
           _relca="$CA_CERT_PATH.alt"
           echo "$response" >"$_relcert"
           _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+          if [ "$DEBUG" ]; then
+            _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
+          fi
           if _match_issuer "$_relfullchain" "$_preferred_chain"; then
             _info "Matched issuer in: $rel"
             cat $_relcert >"$CERT_PATH"
             cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
             cat $_relca >"$CA_CERT_PATH"
+            rm -f "$_relcert"
+            rm -f "$_relfullchain"
+            rm -f "$_relca"
             break
           fi
+          rm -f "$_relcert"
+          rm -f "$_relfullchain"
+          rm -f "$_relca"
         done
       fi
     fi
@@ -5222,6 +5287,7 @@ signcsr() {
   _renew_hook="${10}"
   _local_addr="${11}"
   _challenge_alias="${12}"
+  _preferred_chain="${13}"
 
   _csrsubj=$(_readSubjectFromCSR "$_csrfile")
   if [ "$?" != "0" ]; then
@@ -5268,7 +5334,7 @@ signcsr() {
   _info "Copy csr to: $CSR_PATH"
   cp "$_csrfile" "$CSR_PATH"
 
-  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
+  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain"
 
 }
 
@@ -7365,7 +7431,7 @@ _process() {
     deploy "$_domain" "$_deploy_hook" "$_ecc"
     ;;
   signcsr)
-    signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
+    signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain"
     ;;
   showcsr)
     showcsr "$_csr" "$_domain"