Merge pull request #3386 from acmesh-official/dev

sync

.github/workflows/dockerhub.yml

@@ -33,12 +33,10 @@ jobs:
     steps:
       - name: checkout code
         uses: actions/checkout@v2
-      - name: install buildx
-        id: buildx
-        uses: crazy-max/ghaction-docker-buildx@v3
-        with:
-          buildx-version: latest
-          qemu-version: latest
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
       - name: login to docker hub
         run: |
           echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin

README.md

@@ -89,6 +89,7 @@ https://github.com/acmesh-official/acmetest
 - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
 - [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
 - [Pebble strict Mode](https://github.com/letsencrypt/pebble)
+- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
 
 # Supported modes
 
@@ -109,13 +110,13 @@ https://github.com/acmesh-official/acmetest
 Check this project: https://github.com/acmesh-official/get.acme.sh
 
 ```bash
-curl https://get.acme.sh | sh
+curl https://get.acme.sh | sh -s email=my@example.com
 ```
 
 Or:
 
 ```bash
-wget -O -  https://get.acme.sh | sh
+wget -O -  https://get.acme.sh | sh -s email=my@example.com
 ```
 
 
@@ -126,7 +127,7 @@ Clone this project and launch installation:
 ```bash
 git clone https://github.com/acmesh-official/acme.sh.git
 cd ./acme.sh
-./acme.sh --install
+./acme.sh --install -m my@example.com
 ```
 
 You `don't have to be root` then, although `it is recommended`.

acme.sh

@@ -6105,7 +6105,7 @@ _installalias() {
 
 }
 
-# nocron confighome noprofile
+# nocron confighome noprofile accountemail
 install() {
 
   if [ -z "$LE_WORKING_DIR" ]; then
@@ -6115,6 +6115,8 @@ install() {
   _nocron="$1"
   _c_home="$2"
   _noprofile="$3"
+  _accountemail="$4"
+
   if ! _initpath; then
     _err "Install failed."
     return 1
@@ -6233,6 +6235,10 @@ install() {
     fi
   fi
 
+  if [ "$_accountemail" ]; then
+    _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
+  fi
+
   _info OK
 }
 
@@ -6511,7 +6517,7 @@ Parameters:
   --cert-home <directory>           Specifies the home dir to save all the certs, only valid for '--install' command.
   --config-home <directory>         Specifies the home dir to save all the configurations.
   --useragent <string>              Specifies the user agent string. it will be saved for future use too.
-  -m, --accountemail <email>        Specifies the account email, only valid for the '--install' and '--update-account' command.
+  -m, --email <email>               Specifies the account email, only valid for the '--install' and '--update-account' command.
   --accountkey <file>               Specifies the account key path, only valid for the '--install' command.
   --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
   --httpport <port>                 Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
@@ -6522,9 +6528,9 @@ Parameters:
   --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
   --ca-bundle <file>                Specifies the path to the CA certificate bundle to verify api server's certificate.
   --ca-path <directory>             Specifies directory containing CA certificates in PEM format, used by wget or curl.
-  --nocron                          Only valid for '--install' command, which means: do not install the default cron job.
+  --no-cron                         Only valid for '--install' command, which means: do not install the default cron job.
                                     In this case, the certs will not be renewed automatically.
-  --noprofile                       Only valid for '--install' command, which means: do not install aliases to user profile.
+  --no-profile                      Only valid for '--install' command, which means: do not install aliases to user profile.
   --no-color                        Do not output color text.
   --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
   --ecc                             Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
@@ -6562,18 +6568,18 @@ Parameters:
 "
 }
 
-# nocron noprofile
-_installOnline() {
+
+installOnline() {
   _info "Installing from online archive."
-  _nocron="$1"
-  _noprofile="$2"
-  if [ ! "$BRANCH" ]; then
-    BRANCH="master"
+
+  _branch="$BRANCH"
+  if [ -z "$_branch" ]; then
+    _branch="master"
   fi
 
-  target="$PROJECT/archive/$BRANCH.tar.gz"
+  target="$PROJECT/archive/$_branch.tar.gz"
   _info "Downloading $target"
-  localname="$BRANCH.tar.gz"
+  localname="$_branch.tar.gz"
   if ! _get "$target" >$localname; then
     _err "Download error."
     return 1
@@ -6585,17 +6591,17 @@ _installOnline() {
       exit 1
     fi
 
-    cd "$PROJECT_NAME-$BRANCH"
+    cd "$PROJECT_NAME-$_branch"
     chmod +x $PROJECT_ENTRY
-    if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
+    if ./$PROJECT_ENTRY --install "$@"; then
       _info "Install success!"
       _initpath
       _saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)"
     fi
 
     cd ..
 
-    rm -rf "$PROJECT_NAME-$BRANCH"
+    rm -rf "$PROJECT_NAME-$_branch"
     rm -f "$localname"
   )
 }
@@ -6623,7 +6629,7 @@ upgrade() {
     [ -z "$FORCE" ] && [ "$(_getUpgradeHash)" = "$(_readaccountconf "UPGRADE_HASH")" ] && _info "Already uptodate!" && exit 0
     export LE_WORKING_DIR
     cd "$LE_WORKING_DIR"
-    _installOnline "nocron" "noprofile"
+    installOnline "--nocron" "--noprofile"
   ); then
     _info "Upgrade success!"
     exit 0
@@ -6803,6 +6809,11 @@ _process() {
     --install)
       _CMD="install"
       ;;
+    --install-online)
+      shift
+      installOnline "$@"
+      return
+      ;;
     --uninstall)
       _CMD="uninstall"
       ;;
@@ -7077,9 +7088,9 @@ _process() {
       USER_AGENT="$_useragent"
       shift
       ;;
-    -m | --accountemail)
+    -m | --email | --accountemail)
       _accountemail="$2"
-      ACCOUNT_EMAIL="$_accountemail"
+      export ACCOUNT_EMAIL="$_accountemail"
       shift
       ;;
     --accountkey)
@@ -7122,10 +7133,10 @@ _process() {
       CA_PATH="$_ca_path"
       shift
       ;;
-    --nocron)
+    --no-cron | --nocron)
       _nocron="1"
       ;;
-    --noprofile)
+    --no-profile | --noprofile)
       _noprofile="1"
       ;;
     --no-color)
@@ -7345,7 +7356,7 @@ _process() {
   fi
   _debug "Running cmd: ${_CMD}"
   case "${_CMD}" in
-  install) install "$_nocron" "$_confighome" "$_noprofile" ;;
+  install) install "$_nocron" "$_confighome" "$_noprofile" "$_accountemail" ;;
   uninstall) uninstall "$_nocron" ;;
   upgrade) upgrade ;;
   issue)
@@ -7458,12 +7469,6 @@ _process() {
 
 }
 
-if [ "$INSTALLONLINE" ]; then
-  INSTALLONLINE=""
-  _installOnline
-  exit
-fi
-
 main() {
   [ -z "$1" ] && showhelp && return
   if _startswith "$1" '-'; then _process "$@"; else "$@"; fi

deploy/peplink.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env sh
+
+# Script to deploy cert to Peplink Routers
+#
+# The following environment variables must be set:
+#
+# PEPLINK_Hostname - Peplink hostname
+# PEPLINK_Username - Peplink username to login
+# PEPLINK_Password - Peplink password to login
+#
+# The following environmental variables may be set if you don't like their
+# default values:
+#
+# PEPLINK_Certtype - Certificate type to target for replacement
+#                    defaults to "webadmin", can be one of:
+#                      * "chub" (ContentHub)
+#                      * "openvpn" (OpenVPN CA)
+#                      * "portal" (Captive Portal SSL)
+#                      * "webadmin" (Web Admin SSL)
+#                      * "webproxy" (Proxy Root CA)
+#                      * "wwan_ca" (Wi-Fi WAN CA)
+#                      * "wwan_client" (Wi-Fi WAN Client)
+# PEPLINK_Scheme   - defaults to "https"
+# PEPLINK_Port     - defaults to "443"
+#
+#returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+_peplink_get_cookie_data() {
+  grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
+}
+
+#domain keyfile certfile cafile fullchain
+peplink_deploy() {
+
+  _cdomain="$1"
+  _ckey="$2"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _cfullchain "$_cfullchain"
+  _debug _ckey "$_ckey"
+
+  # Get Hostname, Username and Password, but don't save until we successfully authenticate
+  _getdeployconf PEPLINK_Hostname
+  _getdeployconf PEPLINK_Username
+  _getdeployconf PEPLINK_Password
+  if [ -z "${PEPLINK_Hostname:-}" ] || [ -z "${PEPLINK_Username:-}" ] || [ -z "${PEPLINK_Password:-}" ]; then
+    _err "PEPLINK_Hostname & PEPLINK_Username & PEPLINK_Password must be set"
+    return 1
+  fi
+  _debug2 PEPLINK_Hostname "$PEPLINK_Hostname"
+  _debug2 PEPLINK_Username "$PEPLINK_Username"
+  _secure_debug2 PEPLINK_Password "$PEPLINK_Password"
+
+  # Optional certificate type, scheme, and port for Peplink
+  _getdeployconf PEPLINK_Certtype
+  _getdeployconf PEPLINK_Scheme
+  _getdeployconf PEPLINK_Port
+
+  # Don't save the certificate type until we verify it exists and is supported
+  _savedeployconf PEPLINK_Scheme "$PEPLINK_Scheme"
+  _savedeployconf PEPLINK_Port "$PEPLINK_Port"
+
+  # Default vaules for certificate type, scheme, and port
+  [ -n "${PEPLINK_Certtype}" ] || PEPLINK_Certtype="webadmin"
+  [ -n "${PEPLINK_Scheme}" ] || PEPLINK_Scheme="https"
+  [ -n "${PEPLINK_Port}" ] || PEPLINK_Port="443"
+
+  _debug2 PEPLINK_Certtype "$PEPLINK_Certtype"
+  _debug2 PEPLINK_Scheme "$PEPLINK_Scheme"
+  _debug2 PEPLINK_Port "$PEPLINK_Port"
+
+  _base_url="$PEPLINK_Scheme://$PEPLINK_Hostname:$PEPLINK_Port"
+  _debug _base_url "$_base_url"
+
+  # Login, get the auth token from the cookie
+  _info "Logging into $PEPLINK_Hostname:$PEPLINK_Port"
+  encoded_username="$(printf "%s" "$PEPLINK_Username" | _url_encode)"
+  encoded_password="$(printf "%s" "$PEPLINK_Password" | _url_encode)"
+  response=$(_post "func=login&username=$encoded_username&password=$encoded_password" "$_base_url/cgi-bin/MANGA/api.cgi")
+  auth_token=$(_peplink_get_cookie_data "bauth" <"$HTTP_HEADER")
+  _debug3 response "$response"
+  _debug auth_token "$auth_token"
+
+  if [ -z "$auth_token" ]; then
+    _err "Unable to authenticate to $PEPLINK_Hostname:$PEPLINK_Port using $PEPLINK_Scheme."
+    _err "Check your username and password."
+    return 1
+  fi
+
+  _H1="Cookie: $auth_token"
+  export _H1
+  _debug2 H1 "${_H1}"
+
+  # Now that we know the hostnameusername and password are good, save them
+  _savedeployconf PEPLINK_Hostname "$PEPLINK_Hostname"
+  _savedeployconf PEPLINK_Username "$PEPLINK_Username"
+  _savedeployconf PEPLINK_Password "$PEPLINK_Password"
+
+  _info "Generate form POST request"
+
+  encoded_key="$(_url_encode <"$_ckey")"
+  encoded_fullchain="$(_url_encode <"$_cfullchain")"
+  body="cert_type=$PEPLINK_Certtype&cert_uid=&section=CERT_modify&key_pem=$encoded_key&key_pem_passphrase=&key_pem_passphrase_confirm=&cert_pem=$encoded_fullchain"
+  _debug3 body "$body"
+
+  _info "Upload $PEPLINK_Certtype certificate to the Peplink"
+
+  response=$(_post "$body" "$_base_url/cgi-bin/MANGA/admin.cgi")
+  _debug3 response "$response"
+
+  if echo "$response" | grep 'Success' >/dev/null; then
+    # We've verified this certificate type is valid, so save it
+    _savedeployconf PEPLINK_Certtype "$PEPLINK_Certtype"
+    _info "Certificate was updated"
+    return 0
+  else
+    _err "Unable to update certificate, error code $response"
+    return 1
+  fi
+}

dnsapi/dns_dpi.sh

@@ -53,7 +53,7 @@ dns_dpi_rm() {
     return 1
   fi
 
-  if ! _rest POST "Record.List" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
+  if ! _rest POST "Record.List" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
     _err "Record.Lis error."
     return 1
   fi
@@ -63,14 +63,14 @@ dns_dpi_rm() {
     return 0
   fi
 
-  record_id=$(echo "$response" | _egrep_o '{[^{]*"value":"'"$txtvalue"'"' | cut -d , -f 1 | cut -d : -f 2 | tr -d \")
+  record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2)
   _debug record_id "$record_id"
   if [ -z "$record_id" ]; then
     _err "Can not get record id."
     return 1
   fi
 
-  if ! _rest POST "Record.Remove" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
+  if ! _rest POST "Record.Remove" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
     _err "Record.Remove error."
     return 1
   fi
@@ -89,7 +89,7 @@ add_record() {
 
   _info "Adding record"
 
-  if ! _rest POST "Record.Create" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
+  if ! _rest POST "Record.Create" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
     return 1
   fi
 
@@ -113,7 +113,7 @@ _get_root() {
       return 1
     fi
 
-    if ! _rest POST "Domain.Info" "user_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
+    if ! _rest POST "Domain.Info" "login_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
       return 1
     fi