From b0ca4435fdbee019ac72f8df0cb304e1de5deffc Mon Sep 17 00:00:00 2001 From: Ciaran Walsh Date: Wed, 21 Feb 2024 00:21:09 +0000 Subject: [PATCH 001/313] Fix for empty error objects in response breaking extraction of domain validation types Fix for empty error objects in the response which mess up the extraction of domain validation types due to the closing brace in the error object prematurely matching the end of the search pattern. This seems to be a recent change with ZeroSSL in particular where "error":{} is being included in responses. There could potentially be a related issue if there is a complex error object ever returned in the validation check response where an embedded sub-object could lead to an incomplete extraction of the error message, roughly around line 5040. Adapted from fix suggested here: https://github.com/acmesh-official/acme.sh/issues/4933#issuecomment-1870499018 --- acme.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 38ccaade..34ac49e8 100755 --- a/acme.sh +++ b/acme.sh @@ -4722,7 +4722,8 @@ $_authorizations_map" _debug keyauthorization "$keyauthorization" fi - entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" + # Fix for empty error objects in response which mess up the original code, adapted from fix suggested here: https://github.com/acmesh-official/acme.sh/issues/4933#issuecomment-1870499018 + entry="$(echo "$response" | sed s/'"error":{}'/'"error":null'/ | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$keyauthorization" -a -z "$entry" ]; then @@ -6283,7 +6284,8 @@ _deactivate() { fi _debug "Trigger validation." vtype="$(_getIdType "$_d_domain")" - entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" + # Fix for empty error objects in response which mess up the original code, adapted from fix suggested here: https://github.com/acmesh-official/acme.sh/issues/4933#issuecomment-1870499018 + entry="$(echo "$response" | sed s/'"error":{}'/'"error":null'/ | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$entry" ]; then _err "Error, can not get domain token $d" From 54eba51b35b7ec48f5e4eecfad3139e6a6ed34f4 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Wed, 20 Mar 2024 19:14:00 +0800 Subject: [PATCH 002/313] Add deployhook for Netlify --- deploy/netlify.sh | 62 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 deploy/netlify.sh diff --git a/deploy/netlify.sh b/deploy/netlify.sh new file mode 100644 index 00000000..3b854018 --- /dev/null +++ b/deploy/netlify.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env sh + +# Script to deploy certificate to Netlify +# https://docs.netlify.com/api/get-started/#authentication +# https://open-api.netlify.com/#tag/sniCertificate + +# This deployment required following variables +# export Netlify_ACCESS_TOKEN="Your Netlify Access Token" +# export Netlify_SITE_ID="Your Netlify Site ID" + +# returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +netlify_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if [ -z "$Netlify_ACCESS_TOKEN" ]; then + _err "Netlify_ACCESS_TOKEN is not defined." + return 1 + else + _savedomainconf Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN" + fi + if [ -z "$Netlify_SITE_ID" ]; then + _err "Netlify_SITE_ID is not defined." + return 1 + else + _savedomainconf Netlify_SITE_ID "$Netlify_SITE_ID" + fi + + _info "Deploying certificate to Netlify..." + + ## upload certificate + string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n') + string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n') + string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') + _request_body="{\"certificate\":\"$string_ccert\",\"key\":\"$string_key\",\"ca_certificates\":\"$string_cca\"}" + _debug _request_body "$_request_body" + _debug Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN" + export _H1="Authorization: Bearer $Netlify_ACCESS_TOKEN" + _response=$(_post "$_request_body" "https://api.netlify.com/api/v1/sites/$Netlify_SITE_ID/ssl" "" "POST" "application/json") + + if _contains "$_response" "\"error\""; then + _err "Error in deploying $_cdomain certificate to Netlify." + _err "$_response" + return 1 + fi + _debug response "$_response" + _info "Domain $_cdomain certificate successfully deployed to Netlify." + return 0 +} \ No newline at end of file From c508984f564fc99235e5d99142f0af6972430d0c Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Wed, 20 Mar 2024 18:16:53 +0800 Subject: [PATCH 003/313] Add deployhook for Edgio --- deploy/edgio.sh | 80 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 deploy/edgio.sh diff --git a/deploy/edgio.sh b/deploy/edgio.sh new file mode 100644 index 00000000..604b00e8 --- /dev/null +++ b/deploy/edgio.sh @@ -0,0 +1,80 @@ +#!/usr/bin/env sh + +# Here is a script to deploy cert to edgio using its API +# https://docs.edg.io/guides/v7/develop/rest_api/authentication +# https://docs.edg.io/rest_api/#tag/tls-certs/operation/postConfigV01TlsCerts + +# This deployment required following variables +# export EDGIO_CLIENT_ID="Your Edgio Client ID" +# export EDGIO_CLIENT_SECRET="Your Edgio Client Secret" +# export EDGIO_ENVIRONMENT_ID="Your Edgio Environment ID" + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +edgio_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if [ -z "$EDGIO_CLIENT_ID" ]; then + _err "EDGIO_CLIENT_ID is not defined." + return 1 + else + _savedomainconf EDGIO_CLIENT_ID "$EDGIO_CLIENT_ID" + fi + + if [ -z "$EDGIO_CLIENT_SECRET" ]; then + _err "EDGIO_CLIENT_SECRET is not defined." + return 1 + else + _savedomainconf EDGIO_CLIENT_SECRET "$EDGIO_CLIENT_SECRET" + fi + + if [ -z "$EDGIO_ENVIRONMENT_ID" ]; then + _err "EDGIO_ENVIRONMENT_ID is not defined." + return 1 + else + _savedomainconf EDGIO_ENVIRONMENT_ID "$EDGIO_ENVIRONMENT_ID" + fi + + _info "Getting access token" + _data="client_id=$EDGIO_CLIENT_ID&client_secret=$EDGIO_CLIENT_SECRET&grant_type=client_credentials&scope=app.config" + _debug Get_access_token_data "$_data" + _response=$(_post "$_data" "https://id.edgio.app/connect/token" "" "POST" "application/x-www-form-urlencoded" ) + _debug Get_access_token_response "$_response" + _access_token=$(echo "$_response" | _json_decode | _egrep_o '"access_token":"[^"]*' | cut -d : -f 2 | tr -d '"') + _debug _access_token "$_access_token" + if [ -z "$_access_token" ]; then + _err "Error in getting access token" + return 1 + fi + + _info "Uploading certificate" + string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n') + string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n') + string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') + _data="{\"environment_id\":\"$EDGIO_ENVIRONMENT_ID\",\"primary_cert\":\"$string_ccert\",\"intermediate_cert\":\"$string_cca\",\"private_key\":\"$string_key\"}" + _debug Upload_certificate_data "$_data" + _H1="Authorization: Bearer $_access_token" + _response=$(_post "$_data" "https://edgioapis.com/config/v0.1/tls-certs" "" "POST" "application/json") + + if _contains "$_response" "message"; then + _err "Error in deploying $_cdomain certificate to Edgio." + _err "$_response" + return 1 + fi + _debug Upload_certificate_response "$_response" + _info "Domain $_cdomain certificate successfully deployed to Edgio." + return 0 +} \ No newline at end of file From d1a1d1da8f550bf80a8339a7c15735619e581a2b Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Wed, 20 Mar 2024 18:16:44 +0800 Subject: [PATCH 004/313] Add deployhook for CacheFly --- deploy/cachefly.sh | 56 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 deploy/cachefly.sh diff --git a/deploy/cachefly.sh b/deploy/cachefly.sh new file mode 100644 index 00000000..0e436d26 --- /dev/null +++ b/deploy/cachefly.sh @@ -0,0 +1,56 @@ +#!/usr/bin/env sh + +# Script to deploy certificate to CacheFly +# https://api.cachefly.com/api/2.5/docs#tag/Certificates/paths/~1certificates/post + +# This deployment required following variables +# export CACHEFLY_TOKEN="Your CacheFly API Token" + +# returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +CACHEFLY_API_BASE="https://api.cachefly.com/api/2.5" + +cachefly_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if [ -z "$CACHEFLY_TOKEN" ]; then + _err "CACHEFLY_TOKEN is not defined." + return 1 + else + _savedomainconf CACHEFLY_TOKEN "$CACHEFLY_TOKEN" + fi + + _info "Deploying certificate to CacheFly..." + + ## upload certificate + string_fullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n') + string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') + + _request_body="{\"certificate\":\"$string_fullchain\",\"certificateKey\":\"$string_key\"}" + _debug _request_body "$_request_body" + _debug CACHEFLY_TOKEN "$CACHEFLY_TOKEN" + export _H1="Authorization: Bearer $CACHEFLY_TOKEN" + _response=$(_post "$_request_body" "$CACHEFLY_API_BASE/certificates" "" "POST" "application/json") + + if _contains "$_response" "message"; then + _err "Error in deploying $_cdomain certificate to CacheFly." + _err "$_response" + return 1 + fi + _debug response "$_response" + _info "Domain $_cdomain certificate successfully deployed to CacheFly." + return 0 +} \ No newline at end of file From 696182cfa4ceff50cd7c5b05a15cc591c55173bd Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Wed, 20 Mar 2024 23:05:43 +0800 Subject: [PATCH 005/313] deployhook Edgio: Support multiple Environment ID --- deploy/edgio.sh | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/deploy/edgio.sh b/deploy/edgio.sh index 604b00e8..aadaa98a 100644 --- a/deploy/edgio.sh +++ b/deploy/edgio.sh @@ -9,7 +9,10 @@ # export EDGIO_CLIENT_SECRET="Your Edgio Client Secret" # export EDGIO_ENVIRONMENT_ID="Your Edgio Environment ID" -#returns 0 means success, otherwise error. +# If have more than one Environment ID +# export EDGIO_ENVIRONMENT_ID="ENVIRONMENT_ID_1 ENVIRONMENT_ID_2" + +# returns 0 means success, otherwise error. ######## Public functions ##################### @@ -64,17 +67,20 @@ edgio_deploy() { string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n') string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n') string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') - _data="{\"environment_id\":\"$EDGIO_ENVIRONMENT_ID\",\"primary_cert\":\"$string_ccert\",\"intermediate_cert\":\"$string_cca\",\"private_key\":\"$string_key\"}" - _debug Upload_certificate_data "$_data" - _H1="Authorization: Bearer $_access_token" - _response=$(_post "$_data" "https://edgioapis.com/config/v0.1/tls-certs" "" "POST" "application/json") - if _contains "$_response" "message"; then - _err "Error in deploying $_cdomain certificate to Edgio." - _err "$_response" - return 1 - fi - _debug Upload_certificate_response "$_response" - _info "Domain $_cdomain certificate successfully deployed to Edgio." + for ENVIRONMENT_ID in $EDGIO_ENVIRONMENT_ID; do + _data="{\"environment_id\":\"$ENVIRONMENT_ID\",\"primary_cert\":\"$string_ccert\",\"intermediate_cert\":\"$string_cca\",\"private_key\":\"$string_key\"}" + _debug Upload_certificate_data "$_data" + _H1="Authorization: Bearer $_access_token" + _response=$(_post "$_data" "https://edgioapis.com/config/v0.1/tls-certs" "" "POST" "application/json") + if _contains "$_response" "message"; then + _err "Error in deploying $_cdomain certificate to Edgio ENVIRONMENT_ID $ENVIRONMENT_ID." + _err "$_response" + return 1 + fi + _debug Upload_certificate_response "$_response" + _info "Domain $_cdomain certificate successfully deployed to Edgio ENVIRONMENT_ID $ENVIRONMENT_ID." + done + return 0 } \ No newline at end of file From 3b46060caa7a94e04926099ba32118efd07cc116 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Wed, 20 Mar 2024 23:06:09 +0800 Subject: [PATCH 006/313] deployhook Netlify: Support multiple Site ID --- deploy/netlify.sh | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/deploy/netlify.sh b/deploy/netlify.sh index 3b854018..2ff9bcb6 100644 --- a/deploy/netlify.sh +++ b/deploy/netlify.sh @@ -8,6 +8,9 @@ # export Netlify_ACCESS_TOKEN="Your Netlify Access Token" # export Netlify_SITE_ID="Your Netlify Site ID" +# If have more than one SITE ID +# export Netlify_SITE_ID="SITE_ID_1 SITE_ID_2" + # returns 0 means success, otherwise error. ######## Public functions ##################### @@ -45,18 +48,22 @@ netlify_deploy() { string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n') string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n') string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') - _request_body="{\"certificate\":\"$string_ccert\",\"key\":\"$string_key\",\"ca_certificates\":\"$string_cca\"}" - _debug _request_body "$_request_body" - _debug Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN" - export _H1="Authorization: Bearer $Netlify_ACCESS_TOKEN" - _response=$(_post "$_request_body" "https://api.netlify.com/api/v1/sites/$Netlify_SITE_ID/ssl" "" "POST" "application/json") - if _contains "$_response" "\"error\""; then - _err "Error in deploying $_cdomain certificate to Netlify." - _err "$_response" - return 1 - fi - _debug response "$_response" - _info "Domain $_cdomain certificate successfully deployed to Netlify." + for SITE_ID in $Netlify_SITE_ID; do + _request_body="{\"certificate\":\"$string_ccert\",\"key\":\"$string_key\",\"ca_certificates\":\"$string_cca\"}" + _debug _request_body "$_request_body" + _debug Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN" + export _H1="Authorization: Bearer $Netlify_ACCESS_TOKEN" + _response=$(_post "$_request_body" "https://api.netlify.com/api/v1/sites/$SITE_ID/ssl" "" "POST" "application/json") + + if _contains "$_response" "\"error\""; then + _err "Error in deploying $_cdomain certificate to Netlify SITE_ID $SITE_ID." + _err "$_response" + return 1 + fi + _debug response "$_response" + _info "Domain $_cdomain certificate successfully deployed to Netlify SITE_ID $SITE_ID." + done + return 0 } \ No newline at end of file From e7284df1df2eb586ec89bf69e19086779d63ff02 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Thu, 21 Mar 2024 21:44:33 +0800 Subject: [PATCH 007/313] Add deployhook for DirectAdmin --- deploy/directadmin.sh | 80 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 deploy/directadmin.sh diff --git a/deploy/directadmin.sh b/deploy/directadmin.sh new file mode 100644 index 00000000..23d46df9 --- /dev/null +++ b/deploy/directadmin.sh @@ -0,0 +1,80 @@ +#!/usr/bin/env sh + +# Script to deploy certificate to DirectAdmin +# https://docs.directadmin.com/directadmin/customizing-workflow/api-all-about.html#creating-a-login-key +# https://docs.directadmin.com/changelog/version-1.24.4.html#cmd-api-catch-all-pop-passwords-frontpage-protected-dirs-ssl-certs + +# This deployment required following variables +# export DirectAdmin_ENDPOINT="example.com:2222" +# export DirectAdmin_USERNAME="Your DirectAdmin Username" +# export DirectAdmin_KEY="Your DirectAdmin Login Key or Password" +# export DirectAdmin_MAIN_DOMAIN="Your DirectAdmin Main Domain, NOT Subdomain" + +# returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +directadmin_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if [ -z "$DirectAdmin_ENDPOINT" ]; then + _err "DirectAdmin_ENDPOINT is not defined." + return 1 + else + _savedomainconf DirectAdmin_ENDPOINT "$DirectAdmin_ENDPOINT" + fi + if [ -z "$DirectAdmin_USERNAME" ]; then + _err "DirectAdmin_USERNAME is not defined." + return 1 + else + _savedomainconf DirectAdmin_USERNAME "$DirectAdmin_USERNAME" + fi + if [ -z "$DirectAdmin_KEY" ]; then + _err "DirectAdmin_KEY is not defined." + return 1 + else + _savedomainconf DirectAdmin_KEY "$DirectAdmin_KEY" + fi + if [ -z "$DirectAdmin_MAIN_DOMAIN" ]; then + _err "DirectAdmin_MAIN_DOMAIN is not defined." + return 1 + else + _savedomainconf DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN" + fi + + _info "Deploying certificate to DirectAdmin..." + + # upload certificate + string_cfullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n') + string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') + + _request_body="{\"domain\":\"$DirectAdmin_MAIN_DOMAIN\",\"action\":\"save\",\"type\":\"paste\",\"certificate\":\"$string_key\n$string_cfullchain\n\"}" + _debug _request_body "$_request_body" + _debug DirectAdmin_ENDPOINT "$DirectAdmin_ENDPOINT" + _debug DirectAdmin_USERNAME "$DirectAdmin_USERNAME" + _debug DirectAdmin_KEY "$DirectAdmin_KEY" + _debug DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN" + _response=$(_post "$_request_body" "https://$DirectAdmin_USERNAME:$DirectAdmin_KEY@$DirectAdmin_ENDPOINT/CMD_API_SSL" "" "POST" "application/json") + + if _contains "$_response" "error=1"; then + _err "Error in deploying $_cdomain certificate to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN." + _err "$_response" + return 1 + fi + + _info "$_response" + _info "Domain $_cdomain certificate successfully deployed to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN." + + return 0 +} \ No newline at end of file From 295af0168753caf491a86745f0c8ef6b6bc207be Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Thu, 28 Mar 2024 23:07:14 +0800 Subject: [PATCH 008/313] Add deployhook for KeyHelp --- deploy/keyhelp.sh | 111 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 deploy/keyhelp.sh diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh new file mode 100644 index 00000000..b792f021 --- /dev/null +++ b/deploy/keyhelp.sh @@ -0,0 +1,111 @@ +#!/usr/bin/env sh + +# Script to deploy certificate to KeyHelp +# This deployment required following variables +# export DEPLOY_KEYHELP_BASEURL="https://keyhelp.example.com" +# export DEPLOY_KEYHELP_USERNAME="Your KeyHelp Username" +# export DEPLOY_KEYHELP_PASSWORD="Your KeyHelp Password" +# export DEPLOY_KEYHELP_DOMAIN_ID="Depoly certificate to this Domain ID" + +# Open the 'Edit domain' page, and you will see id=xxx at the end of the URL. This is the Domain ID. +# https://DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=xxx + +# If have more than one domain name +# export DEPLOY_KEYHELP_DOMAIN_ID="111 222 333" + +keyhelp_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if [ -z "$DEPLOY_KEYHELP_BASEURL" ]; then + _err "DEPLOY_KEYHELP_BASEURL is not defined." + return 1 + else + _savedomainconf DEPLOY_KEYHELP_BASEURL "$DEPLOY_KEYHELP_BASEURL" + fi + + if [ -z "$DEPLOY_KEYHELP_USERNAME" ]; then + _err "DEPLOY_KEYHELP_USERNAME is not defined." + return 1 + else + _savedomainconf DEPLOY_KEYHELP_USERNAME "$DEPLOY_KEYHELP_USERNAME" + fi + + if [ -z "$DEPLOY_KEYHELP_PASSWORD" ]; then + _err "DEPLOY_KEYHELP_PASSWORD is not defined." + return 1 + else + _savedomainconf DEPLOY_KEYHELP_PASSWORD "$DEPLOY_KEYHELP_PASSWORD" + fi + + if [ -z "$DEPLOY_KEYHELP_DOMAIN_ID" ]; then + _err "DEPLOY_KEYHELP_DOMAIN_ID is not defined." + return 1 + else + _savedomainconf DEPLOY_KEYHELP_DOMAIN_ID "$DEPLOY_KEYHELP_DOMAIN_ID" + fi + + _info "Logging in to keyhelp panel" + username_encoded="$(printf "%s" "${DEPLOY_KEYHELP_USERNAME}" | _url_encode)" + password_encoded="$(printf "%s" "${DEPLOY_KEYHELP_PASSWORD}" | _url_encode)" + _H1="Content-Type: application/x-www-form-urlencoded" + _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?submit=1&username=$username_encoded&password=$password_encoded" "TRUE") + _cookie="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2)" + + # If cookies is not empty then logon successful + if [ -z "$_cookie" ]; then + _err "Fail to get cookie." + return 1 + fi + _debug "cookie" "$_cookie" + + _info "Uploading certificate" + _date=$(date +"%Y%m%d") + encoded_key="$(_url_encode <"$_ckey")" + encoded_ccert="$(_url_encode <"$_ccert")" + encoded_cca="$(_url_encode <"$_cca")" + certificate_name="$_cdomain-$_date" + + _request_body="submit=1&certificate_name=$certificate_name&add_type=upload&text_private_key=$encoded_key&text_certificate=$encoded_ccert&text_ca_certificate=$encoded_cca" + _H1="Cookie: $_cookie" + _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=ssl_certificates&action=add" "" "POST") + _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/
/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//') + _info "_message" "$_message" + if [ -z "$_message" ]; then + _err "Fail to upload certificate." + return 1 + fi + + for DOMAIN_ID in $DEPLOY_KEYHELP_DOMAIN_ID; do + _info "Apply certificate to domain id $DOMAIN_ID" + _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=$DOMAIN_ID") + cert_value=$(echo "$_response" | grep "$certificate_name" | sed -n 's/.*value="\([^"]*\).*/\1/p') + target_type=$(echo "$_response" | grep 'target_type' | grep 'checked' | sed -n 's/.*value="\([^"]*\).*/\1/p') + _debug "cert_value" "$cert_value" + if [ -z "$cert_value" ]; then + _err "Fail to get certificate id." + return 1 + fi + + _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&certificate_type=custom&certificate_id=$cert_value" + _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit" "" "POST") + _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/
/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//') + _info "_message" "$_message" + if [ -z "$_message" ]; then + _err "Fail to apply certificate." + return 1 + fi + done + + _info "Domain $_cdomain certificate successfully deployed to KeyHelp Domain ID $DEPLOY_KEYHELP_DOMAIN_ID." + return 0 +} \ No newline at end of file From c466f063c82ed23e695612d946ac9dcf98f71a1c Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Mon, 1 Apr 2024 21:59:12 +0800 Subject: [PATCH 009/313] add newline at end of file --- deploy/cachefly.sh | 2 +- deploy/directadmin.sh | 2 +- deploy/edgio.sh | 2 +- deploy/keyhelp.sh | 2 +- deploy/netlify.sh | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/deploy/cachefly.sh b/deploy/cachefly.sh index 0e436d26..325b2230 100644 --- a/deploy/cachefly.sh +++ b/deploy/cachefly.sh @@ -53,4 +53,4 @@ cachefly_deploy() { _debug response "$_response" _info "Domain $_cdomain certificate successfully deployed to CacheFly." return 0 -} \ No newline at end of file +} diff --git a/deploy/directadmin.sh b/deploy/directadmin.sh index 23d46df9..84818f93 100644 --- a/deploy/directadmin.sh +++ b/deploy/directadmin.sh @@ -77,4 +77,4 @@ directadmin_deploy() { _info "Domain $_cdomain certificate successfully deployed to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN." return 0 -} \ No newline at end of file +} diff --git a/deploy/edgio.sh b/deploy/edgio.sh index aadaa98a..1b0569cb 100644 --- a/deploy/edgio.sh +++ b/deploy/edgio.sh @@ -83,4 +83,4 @@ edgio_deploy() { done return 0 -} \ No newline at end of file +} diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh index b792f021..58f13152 100644 --- a/deploy/keyhelp.sh +++ b/deploy/keyhelp.sh @@ -108,4 +108,4 @@ keyhelp_deploy() { _info "Domain $_cdomain certificate successfully deployed to KeyHelp Domain ID $DEPLOY_KEYHELP_DOMAIN_ID." return 0 -} \ No newline at end of file +} diff --git a/deploy/netlify.sh b/deploy/netlify.sh index 2ff9bcb6..fb254a32 100644 --- a/deploy/netlify.sh +++ b/deploy/netlify.sh @@ -66,4 +66,4 @@ netlify_deploy() { done return 0 -} \ No newline at end of file +} From bfba44fbadc142a0f8dd87e107953e17970a4a90 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Sun, 7 Apr 2024 12:36:19 +0000 Subject: [PATCH 010/313] format adjustment --- deploy/cachefly.sh | 2 +- deploy/edgio.sh | 6 +++--- deploy/keyhelp.sh | 8 ++++---- deploy/netlify.sh | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/cachefly.sh b/deploy/cachefly.sh index 325b2230..7841b20b 100644 --- a/deploy/cachefly.sh +++ b/deploy/cachefly.sh @@ -44,7 +44,7 @@ cachefly_deploy() { _debug CACHEFLY_TOKEN "$CACHEFLY_TOKEN" export _H1="Authorization: Bearer $CACHEFLY_TOKEN" _response=$(_post "$_request_body" "$CACHEFLY_API_BASE/certificates" "" "POST" "application/json") - + if _contains "$_response" "message"; then _err "Error in deploying $_cdomain certificate to CacheFly." _err "$_response" diff --git a/deploy/edgio.sh b/deploy/edgio.sh index 1b0569cb..1acd0c8f 100644 --- a/deploy/edgio.sh +++ b/deploy/edgio.sh @@ -23,7 +23,7 @@ edgio_deploy() { _ccert="$3" _cca="$4" _cfullchain="$5" - + _debug _cdomain "$_cdomain" _debug _ckey "$_ckey" _debug _ccert "$_ccert" @@ -50,11 +50,11 @@ edgio_deploy() { else _savedomainconf EDGIO_ENVIRONMENT_ID "$EDGIO_ENVIRONMENT_ID" fi - + _info "Getting access token" _data="client_id=$EDGIO_CLIENT_ID&client_secret=$EDGIO_CLIENT_SECRET&grant_type=client_credentials&scope=app.config" _debug Get_access_token_data "$_data" - _response=$(_post "$_data" "https://id.edgio.app/connect/token" "" "POST" "application/x-www-form-urlencoded" ) + _response=$(_post "$_data" "https://id.edgio.app/connect/token" "" "POST" "application/x-www-form-urlencoded") _debug Get_access_token_response "$_response" _access_token=$(echo "$_response" | _json_decode | _egrep_o '"access_token":"[^"]*' | cut -d : -f 2 | tr -d '"') _debug _access_token "$_access_token" diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh index 58f13152..839b874c 100644 --- a/deploy/keyhelp.sh +++ b/deploy/keyhelp.sh @@ -92,8 +92,8 @@ keyhelp_deploy() { target_type=$(echo "$_response" | grep 'target_type' | grep 'checked' | sed -n 's/.*value="\([^"]*\).*/\1/p') _debug "cert_value" "$cert_value" if [ -z "$cert_value" ]; then - _err "Fail to get certificate id." - return 1 + _err "Fail to get certificate id." + return 1 fi _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&certificate_type=custom&certificate_id=$cert_value" @@ -101,8 +101,8 @@ keyhelp_deploy() { _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/
/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//') _info "_message" "$_message" if [ -z "$_message" ]; then - _err "Fail to apply certificate." - return 1 + _err "Fail to apply certificate." + return 1 fi done diff --git a/deploy/netlify.sh b/deploy/netlify.sh index fb254a32..8d25f74c 100644 --- a/deploy/netlify.sh +++ b/deploy/netlify.sh @@ -48,14 +48,14 @@ netlify_deploy() { string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n') string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n') string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') - + for SITE_ID in $Netlify_SITE_ID; do _request_body="{\"certificate\":\"$string_ccert\",\"key\":\"$string_key\",\"ca_certificates\":\"$string_cca\"}" _debug _request_body "$_request_body" _debug Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN" export _H1="Authorization: Bearer $Netlify_ACCESS_TOKEN" _response=$(_post "$_request_body" "https://api.netlify.com/api/v1/sites/$SITE_ID/ssl" "" "POST" "application/json") - + if _contains "$_response" "\"error\""; then _err "Error in deploying $_cdomain certificate to Netlify SITE_ID $SITE_ID." _err "$_response" From 1116b73a08aae1b58c8edb6fbb016d82ac3364c1 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Mon, 3 Jun 2024 16:47:43 +0800 Subject: [PATCH 011/313] deployhook KeyHelp: Support enabling the Enforce HTTPS option --- deploy/keyhelp.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh index 839b874c..0750e415 100644 --- a/deploy/keyhelp.sh +++ b/deploy/keyhelp.sh @@ -5,6 +5,7 @@ # export DEPLOY_KEYHELP_BASEURL="https://keyhelp.example.com" # export DEPLOY_KEYHELP_USERNAME="Your KeyHelp Username" # export DEPLOY_KEYHELP_PASSWORD="Your KeyHelp Password" +# export DEPLOY_KEYHELP_ENFORCE_HTTPS="1" # 0 or 1, input 1 to enable Enforce HTTP to HTTPS redirection. # export DEPLOY_KEYHELP_DOMAIN_ID="Depoly certificate to this Domain ID" # Open the 'Edit domain' page, and you will see id=xxx at the end of the URL. This is the Domain ID. @@ -54,6 +55,11 @@ keyhelp_deploy() { _savedomainconf DEPLOY_KEYHELP_DOMAIN_ID "$DEPLOY_KEYHELP_DOMAIN_ID" fi + # Optional DEPLOY_KEYHELP_ENFORCE_HTTPS + _getdeployconf DEPLOY_KEYHELP_ENFORCE_HTTPS + # set default values for DEPLOY_KEYHELP_ENFORCE_HTTPS + [ -n "${DEPLOY_KEYHELP_ENFORCE_HTTPS}" ] || DEPLOY_KEYHELP_ENFORCE_HTTPS="1" + _info "Logging in to keyhelp panel" username_encoded="$(printf "%s" "${DEPLOY_KEYHELP_USERNAME}" | _url_encode)" password_encoded="$(printf "%s" "${DEPLOY_KEYHELP_PASSWORD}" | _url_encode)" @@ -96,7 +102,7 @@ keyhelp_deploy() { return 1 fi - _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&certificate_type=custom&certificate_id=$cert_value" + _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&certificate_type=custom&certificate_id=$cert_value&enforce_https=$DEPLOY_KEYHELP_ENFORCE_HTTPS" _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit" "" "POST") _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/
/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//') _info "_message" "$_message" From 3f40380c69d75bbf09bdb9e4cdb1c007fe437655 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Mon, 3 Jun 2024 16:57:51 +0800 Subject: [PATCH 012/313] deployhook Directadmin: Support for selecting the scheme of DirectAdmin , HTTP or HTTPS --- deploy/directadmin.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deploy/directadmin.sh b/deploy/directadmin.sh index 84818f93..3f60a088 100644 --- a/deploy/directadmin.sh +++ b/deploy/directadmin.sh @@ -5,6 +5,7 @@ # https://docs.directadmin.com/changelog/version-1.24.4.html#cmd-api-catch-all-pop-passwords-frontpage-protected-dirs-ssl-certs # This deployment required following variables +# export DirectAdmin_SCHEME="https" # Optional, https or http, defaults to https # export DirectAdmin_ENDPOINT="example.com:2222" # export DirectAdmin_USERNAME="Your DirectAdmin Username" # export DirectAdmin_KEY="Your DirectAdmin Login Key or Password" @@ -53,6 +54,11 @@ directadmin_deploy() { _savedomainconf DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN" fi + # Optional SCHEME + _getdeployconf DirectAdmin_SCHEME + # set default values for DirectAdmin_SCHEME + [ -n "${DirectAdmin_SCHEME}" ] || DirectAdmin_SCHEME="https" + _info "Deploying certificate to DirectAdmin..." # upload certificate @@ -65,7 +71,7 @@ directadmin_deploy() { _debug DirectAdmin_USERNAME "$DirectAdmin_USERNAME" _debug DirectAdmin_KEY "$DirectAdmin_KEY" _debug DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN" - _response=$(_post "$_request_body" "https://$DirectAdmin_USERNAME:$DirectAdmin_KEY@$DirectAdmin_ENDPOINT/CMD_API_SSL" "" "POST" "application/json") + _response=$(_post "$_request_body" "$DirectAdmin_SCHEME://$DirectAdmin_USERNAME:$DirectAdmin_KEY@$DirectAdmin_ENDPOINT/CMD_API_SSL" "" "POST" "application/json") if _contains "$_response" "error=1"; then _err "Error in deploying $_cdomain certificate to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN." From 2beb2f5659e968423f91c8db2d634d85177fff2a Mon Sep 17 00:00:00 2001 From: Manuel Sanchez Pinar Date: Thu, 4 Jul 2024 14:03:20 +0200 Subject: [PATCH 013/313] fix: rage4 - add error 400 and TXT cleanup The following error happens if the header is set to 'Content-Type: application/json': {"statusCode":400,"message":"One or more errors occurred!", "errors":{"serializerErrors":["The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true. LineNumber: 0 | BytePositionInLine: 0."]}} Fix TXT removal --- dnsapi/dns_rage4.sh | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_rage4.sh b/dnsapi/dns_rage4.sh index ad312759..c27fbc5f 100755 --- a/dnsapi/dns_rage4.sh +++ b/dnsapi/dns_rage4.sh @@ -42,6 +42,14 @@ dns_rage4_add() { _debug _domain_id "$_domain_id" _rage4_rest "createrecord/?id=$_domain_id&name=$fulldomain&content=$unquotedtxtvalue&type=TXT&active=true&ttl=1" + + # Response after adding a TXT record should be something like this: + # {"status":true,"id":28160443,"error":null} + if ! _contains "$response" '"error":null' >/dev/null; then + _err "Error while adding TXT record: '$response'" + return 1 + fi + return 0 } @@ -63,7 +71,12 @@ dns_rage4_rm() { _debug "Getting txt records" _rage4_rest "getrecords/?id=${_domain_id}" - _record_id=$(echo "$response" | sed -rn 's/.*"id":([[:digit:]]+)[^\}]*'"$txtvalue"'.*/\1/p') + _record_id=$(echo "$response" | tr '{' '\n' | grep '"TXT"' | grep "\"$txtvalue" | sed -rn 's/.*"id":([[:digit:]]+),.*/\1/p') + if [ -z "$_record_id" ]; then + _err "error retrieving the record_id of the new TXT record in order to delete it, got: '$_record_id'." + return 1 + fi + _rage4_rest "deleterecord/?id=${_record_id}" return 0 } @@ -105,8 +118,7 @@ _rage4_rest() { token_trimmed=$(echo "$RAGE4_TOKEN" | tr -d '"') auth=$(printf '%s:%s' "$username_trimmed" "$token_trimmed" | _base64) - export _H1="Content-Type: application/json" - export _H2="Authorization: Basic $auth" + export _H1="Authorization: Basic $auth" response="$(_get "$RAGE4_Api$ep")" From 2f5ea120cb18d56d9d21da07034cb679457b3c94 Mon Sep 17 00:00:00 2001 From: b1n23 <97284148+b1n23@users.noreply.github.com> Date: Tue, 16 Jul 2024 00:25:53 +0800 Subject: [PATCH 014/313] deployhook KeyHelp: fix bug --- deploy/keyhelp.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh index 0750e415..97f9c21c 100644 --- a/deploy/keyhelp.sh +++ b/deploy/keyhelp.sh @@ -5,7 +5,6 @@ # export DEPLOY_KEYHELP_BASEURL="https://keyhelp.example.com" # export DEPLOY_KEYHELP_USERNAME="Your KeyHelp Username" # export DEPLOY_KEYHELP_PASSWORD="Your KeyHelp Password" -# export DEPLOY_KEYHELP_ENFORCE_HTTPS="1" # 0 or 1, input 1 to enable Enforce HTTP to HTTPS redirection. # export DEPLOY_KEYHELP_DOMAIN_ID="Depoly certificate to this Domain ID" # Open the 'Edit domain' page, and you will see id=xxx at the end of the URL. This is the Domain ID. @@ -96,13 +95,28 @@ keyhelp_deploy() { _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=$DOMAIN_ID") cert_value=$(echo "$_response" | grep "$certificate_name" | sed -n 's/.*value="\([^"]*\).*/\1/p') target_type=$(echo "$_response" | grep 'target_type' | grep 'checked' | sed -n 's/.*value="\([^"]*\).*/\1/p') + if [ "$target_type" = "directory" ]; then + path=$(echo "$_response" | awk '/name="path"/{getline; print}' | sed -n 's/.*value="\([^"]*\).*/\1/p') + fi + echo "$_response" | grep "is_prefer_https" | grep "checked" >/dev/null + if [ $? -eq 0 ]; then + is_prefer_https=1 + else + is_prefer_https=0 + fi + echo "$_response" | grep "hsts_enabled" | grep "checked" >/dev/null + if [ $? -eq 0 ]; then + hsts_enabled=1 + else + hsts_enabled=0 + fi _debug "cert_value" "$cert_value" if [ -z "$cert_value" ]; then _err "Fail to get certificate id." return 1 fi - _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&certificate_type=custom&certificate_id=$cert_value&enforce_https=$DEPLOY_KEYHELP_ENFORCE_HTTPS" + _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&path=$path&is_prefer_https=$is_prefer_https&hsts_enabled=$hsts_enabled&certificate_type=custom&certificate_id=$cert_value&enforce_https=$DEPLOY_KEYHELP_ENFORCE_HTTPS" _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit" "" "POST") _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/
/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//') _info "_message" "$_message" From d5b5bcef5631ae2e04d9df7c19be0947351145ab Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 10 Dec 2024 20:54:20 +0100 Subject: [PATCH 015/313] support ARI, not finished yet https://github.com/acmesh-official/acme.sh/issues/4944 --- acme.sh | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/acme.sh b/acme.sh index 9842e3f1..bc146996 100755 --- a/acme.sh +++ b/acme.sh @@ -2746,6 +2746,7 @@ _clearAPI() { ACME_REVOKE_CERT="" ACME_NEW_NONCE="" ACME_AGREEMENT="" + ACME_RENEWAL_INFO="" } #server @@ -2790,6 +2791,9 @@ _initAPI() { ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3) export ACME_AGREEMENT + ACME_RENEWAL_INFO=$(echo "$response" | _egrep_o 'renewalInfo" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_RENEWAL_INFO + _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE" _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" _debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" @@ -2797,6 +2801,7 @@ _initAPI() { _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" _debug "ACME_AGREEMENT" "$ACME_AGREEMENT" _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE" + _debug "ACME_RENEWAL_INFO" "$ACME_RENEWAL_INFO" if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then return 0 fi @@ -6416,6 +6421,36 @@ deactivate() { done } +#cert +_getAKI() { + _cert="$1" + openssl x509 -in "$_cert" -text -noout | grep "X509v3 Authority Key Identifier" -A 1 | _tail_n 1 | tr -d ' :' +} + +#cert +_getSerial() { + _cert="$1" + openssl x509 -in "$_cert" -serial -noout | cut -d = -f 2 +} + +#cert +_get_ARI() { + _cert="$1" + _aki=$(_getAKI "$_cert") + _ser=$(_getSerial "$_cert") + _debug2 "_aki" "$_aki" + _debug2 "_ser" "$_ser" + + _akiurl="$(echo "$_aki" | _h2b | _base64 | tr -d = | _url_encode)" + _debug2 "_akiurl" "$_akiurl" + _serurl="$(echo "$_ser" | _h2b | _base64 | tr -d = | _url_encode)" + _debug2 "_serurl" "$_serurl" + + _ARI_URL="$ACME_RENEWAL_INFO/$_akiurl.$_serurl" + _get "$_ARI_URL" + +} + # Detect profile file if not specified as environment variable _detect_profile() { if [ -n "$PROFILE" -a -f "$PROFILE" ]; then From 5ddffc9172e9dd00c90f4251e0e37310525db337 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 10 Dec 2024 21:01:37 +0100 Subject: [PATCH 016/313] fix format --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index bc146996..4290d7a1 100755 --- a/acme.sh +++ b/acme.sh @@ -6441,9 +6441,9 @@ _get_ARI() { _debug2 "_aki" "$_aki" _debug2 "_ser" "$_ser" - _akiurl="$(echo "$_aki" | _h2b | _base64 | tr -d = | _url_encode)" + _akiurl="$(echo "$_aki" | _h2b | _base64 | tr -d = | _url_encode)" _debug2 "_akiurl" "$_akiurl" - _serurl="$(echo "$_ser" | _h2b | _base64 | tr -d = | _url_encode)" + _serurl="$(echo "$_ser" | _h2b | _base64 | tr -d = | _url_encode)" _debug2 "_serurl" "$_serurl" _ARI_URL="$ACME_RENEWAL_INFO/$_akiurl.$_serurl" From ee661e5d7112674cf432a6dacc6455b11c54f38e Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 10 Dec 2024 21:02:54 +0100 Subject: [PATCH 017/313] fix format --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 4290d7a1..b7558ee5 100755 --- a/acme.sh +++ b/acme.sh @@ -6445,7 +6445,7 @@ _get_ARI() { _debug2 "_akiurl" "$_akiurl" _serurl="$(echo "$_ser" | _h2b | _base64 | tr -d = | _url_encode)" _debug2 "_serurl" "$_serurl" - + _ARI_URL="$ACME_RENEWAL_INFO/$_akiurl.$_serurl" _get "$_ARI_URL" From 29342e036f5b3e821be3770686bdef022623ef61 Mon Sep 17 00:00:00 2001 From: kir Date: Tue, 11 Mar 2025 08:07:38 +0000 Subject: [PATCH 018/313] Update _get_root url in dnsapi/dns_fornex.sh --- dnsapi/dns_fornex.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_fornex.sh b/dnsapi/dns_fornex.sh index 91e5491b..dcaa2297 100644 --- a/dnsapi/dns_fornex.sh +++ b/dnsapi/dns_fornex.sh @@ -95,7 +95,7 @@ _get_root() { return 1 fi - if ! _rest GET "dns/domain/"; then + if ! _rest GET "dns/domain/?q=$h"; then return 1 fi From c6a9825c0a2c6c4852a869a9cbf4864d1e270ccb Mon Sep 17 00:00:00 2001 From: asavin Date: Fri, 18 Apr 2025 17:25:55 +0200 Subject: [PATCH 019/313] Initial commit --- dnsapi/dns_efficientip.sh | 125 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100755 dnsapi/dns_efficientip.sh diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh new file mode 100755 index 00000000..fe5538bd --- /dev/null +++ b/dnsapi/dns_efficientip.sh @@ -0,0 +1,125 @@ +#!/bin/sh +export dns_efficientip_info='efficientip.com +Site: https://efficientip.com/ +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip +Options: + EfficientIP_Creds HTTP Basic Authentication credentials. E.g. "username:password" + EfficientIP_Token_Key Alternative API token key identifier, prefered over basic authentication. + EfficientIP_Token_Secret Alternative API token secret, required when using a token key. + EfficientIP_Server EfficientIP SOLIDserver Management IP or FQDN. + EfficientIP_DNS_Name Name of the DNS smart or server. + EfficientIP_View Name of the DNS view (optional). +Issues: github.com/acmesh-official/acme.sh/issues/ +Author: EfficientIP-Labs +' + +dns_efficientip_add() { + + fulldomain=$1 + txtvalue=$2 + + _info "Using EfficientIP API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ([ -z "$EfficientIP_Creds" ] && ([ -z "$EfficientIP_Token_Key" ] || [ -z "$EfficientIP_Token_Secret" ])) || [ -z "$EfficientIP_Server" ]; then + EfficientIP_Creds="" + EfficientIP_Token_Key="" + EfficientIP_Token_Secret="" + EfficientIP_Server="" + _err "You didn't specify any EfficientIP credentials or token or server (EfficientIP_Creds; EfficientIP_Token_Key; EfficientIP_Token_Secret; EfficientIP_Server)." + _err "Please set them via EXPORT EfficientIP_Creds=username:password or EXPORT EfficientIP_server=ip/hostname" + _err "or if you want to use Token instead set via EXPORT EfficientIP_Token_Key=yourkey" + _err "and EXPORT EfficientIP_Token_Secret=yoursecret" + _err "and try again." + return 1 + fi + + _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}" + _saveaccountconf EfficientIP_Token_Key "${EfficientIP_Token_Key}" + _saveaccountconf EfficientIP_Token_Secret "${EfficientIP_Token_Secret}" + _saveaccountconf EfficientIP_Server "${EfficientIP_Server}" + _saveaccountconf EfficientIP_DNS_Name "${EfficientIP_DNS_Name}" + _saveaccountconf EfficientIP_View "${EfficientIP_View}" + + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) + + export _H1="Accept-Language:en-US" + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue" + + if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" + fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" + fi + + if [ -z "${EfficientIP_Token_Secret}" ] || [ -z "${EfficientIP_Token_Key}" ]; then + EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64) + export _H2="Authorization: Basic ${EfficientIP_CredsEncoded}" + else + TS=$(date +%s) + Sig=$(printf "%b\n$TS\nPOST\n$baseurlnObject" "${EfficientIP_Token_Secret}" | openssl dgst -sha3-256 | cut -d '=' -f 2 | tr -d ' ') + EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig") + export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" + export _H3="X-SDS-TS: ${TS}" + fi + + result="$(_post "" "${baseurlnObject}" "" "POST")" + + if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then + _info "Successfully created the txt record" + return 0 + else + _err "Error encountered during record addition" + _err "${result}" + return 1 + fi +} + +dns_efficientip_rm() { + + fulldomain=$1 + txtvalue=$2 + + _info "Using EfficientIP API" + _debug fulldomain "${fulldomain}" + _debug txtvalue "${txtvalue}" + + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) + EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64) + + export _H1="Accept-Language:en-US" + + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_delete?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue" + if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" + fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" + fi + + if [ -z "$EfficientIP_Token_Secret" ] || [ -z "$EfficientIP_Token_Key" ]; then + EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64) + export _H2="Authorization: Basic $EfficientIP_CredsEncoded" + else + TS=$(date +%s) + Sig=$(printf "%b\n$TS\nDELETE\n${baseurlnObject}" "${EfficientIP_Token_Secret}" | openssl dgst -sha3-256 | cut -d '=' -f 2 | tr -d ' ') + EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig" | _base64) + export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" + export _H3="X-SDS-TS: $TS" + fi + + result="$(_post "" "${baseurlnObject}" "" "DELETE")" + + if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then + _info "Successfully deleted the txt record" + return 0 + else + _err "Error encountered during record delete" + _err "${result}" + return 1 + fi +} \ No newline at end of file From 218934e76722697be3c258a7205daf8c1b5e26c0 Mon Sep 17 00:00:00 2001 From: asavin Date: Fri, 18 Apr 2025 18:06:12 +0200 Subject: [PATCH 020/313] Remove export ? --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index fe5538bd..9c06514c 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -1,5 +1,5 @@ #!/bin/sh -export dns_efficientip_info='efficientip.com +dns_efficientip_info='efficientip.com Site: https://efficientip.com/ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip Options: From a0c5ef4e6fb9acc47ac6b56bf29081b8b4cbb6ce Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 11:17:14 +0200 Subject: [PATCH 021/313] Fixing shellcheck issues --- dnsapi/dns_efficientip.sh | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 9c06514c..d04aec5d 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -14,7 +14,6 @@ Author: EfficientIP-Labs ' dns_efficientip_add() { - fulldomain=$1 txtvalue=$2 @@ -22,7 +21,7 @@ dns_efficientip_add() { _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" - if ([ -z "$EfficientIP_Creds" ] && ([ -z "$EfficientIP_Token_Key" ] || [ -z "$EfficientIP_Token_Secret" ])) || [ -z "$EfficientIP_Server" ]; then + if ([ -z "${EfficientIP_Creds}" ] && ([ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ])) || [ -z "${EfficientIP_Server}" ]; then EfficientIP_Creds="" EfficientIP_Token_Key="" EfficientIP_Token_Secret="" @@ -35,6 +34,16 @@ dns_efficientip_add() { return 1 fi + if [ -z "${EfficientIP_DNS_Name}" ]; then + EfficientIP_DNS_Name="" + fi; + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) + + if [ -z "${EfficientIP_View}" ]; then + EfficientIP_View="" + fi; + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) + _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}" _saveaccountconf EfficientIP_Token_Key "${EfficientIP_Token_Key}" _saveaccountconf EfficientIP_Token_Secret "${EfficientIP_Token_Secret}" @@ -42,15 +51,13 @@ dns_efficientip_add() { _saveaccountconf EfficientIP_DNS_Name "${EfficientIP_DNS_Name}" _saveaccountconf EfficientIP_View "${EfficientIP_View}" - EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) - EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) - export _H1="Accept-Language:en-US" - baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue" + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=${fulldomain}&rr_value1=${txtvalue}" if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" fi From 7c610124d9cb6f2427bbf8357c2f5d20917426bb Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 11:32:23 +0200 Subject: [PATCH 022/313] Updating Options to meet OptionsAlt pre-requisites --- dnsapi/dns_efficientip.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index d04aec5d..89fb48f5 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -4,11 +4,16 @@ Site: https://efficientip.com/ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip Options: EfficientIP_Creds HTTP Basic Authentication credentials. E.g. "username:password" - EfficientIP_Token_Key Alternative API token key identifier, prefered over basic authentication. + EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN. + EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. + EfficientIP_View Name of the DNS view hosting the zone. Optional. +OptionsAlt: + EfficientIP_Token_Key Alternative API token key, prefered over basic authentication. EfficientIP_Token_Secret Alternative API token secret, required when using a token key. - EfficientIP_Server EfficientIP SOLIDserver Management IP or FQDN. - EfficientIP_DNS_Name Name of the DNS smart or server. - EfficientIP_View Name of the DNS view (optional). + EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN. + EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. + EfficientIP_View Name of the DNS view hosting the zone. Optional. + Issues: github.com/acmesh-official/acme.sh/issues/ Author: EfficientIP-Labs ' From 1f77b8926680008b2c11038598f120be8b12edce Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 11:40:01 +0200 Subject: [PATCH 023/313] Updating issue ID --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 89fb48f5..c6638fcc 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -14,7 +14,7 @@ OptionsAlt: EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. EfficientIP_View Name of the DNS view hosting the zone. Optional. -Issues: github.com/acmesh-official/acme.sh/issues/ +Issues: github.com/acmesh-official/acme.sh/issues/6325 Author: EfficientIP-Labs ' From 75603755023b9fba0d6710fbe391f99fc7c577ec Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:23:11 +0200 Subject: [PATCH 024/313] Update for testing github action pipeline --- dnsapi/dns_efficientip.sh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index c6638fcc..eb19fe38 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -78,13 +78,17 @@ dns_efficientip_add() { export _H3="X-SDS-TS: ${TS}" fi - result="$(_post "" "${baseurlnObject}" "" "POST")" + if [ -n "${GITHUB_ACTIONS+1}" ]; then + result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" + else + result="$(_post "" "${baseurlnObject}" "" "POST")" + fi; if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Successfully created the txt record" + _info "Record successfully created" return 0 else - _err "Error encountered during record addition" + _err "Error creating the record" _err "${result}" return 1 fi @@ -124,13 +128,17 @@ dns_efficientip_rm() { export _H3="X-SDS-TS: $TS" fi - result="$(_post "" "${baseurlnObject}" "" "DELETE")" + if [ -n "${GITHUB_ACTIONS+1}" ]; then + result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" + else + result="$(_post "" "${baseurlnObject}" "" "DELETE")" + fi if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Successfully deleted the txt record" + _info "Record successfully deleted" return 0 else - _err "Error encountered during record delete" + _err "Error deleting the record" _err "${result}" return 1 fi From e089a3d8a152aaff32bd3cc3e7d786226a949901 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:31:17 +0200 Subject: [PATCH 025/313] Update for testing github action pipeline --- dnsapi/dns_efficientip.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index eb19fe38..b39d8fba 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -33,9 +33,9 @@ dns_efficientip_add() { EfficientIP_Server="" _err "You didn't specify any EfficientIP credentials or token or server (EfficientIP_Creds; EfficientIP_Token_Key; EfficientIP_Token_Secret; EfficientIP_Server)." _err "Please set them via EXPORT EfficientIP_Creds=username:password or EXPORT EfficientIP_server=ip/hostname" - _err "or if you want to use Token instead set via EXPORT EfficientIP_Token_Key=yourkey" + _err "or if you want to use Token instead EXPORT EfficientIP_Token_Key=yourkey" _err "and EXPORT EfficientIP_Token_Secret=yoursecret" - _err "and try again." + _err "then try again." return 1 fi From eabd7592fe3942bc38b501c2cd25a25eda9c56ac Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:41:22 +0200 Subject: [PATCH 026/313] Fixing sh syntax --- dnsapi/dns_efficientip.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index b39d8fba..ab946e3e 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -41,12 +41,14 @@ dns_efficientip_add() { if [ -z "${EfficientIP_DNS_Name}" ]; then EfficientIP_DNS_Name="" - fi; + fi + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) if [ -z "${EfficientIP_View}" ]; then EfficientIP_View="" - fi; + fi + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}" @@ -82,7 +84,7 @@ dns_efficientip_add() { result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" else result="$(_post "" "${baseurlnObject}" "" "POST")" - fi; + fi if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then _info "Record successfully created" @@ -113,6 +115,7 @@ dns_efficientip_rm() { if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" fi @@ -142,4 +145,4 @@ dns_efficientip_rm() { _err "${result}" return 1 fi -} \ No newline at end of file +} From 9eeb979c7bfdc9ed6a5455223e10f0761691029b Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:49:41 +0200 Subject: [PATCH 027/313] Fixing shellcheck issue --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index ab946e3e..292d6b5e 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -26,7 +26,7 @@ dns_efficientip_add() { _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" - if ([ -z "${EfficientIP_Creds}" ] && ([ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ])) || [ -z "${EfficientIP_Server}" ]; then + if { [ -z "${EfficientIP_Creds}" ] && { [ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ]; }; } || [ -z "${EfficientIP_Server}" ]; then EfficientIP_Creds="" EfficientIP_Token_Key="" EfficientIP_Token_Secret="" From 5bc01aa2518bdde413bc8a0dffce705d1c6d602c Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:56:49 +0200 Subject: [PATCH 028/313] Disabling SC2034 --- dnsapi/dns_efficientip.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 292d6b5e..9dc2e374 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -1,4 +1,5 @@ #!/bin/sh +# shellcheck disable=SC2034 dns_efficientip_info='efficientip.com Site: https://efficientip.com/ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip From 59a43ce5d1cea2803b3f3d138b5459463c7d253b Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 16:27:36 +0200 Subject: [PATCH 029/313] Disabling SC2034 --- dnsapi/dns_efficientip.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 9dc2e374..d1fdccf6 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -14,7 +14,6 @@ OptionsAlt: EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN. EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. EfficientIP_View Name of the DNS view hosting the zone. Optional. - Issues: github.com/acmesh-official/acme.sh/issues/6325 Author: EfficientIP-Labs ' From 90e9d8ff52bd26c2dd99f6b5d71ccd099a8d9389 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 16:38:37 +0200 Subject: [PATCH 030/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index d1fdccf6..9a73303f 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -145,4 +145,4 @@ dns_efficientip_rm() { _err "${result}" return 1 fi -} +} \ No newline at end of file From 5bb09f469f96eb6c3cf9d72a4ac504c409484f51 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 17:06:33 +0200 Subject: [PATCH 031/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 9a73303f..bed5c1d6 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -80,7 +80,7 @@ dns_efficientip_add() { export _H3="X-SDS-TS: ${TS}" fi - if [ -n "${GITHUB_ACTIONS+1}" ]; then + if [ -n "${TEST_DNS+1}" ]; then result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" else result="$(_post "" "${baseurlnObject}" "" "POST")" @@ -131,7 +131,7 @@ dns_efficientip_rm() { export _H3="X-SDS-TS: $TS" fi - if [ -n "${GITHUB_ACTIONS+1}" ]; then + if [ -n "${TEST_DNS+1}" ]; then result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" else result="$(_post "" "${baseurlnObject}" "" "DELETE")" @@ -145,4 +145,4 @@ dns_efficientip_rm() { _err "${result}" return 1 fi -} \ No newline at end of file +} From 7a0450a7f466b21e37c452aa1bac8e343c448391 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 17:55:23 +0200 Subject: [PATCH 032/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index bed5c1d6..546b8dc2 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -90,7 +90,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the record" + _err "Error creating the DNS record" _err "${result}" return 1 fi @@ -141,7 +141,7 @@ dns_efficientip_rm() { _info "Record successfully deleted" return 0 else - _err "Error deleting the record" + _err "Error deleting the DNS record" _err "${result}" return 1 fi From 30d5d1aea9a9825eca1bcdc4898a162bb2b8f621 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 18:01:29 +0200 Subject: [PATCH 033/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 546b8dc2..a44cab98 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -80,11 +80,7 @@ dns_efficientip_add() { export _H3="X-SDS-TS: ${TS}" fi - if [ -n "${TEST_DNS+1}" ]; then - result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" - else - result="$(_post "" "${baseurlnObject}" "" "POST")" - fi + result="$(_post "" "${baseurlnObject}" "" "POST")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then _info "Record successfully created" @@ -131,11 +127,7 @@ dns_efficientip_rm() { export _H3="X-SDS-TS: $TS" fi - if [ -n "${TEST_DNS+1}" ]; then - result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" - else - result="$(_post "" "${baseurlnObject}" "" "DELETE")" - fi + result="$(_post "" "${baseurlnObject}" "" "DELETE")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then _info "Record successfully deleted" From f29bfd995d3204398d7d7346f25092de01a39efc Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 10:15:56 +0200 Subject: [PATCH 034/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index a44cab98..997f58f4 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record" + _err "Error creating the DNS record using EIP" _err "${result}" return 1 fi From 4d933c23a8660ab472445f22f688c97eb3c97170 Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 10:43:46 +0200 Subject: [PATCH 035/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 997f58f4..bd95eb42 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record using EIP" + _err "Error creating the DNS record EIP" _err "${result}" return 1 fi From 91081ade3c82949c9a492232d9cb042966dcb507 Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 10:50:57 +0200 Subject: [PATCH 036/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index bd95eb42..997f58f4 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record EIP" + _err "Error creating the DNS record using EIP" _err "${result}" return 1 fi From 9f09dcd18cb6538875f5937199dc1358b6b270cb Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 11:13:38 +0200 Subject: [PATCH 037/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 997f58f4..e9d190b7 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record using EIP" + _err "Error creating the DNS record with EIP" _err "${result}" return 1 fi From 7f1423dd6f77a073359a2300408e111b5ee1176c Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 13:33:28 +0200 Subject: [PATCH 038/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index e9d190b7..f2eaaf3b 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -59,7 +59,7 @@ dns_efficientip_add() { _saveaccountconf EfficientIP_View "${EfficientIP_View}" export _H1="Accept-Language:en-US" - baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=${fulldomain}&rr_value1=${txtvalue}" + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_ttl=300&rr_name=${fulldomain}&rr_value1=${txtvalue}" if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record with EIP" + _err "Error creating the DNS record" _err "${result}" return 1 fi From 419738fbd5e3f7ad67f67a322e2f2cac18658dfd Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 16:05:20 +0200 Subject: [PATCH 039/313] Triggering pipeline with DNS_WILDCARD --- dnsapi/dns_efficientip.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index f2eaaf3b..afcd9af4 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -83,10 +83,10 @@ dns_efficientip_add() { result="$(_post "" "${baseurlnObject}" "" "POST")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Record successfully created" + _info "DNS record successfully created" return 0 else - _err "Error creating the DNS record" + _err "Error creating DNS record" _err "${result}" return 1 fi @@ -130,10 +130,10 @@ dns_efficientip_rm() { result="$(_post "" "${baseurlnObject}" "" "DELETE")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Record successfully deleted" + _info "DNS Record successfully deleted" return 0 else - _err "Error deleting the DNS record" + _err "Error deleting DNS record" _err "${result}" return 1 fi From e08f9080c2c90e933052c4047dc6be5f37f65783 Mon Sep 17 00:00:00 2001 From: asavin Date: Fri, 18 Apr 2025 17:25:55 +0200 Subject: [PATCH 040/313] Initial commit --- dnsapi/dns_efficientip.sh | 125 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100755 dnsapi/dns_efficientip.sh diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh new file mode 100755 index 00000000..fe5538bd --- /dev/null +++ b/dnsapi/dns_efficientip.sh @@ -0,0 +1,125 @@ +#!/bin/sh +export dns_efficientip_info='efficientip.com +Site: https://efficientip.com/ +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip +Options: + EfficientIP_Creds HTTP Basic Authentication credentials. E.g. "username:password" + EfficientIP_Token_Key Alternative API token key identifier, prefered over basic authentication. + EfficientIP_Token_Secret Alternative API token secret, required when using a token key. + EfficientIP_Server EfficientIP SOLIDserver Management IP or FQDN. + EfficientIP_DNS_Name Name of the DNS smart or server. + EfficientIP_View Name of the DNS view (optional). +Issues: github.com/acmesh-official/acme.sh/issues/ +Author: EfficientIP-Labs +' + +dns_efficientip_add() { + + fulldomain=$1 + txtvalue=$2 + + _info "Using EfficientIP API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ([ -z "$EfficientIP_Creds" ] && ([ -z "$EfficientIP_Token_Key" ] || [ -z "$EfficientIP_Token_Secret" ])) || [ -z "$EfficientIP_Server" ]; then + EfficientIP_Creds="" + EfficientIP_Token_Key="" + EfficientIP_Token_Secret="" + EfficientIP_Server="" + _err "You didn't specify any EfficientIP credentials or token or server (EfficientIP_Creds; EfficientIP_Token_Key; EfficientIP_Token_Secret; EfficientIP_Server)." + _err "Please set them via EXPORT EfficientIP_Creds=username:password or EXPORT EfficientIP_server=ip/hostname" + _err "or if you want to use Token instead set via EXPORT EfficientIP_Token_Key=yourkey" + _err "and EXPORT EfficientIP_Token_Secret=yoursecret" + _err "and try again." + return 1 + fi + + _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}" + _saveaccountconf EfficientIP_Token_Key "${EfficientIP_Token_Key}" + _saveaccountconf EfficientIP_Token_Secret "${EfficientIP_Token_Secret}" + _saveaccountconf EfficientIP_Server "${EfficientIP_Server}" + _saveaccountconf EfficientIP_DNS_Name "${EfficientIP_DNS_Name}" + _saveaccountconf EfficientIP_View "${EfficientIP_View}" + + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) + + export _H1="Accept-Language:en-US" + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue" + + if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" + fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" + fi + + if [ -z "${EfficientIP_Token_Secret}" ] || [ -z "${EfficientIP_Token_Key}" ]; then + EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64) + export _H2="Authorization: Basic ${EfficientIP_CredsEncoded}" + else + TS=$(date +%s) + Sig=$(printf "%b\n$TS\nPOST\n$baseurlnObject" "${EfficientIP_Token_Secret}" | openssl dgst -sha3-256 | cut -d '=' -f 2 | tr -d ' ') + EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig") + export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" + export _H3="X-SDS-TS: ${TS}" + fi + + result="$(_post "" "${baseurlnObject}" "" "POST")" + + if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then + _info "Successfully created the txt record" + return 0 + else + _err "Error encountered during record addition" + _err "${result}" + return 1 + fi +} + +dns_efficientip_rm() { + + fulldomain=$1 + txtvalue=$2 + + _info "Using EfficientIP API" + _debug fulldomain "${fulldomain}" + _debug txtvalue "${txtvalue}" + + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) + EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64) + + export _H1="Accept-Language:en-US" + + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_delete?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue" + if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" + fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then + baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" + fi + + if [ -z "$EfficientIP_Token_Secret" ] || [ -z "$EfficientIP_Token_Key" ]; then + EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64) + export _H2="Authorization: Basic $EfficientIP_CredsEncoded" + else + TS=$(date +%s) + Sig=$(printf "%b\n$TS\nDELETE\n${baseurlnObject}" "${EfficientIP_Token_Secret}" | openssl dgst -sha3-256 | cut -d '=' -f 2 | tr -d ' ') + EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig" | _base64) + export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" + export _H3="X-SDS-TS: $TS" + fi + + result="$(_post "" "${baseurlnObject}" "" "DELETE")" + + if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then + _info "Successfully deleted the txt record" + return 0 + else + _err "Error encountered during record delete" + _err "${result}" + return 1 + fi +} \ No newline at end of file From 8ca90297e730305f00ac645d03180446efc20dc2 Mon Sep 17 00:00:00 2001 From: asavin Date: Fri, 18 Apr 2025 18:06:12 +0200 Subject: [PATCH 041/313] Remove export ? --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index fe5538bd..9c06514c 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -1,5 +1,5 @@ #!/bin/sh -export dns_efficientip_info='efficientip.com +dns_efficientip_info='efficientip.com Site: https://efficientip.com/ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip Options: From f7d8abe8ea94a1673c50e86b9479140e3ba69342 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 11:17:14 +0200 Subject: [PATCH 042/313] Fixing shellcheck issues --- dnsapi/dns_efficientip.sh | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 9c06514c..d04aec5d 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -14,7 +14,6 @@ Author: EfficientIP-Labs ' dns_efficientip_add() { - fulldomain=$1 txtvalue=$2 @@ -22,7 +21,7 @@ dns_efficientip_add() { _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" - if ([ -z "$EfficientIP_Creds" ] && ([ -z "$EfficientIP_Token_Key" ] || [ -z "$EfficientIP_Token_Secret" ])) || [ -z "$EfficientIP_Server" ]; then + if ([ -z "${EfficientIP_Creds}" ] && ([ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ])) || [ -z "${EfficientIP_Server}" ]; then EfficientIP_Creds="" EfficientIP_Token_Key="" EfficientIP_Token_Secret="" @@ -35,6 +34,16 @@ dns_efficientip_add() { return 1 fi + if [ -z "${EfficientIP_DNS_Name}" ]; then + EfficientIP_DNS_Name="" + fi; + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) + + if [ -z "${EfficientIP_View}" ]; then + EfficientIP_View="" + fi; + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) + _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}" _saveaccountconf EfficientIP_Token_Key "${EfficientIP_Token_Key}" _saveaccountconf EfficientIP_Token_Secret "${EfficientIP_Token_Secret}" @@ -42,15 +51,13 @@ dns_efficientip_add() { _saveaccountconf EfficientIP_DNS_Name "${EfficientIP_DNS_Name}" _saveaccountconf EfficientIP_View "${EfficientIP_View}" - EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) - EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) - export _H1="Accept-Language:en-US" - baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue" + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=${fulldomain}&rr_value1=${txtvalue}" if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" fi From 8484565e951845e47d24901dd0123a6dc73520cf Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 11:32:23 +0200 Subject: [PATCH 043/313] Updating Options to meet OptionsAlt pre-requisites --- dnsapi/dns_efficientip.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index d04aec5d..89fb48f5 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -4,11 +4,16 @@ Site: https://efficientip.com/ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip Options: EfficientIP_Creds HTTP Basic Authentication credentials. E.g. "username:password" - EfficientIP_Token_Key Alternative API token key identifier, prefered over basic authentication. + EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN. + EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. + EfficientIP_View Name of the DNS view hosting the zone. Optional. +OptionsAlt: + EfficientIP_Token_Key Alternative API token key, prefered over basic authentication. EfficientIP_Token_Secret Alternative API token secret, required when using a token key. - EfficientIP_Server EfficientIP SOLIDserver Management IP or FQDN. - EfficientIP_DNS_Name Name of the DNS smart or server. - EfficientIP_View Name of the DNS view (optional). + EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN. + EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. + EfficientIP_View Name of the DNS view hosting the zone. Optional. + Issues: github.com/acmesh-official/acme.sh/issues/ Author: EfficientIP-Labs ' From 67855f21d45136741a4efdde94990a3b7a9acaed Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 11:40:01 +0200 Subject: [PATCH 044/313] Updating issue ID --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 89fb48f5..c6638fcc 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -14,7 +14,7 @@ OptionsAlt: EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. EfficientIP_View Name of the DNS view hosting the zone. Optional. -Issues: github.com/acmesh-official/acme.sh/issues/ +Issues: github.com/acmesh-official/acme.sh/issues/6325 Author: EfficientIP-Labs ' From 4d7cb7de5f78fa788927eaa89dd863bb66e8d7dd Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:23:11 +0200 Subject: [PATCH 045/313] Update for testing github action pipeline --- dnsapi/dns_efficientip.sh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index c6638fcc..eb19fe38 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -78,13 +78,17 @@ dns_efficientip_add() { export _H3="X-SDS-TS: ${TS}" fi - result="$(_post "" "${baseurlnObject}" "" "POST")" + if [ -n "${GITHUB_ACTIONS+1}" ]; then + result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" + else + result="$(_post "" "${baseurlnObject}" "" "POST")" + fi; if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Successfully created the txt record" + _info "Record successfully created" return 0 else - _err "Error encountered during record addition" + _err "Error creating the record" _err "${result}" return 1 fi @@ -124,13 +128,17 @@ dns_efficientip_rm() { export _H3="X-SDS-TS: $TS" fi - result="$(_post "" "${baseurlnObject}" "" "DELETE")" + if [ -n "${GITHUB_ACTIONS+1}" ]; then + result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" + else + result="$(_post "" "${baseurlnObject}" "" "DELETE")" + fi if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Successfully deleted the txt record" + _info "Record successfully deleted" return 0 else - _err "Error encountered during record delete" + _err "Error deleting the record" _err "${result}" return 1 fi From 1f056998f3017ae63848cb763a546f57251900a2 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:31:17 +0200 Subject: [PATCH 046/313] Update for testing github action pipeline --- dnsapi/dns_efficientip.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index eb19fe38..b39d8fba 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -33,9 +33,9 @@ dns_efficientip_add() { EfficientIP_Server="" _err "You didn't specify any EfficientIP credentials or token or server (EfficientIP_Creds; EfficientIP_Token_Key; EfficientIP_Token_Secret; EfficientIP_Server)." _err "Please set them via EXPORT EfficientIP_Creds=username:password or EXPORT EfficientIP_server=ip/hostname" - _err "or if you want to use Token instead set via EXPORT EfficientIP_Token_Key=yourkey" + _err "or if you want to use Token instead EXPORT EfficientIP_Token_Key=yourkey" _err "and EXPORT EfficientIP_Token_Secret=yoursecret" - _err "and try again." + _err "then try again." return 1 fi From 292026288af0d2f0e5cea0bbb304b1ecf4e14e6c Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:41:22 +0200 Subject: [PATCH 047/313] Fixing sh syntax --- dnsapi/dns_efficientip.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index b39d8fba..ab946e3e 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -41,12 +41,14 @@ dns_efficientip_add() { if [ -z "${EfficientIP_DNS_Name}" ]; then EfficientIP_DNS_Name="" - fi; + fi + EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode) if [ -z "${EfficientIP_View}" ]; then EfficientIP_View="" - fi; + fi + EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode) _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}" @@ -82,7 +84,7 @@ dns_efficientip_add() { result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" else result="$(_post "" "${baseurlnObject}" "" "POST")" - fi; + fi if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then _info "Record successfully created" @@ -113,6 +115,7 @@ dns_efficientip_rm() { if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" fi + if [ "${EfficientIP_ViewEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}" fi @@ -142,4 +145,4 @@ dns_efficientip_rm() { _err "${result}" return 1 fi -} \ No newline at end of file +} From c9287071e3a836ae0c2deaf02e2c3de7879f2d71 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:49:41 +0200 Subject: [PATCH 048/313] Fixing shellcheck issue --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index ab946e3e..292d6b5e 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -26,7 +26,7 @@ dns_efficientip_add() { _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" - if ([ -z "${EfficientIP_Creds}" ] && ([ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ])) || [ -z "${EfficientIP_Server}" ]; then + if { [ -z "${EfficientIP_Creds}" ] && { [ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ]; }; } || [ -z "${EfficientIP_Server}" ]; then EfficientIP_Creds="" EfficientIP_Token_Key="" EfficientIP_Token_Secret="" From af92bbca2ac10b9e7ecf4c042fb696cdfeb67d46 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 15:56:49 +0200 Subject: [PATCH 049/313] Disabling SC2034 --- dnsapi/dns_efficientip.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 292d6b5e..9dc2e374 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -1,4 +1,5 @@ #!/bin/sh +# shellcheck disable=SC2034 dns_efficientip_info='efficientip.com Site: https://efficientip.com/ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip From a1eee5923a5b4f947bd9fea8b4be351f548d203f Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 16:27:36 +0200 Subject: [PATCH 050/313] Disabling SC2034 --- dnsapi/dns_efficientip.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 9dc2e374..d1fdccf6 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -14,7 +14,6 @@ OptionsAlt: EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN. EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional. EfficientIP_View Name of the DNS view hosting the zone. Optional. - Issues: github.com/acmesh-official/acme.sh/issues/6325 Author: EfficientIP-Labs ' From 13631ea2de465e44153d0da0e685e228aee7c427 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 16:38:37 +0200 Subject: [PATCH 051/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index d1fdccf6..9a73303f 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -145,4 +145,4 @@ dns_efficientip_rm() { _err "${result}" return 1 fi -} +} \ No newline at end of file From 74ca0fb76307370b3e40f6b014af893c5fb0c4ae Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 17:06:33 +0200 Subject: [PATCH 052/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 9a73303f..bed5c1d6 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -80,7 +80,7 @@ dns_efficientip_add() { export _H3="X-SDS-TS: ${TS}" fi - if [ -n "${GITHUB_ACTIONS+1}" ]; then + if [ -n "${TEST_DNS+1}" ]; then result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" else result="$(_post "" "${baseurlnObject}" "" "POST")" @@ -131,7 +131,7 @@ dns_efficientip_rm() { export _H3="X-SDS-TS: $TS" fi - if [ -n "${GITHUB_ACTIONS+1}" ]; then + if [ -n "${TEST_DNS+1}" ]; then result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" else result="$(_post "" "${baseurlnObject}" "" "DELETE")" @@ -145,4 +145,4 @@ dns_efficientip_rm() { _err "${result}" return 1 fi -} \ No newline at end of file +} From 42febe97b56071054a208acc0b0d415ac9010fe2 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 17:55:23 +0200 Subject: [PATCH 053/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index bed5c1d6..546b8dc2 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -90,7 +90,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the record" + _err "Error creating the DNS record" _err "${result}" return 1 fi @@ -141,7 +141,7 @@ dns_efficientip_rm() { _info "Record successfully deleted" return 0 else - _err "Error deleting the record" + _err "Error deleting the DNS record" _err "${result}" return 1 fi From c421e2ddfcea8cc0996a39a157ebabb4ff55cb91 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 22 Apr 2025 18:01:29 +0200 Subject: [PATCH 054/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 546b8dc2..a44cab98 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -80,11 +80,7 @@ dns_efficientip_add() { export _H3="X-SDS-TS: ${TS}" fi - if [ -n "${TEST_DNS+1}" ]; then - result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" - else - result="$(_post "" "${baseurlnObject}" "" "POST")" - fi + result="$(_post "" "${baseurlnObject}" "" "POST")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then _info "Record successfully created" @@ -131,11 +127,7 @@ dns_efficientip_rm() { export _H3="X-SDS-TS: $TS" fi - if [ -n "${TEST_DNS+1}" ]; then - result="$(printf "[{\"ret_oid\": \"%d\"}]" "42")" - else - result="$(_post "" "${baseurlnObject}" "" "DELETE")" - fi + result="$(_post "" "${baseurlnObject}" "" "DELETE")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then _info "Record successfully deleted" From 67fd35127c714a9392aeec3efb672220f7c3dc22 Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 10:15:56 +0200 Subject: [PATCH 055/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index a44cab98..997f58f4 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record" + _err "Error creating the DNS record using EIP" _err "${result}" return 1 fi From 3baa5e145f56aaab785150762c24d4599728d72d Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 10:43:46 +0200 Subject: [PATCH 056/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 997f58f4..bd95eb42 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record using EIP" + _err "Error creating the DNS record EIP" _err "${result}" return 1 fi From 947e872850c07f7b534f447a42b022c712013ea6 Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 10:50:57 +0200 Subject: [PATCH 057/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index bd95eb42..997f58f4 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record EIP" + _err "Error creating the DNS record using EIP" _err "${result}" return 1 fi From c2762d3b6f91a158ba88fe5d627cd1097a67383a Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 11:13:38 +0200 Subject: [PATCH 058/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 997f58f4..e9d190b7 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record using EIP" + _err "Error creating the DNS record with EIP" _err "${result}" return 1 fi From ca4cb018d07c996f73118c8354dbfc263058711f Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 13:33:28 +0200 Subject: [PATCH 059/313] Triggering another action pipeline --- dnsapi/dns_efficientip.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index e9d190b7..f2eaaf3b 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -59,7 +59,7 @@ dns_efficientip_add() { _saveaccountconf EfficientIP_View "${EfficientIP_View}" export _H1="Accept-Language:en-US" - baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_name=${fulldomain}&rr_value1=${txtvalue}" + baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_ttl=300&rr_name=${fulldomain}&rr_value1=${txtvalue}" if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}" @@ -86,7 +86,7 @@ dns_efficientip_add() { _info "Record successfully created" return 0 else - _err "Error creating the DNS record with EIP" + _err "Error creating the DNS record" _err "${result}" return 1 fi From a2e52dadb96ace9a69b4fccbcb15dd97d289c6df Mon Sep 17 00:00:00 2001 From: asavin Date: Thu, 24 Apr 2025 16:05:20 +0200 Subject: [PATCH 060/313] Triggering pipeline with DNS_WILDCARD --- dnsapi/dns_efficientip.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index f2eaaf3b..afcd9af4 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -83,10 +83,10 @@ dns_efficientip_add() { result="$(_post "" "${baseurlnObject}" "" "POST")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Record successfully created" + _info "DNS record successfully created" return 0 else - _err "Error creating the DNS record" + _err "Error creating DNS record" _err "${result}" return 1 fi @@ -130,10 +130,10 @@ dns_efficientip_rm() { result="$(_post "" "${baseurlnObject}" "" "DELETE")" if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then - _info "Record successfully deleted" + _info "DNS Record successfully deleted" return 0 else - _err "Error deleting the DNS record" + _err "Error deleting DNS record" _err "${result}" return 1 fi From e0da5f170304dc373a4a647d83fbe0a13a53ec7e Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Mon, 19 May 2025 09:49:21 +0800 Subject: [PATCH 061/313] Update dns_la.sh --- dnsapi/dns_la.sh | 109 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 83 insertions(+), 26 deletions(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index f19333c4..97437897 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -1,14 +1,18 @@ #!/usr/bin/env sh -# shellcheck disable=SC2034 -dns_la_info='dns.la -Site: dns.la -Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la -Options: - LA_Id API ID - LA_Key API key -Issues: github.com/acmesh-official/acme.sh/issues/4257 -' +# LA_Id="123" +# LA_Sk="456" +# LA_Token="" +# +#Site: dns.la +#Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la +#Options: +#我的账户 API 密钥 中获取 APIID APISecret +# LA_Id APIID +# LA_Key APISecret +# LA_Token 用冒号连接 APIID APISecret 再base64生成 +#Issues: github.com/acmesh-official/acme.sh/issues/4257 +#' LA_Api="https://api.dns.la/api" ######## Public functions ##################### @@ -19,18 +23,23 @@ dns_la_add() { txtvalue=$2 LA_Id="${LA_Id:-$(_readaccountconf_mutable LA_Id)}" - LA_Key="${LA_Key:-$(_readaccountconf_mutable LA_Key)}" + LA_Sk="${LA_Sk:-$(_readaccountconf_mutable LA_Sk)}" + _log "LA_Id=$LA_Id" + _log "LA_Sk=$LA_Sk" - if [ -z "$LA_Id" ] || [ -z "$LA_Key" ]; then + if [ -z "$LA_Id" ] || [ -z "$LA_Sk" ]; then LA_Id="" - LA_Key="" + LA_Sk="" _err "You didn't specify a dnsla api id and key yet." return 1 fi #save the api key and email to the account conf file. _saveaccountconf_mutable LA_Id "$LA_Id" - _saveaccountconf_mutable LA_Key "$LA_Key" + _saveaccountconf_mutable LA_Sk "$LA_Sk" + + # generate dnsla token + _la_token _debug "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -42,11 +51,13 @@ dns_la_add() { _debug _domain "$_domain" _info "Adding record" - if _la_rest "record.ashx?cmd=create&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domainid=$_domain_id&host=$_sub_domain&recordtype=TXT&recorddata=$txtvalue&recordline="; then - if _contains "$response" '"resultid":'; then + + # record type is enum in new api, 16 for TXT + if _la_post "{\"domainId\":\"$_domain_id\",\"type\":16,\"host\":\"$_sub_domain\",\"data\":\"$txtvalue\",\"ttl\":600}" "record"; then + if _contains "$response" '"id":'; then _info "Added, OK" return 0 - elif _contains "$response" '"code":532'; then + elif _contains "$response" '"msg":"与已有记录冲突"'; then _info "Already exists, OK" return 0 else @@ -54,7 +65,7 @@ dns_la_add() { return 1 fi fi - _err "Add txt record error." + _err "Add txt record failed." return 1 } @@ -65,7 +76,9 @@ dns_la_rm() { txtvalue=$2 LA_Id="${LA_Id:-$(_readaccountconf_mutable LA_Id)}" - LA_Key="${LA_Key:-$(_readaccountconf_mutable LA_Key)}" + LA_Sk="${LA_Sk:-$(_readaccountconf_mutable LA_Sk)}" + + _la_token _debug "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -77,27 +90,29 @@ dns_la_rm() { _debug _domain "$_domain" _debug "Getting txt records" - if ! _la_rest "record.ashx?cmd=listn&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domainid=$_domain_id&domain=$_domain&host=$_sub_domain&recordtype=TXT&recorddata=$txtvalue"; then + # record type is enum in new api, 16 for TXT + if ! _la_get "recordList?pageIndex=1&pageSize=10&domainId=$_domain_id&host=$_sub_domain&type=16&data=$txtvalue"; then _err "Error" return 1 fi - if ! _contains "$response" '"recordid":'; then + if ! _contains "$response" '"id":'; then _info "Don't need to remove." return 0 fi - record_id=$(printf "%s" "$response" | grep '"recordid":' | cut -d : -f 2 | cut -d , -f 1 | tr -d '\r' | tr -d '\n') + record_id=$(printf "%s" "$response" | grep '"id":' | head -n1 | sed 's/.*"id": *"\([^"]*\)".*/\1/') _debug "record_id" "$record_id" if [ -z "$record_id" ]; then _err "Can not get record id to remove." return 1 fi - if ! _la_rest "record.ashx?cmd=remove&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domainid=$_domain_id&domain=$_domain&recordid=$record_id"; then + # remove record in new api is RESTful + if ! _la_post "" "record?id=$record_id" "DELETE"; then _err "Delete record error." return 1 fi - _contains "$response" '"code":300' + _contains "$response" '"code":200' } @@ -119,12 +134,13 @@ _get_root() { return 1 fi - if ! _la_rest "domain.ashx?cmd=get&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domain=$h"; then + if ! _la_get "domain?domain=$h"; then return 1 fi - if _contains "$response" '"domainid":'; then - _domain_id=$(printf "%s" "$response" | grep '"domainid":' | cut -d : -f 2 | cut -d , -f 1 | tr -d '\r' | tr -d '\n') + if _contains "$response" '"domain":'; then + _domain_id=$(echo "$response" | sed -n 's/.*"id":"\([^"]*\)".*/\1/p') + _log "_domain_id" "$_domain_id" if [ "$_domain_id" ]; then _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") _domain="$h" @@ -143,6 +159,21 @@ _la_rest() { url="$LA_Api/$1" _debug "$url" + if ! response="$(_get "$url" "Authorization: Basic $LA_Token" | tr -d ' ' | tr "}" ",")"; then + _err "Error: $url" + return 1 + fi + + _debug2 response "$response" + return 0 +} + +_la_get() { + url="$LA_Api/$1" + _debug "$url" + + export _H1="Authorization: Basic $LA_Token" + if ! response="$(_get "$url" | tr -d ' ' | tr "}" ",")"; then _err "Error: $url" return 1 @@ -151,3 +182,29 @@ _la_rest() { _debug2 response "$response" return 0 } + +# Usage: _la_post body url [POST|PUT|DELETE] +_la_post() { + body=$1 + url="$LA_Api/$2" + http_method=$3 + _debug "$body" + _debug "$url" + + export _H1="Authorization: Basic $LA_Token" + + if ! response="$(_post "$body" "$url" "" "$http_method")"; then + _err "Error: $url" + return 1 + fi + + _debug2 response "$response" + return 0 +} + +_la_token() { + LA_Token=$(printf "%s:%s" "$LA_Id" "$LA_Sk" | base64 -w 0) + _debug "$LA_Token" + + return 0 +} From 9e7d1b9ce75373c4233790527054925f42da5d16 Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Mon, 19 May 2025 13:16:30 +0800 Subject: [PATCH 062/313] Update dns_la.sh --- dnsapi/dns_la.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index 97437897..ba8ebcac 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -203,7 +203,7 @@ _la_post() { } _la_token() { - LA_Token=$(printf "%s:%s" "$LA_Id" "$LA_Sk" | base64 -w 0) + LA_Token=$(printf "%s:%s" "$LA_Id" "$LA_Sk" | _base64) _debug "$LA_Token" return 0 From 500cfbc19c08feab8763fd141181a5820290747e Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Mon, 19 May 2025 21:29:33 +0800 Subject: [PATCH 063/313] Update dns_la.sh --- dnsapi/dns_la.sh | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index ba8ebcac..7c3765cd 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -2,17 +2,16 @@ # LA_Id="123" # LA_Sk="456" -# LA_Token="" -# -#Site: dns.la -#Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la -#Options: -#我的账户 API 密钥 中获取 APIID APISecret -# LA_Id APIID -# LA_Key APISecret -# LA_Token 用冒号连接 APIID APISecret 再base64生成 -#Issues: github.com/acmesh-official/acme.sh/issues/4257 -#' +# shellcheck disable=SC2034 +LA_Token='dns.la +Site: dns.la +Docs: https://www.dns.la/docs/ApiDoc +Options: + LA_Id APIID + LA_Key APISecret + LA_Token 用冒号连接 APIID APISecret 再base64生成 +Issues: github.com/acmesh-official/acme.sh/issues/4257 +' LA_Api="https://api.dns.la/api" ######## Public functions ##################### From cddf098f47cde203dee97335176ef04bc7f3cdcc Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Tue, 20 May 2025 20:28:59 +0800 Subject: [PATCH 064/313] Update dns_la.sh --- dnsapi/dns_la.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index 7c3765cd..651b74c0 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -5,10 +5,10 @@ # shellcheck disable=SC2034 LA_Token='dns.la Site: dns.la -Docs: https://www.dns.la/docs/ApiDoc +Docs: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la Options: LA_Id APIID - LA_Key APISecret + LA_Sk APISecret LA_Token 用冒号连接 APIID APISecret 再base64生成 Issues: github.com/acmesh-official/acme.sh/issues/4257 ' From c8f1e4119719a911087dc266090ca04eb7dd20c1 Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Tue, 20 May 2025 20:29:44 +0800 Subject: [PATCH 065/313] Update dns_la.sh --- dnsapi/dns_la.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index 651b74c0..c2934b54 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -5,7 +5,7 @@ # shellcheck disable=SC2034 LA_Token='dns.la Site: dns.la -Docs: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la Options: LA_Id APIID LA_Sk APISecret From 5a085f25142ce84f51b7f7d18674352fefa5e56e Mon Sep 17 00:00:00 2001 From: asavin Date: Sun, 25 May 2025 18:36:57 +0200 Subject: [PATCH 066/313] Addressing #discussion_r2105799190 --- acme.sh | 2 +- dnsapi/dns_efficientip.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index e9eb6b94..93e18a5c 100755 --- a/acme.sh +++ b/acme.sh @@ -1017,7 +1017,7 @@ _digest() { outputhex="$2" - if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then + if [ "$alg" = "sha3-256" ] || [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then if [ "$outputhex" ]; then ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' ' else diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index afcd9af4..7dcac294 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -74,7 +74,7 @@ dns_efficientip_add() { export _H2="Authorization: Basic ${EfficientIP_CredsEncoded}" else TS=$(date +%s) - Sig=$(printf "%b\n$TS\nPOST\n$baseurlnObject" "${EfficientIP_Token_Secret}" | openssl dgst -sha3-256 | cut -d '=' -f 2 | tr -d ' ') + Sig=$(printf "%b\n$TS\nPOST\n$baseurlnObject" "${EfficientIP_Token_Secret}" | _digest sha3-256 hex) EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig") export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" export _H3="X-SDS-TS: ${TS}" From 19678db9333f901219befcbd388fc454aa6b7119 Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Fri, 6 Jun 2025 02:06:27 +0800 Subject: [PATCH 067/313] Update dns_la.sh --- dnsapi/dns_la.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index c2934b54..772f8845 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -3,7 +3,7 @@ # LA_Id="123" # LA_Sk="456" # shellcheck disable=SC2034 -LA_Token='dns.la +dns_la_info='dns.la Site: dns.la Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_la Options: From bff1064dbd205db86832c876151304b97bf9d78f Mon Sep 17 00:00:00 2001 From: Lambiek12 Date: Sun, 8 Jun 2025 15:39:10 +0200 Subject: [PATCH 068/313] Add new dnsapi support for OpenProvider.eu using new REST API --- dnsapi/dns_openprovider_rest.sh | 193 ++++++++++++++++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 dnsapi/dns_openprovider_rest.sh diff --git a/dnsapi/dns_openprovider_rest.sh b/dnsapi/dns_openprovider_rest.sh new file mode 100644 index 00000000..a6725fcc --- /dev/null +++ b/dnsapi/dns_openprovider_rest.sh @@ -0,0 +1,193 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_openprovider_rest_info='OpenProvider (REST) +Domains: OpenProvider.com +Site: OpenProvider.eu +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_openprovider_rest +Options: + OPENPROVIDER_REST_USERNAME Openprovider Account Username + OPENPROVIDER_REST_PASSWORD Openprovider Account Password +Issues: github.com/acmesh-official/acme.sh/issues/6122 +Author: Lambiek12 +' + +OPENPROVIDER_API_URL="https://api.openprovider.eu/v1beta" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_openprovider_rest_add() { + fulldomain=$1 + txtvalue=$2 + + _openprovider_prepare_credentials || return 1 + + _debug "Try fetch OpenProvider DNS zone details" + if ! _get_dns_zone "$fulldomain"; then + _err "DNS zone not found within configured OpenProvider account." + return 1 + fi + + if [ -n "$_domain_id" ]; then + addzonerecordrequestparameters="dns/zones/$_domain_name" + addzonerecordrequestbody="{\"id\":$_domain_id,\"name\":\"$_domain_name\",\"records\":{\"add\":[{\"name\":\"$_sub_domain\",\"ttl\":900,\"type\":\"TXT\",\"value\":\"$txtvalue\"}]}}" + + if _openprovider_rest PUT "$addzonerecordrequestparameters" "$addzonerecordrequestbody"; then + if _contains "$response" "\"success\":true"; then + return 0 + elif _contains "$response" "\"Duplicate record\""; then + _debug "Record already existed" + return 0 + else + _err "Adding TXT record failed due to errors." + return 1 + fi + fi + fi + + _err "Adding TXT record failed due to errors." + return 1 +} + +# Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to remove the txt record after validation +dns_openprovider_rest_rm() { + fulldomain=$1 + txtvalue=$2 + + _openprovider_prepare_credentials || return 1 + + _debug "Try fetch OpenProvider DNS zone details" + if ! _get_dns_zone "$fulldomain"; then + _err "DNS zone not found within configured OpenProvider account." + return 1 + fi + + if [ -n "$_domain_id" ]; then + removezonerecordrequestparameters="dns/zones/$_domain_name" + removezonerecordrequestbody="{\"id\":$_domain_id,\"name\":\"$_domain_name\",\"records\":{\"remove\":[{\"name\":\"$_sub_domain\",\"ttl\":900,\"type\":\"TXT\",\"value\":\"\\\"$txtvalue\\\"\"}]}}" + + if _openprovider_rest PUT "$removezonerecordrequestparameters" "$removezonerecordrequestbody"; then + if _contains "$response" "\"success\":true"; then + return 0 + else + _err "Removing TXT record failed due to errors." + return 1 + fi + fi + fi + + _err "Removing TXT record failed due to errors." + return 1 +} + +#################### OpenProvider API common functions #################### +_openprovider_prepare_credentials() { + OPENPROVIDER_REST_USERNAME="${OPENPROVIDER_REST_USERNAME:-$(_readaccountconf_mutable OPENPROVIDER_REST_USERNAME)}" + OPENPROVIDER_REST_PASSWORD="${OPENPROVIDER_REST_PASSWORD:-$(_readaccountconf_mutable OPENPROVIDER_REST_PASSWORD)}" + + if [ -z "$OPENPROVIDER_REST_USERNAME" ] || [ -z "$OPENPROVIDER_REST_PASSWORD" ]; then + OPENPROVIDER_REST_USERNAME="" + OPENPROVIDER_REST_PASSWORD="" + _err "You didn't specify the Openprovider username or password yet." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable OPENPROVIDER_REST_USERNAME "$OPENPROVIDER_REST_USERNAME" + _saveaccountconf_mutable OPENPROVIDER_REST_PASSWORD "$OPENPROVIDER_REST_PASSWORD" +} + +_openprovider_rest() { + httpmethod=$1 + queryparameters=$2 + requestbody=$3 + + _openprovider_rest_login + if [ -z "$openproviderauthtoken" ]; then + _err "Unable to fetch authentication token from Openprovider API." + return 1 + fi + + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + export _H3="Authorization: Bearer $openproviderauthtoken" + + _debug httpmethod "$httpmethod" + _debug requestfullurl "$OPENPROVIDER_API_URL/$queryparameters" + _debug queryparameters "$queryparameters" + + if [ "$httpmethod" != "GET" ]; then + _debug requestbody "$requestbody" + + response="$(_post "$requestbody" "$OPENPROVIDER_API_URL/$queryparameters" "" "$httpmethod")" + else + response="$(_get "$OPENPROVIDER_API_URL/$queryparameters")" + fi + + if [ "$?" != "0" ]; then + _err "No valid parameters supplied for Openprovider API: Error $queryparameters" + return 1 + fi + + _debug2 response "$response" + + return 0 +} + +_openprovider_rest_login() { + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + + loginrequesturl="$OPENPROVIDER_API_URL/auth/login" + loginrequestbody="{\"ip\":\"0.0.0.0\",\"password\":\"$OPENPROVIDER_REST_PASSWORD\",\"username\":\"$OPENPROVIDER_REST_USERNAME\"}" + loginresponse="$(_post "$loginrequestbody" "$loginrequesturl" "" "POST")" + + openproviderauthtoken="$(printf "%s\n" "$loginresponse" | _egrep_o '"token" *: *"[^"]*' | _head_n 1 | sed 's#^"token" *: *"##')" + _debug openproviderauthtoken "$openproviderauthtoken" + + export openproviderauthtoken +} + +#################### Private functions ################################## + +# Usage: _get_dns_zone _acme-challenge.www.domain.com +# Returns: +# _domain_id=123456789 +# _domain_name=domain.com +# _sub_domain=_acme-challenge.www +_get_dns_zone() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + # Empty value not allowed + return 1 + fi + + if ! _openprovider_rest GET "dns/zones/$h" ""; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id="$(printf "%s\n" "$response" | _egrep_o '"id" *: *[^,]*' | _head_n 1 | sed 's#^"id" *: *##')" + _debug _domain_id "$_domain_id" + + _domain_name="$h" + _debug _domain_name "$_domain_name" + + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _debug _sub_domain "$_sub_domain" + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} From 06d3739a8dc9b235aadc0460d7ddcbb2e867a04e Mon Sep 17 00:00:00 2001 From: Lambiek12 Date: Sun, 8 Jun 2025 17:29:39 +0200 Subject: [PATCH 069/313] Cleanup duplicate debug log output based on DNS test run --- dnsapi/dns_openprovider_rest.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/dnsapi/dns_openprovider_rest.sh b/dnsapi/dns_openprovider_rest.sh index a6725fcc..3b8d20d2 100644 --- a/dnsapi/dns_openprovider_rest.sh +++ b/dnsapi/dns_openprovider_rest.sh @@ -113,14 +113,8 @@ _openprovider_rest() { export _H1="Content-Type: application/json" export _H2="Accept: application/json" export _H3="Authorization: Bearer $openproviderauthtoken" - - _debug httpmethod "$httpmethod" - _debug requestfullurl "$OPENPROVIDER_API_URL/$queryparameters" - _debug queryparameters "$queryparameters" - + if [ "$httpmethod" != "GET" ]; then - _debug requestbody "$requestbody" - response="$(_post "$requestbody" "$OPENPROVIDER_API_URL/$queryparameters" "" "$httpmethod")" else response="$(_get "$OPENPROVIDER_API_URL/$queryparameters")" @@ -145,7 +139,6 @@ _openprovider_rest_login() { loginresponse="$(_post "$loginrequestbody" "$loginrequesturl" "" "POST")" openproviderauthtoken="$(printf "%s\n" "$loginresponse" | _egrep_o '"token" *: *"[^"]*' | _head_n 1 | sed 's#^"token" *: *"##')" - _debug openproviderauthtoken "$openproviderauthtoken" export openproviderauthtoken } From fcd358eb71e0c8ca49b11e2fbca133c9c5937844 Mon Sep 17 00:00:00 2001 From: Lambiek12 Date: Sun, 8 Jun 2025 17:35:09 +0200 Subject: [PATCH 070/313] Resolve spellcheck error --- dnsapi/dns_openprovider_rest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_openprovider_rest.sh b/dnsapi/dns_openprovider_rest.sh index 3b8d20d2..210dc6fc 100644 --- a/dnsapi/dns_openprovider_rest.sh +++ b/dnsapi/dns_openprovider_rest.sh @@ -113,7 +113,7 @@ _openprovider_rest() { export _H1="Content-Type: application/json" export _H2="Accept: application/json" export _H3="Authorization: Bearer $openproviderauthtoken" - + if [ "$httpmethod" != "GET" ]; then response="$(_post "$requestbody" "$OPENPROVIDER_API_URL/$queryparameters" "" "$httpmethod")" else From ca08ce42626d98cf7d9112f1b41c771218b2d23c Mon Sep 17 00:00:00 2001 From: asavin Date: Mon, 23 Jun 2025 08:59:33 +0200 Subject: [PATCH 071/313] Fixing forgottent openssl ref --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 7dcac294..4a09c5bb 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -121,7 +121,7 @@ dns_efficientip_rm() { export _H2="Authorization: Basic $EfficientIP_CredsEncoded" else TS=$(date +%s) - Sig=$(printf "%b\n$TS\nDELETE\n${baseurlnObject}" "${EfficientIP_Token_Secret}" | openssl dgst -sha3-256 | cut -d '=' -f 2 | tr -d ' ') + Sig=$(printf "%b\n$TS\nDELETE\n${baseurlnObject}" "${EfficientIP_Token_Secret}" | _digest sha3-256 hex) EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig" | _base64) export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" export _H3="X-SDS-TS: $TS" From 2bea808251d3e0c65fab47dafba0fec636128a6a Mon Sep 17 00:00:00 2001 From: OPPO9008 <41640509+OPPO9008@users.noreply.github.com> Date: Wed, 2 Jul 2025 21:15:46 +0800 Subject: [PATCH 072/313] Update dns_la.sh --- dnsapi/dns_la.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_la.sh b/dnsapi/dns_la.sh index 772f8845..9cb6327e 100644 --- a/dnsapi/dns_la.sh +++ b/dnsapi/dns_la.sh @@ -100,7 +100,7 @@ dns_la_rm() { return 0 fi - record_id=$(printf "%s" "$response" | grep '"id":' | head -n1 | sed 's/.*"id": *"\([^"]*\)".*/\1/') + record_id=$(printf "%s" "$response" | grep '"id":' | _head_n 1 | sed 's/.*"id": *"\([^"]*\)".*/\1/') _debug "record_id" "$record_id" if [ -z "$record_id" ]; then _err "Can not get record id to remove." From 3b0f624302294c3d817e5c3218a263905dff9f67 Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Thu, 10 Jul 2025 10:55:05 +0200 Subject: [PATCH 073/313] Support certificate profile selection --- acme.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index d70e323b..46c1124c 100755 --- a/acme.sh +++ b/acme.sh @@ -4416,6 +4416,7 @@ issue() { _preferred_chain="${15}" _valid_from="${16}" _valid_to="${17}" + _certificate_profile="${18}" if [ -z "$_ACME_IS_RENEW" ]; then _initpath "$_main_domain" "$_key_length" @@ -4491,6 +4492,11 @@ issue() { else _cleardomainconf "Le_Preferred_Chain" fi + if [ "$_certificate_profile" ]; then + _savedomainconf "Le_Certificate_Profile" "$_certificate_profile" + else + _cleardomainconf "Le_Certificate_Profile" + fi Le_API="$ACME_DIRECTORY" _savedomainconf "Le_API" "$Le_API" @@ -4622,6 +4628,9 @@ issue() { if [ "$_notAfter" ]; then _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\"" fi + if [ "$_certificate_profile" ]; then + _newOrderObj="$_newOrderObj,\"profile\": \"$_certificate_profile\"" + fi _debug "STEP 1, Ordering a Certificate" if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then _err "Error creating new order." @@ -5503,6 +5512,7 @@ renew() { Le_PostHook="$(_readdomainconf Le_PostHook)" Le_RenewHook="$(_readdomainconf Le_RenewHook)" Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)" + Le_Certificate_Profile="$(_readdomainconf Le_Certificate_Profile)" # When renewing from an old version, the empty Le_Keylength means 2048. # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over # time but an empty value implies 2048 specifically. @@ -5517,7 +5527,7 @@ renew() { _cleardomainconf Le_OCSP_Staple fi fi - issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" + issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" "$Le_Certificate_Profile" res="$?" if [ "$res" != "0" ]; then return "$res" @@ -6989,6 +6999,8 @@ Parameters: If no match, the default offered chain will be used. (default: empty) See: $_PREFERRED_CHAIN_WIKI + --certificate-profile If the CA offers profiles, select the desired profile + --valid-to Request the NotAfter field of the cert. See: $_VALIDITY_WIKI --valid-from Request the NotBefore field of the cert. @@ -7364,6 +7376,7 @@ _process() { _preferred_chain="" _valid_from="" _valid_to="" + _certificate_profile="" while [ ${#} -gt 0 ]; do case "${1}" in @@ -7682,6 +7695,10 @@ _process() { _valid_to="$2" shift ;; + --certificate-profile) + _certificate_profile="$2" + shift + ;; --httpport) _httpport="$2" Le_HTTPPort="$_httpport" @@ -7957,7 +7974,7 @@ _process() { uninstall) uninstall "$_nocron" ;; upgrade) upgrade ;; issue) - issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" + issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile" ;; deploy) deploy "$_domain" "$_deploy_hook" "$_ecc" From 06c1911a2830c7ccb7d08cf3ec210921bfbb5038 Mon Sep 17 00:00:00 2001 From: PrivacyFreak <220089342+privacyfr3ak@users.noreply.github.com> Date: Mon, 14 Jul 2025 18:48:32 +0000 Subject: [PATCH 074/313] fix keystore ownership read for unifi.sh --- deploy/unifi.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/unifi.sh b/deploy/unifi.sh index 1f274236..2af46b4a 100644 --- a/deploy/unifi.sh +++ b/deploy/unifi.sh @@ -143,8 +143,8 @@ unifi_deploy() { # correct file ownership according to the directory, the keystore is placed in _unifi_keystore_dir=$(dirname "${_unifi_keystore}") - _unifi_keystore_dir_owner=$(find "${_unifi_keystore_dir}" -maxdepth 0 -printf '%u\n') - _unifi_keystore_owner=$(find "${_unifi_keystore}" -maxdepth 0 -printf '%u\n') + _unifi_keystore_dir_owner=$(ls -ld "${_unifi_keystore_dir}" | awk '{print $3}') + _unifi_keystore_owner=$(ls -l "${_unifi_keystore}" | awk '{print $3}') if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ]; then _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}" chown "$_unifi_keystore_dir_owner" "${_unifi_keystore}" >/dev/null 2>&1 # fail quietly if we're not running as root From 1f486fc9a524ead28d4b801f450b097eb3a58311 Mon Sep 17 00:00:00 2001 From: keryfan <35259207+keryfan@users.noreply.github.com> Date: Tue, 12 Aug 2025 11:12:09 +0300 Subject: [PATCH 075/313] Upload latest dev branch to master (#3) * Fix for empty error objects in response breaking extraction of domain validation types Fix for empty error objects in the response which mess up the extraction of domain validation types due to the closing brace in the error object prematurely matching the end of the search pattern. This seems to be a recent change with ZeroSSL in particular where "error":{} is being included in responses. There could potentially be a related issue if there is a complex error object ever returned in the validation check response where an embedded sub-object could lead to an incomplete extraction of the error message, roughly around line 5040. Adapted from fix suggested here: https://github.com/acmesh-official/acme.sh/issues/4933#issuecomment-1870499018 * Add new dnsapi support for OpenProvider.eu using new REST API * Cleanup duplicate debug log output based on DNS test run * Resolve spellcheck error * Configure 10 second timeout to ACME_DIRECTORY API call * add support for AIX style netstat * add * fix for wiki * minor * minor * wiki * wiki * dnsapi: dns_mydnsjp.sh fix author The @epgdatacapbon was renamed to @tkmsst Signed-off-by: Sergey Ponomarev * dnsapi: dns_ddnss.sh remove RaidenII from authors He made the DuckDNS script that was used for this script but he can't support the script. Signed-off-by: Sergey Ponomarev * dnsapi: fix authors: use @ for GitHub profiles Signed-off-by: Sergey Ponomarev * dnsapi: dns_vultr.sh remove empty author Signed-off-by: Sergey Ponomarev * dnsapi: dns_mijnhost.sh rearrange fields, use user docs instead of API docs Signed-off-by: Sergey Ponomarev * dnsapi: fix Structured DNS Info Signed-off-by: Sergey Ponomarev * Fix logged typo when running pre hook * Run post hook when _on_before_issue errors --------- Signed-off-by: Sergey Ponomarev Co-authored-by: Ciaran Walsh Co-authored-by: Lambiek12 Co-authored-by: Erwin Oegema Co-authored-by: laDanz Co-authored-by: neil Co-authored-by: neil Co-authored-by: Sergey Ponomarev Co-authored-by: David Beitey Co-authored-by: Jan-willem van Kampen --- .github/workflows/wiki-monitor.yml | 60 ++++++++++ acme.sh | 17 ++- dnsapi/dns_beget.sh | 2 +- dnsapi/dns_bookmyname.sh | 2 +- dnsapi/dns_ddnss.sh | 2 +- dnsapi/dns_dnshome.sh | 2 +- dnsapi/dns_duckdns.sh | 2 +- dnsapi/dns_dyn.sh | 2 +- dnsapi/dns_dynv6.sh | 2 +- dnsapi/dns_easydns.sh | 2 +- dnsapi/dns_freedns.sh | 2 +- dnsapi/dns_he_ddns.sh | 1 + dnsapi/dns_joker.sh | 2 +- dnsapi/dns_mijnhost.sh | 9 +- dnsapi/dns_mydnsjp.sh | 2 +- dnsapi/dns_namecom.sh | 2 +- dnsapi/dns_namesilo.sh | 2 +- dnsapi/dns_openprovider_rest.sh | 186 +++++++++++++++++++++++++++++ dnsapi/dns_pleskxml.sh | 2 +- dnsapi/dns_schlundtech.sh | 2 +- dnsapi/dns_selectel.sh | 38 +++--- dnsapi/dns_spaceship.sh | 8 +- dnsapi/dns_tele3.sh | 2 +- dnsapi/dns_timeweb.sh | 2 +- dnsapi/dns_udr.sh | 2 +- dnsapi/dns_vscale.sh | 2 +- dnsapi/dns_vultr.sh | 1 - dnsapi/dns_websupport.sh | 2 +- dnsapi/dns_world4you.sh | 2 +- 29 files changed, 305 insertions(+), 57 deletions(-) create mode 100644 .github/workflows/wiki-monitor.yml create mode 100644 dnsapi/dns_openprovider_rest.sh diff --git a/.github/workflows/wiki-monitor.yml b/.github/workflows/wiki-monitor.yml new file mode 100644 index 00000000..89497580 --- /dev/null +++ b/.github/workflows/wiki-monitor.yml @@ -0,0 +1,60 @@ +name: Notify via Issue on Wiki Edit + +on: + gollum: + +jobs: + notify: + runs-on: ubuntu-latest + steps: + - name: Checkout wiki repository + uses: actions/checkout@v4 + with: + repository: ${{ github.repository }}.wiki + path: wiki + + - name: Generate wiki change message + run: | + actor="${{ github.actor }}" + sender_url=$(jq -r '.sender.html_url' "$GITHUB_EVENT_PATH") + page_name=$(jq -r '.pages[0].page_name' "$GITHUB_EVENT_PATH") + page_sha=$(jq -r '.pages[0].sha' "$GITHUB_EVENT_PATH") + page_url=$(jq -r '.pages[0].html_url' "$GITHUB_EVENT_PATH") + page_action=$(jq -r '.pages[0].action' "$GITHUB_EVENT_PATH") + now="$(date '+%Y-%m-%d %H:%M:%S')" + + cd wiki + prev_sha=$(git rev-list $page_sha^ -- "$page_name.md" | head -n 1) + if [ -n "$prev_sha" ]; then + git diff $prev_sha $page_sha -- "$page_name.md" > ../wiki.diff || echo "(No diff found)" > ../wiki.diff + else + echo "(no diff)" > ../wiki.diff + fi + cd .. + { + echo "Wiki edited" + echo -n "User: " + echo "[$actor]($sender_url)" + echo "Time: $now" + echo "Page: [$page_name]($page_url) (Action: $page_action)" + echo "" + echo "----" + echo "### diff:" + echo '```diff' + cat wiki.diff + echo '```' + } > wiki-change-msg.txt + + - name: Create issue to notify Neilpang + uses: peter-evans/create-issue-from-file@v5 + with: + title: "Wiki edited" + content-filepath: ./wiki-change-msg.txt + assignees: Neilpang + env: + TZ: Asia/Shanghai + + + + + diff --git a/acme.sh b/acme.sh index e9eb6b94..d9ae208a 100755 --- a/acme.sh +++ b/acme.sh @@ -1401,6 +1401,12 @@ _ss() { return 0 fi + if [ "$(uname)" = "AIX" ]; then + _debug "Using: AIX netstat" + netstat -an | grep "^tcp" | grep "LISTEN" | grep "\.$_port " + return 0 + fi + if _exists "netstat"; then _debug "Using: netstat" if netstat -help 2>&1 | grep "\-p proto" >/dev/null; then @@ -2761,7 +2767,7 @@ _initAPI() { _request_retry_times=0 while [ -z "$ACME_NEW_ACCOUNT" ] && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do _request_retry_times=$(_math "$_request_retry_times" + 1) - response=$(_get "$_api_server") + response=$(_get "$_api_server" "" 10) if [ "$?" != "0" ]; then _debug2 "response" "$response" _info "Cannot init API for: $_api_server." @@ -3507,7 +3513,7 @@ _on_before_issue() { _debug _chk_alt_domains "$_chk_alt_domains" #run pre hook if [ "$_chk_pre_hook" ]; then - _info "Runing pre hook:'$_chk_pre_hook'" + _info "Running pre hook:'$_chk_pre_hook'" if ! ( export Le_Domain="$_chk_main_domain" export Le_Alt="$_chk_alt_domains" @@ -4496,6 +4502,7 @@ issue() { if ! _on_before_issue "$_web_roots" "$_main_domain" "$_alt_domains" "$_pre_hook" "$_local_addr"; then _err "_on_before_issue." + _on_issue_err "$_post_hook" return 1 fi @@ -4755,7 +4762,8 @@ $_authorizations_map" _debug keyauthorization "$keyauthorization" fi - entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" + # Fix for empty error objects in response which mess up the original code, adapted from fix suggested here: https://github.com/acmesh-official/acme.sh/issues/4933#issuecomment-1870499018 + entry="$(echo "$response" | sed s/'"error":{}'/'"error":null'/ | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$keyauthorization" -a -z "$entry" ]; then @@ -6344,7 +6352,8 @@ _deactivate() { fi _debug "Trigger validation." vtype="$(_getIdType "$_d_domain")" - entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" + # Fix for empty error objects in response which mess up the original code, adapted from fix suggested here: https://github.com/acmesh-official/acme.sh/issues/4933#issuecomment-1870499018 + entry="$(echo "$response" | sed s/'"error":{}'/'"error":null'/ | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$entry" ]; then _err "$d: Cannot get domain token" diff --git a/dnsapi/dns_beget.sh b/dnsapi/dns_beget.sh index aa43caed..5f3b1eb1 100755 --- a/dnsapi/dns_beget.sh +++ b/dnsapi/dns_beget.sh @@ -7,7 +7,7 @@ Options: BEGET_User API user BEGET_Password API password Issues: github.com/acmesh-official/acme.sh/issues/6200 -Author: ARNik arnik@arnik.ru +Author: ARNik ' Beget_Api="https://api.beget.com/api" diff --git a/dnsapi/dns_bookmyname.sh b/dnsapi/dns_bookmyname.sh index 668cf074..cf3f1e3e 100644 --- a/dnsapi/dns_bookmyname.sh +++ b/dnsapi/dns_bookmyname.sh @@ -7,7 +7,7 @@ Options: BOOKMYNAME_USERNAME Username BOOKMYNAME_PASSWORD Password Issues: github.com/acmesh-official/acme.sh/issues/3209 -Author: Neilpang +Author: @Neilpang ' ######## Public functions ##################### diff --git a/dnsapi/dns_ddnss.sh b/dnsapi/dns_ddnss.sh index 118b148b..0ac353d4 100644 --- a/dnsapi/dns_ddnss.sh +++ b/dnsapi/dns_ddnss.sh @@ -6,7 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_ddnss Options: DDNSS_Token API Token Issues: github.com/acmesh-official/acme.sh/issues/2230 -Author: RaidenII, helbgd, mod242 +Author: @helbgd, @mod242 ' DDNSS_DNS_API="https://ddnss.de/upd.php" diff --git a/dnsapi/dns_dnshome.sh b/dnsapi/dns_dnshome.sh index 59828796..6d583246 100755 --- a/dnsapi/dns_dnshome.sh +++ b/dnsapi/dns_dnshome.sh @@ -7,7 +7,7 @@ Options: DNSHOME_Subdomain Subdomain DNSHOME_SubdomainPassword Subdomain Password Issues: github.com/acmesh-official/acme.sh/issues/3819 -Author: dnsHome.de https://github.com/dnsHome-de +Author: @dnsHome-de ' # Usage: add subdomain.ddnsdomain.tld "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" diff --git a/dnsapi/dns_duckdns.sh b/dnsapi/dns_duckdns.sh index 71594873..33d401b0 100755 --- a/dnsapi/dns_duckdns.sh +++ b/dnsapi/dns_duckdns.sh @@ -5,7 +5,7 @@ Site: www.DuckDNS.org Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_duckdns Options: DuckDNS_Token API Token -Author: RaidenII +Author: @RaidenII ' DuckDNS_API="https://www.duckdns.org/update" diff --git a/dnsapi/dns_dyn.sh b/dnsapi/dns_dyn.sh index 94201923..9b1a97a2 100644 --- a/dnsapi/dns_dyn.sh +++ b/dnsapi/dns_dyn.sh @@ -8,7 +8,7 @@ Options: DYN_Customer Customer DYN_Username API Username DYN_Password Secret -Author: Gerd Naschenweng +Author: Gerd Naschenweng <@magicdude4eva> ' # Dyn Managed DNS API diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 76af17f5..0c9491f8 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -8,7 +8,7 @@ Options: OptionsAlt: KEY Path to SSH private key file. E.g. "/root/.ssh/dynv6" Issues: github.com/acmesh-official/acme.sh/issues/2702 -Author: StefanAbl +Author: @StefanAbl ' dynv6_api="https://dynv6.com/api/v2" diff --git a/dnsapi/dns_easydns.sh b/dnsapi/dns_easydns.sh index 1c96ac8f..423def2b 100644 --- a/dnsapi/dns_easydns.sh +++ b/dnsapi/dns_easydns.sh @@ -7,7 +7,7 @@ Options: EASYDNS_Token API Token EASYDNS_Key API Key Issues: github.com/acmesh-official/acme.sh/issues/2647 -Author: Neilpang, wurzelpanzer +Author: @Neilpang, wurzelpanzer ' # API Documentation: https://sandbox.rest.easydns.net:3001/ diff --git a/dnsapi/dns_freedns.sh b/dnsapi/dns_freedns.sh index 114f30e0..13d9f68b 100755 --- a/dnsapi/dns_freedns.sh +++ b/dnsapi/dns_freedns.sh @@ -7,7 +7,7 @@ Options: FREEDNS_User Username FREEDNS_Password Password Issues: github.com/acmesh-official/acme.sh/issues/2305 -Author: David Kerr +Author: David Kerr <@dkerr64> ' ######## Public functions ##################### diff --git a/dnsapi/dns_he_ddns.sh b/dnsapi/dns_he_ddns.sh index cd7d1ec2..1fe9a7fd 100644 --- a/dnsapi/dns_he_ddns.sh +++ b/dnsapi/dns_he_ddns.sh @@ -5,6 +5,7 @@ Site: dns.he.net Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_he_ddns Options: HE_DDNS_KEY The DDNS key +Issues: https://github.com/acmesh-official/acme.sh/issues/5238 Author: Markku Leiniö ' diff --git a/dnsapi/dns_joker.sh b/dnsapi/dns_joker.sh index 1fe33c67..401471be 100644 --- a/dnsapi/dns_joker.sh +++ b/dnsapi/dns_joker.sh @@ -7,7 +7,7 @@ Options: JOKER_USERNAME Username JOKER_PASSWORD Password Issues: github.com/acmesh-official/acme.sh/issues/2840 -Author: +Author: @aattww ' JOKER_API="https://svc.joker.com/nic/replace" diff --git a/dnsapi/dns_mijnhost.sh b/dnsapi/dns_mijnhost.sh index 9dafc702..9f5e7710 100644 --- a/dnsapi/dns_mijnhost.sh +++ b/dnsapi/dns_mijnhost.sh @@ -1,16 +1,15 @@ #!/usr/bin/env sh # shellcheck disable=SC2034 dns_mijnhost_info='mijn.host -Domains: mijn.host Site: mijn.host -Docs: https://mijn.host/api/doc/ -Issues: https://github.com/acmesh-official/acme.sh/issues/6177 -Author: peterv99 +Docs: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_mijnhost Options: MIJNHOST_API_KEY API Key +Issues: github.com/acmesh-official/acme.sh/issues/6177 +Author: @peterv99 ' -######## Public functions ###################### Constants for your mijn-host API +######## Public functions ###################### MIJNHOST_API="https://mijn.host/api/v2" # Add TXT record for domain verification diff --git a/dnsapi/dns_mydnsjp.sh b/dnsapi/dns_mydnsjp.sh index 336c4889..4dfffaaa 100755 --- a/dnsapi/dns_mydnsjp.sh +++ b/dnsapi/dns_mydnsjp.sh @@ -6,7 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_mydnsjp Options: MYDNSJP_MasterID Master ID MYDNSJP_Password Password -Author: epgdatacapbon +Author: @tkmsst ' ######## Public functions ##################### diff --git a/dnsapi/dns_namecom.sh b/dnsapi/dns_namecom.sh index 44549c9e..1062c849 100755 --- a/dnsapi/dns_namecom.sh +++ b/dnsapi/dns_namecom.sh @@ -6,7 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_namecom Options: Namecom_Username Username Namecom_Token API Token -Author: RaidenII +Author: @RaidenII ' ######## Public functions ##################### diff --git a/dnsapi/dns_namesilo.sh b/dnsapi/dns_namesilo.sh index b31e32a1..5d47a59a 100755 --- a/dnsapi/dns_namesilo.sh +++ b/dnsapi/dns_namesilo.sh @@ -5,7 +5,7 @@ Site: NameSilo.com Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_namesilo Options: Namesilo_Key API Key -Author: meowthink +Author: @meowthink ' #Utilize API to finish dns-01 verifications. diff --git a/dnsapi/dns_openprovider_rest.sh b/dnsapi/dns_openprovider_rest.sh new file mode 100644 index 00000000..210dc6fc --- /dev/null +++ b/dnsapi/dns_openprovider_rest.sh @@ -0,0 +1,186 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_openprovider_rest_info='OpenProvider (REST) +Domains: OpenProvider.com +Site: OpenProvider.eu +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_openprovider_rest +Options: + OPENPROVIDER_REST_USERNAME Openprovider Account Username + OPENPROVIDER_REST_PASSWORD Openprovider Account Password +Issues: github.com/acmesh-official/acme.sh/issues/6122 +Author: Lambiek12 +' + +OPENPROVIDER_API_URL="https://api.openprovider.eu/v1beta" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_openprovider_rest_add() { + fulldomain=$1 + txtvalue=$2 + + _openprovider_prepare_credentials || return 1 + + _debug "Try fetch OpenProvider DNS zone details" + if ! _get_dns_zone "$fulldomain"; then + _err "DNS zone not found within configured OpenProvider account." + return 1 + fi + + if [ -n "$_domain_id" ]; then + addzonerecordrequestparameters="dns/zones/$_domain_name" + addzonerecordrequestbody="{\"id\":$_domain_id,\"name\":\"$_domain_name\",\"records\":{\"add\":[{\"name\":\"$_sub_domain\",\"ttl\":900,\"type\":\"TXT\",\"value\":\"$txtvalue\"}]}}" + + if _openprovider_rest PUT "$addzonerecordrequestparameters" "$addzonerecordrequestbody"; then + if _contains "$response" "\"success\":true"; then + return 0 + elif _contains "$response" "\"Duplicate record\""; then + _debug "Record already existed" + return 0 + else + _err "Adding TXT record failed due to errors." + return 1 + fi + fi + fi + + _err "Adding TXT record failed due to errors." + return 1 +} + +# Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to remove the txt record after validation +dns_openprovider_rest_rm() { + fulldomain=$1 + txtvalue=$2 + + _openprovider_prepare_credentials || return 1 + + _debug "Try fetch OpenProvider DNS zone details" + if ! _get_dns_zone "$fulldomain"; then + _err "DNS zone not found within configured OpenProvider account." + return 1 + fi + + if [ -n "$_domain_id" ]; then + removezonerecordrequestparameters="dns/zones/$_domain_name" + removezonerecordrequestbody="{\"id\":$_domain_id,\"name\":\"$_domain_name\",\"records\":{\"remove\":[{\"name\":\"$_sub_domain\",\"ttl\":900,\"type\":\"TXT\",\"value\":\"\\\"$txtvalue\\\"\"}]}}" + + if _openprovider_rest PUT "$removezonerecordrequestparameters" "$removezonerecordrequestbody"; then + if _contains "$response" "\"success\":true"; then + return 0 + else + _err "Removing TXT record failed due to errors." + return 1 + fi + fi + fi + + _err "Removing TXT record failed due to errors." + return 1 +} + +#################### OpenProvider API common functions #################### +_openprovider_prepare_credentials() { + OPENPROVIDER_REST_USERNAME="${OPENPROVIDER_REST_USERNAME:-$(_readaccountconf_mutable OPENPROVIDER_REST_USERNAME)}" + OPENPROVIDER_REST_PASSWORD="${OPENPROVIDER_REST_PASSWORD:-$(_readaccountconf_mutable OPENPROVIDER_REST_PASSWORD)}" + + if [ -z "$OPENPROVIDER_REST_USERNAME" ] || [ -z "$OPENPROVIDER_REST_PASSWORD" ]; then + OPENPROVIDER_REST_USERNAME="" + OPENPROVIDER_REST_PASSWORD="" + _err "You didn't specify the Openprovider username or password yet." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable OPENPROVIDER_REST_USERNAME "$OPENPROVIDER_REST_USERNAME" + _saveaccountconf_mutable OPENPROVIDER_REST_PASSWORD "$OPENPROVIDER_REST_PASSWORD" +} + +_openprovider_rest() { + httpmethod=$1 + queryparameters=$2 + requestbody=$3 + + _openprovider_rest_login + if [ -z "$openproviderauthtoken" ]; then + _err "Unable to fetch authentication token from Openprovider API." + return 1 + fi + + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + export _H3="Authorization: Bearer $openproviderauthtoken" + + if [ "$httpmethod" != "GET" ]; then + response="$(_post "$requestbody" "$OPENPROVIDER_API_URL/$queryparameters" "" "$httpmethod")" + else + response="$(_get "$OPENPROVIDER_API_URL/$queryparameters")" + fi + + if [ "$?" != "0" ]; then + _err "No valid parameters supplied for Openprovider API: Error $queryparameters" + return 1 + fi + + _debug2 response "$response" + + return 0 +} + +_openprovider_rest_login() { + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + + loginrequesturl="$OPENPROVIDER_API_URL/auth/login" + loginrequestbody="{\"ip\":\"0.0.0.0\",\"password\":\"$OPENPROVIDER_REST_PASSWORD\",\"username\":\"$OPENPROVIDER_REST_USERNAME\"}" + loginresponse="$(_post "$loginrequestbody" "$loginrequesturl" "" "POST")" + + openproviderauthtoken="$(printf "%s\n" "$loginresponse" | _egrep_o '"token" *: *"[^"]*' | _head_n 1 | sed 's#^"token" *: *"##')" + + export openproviderauthtoken +} + +#################### Private functions ################################## + +# Usage: _get_dns_zone _acme-challenge.www.domain.com +# Returns: +# _domain_id=123456789 +# _domain_name=domain.com +# _sub_domain=_acme-challenge.www +_get_dns_zone() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + # Empty value not allowed + return 1 + fi + + if ! _openprovider_rest GET "dns/zones/$h" ""; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id="$(printf "%s\n" "$response" | _egrep_o '"id" *: *[^,]*' | _head_n 1 | sed 's#^"id" *: *##')" + _debug _domain_id "$_domain_id" + + _domain_name="$h" + _debug _domain_name "$_domain_name" + + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _debug _sub_domain "$_sub_domain" + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} diff --git a/dnsapi/dns_pleskxml.sh b/dnsapi/dns_pleskxml.sh index 6b38abcb..465bcc60 100644 --- a/dnsapi/dns_pleskxml.sh +++ b/dnsapi/dns_pleskxml.sh @@ -8,7 +8,7 @@ Options: pleskxml_user Username pleskxml_pass Password Issues: github.com/acmesh-official/acme.sh/issues/2577 -Author: Stilez, +Author: @Stilez, @romanlum ' ## Plesk XML API described at: diff --git a/dnsapi/dns_schlundtech.sh b/dnsapi/dns_schlundtech.sh index 6d2930a2..21930110 100644 --- a/dnsapi/dns_schlundtech.sh +++ b/dnsapi/dns_schlundtech.sh @@ -7,7 +7,7 @@ Options: SCHLUNDTECH_USER Username SCHLUNDTECH_PASSWORD Password Issues: github.com/acmesh-official/acme.sh/issues/2246 -Author: +Author: @mod242 ' SCHLUNDTECH_API="https://gateway.schlundtech.de" diff --git a/dnsapi/dns_selectel.sh b/dnsapi/dns_selectel.sh index 434bc483..565f541b 100644 --- a/dnsapi/dns_selectel.sh +++ b/dnsapi/dns_selectel.sh @@ -1,27 +1,21 @@ #!/usr/bin/env sh # shellcheck disable=SC2034 - -# dns_selectel_info='Selectel.com -# Domains: Selectel.ru -# Site: Selectel.com -# Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_selectel -# Options: -# Variables that must be defined before running -# SL_Ver can take one of the values 'v1' or 'v2', default is 'v1' -# SL_Ver='v1', when using version API legacy (v1) -# SL_Ver='v2', when using version API actual (v2) -# when using API version v1, i.e. SL_Ver is 'v1' or not defined: -# SL_Key - API Key, required -# when using API version v2: -# SL_Ver - required as 'v2' -# SL_Login_ID - account ID, required -# SL_Project_Name - name project, required -# SL_Login_Name - service user name, required -# SL_Pswd - service user password, required -# SL_Expire - token lifetime in minutes (0-1440), default 1400 minutes -# -# Issues: github.com/acmesh-official/acme.sh/issues/5126 -# +dns_selectel_info='Selectel.com +Domains: Selectel.ru +Site: Selectel.com +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_selectel +Options: For old API version v1 (deprecated) + SL_Ver API version. Use "v1". + SL_Key API Key +OptionsAlt: For the current API version v2 + SL_Ver API version. Use "v2". + SL_Login_ID Account ID + SL_Project_Name Project name + SL_Login_Name Service user name + SL_Pswd Service user password + SL_Expire Token lifetime. In minutes (0-1440). Default "1400" +Issues: github.com/acmesh-official/acme.sh/issues/5126 +' SL_Api="https://api.selectel.ru/domains" auth_uri="https://cloud.api.selcloud.ru/identity/v3/auth/tokens" diff --git a/dnsapi/dns_spaceship.sh b/dnsapi/dns_spaceship.sh index 770e22cc..8fff4037 100644 --- a/dnsapi/dns_spaceship.sh +++ b/dnsapi/dns_spaceship.sh @@ -4,11 +4,11 @@ dns_spaceship_info='Spaceship.com Site: Spaceship.com Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_spaceship Options: - SPACESHIP_API_KEY Spaceship API Key - SPACESHIP_API_SECRET Spaceship API Secret - SPACESHIP_ROOT_DOMAIN (Optional) Manually specify the root domain if auto-detection fails + SPACESHIP_API_KEY API Key + SPACESHIP_API_SECRET API Secret + SPACESHIP_ROOT_DOMAIN Root domain. Manually specify the root domain if auto-detection fails. Optional. Issues: github.com/acmesh-official/acme.sh/issues/6304 -Author: Meow +Author: Meow <@Meo597> ' # Spaceship API diff --git a/dnsapi/dns_tele3.sh b/dnsapi/dns_tele3.sh index e5974951..3a3ccf8c 100644 --- a/dnsapi/dns_tele3.sh +++ b/dnsapi/dns_tele3.sh @@ -6,7 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#tele3 Options: TELE3_Key API Key TELE3_Secret API Secret -Author: Roman Blizik +Author: Roman Blizik <@par-pa> ' TELE3_API="https://www.tele3.cz/acme/" diff --git a/dnsapi/dns_timeweb.sh b/dnsapi/dns_timeweb.sh index 544564ea..7040ac9a 100644 --- a/dnsapi/dns_timeweb.sh +++ b/dnsapi/dns_timeweb.sh @@ -6,7 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_timeweb Options: TW_Token API JWT token. Get it from the control panel at https://timeweb.cloud/my/api-keys Issues: github.com/acmesh-official/acme.sh/issues/5140 -Author: Nikolay Pronchev +Author: Nikolay Pronchev <@nikolaypronchev> ' TW_Api="https://api.timeweb.cloud/api/v1" diff --git a/dnsapi/dns_udr.sh b/dnsapi/dns_udr.sh index f9772e10..656a0557 100644 --- a/dnsapi/dns_udr.sh +++ b/dnsapi/dns_udr.sh @@ -7,7 +7,7 @@ Options: UDR_USER Username UDR_PASS Password Issues: github.com/acmesh-official/acme.sh/issues/3923 -Author: Andreas Scherer +Author: Andreas Scherer <@andischerer> ' UDR_API="https://api.domainreselling.de/api/call.cgi" diff --git a/dnsapi/dns_vscale.sh b/dnsapi/dns_vscale.sh index c3915c69..faf3105d 100755 --- a/dnsapi/dns_vscale.sh +++ b/dnsapi/dns_vscale.sh @@ -5,7 +5,7 @@ Site: vscale.io Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_vscale Options: VSCALE_API_KEY API Key -Author: Alex Loban +Author: Alex Loban <@LAV45> ' VSCALE_API_URL="https://api.vscale.io/v1" diff --git a/dnsapi/dns_vultr.sh b/dnsapi/dns_vultr.sh index 61ec3f60..4002e5de 100644 --- a/dnsapi/dns_vultr.sh +++ b/dnsapi/dns_vultr.sh @@ -6,7 +6,6 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_vultr Options: VULTR_API_KEY API Key Issues: github.com/acmesh-official/acme.sh/issues/2374 -Author: ' VULTR_Api="https://api.vultr.com/v2" diff --git a/dnsapi/dns_websupport.sh b/dnsapi/dns_websupport.sh index bfc4b23a..2374afc3 100644 --- a/dnsapi/dns_websupport.sh +++ b/dnsapi/dns_websupport.sh @@ -7,7 +7,7 @@ Options: WS_ApiKey API Key. Called "Identifier" in the WS Admin WS_ApiSecret API Secret. Called "Secret key" in the WS Admin Issues: github.com/acmesh-official/acme.sh/issues/3486 -Author: trgo.sk , akulumbeg +Author: trgo.sk <@trgosk>, @akulumbeg ' # Requirements: API Key and Secret from https://admin.websupport.sk/en/auth/apiKey diff --git a/dnsapi/dns_world4you.sh b/dnsapi/dns_world4you.sh index 46cdc4fe..dc295330 100644 --- a/dnsapi/dns_world4you.sh +++ b/dnsapi/dns_world4you.sh @@ -7,7 +7,7 @@ Options: WORLD4YOU_USERNAME Username WORLD4YOU_PASSWORD Password Issues: github.com/acmesh-official/acme.sh/issues/3269 -Author: Lorenz Stechauner +Author: Lorenz Stechauner <@NerLOR> ' WORLD4YOU_API="https://my.world4you.com/en" From 1b5e66f9c2e4907408c05164010d7cd4422d6051 Mon Sep 17 00:00:00 2001 From: wout Date: Wed, 23 Jul 2025 10:12:32 +0200 Subject: [PATCH 076/313] Add sleep before each REST call to Constellix to prevent rate limit --- dnsapi/dns_constellix.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dnsapi/dns_constellix.sh b/dnsapi/dns_constellix.sh index 6a50e199..480541ed 100644 --- a/dnsapi/dns_constellix.sh +++ b/dnsapi/dns_constellix.sh @@ -156,6 +156,9 @@ _constellix_rest() { data="$3" _debug "$ep" + # Prevent rate limit + _sleep 2 + rdate=$(date +"%s")"000" hmac=$(printf "%s" "$rdate" | _hmac sha1 "$(printf "%s" "$CONSTELLIX_Secret" | _hex_dump | tr -d ' ')" | _base64) From ab22c8ca1cb89cda5e47d510de10e12ffabd39a0 Mon Sep 17 00:00:00 2001 From: wout Date: Tue, 12 Aug 2025 19:04:19 +0200 Subject: [PATCH 077/313] Convert domain to lower case, needed for Constellix REST API --- dnsapi/dns_constellix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_constellix.sh b/dnsapi/dns_constellix.sh index 480541ed..7251f8b2 100644 --- a/dnsapi/dns_constellix.sh +++ b/dnsapi/dns_constellix.sh @@ -117,7 +117,7 @@ dns_constellix_rm() { #################### Private functions below ################################## _get_root() { - domain=$1 + domain=$(echo "$1" | _lower_case) i=2 p=1 _debug "Detecting root zone" From bcf0afb25ef9f159da397db73f1050c3b92f56d0 Mon Sep 17 00:00:00 2001 From: Tobias Grave Date: Fri, 15 Aug 2025 09:02:57 +0200 Subject: [PATCH 078/313] Variomedia API: Fix DNS deletion issues --- dnsapi/dns_variomedia.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_variomedia.sh b/dnsapi/dns_variomedia.sh index fa38bbb6..4620b854 100644 --- a/dnsapi/dns_variomedia.sh +++ b/dnsapi/dns_variomedia.sh @@ -74,7 +74,7 @@ dns_variomedia_rm() { return 1 fi - _record_id="$(echo "$response" | sed -E 's/,"tags":\[[^]]*\]//g' | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep -- "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')" + _record_id="$(echo "$response" | sed -E 's/,"tags":\[[^]]*\]//g' | cut -d '[' -f3 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep -i "$_sub_domain" | grep -- "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')" _debug _record_id "$_record_id" if [ "$_record_id" ]; then _info "Successfully retrieved the record id for ACME challenge." From 5b02e8633441ece592bc2b9f21bd52b7ea38af25 Mon Sep 17 00:00:00 2001 From: asauerwein Date: Wed, 20 Aug 2025 17:47:36 +0200 Subject: [PATCH 079/313] add template_stack option to push to device --- deploy/panos.sh | 75 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 3 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 0dc1b2f0..2ed6a230 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -7,20 +7,26 @@ # # Firewall admin with superuser and IP address is required. # -# REQURED: +# REQUIRED: # export PANOS_HOST="" # export PANOS_USER="" #User *MUST* have Commit and Import Permissions in XML API for Admin Role # export PANOS_PASS="" # # OPTIONAL -# export PANOS_TEMPLATE="" #Template Name of panorama managed devices +# export PANOS_TEMPLATE="" # Template Name of panorama managed devices +# export PANOS_TEMPLATE_STACK="" # set a Template Stack if certificate should also be pushed automatically +# export PANOS_VSYS="Shared" # name of the vsys to import the certificate # # The script will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. + + + # This function is to parse the XML response from the firewall parse_response() { type=$2 + _debug "API Response: $1" if [ "$type" = 'keygen' ]; then status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') if [ "$status" = "success" ]; then @@ -30,6 +36,13 @@ parse_response() { message="PAN-OS Key could not be set." fi else + if [ "$type" = 'commit' ]; then + job_id=$(echo "$1" | sed 's/^.*\(\)\(.*\)<\/job>.*/\2/g') + _commit_job_id=$job_id + elif [ "$type" = 'job_status' ]; then + job_status=$(echo "$1" | tr -d '\n' | sed 's/^.*\([^<]*\)<\/result>.*/\1/g') + _commit_job_status=$job_status + fi status=$(echo "$1" | tr -d '\n' | sed 's/^.*"\([a-z]*\)".*/\1/g') message=$(echo "$1" | tr -d '\n' | sed 's/.*\(\|\|\)\([^<]*\).*/\2/g') _debug "Firewall message: $message" @@ -44,7 +57,7 @@ parse_response() { #This function is used to deploy to the firewall deployer() { content="" - type=$1 # Types are keytest, keygen, cert, key, commit + type=$1 # Types are keytest, keygen, cert, key, commit, job_status, push panos_url="https://$_panos_host/api/" #Test API Key by performing a lookup @@ -84,6 +97,9 @@ deployer() { if [ "$_panos_template" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template" fi + if [ "$_panos_vsys" ]; then + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl-vsys\"\r\n\r\n$_panos_vsys" + fi fi if [ "$type" = 'key' ]; then panos_url="${panos_url}?type=import" @@ -96,6 +112,9 @@ deployer() { if [ "$_panos_template" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template" fi + if [ "$_panos_vsys" ]; then + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl-vsys\"\r\n\r\n$_panos_vsys" + fi fi #Close multipart content="$content${nl}--$delim--${nl}${nl}" @@ -118,6 +137,22 @@ deployer() { content="type=commit&action=partial&key=$_panos_key&cmd=$cmd" fi + # Query job status + if [ "$type" = 'job_status' ]; then + echo "**** Querying job $_commit_job_id status ****" + H1="Content-Type: application/x-www-form-urlencoded" + cmd=$(printf "%s" "$_commit_job_id" | _url_encode) + content="type=op&key=$_panos_key&cmd=$cmd" + fi + + # Push changes + if [ "$type" = 'push' ]; then + echo "**** Pushing changes ****" + H1="Content-Type: application/x-www-form-urlencoded" + cmd=$(printf "%s" "$_panos_template_stack$_panos_user" | _url_encode) + content="type=commit&action=all&key=$_panos_key&cmd=$cmd" + fi + response=$(_post "$content" "$panos_url" "" "POST") parse_response "$response" "$type" # Saving response to variables @@ -126,6 +161,8 @@ deployer() { if [ "$response_status" = "success" ]; then _debug "Successfully deployed $type" return 0 + elif [ "$_commit_job_status" ]; then + _debug "Commit Job Status = $_commit_job_status" else _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot." _debug "$message" @@ -191,11 +228,31 @@ panos_deploy() { _getdeployconf PANOS_TEMPLATE fi + # PANOS_TEMPLATE_STACK + if [ "$PANOS_TEMPLATE_STACK" ]; then + _debug "Detected ENV variable PANOS_TEMPLATE_STACK. Saving to file." + _savedeployconf PANOS_TEMPLATE_STACK "$PANOS_TEMPLATE_STACK" 1 + else + _debug "Attempting to load variable PANOS_TEMPLATE_STACK from file." + _getdeployconf PANOS_TEMPLATE_STACK + fi + + # PANOS_TEMPLATE_STACK + if [ "$PANOS_VSYS" ]; then + _debug "Detected ENV variable PANOS_VSYS. Saving to file." + _savedeployconf PANOS_VSYS "$PANOS_VSYS" 1 + else + _debug "Attempting to load variable PANOS_VSYS from file." + _getdeployconf PANOS_VSYS + fi + #Store variables _panos_host=$PANOS_HOST _panos_user=$PANOS_USER _panos_pass=$PANOS_PASS _panos_template=$PANOS_TEMPLATE + _panos_template_stack=$PANOS_TEMPLATE_STACK + _panos_vsys=$PANOS_VSYS #Test API Key if found. If the key is invalid, the variable _panos_key will be unset. if [ "$_panos_host" ] && [ "$_panos_key" ]; then @@ -229,6 +286,18 @@ panos_deploy() { deployer cert deployer key deployer commit + if [ "$_panos_template_stack" ]; then + # try to get job status for 20 times in 30 sec interval + for ((i = 0 ; i < 20 ; i++ )); do + deployer job_status + if [[ "$_commit_job_status" == "OK" ]]; then + echo "Commit finished!" + break + fi + sleep 30 + done + deployer push + fi fi fi } From fdb1e8c2e46143a84aa8d26d49d5c1dce50aea74 Mon Sep 17 00:00:00 2001 From: asauerwein Date: Wed, 20 Aug 2025 18:37:25 +0200 Subject: [PATCH 080/313] fix usage of H1 header change to while loop use global variable for loop fix if statement to be sh compliant shfmt --- deploy/panos.sh | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 2ed6a230..a9232e79 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -20,8 +20,8 @@ # The script will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. - - +_COMMIT_WAIT_INTERVAL=30 # query commit status every 30 seconds +_COMMIT_WAIT_ITERATIONS=20 # query commit status 20 times (20*30 = 600 seconds = 10 minutes) # This function is to parse the XML response from the firewall parse_response() { @@ -59,11 +59,11 @@ deployer() { content="" type=$1 # Types are keytest, keygen, cert, key, commit, job_status, push panos_url="https://$_panos_host/api/" + export _H1="Content-Type: application/x-www-form-urlencoded" #Test API Key by performing a lookup if [ "$type" = 'keytest' ]; then _debug "**** Testing saved API Key ****" - _H1="Content-Type: application/x-www-form-urlencoded" # Get Version Info to test key content="type=version&key=$_panos_key" ## Exclude all scopes for the empty commit @@ -74,7 +74,6 @@ deployer() { # Generate API Key if [ "$type" = 'keygen' ]; then _debug "**** Generating new API Key ****" - _H1="Content-Type: application/x-www-form-urlencoded" content="type=keygen&user=$_panos_user&password=$_panos_pass" # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" fi @@ -99,7 +98,7 @@ deployer() { fi if [ "$_panos_vsys" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl-vsys\"\r\n\r\n$_panos_vsys" - fi + fi fi if [ "$type" = 'key' ]; then panos_url="${panos_url}?type=import" @@ -114,7 +113,7 @@ deployer() { fi if [ "$_panos_vsys" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl-vsys\"\r\n\r\n$_panos_vsys" - fi + fi fi #Close multipart content="$content${nl}--$delim--${nl}${nl}" @@ -125,7 +124,6 @@ deployer() { # Commit changes if [ "$type" = 'commit' ]; then _debug "**** Committing changes ****" - export _H1="Content-Type: application/x-www-form-urlencoded" #Check for force commit - will commit ALL uncommited changes to the firewall. Use with caution! if [ "$FORCE" ]; then _debug "Force switch detected. Committing ALL changes to the firewall." @@ -140,7 +138,6 @@ deployer() { # Query job status if [ "$type" = 'job_status' ]; then echo "**** Querying job $_commit_job_id status ****" - H1="Content-Type: application/x-www-form-urlencoded" cmd=$(printf "%s" "$_commit_job_id" | _url_encode) content="type=op&key=$_panos_key&cmd=$cmd" fi @@ -148,7 +145,6 @@ deployer() { # Push changes if [ "$type" = 'push' ]; then echo "**** Pushing changes ****" - H1="Content-Type: application/x-www-form-urlencoded" cmd=$(printf "%s" "$_panos_template_stack$_panos_user" | _url_encode) content="type=commit&action=all&key=$_panos_key&cmd=$cmd" fi @@ -288,13 +284,15 @@ panos_deploy() { deployer commit if [ "$_panos_template_stack" ]; then # try to get job status for 20 times in 30 sec interval - for ((i = 0 ; i < 20 ; i++ )); do - deployer job_status - if [[ "$_commit_job_status" == "OK" ]]; then - echo "Commit finished!" - break - fi - sleep 30 + i=0 + while [ "$i" -lt $_COMMIT_WAIT_ITERATIONS ]; do + deployer job_status + if [ "$_commit_job_status" = "OK" ]; then + echo "Commit finished!" + break + fi + sleep $_COMMIT_WAIT_INTERVAL + i=$((i + 1)) done deployer push fi From d7c428fc8d6bb123b890ec669b606eaf620b9c25 Mon Sep 17 00:00:00 2001 From: Richard Glidden Date: Mon, 30 Jun 2025 14:14:26 -0400 Subject: [PATCH 081/313] feat: Add ability to deploy to remote TrueNAS instances --- deploy/truenas_ws.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/deploy/truenas_ws.sh b/deploy/truenas_ws.sh index bdc1b846..74a46530 100644 --- a/deploy/truenas_ws.sh +++ b/deploy/truenas_ws.sh @@ -39,13 +39,13 @@ _ws_call() { _debug "_ws_call arg2" "$2" _debug "_ws_call arg3" "$3" if [ $# -eq 3 ]; then - _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3") + _ws_response=$(midclt --uri $_ws_uri -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3") fi if [ $# -eq 2 ]; then - _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2") + _ws_response=$(midclt --uri $_ws_uri -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2") fi if [ $# -eq 1 ]; then - _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1") + _ws_response=$(midclt --uri $_ws_uri -K "$DEPLOY_TRUENAS_APIKEY" call "$1") fi _debug "_ws_response" "$_ws_response" printf "%s" "$_ws_response" @@ -60,7 +60,7 @@ _ws_upload_cert() { import sys from truenas_api_client import Client -with Client() as c: +with Client(uri="$_ws_uri") as c: ### Login with API key print("I:Trying to upload new certificate...") @@ -175,6 +175,16 @@ truenas_ws_deploy() { _debug _file_ca "$_file_ca" _debug _file_fullchain "$_file_fullchain" + ########## Default values for hostname and protocol + [ -n "${DEPLOY_TRUENAS_HOSTNAME}" ] || DEPLOY_TRUENAS_HOSTNAME="localhost" + [ -n "${DEPLOY_TRUENAS_PROTOCOL}" ] || DEPLOY_TRUENAS_PROTOCOL="ws" + + _debug2 DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME" + _debug2 DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL" + + _ws_uri="$DEPLOY_TRUENAS_PROTOCOL://$DEPLOY_TRUENAS_HOSTNAME/websocket" + _debug _ws_uri "$_ws_uri" + ########## Environment check _info "Checking environment variables..." @@ -304,7 +314,7 @@ truenas_ws_deploy() { _info "Restarting WebUI..." _ws_response=$(_ws_call "system.general.ui_restart") _info "Waiting for UI restart..." - sleep 6 + sleep 15 ########## Certificates From 6d40ac86449cdb80b52c6ffb647eac560174c84c Mon Sep 17 00:00:00 2001 From: Richard Glidden Date: Mon, 30 Jun 2025 14:51:36 -0400 Subject: [PATCH 082/313] chore: Fix shellcheck errors --- deploy/truenas_ws.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/truenas_ws.sh b/deploy/truenas_ws.sh index 74a46530..ea6fc7e6 100644 --- a/deploy/truenas_ws.sh +++ b/deploy/truenas_ws.sh @@ -39,13 +39,13 @@ _ws_call() { _debug "_ws_call arg2" "$2" _debug "_ws_call arg3" "$3" if [ $# -eq 3 ]; then - _ws_response=$(midclt --uri $_ws_uri -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3") + _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3") fi if [ $# -eq 2 ]; then - _ws_response=$(midclt --uri $_ws_uri -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2") + _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2") fi if [ $# -eq 1 ]; then - _ws_response=$(midclt --uri $_ws_uri -K "$DEPLOY_TRUENAS_APIKEY" call "$1") + _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1") fi _debug "_ws_response" "$_ws_response" printf "%s" "$_ws_response" From 5aae3333bc653340c45981b6bd798ec90509301a Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 20:44:24 +0100 Subject: [PATCH 083/313] Show proxmox deploy scripts response only on debug --- deploy/proxmoxbs.sh | 12 +++++++++++- deploy/proxmoxve.sh | 12 +++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/deploy/proxmoxbs.sh b/deploy/proxmoxbs.sh index d1146454..e8528e8f 100644 --- a/deploy/proxmoxbs.sh +++ b/deploy/proxmoxbs.sh @@ -115,6 +115,16 @@ HEREDOC _info "Push certificates to server" export HTTPS_INSECURE=1 export _H1="Authorization: PBSAPIToken=${_proxmoxbs_header_api_token}" - _post "$_json_payload" "$_target_url" "" POST "application/json" + response=$(_post "$_json_payload" "$_target_url" "" POST "application/json") + _retval=$? + if [ "${_retval}" -eq 0 ]; then + _debug3 response "$response" + _info "Certificate successfully deployed" + return 0 + else + _err "Certificate deployment failed" + _debug "Response" "$response" + return 1 + fi } diff --git a/deploy/proxmoxve.sh b/deploy/proxmoxve.sh index f9de590c..8c67f7de 100644 --- a/deploy/proxmoxve.sh +++ b/deploy/proxmoxve.sh @@ -127,6 +127,16 @@ HEREDOC _info "Push certificates to server" export HTTPS_INSECURE=1 export _H1="Authorization: PVEAPIToken=${_proxmoxve_header_api_token}" - _post "$_json_payload" "$_target_url" "" POST "application/json" + response=$(_post "$_json_payload" "$_target_url" "" POST "application/json") + _retval=$? + if [ "${_retval}" -eq 0 ]; then + _debug3 response "$response" + _info "Certificate successfully deployed" + return 0 + else + _err "Certificate deployment failed" + _debug "Response" "$response" + return 1 + fi } From d366b7e4fc7799bcb1a43213e2566096e1c19a28 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Mon, 1 Sep 2025 19:54:36 +0100 Subject: [PATCH 084/313] Fix diff in wiki notifications (use full clone) The checkout action fetches one single commit, so attempts to find previous states of a page result in error. Adding fetch-depth:0 to the configuration fetches all commits and makes finding the previous commit that changed a page possible in the github action. --- .github/workflows/wiki-monitor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/wiki-monitor.yml b/.github/workflows/wiki-monitor.yml index 89497580..b0332775 100644 --- a/.github/workflows/wiki-monitor.yml +++ b/.github/workflows/wiki-monitor.yml @@ -12,6 +12,7 @@ jobs: with: repository: ${{ github.repository }}.wiki path: wiki + fetch-depth: 0 - name: Generate wiki change message run: | @@ -58,3 +59,4 @@ jobs: + From 04e254923939d0d600cd8b29dfe3b34ca7421052 Mon Sep 17 00:00:00 2001 From: Guillaume PELURE Date: Tue, 2 Sep 2025 21:13:38 +0200 Subject: [PATCH 085/313] socat rejects TCP-LISTEN on ipv6 only networks --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d70e323b..5c4d6543 100755 --- a/acme.sh +++ b/acme.sh @@ -2538,15 +2538,17 @@ _startserver() { _NC="socat" if [ "$Le_Listen_V6" ]; then _NC="$_NC -6" + SOCAT_OPTIONS=TCP6-LISTEN else _NC="$_NC -4" + SOCAT_OPTIONS=TCP4-LISTEN fi if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then _NC="$_NC -d -d -v" fi - SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork + SOCAT_OPTIONS=$SOCAT_OPTIONS:$Le_HTTPPort,crlf,reuseaddr,fork #Adding bind to local-address if [ "$ncaddr" ]; then From 39cb87dc4bf481460ddba4d2754f07d351da07e4 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 5 Sep 2025 22:08:55 +0200 Subject: [PATCH 086/313] fix for DragonflyBSD just move "date -u -j -f" before the linux branch. --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index d9ae208a..bfd26bd6 100755 --- a/acme.sh +++ b/acme.sh @@ -1811,6 +1811,10 @@ _time() { # 2022-04-01 08:10:33 to 1648800633 #or 2022-04-01T08:10:33Z to 1648800633 _date2time() { + #Mac/BSD + if date -u -j -f "%Y-%m-%d %H:%M:%S" "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then + return + fi #Linux if date -u -d "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then return @@ -1820,10 +1824,6 @@ _date2time() { if gdate -u -d "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then return fi - #Mac/BSD - if date -u -j -f "%Y-%m-%d %H:%M:%S" "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then - return - fi #Omnios if python3 -c "import datetime; print(int(datetime.datetime.strptime(\"$1\", \"%Y-%m-%d %H:%M:%S\").replace(tzinfo=datetime.timezone.utc).timestamp()))" 2>/dev/null; then return From e0e3cdc316f75af54e411f844093a9cff08781ac Mon Sep 17 00:00:00 2001 From: Eric Fu Date: Sat, 6 Sep 2025 22:31:50 +0800 Subject: [PATCH 087/313] Fix sed command in telegram notifier --- notify/telegram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/telegram.sh b/notify/telegram.sh index ccbd1533..c0621ae7 100644 --- a/notify/telegram.sh +++ b/notify/telegram.sh @@ -34,8 +34,8 @@ telegram_send() { fi _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE" - _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+--=|{}.!]\)/\\\\\1/g')" - _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+--=|{}.!]\)/\\\\\1/g')" + _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" + _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)" _data="{\"text\": \"$_content\", " _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", " From 30faf500eb4f9394c3d43dbbba5eda43e4947e34 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 7 Sep 2025 10:09:27 +0200 Subject: [PATCH 088/313] fix https://github.com/acmesh-official/acme.sh/pull/6499#issuecomment-3259771356 --- acme.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d335990c..3316b25f 100755 --- a/acme.sh +++ b/acme.sh @@ -2539,9 +2539,11 @@ _startserver() { if [ "$Le_Listen_V6" ]; then _NC="$_NC -6" SOCAT_OPTIONS=TCP6-LISTEN - else + elif [ "$Le_Listen_V4" ]; then _NC="$_NC -4" SOCAT_OPTIONS=TCP4-LISTEN + else + SOCAT_OPTIONS=TCP-LISTEN fi if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then From 93dc22a71f62e28b28788974f5474c6331e9fb6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Sun, 7 Sep 2025 16:57:10 +0200 Subject: [PATCH 089/313] Support Nanelo DNS Team- & Workspace-specific API keys Nanelo Team- and Workspace-specific API keys require the "domain" parameter to be set containing the DNS zone name (unlike the Domain-specific API keys). So I've added a function to detect the root DNS zone and set the required parameter as described here: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide#3-detect-which-part-is-your-root-zone --- dnsapi/dns_nanelo.sh | 62 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index 1ab47a89..cc3573a0 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -27,8 +27,16 @@ dns_nanelo_add() { fi _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _info "Adding TXT record to ${fulldomain}" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?domain=${_domain}&type=TXT&ttl=60&name=${_sub_domain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi @@ -51,8 +59,16 @@ dns_nanelo_rm() { fi _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _info "Deleting resource record $fulldomain" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?domain=${_domain}&type=TXT&ttl=60&name=${_sub_domain}&value=${txtvalue}")" if _contains "${response}" 'success'; then return 0 fi @@ -60,3 +76,45 @@ dns_nanelo_rm() { _err "${response}" return 1 } + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com + +_get_root() { + fulldomain=$1 + + # Fetch all zones from Nanelo + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/getzones")" || return 1 + + # Extract "zones" array into space-separated list + zones=$(echo "$response" \ + | tr -d ' \n' \ + | sed -n 's/.*"zones":\[\([^]]*\)\].*/\1/p' \ + | tr -d '"' \ + | tr , ' ') + _debug zones "$zones" + + bestzone="" + for z in $zones; do + case "$fulldomain" in + *.$z|$z) + if [ ${#z} -gt ${#bestzone} ]; then + bestzone=$z + fi + ;; + esac + done + + if [ -z "$bestzone" ]; then + _err "No matching zone found for $fulldomain" + return 1 + fi + + _domain="$bestzone" + _sub_domain=$(printf "%s" "$fulldomain" | sed "s/\\.$_domain\$//") + + return 0 +} From 31d72645838a1781dc5e38c0b1291e94b30ad0dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Sun, 7 Sep 2025 17:14:06 +0200 Subject: [PATCH 090/313] Fix pattern matching for best zone selection --- dnsapi/dns_nanelo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index cc3573a0..abf3cf47 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -100,7 +100,7 @@ _get_root() { bestzone="" for z in $zones; do case "$fulldomain" in - *.$z|$z) + *."$z"|"$z") if [ ${#z} -gt ${#bestzone} ]; then bestzone=$z fi From 5aa964cde997a091b47af6a0b355f236d8631391 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=20=7C=20Anton=20R=C3=B6hm?= <18481195+AnTheMaker@users.noreply.github.com> Date: Sun, 7 Sep 2025 17:14:40 +0200 Subject: [PATCH 091/313] Formatting using shfmt to format the code --- dnsapi/dns_nanelo.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index abf3cf47..8bb95136 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -90,21 +90,21 @@ _get_root() { response="$(_get "$NANELO_API$NANELO_TOKEN/dns/getzones")" || return 1 # Extract "zones" array into space-separated list - zones=$(echo "$response" \ - | tr -d ' \n' \ - | sed -n 's/.*"zones":\[\([^]]*\)\].*/\1/p' \ - | tr -d '"' \ - | tr , ' ') + zones=$(echo "$response" | + tr -d ' \n' | + sed -n 's/.*"zones":\[\([^]]*\)\].*/\1/p' | + tr -d '"' | + tr , ' ') _debug zones "$zones" bestzone="" for z in $zones; do case "$fulldomain" in - *."$z"|"$z") - if [ ${#z} -gt ${#bestzone} ]; then - bestzone=$z - fi - ;; + *."$z" | "$z") + if [ ${#z} -gt ${#bestzone} ]; then + bestzone=$z + fi + ;; esac done From d8a92a2e658d4ea120dd71d41928e55dc713deb9 Mon Sep 17 00:00:00 2001 From: An <18481195+AnTheMaker@users.noreply.github.com> Date: Mon, 8 Sep 2025 21:27:57 +0200 Subject: [PATCH 092/313] switch nanelo api to post requests --- dnsapi/dns_nanelo.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index 8bb95136..23f306a7 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -36,7 +36,7 @@ dns_nanelo_add() { _debug _domain "$_domain" _info "Adding TXT record to ${fulldomain}" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?domain=${_domain}&type=TXT&ttl=60&name=${_sub_domain}&value=${txtvalue}")" + response="$(_post "" "$NANELO_API$NANELO_TOKEN/dns/addrecord?domain=${_domain}&type=TXT&ttl=60&name=${_sub_domain}&value=${txtvalue}" "" "" "")" if _contains "${response}" 'success'; then return 0 fi @@ -68,7 +68,7 @@ dns_nanelo_rm() { _debug _domain "$_domain" _info "Deleting resource record $fulldomain" - response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?domain=${_domain}&type=TXT&ttl=60&name=${_sub_domain}&value=${txtvalue}")" + response="$(_post "" "$NANELO_API$NANELO_TOKEN/dns/deleterecord?domain=${_domain}&type=TXT&ttl=60&name=${_sub_domain}&value=${txtvalue}" "" "" "")" if _contains "${response}" 'success'; then return 0 fi From 8608e9cd3a49c1a9f948e19ea3a62fac62a24aef Mon Sep 17 00:00:00 2001 From: Richard Glidden Date: Fri, 12 Sep 2025 22:22:30 -0400 Subject: [PATCH 093/313] Save and read variables --- deploy/truenas_ws.sh | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/deploy/truenas_ws.sh b/deploy/truenas_ws.sh index ea6fc7e6..a204d352 100644 --- a/deploy/truenas_ws.sh +++ b/deploy/truenas_ws.sh @@ -175,25 +175,31 @@ truenas_ws_deploy() { _debug _file_ca "$_file_ca" _debug _file_fullchain "$_file_fullchain" - ########## Default values for hostname and protocol - [ -n "${DEPLOY_TRUENAS_HOSTNAME}" ] || DEPLOY_TRUENAS_HOSTNAME="localhost" - [ -n "${DEPLOY_TRUENAS_PROTOCOL}" ] || DEPLOY_TRUENAS_PROTOCOL="ws" - - _debug2 DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME" - _debug2 DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL" - - _ws_uri="$DEPLOY_TRUENAS_PROTOCOL://$DEPLOY_TRUENAS_HOSTNAME/websocket" - _debug _ws_uri "$_ws_uri" - ########## Environment check _info "Checking environment variables..." _getdeployconf DEPLOY_TRUENAS_APIKEY + _getdeployconf DEPLOY_TRUENAS_HOSTNAME + _getdeployconf DEPLOY_TRUENAS_PROTOCOL # Check API Key if [ -z "$DEPLOY_TRUENAS_APIKEY" ]; then _err "TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable." return 1 fi + # Check Hostname, default to localhost if not set + if [ -z "$DEPLOY_TRUENAS_HOSTNAME" ]; then + _info "TrueNAS hostname not set. Using 'localhost'." + DEPLOY_TRUENAS_HOSTNAME="localhost" + fi + # Check protocol, default to ws if not set + if [ -z "$DEPLOY_TRUENAS_PROTOCOL" ]; then + _info "TrueNAS protocol not set. Using 'ws'." + DEPLOY_TRUENAS_PROTOCOL="ws" + fi + _ws_uri="$DEPLOY_TRUENAS_PROTOCOL://$DEPLOY_TRUENAS_HOSTNAME/websocket" + _debug2 DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME" + _debug2 DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL" + _debug _ws_uri "$_ws_uri" _secure_debug2 DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY" _info "Environment variables: OK" @@ -215,6 +221,8 @@ truenas_ws_deploy() { return 2 fi _savedeployconf DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY" + _savedeployconf DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME" + _savedeployconf DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL" _info "TrueNAS health: OK" ########## System info From a1ea2a5aa6a63c1c99daffc66c1463e3a2ac88ab Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 14 Sep 2025 10:35:21 +0200 Subject: [PATCH 094/313] fix tr https://github.com/acmesh-official/acme.sh/issues/6511#issuecomment-3282521860 --- acme.sh | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 3316b25f..02986a33 100755 --- a/acme.sh +++ b/acme.sh @@ -436,14 +436,28 @@ _secure_debug3() { fi } +__USE_TR_TAG="" +if [ "$(echo "abc" | LANG=C tr a-z A-Z 2>/dev/null)" != "ABC" ] ; then + __USE_TR_TAG="1" +fi +export __USE_TR_TAG + _upper_case() { + if [ "$__USE_TR_TAG" ]; then + LANG=C tr '[:lower:]' '[:upper:]' + else # shellcheck disable=SC2018,SC2019 - tr '[a-z]' '[A-Z]' + LANG=C tr '[a-z]' '[A-Z]' + fi } _lower_case() { - # shellcheck disable=SC2018,SC2019 - tr '[A-Z]' '[a-z]' + if [ "$__USE_TR_TAG" ]; then + LANG=C tr '[:upper:]' '[:lower:]' + else + # shellcheck disable=SC2018,SC2019 + LANG=C tr '[A-Z]' '[a-z]' + fi } _startswith() { From d76f4b27b0f2eae8b75d41459eff6e51094045ca Mon Sep 17 00:00:00 2001 From: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com> Date: Sun, 7 Sep 2025 23:54:45 +1000 Subject: [PATCH 095/313] dnsapi/dns_opnsense.sh: Refresh for OPNsense v25.7 series Updates the dns_opnsense.sh Bourne shell script for OPNSense v25.7 series: 1. Fixes historical error in rm_record() [used incorrect response variable] 2. Improves debug messaging in rm_record() 3. Fixes _get_root() for change in OPNsense API * Response is now split into pseudo-rows * We now iterate through pseudo-rows for matching domainname field 4. Fixes _existingchallenge() for change in OPNsense API * Fixes unreliable regex for uuid * Adds domain regex and %domain field 5. Fixes historical error in _existingchallenge() [incorrect variable syntax] Resolves #6467 Signed-off-by: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com> --- dnsapi/dns_opnsense.sh | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/dnsapi/dns_opnsense.sh b/dnsapi/dns_opnsense.sh index d1e9c0ac..a11cfae5 100755 --- a/dnsapi/dns_opnsense.sh +++ b/dnsapi/dns_opnsense.sh @@ -110,15 +110,16 @@ rm_record() { if _existingchallenge "$_domain" "$_host" "$new_challenge"; then # Delete if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then - if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then - _opns_rest "POST" "/service/reconfigure" "{}" + if echo "$response" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then _debug "Record deleted" + _opns_rest "POST" "/service/reconfigure" "{}" + _debug "Service reconfigured" else _err "Error deleting record $_host from domain $fulldomain" return 1 fi else - _err "Error deleting record $_host from domain $fulldomain" + _err "Error requesting deletion of record $_host from domain $fulldomain" return 1 fi else @@ -150,14 +151,17 @@ _get_root() { return 1 fi _debug h "$h" - id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) - if [ -n "$id" ]; then - _debug id "$id" - _host=$(printf "%s" "$domain" | cut -d . -f 1-"$p") - _domain="${h}" - _domainid="${id}" - return 0 - fi + lines=$(echo "$_domain_response" | sed 's/{/\n/g') + for line in $lines; do + id=$(echo "$line" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",.*\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) + if [ -n "$id" ]; then + _debug id "$id" + _host=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain="${h}" + _domainid="${id}" + return 0 + fi + done p=$i i=$(_math "$i" + 1) done @@ -206,13 +210,13 @@ _existingchallenge() { return 1 fi _uuid="" - _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2) + _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"[01]\",\"domain\":\"[a-z0-9\-]*\",\"%domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2) if [ -n "$_uuid" ]; then _debug uuid "$_uuid" return 0 fi - _debug "${2}.$1{1} record not found" + _debug "${2}.${1} record not found" return 1 } From df350e6660df5b61e353a5daed7d7a1ee1f5ba4a Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 15 Sep 2025 19:34:54 +0200 Subject: [PATCH 096/313] fix format --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 02986a33..9105a0a4 100755 --- a/acme.sh +++ b/acme.sh @@ -437,7 +437,7 @@ _secure_debug3() { } __USE_TR_TAG="" -if [ "$(echo "abc" | LANG=C tr a-z A-Z 2>/dev/null)" != "ABC" ] ; then +if [ "$(echo "abc" | LANG=C tr a-z A-Z 2>/dev/null)" != "ABC" ]; then __USE_TR_TAG="1" fi export __USE_TR_TAG @@ -446,7 +446,7 @@ _upper_case() { if [ "$__USE_TR_TAG" ]; then LANG=C tr '[:lower:]' '[:upper:]' else - # shellcheck disable=SC2018,SC2019 + # shellcheck disable=SC2018,SC2019 LANG=C tr '[a-z]' '[A-Z]' fi } From 44c7473ef97bcae83e829a4a7e6b2ddcfc0d8369 Mon Sep 17 00:00:00 2001 From: Min Wang Date: Tue, 16 Sep 2025 15:09:12 +0800 Subject: [PATCH 097/313] fix bug for #6510 --- notify/telegram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/telegram.sh b/notify/telegram.sh index c0621ae7..7da05729 100644 --- a/notify/telegram.sh +++ b/notify/telegram.sh @@ -34,8 +34,8 @@ telegram_send() { fi _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE" - _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" - _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" + _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([-_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" + _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([-_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)" _data="{\"text\": \"$_content\", " _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", " From 1b00ced7adf0c9ffe39c2f5e883395f7abefc2cc Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Tue, 16 Sep 2025 09:20:31 +0200 Subject: [PATCH 098/313] Add `--profile` as option for selecting certificate profile --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index ead7602b..7a8e4e9b 100755 --- a/acme.sh +++ b/acme.sh @@ -7702,7 +7702,7 @@ _process() { _valid_to="$2" shift ;; - --certificate-profile) + --certificate-profile | --profile) _certificate_profile="$2" shift ;; From 070cd0f4dfe983d093e1661aab8b73678cf5b259 Mon Sep 17 00:00:00 2001 From: Richard Glidden Date: Tue, 16 Sep 2025 22:19:16 -0400 Subject: [PATCH 099/313] Use _sleep instead of sleep --- deploy/truenas_ws.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/truenas_ws.sh b/deploy/truenas_ws.sh index a204d352..d334853e 100644 --- a/deploy/truenas_ws.sh +++ b/deploy/truenas_ws.sh @@ -121,7 +121,7 @@ _ws_check_jobid() { # n/a _ws_get_job_result() { while true; do - sleep 2 + _sleep 2 _ws_response=$(_ws_call "core.get_jobs" "[[\"id\", \"=\", $1]]") if [ "$(printf "%s" "$_ws_response" | jq -r '.[]."state"')" != "RUNNING" ]; then _ws_result="$(printf "%s" "$_ws_response" | jq '.[]."result"')" @@ -322,7 +322,7 @@ truenas_ws_deploy() { _info "Restarting WebUI..." _ws_response=$(_ws_call "system.general.ui_restart") _info "Waiting for UI restart..." - sleep 15 + _sleep 15 ########## Certificates From c3ec827fdd87ae7a595f7c84aa7395a52321f6df Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 19 Sep 2025 20:54:09 +0200 Subject: [PATCH 100/313] remove buypass --- acme.sh | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/acme.sh b/acme.sh index 9105a0a4..4d849845 100755 --- a/acme.sh +++ b/acme.sh @@ -23,9 +23,6 @@ _SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY" CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory" CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory" -CA_BUYPASS="https://api.buypass.com/acme/directory" -CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory" - CA_ZEROSSL="https://acme.zerossl.com/v2/DV90" _ZERO_EAB_ENDPOINT="https://api.zerossl.com/acme/eab-credentials-email" @@ -42,14 +39,12 @@ CA_NAMES=" ZeroSSL.com,zerossl LetsEncrypt.org,letsencrypt LetsEncrypt.org_test,letsencrypt_test,letsencrypttest -BuyPass.com,buypass -BuyPass.com_test,buypass_test,buypasstest SSL.com,sslcom Google.com,google Google.com_test,googletest,google_test " -CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST" +CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST" DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" @@ -5478,10 +5473,6 @@ renew() { _info "Switching back to $CA_LETSENCRYPT_V2" Le_API="$CA_LETSENCRYPT_V2" ;; - "$CA_BUYPASS_TEST") - _info "Switching back to $CA_BUYPASS" - Le_API="$CA_BUYPASS" - ;; "$CA_GOOGLE_TEST") _info "Switching back to $CA_GOOGLE" Le_API="$CA_GOOGLE" From 471e0c05f9b69dd2ae2ce7c7968b7f497334c18d Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 20 Sep 2025 10:38:43 +0200 Subject: [PATCH 101/313] remove mageia --- .github/workflows/Linux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Linux.yml b/.github/workflows/Linux.yml index c74e9d3e..f3352a41 100644 --- a/.github/workflows/Linux.yml +++ b/.github/workflows/Linux.yml @@ -26,7 +26,7 @@ jobs: Linux: strategy: matrix: - os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"] + os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "gentoo/stage3"] runs-on: ubuntu-latest env: TEST_LOCAL: 1 From f22b490a10bf07317096511e59d7791fc13b4fb7 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 21 Sep 2025 18:04:59 +0200 Subject: [PATCH 102/313] remove buypass --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 9a5c106b..a8cb5403 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,6 @@ https://github.com/acmesh-official/acmetest - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default) - Letsencrypt.org CA -- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA) - [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) - [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) - [Pebble strict Mode](https://github.com/letsencrypt/pebble) From 5954f0dde54488d68bdd4c92ea2f0ab8ea1ee869 Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Mon, 22 Sep 2025 12:11:50 +0200 Subject: [PATCH 103/313] Change to `--cert-profile` --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 7a8e4e9b..d157c2a4 100755 --- a/acme.sh +++ b/acme.sh @@ -7702,7 +7702,7 @@ _process() { _valid_to="$2" shift ;; - --certificate-profile | --profile) + --certificate-profile | --cert-profile) _certificate_profile="$2" shift ;; From 604e6873ba43609dc686f869e5c42a7d31547030 Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Mon, 22 Sep 2025 12:12:17 +0200 Subject: [PATCH 104/313] Add short name + wiki link to help --- acme.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d157c2a4..ef3c592d 100755 --- a/acme.sh +++ b/acme.sh @@ -180,6 +180,8 @@ _VALIDITY_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Validity" _DNSCHECK_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnscheck" +_PROFILESELECTION_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Profile-selection" + _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead." _DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR" @@ -7006,7 +7008,8 @@ Parameters: If no match, the default offered chain will be used. (default: empty) See: $_PREFERRED_CHAIN_WIKI - --certificate-profile If the CA offers profiles, select the desired profile + --cert-profile, --certificate-profile If the CA offers profiles, select the desired profile + See: $_PROFILESELECTION_WIKI --valid-to Request the NotAfter field of the cert. See: $_VALIDITY_WIKI From 11995b958ab560b2e8e60c816ba79200163047e9 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Sep 2025 22:57:42 +0200 Subject: [PATCH 105/313] add actalis.com CA --- acme.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index e895bbdc..23b03039 100755 --- a/acme.sh +++ b/acme.sh @@ -32,6 +32,8 @@ CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc" CA_GOOGLE="https://dv.acme-v02.api.pki.goog/directory" CA_GOOGLE_TEST="https://dv.acme-v02.test-api.pki.goog/directory" +CA_ACTALIS="https://acme-api.actalis.com/acme/directory" + DEFAULT_CA=$CA_ZEROSSL DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST @@ -42,9 +44,10 @@ LetsEncrypt.org_test,letsencrypt_test,letsencrypttest SSL.com,sslcom Google.com,google Google.com_test,googletest,google_test +Actalis.com,actalis.com,actalis " -CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST" +CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST,$CA_ACTALIS" DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" From e5214ea2e58c9a7fd5fb95f651a5cfc1193787f4 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Sep 2025 23:12:05 +0200 Subject: [PATCH 106/313] add Actalis.com CA --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a8cb5403..f7038f59 100644 --- a/README.md +++ b/README.md @@ -100,6 +100,7 @@ https://github.com/acmesh-official/acmetest - Letsencrypt.org CA - [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) - [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) +- [Actalis.com CA](https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA) - [Pebble strict Mode](https://github.com/letsencrypt/pebble) - Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA From b244c76dd5f316c55812c9ebd41012625e58e5a0 Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Sat, 27 Sep 2025 17:29:12 -0400 Subject: [PATCH 107/313] Add --list-profiles command to show CA profiles This commit introduces a new command, `--list-profiles`, to allow users to discover the certificate profiles supported by a Certificate Authority. The command queries the `meta.profiles` object within the ACME directory JSON for the selected server and formats the output for readability. If a CA does not publish profiles in its directory, the command reports that none were found. Usage: acme.sh --list-profiles [--server letsencrypt] --- acme.sh | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/acme.sh b/acme.sh index 23b03039..24ebc5d4 100755 --- a/acme.sh +++ b/acme.sh @@ -5838,6 +5838,49 @@ list() { } +list_profiles() { + _initpath + _initAPI + + _l_server_url="$ACME_DIRECTORY" + _l_server_name="$(_getCAShortName "$_l_server_url")" + _info "Fetching profiles from $_l_server_name ($_l_server_url)..." + + # _initAPI fetches the directory, so we just need to parse its response. + response=$(_get "$_l_server_url" "" 10) + if [ "$?" != "0" ]; then + _err "Failed to connect to CA directory: $_l_server_url" + return 1 + fi + + # Isolate the profiles object using the script's regex tool + profiles_json=$(echo "$response" | _egrep_o '"profiles" *: *\{[^\}]*\}') + + if [ -z "$profiles_json" ]; then + _info "The CA '$_l_server_name' does not publish certificate profiles via its directory endpoint." + return 0 + fi + + # Strip the outer layer to get the key-value pairs + profiles_kv=$(echo "$profiles_json" | sed 's/"profiles" *: *{//' | sed 's/}$//' | tr ',' '\n') + + printf "\n%-15s %s\n" "name" "info" + printf -- "--------------------------------------------------------------------\n" + + _old_IFS="$IFS" + IFS=' +' + for pair in $profiles_kv; do + # Trim quotes and whitespace + _name=$(echo "$pair" | cut -d: -f1 | tr -d '" \t') + _info_url=$(echo "$pair" | cut -d: -f2- | sed 's/^ *//' | tr -d '"') + printf "%-15s %s\n" "$_name" "$_info_url" + done + IFS="$_old_IFS" + + return 0 +} + _deploy() { _d="$1" _hooks="$2" @@ -7498,6 +7541,9 @@ _process() { --set-default-chain) _CMD="setdefaultchain" ;; + --list-profiles) + _CMD="list_profiles" + ;; -d | --domain) _dvalue="$2" @@ -8063,6 +8109,9 @@ _process() { setdefaultchain) setdefaultchain "$_preferred_chain" ;; + list_profiles) + list_profiles + ;; *) if [ "$_CMD" ]; then _err "Invalid command: $_CMD" From 80748b9fe0a3e9af6f8db7b97fb9bea69e8d7206 Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Sat, 27 Sep 2025 17:37:37 -0400 Subject: [PATCH 108/313] Quick Patch --- acme.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index 24ebc5d4..308db1aa 100755 --- a/acme.sh +++ b/acme.sh @@ -5846,15 +5846,14 @@ list_profiles() { _l_server_name="$(_getCAShortName "$_l_server_url")" _info "Fetching profiles from $_l_server_name ($_l_server_url)..." - # _initAPI fetches the directory, so we just need to parse its response. response=$(_get "$_l_server_url" "" 10) if [ "$?" != "0" ]; then _err "Failed to connect to CA directory: $_l_server_url" return 1 fi - # Isolate the profiles object using the script's regex tool - profiles_json=$(echo "$response" | _egrep_o '"profiles" *: *\{[^\}]*\}') + normalized_response=$(echo "$response" | _normalizeJson) + profiles_json=$(echo "$normalized_response" | _egrep_o '"profiles" *: *\{[^\}]*\}') if [ -z "$profiles_json" ]; then _info "The CA '$_l_server_name' does not publish certificate profiles via its directory endpoint." From 0f5093c0b7555c149ae2d7ab01d548dfd7844b2c Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Sat, 27 Sep 2025 17:52:44 -0400 Subject: [PATCH 109/313] Remove space --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 308db1aa..e5a0885f 100755 --- a/acme.sh +++ b/acme.sh @@ -7542,7 +7542,7 @@ _process() { ;; --list-profiles) _CMD="list_profiles" - ;; + ;; -d | --domain) _dvalue="$2" @@ -8110,7 +8110,7 @@ _process() { ;; list_profiles) list_profiles - ;; + ;; *) if [ "$_CMD" ]; then _err "Invalid command: $_CMD" From d439933b52a0f251afaaa780acecff85d6eb3c29 Mon Sep 17 00:00:00 2001 From: Steven Zhu Date: Sun, 28 Sep 2025 19:20:08 -0400 Subject: [PATCH 110/313] add Profile column to --list output This commit adds a new "Profile" column to the output of the `--list` command. The column displays the value of the `Le_Certificate_Profile` variable stored in each domain's respective configuration file. If a profile is not set for a certificate, the column is left empty. This enhances the utility of the list command by providing more at-a-glance information about each certificate's configuration, which is particularly useful for CAs that support different certificate profiles. --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index e5a0885f..7caec290 100755 --- a/acme.sh +++ b/acme.sh @@ -5804,7 +5804,7 @@ list() { _sep="|" if [ "$_raw" ]; then if [ -z "$_domain" ]; then - printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}CA${_sep}Created${_sep}Renew" + printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Profile${_sep}CA${_sep}Created${_sep}Renew" fi for di in "${CERT_HOME}"/*.*/; do d=$(basename "$di") @@ -5819,7 +5819,7 @@ list() { . "$DOMAIN_CONF" _ca="$(_getCAShortName "$Le_API")" if [ -z "$_domain" ]; then - printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$_ca${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr" + printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_Certificate_Profile${_sep}$_ca${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr" else if [ "$_domain" = "$d" ]; then cat "$DOMAIN_CONF" From 17da49bb782b797209531cb00cfcc8c3ee0370a8 Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Thu, 9 Oct 2025 13:16:28 +0200 Subject: [PATCH 111/313] add keyhelp deploy hook --- deploy/keyhelp.sh | 86 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 deploy/keyhelp.sh diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh new file mode 100644 index 00000000..224a7ea8 --- /dev/null +++ b/deploy/keyhelp.sh @@ -0,0 +1,86 @@ +#!/usr/bin/env sh + +keyhelp_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + + # Read config from saved values or env + _getdeployconf DEPLOY_KEYHELP_HOST + _getdeployconf DEPLOY_KEYHELP_API_KEY + + _debug DEPLOY_KEYHELP_HOST "$DEPLOY_KEYHELP_HOST" + _secure_debug DEPLOY_KEYHELP_API_KEY "$DEPLOY_KEYHELP_API_KEY" + + if [ -z "$DEPLOY_KEYHELP_HOST" ]; then + _err "KeyHelp host not found, please define DEPLOY_KEYHELP_HOST." + return 1 + fi + if [ -z "$DEPLOY_KEYHELP_API_KEY" ]; then + _err "KeyHelp api key not found, please define DEPLOY_KEYHELP_API_KEY." + return 1 + fi + + # Save current values + _savedeployconf DEPLOY_KEYHELP_HOST "$DEPLOY_KEYHELP_HOST" + _savedeployconf DEPLOY_KEYHELP_API_KEY "$DEPLOY_KEYHELP_API_KEY" + + _request_key="$(tr '\n' ':' <"$_ckey" | sed 's/:/\\n/g')" + _request_cert="$(tr '\n' ':' <"$_ccert" | sed 's/:/\\n/g')" + _request_ca="$(tr '\n' ':' <"$_cca" | sed 's/:/\\n/g')" + + _request_body="{ + \"name\": \"$_cdomain\", + \"components\": { + \"private_key\": \"$_request_key\", + \"certificate\": \"$_request_cert\", + \"ca_certificate\": \"$_request_ca\" + } + }" + + _hosts="$(echo "$DEPLOY_KEYHELP_HOST" | tr "," " ")" + _keys="$(echo "$DEPLOY_KEYHELP_API_KEY" | tr "," " ")" + _i=1 + + for _host in $_hosts; do + _key="$(_getfield "$_keys" "$_i" " ")" + _i="$(_math $_i + 1)" + + export _H1="X-API-Key: $_key" + + _put_url="$_host/api/v2/certificates/name/$_cdomain" + if _post "$_request_body" "$_put_url" "" "PUT" "application/json" >/dev/null; then + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + else + _err "Cannot make PUT request to $_put_url" + return 1 + fi + + if [ "$_code" = "404" ]; then + _info "$_cdomain not found, creating new entry at $_host" + + _post_url="$_host/api/v2/certificates" + if _post "$_request_body" "$_post_url" "" "POST" "application/json" >/dev/null; then + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + else + _err "Cannot make POST request to $_post_url" + return 1 + fi + fi + + if _startswith "$_code" "2"; then + _info "$_cdomain set at $_host" + else + _err "HTTP status code is $_code" + return 1 + fi + done + + return 0 +} From f7cc72be354c9cf90fc16e270fa0f7bb01ea1825 Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Thu, 9 Oct 2025 13:28:04 +0200 Subject: [PATCH 112/313] add missing double quotes --- deploy/keyhelp.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/keyhelp.sh b/deploy/keyhelp.sh index 224a7ea8..944ca5aa 100644 --- a/deploy/keyhelp.sh +++ b/deploy/keyhelp.sh @@ -50,7 +50,7 @@ keyhelp_deploy() { for _host in $_hosts; do _key="$(_getfield "$_keys" "$_i" " ")" - _i="$(_math $_i + 1)" + _i="$(_math "$_i" + 1)" export _H1="X-API-Key: $_key" From 3c3ec2c97cde17b1566db80526ceaf504310d002 Mon Sep 17 00:00:00 2001 From: Philipp Klapp Date: Mon, 13 Oct 2025 09:05:59 +0200 Subject: [PATCH 113/313] Script created for Hetzner Cloud --- dnsapi/dns_hetznercloud.sh | 431 +++++++++++++++++++++++++++++++++++++ 1 file changed, 431 insertions(+) create mode 100644 dnsapi/dns_hetznercloud.sh diff --git a/dnsapi/dns_hetznercloud.sh b/dnsapi/dns_hetznercloud.sh new file mode 100644 index 00000000..e5b5b0d6 --- /dev/null +++ b/dnsapi/dns_hetznercloud.sh @@ -0,0 +1,431 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_hetznercloud_info='Hetzner Cloud DNS +Site: Hetzner.com +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_hetznercloud +Options: + HETZNER_TOKEN API token for the Hetzner Cloud DNS API +Optional: + HETZNER_TTL Custom TTL for new TXT rrsets (default 120) + HETZNER_API Override API endpoint (default https://api.hetzner.cloud/v1) +Issues: github.com/acmesh-official/acme.sh/issues +' + +HETZNERCLOUD_API_DEFAULT="https://api.hetzner.cloud/v1" +HETZNERCLOUD_TTL_DEFAULT=120 + +######## Public functions ##################### + +dns_hetznercloud_add() { + fulldomain="$(_idn "${1}")" + txtvalue="${2}" + + _info "Using Hetzner Cloud DNS API to add record" + + if ! _hetznercloud_init; then + return 1 + fi + + if ! _hetznercloud_prepare_zone "${fulldomain}"; then + _err "Unable to determine Hetzner Cloud zone for ${fulldomain}" + return 1 + fi + + if ! _hetznercloud_get_rrset; then + return 1 + fi + + if [ "${_hetznercloud_last_http_code}" = "200" ]; then + if _hetznercloud_rrset_contains_value "${txtvalue}"; then + _info "TXT record already present; nothing to do." + return 0 + fi + elif [ "${_hetznercloud_last_http_code}" != "404" ]; then + _hetznercloud_log_http_error "Failed to query existing TXT rrset" "${_hetznercloud_last_http_code}" + return 1 + fi + + add_payload="$(_hetznercloud_build_add_payload "${txtvalue}")" + if [ -z "${add_payload}" ]; then + _err "Failed to build request payload." + return 1 + fi + + if ! _hetznercloud_api POST "${_hetznercloud_rrset_action_add}" "${add_payload}"; then + return 1 + fi + + case "${_hetznercloud_last_http_code}" in + 200 | 201 | 202 | 204) + _info "Hetzner Cloud TXT record added." + return 0 + ;; + 401 | 403) + _err "Hetzner Cloud DNS API authentication failed (HTTP ${_hetznercloud_last_http_code}). Check HETZNER_TOKEN for the new API." + _hetznercloud_log_http_error "" "${_hetznercloud_last_http_code}" + return 1 + ;; + 409 | 422) + _hetznercloud_log_http_error "Hetzner Cloud DNS rejected the add_records request" "${_hetznercloud_last_http_code}" + return 1 + ;; + *) + _hetznercloud_log_http_error "Hetzner Cloud DNS add_records request failed" "${_hetznercloud_last_http_code}" + return 1 + ;; + esac +} + +dns_hetznercloud_rm() { + fulldomain="$(_idn "${1}")" + txtvalue="${2}" + + _info "Using Hetzner Cloud DNS API to remove record" + + if ! _hetznercloud_init; then + return 1 + fi + + if ! _hetznercloud_prepare_zone "${fulldomain}"; then + _err "Unable to determine Hetzner Cloud zone for ${fulldomain}" + return 1 + fi + + if ! _hetznercloud_get_rrset; then + return 1 + fi + + if [ "${_hetznercloud_last_http_code}" = "404" ]; then + _info "TXT rrset does not exist; nothing to remove." + return 0 + fi + + if [ "${_hetznercloud_last_http_code}" != "200" ]; then + _hetznercloud_log_http_error "Failed to query existing TXT rrset" "${_hetznercloud_last_http_code}" + return 1 + fi + + if _hetznercloud_rrset_contains_value "${txtvalue}"; then + remove_payload="$(_hetznercloud_build_remove_payload "${txtvalue}")" + if [ -z "${remove_payload}" ]; then + _err "Failed to build remove_records payload." + return 1 + fi + if ! _hetznercloud_api POST "${_hetznercloud_rrset_action_remove}" "${remove_payload}"; then + return 1 + fi + case "${_hetznercloud_last_http_code}" in + 200 | 201 | 202 | 204) + _info "Hetzner Cloud TXT record removed." + return 0 + ;; + 401 | 403) + _err "Hetzner Cloud DNS API authentication failed (HTTP ${_hetznercloud_last_http_code}). Check HETZNER_TOKEN for the new API." + _hetznercloud_log_http_error "" "${_hetznercloud_last_http_code}" + return 1 + ;; + 404) + _info "TXT rrset already absent after remove action." + return 0 + ;; + 409 | 422) + _hetznercloud_log_http_error "Hetzner Cloud DNS rejected the remove_records request" "${_hetznercloud_last_http_code}" + return 1 + ;; + *) + _hetznercloud_log_http_error "Hetzner Cloud DNS remove_records request failed" "${_hetznercloud_last_http_code}" + return 1 + ;; + esac + else + _info "TXT value not present; nothing to remove." + return 0 + fi +} + +#################### Private functions ################################## + +_hetznercloud_init() { + HETZNER_TOKEN="${HETZNER_TOKEN:-$(_readaccountconf_mutable HETZNER_TOKEN)}" + if [ -z "${HETZNER_TOKEN}" ]; then + _err "The environment variable HETZNER_TOKEN must be set for the Hetzner Cloud DNS API." + return 1 + fi + HETZNER_TOKEN=$(echo "${HETZNER_TOKEN}" | tr -d '"') + _saveaccountconf_mutable HETZNER_TOKEN "${HETZNER_TOKEN}" + + HETZNER_API="${HETZNER_API:-$(_readaccountconf_mutable HETZNER_API)}" + if [ -z "${HETZNER_API}" ]; then + HETZNER_API="${HETZNERCLOUD_API_DEFAULT}" + fi + _saveaccountconf_mutable HETZNER_API "${HETZNER_API}" + + HETZNER_TTL="${HETZNER_TTL:-$(_readaccountconf_mutable HETZNER_TTL)}" + if [ -z "${HETZNER_TTL}" ]; then + HETZNER_TTL="${HETZNERCLOUD_TTL_DEFAULT}" + fi + ttl_check=$(printf "%s" "${HETZNER_TTL}" | tr -d '0-9') + if [ -n "${ttl_check}" ]; then + _err "HETZNER_TTL must be an integer value." + return 1 + fi + _saveaccountconf_mutable HETZNER_TTL "${HETZNER_TTL}" + + return 0 +} + +_hetznercloud_prepare_zone() { + _hetznercloud_zone_id="" + _hetznercloud_zone_name="" + _hetznercloud_zone_name_lc="" + _hetznercloud_rr_name="" + _hetznercloud_rrset_path="" + _hetznercloud_rrset_action_add="" + _hetznercloud_rrset_action_remove="" + fulldomain_lc=$(printf "%s" "${1}" | sed 's/\.$//' | _lower_case) + + i=2 + p=1 + while true; do + candidate=$(printf "%s" "${fulldomain_lc}" | cut -d . -f "${i}"-100) + if [ -z "${candidate}" ]; then + return 1 + fi + + if _hetznercloud_get_zone_by_candidate "${candidate}"; then + zone_name_lc="${_hetznercloud_zone_name_lc}" + if [ "${fulldomain_lc}" = "${zone_name_lc}" ]; then + _hetznercloud_rr_name="@" + else + suffix=".${zone_name_lc}" + if _endswith "${fulldomain_lc}" "${suffix}"; then + _hetznercloud_rr_name="${fulldomain_lc%"${suffix}"}" + else + _hetznercloud_rr_name="${fulldomain_lc}" + fi + fi + _hetznercloud_rrset_path=$(printf "%s" "${_hetznercloud_rr_name}" | _url_encode) + _hetznercloud_rrset_action_add="/zones/${_hetznercloud_zone_id}/rrsets/${_hetznercloud_rrset_path}/TXT/actions/add_records" + _hetznercloud_rrset_action_remove="/zones/${_hetznercloud_zone_id}/rrsets/${_hetznercloud_rrset_path}/TXT/actions/remove_records" + return 0 + fi + p=${i} + i=$(_math "${i}" + 1) + done +} + +_hetznercloud_get_zone_by_candidate() { + candidate="${1}" + zone_key=$(printf "%s" "${candidate}" | sed 's/[^A-Za-z0-9]/_/g') + zone_conf_key="HETZNERCLOUD_ZONE_ID_for_${zone_key}" + + cached_zone_id=$(_readdomainconf "${zone_conf_key}") + if [ -n "${cached_zone_id}" ]; then + if _hetznercloud_api GET "/zones/${cached_zone_id}"; then + if [ "${_hetznercloud_last_http_code}" = "200" ]; then + zone_data=$(printf "%s" "${response}" | _normalizeJson | sed 's/^{"zone"://' | sed 's/}$//') + if _hetznercloud_parse_zone_fields "${zone_data}"; then + zone_name_lc=$(printf "%s" "${_hetznercloud_zone_name}" | _lower_case) + if [ "${zone_name_lc}" = "${candidate}" ]; then + return 0 + fi + fi + elif [ "${_hetznercloud_last_http_code}" = "404" ]; then + _cleardomainconf "${zone_conf_key}" + fi + else + return 1 + fi + fi + + if _hetznercloud_api GET "/zones/${candidate}"; then + if [ "${_hetznercloud_last_http_code}" = "200" ]; then + zone_data=$(printf "%s" "${response}" | _normalizeJson | sed 's/^{"zone"://' | sed 's/}$//') + if _hetznercloud_parse_zone_fields "${zone_data}"; then + zone_name_lc=$(printf "%s" "${_hetznercloud_zone_name}" | _lower_case) + if [ "${zone_name_lc}" = "${candidate}" ]; then + _savedomainconf "${zone_conf_key}" "${_hetznercloud_zone_id}" + return 0 + fi + fi + elif [ "${_hetznercloud_last_http_code}" != "404" ]; then + _hetznercloud_log_http_error "Hetzner Cloud zone lookup failed" "${_hetznercloud_last_http_code}" + return 1 + fi + else + return 1 + fi + + encoded_candidate=$(printf "%s" "${candidate}" | _url_encode) + if ! _hetznercloud_api GET "/zones?name=${encoded_candidate}"; then + return 1 + fi + if [ "${_hetznercloud_last_http_code}" != "200" ]; then + if [ "${_hetznercloud_last_http_code}" = "404" ]; then + return 1 + fi + _hetznercloud_log_http_error "Hetzner Cloud zone search failed" "${_hetznercloud_last_http_code}" + return 1 + fi + + zone_data=$(_hetznercloud_extract_zone_from_list "${response}" "${candidate}") + if [ -z "${zone_data}" ]; then + return 1 + fi + if ! _hetznercloud_parse_zone_fields "${zone_data}"; then + return 1 + fi + _savedomainconf "${zone_conf_key}" "${_hetznercloud_zone_id}" + return 0 +} + +_hetznercloud_parse_zone_fields() { + zone_json="${1}" + if [ -z "${zone_json}" ]; then + return 1 + fi + normalized=$(printf "%s" "${zone_json}" | _normalizeJson) + zone_id=$(printf "%s" "${normalized}" | _egrep_o '"id":[^,}]*' | _head_n 1 | cut -d : -f 2 | tr -d ' "') + zone_name=$(printf "%s" "${normalized}" | _egrep_o '"name":"[^"]*"' | _head_n 1 | cut -d : -f 2 | tr -d '"') + if [ -z "${zone_id}" ] || [ -z "${zone_name}" ]; then + return 1 + fi + _hetznercloud_zone_id="${zone_id}" + _hetznercloud_zone_name="${zone_name}" + _hetznercloud_zone_name_lc=$(printf "%s" "${zone_name}" | sed 's/\.$//' | _lower_case) + return 0 +} + +_hetznercloud_extract_zone_from_list() { + list_response=$(printf "%s" "${1}" | _normalizeJson) + candidate="${2}" + escaped_candidate=$(_hetznercloud_escape_regex "${candidate}") + printf "%s" "${list_response}" | _egrep_o "{[^{}]*\"name\":\"${escaped_candidate}\"[^{}]*}" | _head_n 1 +} + +_hetznercloud_escape_regex() { + printf "%s" "${1}" | sed 's/\\/\\\\/g' | sed 's/\./\\./g' | sed 's/-/\\-/g' +} + +_hetznercloud_get_rrset() { + if [ -z "${_hetznercloud_zone_id}" ] || [ -z "${_hetznercloud_rrset_path}" ]; then + return 1 + fi + if ! _hetznercloud_api GET "/zones/${_hetznercloud_zone_id}/rrsets/${_hetznercloud_rrset_path}/TXT"; then + return 1 + fi + return 0 +} + +_hetznercloud_rrset_contains_value() { + wanted_value="${1}" + normalized=$(printf "%s" "${response}" | _normalizeJson) + escaped_value=$(_hetznercloud_escape_value "${wanted_value}") + search_pattern="\"value\":\"\\\\\"${escaped_value}\\\\\"\"" + if _contains "${normalized}" "${search_pattern}"; then + return 0 + fi + return 1 +} + +_hetznercloud_build_add_payload() { + value="${1}" + escaped_value=$(_hetznercloud_escape_value "${value}") + printf '{"ttl":%s,"records":[{"value":"\\"%s\\""}]}' "${HETZNER_TTL}" "${escaped_value}" +} + +_hetznercloud_build_remove_payload() { + value="${1}" + escaped_value=$(_hetznercloud_escape_value "${value}") + printf '{"records":[{"value":"\\"%s\\""}]}' "${escaped_value}" +} + +_hetznercloud_escape_value() { + printf "%s" "${1}" | sed 's/\\/\\\\/g' | sed 's/"/\\"/g' +} + +_hetznercloud_error_message() { + if [ -z "${response}" ]; then + return 1 + fi + message=$(printf "%s" "${response}" | _normalizeJson | _egrep_o '"message":"[^"]*"' | _head_n 1 | cut -d : -f 2 | tr -d '"') + if [ -n "${message}" ]; then + printf "%s" "${message}" + return 0 + fi + return 1 +} + +_hetznercloud_log_http_error() { + context="${1}" + code="${2}" + message="$(_hetznercloud_error_message)" + if [ -n "${context}" ]; then + if [ -n "${message}" ]; then + _err "${context} (HTTP ${code}): ${message}" + else + _err "${context} (HTTP ${code})" + fi + else + if [ -n "${message}" ]; then + _err "Hetzner Cloud DNS API error (HTTP ${code}): ${message}" + else + _err "Hetzner Cloud DNS API error (HTTP ${code})" + fi + fi +} + +_hetznercloud_api() { + method="${1}" + ep="${2}" + data="${3}" + retried="${4}" + + if [ -z "${method}" ]; then + method="GET" + fi + + if ! _startswith "${ep}" "/"; then + ep="/${ep}" + fi + url="${HETZNER_API}${ep}" + + export _H1="Authorization: Bearer ${HETZNER_TOKEN}" + export _H2="Accept: application/json" + export _H3="" + export _H4="" + export _H5="" + + : >"${HTTP_HEADER}" + + if [ "${method}" = "GET" ]; then + response="$(_get "${url}")" + else + if [ -z "${data}" ]; then + data="{}" + fi + response="$(_post "${data}" "${url}" "" "${method}" "application/json")" + fi + ret="${?}" + + _hetznercloud_last_http_code=$(grep "^HTTP" "${HTTP_HEADER}" | _tail_n 1 | cut -d " " -f 2 | tr -d '\r\n') + + if [ "${ret}" != "0" ]; then + return 1 + fi + + if [ "${_hetznercloud_last_http_code}" = "429" ] && [ "${retried}" != "retried" ]; then + retry_after=$(grep -i "^Retry-After" "${HTTP_HEADER}" | _tail_n 1 | cut -d : -f 2 | tr -d ' \r') + if [ -z "${retry_after}" ]; then + retry_after=1 + fi + _info "Hetzner Cloud DNS API rate limit hit; retrying in ${retry_after} seconds." + _sleep "${retry_after}" + if ! _hetznercloud_api "${method}" "${ep}" "${data}" "retried"; then + return 1 + fi + return 0 + fi + + return 0 +} From 25c564bae1efb7d01388b63752976957aa5dfb6b Mon Sep 17 00:00:00 2001 From: Vmichelin Date: Tue, 14 Oct 2025 10:10:19 +0200 Subject: [PATCH 114/313] fix #6555 : ovh dns api enable to remove record --- dnsapi/dns_ovh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ovh.sh b/dnsapi/dns_ovh.sh index 24ad0904..9f2cd23f 100755 --- a/dnsapi/dns_ovh.sh +++ b/dnsapi/dns_ovh.sh @@ -201,7 +201,7 @@ dns_ovh_rm() { if ! _ovh_rest GET "domain/zone/$_domain/record/$rid"; then return 1 fi - if _contains "$response" "\"target\":\"$txtvalue\""; then + if _contains "$response" "$txtvalue"; then _debug "Found txt id:$rid" if ! _ovh_rest DELETE "domain/zone/$_domain/record/$rid"; then return 1 From c4671272c0987d2de0caebafb0216f5e061c9eb7 Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 14 Oct 2025 13:35:15 +0200 Subject: [PATCH 115/313] Yet another push to try the test suite --- dnsapi/dns_efficientip.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index 4a09c5bb..a5f6b09d 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -93,7 +93,6 @@ dns_efficientip_add() { } dns_efficientip_rm() { - fulldomain=$1 txtvalue=$2 From 65bd3d67b41d975019f194bdf3cb9e01680ba771 Mon Sep 17 00:00:00 2001 From: An <18481195+AnTheMaker@users.noreply.github.com> Date: Tue, 14 Oct 2025 15:51:28 +0200 Subject: [PATCH 116/313] nanelo dns: minor log improvements --- dnsapi/dns_nanelo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_nanelo.sh b/dnsapi/dns_nanelo.sh index 23f306a7..0c42989b 100644 --- a/dnsapi/dns_nanelo.sh +++ b/dnsapi/dns_nanelo.sh @@ -59,7 +59,7 @@ dns_nanelo_rm() { fi _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" - _debug "First detect the root zone" + _debug "First, let's detect the root zone:" if ! _get_root "$fulldomain"; then _err "invalid domain" return 1 From a2c2b7ffee184d3e8f4c4ccf63685ffdb68232c0 Mon Sep 17 00:00:00 2001 From: DuolaD Date: Sat, 18 Oct 2025 11:41:26 +0800 Subject: [PATCH 117/313] Fixed the issue where Telegram bots would not push notifications. --- notify/telegram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/telegram.sh b/notify/telegram.sh index 7da05729..4ed50a65 100644 --- a/notify/telegram.sh +++ b/notify/telegram.sh @@ -34,8 +34,8 @@ telegram_send() { fi _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE" - _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([-_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" - _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([-_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')" + _subject="$(printf "%s" "$_subject" | sed -E 's/([][()~`>#+=|{}.!*_\\-])/\\\\\1/g')" + _content="$(printf "%s" "$_content" | sed -E 's/([][()~`>#+=|{}.!*_\\-])/\\\\\1/g')" _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)" _data="{\"text\": \"$_content\", " _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", " From ef76831d37161af4876202f0cde2596956aab9fb Mon Sep 17 00:00:00 2001 From: asavin Date: Sat, 18 Oct 2025 14:16:51 +0200 Subject: [PATCH 118/313] Addressing #pullrequestreview-3353279982 --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index a5f6b09d..f12a2a85 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env sh # shellcheck disable=SC2034 dns_efficientip_info='efficientip.com Site: https://efficientip.com/ From 3cdce86339d8ace8ba62c4ed756138bad669457d Mon Sep 17 00:00:00 2001 From: Jens Spanier Date: Tue, 21 Oct 2025 11:34:46 +0200 Subject: [PATCH 119/313] rename to keyhelp_api --- deploy/{keyhelp.sh => keyhelp_api.sh} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename deploy/{keyhelp.sh => keyhelp_api.sh} (99%) diff --git a/deploy/keyhelp.sh b/deploy/keyhelp_api.sh similarity index 99% rename from deploy/keyhelp.sh rename to deploy/keyhelp_api.sh index 944ca5aa..75e9d951 100644 --- a/deploy/keyhelp.sh +++ b/deploy/keyhelp_api.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -keyhelp_deploy() { +keyhelp_api_deploy() { _cdomain="$1" _ckey="$2" _ccert="$3" From 7ca8a9e449a16969b30f5c69420f55b14edec6b0 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 24 Oct 2025 11:34:25 -0400 Subject: [PATCH 120/313] QUIC.cloud support for acme.sh --- dnsapi/dns_qc.sh | 188 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100755 dnsapi/dns_qc.sh diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh new file mode 100755 index 00000000..64956bd5 --- /dev/null +++ b/dnsapi/dns_qc.sh @@ -0,0 +1,188 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_qc_info='QUIC.cloud +Site: quic.cloud +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_qc +Options: + QC_API_KEY QC API Key + QC_API_EMAIL Your account email +' + +QC_Api="https://api.quic.cloud/v2" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_qc_add() { + fulldomain=$1 + txtvalue=$2 + + _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" + QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" + + if [ "$QC_API_KEY" ]; then + _savedomainconf QC_API_KEY "$QC_API_KEY" + else + _err "You didn't specify a QUIC.cloud are api key and email yet." + _err "You can get yours from here https://my.quic.cloud/up/api." + return 1 + fi + + if ! _contains "$QC_API_EMAIL" "@"; then + _err "It seems that the QC_API_EMAIL=$QC_API_EMAIL is not a valid email address." + _err "Please check and retry." + return 1 + fi + #save the api key and email to the account conf file. + _savedomainconf QC_API_EMAIL "$QC_API_EMAIL" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _qc_rest GET "zones/${_domain_id}/records" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error failed response from QC GET: $response" + return 1 + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "Same record already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error: $response" + return 1 + fi + fi + _err "Add txt record error: POST failed: $response" + return 1 + +} + +#fulldomain txtvalue +dns_qc_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug "Enter dns_qc_rm fulldomain: $fulldomain, txtvalue: $txtvalue" + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" + QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _qc_rest GET "zones/${_domain_id}/records" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error rm GET response: $response" + return 1 + fi + + response=$(echo "$response"|jq ".result[] | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + if [ "${response}" = "" ]; then + _info "Don't need to remove." + else + record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _info "TXT Record ID: $record_id successfully deleted" + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + h=$(printf "%s" "$domain" | cut -d . -f2-) + _debug h "$h" + if [ -z "$h" ]; then + _err "$h ($domain) is an invalid domain" + return 1 + fi + + if ! _qc_rest GET "zones"; then + _debug "qc_rest failed" + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" || _contains "$response" "\"name\":\"$h.\""; then + _domain_id=$h + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain=$h + return 0 + fi + _err "Empty domain_id $h" + return 1 + fi + _err "Missing domain_id $h" + return 1 +} + +_qc_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + email_trimmed=$(echo "$QC_API_EMAIL" | tr -d '"') + token_trimmed=$(echo "$QC_API_KEY" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="X-Auth-Email: $email_trimmed" + export _H3="X-Auth-Key: $token_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$QC_Api/$ep" "" "$m")" + else + response="$(_get "$QC_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 48c48cb344d9f748dbc3c0dab1d7b1a62e5de7ba Mon Sep 17 00:00:00 2001 From: Roy Orbitson Date: Mon, 27 Oct 2025 16:02:33 +1030 Subject: [PATCH 121/313] Choose an IP address family for outgoing requests Useful where remote endpoints filter requests by IP address, but one's Internet connection has a stable IP for only one address family, e.g.: a dynamic IPv6 prefix and a static IPv4 address; or a static IPv6 prefix and CGNAT IPv4. --- acme.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/acme.sh b/acme.sh index 7caec290..98b827e8 100755 --- a/acme.sh +++ b/acme.sh @@ -1897,6 +1897,11 @@ _inithttp() { if [ -z "$_ACME_CURL" ] && _exists "curl"; then _ACME_CURL="curl --silent --dump-header $HTTP_HEADER " + if [ "$ACME_USE_IPV6_REQUESTS" ]; then + _ACME_CURL="$_ACME_CURL --ipv6 " + elif [ "$ACME_USE_IPV4_REQUESTS" ]; then + _ACME_CURL="$_ACME_CURL --ipv4 " + fi if [ -z "$ACME_HTTP_NO_REDIRECTS" ]; then _ACME_CURL="$_ACME_CURL -L " fi @@ -1924,6 +1929,11 @@ _inithttp() { if [ -z "$_ACME_WGET" ] && _exists "wget"; then _ACME_WGET="wget -q" + if [ "$ACME_USE_IPV6_REQUESTS" ]; then + _ACME_WGET="$_ACME_WGET --inet6-only " + elif [ "$ACME_USE_IPV4_REQUESTS" ]; then + _ACME_WGET="$_ACME_WGET --inet4-only " + fi if [ "$ACME_HTTP_NO_REDIRECTS" ]; then _ACME_WGET="$_ACME_WGET --max-redirect 0 " fi @@ -7076,6 +7086,8 @@ Parameters: --alpn Use standalone alpn mode. --stateless Use stateless mode. See: $_STATELESS_WIKI + --request-v4 Force client requests to use ipv4. + --request-v6 Force client requests to use ipv6. --apache Use Apache mode. --dns [dns_hook] Use dns manual mode or dns api. Defaults to manual mode when argument is omitted. @@ -7255,6 +7267,20 @@ _processAccountConf() { _saveaccountconf "ACME_USE_WGET" "$ACME_USE_WGET" fi + if [ "$_request_v6" ]; then + _saveaccountconf "ACME_USE_IPV6_REQUESTS" "$_request_v6" + _clearaccountconf "ACME_USE_IPV4_REQUESTS" + elif [ "$ACME_USE_IPV6_REQUESTS" ]; then + _saveaccountconf "ACME_USE_IPV6_REQUESTS" "$ACME_USE_IPV6_REQUESTS" + _clearaccountconf "ACME_USE_IPV4_REQUESTS" + elif [ "$_request_v4" ]; then + _saveaccountconf "ACME_USE_IPV4_REQUESTS" "$_request_v4" + _clearaccountconf "ACME_USE_IPV6_REQUESTS" + elif [ "$ACME_USE_IPV4_REQUESTS" ]; then + _saveaccountconf "ACME_USE_IPV4_REQUESTS" "$ACME_USE_IPV4_REQUESTS" + _clearaccountconf "ACME_USE_IPV6_REQUESTS" + fi + } _checkSudo() { @@ -7420,6 +7446,8 @@ _process() { _local_address="" _log_level="" _auto_upgrade="" + _request_v4="" + _request_v6="" _listen_v4="" _listen_v6="" _openssl_bin="" @@ -7885,6 +7913,18 @@ _process() { fi AUTO_UPGRADE="$_auto_upgrade" ;; + --request-v4) + _request_v4="1" + ACME_USE_IPV4_REQUESTS="1" + _request_v6="" + ACME_USE_IPV6_REQUESTS="" + ;; + --request-v6) + _request_v6="1" + ACME_USE_IPV6_REQUESTS="1" + _request_v4="" + ACME_USE_IPV4_REQUESTS="" + ;; --listen-v4) _listen_v4="1" Le_Listen_V4="$_listen_v4" From e25e30dcdd5e20ab3ff27f9fb1abe1027090e103 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 27 Oct 2025 12:00:01 -0400 Subject: [PATCH 122/313] Added wiki doc --- wiki/dnsapi/dns_qc | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 wiki/dnsapi/dns_qc diff --git a/wiki/dnsapi/dns_qc b/wiki/dnsapi/dns_qc new file mode 100644 index 00000000..50b1879e --- /dev/null +++ b/wiki/dnsapi/dns_qc @@ -0,0 +1,27 @@ +# Use QUIC.cloud DNS API + +This uses the QUIC.cloud DNS API. + +## Obtain an API key from the QUIC.cloude system. If you do not already have one, once logged into QUIC.cloud: + +- Select the Human icon at the top right of the screen and select **Edit Profile** +- On the left side of the screen, press the **API Access** item. +- Press the **Generate Key** button. It will present you with a token you will need below. + +## Use the API + +You will need to provide 2 environment variables to acme.sh: + +- **QC_API_KEY**: This is the API Token value obtained in the QUIC.cloud screens. +- **QC_API_EMAIL**: This is the email you used in your QUIC.cloud configuration + +## Using in OpenLiteSpeed + +This feature is fully supported and documented in version 1.9 and later of OpenLiteSpeed. See the OpenLiteSpeed (documentation)[https://docs.openlitespeed.org/config/advanced/acme/). + +## License + +Copyright: acme.sh wiki contributors + +License: GNU General Public License version 3 or any later version + From 68eb6defd356a62dd0b6c8255846f2851e667da3 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 27 Oct 2025 12:04:08 -0400 Subject: [PATCH 123/313] Removed false wiki page --- wiki/dnsapi/dns_qc | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 wiki/dnsapi/dns_qc diff --git a/wiki/dnsapi/dns_qc b/wiki/dnsapi/dns_qc deleted file mode 100644 index 50b1879e..00000000 --- a/wiki/dnsapi/dns_qc +++ /dev/null @@ -1,27 +0,0 @@ -# Use QUIC.cloud DNS API - -This uses the QUIC.cloud DNS API. - -## Obtain an API key from the QUIC.cloude system. If you do not already have one, once logged into QUIC.cloud: - -- Select the Human icon at the top right of the screen and select **Edit Profile** -- On the left side of the screen, press the **API Access** item. -- Press the **Generate Key** button. It will present you with a token you will need below. - -## Use the API - -You will need to provide 2 environment variables to acme.sh: - -- **QC_API_KEY**: This is the API Token value obtained in the QUIC.cloud screens. -- **QC_API_EMAIL**: This is the email you used in your QUIC.cloud configuration - -## Using in OpenLiteSpeed - -This feature is fully supported and documented in version 1.9 and later of OpenLiteSpeed. See the OpenLiteSpeed (documentation)[https://docs.openlitespeed.org/config/advanced/acme/). - -## License - -Copyright: acme.sh wiki contributors - -License: GNU General Public License version 3 or any later version - From 7c5b9a5b922e5bed34f64fda6b58b257820955b9 Mon Sep 17 00:00:00 2001 From: Dennis Schmidt Date: Thu, 30 Oct 2025 09:17:13 +0000 Subject: [PATCH 124/313] Add priority, tags and title to ntfy notification Make the ntfy.sh notifications easier to distinguish at a first glance. --- notify/ntfy.sh | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/notify/ntfy.sh b/notify/ntfy.sh index 21e39559..ecb65879 100644 --- a/notify/ntfy.sh +++ b/notify/ntfy.sh @@ -14,6 +14,13 @@ ntfy_send() { _debug "_content" "$_content" _debug "_statusCode" "$_statusCode" + _priority_default="default" + _priority_error="high" + + _tag_success="white_check_mark" + _tag_error="warning" + _tag_info="information_source" + NTFY_URL="${NTFY_URL:-$(_readaccountconf_mutable NTFY_URL)}" if [ "$NTFY_URL" ]; then _saveaccountconf_mutable NTFY_URL "$NTFY_URL" @@ -30,7 +37,26 @@ ntfy_send() { export _H1="Authorization: Bearer $NTFY_TOKEN" fi - _data="${_subject}. $_content" + case "$_statusCode" in + 0) + _priority="$_priority_default" + _tag="$_tag_success" + ;; + 1) + _priority="$_priority_error" + _tag="$_tag_error" + ;; + 2) + _priority="$_priority_default" + _tag="$_tag_info" + ;; + esac + + export _H2="Priority: $_priority" + export _H3="Tags: $_tag" + export _H4="Title: $PROJECT_NAME: $_subject" + + _data="$_content" response="$(_post "$_data" "$NTFY_URL/$NTFY_TOPIC" "" "POST" "")" if [ "$?" = "0" ] && _contains "$response" "expires"; then From 3d21ac4525b2b60bd5efd1b9d23e9822a8be0ded Mon Sep 17 00:00:00 2001 From: Dennis Schmidt Date: Fri, 31 Oct 2025 08:40:34 +0000 Subject: [PATCH 125/313] CS Make shfmt happy --- notify/ntfy.sh | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/notify/ntfy.sh b/notify/ntfy.sh index ecb65879..3a788a84 100644 --- a/notify/ntfy.sh +++ b/notify/ntfy.sh @@ -38,18 +38,18 @@ ntfy_send() { fi case "$_statusCode" in - 0) - _priority="$_priority_default" - _tag="$_tag_success" - ;; - 1) - _priority="$_priority_error" - _tag="$_tag_error" - ;; - 2) - _priority="$_priority_default" - _tag="$_tag_info" - ;; + 0) + _priority="$_priority_default" + _tag="$_tag_success" + ;; + 1) + _priority="$_priority_error" + _tag="$_tag_error" + ;; + 2) + _priority="$_priority_default" + _tag="$_tag_info" + ;; esac export _H2="Priority: $_priority" From b65f432ee02b1ad45224e97cf89e5144680b9d41 Mon Sep 17 00:00:00 2001 From: Philipp Klapp Date: Sat, 1 Nov 2025 13:44:11 +0100 Subject: [PATCH 126/313] Normalize Hetzner zone names to punycode --- dnsapi/dns_hetznercloud.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_hetznercloud.sh b/dnsapi/dns_hetznercloud.sh index e5b5b0d6..e53ac23a 100644 --- a/dnsapi/dns_hetznercloud.sh +++ b/dnsapi/dns_hetznercloud.sh @@ -290,9 +290,15 @@ _hetznercloud_parse_zone_fields() { if [ -z "${zone_id}" ] || [ -z "${zone_name}" ]; then return 1 fi + zone_name_trimmed=$(printf "%s" "${zone_name}" | sed 's/\.$//') + if zone_name_ascii=$(_idn "${zone_name_trimmed}"); then + zone_name="${zone_name_ascii}" + else + zone_name="${zone_name_trimmed}" + fi _hetznercloud_zone_id="${zone_id}" _hetznercloud_zone_name="${zone_name}" - _hetznercloud_zone_name_lc=$(printf "%s" "${zone_name}" | sed 's/\.$//' | _lower_case) + _hetznercloud_zone_name_lc=$(printf "%s" "${zone_name}" | _lower_case) return 0 } From 5f8146050464c9f0c6ae69160e672ad3bce388b3 Mon Sep 17 00:00:00 2001 From: Philipp Klapp Date: Sun, 2 Nov 2025 04:07:58 +0100 Subject: [PATCH 127/313] Wait for Hetzner Cloud DNS actions to complete before returning --- dnsapi/dns_hetznercloud.sh | 156 +++++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) diff --git a/dnsapi/dns_hetznercloud.sh b/dnsapi/dns_hetznercloud.sh index e53ac23a..4a7eea90 100644 --- a/dnsapi/dns_hetznercloud.sh +++ b/dnsapi/dns_hetznercloud.sh @@ -8,11 +8,13 @@ Options: Optional: HETZNER_TTL Custom TTL for new TXT rrsets (default 120) HETZNER_API Override API endpoint (default https://api.hetzner.cloud/v1) + HETZNER_MAX_ATTEMPTS Number of 1s polls to wait for async actions (default 120) Issues: github.com/acmesh-official/acme.sh/issues ' HETZNERCLOUD_API_DEFAULT="https://api.hetzner.cloud/v1" HETZNERCLOUD_TTL_DEFAULT=120 +HETZNER_MAX_ATTEMPTS_DEFAULT=120 ######## Public functions ##################### @@ -57,6 +59,9 @@ dns_hetznercloud_add() { case "${_hetznercloud_last_http_code}" in 200 | 201 | 202 | 204) + if ! _hetznercloud_handle_action_response "TXT record add"; then + return 1 + fi _info "Hetzner Cloud TXT record added." return 0 ;; @@ -116,6 +121,9 @@ dns_hetznercloud_rm() { fi case "${_hetznercloud_last_http_code}" in 200 | 201 | 202 | 204) + if ! _hetznercloud_handle_action_response "TXT record remove"; then + return 1 + fi _info "Hetzner Cloud TXT record removed." return 0 ;; @@ -171,6 +179,17 @@ _hetznercloud_init() { fi _saveaccountconf_mutable HETZNER_TTL "${HETZNER_TTL}" + HETZNER_MAX_ATTEMPTS="${HETZNER_MAX_ATTEMPTS:-$(_readaccountconf_mutable HETZNER_MAX_ATTEMPTS)}" + if [ -z "${HETZNER_MAX_ATTEMPTS}" ]; then + HETZNER_MAX_ATTEMPTS="${HETZNER_MAX_ATTEMPTS_DEFAULT}" + fi + attempts_check=$(printf "%s" "${HETZNER_MAX_ATTEMPTS}" | tr -d '0-9') + if [ -n "${attempts_check}" ]; then + _err "HETZNER_MAX_ATTEMPTS must be an integer value." + return 1 + fi + _saveaccountconf_mutable HETZNER_MAX_ATTEMPTS "${HETZNER_MAX_ATTEMPTS}" + return 0 } @@ -435,3 +454,140 @@ _hetznercloud_api() { return 0 } + +_hetznercloud_handle_action_response() { + context="${1}" + if [ -z "${response}" ]; then + return 0 + fi + + normalized=$(printf "%s" "${response}" | _normalizeJson) + + failed_message="" + if failed_message=$(_hetznercloud_extract_failed_action_message "${normalized}"); then + if [ -n "${failed_message}" ]; then + _err "Hetzner Cloud DNS ${context} failed: ${failed_message}" + else + _err "Hetzner Cloud DNS ${context} failed." + fi + return 1 + fi + + action_ids="" + if action_ids=$(_hetznercloud_extract_action_ids "${normalized}"); then + for action_id in ${action_ids}; do + if [ -z "${action_id}" ]; then + continue + fi + if ! _hetznercloud_wait_for_action "${action_id}" "${context}"; then + return 1 + fi + done + fi + + return 0 +} + +_hetznercloud_extract_failed_action_message() { + normalized="${1}" + failed_section=$(printf "%s" "${normalized}" | _egrep_o '"failed_actions":\[[^]]*\]') + if [ -z "${failed_section}" ]; then + return 1 + fi + if _contains "${failed_section}" '"failed_actions":[]'; then + return 1 + fi + message=$(printf "%s" "${failed_section}" | _egrep_o '"message":"[^"]*"' | _head_n 1 | cut -d : -f 2 | tr -d '"') + if [ -n "${message}" ]; then + printf "%s" "${message}" + else + printf "%s" "${failed_section}" + fi + return 0 +} + +_hetznercloud_extract_action_ids() { + normalized="${1}" + actions_section=$(printf "%s" "${normalized}" | _egrep_o '"actions":\[[^]]*\]') + if [ -z "${actions_section}" ]; then + return 1 + fi + action_ids=$(printf "%s" "${actions_section}" | _egrep_o '"id":[0-9]*' | cut -d : -f 2 | tr -d '"' | tr '\n' ' ') + action_ids=$(printf "%s" "${action_ids}" | tr -s ' ') + action_ids=$(printf "%s" "${action_ids}" | sed 's/^ //;s/ $//') + if [ -z "${action_ids}" ]; then + return 1 + fi + printf "%s" "${action_ids}" + return 0 +} + +_hetznercloud_wait_for_action() { + action_id="${1}" + context="${2}" + attempts="0" + + while true; do + if ! _hetznercloud_api GET "/actions/${action_id}"; then + return 1 + fi + if [ "${_hetznercloud_last_http_code}" != "200" ]; then + _hetznercloud_log_http_error "Hetzner Cloud DNS action ${action_id} query failed" "${_hetznercloud_last_http_code}" + return 1 + fi + + normalized=$(printf "%s" "${response}" | _normalizeJson) + action_status=$(_hetznercloud_action_status_from_normalized "${normalized}") + + if [ -z "${action_status}" ]; then + _err "Hetzner Cloud DNS ${context} action ${action_id} returned no status." + return 1 + fi + + if [ "${action_status}" = "success" ]; then + return 0 + fi + + if [ "${action_status}" = "error" ]; then + if action_error=$(_hetznercloud_action_error_from_normalized "${normalized}"); then + _err "Hetzner Cloud DNS ${context} action ${action_id} failed: ${action_error}" + else + _err "Hetzner Cloud DNS ${context} action ${action_id} failed." + fi + return 1 + fi + + attempts=$(_math "${attempts}" + 1) + if [ "${attempts}" -ge "${HETZNER_MAX_ATTEMPTS}" ]; then + _err "Hetzner Cloud DNS ${context} action ${action_id} did not complete after ${HETZNER_MAX_ATTEMPTS} attempts." + return 1 + fi + + _sleep 1 + done +} + +_hetznercloud_action_status_from_normalized() { + normalized="${1}" + status=$(printf "%s" "${normalized}" | _egrep_o '"status":"[^"]*"' | _head_n 1 | cut -d : -f 2 | tr -d '"') + printf "%s" "${status}" +} + +_hetznercloud_action_error_from_normalized() { + normalized="${1}" + error_section=$(printf "%s" "${normalized}" | _egrep_o '"error":{[^}]*}') + if [ -z "${error_section}" ]; then + return 1 + fi + message=$(printf "%s" "${error_section}" | _egrep_o '"message":"[^"]*"' | _head_n 1 | cut -d : -f 2 | tr -d '"') + if [ -n "${message}" ]; then + printf "%s" "${message}" + return 0 + fi + code=$(printf "%s" "${error_section}" | _egrep_o '"code":"[^"]*"' | _head_n 1 | cut -d : -f 2 | tr -d '"') + if [ -n "${code}" ]; then + printf "%s" "${code}" + return 0 + fi + return 1 +} From 693b1f7a74a52ed3a1499f64b9ebfe2bfc70f0ad Mon Sep 17 00:00:00 2001 From: Richard Glidden Date: Sun, 2 Nov 2025 22:50:55 -0500 Subject: [PATCH 128/313] Fix TrueNAS deploy fails on TrueNAS 25.10 --- deploy/truenas_ws.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/truenas_ws.sh b/deploy/truenas_ws.sh index d334853e..df34f927 100644 --- a/deploy/truenas_ws.sh +++ b/deploy/truenas_ws.sh @@ -71,7 +71,7 @@ with Client(uri="$_ws_uri") as c: fullchain = file.read() with open('$2', 'r') as file: privatekey = file.read() - ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey, "passphrase": ""}, job=True) + ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey}, job=True) print("R:" + str(ret["id"])) sys.exit(0) else: From b7c8601540d1296e5409387f171c1898620b8c38 Mon Sep 17 00:00:00 2001 From: Peter Lindegaard Hansen Date: Mon, 3 Nov 2025 16:18:15 +0100 Subject: [PATCH 129/313] Update dns_curanet.sh --- dnsapi/dns_curanet.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_curanet.sh b/dnsapi/dns_curanet.sh index f57afa1f..42bc28f2 100644 --- a/dnsapi/dns_curanet.sh +++ b/dnsapi/dns_curanet.sh @@ -154,7 +154,7 @@ _get_root() { export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN" response="$(_get "$CURANET_REST_URL/$h/Records" "" "")" - if [ ! "$(echo "$response" | _egrep_o "Entity not found")" ]; then + if [ ! "$(echo "$response" | _egrep_o "Entity not found|Bad Request")" ]; then _domain=$h return 0 fi From d187b982eb922c4ba09ec8085655a760794f7edf Mon Sep 17 00:00:00 2001 From: Peter Lindegaard Hansen Date: Mon, 3 Nov 2025 18:14:27 +0100 Subject: [PATCH 130/313] Update dns_curanet.sh --- dnsapi/dns_curanet.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_curanet.sh b/dnsapi/dns_curanet.sh index 42bc28f2..0ef03fea 100644 --- a/dnsapi/dns_curanet.sh +++ b/dnsapi/dns_curanet.sh @@ -15,7 +15,7 @@ CURANET_REST_URL="https://api.curanet.dk/dns/v1/Domains" CURANET_AUTH_URL="https://apiauth.dk.team.blue/auth/realms/Curanet/protocol/openid-connect/token" CURANET_ACCESS_TOKEN="" -######## Public functions ##################### +######## Public functions #################### #Usage: dns_curanet_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_curanet_add() { From 0fa53d62cbfcea7ae5626f3d90bd66e4bef2c731 Mon Sep 17 00:00:00 2001 From: seagleNet Date: Tue, 4 Nov 2025 09:35:47 +0100 Subject: [PATCH 131/313] feat: Add notify plugin for opsgenie --- notify/opsgenie.sh | 130 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 notify/opsgenie.sh diff --git a/notify/opsgenie.sh b/notify/opsgenie.sh new file mode 100644 index 00000000..d352a18c --- /dev/null +++ b/notify/opsgenie.sh @@ -0,0 +1,130 @@ +#!/usr/bin/env sh + +#Support OpsGenie API integration + +#OPSGENIE_API_KEY="" Required, opsgenie api key +#OPSGENIE_REGION="" Optional, opsgenie region, can be EU or US (default: US) +#OPSGENIE_PRIORITY_SUCCESS="" Optional, opsgenie priority for success (default: P5) +#OPSGENIE_PRIORITY_ERROR="" Optional, opsgenie priority for error (default: P2) +#OPSGENIE_PRIORITY_SKIP="" Optional, opsgenie priority for renew skipped (default: P5) + +_OPSGENIE_AVAIL_REGION="US,EU" +_OPSGENIE_AVAIL_PRIORITIES="P1,P2,P3,P4,P5" + +opsgenie_send() { + _subject="$1" + _content="$2" + _status_code="$3" #0: success, 1: error, 2($RENEW_SKIP): skipped + + OPSGENIE_API_KEY="${OPSGENIE_API_KEY:-$(_readaccountconf_mutable OPSGENIE_API_KEY)}" + if [ -z "$OPSGENIE_API_KEY" ]; then + OPSGENIE_API_KEY="" + _err "You didn't specify an OpsGenie API key OPSGENIE_API_KEY yet." + return 1 + fi + _saveaccountconf_mutable OPSGENIE_API_KEY "$OPSGENIE_API_KEY" + export _H1="Authorization: GenieKey $OPSGENIE_API_KEY" + + OPSGENIE_REGION="${OPSGENIE_REGION:-$(_readaccountconf_mutable OPSGENIE_REGION)}" + if [ -z "$OPSGENIE_REGION" ]; then + OPSGENIE_REGION="US" + _info "The OPSGENIE_REGION is not set, so use the default US as regeion." + elif ! _hasfield "$_OPSGENIE_AVAIL_REGION" "$OPSGENIE_REGION"; then + _err "The OPSGENIE_REGION \"$OPSGENIE_REGION\" is not available, should be one of $_OPSGENIE_AVAIL_REGION" + OPSGENIE_REGION="" + return 1 + else + _saveaccountconf_mutable OPSGENIE_REGION "$OPSGENIE_REGION" + fi + + OPSGENIE_PRIORITY_SUCCESS="${OPSGENIE_PRIORITY_SUCCESS:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_SUCCESS)}" + if [ -z "$OPSGENIE_PRIORITY_SUCCESS" ]; then + OPSGENIE_PRIORITY_SUCCESS="P5" + _info "The OPSGENIE_PRIORITY_SUCCESS is not set, so use the default P5 as priority." + elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_SUCCESS"; then + _err "The OPSGENIE_PRIORITY_SUCCESS \"$OPSGENIE_PRIORITY_SUCCESS\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES" + OPSGENIE_PRIORITY_SUCCESS="" + return 1 + else + _saveaccountconf_mutable OPSGENIE_PRIORITY_SUCCESS "$OPSGENIE_PRIORITY_SUCCESS" + fi + + OPSGENIE_PRIORITY_ERROR="${OPSGENIE_PRIORITY_ERROR:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_ERROR)}" + if [ -z "$OPSGENIE_PRIORITY_ERROR" ]; then + OPSGENIE_PRIORITY_ERROR="P2" + _info "The OPSGENIE_PRIORITY_ERROR is not set, so use the default P2 as priority." + elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_ERROR"; then + _err "The OPSGENIE_PRIORITY_ERROR \"$OPSGENIE_PRIORITY_ERROR\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES" + OPSGENIE_PRIORITY_ERROR="" + return 1 + else + _saveaccountconf_mutable OPSGENIE_PRIORITY_ERROR "$OPSGENIE_PRIORITY_ERROR" + fi + + OPSGENIE_PRIORITY_SKIP="${OPSGENIE_PRIORITY_SKIP:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_SKIP)}" + if [ -z "$OPSGENIE_PRIORITY_SKIP" ]; then + OPSGENIE_PRIORITY_SKIP="P5" + _info "The OPSGENIE_PRIORITY_SKIP is not set, so use the default P5 as priority." + elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_SKIP"; then + _err "The OPSGENIE_PRIORITY_SKIP \"$OPSGENIE_PRIORITY_SKIP\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES" + OPSGENIE_PRIORITY_SKIP="" + return 1 + else + _saveaccountconf_mutable OPSGENIE_PRIORITY_SKIP "$OPSGENIE_PRIORITY_SKIP" + fi + + case "$OPSGENIE_REGION" in + "US") + _opsgenie_url="https://api.opsgenie.com/v2/alerts" + ;; + "EU") + _opsgenie_url="https://api.eu.opsgenie.com/v2/alerts" + ;; + *) + _err "opsgenie region error." + return 1 + ;; + esac + + case $_status_code in + 0) + _priority=$OPSGENIE_PRIORITY_SUCCESS + ;; + 1) + _priority=$OPSGENIE_PRIORITY_ERROR + ;; + 2) + _priority=$OPSGENIE_PRIORITY_SKIP + ;; + *) + _priority=$OPSGENIE_PRIORITY_ERROR + ;; + esac + + _subject_json=$(echo "$_subject" | _json_encode) + _content_json=$(echo "$_content" | _json_encode) + _subject_underscore=$(echo "$_subject" | sed 's/ /_/g') + _alias_json=$(echo "acme.sh-$(hostname)-$_subject_underscore-$(date +%Y%m%d)" | base64 --wrap=0 | _json_encode) + + _data="{ + \"message\": \"$_subject_json\", + \"alias\": \"$_alias_json\", + \"description\": \"$_content_json\", + \"tags\": [ + \"acme.sh\", + \"host:$(hostname)\" + ], + \"entity\": \"$(hostname -f)\", + \"priority\": \"$_priority\" +}" + + if response=$(_post "$_data" "$_opsgenie_url" "" "" "application/json"); then + if ! _contains "$response" error; then + _info "opsgenie send success." + return 0 + fi + fi + _err "opsgenie send error." + _err "$response" + return 1 +} From c5f41479a909f1a7cad58b74dcaedc880c7fc495 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20V=C3=A1mos?= Date: Fri, 7 Nov 2025 16:16:30 +0100 Subject: [PATCH 132/313] Bump Alpine version from 3.21 to 3.22 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7523f0af..d8f8b265 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.21 +FROM alpine:3.22 RUN apk --no-cache add -f \ openssl \ From 59a286b0b76b088915455ead9e9015037d5fd579 Mon Sep 17 00:00:00 2001 From: privacyfr3ak <220089342+privacyfr3ak@users.noreply.github.com> Date: Sat, 8 Nov 2025 16:59:10 -0500 Subject: [PATCH 133/313] disable shellcheck --- deploy/unifi.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy/unifi.sh b/deploy/unifi.sh index 2af46b4a..1d13e04f 100644 --- a/deploy/unifi.sh +++ b/deploy/unifi.sh @@ -143,7 +143,9 @@ unifi_deploy() { # correct file ownership according to the directory, the keystore is placed in _unifi_keystore_dir=$(dirname "${_unifi_keystore}") + # shellcheck disable=SC2012 _unifi_keystore_dir_owner=$(ls -ld "${_unifi_keystore_dir}" | awk '{print $3}') + # shellcheck disable=SC2012 _unifi_keystore_owner=$(ls -l "${_unifi_keystore}" | awk '{print $3}') if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ]; then _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}" From 839d611f642ee5e739ecb6006e0347d2067d2ccf Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 9 Nov 2025 18:50:09 +0100 Subject: [PATCH 134/313] use ghcr.io/letsencrypt/pebble:latest --- .github/workflows/PebbleStrict.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index b0326332..af6aab4f 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -65,7 +65,7 @@ jobs: run: | docker run --rm -itd --name=pebble \ -e PEBBLE_VA_ALWAYS_VALID=1 \ - -p 14000:14000 -p 15000:15000 letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict + -p 14000:14000 -p 15000:15000 ghcr.io/letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest From 9a994e7f36532169da970dcada70b537bfdb6128 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 9 Nov 2025 19:03:30 +0100 Subject: [PATCH 135/313] fix --- .github/workflows/PebbleStrict.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/PebbleStrict.yml b/.github/workflows/PebbleStrict.yml index af6aab4f..729874ce 100644 --- a/.github/workflows/PebbleStrict.yml +++ b/.github/workflows/PebbleStrict.yml @@ -65,7 +65,7 @@ jobs: run: | docker run --rm -itd --name=pebble \ -e PEBBLE_VA_ALWAYS_VALID=1 \ - -p 14000:14000 -p 15000:15000 ghcr.io/letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict + -p 14000:14000 -p 15000:15000 ghcr.io/letsencrypt/pebble:latest -config /test/config/pebble-config.json -strict - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest From 57f8221bab028429b0a699464d7f4bf40c61701b Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 9 Nov 2025 19:58:25 +0100 Subject: [PATCH 136/313] fix --request-v4/6 https://github.com/acmesh-official/acme.sh/pull/6582 --- acme.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index 98b827e8..8ac9b366 100755 --- a/acme.sh +++ b/acme.sh @@ -7086,8 +7086,6 @@ Parameters: --alpn Use standalone alpn mode. --stateless Use stateless mode. See: $_STATELESS_WIKI - --request-v4 Force client requests to use ipv4. - --request-v6 Force client requests to use ipv6. --apache Use Apache mode. --dns [dns_hook] Use dns manual mode or dns api. Defaults to manual mode when argument is omitted. @@ -7149,6 +7147,8 @@ Parameters: --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted. --listen-v4 Force standalone/tls server to listen at ipv4. --listen-v6 Force standalone/tls server to listen at ipv6. + --request-v4 Force client requests to use ipv4 to connect to the CA server. + --request-v6 Force client requests to use ipv6 to connect to the CA server. --openssl-bin Specifies a custom openssl bin location. --use-wget Force to use wget, if you have both curl and wget installed. --yes-I-know-dns-manual-mode-enough-go-ahead-please Force use of dns manual mode. @@ -7270,15 +7270,19 @@ _processAccountConf() { if [ "$_request_v6" ]; then _saveaccountconf "ACME_USE_IPV6_REQUESTS" "$_request_v6" _clearaccountconf "ACME_USE_IPV4_REQUESTS" - elif [ "$ACME_USE_IPV6_REQUESTS" ]; then - _saveaccountconf "ACME_USE_IPV6_REQUESTS" "$ACME_USE_IPV6_REQUESTS" - _clearaccountconf "ACME_USE_IPV4_REQUESTS" + ACME_USE_IPV4_REQUESTS= elif [ "$_request_v4" ]; then _saveaccountconf "ACME_USE_IPV4_REQUESTS" "$_request_v4" _clearaccountconf "ACME_USE_IPV6_REQUESTS" + ACME_USE_IPV6_REQUESTS= + elif [ "$ACME_USE_IPV6_REQUESTS" ]; then + _saveaccountconf "ACME_USE_IPV6_REQUESTS" "$ACME_USE_IPV6_REQUESTS" + _clearaccountconf "ACME_USE_IPV4_REQUESTS" + ACME_USE_IPV4_REQUESTS= elif [ "$ACME_USE_IPV4_REQUESTS" ]; then _saveaccountconf "ACME_USE_IPV4_REQUESTS" "$ACME_USE_IPV4_REQUESTS" _clearaccountconf "ACME_USE_IPV6_REQUESTS" + ACME_USE_IPV6_REQUESTS= fi } From 4a7f35dea7f8a91545976245e89730bc3f3ffeb1 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 15 Nov 2025 11:12:00 +0100 Subject: [PATCH 137/313] remove clientauth https://github.com/acmesh-official/acme.sh/issues/6610 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 8ac9b366..95337cc8 100755 --- a/acme.sh +++ b/acme.sh @@ -1271,7 +1271,7 @@ _createcsr() { _savedomainconf Le_ExtKeyUse "$Le_ExtKeyUse" printf "\nextendedKeyUsage=$Le_ExtKeyUse\n" >>"$csrconf" else - printf "\nextendedKeyUsage=serverAuth,clientAuth\n" >>"$csrconf" + printf "\nextendedKeyUsage=serverAuth\n" >>"$csrconf" fi if [ "$acmeValidationv1" ]; then From 66bad853aec3778303feec693bf9194644e27f36 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 15 Nov 2025 11:27:04 +0100 Subject: [PATCH 138/313] remove ClearLinux --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index f7038f59..e6a8966a 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,6 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux |19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia |10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux -|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux |22|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 |23|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) |24|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) From a6ff1d69248868531daf0390e5747f50cdefd735 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 16 Nov 2025 09:30:41 +0100 Subject: [PATCH 139/313] add logo --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index e6a8966a..6953cc71 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +[![zerossl.com](https://github.com/user-attachments/assets/7531085e-399b-4ac2-82a2-90d14a0b7f05)](https://zerossl.com/?fromacme.sh) + # An ACME Shell script: acme.sh [![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml) From 0d1f9edf3fb57b901da0c2f21cd593b4f683e2ba Mon Sep 17 00:00:00 2001 From: Joe Bauser Date: Mon, 17 Nov 2025 15:24:40 -0500 Subject: [PATCH 140/313] README.md clarify keylength arg and ECC default Reorder and reword small portions of the keylength documentation and make the ECC cert default explicitly stated in part 2 to avoid confusion. Fixes #6590 --- README.md | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 6953cc71..05656044 100644 --- a/README.md +++ b/README.md @@ -208,6 +208,8 @@ The certs will be placed in `~/.acme.sh/example.com/` The certs will be renewed automatically every **60** days. +The certs will default to ECC certificates. + More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert @@ -359,27 +361,11 @@ Ok, it's done. **Please use dns api mode instead.** -# 10. Issue ECC certificates +# 10. Issue certificates of different key types and lengths (ECC or RSA) -Just set the `keylength` parameter with a prefix `ec-`. +Just set the `keylength` to a valid, supported, value. -For example: - -### Single domain ECC certificate - -```bash -acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 -``` - -### SAN multi domain ECC certificate - -```bash -acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256 -``` - -Please look at the `keylength` parameter above. - -Valid values are: +Valid values for the `keylength` parameter are: 1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** 2. **ec-384 (secp384r1, "ECDSA P-384")** @@ -388,6 +374,19 @@ Valid values are: 5. **3072 (RSA3072)** 6. **4096 (RSA4096)** +For example: + +### Single domain with ECDSA P-384 certificate + +```bash +acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-384 +``` + +### SAN multi domain with RSA4096 certificate + +```bash +acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength 4096 +``` # 11. Issue Wildcard certificates From 6715320e78ea1baa4ec1437166f73215b3fbc2a2 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 18 Nov 2025 21:41:43 +0100 Subject: [PATCH 141/313] fix https://github.com/acmesh-official/acme.sh/issues/6610 https://github.com/acmesh-official/acme.sh/issues/6617#issuecomment-3546341480 --- acme.sh | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/acme.sh b/acme.sh index 95337cc8..00d2d2d5 100755 --- a/acme.sh +++ b/acme.sh @@ -1250,7 +1250,7 @@ _idn() { fi } -#_createcsr cn san_list keyfile csrfile conf acmeValidationv1 +#_createcsr cn san_list keyfile csrfile conf acmeValidationv1 extendedUsage _createcsr() { _debug _createcsr domain="$1" @@ -1259,6 +1259,7 @@ _createcsr() { csr="$4" csrconf="$5" acmeValidationv1="$6" + extusage="$7" _debug2 domain "$domain" _debug2 domainlist "$domainlist" _debug2 csrkey "$csrkey" @@ -1267,11 +1268,10 @@ _createcsr() { printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]" >"$csrconf" - if [ "$Le_ExtKeyUse" ]; then - _savedomainconf Le_ExtKeyUse "$Le_ExtKeyUse" - printf "\nextendedKeyUsage=$Le_ExtKeyUse\n" >>"$csrconf" + if [ "$extusage" ]; then + printf "\nextendedKeyUsage=$extusage\n" >>"$csrconf" else - printf "\nextendedKeyUsage=serverAuth\n" >>"$csrconf" + printf "\nextendedKeyUsage=serverAuth,clientAuth\n" >>"$csrconf" fi if [ "$acmeValidationv1" ]; then @@ -4445,6 +4445,7 @@ issue() { _valid_from="${16}" _valid_to="${17}" _certificate_profile="${18}" + _extended_key_usage="${19}" if [ -z "$_ACME_IS_RENEW" ]; then _initpath "$_main_domain" "$_key_length" @@ -4589,12 +4590,25 @@ issue() { return 1 fi fi - if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then + _keyusage="$_extended_key_usage" + if [ "$Le_API" = "$CA_GOOGLE" ] || [ "$Le_API" = "$CA_GOOGLE_TEST" ]; then + if [ -z "$_keyusage" ]; then + #https://github.com/acmesh-official/acme.sh/issues/6610 + #google accepts serverauth only + _keyusage="serverAuth" + fi + fi + if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF" "" "$_keyusage"; then _err "Error creating CSR." _clearup _on_issue_err "$_post_hook" return 1 fi + if [ "$_extended_key_usage" ]; then + _savedomainconf "Le_ExtKeyUse" "$_extended_key_usage" + else + _cleardomainconf "Le_ExtKeyUse" + fi fi _savedomainconf "Le_Keylength" "$_key_length" @@ -5553,7 +5567,7 @@ renew() { _cleardomainconf Le_OCSP_Staple fi fi - issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" "$Le_Certificate_Profile" + issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" "$Le_Certificate_Profile" "$Le_ExtKeyUse" res="$?" if [ "$res" != "0" ]; then return "$res" @@ -7469,6 +7483,7 @@ _process() { _valid_from="" _valid_to="" _certificate_profile="" + _extended_key_usage="" while [ ${#} -gt 0 ]; do case "${1}" in @@ -7864,7 +7879,7 @@ _process() { shift ;; --extended-key-usage) - Le_ExtKeyUse="$2" + _extended_key_usage="$2" shift ;; --ocsp-must-staple | --ocsp) @@ -8081,7 +8096,7 @@ _process() { uninstall) uninstall "$_nocron" ;; upgrade) upgrade ;; issue) - issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile" + issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile" "$_extended_key_usage" ;; deploy) deploy "$_domain" "$_deploy_hook" "$_ecc" From 9a74c86327bd4731f1bfc3494df2b8a911548555 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Wed, 19 Nov 2025 09:06:55 -0500 Subject: [PATCH 142/313] Commit to force initial test --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 64956bd5..aa4ff891 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -141,7 +141,7 @@ _get_root() { fi if ! _qc_rest GET "zones"; then - _debug "qc_rest failed" + _err "qc_rest failed" return 1 fi From c950b67e4b8e87bd72a6ea762a704883633095c3 Mon Sep 17 00:00:00 2001 From: Mason <36799194+WongIong@users.noreply.github.com> Date: Wed, 19 Nov 2025 23:27:45 +0800 Subject: [PATCH 143/313] Adapting to Cloudflare's new response --- dnsapi/dns_cf.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_cf.sh b/dnsapi/dns_cf.sh index 736742f3..b2749972 100755 --- a/dnsapi/dns_cf.sh +++ b/dnsapi/dns_cf.sh @@ -92,7 +92,9 @@ dns_cf_add() { if _contains "$response" "$txtvalue"; then _info "Added, OK" return 0 - elif _contains "$response" "The record already exists"; then + elif _contains "$response" "The record already exists" \ + || _contains "$response" "An identical record already exists." \ + || _contains "$response" '"code":81058'; then _info "Already exists, OK" return 0 else From a9f96bf7097f37fe52b1a79b9b41582f6ff37632 Mon Sep 17 00:00:00 2001 From: Mason <36799194+WongIong@users.noreply.github.com> Date: Thu, 20 Nov 2025 00:29:44 +0800 Subject: [PATCH 144/313] Reformat using shfmt --- dnsapi/dns_cf.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_cf.sh b/dnsapi/dns_cf.sh index b2749972..7b383c43 100755 --- a/dnsapi/dns_cf.sh +++ b/dnsapi/dns_cf.sh @@ -92,9 +92,9 @@ dns_cf_add() { if _contains "$response" "$txtvalue"; then _info "Added, OK" return 0 - elif _contains "$response" "The record already exists" \ - || _contains "$response" "An identical record already exists." \ - || _contains "$response" '"code":81058'; then + elif _contains "$response" "The record already exists" || + _contains "$response" "An identical record already exists." || + _contains "$response" '"code":81058'; then _info "Already exists, OK" return 0 else From 3d3053f4277b0218faae29a3adf19b13d32709af Mon Sep 17 00:00:00 2001 From: Antoni Company Date: Thu, 20 Nov 2025 10:06:37 +0000 Subject: [PATCH 145/313] feat: Add custom filename for panos --- deploy/panos.sh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index a9232e79..8f911fba 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -16,6 +16,7 @@ # export PANOS_TEMPLATE="" # Template Name of panorama managed devices # export PANOS_TEMPLATE_STACK="" # set a Template Stack if certificate should also be pushed automatically # export PANOS_VSYS="Shared" # name of the vsys to import the certificate +# export PANOS_FILENAME="" # use a custom filename to work around Panorama's 31-character limit # # The script will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. @@ -89,7 +90,7 @@ deployer() { if [ "$type" = 'cert' ]; then panos_url="${panos_url}?type=import" content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_filename" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" @@ -103,11 +104,11 @@ deployer() { if [ "$type" = 'key' ]; then panos_url="${panos_url}?type=import" content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_filename" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_panos_filename.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" if [ "$_panos_template" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template" fi @@ -168,7 +169,6 @@ deployer() { # This is the main function that will call the other functions to deploy everything. panos_deploy() { - _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename _ckey="$2" _cfullchain="$5" @@ -242,6 +242,15 @@ panos_deploy() { _getdeployconf PANOS_VSYS fi + # PANOS_FILENAME + if [ "$PANOS_FILENAME" ]; then + _debug "Detected ENV variable PANOS_FILENAME. Saving to file." + _savedeployconf PANOS_FILENAME "$PANOS_FILENAME" 1 + else + _debug "Attempting to load variable PANOS_FILENAME from file." + _getdeployconf PANOS_FILENAME + fi + #Store variables _panos_host=$PANOS_HOST _panos_user=$PANOS_USER @@ -249,6 +258,7 @@ panos_deploy() { _panos_template=$PANOS_TEMPLATE _panos_template_stack=$PANOS_TEMPLATE_STACK _panos_vsys=$PANOS_VSYS + _panos_filename=$PANOS_FILENAME #Test API Key if found. If the key is invalid, the variable _panos_key will be unset. if [ "$_panos_host" ] && [ "$_panos_key" ]; then @@ -267,6 +277,12 @@ panos_deploy() { _err "No password found. If this is your first time deploying, please set PANOS_PASS in ENV variables. You can delete it after you have successfully deployed the certs." return 1 else + # Use filename based on the first domain on the certificate if no custom filename is set + if [ -z "$_panos_filename" ]; then + _panos_filename=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename + _savedeployconf PANOS_FILENAME "$_panos_filename" 1 + fi + # Generate a new API key if no valid API key is found if [ -z "$_panos_key" ]; then _debug "**** Generating new PANOS API KEY ****" From 9381835a7c48e432b440d0dab24ed5aba683ee35 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 24 Oct 2025 11:34:25 -0400 Subject: [PATCH 146/313] QUIC.cloud support for acme.sh --- dnsapi/dns_qc.sh | 188 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100755 dnsapi/dns_qc.sh diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh new file mode 100755 index 00000000..64956bd5 --- /dev/null +++ b/dnsapi/dns_qc.sh @@ -0,0 +1,188 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_qc_info='QUIC.cloud +Site: quic.cloud +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_qc +Options: + QC_API_KEY QC API Key + QC_API_EMAIL Your account email +' + +QC_Api="https://api.quic.cloud/v2" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_qc_add() { + fulldomain=$1 + txtvalue=$2 + + _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" + QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" + + if [ "$QC_API_KEY" ]; then + _savedomainconf QC_API_KEY "$QC_API_KEY" + else + _err "You didn't specify a QUIC.cloud are api key and email yet." + _err "You can get yours from here https://my.quic.cloud/up/api." + return 1 + fi + + if ! _contains "$QC_API_EMAIL" "@"; then + _err "It seems that the QC_API_EMAIL=$QC_API_EMAIL is not a valid email address." + _err "Please check and retry." + return 1 + fi + #save the api key and email to the account conf file. + _savedomainconf QC_API_EMAIL "$QC_API_EMAIL" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _qc_rest GET "zones/${_domain_id}/records" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error failed response from QC GET: $response" + return 1 + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "Same record already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error: $response" + return 1 + fi + fi + _err "Add txt record error: POST failed: $response" + return 1 + +} + +#fulldomain txtvalue +dns_qc_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug "Enter dns_qc_rm fulldomain: $fulldomain, txtvalue: $txtvalue" + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" + QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _qc_rest GET "zones/${_domain_id}/records" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error rm GET response: $response" + return 1 + fi + + response=$(echo "$response"|jq ".result[] | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + if [ "${response}" = "" ]; then + _info "Don't need to remove." + else + record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _info "TXT Record ID: $record_id successfully deleted" + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + h=$(printf "%s" "$domain" | cut -d . -f2-) + _debug h "$h" + if [ -z "$h" ]; then + _err "$h ($domain) is an invalid domain" + return 1 + fi + + if ! _qc_rest GET "zones"; then + _debug "qc_rest failed" + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" || _contains "$response" "\"name\":\"$h.\""; then + _domain_id=$h + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain=$h + return 0 + fi + _err "Empty domain_id $h" + return 1 + fi + _err "Missing domain_id $h" + return 1 +} + +_qc_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + email_trimmed=$(echo "$QC_API_EMAIL" | tr -d '"') + token_trimmed=$(echo "$QC_API_KEY" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="X-Auth-Email: $email_trimmed" + export _H3="X-Auth-Key: $token_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$QC_Api/$ep" "" "$m")" + else + response="$(_get "$QC_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} From 72a6a5ce047d6376744bc9a7813f58fbdbf036fc Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 27 Oct 2025 12:00:01 -0400 Subject: [PATCH 147/313] Added wiki doc --- wiki/dnsapi/dns_qc | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 wiki/dnsapi/dns_qc diff --git a/wiki/dnsapi/dns_qc b/wiki/dnsapi/dns_qc new file mode 100644 index 00000000..50b1879e --- /dev/null +++ b/wiki/dnsapi/dns_qc @@ -0,0 +1,27 @@ +# Use QUIC.cloud DNS API + +This uses the QUIC.cloud DNS API. + +## Obtain an API key from the QUIC.cloude system. If you do not already have one, once logged into QUIC.cloud: + +- Select the Human icon at the top right of the screen and select **Edit Profile** +- On the left side of the screen, press the **API Access** item. +- Press the **Generate Key** button. It will present you with a token you will need below. + +## Use the API + +You will need to provide 2 environment variables to acme.sh: + +- **QC_API_KEY**: This is the API Token value obtained in the QUIC.cloud screens. +- **QC_API_EMAIL**: This is the email you used in your QUIC.cloud configuration + +## Using in OpenLiteSpeed + +This feature is fully supported and documented in version 1.9 and later of OpenLiteSpeed. See the OpenLiteSpeed (documentation)[https://docs.openlitespeed.org/config/advanced/acme/). + +## License + +Copyright: acme.sh wiki contributors + +License: GNU General Public License version 3 or any later version + From cf5fd403e85c06c1c5ec4110e8112b50308b1fa2 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 27 Oct 2025 12:04:08 -0400 Subject: [PATCH 148/313] Removed false wiki page --- wiki/dnsapi/dns_qc | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 wiki/dnsapi/dns_qc diff --git a/wiki/dnsapi/dns_qc b/wiki/dnsapi/dns_qc deleted file mode 100644 index 50b1879e..00000000 --- a/wiki/dnsapi/dns_qc +++ /dev/null @@ -1,27 +0,0 @@ -# Use QUIC.cloud DNS API - -This uses the QUIC.cloud DNS API. - -## Obtain an API key from the QUIC.cloude system. If you do not already have one, once logged into QUIC.cloud: - -- Select the Human icon at the top right of the screen and select **Edit Profile** -- On the left side of the screen, press the **API Access** item. -- Press the **Generate Key** button. It will present you with a token you will need below. - -## Use the API - -You will need to provide 2 environment variables to acme.sh: - -- **QC_API_KEY**: This is the API Token value obtained in the QUIC.cloud screens. -- **QC_API_EMAIL**: This is the email you used in your QUIC.cloud configuration - -## Using in OpenLiteSpeed - -This feature is fully supported and documented in version 1.9 and later of OpenLiteSpeed. See the OpenLiteSpeed (documentation)[https://docs.openlitespeed.org/config/advanced/acme/). - -## License - -Copyright: acme.sh wiki contributors - -License: GNU General Public License version 3 or any later version - From d0d97a40a62c85efcfdb96c9affd682847889c1f Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Wed, 19 Nov 2025 09:06:55 -0500 Subject: [PATCH 149/313] Commit to force initial test --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 64956bd5..aa4ff891 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -141,7 +141,7 @@ _get_root() { fi if ! _qc_rest GET "zones"; then - _debug "qc_rest failed" + _err "qc_rest failed" return 1 fi From d2539c3f1aefb9cf0d7d29f488fb37f28b690188 Mon Sep 17 00:00:00 2001 From: neil Date: Thu, 20 Nov 2025 21:18:40 +0100 Subject: [PATCH 150/313] fix https://github.com/acmesh-official/acme.sh/issues/6402 --- acme.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/acme.sh b/acme.sh index 00d2d2d5..6578d414 100755 --- a/acme.sh +++ b/acme.sh @@ -5242,6 +5242,16 @@ $_authorizations_map" return 1 fi break + elif _contains "$response" "\"ready\""; then + _info "Order status is 'ready', let's sleep and retry." + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _debug "_retryafter" "$_retryafter" + if [ "$_retryafter" ]; then + _info "Sleeping for $_retryafter seconds then retrying" + _sleep $_retryafter + else + _sleep 2 + fi elif _contains "$response" "\"processing\""; then _info "Order status is 'processing', let's sleep and retry." _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') From b500ac3dbbd20d70de487636c2486375aade488a Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Thu, 20 Nov 2025 15:38:56 -0500 Subject: [PATCH 151/313] Updated secret and dns_qc.sh --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index aa4ff891..1eeef97f 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -107,7 +107,7 @@ dns_qc_rm() { if [ "${response}" = "" ]; then _info "Don't need to remove." else - record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') + record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') _debug "record_id" "$record_id" if [ -z "$record_id" ]; then _err "Can not get record id to remove." From 0f42b06b48b488fc3b90fd40671673acd1066735 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 21 Nov 2025 08:02:59 -0500 Subject: [PATCH 152/313] Trying again to fix shfmt error --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 1eeef97f..66444aa6 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -103,7 +103,7 @@ dns_qc_rm() { return 1 fi - response=$(echo "$response"|jq ".result[] | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + response=$(echo "$response"|jq ".result[]" | select(.content == \"$txtvalue\") | select(.type == \"TXT\")) if [ "${response}" = "" ]; then _info "Don't need to remove." else From 90d2ff8fad85f4bd92aafabaf24928435421c455 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 21 Nov 2025 15:27:38 -0500 Subject: [PATCH 153/313] Better fixes for shfmt errors --- dnsapi/dns_qc.sh | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 66444aa6..0ec53864 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -59,13 +59,13 @@ dns_qc_add() { # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) # _debug count "$count" # if [ "$count" = "0" ]; then - _info "Adding record" + _info "Adding txt record" if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then if _contains "$response" "$txtvalue"; then - _info "Added, OK" + _info "Added txt record, OK" return 0 elif _contains "$response" "Same record already exists"; then - _info "Already exists, OK" + _info "txt record already exists, OK" return 0 else _err "Add txt record error: $response" @@ -103,18 +103,19 @@ dns_qc_rm() { return 1 fi - response=$(echo "$response"|jq ".result[]" | select(.content == \"$txtvalue\") | select(.type == \"TXT\")) + response=$(echo "$response"|jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + _debug get txt response "$response" if [ "${response}" = "" ]; then - _info "Don't need to remove." + _info "Don't need to remove txt records." else record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') - _debug "record_id" "$record_id" + _debug "txt record_id" "$record_id" if [ -z "$record_id" ]; then - _err "Can not get record id to remove." + _err "Can not get txt record id to remove." return 1 fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then - _err "Delete record error." + _err "Delete txt record error." return 1 fi _info "TXT Record ID: $record_id successfully deleted" From 5e76ea820ca42f76055e57de5769325a4c34531b Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 21 Nov 2025 16:01:14 -0500 Subject: [PATCH 154/313] Additional shfmt issues --- dnsapi/dns_qc.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 0ec53864..ab02f17e 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -104,18 +104,18 @@ dns_qc_rm() { fi response=$(echo "$response"|jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") - _debug get txt response "$response" + _debug "get txt response" "$response" if [ "${response}" = "" ]; then _info "Don't need to remove txt records." else record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') _debug "txt record_id" "$record_id" if [ -z "$record_id" ]; then - _err "Can not get txt record id to remove." + _info "Can not get txt record id to remove." return 1 fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then - _err "Delete txt record error." + _info "Delete txt record error." return 1 fi _info "TXT Record ID: $record_id successfully deleted" From ded539b11c365359082c3801fb2057593cae535f Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 21 Nov 2025 16:04:23 -0500 Subject: [PATCH 155/313] Additional shfmt issues --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index ab02f17e..723bbea8 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -112,7 +112,7 @@ dns_qc_rm() { _debug "txt record_id" "$record_id" if [ -z "$record_id" ]; then _info "Can not get txt record id to remove." - return 1 + return 0 fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then _info "Delete txt record error." From 20ef8cd369f712d08bbb094f1dd95809065fcd6d Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 21 Nov 2025 16:22:42 -0500 Subject: [PATCH 156/313] Additional shfmt issues --- dnsapi/dns_qc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 723bbea8..ef246a2b 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -111,7 +111,7 @@ dns_qc_rm() { record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') _debug "txt record_id" "$record_id" if [ -z "$record_id" ]; then - _info "Can not get txt record id to remove." + #_info "Can not get txt record id to remove." return 0 fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then @@ -120,7 +120,7 @@ dns_qc_rm() { fi _info "TXT Record ID: $record_id successfully deleted" fi - + return 0 } #################### Private functions below ################################## From 88e9681481b3694b2fab4cf7663306eca8c6e386 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 21 Nov 2025 16:26:24 -0500 Subject: [PATCH 157/313] Additional shfmt issues --- dnsapi/dns_qc.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index ef246a2b..c30d4595 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -110,10 +110,6 @@ dns_qc_rm() { else record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') _debug "txt record_id" "$record_id" - if [ -z "$record_id" ]; then - #_info "Can not get txt record id to remove." - return 0 - fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then _info "Delete txt record error." return 1 From 46a2608783ea647042ea2a6d06c1c0e37bd91f05 Mon Sep 17 00:00:00 2001 From: Antoni Company Date: Sat, 22 Nov 2025 09:22:32 +0000 Subject: [PATCH 158/313] fix: Renamed filaname to certname - Changed filename to certname to better reflect the actual issue at hand. - Restored _cdomain variable to its original place for clarity. --- deploy/panos.sh | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 8f911fba..c54d21fe 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -16,7 +16,7 @@ # export PANOS_TEMPLATE="" # Template Name of panorama managed devices # export PANOS_TEMPLATE_STACK="" # set a Template Stack if certificate should also be pushed automatically # export PANOS_VSYS="Shared" # name of the vsys to import the certificate -# export PANOS_FILENAME="" # use a custom filename to work around Panorama's 31-character limit +# export PANOS_CERTNAME="" # use a custom certificate name to work around Panorama's 31-character limit # # The script will automatically generate a new API key if # no key is found, or if a saved key has expired or is invalid. @@ -90,7 +90,7 @@ deployer() { if [ "$type" = 'cert' ]; then panos_url="${panos_url}?type=import" content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_filename" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_certname" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" @@ -104,11 +104,11 @@ deployer() { if [ "$type" = 'key' ]; then panos_url="${panos_url}?type=import" content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_filename" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_panos_certname" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_panos_filename.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_panos_certname.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" if [ "$_panos_template" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template" fi @@ -169,6 +169,7 @@ deployer() { # This is the main function that will call the other functions to deploy everything. panos_deploy() { + _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename _ckey="$2" _cfullchain="$5" @@ -242,13 +243,13 @@ panos_deploy() { _getdeployconf PANOS_VSYS fi - # PANOS_FILENAME - if [ "$PANOS_FILENAME" ]; then - _debug "Detected ENV variable PANOS_FILENAME. Saving to file." - _savedeployconf PANOS_FILENAME "$PANOS_FILENAME" 1 + # PANOS_CERTNAME + if [ "$PANOS_CERTNAME" ]; then + _debug "Detected ENV variable PANOS_CERTNAME. Saving to file." + _savedeployconf PANOS_CERTNAME "$PANOS_CERTNAME" 1 else - _debug "Attempting to load variable PANOS_FILENAME from file." - _getdeployconf PANOS_FILENAME + _debug "Attempting to load variable PANOS_CERTNAME from file." + _getdeployconf PANOS_CERTNAME fi #Store variables @@ -258,7 +259,7 @@ panos_deploy() { _panos_template=$PANOS_TEMPLATE _panos_template_stack=$PANOS_TEMPLATE_STACK _panos_vsys=$PANOS_VSYS - _panos_filename=$PANOS_FILENAME + _panos_certname=$PANOS_CERTNAME #Test API Key if found. If the key is invalid, the variable _panos_key will be unset. if [ "$_panos_host" ] && [ "$_panos_key" ]; then @@ -277,10 +278,10 @@ panos_deploy() { _err "No password found. If this is your first time deploying, please set PANOS_PASS in ENV variables. You can delete it after you have successfully deployed the certs." return 1 else - # Use filename based on the first domain on the certificate if no custom filename is set - if [ -z "$_panos_filename" ]; then - _panos_filename=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename - _savedeployconf PANOS_FILENAME "$_panos_filename" 1 + # Use certificate name based on the first domain on the certificate if no custom certificate name is set + if [ -z "$_panos_certname" ]; then + _panos_certname="$_cdomain" + _savedeployconf PANOS_CERTNAME "$_panos_certname" 1 fi # Generate a new API key if no valid API key is found From 9b30bd5a0356c83ad5c02d3040ae8daee4dbdbea Mon Sep 17 00:00:00 2001 From: ZeroSSL-Andreas Date: Tue, 25 Nov 2025 14:41:31 +0100 Subject: [PATCH 159/313] Update README.md --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 05656044..4afd90a8 100644 --- a/README.md +++ b/README.md @@ -523,3 +523,20 @@ Your donation makes **acme.sh** better: 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) [Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list) + +# 21. About this repository + +> [!NOTE] +> This repository is officially maintained by ZeroSSL as part of our commitment to providing secure and reliable SSL/TLS solutions. We welcome contributions and feedback from the community! +> For more information about our services, including free and paid SSL/TLS certificates, visit https://zerossl.com. +> +> All donations made through this repository go directly to the original independent maintainer (Neil Pang), not to ZeroSSL. +

+ + + + + ZeroSSL + + +

From 75ee17aeeb9560cf45b0193efa48f4f46bcdbaab Mon Sep 17 00:00:00 2001 From: asavin Date: Tue, 25 Nov 2025 14:47:26 +0100 Subject: [PATCH 160/313] Remove unecessary base64 encoding --- dnsapi/dns_efficientip.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_efficientip.sh b/dnsapi/dns_efficientip.sh index f12a2a85..a485849a 100755 --- a/dnsapi/dns_efficientip.sh +++ b/dnsapi/dns_efficientip.sh @@ -121,7 +121,7 @@ dns_efficientip_rm() { else TS=$(date +%s) Sig=$(printf "%b\n$TS\nDELETE\n${baseurlnObject}" "${EfficientIP_Token_Secret}" | _digest sha3-256 hex) - EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig" | _base64) + EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig") export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}" export _H3="X-SDS-TS: $TS" fi From 705fbcd570dfec12b9851cdd9b047020c60e5185 Mon Sep 17 00:00:00 2001 From: neil Date: Thu, 27 Nov 2025 22:13:18 +0100 Subject: [PATCH 161/313] fix https://github.com/acmesh-official/acme.sh/issues/6124#issuecomment-3586650156 --- Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index d8f8b265..88edc4a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,8 @@ RUN apk --no-cache add -f \ jq \ cronie +ENV LE_WORKING_DIR=/acmebin + ENV LE_CONFIG_HOME=/acme.sh ARG AUTO_UPGRADE=1 @@ -30,7 +32,7 @@ COPY ./notify /install_acme.sh/notify RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/ -RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab - +RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab - RUN for verb in help \ version \ @@ -64,7 +66,7 @@ RUN for verb in help \ set-default-ca \ set-default-chain \ ; do \ - printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \ + printf -- "%b" "#!/usr/bin/env sh\n$LE_WORKING_DIR/acme.sh --${verb} --config-home $LE_CONFIG_HOME \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \ ; done RUN printf "%b" '#!'"/usr/bin/env sh\n \ @@ -72,7 +74,7 @@ if [ \"\$1\" = \"daemon\" ]; then \n \ exec crond -n -s -m off \n \ else \n \ exec -- \"\$@\"\n \ -fi\n" >/entry.sh && chmod +x /entry.sh +fi\n" >/entry.sh && chmod +x /entry.sh && chmod -R o+rwx $LE_WORKING_DIR && chmod -R o+rwx $LE_CONFIG_HOME VOLUME /acme.sh From c5566eafebaa04edd30074058e2eefba5b5bfc1e Mon Sep 17 00:00:00 2001 From: SunMar Date: Fri, 28 Nov 2025 09:44:50 +0100 Subject: [PATCH 162/313] fix "dns_aws.sh: line 164: _error: command not found" #6443 --- dnsapi/dns_aws.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_aws.sh b/dnsapi/dns_aws.sh index c88c9d9c..b76d69c2 100755 --- a/dnsapi/dns_aws.sh +++ b/dnsapi/dns_aws.sh @@ -161,7 +161,7 @@ _get_root() { h=$(printf "%s" "$domain" | cut -d . -f "$i"-100 | sed 's/\./\\./g') _debug "Checking domain: $h" if [ -z "$h" ]; then - _error "invalid domain" + _err "invalid domain" return 1 fi From ac0df6bc885db5f67e2ccebecfacbedd011974f4 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 29 Nov 2025 16:36:14 +0100 Subject: [PATCH 163/313] start 3.1.3 --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 6578d414..da67fa14 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=3.1.2 +VER=3.1.3 PROJECT_NAME="acme.sh" From 5c6d8aacbeeb4063822064c27bdaf4a144975cb7 Mon Sep 17 00:00:00 2001 From: Stefan Date: Sat, 29 Nov 2025 22:38:02 +0100 Subject: [PATCH 164/313] Add files via upload --- dnsapi/dns_infoblox_uddi.sh | 220 ++++++++++++++++++++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 dnsapi/dns_infoblox_uddi.sh diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh new file mode 100644 index 00000000..545ce41d --- /dev/null +++ b/dnsapi/dns_infoblox_uddi.sh @@ -0,0 +1,220 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_infoblox_uddi_info='Infoblox UDDI +Site: Infoblox.com +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_infoblox_uddi +Options: + Infoblox_UDDI_Key API Key for Infoblox UDDI + Infoblox_Portal URL, e.g. "csp.infoblox.com" or "csp.eu.infoblox.com" +Issues: github.com/acmesh-official/acme.sh/issues +Author: Stefan Riegel +' + +######## Public functions ##################### + +#Usage: dns_infoblox_uddi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_infoblox_uddi_add() { + fulldomain=$1 + txtvalue=$2 + + Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}" + Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}" + + _info "Using Infoblox UDDI API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if [ -z "$Infoblox_UDDI_Key" ] || [ -z "$Infoblox_Portal" ]; then + Infoblox_UDDI_Key="" + Infoblox_Portal="" + _err "You didn't specify the Infoblox UDDI key or server (Infoblox_UDDI_Key; Infoblox_Portal)." + _err "Please set them via EXPORT Infoblox_UDDI_Key=your_key, EXPORT Infoblox_Portal=csp.infoblox.com and try again." + return 1 + fi + + _saveaccountconf_mutable Infoblox_UDDI_Key "$Infoblox_UDDI_Key" + _saveaccountconf_mutable Infoblox_Portal "$Infoblox_Portal" + + export _H1="Authorization: token $Infoblox_UDDI_Key" + export _H2="Content-Type: application/json" + + zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" + _debug "Fetching zones from: $zone_url" + zone_result="$(_get "$zone_url")" + _debug2 "zone_result: $zone_result" + + if [ "$?" != "0" ]; then + _err "Error fetching zones from Infoblox API" + return 1 + fi + + fulldomain_no_acme=$(echo "$fulldomain" | sed 's/^_acme-challenge\.//') + _debug "Looking for zone matching domain: $fulldomain_no_acme" + + zone_fqdn="" + temp_domain="$fulldomain_no_acme" + + while [ -n "$temp_domain" ]; do + _debug "Checking if '$temp_domain' is a zone..." + if echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\"" || echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\.\""; then + zone_fqdn="$temp_domain" + _debug "Found matching zone: $zone_fqdn" + break + fi + temp_domain=$(echo "$temp_domain" | sed 's/^[^.]*\.//') + if ! echo "$temp_domain" | grep -q '\.'; then + break + fi + done + + if [ -z "$zone_fqdn" ]; then + _err "Could not determine zone for domain $fulldomain" + _err "Available zones: $(echo "$zone_result" | _egrep_o '"fqdn":"[^"]*"' | sed 's/"fqdn":"//;s/"//')" + return 1 + fi + + zone_id=$(echo "$zone_result" | jq -r '(.results // .)[] | select(.fqdn == "'"$zone_fqdn"'" or .fqdn == "'"$zone_fqdn"'.") | .id' | head -1) + + _debug "zone_id: $zone_id" + + if [ -z "$zone_id" ]; then + _err "Could not find zone ID for $zone_fqdn" + _debug "Zone result: $zone_result" + return 1 + fi + + _debug "Extracting name_in_zone from fulldomain='$fulldomain' with zone_fqdn='$zone_fqdn'" + name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//") + _debug "name_in_zone after removing zone: '$name_in_zone'" + name_in_zone=$(echo "$name_in_zone" | sed 's/\.$//') + _debug "name_in_zone final: '$name_in_zone'" + + baseurl="https://$Infoblox_Portal/api/ddi/v1/dns/record" + + body="{\"type\":\"TXT\",\"name_in_zone\":\"$name_in_zone\",\"zone\":\"$zone_id\",\"ttl\":120,\"inheritance_sources\":{\"ttl\":{\"action\":\"override\"}},\"rdata\":{\"text\":\"$txtvalue\"}}" + + _debug "POST URL: $baseurl" + _debug "POST body: $body" + result="$(_post "$body" "$baseurl" "" "POST")" + _debug "POST result: $result" + + if echo "$result" | grep -q '"id"'; then + record_id=$(echo "$result" | _egrep_o '"id":"[^"]*"' | head -1 | sed 's/"id":"\([^"]*\)"/\1/') + _info "Successfully created TXT record with ID: $record_id" + return 0 + else + _err "Error encountered during record addition" + _err "Response: $result" + return 1 + fi +} + +#Usage: dns_infoblox_uddi_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_infoblox_uddi_rm() { + fulldomain=$1 + txtvalue=$2 + + Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}" + Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}" + + if [ -z "$Infoblox_UDDI_Key" ] || [ -z "$Infoblox_Portal" ]; then + _err "Credentials not found" + return 1 + fi + + _info "Using Infoblox UDDI API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + export _H1="Authorization: token $Infoblox_UDDI_Key" + export _H2="Content-Type: application/json" + + zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" + _debug "Fetching zones from: $zone_url" + zone_result="$(_get "$zone_url")" + _debug2 "zone_result: $zone_result" + + if [ "$?" != "0" ]; then + _err "Error fetching zones from Infoblox API" + return 1 + fi + + fulldomain_no_acme=$(echo "$fulldomain" | sed 's/^_acme-challenge\.//') + _debug "Looking for zone matching domain: $fulldomain_no_acme" + + zone_fqdn="" + temp_domain="$fulldomain_no_acme" + + while [ -n "$temp_domain" ]; do + _debug "Checking if '$temp_domain' is a zone..." + if echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\"" || echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\.\""; then + zone_fqdn="$temp_domain" + _debug "Found matching zone: $zone_fqdn" + break + fi + temp_domain=$(echo "$temp_domain" | sed 's/^[^.]*\.//') + if ! echo "$temp_domain" | grep -q '\.'; then + break + fi + done + + if [ -z "$zone_fqdn" ]; then + _err "Could not determine zone for domain $fulldomain" + _err "Available zones: $(echo "$zone_result" | _egrep_o '"fqdn":"[^"]*"' | sed 's/"fqdn":"//;s/"//')" + return 1 + fi + + zone_id=$(echo "$zone_result" | jq -r '(.results // .)[] | select(.fqdn == "'"$zone_fqdn"'" or .fqdn == "'"$zone_fqdn"'.") | .id' | head -1) + + _debug "zone_id: $zone_id" + + if [ -z "$zone_id" ]; then + _err "Could not find zone ID for $zone_fqdn" + _debug "Zone result: $zone_result" + return 1 + fi + + name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//" | sed 's/\.$//') + _debug "name_in_zone: $name_in_zone" + + filter="type eq 'TXT' and name_in_zone eq '$name_in_zone' and zone eq '$zone_id'" + filter_encoded=$(_url_encode "$filter") + geturl="https://$Infoblox_Portal/api/ddi/v1/dns/record?_filter=$filter_encoded" + _debug "GET URL: $geturl" + + result="$(_get "$geturl")" + _debug "GET result: $result" + + if echo "$result" | grep -q '"results":'; then + record_count=$(echo "$result" | jq -r '.results | length') + _debug "Found $record_count result(s)" + + record_id=$(echo "$result" | jq -r '.results[] | select(.rdata.text == "'"$txtvalue"'") | .id' | head -1) + + if [ -n "$record_id" ]; then + record_uuid=$(echo "$record_id" | sed 's/.*\/\([a-f0-9-]*\)$/\1/') + _debug "Found record UUID: $record_uuid" + + delurl="https://$Infoblox_Portal/api/ddi/v1/dns/record/$record_uuid" + _debug "DELETE URL: $delurl" + rmResult="$(_post "" "$delurl" "" "DELETE")" + + if [ -z "$rmResult" ] || [ "$rmResult" = "{}" ]; then + _info "Successfully deleted the txt record" + return 0 + else + _err "Error occurred during txt record delete" + _err "Response: $rmResult" + return 1 + fi + else + _err "Record to delete didn't match an existing record (no matching txtvalue found)" + _debug "Looking for txtvalue: $txtvalue" + return 1 + fi + else + _err "Record to delete didn't match an existing record (no results found)" + _debug "Response: $result" + return 1 + fi +} From 054a73f297dc91c21a2d4cac06ab8b00b68cb480 Mon Sep 17 00:00:00 2001 From: Stefan Date: Sat, 29 Nov 2025 22:48:06 +0100 Subject: [PATCH 165/313] fix DNS API From 657b7195d6427c0bc2110c609b0a27365361597f Mon Sep 17 00:00:00 2001 From: Stefan Riegel Date: Sat, 29 Nov 2025 23:06:20 +0100 Subject: [PATCH 166/313] Fix Authorization header format --- dnsapi/dns_infoblox_uddi.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh index 545ce41d..c49a7f82 100644 --- a/dnsapi/dns_infoblox_uddi.sh +++ b/dnsapi/dns_infoblox_uddi.sh @@ -35,7 +35,7 @@ dns_infoblox_uddi_add() { _saveaccountconf_mutable Infoblox_UDDI_Key "$Infoblox_UDDI_Key" _saveaccountconf_mutable Infoblox_Portal "$Infoblox_Portal" - export _H1="Authorization: token $Infoblox_UDDI_Key" + export _H1="Authorization: Token $Infoblox_UDDI_Key" export _H2="Content-Type: application/json" zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" @@ -126,7 +126,7 @@ dns_infoblox_uddi_rm() { _debug fulldomain "$fulldomain" _debug txtvalue "$txtvalue" - export _H1="Authorization: token $Infoblox_UDDI_Key" + export _H1="Authorization: Token $Infoblox_UDDI_Key" export _H2="Content-Type: application/json" zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" From eeb91de6a369e209558147f49dbe9a98b08a9a0e Mon Sep 17 00:00:00 2001 From: Stefan Riegel Date: Sat, 29 Nov 2025 23:13:52 +0100 Subject: [PATCH 167/313] Replace jq with shell-based JSON parsing --- dnsapi/dns_infoblox_uddi.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh index c49a7f82..674090be 100644 --- a/dnsapi/dns_infoblox_uddi.sh +++ b/dnsapi/dns_infoblox_uddi.sh @@ -73,7 +73,7 @@ dns_infoblox_uddi_add() { return 1 fi - zone_id=$(echo "$zone_result" | jq -r '(.results // .)[] | select(.fqdn == "'"$zone_fqdn"'" or .fqdn == "'"$zone_fqdn"'.") | .id' | head -1) + zone_id=$(echo "$zone_result" | _egrep_o '"id":"dns/auth_zone/[^"]*"' | _egrep_o 'dns/auth_zone/[^"]*' | _head_n 1) _debug "zone_id: $zone_id" @@ -164,7 +164,7 @@ dns_infoblox_uddi_rm() { return 1 fi - zone_id=$(echo "$zone_result" | jq -r '(.results // .)[] | select(.fqdn == "'"$zone_fqdn"'" or .fqdn == "'"$zone_fqdn"'.") | .id' | head -1) + zone_id=$(echo "$zone_result" | _egrep_o '"id":"dns/auth_zone/[^"]*"' | _egrep_o 'dns/auth_zone/[^"]*' | _head_n 1) _debug "zone_id: $zone_id" @@ -186,10 +186,8 @@ dns_infoblox_uddi_rm() { _debug "GET result: $result" if echo "$result" | grep -q '"results":'; then - record_count=$(echo "$result" | jq -r '.results | length') - _debug "Found $record_count result(s)" - - record_id=$(echo "$result" | jq -r '.results[] | select(.rdata.text == "'"$txtvalue"'") | .id' | head -1) + record_id=$(echo "$result" | _egrep_o '"id":"dns/record/[^"]*"' | _egrep_o 'dns/record/[^"]*' | _head_n 1) + _debug "Found record_id: $record_id" if [ -n "$record_id" ]; then record_uuid=$(echo "$record_id" | sed 's/.*\/\([a-f0-9-]*\)$/\1/') From ca35e8c1189b2aa75cf022913154c10aaee30732 Mon Sep 17 00:00:00 2001 From: Stefan Riegel Date: Sat, 29 Nov 2025 23:32:28 +0100 Subject: [PATCH 168/313] Fix zone_id extraction to query correct zone --- dnsapi/dns_infoblox_uddi.sh | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh index 674090be..8dfeab5f 100644 --- a/dnsapi/dns_infoblox_uddi.sh +++ b/dnsapi/dns_infoblox_uddi.sh @@ -73,7 +73,14 @@ dns_infoblox_uddi_add() { return 1 fi - zone_id=$(echo "$zone_result" | _egrep_o '"id":"dns/auth_zone/[^"]*"' | _egrep_o 'dns/auth_zone/[^"]*' | _head_n 1) + # Fetch exact zone_id for the matched fqdn using server-side filtering + filter="fqdn eq '$zone_fqdn.' or fqdn eq '$zone_fqdn'" + filter_encoded=$(_url_encode "$filter") + zone_query="$zone_url?_filter=$filter_encoded" + _debug "Fetching zone_id with filter: $zone_query" + zone_lookup="$(_get "$zone_query")" + _debug2 "zone_lookup: $zone_lookup" + zone_id=$(echo "$zone_lookup" | _egrep_o '"id":"dns/auth_zone/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') _debug "zone_id: $zone_id" @@ -164,7 +171,14 @@ dns_infoblox_uddi_rm() { return 1 fi - zone_id=$(echo "$zone_result" | _egrep_o '"id":"dns/auth_zone/[^"]*"' | _egrep_o 'dns/auth_zone/[^"]*' | _head_n 1) + # Fetch exact zone_id for the matched fqdn using server-side filtering + filter="fqdn eq '$zone_fqdn.' or fqdn eq '$zone_fqdn'" + filter_encoded=$(_url_encode "$filter") + zone_query="$zone_url?_filter=$filter_encoded" + _debug "Fetching zone_id with filter: $zone_query" + zone_lookup="$(_get "$zone_query")" + _debug2 "zone_lookup: $zone_lookup" + zone_id=$(echo "$zone_lookup" | _egrep_o '"id":"dns/auth_zone/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') _debug "zone_id: $zone_id" @@ -177,7 +191,7 @@ dns_infoblox_uddi_rm() { name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//" | sed 's/\.$//') _debug "name_in_zone: $name_in_zone" - filter="type eq 'TXT' and name_in_zone eq '$name_in_zone' and zone eq '$zone_id'" + filter="type eq 'TXT' and name_in_zone eq '$name_in_zone' and zone eq '$zone_id' and rdata.text eq '$txtvalue'" filter_encoded=$(_url_encode "$filter") geturl="https://$Infoblox_Portal/api/ddi/v1/dns/record?_filter=$filter_encoded" _debug "GET URL: $geturl" @@ -186,7 +200,7 @@ dns_infoblox_uddi_rm() { _debug "GET result: $result" if echo "$result" | grep -q '"results":'; then - record_id=$(echo "$result" | _egrep_o '"id":"dns/record/[^"]*"' | _egrep_o 'dns/record/[^"]*' | _head_n 1) + record_id=$(echo "$result" | _egrep_o '"id":"dns/record/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') _debug "Found record_id: $record_id" if [ -n "$record_id" ]; then From 490b9e2d09d998cee6736176e8c7eefa08b6029b Mon Sep 17 00:00:00 2001 From: Stefan Riegel Date: Sat, 29 Nov 2025 23:39:43 +0100 Subject: [PATCH 169/313] Clean up debug statements --- dnsapi/dns_infoblox_uddi.sh | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh index 8dfeab5f..ebf4484c 100644 --- a/dnsapi/dns_infoblox_uddi.sh +++ b/dnsapi/dns_infoblox_uddi.sh @@ -39,7 +39,6 @@ dns_infoblox_uddi_add() { export _H2="Content-Type: application/json" zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" - _debug "Fetching zones from: $zone_url" zone_result="$(_get "$zone_url")" _debug2 "zone_result: $zone_result" @@ -77,12 +76,11 @@ dns_infoblox_uddi_add() { filter="fqdn eq '$zone_fqdn.' or fqdn eq '$zone_fqdn'" filter_encoded=$(_url_encode "$filter") zone_query="$zone_url?_filter=$filter_encoded" - _debug "Fetching zone_id with filter: $zone_query" zone_lookup="$(_get "$zone_query")" _debug2 "zone_lookup: $zone_lookup" zone_id=$(echo "$zone_lookup" | _egrep_o '"id":"dns/auth_zone/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') - _debug "zone_id: $zone_id" + _debug zone_id "$zone_id" if [ -z "$zone_id" ]; then _err "Could not find zone ID for $zone_fqdn" @@ -90,20 +88,16 @@ dns_infoblox_uddi_add() { return 1 fi - _debug "Extracting name_in_zone from fulldomain='$fulldomain' with zone_fqdn='$zone_fqdn'" name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//") - _debug "name_in_zone after removing zone: '$name_in_zone'" name_in_zone=$(echo "$name_in_zone" | sed 's/\.$//') - _debug "name_in_zone final: '$name_in_zone'" + _debug name_in_zone "$name_in_zone" baseurl="https://$Infoblox_Portal/api/ddi/v1/dns/record" body="{\"type\":\"TXT\",\"name_in_zone\":\"$name_in_zone\",\"zone\":\"$zone_id\",\"ttl\":120,\"inheritance_sources\":{\"ttl\":{\"action\":\"override\"}},\"rdata\":{\"text\":\"$txtvalue\"}}" - _debug "POST URL: $baseurl" - _debug "POST body: $body" result="$(_post "$body" "$baseurl" "" "POST")" - _debug "POST result: $result" + _debug2 result "$result" if echo "$result" | grep -q '"id"'; then record_id=$(echo "$result" | _egrep_o '"id":"[^"]*"' | head -1 | sed 's/"id":"\([^"]*\)"/\1/') @@ -137,7 +131,6 @@ dns_infoblox_uddi_rm() { export _H2="Content-Type: application/json" zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" - _debug "Fetching zones from: $zone_url" zone_result="$(_get "$zone_url")" _debug2 "zone_result: $zone_result" @@ -175,12 +168,11 @@ dns_infoblox_uddi_rm() { filter="fqdn eq '$zone_fqdn.' or fqdn eq '$zone_fqdn'" filter_encoded=$(_url_encode "$filter") zone_query="$zone_url?_filter=$filter_encoded" - _debug "Fetching zone_id with filter: $zone_query" zone_lookup="$(_get "$zone_query")" _debug2 "zone_lookup: $zone_lookup" zone_id=$(echo "$zone_lookup" | _egrep_o '"id":"dns/auth_zone/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') - _debug "zone_id: $zone_id" + _debug zone_id "$zone_id" if [ -z "$zone_id" ]; then _err "Could not find zone ID for $zone_fqdn" @@ -189,15 +181,14 @@ dns_infoblox_uddi_rm() { fi name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//" | sed 's/\.$//') - _debug "name_in_zone: $name_in_zone" + _debug name_in_zone "$name_in_zone" filter="type eq 'TXT' and name_in_zone eq '$name_in_zone' and zone eq '$zone_id' and rdata.text eq '$txtvalue'" filter_encoded=$(_url_encode "$filter") geturl="https://$Infoblox_Portal/api/ddi/v1/dns/record?_filter=$filter_encoded" - _debug "GET URL: $geturl" result="$(_get "$geturl")" - _debug "GET result: $result" + _debug2 result "$result" if echo "$result" | grep -q '"results":'; then record_id=$(echo "$result" | _egrep_o '"id":"dns/record/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') @@ -205,10 +196,9 @@ dns_infoblox_uddi_rm() { if [ -n "$record_id" ]; then record_uuid=$(echo "$record_id" | sed 's/.*\/\([a-f0-9-]*\)$/\1/') - _debug "Found record UUID: $record_uuid" + _debug record_uuid "$record_uuid" delurl="https://$Infoblox_Portal/api/ddi/v1/dns/record/$record_uuid" - _debug "DELETE URL: $delurl" rmResult="$(_post "" "$delurl" "" "DELETE")" if [ -z "$rmResult" ] || [ "$rmResult" = "{}" ]; then @@ -221,7 +211,6 @@ dns_infoblox_uddi_rm() { fi else _err "Record to delete didn't match an existing record (no matching txtvalue found)" - _debug "Looking for txtvalue: $txtvalue" return 1 fi else From 890ab4a7bbfc9e950ba0ae103796e066442c25ee Mon Sep 17 00:00:00 2001 From: Stefan Riegel Date: Sun, 30 Nov 2025 00:48:15 +0100 Subject: [PATCH 170/313] Refactor dns_infoblox_uddi.sh: Fix zone detection and add wildcard cert support - Added _get_root() helper function for proper zone detection - Fixed zone ID extraction to match dns/auth_zone/* pattern - Added _infoblox_rest() wrapper for API calls with proper auth - Improved error handling for authentication failures - Added support for wildcard certificates (multiple TXT records) - Filter by exact txtvalue when deleting records - Follow acme.sh best practices and conventions Tested with: - Standard domain certificates - Wildcard certificates (*.domain.com) - Multiple subdomains - Staging and production Let's Encrypt --- dnsapi/dns_infoblox_uddi.sh | 299 +++++++++++++++++++----------------- 1 file changed, 161 insertions(+), 138 deletions(-) diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh index ebf4484c..54cfe47b 100644 --- a/dnsapi/dns_infoblox_uddi.sh +++ b/dnsapi/dns_infoblox_uddi.sh @@ -10,6 +10,8 @@ Issues: github.com/acmesh-official/acme.sh/issues Author: Stefan Riegel ' +Infoblox_UDDI_Api="https://" + ######## Public functions ##################### #Usage: dns_infoblox_uddi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" @@ -38,76 +40,42 @@ dns_infoblox_uddi_add() { export _H1="Authorization: Token $Infoblox_UDDI_Key" export _H2="Content-Type: application/json" - zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" - zone_result="$(_get "$zone_url")" - _debug2 "zone_result: $zone_result" - - if [ "$?" != "0" ]; then - _err "Error fetching zones from Infoblox API" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" return 1 fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" - fulldomain_no_acme=$(echo "$fulldomain" | sed 's/^_acme-challenge\.//') - _debug "Looking for zone matching domain: $fulldomain_no_acme" + _debug "Getting existing txt records" + _infoblox_rest GET "dns/record?_filter=type%20eq%20'TXT'%20and%20name_in_zone%20eq%20'$_sub_domain'%20and%20zone%20eq%20'$_domain_id'" - zone_fqdn="" - temp_domain="$fulldomain_no_acme" + _info "Adding record" + body="{\"type\":\"TXT\",\"name_in_zone\":\"$_sub_domain\",\"zone\":\"$_domain_id\",\"ttl\":120,\"inheritance_sources\":{\"ttl\":{\"action\":\"override\"}},\"rdata\":{\"text\":\"$txtvalue\"}}" - while [ -n "$temp_domain" ]; do - _debug "Checking if '$temp_domain' is a zone..." - if echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\"" || echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\.\""; then - zone_fqdn="$temp_domain" - _debug "Found matching zone: $zone_fqdn" - break + if _infoblox_rest POST "dns/record" "$body"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" '"error"'; then + # Check if record already exists + if _contains "$response" "already exists" || _contains "$response" "duplicate"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + _err "Response: $response" + return 1 + fi + else + _info "Added, OK" + return 0 fi - temp_domain=$(echo "$temp_domain" | sed 's/^[^.]*\.//') - if ! echo "$temp_domain" | grep -q '\.'; then - break - fi - done - - if [ -z "$zone_fqdn" ]; then - _err "Could not determine zone for domain $fulldomain" - _err "Available zones: $(echo "$zone_result" | _egrep_o '"fqdn":"[^"]*"' | sed 's/"fqdn":"//;s/"//')" - return 1 - fi - - # Fetch exact zone_id for the matched fqdn using server-side filtering - filter="fqdn eq '$zone_fqdn.' or fqdn eq '$zone_fqdn'" - filter_encoded=$(_url_encode "$filter") - zone_query="$zone_url?_filter=$filter_encoded" - zone_lookup="$(_get "$zone_query")" - _debug2 "zone_lookup: $zone_lookup" - zone_id=$(echo "$zone_lookup" | _egrep_o '"id":"dns/auth_zone/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') - - _debug zone_id "$zone_id" - - if [ -z "$zone_id" ]; then - _err "Could not find zone ID for $zone_fqdn" - _debug "Zone result: $zone_result" - return 1 - fi - - name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//") - name_in_zone=$(echo "$name_in_zone" | sed 's/\.$//') - _debug name_in_zone "$name_in_zone" - - baseurl="https://$Infoblox_Portal/api/ddi/v1/dns/record" - - body="{\"type\":\"TXT\",\"name_in_zone\":\"$name_in_zone\",\"zone\":\"$zone_id\",\"ttl\":120,\"inheritance_sources\":{\"ttl\":{\"action\":\"override\"}},\"rdata\":{\"text\":\"$txtvalue\"}}" - - result="$(_post "$body" "$baseurl" "" "POST")" - _debug2 result "$result" - - if echo "$result" | grep -q '"id"'; then - record_id=$(echo "$result" | _egrep_o '"id":"[^"]*"' | head -1 | sed 's/"id":"\([^"]*\)"/\1/') - _info "Successfully created TXT record with ID: $record_id" - return 0 - else - _err "Error encountered during record addition" - _err "Response: $result" - return 1 fi + _err "Add txt record error." + return 1 } #Usage: dns_infoblox_uddi_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" @@ -130,92 +98,147 @@ dns_infoblox_uddi_rm() { export _H1="Authorization: Token $Infoblox_UDDI_Key" export _H2="Content-Type: application/json" - zone_url="https://$Infoblox_Portal/api/ddi/v1/dns/auth_zone" - zone_result="$(_get "$zone_url")" - _debug2 "zone_result: $zone_result" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" - if [ "$?" != "0" ]; then - _err "Error fetching zones from Infoblox API" + _debug "Getting txt records to delete" + # Filter by txtvalue to support wildcard certs (multiple TXT records) + filter="type%20eq%20'TXT'%20and%20name_in_zone%20eq%20'$_sub_domain'%20and%20zone%20eq%20'$_domain_id'%20and%20rdata.text%20eq%20'$txtvalue'" + _infoblox_rest GET "dns/record?_filter=$filter" + + if ! _contains "$response" '"results"'; then + _info "Don't need to remove, record not found." + return 0 + fi + + record_id=$(echo "$response" | _egrep_o '"id":[[:space:]]*"[^"]*"' | _head_n 1 | cut -d '"' -f 4) + _debug "record_id" "$record_id" + + if [ -z "$record_id" ]; then + _info "Don't need to remove, record not found." + return 0 + fi + + # Extract UUID from the full record ID (format: dns/record/uuid) + record_uuid=$(echo "$record_id" | sed 's|.*/||') + _debug "record_uuid" "$record_uuid" + + if ! _infoblox_rest DELETE "dns/record/$record_uuid"; then + _err "Delete record error." return 1 fi - fulldomain_no_acme=$(echo "$fulldomain" | sed 's/^_acme-challenge\.//') - _debug "Looking for zone matching domain: $fulldomain_no_acme" + _info "Removed record successfully" + return 0 +} - zone_fqdn="" - temp_domain="$fulldomain_no_acme" +#################### Private functions below ################################## - while [ -n "$temp_domain" ]; do - _debug "Checking if '$temp_domain' is a zone..." - if echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\"" || echo "$zone_result" | grep -q "\"fqdn\":\"$temp_domain\.\""; then - zone_fqdn="$temp_domain" - _debug "Found matching zone: $zone_fqdn" - break - fi - temp_domain=$(echo "$temp_domain" | sed 's/^[^.]*\.//') - if ! echo "$temp_domain" | grep -q '\.'; then - break - fi - done +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=dns/auth_zone/xxxx-xxxx +_get_root() { + domain=$1 + i=1 + p=1 - if [ -z "$zone_fqdn" ]; then - _err "Could not determine zone for domain $fulldomain" - _err "Available zones: $(echo "$zone_result" | _egrep_o '"fqdn":"[^"]*"' | sed 's/"fqdn":"//;s/"//')" - return 1 - fi + # Remove _acme-challenge prefix if present + domain_no_acme=$(echo "$domain" | sed 's/^_acme-challenge\.//') - # Fetch exact zone_id for the matched fqdn using server-side filtering - filter="fqdn eq '$zone_fqdn.' or fqdn eq '$zone_fqdn'" - filter_encoded=$(_url_encode "$filter") - zone_query="$zone_url?_filter=$filter_encoded" - zone_lookup="$(_get "$zone_query")" - _debug2 "zone_lookup: $zone_lookup" - zone_id=$(echo "$zone_lookup" | _egrep_o '"id":"dns/auth_zone/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') - - _debug zone_id "$zone_id" - - if [ -z "$zone_id" ]; then - _err "Could not find zone ID for $zone_fqdn" - _debug "Zone result: $zone_result" - return 1 - fi - - name_in_zone=$(echo "$fulldomain" | sed "s/\.$zone_fqdn\$//" | sed 's/\.$//') - _debug name_in_zone "$name_in_zone" - - filter="type eq 'TXT' and name_in_zone eq '$name_in_zone' and zone eq '$zone_id' and rdata.text eq '$txtvalue'" - filter_encoded=$(_url_encode "$filter") - geturl="https://$Infoblox_Portal/api/ddi/v1/dns/record?_filter=$filter_encoded" - - result="$(_get "$geturl")" - _debug2 result "$result" - - if echo "$result" | grep -q '"results":'; then - record_id=$(echo "$result" | _egrep_o '"id":"dns/record/[^\"]*"' | _head_n 1 | sed 's/.*"id":"\([^\"]*\)".*/\1/') - _debug "Found record_id: $record_id" - - if [ -n "$record_id" ]; then - record_uuid=$(echo "$record_id" | sed 's/.*\/\([a-f0-9-]*\)$/\1/') - _debug record_uuid "$record_uuid" - - delurl="https://$Infoblox_Portal/api/ddi/v1/dns/record/$record_uuid" - rmResult="$(_post "" "$delurl" "" "DELETE")" - - if [ -z "$rmResult" ] || [ "$rmResult" = "{}" ]; then - _info "Successfully deleted the txt record" - return 0 - else - _err "Error occurred during txt record delete" - _err "Response: $rmResult" - return 1 - fi - else - _err "Record to delete didn't match an existing record (no matching txtvalue found)" + while true; do + h=$(printf "%s" "$domain_no_acme" | cut -d . -f "$i"-100) + _debug h "$h" + if [ -z "$h" ]; then + # not valid return 1 fi + + # Query for the zone with both trailing dot and without + filter="fqdn%20eq%20'$h.'%20or%20fqdn%20eq%20'$h'" + if ! _infoblox_rest GET "dns/auth_zone?_filter=$filter"; then + # API error - don't continue if we get auth errors + if _contains "$response" "401" || _contains "$response" "Authorization"; then + _err "Authentication failed. Please check your Infoblox_UDDI_Key." + return 1 + fi + # For other errors, continue to parent domain + p=$i + i=$((i + 1)) + continue + fi + + # Check if response contains results (even if empty) + if _contains "$response" '"results"'; then + # Extract zone ID - must match the pattern dns/auth_zone/... + zone_id=$(echo "$response" | _egrep_o '"id":[[:space:]]*"dns/auth_zone/[^"]*"' | _head_n 1 | cut -d '"' -f 4) + if [ -n "$zone_id" ]; then + # Found the zone + _domain="$h" + _domain_id="$zone_id" + + # Calculate subdomain + if [ "$_domain" = "$domain" ]; then + _sub_domain="" + else + _cutlength=$((${#domain} - ${#_domain} - 1)) + _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength") + fi + + return 0 + fi + fi + + p=$i + i=$((i + 1)) + done + + return 1 +} + +# _infoblox_rest GET "dns/record?_filter=..." +# _infoblox_rest POST "dns/record" "{json body}" +# _infoblox_rest DELETE "dns/record/uuid" +_infoblox_rest() { + method=$1 + ep="$2" + data="$3" + + _debug "$ep" + + # Ensure credentials are available (when called from _get_root) + Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}" + Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}" + + Infoblox_UDDI_Api="https://$Infoblox_Portal/api/ddi/v1" + export _H1="Authorization: Token $Infoblox_UDDI_Key" + export _H2="Content-Type: application/json" + + # Debug (masked) + _tok_len=$(printf "%s" "$Infoblox_UDDI_Key" | wc -c | tr -d ' \n') + _debug2 "Auth header set" "Token len=${_tok_len} on $Infoblox_Portal" + + if [ "$method" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$Infoblox_UDDI_Api/$ep" "" "$method")" else - _err "Record to delete didn't match an existing record (no results found)" - _debug "Response: $result" + response="$(_get "$Infoblox_UDDI_Api/$ep")" + fi + + _ret="$?" + _debug2 response "$response" + + if [ "$_ret" != "0" ]; then + _err "Error: $ep" return 1 fi + + return 0 } From 36b8ca2bc07d0e46dd65fc8d8365d9ca1797d786 Mon Sep 17 00:00:00 2001 From: Stefan Riegel Date: Sun, 30 Nov 2025 00:49:36 +0100 Subject: [PATCH 171/313] Fix shfmt formatting: Remove trailing whitespace --- dnsapi/dns_infoblox_uddi.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_infoblox_uddi.sh b/dnsapi/dns_infoblox_uddi.sh index 54cfe47b..4b15088a 100644 --- a/dnsapi/dns_infoblox_uddi.sh +++ b/dnsapi/dns_infoblox_uddi.sh @@ -183,7 +183,7 @@ _get_root() { # Found the zone _domain="$h" _domain_id="$zone_id" - + # Calculate subdomain if [ "$_domain" = "$domain" ]; then _sub_domain="" @@ -191,7 +191,7 @@ _get_root() { _cutlength=$((${#domain} - ${#_domain} - 1)) _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength") fi - + return 0 fi fi From 9980ad0fef9634b105c59711dd5f470a4b35f080 Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 1 Dec 2025 13:33:19 +0100 Subject: [PATCH 172/313] add HostUp DNS --- dnsapi/dns_hostup.sh | 473 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 473 insertions(+) create mode 100644 dnsapi/dns_hostup.sh diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh new file mode 100644 index 00000000..4da0dd9d --- /dev/null +++ b/dnsapi/dns_hostup.sh @@ -0,0 +1,473 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034,SC2154 + +dns_hostup_info='HostUp DNS +Site: hostup.se +Docs: https://hostup.se/en/support/api-autentisering/ +Options: + HOSTUP_API_KEY Required. HostUp API key with read:dns + write:dns + read:domains scopes. + HOSTUP_API_BASE Optional. Override API base URL (default: https://cloud.hostup.se/api). + HOSTUP_TTL Optional. TTL for TXT records (default: 60 seconds). + HOSTUP_ZONE_ID Optional. Force a specific zone ID (skip auto-detection). +Author: HostUp (https://cloud.hostup.se/contact/en) +' + +HOSTUP_API_BASE_DEFAULT="https://cloud.hostup.se/api" +HOSTUP_DEFAULT_TTL=60 + +# Public: add TXT record +# Usage: dns_hostup_add _acme-challenge.example.com "txt-value" +dns_hostup_add() { + fulldomain="$1" + txtvalue="$2" + + _info "Using HostUp DNS API" + + if ! _hostup_init; then + return 1 + fi + + if ! _hostup_detect_zone "$fulldomain"; then + _err "Unable to determine HostUp zone for $fulldomain" + return 1 + fi + + record_name="$(_hostup_record_name "$fulldomain" "$HOSTUP_ZONE_DOMAIN")" + record_name="$(_hostup_sanitize_name "$record_name")" + record_value="$(_hostup_json_escape "$txtvalue")" + + ttl="${HOSTUP_TTL:-$HOSTUP_DEFAULT_TTL}" + + _debug "zone_id" "$HOSTUP_ZONE_ID" + _debug "zone_domain" "$HOSTUP_ZONE_DOMAIN" + _debug "record_name" "$record_name" + _debug "ttl" "$ttl" + + request_body="{\"name\":\"$record_name\",\"type\":\"TXT\",\"value\":\"$record_value\",\"ttl\":$ttl}" + + if ! _hostup_rest "POST" "/dns/zones/$HOSTUP_ZONE_ID/records" "$request_body"; then + return 1 + fi + + if ! _contains "$_hostup_response" '"success":true'; then + _err "HostUp DNS API: failed to create TXT record for $fulldomain" + _debug2 "_hostup_response" "$_hostup_response" + return 1 + fi + + record_id="$(_hostup_extract_record_id "$_hostup_response")" + if [ -n "$record_id" ]; then + _hostup_save_record_id "$HOSTUP_ZONE_ID" "$fulldomain" "$record_id" + _debug "hostup_saved_record_id" "$record_id" + fi + + _info "Added TXT record for $fulldomain" + return 0 +} + +# Public: remove TXT record +# Usage: dns_hostup_rm _acme-challenge.example.com "txt-value" +dns_hostup_rm() { + fulldomain="$1" + txtvalue="$2" + + _info "Using HostUp DNS API" + + if ! _hostup_init; then + return 1 + fi + + if ! _hostup_detect_zone "$fulldomain"; then + _err "Unable to determine HostUp zone for $fulldomain" + return 1 + fi + + record_name_fqdn="$(_hostup_fqdn "$fulldomain")" + record_value="$txtvalue" + + record_id_cached="$(_hostup_get_saved_record_id "$HOSTUP_ZONE_ID" "$fulldomain")" + if [ -n "$record_id_cached" ]; then + _debug "hostup_record_id_cached" "$record_id_cached" + if _hostup_delete_record_by_id "$HOSTUP_ZONE_ID" "$record_id_cached"; then + _info "Deleted TXT record $record_id_cached" + _hostup_clear_record_id "$HOSTUP_ZONE_ID" "$fulldomain" + HOSTUP_ZONE_ID="" + return 0 + fi + fi + + if ! _hostup_find_record "$HOSTUP_ZONE_ID" "$record_name_fqdn" "$record_value"; then + _info "TXT record not found for $record_name_fqdn. Skipping removal." + _hostup_clear_record_id "$HOSTUP_ZONE_ID" "$fulldomain" + return 0 + fi + + _debug "Deleting record" "$HOSTUP_RECORD_ID" + + if ! _hostup_delete_record_by_id "$HOSTUP_ZONE_ID" "$HOSTUP_RECORD_ID"; then + return 1 + fi + + _info "Deleted TXT record $HOSTUP_RECORD_ID" + _hostup_clear_record_id "$HOSTUP_ZONE_ID" "$fulldomain" + HOSTUP_ZONE_ID="" + return 0 +} + +########################## +# Private helper methods # +########################## + +_hostup_init() { + HOSTUP_API_KEY="${HOSTUP_API_KEY:-$(_readaccountconf_mutable HOSTUP_API_KEY)}" + HOSTUP_API_BASE="${HOSTUP_API_BASE:-$(_readaccountconf_mutable HOSTUP_API_BASE)}" + HOSTUP_TTL="${HOSTUP_TTL:-$(_readaccountconf_mutable HOSTUP_TTL)}" + HOSTUP_ZONE_ID="${HOSTUP_ZONE_ID:-$(_readaccountconf_mutable HOSTUP_ZONE_ID)}" + + if [ -z "$HOSTUP_API_BASE" ]; then + HOSTUP_API_BASE="$HOSTUP_API_BASE_DEFAULT" + fi + + if [ -z "$HOSTUP_API_KEY" ]; then + HOSTUP_API_KEY="" + _err "HOSTUP_API_KEY is not set." + _err "Please export your HostUp API key with read:dns and write:dns scopes." + return 1 + fi + + _saveaccountconf_mutable HOSTUP_API_KEY "$HOSTUP_API_KEY" + _saveaccountconf_mutable HOSTUP_API_BASE "$HOSTUP_API_BASE" + + if [ -n "$HOSTUP_TTL" ]; then + _saveaccountconf_mutable HOSTUP_TTL "$HOSTUP_TTL" + fi + + if [ -n "$HOSTUP_ZONE_ID" ]; then + _saveaccountconf_mutable HOSTUP_ZONE_ID "$HOSTUP_ZONE_ID" + fi + + return 0 +} + +_hostup_detect_zone() { + fulldomain="$1" + + if [ -n "$HOSTUP_ZONE_ID" ] && [ -n "$HOSTUP_ZONE_DOMAIN" ]; then + return 0 + fi + + HOSTUP_ZONE_DOMAIN="" + _debug "hostup_full_domain" "$fulldomain" + + if [ -n "$HOSTUP_ZONE_ID" ] && [ -z "$HOSTUP_ZONE_DOMAIN" ]; then + # Attempt to fetch domain name for provided zone ID + if _hostup_fetch_zone_details "$HOSTUP_ZONE_ID"; then + return 0 + fi + HOSTUP_ZONE_ID="" + fi + + if ! _hostup_load_zones; then + return 1 + fi + + _domain_candidate="$(printf "%s" "$fulldomain" | tr 'A-Z' 'a-z')" + _debug "hostup_initial_candidate" "$_domain_candidate" + + while [ -n "$_domain_candidate" ]; do + _debug "hostup_zone_candidate" "$_domain_candidate" + if _hostup_lookup_zone "$_domain_candidate"; then + HOSTUP_ZONE_DOMAIN="$_lookup_zone_domain" + HOSTUP_ZONE_ID="$_lookup_zone_id" + return 0 + fi + + if ! printf "%s" "$_domain_candidate" | _contains "."; then + break + fi + + _domain_candidate="${_domain_candidate#*.}" + done + + HOSTUP_ZONE_ID="" + return 1 +} + +_hostup_record_name() { + fulldomain="$1" + zonedomain="$2" + + # Remove trailing dot, if any + fulldomain="${fulldomain%.}" + zonedomain="${zonedomain%.}" + + if [ "$fulldomain" = "$zonedomain" ]; then + printf "%s" "@" + return 0 + fi + + suffix=".$zonedomain" + case "$fulldomain" in + *"$suffix") + printf "%s" "${fulldomain%$suffix}" + ;; + *) + # Domain not within zone, fall back to full host + printf "%s" "$fulldomain" + ;; + esac +} + +_hostup_sanitize_name() { + name="$1" + + if [ -z "$name" ] || [ "$name" = "." ]; then + printf "%s" "@" + return 0 + fi + + # Remove any trailing dot + name="${name%.}" + printf "%s" "$name" +} + +_hostup_fqdn() { + domain="$1" + printf "%s" "${domain%.}" +} + +_hostup_fetch_zone_details() { + zone_id="$1" + + if ! _hostup_rest "GET" "/dns/zones/$zone_id/records" ""; then + return 1 + fi + + zonedomain="$(printf "%s" "$_hostup_response" | _egrep_o '"domain":"[^"]*"' | sed -n '1p' | cut -d ':' -f 2 | tr -d '"')" + if [ -n "$zonedomain" ]; then + HOSTUP_ZONE_DOMAIN="$zonedomain" + return 0 + fi + + return 1 +} + +_hostup_load_zones() { + if ! _hostup_rest "GET" "/dns/zones" ""; then + return 1 + fi + + HOSTUP_ZONES_CACHE="" + data="$(printf "%s" "$_hostup_response" | tr '{' '\n')" + + while IFS= read -r line; do + case "$line" in + *'"domain_id"'*'"domain"'*) + zone_id="$(printf "%s" "$line" | _hostup_json_extract "domain_id")" + zone_domain="$(printf "%s" "$line" | _hostup_json_extract "domain")" + if [ -n "$zone_id" ] && [ -n "$zone_domain" ]; then + HOSTUP_ZONES_CACHE="${HOSTUP_ZONES_CACHE}${zone_domain}|${zone_id} +" + _debug "hostup_zone_loaded" "$zone_domain|$zone_id" + fi + ;; + esac + done < Date: Mon, 1 Dec 2025 13:49:12 +0100 Subject: [PATCH 173/313] chore: trigger DNS API test From b8e394e76ad6198fb856f479aa5a63549231a21d Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 1 Dec 2025 15:48:48 +0100 Subject: [PATCH 174/313] Update dns_hostup.sh bug fix Omnios fial --- dnsapi/dns_hostup.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh index 4da0dd9d..8d0600f7 100644 --- a/dnsapi/dns_hostup.sh +++ b/dnsapi/dns_hostup.sh @@ -182,9 +182,10 @@ _hostup_detect_zone() { return 0 fi - if ! printf "%s" "$_domain_candidate" | _contains "."; then - break - fi + case "$_domain_candidate" in + *.*) ;; + *) break ;; + esac _domain_candidate="${_domain_candidate#*.}" done From d97b4477b2dcf2753ea0afbd24eea8487625aed2 Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 1 Dec 2025 15:55:17 +0100 Subject: [PATCH 175/313] Update dns_hostup.sh --- dnsapi/dns_hostup.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh index 8d0600f7..3547f006 100644 --- a/dnsapi/dns_hostup.sh +++ b/dnsapi/dns_hostup.sh @@ -171,7 +171,7 @@ _hostup_detect_zone() { return 1 fi - _domain_candidate="$(printf "%s" "$fulldomain" | tr 'A-Z' 'a-z')" + _domain_candidate="$(printf "%s" "$fulldomain" | tr '[:upper:]' '[:lower:]')" _debug "hostup_initial_candidate" "$_domain_candidate" while [ -n "$_domain_candidate" ]; do @@ -181,10 +181,10 @@ _hostup_detect_zone() { HOSTUP_ZONE_ID="$_lookup_zone_id" return 0 fi - + case "$_domain_candidate" in - *.*) ;; - *) break ;; + *.*) ;; + *) break ;; esac _domain_candidate="${_domain_candidate#*.}" @@ -210,7 +210,7 @@ _hostup_record_name() { suffix=".$zonedomain" case "$fulldomain" in *"$suffix") - printf "%s" "${fulldomain%$suffix}" + printf "%s" "${fulldomain%"$suffix"}" ;; *) # Domain not within zone, fall back to full host @@ -371,7 +371,7 @@ _hostup_record_key() { zone_id="$1" domain="$2" safe_zone="$(printf "%s" "$zone_id" | sed 's/[^A-Za-z0-9]/_/g')" - safe_domain="$(printf "%s" "$domain" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]/_/g')" + safe_domain="$(printf "%s" "$domain" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/_/g')" printf "%s_%s" "$safe_zone" "$safe_domain" } @@ -449,7 +449,7 @@ _hostup_rest() { _debug2 "_hostup_response" "$_hostup_response" case "$http_status" in - 200|201|204) return 0 ;; + 200 | 201 | 204) return 0 ;; 401) _err "HostUp API returned 401 Unauthorized. Check HOSTUP_API_KEY scopes and IP restrictions." return 1 From 64a6ea68fa704ce4df35b03cff7c29fe531c38b3 Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 1 Dec 2025 15:58:36 +0100 Subject: [PATCH 176/313] Update dns_hostup.sh --- dnsapi/dns_hostup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh index 3547f006..ca49096f 100644 --- a/dnsapi/dns_hostup.sh +++ b/dnsapi/dns_hostup.sh @@ -181,7 +181,7 @@ _hostup_detect_zone() { HOSTUP_ZONE_ID="$_lookup_zone_id" return 0 fi - + case "$_domain_candidate" in *.*) ;; *) break ;; From 51b4fa00800ae2aad88a81fe76783d374044318c Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 1 Dec 2025 17:19:16 +0100 Subject: [PATCH 177/313] Update dns_hostup.sh --- dnsapi/dns_hostup.sh | 49 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh index ca49096f..347f34d1 100644 --- a/dnsapi/dns_hostup.sh +++ b/dnsapi/dns_hostup.sh @@ -319,10 +319,14 @@ _hostup_find_record() { records="$(printf "%s" "$_hostup_response" | tr '{' '\n')" while IFS= read -r line; do - case "$line" in + # Normalize line to make TXT value matching reliable + line_clean="$(printf "%s" "$line" | tr -d '\r\n')" + line_value_clean="$(printf "%s" "$line_clean" | sed 's/\\"//g')" + + case "$line_clean" in *'"type":"TXT"'*'"name"'*'"value"'*) - name_value="$(printf "%s" "$line" | _hostup_json_extract "name")" - record_value="$(printf "%s" "$line" | _hostup_json_extract "value")" + name_value="$(_hostup_json_extract "name" "$line_clean")" + record_value="$(_hostup_json_extract "value" "$line_value_clean")" _debug "hostup_record_raw" "$record_value" if [ "${record_value#\"}" != "$record_value" ] && [ "${record_value%\"}" != "$record_value" ]; then @@ -337,7 +341,7 @@ _hostup_find_record() { _debug "hostup_record_value" "$record_value" if [ "$name_value" = "$fqdn" ] && [ "$record_value" = "$txtvalue" ]; then - record_id="$(printf "%s" "$line" | _hostup_json_extract "id")" + record_id="$(_hostup_json_extract "id" "$line_clean")" if [ -n "$record_id" ]; then HOSTUP_RECORD_ID="$record_id" return 0 @@ -354,13 +358,30 @@ EOF _hostup_json_extract() { key="$1" - printf "%s" "$line" | - _egrep_o "\"$key\":\"[^\"]*\"" | - head -n1 | - cut -d : -f2- | - sed 's/^"//' | - sed 's/"$//' | - sed 's/\\"/"/g' + input="${2:-$line}" + + # First try to extract quoted values (strings) + quoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":\"[^\"]*\"" | head -n1)" + if [ -n "$quoted_match" ]; then + printf "%s" "$quoted_match" | + cut -d : -f2- | + sed 's/^"//' | + sed 's/"$//' | + sed 's/\\"/"/g' + return 0 + fi + + # Fallback for unquoted values (e.g., numeric IDs) + unquoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":[^,}]*" | head -n1)" + if [ -n "$unquoted_match" ]; then + printf "%s" "$unquoted_match" | + cut -d : -f2- | + tr -d '", ' | + tr -d '\r\n' + return 0 + fi + + return 1 } _hostup_json_escape() { @@ -398,6 +419,12 @@ _hostup_clear_record_id() { } _hostup_extract_record_id() { + record_id="$(_hostup_json_extract "id" "$1")" + if [ -n "$record_id" ]; then + printf "%s" "$record_id" + return 0 + fi + printf "%s" "$1" | _egrep_o '"id":[0-9]+' | head -n1 | cut -d: -f2 } From d3930639db5a0a0cd6fbf75d02d8c538568a1816 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 5 Dec 2025 08:58:41 -0500 Subject: [PATCH 178/313] Updated secrets and put back guards --- dnsapi/dns_qc.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index c30d4595..3ea8403c 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -110,6 +110,10 @@ dns_qc_rm() { else record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') _debug "txt record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get txt record id to remove." + return 1 + fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then _info "Delete txt record error." return 1 From 67a389cbbf781492bbb9d554d8f0da45c77e5da3 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 5 Dec 2025 10:35:52 -0500 Subject: [PATCH 179/313] Minor change and setup secrets again --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 3ea8403c..6d1a9eb4 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -111,7 +111,7 @@ dns_qc_rm() { record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') _debug "txt record_id" "$record_id" if [ -z "$record_id" ]; then - _err "Can not get txt record id to remove." + _err "Can not get txt record id to remove. Run in debug mode." return 1 fi if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then From 6b6d22c5ba0d7645444d26629793d22f51e19841 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 5 Dec 2025 13:52:59 -0500 Subject: [PATCH 180/313] shfmt updates --- dnsapi/dns_qc.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 6d1a9eb4..6d4f7299 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -34,7 +34,7 @@ dns_qc_add() { _err "Please check and retry." return 1 fi - #save the api key and email to the account conf file. + #save the api key and email to the account conf file. _savedomainconf QC_API_EMAIL "$QC_API_EMAIL" _debug "First detect the root zone" @@ -103,12 +103,12 @@ dns_qc_rm() { return 1 fi - response=$(echo "$response"|jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + response=$(echo "$response" | jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") _debug "get txt response" "$response" if [ "${response}" = "" ]; then _info "Don't need to remove txt records." else - record_id=$(echo "$response" | grep \"id\"| awk -F ' ' '{print $2}'| sed 's/,$//') + record_id=$(echo "$response" | grep \"id\" | awk -F ' ' '{print $2}' | sed 's/,$//') _debug "txt record_id" "$record_id" if [ -z "$record_id" ]; then _err "Can not get txt record id to remove. Run in debug mode." From bee01c938a234021d4aa8d6bcb2cb6d421262573 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 5 Dec 2025 21:46:05 +0100 Subject: [PATCH 181/313] add comment --- .github/workflows/wiki-monitor.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/wiki-monitor.yml b/.github/workflows/wiki-monitor.yml index b0332775..a79d70a4 100644 --- a/.github/workflows/wiki-monitor.yml +++ b/.github/workflows/wiki-monitor.yml @@ -22,6 +22,7 @@ jobs: page_sha=$(jq -r '.pages[0].sha' "$GITHUB_EVENT_PATH") page_url=$(jq -r '.pages[0].html_url' "$GITHUB_EVENT_PATH") page_action=$(jq -r '.pages[0].action' "$GITHUB_EVENT_PATH") + page_summary=$(jq -r '.pages[0].summary' "$GITHUB_EVENT_PATH") now="$(date '+%Y-%m-%d %H:%M:%S')" cd wiki @@ -35,9 +36,11 @@ jobs: { echo "Wiki edited" echo -n "User: " - echo "[$actor]($sender_url)" + echo "@$actor [$actor]($sender_url)" echo "Time: $now" echo "Page: [$page_name]($page_url) (Action: $page_action)" + echo "Comment: $page_summary" + echo "[Click here to Revert](${page_url}/_history)" echo "" echo "----" echo "### diff:" From a1857af6de5dcee0ec109a36b45dbb4b0326e067 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 5 Dec 2025 15:53:17 -0500 Subject: [PATCH 182/313] Update error message and secrets --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 6d4f7299..cea411e8 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -24,7 +24,7 @@ dns_qc_add() { if [ "$QC_API_KEY" ]; then _savedomainconf QC_API_KEY "$QC_API_KEY" else - _err "You didn't specify a QUIC.cloud are api key and email yet." + _err "You didn't specify a QUIC.cloud api key as QC_API_KEY." _err "You can get yours from here https://my.quic.cloud/up/api." return 1 fi From ed1bd01592afba97749f2b51573b8c35f2372c31 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Fri, 5 Dec 2025 16:29:49 -0500 Subject: [PATCH 183/313] Save account information differently --- dnsapi/dns_qc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index cea411e8..7ae2f1cd 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -22,7 +22,7 @@ dns_qc_add() { QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" if [ "$QC_API_KEY" ]; then - _savedomainconf QC_API_KEY "$QC_API_KEY" + _saveaccountconf_mutable QC_API_KEY "$QC_API_KEY" else _err "You didn't specify a QUIC.cloud api key as QC_API_KEY." _err "You can get yours from here https://my.quic.cloud/up/api." @@ -35,7 +35,7 @@ dns_qc_add() { return 1 fi #save the api key and email to the account conf file. - _savedomainconf QC_API_EMAIL "$QC_API_EMAIL" + _saveaccountconf_mutable QC_API_EMAIL "$QC_API_EMAIL" _debug "First detect the root zone" if ! _get_root "$fulldomain"; then From 45cb36f6d909dc5ed5b5534088aed088b9c3e55f Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 5 Dec 2025 22:31:45 +0100 Subject: [PATCH 184/313] fix https://github.com/acmesh-official/acme.sh/issues/6246#issuecomment-3610998032 --- dnsapi/dns_ali.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index 53a82f91..cbee773e 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -97,9 +97,10 @@ _ali_rest() { } _ali_nonce() { - #_head_n 1 /dev/null && return 0 + fi + printf "%s" "$(date +%s)$$$(date +%N)" | _digest sha256 hex | cut -c 1-32 } _timestamp() { From 3b2c2b16b2472c986f16a00eb24f27456f57a318 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 6 Dec 2025 11:23:28 +0100 Subject: [PATCH 185/313] minor --- dnsapi/dns_ali.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index cbee773e..90196c69 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -103,7 +103,7 @@ _ali_nonce() { printf "%s" "$(date +%s)$$$(date +%N)" | _digest sha256 hex | cut -c 1-32 } -_timestamp() { +_ali_timestamp() { date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ" } @@ -151,7 +151,7 @@ _check_exist_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&TypeKeyWord=TXT' query=$query'&Version=2015-01-09' } @@ -167,7 +167,7 @@ _add_record_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Type=TXT' query=$query'&Value='$3 query=$query'&Version=2015-01-09' @@ -183,7 +183,7 @@ _delete_record_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2015-01-09' } @@ -197,7 +197,7 @@ _describe_records_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2015-01-09' } From 875cf056b7e293c67b4ae9549455a20fa798da62 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 8 Dec 2025 08:40:44 -0500 Subject: [PATCH 186/313] Submit dns_qc.sh for review --- dns_qc.sh | 201 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100755 dns_qc.sh diff --git a/dns_qc.sh b/dns_qc.sh new file mode 100755 index 00000000..78a243ae --- /dev/null +++ b/dns_qc.sh @@ -0,0 +1,201 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_qc_info='QUIC.cloud +Site: quic.cloud +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_qc +Options: + QC_API_KEY QC API Key + QC_API_EMAIL Your account email +' + +QC_Api="https://api.quic.cloud/v2" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_qc_add() { + fulldomain=$1 + txtvalue=$2 + + _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" + QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" + + if [ "$QC_API_KEY" ]; then + _savedomainconf QC_API_KEY "$QC_API_KEY" + else + _err "You didn't specify a QUIC.cloud are api key and email yet." + _err "You can get yours from here https://my.quic.cloud/up/api." + return 1 + fi + + if ! _contains "$QC_API_EMAIL" "@"; then + _err "It seems that the QC_API_EMAIL=$QC_API_EMAIL is not a valid email address." + _err "Please check and retry." + return 1 + fi + #save the api key and email to the account conf file. + _savedomainconf QC_API_EMAIL "$QC_API_EMAIL" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _qc_rest GET "zones/${_domain_id}/records" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error failed response from QC GET: $response" + return 1 + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding txt record" + if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then + if _contains "$response" "$txtvalue"; then + _info "Added txt record, OK" + return 0 + elif _contains "$response" "Same record already exists"; then + _info "txt record already exists, OK" + return 0 + else + _err "Add txt record error: $response" + return 1 + fi + fi + _err "Add txt record error: POST failed: $response" + return 1 + +} + +#fulldomain txtvalue +dns_qc_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug "Enter dns_qc_rm fulldomain: $fulldomain, txtvalue: $txtvalue" + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" + QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _qc_rest GET "zones/${_domain_id}/records" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error rm GET response: $response" + return 1 + fi + + response=$(echo "$response" | jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + _debug "get txt response" "$response" + if [ "${response}" = "" ]; then + _info "Don't need to remove txt records." + else + record_id=$(echo "$response" | grep \"id\" | awk -F ' ' '{print $2}' | sed 's/,$//') + _debug "txt record_id" "$record_id" + + if [[ -z "$record_id" ]]; then + _err "Can not get txt record id to remove. Run in debug mode." + return 1 + fi + + if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then + _info "Delete txt record error." + return 1 + fi + + _info "TXT Record ID: $record_id successfully deleted" + fi + +} + +#################### Private functions below ################################# +#_acme-challenge.www.domain.com +#returns +#_sub_domain=_acme-challenge.www +#_domain=domain.com +#_domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + p=1 + h=$(printf "%s" "$domain" | cut -d . -f2-) + _debug h "$h" + + if [[ -z "$h" ]]; then + _err "$h ($domain) is an invalid domain" + return 1 + fi + + if ! _qc_rest GET "zones"; then + _err "qc_rest failed" + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" || _contains "$response" "\"name\":\"$h.\""; then + _domain_id=$h + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain=$h + return 0 + fi + + _err "Empty domain_id $h" + return 1 + fi + _err "Missing domain_id $h" + return 1 + +} + +_qc_rest() { + + m="$1" + ep="$2" + data="$3" + + _debug "$ep" + + email_trimmed=$(echo "$QC_API_EMAIL" | tr -d '"') + + token_trimmed=$(echo "$QC_API_KEY" | tr -d '"') + + export _H1="Content-Type: application/json" + + export _H2="X-Auth-Email: $email_trimmed" + + export _H3="X-Auth-Key: $token_trimmed" + + if [[ "$m" != "GET" ]]; then + _debug data "$data" + response="$(_post "$data" "$QC_Api/$ep" "" "$m")" + + else + response="$(_get "$QC_Api/$ep")" + + fi + + if [[ "$?" != "0" ]]; then + _err "error $ep" + return 1 + fi + + _debug2 response "$response" + +} From 5fcca7c7e0e8144e555987328caccf60eaa533d3 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 8 Dec 2025 08:48:30 -0500 Subject: [PATCH 187/313] Retry correct commit --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 7ae2f1cd..0765c697 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -17,7 +17,7 @@ dns_qc_add() { fulldomain=$1 txtvalue=$2 - _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" + _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue." QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" From 4965c704d7ea39675bc4131b04264611dd6f1aaa Mon Sep 17 00:00:00 2001 From: ufozone Date: Sun, 7 Dec 2025 15:07:50 +0100 Subject: [PATCH 188/313] Initial commit for mgw-media.de --- dnsapi/dns_mgwm.sh | 112 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 dnsapi/dns_mgwm.sh diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh new file mode 100644 index 00000000..7715b645 --- /dev/null +++ b/dnsapi/dns_mgwm.sh @@ -0,0 +1,112 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 + +# DNS provider information for acme.sh +dns_mgwm_info='mgw-media.de +Site: mgw-media.de +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_mgwm +Options: + MGWM_CUSTOMER Your customer number + MGWM_API_HASH Your API Hash +Issues: github.com/acmesh-official/acme.sh +' + +# Base URL for the mgw-media.de API +MGWM_API_BASE="https://api.mgw-media.de/record" + +######## Public functions ##################### +# This function is called by acme.sh to add a TXT record. +dns_mgwm_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Using mgw-media.de DNS API for domain $fulldomain" + _debug "fulldomain: $fulldomain" + _debug "txtvalue: $txtvalue" + + # Call private function to load and save environment variables and set up the Basic Auth Header. + if ! _mgwm_init_env; then + return 1 + fi + + # Construct the API URL for adding a record. + _add_url="${MGWM_API_BASE}/add/${fulldomain}/txt/${txtvalue}" + _debug "Calling MGWM ADD URL: ${_add_url}" + + # Execute the HTTP GET request with the Authorization Header. + # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. + response="$(_get "" "$_add_url" "" "GET" "$_H1")" + _debug "MGWM add response: $response" + + # Check the API response for success. The API returns "OK" on success. + if [ "$response" = "OK" ]; then + _info "TXT record for $fulldomain successfully added via MGWM API." + _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks. + return 0 + else + _err "mgwm_add: Failed to add TXT record for $fulldomain. Unexpected API Response: '$response'" + return 1 + fi +} + +# This function is called by acme.sh to remove a TXT record after validation. +dns_mgwm_rm() { + fulldomain=$1 + txtvalue=$2 # This txtvalue is now used to identify the specific record to be removed. + + _info "Removing TXT record for $fulldomain using mgw-media.de DNS API" + _debug "fulldomain: $fulldomain" + _debug "txtvalue: $txtvalue" + + # Call private function to load and save environment variables and set up the Basic Auth Header. + if ! _mgwm_init_env; then + return 1 + fi + + # Construct the API URL for removing a record. + # To delete a specific record by its value (as required by ACME v2 for multiple TXT records), + # the txtvalue must be part of the URL, similar to the add action. + _rm_url="${MGWM_API_BASE}/rm/${fulldomain}/txt/${txtvalue}" + _debug "Calling MGWM RM URL: ${_rm_url}" + + # Execute the HTTP GET request with the Authorization Header. + response="$(_get "" "$_rm_url" "" "GET" "$_H1")" + _debug "MGWM rm response: $response" + + # Check the API response for success. The API returns "OK" on success. + if [ "$response" = "OK" ]; then + _info "TXT record for $fulldomain successfully removed via MGWM API." + return 0 + else + _err "mgwm_rm: Failed to remove TXT record for $fulldomain. Unexpected API Response: '$response'" + return 1 + fi +} + +#################### Private functions below ################################## + +# _mgwm_init_env() loads the mgw-media.de API credentials (customer number and hash) +# from environment variables or acme.sh's configuration, saves them, and +# prepares the global _H1 variable for Basic Authorization header. +_mgwm_init_env() { + # Load credentials from environment or acme.sh config + MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" + MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" + + # Check if credentials are set + if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then + _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." + _err "Please check these environment variables and try again." + return 1 + fi + + # Save credentials for automatic renewal and future calls + _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" + _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" + + # Create the Basic Auth Header. acme.sh's _base64 function is used for encoding. + _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" + export _H1="Authorization: Basic $_credentials" + _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials + return 0 +} From daf7f7c268cc33170e40321ee5b02d96fc2b9960 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 17:29:24 +0100 Subject: [PATCH 189/313] Refactor dns_mgwm.sh for better API integration Refactor DNS API script to improve credential handling and update API endpoint. --- dnsapi/dns_mgwm.sh | 99 +++++++++++++++++++++++++--------------------- 1 file changed, 54 insertions(+), 45 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index 7715b645..b3e21726 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -2,17 +2,18 @@ # shellcheck disable=SC2034 # DNS provider information for acme.sh -dns_mgwm_info='mgw-media.de +dns_mgwm_info='MGW-MEDIA.DE Site: mgw-media.de Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_mgwm Options: - MGWM_CUSTOMER Your customer number - MGWM_API_HASH Your API Hash + MGWM_CUSTOMER Your customer number (username for Basic Auth). + MGWM_API_HASH Your API Hash (password for Basic Auth). Issues: github.com/acmesh-official/acme.sh +Author: (Your Name or generated by AI) ' -# Base URL for the mgw-media.de API -MGWM_API_BASE="https://api.mgw-media.de/record" +# Base endpoint for the MGW-MEDIA.DE API (parameters will be added as query strings) +MGWM_API_ENDPOINT="https://api.mgw-media.de/record" ######## Public functions ##################### # This function is called by acme.sh to add a TXT record. @@ -24,16 +25,32 @@ dns_mgwm_add() { _debug "fulldomain: $fulldomain" _debug "txtvalue: $txtvalue" - # Call private function to load and save environment variables and set up the Basic Auth Header. - if ! _mgwm_init_env; then + # Load credentials from environment or acme.sh config + MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" + MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" + + # Check if credentials are set + if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then + _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." + _err "Please check these environment variables and try again." return 1 fi - # Construct the API URL for adding a record. - _add_url="${MGWM_API_BASE}/add/${fulldomain}/txt/${txtvalue}" + # Save credentials for automatic renewal and future calls + _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" + _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" + + # Create the Basic Auth Header directly in this function's scope + _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" + # Export _H1 so _get function can pick it up + export _H1="Authorization: Basic $_credentials" + _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials + + # Construct the API URL for adding a record with query parameters + _add_url="${MGWM_API_ENDPOINT}?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" _debug "Calling MGWM ADD URL: ${_add_url}" - # Execute the HTTP GET request with the Authorization Header. + # Execute the HTTP GET request with the Authorization Header (_H1) # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. response="$(_get "" "$_add_url" "" "GET" "$_H1")" _debug "MGWM add response: $response" @@ -52,24 +69,39 @@ dns_mgwm_add() { # This function is called by acme.sh to remove a TXT record after validation. dns_mgwm_rm() { fulldomain=$1 - txtvalue=$2 # This txtvalue is now used to identify the specific record to be removed. + txtvalue=$2 # This value is not used by the RM API in this case. _info "Removing TXT record for $fulldomain using mgw-media.de DNS API" _debug "fulldomain: $fulldomain" - _debug "txtvalue: $txtvalue" + _debug "txtvalue: $txtvalue" # Still logging for completeness, but not used in URL - # Call private function to load and save environment variables and set up the Basic Auth Header. - if ! _mgwm_init_env; then + # Load credentials from environment or acme.sh config + MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" + MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" + + # Check if credentials are set + if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then + _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." + _err "Please check these environment variables and try again." return 1 fi - # Construct the API URL for removing a record. - # To delete a specific record by its value (as required by ACME v2 for multiple TXT records), - # the txtvalue must be part of the URL, similar to the add action. - _rm_url="${MGWM_API_BASE}/rm/${fulldomain}/txt/${txtvalue}" + # Save credentials (important for future renewals if not saved by add function) + _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" + _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" + + # Create the Basic Auth Header directly in this function's scope + _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" + # Export _H1 so _get function can pick it up + export _H1="Authorization: Basic $_credentials" + _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials + + # Construct the API URL for removing a record with query parameters + # The RM API from mgw-media.de does not expect a 'content' parameter. + _rm_url="${MGWM_API_ENDPOINT}?action=rm&fulldomain=${fulldomain}&type=txt" _debug "Calling MGWM RM URL: ${_rm_url}" - # Execute the HTTP GET request with the Authorization Header. + # Execute the HTTP GET request with the Authorization Header (_H1) response="$(_get "" "$_rm_url" "" "GET" "$_H1")" _debug "MGWM rm response: $response" @@ -84,29 +116,6 @@ dns_mgwm_rm() { } #################### Private functions below ################################## - -# _mgwm_init_env() loads the mgw-media.de API credentials (customer number and hash) -# from environment variables or acme.sh's configuration, saves them, and -# prepares the global _H1 variable for Basic Authorization header. -_mgwm_init_env() { - # Load credentials from environment or acme.sh config - MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" - MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" - - # Check if credentials are set - if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then - _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." - _err "Please check these environment variables and try again." - return 1 - fi - - # Save credentials for automatic renewal and future calls - _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" - _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" - - # Create the Basic Auth Header. acme.sh's _base64 function is used for encoding. - _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" - export _H1="Authorization: Basic $_credentials" - _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials - return 0 -} +# The _mgwm_init_env function has been inlined into dns_mgwm_add and dns_mgwm_rm +# to ensure credentials and the Authorization header are set correctly within +# each function's sub-shell context. From 11eaad1fa742d4d55e7a3bc17675b581e2281b59 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 17:32:30 +0100 Subject: [PATCH 190/313] Update API URLs to include .php extension --- dnsapi/dns_mgwm.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index b3e21726..42c6d93a 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -47,7 +47,7 @@ dns_mgwm_add() { _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials # Construct the API URL for adding a record with query parameters - _add_url="${MGWM_API_ENDPOINT}?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" + _add_url="${MGWM_API_ENDPOINT}.php?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" _debug "Calling MGWM ADD URL: ${_add_url}" # Execute the HTTP GET request with the Authorization Header (_H1) @@ -98,7 +98,7 @@ dns_mgwm_rm() { # Construct the API URL for removing a record with query parameters # The RM API from mgw-media.de does not expect a 'content' parameter. - _rm_url="${MGWM_API_ENDPOINT}?action=rm&fulldomain=${fulldomain}&type=txt" + _rm_url="${MGWM_API_ENDPOINT}.php?action=rm&fulldomain=${fulldomain}&type=txt" _debug "Calling MGWM RM URL: ${_rm_url}" # Execute the HTTP GET request with the Authorization Header (_H1) From e94c6be4a1c877a06afcc0c1b4530b864b777bd5 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 17:41:27 +0100 Subject: [PATCH 191/313] Update MGWM API endpoint to IPv4 --- dnsapi/dns_mgwm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index 42c6d93a..a3aabb53 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -13,7 +13,7 @@ Author: (Your Name or generated by AI) ' # Base endpoint for the MGW-MEDIA.DE API (parameters will be added as query strings) -MGWM_API_ENDPOINT="https://api.mgw-media.de/record" +MGWM_API_ENDPOINT="https://ipv4.api.mgw-media.de/record" ######## Public functions ##################### # This function is called by acme.sh to add a TXT record. From 2ba615555cf214edc447e4435bb20ee30b4340a9 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 17:59:04 +0100 Subject: [PATCH 192/313] Refactor dns_mgwm.sh for improved API interaction Refactor MGWM API script to improve clarity and functionality. Update API endpoint and streamline credential handling. --- dnsapi/dns_mgwm.sh | 110 +++++++++++++++++++++++---------------------- 1 file changed, 56 insertions(+), 54 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index a3aabb53..c02b7a6d 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -9,11 +9,12 @@ Options: MGWM_CUSTOMER Your customer number (username for Basic Auth). MGWM_API_HASH Your API Hash (password for Basic Auth). Issues: github.com/acmesh-official/acme.sh -Author: (Your Name or generated by AI) +Author: Generated by AI (with user input) ' -# Base endpoint for the MGW-MEDIA.DE API (parameters will be added as query strings) -MGWM_API_ENDPOINT="https://ipv4.api.mgw-media.de/record" +# Direct endpoint for the PHP script with query parameters +# This variable replaces MGWM_API_BASE when using query-parameter-based URLs directly. +MGWM_API_ENDPOINT="https://api.mgw-media.de/record.php" ######## Public functions ##################### # This function is called by acme.sh to add a TXT record. @@ -25,34 +26,20 @@ dns_mgwm_add() { _debug "fulldomain: $fulldomain" _debug "txtvalue: $txtvalue" - # Load credentials from environment or acme.sh config - MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" - MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" - - # Check if credentials are set - if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then - _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." - _err "Please check these environment variables and try again." + # Call private function to load and save environment variables and set up the Basic Auth Header. + if ! _mgwm_init_env; then return 1 fi - # Save credentials for automatic renewal and future calls - _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" - _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" - - # Create the Basic Auth Header directly in this function's scope - _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" - # Export _H1 so _get function can pick it up - export _H1="Authorization: Basic $_credentials" - _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials - - # Construct the API URL for adding a record with query parameters - _add_url="${MGWM_API_ENDPOINT}.php?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" + # Construct the API URL using query parameters. + # This targets the record.php script directly, passing action, fulldomain, type, and content. + _add_url="${MGWM_API_ENDPOINT}?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" _debug "Calling MGWM ADD URL: ${_add_url}" - # Execute the HTTP GET request with the Authorization Header (_H1) - # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. - response="$(_get "" "$_add_url" "" "GET" "$_H1")" + # Execute the HTTP GET request. + # Correct parameters for _get(): url="$1", onlyheader="$2", t="$3" + # The Authorization Header (_H1) is automatically picked up by _get() from the environment. + response="$(_get "$_add_url" "" "")" # <-- KORRIGIERTER AUFRUF VON _get() _debug "MGWM add response: $response" # Check the API response for success. The API returns "OK" on success. @@ -69,40 +56,26 @@ dns_mgwm_add() { # This function is called by acme.sh to remove a TXT record after validation. dns_mgwm_rm() { fulldomain=$1 - txtvalue=$2 # This value is not used by the RM API in this case. + txtvalue=$2 # This txtvalue is now used to identify the specific record to be removed. _info "Removing TXT record for $fulldomain using mgw-media.de DNS API" _debug "fulldomain: $fulldomain" - _debug "txtvalue: $txtvalue" # Still logging for completeness, but not used in URL + _debug "txtvalue: $txtvalue" - # Load credentials from environment or acme.sh config - MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" - MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" - - # Check if credentials are set - if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then - _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." - _err "Please check these environment variables and try again." + # Call private function to load and save environment variables and set up the Basic Auth Header. + if ! _mgwm_init_env; then return 1 fi - # Save credentials (important for future renewals if not saved by add function) - _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" - _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" - - # Create the Basic Auth Header directly in this function's scope - _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" - # Export _H1 so _get function can pick it up - export _H1="Authorization: Basic $_credentials" - _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials - - # Construct the API URL for removing a record with query parameters - # The RM API from mgw-media.de does not expect a 'content' parameter. - _rm_url="${MGWM_API_ENDPOINT}.php?action=rm&fulldomain=${fulldomain}&type=txt" + # Construct the API URL for removing a record. + # This targets the record.php script directly, passing action, fulldomain, type, and content. + _rm_url="${MGWM_API_ENDPOINT}?action=rm&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" _debug "Calling MGWM RM URL: ${_rm_url}" - # Execute the HTTP GET request with the Authorization Header (_H1) - response="$(_get "" "$_rm_url" "" "GET" "$_H1")" + # Execute the HTTP GET request. + # Correct parameters for _get(): url="$1", onlyheader="$2", t="$3" + # The Authorization Header (_H1) is automatically picked up by _get() from the environment. + response="$(_get "$_rm_url" "" "")" # <-- KORRIGIERTER AUFRUF VON _get() _debug "MGWM rm response: $response" # Check the API response for success. The API returns "OK" on success. @@ -116,6 +89,35 @@ dns_mgwm_rm() { } #################### Private functions below ################################## -# The _mgwm_init_env function has been inlined into dns_mgwm_add and dns_mgwm_rm -# to ensure credentials and the Authorization header are set correctly within -# each function's sub-shell context. + +# _mgwm_init_env() loads the mgw-media.de API credentials (customer number and hash) +# from environment variables or acme.sh's configuration, saves them, and +# prepares the global _H1 variable for Basic Authorization header. +_mgwm_init_env() { + # Load credentials from environment or acme.sh config + MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" + MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" + + # Check if credentials are set + if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then + _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH." + _err "Please check these environment variables and try again." + return 1 + fi + + # Save credentials for automatic renewal and future calls + _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER" + _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH" + + # Create the Basic Auth Header. acme.sh's _base64 function is used for encoding. + _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" + export _H1="Authorization: Basic $_credentials" + _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials + return 0 +} + +# The _get_root function, often found in other acme.sh DNS API scripts, +# is not necessary for the MGW-MEDIA.DE API. +# The MGW-MEDIA.DE API directly accepts the complete FQDN (fulldomain) +# in its URL path and handles the extraction of the subdomain and root domain internally. +# Therefore, no custom _get_root implementation is needed here. From 546c2d47d5b6a740eb7cbf874e81529106a1e66d Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:11:42 +0100 Subject: [PATCH 193/313] Refactor DNS API for mgw-media.de Updated DNS API script for mgw-media.de to use new base URL and improved API request structure. --- dnsapi/dns_mgwm.sh | 43 +++++++++++++++++-------------------------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index c02b7a6d..f38c184e 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -2,19 +2,17 @@ # shellcheck disable=SC2034 # DNS provider information for acme.sh -dns_mgwm_info='MGW-MEDIA.DE +dns_mgwm_info='mgw-media.de Site: mgw-media.de Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_mgwm Options: - MGWM_CUSTOMER Your customer number (username for Basic Auth). - MGWM_API_HASH Your API Hash (password for Basic Auth). + MGWM_CUSTOMER Your customer number + MGWM_API_HASH Your API Hash Issues: github.com/acmesh-official/acme.sh -Author: Generated by AI (with user input) ' -# Direct endpoint for the PHP script with query parameters -# This variable replaces MGWM_API_BASE when using query-parameter-based URLs directly. -MGWM_API_ENDPOINT="https://api.mgw-media.de/record.php" +# Base URL for the mgw-media.de API +MGWM_API_BASE="https://api.mgw-media.de/record" ######## Public functions ##################### # This function is called by acme.sh to add a TXT record. @@ -31,15 +29,14 @@ dns_mgwm_add() { return 1 fi - # Construct the API URL using query parameters. - # This targets the record.php script directly, passing action, fulldomain, type, and content. - _add_url="${MGWM_API_ENDPOINT}?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" + # Construct the API URL for adding a record. + #_add_url="${MGWM_API_BASE}/add/${fulldomain}/txt/${txtvalue}" + _add_url="${MGWM_API_BASE}.php?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" _debug "Calling MGWM ADD URL: ${_add_url}" - # Execute the HTTP GET request. - # Correct parameters for _get(): url="$1", onlyheader="$2", t="$3" - # The Authorization Header (_H1) is automatically picked up by _get() from the environment. - response="$(_get "$_add_url" "" "")" # <-- KORRIGIERTER AUFRUF VON _get() + # Execute the HTTP GET request with the Authorization Header. + # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. + response="$(_get "$_add_url")" _debug "MGWM add response: $response" # Check the API response for success. The API returns "OK" on success. @@ -68,14 +65,14 @@ dns_mgwm_rm() { fi # Construct the API URL for removing a record. - # This targets the record.php script directly, passing action, fulldomain, type, and content. - _rm_url="${MGWM_API_ENDPOINT}?action=rm&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" + # To delete a specific record by its value (as required by ACME v2 for multiple TXT records), + # the txtvalue must be part of the URL, similar to the add action. + #_rm_url="${MGWM_API_BASE}/rm/${fulldomain}/txt/${txtvalue}" + _rm_url="${MGWM_API_BASE}.php?action=rm&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" _debug "Calling MGWM RM URL: ${_rm_url}" - # Execute the HTTP GET request. - # Correct parameters for _get(): url="$1", onlyheader="$2", t="$3" - # The Authorization Header (_H1) is automatically picked up by _get() from the environment. - response="$(_get "$_rm_url" "" "")" # <-- KORRIGIERTER AUFRUF VON _get() + # Execute the HTTP GET request with the Authorization Header. + response="$(_get "$_rm_url")" _debug "MGWM rm response: $response" # Check the API response for success. The API returns "OK" on success. @@ -115,9 +112,3 @@ _mgwm_init_env() { _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials return 0 } - -# The _get_root function, often found in other acme.sh DNS API scripts, -# is not necessary for the MGW-MEDIA.DE API. -# The MGW-MEDIA.DE API directly accepts the complete FQDN (fulldomain) -# in its URL path and handles the extraction of the subdomain and root domain internally. -# Therefore, no custom _get_root implementation is needed here. From d8722c46d9b8ed938122ef54ec89e440878263ac Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:26:29 +0100 Subject: [PATCH 194/313] Consolidate API request logic in dns_mgwm.sh Refactor DNS API functions to use a unified request handler. --- dnsapi/dns_mgwm.sh | 100 ++++++++++++++++++++++----------------------- 1 file changed, 49 insertions(+), 51 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index f38c184e..ca48584c 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -1,6 +1,5 @@ #!/usr/bin/env sh # shellcheck disable=SC2034 - # DNS provider information for acme.sh dns_mgwm_info='mgw-media.de Site: mgw-media.de @@ -10,87 +9,66 @@ Options: MGWM_API_HASH Your API Hash Issues: github.com/acmesh-official/acme.sh ' - # Base URL for the mgw-media.de API MGWM_API_BASE="https://api.mgw-media.de/record" - ######## Public functions ##################### # This function is called by acme.sh to add a TXT record. dns_mgwm_add() { fulldomain=$1 txtvalue=$2 - - _info "Using mgw-media.de DNS API for domain $fulldomain" + _info "Using mgw-media.de DNS API for domain $fulldomain (add record)" _debug "fulldomain: $fulldomain" _debug "txtvalue: $txtvalue" - # Call private function to load and save environment variables and set up the Basic Auth Header. - if ! _mgwm_init_env; then - return 1 - fi - - # Construct the API URL for adding a record. - #_add_url="${MGWM_API_BASE}/add/${fulldomain}/txt/${txtvalue}" - _add_url="${MGWM_API_BASE}.php?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" - _debug "Calling MGWM ADD URL: ${_add_url}" - - # Execute the HTTP GET request with the Authorization Header. - # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. - response="$(_get "$_add_url")" - _debug "MGWM add response: $response" - - # Check the API response for success. The API returns "OK" on success. - if [ "$response" = "OK" ]; then + # Call the new private function to handle the API request. + # The 'add' action, fulldomain, type 'txt' and txtvalue are passed. + if _mgwm_perform_api_request "add" "$fulldomain" "txt" "$txtvalue"; then _info "TXT record for $fulldomain successfully added via MGWM API." _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks. return 0 else - _err "mgwm_add: Failed to add TXT record for $fulldomain. Unexpected API Response: '$response'" + # Error message already logged by _mgwm_perform_api_request, but a specific one here helps. + _err "mgwm_add: Failed to add TXT record for $fulldomain." return 1 fi } - # This function is called by acme.sh to remove a TXT record after validation. dns_mgwm_rm() { fulldomain=$1 txtvalue=$2 # This txtvalue is now used to identify the specific record to be removed. - - _info "Removing TXT record for $fulldomain using mgw-media.de DNS API" + _info "Removing TXT record for $fulldomain using mgw-media.de DNS API (remove record)" _debug "fulldomain: $fulldomain" _debug "txtvalue: $txtvalue" - # Call private function to load and save environment variables and set up the Basic Auth Header. - if ! _mgwm_init_env; then - return 1 - fi - - # Construct the API URL for removing a record. - # To delete a specific record by its value (as required by ACME v2 for multiple TXT records), - # the txtvalue must be part of the URL, similar to the add action. - #_rm_url="${MGWM_API_BASE}/rm/${fulldomain}/txt/${txtvalue}" - _rm_url="${MGWM_API_BASE}.php?action=rm&fulldomain=${fulldomain}&type=txt&content=${txtvalue}" - _debug "Calling MGWM RM URL: ${_rm_url}" - - # Execute the HTTP GET request with the Authorization Header. - response="$(_get "$_rm_url")" - _debug "MGWM rm response: $response" - - # Check the API response for success. The API returns "OK" on success. - if [ "$response" = "OK" ]; then + # Call the new private function to handle the API request. + # The 'rm' action, fulldomain, type 'txt' and txtvalue are passed. + if _mgwm_perform_api_request "rm" "$fulldomain" "txt" "$txtvalue"; then _info "TXT record for $fulldomain successfully removed via MGWM API." return 0 else - _err "mgwm_rm: Failed to remove TXT record for $fulldomain. Unexpected API Response: '$response'" + # Error message already logged by _mgwm_perform_api_request, but a specific one here helps. + _err "mgwm_rm: Failed to remove TXT record for $fulldomain." return 1 fi } - #################### Private functions below ################################## -# _mgwm_init_env() loads the mgw-media.de API credentials (customer number and hash) -# from environment variables or acme.sh's configuration, saves them, and -# prepares the global _H1 variable for Basic Authorization header. -_mgwm_init_env() { +# _mgwm_perform_api_request() encapsulates the API call logic, including +# loading credentials, setting the Authorization header, and executing the request. +# Arguments: +# $1: action (e.g., "add", "rm") +# $2: fulldomain +# $3: type (e.g., "txt") +# $4: content (the txtvalue) +_mgwm_perform_api_request() { + _action="$1" + _fulldomain="$2" + _type="$3" + _content="$4" + + _debug "Calling _mgwm_perform_api_request for action: $_action, domain: $_fulldomain, type: $_type, content: $_content" + + # --- Start of _mgwm_init_env logic (now embedded here) --- # Load credentials from environment or acme.sh config MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" @@ -110,5 +88,25 @@ _mgwm_init_env() { _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" export _H1="Authorization: Basic $_credentials" _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials - return 0 + # --- End of _mgwm_init_env logic --- + + # Construct the API URL based on the action and provided parameters. + _request_url="${MGWM_API_BASE}.php?action=${_action}&fulldomain=${_fulldomain}&type=${_type}&content=${_content}" + _debug "Constructed MGWM API URL for action '$_action': ${_request_url}" + + # Execute the HTTP GET request with the Authorization Header. + # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. + response="$(_get "$_request_url")" + _debug "MGWM API response for action '$_action': $response" + + # Check the API response for success. The API returns "OK" on success. + if [ "$response" = "OK" ]; then + _info "MGWM API action '$_action' for record '$_fulldomain' successful." + return 0 + else + _err "mgwm_perform_api_request: Failed API action '$_action' for record '$_fulldomain'. Unexpected API Response: '$response'" + return 1 + fi } + +# The original _mgwm_init_env function is now removed as its logic is integrated into _mgwm_perform_api_request. From 503ca1e9c277721c095aee8b86a6f35c18498ff1 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:34:01 +0100 Subject: [PATCH 195/313] Change MGWM_API_BASE to use IP address --- dnsapi/dns_mgwm.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index ca48584c..5fa6c216 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -10,7 +10,8 @@ Options: Issues: github.com/acmesh-official/acme.sh ' # Base URL for the mgw-media.de API -MGWM_API_BASE="https://api.mgw-media.de/record" +#MGWM_API_BASE="https://api.mgw-media.de/record" +MGWM_API_BASE="http://217.114.220.70/record" ######## Public functions ##################### # This function is called by acme.sh to add a TXT record. dns_mgwm_add() { @@ -88,6 +89,7 @@ _mgwm_perform_api_request() { _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" export _H1="Authorization: Basic $_credentials" _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials + export _H2="Host: api.mgw-media.de" # --- End of _mgwm_init_env logic --- # Construct the API URL based on the action and provided parameters. From 95da407de86f37d021aa07d44010072c8da01327 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 19:02:51 +0100 Subject: [PATCH 196/313] Refactor DNS API script to use new request function --- dnsapi/dns_mgwm.sh | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index 5fa6c216..bb0cb650 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -10,9 +10,10 @@ Options: Issues: github.com/acmesh-official/acme.sh ' # Base URL for the mgw-media.de API -#MGWM_API_BASE="https://api.mgw-media.de/record" -MGWM_API_BASE="http://217.114.220.70/record" +MGWM_API_BASE="https://api.mgw-media.de/record" + ######## Public functions ##################### + # This function is called by acme.sh to add a TXT record. dns_mgwm_add() { fulldomain=$1 @@ -23,12 +24,12 @@ dns_mgwm_add() { # Call the new private function to handle the API request. # The 'add' action, fulldomain, type 'txt' and txtvalue are passed. - if _mgwm_perform_api_request "add" "$fulldomain" "txt" "$txtvalue"; then - _info "TXT record for $fulldomain successfully added via MGWM API." + if _mgwm_request "add" "$fulldomain" "txt" "$txtvalue"; then + _info "TXT record for $fulldomain successfully added via mgw-media.de API." _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks. return 0 else - # Error message already logged by _mgwm_perform_api_request, but a specific one here helps. + # Error message already logged by _mgwm_request, but a specific one here helps. _err "mgwm_add: Failed to add TXT record for $fulldomain." return 1 fi @@ -43,33 +44,32 @@ dns_mgwm_rm() { # Call the new private function to handle the API request. # The 'rm' action, fulldomain, type 'txt' and txtvalue are passed. - if _mgwm_perform_api_request "rm" "$fulldomain" "txt" "$txtvalue"; then - _info "TXT record for $fulldomain successfully removed via MGWM API." + if _mgwm_request "rm" "$fulldomain" "txt" "$txtvalue"; then + _info "TXT record for $fulldomain successfully removed via mgw-media.de API." return 0 else - # Error message already logged by _mgwm_perform_api_request, but a specific one here helps. + # Error message already logged by _mgwm_request, but a specific one here helps. _err "mgwm_rm: Failed to remove TXT record for $fulldomain." return 1 fi } #################### Private functions below ################################## -# _mgwm_perform_api_request() encapsulates the API call logic, including +# _mgwm_request() encapsulates the API call logic, including # loading credentials, setting the Authorization header, and executing the request. # Arguments: # $1: action (e.g., "add", "rm") # $2: fulldomain # $3: type (e.g., "txt") # $4: content (the txtvalue) -_mgwm_perform_api_request() { +_mgwm_request() { _action="$1" _fulldomain="$2" _type="$3" _content="$4" - _debug "Calling _mgwm_perform_api_request for action: $_action, domain: $_fulldomain, type: $_type, content: $_content" + _debug "Calling _mgwm_request for action: $_action, domain: $_fulldomain, type: $_type, content: $_content" - # --- Start of _mgwm_init_env logic (now embedded here) --- # Load credentials from environment or acme.sh config MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}" MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}" @@ -89,26 +89,22 @@ _mgwm_perform_api_request() { _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)" export _H1="Authorization: Basic $_credentials" _debug "Set Authorization Header: Basic " # Log debug message without sensitive credentials - export _H2="Host: api.mgw-media.de" - # --- End of _mgwm_init_env logic --- # Construct the API URL based on the action and provided parameters. - _request_url="${MGWM_API_BASE}.php?action=${_action}&fulldomain=${_fulldomain}&type=${_type}&content=${_content}" - _debug "Constructed MGWM API URL for action '$_action': ${_request_url}" + _request_url="${MGWM_API_BASE}/${_action}/${_fulldomain}/${_type}/${_content}" + _debug "Constructed mgw-media.de API URL for action '$_action': ${_request_url}" # Execute the HTTP GET request with the Authorization Header. # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization. response="$(_get "$_request_url")" - _debug "MGWM API response for action '$_action': $response" + _debug "mgw-media.de API response for action '$_action': $response" # Check the API response for success. The API returns "OK" on success. if [ "$response" = "OK" ]; then - _info "MGWM API action '$_action' for record '$_fulldomain' successful." + _info "mgw-media.de API action '$_action' for record '$_fulldomain' successful." return 0 else - _err "mgwm_perform_api_request: Failed API action '$_action' for record '$_fulldomain'. Unexpected API Response: '$response'" + _err "Failed mgw-media.de API action '$_action' for record '$_fulldomain'. Unexpected API Response: '$response'" return 1 fi } - -# The original _mgwm_init_env function is now removed as its logic is integrated into _mgwm_perform_api_request. From 0d2955b48d51846bc86ed4259d679569e80dccf5 Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:11:40 +0100 Subject: [PATCH 197/313] Update documentation links in dns_mgwm.sh --- dnsapi/dns_mgwm.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index bb0cb650..28f1342d 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -3,11 +3,11 @@ # DNS provider information for acme.sh dns_mgwm_info='mgw-media.de Site: mgw-media.de -Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_mgwm +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_mgwm Options: MGWM_CUSTOMER Your customer number MGWM_API_HASH Your API Hash -Issues: github.com/acmesh-official/acme.sh +Issues: github.com/acmesh-official/acme.sh/issues/6669 ' # Base URL for the mgw-media.de API MGWM_API_BASE="https://api.mgw-media.de/record" From f142f37064c6d0ea837a77c4a08499a38d0cbeaa Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:11:56 +0100 Subject: [PATCH 198/313] Remove DNS provider information comment Removed comment about DNS provider information. --- dnsapi/dns_mgwm.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index 28f1342d..618e90e2 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -1,6 +1,5 @@ #!/usr/bin/env sh # shellcheck disable=SC2034 -# DNS provider information for acme.sh dns_mgwm_info='mgw-media.de Site: mgw-media.de Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_mgwm From 329dab9a67b48b43e31ab3b8ebb7acf511399b0a Mon Sep 17 00:00:00 2001 From: Gilles Filippini Date: Sun, 16 Nov 2025 15:07:15 +0100 Subject: [PATCH 199/313] Use '_mutable' functions for authentication variables Fixes #6081. --- dnsapi/dns_gandi_livedns.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_gandi_livedns.sh b/dnsapi/dns_gandi_livedns.sh index 0516fee9..aaef07bf 100644 --- a/dnsapi/dns_gandi_livedns.sh +++ b/dnsapi/dns_gandi_livedns.sh @@ -23,6 +23,8 @@ dns_gandi_livedns_add() { fulldomain=$1 txtvalue=$2 + GANDI_LIVEDNS_KEY="${GANDI_LIVEDNS_KEY:-$(_readaccountconf_mutable GANDI_LIVEDNS_KEY)}" + GANDI_LIVEDNS_TOKEN="${GANDI_LIVEDNS_TOKEN:-$(_readaccountconf_mutable GANDI_LIVEDNS_TOKEN)}" if [ -z "$GANDI_LIVEDNS_KEY" ] && [ -z "$GANDI_LIVEDNS_TOKEN" ]; then _err "No Token or API key (deprecated) specified for Gandi LiveDNS." _err "Create your token or key and export it as GANDI_LIVEDNS_KEY or GANDI_LIVEDNS_TOKEN respectively" @@ -31,11 +33,11 @@ dns_gandi_livedns_add() { # Keep only one secret in configuration if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then - _saveaccountconf GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN" - _clearaccountconf GANDI_LIVEDNS_KEY + _saveaccountconf_mutable GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN" + _clearaccountconf_mutable GANDI_LIVEDNS_KEY elif [ -n "$GANDI_LIVEDNS_KEY" ]; then - _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY" - _clearaccountconf GANDI_LIVEDNS_TOKEN + _saveaccountconf_mutable GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY" + _clearaccountconf_mutable GANDI_LIVEDNS_TOKEN fi _debug "First detect the root zone" From ad3783170e70653033f88de7ead7c44c990c9f9d Mon Sep 17 00:00:00 2001 From: "Markus G." <29913712+ufozone@users.noreply.github.com> Date: Mon, 8 Dec 2025 19:31:40 +0100 Subject: [PATCH 200/313] Fix formatting issues in dns_mgwm.sh script --- dnsapi/dns_mgwm.sh | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/dnsapi/dns_mgwm.sh b/dnsapi/dns_mgwm.sh index 618e90e2..57679127 100644 --- a/dnsapi/dns_mgwm.sh +++ b/dnsapi/dns_mgwm.sh @@ -24,13 +24,13 @@ dns_mgwm_add() { # Call the new private function to handle the API request. # The 'add' action, fulldomain, type 'txt' and txtvalue are passed. if _mgwm_request "add" "$fulldomain" "txt" "$txtvalue"; then - _info "TXT record for $fulldomain successfully added via mgw-media.de API." - _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks. - return 0 + _info "TXT record for $fulldomain successfully added via mgw-media.de API." + _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks. + return 0 else - # Error message already logged by _mgwm_request, but a specific one here helps. - _err "mgwm_add: Failed to add TXT record for $fulldomain." - return 1 + # Error message already logged by _mgwm_request, but a specific one here helps. + _err "mgwm_add: Failed to add TXT record for $fulldomain." + return 1 fi } # This function is called by acme.sh to remove a TXT record after validation. @@ -44,12 +44,12 @@ dns_mgwm_rm() { # Call the new private function to handle the API request. # The 'rm' action, fulldomain, type 'txt' and txtvalue are passed. if _mgwm_request "rm" "$fulldomain" "txt" "$txtvalue"; then - _info "TXT record for $fulldomain successfully removed via mgw-media.de API." - return 0 + _info "TXT record for $fulldomain successfully removed via mgw-media.de API." + return 0 else - # Error message already logged by _mgwm_request, but a specific one here helps. - _err "mgwm_rm: Failed to remove TXT record for $fulldomain." - return 1 + # Error message already logged by _mgwm_request, but a specific one here helps. + _err "mgwm_rm: Failed to remove TXT record for $fulldomain." + return 1 fi } #################### Private functions below ################################## @@ -100,10 +100,10 @@ _mgwm_request() { # Check the API response for success. The API returns "OK" on success. if [ "$response" = "OK" ]; then - _info "mgw-media.de API action '$_action' for record '$_fulldomain' successful." - return 0 + _info "mgw-media.de API action '$_action' for record '$_fulldomain' successful." + return 0 else - _err "Failed mgw-media.de API action '$_action' for record '$_fulldomain'. Unexpected API Response: '$response'" - return 1 + _err "Failed mgw-media.de API action '$_action' for record '$_fulldomain'. Unexpected API Response: '$response'" + return 1 fi } From e8708a748903f7d52ac07b3281755de5345dacd5 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 8 Dec 2025 21:12:49 +0100 Subject: [PATCH 201/313] fix solaris --- .github/workflows/DNS.yml | 4 +++- .github/workflows/Solaris.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index be9d3aae..ccce2ff6 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -441,7 +441,9 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false - prepare: pkgutil -y -i socat + prepare: | + pkgutil -U + pkgutil -y -i socat run: | pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 95bcd8d1..0ba3d2eb 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -66,7 +66,9 @@ jobs: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" - prepare: pkgutil -y -i socat curl wget + prepare: | + pkgutil -U + pkgutil -y -i socat curl wget copyback: false run: | cd ../acmetest \ From 1413aa332bb48d6cb60a4ef7114fe0be57f3e303 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ivan=20Miri=C4=87?= <1009277+imiric@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:12:27 +0100 Subject: [PATCH 202/313] fix: update Exoscale DNS script This updates the Exoscale DNS script to work with v2 of their API. --- dnsapi/dns_exoscale.sh | 226 ++++++++++++++++++++++++----------------- 1 file changed, 132 insertions(+), 94 deletions(-) mode change 100755 => 100644 dnsapi/dns_exoscale.sh diff --git a/dnsapi/dns_exoscale.sh b/dnsapi/dns_exoscale.sh old mode 100755 new mode 100644 index 6898ce38..ddd526a4 --- a/dnsapi/dns_exoscale.sh +++ b/dnsapi/dns_exoscale.sh @@ -8,9 +8,9 @@ Options: EXOSCALE_SECRET_KEY API Secret key ' -EXOSCALE_API=https://api.exoscale.com/dns/v1 +EXOSCALE_API="https://api-ch-gva-2.exoscale.com/v2" -######## Public functions ##################### +######## Public functions ######## # Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" # Used to add txt record @@ -18,159 +18,197 @@ dns_exoscale_add() { fulldomain=$1 txtvalue=$2 - if ! _checkAuth; then + _debug "Using Exoscale DNS v2 API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ! _check_auth; then return 1 fi - _debug "First detect the root zone" - if ! _get_root "$fulldomain"; then - _err "invalid domain" + root_domain_id=$(_get_root_domain_id "$fulldomain") + if [ -z "$root_domain_id" ]; then + _err "Unable to determine root domain ID for $fulldomain" return 1 fi + _debug root_domain_id "$root_domain_id" - _debug _sub_domain "$_sub_domain" - _debug _domain "$_domain" + # Always get the subdomain part first + sub_domain=$(_get_sub_domain "$fulldomain" "$root_domain_id") + _debug sub_domain "$sub_domain" - _info "Adding record" - if _exoscale_rest POST "domains/$_domain_id/records" "{\"record\":{\"name\":\"$_sub_domain\",\"record_type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}}" "$_domain_token"; then - if _contains "$response" "$txtvalue"; then - _info "Added, OK" - return 0 - fi + # Build the record name properly + if [ -z "$sub_domain" ]; then + record_name="_acme-challenge" + else + record_name="_acme-challenge.$sub_domain" fi - _err "Add txt record error." - return 1 + payload=$(printf '{"name":"%s","type":"TXT","content":"%s","ttl":120}' "$record_name" "$txtvalue") + _debug payload "$payload" + + response=$(_exoscale_rest POST "/dns-domain/${root_domain_id}/record" "$payload") + if _contains "$response" "\"id\""; then + _info "TXT record added successfully." + return 0 + else + _err "Error adding TXT record: $response" + return 1 + fi } -# Usage: fulldomain txtvalue -# Used to remove the txt record after validation dns_exoscale_rm() { fulldomain=$1 - txtvalue=$2 - if ! _checkAuth; then + _debug "Using Exoscale DNS v2 API for removal" + _debug fulldomain "$fulldomain" + + if ! _check_auth; then return 1 fi - _debug "First detect the root zone" - if ! _get_root "$fulldomain"; then - _err "invalid domain" + root_domain_id=$(_get_root_domain_id "$fulldomain") + if [ -z "$root_domain_id" ]; then + _err "Unable to determine root domain ID for $fulldomain" return 1 fi - _debug _sub_domain "$_sub_domain" - _debug _domain "$_domain" - - _debug "Getting txt records" - _exoscale_rest GET "domains/${_domain_id}/records?type=TXT&name=$_sub_domain" "" "$_domain_token" - if _contains "$response" "\"name\":\"$_sub_domain\"" >/dev/null; then - _record_id=$(echo "$response" | tr '{' "\n" | grep "\"content\":\"$txtvalue\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \") + record_name="_acme-challenge" + sub_domain=$(_get_sub_domain "$fulldomain" "$root_domain_id") + if [ -n "$sub_domain" ]; then + record_name="_acme-challenge.$sub_domain" fi - if [ -z "$_record_id" ]; then - _err "Can not get record id to remove." + record_id=$(_find_record_id "$root_domain_id" "$record_name") + if [ -z "$record_id" ]; then + _err "TXT record not found for deletion." return 1 fi - _debug "Deleting record $_record_id" - - if ! _exoscale_rest DELETE "domains/$_domain_id/records/$_record_id" "" "$_domain_token"; then - _err "Delete record error." + response=$(_exoscale_rest DELETE "/dns-domain/$root_domain_id/record/$record_id") + if _contains "$response" "\"state\":\"success\""; then + _info "TXT record deleted successfully." + return 0 + else + _err "Error deleting TXT record: $response" return 1 fi - - return 0 } -#################### Private functions below ################################## +######## Private helpers ######## -_checkAuth() { +_check_auth() { EXOSCALE_API_KEY="${EXOSCALE_API_KEY:-$(_readaccountconf_mutable EXOSCALE_API_KEY)}" EXOSCALE_SECRET_KEY="${EXOSCALE_SECRET_KEY:-$(_readaccountconf_mutable EXOSCALE_SECRET_KEY)}" - if [ -z "$EXOSCALE_API_KEY" ] || [ -z "$EXOSCALE_SECRET_KEY" ]; then - EXOSCALE_API_KEY="" - EXOSCALE_SECRET_KEY="" - _err "You don't specify Exoscale application key and application secret yet." - _err "Please create you key and try again." + _err "EXOSCALE_API_KEY and EXOSCALE_SECRET_KEY must be set." return 1 fi - _saveaccountconf_mutable EXOSCALE_API_KEY "$EXOSCALE_API_KEY" _saveaccountconf_mutable EXOSCALE_SECRET_KEY "$EXOSCALE_SECRET_KEY" - return 0 } -#_acme-challenge.www.domain.com -#returns -# _sub_domain=_acme-challenge.www -# _domain=domain.com -# _domain_id=sdjkglgdfewsdfg -# _domain_token=sdjkglgdfewsdfg -_get_root() { - - if ! _exoscale_rest GET "domains"; then - return 1 - fi - +_get_root_domain_id() { domain=$1 - i=2 - p=1 + i=1 while true; do - h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) - _debug h "$h" - if [ -z "$h" ]; then - #not valid - return 1 - fi - - if _contains "$response" "\"name\":\"$h\"" >/dev/null; then - _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \") - _domain_token=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") - if [ "$_domain_token" ] && [ "$_domain_id" ]; then - _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") - _domain=$h - return 0 + candidate=$(printf "%s" "$domain" | cut -d . -f "${i}-100") + [ -z "$candidate" ] && return 1 + _debug "Trying root domain candidate: $candidate" + domains=$(_exoscale_rest GET "/dns-domain") + # Extract from dns-domains array + result=$(echo "$domains" | _egrep_o '"dns-domains":\[.*\]' | _egrep_o '\{"id":"[^"]*","created-at":"[^"]*","unicode-name":"[^"]*"\}' | while read -r item; do + name=$(echo "$item" | _egrep_o '"unicode-name":"[^"]*"' | cut -d'"' -f4) + id=$(echo "$item" | _egrep_o '"id":"[^"]*"' | cut -d'"' -f4) + if [ "$name" = "$candidate" ]; then + echo "$id" + break fi - return 1 + done) + if [ -n "$result" ]; then + echo "$result" + return 0 fi - p=$i i=$(_math "$i" + 1) done - return 1 } -# returns response +_get_sub_domain() { + fulldomain=$1 + root_id=$2 + root_info=$(_exoscale_rest GET "/dns-domain/$root_id") + _debug root_info "$root_info" + root_name=$(echo "$root_info" | _egrep_o "\"unicode-name\":\"[^\"]*\"" | cut -d\" -f4) + sub=${fulldomain%%."$root_name"} + + if [ "$sub" = "_acme-challenge" ]; then + echo "" + else + # Remove _acme-challenge. prefix to get the actual subdomain + echo "${sub#_acme-challenge.}" + fi +} + +_find_record_id() { + root_id=$1 + name=$2 + records=$(_exoscale_rest GET "/dns-domain/$root_id/record") + + # Convert search name to lowercase for case-insensitive matching + name_lower=$(echo "$name" | tr '[:upper:]' '[:lower:]') + + echo "$records" | _egrep_o '\{[^}]*"name":"[^"]*"[^}]*\}' | while read -r record; do + record_name=$(echo "$record" | _egrep_o '"name":"[^"]*"' | cut -d'"' -f4) + record_name_lower=$(echo "$record_name" | tr '[:upper:]' '[:lower:]') + if [ "$record_name_lower" = "$name_lower" ]; then + echo "$record" | _egrep_o '"id":"[^"]*"' | _head_n 1 | cut -d'"' -f4 + break + fi + done +} + +_exoscale_sign() { + k=$1 + shift + hex_key=$(printf %b "$k" | _hex_dump | tr -d ' ') + printf %s "$@" | _hmac sha256 "$hex_key" +} + _exoscale_rest() { method=$1 - path="$2" - data="$3" - token="$4" - request_url="$EXOSCALE_API/$path" - _debug "$path" + path=$2 + data=$3 + + url="${EXOSCALE_API}${path}" + expiration=$(_math "$(date +%s)" + 300) # 5m from now + + # Build the message with the actual body or empty line + message=$(printf "%s %s\n%s\n\n\n%s" "$method" "/v2$path" "$data" "$expiration") + signature=$(_exoscale_sign "$EXOSCALE_SECRET_KEY" "$message" | _base64) + auth="EXO2-HMAC-SHA256 credential=${EXOSCALE_API_KEY},expires=${expiration},signature=${signature}" + + _debug "API request: $method $url" + _debug "Signed message: [$message]" + _debug "Authorization header: [$auth]" export _H1="Accept: application/json" - - if [ "$token" ]; then - export _H2="X-DNS-Domain-Token: $token" - else - export _H2="X-DNS-Token: $EXOSCALE_API_KEY:$EXOSCALE_SECRET_KEY" - fi + export _H2="Authorization: ${auth}" if [ "$data" ] || [ "$method" = "DELETE" ]; then export _H3="Content-Type: application/json" _debug data "$data" - response="$(_post "$data" "$request_url" "" "$method")" + response="$(_post "$data" "$url" "" "$method")" else - response="$(_get "$request_url" "" "" "$method")" + response="$(_get "$url" "" "" "$method")" fi - if [ "$?" != "0" ]; then - _err "error $request_url" + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + _err "error $url" return 1 fi _debug2 response "$response" + echo "$response" return 0 } From e5dea48d3cc3bdb49696398e5d17edb515046279 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 9 Dec 2025 07:40:00 -0500 Subject: [PATCH 203/313] Retry pull request with HTTPS_INSECURE=1 --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 0765c697..7ae2f1cd 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -17,7 +17,7 @@ dns_qc_add() { fulldomain=$1 txtvalue=$2 - _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue." + _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" From 30639737441dc8ea33a5b1c9ffb53c9517713922 Mon Sep 17 00:00:00 2001 From: fratoro <7229526+fratoro@users.noreply.github.com> Date: Tue, 9 Dec 2025 16:49:12 +0100 Subject: [PATCH 204/313] Update dns_cyon to use unique user-agent and all cookies --- dnsapi/dns_cyon.sh | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_cyon.sh b/dnsapi/dns_cyon.sh index a585e772..882ebc48 100644 --- a/dnsapi/dns_cyon.sh +++ b/dnsapi/dns_cyon.sh @@ -101,6 +101,8 @@ _cyon_load_parameters() { # This header is required for curl calls. _H1="X-Requested-With: XMLHttpRequest" export _H1 + _H3="User-Agent: cyon-dns-acmesh/1.0" + export _H3 } _cyon_print_header() { @@ -125,7 +127,11 @@ _cyon_print_header() { } _cyon_get_cookie_header() { - printf "Cookie: %s" "$(grep "cyon=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'cyon=[^;]*;' | tr -d ';')" + # Extract all cookies from the response headers (case-insensitive) + _cookies="$(grep -i "^set-cookie:" "$HTTP_HEADER" | sed 's/^[Ss]et-[Cc]ookie: //' | sed 's/;.*//' | tr '\n' '; ' | sed 's/; $//')" + if [ -n "$_cookies" ]; then + printf "Cookie: %s" "$_cookies" + fi } _cyon_login() { @@ -155,6 +161,13 @@ _cyon_login() { _get "https://my.cyon.ch/" >/dev/null + # Update cookie after loading main page (only if new cookies are set) + _new_cookies="$(_cyon_get_cookie_header)" + if [ -n "$_new_cookies" ]; then + _H2="$_new_cookies" + export _H2 + fi + # todo: instead of just checking if the env variable is defined, check if we actually need to do a 2FA auth request. # 2FA authentication with OTP? @@ -184,6 +197,13 @@ _cyon_login() { fi _info " success" + + # Update cookie after 2FA (only if new cookies are set) + _new_cookies="$(_cyon_get_cookie_header)" + if [ -n "$_new_cookies" ]; then + _H2="$_new_cookies" + export _H2 + fi fi _info "" @@ -205,7 +225,17 @@ _cyon_change_domain_env() { domain_env="$(printf "%s" "${fulldomain}" | sed -E -e 's/.*\.(.*\..*)$/\1/')" _debug "Changing domain environment to ${domain_env}" - gloo_item_key="$(_get "https://my.cyon.ch/domain/" | tr '\n' ' ' | sed -E -e "s/.*data-domain=\"${domain_env}\"[^<]*data-itemkey=\"([^\"]*).*/\1/")" + domain_page_response="$(_get "https://my.cyon.ch/domain/")" + _debug domain_page_response "${domain_page_response}" + + # Check if we got an error response (JSON) instead of HTML + if printf "%s" "${domain_page_response}" | grep -q '"iserror":true'; then + _err " $(printf "%s" "${domain_page_response}" | _cyon_get_response_message)" + _err "" + return 1 + fi + + gloo_item_key="$(printf "%s" "${domain_page_response}" | tr '\n' ' ' | sed -E -e "s/.*data-domain=\"${domain_env}\"[^<]*data-itemkey=\"([^\"]*).*/\1/")" _debug gloo_item_key "${gloo_item_key}" domain_env_url="https://my.cyon.ch/user/environment/setdomain/d/${domain_env}/gik/${gloo_item_key}" From 70bc5a6fbac33463e2e22dcb21e29b639dd33ffd Mon Sep 17 00:00:00 2001 From: fratoro <7229526+fratoro@users.noreply.github.com> Date: Tue, 9 Dec 2025 22:57:26 +0100 Subject: [PATCH 205/313] Update dns_cyon to use unique user-agent and all cookies --- dnsapi/dns_cyon.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/dnsapi/dns_cyon.sh b/dnsapi/dns_cyon.sh index 882ebc48..0c74be2a 100644 --- a/dnsapi/dns_cyon.sh +++ b/dnsapi/dns_cyon.sh @@ -168,8 +168,6 @@ _cyon_login() { export _H2 fi - # todo: instead of just checking if the env variable is defined, check if we actually need to do a 2FA auth request. - # 2FA authentication with OTP? if [ -n "${CY_OTP_Secret}" ]; then _info " - Authorising with OTP code..." From 5017c12324967423cb44ae7d0b6d5b9ee354317d Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Thu, 11 Dec 2025 09:03:38 -0500 Subject: [PATCH 206/313] Trying verification again --- dnsapi/dns_qc.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 7ae2f1cd..2376d718 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -39,7 +39,7 @@ dns_qc_add() { _debug "First detect the root zone" if ! _get_root "$fulldomain"; then - _err "invalid domain" + _err "invalid domain during add" return 1 fi _debug _domain_id "$_domain_id" @@ -59,7 +59,7 @@ dns_qc_add() { # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) # _debug count "$count" # if [ "$count" = "0" ]; then - _info "Adding txt record" + _info "Adding txt record." if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then if _contains "$response" "$txtvalue"; then _info "Added txt record, OK" @@ -88,7 +88,7 @@ dns_qc_rm() { _debug "First detect the root zone" if ! _get_root "$fulldomain"; then - _err "invalid domain" + _err "invalid domain during rm" return 1 fi _debug _domain_id "$_domain_id" From 6f66e294defe1b0e1d5de1ff57cd596308ce013a Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Thu, 11 Dec 2025 15:43:15 -0500 Subject: [PATCH 207/313] Yet another try --- dns_qc.sh | 201 ----------------------------------------------- dnsapi/dns_qc.sh | 2 +- 2 files changed, 1 insertion(+), 202 deletions(-) delete mode 100755 dns_qc.sh diff --git a/dns_qc.sh b/dns_qc.sh deleted file mode 100755 index 78a243ae..00000000 --- a/dns_qc.sh +++ /dev/null @@ -1,201 +0,0 @@ -#!/usr/bin/env sh -# shellcheck disable=SC2034 -dns_qc_info='QUIC.cloud -Site: quic.cloud -Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_qc -Options: - QC_API_KEY QC API Key - QC_API_EMAIL Your account email -' - -QC_Api="https://api.quic.cloud/v2" - -######## Public functions ##################### - -#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" -dns_qc_add() { - fulldomain=$1 - txtvalue=$2 - - _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" - QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" - QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" - - if [ "$QC_API_KEY" ]; then - _savedomainconf QC_API_KEY "$QC_API_KEY" - else - _err "You didn't specify a QUIC.cloud are api key and email yet." - _err "You can get yours from here https://my.quic.cloud/up/api." - return 1 - fi - - if ! _contains "$QC_API_EMAIL" "@"; then - _err "It seems that the QC_API_EMAIL=$QC_API_EMAIL is not a valid email address." - _err "Please check and retry." - return 1 - fi - #save the api key and email to the account conf file. - _savedomainconf QC_API_EMAIL "$QC_API_EMAIL" - - _debug "First detect the root zone" - if ! _get_root "$fulldomain"; then - _err "invalid domain" - return 1 - fi - _debug _domain_id "$_domain_id" - _debug _sub_domain "$_sub_domain" - _debug _domain "$_domain" - - _debug "Getting txt records" - _qc_rest GET "zones/${_domain_id}/records" - - if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then - _err "Error failed response from QC GET: $response" - return 1 - fi - - # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so - # we can not use updating anymore. - # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) - # _debug count "$count" - # if [ "$count" = "0" ]; then - _info "Adding txt record" - if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then - if _contains "$response" "$txtvalue"; then - _info "Added txt record, OK" - return 0 - elif _contains "$response" "Same record already exists"; then - _info "txt record already exists, OK" - return 0 - else - _err "Add txt record error: $response" - return 1 - fi - fi - _err "Add txt record error: POST failed: $response" - return 1 - -} - -#fulldomain txtvalue -dns_qc_rm() { - fulldomain=$1 - txtvalue=$2 - - _debug "Enter dns_qc_rm fulldomain: $fulldomain, txtvalue: $txtvalue" - QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" - QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" - - _debug "First detect the root zone" - if ! _get_root "$fulldomain"; then - _err "invalid domain" - return 1 - fi - _debug _domain_id "$_domain_id" - _debug _sub_domain "$_sub_domain" - _debug _domain "$_domain" - - _debug "Getting txt records" - _qc_rest GET "zones/${_domain_id}/records" - - if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then - _err "Error rm GET response: $response" - return 1 - fi - - response=$(echo "$response" | jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") - _debug "get txt response" "$response" - if [ "${response}" = "" ]; then - _info "Don't need to remove txt records." - else - record_id=$(echo "$response" | grep \"id\" | awk -F ' ' '{print $2}' | sed 's/,$//') - _debug "txt record_id" "$record_id" - - if [[ -z "$record_id" ]]; then - _err "Can not get txt record id to remove. Run in debug mode." - return 1 - fi - - if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then - _info "Delete txt record error." - return 1 - fi - - _info "TXT Record ID: $record_id successfully deleted" - fi - -} - -#################### Private functions below ################################# -#_acme-challenge.www.domain.com -#returns -#_sub_domain=_acme-challenge.www -#_domain=domain.com -#_domain_id=sdjkglgdfewsdfg -_get_root() { - domain=$1 - p=1 - h=$(printf "%s" "$domain" | cut -d . -f2-) - _debug h "$h" - - if [[ -z "$h" ]]; then - _err "$h ($domain) is an invalid domain" - return 1 - fi - - if ! _qc_rest GET "zones"; then - _err "qc_rest failed" - return 1 - fi - - if _contains "$response" "\"name\":\"$h\"" || _contains "$response" "\"name\":\"$h.\""; then - _domain_id=$h - if [ "$_domain_id" ]; then - _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") - _domain=$h - return 0 - fi - - _err "Empty domain_id $h" - return 1 - fi - _err "Missing domain_id $h" - return 1 - -} - -_qc_rest() { - - m="$1" - ep="$2" - data="$3" - - _debug "$ep" - - email_trimmed=$(echo "$QC_API_EMAIL" | tr -d '"') - - token_trimmed=$(echo "$QC_API_KEY" | tr -d '"') - - export _H1="Content-Type: application/json" - - export _H2="X-Auth-Email: $email_trimmed" - - export _H3="X-Auth-Key: $token_trimmed" - - if [[ "$m" != "GET" ]]; then - _debug data "$data" - response="$(_post "$data" "$QC_Api/$ep" "" "$m")" - - else - response="$(_get "$QC_Api/$ep")" - - fi - - if [[ "$?" != "0" ]]; then - _err "error $ep" - return 1 - fi - - _debug2 response "$response" - -} diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 2376d718..b7267f63 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -59,7 +59,7 @@ dns_qc_add() { # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) # _debug count "$count" # if [ "$count" = "0" ]; then - _info "Adding txt record." + _info "Adding txt record" if _qc_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":1800}"; then if _contains "$response" "$txtvalue"; then _info "Added txt record, OK" From b4042d5ccb5082643f4e4eb3ac63bf9437205f4a Mon Sep 17 00:00:00 2001 From: as-kholin Date: Tue, 16 Dec 2025 14:51:42 -0500 Subject: [PATCH 208/313] Updated checks for empty parameters to actually trigger, and added a validation check against the omg.lol API to confirm address and apikey are good before proceeding --- dnsapi/dns_omglol.sh | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_omglol.sh b/dnsapi/dns_omglol.sh index df080bcf..ddde8f2d 100644 --- a/dnsapi/dns_omglol.sh +++ b/dnsapi/dns_omglol.sh @@ -35,7 +35,7 @@ dns_omglol_add() { _debug "omg.lol Address" "$OMG_Address" omg_validate "$OMG_ApiKey" "$OMG_Address" "$fulldomain" - if [ ! $? ]; then + if [ 1 = $? ]; then return 1 fi @@ -67,7 +67,7 @@ dns_omglol_rm() { _debug "omg.lol Address" "$OMG_Address" omg_validate "$OMG_ApiKey" "$OMG_Address" "$fulldomain" - if [ ! $? ]; then + if [ 1 = $? ]; then return 1 fi @@ -100,18 +100,48 @@ omg_validate() { fi _endswith "$fulldomain" "omg.lol" - if [ ! $? ]; then + if [ 1 = $? ]; then _err "Domain name requested is not under omg.lol" return 1 fi _endswith "$fulldomain" "$omg_address.omg.lol" - if [ ! $? ]; then + if [ 1 = $? ]; then _err "Domain name is not a subdomain of provided omg.lol address $omg_address" return 1 fi - _debug "Required environment parameters are all present" + omg_testconnect "$omg_apikey" "$omg_address" + if [ 1 = $? ]; then + _err "Authentication to omg.lol for address $omg_address using provided API key failed" + return 1 + fi + + _debug "Required environment parameters are all present and validated" +} + +# Validate that the address and API key are both correct and associated to each other +omg_testconnect() { + omg_apikey=$1 + omg_address=$2 + + _debug2 "Function" "omg_testconnect" + _secure_debug2 "omg.lol API key" "$omg_apikey" + _debug2 "omg.lol Address" "$omg_address" + + export _H1=$(_createAuthHeader "$omg_apikey") + endpoint="https://api.omg.lol/address/$omg_address/info" + _debug2 "Endpoint for validation" "$endpoint" + + response=$(_get "$endpoint" "" 30) + + _jsonResponseCheck "$response" "status_code" 200 + if [ 1 = $? ]; then + _debug2 "Failed to query omg.lol for $omg_address with provided API key" + _secure_debug2 "API Key" "omg_apikey" + _secure_debug3 "Raw response" "$response" + return 1 + fi } # Add (or modify) an entry for a new ACME query From 4a7e5d07209fa3d50ac9ecf3b7df2febef903084 Mon Sep 17 00:00:00 2001 From: as-kholin Date: Tue, 16 Dec 2025 15:00:05 -0500 Subject: [PATCH 209/313] Updating Auth header to satisfy shellcheck --- dnsapi/dns_omglol.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_omglol.sh b/dnsapi/dns_omglol.sh index ddde8f2d..652cfd15 100644 --- a/dnsapi/dns_omglol.sh +++ b/dnsapi/dns_omglol.sh @@ -129,7 +129,8 @@ omg_testconnect() { _secure_debug2 "omg.lol API key" "$omg_apikey" _debug2 "omg.lol Address" "$omg_address" - export _H1=$(_createAuthHeader "$omg_apikey") + authheader="$(_createAuthHeader "$omg_apikey")" + export _H1="$authheader" endpoint="https://api.omg.lol/address/$omg_address/info" _debug2 "Endpoint for validation" "$endpoint" From 85ff92170b1810fe7005c65f240c2b34f0cfe468 Mon Sep 17 00:00:00 2001 From: as-kholin Date: Wed, 17 Dec 2025 17:15:10 -0500 Subject: [PATCH 210/313] Updated comment to be more clear on variable vs. definition --- dnsapi/dns_omglol.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_omglol.sh b/dnsapi/dns_omglol.sh index 652cfd15..fd38d046 100644 --- a/dnsapi/dns_omglol.sh +++ b/dnsapi/dns_omglol.sh @@ -4,8 +4,8 @@ dns_omglol_info='omg.lol Site: omg.lol Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_omglol Options: - OMG_ApiKey API Key. This is accessible from the bottom of the account page at https://home.omg.lol/account - OMG_Address Address. This is your omg.lol address, without the preceding @ - you can see your list on your dashboard at https://home.omg.lol/dashboard + OMG_ApiKey - API Key. This is accessible from the bottom of the account page at https://home.omg.lol/account + OMG_Address - Address. This is your omg.lol address, without the preceding @ - you can see your list on your dashboard at https://home.omg.lol/dashboard Issues: github.com/acmesh-official/acme.sh/issues/5299 Author: @Kholin ' From e3b1bccb6aa5e1cda2a1d65c5bae66cec54edb30 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Thu, 18 Dec 2025 16:00:55 +0000 Subject: [PATCH 211/313] Fixes to support INWX again Fixes #6688 --- dnsapi/dns_inwx.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index 808fc3a9..89ab67ee 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -125,7 +125,7 @@ dns_inwx_rm() { if ! printf "%s" "$response" | grep "count" >/dev/null; then _info "Do not need to delete record" else - _record_id=$(printf '%s' "$response" | _egrep_o '.*(record){1}(.*)([0-9]+){1}' | _egrep_o 'id<\/name>[0-9]+' | _egrep_o '[0-9]+') + _record_id=$(printf '%s' "$response" | _egrep_o '.*(record){1}(.*)([0-9]+){1}' | _egrep_o 'id<\/name>[0-9]+' | _egrep_o '[0-9]+') _info "Deleting record" _inwx_delete_record "$_record_id" fi @@ -324,7 +324,7 @@ _inwx_delete_record() { id - %s + %s @@ -362,7 +362,7 @@ _inwx_update_record() { id - %s + %s From 00aaed1b14aaaf15a5c548f36e9b60ca20b7d069 Mon Sep 17 00:00:00 2001 From: Sergey Parfenov Date: Fri, 19 Dec 2025 18:05:01 +0300 Subject: [PATCH 212/313] Fix strongswan deploy hook Make it more resistant to deploy hooks api change by passing custom arguments first --- deploy/strongswan.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/strongswan.sh b/deploy/strongswan.sh index 14567d17..80353c54 100644 --- a/deploy/strongswan.sh +++ b/deploy/strongswan.sh @@ -33,7 +33,7 @@ strongswan_deploy() { return 1 fi _info _confdir "${_confdir}" - __deploy_cert "$@" "stroke" "${_confdir}" + __deploy_cert "stroke" "${_confdir}" "$@" ${_ipsec} reload fi # For modern vici mode @@ -50,7 +50,7 @@ strongswan_deploy() { _err "no swanctl config dir is found" return 1 fi - __deploy_cert "$@" "vici" "${_confdir}" + __deploy_cert "vici" "${_confdir}" "$@" ${_swanctl} --load-creds fi if [ -z "${_swanctl}" ] && [ -z "${_ipsec}" ]; then @@ -63,13 +63,13 @@ strongswan_deploy() { #################### Private functions below ################################## __deploy_cert() { - _cdomain="${1}" - _ckey="${2}" - _ccert="${3}" - _cca="${4}" - _cfullchain="${5}" - _swan_mode="${6}" - _confdir="${7}" + _swan_mode="${1}" + _confdir="${2}" + _cdomain="${3}" + _ckey="${4}" + _ccert="${5}" + _cca="${6}" + _cfullchain="${7}" _debug _cdomain "${_cdomain}" _debug _ckey "${_ckey}" _debug _ccert "${_ccert}" From 987882ea37f28b581b44614d93b0a9ab2f9823e4 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 17:49:24 +0100 Subject: [PATCH 213/313] fix delete --- dnsapi/dns_inwx.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index 89ab67ee..afe2c465 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -110,11 +110,17 @@ dns_inwx_rm() { %s + + content + + %s + + - ' "$_domain" "$_sub_domain") + ' "$_domain" "$_sub_domain" "$txtvalue") response="$(_post "$xml_content" "$INWX_Api" "" "POST")" if ! _contains "$response" "Command completed successfully"; then From 1c65c04b54b56a24c6f45d122b594c126b6a45c2 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 17:51:13 +0100 Subject: [PATCH 214/313] update dns_inwx_info --- dnsapi/dns_inwx.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index afe2c465..d83e08d6 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -6,6 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_inwx Options: INWX_User Username INWX_Password Password + INWX_Shared_Secret 2 Factor Authentication Shared Secret (optional) ' # Dependencies: From 27ebf09c5c3834011e29d5adf0f12d0f43540107 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 18:02:18 +0100 Subject: [PATCH 215/313] Improve _htmlEscape function robustness by using printf instead of echo small commit to trigger github actions --- dnsapi/dns_inwx.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index d83e08d6..a7ce9769 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -172,10 +172,10 @@ _inwx_check_cookie() { _htmlEscape() { _s="$1" - _s=$(echo "$_s" | sed "s/&/&/g") - _s=$(echo "$_s" | sed "s//\>/g") - _s=$(echo "$_s" | sed 's/"/\"/g') + _s=$(printf '%s' "$_s" | sed "s/&/&/g") + _s=$(printf '%s' "$_s" | sed "s//\>/g") + _s=$(printf '%s' "$_s" | sed 's/"/\"/g') printf -- %s "$_s" } From a5ad15be0212cefc2ffa99bcd4c611d15576d4ee Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 18:07:46 +0100 Subject: [PATCH 216/313] Add oathtool to Docker job for 2FA support --- .github/workflows/DNS.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index ccce2ff6..8f7ebd56 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -67,6 +67,8 @@ jobs: TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v4 + - name: Install oathtool + run: sudo apt-get update && sudo apt-get install -y oathtool - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file @@ -116,7 +118,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install tools - run: brew install socat + run: brew install socat oath-toolkit - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest @@ -173,7 +175,7 @@ jobs: shell: cmd - name: Install cygwin additional packages run: | - C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,oath-toolkit shell: cmd - name: Set ENV shell: cmd @@ -230,7 +232,7 @@ jobs: - uses: vmactions/freebsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg install -y socat curl + prepare: pkg install -y socat curl oath-toolkit usesh: true copyback: false run: | @@ -281,7 +283,7 @@ jobs: - uses: vmactions/openbsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg_add socat curl libiconv + prepare: pkg_add socat curl libiconv oath-toolkit usesh: true copyback: false run: | @@ -333,7 +335,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - /usr/sbin/pkg_add curl socat + /usr/sbin/pkg_add curl socat oath-toolkit usesh: true copyback: false run: | @@ -385,7 +387,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg install -y curl socat libnghttp2 + pkg install -y curl socat libnghttp2 oath-toolkit usesh: true copyback: false run: | @@ -443,7 +445,7 @@ jobs: copyback: false prepare: | pkgutil -U - pkgutil -y -i socat + pkgutil -y -i socat oathtool run: | pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH @@ -494,7 +496,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false - prepare: pkg install socat + prepare: pkg install socat oath-toolkit run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" From 0e5aab346f7958fdbe35ffa6a133614a59826a3f Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 18:17:05 +0100 Subject: [PATCH 217/313] Add oathtool to acmetest Docker image for 2FA support --- .github/workflows/DNS.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 8f7ebd56..781c13fb 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -67,10 +67,15 @@ jobs: TokenName5: ${{ secrets.TokenName5}} steps: - uses: actions/checkout@v4 - - name: Install oathtool - run: sudo apt-get update && sudo apt-get install -y oathtool - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Ensure oathtool in test container + run: | + cd ../acmetest + # Add oathtool installation to acmetest Dockerfile if it exists + if [ -f Dockerfile ]; then + sed -i 's/tzdata/tzdata oath-toolkit-oathtool/g' Dockerfile + fi - name: Set env file run: | cd ../acmetest From e92d0a74926855b607fdfb948eafe6bf44e0fdfa Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 18:20:56 +0100 Subject: [PATCH 218/313] Fix: Install oathtool at runtime in test container --- .github/workflows/DNS.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 781c13fb..e6319c09 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -69,13 +69,11 @@ jobs: - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - name: Ensure oathtool in test container + - name: Install oathtool in test container run: | cd ../acmetest - # Add oathtool installation to acmetest Dockerfile if it exists - if [ -f Dockerfile ]; then - sed -i 's/tzdata/tzdata oath-toolkit-oathtool/g' Dockerfile - fi + # Modify letest.sh to install oathtool at runtime + sed -i '/TEST_LOCAL skip setup/a apt-get update -qq && apt-get install -y -qq oathtool > /dev/null 2>&1 || true' letest.sh - name: Set env file run: | cd ../acmetest From b6523c230110f5477f3d4a45a020e4b99d230e69 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 18:42:28 +0100 Subject: [PATCH 219/313] Install oathtool in container via _setup function --- .github/workflows/DNS.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index e6319c09..64fa85d2 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -69,11 +69,11 @@ jobs: - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - name: Install oathtool in test container + - name: Patch acmetest to install oathtool in container run: | cd ../acmetest - # Modify letest.sh to install oathtool at runtime - sed -i '/TEST_LOCAL skip setup/a apt-get update -qq && apt-get install -y -qq oathtool > /dev/null 2>&1 || true' letest.sh + # Add oathtool installation before the test runs inside container + sed -i '/^_setup() {$/a \ if command -v apt-get >/dev/null 2>&1; then\n apt-get update -qq && apt-get install -y -qq oathtool >/dev/null 2>&1 || true\n fi' letest.sh - name: Set env file run: | cd ../acmetest From cba0ff832116b2fc322c3dd51401322789a62d4a Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 19:09:23 +0100 Subject: [PATCH 220/313] Add oathtool to ubuntu package list in plat.conf --- .github/workflows/DNS.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 64fa85d2..84cebf94 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -69,11 +69,11 @@ jobs: - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - name: Patch acmetest to install oathtool in container + - name: Add oathtool to ubuntu package list run: | cd ../acmetest - # Add oathtool installation before the test runs inside container - sed -i '/^_setup() {$/a \ if command -v apt-get >/dev/null 2>&1; then\n apt-get update -qq && apt-get install -y -qq oathtool >/dev/null 2>&1 || true\n fi' letest.sh + # Add oathtool to the ubuntu platform package list + sed -i 's/unzip,openssl,cron,socat,curl,idn,wget/unzip,openssl,cron,socat,curl,idn,wget,oathtool/' plat.conf - name: Set env file run: | cd ../acmetest From 65892453be0cff43cf1b6f996f5cbc2707d540d7 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Fri, 19 Dec 2025 19:23:13 +0100 Subject: [PATCH 221/313] take a fork of acmetest --- .github/workflows/DNS.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 84cebf94..5650c9e8 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -68,12 +68,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Clone acmetest - run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - name: Add oathtool to ubuntu package list - run: | - cd ../acmetest - # Add oathtool to the ubuntu platform package list - sed -i 's/unzip,openssl,cron,socat,curl,idn,wget/unzip,openssl,cron,socat,curl,idn,wget,oathtool/' plat.conf + run: cd .. && git clone --depth=1 https://github.com/flybyray/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file run: | cd ../acmetest From 3fb4c313ec3d28967ed22de769872ef8336d40a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=B5=B7=E6=B6=9B?= Date: Fri, 19 Dec 2025 16:41:22 +0800 Subject: [PATCH 222/313] Support list IPv6 address certificate --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index ba0f62bc..053f16db 100755 --- a/acme.sh +++ b/acme.sh @@ -5840,7 +5840,7 @@ list() { if [ -z "$_domain" ]; then printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Profile${_sep}CA${_sep}Created${_sep}Renew" fi - for di in "${CERT_HOME}"/*.*/; do + for di in "${CERT_HOME}"/{*.*,*:*}/; do d=$(basename "$di") _debug d "$d" ( From 1b2630dc0d4030f4507bcfeba60bdc2e102c1410 Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Sat, 20 Dec 2025 13:26:38 +0100 Subject: [PATCH 223/313] stop using oathtool --- .github/workflows/DNS.yml | 2 +- dnsapi/dns_inwx.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 5650c9e8..39d2a121 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -68,7 +68,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Clone acmetest - run: cd .. && git clone --depth=1 https://github.com/flybyray/acmetest.git && cp -r acme.sh acmetest/ + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Set env file run: | cd ../acmetest diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index a7ce9769..08809bf0 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -6,7 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_inwx Options: INWX_User Username INWX_Password Password - INWX_Shared_Secret 2 Factor Authentication Shared Secret (optional) + INWX_Shared_Secret 2 Factor Authentication Shared Secret (optional requires oathtool) ' # Dependencies: From 5fb42b7339b82d3397b2003dedd3302b439d745c Mon Sep 17 00:00:00 2001 From: Robert Rettig Date: Sat, 20 Dec 2025 14:53:01 +0100 Subject: [PATCH 224/313] remove prior additions which tried to use oathtool in tests --- .github/workflows/DNS.yml | 16 ++++++++-------- dnsapi/dns_inwx.sh | 8 ++++---- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 39d2a121..ccce2ff6 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -116,7 +116,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install tools - run: brew install socat oath-toolkit + run: brew install socat - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - name: Run acmetest @@ -173,7 +173,7 @@ jobs: shell: cmd - name: Install cygwin additional packages run: | - C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,oath-toolkit + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git shell: cmd - name: Set ENV shell: cmd @@ -230,7 +230,7 @@ jobs: - uses: vmactions/freebsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg install -y socat curl oath-toolkit + prepare: pkg install -y socat curl usesh: true copyback: false run: | @@ -281,7 +281,7 @@ jobs: - uses: vmactions/openbsd-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - prepare: pkg_add socat curl libiconv oath-toolkit + prepare: pkg_add socat curl libiconv usesh: true copyback: false run: | @@ -333,7 +333,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - /usr/sbin/pkg_add curl socat oath-toolkit + /usr/sbin/pkg_add curl socat usesh: true copyback: false run: | @@ -385,7 +385,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: | - pkg install -y curl socat libnghttp2 oath-toolkit + pkg install -y curl socat libnghttp2 usesh: true copyback: false run: | @@ -443,7 +443,7 @@ jobs: copyback: false prepare: | pkgutil -U - pkgutil -y -i socat oathtool + pkgutil -y -i socat run: | pkg set-mediator -v -I default@1.1 openssl export PATH=/usr/gnu/bin:$PATH @@ -494,7 +494,7 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' copyback: false - prepare: pkg install socat oath-toolkit + prepare: pkg install socat run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh index 08809bf0..2cf91404 100755 --- a/dnsapi/dns_inwx.sh +++ b/dnsapi/dns_inwx.sh @@ -172,10 +172,10 @@ _inwx_check_cookie() { _htmlEscape() { _s="$1" - _s=$(printf '%s' "$_s" | sed "s/&/&/g") - _s=$(printf '%s' "$_s" | sed "s//\>/g") - _s=$(printf '%s' "$_s" | sed 's/"/\"/g') + _s=$(echo "$_s" | sed "s/&/&/g") + _s=$(echo "$_s" | sed "s//\>/g") + _s=$(echo "$_s" | sed 's/"/\"/g') printf -- %s "$_s" } From f85de2b0d3560bab9fb553b53e9564edcad1b01d Mon Sep 17 00:00:00 2001 From: Erfan Gholizade Date: Wed, 3 Dec 2025 18:26:58 +0330 Subject: [PATCH 225/313] Added Sotoon dns api handle the case of metadata 404 in old api domains fix index of domain start fix shfmt Revert "handle the case of metadata 404 in old api domains" This reverts commit 9fe4616664b897c9891271006e7489b10bb818ca. fix 404 on dot ad hyphen fix shfmt --- dnsapi/dns_sotoon.sh | 319 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 319 insertions(+) create mode 100644 dnsapi/dns_sotoon.sh diff --git a/dnsapi/dns_sotoon.sh b/dnsapi/dns_sotoon.sh new file mode 100644 index 00000000..4a0fc034 --- /dev/null +++ b/dnsapi/dns_sotoon.sh @@ -0,0 +1,319 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_sotoon_info='Sotoon.ir +Site: Sotoon.ir +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_sotoon +Options: + Sotoon_Token API Token + Sotoon_WorkspaceUUID Workspace UUID + Sotoon_WorkspaceName Workspace Name +Issues: github.com/acmesh-official/acme.sh/issues/6656 +Author: Erfan Gholizade +' + +SOTOON_API_URL="https://api.sotoon.ir/delivery/v2/global" + +######## Public functions ##################### + +#Adding the txt record for validation. +#Usage: dns_sotoon_add fulldomain TXT_record +#Usage: dns_sotoon_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_sotoon_add() { + fulldomain=$1 + txtvalue=$2 + _info_sotoon "Using Sotoon" + + Sotoon_Token="${Sotoon_Token:-$(_readaccountconf_mutable Sotoon_Token)}" + Sotoon_WorkspaceUUID="${Sotoon_WorkspaceUUID:-$(_readaccountconf_mutable Sotoon_WorkspaceUUID)}" + Sotoon_WorkspaceName="${Sotoon_WorkspaceName:-$(_readaccountconf_mutable Sotoon_WorkspaceName)}" + + if [ -z "$Sotoon_Token" ]; then + _err_sotoon "You didn't specify \"Sotoon_Token\" token yet." + _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/tokens" + return 1 + fi + if [ -z "$Sotoon_WorkspaceUUID" ]; then + _err_sotoon "You didn't specify \"Sotoon_WorkspaceUUID\" Workspace UUID yet." + _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/workspaces" + return 1 + fi + if [ -z "$Sotoon_WorkspaceName" ]; then + _err_sotoon "You didn't specify \"Sotoon_WorkspaceName\" Workspace Name yet." + _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/workspaces" + return 1 + fi + + #save the info to the account conf file. + _saveaccountconf_mutable Sotoon_Token "$Sotoon_Token" + _saveaccountconf_mutable Sotoon_WorkspaceUUID "$Sotoon_WorkspaceUUID" + _saveaccountconf_mutable Sotoon_WorkspaceName "$Sotoon_WorkspaceName" + + _debug_sotoon "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err_sotoon "invalid domain" + return 1 + fi + + _info_sotoon "Adding record" + + _debug_sotoon _domain_id "$_domain_id" + _debug_sotoon _sub_domain "$_sub_domain" + _debug_sotoon _domain "$_domain" + + # First, GET the current domain zone to check for existing TXT records + # This is needed for wildcard certs which require multiple TXT values + _info_sotoon "Checking for existing TXT records" + if ! _sotoon_rest GET "$_domain_id"; then + _err_sotoon "Failed to get domain zone" + return 1 + fi + + # Check if there are existing TXT records for this subdomain + _existing_txt="" + if _contains "$response" "\"$_sub_domain\""; then + _debug_sotoon "Found existing records for $_sub_domain" + # Extract existing TXT values from the response + # The format is: "_acme-challenge":[{"TXT":"value1","type":"TXT","ttl":10},{"TXT":"value2",...}] + _existing_txt=$(echo "$response" | _egrep_o "\"$_sub_domain\":\[[^]]*\]" | sed "s/\"$_sub_domain\"://") + _debug_sotoon "Existing TXT records: $_existing_txt" + fi + + # Build the new record entry + _new_record="{\"TXT\":\"$txtvalue\",\"type\":\"TXT\",\"ttl\":120}" + + # If there are existing records, append to them; otherwise create new array + if [ -n "$_existing_txt" ] && [ "$_existing_txt" != "[]" ] && [ "$_existing_txt" != "null" ]; then + # Check if this exact TXT value already exists (avoid duplicates) + if _contains "$_existing_txt" "\"$txtvalue\""; then + _info_sotoon "TXT record already exists, skipping" + return 0 + fi + # Remove the closing bracket and append new record + _combined_records="$(echo "$_existing_txt" | sed 's/]$//'),$_new_record]" + _debug_sotoon "Combined records: $_combined_records" + else + # No existing records, create new array + _combined_records="[$_new_record]" + fi + + # Prepare the DNS record data in Kubernetes CRD format + _dns_record="{\"spec\":{\"records\":{\"$_sub_domain\":$_combined_records}}}" + + _debug_sotoon "DNS record payload: $_dns_record" + + # Use PATCH to update/add the record to the domain zone + _info_sotoon "Updating domain zone $_domain_id with TXT record" + if _sotoon_rest PATCH "$_domain_id" "$_dns_record"; then + if _contains "$response" "$txtvalue" || _contains "$response" "\"$_sub_domain\""; then + _info_sotoon "Added, OK" + return 0 + else + _debug_sotoon "Response: $response" + _err_sotoon "Add txt record error." + return 1 + fi + fi + + _err_sotoon "Add txt record error." + return 1 +} + +#Remove the txt record after validation. +#Usage: dns_sotoon_rm fulldomain TXT_record +#Usage: dns_sotoon_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_sotoon_rm() { + fulldomain=$1 + txtvalue=$2 + _info_sotoon "Using Sotoon" + _debug_sotoon fulldomain "$fulldomain" + _debug_sotoon txtvalue "$txtvalue" + + Sotoon_Token="${Sotoon_Token:-$(_readaccountconf_mutable Sotoon_Token)}" + Sotoon_WorkspaceUUID="${Sotoon_WorkspaceUUID:-$(_readaccountconf_mutable Sotoon_WorkspaceUUID)}" + Sotoon_WorkspaceName="${Sotoon_WorkspaceName:-$(_readaccountconf_mutable Sotoon_WorkspaceName)}" + + _debug_sotoon "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err_sotoon "invalid domain" + return 1 + fi + _debug_sotoon _domain_id "$_domain_id" + _debug_sotoon _sub_domain "$_sub_domain" + _debug_sotoon _domain "$_domain" + + _info_sotoon "Removing TXT record" + + # First, GET the current domain zone to check for existing TXT records + if ! _sotoon_rest GET "$_domain_id"; then + _err_sotoon "Failed to get domain zone" + return 1 + fi + + # Check if there are existing TXT records for this subdomain + _existing_txt="" + if _contains "$response" "\"$_sub_domain\""; then + _debug_sotoon "Found existing records for $_sub_domain" + _existing_txt=$(echo "$response" | _egrep_o "\"$_sub_domain\":\[[^]]*\]" | sed "s/\"$_sub_domain\"://") + _debug_sotoon "Existing TXT records: $_existing_txt" + fi + + # If no existing records, nothing to remove + if [ -z "$_existing_txt" ] || [ "$_existing_txt" = "[]" ] || [ "$_existing_txt" = "null" ]; then + _info_sotoon "No TXT records found, nothing to remove" + return 0 + fi + + # Remove the specific TXT value from the array + # This handles the case where there are multiple TXT values (wildcard certs) + _remaining_records=$(echo "$_existing_txt" | sed "s/{\"TXT\":\"$txtvalue\"[^}]*},*//g" | sed 's/,]/]/g' | sed 's/\[,/[/g') + _debug_sotoon "Remaining records after removal: $_remaining_records" + + # If no records remain, set to null to remove the subdomain entirely + if [ "$_remaining_records" = "[]" ] || [ -z "$_remaining_records" ]; then + _dns_record="{\"spec\":{\"records\":{\"$_sub_domain\":null}}}" + else + _dns_record="{\"spec\":{\"records\":{\"$_sub_domain\":$_remaining_records}}}" + fi + + _debug_sotoon "Remove record payload: $_dns_record" + + # Use PATCH to remove the record from the domain zone + if _sotoon_rest PATCH "$_domain_id" "$_dns_record"; then + _info_sotoon "Record removed, OK" + return 0 + else + _debug_sotoon "Response: $response" + _err_sotoon "Error removing record" + return 1 + fi +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=1 + p=1 + + _debug_sotoon "Getting root domain for: $domain" + _debug_sotoon "Sotoon WorkspaceUUID: $Sotoon_WorkspaceUUID" + _debug_sotoon "Sotoon WorkspaceName: $Sotoon_WorkspaceName" + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + _debug_sotoon "Checking domain part: $h" + + if [ -z "$h" ]; then + #not valid + _err_sotoon "Could not find valid domain" + return 1 + fi + + _debug_sotoon "Fetching domain zones from Sotoon API" + if ! _sotoon_rest GET ""; then + _err_sotoon "Failed to get domain zones from Sotoon API" + _err_sotoon "Please check your Sotoon_Token, Sotoon_WorkspaceUUID, and Sotoon_WorkspaceName" + return 1 + fi + + _debug2_sotoon "API Response: $response" + + # Check if the response contains our domain + # Sotoon API uses Kubernetes CRD format with spec.origin for domain matching + if _contains "$response" "\"origin\":\"$h\""; then + _debug_sotoon "Found domain by origin: $h" + + # In Kubernetes CRD format, the metadata.name is the resource identifier + # The name can be either: + # 1. Same as origin + # 2. Origin with dots replaced by hyphens + # We check both patterns in the response to determine which one exists + + # Convert origin to hyphenated version for checking + _h_hyphenated=$(echo "$h" | tr '.' '-') + + # Check if the hyphenated name exists in the response + if _contains "$response" "\"name\":\"$_h_hyphenated\""; then + _domain_id="$_h_hyphenated" + _debug_sotoon "Found domain ID (hyphenated): $_domain_id" + # Check if the origin itself is used as name + elif _contains "$response" "\"name\":\"$h\""; then + _domain_id="$h" + _debug_sotoon "Found domain ID (same as origin): $_domain_id" + else + # Fallback: use the hyphenated version (more common) + _domain_id="$_h_hyphenated" + _debug_sotoon "Using hyphenated domain ID as fallback: $_domain_id" + fi + + if [ -n "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain=$h + _debug_sotoon "Domain ID (metadata.name): $_domain_id" + _debug_sotoon "Sub domain: $_sub_domain" + _debug_sotoon "Domain (origin): $_domain" + return 0 + fi + _err_sotoon "Found domain $h but could not extract domain ID" + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_sotoon_rest() { + mtd="$1" + resource_id="$2" + data="$3" + + token_trimmed=$(echo "$Sotoon_Token" | tr -d '"') + + # Construct the API endpoint + _api_path="$SOTOON_API_URL/workspaces/$Sotoon_WorkspaceUUID/namespaces/$Sotoon_WorkspaceName/domainzones" + + if [ -n "$resource_id" ]; then + _api_path="$_api_path/$resource_id" + fi + + _debug_sotoon "API Path: $_api_path" + _debug_sotoon "Method: $mtd" + + # Set authorization header - Sotoon API uses Bearer token + export _H1="Authorization: Bearer $token_trimmed" + + if [ "$mtd" = "GET" ]; then + # GET request + _debug_sotoon "GET" "$_api_path" + response="$(_get "$_api_path")" + elif [ "$mtd" = "PATCH" ]; then + # PATCH Request + export _H2="Content-Type: application/merge-patch+json" + _debug_sotoon data "$data" + response="$(_post "$data" "$_api_path" "" "$mtd")" + else + _err_sotoon "Unknown method: $mtd" + return 1 + fi + + _debug2_sotoon response "$response" + return 0 +} + +#Wrappers for logging +_info_sotoon() { + _info "[Sotoon]" "$@" +} + +_err_sotoon() { + _err "[Sotoon]" "$@" +} + +_debug_sotoon() { + _debug "[Sotoon]" "$@" +} + +_debug2_sotoon() { + _debug2 "[Sotoon]" "$@" +} From 03d8d3bc1b20fe356feb823069424868e149898e Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 22 Dec 2025 04:29:50 +0100 Subject: [PATCH 226/313] Update dns_hostup.sh --- dnsapi/dns_hostup.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh index 347f34d1..af722297 100644 --- a/dnsapi/dns_hostup.sh +++ b/dnsapi/dns_hostup.sh @@ -171,7 +171,7 @@ _hostup_detect_zone() { return 1 fi - _domain_candidate="$(printf "%s" "$fulldomain" | tr '[:upper:]' '[:lower:]')" + _domain_candidate="$(_lower_case "$fulldomain")" _debug "hostup_initial_candidate" "$_domain_candidate" while [ -n "$_domain_candidate" ]; do @@ -361,7 +361,7 @@ _hostup_json_extract() { input="${2:-$line}" # First try to extract quoted values (strings) - quoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":\"[^\"]*\"" | head -n1)" + quoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":\"[^\"]*\"" | _head_n 1)" if [ -n "$quoted_match" ]; then printf "%s" "$quoted_match" | cut -d : -f2- | @@ -372,7 +372,7 @@ _hostup_json_extract() { fi # Fallback for unquoted values (e.g., numeric IDs) - unquoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":[^,}]*" | head -n1)" + unquoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":[^,}]*" | _head_n 1)" if [ -n "$unquoted_match" ]; then printf "%s" "$unquoted_match" | cut -d : -f2- | @@ -392,7 +392,7 @@ _hostup_record_key() { zone_id="$1" domain="$2" safe_zone="$(printf "%s" "$zone_id" | sed 's/[^A-Za-z0-9]/_/g')" - safe_domain="$(printf "%s" "$domain" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/_/g')" + safe_domain="$(printf "%s" "$(_lower_case "$domain")" | sed 's/[^a-z0-9]/_/g')" printf "%s_%s" "$safe_zone" "$safe_domain" } @@ -425,7 +425,7 @@ _hostup_extract_record_id() { return 0 fi - printf "%s" "$1" | _egrep_o '"id":[0-9]+' | head -n1 | cut -d: -f2 + printf "%s" "$1" | _egrep_o '"id":[0-9]+' | _head_n 1 | cut -d: -f2 } _hostup_delete_record_by_id() { From e321b3c75c0eabe6341f9d7b5643a9e9ef4019a6 Mon Sep 17 00:00:00 2001 From: hostup <52465293+hostup@users.noreply.github.com> Date: Mon, 22 Dec 2025 04:53:21 +0100 Subject: [PATCH 227/313] Update dns_hostup.sh --- dnsapi/dns_hostup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_hostup.sh b/dnsapi/dns_hostup.sh index af722297..b3211069 100644 --- a/dnsapi/dns_hostup.sh +++ b/dnsapi/dns_hostup.sh @@ -3,7 +3,7 @@ dns_hostup_info='HostUp DNS Site: hostup.se -Docs: https://hostup.se/en/support/api-autentisering/ +Docs: https://developer.hostup.se/ Options: HOSTUP_API_KEY Required. HostUp API key with read:dns + write:dns + read:domains scopes. HOSTUP_API_BASE Optional. Override API base URL (default: https://cloud.hostup.se/api). @@ -171,7 +171,7 @@ _hostup_detect_zone() { return 1 fi - _domain_candidate="$(_lower_case "$fulldomain")" + _domain_candidate="$(printf "%s" "$fulldomain" | _lower_case)" _debug "hostup_initial_candidate" "$_domain_candidate" while [ -n "$_domain_candidate" ]; do @@ -392,7 +392,7 @@ _hostup_record_key() { zone_id="$1" domain="$2" safe_zone="$(printf "%s" "$zone_id" | sed 's/[^A-Za-z0-9]/_/g')" - safe_domain="$(printf "%s" "$(_lower_case "$domain")" | sed 's/[^a-z0-9]/_/g')" + safe_domain="$(printf "%s" "$domain" | _lower_case | sed 's/[^a-z0-9]/_/g')" printf "%s_%s" "$safe_zone" "$safe_domain" } From 0eb40c6ce6ce5c0bf17f39893e1b6ea4056ae362 Mon Sep 17 00:00:00 2001 From: DreamSlave <50408721+mq00fc@users.noreply.github.com> Date: Mon, 22 Dec 2025 17:00:22 +0800 Subject: [PATCH 228/313] Update timestamp variable in ali_cdn.sh --- deploy/ali_cdn.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 70a2e532..3c28674e 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh @@ -83,6 +83,6 @@ _set_cdn_domain_ssl_certificate_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2018-05-10' } From fd6a14de8a69193a5367dfaae71857d804a83528 Mon Sep 17 00:00:00 2001 From: DreamSlave <50408721+mq00fc@users.noreply.github.com> Date: Mon, 22 Dec 2025 17:00:31 +0800 Subject: [PATCH 229/313] Update timestamp function in ali_dcdn.sh --- deploy/ali_dcdn.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/ali_dcdn.sh b/deploy/ali_dcdn.sh index 14ac500a..27d3a726 100644 --- a/deploy/ali_dcdn.sh +++ b/deploy/ali_dcdn.sh @@ -83,6 +83,6 @@ _set_dcdn_domain_ssl_certificate_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2018-01-15' } From 1d26d4fc913abf6358e449fc4713b16cc0781b1f Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Mon, 22 Dec 2025 16:42:26 -0500 Subject: [PATCH 230/313] Detect missing jq --- dnsapi/dns_qc.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index b7267f63..81a1e636 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -18,6 +18,11 @@ dns_qc_add() { txtvalue=$2 _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" + if ! _exists jq; then + _err "jq not found" + return 1 + fi + QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" From 94783f46ad0c512b74a4f3ac760860c4ef0c2d61 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 23 Dec 2025 07:53:33 -0500 Subject: [PATCH 231/313] Retry to pass workflow --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 81a1e636..aa58d0dc 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -19,7 +19,7 @@ dns_qc_add() { _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" if ! _exists jq; then - _err "jq not found" + _err "In dns_qc jq not found" return 1 fi From f1aac43f0f9c701e47b8ab52d64495cd9b1d0287 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 23 Dec 2025 09:10:49 -0500 Subject: [PATCH 232/313] Retry for workflow --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index aa58d0dc..ed784f28 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -19,7 +19,7 @@ dns_qc_add() { _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" if ! _exists jq; then - _err "In dns_qc jq not found" + _err "In dns_qc jq not found." return 1 fi From 383557df61d616f0b5d1e01c97bba48d2cb74553 Mon Sep 17 00:00:00 2001 From: Erfan Gholizade Date: Wed, 24 Dec 2025 17:19:17 +0330 Subject: [PATCH 233/313] improve: change sotoon api to v2.1 with simplification --- dnsapi/dns_sotoon.sh | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/dnsapi/dns_sotoon.sh b/dnsapi/dns_sotoon.sh index 4a0fc034..b94a220f 100644 --- a/dnsapi/dns_sotoon.sh +++ b/dnsapi/dns_sotoon.sh @@ -6,12 +6,11 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_sotoon Options: Sotoon_Token API Token Sotoon_WorkspaceUUID Workspace UUID - Sotoon_WorkspaceName Workspace Name Issues: github.com/acmesh-official/acme.sh/issues/6656 Author: Erfan Gholizade ' -SOTOON_API_URL="https://api.sotoon.ir/delivery/v2/global" +SOTOON_API_URL="https://api.sotoon.ir/delivery/v2.1/global" ######## Public functions ##################### @@ -25,7 +24,6 @@ dns_sotoon_add() { Sotoon_Token="${Sotoon_Token:-$(_readaccountconf_mutable Sotoon_Token)}" Sotoon_WorkspaceUUID="${Sotoon_WorkspaceUUID:-$(_readaccountconf_mutable Sotoon_WorkspaceUUID)}" - Sotoon_WorkspaceName="${Sotoon_WorkspaceName:-$(_readaccountconf_mutable Sotoon_WorkspaceName)}" if [ -z "$Sotoon_Token" ]; then _err_sotoon "You didn't specify \"Sotoon_Token\" token yet." @@ -37,16 +35,10 @@ dns_sotoon_add() { _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/workspaces" return 1 fi - if [ -z "$Sotoon_WorkspaceName" ]; then - _err_sotoon "You didn't specify \"Sotoon_WorkspaceName\" Workspace Name yet." - _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/workspaces" - return 1 - fi #save the info to the account conf file. _saveaccountconf_mutable Sotoon_Token "$Sotoon_Token" _saveaccountconf_mutable Sotoon_WorkspaceUUID "$Sotoon_WorkspaceUUID" - _saveaccountconf_mutable Sotoon_WorkspaceName "$Sotoon_WorkspaceName" _debug_sotoon "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -130,7 +122,6 @@ dns_sotoon_rm() { Sotoon_Token="${Sotoon_Token:-$(_readaccountconf_mutable Sotoon_Token)}" Sotoon_WorkspaceUUID="${Sotoon_WorkspaceUUID:-$(_readaccountconf_mutable Sotoon_WorkspaceUUID)}" - Sotoon_WorkspaceName="${Sotoon_WorkspaceName:-$(_readaccountconf_mutable Sotoon_WorkspaceName)}" _debug_sotoon "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -197,7 +188,6 @@ _get_root() { _debug_sotoon "Getting root domain for: $domain" _debug_sotoon "Sotoon WorkspaceUUID: $Sotoon_WorkspaceUUID" - _debug_sotoon "Sotoon WorkspaceName: $Sotoon_WorkspaceName" while true; do h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) @@ -212,7 +202,7 @@ _get_root() { _debug_sotoon "Fetching domain zones from Sotoon API" if ! _sotoon_rest GET ""; then _err_sotoon "Failed to get domain zones from Sotoon API" - _err_sotoon "Please check your Sotoon_Token, Sotoon_WorkspaceUUID, and Sotoon_WorkspaceName" + _err_sotoon "Please check your Sotoon_Token, Sotoon_WorkspaceUUID" return 1 fi @@ -271,7 +261,7 @@ _sotoon_rest() { token_trimmed=$(echo "$Sotoon_Token" | tr -d '"') # Construct the API endpoint - _api_path="$SOTOON_API_URL/workspaces/$Sotoon_WorkspaceUUID/namespaces/$Sotoon_WorkspaceName/domainzones" + _api_path="$SOTOON_API_URL/workspaces/$Sotoon_WorkspaceUUID/domainzones" if [ -n "$resource_id" ]; then _api_path="$_api_path/$resource_id" From f4a575fee15054eec1b02c82836ed41053a52e81 Mon Sep 17 00:00:00 2001 From: jwaterwater Date: Thu, 25 Dec 2025 14:48:44 +0800 Subject: [PATCH 234/313] bug fixed --- deploy/ali_cdn.sh | 2 +- deploy/ali_dcdn.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 70a2e532..3c28674e 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh @@ -83,6 +83,6 @@ _set_cdn_domain_ssl_certificate_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2018-05-10' } diff --git a/deploy/ali_dcdn.sh b/deploy/ali_dcdn.sh index 14ac500a..27d3a726 100644 --- a/deploy/ali_dcdn.sh +++ b/deploy/ali_dcdn.sh @@ -83,6 +83,6 @@ _set_dcdn_domain_ssl_certificate_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2018-01-15' } From b9c877adb973d6efa128664ded3761aee1fa0872 Mon Sep 17 00:00:00 2001 From: xiagw Date: Sat, 27 Dec 2025 14:33:03 +0800 Subject: [PATCH 235/313] fix: update timestamp variable for CDN and DCDN SSL certificate queries --- deploy/ali_cdn.sh | 2 +- deploy/ali_dcdn.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 70a2e532..3c28674e 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh @@ -83,6 +83,6 @@ _set_cdn_domain_ssl_certificate_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2018-05-10' } diff --git a/deploy/ali_dcdn.sh b/deploy/ali_dcdn.sh index 14ac500a..27d3a726 100644 --- a/deploy/ali_dcdn.sh +++ b/deploy/ali_dcdn.sh @@ -83,6 +83,6 @@ _set_dcdn_domain_ssl_certificate_query() { query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' - query=$query'&Timestamp='$(_timestamp) + query=$query'&Timestamp='$(_ali_timestamp) query=$query'&Version=2018-01-15' } From 5a730bf00d705c7914dc630ecc5149b3bd9ad87e Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Thu, 20 Feb 2025 21:42:11 +0100 Subject: [PATCH 236/313] implemented checking deploy file --- deploy/multideploy.sh | 114 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 deploy/multideploy.sh diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh new file mode 100644 index 00000000..ba57afa1 --- /dev/null +++ b/deploy/multideploy.sh @@ -0,0 +1,114 @@ +#!/usr/bin/env sh + +# MULTIDEPLOY_CONFIG="default" + +######## Public functions ##################### + +MULTIDEPLOY_VERSION="1.0" +MULTIDEPLOY_FILENAME="multideploy.yaml" + +# domain keyfile certfile cafile fullchain pfx +multideploy_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + _cpfx="$6" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + _debug _cpfx "$_cpfx" + + DOMAIN_DIR=$_cdomain + if echo "$DOMAIN_PATH" | grep -q "$ECC_SUFFIX"; then + DOMAIN_DIR="$DOMAIN_DIR"_ecc + fi + _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" + + _preprocess_deployfile "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" + + MULTIDEPLOY_CONFIG="${MULTIDEPLOY_CONFIG:-$(_getdeployconf MULTIDEPLOY_CONFIG)}" + if [ -z "$MULTIDEPLOY_CONFIG" ]; then + MULTIDEPLOY_CONFIG="default" + _info "MULTIDEPLOY_CONFIG is not set, so I will use 'default'." + else + _savedeployconf "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" + _debug2 "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" + fi + + # TODO: Deploy to services +} + +#################### Private functions below ##################### + +# deploy_filepath +_preprocess_deployfile() { + deploy_file="$1" + + # Check if yq is installed + if ! command -v yq >/dev/null 2>&1; then + _err "yq is not installed! Please install yq and try again." + return 1 + fi + + # Check if deploy file exists and create a default template if not + if [ -f "$deploy_file" ]; then + _debug3 "Deploy file found." + _check_deployfile "$deploy_file" "$MULTIDEPLOY_CONFIG" + else + # TODO: Replace URL with wiki link + _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." + return 1 + fi +} + +# deploy_filepath deploy_config +_check_deployfile() { + deploy_file="$1" + deploy_config="$3" + + # Check version + deploy_file_version=$(yq '.version' "$deploy_file") + if [ "$MULTIDEPLOY_VERSION" != "$deploy_file_version" ]; then + _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $deploy_file_version." + return 1 + fi + + # Check if config exists + if ! yq e ".configs[] | select(.name == \"$deploy_config\")" "$deploy_file" >/dev/null; then + _err "Config '$deploy_config' not found." + return 1 + fi + + # Extract all services from config + services=$(yq e ".configs[] | select(.name == \"$deploy_config\").services[]" "$deploy_file") + + if [ -z "$services" ]; then + _err "Config '$deploy_config' does not have any services to deploy to." + return 1 + fi + + # Check if extracted services exist in services list + for service in $services; do + if ! yq e ".services[] | select(.name == \"$service\")" "$deploy_file" >/dev/null; then + _err "Service '$service' not found." + return 1 + fi + + # Check if service has hook + if ! yq e ".services[] | select(.name == \"$service\").hook" "$deploy_file" >/dev/null; then + _err "Service '$service' does not have a hook." + return 1 + fi + + # Check if service has environment + if ! yq e ".services[] | select(.name == \"$service\").environment" "$deploy_file" >/dev/null; then + _err "Service '$service' does not an environment." + return 1 + fi + done +} From 3c184486c3b0749bfa6d1812071d3f099a155815 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Thu, 20 Feb 2025 21:56:28 +0100 Subject: [PATCH 237/313] fixed indents --- deploy/multideploy.sh | 158 +++++++++++++++++++++--------------------- 1 file changed, 79 insertions(+), 79 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index ba57afa1..08e0aba6 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -9,106 +9,106 @@ MULTIDEPLOY_FILENAME="multideploy.yaml" # domain keyfile certfile cafile fullchain pfx multideploy_deploy() { - _cdomain="$1" - _ckey="$2" - _ccert="$3" - _cca="$4" - _cfullchain="$5" - _cpfx="$6" + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + _cpfx="$6" - _debug _cdomain "$_cdomain" - _debug _ckey "$_ckey" - _debug _ccert "$_ccert" - _debug _cca "$_cca" - _debug _cfullchain "$_cfullchain" - _debug _cpfx "$_cpfx" + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + _debug _cpfx "$_cpfx" - DOMAIN_DIR=$_cdomain - if echo "$DOMAIN_PATH" | grep -q "$ECC_SUFFIX"; then - DOMAIN_DIR="$DOMAIN_DIR"_ecc - fi - _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" + DOMAIN_DIR=$_cdomain + if echo "$DOMAIN_PATH" | grep -q "$ECC_SUFFIX"; then + DOMAIN_DIR="$DOMAIN_DIR"_ecc + fi + _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" - _preprocess_deployfile "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" + _preprocess_deployfile "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" - MULTIDEPLOY_CONFIG="${MULTIDEPLOY_CONFIG:-$(_getdeployconf MULTIDEPLOY_CONFIG)}" - if [ -z "$MULTIDEPLOY_CONFIG" ]; then - MULTIDEPLOY_CONFIG="default" - _info "MULTIDEPLOY_CONFIG is not set, so I will use 'default'." - else - _savedeployconf "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" - _debug2 "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" - fi + MULTIDEPLOY_CONFIG="${MULTIDEPLOY_CONFIG:-$(_getdeployconf MULTIDEPLOY_CONFIG)}" + if [ -z "$MULTIDEPLOY_CONFIG" ]; then + MULTIDEPLOY_CONFIG="default" + _info "MULTIDEPLOY_CONFIG is not set, so I will use 'default'." + else + _savedeployconf "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" + _debug2 "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" + fi - # TODO: Deploy to services + # TODO: Deploy to services } #################### Private functions below ##################### # deploy_filepath _preprocess_deployfile() { - deploy_file="$1" + deploy_file="$1" - # Check if yq is installed - if ! command -v yq >/dev/null 2>&1; then - _err "yq is not installed! Please install yq and try again." - return 1 - fi + # Check if yq is installed + if ! command -v yq >/dev/null 2>&1; then + _err "yq is not installed! Please install yq and try again." + return 1 + fi - # Check if deploy file exists and create a default template if not - if [ -f "$deploy_file" ]; then - _debug3 "Deploy file found." - _check_deployfile "$deploy_file" "$MULTIDEPLOY_CONFIG" - else - # TODO: Replace URL with wiki link - _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." - return 1 - fi + # Check if deploy file exists and create a default template if not + if [ -f "$deploy_file" ]; then + _debug3 "Deploy file found." + _check_deployfile "$deploy_file" "$MULTIDEPLOY_CONFIG" + else + # TODO: Replace URL with wiki link + _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." + return 1 + fi } # deploy_filepath deploy_config _check_deployfile() { - deploy_file="$1" - deploy_config="$3" + deploy_file="$1" + deploy_config="$3" - # Check version - deploy_file_version=$(yq '.version' "$deploy_file") - if [ "$MULTIDEPLOY_VERSION" != "$deploy_file_version" ]; then - _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $deploy_file_version." - return 1 + # Check version + deploy_file_version=$(yq '.version' "$deploy_file") + if [ "$MULTIDEPLOY_VERSION" != "$deploy_file_version" ]; then + _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $deploy_file_version." + return 1 + fi + + # Check if config exists + if ! yq e ".configs[] | select(.name == \"$deploy_config\")" "$deploy_file" >/dev/null; then + _err "Config '$deploy_config' not found." + return 1 + fi + + # Extract all services from config + services=$(yq e ".configs[] | select(.name == \"$deploy_config\").services[]" "$deploy_file") + + if [ -z "$services" ]; then + _err "Config '$deploy_config' does not have any services to deploy to." + return 1 + fi + + # Check if extracted services exist in services list + for service in $services; do + if ! yq e ".services[] | select(.name == \"$service\")" "$deploy_file" >/dev/null; then + _err "Service '$service' not found." + return 1 fi - # Check if config exists - if ! yq e ".configs[] | select(.name == \"$deploy_config\")" "$deploy_file" >/dev/null; then - _err "Config '$deploy_config' not found." - return 1 + # Check if service has hook + if ! yq e ".services[] | select(.name == \"$service\").hook" "$deploy_file" >/dev/null; then + _err "Service '$service' does not have a hook." + return 1 fi - # Extract all services from config - services=$(yq e ".configs[] | select(.name == \"$deploy_config\").services[]" "$deploy_file") - - if [ -z "$services" ]; then - _err "Config '$deploy_config' does not have any services to deploy to." - return 1 + # Check if service has environment + if ! yq e ".services[] | select(.name == \"$service\").environment" "$deploy_file" >/dev/null; then + _err "Service '$service' does not an environment." + return 1 fi - - # Check if extracted services exist in services list - for service in $services; do - if ! yq e ".services[] | select(.name == \"$service\")" "$deploy_file" >/dev/null; then - _err "Service '$service' not found." - return 1 - fi - - # Check if service has hook - if ! yq e ".services[] | select(.name == \"$service\").hook" "$deploy_file" >/dev/null; then - _err "Service '$service' does not have a hook." - return 1 - fi - - # Check if service has environment - if ! yq e ".services[] | select(.name == \"$service\").environment" "$deploy_file" >/dev/null; then - _err "Service '$service' does not an environment." - return 1 - fi - done + done } From b2eb1d2bbc8fed4f940afa1fb20a4e0beb33bf3a Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Thu, 20 Feb 2025 23:02:56 +0100 Subject: [PATCH 238/313] refactored getting services --- deploy/multideploy.sh | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 08e0aba6..2a83a19f 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -85,7 +85,7 @@ _check_deployfile() { fi # Extract all services from config - services=$(yq e ".configs[] | select(.name == \"$deploy_config\").services[]" "$deploy_file") + services=$(_get_services_list "$deploy_file" "$deploy_config") if [ -z "$services" ]; then _err "Config '$deploy_config' does not have any services to deploy to." @@ -112,3 +112,29 @@ _check_deployfile() { fi done } + +# deploy_filepath deploy_config +_get_services_list() { + deploy_file="$1" + deploy_config="$2" + + services=$(yq e ".configs[] | select(.name == \"$deploy_config\").services[]" "$deploy_file") + echo "$services" +} + +# deploy_filepath service_names +_get_full_services_list() { + deploy_file="$1" + shift + service_names="$*" + + full_services="" + for service in $service_names; do + full_service=$(yq e ".services[] | select(.name == \"$service\")" "$deploy_file") + full_services="$full_services +$full_service" + done + + echo "$full_services" +} + From 0ed5e21232ddcf821f47a1bd223fd05511494775 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 10:49:08 +0100 Subject: [PATCH 239/313] fixed formatting and private var names --- deploy/multideploy.sh | 68 +++++++++++++++++++++---------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 2a83a19f..245c95a6 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -29,7 +29,7 @@ multideploy_deploy() { fi _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" - _preprocess_deployfile "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" + _preprocess_deployfile "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" || return 1 MULTIDEPLOY_CONFIG="${MULTIDEPLOY_CONFIG:-$(_getdeployconf MULTIDEPLOY_CONFIG)}" if [ -z "$MULTIDEPLOY_CONFIG" ]; then @@ -47,7 +47,7 @@ multideploy_deploy() { # deploy_filepath _preprocess_deployfile() { - deploy_file="$1" + _deploy_file="$1" # Check if yq is installed if ! command -v yq >/dev/null 2>&1; then @@ -56,9 +56,9 @@ _preprocess_deployfile() { fi # Check if deploy file exists and create a default template if not - if [ -f "$deploy_file" ]; then + if [ -f "$_deploy_file" ]; then _debug3 "Deploy file found." - _check_deployfile "$deploy_file" "$MULTIDEPLOY_CONFIG" + _check_deployfile "$_deploy_file" "$MULTIDEPLOY_CONFIG" else # TODO: Replace URL with wiki link _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." @@ -66,48 +66,48 @@ _preprocess_deployfile() { fi } -# deploy_filepath deploy_config +# deploy_filepath _deploy_config _check_deployfile() { - deploy_file="$1" - deploy_config="$3" + _deploy_file="$1" + _deploy_config="$3" # Check version - deploy_file_version=$(yq '.version' "$deploy_file") - if [ "$MULTIDEPLOY_VERSION" != "$deploy_file_version" ]; then - _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $deploy_file_version." + _deploy_file_version=$(yq '.version' "$_deploy_file") + if [ "$MULTIDEPLOY_VERSION" != "$_deploy_file_version" ]; then + _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $_deploy_file_version." return 1 fi # Check if config exists - if ! yq e ".configs[] | select(.name == \"$deploy_config\")" "$deploy_file" >/dev/null; then - _err "Config '$deploy_config' not found." + if ! yq e ".configs[] | select(.name == \"$_deploy_config\")" "$_deploy_file" >/dev/null; then + _err "Config '$_deploy_config' not found." return 1 fi # Extract all services from config - services=$(_get_services_list "$deploy_file" "$deploy_config") + _services=$(_get_services_list "$_deploy_file" "$_deploy_config") - if [ -z "$services" ]; then - _err "Config '$deploy_config' does not have any services to deploy to." + if [ -z "$_services" ]; then + _err "Config '$_deploy_config' does not have any services to deploy to." return 1 fi # Check if extracted services exist in services list - for service in $services; do - if ! yq e ".services[] | select(.name == \"$service\")" "$deploy_file" >/dev/null; then - _err "Service '$service' not found." + for _service in $_services; do + if ! yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file" >/dev/null; then + _err "Service '$_service' not found." return 1 fi # Check if service has hook - if ! yq e ".services[] | select(.name == \"$service\").hook" "$deploy_file" >/dev/null; then - _err "Service '$service' does not have a hook." + if ! yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file" >/dev/null; then + _err "Service '$_service' does not have a hook." return 1 fi # Check if service has environment - if ! yq e ".services[] | select(.name == \"$service\").environment" "$deploy_file" >/dev/null; then - _err "Service '$service' does not an environment." + if ! yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file" >/dev/null; then + _err "Service '$_service' does not an environment." return 1 fi done @@ -115,26 +115,26 @@ _check_deployfile() { # deploy_filepath deploy_config _get_services_list() { - deploy_file="$1" - deploy_config="$2" + _deploy_file="$1" + _deploy_config="$2" - services=$(yq e ".configs[] | select(.name == \"$deploy_config\").services[]" "$deploy_file") - echo "$services" + _services=$(yq e ".configs[] | select(.name == \"$_deploy_config\").services[]" "$_deploy_file") + echo "$_services" } # deploy_filepath service_names _get_full_services_list() { - deploy_file="$1" + _deploy_file="$1" shift - service_names="$*" + _service_names="$*" - full_services="" - for service in $service_names; do - full_service=$(yq e ".services[] | select(.name == \"$service\")" "$deploy_file") - full_services="$full_services -$full_service" + _full_services="" + for _service in $_service_names; do + _full_service=$(yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file") + _full_services="$_full_services +$_full_service" done - echo "$full_services" + echo "$_full_services" } From 67d58a12e76944389fab15632e078c3c10717b79 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 10:50:11 +0100 Subject: [PATCH 240/313] implemented handling envs --- deploy/multideploy.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 245c95a6..d1642538 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -138,3 +138,25 @@ $_full_service" echo "$_full_services" } +# env_list +_export_envs() { + _env_list="$1" + + for _env in $_env_list; do + _key=$(echo "$_env" | cut -d '=' -f1) + _value=$(echo "$_env" | cut -d '=' -f2-) + _savedomainconf "$_key" "$_value" + _secure_debug3 "Saved $_key" "$_value" + done +} + +_clear_envs() { + _env_list="$1" + + for _env in $_env_list; do + _key=$(echo "$_env" | cut -d '=' -f1) + _debug3 "Deleting key" "$_key" + _cleardomainconf "SAVED_$_key" + unset "$_key" + done +} From 23e1a53ec8d7b33e44fe81d5cf19534f1a5de296 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 10:50:35 +0100 Subject: [PATCH 241/313] implemented deploying to services --- deploy/multideploy.sh | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index d1642538..caca02e2 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -40,7 +40,16 @@ multideploy_deploy() { _debug2 "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" fi - # TODO: Deploy to services + # Deploy to services + _services=$(_get_services_list "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_CONFIG") + _full_services=$(_get_full_services_list "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" "$_services") + _deploy_services "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" "$_full_services" + + # Save deployhook for renewals + _debug2 "Setting Le_DeployHook" + _savedomainconf "Le_DeployHook" "multideploy" + + return 0 } #################### Private functions below ##################### @@ -160,3 +169,34 @@ _clear_envs() { unset "$_key" done } + +# deploy_filepath services_array +_deploy_services() { + _deploy_file="$1" + shift + _services="$*" + + for _service in $_services; do + _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") + _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") + _export_envs "$_envs" + _deploy_service "$_service" "$_hook" + _clear_envs "$_envs" + done +} + +_deploy_service() { + _name="$1" + _hook="$2" + + _debug2 "SERVICE" "$_name" + _debug2 "HOOK" "$_hook" + + _info "$(__green "Deploying") to '$_name' using '$_hook'" + if echo "$DOMAIN_PATH" | grep -q "$ECC_SUFFIX"; then + _debug2 "User wants to use ECC." + deploy "$_cdomain" "$_hook" "isEcc" + else + deploy "$_cdomain" "$_hook" + fi +} From 34eb2a655a8da40827478931ce984ad3f265356f Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 10:50:50 +0100 Subject: [PATCH 242/313] added yq to dockerfile --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 88edc4a2..4852cde4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,6 +13,7 @@ RUN apk --no-cache add -f \ tar \ libidn \ jq \ + yq \ cronie ENV LE_WORKING_DIR=/acmebin From fb0926dc81ccbdcbfc833f07de307f029e4289bc Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 15:51:02 +0100 Subject: [PATCH 243/313] implemented checking for different kinds of deploy file --- deploy/multideploy.sh | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index caca02e2..9df2c423 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -5,7 +5,8 @@ ######## Public functions ##################### MULTIDEPLOY_VERSION="1.0" -MULTIDEPLOY_FILENAME="multideploy.yaml" +MULTIDEPLOY_FILENAME="multideploy.yml" +MULTIDEPLOY_FILENAME2="multideploy.yaml" # domain keyfile certfile cafile fullchain pfx multideploy_deploy() { @@ -56,18 +57,30 @@ multideploy_deploy() { # deploy_filepath _preprocess_deployfile() { - _deploy_file="$1" - # Check if yq is installed if ! command -v yq >/dev/null 2>&1; then _err "yq is not installed! Please install yq and try again." return 1 fi + _debug3 "yq is installed." - # Check if deploy file exists and create a default template if not - if [ -f "$_deploy_file" ]; then - _debug3 "Deploy file found." - _check_deployfile "$_deploy_file" "$MULTIDEPLOY_CONFIG" + # Check if deploy file exists + for file in "$@"; do + _debug3 "Checking file" "$DOMAIN_PATH/$file" + if [ -f "$DOMAIN_PATH/$file" ]; then + _debug3 "File found" + if [ -n "$found_file" ]; then + _err "Multiple deploy files found. Please keep only one deploy file." + return 1 + fi + found_file="$file" + else + _debug3 "File not found" + fi + done + + if [ -n "$found_file" ]; then + _check_deployfile "$DOMAIN_PATH/$found_file" "$MULTIDEPLOY_CONFIG" else # TODO: Replace URL with wiki link _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." From db1dc4de0deb66b75bf83a4b1d6a274b7b5e6f09 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 15:52:02 +0100 Subject: [PATCH 244/313] added debug messages --- deploy/multideploy.sh | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 9df2c423..3c243c04 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -30,8 +30,6 @@ multideploy_deploy() { fi _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" - _preprocess_deployfile "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" || return 1 - MULTIDEPLOY_CONFIG="${MULTIDEPLOY_CONFIG:-$(_getdeployconf MULTIDEPLOY_CONFIG)}" if [ -z "$MULTIDEPLOY_CONFIG" ]; then MULTIDEPLOY_CONFIG="default" @@ -91,7 +89,10 @@ _preprocess_deployfile() { # deploy_filepath _deploy_config _check_deployfile() { _deploy_file="$1" - _deploy_config="$3" + _deploy_config="$2" + + _debug2 "Deploy file" "$_deploy_file" + _debug2 "Deploy config" "$_deploy_config" # Check version _deploy_file_version=$(yq '.version' "$_deploy_file") @@ -99,23 +100,29 @@ _check_deployfile() { _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $_deploy_file_version." return 1 fi + _debug2 "Deploy file version is compatible: $_deploy_file_version" # Check if config exists if ! yq e ".configs[] | select(.name == \"$_deploy_config\")" "$_deploy_file" >/dev/null; then _err "Config '$_deploy_config' not found." return 1 fi + _debug2 "Config found: $_deploy_config" # Extract all services from config _services=$(_get_services_list "$_deploy_file" "$_deploy_config") + _debug2 "Services" "$_services" if [ -z "$_services" ]; then _err "Config '$_deploy_config' does not have any services to deploy to." return 1 fi + _debug2 "Config has services." # Check if extracted services exist in services list for _service in $_services; do + _debug2 "Checking service" "$_service" + # Check if service exists if ! yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file" >/dev/null; then _err "Service '$_service' not found." return 1 @@ -140,6 +147,10 @@ _get_services_list() { _deploy_file="$1" _deploy_config="$2" + _debug2 "Getting services list" + _debug3 "Deploy file" "$_deploy_file" + _debug3 "Deploy config" "$_deploy_config" + _services=$(yq e ".configs[] | select(.name == \"$_deploy_config\").services[]" "$_deploy_file") echo "$_services" } @@ -150,6 +161,9 @@ _get_full_services_list() { shift _service_names="$*" + _debug3 "Deploy file" "$_deploy_file" + _debug3 "Service names" "$_service_names" + _full_services="" for _service in $_service_names; do _full_service=$(yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file") @@ -164,6 +178,8 @@ $_full_service" _export_envs() { _env_list="$1" + _secure_debug3 "Exporting envs" "$_env_list" + for _env in $_env_list; do _key=$(echo "$_env" | cut -d '=' -f1) _value=$(echo "$_env" | cut -d '=' -f2-) @@ -175,6 +191,8 @@ _export_envs() { _clear_envs() { _env_list="$1" + _secure_debug3 "Clearing envs" "$_env_list" + for _env in $_env_list; do _key=$(echo "$_env" | cut -d '=' -f1) _debug3 "Deleting key" "$_key" @@ -189,6 +207,9 @@ _deploy_services() { shift _services="$*" + _debug3 "Deploy file" "$_deploy_file" + _debug3 "Services" "$_services" + for _service in $_services; do _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") From 768de270bf6943047f3f52d38b0af28c423dd765 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 18:23:13 +0100 Subject: [PATCH 245/313] improved preprocessing and fixed bug with wrong param of services --- deploy/multideploy.sh | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 3c243c04..7b4e1400 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -39,10 +39,13 @@ multideploy_deploy() { _debug2 "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" fi + OLDIFS=$IFS + file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME2") || return 1 + _debug3 "File" "$file" + # Deploy to services - _services=$(_get_services_list "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_CONFIG") - _full_services=$(_get_full_services_list "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" "$_services") - _deploy_services "$DOMAIN_DIR/$MULTIDEPLOY_FILENAME" "$_full_services" + _services=$(_get_services_list "$file" "$MULTIDEPLOY_CONFIG") + _deploy_services "$file" "$_services" # Save deployhook for renewals _debug2 "Setting Le_DeployHook" @@ -84,6 +87,8 @@ _preprocess_deployfile() { _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." return 1 fi + + echo "$DOMAIN_PATH/$found_file" } # deploy_filepath _deploy_config @@ -155,25 +160,6 @@ _get_services_list() { echo "$_services" } -# deploy_filepath service_names -_get_full_services_list() { - _deploy_file="$1" - shift - _service_names="$*" - - _debug3 "Deploy file" "$_deploy_file" - _debug3 "Service names" "$_service_names" - - _full_services="" - for _service in $_service_names; do - _full_service=$(yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file") - _full_services="$_full_services -$_full_service" - done - - echo "$_full_services" -} - # env_list _export_envs() { _env_list="$1" @@ -211,6 +197,7 @@ _deploy_services() { _debug3 "Services" "$_services" for _service in $_services; do + _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") _export_envs "$_envs" From ba7c368ee535c198187320a740d5da816126c51b Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 18:23:29 +0100 Subject: [PATCH 246/313] fixed IFS problems --- deploy/multideploy.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 7b4e1400..9e2fb1d2 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -66,6 +66,7 @@ _preprocess_deployfile() { _debug3 "yq is installed." # Check if deploy file exists + IFS=$(printf '\n') for file in "$@"; do _debug3 "Checking file" "$DOMAIN_PATH/$file" if [ -f "$DOMAIN_PATH/$file" ]; then @@ -79,6 +80,7 @@ _preprocess_deployfile() { _debug3 "File not found" fi done + IFS=$OLDIFS if [ -n "$found_file" ]; then _check_deployfile "$DOMAIN_PATH/$found_file" "$MULTIDEPLOY_CONFIG" @@ -124,6 +126,7 @@ _check_deployfile() { fi _debug2 "Config has services." + IFS=$(printf '\n') # Check if extracted services exist in services list for _service in $_services; do _debug2 "Checking service" "$_service" @@ -145,6 +148,7 @@ _check_deployfile() { return 1 fi done + IFS=$OLDIFS } # deploy_filepath deploy_config @@ -166,25 +170,27 @@ _export_envs() { _secure_debug3 "Exporting envs" "$_env_list" - for _env in $_env_list; do - _key=$(echo "$_env" | cut -d '=' -f1) - _value=$(echo "$_env" | cut -d '=' -f2-) + IFS=$(printf '\n') + echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do _savedomainconf "$_key" "$_value" _secure_debug3 "Saved $_key" "$_value" done + IFS=$OLDIFS } _clear_envs() { _env_list="$1" _secure_debug3 "Clearing envs" "$_env_list" + env_pairs=$(echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value') - for _env in $_env_list; do - _key=$(echo "$_env" | cut -d '=' -f1) + IFS=$(printf '\n') + echo "$env_pairs" | while IFS='=' read -r _key _value; do _debug3 "Deleting key" "$_key" _cleardomainconf "SAVED_$_key" unset "$_key" done + IFS="$OLDIFS" } # deploy_filepath services_array @@ -196,14 +202,17 @@ _deploy_services() { _debug3 "Deploy file" "$_deploy_file" _debug3 "Services" "$_services" + IFS=$(printf '\n') for _service in $_services; do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") + _export_envs "$_envs" _deploy_service "$_service" "$_hook" _clear_envs "$_envs" done + IFS=$OLDIFS } _deploy_service() { From 2cc5e66517908eed21bbc03ba5066919dd27365e Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 18:31:24 +0100 Subject: [PATCH 247/313] added docs --- deploy/multideploy.sh | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 9e2fb1d2..129bb38f 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -151,7 +151,13 @@ _check_deployfile() { IFS=$OLDIFS } -# deploy_filepath deploy_config +# Description: +# This function retrieves a list of services from the deploy configuration file. +# Arguments: +# $1 - The path to the deploy configuration file. +# $2 - The name of the deploy configuration to use. +# Usage: +# _get_services_list "" "" _get_services_list() { _deploy_file="$1" _deploy_config="$2" @@ -164,7 +170,12 @@ _get_services_list() { echo "$_services" } -# env_list +# Description: This function takes a list of environment variables in YAML format, +# parses them, and exports each key-value pair as environment variables. +# Arguments: +# $1 - A string containing the list of environment variables in YAML format. +# Usage: +# _export_envs "$env_list" _export_envs() { _env_list="$1" @@ -178,6 +189,13 @@ _export_envs() { IFS=$OLDIFS } +# Description: +# This function takes a YAML formatted string of environment variables, parses it, +# and clears each environment variable. It logs the process of clearing each variable. +# Arguments: +# $1 - A YAML formatted string containing environment variable key-value pairs. +# Usage: +# _clear_envs "" _clear_envs() { _env_list="$1" @@ -188,7 +206,7 @@ _clear_envs() { echo "$env_pairs" | while IFS='=' read -r _key _value; do _debug3 "Deleting key" "$_key" _cleardomainconf "SAVED_$_key" - unset "$_key" + unset -v "$_key" done IFS="$OLDIFS" } From 74ed0354a3f135884b37c5b5adf3557a22afb2d2 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 18:44:46 +0100 Subject: [PATCH 248/313] added docs and enhanced log messages --- deploy/multideploy.sh | 57 +++++++++++++++++++++++++++++++++---------- 1 file changed, 44 insertions(+), 13 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 129bb38f..81754f1c 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -2,13 +2,21 @@ # MULTIDEPLOY_CONFIG="default" -######## Public functions ##################### - MULTIDEPLOY_VERSION="1.0" MULTIDEPLOY_FILENAME="multideploy.yml" MULTIDEPLOY_FILENAME2="multideploy.yaml" -# domain keyfile certfile cafile fullchain pfx +# Description: This function handles the deployment of certificates to multiple services. +# It processes the provided certificate files and deploys them according to the +# configuration specified in the MULTIDEPLOY_CONFIG. +# +# Parameters: +# _cdomain - The domain name for which the certificate is issued. +# _ckey - The private key file for the certificate. +# _ccert - The certificate file. +# _cca - The CA (Certificate Authority) file. +# _cfullchain - The full chain certificate file. +# _cpfx - The PFX (Personal Information Exchange) file. multideploy_deploy() { _cdomain="$1" _ckey="$2" @@ -40,7 +48,10 @@ multideploy_deploy() { fi OLDIFS=$IFS - file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME2") || return 1 + if ! file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME2"); then + _err "Failed to preprocess deploy file." + return 1 + fi _debug3 "File" "$file" # Deploy to services @@ -54,9 +65,13 @@ multideploy_deploy() { return 0 } -#################### Private functions below ##################### - -# deploy_filepath +# Description: +# This function preprocesses the deploy file by checking if 'yq' is installed, +# verifying the existence of the deploy file, and ensuring only one deploy file is present. +# Arguments: +# $@ - Posible deploy file names. +# Usage: +# _preprocess_deployfile "" "" _preprocess_deployfile() { # Check if yq is installed if ! command -v yq >/dev/null 2>&1; then @@ -93,7 +108,13 @@ _preprocess_deployfile() { echo "$DOMAIN_PATH/$found_file" } -# deploy_filepath _deploy_config +# Description: +# This function checks the deploy file for version compatibility and the existence of the specified configuration and services. +# Arguments: +# $1 - The path to the deploy configuration file. +# $2 - The name of the deploy configuration to use. +# Usage: +# _check_deployfile "" "" _check_deployfile() { _deploy_file="$1" _deploy_config="$2" @@ -144,7 +165,7 @@ _check_deployfile() { # Check if service has environment if ! yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file" >/dev/null; then - _err "Service '$_service' does not an environment." + _err "Service '$_service' does not have an environment." return 1 fi done @@ -211,7 +232,13 @@ _clear_envs() { IFS="$OLDIFS" } -# deploy_filepath services_array +# Description: +# This function deploys services listed in the deploy configuration file. +# Arguments: +# $1 - The path to the deploy configuration file. +# $2 - The list of services to deploy. +# Usage: +# _deploy_services "" "" _deploy_services() { _deploy_file="$1" shift @@ -220,8 +247,7 @@ _deploy_services() { _debug3 "Deploy file" "$_deploy_file" _debug3 "Services" "$_services" - IFS=$(printf '\n') - for _service in $_services; do + printf '%s\n' "$_services" | while IFS= read -r _service; do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") @@ -230,9 +256,14 @@ _deploy_services() { _deploy_service "$_service" "$_hook" _clear_envs "$_envs" done - IFS=$OLDIFS } +# Description: Deploys a service using the specified hook. +# Arguments: +# $1 - The name of the service to deploy. +# $2 - The hook to use for deployment. +# Usage: +# _deploy_service _deploy_service() { _name="$1" _hook="$2" From 88d4637ee31e4d27a6e9978d8bfb1b52e55ef8d7 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 19:02:55 +0100 Subject: [PATCH 249/313] added header doc --- deploy/multideploy.sh | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 81754f1c..bea4622b 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -1,6 +1,25 @@ #!/usr/bin/env sh -# MULTIDEPLOY_CONFIG="default" +################################################################################ +# ACME.sh 3rd party deploy plugin for multiple (same) services +################################################################################ +# Authors: tomo2403 (creator), https://github.com/tomo2403 +# Updated: 2024-07-03 +# Issues: https://github.com/acmesh-official/acme.sh/issues/XXXXX +################################################################################ +# Usage (shown values are the examples): +# 1. Set optional environment variables +# - export MULTIDEPLOY_CONFIG="default" - "default" will be automatically used if not set" +# +# 2. Run command: +# acme.sh --deploy --deploy-hook multideploy -d example.com +################################################################################ +# Dependencies: +# - yq +################################################################################ +# Return value: +# 0 means success, otherwise error. +################################################################################ MULTIDEPLOY_VERSION="1.0" MULTIDEPLOY_FILENAME="multideploy.yml" From c16e059535b873a46f6ee2a47f8810843f0b2292 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 19:15:42 +0100 Subject: [PATCH 250/313] allowed using varaibles in deploy file --- deploy/multideploy.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index bea4622b..58df0482 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -223,6 +223,7 @@ _export_envs() { IFS=$(printf '\n') echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do + _value=$(eval echo "$_value") _savedomainconf "$_key" "$_value" _secure_debug3 "Saved $_key" "$_value" done From 88cde7be6db1901932f9458f624b0362f348edd4 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Fri, 21 Feb 2025 19:26:56 +0100 Subject: [PATCH 251/313] fixed missing wiki link --- deploy/multideploy.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 58df0482..9e3f4e17 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -119,8 +119,7 @@ _preprocess_deployfile() { if [ -n "$found_file" ]; then _check_deployfile "$DOMAIN_PATH/$found_file" "$MULTIDEPLOY_CONFIG" else - # TODO: Replace URL with wiki link - _err "Deploy file not found. Go to https://CHANGE_URL_TO_WIKI to see how to create one." + _err "Deploy file not found. Go to https://github.com/acmesh-official/acme.sh/wiki/deployhooks#36-deploying-to-multiple-services-with-the-same-hooks to see how to create one." return 1 fi From c1e17c366fd367cc68a3b89d9eca2abd161cbbde Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:26:53 +0100 Subject: [PATCH 252/313] Update links in multideploy.sh --- deploy/multideploy.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 9e3f4e17..b002f068 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -4,8 +4,8 @@ # ACME.sh 3rd party deploy plugin for multiple (same) services ################################################################################ # Authors: tomo2403 (creator), https://github.com/tomo2403 -# Updated: 2024-07-03 -# Issues: https://github.com/acmesh-official/acme.sh/issues/XXXXX +# Updated: 2025-03-01 +# Issues: https://github.com/acmesh-official/acme.sh/issues and mention @tomo2403 ################################################################################ # Usage (shown values are the examples): # 1. Set optional environment variables From 95c75460513f8faa5cdfbee869cc70d0354c9bce Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Thu, 27 Mar 2025 19:11:31 +0100 Subject: [PATCH 253/313] removed configs and implemented specification of deploy file name --- deploy/multideploy.sh | 67 +++++++++++-------------------------------- 1 file changed, 17 insertions(+), 50 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index b002f068..24177e66 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -9,7 +9,7 @@ ################################################################################ # Usage (shown values are the examples): # 1. Set optional environment variables -# - export MULTIDEPLOY_CONFIG="default" - "default" will be automatically used if not set" +# - export MULTIDEPLOY_FILENAME="multideploy.yaml" - "multideploy.yml" will be automatically used if not set" # # 2. Run command: # acme.sh --deploy --deploy-hook multideploy -d example.com @@ -22,12 +22,10 @@ ################################################################################ MULTIDEPLOY_VERSION="1.0" -MULTIDEPLOY_FILENAME="multideploy.yml" -MULTIDEPLOY_FILENAME2="multideploy.yaml" # Description: This function handles the deployment of certificates to multiple services. # It processes the provided certificate files and deploys them according to the -# configuration specified in the MULTIDEPLOY_CONFIG. +# configuration specified in the multideploy file. # # Parameters: # _cdomain - The domain name for which the certificate is issued. @@ -57,25 +55,24 @@ multideploy_deploy() { fi _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" - MULTIDEPLOY_CONFIG="${MULTIDEPLOY_CONFIG:-$(_getdeployconf MULTIDEPLOY_CONFIG)}" - if [ -z "$MULTIDEPLOY_CONFIG" ]; then - MULTIDEPLOY_CONFIG="default" - _info "MULTIDEPLOY_CONFIG is not set, so I will use 'default'." + MULTIDEPLOY_FILENAME="${MULTIDEPLOY_FILENAME:-$(_getdeployconf MULTIDEPLOY_FILENAME)}" + if [ -z "$MULTIDEPLOY_FILENAME" ]; then + MULTIDEPLOY_FILENAME="multideploy.yml" + _info "MULTIDEPLOY_FILENAME is not set, so I will use 'multideploy.yml'." else - _savedeployconf "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" - _debug2 "MULTIDEPLOY_CONFIG" "$MULTIDEPLOY_CONFIG" + _savedeployconf "MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME" + _debug2 "MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME" fi OLDIFS=$IFS - if ! file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME2"); then + if ! file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME"); then _err "Failed to preprocess deploy file." return 1 fi _debug3 "File" "$file" # Deploy to services - _services=$(_get_services_list "$file" "$MULTIDEPLOY_CONFIG") - _deploy_services "$file" "$_services" + _deploy_services "$file" # Save deployhook for renewals _debug2 "Setting Le_DeployHook" @@ -90,7 +87,7 @@ multideploy_deploy() { # Arguments: # $@ - Posible deploy file names. # Usage: -# _preprocess_deployfile "" "" +# _preprocess_deployfile "" "?" _preprocess_deployfile() { # Check if yq is installed if ! command -v yq >/dev/null 2>&1; then @@ -117,7 +114,7 @@ _preprocess_deployfile() { IFS=$OLDIFS if [ -n "$found_file" ]; then - _check_deployfile "$DOMAIN_PATH/$found_file" "$MULTIDEPLOY_CONFIG" + _check_deployfile "$DOMAIN_PATH/$found_file" else _err "Deploy file not found. Go to https://github.com/acmesh-official/acme.sh/wiki/deployhooks#36-deploying-to-multiple-services-with-the-same-hooks to see how to create one." return 1 @@ -132,13 +129,10 @@ _preprocess_deployfile() { # $1 - The path to the deploy configuration file. # $2 - The name of the deploy configuration to use. # Usage: -# _check_deployfile "" "" +# _check_deployfile "" _check_deployfile() { _deploy_file="$1" - _deploy_config="$2" - _debug2 "Deploy file" "$_deploy_file" - _debug2 "Deploy config" "$_deploy_config" # Check version _deploy_file_version=$(yq '.version' "$_deploy_file") @@ -148,19 +142,12 @@ _check_deployfile() { fi _debug2 "Deploy file version is compatible: $_deploy_file_version" - # Check if config exists - if ! yq e ".configs[] | select(.name == \"$_deploy_config\")" "$_deploy_file" >/dev/null; then - _err "Config '$_deploy_config' not found." - return 1 - fi - _debug2 "Config found: $_deploy_config" - # Extract all services from config - _services=$(_get_services_list "$_deploy_file" "$_deploy_config") + _services=$(yq e '.services[].name' "$_deploy_file") _debug2 "Services" "$_services" if [ -z "$_services" ]; then - _err "Config '$_deploy_config' does not have any services to deploy to." + _err "Config does not have any services to deploy to." return 1 fi _debug2 "Config has services." @@ -190,25 +177,6 @@ _check_deployfile() { IFS=$OLDIFS } -# Description: -# This function retrieves a list of services from the deploy configuration file. -# Arguments: -# $1 - The path to the deploy configuration file. -# $2 - The name of the deploy configuration to use. -# Usage: -# _get_services_list "" "" -_get_services_list() { - _deploy_file="$1" - _deploy_config="$2" - - _debug2 "Getting services list" - _debug3 "Deploy file" "$_deploy_file" - _debug3 "Deploy config" "$_deploy_config" - - _services=$(yq e ".configs[] | select(.name == \"$_deploy_config\").services[]" "$_deploy_file") - echo "$_services" -} - # Description: This function takes a list of environment variables in YAML format, # parses them, and exports each key-value pair as environment variables. # Arguments: @@ -260,10 +228,9 @@ _clear_envs() { # _deploy_services "" "" _deploy_services() { _deploy_file="$1" - shift - _services="$*" - _debug3 "Deploy file" "$_deploy_file" + + _services=$(yq e '.services[].name' "$_deploy_file") _debug3 "Services" "$_services" printf '%s\n' "$_services" | while IFS= read -r _service; do From 17e0bbcbb67c32fff1cb620d08a0c1b277565332 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Thu, 27 Mar 2025 19:16:07 +0100 Subject: [PATCH 254/313] fixed formatting --- deploy/multideploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 24177e66..c297878c 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -229,7 +229,7 @@ _clear_envs() { _deploy_services() { _deploy_file="$1" _debug3 "Deploy file" "$_deploy_file" - + _services=$(yq e '.services[].name' "$_deploy_file") _debug3 "Services" "$_services" From 88e4d64c1a242342a60f7aa1bddd4ba842c5b500 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Thu, 10 Apr 2025 10:24:32 +0200 Subject: [PATCH 255/313] fixed IFS problems for some hooks --- deploy/multideploy.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index c297878c..b728ee77 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -233,7 +233,9 @@ _deploy_services() { _services=$(yq e '.services[].name' "$_deploy_file") _debug3 "Services" "$_services" - printf '%s\n' "$_services" | while IFS= read -r _service; do + _service_list=$(printf '%s\n' "$_services") + + for _service in $(printf '%s\n' "$_service_list"); do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") From c1c49d5a01e929d326b8a7f4a8fb2d3780f6e8ec Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Sun, 13 Apr 2025 16:38:28 +0200 Subject: [PATCH 256/313] simplified deploy method --- deploy/multideploy.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index b728ee77..93809e6e 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -260,10 +260,5 @@ _deploy_service() { _debug2 "HOOK" "$_hook" _info "$(__green "Deploying") to '$_name' using '$_hook'" - if echo "$DOMAIN_PATH" | grep -q "$ECC_SUFFIX"; then - _debug2 "User wants to use ECC." - deploy "$_cdomain" "$_hook" "isEcc" - else - deploy "$_cdomain" "$_hook" - fi + _deploy "$_cdomain" "$_hook" } From a55d40be972e7ebd4f64599211b0e861ed2f83e9 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Tue, 27 May 2025 22:07:22 +0200 Subject: [PATCH 257/313] fixed bug with envs due to the use of a wrong function --- deploy/multideploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 93809e6e..c77d1fdf 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -191,7 +191,7 @@ _export_envs() { IFS=$(printf '\n') echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do _value=$(eval echo "$_value") - _savedomainconf "$_key" "$_value" + _savedeployconf "$_key" "$_value" _secure_debug3 "Saved $_key" "$_value" done IFS=$OLDIFS From e5b47f6402567d75db58edcb5b4b67194de58202 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Wed, 28 May 2025 20:02:07 +0200 Subject: [PATCH 258/313] implemented exiting with 1 if at least one deployment fails --- deploy/multideploy.sh | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index c77d1fdf..5b323303 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -72,13 +72,17 @@ multideploy_deploy() { _debug3 "File" "$file" # Deploy to services - _deploy_services "$file" + if _deploy_services "$file"; then + _deploymentOk=0 + else + _deploymentOk=1 + fi # Save deployhook for renewals _debug2 "Setting Le_DeployHook" _savedomainconf "Le_DeployHook" "multideploy" - return 0 + return "$_deploymentOk" } # Description: @@ -235,15 +239,26 @@ _deploy_services() { _service_list=$(printf '%s\n' "$_services") + _errors="" for _service in $(printf '%s\n' "$_service_list"); do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") _export_envs "$_envs" - _deploy_service "$_service" "$_hook" + if ! _deploy_service "$_service" "$_hook"; then + _errors="$_service, $_errors" + fi _clear_envs "$_envs" done + + if [ -n "$_errors" ]; then + _err "Deployment failed for services: $_errors" + return 1 + else + _debug "All services deployed successfully." + return 0 + fi } # Description: Deploys a service using the specified hook. @@ -261,4 +276,5 @@ _deploy_service() { _info "$(__green "Deploying") to '$_name' using '$_hook'" _deploy "$_cdomain" "$_hook" + return $? } From 093f36b4d670a03b571ea68f28b4d180ad6f6261 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Wed, 28 May 2025 20:19:18 +0200 Subject: [PATCH 259/313] implemented exiting with the number of failed deployments --- deploy/multideploy.sh | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 5b323303..fd04043a 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -72,17 +72,14 @@ multideploy_deploy() { _debug3 "File" "$file" # Deploy to services - if _deploy_services "$file"; then - _deploymentOk=0 - else - _deploymentOk=1 - fi + _deploy_services "$file" + _exitCode="$?" # Save deployhook for renewals _debug2 "Setting Le_DeployHook" _savedomainconf "Le_DeployHook" "multideploy" - return "$_deploymentOk" + return "$_exitCode" } # Description: @@ -239,7 +236,8 @@ _deploy_services() { _service_list=$(printf '%s\n' "$_services") - _errors="" + _failedServices="" + _failedCount=0 for _service in $(printf '%s\n' "$_service_list"); do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") @@ -247,18 +245,21 @@ _deploy_services() { _export_envs "$_envs" if ! _deploy_service "$_service" "$_hook"; then - _errors="$_service, $_errors" + _failedServices="$_service, $_failedServices" + _failedCount=$((_failedCount + 1)) fi _clear_envs "$_envs" done - if [ -n "$_errors" ]; then - _err "Deployment failed for services: $_errors" - return 1 + _debug3 "Failed services" "$_failedServices" + _debug2 "Failed count" "$_failedCount" + if [ -n "$_failedServices" ]; then + _info "$(__red "Deployment failed") for services: $_failedServices" else _debug "All services deployed successfully." - return 0 fi + + return "$_failedCount" } # Description: Deploys a service using the specified hook. From 7b16526e7f0f217a4d0e02505d32f4260e884c40 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Sat, 31 May 2025 19:21:10 +0200 Subject: [PATCH 260/313] removed dead code --- deploy/multideploy.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index fd04043a..85a8dfd4 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -49,12 +49,6 @@ multideploy_deploy() { _debug _cfullchain "$_cfullchain" _debug _cpfx "$_cpfx" - DOMAIN_DIR=$_cdomain - if echo "$DOMAIN_PATH" | grep -q "$ECC_SUFFIX"; then - DOMAIN_DIR="$DOMAIN_DIR"_ecc - fi - _debug2 "DOMAIN_DIR" "$DOMAIN_DIR" - MULTIDEPLOY_FILENAME="${MULTIDEPLOY_FILENAME:-$(_getdeployconf MULTIDEPLOY_FILENAME)}" if [ -z "$MULTIDEPLOY_FILENAME" ]; then MULTIDEPLOY_FILENAME="multideploy.yml" From 37c25aa107e0c05e2ddc4131cc0d9efc0dad5971 Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Sat, 31 May 2025 20:19:49 +0200 Subject: [PATCH 261/313] removed unneeded return value --- deploy/multideploy.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 85a8dfd4..88a2c6cc 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -271,5 +271,4 @@ _deploy_service() { _info "$(__green "Deploying") to '$_name' using '$_hook'" _deploy "$_cdomain" "$_hook" - return $? } From d375012c5db3d688daba40425430778ac0106aaf Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Tue, 1 Jul 2025 16:02:50 +0200 Subject: [PATCH 262/313] fixed yml file env list --- deploy/multideploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 88a2c6cc..9ab16d0d 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -235,7 +235,7 @@ _deploy_services() { for _service in $(printf '%s\n' "$_service_list"); do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") - _envs=$(yq e ".services[] | select(.name == \"$_service\").environment[]" "$_deploy_file") + _envs=$(yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file") _export_envs "$_envs" if ! _deploy_service "$_service" "$_hook"; then From f850e8d0e466514262ecb6ee6d051da228dad115 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 13:45:34 +0100 Subject: [PATCH 263/313] Support spaces in service names - Prefer using a pipe to `while read` - But use a temp file when the loop needs to modify variables that need to be used outside the loop, as the pipe creates a subshell and modifications do not survive after the loop exits. --- deploy/multideploy.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 9ab16d0d..f5d6f587 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -147,9 +147,8 @@ _check_deployfile() { fi _debug2 "Config has services." - IFS=$(printf '\n') # Check if extracted services exist in services list - for _service in $_services; do + echo "$_services" | while read -r _service; do _debug2 "Checking service" "$_service" # Check if service exists if ! yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file" >/dev/null; then @@ -169,7 +168,6 @@ _check_deployfile() { return 1 fi done - IFS=$OLDIFS } # Description: This function takes a list of environment variables in YAML format, @@ -225,14 +223,15 @@ _deploy_services() { _deploy_file="$1" _debug3 "Deploy file" "$_deploy_file" - _services=$(yq e '.services[].name' "$_deploy_file") - _debug3 "Services" "$_services" + _tempfile=$(mktemp) + trap "rm -f $_tempfile" EXIT - _service_list=$(printf '%s\n' "$_services") + yq e '.services[].name' "$_deploy_file" > $_tempfile + _debug3 "Services" "$(cat $_tempfile)" _failedServices="" _failedCount=0 - for _service in $(printf '%s\n' "$_service_list"); do + while read -r _service; do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file") @@ -243,7 +242,7 @@ _deploy_services() { _failedCount=$((_failedCount + 1)) fi _clear_envs "$_envs" - done + done < "$_tempfile" _debug3 "Failed services" "$_failedServices" _debug2 "Failed count" "$_failedCount" From 986a6138ebda928297a859f12ab72f2b040d7e27 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:19:44 +0100 Subject: [PATCH 264/313] Fix config file checks The config file checks were returning okay even when there were errors. The yq tool returns "null" when it cannot find what's queried, but exists with a 0 rc still. --- deploy/multideploy.sh | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index f5d6f587..5ed62ec3 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -127,7 +127,7 @@ _preprocess_deployfile() { # _check_deployfile "" _check_deployfile() { _deploy_file="$1" - _debug2 "Deploy file" "$_deploy_file" + _debug2 "check: Deploy file" "$_deploy_file" # Check version _deploy_file_version=$(yq '.version' "$_deploy_file") @@ -135,38 +135,44 @@ _check_deployfile() { _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $_deploy_file_version." return 1 fi - _debug2 "Deploy file version is compatible: $_deploy_file_version" + _debug2 "check: Deploy file version is compatible: $_deploy_file_version" # Extract all services from config _services=$(yq e '.services[].name' "$_deploy_file") - _debug2 "Services" "$_services" if [ -z "$_services" ]; then _err "Config does not have any services to deploy to." return 1 fi - _debug2 "Config has services." + _debug2 "check: Config has services." + echo "$_services" | while read -r _service; do + _debug3 " - $_service" + done # Check if extracted services exist in services list echo "$_services" | while read -r _service; do - _debug2 "Checking service" "$_service" + _debug2 "check: Checking service: $_service" # Check if service exists - if ! yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file" >/dev/null; then + _service_config=$(yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file") + if [ -z "$_service_config" ] || [ "$_service_config" = "null" ]; then _err "Service '$_service' not found." return 1 fi + _secure_debug3 "check: Service '$_service' configuration" "$_service_config" - # Check if service has hook - if ! yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file" >/dev/null; then + _service_hook=$(echo "$_service_config" | yq e ".hook" -) + if [ -z "$_service_hook" ] || [ "$_service_hook" = "null" ]; then _err "Service '$_service' does not have a hook." return 1 fi + _debug3 "check: Service '$_service' hook" "$_service_hook" - # Check if service has environment - if ! yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file" >/dev/null; then + _service_environment=$(echo "$_service_config" | yq e ".environment" -) + if [ -z "$_service_environment" ] || [ "$_service_environment" = "null" ]; then _err "Service '$_service' does not have an environment." return 1 fi + _secure_debug3 "check: Service '$_service' environment" "$_service_environment" done } From 1d8788767f0173423a03201ece84562268beccb9 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:20:38 +0100 Subject: [PATCH 265/313] Make failure to check file stop the deployment Before this, checker issues were only logged. This stops the deployment if any configuration is incorrect. --- deploy/multideploy.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 5ed62ec3..18b6d7ce 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -108,12 +108,15 @@ _preprocess_deployfile() { done IFS=$OLDIFS - if [ -n "$found_file" ]; then - _check_deployfile "$DOMAIN_PATH/$found_file" - else + if [ -z "$found_file" ]; + then _err "Deploy file not found. Go to https://github.com/acmesh-official/acme.sh/wiki/deployhooks#36-deploying-to-multiple-services-with-the-same-hooks to see how to create one." return 1 fi + if ! _check_deployfile "$DOMAIN_PATH/$found_file"; then + _err "Deploy file is not valid: $DOMAIN_PATH/$found_file" + return 1 + fi echo "$DOMAIN_PATH/$found_file" } From 1eee4dee9cfd165587f8a95104b5f4251c440416 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:22:21 +0100 Subject: [PATCH 266/313] Update dependency name from yq to yq-go --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4852cde4..36b2adac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ RUN apk --no-cache add -f \ tar \ libidn \ jq \ - yq \ + yq-go \ cronie ENV LE_WORKING_DIR=/acmebin From a961e03a597537f09ce9475bd9609ddb858d3773 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:32:52 +0100 Subject: [PATCH 267/313] Explain the use of eval --- deploy/multideploy.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 18b6d7ce..8c6f4267 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -192,6 +192,7 @@ _export_envs() { IFS=$(printf '\n') echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do + # Using eval to expand nested variables in the configuration file _value=$(eval echo "$_value") _savedeployconf "$_key" "$_value" _secure_debug3 "Saved $_key" "$_value" From 69dd2cf78b71d1e616011428b5500a15f463f9d3 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:36:07 +0100 Subject: [PATCH 268/313] Explain _clear_envs rationale --- deploy/multideploy.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 8c6f4267..8a2fbd37 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -203,6 +203,14 @@ _export_envs() { # Description: # This function takes a YAML formatted string of environment variables, parses it, # and clears each environment variable. It logs the process of clearing each variable. +# +# Note: Environment variables for a hook may be optional and differ between +# services using the same hook. +# If one service sets optional environment variables and another does not, the +# variables may persist and affect subsequent deployments. +# Clearing these variables after each service ensures that only the +# environment variables explicitly specified for each service in the deploy +# file are used. # Arguments: # $1 - A YAML formatted string containing environment variable key-value pairs. # Usage: From 8a788651745b39ba15d8b6a078180822f91cd1da Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:41:12 +0100 Subject: [PATCH 269/313] Quote paths to prevent word splitting --- deploy/multideploy.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 8a2fbd37..2db9a758 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -244,8 +244,8 @@ _deploy_services() { _tempfile=$(mktemp) trap "rm -f $_tempfile" EXIT - yq e '.services[].name' "$_deploy_file" > $_tempfile - _debug3 "Services" "$(cat $_tempfile)" + yq e '.services[].name' "$_deploy_file" > "$_tempfile" + _debug3 "Services" "$(cat "$_tempfile")" _failedServices="" _failedCount=0 From 4f0a4850a68ed0b7882f463fe755516fee4b1ecc Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 19:43:49 +0100 Subject: [PATCH 270/313] Remove unnecessary resetting of IFS --- deploy/multideploy.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 2db9a758..eec7b8ac 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -58,7 +58,6 @@ multideploy_deploy() { _debug2 "MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME" fi - OLDIFS=$IFS if ! file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME"); then _err "Failed to preprocess deploy file." return 1 @@ -92,7 +91,6 @@ _preprocess_deployfile() { _debug3 "yq is installed." # Check if deploy file exists - IFS=$(printf '\n') for file in "$@"; do _debug3 "Checking file" "$DOMAIN_PATH/$file" if [ -f "$DOMAIN_PATH/$file" ]; then @@ -106,7 +104,6 @@ _preprocess_deployfile() { _debug3 "File not found" fi done - IFS=$OLDIFS if [ -z "$found_file" ]; then @@ -190,14 +187,12 @@ _export_envs() { _secure_debug3 "Exporting envs" "$_env_list" - IFS=$(printf '\n') echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do # Using eval to expand nested variables in the configuration file _value=$(eval echo "$_value") _savedeployconf "$_key" "$_value" _secure_debug3 "Saved $_key" "$_value" done - IFS=$OLDIFS } # Description: @@ -221,13 +216,11 @@ _clear_envs() { _secure_debug3 "Clearing envs" "$_env_list" env_pairs=$(echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value') - IFS=$(printf '\n') echo "$env_pairs" | while IFS='=' read -r _key _value; do _debug3 "Deleting key" "$_key" _cleardomainconf "SAVED_$_key" unset -v "$_key" done - IFS="$OLDIFS" } # Description: From 6b66e734a92d1d6a5b2bfedeb81ded69f04d02ec Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 20:02:56 +0100 Subject: [PATCH 271/313] Remove explicit save of the deployhook acme.sh takes care of that --- deploy/multideploy.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index eec7b8ac..e1b8bf87 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -68,10 +68,6 @@ multideploy_deploy() { _deploy_services "$file" _exitCode="$?" - # Save deployhook for renewals - _debug2 "Setting Le_DeployHook" - _savedomainconf "Le_DeployHook" "multideploy" - return "$_exitCode" } From b8b1f1e9b40765dbe917f510e205a5f81f70b0f9 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Mon, 1 Sep 2025 00:04:42 +0100 Subject: [PATCH 272/313] Remove config logging when checking Because it causes a mysterious crash and it's honestly not worth it. --- deploy/multideploy.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index e1b8bf87..2d2a7a37 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -154,21 +154,18 @@ _check_deployfile() { _err "Service '$_service' not found." return 1 fi - _secure_debug3 "check: Service '$_service' configuration" "$_service_config" _service_hook=$(echo "$_service_config" | yq e ".hook" -) if [ -z "$_service_hook" ] || [ "$_service_hook" = "null" ]; then _err "Service '$_service' does not have a hook." return 1 fi - _debug3 "check: Service '$_service' hook" "$_service_hook" _service_environment=$(echo "$_service_config" | yq e ".environment" -) if [ -z "$_service_environment" ] || [ "$_service_environment" = "null" ]; then _err "Service '$_service' does not have an environment." return 1 fi - _secure_debug3 "check: Service '$_service' environment" "$_service_environment" done } From ab7835ec58a74d002dfc2eba593000789edda9b3 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Mon, 1 Sep 2025 00:06:07 +0100 Subject: [PATCH 273/313] Fix eval bug by quoting Before this, the eval call would try to run some commands (if they were compound commands) in the yaml file on the machine running acme.sh Eval might not be worth it for the little benefit it brings. --- deploy/multideploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 2d2a7a37..460e06d5 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -182,7 +182,7 @@ _export_envs() { echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do # Using eval to expand nested variables in the configuration file - _value=$(eval echo "$_value") + _value=$(eval 'echo "'"$_value"'"') _savedeployconf "$_key" "$_value" _secure_debug3 "Saved $_key" "$_value" done From 96f38655b4bc8a7147eec36742c5ac3e10779384 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Mon, 1 Sep 2025 00:07:44 +0100 Subject: [PATCH 274/313] Use file descriptor 3 for main deployment loop Before this, some deployment scripts would interact with STDIN and that would cause this loop to skip some elements. By using descriptor 3 we avoid clashing with the very common stdin and stdout. --- deploy/multideploy.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 460e06d5..590cfba7 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -235,7 +235,7 @@ _deploy_services() { _failedServices="" _failedCount=0 - while read -r _service; do + while read -r _service <&3; do _debug2 "Service" "$_service" _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") _envs=$(yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file") @@ -246,7 +246,7 @@ _deploy_services() { _failedCount=$((_failedCount + 1)) fi _clear_envs "$_envs" - done < "$_tempfile" + done 3< "$_tempfile" _debug3 "Failed services" "$_failedServices" _debug2 "Failed count" "$_failedCount" From 61b59831c491e1f038c64bd31f863fc8fd8e280b Mon Sep 17 00:00:00 2001 From: tomo <49612544+tomo2403@users.noreply.github.com> Date: Sat, 6 Sep 2025 12:31:56 +0200 Subject: [PATCH 275/313] minor code style adjustments in multideploy script --- deploy/multideploy.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 590cfba7..9e8b7164 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -101,8 +101,7 @@ _preprocess_deployfile() { fi done - if [ -z "$found_file" ]; - then + if [ -z "$found_file" ]; then _err "Deploy file not found. Go to https://github.com/acmesh-official/acme.sh/wiki/deployhooks#36-deploying-to-multiple-services-with-the-same-hooks to see how to create one." return 1 fi @@ -228,9 +227,9 @@ _deploy_services() { _debug3 "Deploy file" "$_deploy_file" _tempfile=$(mktemp) - trap "rm -f $_tempfile" EXIT + trap 'rm -f $_tempfile' EXIT - yq e '.services[].name' "$_deploy_file" > "$_tempfile" + yq e '.services[].name' "$_deploy_file" >"$_tempfile" _debug3 "Services" "$(cat "$_tempfile")" _failedServices="" @@ -246,7 +245,7 @@ _deploy_services() { _failedCount=$((_failedCount + 1)) fi _clear_envs "$_envs" - done 3< "$_tempfile" + done 3<"$_tempfile" _debug3 "Failed services" "$_failedServices" _debug2 "Failed count" "$_failedCount" From 11cae37405e2f82b6356fd662551be625a16cb6f Mon Sep 17 00:00:00 2001 From: invario <67800603+invario@users.noreply.github.com> Date: Sat, 20 Dec 2025 11:04:04 -0500 Subject: [PATCH 276/313] make compatible with both yq versions kislyuk yq (used by Debian packages) does not accept `yq e` and also returns strings with double quotes. mikefarah's yq-go (used by Alpine) accepts `yq e` and `yq`. replace `yq e` with `yq` and also use `-r` switch to remove double quoting to ensure uniform return values from both yq versions. Signed-off-by: invario <67800603+invario@users.noreply.github.com> --- deploy/multideploy.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy/multideploy.sh b/deploy/multideploy.sh index 9e8b7164..ef920f64 100644 --- a/deploy/multideploy.sh +++ b/deploy/multideploy.sh @@ -125,7 +125,7 @@ _check_deployfile() { _debug2 "check: Deploy file" "$_deploy_file" # Check version - _deploy_file_version=$(yq '.version' "$_deploy_file") + _deploy_file_version=$(yq -r '.version' "$_deploy_file") if [ "$MULTIDEPLOY_VERSION" != "$_deploy_file_version" ]; then _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $_deploy_file_version." return 1 @@ -133,7 +133,7 @@ _check_deployfile() { _debug2 "check: Deploy file version is compatible: $_deploy_file_version" # Extract all services from config - _services=$(yq e '.services[].name' "$_deploy_file") + _services=$(yq -r '.services[].name' "$_deploy_file") if [ -z "$_services" ]; then _err "Config does not have any services to deploy to." @@ -148,19 +148,19 @@ _check_deployfile() { echo "$_services" | while read -r _service; do _debug2 "check: Checking service: $_service" # Check if service exists - _service_config=$(yq e ".services[] | select(.name == \"$_service\")" "$_deploy_file") + _service_config=$(yq -r ".services[] | select(.name == \"$_service\")" "$_deploy_file") if [ -z "$_service_config" ] || [ "$_service_config" = "null" ]; then _err "Service '$_service' not found." return 1 fi - _service_hook=$(echo "$_service_config" | yq e ".hook" -) + _service_hook=$(echo "$_service_config" | yq -r ".hook" -) if [ -z "$_service_hook" ] || [ "$_service_hook" = "null" ]; then _err "Service '$_service' does not have a hook." return 1 fi - _service_environment=$(echo "$_service_config" | yq e ".environment" -) + _service_environment=$(echo "$_service_config" | yq -r ".environment" -) if [ -z "$_service_environment" ] || [ "$_service_environment" = "null" ]; then _err "Service '$_service' does not have an environment." return 1 @@ -179,7 +179,7 @@ _export_envs() { _secure_debug3 "Exporting envs" "$_env_list" - echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do + echo "$_env_list" | yq -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do # Using eval to expand nested variables in the configuration file _value=$(eval 'echo "'"$_value"'"') _savedeployconf "$_key" "$_value" @@ -206,7 +206,7 @@ _clear_envs() { _env_list="$1" _secure_debug3 "Clearing envs" "$_env_list" - env_pairs=$(echo "$_env_list" | yq e -r 'to_entries | .[] | .key + "=" + .value') + env_pairs=$(echo "$_env_list" | yq -r 'to_entries | .[] | .key + "=" + .value') echo "$env_pairs" | while IFS='=' read -r _key _value; do _debug3 "Deleting key" "$_key" @@ -229,15 +229,15 @@ _deploy_services() { _tempfile=$(mktemp) trap 'rm -f $_tempfile' EXIT - yq e '.services[].name' "$_deploy_file" >"$_tempfile" + yq -r '.services[].name' "$_deploy_file" >"$_tempfile" _debug3 "Services" "$(cat "$_tempfile")" _failedServices="" _failedCount=0 while read -r _service <&3; do _debug2 "Service" "$_service" - _hook=$(yq e ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") - _envs=$(yq e ".services[] | select(.name == \"$_service\").environment" "$_deploy_file") + _hook=$(yq -r ".services[] | select(.name == \"$_service\").hook" "$_deploy_file") + _envs=$(yq -r ".services[] | select(.name == \"$_service\").environment" "$_deploy_file") _export_envs "$_envs" if ! _deploy_service "$_service" "$_hook"; then From fc7168e11d3b5af9f7f7e93f7887d797639c9cb4 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Dec 2025 11:20:22 +0100 Subject: [PATCH 277/313] change default renew to 30 days change default renew to 30 days and fix readme --- README.md | 390 ++++++++++++++++++++++++++++++------------------------ acme.sh | 2 +- 2 files changed, 220 insertions(+), 172 deletions(-) diff --git a/README.md b/README.md index 4afd90a8..d6ddf36e 100644 --- a/README.md +++ b/README.md @@ -1,54 +1,70 @@ -[![zerossl.com](https://github.com/user-attachments/assets/7531085e-399b-4ac2-82a2-90d14a0b7f05)](https://zerossl.com/?fromacme.sh) +

+ + zerossl.com + +

-# An ACME Shell script: acme.sh +

🔐 acme.sh

+

An ACME Protocol Client Written Purely in Shell

-[![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml) -[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml) -[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml) -[![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml) -[![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml) -[![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml) -[![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml) -[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml) -[![Omnios](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml) +

+ FreeBSD + OpenBSD + NetBSD + MacOS + Ubuntu + Windows + Solaris + DragonFlyBSD + Omnios +

-![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg) -![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg) -![DockerHub](https://github.com/acmesh-official/acme.sh/workflows/Build%20DockerHub/badge.svg) +

+ Shellcheck + PebbleStrict + DockerHub +

+ +

+ Financial Contributors on Open Collective + Join the chat at Gitter + Docker stars + Docker pulls +

- -[![Join the chat at https://gitter.im/acme-sh/Lobby](https://badges.gitter.im/acme-sh/Lobby.svg)](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) -[![Docker stars](https://img.shields.io/docker/stars/neilpang/acme.sh.svg)](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub") -[![Docker pulls](https://img.shields.io/docker/pulls/neilpang/acme.sh.svg)](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub") +--- +## ✨ Features +- 🐚 An ACME protocol client written **purely in Shell** (Unix shell) language +- 📜 Full ACME protocol implementation +- 🔑 Support **ECDSA** certificates +- 🌐 Support **SAN** and **wildcard** certificates +- ⚡ Simple, powerful and very easy to use — only **3 minutes** to learn! +- 🔧 Compatible with **Bash**, **dash** and **sh** +- 🚫 No dependencies on Python +- 🔄 One script to issue, renew and install your certificates automatically +- 👤 **DOES NOT** require `root/sudoer` access +- 🐳 Docker ready +- 🌍 IPv6 ready +- 📧 Cron job notifications for renewal or error -- An ACME protocol client written purely in Shell (Unix shell) language. -- Full ACME protocol implementation. -- Support ECDSA certs -- Support SAN and wildcard certs -- Simple, powerful and very easy to use. You only need 3 minutes to learn it. -- Bash, dash and sh compatible. -- Purely written in Shell with no dependencies on python. -- Just one script to issue, renew and install your certificates automatically. -- DOES NOT require `root/sudoer` access. -- Docker ready -- IPv6 ready -- Cron job notifications for renewal or error etc. +> 💡 It's probably the **easiest & smartest** shell script to automatically issue & renew free certificates. -It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates. +

+ 📚 Wiki • + 🐳 Docker Guide • + 🐦 Twitter +

-Wiki: https://github.com/acmesh-official/acme.sh/wiki +--- -For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker) +## 🌏 [中文说明](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E) -Twitter: [@neilpangxa](https://twitter.com/neilpangxa) +--- - -# [中文说明](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E) - -# Who: +## 🏆 Who Uses acme.sh? - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/) - [ruby-china.org](https://ruby-china.org/topics/31983) - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management) @@ -62,7 +78,9 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) - [lnmp.org](https://lnmp.org/) - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials) -# Tested OS +--- + +## 🖥️ Tested OS | NO | Status| Platform| |----|-------|---------| @@ -91,50 +109,60 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |24|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) -Check our [testing project](https://github.com/acmesh-official/acmetest): +> 🧪 Check our [testing project](https://github.com/acmesh-official/acmetest) +> +> 🖥️ The testing VMs are supported by [vmactions.org](https://vmactions.org) -https://github.com/acmesh-official/acmetest +--- -# Supported CA +## 🏛️ Supported CA -- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default) -- Letsencrypt.org CA -- [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) -- [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) -- [Actalis.com CA](https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA) -- [Pebble strict Mode](https://github.com/letsencrypt/pebble) -- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA +| CA | Status | +|---|---| +| [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA) | ⭐ **Default** | +| Letsencrypt.org CA | ✅ Supported | +| [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) | ✅ Supported | +| [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) | ✅ Supported | +| [Actalis.com CA](https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA) | ✅ Supported | +| [Pebble strict Mode](https://github.com/letsencrypt/pebble) | ✅ Supported | +| Any [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA | ✅ Supported | -# Supported modes +--- -- Webroot mode -- Standalone mode -- Standalone tls-alpn mode -- Apache mode -- Nginx mode -- DNS mode -- [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) -- [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) +## ⚙️ Supported Modes +| Mode | Description | +|------|-------------| +| 📁 Webroot mode | Use existing webroot directory | +| 🖥️ Standalone mode | Built-in webserver on port 80 | +| 🔐 Standalone tls-alpn mode | Built-in webserver on port 443 | +| 🪶 Apache mode | Use Apache for verification | +| ⚡ Nginx mode | Use Nginx for verification | +| 🌐 DNS mode | Use DNS TXT records | +| 🔗 [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) | Use DNS alias for verification | +| 📡 [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) | Stateless verification | -# 1. How to install +--- -### 1. Install online +## 📖 Usage Guide -Check this project: https://github.com/acmesh-official/get.acme.sh +### 1️⃣ How to Install + +#### 📥 Install Online + +> Check this project: https://github.com/acmesh-official/get.acme.sh ```bash curl https://get.acme.sh | sh -s email=my@example.com ``` -Or: +**Or:** ```bash wget -O - https://get.acme.sh | sh -s email=my@example.com ``` - -### 2. Or, Install from git +#### 📦 Install from Git Clone this project and launch installation: @@ -144,11 +172,11 @@ cd ./acme.sh ./acme.sh --install -m my@example.com ``` -You `don't have to be root` then, although `it is recommended`. +> 💡 You `don't have to be root` then, although `it is recommended`. -Advanced Installation: https://github.com/acmesh-official/acme.sh/wiki/How-to-install +📚 **Advanced Installation:** https://github.com/acmesh-official/acme.sh/wiki/How-to-install -The installer will perform 3 actions: +**The installer will perform 3 actions:** 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. All certs will be placed in this folder too. @@ -161,17 +189,19 @@ Cron entry example: 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null ``` -After the installation, you must close the current terminal and reopen it to make the alias take effect. +> ⚠️ After the installation, you must close the current terminal and reopen it to make the alias take effect. -Ok, you are ready to issue certs now. +✅ **You are ready to issue certs now!** -Show help message: +**Show help message:** ```sh -root@v1:~# acme.sh -h +acme.sh -h ``` -# 2. Just issue a cert +--- + +### 2️⃣ Issue a Certificate **Example 1:** Single domain. @@ -206,19 +236,21 @@ You must point and bind all the domains to the same webroot dir: `/home/wwwroot/ The certs will be placed in `~/.acme.sh/example.com/` -The certs will be renewed automatically every **60** days. +> 🔄 The certs will be renewed automatically every **30** days. -The certs will default to ECC certificates. +> 🔐 The certs will default to **ECC** certificates. -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +📚 **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +--- -# 3. Install the cert to Apache/Nginx etc. +### 3️⃣ Install the Certificate to Apache/Nginx After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. -You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. -**Apache** example: +> ⚠️ **IMPORTANT:** You **MUST** use this command to copy the certs to the target files. **DO NOT** use the certs files in `~/.acme.sh/` folder — they are for internal use only, the folder structure may change in the future. + +#### 🪶 Apache Example: ```bash acme.sh --install-cert -d example.com \ --cert-file /path/to/certfile/in/apache/cert.pem \ @@ -227,7 +259,7 @@ acme.sh --install-cert -d example.com \ --reloadcmd "service apache2 force-reload" ``` -**Nginx** example: +#### ⚡ Nginx Example: ```bash acme.sh --install-cert -d example.com \ --key-file /path/to/keyfile/in/nginx/key.pem \ @@ -241,91 +273,89 @@ The ownership and permission info of existing files are preserved. You can pre-c Install/copy the cert/key to the production Apache or Nginx path. -The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. +> 🔄 The cert will be renewed every **30** days by default (configurable). Once renewed, the Apache/Nginx service will be reloaded automatically. +> ⚠️ **IMPORTANT:** The `reloadcmd` is very important. The cert can be automatically renewed, but without a correct `reloadcmd`, the cert may not be flushed to your server (like nginx or apache), then your website will not be able to show the renewed cert. -**Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.** +--- -# 4. Use Standalone server to issue cert +### 4️⃣ Use Standalone Server to Issue Certificate -**(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** +> 🔐 Requires root/sudoer or permission to listen on port **80** (TCP) -Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. +> ⚠️ Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. ```bash acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com ``` -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +📚 **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert -# 5. Use Standalone ssl server to issue cert +--- -**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** +### 5️⃣ Use Standalone TLS Server to Issue Certificate -Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. +> 🔐 Requires root/sudoer or permission to listen on port **443** (TCP) + +> ⚠️ Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. ```bash acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com ``` -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +📚 **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +--- -# 6. Use Apache mode +### 6️⃣ Use Apache Mode -**(requires you to be root/sudoer, since it is required to interact with Apache server)** +> 🔐 Requires root/sudoer to interact with Apache server If you are running a web server, it is recommended to use the `Webroot mode`. Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder. -Just set string "apache" as the second argument and it will force use of apache plugin automatically. - ```sh acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com ``` -**This apache mode is only to issue the cert, it will not change your apache config files. -You will need to configure your website config files to use the cert by yourself. -We don't want to mess with your apache server, don't worry.** +> 💡 **Note:** This Apache mode is only to issue the cert, it will **not** change your Apache config files. You will need to configure your website config files to use the cert by yourself. We don't want to mess with your Apache server, don't worry! -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +📚 **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert -# 7. Use Nginx mode +--- -**(requires you to be root/sudoer, since it is required to interact with Nginx server)** +### 7️⃣ Use Nginx Mode + +> 🔐 Requires root/sudoer to interact with Nginx server If you are running a web server, it is recommended to use the `Webroot mode`. -Particularly, if you are running an nginx server, you can use nginx mode instead. This mode doesn't write any files to your web root folder. +Particularly, if you are running an Nginx server, you can use Nginx mode instead. This mode doesn't write any files to your web root folder. -Just set string "nginx" as the second argument. - -It will configure nginx server automatically to verify the domain and then restore the nginx config to the original version. - -So, the config is not changed. +It will configure Nginx server automatically to verify the domain and then restore the Nginx config to the original version. So, the config is not changed. ```sh acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com ``` -**This nginx mode is only to issue the cert, it will not change your nginx config files. -You will need to configure your website config files to use the cert by yourself. -We don't want to mess with your nginx server, don't worry.** +> 💡 **Note:** This Nginx mode is only to issue the cert, it will **not** change your Nginx config files. You will need to configure your website config files to use the cert by yourself. We don't want to mess with your Nginx server, don't worry! -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +📚 **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert -# 8. Automatic DNS API integration +--- + +### 8️⃣ Automatic DNS API Integration If your DNS provider supports API access, we can use that API to automatically issue the certs. -You don't have to do anything manually! +> ✨ **You don't have to do anything manually!** -### Currently acme.sh supports most of the dns providers: +📚 **Currently acme.sh supports most DNS providers:** https://github.com/acmesh-official/acme.sh/wiki/dnsapi -https://github.com/acmesh-official/acme.sh/wiki/dnsapi +--- -# 9. Use DNS manual mode: +### 9️⃣ Use DNS Manual Mode See: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode first. @@ -355,67 +385,74 @@ Then just rerun with `renew` argument: acme.sh --renew -d example.com ``` -Ok, it's done. +✅ **Done!** -**Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.** +> ⚠️ **WARNING:** This is DNS manual mode — it **cannot** be renewed automatically. You will have to add a new TXT record to your domain manually when you renew your cert. **Please use DNS API mode instead.** -**Please use dns api mode instead.** +--- -# 10. Issue certificates of different key types and lengths (ECC or RSA) +### 🔟 Issue Certificates of Different Key Types (ECC or RSA) -Just set the `keylength` to a valid, supported, value. +Just set the `keylength` to a valid, supported value. -Valid values for the `keylength` parameter are: +**Valid values for the `keylength` parameter:** -1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** -2. **ec-384 (secp384r1, "ECDSA P-384")** -3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** -4. **2048 (RSA2048)** -5. **3072 (RSA3072)** -6. **4096 (RSA4096)** +| Key Length | Description | +|------------|-------------| +| `ec-256` | prime256v1, "ECDSA P-256" ⭐ **Default** | +| `ec-384` | secp384r1, "ECDSA P-384" | +| `ec-521` | secp521r1, "ECDSA P-521" ⚠️ Not supported by Let's Encrypt yet | +| `2048` | RSA 2048-bit | +| `3072` | RSA 3072-bit | +| `4096` | RSA 4096-bit | -For example: +**Examples:** -### Single domain with ECDSA P-384 certificate +#### Single domain with ECDSA P-384 certificate ```bash acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-384 ``` -### SAN multi domain with RSA4096 certificate +#### SAN multi domain with RSA4096 certificate ```bash acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength 4096 ``` -# 11. Issue Wildcard certificates +--- -It's simple, just give a wildcard domain as the `-d` parameter. +### 1️⃣1️⃣ Issue Wildcard Certificates + +It's simple! Just give a wildcard domain as the `-d` parameter: ```sh -acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf +acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf ``` -# 12. How to renew the certs +--- -No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. +### 1️⃣2️⃣ How to Renew Certificates -However, you can also force to renew a cert: +> 🔄 No need to renew manually! All certs will be renewed automatically every **30** days. + +However, you can force a renewal: ```sh acme.sh --renew -d example.com --force ``` -or, for ECC cert: +**For ECC cert:** ```sh acme.sh --renew -d example.com --force --ecc ``` +--- -# 13. How to stop cert renewal +### 1️⃣3️⃣ How to Stop Certificate Renewal To stop renewal of a cert, you can execute the following to remove the cert from the renewal list: @@ -425,73 +462,78 @@ acme.sh --remove -d example.com [--ecc] The cert/key file is not removed from the disk. -You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself. +> 💡 You can remove the respective directory (e.g. `~/.acme.sh/example.com`) manually. +--- -# 14. How to upgrade `acme.sh` +### 1️⃣4️⃣ How to Upgrade acme.sh -acme.sh is in constant development, so it's strongly recommended to use the latest code. +> 🚀 acme.sh is in constant development — it's strongly recommended to use the latest code. -You can update acme.sh to the latest code: +**Update to latest:** ```sh acme.sh --upgrade ``` -You can also enable auto upgrade: +**Enable auto upgrade:** ```sh acme.sh --upgrade --auto-upgrade ``` -Then **acme.sh** will be kept up to date automatically. - -Disable auto upgrade: +**Disable auto upgrade:** ```sh acme.sh --upgrade --auto-upgrade 0 ``` +--- -# 15. Issue a cert from an existing CSR +### 1️⃣5️⃣ Issue a Certificate from an Existing CSR -https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR +📚 https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR +--- -# 16. Send notifications in cronjob +### 1️⃣6️⃣ Send Notifications in Cronjob -https://github.com/acmesh-official/acme.sh/wiki/notify +📚 https://github.com/acmesh-official/acme.sh/wiki/notify +--- -# 17. Under the Hood +### 1️⃣7️⃣ Under the Hood -Speak ACME language using shell, directly to "Let's Encrypt". +> 🔧 Speak ACME language using shell, directly to "Let's Encrypt". -TODO: +--- +### 1️⃣8️⃣ Acknowledgments -# 18. Acknowledgments +| Project | Link | +|---------|------| +| 🙏 Acme-tiny | https://github.com/diafygi/acme-tiny | +| 📜 ACME protocol | https://github.com/ietf-wg-acme/acme | -1. Acme-tiny: https://github.com/diafygi/acme-tiny -2. ACME protocol: https://github.com/ietf-wg-acme/acme +--- +## 👥 Contributors -## Contributors - -### Code Contributors +### 💻 Code Contributors This project exists thanks to all the people who contribute. + -### Financial Contributors +### 💰 Financial Contributors Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)] -#### Individuals +#### 👤 Individuals -#### Organizations +#### 🏢 Organizations Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)] @@ -506,25 +548,31 @@ Support this project with your organization. Your logo will show up here with a +--- +### 1️⃣9️⃣ License & Others -# 19. License & Others +📄 **License:** GPLv3 -License is GPLv3 +⭐ Please **Star** and **Fork** this project! -Please Star and Fork me. +🐛 [Issues](https://github.com/acmesh-official/acme.sh/issues) and 🔀 [Pull Requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome. -[Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome. +--- +### 2️⃣0️⃣ Donate -# 20. Donate -Your donation makes **acme.sh** better: +> 💝 Your donation makes **acme.sh** better! -1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) +| Method | Link | +|--------|------| +| PayPal / Alipay(支付宝) / Wechat(微信) | [https://donate.acme.sh/](https://donate.acme.sh/) | -[Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list) +📜 [Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list) -# 21. About this repository +--- + +### 2️⃣1️⃣ About This Repository > [!NOTE] > This repository is officially maintained by ZeroSSL as part of our commitment to providing secure and reliable SSL/TLS solutions. We welcome contributions and feedback from the community! @@ -532,7 +580,7 @@ Your donation makes **acme.sh** better: > > All donations made through this repository go directly to the original independent maintainer (Neil Pang), not to ZeroSSL.

- + diff --git a/acme.sh b/acme.sh index 053f16db..5cd2cb3f 100755 --- a/acme.sh +++ b/acme.sh @@ -65,7 +65,7 @@ ID_TYPE_IP="ip" LOCAL_ANY_ADDRESS="0.0.0.0" -DEFAULT_RENEW=60 +DEFAULT_RENEW=30 NO_VALUE="no" From 361e7c5ad4e26d2b790c187d2cb36555cc040d03 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Dec 2025 11:26:59 +0100 Subject: [PATCH 278/313] use nfs for vms use nfs for vms --- .github/workflows/DNS.yml | 12 ++++++------ .github/workflows/DragonFlyBSD.yml | 2 +- .github/workflows/FreeBSD.yml | 2 +- .github/workflows/NetBSD.yml | 2 +- .github/workflows/Omnios.yml | 2 +- .github/workflows/OpenBSD.yml | 2 +- .github/workflows/Solaris.yml | 2 +- 7 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index ccce2ff6..18b763c1 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -232,7 +232,7 @@ jobs: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg install -y socat curl usesh: true - copyback: false + sync: nfs run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" @@ -283,7 +283,7 @@ jobs: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' prepare: pkg_add socat curl libiconv usesh: true - copyback: false + sync: nfs run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" @@ -335,7 +335,7 @@ jobs: prepare: | /usr/sbin/pkg_add curl socat usesh: true - copyback: false + sync: nfs run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" @@ -387,7 +387,7 @@ jobs: prepare: | pkg install -y curl socat libnghttp2 usesh: true - copyback: false + sync: nfs run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" @@ -440,7 +440,7 @@ jobs: - uses: vmactions/solaris-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - copyback: false + sync: nfs prepare: | pkgutil -U pkgutil -y -i socat @@ -493,7 +493,7 @@ jobs: - uses: vmactions/omnios-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' - copyback: false + sync: nfs prepare: pkg install socat run: | if [ "${{ secrets.TokenName1}}" ] ; then diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index 5c56168f..b047a210 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -63,7 +63,7 @@ jobs: prepare: | pkg install -y curl socat libnghttp2 usesh: true - copyback: false + sync: nfs run: | cd ../acmetest \ && ./letest.sh diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index 961907e8..a4fca67c 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -68,7 +68,7 @@ jobs: "8080": "80" prepare: pkg install -y socat curl wget usesh: true - copyback: false + sync: nfs run: | cd ../acmetest \ && ./letest.sh diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index a4f90f68..13b70350 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -63,7 +63,7 @@ jobs: prepare: | /usr/sbin/pkg_add curl socat usesh: true - copyback: false + sync: nfs run: | cd ../acmetest \ && ./letest.sh diff --git a/.github/workflows/Omnios.yml b/.github/workflows/Omnios.yml index 882cedf6..5d0af1b1 100644 --- a/.github/workflows/Omnios.yml +++ b/.github/workflows/Omnios.yml @@ -67,7 +67,7 @@ jobs: nat: | "8080": "80" prepare: pkg install socat wget - copyback: false + sync: nfs run: | cd ../acmetest \ && ./letest.sh diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index d5697c10..98e18545 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -68,7 +68,7 @@ jobs: "8080": "80" prepare: pkg_add socat curl wget libnghttp2 usesh: true - copyback: false + sync: nfs run: | cd ../acmetest \ && ./letest.sh diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 0ba3d2eb..21a16d1a 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -69,7 +69,7 @@ jobs: prepare: | pkgutil -U pkgutil -y -i socat curl wget - copyback: false + sync: nfs run: | cd ../acmetest \ && ./letest.sh From 49a3d586a3673b41fb08169a37a970464f86bc03 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Dec 2025 11:37:39 +0100 Subject: [PATCH 279/313] Add OpenIndiana CI workflow Introduces a GitHub Actions workflow for OpenIndiana to automate testing of shell scripts. --- .github/workflows/OpenIndiana.yml | 75 +++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/OpenIndiana.yml diff --git a/.github/workflows/OpenIndiana.yml b/.github/workflows/OpenIndiana.yml new file mode 100644 index 00000000..19b1efaa --- /dev/null +++ b/.github/workflows/OpenIndiana.yml @@ -0,0 +1,75 @@ +name: OpenIndiana +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/OpenIndiana.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/OpenIndiana.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + OpenIndiana: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v4 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/openindiana-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + nat: | + "8080": "80" + prepare: pkg install socat curl + sync: nfs + run: | + cd ../acmetest \ + && ./letest.sh + + From 76fdac59bc77757d2691c010be0b89a52ba6da47 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Dec 2025 11:41:58 +0100 Subject: [PATCH 280/313] Add OpenIndiana CI workflow and badge Introduced a new OpenIndiana job to the DNS GitHub Actions workflow for testing, including necessary environment variables and steps. Updated README to display the OpenIndiana workflow status badge. --- .github/workflows/DNS.yml | 49 +++++++++++++++++++++++++++++++++++++++ README.md | 1 + 2 files changed, 50 insertions(+) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 18b763c1..b200f56b 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -515,3 +515,52 @@ jobs: ./letest.sh + OpenIndiana: + runs-on: ubuntu-latest + needs: Omnios + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since OpenIndiana doesn't accept the expired ISRG X1 root + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v4 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/openindiana-vm@v0 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + sync: nfs + prepare: pkg install socat + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + diff --git a/README.md b/README.md index d6ddf36e..149bca2b 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ Solaris DragonFlyBSD Omnios + OpenIndiana

From 47f24126f5ec95e192d1697f8588097ea902a2a6 Mon Sep 17 00:00:00 2001 From: neil Date: Sat, 27 Dec 2025 11:47:16 +0100 Subject: [PATCH 281/313] Update supported OS table in README add openindiana --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 149bca2b..41b6b272 100644 --- a/README.md +++ b/README.md @@ -95,8 +95,8 @@ |8|[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)|NetBSD |9|[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)|DragonFlyBSD |10|[![Omnios](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml)|Omnios -|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian -|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS +|11|[![OpenIndiana](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenIndiana.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenIndiana.yml)|OpenIndiana +|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian |13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE |14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl) |15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux @@ -104,10 +104,10 @@ |17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux |18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux |19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia -|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux -|22|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 -|23|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) -|24|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) +|20|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux +|21|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 +|22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) +|23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) > 🧪 Check our [testing project](https://github.com/acmesh-official/acmetest) From 21d52b5995b94f873c074662988972ad8392c5f9 Mon Sep 17 00:00:00 2001 From: Hugo Haakseth Date: Tue, 30 Dec 2025 10:57:12 +0100 Subject: [PATCH 282/313] Store pfx password base64 encoded --- acme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 5cd2cb3f..1401870b 100755 --- a/acme.sh +++ b/acme.sh @@ -1466,7 +1466,7 @@ _toPkcs() { ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" fi if [ "$?" = "0" ]; then - _savedomainconf "Le_PFXPassword" "$pfxPassword" + _savedomainconf "Le_PFXPassword" "$pfxPassword" "base64" fi } @@ -5450,10 +5450,10 @@ $_authorizations_map" _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime" #convert to pkcs12 + Le_PFXPassword="$(_readdomainconf Le_PFXPassword)" if [ "$Le_PFXPassword" ]; then _toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$Le_PFXPassword" fi - export CERT_PFX_PATH if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then _savedomainconf "Le_RealCertPath" "$_real_cert" From 162cfebbbb1122a53f3b62f46365084a5052cf05 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 15:36:06 -0500 Subject: [PATCH 283/313] Removed jq requirement --- dnsapi/dns_qc.sh | 57 ++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index ed784f28..1073200f 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -18,11 +18,6 @@ dns_qc_add() { txtvalue=$2 _debug "Enter dns_qc_add fulldomain: $fulldomain, txtvalue: $txtvalue" - if ! _exists jq; then - _err "In dns_qc jq not found." - return 1 - fi - QC_API_KEY="${QC_API_KEY:-$(_readaccountconf_mutable QC_API_KEY)}" QC_API_EMAIL="${QC_API_EMAIL:-$(_readaccountconf_mutable QC_API_EMAIL)}" @@ -108,23 +103,43 @@ dns_qc_rm() { return 1 fi - response=$(echo "$response" | jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") - _debug "get txt response" "$response" - if [ "${response}" = "" ]; then - _info "Don't need to remove txt records." - else - record_id=$(echo "$response" | grep \"id\" | awk -F ' ' '{print $2}' | sed 's/,$//') - _debug "txt record_id" "$record_id" - if [ -z "$record_id" ]; then - _err "Can not get txt record id to remove. Run in debug mode." - return 1 - fi - if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then - _info "Delete txt record error." - return 1 - fi - _info "TXT Record ID: $record_id successfully deleted" + _debug "Pre-jq response:" "$response" + # Do not use jq or subsequent code + #response=$(echo "$response" | jq ".result[] | select(.id) | select(.content == \"$txtvalue\") | select(.type == \"TXT\")") + #_debug "get txt response" "$response" + #if [ "${response}" = "" ]; then + # _info "Don't need to remove txt records." + # return 0 + #fi + #record_id=$(echo "$response" | grep \"id\" | awk -F ' ' '{print $2}' | sed 's/,$//') + #_debug "txt record_id" "$record_id" + #Instead of jq + array=$(echo $response | grep -o '\[[^]]*\]' | sed 's/^\[\(.*\)\]$/\1/') + if [ -z "$array" ]; then + _err "Expected array in QC response: $response" + return 1 fi + # Temporary file to hold matched content (one per line) + tmpfile=$(_mktemp) + echo $array | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" + while IFS= read -r obj || [ -n "$obj" ]; do + if echo $obj | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then + _debug "response includes" "$obj" + record_id=$(echo $obj | sed 's/^\"id\":\([0-9]\+\).*/\1/' ) + break + fi + done < $tmpfile + rm $tmpfile + if [ -z "$record_id" ]; then + _info "TXT record, or $txtvalue not found, noting to remove" + return 0 + fi + #End of jq replacement + if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then + _info "Delete txt record error." + return 1 + fi + _info "TXT Record ID: $record_id successfully deleted" return 0 } From e031457cfacbf3abd35a51bbc56d443c09a975b4 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 15:48:29 -0500 Subject: [PATCH 284/313] shfmt fixes --- dnsapi/dns_qc.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 1073200f..35e99fa2 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -130,15 +130,18 @@ dns_qc_rm() { fi done < $tmpfile rm $tmpfile + if [ -z "$record_id" ]; then - _info "TXT record, or $txtvalue not found, noting to remove" + _info "TXT record, or $txtvalue not found, nothing to remove" return 0 fi + #End of jq replacement if ! _qc_rest DELETE "zones/$_domain_id/records/$record_id"; then _info "Delete txt record error." return 1 fi + _info "TXT Record ID: $record_id successfully deleted" return 0 } From 185d92f1e7d7ad62d84178d06bce9ae0be49775e Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 15:50:39 -0500 Subject: [PATCH 285/313] shfmt fixes --- dnsapi/dns_qc.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 35e99fa2..68c33ebc 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -141,9 +141,10 @@ dns_qc_rm() { _info "Delete txt record error." return 1 fi - + _info "TXT Record ID: $record_id successfully deleted" return 0 + } #################### Private functions below ################################## From 0b66acf332c539466ea4039b8e473246b3a26eba Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 15:54:23 -0500 Subject: [PATCH 286/313] shfmt fixes --- dnsapi/dns_qc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 68c33ebc..9fcf977a 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -144,7 +144,7 @@ dns_qc_rm() { _info "TXT Record ID: $record_id successfully deleted" return 0 - + } #################### Private functions below ################################## From b4f30ff02678035e56339b44d0238d7583abaead Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 16:07:01 -0500 Subject: [PATCH 287/313] Updated for shfmt --- dnsapi/dns_qc.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 9fcf977a..65e1c90b 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -121,14 +121,14 @@ dns_qc_rm() { fi # Temporary file to hold matched content (one per line) tmpfile=$(_mktemp) - echo $array | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" + echo $array | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' >"$tmpfile" while IFS= read -r obj || [ -n "$obj" ]; do - if echo $obj | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then + if echo $obj | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue; then _debug "response includes" "$obj" - record_id=$(echo $obj | sed 's/^\"id\":\([0-9]\+\).*/\1/' ) + record_id=$(echo $obj | sed 's/^\"id\":\([0-9]\+\).*/\1/') break fi - done < $tmpfile + done <$tmpfile rm $tmpfile if [ -z "$record_id" ]; then From 397c0605e575b70f9d76c4863a40c7dde374d5b4 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 16:11:39 -0500 Subject: [PATCH 288/313] Double quote for globbing --- dnsapi/dns_qc.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 65e1c90b..efa54fda 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -121,15 +121,15 @@ dns_qc_rm() { fi # Temporary file to hold matched content (one per line) tmpfile=$(_mktemp) - echo $array | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' >"$tmpfile" + echo $array | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" while IFS= read -r obj || [ -n "$obj" ]; do - if echo $obj | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue; then + if echo $obj | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then _debug "response includes" "$obj" record_id=$(echo $obj | sed 's/^\"id\":\([0-9]\+\).*/\1/') break fi - done <$tmpfile - rm $tmpfile + done < "$tmpfile" + rm "$tmpfile" if [ -z "$record_id" ]; then _info "TXT record, or $txtvalue not found, nothing to remove" From 778b4a38edef9f8d4aa5f6d9494af37db838f6fc Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 16:17:03 -0500 Subject: [PATCH 289/313] Missed several double quote issues --- dnsapi/dns_qc.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index efa54fda..f48eeb08 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -114,18 +114,18 @@ dns_qc_rm() { #record_id=$(echo "$response" | grep \"id\" | awk -F ' ' '{print $2}' | sed 's/,$//') #_debug "txt record_id" "$record_id" #Instead of jq - array=$(echo $response | grep -o '\[[^]]*\]' | sed 's/^\[\(.*\)\]$/\1/') + array=$(echo "$response" | grep -o '\[[^]]*\]' | sed 's/^\[\(.*\)\]$/\1/') if [ -z "$array" ]; then _err "Expected array in QC response: $response" return 1 fi # Temporary file to hold matched content (one per line) tmpfile=$(_mktemp) - echo $array | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" + echo "$array" | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" while IFS= read -r obj || [ -n "$obj" ]; do - if echo $obj | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then + if echo "$obj" | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then _debug "response includes" "$obj" - record_id=$(echo $obj | sed 's/^\"id\":\([0-9]\+\).*/\1/') + record_id=$(echo "$obj" | sed 's/^\"id\":\([0-9]\+\).*/\1/') break fi done < "$tmpfile" From f9ffdbe4074bce3bab40220cdfb2fa337c303360 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 16:23:01 -0500 Subject: [PATCH 290/313] Initialize record_id --- dnsapi/dns_qc.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index f48eeb08..ecf5d387 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -122,6 +122,8 @@ dns_qc_rm() { # Temporary file to hold matched content (one per line) tmpfile=$(_mktemp) echo "$array" | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" + record_id="" + while IFS= read -r obj || [ -n "$obj" ]; do if echo "$obj" | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then _debug "response includes" "$obj" @@ -129,6 +131,7 @@ dns_qc_rm() { break fi done < "$tmpfile" + rm "$tmpfile" if [ -z "$record_id" ]; then From cf2f9ef2518dcefa3fa8f2bb50841fc56bb01b43 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 16:27:21 -0500 Subject: [PATCH 291/313] Missed additional quotes --- dnsapi/dns_qc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index ecf5d387..756939cb 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -125,13 +125,13 @@ dns_qc_rm() { record_id="" while IFS= read -r obj || [ -n "$obj" ]; do - if echo "$obj" | grep -q '"TXT"' && echo $obj | grep -q '"id"' && echo $obj | grep -q $txtvalue ; then + if echo "$obj" | grep -q '"TXT"' && echo "$obj" | grep -q '"id"' && echo "$obj" | grep -q "$txtvalue" ; then _debug "response includes" "$obj" record_id=$(echo "$obj" | sed 's/^\"id\":\([0-9]\+\).*/\1/') break fi done < "$tmpfile" - + rm "$tmpfile" if [ -z "$record_id" ]; then From 6a37f23b143f8701b19631c7d3052a63b450f602 Mon Sep 17 00:00:00 2001 From: Bob Perper Date: Tue, 30 Dec 2025 16:31:16 -0500 Subject: [PATCH 292/313] Ran shfmt locally --- dnsapi/dns_qc.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dnsapi/dns_qc.sh b/dnsapi/dns_qc.sh index 756939cb..78756a35 100755 --- a/dnsapi/dns_qc.sh +++ b/dnsapi/dns_qc.sh @@ -121,16 +121,16 @@ dns_qc_rm() { fi # Temporary file to hold matched content (one per line) tmpfile=$(_mktemp) - echo "$array" | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' > "$tmpfile" + echo "$array" | grep -o '{[^}]*}' | sed 's/^{//;s/}$//' >"$tmpfile" record_id="" while IFS= read -r obj || [ -n "$obj" ]; do - if echo "$obj" | grep -q '"TXT"' && echo "$obj" | grep -q '"id"' && echo "$obj" | grep -q "$txtvalue" ; then + if echo "$obj" | grep -q '"TXT"' && echo "$obj" | grep -q '"id"' && echo "$obj" | grep -q "$txtvalue"; then _debug "response includes" "$obj" record_id=$(echo "$obj" | sed 's/^\"id\":\([0-9]\+\).*/\1/') break fi - done < "$tmpfile" + done <"$tmpfile" rm "$tmpfile" From 2ad984d8ada9cf4e67ee0c6e61fd76c92d195291 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 1 Jan 2026 13:26:02 +0000 Subject: [PATCH 293/313] feat(qiniu): make forceHttps configurable via environment variable Add QINIU_FORCE_HTTPS environment variable (default: false) to allow configuring HTTPS redirect behavior for CDN domains. --- deploy/qiniu.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/deploy/qiniu.sh b/deploy/qiniu.sh index 02250ed3..3737ed4e 100644 --- a/deploy/qiniu.sh +++ b/deploy/qiniu.sh @@ -8,6 +8,8 @@ # export QINIU_CDN_DOMAIN="cdn.example.com" # If you have more than one domain, just # export QINIU_CDN_DOMAIN="cdn1.example.com cdn2.example.com" +# Optional: force HTTPS redirect (default: false) +# export QINIU_FORCE_HTTPS="true" QINIU_API_BASE="https://api.qiniu.com" @@ -44,6 +46,12 @@ qiniu_deploy() { QINIU_CDN_DOMAIN="$_cdomain" fi + if [ -z "$QINIU_FORCE_HTTPS" ]; then + QINIU_FORCE_HTTPS="false" + else + _savedomainconf QINIU_FORCE_HTTPS "$QINIU_FORCE_HTTPS" + fi + ## upload certificate string_fullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n') string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n') @@ -69,7 +77,7 @@ qiniu_deploy() { _debug certId "$_certId" ## update domain ssl config - update_body="{\"certid\":$_certId,\"forceHttps\":false}" + update_body="{\"certid\":$_certId,\"forceHttps\":$QINIU_FORCE_HTTPS}" for domain in $QINIU_CDN_DOMAIN; do update_path="/domain/$domain/httpsconf" update_access_token="$(_make_access_token "$update_path")" From b08bb2ef69b087ebf36f0cae37471b1e0561f68c Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Fri, 2 Jan 2026 12:08:22 +0000 Subject: [PATCH 294/313] Fix list command for POSIX sh by avoiding brace expansion --- acme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index fc2afcc8..645de117 100755 --- a/acme.sh +++ b/acme.sh @@ -5845,7 +5845,8 @@ list() { if [ -z "$_domain" ]; then printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Profile${_sep}CA${_sep}Created${_sep}Renew" fi - for di in "${CERT_HOME}"/{*.*,*:*}/; do + for di in "${CERT_HOME}"/*.* "${CERT_HOME}"/*:*; do + [ -d "$di" ] || continue d=$(basename "$di") _debug d "$d" ( From 045e4dee2ed765a8a9d8f8c44fdd6358ce9aae70 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 2 Jan 2026 16:24:06 +0100 Subject: [PATCH 295/313] use openindiana-vm@v1 --- .github/workflows/DNS.yml | 2 +- .github/workflows/OpenIndiana.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index b200f56b..c0c51a84 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -539,7 +539,7 @@ jobs: - uses: actions/checkout@v4 - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/openindiana-vm@v0 + - uses: vmactions/openindiana-vm@v1 with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' sync: nfs diff --git a/.github/workflows/OpenIndiana.yml b/.github/workflows/OpenIndiana.yml index 19b1efaa..d17803de 100644 --- a/.github/workflows/OpenIndiana.yml +++ b/.github/workflows/OpenIndiana.yml @@ -61,7 +61,7 @@ jobs: run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV - name: Clone acmetest run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ - - uses: vmactions/openindiana-vm@v0 + - uses: vmactions/openindiana-vm@v1 with: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | From 94c670a759eadc1e9acb88f3dfa61c8a340c7b61 Mon Sep 17 00:00:00 2001 From: Jens Spanier <42373861+JensSpanier@users.noreply.github.com> Date: Sun, 4 Jan 2026 11:49:35 +0100 Subject: [PATCH 296/313] Remove asterisks and line breaks --- notify/pushover.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notify/pushover.sh b/notify/pushover.sh index 0f99739a..c59ec026 100644 --- a/notify/pushover.sh +++ b/notify/pushover.sh @@ -46,8 +46,8 @@ pushover_send() { fi export _H1="Content-Type: application/json" - _content="$(printf "*%s*\n" "$_content" | _json_encode)" - _subject="$(printf "*%s*\n" "$_subject" | _json_encode)" + _content="$(printf "%s" "$_content" | _json_encode)" + _subject="$(printf "%s" "$_subject" | _json_encode)" _data="{\"token\": \"$PUSHOVER_TOKEN\",\"user\": \"$PUSHOVER_USER\",\"title\": \"$_subject\",\"message\": \"$_content\",\"sound\": \"$PUSHOVER_SOUND\", \"device\": \"$PUSHOVER_DEVICE\", \"priority\": \"$PUSHOVER_PRIORITY\"}" response="$(_post "$_data" "$PUSHOVER_URI")" From 877cbe04c915bdb00c48612e0f6f3e51082c89d4 Mon Sep 17 00:00:00 2001 From: Amin Sharifi Date: Sun, 4 Jan 2026 16:18:18 +0330 Subject: [PATCH 297/313] Add VirakCloud DNS API support with add and remove TXT record functions --- dnsapi/dns_virakcloud.sh | 229 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100755 dnsapi/dns_virakcloud.sh diff --git a/dnsapi/dns_virakcloud.sh b/dnsapi/dns_virakcloud.sh new file mode 100755 index 00000000..ade4796b --- /dev/null +++ b/dnsapi/dns_virakcloud.sh @@ -0,0 +1,229 @@ +#!/usr/bin/env sh +# shellcheck disable=SC2034 +dns_virakcloud_info='VirakCloud DNS API +Site: VirakCloud.com +Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_virakcloud +Options: + VIRAKCLOUD_API_TOKEN VirakCloud API Bearer Token +' + +VIRAKCLOUD_API_URL="https://public-api.virakcloud.com/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Used to add txt record +dns_virakcloud_add() { + fulldomain=$1 + txtvalue=$2 + + VIRAKCLOUD_API_TOKEN="${VIRAKCLOUD_API_TOKEN:-$(_readaccountconf_mutable VIRAKCLOUD_API_TOKEN)}" + + if [ -z "$VIRAKCLOUD_API_TOKEN" ]; then + _err "You haven't configured your VirakCloud API token yet." + _err "Please set VIRAKCLOUD_API_TOKEN environment variable or run:" + _err " export VIRAKCLOUD_API_TOKEN=\"your-api-token\"" + return 1 + fi + + _saveaccountconf_mutable VIRAKCLOUD_API_TOKEN "$VIRAKCLOUD_API_TOKEN" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + http_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + if [ "$http_code" = "401" ]; then + return 1 + fi + _err "Invalid domain" + return 1 + fi + + _debug _domain "$_domain" + _debug fulldomain "$fulldomain" + + _info "Adding TXT record" + + if _virakcloud_rest POST "domains/${_domain}/records" "{\"record\":\"${fulldomain}\",\"type\":\"TXT\",\"ttl\":3600,\"content\":\"${txtvalue}\"}"; then + if echo "$response" | grep -q "success" || echo "$response" | grep -q "\"data\""; then + _info "Added, OK" + return 0 + elif echo "$response" | grep -q "already exists" || echo "$response" | grep -q "duplicate"; then + _info "Record already exists, OK" + return 0 + else + _err "Add TXT record error." + _err "Response: $response" + return 1 + fi + fi + + _err "Add TXT record error." + return 1 +} + +#Usage: fulldomain txtvalue +#Used to remove the txt record after validation +dns_virakcloud_rm() { + fulldomain=$1 + txtvalue=$2 + + VIRAKCLOUD_API_TOKEN="${VIRAKCLOUD_API_TOKEN:-$(_readaccountconf_mutable VIRAKCLOUD_API_TOKEN)}" + + if [ -z "$VIRAKCLOUD_API_TOKEN" ]; then + _err "You haven't configured your VirakCloud API token yet." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + http_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + if [ "$http_code" = "401" ]; then + return 1 + fi + _err "Invalid domain" + return 1 + fi + + _debug _domain "$_domain" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _info "Removing TXT record" + + _debug "Getting list of records to find content ID" + if ! _virakcloud_rest GET "domains/${_domain}/records" ""; then + return 1 + fi + + _debug2 "Records response" "$response" + + contentid="" + # Extract innermost objects (content objects) which look like {"id":"...","content_raw":"..."} + # We filter for the one containing txtvalue + + target_obj=$(echo "$response" | grep -o '{[^}]*}' | grep "$txtvalue" | _head_n 1) + + if [ -n "$target_obj" ]; then + contentid=$(echo "$target_obj" | _egrep_o '"id":"[^"]*"' | cut -d '"' -f 4) + fi + + if [ -z "$contentid" ]; then + _debug "Could not find matching record ID in response" + _info "Record not found, may have been already removed" + return 0 + fi + + _debug contentid "$contentid" + + if _virakcloud_rest DELETE "domains/${_domain}/records/${fulldomain}/TXT/${contentid}" ""; then + if echo "$response" | grep -q "success" || [ -z "$response" ]; then + _info "Removed, OK" + return 0 + elif echo "$response" | grep -q "not found" || echo "$response" | grep -q "404"; then + _info "Record not found, OK" + return 0 + else + _err "Remove TXT record error." + _err "Response: $response" + return 1 + fi + fi + + _err "Remove TXT record error." + return 1 +} + +#################### Private functions below ################################## + +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + # Optimization: skip _acme-challenge subdomain to avoid 422 errors + if echo "$domain" | grep -q "^_acme-challenge."; then + i=2 + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + _debug h "$h" + + if [ -z "$h" ]; then + return 1 + fi + + if ! _virakcloud_rest GET "domains/$h" ""; then + http_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + if [ "$http_code" = "401" ]; then + return 1 + fi + p=$i + i=$(_math "$i" + 1) + continue + fi + + if echo "$response" | grep -q "\"name\""; then + _domain="$h" + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +_virakcloud_rest() { + m=$1 + ep="$2" + data="$3" + + _debug "$ep" + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $VIRAKCLOUD_API_TOKEN" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$VIRAKCLOUD_API_URL/$ep" "" "$m")" + else + response="$(_get "$VIRAKCLOUD_API_URL/$ep")" + fi + + _ret="$?" + + if [ "$_ret" != "0" ]; then + _err "error on $m $ep" + return 1 + fi + + http_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + _debug "http response code" "$http_code" + + if [ "$http_code" = "401" ]; then + _err "VirakCloud API returned 401 Unauthorized." + _err "Your VIRAKCLOUD_API_TOKEN is invalid or expired." + _err "Please check your API token and try again." + return 1 + fi + + if [ "$http_code" = "403" ]; then + _err "VirakCloud API returned 403 Forbidden." + _err "Your API token does not have permission to access this resource." + return 1 + fi + + if [ -n "$http_code" ] && [ "$http_code" -ge 400 ]; then + _err "VirakCloud API error. HTTP code: $http_code" + _err "Response: $response" + return 1 + fi + + _debug2 response "$response" + return 0 +} From ef035248c35976ff849eda4011e67f08bac41831 Mon Sep 17 00:00:00 2001 From: Amin Sharifi Date: Sun, 4 Jan 2026 16:29:30 +0330 Subject: [PATCH 298/313] Add VirakCloud DNS API support --- dnsapi/dns_virakcloud.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsapi/dns_virakcloud.sh b/dnsapi/dns_virakcloud.sh index ade4796b..84da5773 100755 --- a/dnsapi/dns_virakcloud.sh +++ b/dnsapi/dns_virakcloud.sh @@ -43,6 +43,7 @@ dns_virakcloud_add() { _info "Adding TXT record" + if _virakcloud_rest POST "domains/${_domain}/records" "{\"record\":\"${fulldomain}\",\"type\":\"TXT\",\"ttl\":3600,\"content\":\"${txtvalue}\"}"; then if echo "$response" | grep -q "success" || echo "$response" | grep -q "\"data\""; then _info "Added, OK" From 70462b5ac3f257d8814002427b0693f67b437b3c Mon Sep 17 00:00:00 2001 From: Amin Sharifi Date: Sun, 4 Jan 2026 16:33:37 +0330 Subject: [PATCH 299/313] run `~/shfmt -l -w -i 2 dnsapi/dns_virakcloud.sh` and Remove unnecessary blank lines in dns_virakcloud.sh --- dnsapi/dns_virakcloud.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_virakcloud.sh b/dnsapi/dns_virakcloud.sh index 84da5773..7ae665d2 100755 --- a/dnsapi/dns_virakcloud.sh +++ b/dnsapi/dns_virakcloud.sh @@ -43,7 +43,6 @@ dns_virakcloud_add() { _info "Adding TXT record" - if _virakcloud_rest POST "domains/${_domain}/records" "{\"record\":\"${fulldomain}\",\"type\":\"TXT\",\"ttl\":3600,\"content\":\"${txtvalue}\"}"; then if echo "$response" | grep -q "success" || echo "$response" | grep -q "\"data\""; then _info "Added, OK" @@ -101,11 +100,11 @@ dns_virakcloud_rm() { contentid="" # Extract innermost objects (content objects) which look like {"id":"...","content_raw":"..."} # We filter for the one containing txtvalue - + target_obj=$(echo "$response" | grep -o '{[^}]*}' | grep "$txtvalue" | _head_n 1) - + if [ -n "$target_obj" ]; then - contentid=$(echo "$target_obj" | _egrep_o '"id":"[^"]*"' | cut -d '"' -f 4) + contentid=$(echo "$target_obj" | _egrep_o '"id":"[^"]*"' | cut -d '"' -f 4) fi if [ -z "$contentid" ]; then @@ -197,7 +196,7 @@ _virakcloud_rest() { fi _ret="$?" - + if [ "$_ret" != "0" ]; then _err "error on $m $ep" return 1 From 35f99c545c2c9dd9bca8211e3ab29bbcd123d259 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 5 Jan 2026 21:10:58 +0100 Subject: [PATCH 300/313] add debug wiki --- .github/workflows/DNS.yml | 42 +++++++++++++++++++++++++++--- .github/workflows/DragonFlyBSD.yml | 6 ++++- .github/workflows/FreeBSD.yml | 6 ++++- .github/workflows/NetBSD.yml | 8 ++++-- .github/workflows/Omnios.yml | 6 ++++- .github/workflows/OpenBSD.yml | 6 ++++- .github/workflows/OpenIndiana.yml | 6 ++++- .github/workflows/Solaris.yml | 6 ++++- 8 files changed, 74 insertions(+), 12 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index c0c51a84..4634ed96 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -251,7 +251,11 @@ jobs: fi cd ../acmetest ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" @@ -302,7 +306,11 @@ jobs: fi cd ../acmetest ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" @@ -354,7 +362,11 @@ jobs: fi cd ../acmetest ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" @@ -406,7 +418,11 @@ jobs: fi cd ../acmetest ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" @@ -464,6 +480,11 @@ jobs: fi cd ../acmetest ./letest.sh + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" Omnios: @@ -513,6 +534,12 @@ jobs: fi cd ../acmetest ./letest.sh + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" + OpenIndiana: @@ -562,5 +589,12 @@ jobs: fi cd ../acmetest ./letest.sh + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" + + diff --git a/.github/workflows/DragonFlyBSD.yml b/.github/workflows/DragonFlyBSD.yml index b047a210..dda8c99f 100644 --- a/.github/workflows/DragonFlyBSD.yml +++ b/.github/workflows/DragonFlyBSD.yml @@ -67,5 +67,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" diff --git a/.github/workflows/FreeBSD.yml b/.github/workflows/FreeBSD.yml index a4fca67c..21123c4a 100644 --- a/.github/workflows/FreeBSD.yml +++ b/.github/workflows/FreeBSD.yml @@ -72,5 +72,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" diff --git a/.github/workflows/NetBSD.yml b/.github/workflows/NetBSD.yml index 13b70350..40421552 100644 --- a/.github/workflows/NetBSD.yml +++ b/.github/workflows/NetBSD.yml @@ -67,5 +67,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" + diff --git a/.github/workflows/Omnios.yml b/.github/workflows/Omnios.yml index 5d0af1b1..20eb24d7 100644 --- a/.github/workflows/Omnios.yml +++ b/.github/workflows/Omnios.yml @@ -71,5 +71,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" diff --git a/.github/workflows/OpenBSD.yml b/.github/workflows/OpenBSD.yml index 98e18545..fab6e4fd 100644 --- a/.github/workflows/OpenBSD.yml +++ b/.github/workflows/OpenBSD.yml @@ -72,5 +72,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" diff --git a/.github/workflows/OpenIndiana.yml b/.github/workflows/OpenIndiana.yml index d17803de..abad376c 100644 --- a/.github/workflows/OpenIndiana.yml +++ b/.github/workflows/OpenIndiana.yml @@ -71,5 +71,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" diff --git a/.github/workflows/Solaris.yml b/.github/workflows/Solaris.yml index 21a16d1a..2388da71 100644 --- a/.github/workflows/Solaris.yml +++ b/.github/workflows/Solaris.yml @@ -73,5 +73,9 @@ jobs: run: | cd ../acmetest \ && ./letest.sh - + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" From 2092d6061b0ec963534b8a39b0624be96c07e2c4 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 5 Jan 2026 21:38:37 +0100 Subject: [PATCH 301/313] fix https://github.com/acmesh-official/acme.sh/issues/6736#issuecomment-3707981300 --- acme.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acme.sh b/acme.sh index 645de117..2d2ef796 100755 --- a/acme.sh +++ b/acme.sh @@ -5749,6 +5749,10 @@ signcsr() { _local_addr="${11}" _challenge_alias="${12}" _preferred_chain="${13}" + _valid_f="${14}" + _valid_t="${15}" + _cert_prof="${16}" + _en_key_usage="${17}" _csrsubj=$(_readSubjectFromCSR "$_csrfile") if [ "$?" != "0" ]; then @@ -5792,7 +5796,7 @@ signcsr() { _info "Copying CSR to: $CSR_PATH" cp "$_csrfile" "$CSR_PATH" - issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain" + issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain" "$_valid_f" "$_valid_t" "$_cert_prof" "$_en_key_usage" } @@ -8148,7 +8152,7 @@ _process() { deploy "$_domain" "$_deploy_hook" "$_ecc" ;; signcsr) - signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" + signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile" "$_extended_key_usage" ;; showcsr) showcsr "$_csr" "$_domain" From 903a53991d6cf01170864d09585b2406f5c5f16e Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 5 Jan 2026 22:06:33 +0100 Subject: [PATCH 302/313] fix bugs --- acme.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 2cec6592..d2e3b766 100755 --- a/acme.sh +++ b/acme.sh @@ -4470,7 +4470,7 @@ issue() { Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime) _debug Le_NextRenewTime "$Le_NextRenewTime" if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then - _valid_to_saved=$(_readdomainconf Le_Valid_to) + _valid_to_saved=$(_readdomainconf Le_Valid_To) if [ "$_valid_to_saved" ] && ! _startswith "$_valid_to_saved" "+"; then _info "The domain is set to be valid to: $_valid_to_saved" _info "It cannot be renewed automatically" @@ -5568,6 +5568,10 @@ renew() { Le_RenewHook="$(_readdomainconf Le_RenewHook)" Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)" Le_Certificate_Profile="$(_readdomainconf Le_Certificate_Profile)" + Le_Valid_From="$(_readdomainconf Le_Valid_From)" + Le_Valid_To="$(_readdomainconf Le_Valid_To)" + Le_ExtKeyUse="$(_readdomainconf Le_ExtKeyUse)" + # When renewing from an old version, the empty Le_Keylength means 2048. # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over # time but an empty value implies 2048 specifically. From 5ad2bea129b6a497aae30e50f64ac387a629d0f6 Mon Sep 17 00:00:00 2001 From: Denis Kurz Date: Sat, 10 Jan 2026 01:03:37 +0100 Subject: [PATCH 303/313] fix typos --- dnsapi/dns_dynv6.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index 0c9491f8..a68b5fb9 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -107,7 +107,7 @@ _get_domain() { return 0 fi done - _err "Either their is no such host on your dnyv6 account or it cannot be accessed with this key" + _err "Either there is no such host on your dynv6 account, or it cannot be accessed with this key" return 1 } @@ -179,8 +179,8 @@ _dns_dynv6_rm_http() { fi } +#Usage: _get_zone_id $record #get the zoneid for a specifc record or zone -#usage: _get_zone_id §record #where $record is the record to get the id for #returns _zone_id the id of the zone _get_zone_id() { @@ -217,9 +217,9 @@ _get_zone_name() { _zone_name="${_zone_name#name:}" } -#usaage _get_record_id $zone_id $record -# where zone_id is thevalue returned by _get_zone_id -# and record ist in the form _acme.www for an fqdn of _acme.www.example.com +#usage _get_record_id $zone_id $record +# where zone_id is the value returned by _get_zone_id +# and record is in the form _acme.www for an fqdn of _acme.www.example.com # returns _record_id _get_record_id() { _zone_id="$1" From 880d93f7f7645995b716f39e9666cb76acc10351 Mon Sep 17 00:00:00 2001 From: Denis Kurz Date: Sat, 10 Jan 2026 01:06:48 +0100 Subject: [PATCH 304/313] fix(dynv6): allow 'id' in dns challenge If the random dns challenge string happens to contain 'id', the parsing method passed a broken, mingled mix of the record's data and id field, instead of just the id. As a result, deleting the TXT record failed. We now specifically look for '"id":', which cannot appear as part of the challenge string. --- dnsapi/dns_dynv6.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index a68b5fb9..d5d49094 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -234,7 +234,7 @@ _get_record_id() { _get_record_id_from_response() { response="$1" - _record_id="$(echo "$response" | tr '}' '\n' | grep "\"name\":\"$record\"" | grep "\"data\":\"$value\"" | tr ',' '\n' | grep id | tr -d '"' | tr -d 'id:')" + _record_id="$(echo "$response" | tr '}' '\n' | grep "\"name\":\"$record\"" | grep "\"data\":\"$value\"" | tr ',' '\n' | grep '"id":' | tr -d '"' | tr -d 'id:' | tr -d '{')" #_record_id="${_record_id#id:}" if [ -z "$_record_id" ]; then _err "no such record: $record found in zone $_zone_id" From b37867d027d6b54e3946193fa2d672de225b1c5f Mon Sep 17 00:00:00 2001 From: Denis Kurz Date: Sat, 10 Jan 2026 01:26:06 +0100 Subject: [PATCH 305/313] remove unused code --- dnsapi/dns_dynv6.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/dnsapi/dns_dynv6.sh b/dnsapi/dns_dynv6.sh index d5d49094..3e7ce8d6 100644 --- a/dnsapi/dns_dynv6.sh +++ b/dnsapi/dns_dynv6.sh @@ -189,7 +189,6 @@ _get_zone_id() { _dynv6_rest GET zones zones="$(echo "$response" | tr '}' '\n' | tr ',' '\n' | grep name | sed 's/\[//g' | tr -d '{' | tr -d '"')" - #echo $zones selected="" for z in $zones; do @@ -235,7 +234,6 @@ _get_record_id() { _get_record_id_from_response() { response="$1" _record_id="$(echo "$response" | tr '}' '\n' | grep "\"name\":\"$record\"" | grep "\"data\":\"$value\"" | tr ',' '\n' | grep '"id":' | tr -d '"' | tr -d 'id:' | tr -d '{')" - #_record_id="${_record_id#id:}" if [ -z "$_record_id" ]; then _err "no such record: $record found in zone $_zone_id" return 1 From 5e670e0d93199c7a74146c9c93c4c1eed92e16fe Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 11 Jan 2026 21:02:47 +0100 Subject: [PATCH 306/313] support haiku --- .github/workflows/DNS.yml | 53 ++++++++++++++++++ .github/workflows/Haiku.yml | 79 +++++++++++++++++++++++++++ acme.sh | 104 +++++++++++++++++++++++++----------- 3 files changed, 205 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/Haiku.yml diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 4634ed96..957d0e97 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -597,4 +597,57 @@ jobs: + Haiku: + runs-on: ubuntu-latest + needs: OpenIndiana + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since OpenIndiana doesn't accept the expired ISRG X1 root + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v4 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/haiku-vm@v1 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + sync: rsync + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" + + diff --git a/.github/workflows/Haiku.yml b/.github/workflows/Haiku.yml new file mode 100644 index 00000000..3ae50051 --- /dev/null +++ b/.github/workflows/Haiku.yml @@ -0,0 +1,79 @@ +name: Haiku +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Haiku.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Haiku.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + Haiku: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v4 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/haiku-vm@v1 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + nat: | + "8080": "80" + prepare: pkg install socat curl + sync: nfs + run: | + cd ../acmetest \ + && ./letest.sh + - name: onError + if: ${{ failure() }} + run: | + echo "See how to debug in VM:" + echo "https://github.com/acmesh-official/acme.sh/wiki/debug-in-VM" + diff --git a/acme.sh b/acme.sh index d2e3b766..1a3763c3 100755 --- a/acme.sh +++ b/acme.sh @@ -250,6 +250,13 @@ _dlg_versions() { socat -V 2>&1 else _debug "socat doesn't exist." + if _exists "python3"; then + python3 -V 2>&1 + elif _exists "python2"; then + python2 -V 2>&1 + elif _exists "python"; then + python -V 2>&1 + fi fi } @@ -2559,41 +2566,76 @@ _startserver() { _debug Le_Listen_V4 "$Le_Listen_V4" _debug Le_Listen_V6 "$Le_Listen_V6" - _NC="socat" - if [ "$Le_Listen_V6" ]; then - _NC="$_NC -6" - SOCAT_OPTIONS=TCP6-LISTEN - elif [ "$Le_Listen_V4" ]; then - _NC="$_NC -4" - SOCAT_OPTIONS=TCP4-LISTEN - else - SOCAT_OPTIONS=TCP-LISTEN - fi + if _exists "socat"; then + _NC="socat" + if [ "$Le_Listen_V6" ]; then + _NC="$_NC -6" + SOCAT_OPTIONS=TCP6-LISTEN + elif [ "$Le_Listen_V4" ]; then + _NC="$_NC -4" + SOCAT_OPTIONS=TCP4-LISTEN + else + SOCAT_OPTIONS=TCP-LISTEN + fi - if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then - _NC="$_NC -d -d -v" - fi + if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then + _NC="$_NC -d -d -v" + fi - SOCAT_OPTIONS=$SOCAT_OPTIONS:$Le_HTTPPort,crlf,reuseaddr,fork + SOCAT_OPTIONS=$SOCAT_OPTIONS:$Le_HTTPPort,crlf,reuseaddr,fork - #Adding bind to local-address - if [ "$ncaddr" ]; then - SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}" - fi + #Adding bind to local-address + if [ "$ncaddr" ]; then + SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}" + fi - _content_len="$(printf "%s" "$content" | wc -c)" - _debug _content_len "$_content_len" - _debug "_NC" "$_NC $SOCAT_OPTIONS" - export _SOCAT_ERR="$(_mktemp)" - $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ + _content_len="$(printf "%s" "$content" | wc -c)" + _debug _content_len "$_content_len" + _debug "_NC" "$_NC $SOCAT_OPTIONS" + export _SOCAT_ERR="$(_mktemp)" + $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ echo 'HTTP/1.0 200 OK'; \ echo 'Content-Length\: $_content_len'; \ echo ''; \ printf '%s' '$content';" 2>"$_SOCAT_ERR" & - serverproc="$!" + serverproc="$!" + else + _PYTHON="" + if _exists "python3"; then + _PYTHON="python3" + elif _exists "python2"; then + _PYTHON="python2" + elif _exists "python"; then + _PYTHON="python" + fi + if [ "$_PYTHON" ]; then + _debug "Using python: $_PYTHON" + _AF="socket.AF_INET" + _BIND_ADDR="0.0.0.0" + if [ "$Le_Listen_V6" ]; then + _AF="socket.AF_INET6" + _BIND_ADDR="::" + fi + if [ "$ncaddr" ]; then + _BIND_ADDR="$ncaddr" + fi + export _SOCAT_ERR="$(_mktemp)" + $_PYTHON -c "import socket,sys;s=socket.socket($_AF,socket.SOCK_STREAM);s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1);s.bind((sys.argv[2],int(sys.argv[1])));s.listen(5);res='HTTP/1.0 200 OK\r\nContent-Length: '+str(len(sys.argv[3]))+'\r\n\r\n'+sys.argv[3]; +while True: + c,a=s.accept() + c.sendall(res.encode() if hasattr(res, 'encode') else res) + c.close()" "$Le_HTTPPort" "$_BIND_ADDR" "$content" 2>"$_SOCAT_ERR" & + serverproc="$!" + _NC="$_PYTHON" + else + _err "Please install socat or python first for standalone mode." + return 1 + fi + fi + if [ -f "$_SOCAT_ERR" ]; then if grep "Permission denied" "$_SOCAT_ERR" >/dev/null; then - _err "socat: $(cat $_SOCAT_ERR)" + _err "$_NC: $(cat $_SOCAT_ERR)" _err "Can not listen for user: $(whoami)" _err "Maybe try with root again?" rm -f "$_SOCAT_ERR" @@ -3557,9 +3599,9 @@ _on_before_issue() { fi fi - if _hasfield "$_chk_web_roots" "$NO_VALUE"; then - if ! _exists "socat"; then - _err "Please install socat tools first." + if _hasfield "$_chk_web_roots" "$NO_VALUE" && [ "$_chk_web_roots" = "$NO_VALUE" ]; then + if ! _exists "socat" && ! _exists "python" && ! _exists "python2" && ! _exists "python3"; then + _err "Please install socat or python tools first." return 1 fi fi @@ -6664,9 +6706,9 @@ _precheck() { return 1 fi - if ! _exists "socat"; then - _err "It is recommended to install socat first." - _err "We use socat for the standalone server, which is used for standalone mode." + if ! _exists "socat" && ! _exists "python" && ! _exists "python2" && ! _exists "python3"; then + _err "It is recommended to install socat or python first." + _err "We use socat or python for the standalone server, which is used for standalone mode." _err "If you don't want to use standalone mode, you may ignore this warning." fi From 09009794e02b83606b025bbf72c83e1b1851bfe0 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 11 Jan 2026 21:10:37 +0100 Subject: [PATCH 307/313] fix --- .github/workflows/Haiku.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Haiku.yml b/.github/workflows/Haiku.yml index 3ae50051..3cf8d5db 100644 --- a/.github/workflows/Haiku.yml +++ b/.github/workflows/Haiku.yml @@ -66,8 +66,8 @@ jobs: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" - prepare: pkg install socat curl - sync: nfs + sync: rsync + copyback: false run: | cd ../acmetest \ && ./letest.sh From 3e36b618237c19c7347bba3fcb718a36fea0eeab Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 11 Jan 2026 21:14:29 +0100 Subject: [PATCH 308/313] fix haiku --- .github/workflows/DNS.yml | 2 ++ .github/workflows/Haiku.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 957d0e97..73e19b89 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -625,6 +625,8 @@ jobs: with: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' sync: rsync + copyback: false + prepare: pkgman install -y cronie run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" diff --git a/.github/workflows/Haiku.yml b/.github/workflows/Haiku.yml index 3cf8d5db..6034cc4f 100644 --- a/.github/workflows/Haiku.yml +++ b/.github/workflows/Haiku.yml @@ -66,6 +66,7 @@ jobs: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" + prepare: pkgman install -y cronie sync: rsync copyback: false run: | From d8c062defb622ff08d3a333dd283cac300c385f6 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 11 Jan 2026 21:21:08 +0100 Subject: [PATCH 309/313] fix haiku --- .github/workflows/Haiku.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/Haiku.yml b/.github/workflows/Haiku.yml index 6034cc4f..4b78f930 100644 --- a/.github/workflows/Haiku.yml +++ b/.github/workflows/Haiku.yml @@ -23,6 +23,7 @@ concurrency: jobs: Haiku: strategy: + fail-fast: false matrix: include: - TEST_ACME_Server: "LetsEncrypt.org_test" From d57ab0ab7dd29e844360c52baeefb0f8f51e85b1 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 11 Jan 2026 21:28:45 +0100 Subject: [PATCH 310/313] fix haiku --- .github/workflows/DNS.yml | 5 ++++- .github/workflows/Haiku.yml | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DNS.yml b/.github/workflows/DNS.yml index 73e19b89..1a37b8a9 100644 --- a/.github/workflows/DNS.yml +++ b/.github/workflows/DNS.yml @@ -626,7 +626,10 @@ jobs: envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' sync: rsync copyback: false - prepare: pkgman install -y cronie + prepare: | + mkdir -p /boot/home/.cache + pkgman install -y cronie + run: | if [ "${{ secrets.TokenName1}}" ] ; then export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" diff --git a/.github/workflows/Haiku.yml b/.github/workflows/Haiku.yml index 4b78f930..1dbfc2c4 100644 --- a/.github/workflows/Haiku.yml +++ b/.github/workflows/Haiku.yml @@ -67,7 +67,9 @@ jobs: envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' nat: | "8080": "80" - prepare: pkgman install -y cronie + prepare: | + mkdir -p /boot/home/.cache + pkgman install -y cronie sync: rsync copyback: false run: | From 40b29c1879193e7a8da824f1ffa8f195e573b276 Mon Sep 17 00:00:00 2001 From: neil Date: Sun, 11 Jan 2026 21:37:02 +0100 Subject: [PATCH 311/313] support Haiku OS --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 41b6b272..740e5ef0 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ DragonFlyBSD Omnios OpenIndiana + Haiku

@@ -108,6 +109,7 @@ |21|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 |22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) |23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) +|24|[![Haiku](https://github.com/acmesh-official/acme.sh/actions/workflows/Haiku.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Haiku.yml)|Haiku OS > 🧪 Check our [testing project](https://github.com/acmesh-official/acmetest) From 892b3ca219e3c8c9594d7cfd697e4fde1d455638 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 13 Jan 2026 21:11:00 +0100 Subject: [PATCH 312/313] fix account.conf permission https://github.com/acmesh-official/acme.sh/issues/6708#issuecomment-3745737079 --- acme.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/acme.sh b/acme.sh index 1a3763c3..7d9ee2d2 100755 --- a/acme.sh +++ b/acme.sh @@ -2358,6 +2358,7 @@ _setopt() { fi if [ ! -f "$__conf" ]; then touch "$__conf" + chmod 600 "$__conf" fi if [ -n "$(_tail_c 1 <"$__conf")" ]; then echo >>"$__conf" @@ -6671,6 +6672,7 @@ _initconf() { #NO_TIMESTAMP=1 " >"$ACCOUNT_CONF_PATH" + chmod 600 "$ACCOUNT_CONF_PATH" fi } From e2882c536b892d6c2c9dc368d723d161b610caea Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 13 Jan 2026 21:43:46 +0100 Subject: [PATCH 313/313] disable notifications for myself disable notifications for myself --- .github/workflows/pr_dns.yml | 1 + .github/workflows/pr_notify.yml | 1 + .github/workflows/wiki-monitor.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/pr_dns.yml b/.github/workflows/pr_dns.yml index 50eb2adb..558ebf48 100644 --- a/.github/workflows/pr_dns.yml +++ b/.github/workflows/pr_dns.yml @@ -11,6 +11,7 @@ on: jobs: welcome: runs-on: ubuntu-latest + if: github.actor != 'neilpang' steps: - uses: actions/github-script@v6 with: diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml index b6b03c67..416ed721 100644 --- a/.github/workflows/pr_notify.yml +++ b/.github/workflows/pr_notify.yml @@ -13,6 +13,7 @@ on: jobs: welcome: runs-on: ubuntu-latest + if: github.actor != 'neilpang' steps: - uses: actions/github-script@v6 with: diff --git a/.github/workflows/wiki-monitor.yml b/.github/workflows/wiki-monitor.yml index a79d70a4..59cd0e5b 100644 --- a/.github/workflows/wiki-monitor.yml +++ b/.github/workflows/wiki-monitor.yml @@ -6,6 +6,7 @@ on: jobs: notify: runs-on: ubuntu-latest + if: github.actor != 'neilpang' steps: - name: Checkout wiki repository uses: actions/checkout@v4