Merge pull request #2512 from Neilpang/dev

fix list() performance

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: acmesh
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

README.md

@@ -1,6 +1,6 @@
 # An ACME Shell script: acme.sh [![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)
 
-[![Join the chat at https://gitter.im/acme-sh/Lobby](https://badges.gitter.im/acme-sh/Lobby.svg)](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+<img src="https://opencollective.com/acmesh/tiers/backers/badge.svg?label=backer&color=brightgreen" /> [![Join the chat at https://gitter.im/acme-sh/Lobby](https://badges.gitter.im/acme-sh/Lobby.svg)](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 - An ACME protocol client written purely in Shell (Unix shell) language.
 - Full ACME protocol implementation.
 - Support ACME v1 and ACME v2

acme.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-VER=2.8.2
+VER=2.8.3
 
 PROJECT_NAME="acme.sh"
 
@@ -135,6 +135,8 @@ _DNS_MANUAL_WIKI="https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode"
 
 _NOTIFY_WIKI="https://github.com/Neilpang/acme.sh/wiki/notify"
 
+_SUDO_WIKI="https://github.com/Neilpang/acme.sh/wiki/sudo"
+
 _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
 
 _DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@@ -1695,18 +1697,37 @@ _post() {
     if [ "$HTTPS_INSECURE" ]; then
       _CURL="$_CURL --insecure  "
     fi
+    if [ "$httpmethod" = "HEAD" ]; then
+      _CURL="$_CURL -I  "
+    fi
     _debug "_CURL" "$_CURL"
     if [ "$needbase64" ]; then
-      if [ "$_postContentType" ]; then
-        response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+      if [ "$body" ]; then
+        if [ "$_postContentType" ]; then
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+        else
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+        fi
       else
-        response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
+        if [ "$_postContentType" ]; then
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)"
+        else
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)"
+        fi
       fi
     else
-      if [ "$_postContentType" ]; then
-        response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+      if [ "$body" ]; then
+        if [ "$_postContentType" ]; then
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+        else
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+        fi
       else
-        response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")"
+        if [ "$_postContentType" ]; then
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")"
+        else
+          response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")"
+        fi
       fi
     fi
     _ret="$?"
@@ -1722,6 +1743,9 @@ _post() {
     if [ "$HTTPS_INSECURE" ]; then
       _WGET="$_WGET --no-check-certificate "
     fi
+    if [ "$httpmethod" = "HEAD" ]; then
+      _WGET="$_WGET --read-timeout=3.0  --tries=2  "
+    fi
     _debug "_WGET" "$_WGET"
     if [ "$needbase64" ]; then
       if [ "$httpmethod" = "POST" ]; then
@@ -1744,6 +1768,12 @@ _post() {
         else
           response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
         fi
+      elif [ "$httpmethod" = "HEAD" ]; then
+        if [ "$_postContentType" ]; then
+          response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        else
+          response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        fi
       else
         if [ "$_postContentType" ]; then
           response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
@@ -1876,7 +1906,7 @@ _send_signed_request() {
       if [ "$ACME_NEW_NONCE" ]; then
         _debug2 "Get nonce with HEAD. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
         nonceurl="$ACME_NEW_NONCE"
-        if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type"; then
+        if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then
           _headers="$(cat "$HTTP_HEADER")"
           _debug2 _headers "$_headers"
           _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
@@ -2797,6 +2827,11 @@ _setNginx() {
       _debug NGINX_CONF "$NGINX_CONF"
       NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)"
       _debug NGINX_CONF "$NGINX_CONF"
+      if [ -z "$NGINX_CONF" ]; then
+        _err "Can not find nginx conf."
+        NGINX_CONF=""
+        return 1
+      fi
       if [ ! -f "$NGINX_CONF" ]; then
         _err "'$NGINX_CONF' doesn't exist."
         NGINX_CONF=""
@@ -4939,18 +4974,14 @@ list() {
   if [ "$_raw" ]; then
     printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Created${_sep}Renew"
     for di in "${CERT_HOME}"/*.*/; do
-      if ! [ -d "$di" ]; then
-        _debug "Not directory, skip: $di"
-        continue
-      fi
       d=$(basename "$di")
       _debug d "$d"
       (
         if _endswith "$d" "$ECC_SUFFIX"; then
-          _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2)
+          _isEcc="ecc"
           d=$(echo "$d" | cut -d "$ECC_SEP" -f 1)
         fi
-        _initpath "$d" "$_isEcc"
+        DOMAIN_CONF="$di/$d.conf"
         if [ -f "$DOMAIN_CONF" ]; then
           . "$DOMAIN_CONF"
           printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
@@ -6233,6 +6264,23 @@ _processAccountConf() {
 
 }
 
+_checkSudo() {
+  if [ "$SUDO_GID" ] && [ "$SUDO_COMMAND" ] && [ "$SUDO_USER" ] && [ "$SUDO_UID" ]; then
+    if [ "$SUDO_USER" = "root" ] && [ "$SUDO_UID" = "0" ]; then
+      #it's root using sudo, no matter it's using sudo or not, just fine
+      return 0
+    fi
+    if [ "$SUDO_COMMAND" = "/bin/su" ] || [ "$SUDO_COMMAND" = "/bin/bash" ]; then
+      #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
+      #fine
+      return 0
+    fi
+    #otherwise
+    return 1
+  fi
+  return 0
+}
+
 _process() {
   _CMD=""
   _domain=""
@@ -6484,6 +6532,10 @@ _process() {
         ;;
       --nginx)
         wvalue="$NGINX"
+        if [ "$2" ] && ! _startswith "$2" "-"; then
+          wvalue="$NGINX$2"
+          shift
+        fi
         if [ -z "$_webroot" ]; then
           _webroot="$wvalue"
         else
@@ -6761,6 +6813,14 @@ _process() {
   done
 
   if [ "${_CMD}" != "install" ]; then
+    if [ "$__INTERACTIVE" ] && ! _checkSudo; then
+      if [ -z "$FORCE" ]; then
+        #Use "echo" here, instead of _info. it's too early
+        echo "It seems that you are using sudo, please read this link first:"
+        echo "$_SUDO_WIKI"
+        return 1
+      fi
+    fi
     __initHome
     if [ "$_log" ]; then
       if [ -z "$_logfile" ]; then

dnsapi/dns_ali.sh

@@ -185,7 +185,7 @@ _clean() {
     return 1
   fi
 
-  record_id="$(echo "$response" | tr '{' "\n" | grep "$_sub_domain" | grep "$txtvalue" | tr "," "\n" | grep RecordId | cut -d '"' -f 4)"
+  record_id="$(echo "$response" | tr '{' "\n" | grep "$_sub_domain" | grep -- "$txtvalue" | tr "," "\n" | grep RecordId | cut -d '"' -f 4)"
   _debug2 record_id "$record_id"
 
   if [ -z "$record_id" ]; then

dnsapi/dns_domeneshop.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env sh
+
+DOMENESHOP_Api_Endpoint="https://api.domeneshop.no/v0"
+
+#####################  Public functions #####################
+
+# Usage: dns_domeneshop_add <full domain> <txt record>
+# Example: dns_domeneshop_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_domeneshop_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  # Get token and secret
+  DOMENESHOP_Token="${DOMENESHOP_Token:-$(_readaccountconf_mutable DOMENESHOP_Token)}"
+  DOMENESHOP_Secret="${DOMENESHOP_Secret:-$(_readaccountconf_mutable DOMENESHOP_Secret)}"
+
+  if [ -z "$DOMENESHOP_Token" ] || [ -z "$DOMENESHOP_Secret" ]; then
+    DOMENESHOP_Token=""
+    DOMENESHOP_Secret=""
+    _err "You need to spesify a Domeneshop/Domainnameshop API Token and Secret."
+    return 1
+  fi
+
+  # Save the api token and secret.
+  _saveaccountconf_mutable DOMENESHOP_Token "$DOMENESHOP_Token"
+  _saveaccountconf_mutable DOMENESHOP_Secret "$DOMENESHOP_Secret"
+
+  # Get the domain name id
+  if ! _get_domainid "$fulldomain"; then
+    _err "Did not find domainname"
+    return 1
+  fi
+
+  # Create record
+  _domeneshop_rest POST "domains/$_domainid/dns" "{\"type\":\"TXT\",\"host\":\"$_sub_domain\",\"data\":\"$txtvalue\",\"ttl\":120}"
+}
+
+# Usage: dns_domeneshop_rm <full domain> <txt record>
+# Example: dns_domeneshop_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_domeneshop_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  # Get token and secret
+  DOMENESHOP_Token="${DOMENESHOP_Token:-$(_readaccountconf_mutable DOMENESHOP_Token)}"
+  DOMENESHOP_Secret="${DOMENESHOP_Secret:-$(_readaccountconf_mutable DOMENESHOP_Secret)}"
+
+  if [ -z "$DOMENESHOP_Token" ] || [ -z "$DOMENESHOP_Secret" ]; then
+    DOMENESHOP_Token=""
+    DOMENESHOP_Secret=""
+    _err "You need to spesify a Domeneshop/Domainnameshop API Token and Secret."
+    return 1
+  fi
+
+  # Get the domain name id
+  if ! _get_domainid "$fulldomain"; then
+    _err "Did not find domainname"
+    return 1
+  fi
+
+  # Find record
+  if ! _get_recordid "$_domainid" "$_sub_domain" "$txtvalue"; then
+    _err "Did not find dns record"
+    return 1
+  fi
+
+  # Remove record
+  _domeneshop_rest DELETE "domains/$_domainid/dns/$_recordid"
+}
+
+#####################  Private functions #####################
+
+_get_domainid() {
+  domain=$1
+
+  # Get domains
+  _domeneshop_rest GET "domains"
+
+  if ! _contains "$response" "\"id\":"; then
+    _err "failed to get domain names"
+    return 1
+  fi
+
+  i=2
+  p=1
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug "h" "$h"
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    if _contains "$response" "\"$h\"" >/dev/null; then
+      # We have found the domain name.
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _domain=$h
+      _domainid=$(printf "%s" "$response" | _egrep_o "[^{]*\"domain\":\"$_domain\"[^}]*" | _egrep_o "\"id\":[0-9]+" | cut -d : -f 2)
+      return 0
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_get_recordid() {
+  domainid=$1
+  subdomain=$2
+  txtvalue=$3
+
+  # Get all dns records for the domainname
+  _domeneshop_rest GET "domains/$domainid/dns"
+
+  if ! _contains "$response" "\"id\":"; then
+    _debug "No records in dns"
+    return 1
+  fi
+
+  if ! _contains "$response" "\"host\":\"$subdomain\""; then
+    _debug "Record does not exist"
+    return 1
+  fi
+
+  # Get the id of the record in question
+  _recordid=$(printf "%s" "$response" | _egrep_o "[^{]*\"host\":\"$subdomain\"[^}]*" | _egrep_o "[^{]*\"data\":\"$txtvalue\"[^}]*" | _egrep_o "\"id\":[0-9]+" | cut -d : -f 2)
+  if [ -z "$_recordid" ]; then
+    return 1
+  fi
+  return 0
+}
+
+_domeneshop_rest() {
+  method=$1
+  endpoint=$2
+  data=$3
+
+  credentials=$(printf "%b" "$DOMENESHOP_Token:$DOMENESHOP_Secret" | _base64)
+
+  export _H1="Authorization: Basic $credentials"
+  export _H2="Content-Type: application/json"
+
+  if [ "$method" != "GET" ]; then
+    response="$(_post "$data" "$DOMENESHOP_Api_Endpoint/$endpoint" "" "$method")"
+  else
+    response="$(_get "$DOMENESHOP_Api_Endpoint/$endpoint")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "error $endpoint"
+    return 1
+  fi
+
+  return 0
+}

dnsapi/dns_linode_v4.sh

@@ -31,7 +31,8 @@ dns_linode_v4_add() {
   _payload="{
               \"type\": \"TXT\",
               \"name\": \"$_sub_domain\",
-              \"target\": \"$txtvalue\"
+              \"target\": \"$txtvalue\",
+              \"ttl_sec\": 300
             }"
 
   if _rest POST "/$_domain_id/records" "$_payload" && [ -n "$response" ]; then

dnsapi/dns_namesilo.sh

@@ -110,7 +110,7 @@ _get_root() {
       return 1
     fi
 
-    if _contains "$response" "$host"; then
+    if _contains "$response" "<domain>$host"; then
       _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
       _domain="$host"
       return 0

notify/xmpp.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env sh
+
+#Support xmpp via sendxmpp
+
+#XMPP_BIN="/usr/bin/sendxmpp"
+#XMPP_BIN_ARGS="-n -t --tls-ca-path=/etc/ssl/certs"
+#XMPP_TO="zzzz@example.com"
+
+xmpp_send() {
+  _subject="$1"
+  _content="$2"
+  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _debug "_subject" "$_subject"
+  _debug "_content" "$_content"
+  _debug "_statusCode" "$_statusCode"
+
+  XMPP_BIN="${XMPP_BIN:-$(_readaccountconf_mutable XMPP_BIN)}"
+  if [ -n "$XMPP_BIN" ] && ! _exists "$XMPP_BIN"; then
+    _err "It seems that the command $XMPP_BIN is not in path."
+    return 1
+  fi
+  _XMPP_BIN=$(_xmpp_bin)
+  if [ -n "$XMPP_BIN" ]; then
+    _saveaccountconf_mutable XMPP_BIN "$XMPP_BIN"
+  else
+    _clearaccountconf "XMPP_BIN"
+  fi
+
+  XMPP_BIN_ARGS="${XMPP_BIN_ARGS:-$(_readaccountconf_mutable XMPP_BIN_ARGS)}"
+  if [ -n "$XMPP_BIN_ARGS" ]; then
+    _saveaccountconf_mutable XMPP_BIN_ARGS "$XMPP_BIN_ARGS"
+  else
+    _clearaccountconf "XMPP_BIN_ARGS"
+  fi
+
+  XMPP_TO="${XMPP_TO:-$(_readaccountconf_mutable XMPP_TO)}"
+  if [ -n "$XMPP_TO" ]; then
+    if ! _xmpp_valid "$XMPP_TO"; then
+      _err "It seems that the XMPP_TO=$XMPP_TO is not a valid xmpp address."
+      return 1
+    fi
+
+    _saveaccountconf_mutable XMPP_TO "$XMPP_TO"
+  fi
+
+  result=$({ _xmpp_message | eval "$(_xmpp_cmnd)"; } 2>&1)
+
+  # shellcheck disable=SC2181
+  if [ $? -ne 0 ]; then
+    _debug "xmpp send error."
+    _err "$result"
+    return 1
+  fi
+
+  _debug "xmpp send success."
+  return 0
+}
+
+_xmpp_bin() {
+  if [ -n "$XMPP_BIN" ]; then
+    _XMPP_BIN="$XMPP_BIN"
+  elif _exists "sendxmpp"; then
+    _XMPP_BIN="sendxmpp"
+  else
+    _err "Please install sendxmpp first."
+    return 1
+  fi
+
+  echo "$_XMPP_BIN"
+}
+
+_xmpp_cmnd() {
+  case $(basename "$_XMPP_BIN") in
+    sendxmpp)
+      echo "'$_XMPP_BIN' '$XMPP_TO' $XMPP_BIN_ARGS"
+      ;;
+    *)
+      _err "Command $XMPP_BIN is not supported, use sendxmpp."
+      return 1
+      ;;
+  esac
+}
+
+_xmpp_message() {
+  echo "$_subject"
+}
+
+_xmpp_valid() {
+  _contains "$1" "@"
+}