mirror of
https://github.com/hiskang/acme.sh
synced 2025-10-31 02:17:18 +00:00
support ECC key, ECDSA certificate
This commit is contained in:
neil
parent
0f71a9fe96
commit
1add47a6b6
19
README.md
19
README.md
@ -181,6 +181,25 @@ If your dns provider is not in the supported list above, you can write your own
|
|||||||
For more details: [How to use dns api](dnsapi)
|
For more details: [How to use dns api](dnsapi)
|
||||||
|
|
||||||
|
|
||||||
|
# Issue ECC certificate:
|
||||||
|
LetsEncrypt now can issue ECDSA certificate.
|
||||||
|
And we also support it.
|
||||||
|
|
||||||
|
Just set key length to the `length` paramiter with a prefix "ec-".
|
||||||
|
For example:
|
||||||
|
```
|
||||||
|
le issue /home/wwwroot/aa.com aa.com www.aa.com ec-256
|
||||||
|
```
|
||||||
|
Please look at the last parameter above.
|
||||||
|
|
||||||
|
Valid values are:
|
||||||
|
|
||||||
|
1. ec-256 (prime256v1, "ECDSA P-256")
|
||||||
|
2. ec-384 (secp384r1, "ECDSA P-384")
|
||||||
|
3. ec-521 (secp521r1, "ECDSA P-521", not supported by letsencrypt yet.)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#Under the Hood
|
#Under the Hood
|
||||||
|
|
||||||
Speak ACME language with bash directly to Let's encrypt.
|
Speak ACME language with bash directly to Let's encrypt.
|
||||||
|
|||||||
67
le.sh
67
le.sh
@ -1,5 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
VER=1.1.5
|
VER=1.1.6
|
||||||
PROJECT="https://github.com/Neilpang/le"
|
PROJECT="https://github.com/Neilpang/le"
|
||||||
|
|
||||||
DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
|
DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
|
||||||
@ -41,6 +41,7 @@ _err() {
|
|||||||
else
|
else
|
||||||
echo "$1"="$2" >&2
|
echo "$1"="$2" >&2
|
||||||
fi
|
fi
|
||||||
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
_h2b() {
|
_h2b() {
|
||||||
@ -66,12 +67,17 @@ _base64() {
|
|||||||
createAccountKey() {
|
createAccountKey() {
|
||||||
_info "Creating account key"
|
_info "Creating account key"
|
||||||
if [ -z "$1" ] ; then
|
if [ -z "$1" ] ; then
|
||||||
echo Usage: $0 account-domain [2048]
|
echo Usage: createAccountKey account-domain [2048]
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
account=$1
|
account=$1
|
||||||
length=$2
|
length=$2
|
||||||
|
|
||||||
|
if [[ "$length" == "ec-"* ]] ; then
|
||||||
|
length=2048
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -z "$2" ] ; then
|
if [ -z "$2" ] ; then
|
||||||
_info "Use default length 2048"
|
_info "Use default length 2048"
|
||||||
length=2048
|
length=2048
|
||||||
@ -92,21 +98,50 @@ createAccountKey() {
|
|||||||
createDomainKey() {
|
createDomainKey() {
|
||||||
_info "Creating domain key"
|
_info "Creating domain key"
|
||||||
if [ -z "$1" ] ; then
|
if [ -z "$1" ] ; then
|
||||||
echo Usage: $0 domain [2048]
|
echo Usage: createDomainKey domain [2048]
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
domain=$1
|
domain=$1
|
||||||
length=$2
|
length=$2
|
||||||
if [ -z "$2" ] ; then
|
isec=""
|
||||||
_info "Use default length 2048"
|
if [[ "$length" == "ec-"* ]] ; then
|
||||||
|
isec="1"
|
||||||
|
length=$(printf $length | cut -d '-' -f 2-100)
|
||||||
|
eccname="$length"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$length" ] ; then
|
||||||
|
if [ "$isec" ] ; then
|
||||||
|
length=256
|
||||||
|
else
|
||||||
length=2048
|
length=2048
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
_info "Use length $length"
|
||||||
|
|
||||||
|
if [ "$isec" ] ; then
|
||||||
|
if [ "$length" == "256" ] ; then
|
||||||
|
eccname="prime256v1"
|
||||||
|
fi
|
||||||
|
if [ "$length" == "384" ] ; then
|
||||||
|
eccname="secp384r1"
|
||||||
|
fi
|
||||||
|
if [ "$length" == "521" ] ; then
|
||||||
|
eccname="secp521r1"
|
||||||
|
fi
|
||||||
|
_info "Using ec name: $eccname"
|
||||||
|
fi
|
||||||
|
|
||||||
_initpath $domain
|
_initpath $domain
|
||||||
|
|
||||||
if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then
|
if [ ! -f "$CERT_KEY_PATH" ] || ( [ "$FORCE" ] && ! [ "$IS_RENEW" ] ); then
|
||||||
#generate account key
|
#generate account key
|
||||||
openssl genrsa $length > "$CERT_KEY_PATH"
|
if [ "$isec" ] ; then
|
||||||
|
openssl ecparam -name $eccname -genkey 2>/dev/null > "$CERT_KEY_PATH"
|
||||||
|
else
|
||||||
|
openssl genrsa $length 2>/dev/null > "$CERT_KEY_PATH"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
if [ "$IS_RENEW" ] ; then
|
if [ "$IS_RENEW" ] ; then
|
||||||
_info "Domain key exists, skip"
|
_info "Domain key exists, skip"
|
||||||
@ -250,7 +285,7 @@ _savedomainconf() {
|
|||||||
if [ "$DOMAIN_CONF" ] ; then
|
if [ "$DOMAIN_CONF" ] ; then
|
||||||
_setopt $DOMAIN_CONF "$key" "=" "$value"
|
_setopt $DOMAIN_CONF "$key" "=" "$value"
|
||||||
else
|
else
|
||||||
_debug "DOMAIN_CONF is empty, can not save $key=$value"
|
_err "DOMAIN_CONF is empty, can not save $key=$value"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -261,7 +296,7 @@ _saveaccountconf() {
|
|||||||
if [ "$ACCOUNT_CONF_PATH" ] ; then
|
if [ "$ACCOUNT_CONF_PATH" ] ; then
|
||||||
_setopt $ACCOUNT_CONF_PATH "$key" "=" "$value"
|
_setopt $ACCOUNT_CONF_PATH "$key" "=" "$value"
|
||||||
else
|
else
|
||||||
_debug "ACCOUNT_CONF_PATH is empty, can not save $key=$value"
|
_err "ACCOUNT_CONF_PATH is empty, can not save $key=$value"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -330,28 +365,28 @@ _initpath() {
|
|||||||
ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key"
|
ACCOUNT_KEY_PATH="$LE_WORKING_DIR/account.key"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -z "$domain" ] ; then
|
if [ -z "$domain" ] ; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p "$LE_WORKING_DIR/$domain"
|
domainhome="$LE_WORKING_DIR/$domain"
|
||||||
|
mkdir -p "$domainhome"
|
||||||
|
|
||||||
if [ -z "$DOMAIN_CONF" ] ; then
|
if [ -z "$DOMAIN_CONF" ] ; then
|
||||||
DOMAIN_CONF="$LE_WORKING_DIR/$domain/$Le_Domain.conf"
|
DOMAIN_CONF="$domainhome/$Le_Domain.conf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$CSR_PATH" ] ; then
|
if [ -z "$CSR_PATH" ] ; then
|
||||||
CSR_PATH="$LE_WORKING_DIR/$domain/$domain.csr"
|
CSR_PATH="$domainhome/$domain.csr"
|
||||||
fi
|
fi
|
||||||
if [ -z "$CERT_KEY_PATH" ] ; then
|
if [ -z "$CERT_KEY_PATH" ] ; then
|
||||||
CERT_KEY_PATH="$LE_WORKING_DIR/$domain/$domain.key"
|
CERT_KEY_PATH="$domainhome/$domain.key"
|
||||||
fi
|
fi
|
||||||
if [ -z "$CERT_PATH" ] ; then
|
if [ -z "$CERT_PATH" ] ; then
|
||||||
CERT_PATH="$LE_WORKING_DIR/$domain/$domain.cer"
|
CERT_PATH="$domainhome/$domain.cer"
|
||||||
fi
|
fi
|
||||||
if [ -z "$CA_CERT_PATH" ] ; then
|
if [ -z "$CA_CERT_PATH" ] ; then
|
||||||
CA_CERT_PATH="$LE_WORKING_DIR/$domain/ca.cer"
|
CA_CERT_PATH="$domainhome/ca.cer"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user