Merge pull request #20 from Neilpang/dev

supprt apache server plugin
2025-10-31 10:27:22 +00:00 · 2016-01-10 11:01:28 +08:00 · 2016-01-10 11:01:28 +08:00 · 2bf1d93afd
commit 2bf1d93afd
parent 8172bdee87 2c75b3fd6b
2 changed files with 129 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -1,12 +1,12 @@
 # le
 Simplest shell script for LetsEncrypt free Certificate client

-This is a shell version from https://github.com/diafygi/acme-tiny
-
 Pure written in bash, no dependencies to python , acme-tiny or LetsEncrypt official client (https://github.com/letsencrypt/letsencrypt)

 Just one script, to issue, renew your certificates automatically.

+This is a shell version from https://github.com/diafygi/acme-tiny, but without any dependencies.
+
 Probably it's the smallest&easiest&smartest shell script to automatically  issue&renew the free certificates from LetsEncrypt.


@ -15,6 +15,11 @@ Probably it's the smallest&easiest&smartest shell script to automatically  issue
 2. CentOS


+#Supported Mode
+1. Webroot mode
+2. Standalone mode
+3. Apache mode
+
 #How to use

 1. Clone this project: https://github.com/Neilpang/le.git
@ -37,7 +42,7 @@ root@xvm:~# le
 Usage: issue|renew|renewAll|createAccountKey|createDomainKey|createCSR|install|uninstall

 root@xvm:~# le issue
-Usage: le  issue  webroot|no   a.com  [www.a.com,b.com,c.com]|no   [key-length]|no  [cert-file-path]|no  [key-file-path]|no  [ca-cert-file-path]|no   [reloadCmd]|no
+Usage: le  issue  webroot|no|apache   a.com  [www.a.com,b.com,c.com]|no   [key-length]|no  [cert-file-path]|no  [key-file-path]|no  [ca-cert-file-path]|no   [reloadCmd]|no

 ```

@ -77,6 +82,17 @@ The tcp `80` port must be free to listen, otherwise you will be prompted to free
 le issue    no    aa.com    www.aa.com,cp.aa.com
 ```

+# Use Apache mode:
+If you are running a web server, apache or nginx, it its recommended to use the Webroot mode.
+Particularly,  if you are running an apache server, you can use apache mode instead. Which doesn't write any file to your web root folder.
+
+Just set string "apache" to the first argument, it will use apache plugin automatically.
+
+```
+le  issue  apache  aa.com  www.aa.com
+```
+All the other arguments are the same with previous.
+


 #Under the Hood
--- a/le.sh
+++ b/le.sh
@ -1,6 +1,6 @@
 #!/bin/bash

-
+PROJECT="https://github.com/Neilpang/le"

 DEFAULT_CA="https://acme-v01.api.letsencrypt.org"
 DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
@ -234,7 +234,15 @@ _stopserver() {

 _initpath() {
  if [ -z "$WORKING_DIR" ]; then
-    WORKING_DIR=~/.le
+    WORKING_DIR=$HOME/.le
+  fi
+  
+  if [ -z "$ACME_DIR" ] ; then
+    ACME_DIR="/home/.acme"
+  fi
+  
+  if [ -z "$APACHE_CONF_BACKUP_DIR" ] ; then
+    APACHE_CONF_BACKUP_DIR="$WORKING_DIR/"
  fi
  
  domain="$1"
@ -256,9 +264,91 @@ _initpath() {
  CERT_PATH="$WORKING_DIR/$domain/$domain.cer"
  
  CA_CERT_PATH="$WORKING_DIR/$domain/ca.cer"
+  
+
+  
 }


+_apachePath() {
+  httpdroot="$(apachectl -V | grep HTTPD_ROOT= | cut -d = -f 2 | sed s/\"//g)"
+  httpdconfname="$(apachectl -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | sed s/\"//g)"
+  httpdconf="$httpdroot/$httpdconfname"
+  if [ ! -f $httpdconf ] ; then
+    _err "Apache Config file not found" $httpdconf
+    return 1
+  fi
+  return 0
+}
+
+_restoreApache() {
+  _initpath
+  if ! _apachePath ; then
+    return 1
+  fi
+  
+  if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ] ; then
+    _debug "No config file to restore."
+    return 0
+  fi
+  
+  cp -p "$APACHE_CONF_BACKUP_DIR/$httpdconfname" "$httpdconf"
+  if ! apachectl  -t ; then
+    _err "Sorry, restore apache config error, please contact me."
+    return 1;
+  fi
+  rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname"
+  return 0  
+}
+
+_setApache() {
+  _initpath
+  if ! _apachePath ; then
+    return 1
+  fi
+
+  #backup the conf
+  _debug "Backup apache config file" $httpdconf
+  cp -p $httpdconf $APACHE_CONF_BACKUP_DIR/
+  _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname"
+  _info "In case there is an error that can not be restored automatically, you may try restore it yourself."
+  _info "The backup file will be deleted on sucess, just forget it."
+  
+  #add alias
+  echo "
+Alias /.well-known/acme-challenge  $ACME_DIR
+
+<Directory $ACME_DIR >
+Order allow,deny
+Allow from all
+</Directory>
+  " >> $httpdconf
+  
+  if ! apachectl  -t ; then
+    _err "Sorry, apache config error, please contact me."
+    _restoreApache
+    return 1;
+  fi
+  
+  if [ ! -d "$ACME_DIR" ] ; then
+    mkdir -p "$ACME_DIR"
+    chmod 755 "$ACME_DIR"
+  fi
+  
+  if ! apachectl  graceful ; then
+    _err "Sorry, apachectl  graceful error, please contact me."
+    _restoreApache
+    return 1;
+  fi
+  
+  return 0
+}
+
+_clearup () {
+  _stopserver $serverproc
+  _restoreApache
+}
+
 issue() {
  if [ -z "$1" ] ; then
    echo "Usage: le  issue  webroot|no   a.com  [www.a.com,b.com,c.com]|no   [key-length]|no  [cert-file-path]|no  [key-file-path]|no  [ca-cert-file-path]|no   [reloadCmd]|no"
@ -330,6 +420,14 @@ issue() {
      return 1
    fi
  fi
+  
+  if [ "$Le_Webroot" == "apache" ] ; then
+    if ! _setApache ; then
+      _err "set up apache error. Report error to me."
+      return 1
+    fi
+    wellknown_path="$ACME_DIR"
+  fi

  createAccountKey $Le_Domain $Le_Keylength
  
@ -373,6 +471,7 @@ issue() {
    _info "Already registered"
  else
    _err "Register account Error."
+    _clearup
    return 1
  fi
  
@ -388,6 +487,7 @@ issue() {
 
    if [ ! -z "$code" ] && [ ! "$code" == '201' ] ; then
      _err "new-authz error: $response"
+      _clearup
      return 1
    fi
    
@ -410,7 +510,9 @@ issue() {
      sleep 2
      _debug serverproc $serverproc
    else
-      wellknown_path="$Le_Webroot/.well-known/acme-challenge"
+      if [ -z "$wellknown_path" ] ; then
+        wellknown_path="$Le_Webroot/.well-known/acme-challenge"
+      fi
      _debug wellknown_path "$wellknown_path"
      
      mkdir -p "$wellknown_path"
@ -425,7 +527,7 @@ issue() {
    
    if [ ! -z "$code" ] && [ ! "$code" == '202' ] ; then
      _err "$d:Challenge error: $resource"
-      _stopserver $serverproc
+      _clearup
      return 1
    fi
    
@ -436,7 +538,7 @@ issue() {
      
      if ! _get $uri ; then
        _err "$d:Verify error:$resource"
-        _stopserver $serverproc
+        _clearup
        return 1
      fi
      
@ -449,7 +551,7 @@ issue() {
      if [ "$status" == "invalid" ] ; then
         error=$(echo $response | egrep -o '"error":{[^}]*}' | grep -o '"detail":"[^"]*"' | cut -d '"' -f 4)
        _err "$d:Verify error:$error"
-        _stopserver $serverproc
+        _clearup
        return 1;
      fi
      
@ -457,7 +559,7 @@ issue() {
        _info "Pending"
      else
        _err "$d:Verify error:$response" 
-        _stopserver $serverproc
+        _clearup
        return 1
      fi
      
@ -488,6 +590,7 @@ issue() {
  if [ -z "$Le_LinkCert" ] ; then
    response="$(echo $response | base64 -d)"
    _err "Sign failed: $(echo "$response" | grep -o  '"detail":"[^"]*"')"
+    _clearup
    return 1
  fi