Merge pull request #1376 from Neilpang/dev

sync
2025-10-31 10:27:22 +00:00 · 2018-03-14 22:12:11 +08:00 · 2018-03-14 22:12:11 +08:00 · dff4d03bd4
commit dff4d03bd4
parent 14bb60c61f 28d83d42e2
2 changed files with 60 additions and 43 deletions
--- a/README.md
+++ b/README.md
@ -220,22 +220,7 @@ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert


-# 5. Use Standalone TLS server to issue cert
-
-**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))**
-
-acme.sh supports `tls-sni-01` validation.
-
-Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
-
-```bash
-acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com
-```
-
-More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-
-
-# 6. Use Apache mode
+# 5. Use Apache mode

 **(requires you to be root/sudoer, since it is required to interact with Apache server)**

@ -255,7 +240,7 @@ We don't want to mess your apache server, don't worry.**

 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

-# 7. Use Nginx mode
+# 6. Use Nginx mode

 **(requires you to be root/sudoer, since it is required to interact with Nginx server)**

@ -279,7 +264,7 @@ We don't want to mess your nginx server, don't worry.**

 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

-# 8. Automatic DNS API integration
+# 7. Automatic DNS API integration

 If your DNS provider supports API access, we can use that API to automatically issue the certs.

@ -342,7 +327,7 @@ If your DNS provider is not on the supported list above, you can write your own

 For more details: [How to use DNS API](dnsapi)

-# 9. Use DNS manual mode:
+# 8. Use DNS manual mode:

 If your dns provider doesn't support any api access, you can add the txt record by your hand.

@ -376,7 +361,7 @@ Ok, it's done.

 **Please use dns api mode instead.**

-# 10. Issue ECC certificates
+# 9. Issue ECC certificates

 `Let's Encrypt` can now issue **ECDSA** certificates.

@ -408,7 +393,7 @@ Valid values are:



-# 11. Issue Wildcard certificates
+# 10. Issue Wildcard certificates

 It's simple, just give a wildcard domain as the `-d` parameter.

@ -418,7 +403,7 @@ acme.sh  --issue -d example.com  -d *.example.com  --dns dns_cf



-# 12. How to renew the certs
+# 11. How to renew the certs

 No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.

@ -435,7 +420,7 @@ acme.sh --renew -d example.com --force --ecc
 ```


-# 13. How to stop cert renewal
+# 12. How to stop cert renewal

 To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:

@ -448,7 +433,7 @@ The cert/key file is not removed from the disk.
 You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.


-# 14. How to upgrade `acme.sh`
+# 13. How to upgrade `acme.sh`

 acme.sh is in constant development, so it's strongly recommended to use the latest code.

@ -473,25 +458,25 @@ acme.sh --upgrade --auto-upgrade 0
 ```


-# 15. Issue a cert from an existing CSR
+# 14. Issue a cert from an existing CSR

 https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR


-# 16. Under the Hood
+# 15. Under the Hood

 Speak ACME language using shell, directly to "Let's Encrypt".

 TODO:


-# 17. Acknowledgments
+# 16. Acknowledgments

 1. Acme-tiny: https://github.com/diafygi/acme-tiny
 2. ACME protocol: https://github.com/ietf-wg-acme/acme


-# 18. License & Others
+# 17. License & Others

 License is GPLv3

@ -500,7 +485,7 @@ Please Star and Fork me.
 [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome.


-# 19. Donate
+# 18. Donate
 Your donation makes **acme.sh** better:

 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-VER=2.7.7
+VER=2.7.8

 PROJECT_NAME="acme.sh"

@ -47,6 +47,7 @@ DEFAULT_DNS_SLEEP=120
 NO_VALUE="no"

 W_TLS="tls"
+W_DNS="dns"
 DNS_ALIAS_PREFIX="="

 MODE_STATELESS="stateless"
@ -2341,7 +2342,7 @@ _initpath() {
    fi
  fi

-  _debug2 ACME_DIRECTORY "$ACME_DIRECTORY"
+  _debug ACME_DIRECTORY "$ACME_DIRECTORY"
  _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
  _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"

@ -2998,6 +2999,8 @@ _on_before_issue() {
  _chk_pre_hook="$4"
  _chk_local_addr="$5"
  _debug _on_before_issue
+  _debug _chk_main_domain "$_chk_main_domain"
+  _debug _chk_alt_domains "$_chk_alt_domains"
  #run pre hook
  if [ "$_chk_pre_hook" ]; then
    _info "Run pre hook:'$_chk_pre_hook'"
@ -3018,11 +3021,17 @@ _on_before_issue() {

  _debug Le_LocalAddress "$_chk_local_addr"

-  alldomains=$(echo "$_chk_main_domain,$_chk_alt_domains" | tr ',' ' ')
  _index=1
  _currentRoot=""
  _addrIndex=1
-  for d in $alldomains; do
+  _w_index=1
+  while true; do
+    d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")"
+    _w_index="$(_math "$_w_index" + 1)"
+    _debug d "$d"
+    if [ -z "$d" ]; then
+      break
+    fi
    _debug "Check for domain" "$d"
    _currentRoot="$(_getfield "$_chk_web_roots" $_index)"
    _debug "_currentRoot" "$_currentRoot"
@ -3118,7 +3127,7 @@ _on_issue_err() {
    )
  fi

-  if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "dns"; then
+  if [ "$IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "$W_DNS"; then
    _err "$_DNS_MANUAL_ERR"
  fi

@ -3154,7 +3163,7 @@ _on_issue_success() {
    fi
  fi

-  if _hasfield "$Le_Webroot" "dns"; then
+  if _hasfield "$Le_Webroot" "$W_DNS"; then
    _err "$_DNS_MANUAL_WARN"
  fi

@ -3421,6 +3430,9 @@ issue() {
    _main_domain=$(echo "$2,$3" | cut -d , -f 1)
    _alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//")
  fi
+  _debug _main_domain "$_main_domain"
+  _debug _alt_domains "$_alt_domains"
+
  _key_length="$4"
  _real_cert="$5"
  _real_key="$6"
@ -3551,10 +3563,15 @@ issue() {
    if [ "$ACME_VERSION" = "2" ]; then
      #make new order request
      _identifiers="{\"type\":\"dns\",\"value\":\"$_main_domain\"}"
-      for d in $(echo "$_alt_domains" | tr ',' ' '); do
-        if [ "$d" ]; then
-          _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
+      _w_index=1
+      while true; do
+        d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+        _w_index="$(_math "$_w_index" + 1)"
+        _debug d "$d"
+        if [ -z "$d" ]; then
+          break
        fi
+        _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$d\"}"
      done
      _debug2 _identifiers "$_identifiers"
      if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
@ -3591,6 +3608,8 @@ issue() {
        _debug2 "_authz_url" "$_authz_url"
        if ! response="$(_get "$_authz_url")"; then
          _err "get to authz error."
+          _err "_authorizations_seg" "$_authorizations_seg"
+          _err "_authz_url" "$_authz_url"
          _clearup
          _on_issue_err "$_post_hook"
          return 1
@ -3609,10 +3628,16 @@ $_authorizations_map"
      _debug2 _authorizations_map "$_authorizations_map"
    fi

-    alldomains=$(echo "$_main_domain,$_alt_domains" | tr ',' ' ')
    _index=0
    _currentRoot=""
-    for d in $alldomains; do
+    _w_index=1
+    while true; do
+      d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")"
+      _w_index="$(_math "$_w_index" + 1)"
+      _debug d "$d"
+      if [ -z "$d" ]; then
+        break
+      fi
      _info "Getting webroot for domain" "$d"
      _index=$(_math $_index + 1)
      _w="$(echo $_web_roots | cut -d , -f $_index)"
@ -3624,7 +3649,7 @@ $_authorizations_map"

      vtype="$VTYPE_HTTP"
      #todo, v2 wildcard force to use dns
-      if _startswith "$_currentRoot" "dns"; then
+      if _startswith "$_currentRoot" "$W_DNS"; then
        vtype="$VTYPE_DNS"
      fi

@ -3641,6 +3666,7 @@ $_authorizations_map"
        _debug2 "response" "$response"
        if [ -z "$response" ]; then
          _err "get to authz error."
+          _err "_authorizations_map" "$_authorizations_map"
          _clearup
          _on_issue_err "$_post_hook"
          return 1
@ -3751,6 +3777,10 @@ $_authorizations_map"
        if [ "$d_api" ]; then
          _info "Found domain api file: $d_api"
        else
+          if [ "$_currentRoot" != "$W_DNS" ]; then
+            _err "Can not find dns api hook for: $_currentRoot"
+            _info "You need to add the txt record manually."
+          fi
          _info "$(__red "Add the following TXT record:")"
          _info "$(__red "Domain: '$(__green "$txtdomain")'")"
          _info "$(__red "TXT value: '$(__green "$txt")'")"
@ -4264,7 +4294,7 @@ renew() {
  fi

  . "$DOMAIN_CONF"
-
+  _debug Le_API "$Le_API"
  if [ "$Le_API" ]; then
    if [ "$_OLD_CA_HOST" = "$Le_API" ]; then
      export Le_API="$DEFAULT_CA"
@ -4868,6 +4898,8 @@ _deactivate() {
    _debug2 "authzUri" "$authzUri"
    if ! response="$(_get "$authzUri")"; then
      _err "get to authz error."
+      _err "_authorizations_seg" "$_authorizations_seg"
+      _err "authzUri" "$authzUri"
      _clearup
      _on_issue_err "$_post_hook"
      return 1
@ -5779,7 +5811,7 @@ _process() {
        fi
        ;;
      --dns)
-        wvalue="dns"
+        wvalue="$W_DNS"
        if [ "$2" ] && ! _startswith "$2" "-"; then
          wvalue="$2"
          shift