mirror of
https://github.com/myvesta/vesta.git
synced 2024-12-21 11:31:21 -08:00
5e9cf711e6
Credits to HestiaCP - https://github.com/hestiacp/hestiacp/pull/4622
476 lines
22 KiB
Bash
Executable File
476 lines
22 KiB
Bash
Executable File
#!/bin/bash
|
|
# info: check letsencrypt domain
|
|
# options: USER DOMAIN [ALIASES]
|
|
#
|
|
# The function check and validates domain with Let's Encript
|
|
|
|
|
|
#----------------------------------------------------------#
|
|
# Variable&Function #
|
|
#----------------------------------------------------------#
|
|
|
|
# Argument definition
|
|
user=$1
|
|
domain=$2
|
|
aliases=$3
|
|
|
|
# LE API
|
|
API='https://acme-v02.api.letsencrypt.org'
|
|
|
|
if [[ "$LE_STAGING" = 'yes' ]]; then
|
|
API='https://acme-staging-v02.api.letsencrypt.org'
|
|
fi
|
|
|
|
deb_release=$(cat /etc/debian_version | tr "." "\n" | head -n1)
|
|
|
|
# Includes
|
|
source $VESTA/func/main.sh
|
|
source $VESTA/func/domain.sh
|
|
source $VESTA/conf/vesta.conf
|
|
|
|
# Additional argument formatting
|
|
format_identifier_idn() {
|
|
identifier_idn=$identifier
|
|
if [[ "$identifier_idn" = *[![:ascii:]]* ]]; then
|
|
identifier_idn=$(idn -t --quiet -a $identifier_idn)
|
|
fi
|
|
}
|
|
|
|
# encode base64
|
|
encode_base64() {
|
|
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
|
|
}
|
|
|
|
# Let's Encrypt v2 curl function
|
|
query_le_v2() {
|
|
|
|
protected='{"nonce": "'$3'",'
|
|
protected=''$protected' "url": "'$1'",'
|
|
protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
|
|
content="Content-Type: application/jose+json"
|
|
|
|
payload_=$(echo -n "$2" |encode_base64)
|
|
protected_=$(echo -n "$protected" |encode_base64)
|
|
signature_=$(printf "%s" "$protected_.$payload_" |\
|
|
openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
|
|
encode_base64)
|
|
|
|
post_data='{"protected":"'"$protected_"'",'
|
|
post_data=$post_data'"payload":"'"$payload_"'",'
|
|
post_data=$post_data'"signature":"'"$signature_"'"}'
|
|
|
|
# Save http response to file passed as "$4" arg or print to stdout if not provided
|
|
# http response headers are always sent to stdout
|
|
local save_to_file=${4:-"/dev/stdout"}
|
|
if [ "$deb_release" -gt 8 ]; then
|
|
curl --location --user-agent "myVesta" --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
|
|
else
|
|
curl --location --user-agent "myVesta" --insecure --retry 5 --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
|
|
fi
|
|
}
|
|
|
|
|
|
|
|
#----------------------------------------------------------#
|
|
# Verifications #
|
|
#----------------------------------------------------------#
|
|
|
|
check_args '2' "$#" 'USER DOMAIN [ALIASES]'
|
|
is_format_valid 'user' 'domain' 'aliases'
|
|
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
|
|
is_object_valid 'user' 'USER' "$user"
|
|
is_object_unsuspended 'user' 'USER' "$user"
|
|
is_object_valid 'web' 'DOMAIN' "$domain"
|
|
is_object_unsuspended 'web' 'DOMAIN' "$domain"
|
|
get_domain_values 'web'
|
|
|
|
echo "-----------------------------------------------------------------------------------" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : v-add-letsencrypt-domain $domain [$aliases]" >> /usr/local/vesta/log/letsencrypt.log
|
|
|
|
# check if alias is the letsencrypt wildcard domain, if not, make the normal checks
|
|
if [[ "$aliases" != "*.$domain" ]]; then
|
|
for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
|
|
check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
|
|
if [ -z "$check_alias" ]; then
|
|
echo "[$(date)] : EXIT=domain alias $alias doesn't exist" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_NOTEXIST "domain alias $alias doesn't exist"
|
|
fi
|
|
done
|
|
fi;
|
|
|
|
#----------------------------------------------------------#
|
|
# Action #
|
|
#----------------------------------------------------------#
|
|
|
|
# Registering LetsEncrypt user account
|
|
echo "[$(date)] : v-add-letsencrypt-user $user" >> /usr/local/vesta/log/letsencrypt.log
|
|
$BIN/v-add-letsencrypt-user $user
|
|
echo "[$(date)] : result: $?" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [ "$?" -ne 0 ]; then
|
|
touch $VESTA/data/queue/letsencrypt.pipe
|
|
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
|
send_notice "LETSENCRYPT" "Account registration failed"
|
|
echo "[$(date)] : EXIT=LE account registration" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "LE account registration" >/dev/null
|
|
fi
|
|
|
|
# Parsing LetsEncrypt account data
|
|
source $USER_DATA/ssl/le.conf
|
|
|
|
# Checking wildcard alias
|
|
if [ "$aliases" = "*.$domain" ]; then
|
|
echo "[$(date)] : Checking wildcard alias" >> /usr/local/vesta/log/letsencrypt.log
|
|
wildcard='yes'
|
|
proto="dns-01"
|
|
if [ ! -e "$VESTA/data/users/$user/dns/$domain.conf" ]; then
|
|
echo "[$(date)] : EXIT=DNS domain $domain doesn't exist" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
|
|
fi
|
|
else
|
|
proto="http-01"
|
|
fi
|
|
|
|
# Requesting nonce / STEP 1
|
|
echo "[$(date)] : --- Requesting nonce / STEP 1 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : curl -s -I \"$API/directory\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(curl --user-agent "myVesta" -s -I "$API/directory")
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ "$status" -ne 200 ]]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt nonce request status $status" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt nonce request status $status"
|
|
fi
|
|
|
|
# Placing new order / STEP 2
|
|
echo "[$(date)] : --- Placing new order / STEP 2 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
url="$API/acme/new-order"
|
|
payload='{"identifiers":['
|
|
for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
|
|
format_identifier_idn
|
|
payload=$payload'{"type":"dns","value":"'$identifier_idn'"},'
|
|
done
|
|
payload=$(echo "$payload"|sed "s/,$//")
|
|
payload=$payload']}'
|
|
# validation='pending'
|
|
# # Start counter to avoid infinite loop
|
|
# i=0
|
|
# while [ "$validation" = 'pending' ]; do
|
|
# echo "[$(date)] : ----------------------- step 2 loop, counter \$i=$i -----------------------" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : payload=$payload" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : query_le_v2 \"$url\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(query_le_v2 "$url" "$payload" "$nonce")
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log
|
|
authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
|
|
echo "[$(date)] : authz=$authz" >> /usr/local/vesta/log/letsencrypt.log
|
|
finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
|
|
echo "[$(date)] : finalize=$finalize" >> /usr/local/vesta/log/letsencrypt.log
|
|
order=$(echo -e "$answer" | grep -i location | cut -f2 -d \ | tr -d '\r\n')
|
|
echo "[$(date)] : order=$order" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer" |grep HTTP/ |tail -n1 |cut -f2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
validation=$(echo "$answer" | grep 'status":' | cut -f4 -d '"')
|
|
echo "[$(date)] : validation=$validation" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ "$status" -ne 201 ]]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt new auth status $status" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt new auth status $status"
|
|
fi
|
|
# # Exit the loop after 5 attempts
|
|
# i=$((i + 1))
|
|
# if [ $i -gt 5 ]; then
|
|
# break
|
|
# fi
|
|
# sleep 2
|
|
# done
|
|
|
|
# Requesting authorization token / STEP 3
|
|
echo "[$(date)] : --- Requesting authorization token / STEP 3 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
for auth in $authz; do
|
|
payload=''
|
|
echo "[$(date)] : for auth=$auth" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : query_le_v2 \"$auth\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(query_le_v2 "$auth" "$payload" "$nonce")
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
|
|
echo "[$(date)] : url=$url" >> /usr/local/vesta/log/letsencrypt.log
|
|
token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
|
|
echo "[$(date)] : token=$token" >> /usr/local/vesta/log/letsencrypt.log
|
|
nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ "$status" -ne 200 ]]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt acme/authz bad status $status" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
|
|
fi
|
|
|
|
# Configuring challenge / STEP 4
|
|
echo "[$(date)] : --- Configuring challenge / STEP 4 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : wildcard=$wildcard" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [ "$wildcard" = 'yes' ]; then
|
|
record=$(printf "%s" "$token.$THUMB" |\
|
|
openssl dgst -sha256 -binary |encode_base64)
|
|
old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
|
|
old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
|
|
for old_record in $old_records; do
|
|
$BIN/v-delete-dns-record "$user" "$domain" "$old_record"
|
|
done
|
|
$BIN/v-add-dns-record "$user" "$domain" "_acme-challenge" "TXT" "$record"
|
|
exitstatus=$?
|
|
echo "[$(date)] : v-add-dns-record \"$user\" \"$domain\" \"_acme-challenge\" \"TXT\" \"$record\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [ "$exitstatus" -ne 0 ]; then
|
|
echo "[$(date)] : EXIT=DNS _acme-challenge record wasn't created" >> /usr/local/vesta/log/letsencrypt.log
|
|
fi
|
|
check_result $exitstatus "DNS _acme-challenge record wasn't created"
|
|
systemctl restart bind9
|
|
else
|
|
if [ "$WEB_SYSTEM" = 'nginx' ] || [ ! -z "$PROXY_SYSTEM" ]; then
|
|
if [ -f "/usr/local/vesta/web/inc/nginx_proxy" ]; then
|
|
# if vesta is behind main nginx
|
|
well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
|
|
acme_challenge="$well_known/acme-challenge"
|
|
mkdir -p $acme_challenge
|
|
echo "$token.$THUMB" > $acme_challenge/$token
|
|
echo "[$(date)] : in $acme_challenge/$token we put: $token.$THUMB" >> /usr/local/vesta/log/letsencrypt.log
|
|
chown -R $user:$user $well_known
|
|
else
|
|
# default nginx method
|
|
conf="$HOMEDIR/$user/conf/web/nginx.$domain.conf_letsencrypt"
|
|
sconf="$HOMEDIR/$user/conf/web/snginx.$domain.conf_letsencrypt"
|
|
# if [ ! -e "$conf" ]; then
|
|
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
|
|
> $conf
|
|
echo ' default_type text/plain;' >> $conf
|
|
echo ' return 200 "$1.'$THUMB'";' >> $conf
|
|
echo '}' >> $conf
|
|
# fi
|
|
echo "[$(date)] : in $conf we put: $THUMB" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [ ! -e "$sconf" ]; then
|
|
ln -s "$conf" "$sconf"
|
|
fi
|
|
echo "[$(date)] : v-restart-proxy" >> /usr/local/vesta/log/letsencrypt.log
|
|
$BIN/v-restart-proxy
|
|
if [ -z "$PROXY_SYSTEM" ]; then
|
|
# apache-less variant
|
|
echo "[$(date)] : v-restart-web" >> /usr/local/vesta/log/letsencrypt.log
|
|
$BIN/v-restart-web
|
|
fi
|
|
exitstatus=$?
|
|
if [ "$exitstatus" -ne 0 ]; then
|
|
echo "[$(date)] : EXIT=Proxy restart failed = $exitstatus" >> /usr/local/vesta/log/letsencrypt.log
|
|
fi
|
|
check_result $exitstatus "Proxy restart failed" >/dev/null
|
|
fi
|
|
else
|
|
well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
|
|
acme_challenge="$well_known/acme-challenge"
|
|
mkdir -p $acme_challenge
|
|
echo "$token.$THUMB" > $acme_challenge/$token
|
|
chown -R $user:$user $well_known
|
|
echo "[$(date)] : in $acme_challenge/$token we put: $token.$THUMB" >> /usr/local/vesta/log/letsencrypt.log
|
|
# $BIN/v-restart-web
|
|
# check_result $? "Web restart failed" >/dev/null
|
|
fi
|
|
fi
|
|
|
|
# Requesting ACME validation / STEP 5
|
|
echo "[$(date)] : --- Requesting ACME validation / STEP 5 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
validation_check=$(echo "$answer" |grep '"valid"')
|
|
echo "[$(date)] : validation_check=$validation_check" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ ! -z "$validation_check" ]]; then
|
|
validation='valid'
|
|
else
|
|
validation='pending'
|
|
fi
|
|
|
|
# Doing pol check on status
|
|
i=1
|
|
while [ "$validation" = 'pending' ]; do
|
|
i=0
|
|
while true; do
|
|
echo "[$(date)] : ----------------------- Doing pol check on status, counter \$i=$i -----------------------" >> /usr/local/vesta/log/letsencrypt.log
|
|
payload='{}'
|
|
echo "[$(date)] : query_le_v2 \"$url\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(query_le_v2 "$url" "$payload" "$nonce")
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
url2=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
|
|
echo "[$(date)] : url2=$url2" >> /usr/local/vesta/log/letsencrypt.log
|
|
validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
|
|
echo "[$(date)] : validation=$validation" >> /usr/local/vesta/log/letsencrypt.log
|
|
nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ $(echo "$answer" | grep 'addressesResolved') != "" ]]; then
|
|
break
|
|
fi
|
|
i=$((i + 1))
|
|
if ((i > 30)); then
|
|
break
|
|
fi
|
|
sleep 2
|
|
done
|
|
if [[ "$status" -ne 200 ]]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt validation status $status" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt validation status $status"
|
|
fi
|
|
|
|
i=$((i + 1))
|
|
if [ "$i" -gt 10 ]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt domain validation timeout" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt domain validation timeout"
|
|
fi
|
|
echo "[$(date)] : curl: $url2 :" >> /usr/local/vesta/log/letsencrypt.log
|
|
get_answer=$(curl --user-agent "myVesta" --silent -S "$url2")
|
|
echo "[$(date)] : get_answer=$get_answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
sleeping=$((i*2))
|
|
echo "[$(date)] : sleep $sleeping (i=$i)" >> /usr/local/vesta/log/letsencrypt.log
|
|
sleep $sleeping
|
|
done
|
|
if [ "$validation" = 'invalid' ]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt domain verification failed" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt domain verification failed"
|
|
fi
|
|
done
|
|
|
|
|
|
# Generating new ssl certificate
|
|
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
|
|
"San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
|
|
|
|
# Sending CSR to finalize order / STEP 6
|
|
echo "[$(date)] : --- Sending CSR to finalize order / STEP 6 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
|
|
csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
|
|
payload='{"csr":"'$csr'"}'
|
|
echo "[$(date)] : query_le_v2 \"$finalize\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
|
|
echo "[$(date)] : certificate=$certificate" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ "$status" -ne 200 ]]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt finalize bad status $status" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
|
|
fi
|
|
|
|
if [ "$nonce" = "" ]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt 'nonce' is empty after step 6" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt 'nonce' is empty after step 6"
|
|
fi
|
|
|
|
if [ "$certificate" = "" ]; then
|
|
validation="processing"
|
|
i=1
|
|
while [ "$validation" = "processing" ]; do
|
|
echo "[$(date)] : --- Polling server waiting for Certificate / STEP 7 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(query_le_v2 "$order" "" "$nonce")
|
|
i=$((i + 1))
|
|
|
|
nonce=$(echo "$answer" | grep -i nonce | cut -f2 -d \ | tr -d '\r\n')
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
validation=$(echo "$answer" | grep 'status":' | cut -f4 -d '"')
|
|
echo "[$(date)] : validation=$validation" >> /usr/local/vesta/log/letsencrypt.log
|
|
certificate=$(echo "$answer" | grep 'certificate":' | cut -f4 -d '"')
|
|
echo "[$(date)] : certificate=$certificate" >> /usr/local/vesta/log/letsencrypt.log
|
|
sleep $((i * 2)) # Sleep for 2s, 4s, 6s, 8s
|
|
if [ $i -gt 10 ]; then
|
|
check_result "$E_CONNECT" "Certificate processing timeout ($domain)"
|
|
fi
|
|
done
|
|
fi
|
|
|
|
if [ "$certificate" = "" ]; then
|
|
echo "[$(date)] : EXIT=Let's Encrypt 'certificate' is empty after step 7" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_CONNECT "Let's Encrypt 'certificate' is empty after step 7"
|
|
fi
|
|
|
|
# Downloading signed certificate / STEP 8
|
|
echo "[$(date)] : --- Downloading signed certificate / STEP 8 ---" >> /usr/local/vesta/log/letsencrypt.log
|
|
echo "[$(date)] : query_le_v2 \"$certificate\" \"\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log
|
|
answer=$(query_le_v2 "$certificate" "" "$nonce" "$ssl_dir/$domain.pem")
|
|
echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log
|
|
status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
|
|
echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [[ "$status" -ne 200 ]]; then
|
|
[ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
|
|
echo "[$(date)] : EXIT=Let's Encrypt downloading signed cert failed status: $status" >> /usr/local/vesta/log/letsencrypt.log
|
|
check_result $E_NOTEXIST "Let's Encrypt downloading signed cert failed status: $status"
|
|
fi
|
|
|
|
# Splitting up downloaded pem
|
|
# echo "[$(date)] : - Splitting up downloaded pem" >> /usr/local/vesta/log/letsencrypt.log
|
|
crt_end=$(grep -n 'END CERTIFICATE' $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
|
|
# echo "[$(date)] : crt_end=$crt_end" >> /usr/local/vesta/log/letsencrypt.log
|
|
head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
|
|
|
|
pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
|
|
# echo "[$(date)] : pem_lines=$pem_lines" >> /usr/local/vesta/log/letsencrypt.log
|
|
ca_end=$(grep -n 'BEGIN CERTIFICATE' $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
|
|
# echo "[$(date)] : ca_end=$ca_end" >> /usr/local/vesta/log/letsencrypt.log
|
|
ca_end=$(( pem_lines - crt_end + 1 ))
|
|
# echo "[$(date)] : ca_end=$ca_end" >> /usr/local/vesta/log/letsencrypt.log
|
|
tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
|
|
|
|
# Temporary fix for double "END CERTIFICATE"
|
|
if [[ $(head -n 1 $ssl_dir/$domain.ca) = "-----END CERTIFICATE-----" ]]; then
|
|
sed -i '1,2d' $ssl_dir/$domain.ca
|
|
fi
|
|
|
|
# Adding SSL
|
|
ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
|
|
$BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1
|
|
echo "[$(date)] : v-add-web-domain-ssl $user $domain $ssl_dir $ssl_home" >> /usr/local/vesta/log/letsencrypt.log
|
|
$BIN/v-add-web-domain-ssl $user $domain $ssl_dir $ssl_home
|
|
exitstatus=$?
|
|
echo "[$(date)] : v-add-web-domain-ssl status: $exitstatus" >> /usr/local/vesta/log/letsencrypt.log
|
|
if [ "$exitstatus" -ne '0' ]; then
|
|
touch $VESTA/data/queue/letsencrypt.pipe
|
|
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
|
echo "[$(date)] : EXIT=$domain certificate installation failed" >> /usr/local/vesta/log/letsencrypt.log
|
|
send_notice 'LETSENCRYPT' "$domain certificate installation failed"
|
|
check_result $exitstatus "SSL install" >/dev/null
|
|
fi
|
|
|
|
# Adding LE autorenew cronjob
|
|
if [ -z "$(grep v-update-lets $VESTA/data/users/admin/cron.conf)" ]; then
|
|
min=$(generate_password '012345' '2')
|
|
hour=$(generate_password '1234567' '1')
|
|
cmd="sudo $BIN/v-update-letsencrypt-ssl"
|
|
$BIN/v-add-cron-job admin "$min" "$hour" '*' '*' '*' "$cmd" > /dev/null
|
|
fi
|
|
|
|
# Updating letsencrypt key
|
|
if [ -z "$LETSENCRYPT" ]; then
|
|
add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT' 'FTP_USER'
|
|
fi
|
|
update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
|
|
|
|
reset_web_counter "$user" "$domain" 'LETSENCRYPT_FAIL_COUNT'
|
|
|
|
#----------------------------------------------------------#
|
|
# Vesta #
|
|
#----------------------------------------------------------#
|
|
|
|
# Deleteing task from queue
|
|
touch $VESTA/data/queue/letsencrypt.pipe
|
|
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
|
|
|
|
# Notifying user
|
|
send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
|
|
echo "[$(date)] : EXIT=***** $domain SSL has been installed successfully *****" >> /usr/local/vesta/log/letsencrypt.log
|
|
|
|
# Logging
|
|
log_event "$OK" "$ARGUMENTS"
|
|
|
|
exit
|