mirror of
https://github.com/myvesta/vesta.git
synced 2025-01-10 21:12:52 -08:00
163 lines
5.3 KiB
Bash
Executable File
163 lines
5.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# info: check letsencrypt domain
|
|
# options: USER DOMAIN
|
|
#
|
|
# The function check and validates domain with LetsEncript
|
|
|
|
|
|
#----------------------------------------------------------#
|
|
# Variable&Function #
|
|
#----------------------------------------------------------#
|
|
|
|
# Argument definition
|
|
user=$1
|
|
domain=$2
|
|
|
|
# Includes
|
|
source $VESTA/func/main.sh
|
|
source $VESTA/conf/vesta.conf
|
|
|
|
# encode base64
|
|
encode_base64() {
|
|
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
|
|
}
|
|
|
|
# Additional argument formatting
|
|
format_domain_idn
|
|
|
|
|
|
#----------------------------------------------------------#
|
|
# Verifications #
|
|
#----------------------------------------------------------#
|
|
|
|
check_args '2' "$#" 'USER DOMAIN'
|
|
is_format_valid 'user' 'domain'
|
|
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
|
|
is_object_valid 'user' 'USER' "$user"
|
|
is_object_unsuspended 'user' 'USER' "$user"
|
|
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
|
|
check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
|
|
fi
|
|
rdomain=$(egrep "'$domain'|'$domain,|,$domain,|,$domain'" $USER_DATA/web.conf)
|
|
if [ -z "$rdomain" ]; then
|
|
check_result $E_NOTEXIST "domain $domain doesn't exist"
|
|
fi
|
|
|
|
|
|
#----------------------------------------------------------#
|
|
# Action #
|
|
#----------------------------------------------------------#
|
|
|
|
source $USER_DATA/ssl/le.conf
|
|
api='https://acme-v01.api.letsencrypt.org'
|
|
r_domain=$(echo "$rdomain" |cut -f 2 -d \')
|
|
key="$USER_DATA/ssl/user.key"
|
|
exponent="$EXPONENT"
|
|
modulus="$MODULUS"
|
|
thumb="$THUMB"
|
|
|
|
# Defining JWK header
|
|
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
|
|
header='{"alg":"RS256","jwk":'"$header"'}'
|
|
|
|
# Requesting nonce
|
|
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
|
|
|
|
# Defining ACME query (request challenge)
|
|
query='{"resource":"new-authz","identifier"'
|
|
query=$query':{"type":"dns","value":"'"$domain_idn"'"}}'
|
|
payload=$(echo -n "$query" |encode_base64)
|
|
signature=$(printf "%s" "$protected.$payload" |\
|
|
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
|
|
data='{"header":'"$header"',"protected":"'"$protected"'",'
|
|
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
|
|
|
|
# Sending request to LetsEncrypt API
|
|
answer=$(curl -s -i -d "$data" "$api/acme/new-authz")
|
|
|
|
# Checking http answer status
|
|
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
|
|
if [[ "$status" -ne "201" ]]; then
|
|
check_result $E_CONNECT "LetsEncrypt challenge request $status"
|
|
fi
|
|
|
|
# Parsing domain nonce,token and uri
|
|
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
|
|
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
|
|
token=$(echo "$answer" |grep -A 3 http-01 |grep token |cut -f 4 -d \")
|
|
uri=$(echo "$answer" |grep -A 3 http-01 |grep uri |cut -f 4 -d \")
|
|
|
|
# Adding location wrapper for request challenge
|
|
if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
|
|
conf="$HOMEDIR/$user/conf/web/nginx.$r_domain.conf_letsencrypt"
|
|
sconf="$HOMEDIR/$user/conf/web/snginx.$r_domain.conf_letsencrypt"
|
|
if [ ! -e "$conf" ]; then
|
|
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' > $conf
|
|
echo ' default_type text/plain;' >> $conf
|
|
echo ' return 200 "$1.'$thumb'";' >> $conf
|
|
echo '}' >> $conf
|
|
fi
|
|
if [ ! -e "$sconf" ]; then
|
|
ln -s "$conf" "$sconf"
|
|
fi
|
|
else
|
|
acme="$HOMEDIR/$user/web/$r_domain/public_html/.well-known/acme-challenge"
|
|
if [ ! -d "$acme" ]; then
|
|
mkdir -p $acme
|
|
fi
|
|
echo "$token.$thumb" > $acme/$token
|
|
chown -R $user:$user $HOMEDIR/$user/web/$r_domain/public_html/.well-known
|
|
fi
|
|
|
|
# Restarting web server
|
|
if [ -z "$PROXY_SYSTEM" ]; then
|
|
$BIN/v-restart-web
|
|
check_result $? "Proxy restart failed" >/dev/null
|
|
else
|
|
$BIN/v-restart-proxy
|
|
$BIN/v-restart-web
|
|
check_result $? "Web restart failed" >/dev/null
|
|
fi
|
|
|
|
# Defining ACME query (request validation)
|
|
query='{"resource":"challenge","type":"http-01","keyAuthorization"'
|
|
query=$query':"'$token.$thumb'","token":"'$token'"}'
|
|
payload=$(echo -n "$query" |encode_base64)
|
|
signature=$(printf "%s" "$protected.$payload" |\
|
|
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
|
|
data='{"header":'"$header"',"protected":"'"$protected"'",'
|
|
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
|
|
|
|
# Sending request to LetsEncrypt API
|
|
answer=$(curl -s -i -d "$data" "$uri")
|
|
|
|
# Checking domain validation status
|
|
i=1
|
|
status=$(echo $answer |tr ',' '\n' |grep status |cut -f 4 -d \")
|
|
location=$(echo "$answer" |grep Location: |awk '{print $2}' |tr -d '\r\n')
|
|
while [ "$status" = 'pending' ]; do
|
|
answer=$(curl -s -i "$location")
|
|
detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
|
|
status=$(echo "$answer" |tr ',' '\n' |grep status |cut -f 4 -d \")
|
|
sleep 1
|
|
i=$((i + 1))
|
|
if [ "$i" -gt 60 ]; then
|
|
check_result $E_CONNECT "$detail"
|
|
fi
|
|
done
|
|
if [ "$status" = 'invalid' ]; then
|
|
detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
|
|
check_result $E_CONNECT "$detail"
|
|
fi
|
|
|
|
|
|
#----------------------------------------------------------#
|
|
# Vesta #
|
|
#----------------------------------------------------------#
|
|
|
|
# Logging
|
|
log_event "$OK" "$ARGUMENTS"
|
|
|
|
exit
|