diff --git a/package_versions.txt b/package_versions.txt index 11c323a..488f143 100755 --- a/package_versions.txt +++ b/package_versions.txt @@ -1,33 +1,33 @@ NAME VERSION TYPE -ConfigArgParse 1.5.5 python -PyJWT 2.7.0 python -PyYAML 6.0 python +ConfigArgParse 1.7 python +PyJWT 2.8.0 python +PyYAML 6.0.1 python acme 2.6.0 python alpine-baselayout 3.4.3-r1 apk alpine-baselayout-data 3.4.3-r1 apk alpine-keys 2.4-r1 apk alpine-release 3.18.2-r0 apk aom-libs 3.6.1-r0 apk -apache2-utils 2.4.57-r2 apk +apache2-utils 2.4.57-r3 apk apk-tools 2.14.0-r2 apk apr 1.7.4-r0 apk apr-util 1.6.3-r1 apk argon2-libs 20190702-r4 apk attrs 23.1.0 python azure-common 1.1.28 python -azure-core 1.27.1 python +azure-core 1.28.0 python azure-identity 1.13.0 python azure-mgmt-core 1.4.0 python azure-mgmt-dns 8.1.0 python bash 5.2.15-r5 apk beautifulsoup4 4.12.2 python -boto3 1.26.165 python -botocore 1.29.165 python +boto3 1.28.12 python +botocore 1.31.12 python brotli-libs 1.0.9-r14 apk bs4 0.0.1 python busybox 1.36.1 binary -busybox 1.36.1-r0 apk -busybox-binsh 1.36.1-r0 apk +busybox 1.36.1-r1 apk +busybox-binsh 1.36.1-r1 apk c-client 2007f-r15 apk ca-certificates 20230506-r0 apk ca-certificates-bundle 20230506-r0 apk @@ -49,7 +49,7 @@ certbot-dns-domeneshop 0.2.9 python certbot-dns-duckdns 1.3 python certbot-dns-dynu 0.0.4 python certbot-dns-gehirn 2.6.0 python -certbot-dns-godaddy 0.2.2 python +certbot-dns-godaddy 2.6.0 python certbot-dns-google 2.6.0 python certbot-dns-google-domains 0.1.11 python certbot-dns-he 1.0.0 python @@ -72,19 +72,19 @@ certbot-dns-standalone 1.1 python certbot-dns-transip 0.5.2 python certbot-dns-vultr 1.1.0 python certbot-plugin-gandi 1.4.3 python -certifi 2023.5.7 python +certifi 2023.7.22 python cffi 1.15.1 python -charset-normalizer 3.1.0 python +charset-normalizer 3.2.0 python cloudflare 2.11.6 python configobj 5.0.8 python coreutils 9.3-r1 apk -cryptography 41.0.1 python +cryptography 41.0.2 python curl 8.1.2-r0 apk -dataclasses-json 0.5.9 python +dataclasses-json 0.5.13 python distro 1.8.0 python dns-lexicon 3.11.7 python dnslib 0.9.23 python -dnspython 2.3.0 python +dnspython 2.4.1 python domeneshop 0.4.3 python fail2ban 1.0.2 python fail2ban 1.0.2-r2 apk @@ -97,28 +97,28 @@ gdbm 1.23-r1 apk git 2.40.1-r0 apk git-perl 2.40.1-r0 apk gmp 6.2.1-r3 apk -gnupg 2.4.1-r1 apk -gnupg-dirmngr 2.4.1-r1 apk -gnupg-gpgconf 2.4.1-r1 apk -gnupg-keyboxd 2.4.1-r1 apk -gnupg-utils 2.4.1-r1 apk -gnupg-wks-client 2.4.1-r1 apk +gnupg 2.4.3-r0 apk +gnupg-dirmngr 2.4.3-r0 apk +gnupg-gpgconf 2.4.3-r0 apk +gnupg-keyboxd 2.4.3-r0 apk +gnupg-utils 2.4.3-r0 apk +gnupg-wks-client 2.4.3-r0 apk gnutls 3.8.0-r2 apk google-api-core 2.11.1 python -google-api-python-client 2.91.0 python -google-auth 2.21.0 python +google-api-python-client 2.95.0 python +google-auth 2.22.0 python google-auth-httplib2 0.1.0 python googleapis-common-protos 1.59.1 python -gpg 2.4.1-r1 apk -gpg-agent 2.4.1-r1 apk -gpg-wks-server 2.4.1-r1 apk -gpgsm 2.4.1-r1 apk -gpgv 2.4.1-r1 apk +gpg 2.4.3-r0 apk +gpg-agent 2.4.3-r0 apk +gpg-wks-server 2.4.3-r0 apk +gpgsm 2.4.3-r0 apk +gpgv 2.4.3-r0 apk httplib2 0.22.0 python -icu-data-en 73.2-r1 apk -icu-libs 73.2-r1 apk +icu-data-en 73.2-r2 apk +icu-libs 73.2-r2 apk idna 3.4 python -importlib-metadata 6.7.0 python +importlib-metadata 6.8.0 python ip6tables 1.8.9-r2 apk iptables 1.8.9-r2 apk isodate 0.6.1 python @@ -134,7 +134,7 @@ libavif 0.11.1-r2 apk libbsd 0.11.7-r1 apk libbz2 1.0.8-r5 apk libc-utils 0.7.2-r5 apk -libcrypto3 3.1.1-r1 apk +libcrypto3 3.1.1-r3 apk libcurl 8.1.2-r0 apk libdav1d 1.2.1-r0 apk libedit 20221030.3.1-r1 apk @@ -150,7 +150,7 @@ libidn2 2.3.4-r1 apk libintl 0.21.1-r7 apk libjpeg-turbo 2.1.5.1-r3 apk libksba 1.6.4-r0 apk -libldap 2.6.4-r3 apk +libldap 2.6.5-r0 apk libmaxminddb-libs 1.7.1-r1 apk libmcrypt 2.5.8-r10 apk libmd 1.0.4-r2 apk @@ -166,7 +166,7 @@ libsasl 2.1.28-r4 apk libseccomp 2.5.4-r2 apk libsm 1.2.4-r1 apk libsodium 1.0.18-r3 apk -libssl3 3.1.1-r1 apk +libssl3 3.1.1-r3 apk libstdc++ 12.2.1_git20220924-r10 apk libtasn1 4.19.0-r1 apk libunistring 1.1-r1 apk @@ -185,15 +185,14 @@ libzip 1.9.2-r2 apk linux-pam 1.5.2-r10 apk logrotate 3.21.0-r1 apk loopialib 0.2.0 python -lxml 4.9.2 python +lxml 4.9.3 python lz4-libs 1.9.4-r4 apk -marshmallow 3.19.0 python -marshmallow-enum 1.5.1 python +marshmallow 3.20.1 python memcached 1.6.21 binary memcached 1.6.21-r0 apk -mock 5.0.2 python +mock 5.1.0 python mpdecimal 2.5.1-r2 apk -msal 1.22.0 python +msal 1.23.0 python msal-extensions 1.0.0 python musl 1.2.4-r0 apk musl-utils 1.2.4-r0 apk @@ -224,7 +223,7 @@ nginx-mod-stream-geoip2 1.24.0-r6 apk nginx-vim 1.24.0-r6 apk npth 1.6-r4 apk oniguruma 6.9.8-r1 apk -openssl 3.1.1-r1 apk +openssl 3.1.1-r3 apk p11-kit 0.24.1-r2 apk packaging 23.1 python parsedatetime 2.6 python @@ -233,64 +232,64 @@ pcre2 10.42-r1 apk perl 5.36.1-r2 apk perl-error 0.17029-r1 apk perl-git 2.40.1-r0 apk -php-cli 8.2.7 binary -php-fpm 8.2.7 binary -php82 8.2.7-r0 apk -php82-bcmath 8.2.7-r0 apk -php82-bz2 8.2.7-r0 apk -php82-common 8.2.7-r0 apk -php82-ctype 8.2.7-r0 apk -php82-curl 8.2.7-r0 apk -php82-dom 8.2.7-r0 apk -php82-exif 8.2.7-r0 apk -php82-fileinfo 8.2.7-r0 apk -php82-fpm 8.2.7-r0 apk -php82-ftp 8.2.7-r0 apk -php82-gd 8.2.7-r0 apk -php82-gmp 8.2.7-r0 apk -php82-iconv 8.2.7-r0 apk -php82-imap 8.2.7-r0 apk -php82-intl 8.2.7-r0 apk -php82-ldap 8.2.7-r0 apk -php82-mbstring 8.2.7-r0 apk -php82-mysqli 8.2.7-r0 apk -php82-mysqlnd 8.2.7-r0 apk -php82-opcache 8.2.7-r0 apk -php82-openssl 8.2.7-r0 apk -php82-pdo 8.2.7-r0 apk -php82-pdo_mysql 8.2.7-r0 apk -php82-pdo_odbc 8.2.7-r0 apk -php82-pdo_pgsql 8.2.7-r0 apk -php82-pdo_sqlite 8.2.7-r0 apk -php82-pear 8.2.7-r0 apk +php-cli 8.2.8 binary +php-fpm 8.2.8 binary +php82 8.2.8-r0 apk +php82-bcmath 8.2.8-r0 apk +php82-bz2 8.2.8-r0 apk +php82-common 8.2.8-r0 apk +php82-ctype 8.2.8-r0 apk +php82-curl 8.2.8-r0 apk +php82-dom 8.2.8-r0 apk +php82-exif 8.2.8-r0 apk +php82-fileinfo 8.2.8-r0 apk +php82-fpm 8.2.8-r0 apk +php82-ftp 8.2.8-r0 apk +php82-gd 8.2.8-r0 apk +php82-gmp 8.2.8-r0 apk +php82-iconv 8.2.8-r0 apk +php82-imap 8.2.8-r0 apk +php82-intl 8.2.8-r0 apk +php82-ldap 8.2.8-r0 apk +php82-mbstring 8.2.8-r0 apk +php82-mysqli 8.2.8-r0 apk +php82-mysqlnd 8.2.8-r0 apk +php82-opcache 8.2.8-r0 apk +php82-openssl 8.2.8-r0 apk +php82-pdo 8.2.8-r0 apk +php82-pdo_mysql 8.2.8-r0 apk +php82-pdo_odbc 8.2.8-r0 apk +php82-pdo_pgsql 8.2.8-r0 apk +php82-pdo_sqlite 8.2.8-r0 apk +php82-pear 8.2.8-r0 apk php82-pecl-apcu 5.1.22-r0 apk php82-pecl-igbinary 3.2.14-r0 apk php82-pecl-mcrypt 1.0.6-r0 apk php82-pecl-memcached 3.2.0-r1 apk php82-pecl-msgpack 2.2.0-r0 apk php82-pecl-redis 5.3.7-r2 apk -php82-pgsql 8.2.7-r0 apk -php82-phar 8.2.7-r0 apk -php82-posix 8.2.7-r0 apk -php82-session 8.2.7-r0 apk -php82-simplexml 8.2.7-r0 apk -php82-soap 8.2.7-r0 apk -php82-sockets 8.2.7-r0 apk -php82-sodium 8.2.7-r0 apk -php82-sqlite3 8.2.7-r0 apk -php82-tokenizer 8.2.7-r0 apk -php82-xml 8.2.7-r0 apk -php82-xmlreader 8.2.7-r0 apk -php82-xmlwriter 8.2.7-r0 apk -php82-xsl 8.2.7-r0 apk -php82-zip 8.2.7-r0 apk +php82-pgsql 8.2.8-r0 apk +php82-phar 8.2.8-r0 apk +php82-posix 8.2.8-r0 apk +php82-session 8.2.8-r0 apk +php82-simplexml 8.2.8-r0 apk +php82-soap 8.2.8-r0 apk +php82-sockets 8.2.8-r0 apk +php82-sodium 8.2.8-r0 apk +php82-sqlite3 8.2.8-r0 apk +php82-tokenizer 8.2.8-r0 apk +php82-xml 8.2.8-r0 apk +php82-xmlreader 8.2.8-r0 apk +php82-xmlwriter 8.2.8-r0 apk +php82-xsl 8.2.8-r0 apk +php82-zip 8.2.8-r0 apk pinentry 1.2.1-r1 apk -pip 23.1.2 python +pip 23.2.1 python pkb-client 1.2 python popt 1.19-r2 apk portalocker 2.7.0 python procps-ng 4.0.3-r1 apk -protobuf 4.23.3 python +protobuf 4.23.4 python publicsuffixlist 0.9.4 python pyOpenSSL 23.2.0 python pyRFC3339 1.1 python @@ -321,20 +320,20 @@ six 1.16.0 python skalibs 2.13.1.1-r1 apk soupsieve 2.4.1 python sqlite-libs 3.41.2-r2 apk -ssl_client 1.36.1-r0 apk +ssl_client 1.36.1-r1 apk tiff 4.5.1-r0 apk tldextract 3.4.4 python typing-inspect 0.9.0 python -typing_extensions 4.7.0 python +typing_extensions 4.7.1 python tzdata 2023c-r1 apk unixodbc 2.3.11-r2 apk uritemplate 4.1.1 python urllib3 1.26.16 python utmps-libs 0.1.2.1-r1 apk -wheel 0.40.0 python +wheel 0.41.0 python whois 5.5.17-r0 apk xz-libs 5.4.3-r0 apk -zipp 3.15.0 python +zipp 3.16.2 python zlib 1.2.13-r1 apk zope.interface 6.0 python zstd-libs 1.5.5-r4 apk diff --git a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run index 7dc1eae..d5ee713 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run @@ -29,6 +29,23 @@ if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azur sleep infinity fi +# set_ini_value logic: +# - if the name is not found in the file, append the name=value to the end of the file +# - if the name is found in the file, replace the value +# - if the name is found in the file but commented out, uncomment the line and replace the value +# call set_ini_value with parameters: $1=name $2=value $3=file +function set_ini_value() { + name=${1//\//\\/} + value=${2//\//\\/} + sed -i \ + -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \ + -e '$a'"${name}"'='"${value}" "${3}" +} + +# ensure config files exist and has at least one value set (set_ini_value does not work on empty files) +touch /config/etc/letsencrypt/cli.ini +grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini + # copy dns default configs cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing') lsiown -R abc:abc /config/dns-conf @@ -157,21 +174,25 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] || [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then - REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}") - REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90") + REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ') + REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ') if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then - echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." - sleep infinity + REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ') + REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ') + fi + if [[ -n "${REV_ZEROSSL_EAB_KID}" ]] && [[ -n "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then + REV_ACMESERVER+=("--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}") fi - REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" elif [[ "${ORIGSTAGING}" = "true" ]]; then - REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory") else - REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory") fi if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true + certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true + else + certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi @@ -182,9 +203,11 @@ echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS # Check if the cert is using the old LE root cert, revoke and regen if necessary if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." - REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory") if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true + certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true + else + certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi @@ -208,52 +231,51 @@ else ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi -# figuring out url only vs url & subdomains vs subdomains only +set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini + +# figuring out domain only vs domain & subdomains vs subdomains only +DOMAINS_ARRAY=() +if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then + DOMAINS_ARRAY+=("${URL}") +fi if [[ -n "${SUBDOMAINS}" ]]; then echo "SUBDOMAINS entered, processing" + SUBDOMAINS_ARRAY=() if [[ "${SUBDOMAINS}" = "wildcard" ]]; then - if [[ "${ONLY_SUBDOMAINS}" = true ]]; then - export URL_REAL="-d *.${URL}" - echo "Wildcard cert for only the subdomains of ${URL} will be requested" - else - export URL_REAL="-d *.${URL} -d ${URL}" - echo "Wildcard cert for ${URL} will be requested" - fi + SUBDOMAINS_ARRAY+=("*.${URL}") + echo "Wildcard cert for ${URL} will be requested" else - echo "SUBDOMAINS entered, processing" for job in $(echo "${SUBDOMAINS}" | tr "," " "); do - export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}" + SUBDOMAINS_ARRAY+=("${job}.${URL}") done - if [[ "${ONLY_SUBDOMAINS}" = true ]]; then - URL_REAL="${SUBDOMAINS_REAL}" - echo "Only subdomains, no URL in cert" - else - URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" - fi - echo "Sub-domains processed are: ${SUBDOMAINS_REAL}" + echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")" fi -else - echo "No subdomains defined" - URL_REAL="-d ${URL}" + DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}") fi # add extra domains if [[ -n "${EXTRA_DOMAINS}" ]]; then echo "EXTRA_DOMAINS entered, processing" + EXTRA_DOMAINS_ARRAY=() for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do - export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}" + EXTRA_DOMAINS_ARRAY+=("${job}") done - echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}" - URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}" + echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")" + DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}") fi +# setting domains in cli.ini +set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini + # figuring out whether to use e-mail and which if [[ ${EMAIL} == *@* ]]; then echo "E-mail address entered: ${EMAIL}" - EMAILPARAM="-m ${EMAIL} --no-eff-email" + set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini + set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini + set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini else echo "No e-mail address entered or address invalid" - EMAILPARAM="--register-unsafely-without-email" + set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini fi # alter extension for error message @@ -265,37 +287,41 @@ fi # setting the validation method to use if [[ "${VALIDATION}" = "dns" ]]; then - AUTHENTICATORPARAM="--authenticator dns-${DNSPLUGIN}" - DNSCREDENTIALSPARAM="--dns-${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}" - if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini + set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini + set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini + if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi # plugins that don't support setting credentials file if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then - DNSCREDENTIALSPARAM="" + sed "/^dns-${DNSPLUGIN}-credentials /d" /config/etc/letsencrypt/cli.ini fi # plugins that don't support setting propagation if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi - PROPAGATIONPARAM="" + sed "/^dns-${DNSPLUGIN}-propagation-seconds /d" /config/etc/letsencrypt/cli.ini fi # plugins that use old parameter naming convention - if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then - AUTHENTICATORPARAM="--authenticator ${DNSPLUGIN}" - DNSCREDENTIALSPARAM="--${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}" - if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + if [[ "${DNSPLUGIN}" =~ ^(cpanel|directadmin)$ ]]; then + sed "/^dns-${DNSPLUGIN}-credentials /d" /config/etc/letsencrypt/cli.ini + sed "/^dns-${DNSPLUGIN}-propagation-seconds /d" /config/etc/letsencrypt/cli.ini + set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini + set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini + if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi fi # don't restore txt records when using DuckDNS plugin if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then - AUTHENTICATORPARAM="${AUTHENTICATORPARAM} --dns-${DNSPLUGIN}-no-txt-restore" + set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini fi - PREFCHAL="${AUTHENTICATORPARAM} ${DNSCREDENTIALSPARAM} ${PROPAGATIONPARAM}" echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" elif [[ "${VALIDATION}" = "tls-sni" ]]; then - PREFCHAL="--standalone --preferred-challenges http" + set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini + set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini echo "*****tls-sni validation has been deprecated, attempting http validation instead" else - PREFCHAL="--standalone --preferred-challenges http" + set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini + set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini echo "http validation is selected" fi @@ -304,17 +330,17 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then echo "Retrieving EAB from ZeroSSL" EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}") - ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid) + ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key) if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." sleep infinity fi - ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" + set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini + set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini fi echo "Generating new certificate" - # shellcheck disable=SC2086 - certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL} + certbot certonly --non-interactive --renew-by-default if [[ ! -d /config/keys/letsencrypt ]]; then if [[ "${VALIDATION}" = "dns" ]]; then echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."