#!/bin/sh # Wrapper for acme.sh to work on openwrt. # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software # Foundation; either version 3 of the License, or (at your option) any later # version. # # Author: Toke Høiland-Jørgensen CHECK_CRON=$1 ACME=/usr/lib/acme/acme.sh export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt export NO_TIMESTAMP=1 UHTTPD_LISTEN_HTTP= STATE_DIR='/etc/acme' ACCOUNT_EMAIL= DEBUG=0 NGINX_WEBSERVER=0 UPDATE_NGINX=0 UPDATE_UHTTPD=0 UPDATE_HAPROXY=0 USER_CLEANUP= . /lib/functions.sh check_cron() { [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root /etc/init.d/cron start } log() { logger -t acme -s -p daemon.info -- "$@" } err() { logger -t acme -s -p daemon.err -- "$@" } debug() { [ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug -- "$@" } get_listeners() { local proto rq sq listen remote state program netstat -nptl 2> /dev/null | while read -r proto rq sq listen remote state program; do case "$proto#$listen#$program" in tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;; esac done } run_acme() { debug "Running acme.sh as '$ACME $*'" $ACME "$@" } pre_checks() { main_domain="$1" log "Running pre checks for $main_domain." listeners="$(get_listeners)" debug "port80 listens: $listeners" for listener in $(get_listeners); do pid="${listener%/*}" cmd="$(basename $(readlink /proc/$pid/exe))" case "$cmd" in uhttpd) if [ -n "$UHTTPD_LISTEN_HTTP" ]; then debug "Already handled uhttpd; skipping" continue fi debug "Found uhttpd listening on port 80; trying to disable." UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http) if [ -z "$UHTTPD_LISTEN_HTTP" ]; then err "$main_domain: Unable to find uhttpd listen config." err "Manually disable uhttpd or set webroot to continue." return 1 fi uci set uhttpd.main.listen_http='' uci commit uhttpd || return 1 if ! /etc/init.d/uhttpd reload; then uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP" uci commit uhttpd return 1 fi ;; nginx) if [ "$NGINX_WEBSERVER" -eq "1" ]; then debug "Already handled nginx; skipping" continue fi debug "Found nginx listening on port 80; trying to disable." NGINX_WEBSERVER=1 local tries=0 while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do /etc/init.d/nginx stop if [ $tries -gt 10 ]; then debug "Can't stop nginx. Terminating script." return 1 fi debug "Waiting for nginx to stop..." tries=$((tries + 1)) sleep 1 done ;; "") debug "Nothing listening on port 80." ;; *) err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80." err "Disable other daemon or set webroot to continue." return 1 ;; esac done iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1 ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1 debug "v4 input_rule: $(iptables -nvL input_rule)" debug "v6 input_rule: $(ip6tables -nvL input_rule)" return 0 } post_checks() { log "Running post checks (cleanup)." # The comment ensures we only touch our own rules. If no rules exist, that # is fine, so hide any errors iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then if [ -n "$UHTTPD_LISTEN_HTTP" ]; then uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP" UHTTPD_LISTEN_HTTP= fi uci commit uhttpd /etc/init.d/uhttpd restart fi if [ -e /etc/init.d/nginx ] && { [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; }; then NGINX_WEBSERVER=0 /etc/init.d/nginx restart fi if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ] ; then /etc/init.d/haproxy restart fi if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then log "Running user-provided cleanup script from $USER_CLEANUP." "$USER_CLEANUP" || return 1 fi } err_out() { post_checks exit 1 } int_out() { post_checks trap - INT kill -INT $$ } is_staging() { local main_domain local domain_dir main_domain="$1" domain_dir="$2" grep -q "acme-staging" "${domain_dir}/${main_domain}.conf" return $? } issue_cert() { local section="$1" local acme_args= local enabled local use_staging local update_uhttpd local update_nginx local update_haproxy local keylength local keylength_ecc=0 local domains local main_domain local moved_staging=0 local failed_dir local webroot local dns local user_setup local user_cleanup local ret local domain_dir local acme_server local days config_get_bool enabled "$section" enabled 0 config_get_bool use_staging "$section" use_staging config_get_bool update_uhttpd "$section" update_uhttpd config_get_bool update_nginx "$section" update_nginx config_get_bool update_haproxy "$section" update_haproxy config_get calias "$section" calias config_get dalias "$section" dalias config_get domains "$section" domains config_get keylength "$section" keylength config_get webroot "$section" webroot config_get dns "$section" dns config_get user_setup "$section" user_setup config_get user_cleanup "$section" user_cleanup config_get acme_server "$section" acme_server config_get days "$section" days UPDATE_NGINX=$update_nginx UPDATE_UHTTPD=$update_uhttpd UPDATE_HAPROXY=$update_haproxy USER_CLEANUP=$user_cleanup [ "$enabled" -eq "1" ] || return [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug" set -- $domains main_domain=$1 if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then log "Running user-provided setup script from $user_setup." "$user_setup" "$main_domain" || return 1 else [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1 fi if echo "$keylength" | grep -q "^ec-"; then domain_dir="$STATE_DIR/${main_domain}_ecc" keylength_ecc=1 else domain_dir="$STATE_DIR/${main_domain}" fi log "Running ACME for $main_domain" handle_credentials() { local credential="$1" eval export $credential } config_list_foreach "$section" credentials handle_credentials if [ -e "$domain_dir" ]; then if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then log "Found previous cert issued using staging server. Moving it out of the way." mv "$domain_dir" "${domain_dir}.staging" moved_staging=1 else log "Found previous cert config. Issuing renew." [ "$keylength_ecc" -eq "1" ] && acme_args="$acme_args --ecc" run_acme --home "$STATE_DIR" --renew -d "$main_domain" $acme_args && ret=0 || ret=1 post_checks return $ret fi fi acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)" acme_args="$acme_args --keylength $keylength" [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL" if [ -n "$acme_server" ]; then log "Using custom ACME server URL" acme_args="$acme_args --server $acme_server" else # default to letsencrypt because the upstream default may change if [ "$use_staging" -eq "1" ]; then acme_args="$acme_args --server letsencrypt_test" else acme_args="$acme_args --server letsencrypt" fi fi if [ -n "$days" ]; then log "Renewing after $days days" acme_args="$acme_args --days $days" fi if [ -n "$dns" ]; then log "Using dns mode" acme_args="$acme_args --dns $dns" if [ -n "$dalias" ]; then log "Using domain alias for dns mode" acme_args="$acme_args --domain-alias $dalias" if [ -n "$calias" ]; then err "Both domain and challenge aliases are defined. Ignoring the challenge alias." fi elif [ -n "$calias" ]; then log "Using challenge alias for dns mode" acme_args="$acme_args --challenge-alias $calias" fi elif [ -z "$webroot" ]; then log "Using standalone mode" acme_args="$acme_args --standalone --listen-v6" else if [ ! -d "$webroot" ]; then err "$main_domain: Webroot dir '$webroot' does not exist!" post_checks return 1 fi log "Using webroot dir: $webroot" acme_args="$acme_args --webroot $webroot" fi if ! run_acme --home "$STATE_DIR" --issue $acme_args; then failed_dir="${domain_dir}.failed-$(date +%s)" err "Issuing cert for $main_domain failed. Moving state to $failed_dir" [ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir" if [ "$moved_staging" -eq "1" ]; then err "Restoring staging certificate" mv "${domain_dir}.staging" "${domain_dir}" fi post_checks return 1 fi if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then uci set uhttpd.main.key="${domain_dir}/${main_domain}.key" uci set uhttpd.main.cert="${domain_dir}/fullchain.cer" # commit and reload is in post_checks fi local nginx_updated nginx_updated=0 if command -v nginx-util 2> /dev/null && [ "$update_nginx" -eq "1" ]; then nginx_updated=1 for domain in $domains; do nginx-util add_ssl "${domain}" acme "${domain_dir}/fullchain.cer" \ "${domain_dir}/${main_domain}.key" || nginx_updated=0 done # reload is in post_checks fi if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf # commit and reload is in post_checks fi if [ -e /etc/init.d/haproxy ] && [ -w /etc/haproxy.cfg ] && [ "$update_haproxy" -eq "1" ]; then cat "${domain_dir}/${main_domain}.key" "${domain_dir}/fullchain.cer" > "${domain_dir}/${main_domain}-haproxy.pem" sed -i "s#bind :::443 v4v6 ssl crt .* alpn#bind :::443 v4v6 ssl crt ${domain_dir}/${main_domain}-haproxy.pem alpn#g" /etc/haproxy.cfg # commit and reload is in post_checks fi post_checks } load_vars() { local section="$1" STATE_DIR=$(config_get "$section" state_dir) ACCOUNT_EMAIL=$(config_get "$section" account_email) DEBUG=$(config_get "$section" debug) } check_cron [ -n "$CHECK_CRON" ] && exit 0 [ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0 config_load acme config_foreach load_vars acme if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then err "state_dir and account_email must be set" exit 1 fi [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR" trap err_out HUP TERM trap int_out INT config_foreach issue_cert cert exit 0