forked from hestiacp/hestiacp
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathv-add-letsencrypt-user
More file actions
executable file
·184 lines (152 loc) · 5.17 KB
/
v-add-letsencrypt-user
File metadata and controls
executable file
·184 lines (152 loc) · 5.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
#!/bin/bash
# info: register letsencrypt user account
# options: USER [TYPE]
#
# The function creates and register LetsEncript account key
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
type=${2-1}
key_size=4096
# Includes
source $HESTIA/func/main.sh
source $HESTIA/conf/hestia.conf
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'USER [TYPE]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
if [ -e "$USER_DATA/ssl/le.conf" ]; then
source "$USER_DATA/ssl/le.conf"
if [ "$type" -eq 1 ] && [ ! -z "$EMAIL" ]; then
exit
fi
if [ "$type" -eq 2 ] && [ ! -z "$KID" ]; then
exit
fi
fi
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining LE API endpoint
if [ "$type" -eq 1 ]; then
api='https://acme-v01.api.letsencrypt.org'
else
api='https://acme-v02.api.letsencrypt.org'
fi
# Defining user email
if [ $type -eq 1 ]; then
email=$(get_user_value '$CONTACT')
fi
# Defining user agreement
if [ "$type" -eq 1 ]; then
agreement=$(curl -s -I "$api/terms" |grep Location |\
cut -f 2 -d \ |tr -d '\r\n')
else
#agreement=$(curl -s "$api/directory" |grep termsOfService |\
# cut -f 4 -d '"')
agreement=''
fi
# Generating user key
key="$USER_DATA/ssl/user.key"
if [ ! -e "$key" ]; then
openssl genrsa -out $key $key_size >/dev/null 2>&1
chmod 600 $key
fi
# Defining key exponent
if [ -z "$EXPONENT" ]; then
exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
xxd -r -p |encode_base64)
else
exponent="$EXPONENT"
fi
# Defining key modulus
if [ -z "$MODULUS" ]; then
modulus=$(openssl rsa -in "$key" -modulus -noout |\
sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
else
modulus="$MODULUS"
fi
# Defining JWK token
jwk='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
# Defining key thumbnail
if [ -z "$THUMB" ]; then
thumb="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
else
thumb="$THUMB"
fi
# Requesting ACME nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
# Defining payload and protected data for v1 and v2
if [ "$type" -eq 1 ]; then
header='{"alg":"RS256","jwk":'"$jwk"'}'
protected='{"nonce":"'"$nonce"'"}'
payload='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
payload=$payload'"agreement":"'$agreement'"}'
else
protected='{"nonce": "'$nonce'",'
protected=''$protected' "url": "'$api/acme/new-acct'",'
protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
payload='{"termsOfServiceAgreed": true}'
fi
# Encoding data
protected=$(echo -n "$protected" |encode_base64)
payload=$(echo -n "$payload" |encode_base64)
# Signing request
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |\
encode_base64)
if [ "$type" -eq 1 ]; then
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
else
data='{"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'",'
data=$data'"signature":"'"$signature"'"}'
answer=$(curl -s -i -d "$data" "$api/acme/new-acct" \
-H "Content-Type: application/jose+json")
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
fi
# Checking http answer status
if [[ "${status:0:2}" -ne "20" ]] && [[ "$status" -ne "409" ]]; then
check_result $E_CONNECT "LetsEncrypt account registration $status"
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Adding le.conf
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
echo "EXPONENT='$exponent'" > $USER_DATA/ssl/le.conf
echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
if [ "$type" -eq 1]; then
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
else
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi
chmod 660 $USER_DATA/ssl/le.conf
else
if [ "$type" -eq 1 ]; then
sed -i '/^EMAIL=/d' $USER_DATA/ssl/le.conf
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
else
sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit