LetsEncrypt core API support

Author: serghey-rodin

bin/v-add-letsencrypt-domain

@@ -0,0 +1,97 @@
+#!/bin/bash
+# info: adding letsencrypt ssl cetificate for domain
+# options: USER DOMAIN [ALIASES] [RESTART]
+#
+# The function turns on SSL support for a domain. Parameter ssl_dir is a path
+# to directory where 2 or 3 ssl files can be found. Certificate file 
+# domain.tld.crt and its key domain.tld.key  are mandatory. Certificate
+# authority domain.tld.ca file is optional. If home directory  parameter
+# (ssl_home) is not set, https domain uses public_shtml as separate
+# documentroot directory.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+domain=$2
+aliases=$3
+restart=$4
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/func/domain.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER DOMAIN [RESTART]'
+is_format_valid 'user' 'domain'
+is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
+is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
+is_object_valid 'user' 'USER' "$user"
+is_object_unsuspended 'user' 'USER' "$user"
+is_object_valid 'web' 'DOMAIN' "$domain"
+is_object_unsuspended 'web' 'DOMAIN' "$domain"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Registering LetsEncrypt user account
+$BIN/v-add-letsencrypt-user $user
+check_result $? "LE account registration" >/dev/null
+source $USER_DATA/ssl/le.conf
+email=$EMAIL
+
+# Validating domain and aliases
+i=1
+for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
+    $BIN/v-check-letsencrypt-domain $user $alias
+    check_result $? "LE domain validation" >/dev/null
+    if [ "$i" -gt 6 ]; then
+        check_result $E_LIMIT "LE can't sign more than 6 domains"
+    fi
+    i=$((i++))
+done
+
+# Generating CSR
+ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
+    "San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
+
+# Signing CSR
+crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
+check_result $? "$crt"
+echo "$crt" > $ssl_dir/$domain.crt
+
+# Dowloading CA certificate
+le_certs='https://letsencrypt.org/certs'
+x1='lets-encrypt-x1-cross-signed.pem.txt'
+x3='lets-encrypt-x3-cross-signed.pem.txt'
+issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
+if [ -z "$(echo $issuer|grep X3)" ]; then
+    curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
+else
+    curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
+fi
+
+# Adding SSL
+$BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1
+$BIN/v-add-web-domain-ssl $user $domain $ssl_dir
+check_result $? "SSL install" >/dev/null
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-add-letsencrypt-user

@@ -0,0 +1,111 @@
+#!/bin/bash
+# info: register letsencrypt user account
+# options: USER [EMAIL]
+#
+# The function creates and register LetsEncript account key
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+email=$2
+key_size=2048
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+# encode base64
+encode_base64() {
+    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER [EMAIL]'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+if [ -e "$USER_DATA/ssl/le.conf" ]; then
+    exit
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+api='https://acme-v01.api.letsencrypt.org'
+agreement='https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf'
+if [ -z "$email" ]; then
+    email=$(get_user_value '$CONTACT')
+fi
+
+# Generating key
+key="$USER_DATA/ssl/user.key"
+if [ ! -e "$key" ]; then
+    openssl genrsa -out $key $key_size >/dev/null 2>&1
+    chmod 600 $key
+fi
+
+# Defining key exponent
+exponent=$(openssl pkey -inform perm -in "$key" -noout -text_pub |\
+    grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
+    xxd -r -p |encode_base64)
+
+# Defining key modulus
+modulus=$(openssl rsa -in "$key" -modulus -noout |\
+    sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
+
+# Defining key thumb
+thumb='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
+thumb="$(echo -n "$thumb" |openssl dgst -sha256 -binary |encode_base64)"
+
+# Defining JWK header
+header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
+header='{"alg":"RS256","jwk":'"$header"'}'
+
+# Requesting nonce
+nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
+protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
+
+# Defining registration query
+query='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
+query=$query'"agreement":"'$agreement'"}'
+payload=$(echo -n "$query" |encode_base64)
+signature=$(printf "%s" "$protected.$payload" |\
+    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
+data='{"header":'"$header"',"protected":"'"$protected"'",'
+data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
+
+# Sending request to LetsEncrypt API
+answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
+status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
+
+# Checking http answer status
+if [[ "$status" -ne "201" ]] && [[ "$status" -ne "409" ]]; then
+    check_result $E_CONNECT "LetsEncrypt account registration $status"
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Adding le.conf
+echo "EMAIL='$email'" > $USER_DATA/ssl/le.conf
+echo "EXPONENT='$exponent'" >> $USER_DATA/ssl/le.conf
+echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
+echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
+chmod 660  $USER_DATA/ssl/le.conf
+
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-check-letsencrypt-domain

@@ -0,0 +1,145 @@
+#!/bin/bash
+# info: check letsencrypt domain
+# options: USER DOMAIN
+#
+# The function check and validates domain with LetsEncript
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+domain=$(idn -t --quiet -u "$2" )
+domain=$(echo $domain | tr '[:upper:]' '[:lower:]')
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+# encode base64
+encode_base64() {
+    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER DOMAIN'
+is_format_valid 'user' 'domain'
+is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
+is_object_valid 'user' 'USER' "$user"
+is_object_unsuspended 'user' 'USER' "$user"
+if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
+    check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
+fi
+check_domain=$(grep -w "$domain'" $USER_DATA/web.conf)
+if [ -z "$check_domain" ]; then
+    check_result $E_NOTEXIST "domain $domain doesn't exist"
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+source $USER_DATA/ssl/le.conf
+api='https://acme-v01.api.letsencrypt.org'
+r_domain=$(echo "$check_domain" |cut -f 2 -d \')
+key="$USER_DATA/ssl/user.key"
+exponent="$EXPONENT"
+modulus="$MODULUS"
+thumb="$THUMB"
+
+# Defining JWK header
+header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
+header='{"alg":"RS256","jwk":'"$header"'}'
+
+# Requesting nonce
+nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
+
+# Defining ACME query (request challenge)
+query='{"resource":"new-authz","identifier"'
+query=$query':{"type":"dns","value":"'"$domain"'"}}'
+payload=$(echo -n "$query" |encode_base64)
+signature=$(printf "%s" "$protected.$payload" |\
+    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
+data='{"header":'"$header"',"protected":"'"$protected"'",'
+data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
+
+# Sending request to LetsEncrypt API
+answer=$(curl -s -i -d "$data" "$api/acme/new-authz")
+
+# Checking http answer status
+status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
+if [[ "$status" -ne "201" ]]; then
+    check_result $E_CONNECT "LetsEncrypt challenge request $status"
+fi
+
+# Parsing domain nonce,token and uri
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
+token=$(echo "$answer" |tr ',' '\n' |grep -A 3 http-01 |grep token)
+token=$(echo "$token" |cut -f 4 -d \")
+uri=$(echo "$answer" |tr ',' '\n' |grep -A 3 http-01 |grep uri)
+uri=$(echo "$uri" |cut -f 4 -d \")
+
+# Adding location wrapper for request challenge
+if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
+    conf="$HOMEDIR/$user/conf/web/nginx.$r_domain.conf_letsencrypt"
+    if [ ! -e "$conf" ]; then
+        echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' > $conf
+        echo '    default_type text/plain;' >> $conf
+        echo '    return 200 "$1.'$thumb'";' >> $conf
+        echo '}' >> $conf
+        if [ ! -z "$PROXY_SYSTEM" ]; then
+            $BIN/v-restart-proxy
+            check_result $? "Proxy restart failed" >/dev/null
+        else
+            $BIN/v-restart-web
+            check_result $? "Web restart failed" >/dev/null
+        fi
+    fi
+else
+    acme="$HOMEDIR/$user/web/$r_domain/public_html/.well-known/acme-challenge"
+    echo "$token" > $acme/$token.$thumb
+    chown -R $user:$user $HOMEDIR/$user/web/$r_domain/public_html/.well-known
+fi
+
+# Defining ACME query (request validation)
+query='{"resource":"challenge","type":"http-01","keyAuthorization"'
+query=$query':"'$token.$thumb'","token":"'$token'"}'
+payload=$(echo -n "$query" |encode_base64)
+signature=$(printf "%s" "$protected.$payload" |\
+    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
+data='{"header":'"$header"',"protected":"'"$protected"'",'
+data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
+
+# Sending request to LetsEncrypt API
+answer=$(curl -s -i -d "$data" "$uri")
+
+# Checking domain validation status
+status=$(echo $answer |tr ',' '\n' |grep status |cut -f 4 -d \")
+location=$(echo "$answer" |grep Location: |awk '{print $2}' |tr -d '\r\n')
+while [ "$status" = 'pending' ] ; do
+    answer=$(curl -s -i "$location")
+    status=$(echo "$answer" |tr ',' '\n' |grep status |cut -f 4 -d \")
+done
+if [ "$status" = 'invalid' ]; then
+    detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
+    check_result $E_CONNECT "$detail"
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit