Merge pull request #6715 from acmesh-official/dev

sync

Author: neilpang

Dockerfile

@@ -13,6 +13,7 @@ RUN apk --no-cache add -f \
   tar \
   libidn \
   jq \
+  yq-go \
   cronie
 
 ENV LE_WORKING_DIR=/acmebin

README.md

@@ -65,7 +65,7 @@ ID_TYPE_IP="ip"
 
 LOCAL_ANY_ADDRESS="0.0.0.0"
 
-DEFAULT_RENEW=60
+DEFAULT_RENEW=30
 
 NO_VALUE="no"
 
@@ -5840,7 +5840,7 @@ list() {
     if [ -z "$_domain" ]; then
       printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Profile${_sep}CA${_sep}Created${_sep}Renew"
     fi
-    for di in "${CERT_HOME}"/*.*/; do
+    for di in "${CERT_HOME}"/{*.*,*:*}/; do
       d=$(basename "$di")
       _debug d "$d"
       (

acme.sh

@@ -83,6 +83,6 @@ _set_cdn_domain_ssl_certificate_query() {
   query=$query'&SignatureMethod=HMAC-SHA1'
   query=$query"&SignatureNonce=$(_ali_nonce)"
   query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
   query=$query'&Version=2018-05-10'
 }

deploy/ali_cdn.sh

@@ -83,6 +83,6 @@ _set_dcdn_domain_ssl_certificate_query() {
   query=$query'&SignatureMethod=HMAC-SHA1'
   query=$query"&SignatureNonce=$(_ali_nonce)"
   query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
   query=$query'&Version=2018-01-15'
 }

deploy/ali_dcdn.sh

@@ -0,0 +1,276 @@
+#!/usr/bin/env sh
+
+################################################################################
+# ACME.sh 3rd party deploy plugin for multiple (same) services
+################################################################################
+# Authors: tomo2403 (creator), https://github.com/tomo2403
+# Updated: 2025-03-01
+# Issues:  https://github.com/acmesh-official/acme.sh/issues and mention @tomo2403
+################################################################################
+# Usage (shown values are the examples):
+# 1. Set optional environment variables
+#   - export MULTIDEPLOY_FILENAME="multideploy.yaml"     - "multideploy.yml" will be automatically used if not set"
+#
+# 2. Run command:
+# acme.sh --deploy --deploy-hook multideploy -d example.com
+################################################################################
+# Dependencies:
+# - yq
+################################################################################
+# Return value:
+# 0 means success, otherwise error.
+################################################################################
+
+MULTIDEPLOY_VERSION="1.0"
+
+# Description: This function handles the deployment of certificates to multiple services.
+#              It processes the provided certificate files and deploys them according to the
+#              configuration specified in the multideploy file.
+#
+# Parameters:
+#   _cdomain     - The domain name for which the certificate is issued.
+#   _ckey        - The private key file for the certificate.
+#   _ccert       - The certificate file.
+#   _cca         - The CA (Certificate Authority) file.
+#   _cfullchain  - The full chain certificate file.
+#   _cpfx        - The PFX (Personal Information Exchange) file.
+multideploy_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+  _cpfx="$6"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+  _debug _cpfx "$_cpfx"
+
+  MULTIDEPLOY_FILENAME="${MULTIDEPLOY_FILENAME:-$(_getdeployconf MULTIDEPLOY_FILENAME)}"
+  if [ -z "$MULTIDEPLOY_FILENAME" ]; then
+    MULTIDEPLOY_FILENAME="multideploy.yml"
+    _info "MULTIDEPLOY_FILENAME is not set, so I will use 'multideploy.yml'."
+  else
+    _savedeployconf "MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME"
+    _debug2 "MULTIDEPLOY_FILENAME" "$MULTIDEPLOY_FILENAME"
+  fi
+
+  if ! file=$(_preprocess_deployfile "$MULTIDEPLOY_FILENAME"); then
+    _err "Failed to preprocess deploy file."
+    return 1
+  fi
+  _debug3 "File" "$file"
+
+  # Deploy to services
+  _deploy_services "$file"
+  _exitCode="$?"
+
+  return "$_exitCode"
+}
+
+# Description:
+#   This function preprocesses the deploy file by checking if 'yq' is installed,
+#   verifying the existence of the deploy file, and ensuring only one deploy file is present.
+# Arguments:
+#   $@ - Posible deploy file names.
+# Usage:
+#   _preprocess_deployfile "<deploy_file1>" "<deploy_file2>?"
+_preprocess_deployfile() {
+  # Check if yq is installed
+  if ! command -v yq >/dev/null 2>&1; then
+    _err "yq is not installed! Please install yq and try again."
+    return 1
+  fi
+  _debug3 "yq is installed."
+
+  # Check if deploy file exists
+  for file in "$@"; do
+    _debug3 "Checking file" "$DOMAIN_PATH/$file"
+    if [ -f "$DOMAIN_PATH/$file" ]; then
+      _debug3 "File found"
+      if [ -n "$found_file" ]; then
+        _err "Multiple deploy files found. Please keep only one deploy file."
+        return 1
+      fi
+      found_file="$file"
+    else
+      _debug3 "File not found"
+    fi
+  done
+
+  if [ -z "$found_file" ]; then
+    _err "Deploy file not found. Go to https://github.com/acmesh-official/acme.sh/wiki/deployhooks#36-deploying-to-multiple-services-with-the-same-hooks to see how to create one."
+    return 1
+  fi
+  if ! _check_deployfile "$DOMAIN_PATH/$found_file"; then
+    _err "Deploy file is not valid: $DOMAIN_PATH/$found_file"
+    return 1
+  fi
+
+  echo "$DOMAIN_PATH/$found_file"
+}
+
+# Description:
+#   This function checks the deploy file for version compatibility and the existence of the specified configuration and services.
+# Arguments:
+#   $1 - The path to the deploy configuration file.
+#   $2 - The name of the deploy configuration to use.
+# Usage:
+#   _check_deployfile "<deploy_file_path>"
+_check_deployfile() {
+  _deploy_file="$1"
+  _debug2 "check: Deploy file" "$_deploy_file"
+
+  # Check version
+  _deploy_file_version=$(yq -r '.version' "$_deploy_file")
+  if [ "$MULTIDEPLOY_VERSION" != "$_deploy_file_version" ]; then
+    _err "As of $PROJECT_NAME $VER, the deploy file needs version $MULTIDEPLOY_VERSION! Your current deploy file is of version $_deploy_file_version."
+    return 1
+  fi
+  _debug2 "check: Deploy file version is compatible: $_deploy_file_version"
+
+  # Extract all services from config
+  _services=$(yq -r '.services[].name' "$_deploy_file")
+
+  if [ -z "$_services" ]; then
+    _err "Config does not have any services to deploy to."
+    return 1
+  fi
+  _debug2 "check: Config has services."
+  echo "$_services" | while read -r _service; do
+    _debug3 " - $_service"
+  done
+
+  # Check if extracted services exist in services list
+  echo "$_services" | while read -r _service; do
+    _debug2 "check: Checking service: $_service"
+    # Check if service exists
+    _service_config=$(yq -r ".services[] | select(.name == \"$_service\")" "$_deploy_file")
+    if [ -z "$_service_config" ] || [ "$_service_config" = "null" ]; then
+      _err "Service '$_service' not found."
+      return 1
+    fi
+
+    _service_hook=$(echo "$_service_config" | yq -r ".hook" -)
+    if [ -z "$_service_hook" ] || [ "$_service_hook" = "null" ]; then
+      _err "Service '$_service' does not have a hook."
+      return 1
+    fi
+
+    _service_environment=$(echo "$_service_config" | yq -r ".environment" -)
+    if [ -z "$_service_environment" ] || [ "$_service_environment" = "null" ]; then
+      _err "Service '$_service' does not have an environment."
+      return 1
+    fi
+  done
+}
+
+# Description: This function takes a list of environment variables in YAML format,
+#              parses them, and exports each key-value pair as environment variables.
+# Arguments:
+#   $1 - A string containing the list of environment variables in YAML format.
+# Usage:
+#   _export_envs "$env_list"
+_export_envs() {
+  _env_list="$1"
+
+  _secure_debug3 "Exporting envs" "$_env_list"
+
+  echo "$_env_list" | yq -r 'to_entries | .[] | .key + "=" + .value' | while IFS='=' read -r _key _value; do
+    # Using eval to expand nested variables in the configuration file
+    _value=$(eval 'echo "'"$_value"'"')
+    _savedeployconf "$_key" "$_value"
+    _secure_debug3 "Saved $_key" "$_value"
+  done
+}
+
+# Description:
+#   This function takes a YAML formatted string of environment variables, parses it,
+#   and clears each environment variable. It logs the process of clearing each variable.
+#
+#   Note: Environment variables for a hook may be optional and differ between
+#   services using the same hook.
+#   If one service sets optional environment variables and another does not, the
+#   variables may persist and affect subsequent deployments.
+#   Clearing these variables after each service ensures that only the
+#   environment variables explicitly specified for each service in the deploy
+#   file are used.
+# Arguments:
+#   $1 - A YAML formatted string containing environment variable key-value pairs.
+# Usage:
+#   _clear_envs "<yaml_string>"
+_clear_envs() {
+  _env_list="$1"
+
+  _secure_debug3 "Clearing envs" "$_env_list"
+  env_pairs=$(echo "$_env_list" | yq -r 'to_entries | .[] | .key + "=" + .value')
+
+  echo "$env_pairs" | while IFS='=' read -r _key _value; do
+    _debug3 "Deleting key" "$_key"
+    _cleardomainconf "SAVED_$_key"
+    unset -v "$_key"
+  done
+}
+
+# Description:
+#   This function deploys services listed in the deploy configuration file.
+# Arguments:
+#   $1 - The path to the deploy configuration file.
+#   $2 - The list of services to deploy.
+# Usage:
+#   _deploy_services "<deploy_file_path>" "<services_list>"
+_deploy_services() {
+  _deploy_file="$1"
+  _debug3 "Deploy file" "$_deploy_file"
+
+  _tempfile=$(mktemp)
+  trap 'rm -f $_tempfile' EXIT
+
+  yq -r '.services[].name' "$_deploy_file" >"$_tempfile"
+  _debug3 "Services" "$(cat "$_tempfile")"
+
+  _failedServices=""
+  _failedCount=0
+  while read -r _service <&3; do
+    _debug2 "Service" "$_service"
+    _hook=$(yq -r ".services[] | select(.name == \"$_service\").hook" "$_deploy_file")
+    _envs=$(yq -r ".services[] | select(.name == \"$_service\").environment" "$_deploy_file")
+
+    _export_envs "$_envs"
+    if ! _deploy_service "$_service" "$_hook"; then
+      _failedServices="$_service, $_failedServices"
+      _failedCount=$((_failedCount + 1))
+    fi
+    _clear_envs "$_envs"
+  done 3<"$_tempfile"
+
+  _debug3 "Failed services" "$_failedServices"
+  _debug2 "Failed count" "$_failedCount"
+  if [ -n "$_failedServices" ]; then
+    _info "$(__red "Deployment failed") for services: $_failedServices"
+  else
+    _debug "All services deployed successfully."
+  fi
+
+  return "$_failedCount"
+}
+
+# Description: Deploys a service using the specified hook.
+# Arguments:
+#   $1 - The name of the service to deploy.
+#   $2 - The hook to use for deployment.
+# Usage:
+#   _deploy_service <service_name> <hook>
+_deploy_service() {
+  _name="$1"
+  _hook="$2"
+
+  _debug2 "SERVICE" "$_name"
+  _debug2 "HOOK" "$_hook"
+
+  _info "$(__green "Deploying") to '$_name' using '$_hook'"
+  _deploy "$_cdomain" "$_hook"
+}

deploy/multideploy.sh

@@ -33,7 +33,7 @@ strongswan_deploy() {
       return 1
     fi
     _info _confdir "${_confdir}"
-    __deploy_cert "$@" "stroke" "${_confdir}"
+    __deploy_cert "stroke" "${_confdir}" "$@"
     ${_ipsec} reload
   fi
   # For modern vici mode
@@ -50,7 +50,7 @@ strongswan_deploy() {
       _err "no swanctl config dir is found"
       return 1
     fi
-    __deploy_cert "$@" "vici" "${_confdir}"
+    __deploy_cert "vici" "${_confdir}" "$@"
     ${_swanctl} --load-creds
   fi
   if [ -z "${_swanctl}" ] && [ -z "${_ipsec}" ]; then
@@ -63,13 +63,13 @@ strongswan_deploy() {
 ####################  Private functions below ##################################
 
 __deploy_cert() {
-  _cdomain="${1}"
-  _ckey="${2}"
-  _ccert="${3}"
-  _cca="${4}"
-  _cfullchain="${5}"
-  _swan_mode="${6}"
-  _confdir="${7}"
+  _swan_mode="${1}"
+  _confdir="${2}"
+  _cdomain="${3}"
+  _ckey="${4}"
+  _ccert="${5}"
+  _cca="${6}"
+  _cfullchain="${7}"
   _debug _cdomain "${_cdomain}"
   _debug _ckey "${_ckey}"
   _debug _ccert "${_ccert}"