Home Explore Project
Register Sign In
linux
/
acme.sh
3
0
Fork 0
Files Issues 2 Pull Requests 0 Wiki
Browse Source

Merge pull request #1981 from Neilpang/alpn

Alpn
neil 6 years ago
parent
2b9ebd6662 f99ca918db
commit
13964ac726
1 changed files with 50 additions and 6 deletions
Split View Show Diff Stats
  1. 50 6
      acme.sh

+ 50 - 6
acme.sh
View File 

@@ -37,6 +37,7 @@ VTYPE_HTTP="http-01"
 
 VTYPE_DNS="dns-01"
 
 VTYPE_TLS="tls-sni-01"
 
 VTYPE_TLS2="tls-sni-02"
 
+VTYPE_ALPN="tls-alpn-01"
 
 
 LOCAL_ANY_ADDRESS="0.0.0.0"
 
 
@@ -48,6 +49,7 @@ NO_VALUE="no"
 
 
 W_TLS="tls"
 
 W_DNS="dns"
 
+W_ALPN="alpn"
 
 DNS_ALIAS_PREFIX="="
 
 
 MODE_STATELESS="stateless"
 
@@ -1046,7 +1048,7 @@ _idn() {
 
   fi
 
 }
 
 
-#_createcsr  cn  san_list  keyfile csrfile conf
 
+#_createcsr  cn  san_list  keyfile csrfile conf acmeValidationv1
 
 _createcsr() {
 
   _debug _createcsr
 
   domain="$1"
 
@@ -1054,6 +1056,7 @@ _createcsr() {
 
   csrkey="$3"
 
   csr="$4"
 
   csrconf="$5"
 
+  acmeValidationv1="$6"
 
   _debug2 domain "$domain"
 
   _debug2 domainlist "$domainlist"
 
   _debug2 csrkey "$csrkey"
 
@@ -1062,7 +1065,9 @@ _createcsr() {
 
 
   printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
 
 
-  if [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
 
+  if [ "$acmeValidationv1" ]; then
 
+    printf -- "\nsubjectAltName=DNS:$domainlist" >>"$csrconf"
 
+  elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then
 
     #single domain
 
     _info "Single domain" "$domain"
 
     printf -- "\nsubjectAltName=DNS:$domain" >>"$csrconf"
 
@@ -1084,6 +1089,10 @@ _createcsr() {
 
     printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf"
 
   fi
 
 
+  if [ "$acmeValidationv1" ]; then
 
+    printf "\n1.3.6.1.5.5.7.1.30.1=critical,DER:04:20:${acmeValidationv1}" >>"${csrconf}"
 
+  fi
 
+
 
   _csr_cn="$(_idn "$domain")"
 
   _debug2 _csr_cn "$_csr_cn"
 
   if _contains "$(uname -a)" "MINGW"; then
 
@@ -2107,7 +2116,7 @@ _sleep() {
 
   fi
 
 }
 
 
-# _starttlsserver  san_a  san_b port content _ncaddr
 
+# _starttlsserver  san_a  san_b port content _ncaddr acmeValidationv1
 
 _starttlsserver() {
 
   _info "Starting tls server."
 
   san_a="$1"
 
@@ -2115,10 +2124,12 @@ _starttlsserver() {
 
   port="$3"
 
   content="$4"
 
   opaddr="$5"
 
+  acmeValidationv1="$6"
 
 
   _debug san_a "$san_a"
 
   _debug san_b "$san_b"
 
   _debug port "$port"
 
+  _debug acmeValidationv1 "$acmeValidationv1"
 
 
   #create key TLS_KEY
 
   if ! _createkey "2048" "$TLS_KEY"; then
 
@@ -2131,7 +2142,7 @@ _starttlsserver() {
 
   if [ "$san_b" ]; then
 
     alt="$alt,$san_b"
 
   fi
 
-  if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF"; then
 
+  if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$acmeValidationv1"; then
 
     _err "Create tls validation csr error."
 
     return 1
 
   fi
 
@@ -2157,6 +2168,10 @@ _starttlsserver() {
 
     __S_OPENSSL="$__S_OPENSSL -6"
 
   fi
 
 
+  if [ "$acmeValidationv1" ]; then
 
+    __S_OPENSSL="$__S_OPENSSL -alpn acme-tls/1"
 
+  fi
 
+
 
   _debug "$__S_OPENSSL"
 
   if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
 
     $__S_OPENSSL -tlsextdebug &
 
@@ -3067,8 +3082,8 @@ _on_before_issue() {
 
         _savedomainconf "Le_HTTPPort" "$Le_HTTPPort"
 
       fi
 
       _checkport="$Le_HTTPPort"
 
-    elif [ "$_currentRoot" = "$W_TLS" ]; then
 
-      _info "Standalone tls mode."
 
+    elif [ "$_currentRoot" = "$W_TLS" ] || [ "$_currentRoot" = "$W_ALPN" ]; then
 
+      _info "Standalone tls/alpn mode."
 
       if [ -z "$Le_TLSPort" ]; then
 
         Le_TLSPort=443
 
       else
 
@@ -3694,6 +3709,10 @@ $_authorizations_map"
 
         fi
 
       fi
 
 
+      if [ "$_currentRoot" = "$W_ALPN" ]; then
 
+        vtype="$VTYPE_ALPN"
 
+      fi
 
+
 
       if [ "$ACME_VERSION" = "2" ]; then
 
         response="$(echo "$_authorizations_map" | grep "^$d," | sed "s/$d,//")"
 
         _debug2 "response" "$response"
 
@@ -4007,6 +4026,16 @@ $_authorizations_map"
 
         _on_issue_err "$_post_hook" "$vlist"
 
         return 1
 
       fi
 
+    elif [ "$vtype" = "$VTYPE_ALPN" ]; then
 
+      acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")"
 
+      _debug acmevalidationv1 "$acmevalidationv1"
 
+      if ! _starttlsserver "$d" "" "$Le_TLSPort" "$keyauthorization" "$_ncaddr" "$acmevalidationv1"; then
 
+        _err "Start tls server error."
 
+        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
 
+        _clearup
 
+        _on_issue_err "$_post_hook" "$vlist"
 
+        return 1
 
+      fi
 
     fi
 
 
     if ! __trigger_validation "$uri" "$keyauthorization"; then
 
@@ -5469,6 +5498,7 @@ Parameters:
 
   --output-insecure                 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
 
   --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
 
   --standalone                      Use standalone mode.
 
+  --alpn                            Use standalone alpn mode.
 
   --stateless                       Use stateless mode, see: $_STATELESS_WIKI
 
   --apache                          Use apache mode.
 
   --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
 
@@ -5499,6 +5529,7 @@ Parameters:
 
   --accountkey                      Specifies the account key path, only valid for the '--install' command.
 
   --days                            Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
 
   --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
 
+  --tlsport                         Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
 
   --local-address                   Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
 
   --listraw                         Only used for '--list' command, list the certs in raw format.
 
   --stopRenewOnError, -se           Only valid for '--renew-all' command. Stop if one cert has error in renewal.
 
@@ -5823,6 +5854,14 @@ _process() {
 
           _webroot="$_webroot,$wvalue"
 
         fi
 
         ;;
 
+      --alpn)
 
+        wvalue="$W_ALPN"
 
+        if [ -z "$_webroot" ]; then
 
+          _webroot="$wvalue"
 
+        else
 
+          _webroot="$_webroot,$wvalue"
 
+        fi
 
+        ;;
 
       --stateless)
 
         wvalue="$MODE_STATELESS"
 
         if [ -z "$_webroot" ]; then
 
@@ -5947,6 +5986,11 @@ _process() {
 
         Le_HTTPPort="$_httpport"
 
         shift
 
         ;;
 
+      --tlsport)
 
+        _tlsport="$2"
 
+        Le_TLSPort="$_tlsport"
 
+        shift
 
+        ;;
 
       --listraw)
 
         _listraw="raw"
 
         ;;