
Reduce and simplify number of exported variables. Also allow any cert file to
append to previous file.

David Kerr 8 years ago
parent
commit
68d708e56d
2 changed files with 58 additions and 81 deletions
  1. 12 21
      deploy/README.md
  2. 46 60
      deploy/ssh.sh

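--- a/deploy/README.md
+++ b/deploy/README.md
@@ -42,15 +42,13 @@ export ACME_DEPLOY_SSH_USER="admin"
 ```
 Optional...
 ```bash
+export ACME_DEPLOY_SSH_CMD=""
 export ACME_DEPLOY_SSH_SERVER="qnap"
-export ACME_DEPLOY_SSH_PORT="22"
-export ACME_DEPLOY_SSH_SERVICE_STOP=""
 export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
 export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
 export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
 export ACME_DEPLOY_SSH_FULLCHAIN=""
 export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
-export ACME_DEPLOY_SSH_SERVICE_START=""
 ```
 The values used above are illustrative only and represent those that could 
 be used to deploy certificates to a QNAP NAS device running QTS 4.2
@@ -64,16 +62,13 @@ can login to USER@URL from the host running acme.sh before using this script.
 The USER@URL at the remote server must also have has permissions to write to
 the target location of the certificate files and to execute any commands
 (e.g. to stop/start services).
+###ACME_DEPLOY_SSH_CMD
+You can customize the ssh command used to connect to the remote host. For example
+if you need to connect to a specific port at the remote server you can set this
+to, for example, "ssh -p 22"
 ###ACME_DEPLOY_SSH_SERVER
 URL or IP Address of the remote server.  If not provided then the domain
 name provided on the acme.sh --deploy command line is used.
-###ACME_DEPLOY_SSH_PORT
-Port number that SSH will attempt to connect to at the remote server.  If
-not provided then defaults to 22.
-###ACME_DEPLOY_SSH_SERVICE_STOP
-Command to execute on the remote server prior to copying any certificates. This
-would typically be used to stop the service for which the certificates are
-being deployed.
 ###ACME_DEPLOY_SSH_KEYFILE
 Target filename for the private key issued by LetsEncrypt.
 ###ACME_DEPLOY_SSH_CERTFILE
@@ -82,22 +77,18 @@ is the same as that provided for ACME_DEPLOY_SSH_KEYFILE then this certificate
 is appended to the same file as the private key.
 ###ACME_DEPLOY_SSH_CAFILE
 Target filename for the CA intermediate certificate issued by LetsEncrypt.
+If this is the same as a previous filename then it is appended to the same
+file
 ###ACME_DEPLOY_SSH_FULLCHAIN
 Target filename for the fullchain certificate issued by LetsEncrypt.
+If this is the same as a previous filename then it is appended to the same
+file
 ###ACME_DEPLOY_SSH_REMOTE_CMD
 Command to execute on the remote server after copying any certificates.  This
-could be any additional command required prior to starting the service again,
-or could be a all-inclusive restart (stop and start of service).  If
-ACME_DEPLOY_SSH_SERVICE_STOP value was provided then a 2 second sleep is
-inserted prior to calling this command to allow the system to stabalize.
-###ACME_DEPLOY_SSH_SERVICE_START
-Command to execute on the remote server after copying any certificates.  This
-would typically be used to stop the service for which the certificates are
-being deployed.  If ACME_DEPLOY_SSH_SERVICE_STOP or ACME_DEPLOY_SSH_REMOTE_CMD
-values were provided then a 2 second sleep is inserted prior to calling
-this command to allow the system to stabalize.
+could be any additional command required for example to stop and restart
+the service.
 
-##Backups
+###Backups
 Before writing a certificate file to the remote server the existing
 certificate will be copied to a backup directory on the remote server.
 These are placed in a hidden directory in the home directory of the SSH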
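--- a/deploy/ssh.sh
+++ b/deploy/ssh.sh
@@ -12,16 +12,14 @@
 # Only a username is required.  All others are optional.
 #
 # The following examples are for QNAP NAS running QTS 4.2 
+# export ACME_DEPLOY_SSH_CMD=""
 # export ACME_DEPLOY_SSH_USER="admin"
 # export ACME_DEPLOY_SSH_SERVER="qnap"
-# export ACME_DEPLOY_SSH_PORT="22"
-# export ACME_DEPLOY_SSH_SERVICE_STOP=""
 # export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
 # export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
 # export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
 # export ACME_DEPLOY_SSH_FULLCHAIN=""
-# export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
-# export ACME_DEPLOY_SSH_SERVICE_START=""
+# export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart" 
 
 ########  Public functions #####################
 
@@ -67,26 +65,15 @@ ssh_deploy() {
     Le_Deploy_ssh_server="$_cdomain"
   fi
 
-  # PORT is optional. If not provided then use port 22
-  if [ -n "$ACME_DEPLOY_SSH_PORT" ]; then
-    Le_Deploy_ssh_port="$ACME_DEPLOY_SSH_PORT"
-    _savedomainconf Le_Deploy_ssh_port "$Le_Deploy_ssh_port"
-  elif [ -z "$Le_Deploy_ssh_port" ]; then
-    Le_Deploy_ssh_port="22"
+  # CMD is optional. If not provided then use ssh
+  if [ -n "$ACME_DEPLOY_SSH_CMD" ]; then
+    Le_Deploy_ssh_cmd="$ACME_DEPLOY_SSH_CMD"
+    _savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
+  elif [ -z "$Le_Deploy_ssh_cmd" ]; then
+    Le_Deploy_ssh_cmd="ssh"
   fi
 
-  _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server on port $Le_Deploy_ssh_port"
-
-  # SERVICE_STOP is optional.
-  # If provided then this command will be executed on remote host.
-  if [ -n "$ACME_DEPLOY_SSH_SERVICE_STOP" ]; then
-    Le_Deploy_ssh_service_stop="$ACME_DEPLOY_SSH_SERVICE_STOP"
-    _savedomainconf Le_Deploy_ssh_service_stop "$Le_Deploy_ssh_service_stop"
-  fi
-  if [ -n "$Le_Deploy_ssh_service_stop" ]; then
-    _cmdstr="$_cmdstr $Le_Deploy_ssh_service_stop ;"
-    _info "Will stop remote service with command $Le_Deploy_ssh_service_stop"
-  fi
+  _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server"
 
   # KEYFILE is optional.
   # If provided then private key will be copied to provided filename.
@@ -110,78 +97,72 @@ ssh_deploy() {
   fi
   if [ -n "$Le_Deploy_ssh_certfile" ]; then
     if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then
-      # if filename is same as that provided for private key then append.
-      _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" >> $Le_Deploy_ssh_certfile ;"
-      _info "will append certificate to same file"
+      # if filename is same as previous file then append.
+      _pipe=">>"
     else
       # backup file we are about to overwrite.
       _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir ;"
-      # copy new certificate into file.
-      _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" > $Le_Deploy_ssh_certfile ;"
-      _info "will copy certificate to remote file $Le_Deploy_ssh_certfile"
+      _pipe=">"
     fi
+    # copy new certificate into file.
+    _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile ;"
+    _info "will copy certificate to remote file $Le_Deploy_ssh_certfile"
   fi
 
   # CAFILE is optional.
-  # If provided then CA intermediate certificate will be copied to provided filename.
+  # If provided then CA intermediate certificate will be copied or appended to provided filename.
   if [ -n "$ACME_DEPLOY_SSH_CAFILE" ]; then
     Le_Deploy_ssh_cafile="$ACME_DEPLOY_SSH_CAFILE"
     _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
   fi
   if [ -n "$Le_Deploy_ssh_cafile" ]; then
-    # backup file we are about to overwrite.
-    _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir ;"
+    if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ||
+       [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then
+      # if filename is same as previous file then append.
+      _pipe=">>"
+    else
+      # backup file we are about to overwrite.
+      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir ;"
+      _pipe=">"
+    fi
     # copy new certificate into file.
-    _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" > $Le_Deploy_ssh_cafile ;"
+    _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile ;"
     _info "will copy CA file to remote file $Le_Deploy_ssh_cafile"
   fi
 
   # FULLCHAIN is optional.
-  # If provided then fullchain certificate will be copied to provided filename.
+  # If provided then fullchain certificate will be copied or appended to provided filename.
   if [ -n "$ACME_DEPLOY_SSH_FULLCHAIN" ]; then
     Le_Deploy_ssh_fullchain="$ACME_DEPLOY_SSH_FULLCHAIN"
     _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
   fi
   if [ -n "$Le_Deploy_ssh_fullchain" ]; then
-    # backup file we are about to overwrite.
-    _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir ;"
+    if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ||
+       [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] ||
+       [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then
+      # if filename is same as previous file then append.
+      _pipe=">>"
+    else
+      # backup file we are about to overwrite.
+      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir ;"
+      _pipe=">"
+    fi
     # copy new certificate into file.
-    _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" > $Le_Deploy_ssh_fullchain ;"
-    _info "will copy full chain to remote file $Le_Deploy_ssh_fullchain"
+    _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain ;"
+    _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain"
   fi
 
   # REMOTE_CMD is optional.
   # If provided then this command will be executed on remote host.
-  # A 2 second delay is inserted to allow system to stabalize after
-  # executing a service stop.
   if [ -n "$ACME_DEPLOY_SSH_REMOTE_CMD" ]; then
     Le_Deploy_ssh_remote_cmd="$ACME_DEPLOY_SSH_REMOTE_CMD"
     _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
   fi
   if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
-    if [ -n "$Le_Deploy_ssh_service_stop" ]; then
-      _cmdstr="$_cmdstr sleep 2 ;"
-    fi
     _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd ;"
     _info "Will execute remote command $Le_Deploy_ssh_remote_cmd"
   fi
 
-  # SERVICE_START is optional.
-  # If provided then this command will be executed on remote host.
-  # A 2 second delay is inserted to allow system to stabalize after
-  # executing a service stop or previous command.
-  if [ -n "$ACME_DEPLOY_SSH_SERVICE_START" ]; then
-    Le_Deploy_ssh_service_start="$ACME_DEPLOY_SSH_SERVICE_START"
-    _savedomainconf Le_Deploy_ssh_service_start "$Le_Deploy_ssh_service_start"
-  fi
-  if [ -n "$Le_Deploy_ssh_service_start" ]; then
-    if [ -n "$Le_Deploy_ssh_service_stop" ] || [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
-      _cmdstr="$_cmdstr sleep 2 ;"
-    fi
-    _cmdstr="$_cmdstr $Le_Deploy_ssh_service_start ;"
-    _info "Will start remote service with command $Le_Deploy_ssh_remote_cmd"
-  fi
-
   if [ -z "$_cmdstr" ]; then
     _err "No remote commands to excute. Failed to deploy certificates to remote server"
     return 1
@@ -199,7 +180,12 @@ ssh_deploy() {
   _info "Submitting sequence of commands to remote server by ssh"
   # quotations in bash cmd below intended.  Squash travis spellcheck error
   # shellcheck disable=SC2029
-  ssh -T -p "$Le_Deploy_ssh_port" "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmdstr'"
+  $Le_Deploy_ssh_cmd -T "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmdstr'"
+  _ret="$?"
+
+  if [ "$_ret" != "0" ]; then
+    _err "Error code $_ret returned from $Le_Deploy_ssh_cmd"
+  fi
 
-  return $?
+  return $_ret
 }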
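Review bot: The new `$Le_Deploy_ssh_cmd -T ...` line in the last hunk depends on the variable being left unquoted so that a value such as `ssh -p 22` splits into the command and its options, but nothing on the line records that intent, and the unquoted expansion is also subject to pathname globbing and will most likely draw shellcheck's SC2086 warning in the travis run the preceding comment already works around for SC2029. I would state the intent next to the existing directive and widen it, `# $Le_Deploy_ssh_cmd is intentionally unquoted so a value like "ssh -p 2222" splits into command and options` followed by `# shellcheck disable=SC2029,SC2086`, so a later cleanup does not quote it and silently break the documented port override. Since the value is taken from the deployer's environment or the saved domain conf and is sent nowhere else, the split itself is acceptable; it would still help operators to log the effective command when it is not the default, e.g. `_info "Using ssh command $Le_Deploy_ssh_cmd"`, because a stale saved override is otherwise invisible until the connection fails. ssh_deploy starts before this hunk.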