Merge remote-tracking branch 'upstream/master'

README.md

@@ -25,7 +25,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 
 # [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
 
-# Who are using **acme.sh**
+# Who:
 - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
 - [ruby-china.org](https://ruby-china.org/topics/31983)
 - [Proxmox](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer))
@@ -74,7 +74,7 @@ https://github.com/Neilpang/acmetest
 - Webroot mode
 - Standalone mode
 - Apache mode
-- Nginx mode ( Beta )
+- Nginx mode
 - DNS mode
 - [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode)
 
@@ -204,6 +204,8 @@ Install/copy the cert/key to the production Apache or Nginx path.
 The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
 
 
+**Please take care:  The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewwed cert in 60 days.**
+
 # 4. Use Standalone server to issue cert
 
 **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))**
@@ -238,7 +240,7 @@ More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
 
 If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`.
 
-Particularly, if you are running an Apache server, you should use Apache mode instead. This mode doesn't write any files to your web root folder.
+Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder.
 
 Just set string "apache" as the second argument and it will force use of apache plugin automatically.
 
@@ -246,6 +248,10 @@ Just set string "apache" as the second argument and it will force use of apache
 acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com
 ```
 
+**This apache mode is only to issue the cert, it will not change your apache config files. 
+You will need to configure your website config files to use the cert by yourself.
+We don't want to mess your apache server, don't worry.**
+
 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
 
 # 7. Use Nginx mode
@@ -266,6 +272,10 @@ So, the config is not changed.
 acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
 ```
 
+**This nginx mode is only to issue the cert, it will not change your nginx config files. 
+You will need to configure your website config files to use the cert by yourself.
+We don't want to mess your nginx server, don't worry.**
+
 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
 
 # 8. Automatic DNS API integration
@@ -332,7 +342,7 @@ For more details: [How to use DNS API](dnsapi)
 
 # 9. Use DNS manual mode:
 
-If your dns provider doesn't support any api access, you will have to add the txt record by your hand.
+If your dns provider doesn't support any api access, you can add the txt record by your hand.
 
 ```bash
 acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com
@@ -370,7 +380,7 @@ Ok, it's done.
 
 And we support them too!
 
-Just set the `length` parameter with a prefix `ec-`.
+Just set the `keylength` parameter with a prefix `ec-`.
 
 For example:
 
@@ -386,7 +396,7 @@ acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256
 acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256
 ```
 
-Please look at the last parameter above.
+Please look at the `keylength` parameter above.
 
 Valid values are:
 

acme.sh

@@ -1281,6 +1281,7 @@ _create_account_key() {
   else
     #generate account key
     _createkey "$length" "$ACCOUNT_KEY_PATH"
+    chmod 600 "$ACCOUNT_KEY_PATH"
   fi
 
 }
@@ -1838,7 +1839,7 @@ _send_signed_request() {
     _body="$response"
     if [ "$needbase64" ]; then
       _body="$(echo "$_body" | _dbase64)"
-      _debug2 _body "$_body"
+      _debug3 _body "$_body"
     fi
 
     if _contains "$_body" "JWS has invalid anti-replay nonce"; then
@@ -2006,9 +2007,19 @@ _startserver() {
     _NC="$_NC -6"
   fi
 
-  _debug "_NC" "$_NC"
-  #todo  listen address
-  $_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK; echo ; echo  $content; echo;" &
+  if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
+    _NC="$_NC -d -d -v"
+  fi
+
+  SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork
+
+  #Adding bind to local-address
+  if [ "$ncaddr" ]; then
+    SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
+  fi
+
+  _debug "_NC" "$_NC $SOCAT_OPTIONS"
+  $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo  $content; echo;" &
   serverproc="$!"
 }
 
@@ -5062,7 +5073,7 @@ _installalias() {
 
 }
 
-# nocron confighome
+# nocron confighome noprofile
 install() {
 
   if [ -z "$LE_WORKING_DIR" ]; then
@@ -5071,6 +5082,7 @@ install() {
 
   _nocron="$1"
   _c_home="$2"
+  _noprofile="$3"
   if ! _initpath; then
     _err "Install failed."
     return 1
@@ -5136,7 +5148,7 @@ install() {
 
   _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
 
-  if [ "$IN_CRON" != "1" ]; then
+  if [ "$IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
     _installalias "$_c_home"
   fi
 
@@ -5362,10 +5374,11 @@ Parameters:
   "
 }
 
-# nocron
+# nocron noprofile
 _installOnline() {
   _info "Installing from online archive."
   _nocron="$1"
+  _noprofile="$2"
   if [ ! "$BRANCH" ]; then
     BRANCH="master"
   fi
@@ -5386,7 +5399,7 @@ _installOnline() {
 
     cd "$PROJECT_NAME-$BRANCH"
     chmod +x $PROJECT_ENTRY
-    if ./$PROJECT_ENTRY install "$_nocron"; then
+    if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
       _info "Install success!"
     fi
 
@@ -5402,7 +5415,7 @@ upgrade() {
     _initpath
     export LE_WORKING_DIR
     cd "$LE_WORKING_DIR"
-    _installOnline "nocron"
+    _installOnline "nocron" "noprofile"
   ); then
     _info "Upgrade success!"
     exit 0

deploy/strongswan.sh

@@ -22,6 +22,8 @@ strongswan_deploy() {
     _ipsec=/usr/sbin/ipsec
   elif [ -x /usr/sbin/strongswan ]; then
     _ipsec=/usr/sbin/strongswan
+  elif [ -x /usr/local/sbin/ipsec ]; then
+    _ipsec=/usr/local/sbin/ipsec
   else
     _err "no strongswan or ipsec command is detected"
     return 1

dnsapi/dns_he.sh

@@ -75,17 +75,19 @@ dns_he_rm() {
   body="$body&hosted_dns_zoneid=$_zone_id"
   body="$body&menu=edit_zone"
   body="$body&hosted_dns_editzone="
-  domain_regex="$(echo "$_full_domain" | sed 's/\./\\./g')" # escape dots
-  _record_id=$(_post "$body" "https://dns.he.net/" \
-    | tr -d '\n' \
-    | _egrep_o "data=\"&quot;${_txt_value}&quot;([^>]+>){6}[^<]+<[^;]+;deleteRecord\('[0-9]+','${domain_regex}','TXT'\)" \
-    | _egrep_o "[0-9]+','${domain_regex}','TXT'\)$" \
-    | _egrep_o "^[0-9]+"
-  )
-  # The series of egreps above could have been done a bit shorter but
-  #  I wanted to double-check whether it's the correct record (in case
-  #  HE changes their website somehow).
 
+  response="$(_post "$body" "https://dns.he.net/")"
+  _debug2 "response" "$response"
+  if ! _contains "$response" "$_txt_value"; then
+    _debug "The txt record is not found, just skip"
+    return 0
+  fi
+  _record_id="$(echo "$response" | tr -d "#" | sed "s/<tr/#<tr/g" | tr -d "\n" | tr "#" "\n" | grep "$_full_domain" | grep '"dns_tr"' | grep "$_txt_value" | cut -d '"' -f 4)"
+  _debug2 _record_id "$_record_id"
+  if [ -z "$_record_id" ]; then
+    _err "Can not find record id"
+    return 1
+  fi
   # Remove the record
   body="email=${HE_Username}&pass=${HE_Password}"
   body="$body&menu=edit_zone"
@@ -108,41 +110,26 @@ dns_he_rm() {
 
 ########################## PRIVATE FUNCTIONS ###########################
 
-#-- _find_zone() -------------------------------------------------------
-# Returns the most specific zone found in administration interface.
-#
-# Example:
-#
-# _find_zone first.second.third.co.uk
-#
-# ... will return the first zone that exists in admin out of these:
-# - "first.second.third.co.uk"
-# - "second.third.co.uk"
-# - "third.co.uk"
-# - "co.uk" <-- unlikely
-# - "uk"    <-'
-#
-# (another approach would be something like this:
-#   https://github.com/hlandau/acme/blob/master/_doc/dns.hook
-#   - that's better if there are multiple pages. It's so much simpler.
-# )
-
 _find_zone() {
-
   _domain="$1"
-
   body="email=${HE_Username}&pass=${HE_Password}"
-  _matches=$(_post "$body" "https://dns.he.net/" \
-    | _egrep_o "delete_dom.*name=\"[^\"]+\" value=\"[0-9]+"
-  )
+  response="$(_post "$body" "https://dns.he.net/")"
+  _debug2 response "$response"
+  _table="$(echo "$response" | tr -d "#" | sed "s/<table/#<table/g" | tr -d "\n" | tr "#" "\n" | grep 'id="domains_table"')"
+  _debug2 _table "$_table"
+  _matches="$(echo "$_table" | sed "s/<tr/#<tr/g" | tr "#" "\n" | grep 'alt="edit"' | tr -d " " | sed "s/<td/#<td/g" | tr "#" "\n" | sed -n 3p)"
+  _debug2 _matches "$_matches"
   # Zone names and zone IDs are in same order
-  _zone_ids=$(echo "$_matches" | cut -d '"' -f 5)
-  _zone_names=$(echo "$_matches" | cut -d '"' -f 3)
+  _zone_ids=$(echo "$_matches" | _egrep_o "hosted_dns_zoneid=[0-9]*&" | cut -d = -f 2 | tr -d '&')
+  _zone_names=$(echo "$_matches" | _egrep_o "name=.*onclick" | cut -d '"' -f 2)
   _debug2 "These are the zones on this HE account:"
   _debug2 "$_zone_names"
   _debug2 "And these are their respective IDs:"
   _debug2 "$_zone_ids"
-
+  if [ -z "$_zone_names" ] || [ -z "$_zone_ids" ]; then
+    _err "Can not get zone names."
+    return 1
+  fi
   # Walk through all possible zone names
   _strip_counter=1
   while true; do
@@ -156,17 +143,10 @@ _find_zone() {
 
     _debug "Looking for zone \"${_attempted_zone}\""
 
-    # Take care of "." and only match whole lines. Note that grep -F
-    # cannot be used because there's no way to make it match whole
-    # lines.
-    regex="^$(echo "$_attempted_zone" | sed 's/\./\\./g')$"
-    line_num=$(echo "$_zone_names" \
-      | grep -n "$regex" \
-      | cut -d : -f 1
-    )
-
-    if [ -n "$line_num" ]; then
-      _zone_id=$(echo "$_zone_ids" | sed "${line_num}q;d")
+    line_num="$(echo "$_zone_names" | grep -n "$_attempted_zone" | cut -d : -f 1)"
+
+    if [ "$line_num" ]; then
+      _zone_id=$(echo "$_zone_ids" | sed -n "${line_num}p")
       _debug "Found relevant zone \"$_attempted_zone\" with id \"$_zone_id\" - will be used for domain \"$_domain\"."
       return 0
     fi

dnsapi/dns_yandex.sh

@@ -16,7 +16,7 @@ dns_yandex_add() {
   _PDD_credentials || return 1
   export _H1="PddToken: $PDD_Token"
 
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
   _debug "Found suitable domain in pdd: $curDomain"
   curData="domain=${curDomain}&type=TXT&subdomain=${curSubdomain}&ttl=360&content=${txtvalue}"
   curUri="https://pddimp.yandex.ru/api2/admin/dns/add"
@@ -33,7 +33,7 @@ dns_yandex_rm() {
   record_id=$(pdd_get_record_id "${fulldomain}")
   _debug "Result: $record_id"
 
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
   _debug "Found suitable domain in pdd: $curDomain"
 
   curUri="https://pddimp.yandex.ru/api2/admin/dns/del"
@@ -72,8 +72,8 @@ _PDD_get_domain() {
       if [ "$d" = "$__t" ]; then
         p=$(_math $k - 1)
         curSubdomain="$(echo "$fulldomain" | cut -d . -f "1-$p")"
-        echo "$__t"
-        return
+        curDomain="$__t"
+        return 0
       fi
     done
     k=$(_math $k + 1)
@@ -96,7 +96,7 @@ _PDD_credentials() {
 pdd_get_record_id() {
   fulldomain="${1}"
 
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
   _debug "Found suitable domain in pdd: $curDomain"
 
   curUri="https://pddimp.yandex.ru/api2/admin/dns/list?domain=${curDomain}"