2 # Wrapper for acme.sh to work on openwrt.
4 # This program is free software; you can redistribute it and/or modify it under
5 # the terms of the GNU General Public License as published by the Free Software
6 # Foundation; either version 3 of the License, or (at your option) any later
9 # Author: Toke Høiland-Jørgensen <toke@toke.dk>
12 ACME=/usr/lib/acme/acme.sh
13 export SSL_CERT_DIR=/etc/ssl/certs
25 [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
26 echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
27 /etc/init.d/cron start
32 [ "$DEBUG" -eq "1" ] && echo "$@" >&2
37 echo "Running pre checks."
40 [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
42 if [ -e /etc/init.d/uhttpd ]; then
44 UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
46 uci set uhttpd.main.listen_http=''
48 /etc/init.d/uhttpd reload || return 1
51 iptables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
52 ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
53 debug "v4 input_rule: $(iptables -nvL input_rule)"
54 debug "v6 input_rule: $(ip6tables -nvL input_rule)"
55 debug "port80 listens: $(netstat -ntpl | grep :80)"
61 echo "Running post checks (cleanup)."
62 iptables -D input_rule -p tcp --dport 80 -j ACCEPT
63 ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT
65 if [ -e /etc/init.d/uhttpd ]; then
66 uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
68 /etc/init.d/uhttpd reload
87 local main_domain="$1"
89 grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
103 local moved_staging=0
106 config_get_bool enabled "$section" enabled 0
107 config_get_bool use_staging "$section" use_staging
108 config_get_bool update_uhttpd "$section" update_uhttpd
109 config_get domains "$section" domains
110 config_get keylength "$section" keylength
112 [ "$enabled" -eq "1" ] || return
114 [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
119 if [ -e "$STATE_DIR/$main_domain" ]; then
120 if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
121 echo "Found previous cert issued using staging server. Moving it out of the way."
122 mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
125 echo "Found previous cert config. Issuing renew."
126 $ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1
132 acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
133 acme_args="$acme_args --standalone"
134 acme_args="$acme_args --keylength $keylength"
135 [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
136 [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
138 if ! $ACME --home "$STATE_DIR" --issue $acme_args; then
139 failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
140 echo "Issuing cert for $main_domain failed. Moving state to $failed_dir" >&2
141 [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
142 if [ "$moved_staging" -eq "1" ]; then
143 echo "Restoring staging certificate" >&2
144 mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"
149 if [ "$update_uhttpd" -eq "1" ]; then
150 uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"
151 uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"
152 # commit and reload is in post_checks
161 STATE_DIR=$(config_get "$section" state_dir)
162 ACCOUNT_EMAIL=$(config_get "$section" account_email)
163 DEBUG=$(config_get "$section" debug)
166 if [ -n "$CHECK_CRON" ]; then
172 config_foreach load_vars acme
175 trap err_out HUP TERM
178 config_foreach issue_cert cert