ASR_BASE
Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/external/subpack/net/uacme/files/run.sh b/external/subpack/net/uacme/files/run.sh
new file mode 100644
index 0000000..aafcad8
--- /dev/null
+++ b/external/subpack/net/uacme/files/run.sh
@@ -0,0 +1,426 @@
+#!/bin/sh
+# Wrapper for uacme to work on openwrt.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3 of the License, or (at your option) any later
+# version.
+#
+# Initial Author: Toke Høiland-Jørgensen <toke@toke.dk>
+# Adapted for uacme: Lucian Cristian <lucian.cristian@gmail.com>
+
+CHECK_CRON=$1
+
+#check for installed packages, for now, support only one
+if [ -e "/usr/lib/acme/acme.sh" ]; then
+ ACME=/usr/lib/acme/acme.sh
+ APP=acme
+elif [ -e "/usr/sbin/uacme" ]; then
+ ACME=/usr/sbin/uacme
+ HPROGRAM=/usr/share/uacme/uacme.sh
+ APP=uacme
+else
+ echo "Please install ACME or uACME package"
+ return 1
+fi
+
+export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+export NO_TIMESTAMP=1
+
+UHTTPD_LISTEN_HTTP=
+STATE_DIR='/etc/acme'
+STAGING_STATE_DIR='/etc/acme/staging'
+
+ACCOUNT_EMAIL=
+DEBUG=0
+NGINX_WEBSERVER=0
+UPDATE_NGINX=0
+UPDATE_UHTTPD=0
+UPDATE_HAPROXY=0
+USER_CLEANUP=
+
+. /lib/functions.sh
+
+check_cron()
+{
+ [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
+ echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
+ /etc/init.d/cron start
+}
+
+log()
+{
+ logger -t $APP -s -p daemon.info "$@"
+}
+
+err()
+{
+ logger -t $APP -s -p daemon.err "$@"
+}
+
+debug()
+{
+ [ "$DEBUG" -eq "1" ] && logger -t $APP -s -p daemon.debug "$@"
+}
+
+get_listeners() {
+ local proto rq sq listen remote state program
+ netstat -nptl 2>/dev/null | while read proto listen program; do
+ case "$proto#$listen#$program" in
+ tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
+ esac
+ done
+}
+
+pre_checks()
+{
+ main_domain="$1"
+
+ log "Running pre checks for $main_domain."
+
+ listeners="$(get_listeners)"
+
+ debug "port80 listens: $listeners"
+
+ for listener in $(get_listeners); do
+ pid="${listener%/*}"
+ cmd="${listener#*/}"
+
+ case "$cmd" in
+ uhttpd)
+ debug "Found uhttpd listening on port 80"
+ if [ "$APP" = "acme" ]; then
+ UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
+ if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
+ err "$main_domain: Unable to find uhttpd listen config."
+ err "Manually disable uhttpd or set webroot to continue."
+ return 1
+ fi
+ uci set uhttpd.main.listen_http=''
+ uci commit uhttpd || return 1
+ if ! /etc/init.d/uhttpd reload ; then
+ uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
+ uci commit uhttpd
+ return 1
+ fi
+ fi
+ ;;
+ nginx*)
+ debug "Found nginx listening on port 80"
+ NGINX_WEBSERVER=1
+ if [ "$APP" = "acme" ]; then
+ local tries=0
+ while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
+ /etc/init.d/nginx stop
+ if [ $tries -gt 10 ]; then
+ debug "Can't stop nginx. Terminating script."
+ return 1
+ fi
+ debug "Waiting for nginx to stop..."
+ tries=$((tries + 1))
+ sleep 1
+ done
+ fi
+ ;;
+ "")
+ err "Nothing listening on port 80."
+ err "Standalone mode not supported, setup uhttpd or nginx"
+ return 1
+ ;;
+ *)
+ err "$main_domain: unsupported (apache/haproxy?) daemon is listening on port 80."
+ err "if webroot is set on your current webserver comment line 132 (return 1) from this script."
+ return 1
+ ;;
+ esac
+ done
+
+ iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
+ debug "v4 input_rule: $(iptables -nvL input_rule)"
+ if [ -e "/usr/sbin/ip6tables" ]; then
+ ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
+ debug "v6 input_rule: $(ip6tables -nvL input_rule)"
+ fi
+ return 0
+}
+
+post_checks()
+{
+ log "Running post checks (cleanup)."
+ # The comment ensures we only touch our own rules. If no rules exist, that
+ # is fine, so hide any errors
+ iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
+ if [ -e "/usr/sbin/ip6tables" ]; then
+ ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
+ fi
+ if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then
+ uci commit uhttpd
+ /etc/init.d/uhttpd reload
+ log "Restarting uhttpd..."
+ fi
+
+ if [ -e /etc/init.d/nginx ] && ( [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ]; ); then
+ NGINX_WEBSERVER=0
+ /etc/init.d/nginx restart
+ log "Restarting nginx..."
+ fi
+
+ if [ -e /etc/init.d/haproxy ] && [ "$UPDATE_HAPROXY" -eq 1 ]; then
+ /etc/init.d/haproxy restart
+ log "Restarting haproxy..."
+ fi
+
+ if [ -n "$USER_CLEANUP" ] && [ -f "$USER_CLEANUP" ]; then
+ log "Running user-provided cleanup script from $USER_CLEANUP."
+ "$USER_CLEANUP" || return 1
+ fi
+}
+
+err_out()
+{
+ post_checks
+ exit 1
+}
+
+int_out()
+{
+ post_checks
+ trap - INT
+ kill -INT $$
+}
+
+is_staging()
+{
+ local main_domain="$1"
+
+ grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
+ return $?
+}
+
+issue_cert()
+{
+ local section="$1"
+ local acme_args=
+ local debug=
+ local enabled
+ local use_staging
+ local update_uhttpd
+ local update_nginx
+ local update_haproxy
+ local keylength
+ local domains
+ local main_domain
+ local failed_dir
+ local webroot
+ local dns
+ local user_setup
+ local user_cleanup
+ local ret
+ local staging=
+ local HOOK=
+
+ config_get_bool enabled "$section" enabled 0
+ config_get_bool use_staging "$section" use_staging
+ config_get_bool update_uhttpd "$section" update_uhttpd
+ config_get_bool update_nginx "$section" update_nginx
+ config_get_bool update_haproxy "$section" update_haproxy
+ config_get domains "$section" domains
+ config_get keylength "$section" keylength
+ config_get webroot "$section" webroot
+ config_get dns "$section" dns
+ config_get user_setup "$section" user_setup
+ config_get user_cleanup "$section" user_cleanup
+
+ UPDATE_NGINX=$update_nginx
+ UPDATE_UHTTPD=$update_uhttpd
+ UPDATE_HAPROXY=$update_haproxy
+ USER_CLEANUP=$user_cleanup
+
+ [ "$enabled" -eq "1" ] || return
+
+ if [ "$APP" = "uacme" ]; then
+ [ "$DEBUG" -eq "1" ] && debug="--verbose --verbose"
+ elif [ "$APP" = "acme" ]; then
+ [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"
+ fi
+ [ "$use_staging" -eq "1" ] && STATE_DIR="$STAGING_STATE_DIR" && staging="--staging"
+
+ set -- $domains
+ main_domain=$1
+
+ if [ -n "$user_setup" ] && [ -f "$user_setup" ]; then
+ log "Running user-provided setup script from $user_setup."
+ "$user_setup" "$main_domain" || return 1
+ else
+ [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1
+ fi
+
+ log "Running $APP for $main_domain"
+
+ if [ "$APP" = "uacme" ]; then
+ if [ ! -f "$STATE_DIR/private/key.pem" ]; then
+ log "Create a new ACME account with email $ACCOUNT_EMAIL use staging=$use_staging"
+ $ACME $debug --confdir "$STATE_DIR" $staging --yes new $ACCOUNT_EMAIL
+ fi
+
+ if [ -f "$STATE_DIR/$main_domain/cert.pem" ]; then
+ log "Found previous cert config, use staging=$use_staging. Issuing renew."
+ export CHALLENGE_PATH="$webroot"
+ $ACME $debug --confdir "$STATE_DIR" $staging --never-create issue $domains --hook=$HPROGRAM && ret=0 || ret=1
+ post_checks
+ return $ret
+ fi
+ fi
+ if [ "$APP" = "acme" ]; then
+ handle_credentials() {
+ local credential="$1"
+ eval export "$credential"
+ }
+ config_list_foreach "$section" credentials handle_credentials
+
+ if [ -e "$STATE_DIR/$main_domain" ]; then
+ if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
+ log "Found previous cert issued using staging server. Moving it out of the way."
+ mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
+ else
+ log "Found previous cert config. Issuing renew."
+ $ACME --home "$STATE_DIR" --renew -d "$main_domain" "$acme_args" && ret=0 || ret=1
+ post_checks
+ return $ret
+ fi
+ fi
+ fi
+
+ acme_args="$acme_args --bits $keylength"
+ acme_args="$acme_args $(for d in $domains; do echo -n " $d "; done)"
+ if [ "$APP" = "acme" ]; then
+ [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
+ [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
+ fi
+ if [ -n "$dns" ]; then
+#TO-DO
+ if [ "$APP" = "acme" ]; then
+ log "Using dns mode"
+ acme_args="$acme_args --dns $dns"
+ else
+ log "Using dns mode, dns-01 is not wrapped yet"
+ return 1
+# uacme_args="$uacme_args --dns $dns"
+ fi
+ elif [ -z "$webroot" ]; then
+ if [ "$APP" = "acme" ]; then
+ log "Using standalone mode"
+ acme_args="$acme_args --standalone --listen-v6"
+ else
+ log "Standalone not supported by $APP"
+ return 1
+ fi
+ else
+ if [ ! -d "$webroot" ]; then
+ err "$main_domain: Webroot dir '$webroot' does not exist!"
+ post_checks
+ return 1
+ fi
+ log "Using webroot dir: $webroot"
+ if [ "$APP" = "uacme" ]; then
+ export CHALLENGE_PATH="$webroot"
+ else
+ acme_args="$acme_args --webroot $webroot"
+ fi
+ fi
+
+ if [ "$APP" = "uacme" ]; then
+ workdir="--confdir"
+ HOOK="--hook=$HPROGRAM"
+ else
+ workdir="--home"
+ fi
+ if ! $ACME $debug $workdir "$STATE_DIR" $staging issue $acme_args $HOOK; then
+ failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
+ err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
+ [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
+ [ -d "$STATE_DIR/private/$main_domain" ] && mv "$STATE_DIR/private/$main_domain" "$failed_dir"
+ post_checks
+ return 1
+ fi
+
+ if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
+ if [ "$APP" = "uacme" ]; then
+ uci set uhttpd.main.key="$STATE_DIR/private/${main_domain}/key.pem"
+ uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/cert.pem"
+ else
+ uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"
+ uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"
+ fi
+ # commit and reload is in post_checks
+ fi
+
+ local nginx_updated
+ nginx_updated=0
+ if command -v nginx-util 2>/dev/null && [ "$update_nginx" -eq "1" ]; then
+ nginx_updated=1
+ for domain in $domains; do
+ if [ "$APP" = "uacme" ]; then
+ nginx-util add_ssl "${domain}" uacme "$STATE_DIR/${main_domain}/cert.pem" \
+ "$STATE_DIR/private/${main_domain}/key.pem" || nginx_updated=0
+ else
+ nginx-util add_ssl "${domain}" acme "$STATE_DIR/${main_domain}/fullchain.cer" \
+ "$STATE_DIR/${main_domain}/${main_domain}.key" || nginx_updated=0
+ fi
+ done
+ # reload is in post_checks
+ fi
+
+ if [ "$nginx_updated" -eq "0" ] && [ -w /etc/nginx/nginx.conf ] && [ "$update_nginx" -eq "1" ]; then
+ if [ "$APP" = "uacme" ]; then
+ sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/cert.pem;#g" /etc/nginx/nginx.conf
+ sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/private/${main_domain}/key.pem;#g" /etc/nginx/nginx.conf
+ else
+ sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/fullchain.cer;#g" /etc/nginx/nginx.conf
+ sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/${main_domain}/${main_domain}.key;#g" /etc/nginx/nginx.conf
+ fi
+ # commit and reload is in post_checks
+ fi
+
+ if [ -e /etc/init.d/haproxy ] && [ "$update_haproxy" -eq 1 ]; then
+ if [ "$APP" = "uacme" ]; then
+ cat $STATE_DIR/${main_domain}/cert.pem $STATE_DIR/private/${main_domain}/key.pem > $STATE_DIR/${main_domain}/full_haproxy.pem
+ else
+ cat $STATE_DIR/${main_domain}/fullchain.cer $STATE_DIR/${main_domain}/${main_domain}.key > $STATE_DIR/${main_domain}/full_haproxy.pem
+ fi
+ fi
+
+ post_checks
+}
+
+load_vars()
+{
+ local section="$1"
+
+ STATE_DIR=$(config_get "$section" state_dir)
+ STAGING_STATE_DIR=$STATE_DIR/staging
+ ACCOUNT_EMAIL=$(config_get "$section" account_email)
+ DEBUG=$(config_get "$section" debug)
+}
+
+check_cron
+[ -n "$CHECK_CRON" ] && exit 0
+[ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0
+
+config_load acme
+config_foreach load_vars acme
+
+if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
+ err "state_dir and account_email must be set"
+ exit 1
+fi
+
+[ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
+[ -d "$STAGING_STATE_DIR" ] || mkdir -p "$STAGING_STATE_DIR"
+
+trap err_out HUP TERM
+trap int_out INT
+
+config_foreach issue_cert cert
+
+exit 0