2 # Wrapper for acme.sh to work on openwrt.
4 # This program is free software; you can redistribute it and/or modify it under
5 # the terms of the GNU General Public License as published by the Free Software
6 # Foundation; either version 3 of the License, or (at your option) any later
9 # Authors: Toke Høiland-Jørgensen <toke@toke.dk>
# Directories and hook path used by the rest of this wrapper.
# CHALLENGE_DIR and CERT_DIR are exported so that programs started later
# (the ACME client hook) inherit them; HOOK itself is only read here.
# NOTE(review): assumes $run_dir is already set at this point (not visible
# in this excerpt) — an empty $run_dir silently yields "/challenge".
CHALLENGE_DIR="${run_dir}/challenge"   # the web server is expected to serve ACME challenge requests from here
CERT_DIR=/etc/ssl/acme                 # issued certificates are kept here
export CHALLENGE_DIR CERT_DIR

HOOK=/usr/lib/acme/hook   # ACME client hook; the script later refuses to run if this is not executable

# shellcheck source=/dev/null
# shellcheck source=net/acme/files/functions.sh
. /usr/lib/acme/functions.sh
24 log debug
"cleaning up"
25 if [ -e $run_dir/lock
]; then
28 if [ "$NFT_HANDLE" ]; then
29 # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
30 nft delete rule inet fw4 input
$NFT_HANDLE
37 # compatibility for old option name
38 config_get_bool staging
"$section" use_staging
39 if [ -z "$staging" ]; then
40 config_get_bool staging
"$section" staging
0
43 config_get calias
"$section" calias
45 config_get dalias
"$section" dalias
47 config_get domains
"$section" domains
50 main_domain
="$(first_arg $domains)"
51 config_get keylength
"$section" keylength ec-256
53 config_get dns
"$section" dns
55 config_get acme_server
"$section" acme_server
57 config_get days
"$section" days
59 config_get standalone
"$section" standalone
0
61 config_get dns_wait
"$section" dns_wait
64 config_get webroot
"$section" webroot
66 if [ "$webroot" ]; then
67 log warn
"Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
78 config_get_bool enabled
"$section" enabled
1
79 [ "$enabled" = 1 ] ||
return
81 load_options
"$section"
82 if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
83 mkdir
-p "$CHALLENGE_DIR"
86 if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
87 if ! NFT_HANDLE
=$
(nft
-a -e insert rule inet fw4 input tcp dport
80 counter accept comment ACME |
grep -o 'handle [0-9]\+'); then
90 log debug
"added nft rule: $NFT_HANDLE"
96 config_list_foreach
"$section" credentials load_credentials
104 config_get account_email
"$section" account_email
105 if [ -z "$account_email" ]; then
106 log err
"account_email option is required"
111 config_get state_dir
"$section" state_dir
112 if [ "$state_dir" ]; then
113 log warn
"Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
114 mkdir
-p "$state_dir"
120 config_get debug
"$section" debug
0
123 # only look for the first acme section
129 Usage: acme <command> [arguments]
131 get issue or renew certificates
136 if [ ! -x "$HOOK" ]; then
137 log err
"An ACME client like acme-acmesh or acme-uacme is required, which is not installed."
144 exec 200>$run_dir/lock
145 if ! flock
-n 200; then
146 log err
"Another ACME instance is already running."
153 config_foreach load_globals acme
155 config_foreach get_cert cert