Merge pull request #660 from tlhackque/master

Update from tlhackque/getssl

.gitattributes

@@ -1,6 +1,11 @@
+# Files not to include in .zip/.tar.gz archives
+#
+.git*           export-ignore
+
 # Handle line endings automatically for files detected as text
 # and leave all files detected as binary untouched.
 * text=auto
 
 # Make all text files lf formatted
 *     text eol=lf
+

.gitignore

@@ -0,0 +1,9 @@
+*~
+*#
+*.swp
+*.tmp
+*.bak
+*.tdy
+*.tar.gz
+*.orig
+JSON.sh

Makefile

@@ -19,10 +19,9 @@ ifneq ($(strip $(DESTDIR)),)
 	mkdir -p $(DESTDIR)
 endif
 
-	install -Dm755 getssl $(DESTDIR)/usr/bin/getssl
-
-	install -dm755 $(DESTDIR)/usr/share/getssl
-	cp -r *_scripts $(DESTDIR)/usr/share/getssl
+	install -Dvm755 getssl $(DESTDIR)/usr/bin/getssl
+	install -dvm755 $(DESTDIR)/usr/share/getssl
+	for dir in *_scripts; do install -dv $(DESTDIR)/usr/share/getssl/$$dir; install -pv $$dir/* $(DESTDIR)/usr/share/getssl/$$dir/; done
 
 .PHONY: install
 

README.md

@@ -89,7 +89,7 @@ certificates to a remote server ( providing you have a ssh with key,
 sftp or ftp access to the remote server).
 
 ```getssl -h
-getssl ver. 2.35
+getssl ver. 2.36
 Obtain SSL certificates from the letsencrypt.org ACME server
 
 Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-k|--keep #] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] [--preferred-chain chain] domain   
@@ -107,6 +107,7 @@ Options:
   -u, --upgrade      Upgrade getssl if a more recent version is available - can be used with or without domain(s)
   -k, --keep     "#" Maximum number of old getssl versions to keep when upgrading
   -U, --nocheck      Do not check if a more recent version is available
+  -v  --version      Display current version of getssl
   -w working_dir "Working directory"
     --preferred-chain "chain" Use an alternate chain for the certificate
 ```
@@ -376,7 +377,7 @@ Usage: `getssl -r path/to/cert path/to/key [CA_server]`
 You need to specify both the certificate you want to revoke, and the
 account or private domain key which was used to sign / obtain the
 original certificate. The `CA_server` is an optional parameter and
-defaults to Let's Encrypt ("<https://acme-v01.api.letsencrypt.org>") as
+defaults to Let's Encrypt ("<https://acme-v02.api.letsencrypt.org>") as
 that is currently the only Certificate Authority using the ACME
 protocol.
 

dns_scripts/00GoDaddy-README.txt

@@ -0,0 +1,63 @@
+Using GoDaddy DNS for LetsEncrypt domain validation.
+
+Quick guide to setting up getssl for domain validation of
+GoDaddy DNS domains.
+
+There are two prerequisites to using getssl with GoDaddy DNS:
+
+1) Obtain an API access key from developer.godaddy.com
+   At first sign-up, you will be required to take a "test" key.
+   This is NOT what you need.  Accept it, then get a "Production"
+   key.  At this writing, there is no charge - but you must have
+   a GoDaddy customer account.
+
+   You must get the API key for the account which owns the domain
+   that you want to get certificates for.  If the domains that you
+   manage are owned by more than one account, get a key for each.
+
+   The access key consists of a "Key" and a "Secret".  You need
+   both.
+
+2) Obtain JSON.sh - https://github.com/dominictarr/JSON.sh
+
+With those in hand, the installation procedure is:
+
+1) Put JSON.sh in the getssl DNS scripts directory 
+   Default: /usr/share/getssl/dns_scripts
+
+2) Open your config file (the global file in ~/.getssl/getssl.cfg
+   or the per-account file in ~/.getssl/example.net/getssl.cfg
+
+3) Set the following options:
+   VALIDATE_VIA_DNS="true"
+   DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_godaddy"
+   DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_godaddy"
+   # The API key for your account/this domain
+   export GODADDY_KEY="..." GODADDY_SECRET="..."
+   # The base domain name(s) in which the challege records are stored
+   # E.g. if www.example.net is in the example.net zone:
+   export GODADDY_BASE="example.com example.net"
+
+ 4) Set any other options that you wish (per the standard
+   directions.)  Use the test CA to make sure that
+   everything is setup correctly.
+
+That's it.  getssl example.net will now validate with DNS.
+
+To trace record additions and removals, run getssl as
+GODADDY_TRACE=Y getssl example.net
+
+There are additional options, which are documented in the
+*godaddy" files and dns_godaddy -h.
+
+Copyright (C) 2017, 2018 Timothe Litt  litt at acm _dot org
+
+This sofware may be freely used providing this notice is included with
+all copies.  The name of the author may not be used to endorse
+any other product or derivative work.  No warranty is provided
+and the user assumes all responsibility for use of this software.
+
+Report any issues to https://github.com/tlhackque/getssl/issues.
+
+Enjoy.
+

dns_scripts/dns_add_godaddy

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (2017) Timothe Litt  litt at acm _dot org
+# Copyright (C) 2017, 2018 Timothe Litt  litt at acm _dot org
 
 # Add token to GoDaddy dns using dns_godaddy
 
@@ -36,5 +36,6 @@ fi
 
 export GODADDY_KEY
 export GODADDY_SECRET
+export GODADDY_BASE
 
-$GODADDY_SCRIPT -q add "${fulldomain}" "_acme-challenge" "${token}"
+$GODADDY_SCRIPT -q add "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}"

dns_scripts/dns_add_nsupdate

@@ -21,8 +21,9 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
   options="-k ${DNS_NSUPDATE_KEYFILE}"
 fi
 
+cmd=
 if [ -n "${DNS_SERVER}" ]; then
-        cmd+="server ${DNS_SERVER}\n"
+  cmd+="server ${DNS_SERVER}\n"
 fi
 
 cmd+="update add  ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"

dns_scripts/dns_del_godaddy

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (2017) Timothe Litt  litt at acm _dot org
+# Copyright (C) 2017,2018 Timothe Litt  litt at acm _dot org
 
 # Remove token from GoDaddy dns using dns_godaddy
 
@@ -24,7 +24,7 @@ token="$2"
 
 [ -z "$GODADDY_SCRIPT" ] && GODADDY_SCRIPT="/usr/share/getssl/dns_scripts/dns_godaddy"
 [[ "$GODADDY_SCRIPT" =~ ^~ ]] && \
-    eval 'GODADDY_SCRIPT=`readlink -nf ' "$GODADDY_SCRIPT" '`'
+    eval 'GODADDY_SCRIPT=`readlink -nf ' $GODADDY_SCRIPT '`'
 
 if ! [ -x "$GODADDY_SCRIPT" ]; then
     echo "$GODADDY_SCRIPT: not found.  Please install, softlink or set GODADDY_SCRIPT to its full path"
@@ -34,5 +34,6 @@ fi
 
 export GODADDY_KEY
 export GODADDY_SECRET
+export GODADDY_BASE
 
 $GODADDY_SCRIPT -q del "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}"

dns_scripts/dns_del_nsupdate

@@ -21,8 +21,9 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
   options="-k ${DNS_NSUPDATE_KEYFILE}"
 fi
 
+cmd=
 if [ -n "${DNS_SERVER}" ]; then
-        cmd+="server ${DNS_SERVER}\n"
+  cmd+="server ${DNS_SERVER}\n"
 fi
 
 cmd+="update delete  ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"

dns_scripts/dns_godaddy

@@ -1,8 +1,8 @@
 #!/bin/bash
 
-# Copyright (2017) Timothe Litt  litt at acm _dot org
+# Copyright (C) 2017,2018 Timothe Litt  litt at acm _dot org
 
-VERSION="1.0.1"
+VERSION="1.0.3"
 PROG="`basename $0`"
 
 # This script is used to update TXT records in GoDaddy DNS server
@@ -31,6 +31,7 @@ DEBUG="$GODADDY_DEBUG"
 
 while getopts 'dhj:k:s:t:qv' opt; do
     case $opt in
+        b) GODADDY_BASE="$OPTARG"                      ;;
         d) DEBUG="Y"                                   ;;
         j) JSON="$OPTARG"                              ;;
         k) GODADDY_KEY="$OPTARG"                       ;;
@@ -72,6 +73,9 @@ Arguments:
     For minimal trace output (to override -q), define GODADDY_TRACE="y".
 
 Options
+    -b    Domain name(s) in which challenge records are stored
+          E.g. often, www.example.net is stored in example.net.
+          Default from GODADDY_BASE
     -d    Provide debugging output - all requests and responses
     -h    This help.
     -j:   Location of JSON.sh Default `dirname $0`/JSON.sh, or
@@ -84,6 +88,7 @@ Options
     All output, except for this help text, is to stderr.
 
 Environment variables
+    GODADDY_BASE    Domain name(s) in which challenge records are stored
     GODADDY_JSON    location of the JSOH.sh script
     GODADDY_KEY     default API key
     GODADDY_SCRIPT  location of this script, default location of JSON.sh
@@ -92,7 +97,7 @@ Environment variables
     GODADDY_TFILE   appends protocol trace to file. Overrides -t
 
 BUGS
-    Due to a limitation of the gOdADDY API, deleting the last TXT record
+    Due to a limitation of the GoDaddy API, deleting the last TXT record
     would be too risky for my taste.  So in that case, I replace it with
     _dummy.record_.domain.  TXT "Ihis record is not used".  This record is
     not automatically deleted by this script, though it's perfectly OK to
@@ -155,6 +160,7 @@ if [ -z "$name" ]; then
     echo "'name' parameter is required, see -h" >&2
     exit 3
 fi
+! [[ "$name" =~ [.]$ ]] && name="${name}.${domain}."
 data="$4"
 if [ -z "$data" ]; then
     echo "'data' parameter is required, see -h" >&2
@@ -206,7 +212,23 @@ if [ "$op" = "add" ]; then
 
     while [[ "$domain" =~ [^.]+\.[^.]+ ]]; do
 
-        url="$API/$domain/records/TXT/$name"
+        reqname="$name"
+        # The API doesn't trim the base domain from the name (it used to)
+        # If specified, remove any listed base.
+        if [ -n "$GODADDY_BASE" ]; then
+            for GDB in $GODADDY_BASE; do
+                gdb="`echo "$GDB" | sed -e's/\\.$//;s/\\./\\\\./g;'`"
+                gdb="^(.+)\\.$gdb\\.?$"
+                if [[ "$name" =~ $gdb ]]; then
+                    reqname="${BASH_REMATCH[1]}"
+                    break;
+                fi
+            done
+        else
+            eval 'reqname="$''{name%'"'.$domain.'}"'"'
+        fi
+
+        url="$API/$domain/records/TXT/$reqname"
 
         request='[{"data":"'$data'","ttl":'$ttl'}]'
         [ -n "$DEBUG" ] && cat >&2 <<EOF
@@ -332,10 +354,14 @@ Old TXT RRSET:
 $current
 EOF
 
-# Remove the desired record.  The name must be relative.
+# Remove the desired record.  The name must be relative. Order varies.
 
 eval 'name="$''{name%'"'.$domain.'}"'"'
 
+match="$(printf '"name":"%s","data":"%s","ttl":' "$name" "$data")"
+cmd="$(printf 'echo %s%s%s | grep -v %s%s%s' "'" "$current" "'" "'" "$match" "'")"
+eval 'new="$('"$cmd"')"'
+
 match="$(printf '"data":"%s","name":"%s","ttl":' "$data" "$name")"
 cmd="$(printf 'echo %s%s%s | grep -v %s%s%s' "'" "$current" "'" "'" "$match" "'")"
 eval 'new="$('"$cmd"')"'