Skip to content

Commit d2bdc92

Browse files
timkimbertimkimber
authored
Merge pull request #685 from tlhackque/master
Fix copy_file_to_location failures with ssh, missing ftps://
2 parents a3983b3 + 23b670d commit d2bdc92

File tree

1 file changed

+39
-6
lines changed

1 file changed

+39
-6
lines changed

getssl

+39-6
Original file line numberDiff line numberDiff line change
@@ -264,6 +264,8 @@
264264
# 2021-07-12 Do not redirect outputs on remote commands when the debug option is used (atisne)
265265
# 2021-07-20 Use +noidnout to enable certificates for IDN domains (#679)(2.37)
266266
# 2021-07-22 Only pass +noidnout param to dig/drill(#682)(2.38)
267+
# 2021-07-25 Fix copy_file_to_location failures with ssh when suffix applied to file lacking an extension (tlhackque)(#686)
268+
# 2021-07-27 Support ftps://, FTPS_OPTIONS, remove default --insecure parameter to ftpes. Report caller(s) of error_exit in debug and test modes (tlhackque)(#687)(2.39)
267269
# ----------------------------------------------------------------------------------------
268270

269271
case :$SHELLOPTS: in
@@ -272,7 +274,7 @@ esac
272274

273275
PROGNAME=${0##*/}
274276
PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
275-
VERSION="2.38"
277+
VERSION="2.39"
276278

277279
# defaults
278280
ACCOUNT_KEY_LENGTH=4096
@@ -290,6 +292,7 @@ DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org"
290292
DOMAIN_KEY_LENGTH=4096
291293
DUAL_RSA_ECDSA="false"
292294
FTP_OPTIONS=""
295+
FTPS_OPTIONS=""
293296
FULL_CHAIN_INCLUDE_ROOT="false"
294297
GETSSL_IGNORE_CP_PRESERVE="false"
295298
HTTP_TOKEN_CHECK_WAIT=0
@@ -850,7 +853,12 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
850853
IFS=\; read -r -a copy_locations <<<"$3"
851854
for to in "${copy_locations[@]}"; do
852855
if [[ -n "$suffix" ]]; then
853-
to="${to%.*}.${suffix}.${to##*.}"
856+
bname="$(basename "$to")"
857+
if [[ "${bname##*.}" == "$bname" ]]; then
858+
to="${to}.${suffix}"
859+
else
860+
to="${to%.*}.${suffix}.${to##*.}"
861+
fi
854862
fi
855863
info "copying $cert to $to"
856864
if [[ "${to:0:4}" == "ssh:" ]] ; then
@@ -934,7 +942,7 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
934942
debug "davs user=$davsuser - pass=$davspass - host=$davshost port=$davsport dir=$davsdirn file=$davsfile"
935943
debug "from dir=$fromdir file=$fromfile"
936944
curl -u "${davsuser}:${davspass}" -T "${fromdir}/${fromfile}" "https://${davshost}:${davsport}${davsdirn}${davsfile}"
937-
elif [[ "${to:0:6}" == "ftpes:" ]] ; then
945+
elif [[ "${to:0:6}" == "ftpes:" ]] || [[ "${to:0:5}" == "ftps:" ]] ; then
938946
debug "using ftp to copy the file from $from"
939947
ftpuser=$(echo "$to"| awk -F: '{print $2}')
940948
ftppass=$(echo "$to"| awk -F: '{print $3}')
@@ -946,7 +954,13 @@ copy_file_to_location() { # copies a file, using scp, sftp or ftp if required.
946954
fromfile=$(basename "$from")
947955
debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost dir=$ftpdirn file=$ftpfile"
948956
debug "from dir=$fromdir file=$fromfile"
949-
curl --insecure --ftp-ssl -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}/"
957+
if [[ "${to:0:5}" == "ftps:" ]] ; then
958+
# shellcheck disable=SC2086
959+
curl $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}:990/"
960+
else
961+
# shellcheck disable=SC2086
962+
curl $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" -T "${fromdir}/${fromfile}" "ftp://${ftphost}${ftpdirn}/"
963+
fi
950964
else
951965
if ! mkdir -p "$(dirname "$to")" ; then
952966
error_exit "cannot create ACL directory $(basename "$to")"
@@ -1146,6 +1160,9 @@ test_output() { # write out debug output for testing
11461160

11471161
error_exit() { # give error message on error exit
11481162
echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
1163+
if [[ ${_RUNNING_TEST} -eq 1 ]] || [[ ${_USE_DEBUG} -eq 1 ]] ; then
1164+
traceback
1165+
fi
11491166
clean_up
11501167
exit 1
11511168
}
@@ -1357,7 +1374,10 @@ for d in "${alldomains[@]}"; do
13571374
else
13581375
sleep "$HTTP_TOKEN_CHECK_WAIT"
13591376
# check that we can reach the challenge ourselves, if not, then error
1360-
if [[ ! "$(curl --user-agent "$CURL_USERAGENT" -k --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
1377+
# ACME only allows port 80 (http), but redirects may use https. --insecure is used in case
1378+
# those certificates are being renewed. Let's Encrypt does the same. In this case, we verify
1379+
# that the correct data is returned, so this is safe.
1380+
if [[ ! "$(curl --user-agent "$CURL_USERAGENT" --insecure --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
13611381
error_exit "for some reason could not reach $wellknown_url - please check it manually"
13621382
fi
13631383
fi
@@ -2393,6 +2413,16 @@ signal_exit() { # Handle trapped signals
23932413
esac
23942414
}
23952415

2416+
traceback() { # Print function traceback
2417+
local i d=1 lbl=" called"
2418+
echo "Traceback" >&2
2419+
for ((i=$((${#FUNCNAME[@]}-1)); i>0; i--)); do
2420+
if [[ ${i} -eq 1 ]] ; then lbl=" called traceback" ; fi
2421+
printf "%*s%s() line %d%s\n" "$d" '' "${FUNCNAME[$i]}" "${BASH_LINENO[$((i-1))]}" "$lbl" >&2
2422+
((d++))
2423+
done
2424+
}
2425+
23962426
urlbase64() { # urlbase64: base64 encoded string with '+' replaced with '-' and '/' replaced with '_'
23972427
openssl base64 -e | tr -d '\n\r' | os_esed -e 's:=*$::g' -e 'y:+/:-_:'
23982428
}
@@ -2448,9 +2478,11 @@ write_domain_template() { # write out a template file for a domain.
24482478
# An ssh key will be needed to provide you with access to the remote server.
24492479
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
24502480
# If left blank, the username on the local server will be used to authenticate against the remote server.
2451-
# If these start with ftp:/ftpes: then the next variables are ftpuserid:ftppassword:servername:ACL_location
2481+
# If these start with ftp:/ftpes:/ftps: then the next variables are ftpuserid:ftppassword:servername:ACL_location
24522482
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
24532483
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
2484+
# ftp: uses regular ftp; ftpes: ftp over explicit TLS (port 21); ftps: ftp over implicit TLS (port 990).
2485+
# ftps/ftpes support FTPS_OPTIONS, e.g. to add "--insecure" to the curl command for hosts with self-signed certificates.
24542486
# You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username,
24552487
# password, host, port (explicitly needed even if using default port 443) and path on the server.
24562488
# Multiple locations can be defined for a file by separating the locations with a semi-colon.
@@ -2459,6 +2491,7 @@ write_domain_template() { # write out a template file for a domain.
24592491
# 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
24602492
# 'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge'
24612493
# 'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge'
2494+
# 'ftps:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge'
24622495
# 'ftpes:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge')
24632496
24642497
# Specify SSH options, e.g. non standard port in SSH_OPTS

0 commit comments

Comments
 (0)