#!/bin/sh [ "${acme:-}" = true ] || return 0 : ${acme_email:="root@${email_domain}"} : ${acme_keylength:='ec-256'} acme_cert_dir=/usr/local/etc/ssl/acme acme_standalone_port=9080 acme_user=acme acme_home=/var/db/acme acme_webroot=/usr/local/www/acme acmeproxy_home=/var/spool/acmeproxy dhparams_path=/etc/ssl/dhparams.pem pkg install -y acme.sh install_directory -m 0775 -o root -g "$acme_user" "$acme_cert_dir" install_template -m 0644 /etc/cron.d/acme if [ -n "${acme_eab_kid:-}" ]; then su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --eab-kid ${acme_eab_kid} --eab-hmac-key ${acme_eab_hmac_key}" else su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --email ${acme_email}" fi if [ "${nginx_public:-}" = true ] && ! [ -f "$dhparams_path" ]; then openssl dhparam -out "$dhparams_path" 2048 fi if [ "${acme_standalone:-}" != true ]; then install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot" fi acme_install_certificate(){ _aic_group=0 _aic_reload_cmd= _aic_name= _aic_domain= while getopts g:r: _aic_opt; do case $_aic_opt in g) _aic_group=$OPTARG ;; r) _aic_reload_cmd=$OPTARG ;; esac done shift $((OPTIND - 1)) _aic_name=$1; shift _aic_key_path="${acme_cert_dir}/${_aic_name}.key" _aic_cert_path="${acme_cert_dir}/${_aic_name}.crt" _aic_ca_path="${acme_cert_dir}/${_aic_name}.ca.crt" _aic_firstdomain=$1 _aic_domain_args='' for _aic_domain; do _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}" done # Acquire the certificate via HTTP ACME challenge. if [ "${acme_standalone:-}" = true ]; then su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httpport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? else su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$? fi case $_aic_rc in 0) ;; # New cert was issued. 2) ;; # Cert was unchanged. *) die "failed to issue ACME certificate for: $*" ;; esac # Install the certificate to the requested location. if [ -f "$_aic_key_path" ]; then chmod 640 "$_aic_key_path" chown "${acme_user}:${_aic_group}" "$_aic_key_path" else install -o "$acme_user" -g "$_aic_group" -m 0640 /dev/null "$_aic_key_path" fi if [ -n "$_aic_reload_cmd" ]; then su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} --reloadcmd '${_aic_reload_cmd}'" else su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_firstdomain} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --ca-file ${_aic_ca_path} " fi } acme_setup_proxy(){ [ -n "${acmeproxy_domains:-}" ] || return 0 install_directory -o root -g wheel -m 0755 "$acmeproxy_home" install_directory -o "$acme_user" -g "${acmeproxy_client_gid:-${acmeproxy_client_group}}" -m 0750 "${acmeproxy_home}/certs" # Configure SSHD for acmeproxy. install_template -m 0644 /usr/local/etc/ssh/sshd_config.d/acmeproxy.conf service openssh reload # Acquire ACME certificates for client SFTP. for domain in $acmeproxy_domains; do su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} -d ${domain}" && _asp_rc=$? || _asp_rc=$? case $_asp_rc in 0) ;; # New cert was issued. 2) ;; # Cert was unchanged. *) die "failed to issue ACME certificate for ${domain}" ;; esac _asp_cert="${acmeproxy_home}/certs/${domain}.crt" _asp_key="${acmeproxy_home}/certs/${domain}.key" _asp_group="${acmeproxy_client_gid:-${acmeproxy_client_group}}" if [ -f "$_asp_key" ]; then chmod 640 "$_asp_key" chown "${acme_user}:${_asp_group}" "$_asp_key" else install -o "$acme_user" -g "$_asp_group" -m 0640 /dev/null "$_asp_key" fi su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${domain} --key-file ${_asp_key} --fullchain-file ${_asp_cert}" done }