Merge pull request #4986 from acmesh-official/dev

sync

.github/workflows/DNS.yml

@@ -332,7 +332,7 @@ jobs:
       with:
         envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
         prepare: |
-          pkg_add curl socat
+          /usr/sbin/pkg_add curl socat
         usesh: true
         copyback: false
         run: |
@@ -493,8 +493,6 @@ jobs:
         copyback: false
         prepare: pkg install socat
         run: |
-          pkg set-mediator -v -I default@1.1 openssl
-          export PATH=/usr/gnu/bin:$PATH
           if [ "${{ secrets.TokenName1}}" ] ; then
             export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
           fi

.github/workflows/NetBSD.yml

@@ -20,7 +20,6 @@ concurrency:
 
 
 
-
 jobs:
   NetBSD:
     strategy:
@@ -44,6 +43,7 @@ jobs:
       CA: ${{ matrix.CA }}
       CA_EMAIL: ${{ matrix.CA_EMAIL }}
       TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
     steps:
     - uses: actions/checkout@v4
     - uses: vmactions/cf-tunnel@v0
@@ -57,7 +57,7 @@ jobs:
       run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - uses: vmactions/netbsd-vm@v1
       with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
         nat: |
           "8080": "80"
         prepare: |

acme.sh

@@ -2499,10 +2499,10 @@ _startserver() {
   _debug Le_Listen_V6 "$Le_Listen_V6"
 
   _NC="socat"
-  if [ "$Le_Listen_V4" ]; then
-    _NC="$_NC -4"
-  elif [ "$Le_Listen_V6" ]; then
+  if [ "$Le_Listen_V6" ]; then
     _NC="$_NC -6"
+  else
+    _NC="$_NC -4"
   fi
 
   if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
@@ -4515,7 +4515,7 @@ issue() {
 
   vlist="$Le_Vlist"
   _cleardomainconf "Le_Vlist"
-  _info "Getting domain auth token for each domain"
+  _debug "Getting domain auth token for each domain"
   sep='#'
   dvsep=','
   if [ -z "$vlist" ]; then
@@ -4571,12 +4571,22 @@ issue() {
     if [ "$_notAfter" ]; then
       _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\""
     fi
+    _debug "STEP 1, Ordering a Certificate"
     if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then
       _err "Create new order error."
       _clearup
       _on_issue_err "$_post_hook"
       return 1
     fi
+    if _contains "$response" "invalid"; then
+      if echo "$response" | _normalizeJson | grep '"status":"invalid"' >/dev/null 2>&1; then
+        _err "Create new order with invalid status."
+        _err "$response"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+    fi
 
     Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
     _debug Le_LinkOrder "$Le_LinkOrder"
@@ -4601,6 +4611,7 @@ issue() {
       return 1
     fi
 
+    _debug "STEP 2, Get the authorizations of each domain"
     #domain and authz map
     _authorizations_map=""
     for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
@@ -4609,13 +4620,22 @@ issue() {
         _err "get to authz error."
         _err "_authorizations_seg" "$_authorizations_seg"
         _err "_authz_url" "$_authz_url"
+        _err "$response"
         _clearup
         _on_issue_err "$_post_hook"
         return 1
       fi
 
       response="$(echo "$response" | _normalizeJson)"
       _debug2 response "$response"
+      if echo "$response" | grep '"status":"invalid"' >/dev/null 2>&1; then
+        _err "get authz objec with invalid status, please try again later."
+        _err "_authorizations_seg" "$_authorizations_seg"
+        _err "$response"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
       _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "')"
       if _contains "$response" "\"wildcard\" *: *true"; then
         _d="*.$_d"

deploy/routeros.sh

@@ -137,7 +137,7 @@ routeros_deploy() {
     return $_err_code
   fi
 
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LECertDeploy-$_cdomain\" owner=$ROUTER_OS_USERNAME \
 comment=\"generated by routeros deploy script in acme.sh\" \
 source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
@@ -158,11 +158,11 @@ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
     return $_err_code
   fi
 
-  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
+  if ! _ssh_remote_cmd "/system script run \"LECertDeploy-$_cdomain\""; then
     return $_err_code
   fi
 
-  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
+  if ! _ssh_remote_cmd "/system script remove \"LECertDeploy-$_cdomain\""; then
     return $_err_code
   fi
 

deploy/synology_dsm.sh

@@ -223,7 +223,7 @@ synology_dsm_deploy() {
 
 ####################  Private functions below ##################################
 _logout() {
-  # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget
-  response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout")
+  # Logout CERT user only to not occupy a permanent session, e.g. in DSM's "Connected Users" widget (based on previous variables)
+  response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=logout&_sid=$sid")
   _debug3 response "$response"
 }

dnsapi/dns_gandi_livedns.sh

@@ -13,7 +13,7 @@
 #
 ########  Public functions #####################
 
-GANDI_LIVEDNS_API="https://dns.api.gandi.net/api/v5"
+GANDI_LIVEDNS_API="https://api.gandi.net/v5/livedns"
 
 #Usage: dns_gandi_livedns_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_gandi_livedns_add() {
@@ -78,7 +78,7 @@ dns_gandi_livedns_rm() {
   _gandi_livedns_rest PUT \
     "domains/$_domain/records/$_sub_domain/TXT" \
     "{\"rrset_ttl\": 300, \"rrset_values\": $_new_rrset_values}" &&
-    _contains "$response" '{"message": "DNS Record Created"}' &&
+    _contains "$response" '{"message":"DNS Record Created"}' &&
     _info "Removing record $(__green "success")"
 }
 
@@ -134,7 +134,7 @@ _dns_gandi_append_record() {
   _debug new_rrset_values "$_rrset_values"
   _gandi_livedns_rest PUT "domains/$_domain/records/$sub_domain/TXT" \
     "{\"rrset_ttl\": 300, \"rrset_values\": $_rrset_values}" &&
-    _contains "$response" '{"message": "DNS Record Created"}' &&
+    _contains "$response" '{"message":"DNS Record Created"}' &&
     _info "Adding record $(__green "success")"
 }
 
@@ -144,11 +144,11 @@ _dns_gandi_existing_rrset_values() {
   if ! _gandi_livedns_rest GET "domains/$domain/records/$sub_domain"; then
     return 1
   fi
-  if ! _contains "$response" '"rrset_type": "TXT"'; then
+  if ! _contains "$response" '"rrset_type":"TXT"'; then
     _debug "Does not have a _acme-challenge TXT record yet."
     return 1
   fi
-  if _contains "$response" '"rrset_values": \[\]'; then
+  if _contains "$response" '"rrset_values":\[\]'; then
     _debug "Empty rrset_values for TXT record, no previous TXT record."
     return 1
   fi
@@ -169,7 +169,7 @@ _gandi_livedns_rest() {
   if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
     export _H2="Authorization: Bearer $GANDI_LIVEDNS_TOKEN"
   else
-    export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY"
+    export _H2="Authorization: Apikey $GANDI_LIVEDNS_KEY"
   fi
 
   if [ "$m" = "GET" ]; then