acme.sh
dns_aruba.sh - First release
If this is a PR to support new DNS API or new notification API, please read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide Please check the guide items one by one. Then add your usage here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
any update?
What do I have to do? I tested the shell script and it works. What do I need to do to get it merged?
@JTrotta Hi, I've tried your script in the pfSense ACME package but I think we have an error:

At line 97:
```
Syntax error: redirection unexpected (expecting word)
```
The line is:
```sh
read -ra ADDR <<< "$temp" #put Ids into array
```
`<<<` exists in bash but not in dash; all the other DNS scripts call the dash shell via `#!/usr/bin/env sh`.
You use bash in your script; that's not correct, as point 4 of the dev guide says: the file shebang must be sh, not bash.
@execcr mmmh, good catch. How did you test it in pfSense? I tested it with no errors.
Did you test it in pfSense? I have modified the acme.inc script in /usr/local/pkg/acme to add the entry for your script, adding the 4 variables named ARUBA_*. Then in the subfolder dnsapi I've put your code from GitHub.
After restarting pfSense I have the DNS Aruba method in the web GUI, and I tested it with a subdomain.
I've tried to modify the line 97 problem to:
```sh
set -- "$temp" #read -ra ADDR <<< "$temp" #put Ids into array
domain_id="$1" #domain_id="${ADDR[0]}" # first element is zone Id
#printf "%s" $1
_info "DomainId is: $domain_id"
_info "Consumer key is ok."
return 0
```
to get around the missing `<<<` in dash, but then another error pops up in this function:
```sh
# returns TXT record and puts it in _record_id, if it exists
_extract_record_id() {
  subdomain=$1
  _arrayid=0
  _ids="$(echo "$domainData" | grep -oP '(?<="Id": )[^,]+')"
  _names="$(echo "$domainData" | grep -oP '(?<="Name": ")[^"]+')"
  ARRAY_IDS=($(echo "$_ids" | tr ", " "\n"))
  ARRAY_NAMES=($_names)

  for i in "${!ARRAY_NAMES[@]}"; do
    if [[ ${ARRAY_NAMES[$i]} = $subdomain ]]; then
      _debug printf "%s\t%s\n" "$i" "${ARRAY_NAMES[$i]}"
      _arrayid=$i
      _debug "Found txt record id: ${ARRAY_IDS[$_arrayid]}"
      _recordId=${ARRAY_IDS[$_arrayid]}
      printf "%s" "${ARRAY_IDS[$_arrayid]}"
      return 0
    fi
  done

  return 1
}
```
All these errors are not related to the script itself, but rather to the differences between bash and dash. But I'm not a bash or dash programmer; I have some very basic fundamentals and nothing else. Btw, thank you very much for your work.
https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
Hi, I've checked the new commit. On some systems the grep -P option does not exist because it is still experimental (and in pfSense it does not exist).
Then I have a problem with the GET info for the domain:
```sh
if ! _aruba_rest GET "api/domains/dns/$_domain/details" || _contains "$response" "error" || _contains "$response" "denied"; then
```
It seems that it's checking the whole domain instead of getting the second-level domain.
For example, if I want to make a certificate for myapp.mydomain.it, the GET function should call
https://api.arubabusiness.it/api/domains/dns/mydomain.it/details
Instead, the GET that gets passed is https://api.arubabusiness.it/api/domains/dns/myapp.mydomain.it/details
And the response I get is
`4-4: The domain dashboard.monitoro.cloud does not appear on the dns system.No Domains match the criteria` because it does not exist as an Aruba domain itself.
@execcr It's not clear what you mean. `$_domain` is an ACME parameter, and it should be a second level.
@JTrotta yes, it's an ACME parameter, but it should not be used directly to call the Aruba API. The Aruba API needs the root domain. If I want to issue a certificate for myapp.linux.org I will pass `-d myapp.linux.org` to acme.sh. But in the API call I should pass only linux.org; Aruba will not accept the third level myapp because the zone doesn't exist. Sorry if it was not clear.
@execcr It's not clear. It is exactly what I did. The error is related to grep, as you caught in the first post. Try my latest release.
It has some problem with curl:
```
[Sun Apr 19 16:59:25 CEST 2020] Single domain='myapp.linux.it'
[Sun Apr 19 16:59:25 CEST 2020] Getting domain auth token for each domain
[Sun Apr 19 16:59:28 CEST 2020] Getting webroot for domain='dashboard.monitoro.cloud'
[Sun Apr 19 16:59:28 CEST 2020] Adding txt value: 7VQSQZLuwsCAqsgFMGVl4MsRsQuvsOBtJP5ffr7NIWs for domain: _acme-challenge.myapp.linux.it
[Sun Apr 19 16:59:28 CEST 2020] Using ARUBA endpoint: aruba-it
[Sun Apr 19 16:59:28 CEST 2020] ARUBA consumer key is empty, Let's get one:
[Sun Apr 19 16:59:28 CEST 2020] Unknown parameter : aruba-it
[Sun Apr 19 16:59:28 CEST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sun Apr 19 16:59:28 CEST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sun Apr 19 16:59:28 CEST 2020] Unable to get access_token
[Sun Apr 19 16:59:28 CEST 2020] Can not get consumer key.
[Sun Apr 19 16:59:28 CEST 2020] Error add txt for domain:_acme-challenge.myapp.linux.it
[Sun Apr 19 16:59:28 CEST 2020] Please check log file for more details: /tmp/acme/myapp.linux.it-TestApp/acme_issuecert.log
```
@execcr you cannot use the acme DNS API for a third-level FQDN, only a second-level domain. The DNS API is used to certify a domain of your own (i.e. federico.it), not myapp.linux.it; it's not yours, it's linux.it.
No wait, this is not true. You can validate any subdomain you want (and even wildcard ones, for example `-d "*.example.org" -d "*.staging.example.org" -d "*.live.example.org"`). It is written in point 3 of the dev guide that you need to correctly detect the root zone, and this is the case scenario.
For example, I have multiple third-level domains using Let's Encrypt with Amazon Route 53 (myapp1.example.org, myapp2.exmple.org) and they are working.
FYI, this is the string that the acme implementation uses when I launch a renew/issue:
```sh
/usr/local/pkg/acme/acme.sh --issue -d 'myapp2.exmple.org' --dns 'dns_route53' --home '/tmp/acme/myapp2.exmple.org/' --accountconf '/tmp/acme/myapp2.exmple.org/accountconf.conf' --force --reloadCmd '/tmp/acme/myapp2.exmple.org/reloadcmd.sh' --log-level 3 --log '/tmp/acme/myapp2.exmple.org/acme_issuecert.log'
```
BTW, thank you for your awesome work.
You wrote "linux.it". I wrote that you must own the second level.
Yes, I must own the second-level domain. But what I was talking about (and correct me if I'm wrong, I'm not at your coding skill level) is that you are using the `$_domain` variable (passed with the -d argument when launching acme.sh) for the GET API call to Aruba. I was telling you that I could also pass names like myapp.example.org, and so the GET API call will include that in the URL and the API fails.
Btw, I don't know why this error
`Unknown parameter : aruba-it`
appears, and who is outputting it in the log (maybe a cache problem on pfSense with the newly added variable ARUBA_END_POINT that was missing in my configuration file). Tomorrow I will clear the old configuration file and try again. The curl errors could be a consequence of that error.
@execcr I changed the endpoint selection. You have to delete the .conf file and/or re-save the parameters in the pfSense GUI.
Sorry, it was not working again:
```sh
_aruba_get_api() {
  _ogaep="$1"
  case "${_ogaep}" in
    aruba-b-it | arubabit)
      printf "%s" $ARUBA_BUSINESS_IT
      return
      ;;
    *)
      _err "Unknown parameter : $1"
      return 1
      ;;
  esac
}
```
This function does not return the https API address (it returns a blank or empty `$ARUBA_API`).
I forced `ARUBA_API='https://api.arubabusiness.it'` just after `ARUBA_API="$(_aruba_get_api $ARUBA_END_POINT)"` to proceed.
And then it fails during `Checking authentication and get domain details`,
because it was passing the URL
`url='https://api.arubabusiness.it/api/domains/dns/myapp.linux.cloud/details'`
and the API response is:
`response='4-4: The domain dashboard.monitoro.cloud does not appear on the dns system.No Domains match the criteria '`
Hey, I'd like to help you get that API running (especially on pfSense). But I don't own an Aruba account/API key, nor any domains there.
Check why Travis hates me.
Hi, I'm an Aruba customer and I really don't have any way to create a restricted account scoped to a single test domain for you. What I can do is give you the Swagger-like API documentation and some API responses to the queries.
But I don't know what problem JTrotta has with Travis :(
Seems there is some error on line 87. You reference `"api/domains/dns/$_domain/details"` but this variable hasn't been assigned.
@wangqiliang I saw that warning. But it's a warning, not an error. Moreover, it works. Anyway, I'll try to change it.
@execcr I changed the API endpoint selection. Retry now, but you have to change the pfSense GUI this way:
```php
$acme_domain_validation_method['dns_aruba'] = array(
  'name' => "ARUBA Business",
  'fields' => array(
    'ARUBA_AK' => array(
      'name' => "aruba_ak",
      'columnheader' => "Application Key",
      'type' => "textbox",
      'description' => "ARUBA Username"
    ),
    'ARUBA_AS' => array(
      'name' => "aruba_as",
      'columnheader' => "Application Secret",
      'type' => "password",
      'description' => "ARUBA Password"
    ),
    'ARUBA_TK' => array(
      'name' => "aruba_tk",
      'columnheader' => "Application Key",
      'type' => "textbox",
      'description' => "ARUBA Application Key"
    ),
    'ARUBA_END_POINT' => array(
      'name' => 'aruba_end_point',
      'columnheader' => 'API Endpoint',
      'type' => 'select',
      'items' => array(
        '' => array('name' => 'None'),
        'aruba-b-it' => array('name' => 'ARUBA Business'),
      ),
      'description' => 'Choose the ARUBA API Endpoint / Region'
    ),
  )
);
```
@JTrotta fix those empty/double new lines and trailing whitespace.
@JTrotta I've tested it. It fails after getting the consumer key:
```
[Wed Apr 22 09:00:49 CEST 2020] Get domain details
[Wed Apr 22 09:00:50 CEST 2020] DomainId is:
[Wed Apr 22 09:00:50 CEST 2020] Adding record
[Wed Apr 22 09:00:50 CEST 2020] Response error 4-8: Unprocessable Entity | |
[Wed Apr 22 09:00:50 CEST 2020] Add txt record error.
```
@execcr This means that the record Id has not been found. Check the complete log: has the JSON containing the whole data been downloaded? Is the fulldomain correct? I tested it with my domain in pfSense and it works.
@JTrotta sorry, busy day. So this is the issuecert log. It seems that what was failing was the determination of the root zone for the GET query to Aruba:
```
[Wed Apr 22 08:59:34 CEST 2020] First detect the root zone
[Wed Apr 22 08:59:34 CEST 2020] doamin to check: myapp.linux.org
[Wed Apr 22 08:59:34 CEST 2020] api/domains/dns/myapp.linux.org/details
[Wed Apr 22 08:59:34 CEST 2020] _aruba_url='https://api.arubabusiness.it/api/domains/dns/myapp.linux.org/details'
[Wed Apr 22 08:59:34 CEST 2020] _H3='Authorization: Bearer MyAuthBearer'
[Wed Apr 22 08:59:34 CEST 2020] _H4='Authorization-Key: MyApiKey'
[Wed Apr 22 08:59:34 CEST 2020] GET
[Wed Apr 22 08:59:34 CEST 2020] url='https://api.arubabusiness.it/api/domains/dns/myapp.linux.org/details'
[Wed Apr 22 08:59:34 CEST 2020] timeout=
[Wed Apr 22 08:59:34 CEST 2020] curl exists=0
[Wed Apr 22 08:59:34 CEST 2020] wget exists=127
[Wed Apr 22 08:59:34 CEST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/myapp.linux.org//http.header -g '
[Wed Apr 22 08:59:34 CEST 2020] ret='0'
[Wed Apr 22 08:59:34 CEST 2020] response='4-4: The domain myapp.linux.org does not appear on the dns system.No Domains match the criteria '
[Wed Apr 22 08:59:34 CEST 2020] Get domain details
[Wed Apr 22 08:59:34 CEST 2020] api/domains/dns/myapp.linux.org/details
[Wed Apr 22 08:59:34 CEST 2020] _aruba_url='https://api.arubabusiness.it/api/domains/dns/myapp.linux.org/details'
[Wed Apr 22 08:59:34 CEST 2020] _H3='Authorization: Bearer MyAuthBearer'
[Wed Apr 22 08:59:34 CEST 2020] _H4='Authorization-Key: MyApiKey'
[Wed Apr 22 08:59:34 CEST 2020] GET
[Wed Apr 22 08:59:34 CEST 2020] url='https://api.arubabusiness.it/api/domains/dns/myapp.linux.org/details'
[Wed Apr 22 08:59:34 CEST 2020] timeout=
[Wed Apr 22 08:59:34 CEST 2020] curl exists=0
[Wed Apr 22 08:59:34 CEST 2020] wget exists=127
[Wed Apr 22 08:59:34 CEST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/myapp.linux.org//http.header -g '
[Wed Apr 22 08:59:35 CEST 2020] ret='0'
[Wed Apr 22 08:59:35 CEST 2020] response='4-4: The domain myapp.linux.org does not appear on the dns system.No Domains match the criteria '
[Wed Apr 22 08:59:35 CEST 2020] DomainId is:
[Wed Apr 22 08:59:35 CEST 2020] Check if _acme-challenge record exists in ='myapp.linux.org'
```
@execcr shouldn't the domain "linux.org" be checked on DNS, not the subdomain myapp.linux.org?!
I'd like to take a look at the swagger docu.