From bbb432f0f7e4fdd1899f31d492e5a88eff00b49a Mon Sep 17 00:00:00 2001 From: NewName Date: Tue, 19 Mar 2024 23:23:13 +0800 Subject: [PATCH] Update acme.sh --- acme.sh | 419 +++++++++++--------------------------------------------- 1 file changed, 79 insertions(+), 340 deletions(-) diff --git a/acme.sh b/acme.sh index f532307..92b835c 100644 --- a/acme.sh +++ b/acme.sh @@ -1,366 +1,105 @@ #!/bin/bash -RED="\033[31m" -GREEN="\033[32m" -YELLOW="\033[33m" -PLAIN='\033[0m' +# 检查是否以 root 用户运行 +if [ "$(id -u)" != "0" ]; then + echo "请以 root 用户运行此脚本" + exit 1 +fi -red(){ - echo -e "\033[31m\033[01m$1\033[0m" +# 生成更真实的随机邮箱 +generate_random_email() { + local part_one=$(tr -dc 'a-z0-9' < /dev/urandom | fold -w 8 | head -n 1) + local part_two=$(tr -dc 'a-z0-9' < /dev/urandom | fold -w 4 | head -n 1) + local part_three=$(tr -dc 'a-z0-9' < /dev/urandom | fold -w 4 | head -n 1) + echo "${part_one}.${part_two}${part_three}@gmail.com" } -green(){ - echo -e "\033[32m\033[01m$1\033[0m" -} - -yellow(){ - echo -e "\033[33m\033[01m$1\033[0m" -} - -REGEX=("debian" "ubuntu" "centos|red hat|kernel|oracle linux|alma|rocky" "'amazon linux'" "fedora") -RELEASE=("Debian" "Ubuntu" "CentOS" "CentOS" "Fedora") -PACKAGE_UPDATE=("apt-get update" "apt-get update" "yum -y update" "yum -y update" "yum -y update") -PACKAGE_INSTALL=("apt -y install" "apt -y install" "yum -y install" "yum -y install" "yum -y install") -PACKAGE_REMOVE=("apt -y remove" "apt -y remove" "yum -y remove" "yum -y remove" "yum -y remove") -PACKAGE_UNINSTALL=("apt -y autoremove" "apt -y autoremove" "yum -y autoremove" "yum -y autoremove" "yum -y autoremove") - -[[ $EUID -ne 0 ]] && red "注意:请在root用户下运行脚本" && exit 1 - -CMD=("$(grep -i pretty_name /etc/os-release 2>/dev/null | cut -d \" -f2)" "$(hostnamectl 2>/dev/null | grep -i system | cut -d : -f2)" "$(lsb_release -sd 2>/dev/null)" "$(grep -i description /etc/lsb-release 2>/dev/null | cut -d \" -f2)" "$(grep . /etc/redhat-release 2>/dev/null)" "$(grep . /etc/issue 2>/dev/null | cut -d \\ -f1 | sed '/^[ ]*$/d')") - -for i in "${CMD[@]}"; do - SYS="$i" - if [[ -n $SYS ]]; then - break - fi -done - -for ((int = 0; int < ${#REGEX[@]}; int++)); do - if [[ $(echo "$SYS" | tr '[:upper:]' '[:lower:]') =~ ${REGEX[int]} ]]; then - SYSTEM="${RELEASE[int]}" && [[ -n $SYSTEM ]] && break - fi -done - -[[ -z $SYSTEM ]] && red "不支持当前VPS系统, 请使用主流的操作系统" && exit 1 - -check_ip(){ - ipv4=$(curl -s4m8 ip.sb -k | sed -n 1p) - ipv6=$(curl -s6m8 ip.sb -k | sed -n 1p) -} - -inst_acme(){ - if [[ ! $SYSTEM == "CentOS" ]]; then - ${PACKAGE_UPDATE[int]} - fi - ${PACKAGE_INSTALL[int]} curl wget sudo socat openssl - - if [[ $SYSTEM == "CentOS" ]]; then - ${PACKAGE_INSTALL[int]} cronie - systemctl start crond - systemctl enable crond +# 检测 acme.sh 是否安装 +check_acme_installation() { + if ! command -v acme.sh &> /dev/null; then + echo "acme.sh 未安装,正在安装..." + curl https://get.acme.sh | sh + source ~/.bashrc else - ${PACKAGE_INSTALL[int]} cron - systemctl start cron - systemctl enable cron - fi - - read -rp "请输入注册邮箱 (例: admin@gmail.com, 或留空自动生成一个gmail邮箱): " email - if [[ -z $email ]]; then - automail=$(date +%s%N | md5sum | cut -c 1-16) - email=$automail@gmail.com - yellow "已取消设置邮箱, 使用自动生成的gmail邮箱: $email" - fi - - curl https://get.acme.sh | sh -s email=$email - source ~/.bashrc - bash ~/.acme.sh/acme.sh --upgrade --auto-upgrade - - switch_provider - - if [[ -n $(~/.acme.sh/acme.sh -v 2>/dev/null) ]]; then - green "Acme.sh 证书一键申请脚本安装成功!" - else - red "抱歉, Acme.sh 证书一键申请脚本安装失败" - green "建议如下:" - yellow "1. 检查 VPS 的网络环境" + echo "acme.sh 已安装" fi } -unst_acme() { - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && yellow "未安装Acme.sh, 卸载程序无法执行!" && exit 1 - ~/.acme.sh/acme.sh --uninstall - sed -i '/--cron/d' /etc/crontab >/dev/null 2>&1 - rm -rf ~/.acme.sh - green "Acme.sh 证书一键申请脚本已彻底卸载!" +# 注册 CA 机构 +register_ca() { + local ca="$1" + local email="$2" + echo "正在注册 CA 机构 $ca 使用电子邮件 $email..." + ~/.acme.sh/acme.sh --register-account -m "$email" --server "$ca" } -check_80(){ - - if [[ -z $(type -P lsof) ]]; then - if [[ ! $SYSTEM == "CentOS" ]]; then - ${PACKAGE_UPDATE[int]} - fi - ${PACKAGE_INSTALL[int]} lsof - fi - - yellow "正在检测 80 端口是否占用..." - sleep 1 - - if [[ $(lsof -i:"80" | grep -i -c "listen") -eq 0 ]]; then - green "检测到目前 80 端口未被占用" - sleep 1 - else - red "检测到目前 80 端口被其他程序被占用,以下为占用程序信息" - lsof -i:"80" - read -rp "如需结束占用进程请按Y,按其他键则退出 [Y/N]: " yn - if [[ $yn =~ "Y"|"y" ]]; then - lsof -i:"80" | awk '{print $2}' | grep -v "PID" | xargs kill -9 - sleep 1 - else - exit 1 - fi - fi -} +# 生成 SSL 证书 +generate_ssl_certificate() { + local domain_name="$1" + local ca="$2" + echo "正在为 $domain_name 生成 SSL 证书..." + systemctl stop nginx -checktls() { - if [[ -f /root/cert.crt && -f /root/private.key ]]; then - if [[ -s /root/cert.crt && -s /root/private.key ]]; then - if [[ -n $(type -P wg-quick) && -n $(type -P wgcf) ]]; then - wg-quick up wgcf >/dev/null 2>&1 - fi - if [[ -a "/opt/warp-go/warp-go" ]]; then - systemctl start warp-go - fi + # 使用 acme.sh 生成证书 + ~/.acme.sh/acme.sh --issue --standalone -d "$domain_name" --server "$ca" - echo $domain > /root/ca.log - sed -i '/--cron/d' /etc/crontab >/dev/null 2>&1 - echo "0 0 * * * root bash /root/.acme.sh/acme.sh --cron -f >/dev/null 2>&1" >> /etc/crontab - - green "证书申请成功! 脚本申请到的证书 (cert.crt) 和私钥 (private.key) 文件已保存到 /root 文件夹下" - yellow "证书 crt 文件路径如下: /root/cert.crt" - yellow "私钥 key 文件路径如下: /root/private.key" - else - if [[ -n $(type -P wg-quick) && -n $(type -P wgcf) ]]; then - wg-quick up wgcf >/dev/null 2>&1 - fi - if [[ -a "/opt/warp-go/warp-go" ]]; then - systemctl start warp-go - fi - - red "抱歉,证书申请失败" - green "建议如下: " - yellow "1. 自行检测防火墙是否打开, 如使用 80 端口申请模式时, 请关闭防火墙或放行 80 端口" - yellow "2. 同一域名多次申请可能会触发 Let's Encrypt 官方风控, 请尝试使用脚本菜单的 9 选项更换证书颁发机构, 再重试申请证书, 或更换域名、或等待 7 天后再尝试执行脚本" - fi - fi -} - -acme_standalone(){ - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && inst_acme - - check_80 - - WARPv4Status=$(curl -s4m8 https://www.cloudflare.com/cdn-cgi/trace -k | grep warp | cut -d= -f2) - WARPv6Status=$(curl -s6m8 https://www.cloudflare.com/cdn-cgi/trace -k | grep warp | cut -d= -f2) - if [[ $WARPv4Status =~ on|plus ]] || [[ $WARPv6Status =~ on|plus ]]; then - wg-quick down wgcf >/dev/null 2>&1 - systemctl stop warp-go >/dev/null 2>&1 - fi - - check_ip - - echo "" - yellow "在使用80端口申请模式时, 请先将您的域名解析至你的VPS的真实IP地址, 否则会导致证书申请失败" - echo "" - if [[ -n $ipv4 && -n $ipv6 ]]; then - echo -e "VPS的真实IPv4地址为: ${GREEN}$ipv4${PLAIN}" - echo -e "VPS的真实IPv6地址为: ${GREEN}$ipv6${PLAIN}" - elif [[ -n $ipv4 && -z $ipv6 ]]; then - echo -e "VPS的真实IPv4地址为: ${GREEN}$ipv4${PLAIN}" - elif [[ -z $ipv4 && -n $ipv6 ]]; then - echo -e "VPS的真实IPv6地址为: ${GREEN}$ipv6${PLAIN}" - fi - echo "" - - read -rp "请输入解析完成的域名: " domain - [[ -z $domain ]] && red "未输入域名,无法执行操作!" && exit 1 - green "已输入的域名:$domain" && sleep 1 - - domainIP=$(curl -sm8 ipget.net/?ip="${domain}") - if [[ -z $domainIP ]]; then - domainIP=$(echo "$(nslookup $domain 2>&1)" | awk '{print $NF}') - fi - - if [[ $domainIP == $ipv6 ]]; then - bash ~/.acme.sh/acme.sh --issue -d ${domain} --standalone -k ec-256 --listen-v6 --insecure - fi - if [[ $domainIP == $ipv4 ]]; then - bash ~/.acme.sh/acme.sh --issue -d ${domain} --standalone -k ec-256 --insecure - fi - - if [[ -n $(echo $domainIP | grep nginx) ]]; then - if [[ -n $(type -P wg-quick) && -n $(type -P wgcf) ]]; then - wg-quick up wgcf >/dev/null 2>&1 - fi - if [[ -a "/opt/warp-go/warp-go" ]]; then - systemctl start warp-go - fi - yellow "域名解析失败, 请检查域名是否正确填写或等待解析完成再执行脚本" + if [ $? -ne 0 ]; then + echo "SSL 证书生成失败" exit 1 - elif [[ -n $(echo $domainIP | grep ":") || -n $(echo $domainIP | grep ".") ]]; then - if [[ $domainIP != $ipv4 ]] && [[ $domainIP != $ipv6 ]]; then - if [[ -n $(type -P wg-quick) && -n $(type -P wgcf) ]]; then - wg-quick up wgcf >/dev/null 2>&1 - fi - if [[ -a "/opt/warp-go/warp-go" ]]; then - systemctl start warp-go - fi - green "域名 ${domain} 目前解析的IP: ($domainIP)" - red "当前域名解析的 IP 与当前 VPS 使用的真实IP不匹配" - green "建议如下:" - yellow "1. 请确保 CloudFlare 小云朵为关闭状态 (仅限DNS), 其他域名解析或 CDN 网站设置同理" - yellow "2. 请检查 DNS 解析设置的 IP 是否为 VPS 的真实 IP" - exit 1 - fi - fi - - bash ~/.acme.sh/acme.sh --install-cert -d ${domain} --key-file /root/private.key --fullchain-file /root/cert.crt --ecc - checktls -} - -acme_cfapiTLD(){ - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && inst_acme - - check_ip - - read -rp "请输入需要申请证书的域名: " domain - if [[ $(echo ${domain:0-2}) =~ cf|ga|gq|ml|tk ]]; then - red "检测为 Freenom 免费域名, 由于 CloudFlare API 不支持, 故无法使用本模式申请!" - exit fi - read -rp "请输入 CloudFlare Global API Key: " cfgak - [[ -z $cfgak ]] && red "未输入 CloudFlare Global API Key, 无法执行操作!" && exit 1 - export CF_Key="$cfgak" - read -rp "请输入 CloudFlare 的登录邮箱: " cfemail - [[ -z $domain ]] && red "未输入 CloudFlare 的登录邮箱, 无法执行操作!" && exit 1 - export CF_Email="$cfemail" - - if [[ -z $ipv4 ]]; then - bash ~/.acme.sh/acme.sh --issue --dns dns_cf -d "${domain}" -k ec-256 --listen-v6 --insecure - else - bash ~/.acme.sh/acme.sh --issue --dns dns_cf -d "${domain}" -k ec-256 --insecure - fi + local cert_path="/etc/ssl/$domain_name.cer" + local key_path="/etc/ssl/$domain_name.key" - bash ~/.acme.sh/acme.sh --install-cert -d "${domain}" --key-file /root/private.key --fullchain-file /root/cert.crt --ecc - checktls + ~/.acme.sh/acme.sh --install-cert -d "$domain_name" \ + --key-file "$key_path" \ + --fullchain-file "$cert_path" \ + --reloadcmd "systemctl restart nginx" + + # 显示证书和密钥的路径 + echo -e "\033[0;32m证书路径: $cert_path" + echo -e "密钥路径: $key_path\033[0m" } -acme_cfapiNTLD(){ - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && inst_acme - - check_ip - - read -rp "请输入需要申请证书的泛域名 (输入格式:example.com): " domain - [[ -z $domain ]] && red "未输入域名,无法执行操作!" && exit 1 - if [[ $(echo ${domain:0-2}) =~ cf|ga|gq|ml|tk ]]; then - red "检测为 Freenom 免费域名, 由于 CloudFlare API 不支持, 故无法使用本模式申请!" - back2menu - fi +# 主流程 +read -p "请输入您的域名: " domain_name - read -rp "请输入 CloudFlare Global API Key: " cfgak - [[ -z $cfgak ]] && red "未输入 CloudFlare Global API Key, 无法执行操作!" && exit 1 - export CF_Key="$cfgak" - read -rp "请输入 CloudFlare 的登录邮箱: " cfemail - [[ -z $domain ]] && red "未输入 CloudFlare 的登录邮箱, 无法执行操作!" && exit 1 - export CF_Email="$cfemail" +# 检查证书和密钥是否已经存在 +cert_path="/etc/ssl/$domain_name.cer" +key_path="/etc/ssl/$domain_name.key" - if [[ -z $ipv4 ]]; then - bash ~/.acme.sh/acme.sh --issue --dns dns_cf -d "*.${domain}" -d "${domain}" -k ec-256 --listen-v6 --insecure - else - bash ~/.acme.sh/acme.sh --issue --dns dns_cf -d "*.${domain}" -d "${domain}" -k ec-256 --insecure - fi +if [ -f "$cert_path" ] && [ -f "$key_path" ]; then + echo -e "\033[0;32m证书已存在:" + echo -e "证书路径: $cert_path" + echo -e "密钥路径: $key_path\033[0m" + exit 0 +fi - bash ~/.acme.sh/acme.sh --install-cert -d "*.${domain}" --key-file /root/private.key --fullchain-file /root/cert.crt --ecc - checktls -} +# 生成随机邮箱 +user_email=$(generate_random_email) +echo "生成的邮箱: $user_email" -view_cert(){ - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && inst_acme - bash ~/.acme.sh/acme.sh --list -} +# 检查 acme.sh 安装 +check_acme_installation -revoke_cert() { - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && inst_acme +# CA 机构选择 +echo "请选择 CA 机构:" +echo "1) Let's Encrypt" +echo "2) Buypass" +echo "3) ZeroSSL" +read -p "选择 CA 机构 (默认: 1): " ca_choice - bash ~/.acme.sh/acme.sh --list - read -rp "请输入要撤销的域名证书 (复制 Main_Domain 下显示的域名): " domain - [[ -z $domain ]] && red "未输入域名,无法执行操作!" && exit 1 +case $ca_choice in + 2) + CA="buypass" + ;; + 3) + CA="zerossl" + ;; + *) + CA="letsencrypt" + ;; +esac - if [[ -n $(bash ~/.acme.sh/acme.sh --list | grep $domain) ]]; then - bash ~/.acme.sh/acme.sh --revoke -d ${domain} --ecc - bash ~/.acme.sh/acme.sh --remove -d ${domain} --ecc - - rm -rf ~/.acme.sh/${domain}_ecc - rm -f /root/cert.crt /root/private.key - - green "撤销 ${domain} 的域名证书成功" - else - red "未找到 ${domain} 的域名证书, 请检查后重新运行!" - fi -} - -renew_cert() { - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && yellow "未安装acme.sh, 无法执行操作!" && exit 1 - bash ~/.acme.sh/acme.sh --cron -f -} - -switch_provider(){ - [[ -z $(~/.acme.sh/acme.sh -v 2>/dev/null) ]] && inst_acme - - yellow "请选择证书提供商, 默认通过 Letsencrypt.org 来申请证书 " - yellow "如果证书申请失败, 例如一天内通过 Letsencrypt.org 申请次数过多, 可选 BuyPass.com 或 ZeroSSL.com 来申请." - echo -e " ${GREEN}1.${PLAIN} Letsencrypt.org ${YELLOW}(默认)${PLAIN}" - echo -e " ${GREEN}2.${PLAIN} BuyPass.com" - echo -e " ${GREEN}3.${PLAIN} ZeroSSL.com" - read -rp "请选择证书提供商 [1-3]: " provider - case $provider in - 2) bash ~/.acme.sh/acme.sh --set-default-ca --server buypass && green "切换证书提供商为 BuyPass.com 成功!" ;; - 3) bash ~/.acme.sh/acme.sh --set-default-ca --server zerossl && green "切换证书提供商为 ZeroSSL.com 成功!" ;; - *) bash ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt && green "切换证书提供商为 Letsencrypt.org 成功!" ;; - esac -} - -menu() { - clear - echo "" - echo -e " ${GREEN}1.${PLAIN} 安装 Acme.sh 域名证书申请脚本" - echo -e " ${GREEN}2.${PLAIN} ${RED}卸载 Acme.sh 域名证书申请脚本${PLAIN}" - echo " -------------" - echo -e " ${GREEN}3.${PLAIN} 申请单域名证书 ${YELLOW}(80端口申请)${PLAIN}" - echo -e " ${GREEN}4.${PLAIN} 申请单域名证书 ${YELLOW}(CF API申请)${PLAIN} ${GREEN}(无需解析)${PLAIN} ${RED}(不支持freenom域名)${PLAIN}" - echo -e " ${GREEN}5.${PLAIN} 申请泛域名证书 ${YELLOW}(CF API申请)${PLAIN} ${GREEN}(无需解析)${PLAIN} ${RED}(不支持freenom域名)${PLAIN}" - echo " -------------" - echo -e " ${GREEN}6.${PLAIN} 查看已申请的证书" - echo -e " ${GREEN}7.${PLAIN} 撤销并删除已申请的证书" - echo -e " ${GREEN}8.${PLAIN} 手动续期已申请的证书" - echo -e " ${GREEN}9.${PLAIN} 切换证书颁发机构" - echo " -------------" - echo -e " ${GREEN}0.${PLAIN} 退出脚本" - echo "" - read -rp "请输入选项 [0-9]: " menuInput - case "$menuInput" in - 1 ) inst_acme ;; - 2 ) unst_acme ;; - 3 ) acme_standalone ;; - 4 ) acme_cfapiTLD ;; - 5 ) acme_cfapiNTLD ;; - 6 ) view_cert ;; - 7 ) revoke_cert ;; - 8 ) renew_cert ;; - 9 ) switch_provider ;; - * ) exit 1 ;; - esac -} - -menu +register_ca "$CA" "$user_email" +generate_ssl_certificate "$domain_name" "$CA"