Update for some improvements and fixes.

CHANGES.md

@@ -0,0 +1,7 @@
+# Change logs
+
+## v0.2.0
+
+- 完善使用教程
+- 配置文件添加 `no-auto-upgrade`  配置项以禁止 certbot 自动更新，**默认开启**。
+- 增加根据证书存储目录，检测域名是否已经签发证书。

README.md

@@ -20,9 +20,25 @@
 使用 Git Clone 仓库，例如：
 
 ```sh
-cd /usr/local
-git clone https://github.com/fenying/le-alidns.git
-cd le-alidns
+LE_ALIDNS_INSTALL_ROOT=/usr/local
+LE_ALIDNS_DIRNAME=le-alidns
+LE_ALIDNS_ROOT="${LE_ALIDNS_INSTALL_ROOT}/${LE_ALIDNS_DIRNAME}"
+cd $LE_ALIDNS_INSTALL_ROOT
+git clone https://github.com/fenying/le-alidns.git $LE_ALIDNS_DIRNAME
+cd $LE_ALIDNS_ROOT
+find '.' -name '*.sh' -exec chmod 0700 {} \; # 设置 Shell 脚本执行权限
+git config --local core.filemode false # 忽略该git仓库的文件权限属性改动
+```
+
+### 更新版本
+
+```sh
+LE_ALIDNS_INSTALL_ROOT=/usr/local
+LE_ALIDNS_DIRNAME=le-alidns
+LE_ALIDNS_ROOT="${LE_ALIDNS_INSTALL_ROOT}/${LE_ALIDNS_DIRNAME}"
+cd $LE_ALIDNS_ROOT
+git config --local core.filemode false
+git pull
 find '.' -name '*.sh' -exec chmod 0700 {} \; # 设置 Shell 脚本执行权限
 ```
 
@@ -40,6 +56,23 @@ find '.' -name '*.sh' -exec chmod 0700 {} \; # 设置 Shell 脚本执行权限
 
 2.  复制 default.conf 配置文件为 /etc/le-alidns.conf，并根据需要配置。
 
+### 配置 Pip 源
+
+由于某些不可描述的原因，对于在国内使用 Pip 会出现无法下载或者下载极其缓慢的情况。
+这个情况请修改 Pip 配置文件（一般是 `~/.pip/pip.conf`），使用清华大学的源：
+
+> 不要使用阿里云的源。
+
+```ini
+[global]
+index-url=https://pypi.tuna.tsinghua.edu.cn/simple
+
+[install]
+trusted-host=pypi.tuna.tsinghua.edu.cn
+```
+
+> 参考：https://github.com/certbot/certbot/issues/2516
+
 ### 签发新证书
 
 执行 `sudo /path/to/sign-all.sh` 即可为 domains 里配置的所有域名都签发证书。

actions/load-config.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # Initialize the configuration
-rm -f $LEALIDNS_CONFIG_BASH_RC
 
 if [ -z "$LEALIDNS_CONFIG" ]
 then
@@ -18,10 +17,13 @@ echo "Configuration file ${CONFIG_FILE} not found."
 exit -1
 fi
 
-CFG_FIELDS="domains email log-file certbot-root rsa-key-size after-cert before-cert after-new-cert"
-CFG_RSA_KEY_SIZE=2048
-CFG_LOG_FILE=./le-alidns.log
-CFG_CERTBOT_ROOT=/usr/local/certbot
+export CFG_FIELDS="domains email log-file certbot-root rsa-key-size"
+export CFG_FIELDS="${CFG_FIELDS} after-cert before-cert after-new-cert"
+export CFG_FIELDS="${CFG_FIELDS} no-auto-upgrade"
+export CFG_RSA_KEY_SIZE=2048
+export CFG_LOG_FILE=./le-alidns.log
+export CFG_CERTBOT_ROOT=/usr/local/certbot
+export CFG_NO_AUTO_UPGRADE=on
 
 for line in `cat ${CONFIG_FILE} | tr -d '[ \t]'`
 do
@@ -50,61 +52,51 @@ do
 
     if [ "$FIELD_NAME" == "domains" ]
     then
-        CFG_DOMAINS="$FIELD_VALUE ${CFG_DOMAINS}"
+        export CFG_DOMAINS="$FIELD_VALUE ${CFG_DOMAINS}"
     fi;
 
     if [ "$FIELD_NAME" == "domain" ]
     then
-        CFG_DOMAINS="${FIELD_VALUE} ${CFG_DOMAINS}"
+        export CFG_DOMAINS="${FIELD_VALUE} ${CFG_DOMAINS}"
     fi;
 
     if [ "$FIELD_NAME" == "email" ]
     then
-        CFG_EMAIL=$FIELD_VALUE
+        export CFG_EMAIL=$FIELD_VALUE
     fi;
 
     if [ "$FIELD_NAME" == "certbot-root" ]
     then
-        CFG_CERTBOT_ROOT=$FIELD_VALUE
+        export CFG_CERTBOT_ROOT=$FIELD_VALUE
     fi;
 
     if [ "$FIELD_NAME" == "log-file" ]
     then
-        CFG_LOG_FILE=$FIELD_VALUE
+        export CFG_LOG_FILE=$FIELD_VALUE
     fi;
 
     if [ "$FIELD_NAME" == "rsa-key-size" ]
     then
-        CFG_RSA_KEY_SIZE=$FIELD_VALUE
+        export CFG_RSA_KEY_SIZE=$FIELD_VALUE
     fi;
 
     if [ "$FIELD_NAME" == "after-new-cert" ]
     then
-        CFG_ON_NEW_CERT="--deploy-hook $FIELD_VALUE"
+        export CFG_ON_NEW_CERT="--deploy-hook $FIELD_VALUE"
     fi;
 
     if [ "$FIELD_NAME" == "before-cert" ]
     then
-        CFG_ON_START=$FIELD_VALUE
+        export CFG_ON_START=$FIELD_VALUE
     fi;
 
     if [ "$FIELD_NAME" == "after-cert" ]
     then
-        CFG_ON_END=$FIELD_VALUE
+        export CFG_ON_END=$FIELD_VALUE
     fi;
-done
 
-echo "" > $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_LOG_FILE=${CFG_LOG_FILE}" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_CERTBOT_ROOT=${CFG_CERTBOT_ROOT}" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_EMAIL=${CFG_EMAIL}" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_DOMAINS='${CFG_DOMAINS}'" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_RSA_KEY_SIZE=${CFG_RSA_KEY_SIZE}" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_ON_NEW_CERT=${CFG_ON_NEW_CERT}" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_ON_START=${CFG_ON_START}" >> $LEALIDNS_CONFIG_BASH_RC
-echo "export CFG_ON_END=${CFG_ON_END}" >> $LEALIDNS_CONFIG_BASH_RC
-
-echo "- Using certbot at ${CFG_CERTBOT_ROOT}."
-echo "- Using E-Mail ${CFG_EMAIL}."
-echo "- Saving logs to file ${CFG_LOG_FILE}."
-echo ""
+    if [ "$FIELD_NAME" == "no-auto-upgrade" ]
+    then
+        export CFG_NO_AUTO_UPGRADE=$FIELD_VALUE
+    fi;
+done

default.conf

@@ -8,6 +8,10 @@ domains = a.test1.sample.com, b.test2.sample.com # 签署多个域名的证书
 # 你的邮箱，用于 Let's Encrypt 登记
 email = admin@sample.com
 
+# 关闭 Certbot 的自动更新功能。
+# 默认值：on
+# no-auto-upgrade = on
+
 # Certbot 的安装目录
 # 默认值：/usr/local/certbot
 # certbot-root = /usr/local/certbot

renew-all.sh

@@ -3,20 +3,9 @@
 # Initialize the path to root of LE-AliDNS
 export LEALIDNS_ACTION=renew-all
 export LEALIDNS_ROOT=$(dirname "$0")/
-export LEALIDNS_CONFIG_BASH_RC=${LEALIDNS_ROOT}.config.bash_rc
 
 # Load configuration
-sh ${LEALIDNS_ROOT}actions/load-config.sh
-
-if [[ ! -f $LEALIDNS_CONFIG_BASH_RC ]]
-then
-    echo "Failed to load configurations."
-    exit -1;
-fi
-
-source $LEALIDNS_CONFIG_BASH_RC
-
-rm -f $LEALIDNS_CONFIG_BASH_RC
+source ${LEALIDNS_ROOT}actions/load-config.sh
 
 declare WRITE_LOG_TARGET=$CFG_LOG_FILE
 
@@ -31,6 +20,11 @@ if [[ "$CFG_ON_START" != "" && -x $CFG_ON_START ]]; then
     $CFG_ON_START
 fi
 
+if [[ "$CFG_NO_AUTO_UPGRADE" == "on" ]]; then
+    ARG_NO_AUTO_UPGRADE="--no-bootstrap --no-self-upgrade"
+    write_log "Turned off certbot aoto-updates.";
+fi
+
 write_log "Renew task started at $(date '+%Y-%m-%d %H:%M:%S')";
 
 # The path to list file of DNS record id
@@ -40,32 +34,22 @@ rm -f $RECORD_ID_LIST_FILE
 
 mkdir ${LEALIDNS_ROOT}domains -p
 
-if [ "$LEALIDNS_FORCE" == "1" ]
-then
-
-    CERTBOT_RESULT=$($CFG_CERTBOT_ROOT/certbot-auto renew \
-        --manual \
-        --force-renew \
-        --manual-public-ip-logging-ok \
-        --preferred-challenges dns \
-        --agree-tos \
-        --email $CFG_EMAIL \
-        --rsa-key-size $CFG_RSA_KEY_SIZE \
-        $CFG_ON_NEW_CERT \
-        --manual-auth-hook ${LEALIDNS_ROOT}actions/create-dns-record.sh)
-else
-
-    CERTBOT_RESULT=$($CFG_CERTBOT_ROOT/certbot-auto renew \
-        --manual \
-        --manual-public-ip-logging-ok \
-        --preferred-challenges dns \
-        --agree-tos \
-        --email $CFG_EMAIL \
-        --rsa-key-size $CFG_RSA_KEY_SIZE \
-        $CFG_ON_NEW_CERT \
-        --manual-auth-hook ${LEALIDNS_ROOT}actions/create-dns-record.sh)
+if [[ "$LEALIDNS_FORCE" == "1" ]]; then
+ARG_FORCE="--force-renew"
 fi
 
+CERTBOT_RESULT=$($CFG_CERTBOT_ROOT/certbot-auto renew \
+    --manual \
+    --manual-public-ip-logging-ok \
+    --preferred-challenges dns \
+    $ARG_FORCE \
+    --agree-tos \
+    --email $CFG_EMAIL \
+    --rsa-key-size $CFG_RSA_KEY_SIZE \
+    $CFG_ON_NEW_CERT \
+    $ARG_NO_AUTO_UPGRADE \
+    --manual-auth-hook ${LEALIDNS_ROOT}actions/create-dns-record.sh)
+
 write_log "Details: $CERTBOT_RESULT";
 
 sh ${LEALIDNS_ROOT}actions/clean-dns-record.sh

sign-all.sh

@@ -3,20 +3,9 @@
 # Initialize the path to root of LE-AliDNS
 export LEALIDNS_ACTION=sign-all
 export LEALIDNS_ROOT=$(dirname "$0")/
-export LEALIDNS_CONFIG_BASH_RC=${LEALIDNS_ROOT}.config.bash_rc
 
 # Load configuration
-sh ${LEALIDNS_ROOT}actions/load-config.sh
-
-if [[ ! -f $LEALIDNS_CONFIG_BASH_RC ]]
-then
-    echo "Failed to load configurations."
-    exit -1;
-fi
-
-source $LEALIDNS_CONFIG_BASH_RC
-
-rm -f $LEALIDNS_CONFIG_BASH_RC
+source ${LEALIDNS_ROOT}actions/load-config.sh
 
 # The path to list file of DNS record id
 export RECORD_ID_LIST_FILE=./dns-records
@@ -36,9 +25,12 @@ if [[ "$CFG_ON_START" != "" && -x $CFG_ON_START ]]; then
     $CFG_ON_START
 fi
 
-write_log "Sign task started at $(date '+%Y-%m-%d %H:%M:%S')";
+if [[ "$CFG_NO_AUTO_UPGRADE" == "on" ]]; then
+    NO_AUTO_UPGRADE="--no-bootstrap --no-self-upgrade"
+    write_log "Turned off certbot aoto-updates.";
+fi
 
-mkdir ${LEALIDNS_ROOT}domains -p
+write_log "Sign task started at $(date '+%Y-%m-%d %H:%M:%S')";
 
 # Split domains by ","
 
@@ -52,23 +44,22 @@ strsplitby() {
 
 CFG_DOMAINS=("$CFG_DOMAINS")
 
-echo "Requesting signing certificates for domains..."
+echo "Requesting certificates for domains..."
 echo ""
 
+CERTS_ROOT=/etc/letsencrypt/live/
+
 for domain in ${CFG_DOMAINS[@]}
 do
-    DOMAIN_DIR=${LEALIDNS_ROOT}domains/$domain/
 
-    if [ -f ${DOMAIN_DIR}lock ]
+    if [[ -f "${LEALIDNS_ROOT}domains/${domain}/lock" ]]
     then
         write_log "! Domain '${domain}' is alredy signed, ignored."
         write_log "  Please use renew command to refresh it."
         write_log ""
         continue;
     fi;
 
-    mkdir $DOMAIN_DIR -p
-
     if [[ $domain =~ "," ]]
     then
         domains=$(strsplitby "," "$domain");
@@ -77,9 +68,21 @@ do
             ARG_DOMAINS="$ARG_DOMAINS -d $item"
         done
 
+        if [[ "$ARG_DOMAINS" == "" ]]; then
+            continue;
+        fi
+
         write_log "Requesting certificate for domains '${domain}'..."
     else
 
+        if [ -f ${CERTS_ROOT}${domain}/cert.pem ]
+        then
+            write_log "! Domain '${domain}' is alredy signed, ignored."
+            write_log "  Please use renew command to refresh it."
+            write_log ""
+            continue;
+        fi;
+
         ARG_DOMAINS="-d $domain"
 
         write_log "Requesting certificate for domain '${domain}'..."
@@ -96,12 +99,16 @@ do
             --rsa-key-size $CFG_RSA_KEY_SIZE \
             $ARG_DOMAINS \
             $CFG_ON_NEW_CERT \
+            $NO_AUTO_UPGRADE \
             --manual-auth-hook ${LEALIDNS_ROOT}actions/create-dns-record.sh)
     fi;
 
-    write_log "Details: $CERTBOT_RESULT"
+    if [[ ! $domain =~ "," ]]; then
+        mkdir -p "${LEALIDNS_ROOT}domains/${domain}";
+        touch "${LEALIDNS_ROOT}domains/${domain}/lock";
+    fi
 
-    touch ${DOMAIN_DIR}lock
+    write_log "Details: $CERTBOT_RESULT"
 done
 
 sh ${LEALIDNS_ROOT}actions/clean-dns-record.sh