Merge branch 'acmesh-official:master' into master

.github/workflows/DNS.yml

@@ -332,7 +332,7 @@ jobs:
       with:
         envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
         prepare: |
-          pkg_add curl socat
+          /usr/sbin/pkg_add curl socat
         usesh: true
         copyback: false
         run: |
@@ -493,8 +493,6 @@ jobs:
         copyback: false
         prepare: pkg install socat
         run: |
-          pkg set-mediator -v -I [email protected] openssl
-          export PATH=/usr/gnu/bin:$PATH
           if [ "${{ secrets.TokenName1}}" ] ; then
             export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
           fi

.github/workflows/NetBSD.yml

@@ -20,7 +20,6 @@ concurrency:
 
 
 
-
 jobs:
   NetBSD:
     strategy:
@@ -44,6 +43,7 @@ jobs:
       CA: ${{ matrix.CA }}
       CA_EMAIL: ${{ matrix.CA_EMAIL }}
       TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
     steps:
     - uses: actions/checkout@v4
     - uses: vmactions/cf-tunnel@v0
@@ -57,7 +57,7 @@ jobs:
       run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - uses: vmactions/netbsd-vm@v1
       with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
         nat: |
           "8080": "80"
         prepare: |

.github/workflows/pr_dns.yml

@@ -4,8 +4,6 @@ on:
   pull_request_target:
     types:
       - opened
-    branches:
-      - 'dev'
     paths:
       - 'dnsapi/*.sh'
 
@@ -22,6 +20,7 @@ jobs:
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: `**Welcome**
+                First thing: don't send PR to the master branch, please send to the dev branch instead.
                 Please make sure you've read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test).
                 Then reply on this message, otherwise, your code will not be reviewed or merged.
                 We look forward to reviewing your Pull request shortly ✨

acme.sh

@@ -2499,10 +2499,10 @@ _startserver() {
   _debug Le_Listen_V6 "$Le_Listen_V6"
 
   _NC="socat"
-  if [ "$Le_Listen_V4" ]; then
-    _NC="$_NC -4"
-  elif [ "$Le_Listen_V6" ]; then
+  if [ "$Le_Listen_V6" ]; then
     _NC="$_NC -6"
+  else
+    _NC="$_NC -4"
   fi
 
   if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
@@ -2519,22 +2519,34 @@ _startserver() {
   _content_len="$(printf "%s" "$content" | wc -c)"
   _debug _content_len "$_content_len"
   _debug "_NC" "$_NC $SOCAT_OPTIONS"
+  export _SOCAT_ERR="$(_mktemp)"
   $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \
 echo 'HTTP/1.0 200 OK'; \
 echo 'Content-Length\: $_content_len'; \
 echo ''; \
-printf '%s' '$content';" &
+printf '%s' '$content';" 2>"$_SOCAT_ERR" &
   serverproc="$!"
+  if [ -f "$_SOCAT_ERR" ]; then
+    if grep "Permission denied" "$_SOCAT_ERR" >/dev/null; then
+      _err "socat: $(cat $_SOCAT_ERR)"
+      _err "Can not listen for user: $(whoami)"
+      _err "Maybe try with root again?"
+      rm -f "$_SOCAT_ERR"
+      return 1
+    fi
+  fi
 }
 
 _stopserver() {
   pid="$1"
   _debug "pid" "$pid"
   if [ -z "$pid" ]; then
+    rm -f "$_SOCAT_ERR"
     return
   fi
 
   kill $pid
+  rm -f "$_SOCAT_ERR"
 
 }
 
@@ -3183,7 +3195,8 @@ _setNginx() {
     return 1
   fi
   _info "Check the nginx conf before setting up."
-  if ! nginx -t >/dev/null; then
+  if ! nginx -t >/dev/null 2>&1; then
+    _err "It seems that nginx conf is not correct, cannot continue."
     return 1
   fi
 
@@ -3210,14 +3223,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
   fi
   _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
   _info "nginx conf is done, let's check it again."
-  if ! nginx -t >/dev/null; then
+  if ! nginx -t >/dev/null 2>&1; then
     _err "It seems that nginx conf was broken, let's restore."
     cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
     return 1
   fi
 
   _info "Reload nginx"
-  if ! nginx -s reload >/dev/null; then
+  if ! nginx -s reload >/dev/null 2>&1; then
     _err "It seems that nginx reload error, let's restore."
     cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
     return 1
@@ -4515,7 +4528,7 @@ issue() {
 
   vlist="$Le_Vlist"
   _cleardomainconf "Le_Vlist"
-  _info "Getting domain auth token for each domain"
+  _debug "Getting domain auth token for each domain"
   sep='#'
   dvsep=','
   if [ -z "$vlist" ]; then
@@ -4571,12 +4584,22 @@ issue() {
     if [ "$_notAfter" ]; then
       _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\""
     fi
+    _debug "STEP 1, Ordering a Certificate"
     if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then
       _err "Create new order error."
       _clearup
       _on_issue_err "$_post_hook"
       return 1
     fi
+    if _contains "$response" "invalid"; then
+      if echo "$response" | _normalizeJson | grep '"status":"invalid"' >/dev/null 2>&1; then
+        _err "Create new order with invalid status."
+        _err "$response"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+    fi
 
     Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
     _debug Le_LinkOrder "$Le_LinkOrder"
@@ -4601,6 +4624,7 @@ issue() {
       return 1
     fi
 
+    _debug "STEP 2, Get the authorizations of each domain"
     #domain and authz map
     _authorizations_map=""
     for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
@@ -4609,13 +4633,22 @@ issue() {
         _err "get to authz error."
         _err "_authorizations_seg" "$_authorizations_seg"
         _err "_authz_url" "$_authz_url"
+        _err "$response"
         _clearup
         _on_issue_err "$_post_hook"
         return 1
       fi
 
       response="$(echo "$response" | _normalizeJson)"
       _debug2 response "$response"
+      if echo "$response" | grep '"status":"invalid"' >/dev/null 2>&1; then
+        _err "get authz objec with invalid status, please try again later."
+        _err "_authorizations_seg" "$_authorizations_seg"
+        _err "$response"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
       _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "')"
       if _contains "$response" "\"wildcard\" *: *true"; then
         _d="*.$_d"

deploy/routeros.sh

@@ -137,7 +137,7 @@ routeros_deploy() {
     return $_err_code
   fi
 
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LECertDeploy-$_cdomain\" owner=$ROUTER_OS_USERNAME \
 comment=\"generated by routeros deploy script in acme.sh\" \
 source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
@@ -158,11 +158,11 @@ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
     return $_err_code
   fi
 
-  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
+  if ! _ssh_remote_cmd "/system script run \"LECertDeploy-$_cdomain\""; then
     return $_err_code
   fi
 
-  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
+  if ! _ssh_remote_cmd "/system script remove \"LECertDeploy-$_cdomain\""; then
     return $_err_code
   fi