From 5bde8291afed42424abd2735c870c3664db3869a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9B=BE=E5=A8=81?= Date: Sun, 12 Mar 2023 07:43:52 +0800 Subject: [PATCH] add acme.sh, thingsboard, server-init.sh --- README.md | 11 +- acme.sh-master/.github/FUNDING.yml | 12 + acme.sh-master/.github/ISSUE_TEMPLATE.md | 27 + .../.github/PULL_REQUEST_TEMPLATE.md | 9 + acme.sh-master/.github/workflows/DNS.yml | 465 + .../.github/workflows/DragonFlyBSD.yml | 71 + acme.sh-master/.github/workflows/FreeBSD.yml | 76 + acme.sh-master/.github/workflows/Linux.yml | 48 + acme.sh-master/.github/workflows/MacOS.yml | 60 + acme.sh-master/.github/workflows/NetBSD.yml | 71 + acme.sh-master/.github/workflows/OpenBSD.yml | 76 + .../.github/workflows/PebbleStrict.yml | 72 + acme.sh-master/.github/workflows/Solaris.yml | 74 + acme.sh-master/.github/workflows/Ubuntu.yml | 103 + acme.sh-master/.github/workflows/Windows.yml | 78 + .../.github/workflows/dockerhub.yml | 73 + acme.sh-master/.github/workflows/issue.yml | 19 + acme.sh-master/.github/workflows/pr_dns.yml | 30 + .../.github/workflows/pr_notify.yml | 30 + .../.github/workflows/shellcheck.yml | 38 + acme.sh-master/Dockerfile | 76 + acme.sh-master/LICENSE.md | 674 ++ acme.sh-master/README.md | 530 ++ acme.sh-master/acme.sh | 7991 +++++++++++++++++ acme.sh-master/deploy/README.md | 6 + acme.sh-master/deploy/apache.sh | 26 + acme.sh-master/deploy/cleverreach.sh | 92 + acme.sh-master/deploy/consul.sh | 98 + acme.sh-master/deploy/cpanel_uapi.sh | 211 + acme.sh-master/deploy/docker.sh | 288 + acme.sh-master/deploy/dovecot.sh | 26 + acme.sh-master/deploy/exim4.sh | 114 + acme.sh-master/deploy/fritzbox.sh | 126 + acme.sh-master/deploy/gcore_cdn.sh | 143 + acme.sh-master/deploy/gitlab.sh | 80 + acme.sh-master/deploy/haproxy.sh | 280 + acme.sh-master/deploy/keychain.sh | 25 + acme.sh-master/deploy/kong.sh | 77 + acme.sh-master/deploy/lighttpd.sh | 280 + acme.sh-master/deploy/mailcow.sh | 69 + acme.sh-master/deploy/myapi.sh | 28 + acme.sh-master/deploy/mydevil.sh | 59 + acme.sh-master/deploy/mysqld.sh | 26 + acme.sh-master/deploy/nginx.sh | 26 + acme.sh-master/deploy/openmediavault.sh | 156 + acme.sh-master/deploy/opensshd.sh | 26 + acme.sh-master/deploy/openstack.sh | 262 + acme.sh-master/deploy/panos.sh | 139 + acme.sh-master/deploy/peplink.sh | 123 + acme.sh-master/deploy/proxmoxve.sh | 132 + acme.sh-master/deploy/pureftpd.sh | 26 + acme.sh-master/deploy/qiniu.sh | 96 + acme.sh-master/deploy/routeros.sh | 203 + acme.sh-master/deploy/ssh.sh | 462 + acme.sh-master/deploy/strongswan.sh | 55 + acme.sh-master/deploy/synology_dsm.sh | 183 + acme.sh-master/deploy/truenas.sh | 223 + acme.sh-master/deploy/unifi.sh | 214 + acme.sh-master/deploy/vault.sh | 131 + acme.sh-master/deploy/vault_cli.sh | 104 + acme.sh-master/deploy/vsftpd.sh | 110 + acme.sh-master/dnsapi/README.md | 6 + acme.sh-master/dnsapi/dns_1984hosting.sh | 261 + acme.sh-master/dnsapi/dns_acmedns.sh | 94 + acme.sh-master/dnsapi/dns_acmeproxy.sh | 83 + acme.sh-master/dnsapi/dns_active24.sh | 141 + acme.sh-master/dnsapi/dns_ad.sh | 147 + acme.sh-master/dnsapi/dns_ali.sh | 203 + acme.sh-master/dnsapi/dns_anx.sh | 150 + acme.sh-master/dnsapi/dns_arvan.sh | 151 + acme.sh-master/dnsapi/dns_aurora.sh | 171 + acme.sh-master/dnsapi/dns_autodns.sh | 264 + acme.sh-master/dnsapi/dns_aws.sh | 363 + acme.sh-master/dnsapi/dns_azion.sh | 204 + acme.sh-master/dnsapi/dns_azure.sh | 378 + acme.sh-master/dnsapi/dns_bunny.sh | 248 + acme.sh-master/dnsapi/dns_cf.sh | 249 + acme.sh-master/dnsapi/dns_clouddns.sh | 197 + acme.sh-master/dnsapi/dns_cloudns.sh | 208 + acme.sh-master/dnsapi/dns_cn.sh | 157 + acme.sh-master/dnsapi/dns_conoha.sh | 253 + acme.sh-master/dnsapi/dns_constellix.sh | 176 + acme.sh-master/dnsapi/dns_cpanel.sh | 160 + acme.sh-master/dnsapi/dns_curanet.sh | 159 + acme.sh-master/dnsapi/dns_cyon.sh | 328 + acme.sh-master/dnsapi/dns_da.sh | 184 + acme.sh-master/dnsapi/dns_ddnss.sh | 130 + acme.sh-master/dnsapi/dns_desec.sh | 197 + acme.sh-master/dnsapi/dns_df.sh | 65 + acme.sh-master/dnsapi/dns_dgon.sh | 249 + acme.sh-master/dnsapi/dns_dnshome.sh | 87 + acme.sh-master/dnsapi/dns_dnsimple.sh | 198 + acme.sh-master/dnsapi/dns_dnsservices.sh | 248 + acme.sh-master/dnsapi/dns_do.sh | 148 + acme.sh-master/dnsapi/dns_doapi.sh | 59 + acme.sh-master/dnsapi/dns_domeneshop.sh | 155 + acme.sh-master/dnsapi/dns_dp.sh | 161 + acme.sh-master/dnsapi/dns_dpi.sh | 161 + acme.sh-master/dnsapi/dns_dreamhost.sh | 97 + acme.sh-master/dnsapi/dns_duckdns.sh | 132 + acme.sh-master/dnsapi/dns_durabledns.sh | 176 + acme.sh-master/dnsapi/dns_dyn.sh | 339 + acme.sh-master/dnsapi/dns_dynu.sh | 232 + acme.sh-master/dnsapi/dns_dynv6.sh | 285 + acme.sh-master/dnsapi/dns_easydns.sh | 171 + acme.sh-master/dnsapi/dns_edgedns.sh | 470 + acme.sh-master/dnsapi/dns_euserv.sh | 358 + acme.sh-master/dnsapi/dns_exoscale.sh | 168 + acme.sh-master/dnsapi/dns_fornex.sh | 146 + acme.sh-master/dnsapi/dns_freedns.sh | 371 + acme.sh-master/dnsapi/dns_gandi_livedns.sh | 175 + acme.sh-master/dnsapi/dns_gcloud.sh | 170 + acme.sh-master/dnsapi/dns_gcore.sh | 187 + acme.sh-master/dnsapi/dns_gd.sh | 200 + acme.sh-master/dnsapi/dns_geoscaling.sh | 232 + acme.sh-master/dnsapi/dns_he.sh | 173 + acme.sh-master/dnsapi/dns_hetzner.sh | 252 + acme.sh-master/dnsapi/dns_hexonet.sh | 156 + acme.sh-master/dnsapi/dns_hostingde.sh | 178 + acme.sh-master/dnsapi/dns_huaweicloud.sh | 291 + acme.sh-master/dnsapi/dns_infoblox.sh | 111 + acme.sh-master/dnsapi/dns_infomaniak.sh | 199 + acme.sh-master/dnsapi/dns_internetbs.sh | 180 + acme.sh-master/dnsapi/dns_inwx.sh | 420 + acme.sh-master/dnsapi/dns_ionos.sh | 171 + acme.sh-master/dnsapi/dns_ipv64.sh | 157 + acme.sh-master/dnsapi/dns_ispconfig.sh | 194 + acme.sh-master/dnsapi/dns_jd.sh | 286 + acme.sh-master/dnsapi/dns_joker.sh | 129 + acme.sh-master/dnsapi/dns_kappernet.sh | 150 + acme.sh-master/dnsapi/dns_kas.sh | 281 + acme.sh-master/dnsapi/dns_kinghost.sh | 107 + acme.sh-master/dnsapi/dns_knot.sh | 97 + acme.sh-master/dnsapi/dns_la.sh | 147 + acme.sh-master/dnsapi/dns_leaseweb.sh | 149 + acme.sh-master/dnsapi/dns_lexicon.sh | 113 + acme.sh-master/dnsapi/dns_linode.sh | 183 + acme.sh-master/dnsapi/dns_linode_v4.sh | 187 + acme.sh-master/dnsapi/dns_loopia.sh | 326 + acme.sh-master/dnsapi/dns_lua.sh | 154 + acme.sh-master/dnsapi/dns_maradns.sh | 69 + acme.sh-master/dnsapi/dns_me.sh | 157 + acme.sh-master/dnsapi/dns_miab.sh | 211 + acme.sh-master/dnsapi/dns_misaka.sh | 159 + acme.sh-master/dnsapi/dns_myapi.sh | 37 + acme.sh-master/dnsapi/dns_mydevil.sh | 99 + acme.sh-master/dnsapi/dns_mydnsjp.sh | 196 + acme.sh-master/dnsapi/dns_mythic_beasts.sh | 261 + acme.sh-master/dnsapi/dns_namecheap.sh | 411 + acme.sh-master/dnsapi/dns_namecom.sh | 173 + acme.sh-master/dnsapi/dns_namesilo.sh | 142 + acme.sh-master/dnsapi/dns_nanelo.sh | 59 + acme.sh-master/dnsapi/dns_nederhost.sh | 127 + acme.sh-master/dnsapi/dns_neodigit.sh | 181 + acme.sh-master/dnsapi/dns_netcup.sh | 134 + acme.sh-master/dnsapi/dns_netlify.sh | 162 + acme.sh-master/dnsapi/dns_nic.sh | 205 + acme.sh-master/dnsapi/dns_njalla.sh | 168 + acme.sh-master/dnsapi/dns_nm.sh | 88 + acme.sh-master/dnsapi/dns_nsd.sh | 64 + acme.sh-master/dnsapi/dns_nsone.sh | 158 + acme.sh-master/dnsapi/dns_nsupdate.sh | 98 + acme.sh-master/dnsapi/dns_nw.sh | 211 + acme.sh-master/dnsapi/dns_oci.sh | 325 + acme.sh-master/dnsapi/dns_one.sh | 227 + acme.sh-master/dnsapi/dns_online.sh | 217 + acme.sh-master/dnsapi/dns_openprovider.sh | 247 + acme.sh-master/dnsapi/dns_openstack.sh | 348 + acme.sh-master/dnsapi/dns_opnsense.sh | 272 + acme.sh-master/dnsapi/dns_ovh.sh | 322 + acme.sh-master/dnsapi/dns_pdns.sh | 233 + acme.sh-master/dnsapi/dns_pleskxml.sh | 417 + acme.sh-master/dnsapi/dns_pointhq.sh | 164 + acme.sh-master/dnsapi/dns_porkbun.sh | 157 + acme.sh-master/dnsapi/dns_rackcorp.sh | 156 + acme.sh-master/dnsapi/dns_rackspace.sh | 208 + acme.sh-master/dnsapi/dns_rage4.sh | 115 + acme.sh-master/dnsapi/dns_rcode0.sh | 224 + acme.sh-master/dnsapi/dns_regru.sh | 127 + acme.sh-master/dnsapi/dns_scaleway.sh | 176 + acme.sh-master/dnsapi/dns_schlundtech.sh | 261 + acme.sh-master/dnsapi/dns_selectel.sh | 161 + acme.sh-master/dnsapi/dns_selfhost.sh | 94 + acme.sh-master/dnsapi/dns_servercow.sh | 196 + acme.sh-master/dnsapi/dns_simply.sh | 269 + acme.sh-master/dnsapi/dns_tele3.sh | 69 + acme.sh-master/dnsapi/dns_transip.sh | 183 + acme.sh-master/dnsapi/dns_udr.sh | 160 + acme.sh-master/dnsapi/dns_ultra.sh | 167 + acme.sh-master/dnsapi/dns_unoeuro.sh | 179 + acme.sh-master/dnsapi/dns_variomedia.sh | 147 + acme.sh-master/dnsapi/dns_veesp.sh | 158 + acme.sh-master/dnsapi/dns_vercel.sh | 142 + acme.sh-master/dnsapi/dns_vscale.sh | 149 + acme.sh-master/dnsapi/dns_vultr.sh | 161 + acme.sh-master/dnsapi/dns_websupport.sh | 207 + acme.sh-master/dnsapi/dns_world4you.sh | 220 + acme.sh-master/dnsapi/dns_yandex.sh | 121 + acme.sh-master/dnsapi/dns_yc.sh | 264 + acme.sh-master/dnsapi/dns_zilore.sh | 139 + acme.sh-master/dnsapi/dns_zone.sh | 149 + acme.sh-master/dnsapi/dns_zonomi.sh | 85 + acme.sh-master/notify/bark.sh | 51 + acme.sh-master/notify/callmebotWhatsApp.sh | 44 + acme.sh-master/notify/cqhttp.sh | 64 + acme.sh-master/notify/dingtalk.sh | 68 + acme.sh-master/notify/discord.sh | 57 + acme.sh-master/notify/feishu.sh | 48 + acme.sh-master/notify/gotify.sh | 62 + acme.sh-master/notify/ifttt.sh | 86 + acme.sh-master/notify/mail.sh | 144 + acme.sh-master/notify/mailgun.sh | 131 + acme.sh-master/notify/pop.sh | 15 + acme.sh-master/notify/postmark.sh | 58 + acme.sh-master/notify/pushbullet.sh | 44 + acme.sh-master/notify/pushover.sh | 63 + acme.sh-master/notify/sendgrid.sh | 64 + acme.sh-master/notify/slack.sh | 55 + acme.sh-master/notify/slack_app.sh | 45 + acme.sh-master/notify/smtp.sh | 399 + acme.sh-master/notify/teams.sh | 86 + acme.sh-master/notify/telegram.sh | 52 + acme.sh-master/notify/weixin_work.sh | 49 + acme.sh-master/notify/xmpp.sh | 90 + acme.sh.zip | Bin 0 -> 414688 bytes crawlab/docker-compose.yml | 4 +- nginx/data/conf.d/thingsboard.conf | 51 + server-init.sh | 50 + thingsboard/docker-compose.yml | 16 + thingsboard/readme.md | 36 + 230 files changed, 44047 insertions(+), 3 deletions(-) create mode 100644 acme.sh-master/.github/FUNDING.yml create mode 100644 acme.sh-master/.github/ISSUE_TEMPLATE.md create mode 100644 acme.sh-master/.github/PULL_REQUEST_TEMPLATE.md create mode 100644 acme.sh-master/.github/workflows/DNS.yml create mode 100644 acme.sh-master/.github/workflows/DragonFlyBSD.yml create mode 100644 acme.sh-master/.github/workflows/FreeBSD.yml create mode 100644 acme.sh-master/.github/workflows/Linux.yml create mode 100644 acme.sh-master/.github/workflows/MacOS.yml create mode 100644 acme.sh-master/.github/workflows/NetBSD.yml create mode 100644 acme.sh-master/.github/workflows/OpenBSD.yml create mode 100644 acme.sh-master/.github/workflows/PebbleStrict.yml create mode 100644 acme.sh-master/.github/workflows/Solaris.yml create mode 100644 acme.sh-master/.github/workflows/Ubuntu.yml create mode 100644 acme.sh-master/.github/workflows/Windows.yml create mode 100644 acme.sh-master/.github/workflows/dockerhub.yml create mode 100644 acme.sh-master/.github/workflows/issue.yml create mode 100644 acme.sh-master/.github/workflows/pr_dns.yml create mode 100644 acme.sh-master/.github/workflows/pr_notify.yml create mode 100644 acme.sh-master/.github/workflows/shellcheck.yml create mode 100644 acme.sh-master/Dockerfile create mode 100644 acme.sh-master/LICENSE.md create mode 100644 acme.sh-master/README.md create mode 100644 acme.sh-master/acme.sh create mode 100644 acme.sh-master/deploy/README.md create mode 100644 acme.sh-master/deploy/apache.sh create mode 100644 acme.sh-master/deploy/cleverreach.sh create mode 100644 acme.sh-master/deploy/consul.sh create mode 100644 acme.sh-master/deploy/cpanel_uapi.sh create mode 100644 acme.sh-master/deploy/docker.sh create mode 100644 acme.sh-master/deploy/dovecot.sh create mode 100644 acme.sh-master/deploy/exim4.sh create mode 100644 acme.sh-master/deploy/fritzbox.sh create mode 100644 acme.sh-master/deploy/gcore_cdn.sh create mode 100644 acme.sh-master/deploy/gitlab.sh create mode 100644 acme.sh-master/deploy/haproxy.sh create mode 100644 acme.sh-master/deploy/keychain.sh create mode 100644 acme.sh-master/deploy/kong.sh create mode 100644 acme.sh-master/deploy/lighttpd.sh create mode 100644 acme.sh-master/deploy/mailcow.sh create mode 100644 acme.sh-master/deploy/myapi.sh create mode 100644 acme.sh-master/deploy/mydevil.sh create mode 100644 acme.sh-master/deploy/mysqld.sh create mode 100644 acme.sh-master/deploy/nginx.sh create mode 100644 acme.sh-master/deploy/openmediavault.sh create mode 100644 acme.sh-master/deploy/opensshd.sh create mode 100644 acme.sh-master/deploy/openstack.sh create mode 100644 acme.sh-master/deploy/panos.sh create mode 100644 acme.sh-master/deploy/peplink.sh create mode 100644 acme.sh-master/deploy/proxmoxve.sh create mode 100644 acme.sh-master/deploy/pureftpd.sh create mode 100644 acme.sh-master/deploy/qiniu.sh create mode 100644 acme.sh-master/deploy/routeros.sh create mode 100644 acme.sh-master/deploy/ssh.sh create mode 100644 acme.sh-master/deploy/strongswan.sh create mode 100644 acme.sh-master/deploy/synology_dsm.sh create mode 100644 acme.sh-master/deploy/truenas.sh create mode 100644 acme.sh-master/deploy/unifi.sh create mode 100644 acme.sh-master/deploy/vault.sh create mode 100644 acme.sh-master/deploy/vault_cli.sh create mode 100644 acme.sh-master/deploy/vsftpd.sh create mode 100644 acme.sh-master/dnsapi/README.md create mode 100644 acme.sh-master/dnsapi/dns_1984hosting.sh create mode 100644 acme.sh-master/dnsapi/dns_acmedns.sh create mode 100644 acme.sh-master/dnsapi/dns_acmeproxy.sh create mode 100644 acme.sh-master/dnsapi/dns_active24.sh create mode 100644 acme.sh-master/dnsapi/dns_ad.sh create mode 100644 acme.sh-master/dnsapi/dns_ali.sh create mode 100644 acme.sh-master/dnsapi/dns_anx.sh create mode 100644 acme.sh-master/dnsapi/dns_arvan.sh create mode 100644 acme.sh-master/dnsapi/dns_aurora.sh create mode 100644 acme.sh-master/dnsapi/dns_autodns.sh create mode 100644 acme.sh-master/dnsapi/dns_aws.sh create mode 100644 acme.sh-master/dnsapi/dns_azion.sh create mode 100644 acme.sh-master/dnsapi/dns_azure.sh create mode 100644 acme.sh-master/dnsapi/dns_bunny.sh create mode 100644 acme.sh-master/dnsapi/dns_cf.sh create mode 100644 acme.sh-master/dnsapi/dns_clouddns.sh create mode 100644 acme.sh-master/dnsapi/dns_cloudns.sh create mode 100644 acme.sh-master/dnsapi/dns_cn.sh create mode 100644 acme.sh-master/dnsapi/dns_conoha.sh create mode 100644 acme.sh-master/dnsapi/dns_constellix.sh create mode 100644 acme.sh-master/dnsapi/dns_cpanel.sh create mode 100644 acme.sh-master/dnsapi/dns_curanet.sh create mode 100644 acme.sh-master/dnsapi/dns_cyon.sh create mode 100644 acme.sh-master/dnsapi/dns_da.sh create mode 100644 acme.sh-master/dnsapi/dns_ddnss.sh create mode 100644 acme.sh-master/dnsapi/dns_desec.sh create mode 100644 acme.sh-master/dnsapi/dns_df.sh create mode 100644 acme.sh-master/dnsapi/dns_dgon.sh create mode 100644 acme.sh-master/dnsapi/dns_dnshome.sh create mode 100644 acme.sh-master/dnsapi/dns_dnsimple.sh create mode 100644 acme.sh-master/dnsapi/dns_dnsservices.sh create mode 100644 acme.sh-master/dnsapi/dns_do.sh create mode 100644 acme.sh-master/dnsapi/dns_doapi.sh create mode 100644 acme.sh-master/dnsapi/dns_domeneshop.sh create mode 100644 acme.sh-master/dnsapi/dns_dp.sh create mode 100644 acme.sh-master/dnsapi/dns_dpi.sh create mode 100644 acme.sh-master/dnsapi/dns_dreamhost.sh create mode 100644 acme.sh-master/dnsapi/dns_duckdns.sh create mode 100644 acme.sh-master/dnsapi/dns_durabledns.sh create mode 100644 acme.sh-master/dnsapi/dns_dyn.sh create mode 100644 acme.sh-master/dnsapi/dns_dynu.sh create mode 100644 acme.sh-master/dnsapi/dns_dynv6.sh create mode 100644 acme.sh-master/dnsapi/dns_easydns.sh create mode 100644 acme.sh-master/dnsapi/dns_edgedns.sh create mode 100644 acme.sh-master/dnsapi/dns_euserv.sh create mode 100644 acme.sh-master/dnsapi/dns_exoscale.sh create mode 100644 acme.sh-master/dnsapi/dns_fornex.sh create mode 100644 acme.sh-master/dnsapi/dns_freedns.sh create mode 100644 acme.sh-master/dnsapi/dns_gandi_livedns.sh create mode 100644 acme.sh-master/dnsapi/dns_gcloud.sh create mode 100644 acme.sh-master/dnsapi/dns_gcore.sh create mode 100644 acme.sh-master/dnsapi/dns_gd.sh create mode 100644 acme.sh-master/dnsapi/dns_geoscaling.sh create mode 100644 acme.sh-master/dnsapi/dns_he.sh create mode 100644 acme.sh-master/dnsapi/dns_hetzner.sh create mode 100644 acme.sh-master/dnsapi/dns_hexonet.sh create mode 100644 acme.sh-master/dnsapi/dns_hostingde.sh create mode 100644 acme.sh-master/dnsapi/dns_huaweicloud.sh create mode 100644 acme.sh-master/dnsapi/dns_infoblox.sh create mode 100644 acme.sh-master/dnsapi/dns_infomaniak.sh create mode 100644 acme.sh-master/dnsapi/dns_internetbs.sh create mode 100644 acme.sh-master/dnsapi/dns_inwx.sh create mode 100644 acme.sh-master/dnsapi/dns_ionos.sh create mode 100644 acme.sh-master/dnsapi/dns_ipv64.sh create mode 100644 acme.sh-master/dnsapi/dns_ispconfig.sh create mode 100644 acme.sh-master/dnsapi/dns_jd.sh create mode 100644 acme.sh-master/dnsapi/dns_joker.sh create mode 100644 acme.sh-master/dnsapi/dns_kappernet.sh create mode 100644 acme.sh-master/dnsapi/dns_kas.sh create mode 100644 acme.sh-master/dnsapi/dns_kinghost.sh create mode 100644 acme.sh-master/dnsapi/dns_knot.sh create mode 100644 acme.sh-master/dnsapi/dns_la.sh create mode 100644 acme.sh-master/dnsapi/dns_leaseweb.sh create mode 100644 acme.sh-master/dnsapi/dns_lexicon.sh create mode 100644 acme.sh-master/dnsapi/dns_linode.sh create mode 100644 acme.sh-master/dnsapi/dns_linode_v4.sh create mode 100644 acme.sh-master/dnsapi/dns_loopia.sh create mode 100644 acme.sh-master/dnsapi/dns_lua.sh create mode 100644 acme.sh-master/dnsapi/dns_maradns.sh create mode 100644 acme.sh-master/dnsapi/dns_me.sh create mode 100644 acme.sh-master/dnsapi/dns_miab.sh create mode 100644 acme.sh-master/dnsapi/dns_misaka.sh create mode 100644 acme.sh-master/dnsapi/dns_myapi.sh create mode 100644 acme.sh-master/dnsapi/dns_mydevil.sh create mode 100644 acme.sh-master/dnsapi/dns_mydnsjp.sh create mode 100644 acme.sh-master/dnsapi/dns_mythic_beasts.sh create mode 100644 acme.sh-master/dnsapi/dns_namecheap.sh create mode 100644 acme.sh-master/dnsapi/dns_namecom.sh create mode 100644 acme.sh-master/dnsapi/dns_namesilo.sh create mode 100644 acme.sh-master/dnsapi/dns_nanelo.sh create mode 100644 acme.sh-master/dnsapi/dns_nederhost.sh create mode 100644 acme.sh-master/dnsapi/dns_neodigit.sh create mode 100644 acme.sh-master/dnsapi/dns_netcup.sh create mode 100644 acme.sh-master/dnsapi/dns_netlify.sh create mode 100644 acme.sh-master/dnsapi/dns_nic.sh create mode 100644 acme.sh-master/dnsapi/dns_njalla.sh create mode 100644 acme.sh-master/dnsapi/dns_nm.sh create mode 100644 acme.sh-master/dnsapi/dns_nsd.sh create mode 100644 acme.sh-master/dnsapi/dns_nsone.sh create mode 100644 acme.sh-master/dnsapi/dns_nsupdate.sh create mode 100644 acme.sh-master/dnsapi/dns_nw.sh create mode 100644 acme.sh-master/dnsapi/dns_oci.sh create mode 100644 acme.sh-master/dnsapi/dns_one.sh create mode 100644 acme.sh-master/dnsapi/dns_online.sh create mode 100644 acme.sh-master/dnsapi/dns_openprovider.sh create mode 100644 acme.sh-master/dnsapi/dns_openstack.sh create mode 100644 acme.sh-master/dnsapi/dns_opnsense.sh create mode 100644 acme.sh-master/dnsapi/dns_ovh.sh create mode 100644 acme.sh-master/dnsapi/dns_pdns.sh create mode 100644 acme.sh-master/dnsapi/dns_pleskxml.sh create mode 100644 acme.sh-master/dnsapi/dns_pointhq.sh create mode 100644 acme.sh-master/dnsapi/dns_porkbun.sh create mode 100644 acme.sh-master/dnsapi/dns_rackcorp.sh create mode 100644 acme.sh-master/dnsapi/dns_rackspace.sh create mode 100644 acme.sh-master/dnsapi/dns_rage4.sh create mode 100644 acme.sh-master/dnsapi/dns_rcode0.sh create mode 100644 acme.sh-master/dnsapi/dns_regru.sh create mode 100644 acme.sh-master/dnsapi/dns_scaleway.sh create mode 100644 acme.sh-master/dnsapi/dns_schlundtech.sh create mode 100644 acme.sh-master/dnsapi/dns_selectel.sh create mode 100644 acme.sh-master/dnsapi/dns_selfhost.sh create mode 100644 acme.sh-master/dnsapi/dns_servercow.sh create mode 100644 acme.sh-master/dnsapi/dns_simply.sh create mode 100644 acme.sh-master/dnsapi/dns_tele3.sh create mode 100644 acme.sh-master/dnsapi/dns_transip.sh create mode 100644 acme.sh-master/dnsapi/dns_udr.sh create mode 100644 acme.sh-master/dnsapi/dns_ultra.sh create mode 100644 acme.sh-master/dnsapi/dns_unoeuro.sh create mode 100644 acme.sh-master/dnsapi/dns_variomedia.sh create mode 100644 acme.sh-master/dnsapi/dns_veesp.sh create mode 100644 acme.sh-master/dnsapi/dns_vercel.sh create mode 100644 acme.sh-master/dnsapi/dns_vscale.sh create mode 100644 acme.sh-master/dnsapi/dns_vultr.sh create mode 100644 acme.sh-master/dnsapi/dns_websupport.sh create mode 100644 acme.sh-master/dnsapi/dns_world4you.sh create mode 100644 acme.sh-master/dnsapi/dns_yandex.sh create mode 100644 acme.sh-master/dnsapi/dns_yc.sh create mode 100644 acme.sh-master/dnsapi/dns_zilore.sh create mode 100644 acme.sh-master/dnsapi/dns_zone.sh create mode 100644 acme.sh-master/dnsapi/dns_zonomi.sh create mode 100644 acme.sh-master/notify/bark.sh create mode 100644 acme.sh-master/notify/callmebotWhatsApp.sh create mode 100644 acme.sh-master/notify/cqhttp.sh create mode 100644 acme.sh-master/notify/dingtalk.sh create mode 100644 acme.sh-master/notify/discord.sh create mode 100644 acme.sh-master/notify/feishu.sh create mode 100644 acme.sh-master/notify/gotify.sh create mode 100644 acme.sh-master/notify/ifttt.sh create mode 100644 acme.sh-master/notify/mail.sh create mode 100644 acme.sh-master/notify/mailgun.sh create mode 100644 acme.sh-master/notify/pop.sh create mode 100644 acme.sh-master/notify/postmark.sh create mode 100644 acme.sh-master/notify/pushbullet.sh create mode 100644 acme.sh-master/notify/pushover.sh create mode 100644 acme.sh-master/notify/sendgrid.sh create mode 100644 acme.sh-master/notify/slack.sh create mode 100644 acme.sh-master/notify/slack_app.sh create mode 100644 acme.sh-master/notify/smtp.sh create mode 100644 acme.sh-master/notify/teams.sh create mode 100644 acme.sh-master/notify/telegram.sh create mode 100644 acme.sh-master/notify/weixin_work.sh create mode 100644 acme.sh-master/notify/xmpp.sh create mode 100644 acme.sh.zip create mode 100644 nginx/data/conf.d/thingsboard.conf create mode 100644 server-init.sh create mode 100644 thingsboard/docker-compose.yml create mode 100644 thingsboard/readme.md diff --git a/README.md b/README.md index 34436ed..f46d49a 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,15 @@ https://docs.cloudreve.org/getting-started/install https://blog.csdn.net/gengkui9897/article/details/127348289 - - # maven私有仓库 nexus [(115条消息) DockerCompose - 部署 Nexus 私服_docker-compose nexus_云原生.乔豆麻袋.cn的博客-CSDN博客](https://blog.csdn.net/qiaohao0206/article/details/125471721) + + + +1. administrative professional / coordinator /support/assistant NAICS 541611/561110 +2. Cyber security.. Cybersecirty" support audit, identiy threats, cybersecutity preparedness, cloud security, asset management +3. modernization +4. AI/ML +5. Digital teransformation/records management/scanning documents +6. data processing/hosting/related servicec NAICS 518210 diff --git a/acme.sh-master/.github/FUNDING.yml b/acme.sh-master/.github/FUNDING.yml new file mode 100644 index 0000000..8905a65 --- /dev/null +++ b/acme.sh-master/.github/FUNDING.yml @@ -0,0 +1,12 @@ +# These are supported funding model platforms + +github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] +patreon: # Replace with a single Patreon username +open_collective: acmesh +ko_fi: neilpang +tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel +community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry +liberapay: # Replace with a single Liberapay username +issuehunt: # Replace with a single IssueHunt username +otechie: # Replace with a single Otechie username +custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] diff --git a/acme.sh-master/.github/ISSUE_TEMPLATE.md b/acme.sh-master/.github/ISSUE_TEMPLATE.md new file mode 100644 index 0000000..f70553c --- /dev/null +++ b/acme.sh-master/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,27 @@ + + +Steps to reproduce +------------------ + +Debug log +----------------- + +``` +acme.sh --issue ..... --debug 2 +``` + + diff --git a/acme.sh-master/.github/PULL_REQUEST_TEMPLATE.md b/acme.sh-master/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..0f48556 --- /dev/null +++ b/acme.sh-master/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,9 @@ + \ No newline at end of file diff --git a/acme.sh-master/.github/workflows/DNS.yml b/acme.sh-master/.github/workflows/DNS.yml new file mode 100644 index 0000000..615e5d8 --- /dev/null +++ b/acme.sh-master/.github/workflows/DNS.yml @@ -0,0 +1,465 @@ +name: DNS +on: + push: + paths: + - 'dnsapi/*.sh' + - '.github/workflows/DNS.yml' + pull_request: + branches: + - 'dev' + paths: + - 'dnsapi/*.sh' + - '.github/workflows/DNS.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + CheckToken: + runs-on: ubuntu-latest + outputs: + hasToken: ${{ steps.step_one.outputs.hasToken }} + steps: + - name: Set the value + id: step_one + run: | + if [ "${{secrets.TokenName1}}" ] ; then + echo "::set-output name=hasToken::true" + else + echo "::set-output name=hasToken::false" + fi + - name: Check the value + run: echo ${{ steps.step_one.outputs.hasToken }} + + Fail: + runs-on: ubuntu-latest + needs: CheckToken + if: "contains(needs.CheckToken.outputs.hasToken, 'false')" + steps: + - name: "Read this: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test" + run: | + echo "Read this: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test" + if [ "${{github.repository_owner}}" != "acmesh-official" ]; then + false + fi + + Docker: + runs-on: ubuntu-latest + needs: CheckToken + if: "contains(needs.CheckToken.outputs.hasToken, 'true')" + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Set env file + run: | + cd ../acmetest + if [ "${{ secrets.TokenName1}}" ] ; then + echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> docker.env + fi + if [ "${{ secrets.TokenName2}}" ] ; then + echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> docker.env + fi + if [ "${{ secrets.TokenName3}}" ] ; then + echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> docker.env + fi + if [ "${{ secrets.TokenName4}}" ] ; then + echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> docker.env + fi + if [ "${{ secrets.TokenName5}}" ] ; then + echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env + fi + + - name: Run acmetest + run: cd ../acmetest && ./rundocker.sh testall + + + + + MacOS: + runs-on: macos-latest + needs: Docker + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Install tools + run: brew install socat + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Run acmetest + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + + + + Windows: + runs-on: windows-latest + needs: MacOS + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - name: Set git to use LF + run: | + git config --global core.autocrlf false + - uses: actions/checkout@v3 + - name: Install cygwin base packages with chocolatey + run: | + choco config get cacheLocation + choco install --no-progress cygwin + shell: cmd + - name: Install cygwin additional packages + run: | + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git + shell: cmd + - name: Set ENV + shell: cmd + run: | + echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV% + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Run acmetest + shell: bash + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + + + FreeBSD: + runs-on: macos-12 + needs: Windows + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/freebsd-vm@v0 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + prepare: pkg install -y socat curl + usesh: true + copyback: false + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + + + + OpenBSD: + runs-on: macos-12 + needs: FreeBSD + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/openbsd-vm@v0 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + prepare: pkg_add socat curl + usesh: true + copyback: false + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + + + + NetBSD: + runs-on: macos-12 + needs: OpenBSD + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/netbsd-vm@v0 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + prepare: | + pkg_add curl socat + usesh: true + copyback: false + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + + + + DragonFlyBSD: + runs-on: macos-12 + needs: NetBSD + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/dragonflybsd-vm@v0 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + prepare: | + pkg install -y curl socat + usesh: true + copyback: false + run: | + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + + + + + + + Solaris: + runs-on: macos-12 + needs: DragonFlyBSD + env: + TEST_DNS : ${{ secrets.TEST_DNS }} + TestingDomain: ${{ secrets.TestingDomain }} + TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }} + TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }} + TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }} + CASE: le_test_dnsapi + TEST_LOCAL: 1 + DEBUG: ${{ secrets.DEBUG }} + http_proxy: ${{ secrets.http_proxy }} + https_proxy: ${{ secrets.https_proxy }} + HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since Solaris doesn't accept the expired ISRG X1 root + TokenName1: ${{ secrets.TokenName1}} + TokenName2: ${{ secrets.TokenName2}} + TokenName3: ${{ secrets.TokenName3}} + TokenName4: ${{ secrets.TokenName4}} + TokenName5: ${{ secrets.TokenName5}} + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/solaris-vm@v0 + with: + envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}' + copyback: false + prepare: pkgutil -y -i socat + run: | + pkg set-mediator -v -I default@1.1 openssl + export PATH=/usr/gnu/bin:$PATH + if [ "${{ secrets.TokenName1}}" ] ; then + export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}" + fi + if [ "${{ secrets.TokenName2}}" ] ; then + export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}" + fi + if [ "${{ secrets.TokenName3}}" ] ; then + export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}" + fi + if [ "${{ secrets.TokenName4}}" ] ; then + export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}" + fi + if [ "${{ secrets.TokenName5}}" ] ; then + export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}" + fi + cd ../acmetest + ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/DragonFlyBSD.yml b/acme.sh-master/.github/workflows/DragonFlyBSD.yml new file mode 100644 index 0000000..77b825d --- /dev/null +++ b/acme.sh-master/.github/workflows/DragonFlyBSD.yml @@ -0,0 +1,71 @@ +name: DragonFlyBSD +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/DragonFlyBSD.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/DragonFlyBSD.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + + +jobs: + DragonFlyBSD: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-12 + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + steps: + - uses: actions/checkout@v3 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/dragonflybsd-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' + copyback: "false" + nat: | + "8080": "80" + prepare: | + pkg install -y curl socat + usesh: true + run: | + cd ../acmetest \ + && ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/FreeBSD.yml b/acme.sh-master/.github/workflows/FreeBSD.yml new file mode 100644 index 0000000..fe06b2f --- /dev/null +++ b/acme.sh-master/.github/workflows/FreeBSD.yml @@ -0,0 +1,76 @@ +name: FreeBSD +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/FreeBSD.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/FreeBSD.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + FreeBSD: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-12 + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v3 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/freebsd-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + nat: | + "8080": "80" + prepare: pkg install -y socat curl wget + usesh: true + copyback: false + run: | + cd ../acmetest \ + && ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/Linux.yml b/acme.sh-master/.github/workflows/Linux.yml new file mode 100644 index 0000000..98a56a2 --- /dev/null +++ b/acme.sh-master/.github/workflows/Linux.yml @@ -0,0 +1,48 @@ +name: Linux +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Linux.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Linux.yml' + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + + +jobs: + Linux: + strategy: + matrix: + os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:7", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"] + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + TEST_ACME_Server: "LetsEncrypt.org_test" + steps: + - uses: actions/checkout@v3 + - name: Clone acmetest + run: | + cd .. \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ + && cp -r acme.sh acmetest/ + - name: Run acmetest + run: | + cd ../acmetest \ + && ./rundocker.sh testplat ${{ matrix.os }} + + + diff --git a/acme.sh-master/.github/workflows/MacOS.yml b/acme.sh-master/.github/workflows/MacOS.yml new file mode 100644 index 0000000..ffc66eb --- /dev/null +++ b/acme.sh-master/.github/workflows/MacOS.yml @@ -0,0 +1,60 @@ +name: MacOS +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/MacOS.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/MacOS.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + MacOS: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + steps: + - uses: actions/checkout@v3 + - name: Install tools + run: brew install socat + - name: Clone acmetest + run: | + cd .. \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ + && cp -r acme.sh acmetest/ + - name: Run acmetest + run: | + cd ../acmetest \ + && sudo --preserve-env ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/NetBSD.yml b/acme.sh-master/.github/workflows/NetBSD.yml new file mode 100644 index 0000000..cdda385 --- /dev/null +++ b/acme.sh-master/.github/workflows/NetBSD.yml @@ -0,0 +1,71 @@ +name: NetBSD +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/NetBSD.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/NetBSD.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + + +jobs: + NetBSD: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-12 + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + steps: + - uses: actions/checkout@v3 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/netbsd-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN' + nat: | + "8080": "80" + prepare: | + pkg_add curl socat + usesh: true + copyback: false + run: | + cd ../acmetest \ + && ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/OpenBSD.yml b/acme.sh-master/.github/workflows/OpenBSD.yml new file mode 100644 index 0000000..c33de06 --- /dev/null +++ b/acme.sh-master/.github/workflows/OpenBSD.yml @@ -0,0 +1,76 @@ +name: OpenBSD +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/OpenBSD.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/OpenBSD.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + OpenBSD: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-12 + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v3 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/openbsd-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + nat: | + "8080": "80" + prepare: pkg_add socat curl wget + usesh: true + copyback: false + run: | + cd ../acmetest \ + && ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/PebbleStrict.yml b/acme.sh-master/.github/workflows/PebbleStrict.yml new file mode 100644 index 0000000..7e2d62a --- /dev/null +++ b/acme.sh-master/.github/workflows/PebbleStrict.yml @@ -0,0 +1,72 @@ +name: PebbleStrict +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/PebbleStrict.yml' + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/PebbleStrict.yml' + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + PebbleStrict: + runs-on: ubuntu-latest + env: + TestingDomain: example.com + TestingAltDomains: www.example.com + TEST_ACME_Server: https://localhost:14000/dir + HTTPS_INSECURE: 1 + Le_HTTPPort: 5002 + TEST_LOCAL: 1 + TEST_CA: "Pebble Intermediate CA" + + steps: + - uses: actions/checkout@v3 + - name: Install tools + run: sudo apt-get install -y socat + - name: Run Pebble + run: cd .. && curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml >docker-compose.yml && docker-compose up -d + - name: Set up Pebble + run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4 + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Run acmetest + run: cd ../acmetest && ./letest.sh + + PebbleStrict_IPCert: + runs-on: ubuntu-latest + env: + TestingDomain: 1.23.45.67 + TEST_ACME_Server: https://localhost:14000/dir + HTTPS_INSECURE: 1 + Le_HTTPPort: 5002 + Le_TLSPort: 5001 + TEST_LOCAL: 1 + TEST_CA: "Pebble Intermediate CA" + TEST_IPCERT: 1 + + steps: + - uses: actions/checkout@v3 + - name: Install tools + run: sudo apt-get install -y socat + - name: Run Pebble + run: | + docker run --rm -itd --name=pebble \ + -e PEBBLE_VA_ALWAYS_VALID=1 \ + -p 14000:14000 -p 15000:15000 letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Run acmetest + run: cd ../acmetest && ./letest.sh \ No newline at end of file diff --git a/acme.sh-master/.github/workflows/Solaris.yml b/acme.sh-master/.github/workflows/Solaris.yml new file mode 100644 index 0000000..26ae3fe --- /dev/null +++ b/acme.sh-master/.github/workflows/Solaris.yml @@ -0,0 +1,74 @@ +name: Solaris +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Solaris.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Solaris.yml' + + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + Solaris: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + ACME_USE_WGET: 1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: macos-12 + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v3 + - uses: vmactions/cf-tunnel@v0 + id: tunnel + with: + protocol: http + port: 8080 + - name: Set envs + run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV + - name: Clone acmetest + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - uses: vmactions/solaris-vm@v0 + with: + envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET' + copyback: "false" + nat: | + "8080": "80" + prepare: pkgutil -y -i socat curl wget + run: | + cd ../acmetest \ + && ./letest.sh + diff --git a/acme.sh-master/.github/workflows/Ubuntu.yml b/acme.sh-master/.github/workflows/Ubuntu.yml new file mode 100644 index 0000000..7231b0e --- /dev/null +++ b/acme.sh-master/.github/workflows/Ubuntu.yml @@ -0,0 +1,103 @@ +name: Ubuntu +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Ubuntu.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Ubuntu.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + + +jobs: + Ubuntu: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + ACME_USE_WGET: 1 + - TEST_ACME_Server: "ZeroSSL.com" + CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + CA: "ZeroSSL RSA Domain Secure Site CA" + CA_EMAIL: "githubtest@acme.sh" + TEST_PREFERRED_CHAIN: "" + - TEST_ACME_Server: "https://localhost:9000/acme/acme/directory" + CA_ECDSA: "Smallstep Intermediate CA" + CA: "Smallstep Intermediate CA" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: "" + NO_REVOKE: 1 + - TEST_ACME_Server: "https://localhost:9000/acme/acme/directory" + CA_ECDSA: "Smallstep Intermediate CA" + CA: "Smallstep Intermediate CA" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: "" + NO_REVOKE: 1 + TEST_IPCERT: 1 + TestingDomain: "172.17.0.1" + + runs-on: ubuntu-latest + env: + TEST_LOCAL: 1 + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + NO_ECC_384: ${{ matrix.NO_ECC_384 }} + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + NO_REVOKE: ${{ matrix.NO_REVOKE }} + TEST_IPCERT: ${{ matrix.TEST_IPCERT }} + TestingDomain: ${{ matrix.TestingDomain }} + ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }} + steps: + - uses: actions/checkout@v3 + - name: Install tools + run: sudo apt-get install -y socat wget + - name: Start StepCA + if: ${{ matrix.TEST_ACME_Server=='https://localhost:9000/acme/acme/directory' }} + run: | + docker run --rm -d \ + -p 9000:9000 \ + -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ + -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ + -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \ + -e "DOCKER_STEPCA_INIT_PASSWORD=test" \ + --name stepca \ + smallstep/step-ca:0.23.1 + + sleep 5 + docker exec stepca bash -c "echo test >test" \ + && docker exec stepca step ca provisioner add acme --type ACME --admin-subject step --admin-password-file=/home/step/test \ + && docker exec stepca kill -1 1 \ + && docker exec stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt" + - name: Clone acmetest + run: | + cd .. \ + && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \ + && cp -r acme.sh acmetest/ + - name: Run acmetest + run: | + cd ../acmetest \ + && sudo --preserve-env ./letest.sh + + diff --git a/acme.sh-master/.github/workflows/Windows.yml b/acme.sh-master/.github/workflows/Windows.yml new file mode 100644 index 0000000..d5aa37e --- /dev/null +++ b/acme.sh-master/.github/workflows/Windows.yml @@ -0,0 +1,78 @@ +name: Windows +on: + push: + branches: + - '*' + paths: + - '*.sh' + - '.github/workflows/Windows.yml' + + pull_request: + branches: + - dev + paths: + - '*.sh' + - '.github/workflows/Windows.yml' + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + +jobs: + Windows: + strategy: + matrix: + include: + - TEST_ACME_Server: "LetsEncrypt.org_test" + CA_ECDSA: "" + CA: "" + CA_EMAIL: "" + TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1 + #- TEST_ACME_Server: "ZeroSSL.com" + # CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA" + # CA: "ZeroSSL RSA Domain Secure Site CA" + # CA_EMAIL: "githubtest@acme.sh" + # TEST_PREFERRED_CHAIN: "" + runs-on: windows-latest + env: + TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }} + CA_ECDSA: ${{ matrix.CA_ECDSA }} + CA: ${{ matrix.CA }} + CA_EMAIL: ${{ matrix.CA_EMAIL }} + TEST_LOCAL: 1 + #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port. + Le_HTTPPort: 8888 + TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }} + steps: + - name: Set git to use LF + run: | + git config --global core.autocrlf false + - uses: actions/checkout@v3 + - name: Install cygwin base packages with chocolatey + run: | + choco config get cacheLocation + choco install --no-progress cygwin + shell: cmd + - name: Install cygwin additional packages + run: | + C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd + shell: cmd + - name: Set ENV + shell: cmd + run: | + echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin;%PATH% >> %GITHUB_ENV% + - name: Check ENV + shell: cmd + run: | + echo "PATH=%PATH%" + - name: Clone acmetest + shell: cmd + run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git && cp -r acme.sh acmetest/ + - name: Run acmetest + shell: cmd + run: cd ../acmetest && bash.exe -c ./letest.sh + + + diff --git a/acme.sh-master/.github/workflows/dockerhub.yml b/acme.sh-master/.github/workflows/dockerhub.yml new file mode 100644 index 0000000..3d71fd0 --- /dev/null +++ b/acme.sh-master/.github/workflows/dockerhub.yml @@ -0,0 +1,73 @@ + +name: Build DockerHub +on: + push: + branches: + - '*' + tags: + - '*' + paths: + - '**.sh' + - "Dockerfile" + - '.github/workflows/dockerhub.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + +jobs: + CheckToken: + runs-on: ubuntu-latest + outputs: + hasToken: ${{ steps.step_one.outputs.hasToken }} + env: + DOCKER_PASSWORD : ${{ secrets.DOCKER_PASSWORD }} + steps: + - name: Set the value + id: step_one + run: | + if [ "$DOCKER_PASSWORD" ] ; then + echo "hasToken=true" >>$GITHUB_OUTPUT + else + echo "hasToken=false" >>$GITHUB_OUTPUT + fi + - name: Check the value + run: echo ${{ steps.step_one.outputs.hasToken }} + + build: + runs-on: ubuntu-latest + needs: CheckToken + if: "contains(needs.CheckToken.outputs.hasToken, 'true')" + steps: + - name: checkout code + uses: actions/checkout@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: login to docker hub + run: | + echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin + - name: build and push the image + run: | + DOCKER_IMAGE=neilpang/acme.sh + + if [[ $GITHUB_REF == refs/tags/* ]]; then + DOCKER_IMAGE_TAG=${GITHUB_REF#refs/tags/} + fi + + if [[ $GITHUB_REF == refs/heads/* ]]; then + DOCKER_IMAGE_TAG=${GITHUB_REF#refs/heads/} + + if [[ $DOCKER_IMAGE_TAG == master ]]; then + DOCKER_IMAGE_TAG=latest + AUTO_UPGRADE=1 + fi + fi + + docker buildx build \ + --tag ${DOCKER_IMAGE}:${DOCKER_IMAGE_TAG} \ + --output "type=image,push=true" \ + --build-arg AUTO_UPGRADE=${AUTO_UPGRADE} \ + --platform linux/arm64/v8,linux/amd64,linux/arm/v6,linux/arm/v7,linux/386,linux/ppc64le,linux/s390x . diff --git a/acme.sh-master/.github/workflows/issue.yml b/acme.sh-master/.github/workflows/issue.yml new file mode 100644 index 0000000..e92b041 --- /dev/null +++ b/acme.sh-master/.github/workflows/issue.yml @@ -0,0 +1,19 @@ +name: "Update issues" +on: + issues: + types: [opened] + +jobs: + comment: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + with: + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: "Please upgrade to the latest code and try again first. Maybe it's already fixed. ```acme.sh --upgrade``` If it's still not working, please provide the log with `--debug 2`, otherwise, nobody can help you." + + }) \ No newline at end of file diff --git a/acme.sh-master/.github/workflows/pr_dns.yml b/acme.sh-master/.github/workflows/pr_dns.yml new file mode 100644 index 0000000..5faa910 --- /dev/null +++ b/acme.sh-master/.github/workflows/pr_dns.yml @@ -0,0 +1,30 @@ +name: Check dns api + +on: + pull_request_target: + types: + - opened + branches: + - 'dev' + paths: + - 'dnsapi/*.sh' + + +jobs: + welcome: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: `**Welcome** + Please make sure you're read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test). + Then reply on this message, otherwise, your code will not be reviewed or merged. + We look forward to reviewing your Pull request shortly ✨ + ` + }) + diff --git a/acme.sh-master/.github/workflows/pr_notify.yml b/acme.sh-master/.github/workflows/pr_notify.yml new file mode 100644 index 0000000..4844e29 --- /dev/null +++ b/acme.sh-master/.github/workflows/pr_notify.yml @@ -0,0 +1,30 @@ +name: Check dns api + +on: + pull_request_target: + types: + - opened + branches: + - 'dev' + paths: + - 'notify/*.sh' + + +jobs: + welcome: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: `**Welcome** + Please make sure you're read our [Code-of-conduct](../wiki/Code-of-conduct) and add the usage here: [notify](../wiki/notify). + Then reply on this message, otherwise, your code will not be reviewed or merged. + We look forward to reviewing your Pull request shortly ✨ + ` + }) + diff --git a/acme.sh-master/.github/workflows/shellcheck.yml b/acme.sh-master/.github/workflows/shellcheck.yml new file mode 100644 index 0000000..a84f5ba --- /dev/null +++ b/acme.sh-master/.github/workflows/shellcheck.yml @@ -0,0 +1,38 @@ +name: Shellcheck +on: + push: + branches: + - '*' + paths: + - '**.sh' + - '.github/workflows/shellcheck.yml' + pull_request: + branches: + - dev + paths: + - '**.sh' + - '.github/workflows/shellcheck.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + +jobs: + ShellCheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Install Shellcheck + run: sudo apt-get install -y shellcheck + - name: DoShellcheck + run: shellcheck -V && shellcheck -e SC2181 -e SC2089 **/*.sh && echo "shellcheck OK" + + shfmt: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Install shfmt + run: curl -sSL https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64 -o ~/shfmt && chmod +x ~/shfmt + - name: shfmt + run: ~/shfmt -l -w -i 2 . ; git diff --exit-code && echo "shfmt OK" diff --git a/acme.sh-master/Dockerfile b/acme.sh-master/Dockerfile new file mode 100644 index 0000000..2ad50e6 --- /dev/null +++ b/acme.sh-master/Dockerfile @@ -0,0 +1,76 @@ +FROM alpine:3.17 + +RUN apk --no-cache add -f \ + openssl \ + openssh-client \ + coreutils \ + bind-tools \ + curl \ + sed \ + socat \ + tzdata \ + oath-toolkit-oathtool \ + tar \ + libidn \ + jq \ + cronie + +ENV LE_CONFIG_HOME /acme.sh + +ARG AUTO_UPGRADE=1 + +ENV AUTO_UPGRADE $AUTO_UPGRADE + +#Install +COPY ./ /install_acme.sh/ +RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/ + + +RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab - + +RUN for verb in help \ + version \ + install \ + uninstall \ + upgrade \ + issue \ + signcsr \ + deploy \ + install-cert \ + renew \ + renew-all \ + revoke \ + remove \ + list \ + info \ + showcsr \ + install-cronjob \ + uninstall-cronjob \ + cron \ + toPkcs \ + toPkcs8 \ + update-account \ + register-account \ + create-account-key \ + create-domain-key \ + createCSR \ + deactivate \ + deactivate-account \ + set-notify \ + set-default-ca \ + set-default-chain \ + ; do \ + printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \ + ; done + +RUN printf "%b" '#!'"/usr/bin/env sh\n \ +if [ \"\$1\" = \"daemon\" ]; then \n \ + exec crond -n -s -m off \n \ +else \n \ + exec -- \"\$@\"\n \ +fi\n" >/entry.sh && chmod +x /entry.sh + +VOLUME /acme.sh + +ENTRYPOINT ["/entry.sh"] +CMD ["--help"] diff --git a/acme.sh-master/LICENSE.md b/acme.sh-master/LICENSE.md new file mode 100644 index 0000000..f288702 --- /dev/null +++ b/acme.sh-master/LICENSE.md @@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/acme.sh-master/README.md b/acme.sh-master/README.md new file mode 100644 index 0000000..15bc408 --- /dev/null +++ b/acme.sh-master/README.md @@ -0,0 +1,530 @@ +# An ACME Shell script: acme.sh + +[![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml) +[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml) +[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml) +[![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml) +[![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml) +[![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml) +[![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml) +[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml) + + +![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg) +![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg) +![DockerHub](https://github.com/acmesh-official/acme.sh/workflows/Build%20DockerHub/badge.svg) + + + +[![Join the chat at https://gitter.im/acme-sh/Lobby](https://badges.gitter.im/acme-sh/Lobby.svg)](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) +[![Docker stars](https://img.shields.io/docker/stars/neilpang/acme.sh.svg)](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub") +[![Docker pulls](https://img.shields.io/docker/pulls/neilpang/acme.sh.svg)](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub") + + + +- An ACME protocol client written purely in Shell (Unix shell) language. +- Full ACME protocol implementation. +- Support ECDSA certs +- Support SAN and wildcard certs +- Simple, powerful and very easy to use. You only need 3 minutes to learn it. +- Bash, dash and sh compatible. +- Purely written in Shell with no dependencies on python. +- Just one script to issue, renew and install your certificates automatically. +- DOES NOT require `root/sudoer` access. +- Docker ready +- IPv6 ready +- Cron job notifications for renewal or error etc. + +It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates. + +Wiki: https://github.com/acmesh-official/acme.sh/wiki + +For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker) + +Twitter: [@neilpangxa](https://twitter.com/neilpangxa) + + +# [中文说明](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E) + +# Who: +- [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/) +- [ruby-china.org](https://ruby-china.org/topics/31983) +- [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management) +- [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89) +- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt) +- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty) +- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709) +- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html) +- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) +- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh) +- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) +- [CentOS Web Panel](http://centos-webpanel.com/) +- [lnmp.org](https://lnmp.org/) +- [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials) + +# Tested OS + +| NO | Status| Platform| +|----|-------|---------| +|1|[![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)|Mac OSX +|2|[![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)|Windows (cygwin with curl, openssl and crontab included) +|3|[![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)|FreeBSD +|4|[![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)|Solaris +|5|[![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)| Ubuntu +|6|NA|pfsense +|7|[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml)|OpenBSD +|8|[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)|NetBSD +|9|[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)|DragonFlyBSD +|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian +|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS +|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE +|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl) +|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux +|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora +|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux +|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux +|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia +|19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux +|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux +|11|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 +|22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) +|23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) + + +Check our [testing project](https://github.com/acmesh-official/acmetest): + +https://github.com/acmesh-official/acmetest + +# Supported CA + +- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default) +- Letsencrypt.org CA +- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA) +- [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) +- [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) +- [Pebble strict Mode](https://github.com/letsencrypt/pebble) +- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA + +# Supported modes + +- Webroot mode +- Standalone mode +- Standalone tls-alpn mode +- Apache mode +- Nginx mode +- DNS mode +- [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) +- [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) + + +# 1. How to install + +### 1. Install online + +Check this project: https://github.com/acmesh-official/get.acme.sh + +```bash +curl https://get.acme.sh | sh -s email=my@example.com +``` + +Or: + +```bash +wget -O - https://get.acme.sh | sh -s email=my@example.com +``` + + +### 2. Or, Install from git + +Clone this project and launch installation: + +```bash +git clone https://github.com/acmesh-official/acme.sh.git +cd ./acme.sh +./acme.sh --install -m my@example.com +``` + +You `don't have to be root` then, although `it is recommended`. + +Advanced Installation: https://github.com/acmesh-official/acme.sh/wiki/How-to-install + +The installer will perform 3 actions: + +1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. +All certs will be placed in this folder too. +2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. +3. Create daily cron job to check and renew the certs if needed. + +Cron entry example: + +```bash +0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null +``` + +After the installation, you must close the current terminal and reopen it to make the alias take effect. + +Ok, you are ready to issue certs now. + +Show help message: + +```sh +root@v1:~# acme.sh -h +``` + +# 2. Just issue a cert + +**Example 1:** Single domain. + +```bash +acme.sh --issue -d example.com -w /home/wwwroot/example.com +``` + +or: + +```bash +acme.sh --issue -d example.com -w /home/username/public_html +``` + +or: + +```bash +acme.sh --issue -d example.com -w /var/www/html +``` + +**Example 2:** Multiple domains in the same cert. + +```bash +acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com +``` + +The parameter `/home/wwwroot/example.com` or `/home/username/public_html` or `/var/www/html` is the web root folder where you host your website files. You **MUST** have `write access` to this folder. + +Second argument **"example.com"** is the main domain you want to issue the cert for. +You must have at least one domain there. + +You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`. + +The certs will be placed in `~/.acme.sh/example.com/` + +The certs will be renewed automatically every **60** days. + +More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert + + +# 3. Install the cert to Apache/Nginx etc. + +After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. +You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. + +**Apache** example: +```bash +acme.sh --install-cert -d example.com \ +--cert-file /path/to/certfile/in/apache/cert.pem \ +--key-file /path/to/keyfile/in/apache/key.pem \ +--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \ +--reloadcmd "service apache2 force-reload" +``` + +**Nginx** example: +```bash +acme.sh --install-cert -d example.com \ +--key-file /path/to/keyfile/in/nginx/key.pem \ +--fullchain-file /path/to/fullchain/nginx/cert.pem \ +--reloadcmd "service nginx force-reload" +``` + +Only the domain is required, all the other parameters are optional. + +The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permission. + +Install/copy the cert/key to the production Apache or Nginx path. + +The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. + + +**Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.** + +# 4. Use Standalone server to issue cert + +**(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** + +Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. + +```bash +acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com +``` + +More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert + +# 5. Use Standalone ssl server to issue cert + +**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** + +Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. + +```bash +acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com +``` + +More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert + + +# 6. Use Apache mode + +**(requires you to be root/sudoer, since it is required to interact with Apache server)** + +If you are running a web server, it is recommended to use the `Webroot mode`. + +Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder. + +Just set string "apache" as the second argument and it will force use of apache plugin automatically. + +```sh +acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com +``` + +**This apache mode is only to issue the cert, it will not change your apache config files. +You will need to configure your website config files to use the cert by yourself. +We don't want to mess with your apache server, don't worry.** + +More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert + +# 7. Use Nginx mode + +**(requires you to be root/sudoer, since it is required to interact with Nginx server)** + +If you are running a web server, it is recommended to use the `Webroot mode`. + +Particularly, if you are running an nginx server, you can use nginx mode instead. This mode doesn't write any files to your web root folder. + +Just set string "nginx" as the second argument. + +It will configure nginx server automatically to verify the domain and then restore the nginx config to the original version. + +So, the config is not changed. + +```sh +acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com +``` + +**This nginx mode is only to issue the cert, it will not change your nginx config files. +You will need to configure your website config files to use the cert by yourself. +We don't want to mess with your nginx server, don't worry.** + +More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert + +# 8. Automatic DNS API integration + +If your DNS provider supports API access, we can use that API to automatically issue the certs. + +You don't have to do anything manually! + +### Currently acme.sh supports most of the dns providers: + +https://github.com/acmesh-official/acme.sh/wiki/dnsapi + +# 9. Use DNS manual mode: + +See: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode first. + +If your dns provider doesn't support any api access, you can add the txt record by hand. + +```bash +acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com +``` + +You should get an output like below: + +```sh +Add the following txt record: +Domain:_acme-challenge.example.com +Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c + +Add the following txt record: +Domain:_acme-challenge.www.example.com +Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + +Please add those txt records to the domains. Waiting for the dns to take effect. +``` + +Then just rerun with `renew` argument: + +```bash +acme.sh --renew -d example.com +``` + +Ok, it's done. + +**Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.** + +**Please use dns api mode instead.** + +# 10. Issue ECC certificates + +Just set the `keylength` parameter with a prefix `ec-`. + +For example: + +### Single domain ECC certificate + +```bash +acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 +``` + +### SAN multi domain ECC certificate + +```bash +acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256 +``` + +Please look at the `keylength` parameter above. + +Valid values are: + +1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** +2. **ec-384 (secp384r1, "ECDSA P-384")** +3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** +4. **2048 (RSA2048)** +5. **3072 (RSA3072)** +6. **4096 (RSA4096)** + + +# 11. Issue Wildcard certificates + +It's simple, just give a wildcard domain as the `-d` parameter. + +```sh +acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf +``` + + + +# 12. How to renew the certs + +No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. + +However, you can also force to renew a cert: + +```sh +acme.sh --renew -d example.com --force +``` + +or, for ECC cert: + +```sh +acme.sh --renew -d example.com --force --ecc +``` + + +# 13. How to stop cert renewal + +To stop renewal of a cert, you can execute the following to remove the cert from the renewal list: + +```sh +acme.sh --remove -d example.com [--ecc] +``` + +The cert/key file is not removed from the disk. + +You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself. + + +# 14. How to upgrade `acme.sh` + +acme.sh is in constant development, so it's strongly recommended to use the latest code. + +You can update acme.sh to the latest code: + +```sh +acme.sh --upgrade +``` + +You can also enable auto upgrade: + +```sh +acme.sh --upgrade --auto-upgrade +``` + +Then **acme.sh** will be kept up to date automatically. + +Disable auto upgrade: + +```sh +acme.sh --upgrade --auto-upgrade 0 +``` + + +# 15. Issue a cert from an existing CSR + +https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR + + +# 16. Send notifications in cronjob + +https://github.com/acmesh-official/acme.sh/wiki/notify + + +# 17. Under the Hood + +Speak ACME language using shell, directly to "Let's Encrypt". + +TODO: + + +# 18. Acknowledgments + +1. Acme-tiny: https://github.com/diafygi/acme-tiny +2. ACME protocol: https://github.com/ietf-wg-acme/acme + + +## Contributors + +### Code Contributors + +This project exists thanks to all the people who contribute. + + +### Financial Contributors + +Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)] + +#### Individuals + + + +#### Organizations + +Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)] + + + + + + + + + + + + + +#### Sponsors + +[![quantumca-acmesh-logo](https://user-images.githubusercontent.com/8305679/183255712-634ee1db-bb61-4c03-bca0-bacce99e078c.svg)](https://www.quantumca.com.cn/?__utm_source=acmesh-donation) + + +# 19. License & Others + +License is GPLv3 + +Please Star and Fork me. + +[Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome. + + +# 20. Donate +Your donation makes **acme.sh** better: + +1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) + +[Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list) diff --git a/acme.sh-master/acme.sh b/acme.sh-master/acme.sh new file mode 100644 index 0000000..5d73cdb --- /dev/null +++ b/acme.sh-master/acme.sh @@ -0,0 +1,7991 @@ +#!/usr/bin/env sh + +VER=3.0.6 + +PROJECT_NAME="acme.sh" + +PROJECT_ENTRY="acme.sh" + +PROJECT="https://github.com/acmesh-official/$PROJECT_NAME" + +DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME" + +_WINDOWS_SCHEDULER_NAME="$PROJECT_NAME.cron" + +_SCRIPT_="$0" + +_SUB_FOLDER_NOTIFY="notify" +_SUB_FOLDER_DNSAPI="dnsapi" +_SUB_FOLDER_DEPLOY="deploy" + +_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY" + +CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory" +CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory" + +CA_BUYPASS="https://api.buypass.com/acme/directory" +CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory" + +CA_ZEROSSL="https://acme.zerossl.com/v2/DV90" +_ZERO_EAB_ENDPOINT="https://api.zerossl.com/acme/eab-credentials-email" + +CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa" +CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc" + +CA_GOOGLE="https://dv.acme-v02.api.pki.goog/directory" +CA_GOOGLE_TEST="https://dv.acme-v02.test-api.pki.goog/directory" + +DEFAULT_CA=$CA_ZEROSSL +DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST + +CA_NAMES=" +ZeroSSL.com,zerossl +LetsEncrypt.org,letsencrypt +LetsEncrypt.org_test,letsencrypt_test,letsencrypttest +BuyPass.com,buypass +BuyPass.com_test,buypass_test,buypasstest +SSL.com,sslcom +Google.com,google +Google.com_test,googletest,google_test +" + +CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST" + +DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)" + +DEFAULT_ACCOUNT_KEY_LENGTH=ec-256 +DEFAULT_DOMAIN_KEY_LENGTH=ec-256 + +DEFAULT_OPENSSL_BIN="openssl" + +VTYPE_HTTP="http-01" +VTYPE_DNS="dns-01" +VTYPE_ALPN="tls-alpn-01" + +ID_TYPE_DNS="dns" +ID_TYPE_IP="ip" + +LOCAL_ANY_ADDRESS="0.0.0.0" + +DEFAULT_RENEW=60 + +NO_VALUE="no" + +W_DNS="dns" +W_ALPN="alpn" +DNS_ALIAS_PREFIX="=" + +MODE_STATELESS="stateless" + +STATE_VERIFIED="verified_ok" + +NGINX="nginx:" +NGINX_START="#ACME_NGINX_START" +NGINX_END="#ACME_NGINX_END" + +BEGIN_CSR="-----BEGIN [NEW ]\{0,4\}CERTIFICATE REQUEST-----" +END_CSR="-----END [NEW ]\{0,4\}CERTIFICATE REQUEST-----" + +BEGIN_CERT="-----BEGIN CERTIFICATE-----" +END_CERT="-----END CERTIFICATE-----" + +CONTENT_TYPE_JSON="application/jose+json" +RENEW_SKIP=2 +CODE_DNS_MANUAL=3 + +B64CONF_START="__ACME_BASE64__START_" +B64CONF_END="__ACME_BASE64__END_" + +ECC_SEP="_" +ECC_SUFFIX="${ECC_SEP}ecc" + +LOG_LEVEL_1=1 +LOG_LEVEL_2=2 +LOG_LEVEL_3=3 +DEFAULT_LOG_LEVEL="$LOG_LEVEL_1" + +DEBUG_LEVEL_1=1 +DEBUG_LEVEL_2=2 +DEBUG_LEVEL_3=3 +DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1 +DEBUG_LEVEL_NONE=0 + +DOH_CLOUDFLARE=1 +DOH_GOOGLE=2 +DOH_ALI=3 +DOH_DP=4 + +HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)" + +SYSLOG_ERROR="user.error" +SYSLOG_INFO="user.info" +SYSLOG_DEBUG="user.debug" + +#error +SYSLOG_LEVEL_ERROR=3 +#info +SYSLOG_LEVEL_INFO=6 +#debug +SYSLOG_LEVEL_DEBUG=7 +#debug2 +SYSLOG_LEVEL_DEBUG_2=8 +#debug3 +SYSLOG_LEVEL_DEBUG_3=9 + +SYSLOG_LEVEL_DEFAULT=$SYSLOG_LEVEL_ERROR +#none +SYSLOG_LEVEL_NONE=0 + +NOTIFY_LEVEL_DISABLE=0 +NOTIFY_LEVEL_ERROR=1 +NOTIFY_LEVEL_RENEW=2 +NOTIFY_LEVEL_SKIP=3 + +NOTIFY_LEVEL_DEFAULT=$NOTIFY_LEVEL_RENEW + +NOTIFY_MODE_BULK=0 +NOTIFY_MODE_CERT=1 + +NOTIFY_MODE_DEFAULT=$NOTIFY_MODE_BULK + +_BASE64_ENCODED_CFGS="Le_PreHook Le_PostHook Le_RenewHook Le_Preferred_Chain Le_ReloadCmd" + +_DEBUG_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh" + +_PREPARE_LINK="https://github.com/acmesh-official/acme.sh/wiki/Install-preparations" + +_STATELESS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode" + +_DNS_ALIAS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode" + +_DNS_MANUAL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode" + +_DNS_API_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnsapi" + +_NOTIFY_WIKI="https://github.com/acmesh-official/acme.sh/wiki/notify" + +_SUDO_WIKI="https://github.com/acmesh-official/acme.sh/wiki/sudo" + +_REVOKE_WIKI="https://github.com/acmesh-official/acme.sh/wiki/revokecert" + +_ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA" + +_SSLCOM_WIKI="https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA" + +_SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server" + +_PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain" + +_VALIDITY_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Validity" + +_DNSCHECK_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnscheck" + +_DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead." + +_DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR" + +_DNS_MANUAL_ERROR="It seems that you are using dns manual mode. Read this link first: $_DNS_MANUAL_WIKI" + +__INTERACTIVE="" +if [ -t 1 ]; then + __INTERACTIVE="1" +fi + +__green() { + if [ "${__INTERACTIVE}${ACME_NO_COLOR:-0}" = "10" -o "${ACME_FORCE_COLOR}" = "1" ]; then + printf '\33[1;32m%b\33[0m' "$1" + return + fi + printf -- "%b" "$1" +} + +__red() { + if [ "${__INTERACTIVE}${ACME_NO_COLOR:-0}" = "10" -o "${ACME_FORCE_COLOR}" = "1" ]; then + printf '\33[1;31m%b\33[0m' "$1" + return + fi + printf -- "%b" "$1" +} + +_printargs() { + _exitstatus="$?" + if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then + printf -- "%s" "[$(date)] " + fi + if [ -z "$2" ]; then + printf -- "%s" "$1" + else + printf -- "%s" "$1='$2'" + fi + printf "\n" + # return the saved exit status + return "$_exitstatus" +} + +_dlg_versions() { + echo "Diagnosis versions: " + echo "openssl:$ACME_OPENSSL_BIN" + if _exists "${ACME_OPENSSL_BIN:-openssl}"; then + ${ACME_OPENSSL_BIN:-openssl} version 2>&1 + else + echo "$ACME_OPENSSL_BIN doesn't exist." + fi + + echo "apache:" + if [ "$_APACHECTL" ] && _exists "$_APACHECTL"; then + $_APACHECTL -V 2>&1 + else + echo "apache doesn't exist." + fi + + echo "nginx:" + if _exists "nginx"; then + nginx -V 2>&1 + else + echo "nginx doesn't exist." + fi + + echo "socat:" + if _exists "socat"; then + socat -V 2>&1 + else + _debug "socat doesn't exist." + fi +} + +#class +_syslog() { + _exitstatus="$?" + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" = "$SYSLOG_LEVEL_NONE" ]; then + return + fi + _logclass="$1" + shift + if [ -z "$__logger_i" ]; then + if _contains "$(logger --help 2>&1)" "-i"; then + __logger_i="logger -i" + else + __logger_i="logger" + fi + fi + $__logger_i -t "$PROJECT_NAME" -p "$_logclass" "$(_printargs "$@")" >/dev/null 2>&1 + return "$_exitstatus" +} + +_log() { + [ -z "$LOG_FILE" ] && return + _printargs "$@" >>"$LOG_FILE" +} + +_info() { + _log "$@" + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_INFO" ]; then + _syslog "$SYSLOG_INFO" "$@" + fi + _printargs "$@" +} + +_err() { + _syslog "$SYSLOG_ERROR" "$@" + _log "$@" + if [ -z "$NO_TIMESTAMP" ] || [ "$NO_TIMESTAMP" = "0" ]; then + printf -- "%s" "[$(date)] " >&2 + fi + if [ -z "$2" ]; then + __red "$1" >&2 + else + __red "$1='$2'" >&2 + fi + printf "\n" >&2 + return 1 +} + +_usage() { + __red "$@" >&2 + printf "\n" >&2 +} + +__debug_bash_helper() { + # At this point only do for --debug 3 + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -lt "$DEBUG_LEVEL_3" ]; then + return + fi + # Return extra debug info when running with bash, otherwise return empty + # string. + if [ -z "${BASH_VERSION}" ]; then + return + fi + # We are a bash shell at this point, return the filename, function name, and + # line number as a string + _dbh_saveIFS=$IFS + IFS=" " + # Must use eval or syntax error happens under dash. The eval should use + # single quotes as older versions of busybox had a bug with double quotes and + # eval. + # Use 'caller 1' as we want one level up the stack as we should be called + # by one of the _debug* functions + eval '_dbh_called=($(caller 1))' + IFS=$_dbh_saveIFS + eval '_dbh_file=${_dbh_called[2]}' + if [ -n "${_script_home}" ]; then + # Trim off the _script_home directory name + eval '_dbh_file=${_dbh_file#$_script_home/}' + fi + eval '_dbh_function=${_dbh_called[1]}' + eval '_dbh_lineno=${_dbh_called[0]}' + printf "%-40s " "$_dbh_file:${_dbh_function}:${_dbh_lineno}" +} + +_debug() { + if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then + _log "$@" + fi + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then + _syslog "$SYSLOG_DEBUG" "$@" + fi + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then + _bash_debug=$(__debug_bash_helper) + _printargs "${_bash_debug}$@" >&2 + fi +} + +#output the sensitive messages +_secure_debug() { + if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then + if [ "$OUTPUT_INSECURE" = "1" ]; then + _log "$@" + else + _log "$1" "$HIDDEN_VALUE" + fi + fi + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then + _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE" + fi + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then + if [ "$OUTPUT_INSECURE" = "1" ]; then + _printargs "$@" >&2 + else + _printargs "$1" "$HIDDEN_VALUE" >&2 + fi + fi +} + +_debug2() { + if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then + _log "$@" + fi + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then + _syslog "$SYSLOG_DEBUG" "$@" + fi + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then + _bash_debug=$(__debug_bash_helper) + _printargs "${_bash_debug}$@" >&2 + fi +} + +_secure_debug2() { + if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then + if [ "$OUTPUT_INSECURE" = "1" ]; then + _log "$@" + else + _log "$1" "$HIDDEN_VALUE" + fi + fi + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then + _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE" + fi + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then + if [ "$OUTPUT_INSECURE" = "1" ]; then + _printargs "$@" >&2 + else + _printargs "$1" "$HIDDEN_VALUE" >&2 + fi + fi +} + +_debug3() { + if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then + _log "$@" + fi + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then + _syslog "$SYSLOG_DEBUG" "$@" + fi + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then + _bash_debug=$(__debug_bash_helper) + _printargs "${_bash_debug}$@" >&2 + fi +} + +_secure_debug3() { + if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then + if [ "$OUTPUT_INSECURE" = "1" ]; then + _log "$@" + else + _log "$1" "$HIDDEN_VALUE" + fi + fi + if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then + _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE" + fi + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then + if [ "$OUTPUT_INSECURE" = "1" ]; then + _printargs "$@" >&2 + else + _printargs "$1" "$HIDDEN_VALUE" >&2 + fi + fi +} + +_upper_case() { + # shellcheck disable=SC2018,SC2019 + tr '[a-z]' '[A-Z]' +} + +_lower_case() { + # shellcheck disable=SC2018,SC2019 + tr '[A-Z]' '[a-z]' +} + +_startswith() { + _str="$1" + _sub="$2" + echo "$_str" | grep -- "^$_sub" >/dev/null 2>&1 +} + +_endswith() { + _str="$1" + _sub="$2" + echo "$_str" | grep -- "$_sub\$" >/dev/null 2>&1 +} + +_contains() { + _str="$1" + _sub="$2" + echo "$_str" | grep -- "$_sub" >/dev/null 2>&1 +} + +_hasfield() { + _str="$1" + _field="$2" + _sep="$3" + if [ -z "$_field" ]; then + _usage "Usage: str field [sep]" + return 1 + fi + + if [ -z "$_sep" ]; then + _sep="," + fi + + for f in $(echo "$_str" | tr "$_sep" ' '); do + if [ "$f" = "$_field" ]; then + _debug2 "'$_str' contains '$_field'" + return 0 #contains ok + fi + done + _debug2 "'$_str' does not contain '$_field'" + return 1 #not contains +} + +# str index [sep] +_getfield() { + _str="$1" + _findex="$2" + _sep="$3" + + if [ -z "$_findex" ]; then + _usage "Usage: str field [sep]" + return 1 + fi + + if [ -z "$_sep" ]; then + _sep="," + fi + + _ffi="$_findex" + while [ "$_ffi" -gt "0" ]; do + _fv="$(echo "$_str" | cut -d "$_sep" -f "$_ffi")" + if [ "$_fv" ]; then + printf -- "%s" "$_fv" + return 0 + fi + _ffi="$(_math "$_ffi" - 1)" + done + + printf -- "%s" "$_str" + +} + +_exists() { + cmd="$1" + if [ -z "$cmd" ]; then + _usage "Usage: _exists cmd" + return 1 + fi + + if eval type type >/dev/null 2>&1; then + eval type "$cmd" >/dev/null 2>&1 + elif command >/dev/null 2>&1; then + command -v "$cmd" >/dev/null 2>&1 + else + which "$cmd" >/dev/null 2>&1 + fi + ret="$?" + _debug3 "$cmd exists=$ret" + return $ret +} + +#a + b +_math() { + _m_opts="$@" + printf "%s" "$(($_m_opts))" +} + +_h_char_2_dec() { + _ch=$1 + case "${_ch}" in + a | A) + printf "10" + ;; + b | B) + printf "11" + ;; + c | C) + printf "12" + ;; + d | D) + printf "13" + ;; + e | E) + printf "14" + ;; + f | F) + printf "15" + ;; + *) + printf "%s" "$_ch" + ;; + esac + +} + +_URGLY_PRINTF="" +if [ "$(printf '\x41')" != 'A' ]; then + _URGLY_PRINTF=1 +fi + +_ESCAPE_XARGS="" +if _exists xargs && [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then + _ESCAPE_XARGS=1 +fi + +_h2b() { + if _exists xxd; then + if _contains "$(xxd --help 2>&1)" "assumes -c30"; then + if xxd -r -p -c 9999 2>/dev/null; then + return + fi + else + if xxd -r -p 2>/dev/null; then + return + fi + fi + fi + + hex=$(cat) + ic="" + jc="" + _debug2 _URGLY_PRINTF "$_URGLY_PRINTF" + if [ -z "$_URGLY_PRINTF" ]; then + if [ "$_ESCAPE_XARGS" ] && _exists xargs; then + _debug2 "xargs" + echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf + else + for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do + if [ -z "$h" ]; then + break + fi + printf "\x$h%s" + done + fi + else + for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do + if [ -z "$ic" ]; then + ic=$c + continue + fi + jc=$c + ic="$(_h_char_2_dec "$ic")" + jc="$(_h_char_2_dec "$jc")" + printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s" + ic="" + jc="" + done + fi + +} + +_is_solaris() { + _contains "${__OS__:=$(uname -a)}" "solaris" || _contains "${__OS__:=$(uname -a)}" "SunOS" +} + +#_ascii_hex str +#this can only process ascii chars, should only be used when od command is missing as a backup way. +_ascii_hex() { + _debug2 "Using _ascii_hex" + _str="$1" + _str_len=${#_str} + _h_i=1 + while [ "$_h_i" -le "$_str_len" ]; do + _str_c="$(printf "%s" "$_str" | cut -c "$_h_i")" + printf " %02x" "'$_str_c" + _h_i="$(_math "$_h_i" + 1)" + done +} + +#stdin output hexstr splited by one space +#input:"abc" +#output: " 61 62 63" +_hex_dump() { + if _exists od; then + od -A n -v -t x1 | tr -s " " | sed 's/ $//' | tr -d "\r\t\n" + elif _exists hexdump; then + _debug3 "using hexdump" + hexdump -v -e '/1 ""' -e '/1 " %02x" ""' + elif _exists xxd; then + _debug3 "using xxd" + xxd -ps -c 20 -i | sed "s/ 0x/ /g" | tr -d ",\n" | tr -s " " + else + _debug3 "using _ascii_hex" + str=$(cat) + _ascii_hex "$str" + fi +} + +#url encode, no-preserved chars +#A B C D E F G H I J K L M N O P Q R S T U V W X Y Z +#41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a + +#a b c d e f g h i j k l m n o p q r s t u v w x y z +#61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a + +#0 1 2 3 4 5 6 7 8 9 - _ . ~ +#30 31 32 33 34 35 36 37 38 39 2d 5f 2e 7e + +#stdin stdout +_url_encode() { + _hex_str=$(_hex_dump) + _debug3 "_url_encode" + _debug3 "_hex_str" "$_hex_str" + for _hex_code in $_hex_str; do + #upper case + case "${_hex_code}" in + "41") + printf "%s" "A" + ;; + "42") + printf "%s" "B" + ;; + "43") + printf "%s" "C" + ;; + "44") + printf "%s" "D" + ;; + "45") + printf "%s" "E" + ;; + "46") + printf "%s" "F" + ;; + "47") + printf "%s" "G" + ;; + "48") + printf "%s" "H" + ;; + "49") + printf "%s" "I" + ;; + "4a") + printf "%s" "J" + ;; + "4b") + printf "%s" "K" + ;; + "4c") + printf "%s" "L" + ;; + "4d") + printf "%s" "M" + ;; + "4e") + printf "%s" "N" + ;; + "4f") + printf "%s" "O" + ;; + "50") + printf "%s" "P" + ;; + "51") + printf "%s" "Q" + ;; + "52") + printf "%s" "R" + ;; + "53") + printf "%s" "S" + ;; + "54") + printf "%s" "T" + ;; + "55") + printf "%s" "U" + ;; + "56") + printf "%s" "V" + ;; + "57") + printf "%s" "W" + ;; + "58") + printf "%s" "X" + ;; + "59") + printf "%s" "Y" + ;; + "5a") + printf "%s" "Z" + ;; + + #lower case + "61") + printf "%s" "a" + ;; + "62") + printf "%s" "b" + ;; + "63") + printf "%s" "c" + ;; + "64") + printf "%s" "d" + ;; + "65") + printf "%s" "e" + ;; + "66") + printf "%s" "f" + ;; + "67") + printf "%s" "g" + ;; + "68") + printf "%s" "h" + ;; + "69") + printf "%s" "i" + ;; + "6a") + printf "%s" "j" + ;; + "6b") + printf "%s" "k" + ;; + "6c") + printf "%s" "l" + ;; + "6d") + printf "%s" "m" + ;; + "6e") + printf "%s" "n" + ;; + "6f") + printf "%s" "o" + ;; + "70") + printf "%s" "p" + ;; + "71") + printf "%s" "q" + ;; + "72") + printf "%s" "r" + ;; + "73") + printf "%s" "s" + ;; + "74") + printf "%s" "t" + ;; + "75") + printf "%s" "u" + ;; + "76") + printf "%s" "v" + ;; + "77") + printf "%s" "w" + ;; + "78") + printf "%s" "x" + ;; + "79") + printf "%s" "y" + ;; + "7a") + printf "%s" "z" + ;; + #numbers + "30") + printf "%s" "0" + ;; + "31") + printf "%s" "1" + ;; + "32") + printf "%s" "2" + ;; + "33") + printf "%s" "3" + ;; + "34") + printf "%s" "4" + ;; + "35") + printf "%s" "5" + ;; + "36") + printf "%s" "6" + ;; + "37") + printf "%s" "7" + ;; + "38") + printf "%s" "8" + ;; + "39") + printf "%s" "9" + ;; + "2d") + printf "%s" "-" + ;; + "5f") + printf "%s" "_" + ;; + "2e") + printf "%s" "." + ;; + "7e") + printf "%s" "~" + ;; + #other hex + *) + printf '%%%s' "$_hex_code" + ;; + esac + done +} + +_json_encode() { + _j_str="$(sed 's/"/\\"/g' | sed "s/\r/\\r/g")" + _debug3 "_json_encode" + _debug3 "_j_str" "$_j_str" + echo "$_j_str" | _hex_dump | _lower_case | sed 's/0a/5c 6e/g' | tr -d ' ' | _h2b | tr -d "\r\n" +} + +#from: http:\/\/ to http:// +_json_decode() { + _j_str="$(sed 's#\\/#/#g')" + _debug3 "_json_decode" + _debug3 "_j_str" "$_j_str" + echo "$_j_str" +} + +#options file +_sed_i() { + options="$1" + filename="$2" + if [ -z "$filename" ]; then + _usage "Usage:_sed_i options filename" + return 1 + fi + _debug2 options "$options" + if sed -h 2>&1 | grep "\-i\[SUFFIX]" >/dev/null 2>&1; then + _debug "Using sed -i" + sed -i "$options" "$filename" + else + _debug "No -i support in sed" + text="$(cat "$filename")" + echo "$text" | sed "$options" >"$filename" + fi +} + +_egrep_o() { + if ! egrep -o "$1" 2>/dev/null; then + sed -n 's/.*\('"$1"'\).*/\1/p' + fi +} + +#Usage: file startline endline +_getfile() { + filename="$1" + startline="$2" + endline="$3" + if [ -z "$endline" ]; then + _usage "Usage: file startline endline" + return 1 + fi + + i="$(grep -n -- "$startline" "$filename" | cut -d : -f 1)" + if [ -z "$i" ]; then + _err "Can not find start line: $startline" + return 1 + fi + i="$(_math "$i" + 1)" + _debug i "$i" + + j="$(grep -n -- "$endline" "$filename" | cut -d : -f 1)" + if [ -z "$j" ]; then + _err "Can not find end line: $endline" + return 1 + fi + j="$(_math "$j" - 1)" + _debug j "$j" + + sed -n "$i,${j}p" "$filename" + +} + +#Usage: multiline +_base64() { + [ "" ] #urgly + if [ "$1" ]; then + _debug3 "base64 multiline:'$1'" + ${ACME_OPENSSL_BIN:-openssl} base64 -e + else + _debug3 "base64 single line." + ${ACME_OPENSSL_BIN:-openssl} base64 -e | tr -d '\r\n' + fi +} + +#Usage: multiline +_dbase64() { + if [ "$1" ]; then + ${ACME_OPENSSL_BIN:-openssl} base64 -d + else + ${ACME_OPENSSL_BIN:-openssl} base64 -d -A + fi +} + +#file +_checkcert() { + _cf="$1" + if [ "$DEBUG" ]; then + ${ACME_OPENSSL_BIN:-openssl} x509 -noout -text -in "$_cf" + else + ${ACME_OPENSSL_BIN:-openssl} x509 -noout -text -in "$_cf" >/dev/null 2>&1 + fi +} + +#Usage: hashalg [outputhex] +#Output Base64-encoded digest +_digest() { + alg="$1" + if [ -z "$alg" ]; then + _usage "Usage: _digest hashalg" + return 1 + fi + + outputhex="$2" + + if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then + if [ "$outputhex" ]; then + ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' ' + else + ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -binary | _base64 + fi + else + _err "$alg is not supported yet" + return 1 + fi + +} + +#Usage: hashalg secret_hex [outputhex] +#Output binary hmac +_hmac() { + alg="$1" + secret_hex="$2" + outputhex="$3" + + if [ -z "$secret_hex" ]; then + _usage "Usage: _hmac hashalg secret [outputhex]" + return 1 + fi + + if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then + if [ "$outputhex" ]; then + (${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)") | cut -d = -f 2 | tr -d ' ' + else + ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary 2>/dev/null || ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hmac "$(printf "%s" "$secret_hex" | _h2b)" -binary + fi + else + _err "$alg is not supported yet" + return 1 + fi + +} + +#Usage: keyfile hashalg +#Output: Base64-encoded signature value +_sign() { + keyfile="$1" + alg="$2" + if [ -z "$alg" ]; then + _usage "Usage: _sign keyfile hashalg" + return 1 + fi + + _sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile " + + if _isRSA "$keyfile" >/dev/null 2>&1; then + $_sign_openssl -$alg | _base64 + elif _isEcc "$keyfile" >/dev/null 2>&1; then + if ! _signedECText="$($_sign_openssl -sha$__ECC_KEY_LEN | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then + _err "Sign failed: $_sign_openssl" + _err "Key file: $keyfile" + _err "Key content:$(wc -l <"$keyfile") lines" + return 1 + fi + _debug3 "_signedECText" "$_signedECText" + _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")" + _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")" + if [ "$__ECC_KEY_LEN" -eq "256" ]; then + while [ "${#_ec_r}" -lt "64" ]; do + _ec_r="0${_ec_r}" + done + while [ "${#_ec_s}" -lt "64" ]; do + _ec_s="0${_ec_s}" + done + fi + if [ "$__ECC_KEY_LEN" -eq "384" ]; then + while [ "${#_ec_r}" -lt "96" ]; do + _ec_r="0${_ec_r}" + done + while [ "${#_ec_s}" -lt "96" ]; do + _ec_s="0${_ec_s}" + done + fi + if [ "$__ECC_KEY_LEN" -eq "512" ]; then + while [ "${#_ec_r}" -lt "132" ]; do + _ec_r="0${_ec_r}" + done + while [ "${#_ec_s}" -lt "132" ]; do + _ec_s="0${_ec_s}" + done + fi + _debug3 "_ec_r" "$_ec_r" + _debug3 "_ec_s" "$_ec_s" + printf "%s" "$_ec_r$_ec_s" | _h2b | _base64 + else + _err "Unknown key file format." + return 1 + fi + +} + +#keylength or isEcc flag (empty str => not ecc) +_isEccKey() { + _length="$1" + + if [ -z "$_length" ]; then + return 1 + fi + + [ "$_length" != "1024" ] && + [ "$_length" != "2048" ] && + [ "$_length" != "3072" ] && + [ "$_length" != "4096" ] && + [ "$_length" != "8192" ] +} + +# _createkey 2048|ec-256 file +_createkey() { + length="$1" + f="$2" + _debug2 "_createkey for file:$f" + eccname="$length" + if _startswith "$length" "ec-"; then + length=$(printf "%s" "$length" | cut -d '-' -f 2-100) + + if [ "$length" = "256" ]; then + eccname="prime256v1" + fi + if [ "$length" = "384" ]; then + eccname="secp384r1" + fi + if [ "$length" = "521" ]; then + eccname="secp521r1" + fi + + fi + + if [ -z "$length" ]; then + length=2048 + fi + + _debug "Use length $length" + + if ! [ -e "$f" ]; then + if ! touch "$f" >/dev/null 2>&1; then + _f_path="$(dirname "$f")" + _debug _f_path "$_f_path" + if ! mkdir -p "$_f_path"; then + _err "Can not create path: $_f_path" + return 1 + fi + fi + if ! touch "$f" >/dev/null 2>&1; then + return 1 + fi + chmod 600 "$f" + fi + + if _isEccKey "$length"; then + _debug "Using ec name: $eccname" + if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -noout -genkey 2>/dev/null)"; then + echo "$_opkey" >"$f" + else + _err "error ecc key name: $eccname" + return 1 + fi + else + _debug "Using RSA: $length" + __traditional="" + if _contains "$(${ACME_OPENSSL_BIN:-openssl} help genrsa 2>&1)" "-traditional"; then + __traditional="-traditional" + fi + if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa $__traditional "$length" 2>/dev/null)"; then + echo "$_opkey" >"$f" + else + _err "error rsa key: $length" + return 1 + fi + fi + + if [ "$?" != "0" ]; then + _err "Create key error." + return 1 + fi +} + +#domain +_is_idn() { + _is_idn_d="$1" + _debug2 _is_idn_d "$_is_idn_d" + _idn_temp=$(printf "%s" "$_is_idn_d" | tr -d '[0-9]' | tr -d '[a-z]' | tr -d '[A-Z]' | tr -d '*.,-_') + _debug2 _idn_temp "$_idn_temp" + [ "$_idn_temp" ] +} + +#aa.com +#aa.com,bb.com,cc.com +_idn() { + __idn_d="$1" + if ! _is_idn "$__idn_d"; then + printf "%s" "$__idn_d" + return 0 + fi + + if _exists idn; then + if _contains "$__idn_d" ','; then + _i_first="1" + for f in $(echo "$__idn_d" | tr ',' ' '); do + [ -z "$f" ] && continue + if [ -z "$_i_first" ]; then + printf "%s" "," + else + _i_first="" + fi + idn --quiet "$f" | tr -d "\r\n" + done + else + idn "$__idn_d" | tr -d "\r\n" + fi + else + _err "Please install idn to process IDN names." + fi +} + +#_createcsr cn san_list keyfile csrfile conf acmeValidationv1 +_createcsr() { + _debug _createcsr + domain="$1" + domainlist="$2" + csrkey="$3" + csr="$4" + csrconf="$5" + acmeValidationv1="$6" + _debug2 domain "$domain" + _debug2 domainlist "$domainlist" + _debug2 csrkey "$csrkey" + _debug2 csr "$csr" + _debug2 csrconf "$csrconf" + + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\nextendedKeyUsage=serverAuth,clientAuth\n" >"$csrconf" + + if [ "$acmeValidationv1" ]; then + domainlist="$(_idn "$domainlist")" + _debug2 domainlist "$domainlist" + alt="" + for dl in $(echo "$domainlist" | tr "," ' '); do + if [ "$alt" ]; then + alt="$alt,$(_getIdType "$dl" | _upper_case):$dl" + else + alt="$(_getIdType "$dl" | _upper_case):$dl" + fi + done + printf -- "\nsubjectAltName=$alt" >>"$csrconf" + elif [ -z "$domainlist" ] || [ "$domainlist" = "$NO_VALUE" ]; then + #single domain + _info "Single domain" "$domain" + printf -- "\nsubjectAltName=$(_getIdType "$domain" | _upper_case):$(_idn "$domain")" >>"$csrconf" + else + domainlist="$(_idn "$domainlist")" + _debug2 domainlist "$domainlist" + alt="$(_getIdType "$domain" | _upper_case):$(_idn "$domain")" + for dl in $(echo "'$domainlist'" | sed "s/,/' '/g"); do + dl=$(echo "$dl" | tr -d "'") + alt="$alt,$(_getIdType "$dl" | _upper_case):$dl" + done + #multi + _info "Multi domain" "$alt" + printf -- "\nsubjectAltName=$alt" >>"$csrconf" + fi + if [ "$Le_OCSP_Staple" = "1" ]; then + _savedomainconf Le_OCSP_Staple "$Le_OCSP_Staple" + printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >>"$csrconf" + fi + + if [ "$acmeValidationv1" ]; then + printf "\n1.3.6.1.5.5.7.1.31=critical,DER:04:20:${acmeValidationv1}" >>"${csrconf}" + fi + + _csr_cn="$(_idn "$domain")" + _debug2 _csr_cn "$_csr_cn" + if _contains "$(uname -a)" "MINGW"; then + if _isIP "$_csr_cn"; then + ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//O=$PROJECT_NAME" -config "$csrconf" -out "$csr" + else + ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "//CN=$_csr_cn" -config "$csrconf" -out "$csr" + fi + else + if _isIP "$_csr_cn"; then + ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/O=$PROJECT_NAME" -config "$csrconf" -out "$csr" + else + ${ACME_OPENSSL_BIN:-openssl} req -new -sha256 -key "$csrkey" -subj "/CN=$_csr_cn" -config "$csrconf" -out "$csr" + fi + fi +} + +#_signcsr key csr conf cert +_signcsr() { + key="$1" + csr="$2" + conf="$3" + cert="$4" + _debug "_signcsr" + + _msg="$(${ACME_OPENSSL_BIN:-openssl} x509 -req -days 365 -in "$csr" -signkey "$key" -extensions v3_req -extfile "$conf" -out "$cert" 2>&1)" + _ret="$?" + _debug "$_msg" + return $_ret +} + +#_csrfile +_readSubjectFromCSR() { + _csrfile="$1" + if [ -z "$_csrfile" ]; then + _usage "_readSubjectFromCSR mycsr.csr" + return 1 + fi + ${ACME_OPENSSL_BIN:-openssl} req -noout -in "$_csrfile" -subject | tr ',' "\n" | _egrep_o "CN *=.*" | cut -d = -f 2 | cut -d / -f 1 | tr -d ' \n' +} + +#_csrfile +#echo comma separated domain list +_readSubjectAltNamesFromCSR() { + _csrfile="$1" + if [ -z "$_csrfile" ]; then + _usage "_readSubjectAltNamesFromCSR mycsr.csr" + return 1 + fi + + _csrsubj="$(_readSubjectFromCSR "$_csrfile")" + _debug _csrsubj "$_csrsubj" + + _dnsAltnames="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')" + _debug _dnsAltnames "$_dnsAltnames" + + if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then + _debug "AltNames contains subject" + _excapedAlgnames="$(echo "$_dnsAltnames" | tr '*' '#')" + _debug _excapedAlgnames "$_excapedAlgnames" + _escapedSubject="$(echo "$_csrsubj" | tr '*' '#')" + _debug _escapedSubject "$_escapedSubject" + _dnsAltnames="$(echo "$_excapedAlgnames," | sed "s/DNS:$_escapedSubject,//g" | tr '#' '*' | sed "s/,\$//g")" + _debug _dnsAltnames "$_dnsAltnames" + else + _debug "AltNames doesn't contain subject" + fi + + echo "$_dnsAltnames" | sed "s/DNS://g" +} + +#_csrfile +_readKeyLengthFromCSR() { + _csrfile="$1" + if [ -z "$_csrfile" ]; then + _usage "_readKeyLengthFromCSR mycsr.csr" + return 1 + fi + + _outcsr="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile")" + _debug2 _outcsr "$_outcsr" + if _contains "$_outcsr" "Public Key Algorithm: id-ecPublicKey"; then + _debug "ECC CSR" + echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *ASN1 OID:.*" | cut -d ':' -f 2 | tr -d ' ' + else + _debug "RSA CSR" + _rkl="$(echo "$_outcsr" | tr "\t" " " | _egrep_o "^ *Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1)" + if [ "$_rkl" ]; then + echo "$_rkl" + else + echo "$_outcsr" | tr "\t" " " | _egrep_o "RSA Public.Key:.*" | cut -d '(' -f 2 | cut -d ' ' -f 1 + fi + fi +} + +_ss() { + _port="$1" + + if _exists "ss"; then + _debug "Using: ss" + ss -ntpl 2>/dev/null | grep ":$_port " + return 0 + fi + + if _exists "netstat"; then + _debug "Using: netstat" + if netstat -help 2>&1 | grep "\-p proto" >/dev/null; then + #for windows version netstat tool + netstat -an -p tcp | grep "LISTENING" | grep ":$_port " + else + if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then + netstat -an -p tcp | grep LISTEN | grep ":$_port " + elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then + #for solaris + netstat -an -P tcp | grep "\.$_port " | grep "LISTEN" + elif netstat -help 2>&1 | grep "\-p" >/dev/null; then + #for full linux + netstat -ntpl | grep ":$_port " + else + #for busybox (embedded linux; no pid support) + netstat -ntl 2>/dev/null | grep ":$_port " + fi + fi + return 0 + fi + + return 1 +} + +#outfile key cert cacert [password [name [caname]]] +_toPkcs() { + _cpfx="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + pfxPassword="$5" + pfxName="$6" + pfxCaname="$7" + + if [ "$pfxCaname" ]; then + ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" -caname "$pfxCaname" + elif [ "$pfxName" ]; then + ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" + elif [ "$pfxPassword" ]; then + ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" + else + ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" + fi + +} + +#domain [password] [isEcc] +toPkcs() { + domain="$1" + pfxPassword="$2" + if [ -z "$domain" ]; then + _usage "Usage: $PROJECT_ENTRY --to-pkcs12 --domain [--password ] [--ecc]" + return 1 + fi + + _isEcc="$3" + + _initpath "$domain" "$_isEcc" + + _toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$pfxPassword" + + if [ "$?" = "0" ]; then + _info "Success, Pfx is exported to: $CERT_PFX_PATH" + fi + +} + +#domain [isEcc] +toPkcs8() { + domain="$1" + + if [ -z "$domain" ]; then + _usage "Usage: $PROJECT_ENTRY --to-pkcs8 --domain [--ecc]" + return 1 + fi + + _isEcc="$2" + + _initpath "$domain" "$_isEcc" + + ${ACME_OPENSSL_BIN:-openssl} pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$CERT_KEY_PATH" -out "$CERT_PKCS8_PATH" + + if [ "$?" = "0" ]; then + _info "Success, $CERT_PKCS8_PATH" + fi + +} + +#[2048] +createAccountKey() { + _info "Creating account key" + if [ -z "$1" ]; then + _usage "Usage: $PROJECT_ENTRY --create-account-key [--accountkeylength ]" + return + fi + + length=$1 + _create_account_key "$length" + +} + +_create_account_key() { + + length=$1 + + if [ -z "$length" ] || [ "$length" = "$NO_VALUE" ]; then + _debug "Use default length $DEFAULT_ACCOUNT_KEY_LENGTH" + length="$DEFAULT_ACCOUNT_KEY_LENGTH" + fi + + _debug length "$length" + _initpath + + mkdir -p "$CA_DIR" + if [ -s "$ACCOUNT_KEY_PATH" ]; then + _info "Account key exists, skip" + return 0 + else + #generate account key + if _createkey "$length" "$ACCOUNT_KEY_PATH"; then + _info "Create account key ok." + return 0 + else + _err "Create account key error." + return 1 + fi + fi + +} + +#domain [length] +createDomainKey() { + _info "Creating domain key" + if [ -z "$1" ]; then + _usage "Usage: $PROJECT_ENTRY --create-domain-key --domain [--keylength ]" + return + fi + + domain=$1 + _cdl=$2 + + if [ -z "$_cdl" ]; then + _debug "Use DEFAULT_DOMAIN_KEY_LENGTH=$DEFAULT_DOMAIN_KEY_LENGTH" + _cdl="$DEFAULT_DOMAIN_KEY_LENGTH" + fi + + _initpath "$domain" "$_cdl" + + if [ ! -f "$CERT_KEY_PATH" ] || [ ! -s "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$_ACME_IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then + if _createkey "$_cdl" "$CERT_KEY_PATH"; then + _savedomainconf Le_Keylength "$_cdl" + _info "The domain key is here: $(__green $CERT_KEY_PATH)" + return 0 + else + _err "Can not create domain key" + return 1 + fi + else + if [ "$_ACME_IS_RENEW" ]; then + _info "Domain key exists, skip" + return 0 + else + _err "Domain key exists, do you want to overwrite the key?" + _err "Add '--force', and try again." + return 1 + fi + fi + +} + +# domain domainlist isEcc +createCSR() { + _info "Creating csr" + if [ -z "$1" ]; then + _usage "Usage: $PROJECT_ENTRY --create-csr --domain [--domain ...]" + return + fi + + domain="$1" + domainlist="$2" + _isEcc="$3" + + _initpath "$domain" "$_isEcc" + + if [ -f "$CSR_PATH" ] && [ "$_ACME_IS_RENEW" ] && [ -z "$FORCE" ]; then + _info "CSR exists, skip" + return + fi + + if [ ! -f "$CERT_KEY_PATH" ]; then + _err "The key file is not found: $CERT_KEY_PATH" + _err "Please create the key file first." + return 1 + fi + _createcsr "$domain" "$domainlist" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF" + +} + +_url_replace() { + tr '/+' '_-' | tr -d '= ' +} + +#base64 string +_durl_replace_base64() { + _l=$((${#1} % 4)) + if [ $_l -eq 2 ]; then + _s="$1"'==' + elif [ $_l -eq 3 ]; then + _s="$1"'=' + else + _s="$1" + fi + echo "$_s" | tr '_-' '/+' +} + +_time2str() { + #BSD + if date -u -r "$1" -j "+%Y-%m-%dT%H:%M:%SZ" 2>/dev/null; then + return + fi + + #Linux + if date -u --date=@"$1" "+%Y-%m-%dT%H:%M:%SZ" 2>/dev/null; then + return + fi + + #Solaris + if printf "%(%Y-%m-%dT%H:%M:%SZ)T\n" $1 2>/dev/null; then + return + fi + + #Busybox + if echo "$1" | awk '{ print strftime("%Y-%m-%dT%H:%M:%SZ", $0); }' 2>/dev/null; then + return + fi +} + +_normalizeJson() { + sed "s/\" *: *\([\"{\[]\)/\":\1/g" | sed "s/^ *\([^ ]\)/\1/" | tr -d "\r\n" +} + +_stat() { + #Linux + if stat -c '%U:%G' "$1" 2>/dev/null; then + return + fi + + #BSD + if stat -f '%Su:%Sg' "$1" 2>/dev/null; then + return + fi + + return 1 #error, 'stat' not found +} + +#keyfile +_isRSA() { + keyfile=$1 + if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text 2>&1 | grep "^publicExponent:" 2>&1 >/dev/null; then + return 0 + fi + return 1 +} + +#keyfile +_isEcc() { + keyfile=$1 + if grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || ${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" 2>&1 >/dev/null; then + return 0 + fi + return 1 +} + +#keyfile +_calcjwk() { + keyfile="$1" + if [ -z "$keyfile" ]; then + _usage "Usage: _calcjwk keyfile" + return 1 + fi + + if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ]; then + _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE" + return 0 + fi + + if _isRSA "$keyfile"; then + _debug "RSA key" + pub_exp=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -noout -text | grep "^publicExponent:" | cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) + if [ "${#pub_exp}" = "5" ]; then + pub_exp=0$pub_exp + fi + _debug3 pub_exp "$pub_exp" + + e=$(echo "$pub_exp" | _h2b | _base64) + _debug3 e "$e" + + modulus=$(${ACME_OPENSSL_BIN:-openssl} rsa -in "$keyfile" -modulus -noout | cut -d '=' -f 2) + _debug3 modulus "$modulus" + n="$(printf "%s" "$modulus" | _h2b | _base64 | _url_replace)" + _debug3 n "$n" + + jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' + _debug3 jwk "$jwk" + + JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}' + JWK_HEADERPLACE_PART1='{"nonce": "' + JWK_HEADERPLACE_PART2='", "alg": "RS256"' + elif _isEcc "$keyfile"; then + _debug "EC key" + crv="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^NIST CURVE:" | cut -d ":" -f 2 | tr -d " \r\n")" + _debug3 crv "$crv" + __ECC_KEY_LEN=$(echo "$crv" | cut -d "-" -f 2) + if [ "$__ECC_KEY_LEN" = "521" ]; then + __ECC_KEY_LEN=512 + fi + _debug3 __ECC_KEY_LEN "$__ECC_KEY_LEN" + if [ -z "$crv" ]; then + _debug "Let's try ASN1 OID" + crv_oid="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep "^ASN1 OID:" | cut -d ":" -f 2 | tr -d " \r\n")" + _debug3 crv_oid "$crv_oid" + case "${crv_oid}" in + "prime256v1") + crv="P-256" + __ECC_KEY_LEN=256 + ;; + "secp384r1") + crv="P-384" + __ECC_KEY_LEN=384 + ;; + "secp521r1") + crv="P-521" + __ECC_KEY_LEN=512 + ;; + *) + _err "ECC oid : $crv_oid" + return 1 + ;; + esac + _debug3 crv "$crv" + fi + + pubi="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n pub: | cut -d : -f 1)" + pubi=$(_math "$pubi" + 1) + _debug3 pubi "$pubi" + + pubj="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | grep -n "ASN1 OID:" | cut -d : -f 1)" + pubj=$(_math "$pubj" - 1) + _debug3 pubj "$pubj" + + pubtext="$(${ACME_OPENSSL_BIN:-openssl} ec -in "$keyfile" -noout -text 2>/dev/null | sed -n "$pubi,${pubj}p" | tr -d " \n\r")" + _debug3 pubtext "$pubtext" + + xlen="$(printf "%s" "$pubtext" | tr -d ':' | wc -c)" + xlen=$(_math "$xlen" / 4) + _debug3 xlen "$xlen" + + xend=$(_math "$xlen" + 1) + x="$(printf "%s" "$pubtext" | cut -d : -f 2-"$xend")" + _debug3 x "$x" + + x64="$(printf "%s" "$x" | tr -d : | _h2b | _base64 | _url_replace)" + _debug3 x64 "$x64" + + xend=$(_math "$xend" + 1) + y="$(printf "%s" "$pubtext" | cut -d : -f "$xend"-2048)" + _debug3 y "$y" + + y64="$(printf "%s" "$y" | tr -d : | _h2b | _base64 | _url_replace)" + _debug3 y64 "$y64" + + jwk='{"crv": "'$crv'", "kty": "EC", "x": "'$x64'", "y": "'$y64'"}' + _debug3 jwk "$jwk" + + JWK_HEADER='{"alg": "ES'$__ECC_KEY_LEN'", "jwk": '$jwk'}' + JWK_HEADERPLACE_PART1='{"nonce": "' + JWK_HEADERPLACE_PART2='", "alg": "ES'$__ECC_KEY_LEN'"' + else + _err "Only RSA or EC key is supported. keyfile=$keyfile" + _debug2 "$(cat "$keyfile")" + return 1 + fi + + _debug3 JWK_HEADER "$JWK_HEADER" + __CACHED_JWK_KEY_FILE="$keyfile" +} + +_time() { + date -u "+%s" +} + +#support 2 formats: +# 2022-04-01 08:10:33 to 1648800633 +#or 2022-04-01T08:10:33Z to 1648800633 +_date2time() { + #Linux + if date -u -d "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then + return + fi + + #Solaris + if gdate -u -d "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then + return + fi + #Mac/BSD + if date -u -j -f "%Y-%m-%d %H:%M:%S" "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then + return + fi + _err "Can not parse _date2time $1" + return 1 +} + +_utc_date() { + date -u "+%Y-%m-%d %H:%M:%S" +} + +_mktemp() { + if _exists mktemp; then + if mktemp 2>/dev/null; then + return 0 + elif _contains "$(mktemp 2>&1)" "-t prefix" && mktemp -t "$PROJECT_NAME" 2>/dev/null; then + #for Mac osx + return 0 + fi + fi + if [ -d "/tmp" ]; then + echo "/tmp/${PROJECT_NAME}wefADf24sf.$(_time).tmp" + return 0 + elif [ "$LE_TEMP_DIR" ] && mkdir -p "$LE_TEMP_DIR"; then + echo "/$LE_TEMP_DIR/wefADf24sf.$(_time).tmp" + return 0 + fi + _err "Can not create temp file." +} + +#clear all the https envs to cause _inithttp() to run next time. +_resethttp() { + __HTTP_INITIALIZED="" + _ACME_CURL="" + _ACME_WGET="" + ACME_HTTP_NO_REDIRECTS="" +} + +_inithttp() { + + if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then + HTTP_HEADER="$(_mktemp)" + _debug2 HTTP_HEADER "$HTTP_HEADER" + fi + + if [ "$__HTTP_INITIALIZED" ]; then + if [ "$_ACME_CURL$_ACME_WGET" ]; then + _debug2 "Http already initialized." + return 0 + fi + fi + + if [ -z "$_ACME_CURL" ] && _exists "curl"; then + _ACME_CURL="curl --silent --dump-header $HTTP_HEADER " + if [ -z "$ACME_HTTP_NO_REDIRECTS" ]; then + _ACME_CURL="$_ACME_CURL -L " + fi + if [ "$DEBUG" ] && [ "$DEBUG" -ge 2 ]; then + _CURL_DUMP="$(_mktemp)" + _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP " + fi + + if [ "$CA_PATH" ]; then + _ACME_CURL="$_ACME_CURL --capath $CA_PATH " + elif [ "$CA_BUNDLE" ]; then + _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " + fi + + if _contains "$(curl --help 2>&1)" "--globoff" || _contains "$(curl --help curl 2>&1)" "--globoff"; then + _ACME_CURL="$_ACME_CURL -g " + fi + + #don't use --fail-with-body + ##from curl 7.76: return fail on HTTP errors but keep the body + #if _contains "$(curl --help http 2>&1)" "--fail-with-body"; then + # _ACME_CURL="$_ACME_CURL --fail-with-body " + #fi + fi + + if [ -z "$_ACME_WGET" ] && _exists "wget"; then + _ACME_WGET="wget -q" + if [ "$ACME_HTTP_NO_REDIRECTS" ]; then + _ACME_WGET="$_ACME_WGET --max-redirect 0 " + fi + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then + if [ "$_ACME_WGET" ] && _contains "$($_ACME_WGET --help 2>&1)" "--debug"; then + _ACME_WGET="$_ACME_WGET -d " + fi + fi + if [ "$CA_PATH" ]; then + _ACME_WGET="$_ACME_WGET --ca-directory=$CA_PATH " + elif [ "$CA_BUNDLE" ]; then + _ACME_WGET="$_ACME_WGET --ca-certificate=$CA_BUNDLE " + fi + + #from wget 1.14: do not skip body on 404 error + if _contains "$(wget --help 2>&1)" "--content-on-error"; then + _ACME_WGET="$_ACME_WGET --content-on-error " + fi + fi + + __HTTP_INITIALIZED=1 + +} + +# body url [needbase64] [POST|PUT|DELETE] [ContentType] +_post() { + body="$1" + _post_url="$2" + needbase64="$3" + httpmethod="$4" + _postContentType="$5" + + if [ -z "$httpmethod" ]; then + httpmethod="POST" + fi + _debug $httpmethod + _debug "_post_url" "$_post_url" + _debug2 "body" "$body" + _debug2 "_postContentType" "$_postContentType" + + _inithttp + + if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then + _CURL="$_ACME_CURL" + if [ "$HTTPS_INSECURE" ]; then + _CURL="$_CURL --insecure " + fi + if [ "$httpmethod" = "HEAD" ]; then + _CURL="$_CURL -I " + fi + _debug "_CURL" "$_CURL" + if [ "$needbase64" ]; then + if [ "$body" ]; then + if [ "$_postContentType" ]; then + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)" + else + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)" + fi + else + if [ "$_postContentType" ]; then + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)" + else + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url" | _base64)" + fi + fi + else + if [ "$body" ]; then + if [ "$_postContentType" ]; then + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")" + else + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url")" + fi + else + if [ "$_postContentType" ]; then + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "Content-Type: $_postContentType" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")" + else + response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$_post_url")" + fi + fi + fi + _ret="$?" + if [ "$_ret" != "0" ]; then + _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret" + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then + _err "Here is the curl dump log:" + _err "$(cat "$_CURL_DUMP")" + fi + fi + elif [ "$_ACME_WGET" ]; then + _WGET="$_ACME_WGET" + if [ "$HTTPS_INSECURE" ]; then + _WGET="$_WGET --no-check-certificate " + fi + if [ "$httpmethod" = "HEAD" ]; then + _WGET="$_WGET --read-timeout=3.0 --tries=2 " + fi + _debug "_WGET" "$_WGET" + if [ "$needbase64" ]; then + if [ "$httpmethod" = "POST" ]; then + if [ "$_postContentType" ]; then + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)" + else + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)" + fi + else + if [ "$_postContentType" ]; then + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)" + else + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)" + fi + fi + else + if [ "$httpmethod" = "POST" ]; then + if [ "$_postContentType" ]; then + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")" + else + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")" + fi + elif [ "$httpmethod" = "HEAD" ]; then + if [ "$_postContentType" ]; then + response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")" + else + response="$($_WGET --spider -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")" + fi + else + if [ "$_postContentType" ]; then + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")" + else + response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")" + fi + fi + fi + _ret="$?" + if [ "$_ret" = "8" ]; then + _ret=0 + _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later." + fi + if [ "$_ret" != "0" ]; then + _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret" + fi + if _contains "$_WGET" " -d "; then + # Demultiplex wget debug output + cat "$HTTP_HEADER" >&2 + _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" + fi + # remove leading whitespaces from header to match curl format + _sed_i 's/^ //g' "$HTTP_HEADER" + else + _ret="$?" + _err "Neither curl nor wget is found, can not do $httpmethod." + fi + _debug "_ret" "$_ret" + printf "%s" "$response" + return $_ret +} + +# url getheader timeout +_get() { + _debug GET + url="$1" + onlyheader="$2" + t="$3" + _debug url "$url" + _debug "timeout=$t" + + _inithttp + + if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then + _CURL="$_ACME_CURL" + if [ "$HTTPS_INSECURE" ]; then + _CURL="$_CURL --insecure " + fi + if [ "$t" ]; then + _CURL="$_CURL --connect-timeout $t" + fi + _debug "_CURL" "$_CURL" + if [ "$onlyheader" ]; then + $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" + else + $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" + fi + ret=$? + if [ "$ret" != "0" ]; then + _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret" + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then + _err "Here is the curl dump log:" + _err "$(cat "$_CURL_DUMP")" + fi + fi + elif [ "$_ACME_WGET" ]; then + _WGET="$_ACME_WGET" + if [ "$HTTPS_INSECURE" ]; then + _WGET="$_WGET --no-check-certificate " + fi + if [ "$t" ]; then + _WGET="$_WGET --timeout=$t" + fi + _debug "_WGET" "$_WGET" + if [ "$onlyheader" ]; then + _wget_out="$($_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O /dev/null "$url" 2>&1)" + if _contains "$_WGET" " -d "; then + # Demultiplex wget debug output + echo "$_wget_out" >&2 + echo "$_wget_out" | sed '/^[^ ][^ ]/d; /^ *$/d; s/^ //g' - + fi + else + $_WGET --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" -S -O - "$url" 2>"$HTTP_HEADER" + if _contains "$_WGET" " -d "; then + # Demultiplex wget debug output + cat "$HTTP_HEADER" >&2 + _sed_i '/^[^ ][^ ]/d; /^ *$/d' "$HTTP_HEADER" + fi + # remove leading whitespaces from header to match curl format + _sed_i 's/^ //g' "$HTTP_HEADER" + fi + ret=$? + if [ "$ret" = "8" ]; then + ret=0 + _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later." + fi + if [ "$ret" != "0" ]; then + _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret" + fi + else + ret=$? + _err "Neither curl nor wget is found, can not do GET." + fi + _debug "ret" "$ret" + return $ret +} + +_head_n() { + head -n "$1" +} + +_tail_n() { + if ! tail -n "$1" 2>/dev/null; then + #fix for solaris + tail -"$1" + fi +} + +# url payload needbase64 keyfile +_send_signed_request() { + url=$1 + payload=$2 + needbase64=$3 + keyfile=$4 + if [ -z "$keyfile" ]; then + keyfile="$ACCOUNT_KEY_PATH" + fi + _debug url "$url" + _debug payload "$payload" + + if ! _calcjwk "$keyfile"; then + return 1 + fi + + __request_conent_type="$CONTENT_TYPE_JSON" + + payload64=$(printf "%s" "$payload" | _base64 | _url_replace) + _debug3 payload64 "$payload64" + + MAX_REQUEST_RETRY_TIMES=20 + _sleep_retry_sec=1 + _request_retry_times=0 + while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do + _request_retry_times=$(_math "$_request_retry_times" + 1) + _debug3 _request_retry_times "$_request_retry_times" + if [ -z "$_CACHED_NONCE" ]; then + _headers="" + if [ "$ACME_NEW_NONCE" ]; then + _debug2 "Get nonce with HEAD. ACME_NEW_NONCE" "$ACME_NEW_NONCE" + nonceurl="$ACME_NEW_NONCE" + if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then + _headers="$(cat "$HTTP_HEADER")" + _debug2 _headers "$_headers" + _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)" + fi + fi + if [ -z "$_CACHED_NONCE" ]; then + _debug2 "Get nonce with GET. ACME_DIRECTORY" "$ACME_DIRECTORY" + nonceurl="$ACME_DIRECTORY" + _headers="$(_get "$nonceurl" "onlyheader")" + _debug2 _headers "$_headers" + _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" + fi + if [ -z "$_CACHED_NONCE" ] && [ "$ACME_NEW_NONCE" ]; then + _debug2 "Get nonce with GET. ACME_NEW_NONCE" "$ACME_NEW_NONCE" + nonceurl="$ACME_NEW_NONCE" + _headers="$(_get "$nonceurl" "onlyheader")" + _debug2 _headers "$_headers" + _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" + fi + _debug2 _CACHED_NONCE "$_CACHED_NONCE" + if [ "$?" != "0" ]; then + _err "Can not connect to $nonceurl to get nonce." + return 1 + fi + else + _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE" + fi + nonce="$_CACHED_NONCE" + _debug2 nonce "$nonce" + if [ -z "$nonce" ]; then + _info "Could not get nonce, let's try again." + _sleep 2 + continue + fi + + if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then + protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}' + elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then + protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}' + else + protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}' + fi + + _debug3 protected "$protected" + + protected64="$(printf "%s" "$protected" | _base64 | _url_replace)" + _debug3 protected64 "$protected64" + + if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then + _err "Sign request failed." + return 1 + fi + _debug3 _sig_t "$_sig_t" + + sig="$(printf "%s" "$_sig_t" | _url_replace)" + _debug3 sig "$sig" + + body="{\"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" + _debug3 body "$body" + + response="$(_post "$body" "$url" "$needbase64" "POST" "$__request_conent_type")" + _CACHED_NONCE="" + + if [ "$?" != "0" ]; then + _err "Can not post to $url" + return 1 + fi + + responseHeaders="$(cat "$HTTP_HEADER")" + _debug2 responseHeaders "$responseHeaders" + + code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")" + _debug code "$code" + + _debug2 original "$response" + if echo "$responseHeaders" | grep -i "Content-Type: *application/json" >/dev/null 2>&1; then + response="$(echo "$response" | _json_decode | _normalizeJson)" + fi + _debug2 response "$response" + + _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)" + + if ! _startswith "$code" "2"; then + _body="$response" + if [ "$needbase64" ]; then + _body="$(echo "$_body" | _dbase64 multiline)" + _debug3 _body "$_body" + fi + + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + if [ "$code" = '503' ] || [ "$_retryafter" ]; then + _sleep_overload_retry_sec=$_retryafter + if [ -z "$_sleep_overload_retry_sec" ]; then + _sleep_overload_retry_sec=5 + fi + _info "It seems the CA server is currently overloaded, let's wait and retry. Sleeping $_sleep_overload_retry_sec seconds." + _sleep $_sleep_overload_retry_sec + continue + fi + if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then + _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds." + _CACHED_NONCE="" + _sleep $_sleep_retry_sec + continue + fi + if _contains "$_body" "The Replay Nonce is not recognized"; then + _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds." + _CACHED_NONCE="" + _sleep $_sleep_retry_sec + continue + fi + fi + return 0 + done + _info "Giving up sending to CA server after $MAX_REQUEST_RETRY_TIMES retries." + return 1 + +} + +#setopt "file" "opt" "=" "value" [";"] +_setopt() { + __conf="$1" + __opt="$2" + __sep="$3" + __val="$4" + __end="$5" + if [ -z "$__opt" ]; then + _usage usage: _setopt '"file" "opt" "=" "value" [";"]' + return + fi + if [ ! -f "$__conf" ]; then + touch "$__conf" + fi + if [ -n "$(tail -c 1 <"$__conf")" ]; then + echo >>"$__conf" + fi + + if grep -n "^$__opt$__sep" "$__conf" >/dev/null; then + _debug3 OK + if _contains "$__val" "&"; then + __val="$(echo "$__val" | sed 's/&/\\&/g')" + fi + if _contains "$__val" "|"; then + __val="$(echo "$__val" | sed 's/|/\\|/g')" + fi + text="$(cat "$__conf")" + printf -- "%s\n" "$text" | sed "s|^$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf" + + elif grep -n "^#$__opt$__sep" "$__conf" >/dev/null; then + if _contains "$__val" "&"; then + __val="$(echo "$__val" | sed 's/&/\\&/g')" + fi + if _contains "$__val" "|"; then + __val="$(echo "$__val" | sed 's/|/\\|/g')" + fi + text="$(cat "$__conf")" + printf -- "%s\n" "$text" | sed "s|^#$__opt$__sep.*$|$__opt$__sep$__val$__end|" >"$__conf" + + else + _debug3 APP + echo "$__opt$__sep$__val$__end" >>"$__conf" + fi + _debug3 "$(grep -n "^$__opt$__sep" "$__conf")" +} + +#_save_conf file key value base64encode +#save to conf +_save_conf() { + _s_c_f="$1" + _sdkey="$2" + _sdvalue="$3" + _b64encode="$4" + if [ "$_sdvalue" ] && [ "$_b64encode" ]; then + _sdvalue="${B64CONF_START}$(printf "%s" "${_sdvalue}" | _base64)${B64CONF_END}" + fi + if [ "$_s_c_f" ]; then + _setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'" + else + _err "config file is empty, can not save $_sdkey=$_sdvalue" + fi +} + +#_clear_conf file key +_clear_conf() { + _c_c_f="$1" + _sdkey="$2" + if [ "$_c_c_f" ]; then + _conf_data="$(cat "$_c_c_f")" + echo "$_conf_data" | sed "s/^$_sdkey *=.*$//" >"$_c_c_f" + else + _err "config file is empty, can not clear" + fi +} + +#_read_conf file key +_read_conf() { + _r_c_f="$1" + _sdkey="$2" + if [ -f "$_r_c_f" ]; then + _sdv="$( + eval "$(grep "^$_sdkey *=" "$_r_c_f")" + eval "printf \"%s\" \"\$$_sdkey\"" + )" + if _startswith "$_sdv" "${B64CONF_START}" && _endswith "$_sdv" "${B64CONF_END}"; then + _sdv="$(echo "$_sdv" | sed "s/${B64CONF_START}//" | sed "s/${B64CONF_END}//" | _dbase64)" + fi + printf "%s" "$_sdv" + else + _debug "config file is empty, can not read $_sdkey" + fi +} + +#_savedomainconf key value base64encode +#save to domain.conf +_savedomainconf() { + _save_conf "$DOMAIN_CONF" "$@" +} + +#_cleardomainconf key +_cleardomainconf() { + _clear_conf "$DOMAIN_CONF" "$1" +} + +#_readdomainconf key +_readdomainconf() { + _read_conf "$DOMAIN_CONF" "$1" +} + +#_migratedomainconf oldkey newkey base64encode +_migratedomainconf() { + _old_key="$1" + _new_key="$2" + _b64encode="$3" + _value=$(_readdomainconf "$_old_key") + if [ -z "$_value" ]; then + return 1 # oldkey is not found + fi + _savedomainconf "$_new_key" "$_value" "$_b64encode" + _cleardomainconf "$_old_key" + _debug "Domain config $_old_key has been migrated to $_new_key" +} + +#_migratedeployconf oldkey newkey base64encode +_migratedeployconf() { + _migratedomainconf "$1" "SAVED_$2" "$3" || + _migratedomainconf "SAVED_$1" "SAVED_$2" "$3" # try only when oldkey itself is not found +} + +#key value base64encode +_savedeployconf() { + _savedomainconf "SAVED_$1" "$2" "$3" + #remove later + _cleardomainconf "$1" +} + +#key +_getdeployconf() { + _rac_key="$1" + _rac_value="$(eval echo \$"$_rac_key")" + if [ "$_rac_value" ]; then + if _startswith "$_rac_value" '"' && _endswith "$_rac_value" '"'; then + _debug2 "trim quotation marks" + eval $_rac_key=$_rac_value + export $_rac_key + fi + return 0 # do nothing + fi + _saved="$(_readdomainconf "SAVED_$_rac_key")" + eval $_rac_key="$_saved" + export $_rac_key +} + +#_saveaccountconf key value base64encode +_saveaccountconf() { + _save_conf "$ACCOUNT_CONF_PATH" "$@" +} + +#key value base64encode +_saveaccountconf_mutable() { + _save_conf "$ACCOUNT_CONF_PATH" "SAVED_$1" "$2" "$3" + #remove later + _clearaccountconf "$1" +} + +#key +_readaccountconf() { + _read_conf "$ACCOUNT_CONF_PATH" "$1" +} + +#key +_readaccountconf_mutable() { + _rac_key="$1" + _readaccountconf "SAVED_$_rac_key" +} + +#_clearaccountconf key +_clearaccountconf() { + _clear_conf "$ACCOUNT_CONF_PATH" "$1" +} + +#key +_clearaccountconf_mutable() { + _clearaccountconf "SAVED_$1" + #remove later + _clearaccountconf "$1" +} + +#_savecaconf key value +_savecaconf() { + _save_conf "$CA_CONF" "$1" "$2" +} + +#_readcaconf key +_readcaconf() { + _read_conf "$CA_CONF" "$1" +} + +#_clearaccountconf key +_clearcaconf() { + _clear_conf "$CA_CONF" "$1" +} + +# content localaddress +_startserver() { + content="$1" + ncaddr="$2" + _debug "content" "$content" + _debug "ncaddr" "$ncaddr" + + _debug "startserver: $$" + + _debug Le_HTTPPort "$Le_HTTPPort" + _debug Le_Listen_V4 "$Le_Listen_V4" + _debug Le_Listen_V6 "$Le_Listen_V6" + + _NC="socat" + if [ "$Le_Listen_V4" ]; then + _NC="$_NC -4" + elif [ "$Le_Listen_V6" ]; then + _NC="$_NC -6" + fi + + if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then + _NC="$_NC -d -d -v" + fi + + SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork + + #Adding bind to local-address + if [ "$ncaddr" ]; then + SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}" + fi + + _content_len="$(printf "%s" "$content" | wc -c)" + _debug _content_len "$_content_len" + _debug "_NC" "$_NC $SOCAT_OPTIONS" + $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \ +echo 'HTTP/1.0 200 OK'; \ +echo 'Content-Length\: $_content_len'; \ +echo ''; \ +printf '%s' '$content';" & + serverproc="$!" +} + +_stopserver() { + pid="$1" + _debug "pid" "$pid" + if [ -z "$pid" ]; then + return + fi + + kill $pid + +} + +# sleep sec +_sleep() { + _sleep_sec="$1" + if [ "$__INTERACTIVE" ]; then + _sleep_c="$_sleep_sec" + while [ "$_sleep_c" -ge "0" ]; do + printf "\r \r" + __green "$_sleep_c" + _sleep_c="$(_math "$_sleep_c" - 1)" + sleep 1 + done + printf "\r" + else + sleep "$_sleep_sec" + fi +} + +# _starttlsserver san_a san_b port content _ncaddr acmeValidationv1 +_starttlsserver() { + _info "Starting tls server." + san_a="$1" + san_b="$2" + port="$3" + content="$4" + opaddr="$5" + acmeValidationv1="$6" + + _debug san_a "$san_a" + _debug san_b "$san_b" + _debug port "$port" + _debug acmeValidationv1 "$acmeValidationv1" + + #create key TLS_KEY + if ! _createkey "2048" "$TLS_KEY"; then + _err "Create tls validation key error." + return 1 + fi + + #create csr + alt="$san_a" + if [ "$san_b" ]; then + alt="$alt,$san_b" + fi + if ! _createcsr "tls.acme.sh" "$alt" "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$acmeValidationv1"; then + _err "Create tls validation csr error." + return 1 + fi + + #self signed + if ! _signcsr "$TLS_KEY" "$TLS_CSR" "$TLS_CONF" "$TLS_CERT"; then + _err "Create tls validation cert error." + return 1 + fi + + __S_OPENSSL="${ACME_OPENSSL_BIN:-openssl} s_server -www -cert $TLS_CERT -key $TLS_KEY " + if [ "$opaddr" ]; then + __S_OPENSSL="$__S_OPENSSL -accept $opaddr:$port" + else + __S_OPENSSL="$__S_OPENSSL -accept $port" + fi + + _debug Le_Listen_V4 "$Le_Listen_V4" + _debug Le_Listen_V6 "$Le_Listen_V6" + if [ "$Le_Listen_V4" ]; then + __S_OPENSSL="$__S_OPENSSL -4" + elif [ "$Le_Listen_V6" ]; then + __S_OPENSSL="$__S_OPENSSL -6" + fi + + if [ "$acmeValidationv1" ]; then + __S_OPENSSL="$__S_OPENSSL -alpn acme-tls/1" + fi + + _debug "$__S_OPENSSL" + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then + $__S_OPENSSL -tlsextdebug & + else + $__S_OPENSSL >/dev/null 2>&1 & + fi + + serverproc="$!" + sleep 1 + _debug serverproc "$serverproc" +} + +#file +_readlink() { + _rf="$1" + if ! readlink -f "$_rf" 2>/dev/null; then + if _startswith "$_rf" "/"; then + echo "$_rf" + return 0 + fi + echo "$(pwd)/$_rf" | _conapath + fi +} + +_conapath() { + sed "s#/\./#/#g" +} + +__initHome() { + if [ -z "$_SCRIPT_HOME" ]; then + if _exists readlink && _exists dirname; then + _debug "Lets find script dir." + _debug "_SCRIPT_" "$_SCRIPT_" + _script="$(_readlink "$_SCRIPT_")" + _debug "_script" "$_script" + _script_home="$(dirname "$_script")" + _debug "_script_home" "$_script_home" + if [ -d "$_script_home" ]; then + export _SCRIPT_HOME="$_script_home" + else + _err "It seems the script home is not correct:$_script_home" + fi + fi + fi + + # if [ -z "$LE_WORKING_DIR" ]; then + # if [ -f "$DEFAULT_INSTALL_HOME/account.conf" ]; then + # _debug "It seems that $PROJECT_NAME is already installed in $DEFAULT_INSTALL_HOME" + # LE_WORKING_DIR="$DEFAULT_INSTALL_HOME" + # else + # LE_WORKING_DIR="$_SCRIPT_HOME" + # fi + # fi + + if [ -z "$LE_WORKING_DIR" ]; then + _debug "Using default home:$DEFAULT_INSTALL_HOME" + LE_WORKING_DIR="$DEFAULT_INSTALL_HOME" + fi + export LE_WORKING_DIR + + if [ -z "$LE_CONFIG_HOME" ]; then + LE_CONFIG_HOME="$LE_WORKING_DIR" + fi + _debug "Using config home:$LE_CONFIG_HOME" + export LE_CONFIG_HOME + + _DEFAULT_ACCOUNT_CONF_PATH="$LE_CONFIG_HOME/account.conf" + + if [ -z "$ACCOUNT_CONF_PATH" ]; then + if [ -f "$_DEFAULT_ACCOUNT_CONF_PATH" ]; then + . "$_DEFAULT_ACCOUNT_CONF_PATH" + fi + fi + + if [ -z "$ACCOUNT_CONF_PATH" ]; then + ACCOUNT_CONF_PATH="$_DEFAULT_ACCOUNT_CONF_PATH" + fi + _debug3 ACCOUNT_CONF_PATH "$ACCOUNT_CONF_PATH" + DEFAULT_LOG_FILE="$LE_CONFIG_HOME/$PROJECT_NAME.log" + + DEFAULT_CA_HOME="$LE_CONFIG_HOME/ca" + + if [ -z "$LE_TEMP_DIR" ]; then + LE_TEMP_DIR="$LE_CONFIG_HOME/tmp" + fi +} + +_clearAPI() { + ACME_NEW_ACCOUNT="" + ACME_KEY_CHANGE="" + ACME_NEW_AUTHZ="" + ACME_NEW_ORDER="" + ACME_REVOKE_CERT="" + ACME_NEW_NONCE="" + ACME_AGREEMENT="" +} + +#server +_initAPI() { + _api_server="${1:-$ACME_DIRECTORY}" + _debug "_init api for server: $_api_server" + + MAX_API_RETRY_TIMES=10 + _sleep_retry_sec=10 + _request_retry_times=0 + while [ -z "$ACME_NEW_ACCOUNT" ] && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do + _request_retry_times=$(_math "$_request_retry_times" + 1) + response=$(_get "$_api_server") + if [ "$?" != "0" ]; then + _debug2 "response" "$response" + _info "Can not init api for: $_api_server." + _info "Sleep $_sleep_retry_sec and retry." + _sleep "$_sleep_retry_sec" + continue + fi + response=$(echo "$response" | _json_decode) + _debug2 "response" "$response" + + ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_KEY_CHANGE + + ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_AUTHZ + + ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_ORDER + + ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_ACCOUNT + + ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_REVOKE_CERT + + ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_NEW_NONCE + + ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3) + export ACME_AGREEMENT + + _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE" + _debug "ACME_NEW_AUTHZ" "$ACME_NEW_AUTHZ" + _debug "ACME_NEW_ORDER" "$ACME_NEW_ORDER" + _debug "ACME_NEW_ACCOUNT" "$ACME_NEW_ACCOUNT" + _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT" + _debug "ACME_AGREEMENT" "$ACME_AGREEMENT" + _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE" + if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then + return 0 + fi + _info "Sleep $_sleep_retry_sec and retry." + _sleep "$_sleep_retry_sec" + done + if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then + return 0 + fi + _err "Can not init api, for $_api_server" + return 1 +} + +_clearCA() { + export CA_CONF= + export ACCOUNT_KEY_PATH= + export ACCOUNT_JSON_PATH= +} + +#[domain] [keylength or isEcc flag] +_initpath() { + domain="$1" + _ilength="$2" + + __initHome + + if [ -f "$ACCOUNT_CONF_PATH" ]; then + . "$ACCOUNT_CONF_PATH" + fi + + if [ "$_ACME_IN_CRON" ]; then + if [ ! "$_USER_PATH_EXPORTED" ]; then + _USER_PATH_EXPORTED=1 + export PATH="$USER_PATH:$PATH" + fi + fi + + if [ -z "$CA_HOME" ]; then + CA_HOME="$DEFAULT_CA_HOME" + fi + + if [ -z "$ACME_DIRECTORY" ]; then + if [ "$STAGE" ]; then + ACME_DIRECTORY="$DEFAULT_STAGING_CA" + _info "Using ACME_DIRECTORY: $ACME_DIRECTORY" + else + default_acme_server=$(_readaccountconf "DEFAULT_ACME_SERVER") + _debug default_acme_server "$default_acme_server" + if [ "$default_acme_server" ]; then + ACME_DIRECTORY="$default_acme_server" + else + ACME_DIRECTORY="$DEFAULT_CA" + fi + fi + fi + + _debug ACME_DIRECTORY "$ACME_DIRECTORY" + _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)" + _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST" + + _ACME_SERVER_PATH="$(echo "$ACME_DIRECTORY" | cut -d : -f 2- | tr -s / | cut -d / -f 3-)" + _debug2 "_ACME_SERVER_PATH" "$_ACME_SERVER_PATH" + + CA_DIR="$CA_HOME/$_ACME_SERVER_HOST/$_ACME_SERVER_PATH" + _DEFAULT_CA_CONF="$CA_DIR/ca.conf" + if [ -z "$CA_CONF" ]; then + CA_CONF="$_DEFAULT_CA_CONF" + fi + _debug3 CA_CONF "$CA_CONF" + + _OLD_CADIR="$CA_HOME/$_ACME_SERVER_HOST" + _OLD_ACCOUNT_KEY="$_OLD_CADIR/account.key" + _OLD_ACCOUNT_JSON="$_OLD_CADIR/account.json" + _OLD_CA_CONF="$_OLD_CADIR/ca.conf" + + _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key" + _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json" + if [ -z "$ACCOUNT_KEY_PATH" ]; then + ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH" + if [ -f "$_OLD_ACCOUNT_KEY" ] && ! [ -f "$ACCOUNT_KEY_PATH" ]; then + mkdir -p "$CA_DIR" + mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH" + fi + fi + + if [ -z "$ACCOUNT_JSON_PATH" ]; then + ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH" + if [ -f "$_OLD_ACCOUNT_JSON" ] && ! [ -f "$ACCOUNT_JSON_PATH" ]; then + mkdir -p "$CA_DIR" + mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH" + fi + fi + + if [ -f "$_OLD_CA_CONF" ] && ! [ -f "$CA_CONF" ]; then + mkdir -p "$CA_DIR" + mv "$_OLD_CA_CONF" "$CA_CONF" + fi + + if [ -f "$CA_CONF" ]; then + . "$CA_CONF" + fi + + if [ -z "$ACME_DIR" ]; then + ACME_DIR="/home/.acme" + fi + + if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then + APACHE_CONF_BACKUP_DIR="$LE_CONFIG_HOME" + fi + + if [ -z "$USER_AGENT" ]; then + USER_AGENT="$DEFAULT_USER_AGENT" + fi + + if [ -z "$HTTP_HEADER" ]; then + HTTP_HEADER="$LE_CONFIG_HOME/http.header" + fi + + _DEFAULT_CERT_HOME="$LE_CONFIG_HOME" + if [ -z "$CERT_HOME" ]; then + CERT_HOME="$_DEFAULT_CERT_HOME" + fi + + if [ -z "$ACME_OPENSSL_BIN" ] || [ ! -f "$ACME_OPENSSL_BIN" ] || [ ! -x "$ACME_OPENSSL_BIN" ]; then + ACME_OPENSSL_BIN="$DEFAULT_OPENSSL_BIN" + fi + + if [ -z "$domain" ]; then + return 0 + fi + + if [ -z "$DOMAIN_PATH" ]; then + domainhome="$CERT_HOME/$domain" + domainhomeecc="$CERT_HOME/$domain$ECC_SUFFIX" + + DOMAIN_PATH="$domainhome" + + if _isEccKey "$_ilength"; then + DOMAIN_PATH="$domainhomeecc" + elif [ -z "$__SELECTED_RSA_KEY" ]; then + if [ ! -d "$domainhome" ] && [ -d "$domainhomeecc" ]; then + _info "The domain '$domain' seems to have a ECC cert already, lets use ecc cert." + DOMAIN_PATH="$domainhomeecc" + fi + fi + _debug DOMAIN_PATH "$DOMAIN_PATH" + fi + + if [ -z "$DOMAIN_BACKUP_PATH" ]; then + DOMAIN_BACKUP_PATH="$DOMAIN_PATH/backup" + fi + + if [ -z "$DOMAIN_CONF" ]; then + DOMAIN_CONF="$DOMAIN_PATH/$domain.conf" + fi + + if [ -z "$DOMAIN_SSL_CONF" ]; then + DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf" + fi + + if [ -z "$CSR_PATH" ]; then + CSR_PATH="$DOMAIN_PATH/$domain.csr" + fi + if [ -z "$CERT_KEY_PATH" ]; then + CERT_KEY_PATH="$DOMAIN_PATH/$domain.key" + fi + if [ -z "$CERT_PATH" ]; then + CERT_PATH="$DOMAIN_PATH/$domain.cer" + fi + if [ -z "$CA_CERT_PATH" ]; then + CA_CERT_PATH="$DOMAIN_PATH/ca.cer" + fi + if [ -z "$CERT_FULLCHAIN_PATH" ]; then + CERT_FULLCHAIN_PATH="$DOMAIN_PATH/fullchain.cer" + fi + if [ -z "$CERT_PFX_PATH" ]; then + CERT_PFX_PATH="$DOMAIN_PATH/$domain.pfx" + fi + if [ -z "$CERT_PKCS8_PATH" ]; then + CERT_PKCS8_PATH="$DOMAIN_PATH/$domain.pkcs8" + fi + + if [ -z "$TLS_CONF" ]; then + TLS_CONF="$DOMAIN_PATH/tls.validation.conf" + fi + if [ -z "$TLS_CERT" ]; then + TLS_CERT="$DOMAIN_PATH/tls.validation.cert" + fi + if [ -z "$TLS_KEY" ]; then + TLS_KEY="$DOMAIN_PATH/tls.validation.key" + fi + if [ -z "$TLS_CSR" ]; then + TLS_CSR="$DOMAIN_PATH/tls.validation.csr" + fi + +} + +_exec() { + if [ -z "$_EXEC_TEMP_ERR" ]; then + _EXEC_TEMP_ERR="$(_mktemp)" + fi + + if [ "$_EXEC_TEMP_ERR" ]; then + eval "$@ 2>>$_EXEC_TEMP_ERR" + else + eval "$@" + fi +} + +_exec_err() { + [ "$_EXEC_TEMP_ERR" ] && _err "$(cat "$_EXEC_TEMP_ERR")" && echo "" >"$_EXEC_TEMP_ERR" +} + +_apachePath() { + _APACHECTL="apachectl" + if ! _exists apachectl; then + if _exists apache2ctl; then + _APACHECTL="apache2ctl" + else + _err "'apachectl not found. It seems that apache is not installed, or you are not root user.'" + _err "Please use webroot mode to try again." + return 1 + fi + fi + + if ! _exec $_APACHECTL -V >/dev/null; then + _exec_err + return 1 + fi + + if [ "$APACHE_HTTPD_CONF" ]; then + _saveaccountconf APACHE_HTTPD_CONF "$APACHE_HTTPD_CONF" + httpdconf="$APACHE_HTTPD_CONF" + httpdconfname="$(basename "$httpdconfname")" + else + httpdconfname="$($_APACHECTL -V | grep SERVER_CONFIG_FILE= | cut -d = -f 2 | tr -d '"')" + _debug httpdconfname "$httpdconfname" + + if [ -z "$httpdconfname" ]; then + _err "Can not read apache config file." + return 1 + fi + + if _startswith "$httpdconfname" '/'; then + httpdconf="$httpdconfname" + httpdconfname="$(basename "$httpdconfname")" + else + httpdroot="$($_APACHECTL -V | grep HTTPD_ROOT= | cut -d = -f 2 | tr -d '"')" + _debug httpdroot "$httpdroot" + httpdconf="$httpdroot/$httpdconfname" + httpdconfname="$(basename "$httpdconfname")" + fi + fi + _debug httpdconf "$httpdconf" + _debug httpdconfname "$httpdconfname" + if [ ! -f "$httpdconf" ]; then + _err "Apache Config file not found" "$httpdconf" + return 1 + fi + return 0 +} + +_restoreApache() { + if [ -z "$usingApache" ]; then + return 0 + fi + _initpath + if ! _apachePath; then + return 1 + fi + + if [ ! -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" ]; then + _debug "No config file to restore." + return 0 + fi + + cat "$APACHE_CONF_BACKUP_DIR/$httpdconfname" >"$httpdconf" + _debug "Restored: $httpdconf." + if ! _exec $_APACHECTL -t; then + _exec_err + _err "Sorry, restore apache config error, please contact me." + return 1 + fi + _debug "Restored successfully." + rm -f "$APACHE_CONF_BACKUP_DIR/$httpdconfname" + return 0 +} + +_setApache() { + _initpath + if ! _apachePath; then + return 1 + fi + + #test the conf first + _info "Checking if there is an error in the apache config file before starting." + + if ! _exec "$_APACHECTL" -t >/dev/null; then + _exec_err + _err "The apache config file has error, please fix it first, then try again." + _err "Don't worry, there is nothing changed to your system." + return 1 + else + _info "OK" + fi + + #backup the conf + _debug "Backup apache config file" "$httpdconf" + if ! cp "$httpdconf" "$APACHE_CONF_BACKUP_DIR/"; then + _err "Can not backup apache config file, so abort. Don't worry, the apache config is not changed." + _err "This might be a bug of $PROJECT_NAME , please report issue: $PROJECT" + return 1 + fi + _info "JFYI, Config file $httpdconf is backuped to $APACHE_CONF_BACKUP_DIR/$httpdconfname" + _info "In case there is an error that can not be restored automatically, you may try restore it yourself." + _info "The backup file will be deleted on success, just forget it." + + #add alias + + apacheVer="$($_APACHECTL -V | grep "Server version:" | cut -d : -f 2 | cut -d " " -f 2 | cut -d '/' -f 2)" + _debug "apacheVer" "$apacheVer" + apacheMajor="$(echo "$apacheVer" | cut -d . -f 1)" + apacheMinor="$(echo "$apacheVer" | cut -d . -f 2)" + + if [ "$apacheVer" ] && [ "$apacheMajor$apacheMinor" -ge "24" ]; then + echo " +Alias /.well-known/acme-challenge $ACME_DIR + + +Require all granted + + " >>"$httpdconf" + else + echo " +Alias /.well-known/acme-challenge $ACME_DIR + + +Order allow,deny +Allow from all + + " >>"$httpdconf" + fi + + _msg="$($_APACHECTL -t 2>&1)" + if [ "$?" != "0" ]; then + _err "Sorry, apache config error" + if _restoreApache; then + _err "The apache config file is restored." + else + _err "Sorry, the apache config file can not be restored, please report bug." + fi + return 1 + fi + + if [ ! -d "$ACME_DIR" ]; then + mkdir -p "$ACME_DIR" + chmod 755 "$ACME_DIR" + fi + + if ! _exec "$_APACHECTL" graceful; then + _exec_err + _err "$_APACHECTL graceful error, please contact me." + _restoreApache + return 1 + fi + usingApache="1" + return 0 +} + +#find the real nginx conf file +#backup +#set the nginx conf +#returns the real nginx conf file +_setNginx() { + _d="$1" + _croot="$2" + _thumbpt="$3" + + FOUND_REAL_NGINX_CONF="" + FOUND_REAL_NGINX_CONF_LN="" + BACKUP_NGINX_CONF="" + _debug _croot "$_croot" + _start_f="$(echo "$_croot" | cut -d : -f 2)" + _debug _start_f "$_start_f" + if [ -z "$_start_f" ]; then + _debug "find start conf from nginx command" + if [ -z "$NGINX_CONF" ]; then + if ! _exists "nginx"; then + _err "nginx command is not found." + return 1 + fi + NGINX_CONF="$(nginx -V 2>&1 | _egrep_o "--conf-path=[^ ]* " | tr -d " ")" + _debug NGINX_CONF "$NGINX_CONF" + NGINX_CONF="$(echo "$NGINX_CONF" | cut -d = -f 2)" + _debug NGINX_CONF "$NGINX_CONF" + if [ -z "$NGINX_CONF" ]; then + _err "Can not find nginx conf." + NGINX_CONF="" + return 1 + fi + if [ ! -f "$NGINX_CONF" ]; then + _err "'$NGINX_CONF' doesn't exist." + NGINX_CONF="" + return 1 + fi + _debug "Found nginx conf file:$NGINX_CONF" + fi + _start_f="$NGINX_CONF" + fi + _debug "Start detect nginx conf for $_d from:$_start_f" + if ! _checkConf "$_d" "$_start_f"; then + _err "Can not find conf file for domain $d" + return 1 + fi + _info "Found conf file: $FOUND_REAL_NGINX_CONF" + + _ln=$FOUND_REAL_NGINX_CONF_LN + _debug "_ln" "$_ln" + + _lnn=$(_math $_ln + 1) + _debug _lnn "$_lnn" + _start_tag="$(sed -n "$_lnn,${_lnn}p" "$FOUND_REAL_NGINX_CONF")" + _debug "_start_tag" "$_start_tag" + if [ "$_start_tag" = "$NGINX_START" ]; then + _info "The domain $_d is already configured, skip" + FOUND_REAL_NGINX_CONF="" + return 0 + fi + + mkdir -p "$DOMAIN_BACKUP_PATH" + _backup_conf="$DOMAIN_BACKUP_PATH/$_d.nginx.conf" + _debug _backup_conf "$_backup_conf" + BACKUP_NGINX_CONF="$_backup_conf" + _info "Backup $FOUND_REAL_NGINX_CONF to $_backup_conf" + if ! cp "$FOUND_REAL_NGINX_CONF" "$_backup_conf"; then + _err "backup error." + FOUND_REAL_NGINX_CONF="" + return 1 + fi + + if ! _exists "nginx"; then + _err "nginx command is not found." + return 1 + fi + _info "Check the nginx conf before setting up." + if ! _exec "nginx -t" >/dev/null; then + _exec_err + return 1 + fi + + _info "OK, Set up nginx config file" + + if ! sed -n "1,${_ln}p" "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"; then + cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" + _err "write nginx conf error, but don't worry, the file is restored to the original version." + return 1 + fi + + echo "$NGINX_START +location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" { + default_type text/plain; + return 200 \"\$1.$_thumbpt\"; +} +#NGINX_START +" >>"$FOUND_REAL_NGINX_CONF" + + if ! sed -n "${_lnn},99999p" "$_backup_conf" >>"$FOUND_REAL_NGINX_CONF"; then + cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" + _err "write nginx conf error, but don't worry, the file is restored." + return 1 + fi + _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)" + _info "nginx conf is done, let's check it again." + if ! _exec "nginx -t" >/dev/null; then + _exec_err + _err "It seems that nginx conf was broken, let's restore." + cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" + return 1 + fi + + _info "Reload nginx" + if ! _exec "nginx -s reload" >/dev/null; then + _exec_err + _err "It seems that nginx reload error, let's restore." + cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF" + return 1 + fi + + return 0 +} + +#d , conf +_checkConf() { + _d="$1" + _c_file="$2" + _debug "Start _checkConf from:$_c_file" + if [ ! -f "$2" ] && ! echo "$2" | grep '*$' >/dev/null && echo "$2" | grep '*' >/dev/null; then + _debug "wildcard" + for _w_f in $2; do + if [ -f "$_w_f" ] && _checkConf "$1" "$_w_f"; then + return 0 + fi + done + #not found + return 1 + elif [ -f "$2" ]; then + _debug "single" + if _isRealNginxConf "$1" "$2"; then + _debug "$2 is found." + FOUND_REAL_NGINX_CONF="$2" + return 0 + fi + if cat "$2" | tr "\t" " " | grep "^ *include *.*;" >/dev/null; then + _debug "Try include files" + for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do + _debug "check included $included" + if ! _startswith "$included" "/" && _exists dirname; then + _relpath="$(dirname "$2")" + _debug "_relpath" "$_relpath" + included="$_relpath/$included" + fi + if _checkConf "$1" "$included"; then + return 0 + fi + done + fi + return 1 + else + _debug "$2 not found." + return 1 + fi + return 1 +} + +#d , conf +_isRealNginxConf() { + _debug "_isRealNginxConf $1 $2" + if [ -f "$2" ]; then + for _fln in $(tr "\t" ' ' <"$2" | grep -n "^ *server_name.* $1" | cut -d : -f 1); do + _debug _fln "$_fln" + if [ "$_fln" ]; then + _start=$(tr "\t" ' ' <"$2" | _head_n "$_fln" | grep -n "^ *server *" | grep -v server_name | _tail_n 1) + _debug "_start" "$_start" + _start_n=$(echo "$_start" | cut -d : -f 1) + _start_nn=$(_math $_start_n + 1) + _debug "_start_n" "$_start_n" + _debug "_start_nn" "$_start_nn" + + _left="$(sed -n "${_start_nn},99999p" "$2")" + _debug2 _left "$_left" + _end="$(echo "$_left" | tr "\t" ' ' | grep -n "^ *server *" | grep -v server_name | _head_n 1)" + _debug "_end" "$_end" + if [ "$_end" ]; then + _end_n=$(echo "$_end" | cut -d : -f 1) + _debug "_end_n" "$_end_n" + _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p") + else + _seg_n="$_left" + fi + + _debug "_seg_n" "$_seg_n" + + _skip_ssl=1 + for _listen_i in $(echo "$_seg_n" | tr "\t" ' ' | grep "^ *listen" | tr -d " "); do + if [ "$_listen_i" ]; then + if [ "$(echo "$_listen_i" | _egrep_o "listen.*ssl")" ]; then + _debug2 "$_listen_i is ssl" + else + _debug2 "$_listen_i is plain text" + _skip_ssl="" + break + fi + fi + done + + if [ "$_skip_ssl" = "1" ]; then + _debug "ssl on, skip" + else + FOUND_REAL_NGINX_CONF_LN=$_fln + _debug3 "found FOUND_REAL_NGINX_CONF_LN" "$FOUND_REAL_NGINX_CONF_LN" + return 0 + fi + fi + done + fi + return 1 +} + +#restore all the nginx conf +_restoreNginx() { + if [ -z "$NGINX_RESTORE_VLIST" ]; then + _debug "No need to restore nginx, skip." + return + fi + _debug "_restoreNginx" + _debug "NGINX_RESTORE_VLIST" "$NGINX_RESTORE_VLIST" + + for ng_entry in $(echo "$NGINX_RESTORE_VLIST" | tr "$dvsep" ' '); do + _debug "ng_entry" "$ng_entry" + _nd=$(echo "$ng_entry" | cut -d "$sep" -f 1) + _ngconf=$(echo "$ng_entry" | cut -d "$sep" -f 2) + _ngbackupconf=$(echo "$ng_entry" | cut -d "$sep" -f 3) + _info "Restoring from $_ngbackupconf to $_ngconf" + cat "$_ngbackupconf" >"$_ngconf" + done + + _info "Reload nginx" + if ! _exec "nginx -s reload" >/dev/null; then + _exec_err + _err "It seems that nginx reload error, please report bug." + return 1 + fi + return 0 +} + +_clearup() { + _stopserver "$serverproc" + serverproc="" + _restoreApache + _restoreNginx + _clearupdns + if [ -z "$DEBUG" ]; then + rm -f "$TLS_CONF" + rm -f "$TLS_CERT" + rm -f "$TLS_KEY" + rm -f "$TLS_CSR" + fi +} + +_clearupdns() { + _debug "_clearupdns" + _debug "dns_entries" "$dns_entries" + + if [ -z "$dns_entries" ]; then + _debug "skip dns." + return + fi + _info "Removing DNS records." + + for entry in $dns_entries; do + d=$(_getfield "$entry" 1) + txtdomain=$(_getfield "$entry" 2) + aliasDomain=$(_getfield "$entry" 3) + _currentRoot=$(_getfield "$entry" 4) + txt=$(_getfield "$entry" 5) + d_api=$(_getfield "$entry" 6) + _debug "d" "$d" + _debug "txtdomain" "$txtdomain" + _debug "aliasDomain" "$aliasDomain" + _debug "_currentRoot" "$_currentRoot" + _debug "txt" "$txt" + _debug "d_api" "$d_api" + if [ "$d_api" = "$txt" ]; then + d_api="" + fi + + if [ -z "$d_api" ]; then + _info "Not Found domain api file: $d_api" + continue + fi + + if [ "$aliasDomain" ]; then + txtdomain="$aliasDomain" + fi + + ( + if ! . "$d_api"; then + _err "Load file $d_api error. Please check your api file and try again." + return 1 + fi + + rmcommand="${_currentRoot}_rm" + if ! _exists "$rmcommand"; then + _err "It seems that your api file doesn't define $rmcommand" + return 1 + fi + _info "Removing txt: $txt for domain: $txtdomain" + if ! $rmcommand "$txtdomain" "$txt"; then + _err "Error removing txt for domain:$txtdomain" + return 1 + fi + _info "Removed: Success" + ) + + done +} + +# webroot removelevel tokenfile +_clearupwebbroot() { + __webroot="$1" + if [ -z "$__webroot" ]; then + _debug "no webroot specified, skip" + return 0 + fi + + _rmpath="" + if [ "$2" = '1' ]; then + _rmpath="$__webroot/.well-known" + elif [ "$2" = '2' ]; then + _rmpath="$__webroot/.well-known/acme-challenge" + elif [ "$2" = '3' ]; then + _rmpath="$__webroot/.well-known/acme-challenge/$3" + else + _debug "Skip for removelevel:$2" + fi + + if [ "$_rmpath" ]; then + if [ "$DEBUG" ]; then + _debug "Debugging, skip removing: $_rmpath" + else + rm -rf "$_rmpath" + fi + fi + + return 0 + +} + +_on_before_issue() { + _chk_web_roots="$1" + _chk_main_domain="$2" + _chk_alt_domains="$3" + _chk_pre_hook="$4" + _chk_local_addr="$5" + _debug _on_before_issue + _debug _chk_main_domain "$_chk_main_domain" + _debug _chk_alt_domains "$_chk_alt_domains" + #run pre hook + if [ "$_chk_pre_hook" ]; then + _info "Run pre hook:'$_chk_pre_hook'" + if ! ( + export Le_Domain="$_chk_main_domain" + export Le_Alt="$_chk_alt_domains" + cd "$DOMAIN_PATH" && eval "$_chk_pre_hook" + ); then + _err "Error when run pre hook." + return 1 + fi + fi + + if _hasfield "$_chk_web_roots" "$NO_VALUE"; then + if ! _exists "socat"; then + _err "Please install socat tools first." + return 1 + fi + fi + + _debug Le_LocalAddress "$_chk_local_addr" + + _index=1 + _currentRoot="" + _addrIndex=1 + _w_index=1 + while true; do + d="$(echo "$_chk_main_domain,$_chk_alt_domains," | cut -d , -f "$_w_index")" + _w_index="$(_math "$_w_index" + 1)" + _debug d "$d" + if [ -z "$d" ]; then + break + fi + _debug "Check for domain" "$d" + _currentRoot="$(_getfield "$_chk_web_roots" $_index)" + _debug "_currentRoot" "$_currentRoot" + _index=$(_math $_index + 1) + _checkport="" + if [ "$_currentRoot" = "$NO_VALUE" ]; then + _info "Standalone mode." + if [ -z "$Le_HTTPPort" ]; then + Le_HTTPPort=80 + _cleardomainconf "Le_HTTPPort" + else + _savedomainconf "Le_HTTPPort" "$Le_HTTPPort" + fi + _checkport="$Le_HTTPPort" + elif [ "$_currentRoot" = "$W_ALPN" ]; then + _info "Standalone alpn mode." + if [ -z "$Le_TLSPort" ]; then + Le_TLSPort=443 + else + _savedomainconf "Le_TLSPort" "$Le_TLSPort" + fi + _checkport="$Le_TLSPort" + fi + + if [ "$_checkport" ]; then + _debug _checkport "$_checkport" + _checkaddr="$(_getfield "$_chk_local_addr" $_addrIndex)" + _debug _checkaddr "$_checkaddr" + + _addrIndex="$(_math $_addrIndex + 1)" + + _netprc="$(_ss "$_checkport" | grep "$_checkport")" + netprc="$(echo "$_netprc" | grep "$_checkaddr")" + if [ -z "$netprc" ]; then + netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS:$_checkport")" + fi + if [ "$netprc" ]; then + _err "$netprc" + _err "tcp port $_checkport is already used by $(echo "$netprc" | cut -d : -f 4)" + _err "Please stop it first" + return 1 + fi + fi + done + + if _hasfield "$_chk_web_roots" "apache"; then + if ! _setApache; then + _err "set up apache error. Report error to me." + return 1 + fi + else + usingApache="" + fi + +} + +_on_issue_err() { + _chk_post_hook="$1" + _chk_vlist="$2" + _debug _on_issue_err + + if [ "$LOG_FILE" ]; then + _err "Please check log file for more details: $LOG_FILE" + else + _err "Please add '--debug' or '--log' to check more details." + _err "See: $_DEBUG_WIKI" + fi + + #run the post hook + if [ "$_chk_post_hook" ]; then + _info "Run post hook:'$_chk_post_hook'" + if ! ( + cd "$DOMAIN_PATH" && eval "$_chk_post_hook" + ); then + _err "Error when run post hook." + return 1 + fi + fi + + #trigger the validation to flush the pending authz + _debug2 "_chk_vlist" "$_chk_vlist" + if [ "$_chk_vlist" ]; then + ( + _debug2 "start to deactivate authz" + ventries=$(echo "$_chk_vlist" | tr "$dvsep" ' ') + for ventry in $ventries; do + d=$(echo "$ventry" | cut -d "$sep" -f 1) + keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2) + uri=$(echo "$ventry" | cut -d "$sep" -f 3) + vtype=$(echo "$ventry" | cut -d "$sep" -f 4) + _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5) + __trigger_validation "$uri" "$keyauthorization" + done + ) + fi + + if [ "$_ACME_IS_RENEW" = "1" ] && _hasfield "$Le_Webroot" "$W_DNS"; then + _err "$_DNS_MANUAL_ERR" + fi + + if [ "$DEBUG" ] && [ "$DEBUG" -gt "0" ]; then + _debug "$(_dlg_versions)" + fi + +} + +_on_issue_success() { + _chk_post_hook="$1" + _chk_renew_hook="$2" + _debug _on_issue_success + + #run the post hook + if [ "$_chk_post_hook" ]; then + _info "Run post hook:'$_chk_post_hook'" + if ! ( + export CERT_PATH + export CERT_KEY_PATH + export CA_CERT_PATH + export CERT_FULLCHAIN_PATH + export Le_Domain="$_main_domain" + cd "$DOMAIN_PATH" && eval "$_chk_post_hook" + ); then + _err "Error when run post hook." + return 1 + fi + fi + + #run renew hook + if [ "$_ACME_IS_RENEW" ] && [ "$_chk_renew_hook" ]; then + _info "Run renew hook:'$_chk_renew_hook'" + if ! ( + export CERT_PATH + export CERT_KEY_PATH + export CA_CERT_PATH + export CERT_FULLCHAIN_PATH + export Le_Domain="$_main_domain" + cd "$DOMAIN_PATH" && eval "$_chk_renew_hook" + ); then + _err "Error when run renew hook." + return 1 + fi + fi + + if _hasfield "$Le_Webroot" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then + _err "$_DNS_MANUAL_WARN" + fi + +} + +#account_key_length eab-kid eab-hmac-key +registeraccount() { + _account_key_length="$1" + _eab_id="$2" + _eab_hmac_key="$3" + _initpath + _regAccount "$_account_key_length" "$_eab_id" "$_eab_hmac_key" +} + +__calcAccountKeyHash() { + [ -f "$ACCOUNT_KEY_PATH" ] && _digest sha256 <"$ACCOUNT_KEY_PATH" +} + +__calc_account_thumbprint() { + printf "%s" "$jwk" | tr -d ' ' | _digest "sha256" | _url_replace +} + +_getAccountEmail() { + if [ "$ACCOUNT_EMAIL" ]; then + echo "$ACCOUNT_EMAIL" + return 0 + fi + if [ -z "$CA_EMAIL" ]; then + CA_EMAIL="$(_readcaconf CA_EMAIL)" + fi + if [ "$CA_EMAIL" ]; then + echo "$CA_EMAIL" + return 0 + fi + _readaccountconf "ACCOUNT_EMAIL" +} + +#keylength +_regAccount() { + _initpath + _reg_length="$1" + _eab_id="$2" + _eab_hmac_key="$3" + _debug3 _regAccount "$_regAccount" + _initAPI + + mkdir -p "$CA_DIR" + + if [ ! -f "$ACCOUNT_KEY_PATH" ]; then + if ! _create_account_key "$_reg_length"; then + _err "Create account key error." + return 1 + fi + fi + + if ! _calcjwk "$ACCOUNT_KEY_PATH"; then + return 1 + fi + if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then + _savecaconf CA_EAB_KEY_ID "$_eab_id" + _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key" + fi + _eab_id=$(_readcaconf "CA_EAB_KEY_ID") + _eab_hmac_key=$(_readcaconf "CA_EAB_HMAC_KEY") + _secure_debug3 _eab_id "$_eab_id" + _secure_debug3 _eab_hmac_key "$_eab_hmac_key" + _email="$(_getAccountEmail)" + if [ "$_email" ]; then + _savecaconf "CA_EMAIL" "$_email" + fi + + if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then + if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then + _info "No EAB credentials found for ZeroSSL, let's get one" + if [ -z "$_email" ]; then + _info "$(__green "$PROJECT_NAME is using ZeroSSL as default CA now.")" + _info "$(__green "Please update your account with an email address first.")" + _info "$(__green "$PROJECT_ENTRY --register-account -m my@example.com")" + _info "See: $(__green "$_ZEROSSL_WIKI")" + return 1 + fi + _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT) + if [ "$?" != "0" ]; then + _debug2 "$_eabresp" + _err "Can not get EAB credentials from ZeroSSL." + return 1 + fi + _secure_debug2 _eabresp "$_eabresp" + _eab_id="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')" + _secure_debug2 _eab_id "$_eab_id" + if [ -z "$_eab_id" ]; then + _err "Can not resolve _eab_id" + return 1 + fi + _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')" + _secure_debug2 _eab_hmac_key "$_eab_hmac_key" + if [ -z "$_eab_hmac_key" ]; then + _err "Can not resolve _eab_hmac_key" + return 1 + fi + _savecaconf CA_EAB_KEY_ID "$_eab_id" + _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key" + fi + fi + if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then + eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}" + _debug3 eab_protected "$eab_protected" + + eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace) + _debug3 eab_protected64 "$eab_protected64" + + eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace) + _debug3 eab_payload64 "$eab_payload64" + + eab_sign_t="$eab_protected64.$eab_payload64" + _debug3 eab_sign_t "$eab_sign_t" + + key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 multi | _hex_dump | tr -d ' ')" + _debug3 key_hex "$key_hex" + + eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace) + _debug3 eab_signature "$eab_signature" + + externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}" + _debug3 externalBinding "$externalBinding" + fi + if [ "$_email" ]; then + email_sg="\"contact\": [\"mailto:$_email\"], " + fi + regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}" + + _info "Registering account: $ACME_DIRECTORY" + + if ! _send_signed_request "${ACME_NEW_ACCOUNT}" "$regjson"; then + _err "Register account Error: $response" + return 1 + fi + + _eabAlreadyBound="" + if [ "$code" = "" ] || [ "$code" = '201' ]; then + echo "$response" >"$ACCOUNT_JSON_PATH" + _info "Registered" + elif [ "$code" = '409' ] || [ "$code" = '200' ]; then + _info "Already registered" + elif [ "$code" = '400' ] && _contains "$response" 'The account is not awaiting external account binding'; then + _info "Already register EAB." + _eabAlreadyBound=1 + else + _err "Register account Error: $response" + return 1 + fi + + if [ -z "$_eabAlreadyBound" ]; then + _debug2 responseHeaders "$responseHeaders" + _accUri="$(echo "$responseHeaders" | grep -i "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n ")" + _debug "_accUri" "$_accUri" + if [ -z "$_accUri" ]; then + _err "Can not find account id url." + _err "$responseHeaders" + return 1 + fi + _savecaconf "ACCOUNT_URL" "$_accUri" + else + ACCOUNT_URL="$(_readcaconf ACCOUNT_URL)" + fi + export ACCOUNT_URL="$_accUri" + + CA_KEY_HASH="$(__calcAccountKeyHash)" + _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH" + _savecaconf CA_KEY_HASH "$CA_KEY_HASH" + + if [ "$code" = '403' ]; then + _err "It seems that the account key is already deactivated, please use a new account key." + return 1 + fi + + ACCOUNT_THUMBPRINT="$(__calc_account_thumbprint)" + _info "ACCOUNT_THUMBPRINT" "$ACCOUNT_THUMBPRINT" +} + +#implement updateaccount +updateaccount() { + _initpath + + if [ ! -f "$ACCOUNT_KEY_PATH" ]; then + _err "Account key is not found at: $ACCOUNT_KEY_PATH" + return 1 + fi + + _accUri=$(_readcaconf "ACCOUNT_URL") + _debug _accUri "$_accUri" + + if [ -z "$_accUri" ]; then + _err "The account url is empty, please run '--update-account' first to update the account info first," + _err "Then try again." + return 1 + fi + + if ! _calcjwk "$ACCOUNT_KEY_PATH"; then + return 1 + fi + _initAPI + + _email="$(_getAccountEmail)" + + if [ "$_email" ]; then + updjson='{"contact": ["mailto:'$_email'"]}' + else + updjson='{"contact": []}' + fi + + _send_signed_request "$_accUri" "$updjson" + + if [ "$code" = '200' ]; then + echo "$response" >"$ACCOUNT_JSON_PATH" + _info "Account update success for $_accUri." + else + _info "Error. The account was not updated." + return 1 + fi +} + +#Implement deactivate account +deactivateaccount() { + _initpath + + if [ ! -f "$ACCOUNT_KEY_PATH" ]; then + _err "Account key is not found at: $ACCOUNT_KEY_PATH" + return 1 + fi + + _accUri=$(_readcaconf "ACCOUNT_URL") + _debug _accUri "$_accUri" + + if [ -z "$_accUri" ]; then + _err "The account url is empty, please run '--update-account' first to update the account info first," + _err "Then try again." + return 1 + fi + + if ! _calcjwk "$ACCOUNT_KEY_PATH"; then + return 1 + fi + _initAPI + + _djson="{\"status\":\"deactivated\"}" + + if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then + _info "Deactivate account success for $_accUri." + _accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,') + elif [ "$code" = "403" ]; then + _info "The account is already deactivated." + _accid=$(_getfield "$_accUri" "999" "/") + else + _err "Deactivate: account failed for $_accUri." + return 1 + fi + + _debug "Account id: $_accid" + if [ "$_accid" ]; then + _deactivated_account_path="$CA_DIR/deactivated/$_accid" + _debug _deactivated_account_path "$_deactivated_account_path" + if mkdir -p "$_deactivated_account_path"; then + _info "Moving deactivated account info to $_deactivated_account_path/" + mv "$CA_CONF" "$_deactivated_account_path/" + mv "$ACCOUNT_JSON_PATH" "$_deactivated_account_path/" + mv "$ACCOUNT_KEY_PATH" "$_deactivated_account_path/" + else + _err "Can not create dir: $_deactivated_account_path, try to remove the deactivated account key." + rm -f "$CA_CONF" + rm -f "$ACCOUNT_JSON_PATH" + rm -f "$ACCOUNT_KEY_PATH" + fi + fi +} + +# domain folder file +_findHook() { + _hookdomain="$1" + _hookcat="$2" + _hookname="$3" + + if [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname" ]; then + d_api="$_SCRIPT_HOME/$_hookcat/$_hookname" + elif [ -f "$_SCRIPT_HOME/$_hookcat/$_hookname.sh" ]; then + d_api="$_SCRIPT_HOME/$_hookcat/$_hookname.sh" + elif [ "$_hookdomain" ] && [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname" ]; then + d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname" + elif [ "$_hookdomain" ] && [ -f "$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" ]; then + d_api="$LE_WORKING_DIR/$_hookdomain/$_hookname.sh" + elif [ -f "$LE_WORKING_DIR/$_hookname" ]; then + d_api="$LE_WORKING_DIR/$_hookname" + elif [ -f "$LE_WORKING_DIR/$_hookname.sh" ]; then + d_api="$LE_WORKING_DIR/$_hookname.sh" + elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname" ]; then + d_api="$LE_WORKING_DIR/$_hookcat/$_hookname" + elif [ -f "$LE_WORKING_DIR/$_hookcat/$_hookname.sh" ]; then + d_api="$LE_WORKING_DIR/$_hookcat/$_hookname.sh" + fi + + printf "%s" "$d_api" +} + +#domain +__get_domain_new_authz() { + _gdnd="$1" + _info "Getting new-authz for domain" "$_gdnd" + _initAPI + _Max_new_authz_retry_times=5 + _authz_i=0 + while [ "$_authz_i" -lt "$_Max_new_authz_retry_times" ]; do + _debug "Try new-authz for the $_authz_i time." + if ! _send_signed_request "${ACME_NEW_AUTHZ}" "{\"resource\": \"new-authz\", \"identifier\": {\"type\": \"dns\", \"value\": \"$(_idn "$_gdnd")\"}}"; then + _err "Can not get domain new authz." + return 1 + fi + if _contains "$response" "No registration exists matching provided key"; then + _err "It seems there is an error, but it's recovered now, please try again." + _err "If you see this message for a second time, please report bug: $(__green "$PROJECT")" + _clearcaconf "CA_KEY_HASH" + break + fi + if ! _contains "$response" "An error occurred while processing your request"; then + _info "The new-authz request is ok." + break + fi + _authz_i="$(_math "$_authz_i" + 1)" + _info "The server is busy, Sleep $_authz_i to retry." + _sleep "$_authz_i" + done + + if [ "$_authz_i" = "$_Max_new_authz_retry_times" ]; then + _err "new-authz retry reach the max $_Max_new_authz_retry_times times." + fi + + if [ "$code" ] && [ "$code" != '201' ]; then + _err "new-authz error: $response" + return 1 + fi + +} + +#uri keyAuthorization +__trigger_validation() { + _debug2 "Trigger domain validation." + _t_url="$1" + _debug2 _t_url "$_t_url" + _t_key_authz="$2" + _debug2 _t_key_authz "$_t_key_authz" + _t_vtype="$3" + _debug2 _t_vtype "$_t_vtype" + + _send_signed_request "$_t_url" "{}" + +} + +#endpoint domain type +_ns_lookup_impl() { + _ns_ep="$1" + _ns_domain="$2" + _ns_type="$3" + _debug2 "_ns_ep" "$_ns_ep" + _debug2 "_ns_domain" "$_ns_domain" + _debug2 "_ns_type" "$_ns_type" + + response="$(_H1="accept: application/dns-json" _get "$_ns_ep?name=$_ns_domain&type=$_ns_type")" + _ret=$? + _debug2 "response" "$response" + if [ "$_ret" != "0" ]; then + return $_ret + fi + _answers="$(echo "$response" | tr '{}' '<>' | _egrep_o '"Answer":\[[^]]*]' | tr '<>' '\n\n')" + _debug2 "_answers" "$_answers" + echo "$_answers" +} + +#domain, type +_ns_lookup_cf() { + _cf_ld="$1" + _cf_ld_type="$2" + _cf_ep="https://cloudflare-dns.com/dns-query" + _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type" +} + +#domain, type +_ns_purge_cf() { + _cf_d="$1" + _cf_d_type="$2" + _debug "Cloudflare purge $_cf_d_type record for domain $_cf_d" + _cf_purl="https://cloudflare-dns.com/api/v1/purge?domain=$_cf_d&type=$_cf_d_type" + response="$(_post "" "$_cf_purl")" + _debug2 response "$response" +} + +#checks if cf server is available +_ns_is_available_cf() { + if _get "https://cloudflare-dns.com" "" 10 >/dev/null; then + return 0 + else + return 1 + fi +} + +_ns_is_available_google() { + if _get "https://dns.google" "" 10 >/dev/null; then + return 0 + else + return 1 + fi +} + +#domain, type +_ns_lookup_google() { + _cf_ld="$1" + _cf_ld_type="$2" + _cf_ep="https://dns.google/resolve" + _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type" +} + +_ns_is_available_ali() { + if _get "https://dns.alidns.com" "" 10 >/dev/null; then + return 0 + else + return 1 + fi +} + +#domain, type +_ns_lookup_ali() { + _cf_ld="$1" + _cf_ld_type="$2" + _cf_ep="https://dns.alidns.com/resolve" + _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type" +} + +_ns_is_available_dp() { + if _get "https://doh.pub" "" 10 >/dev/null; then + return 0 + else + return 1 + fi +} + +#dnspod +_ns_lookup_dp() { + _cf_ld="$1" + _cf_ld_type="$2" + _cf_ep="https://doh.pub/dns-query" + _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type" +} + +_ns_select_doh() { + if [ -z "$DOH_USE" ]; then + _debug "Detect dns server first." + if _ns_is_available_cf; then + _debug "Use cloudflare doh server" + export DOH_USE=$DOH_CLOUDFLARE + elif _ns_is_available_google; then + _debug "Use google doh server" + export DOH_USE=$DOH_GOOGLE + elif _ns_is_available_ali; then + _debug "Use aliyun doh server" + export DOH_USE=$DOH_ALI + elif _ns_is_available_dp; then + _debug "Use dns pod doh server" + export DOH_USE=$DOH_DP + else + _err "No doh" + fi + fi +} + +#domain, type +_ns_lookup() { + _ns_select_doh + if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then + _ns_lookup_cf "$@" + elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then + _ns_lookup_google "$@" + elif [ "$DOH_USE" = "$DOH_ALI" ]; then + _ns_lookup_ali "$@" + elif [ "$DOH_USE" = "$DOH_DP" ]; then + _ns_lookup_dp "$@" + else + _err "Unknown doh provider: DOH_USE=$DOH_USE" + fi + +} + +#txtdomain, alias, txt +__check_txt() { + _c_txtdomain="$1" + _c_aliasdomain="$2" + _c_txt="$3" + _debug "_c_txtdomain" "$_c_txtdomain" + _debug "_c_aliasdomain" "$_c_aliasdomain" + _debug "_c_txt" "$_c_txt" + _ns_select_doh + _answers="$(_ns_lookup "$_c_aliasdomain" TXT)" + _contains "$_answers" "$_c_txt" + +} + +#txtdomain +__purge_txt() { + _p_txtdomain="$1" + _debug _p_txtdomain "$_p_txtdomain" + if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then + _ns_purge_cf "$_p_txtdomain" "TXT" + else + _debug "no purge api for this doh api, just sleep 5 secs" + _sleep 5 + fi + +} + +#wait and check each dns entries +_check_dns_entries() { + _success_txt="," + _end_time="$(_time)" + _end_time="$(_math "$_end_time" + 1200)" #let's check no more than 20 minutes. + + while [ "$(_time)" -le "$_end_time" ]; do + _info "You can use '--dnssleep' to disable public dns checks." + _info "See: $_DNSCHECK_WIKI" + _left="" + for entry in $dns_entries; do + d=$(_getfield "$entry" 1) + txtdomain=$(_getfield "$entry" 2) + txtdomain=$(_idn "$txtdomain") + aliasDomain=$(_getfield "$entry" 3) + aliasDomain=$(_idn "$aliasDomain") + txt=$(_getfield "$entry" 5) + d_api=$(_getfield "$entry" 6) + _debug "d" "$d" + _debug "txtdomain" "$txtdomain" + _debug "aliasDomain" "$aliasDomain" + _debug "txt" "$txt" + _debug "d_api" "$d_api" + _info "Checking $d for $aliasDomain" + if _contains "$_success_txt" ",$txt,"; then + _info "Already success, continue next one." + continue + fi + + if __check_txt "$txtdomain" "$aliasDomain" "$txt"; then + _info "Domain $d '$aliasDomain' success." + _success_txt="$_success_txt,$txt," + continue + fi + _left=1 + _info "Not valid yet, let's wait 10 seconds and check next one." + __purge_txt "$txtdomain" + if [ "$txtdomain" != "$aliasDomain" ]; then + __purge_txt "$aliasDomain" + fi + _sleep 10 + done + if [ "$_left" ]; then + _info "Let's wait 10 seconds and check again". + _sleep 10 + else + _info "All success, let's return" + return 0 + fi + done + _info "Timed out waiting for DNS." + return 1 + +} + +#file +_get_chain_issuers() { + _cfile="$1" + if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then + ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 + else + _cindex=1 + for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do + _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)" + _debug2 "_startn" "$_startn" + _debug2 "_endn" "$_endn" + if [ "$DEBUG" ]; then + _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")" + fi + sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/" + _cindex=$(_math $_cindex + 1) + done + fi +} + +# +_get_chain_subjects() { + _cfile="$1" + if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then + ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 + else + _cindex=1 + for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do + _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)" + _debug2 "_startn" "$_startn" + _debug2 "_endn" "$_endn" + if [ "$DEBUG" ]; then + _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")" + fi + sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/" + _cindex=$(_math $_cindex + 1) + done + fi +} + +#cert issuer +_match_issuer() { + _cfile="$1" + _missuer="$2" + _fissuers="$(_get_chain_issuers $_cfile)" + _debug2 _fissuers "$_fissuers" + _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)" + _debug2 _rootissuer "$_rootissuer" + _missuer="$(echo "$_missuer" | _lower_case)" + _contains "$_rootissuer" "$_missuer" +} + +#ip +_isIPv4() { + for seg in $(echo "$1" | tr '.' ' '); do + _debug2 seg "$seg" + if [ "$(echo "$seg" | tr -d '[0-9]')" ]; then + #not all number + return 1 + fi + if [ $seg -ge 0 ] && [ $seg -lt 256 ]; then + continue + fi + return 1 + done + return 0 +} + +#ip6 +_isIPv6() { + _contains "$1" ":" +} + +#ip +_isIP() { + _isIPv4 "$1" || _isIPv6 "$1" +} + +#identifier +_getIdType() { + if _isIP "$1"; then + echo "$ID_TYPE_IP" + else + echo "$ID_TYPE_DNS" + fi +} + +# beginTime dateTo +# beginTime is full string format("2022-04-01T08:10:33Z"), beginTime can be empty, to use current time +# dateTo can be ether in full string format("2022-04-01T08:10:33Z") or in delta format(+5d or +20h) +_convertValidaty() { + _beginTime="$1" + _dateTo="$2" + _debug2 "_beginTime" "$_beginTime" + _debug2 "_dateTo" "$_dateTo" + + if _startswith "$_dateTo" "+"; then + _v_begin=$(_time) + if [ "$_beginTime" ]; then + _v_begin="$(_date2time "$_beginTime")" + fi + _debug2 "_v_begin" "$_v_begin" + if _endswith "$_dateTo" "h"; then + _v_end=$(_math "$_v_begin + 60 * 60 * $(echo "$_dateTo" | tr -d '+h')") + elif _endswith "$_dateTo" "d"; then + _v_end=$(_math "$_v_begin + 60 * 60 * 24 * $(echo "$_dateTo" | tr -d '+d')") + else + _err "Not recognized format for _dateTo: $_dateTo" + return 1 + fi + _debug2 "_v_end" "$_v_end" + _time2str "$_v_end" + else + if [ "$(_time)" -gt "$(_date2time "$_dateTo")" ]; then + _err "The validaty to is in the past: _dateTo = $_dateTo" + return 1 + fi + echo "$_dateTo" + fi +} + +#webroot, domain domainlist keylength +issue() { + if [ -z "$2" ]; then + _usage "Usage: $PROJECT_ENTRY --issue --domain --webroot " + return 1 + fi + if [ -z "$1" ]; then + _usage "Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc." + return 1 + fi + _web_roots="$1" + _main_domain="$2" + _alt_domains="$3" + + if _contains "$_main_domain" ","; then + _main_domain=$(echo "$2,$3" | cut -d , -f 1) + _alt_domains=$(echo "$2,$3" | cut -d , -f 2- | sed "s/,${NO_VALUE}$//") + fi + _debug _main_domain "$_main_domain" + _debug _alt_domains "$_alt_domains" + + _key_length="$4" + _real_cert="$5" + _real_key="$6" + _real_ca="$7" + _reload_cmd="$8" + _real_fullchain="$9" + _pre_hook="${10}" + _post_hook="${11}" + _renew_hook="${12}" + _local_addr="${13}" + _challenge_alias="${14}" + _preferred_chain="${15}" + _valid_from="${16}" + _valid_to="${17}" + + if [ -z "$_ACME_IS_RENEW" ]; then + _initpath "$_main_domain" "$_key_length" + mkdir -p "$DOMAIN_PATH" + elif ! _hasfield "$_web_roots" "$W_DNS"; then + Le_OrderFinalize="" + Le_LinkOrder="" + Le_LinkCert="" + fi + + if _hasfield "$_web_roots" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then + _err "$_DNS_MANUAL_ERROR" + return 1 + fi + + if [ -f "$DOMAIN_CONF" ]; then + Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime) + _debug Le_NextRenewTime "$Le_NextRenewTime" + if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then + _valid_to_saved=$(_readdomainconf Le_Valid_to) + if [ "$_valid_to_saved" ] && ! _startswith "$_valid_to_saved" "+"; then + _info "The domain is set to be valid to: $_valid_to_saved" + _info "It can not be renewed automatically" + _info "See: $_VALIDITY_WIKI" + return $RENEW_SKIP + fi + _saved_domain=$(_readdomainconf Le_Domain) + _debug _saved_domain "$_saved_domain" + _saved_alt=$(_readdomainconf Le_Alt) + _debug _saved_alt "$_saved_alt" + _normized_saved_domains="$(echo "$_saved_domain,$_saved_alt" | tr "," "\n" | sort | tr '\n' ',')" + _debug _normized_saved_domains "$_normized_saved_domains" + + _normized_domains="$(echo "$_main_domain,$_alt_domains" | tr "," "\n" | sort | tr '\n' ',')" + _debug _normized_domains "$_normized_domains" + + if [ "$_normized_saved_domains" = "$_normized_domains" ]; then + _info "Domains not changed." + _info "Skip, Next renewal time is: $(__green "$(_readdomainconf Le_NextRenewTimeStr)")" + _info "Add '$(__red '--force')' to force to renew." + return $RENEW_SKIP + else + _info "Domains have changed." + fi + fi + fi + + _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY" + if ! _initAPI; then + return 1 + fi + + _savedomainconf "Le_Domain" "$_main_domain" + _savedomainconf "Le_Alt" "$_alt_domains" + _savedomainconf "Le_Webroot" "$_web_roots" + + _savedomainconf "Le_PreHook" "$_pre_hook" "base64" + _savedomainconf "Le_PostHook" "$_post_hook" "base64" + _savedomainconf "Le_RenewHook" "$_renew_hook" "base64" + + if [ "$_local_addr" ]; then + _savedomainconf "Le_LocalAddress" "$_local_addr" + else + _cleardomainconf "Le_LocalAddress" + fi + if [ "$_challenge_alias" ]; then + _savedomainconf "Le_ChallengeAlias" "$_challenge_alias" + else + _cleardomainconf "Le_ChallengeAlias" + fi + if [ "$_preferred_chain" ]; then + _savedomainconf "Le_Preferred_Chain" "$_preferred_chain" "base64" + else + _cleardomainconf "Le_Preferred_Chain" + fi + + Le_API="$ACME_DIRECTORY" + _savedomainconf "Le_API" "$Le_API" + + _info "Using CA: $ACME_DIRECTORY" + if [ "$_alt_domains" = "$NO_VALUE" ]; then + _alt_domains="" + fi + + if ! _on_before_issue "$_web_roots" "$_main_domain" "$_alt_domains" "$_pre_hook" "$_local_addr"; then + _err "_on_before_issue." + return 1 + fi + + _saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")" + _debug2 _saved_account_key_hash "$_saved_account_key_hash" + + if [ -z "$ACCOUNT_URL" ] || [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ]; then + if ! _regAccount "$_accountkeylength"; then + _on_issue_err "$_post_hook" + return 1 + fi + else + _debug "_saved_account_key_hash is not changed, skip register account." + fi + + export Le_Next_Domain_Key="$CERT_KEY_PATH.next" + if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then + _info "Signing from existing CSR." + else + # When renewing from an old version, the empty Le_Keylength means 2048. + # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over + # time but an empty value implies 2048 specifically. + _key=$(_readdomainconf Le_Keylength) + if [ -z "$_key" ]; then + _key=2048 + fi + _debug "Read key length:$_key" + if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then + if [ "$Le_ForceNewDomainKey" = "1" ] && [ -f "$Le_Next_Domain_Key" ]; then + _info "Using pre generated key: $Le_Next_Domain_Key" + cat "$Le_Next_Domain_Key" >"$CERT_KEY_PATH" + echo "" >"$Le_Next_Domain_Key" + else + if ! createDomainKey "$_main_domain" "$_key_length"; then + _err "Create domain key error." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + fi + fi + if [ "$Le_ForceNewDomainKey" ]; then + _info "Generate next pre-generate key." + if [ ! -e "$Le_Next_Domain_Key" ]; then + touch "$Le_Next_Domain_Key" + chmod 600 "$Le_Next_Domain_Key" + fi + if ! _createkey "$_key_length" "$Le_Next_Domain_Key"; then + _err "Can not pre generate domain key" + return 1 + fi + fi + if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then + _err "Create CSR error." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + fi + + _savedomainconf "Le_Keylength" "$_key_length" + + vlist="$Le_Vlist" + _cleardomainconf "Le_Vlist" + _info "Getting domain auth token for each domain" + sep='#' + dvsep=',' + if [ -z "$vlist" ]; then + #make new order request + _identifiers="{\"type\":\"$(_getIdType "$_main_domain")\",\"value\":\"$(_idn "$_main_domain")\"}" + _w_index=1 + while true; do + d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")" + _w_index="$(_math "$_w_index" + 1)" + _debug d "$d" + if [ -z "$d" ]; then + break + fi + _identifiers="$_identifiers,{\"type\":\"$(_getIdType "$d")\",\"value\":\"$(_idn "$d")\"}" + done + _debug2 _identifiers "$_identifiers" + _notBefore="" + _notAfter="" + + if [ "$_valid_from" ]; then + _savedomainconf "Le_Valid_From" "$_valid_from" + _debug2 "_valid_from" "$_valid_from" + _notBefore="$(_convertValidaty "" "$_valid_from")" + if [ "$?" != "0" ]; then + _err "Can not parse _valid_from: $_valid_from" + return 1 + fi + if [ "$(_time)" -gt "$(_date2time "$_notBefore")" ]; then + _notBefore="" + fi + else + _cleardomainconf "Le_Valid_From" + fi + _debug2 _notBefore "$_notBefore" + + if [ "$_valid_to" ]; then + _debug2 "_valid_to" "$_valid_to" + _savedomainconf "Le_Valid_To" "$_valid_to" + _notAfter="$(_convertValidaty "$_notBefore" "$_valid_to")" + if [ "$?" != "0" ]; then + _err "Can not parse _valid_to: $_valid_to" + return 1 + fi + else + _cleardomainconf "Le_Valid_To" + fi + _debug2 "_notAfter" "$_notAfter" + + _newOrderObj="{\"identifiers\": [$_identifiers]" + if [ "$_notBefore" ]; then + _newOrderObj="$_newOrderObj,\"notBefore\": \"$_notBefore\"" + fi + if [ "$_notAfter" ]; then + _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\"" + fi + if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then + _err "Create new order error." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)" + _debug Le_LinkOrder "$Le_LinkOrder" + Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)" + _debug Le_OrderFinalize "$Le_OrderFinalize" + if [ -z "$Le_OrderFinalize" ]; then + _err "Create new order error. Le_OrderFinalize not found. $response" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + #for dns manual mode + _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize" + + _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')" + _debug2 _authorizations_seg "$_authorizations_seg" + if [ -z "$_authorizations_seg" ]; then + _err "_authorizations_seg not found." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + #domain and authz map + _authorizations_map="" + for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do + _debug2 "_authz_url" "$_authz_url" + if ! _send_signed_request "$_authz_url"; then + _err "get to authz error." + _err "_authorizations_seg" "$_authorizations_seg" + _err "_authz_url" "$_authz_url" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + response="$(echo "$response" | _normalizeJson)" + _debug2 response "$response" + _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "')" + if _contains "$response" "\"wildcard\" *: *true"; then + _d="*.$_d" + fi + _debug2 _d "$_d" + _authorizations_map="$_d,$response +$_authorizations_map" + done + _debug2 _authorizations_map "$_authorizations_map" + + _index=0 + _currentRoot="" + _w_index=1 + while true; do + d="$(echo "$_main_domain,$_alt_domains," | cut -d , -f "$_w_index")" + _w_index="$(_math "$_w_index" + 1)" + _debug d "$d" + if [ -z "$d" ]; then + break + fi + _info "Getting webroot for domain" "$d" + _index=$(_math $_index + 1) + _w="$(echo $_web_roots | cut -d , -f $_index)" + _debug _w "$_w" + if [ "$_w" ]; then + _currentRoot="$_w" + fi + _debug "_currentRoot" "$_currentRoot" + + vtype="$VTYPE_HTTP" + #todo, v2 wildcard force to use dns + if _startswith "$_currentRoot" "$W_DNS"; then + vtype="$VTYPE_DNS" + fi + + if [ "$_currentRoot" = "$W_ALPN" ]; then + vtype="$VTYPE_ALPN" + fi + + _idn_d="$(_idn "$d")" + _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")" + _debug2 _candidates "$_candidates" + if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then + for _can in $_candidates; do + if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then + _candidates="$_can" + break + fi + done + fi + response="$(echo "$_candidates" | sed "s/$_idn_d,//")" + _debug2 "response" "$response" + if [ -z "$response" ]; then + _err "get to authz error." + _err "_authorizations_map" "$_authorizations_map" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + if [ -z "$thumbprint" ]; then + thumbprint="$(__calc_account_thumbprint)" + fi + + entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" + _debug entry "$entry" + keyauthorization="" + if [ -z "$entry" ]; then + if ! _startswith "$d" '*.'; then + _debug "Not a wildcard domain, lets check whether the validation is already valid." + if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then + _debug "$d is already valid." + keyauthorization="$STATE_VERIFIED" + _debug keyauthorization "$keyauthorization" + fi + fi + if [ -z "$keyauthorization" ]; then + _err "Error, can not get domain token entry $d for $vtype" + _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')" + if [ "$_supported_vtypes" ]; then + _err "The supported validation types are: $_supported_vtypes, but you specified: $vtype" + fi + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + fi + + if [ -z "$keyauthorization" ]; then + token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" + _debug token "$token" + + if [ -z "$token" ]; then + _err "Error, can not get domain token $entry" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)" + + _debug uri "$uri" + + if [ -z "$uri" ]; then + _err "Error, can not get domain uri. $entry" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + keyauthorization="$token.$thumbprint" + _debug keyauthorization "$keyauthorization" + + if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then + _debug "$d is already verified." + keyauthorization="$STATE_VERIFIED" + _debug keyauthorization "$keyauthorization" + fi + fi + + dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot" + _debug dvlist "$dvlist" + + vlist="$vlist$dvlist$dvsep" + + done + _debug vlist "$vlist" + #add entry + dns_entries="" + dnsadded="" + ventries=$(echo "$vlist" | tr "$dvsep" ' ') + _alias_index=1 + for ventry in $ventries; do + d=$(echo "$ventry" | cut -d "$sep" -f 1) + keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2) + vtype=$(echo "$ventry" | cut -d "$sep" -f 4) + _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5) + _debug d "$d" + if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then + _debug "$d is already verified, skip $vtype." + _alias_index="$(_math "$_alias_index" + 1)" + continue + fi + + if [ "$vtype" = "$VTYPE_DNS" ]; then + dnsadded='0' + _dns_root_d="$d" + if _startswith "$_dns_root_d" "*."; then + _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')" + fi + _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")" + test "$_d_alias" = "$NO_VALUE" && _d_alias="" + _alias_index="$(_math "$_alias_index" + 1)" + _debug "_d_alias" "$_d_alias" + if [ "$_d_alias" ]; then + if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then + txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")" + else + txtdomain="_acme-challenge.$_d_alias" + fi + dns_entry="${_dns_root_d}${dvsep}_acme-challenge.$_dns_root_d$dvsep$txtdomain$dvsep$_currentRoot" + else + txtdomain="_acme-challenge.$_dns_root_d" + dns_entry="${_dns_root_d}${dvsep}_acme-challenge.$_dns_root_d$dvsep$dvsep$_currentRoot" + fi + + _debug txtdomain "$txtdomain" + txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)" + _debug txt "$txt" + + d_api="$(_findHook "$_dns_root_d" $_SUB_FOLDER_DNSAPI "$_currentRoot")" + _debug d_api "$d_api" + + dns_entry="$dns_entry$dvsep$txt${dvsep}$d_api" + _debug2 dns_entry "$dns_entry" + if [ "$d_api" ]; then + _debug "Found domain api file: $d_api" + else + if [ "$_currentRoot" != "$W_DNS" ]; then + _err "Can not find dns api hook for: $_currentRoot" + _info "You need to add the txt record manually." + fi + _info "$(__red "Add the following TXT record:")" + _info "$(__red "Domain: '$(__green "$txtdomain")'")" + _info "$(__red "TXT value: '$(__green "$txt")'")" + _info "$(__red "Please be aware that you prepend _acme-challenge. before your domain")" + _info "$(__red "so the resulting subdomain will be: $txtdomain")" + continue + fi + + ( + if ! . "$d_api"; then + _err "Load file $d_api error. Please check your api file and try again." + return 1 + fi + + addcommand="${_currentRoot}_add" + if ! _exists "$addcommand"; then + _err "It seems that your api file is not correct, it must have a function named: $addcommand" + return 1 + fi + _info "Adding txt value: $txt for domain: $txtdomain" + if ! $addcommand "$txtdomain" "$txt"; then + _err "Error add txt for domain:$txtdomain" + return 1 + fi + _info "The txt record is added: Success." + ) + + if [ "$?" != "0" ]; then + _on_issue_err "$_post_hook" "$vlist" + _clearup + return 1 + fi + dns_entries="$dns_entries$dns_entry +" + _debug2 "$dns_entries" + dnsadded='1' + fi + done + + if [ "$dnsadded" = '0' ]; then + _savedomainconf "Le_Vlist" "$vlist" + _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit." + _err "Please add the TXT records to the domains, and re-run with --renew." + _on_issue_err "$_post_hook" + _clearup + # If asked to be in manual DNS mode, flag this exit with a separate + # error so it can be distinguished from other failures. + return $CODE_DNS_MANUAL + fi + + fi + + if [ "$dns_entries" ]; then + if [ -z "$Le_DNSSleep" ]; then + _info "Let's check each DNS record now. Sleep 20 seconds first." + _sleep 20 + if ! _check_dns_entries; then + _err "check dns error." + _on_issue_err "$_post_hook" + _clearup + return 1 + fi + else + _savedomainconf "Le_DNSSleep" "$Le_DNSSleep" + _info "Sleep $(__green $Le_DNSSleep) seconds for the txt records to take effect" + _sleep "$Le_DNSSleep" + fi + fi + + NGINX_RESTORE_VLIST="" + _debug "ok, let's start to verify" + + _ncIndex=1 + ventries=$(echo "$vlist" | tr "$dvsep" ' ') + for ventry in $ventries; do + d=$(echo "$ventry" | cut -d "$sep" -f 1) + keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2) + uri=$(echo "$ventry" | cut -d "$sep" -f 3) + vtype=$(echo "$ventry" | cut -d "$sep" -f 4) + _currentRoot=$(echo "$ventry" | cut -d "$sep" -f 5) + + if [ "$keyauthorization" = "$STATE_VERIFIED" ]; then + _info "$d is already verified, skip $vtype." + continue + fi + + _info "Verifying: $d" + _debug "d" "$d" + _debug "keyauthorization" "$keyauthorization" + _debug "uri" "$uri" + removelevel="" + token="$(printf "%s" "$keyauthorization" | cut -d '.' -f 1)" + + _debug "_currentRoot" "$_currentRoot" + + if [ "$vtype" = "$VTYPE_HTTP" ]; then + if [ "$_currentRoot" = "$NO_VALUE" ]; then + _info "Standalone mode server" + _ncaddr="$(_getfield "$_local_addr" "$_ncIndex")" + _ncIndex="$(_math $_ncIndex + 1)" + _startserver "$keyauthorization" "$_ncaddr" + if [ "$?" != "0" ]; then + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + sleep 1 + _debug serverproc "$serverproc" + elif [ "$_currentRoot" = "$MODE_STATELESS" ]; then + _info "Stateless mode for domain:$d" + _sleep 1 + elif _startswith "$_currentRoot" "$NGINX"; then + _info "Nginx mode for domain:$d" + #set up nginx server + FOUND_REAL_NGINX_CONF="" + BACKUP_NGINX_CONF="" + if ! _setNginx "$d" "$_currentRoot" "$thumbprint"; then + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + + if [ "$FOUND_REAL_NGINX_CONF" ]; then + _realConf="$FOUND_REAL_NGINX_CONF" + _backup="$BACKUP_NGINX_CONF" + _debug _realConf "$_realConf" + NGINX_RESTORE_VLIST="$d$sep$_realConf$sep$_backup$dvsep$NGINX_RESTORE_VLIST" + fi + _sleep 1 + else + if [ "$_currentRoot" = "apache" ]; then + wellknown_path="$ACME_DIR" + else + wellknown_path="$_currentRoot/.well-known/acme-challenge" + if [ ! -d "$_currentRoot/.well-known" ]; then + removelevel='1' + elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then + removelevel='2' + else + removelevel='3' + fi + fi + + _debug wellknown_path "$wellknown_path" + + _debug "writing token:$token to $wellknown_path/$token" + + mkdir -p "$wellknown_path" + + if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then + _err "$d:Can not write token to file : $wellknown_path/$token" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + if ! chmod a+r "$wellknown_path/$token"; then + _debug "chmod failed, but we just continue." + fi + if [ ! "$usingApache" ]; then + if webroot_owner=$(_stat "$_currentRoot"); then + _debug "Changing owner/group of .well-known to $webroot_owner" + if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then + _debug "$(cat "$_EXEC_TEMP_ERR")" + _exec_err >/dev/null 2>&1 + fi + else + _debug "not changing owner/group of webroot" + fi + fi + + fi + elif [ "$vtype" = "$VTYPE_ALPN" ]; then + acmevalidationv1="$(printf "%s" "$keyauthorization" | _digest "sha256" "hex")" + _debug acmevalidationv1 "$acmevalidationv1" + if ! _starttlsserver "$d" "" "$Le_TLSPort" "$keyauthorization" "$_ncaddr" "$acmevalidationv1"; then + _err "Start tls server error." + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + fi + + if ! __trigger_validation "$uri" "$keyauthorization" "$vtype"; then + _err "$d:Can not get challenge: $response" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + + if [ "$code" ] && [ "$code" != '202' ]; then + if [ "$code" = '200' ]; then + _debug "trigger validation code: $code" + else + _err "$d:Challenge error: $response" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + fi + + waittimes=0 + if [ -z "$MAX_RETRY_TIMES" ]; then + MAX_RETRY_TIMES=30 + fi + + while true; do + waittimes=$(_math "$waittimes" + 1) + if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ]; then + _err "$d:Timeout" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + + _debug2 original "$response" + + response="$(echo "$response" | _normalizeJson)" + _debug2 response "$response" + + status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"') + _debug2 status "$status" + if _contains "$status" "invalid"; then + error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')" + _debug2 error "$error" + errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)" + _debug2 errordetail "$errordetail" + if [ "$errordetail" ]; then + _err "$d:Verify error:$errordetail" + else + _err "$d:Verify error:$error" + fi + if [ "$DEBUG" ]; then + if [ "$vtype" = "$VTYPE_HTTP" ]; then + _debug "Debug: get token url." + _get "http://$d/.well-known/acme-challenge/$token" "" 1 + fi + fi + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + + if _contains "$status" "valid"; then + _info "$(__green Success)" + _stopserver "$serverproc" + serverproc="" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + break + fi + + if [ "$status" = "pending" ]; then + _info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)" + elif [ "$status" = "processing" ]; then + _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)" + else + _err "$d:Verify error:$response" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + _debug "sleep 2 secs to verify again" + _sleep 2 + _debug "checking" + + _send_signed_request "$uri" + + if [ "$?" != "0" ]; then + _err "$d:Verify error:$response" + _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearup + _on_issue_err "$_post_hook" "$vlist" + return 1 + fi + done + + done + + _clearup + _info "Verify finished, start to sign." + der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)" + + _info "Lets finalize the order." + _info "Le_OrderFinalize" "$Le_OrderFinalize" + if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then + _err "Sign failed." + _on_issue_err "$_post_hook" + return 1 + fi + if [ "$code" != "200" ]; then + _err "Sign failed, finalize code is not 200." + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + if [ -z "$Le_LinkOrder" ]; then + Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)" + fi + + _savedomainconf "Le_LinkOrder" "$Le_LinkOrder" + + _link_cert_retry=0 + _MAX_CERT_RETRY=30 + while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do + if _contains "$response" "\"status\":\"valid\""; then + _debug "Order status is valid." + Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)" + _debug Le_LinkCert "$Le_LinkCert" + if [ -z "$Le_LinkCert" ]; then + _err "Sign error, can not find Le_LinkCert" + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + break + elif _contains "$response" "\"processing\""; then + _info "Order status is processing, lets sleep and retry." + _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r') + _debug "_retryafter" "$_retryafter" + if [ "$_retryafter" ]; then + _info "Retry after: $_retryafter" + _sleep $_retryafter + else + _sleep 2 + fi + else + _err "Sign error, wrong status" + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + #the order is processing, so we are going to poll order status + if [ -z "$Le_LinkOrder" ]; then + _err "Sign error, can not get order link location header" + _err "responseHeaders" "$responseHeaders" + _on_issue_err "$_post_hook" + return 1 + fi + _info "Polling order status: $Le_LinkOrder" + if ! _send_signed_request "$Le_LinkOrder"; then + _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder." + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + _link_cert_retry="$(_math $_link_cert_retry + 1)" + done + + if [ -z "$Le_LinkCert" ]; then + _err "Sign failed, can not get Le_LinkCert, retry time limit." + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + _info "Downloading cert." + _info "Le_LinkCert" "$Le_LinkCert" + if ! _send_signed_request "$Le_LinkCert"; then + _err "Sign failed, can not download cert:$Le_LinkCert." + _err "$response" + _on_issue_err "$_post_hook" + return 1 + fi + + echo "$response" >"$CERT_PATH" + _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH" + if [ -z "$_preferred_chain" ]; then + _preferred_chain=$(_readcaconf DEFAULT_PREFERRED_CHAIN) + fi + if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then + if [ "$DEBUG" ]; then + _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")" + fi + if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then + rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)" + _debug2 "rels" "$rels" + for rel in $rels; do + _info "Try rel: $rel" + if ! _send_signed_request "$rel"; then + _err "Sign failed, can not download cert:$rel" + _err "$response" + continue + fi + _relcert="$CERT_PATH.alt" + _relfullchain="$CERT_FULLCHAIN_PATH.alt" + _relca="$CA_CERT_PATH.alt" + echo "$response" >"$_relcert" + _split_cert_chain "$_relcert" "$_relfullchain" "$_relca" + if [ "$DEBUG" ]; then + _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")" + fi + if _match_issuer "$_relfullchain" "$_preferred_chain"; then + _info "Matched issuer in: $rel" + cat $_relcert >"$CERT_PATH" + cat $_relfullchain >"$CERT_FULLCHAIN_PATH" + cat $_relca >"$CA_CERT_PATH" + rm -f "$_relcert" + rm -f "$_relfullchain" + rm -f "$_relca" + break + fi + rm -f "$_relcert" + rm -f "$_relfullchain" + rm -f "$_relca" + done + fi + fi + + _debug "Le_LinkCert" "$Le_LinkCert" + _savedomainconf "Le_LinkCert" "$Le_LinkCert" + + if [ -z "$Le_LinkCert" ] || ! _checkcert "$CERT_PATH"; then + response="$(echo "$response" | _dbase64 "multiline" | tr -d '\0' | _normalizeJson)" + _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')" + _on_issue_err "$_post_hook" + return 1 + fi + + if [ "$Le_LinkCert" ]; then + _info "$(__green "Cert success.")" + cat "$CERT_PATH" + + _info "Your cert is in: $(__green "$CERT_PATH")" + + if [ -f "$CERT_KEY_PATH" ]; then + _info "Your cert key is in: $(__green "$CERT_KEY_PATH")" + fi + + if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then + USER_PATH="$PATH" + _saveaccountconf "USER_PATH" "$USER_PATH" + fi + fi + + [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")" + [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")" + if [ "$Le_ForceNewDomainKey" ] && [ -e "$Le_Next_Domain_Key" ]; then + _info "Your pre-generated next key for future cert key change is in: $(__green "$Le_Next_Domain_Key")" + fi + + Le_CertCreateTime=$(_time) + _savedomainconf "Le_CertCreateTime" "$Le_CertCreateTime" + + Le_CertCreateTimeStr=$(_time2str "$Le_CertCreateTime") + _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr" + + if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then + Le_RenewalDays="$DEFAULT_RENEW" + else + _savedomainconf "Le_RenewalDays" "$Le_RenewalDays" + fi + + if [ "$CA_BUNDLE" ]; then + _saveaccountconf CA_BUNDLE "$CA_BUNDLE" + else + _clearaccountconf "CA_BUNDLE" + fi + + if [ "$CA_PATH" ]; then + _saveaccountconf CA_PATH "$CA_PATH" + else + _clearaccountconf "CA_PATH" + fi + + if [ "$HTTPS_INSECURE" ]; then + _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE" + else + _clearaccountconf "HTTPS_INSECURE" + fi + + if [ "$Le_Listen_V4" ]; then + _savedomainconf "Le_Listen_V4" "$Le_Listen_V4" + _cleardomainconf Le_Listen_V6 + elif [ "$Le_Listen_V6" ]; then + _savedomainconf "Le_Listen_V6" "$Le_Listen_V6" + _cleardomainconf Le_Listen_V4 + fi + + if [ "$Le_ForceNewDomainKey" = "1" ]; then + _savedomainconf "Le_ForceNewDomainKey" "$Le_ForceNewDomainKey" + else + _cleardomainconf Le_ForceNewDomainKey + fi + if [ "$_notAfter" ]; then + Le_NextRenewTime=$(_date2time "$_notAfter") + Le_NextRenewTimeStr="$_notAfter" + if [ "$_valid_to" ] && ! _startswith "$_valid_to" "+"; then + _info "The domain is set to be valid to: $_valid_to" + _info "It can not be renewed automatically" + _info "See: $_VALIDITY_WIKI" + else + _now=$(_time) + _debug2 "_now" "$_now" + _lifetime=$(_math $Le_NextRenewTime - $_now) + _debug2 "_lifetime" "$_lifetime" + if [ $_lifetime -gt 86400 ]; then + #if lifetime is logner than one day, it will renew one day before + Le_NextRenewTime=$(_math $Le_NextRenewTime - 86400) + Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime") + else + #if lifetime is less than 24 hours, it will renew one hour before + Le_NextRenewTime=$(_math $Le_NextRenewTime - 3600) + Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime") + fi + fi + else + Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60) + Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400) + Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime") + fi + _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr" + _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime" + + if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then + _savedomainconf "Le_RealCertPath" "$_real_cert" + _savedomainconf "Le_RealCACertPath" "$_real_ca" + _savedomainconf "Le_RealKeyPath" "$_real_key" + _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64" + _savedomainconf "Le_RealFullChainPath" "$_real_fullchain" + if ! _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd"; then + return 1 + fi + fi + + if ! _on_issue_success "$_post_hook" "$_renew_hook"; then + _err "Call hook error." + return 1 + fi +} + +#in_out_cert out_fullchain out_ca +_split_cert_chain() { + _certf="$1" + _fullchainf="$2" + _caf="$3" + if [ "$(grep -- "$BEGIN_CERT" "$_certf" | wc -l)" -gt "1" ]; then + _debug "Found cert chain" + cat "$_certf" >"$_fullchainf" + _end_n="$(grep -n -- "$END_CERT" "$_fullchainf" | _head_n 1 | cut -d : -f 1)" + _debug _end_n "$_end_n" + sed -n "1,${_end_n}p" "$_fullchainf" >"$_certf" + _end_n="$(_math $_end_n + 1)" + sed -n "${_end_n},9999p" "$_fullchainf" >"$_caf" + fi +} + +#domain [isEcc] [server] +renew() { + Le_Domain="$1" + if [ -z "$Le_Domain" ]; then + _usage "Usage: $PROJECT_ENTRY --renew --domain [--ecc] [--server server]" + return 1 + fi + + _isEcc="$2" + _renewServer="$3" + _debug "_renewServer" "$_renewServer" + + _initpath "$Le_Domain" "$_isEcc" + + _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT} + _info "$(__green "Renew: '$Le_Domain'")" + if [ ! -f "$DOMAIN_CONF" ]; then + _info "'$Le_Domain' is not an issued domain, skip." + return $RENEW_SKIP + fi + + if [ "$Le_RenewalDays" ]; then + _savedomainconf Le_RenewalDays "$Le_RenewalDays" + fi + + . "$DOMAIN_CONF" + _debug Le_API "$Le_API" + + case "$Le_API" in + "$CA_LETSENCRYPT_V2_TEST") + _info "Switching back to $CA_LETSENCRYPT_V2" + Le_API="$CA_LETSENCRYPT_V2" + ;; + "$CA_BUYPASS_TEST") + _info "Switching back to $CA_BUYPASS" + Le_API="$CA_BUYPASS" + ;; + "$CA_GOOGLE_TEST") + _info "Switching back to $CA_GOOGLE" + Le_API="$CA_GOOGLE" + ;; + esac + + if [ "$_server" ]; then + Le_API="$_server" + fi + _info "Renew to Le_API=$Le_API" + + _clearAPI + _clearCA + export ACME_DIRECTORY="$Le_API" + + #reload ca configs + _debug2 "initpath again." + _initpath "$Le_Domain" "$_isEcc" + + if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then + _info "Skip, Next renewal time is: $(__green "$Le_NextRenewTimeStr")" + _info "Add '$(__red '--force')' to force to renew." + if [ -z "$_ACME_IN_RENEWALL" ]; then + if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then + _send_notify "Renew $Le_Domain skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP" + fi + fi + return "$RENEW_SKIP" + fi + + if [ "$_ACME_IN_CRON" = "1" ] && [ -z "$Le_CertCreateTime" ]; then + _info "Skip invalid cert for: $Le_Domain" + return $RENEW_SKIP + fi + + _ACME_IS_RENEW="1" + Le_ReloadCmd="$(_readdomainconf Le_ReloadCmd)" + Le_PreHook="$(_readdomainconf Le_PreHook)" + Le_PostHook="$(_readdomainconf Le_PostHook)" + Le_RenewHook="$(_readdomainconf Le_RenewHook)" + Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)" + # When renewing from an old version, the empty Le_Keylength means 2048. + # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over + # time but an empty value implies 2048 specifically. + Le_Keylength="$(_readdomainconf Le_Keylength)" + if [ -z "$Le_Keylength" ]; then + Le_Keylength=2048 + fi + issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" + res="$?" + if [ "$res" != "0" ]; then + return "$res" + fi + + if [ "$Le_DeployHook" ]; then + _deploy "$Le_Domain" "$Le_DeployHook" + res="$?" + fi + + _ACME_IS_RENEW="" + if [ -z "$_ACME_IN_RENEWALL" ]; then + if [ "$res" = "0" ]; then + if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then + _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0 + fi + else + if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then + _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1 + fi + fi + fi + + return "$res" +} + +#renewAll [stopRenewOnError] [server] +renewAll() { + _initpath + _clearCA + _stopRenewOnError="$1" + _debug "_stopRenewOnError" "$_stopRenewOnError" + + _server="$2" + _debug "_server" "$_server" + + _ret="0" + _success_msg="" + _error_msg="" + _skipped_msg="" + _error_level=$NOTIFY_LEVEL_SKIP + _notify_code=$RENEW_SKIP + _set_level=${NOTIFY_LEVEL:-$NOTIFY_LEVEL_DEFAULT} + _debug "_set_level" "$_set_level" + export _ACME_IN_RENEWALL=1 + for di in "${CERT_HOME}"/*.*/; do + _debug di "$di" + if ! [ -d "$di" ]; then + _debug "Not a directory, skip: $di" + continue + fi + d=$(basename "$di") + _debug d "$d" + ( + if _endswith "$d" "$ECC_SUFFIX"; then + _isEcc=$(echo "$d" | cut -d "$ECC_SEP" -f 2) + d=$(echo "$d" | cut -d "$ECC_SEP" -f 1) + fi + renew "$d" "$_isEcc" "$_server" + ) + rc="$?" + _debug "Return code: $rc" + if [ "$rc" = "0" ]; then + if [ $_error_level -gt $NOTIFY_LEVEL_RENEW ]; then + _error_level="$NOTIFY_LEVEL_RENEW" + _notify_code=0 + fi + + if [ $_set_level -ge $NOTIFY_LEVEL_RENEW ]; then + if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then + _send_notify "Renew $d success" "Good, the cert is renewed." "$NOTIFY_HOOK" 0 + fi + fi + + _success_msg="${_success_msg} $d +" + elif [ "$rc" = "$RENEW_SKIP" ]; then + if [ $_error_level -gt $NOTIFY_LEVEL_SKIP ]; then + _error_level="$NOTIFY_LEVEL_SKIP" + _notify_code=$RENEW_SKIP + fi + + if [ $_set_level -ge $NOTIFY_LEVEL_SKIP ]; then + if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then + _send_notify "Renew $d skipped" "Good, the cert is skipped." "$NOTIFY_HOOK" "$RENEW_SKIP" + fi + fi + + _info "Skipped $d" + _skipped_msg="${_skipped_msg} $d +" + else + if [ $_error_level -gt $NOTIFY_LEVEL_ERROR ]; then + _error_level="$NOTIFY_LEVEL_ERROR" + _notify_code=1 + fi + + if [ $_set_level -ge $NOTIFY_LEVEL_ERROR ]; then + if [ "$NOTIFY_MODE" = "$NOTIFY_MODE_CERT" ]; then + _send_notify "Renew $d error" "There is an error." "$NOTIFY_HOOK" 1 + fi + fi + + _error_msg="${_error_msg} $d +" + if [ "$_stopRenewOnError" ]; then + _err "Error renew $d, stop now." + _ret="$rc" + break + else + _ret="$rc" + _err "Error renew $d." + fi + fi + done + _debug _error_level "$_error_level" + _debug _set_level "$_set_level" + if [ $_error_level -le $_set_level ]; then + if [ -z "$NOTIFY_MODE" ] || [ "$NOTIFY_MODE" = "$NOTIFY_MODE_BULK" ]; then + _msg_subject="Renew" + if [ "$_error_msg" ]; then + _msg_subject="${_msg_subject} Error" + _msg_data="Error certs: +${_error_msg} +" + fi + if [ "$_success_msg" ]; then + _msg_subject="${_msg_subject} Success" + _msg_data="${_msg_data}Success certs: +${_success_msg} +" + fi + if [ "$_skipped_msg" ]; then + _msg_subject="${_msg_subject} Skipped" + _msg_data="${_msg_data}Skipped certs: +${_skipped_msg} +" + fi + + _send_notify "$_msg_subject" "$_msg_data" "$NOTIFY_HOOK" "$_notify_code" + fi + fi + + return "$_ret" +} + +#csr webroot +signcsr() { + _csrfile="$1" + _csrW="$2" + if [ -z "$_csrfile" ] || [ -z "$_csrW" ]; then + _usage "Usage: $PROJECT_ENTRY --sign-csr --csr --webroot " + return 1 + fi + + _real_cert="$3" + _real_key="$4" + _real_ca="$5" + _reload_cmd="$6" + _real_fullchain="$7" + _pre_hook="${8}" + _post_hook="${9}" + _renew_hook="${10}" + _local_addr="${11}" + _challenge_alias="${12}" + _preferred_chain="${13}" + + _csrsubj=$(_readSubjectFromCSR "$_csrfile") + if [ "$?" != "0" ]; then + _err "Can not read subject from csr: $_csrfile" + return 1 + fi + _debug _csrsubj "$_csrsubj" + if _contains "$_csrsubj" ' ' || ! _contains "$_csrsubj" '.'; then + _info "It seems that the subject: $_csrsubj is not a valid domain name. Drop it." + _csrsubj="" + fi + + _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile") + if [ "$?" != "0" ]; then + _err "Can not read domain list from csr: $_csrfile" + return 1 + fi + _debug "_csrdomainlist" "$_csrdomainlist" + + if [ -z "$_csrsubj" ]; then + _csrsubj="$(_getfield "$_csrdomainlist" 1)" + _debug _csrsubj "$_csrsubj" + _csrdomainlist="$(echo "$_csrdomainlist" | cut -d , -f 2-)" + _debug "_csrdomainlist" "$_csrdomainlist" + fi + + if [ -z "$_csrsubj" ]; then + _err "Can not read subject from csr: $_csrfile" + return 1 + fi + + _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile") + if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then + _err "Can not read key length from csr: $_csrfile" + return 1 + fi + + _initpath "$_csrsubj" "$_csrkeylength" + mkdir -p "$DOMAIN_PATH" + + _info "Copy csr to: $CSR_PATH" + cp "$_csrfile" "$CSR_PATH" + + issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain" + +} + +showcsr() { + _csrfile="$1" + _csrd="$2" + if [ -z "$_csrfile" ] && [ -z "$_csrd" ]; then + _usage "Usage: $PROJECT_ENTRY --show-csr --csr " + return 1 + fi + + _initpath + + _csrsubj=$(_readSubjectFromCSR "$_csrfile") + if [ "$?" != "0" ]; then + _err "Can not read subject from csr: $_csrfile" + return 1 + fi + if [ -z "$_csrsubj" ]; then + _info "The Subject is empty" + fi + + _info "Subject=$_csrsubj" + + _csrdomainlist=$(_readSubjectAltNamesFromCSR "$_csrfile") + if [ "$?" != "0" ]; then + _err "Can not read domain list from csr: $_csrfile" + return 1 + fi + _debug "_csrdomainlist" "$_csrdomainlist" + + _info "SubjectAltNames=$_csrdomainlist" + + _csrkeylength=$(_readKeyLengthFromCSR "$_csrfile") + if [ "$?" != "0" ] || [ -z "$_csrkeylength" ]; then + _err "Can not read key length from csr: $_csrfile" + return 1 + fi + _info "KeyLength=$_csrkeylength" +} + +#listraw domain +list() { + _raw="$1" + _domain="$2" + _initpath + + _sep="|" + if [ "$_raw" ]; then + if [ -z "$_domain" ]; then + printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}CA${_sep}Created${_sep}Renew" + fi + for di in "${CERT_HOME}"/*.*/; do + d=$(basename "$di") + _debug d "$d" + ( + if _endswith "$d" "$ECC_SUFFIX"; then + _isEcc="ecc" + d=$(echo "$d" | cut -d "$ECC_SEP" -f 1) + fi + DOMAIN_CONF="$di/$d.conf" + if [ -f "$DOMAIN_CONF" ]; then + . "$DOMAIN_CONF" + _ca="$(_getCAShortName "$Le_API")" + if [ -z "$_domain" ]; then + printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$_ca${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr" + else + if [ "$_domain" = "$d" ]; then + cat "$DOMAIN_CONF" + fi + fi + fi + ) + done + else + if _exists column; then + list "raw" "$_domain" | column -t -s "$_sep" + else + list "raw" "$_domain" | tr "$_sep" '\t' + fi + fi + +} + +_deploy() { + _d="$1" + _hooks="$2" + + for _d_api in $(echo "$_hooks" | tr ',' " "); do + _deployApi="$(_findHook "$_d" $_SUB_FOLDER_DEPLOY "$_d_api")" + if [ -z "$_deployApi" ]; then + _err "The deploy hook $_d_api is not found." + return 1 + fi + _debug _deployApi "$_deployApi" + + if ! ( + if ! . "$_deployApi"; then + _err "Load file $_deployApi error. Please check your api file and try again." + return 1 + fi + + d_command="${_d_api}_deploy" + if ! _exists "$d_command"; then + _err "It seems that your api file is not correct, it must have a function named: $d_command" + return 1 + fi + + if ! $d_command "$_d" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$CERT_FULLCHAIN_PATH"; then + _err "Error deploy for domain:$_d" + return 1 + fi + ); then + _err "Deploy error." + return 1 + else + _info "$(__green Success)" + fi + done +} + +#domain hooks +deploy() { + _d="$1" + _hooks="$2" + _isEcc="$3" + if [ -z "$_hooks" ]; then + _usage "Usage: $PROJECT_ENTRY --deploy --domain --deploy-hook [--ecc] " + return 1 + fi + + _initpath "$_d" "$_isEcc" + if [ ! -d "$DOMAIN_PATH" ]; then + _err "The domain '$_d' is not a cert name. You must use the cert name to specify the cert to install." + _err "Can not find path:'$DOMAIN_PATH'" + return 1 + fi + + . "$DOMAIN_CONF" + + _savedomainconf Le_DeployHook "$_hooks" + + _deploy "$_d" "$_hooks" +} + +installcert() { + _main_domain="$1" + if [ -z "$_main_domain" ]; then + _usage "Usage: $PROJECT_ENTRY --install-cert --domain [--ecc] [--cert-file ] [--key-file ] [--ca-file ] [ --reloadcmd ] [--fullchain-file ]" + return 1 + fi + + _real_cert="$2" + _real_key="$3" + _real_ca="$4" + _reload_cmd="$5" + _real_fullchain="$6" + _isEcc="$7" + + _initpath "$_main_domain" "$_isEcc" + if [ ! -d "$DOMAIN_PATH" ]; then + _err "The domain '$_main_domain' is not a cert name. You must use the cert name to specify the cert to install." + _err "Can not find path:'$DOMAIN_PATH'" + return 1 + fi + + _savedomainconf "Le_RealCertPath" "$_real_cert" + _savedomainconf "Le_RealCACertPath" "$_real_ca" + _savedomainconf "Le_RealKeyPath" "$_real_key" + _savedomainconf "Le_ReloadCmd" "$_reload_cmd" "base64" + _savedomainconf "Le_RealFullChainPath" "$_real_fullchain" + export Le_ForceNewDomainKey="$(_readdomainconf Le_ForceNewDomainKey)" + export Le_Next_Domain_Key + _installcert "$_main_domain" "$_real_cert" "$_real_key" "$_real_ca" "$_real_fullchain" "$_reload_cmd" +} + +#domain cert key ca fullchain reloadcmd backup-prefix +_installcert() { + _main_domain="$1" + _real_cert="$2" + _real_key="$3" + _real_ca="$4" + _real_fullchain="$5" + _reload_cmd="$6" + _backup_prefix="$7" + + if [ "$_real_cert" = "$NO_VALUE" ]; then + _real_cert="" + fi + if [ "$_real_key" = "$NO_VALUE" ]; then + _real_key="" + fi + if [ "$_real_ca" = "$NO_VALUE" ]; then + _real_ca="" + fi + if [ "$_reload_cmd" = "$NO_VALUE" ]; then + _reload_cmd="" + fi + if [ "$_real_fullchain" = "$NO_VALUE" ]; then + _real_fullchain="" + fi + + _backup_path="$DOMAIN_BACKUP_PATH/$_backup_prefix" + mkdir -p "$_backup_path" + + if [ "$_real_cert" ]; then + _info "Installing cert to: $_real_cert" + if [ -f "$_real_cert" ] && [ ! "$_ACME_IS_RENEW" ]; then + cp "$_real_cert" "$_backup_path/cert.bak" + fi + if [ "$CERT_PATH" != "$_real_cert" ]; then + cat "$CERT_PATH" >"$_real_cert" || return 1 + fi + fi + + if [ "$_real_ca" ]; then + _info "Installing CA to: $_real_ca" + if [ "$_real_ca" = "$_real_cert" ]; then + echo "" >>"$_real_ca" + cat "$CA_CERT_PATH" >>"$_real_ca" || return 1 + else + if [ -f "$_real_ca" ] && [ ! "$_ACME_IS_RENEW" ]; then + cp "$_real_ca" "$_backup_path/ca.bak" + fi + if [ "$CA_CERT_PATH" != "$_real_ca" ]; then + cat "$CA_CERT_PATH" >"$_real_ca" || return 1 + fi + fi + fi + + if [ "$_real_key" ]; then + _info "Installing key to: $_real_key" + if [ -f "$_real_key" ] && [ ! "$_ACME_IS_RENEW" ]; then + cp "$_real_key" "$_backup_path/key.bak" + fi + if [ "$CERT_KEY_PATH" != "$_real_key" ]; then + if [ -f "$_real_key" ]; then + cat "$CERT_KEY_PATH" >"$_real_key" || return 1 + else + touch "$_real_key" || return 1 + chmod 600 "$_real_key" + cat "$CERT_KEY_PATH" >"$_real_key" || return 1 + fi + fi + fi + + if [ "$_real_fullchain" ]; then + _info "Installing full chain to: $_real_fullchain" + if [ -f "$_real_fullchain" ] && [ ! "$_ACME_IS_RENEW" ]; then + cp "$_real_fullchain" "$_backup_path/fullchain.bak" + fi + if [ "$_real_fullchain" != "$CERT_FULLCHAIN_PATH" ]; then + cat "$CERT_FULLCHAIN_PATH" >"$_real_fullchain" || return 1 + fi + fi + + if [ "$_reload_cmd" ]; then + _info "Run reload cmd: $_reload_cmd" + if ( + export CERT_PATH + export CERT_KEY_PATH + export CA_CERT_PATH + export CERT_FULLCHAIN_PATH + export Le_Domain="$_main_domain" + export Le_ForceNewDomainKey + export Le_Next_Domain_Key + cd "$DOMAIN_PATH" && eval "$_reload_cmd" + ); then + _info "$(__green "Reload success")" + else + _err "Reload error for :$Le_Domain" + fi + fi + +} + +__read_password() { + unset _pp + prompt="Enter Password:" + while IFS= read -p "$prompt" -r -s -n 1 char; do + if [ "$char" = $'\0' ]; then + break + fi + prompt='*' + _pp="$_pp$char" + done + echo "$_pp" +} + +_install_win_taskscheduler() { + _lesh="$1" + _centry="$2" + _randomminute="$3" + if ! _exists cygpath; then + _err "cygpath not found" + return 1 + fi + if ! _exists schtasks; then + _err "schtasks.exe is not found, are you on Windows?" + return 1 + fi + _winbash="$(cygpath -w $(which bash))" + _debug _winbash "$_winbash" + if [ -z "$_winbash" ]; then + _err "can not find bash path" + return 1 + fi + _myname="$(whoami)" + _debug "_myname" "$_myname" + if [ -z "$_myname" ]; then + _err "can not find my user name" + return 1 + fi + _debug "_lesh" "$_lesh" + + _info "To install scheduler task in your Windows account, you must input your windows password." + _info "$PROJECT_NAME doesn't save your password." + _info "Please input your Windows password for: $(__green "$_myname")" + _password="$(__read_password)" + #SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'" >/dev/null + echo SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "\"$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'\"" | cmd.exe >/dev/null + echo + +} + +_uninstall_win_taskscheduler() { + if ! _exists schtasks; then + _err "schtasks.exe is not found, are you on Windows?" + return 1 + fi + if ! echo SCHTASKS /query /tn "$_WINDOWS_SCHEDULER_NAME" | cmd.exe >/dev/null; then + _debug "scheduler $_WINDOWS_SCHEDULER_NAME is not found." + else + _info "Removing $_WINDOWS_SCHEDULER_NAME" + echo SCHTASKS /delete /f /tn "$_WINDOWS_SCHEDULER_NAME" | cmd.exe >/dev/null + fi +} + +#confighome +installcronjob() { + _c_home="$1" + _initpath + _CRONTAB="crontab" + if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then + lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY" + else + _debug "_SCRIPT_" "$_SCRIPT_" + _script="$(_readlink "$_SCRIPT_")" + _debug _script "$_script" + if [ -f "$_script" ]; then + _info "Using the current script from: $_script" + lesh="$_script" + else + _err "Can not install cronjob, $PROJECT_ENTRY not found." + return 1 + fi + fi + if [ "$_c_home" ]; then + _c_entry="--config-home \"$_c_home\" " + fi + _t=$(_time) + random_minute=$(_math $_t % 60) + + if ! _exists "$_CRONTAB" && _exists "fcrontab"; then + _CRONTAB="fcrontab" + fi + + if ! _exists "$_CRONTAB"; then + if _exists cygpath && _exists schtasks.exe; then + _info "It seems you are on Windows, let's install Windows scheduler task." + if _install_win_taskscheduler "$lesh" "$_c_entry" "$random_minute"; then + _info "Install Windows scheduler task success." + return 0 + else + _err "Install Windows scheduler task failed." + return 1 + fi + fi + _err "crontab/fcrontab doesn't exist, so, we can not install cron jobs." + _err "All your certs will not be renewed automatically." + _err "You must add your own cron job to call '$PROJECT_ENTRY --cron' everyday." + return 1 + fi + _info "Installing cron job" + if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then + if _exists uname && uname -a | grep SunOS >/dev/null; then + $_CRONTAB -l | { + cat + echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" + } | $_CRONTAB -- + else + $_CRONTAB -l | { + cat + echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" + } | $_CRONTAB - + fi + fi + if [ "$?" != "0" ]; then + _err "Install cron job failed. You need to manually renew your certs." + _err "Or you can add cronjob by yourself:" + _err "$lesh --cron --home \"$LE_WORKING_DIR\" > /dev/null" + return 1 + fi +} + +uninstallcronjob() { + _CRONTAB="crontab" + if ! _exists "$_CRONTAB" && _exists "fcrontab"; then + _CRONTAB="fcrontab" + fi + + if ! _exists "$_CRONTAB"; then + if _exists cygpath && _exists schtasks.exe; then + _info "It seems you are on Windows, let's uninstall Windows scheduler task." + if _uninstall_win_taskscheduler; then + _info "Uninstall Windows scheduler task success." + return 0 + else + _err "Uninstall Windows scheduler task failed." + return 1 + fi + fi + return + fi + _info "Removing cron job" + cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")" + if [ "$cr" ]; then + if _exists uname && uname -a | grep SunOS >/dev/null; then + $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB -- + else + $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB - + fi + LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')" + _info LE_WORKING_DIR "$LE_WORKING_DIR" + if _contains "$cr" "--config-home"; then + LE_CONFIG_HOME="$(echo "$cr" | cut -d ' ' -f 11 | tr -d '"')" + _debug LE_CONFIG_HOME "$LE_CONFIG_HOME" + fi + fi + _initpath + +} + +#domain isECC revokeReason +revoke() { + Le_Domain="$1" + if [ -z "$Le_Domain" ]; then + _usage "Usage: $PROJECT_ENTRY --revoke --domain [--ecc]" + return 1 + fi + + _isEcc="$2" + _reason="$3" + if [ -z "$_reason" ]; then + _reason="0" + fi + _initpath "$Le_Domain" "$_isEcc" + if [ ! -f "$DOMAIN_CONF" ]; then + _err "$Le_Domain is not a issued domain, skip." + return 1 + fi + + if [ ! -f "$CERT_PATH" ]; then + _err "Cert for $Le_Domain $CERT_PATH is not found, skip." + return 1 + fi + + . "$DOMAIN_CONF" + _debug Le_API "$Le_API" + + if [ "$Le_API" ]; then + if [ "$Le_API" != "$ACME_DIRECTORY" ]; then + _clearAPI + fi + export ACME_DIRECTORY="$Le_API" + #reload ca configs + ACCOUNT_KEY_PATH="" + ACCOUNT_JSON_PATH="" + CA_CONF="" + _debug3 "initpath again." + _initpath "$Le_Domain" "$_isEcc" + _initAPI + fi + + cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)" + + if [ -z "$cert" ]; then + _err "Cert for $Le_Domain is empty found, skip." + return 1 + fi + + _initAPI + + data="{\"certificate\": \"$cert\",\"reason\":$_reason}" + + uri="${ACME_REVOKE_CERT}" + + if [ -f "$CERT_KEY_PATH" ]; then + _info "Try domain key first." + if _send_signed_request "$uri" "$data" "" "$CERT_KEY_PATH"; then + if [ -z "$response" ]; then + _info "Revoke success." + rm -f "$CERT_PATH" + cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" + cat "$CSR_PATH" >"$CSR_PATH.revoked" + return 0 + else + _err "Revoke error by domain key." + _err "$response" + fi + fi + else + _info "Domain key file doesn't exist." + fi + + _info "Try account key." + + if _send_signed_request "$uri" "$data" "" "$ACCOUNT_KEY_PATH"; then + if [ -z "$response" ]; then + _info "Revoke success." + rm -f "$CERT_PATH" + cat "$CERT_KEY_PATH" >"$CERT_KEY_PATH.revoked" + cat "$CSR_PATH" >"$CSR_PATH.revoked" + return 0 + else + _err "Revoke error." + _debug "$response" + fi + fi + return 1 +} + +#domain ecc +remove() { + Le_Domain="$1" + if [ -z "$Le_Domain" ]; then + _usage "Usage: $PROJECT_ENTRY --remove --domain [--ecc]" + return 1 + fi + + _isEcc="$2" + + _initpath "$Le_Domain" "$_isEcc" + _removed_conf="$DOMAIN_CONF.removed" + if [ ! -f "$DOMAIN_CONF" ]; then + if [ -f "$_removed_conf" ]; then + _err "$Le_Domain is already removed, You can remove the folder by yourself: $DOMAIN_PATH" + else + _err "$Le_Domain is not a issued domain, skip." + fi + return 1 + fi + + if mv "$DOMAIN_CONF" "$_removed_conf"; then + _info "$Le_Domain is removed, the key and cert files are in $(__green $DOMAIN_PATH)" + _info "You can remove them by yourself." + return 0 + else + _err "Remove $Le_Domain failed." + return 1 + fi +} + +#domain vtype +_deactivate() { + _d_domain="$1" + _d_type="$2" + _initpath "$_d_domain" "$_d_type" + + . "$DOMAIN_CONF" + _debug Le_API "$Le_API" + + if [ "$Le_API" ]; then + if [ "$Le_API" != "$ACME_DIRECTORY" ]; then + _clearAPI + fi + export ACME_DIRECTORY="$Le_API" + #reload ca configs + ACCOUNT_KEY_PATH="" + ACCOUNT_JSON_PATH="" + CA_CONF="" + _debug3 "initpath again." + _initpath "$Le_Domain" "$_d_type" + _initAPI + fi + + _identifiers="{\"type\":\"$(_getIdType "$_d_domain")\",\"value\":\"$_d_domain\"}" + if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then + _err "Can not get domain new order." + return 1 + fi + _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')" + _debug2 _authorizations_seg "$_authorizations_seg" + if [ -z "$_authorizations_seg" ]; then + _err "_authorizations_seg not found." + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + authzUri="$_authorizations_seg" + _debug2 "authzUri" "$authzUri" + if ! _send_signed_request "$authzUri"; then + _err "get to authz error." + _err "_authorizations_seg" "$_authorizations_seg" + _err "authzUri" "$authzUri" + _clearup + _on_issue_err "$_post_hook" + return 1 + fi + + response="$(echo "$response" | _normalizeJson)" + _debug2 response "$response" + _URL_NAME="url" + + entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n\n' | grep "\"status\": *\"valid\"")" + if [ -z "$entries" ]; then + _info "No valid entries found." + if [ -z "$thumbprint" ]; then + thumbprint="$(__calc_account_thumbprint)" + fi + _debug "Trigger validation." + vtype="$(_getIdType "$_d_domain")" + entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" + _debug entry "$entry" + if [ -z "$entry" ]; then + _err "Error, can not get domain token $d" + return 1 + fi + token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')" + _debug token "$token" + + uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*" | cut -d : -f 2,3 | tr -d '"')" + _debug uri "$uri" + + keyauthorization="$token.$thumbprint" + _debug keyauthorization "$keyauthorization" + __trigger_validation "$uri" "$keyauthorization" + + fi + + _d_i=0 + _d_max_retry=$(echo "$entries" | wc -l) + while [ "$_d_i" -lt "$_d_max_retry" ]; do + _info "Deactivate: $_d_domain" + _d_i="$(_math $_d_i + 1)" + entry="$(echo "$entries" | sed -n "${_d_i}p")" + _debug entry "$entry" + + if [ -z "$entry" ]; then + _info "No more valid entry found." + break + fi + + _vtype="$(echo "$entry" | _egrep_o '"type": *"[^"]*"' | cut -d : -f 2 | tr -d '"')" + _debug _vtype "$_vtype" + _info "Found $_vtype" + + uri="$(echo "$entry" | _egrep_o "\"$_URL_NAME\":\"[^\"]*\"" | tr -d '" ' | cut -d : -f 2-)" + _debug uri "$uri" + + if [ "$_d_type" ] && [ "$_d_type" != "$_vtype" ]; then + _info "Skip $_vtype" + continue + fi + + _info "Deactivate: $_vtype" + + _djson="{\"status\":\"deactivated\"}" + + if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then + _info "Deactivate: $_vtype success." + else + _err "Can not deactivate $_vtype." + break + fi + + done + _debug "$_d_i" + if [ "$_d_i" -eq "$_d_max_retry" ]; then + _info "Deactivated success!" + else + _err "Deactivate failed." + fi + +} + +deactivate() { + _d_domain_list="$1" + _d_type="$2" + _initpath + _initAPI + _debug _d_domain_list "$_d_domain_list" + if [ -z "$(echo $_d_domain_list | cut -d , -f 1)" ]; then + _usage "Usage: $PROJECT_ENTRY --deactivate --domain [--domain ...]" + return 1 + fi + for _d_dm in $(echo "$_d_domain_list" | tr ',' ' '); do + if [ -z "$_d_dm" ] || [ "$_d_dm" = "$NO_VALUE" ]; then + continue + fi + if ! _deactivate "$_d_dm" "$_d_type"; then + return 1 + fi + done +} + +# Detect profile file if not specified as environment variable +_detect_profile() { + if [ -n "$PROFILE" -a -f "$PROFILE" ]; then + echo "$PROFILE" + return + fi + + DETECTED_PROFILE='' + SHELLTYPE="$(basename "/$SHELL")" + + if [ "$SHELLTYPE" = "bash" ]; then + if [ -f "$HOME/.bashrc" ]; then + DETECTED_PROFILE="$HOME/.bashrc" + elif [ -f "$HOME/.bash_profile" ]; then + DETECTED_PROFILE="$HOME/.bash_profile" + fi + elif [ "$SHELLTYPE" = "zsh" ]; then + DETECTED_PROFILE="$HOME/.zshrc" + fi + + if [ -z "$DETECTED_PROFILE" ]; then + if [ -f "$HOME/.profile" ]; then + DETECTED_PROFILE="$HOME/.profile" + elif [ -f "$HOME/.bashrc" ]; then + DETECTED_PROFILE="$HOME/.bashrc" + elif [ -f "$HOME/.bash_profile" ]; then + DETECTED_PROFILE="$HOME/.bash_profile" + elif [ -f "$HOME/.zshrc" ]; then + DETECTED_PROFILE="$HOME/.zshrc" + fi + fi + + echo "$DETECTED_PROFILE" +} + +_initconf() { + _initpath + if [ ! -f "$ACCOUNT_CONF_PATH" ]; then + echo " + +#LOG_FILE=\"$DEFAULT_LOG_FILE\" +#LOG_LEVEL=1 + +#AUTO_UPGRADE=\"1\" + +#NO_TIMESTAMP=1 + + " >"$ACCOUNT_CONF_PATH" + fi +} + +# nocron +_precheck() { + _nocron="$1" + + if ! _exists "curl" && ! _exists "wget"; then + _err "Please install curl or wget first, we need to access http resources." + return 1 + fi + + if [ -z "$_nocron" ]; then + if ! _exists "crontab" && ! _exists "fcrontab"; then + if _exists cygpath && _exists schtasks.exe; then + _info "It seems you are on Windows, we will install Windows scheduler task." + else + _err "It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'." + _err "We need to set cron job to renew the certs automatically." + _err "Otherwise, your certs will not be able to be renewed automatically." + if [ -z "$FORCE" ]; then + _err "Please add '--force' and try install again to go without crontab." + _err "./$PROJECT_ENTRY --install --force" + return 1 + fi + fi + fi + fi + + if ! _exists "${ACME_OPENSSL_BIN:-openssl}"; then + _err "Please install openssl first. ACME_OPENSSL_BIN=$ACME_OPENSSL_BIN" + _err "We need openssl to generate keys." + return 1 + fi + + if ! _exists "socat"; then + _err "It is recommended to install socat first." + _err "We use socat for standalone server if you use standalone mode." + _err "If you don't use standalone mode, just ignore this warning." + fi + + return 0 +} + +_setShebang() { + _file="$1" + _shebang="$2" + if [ -z "$_shebang" ]; then + _usage "Usage: file shebang" + return 1 + fi + cp "$_file" "$_file.tmp" + echo "$_shebang" >"$_file" + sed -n 2,99999p "$_file.tmp" >>"$_file" + rm -f "$_file.tmp" +} + +#confighome +_installalias() { + _c_home="$1" + _initpath + + _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env" + if [ "$_upgrading" ] && [ "$_upgrading" = "1" ]; then + echo "$(cat "$_envfile")" | sed "s|^LE_WORKING_DIR.*$||" >"$_envfile" + echo "$(cat "$_envfile")" | sed "s|^alias le.*$||" >"$_envfile" + echo "$(cat "$_envfile")" | sed "s|^alias le.sh.*$||" >"$_envfile" + fi + + if [ "$_c_home" ]; then + _c_entry=" --config-home '$_c_home'" + fi + + _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\"" + if [ "$_c_home" ]; then + _setopt "$_envfile" "export LE_CONFIG_HOME" "=" "\"$LE_CONFIG_HOME\"" + else + _sed_i "/^export LE_CONFIG_HOME/d" "$_envfile" + fi + _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\"" + + _profile="$(_detect_profile)" + if [ "$_profile" ]; then + _debug "Found profile: $_profile" + _info "Installing alias to '$_profile'" + _setopt "$_profile" ". \"$_envfile\"" + _info "OK, Close and reopen your terminal to start using $PROJECT_NAME" + else + _info "No profile is found, you will need to go into $LE_WORKING_DIR to use $PROJECT_NAME" + fi + + #for csh + _cshfile="$LE_WORKING_DIR/$PROJECT_ENTRY.csh" + _csh_profile="$HOME/.cshrc" + if [ -f "$_csh_profile" ]; then + _info "Installing alias to '$_csh_profile'" + _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\"" + if [ "$_c_home" ]; then + _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\"" + else + _sed_i "/^setenv LE_CONFIG_HOME/d" "$_cshfile" + fi + _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\"" + _setopt "$_csh_profile" "source \"$_cshfile\"" + fi + + #for tcsh + _tcsh_profile="$HOME/.tcshrc" + if [ -f "$_tcsh_profile" ]; then + _info "Installing alias to '$_tcsh_profile'" + _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\"" + if [ "$_c_home" ]; then + _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\"" + fi + _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\"" + _setopt "$_tcsh_profile" "source \"$_cshfile\"" + fi + +} + +# nocron confighome noprofile accountemail +install() { + + if [ -z "$LE_WORKING_DIR" ]; then + LE_WORKING_DIR="$DEFAULT_INSTALL_HOME" + fi + + _nocron="$1" + _c_home="$2" + _noprofile="$3" + _accountemail="$4" + + if ! _initpath; then + _err "Install failed." + return 1 + fi + if [ "$_nocron" ]; then + _debug "Skip install cron job" + fi + + if [ "$_ACME_IN_CRON" != "1" ]; then + if ! _precheck "$_nocron"; then + _err "Pre-check failed, can not install." + return 1 + fi + fi + + if [ -z "$_c_home" ] && [ "$LE_CONFIG_HOME" != "$LE_WORKING_DIR" ]; then + _info "Using config home: $LE_CONFIG_HOME" + _c_home="$LE_CONFIG_HOME" + fi + + #convert from le + if [ -d "$HOME/.le" ]; then + for envfile in "le.env" "le.sh.env"; do + if [ -f "$HOME/.le/$envfile" ]; then + if grep "le.sh" "$HOME/.le/$envfile" >/dev/null; then + _upgrading="1" + _info "You are upgrading from le.sh" + _info "Renaming \"$HOME/.le\" to $LE_WORKING_DIR" + mv "$HOME/.le" "$LE_WORKING_DIR" + mv "$LE_WORKING_DIR/$envfile" "$LE_WORKING_DIR/$PROJECT_ENTRY.env" + break + fi + fi + done + fi + + _info "Installing to $LE_WORKING_DIR" + + if [ ! -d "$LE_WORKING_DIR" ]; then + if ! mkdir -p "$LE_WORKING_DIR"; then + _err "Can not create working dir: $LE_WORKING_DIR" + return 1 + fi + + chmod 700 "$LE_WORKING_DIR" + fi + + if [ ! -d "$LE_CONFIG_HOME" ]; then + if ! mkdir -p "$LE_CONFIG_HOME"; then + _err "Can not create config dir: $LE_CONFIG_HOME" + return 1 + fi + + chmod 700 "$LE_CONFIG_HOME" + fi + + cp "$PROJECT_ENTRY" "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY" + + if [ "$?" != "0" ]; then + _err "Install failed, can not copy $PROJECT_ENTRY" + return 1 + fi + + _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY" + + if [ "$_ACME_IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then + _installalias "$_c_home" + fi + + for subf in $_SUB_FOLDERS; do + if [ -d "$subf" ]; then + mkdir -p "$LE_WORKING_DIR/$subf" + cp "$subf"/* "$LE_WORKING_DIR"/"$subf"/ + fi + done + + if [ ! -f "$ACCOUNT_CONF_PATH" ]; then + _initconf + fi + + if [ "$_DEFAULT_ACCOUNT_CONF_PATH" != "$ACCOUNT_CONF_PATH" ]; then + _setopt "$_DEFAULT_ACCOUNT_CONF_PATH" "ACCOUNT_CONF_PATH" "=" "\"$ACCOUNT_CONF_PATH\"" + fi + + if [ "$_DEFAULT_CERT_HOME" != "$CERT_HOME" ]; then + _saveaccountconf "CERT_HOME" "$CERT_HOME" + fi + + if [ "$_DEFAULT_ACCOUNT_KEY_PATH" != "$ACCOUNT_KEY_PATH" ]; then + _saveaccountconf "ACCOUNT_KEY_PATH" "$ACCOUNT_KEY_PATH" + fi + + if [ -z "$_nocron" ]; then + installcronjob "$_c_home" + fi + + if [ -z "$NO_DETECT_SH" ]; then + #Modify shebang + if _exists bash; then + _bash_path="$(bash -c "command -v bash 2>/dev/null")" + if [ -z "$_bash_path" ]; then + _bash_path="$(bash -c 'echo $SHELL')" + fi + fi + if [ "$_bash_path" ]; then + _info "Good, bash is found, so change the shebang to use bash as preferred." + _shebang='#!'"$_bash_path" + _setShebang "$LE_WORKING_DIR/$PROJECT_ENTRY" "$_shebang" + for subf in $_SUB_FOLDERS; do + if [ -d "$LE_WORKING_DIR/$subf" ]; then + for _apifile in "$LE_WORKING_DIR/$subf/"*.sh; do + _setShebang "$_apifile" "$_shebang" + done + fi + done + fi + fi + + if [ "$_accountemail" ]; then + _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail" + fi + _saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)" + _info OK +} + +# nocron +uninstall() { + _nocron="$1" + if [ -z "$_nocron" ]; then + uninstallcronjob + fi + _initpath + + _uninstallalias + + rm -f "$LE_WORKING_DIR/$PROJECT_ENTRY" + _info "The keys and certs are in \"$(__green "$LE_CONFIG_HOME")\", you can remove them by yourself." + +} + +_uninstallalias() { + _initpath + + _profile="$(_detect_profile)" + if [ "$_profile" ]; then + _info "Uninstalling alias from: '$_profile'" + text="$(cat "$_profile")" + echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" >"$_profile" + fi + + _csh_profile="$HOME/.cshrc" + if [ -f "$_csh_profile" ]; then + _info "Uninstalling alias from: '$_csh_profile'" + text="$(cat "$_csh_profile")" + echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_csh_profile" + fi + + _tcsh_profile="$HOME/.tcshrc" + if [ -f "$_tcsh_profile" ]; then + _info "Uninstalling alias from: '$_csh_profile'" + text="$(cat "$_tcsh_profile")" + echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" >"$_tcsh_profile" + fi + +} + +cron() { + export _ACME_IN_CRON=1 + _initpath + _info "$(__green "===Starting cron===")" + if [ "$AUTO_UPGRADE" = "1" ]; then + export LE_WORKING_DIR + ( + if ! upgrade; then + _err "Cron:Upgrade failed!" + return 1 + fi + ) + . "$LE_WORKING_DIR/$PROJECT_ENTRY" >/dev/null + + if [ -t 1 ]; then + __INTERACTIVE="1" + fi + + _info "Auto upgraded to: $VER" + fi + renewAll + _ret="$?" + _ACME_IN_CRON="" + _info "$(__green "===End cron===")" + exit $_ret +} + +version() { + echo "$PROJECT" + echo "v$VER" +} + +# subject content hooks code +_send_notify() { + _nsubject="$1" + _ncontent="$2" + _nhooks="$3" + _nerror="$4" + + if [ "$NOTIFY_LEVEL" = "$NOTIFY_LEVEL_DISABLE" ]; then + _debug "The NOTIFY_LEVEL is $NOTIFY_LEVEL, disabled, just return." + return 0 + fi + + if [ -z "$_nhooks" ]; then + _debug "The NOTIFY_HOOK is empty, just return." + return 0 + fi + + _nsource="$NOTIFY_SOURCE" + if [ -z "$_nsource" ]; then + _nsource="$(hostname)" + fi + + _nsubject="$_nsubject by $_nsource" + + _send_err=0 + for _n_hook in $(echo "$_nhooks" | tr ',' " "); do + _n_hook_file="$(_findHook "" $_SUB_FOLDER_NOTIFY "$_n_hook")" + _info "Sending via: $_n_hook" + _debug "Found $_n_hook_file for $_n_hook" + if [ -z "$_n_hook_file" ]; then + _err "Can not find the hook file for $_n_hook" + continue + fi + if ! ( + if ! . "$_n_hook_file"; then + _err "Load file $_n_hook_file error. Please check your api file and try again." + return 1 + fi + + d_command="${_n_hook}_send" + if ! _exists "$d_command"; then + _err "It seems that your api file is not correct, it must have a function named: $d_command" + return 1 + fi + + if ! $d_command "$_nsubject" "$_ncontent" "$_nerror"; then + _err "Error send message by $d_command" + return 1 + fi + + return 0 + ); then + _err "Set $_n_hook_file error." + _send_err=1 + else + _info "$_n_hook $(__green Success)" + fi + done + return $_send_err + +} + +# hook +_set_notify_hook() { + _nhooks="$1" + + _test_subject="Hello, this is a notification from $PROJECT_NAME" + _test_content="If you receive this message, your notification works." + + _send_notify "$_test_subject" "$_test_content" "$_nhooks" 0 + +} + +#[hook] [level] [mode] +setnotify() { + _nhook="$1" + _nlevel="$2" + _nmode="$3" + _nsource="$4" + + _initpath + + if [ -z "$_nhook$_nlevel$_nmode$_nsource" ]; then + _usage "Usage: $PROJECT_ENTRY --set-notify [--notify-hook ] [--notify-level <0|1|2|3>] [--notify-mode <0|1>] [--notify-source ]" + _usage "$_NOTIFY_WIKI" + return 1 + fi + + if [ "$_nlevel" ]; then + _info "Set notify level to: $_nlevel" + export "NOTIFY_LEVEL=$_nlevel" + _saveaccountconf "NOTIFY_LEVEL" "$NOTIFY_LEVEL" + fi + + if [ "$_nmode" ]; then + _info "Set notify mode to: $_nmode" + export "NOTIFY_MODE=$_nmode" + _saveaccountconf "NOTIFY_MODE" "$NOTIFY_MODE" + fi + + if [ "$_nsource" ]; then + _info "Set notify source to: $_nsource" + export "NOTIFY_SOURCE=$_nsource" + _saveaccountconf "NOTIFY_SOURCE" "$NOTIFY_SOURCE" + fi + + if [ "$_nhook" ]; then + _info "Set notify hook to: $_nhook" + if [ "$_nhook" = "$NO_VALUE" ]; then + _info "Clear notify hook" + _clearaccountconf "NOTIFY_HOOK" + else + if _set_notify_hook "$_nhook"; then + export NOTIFY_HOOK="$_nhook" + _saveaccountconf "NOTIFY_HOOK" "$NOTIFY_HOOK" + return 0 + else + _err "Can not set notify hook to: $_nhook" + return 1 + fi + fi + fi + +} + +showhelp() { + _initpath + version + echo "Usage: $PROJECT_ENTRY ... [parameters ...] +Commands: + -h, --help Show this help message. + -v, --version Show version info. + --install Install $PROJECT_NAME to your system. + --uninstall Uninstall $PROJECT_NAME, and uninstall the cron job. + --upgrade Upgrade $PROJECT_NAME to the latest code from $PROJECT. + --issue Issue a cert. + --deploy Deploy the cert to your server. + -i, --install-cert Install the issued cert to apache/nginx or any other server. + -r, --renew Renew a cert. + --renew-all Renew all the certs. + --revoke Revoke a cert. + --remove Remove the cert from list of certs known to $PROJECT_NAME. + --list List all the certs. + --info Show the $PROJECT_NAME configs, or the configs for a domain with [-d domain] parameter. + --to-pkcs12 Export the certificate and key to a pfx file. + --to-pkcs8 Convert to pkcs8 format. + --sign-csr Issue a cert from an existing csr. + --show-csr Show the content of a csr. + -ccr, --create-csr Create CSR, professional use. + --create-domain-key Create an domain private key, professional use. + --update-account Update account info. + --register-account Register account key. + --deactivate-account Deactivate the account. + --create-account-key Create an account private key, professional use. + --install-cronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job. + --uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically. + --cron Run cron job to renew all the certs. + --set-notify Set the cron notification hook, level or mode. + --deactivate Deactivate the domain authz, professional use. + --set-default-ca Used with '--server', Set the default CA to use. + See: $_SERVER_WIKI + --set-default-chain Set the default preferred chain for a CA. + See: $_PREFERRED_CHAIN_WIKI + + +Parameters: + -d, --domain Specifies a domain, used to issue, renew or revoke etc. + --challenge-alias The challenge domain alias for DNS alias mode. + See: $_DNS_ALIAS_WIKI + + --domain-alias The domain alias for DNS alias mode. + See: $_DNS_ALIAS_WIKI + + --preferred-chain If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. + If no match, the default offered chain will be used. (default: empty) + See: $_PREFERRED_CHAIN_WIKI + + --valid-to Request the NotAfter field of the cert. + See: $_VALIDITY_WIKI + --valid-from Request the NotBefore field of the cert. + See: $_VALIDITY_WIKI + + -f, --force Force install, force cert renewal or override sudo restrictions. + --staging, --test Use staging server, for testing. + --debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted. + --output-insecure Output all the sensitive messages. + By default all the credentials/sensitive messages are hidden from the output/debug/log for security. + -w, --webroot Specifies the web root folder for web root mode. + --standalone Use standalone mode. + --alpn Use standalone alpn mode. + --stateless Use stateless mode. + See: $_STATELESS_WIKI + + --apache Use apache mode. + --dns [dns_hook] Use dns manual mode or dns api. Defaults to manual mode when argument is omitted. + See: $_DNS_API_WIKI + + --dnssleep The time in seconds to wait for all the txt records to propagate in dns api mode. + It's not necessary to use this by default, $PROJECT_NAME polls dns status by DOH automatically. + -k, --keylength Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521. + -ak, --accountkeylength Specifies the account key length: 2048, 3072, 4096 + --log [file] Specifies the log file. Defaults to \"$DEFAULT_LOG_FILE\" if argument is omitted. + --log-level <1|2> Specifies the log level, default is 1. + --syslog <0|3|6|7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug. + --eab-kid Key Identifier for External Account Binding. + --eab-hmac-key HMAC key for External Account Binding. + + + These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert: + + --cert-file Path to copy the cert file to after issue/renew.. + --key-file Path to copy the key file to after issue/renew. + --ca-file Path to copy the intermediate cert file to after issue/renew. + --fullchain-file Path to copy the fullchain cert file to after issue/renew. + --reloadcmd Command to execute after issue/renew to reload the server. + + --server ACME Directory Resource URI. (default: $DEFAULT_CA) + See: $_SERVER_WIKI + + --accountconf Specifies a customized account config file. + --home Specifies the home dir for $PROJECT_NAME. + --cert-home Specifies the home dir to save all the certs, only valid for '--install' command. + --config-home Specifies the home dir to save all the configurations. + --useragent Specifies the user agent string. it will be saved for future use too. + -m, --email Specifies the account email, only valid for the '--install' and '--update-account' command. + --accountkey Specifies the account key path, only valid for the '--install' command. + --days Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days. + --httpport Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer. + --tlsport Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer. + --local-address Specifies the standalone/tls server listening address, in case you have multiple ip addresses. + --listraw Only used for '--list' command, list the certs in raw format. + -se, --stop-renew-on-error Only valid for '--renew-all' command. Stop if one cert has error in renewal. + --insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted. + --ca-bundle Specifies the path to the CA certificate bundle to verify api server's certificate. + --ca-path Specifies directory containing CA certificates in PEM format, used by wget or curl. + --no-cron Only valid for '--install' command, which means: do not install the default cron job. + In this case, the certs will not be renewed automatically. + --no-profile Only valid for '--install' command, which means: do not install aliases to user profile. + --no-color Do not output color text. + --force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails. + --ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr' + --csr Specifies the input csr. + --pre-hook Command to be run before obtaining any certificates. + --post-hook Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed. + --renew-hook Command to be run after each successfully renewed certificate. + --deploy-hook The hook file to deploy cert + --ocsp, --ocsp-must-staple Generate OCSP-Must-Staple extension. + --always-force-new-domain-key Generate new domain key on renewal. Otherwise, the domain key is not changed by default. + --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted. + --listen-v4 Force standalone/tls server to listen at ipv4. + --listen-v6 Force standalone/tls server to listen at ipv6. + --openssl-bin Specifies a custom openssl bin location. + --use-wget Force to use wget, if you have both curl and wget installed. + --yes-I-know-dns-manual-mode-enough-go-ahead-please Force use of dns manual mode. + See: $_DNS_MANUAL_WIKI + + -b, --branch Only valid for '--upgrade' command, specifies the branch name to upgrade to. + --notify-level <0|1|2|3> Set the notification level: Default value is $NOTIFY_LEVEL_DEFAULT. + 0: disabled, no notification will be sent. + 1: send notifications only when there is an error. + 2: send notifications when a cert is successfully renewed, or there is an error. + 3: send notifications when a cert is skipped, renewed, or error. + --notify-mode <0|1> Set notification mode. Default value is $NOTIFY_MODE_DEFAULT. + 0: Bulk mode. Send all the domain's notifications in one message(mail). + 1: Cert mode. Send a message for every single cert. + --notify-hook Set the notify hook + --notify-source Set the server name in the notification message + --revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command. + See: $_REVOKE_WIKI + + --password Add a password to exported pfx file. Use with --to-pkcs12. + + +" +} + +installOnline() { + _info "Installing from online archive." + + _branch="$BRANCH" + if [ -z "$_branch" ]; then + _branch="master" + fi + + target="$PROJECT/archive/$_branch.tar.gz" + _info "Downloading $target" + localname="$_branch.tar.gz" + if ! _get "$target" >$localname; then + _err "Download error." + return 1 + fi + ( + _info "Extracting $localname" + if ! (tar xzf $localname || gtar xzf $localname); then + _err "Extraction error." + exit 1 + fi + + cd "$PROJECT_NAME-$_branch" + chmod +x $PROJECT_ENTRY + if ./$PROJECT_ENTRY --install "$@"; then + _info "Install success!" + fi + + cd .. + + rm -rf "$PROJECT_NAME-$_branch" + rm -f "$localname" + ) +} + +_getRepoHash() { + _hash_path=$1 + shift + _hash_url="https://api.github.com/repos/acmesh-official/$PROJECT_NAME/git/refs/$_hash_path" + _get $_hash_url | tr -d "\r\n" | tr '{},' '\n\n\n' | grep '"sha":' | cut -d '"' -f 4 +} + +_getUpgradeHash() { + _b="$BRANCH" + if [ -z "$_b" ]; then + _b="master" + fi + _hash=$(_getRepoHash "heads/$_b") + if [ -z "$_hash" ]; then _hash=$(_getRepoHash "tags/$_b"); fi + echo $_hash +} + +upgrade() { + if ( + _initpath + [ -z "$FORCE" ] && [ "$(_getUpgradeHash)" = "$(_readaccountconf "UPGRADE_HASH")" ] && _info "Already uptodate!" && exit 0 + export LE_WORKING_DIR + cd "$LE_WORKING_DIR" + installOnline "--nocron" "--noprofile" + ); then + _info "Upgrade success!" + exit 0 + else + _err "Upgrade failed!" + exit 1 + fi +} + +_processAccountConf() { + if [ "$_useragent" ]; then + _saveaccountconf "USER_AGENT" "$_useragent" + elif [ "$USER_AGENT" ] && [ "$USER_AGENT" != "$DEFAULT_USER_AGENT" ]; then + _saveaccountconf "USER_AGENT" "$USER_AGENT" + fi + + if [ "$_openssl_bin" ]; then + _saveaccountconf "ACME_OPENSSL_BIN" "$_openssl_bin" + elif [ "$ACME_OPENSSL_BIN" ] && [ "$ACME_OPENSSL_BIN" != "$DEFAULT_OPENSSL_BIN" ]; then + _saveaccountconf "ACME_OPENSSL_BIN" "$ACME_OPENSSL_BIN" + fi + + if [ "$_auto_upgrade" ]; then + _saveaccountconf "AUTO_UPGRADE" "$_auto_upgrade" + elif [ "$AUTO_UPGRADE" ]; then + _saveaccountconf "AUTO_UPGRADE" "$AUTO_UPGRADE" + fi + + if [ "$_use_wget" ]; then + _saveaccountconf "ACME_USE_WGET" "$_use_wget" + elif [ "$ACME_USE_WGET" ]; then + _saveaccountconf "ACME_USE_WGET" "$ACME_USE_WGET" + fi + +} + +_checkSudo() { + if [ -z "__INTERACTIVE" ]; then + #don't check if it's not in an interactive shell + return 0 + fi + if [ "$SUDO_GID" ] && [ "$SUDO_COMMAND" ] && [ "$SUDO_USER" ] && [ "$SUDO_UID" ]; then + if [ "$SUDO_USER" = "root" ] && [ "$SUDO_UID" = "0" ]; then + #it's root using sudo, no matter it's using sudo or not, just fine + return 0 + fi + if [ -n "$SUDO_COMMAND" ]; then + #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`, or `sudo su acmeuser1` + _endswith "$SUDO_COMMAND" /bin/su || _contains "$SUDO_COMMAND" "/bin/su " || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1 + return $? + fi + #otherwise + return 1 + fi + return 0 +} + +#server #keylength +_selectServer() { + _server="$1" + _skeylength="$2" + _server_lower="$(echo "$_server" | _lower_case)" + _sindex=0 + for snames in $CA_NAMES; do + snames="$(echo "$snames" | _lower_case)" + _sindex="$(_math $_sindex + 1)" + _debug2 "_selectServer try snames" "$snames" + for sname in $(echo "$snames" | tr ',' ' '); do + if [ "$_server_lower" = "$sname" ]; then + _debug2 "_selectServer match $sname" + _serverdir="$(_getfield "$CA_SERVERS" $_sindex)" + if [ "$_serverdir" = "$CA_SSLCOM_RSA" ] && _isEccKey "$_skeylength"; then + _serverdir="$CA_SSLCOM_ECC" + fi + _debug "Selected server: $_serverdir" + ACME_DIRECTORY="$_serverdir" + export ACME_DIRECTORY + return + fi + done + done + ACME_DIRECTORY="$_server" + export ACME_DIRECTORY +} + +#url +_getCAShortName() { + caurl="$1" + if [ -z "$caurl" ]; then + #use letsencrypt as default value if the Le_API is empty + #this case can only come from the old upgrading. + caurl="$CA_LETSENCRYPT_V2" + fi + if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then + caurl="$CA_SSLCOM_RSA" #just hack to get the short name + fi + caurl_lower="$(echo $caurl | _lower_case)" + _sindex=0 + for surl in $(echo "$CA_SERVERS" | _lower_case | tr , ' '); do + _sindex="$(_math $_sindex + 1)" + if [ "$caurl_lower" = "$surl" ]; then + _nindex=0 + for snames in $CA_NAMES; do + _nindex="$(_math $_nindex + 1)" + if [ $_nindex -ge $_sindex ]; then + _getfield "$snames" 1 + return + fi + done + fi + done + echo "$caurl" +} + +#set default ca to $ACME_DIRECTORY +setdefaultca() { + if [ -z "$ACME_DIRECTORY" ]; then + _err "Please give a --server parameter." + return 1 + fi + _saveaccountconf "DEFAULT_ACME_SERVER" "$ACME_DIRECTORY" + _info "Changed default CA to: $(__green "$ACME_DIRECTORY")" +} + +#preferred-chain +setdefaultchain() { + _initpath + _preferred_chain="$1" + if [ -z "$_preferred_chain" ]; then + _err "Please give a '--preferred-chain value' value." + return 1 + fi + mkdir -p "$CA_DIR" + _savecaconf "DEFAULT_PREFERRED_CHAIN" "$_preferred_chain" +} + +#domain ecc +info() { + _domain="$1" + _ecc="$2" + _initpath + if [ -z "$_domain" ]; then + _debug "Show global configs" + echo "LE_WORKING_DIR=$LE_WORKING_DIR" + echo "LE_CONFIG_HOME=$LE_CONFIG_HOME" + cat "$ACCOUNT_CONF_PATH" + else + _debug "Show domain configs" + ( + _initpath "$_domain" "$_ecc" + echo "DOMAIN_CONF=$DOMAIN_CONF" + for seg in $(cat $DOMAIN_CONF | cut -d = -f 1); do + echo "$seg=$(_readdomainconf "$seg")" + done + ) + fi +} + +_process() { + _CMD="" + _domain="" + _altdomains="$NO_VALUE" + _webroot="" + _challenge_alias="" + _keylength="$DEFAULT_DOMAIN_KEY_LENGTH" + _accountkeylength="$DEFAULT_ACCOUNT_KEY_LENGTH" + _cert_file="" + _key_file="" + _ca_file="" + _fullchain_file="" + _reloadcmd="" + _password="" + _accountconf="" + _useragent="" + _accountemail="" + _accountkey="" + _certhome="" + _confighome="" + _httpport="" + _tlsport="" + _dnssleep="" + _listraw="" + _stopRenewOnError="" + #_insecure="" + _ca_bundle="" + _ca_path="" + _nocron="" + _noprofile="" + _ecc="" + _csr="" + _pre_hook="" + _post_hook="" + _renew_hook="" + _deploy_hook="" + _logfile="" + _log="" + _local_address="" + _log_level="" + _auto_upgrade="" + _listen_v4="" + _listen_v6="" + _openssl_bin="" + _syslog="" + _use_wget="" + _server="" + _notify_hook="" + _notify_level="" + _notify_mode="" + _notify_source="" + _revoke_reason="" + _eab_kid="" + _eab_hmac_key="" + _preferred_chain="" + _valid_from="" + _valid_to="" + while [ ${#} -gt 0 ]; do + case "${1}" in + + --help | -h) + showhelp + return + ;; + --version | -v) + version + return + ;; + --install) + _CMD="install" + ;; + --install-online) + shift + installOnline "$@" + return + ;; + --uninstall) + _CMD="uninstall" + ;; + --upgrade) + _CMD="upgrade" + ;; + --issue) + _CMD="issue" + ;; + --deploy) + _CMD="deploy" + ;; + --sign-csr | --signcsr) + _CMD="signcsr" + ;; + --show-csr | --showcsr) + _CMD="showcsr" + ;; + -i | --install-cert | --installcert) + _CMD="installcert" + ;; + --renew | -r) + _CMD="renew" + ;; + --renew-all | --renewAll | --renewall) + _CMD="renewAll" + ;; + --revoke) + _CMD="revoke" + ;; + --remove) + _CMD="remove" + ;; + --list) + _CMD="list" + ;; + --info) + _CMD="info" + ;; + --install-cronjob | --installcronjob) + _CMD="installcronjob" + ;; + --uninstall-cronjob | --uninstallcronjob) + _CMD="uninstallcronjob" + ;; + --cron) + _CMD="cron" + ;; + --to-pkcs12 | --to-pkcs | --toPkcs) + _CMD="toPkcs" + ;; + --to-pkcs8 | --toPkcs8) + _CMD="toPkcs8" + ;; + --create-account-key | --createAccountKey | --createaccountkey | -cak) + _CMD="createAccountKey" + ;; + --create-domain-key | --createDomainKey | --createdomainkey | -cdk) + _CMD="createDomainKey" + ;; + -ccr | --create-csr | --createCSR | --createcsr) + _CMD="createCSR" + ;; + --deactivate) + _CMD="deactivate" + ;; + --update-account | --updateaccount) + _CMD="updateaccount" + ;; + --register-account | --registeraccount) + _CMD="registeraccount" + ;; + --deactivate-account) + _CMD="deactivateaccount" + ;; + --set-notify) + _CMD="setnotify" + ;; + --set-default-ca) + _CMD="setdefaultca" + ;; + --set-default-chain) + _CMD="setdefaultchain" + ;; + -d | --domain) + _dvalue="$2" + + if [ "$_dvalue" ]; then + if _startswith "$_dvalue" "-"; then + _err "'$_dvalue' is not a valid domain for parameter '$1'" + return 1 + fi + if _is_idn "$_dvalue" && ! _exists idn; then + _err "It seems that $_dvalue is an IDN( Internationalized Domain Names), please install 'idn' command first." + return 1 + fi + + if [ -z "$_domain" ]; then + _domain="$_dvalue" + else + if [ "$_altdomains" = "$NO_VALUE" ]; then + _altdomains="$_dvalue" + else + _altdomains="$_altdomains,$_dvalue" + fi + fi + fi + + shift + ;; + + -f | --force) + FORCE="1" + ;; + --staging | --test) + STAGE="1" + ;; + --server) + _server="$2" + shift + ;; + --debug) + if [ -z "$2" ] || _startswith "$2" "-"; then + DEBUG="$DEBUG_LEVEL_DEFAULT" + else + DEBUG="$2" + shift + fi + ;; + --output-insecure) + export OUTPUT_INSECURE=1 + ;; + -w | --webroot) + wvalue="$2" + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + shift + ;; + --challenge-alias) + cvalue="$2" + _challenge_alias="$_challenge_alias$cvalue," + shift + ;; + --domain-alias) + cvalue="$DNS_ALIAS_PREFIX$2" + _challenge_alias="$_challenge_alias$cvalue," + shift + ;; + --standalone) + wvalue="$NO_VALUE" + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + ;; + --alpn) + wvalue="$W_ALPN" + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + ;; + --stateless) + wvalue="$MODE_STATELESS" + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + ;; + --local-address) + lvalue="$2" + _local_address="$_local_address$lvalue," + shift + ;; + --apache) + wvalue="apache" + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + ;; + --nginx) + wvalue="$NGINX" + if [ "$2" ] && ! _startswith "$2" "-"; then + wvalue="$NGINX$2" + shift + fi + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + ;; + --dns) + wvalue="$W_DNS" + if [ "$2" ] && ! _startswith "$2" "-"; then + wvalue="$2" + shift + fi + if [ -z "$_webroot" ]; then + _webroot="$wvalue" + else + _webroot="$_webroot,$wvalue" + fi + ;; + --dnssleep) + _dnssleep="$2" + Le_DNSSleep="$_dnssleep" + shift + ;; + --keylength | -k) + _keylength="$2" + shift + if [ "$_keylength" ] && ! _isEccKey "$_keylength"; then + export __SELECTED_RSA_KEY=1 + fi + ;; + -ak | --accountkeylength) + _accountkeylength="$2" + shift + ;; + --cert-file | --certpath) + _cert_file="$2" + shift + ;; + --key-file | --keypath) + _key_file="$2" + shift + ;; + --ca-file | --capath) + _ca_file="$2" + shift + ;; + --fullchain-file | --fullchainpath) + _fullchain_file="$2" + shift + ;; + --reloadcmd | --reloadCmd) + _reloadcmd="$2" + shift + ;; + --password) + _password="$2" + shift + ;; + --accountconf) + _accountconf="$2" + ACCOUNT_CONF_PATH="$_accountconf" + shift + ;; + --home) + export LE_WORKING_DIR="$(echo "$2" | sed 's|/$||')" + shift + ;; + --cert-home | --certhome) + _certhome="$2" + export CERT_HOME="$_certhome" + shift + ;; + --config-home) + _confighome="$2" + export LE_CONFIG_HOME="$_confighome" + shift + ;; + --useragent) + _useragent="$2" + USER_AGENT="$_useragent" + shift + ;; + -m | --email | --accountemail) + _accountemail="$2" + export ACCOUNT_EMAIL="$_accountemail" + shift + ;; + --accountkey) + _accountkey="$2" + ACCOUNT_KEY_PATH="$_accountkey" + shift + ;; + --days) + _days="$2" + Le_RenewalDays="$_days" + shift + ;; + --valid-from) + _valid_from="$2" + shift + ;; + --valid-to) + _valid_to="$2" + shift + ;; + --httpport) + _httpport="$2" + Le_HTTPPort="$_httpport" + shift + ;; + --tlsport) + _tlsport="$2" + Le_TLSPort="$_tlsport" + shift + ;; + --listraw) + _listraw="raw" + ;; + -se | --stop-renew-on-error | --stopRenewOnError | --stoprenewonerror) + _stopRenewOnError="1" + ;; + --insecure) + #_insecure="1" + HTTPS_INSECURE="1" + ;; + --ca-bundle) + _ca_bundle="$(_readlink "$2")" + CA_BUNDLE="$_ca_bundle" + shift + ;; + --ca-path) + _ca_path="$2" + CA_PATH="$_ca_path" + shift + ;; + --no-cron | --nocron) + _nocron="1" + ;; + --no-profile | --noprofile) + _noprofile="1" + ;; + --no-color) + export ACME_NO_COLOR=1 + ;; + --force-color) + export ACME_FORCE_COLOR=1 + ;; + --ecc) + _ecc="isEcc" + ;; + --csr) + _csr="$2" + shift + ;; + --pre-hook) + _pre_hook="$2" + shift + ;; + --post-hook) + _post_hook="$2" + shift + ;; + --renew-hook) + _renew_hook="$2" + shift + ;; + --deploy-hook) + if [ -z "$2" ] || _startswith "$2" "-"; then + _usage "Please specify a value for '--deploy-hook'" + return 1 + fi + _deploy_hook="$_deploy_hook$2," + shift + ;; + --ocsp-must-staple | --ocsp) + Le_OCSP_Staple="1" + ;; + --always-force-new-domain-key) + if [ -z "$2" ] || _startswith "$2" "-"; then + Le_ForceNewDomainKey=1 + else + Le_ForceNewDomainKey="$2" + shift + fi + ;; + --yes-I-know-dns-manual-mode-enough-go-ahead-please) + export FORCE_DNS_MANUAL=1 + ;; + --log | --logfile) + _log="1" + _logfile="$2" + if _startswith "$_logfile" '-'; then + _logfile="" + else + shift + fi + LOG_FILE="$_logfile" + if [ -z "$LOG_LEVEL" ]; then + LOG_LEVEL="$DEFAULT_LOG_LEVEL" + fi + ;; + --log-level) + _log_level="$2" + LOG_LEVEL="$_log_level" + shift + ;; + --syslog) + if ! _startswith "$2" '-'; then + _syslog="$2" + shift + fi + if [ -z "$_syslog" ]; then + _syslog="$SYSLOG_LEVEL_DEFAULT" + fi + ;; + --auto-upgrade) + _auto_upgrade="$2" + if [ -z "$_auto_upgrade" ] || _startswith "$_auto_upgrade" '-'; then + _auto_upgrade="1" + else + shift + fi + AUTO_UPGRADE="$_auto_upgrade" + ;; + --listen-v4) + _listen_v4="1" + Le_Listen_V4="$_listen_v4" + ;; + --listen-v6) + _listen_v6="1" + Le_Listen_V6="$_listen_v6" + ;; + --openssl-bin) + _openssl_bin="$2" + ACME_OPENSSL_BIN="$_openssl_bin" + shift + ;; + --use-wget) + _use_wget="1" + ACME_USE_WGET="1" + ;; + --branch | -b) + export BRANCH="$2" + shift + ;; + --notify-hook) + _nhook="$2" + if _startswith "$_nhook" "-"; then + _err "'$_nhook' is not a hook name for '$1'" + return 1 + fi + if [ "$_notify_hook" ]; then + _notify_hook="$_notify_hook,$_nhook" + else + _notify_hook="$_nhook" + fi + shift + ;; + --notify-level) + _nlevel="$2" + if _startswith "$_nlevel" "-"; then + _err "'$_nlevel' is not a integer for '$1'" + return 1 + fi + _notify_level="$_nlevel" + shift + ;; + --notify-mode) + _nmode="$2" + if _startswith "$_nmode" "-"; then + _err "'$_nmode' is not a integer for '$1'" + return 1 + fi + _notify_mode="$_nmode" + shift + ;; + --notify-source) + _nsource="$2" + if _startswith "$_nsource" "-"; then + _err "'$_nsource' is not valid host name for '$1'" + return 1 + fi + _notify_source="$_nsource" + shift + ;; + --revoke-reason) + _revoke_reason="$2" + if _startswith "$_revoke_reason" "-"; then + _err "'$_revoke_reason' is not a integer for '$1'" + return 1 + fi + shift + ;; + --eab-kid) + _eab_kid="$2" + shift + ;; + --eab-hmac-key) + _eab_hmac_key="$2" + shift + ;; + --preferred-chain) + _preferred_chain="$2" + shift + ;; + *) + _err "Unknown parameter : $1" + return 1 + ;; + esac + + shift 1 + done + + if [ "$_server" ]; then + _selectServer "$_server" "${_ecc:-$_keylength}" + _server="$ACME_DIRECTORY" + fi + + if [ "${_CMD}" != "install" ]; then + if [ "$__INTERACTIVE" ] && ! _checkSudo; then + if [ -z "$FORCE" ]; then + #Use "echo" here, instead of _info. it's too early + echo "It seems that you are using sudo, please read this link first:" + echo "$_SUDO_WIKI" + return 1 + fi + fi + __initHome + if [ "$_log" ]; then + if [ -z "$_logfile" ]; then + _logfile="$DEFAULT_LOG_FILE" + fi + fi + if [ "$_logfile" ]; then + _saveaccountconf "LOG_FILE" "$_logfile" + LOG_FILE="$_logfile" + fi + + if [ "$_log_level" ]; then + _saveaccountconf "LOG_LEVEL" "$_log_level" + LOG_LEVEL="$_log_level" + fi + + if [ "$_syslog" ]; then + if _exists logger; then + if [ "$_syslog" = "0" ]; then + _clearaccountconf "SYS_LOG" + else + _saveaccountconf "SYS_LOG" "$_syslog" + fi + SYS_LOG="$_syslog" + else + _err "The 'logger' command is not found, can not enable syslog." + _clearaccountconf "SYS_LOG" + SYS_LOG="" + fi + fi + + _processAccountConf + fi + + _debug2 LE_WORKING_DIR "$LE_WORKING_DIR" + + if [ "$DEBUG" ]; then + version + if [ "$_server" ]; then + _debug "Using server: $_server" + fi + fi + _debug "Running cmd: ${_CMD}" + case "${_CMD}" in + install) install "$_nocron" "$_confighome" "$_noprofile" "$_accountemail" ;; + uninstall) uninstall "$_nocron" ;; + upgrade) upgrade ;; + issue) + issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" + ;; + deploy) + deploy "$_domain" "$_deploy_hook" "$_ecc" + ;; + signcsr) + signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" + ;; + showcsr) + showcsr "$_csr" "$_domain" + ;; + installcert) + installcert "$_domain" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_ecc" + ;; + renew) + renew "$_domain" "$_ecc" "$_server" + ;; + renewAll) + renewAll "$_stopRenewOnError" "$_server" + ;; + revoke) + revoke "$_domain" "$_ecc" "$_revoke_reason" + ;; + remove) + remove "$_domain" "$_ecc" + ;; + deactivate) + deactivate "$_domain,$_altdomains" + ;; + registeraccount) + registeraccount "$_accountkeylength" "$_eab_kid" "$_eab_hmac_key" + ;; + updateaccount) + updateaccount + ;; + deactivateaccount) + deactivateaccount + ;; + list) + list "$_listraw" "$_domain" + ;; + info) + info "$_domain" "$_ecc" + ;; + installcronjob) installcronjob "$_confighome" ;; + uninstallcronjob) uninstallcronjob ;; + cron) cron ;; + toPkcs) + toPkcs "$_domain" "$_password" "$_ecc" + ;; + toPkcs8) + toPkcs8 "$_domain" "$_ecc" + ;; + createAccountKey) + createAccountKey "$_accountkeylength" + ;; + createDomainKey) + createDomainKey "$_domain" "$_keylength" + ;; + createCSR) + createCSR "$_domain" "$_altdomains" "$_ecc" + ;; + setnotify) + setnotify "$_notify_hook" "$_notify_level" "$_notify_mode" "$_notify_source" + ;; + setdefaultca) + setdefaultca + ;; + setdefaultchain) + setdefaultchain "$_preferred_chain" + ;; + *) + if [ "$_CMD" ]; then + _err "Invalid command: $_CMD" + fi + showhelp + return 1 + ;; + esac + _ret="$?" + if [ "$_ret" != "0" ]; then + return $_ret + fi + + if [ "${_CMD}" = "install" ]; then + if [ "$_log" ]; then + if [ -z "$LOG_FILE" ]; then + LOG_FILE="$DEFAULT_LOG_FILE" + fi + _saveaccountconf "LOG_FILE" "$LOG_FILE" + fi + + if [ "$_log_level" ]; then + _saveaccountconf "LOG_LEVEL" "$_log_level" + fi + + if [ "$_syslog" ]; then + if _exists logger; then + if [ "$_syslog" = "0" ]; then + _clearaccountconf "SYS_LOG" + else + _saveaccountconf "SYS_LOG" "$_syslog" + fi + else + _err "The 'logger' command is not found, can not enable syslog." + _clearaccountconf "SYS_LOG" + SYS_LOG="" + fi + fi + + _processAccountConf + fi + +} + +main() { + [ -z "$1" ] && showhelp && return + if _startswith "$1" '-'; then _process "$@"; else "$@"; fi +} + +main "$@" diff --git a/acme.sh-master/deploy/README.md b/acme.sh-master/deploy/README.md new file mode 100644 index 0000000..e3f239f --- /dev/null +++ b/acme.sh-master/deploy/README.md @@ -0,0 +1,6 @@ +# Using deploy api + +deploy hook usage: + +https://github.com/acmesh-official/acme.sh/wiki/deployhooks + diff --git a/acme.sh-master/deploy/apache.sh b/acme.sh-master/deploy/apache.sh new file mode 100644 index 0000000..7b34bd5 --- /dev/null +++ b/acme.sh-master/deploy/apache.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to apache server. + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +apache_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _err "Deploy cert to apache server, Not implemented yet" + return 1 + +} diff --git a/acme.sh-master/deploy/cleverreach.sh b/acme.sh-master/deploy/cleverreach.sh new file mode 100644 index 0000000..a460a13 --- /dev/null +++ b/acme.sh-master/deploy/cleverreach.sh @@ -0,0 +1,92 @@ +#!/usr/bin/env sh +# Here is the script to deploy the cert to your CleverReach Account using the CleverReach REST API. +# Your OAuth needs the right scope, please contact CleverReach support for that. +# +# Written by Jan-Philipp Benecke +# Public domain, 2020 +# +# Following environment variables must be set: +# +#export DEPLOY_CLEVERREACH_CLIENT_ID=myid +#export DEPLOY_CLEVERREACH_CLIENT_SECRET=mysecret + +cleverreach_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _rest_endpoint="https://rest.cleverreach.com" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _getdeployconf DEPLOY_CLEVERREACH_CLIENT_ID + _getdeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET + _getdeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID + + if [ -z "${DEPLOY_CLEVERREACH_CLIENT_ID}" ]; then + _err "CleverReach Client ID is not found, please define DEPLOY_CLEVERREACH_CLIENT_ID." + return 1 + fi + if [ -z "${DEPLOY_CLEVERREACH_CLIENT_SECRET}" ]; then + _err "CleverReach client secret is not found, please define DEPLOY_CLEVERREACH_CLIENT_SECRET." + return 1 + fi + + _savedeployconf DEPLOY_CLEVERREACH_CLIENT_ID "${DEPLOY_CLEVERREACH_CLIENT_ID}" + _savedeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET "${DEPLOY_CLEVERREACH_CLIENT_SECRET}" + _savedeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" + + _info "Obtaining a CleverReach access token" + + _data="{\"grant_type\": \"client_credentials\", \"client_id\": \"${DEPLOY_CLEVERREACH_CLIENT_ID}\", \"client_secret\": \"${DEPLOY_CLEVERREACH_CLIENT_SECRET}\"}" + _auth_result="$(_post "$_data" "$_rest_endpoint/oauth/token.php" "" "POST" "application/json")" + + _debug _data "$_data" + _debug _auth_result "$_auth_result" + + _regex=".*\"access_token\":\"\([-._0-9A-Za-z]*\)\".*$" + _debug _regex "$_regex" + _access_token=$(echo "$_auth_result" | _json_decode | sed -n "s/$_regex/\1/p") + + _debug _subclient "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" + + if [ -n "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then + _info "Obtaining token for sub-client ${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" + export _H1="Authorization: Bearer ${_access_token}" + _subclient_token_result="$(_get "$_rest_endpoint/v3/clients/$DEPLOY_CLEVERREACH_SUBCLIENT_ID/token")" + _access_token=$(echo "$_subclient_token_result" | sed -n "s/\"//p") + + _debug _subclient_token_result "$_access_token" + + _info "Destroying parent token at CleverReach, as it not needed anymore" + _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")" + _debug _destroy_result "$_destroy_result" + fi + + _info "Uploading certificate and key to CleverReach" + + _certData="{\"cert\":\"$(_json_encode <"$_cfullchain")\", \"key\":\"$(_json_encode <"$_ckey")\"}" + export _H1="Authorization: Bearer ${_access_token}" + _add_cert_result="$(_post "$_certData" "$_rest_endpoint/v3/ssl" "" "POST" "application/json")" + + if [ -z "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then + _info "Destroying token at CleverReach, as it not needed anymore" + _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")" + _debug _destroy_result "$_destroy_result" + fi + + if ! echo "$_add_cert_result" | grep '"error":' >/dev/null; then + _info "Uploaded certificate successfully" + return 0 + else + _debug _add_cert_result "$_add_cert_result" + _err "Unable to update certificate" + return 1 + fi +} diff --git a/acme.sh-master/deploy/consul.sh b/acme.sh-master/deploy/consul.sh new file mode 100644 index 0000000..f93fb45 --- /dev/null +++ b/acme.sh-master/deploy/consul.sh @@ -0,0 +1,98 @@ +#!/usr/bin/env sh + +# Here is a script to deploy cert to hashicorp consul using curl +# (https://www.consul.io/) +# +# it requires following environment variables: +# +# CONSUL_PREFIX - this contains the prefix path in consul +# CONSUL_HTTP_ADDR - consul requires this to find your consul server +# +# additionally, you need to ensure that CONSUL_HTTP_TOKEN is available +# to access the consul server + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +consul_deploy() { + + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + # validate required env vars + _getdeployconf CONSUL_PREFIX + if [ -z "$CONSUL_PREFIX" ]; then + _err "CONSUL_PREFIX needs to be defined (contains prefix path in vault)" + return 1 + fi + _savedeployconf CONSUL_PREFIX "$CONSUL_PREFIX" + + _getdeployconf CONSUL_HTTP_ADDR + if [ -z "$CONSUL_HTTP_ADDR" ]; then + _err "CONSUL_HTTP_ADDR needs to be defined (contains consul connection address)" + return 1 + fi + _savedeployconf CONSUL_HTTP_ADDR "$CONSUL_HTTP_ADDR" + + CONSUL_CMD=$(command -v consul) + + # force CLI, but the binary does not exist => error + if [ -n "$USE_CLI" ] && [ -z "$CONSUL_CMD" ]; then + _err "Cannot find the consul binary!" + return 1 + fi + + # use the CLI first + if [ -n "$USE_CLI" ] || [ -n "$CONSUL_CMD" ]; then + _info "Found consul binary, deploying with CLI" + consul_deploy_cli "$CONSUL_CMD" "$CONSUL_PREFIX" + else + _info "Did not find consul binary, deploying with API" + consul_deploy_api "$CONSUL_HTTP_ADDR" "$CONSUL_PREFIX" "$CONSUL_HTTP_TOKEN" + fi +} + +consul_deploy_api() { + CONSUL_HTTP_ADDR="$1" + CONSUL_PREFIX="$2" + CONSUL_HTTP_TOKEN="$3" + + URL="$CONSUL_HTTP_ADDR/v1/kv/$CONSUL_PREFIX" + export _H1="X-Consul-Token: $CONSUL_HTTP_TOKEN" + + if [ -n "$FABIO" ]; then + _post "$(cat "$_cfullchain")" "$URL/${_cdomain}-cert.pem" '' "PUT" || return 1 + _post "$(cat "$_ckey")" "$URL/${_cdomain}-key.pem" '' "PUT" || return 1 + else + _post "$(cat "$_ccert")" "$URL/${_cdomain}/cert.pem" '' "PUT" || return 1 + _post "$(cat "$_ckey")" "$URL/${_cdomain}/cert.key" '' "PUT" || return 1 + _post "$(cat "$_cca")" "$URL/${_cdomain}/chain.pem" '' "PUT" || return 1 + _post "$(cat "$_cfullchain")" "$URL/${_cdomain}/fullchain.pem" '' "PUT" || return 1 + fi +} + +consul_deploy_cli() { + CONSUL_CMD="$1" + CONSUL_PREFIX="$2" + + if [ -n "$FABIO" ]; then + $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-cert.pem" @"$_cfullchain" || return 1 + $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-key.pem" @"$_ckey" || return 1 + else + $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 + $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 + $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 + fi +} diff --git a/acme.sh-master/deploy/cpanel_uapi.sh b/acme.sh-master/deploy/cpanel_uapi.sh new file mode 100644 index 0000000..e5381b6 --- /dev/null +++ b/acme.sh-master/deploy/cpanel_uapi.sh @@ -0,0 +1,211 @@ +#!/usr/bin/env sh +# Here is the script to deploy the cert to your cpanel using the cpanel API. +# Uses command line uapi. --user option is needed only if run as root. +# Returns 0 when success. +# +# Configure DEPLOY_CPANEL_AUTO_<...> options to enable or restrict automatic +# detection of deployment targets through UAPI (if not set, defaults below are used.) +# - ENABLED : 'true' for multi-site / wildcard capability; otherwise single-site mode. +# - NOMATCH : 'true' to allow deployment to sites that do not match the certificate. +# - INCLUDE : Comma-separated list - sites must match this field. +# - EXCLUDE : Comma-separated list - sites must NOT match this field. +# INCLUDE/EXCLUDE both support non-lexical, glob-style matches using '*' +# +# Please note that I am no longer using Github. If you want to report an issue +# or contact me, visit https://forum.webseodesigners.com/web-design-seo-and-hosting-f16/ +# +# Written by Santeri Kannisto +# Public domain, 2017-2018 +# +# export DEPLOY_CPANEL_USER=myusername +# export DEPLOY_CPANEL_AUTO_ENABLED='true' +# export DEPLOY_CPANEL_AUTO_NOMATCH='false' +# export DEPLOY_CPANEL_AUTO_INCLUDE='*' +# export DEPLOY_CPANEL_AUTO_EXCLUDE='' + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +cpanel_uapi_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + # re-declare vars inherited from acme.sh but not passed to make ShellCheck happy + : "${Le_Alt:=""}" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if ! _exists uapi; then + _err "The command uapi is not found." + return 1 + fi + + # declare useful constants + uapi_error_response='status: 0' + + # read cert and key files and urlencode both + _cert=$(_url_encode <"$_ccert") + _key=$(_url_encode <"$_ckey") + + _debug2 _cert "$_cert" + _debug2 _key "$_key" + + if [ "$(id -u)" = 0 ]; then + _getdeployconf DEPLOY_CPANEL_USER + # fallback to _readdomainconf for old installs + if [ -z "${DEPLOY_CPANEL_USER:=$(_readdomainconf DEPLOY_CPANEL_USER)}" ]; then + _err "It seems that you are root, please define the target user name: export DEPLOY_CPANEL_USER=username" + return 1 + fi + _debug DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER" + _savedeployconf DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER" + + _uapi_user="$DEPLOY_CPANEL_USER" + fi + + # Load all AUTO envars and set defaults - see above for usage + __cpanel_initautoparam ENABLED 'true' + __cpanel_initautoparam NOMATCH 'false' + __cpanel_initautoparam INCLUDE '*' + __cpanel_initautoparam EXCLUDE '' + + # Auto mode + if [ "$DEPLOY_CPANEL_AUTO_ENABLED" = "true" ]; then + # call API for site config + _response=$(uapi DomainInfo list_domains) + # exit if error in response + if [ -z "$_response" ] || [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then + _err "Error in deploying certificate - cannot retrieve sitelist:" + _err "\n$_response" + return 1 + fi + + # parse response to create site list + sitelist=$(__cpanel_parse_response "$_response") + _debug "UAPI sites found: $sitelist" + + # filter sitelist using configured domains + # skip if NOMATCH is "true" + if [ "$DEPLOY_CPANEL_AUTO_NOMATCH" = "true" ]; then + _debug "DEPLOY_CPANEL_AUTO_NOMATCH is true" + _info "UAPI nomatch mode is enabled - Will not validate sites are valid for the certificate" + else + _debug "DEPLOY_CPANEL_AUTO_NOMATCH is false" + d="$(echo "${Le_Alt}," | sed -e "s/^$_cdomain,//" -e "s/,$_cdomain,/,/")" + d="$(echo "$_cdomain,$d" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\[\^\.\]\*/g')" + sitelist="$(echo "$sitelist" | grep -ix "$d")" + _debug2 "Matched UAPI sites: $sitelist" + fi + + # filter sites that do not match $DEPLOY_CPANEL_AUTO_INCLUDE + _info "Applying sitelist filter DEPLOY_CPANEL_AUTO_INCLUDE: $DEPLOY_CPANEL_AUTO_INCLUDE" + sitelist="$(echo "$sitelist" | grep -ix "$(echo "$DEPLOY_CPANEL_AUTO_INCLUDE" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\.\*/g')")" + _debug2 "Remaining sites: $sitelist" + + # filter sites that match $DEPLOY_CPANEL_AUTO_EXCLUDE + _info "Applying sitelist filter DEPLOY_CPANEL_AUTO_EXCLUDE: $DEPLOY_CPANEL_AUTO_EXCLUDE" + sitelist="$(echo "$sitelist" | grep -vix "$(echo "$DEPLOY_CPANEL_AUTO_EXCLUDE" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\.\*/g')")" + _debug2 "Remaining sites: $sitelist" + + # counter for success / failure check + successes=0 + if [ -n "$sitelist" ]; then + sitetotal="$(echo "$sitelist" | wc -l)" + _debug "$sitetotal sites to deploy" + else + sitetotal=0 + _debug "No sites to deploy" + fi + + # for each site: call uapi to publish cert and log result. Only return failure if all fail + for site in $sitelist; do + # call uapi to publish cert, check response for errors and log them. + if [ -n "$_uapi_user" ]; then + _response=$(uapi --user="$_uapi_user" SSL install_ssl domain="$site" cert="$_cert" key="$_key") + else + _response=$(uapi SSL install_ssl domain="$site" cert="$_cert" key="$_key") + fi + if [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then + _err "Error in deploying certificate to $site:" + _err "$_response" + else + successes=$((successes + 1)) + _debug "$_response" + _info "Succcessfully deployed to $site" + fi + done + + # Raise error if all updates fail + if [ "$sitetotal" -gt 0 ] && [ "$successes" -eq 0 ]; then + _err "Could not deploy to any of $sitetotal sites via UAPI" + _debug "successes: $successes, sitetotal: $sitetotal" + return 1 + fi + + _info "Successfully deployed certificate to $successes of $sitetotal sites via UAPI" + return 0 + else + # "classic" mode - will only try to deploy to the primary domain; will not check UAPI first + if [ -n "$_uapi_user" ]; then + _response=$(uapi --user="$_uapi_user" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key") + else + _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key") + fi + + if [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then + _err "Error in deploying certificate:" + _err "$_response" + return 1 + fi + + _debug response "$_response" + _info "Certificate successfully deployed" + return 0 + fi +} + +######## Private functions ##################### + +# Internal utility to process YML from UAPI - looks at main_domain, sub_domains, addon domains and parked domains +#[response] +__cpanel_parse_response() { + if [ $# -gt 0 ]; then resp="$*"; else resp="$(cat)"; fi + + echo "$resp" | + sed -En \ + -e 's/\r$//' \ + -e 's/^( *)([_.[:alnum:]]+) *: *(.*)/\1,\2,\3/p' \ + -e 's/^( *)- (.*)/\1,-,\2/p' | + awk -F, '{ + level = length($1)/2; + section[level] = $2; + for (i in section) {if (i > level) {delete section[i]}} + if (length($3) > 0) { + prefix=""; + for (i=0; i < level; i++) + { prefix = (prefix)(section[i])("/") } + printf("%s%s=%s\n", prefix, $2, $3); + } + }' | + sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-|addon_domains\/-|parked_domains\/-)=(.*)$/\2/p' +} + +# Load parameter by prefix+name - fallback to default if not set, and save to config +#pname pdefault +__cpanel_initautoparam() { + pname="$1" + pdefault="$2" + pkey="DEPLOY_CPANEL_AUTO_$pname" + + _getdeployconf "$pkey" + [ -n "$(eval echo "\"\$$pkey\"")" ] || eval "$pkey=\"$pdefault\"" + _debug2 "$pkey" "$(eval echo "\"\$$pkey\"")" + _savedeployconf "$pkey" "$(eval echo "\"\$$pkey\"")" +} diff --git a/acme.sh-master/deploy/docker.sh b/acme.sh-master/deploy/docker.sh new file mode 100644 index 0000000..3aa1b2c --- /dev/null +++ b/acme.sh-master/deploy/docker.sh @@ -0,0 +1,288 @@ +#!/usr/bin/env sh + +#DEPLOY_DOCKER_CONTAINER_LABEL="xxxxxxx" + +#DEPLOY_DOCKER_CONTAINER_KEY_FILE="/path/to/key.pem" +#DEPLOY_DOCKER_CONTAINER_CERT_FILE="/path/to/cert.pem" +#DEPLOY_DOCKER_CONTAINER_CA_FILE="/path/to/ca.pem" +#DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/path/to/fullchain.pem" +#DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload" + +_DEPLOY_DOCKER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/deploy-to-docker-containers" + +_DOCKER_HOST_DEFAULT="/var/run/docker.sock" + +docker_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + _debug _cdomain "$_cdomain" + _getdeployconf DEPLOY_DOCKER_CONTAINER_LABEL + _debug2 DEPLOY_DOCKER_CONTAINER_LABEL "$DEPLOY_DOCKER_CONTAINER_LABEL" + if [ -z "$DEPLOY_DOCKER_CONTAINER_LABEL" ]; then + _err "The DEPLOY_DOCKER_CONTAINER_LABEL variable is not defined, we use this label to find the container." + _err "See: $_DEPLOY_DOCKER_WIKI" + fi + + _savedeployconf DEPLOY_DOCKER_CONTAINER_LABEL "$DEPLOY_DOCKER_CONTAINER_LABEL" + + if [ "$DOCKER_HOST" ]; then + _saveaccountconf DOCKER_HOST "$DOCKER_HOST" + fi + + if _exists docker && docker version | grep -i docker >/dev/null; then + _info "Using docker command" + export _USE_DOCKER_COMMAND=1 + else + export _USE_DOCKER_COMMAND= + fi + + export _USE_UNIX_SOCKET= + if [ -z "$_USE_DOCKER_COMMAND" ]; then + export _USE_REST= + if [ "$DOCKER_HOST" ]; then + _debug "Try use docker host: $DOCKER_HOST" + export _USE_REST=1 + else + export _DOCKER_SOCK="$_DOCKER_HOST_DEFAULT" + _debug "Try use $_DOCKER_SOCK" + if [ ! -e "$_DOCKER_SOCK" ] || [ ! -w "$_DOCKER_SOCK" ]; then + _err "$_DOCKER_SOCK is not available" + return 1 + fi + export _USE_UNIX_SOCKET=1 + if ! _exists "curl"; then + _err "Please install curl first." + _err "We need curl to work." + return 1 + fi + if ! _check_curl_version; then + return 1 + fi + fi + fi + + _getdeployconf DEPLOY_DOCKER_CONTAINER_KEY_FILE + _debug2 DEPLOY_DOCKER_CONTAINER_KEY_FILE "$DEPLOY_DOCKER_CONTAINER_KEY_FILE" + if [ "$DEPLOY_DOCKER_CONTAINER_KEY_FILE" ]; then + _savedeployconf DEPLOY_DOCKER_CONTAINER_KEY_FILE "$DEPLOY_DOCKER_CONTAINER_KEY_FILE" + fi + + _getdeployconf DEPLOY_DOCKER_CONTAINER_CERT_FILE + _debug2 DEPLOY_DOCKER_CONTAINER_CERT_FILE "$DEPLOY_DOCKER_CONTAINER_CERT_FILE" + if [ "$DEPLOY_DOCKER_CONTAINER_CERT_FILE" ]; then + _savedeployconf DEPLOY_DOCKER_CONTAINER_CERT_FILE "$DEPLOY_DOCKER_CONTAINER_CERT_FILE" + fi + + _getdeployconf DEPLOY_DOCKER_CONTAINER_CA_FILE + _debug2 DEPLOY_DOCKER_CONTAINER_CA_FILE "$DEPLOY_DOCKER_CONTAINER_CA_FILE" + if [ "$DEPLOY_DOCKER_CONTAINER_CA_FILE" ]; then + _savedeployconf DEPLOY_DOCKER_CONTAINER_CA_FILE "$DEPLOY_DOCKER_CONTAINER_CA_FILE" + fi + + _getdeployconf DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE + _debug2 DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE "$DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE" + if [ "$DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE" ]; then + _savedeployconf DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE "$DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE" + fi + + _getdeployconf DEPLOY_DOCKER_CONTAINER_RELOAD_CMD + _debug2 DEPLOY_DOCKER_CONTAINER_RELOAD_CMD "$DEPLOY_DOCKER_CONTAINER_RELOAD_CMD" + if [ "$DEPLOY_DOCKER_CONTAINER_RELOAD_CMD" ]; then + _savedeployconf DEPLOY_DOCKER_CONTAINER_RELOAD_CMD "$DEPLOY_DOCKER_CONTAINER_RELOAD_CMD" "base64" + fi + + _cid="$(_get_id "$DEPLOY_DOCKER_CONTAINER_LABEL")" + _info "Container id: $_cid" + if [ -z "$_cid" ]; then + _err "can not find container id" + return 1 + fi + + if [ "$DEPLOY_DOCKER_CONTAINER_KEY_FILE" ]; then + if ! _docker_cp "$_cid" "$_ckey" "$DEPLOY_DOCKER_CONTAINER_KEY_FILE"; then + return 1 + fi + fi + + if [ "$DEPLOY_DOCKER_CONTAINER_CERT_FILE" ]; then + if ! _docker_cp "$_cid" "$_ccert" "$DEPLOY_DOCKER_CONTAINER_CERT_FILE"; then + return 1 + fi + fi + + if [ "$DEPLOY_DOCKER_CONTAINER_CA_FILE" ]; then + if ! _docker_cp "$_cid" "$_cca" "$DEPLOY_DOCKER_CONTAINER_CA_FILE"; then + return 1 + fi + fi + + if [ "$DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE" ]; then + if ! _docker_cp "$_cid" "$_cfullchain" "$DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE"; then + return 1 + fi + fi + + if [ "$DEPLOY_DOCKER_CONTAINER_RELOAD_CMD" ]; then + _info "Reloading: $DEPLOY_DOCKER_CONTAINER_RELOAD_CMD" + if ! _docker_exec "$_cid" "$DEPLOY_DOCKER_CONTAINER_RELOAD_CMD"; then + return 1 + fi + fi + return 0 +} + +#label +_get_id() { + _label="$1" + if [ "$_USE_DOCKER_COMMAND" ]; then + docker ps -f label="$_label" --format "{{.ID}}" + elif [ "$_USE_REST" ]; then + _err "Not implemented yet." + return 1 + elif [ "$_USE_UNIX_SOCKET" ]; then + _req="{\"label\":[\"$_label\"]}" + _debug2 _req "$_req" + _req="$(printf "%s" "$_req" | _url_encode)" + _debug2 _req "$_req" + listjson="$(_curl_unix_sock "${_DOCKER_SOCK:-$_DOCKER_HOST_DEFAULT}" GET "/containers/json?filters=$_req")" + _debug2 "listjson" "$listjson" + echo "$listjson" | tr '{,' '\n' | grep -i '"id":' | _head_n 1 | cut -d '"' -f 4 + else + _err "Not implemented yet." + return 1 + fi +} + +#id cmd +_docker_exec() { + _eargs="$*" + _debug2 "_docker_exec $_eargs" + _dcid="$1" + shift + if [ "$_USE_DOCKER_COMMAND" ]; then + docker exec -i "$_dcid" sh -c "$*" + elif [ "$_USE_REST" ]; then + _err "Not implemented yet." + return 1 + elif [ "$_USE_UNIX_SOCKET" ]; then + _cmd="$*" + #_cmd="$(printf "%s" "$_cmd" | sed 's/ /","/g')" + _debug2 _cmd "$_cmd" + #create exec instance: + cjson="$(_curl_unix_sock "$_DOCKER_SOCK" POST "/containers/$_dcid/exec" "{\"Cmd\": [\"sh\", \"-c\", \"$_cmd\"]}")" + _debug2 cjson "$cjson" + execid="$(echo "$cjson" | cut -d '"' -f 4)" + _debug execid "$execid" + ejson="$(_curl_unix_sock "$_DOCKER_SOCK" POST "/exec/$execid/start" "{\"Detach\": false,\"Tty\": false}")" + _debug2 ejson "$ejson" + if [ "$ejson" ]; then + _err "$ejson" + return 1 + fi + else + _err "Not implemented yet." + return 1 + fi +} + +#id from to +_docker_cp() { + _dcid="$1" + _from="$2" + _to="$3" + _info "Copying file from $_from to $_to" + _dir="$(dirname "$_to")" + _debug2 _dir "$_dir" + if ! _docker_exec "$_dcid" mkdir -p "$_dir"; then + _err "Can not create dir: $_dir" + return 1 + fi + if [ "$_USE_DOCKER_COMMAND" ]; then + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then + _docker_exec "$_dcid" tee "$_to" <"$_from" + else + _docker_exec "$_dcid" tee "$_to" <"$_from" >/dev/null + fi + if [ "$?" = "0" ]; then + _info "Success" + return 0 + else + _info "Error" + return 1 + fi + elif [ "$_USE_REST" ]; then + _err "Not implemented yet." + return 1 + elif [ "$_USE_UNIX_SOCKET" ]; then + _frompath="$_from" + if _startswith "$_frompath" '/'; then + _frompath="$(echo "$_from" | cut -b 2-)" #remove the first '/' char + fi + _debug2 "_frompath" "$_frompath" + _toname="$(basename "$_to")" + _debug2 "_toname" "$_toname" + _debug2 "_from" "$_from" + if ! tar --transform="s,$(printf "%s" "$_frompath" | tr '*' .),$_toname," -cz "$_from" 2>/dev/null | _curl_unix_sock "$_DOCKER_SOCK" PUT "/containers/$_dcid/archive?noOverwriteDirNonDir=1&path=$(printf "%s" "$_dir" | _url_encode)" '@-' "Content-Type: application/octet-stream"; then + _err "copy error" + return 1 + fi + return 0 + else + _err "Not implemented yet." + return 1 + fi + +} + +#sock method endpoint data content-type +_curl_unix_sock() { + _socket="$1" + _method="$2" + _endpoint="$3" + _data="$4" + _ctype="$5" + if [ -z "$_ctype" ]; then + _ctype="Content-Type: application/json" + fi + _debug _data "$_data" + _debug2 "url" "http://localhost$_endpoint" + if [ "$_CURL_NO_HOST" ]; then + _cux_url="http:$_endpoint" + else + _cux_url="http://localhost$_endpoint" + fi + + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then + curl -vvv --silent --unix-socket "$_socket" -X "$_method" --data-binary "$_data" --header "$_ctype" "$_cux_url" + else + curl --silent --unix-socket "$_socket" -X "$_method" --data-binary "$_data" --header "$_ctype" "$_cux_url" + fi + +} + +_check_curl_version() { + _cversion="$(curl -V | grep '^curl ' | cut -d ' ' -f 2)" + _debug2 "_cversion" "$_cversion" + + _major="$(_getfield "$_cversion" 1 '.')" + _debug2 "_major" "$_major" + + _minor="$(_getfield "$_cversion" 2 '.')" + _debug2 "_minor" "$_minor" + + if [ "$_major$_minor" -lt "740" ]; then + _err "curl v$_cversion doesn't support unit socket" + _err "Please upgrade to curl 7.40 or later." + return 1 + fi + if [ "$_major$_minor" -lt "750" ]; then + _debug "Use short host name" + export _CURL_NO_HOST=1 + else + export _CURL_NO_HOST= + fi + return 0 +} diff --git a/acme.sh-master/deploy/dovecot.sh b/acme.sh-master/deploy/dovecot.sh new file mode 100644 index 0000000..3baf23d --- /dev/null +++ b/acme.sh-master/deploy/dovecot.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to dovecot server. + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +dovecot_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _err "Not implemented yet" + return 1 + +} diff --git a/acme.sh-master/deploy/exim4.sh b/acme.sh-master/deploy/exim4.sh new file mode 100644 index 0000000..260b879 --- /dev/null +++ b/acme.sh-master/deploy/exim4.sh @@ -0,0 +1,114 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to exim4 server. + +#returns 0 means success, otherwise error. + +#DEPLOY_EXIM4_CONF="/etc/exim/exim.conf" +#DEPLOY_EXIM4_RELOAD="service exim4 restart" + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +exim4_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _ssl_path="/etc/acme.sh/exim4" + if ! mkdir -p "$_ssl_path"; then + _err "Can not create folder:$_ssl_path" + return 1 + fi + + _info "Copying key and cert" + _real_key="$_ssl_path/exim4.key" + if ! cat "$_ckey" >"$_real_key"; then + _err "Error: write key file to: $_real_key" + return 1 + fi + _real_fullchain="$_ssl_path/exim4.pem" + if ! cat "$_cfullchain" >"$_real_fullchain"; then + _err "Error: write key file to: $_real_fullchain" + return 1 + fi + + DEFAULT_EXIM4_RELOAD="service exim4 restart" + _reload="${DEPLOY_EXIM4_RELOAD:-$DEFAULT_EXIM4_RELOAD}" + + if [ -z "$IS_RENEW" ]; then + DEFAULT_EXIM4_CONF="/etc/exim/exim.conf" + if [ ! -f "$DEFAULT_EXIM4_CONF" ]; then + DEFAULT_EXIM4_CONF="/etc/exim4/exim4.conf.template" + fi + _exim4_conf="${DEPLOY_EXIM4_CONF:-$DEFAULT_EXIM4_CONF}" + _debug _exim4_conf "$_exim4_conf" + if [ ! -f "$_exim4_conf" ]; then + if [ -z "$DEPLOY_EXIM4_CONF" ]; then + _err "exim4 conf is not found, please define DEPLOY_EXIM4_CONF" + return 1 + else + _err "It seems that the specified exim4 conf is not valid, please check." + return 1 + fi + fi + if [ ! -w "$_exim4_conf" ]; then + _err "The file $_exim4_conf is not writable, please change the permission." + return 1 + fi + _backup_conf="$DOMAIN_BACKUP_PATH/exim4.conf.bak" + _info "Backup $_exim4_conf to $_backup_conf" + cp "$_exim4_conf" "$_backup_conf" + + _info "Modify exim4 conf: $_exim4_conf" + if _setopt "$_exim4_conf" "tls_certificate" "=" "$_real_fullchain" && + _setopt "$_exim4_conf" "tls_privatekey" "=" "$_real_key"; then + _info "Set config success!" + else + _err "Config exim4 server error, please report bug to us." + _info "Restoring exim4 conf" + if cat "$_backup_conf" >"$_exim4_conf"; then + _info "Restore conf success" + eval "$_reload" + else + _err "Oops, error restore exim4 conf, please report bug to us." + fi + return 1 + fi + fi + + _info "Run reload: $_reload" + if eval "$_reload"; then + _info "Reload success!" + if [ "$DEPLOY_EXIM4_CONF" ]; then + _savedomainconf DEPLOY_EXIM4_CONF "$DEPLOY_EXIM4_CONF" + else + _cleardomainconf DEPLOY_EXIM4_CONF + fi + if [ "$DEPLOY_EXIM4_RELOAD" ]; then + _savedomainconf DEPLOY_EXIM4_RELOAD "$DEPLOY_EXIM4_RELOAD" + else + _cleardomainconf DEPLOY_EXIM4_RELOAD + fi + return 0 + else + _err "Reload error, restoring" + if cat "$_backup_conf" >"$_exim4_conf"; then + _info "Restore conf success" + eval "$_reload" + else + _err "Oops, error restore exim4 conf, please report bug to us." + fi + return 1 + fi + return 0 + +} diff --git a/acme.sh-master/deploy/fritzbox.sh b/acme.sh-master/deploy/fritzbox.sh new file mode 100644 index 0000000..416a412 --- /dev/null +++ b/acme.sh-master/deploy/fritzbox.sh @@ -0,0 +1,126 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to an AVM FRITZ!Box router. + +#returns 0 means success, otherwise error. + +#DEPLOY_FRITZBOX_USERNAME="username" +#DEPLOY_FRITZBOX_PASSWORD="password" +#DEPLOY_FRITZBOX_URL="https://fritz.box" + +# Kudos to wikrie at Github for his FRITZ!Box update script: +# https://gist.github.com/wikrie/f1d5747a714e0a34d0582981f7cb4cfb + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +fritzbox_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if ! _exists iconv; then + if ! _exists uconv; then + if ! _exists perl; then + _err "iconv or uconv or perl not found" + return 1 + fi + fi + fi + + # Clear traces of incorrectly stored values + _clearaccountconf DEPLOY_FRITZBOX_USERNAME + _clearaccountconf DEPLOY_FRITZBOX_PASSWORD + _clearaccountconf DEPLOY_FRITZBOX_URL + + # Read config from saved values or env + _getdeployconf DEPLOY_FRITZBOX_USERNAME + _getdeployconf DEPLOY_FRITZBOX_PASSWORD + _getdeployconf DEPLOY_FRITZBOX_URL + + _debug DEPLOY_FRITZBOX_URL "$DEPLOY_FRITZBOX_URL" + _debug DEPLOY_FRITZBOX_USERNAME "$DEPLOY_FRITZBOX_USERNAME" + _secure_debug DEPLOY_FRITZBOX_PASSWORD "$DEPLOY_FRITZBOX_PASSWORD" + + if [ -z "$DEPLOY_FRITZBOX_USERNAME" ]; then + _err "FRITZ!Box username is not found, please define DEPLOY_FRITZBOX_USERNAME." + return 1 + fi + if [ -z "$DEPLOY_FRITZBOX_PASSWORD" ]; then + _err "FRITZ!Box password is not found, please define DEPLOY_FRITZBOX_PASSWORD." + return 1 + fi + if [ -z "$DEPLOY_FRITZBOX_URL" ]; then + _err "FRITZ!Box url is not found, please define DEPLOY_FRITZBOX_URL." + return 1 + fi + + # Save current values + _savedeployconf DEPLOY_FRITZBOX_USERNAME "$DEPLOY_FRITZBOX_USERNAME" + _savedeployconf DEPLOY_FRITZBOX_PASSWORD "$DEPLOY_FRITZBOX_PASSWORD" + _savedeployconf DEPLOY_FRITZBOX_URL "$DEPLOY_FRITZBOX_URL" + + # Do not check for a valid SSL certificate, because initially the cert is not valid, so it could not install the LE generated certificate + export HTTPS_INSECURE=1 + + _info "Log in to the FRITZ!Box" + _fritzbox_challenge="$(_get "${DEPLOY_FRITZBOX_URL}/login_sid.lua" | sed -e 's/^.*//' -e 's/<\/Challenge>.*$//')" + if _exists iconv; then + _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)" + elif _exists uconv; then + _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | uconv -f ASCII -t UTF16LE | _digest md5 hex)" + else + _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${DEPLOY_FRITZBOX_PASSWORD}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)" + fi + _fritzbox_sid="$(_get "${DEPLOY_FRITZBOX_URL}/login_sid.lua?sid=0000000000000000&username=${DEPLOY_FRITZBOX_USERNAME}&response=${_fritzbox_challenge}-${_fritzbox_hash}" | sed -e 's/^.*//' -e 's/<\/SID>.*$//')" + + if [ -z "${_fritzbox_sid}" ] || [ "${_fritzbox_sid}" = "0000000000000000" ]; then + _err "Logging in to the FRITZ!Box failed. Please check username, password and URL." + return 1 + fi + + _info "Generate form POST request" + _post_request="$(_mktemp)" + _post_boundary="---------------------------$(date +%Y%m%d%H%M%S)" + # _CERTPASSWORD_ is unset because Let's Encrypt certificates don't have a password. But if they ever do, here's the place to use it! + _CERTPASSWORD_= + { + printf -- "--" + printf -- "%s\r\n" "${_post_boundary}" + printf "Content-Disposition: form-data; name=\"sid\"\r\n\r\n%s\r\n" "${_fritzbox_sid}" + printf -- "--" + printf -- "%s\r\n" "${_post_boundary}" + printf "Content-Disposition: form-data; name=\"BoxCertPassword\"\r\n\r\n%s\r\n" "${_CERTPASSWORD_}" + printf -- "--" + printf -- "%s\r\n" "${_post_boundary}" + printf "Content-Disposition: form-data; name=\"BoxCertImportFile\"; filename=\"BoxCert.pem\"\r\n" + printf "Content-Type: application/octet-stream\r\n\r\n" + cat "${_ckey}" "${_cfullchain}" + printf "\r\n" + printf -- "--" + printf -- "%s--" "${_post_boundary}" + } >>"${_post_request}" + + _info "Upload certificate to the FRITZ!Box" + + export _H1="Content-type: multipart/form-data boundary=${_post_boundary}" + _post "$(cat "${_post_request}")" "${DEPLOY_FRITZBOX_URL}/cgi-bin/firmwarecfg" | grep SSL + + retval=$? + if [ $retval = 0 ]; then + _info "Upload successful" + else + _err "Upload failed" + fi + rm "${_post_request}" + + return $retval +} diff --git a/acme.sh-master/deploy/gcore_cdn.sh b/acme.sh-master/deploy/gcore_cdn.sh new file mode 100644 index 0000000..fd17cc2 --- /dev/null +++ b/acme.sh-master/deploy/gcore_cdn.sh @@ -0,0 +1,143 @@ +#!/usr/bin/env sh + +# Here is the script to deploy the cert to G-Core CDN service (https://gcore.com/) using the G-Core Labs API (https://apidocs.gcore.com/cdn). +# Returns 0 when success. +# +# Written by temoffey +# Public domain, 2019 +# Update by DreamOfIce in 2023 + +#export DEPLOY_GCORE_CDN_USERNAME=myusername +#export DEPLOY_GCORE_CDN_PASSWORD=mypassword + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain + +gcore_cdn_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _fullchain=$(tr '\r\n' '*#' <"$_cfullchain" | sed 's/*#/#/g;s/##/#/g;s/#/\\n/g') + _key=$(tr '\r\n' '*#' <"$_ckey" | sed 's/*#/#/g;s/#/\\n/g') + + _debug _fullchain "$_fullchain" + _debug _key "$_key" + + if [ -z "$DEPLOY_GCORE_CDN_USERNAME" ]; then + if [ -z "$Le_Deploy_gcore_cdn_username" ]; then + _err "Please define the target username: export DEPLOY_GCORE_CDN_USERNAME=username" + return 1 + fi + else + Le_Deploy_gcore_cdn_username="$DEPLOY_GCORE_CDN_USERNAME" + _savedomainconf Le_Deploy_gcore_cdn_username "$Le_Deploy_gcore_cdn_username" + fi + + if [ -z "$DEPLOY_GCORE_CDN_PASSWORD" ]; then + if [ -z "$Le_Deploy_gcore_cdn_password" ]; then + _err "Please define the target password: export DEPLOY_GCORE_CDN_PASSWORD=password" + return 1 + fi + else + Le_Deploy_gcore_cdn_password="$DEPLOY_GCORE_CDN_PASSWORD" + _savedomainconf Le_Deploy_gcore_cdn_password "$Le_Deploy_gcore_cdn_password" + fi + + _info "Get authorization token" + _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}" + _debug _request "$_request" + export _H1="Content-Type:application/json" + _response=$(_post "$_request" "https://api.gcore.com/auth/jwt/login") + _debug _response "$_response" + _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$" + _debug _regex "$_regex" + _token=$(echo "$_response" | sed -n "s/$_regex/\1/p") + _debug _token "$_token" + + if [ -z "$_token" ]; then + _err "Error G-Core Labs API authorization" + return 1 + fi + + _info "Find CDN resource with cname $_cdomain" + export _H2="Authorization:Bearer $_token" + _response=$(_get "https://api.gcore.com/cdn/resources") + _debug _response "$_response" + _regex="\"primary_resource\":null}," + _debug _regex "$_regex" + _response=$(echo "$_response" | sed "s/$_regex/$_regex\n/g") + _debug _response "$_response" + _regex="^.*\"cname\":\"$_cdomain\".*$" + _debug _regex "$_regex" + _resource=$(echo "$_response" | _egrep_o "$_regex") + _debug _resource "$_resource" + _regex=".*\"id\":\([0-9]*\).*$" + _debug _regex "$_regex" + _resourceId=$(echo "$_resource" | sed -n "s/$_regex/\1/p") + _debug _resourceId "$_resourceId" + _regex=".*\"sslData\":\([0-9]*\).*$" + _debug _regex "$_regex" + _sslDataOld=$(echo "$_resource" | sed -n "s/$_regex/\1/p") + _debug _sslDataOld "$_sslDataOld" + _regex=".*\"originGroup\":\([0-9]*\).*$" + _debug _regex "$_regex" + _originGroup=$(echo "$_resource" | sed -n "s/$_regex/\1/p") + _debug _originGroup "$_originGroup" + + if [ -z "$_resourceId" ] || [ -z "$_originGroup" ]; then + _err "Not found CDN resource with cname $_cdomain" + return 1 + fi + + _info "Add new SSL certificate" + _date=$(date "+%d.%m.%Y %H:%M:%S") + _request="{\"name\":\"$_cdomain ($_date)\",\"sslCertificate\":\"$_fullchain\",\"sslPrivateKey\":\"$_key\"}" + _debug _request "$_request" + _response=$(_post "$_request" "https://api.gcore.com/cdn/sslData") + _debug _response "$_response" + _regex=".*\"id\":\([0-9]*\).*$" + _debug _regex "$_regex" + _sslDataAdd=$(echo "$_response" | sed -n "s/$_regex/\1/p") + _debug _sslDataAdd "$_sslDataAdd" + + if [ -z "$_sslDataAdd" ]; then + _err "Error new SSL certificate add" + return 1 + fi + + _info "Update CDN resource" + _request="{\"originGroup\":$_originGroup,\"sslData\":$_sslDataAdd}" + _debug _request "$_request" + _response=$(_post "$_request" "https://api.gcore.com/cdn/resources/$_resourceId" '' "PUT") + _debug _response "$_response" + _regex=".*\"sslData\":\([0-9]*\).*$" + _debug _regex "$_regex" + _sslDataNew=$(echo "$_response" | sed -n "s/$_regex/\1/p") + _debug _sslDataNew "$_sslDataNew" + + if [ "$_sslDataNew" != "$_sslDataAdd" ]; then + _err "Error CDN resource update" + return 1 + fi + + if [ -z "$_sslDataOld" ] || [ "$_sslDataOld" = "null" ]; then + _info "Not found old SSL certificate" + else + _info "Delete old SSL certificate" + _response=$(_post '' "https://api.gcore.com/cdn/sslData/$_sslDataOld" '' "DELETE") + _debug _response "$_response" + fi + + _info "Certificate successfully deployed" + return 0 +} diff --git a/acme.sh-master/deploy/gitlab.sh b/acme.sh-master/deploy/gitlab.sh new file mode 100644 index 0000000..595b6d2 --- /dev/null +++ b/acme.sh-master/deploy/gitlab.sh @@ -0,0 +1,80 @@ +#!/usr/bin/env sh + +# Script to deploy certificate to a Gitlab hosted page + +# The following variables exported from environment will be used. +# If not set then values previously saved in domain.conf file are used. + +# All the variables are required + +# export GITLAB_TOKEN="xxxxxxx" +# export GITLAB_PROJECT_ID=012345 +# export GITLAB_DOMAIN="mydomain.com" + +gitlab_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if [ -z "$GITLAB_TOKEN" ]; then + if [ -z "$Le_Deploy_gitlab_token" ]; then + _err "GITLAB_TOKEN not defined." + return 1 + fi + else + Le_Deploy_gitlab_token="$GITLAB_TOKEN" + _savedomainconf Le_Deploy_gitlab_token "$Le_Deploy_gitlab_token" + fi + + if [ -z "$GITLAB_PROJECT_ID" ]; then + if [ -z "$Le_Deploy_gitlab_project_id" ]; then + _err "GITLAB_PROJECT_ID not defined." + return 1 + fi + else + Le_Deploy_gitlab_project_id="$GITLAB_PROJECT_ID" + _savedomainconf Le_Deploy_gitlab_project_id "$Le_Deploy_gitlab_project_id" + fi + + if [ -z "$GITLAB_DOMAIN" ]; then + if [ -z "$Le_Deploy_gitlab_domain" ]; then + _err "GITLAB_DOMAIN not defined." + return 1 + fi + else + Le_Deploy_gitlab_domain="$GITLAB_DOMAIN" + _savedomainconf Le_Deploy_gitlab_domain "$Le_Deploy_gitlab_domain" + fi + + string_fullchain=$(_url_encode <"$_cfullchain") + string_key=$(_url_encode <"$_ckey") + + body="certificate=$string_fullchain&key=$string_key" + + export _H1="PRIVATE-TOKEN: $Le_Deploy_gitlab_token" + + gitlab_url="https://gitlab.com/api/v4/projects/$Le_Deploy_gitlab_project_id/pages/domains/$Le_Deploy_gitlab_domain" + + _response=$(_post "$body" "$gitlab_url" 0 PUT | _dbase64 "multiline") + + error_response="error" + + if test "${_response#*"$error_response"}" != "$_response"; then + _err "Error in deploying certificate:" + _err "$_response" + return 1 + fi + + _debug response "$_response" + _info "Certificate successfully deployed" + + return 0 +} diff --git a/acme.sh-master/deploy/haproxy.sh b/acme.sh-master/deploy/haproxy.sh new file mode 100644 index 0000000..c255059 --- /dev/null +++ b/acme.sh-master/deploy/haproxy.sh @@ -0,0 +1,280 @@ +#!/usr/bin/env sh + +# Script for acme.sh to deploy certificates to haproxy +# +# The following variables can be exported: +# +# export DEPLOY_HAPROXY_PEM_NAME="${domain}.pem" +# +# Defines the name of the PEM file. +# Defaults to ".pem" +# +# export DEPLOY_HAPROXY_PEM_PATH="/etc/haproxy" +# +# Defines location of PEM file for HAProxy. +# Defaults to /etc/haproxy +# +# export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy" +# +# OPTIONAL: Reload command used post deploy +# This defaults to be a no-op (ie "true"). +# It is strongly recommended to set this something that makes sense +# for your distro. +# +# export DEPLOY_HAPROXY_ISSUER="no" +# +# OPTIONAL: Places CA file as "${DEPLOY_HAPROXY_PEM}.issuer" +# Note: Required for OCSP stapling to work +# +# export DEPLOY_HAPROXY_BUNDLE="no" +# +# OPTIONAL: Deploy this certificate as part of a multi-cert bundle +# This adds a suffix to the certificate based on the certificate type +# eg RSA certificates will have .rsa as a suffix to the file name +# HAProxy will load all certificates and provide one or the other +# depending on client capabilities +# Note: This functionality requires HAProxy was compiled against +# a version of OpenSSL that supports this. +# + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +haproxy_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + # Some defaults + DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy" + DEPLOY_HAPROXY_PEM_NAME_DEFAULT="${_cdomain}.pem" + DEPLOY_HAPROXY_BUNDLE_DEFAULT="no" + DEPLOY_HAPROXY_ISSUER_DEFAULT="no" + DEPLOY_HAPROXY_RELOAD_DEFAULT="true" + + _debug _cdomain "${_cdomain}" + _debug _ckey "${_ckey}" + _debug _ccert "${_ccert}" + _debug _cca "${_cca}" + _debug _cfullchain "${_cfullchain}" + + # PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}" + _getdeployconf DEPLOY_HAPROXY_PEM_PATH + _debug2 DEPLOY_HAPROXY_PEM_PATH "${DEPLOY_HAPROXY_PEM_PATH}" + if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then + Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}" + _savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}" + elif [ -z "${Le_Deploy_haproxy_pem_path}" ]; then + Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}" + fi + + # Ensure PEM_PATH exists + if [ -d "${Le_Deploy_haproxy_pem_path}" ]; then + _debug "PEM_PATH ${Le_Deploy_haproxy_pem_path} exists" + else + _err "PEM_PATH ${Le_Deploy_haproxy_pem_path} does not exist" + return 1 + fi + + # PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}" + _getdeployconf DEPLOY_HAPROXY_PEM_NAME + _debug2 DEPLOY_HAPROXY_PEM_NAME "${DEPLOY_HAPROXY_PEM_NAME}" + if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then + Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}" + _savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}" + elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then + Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}" + fi + + # BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}" + _getdeployconf DEPLOY_HAPROXY_BUNDLE + _debug2 DEPLOY_HAPROXY_BUNDLE "${DEPLOY_HAPROXY_BUNDLE}" + if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then + Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}" + _savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}" + elif [ -z "${Le_Deploy_haproxy_bundle}" ]; then + Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE_DEFAULT}" + fi + + # ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}" + _getdeployconf DEPLOY_HAPROXY_ISSUER + _debug2 DEPLOY_HAPROXY_ISSUER "${DEPLOY_HAPROXY_ISSUER}" + if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then + Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}" + _savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}" + elif [ -z "${Le_Deploy_haproxy_issuer}" ]; then + Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER_DEFAULT}" + fi + + # RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}" + _getdeployconf DEPLOY_HAPROXY_RELOAD + _debug2 DEPLOY_HAPROXY_RELOAD "${DEPLOY_HAPROXY_RELOAD}" + if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then + Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}" + _savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}" + elif [ -z "${Le_Deploy_haproxy_reload}" ]; then + Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}" + fi + + # Set the suffix depending if we are creating a bundle or not + if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then + _info "Bundle creation requested" + # Initialise $Le_Keylength if its not already set + if [ -z "${Le_Keylength}" ]; then + Le_Keylength="" + fi + if _isEccKey "${Le_Keylength}"; then + _info "ECC key type detected" + _suffix=".ecdsa" + else + _info "RSA key type detected" + _suffix=".rsa" + fi + else + _suffix="" + fi + _debug _suffix "${_suffix}" + + # Set variables for later + _pem="${Le_Deploy_haproxy_pem_path}/${Le_Deploy_haproxy_pem_name}${_suffix}" + _issuer="${_pem}.issuer" + _ocsp="${_pem}.ocsp" + _reload="${Le_Deploy_haproxy_reload}" + + _info "Deploying PEM file" + # Create a temporary PEM file + _temppem="$(_mktemp)" + _debug _temppem "${_temppem}" + cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}" + _ret="$?" + + # Check that we could create the temporary file + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} returned during PEM file creation" + [ -f "${_temppem}" ] && rm -f "${_temppem}" + return ${_ret} + fi + + # Move PEM file into place + _info "Moving new certificate into place" + _debug _pem "${_pem}" + cat "${_temppem}" >"${_pem}" + _ret=$? + + # Clean up temp file + [ -f "${_temppem}" ] && rm -f "${_temppem}" + + # Deal with any failure of moving PEM file into place + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} returned while moving new certificate into place" + return ${_ret} + fi + + # Update .issuer file if requested + if [ "${Le_Deploy_haproxy_issuer}" = "yes" ]; then + _info "Updating .issuer file" + _debug _issuer "${_issuer}" + cat "${_cca}" >"${_issuer}" + _ret="$?" + + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} returned while copying issuer/CA certificate into place" + return ${_ret} + fi + else + [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists" + fi + + # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option + if [ -z "${Le_OCSP_Staple}" ]; then + Le_OCSP_Staple="0" + fi + if [ "${Le_OCSP_Staple}" = "1" ]; then + _info "Updating OCSP stapling info" + _debug _ocsp "${_ocsp}" + _info "Extracting OCSP URL" + _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}") + _debug _ocsp_url "${_ocsp_url}" + + # Only process OCSP if URL was present + if [ "${_ocsp_url}" != "" ]; then + # Extract the hostname from the OCSP URL + _info "Extracting OCSP URL" + _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3) + _debug _ocsp_host "${_ocsp_host}" + + # Only process the certificate if we have a .issuer file + if [ -r "${_issuer}" ]; then + # Check if issuer cert is also a root CA cert + _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10) + _debug _subjectdn "${_subjectdn}" + _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10) + _debug _issuerdn "${_issuerdn}" + _info "Requesting OCSP response" + # If the issuer is a CA cert then our command line has "-CAfile" added + if [ "${_subjectdn}" = "${_issuerdn}" ]; then + _cafile_argument="-CAfile \"${_issuer}\"" + else + _cafile_argument="" + fi + _debug _cafile_argument "${_cafile_argument}" + # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed + _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2) + _debug _openssl_version "${_openssl_version}" + _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1) + _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2) + if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then + _header_sep="=" + else + _header_sep=" " + fi + # Request the OCSP response from the issuer and store it + _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \ + -issuer \"${_issuer}\" \ + -cert \"${_pem}\" \ + -url \"${_ocsp_url}\" \ + -header Host${_header_sep}\"${_ocsp_host}\" \ + -respout \"${_ocsp}\" \ + -verify_other \"${_issuer}\" \ + ${_cafile_argument} \ + | grep -q \"${_pem}: good\"" + _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}" + eval "${_openssl_ocsp_cmd}" + _ret=$? + else + # Non fatal: No issuer file was present so no OCSP stapling file created + _err "OCSP stapling in use but no .issuer file was present" + fi + else + # Non fatal: No OCSP url was found int the certificate + _err "OCSP update requested but no OCSP URL was found in certificate" + fi + + # Non fatal: Check return code of openssl command + if [ "${_ret}" != "0" ]; then + _err "Updating OCSP stapling failed with return code ${_ret}" + fi + else + # An OCSP file was already present but certificate did not have OCSP extension + if [ -f "${_ocsp}" ]; then + _err "OCSP was not requested but .ocsp file exists." + # Could remove the file at this step, although HAProxy just ignores it in this case + # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file" + fi + fi + + # Reload HAProxy + _debug _reload "${_reload}" + eval "${_reload}" + _ret=$? + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} during reload" + return ${_ret} + else + _info "Reload successful" + fi + + return 0 +} diff --git a/acme.sh-master/deploy/keychain.sh b/acme.sh-master/deploy/keychain.sh new file mode 100644 index 0000000..d86b4d0 --- /dev/null +++ b/acme.sh-master/deploy/keychain.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env sh + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +keychain_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + /usr/bin/security import "$_ckey" -k "/Library/Keychains/System.keychain" + /usr/bin/security import "$_ccert" -k "/Library/Keychains/System.keychain" + /usr/bin/security import "$_cca" -k "/Library/Keychains/System.keychain" + /usr/bin/security import "$_cfullchain" -k "/Library/Keychains/System.keychain" + + return 0 +} diff --git a/acme.sh-master/deploy/kong.sh b/acme.sh-master/deploy/kong.sh new file mode 100644 index 0000000..b8faced --- /dev/null +++ b/acme.sh-master/deploy/kong.sh @@ -0,0 +1,77 @@ +#!/usr/bin/env sh +# If certificate already exists it will update only cert and key, not touching other parameters +# If certificate doesn't exist it will only upload cert and key, and not set other parameters +# Note that we deploy full chain +# Written by Geoffroi Genot + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +kong_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + _info "Deploying certificate on Kong instance" + if [ -z "$KONG_URL" ]; then + _debug "KONG_URL Not set, using default http://localhost:8001" + KONG_URL="http://localhost:8001" + fi + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + #Get ssl_uuid linked to the domain + ssl_uuid=$(_get "$KONG_URL/certificates/$_cdomain" | _normalizeJson | _egrep_o '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}') + if [ -z "$ssl_uuid" ]; then + _debug "Unable to get Kong ssl_uuid for domain $_cdomain" + _debug "Make sure that KONG_URL is correctly configured" + _debug "Make sure that a Kong certificate match the sni" + _debug "Kong url: $KONG_URL" + _info "No existing certificate, creating..." + #return 1 + fi + #Save kong url if it's succesful (First run case) + _saveaccountconf KONG_URL "$KONG_URL" + #Generate DEIM + delim="-----MultipartDelimiter$(date "+%s%N")" + nl="\015\012" + #Set Header + _H1="Content-Type: multipart/form-data; boundary=$delim" + #Generate data for request (Multipart/form-data with mixed content) + if [ -z "$ssl_uuid" ]; then + #set sni to domain + content="--$delim${nl}Content-Disposition: form-data; name=\"snis[]\"${nl}${nl}$_cdomain" + fi + #add key + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + #Add cert + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" + #Close multipart + content="$content${nl}--$delim--${nl}" + #Convert CRLF + content=$(printf %b "$content") + #DEBUG + _debug header "$_H1" + _debug content "$content" + #Check if sslcreated (if not => POST else => PATCH) + + if [ -z "$ssl_uuid" ]; then + #Post certificate to Kong + response=$(_post "$content" "$KONG_URL/certificates" "" "POST") + else + #patch + response=$(_post "$content" "$KONG_URL/certificates/$ssl_uuid" "" "PATCH") + fi + if ! [ "$(echo "$response" | _egrep_o "created_at")" = "created_at" ]; then + _err "An error occurred with cert upload. Check response:" + _err "$response" + return 1 + fi + _debug response "$response" + _info "Certificate successfully deployed" +} diff --git a/acme.sh-master/deploy/lighttpd.sh b/acme.sh-master/deploy/lighttpd.sh new file mode 100644 index 0000000..71f64b9 --- /dev/null +++ b/acme.sh-master/deploy/lighttpd.sh @@ -0,0 +1,280 @@ +#!/usr/bin/env sh + +# Script for acme.sh to deploy certificates to lighttpd +# +# The following variables can be exported: +# +# export DEPLOY_LIGHTTPD_PEM_NAME="${domain}.pem" +# +# Defines the name of the PEM file. +# Defaults to ".pem" +# +# export DEPLOY_LIGHTTPD_PEM_PATH="/etc/lighttpd" +# +# Defines location of PEM file for Lighttpd. +# Defaults to /etc/lighttpd +# +# export DEPLOY_LIGHTTPD_RELOAD="systemctl reload lighttpd" +# +# OPTIONAL: Reload command used post deploy +# This defaults to be a no-op (ie "true"). +# It is strongly recommended to set this something that makes sense +# for your distro. +# +# export DEPLOY_LIGHTTPD_ISSUER="yes" +# +# OPTIONAL: Places CA file as "${DEPLOY_LIGHTTPD_PEM}.issuer" +# Note: Required for OCSP stapling to work +# +# export DEPLOY_LIGHTTPD_BUNDLE="no" +# +# OPTIONAL: Deploy this certificate as part of a multi-cert bundle +# This adds a suffix to the certificate based on the certificate type +# eg RSA certificates will have .rsa as a suffix to the file name +# Lighttpd will load all certificates and provide one or the other +# depending on client capabilities +# Note: This functionality requires Lighttpd was compiled against +# a version of OpenSSL that supports this. +# + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +lighttpd_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + # Some defaults + DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT="/etc/lighttpd" + DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT="${_cdomain}.pem" + DEPLOY_LIGHTTPD_BUNDLE_DEFAULT="no" + DEPLOY_LIGHTTPD_ISSUER_DEFAULT="yes" + DEPLOY_LIGHTTPD_RELOAD_DEFAULT="true" + + _debug _cdomain "${_cdomain}" + _debug _ckey "${_ckey}" + _debug _ccert "${_ccert}" + _debug _cca "${_cca}" + _debug _cfullchain "${_cfullchain}" + + # PEM_PATH is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}" + _getdeployconf DEPLOY_LIGHTTPD_PEM_PATH + _debug2 DEPLOY_LIGHTTPD_PEM_PATH "${DEPLOY_LIGHTTPD_PEM_PATH}" + if [ -n "${DEPLOY_LIGHTTPD_PEM_PATH}" ]; then + Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH}" + _savedomainconf Le_Deploy_lighttpd_pem_path "${Le_Deploy_lighttpd_pem_path}" + elif [ -z "${Le_Deploy_lighttpd_pem_path}" ]; then + Le_Deploy_lighttpd_pem_path="${DEPLOY_LIGHTTPD_PEM_PATH_DEFAULT}" + fi + + # Ensure PEM_PATH exists + if [ -d "${Le_Deploy_lighttpd_pem_path}" ]; then + _debug "PEM_PATH ${Le_Deploy_lighttpd_pem_path} exists" + else + _err "PEM_PATH ${Le_Deploy_lighttpd_pem_path} does not exist" + return 1 + fi + + # PEM_NAME is optional. If not provided then assume "${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}" + _getdeployconf DEPLOY_LIGHTTPD_PEM_NAME + _debug2 DEPLOY_LIGHTTPD_PEM_NAME "${DEPLOY_LIGHTTPD_PEM_NAME}" + if [ -n "${DEPLOY_LIGHTTPD_PEM_NAME}" ]; then + Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME}" + _savedomainconf Le_Deploy_lighttpd_pem_name "${Le_Deploy_lighttpd_pem_name}" + elif [ -z "${Le_Deploy_lighttpd_pem_name}" ]; then + Le_Deploy_lighttpd_pem_name="${DEPLOY_LIGHTTPD_PEM_NAME_DEFAULT}" + fi + + # BUNDLE is optional. If not provided then assume "${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}" + _getdeployconf DEPLOY_LIGHTTPD_BUNDLE + _debug2 DEPLOY_LIGHTTPD_BUNDLE "${DEPLOY_LIGHTTPD_BUNDLE}" + if [ -n "${DEPLOY_LIGHTTPD_BUNDLE}" ]; then + Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE}" + _savedomainconf Le_Deploy_lighttpd_bundle "${Le_Deploy_lighttpd_bundle}" + elif [ -z "${Le_Deploy_lighttpd_bundle}" ]; then + Le_Deploy_lighttpd_bundle="${DEPLOY_LIGHTTPD_BUNDLE_DEFAULT}" + fi + + # ISSUER is optional. If not provided then assume "${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}" + _getdeployconf DEPLOY_LIGHTTPD_ISSUER + _debug2 DEPLOY_LIGHTTPD_ISSUER "${DEPLOY_LIGHTTPD_ISSUER}" + if [ -n "${DEPLOY_LIGHTTPD_ISSUER}" ]; then + Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER}" + _savedomainconf Le_Deploy_lighttpd_issuer "${Le_Deploy_lighttpd_issuer}" + elif [ -z "${Le_Deploy_lighttpd_issuer}" ]; then + Le_Deploy_lighttpd_issuer="${DEPLOY_LIGHTTPD_ISSUER_DEFAULT}" + fi + + # RELOAD is optional. If not provided then assume "${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}" + _getdeployconf DEPLOY_LIGHTTPD_RELOAD + _debug2 DEPLOY_LIGHTTPD_RELOAD "${DEPLOY_LIGHTTPD_RELOAD}" + if [ -n "${DEPLOY_LIGHTTPD_RELOAD}" ]; then + Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD}" + _savedomainconf Le_Deploy_lighttpd_reload "${Le_Deploy_lighttpd_reload}" + elif [ -z "${Le_Deploy_lighttpd_reload}" ]; then + Le_Deploy_lighttpd_reload="${DEPLOY_LIGHTTPD_RELOAD_DEFAULT}" + fi + + # Set the suffix depending if we are creating a bundle or not + if [ "${Le_Deploy_lighttpd_bundle}" = "yes" ]; then + _info "Bundle creation requested" + # Initialise $Le_Keylength if its not already set + if [ -z "${Le_Keylength}" ]; then + Le_Keylength="" + fi + if _isEccKey "${Le_Keylength}"; then + _info "ECC key type detected" + _suffix=".ecdsa" + else + _info "RSA key type detected" + _suffix=".rsa" + fi + else + _suffix="" + fi + _debug _suffix "${_suffix}" + + # Set variables for later + _pem="${Le_Deploy_lighttpd_pem_path}/${Le_Deploy_lighttpd_pem_name}${_suffix}" + _issuer="${_pem}.issuer" + _ocsp="${_pem}.ocsp" + _reload="${Le_Deploy_lighttpd_reload}" + + _info "Deploying PEM file" + # Create a temporary PEM file + _temppem="$(_mktemp)" + _debug _temppem "${_temppem}" + cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}" + _ret="$?" + + # Check that we could create the temporary file + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} returned during PEM file creation" + [ -f "${_temppem}" ] && rm -f "${_temppem}" + return ${_ret} + fi + + # Move PEM file into place + _info "Moving new certificate into place" + _debug _pem "${_pem}" + cat "${_temppem}" >"${_pem}" + _ret=$? + + # Clean up temp file + [ -f "${_temppem}" ] && rm -f "${_temppem}" + + # Deal with any failure of moving PEM file into place + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} returned while moving new certificate into place" + return ${_ret} + fi + + # Update .issuer file if requested + if [ "${Le_Deploy_lighttpd_issuer}" = "yes" ]; then + _info "Updating .issuer file" + _debug _issuer "${_issuer}" + cat "${_cca}" >"${_issuer}" + _ret="$?" + + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} returned while copying issuer/CA certificate into place" + return ${_ret} + fi + else + [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists" + fi + + # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option + if [ -z "${Le_OCSP_Staple}" ]; then + Le_OCSP_Staple="0" + fi + if [ "${Le_OCSP_Staple}" = "1" ]; then + _info "Updating OCSP stapling info" + _debug _ocsp "${_ocsp}" + _info "Extracting OCSP URL" + _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}") + _debug _ocsp_url "${_ocsp_url}" + + # Only process OCSP if URL was present + if [ "${_ocsp_url}" != "" ]; then + # Extract the hostname from the OCSP URL + _info "Extracting OCSP URL" + _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3) + _debug _ocsp_host "${_ocsp_host}" + + # Only process the certificate if we have a .issuer file + if [ -r "${_issuer}" ]; then + # Check if issuer cert is also a root CA cert + _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10) + _debug _subjectdn "${_subjectdn}" + _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10) + _debug _issuerdn "${_issuerdn}" + _info "Requesting OCSP response" + # If the issuer is a CA cert then our command line has "-CAfile" added + if [ "${_subjectdn}" = "${_issuerdn}" ]; then + _cafile_argument="-CAfile \"${_issuer}\"" + else + _cafile_argument="" + fi + _debug _cafile_argument "${_cafile_argument}" + # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed + _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2) + _debug _openssl_version "${_openssl_version}" + _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1) + _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2) + if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then + _header_sep="=" + else + _header_sep=" " + fi + # Request the OCSP response from the issuer and store it + _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \ + -issuer \"${_issuer}\" \ + -cert \"${_pem}\" \ + -url \"${_ocsp_url}\" \ + -header Host${_header_sep}\"${_ocsp_host}\" \ + -respout \"${_ocsp}\" \ + -verify_other \"${_issuer}\" \ + ${_cafile_argument} \ + | grep -q \"${_pem}: good\"" + _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}" + eval "${_openssl_ocsp_cmd}" + _ret=$? + else + # Non fatal: No issuer file was present so no OCSP stapling file created + _err "OCSP stapling in use but no .issuer file was present" + fi + else + # Non fatal: No OCSP url was found int the certificate + _err "OCSP update requested but no OCSP URL was found in certificate" + fi + + # Non fatal: Check return code of openssl command + if [ "${_ret}" != "0" ]; then + _err "Updating OCSP stapling failed with return code ${_ret}" + fi + else + # An OCSP file was already present but certificate did not have OCSP extension + if [ -f "${_ocsp}" ]; then + _err "OCSP was not requested but .ocsp file exists." + # Could remove the file at this step, although Lighttpd just ignores it in this case + # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file" + fi + fi + + # Reload Lighttpd + _debug _reload "${_reload}" + eval "${_reload}" + _ret=$? + if [ "${_ret}" != "0" ]; then + _err "Error code ${_ret} during reload" + return ${_ret} + else + _info "Reload successful" + fi + + return 0 +} diff --git a/acme.sh-master/deploy/mailcow.sh b/acme.sh-master/deploy/mailcow.sh new file mode 100644 index 0000000..99dc80e --- /dev/null +++ b/acme.sh-master/deploy/mailcow.sh @@ -0,0 +1,69 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to mailcow. + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +mailcow_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _getdeployconf DEPLOY_MAILCOW_PATH + _getdeployconf DEPLOY_MAILCOW_RELOAD + + _debug DEPLOY_MAILCOW_PATH "$DEPLOY_MAILCOW_PATH" + _debug DEPLOY_MAILCOW_RELOAD "$DEPLOY_MAILCOW_RELOAD" + + if [ -z "$DEPLOY_MAILCOW_PATH" ]; then + _err "Mailcow path is not found, please define DEPLOY_MAILCOW_PATH." + return 1 + fi + + _savedeployconf DEPLOY_MAILCOW_PATH "$DEPLOY_MAILCOW_PATH" + [ -n "$DEPLOY_MAILCOW_RELOAD" ] && _savedeployconf DEPLOY_MAILCOW_RELOAD "$DEPLOY_MAILCOW_RELOAD" + + _ssl_path="$DEPLOY_MAILCOW_PATH" + if [ -f "$DEPLOY_MAILCOW_PATH/generate_config.sh" ]; then + _ssl_path="$DEPLOY_MAILCOW_PATH/data/assets/ssl/" + fi + + if [ ! -d "$_ssl_path" ]; then + _err "Cannot find mailcow ssl path: $_ssl_path" + return 1 + fi + + _info "Copying key and cert" + _real_key="$_ssl_path/key.pem" + if ! cat "$_ckey" >"$_real_key"; then + _err "Error: write key file to: $_real_key" + return 1 + fi + + _real_fullchain="$_ssl_path/cert.pem" + if ! cat "$_cfullchain" >"$_real_fullchain"; then + _err "Error: write cert file to: $_real_fullchain" + return 1 + fi + + DEFAULT_MAILCOW_RELOAD="docker restart \$(docker ps --quiet --filter name=nginx-mailcow --filter name=dovecot-mailcow --filter name=postfix-mailcow)" + _reload="${DEPLOY_MAILCOW_RELOAD:-$DEFAULT_MAILCOW_RELOAD}" + + _info "Run reload: $_reload" + if eval "$_reload"; then + _info "Reload success!" + fi + return 0 + +} diff --git a/acme.sh-master/deploy/myapi.sh b/acme.sh-master/deploy/myapi.sh new file mode 100644 index 0000000..5075fab --- /dev/null +++ b/acme.sh-master/deploy/myapi.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env sh + +#Here is a sample custom api script. +#This file name is "myapi.sh" +#So, here must be a method myapi_deploy() +#Which will be called by acme.sh to deploy the cert +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +myapi_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _err "Not implemented yet" + return 1 + +} diff --git a/acme.sh-master/deploy/mydevil.sh b/acme.sh-master/deploy/mydevil.sh new file mode 100644 index 0000000..bd9868a --- /dev/null +++ b/acme.sh-master/deploy/mydevil.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# MyDevil.net API (2019-02-03) +# +# MyDevil.net already supports automatic Let's Encrypt certificates, +# except for wildcard domains. +# +# This script depends on `devil` command that MyDevil.net provides, +# which means that it works only on server side. +# +# Author: Marcin Konicki +# +######## Public functions ##################### + +# Usage: mydevil_deploy domain keyfile certfile cafile fullchain +mydevil_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + ip="" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if ! _exists "devil"; then + _err "Could not find 'devil' command." + return 1 + fi + + ip=$(mydevil_get_ip "$_cdomain") + if [ -z "$ip" ]; then + _err "Could not find IP for domain $_cdomain." + return 1 + fi + + # Delete old certificate first + _info "Removing old certificate for $_cdomain at $ip" + devil ssl www del "$ip" "$_cdomain" + + # Add new certificate + _info "Adding new certificate for $_cdomain at $ip" + devil ssl www add "$ip" "$_cfullchain" "$_ckey" "$_cdomain" || return 1 + + return 0 +} + +#################### Private functions below ################################## + +# Usage: ip=$(mydevil_get_ip domain.com) +# echo $ip +mydevil_get_ip() { + devil dns list "$1" | cut -w -s -f 3,7 | grep "^A$(printf '\t')" | cut -w -s -f 2 || return 1 + return 0 +} diff --git a/acme.sh-master/deploy/mysqld.sh b/acme.sh-master/deploy/mysqld.sh new file mode 100644 index 0000000..8778843 --- /dev/null +++ b/acme.sh-master/deploy/mysqld.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to mysqld server. + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +mysqld_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _err "deploy cert to mysqld server, Not implemented yet" + return 1 + +} diff --git a/acme.sh-master/deploy/nginx.sh b/acme.sh-master/deploy/nginx.sh new file mode 100644 index 0000000..952b27f --- /dev/null +++ b/acme.sh-master/deploy/nginx.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to nginx server. + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +nginx_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _err "deploy cert to nginx server, Not implemented yet" + return 1 + +} diff --git a/acme.sh-master/deploy/openmediavault.sh b/acme.sh-master/deploy/openmediavault.sh new file mode 100644 index 0000000..cfc2d33 --- /dev/null +++ b/acme.sh-master/deploy/openmediavault.sh @@ -0,0 +1,156 @@ +#!/usr/bin/env sh + +# This deploy hook is tested on OpenMediaVault 5.x. It supports both local and remote deployment. +# The way it works is that if a cert with the matching domain name is not found, it will firstly create a dummy cert to get its uuid, and then replace it with your cert. +# +# DEPLOY_OMV_WEBUI_ADMIN - This is OMV web gui admin account. Default value is admin. It's required as the user parameter (-u) for the omv-rpc command. +# DEPLOY_OMV_HOST and DEPLOY_OMV_SSH_USER are optional. They are used for remote deployment through ssh (support public key authentication only). Per design, OMV web gui admin doesn't have ssh permission, so another account is needed for ssh. +# +# returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +openmediavault_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _getdeployconf DEPLOY_OMV_WEBUI_ADMIN + + if [ -z "$DEPLOY_OMV_WEBUI_ADMIN" ]; then + DEPLOY_OMV_WEBUI_ADMIN="admin" + fi + + _savedeployconf DEPLOY_OMV_WEBUI_ADMIN "$DEPLOY_OMV_WEBUI_ADMIN" + + _getdeployconf DEPLOY_OMV_HOST + _getdeployconf DEPLOY_OMV_SSH_USER + + if [ -n "$DEPLOY_OMV_HOST" ] && [ -n "$DEPLOY_OMV_SSH_USER" ]; then + _info "[OMV deploy-hook] Deploy certificate remotely through ssh." + _savedeployconf DEPLOY_OMV_HOST "$DEPLOY_OMV_HOST" + _savedeployconf DEPLOY_OMV_SSH_USER "$DEPLOY_OMV_SSH_USER" + else + _info "[OMV deploy-hook] Deploy certificate locally." + fi + + if [ -n "$DEPLOY_OMV_HOST" ] && [ -n "$DEPLOY_OMV_SSH_USER" ]; then + + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'getList' '{\"start\": 0, \"limit\": -1}' | jq -r '.data[] | select(.name==\"/CN='$_cdomain'\") | .uuid'" + # shellcheck disable=SC2029 + _uuid=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command") + _debug _command "$_command" + + if [ -z "$_uuid" ]; then + _info "[OMV deploy-hook] Domain $_cdomain has no certificate in openmediavault, creating it!" + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'create' '{\"cn\": \"test.example.com\", \"size\": 4096, \"days\": 3650, \"c\": \"\", \"st\": \"\", \"l\": \"\", \"o\": \"\", \"ou\": \"\", \"email\": \"\"}' | jq -r '.uuid'" + # shellcheck disable=SC2029 + _uuid=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command") + _debug _command "$_command" + + if [ -z "$_uuid" ]; then + _err "[OMV deploy-hook] An error occured while creating the certificate" + return 1 + fi + fi + + _info "[OMV deploy-hook] Domain $_cdomain has uuid: $_uuid" + _fullchain=$(jq <"$_cfullchain" -aRs .) + _key=$(jq <"$_ckey" -aRs .) + + _debug _fullchain "$_fullchain" + _debug _key "$_key" + + _info "[OMV deploy-hook] Updating key and certificate in openmediavault" + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'set' '{\"uuid\":\"$_uuid\", \"certificate\":$_fullchain, \"privatekey\":$_key, \"comment\":\"acme.sh deployed $(date)\"}'" + # shellcheck disable=SC2029 + _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'setSettings' \$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'getSettings' | jq -c '.sslcertificateref=\"$_uuid\"')" + # shellcheck disable=SC2029 + _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + _info "[OMV deploy-hook] Asking openmediavault to apply changes... (this could take some time, hang in there)" + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'Config' 'applyChanges' '{\"modules\":[], \"force\": false}'" + # shellcheck disable=SC2029 + _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + _info "[OMV deploy-hook] Asking nginx to reload" + _command="nginx -s reload" + # shellcheck disable=SC2029 + _result=$(ssh "$DEPLOY_OMV_SSH_USER@$DEPLOY_OMV_HOST" "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + else + + # shellcheck disable=SC2086 + _uuid=$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'getList' '{"start": 0, "limit": -1}' | jq -r '.data[] | select(.name=="/CN='$_cdomain'") | .uuid') + if [ -z "$_uuid" ]; then + _info "[OMV deploy-hook] Domain $_cdomain has no certificate in openmediavault, creating it!" + # shellcheck disable=SC2086 + _uuid=$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'create' '{"cn": "test.example.com", "size": 4096, "days": 3650, "c": "", "st": "", "l": "", "o": "", "ou": "", "email": ""}' | jq -r '.uuid') + + if [ -z "$_uuid" ]; then + _err "[OMB deploy-hook] An error occured while creating the certificate" + return 1 + fi + fi + + _info "[OMV deploy-hook] Domain $_cdomain has uuid: $_uuid" + _fullchain=$(jq <"$_cfullchain" -aRs .) + _key=$(jq <"$_ckey" -aRs .) + + _debug _fullchain "$_fullchain" + _debug _key "$_key" + + _info "[OMV deploy-hook] Updating key and certificate in openmediavault" + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'CertificateMgmt' 'set' '{\"uuid\":\"$_uuid\", \"certificate\":$_fullchain, \"privatekey\":$_key, \"comment\":\"acme.sh deployed $(date)\"}'" + _result=$(eval "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'setSettings' \$(omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'WebGui' 'getSettings' | jq -c '.sslcertificateref=\"$_uuid\"')" + _result=$(eval "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + _info "[OMV deploy-hook] Asking openmediavault to apply changes... (this could take some time, hang in there)" + _command="omv-rpc -u $DEPLOY_OMV_WEBUI_ADMIN 'Config' 'applyChanges' '{\"modules\":[], \"force\": false}'" + _result=$(eval "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + _info "[OMV deploy-hook] Asking nginx to reload" + _command="nginx -s reload" + _result=$(eval "$_command") + + _debug _command "$_command" + _debug _result "$_result" + + fi + + return 0 +} diff --git a/acme.sh-master/deploy/opensshd.sh b/acme.sh-master/deploy/opensshd.sh new file mode 100644 index 0000000..9001b97 --- /dev/null +++ b/acme.sh-master/deploy/opensshd.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to opensshd server. + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +opensshd_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _err "deploy cert to opensshd server, Not implemented yet" + return 1 + +} diff --git a/acme.sh-master/deploy/openstack.sh b/acme.sh-master/deploy/openstack.sh new file mode 100644 index 0000000..f205885 --- /dev/null +++ b/acme.sh-master/deploy/openstack.sh @@ -0,0 +1,262 @@ +#!/usr/bin/env sh + +# OpenStack Barbican deploy hook +# +# This requires you to have OpenStackClient and python-barbicanclient +# installed. +# +# You will require Keystone V3 credentials loaded into your environment, which +# could be either password or v3applicationcredential type. +# +# Author: Andy Botting + +openstack_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + if ! _exists openstack; then + _err "OpenStack client not found" + return 1 + fi + + _openstack_credentials || return $? + + _info "Generate import pkcs12" + _import_pkcs12="$(_mktemp)" + if ! _openstack_to_pkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca"; then + _err "Error creating pkcs12 certificate" + return 1 + fi + _debug _import_pkcs12 "$_import_pkcs12" + _base64_pkcs12=$(_base64 "multiline" <"$_import_pkcs12") + + secretHrefs=$(_openstack_get_secrets) + _debug secretHrefs "$secretHrefs" + _openstack_store_secret || return $? + + if [ -n "$secretHrefs" ]; then + _info "Cleaning up existing secret" + _openstack_delete_secrets || return $? + fi + + _info "Certificate successfully deployed" + return 0 +} + +_openstack_store_secret() { + if ! openstack secret store --name "$_cdomain." -t 'application/octet-stream' -e base64 --payload "$_base64_pkcs12"; then + _err "Failed to create OpenStack secret" + return 1 + fi + return +} + +_openstack_delete_secrets() { + echo "$secretHrefs" | while read -r secretHref; do + _info "Deleting old secret $secretHref" + if ! openstack secret delete "$secretHref"; then + _err "Failed to delete OpenStack secret" + return 1 + fi + done + return +} + +_openstack_get_secrets() { + if ! secretHrefs=$(openstack secret list -f value --name "$_cdomain." | cut -d' ' -f1); then + _err "Failed to list secrets" + return 1 + fi + echo "$secretHrefs" +} + +_openstack_to_pkcs() { + # The existing _toPkcs command can't allow an empty password, due to sh + # -z test, so copied here and forcing the empty password. + _cpfx="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + + ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:" +} + +_openstack_credentials() { + _debug "Check OpenStack credentials" + + # If we have OS_AUTH_URL already set in the environment, then assume we want + # to use those, otherwise use stored credentials + if [ -n "$OS_AUTH_URL" ]; then + _debug "OS_AUTH_URL env var found, using environment" + else + _debug "OS_AUTH_URL not found, loading stored credentials" + OS_AUTH_URL="${OS_AUTH_URL:-$(_readaccountconf_mutable OS_AUTH_URL)}" + OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-$(_readaccountconf_mutable OS_IDENTITY_API_VERSION)}" + OS_AUTH_TYPE="${OS_AUTH_TYPE:-$(_readaccountconf_mutable OS_AUTH_TYPE)}" + OS_APPLICATION_CREDENTIAL_ID="${OS_APPLICATION_CREDENTIAL_ID:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID)}" + OS_APPLICATION_CREDENTIAL_SECRET="${OS_APPLICATION_CREDENTIAL_SECRET:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET)}" + OS_USERNAME="${OS_USERNAME:-$(_readaccountconf_mutable OS_USERNAME)}" + OS_PASSWORD="${OS_PASSWORD:-$(_readaccountconf_mutable OS_PASSWORD)}" + OS_PROJECT_NAME="${OS_PROJECT_NAME:-$(_readaccountconf_mutable OS_PROJECT_NAME)}" + OS_PROJECT_ID="${OS_PROJECT_ID:-$(_readaccountconf_mutable OS_PROJECT_ID)}" + OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-$(_readaccountconf_mutable OS_USER_DOMAIN_NAME)}" + OS_USER_DOMAIN_ID="${OS_USER_DOMAIN_ID:-$(_readaccountconf_mutable OS_USER_DOMAIN_ID)}" + OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_NAME)}" + OS_PROJECT_DOMAIN_ID="${OS_PROJECT_DOMAIN_ID:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_ID)}" + fi + + # Check each var and either save or clear it depending on whether its set. + # The helps us clear out old vars in the case where a user may want + # to switch between password and app creds + _debug "OS_AUTH_URL" "$OS_AUTH_URL" + if [ -n "$OS_AUTH_URL" ]; then + export OS_AUTH_URL + _saveaccountconf_mutable OS_AUTH_URL "$OS_AUTH_URL" + else + unset OS_AUTH_URL + _clearaccountconf SAVED_OS_AUTH_URL + fi + + _debug "OS_IDENTITY_API_VERSION" "$OS_IDENTITY_API_VERSION" + if [ -n "$OS_IDENTITY_API_VERSION" ]; then + export OS_IDENTITY_API_VERSION + _saveaccountconf_mutable OS_IDENTITY_API_VERSION "$OS_IDENTITY_API_VERSION" + else + unset OS_IDENTITY_API_VERSION + _clearaccountconf SAVED_OS_IDENTITY_API_VERSION + fi + + _debug "OS_AUTH_TYPE" "$OS_AUTH_TYPE" + if [ -n "$OS_AUTH_TYPE" ]; then + export OS_AUTH_TYPE + _saveaccountconf_mutable OS_AUTH_TYPE "$OS_AUTH_TYPE" + else + unset OS_AUTH_TYPE + _clearaccountconf SAVED_OS_AUTH_TYPE + fi + + _debug "OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_ID" + if [ -n "$OS_APPLICATION_CREDENTIAL_ID" ]; then + export OS_APPLICATION_CREDENTIAL_ID + _saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID "$OS_APPLICATION_CREDENTIAL_ID" + else + unset OS_APPLICATION_CREDENTIAL_ID + _clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_ID + fi + + _secure_debug "OS_APPLICATION_CREDENTIAL_SECRET" "$OS_APPLICATION_CREDENTIAL_SECRET" + if [ -n "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then + export OS_APPLICATION_CREDENTIAL_SECRET + _saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET "$OS_APPLICATION_CREDENTIAL_SECRET" + else + unset OS_APPLICATION_CREDENTIAL_SECRET + _clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_SECRET + fi + + _debug "OS_USERNAME" "$OS_USERNAME" + if [ -n "$OS_USERNAME" ]; then + export OS_USERNAME + _saveaccountconf_mutable OS_USERNAME "$OS_USERNAME" + else + unset OS_USERNAME + _clearaccountconf SAVED_OS_USERNAME + fi + + _secure_debug "OS_PASSWORD" "$OS_PASSWORD" + if [ -n "$OS_PASSWORD" ]; then + export OS_PASSWORD + _saveaccountconf_mutable OS_PASSWORD "$OS_PASSWORD" + else + unset OS_PASSWORD + _clearaccountconf SAVED_OS_PASSWORD + fi + + _debug "OS_PROJECT_NAME" "$OS_PROJECT_NAME" + if [ -n "$OS_PROJECT_NAME" ]; then + export OS_PROJECT_NAME + _saveaccountconf_mutable OS_PROJECT_NAME "$OS_PROJECT_NAME" + else + unset OS_PROJECT_NAME + _clearaccountconf SAVED_OS_PROJECT_NAME + fi + + _debug "OS_PROJECT_ID" "$OS_PROJECT_ID" + if [ -n "$OS_PROJECT_ID" ]; then + export OS_PROJECT_ID + _saveaccountconf_mutable OS_PROJECT_ID "$OS_PROJECT_ID" + else + unset OS_PROJECT_ID + _clearaccountconf SAVED_OS_PROJECT_ID + fi + + _debug "OS_USER_DOMAIN_NAME" "$OS_USER_DOMAIN_NAME" + if [ -n "$OS_USER_DOMAIN_NAME" ]; then + export OS_USER_DOMAIN_NAME + _saveaccountconf_mutable OS_USER_DOMAIN_NAME "$OS_USER_DOMAIN_NAME" + else + unset OS_USER_DOMAIN_NAME + _clearaccountconf SAVED_OS_USER_DOMAIN_NAME + fi + + _debug "OS_USER_DOMAIN_ID" "$OS_USER_DOMAIN_ID" + if [ -n "$OS_USER_DOMAIN_ID" ]; then + export OS_USER_DOMAIN_ID + _saveaccountconf_mutable OS_USER_DOMAIN_ID "$OS_USER_DOMAIN_ID" + else + unset OS_USER_DOMAIN_ID + _clearaccountconf SAVED_OS_USER_DOMAIN_ID + fi + + _debug "OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME" + if [ -n "$OS_PROJECT_DOMAIN_NAME" ]; then + export OS_PROJECT_DOMAIN_NAME + _saveaccountconf_mutable OS_PROJECT_DOMAIN_NAME "$OS_PROJECT_DOMAIN_NAME" + else + unset OS_PROJECT_DOMAIN_NAME + _clearaccountconf SAVED_OS_PROJECT_DOMAIN_NAME + fi + + _debug "OS_PROJECT_DOMAIN_ID" "$OS_PROJECT_DOMAIN_ID" + if [ -n "$OS_PROJECT_DOMAIN_ID" ]; then + export OS_PROJECT_DOMAIN_ID + _saveaccountconf_mutable OS_PROJECT_DOMAIN_ID "$OS_PROJECT_DOMAIN_ID" + else + unset OS_PROJECT_DOMAIN_ID + _clearaccountconf SAVED_OS_PROJECT_DOMAIN_ID + fi + + if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then + # Application Credential auth + if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then + _err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID" + _err "and OS_APPLICATION_CREDENTIAL_SECRET must be set." + _err "Please check your credentials and try again." + return 1 + fi + else + # Password auth + if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then + _err "OpenStack username or password not found." + _err "Please check your credentials and try again." + return 1 + fi + + if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then + _err "When using password authentication, OS_PROJECT_NAME or" + _err "OS_PROJECT_ID must be set." + _err "Please check your credentials and try again." + return 1 + fi + fi + + return 0 +} diff --git a/acme.sh-master/deploy/panos.sh b/acme.sh-master/deploy/panos.sh new file mode 100644 index 0000000..ef622de --- /dev/null +++ b/acme.sh-master/deploy/panos.sh @@ -0,0 +1,139 @@ +#!/usr/bin/env sh + +# Script to deploy certificates to Palo Alto Networks PANOS via API +# Note PANOS API KEY and IP address needs to be set prior to running. +# The following variables exported from environment will be used. +# If not set then values previously saved in domain.conf file are used. +# +# Firewall admin with superuser and IP address is required. +# +# export PANOS_USER="" # required +# export PANOS_PASS="" # required +# export PANOS_HOST="" # required + +# This function is to parse the XML +parse_response() { + type=$2 + if [ "$type" = 'keygen' ]; then + status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') + if [ "$status" = "success" ]; then + panos_key=$(echo "$1" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') + _panos_key=$panos_key + else + message="PAN-OS Key could not be set." + fi + else + status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') + message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') + fi + return 0 +} + +deployer() { + content="" + type=$1 # Types are keygen, cert, key, commit + _debug "**** Deploying $type *****" + panos_url="https://$_panos_host/api/" + if [ "$type" = 'keygen' ]; then + _H1="Content-Type: application/x-www-form-urlencoded" + content="type=keygen&user=$_panos_user&password=$_panos_pass" + # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" + fi + + if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then + #Generate DEIM + delim="-----MultipartDelimiter$(date "+%s%N")" + nl="\015\012" + #Set Header + export _H1="Content-Type: multipart/form-data; boundary=$delim" + if [ "$type" = 'cert' ]; then + panos_url="${panos_url}?type=import" + content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" + fi + if [ "$type" = 'key' ]; then + panos_url="${panos_url}?type=import" + content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + fi + #Close multipart + content="$content${nl}--$delim--${nl}${nl}" + #Convert CRLF + content=$(printf %b "$content") + fi + + if [ "$type" = 'commit' ]; then + export _H1="Content-Type: application/x-www-form-urlencoded" + cmd=$(printf "%s" "<$_panos_user>" | _url_encode) + content="type=commit&key=$_panos_key&cmd=$cmd" + fi + response=$(_post "$content" "$panos_url" "" "POST") + parse_response "$response" "$type" + # Saving response to variables + response_status=$status + #DEBUG + _debug response_status "$response_status" + if [ "$response_status" = "success" ]; then + _debug "Successfully deployed $type" + return 0 + else + _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot." + _debug "$message" + return 1 + fi +} + +# This is the main function that will call the other functions to deploy everything. +panos_deploy() { + _cdomain="$1" + _ckey="$2" + _cfullchain="$5" + # PANOS ENV VAR check + if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then + _debug "No ENV variables found lets check for saved variables" + _getdeployconf PANOS_USER + _getdeployconf PANOS_PASS + _getdeployconf PANOS_HOST + _panos_user=$PANOS_USER + _panos_pass=$PANOS_PASS + _panos_host=$PANOS_HOST + if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then + _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs." + return 1 + else + _debug "Using saved env variables." + fi + else + _debug "Detected ENV variables to be saved to the deploy conf." + # Encrypt and save user + _savedeployconf PANOS_USER "$PANOS_USER" 1 + _savedeployconf PANOS_PASS "$PANOS_PASS" 1 + _savedeployconf PANOS_HOST "$PANOS_HOST" 1 + _panos_user="$PANOS_USER" + _panos_pass="$PANOS_PASS" + _panos_host="$PANOS_HOST" + fi + _debug "Let's use username and pass to generate token." + if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then + _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST" + return 1 + else + _debug "Getting PANOS KEY" + deployer keygen + if [ -z "$_panos_key" ]; then + _err "Missing apikey." + return 1 + else + deployer cert + deployer key + deployer commit + fi + fi +} diff --git a/acme.sh-master/deploy/peplink.sh b/acme.sh-master/deploy/peplink.sh new file mode 100644 index 0000000..c4bd624 --- /dev/null +++ b/acme.sh-master/deploy/peplink.sh @@ -0,0 +1,123 @@ +#!/usr/bin/env sh + +# Script to deploy cert to Peplink Routers +# +# The following environment variables must be set: +# +# PEPLINK_Hostname - Peplink hostname +# PEPLINK_Username - Peplink username to login +# PEPLINK_Password - Peplink password to login +# +# The following environmental variables may be set if you don't like their +# default values: +# +# PEPLINK_Certtype - Certificate type to target for replacement +# defaults to "webadmin", can be one of: +# * "chub" (ContentHub) +# * "openvpn" (OpenVPN CA) +# * "portal" (Captive Portal SSL) +# * "webadmin" (Web Admin SSL) +# * "webproxy" (Proxy Root CA) +# * "wwan_ca" (Wi-Fi WAN CA) +# * "wwan_client" (Wi-Fi WAN Client) +# PEPLINK_Scheme - defaults to "https" +# PEPLINK_Port - defaults to "443" +# +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +_peplink_get_cookie_data() { + grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';' +} + +#domain keyfile certfile cafile fullchain +peplink_deploy() { + + _cdomain="$1" + _ckey="$2" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _cfullchain "$_cfullchain" + _debug _ckey "$_ckey" + + # Get Hostname, Username and Password, but don't save until we successfully authenticate + _getdeployconf PEPLINK_Hostname + _getdeployconf PEPLINK_Username + _getdeployconf PEPLINK_Password + if [ -z "${PEPLINK_Hostname:-}" ] || [ -z "${PEPLINK_Username:-}" ] || [ -z "${PEPLINK_Password:-}" ]; then + _err "PEPLINK_Hostname & PEPLINK_Username & PEPLINK_Password must be set" + return 1 + fi + _debug2 PEPLINK_Hostname "$PEPLINK_Hostname" + _debug2 PEPLINK_Username "$PEPLINK_Username" + _secure_debug2 PEPLINK_Password "$PEPLINK_Password" + + # Optional certificate type, scheme, and port for Peplink + _getdeployconf PEPLINK_Certtype + _getdeployconf PEPLINK_Scheme + _getdeployconf PEPLINK_Port + + # Don't save the certificate type until we verify it exists and is supported + _savedeployconf PEPLINK_Scheme "$PEPLINK_Scheme" + _savedeployconf PEPLINK_Port "$PEPLINK_Port" + + # Default vaules for certificate type, scheme, and port + [ -n "${PEPLINK_Certtype}" ] || PEPLINK_Certtype="webadmin" + [ -n "${PEPLINK_Scheme}" ] || PEPLINK_Scheme="https" + [ -n "${PEPLINK_Port}" ] || PEPLINK_Port="443" + + _debug2 PEPLINK_Certtype "$PEPLINK_Certtype" + _debug2 PEPLINK_Scheme "$PEPLINK_Scheme" + _debug2 PEPLINK_Port "$PEPLINK_Port" + + _base_url="$PEPLINK_Scheme://$PEPLINK_Hostname:$PEPLINK_Port" + _debug _base_url "$_base_url" + + # Login, get the auth token from the cookie + _info "Logging into $PEPLINK_Hostname:$PEPLINK_Port" + encoded_username="$(printf "%s" "$PEPLINK_Username" | _url_encode)" + encoded_password="$(printf "%s" "$PEPLINK_Password" | _url_encode)" + response=$(_post "func=login&username=$encoded_username&password=$encoded_password" "$_base_url/cgi-bin/MANGA/api.cgi") + auth_token=$(_peplink_get_cookie_data "bauth" <"$HTTP_HEADER") + _debug3 response "$response" + _debug auth_token "$auth_token" + + if [ -z "$auth_token" ]; then + _err "Unable to authenticate to $PEPLINK_Hostname:$PEPLINK_Port using $PEPLINK_Scheme." + _err "Check your username and password." + return 1 + fi + + _H1="Cookie: $auth_token" + export _H1 + _debug2 H1 "${_H1}" + + # Now that we know the hostnameusername and password are good, save them + _savedeployconf PEPLINK_Hostname "$PEPLINK_Hostname" + _savedeployconf PEPLINK_Username "$PEPLINK_Username" + _savedeployconf PEPLINK_Password "$PEPLINK_Password" + + _info "Generate form POST request" + + encoded_key="$(_url_encode <"$_ckey")" + encoded_fullchain="$(_url_encode <"$_cfullchain")" + body="cert_type=$PEPLINK_Certtype&cert_uid=§ion=CERT_modify&key_pem=$encoded_key&key_pem_passphrase=&key_pem_passphrase_confirm=&cert_pem=$encoded_fullchain" + _debug3 body "$body" + + _info "Upload $PEPLINK_Certtype certificate to the Peplink" + + response=$(_post "$body" "$_base_url/cgi-bin/MANGA/admin.cgi") + _debug3 response "$response" + + if echo "$response" | grep 'Success' >/dev/null; then + # We've verified this certificate type is valid, so save it + _savedeployconf PEPLINK_Certtype "$PEPLINK_Certtype" + _info "Certificate was updated" + return 0 + else + _err "Unable to update certificate, error code $response" + return 1 + fi +} diff --git a/acme.sh-master/deploy/proxmoxve.sh b/acme.sh-master/deploy/proxmoxve.sh new file mode 100644 index 0000000..216a8fc --- /dev/null +++ b/acme.sh-master/deploy/proxmoxve.sh @@ -0,0 +1,132 @@ +#!/usr/bin/env sh + +# Deploy certificates to a proxmox virtual environment node using the API. +# +# Environment variables that can be set are: +# `DEPLOY_PROXMOXVE_SERVER`: The hostname of the proxmox ve node. Defaults to +# _cdomain. +# `DEPLOY_PROXMOXVE_SERVER_PORT`: The port number the management interface is on. +# Defaults to 8006. +# `DEPLOY_PROXMOXVE_NODE_NAME`: The name of the node we'll be connecting to. +# Defaults to the host portion of the server +# domain name. +# `DEPLOY_PROXMOXVE_USER`: The user we'll connect as. Defaults to root. +# `DEPLOY_PROXMOXVE_USER_REALM`: The authentication realm the user authenticates +# with. Defaults to pam. +# `DEPLOY_PROXMOXVE_API_TOKEN_NAME`: The name of the API token created for the +# user account. Defaults to acme. +# `DEPLOY_PROXMOXVE_API_TOKEN_KEY`: The API token. Required. + +proxmoxve_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug2 _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + # "Sane" defaults. + _getdeployconf DEPLOY_PROXMOXVE_SERVER + if [ -z "$DEPLOY_PROXMOXVE_SERVER" ]; then + _target_hostname="$_cdomain" + else + _target_hostname="$DEPLOY_PROXMOXVE_SERVER" + _savedeployconf DEPLOY_PROXMOXVE_SERVER "$DEPLOY_PROXMOXVE_SERVER" + fi + _debug2 DEPLOY_PROXMOXVE_SERVER "$_target_hostname" + + _getdeployconf DEPLOY_PROXMOXVE_SERVER_PORT + if [ -z "$DEPLOY_PROXMOXVE_SERVER_PORT" ]; then + _target_port="8006" + else + _target_port="$DEPLOY_PROXMOXVE_SERVER_PORT" + _savedeployconf DEPLOY_PROXMOXVE_SERVER_PORT "$DEPLOY_PROXMOXVE_SERVER_PORT" + fi + _debug2 DEPLOY_PROXMOXVE_SERVER_PORT "$_target_port" + + _getdeployconf DEPLOY_PROXMOXVE_NODE_NAME + if [ -z "$DEPLOY_PROXMOXVE_NODE_NAME" ]; then + _node_name=$(echo "$_target_hostname" | cut -d. -f1) + else + _node_name="$DEPLOY_PROXMOXVE_NODE_NAME" + _savedeployconf DEPLOY_PROXMOXVE_NODE_NAME "$DEPLOY_PROXMOXVE_NODE_NAME" + fi + _debug2 DEPLOY_PROXMOXVE_NODE_NAME "$_node_name" + + # Complete URL. + _target_url="https://${_target_hostname}:${_target_port}/api2/json/nodes/${_node_name}/certificates/custom" + _debug TARGET_URL "$_target_url" + + # More "sane" defaults. + _getdeployconf DEPLOY_PROXMOXVE_USER + if [ -z "$DEPLOY_PROXMOXVE_USER" ]; then + _proxmoxve_user="root" + else + _proxmoxve_user="$DEPLOY_PROXMOXVE_USER" + _savedeployconf DEPLOY_PROXMOXVE_USER "$DEPLOY_PROXMOXVE_USER" + fi + _debug2 DEPLOY_PROXMOXVE_USER "$_proxmoxve_user" + + _getdeployconf DEPLOY_PROXMOXVE_USER_REALM + if [ -z "$DEPLOY_PROXMOXVE_USER_REALM" ]; then + _proxmoxve_user_realm="pam" + else + _proxmoxve_user_realm="$DEPLOY_PROXMOXVE_USER_REALM" + _savedeployconf DEPLOY_PROXMOXVE_USER_REALM "$DEPLOY_PROXMOXVE_USER_REALM" + fi + _debug2 DEPLOY_PROXMOXVE_USER_REALM "$_proxmoxve_user_realm" + + _getdeployconf DEPLOY_PROXMOXVE_API_TOKEN_NAME + if [ -z "$DEPLOY_PROXMOXVE_API_TOKEN_NAME" ]; then + _proxmoxve_api_token_name="acme" + else + _proxmoxve_api_token_name="$DEPLOY_PROXMOXVE_API_TOKEN_NAME" + _savedeployconf DEPLOY_PROXMOXVE_API_TOKEN_NAME "$DEPLOY_PROXMOXVE_API_TOKEN_NAME" + fi + _debug2 DEPLOY_PROXMOXVE_API_TOKEN_NAME "$_proxmoxve_api_token_name" + + # This is required. + _getdeployconf DEPLOY_PROXMOXVE_API_TOKEN_KEY + if [ -z "$DEPLOY_PROXMOXVE_API_TOKEN_KEY" ]; then + _err "API key not provided." + return 1 + else + _proxmoxve_api_token_key="$DEPLOY_PROXMOXVE_API_TOKEN_KEY" + _savedeployconf DEPLOY_PROXMOXVE_API_TOKEN_KEY "$DEPLOY_PROXMOXVE_API_TOKEN_KEY" + fi + _debug2 DEPLOY_PROXMOXVE_API_TOKEN_KEY _proxmoxve_api_token_key + + # PVE API Token header value. Used in "Authorization: PVEAPIToken". + _proxmoxve_header_api_token="${_proxmoxve_user}@${_proxmoxve_user_realm}!${_proxmoxve_api_token_name}=${_proxmoxve_api_token_key}" + _debug2 "Auth Header" _proxmoxve_header_api_token + + # Ugly. I hate putting heredocs inside functions because heredocs don't + # account for whitespace correctly but it _does_ work and is several times + # cleaner than anything else I had here. + # + # This dumps the json payload to a variable that should be passable to the + # _psot function. + _json_payload=$( + cat < 6.41.3, but it is not guaranteed that it will be +# true for future versions when upgrading. +# +# If the router have other certificates with the same name as the one +# beeing deployed, then this script will remove those certificates. +# +# At the end of the script, the services that use those certificates +# could be updated. Currently only the www-ssl service is beeing +# updated, but more services could be added. +# +# For instance: +# ```sh +# export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0" +# ``` +# +# One optional thing to do as well is to create a script that updates +# all the required services and run that script in a single command. +# +# To adopt parameters to `scp` and/or `ssh` set the optional +# `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly, +# see ssh(1) and scp(1) for parameters to those commands. +# +# Example: +# ```ssh +# export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts" +# export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts" +# ```` +# +# returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +routeros_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + _err_code=0 + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _getdeployconf ROUTER_OS_HOST + + if [ -z "$ROUTER_OS_HOST" ]; then + _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct." + ROUTER_OS_HOST="$_cdomain" + fi + + _getdeployconf ROUTER_OS_USERNAME + + if [ -z "$ROUTER_OS_USERNAME" ]; then + _err "Need to set the env variable ROUTER_OS_USERNAME" + return 1 + fi + + _getdeployconf ROUTER_OS_PORT + + if [ -z "$ROUTER_OS_PORT" ]; then + _debug "Using default port 22 as ROUTER_OS_PORT, please set if not correct." + ROUTER_OS_PORT=22 + fi + + _getdeployconf ROUTER_OS_SSH_CMD + + if [ -z "$ROUTER_OS_SSH_CMD" ]; then + _debug "Use default ssh setup." + ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT" + fi + + _getdeployconf ROUTER_OS_SCP_CMD + + if [ -z "$ROUTER_OS_SCP_CMD" ]; then + _debug "USe default scp setup." + ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT" + fi + + _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES + + if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then + _debug "Not enabling additional services" + ROUTER_OS_ADDITIONAL_SERVICES="" + fi + + _savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST" + _savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME" + _savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT" + _savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD" + _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD" + _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES" + + # push key to routeros + if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then + return $_err_code + fi + + # push certificate chain to routeros + if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then + return $_err_code + fi + + DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \ +comment=\"generated by routeros deploy script in acme.sh\" \ +source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\ +\n/certificate remove [ find name=$_cdomain.cer_1 ];\ +\n/certificate remove [ find name=$_cdomain.cer_2 ];\ +\ndelay 1;\ +\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\ +\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\ +\ndelay 1;\ +\n/file remove $_cdomain.cer;\ +\n/file remove $_cdomain.key;\ +\ndelay 2;\ +\n/ip service set www-ssl certificate=$_cdomain.cer_0;\ +\n$ROUTER_OS_ADDITIONAL_SERVICES;\ +\n\" +" + + if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then + return $_err_code + fi + + if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then + return $_err_code + fi + + if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then + return $_err_code + fi + + return 0 +} + +# inspired by deploy/ssh.sh +_ssh_remote_cmd() { + _cmd="$1" + _secure_debug "Remote commands to execute: $_cmd" + _info "Submitting sequence of commands to routeros" + # quotations in bash cmd below intended. Squash travis spellcheck error + # shellcheck disable=SC2029 + $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from routeros" + fi + + return $_err_code +} + +_scp_certificate() { + _src="$1" + _dst="$2" + _secure_debug "scp '$_src' to '$_dst'" + _info "Push key '$_src' to routeros" + + $ROUTER_OS_SCP_CMD "$_src" "$_dst" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from scp" + fi + + return $_err_code +} diff --git a/acme.sh-master/deploy/ssh.sh b/acme.sh-master/deploy/ssh.sh new file mode 100644 index 0000000..c66e2e1 --- /dev/null +++ b/acme.sh-master/deploy/ssh.sh @@ -0,0 +1,462 @@ +#!/usr/bin/env sh + +# Script to deploy certificates to remote server by SSH +# Note that SSH must be able to login to remote host without a password... +# SSH Keys must have been exchanged with the remote host. Validate and +# test that you can login to USER@SERVER from the host running acme.sh before +# using this script. +# +# The following variables exported from environment will be used. +# If not set then values previously saved in domain.conf file are used. +# +# Only a username is required. All others are optional. +# +# The following examples are for QNAP NAS running QTS 4.2 +# export DEPLOY_SSH_CMD="" # defaults to "ssh -T" +# export DEPLOY_SSH_USER="admin" # required +# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022" # defaults to domain name, support multiple servers with optional port +# export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" +# export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" +# export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" +# export DEPLOY_SSH_FULLCHAIN="" +# export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart" +# export DEPLOY_SSH_BACKUP="" # yes or no, default to yes or previously saved value +# export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" # path on remote system. Defaults to .acme_ssh_deploy +# export DEPLOY_SSH_MULTI_CALL="" # yes or no, default to no or previously saved value +# export DEPLOY_SSH_USE_SCP="" yes or no, default to no +# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q" +# +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +ssh_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + _deploy_ssh_servers="" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + # USER is required to login by SSH to remote host. + _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER + _getdeployconf DEPLOY_SSH_USER + _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER" + if [ -z "$DEPLOY_SSH_USER" ]; then + _err "DEPLOY_SSH_USER not defined." + return 1 + fi + _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER" + + # SERVER is optional. If not provided then use _cdomain + _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER + _getdeployconf DEPLOY_SSH_SERVER + _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" + if [ -z "$DEPLOY_SSH_SERVER" ]; then + DEPLOY_SSH_SERVER="$_cdomain" + fi + _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER" + + # CMD is optional. If not provided then use ssh + _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD + _getdeployconf DEPLOY_SSH_CMD + _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" + if [ -z "$DEPLOY_SSH_CMD" ]; then + DEPLOY_SSH_CMD="ssh -T" + fi + _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD" + + # BACKUP is optional. If not provided then default to previously saved value or yes. + _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP + _getdeployconf DEPLOY_SSH_BACKUP + _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" + if [ -z "$DEPLOY_SSH_BACKUP" ]; then + DEPLOY_SSH_BACKUP="yes" + fi + _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP" + + # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy + _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH + _getdeployconf DEPLOY_SSH_BACKUP_PATH + _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" + if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then + DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy" + fi + _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH" + + # MULTI_CALL is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL + _getdeployconf DEPLOY_SSH_MULTI_CALL + _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" + if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then + DEPLOY_SSH_MULTI_CALL="no" + fi + _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL" + + # KEYFILE is optional. + # If provided then private key will be copied to provided filename. + _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE + _getdeployconf DEPLOY_SSH_KEYFILE + _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + if [ -n "$DEPLOY_SSH_KEYFILE" ]; then + _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE" + fi + + # CERTFILE is optional. + # If provided then certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE + _getdeployconf DEPLOY_SSH_CERTFILE + _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + if [ -n "$DEPLOY_SSH_CERTFILE" ]; then + _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE" + fi + + # CAFILE is optional. + # If provided then CA intermediate certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE + _getdeployconf DEPLOY_SSH_CAFILE + _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + if [ -n "$DEPLOY_SSH_CAFILE" ]; then + _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE" + fi + + # FULLCHAIN is optional. + # If provided then fullchain certificate will be copied or appended to provided filename. + _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN + _getdeployconf DEPLOY_SSH_FULLCHAIN + _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then + _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN" + fi + + # REMOTE_CMD is optional. + # If provided then this command will be executed on remote host. + _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD + _getdeployconf DEPLOY_SSH_REMOTE_CMD + _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" + if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then + _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD" + fi + + # USE_SCP is optional. If not provided then default to previously saved + # value (which may be undefined... equivalent to "no"). + _getdeployconf DEPLOY_SSH_USE_SCP + _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" + if [ -z "$DEPLOY_SSH_USE_SCP" ]; then + DEPLOY_SSH_USE_SCP="no" + fi + _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP" + + # SCP_CMD is optional. If not provided then use scp + _getdeployconf DEPLOY_SSH_SCP_CMD + _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then + DEPLOY_SSH_SCP_CMD="scp -q" + fi + _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD" + + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + DEPLOY_SSH_MULTI_CALL="yes" + _info "Using scp as alternate method for copying files. Multicall Mode is implicit" + elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host" + else + _info "Required commands batched and sent in single call to remote host" + fi + + _deploy_ssh_servers="$DEPLOY_SSH_SERVER" + for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do + _ssh_deploy + done +} + +_ssh_deploy() { + _err_code=0 + _cmdstr="" + _backupprefix="" + _backupdir="" + _local_cert_file="" + _local_ca_file="" + _local_full_file="" + + case $DEPLOY_SSH_SERVER in + *:*) + _host=${DEPLOY_SSH_SERVER%:*} + _port=${DEPLOY_SSH_SERVER##*:} + ;; + *) + _host=$DEPLOY_SSH_SERVER + _port= + ;; + esac + + _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port" + + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup" + _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')" + # run cleanup on the backup directory, erase all older + # than 180 days (15552000 seconds). + _cmdstr="{ now=\"\$(date -u +%s)\"; for fn in $_backupprefix*; \ +do if [ -d \"\$fn\" ] && [ \"\$(expr \$now - \$(date -ur \$fn +%s) )\" -ge \"15552000\" ]; \ +then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; done; }; $_cmdstr" + # Alternate version of above... _cmdstr="find $_backupprefix* -type d -mtime +180 2>/dev/null | xargs rm -rf; $_cmdstr" + # Create our backup directory for overwritten cert files. + _cmdstr="mkdir -p $_backupdir; $_cmdstr" + _info "Backup of old certificate files will be placed in remote directory $_backupdir" + _info "Backup directories erased after 180 days." + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + + if [ -n "$DEPLOY_SSH_KEYFILE" ]; then + if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + # backup file we are about to overwrite. + _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + + # copy new key into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then + return $_err_code + fi + else + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;" + _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + fi + + if [ -n "$DEPLOY_SSH_CERTFILE" ]; then + _pipe=">" + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + # if filename is same as previous file then append. + _pipe=">>" + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + # backup file we are about to overwrite. + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_cert_file=$(_mktemp) + if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >>"$_local_cert_file" + fi + cat "$_ccert" >>"$_local_cert_file" + if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then + return $_err_code + fi + else + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;" + _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + fi + + if [ -n "$DEPLOY_SSH_CAFILE" ]; then + _pipe=">" + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then + # if filename is same as previous file then append. + _pipe=">>" + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + # backup file we are about to overwrite. + _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_ca_file=$(_mktemp) + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >>"$_local_ca_file" + fi + if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >>"$_local_ca_file" + fi + cat "$_cca" >>"$_local_ca_file" + if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then + return $_err_code + fi + else + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;" + _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + fi + + if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then + _pipe=">" + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] || + [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then + # if filename is same as previous file then append. + _pipe=">>" + elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then + # backup file we are about to overwrite. + _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;" + if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + + # copy new certificate into file. + if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then + # scp the file + _local_full_file=$(_mktemp) + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then + cat "$_ckey" >>"$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then + cat "$_ccert" >>"$_local_full_file" + fi + if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then + cat "$_cca" >>"$_local_full_file" + fi + cat "$_cfullchain" >>"$_local_full_file" + if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then + return $_err_code + fi + else + # ssh echo to the file + _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;" + _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + fi + + # cleanup local files if any + if [ -f "$_local_cert_file" ]; then + rm -f "$_local_cert_file" + fi + if [ -f "$_local_ca_file" ]; then + rm -f "$_local_ca_file" + fi + if [ -f "$_local_full_file" ]; then + rm -f "$_local_full_file" + fi + + if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then + _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;" + _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD" + if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + _cmdstr="" + fi + fi + + # if commands not all sent in multiple calls then all commands sent in a single SSH call now... + if [ -n "$_cmdstr" ]; then + if ! _ssh_remote_cmd "$_cmdstr"; then + return $_err_code + fi + fi + # cleanup in case all is ok + return 0 +} + +#cmd +_ssh_remote_cmd() { + _cmd="$1" + + _ssh_cmd="$DEPLOY_SSH_CMD" + if [ -n "$_port" ]; then + _ssh_cmd="$_ssh_cmd -p $_port" + fi + + _secure_debug "Remote commands to execute: $_cmd" + _info "Submitting sequence of commands to remote server by $_ssh_cmd" + + # quotations in bash cmd below intended. Squash travis spellcheck error + # shellcheck disable=SC2029 + $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from ssh" + fi + + return $_err_code +} + +# cmd scp +_scp_remote_cmd() { + _src=$1 + _dest=$2 + + _scp_cmd="$DEPLOY_SSH_SCP_CMD" + if [ -n "$_port" ]; then + _scp_cmd="$_scp_cmd -P $_port" + fi + + _secure_debug "Remote copy source $_src to destination $_dest" + _info "Submitting secure copy by $_scp_cmd" + + $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest" + _err_code="$?" + + if [ "$_err_code" != "0" ]; then + _err "Error code $_err_code returned from scp" + fi + + return $_err_code +} diff --git a/acme.sh-master/deploy/strongswan.sh b/acme.sh-master/deploy/strongswan.sh new file mode 100644 index 0000000..3d5f1b3 --- /dev/null +++ b/acme.sh-master/deploy/strongswan.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env sh + +#Here is a sample custom api script. +#This file name is "myapi.sh" +#So, here must be a method myapi_deploy() +#Which will be called by acme.sh to deploy the cert +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +strongswan_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _info "Using strongswan" + + if [ -x /usr/sbin/ipsec ]; then + _ipsec=/usr/sbin/ipsec + elif [ -x /usr/sbin/strongswan ]; then + _ipsec=/usr/sbin/strongswan + elif [ -x /usr/local/sbin/ipsec ]; then + _ipsec=/usr/local/sbin/ipsec + else + _err "no strongswan or ipsec command is detected" + return 1 + fi + + _info _ipsec "$_ipsec" + + _confdir=$($_ipsec --confdir) + if [ $? -ne 0 ] || [ -z "$_confdir" ]; then + _err "no strongswan --confdir is detected" + return 1 + fi + + _info _confdir "$_confdir" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + cat "$_ckey" >"${_confdir}/ipsec.d/private/$(basename "$_ckey")" + cat "$_ccert" >"${_confdir}/ipsec.d/certs/$(basename "$_ccert")" + cat "$_cca" >"${_confdir}/ipsec.d/cacerts/$(basename "$_cca")" + cat "$_cfullchain" >"${_confdir}/ipsec.d/cacerts/$(basename "$_cfullchain")" + + $_ipsec reload + +} diff --git a/acme.sh-master/deploy/synology_dsm.sh b/acme.sh-master/deploy/synology_dsm.sh new file mode 100644 index 0000000..c31a5df --- /dev/null +++ b/acme.sh-master/deploy/synology_dsm.sh @@ -0,0 +1,183 @@ +#!/usr/bin/env sh + +# Here is a script to deploy cert to Synology DSM +# +# It requires following environment variables: +# +# SYNO_Username - Synology Username to login (must be an administrator) +# SYNO_Password - Synology Password to login +# SYNO_Certificate - Certificate description to target for replacement +# +# The following environmental variables may be set if you don't like their +# default values: +# +# SYNO_Scheme - defaults to http +# SYNO_Hostname - defaults to localhost +# SYNO_Port - defaults to 5000 +# SYNO_DID - device ID to skip OTP - defaults to empty +# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty +# +# Dependencies: +# ------------- +# - jq and curl +# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set) +# +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +synology_dsm_deploy() { + + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + + _debug _cdomain "$_cdomain" + + # Get Username and Password, but don't save until we successfully authenticate + _getdeployconf SYNO_Username + _getdeployconf SYNO_Password + _getdeployconf SYNO_Create + _getdeployconf SYNO_DID + _getdeployconf SYNO_TOTP_SECRET + if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then + _err "SYNO_Username & SYNO_Password must be set" + return 1 + fi + _debug2 SYNO_Username "$SYNO_Username" + _secure_debug2 SYNO_Password "$SYNO_Password" + + # Optional scheme, hostname, and port for Synology DSM + _getdeployconf SYNO_Scheme + _getdeployconf SYNO_Hostname + _getdeployconf SYNO_Port + + # default vaules for scheme, hostname, and port + # defaulting to localhost and http because it's localhost... + [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http" + [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost" + [ -n "${SYNO_Port}" ] || SYNO_Port="5000" + + _savedeployconf SYNO_Scheme "$SYNO_Scheme" + _savedeployconf SYNO_Hostname "$SYNO_Hostname" + _savedeployconf SYNO_Port "$SYNO_Port" + + _debug2 SYNO_Scheme "$SYNO_Scheme" + _debug2 SYNO_Hostname "$SYNO_Hostname" + _debug2 SYNO_Port "$SYNO_Port" + + # Get the certificate description, but don't save it until we verfiy it's real + _getdeployconf SYNO_Certificate + _debug SYNO_Certificate "${SYNO_Certificate:-}" + + # shellcheck disable=SC1003 # We are not trying to escape a single quote + if printf "%s" "$SYNO_Certificate" | grep '\\'; then + _err "Do not use a backslash (\) in your certificate description" + return 1 + fi + + _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" + _debug _base_url "$_base_url" + + _debug "Getting API version" + response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth") + api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p') + _debug3 response "$response" + _debug3 api_version "$api_version" + + # Login, get the token from JSON and session id from cookie + _info "Logging into $SYNO_Hostname:$SYNO_Port" + encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)" + encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)" + + otp_code="" + if [ -n "$SYNO_TOTP_SECRET" ]; then + if _exists oathtool; then + otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)" + else + _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET" + return 1 + fi + fi + + if [ -n "$SYNO_DID" ]; then + _H1="Cookie: did=$SYNO_DID" + export _H1 + _debug3 H1 "${_H1}" + fi + + response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes") + token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p') + _debug3 response "$response" + _debug token "$token" + + if [ -z "$token" ]; then + _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme." + _err "Check your username and password." + _err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET." + return 1 + fi + sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p') + + _H1="X-SYNO-TOKEN: $token" + export _H1 + _debug2 H1 "${_H1}" + + # Now that we know the username and password are good, save them + _savedeployconf SYNO_Username "$SYNO_Username" + _savedeployconf SYNO_Password "$SYNO_Password" + _savedeployconf SYNO_DID "$SYNO_DID" + _savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET" + + _info "Getting certificates in Synology DSM" + response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi") + _debug3 response "$response" + escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')" + _debug escaped_certificate "$escaped_certificate" + id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p") + _debug2 id "$id" + + if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then + _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set" + return 1 + fi + + # we've verified this certificate description is a thing, so save it + _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64" + + _info "Generate form POST request" + nl="\0015\0012" + delim="--------------------------$(_utc_date | tr -d -- '-: ')" + content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}" + if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then + _debug2 default "this is the default certificate" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true" + else + _debug2 default "this is NOT the default certificate" + fi + content="$content${nl}--$delim--${nl}" + content="$(printf "%b_" "$content")" + content="${content%_}" # protect trailing \n + + _info "Upload certificate to the Synology DSM" + response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}") + _debug3 response "$response" + + if ! echo "$response" | grep '"error":' >/dev/null; then + if echo "$response" | grep '"restart_httpd":true' >/dev/null; then + _info "http services were restarted" + else + _info "http services were NOT restarted" + fi + return 0 + else + _err "Unable to update certificate, error code $response" + return 1 + fi +} diff --git a/acme.sh-master/deploy/truenas.sh b/acme.sh-master/deploy/truenas.sh new file mode 100644 index 0000000..c79e6da --- /dev/null +++ b/acme.sh-master/deploy/truenas.sh @@ -0,0 +1,223 @@ +#!/usr/bin/env sh + +# Here is a scipt to deploy the cert to your TrueNAS using the REST API. +# https://www.truenas.com/docs/hub/additional-topics/api/rest_api.html +# +# Written by Frank Plass github@f-plass.de +# https://github.com/danb35/deploy-freenas/blob/master/deploy_freenas.py +# Thanks to danb35 for your template! +# +# Following environment variables must be set: +# +# export DEPLOY_TRUENAS_APIKEY="HTTPS redirection is enabled" + _info "Setting DEPLOY_TRUENAS_SCHEME to 'https'" + DEPLOY_TRUENAS_SCHEME="https" + _api_url="$DEPLOY_TRUENAS_SCHEME://$DEPLOY_TRUENAS_HOSTNAME/api/v2.0" + _savedeployconf DEPLOY_TRUENAS_SCHEME "$DEPLOY_TRUENAS_SCHEME" + fi + + _info "Uploading new certificate to TrueNAS" + _certname="Letsencrypt_$(_utc_date | tr ' ' '_' | tr -d -- ':')" + _debug3 _certname "$_certname" + + _certData="{\"create_type\": \"CERTIFICATE_CREATE_IMPORTED\", \"name\": \"${_certname}\", \"certificate\": \"$(_json_encode <"$_cfullchain")\", \"privatekey\": \"$(_json_encode <"$_ckey")\"}" + _add_cert_result="$(_post "$_certData" "$_api_url/certificate" "" "POST" "application/json")" + + _debug3 _add_cert_result "$_add_cert_result" + + _info "Fetching list of installed certificates" + _cert_list=$(_get "$_api_url/system/general/ui_certificate_choices") + _cert_id=$(echo "$_cert_list" | grep "$_certname" | sed -n 's/.*"\([0-9]\{1,\}\)".*$/\1/p') + + _debug3 _cert_id "$_cert_id" + + _info "Current activate certificate ID: $_cert_id" + _activateData="{\"ui_certificate\": \"${_cert_id}\"}" + _activate_result="$(_post "$_activateData" "$_api_url/system/general" "" "PUT" "application/json")" + + _debug3 _activate_result "$_activate_result" + + _info "Checking if WebDAV certificate is the same as the TrueNAS web UI" + _webdav_list=$(_get "$_api_url/webdav") + _webdav_cert_id=$(echo "$_webdav_list" | grep '"certssl":' | tr -d -- '"certsl: ,') + + if [ "$_webdav_cert_id" = "$_active_cert_id" ]; then + _info "Updating the WebDAV certificate" + _debug _webdav_cert_id "$_webdav_cert_id" + _webdav_data="{\"certssl\": \"${_cert_id}\"}" + _activate_webdav_cert="$(_post "$_webdav_data" "$_api_url/webdav" "" "PUT" "application/json")" + _webdav_new_cert_id=$(echo "$_activate_webdav_cert" | _json_decode | grep '"certssl":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p') + if [ "$_webdav_new_cert_id" -eq "$_cert_id" ]; then + _info "WebDAV certificate updated successfully" + else + _err "Unable to set WebDAV certificate" + _debug3 _activate_webdav_cert "$_activate_webdav_cert" + _debug3 _webdav_new_cert_id "$_webdav_new_cert_id" + return 1 + fi + _debug3 _webdav_new_cert_id "$_webdav_new_cert_id" + else + _info "WebDAV certificate is not configured or is not the same as TrueNAS web UI" + fi + + _info "Checking if FTP certificate is the same as the TrueNAS web UI" + _ftp_list=$(_get "$_api_url/ftp") + _ftp_cert_id=$(echo "$_ftp_list" | grep '"ssltls_certificate":' | tr -d -- '"certislfa:_ ,') + + if [ "$_ftp_cert_id" = "$_active_cert_id" ]; then + _info "Updating the FTP certificate" + _debug _ftp_cert_id "$_ftp_cert_id" + _ftp_data="{\"ssltls_certificate\": \"${_cert_id}\"}" + _activate_ftp_cert="$(_post "$_ftp_data" "$_api_url/ftp" "" "PUT" "application/json")" + _ftp_new_cert_id=$(echo "$_activate_ftp_cert" | _json_decode | grep '"ssltls_certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p') + if [ "$_ftp_new_cert_id" -eq "$_cert_id" ]; then + _info "FTP certificate updated successfully" + else + _err "Unable to set FTP certificate" + _debug3 _activate_ftp_cert "$_activate_ftp_cert" + _debug3 _ftp_new_cert_id "$_ftp_new_cert_id" + return 1 + fi + _debug3 _activate_ftp_cert "$_activate_ftp_cert" + else + _info "FTP certificate is not configured or is not the same as TrueNAS web UI" + fi + + _info "Checking if S3 certificate is the same as the TrueNAS web UI" + _s3_list=$(_get "$_api_url/s3") + _s3_cert_id=$(echo "$_s3_list" | grep '"certificate":' | tr -d -- '"certifa:_ ,') + + if [ "$_s3_cert_id" = "$_active_cert_id" ]; then + _info "Updating the S3 certificate" + _debug _s3_cert_id "$_s3_cert_id" + _s3_data="{\"certificate\": \"${_cert_id}\"}" + _activate_s3_cert="$(_post "$_s3_data" "$_api_url/s3" "" "PUT" "application/json")" + _s3_new_cert_id=$(echo "$_activate_s3_cert" | _json_decode | grep '"certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p') + if [ "$_s3_new_cert_id" -eq "$_cert_id" ]; then + _info "S3 certificate updated successfully" + else + _err "Unable to set S3 certificate" + _debug3 _activate_s3_cert "$_activate_s3_cert" + _debug3 _s3_new_cert_id "$_s3_new_cert_id" + return 1 + fi + _debug3 _activate_s3_cert "$_activate_s3_cert" + else + _info "S3 certificate is not configured or is not the same as TrueNAS web UI" + fi + + _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required" + if _exists jq; then + _info "Query all chart release" + _release_list=$(_get "$_api_url/chart/release") + _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique") + _release_length=$(printf "%s" "$_related_name_list" | jq -r "length") + _info "Found $_release_length related chart release in list: $_related_name_list" + for i in $(seq 0 $((_release_length - 1))); do + _release_name=$(echo "$_related_name_list" | jq -r ".[$i]") + _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name" + #Read the chart release configuration + _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")") + #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress + _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert ) |= $_cert_id | .config.ingress ") + _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")" + _debug3 _update_chart_result "$_update_chart_result" + done + else + _info "Tool 'jq' does not exists, skip chart release checking" + fi + + _info "Deleting old certificate" + _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")" + + _debug3 _delete_result "$_delete_result" + + _info "Reloading TrueNAS web UI" + _restart_UI=$(_get "$_api_url/system/general/ui_restart") + _debug2 _restart_UI "$_restart_UI" + + if [ -n "$_add_cert_result" ] && [ -n "$_activate_result" ]; then + return 0 + else + _err "Certificate update was not succesful, please try again with --debug" + return 1 + fi +} diff --git a/acme.sh-master/deploy/unifi.sh b/acme.sh-master/deploy/unifi.sh new file mode 100644 index 0000000..a864135 --- /dev/null +++ b/acme.sh-master/deploy/unifi.sh @@ -0,0 +1,214 @@ +#!/usr/bin/env sh + +# Here is a script to deploy cert on a Unifi Controller or Cloud Key device. +# It supports: +# - self-hosted Unifi Controller +# - Unifi Cloud Key (Gen1/2/2+) +# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only) +# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359 + +#returns 0 means success, otherwise error. + +# The deploy-hook automatically detects standard Unifi installations +# for each of the supported environments. Most users should not need +# to set any of these variables, but if you are running a self-hosted +# Controller with custom locations, set these as necessary before running +# the deploy hook. (Defaults shown below.) +# +# Settings for Unifi Controller: +# Location of Java keystore or unifi.keystore.jks file: +#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore" +# Keystore password (built into Unifi Controller, not a user-set password): +#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise" +# Command to restart Unifi Controller: +#DEPLOY_UNIFI_RELOAD="service unifi restart" +# +# Settings for Unifi Cloud Key Gen1 (nginx admin pages): +# Directory where cloudkey.crt and cloudkey.key live: +#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private" +# Command to restart maintenance pages and Controller +# (same setting as above, default is updated when running on Cloud Key Gen1): +#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart" +# +# Settings for UnifiOS (Cloud Key Gen2): +# Directory where unifi-core.crt and unifi-core.key live: +#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/" +# Command to restart unifi-core: +#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core" +# +# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR, +# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +unifi_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _getdeployconf DEPLOY_UNIFI_KEYSTORE + _getdeployconf DEPLOY_UNIFI_KEYPASS + _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR + _getdeployconf DEPLOY_UNIFI_CORE_CONFIG + _getdeployconf DEPLOY_UNIFI_RELOAD + + _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE" + _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS" + _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" + _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG" + _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD" + + # Space-separated list of environments detected and installed: + _services_updated="" + + # Default reload commands accumulated as we auto-detect environments: + _reload_cmd="" + + # Unifi Controller environment (self hosted or any Cloud Key) -- + # auto-detect by file /usr/lib/unifi/data/keystore: + _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}" + if [ -f "$_unifi_keystore" ]; then + _info "Installing certificate for Unifi Controller (Java keystore)" + _debug _unifi_keystore "$_unifi_keystore" + if ! _exists keytool; then + _err "keytool not found" + return 1 + fi + if [ ! -w "$_unifi_keystore" ]; then + _err "The file $_unifi_keystore is not writable, please change the permission." + return 1 + fi + + _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}" + + _debug "Generate import pkcs12" + _import_pkcs12="$(_mktemp)" + _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root + # shellcheck disable=SC2181 + if [ "$?" != "0" ]; then + _err "Error generating pkcs12. Please re-run with --debug and report a bug." + return 1 + fi + + _debug "Import into keystore: $_unifi_keystore" + if keytool -importkeystore \ + -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \ + -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \ + -alias unifi -noprompt; then + _debug "Import keystore success!" + rm "$_import_pkcs12" + else + _err "Error importing into Unifi Java keystore." + _err "Please re-run with --debug and report a bug." + rm "$_import_pkcs12" + return 1 + fi + + if systemctl -q is-active unifi; then + _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart" + fi + _services_updated="${_services_updated} unifi" + _info "Install Unifi Controller certificate success!" + elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then + _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check." + return 1 + fi + + # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) -- + # auto-detect by file /etc/ssl/private/cloudkey.key: + _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}" + if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then + _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)" + _debug _cloudkey_certdir "$_cloudkey_certdir" + if [ ! -w "$_cloudkey_certdir" ]; then + _err "The directory $_cloudkey_certdir is not writable; please check permissions." + return 1 + fi + # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks. + # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was + # updated above), but if not, we don't know how to handle this installation: + if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then + _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'" + return 1 + fi + + cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt" + cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key" + (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks) + + if systemctl -q is-active nginx; then + _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart" + fi + _info "Install Cloud Key Gen1 certificate success!" + _services_updated="${_services_updated} nginx" + elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then + _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check." + return 1 + fi + + # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key: + _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}" + if [ -f "${_unifi_core_config}/unifi-core.key" ]; then + _info "Installing certificate for UnifiOS" + _debug _unifi_core_config "$_unifi_core_config" + if [ ! -w "$_unifi_core_config" ]; then + _err "The directory $_unifi_core_config is not writable; please check permissions." + return 1 + fi + + cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt" + cat "$_ckey" >"${_unifi_core_config}/unifi-core.key" + + if systemctl -q is-active unifi-core; then + _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core" + fi + _info "Install UnifiOS certificate success!" + _services_updated="${_services_updated} unifi-core" + elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then + _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check." + return 1 + fi + + if [ -z "$_services_updated" ]; then + # None of the Unifi environments were auto-detected, so no deployment has occurred + # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set). + _err "Unable to detect Unifi environment in standard location." + _err "(This deploy hook must be run on the Unifi device, not a remote machine.)" + _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE," + _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate." + return 1 + fi + + _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}" + if [ -z "$_reload_cmd" ]; then + _err "Certificates were installed for services:${_services_updated}," + _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD" + _err "to a command that will restart the necessary services." + return 1 + fi + _info "Reload services (this may take some time): $_reload_cmd" + if eval "$_reload_cmd"; then + _info "Reload success!" + else + _err "Reload error" + return 1 + fi + + # Successful, so save all (non-default) config: + _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE" + _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS" + _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" + _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG" + _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD" + + return 0 +} diff --git a/acme.sh-master/deploy/vault.sh b/acme.sh-master/deploy/vault.sh new file mode 100644 index 0000000..569faba --- /dev/null +++ b/acme.sh-master/deploy/vault.sh @@ -0,0 +1,131 @@ +#!/usr/bin/env sh + +# Here is a script to deploy cert to hashicorp vault using curl +# (https://www.vaultproject.io/) +# +# it requires following environment variables: +# +# VAULT_PREFIX - this contains the prefix path in vault +# VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying +# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine +# +# additionally, you need to ensure that VAULT_TOKEN is avialable +# to access the vault server + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +vault_deploy() { + + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + # validate required env vars + _getdeployconf VAULT_PREFIX + if [ -z "$VAULT_PREFIX" ]; then + _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)" + return 1 + fi + _savedeployconf VAULT_PREFIX "$VAULT_PREFIX" + + _getdeployconf VAULT_ADDR + if [ -z "$VAULT_ADDR" ]; then + _err "VAULT_ADDR needs to be defined (contains vault connection address)" + return 1 + fi + _savedeployconf VAULT_ADDR "$VAULT_ADDR" + + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_KV_V2 + _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi + + _migratedeployconf FABIO VAULT_FABIO_MODE + + # JSON does not allow multiline strings. + # So replacing new-lines with "\n" here + _ckey=$(sed -z 's/\n/\\n/g' <"$2") + _ccert=$(sed -z 's/\n/\\n/g' <"$3") + _cca=$(sed -z 's/\n/\\n/g' <"$4") + _cfullchain=$(sed -z 's/\n/\\n/g' <"$5") + + export _H1="X-Vault-Token: $VAULT_TOKEN" + + if [ -n "$VAULT_RENEW_TOKEN" ]; then + URL="$VAULT_ADDR/v1/auth/token/renew-self" + _info "Renew the Vault token to default TTL" + if ! _post "" "$URL" >/dev/null; then + _err "Failed to renew the Vault token" + return 1 + fi + fi + + URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" + + if [ -n "$VAULT_FABIO_MODE" ]; then + _info "Writing certificate and key to $URL in Fabio mode" + if [ -n "$VAULT_KV_V2" ]; then + _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 + else + _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1 + fi + else + if [ -n "$VAULT_KV_V2" ]; then + _info "Writing certificate to $URL/cert.pem" + _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1 + else + _info "Writing certificate to $URL/cert.pem" + _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1 + _info "Writing key to $URL/cert.key" + _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1 + _info "Writing CA certificate to $URL/ca.pem" + _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1 + _info "Writing full-chain certificate to $URL/fullchain.pem" + _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1 + fi + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to $URL/chain.pem for backward compatibility" + if [ -n "$VAULT_KV_V2" ]; then + _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1 + else + _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1 + fi + fi + fi + +} diff --git a/acme.sh-master/deploy/vault_cli.sh b/acme.sh-master/deploy/vault_cli.sh new file mode 100644 index 0000000..3ebb807 --- /dev/null +++ b/acme.sh-master/deploy/vault_cli.sh @@ -0,0 +1,104 @@ +#!/usr/bin/env sh + +# Here is a script to deploy cert to hashicorp vault +# (https://www.vaultproject.io/) +# +# it requires the vault binary to be available in PATH, and the following +# environment variables: +# +# VAULT_PREFIX - this contains the prefix path in vault +# VAULT_ADDR - vault requires this to find your vault server +# VAULT_SAVE_TOKEN - set to anything if you want to save the token +# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying +# +# additionally, you need to ensure that VAULT_TOKEN is avialable or +# `vault auth` has applied the appropriate authorization for the vault binary +# to access the vault server + +#returns 0 means success, otherwise error. + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +vault_cli_deploy() { + + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + # validate required env vars + _getdeployconf VAULT_PREFIX + if [ -z "$VAULT_PREFIX" ]; then + _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)" + return 1 + fi + _savedeployconf VAULT_PREFIX "$VAULT_PREFIX" + + _getdeployconf VAULT_ADDR + if [ -z "$VAULT_ADDR" ]; then + _err "VAULT_ADDR needs to be defined (contains vault connection address)" + return 1 + fi + _savedeployconf VAULT_ADDR "$VAULT_ADDR" + + _getdeployconf VAULT_SAVE_TOKEN + _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" + + _getdeployconf VAULT_RENEW_TOKEN + _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" + + _getdeployconf VAULT_TOKEN + if [ -z "$VAULT_TOKEN" ]; then + _err "VAULT_TOKEN needs to be defined" + return 1 + fi + if [ -n "$VAULT_SAVE_TOKEN" ]; then + _savedeployconf VAULT_TOKEN "$VAULT_TOKEN" + fi + + _migratedeployconf FABIO VAULT_FABIO_MODE + + VAULT_CMD=$(command -v vault) + if [ ! $? ]; then + _err "cannot find vault binary!" + return 1 + fi + + if [ -n "$VAULT_RENEW_TOKEN" ]; then + _info "Renew the Vault token to default TTL" + if ! $VAULT_CMD token renew; then + _err "Failed to renew the Vault token" + return 1 + fi + fi + + if [ -n "$VAULT_FABIO_MODE" ]; then + _info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 + else + _info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 + _info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 + _info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1 + _info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 + + # To make it compatible with the wrong ca path `chain.pem` which was used in former versions + if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then + _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" + _info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility" + $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 + fi + fi + +} diff --git a/acme.sh-master/deploy/vsftpd.sh b/acme.sh-master/deploy/vsftpd.sh new file mode 100644 index 0000000..8cf24e4 --- /dev/null +++ b/acme.sh-master/deploy/vsftpd.sh @@ -0,0 +1,110 @@ +#!/usr/bin/env sh + +#Here is a script to deploy cert to vsftpd server. + +#returns 0 means success, otherwise error. + +#DEPLOY_VSFTPD_CONF="/etc/vsftpd.conf" +#DEPLOY_VSFTPD_RELOAD="service vsftpd restart" + +######## Public functions ##################### + +#domain keyfile certfile cafile fullchain +vsftpd_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + _ssl_path="/etc/acme.sh/vsftpd" + if ! mkdir -p "$_ssl_path"; then + _err "Can not create folder:$_ssl_path" + return 1 + fi + + _info "Copying key and cert" + _real_key="$_ssl_path/vsftpd.key" + if ! cat "$_ckey" >"$_real_key"; then + _err "Error: write key file to: $_real_key" + return 1 + fi + _real_fullchain="$_ssl_path/vsftpd.chain.pem" + if ! cat "$_cfullchain" >"$_real_fullchain"; then + _err "Error: write key file to: $_real_fullchain" + return 1 + fi + + DEFAULT_VSFTPD_RELOAD="service vsftpd restart" + _reload="${DEPLOY_VSFTPD_RELOAD:-$DEFAULT_VSFTPD_RELOAD}" + + if [ -z "$IS_RENEW" ]; then + DEFAULT_VSFTPD_CONF="/etc/vsftpd.conf" + _vsftpd_conf="${DEPLOY_VSFTPD_CONF:-$DEFAULT_VSFTPD_CONF}" + if [ ! -f "$_vsftpd_conf" ]; then + if [ -z "$DEPLOY_VSFTPD_CONF" ]; then + _err "vsftpd conf is not found, please define DEPLOY_VSFTPD_CONF" + return 1 + else + _err "It seems that the specified vsftpd conf is not valid, please check." + return 1 + fi + fi + if [ ! -w "$_vsftpd_conf" ]; then + _err "The file $_vsftpd_conf is not writable, please change the permission." + return 1 + fi + _backup_conf="$DOMAIN_BACKUP_PATH/vsftpd.conf.bak" + _info "Backup $_vsftpd_conf to $_backup_conf" + cp "$_vsftpd_conf" "$_backup_conf" + + _info "Modify vsftpd conf: $_vsftpd_conf" + if _setopt "$_vsftpd_conf" "rsa_cert_file" "=" "$_real_fullchain" && + _setopt "$_vsftpd_conf" "rsa_private_key_file" "=" "$_real_key" && + _setopt "$_vsftpd_conf" "ssl_enable" "=" "YES"; then + _info "Set config success!" + else + _err "Config vsftpd server error, please report bug to us." + _info "Restoring vsftpd conf" + if cat "$_backup_conf" >"$_vsftpd_conf"; then + _info "Restore conf success" + eval "$_reload" + else + _err "Oops, error restore vsftpd conf, please report bug to us." + fi + return 1 + fi + fi + + _info "Run reload: $_reload" + if eval "$_reload"; then + _info "Reload success!" + if [ "$DEPLOY_VSFTPD_CONF" ]; then + _savedomainconf DEPLOY_VSFTPD_CONF "$DEPLOY_VSFTPD_CONF" + else + _cleardomainconf DEPLOY_VSFTPD_CONF + fi + if [ "$DEPLOY_VSFTPD_RELOAD" ]; then + _savedomainconf DEPLOY_VSFTPD_RELOAD "$DEPLOY_VSFTPD_RELOAD" + else + _cleardomainconf DEPLOY_VSFTPD_RELOAD + fi + return 0 + else + _err "Reload error, restoring" + if cat "$_backup_conf" >"$_vsftpd_conf"; then + _info "Restore conf success" + eval "$_reload" + else + _err "Oops, error restore vsftpd conf, please report bug to us." + fi + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/README.md b/acme.sh-master/dnsapi/README.md new file mode 100644 index 0000000..e81f791 --- /dev/null +++ b/acme.sh-master/dnsapi/README.md @@ -0,0 +1,6 @@ +# How to use DNS API +DNS api usage: + + +https://github.com/acmesh-official/acme.sh/wiki/dnsapi + diff --git a/acme.sh-master/dnsapi/dns_1984hosting.sh b/acme.sh-master/dnsapi/dns_1984hosting.sh new file mode 100644 index 0000000..6accc59 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_1984hosting.sh @@ -0,0 +1,261 @@ +#!/usr/bin/env sh +#This file name is "dns_1984hosting.sh" +#So, here must be a method dns_1984hosting_add() +#Which will be called by acme.sh to add the txt record to your api system. +#returns 0 means success, otherwise error. + +#Author: Adrian Fedoreanu +#Report Bugs here: https://github.com/acmesh-official/acme.sh +# or here... https://github.com/acmesh-official/acme.sh/issues/2851 +# +######## Public functions ##################### + +# Export 1984HOSTING username and password in following variables +# +# One984HOSTING_Username=username +# One984HOSTING_Password=password +# +# sessionid cookie is saved in ~/.acme.sh/account.conf +# username/password need to be set only when changed. + +#Usage: dns_1984hosting_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_1984hosting_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Add TXT record using 1984Hosting" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ! _1984hosting_login; then + _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Add TXT record $fulldomain with value '$txtvalue'" + value="$(printf '%s' "$txtvalue" | _url_encode)" + url="https://1984.hosting/domains/entry/" + + postdata="entry=new" + postdata="$postdata&type=TXT" + postdata="$postdata&ttl=900" + postdata="$postdata&zone=$_domain" + postdata="$postdata&host=$_sub_domain" + postdata="$postdata&rdata=%22$value%22" + _debug2 postdata "$postdata" + + _authpost "$postdata" "$url" + response="$(echo "$_response" | _normalizeJson)" + _debug2 response "$response" + + if _contains "$response" '"haserrors": true'; then + _err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post" + return 1 + elif _contains "$response" "html>"; then + _err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file" + return 1 + elif _contains "$response" '"auth": false'; then + _err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie" + return 1 + fi + + _info "Added acme challenge TXT record for $fulldomain at 1984Hosting" + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_1984hosting_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Delete TXT record using 1984Hosting" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ! _1984hosting_login; then + _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug "Delete $fulldomain TXT record" + + url="https://1984.hosting/domains" + if ! _get_zone_id "$url" "$_domain"; then + _err "invalid zone" "$_domain" + return 1 + fi + + _htmlget "$url/$_zone_id" "$txtvalue" + _debug2 _response "$_response" + entry_id="$(echo "$_response" | _egrep_o 'entry_[0-9]+' | sed 's/entry_//')" + _debug2 entry_id "$entry_id" + if [ -z "$entry_id" ]; then + _err "Error getting TXT entry_id for $1" + return 1 + fi + + _authpost "entry=$entry_id" "$url/delentry/" + response="$(echo "$_response" | _normalizeJson)" + _debug2 response "$response" + + if ! _contains "$response" '"ok": true'; then + _err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post" + return 1 + fi + + _info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting" + return 0 +} + +#################### Private functions below ################################## + +# usage: _1984hosting_login username password +# returns 0 success +_1984hosting_login() { + if ! _check_credentials; then return 1; fi + + if _check_cookies; then + _debug "Already logged in" + return 0 + fi + + _debug "Login to 1984Hosting as user $One984HOSTING_Username" + username=$(printf '%s' "$One984HOSTING_Username" | _url_encode) + password=$(printf '%s' "$One984HOSTING_Password" | _url_encode) + url="https://1984.hosting/accounts/checkuserauth/" + + response="$(_post "username=$username&password=$password&otpkey=" $url)" + response="$(echo "$response" | _normalizeJson)" + _debug2 response "$response" + + if _contains "$response" '"loggedin": true'; then + One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')" + One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')" + export One984HOSTING_SESSIONID_COOKIE + export One984HOSTING_CSRFTOKEN_COOKIE + _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE" + _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE" + return 0 + fi + return 1 +} + +_check_credentials() { + if [ -z "$One984HOSTING_Username" ] || [ -z "$One984HOSTING_Password" ]; then + One984HOSTING_Username="" + One984HOSTING_Password="" + _err "You haven't specified 1984Hosting username or password yet." + _err "Please export as One984HOSTING_Username / One984HOSTING_Password and try again." + return 1 + fi + return 0 +} + +_check_cookies() { + One984HOSTING_SESSIONID_COOKIE="${One984HOSTING_SESSIONID_COOKIE:-$(_readaccountconf_mutable One984HOSTING_SESSIONID_COOKIE)}" + One984HOSTING_CSRFTOKEN_COOKIE="${One984HOSTING_CSRFTOKEN_COOKIE:-$(_readaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE)}" + if [ -z "$One984HOSTING_SESSIONID_COOKIE" ] || [ -z "$One984HOSTING_CSRFTOKEN_COOKIE" ]; then + _debug "No cached cookie(s) found" + return 1 + fi + + _authget "https://1984.hosting/accounts/loginstatus/" + if _contains "$response" '"ok": true'; then + _debug "Cached cookies still valid" + return 0 + fi + _debug "Cached cookies no longer valid" + One984HOSTING_SESSIONID_COOKIE="" + One984HOSTING_CSRFTOKEN_COOKIE="" + _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE" + _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE" + return 1 +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _authget "https://1984.hosting/domains/soacheck/?zone=$h&nameserver=ns0.1984.is." + if _contains "$_response" "serial" && ! _contains "$_response" "null"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +#usage: _get_zone_id url domain.com +#returns zone id for domain.com +_get_zone_id() { + url=$1 + domain=$2 + _htmlget "$url" "$domain" + _debug2 _response "$_response" + _zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+' | _head_n 1)" + _debug2 _zone_id "$_zone_id" + if [ -z "$_zone_id" ]; then + _err "Error getting _zone_id for $2" + return 1 + fi + return 0 +} + +# add extra headers to request +_authget() { + export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE" + _response=$(_get "$1" | _normalizeJson) + _debug2 _response "$_response" +} + +# truncate huge HTML response +# echo: Argument list too long +_htmlget() { + export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE" + _response=$(_get "$1" | grep "$2") + if _contains "$_response" "@$2"; then + _response=$(echo "$_response" | grep -v "[@]" | _head_n 1) + fi +} + +# add extra headers to request +_authpost() { + url="https://1984.hosting/domains" + _get_zone_id "$url" "$_domain" + csrf_header="$(echo "$One984HOSTING_CSRFTOKEN_COOKIE" | _egrep_o "=[^=][0-9a-zA-Z]*" | tr -d "=")" + export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE" + export _H2="Referer: https://1984.hosting/domains/$_zone_id" + export _H3="X-CSRFToken: $csrf_header" + _response=$(_post "$1" "$2") +} diff --git a/acme.sh-master/dnsapi/dns_acmedns.sh b/acme.sh-master/dnsapi/dns_acmedns.sh new file mode 100644 index 0000000..057f974 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_acmedns.sh @@ -0,0 +1,94 @@ +#!/usr/bin/env sh +# +#Author: Wolfgang Ebner +#Author: Sven Neubuaer +#Report Bugs here: https://github.com/dampfklon/acme.sh +# +# Usage: +# export ACMEDNS_BASE_URL="https://auth.acme-dns.io" +# +# You can optionally define an already existing account: +# +# export ACMEDNS_USERNAME="" +# export ACMEDNS_PASSWORD="" +# export ACMEDNS_SUBDOMAIN="" +# +######## Public functions ##################### + +#Usage: dns_acmedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_acmedns_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using acme-dns" + _debug "fulldomain $fulldomain" + _debug "txtvalue $txtvalue" + + #for compatiblity from account conf + ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readaccountconf_mutable ACMEDNS_USERNAME)}" + _clearaccountconf_mutable ACMEDNS_USERNAME + ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readaccountconf_mutable ACMEDNS_PASSWORD)}" + _clearaccountconf_mutable ACMEDNS_PASSWORD + ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readaccountconf_mutable ACMEDNS_SUBDOMAIN)}" + _clearaccountconf_mutable ACMEDNS_SUBDOMAIN + + ACMEDNS_BASE_URL="${ACMEDNS_BASE_URL:-$(_readdomainconf ACMEDNS_BASE_URL)}" + ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readdomainconf ACMEDNS_USERNAME)}" + ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readdomainconf ACMEDNS_PASSWORD)}" + ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readdomainconf ACMEDNS_SUBDOMAIN)}" + + if [ "$ACMEDNS_BASE_URL" = "" ]; then + ACMEDNS_BASE_URL="https://auth.acme-dns.io" + fi + + ACMEDNS_UPDATE_URL="$ACMEDNS_BASE_URL/update" + ACMEDNS_REGISTER_URL="$ACMEDNS_BASE_URL/register" + + if [ -z "$ACMEDNS_USERNAME" ] || [ -z "$ACMEDNS_PASSWORD" ]; then + response="$(_post "" "$ACMEDNS_REGISTER_URL" "" "POST")" + _debug response "$response" + ACMEDNS_USERNAME=$(echo "$response" | sed -n 's/^{.*\"username\":[ ]*\"\([^\"]*\)\".*}/\1/p') + _debug "received username: $ACMEDNS_USERNAME" + ACMEDNS_PASSWORD=$(echo "$response" | sed -n 's/^{.*\"password\":[ ]*\"\([^\"]*\)\".*}/\1/p') + _debug "received password: $ACMEDNS_PASSWORD" + ACMEDNS_SUBDOMAIN=$(echo "$response" | sed -n 's/^{.*\"subdomain\":[ ]*\"\([^\"]*\)\".*}/\1/p') + _debug "received subdomain: $ACMEDNS_SUBDOMAIN" + ACMEDNS_FULLDOMAIN=$(echo "$response" | sed -n 's/^{.*\"fulldomain\":[ ]*\"\([^\"]*\)\".*}/\1/p') + _info "##########################################################" + _info "# Create $fulldomain CNAME $ACMEDNS_FULLDOMAIN DNS entry #" + _info "##########################################################" + _info "Press enter to continue... " + read -r _ + fi + + _savedomainconf ACMEDNS_BASE_URL "$ACMEDNS_BASE_URL" + _savedomainconf ACMEDNS_USERNAME "$ACMEDNS_USERNAME" + _savedomainconf ACMEDNS_PASSWORD "$ACMEDNS_PASSWORD" + _savedomainconf ACMEDNS_SUBDOMAIN "$ACMEDNS_SUBDOMAIN" + + export _H1="X-Api-User: $ACMEDNS_USERNAME" + export _H2="X-Api-Key: $ACMEDNS_PASSWORD" + data="{\"subdomain\":\"$ACMEDNS_SUBDOMAIN\", \"txt\": \"$txtvalue\"}" + + _debug data "$data" + response="$(_post "$data" "$ACMEDNS_UPDATE_URL" "" "POST")" + _debug response "$response" + + if ! echo "$response" | grep "\"$txtvalue\"" >/dev/null; then + _err "invalid response of acme-dns" + return 1 + fi + +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_acmedns_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using acme-dns" + _debug "fulldomain $fulldomain" + _debug "txtvalue $txtvalue" +} + +#################### Private functions below ################################## diff --git a/acme.sh-master/dnsapi/dns_acmeproxy.sh b/acme.sh-master/dnsapi/dns_acmeproxy.sh new file mode 100644 index 0000000..9d5533f --- /dev/null +++ b/acme.sh-master/dnsapi/dns_acmeproxy.sh @@ -0,0 +1,83 @@ +#!/usr/bin/env sh + +## Acmeproxy DNS provider to be used with acmeproxy (https://github.com/mdbraber/acmeproxy) +## API integration by Maarten den Braber +## +## Report any bugs via https://github.com/mdbraber/acme.sh + +dns_acmeproxy_add() { + fulldomain="${1}" + txtvalue="${2}" + action="present" + + _debug "Calling: _acmeproxy_request() '${fulldomain}' '${txtvalue}' '${action}'" + _acmeproxy_request "$fulldomain" "$txtvalue" "$action" +} + +dns_acmeproxy_rm() { + fulldomain="${1}" + txtvalue="${2}" + action="cleanup" + + _debug "Calling: _acmeproxy_request() '${fulldomain}' '${txtvalue}' '${action}'" + _acmeproxy_request "$fulldomain" "$txtvalue" "$action" +} + +_acmeproxy_request() { + + ## Nothing to see here, just some housekeeping + fulldomain=$1 + txtvalue=$2 + action=$3 + + _info "Using acmeproxy" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ACMEPROXY_ENDPOINT="${ACMEPROXY_ENDPOINT:-$(_readaccountconf_mutable ACMEPROXY_ENDPOINT)}" + ACMEPROXY_USERNAME="${ACMEPROXY_USERNAME:-$(_readaccountconf_mutable ACMEPROXY_USERNAME)}" + ACMEPROXY_PASSWORD="${ACMEPROXY_PASSWORD:-$(_readaccountconf_mutable ACMEPROXY_PASSWORD)}" + + ## Check for the endpoint + if [ -z "$ACMEPROXY_ENDPOINT" ]; then + ACMEPROXY_ENDPOINT="" + _err "You didn't specify the endpoint" + _err "Please set them via 'export ACMEPROXY_ENDPOINT=https://ip:port' and try again." + return 1 + fi + + ## Save the credentials to the account file + _saveaccountconf_mutable ACMEPROXY_ENDPOINT "$ACMEPROXY_ENDPOINT" + _saveaccountconf_mutable ACMEPROXY_USERNAME "$ACMEPROXY_USERNAME" + _saveaccountconf_mutable ACMEPROXY_PASSWORD "$ACMEPROXY_PASSWORD" + + if [ -z "$ACMEPROXY_USERNAME" ] || [ -z "$ACMEPROXY_PASSWORD" ]; then + _info "ACMEPROXY_USERNAME and/or ACMEPROXY_PASSWORD not set - using without client authentication! Make sure you're using server authentication (e.g. IP-based)" + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + else + ## Base64 encode the credentials + credentials=$(printf "%b" "$ACMEPROXY_USERNAME:$ACMEPROXY_PASSWORD" | _base64) + + ## Construct the HTTP Authorization header + export _H1="Authorization: Basic $credentials" + export _H2="Accept: application/json" + export _H3="Content-Type: application/json" + fi + + ## Add the challenge record to the acmeproxy grid member + response="$(_post "{\"fqdn\": \"$fulldomain.\", \"value\": \"$txtvalue\"}" "$ACMEPROXY_ENDPOINT/$action" "" "POST")" + + ## Let's see if we get something intelligible back from the unit + if echo "$response" | grep "\"$txtvalue\"" >/dev/null; then + _info "Successfully updated the txt record" + return 0 + else + _err "Error encountered during record addition" + _err "$response" + return 1 + fi + +} + +#################### Private functions below ################################## diff --git a/acme.sh-master/dnsapi/dns_active24.sh b/acme.sh-master/dnsapi/dns_active24.sh new file mode 100644 index 0000000..862f734 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_active24.sh @@ -0,0 +1,141 @@ +#!/usr/bin/env sh + +#ACTIVE24_Token="sdfsdfsdfljlbjkljlkjsdfoiwje" + +ACTIVE24_Api="https://api.active24.com" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_active24_add() { + fulldomain=$1 + txtvalue=$2 + + _active24_init + + _info "Adding txt record" + if _active24_rest POST "dns/$_domain/txt/v1" "{\"name\":\"$_sub_domain\",\"text\":\"$txtvalue\",\"ttl\":0}"; then + if _contains "$response" "errors"; then + _err "Add txt record error." + return 1 + else + _info "Added, OK" + return 0 + fi + fi + _err "Add txt record error." + return 1 +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +dns_active24_rm() { + fulldomain=$1 + txtvalue=$2 + + _active24_init + + _debug "Getting txt records" + _active24_rest GET "dns/$_domain/records/v1" + + if _contains "$response" "errors"; then + _err "Error" + return 1 + fi + + hash_ids=$(echo "$response" | _egrep_o "[^{]+${txtvalue}[^}]+" | _egrep_o "hashId\":\"[^\"]+" | cut -c10-) + + for hash_id in $hash_ids; do + _debug "Removing hash_id" "$hash_id" + if _active24_rest DELETE "dns/$_domain/$hash_id/v1" ""; then + if _contains "$response" "errors"; then + _err "Unable to remove txt record." + return 1 + else + _info "Removed txt record." + return 0 + fi + fi + done + + _err "No txt records found." + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + + if ! _active24_rest GET "dns/domains/v1"; then + return 1 + fi + + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug "h" "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"$h\"" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_active24_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Authorization: Bearer $ACTIVE24_Token" + + if [ "$m" != "GET" ]; then + _debug "data" "$data" + response="$(_post "$data" "$ACTIVE24_Api/$ep" "" "$m" "application/json")" + else + response="$(_get "$ACTIVE24_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_active24_init() { + ACTIVE24_Token="${ACTIVE24_Token:-$(_readaccountconf_mutable ACTIVE24_Token)}" + if [ -z "$ACTIVE24_Token" ]; then + ACTIVE24_Token="" + _err "You didn't specify a Active24 api token yet." + _err "Please create the token and try again." + return 1 + fi + + _saveaccountconf_mutable ACTIVE24_Token "$ACTIVE24_Token" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" +} diff --git a/acme.sh-master/dnsapi/dns_ad.sh b/acme.sh-master/dnsapi/dns_ad.sh new file mode 100644 index 0000000..fc4a664 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ad.sh @@ -0,0 +1,147 @@ +#!/usr/bin/env sh + +# +#AD_API_KEY="sdfsdfsdfljlbjkljlkjsdfoiwje" + +#This is the Alwaysdata api wrapper for acme.sh +# +#Author: Paul Koppen +#Report Bugs here: https://github.com/wpk-/acme.sh + +AD_API_URL="https://$AD_API_KEY:@api.alwaysdata.com/v1" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ad_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$AD_API_KEY" ]; then + AD_API_KEY="" + _err "You didn't specify the AD api key yet." + _err "Please create you key and try again." + return 1 + fi + + _saveaccountconf AD_API_KEY "$AD_API_KEY" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _ad_tmpl_json="{\"domain\":$_domain_id,\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\"}" + + if _ad_rest POST "record/" "$_ad_tmpl_json" && [ -z "$response" ]; then + _info "txt record updated success." + return 0 + fi + + return 1 +} + +#fulldomain txtvalue +dns_ad_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _ad_rest GET "record/?domain=$_domain_id&name=$_sub_domain" + + if [ -n "$response" ]; then + record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\s*[0-9]+" | cut -d : -f 2 | tr -d " " | _head_n 1) + _debug record_id "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if _ad_rest DELETE "record/$record_id/" && [ -z "$response" ]; then + _info "txt record deleted success." + return 0 + fi + _debug response "$response" + return 1 + fi + + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=12345 +_get_root() { + domain=$1 + i=2 + p=1 + + if _ad_rest GET "domain/"; then + response="$(echo "$response" | tr -d "\n" | sed 's/{/\n&/g')" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + hostedzone="$(echo "$response" | _egrep_o "{.*\"name\":\s*\"$h\".*}")" + if [ "$hostedzone" ]; then + _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + fi + return 1 +} + +#method uri qstr data +_ad_rest() { + mtd="$1" + ep="$2" + data="$3" + + _debug mtd "$mtd" + _debug ep "$ep" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + + if [ "$mtd" != "GET" ]; then + # both POST and DELETE. + _debug data "$data" + response="$(_post "$data" "$AD_API_URL/$ep" "" "$mtd")" + else + response="$(_get "$AD_API_URL/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_ali.sh b/acme.sh-master/dnsapi/dns_ali.sh new file mode 100644 index 0000000..c210567 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ali.sh @@ -0,0 +1,203 @@ +#!/usr/bin/env sh + +Ali_API="https://alidns.aliyuncs.com/" + +#Ali_Key="LTqIA87hOKdjevsf5" +#Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2" + +#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ali_add() { + fulldomain=$1 + txtvalue=$2 + + Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" + Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" + if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then + Ali_Key="" + Ali_Secret="" + _err "You don't specify aliyun api key and secret yet." + return 1 + fi + + #save the api key and secret to the account conf file. + _saveaccountconf_mutable Ali_Key "$Ali_Key" + _saveaccountconf_mutable Ali_Secret "$Ali_Secret" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + + _debug "Add record" + _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _ali_rest "Add record" +} + +dns_ali_rm() { + fulldomain=$1 + txtvalue=$2 + Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" + Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + + _clean +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _describe_records_query "$h" + if ! _ali_rest "Get root" "ignore"; then + return 1 + fi + + if _contains "$response" "PageNumber"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _debug _sub_domain "$_sub_domain" + _domain="$h" + _debug _domain "$_domain" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_ali_rest() { + signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) + signature=$(_ali_urlencode "$signature") + url="$Ali_API?$query&Signature=$signature" + + if ! response="$(_get "$url")"; then + _err "Error <$1>" + return 1 + fi + + _debug2 response "$response" + if [ -z "$2" ]; then + message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" + if [ "$message" ]; then + _err "$message" + return 1 + fi + fi +} + +_ali_urlencode() { + _str="$1" + _str_len=${#_str} + _u_i=1 + while [ "$_u_i" -le "$_str_len" ]; do + _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" + case $_str_c in [a-zA-Z0-9.~_-]) + printf "%s" "$_str_c" + ;; + *) + printf "%%%02X" "'$_str_c" + ;; + esac + _u_i="$(_math "$_u_i" + 1)" + done +} + +_ali_nonce() { + #_head_n 1 /dev/null +} + +#################### Private functions below ################################## + +_is_uuid() { + pattern='^\{?[A-Z0-9a-z]{8}-[A-Z0-9a-z]{4}-[A-Z0-9a-z]{4}-[A-Z0-9a-z]{4}-[A-Z0-9a-z]{12}\}?$' + if echo "$1" | _egrep_o "$pattern" >/dev/null; then + return 0 + fi + return 1 +} + +_get_record_id() { + _debug subdomain "$_sub_domain" + _debug domain "$_domain" + + if _anx_rest GET "zone.json/${_domain}/records?name=$_sub_domain&type=TXT"; then + _debug response "$response" + if _contains "$response" "\"name\":\"$_sub_domain\"" >/dev/null; then + _record_id=$(printf "%s\n" "$response" | _egrep_o "\[.\"identifier\":\"[^\"]*\"" | head -n 1 | cut -d : -f 2 | tr -d \") + else + _record_id='' + fi + else + _err "Search existing record" + fi +} + +_anx_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Content-Type: application/json" + export _H2="Authorization: Token $ANX_Token" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "${ANX_API}/$ep" "" "$m")" + else + response="$(_get "${ANX_API}/$ep")" + fi + + # shellcheck disable=SC2181 + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug response "$response" + return 0 +} + +_get_root() { + domain=$1 + i=1 + p=1 + + _anx_rest GET "zone.json" + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_arvan.sh b/acme.sh-master/dnsapi/dns_arvan.sh new file mode 100644 index 0000000..4ca5b68 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_arvan.sh @@ -0,0 +1,151 @@ +#!/usr/bin/env sh + +# Arvan_Token="Apikey xxxx" + +ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains" +# Author: Vahid Fardi +# Report Bugs here: https://github.com/Neilpang/acme.sh +# +######## Public functions ##################### + +#Usage: dns_arvan_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_arvan_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using Arvan" + + Arvan_Token="${Arvan_Token:-$(_readaccountconf_mutable Arvan_Token)}" + + if [ -z "$Arvan_Token" ]; then + _err "You didn't specify \"Arvan_Token\" token yet." + _err "You can get yours from here https://npanel.arvancloud.ir/profile/api-keys" + return 1 + fi + #save the api token to the account conf file. + _saveaccountconf_mutable Arvan_Token "$Arvan_Token" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then + if _contains "$response" "$txtvalue"; then + _info "response id is $response" + _info "Added, OK" + return 0 + elif _contains "$response" "Record Data is duplicate"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_arvan_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using Arvan" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + Arvan_Token="${Arvan_Token:-$(_readaccountconf_mutable Arvan_Token)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _arvan_rest GET "${_domain}/dns-records" + if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then + _err "Error on Arvan Api" + _err "Please create a github issue with debbug log" + return 1 + fi + + _record_id=$(echo "$response" | _egrep_o ".\"id\":\"[^\"]*\",\"type\":\"txt\",\"name\":\"_acme-challenge\",\"value\":{\"text\":\"$txtvalue\"}" | cut -d : -f 2 | cut -d , -f 1 | tr -d \") + if ! _arvan_rest "DELETE" "${_domain}/dns-records/${_record_id}"; then + _err "Error on Arvan Api" + return 1 + fi + _debug "$response" + _contains "$response" 'dns record deleted' + return 0 +} + +#################### Private functions below ################################## + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _arvan_rest GET "$h"; then + return 1 + fi + if _contains "$response" "\"domain\":\"$h\""; then + _domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_arvan_rest() { + mtd="$1" + ep="$2" + data="$3" + + token_trimmed=$(echo "$Arvan_Token" | tr -d '"') + export _H1="Authorization: $token_trimmed" + + if [ "$mtd" = "DELETE" ]; then + #DELETE Request shouldn't have Content-Type + _debug data "$data" + response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" + elif [ "$mtd" = "POST" ]; then + export _H2="Content-Type: application/json" + export _H3="Accept: application/json" + _debug data "$data" + response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")" + else + response="$(_get "$ARVAN_API_URL/$ep$data")" + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_aurora.sh b/acme.sh-master/dnsapi/dns_aurora.sh new file mode 100644 index 0000000..00f4473 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_aurora.sh @@ -0,0 +1,171 @@ +#!/usr/bin/env sh + +# +#AURORA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#AURORA_Secret="sdfsdfsdfljlbjkljlkjsdfoiwje" + +AURORA_Api="https://api.auroradns.eu" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_aurora_add() { + fulldomain=$1 + txtvalue=$2 + + AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}" + AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}" + + if [ -z "$AURORA_Key" ] || [ -z "$AURORA_Secret" ]; then + AURORA_Key="" + AURORA_Secret="" + _err "You didn't specify an Aurora api key and secret yet." + _err "You can get yours from here https://cp.pcextreme.nl/auroradns/users." + return 1 + fi + + #save the api key and secret to the account conf file. + _saveaccountconf_mutable AURORA_Key "$AURORA_Key" + _saveaccountconf_mutable AURORA_Secret "$AURORA_Secret" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _aurora_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "RecordExistsError"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_aurora_rm() { + fulldomain=$1 + txtvalue=$2 + + AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}" + AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting records" + _aurora_rest GET "zones/${_domain_id}/records" + + if ! _contains "$response" "$txtvalue"; then + _info "Don't need to remove." + else + records=$(echo "$response" | _normalizeJson | tr -d "[]" | sed "s/},{/}|{/g" | tr "|" "\n") + if [ "$(echo "$records" | wc -l)" -le 2 ]; then + _err "Can not parse records." + return 1 + fi + record_id=$(echo "$records" | grep "\"type\": *\"TXT\"" | grep "\"name\": *\"$_sub_domain\"" | grep "\"content\": *\"$txtvalue\"" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _aurora_rest DELETE "zones/$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + fi + return 0 + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _aurora_rest GET "zones/$h"; then + return 1 + fi + + if _contains "$response" "\"name\": \"$h\""; then + _domain_id=$(echo "$response" | _normalizeJson | tr -d "{}" | tr "," "\n" | grep "\"id\": *\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") + _debug _domain_id "$_domain_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_aurora_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + key_trimmed=$(echo "$AURORA_Key" | tr -d '"') + secret_trimmed=$(echo "$AURORA_Secret" | tr -d '"') + + timestamp=$(date -u +"%Y%m%dT%H%M%SZ") + signature=$(printf "%s/%s%s" "$m" "$ep" "$timestamp" | _hmac sha256 "$(printf "%s" "$secret_trimmed" | _hex_dump | tr -d " ")" | _base64) + authorization=$(printf "AuroraDNSv1 %s" "$(printf "%s:%s" "$key_trimmed" "$signature" | _base64)") + + export _H1="Content-Type: application/json; charset=UTF-8" + export _H2="X-AuroraDNS-Date: $timestamp" + export _H3="Authorization: $authorization" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$AURORA_Api/$ep" "" "$m")" + else + response="$(_get "$AURORA_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_autodns.sh b/acme.sh-master/dnsapi/dns_autodns.sh new file mode 100644 index 0000000..9253448 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_autodns.sh @@ -0,0 +1,264 @@ +#!/usr/bin/env sh +# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*- + +# This is the InternetX autoDNS xml api wrapper for acme.sh +# Author: auerswald@gmail.com +# Created: 2018-01-14 +# +# export AUTODNS_USER="username" +# export AUTODNS_PASSWORD="password" +# export AUTODNS_CONTEXT="context" +# +# Usage: +# acme.sh --issue --dns dns_autodns -d example.com + +AUTODNS_API="https://gateway.autodns.com" + +# Arguments: +# txtdomain +# txt +dns_autodns_add() { + fulldomain="$1" + txtvalue="$2" + + AUTODNS_USER="${AUTODNS_USER:-$(_readaccountconf_mutable AUTODNS_USER)}" + AUTODNS_PASSWORD="${AUTODNS_PASSWORD:-$(_readaccountconf_mutable AUTODNS_PASSWORD)}" + AUTODNS_CONTEXT="${AUTODNS_CONTEXT:-$(_readaccountconf_mutable AUTODNS_CONTEXT)}" + + if [ -z "$AUTODNS_USER" ] || [ -z "$AUTODNS_CONTEXT" ] || [ -z "$AUTODNS_PASSWORD" ]; then + _err "You don't specify autodns user, password and context." + return 1 + fi + + _saveaccountconf_mutable AUTODNS_USER "$AUTODNS_USER" + _saveaccountconf_mutable AUTODNS_PASSWORD "$AUTODNS_PASSWORD" + _saveaccountconf_mutable AUTODNS_CONTEXT "$AUTODNS_CONTEXT" + + _debug "First detect the root zone" + + if ! _get_autodns_zone "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _zone "$_zone" + _debug _system_ns "$_system_ns" + + _info "Adding TXT record" + + autodns_response="$(_autodns_zone_update "$_zone" "$_sub_domain" "$txtvalue" "$_system_ns")" + + if [ "$?" -eq "0" ]; then + _info "Added, OK" + return 0 + fi + + return 1 +} + +# Arguments: +# txtdomain +# txt +dns_autodns_rm() { + fulldomain="$1" + txtvalue="$2" + + AUTODNS_USER="${AUTODNS_USER:-$(_readaccountconf_mutable AUTODNS_USER)}" + AUTODNS_PASSWORD="${AUTODNS_PASSWORD:-$(_readaccountconf_mutable AUTODNS_PASSWORD)}" + AUTODNS_CONTEXT="${AUTODNS_CONTEXT:-$(_readaccountconf_mutable AUTODNS_CONTEXT)}" + + if [ -z "$AUTODNS_USER" ] || [ -z "$AUTODNS_CONTEXT" ] || [ -z "$AUTODNS_PASSWORD" ]; then + _err "You don't specify autodns user, password and context." + return 1 + fi + + _debug "First detect the root zone" + + if ! _get_autodns_zone "$fulldomain"; then + _err "zone not found" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _zone "$_zone" + _debug _system_ns "$_system_ns" + + _info "Delete TXT record" + + autodns_response="$(_autodns_zone_cleanup "$_zone" "$_sub_domain" "$txtvalue" "$_system_ns")" + + if [ "$?" -eq "0" ]; then + _info "Deleted, OK" + return 0 + fi + + return 1 +} + +#################### Private functions below ################################## + +# Arguments: +# fulldomain +# Returns: +# _sub_domain=_acme-challenge.www +# _zone=domain.com +# _system_ns +_get_autodns_zone() { + domain="$1" + + i=2 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + + if [ -z "$h" ]; then + # not valid + return 1 + fi + + autodns_response="$(_autodns_zone_inquire "$h")" + + if [ "$?" -ne "0" ]; then + _err "invalid domain" + return 1 + fi + + if _contains "$autodns_response" "1" >/dev/null; then + _zone="$(echo "$autodns_response" | _egrep_o '[^<]*' | cut -d '>' -f 2 | cut -d '<' -f 1)" + _system_ns="$(echo "$autodns_response" | _egrep_o '[^<]*' | cut -d '>' -f 2 | cut -d '<' -f 1)" + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +_build_request_auth_xml() { + printf " + %s + %s + %s + " "$AUTODNS_USER" "$AUTODNS_PASSWORD" "$AUTODNS_CONTEXT" +} + +# Arguments: +# zone +_build_zone_inquire_xml() { + printf " + + %s + + 0205 + + 1 + 1 + + + name + eq + %s + + + " "$(_build_request_auth_xml)" "$1" +} + +# Arguments: +# zone +# subdomain +# txtvalue +# system_ns +_build_zone_update_xml() { + printf " + + %s + + 0202001 + + + %s + 600 + TXT + %s + + + + %s + %s + + + " "$(_build_request_auth_xml)" "$2" "$3" "$1" "$4" +} + +# Arguments: +# zone +_autodns_zone_inquire() { + request_data="$(_build_zone_inquire_xml "$1")" + autodns_response="$(_autodns_api_call "$request_data")" + ret="$?" + + printf "%s" "$autodns_response" + return "$ret" +} + +# Arguments: +# zone +# subdomain +# txtvalue +# system_ns +_autodns_zone_update() { + request_data="$(_build_zone_update_xml "$1" "$2" "$3" "$4")" + autodns_response="$(_autodns_api_call "$request_data")" + ret="$?" + + printf "%s" "$autodns_response" + return "$ret" +} + +# Arguments: +# zone +# subdomain +# txtvalue +# system_ns +_autodns_zone_cleanup() { + request_data="$(_build_zone_update_xml "$1" "$2" "$3" "$4")" + # replace 'rr_add>' with 'rr_rem>' in request_data + request_data="$(printf -- "%s" "$request_data" | sed 's/rr_add>/rr_rem>/g')" + autodns_response="$(_autodns_api_call "$request_data")" + ret="$?" + + printf "%s" "$autodns_response" + return "$ret" +} + +# Arguments: +# request_data +_autodns_api_call() { + request_data="$1" + + _debug request_data "$request_data" + + autodns_response="$(_post "$request_data" "$AUTODNS_API")" + ret="$?" + + _debug autodns_response "$autodns_response" + + if [ "$ret" -ne "0" ]; then + _err "error" + return 1 + fi + + if _contains "$autodns_response" "success" >/dev/null; then + _info "success" + printf "%s" "$autodns_response" + return 0 + fi + + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_aws.sh b/acme.sh-master/dnsapi/dns_aws.sh new file mode 100644 index 0000000..50c9326 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_aws.sh @@ -0,0 +1,363 @@ +#!/usr/bin/env sh + +# +#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#AWS_SECRET_ACCESS_KEY="xxxxxxx" + +#This is the Amazon Route53 api wrapper for acme.sh +#All `_sleep` commands are included to avoid Route53 throttling, see +#https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests + +AWS_HOST="route53.amazonaws.com" +AWS_URL="https://$AWS_HOST" + +AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_aws_add() { + fulldomain=$1 + txtvalue=$2 + + AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" + AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" + AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}" + + if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then + _use_container_role || _use_instance_role + fi + + if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then + AWS_ACCESS_KEY_ID="" + AWS_SECRET_ACCESS_KEY="" + _err "You haven't specified the aws route53 api key id and and api key secret yet." + _err "Please create your key and try again. see $(__green $AWS_WIKI)" + return 1 + fi + + #save for future use, unless using a role which will be fetched as needed + if [ -z "$_using_role" ]; then + _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" + _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" + _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE" + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + _sleep 1 + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Getting existing records for $fulldomain" + if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then + _sleep 1 + return 1 + fi + + if _contains "$response" "$fulldomain."; then + _resource_record="$(echo "$response" | sed 's//"/g' | tr '"' "\n" | grep "$fulldomain." | _egrep_o "" | sed "s///" | sed "s###")" + _debug "_resource_record" "$_resource_record" + else + _debug "single new add" + fi + + if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then + _info "The TXT record already exists. Skipping." + _sleep 1 + return 0 + fi + + _debug "Adding records" + + _aws_tmpl_xml="UPSERT$fulldomainTXT300$_resource_record\"$txtvalue\"" + + if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then + _info "TXT record updated successfully." + if [ -n "$AWS_DNS_SLOWRATE" ]; then + _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds" + _sleep "$AWS_DNS_SLOWRATE" + else + _sleep 1 + fi + + return 0 + fi + _sleep 1 + return 1 +} + +#fulldomain txtvalue +dns_aws_rm() { + fulldomain=$1 + txtvalue=$2 + + AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}" + AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" + AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}" + + if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then + _use_container_role || _use_instance_role + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + _sleep 1 + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Getting existing records for $fulldomain" + if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then + _sleep 1 + return 1 + fi + + if _contains "$response" "$fulldomain."; then + _resource_record="$(echo "$response" | sed 's//"/g' | tr '"' "\n" | grep "$fulldomain." | _egrep_o "" | sed "s///" | sed "s###")" + _debug "_resource_record" "$_resource_record" + else + _debug "no records exist, skip" + _sleep 1 + return 0 + fi + + _aws_tmpl_xml="DELETE$_resource_record$fulldomain.TXT300" + + if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then + _info "TXT record deleted successfully." + if [ -n "$AWS_DNS_SLOWRATE" ]; then + _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds" + _sleep "$AWS_DNS_SLOWRATE" + else + _sleep 1 + fi + + return 0 + fi + _sleep 1 + return 1 + +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=1 + p=1 + + # iterate over names (a.b.c.d -> b.c.d -> c.d -> d) + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug "Checking domain: $h" + if [ -z "$h" ]; then + _error "invalid domain" + return 1 + fi + + # iterate over paginated result for list_hosted_zones + aws_rest GET "2013-04-01/hostedzone" + while true; do + if _contains "$response" "$h."; then + hostedzone="$(echo "$response" | tr -d '\n' | sed 's//#&/g' | tr '#' '\n' | _egrep_o "[^<]*<.Id>$h.<.Name>.*false<.PrivateZone>.*<.HostedZone>")" + _debug hostedzone "$hostedzone" + if [ "$hostedzone" ]; then + _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o ".*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + _err "Can't find domain with id: $h" + return 1 + fi + fi + if _contains "$response" "true" && _contains "$response" ""; then + _debug "IsTruncated" + _nextMarker="$(echo "$response" | _egrep_o ".*" | cut -d '>' -f 2 | cut -d '<' -f 1)" + _debug "NextMarker" "$_nextMarker" + else + break + fi + _debug "Checking domain: $h - Next Page " + aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker" + done + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_use_container_role() { + # automatically set if running inside ECS + if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then + _debug "No ECS environment variable detected" + return 1 + fi + _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" +} + +_use_instance_role() { + _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" + _debug "_url" "$_url" + if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then + _debug "Unable to fetch IAM role from instance metadata" + return 1 + fi + _aws_role=$(_get "$_url" "" 1) + _debug "_aws_role" "$_aws_role" + _use_metadata "$_url$_aws_role" +} + +_use_metadata() { + _aws_creds="$( + _get "$1" "" 1 | + _normalizeJson | + tr '{,}' '\n' | + while read -r _line; do + _key="$(echo "${_line%%:*}" | tr -d '"')" + _value="${_line#*:}" + _debug3 "_key" "$_key" + _secure_debug3 "_value" "$_value" + case "$_key" in + AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;; + SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;; + Token) echo "AWS_SESSION_TOKEN=$_value" ;; + esac + done | + paste -sd' ' - + )" + _secure_debug "_aws_creds" "$_aws_creds" + + if [ -z "$_aws_creds" ]; then + return 1 + fi + + eval "$_aws_creds" + _using_role=true +} + +#method uri qstr data +aws_rest() { + mtd="$1" + ep="$2" + qsr="$3" + data="$4" + + _debug mtd "$mtd" + _debug ep "$ep" + _debug qsr "$qsr" + _debug data "$data" + + CanonicalURI="/$ep" + _debug2 CanonicalURI "$CanonicalURI" + + CanonicalQueryString="$qsr" + _debug2 CanonicalQueryString "$CanonicalQueryString" + + RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")" + _debug2 RequestDate "$RequestDate" + + #RequestDate="20161120T141056Z" ############## + + export _H1="x-amz-date: $RequestDate" + + aws_host="$AWS_HOST" + CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n" + SignedHeaders="host;x-amz-date" + if [ -n "$AWS_SESSION_TOKEN" ]; then + export _H3="x-amz-security-token: $AWS_SESSION_TOKEN" + CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n" + SignedHeaders="${SignedHeaders};x-amz-security-token" + fi + _debug2 CanonicalHeaders "$CanonicalHeaders" + _debug2 SignedHeaders "$SignedHeaders" + + RequestPayload="$data" + _debug2 RequestPayload "$RequestPayload" + + Hash="sha256" + + CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)" + _debug2 CanonicalRequest "$CanonicalRequest" + + HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)" + _debug2 HashedCanonicalRequest "$HashedCanonicalRequest" + + Algorithm="AWS4-HMAC-SHA256" + _debug2 Algorithm "$Algorithm" + + RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)" + _debug2 RequestDateOnly "$RequestDateOnly" + + Region="us-east-1" + Service="route53" + + CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request" + _debug2 CredentialScope "$CredentialScope" + + StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest" + + _debug2 StringToSign "$StringToSign" + + kSecret="AWS4$AWS_SECRET_ACCESS_KEY" + + #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################ + + _secure_debug2 kSecret "$kSecret" + + kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")" + _secure_debug2 kSecretH "$kSecretH" + + kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)" + _debug2 kDateH "$kDateH" + + kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)" + _debug2 kRegionH "$kRegionH" + + kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)" + _debug2 kServiceH "$kServiceH" + + kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)" + _debug2 kSigningH "$kSigningH" + + signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)" + _debug2 signature "$signature" + + Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" + _debug2 Authorization "$Authorization" + + _H2="Authorization: $Authorization" + _debug _H2 "$_H2" + + url="$AWS_URL/$ep" + if [ "$qsr" ]; then + url="$AWS_URL/$ep?$qsr" + fi + + if [ "$mtd" = "GET" ]; then + response="$(_get "$url")" + else + response="$(_post "$data" "$url")" + fi + + _ret="$?" + _debug2 response "$response" + if [ "$_ret" = "0" ]; then + if _contains "$response" "/dev/null; then + _azion_token=$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \") + export AZION_Token="$_azion_token" + else + _err "Failed to generate Azion token" + return 1 + fi +} + +_azion_rest() { + _method=$1 + _uri="$2" + _data="$3" + + if [ -z "$AZION_Token" ]; then + _get_token + fi + _debug2 token "$AZION_Token" + + export _H1="Accept: application/json; version=3" + export _H2="Content-Type: application/json" + export _H3="Authorization: token $AZION_Token" + + if [ "$_method" != "GET" ]; then + _debug _data "$_data" + response="$(_post "$_data" "$AZION_Api/$_uri" "" "$_method")" + else + response="$(_get "$AZION_Api/$_uri")" + fi + + _debug2 response "$response" + + if [ "$?" != "0" ]; then + _err "error $_method $_uri $_data" + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_azure.sh b/acme.sh-master/dnsapi/dns_azure.sh new file mode 100644 index 0000000..1c33c13 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_azure.sh @@ -0,0 +1,378 @@ +#!/usr/bin/env sh + +WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +# +# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/createorupdate +# + +dns_azure_add() { + fulldomain=$1 + txtvalue=$2 + + AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}" + if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure Subscription ID" + return 1 + fi + #save subscription id to account conf file. + _saveaccountconf_mutable AZUREDNS_SUBSCRIPTIONID "$AZUREDNS_SUBSCRIPTIONID" + + AZUREDNS_MANAGEDIDENTITY="${AZUREDNS_MANAGEDIDENTITY:-$(_readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY)}" + if [ "$AZUREDNS_MANAGEDIDENTITY" = true ]; then + _info "Using Azure managed identity" + #save managed identity as preferred authentication method, clear service principal credentials from conf file. + _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "$AZUREDNS_MANAGEDIDENTITY" + _saveaccountconf_mutable AZUREDNS_TENANTID "" + _saveaccountconf_mutable AZUREDNS_APPID "" + _saveaccountconf_mutable AZUREDNS_CLIENTSECRET "" + else + _info "You didn't ask to use Azure managed identity, checking service principal credentials" + AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}" + AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}" + AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}" + + if [ -z "$AZUREDNS_TENANTID" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure Tenant ID " + return 1 + fi + + if [ -z "$AZUREDNS_APPID" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure App ID" + return 1 + fi + + if [ -z "$AZUREDNS_CLIENTSECRET" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure Client Secret" + return 1 + fi + + #save account details to account conf file, don't opt in for azure manages identity check. + _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "false" + _saveaccountconf_mutable AZUREDNS_TENANTID "$AZUREDNS_TENANTID" + _saveaccountconf_mutable AZUREDNS_APPID "$AZUREDNS_APPID" + _saveaccountconf_mutable AZUREDNS_CLIENTSECRET "$AZUREDNS_CLIENTSECRET" + fi + + accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET") + + if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01" + _debug "$acmeRecordURI" + # Get existing TXT record + _azure_rest GET "$acmeRecordURI" "" "$accesstoken" + values="{\"value\":[\"$txtvalue\"]}" + timestamp="$(_time)" + if [ "$_code" = "200" ]; then + vlist="$(echo "$response" | _egrep_o "\"value\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"")" + _debug "existing TXT found" + _debug "$vlist" + existingts="$(echo "$response" | _egrep_o "\"acmetscheck\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")" + if [ -z "$existingts" ]; then + # the record was not created by acme.sh. Copy the exisiting entires + existingts=$timestamp + fi + _diff="$(_math "$timestamp - $existingts")" + _debug "existing txt age: $_diff" + # only use recently added records and discard if older than 2 hours because they are probably orphaned + if [ "$_diff" -lt 7200 ]; then + _debug "existing txt value: $vlist" + for v in $vlist; do + values="$values ,{\"value\":[\"$v\"]}" + done + fi + fi + # Add the txtvalue TXT Record + body="{\"properties\":{\"metadata\":{\"acmetscheck\":\"$timestamp\"},\"TTL\":10, \"TXTRecords\":[$values]}}" + _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken" + if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then + _info "validation value added" + return 0 + else + _err "error adding validation value ($_code)" + return 1 + fi +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +# +# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/delete +# +dns_azure_rm() { + fulldomain=$1 + txtvalue=$2 + + AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}" + if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure Subscription ID " + return 1 + fi + + AZUREDNS_MANAGEDIDENTITY="${AZUREDNS_MANAGEDIDENTITY:-$(_readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY)}" + if [ "$AZUREDNS_MANAGEDIDENTITY" = true ]; then + _info "Using Azure managed identity" + else + _info "You didn't ask to use Azure managed identity, checking service principal credentials" + AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}" + AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}" + AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}" + + if [ -z "$AZUREDNS_TENANTID" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure Tenant ID " + return 1 + fi + + if [ -z "$AZUREDNS_APPID" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure App ID" + return 1 + fi + + if [ -z "$AZUREDNS_CLIENTSECRET" ]; then + AZUREDNS_SUBSCRIPTIONID="" + AZUREDNS_TENANTID="" + AZUREDNS_APPID="" + AZUREDNS_CLIENTSECRET="" + _err "You didn't specify the Azure Client Secret" + return 1 + fi + fi + + accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET") + + if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01" + _debug "$acmeRecordURI" + # Get existing TXT record + _azure_rest GET "$acmeRecordURI" "" "$accesstoken" + timestamp="$(_time)" + if [ "$_code" = "200" ]; then + vlist="$(echo "$response" | _egrep_o "\"value\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"" | grep -v -- "$txtvalue")" + values="" + comma="" + for v in $vlist; do + values="$values$comma{\"value\":[\"$v\"]}" + comma="," + done + if [ -z "$values" ]; then + # No values left remove record + _debug "removing validation record completely $acmeRecordURI" + _azure_rest DELETE "$acmeRecordURI" "" "$accesstoken" + if [ "$_code" = "200" ] || [ "$_code" = '204' ]; then + _info "validation record removed" + else + _err "error removing validation record ($_code)" + return 1 + fi + else + # Remove only txtvalue from the TXT Record + body="{\"properties\":{\"metadata\":{\"acmetscheck\":\"$timestamp\"},\"TTL\":10, \"TXTRecords\":[$values]}}" + _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken" + if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then + _info "validation value removed" + return 0 + else + _err "error removing validation value ($_code)" + return 1 + fi + fi + fi +} + +################### Private functions below ################################## + +_azure_rest() { + m=$1 + ep="$2" + data="$3" + accesstoken="$4" + + MAX_REQUEST_RETRY_TIMES=5 + _request_retry_times=0 + while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do + _debug3 _request_retry_times "$_request_retry_times" + export _H1="authorization: Bearer $accesstoken" + export _H2="accept: application/json" + export _H3="Content-Type: application/json" + # clear headers from previous request to avoid getting wrong http code on timeouts + : >"$HTTP_HEADER" + _debug "$ep" + if [ "$m" != "GET" ]; then + _secure_debug2 "data $data" + response="$(_post "$data" "$ep" "" "$m")" + else + response="$(_get "$ep")" + fi + _ret="$?" + _secure_debug2 "response $response" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + if [ "$_code" = "401" ]; then + # we have an invalid access token set to expired + _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "0" + _err "access denied make sure your Azure settings are correct. See $WIKI" + return 1 + fi + # See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes + if [ "$_ret" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then + _request_retry_times="$(_math "$_request_retry_times" + 1)" + _info "REST call error $_code retrying $ep in $_request_retry_times s" + _sleep "$_request_retry_times" + continue + fi + break + done + if [ "$_request_retry_times" = "$MAX_REQUEST_RETRY_TIMES" ]; then + _err "Error Azure REST called was retried $MAX_REQUEST_RETRY_TIMES times." + _err "Calling $ep failed." + return 1 + fi + response="$(echo "$response" | _normalizeJson)" + return 0 +} + +## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token +_azure_getaccess_token() { + managedIdentity=$1 + tenantID=$2 + clientID=$3 + clientSecret=$4 + + accesstoken="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}" + expires_on="${AZUREDNS_TOKENVALIDTO:-$(_readaccountconf_mutable AZUREDNS_TOKENVALIDTO)}" + + # can we reuse the bearer token? + if [ -n "$accesstoken" ] && [ -n "$expires_on" ]; then + if [ "$(_time)" -lt "$expires_on" ]; then + # brearer token is still valid - reuse it + _debug "reusing bearer token" + printf "%s" "$accesstoken" + return 0 + else + _debug "bearer token expired" + fi + fi + _debug "getting new bearer token" + + if [ "$managedIdentity" = true ]; then + # https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http + export _H1="Metadata: true" + response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)" + response="$(echo "$response" | _normalizeJson)" + accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") + expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") + else + export _H1="accept: application/json" + export _H2="Content-Type: application/x-www-form-urlencoded" + body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials" + _secure_debug2 "data $body" + response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")" + _ret="$?" + _secure_debug2 "response $response" + response="$(echo "$response" | _normalizeJson)" + accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") + expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") + fi + + if [ -z "$accesstoken" ]; then + _err "no acccess token received. Check your Azure settings see $WIKI" + return 1 + fi + if [ "$_ret" != "0" ]; then + _err "error $response" + return 1 + fi + _saveaccountconf_mutable AZUREDNS_BEARERTOKEN "$accesstoken" + _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "$expires_on" + printf "%s" "$accesstoken" + return 0 +} + +_get_root() { + domain=$1 + subscriptionId=$2 + accesstoken=$3 + i=1 + p=1 + + ## Ref: https://docs.microsoft.com/en-us/rest/api/dns/zones/list + ## returns up to 100 zones in one response therefore handling more results is not not implemented + ## (ZoneListResult with continuation token for the next page of results) + ## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways + ## + _azure_rest GET "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Network/dnszones?\$top=500&api-version=2017-09-01" "" "$accesstoken" + # Find matching domain name in Json response + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug2 "Checking domain: $h" + if [ -z "$h" ]; then + #not valid + _err "Invalid domain" + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _domain_id=$(echo "$response" | _egrep_o "\\{\"id\":\"[^\"]*\\/$h\"" | head -n 1 | cut -d : -f 2 | tr -d \") + if [ "$_domain_id" ]; then + if [ "$i" = 1 ]; then + #create the record at the domain apex (@) if only the domain name was provided as --domain-alias + _sub_domain="@" + else + _sub_domain=$(echo "$domain" | cut -d . -f 1-$p) + fi + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_bunny.sh b/acme.sh-master/dnsapi/dns_bunny.sh new file mode 100644 index 0000000..a9b1ea5 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_bunny.sh @@ -0,0 +1,248 @@ +#!/usr/bin/env sh + +## Will be called by acme.sh to add the TXT record via the Bunny DNS API. +## returns 0 means success, otherwise error. + +## Author: nosilver4u +## GitHub: https://github.com/nosilver4u/acme.sh + +## +## Environment Variables Required: +## +## BUNNY_API_KEY="75310dc4-ca77-9ac3-9a19-f6355db573b49ce92ae1-2655-3ebd-61ac-3a3ae34834cc" +## + +##################### Public functions ##################### + +## Create the text record for validation. +## Usage: fulldomain txtvalue +## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" +dns_bunny_add() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + BUNNY_API_KEY="${BUNNY_API_KEY:-$(_readaccountconf_mutable BUNNY_API_KEY)}" + # Check if API Key is set + if [ -z "$BUNNY_API_KEY" ]; then + BUNNY_API_KEY="" + _err "You did not specify Bunny.net API key." + _err "Please export BUNNY_API_KEY and try again." + return 1 + fi + + _info "Using Bunny.net dns validation - add record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## save the env vars (key and domain split location) for later automated use + _saveaccountconf_mutable BUNNY_API_KEY "$BUNNY_API_KEY" + + ## split the domain for Bunny API + if ! _get_base_domain "$fulldomain"; then + _err "domain not found in your account for addition" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _domain_id "$_domain_id" + + ## Set the header with our post type and auth key + export _H1="Accept: application/json" + export _H2="AccessKey: $BUNNY_API_KEY" + export _H3="Content-Type: application/json" + PURL="https://api.bunny.net/dnszone/$_domain_id/records" + PBODY='{"Id":'$_domain_id',"Type":3,"Name":"'$_sub_domain'","Value":"'$txtvalue'","ttl":120}' + + _debug PURL "$PURL" + _debug PBODY "$PBODY" + + ## the create request - POST + ## args: BODY, URL, [need64, httpmethod] + response="$(_post "$PBODY" "$PURL" "" "PUT")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in response: $response" + return 1 + fi + _debug2 response "$response" + + ## finished correctly + return 0 +} + +## Remove the txt record after validation. +## Usage: fulldomain txtvalue +## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" +dns_bunny_rm() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + BUNNY_API_KEY="${BUNNY_API_KEY:-$(_readaccountconf_mutable BUNNY_API_KEY)}" + # Check if API Key Exists + if [ -z "$BUNNY_API_KEY" ]; then + BUNNY_API_KEY="" + _err "You did not specify Bunny.net API key." + _err "Please export BUNNY_API_KEY and try again." + return 1 + fi + + _info "Using Bunny.net dns validation - remove record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## split the domain for Bunny API + if ! _get_base_domain "$fulldomain"; then + _err "Domain not found in your account for TXT record removal" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _domain_id "$_domain_id" + + ## Set the header with our post type and key auth key + export _H1="Accept: application/json" + export _H2="AccessKey: $BUNNY_API_KEY" + ## get URL for the list of DNS records + GURL="https://api.bunny.net/dnszone/$_domain_id" + + ## 1) Get the domain/zone records + ## the fetch request - GET + ## args: URL, [onlyheader, timeout] + domain_list="$(_get "$GURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in domain_list response: $domain_list" + return 1 + fi + _debug2 domain_list "$domain_list" + + ## 2) search through records + ## check for what we are looking for: "Type":3,"Value":"$txtvalue","Name":"$_sub_domain" + record="$(echo "$domain_list" | _egrep_o "\"Id\"\s*\:\s*\"*[0-9]+\"*,\s*\"Type\"[^}]*\"Value\"\s*\:\s*\"$txtvalue\"[^}]*\"Name\"\s*\:\s*\"$_sub_domain\"")" + + if [ -n "$record" ]; then + + ## We found records + rec_ids="$(echo "$record" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")" + _debug rec_ids "$rec_ids" + if [ -n "$rec_ids" ]; then + echo "$rec_ids" | while IFS= read -r rec_id; do + ## delete the record + ## delete URL for removing the one we dont want + DURL="https://api.bunny.net/dnszone/$_domain_id/records/$rec_id" + + ## the removal request - DELETE + ## args: BODY, URL, [need64, httpmethod] + response="$(_post "" "$DURL" "" "DELETE")" + + ## check response (sort of) + if [ "$?" != "0" ]; then + _err "error in remove response: $response" + return 1 + fi + _debug2 response "$response" + + done + fi + fi + + ## finished correctly + return 0 +} + +##################### Private functions below ##################### + +## Split the domain provided into the "base domain" and the "start prefix". +## This function searches for the longest subdomain in your account +## for the full domain given and splits it into the base domain (zone) +## and the prefix/record to be added/removed +## USAGE: fulldomain +## EG: "_acme-challenge.two.three.four.domain.com" +## returns +## _sub_domain="_acme-challenge.two" +## _domain="three.four.domain.com" *IF* zone "three.four.domain.com" exists +## _domain_id=234 +## if only "domain.com" exists it will return +## _sub_domain="_acme-challenge.two.three.four" +## _domain="domain.com" +## _domain_id=234 +_get_base_domain() { + # args + fulldomain="$(echo "$1" | _lower_case)" + _debug fulldomain "$fulldomain" + + # domain max legal length = 253 + MAX_DOM=255 + page=1 + + ## get a list of domains for the account to check thru + ## Set the headers + export _H1="Accept: application/json" + export _H2="AccessKey: $BUNNY_API_KEY" + _debug BUNNY_API_KEY "$BUNNY_API_KEY" + ## get URL for the list of domains + ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}} + DOMURL="https://api.bunny.net/dnszone" + + ## while we dont have a matching domain we keep going + while [ -z "$found" ]; do + ## get the domain list (current page) + domain_list="$(_get "$DOMURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in domain_list response: $domain_list" + return 1 + fi + _debug2 domain_list "$domain_list" + + i=1 + while [ $i -gt 0 ]; do + ## get next longest domain + _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM") + ## check we got something back from our cut (or are we at the end) + if [ -z "$_domain" ]; then + break + fi + ## we got part of a domain back - grep it out + found="$(echo "$domain_list" | _egrep_o "\"Id\"\s*:\s*\"*[0-9]+\"*,\s*\"Domain\"\s*\:\s*\"$_domain\"")" + ## check if it exists + if [ -n "$found" ]; then + ## exists - exit loop returning the parts + sub_point=$(_math $i - 1) + _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point") + _domain_id="$(echo "$found" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")" + _debug _domain_id "$_domain_id" + _debug _domain "$_domain" + _debug _sub_domain "$_sub_domain" + found="" + return 0 + fi + ## increment cut point $i + i=$(_math $i + 1) + done + + if [ -z "$found" ]; then + page=$(_math $page + 1) + nextpage="https://api.bunny.net/dnszone?page=$page" + ## Find the next page if we don't have a match. + hasnextpage="$(echo "$domain_list" | _egrep_o "\"HasMoreItems\"\s*:\s*true")" + if [ -z "$hasnextpage" ]; then + _err "No record and no nextpage in Bunny.net domain search." + found="" + return 1 + fi + _debug2 nextpage "$nextpage" + DOMURL="$nextpage" + fi + + done + + ## We went through the entire domain zone list and didn't find one that matched. + ## If we ever get here, something is broken in the code... + _err "Domain not found in Bunny.net account, but we should never get here!" + found="" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_cf.sh b/acme.sh-master/dnsapi/dns_cf.sh new file mode 100644 index 0000000..cd8d9a8 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_cf.sh @@ -0,0 +1,249 @@ +#!/usr/bin/env sh + +# +#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#CF_Email="xxxx@sss.com" + +#CF_Token="xxxx" +#CF_Account_ID="xxxx" +#CF_Zone_ID="xxxx" + +CF_Api="https://api.cloudflare.com/client/v4" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_cf_add() { + fulldomain=$1 + txtvalue=$2 + + CF_Token="${CF_Token:-$(_readaccountconf_mutable CF_Token)}" + CF_Account_ID="${CF_Account_ID:-$(_readaccountconf_mutable CF_Account_ID)}" + CF_Zone_ID="${CF_Zone_ID:-$(_readaccountconf_mutable CF_Zone_ID)}" + CF_Key="${CF_Key:-$(_readaccountconf_mutable CF_Key)}" + CF_Email="${CF_Email:-$(_readaccountconf_mutable CF_Email)}" + + if [ "$CF_Token" ]; then + if [ "$CF_Zone_ID" ]; then + _savedomainconf CF_Token "$CF_Token" + _savedomainconf CF_Account_ID "$CF_Account_ID" + _savedomainconf CF_Zone_ID "$CF_Zone_ID" + else + _saveaccountconf_mutable CF_Token "$CF_Token" + _saveaccountconf_mutable CF_Account_ID "$CF_Account_ID" + _clearaccountconf_mutable CF_Zone_ID + _clearaccountconf CF_Zone_ID + fi + else + if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then + CF_Key="" + CF_Email="" + _err "You didn't specify a Cloudflare api key and email yet." + _err "You can get yours from here https://dash.cloudflare.com/profile." + return 1 + fi + + if ! _contains "$CF_Email" "@"; then + _err "It seems that the CF_Email=$CF_Email is not a valid email address." + _err "Please check and retry." + return 1 + fi + #save the api key and email to the account conf file. + _saveaccountconf_mutable CF_Key "$CF_Key" + _saveaccountconf_mutable CF_Email "$CF_Email" + + _clearaccountconf_mutable CF_Token + _clearaccountconf_mutable CF_Account_ID + _clearaccountconf_mutable CF_Zone_ID + _clearaccountconf CF_Token + _clearaccountconf CF_Account_ID + _clearaccountconf CF_Zone_ID + + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _cf_rest GET "zones/${_domain_id}/dns_records?type=TXT&name=$fulldomain" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error" + return 1 + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _cf_rest POST "zones/$_domain_id/dns_records" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "The record already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_cf_rm() { + fulldomain=$1 + txtvalue=$2 + + CF_Token="${CF_Token:-$(_readaccountconf_mutable CF_Token)}" + CF_Account_ID="${CF_Account_ID:-$(_readaccountconf_mutable CF_Account_ID)}" + CF_Zone_ID="${CF_Zone_ID:-$(_readaccountconf_mutable CF_Zone_ID)}" + CF_Key="${CF_Key:-$(_readaccountconf_mutable CF_Key)}" + CF_Email="${CF_Email:-$(_readaccountconf_mutable CF_Email)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _cf_rest GET "zones/${_domain_id}/dns_records?type=TXT&name=$fulldomain&content=$txtvalue" + + if ! echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _err "Error: $response" + return 1 + fi + + count=$(echo "$response" | _egrep_o "\"count\": *[^,]*" | cut -d : -f 2 | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + record_id=$(echo "$response" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _cf_rest DELETE "zones/$_domain_id/dns_records/$record_id"; then + _err "Delete record error." + return 1 + fi + echo "$response" | tr -d " " | grep \"success\":true >/dev/null + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + # Use Zone ID directly if provided + if [ "$CF_Zone_ID" ]; then + if ! _cf_rest GET "zones/$CF_Zone_ID"; then + return 1 + else + if echo "$response" | tr -d " " | grep \"success\":true >/dev/null; then + _domain=$(echo "$response" | _egrep_o "\"name\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") + if [ "$_domain" ]; then + _cutlength=$((${#domain} - ${#_domain} - 1)) + _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength") + _domain_id=$CF_Zone_ID + return 0 + else + return 1 + fi + else + return 1 + fi + fi + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if [ "$CF_Account_ID" ]; then + if ! _cf_rest GET "zones?name=$h&account.id=$CF_Account_ID"; then + return 1 + fi + else + if ! _cf_rest GET "zones?name=$h"; then + return 1 + fi + fi + + if _contains "$response" "\"name\":\"$h\"" || _contains "$response" '"total_count":1'; then + _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_cf_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + email_trimmed=$(echo "$CF_Email" | tr -d '"') + key_trimmed=$(echo "$CF_Key" | tr -d '"') + token_trimmed=$(echo "$CF_Token" | tr -d '"') + + export _H1="Content-Type: application/json" + if [ "$token_trimmed" ]; then + export _H2="Authorization: Bearer $token_trimmed" + else + export _H2="X-Auth-Email: $email_trimmed" + export _H3="X-Auth-Key: $key_trimmed" + fi + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$CF_Api/$ep" "" "$m")" + else + response="$(_get "$CF_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_clouddns.sh b/acme.sh-master/dnsapi/dns_clouddns.sh new file mode 100644 index 0000000..31ae4ee --- /dev/null +++ b/acme.sh-master/dnsapi/dns_clouddns.sh @@ -0,0 +1,197 @@ +#!/usr/bin/env sh + +# Author: Radek Sprta + +#CLOUDDNS_EMAIL=XXXXX +#CLOUDDNS_PASSWORD="YYYYYYYYY" +#CLOUDDNS_CLIENT_ID=XXXXX + +CLOUDDNS_API='https://admin.vshosting.cloud/clouddns' +CLOUDDNS_LOGIN_API='https://admin.vshosting.cloud/api/public/auth/login' + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_clouddns_add() { + fulldomain=$1 + txtvalue=$2 + _debug "fulldomain" "$fulldomain" + + CLOUDDNS_CLIENT_ID="${CLOUDDNS_CLIENT_ID:-$(_readaccountconf_mutable CLOUDDNS_CLIENT_ID)}" + CLOUDDNS_EMAIL="${CLOUDDNS_EMAIL:-$(_readaccountconf_mutable CLOUDDNS_EMAIL)}" + CLOUDDNS_PASSWORD="${CLOUDDNS_PASSWORD:-$(_readaccountconf_mutable CLOUDDNS_PASSWORD)}" + + if [ -z "$CLOUDDNS_PASSWORD" ] || [ -z "$CLOUDDNS_EMAIL" ] || [ -z "$CLOUDDNS_CLIENT_ID" ]; then + CLOUDDNS_CLIENT_ID="" + CLOUDDNS_EMAIL="" + CLOUDDNS_PASSWORD="" + _err "You didn't specify a CloudDNS password, email and client ID yet." + return 1 + fi + if ! _contains "$CLOUDDNS_EMAIL" "@"; then + _err "It seems that the CLOUDDNS_EMAIL=$CLOUDDNS_EMAIL is not a valid email address." + _err "Please check and retry." + return 1 + fi + # Save CloudDNS client id, email and password to config file + _saveaccountconf_mutable CLOUDDNS_CLIENT_ID "$CLOUDDNS_CLIENT_ID" + _saveaccountconf_mutable CLOUDDNS_EMAIL "$CLOUDDNS_EMAIL" + _saveaccountconf_mutable CLOUDDNS_PASSWORD "$CLOUDDNS_PASSWORD" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Add TXT record + data="{\"type\":\"TXT\",\"name\":\"$fulldomain.\",\"value\":\"$txtvalue\",\"domainId\":\"$_domain_id\"}" + if _clouddns_api POST "record-txt" "$data"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + elif _contains "$response" '"code":4136'; then + _info "Already exists, OK" + else + _err "Add TXT record error." + return 1 + fi + fi + + _debug "Publishing record changes" + _clouddns_api PUT "domain/$_domain_id/publish" "{\"soaTtl\":300}" +} + +# Usage: rm _acme-challenge.www.domain.com +dns_clouddns_rm() { + fulldomain=$1 + _debug "fulldomain" "$fulldomain" + + CLOUDDNS_CLIENT_ID="${CLOUDDNS_CLIENT_ID:-$(_readaccountconf_mutable CLOUDDNS_CLIENT_ID)}" + CLOUDDNS_EMAIL="${CLOUDDNS_EMAIL:-$(_readaccountconf_mutable CLOUDDNS_EMAIL)}" + CLOUDDNS_PASSWORD="${CLOUDDNS_PASSWORD:-$(_readaccountconf_mutable CLOUDDNS_PASSWORD)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Get record ID + _clouddns_api GET "domain/$_domain_id" + if _contains "$response" "lastDomainRecordList"; then + re="\"lastDomainRecordList\".*\"id\":\"([^\"}]*)\"[^}]*\"name\":\"$fulldomain.\"," + _last_domains=$(echo "$response" | _egrep_o "$re") + re2="\"id\":\"([^\"}]*)\"[^}]*\"name\":\"$fulldomain.\"," + _record_id=$(echo "$_last_domains" | _egrep_o "$re2" | _head_n 1 | cut -d : -f 2 | cut -d , -f 1 | tr -d "\"") + _debug _record_id "$_record_id" + else + _err "Could not retrieve record ID" + return 1 + fi + + _info "Removing record" + if _clouddns_api DELETE "record/$_record_id"; then + if _contains "$response" "\"error\":"; then + _err "Could not remove record" + return 1 + fi + fi + + _debug "Publishing record changes" + _clouddns_api PUT "domain/$_domain_id/publish" "{\"soaTtl\":300}" +} + +#################### Private functions below ################################## + +# Usage: _get_root _acme-challenge.www.domain.com +# Returns: +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + + # Get domain root + data="{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$CLOUDDNS_CLIENT_ID\"}]}" + _clouddns_api "POST" "domain/search" "$data" + domain_slice="$domain" + while [ -z "$domain_root" ]; do + if _contains "$response" "\"domainName\":\"$domain_slice\.\""; then + domain_root="$domain_slice" + _debug domain_root "$domain_root" + fi + domain_slice="$(echo "$domain_slice" | cut -d . -f 2-)" + done + + # Get domain id + data="{\"search\": [{\"name\": \"clientId\", \"operator\": \"eq\", \"value\": \"$CLOUDDNS_CLIENT_ID\"}, \ + {\"name\": \"domainName\", \"operator\": \"eq\", \"value\": \"$domain_root.\"}]}" + _clouddns_api "POST" "domain/search" "$data" + if _contains "$response" "\"id\":\""; then + re='domainType\":\"[^\"]*\",\"id\":\"([^\"]*)\",' # Match domain id + _domain_id=$(echo "$response" | _egrep_o "$re" | _head_n 1 | cut -d : -f 3 | tr -d "\",") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | sed "s/.$domain_root//") + _domain="$domain_root" + return 0 + fi + _err 'Domain name not found on your CloudDNS account' + return 1 + fi + return 1 +} + +# Usage: _clouddns_api GET domain/search '{"data": "value"}' +# Returns: +# response='{"message": "api response"}' +_clouddns_api() { + method=$1 + endpoint="$2" + data="$3" + _debug endpoint "$endpoint" + + if [ -z "$CLOUDDNS_TOKEN" ]; then + _clouddns_login + fi + _debug CLOUDDNS_TOKEN "$CLOUDDNS_TOKEN" + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $CLOUDDNS_TOKEN" + + if [ "$method" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$CLOUDDNS_API/$endpoint" "" "$method" | tr -d '\t\r\n ')" + else + response="$(_get "$CLOUDDNS_API/$endpoint" | tr -d '\t\r\n ')" + fi + + # shellcheck disable=SC2181 + if [ "$?" != "0" ]; then + _err "Error $endpoint" + return 1 + fi + _debug2 response "$response" + return 0 +} + +# Returns: +# CLOUDDNS_TOKEN=dslfje2rj23l +_clouddns_login() { + login_data="{\"email\": \"$CLOUDDNS_EMAIL\", \"password\": \"$CLOUDDNS_PASSWORD\"}" + response="$(_post "$login_data" "$CLOUDDNS_LOGIN_API" "" "POST" "Content-Type: application/json")" + + if _contains "$response" "\"accessToken\":\""; then + CLOUDDNS_TOKEN=$(echo "$response" | _egrep_o "\"accessToken\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \") + export CLOUDDNS_TOKEN + else + echo 'Could not get CloudDNS access token; check your credentials' + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_cloudns.sh b/acme.sh-master/dnsapi/dns_cloudns.sh new file mode 100644 index 0000000..b03fd57 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_cloudns.sh @@ -0,0 +1,208 @@ +#!/usr/bin/env sh + +# Author: Boyan Peychev +# Repository: https://github.com/ClouDNS/acme.sh/ +# Editor: I Komang Suryadana + +#CLOUDNS_AUTH_ID=XXXXX +#CLOUDNS_SUB_AUTH_ID=XXXXX +#CLOUDNS_AUTH_PASSWORD="YYYYYYYYY" +CLOUDNS_API="https://api.cloudns.net" +DOMAIN_TYPE= +DOMAIN_MASTER= + +######## Public functions ##################### + +#Usage: dns_cloudns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_cloudns_add() { + _info "Using cloudns" + + if ! _dns_cloudns_init_check; then + return 1 + fi + + zone="$(_dns_cloudns_get_zone_name "$1")" + if [ -z "$zone" ]; then + _err "Missing DNS zone at ClouDNS. Please log into your control panel and create the required DNS zone for the initial setup." + return 1 + fi + + host="$(echo "$1" | sed "s/\.$zone\$//")" + record=$2 + + _debug zone "$zone" + _debug host "$host" + _debug record "$record" + + _info "Adding the TXT record for $1" + _dns_cloudns_http_api_call "dns/add-record.json" "domain-name=$zone&record-type=TXT&host=$host&record=$record&ttl=60" + if ! _contains "$response" "\"status\":\"Success\""; then + _err "Record cannot be added." + return 1 + fi + _info "Added." + + return 0 +} + +#Usage: dns_cloudns_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_cloudns_rm() { + _info "Using cloudns" + + if ! _dns_cloudns_init_check; then + return 1 + fi + + if [ -z "$zone" ]; then + zone="$(_dns_cloudns_get_zone_name "$1")" + if [ -z "$zone" ]; then + _err "Missing DNS zone at ClouDNS. Please log into your control panel and create the required DNS zone for the initial setup." + return 1 + fi + fi + + host="$(echo "$1" | sed "s/\.$zone\$//")" + record=$2 + + _dns_cloudns_get_zone_info "$zone" + + _debug "Type" "$DOMAIN_TYPE" + _debug "Cloud Master" "$DOMAIN_MASTER" + if _contains "$DOMAIN_TYPE" "cloud"; then + zone=$DOMAIN_MASTER + fi + _debug "ZONE" "$zone" + + _dns_cloudns_http_api_call "dns/records.json" "domain-name=$zone&host=$host&type=TXT" + if ! _contains "$response" "\"id\":"; then + return 1 + fi + + for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do + record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g') + + if [ -n "$record_id" ]; then + _debug zone "$zone" + _debug host "$host" + _debug record "$record" + _debug record_id "$record_id" + + _info "Deleting the TXT record for $1" + _dns_cloudns_http_api_call "dns/delete-record.json" "domain-name=$zone&record-id=$record_id" + + if ! _contains "$response" "\"status\":\"Success\""; then + _err "The TXT record for $1 cannot be deleted." + else + _info "Deleted." + fi + fi + done + + return 0 +} + +#################### Private functions below ################################## +_dns_cloudns_init_check() { + if [ -n "$CLOUDNS_INIT_CHECK_COMPLETED" ]; then + return 0 + fi + + CLOUDNS_AUTH_ID="${CLOUDNS_AUTH_ID:-$(_readaccountconf_mutable CLOUDNS_AUTH_ID)}" + CLOUDNS_SUB_AUTH_ID="${CLOUDNS_SUB_AUTH_ID:-$(_readaccountconf_mutable CLOUDNS_SUB_AUTH_ID)}" + CLOUDNS_AUTH_PASSWORD="${CLOUDNS_AUTH_PASSWORD:-$(_readaccountconf_mutable CLOUDNS_AUTH_PASSWORD)}" + if [ -z "$CLOUDNS_AUTH_ID$CLOUDNS_SUB_AUTH_ID" ] || [ -z "$CLOUDNS_AUTH_PASSWORD" ]; then + CLOUDNS_AUTH_ID="" + CLOUDNS_SUB_AUTH_ID="" + CLOUDNS_AUTH_PASSWORD="" + _err "You don't specify cloudns api id and password yet." + _err "Please create you id and password and try again." + return 1 + fi + + if [ -z "$CLOUDNS_AUTH_ID" ] && [ -z "$CLOUDNS_SUB_AUTH_ID" ]; then + _err "CLOUDNS_AUTH_ID or CLOUDNS_SUB_AUTH_ID is not configured" + return 1 + fi + + if [ -z "$CLOUDNS_AUTH_PASSWORD" ]; then + _err "CLOUDNS_AUTH_PASSWORD is not configured" + return 1 + fi + + _dns_cloudns_http_api_call "dns/login.json" "" + + if ! _contains "$response" "\"status\":\"Success\""; then + _err "Invalid CLOUDNS_AUTH_ID or CLOUDNS_AUTH_PASSWORD. Please check your login credentials." + return 1 + fi + + # save the api id and password to the account conf file. + _saveaccountconf_mutable CLOUDNS_AUTH_ID "$CLOUDNS_AUTH_ID" + _saveaccountconf_mutable CLOUDNS_SUB_AUTH_ID "$CLOUDNS_SUB_AUTH_ID" + _saveaccountconf_mutable CLOUDNS_AUTH_PASSWORD "$CLOUDNS_AUTH_PASSWORD" + + CLOUDNS_INIT_CHECK_COMPLETED=1 + + return 0 +} + +_dns_cloudns_get_zone_info() { + zone=$1 + _dns_cloudns_http_api_call "dns/get-zone-info.json" "domain-name=$zone" + if ! _contains "$response" "\"status\":\"Failed\""; then + DOMAIN_TYPE=$(echo "$response" | _egrep_o '"type":"[^"]*"' | cut -d : -f 2 | tr -d '"') + if _contains "$DOMAIN_TYPE" "cloud"; then + DOMAIN_MASTER=$(echo "$response" | _egrep_o '"cloud-master":"[^"]*"' | cut -d : -f 2 | tr -d '"') + fi + fi + return 0 +} + +_dns_cloudns_get_zone_name() { + i=2 + while true; do + zoneForCheck=$(printf "%s" "$1" | cut -d . -f $i-100) + + if [ -z "$zoneForCheck" ]; then + return 1 + fi + + _debug zoneForCheck "$zoneForCheck" + + _dns_cloudns_http_api_call "dns/get-zone-info.json" "domain-name=$zoneForCheck" + + if ! _contains "$response" "\"status\":\"Failed\""; then + echo "$zoneForCheck" + return 0 + fi + + i=$(_math "$i" + 1) + done + return 1 +} + +_dns_cloudns_http_api_call() { + method=$1 + + _debug CLOUDNS_AUTH_ID "$CLOUDNS_AUTH_ID" + _debug CLOUDNS_SUB_AUTH_ID "$CLOUDNS_SUB_AUTH_ID" + _debug CLOUDNS_AUTH_PASSWORD "$CLOUDNS_AUTH_PASSWORD" + + if [ -n "$CLOUDNS_SUB_AUTH_ID" ]; then + auth_user="sub-auth-id=$CLOUDNS_SUB_AUTH_ID" + else + auth_user="auth-id=$CLOUDNS_AUTH_ID" + fi + + if [ -z "$2" ]; then + data="$auth_user&auth-password=$CLOUDNS_AUTH_PASSWORD" + else + data="$auth_user&auth-password=$CLOUDNS_AUTH_PASSWORD&$2" + fi + + response="$(_get "$CLOUDNS_API/$method?$data")" + + _debug response "$response" + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_cn.sh b/acme.sh-master/dnsapi/dns_cn.sh new file mode 100644 index 0000000..38d1f4a --- /dev/null +++ b/acme.sh-master/dnsapi/dns_cn.sh @@ -0,0 +1,157 @@ +#!/usr/bin/env sh + +# DNS API for acme.sh for Core-Networks (https://beta.api.core-networks.de/doc/). +# created by 5ll and francis + +CN_API="https://beta.api.core-networks.de" + +######## Public functions ##################### + +dns_cn_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _cn_login; then + _err "login failed" + return 1 + fi + + _debug "First detect the root zone" + if ! _cn_get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug "_sub_domain $_sub_domain" + _debug "_domain $_domain" + + _info "Adding record" + curData="{\"name\":\"$_sub_domain\",\"ttl\":120,\"type\":\"TXT\",\"data\":\"$txtvalue\"}" + curResult="$(_post "${curData}" "${CN_API}/dnszones/${_domain}/records/")" + + _debug "curData $curData" + _debug "curResult $curResult" + + if _contains "$curResult" ""; then + _info "Added, OK" + + if ! _cn_commit; then + _err "commiting changes failed" + return 1 + fi + return 0 + + else + _err "Add txt record error." + _debug "curData is $curData" + _debug "curResult is $curResult" + _err "error adding text record, response was $curResult" + return 1 + fi +} + +dns_cn_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _cn_login; then + _err "login failed" + return 1 + fi + + _debug "First detect the root zone" + if ! _cn_get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _info "Deleting record" + curData="{\"name\":\"$_sub_domain\",\"data\":\"$txtvalue\"}" + curResult="$(_post "${curData}" "${CN_API}/dnszones/${_domain}/records/delete")" + _debug curData is "$curData" + + _info "commiting changes" + if ! _cn_commit; then + _err "commiting changes failed" + return 1 + fi + + _info "Deletet txt record" + return 0 +} + +################### Private functions below ################################## +_cn_login() { + CN_User="${CN_User:-$(_readaccountconf_mutable CN_User)}" + CN_Password="${CN_Password:-$(_readaccountconf_mutable CN_Password)}" + if [ -z "$CN_User" ] || [ -z "$CN_Password" ]; then + CN_User="" + CN_Password="" + _err "You must export variables: CN_User and CN_Password" + return 1 + fi + + #save the config variables to the account conf file. + _saveaccountconf_mutable CN_User "$CN_User" + _saveaccountconf_mutable CN_Password "$CN_Password" + + _info "Getting an AUTH-Token" + curData="{\"login\":\"${CN_User}\",\"password\":\"${CN_Password}\"}" + curResult="$(_post "${curData}" "${CN_API}/auth/token")" + _debug "Calling _CN_login: '${curData}' '${CN_API}/auth/token'" + + if _contains "${curResult}" '"token":"'; then + authToken=$(echo "${curResult}" | cut -d ":" -f2 | cut -d "," -f1 | sed 's/^.\(.*\).$/\1/') + export _H1="Authorization: Bearer $authToken" + _info "Successfully acquired AUTH-Token" + _debug "AUTH-Token: '${authToken}'" + _debug "_H1 '${_H1}'" + else + _err "Couldn't acquire an AUTH-Token" + return 1 + fi +} + +# Commit changes +_cn_commit() { + _info "Commiting changes" + _post "" "${CN_API}/dnszones/$h/records/commit" +} + +_cn_get_root() { + domain=$1 + i=2 + p=1 + while true; do + + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + _debug _H1 "${_H1}" + + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _cn_zonelist="$(_get ${CN_API}/dnszones/)" + _debug _cn_zonelist "${_cn_zonelist}" + + if [ "$?" != "0" ]; then + _err "something went wrong while getting the zone list" + return 1 + fi + + if _contains "$_cn_zonelist" "\"name\":\"$h\"" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + else + _debug "Zonelist does not contain domain - iterating " + fi + p=$i + i=$(_math "$i" + 1) + + done + _err "Zonelist does not contain domain - exiting" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_conoha.sh b/acme.sh-master/dnsapi/dns_conoha.sh new file mode 100644 index 0000000..ddc3207 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_conoha.sh @@ -0,0 +1,253 @@ +#!/usr/bin/env sh + +CONOHA_DNS_EP_PREFIX_REGEXP="https://dns-service\." + +######## Public functions ##################### + +#Usage: dns_conoha_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_conoha_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using conoha" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _debug "Check uesrname and password" + CONOHA_Username="${CONOHA_Username:-$(_readaccountconf_mutable CONOHA_Username)}" + CONOHA_Password="${CONOHA_Password:-$(_readaccountconf_mutable CONOHA_Password)}" + CONOHA_TenantId="${CONOHA_TenantId:-$(_readaccountconf_mutable CONOHA_TenantId)}" + CONOHA_IdentityServiceApi="${CONOHA_IdentityServiceApi:-$(_readaccountconf_mutable CONOHA_IdentityServiceApi)}" + if [ -z "$CONOHA_Username" ] || [ -z "$CONOHA_Password" ] || [ -z "$CONOHA_TenantId" ] || [ -z "$CONOHA_IdentityServiceApi" ]; then + CONOHA_Username="" + CONOHA_Password="" + CONOHA_TenantId="" + CONOHA_IdentityServiceApi="" + _err "You didn't specify a conoha api username and password yet." + _err "Please create the user and try again." + return 1 + fi + + _saveaccountconf_mutable CONOHA_Username "$CONOHA_Username" + _saveaccountconf_mutable CONOHA_Password "$CONOHA_Password" + _saveaccountconf_mutable CONOHA_TenantId "$CONOHA_TenantId" + _saveaccountconf_mutable CONOHA_IdentityServiceApi "$CONOHA_IdentityServiceApi" + + if token="$(_conoha_get_accesstoken "$CONOHA_IdentityServiceApi/tokens" "$CONOHA_Username" "$CONOHA_Password" "$CONOHA_TenantId")"; then + accesstoken="$(printf "%s" "$token" | sed -n 1p)" + CONOHA_Api="$(printf "%s" "$token" | sed -n 2p)" + else + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain" "$CONOHA_Api" "$accesstoken"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + body="{\"type\":\"TXT\",\"name\":\"$fulldomain.\",\"data\":\"$txtvalue\",\"ttl\":60}" + if _conoha_rest POST "$CONOHA_Api/v1/domains/$_domain_id/records" "$body" "$accesstoken"; then + if _contains "$response" '"data":"'"$txtvalue"'"'; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + + _err "Add txt record error." + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_conoha_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using conoha" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _debug "Check uesrname and password" + CONOHA_Username="${CONOHA_Username:-$(_readaccountconf_mutable CONOHA_Username)}" + CONOHA_Password="${CONOHA_Password:-$(_readaccountconf_mutable CONOHA_Password)}" + CONOHA_TenantId="${CONOHA_TenantId:-$(_readaccountconf_mutable CONOHA_TenantId)}" + CONOHA_IdentityServiceApi="${CONOHA_IdentityServiceApi:-$(_readaccountconf_mutable CONOHA_IdentityServiceApi)}" + if [ -z "$CONOHA_Username" ] || [ -z "$CONOHA_Password" ] || [ -z "$CONOHA_TenantId" ] || [ -z "$CONOHA_IdentityServiceApi" ]; then + CONOHA_Username="" + CONOHA_Password="" + CONOHA_TenantId="" + CONOHA_IdentityServiceApi="" + _err "You didn't specify a conoha api username and password yet." + _err "Please create the user and try again." + return 1 + fi + + _saveaccountconf_mutable CONOHA_Username "$CONOHA_Username" + _saveaccountconf_mutable CONOHA_Password "$CONOHA_Password" + _saveaccountconf_mutable CONOHA_TenantId "$CONOHA_TenantId" + _saveaccountconf_mutable CONOHA_IdentityServiceApi "$CONOHA_IdentityServiceApi" + + if token="$(_conoha_get_accesstoken "$CONOHA_IdentityServiceApi/tokens" "$CONOHA_Username" "$CONOHA_Password" "$CONOHA_TenantId")"; then + accesstoken="$(printf "%s" "$token" | sed -n 1p)" + CONOHA_Api="$(printf "%s" "$token" | sed -n 2p)" + else + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain" "$CONOHA_Api" "$accesstoken"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + if ! _conoha_rest GET "$CONOHA_Api/v1/domains/$_domain_id/records" "" "$accesstoken"; then + _err "Error" + return 1 + fi + + record_id=$(printf "%s" "$response" | _egrep_o '{[^}]*}' | + grep '"type":"TXT"' | grep "\"data\":\"$txtvalue\"" | _egrep_o "\"id\":\"[^\"]*\"" | + _head_n 1 | cut -d : -f 2 | tr -d \") + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + _debug record_id "$record_id" + + _info "Removing the txt record" + if ! _conoha_rest DELETE "$CONOHA_Api/v1/domains/$_domain_id/records/$record_id" "" "$accesstoken"; then + _err "Delete record error." + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## + +_conoha_rest() { + m="$1" + ep="$2" + data="$3" + accesstoken="$4" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + if [ -n "$accesstoken" ]; then + export _H3="X-Auth-Token: $accesstoken" + fi + + _debug "$ep" + if [ "$m" != "GET" ]; then + _secure_debug2 data "$data" + response="$(_post "$data" "$ep" "" "$m")" + else + response="$(_get "$ep")" + fi + _ret="$?" + _secure_debug2 response "$response" + if [ "$_ret" != "0" ]; then + _err "error $ep" + return 1 + fi + + response="$(printf "%s" "$response" | _normalizeJson)" + return 0 +} + +_conoha_get_accesstoken() { + ep="$1" + username="$2" + password="$3" + tenantId="$4" + + accesstoken="$(_readaccountconf_mutable conoha_accesstoken)" + expires="$(_readaccountconf_mutable conoha_tokenvalidto)" + CONOHA_Api="$(_readaccountconf_mutable conoha_dns_ep)" + + # can we reuse the access token? + if [ -n "$accesstoken" ] && [ -n "$expires" ] && [ -n "$CONOHA_Api" ]; then + utc_date="$(_utc_date | sed "s/ /T/")" + if expr "$utc_date" "<" "$expires" >/dev/null; then + # access token is still valid - reuse it + _debug "reusing access token" + printf "%s\n%s\n" "$accesstoken" "$CONOHA_Api" + return 0 + else + _debug "access token expired" + fi + fi + _debug "getting new access token" + + body="$(printf '{"auth":{"passwordCredentials":{"username":"%s","password":"%s"},"tenantId":"%s"}}' "$username" "$password" "$tenantId")" + if ! _conoha_rest POST "$ep" "$body" ""; then + _err error "$response" + return 1 + fi + accesstoken=$(printf "%s" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") + expires=$(printf "%s" "$response" | _egrep_o "\"expires\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2-4 | tr -d \" | tr -d Z) #expect UTC + if [ -z "$accesstoken" ] || [ -z "$expires" ]; then + _err "no acccess token received. Check your Conoha settings see $WIKI" + return 1 + fi + _saveaccountconf_mutable conoha_accesstoken "$accesstoken" + _saveaccountconf_mutable conoha_tokenvalidto "$expires" + + CONOHA_Api=$(printf "%s" "$response" | _egrep_o 'publicURL":"'"$CONOHA_DNS_EP_PREFIX_REGEXP"'[^"]*"' | _head_n 1 | cut -d : -f 2-3 | tr -d \") + if [ -z "$CONOHA_Api" ]; then + _err "failed to get conoha dns endpoint url" + return 1 + fi + _saveaccountconf_mutable conoha_dns_ep "$CONOHA_Api" + + printf "%s\n%s\n" "$accesstoken" "$CONOHA_Api" + return 0 +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain="$1" + ep="$2" + accesstoken="$3" + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100). + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _conoha_rest GET "$ep/v1/domains?name=$h" "" "$accesstoken"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | head -n 1 | cut -d : -f 2 | tr -d \") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_constellix.sh b/acme.sh-master/dnsapi/dns_constellix.sh new file mode 100644 index 0000000..69d216f --- /dev/null +++ b/acme.sh-master/dnsapi/dns_constellix.sh @@ -0,0 +1,176 @@ +#!/usr/bin/env sh + +# Author: Wout Decre + +CONSTELLIX_Api="https://api.dns.constellix.com/v1" +#CONSTELLIX_Key="XXX" +#CONSTELLIX_Secret="XXX" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_constellix_add() { + fulldomain=$1 + txtvalue=$2 + + CONSTELLIX_Key="${CONSTELLIX_Key:-$(_readaccountconf_mutable CONSTELLIX_Key)}" + CONSTELLIX_Secret="${CONSTELLIX_Secret:-$(_readaccountconf_mutable CONSTELLIX_Secret)}" + + if [ -z "$CONSTELLIX_Key" ] || [ -z "$CONSTELLIX_Secret" ]; then + _err "You did not specify the Contellix API key and secret yet." + return 1 + fi + + _saveaccountconf_mutable CONSTELLIX_Key "$CONSTELLIX_Key" + _saveaccountconf_mutable CONSTELLIX_Secret "$CONSTELLIX_Secret" + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + # The TXT record might already exist when working with wildcard certificates. In that case, update the record by adding the new value. + _debug "Search TXT record" + if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then + if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then + _info "Adding TXT record" + if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":60,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then + if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then + _info "Added" + return 0 + else + _err "Error adding TXT record" + fi + fi + else + _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2) + if _constellix_rest GET "domains/${_domain_id}/records/TXT/${_record_id}"; then + _new_rr_values=$(printf "%s\n" "$response" | _egrep_o '"roundRobin":\[[^]]*\]' | sed "s/\]$/,{\"value\":\"${txtvalue}\"}]/") + _debug _new_rr_values "$_new_rr_values" + _info "Updating TXT record" + if _constellix_rest PUT "domains/${_domain_id}/records/TXT/${_record_id}" "{\"name\":\"${_sub_domain}\",\"ttl\":60,${_new_rr_values}}"; then + if printf -- "%s" "$response" | grep "{\"success\":\"Record.*updated successfully\"}" >/dev/null; then + _info "Updated" + return 0 + elif printf -- "%s" "$response" | grep "{\"errors\":\[\"Contents are identical\"\]}" >/dev/null; then + _info "Already exists, no need to update" + return 0 + else + _err "Error updating TXT record" + fi + fi + fi + fi + fi + + return 1 +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +dns_constellix_rm() { + fulldomain=$1 + txtvalue=$2 + + CONSTELLIX_Key="${CONSTELLIX_Key:-$(_readaccountconf_mutable CONSTELLIX_Key)}" + CONSTELLIX_Secret="${CONSTELLIX_Secret:-$(_readaccountconf_mutable CONSTELLIX_Secret)}" + + if [ -z "$CONSTELLIX_Key" ] || [ -z "$CONSTELLIX_Secret" ]; then + _err "You did not specify the Contellix API key and secret yet." + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + # The TXT record might have been removed already when working with some wildcard certificates. + _debug "Search TXT record" + if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then + if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then + _info "Removed" + return 0 + else + _info "Removing TXT record" + if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then + if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then + _info "Removed" + return 0 + else + _err "Error removing TXT record" + fi + fi + fi + fi + + return 1 +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=2 + p=1 + _debug "Detecting root zone" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + return 1 + fi + + if ! _constellix_rest GET "domains/search?exact=$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p) + _domain="$h" + + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_constellix_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + rdate=$(date +"%s")"000" + hmac=$(printf "%s" "$rdate" | _hmac sha1 "$(printf "%s" "$CONSTELLIX_Secret" | _hex_dump | tr -d ' ')" | _base64) + + export _H1="x-cnsdns-apiKey: $CONSTELLIX_Key" + export _H2="x-cnsdns-requestDate: $rdate" + export _H3="x-cnsdns-hmac: $hmac" + export _H4="Accept: application/json" + export _H5="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$CONSTELLIX_Api/$ep" "" "$m")" + else + response="$(_get "$CONSTELLIX_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "Error $ep" + return 1 + fi + + _debug response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_cpanel.sh b/acme.sh-master/dnsapi/dns_cpanel.sh new file mode 100644 index 0000000..f6126bc --- /dev/null +++ b/acme.sh-master/dnsapi/dns_cpanel.sh @@ -0,0 +1,160 @@ +#!/usr/bin/env sh +# +#Author: Bjarne Saltbaek +#Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/3732 +# +# +######## Public functions ##################### +# +# Export CPANEL username,api token and hostname in the following variables +# +# cPanel_Username=username +# cPanel_Apitoken=apitoken +# cPanel_Hostname=hostname +# +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" + +# Used to add txt record +dns_cpanel_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Adding TXT record to cPanel based system" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _debug cPanel_Username "$cPanel_Username" + _debug cPanel_Apitoken "$cPanel_Apitoken" + _debug cPanel_Hostname "$cPanel_Hostname" + + if ! _cpanel_login; then + _err "cPanel Login failed for user $cPanel_Username. Check $HTTP_HEADER file" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "No matching root domain for $fulldomain found" + return 1 + fi + # adding entry + _info "Adding the entry" + stripped_fulldomain=$(echo "$fulldomain" | sed "s/.$_domain//") + _debug "Adding $stripped_fulldomain to $_domain zone" + _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=add_zone_record&domain=$_domain&name=$stripped_fulldomain&type=TXT&txtdata=$txtvalue&ttl=1" + if _successful_update; then return 0; fi + _err "Couldn't create entry!" + return 1 +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +dns_cpanel_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Using cPanel based system" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ! _cpanel_login; then + _err "cPanel Login failed for user $cPanel_Username. Check $HTTP_HEADER file" + return 1 + fi + + if ! _get_root; then + _err "No matching root domain for $fulldomain found" + return 1 + fi + + _findentry "$fulldomain" "$txtvalue" + if [ -z "$_id" ]; then + _info "Entry doesn't exist, nothing to delete" + return 0 + fi + _debug "Deleting record..." + _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=remove_zone_record&domain=$_domain&line=$_id" + # removing entry + _debug "_result is: $_result" + + if _successful_update; then return 0; fi + _err "Couldn't delete entry!" + return 1 +} + +#################### Private functions below ################################## + +_checkcredentials() { + cPanel_Username="${cPanel_Username:-$(_readaccountconf_mutable cPanel_Username)}" + cPanel_Apitoken="${cPanel_Apitoken:-$(_readaccountconf_mutable cPanel_Apitoken)}" + cPanel_Hostname="${cPanel_Hostname:-$(_readaccountconf_mutable cPanel_Hostname)}" + + if [ -z "$cPanel_Username" ] || [ -z "$cPanel_Apitoken" ] || [ -z "$cPanel_Hostname" ]; then + cPanel_Username="" + cPanel_Apitoken="" + cPanel_Hostname="" + _err "You haven't specified cPanel username, apitoken and hostname yet." + _err "Please add credentials and try again." + return 1 + fi + #save the credentials to the account conf file. + _saveaccountconf_mutable cPanel_Username "$cPanel_Username" + _saveaccountconf_mutable cPanel_Apitoken "$cPanel_Apitoken" + _saveaccountconf_mutable cPanel_Hostname "$cPanel_Hostname" + return 0 +} + +_cpanel_login() { + if ! _checkcredentials; then return 1; fi + + if ! _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=CustInfo&cpanel_jsonapi_func=displaycontactinfo"; then + _err "cPanel login failed for user $cPanel_Username." + return 1 + fi + return 0 +} + +_myget() { + #Adds auth header to request + export _H1="Authorization: cpanel $cPanel_Username:$cPanel_Apitoken" + _result=$(_get "$cPanel_Hostname/$1") +} + +_get_root() { + _myget 'json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzones' + _domains=$(echo "$_result" | _egrep_o '"[a-z0-9\.\-]*":\["; cPanel first' | cut -d':' -f1 | sed 's/"//g' | sed 's/{//g') + _debug "_result is: $_result" + _debug "_domains is: $_domains" + if [ -z "$_domains" ]; then + _err "Primary domain list not found!" + return 1 + fi + for _domain in $_domains; do + _debug "Checking if $fulldomain ends with $_domain" + if (_endswith "$fulldomain" "$_domain"); then + _debug "Root domain: $_domain" + return 0 + fi + done + return 1 +} + +_successful_update() { + if (echo "$_result" | _egrep_o 'data":\[[^]]*]' | grep -q '"newserial":null'); then return 1; fi + return 0 +} + +_findentry() { + _debug "In _findentry" + #returns id of dns entry, if it exists + _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$_domain" + _id=$(echo "$_result" | sed -e "s/},{/},\n{/g" | grep "$fulldomain" | grep "$txtvalue" | _egrep_o 'line":[0-9]+' | cut -d ':' -f 2) + _debug "_result is: $_result" + _debug "fulldomain. is $fulldomain." + _debug "txtvalue is $txtvalue" + _debug "_id is: $_id" + if [ -n "$_id" ]; then + _debug "Entry found with _id=$_id" + return 0 + fi + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_curanet.sh b/acme.sh-master/dnsapi/dns_curanet.sh new file mode 100644 index 0000000..4b39f36 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_curanet.sh @@ -0,0 +1,159 @@ +#!/usr/bin/env sh + +#Script to use with curanet.dk, scannet.dk, wannafind.dk, dandomain.dk DNS management. +#Requires api credentials with scope: dns +#Author: Peter L. Hansen +#Version 1.0 + +CURANET_REST_URL="https://api.curanet.dk/dns/v1/Domains" +CURANET_AUTH_URL="https://apiauth.dk.team.blue/auth/realms/Curanet/protocol/openid-connect/token" +CURANET_ACCESS_TOKEN="" + +######## Public functions ##################### + +#Usage: dns_curanet_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_curanet_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using curanet" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + CURANET_AUTHCLIENTID="${CURANET_AUTHCLIENTID:-$(_readaccountconf_mutable CURANET_AUTHCLIENTID)}" + CURANET_AUTHSECRET="${CURANET_AUTHSECRET:-$(_readaccountconf_mutable CURANET_AUTHSECRET)}" + if [ -z "$CURANET_AUTHCLIENTID" ] || [ -z "$CURANET_AUTHSECRET" ]; then + CURANET_AUTHCLIENTID="" + CURANET_AUTHSECRET="" + _err "You don't specify curanet api client and secret." + _err "Please create your auth info and try again." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable CURANET_AUTHCLIENTID "$CURANET_AUTHCLIENTID" + _saveaccountconf_mutable CURANET_AUTHSECRET "$CURANET_AUTHSECRET" + + if ! _get_token; then + _err "Unable to get token" + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + export _H1="Content-Type: application/json-patch+json" + export _H2="Accept: application/json" + export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN" + data="{\"name\": \"$fulldomain\",\"type\": \"TXT\",\"ttl\": 60,\"priority\": 0,\"data\": \"$txtvalue\"}" + response="$(_post "$data" "$CURANET_REST_URL/${_domain}/Records" "" "")" + + if _contains "$response" "$txtvalue"; then + _debug "TXT record added OK" + else + _err "Unable to add TXT record" + return 1 + fi + + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_curanet_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using curanet" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + CURANET_AUTHCLIENTID="${CURANET_AUTHCLIENTID:-$(_readaccountconf_mutable CURANET_AUTHCLIENTID)}" + CURANET_AUTHSECRET="${CURANET_AUTHSECRET:-$(_readaccountconf_mutable CURANET_AUTHSECRET)}" + + if ! _get_token; then + _err "Unable to get token" + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + _debug "Getting current record list to identify TXT to delete" + + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN" + + response="$(_get "$CURANET_REST_URL/${_domain}/Records" "" "")" + + if ! _contains "$response" "$txtvalue"; then + _err "Unable to delete record (does not contain $txtvalue )" + return 1 + fi + + recordid=$(echo "$response" | _egrep_o "{\"id\":[0-9]+,\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":60,\"priority\":0,\"data\":\"..$txtvalue" | _egrep_o "id\":[0-9]+" | cut -c 5-) + + if [ -z "$recordid" ]; then + _err "Unable to get recordid" + _debug "regex {\"id\":[0-9]+,\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":60,\"priority\":0,\"data\":\"..$txtvalue" + _debug "response $response" + return 1 + fi + + _debug "Deleting recordID $recordid" + response="$(_post "" "$CURANET_REST_URL/${_domain}/Records/$recordid" "" "DELETE")" + return 0 +} + +#################### Private functions below ################################## + +_get_token() { + response="$(_post "grant_type=client_credentials&client_id=$CURANET_AUTHCLIENTID&client_secret=$CURANET_AUTHSECRET&scope=dns" "$CURANET_AUTH_URL" "" "")" + if ! _contains "$response" "access_token"; then + _err "Unable get access token" + return 1 + fi + CURANET_ACCESS_TOKEN=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]+" | cut -c 17-) + + if [ -z "$CURANET_ACCESS_TOKEN" ]; then + _err "Unable to get token" + return 1 + fi + + return 0 + +} + +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN" + response="$(_get "$CURANET_REST_URL/$h/Records" "" "")" + + if [ ! "$(echo "$response" | _egrep_o "Entity not found")" ]; then + _domain=$h + return 0 + fi + + i=$(_math "$i" + 1) + done + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_cyon.sh b/acme.sh-master/dnsapi/dns_cyon.sh new file mode 100644 index 0000000..830e883 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_cyon.sh @@ -0,0 +1,328 @@ +#!/usr/bin/env sh + +######## +# Custom cyon.ch DNS API for use with [acme.sh](https://github.com/acmesh-official/acme.sh) +# +# Usage: acme.sh --issue --dns dns_cyon -d www.domain.com +# +# Dependencies: +# ------------- +# - oathtool (When using 2 Factor Authentication) +# +# Issues: +# ------- +# Any issues / questions / suggestions can be posted here: +# https://github.com/noplanman/cyon-api/issues +# +# Author: Armando Lüscher +######## + +dns_cyon_add() { + _cyon_load_credentials && + _cyon_load_parameters "$@" && + _cyon_print_header "add" && + _cyon_login && + _cyon_change_domain_env && + _cyon_add_txt && + _cyon_logout +} + +dns_cyon_rm() { + _cyon_load_credentials && + _cyon_load_parameters "$@" && + _cyon_print_header "delete" && + _cyon_login && + _cyon_change_domain_env && + _cyon_delete_txt && + _cyon_logout +} + +######################### +### PRIVATE FUNCTIONS ### +######################### + +_cyon_load_credentials() { + # Convert loaded password to/from base64 as needed. + if [ "${CY_Password_B64}" ]; then + CY_Password="$(printf "%s" "${CY_Password_B64}" | _dbase64)" + elif [ "${CY_Password}" ]; then + CY_Password_B64="$(printf "%s" "${CY_Password}" | _base64)" + fi + + if [ -z "${CY_Username}" ] || [ -z "${CY_Password}" ]; then + # Dummy entries to satisfy script checker. + CY_Username="" + CY_Password="" + CY_OTP_Secret="" + + _err "" + _err "You haven't set your cyon.ch login credentials yet." + _err "Please set the required cyon environment variables." + _err "" + return 1 + fi + + # Save the login credentials to the account.conf file. + _debug "Save credentials to account.conf" + _saveaccountconf CY_Username "${CY_Username}" + _saveaccountconf CY_Password_B64 "$CY_Password_B64" + if [ -n "${CY_OTP_Secret}" ]; then + _saveaccountconf CY_OTP_Secret "$CY_OTP_Secret" + else + _clearaccountconf CY_OTP_Secret + fi +} + +_cyon_is_idn() { + _idn_temp="$(printf "%s" "${1}" | tr -d "0-9a-zA-Z.,-_")" + _idn_temp2="$(printf "%s" "${1}" | grep -o "xn--")" + [ "$_idn_temp" ] || [ "$_idn_temp2" ] +} + +_cyon_load_parameters() { + # Read the required parameters to add the TXT entry. + # shellcheck disable=SC2018,SC2019 + fulldomain="$(printf "%s" "${1}" | tr "A-Z" "a-z")" + fulldomain_idn="${fulldomain}" + + # Special case for IDNs, as cyon needs a domain environment change, + # which uses the "pretty" instead of the punycode version. + if _cyon_is_idn "${fulldomain}"; then + if ! _exists idn; then + _err "Please install idn to process IDN names." + _err "" + return 1 + fi + + fulldomain="$(idn -u "${fulldomain}")" + fulldomain_idn="$(idn -a "${fulldomain}")" + fi + + _debug fulldomain "${fulldomain}" + _debug fulldomain_idn "${fulldomain_idn}" + + txtvalue="${2}" + _debug txtvalue "${txtvalue}" + + # This header is required for curl calls. + _H1="X-Requested-With: XMLHttpRequest" + export _H1 +} + +_cyon_print_header() { + if [ "${1}" = "add" ]; then + _info "" + _info "+---------------------------------------------+" + _info "| Adding DNS TXT entry to your cyon.ch domain |" + _info "+---------------------------------------------+" + _info "" + _info " * Full Domain: ${fulldomain}" + _info " * TXT Value: ${txtvalue}" + _info "" + elif [ "${1}" = "delete" ]; then + _info "" + _info "+-------------------------------------------------+" + _info "| Deleting DNS TXT entry from your cyon.ch domain |" + _info "+-------------------------------------------------+" + _info "" + _info " * Full Domain: ${fulldomain}" + _info "" + fi +} + +_cyon_get_cookie_header() { + printf "Cookie: %s" "$(grep "cyon=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'cyon=[^;]*;' | tr -d ';')" +} + +_cyon_login() { + _info " - Logging in..." + + username_encoded="$(printf "%s" "${CY_Username}" | _url_encode)" + password_encoded="$(printf "%s" "${CY_Password}" | _url_encode)" + + login_url="https://my.cyon.ch/auth/index/dologin-async" + login_data="$(printf "%s" "username=${username_encoded}&password=${password_encoded}&pathname=%2F")" + + login_response="$(_post "$login_data" "$login_url")" + _debug login_response "${login_response}" + + # Bail if login fails. + if [ "$(printf "%s" "${login_response}" | _cyon_get_response_success)" != "success" ]; then + _err " $(printf "%s" "${login_response}" | _cyon_get_response_message)" + _err "" + return 1 + fi + + _info " success" + + # NECESSARY!! Load the main page after login, to get the new cookie. + _H2="$(_cyon_get_cookie_header)" + export _H2 + + _get "https://my.cyon.ch/" >/dev/null + + # todo: instead of just checking if the env variable is defined, check if we actually need to do a 2FA auth request. + + # 2FA authentication with OTP? + if [ -n "${CY_OTP_Secret}" ]; then + _info " - Authorising with OTP code..." + + if ! _exists oathtool; then + _err "Please install oathtool to use 2 Factor Authentication." + _err "" + return 1 + fi + + # Get OTP code with the defined secret. + otp_code="$(oathtool --base32 --totp "${CY_OTP_Secret}" 2>/dev/null)" + + login_otp_url="https://my.cyon.ch/auth/multi-factor/domultifactorauth-async" + login_otp_data="totpcode=${otp_code}&pathname=%2F&rememberme=0" + + login_otp_response="$(_post "$login_otp_data" "$login_otp_url")" + _debug login_otp_response "${login_otp_response}" + + # Bail if OTP authentication fails. + if [ "$(printf "%s" "${login_otp_response}" | _cyon_get_response_success)" != "success" ]; then + _err " $(printf "%s" "${login_otp_response}" | _cyon_get_response_message)" + _err "" + return 1 + fi + + _info " success" + fi + + _info "" +} + +_cyon_logout() { + _info " - Logging out..." + + _get "https://my.cyon.ch/auth/index/dologout" >/dev/null + + _info " success" + _info "" +} + +_cyon_change_domain_env() { + _info " - Changing domain environment..." + + # Get the "example.com" part of the full domain name. + domain_env="$(printf "%s" "${fulldomain}" | sed -E -e 's/.*\.(.*\..*)$/\1/')" + _debug "Changing domain environment to ${domain_env}" + + gloo_item_key="$(_get "https://my.cyon.ch/domain/" | tr '\n' ' ' | sed -E -e "s/.*data-domain=\"${domain_env}\"[^<]*data-itemkey=\"([^\"]*).*/\1/")" + _debug gloo_item_key "${gloo_item_key}" + + domain_env_url="https://my.cyon.ch/user/environment/setdomain/d/${domain_env}/gik/${gloo_item_key}" + + domain_env_response="$(_get "${domain_env_url}")" + _debug domain_env_response "${domain_env_response}" + + if ! _cyon_check_if_2fa_missed "${domain_env_response}"; then return 1; fi + + domain_env_success="$(printf "%s" "${domain_env_response}" | _egrep_o '"authenticated":\w*' | cut -d : -f 2)" + + # Bail if domain environment change fails. + if [ "${domain_env_success}" != "true" ]; then + _err " $(printf "%s" "${domain_env_response}" | _cyon_get_response_message)" + _err "" + return 1 + fi + + _info " success" + _info "" +} + +_cyon_add_txt() { + _info " - Adding DNS TXT entry..." + + add_txt_url="https://my.cyon.ch/domain/dnseditor/add-record-async" + add_txt_data="zone=${fulldomain_idn}.&ttl=900&type=TXT&value=${txtvalue}" + + add_txt_response="$(_post "$add_txt_data" "$add_txt_url")" + _debug add_txt_response "${add_txt_response}" + + if ! _cyon_check_if_2fa_missed "${add_txt_response}"; then return 1; fi + + add_txt_message="$(printf "%s" "${add_txt_response}" | _cyon_get_response_message)" + add_txt_status="$(printf "%s" "${add_txt_response}" | _cyon_get_response_status)" + + # Bail if adding TXT entry fails. + if [ "${add_txt_status}" != "true" ]; then + _err " ${add_txt_message}" + _err "" + return 1 + fi + + _info " success (TXT|${fulldomain_idn}.|${txtvalue})" + _info "" +} + +_cyon_delete_txt() { + _info " - Deleting DNS TXT entry..." + + list_txt_url="https://my.cyon.ch/domain/dnseditor/list-async" + + list_txt_response="$(_get "${list_txt_url}" | sed -e 's/data-hash/\\ndata-hash/g')" + _debug list_txt_response "${list_txt_response}" + + if ! _cyon_check_if_2fa_missed "${list_txt_response}"; then return 1; fi + + # Find and delete all acme challenge entries for the $fulldomain. + _dns_entries="$(printf "%b\n" "${list_txt_response}" | sed -n 's/data-hash=\\"\([^"]*\)\\" data-identifier=\\"\([^"]*\)\\".*/\1 \2/p')" + + printf "%s" "${_dns_entries}" | while read -r _hash _identifier; do + dns_type="$(printf "%s" "$_identifier" | cut -d'|' -f1)" + dns_domain="$(printf "%s" "$_identifier" | cut -d'|' -f2)" + + if [ "${dns_type}" != "TXT" ] || [ "${dns_domain}" != "${fulldomain_idn}." ]; then + continue + fi + + hash_encoded="$(printf "%s" "${_hash}" | _url_encode)" + identifier_encoded="$(printf "%s" "${_identifier}" | _url_encode)" + + delete_txt_url="https://my.cyon.ch/domain/dnseditor/delete-record-async" + delete_txt_data="$(printf "%s" "hash=${hash_encoded}&identifier=${identifier_encoded}")" + + delete_txt_response="$(_post "$delete_txt_data" "$delete_txt_url")" + _debug delete_txt_response "${delete_txt_response}" + + if ! _cyon_check_if_2fa_missed "${delete_txt_response}"; then return 1; fi + + delete_txt_message="$(printf "%s" "${delete_txt_response}" | _cyon_get_response_message)" + delete_txt_status="$(printf "%s" "${delete_txt_response}" | _cyon_get_response_status)" + + # Skip if deleting TXT entry fails. + if [ "${delete_txt_status}" != "true" ]; then + _err " ${delete_txt_message} (${_identifier})" + else + _info " success (${_identifier})" + fi + done + + _info " done" + _info "" +} + +_cyon_get_response_message() { + _egrep_o '"message":"[^"]*"' | cut -d : -f 2 | tr -d '"' +} + +_cyon_get_response_status() { + _egrep_o '"status":\w*' | cut -d : -f 2 +} + +_cyon_get_response_success() { + _egrep_o '"onSuccess":"[^"]*"' | cut -d : -f 2 | tr -d '"' +} + +_cyon_check_if_2fa_missed() { + # Did we miss the 2FA? + if test "${1#*multi_factor_form}" != "${1}"; then + _err " Missed OTP authentication!" + _err "" + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_da.sh b/acme.sh-master/dnsapi/dns_da.sh new file mode 100644 index 0000000..4d3e09b --- /dev/null +++ b/acme.sh-master/dnsapi/dns_da.sh @@ -0,0 +1,184 @@ +#!/usr/bin/env sh +# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*- +# vim: et ts=2 sw=2 +# +# DirectAdmin 1.41.0 API +# The DirectAdmin interface has it's own Let's encrypt functionality, but this +# script can be used to generate certificates for names which are not hosted on +# DirectAdmin +# +# User must provide login data and URL to DirectAdmin incl. port. +# You can create login key, by using the Login Keys function +# ( https://da.example.com:8443/CMD_LOGIN_KEYS ), which only has access to +# - CMD_API_DNS_CONTROL +# - CMD_API_SHOW_DOMAINS +# +# See also https://www.directadmin.com/api.php and +# https://www.directadmin.com/features.php?id=1298 +# +# Report bugs to https://github.com/TigerP/acme.sh/issues +# +# Values to export: +# export DA_Api="https://remoteUser:remotePassword@da.example.com:8443" +# export DA_Api_Insecure=1 +# +# Set DA_Api_Insecure to 1 for insecure and 0 for secure -> difference is +# whether ssl cert is checked for validity (0) or whether it is just accepted +# (1) +# +######## Public functions ##################### + +# Usage: dns_myapi_add _acme-challenge.www.example.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_da_add() { + fulldomain="${1}" + txtvalue="${2}" + _debug "Calling: dns_da_add() '${fulldomain}' '${txtvalue}'" + _DA_credentials && _DA_getDomainInfo && _DA_addTxt +} + +# Usage: dns_da_rm _acme-challenge.www.example.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to remove the txt record after validation +dns_da_rm() { + fulldomain="${1}" + txtvalue="${2}" + _debug "Calling: dns_da_rm() '${fulldomain}' '${txtvalue}'" + _DA_credentials && _DA_getDomainInfo && _DA_rmTxt +} + +#################### Private functions below ################################## +# Usage: _DA_credentials +# It will check if the needed settings are available +_DA_credentials() { + DA_Api="${DA_Api:-$(_readaccountconf_mutable DA_Api)}" + DA_Api_Insecure="${DA_Api_Insecure:-$(_readaccountconf_mutable DA_Api_Insecure)}" + if [ -z "${DA_Api}" ] || [ -z "${DA_Api_Insecure}" ]; then + DA_Api="" + DA_Api_Insecure="" + _err "You haven't specified the DirectAdmin Login data, URL and whether you want check the DirectAdmin SSL cert. Please try again." + return 1 + else + _saveaccountconf_mutable DA_Api "${DA_Api}" + _saveaccountconf_mutable DA_Api_Insecure "${DA_Api_Insecure}" + # Set whether curl should use secure or insecure mode + export HTTPS_INSECURE="${DA_Api_Insecure}" + fi +} + +# Usage: _get_root _acme-challenge.www.example.com +# Split the full domain to a domain and subdomain +#returns +# _sub_domain=_acme-challenge.www +# _domain=example.com +_get_root() { + domain=$1 + i=2 + p=1 + # Get a list of all the domains + # response will contain "list[]=example.com&list[]=example.org" + _da_api CMD_API_SHOW_DOMAINS "" "${domain}" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + # not valid + _debug "The given domain $h is not valid" + return 1 + fi + if _contains "$response" "$h" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + _debug "Stop on 100" + return 1 +} + +# Usage: _da_api CMD_API_* data example.com +# Use the DirectAdmin API and check the result +# returns +# response="error=0&text=Result text&details=" +_da_api() { + cmd=$1 + data=$2 + domain=$3 + _debug "$domain; $data" + response="$(_post "$data" "$DA_Api/$cmd" "" "POST")" + + if [ "$?" != "0" ]; then + _err "error $cmd" + return 1 + fi + _debug response "$response" + + case "${cmd}" in + CMD_API_DNS_CONTROL) + # Parse the result in general + # error=0&text=Records Deleted&details= + # error=1&text=Cannot View Dns Record&details=No domain provided + err_field="$(_getfield "$response" 1 '&')" + txt_field="$(_getfield "$response" 2 '&')" + details_field="$(_getfield "$response" 3 '&')" + error="$(_getfield "$err_field" 2 '=')" + text="$(_getfield "$txt_field" 2 '=')" + details="$(_getfield "$details_field" 2 '=')" + _debug "error: ${error}, text: ${text}, details: ${details}" + if [ "$error" != "0" ]; then + _err "error $response" + return 1 + fi + ;; + CMD_API_SHOW_DOMAINS) ;; + esac + return 0 +} + +# Usage: _DA_getDomainInfo +# Get the root zone if possible +_DA_getDomainInfo() { + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + else + _debug "The root domain: $_domain" + _debug "The sub domain: $_sub_domain" + fi + return 0 +} + +# Usage: _DA_addTxt +# Use the API to add a record +_DA_addTxt() { + curData="domain=${_domain}&action=add&type=TXT&name=${_sub_domain}&value=\"${txtvalue}\"" + _debug "Calling _DA_addTxt: '${curData}' '${DA_Api}/CMD_API_DNS_CONTROL'" + _da_api CMD_API_DNS_CONTROL "${curData}" "${_domain}" + _debug "Result of _DA_addTxt: '$response'" + if _contains "${response}" 'error=0'; then + _debug "Add TXT succeeded" + return 0 + fi + _debug "Add TXT failed" + return 1 +} + +# Usage: _DA_rmTxt +# Use the API to remove a record +_DA_rmTxt() { + curData="domain=${_domain}&action=select&txtrecs0=name=${_sub_domain}&value=\"${txtvalue}\"" + _debug "Calling _DA_rmTxt: '${curData}' '${DA_Api}/CMD_API_DNS_CONTROL'" + if _da_api CMD_API_DNS_CONTROL "${curData}" "${_domain}"; then + _debug "Result of _DA_rmTxt: '$response'" + else + _err "Result of _DA_rmTxt: '$response'" + fi + if _contains "${response}" 'error=0'; then + _debug "RM TXT succeeded" + return 0 + fi + _debug "RM TXT failed" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_ddnss.sh b/acme.sh-master/dnsapi/dns_ddnss.sh new file mode 100644 index 0000000..b9da33f --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ddnss.sh @@ -0,0 +1,130 @@ +#!/usr/bin/env sh + +#Created by RaidenII, to use DuckDNS's API to add/remove text records +#modified by helbgd @ 03/13/2018 to support ddnss.de +#modified by mod242 @ 04/24/2018 to support different ddnss domains +#Please note: the Wildcard Feature must be turned on for the Host record +#and the checkbox for TXT needs to be enabled + +# Pass credentials before "acme.sh --issue --dns dns_ddnss ..." +# -- +# export DDNSS_Token="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" +# -- +# + +DDNSS_DNS_API="https://ddnss.de/upd.php" + +######## Public functions ##################### + +#Usage: dns_ddnss_add _acme-challenge.domain.ddnss.de "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ddnss_add() { + fulldomain=$1 + txtvalue=$2 + + DDNSS_Token="${DDNSS_Token:-$(_readaccountconf_mutable DDNSS_Token)}" + if [ -z "$DDNSS_Token" ]; then + _err "You must export variable: DDNSS_Token" + _err "The token for your DDNSS account is necessary." + _err "You can look it up in your DDNSS account." + return 1 + fi + + # Now save the credentials. + _saveaccountconf_mutable DDNSS_Token "$DDNSS_Token" + + # Unfortunately, DDNSS does not seems to support lookup domain through API + # So I assume your credentials (which are your domain and token) are correct + # If something goes wrong, we will get a KO response from DDNSS + + if ! _ddnss_get_domain; then + return 1 + fi + + # Now add the TXT record to DDNSS DNS + _info "Trying to add TXT record" + if _ddnss_rest GET "key=$DDNSS_Token&host=$_ddnss_domain&txtm=1&txt=$txtvalue"; then + if [ "$response" = "Updated 1 hostname." ]; then + _info "TXT record has been successfully added to your DDNSS domain." + _info "Note that all subdomains under this domain uses the same TXT record." + return 0 + else + _err "Errors happened during adding the TXT record, response=$response" + return 1 + fi + else + _err "Errors happened during adding the TXT record." + return 1 + fi +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_ddnss_rm() { + fulldomain=$1 + txtvalue=$2 + + DDNSS_Token="${DDNSS_Token:-$(_readaccountconf_mutable DDNSS_Token)}" + if [ -z "$DDNSS_Token" ]; then + _err "You must export variable: DDNSS_Token" + _err "The token for your DDNSS account is necessary." + _err "You can look it up in your DDNSS account." + return 1 + fi + + if ! _ddnss_get_domain; then + return 1 + fi + + # Now remove the TXT record from DDNS DNS + _info "Trying to remove TXT record" + if _ddnss_rest GET "key=$DDNSS_Token&host=$_ddnss_domain&txtm=2"; then + if [ "$response" = "Updated 1 hostname." ]; then + _info "TXT record has been successfully removed from your DDNSS domain." + return 0 + else + _err "Errors happened during removing the TXT record, response=$response" + return 1 + fi + else + _err "Errors happened during removing the TXT record." + return 1 + fi +} + +#################### Private functions below ################################## + +#fulldomain=_acme-challenge.domain.ddnss.de +#returns +# _ddnss_domain=domain +_ddnss_get_domain() { + + # We'll extract the domain/username from full domain + _ddnss_domain="$(echo "$fulldomain" | _lower_case | _egrep_o '[.][^.][^.]*[.](ddnss|dyn-ip24|dyndns|dyn|dyndns1|home-webserver|myhome-server|dynip)\..*' | cut -d . -f 2-)" + + if [ -z "$_ddnss_domain" ]; then + _err "Error extracting the domain." + return 1 + fi + + return 0 +} + +#Usage: method URI +_ddnss_rest() { + method=$1 + param="$2" + _debug param "$param" + url="$DDNSS_DNS_API?$param" + _debug url "$url" + + # DDNSS uses GET to update domain info + if [ "$method" = "GET" ]; then + response="$(_get "$url" | sed 's/<[a-zA-Z\/][^>]*>//g' | tr -s "\n" | _tail_n 1)" + else + _err "Unsupported method" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_desec.sh b/acme.sh-master/dnsapi/dns_desec.sh new file mode 100644 index 0000000..495a678 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_desec.sh @@ -0,0 +1,197 @@ +#!/usr/bin/env sh +# +# deSEC.io Domain API +# +# Author: Zheng Qian +# +# deSEC API doc +# https://desec.readthedocs.io/en/latest/ + +REST_API="https://desec.io/api/v1/domains" + +######## Public functions ##################### + +#Usage: dns_desec_add _acme-challenge.foobar.dedyn.io "d41d8cd98f00b204e9800998ecf8427e" +dns_desec_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using desec.io api" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}" + + if [ -z "$DEDYN_TOKEN" ]; then + DEDYN_TOKEN="" + _err "You did not specify DEDYN_TOKEN yet." + _err "Please create your key and try again." + _err "e.g." + _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e" + return 1 + fi + #save the api token to the account conf file. + _saveaccountconf_mutable DEDYN_TOKEN "$DEDYN_TOKEN" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain" "$REST_API/"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Get existing TXT record + _debug "Getting txt records" + txtvalues="\"\\\"$txtvalue\\\"\"" + _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/" + + if [ "$_code" = "200" ]; then + oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")" + _debug "existing TXT found" + _debug oldtxtvalues "$oldtxtvalues" + if [ -n "$oldtxtvalues" ]; then + for oldtxtvalue in $oldtxtvalues; do + txtvalues="$txtvalues, \"\\\"$oldtxtvalue\\\"\"" + done + fi + fi + _debug txtvalues "$txtvalues" + _info "Adding record" + body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]" + + if _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + + _err "Add txt record error." + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_desec_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using desec.io api" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}" + + if [ -z "$DEDYN_TOKEN" ]; then + DEDYN_TOKEN="" + _err "You did not specify DEDYN_TOKEN yet." + _err "Please create your key and try again." + _err "e.g." + _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain" "$REST_API/"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # Get existing TXT record + _debug "Getting txt records" + txtvalues="" + _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/" + + if [ "$_code" = "200" ]; then + oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")" + _debug "existing TXT found" + _debug oldtxtvalues "$oldtxtvalues" + if [ -n "$oldtxtvalues" ]; then + for oldtxtvalue in $oldtxtvalues; do + if [ "$txtvalue" != "$oldtxtvalue" ]; then + txtvalues="$txtvalues, \"\\\"$oldtxtvalue\\\"\"" + fi + done + fi + fi + txtvalues="$(echo "$txtvalues" | cut -c3-)" + _debug txtvalues "$txtvalues" + + _info "Deleting record" + body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]" + _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body" + if [ "$_code" = "200" ]; then + _info "Deleted, OK" + return 0 + fi + + _err "Delete txt record error." + return 1 +} + +#################### Private functions below ################################## + +_desec_rest() { + m="$1" + ep="$2" + data="$3" + + export _H1="Authorization: Token $DEDYN_TOKEN" + export _H2="Accept: application/json" + export _H3="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _secure_debug2 data "$data" + response="$(_post "$data" "$ep" "" "$m")" + else + response="$(_get "$ep")" + fi + _ret="$?" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + _secure_debug2 response "$response" + if [ "$_ret" != "0" ]; then + _err "error $ep" + return 1 + fi + + response="$(printf "%s" "$response" | _normalizeJson)" + return 0 +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + ep="$2" + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _desec_rest GET "$ep"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_df.sh b/acme.sh-master/dnsapi/dns_df.sh new file mode 100644 index 0000000..c0499dd --- /dev/null +++ b/acme.sh-master/dnsapi/dns_df.sh @@ -0,0 +1,65 @@ +#!/usr/bin/env sh + +######################################################################## +# https://dyndnsfree.de hook script for acme.sh +# +# Environment variables: +# +# - $DF_user (your dyndnsfree.de username) +# - $DF_password (your dyndnsfree.de password) +# +# Author: Thilo Gass +# Git repo: https://github.com/ThiloGa/acme.sh + +#-- dns_df_add() - Add TXT record -------------------------------------- +# Usage: dns_df_add _acme-challenge.subdomain.domain.com "XyZ123..." + +dyndnsfree_api="https://dynup.de/acme.php" + +dns_df_add() { + fulldomain=$1 + txt_value=$2 + _info "Using DNS-01 dyndnsfree.de hook" + + DF_user="${DF_user:-$(_readaccountconf_mutable DF_user)}" + DF_password="${DF_password:-$(_readaccountconf_mutable DF_password)}" + if [ -z "$DF_user" ] || [ -z "$DF_password" ]; then + DF_user="" + DF_password="" + _err "No auth details provided. Please set user credentials using the \$DF_user and \$DF_password environment variables." + return 1 + fi + #save the api user and password to the account conf file. + _debug "Save user and password" + _saveaccountconf_mutable DF_user "$DF_user" + _saveaccountconf_mutable DF_password "$DF_password" + + domain="$(printf "%s" "$fulldomain" | cut -d"." -f2-)" + + get="$dyndnsfree_api?username=$DF_user&password=$DF_password&hostname=$domain&add_hostname=$fulldomain&txt=$txt_value" + + if ! erg="$(_get "$get")"; then + _err "error Adding $fulldomain TXT: $txt_value" + return 1 + fi + + if _contains "$erg" "success"; then + _info "Success, TXT Added, OK" + else + _err "error Adding $fulldomain TXT: $txt_value erg: $erg" + return 1 + fi + + _debug "ok Auto $fulldomain TXT: $txt_value erg: $erg" + return 0 +} + +dns_df_rm() { + + fulldomain=$1 + txtvalue=$2 + _info "TXT enrty in $fulldomain is deleted automatically" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + +} diff --git a/acme.sh-master/dnsapi/dns_dgon.sh b/acme.sh-master/dnsapi/dns_dgon.sh new file mode 100644 index 0000000..afe1b32 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dgon.sh @@ -0,0 +1,249 @@ +#!/usr/bin/env sh + +## Will be called by acme.sh to add the txt record to your api system. +## returns 0 means success, otherwise error. + +## Author: thewer +## GitHub: https://github.com/gitwer/acme.sh + +## +## Environment Variables Required: +## +## DO_API_KEY="75310dc4ca779ac39a19f6355db573b49ce92ae126553ebd61ac3a3ae34834cc" +## + +##################### Public functions ##################### + +## Create the text record for validation. +## Usage: fulldomain txtvalue +## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" +dns_dgon_add() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}" + # Check if API Key Exists + if [ -z "$DO_API_KEY" ]; then + DO_API_KEY="" + _err "You did not specify DigitalOcean API key." + _err "Please export DO_API_KEY and try again." + return 1 + fi + + _info "Using digitalocean dns validation - add record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## save the env vars (key and domain split location) for later automated use + _saveaccountconf_mutable DO_API_KEY "$DO_API_KEY" + + ## split the domain for DO API + if ! _get_base_domain "$fulldomain"; then + _err "domain not found in your account for addition" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + ## Set the header with our post type and key auth key + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $DO_API_KEY" + PURL='https://api.digitalocean.com/v2/domains/'$_domain'/records' + PBODY='{"type":"TXT","name":"'$_sub_domain'","data":"'$txtvalue'","ttl":120}' + + _debug PURL "$PURL" + _debug PBODY "$PBODY" + + ## the create request - post + ## args: BODY, URL, [need64, httpmethod] + response="$(_post "$PBODY" "$PURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in response: $response" + return 1 + fi + _debug2 response "$response" + + ## finished correctly + return 0 +} + +## Remove the txt record after validation. +## Usage: fulldomain txtvalue +## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs" +dns_dgon_rm() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + DO_API_KEY="${DO_API_KEY:-$(_readaccountconf_mutable DO_API_KEY)}" + # Check if API Key Exists + if [ -z "$DO_API_KEY" ]; then + DO_API_KEY="" + _err "You did not specify DigitalOcean API key." + _err "Please export DO_API_KEY and try again." + return 1 + fi + + _info "Using digitalocean dns validation - remove record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## split the domain for DO API + if ! _get_base_domain "$fulldomain"; then + _err "domain not found in your account for removal" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + ## Set the header with our post type and key auth key + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $DO_API_KEY" + ## get URL for the list of domains + ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}} + GURL="https://api.digitalocean.com/v2/domains/$_domain/records" + + ## Get all the matching records + while true; do + ## 1) get the URL + ## the create request - get + ## args: URL, [onlyheader, timeout] + domain_list="$(_get "$GURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in domain_list response: $domain_list" + return 1 + fi + _debug2 domain_list "$domain_list" + + ## 2) find records + ## check for what we are looking for: "type":"A","name":"$_sub_domain" + record="$(echo "$domain_list" | _egrep_o "\"id\"\s*\:\s*\"*[0-9]+\"*[^}]*\"name\"\s*\:\s*\"$_sub_domain\"[^}]*\"data\"\s*\:\s*\"$txtvalue\"")" + + if [ -n "$record" ]; then + + ## we found records + rec_ids="$(echo "$record" | _egrep_o "id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")" + _debug rec_ids "$rec_ids" + if [ -n "$rec_ids" ]; then + echo "$rec_ids" | while IFS= read -r rec_id; do + ## delete the record + ## delete URL for removing the one we dont want + DURL="https://api.digitalocean.com/v2/domains/$_domain/records/$rec_id" + + ## the create request - delete + ## args: BODY, URL, [need64, httpmethod] + response="$(_post "" "$DURL" "" "DELETE")" + + ## check response (sort of) + if [ "$?" != "0" ]; then + _err "error in remove response: $response" + return 1 + fi + _debug2 response "$response" + + done + fi + fi + + ## 3) find the next page + nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[0-9]+")" + if [ -z "$nextpage" ]; then + break + fi + _debug2 nextpage "$nextpage" + GURL="$nextpage" + + done + + ## finished correctly + return 0 +} + +##################### Private functions below ##################### + +## Split the domain provided into the "bade domain" and the "start prefix". +## This function searches for the longest subdomain in your account +## for the full domain given and splits it into the base domain (zone) +## and the prefix/record to be added/removed +## USAGE: fulldomain +## EG: "_acme-challenge.two.three.four.domain.com" +## returns +## _sub_domain="_acme-challenge.two" +## _domain="three.four.domain.com" *IF* zone "three.four.domain.com" exists +## if only "domain.com" exists it will return +## _sub_domain="_acme-challenge.two.three.four" +## _domain="domain.com" +_get_base_domain() { + # args + fulldomain="$(echo "$1" | _lower_case)" + _debug fulldomain "$fulldomain" + + # domain max legal length = 253 + MAX_DOM=255 + + ## get a list of domains for the account to check thru + ## Set the headers + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $DO_API_KEY" + _debug DO_API_KEY "$DO_API_KEY" + ## get URL for the list of domains + ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}} + DOMURL="https://api.digitalocean.com/v2/domains" + found="" + + ## while we dont have a matching domain we keep going + while [ -z "$found" ]; do + ## get the domain list (current page) + domain_list="$(_get "$DOMURL")" + + ## check response + if [ "$?" != "0" ]; then + _err "error in domain_list response: $domain_list" + return 1 + fi + _debug2 domain_list "$domain_list" + + i=1 + while [ $i -gt 0 ]; do + ## get next longest domain + _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM") + ## check we got something back from our cut (or are we at the end) + if [ -z "$_domain" ]; then + break + fi + ## we got part of a domain back - grep it out + found="$(echo "$domain_list" | _egrep_o "\"name\"\s*\:\s*\"$_domain\"")" + ## check if it exists + if [ -n "$found" ]; then + ## exists - exit loop returning the parts + sub_point=$(_math $i - 1) + _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point") + _debug _domain "$_domain" + _debug _sub_domain "$_sub_domain" + return 0 + fi + ## increment cut point $i + i=$(_math $i + 1) + done + + if [ -z "$found" ]; then + ## find the next page if we dont have a match + nextpage="$(echo "$domain_list" | _egrep_o "\"links\".*" | _egrep_o "\"next\".*" | _egrep_o "http.*page\=[0-9]+")" + if [ -z "$nextpage" ]; then + _err "no record and no nextpage in digital ocean DNS removal" + return 1 + fi + _debug2 nextpage "$nextpage" + DOMURL="$nextpage" + fi + + done + + ## we went through the entire domain zone list and dint find one that matched + ## doesnt look like we can add in the record + _err "domain not found in DigitalOcean account, but we should never get here" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_dnshome.sh b/acme.sh-master/dnsapi/dns_dnshome.sh new file mode 100644 index 0000000..9960876 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dnshome.sh @@ -0,0 +1,87 @@ +#!/usr/bin/env sh + +# dnsHome.de API for acme.sh +# +# This Script adds the necessary TXT record to a Subdomain +# +# Author dnsHome.de (https://github.com/dnsHome-de) +# +# Report Bugs to https://github.com/acmesh-official/acme.sh/issues/3819 +# +# export DNSHOME_Subdomain="" +# export DNSHOME_SubdomainPassword="" + +# Usage: add subdomain.ddnsdomain.tld "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_dnshome_add() { + txtvalue=$2 + + DNSHOME_Subdomain="${DNSHOME_Subdomain:-$(_readdomainconf DNSHOME_Subdomain)}" + DNSHOME_SubdomainPassword="${DNSHOME_SubdomainPassword:-$(_readdomainconf DNSHOME_SubdomainPassword)}" + + if [ -z "$DNSHOME_Subdomain" ] || [ -z "$DNSHOME_SubdomainPassword" ]; then + DNSHOME_Subdomain="" + DNSHOME_SubdomainPassword="" + _err "Please specify/export your dnsHome.de Subdomain and Password" + return 1 + fi + + #save the credentials to the account conf file. + _savedomainconf DNSHOME_Subdomain "$DNSHOME_Subdomain" + _savedomainconf DNSHOME_SubdomainPassword "$DNSHOME_SubdomainPassword" + + DNSHOME_Api="https://$DNSHOME_Subdomain:$DNSHOME_SubdomainPassword@www.dnshome.de/dyndns.php" + + _DNSHOME_rest POST "acme=add&txt=$txtvalue" + if ! echo "$response" | grep 'successfully' >/dev/null; then + _err "Error" + _err "$response" + return 1 + fi + + return 0 +} + +# Usage: txtvalue +# Used to remove the txt record after validation +dns_dnshome_rm() { + txtvalue=$2 + + DNSHOME_Subdomain="${DNSHOME_Subdomain:-$(_readdomainconf DNSHOME_Subdomain)}" + DNSHOME_SubdomainPassword="${DNSHOME_SubdomainPassword:-$(_readdomainconf DNSHOME_SubdomainPassword)}" + + DNSHOME_Api="https://$DNSHOME_Subdomain:$DNSHOME_SubdomainPassword@www.dnshome.de/dyndns.php" + + if [ -z "$DNSHOME_Subdomain" ] || [ -z "$DNSHOME_SubdomainPassword" ]; then + DNSHOME_Subdomain="" + DNSHOME_SubdomainPassword="" + _err "Please specify/export your dnsHome.de Subdomain and Password" + return 1 + fi + + _DNSHOME_rest POST "acme=rm&txt=$txtvalue" + if ! echo "$response" | grep 'successfully' >/dev/null; then + _err "Error" + _err "$response" + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## +_DNSHOME_rest() { + method=$1 + data="$2" + _debug "$data" + + _debug data "$data" + response="$(_post "$data" "$DNSHOME_Api" "" "$method")" + + if [ "$?" != "0" ]; then + _err "error $data" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dnsimple.sh b/acme.sh-master/dnsapi/dns_dnsimple.sh new file mode 100644 index 0000000..d831eb2 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dnsimple.sh @@ -0,0 +1,198 @@ +#!/usr/bin/env sh + +# DNSimple domain api +# https://github.com/pho3nixf1re/acme.sh/issues +# +# This is your oauth token which can be acquired on the account page. Please +# note that this must be an _account_ token and not a _user_ token. +# https://dnsimple.com/a//account/access_tokens +# DNSimple_OAUTH_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje" + +DNSimple_API="https://api.dnsimple.com/v2" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dnsimple_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$DNSimple_OAUTH_TOKEN" ]; then + DNSimple_OAUTH_TOKEN="" + _err "You have not set the dnsimple oauth token yet." + _err "Please visit https://dnsimple.com/user to generate it." + return 1 + fi + + # save the oauth token for later + _saveaccountconf DNSimple_OAUTH_TOKEN "$DNSimple_OAUTH_TOKEN" + + if ! _get_account_id; then + _err "failed to retrive account id" + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _get_records "$_account_id" "$_domain" "$_sub_domain" + + _info "Adding record" + if _dnsimple_rest POST "$_account_id/zones/$_domain/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then + if printf -- "%s" "$response" | grep "\"name\":\"$_sub_domain\"" >/dev/null; then + _info "Added" + return 0 + else + _err "Unexpected response while adding text record." + return 1 + fi + fi + _err "Add txt record error." +} + +# fulldomain +dns_dnsimple_rm() { + fulldomain=$1 + + if ! _get_account_id; then + _err "failed to retrive account id" + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _get_records "$_account_id" "$_domain" "$_sub_domain" + + _extract_record_id "$_records" "$_sub_domain" + if [ "$_record_id" ]; then + echo "$_record_id" | while read -r item; do + if _dnsimple_rest DELETE "$_account_id/zones/$_domain/records/$item"; then + _info "removed record" "$item" + return 0 + else + _err "failed to remove record" "$item" + return 1 + fi + done + fi +} + +#################### Private functions bellow ################################## +# _acme-challenge.www.domain.com +# returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + previous=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + # not valid + return 1 + fi + + if ! _dnsimple_rest GET "$_account_id/zones/$h"; then + return 1 + fi + + if _contains "$response" 'not found'; then + _debug "$h not found" + else + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$previous) + _domain="$h" + + _debug _domain "$_domain" + _debug _sub_domain "$_sub_domain" + + return 0 + fi + + previous="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +# returns _account_id +_get_account_id() { + _debug "retrive account id" + if ! _dnsimple_rest GET "whoami"; then + return 1 + fi + + if _contains "$response" "\"account\":null"; then + _err "no account associated with this token" + return 1 + fi + + if _contains "$response" "timeout"; then + _err "timeout retrieving account id" + return 1 + fi + + _account_id=$(printf "%s" "$response" | _egrep_o "\"id\":[^,]*,\"email\":" | cut -d: -f2 | cut -d, -f1) + _debug _account_id "$_account_id" + + return 0 +} + +# returns +# _records +# _records_count +_get_records() { + account_id=$1 + domain=$2 + sub_domain=$3 + + _debug "fetching txt records" + _dnsimple_rest GET "$account_id/zones/$domain/records?per_page=5000&sort=id:desc" + + if ! _contains "$response" "\"id\":"; then + _err "failed to retrieve records" + return 1 + fi + + _records_count=$(printf "%s" "$response" | _egrep_o "\"name\":\"$sub_domain\"" | wc -l | _egrep_o "[0-9]+") + _records=$response + _debug _records_count "$_records_count" +} + +# returns _record_id +_extract_record_id() { + _record_id=$(printf "%s" "$_records" | _egrep_o "\"id\":[^,]*,\"zone_id\":\"[^,]*\",\"parent_id\":null,\"name\":\"$_sub_domain\"" | cut -d: -f2 | cut -d, -f1) + _debug "_record_id" "$_record_id" +} + +# returns response +_dnsimple_rest() { + method=$1 + path="$2" + data="$3" + request_url="$DNSimple_API/$path" + _debug "$path" + + export _H1="Accept: application/json" + export _H2="Authorization: Bearer $DNSimple_OAUTH_TOKEN" + + if [ "$data" ] || [ "$method" = "DELETE" ]; then + _H1="Content-Type: application/json" + _debug data "$data" + response="$(_post "$data" "$request_url" "" "$method")" + else + response="$(_get "$request_url" "" "" "$method")" + fi + + if [ "$?" != "0" ]; then + _err "error $request_url" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dnsservices.sh b/acme.sh-master/dnsapi/dns_dnsservices.sh new file mode 100644 index 0000000..008153a --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dnsservices.sh @@ -0,0 +1,248 @@ +#!/usr/bin/env sh + +#This file name is "dns_dnsservices.sh" +#Script for Danish DNS registra and DNS hosting provider https://dns.services + +#Author: Bjarke Bruun +#Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/4152 + +# Global variable to connect to the DNS.Services API +DNSServices_API=https://dns.services/api + +######## Public functions ##################### + +#Usage: dns_dnsservices_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dnsservices_add() { + fulldomain="$1" + txtvalue="$2" + + _info "Using dns.services to create ACME DNS challenge" + _debug2 add_fulldomain "$fulldomain" + _debug2 add_txtvalue "$txtvalue" + + # Read username/password from environment or .acme.sh/accounts.conf + DnsServices_Username="${DnsServices_Username:-$(_readaccountconf_mutable DnsServices_Username)}" + DnsServices_Password="${DnsServices_Password:-$(_readaccountconf_mutable DnsServices_Password)}" + if [ -z "$DnsServices_Username" ] || [ -z "$DnsServices_Password" ]; then + DnsServices_Username="" + DnsServices_Password="" + _err "You didn't specify dns.services api username and password yet." + _err "Set environment variables DnsServices_Username and DnsServices_Password" + return 1 + fi + + # Setup GET/POST/DELETE headers + _setup_headers + + #save the credentials to the account conf file. + _saveaccountconf_mutable DnsServices_Username "$DnsServices_Username" + _saveaccountconf_mutable DnsServices_Password "$DnsServices_Password" + + if ! _contains "$DnsServices_Username" "@"; then + _err "It seems that the username variable DnsServices_Username has not been set/left blank" + _err "or is not a valid email. Please correct and try again." + return 1 + fi + + if ! _get_root "${fulldomain}"; then + _err "Invalid domain ${fulldomain}" + return 1 + fi + + if ! createRecord "$fulldomain" "${txtvalue}"; then + _err "Error creating TXT record in domain $fulldomain in $rootZoneName" + return 1 + fi + + _debug2 challenge-created "Created $fulldomain" + return 0 +} + +#Usage: fulldomain txtvalue +#Description: Remove the txt record after validation. +dns_dnsservices_rm() { + fulldomain="$1" + txtvalue="$2" + + _info "Using dns.services to remove DNS record $fulldomain TXT $txtvalue" + _debug rm_fulldomain "$fulldomain" + _debug rm_txtvalue "$txtvalue" + + # Read username/password from environment or .acme.sh/accounts.conf + DnsServices_Username="${DnsServices_Username:-$(_readaccountconf_mutable DnsServices_Username)}" + DnsServices_Password="${DnsServices_Password:-$(_readaccountconf_mutable DnsServices_Password)}" + if [ -z "$DnsServices_Username" ] || [ -z "$DnsServices_Password" ]; then + DnsServices_Username="" + DnsServices_Password="" + _err "You didn't specify dns.services api username and password yet." + _err "Set environment variables DnsServices_Username and DnsServices_Password" + return 1 + fi + + # Setup GET/POST/DELETE headers + _setup_headers + + if ! _get_root "${fulldomain}"; then + _err "Invalid domain ${fulldomain}" + return 1 + fi + + _debug2 rm_rootDomainInfo "found root domain $rootZoneName for $fulldomain" + + if ! deleteRecord "${fulldomain}" "${txtvalue}"; then + _err "Error removing record: $fulldomain TXT ${txtvalue}" + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## + +_setup_headers() { + # Set up API Headers for _get() and _post() + # The _add or _rm must have been called before to work + + if [ -z "$DnsServices_Username" ] || [ -z "$DnsServices_Password" ]; then + _err "Could not setup BASIC authentication headers, they are missing" + return 1 + fi + + DnsServiceCredentials="$(printf "%s" "$DnsServices_Username:$DnsServices_Password" | _base64)" + export _H1="Authorization: Basic $DnsServiceCredentials" + export _H2="Content-Type: application/json" + + # Just return if headers are set + return 0 +} + +_get_root() { + domain="$1" + _debug2 _get_root "Get the root domain of ${domain} for DNS API" + + # Setup _get() and _post() headers + #_setup_headers + + result=$(_H1="$_H1" _H2="$_H2" _get "$DNSServices_API/dns") + result2="$(printf "%s\n" "$result" | tr '[' '\n' | grep '"name"')" + result3="$(printf "%s\n" "$result2" | tr '}' '\n' | grep '"name"' | sed "s,^\,,,g" | sed "s,$,},g")" + useResult="" + _debug2 _get_root "Got the following root domain(s) $result" + _debug2 _get_root "- JSON: $result" + + if [ "$(printf "%s\n" "$result" | tr '}' '\n' | grep -c '"name"')" -gt "1" ]; then + checkMultiZones="true" + _debug2 _get_root "- multiple zones found" + else + checkMultiZones="false" + _debug2 _get_root "- single zone found" + fi + + # Find/isolate the root zone to work with in createRecord() and deleteRecord() + rootZone="" + if [ "$checkMultiZones" = "true" ]; then + #rootZone=$(for x in $(printf "%s" "${result3}" | tr ',' '\n' | sed -n 's/.*"name":"\(.*\)",.*/\1/p'); do if [ "$(echo "$domain" | grep "$x")" != "" ]; then echo "$x"; fi; done) + rootZone=$(for x in $(printf "%s\n" "${result3}" | tr ',' '\n' | grep name | cut -d'"' -f4); do if [ "$(echo "$domain" | grep "$x")" != "" ]; then echo "$x"; fi; done) + if [ "$rootZone" != "" ]; then + _debug2 _rootZone "- root zone for $domain is $rootZone" + else + _err "Could not find root zone for $domain, is it correctly typed?" + return 1 + fi + else + rootZone=$(echo "$result" | tr '}' '\n' | _egrep_o '"name":"[^"]*' | cut -d'"' -f4) + _debug2 _get_root "- only found 1 domain in API: $rootZone" + fi + + if [ -z "$rootZone" ]; then + _err "Could not find root domain for $domain - is it correctly typed?" + return 1 + fi + + # Make sure we use the correct API zone data + useResult="$(printf "%s\n" "${result3}" tr ',' '\n' | grep "$rootZone")" + _debug2 _useResult "useResult=$useResult" + + # Setup variables used by other functions to communicate with DNS.Services API + #zoneInfo=$(printf "%s\n" "$useResult" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"name":")([^"]*)"(.*)$,\2,g') + zoneInfo=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep '"name"' | cut -d'"' -f4) + rootZoneName="$rootZone" + subDomainName="$(printf "%s\n" "$domain" | sed "s,\.$rootZone,,g")" + subDomainNameClean="$(printf "%s\n" "$domain" | sed "s,_acme-challenge.,,g")" + rootZoneDomainID=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep domain_id | cut -d'"' -f4) + rootZoneServiceID=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep service_id | cut -d'"' -f4) + + _debug2 _zoneInfo "Zone info from API : $zoneInfo" + _debug2 _get_root "Root zone name : $rootZoneName" + _debug2 _get_root "Root zone domain ID : $rootZoneDomainID" + _debug2 _get_root "Root zone service ID: $rootZoneServiceID" + _debug2 _get_root "Sub domain : $subDomainName" + + _debug _get_root "Found valid root domain $rootZone for $subDomainNameClean" + return 0 +} + +createRecord() { + fulldomain="$1" + txtvalue="$2" + + # Get root domain information - needed for DNS.Services API communication + if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then + _get_root "$fulldomain" + fi + if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then + _err "Something happend - could not get the API zone information" + return 1 + fi + + _debug2 createRecord "CNAME TXT value is: $txtvalue" + + # Prepare data to send to API + data="{\"name\":\"${fulldomain}\",\"type\":\"TXT\",\"content\":\"${txtvalue}\", \"ttl\":\"10\"}" + + _debug2 createRecord "data to API: $data" + result=$(_post "$data" "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records" "" "POST") + _debug2 createRecord "result from API: $result" + + if [ "$(echo "$result" | _egrep_o "\"success\":true")" = "" ]; then + _err "Failed to create TXT record $fulldomain with content $txtvalue in zone $rootZoneName" + _err "$result" + return 1 + fi + + _info "Record \"$fulldomain TXT $txtvalue\" has been created" + return 0 +} + +deleteRecord() { + fulldomain="$1" + txtvalue="$2" + + _log deleteRecord "Deleting $fulldomain TXT $txtvalue record" + + if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then + _get_root "$fulldomain" + fi + + result="$(_H1="$_H1" _H2="$_H2" _get "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID")" + #recordInfo="$(echo "$result" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}")" + #recordID="$(echo "$recordInfo" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"id":")([^"]*)"(.*)$,\2,g')" + recordID="$(printf "%s\n" "$result" | tr '}' '\n' | grep -- "$txtvalue" | tr ',' '\n' | grep '"id"' | cut -d'"' -f4)" + _debug2 _recordID "recordID used for deletion of record: $recordID" + + if [ -z "$recordID" ]; then + _info "Record $fulldomain TXT $txtvalue not found or already deleted" + return 0 + else + _debug2 deleteRecord "Found recordID=$recordID" + fi + + _debug2 deleteRecord "DELETE request $DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records/$recordID" + _log "curl DELETE request $DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records/$recordID" + result="$(_H1="$_H1" _H2="$_H2" _post "" "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records/$recordID" "" "DELETE")" + _debug2 deleteRecord "API Delete result \"$result\"" + _log "curl API Delete result \"$result\"" + + # Return OK regardless + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_do.sh b/acme.sh-master/dnsapi/dns_do.sh new file mode 100644 index 0000000..3850890 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_do.sh @@ -0,0 +1,148 @@ +#!/usr/bin/env sh + +# DNS API for Domain-Offensive / Resellerinterface / Domainrobot + +# Report bugs at https://github.com/seidler2547/acme.sh/issues + +# set these environment variables to match your customer ID and password: +# DO_PID="KD-1234567" +# DO_PW="cdfkjl3n2" + +DO_URL="https://soap.resellerinterface.de/" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_do_add() { + fulldomain=$1 + txtvalue=$2 + if _dns_do_authenticate; then + _info "Adding TXT record to ${_domain} as ${fulldomain}" + _dns_do_soap createRR origin "${_domain}" name "${fulldomain}" type TXT data "${txtvalue}" ttl 300 + if _contains "${response}" '>success<'; then + return 0 + fi + _err "Could not create resource record, check logs" + fi + return 1 +} + +#fulldomain +dns_do_rm() { + fulldomain=$1 + if _dns_do_authenticate; then + if _dns_do_list_rrs; then + _dns_do_had_error=0 + for _rrid in ${_rr_list}; do + _info "Deleting resource record $_rrid for $_domain" + _dns_do_soap deleteRR origin "${_domain}" rrid "${_rrid}" + if ! _contains "${response}" '>success<'; then + _dns_do_had_error=1 + _err "Could not delete resource record for ${_domain}, id ${_rrid}" + fi + done + return $_dns_do_had_error + fi + fi + return 1 +} + +#################### Private functions below ################################## +_dns_do_authenticate() { + _info "Authenticating as ${DO_PID}" + _dns_do_soap authPartner partner "${DO_PID}" password "${DO_PW}" + if _contains "${response}" '>success<'; then + _get_root "$fulldomain" + _debug "_domain $_domain" + return 0 + else + _err "Authentication failed, are DO_PID and DO_PW set correctly?" + fi + return 1 +} + +_dns_do_list_rrs() { + _dns_do_soap getRRList origin "${_domain}" + if ! _contains "${response}" 'SOAP-ENC:Array'; then + _err "getRRList origin ${_domain} failed" + return 1 + fi + _rr_list="$(echo "${response}" | + tr -d "\n\r\t" | + sed -e 's//\n/g' | + grep ">$(_regexcape "$fulldomain")" | + sed -e 's/<\/item>/\n/g' | + grep '>id[0-9]{1,16}<' | + tr -d '><')" + [ "${_rr_list}" ] +} + +_dns_do_soap() { + func="$1" + shift + # put the parameters to xml + body="" + while [ "$1" ]; do + _k="$1" + shift + _v="$1" + shift + body="$body<$_k>$_v" + done + body="$body" + _debug2 "SOAP request ${body}" + + # build SOAP XML + _xml=' + + '"$body"' +' + + # set SOAP headers + export _H1="SOAPAction: ${DO_URL}#${func}" + + if ! response="$(_post "${_xml}" "${DO_URL}")"; then + _err "Error <$1>" + return 1 + fi + _debug2 "SOAP response $response" + + # retrieve cookie header + _H2="$(_egrep_o 'Cookie: [^;]+' <"$HTTP_HEADER" | _head_n 1)" + export _H2 + + return 0 +} + +_get_root() { + domain=$1 + i=1 + + _dns_do_soap getDomainList + _all_domains="$(echo "${response}" | + tr -d "\n\r\t " | + _egrep_o 'domain]+>[^<]+' | + sed -e 's/^domain<\/key>]*>//g')" + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + return 1 + fi + + if _contains "${_all_domains}" "^$(_regexcape "$h")\$"; then + _domain="$h" + return 0 + fi + + i=$(_math $i + 1) + done + _debug "$domain not found" + + return 1 +} + +_regexcape() { + echo "$1" | sed -e 's/\([]\.$*^[]\)/\\\1/g' +} diff --git a/acme.sh-master/dnsapi/dns_doapi.sh b/acme.sh-master/dnsapi/dns_doapi.sh new file mode 100644 index 0000000..a001d52 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_doapi.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# Official Let's Encrypt API for do.de / Domain-Offensive +# +# This is different from the dns_do adapter, because dns_do is only usable for enterprise customers +# This API is also available to private customers/individuals +# +# Provide the required LetsEncrypt token like this: +# DO_LETOKEN="FmD408PdqT1E269gUK57" + +DO_API="https://www.do.de/api/letsencrypt" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_doapi_add() { + fulldomain=$1 + txtvalue=$2 + + DO_LETOKEN="${DO_LETOKEN:-$(_readaccountconf_mutable DO_LETOKEN)}" + if [ -z "$DO_LETOKEN" ]; then + DO_LETOKEN="" + _err "You didn't configure a do.de API token yet." + _err "Please set DO_LETOKEN and try again." + return 1 + fi + _saveaccountconf_mutable DO_LETOKEN "$DO_LETOKEN" + + _info "Adding TXT record to ${fulldomain}" + response="$(_get "$DO_API?token=$DO_LETOKEN&domain=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not create resource record, check logs" + _err "${response}" + return 1 +} + +dns_doapi_rm() { + fulldomain=$1 + + DO_LETOKEN="${DO_LETOKEN:-$(_readaccountconf_mutable DO_LETOKEN)}" + if [ -z "$DO_LETOKEN" ]; then + DO_LETOKEN="" + _err "You didn't configure a do.de API token yet." + _err "Please set DO_LETOKEN and try again." + return 1 + fi + _saveaccountconf_mutable DO_LETOKEN "$DO_LETOKEN" + + _info "Deleting resource record $fulldomain" + response="$(_get "$DO_API?token=$DO_LETOKEN&domain=${fulldomain}&action=delete")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not delete resource record, check logs" + _err "${response}" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_domeneshop.sh b/acme.sh-master/dnsapi/dns_domeneshop.sh new file mode 100644 index 0000000..9a3791f --- /dev/null +++ b/acme.sh-master/dnsapi/dns_domeneshop.sh @@ -0,0 +1,155 @@ +#!/usr/bin/env sh + +DOMENESHOP_Api_Endpoint="https://api.domeneshop.no/v0" + +##################### Public functions ##################### + +# Usage: dns_domeneshop_add +# Example: dns_domeneshop_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_domeneshop_add() { + fulldomain=$1 + txtvalue=$2 + + # Get token and secret + DOMENESHOP_Token="${DOMENESHOP_Token:-$(_readaccountconf_mutable DOMENESHOP_Token)}" + DOMENESHOP_Secret="${DOMENESHOP_Secret:-$(_readaccountconf_mutable DOMENESHOP_Secret)}" + + if [ -z "$DOMENESHOP_Token" ] || [ -z "$DOMENESHOP_Secret" ]; then + DOMENESHOP_Token="" + DOMENESHOP_Secret="" + _err "You need to spesify a Domeneshop/Domainnameshop API Token and Secret." + return 1 + fi + + # Save the api token and secret. + _saveaccountconf_mutable DOMENESHOP_Token "$DOMENESHOP_Token" + _saveaccountconf_mutable DOMENESHOP_Secret "$DOMENESHOP_Secret" + + # Get the domain name id + if ! _get_domainid "$fulldomain"; then + _err "Did not find domainname" + return 1 + fi + + # Create record + _domeneshop_rest POST "domains/$_domainid/dns" "{\"type\":\"TXT\",\"host\":\"$_sub_domain\",\"data\":\"$txtvalue\",\"ttl\":120}" +} + +# Usage: dns_domeneshop_rm +# Example: dns_domeneshop_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_domeneshop_rm() { + fulldomain=$1 + txtvalue=$2 + + # Get token and secret + DOMENESHOP_Token="${DOMENESHOP_Token:-$(_readaccountconf_mutable DOMENESHOP_Token)}" + DOMENESHOP_Secret="${DOMENESHOP_Secret:-$(_readaccountconf_mutable DOMENESHOP_Secret)}" + + if [ -z "$DOMENESHOP_Token" ] || [ -z "$DOMENESHOP_Secret" ]; then + DOMENESHOP_Token="" + DOMENESHOP_Secret="" + _err "You need to spesify a Domeneshop/Domainnameshop API Token and Secret." + return 1 + fi + + # Get the domain name id + if ! _get_domainid "$fulldomain"; then + _err "Did not find domainname" + return 1 + fi + + # Find record + if ! _get_recordid "$_domainid" "$_sub_domain" "$txtvalue"; then + _err "Did not find dns record" + return 1 + fi + + # Remove record + _domeneshop_rest DELETE "domains/$_domainid/dns/$_recordid" +} + +##################### Private functions ##################### + +_get_domainid() { + domain=$1 + + # Get domains + _domeneshop_rest GET "domains" + + if ! _contains "$response" "\"id\":"; then + _err "failed to get domain names" + return 1 + fi + + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug "h" "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"$h\"" >/dev/null; then + # We have found the domain name. + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + _domainid=$(printf "%s" "$response" | _egrep_o "[^{]*\"domain\":\"$_domain\"[^}]*" | _egrep_o "\"id\":[0-9]+" | cut -d : -f 2) + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_get_recordid() { + domainid=$1 + subdomain=$2 + txtvalue=$3 + + # Get all dns records for the domainname + _domeneshop_rest GET "domains/$domainid/dns" + + if ! _contains "$response" "\"id\":"; then + _debug "No records in dns" + return 1 + fi + + if ! _contains "$response" "\"host\":\"$subdomain\""; then + _debug "Record does not exist" + return 1 + fi + + # Get the id of the record in question + _recordid=$(printf "%s" "$response" | _egrep_o "[^{]*\"host\":\"$subdomain\"[^}]*" | _egrep_o "[^{]*\"data\":\"$txtvalue\"[^}]*" | _egrep_o "\"id\":[0-9]+" | cut -d : -f 2) + if [ -z "$_recordid" ]; then + return 1 + fi + return 0 +} + +_domeneshop_rest() { + method=$1 + endpoint=$2 + data=$3 + + credentials=$(printf "%b" "$DOMENESHOP_Token:$DOMENESHOP_Secret" | _base64) + + export _H1="Authorization: Basic $credentials" + export _H2="Content-Type: application/json" + + if [ "$method" != "GET" ]; then + response="$(_post "$data" "$DOMENESHOP_Api_Endpoint/$endpoint" "" "$method")" + else + response="$(_get "$DOMENESHOP_Api_Endpoint/$endpoint")" + fi + + if [ "$?" != "0" ]; then + _err "error $endpoint" + return 1 + fi + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dp.sh b/acme.sh-master/dnsapi/dns_dp.sh new file mode 100644 index 0000000..9b8b7a8 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dp.sh @@ -0,0 +1,161 @@ +#!/usr/bin/env sh + +# Dnspod.cn Domain api +# +#DP_Id="1234" +# +#DP_Key="sADDsdasdgdsf" + +REST_API="https://dnsapi.cn" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dp_add() { + fulldomain=$1 + txtvalue=$2 + + DP_Id="${DP_Id:-$(_readaccountconf_mutable DP_Id)}" + DP_Key="${DP_Key:-$(_readaccountconf_mutable DP_Key)}" + if [ -z "$DP_Id" ] || [ -z "$DP_Key" ]; then + DP_Id="" + DP_Key="" + _err "You don't specify dnspod api key and key id yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable DP_Id "$DP_Id" + _saveaccountconf_mutable DP_Key "$DP_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + add_record "$_domain" "$_sub_domain" "$txtvalue" + +} + +#fulldomain txtvalue +dns_dp_rm() { + fulldomain=$1 + txtvalue=$2 + + DP_Id="${DP_Id:-$(_readaccountconf_mutable DP_Id)}" + DP_Key="${DP_Key:-$(_readaccountconf_mutable DP_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + if ! _rest POST "Record.List" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain"; then + _err "Record.Lis error." + return 1 + fi + + if _contains "$response" 'No records'; then + _info "Don't need to remove." + return 0 + fi + + record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2) + _debug record_id "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id." + return 1 + fi + + if ! _rest POST "Record.Remove" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&record_id=$record_id"; then + _err "Record.Remove error." + return 1 + fi + + _contains "$response" "successful" + +} + +#add the txt record. +#usage: root sub txtvalue +add_record() { + root=$1 + sub=$2 + txtvalue=$3 + fulldomain="$sub.$root" + + _info "Adding record" + + if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=%E9%BB%98%E8%AE%A4"; then + return 1 + fi + + _contains "$response" "successful" || _contains "$response" "Domain record already exists" +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _rest POST "Domain.Info" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain=$h"; then + return 1 + fi + + if _contains "$response" "successful"; then + _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \") + _debug _domain_id "$_domain_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _debug _sub_domain "$_sub_domain" + _domain="$h" + _debug _domain "$_domain" + return 0 + fi + return 1 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +#Usage: method URI data +_rest() { + m="$1" + ep="$2" + data="$3" + _debug "$ep" + url="$REST_API/$ep" + + _debug url "$url" + + if [ "$m" = "GET" ]; then + response="$(_get "$url" | tr -d '\r')" + else + _debug2 data "$data" + response="$(_post "$data" "$url" | tr -d '\r')" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dpi.sh b/acme.sh-master/dnsapi/dns_dpi.sh new file mode 100644 index 0000000..2955eff --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dpi.sh @@ -0,0 +1,161 @@ +#!/usr/bin/env sh + +# Dnspod.com Domain api +# +#DPI_Id="1234" +# +#DPI_Key="sADDsdasdgdsf" + +REST_API="https://api.dnspod.com" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dpi_add() { + fulldomain=$1 + txtvalue=$2 + + DPI_Id="${DPI_Id:-$(_readaccountconf_mutable DPI_Id)}" + DPI_Key="${DPI_Key:-$(_readaccountconf_mutable DPI_Key)}" + if [ -z "$DPI_Id" ] || [ -z "$DPI_Key" ]; then + DPI_Id="" + DPI_Key="" + _err "You don't specify dnspod api key and key id yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable DPI_Id "$DPI_Id" + _saveaccountconf_mutable DPI_Key "$DPI_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + add_record "$_domain" "$_sub_domain" "$txtvalue" + +} + +#fulldomain txtvalue +dns_dpi_rm() { + fulldomain=$1 + txtvalue=$2 + + DPI_Id="${DPI_Id:-$(_readaccountconf_mutable DPI_Id)}" + DPI_Key="${DPI_Key:-$(_readaccountconf_mutable DPI_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + if ! _rest POST "Record.List" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then + _err "Record.Lis error." + return 1 + fi + + if _contains "$response" 'No records'; then + _info "Don't need to remove." + return 0 + fi + + record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2) + _debug record_id "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id." + return 1 + fi + + if ! _rest POST "Record.Remove" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then + _err "Record.Remove error." + return 1 + fi + + _contains "$response" "Operation successful" + +} + +#add the txt record. +#usage: root sub txtvalue +add_record() { + root=$1 + sub=$2 + txtvalue=$3 + fulldomain="$sub.$root" + + _info "Adding record" + + if ! _rest POST "Record.Create" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then + return 1 + fi + + _contains "$response" "Operation successful" || _contains "$response" "Domain record already exists" +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _rest POST "Domain.Info" "login_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then + return 1 + fi + + if _contains "$response" "Operation successful"; then + _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \") + _debug _domain_id "$_domain_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _debug _sub_domain "$_sub_domain" + _domain="$h" + _debug _domain "$_domain" + return 0 + fi + return 1 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +#Usage: method URI data +_rest() { + m="$1" + ep="$2" + data="$3" + _debug "$ep" + url="$REST_API/$ep" + + _debug url "$url" + + if [ "$m" = "GET" ]; then + response="$(_get "$url" | tr -d '\r')" + else + _debug2 data "$data" + response="$(_post "$data" "$url" | tr -d '\r')" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dreamhost.sh b/acme.sh-master/dnsapi/dns_dreamhost.sh new file mode 100644 index 0000000..a401793 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dreamhost.sh @@ -0,0 +1,97 @@ +#!/usr/bin/env sh + +#Author: RhinoLance +#Report Bugs here: https://github.com/RhinoLance/acme.sh +# + +#define the api endpoint +DH_API_ENDPOINT="https://api.dreamhost.com/" +querystring="" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dreamhost_add() { + fulldomain=$1 + txtvalue=$2 + + if ! validate "$fulldomain" "$txtvalue"; then + return 1 + fi + + querystring="key=$DH_API_KEY&cmd=dns-add_record&record=$fulldomain&type=TXT&value=$txtvalue" + if ! submit "$querystring"; then + return 1 + fi + + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_dreamhost_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! validate "$fulldomain" "$txtvalue"; then + return 1 + fi + + querystring="key=$DH_API_KEY&cmd=dns-remove_record&record=$fulldomain&type=TXT&value=$txtvalue" + if ! submit "$querystring"; then + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## + +#send the command to the api endpoint. +submit() { + querystring=$1 + + url="$DH_API_ENDPOINT?$querystring" + + _debug url "$url" + + if ! response="$(_get "$url")"; then + _err "Error <$1>" + return 1 + fi + + if [ -z "$2" ]; then + message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" + if [ -n "$message" ]; then + _err "$message" + return 1 + fi + fi + + _debug response "$response" + + return 0 +} + +#check that we have a valid API Key +validate() { + fulldomain=$1 + txtvalue=$2 + + _info "Using dreamhost" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + #retrieve the API key from the environment variable if it exists, otherwise look for a saved key. + DH_API_KEY="${DH_API_KEY:-$(_readaccountconf_mutable DH_API_KEY)}" + + if [ -z "$DH_API_KEY" ]; then + DH_API_KEY="" + _err "You didn't specify the DreamHost api key yet (export DH_API_KEY=\"\")" + _err "Please login to your control panel, create a key and try again." + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable DH_API_KEY "$DH_API_KEY" +} diff --git a/acme.sh-master/dnsapi/dns_duckdns.sh b/acme.sh-master/dnsapi/dns_duckdns.sh new file mode 100644 index 0000000..d6e1dbd --- /dev/null +++ b/acme.sh-master/dnsapi/dns_duckdns.sh @@ -0,0 +1,132 @@ +#!/usr/bin/env sh + +#Created by RaidenII, to use DuckDNS's API to add/remove text records +#06/27/2017 + +# Pass credentials before "acme.sh --issue --dns dns_duckdns ..." +# -- +# export DuckDNS_Token="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" +# -- +# +# Due to the fact that DuckDNS uses StartSSL as cert provider, --insecure may need to be used with acme.sh + +DuckDNS_API="https://www.duckdns.org/update" + +######## Public functions ###################### + +#Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_duckdns_add() { + fulldomain=$1 + txtvalue=$2 + + DuckDNS_Token="${DuckDNS_Token:-$(_readaccountconf_mutable DuckDNS_Token)}" + if [ -z "$DuckDNS_Token" ]; then + _err "You must export variable: DuckDNS_Token" + _err "The token for your DuckDNS account is necessary." + _err "You can look it up in your DuckDNS account." + return 1 + fi + + # Now save the credentials. + _saveaccountconf_mutable DuckDNS_Token "$DuckDNS_Token" + + # Unfortunately, DuckDNS does not seems to support lookup domain through API + # So I assume your credentials (which are your domain and token) are correct + # If something goes wrong, we will get a KO response from DuckDNS + + if ! _duckdns_get_domain; then + return 1 + fi + + # Now add the TXT record to DuckDNS + _info "Trying to add TXT record" + if _duckdns_rest GET "domains=$_duckdns_domain&token=$DuckDNS_Token&txt=$txtvalue"; then + if [ "$response" = "OK" ]; then + _info "TXT record has been successfully added to your DuckDNS domain." + _info "Note that all subdomains under this domain uses the same TXT record." + return 0 + else + _err "Errors happened during adding the TXT record, response=$response" + return 1 + fi + else + _err "Errors happened during adding the TXT record." + return 1 + fi +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_duckdns_rm() { + fulldomain=$1 + txtvalue=$2 + + DuckDNS_Token="${DuckDNS_Token:-$(_readaccountconf_mutable DuckDNS_Token)}" + if [ -z "$DuckDNS_Token" ]; then + _err "You must export variable: DuckDNS_Token" + _err "The token for your DuckDNS account is necessary." + _err "You can look it up in your DuckDNS account." + return 1 + fi + + if ! _duckdns_get_domain; then + return 1 + fi + + # Now remove the TXT record from DuckDNS + _info "Trying to remove TXT record" + if _duckdns_rest GET "domains=$_duckdns_domain&token=$DuckDNS_Token&txt=&clear=true"; then + if [ "$response" = "OK" ]; then + _info "TXT record has been successfully removed from your DuckDNS domain." + return 0 + else + _err "Errors happened during removing the TXT record, response=$response" + return 1 + fi + else + _err "Errors happened during removing the TXT record." + return 1 + fi +} + +#################### Private functions below ################################## + +# fulldomain may be 'domain.duckdns.org' (if using --domain-alias) or '_acme-challenge.domain.duckdns.org' +# either way, return 'domain'. (duckdns does not allow further subdomains and restricts domains to [a-z0-9-].) +_duckdns_get_domain() { + + # We'll extract the domain/username from full domain + _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?([a-z0-9-]+\.)+duckdns\.org' | sed -n 's/^\([^.]\{1,\}\.\)*\([a-z0-9-]\{1,\}\)\.duckdns\.org$/\2/p;')" + + if [ -z "$_duckdns_domain" ]; then + _err "Error extracting the domain." + return 1 + fi + + return 0 +} + +#Usage: method URI +_duckdns_rest() { + method=$1 + param="$2" + _debug param "$param" + url="$DuckDNS_API?$param" + if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ]; then + url="$url&verbose=true" + fi + _debug url "$url" + + # DuckDNS uses GET to update domain info + if [ "$method" = "GET" ]; then + response="$(_get "$url")" + _debug2 response "$response" + if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then + response="OK" + fi + else + _err "Unsupported method" + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_durabledns.sh b/acme.sh-master/dnsapi/dns_durabledns.sh new file mode 100644 index 0000000..677ae24 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_durabledns.sh @@ -0,0 +1,176 @@ +#!/usr/bin/env sh + +#DD_API_User="xxxxx" +#DD_API_Key="xxxxxx" + +_DD_BASE="https://durabledns.com/services/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_durabledns_add() { + fulldomain=$1 + txtvalue=$2 + + DD_API_User="${DD_API_User:-$(_readaccountconf_mutable DD_API_User)}" + DD_API_Key="${DD_API_Key:-$(_readaccountconf_mutable DD_API_Key)}" + if [ -z "$DD_API_User" ] || [ -z "$DD_API_Key" ]; then + DD_API_User="" + DD_API_Key="" + _err "You didn't specify a durabledns api user or key yet." + _err "You can get yours from here https://durabledns.com/dashboard/index.php" + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable DD_API_User "$DD_API_User" + _saveaccountconf_mutable DD_API_Key "$DD_API_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _dd_soap createRecord string zonename "$_domain." string name "$_sub_domain" string type "TXT" string data "$txtvalue" int aux 0 int ttl 10 string ddns_enabled N + _contains "$response" "createRecordResponse" +} + +dns_durabledns_rm() { + fulldomain=$1 + txtvalue=$2 + + DD_API_User="${DD_API_User:-$(_readaccountconf_mutable DD_API_User)}" + DD_API_Key="${DD_API_Key:-$(_readaccountconf_mutable DD_API_Key)}" + if [ -z "$DD_API_User" ] || [ -z "$DD_API_Key" ]; then + DD_API_User="" + DD_API_Key="" + _err "You didn't specify a durabledns api user or key yet." + _err "You can get yours from here https://durabledns.com/dashboard/index.php" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Find record id" + if ! _dd_soap listRecords string zonename "$_domain."; then + _err "can not listRecords" + return 1 + fi + + subtxt="$(echo "$txtvalue" | cut -c 1-30)" + record="$(echo "$response" | sed 's//#/g' | tr '#' '\n' | grep ">$subtxt")" + _debug record "$record" + if [ -z "$record" ]; then + _err "can not find record for txtvalue" "$txtvalue" + _err "$response" + return 1 + fi + + recordid="$(echo "$record" | _egrep_o '[0-9]*' | cut -d '>' -f 2 | cut -d '<' -f 1)" + _debug recordid "$recordid" + if [ -z "$recordid" ]; then + _err "can not find record id" + return 1 + fi + + if ! _dd_soap deleteRecord string zonename "$_domain." int id "$recordid"; then + _err "delete error" + return 1 + fi + + _contains "$response" "Success" +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + if ! _dd_soap "listZones"; then + return 1 + fi + + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" ">$h."; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 + +} + +#method +_dd_soap() { + _method="$1" + shift + _urn="${_method}wsdl" + # put the parameters to xml + body=" + $DD_API_User + $DD_API_Key + " + while [ "$1" ]; do + _t="$1" + shift + _k="$1" + shift + _v="$1" + shift + body="$body<$_k xsi:type=\"xsd:$_t\">$_v" + done + body="$body" + _debug2 "SOAP request ${body}" + + # build SOAP XML + _xml=' + + '"$body"' +' + + _debug2 _xml "$_xml" + # set SOAP headers + _action="SOAPAction: \"urn:$_urn#$_method\"" + _debug2 "_action" "$_action" + export _H1="$_action" + export _H2="Content-Type: text/xml; charset=utf-8" + + _url="$_DD_BASE/$_method.php" + _debug "_url" "$_url" + if ! response="$(_post "${_xml}" "${_url}")"; then + _err "Error <$1>" + return 1 + fi + _debug2 "response" "$response" + response="$(echo "$response" | tr -d "\r\n" | _egrep_o ":${_method}Response .*:${_method}Response><")" + _debug2 "response" "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dyn.sh b/acme.sh-master/dnsapi/dns_dyn.sh new file mode 100644 index 0000000..024e0a3 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dyn.sh @@ -0,0 +1,339 @@ +#!/usr/bin/env sh +# +# Dyn.com Domain API +# +# Author: Gerd Naschenweng +# https://github.com/magicdude4eva +# +# Dyn Managed DNS API +# https://help.dyn.com/dns-api-knowledge-base/ +# +# It is recommended to add a "Dyn Managed DNS" user specific for API access. +# The "Zones & Records Permissions" required by this script are: +# -- +# RecordAdd +# RecordUpdate +# RecordDelete +# RecordGet +# ZoneGet +# ZoneAddNode +# ZoneRemoveNode +# ZonePublish +# -- +# +# Pass credentials before "acme.sh --issue --dns dns_dyn ..." +# -- +# export DYN_Customer="customer" +# export DYN_Username="apiuser" +# export DYN_Password="secret" +# -- + +DYN_API="https://api.dynect.net/REST" + +#REST_API +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "Challenge-code" +dns_dyn_add() { + fulldomain="$1" + txtvalue="$2" + + DYN_Customer="${DYN_Customer:-$(_readaccountconf_mutable DYN_Customer)}" + DYN_Username="${DYN_Username:-$(_readaccountconf_mutable DYN_Username)}" + DYN_Password="${DYN_Password:-$(_readaccountconf_mutable DYN_Password)}" + if [ -z "$DYN_Customer" ] || [ -z "$DYN_Username" ] || [ -z "$DYN_Password" ]; then + DYN_Customer="" + DYN_Username="" + DYN_Password="" + _err "You must export variables: DYN_Customer, DYN_Username and DYN_Password" + return 1 + fi + + #save the config variables to the account conf file. + _saveaccountconf_mutable DYN_Customer "$DYN_Customer" + _saveaccountconf_mutable DYN_Username "$DYN_Username" + _saveaccountconf_mutable DYN_Password "$DYN_Password" + + if ! _dyn_get_authtoken; then + return 1 + fi + + if [ -z "$_dyn_authtoken" ]; then + _dyn_end_session + return 1 + fi + + if ! _dyn_get_zone; then + _dyn_end_session + return 1 + fi + + if ! _dyn_add_record; then + _dyn_end_session + return 1 + fi + + if ! _dyn_publish_zone; then + _dyn_end_session + return 1 + fi + + _dyn_end_session + + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_dyn_rm() { + fulldomain="$1" + txtvalue="$2" + + DYN_Customer="${DYN_Customer:-$(_readaccountconf_mutable DYN_Customer)}" + DYN_Username="${DYN_Username:-$(_readaccountconf_mutable DYN_Username)}" + DYN_Password="${DYN_Password:-$(_readaccountconf_mutable DYN_Password)}" + if [ -z "$DYN_Customer" ] || [ -z "$DYN_Username" ] || [ -z "$DYN_Password" ]; then + DYN_Customer="" + DYN_Username="" + DYN_Password="" + _err "You must export variables: DYN_Customer, DYN_Username and DYN_Password" + return 1 + fi + + if ! _dyn_get_authtoken; then + return 1 + fi + + if [ -z "$_dyn_authtoken" ]; then + _dyn_end_session + return 1 + fi + + if ! _dyn_get_zone; then + _dyn_end_session + return 1 + fi + + if ! _dyn_get_record_id; then + _dyn_end_session + return 1 + fi + + if [ -z "$_dyn_record_id" ]; then + _dyn_end_session + return 1 + fi + + if ! _dyn_rm_record; then + _dyn_end_session + return 1 + fi + + if ! _dyn_publish_zone; then + _dyn_end_session + return 1 + fi + + _dyn_end_session + + return 0 +} + +#################### Private functions below ################################## + +#get Auth-Token +_dyn_get_authtoken() { + + _info "Start Dyn API Session" + + data="{\"customer_name\":\"$DYN_Customer\", \"user_name\":\"$DYN_Username\", \"password\":\"$DYN_Password\"}" + dyn_url="$DYN_API/Session/" + method="POST" + + _debug data "$data" + _debug dyn_url "$dyn_url" + + export _H1="Content-Type: application/json" + + response="$(_post "$data" "$dyn_url" "" "$method")" + sessionstatus="$(printf "%s\n" "$response" | _egrep_o '"status" *: *"[^"]*' | _head_n 1 | sed 's#^"status" *: *"##')" + + _debug response "$response" + _debug sessionstatus "$sessionstatus" + + if [ "$sessionstatus" = "success" ]; then + _dyn_authtoken="$(printf "%s\n" "$response" | _egrep_o '"token" *: *"[^"]*' | _head_n 1 | sed 's#^"token" *: *"##')" + _info "Token received" + _debug _dyn_authtoken "$_dyn_authtoken" + return 0 + fi + + _dyn_authtoken="" + _err "get token failed" + return 1 +} + +#fulldomain=_acme-challenge.www.domain.com +#returns +# _dyn_zone=domain.com +_dyn_get_zone() { + i=2 + while true; do + domain="$(printf "%s" "$fulldomain" | cut -d . -f "$i-100")" + if [ -z "$domain" ]; then + break + fi + + dyn_url="$DYN_API/Zone/$domain/" + + export _H1="Auth-Token: $_dyn_authtoken" + export _H2="Content-Type: application/json" + + response="$(_get "$dyn_url" "" "")" + sessionstatus="$(printf "%s\n" "$response" | _egrep_o '"status" *: *"[^"]*' | _head_n 1 | sed 's#^"status" *: *"##')" + + _debug dyn_url "$dyn_url" + _debug response "$response" + _debug sessionstatus "$sessionstatus" + + if [ "$sessionstatus" = "success" ]; then + _dyn_zone="$domain" + return 0 + fi + i=$(_math "$i" + 1) + done + + _dyn_zone="" + _err "get zone failed" + return 1 +} + +#add TXT record +_dyn_add_record() { + + _info "Adding TXT record" + + data="{\"rdata\":{\"txtdata\":\"$txtvalue\"},\"ttl\":\"300\"}" + dyn_url="$DYN_API/TXTRecord/$_dyn_zone/$fulldomain/" + method="POST" + + export _H1="Auth-Token: $_dyn_authtoken" + export _H2="Content-Type: application/json" + + response="$(_post "$data" "$dyn_url" "" "$method")" + sessionstatus="$(printf "%s\n" "$response" | _egrep_o '"status" *: *"[^"]*' | _head_n 1 | sed 's#^"status" *: *"##')" + + _debug response "$response" + _debug sessionstatus "$sessionstatus" + + if [ "$sessionstatus" = "success" ]; then + _info "TXT Record successfully added" + return 0 + fi + + _err "add TXT record failed" + return 1 +} + +#publish the zone +_dyn_publish_zone() { + + _info "Publishing zone" + + data="{\"publish\":\"true\"}" + dyn_url="$DYN_API/Zone/$_dyn_zone/" + method="PUT" + + export _H1="Auth-Token: $_dyn_authtoken" + export _H2="Content-Type: application/json" + + response="$(_post "$data" "$dyn_url" "" "$method")" + sessionstatus="$(printf "%s\n" "$response" | _egrep_o '"status" *: *"[^"]*' | _head_n 1 | sed 's#^"status" *: *"##')" + + _debug response "$response" + _debug sessionstatus "$sessionstatus" + + if [ "$sessionstatus" = "success" ]; then + _info "Zone published" + return 0 + fi + + _err "publish zone failed" + return 1 +} + +#get record_id of TXT record so we can delete the record +_dyn_get_record_id() { + + _info "Getting record_id of TXT record" + + dyn_url="$DYN_API/TXTRecord/$_dyn_zone/$fulldomain/" + + export _H1="Auth-Token: $_dyn_authtoken" + export _H2="Content-Type: application/json" + + response="$(_get "$dyn_url" "" "")" + sessionstatus="$(printf "%s\n" "$response" | _egrep_o '"status" *: *"[^"]*' | _head_n 1 | sed 's#^"status" *: *"##')" + + _debug response "$response" + _debug sessionstatus "$sessionstatus" + + if [ "$sessionstatus" = "success" ]; then + _dyn_record_id="$(printf "%s\n" "$response" | _egrep_o "\"data\" *: *\[\"/REST/TXTRecord/$_dyn_zone/$fulldomain/[^\"]*" | _head_n 1 | sed "s#^\"data\" *: *\[\"/REST/TXTRecord/$_dyn_zone/$fulldomain/##")" + _debug _dyn_record_id "$_dyn_record_id" + return 0 + fi + + _dyn_record_id="" + _err "getting record_id failed" + return 1 +} + +#delete TXT record +_dyn_rm_record() { + + _info "Deleting TXT record" + + dyn_url="$DYN_API/TXTRecord/$_dyn_zone/$fulldomain/$_dyn_record_id/" + method="DELETE" + + _debug dyn_url "$dyn_url" + + export _H1="Auth-Token: $_dyn_authtoken" + export _H2="Content-Type: application/json" + + response="$(_post "" "$dyn_url" "" "$method")" + sessionstatus="$(printf "%s\n" "$response" | _egrep_o '"status" *: *"[^"]*' | _head_n 1 | sed 's#^"status" *: *"##')" + + _debug response "$response" + _debug sessionstatus "$sessionstatus" + + if [ "$sessionstatus" = "success" ]; then + _info "TXT record successfully deleted" + return 0 + fi + + _err "delete TXT record failed" + return 1 +} + +#logout +_dyn_end_session() { + + _info "End Dyn API Session" + + dyn_url="$DYN_API/Session/" + method="DELETE" + + _debug dyn_url "$dyn_url" + + export _H1="Auth-Token: $_dyn_authtoken" + export _H2="Content-Type: application/json" + + response="$(_post "" "$dyn_url" "" "$method")" + + _debug response "$response" + + _dyn_authtoken="" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dynu.sh b/acme.sh-master/dnsapi/dns_dynu.sh new file mode 100644 index 0000000..406ef17 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dynu.sh @@ -0,0 +1,232 @@ +#!/usr/bin/env sh + +#Client ID +#Dynu_ClientId="0b71cae7-a099-4f6b-8ddf-94571cdb760d" +# +#Secret +#Dynu_Secret="aCUEY4BDCV45KI8CSIC3sp2LKQ9" +# +#Token +Dynu_Token="" +# +#Endpoint +Dynu_EndPoint="https://api.dynu.com/v2" +# +#Author: Dynu Systems, Inc. +#Report Bugs here: https://github.com/shar0119/acme.sh +# +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dynu_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$Dynu_ClientId" ] || [ -z "$Dynu_Secret" ]; then + Dynu_ClientId="" + Dynu_Secret="" + _err "Dynu client id and secret is not specified." + _err "Please create you API client id and secret and try again." + return 1 + fi + + #save the client id and secret to the account conf file. + _saveaccountconf Dynu_ClientId "$Dynu_ClientId" + _saveaccountconf Dynu_Secret "$Dynu_Secret" + + if [ -z "$Dynu_Token" ]; then + _info "Getting Dynu token." + if ! _dynu_authentication; then + _err "Can not get token." + fi + fi + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "Invalid domain." + return 1 + fi + + _debug _node "$_node" + _debug _domain_name "$_domain_name" + + _info "Creating TXT record." + if ! _dynu_rest POST "dns/$dnsId/record" "{\"domainId\":\"$dnsId\",\"nodeName\":\"$_node\",\"recordType\":\"TXT\",\"textData\":\"$txtvalue\",\"state\":true,\"ttl\":90}"; then + return 1 + fi + + if ! _contains "$response" "200"; then + _err "Could not add TXT record." + return 1 + fi + + return 0 +} + +#Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dynu_rm() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$Dynu_ClientId" ] || [ -z "$Dynu_Secret" ]; then + Dynu_ClientId="" + Dynu_Secret="" + _err "Dynu client id and secret is not specified." + _err "Please create you API client id and secret and try again." + return 1 + fi + + #save the client id and secret to the account conf file. + _saveaccountconf Dynu_ClientId "$Dynu_ClientId" + _saveaccountconf Dynu_Secret "$Dynu_Secret" + + if [ -z "$Dynu_Token" ]; then + _info "Getting Dynu token." + if ! _dynu_authentication; then + _err "Can not get token." + fi + fi + + _debug "Detect root zone." + if ! _get_root "$fulldomain"; then + _err "Invalid domain." + return 1 + fi + + _debug _node "$_node" + _debug _domain_name "$_domain_name" + + _info "Checking for TXT record." + if ! _get_recordid "$fulldomain" "$txtvalue"; then + _err "Could not get TXT record id." + return 1 + fi + + if [ "$_dns_record_id" = "" ]; then + _err "TXT record not found." + return 1 + fi + + _info "Removing TXT record." + if ! _delete_txt_record "$_dns_record_id"; then + _err "Could not remove TXT record $_dns_record_id." + fi + + return 0 +} + +######## Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _node=_acme-challenge.www +# _domain_name=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _dynu_rest GET "dns/getroot/$h"; then + return 1 + fi + + if _contains "$response" "\"domainName\":\"$h\"" >/dev/null; then + dnsId=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 2 | cut -d : -f 2) + _domain_name=$h + _node=$(printf "%s" "$domain" | cut -d . -f 1-$p) + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 + +} + +_get_recordid() { + fulldomain=$1 + txtvalue=$2 + + if ! _dynu_rest GET "dns/$dnsId/record"; then + return 1 + fi + + if ! _contains "$response" "$txtvalue"; then + _dns_record_id=0 + return 0 + fi + + _dns_record_id=$(printf "%s" "$response" | sed -e 's/[^{]*\({[^}]*}\)[^{]*/\1\n/g' | grep "\"textData\":\"$txtvalue\"" | sed -e 's/.*"id":\([^,]*\).*/\1/') + return 0 +} + +_delete_txt_record() { + _dns_record_id=$1 + + if ! _dynu_rest DELETE "dns/$dnsId/record/$_dns_record_id"; then + return 1 + fi + + if ! _contains "$response" "200"; then + return 1 + fi + + return 0 +} + +_dynu_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Authorization: Bearer $Dynu_Token" + export _H2="Content-Type: application/json" + + if [ "$data" ] || [ "$m" = "DELETE" ]; then + _debug data "$data" + response="$(_post "$data" "$Dynu_EndPoint/$ep" "" "$m")" + else + _info "Getting $Dynu_EndPoint/$ep" + response="$(_get "$Dynu_EndPoint/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_dynu_authentication() { + realm="$(printf "%s" "$Dynu_ClientId:$Dynu_Secret" | _base64)" + + export _H1="Authorization: Basic $realm" + export _H2="Content-Type: application/json" + + response="$(_get "$Dynu_EndPoint/oauth2/token")" + if [ "$?" != "0" ]; then + _err "Authentication failed." + return 1 + fi + if _contains "$response" "Authentication Exception"; then + _err "Authentication failed." + return 1 + fi + if _contains "$response" "access_token"; then + Dynu_Token=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 1 | cut -d : -f 2 | cut -d '"' -f 2) + fi + if _contains "$Dynu_Token" "null"; then + Dynu_Token="" + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_dynv6.sh b/acme.sh-master/dnsapi/dns_dynv6.sh new file mode 100644 index 0000000..90814b1 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_dynv6.sh @@ -0,0 +1,285 @@ +#!/usr/bin/env sh +#Author StefanAbl +#Usage specify a private keyfile to use with dynv6 'export KEY="path/to/keyfile"' +#or use the HTTP REST API by by specifying a token 'export DYNV6_TOKEN="value" +#if no keyfile is specified, you will be asked if you want to create one in /home/$USER/.ssh/dynv6 and /home/$USER/.ssh/dynv6.pub + +dynv6_api="https://dynv6.com/api/v2" +######## Public functions ##################### +# Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide +#Usage: dns_dynv6_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_dynv6_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using dynv6 api" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _get_authentication + if [ "$dynv6_token" ]; then + _dns_dynv6_add_http + return $? + else + _info "using key file $dynv6_keyfile" + _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)" + if ! _get_domain "$fulldomain" "$_your_hosts"; then + _err "Host not found on your account" + return 1 + fi + _debug "found host on your account" + returnval="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts \""$_host"\" records set \""$_record"\" txt data \""$txtvalue"\")" + _debug "Dynv6 returned this after record was added: $returnval" + if _contains "$returnval" "created"; then + return 0 + elif _contains "$returnval" "updated"; then + return 0 + else + _err "Something went wrong! it does not seem like the record was added successfully" + return 1 + fi + return 1 + fi + return 1 +} +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_dynv6_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using dynv6 API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _get_authentication + if [ "$dynv6_token" ]; then + _dns_dynv6_rm_http + return $? + else + _info "using key file $dynv6_keyfile" + _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)" + if ! _get_domain "$fulldomain" "$_your_hosts"; then + _err "Host not found on your account" + return 1 + fi + _debug "found host on your account" + _info "$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts "\"$_host\"" records del "\"$_record\"" txt)" + return 0 + fi +} +#################### Private functions below ################################## +#Usage: No Input required +#returns +#dynv6_keyfile the path to the new key file that has been generated +_generate_new_key() { + dynv6_keyfile="$(eval echo ~"$USER")/.ssh/dynv6" + _info "Path to key file used: $dynv6_keyfile" + if [ ! -f "$dynv6_keyfile" ] && [ ! -f "$dynv6_keyfile.pub" ]; then + _debug "generating key in $dynv6_keyfile and $dynv6_keyfile.pub" + ssh-keygen -f "$dynv6_keyfile" -t ssh-ed25519 -N '' + else + _err "There is already a file in $dynv6_keyfile or $dynv6_keyfile.pub" + return 1 + fi +} + +#Usage: _acme-challenge.www.example.dynv6.net "$_your_hosts" +#where _your_hosts is the output of ssh -i ~/.ssh/dynv6.pub api@dynv6.com hosts +#returns +#_host= example.dynv6.net +#_record=_acme-challenge.www +#aborts if not a valid domain +_get_domain() { + #_your_hosts="$(ssh -i ~/.ssh/dynv6.pub api@dynv6.com hosts)" + _full_domain="$1" + _your_hosts="$2" + + _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')" + for l in $_your_hosts; do + #echo "host: $l" + if test "${_full_domain#*"$l"}" != "$_full_domain"; then + _record=${_full_domain%."$l"} + _host=$l + _debug "The host is $_host and the record $_record" + return 0 + fi + done + _err "Either their is no such host on your dnyv6 account or it cannot be accessed with this key" + return 1 +} + +# Usage: No input required +#returns +#dynv6_keyfile path to the key that will be used +_get_authentication() { + dynv6_token="${DYNV6_TOKEN:-$(_readaccountconf_mutable dynv6_token)}" + if [ "$dynv6_token" ]; then + _debug "Found HTTP Token. Going to use the HTTP API and not the SSH API" + if [ "$DYNV6_TOKEN" ]; then + _saveaccountconf_mutable dynv6_token "$dynv6_token" + fi + else + _debug "no HTTP token found. Looking for an SSH key" + dynv6_keyfile="${dynv6_keyfile:-$(_readaccountconf_mutable dynv6_keyfile)}" + _debug "Your key is $dynv6_keyfile" + if [ -z "$dynv6_keyfile" ]; then + if [ -z "$KEY" ]; then + _err "You did not specify a key to use with dynv6" + _info "Creating new dynv6 API key to add to dynv6.com" + _generate_new_key + _info "Please add this key to dynv6.com $(cat "$dynv6_keyfile.pub")" + _info "Hit Enter to continue" + read -r _ + #save the credentials to the account conf file. + else + dynv6_keyfile="$KEY" + fi + _saveaccountconf_mutable dynv6_keyfile "$dynv6_keyfile" + fi + fi +} + +_dns_dynv6_add_http() { + _debug "Got HTTP token form _get_authentication method. Going to use the HTTP API" + if ! _get_zone_id "$fulldomain"; then + _err "Could not find a matching zone for $fulldomain. Maybe your HTTP Token is not authorized to access the zone" + return 1 + fi + _get_zone_name "$_zone_id" + record=${fulldomain%%."$_zone_name"} + _set_record TXT "$record" "$txtvalue" + if _contains "$response" "$txtvalue"; then + _info "Successfully added record" + return 0 + else + _err "Something went wrong while adding the record" + return 1 + fi +} + +_dns_dynv6_rm_http() { + _debug "Got HTTP token form _get_authentication method. Going to use the HTTP API" + if ! _get_zone_id "$fulldomain"; then + _err "Could not find a matching zone for $fulldomain. Maybe your HTTP Token is not authorized to access the zone" + return 1 + fi + _get_zone_name "$_zone_id" + record=${fulldomain%%."$_zone_name"} + _get_record_id "$_zone_id" "$record" "$txtvalue" + _del_record "$_zone_id" "$_record_id" + if [ -z "$response" ]; then + _info "Successfully deleted record" + return 0 + else + _err "Something went wrong while deleting the record" + return 1 + fi +} + +#get the zoneid for a specifc record or zone +#usage: _get_zone_id §record +#where $record is the record to get the id for +#returns _zone_id the id of the zone +_get_zone_id() { + record="$1" + _debug "getting zone id for $record" + _dynv6_rest GET zones + + zones="$(echo "$response" | tr '}' '\n' | tr ',' '\n' | grep name | sed 's/\[//g' | tr -d '{' | tr -d '"')" + #echo $zones + + selected="" + for z in $zones; do + z="${z#name:}" + _debug zone: "$z" + if _contains "$record" "$z"; then + _debug "$z found in $record" + selected="$z" + fi + done + if [ -z "$selected" ]; then + _err "no zone found" + return 1 + fi + + zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')" + _zone_id="${zone_id#id:}" + _debug "zone id: $_zone_id" +} + +_get_zone_name() { + _zone_id="$1" + _dynv6_rest GET zones/"$_zone_id" + _zone_name="$(echo "$response" | tr ',' '\n' | tr -d '{' | grep name | tr -d '"')" + _zone_name="${_zone_name#name:}" +} + +#usaage _get_record_id $zone_id $record +# where zone_id is thevalue returned by _get_zone_id +# and record ist in the form _acme.www for an fqdn of _acme.www.example.com +# returns _record_id +_get_record_id() { + _zone_id="$1" + record="$2" + value="$3" + _dynv6_rest GET "zones/$_zone_id/records" + if ! _get_record_id_from_response "$response"; then + _err "no such record $record found in zone $_zone_id" + return 1 + fi +} + +_get_record_id_from_response() { + response="$1" + _record_id="$(echo "$response" | tr '}' '\n' | grep "\"name\":\"$record\"" | grep "\"data\":\"$value\"" | tr ',' '\n' | grep id | tr -d '"' | tr -d 'id:')" + #_record_id="${_record_id#id:}" + if [ -z "$_record_id" ]; then + _err "no such record: $record found in zone $_zone_id" + return 1 + fi + _debug "record id: $_record_id" + return 0 +} +#usage: _set_record TXT _acme_challenge.www longvalue 12345678 +#zone id is optional can also be set as vairable bevor calling this method +_set_record() { + type="$1" + record="$2" + value="$3" + if [ "$4" ]; then + _zone_id="$4" + fi + data="{\"name\": \"$record\", \"data\": \"$value\", \"type\": \"$type\"}" + #data='{ "name": "acme.test.thorn.dynv6.net", "type": "A", "data": "192.168.0.1"}' + echo "$data" + #"{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":120}" + _dynv6_rest POST "zones/$_zone_id/records" "$data" +} +_del_record() { + _zone_id=$1 + _record_id=$2 + _dynv6_rest DELETE zones/"$_zone_id"/records/"$_record_id" +} + +_dynv6_rest() { + m=$1 #method GET,POST,DELETE or PUT + ep="$2" #the endpoint + data="$3" + _debug "$ep" + + token_trimmed=$(echo "$dynv6_token" | tr -d '"') + + export _H1="Authorization: Bearer $token_trimmed" + export _H2="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$dynv6_api/$ep" "" "$m")" + else + response="$(_get "$dynv6_api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_easydns.sh b/acme.sh-master/dnsapi/dns_easydns.sh new file mode 100644 index 0000000..ab47a0b --- /dev/null +++ b/acme.sh-master/dnsapi/dns_easydns.sh @@ -0,0 +1,171 @@ +#!/usr/bin/env sh + +####################################################### +# +# easyDNS REST API for acme.sh by Neilpang based on dns_cf.sh +# +# API Documentation: https://sandbox.rest.easydns.net:3001/ +# +# Author: wurzelpanzer [wurzelpanzer@maximolider.net] +# Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/2647 +# +#################### Public functions ################# + +#EASYDNS_Key="xxxxxxxxxxxxxxxxxxxxxxxx" +#EASYDNS_Token="xxxxxxxxxxxxxxxxxxxxxxxx" +EASYDNS_Api="https://rest.easydns.net" + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_easydns_add() { + fulldomain=$1 + txtvalue=$2 + + EASYDNS_Token="${EASYDNS_Token:-$(_readaccountconf_mutable EASYDNS_Token)}" + EASYDNS_Key="${EASYDNS_Key:-$(_readaccountconf_mutable EASYDNS_Key)}" + + if [ -z "$EASYDNS_Token" ] || [ -z "$EASYDNS_Key" ]; then + _err "You didn't specify an easydns.net token or api key. Signup at https://cp.easydns.com/manage/security/api/signup.php" + return 1 + else + _saveaccountconf_mutable EASYDNS_Token "$EASYDNS_Token" + _saveaccountconf_mutable EASYDNS_Key "$EASYDNS_Key" + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _EASYDNS_rest GET "zones/records/all/${_domain}/search/${_sub_domain}" + + if ! printf "%s" "$response" | grep \"status\":200 >/dev/null; then + _err "Error" + return 1 + fi + + _info "Adding record" + if _EASYDNS_rest PUT "zones/records/add/$_domain/TXT" "{\"host\":\"$_sub_domain\",\"rdata\":\"$txtvalue\"}"; then + if _contains "$response" "\"status\":201"; then + _info "Added, OK" + return 0 + elif _contains "$response" "Record already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +dns_easydns_rm() { + fulldomain=$1 + txtvalue=$2 + + EASYDNS_Token="${EASYDNS_Token:-$(_readaccountconf_mutable EASYDNS_Token)}" + EASYDNS_Key="${EASYDNS_Key:-$(_readaccountconf_mutable EASYDNS_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _EASYDNS_rest GET "zones/records/all/${_domain}/search/${_sub_domain}" + + if ! printf "%s" "$response" | grep \"status\":200 >/dev/null; then + _err "Error" + return 1 + fi + + count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1) + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _EASYDNS_rest DELETE "zones/records/$_domain/$record_id"; then + _err "Delete record error." + return 1 + fi + _contains "$response" "\"status\":200" + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _EASYDNS_rest GET "zones/records/all/$h"; then + return 1 + fi + + if _contains "$response" "\"status\":200"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_EASYDNS_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + basicauth=$(printf "%s" "$EASYDNS_Token":"$EASYDNS_Key" | _base64) + + export _H1="accept: application/json" + if [ "$basicauth" ]; then + export _H2="Authorization: Basic $basicauth" + fi + + if [ "$m" != "GET" ]; then + export _H3="Content-Type: application/json" + _debug data "$data" + response="$(_post "$data" "$EASYDNS_Api/$ep" "" "$m")" + else + response="$(_get "$EASYDNS_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_edgedns.sh b/acme.sh-master/dnsapi/dns_edgedns.sh new file mode 100644 index 0000000..27650eb --- /dev/null +++ b/acme.sh-master/dnsapi/dns_edgedns.sh @@ -0,0 +1,470 @@ +#!/usr/bin/env sh + +# Akamai Edge DNS v2 API +# User must provide Open Edgegrid API credentials to the EdgeDNS installation. The remote user in EdgeDNS must have CRUD access to +# Edge DNS Zones and Recordsets, e.g. DNS—Zone Record Management authorization + +# Report bugs to https://control.akamai.com/apps/support-ui/#/contact-support + +# Values to export: +# --EITHER-- +# *** TBD. NOT IMPLEMENTED YET *** +# specify Edgegrid credentials file and section +# AKAMAI_EDGERC= +# AKAMAI_EDGERC_SECTION="default" +## --OR-- +# specify indiviual credentials +# export AKAMAI_HOST = +# export AKAMAI_ACCESS_TOKEN = +# export AKAMAI_CLIENT_TOKEN = +# export AKAMAI_CLIENT_SECRET = + +ACME_EDGEDNS_VERSION="0.1.0" + +######## Public functions ##################### + +# Usage: dns_edgedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +# +dns_edgedns_add() { + fulldomain=$1 + txtvalue=$2 + _debug "ENTERING DNS_EDGEDNS_ADD" + _debug2 "fulldomain" "$fulldomain" + _debug2 "txtvalue" "$txtvalue" + + if ! _EDGEDNS_credentials; then + _err "$@" + return 1 + fi + if ! _EDGEDNS_getZoneInfo "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + _debug2 "Add: zone" "$zone" + acmeRecordURI=$(printf "%s/%s/names/%s/types/TXT" "$edge_endpoint" "$zone" "$fulldomain") + _debug3 "Add URL" "$acmeRecordURI" + # Get existing TXT record + _edge_result=$(_edgedns_rest GET "$acmeRecordURI") + _api_status="$?" + _debug3 "_edge_result" "$_edge_result" + if [ "$_api_status" -ne 0 ]; then + if [ "$curResult" = "FATAL" ]; then + _err "$(printf "Fatal error: acme API function call : %s" "$retVal")" + fi + if [ "$_edge_result" != "404" ]; then + _err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")" + return 1 + fi + fi + rdata="\"${txtvalue}\"" + record_op="POST" + if [ "$_api_status" -eq 0 ]; then + # record already exists. Get existing record data and update + record_op="PUT" + rdlist="${_edge_result#*\"rdata\":[}" + rdlist="${rdlist%%]*}" + rdlist=$(echo "$rdlist" | tr -d '"' | tr -d "\\\\") + _debug3 "existing TXT found" + _debug3 "record data" "$rdlist" + # value already there? + if _contains "$rdlist" "$txtvalue"; then + return 0 + fi + _txt_val="" + while [ "$_txt_val" != "$rdlist" ] && [ "${rdlist}" ]; do + _txt_val="${rdlist%%,*}" + rdlist="${rdlist#*,}" + rdata="${rdata},\"${_txt_val}\"" + done + fi + # Add the txtvalue TXT Record + body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":"[${rdata}]"}" + _debug3 "Add body '${body}'" + _edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body") + _api_status="$?" + if [ "$_api_status" -eq 0 ]; then + _log "$(printf "Text value %s added to recordset %s" "$txtvalue" "$fulldomain")" + return 0 + else + _err "$(printf "error adding TXT record for validation. Error: %s" "$_edge_result")" + return 1 + fi +} + +# Usage: dns_edgedns_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to delete txt record +# +dns_edgedns_rm() { + fulldomain=$1 + txtvalue=$2 + _debug "ENTERING DNS_EDGEDNS_RM" + _debug2 "fulldomain" "$fulldomain" + _debug2 "txtvalue" "$txtvalue" + + if ! _EDGEDNS_credentials; then + _err "$@" + return 1 + fi + if ! _EDGEDNS_getZoneInfo "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + _debug2 "RM: zone" "${zone}" + acmeRecordURI=$(printf "%s/%s/names/%s/types/TXT" "${edge_endpoint}" "$zone" "$fulldomain") + _debug3 "RM URL" "$acmeRecordURI" + # Get existing TXT record + _edge_result=$(_edgedns_rest GET "$acmeRecordURI") + _api_status="$?" + if [ "$_api_status" -ne 0 ]; then + if [ "$curResult" = "FATAL" ]; then + _err "$(printf "Fatal error: acme API function call : %s" "$retVal")" + fi + if [ "$_edge_result" != "404" ]; then + _err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")" + return 1 + fi + fi + _debug3 "_edge_result" "$_edge_result" + record_op="DELETE" + body="" + if [ "$_api_status" -eq 0 ]; then + # record already exists. Get existing record data and update + rdlist="${_edge_result#*\"rdata\":[}" + rdlist="${rdlist%%]*}" + rdlist=$(echo "$rdlist" | tr -d '"' | tr -d "\\\\") + _debug3 "rdlist" "$rdlist" + if [ -n "$rdlist" ]; then + record_op="PUT" + comma="" + rdata="" + _txt_val="" + while [ "$_txt_val" != "$rdlist" ] && [ "$rdlist" ]; do + _txt_val="${rdlist%%,*}" + rdlist="${rdlist#*,}" + _debug3 "_txt_val" "$_txt_val" + _debug3 "txtvalue" "$txtvalue" + if ! _contains "$_txt_val" "$txtvalue"; then + rdata="${rdata}${comma}\"${_txt_val}\"" + comma="," + fi + done + if [ -z "$rdata" ]; then + record_op="DELETE" + else + # Recreate the txtvalue TXT Record + body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":"[${rdata}]"}" + _debug3 "body" "$body" + fi + fi + fi + _edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body") + _api_status="$?" + if [ "$_api_status" -eq 0 ]; then + _log "$(printf "Text value %s removed from recordset %s" "$txtvalue" "$fulldomain")" + return 0 + else + _err "$(printf "error removing TXT record for validation. Error: %s" "$_edge_result")" + return 1 + fi +} + +#################### Private functions below ################################## + +_EDGEDNS_credentials() { + _debug "GettingEdge DNS credentials" + _log "$(printf "ACME DNSAPI Edge DNS version %s" ${ACME_EDGEDNS_VERSION})" + args_missing=0 + AKAMAI_ACCESS_TOKEN="${AKAMAI_ACCESS_TOKEN:-$(_readaccountconf_mutable AKAMAI_ACCESS_TOKEN)}" + if [ -z "$AKAMAI_ACCESS_TOKEN" ]; then + AKAMAI_ACCESS_TOKEN="" + AKAMAI_CLIENT_TOKEN="" + AKAMAI_HOST="" + AKAMAI_CLIENT_SECRET="" + _err "AKAMAI_ACCESS_TOKEN is missing" + args_missing=1 + fi + AKAMAI_CLIENT_TOKEN="${AKAMAI_CLIENT_TOKEN:-$(_readaccountconf_mutable AKAMAI_CLIENT_TOKEN)}" + if [ -z "$AKAMAI_CLIENT_TOKEN" ]; then + AKAMAI_ACCESS_TOKEN="" + AKAMAI_CLIENT_TOKEN="" + AKAMAI_HOST="" + AKAMAI_CLIENT_SECRET="" + _err "AKAMAI_CLIENT_TOKEN is missing" + args_missing=1 + fi + AKAMAI_HOST="${AKAMAI_HOST:-$(_readaccountconf_mutable AKAMAI_HOST)}" + if [ -z "$AKAMAI_HOST" ]; then + AKAMAI_ACCESS_TOKEN="" + AKAMAI_CLIENT_TOKEN="" + AKAMAI_HOST="" + AKAMAI_CLIENT_SECRET="" + _err "AKAMAI_HOST is missing" + args_missing=1 + fi + AKAMAI_CLIENT_SECRET="${AKAMAI_CLIENT_SECRET:-$(_readaccountconf_mutable AKAMAI_CLIENT_SECRET)}" + if [ -z "$AKAMAI_CLIENT_SECRET" ]; then + AKAMAI_ACCESS_TOKEN="" + AKAMAI_CLIENT_TOKEN="" + AKAMAI_HOST="" + AKAMAI_CLIENT_SECRET="" + _err "AKAMAI_CLIENT_SECRET is missing" + args_missing=1 + fi + + if [ "$args_missing" = 1 ]; then + _err "You have not properly specified the EdgeDNS Open Edgegrid API credentials. Please try again." + return 1 + else + _saveaccountconf_mutable AKAMAI_ACCESS_TOKEN "$AKAMAI_ACCESS_TOKEN" + _saveaccountconf_mutable AKAMAI_CLIENT_TOKEN "$AKAMAI_CLIENT_TOKEN" + _saveaccountconf_mutable AKAMAI_HOST "$AKAMAI_HOST" + _saveaccountconf_mutable AKAMAI_CLIENT_SECRET "$AKAMAI_CLIENT_SECRET" + # Set whether curl should use secure or insecure mode + fi + export HTTPS_INSECURE=0 # All Edgegrid API calls are secure + edge_endpoint=$(printf "https://%s/config-dns/v2/zones" "$AKAMAI_HOST") + _debug3 "Edge API Endpoint:" "$edge_endpoint" + +} + +_EDGEDNS_getZoneInfo() { + _debug "Getting Zoneinfo" + zoneEnd=false + curZone=$1 + while [ -n "$zoneEnd" ]; do + # we can strip the first part of the fulldomain, since its just the _acme-challenge string + curZone="${curZone#*.}" + # suffix . needed for zone -> domain.tld. + # create zone get url + get_zone_url=$(printf "%s/%s" "$edge_endpoint" "$curZone") + _debug3 "Zone Get: " "${get_zone_url}" + curResult=$(_edgedns_rest GET "$get_zone_url") + retVal=$? + if [ "$retVal" -ne 0 ]; then + if [ "$curResult" = "FATAL" ]; then + _err "$(printf "Fatal error: acme API function call : %s" "$retVal")" + fi + if [ "$curResult" != "404" ]; then + _err "$(printf "Managed zone validation failed. Error response: %s" "$retVal")" + return 1 + fi + fi + if _contains "$curResult" "\"zone\":"; then + _debug2 "Zone data" "${curResult}" + zone=$(echo "${curResult}" | _egrep_o "\"zone\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"") + _debug3 "Zone" "${zone}" + zoneEnd="" + return 0 + fi + + if [ "${curZone#*.}" != "$curZone" ]; then + _debug3 "$(printf "%s still contains a '.' - so we can check next higher level" "$curZone")" + else + zoneEnd=true + _err "Couldn't retrieve zone data." + return 1 + fi + done + _err "Failed to retrieve zone data." + return 2 +} + +_edgedns_headers="" + +_edgedns_rest() { + _debug "Handling API Request" + m=$1 + # Assume endpoint is complete path, including query args if applicable + ep=$2 + body_data=$3 + _edgedns_content_type="" + _request_url_path="$ep" + _request_body="$body_data" + _request_method="$m" + _edgedns_headers="" + tab="" + _edgedns_headers="${_edgedns_headers}${tab}Host: ${AKAMAI_HOST}" + tab="\t" + # Set in acme.sh _post/_get + #_edgedns_headers="${_edgedns_headers}${tab}User-Agent:ACME DNSAPI Edge DNS version ${ACME_EDGEDNS_VERSION}" + _edgedns_headers="${_edgedns_headers}${tab}Accept: application/json,*/*" + if [ "$m" != "GET" ] && [ "$m" != "DELETE" ]; then + _edgedns_content_type="application/json" + _debug3 "_request_body" "$_request_body" + _body_len=$(echo "$_request_body" | tr -d "\n\r" | awk '{print length}') + _edgedns_headers="${_edgedns_headers}${tab}Content-Length: ${_body_len}" + fi + _edgedns_make_auth_header + _edgedns_headers="${_edgedns_headers}${tab}Authorization: ${_signed_auth_header}" + _secure_debug2 "Made Auth Header" "$_signed_auth_header" + hdr_indx=1 + work_header="${_edgedns_headers}${tab}" + _debug3 "work_header" "$work_header" + while [ "$work_header" ]; do + entry="${work_header%%\\t*}" + work_header="${work_header#*\\t}" + export "$(printf "_H%s=%s" "$hdr_indx" "$entry")" + _debug2 "Request Header " "$entry" + hdr_indx=$((hdr_indx + 1)) + done + + # clear headers from previous request to avoid getting wrong http code on timeouts + : >"$HTTP_HEADER" + _debug2 "$ep" + if [ "$m" != "GET" ]; then + _debug3 "Method data" "$data" + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response=$(_post "$_request_body" "$ep" false "$m" "$_edgedns_content_type") + else + response=$(_get "$ep") + fi + _ret="$?" + if [ "$_ret" -ne 0 ]; then + _err "$(printf "acme.sh API function call failed. Error: %s" "$_ret")" + echo "FATAL" + return "$_ret" + fi + _debug2 "response" "${response}" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug2 "http response code" "$_code" + if [ "$_code" = "200" ] || [ "$_code" = "201" ]; then + # All good + response="$(echo "${response}" | _normalizeJson)" + echo "$response" + return 0 + fi + + if [ "$_code" = "204" ]; then + # Success, no body + echo "$_code" + return 0 + fi + + if [ "$_code" = "400" ]; then + _err "Bad request presented" + _log "$(printf "Headers: %s" "$_edgedns_headers")" + _log "$(printf "Method: %s" "$_request_method")" + _log "$(printf "URL: %s" "$ep")" + _log "$(printf "Data: %s" "$data")" + fi + + if [ "$_code" = "403" ]; then + _err "access denied make sure your Edgegrid cedentials are correct." + fi + + echo "$_code" + return 1 +} + +_edgedns_eg_timestamp() { + _debug "Generating signature Timestamp" + _debug3 "Retriving ntp time" + _timeheaders="$(_get "https://www.ntp.org" "onlyheader")" + _debug3 "_timeheaders" "$_timeheaders" + _ntpdate="$(echo "$_timeheaders" | grep -i "Date:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")" + _debug3 "_ntpdate" "$_ntpdate" + _ntpdate="$(echo "${_ntpdate}" | sed -e 's/^[[:space:]]*//')" + _debug3 "_NTPDATE" "$_ntpdate" + _ntptime="$(echo "${_ntpdate}" | _head_n 1 | cut -d " " -f 5 | tr -d "\r\n")" + _debug3 "_ntptime" "$_ntptime" + _eg_timestamp=$(date -u "+%Y%m%dT") + _eg_timestamp="$(printf "%s%s+0000" "$_eg_timestamp" "$_ntptime")" + _debug "_eg_timestamp" "$_eg_timestamp" +} + +_edgedns_new_nonce() { + _debug "Generating Nonce" + _nonce=$(echo "EDGEDNS$(_time)" | _digest sha1 hex | cut -c 1-32) + _debug3 "_nonce" "$_nonce" +} + +_edgedns_make_auth_header() { + _debug "Constructing Auth Header" + _edgedns_new_nonce + _edgedns_eg_timestamp + # "Unsigned authorization header: 'EG1-HMAC-SHA256 client_token=block;access_token=block;timestamp=20200806T14:16:33+0000;nonce=72cde72c-82d9-4721-9854-2ba057929d67;'" + _auth_header="$(printf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "$AKAMAI_CLIENT_TOKEN" "$AKAMAI_ACCESS_TOKEN" "$_eg_timestamp" "$_nonce")" + _secure_debug2 "Unsigned Auth Header: " "$_auth_header" + + _edgedns_sign_request + _signed_auth_header="$(printf "%ssignature=%s" "$_auth_header" "$_signed_req")" + _secure_debug2 "Signed Auth Header: " "${_signed_auth_header}" +} + +_edgedns_sign_request() { + _debug2 "Signing http request" + _edgedns_make_data_to_sign "$_auth_header" + _secure_debug2 "Returned signed data" "$_mdata" + _edgedns_make_signing_key "$_eg_timestamp" + _edgedns_base64_hmac_sha256 "$_mdata" "$_signing_key" + _signed_req="$_hmac_out" + _secure_debug2 "Signed Request" "$_signed_req" +} + +_edgedns_make_signing_key() { + _debug2 "Creating sigining key" + ts=$1 + _edgedns_base64_hmac_sha256 "$ts" "$AKAMAI_CLIENT_SECRET" + _signing_key="$_hmac_out" + _secure_debug2 "Signing Key" "$_signing_key" + +} + +_edgedns_make_data_to_sign() { + _debug2 "Processing data to sign" + hdr=$1 + _secure_debug2 "hdr" "$hdr" + _edgedns_make_content_hash + path="$(echo "$_request_url_path" | tr -d "\n\r" | sed 's/https\?:\/\///')" + path=${path#*"$AKAMAI_HOST"} + _debug "hier path" "$path" + # dont expose headers to sign so use MT string + _mdata="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "$_request_method" "$AKAMAI_HOST" "$path" "" "$_hash" "$hdr")" + _secure_debug2 "Data to Sign" "$_mdata" +} + +_edgedns_make_content_hash() { + _debug2 "Generating content hash" + _hash="" + _debug2 "Request method" "${_request_method}" + if [ "$_request_method" != "POST" ] || [ -z "$_request_body" ]; then + return 0 + fi + _debug2 "Req body" "$_request_body" + _edgedns_base64_sha256 "$_request_body" + _hash="$_sha256_out" + _debug2 "Content hash" "$_hash" +} + +_edgedns_base64_hmac_sha256() { + _debug2 "Generating hmac" + data=$1 + key=$2 + encoded_data="$(echo "$data" | iconv -t utf-8)" + encoded_key="$(echo "$key" | iconv -t utf-8)" + _secure_debug2 "encoded data" "$encoded_data" + _secure_debug2 "encoded key" "$encoded_key" + + encoded_key_hex=$(printf "%s" "$encoded_key" | _hex_dump | tr -d ' ') + data_sig="$(echo "$encoded_data" | tr -d "\n\r" | _hmac sha256 "$encoded_key_hex" | _base64)" + + _secure_debug2 "data_sig:" "$data_sig" + _hmac_out="$(echo "$data_sig" | tr -d "\n\r" | iconv -f utf-8)" + _secure_debug2 "hmac" "$_hmac_out" +} + +_edgedns_base64_sha256() { + _debug2 "Creating sha256 digest" + trg=$1 + _secure_debug2 "digest data" "$trg" + digest="$(echo "$trg" | tr -d "\n\r" | _digest "sha256")" + _sha256_out="$(echo "$digest" | tr -d "\n\r" | iconv -f utf-8)" + _secure_debug2 "digest decode" "$_sha256_out" +} + +#_edgedns_parse_edgerc() { +# filepath=$1 +# section=$2 +#} diff --git a/acme.sh-master/dnsapi/dns_euserv.sh b/acme.sh-master/dnsapi/dns_euserv.sh new file mode 100644 index 0000000..cfb4b81 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_euserv.sh @@ -0,0 +1,358 @@ +#!/usr/bin/env sh + +#This is the euserv.eu api wrapper for acme.sh +# +#Author: Michael Brueckner +#Report Bugs: https://www.github.com/initit/acme.sh or mbr@initit.de + +# +#EUSERV_Username="username" +# +#EUSERV_Password="password" +# +# Dependencies: +# ------------- +# - none - + +EUSERV_Api="https://api.euserv.net" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_euserv_add() { + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + EUSERV_Username="${EUSERV_Username:-$(_readaccountconf_mutable EUSERV_Username)}" + EUSERV_Password="${EUSERV_Password:-$(_readaccountconf_mutable EUSERV_Password)}" + if [ -z "$EUSERV_Username" ] || [ -z "$EUSERV_Password" ]; then + EUSERV_Username="" + EUSERV_Password="" + _err "You don't specify euserv user and password yet." + _err "Please create your key and try again." + return 1 + fi + + #save the user and email to the account conf file. + _saveaccountconf_mutable EUSERV_Username "$EUSERV_Username" + _saveaccountconf_mutable EUSERV_Password "$EUSERV_Password" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug "_sub_domain" "$_sub_domain" + _debug "_domain" "$_domain" + _info "Adding record" + if ! _euserv_add_record "$_domain" "$_sub_domain" "$txtvalue"; then + return 1 + fi + +} + +#fulldomain txtvalue +dns_euserv_rm() { + + fulldomain="$(echo "$1" | _lower_case)" + txtvalue=$2 + + EUSERV_Username="${EUSERV_Username:-$(_readaccountconf_mutable EUSERV_Username)}" + EUSERV_Password="${EUSERV_Password:-$(_readaccountconf_mutable EUSERV_Password)}" + if [ -z "$EUSERV_Username" ] || [ -z "$EUSERV_Password" ]; then + EUSERV_Username="" + EUSERV_Password="" + _err "You don't specify euserv user and password yet." + _err "Please create your key and try again." + return 1 + fi + + #save the user and email to the account conf file. + _saveaccountconf_mutable EUSERV_Username "$EUSERV_Username" + _saveaccountconf_mutable EUSERV_Password "$EUSERV_Password" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug "_sub_domain" "$_sub_domain" + _debug "_domain" "$_domain" + + _debug "Getting txt records" + + xml_content=$(printf ' + + domain.dns_get_active_records + + + + + + login + + %s + + + + password + + %s + + + + domain_id + + %s + + + + + + + ' "$EUSERV_Username" "$EUSERV_Password" "$_euserv_domain_id") + + export _H1="Content-Type: text/xml" + response="$(_post "$xml_content" "$EUSERV_Api" "" "POST")" + + if ! _contains "$response" "status100"; then + _err "Error could not get txt records" + _debug "xml_content" "$xml_content" + _debug "response" "$response" + return 1 + fi + + if ! echo "$response" | grep '>dns_record_content<.*>'"$txtvalue"'<' >/dev/null; then + _info "Do not need to delete record" + else + # find XML block where txtvalue is in. The record_id is allways prior this line! + _endLine=$(echo "$response" | grep -n '>dns_record_content<.*>'"$txtvalue"'<' | cut -d ':' -f 1) + # record_id is the last Tag with a number before the row _endLine, identified by + _record_id=$(echo "$response" | sed -n '1,'"$_endLine"'p' | grep '' | _tail_n 1 | sed 's/.*\([0-9]*\)<\/name>.*/\1/') + _info "Deleting record" + _euserv_delete_record "$_record_id" + fi + +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + _debug "get root" + + # Just to read the domain_orders once + + domain=$1 + i=2 + p=1 + + if ! _euserv_get_domain_orders; then + return 1 + fi + + # Get saved response with domain_orders + response="$_euserv_domain_orders" + + while true; do + h=$(echo "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "$h"; then + _sub_domain=$(echo "$domain" | cut -d . -f 1-$p) + _domain="$h" + if ! _euserv_get_domain_id "$_domain"; then + _err "invalid domain" + return 1 + fi + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +_euserv_get_domain_orders() { + # returns: _euserv_domain_orders + + _debug "get domain_orders" + + xml_content=$(printf ' + + domain.get_domain_orders + + + + + + login + %s + + + password + %s + + + + + + ' "$EUSERV_Username" "$EUSERV_Password") + + export _H1="Content-Type: text/xml" + response="$(_post "$xml_content" "$EUSERV_Api" "" "POST")" + + if ! _contains "$response" "status100"; then + _err "Error could not get domain orders" + _debug "xml_content" "$xml_content" + _debug "response" "$response" + return 1 + fi + + # save response to reduce API calls + _euserv_domain_orders="$response" + return 0 +} + +_euserv_get_domain_id() { + # returns: _euserv_domain_id + domain=$1 + _debug "get domain_id" + + # find line where the domain name is within the $response + _startLine=$(echo "$_euserv_domain_orders" | grep -n '>domain_name<.*>'"$domain"'<' | cut -d ':' -f 1) + # next occurency of domain_id after the domain_name is the correct one + _euserv_domain_id=$(echo "$_euserv_domain_orders" | sed -n "$_startLine"',$p' | grep '>domain_id<' | _head_n 1 | sed 's/.*\([0-9]*\)<\/i4>.*/\1/') + + if [ -z "$_euserv_domain_id" ]; then + _err "Could not find domain_id for domain $domain" + _debug "_euserv_domain_orders" "$_euserv_domain_orders" + return 1 + fi + + return 0 +} + +_euserv_delete_record() { + record_id=$1 + xml_content=$(printf ' + + domain.dns_delete_record + + + + + + login + + %s + + + + password + + %s + + + + dns_record_id + + %s + + + + + + + ' "$EUSERV_Username" "$EUSERV_Password" "$record_id") + + export _H1="Content-Type: text/xml" + response="$(_post "$xml_content" "$EUSERV_Api" "" "POST")" + + if ! _contains "$response" "status100"; then + _err "Error deleting record" + _debug "xml_content" "$xml_content" + _debug "response" "$response" + return 1 + fi + + return 0 + +} + +_euserv_add_record() { + domain=$1 + sub_domain=$2 + txtval=$3 + + xml_content=$(printf ' + + domain.dns_create_record + + + + + + login + + %s + + + + password + + %s + + + domain_id + + %s + + + + dns_record_subdomain + + %s + + + + dns_record_type + + TXT + + + + dns_record_value + + %s + + + + dns_record_ttl + + 300 + + + + + + + ' "$EUSERV_Username" "$EUSERV_Password" "$_euserv_domain_id" "$sub_domain" "$txtval") + + export _H1="Content-Type: text/xml" + response="$(_post "$xml_content" "$EUSERV_Api" "" "POST")" + + if ! _contains "$response" "status100"; then + _err "Error could not create record" + _debug "xml_content" "$xml_content" + _debug "response" "$response" + return 1 + fi + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_exoscale.sh b/acme.sh-master/dnsapi/dns_exoscale.sh new file mode 100644 index 0000000..ccf05fc --- /dev/null +++ b/acme.sh-master/dnsapi/dns_exoscale.sh @@ -0,0 +1,168 @@ +#!/usr/bin/env sh + +EXOSCALE_API=https://api.exoscale.com/dns/v1 + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_exoscale_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _checkAuth; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _exoscale_rest POST "domains/$_domain_id/records" "{\"record\":{\"name\":\"$_sub_domain\",\"record_type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}}" "$_domain_token"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + fi + fi + _err "Add txt record error." + return 1 + +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +dns_exoscale_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _checkAuth; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _exoscale_rest GET "domains/${_domain_id}/records?type=TXT&name=$_sub_domain" "" "$_domain_token" + if _contains "$response" "\"name\":\"$_sub_domain\"" >/dev/null; then + _record_id=$(echo "$response" | tr '{' "\n" | grep "\"content\":\"$txtvalue\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \") + fi + + if [ -z "$_record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + + _debug "Deleting record $_record_id" + + if ! _exoscale_rest DELETE "domains/$_domain_id/records/$_record_id" "" "$_domain_token"; then + _err "Delete record error." + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## + +_checkAuth() { + EXOSCALE_API_KEY="${EXOSCALE_API_KEY:-$(_readaccountconf_mutable EXOSCALE_API_KEY)}" + EXOSCALE_SECRET_KEY="${EXOSCALE_SECRET_KEY:-$(_readaccountconf_mutable EXOSCALE_SECRET_KEY)}" + + if [ -z "$EXOSCALE_API_KEY" ] || [ -z "$EXOSCALE_SECRET_KEY" ]; then + EXOSCALE_API_KEY="" + EXOSCALE_SECRET_KEY="" + _err "You don't specify Exoscale application key and application secret yet." + _err "Please create you key and try again." + return 1 + fi + + _saveaccountconf_mutable EXOSCALE_API_KEY "$EXOSCALE_API_KEY" + _saveaccountconf_mutable EXOSCALE_SECRET_KEY "$EXOSCALE_SECRET_KEY" + + return 0 +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +# _domain_token=sdjkglgdfewsdfg +_get_root() { + + if ! _exoscale_rest GET "domains"; then + return 1 + fi + + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \") + _domain_token=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") + if [ "$_domain_token" ] && [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +# returns response +_exoscale_rest() { + method=$1 + path="$2" + data="$3" + token="$4" + request_url="$EXOSCALE_API/$path" + _debug "$path" + + export _H1="Accept: application/json" + + if [ "$token" ]; then + export _H2="X-DNS-Domain-Token: $token" + else + export _H2="X-DNS-Token: $EXOSCALE_API_KEY:$EXOSCALE_SECRET_KEY" + fi + + if [ "$data" ] || [ "$method" = "DELETE" ]; then + export _H3="Content-Type: application/json" + _debug data "$data" + response="$(_post "$data" "$request_url" "" "$method")" + else + response="$(_get "$request_url" "" "" "$method")" + fi + + if [ "$?" != "0" ]; then + _err "error $request_url" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_fornex.sh b/acme.sh-master/dnsapi/dns_fornex.sh new file mode 100644 index 0000000..53be307 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_fornex.sh @@ -0,0 +1,146 @@ +#!/usr/bin/env sh + +#Author: Timur Umarov + +FORNEX_API_URL="https://fornex.com/api/dns/v0.1" + +######## Public functions ##################### + +#Usage: dns_fornex_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_fornex_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _Fornex_API; then + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "Unable to determine root domain" + return 1 + else + _debug _domain "$_domain" + fi + + _info "Adding record" + if _rest POST "$_domain/entry_set/add/" "host=$fulldomain&type=TXT&value=$txtvalue&apikey=$FORNEX_API_KEY"; then + _debug _response "$response" + if _contains "$response" '"ok": true' || _contains "$response" 'Такая запись уже существует.'; then + _info "Added, OK" + return 0 + fi + fi + _err "Add txt record error." + return 1 +} + +#Usage: dns_fornex_rm _acme-challenge.www.domain.com +dns_fornex_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _Fornex_API; then + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "Unable to determine root domain" + return 1 + else + _debug _domain "$_domain" + fi + + _debug "Getting txt records" + _rest GET "$_domain/entry_set.json?apikey=$FORNEX_API_KEY" + + if ! _contains "$response" "$txtvalue"; then + _err "Txt record not found" + return 1 + fi + + _record_id="$(echo "$response" | _egrep_o "{[^{]*\"value\"*:*\"$txtvalue\"[^}]*}" | sed -n -e 's#.*"id": \([0-9]*\).*#\1#p')" + _debug "_record_id" "$_record_id" + if [ -z "$_record_id" ]; then + _err "can not find _record_id" + return 1 + fi + + if ! _rest POST "$_domain/entry_set/$_record_id/delete/" "apikey=$FORNEX_API_KEY"; then + _err "Delete record error." + return 1 + fi + return 0 +} + +#################### Private functions below ################################## + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + + i=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _rest GET "domain_list.json?q=$h&apikey=$FORNEX_API_KEY"; then + return 1 + fi + + if _contains "$response" "\"$h\"" >/dev/null; then + _domain=$h + return 0 + else + _debug "$h not found" + fi + i=$(_math "$i" + 1) + done + + return 1 +} + +_Fornex_API() { + FORNEX_API_KEY="${FORNEX_API_KEY:-$(_readaccountconf_mutable FORNEX_API_KEY)}" + if [ -z "$FORNEX_API_KEY" ]; then + FORNEX_API_KEY="" + + _err "You didn't specify the Fornex API key yet." + _err "Please create your key and try again." + + return 1 + fi + + _saveaccountconf_mutable FORNEX_API_KEY "$FORNEX_API_KEY" +} + +#method method action data +_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Accept: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$FORNEX_API_URL/$ep" "" "$m")" + else + response="$(_get "$FORNEX_API_URL/$ep" | _normalizeJson)" + fi + + _ret="$?" + if [ "$_ret" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_freedns.sh b/acme.sh-master/dnsapi/dns_freedns.sh new file mode 100644 index 0000000..29cee43 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_freedns.sh @@ -0,0 +1,371 @@ +#!/usr/bin/env sh + +#This file name is "dns_freedns.sh" +#So, here must be a method dns_freedns_add() +#Which will be called by acme.sh to add the txt record to your api system. +#returns 0 means success, otherwise error. +# +#Author: David Kerr +#Report Bugs here: https://github.com/dkerr64/acme.sh +#or here... https://github.com/acmesh-official/acme.sh/issues/2305 +# +######## Public functions ##################### + +# Export FreeDNS userid and password in following variables... +# FREEDNS_User=username +# FREEDNS_Password=password +# login cookie is saved in acme account config file so userid / pw +# need to be set only when changed. + +#Usage: dns_freedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_freedns_add() { + fulldomain="$1" + txtvalue="$2" + + _info "Add TXT record using FreeDNS" + _debug "fulldomain: $fulldomain" + _debug "txtvalue: $txtvalue" + + if [ -z "$FREEDNS_User" ] || [ -z "$FREEDNS_Password" ]; then + FREEDNS_User="" + FREEDNS_Password="" + if [ -z "$FREEDNS_COOKIE" ]; then + _err "You did not specify the FreeDNS username and password yet." + _err "Please export as FREEDNS_User / FREEDNS_Password and try again." + return 1 + fi + using_cached_cookies="true" + else + FREEDNS_COOKIE="$(_freedns_login "$FREEDNS_User" "$FREEDNS_Password")" + if [ -z "$FREEDNS_COOKIE" ]; then + return 1 + fi + using_cached_cookies="false" + fi + + _debug "FreeDNS login cookies: $FREEDNS_COOKIE (cached = $using_cached_cookies)" + + _saveaccountconf FREEDNS_COOKIE "$FREEDNS_COOKIE" + + # We may have to cycle through the domain name to find the + # TLD that we own... + i=1 + wmax="$(echo "$fulldomain" | tr '.' ' ' | wc -w)" + while [ "$i" -lt "$wmax" ]; do + # split our full domain name into two parts... + sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")" + i="$(_math "$i" + 1)" + top_domain="$(echo "$fulldomain" | cut -d. -f "$i"-100)" + _debug "sub_domain: $sub_domain" + _debug "top_domain: $top_domain" + + DNSdomainid="$(_freedns_domain_id "$top_domain")" + if [ "$?" = "0" ]; then + _info "Domain $top_domain found at FreeDNS, domain_id $DNSdomainid" + break + else + _info "Domain $top_domain not found at FreeDNS, try with next level of TLD" + fi + done + + if [ -z "$DNSdomainid" ]; then + # If domain ID is empty then something went wrong (top level + # domain not found at FreeDNS). + _err "Domain $top_domain not found at FreeDNS" + return 1 + fi + + # Add in new TXT record with the value provided + _debug "Adding TXT record for $fulldomain, $txtvalue" + _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue" + return $? +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_freedns_rm() { + fulldomain="$1" + txtvalue="$2" + + _info "Delete TXT record using FreeDNS" + _debug "fulldomain: $fulldomain" + _debug "txtvalue: $txtvalue" + + # Need to read cookie from conf file again in case new value set + # during login to FreeDNS when TXT record was created. + FREEDNS_COOKIE="$(_readaccountconf "FREEDNS_COOKIE")" + _debug "FreeDNS login cookies: $FREEDNS_COOKIE" + + TXTdataid="$(_freedns_data_id "$fulldomain" "TXT")" + if [ "$?" != "0" ]; then + _info "Cannot delete TXT record for $fulldomain, record does not exist at FreeDNS" + return 1 + fi + _debug "Data ID's found, $TXTdataid" + + # now we have one (or more) TXT record data ID's. Load the page + # for that record and search for the record txt value. If match + # then we can delete it. + lines="$(echo "$TXTdataid" | wc -l)" + _debug "Found $lines TXT data records for $fulldomain" + i=0 + while [ "$i" -lt "$lines" ]; do + i="$(_math "$i" + 1)" + dataid="$(echo "$TXTdataid" | sed -n "${i}p")" + _debug "$dataid" + + htmlpage="$(_freedns_retrieve_data_page "$FREEDNS_COOKIE" "$dataid")" + if [ "$?" != "0" ]; then + if [ "$using_cached_cookies" = "true" ]; then + _err "Has your FreeDNS username and password changed? If so..." + _err "Please export as FREEDNS_User / FREEDNS_Password and try again." + fi + return 1 + fi + + echo "$htmlpage" | grep "value=\""$txtvalue"\"" >/dev/null + if [ "$?" = "0" ]; then + # Found a match... delete the record and return + _info "Deleting TXT record for $fulldomain, $txtvalue" + _freedns_delete_txt_record "$FREEDNS_COOKIE" "$dataid" + return $? + fi + done + + # If we get this far we did not find a match + # Not necessarily an error, but log anyway. + _info "Cannot delete TXT record for $fulldomain, $txtvalue. Does not exist at FreeDNS" + return 0 +} + +#################### Private functions below ################################## + +# usage: _freedns_login username password +# print string "cookie=value" etc. +# returns 0 success +_freedns_login() { + export _H1="Accept-Language:en-US" + username="$1" + password="$2" + url="https://freedns.afraid.org/zc.php?step=2" + + _debug "Login to FreeDNS as user $username" + + htmlpage="$(_post "username=$(printf '%s' "$username" | _url_encode)&password=$(printf '%s' "$password" | _url_encode)&submit=Login&action=auth" "$url")" + + if [ "$?" != "0" ]; then + _err "FreeDNS login failed for user $username bad RC from _post" + return 1 + fi + + cookies="$(grep -i '^Set-Cookie.*dns_cookie.*$' "$HTTP_HEADER" | _head_n 1 | tr -d "\r\n" | cut -d " " -f 2)" + + # if cookies is not empty then logon successful + if [ -z "$cookies" ]; then + _debug3 "htmlpage: $htmlpage" + _err "FreeDNS login failed for user $username. Check $HTTP_HEADER file" + return 1 + fi + + printf "%s" "$cookies" + return 0 +} + +# usage _freedns_retrieve_subdomain_page login_cookies +# echo page retrieved (html) +# returns 0 success +_freedns_retrieve_subdomain_page() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + url="https://freedns.afraid.org/subdomain/" + + _debug "Retrieve subdomain page from FreeDNS" + + htmlpage="$(_get "$url")" + + if [ "$?" != "0" ]; then + _err "FreeDNS retrieve subdomains failed bad RC from _get" + return 1 + elif [ -z "$htmlpage" ]; then + _err "FreeDNS returned empty subdomain page" + return 1 + fi + + _debug3 "htmlpage: $htmlpage" + + printf "%s" "$htmlpage" + return 0 +} + +# usage _freedns_retrieve_data_page login_cookies data_id +# echo page retrieved (html) +# returns 0 success +_freedns_retrieve_data_page() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + data_id="$2" + url="https://freedns.afraid.org/subdomain/edit.php?data_id=$2" + + _debug "Retrieve data page for ID $data_id from FreeDNS" + + htmlpage="$(_get "$url")" + + if [ "$?" != "0" ]; then + _err "FreeDNS retrieve data page failed bad RC from _get" + return 1 + elif [ -z "$htmlpage" ]; then + _err "FreeDNS returned empty data page" + return 1 + fi + + _debug3 "htmlpage: $htmlpage" + + printf "%s" "$htmlpage" + return 0 +} + +# usage _freedns_add_txt_record login_cookies domain_id subdomain value +# returns 0 success +_freedns_add_txt_record() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + domain_id="$2" + subdomain="$3" + value="$(printf '%s' "$4" | _url_encode)" + url="https://freedns.afraid.org/subdomain/save.php?step=2" + + htmlpage="$(_post "type=TXT&domain_id=$domain_id&subdomain=$subdomain&address=%22$value%22&send=Save%21" "$url")" + + if [ "$?" != "0" ]; then + _err "FreeDNS failed to add TXT record for $subdomain bad RC from _post" + return 1 + elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then + _debug3 "htmlpage: $htmlpage" + _err "FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file" + return 1 + elif _contains "$htmlpage" "security code was incorrect"; then + _debug3 "htmlpage: $htmlpage" + _err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code" + _err "Note that you cannot use automatic DNS validation for FreeDNS public domains" + return 1 + fi + + _debug3 "htmlpage: $htmlpage" + _info "Added acme challenge TXT record for $fulldomain at FreeDNS" + return 0 +} + +# usage _freedns_delete_txt_record login_cookies data_id +# returns 0 success +_freedns_delete_txt_record() { + export _H1="Cookie:$1" + export _H2="Accept-Language:en-US" + data_id="$2" + url="https://freedns.afraid.org/subdomain/delete2.php" + + htmlheader="$(_get "$url?data_id%5B%5D=$data_id&submit=delete+selected" "onlyheader")" + + if [ "$?" != "0" ]; then + _err "FreeDNS failed to delete TXT record for $data_id bad RC from _get" + return 1 + elif ! _contains "$htmlheader" "200 OK"; then + _debug2 "htmlheader: $htmlheader" + _err "FreeDNS failed to delete TXT record $data_id" + return 1 + fi + + _info "Deleted acme challenge TXT record for $fulldomain at FreeDNS" + return 0 +} + +# usage _freedns_domain_id domain_name +# echo the domain_id if found +# return 0 success +_freedns_domain_id() { + # Start by escaping the dots in the domain name + search_domain="$(echo "$1" | sed 's/\./\\./g')" + + # Sometimes FreeDNS does not return the subdomain page but rather + # returns a page regarding becoming a premium member. This usually + # happens after a period of inactivity. Immediately trying again + # returns the correct subdomain page. So, we will try twice to + # load the page and obtain our domain ID + attempts=2 + while [ "$attempts" -gt "0" ]; do + attempts="$(_math "$attempts" - 1)" + + htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" + if [ "$?" != "0" ]; then + if [ "$using_cached_cookies" = "true" ]; then + _err "Has your FreeDNS username and password changed? If so..." + _err "Please export as FREEDNS_User / FREEDNS_Password and try again." + fi + return 1 + fi + + domain_id="$(echo "$htmlpage" | tr -d " \t\r\n\v\f" | sed 's//@/g' | tr '@' '\n' | + grep "$search_domain\|$search_domain(.*)" | + sed -n 's/.*\(edit\.php?edit_domain_id=[0-9a-zA-Z]*\).*/\1/p' | + cut -d = -f 2)" + # The above beauty extracts domain ID from the html page... + # strip out all blank space and new lines. Then insert newlines + # before each table row + # search for the domain within each row (which may or may not have + # a text string in brackets (.*) after it. + # And finally extract the domain ID. + if [ -n "$domain_id" ]; then + printf "%s" "$domain_id" + return 0 + fi + _debug "Domain $search_domain not found. Retry loading subdomain page ($attempts attempts remaining)" + done + _debug "Domain $search_domain not found after retry" + return 1 +} + +# usage _freedns_data_id domain_name record_type +# echo the data_id(s) if found +# return 0 success +_freedns_data_id() { + # Start by escaping the dots in the domain name + search_domain="$(echo "$1" | sed 's/\./\\./g')" + record_type="$2" + + # Sometimes FreeDNS does not return the subdomain page but rather + # returns a page regarding becoming a premium member. This usually + # happens after a period of inactivity. Immediately trying again + # returns the correct subdomain page. So, we will try twice to + # load the page and obtain our domain ID + attempts=2 + while [ "$attempts" -gt "0" ]; do + attempts="$(_math "$attempts" - 1)" + + htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")" + if [ "$?" != "0" ]; then + if [ "$using_cached_cookies" = "true" ]; then + _err "Has your FreeDNS username and password changed? If so..." + _err "Please export as FREEDNS_User / FREEDNS_Password and try again." + fi + return 1 + fi + + data_id="$(echo "$htmlpage" | tr -d " \t\r\n\v\f" | sed 's//@/g' | tr '@' '\n' | + grep "$record_type" | + grep "$search_domain" | + sed -n 's/.*\(edit\.php?data_id=[0-9a-zA-Z]*\).*/\1/p' | + cut -d = -f 2)" + # The above beauty extracts data ID from the html page... + # strip out all blank space and new lines. Then insert newlines + # before each table row + # search for the record type withing each row (e.g. TXT) + # search for the domain within each row (which is within a + # anchor. And finally extract the domain ID. + if [ -n "$data_id" ]; then + printf "%s" "$data_id" + return 0 + fi + _debug "Domain $search_domain not found. Retry loading subdomain page ($attempts attempts remaining)" + done + _debug "Domain $search_domain not found after retry" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_gandi_livedns.sh b/acme.sh-master/dnsapi/dns_gandi_livedns.sh new file mode 100644 index 0000000..931da88 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_gandi_livedns.sh @@ -0,0 +1,175 @@ +#!/usr/bin/env sh + +# Gandi LiveDNS v5 API +# https://doc.livedns.gandi.net/ +# currently under beta +# +# Requires GANDI API KEY set in GANDI_LIVEDNS_KEY set as environment variable +# +#Author: Frédéric Crozat +# Dominik Röttsches +#Report Bugs here: https://github.com/fcrozat/acme.sh +# +######## Public functions ##################### + +GANDI_LIVEDNS_API="https://dns.api.gandi.net/api/v5" + +#Usage: dns_gandi_livedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gandi_livedns_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$GANDI_LIVEDNS_KEY" ]; then + _err "No API key specified for Gandi LiveDNS." + _err "Create your key and export it as GANDI_LIVEDNS_KEY" + return 1 + fi + + _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _debug domain "$_domain" + _debug sub_domain "$_sub_domain" + + _dns_gandi_append_record "$_domain" "$_sub_domain" "$txtvalue" +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_gandi_livedns_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug fulldomain "$fulldomain" + _debug domain "$_domain" + _debug sub_domain "$_sub_domain" + _debug txtvalue "$txtvalue" + + if ! _dns_gandi_existing_rrset_values "$_domain" "$_sub_domain"; then + return 1 + fi + _new_rrset_values=$(echo "$_rrset_values" | sed "s/...$txtvalue...//g") + # Cleanup dangling commata. + _new_rrset_values=$(echo "$_new_rrset_values" | sed "s/, ,/ ,/g") + _new_rrset_values=$(echo "$_new_rrset_values" | sed "s/, *\]/\]/g") + _new_rrset_values=$(echo "$_new_rrset_values" | sed "s/\[ *,/\[/g") + _debug "New rrset_values" "$_new_rrset_values" + + _gandi_livedns_rest PUT \ + "domains/$_domain/records/$_sub_domain/TXT" \ + "{\"rrset_ttl\": 300, \"rrset_values\": $_new_rrset_values}" && + _contains "$response" '{"message": "DNS Record Created"}' && + _info "Removing record $(__green "success")" +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _gandi_livedns_rest GET "domains/$h"; then + return 1 + fi + + if _contains "$response" '"code": 401'; then + _err "$response" + return 1 + elif _contains "$response" '"code": 404'; then + _debug "$h not found" + else + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_dns_gandi_append_record() { + domain=$1 + sub_domain=$2 + txtvalue=$3 + + if _dns_gandi_existing_rrset_values "$domain" "$sub_domain"; then + _debug "Appending new value" + _rrset_values=$(echo "$_rrset_values" | sed "s/\"]/\",\"$txtvalue\"]/") + else + _debug "Creating new record" "$_rrset_values" + _rrset_values="[\"$txtvalue\"]" + fi + _debug new_rrset_values "$_rrset_values" + _gandi_livedns_rest PUT "domains/$_domain/records/$sub_domain/TXT" \ + "{\"rrset_ttl\": 300, \"rrset_values\": $_rrset_values}" && + _contains "$response" '{"message": "DNS Record Created"}' && + _info "Adding record $(__green "success")" +} + +_dns_gandi_existing_rrset_values() { + domain=$1 + sub_domain=$2 + if ! _gandi_livedns_rest GET "domains/$domain/records/$sub_domain"; then + return 1 + fi + if ! _contains "$response" '"rrset_type": "TXT"'; then + _debug "Does not have a _acme-challenge TXT record yet." + return 1 + fi + if _contains "$response" '"rrset_values": \[\]'; then + _debug "Empty rrset_values for TXT record, no previous TXT record." + return 1 + fi + _debug "Already has TXT record." + _rrset_values=$(echo "$response" | _egrep_o 'rrset_values.*\[.*\]' | + _egrep_o '\[".*\"]') + return 0 +} + +_gandi_livedns_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Content-Type: application/json" + export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY" + + if [ "$m" = "GET" ]; then + response="$(_get "$GANDI_LIVEDNS_API/$ep")" + else + _debug data "$data" + response="$(_post "$data" "$GANDI_LIVEDNS_API/$ep" "" "$m")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_gcloud.sh b/acme.sh-master/dnsapi/dns_gcloud.sh new file mode 100644 index 0000000..2788ad5 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_gcloud.sh @@ -0,0 +1,170 @@ +#!/usr/bin/env sh + +# Author: Janos Lenart + +######## Public functions ##################### + +# Usage: dns_gcloud_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gcloud_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using gcloud" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _dns_gcloud_find_zone || return $? + + # Add an extra RR + _dns_gcloud_start_tr || return $? + _dns_gcloud_get_rrdatas || return $? + echo "$rrdatas" | _dns_gcloud_remove_rrs || return $? + printf "%s\n%s\n" "$rrdatas" "\"$txtvalue\"" | grep -v '^$' | _dns_gcloud_add_rrs || return $? + _dns_gcloud_execute_tr || return $? + + _info "$fulldomain record added" +} + +# Usage: dns_gcloud_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Remove the txt record after validation. +dns_gcloud_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using gcloud" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _dns_gcloud_find_zone || return $? + + # Remove one RR + _dns_gcloud_start_tr || return $? + _dns_gcloud_get_rrdatas || return $? + echo "$rrdatas" | _dns_gcloud_remove_rrs || return $? + echo "$rrdatas" | grep -F -v -- "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $? + _dns_gcloud_execute_tr || return $? + + _info "$fulldomain record added" +} + +#################### Private functions below ################################## + +_dns_gcloud_start_tr() { + if ! trd=$(mktemp -d); then + _err "_dns_gcloud_start_tr: failed to create temporary directory" + return 1 + fi + tr="$trd/tr.yaml" + _debug tr "$tr" + + if ! gcloud dns record-sets transaction start \ + --transaction-file="$tr" \ + --zone="$managedZone"; then + rm -r "$trd" + _err "_dns_gcloud_start_tr: failed to execute transaction" + return 1 + fi +} + +_dns_gcloud_execute_tr() { + if ! gcloud dns record-sets transaction execute \ + --transaction-file="$tr" \ + --zone="$managedZone"; then + _debug tr "$(cat "$tr")" + rm -r "$trd" + _err "_dns_gcloud_execute_tr: failed to execute transaction" + return 1 + fi + rm -r "$trd" + + for i in $(seq 1 120); do + if gcloud dns record-sets changes list \ + --zone="$managedZone" \ + --filter='status != done' | + grep -q '^.*'; then + _info "_dns_gcloud_execute_tr: waiting for transaction to be comitted ($i/120)..." + sleep 5 + else + return 0 + fi + done + + _err "_dns_gcloud_execute_tr: transaction is still pending after 10 minutes" + rm -r "$trd" + return 1 +} + +_dns_gcloud_remove_rrs() { + if ! xargs -r gcloud dns record-sets transaction remove \ + --name="$fulldomain." \ + --ttl="$ttl" \ + --type=TXT \ + --zone="$managedZone" \ + --transaction-file="$tr" --; then + _debug tr "$(cat "$tr")" + rm -r "$trd" + _err "_dns_gcloud_remove_rrs: failed to remove RRs" + return 1 + fi +} + +_dns_gcloud_add_rrs() { + ttl=60 + if ! xargs -r gcloud dns record-sets transaction add \ + --name="$fulldomain." \ + --ttl="$ttl" \ + --type=TXT \ + --zone="$managedZone" \ + --transaction-file="$tr" --; then + _debug tr "$(cat "$tr")" + rm -r "$trd" + _err "_dns_gcloud_add_rrs: failed to add RRs" + return 1 + fi +} + +_dns_gcloud_find_zone() { + # Prepare a filter that matches zones that are suiteable for this entry. + # For example, _acme-challenge.something.domain.com might need to go into something.domain.com or domain.com; + # this function finds the longest postfix that has a managed zone. + part="$fulldomain" + filter="dnsName=( " + while [ "$part" != "" ]; do + filter="$filter$part. " + part="$(echo "$part" | sed 's/[^.]*\.*//')" + done + filter="$filter) AND visibility=public" + _debug filter "$filter" + + # List domains and find the zone with the deepest sub-domain (in case of some levels of delegation) + if ! match=$(gcloud dns managed-zones list \ + --format="value(name, dnsName)" \ + --filter="$filter" | + while read -r dnsName name; do + printf "%s\t%s\t%s\n" "$(echo "$name" | awk -F"." '{print NF-1}')" "$dnsName" "$name" + done | + sort -n -r | _head_n 1 | cut -f2,3 | grep '^.*'); then + _err "_dns_gcloud_find_zone: Can't find a matching managed zone! Perhaps wrong project or gcloud credentials?" + return 1 + fi + + dnsName=$(echo "$match" | cut -f2) + _debug dnsName "$dnsName" + managedZone=$(echo "$match" | cut -f1) + _debug managedZone "$managedZone" +} + +_dns_gcloud_get_rrdatas() { + if ! rrdatas=$(gcloud dns record-sets list \ + --zone="$managedZone" \ + --name="$fulldomain." \ + --type=TXT \ + --format="value(ttl,rrdatas)"); then + _err "_dns_gcloud_get_rrdatas: Failed to list record-sets" + rm -r "$trd" + return 1 + fi + ttl=$(echo "$rrdatas" | cut -f1) + # starting with version 353.0.0 gcloud seems to + # separate records with a semicolon instead of commas + # see also https://cloud.google.com/sdk/docs/release-notes#35300_2021-08-17 + rrdatas=$(echo "$rrdatas" | cut -f2 | sed 's/"[,;]"/"\n"/g') +} diff --git a/acme.sh-master/dnsapi/dns_gcore.sh b/acme.sh-master/dnsapi/dns_gcore.sh new file mode 100644 index 0000000..d549a65 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_gcore.sh @@ -0,0 +1,187 @@ +#!/usr/bin/env sh + +# +#GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb' +# + +GCORE_Api="https://api.gcorelabs.com/dns/v2" +GCORE_Doc="https://apidocs.gcore.com/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gcore_add() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + if [ -z "$GCORE_Key" ]; then + GCORE_Key="" + _err "You didn't specify a Gcore api key yet." + _err "You can get yours from here $GCORE_Doc" + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable GCORE_Key "$GCORE_Key" + + _debug "First detect the zone name" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + payload="" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "Record doesn't exists" + payload="{\"resource_records\":[{\"content\":[\"$txtvalue\"],\"enabled\":true}],\"ttl\":120}" + elif echo "$response" | grep "$txtvalue" >/dev/null; then + _info "Already exists, OK" + return 0 + elif echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _info "Record with mismatch txtvalue, try update it" + payload=$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/"meta":{}}]}/"meta":{}},{"content":['\""$txtvalue"\"'],"enabled":true}]}/') + fi + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "rrset is already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_gcore_rm() { + fulldomain=$1 + txtvalue=$2 + + GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _zone_name "$_zone_name" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT" + + if echo "$response" | grep "record is not found" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + if ! echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then + _err "Error: $response" + return 1 + fi + + if ! echo "$response" | tr -d " " | grep \""$txtvalue"\" >/dev/null; then + _info "No such txt recrod" + return 0 + fi + + count="$(echo "$response" | grep -o "content" | wc -l)" + + if [ "$count" = "1" ]; then + if ! _gcore_rest DELETE "zones/$_zone_name/$fulldomain/TXT"; then + _err "Delete record error. $response" + return 1 + fi + return 0 + fi + + payload="$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/{"id":[0-9]\+,"content":\["'"$txtvalue"'"\],"enabled":true,"meta":{}}//' | sed 's/\[,/\[/' | sed 's/,,/,/' | sed 's/,\]/\]/')" + if ! _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then + _err "Delete record error. $response" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.sub.domain.com +#returns +# _sub_domain=_acme-challenge.sub or _acme-challenge +# _domain=domain.com +# _zone_name=domain.com or sub.domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _gcore_rest GET "zones/$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _zone_name=$h + if [ "$_zone_name" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_gcore_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + key_trimmed=$(echo "$GCORE_Key" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: APIKey $key_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$GCORE_Api/$ep" "" "$m")" + else + response="$(_get "$GCORE_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_gd.sh b/acme.sh-master/dnsapi/dns_gd.sh new file mode 100644 index 0000000..1729115 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_gd.sh @@ -0,0 +1,200 @@ +#!/usr/bin/env sh + +#Godaddy domain api +# Get API key and secret from https://developer.godaddy.com/ +# +# GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# GD_Secret="asdfsdfsfsdfsdfdfsdf" +# +# Ex.: acme.sh --issue --staging --dns dns_gd -d "*.s.example.com" -d "s.example.com" + +GD_Api="https://api.godaddy.com/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_gd_add() { + fulldomain=$1 + txtvalue=$2 + + GD_Key="${GD_Key:-$(_readaccountconf_mutable GD_Key)}" + GD_Secret="${GD_Secret:-$(_readaccountconf_mutable GD_Secret)}" + if [ -z "$GD_Key" ] || [ -z "$GD_Secret" ]; then + GD_Key="" + GD_Secret="" + _err "You didn't specify godaddy api key and secret yet." + _err "Please create your key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable GD_Key "$GD_Key" + _saveaccountconf_mutable GD_Secret "$GD_Secret" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting existing records" + if ! _gd_rest GET "domains/$_domain/records/TXT/$_sub_domain"; then + return 1 + fi + + if _contains "$response" "$txtvalue"; then + _info "This record already exists, skipping" + return 0 + fi + + _add_data="{\"data\":\"$txtvalue\"}" + for t in $(echo "$response" | tr '{' "\n" | grep "\"name\":\"$_sub_domain\"" | tr ',' "\n" | grep '"data"' | cut -d : -f 2); do + _debug2 t "$t" + # ignore empty (previously removed) records, to prevent useless _acme-challenge TXT entries + if [ "$t" ] && [ "$t" != '""' ]; then + _add_data="$_add_data,{\"data\":$t}" + fi + done + _debug2 _add_data "$_add_data" + + _info "Adding record" + if _gd_rest PUT "domains/$_domain/records/TXT/$_sub_domain" "[$_add_data]"; then + _debug "Checking updated records of '${fulldomain}'" + + if ! _gd_rest GET "domains/$_domain/records/TXT/$_sub_domain"; then + _err "Validating TXT record for '${fulldomain}' with rest error [$?]." "$response" + return 1 + fi + + if ! _contains "$response" "$txtvalue"; then + _err "TXT record '${txtvalue}' for '${fulldomain}', value wasn't set!" + return 1 + fi + else + _err "Add txt record error, value '${txtvalue}' for '${fulldomain}' was not set." + return 1 + fi + + _sleep 10 + _info "Added TXT record '${txtvalue}' for '${fulldomain}'." + return 0 +} + +#fulldomain +dns_gd_rm() { + fulldomain=$1 + txtvalue=$2 + + GD_Key="${GD_Key:-$(_readaccountconf_mutable GD_Key)}" + GD_Secret="${GD_Secret:-$(_readaccountconf_mutable GD_Secret)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting existing records" + if ! _gd_rest GET "domains/$_domain/records/TXT/$_sub_domain"; then + return 1 + fi + + if ! _contains "$response" "$txtvalue"; then + _info "The record does not exist, skip" + return 0 + fi + + _add_data="" + for t in $(echo "$response" | tr '{' "\n" | grep "\"name\":\"$_sub_domain\"" | tr ',' "\n" | grep '"data"' | cut -d : -f 2); do + _debug2 t "$t" + if [ "$t" ] && [ "$t" != "\"$txtvalue\"" ]; then + if [ "$_add_data" ]; then + _add_data="$_add_data,{\"data\":$t}" + else + _add_data="{\"data\":$t}" + fi + fi + done + if [ -z "$_add_data" ]; then + # delete empty record + _debug "Delete last record for '${fulldomain}'" + if ! _gd_rest DELETE "domains/$_domain/records/TXT/$_sub_domain"; then + _err "Cannot delete empty TXT record for '$fulldomain'" + return 1 + fi + else + # remove specific TXT value, keeping other entries + _debug2 _add_data "$_add_data" + if ! _gd_rest PUT "domains/$_domain/records/TXT/$_sub_domain" "[$_add_data]"; then + _err "Cannot update TXT record for '$fulldomain'" + return 1 + fi + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _gd_rest GET "domains/$h"; then + return 1 + fi + + if _contains "$response" '"code":"NOT_FOUND"'; then + _debug "$h not found" + else + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_gd_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Authorization: sso-key $GD_Key:$GD_Secret" + export _H2="Content-Type: application/json" + + if [ "$data" ] || [ "$m" = "DELETE" ]; then + _debug "data ($m): " "$data" + response="$(_post "$data" "$GD_Api/$ep" "" "$m")" + else + response="$(_get "$GD_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error on rest call ($m): $ep" + return 1 + fi + _debug2 response "$response" + if _contains "$response" "UNABLE_TO_AUTHENTICATE"; then + _err "It seems that your api key or secret is not correct." + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_geoscaling.sh b/acme.sh-master/dnsapi/dns_geoscaling.sh new file mode 100644 index 0000000..6ccf4da --- /dev/null +++ b/acme.sh-master/dnsapi/dns_geoscaling.sh @@ -0,0 +1,232 @@ +#!/usr/bin/env sh + +######################################################################## +# Geoscaling hook script for acme.sh +# +# Environment variables: +# +# - $GEOSCALING_Username (your Geoscaling username - this is usually NOT an amail address) +# - $GEOSCALING_Password (your Geoscaling password) + +#-- dns_geoscaling_add() - Add TXT record -------------------------------------- +# Usage: dns_geoscaling_add _acme-challenge.subdomain.domain.com "XyZ123..." + +dns_geoscaling_add() { + full_domain=$1 + txt_value=$2 + _info "Using DNS-01 Geoscaling DNS2 hook" + + GEOSCALING_Username="${GEOSCALING_Username:-$(_readaccountconf_mutable GEOSCALING_Username)}" + GEOSCALING_Password="${GEOSCALING_Password:-$(_readaccountconf_mutable GEOSCALING_Password)}" + if [ -z "$GEOSCALING_Username" ] || [ -z "$GEOSCALING_Password" ]; then + GEOSCALING_Username= + GEOSCALING_Password= + _err "No auth details provided. Please set user credentials using the \$GEOSCALING_Username and \$GEOSCALING_Password environment variables." + return 1 + fi + _saveaccountconf_mutable GEOSCALING_Username "${GEOSCALING_Username}" + _saveaccountconf_mutable GEOSCALING_Password "${GEOSCALING_Password}" + + # Fills in the $zone_id and $zone_name + find_zone "${full_domain}" || return 1 + _debug "Zone id '${zone_id}' will be used." + + # We're logged in here + + # we should add ${full_domain} minus the trailing ${zone_name} + + prefix=$(echo "${full_domain}" | sed "s|\\.${zone_name}\$||") + + body="id=${zone_id}&name=${prefix}&type=TXT&content=${txt_value}&ttl=300&prio=0" + + do_post "$body" "https://www.geoscaling.com/dns2/ajax/add_record.php" + exit_code="$?" + if [ "${exit_code}" -eq 0 ]; then + _info "TXT record added successfully." + else + _err "Couldn't add the TXT record." + fi + do_logout + return "${exit_code}" +} + +#-- dns_geoscaling_rm() - Remove TXT record ------------------------------------ +# Usage: dns_geoscaling_rm _acme-challenge.subdomain.domain.com "XyZ123..." + +dns_geoscaling_rm() { + full_domain=$1 + txt_value=$2 + _info "Cleaning up after DNS-01 Geoscaling DNS2 hook" + + GEOSCALING_Username="${GEOSCALING_Username:-$(_readaccountconf_mutable GEOSCALING_Username)}" + GEOSCALING_Password="${GEOSCALING_Password:-$(_readaccountconf_mutable GEOSCALING_Password)}" + if [ -z "$GEOSCALING_Username" ] || [ -z "$GEOSCALING_Password" ]; then + GEOSCALING_Username= + GEOSCALING_Password= + _err "No auth details provided. Please set user credentials using the \$GEOSCALING_Username and \$GEOSCALING_Password environment variables." + return 1 + fi + _saveaccountconf_mutable GEOSCALING_Username "${GEOSCALING_Username}" + _saveaccountconf_mutable GEOSCALING_Password "${GEOSCALING_Password}" + + # fills in the $zone_id + find_zone "${full_domain}" || return 1 + _debug "Zone id '${zone_id}' will be used." + + # Here we're logged in + # Find the record id to clean + + # get the domain + response=$(do_get "https://www.geoscaling.com/dns2/index.php?module=domain&id=${zone_id}") + _debug2 "response" "$response" + + table="$(echo "${response}" | tr -d '\n' | sed 's|.*
Basic Records
.*||')" + _debug2 table "${table}" + names=$(echo "${table}" | _egrep_o 'id="[0-9]+\.name">[^<]*' | sed 's|||; s|.*>||') + ids=$(echo "${table}" | _egrep_o 'id="[0-9]+\.name">[^<]*' | sed 's|\.name">.*||; s|id="||') + types=$(echo "${table}" | _egrep_o 'id="[0-9]+\.type">[^<]*' | sed 's|||; s|.*>||') + values=$(echo "${table}" | _egrep_o 'id="[0-9]+\.content">[^<]*' | sed 's|||; s|.*>||') + + _debug2 names "${names}" + _debug2 ids "${ids}" + _debug2 types "${types}" + _debug2 values "${values}" + + # look for line whose name is ${full_domain}, whose type is TXT, and whose value is ${txt_value} + line_num="$(echo "${values}" | grep -F -n -- "${txt_value}" | _head_n 1 | cut -d ':' -f 1)" + _debug2 line_num "${line_num}" + found_id= + if [ -n "$line_num" ]; then + type=$(echo "${types}" | sed -n "${line_num}p") + name=$(echo "${names}" | sed -n "${line_num}p") + id=$(echo "${ids}" | sed -n "${line_num}p") + + _debug2 type "$type" + _debug2 name "$name" + _debug2 id "$id" + _debug2 full_domain "$full_domain" + + if [ "${type}" = "TXT" ] && [ "${name}" = "${full_domain}" ]; then + found_id=${id} + fi + fi + + if [ "${found_id}" = "" ]; then + _err "Can not find record id." + return 0 + fi + + # Remove the record + body="id=${zone_id}&record_id=${found_id}" + response=$(do_post "$body" "https://www.geoscaling.com/dns2/ajax/delete_record.php") + exit_code="$?" + if [ "$exit_code" -eq 0 ]; then + _info "Record removed successfully." + else + _err "Could not clean (remove) up the record. Please go to Geoscaling administration interface and clean it by hand." + fi + do_logout + return "${exit_code}" +} + +########################## PRIVATE FUNCTIONS ########################### + +do_get() { + _url=$1 + export _H1="Cookie: $geoscaling_phpsessid_cookie" + _get "${_url}" +} + +do_post() { + _body=$1 + _url=$2 + export _H1="Cookie: $geoscaling_phpsessid_cookie" + _post "${_body}" "${_url}" +} + +do_login() { + + _info "Logging in..." + + username_encoded="$(printf "%s" "${GEOSCALING_Username}" | _url_encode)" + password_encoded="$(printf "%s" "${GEOSCALING_Password}" | _url_encode)" + body="username=${username_encoded}&password=${password_encoded}" + + response=$(_post "$body" "https://www.geoscaling.com/dns2/index.php?module=auth") + _debug2 response "${response}" + + #retcode=$(grep '^HTTP[^ ]*' "${HTTP_HEADER}" | _head_n 1 | _egrep_o '[0-9]+$') + retcode=$(grep '^HTTP[^ ]*' "${HTTP_HEADER}" | _head_n 1 | cut -d ' ' -f 2) + + if [ "$retcode" != "302" ]; then + _err "Geoscaling login failed for user ${GEOSCALING_Username}. Check ${HTTP_HEADER} file" + return 1 + fi + + geoscaling_phpsessid_cookie="$(grep -i '^set-cookie:' "${HTTP_HEADER}" | _egrep_o 'PHPSESSID=[^;]*;' | tr -d ';')" + return 0 + +} + +do_logout() { + _info "Logging out." + response="$(do_get "https://www.geoscaling.com/dns2/index.php?module=auth")" + _debug2 response "$response" + return 0 +} + +find_zone() { + domain="$1" + + # do login + do_login || return 1 + + # get zones + response="$(do_get "https://www.geoscaling.com/dns2/index.php?module=domains")" + + table="$(echo "${response}" | tr -d '\n' | sed 's|.*
Your domains
.*||')" + _debug2 table "${table}" + zone_names="$(echo "${table}" | _egrep_o '[^<]*' | sed 's|||;s|||')" + _debug2 _matches "${zone_names}" + # Zone names and zone IDs are in same order + zone_ids=$(echo "${table}" | _egrep_o '' | sed 's|.*id=||;s|. .*||') + + _debug2 "These are the zones on this Geoscaling account:" + _debug2 "zone_names" "${zone_names}" + _debug2 "And these are their respective IDs:" + _debug2 "zone_ids" "${zone_ids}" + if [ -z "${zone_names}" ] || [ -z "${zone_ids}" ]; then + _err "Can not get zone names or IDs." + return 1 + fi + # Walk through all possible zone names + strip_counter=1 + while true; do + attempted_zone=$(echo "${domain}" | cut -d . -f ${strip_counter}-) + + # All possible zone names have been tried + if [ -z "${attempted_zone}" ]; then + _err "No zone for domain '${domain}' found." + return 1 + fi + + _debug "Looking for zone '${attempted_zone}'" + + line_num="$(echo "${zone_names}" | grep -n "^${attempted_zone}\$" | _head_n 1 | cut -d : -f 1)" + _debug2 line_num "${line_num}" + if [ "$line_num" ]; then + zone_id=$(echo "${zone_ids}" | sed -n "${line_num}p") + zone_name=$(echo "${zone_names}" | sed -n "${line_num}p") + if [ -z "${zone_id}" ]; then + _err "Can not find zone id." + return 1 + fi + _debug "Found relevant zone '${attempted_zone}' with id '${zone_id}' - will be used for domain '${domain}'." + return 0 + fi + + _debug "Zone '${attempted_zone}' doesn't exist, let's try a less specific zone." + strip_counter=$(_math "${strip_counter}" + 1) + done +} +# vim: et:ts=2:sw=2: diff --git a/acme.sh-master/dnsapi/dns_he.sh b/acme.sh-master/dnsapi/dns_he.sh new file mode 100644 index 0000000..bf4a503 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_he.sh @@ -0,0 +1,173 @@ +#!/usr/bin/env sh + +######################################################################## +# Hurricane Electric hook script for acme.sh +# +# Environment variables: +# +# - $HE_Username (your dns.he.net username) +# - $HE_Password (your dns.he.net password) +# +# Author: Ondrej Simek +# Git repo: https://github.com/angel333/acme.sh + +#-- dns_he_add() - Add TXT record -------------------------------------- +# Usage: dns_he_add _acme-challenge.subdomain.domain.com "XyZ123..." + +dns_he_add() { + _full_domain=$1 + _txt_value=$2 + _info "Using DNS-01 Hurricane Electric hook" + + HE_Username="${HE_Username:-$(_readaccountconf_mutable HE_Username)}" + HE_Password="${HE_Password:-$(_readaccountconf_mutable HE_Password)}" + if [ -z "$HE_Username" ] || [ -z "$HE_Password" ]; then + HE_Username= + HE_Password= + _err "No auth details provided. Please set user credentials using the \$HE_Username and \$HE_Password environment variables." + return 1 + fi + _saveaccountconf_mutable HE_Username "$HE_Username" + _saveaccountconf_mutable HE_Password "$HE_Password" + + # Fills in the $_zone_id + _find_zone "$_full_domain" || return 1 + _debug "Zone id \"$_zone_id\" will be used." + username_encoded="$(printf "%s" "${HE_Username}" | _url_encode)" + password_encoded="$(printf "%s" "${HE_Password}" | _url_encode)" + body="email=${username_encoded}&pass=${password_encoded}" + body="$body&account=" + body="$body&menu=edit_zone" + body="$body&Type=TXT" + body="$body&hosted_dns_zoneid=$_zone_id" + body="$body&hosted_dns_recordid=" + body="$body&hosted_dns_editzone=1" + body="$body&Priority=" + body="$body&Name=$_full_domain" + body="$body&Content=$_txt_value" + body="$body&TTL=300" + body="$body&hosted_dns_editrecord=Submit" + response="$(_post "$body" "https://dns.he.net/")" + exit_code="$?" + if [ "$exit_code" -eq 0 ]; then + _info "TXT record added successfully." + else + _err "Couldn't add the TXT record." + fi + _debug2 response "$response" + return "$exit_code" +} + +#-- dns_he_rm() - Remove TXT record ------------------------------------ +# Usage: dns_he_rm _acme-challenge.subdomain.domain.com "XyZ123..." + +dns_he_rm() { + _full_domain=$1 + _txt_value=$2 + _info "Cleaning up after DNS-01 Hurricane Electric hook" + HE_Username="${HE_Username:-$(_readaccountconf_mutable HE_Username)}" + HE_Password="${HE_Password:-$(_readaccountconf_mutable HE_Password)}" + # fills in the $_zone_id + _find_zone "$_full_domain" || return 1 + _debug "Zone id \"$_zone_id\" will be used." + + # Find the record id to clean + username_encoded="$(printf "%s" "${HE_Username}" | _url_encode)" + password_encoded="$(printf "%s" "${HE_Password}" | _url_encode)" + body="email=${username_encoded}&pass=${password_encoded}" + body="$body&hosted_dns_zoneid=$_zone_id" + body="$body&menu=edit_zone" + body="$body&hosted_dns_editzone=" + + response="$(_post "$body" "https://dns.he.net/")" + _debug2 "response" "$response" + if ! _contains "$response" "$_txt_value"; then + _debug "The txt record is not found, just skip" + return 0 + fi + _record_id="$(echo "$response" | tr -d "#" | sed "s/Successfully removed record.
' \ + >/dev/null + exit_code="$?" + if [ "$exit_code" -eq 0 ]; then + _info "Record removed successfully." + else + _err "Could not clean (remove) up the record. Please go to HE administration interface and clean it by hand." + return "$exit_code" + fi +} + +########################## PRIVATE FUNCTIONS ########################### + +_find_zone() { + _domain="$1" + username_encoded="$(printf "%s" "${HE_Username}" | _url_encode)" + password_encoded="$(printf "%s" "${HE_Password}" | _url_encode)" + body="email=${username_encoded}&pass=${password_encoded}" + response="$(_post "$body" "https://dns.he.net/")" + _debug2 response "$response" + if _contains "$response" '>Incorrect<'; then + _err "Unable to login to dns.he.net please check username and password" + return 1 + fi + _table="$(echo "$response" | tr -d "#" | sed "s//dev/null + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + if [ "$_code" != "202" ]; then + _err "dns_huaweicloud: http code ${_code}" + return 1 + fi + return 0 +} + +# _rm_record $token $zoneid $recordid +# assume ${dns_api} exist +# no output +# return 0 +_rm_record() { + _token=$1 + _zone_id=$2 + _record_id=$3 + + export _H2="Content-Type: application/json" + export _H1="X-Auth-Token: ${_token}" + + _post "" "${dns_api}/v2/zones/${_zone_id}/recordsets/${_record_id}" false "DELETE" >/dev/null + return $? +} + +_get_token() { + _username=$1 + _password=$2 + _domain_name=$3 + + _debug "Getting Token" + body="{ + \"auth\": { + \"identity\": { + \"methods\": [ + \"password\" + ], + \"password\": { + \"user\": { + \"name\": \"${_username}\", + \"password\": \"${_password}\", + \"domain\": { + \"name\": \"${_domain_name}\" + } + } + } + }, + \"scope\": { + \"project\": { + \"name\": \"ap-southeast-1\" + } + } + } + }" + export _H1="Content-Type: application/json;charset=utf8" + _post "${body}" "${iam_api}/v3/auth/tokens" >/dev/null + _code=$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n") + _token=$(grep "^X-Subject-Token" "$HTTP_HEADER" | cut -d " " -f 2-) + _secure_debug "${_code}" + printf "%s" "${_token}" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_infoblox.sh b/acme.sh-master/dnsapi/dns_infoblox.sh new file mode 100644 index 0000000..6bfd36e --- /dev/null +++ b/acme.sh-master/dnsapi/dns_infoblox.sh @@ -0,0 +1,111 @@ +#!/usr/bin/env sh + +## Infoblox API integration by Jason Keller and Elijah Tenai +## +## Report any bugs via https://github.com/jasonkeller/acme.sh + +dns_infoblox_add() { + + ## Nothing to see here, just some housekeeping + fulldomain=$1 + txtvalue=$2 + + _info "Using Infoblox API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## Check for the credentials + if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then + Infoblox_Creds="" + Infoblox_Server="" + _err "You didn't specify the Infoblox credentials or server (Infoblox_Creds; Infoblox_Server)." + _err "Please set them via EXPORT Infoblox_Creds=username:password or EXPORT Infoblox_server=ip/hostname and try again." + return 1 + fi + + if [ -z "$Infoblox_View" ]; then + _info "No Infoblox_View set, using fallback value 'default'" + Infoblox_View="default" + fi + + ## Save the credentials to the account file + _saveaccountconf Infoblox_Creds "$Infoblox_Creds" + _saveaccountconf Infoblox_Server "$Infoblox_Server" + _saveaccountconf Infoblox_View "$Infoblox_View" + + ## URLencode Infoblox View to deal with e.g. spaces + Infoblox_ViewEncoded=$(printf "%b" "$Infoblox_View" | _url_encode) + + ## Base64 encode the credentials + Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64) + + ## Construct the HTTP Authorization header + export _H1="Accept-Language:en-US" + export _H2="Authorization: Basic $Infoblox_CredsEncoded" + + ## Construct the request URL + baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=${Infoblox_ViewEncoded}" + + ## Add the challenge record to the Infoblox grid member + result="$(_post "" "$baseurlnObject" "" "POST")" + + ## Let's see if we get something intelligible back from the unit + if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then + _info "Successfully created the txt record" + return 0 + else + _err "Error encountered during record addition" + _err "$result" + return 1 + fi + +} + +dns_infoblox_rm() { + + ## Nothing to see here, just some housekeeping + fulldomain=$1 + txtvalue=$2 + + _info "Using Infoblox API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + ## URLencode Infoblox View to deal with e.g. spaces + Infoblox_ViewEncoded=$(printf "%b" "$Infoblox_View" | _url_encode) + + ## Base64 encode the credentials + Infoblox_CredsEncoded="$(printf "%b" "$Infoblox_Creds" | _base64)" + + ## Construct the HTTP Authorization header + export _H1="Accept-Language:en-US" + export _H2="Authorization: Basic $Infoblox_CredsEncoded" + + ## Does the record exist? Let's check. + baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=${Infoblox_ViewEncoded}&_return_type=xml-pretty" + result="$(_get "$baseurlnObject")" + + ## Let's see if we get something intelligible back from the grid + if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then + ## Extract the object reference + objRef="$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" + objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef" + ## Delete them! All the stale records! + rmResult="$(_post "" "$objRmUrl" "" "DELETE")" + ## Let's see if that worked + if [ "$(echo "$rmResult" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then + _info "Successfully deleted $objRef" + return 0 + else + _err "Error occurred during txt record delete" + _err "$rmResult" + return 1 + fi + else + _err "Record to delete didn't match an existing record" + _err "$result" + return 1 + fi +} + +#################### Private functions below ################################## diff --git a/acme.sh-master/dnsapi/dns_infomaniak.sh b/acme.sh-master/dnsapi/dns_infomaniak.sh new file mode 100644 index 0000000..a005132 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_infomaniak.sh @@ -0,0 +1,199 @@ +#!/usr/bin/env sh + +############################################################################### +# Infomaniak API integration +# +# To use this API you need visit the API dashboard of your account +# once logged into https://manager.infomaniak.com add /api/dashboard to the URL +# +# Please report bugs to +# https://github.com/acmesh-official/acme.sh/issues/3188 +# +# Note: the URL looks like this: +# https://manager.infomaniak.com/v3//api/dashboard +# Then generate a token with the scope Domain +# this is given as an environment variable INFOMANIAK_API_TOKEN +############################################################################### + +# base variables + +DEFAULT_INFOMANIAK_API_URL="https://api.infomaniak.com" +DEFAULT_INFOMANIAK_TTL=300 + +######## Public functions ##################### + +#Usage: dns_infomaniak_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_infomaniak_add() { + + INFOMANIAK_API_TOKEN="${INFOMANIAK_API_TOKEN:-$(_readaccountconf_mutable INFOMANIAK_API_TOKEN)}" + INFOMANIAK_API_URL="${INFOMANIAK_API_URL:-$(_readaccountconf_mutable INFOMANIAK_API_URL)}" + INFOMANIAK_TTL="${INFOMANIAK_TTL:-$(_readaccountconf_mutable INFOMANIAK_TTL)}" + + if [ -z "$INFOMANIAK_API_TOKEN" ]; then + INFOMANIAK_API_TOKEN="" + _err "Please provide a valid Infomaniak API token in variable INFOMANIAK_API_TOKEN" + return 1 + fi + + if [ -z "$INFOMANIAK_API_URL" ]; then + INFOMANIAK_API_URL="$DEFAULT_INFOMANIAK_API_URL" + fi + + if [ -z "$INFOMANIAK_TTL" ]; then + INFOMANIAK_TTL="$DEFAULT_INFOMANIAK_TTL" + fi + + #save the token to the account conf file. + _saveaccountconf_mutable INFOMANIAK_API_TOKEN "$INFOMANIAK_API_TOKEN" + + if [ "$INFOMANIAK_API_URL" != "$DEFAULT_INFOMANIAK_API_URL" ]; then + _saveaccountconf_mutable INFOMANIAK_API_URL "$INFOMANIAK_API_URL" + fi + + if [ "$INFOMANIAK_TTL" != "$DEFAULT_INFOMANIAK_TTL" ]; then + _saveaccountconf_mutable INFOMANIAK_TTL "$INFOMANIAK_TTL" + fi + + export _H1="Authorization: Bearer $INFOMANIAK_API_TOKEN" + export _H2="Content-Type: application/json" + + fulldomain="$1" + txtvalue="$2" + + _info "Infomaniak DNS API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + fqdn=${fulldomain#_acme-challenge.} + + # guess which base domain to add record to + zone_and_id=$(_find_zone "$fqdn") + if [ -z "$zone_and_id" ]; then + _err "cannot find zone to modify" + return 1 + fi + zone=${zone_and_id% *} + domain_id=${zone_and_id#* } + + # extract first part of domain + key=${fulldomain%."$zone"} + + _debug "zone:$zone id:$domain_id key:$key" + + # payload + data="{\"type\": \"TXT\", \"source\": \"$key\", \"target\": \"$txtvalue\", \"ttl\": $INFOMANIAK_TTL}" + + # API call + response=$(_post "$data" "${INFOMANIAK_API_URL}/1/domain/$domain_id/dns/record") + if [ -n "$response" ] && echo "$response" | _contains '"result":"success"'; then + _info "Record added" + _debug "Response: $response" + return 0 + fi + _err "could not create record" + _debug "Response: $response" + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_infomaniak_rm() { + + INFOMANIAK_API_TOKEN="${INFOMANIAK_API_TOKEN:-$(_readaccountconf_mutable INFOMANIAK_API_TOKEN)}" + INFOMANIAK_API_URL="${INFOMANIAK_API_URL:-$(_readaccountconf_mutable INFOMANIAK_API_URL)}" + INFOMANIAK_TTL="${INFOMANIAK_TTL:-$(_readaccountconf_mutable INFOMANIAK_TTL)}" + + if [ -z "$INFOMANIAK_API_TOKEN" ]; then + INFOMANIAK_API_TOKEN="" + _err "Please provide a valid Infomaniak API token in variable INFOMANIAK_API_TOKEN" + return 1 + fi + + if [ -z "$INFOMANIAK_API_URL" ]; then + INFOMANIAK_API_URL="$DEFAULT_INFOMANIAK_API_URL" + fi + + if [ -z "$INFOMANIAK_TTL" ]; then + INFOMANIAK_TTL="$DEFAULT_INFOMANIAK_TTL" + fi + + #save the token to the account conf file. + _saveaccountconf_mutable INFOMANIAK_API_TOKEN "$INFOMANIAK_API_TOKEN" + + if [ "$INFOMANIAK_API_URL" != "$DEFAULT_INFOMANIAK_API_URL" ]; then + _saveaccountconf_mutable INFOMANIAK_API_URL "$INFOMANIAK_API_URL" + fi + + if [ "$INFOMANIAK_TTL" != "$DEFAULT_INFOMANIAK_TTL" ]; then + _saveaccountconf_mutable INFOMANIAK_TTL "$INFOMANIAK_TTL" + fi + + export _H1="Authorization: Bearer $INFOMANIAK_API_TOKEN" + export _H2="ContentType: application/json" + + fulldomain=$1 + txtvalue=$2 + _info "Infomaniak DNS API" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + fqdn=${fulldomain#_acme-challenge.} + + # guess which base domain to add record to + zone_and_id=$(_find_zone "$fqdn") + if [ -z "$zone_and_id" ]; then + _err "cannot find zone to modify" + return 1 + fi + zone=${zone_and_id% *} + domain_id=${zone_and_id#* } + + # extract first part of domain + key=${fulldomain%."$zone"} + + _debug "zone:$zone id:$domain_id key:$key" + + # find previous record + # shellcheck disable=SC1004 + record_id=$(_get "${INFOMANIAK_API_URL}/1/domain/$domain_id/dns/record" | sed 's/.*"data":\[\(.*\)\]}/\1/; s/},{/}\ +{/g' | sed -n 's/.*"id":"*\([0-9]*\)"*.*"source_idn":"'"$fulldomain"'".*"target_idn":"'"$txtvalue"'".*/\1/p') + if [ -z "$record_id" ]; then + _err "could not find record to delete" + return 1 + fi + _debug "record_id: $record_id" + + # API call + response=$(_post "" "${INFOMANIAK_API_URL}/1/domain/$domain_id/dns/record/$record_id" "" DELETE) + if [ -n "$response" ] && echo "$response" | _contains '"result":"success"'; then + _info "Record deleted" + return 0 + fi + _err "could not delete record" + return 1 +} + +#################### Private functions below ################################## + +_get_domain_id() { + domain="$1" + + # shellcheck disable=SC1004 + _get "${INFOMANIAK_API_URL}/1/product?service_name=domain&customer_name=$domain" | sed 's/.*"data":\[{\(.*\)}\]}/\1/; s/,/\ +/g' | sed -n 's/^"id":\(.*\)/\1/p' +} + +_find_zone() { + zone="$1" + + # find domain in list, removing . parts sequentialy + while _contains "$zone" '\.'; do + _debug "testing $zone" + id=$(_get_domain_id "$zone") + if [ -n "$id" ]; then + echo "$zone $id" + return + fi + zone=${zone#*.} + done +} diff --git a/acme.sh-master/dnsapi/dns_internetbs.sh b/acme.sh-master/dnsapi/dns_internetbs.sh new file mode 100644 index 0000000..ae6b9e1 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_internetbs.sh @@ -0,0 +1,180 @@ +#!/usr/bin/env sh + +#This is the Internet.BS api wrapper for acme.sh +# +#Author: Ne-Lexa +#Report Bugs here: https://github.com/Ne-Lexa/acme.sh + +#INTERNETBS_API_KEY="sdfsdfsdfljlbjkljlkjsdfoiwje" +#INTERNETBS_API_PASSWORD="sdfsdfsdfljlbjkljlkjsdfoiwje" + +INTERNETBS_API_URL="https://api.internet.bs" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_internetbs_add() { + fulldomain=$1 + txtvalue=$2 + + INTERNETBS_API_KEY="${INTERNETBS_API_KEY:-$(_readaccountconf_mutable INTERNETBS_API_KEY)}" + INTERNETBS_API_PASSWORD="${INTERNETBS_API_PASSWORD:-$(_readaccountconf_mutable INTERNETBS_API_PASSWORD)}" + + if [ -z "$INTERNETBS_API_KEY" ] || [ -z "$INTERNETBS_API_PASSWORD" ]; then + INTERNETBS_API_KEY="" + INTERNETBS_API_PASSWORD="" + _err "You didn't specify the INTERNET.BS api key and password yet." + _err "Please create you key and try again." + return 1 + fi + + _saveaccountconf_mutable INTERNETBS_API_KEY "$INTERNETBS_API_KEY" + _saveaccountconf_mutable INTERNETBS_API_PASSWORD "$INTERNETBS_API_PASSWORD" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # https://testapi.internet.bs/Domain/DnsRecord/Add?ApiKey=testapi&Password=testpass&FullRecordName=w3.test-api-domain7.net&Type=CNAME&Value=www.internet.bs%&ResponseFormat=json + if _internetbs_rest POST "Domain/DnsRecord/Add" "FullRecordName=${_sub_domain}.${_domain}&Type=TXT&Value=${txtvalue}&ResponseFormat=json"; then + if ! _contains "$response" "\"status\":\"SUCCESS\""; then + _err "ERROR add TXT record" + _err "$response" + return 1 + fi + + _info "txt record add success." + return 0 + fi + + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_internetbs_rm() { + fulldomain=$1 + txtvalue=$2 + + INTERNETBS_API_KEY="${INTERNETBS_API_KEY:-$(_readaccountconf_mutable INTERNETBS_API_KEY)}" + INTERNETBS_API_PASSWORD="${INTERNETBS_API_PASSWORD:-$(_readaccountconf_mutable INTERNETBS_API_PASSWORD)}" + + if [ -z "$INTERNETBS_API_KEY" ] || [ -z "$INTERNETBS_API_PASSWORD" ]; then + INTERNETBS_API_KEY="" + INTERNETBS_API_PASSWORD="" + _err "You didn't specify the INTERNET.BS api key and password yet." + _err "Please create you key and try again." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + # https://testapi.internet.bs/Domain/DnsRecord/List?ApiKey=testapi&Password=testpass&Domain=test-api-domain7.net&FilterType=CNAME&ResponseFormat=json + _internetbs_rest POST "Domain/DnsRecord/List" "Domain=$_domain&FilterType=TXT&ResponseFormat=json" + + if ! _contains "$response" "\"status\":\"SUCCESS\""; then + _err "ERROR list dns records" + _err "$response" + return 1 + fi + + if _contains "$response" "\name\":\"${_sub_domain}.${_domain}\""; then + _info "txt record find." + + # https://testapi.internet.bs/Domain/DnsRecord/Remove?ApiKey=testapi&Password=testpass&FullRecordName=www.test-api-domain7.net&Type=cname&ResponseFormat=json + _internetbs_rest POST "Domain/DnsRecord/Remove" "FullRecordName=${_sub_domain}.${_domain}&Type=TXT&ResponseFormat=json" + + if ! _contains "$response" "\"status\":\"SUCCESS\""; then + _err "ERROR remove dns record" + _err "$response" + return 1 + fi + + _info "txt record deleted success." + return 0 + fi + + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=12345 +_get_root() { + domain=$1 + i=2 + p=1 + + # https://testapi.internet.bs/Domain/List?ApiKey=testapi&Password=testpass&CompactList=yes&ResponseFormat=json + if _internetbs_rest POST "Domain/List" "CompactList=yes&ResponseFormat=json"; then + + if ! _contains "$response" "\"status\":\"SUCCESS\""; then + _err "ERROR fetch domain list" + _err "$response" + return 1 + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f ${i}-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"$h\""; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-${p}) + _domain=${h} + return 0 + fi + + p=${i} + i=$(_math "$i" + 1) + done + fi + return 1 +} + +#Usage: method URI data +_internetbs_rest() { + m="$1" + ep="$2" + data="$3" + url="${INTERNETBS_API_URL}/${ep}" + + _debug url "$url" + + apiKey="$(printf "%s" "${INTERNETBS_API_KEY}" | _url_encode)" + password="$(printf "%s" "${INTERNETBS_API_PASSWORD}" | _url_encode)" + + if [ "$m" = "GET" ]; then + response="$(_get "${url}?ApiKey=${apiKey}&Password=${password}&${data}" | tr -d '\r')" + else + _debug2 data "$data" + response="$(_post "$data" "${url}?ApiKey=${apiKey}&Password=${password}" | tr -d '\r')" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_inwx.sh b/acme.sh-master/dnsapi/dns_inwx.sh new file mode 100644 index 0000000..ba789da --- /dev/null +++ b/acme.sh-master/dnsapi/dns_inwx.sh @@ -0,0 +1,420 @@ +#!/usr/bin/env sh + +# +#INWX_User="username" +# +#INWX_Password="password" +# +# Dependencies: +# ------------- +# - oathtool (When using 2 Factor Authentication) + +INWX_Api="https://api.domrobot.com/xmlrpc/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_inwx_add() { + fulldomain=$1 + txtvalue=$2 + + INWX_User="${INWX_User:-$(_readaccountconf_mutable INWX_User)}" + INWX_Password="${INWX_Password:-$(_readaccountconf_mutable INWX_Password)}" + INWX_Shared_Secret="${INWX_Shared_Secret:-$(_readaccountconf_mutable INWX_Shared_Secret)}" + if [ -z "$INWX_User" ] || [ -z "$INWX_Password" ]; then + INWX_User="" + INWX_Password="" + _err "You don't specify inwx user and password yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable INWX_User "$INWX_User" + _saveaccountconf_mutable INWX_Password "$INWX_Password" + _saveaccountconf_mutable INWX_Shared_Secret "$INWX_Shared_Secret" + + if ! _inwx_login; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + _inwx_add_record "$_domain" "$_sub_domain" "$txtvalue" + +} + +#fulldomain txtvalue +dns_inwx_rm() { + + fulldomain=$1 + txtvalue=$2 + + INWX_User="${INWX_User:-$(_readaccountconf_mutable INWX_User)}" + INWX_Password="${INWX_Password:-$(_readaccountconf_mutable INWX_Password)}" + INWX_Shared_Secret="${INWX_Shared_Secret:-$(_readaccountconf_mutable INWX_Shared_Secret)}" + if [ -z "$INWX_User" ] || [ -z "$INWX_Password" ]; then + INWX_User="" + INWX_Password="" + _err "You don't specify inwx user and password yet." + _err "Please create you key and try again." + return 1 + fi + + if ! _inwx_login; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + + xml_content=$(printf ' + + nameserver.info + + + + + + domain + + %s + + + + type + + TXT + + + + name + + %s + + + + + + + ' "$_domain" "$_sub_domain") + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + if ! _contains "$response" "Command completed successfully"; then + _err "Error could not get txt records" + return 1 + fi + + if ! printf "%s" "$response" | grep "count" >/dev/null; then + _info "Do not need to delete record" + else + _record_id=$(printf '%s' "$response" | _egrep_o '.*(record){1}(.*)([0-9]+){1}' | _egrep_o 'id<\/name>[0-9]+' | _egrep_o '[0-9]+') + _info "Deleting record" + _inwx_delete_record "$_record_id" + fi + +} + +#################### Private functions below ################################## + +_inwx_check_cookie() { + INWX_Cookie="${INWX_Cookie:-$(_readaccountconf_mutable INWX_Cookie)}" + if [ -z "$INWX_Cookie" ]; then + _debug "No cached cookie found" + return 1 + fi + _H1="$INWX_Cookie" + export _H1 + + xml_content=$(printf ' + + account.info + ') + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + if _contains "$response" "code1000"; then + _debug "Cached cookie still valid" + return 0 + fi + + _debug "Cached cookie no longer valid" + _H1="" + export _H1 + INWX_Cookie="" + _saveaccountconf_mutable INWX_Cookie "$INWX_Cookie" + return 1 +} + +_inwx_login() { + + if _inwx_check_cookie; then + _debug "Already logged in" + return 0 + fi + + xml_content=$(printf ' + + account.login + + + + + + user + + %s + + + + pass + + %s + + + + + + + ' "$INWX_User" "$INWX_Password") + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')") + _H1=$INWX_Cookie + export _H1 + export INWX_Cookie + _saveaccountconf_mutable INWX_Cookie "$INWX_Cookie" + + if ! _contains "$response" "code1000"; then + _err "INWX API: Authentication error (username/password correct?)" + return 1 + fi + + #https://github.com/inwx/php-client/blob/master/INWX/Domrobot.php#L71 + if _contains "$response" "tfaGOOGLE-AUTH"; then + if [ -z "$INWX_Shared_Secret" ]; then + _err "INWX API: Mobile TAN detected." + _err "Please define a shared secret." + return 1 + fi + + if ! _exists oathtool; then + _err "Please install oathtool to use 2 Factor Authentication." + _err "" + return 1 + fi + + tan="$(oathtool --base32 --totp "${INWX_Shared_Secret}" 2>/dev/null)" + + xml_content=$(printf ' + + account.unlock + + + + + + tan + + %s + + + + + + + ' "$tan") + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + if ! _contains "$response" "code1000"; then + _err "INWX API: Mobile TAN not correct." + return 1 + fi + fi + +} + +_get_root() { + domain=$1 + _debug "get root" + + domain=$1 + i=2 + p=1 + + xml_content=' + + nameserver.list + + + + + + pagelimit + + 9999 + + + + + + + ' + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "$h"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 + +} + +_inwx_delete_record() { + record_id=$1 + xml_content=$(printf ' + + nameserver.deleteRecord + + + + + + id + + %s + + + + + + + ' "$record_id") + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + if ! printf "%s" "$response" | grep "Command completed successfully" >/dev/null; then + _err "Error" + return 1 + fi + return 0 + +} + +_inwx_update_record() { + record_id=$1 + txtval=$2 + xml_content=$(printf ' + + nameserver.updateRecord + + + + + + content + + %s + + + + id + + %s + + + + + + + ' "$txtval" "$record_id") + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + if ! printf "%s" "$response" | grep "Command completed successfully" >/dev/null; then + _err "Error" + return 1 + fi + return 0 + +} + +_inwx_add_record() { + + domain=$1 + sub_domain=$2 + txtval=$3 + + xml_content=$(printf ' + + nameserver.createRecord + + + + + + domain + + %s + + + + type + + TXT + + + + content + + %s + + + + name + + %s + + + + + + + ' "$domain" "$txtval" "$sub_domain") + + response="$(_post "$xml_content" "$INWX_Api" "" "POST")" + + if ! printf "%s" "$response" | grep "Command completed successfully" >/dev/null; then + _err "Error" + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_ionos.sh b/acme.sh-master/dnsapi/dns_ionos.sh new file mode 100644 index 0000000..e4ad331 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ionos.sh @@ -0,0 +1,171 @@ +#!/usr/bin/env sh + +# Supports IONOS DNS API v1.0.1 +# +# Usage: +# Export IONOS_PREFIX and IONOS_SECRET before calling acme.sh: +# +# $ export IONOS_PREFIX="..." +# $ export IONOS_SECRET="..." +# +# $ acme.sh --issue --dns dns_ionos ... + +IONOS_API="https://api.hosting.ionos.com/dns" +IONOS_ROUTE_ZONES="/v1/zones" + +IONOS_TXT_TTL=60 # minimum accepted by API +IONOS_TXT_PRIO=10 + +dns_ionos_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _ionos_init; then + return 1 + fi + + _body="[{\"name\":\"$_sub_domain.$_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":$IONOS_TXT_TTL,\"prio\":$IONOS_TXT_PRIO,\"disabled\":false}]" + + if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ "$_code" = "201" ]; then + _info "TXT record has been created successfully." + return 0 + fi + + return 1 +} + +dns_ionos_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _ionos_init; then + return 1 + fi + + if ! _ionos_get_record "$fulldomain" "$_zone_id" "$txtvalue"; then + _err "Could not find _acme-challenge TXT record." + return 1 + fi + + if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ "$_code" = "200" ]; then + _info "TXT record has been deleted successfully." + return 0 + fi + + return 1 +} + +_ionos_init() { + IONOS_PREFIX="${IONOS_PREFIX:-$(_readaccountconf_mutable IONOS_PREFIX)}" + IONOS_SECRET="${IONOS_SECRET:-$(_readaccountconf_mutable IONOS_SECRET)}" + + if [ -z "$IONOS_PREFIX" ] || [ -z "$IONOS_SECRET" ]; then + _err "You didn't specify an IONOS api prefix and secret yet." + _err "Read https://beta.developer.hosting.ionos.de/docs/getstarted to learn how to get a prefix and secret." + _err "" + _err "Then set them before calling acme.sh:" + _err "\$ export IONOS_PREFIX=\"...\"" + _err "\$ export IONOS_SECRET=\"...\"" + _err "\$ acme.sh --issue -d ... --dns dns_ionos" + return 1 + fi + + _saveaccountconf_mutable IONOS_PREFIX "$IONOS_PREFIX" + _saveaccountconf_mutable IONOS_SECRET "$IONOS_SECRET" + + if ! _get_root "$fulldomain"; then + _err "Cannot find this domain in your IONOS account." + return 1 + fi +} + +_get_root() { + domain=$1 + i=1 + p=1 + + if _ionos_rest GET "$IONOS_ROUTE_ZONES"; then + _response="$(echo "$_response" | tr -d "\n")" + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + return 1 + fi + + _zone="$(echo "$_response" | _egrep_o "\"name\":\"$h\".*\}")" + if [ "$_zone" ]; then + _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"') + if [ "$_zone_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + + return 0 + fi + + return 1 + fi + + p=$i + i=$(_math "$i" + 1) + done + fi + + return 1 +} + +_ionos_get_record() { + fulldomain=$1 + zone_id=$2 + txtrecord=$3 + + if _ionos_rest GET "$IONOS_ROUTE_ZONES/$zone_id?recordName=$fulldomain&recordType=TXT"; then + _response="$(echo "$_response" | tr -d "\n")" + + _record="$(echo "$_response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")" + if [ "$_record" ]; then + _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"') + + return 0 + fi + fi + + return 1 +} + +_ionos_rest() { + method="$1" + route="$2" + data="$3" + + IONOS_API_KEY="$(printf "%s.%s" "$IONOS_PREFIX" "$IONOS_SECRET")" + + export _H1="X-API-Key: $IONOS_API_KEY" + + # clear headers + : >"$HTTP_HEADER" + + if [ "$method" != "GET" ]; then + export _H2="Accept: application/json" + export _H3="Content-Type: application/json" + + _response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")" + else + export _H2="Accept: */*" + export _H3= + + _response="$(_get "$IONOS_API$route")" + fi + + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + + if [ "$?" != "0" ]; then + _err "Error $route: $_response" + return 1 + fi + + _debug2 "_response" "$_response" + _debug2 "_code" "$_code" + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_ipv64.sh b/acme.sh-master/dnsapi/dns_ipv64.sh new file mode 100644 index 0000000..5447011 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ipv64.sh @@ -0,0 +1,157 @@ +#!/usr/bin/env sh + +#Created by Roman Lumetsberger, to use ipv64.net's API to add/remove text records +#2022/11/29 + +# Pass credentials before "acme.sh --issue --dns dns_ipv64 ..." +# -- +# export IPv64_Token="aaaaaaaaaaaaaaaaaaaaaaaaaa" +# -- +# + +IPv64_API="https://ipv64.net/api" + +######## Public functions ###################### + +#Usage: dns_ipv64_add _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ipv64_add() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + # Now save the credentials. + _saveaccountconf_mutable IPv64_Token "$IPv64_Token" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # convert to lower case + _domain="$(echo "$_domain" | _lower_case)" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" + # Now add the TXT record + _info "Trying to add TXT record" + if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully added." + return 0 + else + _err "Errors happened during adding the TXT record, response=$_response" + return 1 + fi + +} + +#Usage: fulldomain txtvalue +#Usage: dns_ipv64_rm _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Remove the txt record after validation. +dns_ipv64_rm() { + fulldomain=$1 + txtvalue=$2 + + IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}" + if [ -z "$IPv64_Token" ]; then + _err "You must export variable: IPv64_Token" + _err "The API Key for your IPv64 account is necessary." + _err "You can look it up in your IPv64 account." + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # convert to lower case + _domain="$(echo "$_domain" | _lower_case)" + _sub_domain="$(echo "$_sub_domain" | _lower_case)" + # Now delete the TXT record + _info "Trying to delete TXT record" + if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then + _info "TXT record has been successfully deleted." + return 0 + else + _err "Errors happened during deleting the TXT record, response=$_response" + return 1 + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=1 + p=1 + + _ipv64_get "get_domains" + domain_data=$_response + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f "$i"-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + #if _contains "$domain_data" "\""$h"\"\:"; then + if _contains "$domain_data" "\"""$h""\"\:"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p") + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +#send get request to api +# $1 has to set the api-function +_ipv64_get() { + url="$IPv64_API?$1" + export _H1="Authorization: Bearer $IPv64_Token" + + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_get "$url") + _response="$(echo "$_response" | _normalizeJson)" + fi +} + +_ipv64_rest() { + url="$IPv64_API" + export _H1="Authorization: Bearer $IPv64_Token" + export _H2="Content-Type: application/x-www-form-urlencoded" + _response=$(_post "$2" "$url" "" "$1") + + if _contains "$_response" "429 Too Many Requests"; then + _info "API throttled, sleeping to reset the limit" + _sleep 10 + _response=$(_post "$2" "$url" "" "$1") + fi + + if ! _contains "$_response" "\"info\":\"success\""; then + return 1 + fi + _debug2 response "$_response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_ispconfig.sh b/acme.sh-master/dnsapi/dns_ispconfig.sh new file mode 100644 index 0000000..560f073 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ispconfig.sh @@ -0,0 +1,194 @@ +#!/usr/bin/env sh + +# ISPConfig 3.1 API +# User must provide login data and URL to the ISPConfig installation incl. port. The remote user in ISPConfig must have access to: +# - DNS txt Functions + +# Report bugs to https://github.com/sjau/acme.sh + +# Values to export: +# export ISPC_User="remoteUser" +# export ISPC_Password="remotePassword" +# export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php" +# export ISPC_Api_Insecure=1 # Set 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1) + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ispconfig_add() { + fulldomain="${1}" + txtvalue="${2}" + _debug "Calling: dns_ispconfig_add() '${fulldomain}' '${txtvalue}'" + _ISPC_credentials && _ISPC_login && _ISPC_getZoneInfo && _ISPC_addTxt +} + +#Usage: dns_myapi_rm _acme-challenge.www.domain.com +dns_ispconfig_rm() { + fulldomain="${1}" + _debug "Calling: dns_ispconfig_rm() '${fulldomain}'" + _ISPC_credentials && _ISPC_login && _ISPC_rmTxt +} + +#################### Private functions below ################################## + +_ISPC_credentials() { + ISPC_User="${ISPC_User:-$(_readaccountconf_mutable ISPC_User)}" + ISPC_Password="${ISPC_Password:-$(_readaccountconf_mutable ISPC_Password)}" + ISPC_Api="${ISPC_Api:-$(_readaccountconf_mutable ISPC_Api)}" + ISPC_Api_Insecure="${ISPC_Api_Insecure:-$(_readaccountconf_mutable ISPC_Api_Insecure)}" + if [ -z "${ISPC_User}" ] || [ -z "${ISPC_Password}" ] || [ -z "${ISPC_Api}" ] || [ -z "${ISPC_Api_Insecure}" ]; then + ISPC_User="" + ISPC_Password="" + ISPC_Api="" + ISPC_Api_Insecure="" + _err "You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again." + return 1 + else + _saveaccountconf_mutable ISPC_User "${ISPC_User}" + _saveaccountconf_mutable ISPC_Password "${ISPC_Password}" + _saveaccountconf_mutable ISPC_Api "${ISPC_Api}" + _saveaccountconf_mutable ISPC_Api_Insecure "${ISPC_Api_Insecure}" + # Set whether curl should use secure or insecure mode + export HTTPS_INSECURE="${ISPC_Api_Insecure}" + fi +} + +_ISPC_login() { + _info "Getting Session ID" + curData="{\"username\":\"${ISPC_User}\",\"password\":\"${ISPC_Password}\",\"client_login\":false}" + curResult="$(_post "${curData}" "${ISPC_Api}?login")" + _debug "Calling _ISPC_login: '${curData}' '${ISPC_Api}?login'" + _debug "Result of _ISPC_login: '$curResult'" + if _contains "${curResult}" '"code":"ok"'; then + sessionID=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2) + _info "Retrieved Session ID." + _debug "Session ID: '${sessionID}'" + else + _err "Couldn't retrieve the Session ID." + return 1 + fi +} + +_ISPC_getZoneInfo() { + _info "Getting Zoneinfo" + zoneEnd=false + curZone="${fulldomain}" + while [ "${zoneEnd}" = false ]; do + # we can strip the first part of the fulldomain, since it's just the _acme-challenge string + curZone="${curZone#*.}" + # suffix . needed for zone -> domain.tld. + curData="{\"session_id\":\"${sessionID}\",\"primary_id\":{\"origin\":\"${curZone}.\"}}" + curResult="$(_post "${curData}" "${ISPC_Api}?dns_zone_get")" + _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?dns_zone_get'" + _debug "Result of _ISPC_getZoneInfo: '$curResult'" + if _contains "${curResult}" '"id":"'; then + zoneFound=true + zoneEnd=true + _info "Retrieved zone data." + _debug "Zone data: '${curResult}'" + fi + if [ "${curZone#*.}" != "$curZone" ]; then + _debug2 "$curZone still contains a '.' - so we can check next higher level" + else + zoneEnd=true + _err "Couldn't retrieve zone data." + return 1 + fi + done + if [ "${zoneFound}" ]; then + server_id=$(echo "${curResult}" | _egrep_o "server_id.*" | cut -d ':' -f 2 | cut -d '"' -f 2) + _debug "Server ID: '${server_id}'" + case "${server_id}" in + '' | *[!0-9]*) + _err "Server ID is not numeric." + return 1 + ;; + *) _info "Retrieved Server ID" ;; + esac + zone=$(echo "${curResult}" | _egrep_o "\"id.*" | cut -d ':' -f 2 | cut -d '"' -f 2) + _debug "Zone: '${zone}'" + case "${zone}" in + '' | *[!0-9]*) + _err "Zone ID is not numeric." + return 1 + ;; + *) _info "Retrieved Zone ID" ;; + esac + sys_userid=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2) + _debug "SYS User ID: '${sys_userid}'" + case "${sys_userid}" in + '' | *[!0-9]*) + _err "SYS User ID is not numeric." + return 1 + ;; + *) _info "Retrieved SYS User ID." ;; + esac + zoneFound="" + zoneEnd="" + fi + # Need to get client_id as it is different from sys_userid + curData="{\"session_id\":\"${sessionID}\",\"sys_userid\":\"${sys_userid}\"}" + curResult="$(_post "${curData}" "${ISPC_Api}?client_get_id")" + _debug "Calling _ISPC_ClientGetID: '${curData}' '${ISPC_Api}?client_get_id'" + _debug "Result of _ISPC_ClientGetID: '$curResult'" + client_id=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2 | tr -d '{}') + _debug "Client ID: '${client_id}'" + case "${client_id}" in + '' | *[!0-9]*) + _err "Client ID is not numeric." + return 1 + ;; + *) _info "Retrieved Client ID." ;; + esac +} + +_ISPC_addTxt() { + curSerial="$(date +%s)" + curStamp="$(date +'%F %T')" + params="\"server_id\":\"${server_id}\",\"zone\":\"${zone}\",\"name\":\"${fulldomain}.\",\"type\":\"txt\",\"data\":\"${txtvalue}\",\"aux\":\"0\",\"ttl\":\"3600\",\"active\":\"y\",\"stamp\":\"${curStamp}\",\"serial\":\"${curSerial}\"" + curData="{\"session_id\":\"${sessionID}\",\"client_id\":\"${client_id}\",\"params\":{${params}},\"update_serial\":true}" + curResult="$(_post "${curData}" "${ISPC_Api}?dns_txt_add")" + _debug "Calling _ISPC_addTxt: '${curData}' '${ISPC_Api}?dns_txt_add'" + _debug "Result of _ISPC_addTxt: '$curResult'" + record_id=$(echo "${curResult}" | _egrep_o "\"response.*" | cut -d ':' -f 2 | cut -d '"' -f 2) + _debug "Record ID: '${record_id}'" + case "${record_id}" in + '' | *[!0-9]*) + _err "Couldn't add ACME Challenge TXT record to zone." + return 1 + ;; + *) _info "Added ACME Challenge TXT record to zone." ;; + esac +} + +_ISPC_rmTxt() { + # Need to get the record ID. + curData="{\"session_id\":\"${sessionID}\",\"primary_id\":{\"name\":\"${fulldomain}.\",\"type\":\"TXT\"}}" + curResult="$(_post "${curData}" "${ISPC_Api}?dns_txt_get")" + _debug "Calling _ISPC_rmTxt: '${curData}' '${ISPC_Api}?dns_txt_get'" + _debug "Result of _ISPC_rmTxt: '$curResult'" + if _contains "${curResult}" '"code":"ok"'; then + record_id=$(echo "${curResult}" | _egrep_o "\"id.*" | cut -d ':' -f 2 | cut -d '"' -f 2) + _debug "Record ID: '${record_id}'" + case "${record_id}" in + '' | *[!0-9]*) + _err "Record ID is not numeric." + return 1 + ;; + *) + unset IFS + _info "Retrieved Record ID." + curData="{\"session_id\":\"${sessionID}\",\"primary_id\":\"${record_id}\",\"update_serial\":true}" + curResult="$(_post "${curData}" "${ISPC_Api}?dns_txt_delete")" + _debug "Calling _ISPC_rmTxt: '${curData}' '${ISPC_Api}?dns_txt_delete'" + _debug "Result of _ISPC_rmTxt: '$curResult'" + if _contains "${curResult}" '"code":"ok"'; then + _info "Removed ACME Challenge TXT record from zone." + else + _err "Couldn't remove ACME Challenge TXT record from zone." + return 1 + fi + ;; + esac + fi +} diff --git a/acme.sh-master/dnsapi/dns_jd.sh b/acme.sh-master/dnsapi/dns_jd.sh new file mode 100644 index 0000000..d0f2a50 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_jd.sh @@ -0,0 +1,286 @@ +#!/usr/bin/env sh + +# +#JD_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje" +#JD_ACCESS_KEY_SECRET="xxxxxxx" +#JD_REGION="cn-north-1" + +_JD_ACCOUNT="https://uc.jdcloud.com/account/accesskey" + +_JD_PROD="clouddnsservice" +_JD_API="jdcloud-api.com" + +_JD_API_VERSION="v1" +_JD_DEFAULT_REGION="cn-north-1" + +_JD_HOST="$_JD_PROD.$_JD_API" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_jd_add() { + fulldomain=$1 + txtvalue=$2 + + JD_ACCESS_KEY_ID="${JD_ACCESS_KEY_ID:-$(_readaccountconf_mutable JD_ACCESS_KEY_ID)}" + JD_ACCESS_KEY_SECRET="${JD_ACCESS_KEY_SECRET:-$(_readaccountconf_mutable JD_ACCESS_KEY_SECRET)}" + JD_REGION="${JD_REGION:-$(_readaccountconf_mutable JD_REGION)}" + + if [ -z "$JD_ACCESS_KEY_ID" ] || [ -z "$JD_ACCESS_KEY_SECRET" ]; then + JD_ACCESS_KEY_ID="" + JD_ACCESS_KEY_SECRET="" + _err "You haven't specifed the jdcloud api key id or api key secret yet." + _err "Please create your key and try again. see $(__green $_JD_ACCOUNT)" + return 1 + fi + + _saveaccountconf_mutable JD_ACCESS_KEY_ID "$JD_ACCESS_KEY_ID" + _saveaccountconf_mutable JD_ACCESS_KEY_SECRET "$JD_ACCESS_KEY_SECRET" + if [ -z "$JD_REGION" ]; then + _debug "Using default region: $_JD_DEFAULT_REGION" + JD_REGION="$_JD_DEFAULT_REGION" + else + _saveaccountconf_mutable JD_REGION "$JD_REGION" + fi + _JD_BASE_URI="$_JD_API_VERSION/regions/$JD_REGION" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + #_debug "Getting getViewTree" + + _debug "Adding records" + + _addrr="{\"req\":{\"hostRecord\":\"$_sub_domain\",\"hostValue\":\"$txtvalue\",\"ttl\":300,\"type\":\"TXT\",\"viewValue\":-1},\"regionId\":\"$JD_REGION\",\"domainId\":\"$_domain_id\"}" + #_addrr='{"req":{"hostRecord":"xx","hostValue":"\"value4\"","jcloudRes":false,"mxPriority":null,"port":null,"ttl":300,"type":"TXT","weight":null,"viewValue":-1},"regionId":"cn-north-1","domainId":"8824"}' + if jd_rest POST "domain/$_domain_id/RRAdd" "" "$_addrr"; then + _rid="$(echo "$response" | tr '{},' '\n' | grep '"id":' | cut -d : -f 2)" + if [ -z "$_rid" ]; then + _err "Can not find record id from the result." + return 1 + fi + _info "TXT record added successfully." + _srid="$(_readdomainconf "JD_CLOUD_RIDS")" + if [ "$_srid" ]; then + _rid="$_srid,$_rid" + fi + _savedomainconf "JD_CLOUD_RIDS" "$_rid" + return 0 + fi + + return 1 +} + +dns_jd_rm() { + fulldomain=$1 + txtvalue=$2 + + JD_ACCESS_KEY_ID="${JD_ACCESS_KEY_ID:-$(_readaccountconf_mutable JD_ACCESS_KEY_ID)}" + JD_ACCESS_KEY_SECRET="${JD_ACCESS_KEY_SECRET:-$(_readaccountconf_mutable JD_ACCESS_KEY_SECRET)}" + JD_REGION="${JD_REGION:-$(_readaccountconf_mutable JD_REGION)}" + + if [ -z "$JD_REGION" ]; then + _debug "Using default region: $_JD_DEFAULT_REGION" + JD_REGION="$_JD_DEFAULT_REGION" + fi + + _JD_BASE_URI="$_JD_API_VERSION/regions/$JD_REGION" + + _info "Getting existing records for $fulldomain" + _srid="$(_readdomainconf "JD_CLOUD_RIDS")" + _debug _srid "$_srid" + + if [ -z "$_srid" ]; then + _err "Not rid skip" + return 0 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _cleardomainconf JD_CLOUD_RIDS + + _aws_tmpl_xml="{\"ids\":[$_srid],\"action\":\"del\",\"regionId\":\"$JD_REGION\",\"domainId\":\"$_domain_id\"}" + + if jd_rest POST "domain/$_domain_id/RROperate" "" "$_aws_tmpl_xml" && _contains "$response" "\"code\":\"OK\""; then + _info "TXT record deleted successfully." + return 0 + fi + return 1 + +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug2 "Checking domain: $h" + if ! jd_rest GET "domain"; then + _err "error get domain list" + return 1 + fi + if [ -z "$h" ]; then + #not valid + _err "Invalid domain" + return 1 + fi + + if _contains "$response" "\"domainName\":\"$h\""; then + hostedzone="$(echo "$response" | tr '{}' '\n' | grep "\"domainName\":\"$h\"")" + _debug hostedzone "$hostedzone" + if [ "$hostedzone" ]; then + _domain_id="$(echo "$hostedzone" | tr ',' '\n' | grep "\"id\":" | cut -d : -f 2)" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + fi + _err "Can't find domain with id: $h" + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +#method uri qstr data +jd_rest() { + mtd="$1" + ep="$2" + qsr="$3" + data="$4" + + _debug mtd "$mtd" + _debug ep "$ep" + _debug qsr "$qsr" + _debug data "$data" + + CanonicalURI="/$_JD_BASE_URI/$ep" + _debug2 CanonicalURI "$CanonicalURI" + + CanonicalQueryString="$qsr" + _debug2 CanonicalQueryString "$CanonicalQueryString" + + RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")" + #RequestDate="20190713T082155Z" ###################################################### + _debug2 RequestDate "$RequestDate" + export _H1="X-Jdcloud-Date: $RequestDate" + + RequestNonce="2bd0852a-8bae-4087-b2d5-$(_time)" + #RequestNonce="894baff5-72d4-4244-883a-7b2eb51e7fbe" ################################# + _debug2 RequestNonce "$RequestNonce" + export _H2="X-Jdcloud-Nonce: $RequestNonce" + + if [ "$data" ]; then + CanonicalHeaders="content-type:application/json\n" + SignedHeaders="content-type;" + else + CanonicalHeaders="" + SignedHeaders="" + fi + CanonicalHeaders="${CanonicalHeaders}host:$_JD_HOST\nx-jdcloud-date:$RequestDate\nx-jdcloud-nonce:$RequestNonce\n" + SignedHeaders="${SignedHeaders}host;x-jdcloud-date;x-jdcloud-nonce" + + _debug2 CanonicalHeaders "$CanonicalHeaders" + _debug2 SignedHeaders "$SignedHeaders" + + Hash="sha256" + + RequestPayload="$data" + _debug2 RequestPayload "$RequestPayload" + + RequestPayloadHash="$(printf "%s" "$RequestPayload" | _digest "$Hash" hex | _lower_case)" + _debug2 RequestPayloadHash "$RequestPayloadHash" + + CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$RequestPayloadHash" + _debug2 CanonicalRequest "$CanonicalRequest" + + HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)" + _debug2 HashedCanonicalRequest "$HashedCanonicalRequest" + + Algorithm="JDCLOUD2-HMAC-SHA256" + _debug2 Algorithm "$Algorithm" + + RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)" + _debug2 RequestDateOnly "$RequestDateOnly" + + Region="$JD_REGION" + Service="$_JD_PROD" + + CredentialScope="$RequestDateOnly/$Region/$Service/jdcloud2_request" + _debug2 CredentialScope "$CredentialScope" + + StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest" + + _debug2 StringToSign "$StringToSign" + + kSecret="JDCLOUD2$JD_ACCESS_KEY_SECRET" + + _secure_debug2 kSecret "$kSecret" + + kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")" + _secure_debug2 kSecretH "$kSecretH" + + kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)" + _debug2 kDateH "$kDateH" + + kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)" + _debug2 kRegionH "$kRegionH" + + kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)" + _debug2 kServiceH "$kServiceH" + + kSigningH="$(printf "%s" "jdcloud2_request" | _hmac "$Hash" "$kServiceH" hex)" + _debug2 kSigningH "$kSigningH" + + signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)" + _debug2 signature "$signature" + + Authorization="$Algorithm Credential=$JD_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature" + _debug2 Authorization "$Authorization" + + _H3="Authorization: $Authorization" + _debug _H3 "$_H3" + + url="https://$_JD_HOST$CanonicalURI" + if [ "$qsr" ]; then + url="https://$_JD_HOST$CanonicalURI?$qsr" + fi + + if [ "$mtd" = "GET" ]; then + response="$(_get "$url")" + else + response="$(_post "$data" "$url" "" "$mtd" "application/json")" + fi + + _ret="$?" + _debug2 response "$response" + if [ "$_ret" = "0" ]; then + if _contains "$response" "\"error\""; then + _err "Response error:$response" + return 1 + fi + fi + + return "$_ret" +} diff --git a/acme.sh-master/dnsapi/dns_joker.sh b/acme.sh-master/dnsapi/dns_joker.sh new file mode 100644 index 0000000..78399a1 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_joker.sh @@ -0,0 +1,129 @@ +#!/usr/bin/env sh + +# Joker.com API for acme.sh +# +# This script adds the necessary TXT record to a domain in Joker.com. +# +# You must activate Dynamic DNS in Joker.com DNS configuration first. +# Username and password below refer to Dynamic DNS authentication, +# not your Joker.com login credentials. +# See: https://joker.com/faq/content/11/427/en/what-is-dynamic-dns-dyndns.html +# +# NOTE: This script does not support wildcard certificates, because +# Joker.com API does not support adding two TXT records with the same +# subdomain. Adding the second record will overwrite the first one. +# See: https://joker.com/faq/content/6/496/en/let_s-encrypt-support.html +# "... this request will replace all TXT records for the specified +# label by the provided content" +# +# Author: aattww (https://github.com/aattww/) +# +# Report bugs to https://github.com/acmesh-official/acme.sh/issues/2840 +# +# JOKER_USERNAME="xxxx" +# JOKER_PASSWORD="xxxx" + +JOKER_API="https://svc.joker.com/nic/replace" + +######## Public functions ##################### + +#Usage: dns_joker_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_joker_add() { + fulldomain=$1 + txtvalue=$2 + + JOKER_USERNAME="${JOKER_USERNAME:-$(_readaccountconf_mutable JOKER_USERNAME)}" + JOKER_PASSWORD="${JOKER_PASSWORD:-$(_readaccountconf_mutable JOKER_PASSWORD)}" + + if [ -z "$JOKER_USERNAME" ] || [ -z "$JOKER_PASSWORD" ]; then + _err "No Joker.com username and password specified." + return 1 + fi + + _saveaccountconf_mutable JOKER_USERNAME "$JOKER_USERNAME" + _saveaccountconf_mutable JOKER_PASSWORD "$JOKER_PASSWORD" + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + _info "Adding TXT record" + if _joker_rest "username=$JOKER_USERNAME&password=$JOKER_PASSWORD&zone=$_domain&label=$_sub_domain&type=TXT&value=$txtvalue"; then + if _startswith "$response" "OK"; then + _info "Added, OK" + return 0 + fi + fi + _err "Error adding TXT record." + return 1 +} + +#fulldomain txtvalue +dns_joker_rm() { + fulldomain=$1 + txtvalue=$2 + + JOKER_USERNAME="${JOKER_USERNAME:-$(_readaccountconf_mutable JOKER_USERNAME)}" + JOKER_PASSWORD="${JOKER_PASSWORD:-$(_readaccountconf_mutable JOKER_PASSWORD)}" + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + _info "Removing TXT record" + # TXT record is removed by setting its value to empty. + if _joker_rest "username=$JOKER_USERNAME&password=$JOKER_PASSWORD&zone=$_domain&label=$_sub_domain&type=TXT&value="; then + if _startswith "$response" "OK"; then + _info "Removed, OK" + return 0 + fi + fi + _err "Error removing TXT record." + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + fulldomain=$1 + i=1 + while true; do + h=$(printf "%s" "$fulldomain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + return 1 + fi + + # Try to remove a test record. With correct root domain, username and password this will return "OK: ..." regardless + # of record in question existing or not. + if _joker_rest "username=$JOKER_USERNAME&password=$JOKER_PASSWORD&zone=$h&label=jokerTXTUpdateTest&type=TXT&value="; then + if _startswith "$response" "OK"; then + _sub_domain="$(echo "$fulldomain" | sed "s/\\.$h\$//")" + _domain=$h + return 0 + fi + fi + + i=$(_math "$i" + 1) + done + + _debug "Root domain not found" + return 1 +} + +_joker_rest() { + data="$1" + _debug data "$data" + + if ! response="$(_post "$data" "$JOKER_API" "" "POST")"; then + _err "Error POSTing" + return 1 + fi + _debug response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_kappernet.sh b/acme.sh-master/dnsapi/dns_kappernet.sh new file mode 100644 index 0000000..83a7e5f --- /dev/null +++ b/acme.sh-master/dnsapi/dns_kappernet.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env sh + +# kapper.net domain api +# for further questions please contact: support@kapper.net +# please report issues here: https://github.com/acmesh-official/acme.sh/issues/2977 + +#KAPPERNETDNS_Key="yourKAPPERNETapikey" +#KAPPERNETDNS_Secret="yourKAPPERNETapisecret" + +KAPPERNETDNS_Api="https://dnspanel.kapper.net/API/1.2?APIKey=$KAPPERNETDNS_Key&APISecret=$KAPPERNETDNS_Secret" + +############################################################################### +# called with +# fullhostname: something.example.com +# txtvalue: someacmegenerated string +dns_kappernet_add() { + fullhostname=$1 + txtvalue=$2 + + KAPPERNETDNS_Key="${KAPPERNETDNS_Key:-$(_readaccountconf_mutable KAPPERNETDNS_Key)}" + KAPPERNETDNS_Secret="${KAPPERNETDNS_Secret:-$(_readaccountconf_mutable KAPPERNETDNS_Secret)}" + + if [ -z "$KAPPERNETDNS_Key" ] || [ -z "$KAPPERNETDNS_Secret" ]; then + KAPPERNETDNS_Key="" + KAPPERNETDNS_Secret="" + _err "Please specify your kapper.net api key and secret." + _err "If you have not received yours - send your mail to" + _err "support@kapper.net to get your key and secret." + return 1 + fi + + #store the api key and email to the account conf file. + _saveaccountconf_mutable KAPPERNETDNS_Key "$KAPPERNETDNS_Key" + _saveaccountconf_mutable KAPPERNETDNS_Secret "$KAPPERNETDNS_Secret" + _debug "Checking Domain ..." + if ! _get_root "$fullhostname"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "SUBDOMAIN: $_sub_domain" + _debug _domain "DOMAIN: $_domain" + + _info "Trying to add TXT DNS Record" + data="%7B%22name%22%3A%22$fullhostname%22%2C%22type%22%3A%22TXT%22%2C%22content%22%3A%22$txtvalue%22%2C%22ttl%22%3A%223600%22%2C%22prio%22%3A%22%22%7D" + if _kappernet_api GET "action=new&subject=$_domain&data=$data"; then + + if _contains "$response" "{\"OK\":true"; then + _info "Waiting 120 seconds for DNS to spread the new record" + _sleep 120 + return 0 + else + _err "Error creating a TXT DNS Record: $fullhostname TXT $txtvalue" + _err "Error Message: $response" + return 1 + fi + fi + _err "Failed creating TXT Record" +} + +############################################################################### +# called with +# fullhostname: something.example.com +dns_kappernet_rm() { + fullhostname=$1 + txtvalue=$2 + + KAPPERNETDNS_Key="${KAPPERNETDNS_Key:-$(_readaccountconf_mutable KAPPERNETDNS_Key)}" + KAPPERNETDNS_Secret="${KAPPERNETDNS_Secret:-$(_readaccountconf_mutable KAPPERNETDNS_Secret)}" + + if [ -z "$KAPPERNETDNS_Key" ] || [ -z "$KAPPERNETDNS_Secret" ]; then + KAPPERNETDNS_Key="" + KAPPERNETDNS_Secret="" + _err "Please specify your kapper.net api key and secret." + _err "If you have not received yours - send your mail to" + _err "support@kapper.net to get your key and secret." + return 1 + fi + + #store the api key and email to the account conf file. + _saveaccountconf_mutable KAPPERNETDNS_Key "$KAPPERNETDNS_Key" + _saveaccountconf_mutable KAPPERNETDNS_Secret "$KAPPERNETDNS_Secret" + + _info "Trying to remove the TXT Record: $fullhostname containing $txtvalue" + data="%7B%22name%22%3A%22$fullhostname%22%2C%22type%22%3A%22TXT%22%2C%22content%22%3A%22$txtvalue%22%2C%22ttl%22%3A%223600%22%2C%22prio%22%3A%22%22%7D" + if _kappernet_api GET "action=del&subject=$fullhostname&data=$data"; then + if _contains "$response" "{\"OK\":true"; then + return 0 + else + _err "Error deleting DNS Record: $fullhostname containing $txtvalue" + _err "Problem: $response" + return 1 + fi + fi + _err "Problem deleting TXT DNS record" +} + +#################### Private functions below ################################## +# called with hostname +# e.g._acme-challenge.www.domain.com returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + if ! _kappernet_api GET "action=list&subject=$h"; then + return 1 + fi + if _contains "$response" '"OK":false'; then + _debug "$h not found" + else + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +################################################################################ +# calls the kapper.net DNS Panel API +# with +# method +# param +_kappernet_api() { + method=$1 + param="$2" + + _debug param "PARAMETER=$param" + url="$KAPPERNETDNS_Api&$param" + _debug url "URL=$url" + + if [ "$method" = "GET" ]; then + response="$(_get "$url")" + else + _err "Unsupported method" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_kas.sh b/acme.sh-master/dnsapi/dns_kas.sh new file mode 100644 index 0000000..053abd2 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_kas.sh @@ -0,0 +1,281 @@ +#!/usr/bin/env sh +######################################################################## +# All-inkl Kasserver hook script for acme.sh +# +# Environment variables: +# +# - $KAS_Login (Kasserver API login name) +# - $KAS_Authtype (Kasserver API auth type. Default: plain) +# - $KAS_Authdata (Kasserver API auth data.) +# +# Last update: squared GmbH +# Credits: +# - dns_he.sh. Thanks a lot man! +# - Martin Kammerlander, Phlegx Systems OG +# - Marc-Oliver Lange +# - https://github.com/o1oo11oo/kasapi.sh +######################################################################## +KAS_Api_GET="$(_get "https://kasapi.kasserver.com/soap/wsdl/KasApi.wsdl")" +KAS_Api="$(echo "$KAS_Api_GET" | tr -d ' ' | grep -i "//g")" +_info "[KAS] -> API URL $KAS_Api" + +KAS_Auth_GET="$(_get "https://kasapi.kasserver.com/soap/wsdl/KasAuth.wsdl")" +KAS_Auth="$(echo "$KAS_Auth_GET" | tr -d ' ' | grep -i "//g")" +_info "[KAS] -> AUTH URL $KAS_Auth" + +KAS_default_ratelimit=5 # TODO - Every response delivers a ratelimit (seconds) where KASAPI is blocking a request. + +######## Public functions ##################### +dns_kas_add() { + _fulldomain=$1 + _txtvalue=$2 + + _info "[KAS] -> Using DNS-01 All-inkl/Kasserver hook" + _info "[KAS] -> Check and Save Props" + _check_and_save + + _info "[KAS] -> Adding $_fulldomain DNS TXT entry on all-inkl.com/Kasserver" + _info "[KAS] -> Retriving Credential Token" + _get_credential_token + + _info "[KAS] -> Checking Zone and Record_Name" + _get_zone_and_record_name "$_fulldomain" + + _info "[KAS] -> Checking for existing Record entries" + _get_record_id + + # If there is a record_id, delete the entry + if [ -n "$_record_id" ]; then + _info "[KAS] -> Existing records found. Now deleting old entries" + for i in $_record_id; do + _delete_RecordByID "$i" + done + else + _info "[KAS] -> No record found." + fi + + _info "[KAS] -> Creating TXT DNS record" + action="add_dns_settings" + kasReqParam="\"record_name\":\"$_record_name\"" + kasReqParam="$kasReqParam,\"record_type\":\"TXT\"" + kasReqParam="$kasReqParam,\"record_data\":\"$_txtvalue\"" + kasReqParam="$kasReqParam,\"record_aux\":\"0\"" + kasReqParam="$kasReqParam,\"zone_host\":\"$_zone\"" + response="$(_callAPI "$action" "$kasReqParam")" + _debug2 "[KAS] -> Response" "$response" + + if [ -z "$response" ]; then + _info "[KAS] -> Response was empty, please check manually." + return 1 + elif _contains "$response" ""; then + faultstring="$(echo "$response" | tr -d '\n\r' | sed "s//\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")" + case "${faultstring}" in + "record_already_exists") + _info "[KAS] -> The record already exists, which must not be a problem. Please check manually." + ;; + *) + _err "[KAS] -> An error =>$faultstring<= occurred, please check manually." + return 1 + ;; + esac + elif ! _contains "$response" "ReturnStringTRUE"; then + _err "[KAS] -> An unknown error occurred, please check manually." + return 1 + fi + return 0 +} + +dns_kas_rm() { + _fulldomain=$1 + _txtvalue=$2 + + _info "[KAS] -> Using DNS-01 All-inkl/Kasserver hook" + _info "[KAS] -> Check and Save Props" + _check_and_save + + _info "[KAS] -> Cleaning up after All-inkl/Kasserver hook" + _info "[KAS] -> Removing $_fulldomain DNS TXT entry on All-inkl/Kasserver" + _info "[KAS] -> Retriving Credential Token" + _get_credential_token + + _info "[KAS] -> Checking Zone and Record_Name" + _get_zone_and_record_name "$_fulldomain" + + _info "[KAS] -> Getting Record ID" + _get_record_id + + _info "[KAS] -> Removing entries with ID: $_record_id" + # If there is a record_id, delete the entry + if [ -n "$_record_id" ]; then + for i in $_record_id; do + _delete_RecordByID "$i" + done + else # Cannot delete or unkown error + _info "[KAS] -> No record_id found that can be deleted. Please check manually." + fi + return 0 +} + +########################## PRIVATE FUNCTIONS ########################### +# Delete Record ID +_delete_RecordByID() { + recId=$1 + action="delete_dns_settings" + kasReqParam="\"record_id\":\"$recId\"" + response="$(_callAPI "$action" "$kasReqParam")" + _debug2 "[KAS] -> Response" "$response" + + if [ -z "$response" ]; then + _info "[KAS] -> Response was empty, please check manually." + return 1 + elif _contains "$response" ""; then + faultstring="$(echo "$response" | tr -d '\n\r' | sed "s//\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")" + case "${faultstring}" in + "record_id_not_found") + _info "[KAS] -> The record was not found, which perhaps is not a problem. Please check manually." + ;; + *) + _err "[KAS] -> An error =>$faultstring<= occurred, please check manually." + return 1 + ;; + esac + elif ! _contains "$response" "ReturnStringTRUE"; then + _err "[KAS] -> An unknown error occurred, please check manually." + return 1 + fi +} +# Checks for the ENV variables and saves them +_check_and_save() { + KAS_Login="${KAS_Login:-$(_readaccountconf_mutable KAS_Login)}" + KAS_Authtype="${KAS_Authtype:-$(_readaccountconf_mutable KAS_Authtype)}" + KAS_Authdata="${KAS_Authdata:-$(_readaccountconf_mutable KAS_Authdata)}" + + if [ -z "$KAS_Login" ] || [ -z "$KAS_Authtype" ] || [ -z "$KAS_Authdata" ]; then + KAS_Login= + KAS_Authtype= + KAS_Authdata= + _err "[KAS] -> No auth details provided. Please set user credentials using the \$KAS_Login, \$KAS_Authtype, and \$KAS_Authdata environment variables." + return 1 + fi + _saveaccountconf_mutable KAS_Login "$KAS_Login" + _saveaccountconf_mutable KAS_Authtype "$KAS_Authtype" + _saveaccountconf_mutable KAS_Authdata "$KAS_Authdata" + return 0 +} + +# Gets back the base domain/zone and record name. +# See: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide +_get_zone_and_record_name() { + action="get_domains" + response="$(_callAPI "$action")" + _debug2 "[KAS] -> Response" "$response" + + if [ -z "$response" ]; then + _info "[KAS] -> Response was empty, please check manually." + return 1 + elif _contains "$response" ""; then + faultstring="$(echo "$response" | tr -d '\n\r' | sed "s//\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")" + _err "[KAS] -> Either no domains were found or another error =>$faultstring<= occurred, please check manually." + return 1 + fi + + zonen="$(echo "$response" | sed 's//\n/g' | sed -r 's/(.*domain_name<\/key>)(.*)(<\/value.*)/\2/' | sed '/^ Zone:" "$_zone" + _debug "[KAS] -> Domain:" "$domain" + _debug "[KAS] -> Record_Name:" "$_record_name" + return 0 +} + +# Retrieve the DNS record ID +_get_record_id() { + action="get_dns_settings" + kasReqParam="\"zone_host\":\"$_zone\"" + response="$(_callAPI "$action" "$kasReqParam")" + _debug2 "[KAS] -> Response" "$response" + + if [ -z "$response" ]; then + _info "[KAS] -> Response was empty, please check manually." + return 1 + elif _contains "$response" ""; then + faultstring="$(echo "$response" | tr -d '\n\r' | sed "s//\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")" + _err "[KAS] -> Either no domains were found or another error =>$faultstring<= occurred, please check manually." + return 1 + fi + + _record_id="$(echo "$response" | tr -d '\n\r' | sed "s//\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/record_id<\/key>/=>/g" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")" + _debug "[KAS] -> Record Id: " "$_record_id" + return 0 +} + +# Retrieve credential token +_get_credential_token() { + baseParamAuth="\"kas_login\":\"$KAS_Login\"" + baseParamAuth="$baseParamAuth,\"kas_auth_type\":\"$KAS_Authtype\"" + baseParamAuth="$baseParamAuth,\"kas_auth_data\":\"$KAS_Authdata\"" + baseParamAuth="$baseParamAuth,\"session_lifetime\":600" + baseParamAuth="$baseParamAuth,\"session_update_lifetime\":\"Y\"" + + data='{' + data="$data$baseParamAuth}" + + _debug "[KAS] -> Be friendly and wait $KAS_default_ratelimit seconds by default before calling KAS API." + _sleep $KAS_default_ratelimit + + contentType="text/xml" + export _H1="SOAPAction: urn:xmethodsKasApiAuthentication#KasAuth" + response="$(_post "$data" "$KAS_Auth" "" "POST" "$contentType")" + _debug2 "[KAS] -> Response" "$response" + + if [ -z "$response" ]; then + _info "[KAS] -> Response was empty, please check manually." + return 1 + elif _contains "$response" ""; then + faultstring="$(echo "$response" | tr -d '\n\r' | sed "s//\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")" + _err "[KAS] -> Could not retrieve login token or antoher error =>$faultstring<= occurred, please check manually." + return 1 + fi + + _credential_token="$(echo "$response" | tr '\n' ' ' | sed 's/.*return xsi:type="xsd:string">\(.*\)<\/return>/\1/' | sed 's/<\/ns1:KasAuthResponse\(.*\)Envelope>.*//')" + _debug "[KAS] -> Credential Token: " "$_credential_token" + return 0 +} + +_callAPI() { + kasaction=$1 + kasReqParams=$2 + + baseParamAuth="\"kas_login\":\"$KAS_Login\"" + baseParamAuth="$baseParamAuth,\"kas_auth_type\":\"session\"" + baseParamAuth="$baseParamAuth,\"kas_auth_data\":\"$_credential_token\"" + + data='{' + data="$data$baseParamAuth,\"kas_action\":\"$kasaction\"" + if [ -n "$kasReqParams" ]; then + data="$data,\"KasRequestParams\":{$kasReqParams}" + fi + data="$data}" + + _debug2 "[KAS] -> Request" "$data" + + _debug "[KAS] -> Be friendly and wait $KAS_default_ratelimit seconds by default before calling KAS API." + _sleep $KAS_default_ratelimit + + contentType="text/xml" + export _H1="SOAPAction: urn:xmethodsKasApi#KasApi" + response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")" + _debug2 "[KAS] -> Response" "$response" + echo "$response" +} diff --git a/acme.sh-master/dnsapi/dns_kinghost.sh b/acme.sh-master/dnsapi/dns_kinghost.sh new file mode 100644 index 0000000..f640242 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_kinghost.sh @@ -0,0 +1,107 @@ +#!/usr/bin/env sh + +############################################################ +# KingHost API support # +# https://api.kinghost.net/doc/ # +# # +# Author: Felipe Keller Braz # +# Report Bugs here: https://github.com/kinghost/acme.sh # +# # +# Values to export: # +# export KINGHOST_Username="email@provider.com" # +# export KINGHOST_Password="xxxxxxxxxx" # +############################################################ + +KING_Api="https://api.kinghost.net/acme" + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Used to add txt record +dns_kinghost_add() { + fulldomain=$1 + txtvalue=$2 + + KINGHOST_Username="${KINGHOST_Username:-$(_readaccountconf_mutable KINGHOST_Username)}" + KINGHOST_Password="${KINGHOST_Password:-$(_readaccountconf_mutable KINGHOST_Password)}" + if [ -z "$KINGHOST_Username" ] || [ -z "$KINGHOST_Password" ]; then + KINGHOST_Username="" + KINGHOST_Password="" + _err "You don't specify KingHost api password and email yet." + _err "Please create you key and try again." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable KINGHOST_Username "$KINGHOST_Username" + _saveaccountconf_mutable KINGHOST_Password "$KINGHOST_Password" + + _debug "Getting txt records" + _kinghost_rest GET "dns" "name=$fulldomain&content=$txtvalue" + + #This API call returns "status":"ok" if dns record does not exist + #We are creating a new txt record here, so we expect the "ok" status + if ! echo "$response" | grep '"status":"ok"' >/dev/null; then + _err "Error" + _err "$response" + return 1 + fi + + _kinghost_rest POST "dns" "name=$fulldomain&content=$txtvalue" + if ! echo "$response" | grep '"status":"ok"' >/dev/null; then + _err "Error" + _err "$response" + return 1 + fi + + return 0 +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +dns_kinghost_rm() { + fulldomain=$1 + txtvalue=$2 + + KINGHOST_Password="${KINGHOST_Password:-$(_readaccountconf_mutable KINGHOST_Password)}" + KINGHOST_Username="${KINGHOST_Username:-$(_readaccountconf_mutable KINGHOST_Username)}" + if [ -z "$KINGHOST_Password" ] || [ -z "$KINGHOST_Username" ]; then + KINGHOST_Password="" + KINGHOST_Username="" + _err "You don't specify KingHost api key and email yet." + _err "Please create you key and try again." + return 1 + fi + + _kinghost_rest DELETE "dns" "name=$fulldomain&content=$txtvalue" + if ! echo "$response" | grep '"status":"ok"' >/dev/null; then + _err "Error" + _err "$response" + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## +_kinghost_rest() { + method=$1 + uri="$2" + data="$3" + _debug "$uri" + + export _H1="X-Auth-Email: $KINGHOST_Username" + export _H2="X-Auth-Key: $KINGHOST_Password" + + if [ "$method" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$KING_Api/$uri.json" "" "$method")" + else + response="$(_get "$KING_Api/$uri.json?$data")" + fi + + if [ "$?" != "0" ]; then + _err "error $uri" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_knot.sh b/acme.sh-master/dnsapi/dns_knot.sh new file mode 100644 index 0000000..729a89c --- /dev/null +++ b/acme.sh-master/dnsapi/dns_knot.sh @@ -0,0 +1,97 @@ +#!/usr/bin/env sh + +######## Public functions ##################### + +#Usage: dns_knot_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_knot_add() { + fulldomain=$1 + txtvalue=$2 + _checkKey || return 1 + [ -n "${KNOT_SERVER}" ] || KNOT_SERVER="localhost" + # save the dns server and key to the account.conf file. + _saveaccountconf KNOT_SERVER "${KNOT_SERVER}" + _saveaccountconf KNOT_KEY "${KNOT_KEY}" + + if ! _get_root "$fulldomain"; then + _err "Domain does not exist." + return 1 + fi + + _info "Adding ${fulldomain}. 60 TXT \"${txtvalue}\"" + + knsupdate < +#Utilize leaseweb.com API to finish dns-01 verifications. +#Requires a Leaseweb API Key (export LSW_Key="Your Key") +#See https://developer.leaseweb.com for more information. +######## Public functions ##################### + +LSW_API="https://api.leaseweb.com/hosting/v2/domains/" + +#Usage: dns_leaseweb_add _acme-challenge.www.domain.com +dns_leaseweb_add() { + fulldomain=$1 + txtvalue=$2 + + LSW_Key="${LSW_Key:-$(_readaccountconf_mutable LSW_Key)}" + if [ -z "$LSW_Key" ]; then + LSW_Key="" + _err "You don't specify Leaseweb api key yet." + _err "Please create your key and try again." + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable LSW_Key "$LSW_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _root_domain "$_domain" + _debug _domain "$fulldomain" + + if _lsw_api "POST" "$_domain" "$fulldomain" "$txtvalue"; then + if [ "$_code" = "201" ]; then + _info "Added, OK" + return 0 + else + _err "Add txt record error, invalid code. Code: $_code" + return 1 + fi + fi + _err "Add txt record error." + + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_leaseweb_rm() { + fulldomain=$1 + txtvalue=$2 + + LSW_Key="${LSW_Key:-$(_readaccountconf_mutable LSW_Key)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _root_domain "$_domain" + _debug _domain "$fulldomain" + + if _lsw_api "DELETE" "$_domain" "$fulldomain" "$txtvalue"; then + if [ "$_code" = "204" ]; then + _info "Deleted, OK" + return 0 + else + _err "Delete txt record error." + return 1 + fi + fi + _err "Delete txt record error." + + return 1 +} + +#################### Private functions below ################################## +# _acme-challenge.www.domain.com +# returns +# _domain=domain.com +_get_root() { + rdomain=$1 + i="$(echo "$rdomain" | tr '.' ' ' | wc -w)" + i=$(_math "$i" - 1) + + while true; do + h=$(printf "%s" "$rdomain" | cut -d . -f "$i"-100) + _debug h "$h" + if [ -z "$h" ]; then + return 1 #not valid domain + fi + + #Check API if domain exists + if _lsw_api "GET" "$h"; then + if [ "$_code" = "200" ]; then + _domain="$h" + return 0 + fi + fi + i=$(_math "$i" - 1) + if [ "$i" -lt 2 ]; then + return 1 #not found, no need to check _acme-challenge.sub.domain in leaseweb api. + fi + done + + return 1 +} + +_lsw_api() { + cmd=$1 + d=$2 + fd=$3 + tvalue=$4 + + # Construct the HTTP Authorization header + export _H2="Content-Type: application/json" + export _H1="X-Lsw-Auth: ${LSW_Key}" + + if [ "$cmd" = "GET" ]; then + response="$(_get "$LSW_API/$d")" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + _debug response "$response" + return 0 + fi + + if [ "$cmd" = "POST" ]; then + data="{\"name\": \"$fd.\",\"type\": \"TXT\",\"content\": [\"$tvalue\"],\"ttl\": 60}" + response="$(_post "$data" "$LSW_API/$d/resourceRecordSets" "$data" "POST")" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + _debug response "$response" + return 0 + fi + + if [ "$cmd" = "DELETE" ]; then + response="$(_post "" "$LSW_API/$d/resourceRecordSets/$fd/TXT" "" "DELETE")" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + _debug response "$response" + return 0 + fi + + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_lexicon.sh b/acme.sh-master/dnsapi/dns_lexicon.sh new file mode 100644 index 0000000..1970234 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_lexicon.sh @@ -0,0 +1,113 @@ +#!/usr/bin/env sh + +# dns api wrapper of lexicon for acme.sh + +# https://github.com/AnalogJ/lexicon +lexicon_cmd="lexicon" + +wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-lexicon-dns-api" + +_lexicon_init() { + if ! _exists "$lexicon_cmd"; then + _err "Please install $lexicon_cmd first: $wiki" + return 1 + fi + + PROVIDER="${PROVIDER:-$(_readdomainconf PROVIDER)}" + if [ -z "$PROVIDER" ]; then + PROVIDER="" + _err "Please define env PROVIDER first: $wiki" + return 1 + fi + + _savedomainconf PROVIDER "$PROVIDER" + export PROVIDER + + # e.g. busybox-ash does not know [:upper:] + # shellcheck disable=SC2018,SC2019 + Lx_name=$(echo LEXICON_"${PROVIDER}"_USERNAME | tr 'a-z' 'A-Z') + eval "$Lx_name=\${$Lx_name:-$(_readaccountconf_mutable "$Lx_name")}" + Lx_name_v=$(eval echo \$"$Lx_name") + _secure_debug "$Lx_name" "$Lx_name_v" + if [ "$Lx_name_v" ]; then + _saveaccountconf_mutable "$Lx_name" "$Lx_name_v" + eval export "$Lx_name" + fi + + # shellcheck disable=SC2018,SC2019 + Lx_token=$(echo LEXICON_"${PROVIDER}"_TOKEN | tr 'a-z' 'A-Z') + eval "$Lx_token=\${$Lx_token:-$(_readaccountconf_mutable "$Lx_token")}" + Lx_token_v=$(eval echo \$"$Lx_token") + _secure_debug "$Lx_token" "$Lx_token_v" + if [ "$Lx_token_v" ]; then + _saveaccountconf_mutable "$Lx_token" "$Lx_token_v" + eval export "$Lx_token" + fi + + # shellcheck disable=SC2018,SC2019 + Lx_password=$(echo LEXICON_"${PROVIDER}"_PASSWORD | tr 'a-z' 'A-Z') + eval "$Lx_password=\${$Lx_password:-$(_readaccountconf_mutable "$Lx_password")}" + Lx_password_v=$(eval echo \$"$Lx_password") + _secure_debug "$Lx_password" "$Lx_password_v" + if [ "$Lx_password_v" ]; then + _saveaccountconf_mutable "$Lx_password" "$Lx_password_v" + eval export "$Lx_password" + fi + + # shellcheck disable=SC2018,SC2019 + Lx_domaintoken=$(echo LEXICON_"${PROVIDER}"_DOMAINTOKEN | tr 'a-z' 'A-Z') + eval "$Lx_domaintoken=\${$Lx_domaintoken:-$(_readaccountconf_mutable "$Lx_domaintoken")}" + Lx_domaintoken_v=$(eval echo \$"$Lx_domaintoken") + _secure_debug "$Lx_domaintoken" "$Lx_domaintoken_v" + if [ "$Lx_domaintoken_v" ]; then + _saveaccountconf_mutable "$Lx_domaintoken" "$Lx_domaintoken_v" + eval export "$Lx_domaintoken" + fi + + # shellcheck disable=SC2018,SC2019 + Lx_api_key=$(echo LEXICON_"${PROVIDER}"_API_KEY | tr 'a-z' 'A-Z') + eval "$Lx_api_key=\${$Lx_api_key:-$(_readaccountconf_mutable "$Lx_api_key")}" + Lx_api_key_v=$(eval echo \$"$Lx_api_key") + _secure_debug "$Lx_api_key" "$Lx_api_key_v" + if [ "$Lx_api_key_v" ]; then + _saveaccountconf_mutable "$Lx_api_key" "$Lx_api_key_v" + eval export "$Lx_api_key" + fi +} + +######## Public functions ##################### + +#Usage: dns_lexicon_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_lexicon_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _lexicon_init; then + return 1 + fi + + domain=$(printf "%s" "$fulldomain" | cut -d . -f 2-999) + + _secure_debug LEXICON_OPTS "$LEXICON_OPTS" + _savedomainconf LEXICON_OPTS "$LEXICON_OPTS" + + # shellcheck disable=SC2086 + $lexicon_cmd "$PROVIDER" $LEXICON_OPTS create "${domain}" TXT --name="_acme-challenge.${domain}." --content="${txtvalue}" --output QUIET + +} + +#Usage: dns_lexicon_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_lexicon_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _lexicon_init; then + return 1 + fi + + domain=$(printf "%s" "$fulldomain" | cut -d . -f 2-999) + + # shellcheck disable=SC2086 + $lexicon_cmd "$PROVIDER" $LEXICON_OPTS delete "${domain}" TXT --name="_acme-challenge.${domain}." --content="${txtvalue}" --output QUIET + +} diff --git a/acme.sh-master/dnsapi/dns_linode.sh b/acme.sh-master/dnsapi/dns_linode.sh new file mode 100644 index 0000000..ead5b16 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_linode.sh @@ -0,0 +1,183 @@ +#!/usr/bin/env sh + +#Author: Philipp Grosswiler + +LINODE_API_URL="https://api.linode.com/?api_key=$LINODE_API_KEY&api_action=" + +######## Public functions ##################### + +#Usage: dns_linode_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_linode_add() { + fulldomain="${1}" + txtvalue="${2}" + + if ! _Linode_API; then + return 1 + fi + + _info "Using Linode" + _debug "Calling: dns_linode_add() '${fulldomain}' '${txtvalue}'" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Domain does not exist." + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _parameters="&DomainID=$_domain_id&Type=TXT&Name=$_sub_domain&Target=$txtvalue" + + if _rest GET "domain.resource.create" "$_parameters" && [ -n "$response" ]; then + _resource_id=$(printf "%s\n" "$response" | _egrep_o "\"ResourceID\":\s*[0-9]+" | cut -d : -f 2 | tr -d " " | _head_n 1) + _debug _resource_id "$_resource_id" + + if [ -z "$_resource_id" ]; then + _err "Error adding the domain resource." + return 1 + fi + + _info "Domain resource successfully added." + return 0 + fi + + return 1 +} + +#Usage: dns_linode_rm _acme-challenge.www.domain.com +dns_linode_rm() { + fulldomain="${1}" + + if ! _Linode_API; then + return 1 + fi + + _info "Using Linode" + _debug "Calling: dns_linode_rm() '${fulldomain}'" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Domain does not exist." + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _parameters="&DomainID=$_domain_id" + + if _rest GET "domain.resource.list" "$_parameters" && [ -n "$response" ]; then + response="$(echo "$response" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")" + + resource="$(echo "$response" | _egrep_o "{.*\"NAME\":\s*\"$_sub_domain\".*}")" + if [ "$resource" ]; then + _resource_id=$(printf "%s\n" "$resource" | _egrep_o "\"RESOURCEID\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "$_resource_id" ]; then + _debug _resource_id "$_resource_id" + + _parameters="&DomainID=$_domain_id&ResourceID=$_resource_id" + + if _rest GET "domain.resource.delete" "$_parameters" && [ -n "$response" ]; then + _resource_id=$(printf "%s\n" "$response" | _egrep_o "\"ResourceID\":\s*[0-9]+" | cut -d : -f 2 | tr -d " " | _head_n 1) + _debug _resource_id "$_resource_id" + + if [ -z "$_resource_id" ]; then + _err "Error deleting the domain resource." + return 1 + fi + + _info "Domain resource successfully deleted." + return 0 + fi + fi + + return 1 + fi + + return 0 + fi + + return 1 +} + +#################### Private functions below ################################## + +_Linode_API() { + if [ -z "$LINODE_API_KEY" ]; then + LINODE_API_KEY="" + + _err "You didn't specify the Linode API key yet." + _err "Please create your key and try again." + + return 1 + fi + + _saveaccountconf LINODE_API_KEY "$LINODE_API_KEY" +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=12345 +_get_root() { + domain=$1 + i=2 + p=1 + + if _rest GET "domain.list"; then + response="$(echo "$response" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + hostedzone="$(echo "$response" | _egrep_o "{.*\"DOMAIN\":\s*\"$h\".*}")" + if [ "$hostedzone" ]; then + _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"DOMAINID\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + fi + return 1 +} + +#method method action data +_rest() { + mtd="$1" + ep="$2" + data="$3" + + _debug mtd "$mtd" + _debug ep "$ep" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + + if [ "$mtd" != "GET" ]; then + # both POST and DELETE. + _debug data "$data" + response="$(_post "$data" "$LINODE_API_URL$ep" "" "$mtd")" + else + response="$(_get "$LINODE_API_URL$ep$data")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_linode_v4.sh b/acme.sh-master/dnsapi/dns_linode_v4.sh new file mode 100644 index 0000000..9504afb --- /dev/null +++ b/acme.sh-master/dnsapi/dns_linode_v4.sh @@ -0,0 +1,187 @@ +#!/usr/bin/env sh + +#Original Author: Philipp Grosswiler +#v4 Update Author: Aaron W. Swenson + +LINODE_V4_API_URL="https://api.linode.com/v4/domains" + +######## Public functions ##################### + +#Usage: dns_linode_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_linode_v4_add() { + fulldomain="${1}" + txtvalue="${2}" + + if ! _Linode_API; then + return 1 + fi + + _info "Using Linode" + _debug "Calling: dns_linode_add() '${fulldomain}' '${txtvalue}'" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Domain does not exist." + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _payload="{ + \"type\": \"TXT\", + \"name\": \"$_sub_domain\", + \"target\": \"$txtvalue\", + \"ttl_sec\": 300 + }" + + if _rest POST "/$_domain_id/records" "$_payload" && [ -n "$response" ]; then + _resource_id=$(printf "%s\n" "$response" | _egrep_o "\"id\": *[0-9]+" | cut -d : -f 2 | tr -d " " | _head_n 1) + _debug _resource_id "$_resource_id" + + if [ -z "$_resource_id" ]; then + _err "Error adding the domain resource." + return 1 + fi + + _info "Domain resource successfully added." + return 0 + fi + + return 1 +} + +#Usage: dns_linode_rm _acme-challenge.www.domain.com +dns_linode_v4_rm() { + fulldomain="${1}" + + if ! _Linode_API; then + return 1 + fi + + _info "Using Linode" + _debug "Calling: dns_linode_rm() '${fulldomain}'" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Domain does not exist." + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if _rest GET "/$_domain_id/records" && [ -n "$response" ]; then + response="$(echo "$response" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")" + + resource="$(echo "$response" | _egrep_o "\{.*\"name\": *\"$_sub_domain\".*}")" + if [ "$resource" ]; then + _resource_id=$(printf "%s\n" "$resource" | _egrep_o "\"id\": *[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "$_resource_id" ]; then + _debug _resource_id "$_resource_id" + + if _rest DELETE "/$_domain_id/records/$_resource_id" && [ -n "$response" ]; then + # On 200/OK, empty set is returned. Check for error, if any. + _error_response=$(printf "%s\n" "$response" | _egrep_o "\"errors\"" | cut -d : -f 2 | tr -d " " | _head_n 1) + + if [ -n "$_error_response" ]; then + _err "Error deleting the domain resource: $_error_response" + return 1 + fi + + _info "Domain resource successfully deleted." + return 0 + fi + fi + + return 1 + fi + + return 0 + fi + + return 1 +} + +#################### Private functions below ################################## + +_Linode_API() { + LINODE_V4_API_KEY="${LINODE_V4_API_KEY:-$(_readaccountconf_mutable LINODE_V4_API_KEY)}" + if [ -z "$LINODE_V4_API_KEY" ]; then + LINODE_V4_API_KEY="" + + _err "You didn't specify the Linode v4 API key yet." + _err "Please create your key and try again." + + return 1 + fi + + _saveaccountconf_mutable LINODE_V4_API_KEY "$LINODE_V4_API_KEY" +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=12345 +_get_root() { + domain=$1 + i=2 + p=1 + + if _rest GET; then + response="$(echo "$response" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + hostedzone="$(echo "$response" | _egrep_o "\{.*\"domain\": *\"$h\".*}")" + if [ "$hostedzone" ]; then + _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\": *[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + fi + return 1 +} + +#method method action data +_rest() { + mtd="$1" + ep="$2" + data="$3" + + _debug mtd "$mtd" + _debug ep "$ep" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + export _H3="Authorization: Bearer $LINODE_V4_API_KEY" + + if [ "$mtd" != "GET" ]; then + # both POST and DELETE. + _debug data "$data" + response="$(_post "$data" "$LINODE_V4_API_URL$ep" "" "$mtd")" + else + response="$(_get "$LINODE_V4_API_URL$ep$data")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_loopia.sh b/acme.sh-master/dnsapi/dns_loopia.sh new file mode 100644 index 0000000..399c786 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_loopia.sh @@ -0,0 +1,326 @@ +#!/usr/bin/env sh + +# +#LOOPIA_User="username" +# +#LOOPIA_Password="password" +# +#LOOPIA_Api="https://api.loopia./RPCSERV" + +LOOPIA_Api_Default="https://api.loopia.se/RPCSERV" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_loopia_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _loopia_load_config; then + return 1 + fi + + _loopia_save_config + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + + if ! _loopia_add_sub_domain "$_domain" "$_sub_domain"; then + return 1 + fi + if ! _loopia_add_record "$_domain" "$_sub_domain" "$txtvalue"; then + return 1 + fi + +} + +dns_loopia_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _loopia_load_config; then + return 1 + fi + + _loopia_save_config + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + xml_content=$(printf ' + + removeSubdomain + + + %s + + + %s + + + %s + + + %s + + + ' "$LOOPIA_User" "$Encoded_Password" "$_domain" "$_sub_domain") + + response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")" + + if ! _contains "$response" "OK"; then + err_response=$(echo "$response" | sed 's/.*\(.*\)<\/string>.*/\1/') + _err "Error could not get txt records: $err_response" + return 1 + fi +} + +#################### Private functions below ################################## + +_loopia_load_config() { + LOOPIA_Api="${LOOPIA_Api:-$(_readaccountconf_mutable LOOPIA_Api)}" + LOOPIA_User="${LOOPIA_User:-$(_readaccountconf_mutable LOOPIA_User)}" + LOOPIA_Password="${LOOPIA_Password:-$(_readaccountconf_mutable LOOPIA_Password)}" + + if [ -z "$LOOPIA_Api" ]; then + LOOPIA_Api="$LOOPIA_Api_Default" + fi + + if [ -z "$LOOPIA_User" ] || [ -z "$LOOPIA_Password" ]; then + LOOPIA_User="" + LOOPIA_Password="" + + _err "A valid Loopia API user and password not provided." + _err "Please provide a valid API user and try again." + + return 1 + fi + + if _contains "$LOOPIA_Password" "'" || _contains "$LOOPIA_Password" '"'; then + _err "Password contains quoute or double quoute and this is not supported by dns_loopia.sh" + return 1 + fi + + Encoded_Password=$(_xml_encode "$LOOPIA_Password") + return 0 +} + +_loopia_save_config() { + if [ "$LOOPIA_Api" != "$LOOPIA_Api_Default" ]; then + _saveaccountconf_mutable LOOPIA_Api "$LOOPIA_Api" + fi + _saveaccountconf_mutable LOOPIA_User "$LOOPIA_User" + _saveaccountconf_mutable LOOPIA_Password "$LOOPIA_Password" +} + +_loopia_get_records() { + domain=$1 + sub_domain=$2 + + xml_content=$(printf ' + + getZoneRecords + + + %s + + + %s + + + %s + + + %s + + + ' "$LOOPIA_User" "$Encoded_Password" "$domain" "$sub_domain") + + response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")" + if ! _contains "$response" ""; then + err_response=$(echo "$response" | sed 's/.*\(.*\)<\/string>.*/\1/') + _err "Error: $err_response" + return 1 + fi + return 0 +} + +_get_root() { + domain=$1 + _debug "get root" + + domain=$1 + i=2 + p=1 + + xml_content=$(printf ' + + getDomains + + + %s + + + %s + + + ' "$LOOPIA_User" "$Encoded_Password") + + response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")" + while true; do + h=$(echo "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "$h"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 + +} + +_loopia_add_record() { + domain=$1 + sub_domain=$2 + txtval=$3 + + xml_content=$(printf ' + + addZoneRecord + + + %s + + + %s + + + %s + + + %s + + + + + + type + TXT + + + priority + 0 + + + ttl + 300 + + + rdata + %s + + + + + + ' "$LOOPIA_User" "$Encoded_Password" "$domain" "$sub_domain" "$txtval") + + response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")" + + if ! _contains "$response" "OK"; then + err_response=$(echo "$response" | sed 's/.*\(.*\)<\/string>.*/\1/') + _err "Error: $err_response" + return 1 + fi + return 0 +} + +_sub_domain_exists() { + domain=$1 + sub_domain=$2 + + xml_content=$(printf ' + + getSubdomains + + + %s + + + %s + + + %s + + + ' "$LOOPIA_User" "$Encoded_Password" "$domain") + + response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")" + + if _contains "$response" "$sub_domain"; then + return 0 + fi + return 1 +} + +_loopia_add_sub_domain() { + domain=$1 + sub_domain=$2 + + if _sub_domain_exists "$domain" "$sub_domain"; then + return 0 + fi + + xml_content=$(printf ' + + addSubdomain + + + %s + + + %s + + + %s + + + %s + + + ' "$LOOPIA_User" "$Encoded_Password" "$domain" "$sub_domain") + + response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")" + + if ! _contains "$response" "OK"; then + err_response=$(echo "$response" | sed 's/.*\(.*\)<\/string>.*/\1/') + _err "Error: $err_response" + return 1 + fi + return 0 +} + +_xml_encode() { + encoded_string=$1 + encoded_string=$(echo "$encoded_string" | sed 's/&/\&/') + encoded_string=$(echo "$encoded_string" | sed 's//\>/') + printf "%s" "$encoded_string" +} diff --git a/acme.sh-master/dnsapi/dns_lua.sh b/acme.sh-master/dnsapi/dns_lua.sh new file mode 100644 index 0000000..30c1557 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_lua.sh @@ -0,0 +1,154 @@ +#!/usr/bin/env sh + +# bug reports to dev@1e.ca + +# +#LUA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#LUA_Email="user@luadns.net" + +LUA_Api="https://api.luadns.com/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_lua_add() { + fulldomain=$1 + txtvalue=$2 + + LUA_Key="${LUA_Key:-$(_readaccountconf_mutable LUA_Key)}" + LUA_Email="${LUA_Email:-$(_readaccountconf_mutable LUA_Email)}" + LUA_auth=$(printf "%s" "$LUA_Email:$LUA_Key" | _base64) + + if [ -z "$LUA_Key" ] || [ -z "$LUA_Email" ]; then + LUA_Key="" + LUA_Email="" + _err "You don't specify luadns api key and email yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable LUA_Key "$LUA_Key" + _saveaccountconf_mutable LUA_Email "$LUA_Email" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _LUA_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$fulldomain.\",\"content\":\"$txtvalue\",\"ttl\":120}"; then + if _contains "$response" "$fulldomain"; then + _info "Added" + #todo: check if the record takes effect + return 0 + else + _err "Add txt record error." + return 1 + fi + fi +} + +#fulldomain +dns_lua_rm() { + fulldomain=$1 + txtvalue=$2 + + LUA_Key="${LUA_Key:-$(_readaccountconf_mutable LUA_Key)}" + LUA_Email="${LUA_Email:-$(_readaccountconf_mutable LUA_Email)}" + LUA_auth=$(printf "%s" "$LUA_Email:$LUA_Key" | _base64) + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _LUA_rest GET "zones/${_domain_id}/records" + + count=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$fulldomain.\",\"type\":\"TXT\"" | wc -l | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*,\"name\":\"$fulldomain.\",\"type\":\"TXT\"" | _head_n 1 | cut -d: -f2 | cut -d, -f1) + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _LUA_rest DELETE "/zones/$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _contains "$response" "$record_id" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + if ! _LUA_rest GET "zones"; then + return 1 + fi + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*,\"name\":\"$h\"" | cut -d : -f 2 | cut -d , -f 1) + _debug _domain_id "$_domain_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_LUA_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Accept: application/json" + export _H2="Authorization: Basic $LUA_auth" + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$LUA_Api/$ep" "" "$m")" + else + response="$(_get "$LUA_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_maradns.sh b/acme.sh-master/dnsapi/dns_maradns.sh new file mode 100644 index 0000000..4ff6ca2 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_maradns.sh @@ -0,0 +1,69 @@ +#!/usr/bin/env sh + +#Usage: dns_maradns_add _acme-challenge.www.domain.com "token" +dns_maradns_add() { + fulldomain="$1" + txtvalue="$2" + + MARA_ZONE_FILE="${MARA_ZONE_FILE:-$(_readaccountconf_mutable MARA_ZONE_FILE)}" + MARA_DUENDE_PID_PATH="${MARA_DUENDE_PID_PATH:-$(_readaccountconf_mutable MARA_DUENDE_PID_PATH)}" + + _check_zone_file "$MARA_ZONE_FILE" || return 1 + _check_duende_pid_path "$MARA_DUENDE_PID_PATH" || return 1 + + _saveaccountconf_mutable MARA_ZONE_FILE "$MARA_ZONE_FILE" + _saveaccountconf_mutable MARA_DUENDE_PID_PATH "$MARA_DUENDE_PID_PATH" + + printf "%s. TXT '%s' ~\n" "$fulldomain" "$txtvalue" >>"$MARA_ZONE_FILE" + _reload_maradns "$MARA_DUENDE_PID_PATH" || return 1 +} + +#Usage: dns_maradns_rm _acme-challenge.www.domain.com "token" +dns_maradns_rm() { + fulldomain="$1" + txtvalue="$2" + + MARA_ZONE_FILE="${MARA_ZONE_FILE:-$(_readaccountconf_mutable MARA_ZONE_FILE)}" + MARA_DUENDE_PID_PATH="${MARA_DUENDE_PID_PATH:-$(_readaccountconf_mutable MARA_DUENDE_PID_PATH)}" + + _check_zone_file "$MARA_ZONE_FILE" || return 1 + _check_duende_pid_path "$MARA_DUENDE_PID_PATH" || return 1 + + _saveaccountconf_mutable MARA_ZONE_FILE "$MARA_ZONE_FILE" + _saveaccountconf_mutable MARA_DUENDE_PID_PATH "$MARA_DUENDE_PID_PATH" + + _sed_i "/^$fulldomain.\+TXT '$txtvalue' ~/d" "$MARA_ZONE_FILE" + _reload_maradns "$MARA_DUENDE_PID_PATH" || return 1 +} + +_check_zone_file() { + zonefile="$1" + if [ -z "$zonefile" ]; then + _err "MARA_ZONE_FILE not passed!" + return 1 + elif [ ! -w "$zonefile" ]; then + _err "MARA_ZONE_FILE not writable: $zonefile" + return 1 + fi +} + +_check_duende_pid_path() { + pidpath="$1" + if [ -z "$pidpath" ]; then + _err "MARA_DUENDE_PID_PATH not passed!" + return 1 + fi + if [ ! -r "$pidpath" ]; then + _err "MARA_DUENDE_PID_PATH not readable: $pidpath" + return 1 + fi +} + +_reload_maradns() { + pidpath="$1" + kill -s HUP -- "$(cat "$pidpath")" + if [ $? -ne 0 ]; then + _err "Unable to reload MaraDNS, kill returned $?" + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_me.sh b/acme.sh-master/dnsapi/dns_me.sh new file mode 100644 index 0000000..4900740 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_me.sh @@ -0,0 +1,157 @@ +#!/usr/bin/env sh + +# bug reports to dev@1e.ca + +# ME_Key=qmlkdjflmkqdjf +# ME_Secret=qmsdlkqmlksdvnnpae + +ME_Api=https://api.dnsmadeeasy.com/V2.0/dns/managed + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_me_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$ME_Key" ] || [ -z "$ME_Secret" ]; then + ME_Key="" + ME_Secret="" + _err "You didn't specify DNSMadeEasy api key and secret yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf ME_Key "$ME_Key" + _saveaccountconf ME_Secret "$ME_Secret" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _me_rest GET "${_domain_id}/records?recordName=$_sub_domain&type=TXT" + + if ! _contains "$response" "\"totalRecords\":"; then + _err "Error" + return 1 + fi + + _info "Adding record" + if _me_rest POST "$_domain_id/records/" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\",\"gtdLocation\":\"DEFAULT\",\"ttl\":120}"; then + if printf -- "%s" "$response" | grep \"id\": >/dev/null; then + _info "Added" + #todo: check if the record takes effect + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + +} + +#fulldomain +dns_me_rm() { + fulldomain=$1 + txtvalue=$2 + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _me_rest GET "${_domain_id}/records?recordName=$_sub_domain&type=TXT" + + count=$(printf "%s\n" "$response" | _egrep_o "\"totalRecords\":[^,]*" | cut -d : -f 2) + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + record_id=$(printf "%s\n" "$response" | _egrep_o ",\"value\":\"..$txtvalue..\",\"id\":[^,]*" | cut -d : -f 3 | head -n 1) + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _me_rest DELETE "$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _contains "$response" '' + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _me_rest GET "name?domainname=$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id=$(printf "%s\n" "$response" | sed 's/^{//; s/}$//; s/{.*}//' | sed -r 's/^.*"id":([0-9]+).*$/\1/') + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_me_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + cdate=$(LANG=C date -u +"%a, %d %b %Y %T %Z") + hmac=$(printf "%s" "$cdate" | _hmac sha1 "$(printf "%s" "$ME_Secret" | _hex_dump | tr -d " ")" hex) + + export _H1="x-dnsme-apiKey: $ME_Key" + export _H2="x-dnsme-requestDate: $cdate" + export _H3="x-dnsme-hmac: $hmac" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$ME_Api/$ep" "" "$m")" + else + response="$(_get "$ME_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_miab.sh b/acme.sh-master/dnsapi/dns_miab.sh new file mode 100644 index 0000000..dad69bd --- /dev/null +++ b/acme.sh-master/dnsapi/dns_miab.sh @@ -0,0 +1,211 @@ +#!/usr/bin/env sh + +# Name: dns_miab.sh +# +# Authors: +# Darven Dissek 2018 +# William Gertz 2019 +# +# Thanks to Neil Pang and other developers here for code reused from acme.sh from DNS-01 +# used to communicate with the MailinaBox Custom DNS API +# Report Bugs here: +# https://github.com/billgertz/MIAB_dns_api (for dns_miab.sh) +# https://github.com/acmesh-official/acme.sh (for acme.sh) +# +######## Public functions ##################### + +#Usage: dns_miab_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_miab_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using miab challange add" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + #retrieve MIAB environemt vars + if ! _retrieve_miab_env; then + return 1 + fi + + #check domain and seperate into doamin and host + if ! _get_root "$fulldomain"; then + _err "Cannot find any part of ${fulldomain} is hosted on ${MIAB_Server}" + return 1 + fi + + _debug2 _sub_domain "$_sub_domain" + _debug2 _domain "$_domain" + + #add the challenge record + _api_path="custom/${fulldomain}/txt" + _miab_rest "$txtvalue" "$_api_path" "POST" + + #check if result was good + if _contains "$response" "updated DNS"; then + _info "Successfully created the txt record" + return 0 + else + _err "Error encountered during record add" + _err "$response" + return 1 + fi +} + +#Usage: dns_miab_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_miab_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Using miab challage delete" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + #retrieve MIAB environemt vars + if ! _retrieve_miab_env; then + return 1 + fi + + #check domain and seperate into doamin and host + if ! _get_root "$fulldomain"; then + _err "Cannot find any part of ${fulldomain} is hosted on ${MIAB_Server}" + return 1 + fi + + _debug2 _sub_domain "$_sub_domain" + _debug2 _domain "$_domain" + + #Remove the challenge record + _api_path="custom/${fulldomain}/txt" + _miab_rest "$txtvalue" "$_api_path" "DELETE" + + #check if result was good + if _contains "$response" "updated DNS"; then + _info "Successfully removed the txt record" + return 0 + else + _err "Error encountered during record remove" + _err "$response" + return 1 + fi +} + +#################### Private functions below ################################## +# +#Usage: _get_root _acme-challenge.www.domain.com +#Returns: +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + _passed_domain=$1 + _debug _passed_domain "$_passed_domain" + _i=2 + _p=1 + + #get the zones hosed on MIAB server, must be a json stream + _miab_rest "" "zones" "GET" + + if ! _is_json "$response"; then + _err "ERROR fetching domain list" + _err "$response" + return 1 + fi + + #cycle through the passed domain seperating out a test domain discarding + # the subdomain by marching thorugh the dots + while true; do + _test_domain=$(printf "%s" "$_passed_domain" | cut -d . -f ${_i}-100) + _debug _test_domain "$_test_domain" + + if [ -z "$_test_domain" ]; then + return 1 + fi + + #report found if the test domain is in the json response and + # report the subdomain + if _contains "$response" "\"$_test_domain\""; then + _sub_domain=$(printf "%s" "$_passed_domain" | cut -d . -f 1-${_p}) + _domain=${_test_domain} + return 0 + fi + + #cycle to the next dot in the passed domain + _p=${_i} + _i=$(_math "$_i" + 1) + done + + return 1 +} + +#Usage: _retrieve_miab_env +#Returns (from store or environment variables): +# MIAB_Username +# MIAB_Password +# MIAB_Server +#retrieve MIAB environment variables, report errors and quit if problems +_retrieve_miab_env() { + MIAB_Username="${MIAB_Username:-$(_readaccountconf_mutable MIAB_Username)}" + MIAB_Password="${MIAB_Password:-$(_readaccountconf_mutable MIAB_Password)}" + MIAB_Server="${MIAB_Server:-$(_readaccountconf_mutable MIAB_Server)}" + + #debug log the environmental variables + _debug MIAB_Username "$MIAB_Username" + _debug MIAB_Password "$MIAB_Password" + _debug MIAB_Server "$MIAB_Server" + + #check if MIAB environemt vars set and quit if not + if [ -z "$MIAB_Username" ] || [ -z "$MIAB_Password" ] || [ -z "$MIAB_Server" ]; then + _err "You didn't specify one or more of MIAB_Username, MIAB_Password or MIAB_Server." + _err "Please check these environment variables and try again." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable MIAB_Username "$MIAB_Username" + _saveaccountconf_mutable MIAB_Password "$MIAB_Password" + _saveaccountconf_mutable MIAB_Server "$MIAB_Server" + return 0 +} + +#Useage: _miab_rest "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" "custom/_acme-challenge.www.domain.com/txt "POST" +#Returns: "updated DNS: domain.com" +#rest interface MIAB dns +_miab_rest() { + _data="$1" + _api_path="$2" + _httpmethod="$3" + + #encode username and password for basic authentication + _credentials="$(printf "%s" "$MIAB_Username:$MIAB_Password" | _base64)" + export _H1="Authorization: Basic $_credentials" + _url="https://${MIAB_Server}/admin/dns/${_api_path}" + + _debug2 _data "$_data" + _debug _api_path "$_api_path" + _debug2 _url "$_url" + _debug2 _credentails "$_credentials" + _debug _httpmethod "$_httpmethod" + + if [ "$_httpmethod" = "GET" ]; then + response="$(_get "$_url")" + else + response="$(_post "$_data" "$_url" "" "$_httpmethod")" + fi + + _retcode="$?" + + if [ "$_retcode" != "0" ]; then + _err "MIAB REST authentication failed on $_httpmethod" + return 1 + fi + + _debug response "$response" + return 0 +} + +#Usage: _is_json "\[\n "mydomain.com"\n]" +#Reurns "\[\n "mydomain.com"\n]" +#returns the string if it begins and ends with square braces +_is_json() { + _str="$(echo "$1" | _normalizeJson)" + echo "$_str" | grep '^\[.*\]$' >/dev/null 2>&1 +} diff --git a/acme.sh-master/dnsapi/dns_misaka.sh b/acme.sh-master/dnsapi/dns_misaka.sh new file mode 100644 index 0000000..36ba5cf --- /dev/null +++ b/acme.sh-master/dnsapi/dns_misaka.sh @@ -0,0 +1,159 @@ +#!/usr/bin/env sh + +# bug reports to support+acmesh@misaka.io +# based on dns_nsone.sh by dev@1e.ca + +# +#Misaka_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# + +Misaka_Api="https://dnsapi.misaka.io/dns" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_misaka_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$Misaka_Key" ]; then + Misaka_Key="" + _err "You didn't specify misaka.io dns api key yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf Misaka_Key "$Misaka_Key" + + _debug "checking root zone [$fulldomain]" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _misaka_rest GET "zones/${_domain}/recordsets?search=${_sub_domain}" + + if ! _contains "$response" "\"results\":"; then + _err "Error" + return 1 + fi + + count=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$_sub_domain\",[^{]*\"type\":\"TXT\"" | wc -l | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Adding record" + + if _misaka_rest POST "zones/${_domain}/recordsets/${_sub_domain}/TXT" "{\"records\":[{\"value\":\"\\\"$txtvalue\\\"\"}],\"filters\":[],\"ttl\":1}"; then + _debug response "$response" + if _contains "$response" "$_sub_domain"; then + _info "Added" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + else + _info "Updating record" + + _misaka_rest PUT "zones/${_domain}/recordsets/${_sub_domain}/TXT?append=true" "{\"records\": [{\"value\": \"\\\"$txtvalue\\\"\"}],\"ttl\":1}" + if [ "$?" = "0" ] && _contains "$response" "$_sub_domain"; then + _info "Updated!" + #todo: check if the record takes effect + return 0 + fi + _err "Update error" + return 1 + fi + +} + +#fulldomain +dns_misaka_rm() { + fulldomain=$1 + txtvalue=$2 + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _misaka_rest GET "zones/${_domain}/recordsets?search=${_sub_domain}" + + count=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$_sub_domain\",[^{]*\"type\":\"TXT\"" | wc -l | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + if ! _misaka_rest DELETE "zones/${_domain}/recordsets/${_sub_domain}/TXT"; then + _err "Delete record error." + return 1 + fi + _contains "$response" "" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + if ! _misaka_rest GET "zones?limit=1000"; then + return 1 + fi + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_misaka_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Content-Type: application/json" + export _H2="User-Agent: acme.sh/$VER misaka-dns-acmesh/20191213" + export _H3="Authorization: Token $Misaka_Key" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$Misaka_Api/$ep" "" "$m")" + else + response="$(_get "$Misaka_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_myapi.sh b/acme.sh-master/dnsapi/dns_myapi.sh new file mode 100644 index 0000000..7f3c5a8 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_myapi.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env sh + +#Here is a sample custom api script. +#This file name is "dns_myapi.sh" +#So, here must be a method dns_myapi_add() +#Which will be called by acme.sh to add the txt record to your api system. +#returns 0 means success, otherwise error. +# +#Author: Neilpang +#Report Bugs here: https://github.com/acmesh-official/acme.sh +# +######## Public functions ##################### + +# Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_myapi_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using myapi" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _err "Not implemented!" + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_myapi_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using myapi" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" +} + +#################### Private functions below ################################## diff --git a/acme.sh-master/dnsapi/dns_mydevil.sh b/acme.sh-master/dnsapi/dns_mydevil.sh new file mode 100644 index 0000000..953290a --- /dev/null +++ b/acme.sh-master/dnsapi/dns_mydevil.sh @@ -0,0 +1,99 @@ +#!/usr/bin/env sh + +# MyDevil.net API (2019-02-03) +# +# MyDevil.net already supports automatic Let's Encrypt certificates, +# except for wildcard domains. +# +# This script depends on `devil` command that MyDevil.net provides, +# which means that it works only on server side. +# +# Author: Marcin Konicki +# +######## Public functions ##################### + +#Usage: dns_mydevil_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_mydevil_add() { + fulldomain=$1 + txtvalue=$2 + domain="" + + if ! _exists "devil"; then + _err "Could not find 'devil' command." + return 1 + fi + + _info "Using mydevil" + + domain=$(mydevil_get_domain "$fulldomain") + if [ -z "$domain" ]; then + _err "Invalid domain name: could not find root domain of $fulldomain." + return 1 + fi + + # No need to check if record name exists, `devil` always adds new record. + # In worst case scenario, we end up with multiple identical records. + + _info "Adding $fulldomain record for domain $domain" + if devil dns add "$domain" "$fulldomain" TXT "$txtvalue"; then + _info "Successfully added TXT record, ready for validation." + return 0 + else + _err "Unable to add DNS record." + return 1 + fi +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_mydevil_rm() { + fulldomain=$1 + txtvalue=$2 + domain="" + + if ! _exists "devil"; then + _err "Could not find 'devil' command." + return 1 + fi + + _info "Using mydevil" + + domain=$(mydevil_get_domain "$fulldomain") + if [ -z "$domain" ]; then + _err "Invalid domain name: could not find root domain of $fulldomain." + return 1 + fi + + # catch one or more numbers + num='[0-9][0-9]*' + # catch one or more whitespace + w=$(printf '[\t ][\t ]*') + # catch anything, except newline + any='.*' + # filter to make sure we do not delete other records + validRecords="^${num}${w}${fulldomain}${w}TXT${w}${any}${txtvalue}$" + for id in $(devil dns list "$domain" | tail -n+2 | grep "${validRecords}" | cut -w -s -f 1); do + _info "Removing record $id from domain $domain" + echo "y" | devil dns del "$domain" "$id" || _err "Could not remove DNS record." + done +} + +#################### Private functions below ################################## + +# Usage: domain=$(mydevil_get_domain "_acme-challenge.www.domain.com" || _err "Invalid domain name") +# echo $domain +mydevil_get_domain() { + fulldomain=$1 + domain="" + + for domain in $(devil dns list | cut -w -s -f 1 | tail -n+2); do + _debug "Checking domain: $domain" + if _endswith "$fulldomain" "$domain"; then + _debug "Fulldomain '$fulldomain' matches '$domain'" + printf -- "%s" "$domain" + return 0 + fi + done + + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_mydnsjp.sh b/acme.sh-master/dnsapi/dns_mydnsjp.sh new file mode 100644 index 0000000..13866f7 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_mydnsjp.sh @@ -0,0 +1,196 @@ +#!/usr/bin/env sh + +#Here is a api script for MyDNS.JP. +#This file name is "dns_mydnsjp.sh" +#So, here must be a method dns_mydnsjp_add() +#Which will be called by acme.sh to add the txt record to your api system. +#returns 0 means success, otherwise error. +# +#Author: epgdatacapbon +#Report Bugs here: https://github.com/epgdatacapbon/acme.sh +# +######## Public functions ##################### + +# Export MyDNS.JP MasterID and Password in following variables... +# MYDNSJP_MasterID=MasterID +# MYDNSJP_Password=Password + +MYDNSJP_API="https://www.mydns.jp" + +#Usage: dns_mydnsjp_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_mydnsjp_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Using mydnsjp" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + # Load the credentials from the account conf file + MYDNSJP_MasterID="${MYDNSJP_MasterID:-$(_readaccountconf_mutable MYDNSJP_MasterID)}" + MYDNSJP_Password="${MYDNSJP_Password:-$(_readaccountconf_mutable MYDNSJP_Password)}" + if [ -z "$MYDNSJP_MasterID" ] || [ -z "$MYDNSJP_Password" ]; then + MYDNSJP_MasterID="" + MYDNSJP_Password="" + _err "You don't specify mydnsjp api MasterID and Password yet." + _err "Please export as MYDNSJP_MasterID / MYDNSJP_Password and try again." + return 1 + fi + + # Save the credentials to the account conf file + _saveaccountconf_mutable MYDNSJP_MasterID "$MYDNSJP_MasterID" + _saveaccountconf_mutable MYDNSJP_Password "$MYDNSJP_Password" + + _debug "First detect the root zone." + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if _mydnsjp_api "REGIST" "$_domain" "$txtvalue"; then + if printf -- "%s" "$response" | grep "OK." >/dev/null; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + + return 1 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_mydnsjp_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Removing TXT record" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + # Load the credentials from the account conf file + MYDNSJP_MasterID="${MYDNSJP_MasterID:-$(_readaccountconf_mutable MYDNSJP_MasterID)}" + MYDNSJP_Password="${MYDNSJP_Password:-$(_readaccountconf_mutable MYDNSJP_Password)}" + if [ -z "$MYDNSJP_MasterID" ] || [ -z "$MYDNSJP_Password" ]; then + MYDNSJP_MasterID="" + MYDNSJP_Password="" + _err "You don't specify mydnsjp api MasterID and Password yet." + _err "Please export as MYDNSJP_MasterID / MYDNSJP_Password and try again." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if _mydnsjp_api "DELETE" "$_domain" "$txtvalue"; then + if printf -- "%s" "$response" | grep "OK." >/dev/null; then + _info "Deleted, OK" + return 0 + else + _err "Delete txt record error." + return 1 + fi + fi + _err "Delete txt record error." + + return 1 +} + +#################### Private functions below ################################## +# _acme-challenge.www.domain.com +# returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + fulldomain=$1 + i=2 + p=1 + + # Get the root domain + _mydnsjp_retrieve_domain + if [ "$?" != "0" ]; then + # not valid + return 1 + fi + + while true; do + _domain=$(printf "%s" "$fulldomain" | cut -d . -f $i-100) + + if [ -z "$_domain" ]; then + # not valid + return 1 + fi + + if [ "$_domain" = "$_root_domain" ]; then + _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-$p) + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +# Retrieve the root domain +# returns 0 success +_mydnsjp_retrieve_domain() { + _debug "Login to MyDNS.JP" + + response="$(_post "MENU=100&masterid=$MYDNSJP_MasterID&masterpwd=$MYDNSJP_Password" "$MYDNSJP_API/members/")" + cookie="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2)" + + # If cookies is not empty then logon successful + if [ -z "$cookie" ]; then + _err "Fail to get a cookie." + return 1 + fi + + _root_domain=$(echo "$response" | grep "DNSINFO\[domainname\]" | sed 's/^.*value="\([^"]*\)".*/\1/') + + _debug _root_domain "$_root_domain" + + if [ -z "$_root_domain" ]; then + _err "Fail to get the root domain." + return 1 + fi + + return 0 +} + +_mydnsjp_api() { + cmd=$1 + domain=$2 + txtvalue=$3 + + # Base64 encode the credentials + credentials=$(printf "%s:%s" "$MYDNSJP_MasterID" "$MYDNSJP_Password" | _base64) + + # Construct the HTTP Authorization header + export _H1="Content-Type: application/x-www-form-urlencoded" + export _H2="Authorization: Basic ${credentials}" + + response="$(_post "CERTBOT_DOMAIN=$domain&CERTBOT_VALIDATION=$txtvalue&EDIT_CMD=$cmd" "$MYDNSJP_API/directedit.html")" + + if [ "$?" != "0" ]; then + _err "error $domain" + return 1 + fi + + _debug2 response "$response" + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_mythic_beasts.sh b/acme.sh-master/dnsapi/dns_mythic_beasts.sh new file mode 100644 index 0000000..294ae84 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_mythic_beasts.sh @@ -0,0 +1,261 @@ +#!/usr/bin/env sh +# Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication +# To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com +# Cannot retest once cert is issued +# OAuth2 tokens only valid for 300 seconds so we do not store +# NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com) + +# Test OAuth2 credentials +#MB_AK="aaaaaaaaaaaaaaaa" +#MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" + +# URLs +MB_API='https://api.mythic-beasts.com/dns/v2/zones' +MB_AUTH='https://auth.mythic-beasts.com/login' + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_mythic_beasts_add() { + fulldomain=$1 + txtvalue=$2 + + _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue" + if ! _initAuth; then + return 1 + fi + + if ! _get_root "$fulldomain"; then + return 1 + fi + + # method path body_data + if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then + + if _contains "$response" "1 records added"; then + _info "Added, verifying..." + # Max 120 seconds to publish + for i in $(seq 1 6); do + # Retry on error + if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then + _sleep 20 + else + _info "Record published!" + return 0 + fi + done + + else + _err "\n$response" + fi + + fi + _err "Add txt record error." + return 1 +} + +#Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_mythic_beasts_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue" + if ! _initAuth; then + return 1 + fi + + if ! _get_root "$fulldomain"; then + return 1 + fi + + # method path body_data + if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then + _info "Record removed" + return 0 + fi + _err "Remove txt record error." + return 1 +} + +#################### Private functions below ################################## + +#Possible formats: +# _acme-challenge.www.example.com +# _acme-challenge.example.com +# _acme-challenge.example.co.uk +# _acme-challenge.www.example.co.uk +# _acme-challenge.sub1.sub2.www.example.co.uk +# sub1.sub2.example.co.uk +# example.com +# example.co.uk +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + + _debug "Detect the root zone" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + _err "Domain exhausted" + return 1 + fi + + # Use the status errors to find the domain, continue on 403 Access denied + # method path body_data + _mb_rest GET "$h/records" + ret="$?" + if [ "$ret" -eq 0 ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + return 0 + elif [ "$ret" -eq 1 ]; then + return 1 + fi + + p=$i + i=$(_math "$i" + 1) + + if [ "$i" -gt 50 ]; then + break + fi + done + _err "Domain too long" + return 1 +} + +_initAuth() { + MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}" + MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}" + + if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then + MB_AK="" + MB_AS="" + _err "Please specify an OAuth2 Key & Secret" + return 1 + fi + + _saveaccountconf_mutable MB_AK "$MB_AK" + _saveaccountconf_mutable MB_AS "$MB_AS" + + if ! _oauth2; then + return 1 + fi + + _info "Checking authentication" + _secure_debug access_token "$MB_TK" + _sleep 1 + + # GET a list of zones + # method path body_data + if ! _mb_rest GET ""; then + _err "The token is invalid" + return 1 + fi + _info "Token OK" + return 0 +} + +# Github appears to use an outbound proxy for requests which means subsequent requests may not have the same +# source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail +# authentication. This is a work around using an undocumented MB API to obtain a token not tied to an +# IP just for the github tests. +_oauth2() { + if [ "$GITHUB_ACTIONS" = "true" ]; then + _oauth2_github + else + _oauth2_std + fi + return $? +} + +_oauth2_std() { + # HTTP Basic Authentication + _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)" + _H2="Accepts: application/json" + export _H1 _H2 + body="grant_type=client_credentials" + + _info "Getting OAuth2 token..." + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")" + if _contains "$response" "\"token_type\":\"bearer\""; then + MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')" + if [ -z "$MB_TK" ]; then + _err "Unable to get access_token" + _err "\n$response" + return 1 + fi + else + _err "OAuth2 token_type not Bearer" + _err "\n$response" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_oauth2_github() { + _H1="Accepts: application/json" + export _H1 + body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}" + + _info "Getting Floating token..." + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")" + MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')" + if [ -z "$MB_TK" ]; then + _err "Unable to get token" + _err "\n$response" + return 1 + fi + _debug2 response "$response" + return 0 +} + +# method path body_data +_mb_rest() { + # URL encoded body for single API operations + m="$1" + ep="$2" + data="$3" + + if [ -z "$ep" ]; then + _mb_url="$MB_API" + else + _mb_url="$MB_API/$ep" + fi + + _H1="Authorization: Bearer $MB_TK" + _H2="Accepts: application/json" + export _H1 _H2 + if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then + # body url [needbase64] [POST|PUT|DELETE] [ContentType] + response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")" + else + response="$(_get "$_mb_url")" + fi + + if [ "$?" != "0" ]; then + _err "Request error" + return 1 + fi + + header="$(cat "$HTTP_HEADER")" + status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")" + code="$(echo "$status" | _egrep_o "^[0-9]*")" + if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then + _err "error $status" + _err "\n$response" + _debug "\n$header" + return 2 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_namecheap.sh b/acme.sh-master/dnsapi/dns_namecheap.sh new file mode 100644 index 0000000..a5f667a --- /dev/null +++ b/acme.sh-master/dnsapi/dns_namecheap.sh @@ -0,0 +1,411 @@ +#!/usr/bin/env sh + +# Namecheap API +# https://www.namecheap.com/support/api/intro.aspx +# +# Requires Namecheap API key set in +#NAMECHEAP_API_KEY, +#NAMECHEAP_USERNAME, +#NAMECHEAP_SOURCEIP +# Due to Namecheap's API limitation all the records of your domain will be read and re applied, make sure to have a backup of your records you could apply if any issue would arise. + +######## Public functions ##################### + +NAMECHEAP_API="https://api.namecheap.com/xml.response" + +#Usage: dns_namecheap_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_namecheap_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _namecheap_check_config; then + _err "$error" + return 1 + fi + + if ! _namecheap_set_publicip; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _debug domain "$_domain" + _debug sub_domain "$_sub_domain" + + _set_namecheap_TXT "$_domain" "$_sub_domain" "$txtvalue" +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_namecheap_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _namecheap_set_publicip; then + return 1 + fi + + if ! _namecheap_check_config; then + _err "$error" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _debug domain "$_domain" + _debug sub_domain "$_sub_domain" + + _del_namecheap_TXT "$_domain" "$_sub_domain" "$txtvalue" +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + fulldomain=$1 + + if ! _get_root_by_getList "$fulldomain"; then + _debug "Failed domain lookup via domains.getList api call. Trying domain lookup via domains.dns.getHosts api." + # The above "getList" api will only return hosts *owned* by the calling user. However, if the calling + # user is not the owner, but still has administrative rights, we must query the getHosts api directly. + # See this comment and the official namecheap response: https://disq.us/p/1q6v9x9 + if ! _get_root_by_getHosts "$fulldomain"; then + return 1 + fi + fi + + return 0 +} + +_get_root_by_getList() { + domain=$1 + + if ! _namecheap_post "namecheap.domains.getList"; then + _err "$error" + return 1 + fi + + i=2 + p=1 + + while true; do + + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + if ! _contains "$h" "\\."; then + #not valid + return 1 + fi + + if ! _contains "$response" "$h"; then + _debug "$h not found" + else + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_get_root_by_getHosts() { + i=100 + p=99 + + while [ $p -ne 0 ]; do + + h=$(printf "%s" "$1" | cut -d . -f $i-100) + if [ -n "$h" ]; then + if _contains "$h" "\\."; then + _debug h "$h" + if _namecheap_set_tld_sld "$h"; then + _sub_domain=$(printf "%s" "$1" | cut -d . -f 1-$p) + _domain="$h" + return 0 + else + _debug "$h not found" + fi + fi + fi + i="$p" + p=$(_math "$p" - 1) + done + return 1 +} + +_namecheap_set_publicip() { + + if [ -z "$NAMECHEAP_SOURCEIP" ]; then + _err "No Source IP specified for Namecheap API." + _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP" + return 1 + else + _saveaccountconf NAMECHEAP_SOURCEIP "$NAMECHEAP_SOURCEIP" + _debug sourceip "$NAMECHEAP_SOURCEIP" + + ip=$(echo "$NAMECHEAP_SOURCEIP" | _egrep_o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + addr=$(echo "$NAMECHEAP_SOURCEIP" | _egrep_o '(http|https):\/\/.*') + + _debug2 ip "$ip" + _debug2 addr "$addr" + + if [ -n "$ip" ]; then + _publicip="$ip" + elif [ -n "$addr" ]; then + _publicip=$(_get "$addr") + else + _err "No Source IP specified for Namecheap API." + _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP" + return 1 + fi + fi + + _debug publicip "$_publicip" + + return 0 +} + +_namecheap_post() { + command=$1 + data="ApiUser=${NAMECHEAP_USERNAME}&ApiKey=${NAMECHEAP_API_KEY}&ClientIp=${_publicip}&UserName=${NAMECHEAP_USERNAME}&Command=${command}" + _debug2 "_namecheap_post data" "$data" + response="$(_post "$data" "$NAMECHEAP_API" "" "POST")" + _debug2 response "$response" + + if _contains "$response" "Status=\"ERROR\"" >/dev/null; then + error=$(echo "$response" | _egrep_o ">.*<\\/Error>" | cut -d '<' -f 1 | tr -d '>') + _err "error $error" + return 1 + fi + + return 0 +} + +_namecheap_parse_host() { + _host=$1 + _debug _host "$_host" + + _hostid=$(echo "$_host" | _egrep_o ' HostId="[^"]*' | cut -d '"' -f 2) + _hostname=$(echo "$_host" | _egrep_o ' Name="[^"]*' | cut -d '"' -f 2) + _hosttype=$(echo "$_host" | _egrep_o ' Type="[^"]*' | cut -d '"' -f 2) + _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2 | _xml_decode) + _hostmxpref=$(echo "$_host" | _egrep_o ' MXPref="[^"]*' | cut -d '"' -f 2) + _hostttl=$(echo "$_host" | _egrep_o ' TTL="[^"]*' | cut -d '"' -f 2) + + _debug hostid "$_hostid" + _debug hostname "$_hostname" + _debug hosttype "$_hosttype" + _debug hostaddress "$_hostaddress" + _debug hostmxpref "$_hostmxpref" + _debug hostttl "$_hostttl" +} + +_namecheap_check_config() { + + if [ -z "$NAMECHEAP_API_KEY" ]; then + _err "No API key specified for Namecheap API." + _err "Create your key and export it as NAMECHEAP_API_KEY" + return 1 + fi + + if [ -z "$NAMECHEAP_USERNAME" ]; then + _err "No username key specified for Namecheap API." + _err "Create your key and export it as NAMECHEAP_USERNAME" + return 1 + fi + + _saveaccountconf NAMECHEAP_API_KEY "$NAMECHEAP_API_KEY" + _saveaccountconf NAMECHEAP_USERNAME "$NAMECHEAP_USERNAME" + + return 0 +} + +_set_namecheap_TXT() { + subdomain=$2 + txt=$3 + + if ! _namecheap_set_tld_sld "$1"; then + return 1 + fi + + request="namecheap.domains.dns.getHosts&SLD=${_sld}&TLD=${_tld}" + + if ! _namecheap_post "$request"; then + _err "$error" + return 1 + fi + + hosts=$(echo "$response" | _egrep_o ']*') + _debug hosts "$hosts" + + if [ -z "$hosts" ]; then + _err "Hosts not found" + return 1 + fi + + _namecheap_reset_hostList + + while read -r host; do + if _contains "$host" "]*') + _debug hosts "$hosts" + + if [ -z "$hosts" ]; then + _err "Hosts not found" + return 1 + fi + + _namecheap_reset_hostList + + found=0 + + while read -r host; do + if _contains "$host" "300") + if [ "$retcode" ]; then + _info "Successfully added TXT record, ready for validation." + return 0 + else + _err "Unable to add the DNS record." + return 1 + fi + fi +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_namesilo_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _get_root "$fulldomain"; then + _err "Unable to find domain specified." + return 1 + fi + + # Get the record id. + if _namesilo_rest GET "dnsListRecords?version=1&type=xml&key=$Namesilo_Key&domain=$_domain"; then + retcode=$(printf "%s\n" "$response" | _egrep_o "300") + if [ "$retcode" ]; then + _record_id=$(echo "$response" | _egrep_o "([^<]*)TXT$fulldomain" | _egrep_o "([^<]*)" | sed -r "s/([^<]*)<\/record_id>/\1/" | tail -n 1) + _debug _record_id "$_record_id" + if [ "$_record_id" ]; then + _info "Successfully retrieved the record id for ACME challenge." + else + _info "Empty record id, it seems no such record." + return 0 + fi + else + _err "Unable to retrieve the record id." + return 1 + fi + fi + + # Remove the DNS record using record id. + if _namesilo_rest GET "dnsDeleteRecord?version=1&type=xml&key=$Namesilo_Key&domain=$_domain&rrid=$_record_id"; then + retcode=$(printf "%s\n" "$response" | _egrep_o "300") + if [ "$retcode" ]; then + _info "Successfully removed the TXT record." + return 0 + else + _err "Unable to remove the DNS record." + return 1 + fi + fi +} + +#################### Private functions below ################################## + +# _acme-challenge.www.domain.com +# returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + + if ! _namesilo_rest GET "listDomains?version=1&type=xml&key=$Namesilo_Key"; then + return 1 + fi + + # Need to exclude the last field (tld) + numfields=$(echo "$domain" | _egrep_o "\." | wc -l) + while [ $i -le "$numfields" ]; do + host=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug host "$host" + if [ -z "$host" ]; then + return 1 + fi + + if _contains "$response" ">$host"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$host" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_namesilo_rest() { + method=$1 + param=$2 + data=$3 + + if [ "$method" != "GET" ]; then + response="$(_post "$data" "$Namesilo_API/$param" "" "$method")" + else + response="$(_get "$Namesilo_API/$param")" + fi + + if [ "$?" != "0" ]; then + _err "error $param" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_nanelo.sh b/acme.sh-master/dnsapi/dns_nanelo.sh new file mode 100644 index 0000000..8ccc8c2 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nanelo.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# Official DNS API for Nanelo.com + +# Provide the required API Key like this: +# NANELO_TOKEN="FmD408PdqT1E269gUK57" + +NANELO_API="https://api.nanelo.com/v1/" + +######## Public functions ##################### + +# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nanelo_add() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Adding TXT record to ${fulldomain}" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not create resource record, please check the logs" + _err "${response}" + return 1 +} + +dns_nanelo_rm() { + fulldomain=$1 + txtvalue=$2 + + NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}" + if [ -z "$NANELO_TOKEN" ]; then + NANELO_TOKEN="" + _err "You didn't configure a Nanelo API Key yet." + _err "Please set NANELO_TOKEN and try again." + _err "Login to Nanelo.com and go to Settings > API Keys to get a Key" + return 1 + fi + _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN" + + _info "Deleting resource record $fulldomain" + response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")" + if _contains "${response}" 'success'; then + return 0 + fi + _err "Could not delete resource record, please check the logs" + _err "${response}" + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_nederhost.sh b/acme.sh-master/dnsapi/dns_nederhost.sh new file mode 100644 index 0000000..abaae42 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nederhost.sh @@ -0,0 +1,127 @@ +#!/usr/bin/env sh + +#NederHost_Key="sdfgikogfdfghjklkjhgfcdcfghj" + +NederHost_Api="https://api.nederhost.nl/dns/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nederhost_add() { + fulldomain=$1 + txtvalue=$2 + + NederHost_Key="${NederHost_Key:-$(_readaccountconf_mutable NederHost_Key)}" + if [ -z "$NederHost_Key" ]; then + NederHost_Key="" + _err "You didn't specify a NederHost api key." + _err "You can get yours from https://www.nederhost.nl/mijn_nederhost" + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable NederHost_Key "$NederHost_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _nederhost_rest PATCH "zones/$_domain/records/$fulldomain/TXT" "[{\"content\":\"$txtvalue\",\"ttl\":60}]"; then + if _contains "$response" "$fulldomain"; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_nederhost_rm() { + fulldomain=$1 + txtvalue=$2 + + NederHost_Key="${NederHost_Key:-$(_readaccountconf_mutable NederHost_Key)}" + if [ -z "$NederHost_Key" ]; then + NederHost_Key="" + _err "You didn't specify a NederHost api key." + _err "You can get yours from https://www.nederhost.nl/mijn_nederhost" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Removing txt record" + _nederhost_rest DELETE "zones/${_domain}/records/$fulldomain/TXT?content=$txtvalue" + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + _domain=$(printf "%s" "$domain" | cut -d . -f $i-100) + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _debug _domain "$_domain" + if [ -z "$_domain" ]; then + #not valid + return 1 + fi + + if _nederhost_rest GET "zones/${_domain}"; then + if [ "${_code}" = "204" ]; then + return 0 + fi + else + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_nederhost_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Authorization: Bearer $NederHost_Key" + export _H2="Content-Type: application/json" + + _debug data "$data" + response="$(_post "$data" "$NederHost_Api/$ep" "" "$m")" + + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_neodigit.sh b/acme.sh-master/dnsapi/dns_neodigit.sh new file mode 100644 index 0000000..64ea878 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_neodigit.sh @@ -0,0 +1,181 @@ +#!/usr/bin/env sh + +# +# NEODIGIT_API_TOKEN="jasdfhklsjadhflnhsausdfas" + +# This is Neodigit.net api wrapper for acme.sh +# +# Author: Adrian Almenar +# Report Bugs here: https://github.com/tecnocratica/acme.sh +# +NEODIGIT_API_URL="https://api.neodigit.net/v1" +# +######## Public functions ##################### + +# Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_neodigit_add() { + fulldomain=$1 + txtvalue=$2 + + NEODIGIT_API_TOKEN="${NEODIGIT_API_TOKEN:-$(_readaccountconf_mutable NEODIGIT_API_TOKEN)}" + if [ -z "$NEODIGIT_API_TOKEN" ]; then + NEODIGIT_API_TOKEN="" + _err "You haven't specified a Token api key." + _err "Please create the key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable NEODIGIT_API_TOKEN "$NEODIGIT_API_TOKEN" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _debug domain "$_domain" + _debug sub_domain "$_sub_domain" + + _debug "Getting txt records" + _neo_rest GET "dns/zones/${_domain_id}/records?type=TXT&name=$fulldomain" + + _debug _code "$_code" + + if [ "$_code" != "200" ]; then + _err "error retrieving data!" + return 1 + fi + + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + _debug domain "$_domain" + _debug sub_domain "$_sub_domain" + + _info "Adding record" + if _neo_rest POST "dns/zones/$_domain_id/records" "{\"record\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":60}}"; then + if printf -- "%s" "$response" | grep "$_sub_domain" >/dev/null; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_neodigit_rm() { + fulldomain=$1 + txtvalue=$2 + + NEODIGIT_API_TOKEN="${NEODIGIT_API_TOKEN:-$(_readaccountconf_mutable NEODIGIT_API_TOKEN)}" + if [ -z "$NEODIGIT_API_TOKEN" ]; then + NEODIGIT_API_TOKEN="" + _err "You haven't specified a Token api key." + _err "Please create the key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable NEODIGIT_API_TOKEN "$NEODIGIT_API_TOKEN" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _neo_rest GET "dns/zones/${_domain_id}/records?type=TXT&name=$fulldomain&content=$txtvalue" + + if [ "$_code" != "200" ]; then + _err "error retrieving data!" + return 1 + fi + + record_id=$(echo "$response" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d: -f2 | cut -d, -f1) + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _neo_rest DELETE "dns/zones/$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=dasfdsafsadg5ythd +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _neo_rest GET "dns/zones?name=$h"; then + return 1 + fi + + _debug p "$p" + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _domain_id=$(echo "$response" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d: -f2 | cut -d, -f1) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_neo_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="X-TCPanel-Token: $NEODIGIT_API_TOKEN" + export _H2="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$NEODIGIT_API_URL/$ep" "" "$m")" + else + response="$(_get "$NEODIGIT_API_URL/$ep")" + fi + + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_netcup.sh b/acme.sh-master/dnsapi/dns_netcup.sh new file mode 100644 index 0000000..776fa02 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_netcup.sh @@ -0,0 +1,134 @@ +#!/usr/bin/env sh +#developed by linux-insideDE + +NC_Apikey="${NC_Apikey:-$(_readaccountconf_mutable NC_Apikey)}" +NC_Apipw="${NC_Apipw:-$(_readaccountconf_mutable NC_Apipw)}" +NC_CID="${NC_CID:-$(_readaccountconf_mutable NC_CID)}" +end="https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON" +client="" + +dns_netcup_add() { + _debug NC_Apikey "$NC_Apikey" + login + if [ "$NC_Apikey" = "" ] || [ "$NC_Apipw" = "" ] || [ "$NC_CID" = "" ]; then + _err "No Credentials given" + return 1 + fi + _saveaccountconf_mutable NC_Apikey "$NC_Apikey" + _saveaccountconf_mutable NC_Apipw "$NC_Apipw" + _saveaccountconf_mutable NC_CID "$NC_CID" + fulldomain=$1 + txtvalue=$2 + domain="" + exit=$(echo "$fulldomain" | tr -dc '.' | wc -c) + exit=$(_math "$exit" + 1) + i=$exit + + while + [ "$exit" -gt 0 ] + do + tmp=$(echo "$fulldomain" | cut -d'.' -f"$exit") + if [ "$(_math "$i" - "$exit")" -eq 0 ]; then + domain="$tmp" + else + domain="$tmp.$domain" + fi + if [ "$(_math "$i" - "$exit")" -ge 1 ]; then + msg=$(_post "{\"action\": \"updateDnsRecords\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\",\"clientrequestid\": \"$client\" , \"domainname\": \"$domain\", \"dnsrecordset\": { \"dnsrecords\": [ {\"id\": \"\", \"hostname\": \"$fulldomain.\", \"type\": \"TXT\", \"priority\": \"\", \"destination\": \"$txtvalue\", \"deleterecord\": \"false\", \"state\": \"yes\"} ]}}}" "$end" "" "POST") + _debug "$msg" + if [ "$(_getfield "$msg" "5" | sed 's/"statuscode"://g')" != 5028 ]; then + if [ "$(_getfield "$msg" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then + _err "$msg" + return 1 + else + break + fi + fi + fi + exit=$(_math "$exit" - 1) + done + logout +} + +dns_netcup_rm() { + login + fulldomain=$1 + txtvalue=$2 + + domain="" + exit=$(echo "$fulldomain" | tr -dc '.' | wc -c) + exit=$(_math "$exit" + 1) + i=$exit + rec="" + + while + [ "$exit" -gt 0 ] + do + tmp=$(echo "$fulldomain" | cut -d'.' -f"$exit") + if [ "$(_math "$i" - "$exit")" -eq 0 ]; then + domain="$tmp" + else + domain="$tmp.$domain" + fi + if [ "$(_math "$i" - "$exit")" -ge 1 ]; then + msg=$(_post "{\"action\": \"infoDnsRecords\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\", \"domainname\": \"$domain\"}}" "$end" "" "POST") + rec=$(echo "$msg" | sed 's/\[//g' | sed 's/\]//g' | sed 's/{\"serverrequestid\".*\"dnsrecords\"://g' | sed 's/},{/};{/g' | sed 's/{//g' | sed 's/}//g') + _debug "$msg" + if [ "$(_getfield "$msg" "5" | sed 's/"statuscode"://g')" != 5028 ]; then + if [ "$(_getfield "$msg" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then + _err "$msg" + return 1 + else + break + fi + fi + fi + exit=$(_math "$exit" - 1) + done + + ida=0000 + idv=0001 + ids=0000000000 + i=1 + while + [ "$i" -ne 0 ] + do + specrec=$(_getfield "$rec" "$i" ";") + idv="$ida" + ida=$(_getfield "$specrec" "1" "," | sed 's/\"id\":\"//g' | sed 's/\"//g') + txtv=$(_getfield "$specrec" "5" "," | sed 's/\"destination\":\"//g' | sed 's/\"//g') + i=$(_math "$i" + 1) + if [ "$txtvalue" = "$txtv" ]; then + i=0 + ids="$ida" + fi + if [ "$ida" = "$idv" ]; then + i=0 + fi + done + msg=$(_post "{\"action\": \"updateDnsRecords\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\",\"clientrequestid\": \"$client\" , \"domainname\": \"$domain\", \"dnsrecordset\": { \"dnsrecords\": [ {\"id\": \"$ids\", \"hostname\": \"$fulldomain.\", \"type\": \"TXT\", \"priority\": \"\", \"destination\": \"$txtvalue\", \"deleterecord\": \"TRUE\", \"state\": \"yes\"} ]}}}" "$end" "" "POST") + _debug "$msg" + if [ "$(_getfield "$msg" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then + _err "$msg" + return 1 + fi + logout +} + +login() { + tmp=$(_post "{\"action\": \"login\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apipassword\": \"$NC_Apipw\", \"customernumber\": \"$NC_CID\"}}" "$end" "" "POST") + sid=$(echo "$tmp" | tr '{}' '\n' | grep apisessionid | cut -d '"' -f 4) + _debug "$tmp" + if [ "$(_getfield "$tmp" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then + _err "$tmp" + return 1 + fi +} +logout() { + tmp=$(_post "{\"action\": \"logout\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\"}}" "$end" "" "POST") + _debug "$tmp" + if [ "$(_getfield "$tmp" "4" | sed s/\"status\":\"//g | sed s/\"//g)" != "success" ]; then + _err "$tmp" + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_netlify.sh b/acme.sh-master/dnsapi/dns_netlify.sh new file mode 100644 index 0000000..0e5dc32 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_netlify.sh @@ -0,0 +1,162 @@ +#!/usr/bin/env sh + +#NETLIFY_ACCESS_TOKEN="xxxx" + +NETLIFY_HOST="api.netlify.com/api/v1/" +NETLIFY_URL="https://$NETLIFY_HOST" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_netlify_add() { + fulldomain=$1 + txtvalue=$2 + + NETLIFY_ACCESS_TOKEN="${NETLIFY_ACCESS_TOKEN:-$(_readaccountconf_mutable NETLIFY_ACCESS_TOKEN)}" + + if [ -z "$NETLIFY_ACCESS_TOKEN" ]; then + NETLIFY_ACCESS_TOKEN="" + _err "Please specify your Netlify Access Token and try again." + return 1 + else + _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN" + fi + + _info "Using Netlify" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + dnsRecordURI="dns_zones/$_domain_id/dns_records" + + body="{\"type\":\"TXT\", \"hostname\":\"$_sub_domain\", \"value\":\"$txtvalue\", \"ttl\":\"10\"}" + + _netlify_rest POST "$dnsRecordURI" "$body" "$NETLIFY_ACCESS_TOKEN" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then + _info "validation value added" + return 0 + else + _err "error adding validation value ($_code)" + return 1 + fi + + _err "Not fully implemented!" + return 1 +} + +#Usage: dns_myapi_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Remove the txt record after validation. +dns_netlify_rm() { + _info "Using Netlify" + txtdomain="$1" + txt="$2" + _debug txtdomain "$txtdomain" + _debug txt "$txt" + + NETLIFY_ACCESS_TOKEN="${NETLIFY_ACCESS_TOKEN:-$(_readaccountconf_mutable NETLIFY_ACCESS_TOKEN)}" + + if ! _get_root "$txtdomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + dnsRecordURI="dns_zones/$_domain_id/dns_records" + + _netlify_rest GET "$dnsRecordURI" "" "$NETLIFY_ACCESS_TOKEN" + + _record_id=$(echo "$response" | _egrep_o "\"type\":\"TXT\",[^\}]*\"value\":\"$txt\"" | head -n 1 | _egrep_o "\"id\":\"[^\"\}]*\"" | cut -d : -f 2 | tr -d \") + _debug _record_id "$_record_id" + if [ "$_record_id" ]; then + _netlify_rest DELETE "$dnsRecordURI/$_record_id" "" "$NETLIFY_ACCESS_TOKEN" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + if [ "$_code" = "200" ] || [ "$_code" = '204' ]; then + _info "validation value removed" + return 0 + else + _err "error removing validation value ($_code)" + return 1 + fi + return 0 + fi + return 1 +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + accesstoken=$2 + i=1 + p=1 + + _netlify_rest GET "dns_zones" "" "$accesstoken" + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug2 "Checking domain: $h" + if [ -z "$h" ]; then + #not valid + _err "Invalid domain" + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _domain_id=$(echo "$response" | _egrep_o "\"[^\"]*\",\"name\":\"$h\"" | cut -d , -f 1 | tr -d \") + if [ "$_domain_id" ]; then + if [ "$i" = 1 ]; then + #create the record at the domain apex (@) if only the domain name was provided as --domain-alias + _sub_domain="@" + else + _sub_domain=$(echo "$domain" | cut -d . -f 1-$p) + fi + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_netlify_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + token_trimmed=$(echo "$NETLIFY_ACCESS_TOKEN" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $token_trimmed" + + : >"$HTTP_HEADER" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$NETLIFY_URL$ep" "" "$m")" + else + response="$(_get "$NETLIFY_URL$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_nic.sh b/acme.sh-master/dnsapi/dns_nic.sh new file mode 100644 index 0000000..56170f8 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nic.sh @@ -0,0 +1,205 @@ +#!/usr/bin/env sh + +# +#NIC_ClientID='0dc0xxxxxxxxxxxxxxxxxxxxxxxxce88' +#NIC_ClientSecret='3LTtxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxnuW8' +#NIC_Username="000000/NIC-D" +#NIC_Password="xxxxxxx" + +NIC_Api="https://api.nic.ru" + +dns_nic_add() { + fulldomain="${1}" + txtvalue="${2}" + + if ! _nic_get_authtoken save; then + _err "get NIC auth token failed" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _service "$_service" + + _info "Adding record" + if ! _nic_rest PUT "services/$_service/zones/$_domain/records" "$_sub_domainTXT$txtvalue"; then + _err "Add TXT record error" + return 1 + fi + + if ! _nic_rest POST "services/$_service/zones/$_domain/commit" ""; then + return 1 + fi + _info "Added, OK" +} + +dns_nic_rm() { + fulldomain="${1}" + txtvalue="${2}" + + if ! _nic_get_authtoken; then + _err "get NIC auth token failed" + return 1 + fi + + if ! _get_root "$fulldomain"; then + _err "Invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _service "$_service" + + if ! _nic_rest GET "services/$_service/zones/$_domain/records"; then + _err "Get records error" + return 1 + fi + + _domain_id=$(printf "%s" "$response" | grep "$_sub_domain" | grep -- "$txtvalue" | sed -r "s/.*"; then + error=$(printf "%s" "$response" | grep "error code" | sed -r "s/.*(.*)<\/error>/\1/g") + _err "Error: $error" + return 1 + fi + + if ! _contains "$response" "success"; then + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_njalla.sh b/acme.sh-master/dnsapi/dns_njalla.sh new file mode 100644 index 0000000..e924328 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_njalla.sh @@ -0,0 +1,168 @@ +#!/usr/bin/env sh + +# +#NJALLA_Token="sdfsdfsdfljlbjkljlkjsdfoiwje" + +NJALLA_Api="https://njal.la/api/1/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_njalla_add() { + fulldomain=$1 + txtvalue=$2 + + NJALLA_Token="${NJALLA_Token:-$(_readaccountconf_mutable NJALLA_Token)}" + + if [ "$NJALLA_Token" ]; then + _saveaccountconf_mutable NJALLA_Token "$NJALLA_Token" + else + NJALLA_Token="" + _err "You didn't specify a Njalla api token yet." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _njalla_rest "{\"method\":\"add-record\",\"params\":{\"domain\":\"$_domain\",\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}}"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_njalla_rm() { + fulldomain=$1 + txtvalue=$2 + + NJALLA_Token="${NJALLA_Token:-$(_readaccountconf_mutable NJALLA_Token)}" + + if [ "$NJALLA_Token" ]; then + _saveaccountconf_mutable NJALLA_Token "$NJALLA_Token" + else + NJALLA_Token="" + _err "You didn't specify a Njalla api token yet." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting records for domain" + if ! _njalla_rest "{\"method\":\"list-records\",\"params\":{\"domain\":\"${_domain}\"}}"; then + return 1 + fi + + if ! echo "$response" | tr -d " " | grep "\"id\":" >/dev/null; then + _err "Error: $response" + return 1 + fi + + records=$(echo "$response" | _egrep_o "\"records\":\s?\[(.*)\]\}" | _egrep_o "\[.*\]" | _egrep_o "\{[^\{\}]*\"id\":[^\{\}]*\}") + count=$(echo "$records" | wc -l) + _debug count "$count" + + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + echo "$records" | while read -r record; do + record_name=$(echo "$record" | _egrep_o "\"name\":\s?\"[^\"]*\"" | cut -d : -f 2 | tr -d " " | tr -d \") + record_content=$(echo "$record" | _egrep_o "\"content\":\s?\"[^\"]*\"" | cut -d : -f 2 | tr -d " " | tr -d \") + record_id=$(echo "$record" | _egrep_o "\"id\":\s?[0-9]+" | cut -d : -f 2 | tr -d " " | tr -d \") + if [ "$_sub_domain" = "$record_name" ]; then + if [ "$txtvalue" = "$record_content" ]; then + _debug "record_id" "$record_id" + if ! _njalla_rest "{\"method\":\"remove-record\",\"params\":{\"domain\":\"${_domain}\",\"id\":${record_id}}}"; then + _err "Delete record error." + return 1 + fi + echo "$response" | tr -d " " | grep "\"result\"" >/dev/null + fi + fi + done + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _njalla_rest "{\"method\":\"get-domain\",\"params\":{\"domain\":\"${h}\"}}"; then + return 1 + fi + + if _contains "$response" "\"$h\""; then + _domain_returned=$(echo "$response" | _egrep_o "\{\"name\": *\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ") + if [ "$_domain_returned" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_njalla_rest() { + data="$1" + + token_trimmed=$(echo "$NJALLA_Token" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Accept: application/json" + export _H3="Authorization: Njalla $token_trimmed" + + _debug data "$data" + response="$(_post "$data" "$NJALLA_Api" "" "POST")" + + if [ "$?" != "0" ]; then + _err "error $data" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_nm.sh b/acme.sh-master/dnsapi/dns_nm.sh new file mode 100644 index 0000000..4dfcc77 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nm.sh @@ -0,0 +1,88 @@ +#!/usr/bin/env sh + +######################################################################## +# https://namemaster.de hook script for acme.sh +# +# Environment variables: +# +# - $NM_user (your namemaster.de API username) +# - $NM_sha256 (your namemaster.de API password_as_sha256hash) +# +# Author: Thilo Gass +# Git repo: https://github.com/ThiloGa/acme.sh + +#-- dns_nm_add() - Add TXT record -------------------------------------- +# Usage: dns_nm_add _acme-challenge.subdomain.domain.com "XyZ123..." + +namemaster_api="https://namemaster.de/api/api.php" + +dns_nm_add() { + fulldomain=$1 + txt_value=$2 + _info "Using DNS-01 namemaster hook" + + NM_user="${NM_user:-$(_readaccountconf_mutable NM_user)}" + NM_sha256="${NM_sha256:-$(_readaccountconf_mutable NM_sha256)}" + if [ -z "$NM_user" ] || [ -z "$NM_sha256" ]; then + NM_user="" + NM_sha256="" + _err "No auth details provided. Please set user credentials using the \$NM_user and \$NM_sha256 environment variables." + return 1 + fi + #save the api user and sha256 password to the account conf file. + _debug "Save user and hash" + _saveaccountconf_mutable NM_user "$NM_user" + _saveaccountconf_mutable NM_sha256 "$NM_sha256" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" "$fulldomain" + return 1 + fi + + _info "die Zone lautet:" "$zone" + + get="$namemaster_api?User=$NM_user&Password=$NM_sha256&Antwort=csv&Typ=ACME&zone=$zone&hostname=$fulldomain&TXT=$txt_value&Action=Auto&Lifetime=3600" + + if ! erg="$(_get "$get")"; then + _err "error Adding $fulldomain TXT: $txt_value" + return 1 + fi + + if _contains "$erg" "Success"; then + _info "Success, TXT Added, OK" + else + _err "error Adding $fulldomain TXT: $txt_value erg: $erg" + return 1 + fi + + _debug "ok Auto $fulldomain TXT: $txt_value erg: $erg" + return 0 +} + +dns_nm_rm() { + + fulldomain=$1 + txtvalue=$2 + _info "TXT enrty in $fulldomain is deleted automatically" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + +} + +_get_root() { + + domain=$1 + + get="$namemaster_api?User=$NM_user&Password=$NM_sha256&Typ=acme&hostname=$domain&Action=getzone&antwort=csv" + + if ! zone="$(_get "$get")"; then + _err "error getting Zone" + return 1 + else + if _contains "$zone" "hostname not found"; then + return 1 + fi + fi + +} diff --git a/acme.sh-master/dnsapi/dns_nsd.sh b/acme.sh-master/dnsapi/dns_nsd.sh new file mode 100644 index 0000000..0d29a48 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nsd.sh @@ -0,0 +1,64 @@ +#!/usr/bin/env sh + +#Nsd_ZoneFile="/etc/nsd/zones/example.com.zone" +#Nsd_Command="sudo nsd-control reload" + +# args: fulldomain txtvalue +dns_nsd_add() { + fulldomain=$1 + txtvalue=$2 + ttlvalue=300 + + Nsd_ZoneFile="${Nsd_ZoneFile:-$(_readdomainconf Nsd_ZoneFile)}" + Nsd_Command="${Nsd_Command:-$(_readdomainconf Nsd_Command)}" + + # Arg checks + if [ -z "$Nsd_ZoneFile" ] || [ -z "$Nsd_Command" ]; then + Nsd_ZoneFile="" + Nsd_Command="" + _err "Specify ENV vars Nsd_ZoneFile and Nsd_Command" + return 1 + fi + + if [ ! -f "$Nsd_ZoneFile" ]; then + Nsd_ZoneFile="" + Nsd_Command="" + _err "No such file: $Nsd_ZoneFile" + return 1 + fi + + _savedomainconf Nsd_ZoneFile "$Nsd_ZoneFile" + _savedomainconf Nsd_Command "$Nsd_Command" + + echo "$fulldomain. $ttlvalue IN TXT \"$txtvalue\"" >>"$Nsd_ZoneFile" + _info "Added TXT record for $fulldomain" + _debug "Running $Nsd_Command" + if eval "$Nsd_Command"; then + _info "Successfully updated the zone" + return 0 + else + _err "Problem updating the zone" + return 1 + fi +} + +# args: fulldomain txtvalue +dns_nsd_rm() { + fulldomain=$1 + txtvalue=$2 + ttlvalue=300 + + Nsd_ZoneFile="${Nsd_ZoneFile:-$(_readdomainconf Nsd_ZoneFile)}" + Nsd_Command="${Nsd_Command:-$(_readdomainconf Nsd_Command)}" + + _sed_i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile" + _info "Removed TXT record for $fulldomain" + _debug "Running $Nsd_Command" + if eval "$Nsd_Command"; then + _info "Successfully reloaded NSD " + return 0 + else + _err "Problem reloading NSD" + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_nsone.sh b/acme.sh-master/dnsapi/dns_nsone.sh new file mode 100644 index 0000000..9a99834 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nsone.sh @@ -0,0 +1,158 @@ +#!/usr/bin/env sh + +# bug reports to dev@1e.ca + +# +#NS1_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# + +NS1_Api="https://api.nsone.net/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nsone_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$NS1_Key" ]; then + NS1_Key="" + _err "You didn't specify nsone dns api key yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf NS1_Key "$NS1_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _nsone_rest GET "zones/${_domain}" + + if ! _contains "$response" "\"records\":"; then + _err "Error" + return 1 + fi + + count=$(printf "%s\n" "$response" | _egrep_o "\"domain\":\"$fulldomain\",[^{]*\"type\":\"TXT\"" | wc -l | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Adding record" + + if _nsone_rest PUT "zones/$_domain/$fulldomain/TXT" "{\"answers\":[{\"answer\":[\"$txtvalue\"]}],\"type\":\"TXT\",\"domain\":\"$fulldomain\",\"zone\":\"$_domain\",\"ttl\":0}"; then + if _contains "$response" "$fulldomain"; then + _info "Added" + #todo: check if the record takes effect + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + else + _info "Updating record" + prev_txt=$(printf "%s\n" "$response" | _egrep_o "\"domain\":\"$fulldomain\",\"short_answers\":\[\"[^,]*\]" | _head_n 1 | cut -d: -f3 | cut -d, -f1) + _debug "prev_txt" "$prev_txt" + + _nsone_rest POST "zones/$_domain/$fulldomain/TXT" "{\"answers\": [{\"answer\": [\"$txtvalue\"]},{\"answer\": $prev_txt}],\"type\": \"TXT\",\"domain\":\"$fulldomain\",\"zone\": \"$_domain\",\"ttl\":0}" + if [ "$?" = "0" ] && _contains "$response" "$fulldomain"; then + _info "Updated!" + #todo: check if the record takes effect + return 0 + fi + _err "Update error" + return 1 + fi + +} + +#fulldomain +dns_nsone_rm() { + fulldomain=$1 + txtvalue=$2 + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _nsone_rest GET "zones/${_domain}/$fulldomain/TXT" + + count=$(printf "%s\n" "$response" | _egrep_o "\"domain\":\"$fulldomain\",.*\"type\":\"TXT\"" | wc -l | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + if ! _nsone_rest DELETE "zones/${_domain}/$fulldomain/TXT"; then + _err "Delete record error." + return 1 + fi + _contains "$response" "" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + if ! _nsone_rest GET "zones"; then + return 1 + fi + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"zone\":\"$h\""; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_nsone_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Accept: application/json" + export _H2="X-NSONE-Key: $NS1_Key" + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$NS1_Api/$ep" "" "$m")" + else + response="$(_get "$NS1_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_nsupdate.sh b/acme.sh-master/dnsapi/dns_nsupdate.sh new file mode 100644 index 0000000..cd4b714 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_nsupdate.sh @@ -0,0 +1,98 @@ +#!/usr/bin/env sh + +######## Public functions ##################### + +#Usage: dns_nsupdate_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nsupdate_add() { + fulldomain=$1 + txtvalue=$2 + NSUPDATE_SERVER="${NSUPDATE_SERVER:-$(_readaccountconf_mutable NSUPDATE_SERVER)}" + NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}" + NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}" + NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}" + + _checkKeyFile || return 1 + + # save the dns server and key to the account conf file. + _saveaccountconf_mutable NSUPDATE_SERVER "${NSUPDATE_SERVER}" + _saveaccountconf_mutable NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}" + _saveaccountconf_mutable NSUPDATE_KEY "${NSUPDATE_KEY}" + _saveaccountconf_mutable NSUPDATE_ZONE "${NSUPDATE_ZONE}" + + [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost" + [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53 + + _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\"" + [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d" + [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D" + if [ -z "${NSUPDATE_ZONE}" ]; then + nsupdate -k "${NSUPDATE_KEY}" $nsdebug < + +NW_API_VERSION="0" + +# dns_nw_add() - Add TXT record +# Usage: dns_nw_add _acme-challenge.subdomain.domain.com "XyZ123..." +dns_nw_add() { + host="${1}" + txtvalue="${2}" + + _debug host "${host}" + _debug txtvalue "${txtvalue}" + + if ! _check_nw_api_creds; then + return 1 + fi + + _info "Using NocWorx (${NW_API_ENDPOINT})" + _debug "Calling: dns_nw_add() '${host}' '${txtvalue}'" + + _debug "Detecting root zone" + if ! _get_root "${host}"; then + _err "Zone for domain does not exist." + return 1 + fi + _debug _zone_id "${_zone_id}" + _debug _sub_domain "${_sub_domain}" + _debug _domain "${_domain}" + + _post_data="{\"zone_id\": \"${_zone_id}\", \"type\": \"TXT\", \"host\": \"${host}\", \"target\": \"${txtvalue}\", \"ttl\": \"300\"}" + + if _rest POST "dns-record" "${_post_data}" && [ -n "${response}" ]; then + _record_id=$(printf "%s\n" "${response}" | _egrep_o "\"record_id\": *[0-9]+" | cut -d : -f 2 | tr -d " " | _head_n 1) + _debug _record_id "${_record_id}" + + if [ -z "$_record_id" ]; then + _err "Error adding the TXT record." + return 1 + fi + + _info "TXT record successfully added." + return 0 + fi + + return 1 +} + +# dns_nw_rm() - Remove TXT record +# Usage: dns_nw_rm _acme-challenge.subdomain.domain.com "XyZ123..." +dns_nw_rm() { + host="${1}" + txtvalue="${2}" + + _debug host "${host}" + _debug txtvalue "${txtvalue}" + + if ! _check_nw_api_creds; then + return 1 + fi + + _info "Using NocWorx (${NW_API_ENDPOINT})" + _debug "Calling: dns_nw_rm() '${host}'" + + _debug "Detecting root zone" + if ! _get_root "${host}"; then + _err "Zone for domain does not exist." + return 1 + fi + _debug _zone_id "${_zone_id}" + _debug _sub_domain "${_sub_domain}" + _debug _domain "${_domain}" + + _parameters="?zone_id=${_zone_id}" + + if _rest GET "dns-record" "${_parameters}" && [ -n "${response}" ]; then + response="$(echo "${response}" | tr -d "\n" | sed 's/^\[\(.*\)\]$/\1/' | sed -e 's/{"record_id":/|"record_id":/g' | sed 's/|/&{/g' | tr "|" "\n")" + _debug response "${response}" + + record="$(echo "${response}" | _egrep_o "{.*\"host\": *\"${_sub_domain}\", *\"target\": *\"${txtvalue}\".*}")" + _debug record "${record}" + + if [ "${record}" ]; then + _record_id=$(printf "%s\n" "${record}" | _egrep_o "\"record_id\": *[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "${_record_id}" ]; then + _debug _record_id "${_record_id}" + + _rest DELETE "dns-record/${_record_id}" + + _info "TXT record successfully deleted." + return 0 + fi + + return 1 + fi + + return 0 + fi + + return 1 +} + +_check_nw_api_creds() { + NW_API_TOKEN="${NW_API_TOKEN:-$(_readaccountconf_mutable NW_API_TOKEN)}" + NW_API_ENDPOINT="${NW_API_ENDPOINT:-$(_readaccountconf_mutable NW_API_ENDPOINT)}" + + if [ -z "${NW_API_ENDPOINT}" ]; then + NW_API_ENDPOINT="https://portal.nexcess.net" + fi + + if [ -z "${NW_API_TOKEN}" ]; then + _err "You have not defined your NW_API_TOKEN." + _err "Please create your token and try again." + _err "If you need to generate a new token, please visit one of the following URLs:" + _err " - https://portal.nexcess.net/api-token" + _err " - https://core.thermo.io/api-token" + _err " - https://my.futurehosting.com/api-token" + + return 1 + fi + + _saveaccountconf_mutable NW_API_TOKEN "${NW_API_TOKEN}" + _saveaccountconf_mutable NW_API_ENDPOINT "${NW_API_ENDPOINT}" +} + +_get_root() { + domain="${1}" + i=2 + p=1 + + if _rest GET "dns-zone"; then + response="$(echo "${response}" | tr -d "\n" | sed 's/^\[\(.*\)\]$/\1/' | sed -e 's/{"zone_id":/|"zone_id":/g' | sed 's/|/&{/g' | tr "|" "\n")" + + _debug response "${response}" + while true; do + h=$(printf "%s" "${domain}" | cut -d . -f $i-100) + _debug h "${h}" + if [ -z "${h}" ]; then + #not valid + return 1 + fi + + hostedzone="$(echo "${response}" | _egrep_o "{.*\"domain\": *\"${h}\".*}")" + if [ "${hostedzone}" ]; then + _zone_id=$(printf "%s\n" "${hostedzone}" | _egrep_o "\"zone_id\": *[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "${_zone_id}" ]; then + _sub_domain=$(printf "%s" "${domain}" | cut -d . -f 1-${p}) + _domain="${h}" + return 0 + fi + return 1 + fi + p=$i + i=$(_math "${i}" + 1) + done + fi + return 1 +} + +_rest() { + method="${1}" + ep="/${2}" + data="${3}" + + _debug method "${method}" + _debug ep "${ep}" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + export _H3="Api-Version: ${NW_API_VERSION}" + export _H4="User-Agent: NW-ACME-CLIENT" + export _H5="Authorization: Bearer ${NW_API_TOKEN}" + + if [ "${method}" != "GET" ]; then + _debug data "${data}" + response="$(_post "${data}" "${NW_API_ENDPOINT}${ep}" "" "${method}")" + else + response="$(_get "${NW_API_ENDPOINT}${ep}${data}")" + fi + + if [ "${?}" != "0" ]; then + _err "error ${ep}" + return 1 + fi + _debug2 response "${response}" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_oci.sh b/acme.sh-master/dnsapi/dns_oci.sh new file mode 100644 index 0000000..3b81143 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_oci.sh @@ -0,0 +1,325 @@ +#!/usr/bin/env sh +# +# Acme.sh DNS API plugin for Oracle Cloud Infrastructure +# Copyright (c) 2021, Oracle and/or its affiliates +# +# The plugin will automatically use the default profile from an OCI SDK and CLI +# configuration file, if it exists. +# +# Alternatively, set the following environment variables: +# - OCI_CLI_TENANCY : OCID of tenancy that contains the target DNS zone +# - OCI_CLI_USER : OCID of user with permission to add/remove records from zones +# - OCI_CLI_REGION : Should point to the tenancy home region +# +# One of the following two variables is required: +# - OCI_CLI_KEY_FILE: Path to private API signing key file in PEM format; or +# - OCI_CLI_KEY : The private API signing key in PEM format +# +# NOTE: using an encrypted private key that needs a passphrase is not supported. +# + +dns_oci_add() { + _fqdn="$1" + _rdata="$2" + + if _get_oci_zone; then + + _add_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"ttl\": 30,\"operation\":\"ADD\"}]}" + response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_add_record_body") + if [ "$response" ]; then + _info "Success: added TXT record for ${_sub_domain}.${_domain}." + else + _err "Error: failed to add TXT record for ${_sub_domain}.${_domain}." + _err "Check that the user has permission to add records to this zone." + return 1 + fi + + else + return 1 + fi + +} + +dns_oci_rm() { + _fqdn="$1" + _rdata="$2" + + if _get_oci_zone; then + + _remove_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"operation\":\"REMOVE\"}]}" + response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_remove_record_body") + if [ "$response" ]; then + _info "Success: removed TXT record for ${_sub_domain}.${_domain}." + else + _err "Error: failed to remove TXT record for ${_sub_domain}.${_domain}." + _err "Check that the user has permission to remove records from this zone." + return 1 + fi + + else + return 1 + fi + +} + +#################### Private functions below ################################## +_get_oci_zone() { + + if ! _oci_config; then + return 1 + fi + + if ! _get_zone "$_fqdn"; then + _err "Error: DNS Zone not found for $_fqdn in $OCI_CLI_TENANCY" + return 1 + fi + + return 0 + +} + +_oci_config() { + + _DEFAULT_OCI_CLI_CONFIG_FILE="$HOME/.oci/config" + OCI_CLI_CONFIG_FILE="${OCI_CLI_CONFIG_FILE:-$(_readaccountconf_mutable OCI_CLI_CONFIG_FILE)}" + + if [ -z "$OCI_CLI_CONFIG_FILE" ]; then + OCI_CLI_CONFIG_FILE="$_DEFAULT_OCI_CLI_CONFIG_FILE" + fi + + if [ "$_DEFAULT_OCI_CLI_CONFIG_FILE" != "$OCI_CLI_CONFIG_FILE" ]; then + _saveaccountconf_mutable OCI_CLI_CONFIG_FILE "$OCI_CLI_CONFIG_FILE" + else + _clearaccountconf_mutable OCI_CLI_CONFIG_FILE + fi + + _DEFAULT_OCI_CLI_PROFILE="DEFAULT" + OCI_CLI_PROFILE="${OCI_CLI_PROFILE:-$(_readaccountconf_mutable OCI_CLI_PROFILE)}" + if [ "$_DEFAULT_OCI_CLI_PROFILE" != "$OCI_CLI_PROFILE" ]; then + _saveaccountconf_mutable OCI_CLI_PROFILE "$OCI_CLI_PROFILE" + else + OCI_CLI_PROFILE="$_DEFAULT_OCI_CLI_PROFILE" + _clearaccountconf_mutable OCI_CLI_PROFILE + fi + + OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readaccountconf_mutable OCI_CLI_TENANCY)}" + if [ "$OCI_CLI_TENANCY" ]; then + _saveaccountconf_mutable OCI_CLI_TENANCY "$OCI_CLI_TENANCY" + elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then + _debug "Reading OCI_CLI_TENANCY value from: $OCI_CLI_CONFIG_FILE" + OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readini "$OCI_CLI_CONFIG_FILE" tenancy "$OCI_CLI_PROFILE")}" + fi + + if [ -z "$OCI_CLI_TENANCY" ]; then + _err "Error: unable to read OCI_CLI_TENANCY from config file or environment variable." + return 1 + fi + + OCI_CLI_USER="${OCI_CLI_USER:-$(_readaccountconf_mutable OCI_CLI_USER)}" + if [ "$OCI_CLI_USER" ]; then + _saveaccountconf_mutable OCI_CLI_USER "$OCI_CLI_USER" + elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then + _debug "Reading OCI_CLI_USER value from: $OCI_CLI_CONFIG_FILE" + OCI_CLI_USER="${OCI_CLI_USER:-$(_readini "$OCI_CLI_CONFIG_FILE" user "$OCI_CLI_PROFILE")}" + fi + if [ -z "$OCI_CLI_USER" ]; then + _err "Error: unable to read OCI_CLI_USER from config file or environment variable." + return 1 + fi + + OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readaccountconf_mutable OCI_CLI_REGION)}" + if [ "$OCI_CLI_REGION" ]; then + _saveaccountconf_mutable OCI_CLI_REGION "$OCI_CLI_REGION" + elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then + _debug "Reading OCI_CLI_REGION value from: $OCI_CLI_CONFIG_FILE" + OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readini "$OCI_CLI_CONFIG_FILE" region "$OCI_CLI_PROFILE")}" + fi + if [ -z "$OCI_CLI_REGION" ]; then + _err "Error: unable to read OCI_CLI_REGION from config file or environment variable." + return 1 + fi + + OCI_CLI_KEY="${OCI_CLI_KEY:-$(_readaccountconf_mutable OCI_CLI_KEY)}" + if [ -z "$OCI_CLI_KEY" ]; then + _clearaccountconf_mutable OCI_CLI_KEY + OCI_CLI_KEY_FILE="${OCI_CLI_KEY_FILE:-$(_readini "$OCI_CLI_CONFIG_FILE" key_file "$OCI_CLI_PROFILE")}" + if [ "$OCI_CLI_KEY_FILE" ] && [ -f "$OCI_CLI_KEY_FILE" ]; then + _debug "Reading OCI_CLI_KEY value from: $OCI_CLI_KEY_FILE" + OCI_CLI_KEY=$(_base64 <"$OCI_CLI_KEY_FILE") + _saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY" + fi + else + _saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY" + fi + + if [ -z "$OCI_CLI_KEY_FILE" ] && [ -z "$OCI_CLI_KEY" ]; then + _err "Error: unable to find key file path in OCI config file or OCI_CLI_KEY_FILE." + _err "Error: unable to load private API signing key from OCI_CLI_KEY." + return 1 + fi + + if [ "$(printf "%s\n" "$OCI_CLI_KEY" | wc -l)" -eq 1 ]; then + OCI_CLI_KEY=$(printf "%s" "$OCI_CLI_KEY" | _dbase64) + fi + + return 0 + +} + +# _get_zone(): retrieves the Zone name and OCID +# +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_ociid=ocid1.dns-zone.oc1.. +_get_zone() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + # not valid + return 1 + fi + + _domain_id=$(_signed_request "GET" "/20180115/zones/$h" "" "id") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + return 1 + +} + +#Usage: privatekey +#Output MD5 fingerprint +_fingerprint() { + + pkey="$1" + if [ -z "$pkey" ]; then + _usage "Usage: _fingerprint privkey" + return 1 + fi + + printf "%s" "$pkey" | ${ACME_OPENSSL_BIN:-openssl} rsa -pubout -outform DER 2>/dev/null | ${ACME_OPENSSL_BIN:-openssl} md5 -c | cut -d = -f 2 | tr -d ' ' + +} + +_signed_request() { + + _sig_method="$1" + _sig_target="$2" + _sig_body="$3" + _return_field="$4" + + _key_fingerprint=$(_fingerprint "$OCI_CLI_KEY") + _sig_host="dns.$OCI_CLI_REGION.oraclecloud.com" + _sig_keyId="$OCI_CLI_TENANCY/$OCI_CLI_USER/$_key_fingerprint" + _sig_alg="rsa-sha256" + _sig_version="1" + _sig_now="$(LC_ALL=C \date -u "+%a, %d %h %Y %H:%M:%S GMT")" + + _request_method=$(printf %s "$_sig_method" | _lower_case) + _curl_method=$(printf %s "$_sig_method" | _upper_case) + + _request_target="(request-target): $_request_method $_sig_target" + _date_header="date: $_sig_now" + _host_header="host: $_sig_host" + + _string_to_sign="$_request_target\n$_date_header\n$_host_header" + _sig_headers="(request-target) date host" + + if [ "$_sig_body" ]; then + _secure_debug3 _sig_body "$_sig_body" + _sig_body_sha256="x-content-sha256: $(printf %s "$_sig_body" | _digest sha256)" + _sig_body_type="content-type: application/json" + _sig_body_length="content-length: ${#_sig_body}" + _string_to_sign="$_string_to_sign\n$_sig_body_sha256\n$_sig_body_type\n$_sig_body_length" + _sig_headers="$_sig_headers x-content-sha256 content-type content-length" + fi + + _tmp_file=$(_mktemp) + if [ -f "$_tmp_file" ]; then + printf '%s' "$OCI_CLI_KEY" >"$_tmp_file" + _signature=$(printf '%b' "$_string_to_sign" | _sign "$_tmp_file" sha256 | tr -d '\r\n') + rm -f "$_tmp_file" + fi + + _signed_header="Authorization: Signature version=\"$_sig_version\",keyId=\"$_sig_keyId\",algorithm=\"$_sig_alg\",headers=\"$_sig_headers\",signature=\"$_signature\"" + _secure_debug3 _signed_header "$_signed_header" + + if [ "$_curl_method" = "GET" ]; then + export _H1="$_date_header" + export _H2="$_signed_header" + _response="$(_get "https://${_sig_host}${_sig_target}")" + elif [ "$_curl_method" = "PATCH" ]; then + export _H1="$_date_header" + # shellcheck disable=SC2090 + export _H2="$_sig_body_sha256" + export _H3="$_sig_body_type" + export _H4="$_sig_body_length" + export _H5="$_signed_header" + _response="$(_post "$_sig_body" "https://${_sig_host}${_sig_target}" "" "PATCH")" + else + _err "Unable to process method: $_curl_method." + fi + + _ret="$?" + if [ "$_return_field" ]; then + _response="$(echo "$_response" | sed 's/\\\"//g'))" + _return=$(echo "${_response}" | _egrep_o "\"$_return_field\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"") + else + _return="$_response" + fi + + printf "%s" "$_return" + return $_ret + +} + +# file key [section] +_readini() { + _file="$1" + _key="$2" + _section="${3:-DEFAULT}" + + _start_n=$(grep -n '\['"$_section"']' "$_file" | cut -d : -f 1) + _debug3 _start_n "$_start_n" + if [ -z "$_start_n" ]; then + _err "Can not find section: $_section" + return 1 + fi + + _start_nn=$(_math "$_start_n" + 1) + _debug3 "_start_nn" "$_start_nn" + + _left="$(sed -n "${_start_nn},99999p" "$_file")" + _debug3 _left "$_left" + _end="$(echo "$_left" | grep -n "^\[" | _head_n 1)" + _debug3 "_end" "$_end" + if [ "$_end" ]; then + _end_n=$(echo "$_end" | cut -d : -f 1) + _debug3 "_end_n" "$_end_n" + _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p") + else + _seg_n="$_left" + fi + + _debug3 "_seg_n" "$_seg_n" + _lineini="$(echo "$_seg_n" | grep "^ *$_key *= *")" + _inivalue="$(printf "%b" "$(eval "echo $_lineini | sed \"s/^ *${_key} *= *//g\"")")" + _debug2 _inivalue "$_inivalue" + echo "$_inivalue" + +} diff --git a/acme.sh-master/dnsapi/dns_one.sh b/acme.sh-master/dnsapi/dns_one.sh new file mode 100644 index 0000000..1565b76 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_one.sh @@ -0,0 +1,227 @@ +#!/usr/bin/env sh +# one.com ui wrapper for acme.sh + +# +# export ONECOM_User="username" +# export ONECOM_Password="password" + +dns_one_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _dns_one_login; then + _err "login failed" + return 1 + fi + + _debug "detect the root domain" + if ! _get_root "$fulldomain"; then + _err "root domain not found" + return 1 + fi + + subdomain="${_sub_domain}" + maindomain=${_domain} + + _debug subdomain "$subdomain" + _debug maindomain "$maindomain" + + #Check if the TXT exists + _dns_one_getrecord "TXT" "$subdomain" "$txtvalue" + if [ -n "$id" ]; then + _info "$(__green "Txt record with the same value found. Skip adding.")" + return 0 + fi + + _dns_one_addrecord "TXT" "$subdomain" "$txtvalue" + if [ -z "$id" ]; then + _err "Add TXT record error." + return 1 + else + _info "$(__green "Added, OK ($id)")" + return 0 + fi +} + +dns_one_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _dns_one_login; then + _err "login failed" + return 1 + fi + + _debug "detect the root domain" + if ! _get_root "$fulldomain"; then + _err "root domain not found" + return 1 + fi + + subdomain="${_sub_domain}" + maindomain=${_domain} + + _debug subdomain "$subdomain" + _debug maindomain "$maindomain" + + #Check if the TXT exists + _dns_one_getrecord "TXT" "$subdomain" "$txtvalue" + if [ -z "$id" ]; then + _err "Txt record not found." + return 1 + fi + + # delete entry + if _dns_one_delrecord "$id"; then + _info "$(__green Removed, OK)" + return 0 + else + _err "Removing txt record error." + return 1 + fi +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + + if [ -z "$h" ]; then + #not valid + return 1 + fi + + response="$(_get "https://www.one.com/admin/api/domains/$h/dns/custom_records")" + + if ! _contains "$response" "CRMRST_000302"; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + _err "Unable to parse this domain" + return 1 +} + +_dns_one_login() { + + # get credentials + ONECOM_User="${ONECOM_User:-$(_readaccountconf_mutable ONECOM_User)}" + ONECOM_Password="${ONECOM_Password:-$(_readaccountconf_mutable ONECOM_Password)}" + if [ -z "$ONECOM_User" ] || [ -z "$ONECOM_Password" ]; then + ONECOM_User="" + ONECOM_Password="" + _err "You didn't specify a one.com username and password yet." + _err "Please create the key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable ONECOM_User "$ONECOM_User" + _saveaccountconf_mutable ONECOM_Password "$ONECOM_Password" + + # Login with user and password + postdata="loginDomain=true" + postdata="$postdata&displayUsername=$ONECOM_User" + postdata="$postdata&username=$ONECOM_User" + postdata="$postdata&targetDomain=" + postdata="$postdata&password1=$ONECOM_Password" + postdata="$postdata&loginTarget=" + #_debug postdata "$postdata" + + response="$(_post "$postdata" "https://www.one.com/admin/login.do" "" "POST" "application/x-www-form-urlencoded")" + #_debug response "$response" + + # Get SessionID + JSESSIONID="$(grep "OneSIDCrmAdmin" "$HTTP_HEADER" | grep "^[Ss]et-[Cc]ookie:" | _head_n 1 | _egrep_o 'OneSIDCrmAdmin=[^;]*;' | tr -d ';')" + _debug jsessionid "$JSESSIONID" + + if [ -z "$JSESSIONID" ]; then + _err "error sessionid cookie not found" + return 1 + fi + + export _H1="Cookie: ${JSESSIONID}" + + return 0 +} + +_dns_one_getrecord() { + type="$1" + name="$2" + value="$3" + if [ -z "$type" ]; then + type="TXT" + fi + if [ -z "$name" ]; then + _err "Record name is empty." + return 1 + fi + + response="$(_get "https://www.one.com/admin/api/domains/$maindomain/dns/custom_records")" + response="$(echo "$response" | _normalizeJson)" + _debug response "$response" + + if [ -z "${value}" ]; then + id=$(printf -- "%s" "$response" | sed -n "s/.*{\"type\":\"dns_custom_records\",\"id\":\"\([^\"]*\)\",\"attributes\":{\"prefix\":\"${name}\",\"type\":\"${type}\",\"content\":\"[^\"]*\",\"priority\":0,\"ttl\":600}.*/\1/p") + response=$(printf -- "%s" "$response" | sed -n "s/.*{\"type\":\"dns_custom_records\",\"id\":\"[^\"]*\",\"attributes\":{\"prefix\":\"${name}\",\"type\":\"${type}\",\"content\":\"\([^\"]*\)\",\"priority\":0,\"ttl\":600}.*/\1/p") + else + id=$(printf -- "%s" "$response" | sed -n "s/.*{\"type\":\"dns_custom_records\",\"id\":\"\([^\"]*\)\",\"attributes\":{\"prefix\":\"${name}\",\"type\":\"${type}\",\"content\":\"${value}\",\"priority\":0,\"ttl\":600}.*/\1/p") + fi + if [ -z "$id" ]; then + return 1 + fi + return 0 +} + +_dns_one_addrecord() { + type="$1" + name="$2" + value="$3" + if [ -z "$type" ]; then + type="TXT" + fi + if [ -z "$name" ]; then + _err "Record name is empty." + return 1 + fi + + postdata="{\"type\":\"dns_custom_records\",\"attributes\":{\"priority\":0,\"ttl\":600,\"type\":\"${type}\",\"prefix\":\"${name}\",\"content\":\"${value}\"}}" + _debug postdata "$postdata" + response="$(_post "$postdata" "https://www.one.com/admin/api/domains/$maindomain/dns/custom_records" "" "POST" "application/json")" + response="$(echo "$response" | _normalizeJson)" + _debug response "$response" + + id=$(echo "$response" | sed -n "s/{\"result\":{\"data\":{\"type\":\"dns_custom_records\",\"id\":\"\([^\"]*\)\",\"attributes\":{\"prefix\":\"$subdomain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"priority\":0,\"ttl\":600}}},\"metadata\":null}/\1/p") + + if [ -z "$id" ]; then + return 1 + else + return 0 + fi +} + +_dns_one_delrecord() { + id="$1" + if [ -z "$id" ]; then + return 1 + fi + + response="$(_post "" "https://www.one.com/admin/api/domains/$maindomain/dns/custom_records/$id" "" "DELETE" "application/json")" + response="$(echo "$response" | _normalizeJson)" + _debug response "$response" + + if [ "$response" = '{"result":null,"metadata":null}' ]; then + return 0 + else + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_online.sh b/acme.sh-master/dnsapi/dns_online.sh new file mode 100644 index 0000000..9158c26 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_online.sh @@ -0,0 +1,217 @@ +#!/usr/bin/env sh + +# Online API +# https://console.online.net/en/api/ +# +# Requires Online API key set in ONLINE_API_KEY + +######## Public functions ##################### + +ONLINE_API="https://api.online.net/api/v1" + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_online_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _online_check_config; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _real_dns_version "$_real_dns_version" + + _info "Creating temporary zone version" + _online_create_temporary_zone_version + _info "Enabling temporary zone version" + _online_enable_zone "$_temporary_dns_version" + + _info "Adding record" + _online_create_TXT_record "$_real_dns_version" "$_sub_domain" "$txtvalue" + _info "Disabling temporary version" + _online_enable_zone "$_real_dns_version" + _info "Destroying temporary version" + _online_destroy_zone "$_temporary_dns_version" + + _info "Record added." + return 0 +} + +#fulldomain +dns_online_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _online_check_config; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug _real_dns_version "$_real_dns_version" + + _debug "Getting txt records" + if ! _online_rest GET "domain/$_domain/version/active"; then + return 1 + fi + + rid=$(echo "$response" | _egrep_o "\"id\":[0-9]+,\"name\":\"$_sub_domain\",\"data\":\"\\\u0022$txtvalue\\\u0022\"" | cut -d ':' -f 2 | cut -d ',' -f 1) + _debug rid "$rid" + if [ -z "$rid" ]; then + return 1 + fi + + _info "Creating temporary zone version" + _online_create_temporary_zone_version + _info "Enabling temporary zone version" + _online_enable_zone "$_temporary_dns_version" + + _info "Removing DNS record" + _online_rest DELETE "domain/$_domain/version/$_real_dns_version/zone/$rid" + _info "Disabling temporary version" + _online_enable_zone "$_real_dns_version" + _info "Destroying temporary version" + _online_destroy_zone "$_temporary_dns_version" + + return 0 +} + +#################### Private functions below ################################## + +_online_check_config() { + ONLINE_API_KEY="${ONLINE_API_KEY:-$(_readaccountconf_mutable ONLINE_API_KEY)}" + if [ -z "$ONLINE_API_KEY" ]; then + _err "No API key specified for Online API." + _err "Create your key and export it as ONLINE_API_KEY" + return 1 + fi + if ! _online_rest GET "domain/"; then + _err "Invalid API key specified for Online API." + return 1 + fi + + _saveaccountconf_mutable ONLINE_API_KEY "$ONLINE_API_KEY" + + return 0 +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _online_rest GET "domain/$h/version/active" + + if ! _contains "$response" "Domain not found" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + _real_dns_version=$(echo "$response" | _egrep_o '"uuid_ref":.*' | cut -d ':' -f 2 | cut -d '"' -f 2) + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + _err "Unable to retrive DNS zone matching this domain" + return 1 +} + +# this function create a temporary zone version +# as online.net does not allow updating an active version +_online_create_temporary_zone_version() { + + _online_rest POST "domain/$_domain/version" "name=acme.sh" + if [ "$?" != "0" ]; then + return 1 + fi + + _temporary_dns_version=$(echo "$response" | _egrep_o '"uuid_ref":.*' | cut -d ':' -f 2 | cut -d '"' -f 2) + + # Creating a dummy record in this temporary version, because online.net doesn't accept enabling an empty version + _online_create_TXT_record "$_temporary_dns_version" "dummy.acme.sh" "dummy" + + return 0 +} + +_online_destroy_zone() { + version_id=$1 + _online_rest DELETE "domain/$_domain/version/$version_id" + + if [ "$?" != "0" ]; then + return 1 + fi + return 0 +} + +_online_enable_zone() { + version_id=$1 + _online_rest PATCH "domain/$_domain/version/$version_id/enable" + + if [ "$?" != "0" ]; then + return 1 + fi + return 0 +} + +_online_create_TXT_record() { + version=$1 + txt_name=$2 + txt_value=$3 + + _online_rest POST "domain/$_domain/version/$version/zone" "type=TXT&name=$txt_name&data=%22$txt_value%22&ttl=60&priority=0" + + # Note : the normal, expected response SHOULD be "Unknown method". + # this happens because the API HTTP response contains a Location: header, that redirect + # to an unknown online.net endpoint. + if [ "$?" != "0" ] || _contains "$response" "Unknown method" || _contains "$response" "\$ref"; then + return 0 + else + _err "error $response" + return 1 + fi +} + +_online_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + _online_url="$ONLINE_API/$ep" + _debug2 _online_url "$_online_url" + export _H1="Authorization: Bearer $ONLINE_API_KEY" + export _H2="X-Pretty-JSON: 1" + if [ "$data" ] || [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$_online_url" "" "$m")" + else + response="$(_get "$_online_url")" + fi + if [ "$?" != "0" ] || _contains "$response" "invalid_grant" || _contains "$response" "Method not allowed"; then + _err "error $response" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_openprovider.sh b/acme.sh-master/dnsapi/dns_openprovider.sh new file mode 100644 index 0000000..0a9e5ad --- /dev/null +++ b/acme.sh-master/dnsapi/dns_openprovider.sh @@ -0,0 +1,247 @@ +#!/usr/bin/env sh + +# This is the OpenProvider API wrapper for acme.sh +# +# Author: Sylvia van Os +# Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/2104 +# +# export OPENPROVIDER_USER="username" +# export OPENPROVIDER_PASSWORDHASH="hashed_password" +# +# Usage: +# acme.sh --issue --dns dns_openprovider -d example.com + +OPENPROVIDER_API="https://api.openprovider.eu/" +#OPENPROVIDER_API="https://api.cte.openprovider.eu/" # Test API + +######## Public functions ##################### + +#Usage: dns_openprovider_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_openprovider_add() { + fulldomain="$1" + txtvalue="$2" + + OPENPROVIDER_USER="${OPENPROVIDER_USER:-$(_readaccountconf_mutable OPENPROVIDER_USER)}" + OPENPROVIDER_PASSWORDHASH="${OPENPROVIDER_PASSWORDHASH:-$(_readaccountconf_mutable OPENPROVIDER_PASSWORDHASH)}" + + if [ -z "$OPENPROVIDER_USER" ] || [ -z "$OPENPROVIDER_PASSWORDHASH" ]; then + _err "You didn't specify the openprovider user and/or password hash." + return 1 + fi + + # save the username and password to the account conf file. + _saveaccountconf_mutable OPENPROVIDER_USER "$OPENPROVIDER_USER" + _saveaccountconf_mutable OPENPROVIDER_PASSWORDHASH "$OPENPROVIDER_PASSWORDHASH" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain_name "$_domain_name" + _debug _domain_extension "$_domain_extension" + + _debug "Getting current records" + existing_items="" + results_retrieved=0 + while true; do + _openprovider_request "$(printf '%s.%s%s' "$_domain_name" "$_domain_extension" "$results_retrieved")" + + items="$response" + while true; do + item="$(echo "$items" | _egrep_o '.*<\/openXML>' | sed -n 's/.*\(.*<\/item>\).*/\1/p')" + _debug existing_items "$existing_items" + _debug results_retrieved "$results_retrieved" + _debug item "$item" + + if [ -z "$item" ]; then + break + fi + + tmpitem="$(echo "$item" | sed 's/\*/\\*/g')" + items="$(echo "$items" | sed "s|${tmpitem}||")" + + results_retrieved="$(_math "$results_retrieved" + 1)" + new_item="$(echo "$item" | sed -n 's/.*.*\(\(.*\)\.'"$_domain_name"'\.'"$_domain_extension"'<\/name>.*\(.*<\/type>\).*\(.*<\/value>\).*\(.*<\/prio>\).*\(.*<\/ttl>\)\).*<\/item>.*/\2<\/name>\3\4\5\6<\/item>/p')" + if [ -z "$new_item" ]; then + # Domain apex + new_item="$(echo "$item" | sed -n 's/.*.*\(\(.*\)'"$_domain_name"'\.'"$_domain_extension"'<\/name>.*\(.*<\/type>\).*\(.*<\/value>\).*\(.*<\/prio>\).*\(.*<\/ttl>\)\).*<\/item>.*/\2<\/name>\3\4\5\6<\/item>/p')" + fi + + if [ -z "$(echo "$new_item" | _egrep_o ".*(A|AAAA|CNAME|MX|SPF|SRV|TXT|TLSA|SSHFP|CAA|NS)<\/type>.*")" ]; then + _debug "not an allowed record type, skipping" "$new_item" + continue + fi + + existing_items="$existing_items$new_item" + done + + total="$(echo "$response" | _egrep_o '.*?<\/total>' | sed -n 's/.*\(.*\)<\/total>.*/\1/p')" + + _debug total "$total" + if [ "$results_retrieved" -eq "$total" ]; then + break + fi + done + + _debug "Creating acme record" + acme_record="$(echo "$fulldomain" | sed -e "s/.$_domain_name.$_domain_extension$//")" + _openprovider_request "$(printf '%s%smaster%s%sTXT%s600' "$_domain_name" "$_domain_extension" "$existing_items" "$acme_record" "$txtvalue")" + + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_openprovider_rm() { + fulldomain="$1" + txtvalue="$2" + + OPENPROVIDER_USER="${OPENPROVIDER_USER:-$(_readaccountconf_mutable OPENPROVIDER_USER)}" + OPENPROVIDER_PASSWORDHASH="${OPENPROVIDER_PASSWORDHASH:-$(_readaccountconf_mutable OPENPROVIDER_PASSWORDHASH)}" + + if [ -z "$OPENPROVIDER_USER" ] || [ -z "$OPENPROVIDER_PASSWORDHASH" ]; then + _err "You didn't specify the openprovider user and/or password hash." + return 1 + fi + + # save the username and password to the account conf file. + _saveaccountconf_mutable OPENPROVIDER_USER "$OPENPROVIDER_USER" + _saveaccountconf_mutable OPENPROVIDER_PASSWORDHASH "$OPENPROVIDER_PASSWORDHASH" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain_name "$_domain_name" + _debug _domain_extension "$_domain_extension" + + _debug "Getting current records" + existing_items="" + results_retrieved=0 + while true; do + _openprovider_request "$(printf '%s.%s%s' "$_domain_name" "$_domain_extension" "$results_retrieved")" + + # Remove acme records from items + items="$response" + while true; do + item="$(echo "$items" | _egrep_o '.*<\/openXML>' | sed -n 's/.*\(.*<\/item>\).*/\1/p')" + _debug existing_items "$existing_items" + _debug results_retrieved "$results_retrieved" + _debug item "$item" + + if [ -z "$item" ]; then + break + fi + + tmpitem="$(echo "$item" | sed 's/\*/\\*/g')" + items="$(echo "$items" | sed "s|${tmpitem}||")" + + results_retrieved="$(_math "$results_retrieved" + 1)" + if ! echo "$item" | grep -v "$fulldomain"; then + _debug "acme record, skipping" "$item" + continue + fi + + new_item="$(echo "$item" | sed -n 's/.*.*\(\(.*\)\.'"$_domain_name"'\.'"$_domain_extension"'<\/name>.*\(.*<\/type>\).*\(.*<\/value>\).*\(.*<\/prio>\).*\(.*<\/ttl>\)\).*<\/item>.*/\2<\/name>\3\4\5\6<\/item>/p')" + + if [ -z "$new_item" ]; then + # domain apex + new_item="$(echo "$item" | sed -n 's/.*.*\(\(.*\)'"$_domain_name"'\.'"$_domain_extension"'<\/name>.*\(.*<\/type>\).*\(.*<\/value>\).*\(.*<\/prio>\).*\(.*<\/ttl>\)\).*<\/item>.*/\2<\/name>\3\4\5\6<\/item>/p')" + fi + + if [ -z "$(echo "$new_item" | _egrep_o ".*(A|AAAA|CNAME|MX|SPF|SRV|TXT|TLSA|SSHFP|CAA|NS)<\/type>.*")" ]; then + _debug "not an allowed record type, skipping" "$new_item" + continue + fi + + existing_items="$existing_items$new_item" + done + + total="$(echo "$response" | _egrep_o '.*?<\/total>' | sed -n 's/.*\(.*\)<\/total>.*/\1/p')" + + _debug total "$total" + + if [ "$results_retrieved" -eq "$total" ]; then + break + fi + done + + _debug "Removing acme record" + _openprovider_request "$(printf '%s%smaster%s' "$_domain_name" "$_domain_extension" "$existing_items")" + + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domain_name=domain +# _domain_extension=com +_get_root() { + domain=$1 + i=2 + + results_retrieved=0 + while true; do + h=$(echo "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _openprovider_request "$(printf '%s%s' "$(echo "$h" | cut -d . -f 1)" "$results_retrieved")" + + items="$response" + while true; do + item="$(echo "$items" | _egrep_o '.*<\/openXML>' | sed -n 's/.*\(.*<\/domain>\).*/\1/p')" + _debug existing_items "$existing_items" + _debug results_retrieved "$results_retrieved" + _debug item "$item" + + if [ -z "$item" ]; then + break + fi + + tmpitem="$(echo "$item" | sed 's/\*/\\*/g')" + items="$(echo "$items" | sed "s|${tmpitem}||")" + + results_retrieved="$(_math "$results_retrieved" + 1)" + + _domain_name="$(echo "$item" | sed -n 's/.*.*\(.*\)<\/name>.*<\/domain>.*/\1/p')" + _domain_extension="$(echo "$item" | sed -n 's/.*.*\(.*\)<\/extension>.*<\/domain>.*/\1/p')" + _debug _domain_name "$_domain_name" + _debug _domain_extension "$_domain_extension" + if [ "$_domain_name.$_domain_extension" = "$h" ]; then + return 0 + fi + done + + total="$(echo "$response" | _egrep_o '.*?<\/total>' | sed -n 's/.*\(.*\)<\/total>.*/\1/p')" + + _debug total "$total" + + if [ "$results_retrieved" -eq "$total" ]; then + results_retrieved=0 + i="$(_math "$i" + 1)" + fi + done + return 1 +} + +_openprovider_request() { + request_xml=$1 + + xml_prefix='' + xml_content=$(printf '%s%s%s' "$OPENPROVIDER_USER" "$OPENPROVIDER_PASSWORDHASH" "$request_xml") + response="$(_post "$(echo "$xml_prefix$xml_content" | tr -d '\n')" "$OPENPROVIDER_API" "" "POST" "application/xml")" + _debug response "$response" + if ! _contains "$response" "0.*"; then + _err "API request failed." + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_openstack.sh b/acme.sh-master/dnsapi/dns_openstack.sh new file mode 100644 index 0000000..fcc1dc2 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_openstack.sh @@ -0,0 +1,348 @@ +#!/usr/bin/env sh + +# OpenStack Designate API plugin +# +# This requires you to have OpenStackClient and python-desginateclient +# installed. +# +# You will require Keystone V3 credentials loaded into your environment, which +# could be either password or v3applicationcredential type. +# +# Author: Andy Botting + +######## Public functions ##################### + +# Usage: dns_openstack_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_openstack_add() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _dns_openstack_credentials || return $? + _dns_openstack_check_setup || return $? + _dns_openstack_find_zone || return $? + _dns_openstack_get_recordset || return $? + _debug _recordset_id "$_recordset_id" + if [ -n "$_recordset_id" ]; then + _dns_openstack_get_records || return $? + _debug _records "$_records" + fi + _dns_openstack_create_recordset || return $? +} + +# Usage: dns_openstack_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +# Remove the txt record after validation. +dns_openstack_rm() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + _dns_openstack_credentials || return $? + _dns_openstack_check_setup || return $? + _dns_openstack_find_zone || return $? + _dns_openstack_get_recordset || return $? + _debug _recordset_id "$_recordset_id" + if [ -n "$_recordset_id" ]; then + _dns_openstack_get_records || return $? + _debug _records "$_records" + fi + _dns_openstack_delete_recordset || return $? +} + +#################### Private functions below ################################## + +_dns_openstack_create_recordset() { + + if [ -z "$_recordset_id" ]; then + _info "Creating a new recordset" + if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record="$txtvalue" "$_zone_id" "$fulldomain."); then + _err "No recordset ID found after create" + return 1 + fi + else + _info "Updating existing recordset" + # Build new list of --record= args for update + _record_args="--record=$txtvalue" + for _rec in $_records; do + _record_args="$_record_args --record=$_rec" + done + # shellcheck disable=SC2086 + if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then + _err "Recordset update failed" + return 1 + fi + fi + + _max_retries=60 + _sleep_sec=5 + _retry_times=0 + while [ "$_retry_times" -lt "$_max_retries" ]; do + _retry_times=$(_math "$_retry_times" + 1) + _debug3 _retry_times "$_retry_times" + + _record_status=$(openstack recordset show -c status -f value "$_zone_id" "$_recordset_id") + _info "Recordset status is $_record_status" + if [ "$_record_status" = "ACTIVE" ]; then + return 0 + elif [ "$_record_status" = "ERROR" ]; then + return 1 + else + _sleep $_sleep_sec + fi + done + + _err "Recordset failed to become ACTIVE" + return 1 +} + +_dns_openstack_delete_recordset() { + + if [ "$_records" = "$txtvalue" ]; then + _info "Only one record found, deleting recordset" + if ! openstack recordset delete "$_zone_id" "$fulldomain." >/dev/null; then + _err "Failed to delete recordset" + return 1 + fi + else + _info "Found existing records, updating recordset" + # Build new list of --record= args for update + _record_args="" + for _rec in $_records; do + if [ "$_rec" = "$txtvalue" ]; then + continue + fi + _record_args="$_record_args --record=$_rec" + done + # shellcheck disable=SC2086 + if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then + _err "Recordset update failed" + return 1 + fi + fi +} + +_dns_openstack_get_root() { + # Take the full fqdn and strip away pieces until we get an exact zone name + # match. For example, _acme-challenge.something.domain.com might need to go + # into something.domain.com or domain.com + _zone_name=$1 + _zone_list=$2 + while [ "$_zone_name" != "" ]; do + _zone_name="$(echo "$_zone_name" | sed 's/[^.]*\.*//')" + echo "$_zone_list" | while read -r id name; do + if _startswith "$_zone_name." "$name"; then + echo "$id" + fi + done + done | _head_n 1 +} + +_dns_openstack_find_zone() { + if ! _zone_list="$(openstack zone list -c id -c name -f value)"; then + _err "Can't list zones. Check your OpenStack credentials" + return 1 + fi + _debug _zone_list "$_zone_list" + + if ! _zone_id="$(_dns_openstack_get_root "$fulldomain" "$_zone_list")"; then + _err "Can't find a matching zone. Check your OpenStack credentials" + return 1 + fi + _debug _zone_id "$_zone_id" +} + +_dns_openstack_get_records() { + if ! _records=$(openstack recordset show -c records -f value "$_zone_id" "$fulldomain."); then + _err "Failed to get records" + return 1 + fi + return 0 +} + +_dns_openstack_get_recordset() { + if ! _recordset_id=$(openstack recordset list -c id -f value --name "$fulldomain." "$_zone_id"); then + _err "Failed to get recordset" + return 1 + fi + return 0 +} + +_dns_openstack_check_setup() { + if ! _exists openstack; then + _err "OpenStack client not found" + return 1 + fi +} + +_dns_openstack_credentials() { + _debug "Check OpenStack credentials" + + # If we have OS_AUTH_URL already set in the environment, then assume we want + # to use those, otherwise use stored credentials + if [ -n "$OS_AUTH_URL" ]; then + _debug "OS_AUTH_URL env var found, using environment" + else + _debug "OS_AUTH_URL not found, loading stored credentials" + OS_AUTH_URL="${OS_AUTH_URL:-$(_readaccountconf_mutable OS_AUTH_URL)}" + OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-$(_readaccountconf_mutable OS_IDENTITY_API_VERSION)}" + OS_AUTH_TYPE="${OS_AUTH_TYPE:-$(_readaccountconf_mutable OS_AUTH_TYPE)}" + OS_APPLICATION_CREDENTIAL_ID="${OS_APPLICATION_CREDENTIAL_ID:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID)}" + OS_APPLICATION_CREDENTIAL_SECRET="${OS_APPLICATION_CREDENTIAL_SECRET:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET)}" + OS_USERNAME="${OS_USERNAME:-$(_readaccountconf_mutable OS_USERNAME)}" + OS_PASSWORD="${OS_PASSWORD:-$(_readaccountconf_mutable OS_PASSWORD)}" + OS_PROJECT_NAME="${OS_PROJECT_NAME:-$(_readaccountconf_mutable OS_PROJECT_NAME)}" + OS_PROJECT_ID="${OS_PROJECT_ID:-$(_readaccountconf_mutable OS_PROJECT_ID)}" + OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-$(_readaccountconf_mutable OS_USER_DOMAIN_NAME)}" + OS_USER_DOMAIN_ID="${OS_USER_DOMAIN_ID:-$(_readaccountconf_mutable OS_USER_DOMAIN_ID)}" + OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_NAME)}" + OS_PROJECT_DOMAIN_ID="${OS_PROJECT_DOMAIN_ID:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_ID)}" + fi + + # Check each var and either save or clear it depending on whether its set. + # The helps us clear out old vars in the case where a user may want + # to switch between password and app creds + _debug "OS_AUTH_URL" "$OS_AUTH_URL" + if [ -n "$OS_AUTH_URL" ]; then + export OS_AUTH_URL + _saveaccountconf_mutable OS_AUTH_URL "$OS_AUTH_URL" + else + unset OS_AUTH_URL + _clearaccountconf SAVED_OS_AUTH_URL + fi + + _debug "OS_IDENTITY_API_VERSION" "$OS_IDENTITY_API_VERSION" + if [ -n "$OS_IDENTITY_API_VERSION" ]; then + export OS_IDENTITY_API_VERSION + _saveaccountconf_mutable OS_IDENTITY_API_VERSION "$OS_IDENTITY_API_VERSION" + else + unset OS_IDENTITY_API_VERSION + _clearaccountconf SAVED_OS_IDENTITY_API_VERSION + fi + + _debug "OS_AUTH_TYPE" "$OS_AUTH_TYPE" + if [ -n "$OS_AUTH_TYPE" ]; then + export OS_AUTH_TYPE + _saveaccountconf_mutable OS_AUTH_TYPE "$OS_AUTH_TYPE" + else + unset OS_AUTH_TYPE + _clearaccountconf SAVED_OS_AUTH_TYPE + fi + + _debug "OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_ID" + if [ -n "$OS_APPLICATION_CREDENTIAL_ID" ]; then + export OS_APPLICATION_CREDENTIAL_ID + _saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID "$OS_APPLICATION_CREDENTIAL_ID" + else + unset OS_APPLICATION_CREDENTIAL_ID + _clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_ID + fi + + _secure_debug "OS_APPLICATION_CREDENTIAL_SECRET" "$OS_APPLICATION_CREDENTIAL_SECRET" + if [ -n "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then + export OS_APPLICATION_CREDENTIAL_SECRET + _saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET "$OS_APPLICATION_CREDENTIAL_SECRET" + else + unset OS_APPLICATION_CREDENTIAL_SECRET + _clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_SECRET + fi + + _debug "OS_USERNAME" "$OS_USERNAME" + if [ -n "$OS_USERNAME" ]; then + export OS_USERNAME + _saveaccountconf_mutable OS_USERNAME "$OS_USERNAME" + else + unset OS_USERNAME + _clearaccountconf SAVED_OS_USERNAME + fi + + _secure_debug "OS_PASSWORD" "$OS_PASSWORD" + if [ -n "$OS_PASSWORD" ]; then + export OS_PASSWORD + _saveaccountconf_mutable OS_PASSWORD "$OS_PASSWORD" + else + unset OS_PASSWORD + _clearaccountconf SAVED_OS_PASSWORD + fi + + _debug "OS_PROJECT_NAME" "$OS_PROJECT_NAME" + if [ -n "$OS_PROJECT_NAME" ]; then + export OS_PROJECT_NAME + _saveaccountconf_mutable OS_PROJECT_NAME "$OS_PROJECT_NAME" + else + unset OS_PROJECT_NAME + _clearaccountconf SAVED_OS_PROJECT_NAME + fi + + _debug "OS_PROJECT_ID" "$OS_PROJECT_ID" + if [ -n "$OS_PROJECT_ID" ]; then + export OS_PROJECT_ID + _saveaccountconf_mutable OS_PROJECT_ID "$OS_PROJECT_ID" + else + unset OS_PROJECT_ID + _clearaccountconf SAVED_OS_PROJECT_ID + fi + + _debug "OS_USER_DOMAIN_NAME" "$OS_USER_DOMAIN_NAME" + if [ -n "$OS_USER_DOMAIN_NAME" ]; then + export OS_USER_DOMAIN_NAME + _saveaccountconf_mutable OS_USER_DOMAIN_NAME "$OS_USER_DOMAIN_NAME" + else + unset OS_USER_DOMAIN_NAME + _clearaccountconf SAVED_OS_USER_DOMAIN_NAME + fi + + _debug "OS_USER_DOMAIN_ID" "$OS_USER_DOMAIN_ID" + if [ -n "$OS_USER_DOMAIN_ID" ]; then + export OS_USER_DOMAIN_ID + _saveaccountconf_mutable OS_USER_DOMAIN_ID "$OS_USER_DOMAIN_ID" + else + unset OS_USER_DOMAIN_ID + _clearaccountconf SAVED_OS_USER_DOMAIN_ID + fi + + _debug "OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME" + if [ -n "$OS_PROJECT_DOMAIN_NAME" ]; then + export OS_PROJECT_DOMAIN_NAME + _saveaccountconf_mutable OS_PROJECT_DOMAIN_NAME "$OS_PROJECT_DOMAIN_NAME" + else + unset OS_PROJECT_DOMAIN_NAME + _clearaccountconf SAVED_OS_PROJECT_DOMAIN_NAME + fi + + _debug "OS_PROJECT_DOMAIN_ID" "$OS_PROJECT_DOMAIN_ID" + if [ -n "$OS_PROJECT_DOMAIN_ID" ]; then + export OS_PROJECT_DOMAIN_ID + _saveaccountconf_mutable OS_PROJECT_DOMAIN_ID "$OS_PROJECT_DOMAIN_ID" + else + unset OS_PROJECT_DOMAIN_ID + _clearaccountconf SAVED_OS_PROJECT_DOMAIN_ID + fi + + if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then + # Application Credential auth + if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then + _err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID" + _err "and OS_APPLICATION_CREDENTIAL_SECRET must be set." + _err "Please check your credentials and try again." + return 1 + fi + else + # Password auth + if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then + _err "OpenStack username or password not found." + _err "Please check your credentials and try again." + return 1 + fi + + if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then + _err "When using password authentication, OS_PROJECT_NAME or" + _err "OS_PROJECT_ID must be set." + _err "Please check your credentials and try again." + return 1 + fi + fi + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_opnsense.sh b/acme.sh-master/dnsapi/dns_opnsense.sh new file mode 100644 index 0000000..c2806a1 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_opnsense.sh @@ -0,0 +1,272 @@ +#!/usr/bin/env sh + +#OPNsense Bind API +#https://docs.opnsense.org/development/api.html +# +#OPNs_Host="opnsense.example.com" +#OPNs_Port="443" +# optional, defaults to 443 if unset +#OPNs_Key="qocfU9RSbt8vTIBcnW8bPqCrpfAHMDvj5OzadE7Str+rbjyCyk7u6yMrSCHtBXabgDDXx/dY0POUp7ZA" +#OPNs_Token="pZEQ+3ce8dDlfBBdg3N8EpqpF5I1MhFqdxX06le6Gl8YzyQvYCfCzNaFX9O9+IOSyAs7X71fwdRiZ+Lv" +#OPNs_Api_Insecure=0 +# optional, defaults to 0 if unset +# Set 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1) + +######## Public functions ##################### +#Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000" +#fulldomain +#txtvalue +OPNs_DefaultPort=443 +OPNs_DefaultApi_Insecure=0 + +dns_opnsense_add() { + fulldomain=$1 + txtvalue=$2 + + _opns_check_auth || return 1 + + if ! set_record "$fulldomain" "$txtvalue"; then + return 1 + fi + + return 0 +} + +#fulldomain +dns_opnsense_rm() { + fulldomain=$1 + txtvalue=$2 + + _opns_check_auth || return 1 + + if ! rm_record "$fulldomain" "$txtvalue"; then + return 1 + fi + + return 0 +} + +set_record() { + fulldomain=$1 + new_challenge=$2 + _info "Adding record $fulldomain with challenge: $new_challenge" + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain "$_domain" + _debug _host "$_host" + _debug _domainid "$_domainid" + _return_str="" + _record_string="" + _build_record_string "$_domainid" "$_host" "$new_challenge" + _uuid="" + if _existingchallenge "$_domain" "$_host" "$new_challenge"; then + # Update + if _opns_rest "POST" "/record/setRecord/${_uuid}" "$_record_string"; then + _return_str="$response" + else + return 1 + fi + + else + #create + if _opns_rest "POST" "/record/addRecord" "$_record_string"; then + _return_str="$response" + else + return 1 + fi + fi + + if echo "$_return_str" | _egrep_o "\"result\":\"saved\"" >/dev/null; then + _opns_rest "POST" "/service/reconfigure" "{}" + _debug "Record created" + else + _err "Error creating record $_record_string" + return 1 + fi + + return 0 +} + +rm_record() { + fulldomain=$1 + new_challenge="$2" + _info "Remove record $fulldomain with challenge: $new_challenge" + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain "$_domain" + _debug _host "$_host" + _debug _domainid "$_domainid" + _uuid="" + if _existingchallenge "$_domain" "$_host" "$new_challenge"; then + # Delete + if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then + if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then + _opns_rest "POST" "/service/reconfigure" "{}" + _debug "Record deleted" + else + _err "Error deleting record $_host from domain $fulldomain" + return 1 + fi + else + _err "Error deleting record $_host from domain $fulldomain" + return 1 + fi + else + _info "Record not found, nothing to remove" + fi + + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domainid=domid +#_domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + if _opns_rest "GET" "/domain/searchMasterDomain"; then + _domain_response="$response" + else + return 1 + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + _debug h "$h" + id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"master\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2) + if [ -n "$id" ]; then + _debug id "$id" + _host=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="${h}" + _domainid="${id}" + return 0 + fi + p=$i + i=$(_math $i + 1) + done + _debug "$domain not found" + + return 1 +} + +_opns_rest() { + method=$1 + ep=$2 + data=$3 + #Percent encode user and token + key=$(echo "$OPNs_Key" | tr -d "\n\r" | _url_encode) + token=$(echo "$OPNs_Token" | tr -d "\n\r" | _url_encode) + + opnsense_url="https://${key}:${token}@${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}" + export _H1="Content-Type: application/json" + _debug2 "Try to call api: https://${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}" + if [ ! "$method" = "GET" ]; then + _debug data "$data" + export _H1="Content-Type: application/json" + response="$(_post "$data" "$opnsense_url" "" "$method")" + else + export _H1="" + response="$(_get "$opnsense_url")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + + return 0 +} + +_build_record_string() { + _record_string="{\"record\":{\"enabled\":\"1\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"}}" +} + +_existingchallenge() { + if _opns_rest "GET" "/record/searchRecord"; then + _record_response="$response" + else + return 1 + fi + _uuid="" + _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2) + + if [ -n "$_uuid" ]; then + _debug uuid "$_uuid" + return 0 + fi + _debug "${2}.$1{1} record not found" + + return 1 +} + +_opns_check_auth() { + OPNs_Host="${OPNs_Host:-$(_readaccountconf_mutable OPNs_Host)}" + OPNs_Port="${OPNs_Port:-$(_readaccountconf_mutable OPNs_Port)}" + OPNs_Key="${OPNs_Key:-$(_readaccountconf_mutable OPNs_Key)}" + OPNs_Token="${OPNs_Token:-$(_readaccountconf_mutable OPNs_Token)}" + OPNs_Api_Insecure="${OPNs_Api_Insecure:-$(_readaccountconf_mutable OPNs_Api_Insecure)}" + + if [ -z "$OPNs_Host" ]; then + _err "You don't specify OPNsense address." + return 1 + else + _saveaccountconf_mutable OPNs_Host "$OPNs_Host" + fi + + if ! printf '%s' "$OPNs_Port" | grep '^[0-9]*$' >/dev/null; then + _err 'OPNs_Port specified but not numeric value' + return 1 + elif [ -z "$OPNs_Port" ]; then + _info "OPNSense port not specified. Defaulting to using port $OPNs_DefaultPort" + else + _saveaccountconf_mutable OPNs_Port "$OPNs_Port" + fi + + if ! printf '%s' "$OPNs_Api_Insecure" | grep '^[01]$' >/dev/null; then + _err 'OPNs_Api_Insecure specified but not 0/1 value' + return 1 + elif [ -n "$OPNs_Api_Insecure" ]; then + _saveaccountconf_mutable OPNs_Api_Insecure "$OPNs_Api_Insecure" + fi + export HTTPS_INSECURE="${OPNs_Api_Insecure:-$OPNs_DefaultApi_Insecure}" + + if [ -z "$OPNs_Key" ]; then + _err "you have not specified your OPNsense api key id." + _err "Please set OPNs_Key and try again." + return 1 + else + _saveaccountconf_mutable OPNs_Key "$OPNs_Key" + fi + + if [ -z "$OPNs_Token" ]; then + _err "you have not specified your OPNsense token." + _err "Please create OPNs_Token and try again." + return 1 + else + _saveaccountconf_mutable OPNs_Token "$OPNs_Token" + fi + + if ! _opns_rest "GET" "/general/get"; then + _err "Call to OPNsense API interface failed. Unable to access OPNsense API." + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_ovh.sh b/acme.sh-master/dnsapi/dns_ovh.sh new file mode 100644 index 0000000..5e35011 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ovh.sh @@ -0,0 +1,322 @@ +#!/usr/bin/env sh + +#Application Key +#OVH_AK="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#Application Secret +#OVH_AS="sdfsafsdfsdfdsfsdfsa" +# +#Consumer Key +#OVH_CK="sdfsdfsdfsdfsdfdsf" + +#OVH_END_POINT=ovh-eu + +#'ovh-eu' +OVH_EU='https://eu.api.ovh.com/1.0' + +#'ovh-ca': +OVH_CA='https://ca.api.ovh.com/1.0' + +#'kimsufi-eu' +KSF_EU='https://eu.api.kimsufi.com/1.0' + +#'kimsufi-ca' +KSF_CA='https://ca.api.kimsufi.com/1.0' + +#'soyoustart-eu' +SYS_EU='https://eu.api.soyoustart.com/1.0' + +#'soyoustart-ca' +SYS_CA='https://ca.api.soyoustart.com/1.0' + +#'runabove-ca' +RAV_CA='https://api.runabove.com/1.0' + +wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api" + +ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success" + +_ovh_get_api() { + _ogaep="$1" + + case "${_ogaep}" in + + ovh-eu | ovheu) + printf "%s" $OVH_EU + return + ;; + ovh-ca | ovhca) + printf "%s" $OVH_CA + return + ;; + kimsufi-eu | kimsufieu) + printf "%s" $KSF_EU + return + ;; + kimsufi-ca | kimsufica) + printf "%s" $KSF_CA + return + ;; + soyoustart-eu | soyoustarteu) + printf "%s" $SYS_EU + return + ;; + soyoustart-ca | soyoustartca) + printf "%s" $SYS_CA + return + ;; + runabove-ca | runaboveca) + printf "%s" $RAV_CA + return + ;; + + *) + + _err "Unknown parameter : $1" + return 1 + ;; + esac +} + +_initAuth() { + OVH_AK="${OVH_AK:-$(_readaccountconf_mutable OVH_AK)}" + OVH_AS="${OVH_AS:-$(_readaccountconf_mutable OVH_AS)}" + + if [ -z "$OVH_AK" ] || [ -z "$OVH_AS" ]; then + OVH_AK="" + OVH_AS="" + _err "You don't specify OVH application key and application secret yet." + _err "Please create you key and try again." + return 1 + fi + + if [ "$OVH_AK" != "$(_readaccountconf OVH_AK)" ]; then + _info "It seems that your ovh key is changed, let's clear consumer key first." + _clearaccountconf_mutable OVH_CK + fi + _saveaccountconf_mutable OVH_AK "$OVH_AK" + _saveaccountconf_mutable OVH_AS "$OVH_AS" + + OVH_END_POINT="${OVH_END_POINT:-$(_readaccountconf_mutable OVH_END_POINT)}" + if [ -z "$OVH_END_POINT" ]; then + OVH_END_POINT="ovh-eu" + fi + _info "Using OVH endpoint: $OVH_END_POINT" + if [ "$OVH_END_POINT" != "ovh-eu" ]; then + _saveaccountconf_mutable OVH_END_POINT "$OVH_END_POINT" + fi + + OVH_API="$(_ovh_get_api $OVH_END_POINT)" + _debug OVH_API "$OVH_API" + + OVH_CK="${OVH_CK:-$(_readaccountconf_mutable OVH_CK)}" + if [ -z "$OVH_CK" ]; then + _info "OVH consumer key is empty, Let's get one:" + if ! _ovh_authentication; then + _err "Can not get consumer key." + fi + #return and wait for retry. + return 1 + fi + _saveaccountconf_mutable OVH_CK "$OVH_CK" + + _info "Checking authentication" + + if ! _ovh_rest GET "domain" || _contains "$response" "INVALID_CREDENTIAL" || _contains "$response" "NOT_CREDENTIAL"; then + _err "The consumer key is invalid: $OVH_CK" + _err "Please retry to create a new one." + _clearaccountconf_mutable OVH_CK + return 1 + fi + _info "Consumer key is ok." + return 0 +} + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_ovh_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _initAuth; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _ovh_rest POST "domain/zone/$_domain/record" "{\"fieldType\":\"TXT\",\"subDomain\":\"$_sub_domain\",\"target\":\"$txtvalue\",\"ttl\":60}"; then + if _contains "$response" "$txtvalue"; then + _ovh_rest POST "domain/zone/$_domain/refresh" + _debug "Refresh:$response" + _info "Added, sleep 10 seconds." + _sleep 10 + return 0 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain +dns_ovh_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _initAuth; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug "Getting txt records" + if ! _ovh_rest GET "domain/zone/$_domain/record?fieldType=TXT&subDomain=$_sub_domain"; then + return 1 + fi + + for rid in $(echo "$response" | tr '][,' ' '); do + _debug rid "$rid" + if ! _ovh_rest GET "domain/zone/$_domain/record/$rid"; then + return 1 + fi + if _contains "$response" "\"target\":\"$txtvalue\""; then + _debug "Found txt id:$rid" + if ! _ovh_rest DELETE "domain/zone/$_domain/record/$rid"; then + return 1 + fi + _ovh_rest POST "domain/zone/$_domain/refresh" + _debug "Refresh:$response" + return 0 + fi + done + + return 1 +} + +#################### Private functions below ################################## + +_ovh_authentication() { + + _H1="X-Ovh-Application: $OVH_AK" + _H2="Content-type: application/json" + _H3="" + _H4="" + + _ovhdata='{"accessRules": [{"method": "GET","path": "/auth/time"},{"method": "GET","path": "/domain"},{"method": "GET","path": "/domain/zone/*"},{"method": "GET","path": "/domain/zone/*/record"},{"method": "POST","path": "/domain/zone/*/record"},{"method": "POST","path": "/domain/zone/*/refresh"},{"method": "PUT","path": "/domain/zone/*/record/*"},{"method": "DELETE","path": "/domain/zone/*/record/*"}],"redirection":"'$ovh_success'"}' + + response="$(_post "$_ovhdata" "$OVH_API/auth/credential")" + _debug3 response "$response" + validationUrl="$(echo "$response" | _egrep_o "validationUrl\":\"[^\"]*\"" | _egrep_o "http.*\"" | tr -d '"')" + if [ -z "$validationUrl" ]; then + _err "Unable to get validationUrl" + return 1 + fi + _debug validationUrl "$validationUrl" + + consumerKey="$(echo "$response" | _egrep_o "consumerKey\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')" + if [ -z "$consumerKey" ]; then + _err "Unable to get consumerKey" + return 1 + fi + _secure_debug consumerKey "$consumerKey" + + OVH_CK="$consumerKey" + _saveaccountconf_mutable OVH_CK "$OVH_CK" + _info "Please open this link to do authentication: $(__green "$validationUrl")" + + _info "Here is a guide for you: $(__green "$wiki")" + _info "Please retry after the authentication is done." + +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _ovh_rest GET "domain/zone/$h"; then + return 1 + fi + + if ! _contains "$response" "This service does not exist" >/dev/null && + ! _contains "$response" "This call has not been granted" >/dev/null && + ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_ovh_timestamp() { + _H1="" + _H2="" + _H3="" + _H4="" + _H5="" + _get "$OVH_API/auth/time" "" 30 +} + +_ovh_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + _ovh_url="$OVH_API/$ep" + _debug2 _ovh_url "$_ovh_url" + _ovh_t="$(_ovh_timestamp)" + _debug2 _ovh_t "$_ovh_t" + _ovh_p="$OVH_AS+$OVH_CK+$m+$_ovh_url+$data+$_ovh_t" + _secure_debug _ovh_p "$_ovh_p" + _ovh_hex="$(printf "%s" "$_ovh_p" | _digest sha1 hex)" + _debug2 _ovh_hex "$_ovh_hex" + + export _H1="X-Ovh-Application: $OVH_AK" + export _H2="X-Ovh-Signature: \$1\$$_ovh_hex" + _debug2 _H2 "$_H2" + export _H3="X-Ovh-Timestamp: $_ovh_t" + export _H4="X-Ovh-Consumer: $OVH_CK" + export _H5="Content-Type: application/json;charset=utf-8" + if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then + _debug data "$data" + response="$(_post "$data" "$_ovh_url" "" "$m")" + else + response="$(_get "$_ovh_url")" + fi + + if [ "$?" != "0" ] || _contains "$response" "INVALID_CREDENTIAL"; then + _err "error $response" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_pdns.sh b/acme.sh-master/dnsapi/dns_pdns.sh new file mode 100644 index 0000000..6aa2e95 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_pdns.sh @@ -0,0 +1,233 @@ +#!/usr/bin/env sh + +#PowerDNS Embedded API +#https://doc.powerdns.com/md/httpapi/api_spec/ +# +#PDNS_Url="http://ns.example.com:8081" +#PDNS_ServerId="localhost" +#PDNS_Token="0123456789ABCDEF" +#PDNS_Ttl=60 + +DEFAULT_PDNS_TTL=60 + +######## Public functions ##################### +#Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000" +#fulldomain +#txtvalue +dns_pdns_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$PDNS_Url" ]; then + PDNS_Url="" + _err "You don't specify PowerDNS address." + _err "Please set PDNS_Url and try again." + return 1 + fi + + if [ -z "$PDNS_ServerId" ]; then + PDNS_ServerId="" + _err "You don't specify PowerDNS server id." + _err "Please set you PDNS_ServerId and try again." + return 1 + fi + + if [ -z "$PDNS_Token" ]; then + PDNS_Token="" + _err "You don't specify PowerDNS token." + _err "Please create you PDNS_Token and try again." + return 1 + fi + + if [ -z "$PDNS_Ttl" ]; then + PDNS_Ttl="$DEFAULT_PDNS_TTL" + fi + + #save the api addr and key to the account conf file. + _saveaccountconf PDNS_Url "$PDNS_Url" + _saveaccountconf PDNS_ServerId "$PDNS_ServerId" + _saveaccountconf PDNS_Token "$PDNS_Token" + + if [ "$PDNS_Ttl" != "$DEFAULT_PDNS_TTL" ]; then + _saveaccountconf PDNS_Ttl "$PDNS_Ttl" + fi + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain "$_domain" + + if ! set_record "$_domain" "$fulldomain" "$txtvalue"; then + return 1 + fi + + return 0 +} + +#fulldomain +dns_pdns_rm() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$PDNS_Ttl" ]; then + PDNS_Ttl="$DEFAULT_PDNS_TTL" + fi + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _domain "$_domain" + + if ! rm_record "$_domain" "$fulldomain" "$txtvalue"; then + return 1 + fi + + return 0 +} + +set_record() { + _info "Adding record" + root=$1 + full=$2 + new_challenge=$3 + + _record_string="" + _build_record_string "$new_challenge" + _list_existingchallenges + for oldchallenge in $_existing_challenges; do + _build_record_string "$oldchallenge" + done + + if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then + _err "Set txt record error." + return 1 + fi + + if ! notify_slaves "$root"; then + return 1 + fi + + return 0 +} + +rm_record() { + _info "Remove record" + root=$1 + full=$2 + txtvalue=$3 + + #Enumerate existing acme challenges + _list_existingchallenges + + if _contains "$_existing_challenges" "$txtvalue"; then + #Delete all challenges (PowerDNS API does not allow to delete content) + if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}" "application/json"; then + _err "Delete txt record error." + return 1 + fi + _record_string="" + #If the only existing challenge was the challenge to delete: nothing to do + if ! [ "$_existing_challenges" = "$txtvalue" ]; then + for oldchallenge in $_existing_challenges; do + #Build up the challenges to re-add, ommitting the one what should be deleted + if ! [ "$oldchallenge" = "$txtvalue" ]; then + _build_record_string "$oldchallenge" + fi + done + #Recreate the existing challenges + if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then + _err "Set txt record error." + return 1 + fi + fi + if ! notify_slaves "$root"; then + return 1 + fi + else + _info "Record not found, nothing to remove" + fi + + return 0 +} + +notify_slaves() { + root=$1 + + if ! _pdns_rest "PUT" "/api/v1/servers/$PDNS_ServerId/zones/$root/notify"; then + _err "Notify slaves error." + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + + if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then + _zones_response=$(echo "$response" | _normalizeJson) + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + + if _contains "$_zones_response" "\"name\":\"$h.\""; then + _domain="$h." + if [ -z "$h" ]; then + _domain="=2E" + fi + return 0 + fi + + if [ -z "$h" ]; then + return 1 + fi + i=$(_math $i + 1) + done + _debug "$domain not found" + + return 1 +} + +_pdns_rest() { + method=$1 + ep=$2 + data=$3 + ct=$4 + + export _H1="X-API-Key: $PDNS_Token" + + if [ ! "$method" = "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$PDNS_Url$ep" "" "$method" "$ct")" + else + response="$(_get "$PDNS_Url$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + + return 0 +} + +_build_record_string() { + _record_string="${_record_string:+${_record_string}, }{\"content\": \"\\\"${1}\\\"\", \"disabled\": false}" +} + +_list_existingchallenges() { + _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones/$root" + _existing_challenges=$(echo "$response" | _normalizeJson | _egrep_o "\"name\":\"${fulldomain}[^]]*}" | _egrep_o 'content\":\"\\"[^\\]*' | sed -n 's/^content":"\\"//p') +} diff --git a/acme.sh-master/dnsapi/dns_pleskxml.sh b/acme.sh-master/dnsapi/dns_pleskxml.sh new file mode 100644 index 0000000..f598682 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_pleskxml.sh @@ -0,0 +1,417 @@ +#!/usr/bin/env sh + +## Name: dns_pleskxml.sh +## Created by Stilez. +## Also uses some code from PR#1832 by @romanlum (https://github.com/acmesh-official/acme.sh/pull/1832/files) + +## This DNS-01 method uses the Plesk XML API described at: +## https://docs.plesk.com/en-US/12.5/api-rpc/about-xml-api.28709 +## and more specifically: https://docs.plesk.com/en-US/12.5/api-rpc/reference.28784 + +## Note: a DNS ID with host = empty string is OK for this API, see +## https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-dns/managing-dns-records/adding-dns-record.34798 +## For example, to add a TXT record to DNS alias domain "acme-alias.com" would be a valid Plesk action. +## So this API module can handle such a request, if needed. + +## For ACME v2 purposes, new TXT records are appended when added, and removing one TXT record will not affect any other TXT records. + +## The user credentials (username+password) and URL/URI for the Plesk XML API must be set by the user +## before this module is called (case sensitive): +## +## ``` +## export pleskxml_uri="https://address-of-my-plesk-server.net:8443/enterprise/control/agent.php" +## (or probably something similar) +## export pleskxml_user="my plesk username" +## export pleskxml_pass="my plesk password" +## ``` + +## Ok, let's issue a cert now: +## ``` +## acme.sh --issue --dns dns_pleskxml -d example.com -d www.example.com +## ``` +## +## The `pleskxml_uri`, `pleskxml_user` and `pleskxml_pass` will be saved in `~/.acme.sh/account.conf` and reused when needed. + +#################### INTERNAL VARIABLES + NEWLINE + API TEMPLATES ################################## + +pleskxml_init_checks_done=0 + +# Variable containing bare newline - not a style issue +# shellcheck disable=SC1004 +NEWLINE='\ +' + +pleskxml_tplt_get_domains="" +# Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh +# Also used to test credentials and URI. +# No params. + +pleskxml_tplt_get_dns_records="%s" +# Get all DNS records for a Plesk domain ID. +# PARAM = Plesk domain id to query + +pleskxml_tplt_add_txt_record="%sTXT%s%s" +# Add a TXT record to a domain. +# PARAMS = (1) Plesk internal domain ID, (2) "hostname" for the new record, eg '_acme_challenge', (3) TXT record value + +pleskxml_tplt_rmv_dns_record="%s" +# Delete a specific TXT record from a domain. +# PARAM = the Plesk internal ID for the DNS record to be deleted + +#################### Public functions ################################## + +#Usage: dns_pleskxml_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_pleskxml_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Entering dns_pleskxml_add() to add TXT record '$txtvalue' to domain '$fulldomain'..." + + # Get credentials if not already checked, and confirm we can log in to Plesk XML API + if ! _credential_check; then + return 1 + fi + + # Get root and subdomain details, and Plesk domain ID + if ! _pleskxml_get_root_domain "$fulldomain"; then + return 1 + fi + + _debug 'Credentials OK, and domain identified. Calling Plesk XML API to add TXT record' + + # printf using template in a variable - not a style issue + # shellcheck disable=SC2059 + request="$(printf "$pleskxml_tplt_add_txt_record" "$root_domain_id" "$sub_domain_name" "$txtvalue")" + if ! _call_api "$request"; then + return 1 + fi + + # OK, we should have added a TXT record. Let's check and return success if so. + # All that should be left in the result, is one section, containing okNEW_DNS_RECORD_ID + + results="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '')" + + if ! _value "$results" | grep 'ok' | grep '[0-9]\{1,\}' >/dev/null; then + # Error - doesn't contain expected string. Something's wrong. + _err 'Error when calling Plesk XML API.' + _err 'The result did not contain the expected XXXXX section, or contained other values as well.' + _err 'This is unexpected: something has gone wrong.' + _err 'The full response was:' + _err "$pleskxml_prettyprint_result" + return 1 + fi + + recid="$(_value "$results" | grep '[0-9]\{1,\}' | sed 's/^.*\([0-9]\{1,\}\)<\/id>.*$/\1/')" + + _info "Success. TXT record appears to be correctly added (Plesk record ID=$recid). Exiting dns_pleskxml_add()." + + return 0 +} + +#Usage: dns_pleskxml_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_pleskxml_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Entering dns_pleskxml_rm() to remove TXT record '$txtvalue' from domain '$fulldomain'..." + + # Get credentials if not already checked, and confirm we can log in to Plesk XML API + if ! _credential_check; then + return 1 + fi + + # Get root and subdomain details, and Plesk domain ID + if ! _pleskxml_get_root_domain "$fulldomain"; then + return 1 + fi + + _debug 'Credentials OK, and domain identified. Calling Plesk XML API to get list of TXT records and their IDs' + + # printf using template in a variable - not a style issue + # shellcheck disable=SC2059 + request="$(printf "$pleskxml_tplt_get_dns_records" "$root_domain_id")" + if ! _call_api "$request"; then + return 1 + fi + + # Reduce output to one line per DNS record, filtered for TXT records with a record ID only (which they should all have) + # Also strip out spaces between tags, redundant and group tags and any tags + reclist="$( + _api_response_split "$pleskxml_prettyprint_result" 'result' 'ok' | + sed 's# \{1,\}<\([a-zA-Z]\)#<\1#g;s###g;s#<[a-z][^/<>]*/>##g' | + grep "${root_domain_id}" | + grep '[0-9]\{1,\}' | + grep 'TXT' + )" + + if [ -z "$reclist" ]; then + _err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting." + return 1 + fi + + _debug "Got list of DNS TXT records for root domain '$root_domain_name':" + _debug "$reclist" + + recid="$( + _value "$reclist" | + grep "${fulldomain}." | + grep "${txtvalue}" | + sed 's/^.*\([0-9]\{1,\}\)<\/id>.*$/\1/' + )" + + if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then + _err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'" + _err "Cannot delete TXT record. Exiting." + return 1 + fi + + _debug "Found Plesk record ID for target text string '${txtvalue}': ID=${recid}" + _debug 'Calling Plesk XML API to remove TXT record' + + # printf using template in a variable - not a style issue + # shellcheck disable=SC2059 + request="$(printf "$pleskxml_tplt_rmv_dns_record" "$recid")" + if ! _call_api "$request"; then + return 1 + fi + + # OK, we should have removed a TXT record. Let's check and return success if so. + # All that should be left in the result, is one section, containing okPLESK_DELETED_DNS_RECORD_ID + + results="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '')" + + if ! _value "$results" | grep 'ok' | grep '[0-9]\{1,\}' >/dev/null; then + # Error - doesn't contain expected string. Something's wrong. + _err 'Error when calling Plesk XML API.' + _err 'The result did not contain the expected XXXXX section, or contained other values as well.' + _err 'This is unexpected: something has gone wrong.' + _err 'The full response was:' + _err "$pleskxml_prettyprint_result" + return 1 + fi + + _info "Success. TXT record appears to be correctly removed. Exiting dns_pleskxml_rm()." + return 0 +} + +#################### Private functions below (utility functions) ################################## + +# Outputs value of a variable without additional newlines etc +_value() { + printf '%s' "$1" +} + +# Outputs value of a variable (FQDN) and cuts it at 2 specified '.' delimiters, returning the text in between +# $1, $2 = where to cut +# $3 = FQDN +_valuecut() { + printf '%s' "$3" | cut -d . -f "${1}-${2}" +} + +# Counts '.' present in a domain name or other string +# $1 = domain name +_countdots() { + _value "$1" | tr -dc '.' | wc -c | sed 's/ //g' +} + +# Cleans up an API response, splits it "one line per item in the response" and greps for a string that in the context, identifies "useful" lines +# $1 - result string from API +# $2 - plain text tag to resplit on (usually "result" or "domain"). NOT REGEX +# $3 - basic regex to recognise useful return lines +# note: $3 matches via basic NOT extended regex (BRE), as extended regex capabilities not needed at the moment. +# Last line could change to instead, with suitable escaping of ['"/$], +# if future Plesk XML API changes ever require extended regex +_api_response_split() { + printf '%s' "$1" | + sed 's/^ +//;s/ +$//' | + tr -d '\n\r' | + sed "s/<\/\{0,1\}$2>/${NEWLINE}/g" | + grep "$3" +} + +#################### Private functions below (DNS functions) ################################## + +# Calls Plesk XML API, and checks results for obvious issues +_call_api() { + request="$1" + errtext='' + + _debug 'Entered _call_api(). Calling Plesk XML API with request:' + _debug "'$request'" + + export _H1="HTTP_AUTH_LOGIN: $pleskxml_user" + export _H2="HTTP_AUTH_PASSWD: $pleskxml_pass" + export _H3="content-Type: text/xml" + export _H4="HTTP_PRETTY_PRINT: true" + pleskxml_prettyprint_result="$(_post "${request}" "$pleskxml_uri" "" "POST")" + pleskxml_retcode="$?" + _debug 'The responses from the Plesk XML server were:' + _debug "retcode=$pleskxml_retcode. Literal response:" + _debug "'$pleskxml_prettyprint_result'" + + # Detect any that isn't "ok". None of the used calls should fail if the API is working correctly. + # Also detect if there simply aren't any status lines (null result?) and report that, as well. + + statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *[^<]* *$')" + statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *ok *$')" + + if [ -z "$statuslines_count_total" ]; then + + # We have no status lines at all. Results are empty + errtext='The Plesk XML API unexpectedly returned an empty set of results for this call.' + + elif [ "$statuslines_count_okay" -ne "$statuslines_count_total" ]; then + + # We have some status lines that aren't "ok". Any available details are in API response fields "status" "errcode" and "errtext" + # Workaround for basic regex: + # - filter output to keep only lines like this: "SPACEStextSPACES" (shouldn't be necessary with prettyprint but guarantees subsequent code is ok) + # - then edit the 3 "useful" error tokens individually and remove closing tags on all lines + # - then filter again to remove all lines not edited (which will be the lines not starting A-Z) + errtext="$( + _value "$pleskxml_prettyprint_result" | + grep '^ *<[a-z]\{1,\}>[^<]*<\/[a-z]\{1,\}> *$' | + sed 's/^ */Status: /;s/^ */Error code: /;s/^ */Error text: /;s/<\/.*$//' | + grep '^[A-Z]' + )" + + fi + + if [ "$pleskxml_retcode" -ne 0 ] || [ "$errtext" != "" ]; then + # Call failed, for reasons either in the retcode or the response text... + + if [ "$pleskxml_retcode" -eq 0 ]; then + _err "The POST request was successfully sent to the Plesk server." + else + _err "The return code for the POST request was $pleskxml_retcode (non-zero = failure in submitting request to server)." + fi + + if [ "$errtext" != "" ]; then + _err 'The error responses received from the Plesk server were:' + _err "$errtext" + else + _err "No additional error messages were received back from the Plesk server" + fi + + _err "The Plesk XML API call failed." + return 1 + + fi + + _debug "Leaving _call_api(). Successful call." + + return 0 +} + +# Startup checks (credentials, URI) +_credential_check() { + _debug "Checking Plesk XML API login credentials and URI..." + + if [ "$pleskxml_init_checks_done" -eq 1 ]; then + _debug "Initial checks already done, no need to repeat. Skipped." + return 0 + fi + + pleskxml_user="${pleskxml_user:-$(_readaccountconf_mutable pleskxml_user)}" + pleskxml_pass="${pleskxml_pass:-$(_readaccountconf_mutable pleskxml_pass)}" + pleskxml_uri="${pleskxml_uri:-$(_readaccountconf_mutable pleskxml_uri)}" + + if [ -z "$pleskxml_user" ] || [ -z "$pleskxml_pass" ] || [ -z "$pleskxml_uri" ]; then + pleskxml_user="" + pleskxml_pass="" + pleskxml_uri="" + _err "You didn't specify one or more of the Plesk XML API username, password, or URI." + _err "Please create these and try again." + _err "Instructions are in the 'dns_pleskxml' plugin source code or in the acme.sh documentation." + return 1 + fi + + # Test the API is usable, by trying to read the list of managed domains... + _call_api "$pleskxml_tplt_get_domains" + if [ "$pleskxml_retcode" -ne 0 ]; then + _err 'Failed to access Plesk XML API.' + _err "Please check your login credentials and Plesk URI, and that the URI is reachable, and try again." + return 1 + fi + + _saveaccountconf_mutable pleskxml_uri "$pleskxml_uri" + _saveaccountconf_mutable pleskxml_user "$pleskxml_user" + _saveaccountconf_mutable pleskxml_pass "$pleskxml_pass" + + _debug "Test login to Plesk XML API successful. Login credentials and URI successfully saved to the acme.sh configuration file for future use." + + pleskxml_init_checks_done=1 + + return 0 +} + +# For a FQDN, identify the root domain managed by Plesk, its domain ID in Plesk, and the host if any. + +# IMPORTANT NOTE: a result with host = empty string is OK for this API, see +# https://docs.plesk.com/en-US/obsidian/api-rpc/about-xml-api/reference/managing-dns/managing-dns-records/adding-dns-record.34798 +# See notes at top of this file + +_pleskxml_get_root_domain() { + original_full_domain_name="$1" + + _debug "Identifying DNS root domain for '$original_full_domain_name' that is managed by the Plesk account." + + # test if the domain as provided is valid for splitting. + + if [ "$(_countdots "$original_full_domain_name")" -eq 0 ]; then + _err "Invalid domain. The ACME domain must contain at least two parts (aa.bb) to identify a domain and tld for the TXT record." + return 1 + fi + + _debug "Querying Plesk server for list of managed domains..." + + _call_api "$pleskxml_tplt_get_domains" + if [ "$pleskxml_retcode" -ne 0 ]; then + return 1 + fi + + # Generate a crude list of domains known to this Plesk account. + # We convert tags to so it'll flag on a hit with either or fields, + # for non-Western character sets. + # Output will be one line per known domain, containing 2 tages and a single tag + # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned. + + output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' 'domain' | sed 's///g;s/<\/ascii-name>/<\/name>/g' | grep '' | grep '')" + + _debug 'Domains managed by Plesk server are (ignore the hacked output):' + _debug "$output" + + # loop and test if domain, or any parent domain, is managed by Plesk + # Loop until we don't have any '.' in the string we're testing as a candidate Plesk-managed domain + + root_domain_name="$original_full_domain_name" + + while true; do + + _debug "Checking if '$root_domain_name' is managed by the Plesk server..." + + root_domain_id="$(_value "$output" | grep "$root_domain_name" | _head_n 1 | sed 's/^.*\([0-9]\{1,\}\)<\/id>.*$/\1/')" + + if [ -n "$root_domain_id" ]; then + # Found a match + # SEE IMPORTANT NOTE ABOVE - THIS FUNCTION CAN RETURN HOST='', AND THAT'S OK FOR PLESK XML API WHICH ALLOWS IT. + # SO WE HANDLE IT AND DON'T PREVENT IT + sub_domain_name="$(_value "$original_full_domain_name" | sed "s/\.\{0,1\}${root_domain_name}"'$//')" + _info "Success. Matched host '$original_full_domain_name' to: DOMAIN '${root_domain_name}' (Plesk ID '${root_domain_id}'), HOST '${sub_domain_name}'. Returning." + return 0 + fi + + # No match, try next parent up (if any)... + + root_domain_name="$(_valuecut 2 1000 "$root_domain_name")" + + if [ "$(_countdots "$root_domain_name")" -eq 0 ]; then + _debug "No match, and next parent would be a TLD..." + _err "Cannot find '$original_full_domain_name' or any parent domain of it, in Plesk." + _err "Are you sure that this domain is managed by this Plesk server?" + return 1 + fi + + _debug "No match, trying next parent up..." + + done +} diff --git a/acme.sh-master/dnsapi/dns_pointhq.sh b/acme.sh-master/dnsapi/dns_pointhq.sh new file mode 100644 index 0000000..6231310 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_pointhq.sh @@ -0,0 +1,164 @@ +#!/usr/bin/env sh + +# +#PointHQ_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#PointHQ_Email="xxxx@sss.com" + +PointHQ_Api="https://api.pointhq.com" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_pointhq_add() { + fulldomain=$1 + txtvalue=$2 + + PointHQ_Key="${PointHQ_Key:-$(_readaccountconf_mutable PointHQ_Key)}" + PointHQ_Email="${PointHQ_Email:-$(_readaccountconf_mutable PointHQ_Email)}" + if [ -z "$PointHQ_Key" ] || [ -z "$PointHQ_Email" ]; then + PointHQ_Key="" + PointHQ_Email="" + _err "You didn't specify a PointHQ API key and email yet." + _err "Please create the key and try again." + return 1 + fi + + if ! _contains "$PointHQ_Email" "@"; then + _err "It seems that the PointHQ_Email=$PointHQ_Email is not a valid email address." + _err "Please check and retry." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable PointHQ_Key "$PointHQ_Key" + _saveaccountconf_mutable PointHQ_Email "$PointHQ_Email" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _pointhq_rest POST "zones/$_domain/records" "{\"zone_record\": {\"name\":\"$_sub_domain\",\"record_type\":\"TXT\",\"data\":\"$txtvalue\",\"ttl\":3600}}"; then + if printf -- "%s" "$response" | grep "$fulldomain" >/dev/null; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_pointhq_rm() { + fulldomain=$1 + txtvalue=$2 + + PointHQ_Key="${PointHQ_Key:-$(_readaccountconf_mutable PointHQ_Key)}" + PointHQ_Email="${PointHQ_Email:-$(_readaccountconf_mutable PointHQ_Email)}" + if [ -z "$PointHQ_Key" ] || [ -z "$PointHQ_Email" ]; then + PointHQ_Key="" + PointHQ_Email="" + _err "You didn't specify a PointHQ API key and email yet." + _err "Please create the key and try again." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _pointhq_rest GET "zones/${_domain}/records?record_type=TXT&name=$_sub_domain" + + if ! printf "%s" "$response" | grep "^\[" >/dev/null; then + _err "Error" + return 1 + fi + + if [ "$response" = "[]" ]; then + _info "No records to remove." + else + record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*" | cut -d : -f 2 | tr -d \" | head -n 1) + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _pointhq_rest DELETE "zones/$_domain/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _contains "$response" '"status":"OK"' + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _pointhq_rest GET "zones"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_pointhq_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + _pointhq_auth=$(printf "%s:%s" "$PointHQ_Email" "$PointHQ_Key" | _base64) + + export _H1="Authorization: Basic $_pointhq_auth" + export _H2="Content-Type: application/json" + export _H3="Accept: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$PointHQ_Api/$ep" "" "$m")" + else + response="$(_get "$PointHQ_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_porkbun.sh b/acme.sh-master/dnsapi/dns_porkbun.sh new file mode 100644 index 0000000..ad4455b --- /dev/null +++ b/acme.sh-master/dnsapi/dns_porkbun.sh @@ -0,0 +1,157 @@ +#!/usr/bin/env sh + +# +#PORKBUN_API_KEY="pk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" +#PORKBUN_SECRET_API_KEY="sk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" + +PORKBUN_Api="https://porkbun.com/api/json/v3" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_porkbun_add() { + fulldomain=$1 + txtvalue=$2 + + PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}" + PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}" + + if [ -z "$PORKBUN_API_KEY" ] || [ -z "$PORKBUN_SECRET_API_KEY" ]; then + PORKBUN_API_KEY='' + PORKBUN_SECRET_API_KEY='' + _err "You didn't specify a Porkbun api key and secret api key yet." + _err "You can get yours from here https://porkbun.com/account/api." + return 1 + fi + + #save the credentials to the account conf file. + _saveaccountconf_mutable PORKBUN_API_KEY "$PORKBUN_API_KEY" + _saveaccountconf_mutable PORKBUN_SECRET_API_KEY "$PORKBUN_SECRET_API_KEY" + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _porkbun_rest POST "dns/create/$_domain" "{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}"; then + if _contains "$response" '\"status\":"SUCCESS"'; then + _info "Added, OK" + return 0 + elif _contains "$response" "The record already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error. ($response)" + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_porkbun_rm() { + fulldomain=$1 + txtvalue=$2 + + PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}" + PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}" + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + count=$(echo "$response" | _egrep_o "\"count\": *[^,]*" | cut -d : -f 2 | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + record_id=$(echo "$response" | tr '{' '\n' | grep -- "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \") + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _porkbun_rest POST "dns/delete/$_domain/$record_id"; then + _err "Delete record error." + return 1 + fi + echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + return 1 + fi + + if _porkbun_rest POST "dns/retrieve/$h"; then + if _contains "$response" "\"status\":\"SUCCESS\""; then + _domain=$h + _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")" + return 0 + else + _debug "Go to next level of $_domain" + fi + else + _debug "Go to next level of $_domain" + fi + i=$(_math "$i" + 1) + done + + return 1 +} + +_porkbun_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + api_key_trimmed=$(echo "$PORKBUN_API_KEY" | tr -d '"') + secret_api_key_trimmed=$(echo "$PORKBUN_SECRET_API_KEY" | tr -d '"') + + test -z "$data" && data="{" || data="$(echo $data | cut -d'}' -f1)," + data="$data\"apikey\":\"$api_key_trimmed\",\"secretapikey\":\"$secret_api_key_trimmed\"}" + + export _H1="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$PORKBUN_Api/$ep" "" "$m")" + else + response="$(_get "$PORKBUN_Api/$ep")" + fi + + _sleep 3 # prevent rate limit + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_rackcorp.sh b/acme.sh-master/dnsapi/dns_rackcorp.sh new file mode 100644 index 0000000..6aabfdd --- /dev/null +++ b/acme.sh-master/dnsapi/dns_rackcorp.sh @@ -0,0 +1,156 @@ +#!/usr/bin/env sh + +# Provider: RackCorp (www.rackcorp.com) +# Author: Stephen Dendtler (sdendtler@rackcorp.com) +# Report Bugs here: https://github.com/senjoo/acme.sh +# Alternate email contact: support@rackcorp.com +# +# You'll need an API key (Portal: ADMINISTRATION -> API) +# Set the environment variables as below: +# +# export RACKCORP_APIUUID="UUIDHERE" +# export RACKCORP_APISECRET="SECRETHERE" +# + +RACKCORP_API_ENDPOINT="https://api.rackcorp.net/api/rest/v2.4/json.php" + +######## Public functions ##################### + +dns_rackcorp_add() { + fulldomain="$1" + txtvalue="$2" + + _debug fulldomain="$fulldomain" + _debug txtvalue="$txtvalue" + + if ! _rackcorp_validate; then + return 1 + fi + + _debug "Searching for root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _lookup "$_lookup" + _debug _domain "$_domain" + + _info "Creating TXT record." + + if ! _rackcorp_api dns.record.create "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\",\"ttl\":300"; then + return 1 + fi + + return 0 +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_rackcorp_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug fulldomain="$fulldomain" + _debug txtvalue="$txtvalue" + + if ! _rackcorp_validate; then + return 1 + fi + + _debug "Searching for root zone" + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _lookup "$_lookup" + _debug _domain "$_domain" + + _info "Creating TXT record." + + if ! _rackcorp_api dns.record.delete "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\""; then + return 1 + fi + + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.domain.com +#returns +# _lookup=_acme-challenge +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + if ! _rackcorp_api dns.domain.getall "\"name\":\"$domain\""; then + return 1 + fi + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug searchhost "$h" + if [ -z "$h" ]; then + _err "Could not find domain for record $domain in RackCorp using the provided credentials" + #not valid + return 1 + fi + + _rackcorp_api dns.domain.getall "\"exactName\":\"$h\"" + + if _contains "$response" "\"matches\":1"; then + if _contains "$response" "\"name\":\"$h\""; then + _lookup=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + fi + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +_rackcorp_validate() { + RACKCORP_APIUUID="${RACKCORP_APIUUID:-$(_readaccountconf_mutable RACKCORP_APIUUID)}" + if [ -z "$RACKCORP_APIUUID" ]; then + RACKCORP_APIUUID="" + _err "You require a RackCorp API UUID (export RACKCORP_APIUUID=\"\")" + _err "Please login to the portal and create an API key and try again." + return 1 + fi + + _saveaccountconf_mutable RACKCORP_APIUUID "$RACKCORP_APIUUID" + + RACKCORP_APISECRET="${RACKCORP_APISECRET:-$(_readaccountconf_mutable RACKCORP_APISECRET)}" + if [ -z "$RACKCORP_APISECRET" ]; then + RACKCORP_APISECRET="" + _err "You require a RackCorp API secret (export RACKCORP_APISECRET=\"\")" + _err "Please login to the portal and create an API key and try again." + return 1 + fi + + _saveaccountconf_mutable RACKCORP_APISECRET "$RACKCORP_APISECRET" + + return 0 +} +_rackcorp_api() { + _rackcorpcmd=$1 + _rackcorpinputdata=$2 + _debug cmd "$_rackcorpcmd $_rackcorpinputdata" + + export _H1="Accept: application/json" + response="$(_post "{\"APIUUID\":\"$RACKCORP_APIUUID\",\"APISECRET\":\"$RACKCORP_APISECRET\",\"cmd\":\"$_rackcorpcmd\",$_rackcorpinputdata}" "$RACKCORP_API_ENDPOINT" "" "POST")" + + if [ "$?" != "0" ]; then + _err "error $response" + return 1 + fi + _debug2 response "$response" + if _contains "$response" "\"code\":\"OK\""; then + _debug code "OK" + else + _debug code "FAILED" + response="" + return 1 + fi + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_rackspace.sh b/acme.sh-master/dnsapi/dns_rackspace.sh new file mode 100644 index 0000000..b50d916 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_rackspace.sh @@ -0,0 +1,208 @@ +#!/usr/bin/env sh +# +# +#RACKSPACE_Username="" +# +#RACKSPACE_Apikey="" + +RACKSPACE_Endpoint="https://dns.api.rackspacecloud.com/v1.0" + +# 20210923 - RS changed the fields in the API response; fix sed +# 20190213 - The name & id fields swapped in the API response; fix sed +# 20190101 - Duplicating file for new pull request to dev branch +# Original - tcocca:rackspace_dnsapi https://github.com/acmesh-official/acme.sh/pull/1297 + +######## Public functions ##################### +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_rackspace_add() { + fulldomain="$1" + _debug fulldomain="$fulldomain" + txtvalue="$2" + _debug txtvalue="$txtvalue" + _rackspace_check_auth || return 1 + _rackspace_check_rootzone || return 1 + _info "Creating TXT record." + if ! _rackspace_rest POST "$RACKSPACE_Tenant/domains/$_domain_id/records" "{\"records\":[{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"data\":\"$txtvalue\",\"ttl\":300}]}"; then + return 1 + fi + _debug2 response "$response" + if ! _contains "$response" "$txtvalue" >/dev/null; then + _err "Could not add TXT record." + return 1 + fi + return 0 +} + +#fulldomain txtvalue +dns_rackspace_rm() { + fulldomain=$1 + _debug fulldomain="$fulldomain" + txtvalue=$2 + _debug txtvalue="$txtvalue" + _rackspace_check_auth || return 1 + _rackspace_check_rootzone || return 1 + _info "Checking for TXT record." + if ! _get_recordid "$_domain_id" "$fulldomain" "$txtvalue"; then + _err "Could not get TXT record id." + return 1 + fi + if [ "$_dns_record_id" = "" ]; then + _err "TXT record not found." + return 1 + fi + _info "Removing TXT record." + if ! _delete_txt_record "$_domain_id" "$_dns_record_id"; then + _err "Could not remove TXT record $_dns_record_id." + fi + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root_zone() { + domain="$1" + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + if ! _rackspace_rest GET "$RACKSPACE_Tenant/domains/search?name=$h"; then + return 1 + fi + _debug2 response "$response" + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + # Response looks like: + # {"id":"12345","accountId":"1111111","name": "example.com","ttl":3600,"emailAddress": ... + _domain_id=$(echo "$response" | sed -n "s/^.*\"id\":\"\([^,]*\)\",\"accountId\":\"[0-9]*\",\"name\":\"$h\",.*/\1/p") + _debug2 domain_id "$_domain_id" + if [ -n "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_get_recordid() { + domainid="$1" + fulldomain="$2" + txtvalue="$3" + if ! _rackspace_rest GET "$RACKSPACE_Tenant/domains/$domainid/records?name=$fulldomain&type=TXT"; then + return 1 + fi + _debug response "$response" + if ! _contains "$response" "$txtvalue"; then + _dns_record_id=0 + return 0 + fi + _dns_record_id=$(echo "$response" | tr '{' "\n" | grep "\"data\":\"$txtvalue\"" | sed -n 's/^.*"id":"\([^"]*\)".*/\1/p') + _debug _dns_record_id "$_dns_record_id" + return 0 +} + +_delete_txt_record() { + domainid="$1" + _dns_record_id="$2" + if ! _rackspace_rest DELETE "$RACKSPACE_Tenant/domains/$domainid/records?id=$_dns_record_id"; then + return 1 + fi + _debug response "$response" + if ! _contains "$response" "RUNNING"; then + return 1 + fi + return 0 +} + +_rackspace_rest() { + m="$1" + ep="$2" + data="$3" + _debug ep "$ep" + export _H1="Accept: application/json" + export _H2="X-Auth-Token: $RACKSPACE_Token" + export _H3="X-Project-Id: $RACKSPACE_Tenant" + export _H4="Content-Type: application/json" + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$RACKSPACE_Endpoint/$ep" "" "$m")" + retcode=$? + else + _info "Getting $RACKSPACE_Endpoint/$ep" + response="$(_get "$RACKSPACE_Endpoint/$ep")" + retcode=$? + fi + + if [ "$retcode" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_rackspace_authorization() { + export _H1="Content-Type: application/json" + data="{\"auth\":{\"RAX-KSKEY:apiKeyCredentials\":{\"username\":\"$RACKSPACE_Username\",\"apiKey\":\"$RACKSPACE_Apikey\"}}}" + _debug data "$data" + response="$(_post "$data" "https://identity.api.rackspacecloud.com/v2.0/tokens" "" "POST")" + retcode=$? + _debug2 response "$response" + if [ "$retcode" != "0" ]; then + _err "Authentication failed." + return 1 + fi + if _contains "$response" "token"; then + RACKSPACE_Token="$(echo "$response" | _normalizeJson | sed -n 's/^.*"token":{.*,"id":"\([^"]*\)",".*/\1/p')" + RACKSPACE_Tenant="$(echo "$response" | _normalizeJson | sed -n 's/^.*"token":{.*,"id":"\([^"]*\)"}.*/\1/p')" + _debug RACKSPACE_Token "$RACKSPACE_Token" + _debug RACKSPACE_Tenant "$RACKSPACE_Tenant" + fi + return 0 +} + +_rackspace_check_auth() { + # retrieve the rackspace creds + RACKSPACE_Username="${RACKSPACE_Username:-$(_readaccountconf_mutable RACKSPACE_Username)}" + RACKSPACE_Apikey="${RACKSPACE_Apikey:-$(_readaccountconf_mutable RACKSPACE_Apikey)}" + # check their vals for null + if [ -z "$RACKSPACE_Username" ] || [ -z "$RACKSPACE_Apikey" ]; then + RACKSPACE_Username="" + RACKSPACE_Apikey="" + _err "You didn't specify a Rackspace username and api key." + _err "Please set those values and try again." + return 1 + fi + # save the username and api key to the account conf file. + _saveaccountconf_mutable RACKSPACE_Username "$RACKSPACE_Username" + _saveaccountconf_mutable RACKSPACE_Apikey "$RACKSPACE_Apikey" + if [ -z "$RACKSPACE_Token" ]; then + _info "Getting authorization token." + if ! _rackspace_authorization; then + _err "Can not get token." + fi + fi +} + +_rackspace_check_rootzone() { + _debug "First detect the root zone" + if ! _get_root_zone "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" +} diff --git a/acme.sh-master/dnsapi/dns_rage4.sh b/acme.sh-master/dnsapi/dns_rage4.sh new file mode 100644 index 0000000..4af4541 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_rage4.sh @@ -0,0 +1,115 @@ +#!/usr/bin/env sh + +# +#RAGE4_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#RAGE4_USERNAME="xxxx@sss.com" + +RAGE4_Api="https://rage4.com/rapi/" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_rage4_add() { + fulldomain=$1 + txtvalue=$2 + + unquotedtxtvalue=$(echo "$txtvalue" | tr -d \") + + RAGE4_USERNAME="${RAGE4_USERNAME:-$(_readaccountconf_mutable RAGE4_USERNAME)}" + RAGE4_TOKEN="${RAGE4_TOKEN:-$(_readaccountconf_mutable RAGE4_TOKEN)}" + + if [ -z "$RAGE4_USERNAME" ] || [ -z "$RAGE4_TOKEN" ]; then + RAGE4_USERNAME="" + RAGE4_TOKEN="" + _err "You didn't specify a Rage4 api token and username yet." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable RAGE4_USERNAME "$RAGE4_USERNAME" + _saveaccountconf_mutable RAGE4_TOKEN "$RAGE4_TOKEN" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + + _rage4_rest "createrecord/?id=$_domain_id&name=$fulldomain&content=$unquotedtxtvalue&type=TXT&active=true&ttl=1" + return 0 +} + +#fulldomain txtvalue +dns_rage4_rm() { + fulldomain=$1 + txtvalue=$2 + + RAGE4_USERNAME="${RAGE4_USERNAME:-$(_readaccountconf_mutable RAGE4_USERNAME)}" + RAGE4_TOKEN="${RAGE4_TOKEN:-$(_readaccountconf_mutable RAGE4_TOKEN)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + + _debug "Getting txt records" + _rage4_rest "getrecords/?id=${_domain_id}" + + _record_id=$(echo "$response" | sed -rn 's/.*"id":([[:digit:]]+)[^\}]*'"$txtvalue"'.*/\1/p') + _rage4_rest "deleterecord/?id=${_record_id}" + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + + if ! _rage4_rest "getdomains"; then + return 1 + fi + _debug _get_root_domain "$domain" + + for line in $(echo "$response" | tr '}' '\n'); do + __domain=$(echo "$line" | sed -rn 's/.*"name":"([^"]*)",.*/\1/p') + __domain_id=$(echo "$line" | sed -rn 's/.*"id":([^,]*),.*/\1/p') + if [ "$domain" != "${domain%"$__domain"*}" ]; then + _domain_id="$__domain_id" + break + fi + done + + if [ -z "$_domain_id" ]; then + return 1 + fi + + return 0 +} + +_rage4_rest() { + ep="$1" + _debug "$ep" + + username_trimmed=$(echo "$RAGE4_USERNAME" | tr -d '"') + token_trimmed=$(echo "$RAGE4_TOKEN" | tr -d '"') + auth=$(printf '%s:%s' "$username_trimmed" "$token_trimmed" | _base64) + + export _H1="Content-Type: application/json" + export _H2="Authorization: Basic $auth" + + response="$(_get "$RAGE4_Api$ep")" + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_rcode0.sh b/acme.sh-master/dnsapi/dns_rcode0.sh new file mode 100644 index 0000000..d3f7f21 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_rcode0.sh @@ -0,0 +1,224 @@ +#!/usr/bin/env sh + +#Rcode0 API Integration +#https://my.rcodezero.at/api-doc +# +# log into https://my.rcodezero.at/enableapi and get your ACME API Token (the ACME API token has limited +# access to the REST calls needed for acme.sh only) +# +#RCODE0_URL="https://my.rcodezero.at" +#RCODE0_API_TOKEN="0123456789ABCDEF" +#RCODE0_TTL=60 + +DEFAULT_RCODE0_URL="https://my.rcodezero.at" +DEFAULT_RCODE0_TTL=60 + +######## Public functions ##################### +#Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000" +#fulldomain +#txtvalue +dns_rcode0_add() { + fulldomain=$1 + txtvalue=$2 + + RCODE0_API_TOKEN="${RCODE0_API_TOKEN:-$(_readaccountconf_mutable RCODE0_API_TOKEN)}" + RCODE0_URL="${RCODE0_URL:-$(_readaccountconf_mutable RCODE0_URL)}" + RCODE0_TTL="${RCODE0_TTL:-$(_readaccountconf_mutable RCODE0_TTL)}" + + if [ -z "$RCODE0_URL" ]; then + RCODE0_URL="$DEFAULT_RCODE0_URL" + fi + + if [ -z "$RCODE0_API_TOKEN" ]; then + RCODE0_API_TOKEN="" + _err "Missing Rcode0 ACME API Token." + _err "Please login and create your token at httsp://my.rcodezero.at/enableapi and try again." + return 1 + fi + + if [ -z "$RCODE0_TTL" ]; then + RCODE0_TTL="$DEFAULT_RCODE0_TTL" + fi + + #save the token to the account conf file. + _saveaccountconf_mutable RCODE0_API_TOKEN "$RCODE0_API_TOKEN" + + if [ "$RCODE0_URL" != "$DEFAULT_RCODE0_URL" ]; then + _saveaccountconf_mutable RCODE0_URL "$RCODE0_URL" + fi + + if [ "$RCODE0_TTL" != "$DEFAULT_RCODE0_TTL" ]; then + _saveaccountconf_mutable RCODE0_TTL "$RCODE0_TTL" + fi + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "No 'MASTER' zone for $fulldomain found at RcodeZero Anycast." + return 1 + fi + _debug _domain "$_domain" + + _debug "Adding record" + + _record_string="" + _build_record_string "$txtvalue" + _list_existingchallenges + for oldchallenge in $_existing_challenges; do + _build_record_string "$oldchallenge" + done + + _debug "Challenges: $_existing_challenges" + + if [ -z "$_existing_challenges" ]; then + if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"add\", \"name\": \"$fulldomain.\", \"type\": \"TXT\", \"ttl\": $RCODE0_TTL, \"records\": [$_record_string]}]"; then + _err "Add txt record error." + return 1 + fi + else + # try update in case a records exists (need for wildcard certs) + if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"update\", \"name\": \"$fulldomain.\", \"type\": \"TXT\", \"ttl\": $RCODE0_TTL, \"records\": [$_record_string]}]"; then + _err "Set txt record error." + return 1 + fi + fi + + return 0 +} + +#fulldomain txtvalue +dns_rcode0_rm() { + fulldomain=$1 + txtvalue=$2 + + RCODE0_API_TOKEN="${RCODE0_API_TOKEN:-$(_readaccountconf_mutable RCODE0_API_TOKEN)}" + RCODE0_URL="${RCODE0_URL:-$(_readaccountconf_mutable RCODE0_URL)}" + RCODE0_TTL="${RCODE0_TTL:-$(_readaccountconf_mutable RCODE0_TTL)}" + + if [ -z "$RCODE0_URL" ]; then + RCODE0_URL="$DEFAULT_RCODE0_URL" + fi + + if [ -z "$RCODE0_API_TOKEN" ]; then + RCODE0_API_TOKEN="" + _err "Missing Rcode0 API Token." + _err "Please login and create your token at httsp://my.rcodezero.at/enableapi and try again." + return 1 + fi + + #save the api addr and key to the account conf file. + _saveaccountconf_mutable RCODE0_URL "$RCODE0_URL" + _saveaccountconf_mutable RCODE0_API_TOKEN "$RCODE0_API_TOKEN" + + if [ "$RCODE0_TTL" != "$DEFAULT_RCODE0_TTL" ]; then + _saveaccountconf_mutable RCODE0_TTL "$RCODE0_TTL" + fi + + if [ -z "$RCODE0_TTL" ]; then + RCODE0_TTL="$DEFAULT_RCODE0_TTL" + fi + + _debug "Detect root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug "Remove record" + + #Enumerate existing acme challenges + _list_existingchallenges + + if _contains "$_existing_challenges" "$txtvalue"; then + #Delete all challenges (PowerDNS API does not allow to delete content) + if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"delete\", \"name\": \"$fulldomain.\", \"type\": \"TXT\"}]"; then + _err "Delete txt record error." + return 1 + fi + _record_string="" + #If the only existing challenge was the challenge to delete: nothing to do + if ! [ "$_existing_challenges" = "$txtvalue" ]; then + for oldchallenge in $_existing_challenges; do + #Build up the challenges to re-add, ommitting the one what should be deleted + if ! [ "$oldchallenge" = "$txtvalue" ]; then + _build_record_string "$oldchallenge" + fi + done + #Recreate the existing challenges + if ! _rcode0_rest "PATCH" "/api/v1/acme/zones/$_domain/rrsets" "[{\"changetype\": \"update\", \"name\": \"$fulldomain.\", \"type\": \"TXT\", \"ttl\": $RCODE0_TTL, \"records\": [$_record_string]}]"; then + _err "Set txt record error." + return 1 + fi + fi + else + _info "Record not found, nothing to remove" + fi + + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + + _debug "try to find: $h" + if _rcode0_rest "GET" "/api/v1/acme/zones/$h"; then + if [ "$response" = "[\"found\"]" ]; then + _domain="$h" + if [ -z "$h" ]; then + _domain="=2E" + fi + return 0 + elif [ "$response" = "[\"not a master domain\"]" ]; then + return 1 + fi + fi + + if [ -z "$h" ]; then + return 1 + fi + i=$(_math $i + 1) + done + _debug "no matching domain for $domain found" + + return 1 +} + +_rcode0_rest() { + method=$1 + ep=$2 + data=$3 + + export _H1="Authorization: Bearer $RCODE0_API_TOKEN" + + if [ ! "$method" = "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$RCODE0_URL$ep" "" "$method")" + else + response="$(_get "$RCODE0_URL$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + + return 0 +} + +_build_record_string() { + _record_string="${_record_string:+${_record_string}, }{\"content\": \"\\\"${1}\\\"\", \"disabled\": false}" +} + +_list_existingchallenges() { + _rcode0_rest "GET" "/api/v1/acme/zones/$_domain/rrsets" + _existing_challenges=$(echo "$response" | _normalizeJson | _egrep_o "\"name\":\"${fulldomain}[^]]*}" | _egrep_o 'content\":\"\\"[^\\]*' | sed -n 's/^content":"\\"//p') + _debug2 "$_existing_challenges" +} diff --git a/acme.sh-master/dnsapi/dns_regru.sh b/acme.sh-master/dnsapi/dns_regru.sh new file mode 100644 index 0000000..8ff380f --- /dev/null +++ b/acme.sh-master/dnsapi/dns_regru.sh @@ -0,0 +1,127 @@ +#!/usr/bin/env sh + +# +# REGRU_API_Username="test" +# +# REGRU_API_Password="test" +# + +REGRU_API_URL="https://api.reg.ru/api/regru2" + +######## Public functions ##################### + +dns_regru_add() { + fulldomain=$1 + txtvalue=$2 + + REGRU_API_Username="${REGRU_API_Username:-$(_readaccountconf_mutable REGRU_API_Username)}" + REGRU_API_Password="${REGRU_API_Password:-$(_readaccountconf_mutable REGRU_API_Password)}" + if [ -z "$REGRU_API_Username" ] || [ -z "$REGRU_API_Password" ]; then + REGRU_API_Username="" + REGRU_API_Password="" + _err "You don't specify regru password or username." + return 1 + fi + + _saveaccountconf_mutable REGRU_API_Username "$REGRU_API_Username" + _saveaccountconf_mutable REGRU_API_Password "$REGRU_API_Password" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain "$_domain" + + _subdomain=$(echo "$fulldomain" | sed -r "s/.$_domain//") + _debug _subdomain "$_subdomain" + + _info "Adding TXT record to ${fulldomain}" + _regru_rest POST "zone/add_txt" "input_data={%22username%22:%22${REGRU_API_Username}%22,%22password%22:%22${REGRU_API_Password}%22,%22domains%22:[{%22dname%22:%22${_domain}%22}],%22subdomain%22:%22${_subdomain}%22,%22text%22:%22${txtvalue}%22,%22output_content_type%22:%22plain%22}&input_format=json" + + if ! _contains "${response}" 'error'; then + return 0 + fi + _err "Could not create resource record, check logs" + _err "${response}" + return 1 +} + +dns_regru_rm() { + fulldomain=$1 + txtvalue=$2 + + REGRU_API_Username="${REGRU_API_Username:-$(_readaccountconf_mutable REGRU_API_Username)}" + REGRU_API_Password="${REGRU_API_Password:-$(_readaccountconf_mutable REGRU_API_Password)}" + if [ -z "$REGRU_API_Username" ] || [ -z "$REGRU_API_Password" ]; then + REGRU_API_Username="" + REGRU_API_Password="" + _err "You don't specify regru password or username." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain "$_domain" + + _subdomain=$(echo "$fulldomain" | sed -r "s/.$_domain//") + _debug _subdomain "$_subdomain" + + _info "Deleting resource record $fulldomain" + _regru_rest POST "zone/remove_record" "input_data={%22username%22:%22${REGRU_API_Username}%22,%22password%22:%22${REGRU_API_Password}%22,%22domains%22:[{%22dname%22:%22${_domain}%22}],%22subdomain%22:%22${_subdomain}%22,%22content%22:%22${txtvalue}%22,%22record_type%22:%22TXT%22,%22output_content_type%22:%22plain%22}&input_format=json" + + if ! _contains "${response}" 'error'; then + return 0 + fi + _err "Could not delete resource record, check logs" + _err "${response}" + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _domain=domain.com +_get_root() { + domain=$1 + + _regru_rest POST "service/get_list" "username=${REGRU_API_Username}&password=${REGRU_API_Password}&output_format=xml&servtype=domain" + domains_list=$(echo "${response}" | grep dname | sed -r "s/.*dname=\"([^\"]+)\".*/\\1/g") + + for ITEM in ${domains_list}; do + IDN_ITEM=${ITEM} + case "${domain}" in + *${IDN_ITEM}*) + _domain="$(_idn "${ITEM}")" + _debug _domain "${_domain}" + return 0 + ;; + esac + done + + return 1 +} + +#returns +# response +_regru_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Content-Type: application/x-www-form-urlencoded" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$REGRU_API_URL/$ep" "" "$m")" + else + response="$(_get "$REGRU_API_URL/$ep?$data")" + fi + + _debug response "${response}" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_scaleway.sh b/acme.sh-master/dnsapi/dns_scaleway.sh new file mode 100644 index 0000000..a0a0f31 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_scaleway.sh @@ -0,0 +1,176 @@ +#!/usr/bin/env sh + +# Scaleway API +# https://developers.scaleway.com/en/products/domain/dns/api/ +# +# Requires Scaleway API token set in SCALEWAY_API_TOKEN + +######## Public functions ##################### + +SCALEWAY_API="https://api.scaleway.com/domain/v2beta1" + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_scaleway_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _scaleway_check_config; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + _scaleway_create_TXT_record "$_domain" "$_sub_domain" "$txtvalue" + if _contains "$response" "records"; then + return 0 + else + _err error "$response" + return 1 + fi + _info "Record added." + + return 0 +} + +dns_scaleway_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _scaleway_check_config; then + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Deleting record" + _scaleway_delete_TXT_record "$_domain" "$_sub_domain" "$txtvalue" + if _contains "$response" "records"; then + return 0 + else + _err error "$response" + return 1 + fi + _info "Record deleted." + + return 0 +} + +#################### Private functions below ################################## + +_scaleway_check_config() { + SCALEWAY_API_TOKEN="${SCALEWAY_API_TOKEN:-$(_readaccountconf_mutable SCALEWAY_API_TOKEN)}" + if [ -z "$SCALEWAY_API_TOKEN" ]; then + _err "No API key specified for Scaleway API." + _err "Create your key and export it as SCALEWAY_API_TOKEN" + return 1 + fi + if ! _scaleway_rest GET "dns-zones"; then + _err "Invalid API key specified for Scaleway API." + return 1 + fi + + _saveaccountconf_mutable SCALEWAY_API_TOKEN "$SCALEWAY_API_TOKEN" + + return 0 +} + +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _scaleway_rest GET "dns-zones/$h/records" + + if ! _contains "$response" "subdomain not found" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + _err "Unable to retrive DNS zone matching this domain" + return 1 +} + +# this function add a TXT record +_scaleway_create_TXT_record() { + txt_zone=$1 + txt_name=$2 + txt_value=$3 + + _scaleway_rest PATCH "dns-zones/$txt_zone/records" "{\"return_all_records\":false,\"changes\":[{\"add\":{\"records\":[{\"name\":\"$txt_name\",\"data\":\"$txt_value\",\"type\":\"TXT\",\"ttl\":60}]}}]}" + + if _contains "$response" "records"; then + return 0 + else + _err "error1 $response" + return 1 + fi +} + +# this function delete a TXT record based on name and content +_scaleway_delete_TXT_record() { + txt_zone=$1 + txt_name=$2 + txt_value=$3 + + _scaleway_rest PATCH "dns-zones/$txt_zone/records" "{\"return_all_records\":false,\"changes\":[{\"delete\":{\"id_fields\":{\"name\":\"$txt_name\",\"data\":\"$txt_value\",\"type\":\"TXT\"}}}]}" + + if _contains "$response" "records"; then + return 0 + else + _err "error2 $response" + return 1 + fi +} + +_scaleway_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + _scaleway_url="$SCALEWAY_API/$ep" + _debug2 _scaleway_url "$_scaleway_url" + export _H1="x-auth-token: $SCALEWAY_API_TOKEN" + export _H2="Accept: application/json" + export _H3="Content-Type: application/json" + + if [ "$data" ] || [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$_scaleway_url" "" "$m")" + else + response="$(_get "$_scaleway_url")" + fi + if [ "$?" != "0" ] || _contains "$response" "denied_authentication" || _contains "$response" "Method not allowed" || _contains "$response" "json parse error: unexpected EOF"; then + _err "error $response" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_schlundtech.sh b/acme.sh-master/dnsapi/dns_schlundtech.sh new file mode 100644 index 0000000..399c50e --- /dev/null +++ b/acme.sh-master/dnsapi/dns_schlundtech.sh @@ -0,0 +1,261 @@ +#!/usr/bin/env sh +# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*- + +# Schlundtech DNS API +# Author: mod242 +# Created: 2019-40-29 +# Completly based on the autoDNS xml api wrapper by auerswald@gmail.com +# +# export SCHLUNDTECH_USER="username" +# export SCHLUNDTECH_PASSWORD="password" +# +# Usage: +# acme.sh --issue --dns dns_schlundtech -d example.com + +SCHLUNDTECH_API="https://gateway.schlundtech.de" + +# Arguments: +# txtdomain +# txt +dns_schlundtech_add() { + fulldomain="$1" + txtvalue="$2" + + SCHLUNDTECH_USER="${SCHLUNDTECH_USER:-$(_readaccountconf_mutable SCHLUNDTECH_USER)}" + SCHLUNDTECH_PASSWORD="${SCHLUNDTECH_PASSWORD:-$(_readaccountconf_mutable SCHLUNDTECH_PASSWORD)}" + + if [ -z "$SCHLUNDTECH_USER" ] || [ -z "$SCHLUNDTECH_PASSWORD" ]; then + _err "You didn't specify schlundtech user and password." + return 1 + fi + + _saveaccountconf_mutable SCHLUNDTECH_USER "$SCHLUNDTECH_USER" + _saveaccountconf_mutable SCHLUNDTECH_PASSWORD "$SCHLUNDTECH_PASSWORD" + + _debug "First detect the root zone" + + if ! _get_autodns_zone "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _zone "$_zone" + _debug _system_ns "$_system_ns" + + _info "Adding TXT record" + + autodns_response="$(_autodns_zone_update "$_zone" "$_sub_domain" "$txtvalue" "$_system_ns")" + + if [ "$?" -eq "0" ]; then + _info "Added, OK" + return 0 + fi + + return 1 +} + +# Arguments: +# txtdomain +# txt +dns_schlundtech_rm() { + fulldomain="$1" + txtvalue="$2" + + SCHLUNDTECH_USER="${SCHLUNDTECH_USER:-$(_readaccountconf_mutable SCHLUNDTECH_USER)}" + SCHLUNDTECH_PASSWORD="${SCHLUNDTECH_PASSWORD:-$(_readaccountconf_mutable SCHLUNDTECH_PASSWORD)}" + + if [ -z "$SCHLUNDTECH_USER" ] || [ -z "$SCHLUNDTECH_PASSWORD" ]; then + _err "You didn't specify schlundtech user and password." + return 1 + fi + + _debug "First detect the root zone" + + if ! _get_autodns_zone "$fulldomain"; then + _err "zone not found" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _zone "$_zone" + _debug _system_ns "$_system_ns" + + _info "Delete TXT record" + + autodns_response="$(_autodns_zone_cleanup "$_zone" "$_sub_domain" "$txtvalue" "$_system_ns")" + + if [ "$?" -eq "0" ]; then + _info "Deleted, OK" + return 0 + fi + + return 1 +} + +#################### Private functions below ################################## + +# Arguments: +# fulldomain +# Returns: +# _sub_domain=_acme-challenge.www +# _zone=domain.com +# _system_ns +_get_autodns_zone() { + domain="$1" + + i=2 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + + if [ -z "$h" ]; then + # not valid + return 1 + fi + + autodns_response="$(_autodns_zone_inquire "$h")" + + if [ "$?" -ne "0" ]; then + _err "invalid domain" + return 1 + fi + + if _contains "$autodns_response" "1" >/dev/null; then + _zone="$(echo "$autodns_response" | _egrep_o '[^<]*' | cut -d '>' -f 2 | cut -d '<' -f 1)" + _system_ns="$(echo "$autodns_response" | _egrep_o '[^<]*' | cut -d '>' -f 2 | cut -d '<' -f 1)" + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +_build_request_auth_xml() { + printf " + %s + %s + 10 + " "$SCHLUNDTECH_USER" "$SCHLUNDTECH_PASSWORD" +} + +# Arguments: +# zone +_build_zone_inquire_xml() { + printf " + + %s + + 0205 + + 1 + 1 + + + name + eq + %s + + + " "$(_build_request_auth_xml)" "$1" +} + +# Arguments: +# zone +# subdomain +# txtvalue +# system_ns +_build_zone_update_xml() { + printf " + + %s + + 0202001 + + + %s + 600 + TXT + %s + + + + %s + %s + + + " "$(_build_request_auth_xml)" "$2" "$3" "$1" "$4" +} + +# Arguments: +# zone +_autodns_zone_inquire() { + request_data="$(_build_zone_inquire_xml "$1")" + autodns_response="$(_autodns_api_call "$request_data")" + ret="$?" + + printf "%s" "$autodns_response" + return "$ret" +} + +# Arguments: +# zone +# subdomain +# txtvalue +# system_ns +_autodns_zone_update() { + request_data="$(_build_zone_update_xml "$1" "$2" "$3" "$4")" + autodns_response="$(_autodns_api_call "$request_data")" + ret="$?" + + printf "%s" "$autodns_response" + return "$ret" +} + +# Arguments: +# zone +# subdomain +# txtvalue +# system_ns +_autodns_zone_cleanup() { + request_data="$(_build_zone_update_xml "$1" "$2" "$3" "$4")" + # replace 'rr_add>' with 'rr_rem>' in request_data + request_data="$(printf -- "%s" "$request_data" | sed 's/rr_add>/rr_rem>/g')" + autodns_response="$(_autodns_api_call "$request_data")" + ret="$?" + + printf "%s" "$autodns_response" + return "$ret" +} + +# Arguments: +# request_data +_autodns_api_call() { + request_data="$1" + + _debug request_data "$request_data" + + autodns_response="$(_post "$request_data" "$SCHLUNDTECH_API")" + ret="$?" + + _debug autodns_response "$autodns_response" + + if [ "$ret" -ne "0" ]; then + _err "error" + return 1 + fi + + if _contains "$autodns_response" "success" >/dev/null; then + _info "success" + printf "%s" "$autodns_response" + return 0 + fi + + return 1 +} diff --git a/acme.sh-master/dnsapi/dns_selectel.sh b/acme.sh-master/dnsapi/dns_selectel.sh new file mode 100644 index 0000000..1b09882 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_selectel.sh @@ -0,0 +1,161 @@ +#!/usr/bin/env sh + +# +#SL_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# + +SL_Api="https://api.selectel.ru/domains/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_selectel_add() { + fulldomain=$1 + txtvalue=$2 + + SL_Key="${SL_Key:-$(_readaccountconf_mutable SL_Key)}" + + if [ -z "$SL_Key" ]; then + SL_Key="" + _err "You don't specify selectel.ru api key yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable SL_Key "$SL_Key" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _sl_rest POST "/$_domain_id/records/" "{\"type\": \"TXT\", \"ttl\": 60, \"name\": \"$fulldomain\", \"content\": \"$txtvalue\"}"; then + if _contains "$response" "$txtvalue" || _contains "$response" "record_already_exists"; then + _info "Added, OK" + return 0 + fi + fi + _err "Add txt record error." + return 1 +} + +#fulldomain txtvalue +dns_selectel_rm() { + fulldomain=$1 + txtvalue=$2 + + SL_Key="${SL_Key:-$(_readaccountconf_mutable SL_Key)}" + + if [ -z "$SL_Key" ]; then + SL_Key="" + _err "You don't specify slectel api key yet." + _err "Please create you key and try again." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _sl_rest GET "/${_domain_id}/records/" + + if ! _contains "$response" "$txtvalue"; then + _err "Txt record not found" + return 1 + fi + + _record_seg="$(echo "$response" | _egrep_o "[^{]*\"content\" *: *\"$txtvalue\"[^}]*}")" + _debug2 "_record_seg" "$_record_seg" + if [ -z "$_record_seg" ]; then + _err "can not find _record_seg" + return 1 + fi + + _record_id="$(echo "$_record_seg" | tr "," "\n" | tr "}" "\n" | tr -d " " | grep "\"id\"" | cut -d : -f 2)" + _debug2 "_record_id" "$_record_id" + if [ -z "$_record_id" ]; then + _err "can not find _record_id" + return 1 + fi + + if ! _sl_rest DELETE "/$_domain_id/records/$_record_id"; then + _err "Delete record error." + return 1 + fi + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + + if ! _sl_rest GET "/"; then + return 1 + fi + + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"name\" *: *\"$h\","; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + _debug "Getting domain id for $h" + if ! _sl_rest GET "/$h"; then + return 1 + fi + _domain_id="$(echo "$response" | tr "," "\n" | tr "}" "\n" | tr -d " " | grep "\"id\":" | cut -d : -f 2)" + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_sl_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="X-Token: $SL_Key" + export _H2="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$SL_Api/$ep" "" "$m")" + else + response="$(_get "$SL_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_selfhost.sh b/acme.sh-master/dnsapi/dns_selfhost.sh new file mode 100644 index 0000000..a6ef1f9 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_selfhost.sh @@ -0,0 +1,94 @@ +#!/usr/bin/env sh +# +# Author: Marvin Edeler +# Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1 +# Last Edit: 17.02.2022 + +dns_selfhost_add() { + fulldomain=$1 + txt=$2 + _info "Calling acme-dns on selfhost" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txt" + + SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl" + + # Get values, but don't save until we successfully validated + SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}" + SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}" + # These values are domain dependent, so read them from there + SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}" + # Selfhost api can't dynamically add TXT record, + # so we have to store the last used RID of the domain to support a second RID for wildcard domains + # (format: 'fulldomainA:lastRid fulldomainB:lastRid ...') + SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(_readdomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL) + + if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then + _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set" + return 1 + fi + + # get the domain entry from SELFHOSTDNS_MAP + # only match full domains (at the beginning of the string or with a leading whitespace), + # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com + # if the domain is defined multiple times only the last occurance will be matched + mapEntry=$(echo "$SELFHOSTDNS_MAP" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain)(:[[:digit:]]+)([:]?[[:digit:]]*)(.*)/\2\3\4/p") + _debug2 mapEntry "$mapEntry" + if test -z "$mapEntry"; then + _err "SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID" + return 1 + fi + + # get the RIDs from the map entry + rid1=$(echo "$mapEntry" | cut -d: -f2) + rid2=$(echo "$mapEntry" | cut -d: -f3) + + # read last used rid domain + lastUsedRidForDomainEntry=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain:[[:digit:]]+)(.*)/\2/p") + _debug2 lastUsedRidForDomainEntry "$lastUsedRidForDomainEntry" + lastUsedRidForDomain=$(echo "$lastUsedRidForDomainEntry" | cut -d: -f2) + + rid="$rid1" + if [ "$lastUsedRidForDomain" = "$rid" ] && ! test -z "$rid2"; then + rid="$rid2" + fi + + _info "Trying to add $txt on selfhost for rid: $rid" + + data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt" + response="$(_get "$SELFHOSTDNS_UPDATE_URL$data")" + + if ! echo "$response" | grep "200 OK" >/dev/null; then + _err "Invalid response of acme-dns for selfhost" + return 1 + fi + + # write last used rid domain + newLastUsedRidForDomainEntry="$fulldomain:$rid" + if ! test -z "$lastUsedRidForDomainEntry"; then + # replace last used rid entry for domain + SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/$lastUsedRidForDomainEntry/$newLastUsedRidForDomainEntry/p") + else + # add last used rid entry for domain + if test -z "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"; then + SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$newLastUsedRidForDomainEntry" + else + SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$SELFHOSTDNS_MAP_LAST_USED_INTERNAL $newLastUsedRidForDomainEntry" + fi + fi + + # Now that we know the values are good, save them + _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME" + _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD" + # These values are domain dependent, so store them there + _savedomainconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP" + _savedomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" +} + +dns_selfhost_rm() { + fulldomain=$1 + txt=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txt" + _info "Creating and removing of records is not supported by selfhost API, will not delete anything." +} diff --git a/acme.sh-master/dnsapi/dns_servercow.sh b/acme.sh-master/dnsapi/dns_servercow.sh new file mode 100644 index 0000000..5213790 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_servercow.sh @@ -0,0 +1,196 @@ +#!/usr/bin/env sh + +########## +# Custom servercow.de DNS API v1 for use with [acme.sh](https://github.com/acmesh-official/acme.sh) +# +# Usage: +# export SERVERCOW_API_Username=username +# export SERVERCOW_API_Password=password +# acme.sh --issue -d example.com --dns dns_servercow +# +# Issues: +# Any issues / questions / suggestions can be posted here: +# https://github.com/jhartlep/servercow-dns-api/issues +# +# Author: Jens Hartlep +########## + +SERVERCOW_API="https://api.servercow.de/dns/v1/domains" + +# Usage dns_servercow_add _acme-challenge.www.domain.com "abcdefghijklmnopqrstuvwxyz" +dns_servercow_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Using servercow" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + SERVERCOW_API_Username="${SERVERCOW_API_Username:-$(_readaccountconf_mutable SERVERCOW_API_Username)}" + SERVERCOW_API_Password="${SERVERCOW_API_Password:-$(_readaccountconf_mutable SERVERCOW_API_Password)}" + if [ -z "$SERVERCOW_API_Username" ] || [ -z "$SERVERCOW_API_Password" ]; then + SERVERCOW_API_Username="" + SERVERCOW_API_Password="" + _err "You don't specify servercow api username and password yet." + _err "Please create your username and password and try again." + return 1 + fi + + # save the credentials to the account conf file + _saveaccountconf_mutable SERVERCOW_API_Username "$SERVERCOW_API_Username" + _saveaccountconf_mutable SERVERCOW_API_Password "$SERVERCOW_API_Password" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # check whether a txt record already exists for the subdomain + if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then + _info "A txt record with the same name already exists." + # trim the string on the left + txtvalue_old=${response#*{\"name\":\""$_sub_domain"\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"} + # trim the string on the right + txtvalue_old=${txtvalue_old%%\"*} + + _debug txtvalue_old "$txtvalue_old" + + _info "Add the new txtvalue to the existing txt record." + if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":[\"$txtvalue\",\"$txtvalue_old\"],\"ttl\":20}"; then + if printf -- "%s" "$response" | grep "ok" >/dev/null; then + _info "Added additional txtvalue, OK" + return 0 + else + _err "add txt record error." + return 1 + fi + fi + _err "add txt record error." + return 1 + else + _info "There is no txt record with the name yet." + if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then + if printf -- "%s" "$response" | grep "ok" >/dev/null; then + _info "Added, OK" + return 0 + else + _err "add txt record error." + return 1 + fi + fi + _err "add txt record error." + return 1 + fi + + return 1 +} + +# Usage fulldomain txtvalue +# Remove the txt record after validation +dns_servercow_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Using servercow" + _debug fulldomain "$fulldomain" + _debug txtvalue "$fulldomain" + + SERVERCOW_API_Username="${SERVERCOW_API_Username:-$(_readaccountconf_mutable SERVERCOW_API_Username)}" + SERVERCOW_API_Password="${SERVERCOW_API_Password:-$(_readaccountconf_mutable SERVERCOW_API_Password)}" + if [ -z "$SERVERCOW_API_Username" ] || [ -z "$SERVERCOW_API_Password" ]; then + SERVERCOW_API_Username="" + SERVERCOW_API_Password="" + _err "You don't specify servercow api username and password yet." + _err "Please create your username and password and try again." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if _servercow_api DELETE "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\"}"; then + if printf -- "%s" "$response" | grep "ok" >/dev/null; then + _info "Deleted, OK" + _contains "$response" '"message":"ok"' + else + _err "delete txt record error." + return 1 + fi + fi + +} + +#################### Private functions below ################################## + +# _acme-challenge.www.domain.com +# returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + fulldomain=$1 + i=2 + p=1 + + while true; do + _domain=$(printf "%s" "$fulldomain" | cut -d . -f $i-100) + + _debug _domain "$_domain" + if [ -z "$_domain" ]; then + # not valid + return 1 + fi + + if ! _servercow_api GET "$_domain"; then + return 1 + fi + + if ! _contains "$response" '"error":"no such domain in user context"' >/dev/null; then + _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-$p) + if [ -z "$_sub_domain" ]; then + # not valid + return 1 + fi + + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + + return 1 +} + +_servercow_api() { + method=$1 + domain=$2 + data="$3" + + export _H1="Content-Type: application/json" + export _H2="X-Auth-Username: $SERVERCOW_API_Username" + export _H3="X-Auth-Password: $SERVERCOW_API_Password" + + if [ "$method" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$SERVERCOW_API/$domain" "" "$method")" + else + response="$(_get "$SERVERCOW_API/$domain")" + fi + + if [ "$?" != "0" ]; then + _err "error $domain" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_simply.sh b/acme.sh-master/dnsapi/dns_simply.sh new file mode 100644 index 0000000..6a8d0e1 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_simply.sh @@ -0,0 +1,269 @@ +#!/usr/bin/env sh + +# API-integration for Simply.com (https://www.simply.com) + +#SIMPLY_AccountName="accountname" +#SIMPLY_ApiKey="apikey" +# +#SIMPLY_Api="https://api.simply.com/2/" +SIMPLY_Api_Default="https://api.simply.com/2" + +#This is used for determining success of REST call +SIMPLY_SUCCESS_CODE='"status":200' + +######## Public functions ##################### +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_simply_add() { + fulldomain=$1 + txtvalue=$2 + + if ! _simply_load_config; then + return 1 + fi + + _simply_save_config + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + + if ! _simply_add_record "$_domain" "$_sub_domain" "$txtvalue"; then + _err "Could not add DNS record" + return 1 + fi + return 0 +} + +dns_simply_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _simply_load_config; then + return 1 + fi + + _simply_save_config + + _debug "Find the DNS zone" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + _debug txtvalue "$txtvalue" + + _info "Getting all existing records" + + if ! _simply_get_all_records "$_domain"; then + _err "invalid domain" + return 1 + fi + + records=$(echo "$response" | tr '{' "\n" | grep 'record_id\|type\|data\|\name' | sed 's/\"record_id/;\"record_id/' | tr "\n" ' ' | tr -d ' ' | tr ';' ' ') + + nr_of_deleted_records=0 + _info "Fetching txt record" + + for record in $records; do + _debug record "$record" + + record_data=$(echo "$record" | sed -n "s/.*\"data\":\"\([^\"]*\)\".*/\1/p") + record_type=$(echo "$record" | sed -n "s/.*\"type\":\"\([^\"]*\)\".*/\1/p") + + _debug2 record_data "$record_data" + _debug2 record_type "$record_type" + + if [ "$record_data" = "$txtvalue" ] && [ "$record_type" = "TXT" ]; then + + record_id=$(echo "$record" | cut -d "," -f 1 | grep "record_id" | cut -d ":" -f 2) + + _info "Deleting record $record" + _debug2 record_id "$record_id" + + if [ "$record_id" -gt 0 ]; then + + if ! _simply_delete_record "$_domain" "$_sub_domain" "$record_id"; then + _err "Record with id $record_id could not be deleted" + return 1 + fi + + nr_of_deleted_records=1 + break + else + _err "Fetching record_id could not be done, this should not happen, exiting function. Failing record is $record" + break + fi + fi + + done + + if [ "$nr_of_deleted_records" -eq 0 ]; then + _err "No record deleted, the DNS record needs to be removed manually." + else + _info "Deleted $nr_of_deleted_records record" + fi + + return 0 +} + +#################### Private functions below ################################## + +_simply_load_config() { + SIMPLY_Api="${SIMPLY_Api:-$(_readaccountconf_mutable SIMPLY_Api)}" + SIMPLY_AccountName="${SIMPLY_AccountName:-$(_readaccountconf_mutable SIMPLY_AccountName)}" + SIMPLY_ApiKey="${SIMPLY_ApiKey:-$(_readaccountconf_mutable SIMPLY_ApiKey)}" + + if [ -z "$SIMPLY_Api" ]; then + SIMPLY_Api="$SIMPLY_Api_Default" + fi + + if [ -z "$SIMPLY_AccountName" ] || [ -z "$SIMPLY_ApiKey" ]; then + SIMPLY_AccountName="" + SIMPLY_ApiKey="" + + _err "A valid Simply API account and apikey not provided." + _err "Please provide a valid API user and try again." + + return 1 + fi + + return 0 +} + +_simply_save_config() { + if [ "$SIMPLY_Api" != "$SIMPLY_Api_Default" ]; then + _saveaccountconf_mutable SIMPLY_Api "$SIMPLY_Api" + fi + _saveaccountconf_mutable SIMPLY_AccountName "$SIMPLY_AccountName" + _saveaccountconf_mutable SIMPLY_ApiKey "$SIMPLY_ApiKey" +} + +_simply_get_all_records() { + domain=$1 + + if ! _simply_rest GET "my/products/$domain/dns/records/"; then + return 1 + fi + + return 0 +} + +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _simply_rest GET "my/products/$h/dns/"; then + return 1 + fi + + if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then + _debug "$h not found" + else + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + p="$i" + i=$(_math "$i" + 1) + done + return 1 +} + +_simply_add_record() { + domain=$1 + sub_domain=$2 + txtval=$3 + + data="{\"name\": \"$sub_domain\", \"type\":\"TXT\", \"data\": \"$txtval\", \"priority\":0, \"ttl\": 3600}" + + if ! _simply_rest POST "my/products/$domain/dns/records/" "$data"; then + _err "Adding record not successfull!" + return 1 + fi + + if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then + _err "Call to API not sucessfull, see below message for more details" + _err "$response" + return 1 + fi + + return 0 +} + +_simply_delete_record() { + domain=$1 + sub_domain=$2 + record_id=$3 + + _debug record_id "Delete record with id $record_id" + + if ! _simply_rest DELETE "my/products/$domain/dns/records/$record_id/"; then + _err "Deleting record not successfull!" + return 1 + fi + + if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then + _err "Call to API not sucessfull, see below message for more details" + _err "$response" + return 1 + fi + + return 0 +} + +_simply_rest() { + m=$1 + ep="$2" + data="$3" + + _debug2 data "$data" + _debug2 ep "$ep" + _debug2 m "$m" + + basicauth=$(printf "%s:%s" "$SIMPLY_AccountName" "$SIMPLY_ApiKey" | _base64) + + if [ "$basicauth" ]; then + export _H1="Authorization: Basic $basicauth" + fi + + export _H2="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + response="$(_post "$data" "$SIMPLY_Api/$ep" "" "$m")" + else + response="$(_get "$SIMPLY_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + + response="$(echo "$response" | _normalizeJson)" + + _debug2 response "$response" + + if _contains "$response" "Invalid account authorization"; then + _err "It seems that your api key or accountnumber is not correct." + return 1 + fi + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_tele3.sh b/acme.sh-master/dnsapi/dns_tele3.sh new file mode 100644 index 0000000..76c9091 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_tele3.sh @@ -0,0 +1,69 @@ +#!/usr/bin/env sh +# +# tele3.cz DNS API +# +# Author: Roman Blizik +# Report Bugs here: https://github.com/par-pa/acme.sh +# +# -- +# export TELE3_Key="MS2I4uPPaI..." +# export TELE3_Secret="kjhOIHGJKHg" +# -- + +TELE3_API="https://www.tele3.cz/acme/" + +######## Public functions ##################### + +dns_tele3_add() { + _info "Using TELE3 DNS" + data="\"ope\":\"add\", \"domain\":\"$1\", \"value\":\"$2\"" + if ! _tele3_call; then + _err "Publish zone failed" + return 1 + fi + + _info "Zone published" +} + +dns_tele3_rm() { + _info "Using TELE3 DNS" + data="\"ope\":\"rm\", \"domain\":\"$1\", \"value\":\"$2\"" + if ! _tele3_call; then + _err "delete TXT record failed" + return 1 + fi + + _info "TXT record successfully deleted" +} + +#################### Private functions below ################################## + +_tele3_init() { + TELE3_Key="${TELE3_Key:-$(_readaccountconf_mutable TELE3_Key)}" + TELE3_Secret="${TELE3_Secret:-$(_readaccountconf_mutable TELE3_Secret)}" + if [ -z "$TELE3_Key" ] || [ -z "$TELE3_Secret" ]; then + TELE3_Key="" + TELE3_Secret="" + _err "You must export variables: TELE3_Key and TELE3_Secret" + return 1 + fi + + #save the config variables to the account conf file. + _saveaccountconf_mutable TELE3_Key "$TELE3_Key" + _saveaccountconf_mutable TELE3_Secret "$TELE3_Secret" +} + +_tele3_call() { + _tele3_init + data="{\"key\":\"$TELE3_Key\", \"secret\":\"$TELE3_Secret\", $data}" + + _debug data "$data" + + response="$(_post "$data" "$TELE3_API" "" "POST")" + _debug response "$response" + + if [ "$response" != "success" ]; then + _err "$response" + return 1 + fi +} diff --git a/acme.sh-master/dnsapi/dns_transip.sh b/acme.sh-master/dnsapi/dns_transip.sh new file mode 100644 index 0000000..64a256e --- /dev/null +++ b/acme.sh-master/dnsapi/dns_transip.sh @@ -0,0 +1,183 @@ +#!/usr/bin/env sh +TRANSIP_Api_Url="https://api.transip.nl/v6" +TRANSIP_Token_Read_Only="false" +TRANSIP_Token_Expiration="30 minutes" +# You can't reuse a label token, so we leave this empty normally +TRANSIP_Token_Label="" + +######## Public functions ##################### +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_transip_add() { + fulldomain="$1" + _debug fulldomain="$fulldomain" + txtvalue="$2" + _debug txtvalue="$txtvalue" + _transip_setup "$fulldomain" || return 1 + _info "Creating TXT record." + if ! _transip_rest POST "domains/$_domain/dns" "{\"dnsEntry\":{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"expire\":300}}"; then + _err "Could not add TXT record." + return 1 + fi + return 0 +} + +dns_transip_rm() { + fulldomain=$1 + _debug fulldomain="$fulldomain" + txtvalue=$2 + _debug txtvalue="$txtvalue" + _transip_setup "$fulldomain" || return 1 + _info "Removing TXT record." + if ! _transip_rest DELETE "domains/$_domain/dns" "{\"dnsEntry\":{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"expire\":300}}"; then + _err "Could not remove TXT record $_sub_domain for $domain" + return 1 + fi + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + + if [ -z "$h" ]; then + #not valid + return 1 + fi + + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + + if _transip_rest GET "domains/$h/dns" && _contains "$response" "dnsEntries"; then + return 0 + fi + + p=$i + i=$(_math "$i" + 1) + done + _err "Unable to parse this domain" + return 1 +} + +_transip_rest() { + m="$1" + ep="$2" + data="$3" + _debug ep "$ep" + export _H1="Accept: application/json" + export _H2="Authorization: Bearer $_token" + export _H4="Content-Type: application/json" + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$TRANSIP_Api_Url/$ep" "" "$m")" + retcode=$? + else + response="$(_get "$TRANSIP_Api_Url/$ep")" + retcode=$? + fi + + if [ "$retcode" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_transip_get_token() { + nonce=$(echo "TRANSIP$(_time)" | _digest sha1 hex | cut -c 1-32) + _debug nonce "$nonce" + + # make IP whitelisting configurable + TRANSIP_Token_Global_Key="${TRANSIP_Token_Global_Key:-$(_readaccountconf_mutable TRANSIP_Token_Global_Key)}" + _saveaccountconf_mutable TRANSIP_Token_Global_Key "$TRANSIP_Token_Global_Key" + + data="{\"login\":\"${TRANSIP_Username}\",\"nonce\":\"${nonce}\",\"read_only\":\"${TRANSIP_Token_Read_Only}\",\"expiration_time\":\"${TRANSIP_Token_Expiration}\",\"label\":\"${TRANSIP_Token_Label}\",\"global_key\":\"${TRANSIP_Token_Global_Key:-false}\"}" + _debug data "$data" + + #_signature=$(printf "%s" "$data" | openssl dgst -sha512 -sign "$TRANSIP_Key_File" | _base64) + _signature=$(printf "%s" "$data" | _sign "$TRANSIP_Key_File" "sha512") + _debug2 _signature "$_signature" + + export _H1="Signature: $_signature" + export _H2="Content-Type: application/json" + + response="$(_post "$data" "$TRANSIP_Api_Url/auth" "" "POST")" + retcode=$? + _debug2 response "$response" + if [ "$retcode" != "0" ]; then + _err "Authentication failed." + return 1 + fi + if _contains "$response" "token"; then + _token="$(echo "$response" | _normalizeJson | sed -n 's/^{"token":"\(.*\)"}/\1/p')" + _debug _token "$_token" + return 0 + fi + return 1 +} + +_transip_setup() { + fulldomain=$1 + + # retrieve the transip creds + TRANSIP_Username="${TRANSIP_Username:-$(_readaccountconf_mutable TRANSIP_Username)}" + TRANSIP_Key_File="${TRANSIP_Key_File:-$(_readaccountconf_mutable TRANSIP_Key_File)}" + # check their vals for null + if [ -z "$TRANSIP_Username" ] || [ -z "$TRANSIP_Key_File" ]; then + TRANSIP_Username="" + TRANSIP_Key_File="" + _err "You didn't specify a TransIP username and api key file location" + _err "Please set those values and try again." + return 1 + fi + # save the username and api key to the account conf file. + _saveaccountconf_mutable TRANSIP_Username "$TRANSIP_Username" + _saveaccountconf_mutable TRANSIP_Key_File "$TRANSIP_Key_File" + + # download key file if it's an URL + if _startswith "$TRANSIP_Key_File" "http"; then + _debug "download transip key file" + TRANSIP_Key_URL=$TRANSIP_Key_File + TRANSIP_Key_File="$(_mktemp)" + chmod 600 "$TRANSIP_Key_File" + if ! _get "$TRANSIP_Key_URL" >"$TRANSIP_Key_File"; then + _err "Error getting key file from : $TRANSIP_Key_URL" + return 1 + fi + fi + + if [ -f "$TRANSIP_Key_File" ]; then + if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then + _err "Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}" + return 1 + fi + else + _err "Can't read private key file: ${TRANSIP_Key_File}" + return 1 + fi + + if [ -z "$_token" ]; then + if ! _transip_get_token; then + _err "Can not get token." + return 1 + fi + fi + + if [ -n "${TRANSIP_Key_URL}" ]; then + _debug "delete transip key file" + rm "${TRANSIP_Key_File}" + TRANSIP_Key_File=$TRANSIP_Key_URL + fi + + _get_root "$fulldomain" || return 1 + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_udr.sh b/acme.sh-master/dnsapi/dns_udr.sh new file mode 100644 index 0000000..caada82 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_udr.sh @@ -0,0 +1,160 @@ +#!/usr/bin/env sh + +# united-domains Reselling (https://www.ud-reselling.com/) DNS API +# Author: Andreas Scherer (https://github.com/andischerer) +# Created: 2021-02-01 +# +# Set the environment variables as below: +# +# export UDR_USER="your_username_goes_here" +# export UDR_PASS="some_password_goes_here" +# + +UDR_API="https://api.domainreselling.de/api/call.cgi" +UDR_TTL="30" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "some_long_string_of_characters_go_here_from_lets_encrypt" +dns_udr_add() { + fulldomain=$1 + txtvalue=$2 + + UDR_USER="${UDR_USER:-$(_readaccountconf_mutable UDR_USER)}" + UDR_PASS="${UDR_PASS:-$(_readaccountconf_mutable UDR_PASS)}" + if [ -z "$UDR_USER" ] || [ -z "$UDR_PASS" ]; then + UDR_USER="" + UDR_PASS="" + _err "You didn't specify an UD-Reselling username and password yet" + return 1 + fi + # save the username and password to the account conf file. + _saveaccountconf_mutable UDR_USER "$UDR_USER" + _saveaccountconf_mutable UDR_PASS "$UDR_PASS" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _dnszone "${_dnszone}" + + _debug "Getting txt records" + if ! _udr_rest "QueryDNSZoneRRList" "dnszone=${_dnszone}"; then + return 1 + fi + + rr="${fulldomain}. ${UDR_TTL} IN TXT ${txtvalue}" + _debug resource_record "${rr}" + if _contains "$response" "$rr" >/dev/null; then + _err "Error, it would appear that this record already exists. Please review existing TXT records for this domain." + return 1 + fi + + _info "Adding record" + if ! _udr_rest "UpdateDNSZone" "dnszone=${_dnszone}&addrr0=${rr}"; then + _err "Adding the record did not succeed, please verify/check." + return 1 + fi + + _info "Added, OK" + return 0 +} + +dns_udr_rm() { + fulldomain=$1 + txtvalue=$2 + + UDR_USER="${UDR_USER:-$(_readaccountconf_mutable UDR_USER)}" + UDR_PASS="${UDR_PASS:-$(_readaccountconf_mutable UDR_PASS)}" + if [ -z "$UDR_USER" ] || [ -z "$UDR_PASS" ]; then + UDR_USER="" + UDR_PASS="" + _err "You didn't specify an UD-Reselling username and password yet" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _dnszone "${_dnszone}" + + _debug "Getting txt records" + if ! _udr_rest "QueryDNSZoneRRList" "dnszone=${_dnszone}"; then + return 1 + fi + + rr="${fulldomain}. ${UDR_TTL} IN TXT ${txtvalue}" + _debug resource_record "${rr}" + if _contains "$response" "$rr" >/dev/null; then + if ! _udr_rest "UpdateDNSZone" "dnszone=${_dnszone}&delrr0=${rr}"; then + _err "Deleting the record did not succeed, please verify/check." + return 1 + fi + _info "Removed, OK" + return 0 + else + _info "Text record is not present, will not delete anything." + return 0 + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain=$1 + i=1 + + if ! _udr_rest "QueryDNSZoneList" ""; then + return 1 + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "${response}" "${h}." >/dev/null; then + _dnszone=$(echo "$response" | _egrep_o "${h}") + if [ "$_dnszone" ]; then + return 0 + fi + return 1 + fi + i=$(_math "$i" + 1) + done + return 1 +} + +_udr_rest() { + if [ -n "$2" ]; then + data="command=$1&$2" + else + data="command=$1" + fi + + _debug data "${data}" + response="$(_post "${data}" "${UDR_API}?s_login=${UDR_USER}&s_pw=${UDR_PASS}" "" "POST")" + + _code=$(echo "$response" | _egrep_o "code = ([0-9]+)" | _head_n 1 | cut -d = -f 2 | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') + _description=$(echo "$response" | _egrep_o "description = .*" | _head_n 1 | cut -d = -f 2 | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') + + _debug response_code "$_code" + _debug response_description "$_description" + + if [ ! "$_code" = "200" ]; then + _err "DNS-API-Error: $_description" + return 1 + fi + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_ultra.sh b/acme.sh-master/dnsapi/dns_ultra.sh new file mode 100644 index 0000000..0f26bd9 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_ultra.sh @@ -0,0 +1,167 @@ +#!/usr/bin/env sh + +# +# ULTRA_USR="your_user_goes_here" +# +# ULTRA_PWD="some_password_goes_here" + +ULTRA_API="https://api.ultradns.com/v3/" +ULTRA_AUTH_API="https://api.ultradns.com/v2/" + +#Usage: add _acme-challenge.www.domain.com "some_long_string_of_characters_go_here_from_lets_encrypt" +dns_ultra_add() { + fulldomain=$1 + txtvalue=$2 + export txtvalue + ULTRA_USR="${ULTRA_USR:-$(_readaccountconf_mutable ULTRA_USR)}" + ULTRA_PWD="${ULTRA_PWD:-$(_readaccountconf_mutable ULTRA_PWD)}" + if [ -z "$ULTRA_USR" ] || [ -z "$ULTRA_PWD" ]; then + ULTRA_USR="" + ULTRA_PWD="" + _err "You didn't specify an UltraDNS username and password yet" + return 1 + fi + # save the username and password to the account conf file. + _saveaccountconf_mutable ULTRA_USR "$ULTRA_USR" + _saveaccountconf_mutable ULTRA_PWD "$ULTRA_PWD" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "${_domain_id}" + _debug _sub_domain "${_sub_domain}" + _debug _domain "${_domain}" + _debug "Getting txt records" + _ultra_rest GET "zones/${_domain_id}/rrsets/TXT?q=value:${fulldomain}" + if printf "%s" "$response" | grep \"totalCount\" >/dev/null; then + _err "Error, it would appear that this record already exists. Please review existing TXT records for this domain." + return 1 + fi + + _info "Adding record" + if _ultra_rest POST "zones/$_domain_id/rrsets/TXT/${_sub_domain}" '{"ttl":300,"rdata":["'"${txtvalue}"'"]}'; then + if _contains "$response" "Successful"; then + _info "Added, OK" + return 0 + elif _contains "$response" "Resource Record of type 16 with these attributes already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + +} + +dns_ultra_rm() { + fulldomain=$1 + txtvalue=$2 + export txtvalue + ULTRA_USR="${ULTRA_USR:-$(_readaccountconf_mutable ULTRA_USR)}" + ULTRA_PWD="${ULTRA_PWD:-$(_readaccountconf_mutable ULTRA_PWD)}" + if [ -z "$ULTRA_USR" ] || [ -z "$ULTRA_PWD" ]; then + ULTRA_USR="" + ULTRA_PWD="" + _err "You didn't specify an UltraDNS username and password yet" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "${_domain_id}" + _debug _sub_domain "${_sub_domain}" + _debug _domain "${domain}" + + _debug "Getting TXT records" + _ultra_rest GET "zones/${_domain_id}/rrsets?q=kind:RECORDS+owner:${_sub_domain}" + + if ! printf "%s" "$response" | grep \"resultInfo\" >/dev/null; then + _err "There was an error in obtaining the resource records for ${_domain_id}" + return 1 + fi + + count=$(echo "$response" | _egrep_o "\"returnedCount\":[^,]*" | cut -d: -f2 | cut -d'}' -f1) + _debug count "${count}" + if [ "${count}" = "" ]; then + _info "Text record is not present, will not delete anything." + else + if ! _ultra_rest DELETE "zones/$_domain_id/rrsets/TXT/${_sub_domain}" '{"ttl":300,"rdata":["'"${txtvalue}"'"]}'; then + _err "Deleting the record did not succeed, please verify/check." + return 1 + fi + _contains "$response" "" + fi + +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + _debug response "$response" + if [ -z "$h" ]; then + #not valid + return 1 + fi + if ! _ultra_rest GET "zones"; then + return 1 + fi + if _contains "${response}" "${h}." >/dev/null; then + _domain_id=$(echo "$response" | _egrep_o "${h}" | head -1) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="${h}" + _debug sub_domain "${_sub_domain}" + _debug domain "${_domain}" + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_ultra_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + if [ -z "$AUTH_TOKEN" ]; then + _ultra_login + fi + _debug TOKEN "$AUTH_TOKEN" + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $AUTH_TOKEN" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$ULTRA_API$ep" "" "$m")" + else + response="$(_get "$ULTRA_API$ep")" + fi +} + +_ultra_login() { + export _H1="" + export _H2="" + AUTH_TOKEN=$(_post "grant_type=password&username=${ULTRA_USR}&password=${ULTRA_PWD}" "${ULTRA_AUTH_API}authorization/token" | cut -d, -f3 | cut -d\" -f4) + export AUTH_TOKEN +} diff --git a/acme.sh-master/dnsapi/dns_unoeuro.sh b/acme.sh-master/dnsapi/dns_unoeuro.sh new file mode 100644 index 0000000..13ba8a0 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_unoeuro.sh @@ -0,0 +1,179 @@ +#!/usr/bin/env sh + +# +#UNO_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#UNO_User="UExxxxxx" + +Uno_Api="https://api.simply.com/1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_unoeuro_add() { + fulldomain=$1 + txtvalue=$2 + + UNO_Key="${UNO_Key:-$(_readaccountconf_mutable UNO_Key)}" + UNO_User="${UNO_User:-$(_readaccountconf_mutable UNO_User)}" + if [ -z "$UNO_Key" ] || [ -z "$UNO_User" ]; then + UNO_Key="" + UNO_User="" + _err "You haven't specified a UnoEuro api key and account yet." + _err "Please create your key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable UNO_Key "$UNO_Key" + _saveaccountconf_mutable UNO_User "$UNO_User" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _uno_rest GET "my/products/$h/dns/records" + + if ! _contains "$response" "\"status\": 200" >/dev/null; then + _err "Error" + return 1 + fi + _info "Adding record" + + if _uno_rest POST "my/products/$h/dns/records" "{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"data\":\"$txtvalue\",\"ttl\":120,\"priority\":0}"; then + if _contains "$response" "\"status\": 200" >/dev/null; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi +} + +#fulldomain txtvalue +dns_unoeuro_rm() { + fulldomain=$1 + txtvalue=$2 + + UNO_Key="${UNO_Key:-$(_readaccountconf_mutable UNO_Key)}" + UNO_User="${UNO_User:-$(_readaccountconf_mutable UNO_User)}" + if [ -z "$UNO_Key" ] || [ -z "$UNO_User" ]; then + UNO_Key="" + UNO_User="" + _err "You haven't specified a UnoEuro api key and account yet." + _err "Please create your key and try again." + return 1 + fi + + if ! _contains "$UNO_User" "UE"; then + _err "It seems that the UNO_User=$UNO_User is not a valid username." + _err "Please check and retry." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _uno_rest GET "my/products/$h/dns/records" + + if ! _contains "$response" "\"status\": 200"; then + _err "Error" + return 1 + fi + + if ! _contains "$response" "$_sub_domain"; then + _info "Don't need to remove." + else + for record_line_number in $(echo "$response" | grep -n "$_sub_domain" | cut -d : -f 1); do + record_line_number=$(_math "$record_line_number" - 1) + _debug "record_line_number" "$record_line_number" + record_id=$(echo "$response" | _head_n "$record_line_number" | _tail_n 1 1 | _egrep_o "[0-9]{1,}") + _debug "record_id" "$record_id" + + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + + if ! _uno_rest DELETE "my/products/$h/dns/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _contains "$response" "\"status\": 200" + done + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _uno_rest GET "my/products/$h/dns/records"; then + return 1 + fi + + if _contains "$response" "\"status\": 200"; then + _domain_id=$h + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_uno_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$Uno_Api/$UNO_User/$UNO_Key/$ep" "" "$m")" + else + response="$(_get "$Uno_Api/$UNO_User/$UNO_Key/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_variomedia.sh b/acme.sh-master/dnsapi/dns_variomedia.sh new file mode 100644 index 0000000..a35b8f0 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_variomedia.sh @@ -0,0 +1,147 @@ +#!/usr/bin/env sh + +# +#VARIOMEDIA_API_TOKEN=000011112222333344445555666677778888 + +VARIOMEDIA_API="https://api.variomedia.de" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_variomedia_add() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + VARIOMEDIA_API_TOKEN="${VARIOMEDIA_API_TOKEN:-$(_readaccountconf_mutable VARIOMEDIA_API_TOKEN)}" + if test -z "$VARIOMEDIA_API_TOKEN"; then + VARIOMEDIA_API_TOKEN="" + _err 'VARIOMEDIA_API_TOKEN was not exported' + return 1 + fi + + _saveaccountconf_mutable VARIOMEDIA_API_TOKEN "$VARIOMEDIA_API_TOKEN" + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + if ! _variomedia_rest POST "dns-records" "{\"data\": {\"type\": \"dns-record\", \"attributes\": {\"record_type\": \"TXT\", \"name\": \"$_sub_domain\", \"domain\": \"$_domain\", \"data\": \"$txtvalue\", \"ttl\":300}}}"; then + _err "$response" + return 1 + fi + + _debug2 _response "$response" + return 0 +} + +#fulldomain txtvalue +dns_variomedia_rm() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + VARIOMEDIA_API_TOKEN="${VARIOMEDIA_API_TOKEN:-$(_readaccountconf_mutable VARIOMEDIA_API_TOKEN)}" + if test -z "$VARIOMEDIA_API_TOKEN"; then + VARIOMEDIA_API_TOKEN="" + _err 'VARIOMEDIA_API_TOKEN was not exported' + return 1 + fi + + _saveaccountconf_mutable VARIOMEDIA_API_TOKEN "$VARIOMEDIA_API_TOKEN" + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug 'Getting txt records' + + if ! _variomedia_rest GET "dns-records?filter[domain]=$_domain"; then + _err 'Error' + return 1 + fi + + _record_id="$(echo "$response" | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')" + _debug _record_id "$_record_id" + if [ "$_record_id" ]; then + _info "Successfully retrieved the record id for ACME challenge." + else + _info "Empty record id, it seems no such record." + return 0 + fi + + if ! _variomedia_rest DELETE "/dns-records/$_record_id"; then + _err "$response" + return 1 + fi + + _debug2 _response "$response" + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + fulldomain=$1 + i=1 + while true; do + h=$(printf "%s" "$fulldomain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + return 1 + fi + + if ! _variomedia_rest GET "domains/$h"; then + return 1 + fi + + if _startswith "$response" "\{\"data\":"; then + if _contains "$response" "\"id\":\"$h\""; then + _sub_domain="$(echo "$fulldomain" | sed "s/\\.$h\$//")" + _domain=$h + return 0 + fi + fi + i=$(_math "$i" + 1) + done + + _debug "root domain not found" + return 1 +} + +_variomedia_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Authorization: token $VARIOMEDIA_API_TOKEN" + export _H2="Content-Type: application/vnd.api+json" + export _H3="Accept: application/vnd.variomedia.v1+json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$VARIOMEDIA_API/$ep" "" "$m")" + else + response="$(_get "$VARIOMEDIA_API/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "Error $ep" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_veesp.sh b/acme.sh-master/dnsapi/dns_veesp.sh new file mode 100644 index 0000000..b8a41d0 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_veesp.sh @@ -0,0 +1,158 @@ +#!/usr/bin/env sh + +# bug reports to stepan@plyask.in + +# +# export VEESP_User="username" +# export VEESP_Password="password" + +VEESP_Api="https://secure.veesp.com/api" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_veesp_add() { + fulldomain=$1 + txtvalue=$2 + + VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}" + VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}" + VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64) + + if [ -z "$VEESP_Password" ] || [ -z "$VEESP_User" ]; then + VEESP_Password="" + VEESP_User="" + _err "You don't specify veesp api key and email yet." + _err "Please create you key and try again." + return 1 + fi + + #save the api key and email to the account conf file. + _saveaccountconf_mutable VEESP_Password "$VEESP_Password" + _saveaccountconf_mutable VEESP_User "$VEESP_User" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if VEESP_rest POST "service/$_service_id/dns/$_domain_id/records" "{\"name\":\"$fulldomain\",\"ttl\":1,\"priority\":0,\"type\":\"TXT\",\"content\":\"$txtvalue\"}"; then + if _contains "$response" "\"success\":true"; then + _info "Added" + #todo: check if the record takes effect + return 0 + else + _err "Add txt record error." + return 1 + fi + fi +} + +# Usage: fulldomain txtvalue +# Used to remove the txt record after validation +dns_veesp_rm() { + fulldomain=$1 + txtvalue=$2 + + VEESP_Password="${VEESP_Password:-$(_readaccountconf_mutable VEESP_Password)}" + VEESP_User="${VEESP_User:-$(_readaccountconf_mutable VEESP_User)}" + VEESP_auth=$(printf "%s" "$VEESP_User:$VEESP_Password" | _base64) + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + VEESP_rest GET "service/$_service_id/dns/$_domain_id" + + count=$(printf "%s\n" "$response" | _egrep_o "\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | wc -l | tr -d " ") + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + record_id=$(printf "%s\n" "$response" | _egrep_o "{\"id\":[^}]*\"type\":\"TXT\",\"content\":\".\"$txtvalue.\"\"" | cut -d\" -f4) + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! VEESP_rest DELETE "service/$_service_id/dns/$_domain_id/records/$record_id"; then + _err "Delete record error." + return 1 + fi + _contains "$response" "\"success\":true" + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=2 + p=1 + if ! VEESP_rest GET "dns"; then + return 1 + fi + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"domain_id\":[^,]*,\"name\":\"$h\"" | cut -d : -f 2 | cut -d , -f 1 | cut -d '"' -f 2) + _debug _domain_id "$_domain_id" + _service_id=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$h\",\"service_id\":[^}]*" | cut -d : -f 3 | cut -d '"' -f 2) + _debug _service_id "$_service_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain="$h" + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +VEESP_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + export _H1="Accept: application/json" + export _H2="Authorization: Basic $VEESP_auth" + if [ "$m" != "GET" ]; then + _debug data "$data" + export _H3="Content-Type: application/json" + response="$(_post "$data" "$VEESP_Api/$ep" "" "$m")" + else + response="$(_get "$VEESP_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_vercel.sh b/acme.sh-master/dnsapi/dns_vercel.sh new file mode 100644 index 0000000..7bf6b0e --- /dev/null +++ b/acme.sh-master/dnsapi/dns_vercel.sh @@ -0,0 +1,142 @@ +#!/usr/bin/env sh + +# Vercel DNS API +# +# This is your API token which can be acquired on the account page. +# https://vercel.com/account/tokens +# +# VERCEL_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje" + +VERCEL_API="https://api.vercel.com" + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_vercel_add() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + VERCEL_TOKEN="${VERCEL_TOKEN:-$(_readaccountconf_mutable VERCEL_TOKEN)}" + + if [ -z "$VERCEL_TOKEN" ]; then + VERCEL_TOKEN="" + _err "You have not set the Vercel API token yet." + _err "Please visit https://vercel.com/account/tokens to generate it." + return 1 + fi + + _saveaccountconf_mutable VERCEL_TOKEN "$VERCEL_TOKEN" + + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _info "Adding record" + if _vercel_rest POST "v2/domains/$_domain/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\"}"; then + if printf -- "%s" "$response" | grep "\"uid\":\"" >/dev/null; then + _info "Added" + return 0 + else + _err "Unexpected response while adding text record." + return 1 + fi + fi + _err "Add txt record error." +} + +dns_vercel_rm() { + fulldomain=$1 + txtvalue=$2 + + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _vercel_rest GET "v2/domains/$_domain/records" + + count=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$_sub_domain\",[^{]*\"type\":\"TXT\"" | wc -l | tr -d " ") + + if [ "$count" = "0" ]; then + _info "Don't need to remove." + else + _record_id=$(printf "%s" "$response" | _egrep_o "\"id\":[^,]*,\"slug\":\"[^,]*\",\"name\":\"$_sub_domain\",[^{]*\"type\":\"TXT\",\"value\":\"$txtvalue\"" | cut -d: -f2 | cut -d, -f1 | tr -d '"') + + if [ "$_record_id" ]; then + echo "$_record_id" | while read -r item; do + if _vercel_rest DELETE "v2/domains/$_domain/records/$item"; then + _info "removed record" "$item" + return 0 + else + _err "failed to remove record" "$item" + return 1 + fi + done + fi + fi +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +_get_root() { + domain="$1" + ep="$2" + i=1 + p=1 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _vercel_rest GET "v4/domains/$h"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\"" >/dev/null; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_vercel_rest() { + m="$1" + ep="$2" + data="$3" + + path="$VERCEL_API/$ep" + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $VERCEL_TOKEN" + + if [ "$m" != "GET" ]; then + _secure_debug2 data "$data" + response="$(_post "$data" "$path" "" "$m")" + else + response="$(_get "$path")" + fi + _ret="$?" + _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")" + _debug "http response code $_code" + _secure_debug2 response "$response" + if [ "$_ret" != "0" ]; then + _err "error $ep" + return 1 + fi + + response="$(printf "%s" "$response" | _normalizeJson)" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_vscale.sh b/acme.sh-master/dnsapi/dns_vscale.sh new file mode 100644 index 0000000..d717d6e --- /dev/null +++ b/acme.sh-master/dnsapi/dns_vscale.sh @@ -0,0 +1,149 @@ +#!/usr/bin/env sh + +#This is the vscale.io api wrapper for acme.sh +# +#Author: Alex Loban +#Report Bugs here: https://github.com/LAV45/acme.sh + +#VSCALE_API_KEY="sdfsdfsdfljlbjkljlkjsdfoiwje" +VSCALE_API_URL="https://api.vscale.io/v1" + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_vscale_add() { + fulldomain=$1 + txtvalue=$2 + + if [ -z "$VSCALE_API_KEY" ]; then + VSCALE_API_KEY="" + _err "You didn't specify the VSCALE api key yet." + _err "Please create you key and try again." + return 1 + fi + + _saveaccountconf VSCALE_API_KEY "$VSCALE_API_KEY" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _vscale_tmpl_json="{\"type\":\"TXT\",\"name\":\"$_sub_domain.$_domain\",\"content\":\"$txtvalue\"}" + + if _vscale_rest POST "domains/$_domain_id/records/" "$_vscale_tmpl_json"; then + response=$(printf "%s\n" "$response" | _egrep_o "{\"error\": \".+\"" | cut -d : -f 2) + if [ -z "$response" ]; then + _info "txt record updated success." + return 0 + fi + fi + + return 1 +} + +#fulldomain txtvalue +dns_vscale_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _vscale_rest GET "domains/$_domain_id/records/" + + if [ -n "$response" ]; then + record_id=$(printf "%s\n" "$response" | _egrep_o "\"TXT\", \"id\": [0-9]+, \"name\": \"$_sub_domain.$_domain\"" | cut -d : -f 2 | tr -d ", \"name\"") + _debug record_id "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if _vscale_rest DELETE "domains/$_domain_id/records/$record_id" && [ -z "$response" ]; then + _info "txt record deleted success." + return 0 + fi + _debug response "$response" + return 1 + fi + + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=12345 +_get_root() { + domain=$1 + i=2 + p=1 + + if _vscale_rest GET "domains/"; then + response="$(echo "$response" | tr -d "\n" | sed 's/{/\n&/g')" + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + hostedzone="$(echo "$response" | tr "{" "\n" | _egrep_o "\"name\":\s*\"$h\".*}")" + if [ "$hostedzone" ]; then + _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ ) + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + fi + return 1 +} + +#method uri qstr data +_vscale_rest() { + mtd="$1" + ep="$2" + data="$3" + + _debug mtd "$mtd" + _debug ep "$ep" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + export _H3="X-Token: ${VSCALE_API_KEY}" + + if [ "$mtd" != "GET" ]; then + # both POST and DELETE. + _debug data "$data" + response="$(_post "$data" "$VSCALE_API_URL/$ep" "" "$mtd")" + else + response="$(_get "$VSCALE_API_URL/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_vultr.sh b/acme.sh-master/dnsapi/dns_vultr.sh new file mode 100644 index 0000000..54e5b6c --- /dev/null +++ b/acme.sh-master/dnsapi/dns_vultr.sh @@ -0,0 +1,161 @@ +#!/usr/bin/env sh + +# +#VULTR_API_KEY=000011112222333344445555666677778888 + +VULTR_Api="https://api.vultr.com/v2" + +######## Public functions ##################### +# +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_vultr_add() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + VULTR_API_KEY="${VULTR_API_KEY:-$(_readaccountconf_mutable VULTR_API_KEY)}" + if test -z "$VULTR_API_KEY"; then + VULTR_API_KEY='' + _err 'VULTR_API_KEY was not exported' + return 1 + fi + + _saveaccountconf_mutable VULTR_API_KEY "$VULTR_API_KEY" + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug 'Getting txt records' + _vultr_rest GET "domains/$_domain/records" + + if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then + _err 'Error' + return 1 + fi + + if ! _vultr_rest POST "domains/$_domain/records" "{\"name\":\"$_sub_domain\",\"data\":\"$txtvalue\",\"type\":\"TXT\"}"; then + _err "$response" + return 1 + fi + + _debug2 _response "$response" + return 0 +} + +#fulldomain txtvalue +dns_vultr_rm() { + fulldomain=$1 + txtvalue=$2 + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + VULTR_API_KEY="${VULTR_API_KEY:-$(_readaccountconf_mutable VULTR_API_KEY)}" + if test -z "$VULTR_API_KEY"; then + VULTR_API_KEY="" + _err 'VULTR_API_KEY was not exported' + return 1 + fi + + _saveaccountconf_mutable VULTR_API_KEY "$VULTR_API_KEY" + + _debug 'First detect the root zone' + if ! _get_root "$fulldomain"; then + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug 'Getting txt records' + _vultr_rest GET "domains/$_domain/records" + + if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then + _err 'Error' + return 1 + fi + + _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2 | tr -d '"')" + _debug _record_id "$_record_id" + if [ "$_record_id" ]; then + _info "Successfully retrieved the record id for ACME challenge." + else + _info "Empty record id, it seems no such record." + return 0 + fi + + if ! _vultr_rest DELETE "domains/$_domain/records/$_record_id"; then + _err "$response" + return 1 + fi + + _debug2 _response "$response" + return 0 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + while true; do + _domain=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$_domain" + if [ -z "$_domain" ]; then + return 1 + fi + + if ! _vultr_rest GET "domains"; then + return 1 + fi + + if printf "%s\n" "$response" | grep -E '^\{.*\}' >/dev/null; then + if _contains "$response" "\"domain\":\"$_domain\""; then + _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")" + return 0 + else + _debug "Go to next level of $_domain" + fi + else + _err "$response" + return 1 + fi + i=$(_math "$i" + 1) + done + + return 1 +} + +_vultr_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + api_key_trimmed=$(echo "$VULTR_API_KEY" | tr -d '"') + + export _H1="Authorization: Bearer $api_key_trimmed" + export _H2='Content-Type: application/json' + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$VULTR_Api/$ep" "" "$m")" + else + response="$(_get "$VULTR_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "Error $ep" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_websupport.sh b/acme.sh-master/dnsapi/dns_websupport.sh new file mode 100644 index 0000000..e824c9c --- /dev/null +++ b/acme.sh-master/dnsapi/dns_websupport.sh @@ -0,0 +1,207 @@ +#!/usr/bin/env sh + +# Acme.sh DNS API wrapper for websupport.sk +# +# Original author: trgo.sk (https://github.com/trgosk) +# Tweaks by: akulumbeg (https://github.com/akulumbeg) +# Report Bugs here: https://github.com/akulumbeg/acme.sh + +# Requirements: API Key and Secret from https://admin.websupport.sk/en/auth/apiKey +# +# WS_ApiKey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" +# (called "Identifier" in the WS Admin) +# +# WS_ApiSecret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +# (called "Secret key" in the WS Admin) + +WS_Api="https://rest.websupport.sk" + +######## Public functions ##################### + +dns_websupport_add() { + fulldomain=$1 + txtvalue=$2 + + WS_ApiKey="${WS_ApiKey:-$(_readaccountconf_mutable WS_ApiKey)}" + WS_ApiSecret="${WS_ApiSecret:-$(_readaccountconf_mutable WS_ApiSecret)}" + + if [ "$WS_ApiKey" ] && [ "$WS_ApiSecret" ]; then + _saveaccountconf_mutable WS_ApiKey "$WS_ApiKey" + _saveaccountconf_mutable WS_ApiSecret "$WS_ApiSecret" + else + WS_ApiKey="" + WS_ApiSecret="" + _err "You did not specify the API Key and/or API Secret" + _err "You can get the API login credentials from https://admin.websupport.sk/en/auth/apiKey" + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so + # we can not use updating anymore. + # count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2) + # _debug count "$count" + # if [ "$count" = "0" ]; then + _info "Adding record" + if _ws_rest POST "/v1/user/self/zone/$_domain/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then + if _contains "$response" "$txtvalue"; then + _info "Added, OK" + return 0 + elif _contains "$response" "The record already exists"; then + _info "Already exists, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +dns_websupport_rm() { + fulldomain=$1 + txtvalue=$2 + + _debug2 fulldomain "$fulldomain" + _debug2 txtvalue "$txtvalue" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + _ws_rest GET "/v1/user/self/zone/$_domain/record" + + if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"items\")" -lt "1" ]; then + _err "Error: $response" + return 1 + fi + + record_line="$(_get_from_array "$response" "$txtvalue")" + _debug record_line "$record_line" + if [ -z "$record_line" ]; then + _info "Don't need to remove." + else + record_id=$(echo "$record_line" | _egrep_o "\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ") + _debug "record_id" "$record_id" + if [ -z "$record_id" ]; then + _err "Can not get record id to remove." + return 1 + fi + if ! _ws_rest DELETE "/v1/user/self/zone/$_domain/record/$record_id"; then + _err "Delete record error." + return 1 + fi + if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"success\")" -lt "1" ]; then + return 1 + else + return 0 + fi + fi + +} + +#################### Private Functions ################################## + +_get_root() { + domain=$1 + i=1 + p=1 + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _ws_rest GET "/v1/user/self/zone"; then + return 1 + fi + + if _contains "$response" "\"name\":\"$h\""; then + _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ") + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_ws_rest() { + me=$1 + pa="$2" + da="$3" + + _debug2 api_key "$WS_ApiKey" + _debug2 api_secret "$WS_ApiSecret" + + timestamp=$(_time) + datez="$(_utc_date | sed "s/ /T/" | sed "s/$/+0000/")" + canonical_request="${me} ${pa} ${timestamp}" + signature_hash=$(printf "%s" "$canonical_request" | _hmac sha1 "$(printf "%s" "$WS_ApiSecret" | _hex_dump | tr -d " ")" hex) + basicauth="$(printf "%s:%s" "$WS_ApiKey" "$signature_hash" | _base64)" + + _debug2 method "$me" + _debug2 path "$pa" + _debug2 data "$da" + _debug2 timestamp "$timestamp" + _debug2 datez "$datez" + _debug2 canonical_request "$canonical_request" + _debug2 signature_hash "$signature_hash" + _debug2 basicauth "$basicauth" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + export _H3="Authorization: Basic ${basicauth}" + export _H4="Date: ${datez}" + + _debug2 H1 "$_H1" + _debug2 H2 "$_H2" + _debug2 H3 "$_H3" + _debug2 H4 "$_H4" + + if [ "$me" != "GET" ]; then + _debug2 "${me} $WS_Api${pa}" + _debug data "$da" + response="$(_post "$da" "${WS_Api}${pa}" "" "$me")" + else + _debug2 "GET $WS_Api${pa}" + response="$(_get "$WS_Api${pa}")" + fi + + _debug2 response "$response" + return "$?" +} + +_get_from_array() { + va="$1" + fi="$2" + for i in $(echo "$va" | sed "s/{/ /g"); do + if _contains "$i" "$fi"; then + echo "$i" + break + fi + done +} diff --git a/acme.sh-master/dnsapi/dns_world4you.sh b/acme.sh-master/dnsapi/dns_world4you.sh new file mode 100644 index 0000000..dfda4ef --- /dev/null +++ b/acme.sh-master/dnsapi/dns_world4you.sh @@ -0,0 +1,220 @@ +#!/usr/bin/env sh + +# World4You - www.world4you.com +# Lorenz Stechauner, 2020 - https://www.github.com/NerLOR + +WORLD4YOU_API="https://my.world4you.com/en" +PAKETNR='' +TLD='' +RECORD='' + +################ Public functions ################ + +# Usage: dns_world4you_add +dns_world4you_add() { + fqdn=$(echo "$1" | _lower_case) + value="$2" + _info "Using world4you to add record" + _debug fulldomain "$fqdn" + _debug txtvalue "$value" + + _login + if [ "$?" != 0 ]; then + return 1 + fi + + export _H1="Cookie: W4YSESSID=$sessid" + form=$(_get "$WORLD4YOU_API/") + _get_paketnr "$fqdn" "$form" + paketnr="$PAKETNR" + if [ -z "$paketnr" ]; then + _err "Unable to parse paketnr" + return 3 + fi + _debug paketnr "$paketnr" + + export _H1="Cookie: W4YSESSID=$sessid" + form=$(_get "$WORLD4YOU_API/$paketnr/dns") + formiddp=$(echo "$form" | grep 'AddDnsRecordForm\[uniqueFormIdDP\]' | sed 's/^.*name="AddDnsRecordForm\[uniqueFormIdDP\]" value="\([^"]*\)".*$/\1/') + form_token=$(echo "$form" | grep 'AddDnsRecordForm\[_token\]' | sed 's/^.*name="AddDnsRecordForm\[_token\]" value="\([^"]*\)".*$/\1/') + if [ -z "$formiddp" ]; then + _err "Unable to parse form" + return 3 + fi + + _resethttp + export ACME_HTTP_NO_REDIRECTS=1 + body="AddDnsRecordForm[name]=$RECORD&AddDnsRecordForm[dnsType][type]=TXT&AddDnsRecordForm[value]=$value&AddDnsRecordForm[uniqueFormIdDP]=$formiddp&AddDnsRecordForm[_token]=$form_token" + _info "Adding record..." + ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns" '' POST 'application/x-www-form-urlencoded') + _resethttp + + if _contains "$(_head_n 1 <"$HTTP_HEADER")" '302'; then + res=$(_get "$WORLD4YOU_API/$paketnr/dns") + if _contains "$res" "successfully"; then + return 0 + else + msg=$(echo "$res" | grep -A 15 'data-type="danger"' | grep "]*>[^<]" | sed 's/<[^>]*>//g' | sed 's/^\s*//g') + if [ "$msg" = '' ]; then + _err "Unable to add record: Unknown error" + echo "$ret" >'error-01.html' + echo "$res" >'error-02.html' + _err "View error-01.html and error-02.html for debugging" + else + _err "Unable to add record: my.world4you.com: $msg" + fi + return 1 + fi + else + msg=$(echo "$ret" | grep '"form-error-message"' | sed 's/^.*
\([^<]*\)<\/div>.*$/\1/') + _err "Unable to add record: my.world4you.com: $msg" + return 1 + fi +} + +# Usage: dns_world4you_rm +dns_world4you_rm() { + fqdn=$(echo "$1" | _lower_case) + value="$2" + _info "Using world4you to remove record" + _debug fulldomain "$fqdn" + _debug txtvalue "$value" + + _login + if [ "$?" != 0 ]; then + return 1 + fi + + export _H1="Cookie: W4YSESSID=$sessid" + form=$(_get "$WORLD4YOU_API/") + _get_paketnr "$fqdn" "$form" + paketnr="$PAKETNR" + if [ -z "$paketnr" ]; then + _err "Unable to parse paketnr" + return 3 + fi + _debug paketnr "$paketnr" + + form=$(_get "$WORLD4YOU_API/$paketnr/dns") + formiddp=$(echo "$form" | grep 'DeleteDnsRecordForm\[uniqueFormIdDP\]' | sed 's/^.*name="DeleteDnsRecordForm\[uniqueFormIdDP\]" value="\([^"]*\)".*$/\1/') + form_token=$(echo "$form" | grep 'DeleteDnsRecordForm\[_token\]' | sed 's/^.*name="DeleteDnsRecordForm\[_token\]" value="\([^"]*\)".*$/\1/') + if [ -z "$formiddp" ]; then + _err "Unable to parse form" + return 3 + fi + + recordid=$(printf "TXT:%s.:\"%s\"" "$fqdn" "$value" | _base64) + _debug recordid "$recordid" + + _resethttp + export ACME_HTTP_NO_REDIRECTS=1 + body="DeleteDnsRecordForm[recordId]=$recordid&DeleteDnsRecordForm[uniqueFormIdDP]=$formiddp&DeleteDnsRecordForm[_token]=$form_token" + _info "Removing record..." + ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns/record/delete" '' POST 'application/x-www-form-urlencoded') + _resethttp + + if _contains "$(_head_n 1 <"$HTTP_HEADER")" '302'; then + res=$(_get "$WORLD4YOU_API/$paketnr/dns") + if _contains "$res" "successfully"; then + return 0 + else + msg=$(echo "$res" | grep -A 15 'data-type="danger"' | grep "]*>[^<]" | sed 's/<[^>]*>//g' | sed 's/^\s*//g') + if [ "$msg" = '' ]; then + _err "Unable to remove record: Unknown error" + echo "$ret" >'error-01.html' + echo "$res" >'error-02.html' + _err "View error-01.html and error-02.html for debugging" + else + _err "Unable to remove record: my.world4you.com: $msg" + fi + return 1 + fi + else + msg=$(echo "$ret" | grep "form-error-message" | sed 's/^.*
\([^<]*\)<\/div>.*$/\1/') + _err "Unable to remove record: my.world4you.com: $msg" + return 1 + fi +} + +################ Private functions ################ + +# Usage: _login +_login() { + WORLD4YOU_USERNAME="${WORLD4YOU_USERNAME:-$(_readaccountconf_mutable WORLD4YOU_USERNAME)}" + WORLD4YOU_PASSWORD="${WORLD4YOU_PASSWORD:-$(_readaccountconf_mutable WORLD4YOU_PASSWORD)}" + + if [ -z "$WORLD4YOU_USERNAME" ] || [ -z "$WORLD4YOU_PASSWORD" ]; then + WORLD4YOU_USERNAME="" + WORLD4YOU_PASSWORD="" + _err "You didn't specify world4you username and password yet." + _err "Usage: export WORLD4YOU_USERNAME=" + _err "Usage: export WORLD4YOU_PASSWORD=" + return 1 + fi + + _saveaccountconf_mutable WORLD4YOU_USERNAME "$WORLD4YOU_USERNAME" + _saveaccountconf_mutable WORLD4YOU_PASSWORD "$WORLD4YOU_PASSWORD" + + _resethttp + export ACME_HTTP_NO_REDIRECTS=1 + page=$(_get "$WORLD4YOU_API/login") + _resethttp + + if _contains "$(_head_n 1 <"$HTTP_HEADER")" '302'; then + _info "Already logged in" + _parse_sessid + return 0 + fi + + _info "Logging in..." + + username="$WORLD4YOU_USERNAME" + password="$WORLD4YOU_PASSWORD" + csrf_token=$(echo "$page" | grep '_csrf_token' | sed 's/^.*]*value=\"\([^"]*\)\".*$/\1/') + _parse_sessid + + export _H1="Cookie: W4YSESSID=$sessid" + export _H2="X-Requested-With: XMLHttpRequest" + body="_username=$username&_password=$password&_csrf_token=$csrf_token" + ret=$(_post "$body" "$WORLD4YOU_API/login" '' POST 'application/x-www-form-urlencoded') + unset _H2 + + _debug ret "$ret" + if _contains "$ret" "\"success\":true"; then + _info "Successfully logged in" + _parse_sessid + else + msg=$(echo "$ret" | sed 's/^.*"message":"\([^\"]*\)".*$/\1/') + _err "Unable to log in: my.world4you.com: $msg" + return 1 + fi +} + +# Usage: _get_paketnr
+_get_paketnr() { + fqdn="$1" + form="$2" + + domains=$(echo "$form" | grep '
    ' | sed 's/
  • ]*>/ /g' | sed 's/^.*>\([^>]*\)$/\1/') + domain='' + for domain in $domains; do + if _contains "$fqdn" "$domain\$"; then + break + fi + domain='' + done + if [ -z "$domain" ]; then + return 1 + fi + + TLD="$domain" + _debug domain "$domain" + RECORD=$(echo "$fqdn" | cut -c"1-$((${#fqdn} - ${#TLD} - 1))") + PAKETNR=$(echo "$domains" | grep "$domain" | sed 's/^[^,]*, *\([0-9]*\).*$/\1/') + return 0 +} + +# Usage: _parse_sessid +_parse_sessid() { + sessid=$(grep 'W4YSESSID' <"$HTTP_HEADER" | _tail_n 1 | sed 's/^.*W4YSESSID=\([^;]*\);.*$/\1/') +} diff --git a/acme.sh-master/dnsapi/dns_yandex.sh b/acme.sh-master/dnsapi/dns_yandex.sh new file mode 100644 index 0000000..0a2c333 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_yandex.sh @@ -0,0 +1,121 @@ +#!/usr/bin/env sh +# Author: non7top@gmail.com +# 07 Jul 2017 +# report bugs at https://github.com/non7top/acme.sh + +# Values to export: +# export PDD_Token="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + +# Sometimes cloudflare / google doesn't pick new dns records fast enough. +# You can add --dnssleep XX to params as workaround. + +######## Public functions ##################### + +#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_yandex_add() { + fulldomain="${1}" + txtvalue="${2}" + _debug "Calling: dns_yandex_add() '${fulldomain}' '${txtvalue}'" + + _PDD_credentials || return 1 + + _PDD_get_domain || return 1 + _debug "Found suitable domain: $domain" + + _PDD_get_record_ids || return 1 + _debug "Record_ids: $record_ids" + + if [ -n "$record_ids" ]; then + _info "All existing $subdomain records from $domain will be removed at the very end." + fi + + data="domain=${domain}&type=TXT&subdomain=${subdomain}&ttl=300&content=${txtvalue}" + uri="https://pddimp.yandex.ru/api2/admin/dns/add" + result="$(_post "${data}" "${uri}" | _normalizeJson)" + _debug "Result: $result" + + if ! _contains "$result" '"success":"ok"'; then + if _contains "$result" '"success":"error"' && _contains "$result" '"error":"record_exists"'; then + _info "Record already exists." + else + _err "Can't add $subdomain to $domain." + return 1 + fi + fi +} + +#Usage: dns_myapi_rm _acme-challenge.www.domain.com +dns_yandex_rm() { + fulldomain="${1}" + _debug "Calling: dns_yandex_rm() '${fulldomain}'" + + _PDD_credentials || return 1 + + _PDD_get_domain "$fulldomain" || return 1 + _debug "Found suitable domain: $domain" + + _PDD_get_record_ids "${domain}" "${subdomain}" || return 1 + _debug "Record_ids: $record_ids" + + for record_id in $record_ids; do + data="domain=${domain}&record_id=${record_id}" + uri="https://pddimp.yandex.ru/api2/admin/dns/del" + result="$(_post "${data}" "${uri}" | _normalizeJson)" + _debug "Result: $result" + + if ! _contains "$result" '"success":"ok"'; then + _info "Can't remove $subdomain from $domain." + fi + done +} + +#################### Private functions below ################################## + +_PDD_get_domain() { + subdomain_start=1 + while true; do + domain_start=$(_math $subdomain_start + 1) + domain=$(echo "$fulldomain" | cut -d . -f "$domain_start"-) + subdomain=$(echo "$fulldomain" | cut -d . -f -"$subdomain_start") + + _debug "Checking domain $domain" + if [ -z "$domain" ]; then + return 1 + fi + + uri="https://pddimp.yandex.ru/api2/admin/dns/list?domain=$domain" + result="$(_get "${uri}" | _normalizeJson)" + _debug "Result: $result" + + if _contains "$result" '"success":"ok"'; then + return 0 + fi + subdomain_start=$(_math $subdomain_start + 1) + done +} + +_PDD_credentials() { + if [ -z "${PDD_Token}" ]; then + PDD_Token="" + _err "You need to export PDD_Token=xxxxxxxxxxxxxxxxx." + _err "You can get it at https://pddimp.yandex.ru/api2/admin/get_token." + return 1 + else + _saveaccountconf PDD_Token "${PDD_Token}" + fi + export _H1="PddToken: $PDD_Token" +} + +_PDD_get_record_ids() { + _debug "Check existing records for $subdomain" + + uri="https://pddimp.yandex.ru/api2/admin/dns/list?domain=${domain}" + result="$(_get "${uri}" | _normalizeJson)" + _debug "Result: $result" + + if ! _contains "$result" '"success":"ok"'; then + return 1 + fi + + record_ids=$(echo "$result" | _egrep_o "{[^{]*\"subdomain\":\"${subdomain}\"[^}]*}" | sed -n -e 's#.*"record_id": \([0-9]*\).*#\1#p') +} diff --git a/acme.sh-master/dnsapi/dns_yc.sh b/acme.sh-master/dnsapi/dns_yc.sh new file mode 100644 index 0000000..ec3bbc8 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_yc.sh @@ -0,0 +1,264 @@ +#!/usr/bin/env sh + +#YC_Zone_ID="" # DNS Zone ID +#YC_Folder_ID="" # YC Folder ID +#YC_SA_ID="" # Service Account ID +#YC_SA_Key_ID="" # Service Account IAM Key ID +#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of YC_SA_Key_File_PEM_b64 +#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of YC_SA_Key_File_Path +YC_Api="https://dns.api.cloud.yandex.net/dns/v1" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_yc_add() { + fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name + txtvalue=$2 + + YC_SA_Key_File_PEM_b64="${YC_SA_Key_File_PEM_b64:-$(_readaccountconf_mutable YC_SA_Key_File_PEM_b64)}" + YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}" + + if [ "$YC_SA_Key_File_PEM_b64" ]; then + echo "$YC_SA_Key_File_PEM_b64" | _dbase64 >private.key + YC_SA_Key_File="private.key" + _savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64" + else + YC_SA_Key_File="$YC_SA_Key_File_Path" + _savedomainconf YC_SA_Key_File_Path "$YC_SA_Key_File_Path" + fi + + YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" + YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" + YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" + YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" + + if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then + if [ -f "$YC_SA_Key_File" ]; then + if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then + if [ "$YC_Zone_ID" ]; then + _savedomainconf YC_Zone_ID "$YC_Zone_ID" + _savedomainconf YC_SA_ID "$YC_SA_ID" + _savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID" + elif [ "$YC_Folder_ID" ]; then + _savedomainconf YC_Folder_ID "$YC_Folder_ID" + _saveaccountconf_mutable YC_SA_ID "$YC_SA_ID" + _saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID" + _clearaccountconf_mutable YC_Zone_ID + _clearaccountconf YC_Zone_ID + else + _err "You didn't specify a Yandex Cloud Zone ID or Folder ID yet." + return 1 + fi + else + _err "YC_SA_Key_File not a RSA file(_isRSA function return false)." + return 1 + fi + else + _err "YC_SA_Key_File not found in path $YC_SA_Key_File." + return 1 + fi + else + _clearaccountconf YC_Zone_ID + _clearaccountconf YC_Folder_ID + _clearaccountconf YC_SA_ID + _clearaccountconf YC_SA_Key_ID + _clearaccountconf YC_SA_Key_File_PEM_b64 + _clearaccountconf YC_SA_Key_File_Path + _err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File." + return 1 + fi + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + if ! _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then + _err "Error: $response" + return 1 + fi + + _info "Adding record" + if _yc_rest POST "zones/$_domain_id:upsertRecordSets" "{\"merges\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":[\"$txtvalue\"]}]}"; then + if _contains "$response" "\"done\": true"; then + _info "Added, OK" + return 0 + else + _err "Add txt record error." + return 1 + fi + fi + _err "Add txt record error." + return 1 + +} + +#fulldomain txtvalue +dns_yc_rm() { + fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name + txtvalue=$2 + + YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" + YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" + YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" + YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" + + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + _debug _domain_id "$_domain_id" + _debug _sub_domain "$_sub_domain" + _debug _domain "$_domain" + + _debug "Getting txt records" + if _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then + exists_txtvalue=$(echo "$response" | _normalizeJson | _egrep_o "\"data\".*\][^,]*" | _egrep_o "[^:]*$") + _debug exists_txtvalue "$exists_txtvalue" + else + _err "Error: $response" + return 1 + fi + + if _yc_rest POST "zones/$_domain_id:updateRecordSets" "{\"deletions\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":$exists_txtvalue}]}"; then + if _contains "$response" "\"done\": true"; then + _info "Delete, OK" + return 0 + else + _err "Delete record error." + return 1 + fi + fi + _err "Delete record error." + return 1 +} + +#################### Private functions below ################################## +#_acme-challenge.www.domain.com +#returns +# _sub_domain=_acme-challenge.www +# _domain=domain.com +# _domain_id=sdjkglgdfewsdfg +_get_root() { + domain=$1 + i=1 + p=1 + + # Use Zone ID directly if provided + if [ "$YC_Zone_ID" ]; then + if ! _yc_rest GET "zones/$YC_Zone_ID"; then + return 1 + else + if echo "$response" | tr -d " " | _egrep_o "\"id\":\"$YC_Zone_ID\"" >/dev/null; then + _domain=$(echo "$response" | _egrep_o "\"zone\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") + if [ "$_domain" ]; then + _cutlength=$((${#domain} - ${#_domain})) + _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength") + _domain_id=$YC_Zone_ID + return 0 + else + return 1 + fi + else + return 1 + fi + fi + fi + + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + if [ "$YC_Folder_ID" ]; then + if ! _yc_rest GET "zones?folderId=$YC_Folder_ID"; then + return 1 + fi + else + echo "You didn't specify a Yandex Cloud Folder ID." + return 1 + fi + if _contains "$response" "\"zone\": \"$h\""; then + _domain_id=$(echo "$response" | _normalizeJson | _egrep_o "[^{]*\"zone\":\"$h\"[^}]*" | _egrep_o "\"id\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"') + _debug _domain_id "$_domain_id" + if [ "$_domain_id" ]; then + _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) + _domain=$h + return 0 + fi + return 1 + fi + p=$i + i=$(_math "$i" + 1) + done + return 1 +} + +_yc_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + if [ ! "$YC_Token" ]; then + _debug "Login" + _yc_login + else + _debug "Token already exists. Skip Login." + fi + + token_trimmed=$(echo "$YC_Token" | tr -d '"') + + export _H1="Content-Type: application/json" + export _H2="Authorization: Bearer $token_trimmed" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$YC_Api/$ep" "" "$m")" + else + response="$(_get "$YC_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_yc_login() { + header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" | _normalizeJson | _base64 | _url_replace) + _debug header "$header" + + _current_timestamp=$(_time) + _expire_timestamp=$(_math "$_current_timestamp" + 1200) # 20 minutes + payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" | _normalizeJson | _base64 | _url_replace) + _debug payload "$payload" + + #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace ) + _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace) + _debug2 _signature "$_signature" + + rm -rf "$YC_SA_Key_File" + + _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature") + _debug2 _jwt "$_jwt" + + export _H1="Content-Type: application/json" + _iam_response="$(_post "$_jwt" "https://iam.api.cloud.yandex.net/iam/v1/tokens" "" "POST")" + _debug3 _iam_response "$(echo "$_iam_response" | _normalizeJson)" + + YC_Token="$(echo "$_iam_response" | _normalizeJson | _egrep_o "\"iamToken\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')" + _debug3 YC_Token + + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_zilore.sh b/acme.sh-master/dnsapi/dns_zilore.sh new file mode 100644 index 0000000..4211102 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_zilore.sh @@ -0,0 +1,139 @@ +#!/usr/bin/env sh + +Zilore_API="https://api.zilore.com/dns/v1" +# Zilore_Key="YOUR-ZILORE-API-KEY" + +######## Public functions ##################### + +dns_zilore_add() { + fulldomain=$1 + txtvalue=$2 + + _info "Using Zilore" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + Zilore_Key="${Zilore_Key:-$(_readaccountconf_mutable Zilore_Key)}" + if [ -z "$Zilore_Key" ]; then + Zilore_Key="" + _err "Please define Zilore API key" + return 1 + fi + _saveaccountconf_mutable Zilore_Key "$Zilore_Key" + + if ! _get_root "$fulldomain"; then + _err "Unable to determine root domain" + return 1 + else + _debug _domain "$_domain" + fi + + if _zilore_rest POST "domains/$_domain/records?record_type=TXT&record_ttl=600&record_name=$fulldomain&record_value=\"$txtvalue\""; then + if _contains "$response" '"added"' >/dev/null; then + _info "Added TXT record, waiting for validation" + return 0 + else + _debug response "$response" + _err "Error while adding DNS records" + return 1 + fi + fi + + return 1 +} + +dns_zilore_rm() { + fulldomain=$1 + txtvalue=$2 + + _info "Using Zilore" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + + Zilore_Key="${Zilore_Key:-$(_readaccountconf_mutable Zilore_Key)}" + if [ -z "$Zilore_Key" ]; then + Zilore_Key="" + _err "Please define Zilore API key" + return 1 + fi + _saveaccountconf_mutable Zilore_Key "$Zilore_Key" + + if ! _get_root "$fulldomain"; then + _err "Unable to determine root domain" + return 1 + else + _debug _domain "$_domain" + fi + + _debug "Getting TXT records" + _zilore_rest GET "domains/${_domain}/records?search_text=$txtvalue&search_record_type=TXT" + _debug response "$response" + + if ! _contains "$response" '"ok"' >/dev/null; then + _err "Error while getting records list" + return 1 + else + _record_id=$(printf "%s\n" "$response" | _egrep_o "\"record_id\":\"[^\"]+\"" | cut -d : -f 2 | tr -d \" | _head_n 1) + if [ -z "$_record_id" ]; then + _err "Cannot determine _record_id" + return 1 + else + _debug _record_id "$_record_id" + fi + if ! _zilore_rest DELETE "domains/${_domain}/records?record_id=$_record_id"; then + _err "Error while deleting chosen record" + return 1 + fi + _contains "$response" '"ok"' + fi +} + +#################### Private functions below ################################## + +_get_root() { + domain=$1 + i=2 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + #not valid + return 1 + fi + + if ! _zilore_rest GET "domains?search_text=$h"; then + return 1 + fi + + if _contains "$response" "\"$h\"" >/dev/null; then + _domain=$h + return 0 + else + _debug "$h not found" + fi + i=$(_math "$i" + 1) + done + return 1 +} + +_zilore_rest() { + method=$1 + param=$2 + data=$3 + + export _H1="X-Auth-Key: $Zilore_Key" + + if [ "$method" != "GET" ]; then + response="$(_post "$data" "$Zilore_API/$param" "" "$method")" + else + response="$(_get "$Zilore_API/$param")" + fi + + if [ "$?" != "0" ]; then + _err "error $param" + return 1 + fi + + _debug2 response "$response" + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_zone.sh b/acme.sh-master/dnsapi/dns_zone.sh new file mode 100644 index 0000000..176fc49 --- /dev/null +++ b/acme.sh-master/dnsapi/dns_zone.sh @@ -0,0 +1,149 @@ +#!/usr/bin/env sh + +# Zone.ee dns API +# https://help.zone.eu/kb/zoneid-api-v2/ +# required ZONE_Username and ZONE_Key + +ZONE_Api="https://api.zone.eu/v2" +######## Public functions ##################### + +#Usage: dns_zone_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_zone_add() { + fulldomain=$1 + txtvalue=$2 + _info "Using zone.ee dns api" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + ZONE_Username="${ZONE_Username:-$(_readaccountconf_mutable ZONE_Username)}" + ZONE_Key="${ZONE_Key:-$(_readaccountconf_mutable ZONE_Key)}" + if [ -z "$ZONE_Username" ] || [ -z "$ZONE_Key" ]; then + ZONE_Username="" + ZONE_Key="" + _err "Zone api key and username must be present." + return 1 + fi + _saveaccountconf_mutable ZONE_Username "$ZONE_Username" + _saveaccountconf_mutable ZONE_Key "$ZONE_Key" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug "Adding txt record" + + if _zone_rest POST "dns/${_domain}/txt" "{\"name\": \"$fulldomain\", \"destination\": \"$txtvalue\"}"; then + if printf -- "%s" "$response" | grep "$fulldomain" >/dev/null; then + _info "Added, OK" + return 0 + else + _err "Adding txt record error." + return 1 + fi + else + _err "Adding txt record error." + fi +} + +#Usage: fulldomain txtvalue +#Remove the txt record after validation. +dns_zone_rm() { + fulldomain=$1 + txtvalue=$2 + _info "Using zone.ee dns api" + _debug fulldomain "$fulldomain" + _debug txtvalue "$txtvalue" + ZONE_Username="${ZONE_Username:-$(_readaccountconf_mutable ZONE_Username)}" + ZONE_Key="${ZONE_Key:-$(_readaccountconf_mutable ZONE_Key)}" + if [ -z "$ZONE_Username" ] || [ -z "$ZONE_Key" ]; then + ZONE_Username="" + ZONE_Key="" + _err "Zone api key and username must be present." + return 1 + fi + _saveaccountconf_mutable ZONE_Username "$ZONE_Username" + _saveaccountconf_mutable ZONE_Key "$ZONE_Key" + _debug "First detect the root zone" + if ! _get_root "$fulldomain"; then + _err "invalid domain" + return 1 + fi + + _debug "Getting txt records" + _debug _domain "$_domain" + + _zone_rest GET "dns/${_domain}/txt" + + if printf "%s" "$response" | grep \"error\" >/dev/null; then + _err "Error" + return 1 + fi + + count=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$fulldomain\"" | wc -l) + _debug count "$count" + if [ "$count" = "0" ]; then + _info "Nothing to remove." + else + record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\",\"resource_url\":\"[^\"]*\",\"name\":\"$fulldomain\"," | cut -d : -f2 | cut -d , -f1 | tr -d \" | _head_n 1) + if [ -z "$record_id" ]; then + _err "No id found to remove." + return 1 + fi + if ! _zone_rest DELETE "dns/${_domain}/txt/$record_id"; then + _err "Record deleting error." + return 1 + fi + _info "Record deleted" + return 0 + fi + +} + +#################### Private functions below ################################## + +_zone_rest() { + m=$1 + ep="$2" + data="$3" + _debug "$ep" + + realm="$(printf "%s" "$ZONE_Username:$ZONE_Key" | _base64)" + + export _H1="Authorization: Basic $realm" + export _H2="Content-Type: application/json" + + if [ "$m" != "GET" ]; then + _debug data "$data" + response="$(_post "$data" "$ZONE_Api/$ep" "" "$m")" + else + response="$(_get "$ZONE_Api/$ep")" + fi + + if [ "$?" != "0" ]; then + _err "error $ep" + return 1 + fi + _debug2 response "$response" + return 0 +} + +_get_root() { + domain=$1 + i=2 + while true; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100) + _debug h "$h" + if [ -z "$h" ]; then + return 1 + fi + if ! _zone_rest GET "dns/$h"; then + return 1 + fi + if _contains "$response" "\"identificator\":\"$h\"" >/dev/null; then + _domain=$h + return 0 + fi + i=$(_math "$i" + 1) + done + return 0 +} diff --git a/acme.sh-master/dnsapi/dns_zonomi.sh b/acme.sh-master/dnsapi/dns_zonomi.sh new file mode 100644 index 0000000..52a889e --- /dev/null +++ b/acme.sh-master/dnsapi/dns_zonomi.sh @@ -0,0 +1,85 @@ +#!/usr/bin/env sh + +# +#ZM_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" +# +#https://zonomi.com dns api + +ZM_Api="https://zonomi.com/app/dns/dyndns.jsp" + +######## Public functions ##################### + +#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_zonomi_add() { + fulldomain=$1 + txtvalue=$2 + + ZM_Key="${ZM_Key:-$(_readaccountconf_mutable ZM_Key)}" + + if [ -z "$ZM_Key" ]; then + ZM_Key="" + _err "You don't specify zonomi api key yet." + _err "Please create your key and try again." + return 1 + fi + + #save the api key to the account conf file. + _saveaccountconf_mutable ZM_Key "$ZM_Key" + + _info "Get existing txt records for $fulldomain" + if ! _zm_request "action=QUERY&name=$fulldomain"; then + _err "error" + return 1 + fi + + if _contains "$response" "' | tr "<" "\n" | grep record | grep 'type="TXT"' | cut -d '"' -f 6); do + _debug2 t "$t" + _qstr="$_qstr&action[$_qindex]=SET&type[$_qindex]=TXT&name[$_qindex]=$fulldomain&value[$_qindex]=$t" + _qindex="$(_math "$_qindex" + 1)" + done + _zm_request "$_qstr" + else + _debug "Just add record" + _zm_request "action=SET&type=TXT&name=$fulldomain&value=$txtvalue" + fi + +} + +#fulldomain txtvalue +dns_zonomi_rm() { + fulldomain=$1 + txtvalue=$2 + + ZM_Key="${ZM_Key:-$(_readaccountconf_mutable ZM_Key)}" + if [ -z "$ZM_Key" ]; then + ZM_Key="" + _err "You don't specify zonomi api key yet." + _err "Please create your key and try again." + return 1 + fi + + _zm_request "action=DELETE&type=TXT&name=$fulldomain" + +} + +#################### Private functions below ################################## +#qstr +_zm_request() { + qstr="$1" + + _debug2 "qstr" "$qstr" + + _zm_url="$ZM_Api?api_key=$ZM_Key&$qstr" + _debug2 "_zm_url" "$_zm_url" + response="$(_get "$_zm_url")" + + if [ "$?" != "0" ]; then + return 1 + fi + _debug2 response "$response" + _contains "$response" "OK:" +} diff --git a/acme.sh-master/notify/bark.sh b/acme.sh-master/notify/bark.sh new file mode 100644 index 0000000..bbd5bf3 --- /dev/null +++ b/acme.sh-master/notify/bark.sh @@ -0,0 +1,51 @@ +#!/usr/bin/env sh + +#Support iOS Bark Notification + +#BARK_API_URL="https://api.day.app/xxxx" +#BARK_SOUND="yyyy" +#BARK_GROUP="zzzz" + +# subject content statusCode +bark_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + BARK_API_URL="${BARK_API_URL:-$(_readaccountconf_mutable BARK_API_URL)}" + if [ -z "$BARK_API_URL" ]; then + BARK_API_URL="" + _err "You didn't specify a Bark API URL BARK_API_URL yet." + _err "You can download Bark from App Store and get yours." + return 1 + fi + _saveaccountconf_mutable BARK_API_URL "$BARK_API_URL" + + BARK_SOUND="${BARK_SOUND:-$(_readaccountconf_mutable BARK_SOUND)}" + _saveaccountconf_mutable BARK_SOUND "$BARK_SOUND" + + BARK_GROUP="${BARK_GROUP:-$(_readaccountconf_mutable BARK_GROUP)}" + if [ -z "$BARK_GROUP" ]; then + BARK_GROUP="ACME" + _info "The BARK_GROUP is not set, so use the default ACME as group name." + else + _saveaccountconf_mutable BARK_GROUP "$BARK_GROUP" + fi + + _content=$(echo "$_content" | _url_encode) + _subject=$(echo "$_subject" | _url_encode) + + response="$(_get "$BARK_API_URL/$_subject/$_content?sound=$BARK_SOUND&group=$BARK_GROUP")" + + if [ "$?" = "0" ] && _contains "$response" "success"; then + _info "Bark API fired success." + return 0 + fi + + _err "Bark API fired error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/callmebotWhatsApp.sh b/acme.sh-master/notify/callmebotWhatsApp.sh new file mode 100644 index 0000000..1c15b28 --- /dev/null +++ b/acme.sh-master/notify/callmebotWhatsApp.sh @@ -0,0 +1,44 @@ +#!/usr/bin/env sh + +#Support CallMeBot Whatsapp webhooks + +#CALLMEBOT_YOUR_PHONE_NO="" +#CALLMEBOT_API_KEY="" + +callmebotWhatsApp_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + CALLMEBOT_YOUR_PHONE_NO="${CALLMEBOT_YOUR_PHONE_NO:-$(_readaccountconf_mutable CALLMEBOT_YOUR_PHONE_NO)}" + if [ -z "$CALLMEBOT_YOUR_PHONE_NO" ]; then + CALLMEBOT_YOUR_PHONE_NO="" + _err "You didn't specify a Slack webhook url CALLMEBOT_YOUR_PHONE_NO yet." + return 1 + fi + _saveaccountconf_mutable CALLMEBOT_YOUR_PHONE_NO "$CALLMEBOT_YOUR_PHONE_NO" + + CALLMEBOT_API_KEY="${CALLMEBOT_API_KEY:-$(_readaccountconf_mutable CALLMEBOT_API_KEY)}" + if [ "$CALLMEBOT_API_KEY" ]; then + _saveaccountconf_mutable CALLMEBOT_API_KEY "$CALLMEBOT_API_KEY" + fi + + _waUrl="https://api.callmebot.com/whatsapp.php" + + _Phone_No="$(printf "%s" "$CALLMEBOT_YOUR_PHONE_NO" | _url_encode)" + _apikey="$(printf "%s" "$CALLMEBOT_API_KEY" | _url_encode)" + _message="$(printf "*%s*\\n%s" "$_subject" "$_content" | _url_encode)" + + _finalUrl="$_waUrl?phone=$_Phone_No&apikey=$_apikey&text=$_message" + response="$(_get "$_finalUrl")" + + if [ "$?" = "0" ] && _contains ".

    Message queued. You will receive it in a few seconds."; then + _info "wa send success." + return 0 + fi + _err "wa send error." + _debug "URL" "$_finalUrl" + _debug "Response" "$response" + return 1 +} diff --git a/acme.sh-master/notify/cqhttp.sh b/acme.sh-master/notify/cqhttp.sh new file mode 100644 index 0000000..ac76f5b --- /dev/null +++ b/acme.sh-master/notify/cqhttp.sh @@ -0,0 +1,64 @@ +#!/usr/bin/env sh + +#Support for CQHTTP api. Push notification on CoolQ +#CQHTTP_TOKEN="" Recommended to be not empty, QQ application token +#CQHTTP_USER="" Required, QQ receiver ID +#CQHTTP_APIROOT="" Required, CQHTTP Server URL (without slash suffix) +#CQHTTP_CUSTOM_MSGHEAD="" Optional, custom message header + +CQHTTP_APIPATH="/send_private_msg" + +cqhttp_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + CQHTTP_TOKEN="${CQHTTP_TOKEN:-$(_readaccountconf_mutable CQHTTP_TOKEN)}" + if [ -z "$CQHTTP_TOKEN" ]; then + CQHTTP_TOKEN="" + _info "You didn't specify a CQHTTP application token yet, which is unsafe. Assuming it to be empty." + else + _saveaccountconf_mutable CQHTTP_TOKEN "$CQHTTP_TOKEN" + fi + + CQHTTP_USER="${CQHTTP_USER:-$(_readaccountconf_mutable CQHTTP_USER)}" + if [ -z "$CQHTTP_USER" ]; then + CQHTTP_USER="" + _err "You didn't specify a QQ user yet." + return 1 + fi + _saveaccountconf_mutable CQHTTP_USER "$CQHTTP_USER" + + CQHTTP_APIROOT="${CQHTTP_APIROOT:-$(_readaccountconf_mutable CQHTTP_APIROOT)}" + if [ -z "$CQHTTP_APIROOT" ]; then + CQHTTP_APIROOT="" + _err "You didn't specify the API root yet." + return 1 + fi + _saveaccountconf_mutable CQHTTP_APIROOT "$CQHTTP_APIROOT" + + CQHTTP_CUSTOM_MSGHEAD="${CQHTTP_CUSTOM_MSGHEAD:-$(_readaccountconf_mutable CQHTTP_CUSTOM_MSGHEAD)}" + if [ -z "$CQHTTP_CUSTOM_MSGHEAD" ]; then + CQHTTP_CUSTOM_MSGHEAD="A message from acme.sh:" + else + _saveaccountconf_mutable CQHTTP_CUSTOM_MSGHEAD "$CQHTTP_CUSTOM_MSGHEAD" + fi + + _access_token="$(printf "%s" "$CQHTTP_TOKEN" | _url_encode)" + _user_id="$(printf "%s" "$CQHTTP_USER" | _url_encode)" + _message="$(printf "$CQHTTP_CUSTOM_MSGHEAD %s\\n%s" "$_subject" "$_content" | _url_encode)" + + _finalUrl="$CQHTTP_APIROOT$CQHTTP_APIPATH?access_token=$_access_token&user_id=$_user_id&message=$_message" + response="$(_get "$_finalUrl")" + + if [ "$?" = "0" ] && _contains "$response" "\"retcode\":0,\"status\":\"ok\""; then + _info "QQ send success." + return 0 + fi + + _err "QQ send error." + _debug "URL" "$_finalUrl" + _debug "Response" "$response" + return 1 +} diff --git a/acme.sh-master/notify/dingtalk.sh b/acme.sh-master/notify/dingtalk.sh new file mode 100644 index 0000000..c547da6 --- /dev/null +++ b/acme.sh-master/notify/dingtalk.sh @@ -0,0 +1,68 @@ +#!/usr/bin/env sh + +#Support dingtalk webhooks api + +#DINGTALK_WEBHOOK="xxxx" + +#optional +#DINGTALK_KEYWORD="yyyy" + +#DINGTALK_SIGNING_KEY="SEC08ffdbd403cbc3fc8a65xxxxxxxxxxxxxxxxxxxx" + +# subject content statusCode +dingtalk_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + DINGTALK_WEBHOOK="${DINGTALK_WEBHOOK:-$(_readaccountconf_mutable DINGTALK_WEBHOOK)}" + if [ -z "$DINGTALK_WEBHOOK" ]; then + DINGTALK_WEBHOOK="" + _err "You didn't specify a dingtalk webhooks DINGTALK_WEBHOOK yet." + _err "You can get yours from https://dingtalk.com" + return 1 + fi + _saveaccountconf_mutable DINGTALK_WEBHOOK "$DINGTALK_WEBHOOK" + + DINGTALK_KEYWORD="${DINGTALK_KEYWORD:-$(_readaccountconf_mutable DINGTALK_KEYWORD)}" + if [ "$DINGTALK_KEYWORD" ]; then + _saveaccountconf_mutable DINGTALK_KEYWORD "$DINGTALK_KEYWORD" + fi + + # DINGTALK_SIGNING_KEY="${DINGTALK_SIGNING_KEY:-$(_readaccountconf_mutable DINGTALK_SIGNING_KEY)}" + # if [ -z "$DINGTALK_SIGNING_KEY" ]; then + # DINGTALK_SIGNING_KEY="value1" + # _info "The DINGTALK_SIGNING_KEY is not set, so use the default value1 as key." + # elif ! _hasfield "$_IFTTT_AVAIL_MSG_KEYS" "$DINGTALK_SIGNING_KEY"; then + # _err "The DINGTALK_SIGNING_KEY \"$DINGTALK_SIGNING_KEY\" is not available, should be one of $_IFTTT_AVAIL_MSG_KEYS" + # DINGTALK_SIGNING_KEY="" + # return 1 + # else + # _saveaccountconf_mutable DINGTALK_SIGNING_KEY "$DINGTALK_SIGNING_KEY" + # fi + + # if [ "$DINGTALK_SIGNING_KEY" = "$IFTTT_CONTENT_KEY" ]; then + # DINGTALK_SIGNING_KEY="" + # IFTTT_CONTENT_KEY="" + # _err "The DINGTALK_SIGNING_KEY must not be same as IFTTT_CONTENT_KEY." + # return 1 + # fi + + _content=$(echo "$_content" | _json_encode) + _subject=$(echo "$_subject" | _json_encode) + _data="{\"msgtype\": \"text\", \"text\": {\"content\": \"[$DINGTALK_KEYWORD]\n$_subject\n$_content\"}}" + + response="$(_post "$_data" "$DINGTALK_WEBHOOK" "" "POST" "application/json")" + + if [ "$?" = "0" ] && _contains "$response" "errmsg\":\"ok"; then + _info "dingtalk webhooks event fired success." + return 0 + fi + + _err "dingtalk webhooks event fired error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/discord.sh b/acme.sh-master/notify/discord.sh new file mode 100644 index 0000000..58362a4 --- /dev/null +++ b/acme.sh-master/notify/discord.sh @@ -0,0 +1,57 @@ +#!/usr/bin/env sh + +#Support Discord webhooks + +# Required: +#DISCORD_WEBHOOK_URL="" +# Optional: +#DISCORD_USERNAME="" +#DISCORD_AVATAR_URL="" + +discord_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + DISCORD_WEBHOOK_URL="${DISCORD_WEBHOOK_URL:-$(_readaccountconf_mutable DISCORD_WEBHOOK_URL)}" + if [ -z "$DISCORD_WEBHOOK_URL" ]; then + DISCORD_WEBHOOK_URL="" + _err "You didn't specify a Discord webhook url DISCORD_WEBHOOK_URL yet." + return 1 + fi + _saveaccountconf_mutable DISCORD_WEBHOOK_URL "$DISCORD_WEBHOOK_URL" + + DISCORD_USERNAME="${DISCORD_USERNAME:-$(_readaccountconf_mutable DISCORD_USERNAME)}" + if [ "$DISCORD_USERNAME" ]; then + _saveaccountconf_mutable DISCORD_USERNAME "$DISCORD_USERNAME" + fi + + DISCORD_AVATAR_URL="${DISCORD_AVATAR_URL:-$(_readaccountconf_mutable DISCORD_AVATAR_URL)}" + if [ "$DISCORD_AVATAR_URL" ]; then + _saveaccountconf_mutable DISCORD_AVATAR_URL "$DISCORD_AVATAR_URL" + fi + + export _H1="Content-Type: application/json" + + _content="$(printf "**%s**\n%s" "$_subject" "$_content" | _json_encode)" + _data="{\"content\": \"$_content\" " + if [ "$DISCORD_USERNAME" ]; then + _data="$_data, \"username\": \"$DISCORD_USERNAME\" " + fi + if [ "$DISCORD_AVATAR_URL" ]; then + _data="$_data, \"avatar_url\": \"$DISCORD_AVATAR_URL\" " + fi + _data="$_data}" + + if _post "$_data" "$DISCORD_WEBHOOK_URL?wait=true"; then + # shellcheck disable=SC2154 + if [ "$response" ]; then + _info "discord send success." + return 0 + fi + fi + _err "discord send error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/feishu.sh b/acme.sh-master/notify/feishu.sh new file mode 100644 index 0000000..18693c2 --- /dev/null +++ b/acme.sh-master/notify/feishu.sh @@ -0,0 +1,48 @@ +#!/usr/bin/env sh + +#Support feishu webhooks api + +#required +#FEISHU_WEBHOOK="xxxx" + +#optional +#FEISHU_KEYWORD="yyyy" + +# subject content statusCode +feishu_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + FEISHU_WEBHOOK="${FEISHU_WEBHOOK:-$(_readaccountconf_mutable FEISHU_WEBHOOK)}" + if [ -z "$FEISHU_WEBHOOK" ]; then + FEISHU_WEBHOOK="" + _err "You didn't specify a feishu webhooks FEISHU_WEBHOOK yet." + _err "You can get yours from https://www.feishu.cn" + return 1 + fi + _saveaccountconf_mutable FEISHU_WEBHOOK "$FEISHU_WEBHOOK" + + FEISHU_KEYWORD="${FEISHU_KEYWORD:-$(_readaccountconf_mutable FEISHU_KEYWORD)}" + if [ "$FEISHU_KEYWORD" ]; then + _saveaccountconf_mutable FEISHU_KEYWORD "$FEISHU_KEYWORD" + fi + + _content=$(echo "$_content" | _json_encode) + _subject=$(echo "$_subject" | _json_encode) + _data="{\"msg_type\": \"text\", \"content\": {\"text\": \"[$FEISHU_KEYWORD]\n$_subject\n$_content\"}}" + + response="$(_post "$_data" "$FEISHU_WEBHOOK" "" "POST" "application/json")" + + if [ "$?" = "0" ] && _contains "$response" "StatusCode\":0"; then + _info "feishu webhooks event fired success." + return 0 + fi + + _err "feishu webhooks event fired error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/gotify.sh b/acme.sh-master/notify/gotify.sh new file mode 100644 index 0000000..e370bc2 --- /dev/null +++ b/acme.sh-master/notify/gotify.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env sh + +#Support Gotify + +#GOTIFY_URL="https://gotify.example.com" +#GOTIFY_TOKEN="123456789ABCDEF" + +#optional +#GOTIFY_PRIORITY=0 + +# subject content statusCode +gotify_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + GOTIFY_URL="${GOTIFY_URL:-$(_readaccountconf_mutable GOTIFY_URL)}" + if [ -z "$GOTIFY_URL" ]; then + GOTIFY_URL="" + _err "You didn't specify the gotify server url GOTIFY_URL." + return 1 + fi + _saveaccountconf_mutable GOTIFY_URL "$GOTIFY_URL" + + GOTIFY_TOKEN="${GOTIFY_TOKEN:-$(_readaccountconf_mutable GOTIFY_TOKEN)}" + if [ -z "$GOTIFY_TOKEN" ]; then + GOTIFY_TOKEN="" + _err "You didn't specify the gotify token GOTIFY_TOKEN." + return 1 + fi + _saveaccountconf_mutable GOTIFY_TOKEN "$GOTIFY_TOKEN" + + GOTIFY_PRIORITY="${GOTIFY_PRIORITY:-$(_readaccountconf_mutable GOTIFY_PRIORITY)}" + if [ -z "$GOTIFY_PRIORITY" ]; then + GOTIFY_PRIORITY=0 + else + _saveaccountconf_mutable GOTIFY_PRIORITY "$GOTIFY_PRIORITY" + fi + + export _H1="X-Gotify-Key: ${GOTIFY_TOKEN}" + export _H2="Content-Type: application/json" + + _content=$(echo "$_content" | _json_encode) + _subject=$(echo "$_subject" | _json_encode) + + _data="{\"title\": \"${_subject}\", \"message\": \"${_content}\", \"priority\": ${GOTIFY_PRIORITY}}" + + response="$(_post "${_data}" "${GOTIFY_URL}/message" "" "POST" "application/json")" + + if [ "$?" != "0" ]; then + _err "Failed to send message" + _err "$response" + return 1 + fi + + _debug2 response "$response" + + return 0 +} diff --git a/acme.sh-master/notify/ifttt.sh b/acme.sh-master/notify/ifttt.sh new file mode 100644 index 0000000..7b82963 --- /dev/null +++ b/acme.sh-master/notify/ifttt.sh @@ -0,0 +1,86 @@ +#!/usr/bin/env sh + +#Support ifttt.com webhooks api + +#IFTTT_API_KEY="xxxx" +#IFTTT_EVENT_NAME="yyyy" + +#IFTTT_SUBJECT_KEY="value1|value2|value3" #optional, use "value1" as default +#IFTTT_CONTENT_KEY="value1|value2|value3" #optional, use "value2" as default + +_IFTTT_AVAIL_MSG_KEYS="value1,value2,value3" + +# subject content statusCode +ifttt_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + IFTTT_API_KEY="${IFTTT_API_KEY:-$(_readaccountconf_mutable IFTTT_API_KEY)}" + if [ -z "$IFTTT_API_KEY" ]; then + IFTTT_API_KEY="" + _err "You didn't specify a ifttt webhooks api key IFTTT_API_KEY yet." + _err "You can get yours from https://ifttt.com" + return 1 + fi + _saveaccountconf_mutable IFTTT_API_KEY "$IFTTT_API_KEY" + + IFTTT_EVENT_NAME="${IFTTT_EVENT_NAME:-$(_readaccountconf_mutable IFTTT_EVENT_NAME)}" + if [ -z "$IFTTT_EVENT_NAME" ]; then + IFTTT_EVENT_NAME="" + _err "You didn't specify a ifttt webhooks event name IFTTT_EVENT_NAME yet." + return 1 + fi + _saveaccountconf_mutable IFTTT_EVENT_NAME "$IFTTT_EVENT_NAME" + + IFTTT_SUBJECT_KEY="${IFTTT_SUBJECT_KEY:-$(_readaccountconf_mutable IFTTT_SUBJECT_KEY)}" + if [ -z "$IFTTT_SUBJECT_KEY" ]; then + IFTTT_SUBJECT_KEY="value1" + _info "The IFTTT_SUBJECT_KEY is not set, so use the default value1 as key." + elif ! _hasfield "$_IFTTT_AVAIL_MSG_KEYS" "$IFTTT_SUBJECT_KEY"; then + _err "The IFTTT_SUBJECT_KEY \"$IFTTT_SUBJECT_KEY\" is not available, should be one of $_IFTTT_AVAIL_MSG_KEYS" + IFTTT_SUBJECT_KEY="" + return 1 + else + _saveaccountconf_mutable IFTTT_SUBJECT_KEY "$IFTTT_SUBJECT_KEY" + fi + + IFTTT_CONTENT_KEY="${IFTTT_CONTENT_KEY:-$(_readaccountconf_mutable IFTTT_CONTENT_KEY)}" + if [ -z "$IFTTT_CONTENT_KEY" ]; then + IFTTT_CONTENT_KEY="value2" + _info "The IFTTT_CONTENT_KEY is not set, so use the default value2 as key." + elif ! _hasfield "$_IFTTT_AVAIL_MSG_KEYS" "$IFTTT_CONTENT_KEY"; then + _err "The IFTTT_CONTENT_KEY \"$IFTTT_CONTENT_KEY\" is not available, should be one of $_IFTTT_AVAIL_MSG_KEYS" + IFTTT_CONTENT_KEY="" + return 1 + else + _saveaccountconf_mutable IFTTT_CONTENT_KEY "$IFTTT_CONTENT_KEY" + fi + + if [ "$IFTTT_SUBJECT_KEY" = "$IFTTT_CONTENT_KEY" ]; then + IFTTT_SUBJECT_KEY="" + IFTTT_CONTENT_KEY="" + _err "The IFTTT_SUBJECT_KEY must not be same as IFTTT_CONTENT_KEY." + return 1 + fi + + IFTTT_API_URL="https://maker.ifttt.com/trigger/$IFTTT_EVENT_NAME/with/key/$IFTTT_API_KEY" + + _content=$(echo "$_content" | _json_encode) + _subject=$(echo "$_subject" | _json_encode) + _data="{\"$IFTTT_SUBJECT_KEY\": \"$_subject\", \"$IFTTT_CONTENT_KEY\": \"$_content\"}" + + response="$(_post "$_data" "$IFTTT_API_URL" "" "POST" "application/json")" + + if [ "$?" = "0" ] && _contains "$response" "Congratulations"; then + _info "IFTTT webhooks event fired success." + return 0 + fi + + _err "IFTTT webhooks event fired error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/mail.sh b/acme.sh-master/notify/mail.sh new file mode 100644 index 0000000..656dd37 --- /dev/null +++ b/acme.sh-master/notify/mail.sh @@ -0,0 +1,144 @@ +#!/usr/bin/env sh + +#Support local mail app + +#MAIL_BIN="sendmail" +#MAIL_FROM="yyyy@gmail.com" +#MAIL_TO="yyyy@gmail.com" +#MAIL_NOVALIDATE="" +#MAIL_MSMTP_ACCOUNT="" + +mail_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + MAIL_NOVALIDATE="${MAIL_NOVALIDATE:-$(_readaccountconf_mutable MAIL_NOVALIDATE)}" + if [ -n "$MAIL_NOVALIDATE" ]; then + _saveaccountconf_mutable MAIL_NOVALIDATE 1 + else + _clearaccountconf "MAIL_NOVALIDATE" + fi + + MAIL_BIN="${MAIL_BIN:-$(_readaccountconf_mutable MAIL_BIN)}" + if [ -n "$MAIL_BIN" ] && ! _exists "$MAIL_BIN"; then + _err "It seems that the command $MAIL_BIN is not in path." + return 1 + fi + _MAIL_BIN=$(_mail_bin) + if [ -n "$MAIL_BIN" ]; then + _saveaccountconf_mutable MAIL_BIN "$MAIL_BIN" + else + _clearaccountconf "MAIL_BIN" + fi + + MAIL_FROM="${MAIL_FROM:-$(_readaccountconf_mutable MAIL_FROM)}" + if [ -n "$MAIL_FROM" ]; then + if ! _mail_valid "$MAIL_FROM"; then + _err "It seems that the MAIL_FROM=$MAIL_FROM is not a valid email address." + return 1 + fi + + _saveaccountconf_mutable MAIL_FROM "$MAIL_FROM" + fi + + MAIL_TO="${MAIL_TO:-$(_readaccountconf_mutable MAIL_TO)}" + if [ -n "$MAIL_TO" ]; then + if ! _mail_valid "$MAIL_TO"; then + _err "It seems that the MAIL_TO=$MAIL_TO is not a valid email address." + return 1 + fi + + _saveaccountconf_mutable MAIL_TO "$MAIL_TO" + else + MAIL_TO="$(_readaccountconf ACCOUNT_EMAIL)" + if [ -z "$MAIL_TO" ]; then + _err "It seems that account email is empty." + return 1 + fi + fi + + contenttype="text/plain; charset=utf-8" + subject="=?UTF-8?B?$(printf -- "%b" "$_subject" | _base64)?=" + result=$({ _mail_body | eval "$(_mail_cmnd)"; } 2>&1) + + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + _debug "mail send error." + _err "$result" + return 1 + fi + + _debug "mail send success." + return 0 +} + +_mail_bin() { + _MAIL_BIN="" + + for b in $MAIL_BIN sendmail ssmtp mutt mail msmtp; do + if _exists "$b"; then + _MAIL_BIN="$b" + break + fi + done + + if [ -z "$_MAIL_BIN" ]; then + _err "Please install sendmail, ssmtp, mutt, mail or msmtp first." + return 1 + fi + + echo "$_MAIL_BIN" +} + +_mail_cmnd() { + _MAIL_ARGS="" + + case $(basename "$_MAIL_BIN") in + sendmail) + if [ -n "$MAIL_FROM" ]; then + _MAIL_ARGS="-f '$MAIL_FROM'" + fi + ;; + mutt | mail) + _MAIL_ARGS="-s '$_subject'" + ;; + msmtp) + if [ -n "$MAIL_FROM" ]; then + _MAIL_ARGS="-f '$MAIL_FROM'" + fi + + if [ -n "$MAIL_MSMTP_ACCOUNT" ]; then + _MAIL_ARGS="$_MAIL_ARGS -a '$MAIL_MSMTP_ACCOUNT'" + fi + ;; + *) ;; + esac + + echo "'$_MAIL_BIN' $_MAIL_ARGS '$MAIL_TO'" +} + +_mail_body() { + case $(basename "$_MAIL_BIN") in + sendmail | ssmtp | msmtp) + if [ -n "$MAIL_FROM" ]; then + echo "From: $MAIL_FROM" + fi + + echo "To: $MAIL_TO" + echo "Subject: $subject" + echo "Content-Type: $contenttype" + echo "MIME-Version: 1.0" + echo + ;; + esac + + echo "$_content" +} + +_mail_valid() { + [ -n "$MAIL_NOVALIDATE" ] || _contains "$1" "@" +} diff --git a/acme.sh-master/notify/mailgun.sh b/acme.sh-master/notify/mailgun.sh new file mode 100644 index 0000000..93cdf79 --- /dev/null +++ b/acme.sh-master/notify/mailgun.sh @@ -0,0 +1,131 @@ +#!/usr/bin/env sh + +#Support mailgun.com api + +#MAILGUN_API_KEY="xxxx" +#MAILGUN_TO="yyyy@gmail.com" + +#MAILGUN_REGION="us|eu" #optional, use "us" as default +#MAILGUN_API_DOMAIN="xxxxxx.com" #optional, use the default sandbox domain +#MAILGUN_FROM="xxx@xxxxx.com" #optional, use the default sandbox account + +_MAILGUN_BASE_US="https://api.mailgun.net/v3" +_MAILGUN_BASE_EU="https://api.eu.mailgun.net/v3" + +_MAILGUN_BASE="$_MAILGUN_BASE_US" + +# subject content statusCode +mailgun_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + MAILGUN_API_KEY="${MAILGUN_API_KEY:-$(_readaccountconf_mutable MAILGUN_API_KEY)}" + if [ -z "$MAILGUN_API_KEY" ]; then + MAILGUN_API_KEY="" + _err "You didn't specify a mailgun api key MAILGUN_API_KEY yet ." + _err "You can get yours from here https://mailgun.com" + return 1 + fi + _saveaccountconf_mutable MAILGUN_API_KEY "$MAILGUN_API_KEY" + + MAILGUN_REGION="${MAILGUN_REGION:-$(_readaccountconf_mutable MAILGUN_REGION)}" + if [ -z "$MAILGUN_REGION" ]; then + MAILGUN_REGION="" + _debug "The MAILGUN_REGION is not set, so use the default us region." + _MAILGUN_BASE="$_MAILGUN_BASE_US" + else + MAILGUN_REGION="$(echo "$MAILGUN_REGION" | _lower_case)" + _saveaccountconf_mutable MAILGUN_REGION "$MAILGUN_REGION" + if [ "$MAILGUN_REGION" = "us" ]; then + _MAILGUN_BASE="$_MAILGUN_BASE_US" + else + _MAILGUN_BASE="$_MAILGUN_BASE_EU" + fi + fi + _debug _MAILGUN_BASE "$_MAILGUN_BASE" + MAILGUN_TO="${MAILGUN_TO:-$(_readaccountconf_mutable MAILGUN_TO)}" + if [ -z "$MAILGUN_TO" ]; then + MAILGUN_TO="" + _err "You didn't specify an email to MAILGUN_TO receive messages." + return 1 + fi + _saveaccountconf_mutable MAILGUN_TO "$MAILGUN_TO" + + MAILGUN_API_DOMAIN="${MAILGUN_API_DOMAIN:-$(_readaccountconf_mutable MAILGUN_API_DOMAIN)}" + if [ -z "$MAILGUN_API_DOMAIN" ]; then + _info "The MAILGUN_API_DOMAIN is not set, try to get the default sending sandbox domain for you." + if ! _mailgun_rest GET "/domains"; then + _err "Can not get sandbox domain." + return 1 + fi + _sendboxDomain="$(echo "$response" | _egrep_o '"name": *"sandbox.*.mailgun.org"' | cut -d : -f 2 | tr -d '" ')" + _debug _sendboxDomain "$_sendboxDomain" + MAILGUN_API_DOMAIN="$_sendboxDomain" + if [ -z "$MAILGUN_API_DOMAIN" ]; then + _err "Can not get sandbox domain for MAILGUN_API_DOMAIN" + return 1 + fi + + _info "$(__green "When using sandbox domain, you must verify your email first.")" + #todo: add recepient + fi + if [ -z "$MAILGUN_API_DOMAIN" ]; then + _err "Can not get MAILGUN_API_DOMAIN" + return 1 + fi + _saveaccountconf_mutable MAILGUN_API_DOMAIN "$MAILGUN_API_DOMAIN" + + MAILGUN_FROM="${MAILGUN_FROM:-$(_readaccountconf_mutable MAILGUN_FROM)}" + if [ -z "$MAILGUN_FROM" ]; then + MAILGUN_FROM="$PROJECT_NAME@$MAILGUN_API_DOMAIN" + _info "The MAILGUN_FROM is not set, so use the default value: $MAILGUN_FROM" + else + _debug MAILGUN_FROM "$MAILGUN_FROM" + _saveaccountconf_mutable MAILGUN_FROM "$MAILGUN_FROM" + fi + + #send from url + _msg="/$MAILGUN_API_DOMAIN/messages?from=$(printf "%s" "$MAILGUN_FROM" | _url_encode)&to=$(printf "%s" "$MAILGUN_TO" | _url_encode)&subject=$(printf "%s" "$_subject" | _url_encode)&text=$(printf "%s" "$_content" | _url_encode)" + _debug "_msg" "$_msg" + _mailgun_rest POST "$_msg" + if _contains "$response" "Queued. Thank you."; then + _debug "mailgun send success." + return 0 + else + _err "mailgun send error" + _err "$response" + return 1 + fi + +} + +# method uri data +_mailgun_rest() { + _method="$1" + _mguri="$2" + _mgdata="$3" + _debug _mguri "$_mguri" + _mgurl="$_MAILGUN_BASE$_mguri" + _debug _mgurl "$_mgurl" + + _auth="$(printf "%s" "api:$MAILGUN_API_KEY" | _base64)" + export _H1="Authorization: Basic $_auth" + export _H2="Content-Type: application/json" + + if [ "$_method" = "GET" ]; then + response="$(_get "$_mgurl")" + else + _debug _mgdata "$_mgdata" + response="$(_post "$_mgdata" "$_mgurl" "" "$_method")" + fi + if [ "$?" != "0" ]; then + _err "Error: $_mguri" + _err "$response" + return 1 + fi + _debug2 response "$response" + return 0 + +} diff --git a/acme.sh-master/notify/pop.sh b/acme.sh-master/notify/pop.sh new file mode 100644 index 0000000..f118d79 --- /dev/null +++ b/acme.sh-master/notify/pop.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env sh + +# support pop + +pop_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + _err "Not implemented yet." + return 1 +} diff --git a/acme.sh-master/notify/postmark.sh b/acme.sh-master/notify/postmark.sh new file mode 100644 index 0000000..6523feb --- /dev/null +++ b/acme.sh-master/notify/postmark.sh @@ -0,0 +1,58 @@ +#!/usr/bin/env sh + +#Support postmarkapp.com API (https://postmarkapp.com/developer/user-guide/sending-email/sending-with-api) + +#POSTMARK_TOKEN="" +#POSTMARK_TO="xxxx@xxx.com" +#POSTMARK_FROM="xxxx@cccc.com" + +postmark_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + POSTMARK_TOKEN="${POSTMARK_TOKEN:-$(_readaccountconf_mutable POSTMARK_TOKEN)}" + if [ -z "$POSTMARK_TOKEN" ]; then + POSTMARK_TOKEN="" + _err "You didn't specify a POSTMARK api token POSTMARK_TOKEN yet ." + _err "You can get yours from here https://account.postmarkapp.com" + return 1 + fi + _saveaccountconf_mutable POSTMARK_TOKEN "$POSTMARK_TOKEN" + + POSTMARK_TO="${POSTMARK_TO:-$(_readaccountconf_mutable POSTMARK_TO)}" + if [ -z "$POSTMARK_TO" ]; then + POSTMARK_TO="" + _err "You didn't specify an email to POSTMARK_TO receive messages." + return 1 + fi + _saveaccountconf_mutable POSTMARK_TO "$POSTMARK_TO" + + POSTMARK_FROM="${POSTMARK_FROM:-$(_readaccountconf_mutable POSTMARK_FROM)}" + if [ -z "$POSTMARK_FROM" ]; then + POSTMARK_FROM="" + _err "You didn't specify an email from POSTMARK_FROM receive messages." + return 1 + fi + _saveaccountconf_mutable POSTMARK_FROM "$POSTMARK_FROM" + + export _H1="Accept: application/json" + export _H2="Content-Type: application/json" + export _H3="X-Postmark-Server-Token: $POSTMARK_TOKEN" + + _content="$(echo "$_content" | _json_encode)" + _data="{\"To\": \"$POSTMARK_TO\", \"From\": \"$POSTMARK_FROM\", \"Subject\": \"$_subject\", \"TextBody\": \"$_content\"}" + if _post "$_data" "https://api.postmarkapp.com/email"; then + # shellcheck disable=SC2154 + _message=$(printf "%s\n" "$response" | _lower_case | _egrep_o "\"message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1) + if [ "$_message" = "ok" ]; then + _info "postmark send success." + return 0 + fi + fi + _err "postmark send error." + _err "$response" + return 1 + +} diff --git a/acme.sh-master/notify/pushbullet.sh b/acme.sh-master/notify/pushbullet.sh new file mode 100644 index 0000000..ca997c8 --- /dev/null +++ b/acme.sh-master/notify/pushbullet.sh @@ -0,0 +1,44 @@ +#!/usr/bin/env sh + +#Support for pushbullet.com's api. Push notification, notification sync and message platform for multiple platforms +#PUSHBULLET_TOKEN="" Required, pushbullet application token +#PUSHBULLET_DEVICE="" Optional, Specific device, ignore to send to all devices + +PUSHBULLET_URI="https://api.pushbullet.com/v2/pushes" +pushbullet_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + PUSHBULLET_TOKEN="${PUSHBULLET_TOKEN:-$(_readaccountconf_mutable PUSHBULLET_TOKEN)}" + if [ -z "$PUSHBULLET_TOKEN" ]; then + PUSHBULLET_TOKEN="" + _err "You didn't specify a Pushbullet application token yet." + return 1 + fi + _saveaccountconf_mutable PUSHBULLET_TOKEN "$PUSHBULLET_TOKEN" + + PUSHBULLET_DEVICE="${PUSHBULLET_DEVICE:-$(_readaccountconf_mutable PUSHBULLET_DEVICE)}" + if [ -z "$PUSHBULLET_DEVICE" ]; then + _clearaccountconf_mutable PUSHBULLET_DEVICE + else + _saveaccountconf_mutable PUSHBULLET_DEVICE "$PUSHBULLET_DEVICE" + fi + + export _H1="Content-Type: application/json" + export _H2="Access-Token: ${PUSHBULLET_TOKEN}" + _content="$(printf "*%s*\n" "$_content" | _json_encode)" + _subject="$(printf "*%s*\n" "$_subject" | _json_encode)" + _data="{\"type\": \"note\",\"title\": \"${_subject}\",\"body\": \"${_content}\",\"device_iden\": \"${PUSHBULLET_DEVICE}\"}" + response="$(_post "$_data" "$PUSHBULLET_URI")" + + if [ "$?" != "0" ] || _contains "$response" "\"error_code\""; then + _err "PUSHBULLET send error." + _err "$response" + return 1 + fi + + _info "PUSHBULLET send success." + return 0 +} diff --git a/acme.sh-master/notify/pushover.sh b/acme.sh-master/notify/pushover.sh new file mode 100644 index 0000000..0f99739 --- /dev/null +++ b/acme.sh-master/notify/pushover.sh @@ -0,0 +1,63 @@ +#!/usr/bin/env sh + +#Support for pushover.net's api. Push notification platform for multiple platforms +#PUSHOVER_TOKEN="" Required, pushover application token +#PUSHOVER_USER="" Required, pushover userkey +#PUSHOVER_DEVICE="" Optional, Specific device or devices by hostnames, joining multiples with a comma (such as device=iphone,nexus5) +#PUSHOVER_PRIORITY="" Optional, Lowest Priority (-2), Low Priority (-1), Normal Priority (0), High Priority (1) + +PUSHOVER_URI="https://api.pushover.net/1/messages.json" + +pushover_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-$(_readaccountconf_mutable PUSHOVER_TOKEN)}" + if [ -z "$PUSHOVER_TOKEN" ]; then + PUSHOVER_TOKEN="" + _err "You didn't specify a PushOver application token yet." + return 1 + fi + _saveaccountconf_mutable PUSHOVER_TOKEN "$PUSHOVER_TOKEN" + + PUSHOVER_USER="${PUSHOVER_USER:-$(_readaccountconf_mutable PUSHOVER_USER)}" + if [ -z "$PUSHOVER_USER" ]; then + PUSHOVER_USER="" + _err "You didn't specify a PushOver UserKey yet." + return 1 + fi + _saveaccountconf_mutable PUSHOVER_USER "$PUSHOVER_USER" + + PUSHOVER_DEVICE="${PUSHOVER_DEVICE:-$(_readaccountconf_mutable PUSHOVER_DEVICE)}" + if [ "$PUSHOVER_DEVICE" ]; then + _saveaccountconf_mutable PUSHOVER_DEVICE "$PUSHOVER_DEVICE" + fi + + PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-$(_readaccountconf_mutable PUSHOVER_PRIORITY)}" + if [ "$PUSHOVER_PRIORITY" ]; then + _saveaccountconf_mutable PUSHOVER_PRIORITY "$PUSHOVER_PRIORITY" + fi + + PUSHOVER_SOUND="${PUSHOVER_SOUND:-$(_readaccountconf_mutable PUSHOVER_SOUND)}" + if [ "$PUSHOVER_SOUND" ]; then + _saveaccountconf_mutable PUSHOVER_SOUND "$PUSHOVER_SOUND" + fi + + export _H1="Content-Type: application/json" + _content="$(printf "*%s*\n" "$_content" | _json_encode)" + _subject="$(printf "*%s*\n" "$_subject" | _json_encode)" + _data="{\"token\": \"$PUSHOVER_TOKEN\",\"user\": \"$PUSHOVER_USER\",\"title\": \"$_subject\",\"message\": \"$_content\",\"sound\": \"$PUSHOVER_SOUND\", \"device\": \"$PUSHOVER_DEVICE\", \"priority\": \"$PUSHOVER_PRIORITY\"}" + + response="$(_post "$_data" "$PUSHOVER_URI")" + + if [ "$?" = "0" ] && _contains "$response" "{\"status\":1"; then + _info "PUSHOVER send success." + return 0 + fi + + _err "PUSHOVER send error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/sendgrid.sh b/acme.sh-master/notify/sendgrid.sh new file mode 100644 index 0000000..82d3f6c --- /dev/null +++ b/acme.sh-master/notify/sendgrid.sh @@ -0,0 +1,64 @@ +#!/usr/bin/env sh + +#Support SENDGRID.com api + +#SENDGRID_API_KEY="" +#SENDGRID_TO="xxxx@xxx.com" +#SENDGRID_FROM="xxxx@cccc.com" + +sendgrid_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + SENDGRID_API_KEY="${SENDGRID_API_KEY:-$(_readaccountconf_mutable SENDGRID_API_KEY)}" + if [ -z "$SENDGRID_API_KEY" ]; then + SENDGRID_API_KEY="" + _err "You didn't specify a sendgrid api key SENDGRID_API_KEY yet ." + _err "You can get yours from here https://sendgrid.com" + return 1 + fi + _saveaccountconf_mutable SENDGRID_API_KEY "$SENDGRID_API_KEY" + + SENDGRID_TO="${SENDGRID_TO:-$(_readaccountconf_mutable SENDGRID_TO)}" + if [ -z "$SENDGRID_TO" ]; then + SENDGRID_TO="" + _err "You didn't specify an email to SENDGRID_TO receive messages." + return 1 + fi + _saveaccountconf_mutable SENDGRID_TO "$SENDGRID_TO" + + SENDGRID_FROM="${SENDGRID_FROM:-$(_readaccountconf_mutable SENDGRID_FROM)}" + if [ -z "$SENDGRID_FROM" ]; then + SENDGRID_FROM="" + _err "You didn't specify an email to SENDGRID_FROM receive messages." + return 1 + fi + _saveaccountconf_mutable SENDGRID_FROM "$SENDGRID_FROM" + + SENDGRID_FROM_NAME="${SENDGRID_FROM_NAME:-$(_readaccountconf_mutable SENDGRID_FROM_NAME)}" + _saveaccountconf_mutable SENDGRID_FROM_NAME "$SENDGRID_FROM_NAME" + + export _H1="Authorization: Bearer $SENDGRID_API_KEY" + export _H2="Content-Type: application/json" + + _content="$(echo "$_content" | _json_encode)" + + if [ -z "$SENDGRID_FROM_NAME" ]; then + _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}" + else + _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\", \"name\": \"$SENDGRID_FROM_NAME\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}" + fi + response="$(_post "$_data" "https://api.sendgrid.com/v3/mail/send")" + + if [ "$?" = "0" ] && [ -z "$response" ]; then + _info "sendgrid send sccess." + return 0 + fi + + _err "sendgrid send error." + _err "$response" + return 1 + +} diff --git a/acme.sh-master/notify/slack.sh b/acme.sh-master/notify/slack.sh new file mode 100644 index 0000000..cc1ed76 --- /dev/null +++ b/acme.sh-master/notify/slack.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env sh + +#Support Slack webhooks + +#SLACK_WEBHOOK_URL="" +#SLACK_CHANNEL="" +#SLACK_USERNAME="" + +slack_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + SLACK_WEBHOOK_URL="${SLACK_WEBHOOK_URL:-$(_readaccountconf_mutable SLACK_WEBHOOK_URL)}" + if [ -z "$SLACK_WEBHOOK_URL" ]; then + SLACK_WEBHOOK_URL="" + _err "You didn't specify a Slack webhook url SLACK_WEBHOOK_URL yet." + return 1 + fi + _saveaccountconf_mutable SLACK_WEBHOOK_URL "$SLACK_WEBHOOK_URL" + + SLACK_CHANNEL="${SLACK_CHANNEL:-$(_readaccountconf_mutable SLACK_CHANNEL)}" + if [ -n "$SLACK_CHANNEL" ]; then + _saveaccountconf_mutable SLACK_CHANNEL "$SLACK_CHANNEL" + fi + + SLACK_USERNAME="${SLACK_USERNAME:-$(_readaccountconf_mutable SLACK_USERNAME)}" + if [ -n "$SLACK_USERNAME" ]; then + _saveaccountconf_mutable SLACK_USERNAME "$SLACK_USERNAME" + fi + + export _H1="Content-Type: application/json" + + _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)" + _data="{\"text\": \"$_content\", " + if [ -n "$SLACK_CHANNEL" ]; then + _data="$_data\"channel\": \"$SLACK_CHANNEL\", " + fi + if [ -n "$SLACK_USERNAME" ]; then + _data="$_data\"username\": \"$SLACK_USERNAME\", " + fi + _data="$_data\"mrkdwn\": \"true\"}" + + if _post "$_data" "$SLACK_WEBHOOK_URL"; then + # shellcheck disable=SC2154 + if [ "$response" = "ok" ]; then + _info "slack send success." + return 0 + fi + fi + _err "slack send error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/slack_app.sh b/acme.sh-master/notify/slack_app.sh new file mode 100644 index 0000000..84d4733 --- /dev/null +++ b/acme.sh-master/notify/slack_app.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env sh + +#Support Slack APP notifications + +#SLACK_APP_CHANNEL="" +#SLACK_APP_TOKEN="" + +slack_app_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_statusCode" "$_statusCode" + + SLACK_APP_CHANNEL="${SLACK_APP_CHANNEL:-$(_readaccountconf_mutable SLACK_APP_CHANNEL)}" + if [ -n "$SLACK_APP_CHANNEL" ]; then + _saveaccountconf_mutable SLACK_APP_CHANNEL "$SLACK_APP_CHANNEL" + fi + + SLACK_APP_TOKEN="${SLACK_APP_TOKEN:-$(_readaccountconf_mutable SLACK_APP_TOKEN)}" + if [ -n "$SLACK_APP_TOKEN" ]; then + _saveaccountconf_mutable SLACK_APP_TOKEN "$SLACK_APP_TOKEN" + fi + + _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)" + _data="{\"text\": \"$_content\", " + if [ -n "$SLACK_APP_CHANNEL" ]; then + _data="$_data\"channel\": \"$SLACK_APP_CHANNEL\", " + fi + _data="$_data\"mrkdwn\": \"true\"}" + + export _H1="Authorization: Bearer $SLACK_APP_TOKEN" + + SLACK_APP_API_URL="https://slack.com/api/chat.postMessage" + if _post "$_data" "$SLACK_APP_API_URL" "" "POST" "application/json; charset=utf-8"; then + # shellcheck disable=SC2154 + SLACK_APP_RESULT_OK=$(echo "$response" | _egrep_o 'ok" *: *true') + if [ "$?" = "0" ] && [ "$SLACK_APP_RESULT_OK" ]; then + _info "slack send success." + return 0 + fi + fi + _err "slack send error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/smtp.sh b/acme.sh-master/notify/smtp.sh new file mode 100644 index 0000000..f5ebebc --- /dev/null +++ b/acme.sh-master/notify/smtp.sh @@ -0,0 +1,399 @@ +#!/usr/bin/env sh + +# support smtp + +# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3358 + +# This implementation uses either curl or Python (3 or 2.7). +# (See also the "mail" notify hook, which supports other ways to send mail.) + +# SMTP_FROM="from@example.com" # required +# SMTP_TO="to@example.com" # required +# SMTP_HOST="smtp.example.com" # required +# SMTP_PORT="25" # defaults to 25, 465 or 587 depending on SMTP_SECURE +# SMTP_SECURE="tls" # one of "none", "ssl" (implicit TLS, TLS Wrapper), "tls" (explicit TLS, STARTTLS) +# SMTP_USERNAME="" # set if SMTP server requires login +# SMTP_PASSWORD="" # set if SMTP server requires login +# SMTP_TIMEOUT="30" # seconds for SMTP operations to timeout +# SMTP_BIN="/path/to/python_or_curl" # default finds first of python3, python2.7, python, pypy3, pypy, curl on PATH + +SMTP_SECURE_DEFAULT="tls" +SMTP_TIMEOUT_DEFAULT="30" + +# subject content statuscode +smtp_send() { + SMTP_SUBJECT="$1" + SMTP_CONTENT="$2" + # UNUSED: _statusCode="$3" # 0: success, 1: error 2($RENEW_SKIP): skipped + + # Load and validate config: + SMTP_BIN="$(_readaccountconf_mutable_default SMTP_BIN)" + if [ -n "$SMTP_BIN" ] && ! _exists "$SMTP_BIN"; then + _err "SMTP_BIN '$SMTP_BIN' does not exist." + return 1 + fi + if [ -z "$SMTP_BIN" ]; then + # Look for a command that can communicate with an SMTP server. + # (Please don't add sendmail, ssmtp, mutt, mail, or msmtp here. + # Those are already handled by the "mail" notify hook.) + for cmd in python3 python2.7 python pypy3 pypy curl; do + if _exists "$cmd"; then + SMTP_BIN="$cmd" + break + fi + done + if [ -z "$SMTP_BIN" ]; then + _err "The smtp notify-hook requires curl or Python, but can't find any." + _err 'If you have one of them, define SMTP_BIN="/path/to/curl_or_python".' + _err 'Otherwise, see if you can use the "mail" notify-hook instead.' + return 1 + fi + fi + _debug SMTP_BIN "$SMTP_BIN" + _saveaccountconf_mutable_default SMTP_BIN "$SMTP_BIN" + + SMTP_FROM="$(_readaccountconf_mutable_default SMTP_FROM)" + SMTP_FROM="$(_clean_email_header "$SMTP_FROM")" + if [ -z "$SMTP_FROM" ]; then + _err "You must define SMTP_FROM as the sender email address." + return 1 + fi + if _email_has_display_name "$SMTP_FROM"; then + _err "SMTP_FROM must be only a simple email address (sender@example.com)." + _err "Change your SMTP_FROM='$SMTP_FROM' to remove the display name." + return 1 + fi + _debug SMTP_FROM "$SMTP_FROM" + _saveaccountconf_mutable_default SMTP_FROM "$SMTP_FROM" + + SMTP_TO="$(_readaccountconf_mutable_default SMTP_TO)" + SMTP_TO="$(_clean_email_header "$SMTP_TO")" + if [ -z "$SMTP_TO" ]; then + _err "You must define SMTP_TO as the recipient email address(es)." + return 1 + fi + if _email_has_display_name "$SMTP_TO"; then + _err "SMTP_TO must be only simple email addresses (to@example.com,to2@example.com)." + _err "Change your SMTP_TO='$SMTP_TO' to remove the display name(s)." + return 1 + fi + _debug SMTP_TO "$SMTP_TO" + _saveaccountconf_mutable_default SMTP_TO "$SMTP_TO" + + SMTP_HOST="$(_readaccountconf_mutable_default SMTP_HOST)" + if [ -z "$SMTP_HOST" ]; then + _err "You must define SMTP_HOST as the SMTP server hostname." + return 1 + fi + _debug SMTP_HOST "$SMTP_HOST" + _saveaccountconf_mutable_default SMTP_HOST "$SMTP_HOST" + + SMTP_SECURE="$(_readaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE_DEFAULT")" + case "$SMTP_SECURE" in + "none") smtp_port_default="25" ;; + "ssl") smtp_port_default="465" ;; + "tls") smtp_port_default="587" ;; + *) + _err "Invalid SMTP_SECURE='$SMTP_SECURE'. It must be 'ssl', 'tls' or 'none'." + return 1 + ;; + esac + _debug SMTP_SECURE "$SMTP_SECURE" + _saveaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE" "$SMTP_SECURE_DEFAULT" + + SMTP_PORT="$(_readaccountconf_mutable_default SMTP_PORT "$smtp_port_default")" + case "$SMTP_PORT" in + *[!0-9]*) + _err "Invalid SMTP_PORT='$SMTP_PORT'. It must be a port number." + return 1 + ;; + esac + _debug SMTP_PORT "$SMTP_PORT" + _saveaccountconf_mutable_default SMTP_PORT "$SMTP_PORT" "$smtp_port_default" + + SMTP_USERNAME="$(_readaccountconf_mutable_default SMTP_USERNAME)" + _debug SMTP_USERNAME "$SMTP_USERNAME" + _saveaccountconf_mutable_default SMTP_USERNAME "$SMTP_USERNAME" + + SMTP_PASSWORD="$(_readaccountconf_mutable_default SMTP_PASSWORD)" + _secure_debug SMTP_PASSWORD "$SMTP_PASSWORD" + _saveaccountconf_mutable_default SMTP_PASSWORD "$SMTP_PASSWORD" + + SMTP_TIMEOUT="$(_readaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT_DEFAULT")" + _debug SMTP_TIMEOUT "$SMTP_TIMEOUT" + _saveaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT" "$SMTP_TIMEOUT_DEFAULT" + + SMTP_X_MAILER="$(_clean_email_header "$PROJECT_NAME $VER --notify-hook smtp")" + + # Run with --debug 2 (or above) to echo the transcript of the SMTP session. + # Careful: this may include SMTP_PASSWORD in plaintext! + if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then + SMTP_SHOW_TRANSCRIPT="True" + else + SMTP_SHOW_TRANSCRIPT="" + fi + + SMTP_SUBJECT=$(_clean_email_header "$SMTP_SUBJECT") + _debug SMTP_SUBJECT "$SMTP_SUBJECT" + _debug SMTP_CONTENT "$SMTP_CONTENT" + + # Send the message: + case "$(basename "$SMTP_BIN")" in + curl) _smtp_send=_smtp_send_curl ;; + py*) _smtp_send=_smtp_send_python ;; + *) + _err "Can't figure out how to invoke '$SMTP_BIN'." + _err "Check your SMTP_BIN setting." + return 1 + ;; + esac + + if ! smtp_output="$($_smtp_send)"; then + _err "Error sending message with $SMTP_BIN." + if [ -n "$smtp_output" ]; then + _err "$smtp_output" + fi + return 1 + fi + + return 0 +} + +# Strip CR and NL from text to prevent MIME header injection +# text +_clean_email_header() { + printf "%s" "$(echo "$1" | tr -d "\r\n")" +} + +# Simple check for display name in an email address (< > or ") +# email +_email_has_display_name() { + _email="$1" + echo "$_email" | grep -q -E '^.*[<>"]' +} + +## +## curl smtp sending +## + +# Send the message via curl using SMTP_* variables +_smtp_send_curl() { + # Build curl args in $@ + case "$SMTP_SECURE" in + none) + set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}" + ;; + ssl) + set -- --url "smtps://${SMTP_HOST}:${SMTP_PORT}" + ;; + tls) + set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}" --ssl-reqd + ;; + *) + # This will only occur if someone adds a new SMTP_SECURE option above + # without updating this code for it. + _err "Unhandled SMTP_SECURE='$SMTP_SECURE' in _smtp_send_curl" + _err "Please re-run with --debug and report a bug." + return 1 + ;; + esac + + set -- "$@" \ + --upload-file - \ + --mail-from "$SMTP_FROM" \ + --max-time "$SMTP_TIMEOUT" + + # Burst comma-separated $SMTP_TO into individual --mail-rcpt args. + _to="${SMTP_TO}," + while [ -n "$_to" ]; do + _rcpt="${_to%%,*}" + _to="${_to#*,}" + set -- "$@" --mail-rcpt "$_rcpt" + done + + _smtp_login="${SMTP_USERNAME}:${SMTP_PASSWORD}" + if [ "$_smtp_login" != ":" ]; then + set -- "$@" --user "$_smtp_login" + fi + + if [ "$SMTP_SHOW_TRANSCRIPT" = "True" ]; then + set -- "$@" --verbose + else + set -- "$@" --silent --show-error + fi + + raw_message="$(_smtp_raw_message)" + + _debug2 "curl command:" "$SMTP_BIN" "$*" + _debug2 "raw_message:\n$raw_message" + + echo "$raw_message" | "$SMTP_BIN" "$@" +} + +# Output an RFC-822 / RFC-5322 email message using SMTP_* variables. +# (This assumes variables have already been cleaned for use in email headers.) +_smtp_raw_message() { + echo "From: $SMTP_FROM" + echo "To: $SMTP_TO" + echo "Subject: $(_mime_encoded_word "$SMTP_SUBJECT")" + echo "Date: $(_rfc2822_date)" + echo "Content-Type: text/plain; charset=utf-8" + echo "X-Mailer: $SMTP_X_MAILER" + echo + echo "$SMTP_CONTENT" +} + +# Convert text to RFC-2047 MIME "encoded word" format if it contains non-ASCII chars +# text +_mime_encoded_word() { + _text="$1" + # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that) + _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-" + if echo "$_text" | grep -q -E "^.*[^$_ascii]"; then + # At least one non-ASCII char; convert entire thing to encoded word + printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?=" + else + # Just printable ASCII, no conversion needed + printf "%s" "$_text" + fi +} + +# Output current date in RFC-2822 Section 3.3 format as required in email headers +# (e.g., "Mon, 15 Feb 2021 14:22:01 -0800") +_rfc2822_date() { + # Notes: + # - this is deliberately not UTC, because it "SHOULD express local time" per spec + # - the spec requires weekday and month in the C locale (English), not localized + # - this date format specifier has been tested on Linux, Mac, Solaris and FreeBSD + _old_lc_time="$LC_TIME" + LC_TIME=C + date +'%a, %-d %b %Y %H:%M:%S %z' + LC_TIME="$_old_lc_time" +} + +## +## Python smtp sending +## + +# Send the message via Python using SMTP_* variables +_smtp_send_python() { + _debug "Python version" "$("$SMTP_BIN" --version 2>&1)" + + # language=Python + "$SMTP_BIN" </dev/null; then + # shellcheck disable=SC2154 + _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p') + if [ "$_message" = "true" ]; then + _info "telegram send success." + return 0 + fi + fi + _err "telegram send error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/weixin_work.sh b/acme.sh-master/notify/weixin_work.sh new file mode 100644 index 0000000..bf3e9ad --- /dev/null +++ b/acme.sh-master/notify/weixin_work.sh @@ -0,0 +1,49 @@ +#!/usr/bin/env sh + +#Support weixin work webhooks api + +#WEIXIN_WORK_WEBHOOK="xxxx" + +#optional +#WEIXIN_WORK_KEYWORD="yyyy" + +#`WEIXIN_WORK_SIGNING_KEY`="SEC08ffdbd403cbc3fc8a65xxxxxxxxxxxxxxxxxxxx" + +# subject content statusCode +weixin_work_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + WEIXIN_WORK_WEBHOOK="${WEIXIN_WORK_WEBHOOK:-$(_readaccountconf_mutable WEIXIN_WORK_WEBHOOK)}" + if [ -z "$WEIXIN_WORK_WEBHOOK" ]; then + WEIXIN_WORK_WEBHOOK="" + _err "You didn't specify a weixin_work webhooks WEIXIN_WORK_WEBHOOK yet." + _err "You can get yours from https://work.weixin.qq.com/api/doc/90000/90136/91770" + return 1 + fi + _saveaccountconf_mutable WEIXIN_WORK_WEBHOOK "$WEIXIN_WORK_WEBHOOK" + + WEIXIN_WORK_KEYWORD="${WEIXIN_WORK_KEYWORD:-$(_readaccountconf_mutable WEIXIN_WORK_KEYWORD)}" + if [ "$WEIXIN_WORK_KEYWORD" ]; then + _saveaccountconf_mutable WEIXIN_WORK_KEYWORD "$WEIXIN_WORK_KEYWORD" + fi + + _content=$(echo "$_content" | _json_encode) + _subject=$(echo "$_subject" | _json_encode) + _data="{\"msgtype\": \"text\", \"text\": {\"content\": \"[$WEIXIN_WORK_KEYWORD]\n$_subject\n$_content\"}}" + + response="$(_post "$_data" "$WEIXIN_WORK_WEBHOOK" "" "POST" "application/json")" + + if [ "$?" = "0" ] && _contains "$response" "errmsg\":\"ok"; then + _info "weixin_work webhooks event fired success." + return 0 + fi + + _err "weixin_work webhooks event fired error." + _err "$response" + return 1 +} diff --git a/acme.sh-master/notify/xmpp.sh b/acme.sh-master/notify/xmpp.sh new file mode 100644 index 0000000..0ce1119 --- /dev/null +++ b/acme.sh-master/notify/xmpp.sh @@ -0,0 +1,90 @@ +#!/usr/bin/env sh + +#Support xmpp via sendxmpp + +#XMPP_BIN="/usr/bin/sendxmpp" +#XMPP_BIN_ARGS="-n -t --tls-ca-path=/etc/ssl/certs" +#XMPP_TO="zzzz@example.com" + +xmpp_send() { + _subject="$1" + _content="$2" + _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped + _debug "_subject" "$_subject" + _debug "_content" "$_content" + _debug "_statusCode" "$_statusCode" + + XMPP_BIN="${XMPP_BIN:-$(_readaccountconf_mutable XMPP_BIN)}" + if [ -n "$XMPP_BIN" ] && ! _exists "$XMPP_BIN"; then + _err "It seems that the command $XMPP_BIN is not in path." + return 1 + fi + _XMPP_BIN=$(_xmpp_bin) + if [ -n "$XMPP_BIN" ]; then + _saveaccountconf_mutable XMPP_BIN "$XMPP_BIN" + else + _clearaccountconf "XMPP_BIN" + fi + + XMPP_BIN_ARGS="${XMPP_BIN_ARGS:-$(_readaccountconf_mutable XMPP_BIN_ARGS)}" + if [ -n "$XMPP_BIN_ARGS" ]; then + _saveaccountconf_mutable XMPP_BIN_ARGS "$XMPP_BIN_ARGS" + else + _clearaccountconf "XMPP_BIN_ARGS" + fi + + XMPP_TO="${XMPP_TO:-$(_readaccountconf_mutable XMPP_TO)}" + if [ -n "$XMPP_TO" ]; then + if ! _xmpp_valid "$XMPP_TO"; then + _err "It seems that the XMPP_TO=$XMPP_TO is not a valid xmpp address." + return 1 + fi + + _saveaccountconf_mutable XMPP_TO "$XMPP_TO" + fi + + result=$({ _xmpp_message | eval "$(_xmpp_cmnd)"; } 2>&1) + + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + _debug "xmpp send error." + _err "$result" + return 1 + fi + + _debug "xmpp send success." + return 0 +} + +_xmpp_bin() { + if [ -n "$XMPP_BIN" ]; then + _XMPP_BIN="$XMPP_BIN" + elif _exists "sendxmpp"; then + _XMPP_BIN="sendxmpp" + else + _err "Please install sendxmpp first." + return 1 + fi + + echo "$_XMPP_BIN" +} + +_xmpp_cmnd() { + case $(basename "$_XMPP_BIN") in + sendxmpp) + echo "'$_XMPP_BIN' '$XMPP_TO' $XMPP_BIN_ARGS" + ;; + *) + _err "Command $XMPP_BIN is not supported, use sendxmpp." + return 1 + ;; + esac +} + +_xmpp_message() { + echo "$_subject" +} + +_xmpp_valid() { + _contains "$1" "@" +} diff --git a/acme.sh.zip b/acme.sh.zip new file mode 100644 index 0000000000000000000000000000000000000000..f02819f390bb1e184a844bfb911d88228f705795 GIT binary patch literal 414688 zcma%jb8sw5w{L9QwzFen$F^YV%Tt20wI)&KOM*ZQGX zuO2x`U=S#Pe?7#hja2?U_|F%307w9RLu+F?M>AS$eMcu_2YO{CPyoO`BEUv+|LZLD z|2d1!)ZEF;+2DW9hWPhqvRMPY{s063@C5<@Ao|~Dizv$oiOY!6xm#QP_t)@_Z?^zu zLL9fW28bKcy#vI{d21HzK+bvi8G&;H z+u@j2mg#;%OnPl%q-3x%nUC|Q@HQt7PHu)fg&U*5?a^|x(<>qIU=gzxRxXLRYA7X^ zHCtca#M`C#Jz(F|4BPGvyBZOe)b!A9h9U+r`j?M|W6buMK!d3@6W7xDRp17Sv1t_K z^OWnPFBgy+Hm8_y>zmKmUc#K`-GtED<@<&wf5O&GxR5zqlfdX#;QtETe=NOjn29ve z_p0{~F`?@KSPsHiNgt0XKfCncaHOlNKM-vKC2n6*U`KpDLud553Pl;)H?h{uq{ zBiXs^Pa82xHP&O(b{U_kYHnRvL0gJgQBsi53{xur7Z_5A?Bi=>>inS3Qb%JM$!rY$ zeaCxq_2O-6v&&DBzL(5qrJ>(gXuQ{rb>U^ytkcG$-z?ju4%)H`)d9W=ZrXQ&zWSs; z=d~}ZAz%nDCCJ?cbLkbC%la|t{n>!UeGy?ngprf_JC(M@vnfw#rmG6z10R;Px=~^m zKlWpskc-zi`@T?{#>uuj4ZETgdCh{H_(=XK*TTG(C$IIKPgw*lzrgV^Q-Suxy|nF zwDC?<$_(ZE#;DtrCCuGn;r>}(J4@2j5zkPJ z3Ku6C=^dw4#OG7SdF(`<6G#0;11NL+P)_#a_U4@F{Blbx3<$Hsb^C64;p&qb7-htS ztMTSBuuFY<<|xQiF|<{PS%Kthq$P&XaePP2fq#v6dqX-I*3bABP5SfMLA?ge>}d#9ce`$qkIC6wN*gDqxC=-7PJV&10V7F z$T3p%=KeL|ybH2q9=`d-@Eh;+|9is8DN9M|DhSIf3o9!9Kl9Eyj!|}q0VeoG;sZW5 zyD8u-)d!#^GB1>z3HxZ2x1H;ze93q$EU#Ok0>BCdFXO2q0|w$ z#vOMjo!t#LC-ofD&jW5Qd^$z6Y%dt-kTKkRQ+j=H^8?#7e;}uc%U@GXMLrC4U{e}FSGVN+fK`zm zDBzM!A9<&-LI~Gz1UK2KS471&y#W8UkpGjY3IF$nbhUM`G_kUEb^PDR_pHny?;Q*P zKu`Gp%K-oPeS~Bb|3bl6nbwXQ>o8Tn2TjHhSVj3n3B*+QRCN*qP zb)c^XB&rShTA4RK)O`9;$pb8jmKqNMeq9~N*7hd0fFSWWmA$VK zL5AsFAPjl?Kg5A%|4b(xjub58xbL%LsWH*ngz)ByLwlz`gztuB|MtVgK-TC!T2Bcl<=F z4!I?_Dg+Y86|f(2Yh!xc?CRbQ>D_C0n1jJBc;_YSon~KcdvUXz$_IC>T zqUVLaE<3)fJXbilS}ql$lp0DeH`@3vGrKrWvyX5NiBRy}i-(8M(yOl<1+()4H)~+I z&&zO+iH;p-*N^XKdrKiE8!H^VT|Uj195x#4O8sl2$S;Rp>sIqUR@BZT4OZRk+Y*Y@ zSsuoVDI-nI78@&REvnM4EG3$r9t=QP)rnjG5{fdkGEr?O({oZP$8Hh z=GTko#MCLq$sp)(Srge+Rl4K*r56po4*S(qboGts^nKB?1jx;3u_Y`^O{}Vm3l-+x z)fvwx78@EYSGCHGo$VRg)fwC0qt^Bep6ZNlu4S6zKI5TB$aK-335vx5=yFjhO1Z0{ zm)0fVJy`o0&tfbNLby~^(jSy%&i<9qTQ4em9W*nL5F9VYjM=wLk4- z&ZPsV&M`l%A>T3V5G@W3eU~+LKyE58xAXIgRp&Oe{9Bg3ht;ZcJKw{u?R-7eT0K`s z(2WF_&;Xw90G?NsTgH;2?O5UZ_hpoqhw4>f8XGJyqE2>4`xOT z#e9;c6G=IWw>yi1$k@=-(;^wFI}{q&wFfcfLVO#AcCq`q&dH4kI&5rR7C~){;Ir1k z(dyozpS9hqKRs>{gIccPHRtwT?)LEZUK{Pt;r&r3t_lk5tW_uz%^8dD3?Kti9NH~& zJbGtRImS+jyqu({ICGevCHidaNaV^n4g$}}1-`&il9;-FwTdQgTy9?VX0>8Ow2OjrubV9jnGD2h!L?F9-f04zj- z9gsO60DlT8>VHtSrDQ$J-rb*r-^85;9|v%?04wkjefhM$=X0i4PWMhO*oH5nrW+cA zd>x9ivYKBQ{I(zb$di*PPkFNY4(|$H00HrF9V-c!|gHzkQfAwPQP-N)XTObVo{w0f6 z0UgR@#kyxnXhpB!H7X>*EC%r`eT{#@Eh_BGM)GfvLq9?POOpS?Oovg#p?`jxX-{wf z0LFhJ$wChLrnWXBR_=m|LVwZJYUN$oO$G!X(F0$0RH0UJaXn9gc>W|-ep0=%UnS-l zO6}Lp<91h5E)!HMU*0YYAmk|K@QU~vxxH`uZ#|t34MPZE2{a(R1{afVb-mK=_~nvSQCNN@ih4I_H;28R<-P zOGN|=6${S&5XJ6&e@9ttP-_jbev*(Zu&=MdZzRzu>AfK4pP-yHJyV+k9+l_LdHmx# z|Lv3nF$GW2nj_egFQncC>Bu&k8V=b3A3YPx_`*EFwtCj|GlX2b_pd4=i5>WD3+jHsd(l&*b zd!vq4XKBMbnuuaUs8H-z)(gqzjnLAq;$;D>G=@$0$;>o1L>^63op1p$pT5 zlY@&AFMohwjgE+k%^$V^Np|X#QW_GvBF_anAo?fMEs0gJ)+x-6#Y5GaqGL-=MS80S z=d?}pN(*Jsb!1xpe7*a=GvvbeoN&-5aaENo(eE9DaAZJ!Df2V#%Xf>UKwIJL6r^HyWNe{+lODW zS6R`!=qvPJQB?z z+pWLE;{hCJLNvh#K*n7}B3RD_q&DZXO9y98QP?qnCcnwP`Jg7UKBUgnlSXPqo25;HAh?2SXa`t1Rl5mOzqOKqxOA z&Et#X)bXOTN32Wen$IFc$u03pmdtwiz)$t65rWL$itM(XvnxL$Jq#$nx9tix$RnKd z+x}?VqcDCIy2CZQKM>mX!@iWy?W{LYGzRGx3LfLp?bCa2EfxX&>-b9my|?XUKsh(> z+9KQ0)JrIp$0t{@ok6pS-mla;;no=LVqkN)g+JVp!t#O=R)~FAwgBh3nz)B zl53H^Cq@C1XpX#oxpCgBcv{^IABsUyWkj00-+rl$shM9Bd~6R7==fEMgKP4+BHN{; z{&bE0e3-n`ZdiVB$hXtXbY_Kt`2rJw8O%nDB$;C`uBYZia4V!im`z zz$?k4t)NNi!4*(^D33)2C*oJv-fr&+f6D=z#(tnyFN+G#2EJD& zR(vERgjneGPJ=ElELyhz={1JKS&X9&TO8KvCKL=22U-CGA_ji)v}Vvt03PQ$```r_gZVEBIeAc2(QUkMgZt<{$t7 zRR08HQsy?!Zhw_5MeRsrMig)QM?S3xE9ET6NnQ%zfZ~`7L2b!RaDn2Y^v(48bdr<8 zPUGz_n}lDZOTxDT_X(a3Hyo#AYyqrk{Y7ZkJ-dlS7cT%wOv+mTRm`YWf{pNiNEkgh zE&c^9oP1)^ESE#(>YEeQW7$iYEUB&`LfKBMcDXB5_B~6li~04wsx)?QxhQWuWT1{3 zg?gPZg2v^=ikRGyNh!F4`k$`?!% zH@Mi9<--oHR(bgAUwm@}vf{Y~k=$6ctpD4Cw;ViJ7KguKwszhtR zb~ksLkjd@_L9H#tHP>?T*YIrh;%Ct($4~Ff68euZ*|U%F@7HO3dvSbmwzo`fy?QXT zceiwU{mMlm3;ZY*V0C9EMGj?uJH&WIat8K;RF8u$av3X@PZ~S;tMmm#D9((FAVL3h`Ko|LdBv*_(I~((jDr9o7@jMyo&ET!zk(UUk zrzF|TgHu3ANb+5Mjo;{(DGtXk(e4HOYm!}}6!0j0C)ow)KTI-deM8y5)*7mnb}j$q zi|8MH**E5`fH#A>F~L}3RzVY3hukp?^^}g0Je5gg6B2`4zTQZ_GOmo~Lif=xu6y2i zx3gmsasM!oKN9wIA#C+_0gOQ>r|<#9CfH>ZRKxm#awOsl8sWb(+~^K!t<_ct40yN9_&0dEz7e3 z4qjC)HB4z^M1#&3!T&*iC_^`_QlP+Vrk*!#+nak(zo4eDYLT2Gbojg$v5QFCxO;_2 zaF~Q@d8sxPtRmkf5nzW$$~eIzfnQ@%raV;6eX@b-kZGpaQ3(e@0FywGHRKP8$2pUh zV1_4UN*2N_1Hh@58Ao>H2F(ZUJ@2HA7)M zfO@nGb5V*aX)tVBsXgvyQzk{+1YTc{VwA_QR>)DdB{V^`jrr3jeDmf27ArG_$7Pd0%wZ$yO&v?JFxPf^L7XGS^AEqL-?if9+^9fP@i0$^F)IIhj7q#KbZ& z8-zJ-=HulxSmNac8iPhm#RrhYQ$Q+Q;{$}j=)qQrjFnZTd zZV=U1_Mfs&q0&O7k_L|Hh5EJ{afmjbs$v5al-(rAXP{D=#T~DP- z=uwQ1-r8TrGiST)_jWiF(_wAjgB_XDx4VKpW01^2UN9V9SuNIcaHQV298TU86YHvQ z&x#VS@j!Ae2GWf61^Y#ZF#~eNl*Z6YXbanK-V5aw9fWJI_mstcC;=}I;#~`FQ|ZX* zmkrAsA(2JRzez+nE!L@Vrun$wqS`DWx@;7hR%bvo)^5S;q^_a$pt;!b2+fKrd(VcV zwb+GH-<+-kGd~L&=+IXJ2Fp>y62?Oo4k$p&;HeSTvf_96Nw4s$gwRk7KUz5IkS7UQ zEK2Cpx+`5auL#o?83h%y4k?__avUy%L_S15aN^L?=f)~1l3ElQEP|0R2KEa|3kj|+ zGiz5AOnOXFb(K5JLQ_h~-#2c;?j4GP0I5rVk7G<&o4>fP_onI;U$yCum zBse&K{rcMuSl_d23+~&i8~jtRE^B9O^LO|xD@$8$e!~a-9v_T+$XY;QK_`HKFs7Ol z@DzB`T#^#Poux%-vh)0UqFnr8x3jXg3I*KbtoT*W{A7A&DzlXst7blU6XsVi--hR4 zS?3EF!KAPjH^7v;n0Qoy2WVa1SC4LwQGV1WoaT`C;kFLhkD1dM;KNGc3A`Xh(?y7wm6GTZeyUtFIb zVL2W?!llf_!GR+O7NtI(Z7N1=U2|4eF6DIi*GAK7 zfzNXkUiLVKuwu1sXS-fp0z|#W@JIEfl!hZ9HF|uzb?AS)b^U+4b=1k@-zSFHb?R(! z!K987j6AzI%cLan8?3?gE!<`9*jztpNyi~1wZn?1V7Lw!f)fi93psIVc>#DOc(mk+ zm*2Jdk(kb=lR}U>Xr5dvI%xmYPd>I(@Jtrh2{X=@mf~e)_xHbAxVZZwy0PVMnukyp zLTJQkq*oh}0Bwd0{`_|9DD0CF42j?S?D-%&+)|Cf^Ae6f2#A_i^?+N6;mhQ{;S0F4X}SyVv;j9Ft9RKbaF5^ zboz^5-&WqV_(qvG{1HBwq5(w}37fqp2&FR4Pgom6qSj(Lga+o8q$-!??PTr5lU*+A z@tEvMMF~n$1m@K2$#loMFz849fJV&GxiW6XP;iCUP;da_;>JI~dL;(&MrE4FegZGX zt&9_EMsI+krrWri>PKXiCf5=b7aXb7SJy3$E1);5SM0GUpJj5HrJE&f?}^q|xO&mHhqG-I9Gu}a*Tx`Q%;L;L z7R?TLlQK-*9T@^o5kx;V3;ot(^1=}Jj-c=l9MVEz1g9X>?b>c*mX_PygZ#B@JqA^+*Zz++j zmSK=4D-@CvcXOCR-HM&I95t#!MU|o(piDQnGC13Dx^Fmi^~iC& z%Cc63NhR7YaZ0Y3RT^o5+1~T~Zc|Zn0(Vsr*7zZ|m6sAN%sizFE+cV<>BceO5)dUBg{C zZ{&BLPIbjm8#e+@1zMt;{N)&8-_Pzf!;gIE84=Uo0Ck?wlsAs0DCo6ad)SLJzL4|5qUNjr28`){dH`0O#3WK4k{L@N4j|Wl_)NvCuSdH z?gmunYvhK~?rqPH^7h(eaDGQ1=ePc)_v47+4cXc5bI1!_*E4x{|EU4Kpwp=l3a1EglUG7g&urNG|Po86#_zEr$^v1D6-uq*ZW%%YA{AzYce*?_u*dut6Z!1+6rR8&MIR8Psmt(-3yv7 z=LsuFWGE6`*n*?pAf;2g%LaI%44ba`qYx$W;z?aukXtd6j7=paI-|9oX-P04s%|J) zY+|X7iB7wXy_3CiVg3NvPXS(4NsPr8Jx&OQ6S+7)jSlKVyTazd=aQ(q+Cr9z(kfoo zsr90788r(gByn>T-rx1BJ-sBCAtDd7Jb7JA#6)k?&ZAXzmEumFl0^;Quv+qDyp_67`y>O!2ep^|D?034Cq_t!h<>?6hS$z514hjUwrHuKz zj^qXV4|hb^Z)T}{!^=ZK^UOteRz{X!sI86^@AIArN34x@!Zyh(nI^P zEm}%496nsvX4;mZW^ge{g2#

HzKOLHvjD2|!!(3C~$td8wz^WAP6dl?V3r_9$!5w7K}BiJ@e{pgD=u z(~2mIzu>+wk&6>Ns zDm^23C~Sp69)->fAnD=}@>!l%l_aYkb(zBX;osIi^Agg(_D*GTg#xw>{E5IJ;<*SA z-{%1V#{19cU~%r)VMZKps(WDqlY9HHvZlx??M`GqA2GRk^<@2B3= zr2yBt`Mz5Pa%WV1*qu$UoB5thE92XrvZ%Z50{1?=IPj9ezv2-nyBYl%H%u!yO*Xk9 z3TKL+4koZxh)es6aYRpIwGZ^EUqxr~R(eaQzy|dC)M@(IL26|>o*vCbKM8bXOx{N? zcC`!YisEGpA*90fNIY^M8gy^7MYy`iD-1pWFG?DAMASJS ztz|7#ZIBnie`4f>vu!Ul47DvyqzInH$w%r>devxDkH;Yr+@2>-vot14z!OCwJtSBm znVfVY;yQ87NixzKOZ3cqDRvJK)m7EJoN?(G`6XjPguB%o&Lf;(b8C&=tthh=M})8C z;X_JaZDjq1V_z6&ctV1EDHvhuym&^^e3mN3wiHd7KtX!v-kXR*3pmA7bJ1uoIXGw9 zr~hlQk(Lk_Ch}Y0|NK*dS2edW`fii@3k_8(Z`yp*kT=_&FUFel78=ny0X<+Oh`jMI zS{{2qnT{L?g32V~xJUEkB^_y{`Db@yS8zeqj$H2;m#4{0`Xn6brXB>J=?@hyN1qZS zHy^M#bTZm6Ks9qR_lOc+AUC^@D`)4ibZK~cuS6Z!8J~ppCN)s5V*Hf=jDU>sU0V=9 zYC6IcEIu@|OY<3w)-UYS-@HO(s3)#QL@!SnG}t1qF;q5=K10Nb(?wu#p-EUU#-L5^ zpKZHg=I<21?Hfd_M3Jt(ZT*oTmy|s2JYxrp3Yok+Bf~;!^Sui)=kQ_6l8U91I9d04 zcj3;BwM{AP+&|(Csx2J8b#d^0gPmg5NMf9dGk-mHAAPwOU+*nYk!OBt-*5`2gFjj! zz=##GD`cffL?C2=A)KH=x*uykWR4B_nk$!XKd-Lb!yaK1`>yBkY6q7nb;OMnrUG|X ztmf#^sW^u_Y(C$&;n_4)Al|;EKBeKhGz8j4fw$ompchKCq7PznwJD4|ewc}kwPdG8 zqU;~L#!*`nGRa{?={MVkU`v&|0dNH+StC|CAn5f$8!neTV*Ak+2?;180i`jZj+CIx zZok2Xxnqeq|47@Cmtz3n3~5YZp>JID6(i(t{`pnmS;2BvFbMc`?r}ybV;ANP|yy{4ktDYmbeE*clbt8NKPxL}sSQ7nnZ8 z6ss-<1M4SS)G$Bf%PX;Wn51W@n8R_EGK_}r%k;Mg#h8Oa0Io^KLAigS!IvWjkBz*t`{-u1cJz zS;v&ykjTtzYZX%qCnvBpU#GP?Vo&a%EAC4|Px27sjInrG&Hffxem=A54{vVn2jpMT zy)HL>`mZ{Z{x`bm{z;YA$kx!(*x|be{V(_~R{H&Az_9i zPq?VuXkB6(qEekD@r*HsCgnFlNLI!pDmF>Opnl^E{x}7m&d=3sXK7X3>FQ(TzZ01NB;&HHG*#+^dtWL6ebd^`keJBTe zyP`SIZ7WPpP;mtqp3@Z1iK^jD;4m7(IiMgsGqKczr=kC#F)M#$+(c>5UQhx2f}(qp z2!|p&MT?sRmPpIS&Zc>(-1s?kTjgbrU2h z>E4UWQ1svjP@0bZY9VZWqp;1~89L-wiX&Z^S+HQteF@v+O6OS~X+9Fh*sjW*Xira& zXbzL)|{#JtO)fH^yCT)JzCj1$C2$f+Holk*;!0g&z0m zEU+KnU`yt$w0MJZGnal!(F2+E;VB3!*0?@^EJZneo+N;Q;9y5Y+{sOkK2{?g!#xzd z`jpz!T@8)bc;HjMCdTmPmS8A-=$Ws#7ravE?Qd-tB({tSQr}J5LEqJ;e{>{l?&#=j z{1

%Xi8QF(6z%pcYyJP{JXB3R96#L6Kll1%)MEl7B9(sfOz_HZD4|+>DH<$rkoWAL4l`aN zjEIr;PNT#htI_e}e@x7-3iz?H%SzQ$kJ95X5fZxiK?Mv(cK;QjZ6X|#3k{>T!8F>~ zVEn7fVW<&5^|+>&?Ve>lG{#$;?i7M^&fR(%jd|NSO+Z%yS3PlhO^2P4YuoA4xVT)@ z=Os0!h+JrsT^%_2Pd5fZ&^(sD`23#t^^z9Wka^}Nm0pF$+8raFBBA^1(ji7CsDBe z1nh+31ehYTl0sqei~%zv*X4li#BL_vU-?fYWo@?NJ2)KQ9Qcn;sq7qdjcopEZj2Qs zV;1=ly56YIQ=*$)Y;e4Qt|Y>sBZeeA`6;-bnePxhH>QY3fIfrZ_c~vZHV(~_M~9iT zmAADQZ7Mw~Zs!yn{aWxW7}Q5vCj1CpwrA#F#CR_Q96X_zV1mpEdbRw4xZ_B(2fov@ z>GViq(LT9AAow|;PA9|qexbFJX0pdVdo8{rWLOcY!_1q|2I0c&Ck-d+kW_(J-hP$V z;{s|0WJvYyrL>u$_UlMGVHZyi$9Pc(!m=faazepCEfb7f;SWH`_yzIN1vh#_3T)AX zJ^!~HtF|}yco35LnUNkc)qH*Ivr)=st+}^K7`&_YrTISNftp|@$Kp)B)rO2GrG3)b z+*Hbw-^l=LE=An=s^9^!F%0%v;9lzqqkUsrbik@kJZ-p1C++{FDa;51f{bof4`+;)s;O%%p#nhZ#; zbONMTI1Zj9g_n|)0$DWT9Z*WhJObcIl|2Acf)l|`yMFoel$p~~Q4I8!QNh&oB$q9Y z)FKSzRBsL!<0EpvkC4PAkFm&)!Fm6HIM#=&zM!baX1xM-MpJj}xk$ z@#c|8G7e8i-c(v*aL0_O-NcK`7G~T;Xc7%&U=rY!XG4hI?G#)Qpnu^?j(o0W(&JD9 z4WDYOno$NV=Ot3`gAwXo=Lle#8kr&TNQU!d#1r$U4hIsrr;TRA{`G1qkscAQm6fCe zC{>I9PEGOetZrRpJKIzxQQT8S8)=+)RNMC|bJC0aKFbW=X+^0;R6sW?F?Yer84!G2 z{k^vM+%2iV!oi0e7GtleqRbd&xAw^gZQB`>R-hI+mC3p$kuq@|{%i;qj`h;h-}Yar zGk2`L^$*=-Tst+GeJV~-qLMyI9pI5w7tyJQ44jokyMgrf# zCl?&_8j07g%~CtIOs_9hf0lp7S>*|>T?b`+_#5U_RxvBdB?9Ql`QPWv-PNT&Ue)L z&{TC)yiei_FS7B8GaL7~bw9{ErKJ(R^bq=rG_0VSRrX12*!s`Oqcud5EXWmobmO^f@d2(d_F}cL2E=7Ju zFV3wf(3Z~cCXhe|6Nky27$N0=*a-e6|0_m*o}~t+*WQUy``ll}0<#Qt_yDV`$RPTT zy*k^~A*-F8@O4`EUfEjV3dma8OTJ$o$<`7H&dWioEhWV1VdAHk4c|dspT| zC7U0e%WD%0HllhgRr!9gzi<32Dxok26>-x@f>UcwQfB7<#{1Q_agZb5g8cg3LWB7~ zeXr2JU9O3_mGOVy&vX7yi<_fsUj)M{U8DT0j|{;K5=FgIoAz0&RE~UuTm@UZm zyn8w%F1~p;?izdZf%j&$)(ezkB6#qb>T+s{0AuUX*FcFtgt{L^4nY&)H^cx1pcJx@ z)o~OIX8vqEb|{G$JT6M5SELy}C26cO*NU{?gb>Y?2;3VWq$+9ZVXmFt!u+ z>t1SDO{f7S*XQ?`hPc1L+|~Ag@ylJ&E>|bJ@B4i3Igqheh;<@J|J^N4jBU+ZEL-5i z{+;dXSfMHZqi+JJPhmNTfuBV&jdg8lLHj(j^Q2h0 zCZ@HM9L!1sBZ4ZZ6tl^k*kwzbrG_X!ah76wsX3vkhW$pqy%1NO>yq4yM(2z<=3FW& zHLT;3Ap#PTRHH*C9E0F*&{ZaiBdr>m#_g%(+rlqv^O)Aa^f^~zalzq!LbY943;J9l!H+?rQVo8owqm-Qy3f4-|c9pwNb zjkHe~Yo85~igp7zM8k6Z7#2p3S&D*e56OAQQTeIA71924Whog1tlINaWhk;3OMmKq zse@i0SwgD^iN|kj7Mx&FaAR#AV*vgTVPHi?yfHwJ;?%~E_%|FbmoPK9Q3?7R(SfZ>en5xmvBRJYCq2^d75r_;j#?p?gQ?ON2ovwNvF^eHZI1t ze7&6-S{i@8em{L|;kaXceOza>lu^GOE`8p@zxn=|SjX@A`ZP7XH16JH8$K*)G)+By zmwd~&pV?WxxaP3T`jC53&T)QxUZSg54*obTxp29n-}P>_Sw(k#c-^iYnaR~^tTkUQ zXy#hAimY*Lzq05oIJQJwRY3Cg^qXrJ)3?;})&nEJt z@~V+F8_RZXPFoqL>al}ttoMr1Vbj}m(2Vge02~9tUiyJ7yYAsijXD2j5XbOu6cig5*zEA@Ebsux z$JQ8@9HUP&&7*&$bw!vW{eatCylAryuqK_;kDpMvUT4Tc-1TFkd8w|*9qe$AW=S`J z=$*)A(Ye~HK&CQnU%j_hlCf*E+(H(|%ZEXr+oy3|#&Zq&IhJuxv^TY3`-l8wrpLTb z0XA1Or$euupH2Jl;EsT9xJqjg(H7y)1}>vQJ8?2bZ2F=Y$=N*+JapDwjP z5?>Cj*uH@qyR#&OJ|ZuXktuME$&YwzSJLV?BoOP~4WStFC2JfN#z#d}29dPRtBqg! ztvq*!be6wtQT6nP+LQ&LRe}V0&9i z3gKoGcbm`bWFfD|ZC$9XhTVfYfTcoD@V@P5*~t(Iov;3yoe3>H``1~ z=qz6|cME7-bEU*cQ0%YNTjI$)MZ74-zf9nV9@FC|#7CFZ z9w5n`poLNcoizOc+|mZ6z{NmtR$ZmIb(CVnuukW^yHKBp34#>IH6$S53-QLdbA3Te zT&;#1KM;rJK$ls426)0hpa`BUdTR4$0te4I#i<-Xi4sTslLp+0Tx13uRl^p{yW4Qeh1eY68HhUflwc?rYvoeyGruRH2p|V7Rzi53`R^1gCOb7JGGpQ(PJJ&NHd-aqkSCRp!y1PNDPF8 zgc_oIe9+qU$DBD*@*k;L{J^w9f zfe03okDWMZuUyhEDIiD!yr2#vLSFAk5+A-0(<$XIv^H29fWB5&c6h+51(fCq)p&%` z)?}m=7`g)}1R;>GNFA|5fHf!_jYiNKdZ4u0Z=idm?Rs~#HeS3u-=F;XIMBCu^o|Yf z?Imz-p`%)l-_7MF;WQySq1>%KEx-rH&u$tp&fim!8QR}5l+`eeYqo!yyO};Qt zSQPoWJ5guKq&zQ3a@GPGCsYM#EHa|%w;A6#8Ya^p5{>^nr3N&xqKY3~rf6Gk79F~? z;VzQ-i}(QZghShXl4?Xo>{#ZkJiKRb15$UK1d9bZzzW_%%owL%vd2LM^(#@>3prg{ zh;)$%D3f5qbH>VdAa9}(w-MK8%~<;M2Ji;M0JGqsYI`q2NMEo>^nwTrTydB|zgxk1 z0F36nZ6Xe`4XILylqb8BUY(D@4%Doh#vc-tTiyUUc)X97qDyyph2YDw!RQML-r(?& z@|$O5R9LEoXZKu@g@dV4^bTsMF3VH1X=W?2n+qRj0mt{QFXPvq5N0_NAw3}r@YSh} zj!O4RJIGmO>t3dQ#DRvbjX7N*WPylY@Mjd^o{cu>Sp?oFDOqlX7{*h8jNY3M%MNi7 znGi63fIDG-#A-fek8t-rj6jQHN3p-7hPd4&g$KuQbuK#wAc#Gr@=y*Eh)(gxWZmhT zbMTZ%2SahVNnoriswBZwVBDCDZqb2JA?iSDh7DN=Qx6L7O$P9KBfSKwovbGtw?Pif zCt@dZy`pf}stB?JO@gWFdung^y)IYpYx)Tn|NZ|U5pUca>wdlhXc>W9WZ3Sqf`%=~ z9|4se2A&@sA>;EhQGbN2a3PMvJ1bLD$77WDS*U26XsJfeu~88WS?3TW3bdo)wr$(CZQHhO+tzKnZ`-zQ+qUhwZ!=Z%W|i|-mf4(2@_+dR z=O1)&kvxc_Ox0t%P)*9E?5DE*8$O2)#hSQ&K-f4O4%Zc6tEmB{<_W9E4rNxW2BPG) zE`f`Bqe)K&0$&86U&Z-`dK<`MOC1JiOTACXM}i2Tx!4YIiW_}gX3ZpwvnfBkjvBK# zOz>}AAxwRPYgCQ~#8}wh)&iC+h8_KgwC>Uqa&__YOY$IIZb?;cI58a*0xB`4h~FOE zDfdu&AeFK)Dtum$a+~INvi@HI6I%_u$7V+8Ghsn)d1aQX#;*s6X?t=Bl-?9UocjHV zUz-AO$wuhZ#tfAao=l|745mL4UGToI@CnkYXI>-pWO%96Gc+O%i`1sLQ=fuJ%sy51 z%?LMIK(VA6em<@c`xB)4m?L%&3;uXBjx^ZH&WggP#ZM=x4oB+~?acFbvWqB8k_9Vd zMYySy<4i*w&*$^0v}WdOzf&e4wKKY&r##FyI7jw8Y_^LFiJ}WT3EqYuZCz-;Pze1f zzvzdANF%Acq7EGNYX+%AkpbHF#b+Hkp4=aET9%za1~nmROM_JYv$`3$B0>HE{|tJL zTtXm2g5JeLg40h25JwaBP;*uC&R3|SK$$0H41wSwFft}1rXZ7IGic9b`wreyQX)O+ zE2>*wV>E`GrO#-zKPv7(BI=otjEI1yE+c$QVbOEw4}DNWJ4&iYN)4aZ1Y}yv6DFPn z6m@_v5BmCaqjH06p_f|qXcgF=z-UT4jff`NglbJhI6LsxSRA!U7oxuuJMj58ZxCcg zARl&+C8H8m(#%vepmC%aX1_!LNr?zWn$_BiF*jxOoe3~(c43YiU*TIqiKhaYeIwCq zHy)jL=qaRIK8|(+*8Lv+z|^}$xnQWxLFhQ;?7ga7iCO=X$mPb=*?~r^^DBUZ0GYUm z%vW}0*{Wzy$H)a)DS|9O7Jem85KJxW<2jZJbUjS5;B|#3tMDC3i1@|QNhj4(vEc<8 zn+x4}VLO4(YE)~HhR}}9oMw{bq+}e$HokCOX%ju9(#~$GNLaPW@pvKCCc^>)&WgTGRtKaXRGf?p1Q3|_|N$ZEzLBZy{Hf%X(-WP5wh(Tpf^h} zdPhb0lM)uRekjjJ(sUw#j<3*FKiCbviMf7bsu5PjmFkU@M+g`*=E1WL zkN%>&l4Q~W3m4gz$ov4!y7o1u+4U6xI4pAhdlkzugqLp%2Q=Tx*Ef4_pb_X2RjQSZ zWh=)iT?@mJ&5yH(Ci^q_)s9m3+P}8 zu1|`I;%I{?jbg<0&U}#pxx5GIMX|(v-+2e-khxGfb3imEFe1!32@i{PLp*Dh(7l9Z zWrYAUaS+1Pu7TW;3u)tO0M=IXfnuWPPd-j6L7PS)br{JXhz#+h`O~%)B=y=tjg>w{ zp>n=c2`)@WQ>}gvIEzs^kaQ*vFC4ePEi0({SruW3uvo58nvQ{KMq3GlMtk8HQcx!s zOR;#Wa!R;!cm_e5e)J}ntSTM(KfUkjNWlbKn6ZRFDU{4id9p%9l6~IPG>5o8k%^Li z@(=6#7 z3_;lvMKlIyM-fh1-m@n}+ep~=!Cnci5&d;so{zlXp4w}0Ax=k$+9Ga%d-3QA#C*5+ znh$sfDZ7w^egIx(f2;NMnZ_c3jhCrSM=!k`JQa#Xh@{Uf8(bgrUkn-F5twyHtdy5c zzadP8dQ3+wry`0-C`4@RSA8Wnx=cC>fcdH1&mJAZ#vr^OM=JB_qc^ie99$r77Be~9 zn{k{Q`F-qnk+E8&y}qaUf9{bzCYne*_LUq7R+1ygRbkJaNgM;frk~%Ko9Yh)F=C1b z6x5{X-Z+7Y95kji7mDk}1&4ZRB*J4_G54lEzONWe2GBq-gGE(>^d79r93 zGc3>6ZUjmaPYk~?;7SP~)RP?{HllpLw58W<;BtN?r5t}bz!($i0#nY}39Q52dsQ=g zGp;?a_&D2zV+*HnC#x`=IuIHK5pu9(8vLku2SY@$%jXKskg5OjYFA&3WF1fi`Nc`X z5*B}f0-*S>C-JQQL0+$iXKZbS86jqdZ?~6xAG*iD;8p#!c;Udpqf@Hzu7h303aqKn z`h_(`na|XNf`L551iX~+723RYV-3+m1`e(FAXo`ufbf@(yiRVtUSj&;m2HYIqlBe%%nQ(#*$=9dVg>ozk| zDe|3vr5;k}i)6whl~OPft}r}_g0(s?ln?{GmaAYSy7OnzX79nj8QpyI{aXRWeJTfG zMuN5ZE|{mX?ZDLUrKG_t6o-3ZQDTny8yJTu-a>~!Ej`;HI}*>u70)`P3wDw!C`2Eb zXP*Qq&E)5A22uL&sR4Bqww#Y*Yqhm6sUVuONfBt--CbW2oH?;_>yhS92V>7|^$l~kgV?vOpszhj`Pz@wl+pl&F= z{7?N#I$rjyl-W}+nT_#?ScEfCI$1y=WzEQrinMfxQn4$DdqlIo^=a_Vnpt^8Pee9d z;~VHov>}wK>PEcM55el386KX{TNXZ+`CTL2=Yc{dT9Zg?H%mEkw?tf7X?w~c7$Dqy zHqp}WaYOs01{gM>1+b(~#Obf;i!?enZWJ74TzL%mVFhc?q04%bnGvw1g4^?bbB6DH zI)MP%PAa?R622PZQ?ay6)N|y7T>PPf5a#IR=cOH2t%b`H3rnzwgg6(-yQBVR1&jT&|nUSakUu zydxXA!v%wa6Nv#1OCcmN6044M9Omfv`!A6Ul9#rTOkvI{MTk*`I|~uphKm_VAm_!w@1CZ(c)p>$a)t{-G2R zX*5X>5pHvbcyd**&?v%#DaPtCA6Ix@3$DB#op3F;3_dE6cy>3o>NrM-!wV#vjFP)fR70PC%d(B39x#Fnn_Hi@`V{h(D|6h8N6# zZQ3i*c2|^O^A(AWx?5_R_C%2O{N&%1Eail+GcdlP%ovqXrIL&_D?7mH75Qaurqneg zz>>;~DwaVb(XtnuiFCtvOubyS<`Z?+2zjkSkCMfzIhI%|2f^G;;BnXuSWaPak0|L-x8gWJdMs_hw@VA>A3peq@PF9 zbB^OszLPTcIe3*VBmXX}x0&hR9O}qO_Z!40k+=RFgjR}^W<42 zF%ZEQ2nppvop=Ez1`fxNbX+4wx^aRJIVA>$J0{ZlJ42Qe0aP**3CQ7oxL~*(Mv92A z^R>aI{qXpncvlfJRgO%!o+2NsE;RST-4xEfnifN_RF+EZN4R8~nf5}PaucGh)d%;Q~|t z;6XWAz1K;*?KB$3SuH6-9MU}WVHB;iW&o_v7d9B3>#Y$gz17zcC`_p>_y_R zUWPm=PNFyPAorS$jGVV5$N~Y*S&=I1j0R;4P-aJpP4NV;X@9Ev0fYbI4vBOENb%kp z%0gElh{9n*wD}H8H_`^|&iQH8jA25wkO>&$ETz6b$8n57r>cC} z>*J*~Xebf36&o*ma)a7d>BJ57seJY|8EyMHdkfY=^bpltgWBabaXBIgUW9HXwp0(E zh1HH?13*BUGz7mElQ;3&&bI@4L_lS=iUWe%247aOztr^5ps(xNR{$$!gc)_usmH@_ zN@~$pPiR`RSGNUHx*6Ll7+p)BqP?3DMp9ldJZh6>m!T40vT$K#`K^IrY>`c9H8pU} zJN7p%epKXKeiUwkcP>SMPZv{}iw|ZALujkTJt1oj{1$o4^REX#H=;otl5$6es0L^#Mv>6 z$0+#99gB%X8O^Va5=F!zka5o!nEBa$SU2`K zq6#ia0YRl+BTN`7Z+?9tpfg6kE2cV+{)*^baDa!KBZXEVC89r_6e zLW6S&CdD-CdjsTnuK(Pt)*6_up%WUBNJa?nNESj0q*;0Wj$sddSBk7gN!svhWw+(<6pHBhIana_X_wybJE)-Q+6RD8Y%T; zuY+5Sh{9F-KDwio*!y7(-l4IT$O~9*lnzhog%{L|)v zKM25}+VaO=!Yj{Q_b)r5j|;rR)>uwaOdW~|(K?V3w(2tL(bS%Y(rDQYcqw9wl(mOY ze)`DhaJ!0h!u{fi?S{folZb?g)JC){f79+*~VeVM(J$%NlH>d(PfyKF;jw7jlrq|qaR09z#J}t zlAX#BTMe6GPV61Xx_g2(GVFAg0@TC_>`YB|#9QDjV(7#shQaHEs|G;2^K}vzuU;p* zk`=w4dX=LevH#pY$mDy~i5LJ9 zEYsF!j;wJ4Qo;M*@z8DxQBntpmfPU3MWJzt9MD!S&Kq;n3<8)fCNkhsTr|K(1zHTc z=V5NT3+zO4erwYq}WXrwxDcwh{1+6CDn z8VG9>XZD@b0yf==bEBhwDPm&Xm-r{fgxz}MGb3`e24W$ZiAirWLn=nW@{chPN707> z`Plm*{)9A$g>mMK%}9AJ#o@T9sGtSRj#* znR9U@`3K7@wXtzVzdtt09FIWPBd>@CPox@M9`N+$Z>g-zEs#@=ye>xhdf|O@FoUtP z;Z}LcGK{DK`}xb7~HGT>{3#0&@~pp|>MpK+A;f)yf?Ounzla z3WU<{LSWwsI%W#n_1t-p@=RGfiqKuA4C4F8;lq{$XF2ze-y%6p}d34F}fp zRSkmFa#QGru?FM#90e8sb=&Fykr$3tl*RW;iEB~p45`hLNhW6Mw2^?(p~#SKj{;8t zA#;C+rAjh-J*?77+?x8E!Yw1sNyB+$!Iw3a89L?@6>ad41LmIuzz(Sa1s}#<3CKj!>~K`~^_C8nnE9xPU9u==bB|-XCpYlvS6J+FiQ68s zPr?auI1qzt$%{gQ&yp_JOb~DlrK*7l4(>yL7}m6fp87Cl&F3o;d;a>&tjIEgj$H6Q zfbJI=t_(WvT)1kLu8L`)PG7n))W`coAI!|SEVgA?hemQx)k+ks=P}!orUJ654?G0t zDOj4EYJ)c1LVi9;gJC_%fYp zvF#O`R0-Uu`E4ta`)^Ei$!x!2hT)V~lZ&9}zO9Xz%7{~HMt!}AY`g)&fn#bWRBNU{GZk69x&TJ`I*VHV#Z2xyr?f$=67;lQ z;N)^eqGChR86C)#brxJ1IB;SX~?)Ud^a=%NkC1a~25P55TQxXGOfPFQlGZlg+qeXu^Z5)Ykxi6hDTlF7a$jTV(@k7bJzakw3L zl!}b+?`HWb3P$dzW&hF0`W~5aO;9_w*1)vk_>-3m4h~%ko~3MbY$6kD#6+3k8S|pk zQZj+#K_qxUEDY)F=ctxf{1q*Z?Lr?lJ_Vd}#)at0F$tVcbSNrcSB0}!fqPK486NUq z$+4PaaiRW80+qhaX>aooF2(_-IO~vm;B>FG6wVSW(DFwuvlAGd8<8jY$U6|& zfi?!Fg`mp@hqQ?^rRy0TIvTvuo-vgubQz>|U3kAJ29kv1PJYF6TA`5eVK3L=`O@*b z1R|1(Zuoc%uO&+tsfAln@_Y7cdSOR_>YGUwopP;fywM$6a=F=owf2cx9|P#i6rQU=4Ibfsz@WG_7akQeKWU^4O+~ zoK;@6V-_ZTMzPTRlbSvyo4X4Dm2)L-&FoAp7(a=jx|noj0J15mQ^x+XtS8_3_q-Mo zP5sSWO#Q_K8zw7H2&v3Um^+fRWE93BgN_6RQ3n=E-)C4O@);>}fhokrMAt`+vM7_i zA`U#bMxkNx{U8+4`2|&y1R)z&5d^~!Z=_JjkVF7zB#0hN( zO<~^+IMlE7FzpD#@WBT-m2t(e%lf&niNjj{wFV`W>!ixFc-=?vuoKBWxiDYEOQkEq z|1$Ytk@Ykgzlz#ivcWw^J)#XUMa0dN@la~e*MnGU#CdH%w_|YW8XpssEl9v&*UrO+ z8ATmoCIv_e7M}pco@A!h5j01zv~W9RPx%K31H_P$SAn^&`%Svaxyn$S!3CG2aAl5+ zs=G?;=|MfJR>hb-6@SLAqHWq-h-ZQ;;sVzaN%~~p1aSN8xlY(hQohH4^2w9)ra%qK zbp=X5i#BO>Ig>p*gT}v13wub4eIKr#7V;#75OA~&D@yTHeyyzpiVnUK4?W%4Zd9j5 zX6Nt@^kqr_+Qb=yv`@Jx0L2uIi{ zZSh?<{o!U*DtBkdutq?-BUbV$#UMiUd3wvNNDFTB!TM1IxQAuN^J9WT^~``+asr?~ z8S-_{@#%zWq4RvgC^-1$U<(w2HmmbM$}Mh{=(9ooV=q>mzEND5SDCC~Ab{YBhLL?~*y6g-@?Ak6SI{lV$`4-{5!ti1J%0)Mua&C;nGu zSB1z>WJJ(!z`CeEjl7BP`OKVE4`kPhJ7dj)Z00zkQEzb{x(J@b!hY%=$wY3rRP-Yl z5=EyBS?dfgr0U+axo72LZtEAiG%GW~<1_IxP^~7hq1zi#z3E9{o*0p@G07$!_b$@z*d@;>|RD2{8ZCx1fN0x0BxGlCH$7s)8!MSz`bVcO78 zr*0iozRoQid2eDjC~v_6l@i6iKV?_VT^{sZuSNaHpWlJ;G~=t*xIQp&^iH|+IYnbm0+ z{bIV>0m9%}(U{D#*<^d@LMM6UoBUZ=mDhuq5k>3-sUx)+po33oe;_qb;(kx=uD%IC z9U`kL4Nx(v?(SMq1+rc@Ue{HifYxl-1 zujFMv%s=<{)6nnR!2Z-d4-Fpv@%3d}ow>8STT5qVM|b*q`3kxx`{{P_{W|#j!O_pw zzV0h+_x{}7bk-mZ6t*6;JpfNw{qJ8$K1VHHv07ug^W968+i@+)AauC{^U^@U}wuGU$ke#pSEUK{@SM>divMbo4vP}9Khmw zm^{cs&R<7IU(eT1zE0+vTWkO0q+gHr%;afpaC*sr-FKxH&cNbZ{;_j1{^{^)`@l-@ zZNR*lj|Q*C5_)7?hM@P$hqaTrHSgBW{^k^2O+g|WVc-_+^|!$VNc76zFE=z4qO)nF zbp81l$D7og%|(`@=G*HLlPYM&_t`H1g}};gcb0#O9v`iDw$vl3rTzEIvgWPFKVNkE z>S97~mL76veOuj|zxUJEaonRVYj+0Cy>H=odK*`*y&a9|<6J0eQh4BSLY+2xs0|Es z+8^B4r>6&q?B?Y6J!1xns$Q6?|D$pD<|O7UglsAe6fkTPI>a!Pq2vqdn-FP4ov0rB z^Zexd0JugJ^7P+^&g=WCcd}9F9gd{i%MDnBr+5Gj23`<=#z1#>o^R$iTdzC?us7EC z#LLpo?hHNp8~At5St7)ql!B|Ty!r6*0=)|&cM$ zlc%+-?^|dy@$K*c9SXTKm#&}##j@K|==T-~zDPuhyPteXQdPZofwRy!3?2$^-p*!KOpUDcs-XmY*-$a%g#H_+Hu0;a_7Jc7KmAWrq*}b5{IopqTb?@N5LXsHg`wg?K!#V)p1Z3wrglpVzU| zrSj^Q$`pt4Ure)FAlNr_!}>O-=l5H`@0p{hEx56^bV0P2!q8*G)_RlY5~z8M!@p9( zI3|BDQ5+E~b-?|Z9-Qb{guc{iH$l@JDsBrFxhnHl4j)?b=F zbnn?Y?9_)W#I$;yb4{LM>qkLE%*6pnvyXqA^9K3I>=;<1@S!2uEN}^hOS78Ly@;^N zaLo|YF43EMudOx_kXXbtRr-me&WqX%WW;Pa?2l!-X31HL9%tQX{E**%UG1HU0uP~R z%)l&fbbn=6&%-}a*H>0Qq1CV0DZPFXDfms}fB*TqAfjV8J1gVXNbf}YlrVAX+wBUf zb3TiLD+p;lcdJyVBna^dNoD)QJ&4VwZ`x-L!Q%@f?5YMi<5$mX;esb0$c6CG@@_Pf zCNXI#ntRgDqSXf!)ASg9sjhh4<)c4%GyaYP23~Tm>z5ldBI?js@s|Ibw)-5g>3|4h$j_^hPt>Zi+s_Wn&=`{Ab!f_pnD8U3Yl`PHjK*ku4f6`$*B=vSS z8lIqn&lKmg!TDbEH{Iebv|~B2^ZwlSK$`4MZ}ZyZj^5oZND>p9D8Ic$fl9KU7eW6IuMX==bBnQAb}bsh_&>koRCo%X`<*MGTEK#f?7=+FTGhSUK7F#f+QMM+dpME3uz<1g#{XC2?o zFHe8Igecm8gBid>T(gBTsiB!Vk|wy}fPt=%aS=cZM<%}19Kr~?xz=;Dw0f!Mh>)M4 zlipK8wIYfC(Dm5-D0`6?{f-D4r3PZQxbgluqH}hm{7i1C5YHu^UoY20gNVD2KSiVB&MOe>OMMYuyA?x1;8CJI_&{%l zO8pBtRX2u+RiUr+a8?{~@9ZF2(chl(#Q$L%qmG0yeCsK7gZx#cR%sLV|ra~d$Z?_bQEcuYB9_ySv}inhPK5gz&? z^5DZN{`gBJT82NTdGBA&VFz#6q{gYSAkbnw#&^G1@l1(c3o?5HF!ZXu{MG3a$(FZq ze(c3}EqeM#>u)-hJg`H`g|C!sF`^WYj@5*Fhar=OUo4W_TGUmNLmB7hF3~L!=P{+M z+5j>kxPOSCn#up*E0O1Mz1Jrw4jdZR->w=IrKJB1T|9~Tw>Tk;?**Ag=}IvY%1toh zLv6`JgNv9I!_kiyotf_|mi7|zyd9?At0q;*1g6&$B=s4xNjiQS3FJmuOb8gsfV6y& zrK-yuo`OXi?BGav3!HK0_lilyB}>EvVu>3E=X7``m9ZF$gNJYXqD8PQHm}_LSdSbg z$O?P{<%X$(7dFixu_B%m#FwoWOO(nu@D3NBXn9<5{~06#w51UlV_VZ0@g!s6iwBW6 zCSwM7hNaF)U9xxgf0>r`$Qj!wn%9d$N)ZDRm z$`OpNbEJ}^X`TV}q%vBA&XyY?2otb{q7r~kF$m)rILfau4nXWXq)g)G;k#&99W7<} z2-hhIdR8iC(myRgvV;%X6R?oQoo*=!3RiynI5=|Z{BlYF8gj3IAG=nucv}}J21CIh zeWO@F`JDlpb<{JFXR$NNdkuu8;O8}9reQPAW8yub44C#31GA#e3ASH>{hl6390M@g zZwDPzu|E#IsuQ(gfpN$_4Op&u=Ztp^&p{p79Vff+0m;e{th{bWM-G7evVT}>hOLRw zEwayNC`E3tWY|p$-O#;{^7+@X`M%(!+8}m&IrRVel>dF0{ryb)eLI);*T9)SEZQFZ zoW_OO4wzflA(@4+pHyK-~{c~If1(!7*_?Ir-_L?`6CCr-3P*mTJ>X`|Un z=z-JqSrVYK+{x?chu|6GDR_6|SB`{f>Yd-%+|G9-FYmyrth5pU@}pvmZDP?H5Nv)v zt@VI01C|9wlmH8mj@Di`%0m^WM5hfU(>}kwnLmp>gO}k^Mhr+i^_I$hxvU;jM!yDCbb~GlMgvEu z(*R^ov1BVQ7b*v405#}6Il+vM@phi|ne$0Bg@JrF(uB!yNGy5F?*wsj;Qdi1xY4P$Nour{JwwNsOkt76M=8$rWGO*(40& zffYkcKdkhWOPy}&3js$bK^)x=g$QJ?fq5rffiU7hAq3XEh0&WMvL@sEV2aHg{xqMjQ9pZq$j)HjCu;7d%J?z( z0XRHEo~D6a2Jlu4t_T%;HK`6sxmY{bb*mOFhkP@%6-IjZ_eqm74h1DMw1ElFlZHBk zTiB>VYF`+=pU1bB?3PTsC0-|$+qH^8E ztUn7h z-iA0#$6)hG>qWQYab9PqIOhOT?l8^^W)n!65Xyabqd+U%IBORi^T3<*-nwOggtlPc zDuwLtA_>*jPb6@m#e)Vl>|4Amb~RzfJx`JM>@-z67-l98VwpFZyj+LsTV6w39=Qk- zelUMn?xYW?azhbU0k@=AV$7}RvVsFFC{RmfMbk{FimN|R_N!M~VDs`862VlG$|VAk z0!BTaes!JA&8m|z)Toy7Q8ogR^i#|q=LCInu;`Wah$7FJwjR0wBLM36J$Msu6>m;&9ojxTgR=;v4zje-%qSzBEIY&Z zW{dqX5fW#gNi?IKwGkvtrN@kQIVze=p(GYQBGdFXhLXbwGEqXojfqR4Cw>aWrVwHy zg$~(zwX3IhfW#M84$HyQbv`FnWFtCa@}rCN!>FTLxJe`Pan9LpR9wgylUv3o4cWDNN5Cb-n#$m*G;)50Y8JHSbWf+n`S?&g3!M_ubL#C*)vLBG0 zw+n|(P0X^ z0YGfRPn#+wCB*?%OS4}rV;usAoY^J_2_+U&8Y)yEKx148L+{j|C4)ub%DiZV_L%?3 z{X?DPtlJpL+GJLZublZ)^VO`(HcLq3P_sJbN9v|&I9cnza6SqgJaAB>QysN~35#Tn69YqhL z5)mjd(Lt-G6*giGwA)6+$VrSq0s|^0lw-&S;LG3g^IX69`cd?xUc}8%O(;>4-9k7L zS#VrgiG$(RtZZx<=|IrwJ5>l=8Pyx!&lH+>U^ijaHM$AGG?ODku87`MU{Ph~#g~F@ zB|EtzBwY1~>$&hdqVtSe`-&23zGI{NLKPuoqD-sF=uRs#^fFoonhIF+VY;tj1&wUQ z7@Y$l;W@^LEv|Amzs1|ZJlmdT`0Sbq#KU6J*%o;kUqk)i?T5%Vari5sGUg+IPb=sQ zjqXZY%;_q;7Sm9uOlM9Mk$m z4uc#cEQLyO1+;-355sPWFSv)fLsgH?M*|AuA9AX~i%e>K81jL1A5b8iIUI&;*SU|3 zeHgHO)fNAoyI#^MW4=AH687G`8J74w*tos54J)W_y|U7h)mNGze_t{}4Vq$^MmL=(-6~s!z&~nwB;8-R=B;rU5;!58q)k@>2agzZ4=E&3d#||8 z<`%V0x-&Bn58O_p4wR>Qb08MEht%<#X zbvbHK)UrbNj#VE4sG}T{h0tulQa3&3p-Yb~&$y#6T4}6WCRCPk`Dv zF(kQEb5v^}aJeD-HbC|7*#!+pF)K6cIYzY=k&bzG7)L$28TEX7xI5&-Bd(phnLa&RK6lB0Mn8jbF}1Z)wGJyffk=0?zJ#U2VZz-Xqb+622|PJ=;>3X4Ov14CFws)yY& zza!S&7CoAqSzQFP@VtRz%1jZah8_bM8f=y;BFX%faW}7GWkSRg1!a-%E-23c1csvv zJ;q&I$JONF<*;D0zd^LUI;V3jD|zI0chaij_1UF36E{Mni*Lgp?UOJ^<_Ro`;CNc^ z_GgEd(l2RNeB;v>G*a}5I6Q`0?CfIV{MM(}x3=2qx#wP}?chxte)Mf&uBKYnGrY{M zPu&f2EF)9vB`h)Gje%J27rVlZ2p-PQI&Kqa!OeC-VI5>N@ z=kkagx(_HbXnGDQ$NW8_9Xj+xAnOsyN}H|C6q4a!DKbqVn*^6rwUD`91D4{c#?dmY zz8J;t6DBu-RU|&qHT*y|K2*bC7f12ErV(x(t8OG3v^)4`e~q2m^6B!+*}_}3Ph?=e z*kNjE5sN-`ZLx5M{~h79>IR8(+Zd@BLgU_QQ}VtkBG`ID8vxrLS&Z_W)W=ud^qa|uiAX8t+Y@ng?;WMEYLohtMF^aIISf!ugVnl{hw_^CDA@tB0^r4Lb;&g+ZiFWrI^K z$59HJNj+zfE?BWO5XUX9DHnai`@?#~uV#EXrLSXnn)+6Ge%WR5ZM)>UYWx|hqX237 zdjx8^J(uDDjVpal*!C+edFrCPvaqyGQbQnxR!nE|X3gW{HfnDR7LKOTG!&`KLB}hnk zX`m)Y(*rHA%4$;90H%~|rKCG~#C5Y^vWA*851>NY3w<~^ICo@S!^Grj8Q}zefZM~4 zHQ0Vr?bc@LfHz*0U>FCX(DzOeNQ{)@@ZrFbnWFjZ8x2o`&2m_xCc!;Jn2`(j=SNpz zf&wW&&6zn@=v5l;xUi92Jp9{z7gjF5=A{=o-0Sgf9Xm0vV&%p@@7vDF)9dL*b}J_Y z+m_wohW)nrc{ly@Lii_unvq% zNn5#A&((C1?3`)>p6&x3oI3F4$PzZQ;2#02B1|8zmy z^3xhL(nnEnaJ&BXayAVp2)a>}QbMd(^8_GchOwDBL9K>72;B(OTVr=cLRg7q&6Bfl z#Vf^uHxwrO(;_V*Q{Vi~M$0f|w%;!+wlU&Kny5o`Xd7_KcD6)0bQS&9w84&g8inWX zgG89vIz_M9MWeNK7=^a15+~Z-c|-Gz+ElHb{M|TITP~5W=!J2zRtkF-8IbUB3u#k* z=eQc7i`1Sllna&6TwM?^yUlF1+vHOS{3CBc0Uzl_09~zTz*`SWncRyJa#qxoa7UIz z>-N@`X-u`>;`V6#T2JUT_H<5*?SG!J*ICouwwrPIlxL!mcBn|-EkBP3QdQ^XwHrSR z=`bS-Mj53aoKA@Mn5oZObuGl~h0UE*u5aJtTDn-d440aFy^jV4^jri-Zl3FhS{WOT zdenzgGAIf|+N+i8q9g!_($xb_c^~k52+sT5@l6e*vrb0Jd)HeqI`+)Pb25X`2NzuH z4?@7`BtXAW1Qa(Bbt_`yoDdVp$Qm1Y+`-ay)yKDa;Ao!BT#lqcT@n)NJqYMrYH7~{ z1bTeqVud7O@A=yOi*43tvk)(@s`t$@ddfe$R#BMPYR;ib`fC&j{VNRpgd~jgQGHxQ zK1y}Tl>^vb?x&}jlBD9xb9k`n5?S0XE~s~;+-&wy?Bb&a{$ivp=Qxo?7&~b-6!ixb(x;>p?%V)|#p>}x326BD0MbQ6P++UIW+}zZZD>a&a z06z0?xpllo^alz9h)7+ zFJCJ+V&2x)rOR%u>};VHp}wuVyLRnag3g22;9ci0jOQJ#ezqwkRGcboaoA;b&F7 z`bRv5IEvEU>suAmcSl(x7BG7}BQ9(m&@^LUx_7GuhwCFF7)}^VtKAlj!`o!`eaw@* z%*I_DwP$m6za_|gIzAThe;*G0zt3y^e^$eO)%K#l)qX#A{eSNL zf2!vV%|XS8XeNXWKz}xX_ntEVL8exqdvX)~poN2Vd7#*{fB)-pfnP=UA=wB3z>*O# z0NVd=wi_DTn$kI2{4f9M%GX*Oo3r80{TE915Hp;nrC%rMzRG+Rklau>Aehh@GQ$t6 z6A*m!+O@UahV0hfzf#J*c>^P9eUsC92CP+u>W@^hk|foi)SmL$1r}l| zsar1b>gNqB+e#HK9+^qf3hvKQ@m>!mt$x!~*#)z1KgKaS zbMt0BrV3&eFHPB*S@3Q_mZ~(_D+RaG#|Ga9cbuCW_xMe3@BK^Qs-_tK3s!WFFH3j- z)4fu=wQaxcbmvPtD|gswg(IV9uYbOfD62sZ=|e|*FZOY(@u$Kae3?VNRGGkBoT$6DMP9eNznU(L z82U6p@Q6Je@5go9*H{wyQ|niDNX6wBM&S^OBh|Q2W{#P*We0~O>R8dg8=PEcZm%{S z*1r*@l9_PjGnZn%r`xY{)gahz8}tG+?r`vKuQ?x6LMo~_IjY`^ZTRub38PI|@rC^f z>d>lo_+7B^9k!)rkpMpfc~-w2T(U)d6btJ+J*^U3m-kkBxHw%Kmlkh7uG1I0N5WhNOG$rtpr_~oiia^4>&(d$ zhoYa1kH|~WLGGX7bRP!mINOuXQpqDZ#xD%lG5BA~(E2`&cW%B(CWwjW0*D%Zs)Cd5 zEcib&Axz|sHJKL4czb{Dnf!A2EWU$AZ27x>b)ddh#7@(K);r&|ba&nY{tp1fKsvur z5C?~yeV{dbvAf?2l1V%U{z4V+j(<7qgs+c}54m(!SJwiO2%3=8sgcy)JA~31jK63& z8B<1ScPF&K1C_E1I0q8|**n;7?}hFCU&8jz&QS-o(rS(V&uHXPXTS4PYiqSs+CK>2 zwf9assOSOUCj<3Qf&{ESC_y@W@3y<);Zf)1?$50NWW4nDV5frvb|i120Fa~#db&_!nf`HllER~9SGan0Aw#EJHwDT_M+YGY;A-*H4GFKG1Y-Vih(3h z+Ayj?wBUn&pS+~5FMkp_pSjB3J9q_S;az7hTx+cvUk#v7f2{*;QUX;fATvsnjJ`NA zv6Fmql^8RwrhZ*w2lgTiS(wIg4KC4u#$t;`9vg%-*#=Y4zuCOd&X&kfc za*(p?XgG^e*>r#DVxv1pM+YEyvoxO8;^{P*1~O-N|K)+m7>v&ol};@Y8U6Tdb^*wi zsHlYCt>l>3OG{YV&LY%Xr6nqEXL0P$L|(&_2|e&!WUu?O*IVD0+;q_;dHPCA<76D$ z;IezT$tQ8_cH1xZFx^V#ja;)6xoT_Ji8NH!U96I_e0c>)`t8NZ-Wy#vCDCYJv%y?^ zsw~*RVqC$D2Z^8zUcLflxfh3r)A)6gTrvEaq?!DE6p!N@l`)Oap^HIrZeK=&G0z_+ zQGa{XNBf#{{-@nHy9+HZ#G<5rGq@VmUne)!EU8k5R`qfPb^IX=i*Rpu|INd(?v7y| z7!IqGX*`Lhq`p#G3CM}!k<@nO>{5N3^kZtfnw1`h5z52#I*8Kh$iT=o=_66%EIx|H zvuJ4HgoV!I5z;EFB-TNXL?ah+xFFj(cqEc^)<-h|M#;N_H=Rc!na0=2RosiG8KM$~ z;v;bxR(5r}O|9cb;v*%@MnwkgV^PIZuz18^dI`D;$Ng)x93O{Isevk~0YnT_(eBRf z@na?89Y}tEklhIp-G1HKe)D)4?On#bD`x~jt6RbGWy~O-@j=0GP_SM!W+0Gkii(a! zvn&~bn&^SjxLaX&$&8I=X~qU=I*ZvLW6=dFK8|2`S7W~5K4ffc_?XpM>KJ&Uf8>S^3$Wv7Mt zHshrJph}K_R&F8;2jeStKA5JNQxWzH)&%qSap$PLeZ2b)tdO8IIA`x!HDhb+!w<-Y zafvYp2&}5}0T#WO#_{;cGW!HDR1OR|3-)vQ6F068!tH~-gQI43^>e^lELd9&ST#X- z%71xqwB6w#B0n&yXKXSZjI(oAIbC0WzxKm=WAyDA{#+eZ00oePFw;1jO%WVuQzfcZ z7JPdaaH!8nGYI^@fa0~sQ%vd6^dc2xhw<$o!*$Ut1zYzofow_jA5aF!KHhx`Yl`;U zLm-I#{yVkNP6ldMz0^|ODb)SG{G<<4*8S=7i708# z#dF1Sx>=@fHCEb!u~<)jHsV>J4%8D@^awVRCWL-~;J^We2W8o7Hk| z0m3yzKHVNjwmJx*Qlg+GMpSw^IM1ws7$VF?JPijnBIHUh0i^-67JxnBP%s29WP8uK^JE zW4#|=*T=KrPNWdA|40{ij1#=SEGO|~>42yi_DWe%SU zOl-z{Ad*GbuMsC^X><`wUI;9Im5^>(n(%3`hi6fG8KV5hl9NlUopBp!l0Y$*jE8ri z4A^;sLxrn|b))xbSqy#eZvJ4`4^hsojih-)dkO3_YEpcgO(VvuLfKqbjDJSsKA{79GiKx2=nT|Hlmc2#ANE%N>@vhD zefMRzRfc~c4SxoVPyBDuLPy&>z6LuMIw8G-VQ|Z6H;P?G6P!cYY}^OTeW10*a3Mgz z>18q-_OUQ$2~;?Y+23bL2Bteukqohroc&pH&dz4(-C1%AX#3donc#LmnVlIWMVqjW z8vQx}@+!Eh0CZ~=M12#pn~0<*X2bY89(DXi%InBn?eTkErLfOyKxF3p)}!!dW6Hl}_W|*>P67-`sb$6``S(waR?V zj6yo*o+(AZ`0AUd!>BTApWCU2R48$$1#@;@uP$>ibNc#Z6#A_7v@o#v-ZmdCFt!KT z;5ufbI7JnYh8OL4{}KHm&>Wl`AD)mOL}&ZtsN-A4*?nhQLOf#)Ic;v`yY|pOr?0(a ze6_xR5W`$Ei@Mxqoe7esTosW_RKv3Ig>v8;C|`G6=FtC9Bh#(tYmZE8=zV3L{|Ak| z#ryLskG?Nq*&jIi*1u2^*8kYi=c50kMxR^HA3FNJGSB~$M&H8y`ISfCm$2-Q8GSQY z`%J;kO=GoorG*+Dk$@qdMzCsWb+;RYv_s;raQXrK^XOn@d>k@&f_LLnW8V-96EJ;rTTb zar?Rl%du)-)mlB57?uOG&!Mo})45|FgmJo7_okxxNjQqKOHC(RqnfCZo)f@F?Uuo7s;@rNFM+XR3*bTJpkljsU{*N=_4dfb7)STbMj)#D-myAZyxIYJz zgs5K6LnUSu=<42OF&wcQ+9gjbgjK-{@H3CJRR#cKxZo#^k%;|?ot3DI2-es$dl;I3Srcmz^rr`lLJpvJIb8|^z zUR&i|^TQAD=M3^+IQeTveh>1uo&1K8--rAiCx6|@k0HO~$=@{cpW1ms zWP6up6=~Gt@_TahYVViu@Mw4c_@z2{2PUeMhjIc@Zz9nPhyYDRY-+~H0r7ECJ9D?U8qds>kw2+GmFB@mtG*wmI_UD{K zL9TlU6{YEH1RA{BTVJ)0qo6RsPw~X4+GF3te^5*bxCLx%Ya2Sou(~X455po2G5Gfq zrU2Z5&9I*bJ>)ZEAH`oeHCf$*{cnCdbG?=2vpOx-J4d?IYyRn$vZVSII{p%8rr()i zOu|2m#){<}S0t6#Vh;_?r$@QY95V@Pls?e&{MDUZnQ)DO=kDT@Qtq zp>&`*Cxu+r$A1fc;-H{o(=<$zVKf~mYuXs~pTh8<8-`67I5RvbVAW_D^nD;o1b7&^ z2z+-oKIqb{vJ^&XZ!mz>^(~rHr6oG6LJu%H!kbK!UYz2&4*)UbO}ZjaU98&7tLYYyj0Pz=RME-RS=76lP1sFzS1ai%WfSF4JD~zPKgg{nvS~Ps@laz4e}Bfb z%W%+Iv+cA?JjJgLV`1cA5zAh~H0p3?b}=oto!F2c!lskqAOjwXL#%WX^Z>_Pd2HS#} z78w-wXQN4e>PXC)1A3*}W@EH~su{aouhs_ZEmv7Ew=fLZ9Zq4-?Pn#>{BoaL4|{12euoSXY2xc5X1_U z6=PS74H+9ThSCdzfw8~C3=iC4EMsiO*fk75=o7~782d+QNs1}k+F)CoY-@{cJ!4zX z+1B@LD`Hz`Y^%q%`fMv^Tj%WADtorZo;BFBb@pt7J=4sZ2cKq zf6msy=;^b~bJmF2vsevB_!q`kDTMwDdH+ehgd>dizZz`IrrmE8vDO2!ASo63yTm6+ z`oU!-L(i%I*Qv0!5@Shi;;uE^SQmLV${0ULh67dgOnKj3x_ zaKjI{lLOrJ19ozNTYkWoIlyOrz*jlI=YGJ~Il%AzfV(-s$Pf6p9N?KB@J$Y|=Lg)& z0rvfXZ*zdLA8y2t?*bk=1Ku%NRBIlzL>`j`VOP##w~zyjql%mEfC zk5LY=KzWRFfCb7UaRHwdD33`Fus|OFo&zk9$7v3*KpxW^V1YblIluyWoaF!ujgc!mIEy4(MAriphwqp zfCW9ekpnE~(ajuSL62_b01JBbSq`wEN1x{a3wrc>7qC$<%&WP1qhR!gIgADRpq3M+ z0>J<0050*1U|`JB=ToOp<=bz+O)JuBmUgvKp0<4Tf;z-I_m0v2QS2Bz5i8rEetH`4 zoj0*QJe@+)6c&ifw$*MRb25}M|52Lq^04Ql+%!-t1pKYfh4l)1HL7pIq9^90@P%oG zRj6p=%vySn`QFU=G#ND+UiWLB)=%pU@2k^Sy)IhbkLR>}>GZU|RA0KN_?pQ}KCqeG z({MsQwdB5x{uTXjAP5jSa<@kMH_MYgy{jj4=A9^U%*?EfiV&!MxTJTGBy>;~zeK&r zkm@Dvl*^On;Iuk8eb0j?e8`>lgw_Fwwh1->{gUxhLFP!oPJ-Z5pG% z)}Ed|sUT$Kbh-Ale!5nlR22Fpaqfo|GxA&@Z}oWG$G_qLcqm2F5Cwk!Mix-M0lZxP z2w!B(J$v-iP;?B5T;_ZjbN2&P(&|2ag4@KiTfUKJY)m^8#nUM)lf}(hJUr$Ekq>{9 z8FhH&*V;QYHV%c{3@8<;|Cpm*F=%nxKi*3_AeEHQ;ie!*(*04NISaZ!QYz9dqzam` zQvUSu^TZx0ra+Bm!)(B1=nVAd)`q%}6yTZ7(rkJ$yep|g9oMm1Dl=YIV{2B*Yr;Qb z?xjLet{Ufuuf{4aMIheVLvU)nk4ip2n2fgft;YKsyHKTlvmuL>VAZxJjjMTbXu_xf z>Qv&~@(~bTUk{+~c60T65Q!u~K}E#|nvw3L_0EHZNuGzqe}Hdr`!Y%|qu~XJ7T;cn z3H(E8>45LezaVB*xi!#d{lNvs(hB)s!2~Frca(s{`Hm7Cg{-|mODT%Dg4Ap#^ewPr zE~CcgmT>{i$XN3vkNTV5Ls3{6m9H#1wxQ=IRXPT#DDWb zpi#(a&Fn_k!%0KWmlv!{k;x001Qtzm4-=OM2*#5K^dFM``fYogeu2Hh0zh~b-!-k) z8-@sy_Yld$3UcRoCT?zBF9*wikc2MQLMh1qjF!sEzW!K&W|65Sgi#KSrmHN|!NoWN zBry-F1&aho5W_{_kVA%#p2h=JDB^ReDHsO?8w#ej<^~=R94F*uiCqrbaF8B#+d!Pi zn73jmTa~gZG2GN){IqkBc6ztXY0?(__^k z`?Kc3G8t8BhtB9u?d_=6t0q7A`MsGSB)%6;E$2+D3@zKEemEw55N6Q85M5kt`+37z zoG)wK=_0t-AC6nPESbFtBRl>(3%DM)`bfJzd|ILw%X`#Y8>Zib!I0JRCjlsOlv__8 zTRIy5A3o&t1>G)Rvrtd+(R z{m5sgGEGWhy>vCOR2kjguQv<$Mv3Iw;C&g%c3~!kX~{mYd0xas7Ed zj4s#{y2DQn;jJHOVvBpdNI&z$q7SOz}2(LlGp`QohC6T3Nr7%@lc8!Sv^u>i<0rxa1GYsyG)r5-EQ3K?qEwbj+- zk~!`qXv?b%6>)%n6a&DuIB>8BuYts)f)o<4uqKc{y${D`BX@zx!U6dP4%V=Z96yD=r16?Qi;2IHGG9wrF{QB6Q_0PjeM8ff;KbVs5AeK?y zkb(*UMt2VAm&~WSMpsZ)1gR0(jw`3V^~B|kAs`wVHb%!7uw9BD);OP4(YqWaeYUl_ zO2y6oQA$L2QsM4!+@k;vxNXKeU(M!VEx|w{t8Jb|29gp@qYHs6kWYefWz&+|{D7{@> zH}<*AAn$f)@HCBdq$LBX8*|C3&jNHLWx>u6RhKQy#!&rwoq*NgqS5A{kNwu_{x5tM za6%1)EvuiND z=0^AL55_r|xLc{e`SnQk{j|1H4J*qQA)-F2LHrKnB&`y}t)FP*|XF=i}{#^DgUQSD|h z$l`yK@j1ibs}#PKf-7IIm2`Q_;hpL961EVBp%gs+g_TIN44}BqS{GmNb3^>ZYT=Wd z7Tnq)eajrc95XPE|Hx-i%Vaiwm>`@A$mTzsES~Np5>F@te+9->#Na)Qk-vw1r~{^u z*&w})VY!SG--pvN<>3!ccB`P==@`>t^^Fm5@Eo|suGd3ILv;KXVkCfm+=n@xc9dG= zr#)@Yvdfj;a1f6({7He&Y`W#9s>5P?a9CaUL}(6!n{xNyex~F0m>M=X(ECGcq#MxU zZt+Us4tBK<>>0v@9kW(|&WkwP?H}_im;Ir0b7#4UX>xKi$2Z6Ekm6$Os}XJ7OFbQ@ zv$KzJFKZ98eKegp-9MV$Aa>7$ell60_O{JLyiYCP(Qx8%iBmi=|8Z4?f#ZU%nGsk+ z#ZV1&6=7EIpRO0uihjwN#X6LRw#`gBYTNjUkEsVM|Ny(9qWv zuasvbU@L-SFq02jb>xDS^nhW`^>BVB zg+se*+!Dl*jV=)-nW>Msq#4J}G;Y6f8;x6UP)eF_av3d=kf9Nd(u;eSr`-90THlZE zQntReDcm0r4L``@oZxIQ>>^z{~JV03i5-~x>IS6H-gHRa5 zB}j?-U9MbTPLt7g_egn z0lz~i{pw(az0aPuYEO+VOLej=zU$qI2PJskkdEG1bX0KU3KeDmX!}B-x zbZ5WYTo?mvg9G+Z7-U{{r2!e zwO%gdOKQfxP=bgpMd>%Icl;&zZ&;= z7UcMbPG@_YK@){FAh%QnR=(gp#e;ul>tz`B?e6{>JJ{W6TI#vdtoU4ia-xBb9;)7O zdNnlVc%k}vvue;Thk_>+XNthxIpw0OPnMz5{BaT|0JB{CXmR4OZ4al;wTHq~g{MIG zA@e|0zafzpo|80LDpXRMg3x7?q3szZ^fxF4@{_-RJ2e=`^p3%t8YP5ev-oB@hK_MF zV1gThSz;a|S$(mDOW~WrxS!mpmrxYOEJ=m}PE`_(@f(FA+X-!h%aBV@#kTY`_ zLgbvIzzqlE*=?R863k+*7`tGEO2)x|5|7T}K03k?-XGXFVUs~$`r0k~Dq3U!xJRD3 z0bxGwfFVQ3w8s?y+ViXz(VzGD!0=5n?X&l^e16}H@b8BYA4*}C9A5Qw;F-z!tvdec z@l_4?5a@{o%)0oBeu(x!&1ZaZQ^h}G?Sn1A$5bR^0{qo18;uFnfvji_B8YU7puD6uCk?>= zgw{BOYrua);>{WRpGHzi`yh$MnHonQ*n9F2_)xNjkA0qF4-CiORc=tuad}m{C!PJ{ zqhCPhW=U1HuPP||Gyhx5hW#Je`>JN*pXIL~KVW(cv=$kQ)Dq>a9uCHXOgMPxT~rRl z0eF)k5g%O*4`2Qq9=4BP2QmSD50Z-J#p_y05Y; z7h}QcKrwtcU*BwZp9{`Du(R?Abl1E`N2d=Zek$7T^^(~*Go1H0Ch}{bxMCcDiDO9J zSMFx~J>A5ss|s|qcL-f0KDEQ)pU(za`lHodsW8g1Lp%;{%8WX z=@F=87QqZ(Fc|wgyGOduP<@y+aC!3xQCs)8h_<@I(yPHFw?0tw!_q}Oj&V=Tloq)H zF#H=0Z^b+*jthpCLJKQPuGFn~D@bq7<;PRj^w25t`Z1Lkr&bP?9ZD@8DWcR@8Ymna zjgvyfw%D){+Exr3JRfX0Ub(&guvo06bnYCy#g}`vaJI^YSz=9(l?C&mq#E|>U8GBq z`VEim?C47|R=?r$?aO?EBbnYl6@ED1h-W8Jk?(f-Yv+))EJyub9KKAZy?8&qQC;pk zespDj zEH49n19(T1o>wLJ5$P%1Pv{+CdcQ17SaKatZ>EEczkUpWe+euM?LImaJ1PRTl1FVF=!@62N^75vtNxQllV(?P%K44c3x zBwW|T(8x>_EOz};1QaDZL8 zaX!f-Tt3D_&+^)Wcwg`xFpgKSaSgc`-CVKCCtei_z&Ud9N#JP#tPob0e_)?03si~S zF~%E1!@)n|zom(E;+0{30`|1Yo}NB=e;Rx`eUG80PlF}~n>LPbej|Y280D_jb8e*K zVHSDi-|QB?ch_T;Z%>-vzT$6@FUlw>G#m#8KI+b({TC0xq95cS^Kpe$5L-p-5_x5c zpGeUKR_7KjnO;B!-)?--d9}OG=!D>C_g(wA!$2VftoVlNy?2<=ubr` zZ9?Y~9azVY@p>rtK=AM1+IyeQ)~C^Am=qRha%cOiwK(qG)8PCr?{E9N-D9?Wa`dkA z724d3hP{tBSN`kPdfHdy&AVqUa7io$TNT3W`rA)$!q=VlPUpy+Z^LbT5q&4bT%2C` zW74fc3UnxNeBiZr38NG#P#4fx0ZI>tO8$%6p49{bC=(N;FpO{U8p9WfcCl2?J8!$q zr7Vl{LDRzhv?Pe+kD+h6Hm+>KYFYf!7Now;DY9_$jsFVxCA(O=Y08Y;RnBD#6J1mi zrAJABHk_r8;hrce*{E62;!LqCmC!+1{NlYg&WClE`MFk*OQ|+OEPsM^hQy6Ut3U)> zl}|w&G|}fZuD~=ETxECo39^G-!Gz|pDtFP#F`4iUnc@mi8ZhSg*b)X=H7o!-F zoWxsvDkV1^N*KLBZ{lJdL$UM(Vk)S4a!c>0)R{BwW3tQ@6~^O!uAJ)s+qtxuebcBy zVZh}!6yMyqm33`xZv6@pu9W&d552mv1&Tqiaq&N{%{k=Q>DGt zL(2C6pDse9A66CI!ofW_6$`7T7mL=)M=efdm{t|FsOS(^a7)u|uagkOx0-2b)N0R3 zo=}Uupx{sVuoS&1B%;YSMD&!jSz1DB8mo;)b#+6g{2s5^}wekG< z>gv||dT9w*V1OP=&|mYQA=ce6Xz}h*;pG3s-1`xl>sRTOc+Br8!eAmPf5eW}#UEH1 z)b%#%)$_Z0A89bl9V;extb#v)0{bL{2k6qwXM8DduKvSW)+2ztkmTqk_|X+!j?X_F z#nbJhB%W6I(4TWs;@;6xrDgaAHkrof15ni8eJ4>@aV*)_gNkY+M?2^smZY~n0-Oi4 zu_x-;$a(aYcNeDD%b(18Ki|aX?Va<+MtWWY)sNg>u4NzFu6Ng z`4;=%l~fEU>$VrZ-uxOG3*Cag{4nc4>j$)b-S;~WxG_KYvAC+xdBrm5fk9v`n?P0!C=hTYu9)3(O<;$(kkuk#R$ zNJK42QOr;K6Ic3 zxlo0cMl%~|#cZ-jaKw+)TrSL4Q3Lt~uI-BqN*_OZQI#_znclS?IW!CK;@BLV4|;e4 zTR23yq*G6?)z&te=oUg@cCQ8#l4cb5jnxe(KyopPp# zh&4)nT3-`RCPXm9k@kKZ$08#A2loE(pnLrL;mPsuJDt7GaR*Yic{LcV;X^5$Bq~HY zqEL4TFddhy(z8P&m3IknD38GENc!q}G!`<@^J@jxaMXqD4mFV>$?AY#Y_J*ybz-2X zB)1avQ8K1*(kqZlf6WY+ScSq&Q%)>cy=iT@vpSvhP~u6KcWAS^`q}Gbn^S0(mcb70 zLJxO4kd>EuSy(7Ski)o#!JED6#AG%Qf+oW~2zMPsiqX8O0?r~>3r2y0;ysXi7+Nqg z*9-aBRbbps5@;w7qbynuGuX5mU7&dsl!50*Vf$5QA9P^#XH!^M6;z7AU&RXWP%>91 z0+qwpYwA}+{aRPQHq@`pfV+1@s&%IH87FUgo7jo7^~Fv4W2sdkzbvx`yoBp`318f7<44Gow>W0;UFJh~EruqK%M#dQ`aw$qN!#mqN}j5? zE~C{Ky>&NCE}DS@DR;;9l3O#(nhe4dS8b!trZ>>P_FyqG|kWAaJr=fY1x~zJ@s@8yNIRi@W9VvZf zd~Z14>&|z>`Cc=>@7E|*Od|c*^4cGbAD!*P2T#raIxc*TrhVmE;XgtogkrapJZ*53PV!v9l14;`id{^Iob1{um`@fq}s<)fNT2H1fA)q?UbWx`jHnE#ue{;Rae zS8nCQ7gzWuPR?3K@KyOC3~<_J=jTuqvfm6pd%mu#W4#a15)x zdgpeKRl8Y~&F)_f8n0oPLEFT-gpOux&kME_Q-I~kFuvtS9GsQ>p-2J6SALd_@#A;W zA67i+U8(Ji&fqPOfg$@lMreMwC^@K~$-7qj{QijA%R+t+&7zE*w|IGD`w?vwuFEvsVb z4^dBISW3%m{pVREWCUpsdoIg5vh{;zz(wakeS=&!-kbz|x!m#JKQI2k^qf^KT$%r? zSX_YB3_J774UL6Njr%mI&x-xGFk=5LY*^cbRfE9b<%4ZDkjlKR zCQLO^owUb?(UVUJo?t7O&2*-W#AaN)XFAzgwO9;!d~IA`GS9`% za(L>qGi5V^viPOnu~Zk(y?0de*DYjAQRRRJ3^VR9w0*FD3_378{^hU}{;hkk&mW=U zwPAzZn>>P!;=4AA`gM&)7ZjIn-nM@Zk2?Qz(&-+<-{YfS!sFeyoo=gv!#GTbaXdle zetHL;)oW1@EJ;64#tAv4L2tbI>w}Rm0GA7@G@k|b)}ik?`LaEC_8*Yd3C$r;esvnCpJtg-$KlzIpK3K0{jMKFtM(@y~(ycMKbPk`wLq+-8sR#t; zG~B*m0V0wG0{Y~8ozO_1D9(vRY_?q5nFX67x~;MZ)+c^iU?!u@5atqA-IE-!;0PuA zuDXw{X_}9h>*p&dA`0`zQx_>K=FLiLW>r5H6old)MP1E1l)K9w9Q~p?RHqbns0YMk zJuav1UNwwcqhSm6!9T4B+;zx2Hp|t~V@H(c|JNE&|Bd`t^qC~&dc)Rn{^wi?n|aigD%$OZB zn9q!q-c*Bs1txw0;L~ZK8Y(){XgC)J(Ri6HS-~@r7qBFp#v&WOPlL~P)%@O$@X8k} z1br+fOg41_B|Q91Z!6)+P-MNymfDj_U}=~l74BT=MN&|EtDV(+Cs_@6y?|{fwXRdf zI97Nq=f@IPlzn21i2H&V19xKux|*+KX%dvtU~vD&iUyMp%tP22J}cLkk)b4g$#ifr z;18*r=N)FuK$l>1nzqkcpGK3(5cfO>$+-S8O~$#1ZO$f&76_*7vDCbe_f2)jpg@PVjX-#{WhAWi0T`a^_l6n(0LaeGU-CwQS~>UdpW6%~%@8Bfi_W z-IiO0gA}*OrZA|6cTA#;`_kgNi3S-3D5gqktcz9S-e@t&fEg5LKQ-)7VWkz9QIO7S z^yZ4j+DaCR{BJ*X*=3Zn!T1{Ap9M;@L6zpFJ0@&Q=O(OM5|narVYhql<0L);1VwKa z=H6VUxl>I6H@}#P7>=0h9!9!Hh9sT>Nf%?ho?gI+W7;>)7bJE{9-t8)F?^vFX492_ zEerB*CyDo?MT1@qu939agy9Y<{)Bm2_b`oKRz5wH`~RiPUit!VTW?jav-aVk9vDFpo*+MFGzz%}m^XBm#rvlC zOa!Gcre2q0q!}1D^x`pEO`z`pkV4G>Y)KcBYAp?Wp;l{Y-+Wyz?Gr+!+Rh|aso$h~ zg#a|e4J%kj&uN^WUTke(5c{xu+&((~>@IRYNzl)xcf2mu+28qW>n)Tcp3(O&uFD6UMH8&1H_|AcBfA)iMaw@OY@U$^!t2(Hi`@inbuvmo~vP|A}Y{C;*k=qkaT&am6UcWkIS&h5KBPS00@71x ziOy2+bdB8r>lLrFG#;MYEEf+9_y-v8h#cu|_ZWmo5&&#T`ddYOSH#mlLa=F6z)CV- z(=_T?Vv65#wtqrOm-O6e8C5ce1_G+5Yfvus$5Izt574 zwk+8wnqH;W1fghb83-i+f5}vV_*S%RNdz6b#8-B#!9v^M?#LAVVspl!1l2bppe&aL zrH{pfc3k4;i;Ds3)4lSHhvpgi2+>~yR}Sam4M(#qIvd7|;(v&Ink}^j6uIkZoT<0H zjhlnRZAebsZSZ`L8WWe*MaInKA=#R`?xoqq;u4)_o8tGwxJ>=ni(DZq8R@U&wDu-Nl}v>8rtNx{5J=xL^)GKqP^Q0uoqi_L z&rI)XuBa!rhIVTK2seo;T@t~iaiTrm>!PbsN%>~$7iRHo1C)0GVnskTpFBo(U8_2B zFCXU|x@Gmf6s>}2h&)pb7b4FaY>7Gtgnw5wJLG=dH`a5QKu`@EUQ6leXDDJeL;T$C z9;u&V!p<>k!4_ks^IJ@dFYdRm2*ywTdguL=(Qot`Ta+RUIXsu7Fzm{wOFVTIq;2Ne~AygCJW*qrH1~&t@s%?F&y7j;8z!^m9`Sk6Z643|0iFWX z?X6h31v@==9KnqE?+WV4`O5d$Ot7O?862|G9Ew$)vH9`T2a_``kd^yVDr!~-O!-P9#%W~UoLjcTTy(q{@ zlkw7xElM&Yk4C&i_QT4)mRXK6H{VKf;C+ZIjWwPw}1OZM5?3<-5OPH*Xn+k$qefm) zV-FKQ>KHu}!h}^|?X`UwjV~biX_Gw--v1VScp6j;H}Zho$k#aqLX|s}7&Ys$cu&RS z_@+I}F8}fHdQ}xpwS2hWU+uw^0+KwYTB^crtx!@6w3km|k8Clo#;Dv>XZKV-jjxld zcpDbp53k&)#%Vd%n)kPRpSxQ>rqxu1QLR?Y_f(t3(@}bG-i2X3cueK0BJ+|83mm~$ z7hH{`JiHQE>pm<`@k5iGSk@X+}pqI&Hen8 zN%91V0sr3NJw$u!#DfZ2=Sj7;QT!0Ot&|);=HRt9QwkZW z8JOQJ5iPRI=6e$%4TgXabdL=;OSkX+x6)Ep*Ew|^T|hrFL1QMCTxx{0FGx+b zkev1E9D1a0NIntifq}tSiDHD*^K{pJMU5QwejiSM>lJ}|uvxTu$6x_Hni|6^${w6n zyvj-NZ3T7Q)~wTUu($XjUPR<}%Zv8*n-kAgm>(v$E9OIQhH5lX>U3kS zGJrj(?1z<=w(G&Q2YM>Z^%3J9^?%iV{`~{+&Wc@k%&H^%}+VI178rIA#vy{p)X} zDxye5o+%~l67P9L3|PXQ8pMH;2y}_B69aC_GOicj z+tys{d2R|C<(ytF76PFW^0JW6Z&^6&XHoBJHkpGuuMCY02U*#;2r~yIj)6k7GP4ME zIxR%M-97TKK&BQWG@W=%W#gaqt*ip1`btp_X#v7{6vkc(+hGwtBga9BR-7Lj7I=BG zx3~S;uT(q$4({{WaM-(?Lom_w^5;Shh^zuGOwMl$k-pjPJ}*S8GK&yj_0s1)anim| zCQ_N|U_*B=?fYbkXbvS0yyc>#6Q#K*W93)mqRgpAkvJcrUr3enSB}E&(LDsJkwm*r z@on78`+;8#!~(h>MedWsM(ybOB4ol3l_Xhlofr z?y?E8y)|*?6f0=E4YEwvCizmB-#>L|z?z~-)Vqui^|n~Z4ZQ8+y;i_8d)ZKV21#!i zmE(7y;n@v4--o*)klW$n5`5yMka0vUf`kQcJRgosIVF zj%W1eZX@O3y*Q{Wn!$Y$bK^b`^c}(xfcKDuACZ+O?o!Fl%awB&A|e=xodjWG)1kiJ zfoVAbjDm_CcFU?GM~@MzOud}0bLWOEql>sgq>L-Oh5fIj-g1F+Dy-D)TXH7z9m*Ym z#aM5R9Lh&2E@nON>7#>#<3(6*Go8kVpaOsANNyRK^{>=CIneU`Z8ywE4WJpy&*-M3hw$AMoHWiXp?RzX zEM*urGZXEE#A%w9v_A>HuY#v3fD&N%doiFF`Ktu58pVQn-N?@3bL3zuZj00cXF?2& zehHvs7MT)xA07KE#OvvH58;afgN!$b-iH|H=5CI0CmB~VcEkH#HBww7W<7Epp*v_` zI!sx5mx9fg?{w{g&pCJSMq7nTd=;y>Y>3ATo|A7;PLUAzdJ|hY6-tli5`>t}&WdVW zVQIpmvt*jpn9CCfTsq!z-dNl`zJ$!t;NlW$!c7T!#^l^_dR3hSQx6_T4$^dn?^_6< zf)T|T`?r_B?5~)Qrkdltph)J8tj_9H8#U!x#fBBx9*GR@lcG2DeS7 z^o~cy$J0{Ohw6ueD8(<{L+{8>uV9i7y8J8>{+Ggv$QvFqAL&#&lGH2iksJ$DrF1n& zeJFC?Mjw-@ar9=uE5tP&IbReSj2A1^SPl%+*Z@=h3kDTs1G&7C;oMK*^_AMlQdY0s z#KU3rYMk7R>vR_c#C?dnhB4EJ$)(btcLwNvoBTe}Lx-0B zTvxC^LWMjul{Luq>hCL(Lf&9VNOH5%kH>d_6@KzZeIRuKvc#77D80xDSEiqon(N1C z&9I)CRUH7?CXvT3FPH%asTz~Dg0*9}NS_e`&)|0T6v({&I8dQM)h|4DG0uS$0A=(p zVU5Y2ZEiX_xz(gSd4h2DVz4UinK#W&Q)TWmYV5x7YGuPjZ3SztnX*LJUor}n8NrJE zVlcjyhQ=^1iHVV7L=uz+C@sl%oC-^$4YZGG>Jdogw$l@<9Uc}SyPS>ACgK(Pd81J@?whBrh)*}jbA+L{cLG9^i-$_`W#PAC=-m4x z17jvb%TG8en6~JWo8j^p(0i5VRWx&3_`cawiUuvBL$ll!CXLo^qqkPkJtixhh42H> zFT!5eIHRu9a&EBBmAUy0HP?0b*IqGTDy*NxDO!Kj>5ryB3gb%@0e9#&bL^65OnSW7 z5Z0QCE}?^&gi-V@)Z}T{CxLIeLkF)v<7#GG#J=hW=0GYmm#Ie-;Z%hZ#cPtr4*kJGEcgtL8)68CI4 z7_+YDOcGnhry?12I1f|@s%j)`>hwgi*(iz)H$Dp{jU0^NfmjXtdw>UAa|-HJp}*H$ zdUA3u79i$5_(eEtSv>P*hy`bdf9N! z7wi(?j;>s;&Q;6hFk0h7h>swP<+y+4?;L|9aa6NdIfJn`(?Mo2M_6=cGko3AS;V_` zGM#5Yx_XyFEDVd{Ay`u+jpP!><)LT_|BsypztvBRS1R=<@2g={{YSg{>uUA;4}V%d zEuRM53zL3`@KL_*^wQMLKgB+->PXX(B6nmOCaTh~xo;`ZB z<*sx`))an&VJ4@^RXmoJ+dIh*=XlZZK8pDhqNK3=EyBwAbC_S$Fpfm_@gLMGYt@Ah zq0k~qn>?O1QYfA-wPL4n+sZJNgfYdT-E)$La(xuKp`o55sXQ%L%!n20(Ak2i%!^D9 z17$Gm_oAt=w9xnpZ(v=7HbTP)&t$k|-q5OuPQguck3!#3regtHS8bFXs-iG0nbB9B z4PRYr!@m&2rSVWd@e>ZxBUs1MlGP;3eT+uN7-^^%dzBSlFg5co%r!@cgXaR)5UZu& z6hlNX)eXUK?CD_K8_xPMds=(?L*Z+klC zYCGi`x`)4e^}v3RFOlWQfJVmr%%A?61NFU3^u1w)FO-`-L~w=uW7j6w&VQLOX?$TJ zl})!+C{zpQI5#l zPuNMkl)c$!%>$a}vH~CD6_jR@f;RUVd1~z`(C@T^9nc6NeSk#!g_^f zmcnv{8&a6J&}3(ubomKOxqE<->YPEy^AGcs!QIw9>U56}jymBxjBZ=#9)nK^8h$an z63$9%QY|@KofZYAo$jsNPZRbzj=k{(4F8NwH|FejJ9zjwEcdVJDI6G!da$V|$^se1 zQI@|s1P0iZ=rx!=S}qe-t>eP+1?{>mR;Zy0@#WG3ii#izY5|Cx#T_I%ASqiI#p?za z+Ko%B(M%xjKC6M`0Q(oOFpJJC=Q^U%CH$EVv#Ub=GCNwJ9cz#z(mf=!WR_N%9Cv@5 zTH{AXOEle+gin<6ZO^Bw01jpb8lpPK9ANNCqBMvp0<`(*+>0^+ zy~{utD52-~cJ{mU_TZG>0u&=x4_l)$H6;5YxX}3^9-_F50U$G)>RZ0Pfoc@JF{VB& z7^6u%!ma+a;LIkGEn|MWwTk-ebZQGxNk8PG`@Kq`0}v{0&#s&afjR=yCAnnr!rq7C z_hC)OkC?=v2}OJ22TcYU^IwIxSY%hD#m2)riAFvKMVhUqDE1yQ?xBX_{#pbjjvScq zwdV_Xa9hmFXnz z(KfhgujY;gK`i)wj&X3=pofpwDs~MLP?KPKWpUpv3qj*S2%N(b55Dy;!B^+;*K?aY zU7VWErDX69YVute`$7}1%^S7FGmYyCcJL3_0T;X*lmuc>I)Rf)7^?`J!l&m(r6nbQ z&Q>?g>&ZCe2ZAAak*WtrF0YU;Au=Y_d)|q zsHiFI8>Ql9gwr_Ok*xDkZ-cfe9KDZjnwk2{xh9Th1pL~Y-2kpzJidTjthy&w zkQ;WYLh}g>2}65}mLb*GhMr*rxvE8Pc-R-yg|mR3)=az6VvTKex}9I<^x32>VkPpX z>OEBY);p+t>z+S{VcCc_>Xs>ee%r5`!PFlOVVb3DiAtc1khR9^M7bRuBeV5fZv0mY^*QZ zY=zE3eqW<4IL9{Eumy9g2C$*6y2K2X7kERBV01pICtM##jYU2N8IwEI=ch|`Pt7w^rrf(q_~MK8;1S=p61Q#=?Tqf5Fx9xU+|Z@@D$GN& z!;E|L+_p&4OqzAtHoV5|c*iBeLSfj%GVr+Xo`bch9VQprd31!kzx^1G_EIo{6%xxj zH*w%4pGvh#v{dj0JA44f3OzAS_)V17U94`5y8$5?=;2ShZ+5j^Pj(~jb|W9W#-rp< zvGpiRD)Uhm@!5~}8+)q4g{?hFz`YjLQZ^l2T*OmqvGD{Du<(31OD{Pm;xRor7h%k1 z)%_UePf11~iRE7o%LItYF4=m8i@W9Ho6K?4%Ldo@E)i8In{X|5_gc0kCUECB=H-x0 zro1TMCcJj{2=PB-TmJgqO?mw9D!xP7lIh?d#IJ?QH+1>gbg)p7bzS5dod6dqv|*e} z+nbX2m)$hVhC((%LoR|ckdB@0azOTya-di)xhrKJ!?hb8b@n?ysY5mLE-~~cO#VN~ zoeZ>TcJ{k@uh}vthi}{aColnt_#jqg^ImFn?_WuGjwfM%co7Ou&ve6tS^^Q_)%VYS8CDE=N%hpROxS;|p|CkZ=8}w?T3klyZRLAw3S-P@jlRJm1VW z*Nlh-z}XA&b^ubHN6dX*2&wuh5sJsXU_H|lINro}ucP!*#Yrj(mP%T=Ke)gU2#(DXRaWOYD3o!(Y~jZKJ>A!{m7h!vpCgGr{UH^;;i(K21m7m6xB8bOfC^wN@# zt?e{Gys^zCpk&C1C*}p_K1K+I7m6c*`b$Y_`*7E}NF>9!N@jdhC}+7<5r2r&lygyQ z=nG3}y<#cKb_6|pE)Z_RDD**LkWSuUeF zbTYo%q>m$tAL@!>MXuo(^#e&`;=ysbaX%NSqOr4oeDn*eR^_Z&mAI=THoE(3d>f4> z!?@N~cp<*{jNdus>zjJu7yMMfF_D%6q zRK`NKEUR&Mn&ibGA0_h=v!ZLGv_t-32S~G*~$eKm;j8 zVx~ke4SC`x_j#Vrr@?3QY--)E1n9B8#qPV6wzUDu!M0fKGH9G)1iq~e$4p%=u6S$1 zMYFYGRvz7$fbIK3b~?@cpkuF zRgZz0z9lWUFs+TF;fn!nnYK`1WtuQ@L>9;}$h_(SF49h?fV?w+;hkbY$X??4iUti~ zB)KEPCJ>upr?|@)pD98~A;vs94Mb=hsGGe%4KO21nxfQc@L`21gfQ#l6Cp6x%M!t9 zV87MY#_^XOUXnxyK z)~ReF+R}h(?MEl`7i*zU+WesE1=@m^R~0_-NLHz`HFa90vFf;6chf)0M zoH{>NRcx$&U-8zwTJddZiFUB*y=bvKzix^m!aa2~-4%*fCHN@f9z-|MfFc*jj#mI@ zTmmZh(}Sj!I_q)RZeQd3qAssSGm@Y1ux{Nho z!Ebva$UxJ)Rkvn@rfXKLmz!V?Je{77RX`x+!@;W!#1<3&bk{=?VqQRC3JIh7w9i15 z>PJ%fzMHqzz7@K&(33KLa4PqRS>ti(?ybZ&6M+~=NjY35+ zE+n6hU!S~vad@;#ug^Rw-2F2HDCCQpj|v&7w6Qh7Mc@clMq(K%aF?vF+(y@f_L@Yv zVw+RyGB1nxRN{N^DX-hbh;{Z+OnEf}4{>N_3)(%y%!uwMD29QB6vv}UcBikk%*J>G z&eFNxIp)wnZ{;Kkt6N&hzh|LX=|U)bfR=!KEZQd&qD69%m!N+Ndu zeFKAI3+7mUChEXr((UBLuUP(h{}1~2ya^2p72H0cr=Z{ew({ZWit8C>?C`J^@*c_A zv;oY)g%R2eQ`R%(y0ltehl+RKfB!v2+*r=rshTHERni;KS>BSev|( z%I73|pH^JWr9es4m8B3TN#TeTqI(g!gUV5V(I4xGZCv5M5^*m9wo0(hl@}^wxh=rY zx6!Re4i*jQ!7v+);F9z|6k|zhOIwbR_5DT%&i4cK7!fYB*-72IE z3)T$Ju=_VJPmW*zid&ap!QnyCY}&)kV0Id)YWP<1fDRnN@R(vYK%-MBhwP724s#t1 zXCe*kltF*2IJXRT;AgJ`hHyz+(;eV6ww_pX204neq9H)dJ-?y=sqZ|2ChU`I`I?75NTeG^hEs#NXN3Rdu67CA-^;tUe3~Qak^gUBNG?XE z0Gg3~bh0l*$!k2JNvma43LUiCaM#PkF>Ue(1!16xfYX@~8 z%0IvH?d-b*#EWc1qq>~Iau!BG+jPe+`MkHS@E#4+L)`aY3|ZqvNK%p+9)&3tE6=zo z75Pd(1Rx%y5!JS{bHmExh191g%Kh3cr?ZAi=SApeFmGFi(*pVr*Qv-80GlK*y)fB0 zL{SRIX*h(bXf_FPlTq>mBZo{>L*dK00}UxYA_HEKW)}X-%`~PS{pA8t;{=FmsO)qa zNw3#h0T|%%B!jizWHKD^P5(Nm>?&Vt<4mc@_zPLOMwQ?3s{^V6zBLPy)GGhQq{dJo zmei@M?s4XIe-ScC0BV0B8mBk$H1(WhNGFU>=!Eg-A1mfMy#mS$%LUET_wRrE@Zsr) zihxEy?y|9LvrtsTPX)y9lG<|9N!qel$w@;`#bE56heIP0EPlz(Z^$GR7JLOJZPx3( zVKVEV52I;Z#XvT_WJKKplF6e!IUX4wN-!6DZ@=yEw^*qsJZGd zlH_6-7mXlx=_3=5*{q#n#8*BLVCPl=ePrN&OFxOl=QWFrjR|FhDY&6)A$GQ zr#~rVPjXqC%+9_BU&b)N`X)zItq*4ir|N4cK`fQV!?=fwz{^~a!JUKG;YruMWU8X8 z&=V*?h13ydgbCzjUQ2kxw4C5&RjoyV5P?t{!QvEIP}3r^w)YNBc3$qak2)p3H|ML6 z52?aRdG>-8zB)K~wKuOakkP`LAn$HAUa+S2-tL@g`jf(1uq!~y7OZCHP}Jh=YQnM* z5af3X3x>8~;b}?I7L5|2miW*eXFGoTWzDo7n0Sy}ZGPo&^FAs>A^Q7XG|&NsIG`u* zN3e5PSiV2e#jVqalQG3kqRta5Z&;dGJ%)7{ixL$#YlTP9TfxX$cvlFg?+|_~1rwS9 z)novED&vMCLP*;P$1BL873a(Pw&4t%0@6&$;ndgyp9q--u4Z8#FFXGEm|Hf+V%;)Y zMIAQVfK}Y&Ggvk8uu7b;7+HvNVl&~ZiMzBy-8x_``SY&8}9Bp;c8yc6G zAYSj}Yx+&xLXmDzBFPXabPc1pcl>HUt;~hO!z~r9p0B zHTDPjw#YBZjGkOX?;MP8FiwdZ6xX0XNKw%OPtRZ(NDSZxvD_aq?@HhuM|{}ujS6wV zWN2}rLGO*A$?l1vxo8wk2afM5YWa~siw4`wL2`s@Lpal`c|KV2<#vq9Cr5c&e@CI z{bn_p#HgG)<%6^}ZL6oL5!4M0ltcvme5g~T2_Ij@DQm-|weZydT zpFM4nXHV{RQp+sq={SGl-31CfBVJCC&tFulz{MAxSG)T>tTtbr(&O{epD0uA|si1B{NI1hrv$Okc8rQ(fDY81u}kdz<}<4sInop>=r zzUs%Dm5=zfP_g?&<92iPd#^A&SQ7LbO6=+BliJhM<@)KG^1YF=p`*3+oIr*8r3BO_ zrY1>eXCGm0@PDf0KTDN#dAI$aF8N=tOCBW+UssmI+!Gx!mqATD-h(+Fu94RVGkW0Tme(~H5xiVR9{X5 zR0Sf*!JpqhF)*3M`2CRyzOc4?c)cO`hC?%rFRa&H*5oNSyer9lNSF4~3KGB%$_ z!gTF0{2t$Jt>oTAq9+nD((!mUI*X^aLF@X#yl04%RWD+;D*Xj`$}nSiTh+$xK3?Ep z7LsMXeL0wH3C3(Gfzm9+C-a&%1C@(EF;g(@ck#VN-yB|f715Nq+dsaWm^*)>@2<*jM46A=udx~SV{OYB)+PdW>c{kfRXehXsk9G z)z$ys-q*IZaU_d==T}U|x>vy~fgxURmNhwtfRb>6fd@gdxyGv_qye-Rl8z)yh|Pb$ zT`%2T)!j1^wsTMRJlFed(9CpKSHD$PRoBb&=Ch5{XJ2n^Jlp!}tN)X)Hbg~Gxm*<1 zq#w-nLG@4Z^U%5j>`}2jR}^fEU{x*OV1{WRvwkt0cWu!>{kadX|Frq+dUXY+`I<^H6+Vc!wlZL8K&vZFvC z5Fl+e^b|LcH=(kwvYN{k?Gfgxh_U@`TZLmF#yB(ze}@_Hgkq1u7;^mLS@x9v<0+Aa z<2L!9uFVc#Wiht2)&9q{y7_!T(|yr&bR#myoBXTM;5TvxFf9=`LU7RRo9DQk0?CoK znfu=P+EAnKEOm5BPKdJ@PBJ4AkxB1e!xl(rh;H`rfMX(dXY(!F8*}n5 z)16=_J@Md-5DjbcKz|^HCPLliA*)`Jd&XqbN5B#Qf!!Uee#S`LO?u zd27>gyzCFm^v%c9`)^VfUb6j-bo(}fG3NES&&=$@3)D5qkghj|T#fr%pi<_x>kW9A zxya!3OhJd~Hzv`tv32{SS>4dQURj#$IH^P`p+uBSA{LNT1i~y=`bY)SZJEu6ffNMY zx54FQgOwG~OPcvP!(7@>^AELk^2m|t=fZRqC8;WcG!-h<0~Ay70iUy3R(FU}i%Xw@ zZz!J43sIzNp8vwn5Duc#yMc@PuYD0XmXHTDum6g#MaGWz8_yo-orquheq-Z->x=NE z?>9E-t;+53e&Z{8>vE~ky%&CZ{$Sg?EWiS_WAS*u@n`ykE3*S}kMQja`F1|WcYk>Z zo%6z2oZ1zO91-IMRFmNnv9Rzdl2I*Jn6!VPBYLa+7g0pogQ9aZ?HAMU1|x&~Z-u>F zfh-k+(Odi$yxT2os)KaWjYNZ=65q0Qa&mN%+O%$PFa1D}pVJ%N!9yc3oxqYn4um}| zMWFw%h{{tIe#|g}r+OuLY~Mv;HXD`qpTx!5JY6z4ka>ksu7Y%5e&RAg@UNh*%kUoX zOkpX_JMmhz_Rma0AU$e7FqhPdtT?VtW4E(gU5so@suw13<`4h3;S#na%#0MeyHaCxTcp&T!sa}C^3$~5Gi z;XDntOO6=s!2ui@jtE#I)tt0TRUaA>1Vbt;`v-s`Rw`EYYgjfJTE|hLqTn3MYh-aZs+Xa zw8Ih%V0_Rz{QmR@2!D)mvCyYAyXoHZfM($K$>5N)0GCjVZ4B*GX|Plu6x6g$nu-iH z;UR-(YYxQWF4Us5j8jpg0Sq+Z*N9&nCk8eK$02xIH6MIchS~||$!!XmB>*=9V_*vy zWWNJ;=die=1@j|(=EN)tO`F-Ns)BUzkCtI6Lr4@C@>5=!NMa%~BbJfo zG#5-_($?#Ho)R)%Gn3S`lcXYn*u_{ZIra1LZSOi=*3aSxN6AedUg(h8Q<$DCT_ zqJ*P$k($j^usP#Eqhiy7CD}UvRR?n5VF!0%N{&qy%V_%TWR_Vm*{(l<&~2FfYugCC zimON@AA54seT(kx*%-8Q*1eriHg}sj!;n}UBH^5G)#-LKoX}MaO>ILb$jAvnDI1Pg zCY(*CoXvF7*~g`q&6Z9u>kb={Vzx5LtaSTV$%VQF1i4Jclv3Bc*10!!2J;O>|G zV?{Nczq2wOfhK0%so|3ZB(GYO=#x9P7w~-FDL&v;7yFT+_kAL;m)iR-|>n;@a+S6KH+Jl9Wr$yGu zElP{o)WN7_Q#7e z6@5>K%TCW>+@K4Hx)z3k`CK#o1fxHUAh6QtwmZbM;45YHF6dfnIH<153<`deS7mbq z;Y-YLLs%R=Wf}xc9E1cpfBoj^`5QTRuj@hhP8%{rC2MhqMT{G=SJB&WYEwm$vzuzc zPvmEwKFcAG`V?);%;O|E2j;!>`r`mb7{*puMJ7ARDRTllNqGV|V7Z0yn+*=Mhy;q# z$>Z&cZbd~%Bzav_HsE>HoCY;35KqYD%Shz$DeLCYM?gvK2DnATjr1R8TSS)H$&e_v z$YLUhEOr?M+zQeJ)H9Lhs60yBd44w-_Irk7;Mlq#!bB5kkbAmT>+}P*Pi#uGdhl+Q zskLjqH(b*z(d?QsWuih{GO;?aJ_~>-H<81cN}y~7iO0%rrI)vVP)Sb7;MPt}hf?%& z723E5Chma08w+v85pj!Zn;oob_!{eY#VJE60{td62&dE<+COu?t)N)+eUyp2gir; z;AogwCISjlH<1x9fBVDA955ib6v`+ev4vE2k{ZEmD`wwP2Bae z=8&b(ji|SHzJXN?MYM7?Rm%6o^vK4fcfbd*>=&Q0Q$c~qXF47>1gpNw?WdNipkm@} z;`9i{g^d^OxP#qdq?9NN^5#YziG?qfmO4M;SjOd1LU{d%ea_?7cgLqCNhqV;x5fEP zG<*yau<+nDJnMUN*kV|tt-M~t%~&@_@cF}=r;%+Ag=4S*2>9FE;$DrK*P!?=a>RnL zcg%aqb#B&f{pnggzNugW2^QsDPu*-7mtirtAusN($@O7=tt^a1=zDytZZ`}fiDBa0 ziz)ML}wNaZFuOfzt}HAs*h@=z0#w>~;cI!G_DmZ)Fh}WoiUxC4!kB zIPjti(^$8bWjI+FIxv!)*$NHH`NVx<4B&=7z$-NZnQ#Vh<>eB?npt;>7K|Z8itLLq zdg;2hfGh{m2#NXmy)NCN-MM)BadO36@qSh;JeD!L1ljlHQk1&&OpC{mLWHrBSfcdh zqt~S-S)YAu-S1nK9xXLYAi>3hB$lenl(s4cg2(9=lf&F{VwiA@ZsQba%Z!kzw)T4u zko}n;cQ`?7@)Qhvy%e>R;pTY2mCu9PRc?IVo6!(ZsS^Qa19&qjys8I zUZ%DSI7LFwGF6^CQB?|&%hYr+q)J8a6zK<1Em*H5?(=24f$hO)p-IkL&WZ}c?%!*j zL3N}iz@N@fMB2-w5x#Cc)t}WxC(ObFaUTUs;k}S>G<78nJ$bs8u%l71ysxCFM*>iN zw*GW&eO(@bf;x8k&Pz!rVT!D6gHaRU=B&Ex+oIYA6cS&#Rz7WRoX(;zu_MZzKEm+~LQ`_>V0|Bba#R$3RPPur0%ZL8 zuX7tMp6&^U_iLqllHpkQ8g#Y+AeZCeaE#`^r++_Xa9f%gcY3Gdh>s&SJD^Rnp>%*%jRI*?PnBZi8d5pN%Js}+6TL47ct&B z#;J1XUnHMs3^Q0+z447%Onsz=Vo^ST7egL)p~Lxq@|v$%-W#11S)*+Y>&H`YyKiKJ zd3FOqXwg%vn_b?HdMF-15)Duvi1wD~Vl>@m^~2o44&tQJR+sfKe*v-|IkXn|TGF8gGTD0NfvE*DO6Dt8o z2D5^VeLmVJMJENS*@7b?$Ms~r(fY2T?tY-$;A-54te_@0|#?h zRYp%0F|47-Zc6XgI04qCkE|*a7i2b`>gF>qq=BJ%82dVTX+y1I(CqNWW(loRwB;5X z6Q+Dm-SFtq(xb##z}%TFi>~^S;mmoSAkpFl| zk4}teez4y@CHc+nzVTZdq83FdXbT1Md-5P0_4b`Mk*2SFu2-^fb$d1xS=n=#VdP36&&2Yi!mC@p`A+o@u0 zIKFl$7E>=E<0I}S`(UB^9KF$0y@Jyax70zaosc#Cgw4&WoXu#yB#SA-lxXxQa9X8N z3{v5efGLL%j;gY~ClE#Dc9LP>Djo#)@w=n5!#zXbcMdv4>w!U%D!OlXc7HrOF8OG! z80Ulq-lNCpi#wM8M++fbipgFk*Chmr+BFCBc3CA^_@di;dkc1W(I6!*TO8;Nqb<;H zSuT0j^3{r~Ku^>#Yi<(t(rVst-D$7Ri58l0$xY;AoF zJ~#3Ex>h4Z7w2Eld019GtqPJyh8I!@&1Im5NG)z;Q#TUmcvaD_WKnH45fU*yiUwi* zBEG!M@1~Rk08hv*y7)wqNY`ACuE9k_u+m150xUXmzX<`@wn{FIYyB;&vjgOd%;Ajc zimg)A1t6v?cf|$SYQ|(q%m7lUG7!Jd8AX27=+N8!(=;05@)6=$rK%vl0mlYL9(M($ z4ziruT9OLzS~tuTIGOL1?r&3$&0ISMr(z1`tZ;uFX`d_Xkai)k04zO(uzocin`3Bv znTc)13sE$rbud=bRrH|CP@#DOu0^WKd5+#jB|G;#Pw9ljb>f%gIp1mhy|vppZM`~% z=x|!ONNdwzffFBG+pBU)Llo_Lp8|^GSR_V=yH;*V6$+PS+-S=16{wiE9eTI%k(V9$ zwKB)1UWKqhGa0-R_rTT!Z$6wk_OhRof2R>iPY>G1GzBH@=&@aGWSK3u#A>9TQ%AEsQxd(03ELF8|8Bi#Z z$#11bmS%;M3XTa+8e+hVR8=kK97}VXJWeSlhXXPbn?G9_IZyzne>)upx2HbO^Va%$ ztzRLTS=yW&0H;-D6H=Z~?D^`AGLOZ4`v_5rw0)IM9 z(rvfQVgUmJ!wi?|){g0WBZKSK-5pR|1Foi*z(V7FHad zG4&QcsDKs;TR4x#0k}-r;1hUNiF*UvcSV*7t5EGj|30h$7{5QydovrHqz`(7hd4AS z#BXH1icKKA;3hbkok9pDxsf9p_kk^POhtKlUb;% zy#498z&KraIEU&cOSC9>3p2oGezjYk%7U;>Xl0oIT(X9jS;tk!iRUlqBCTwi{D~Y*5K*0QekS5zM?X(Gi^%fFEE{ir zf{$H{YqiXN$^UTz6`B|s$xL6Eu22Y2nF!l*J`JR)EEg?v3~%?SPd!zzgpom{GAsi& zu`w)n9LtYM4n?2Z2_u+j@!UWE(<@o*QE#Ik z+sMbA*N*RVOQ?6(sYv zmXB}LLxtqjoFCQvs68`Zep6ScE$rwm#jsAnY^*yp$JYp0sASA1%SZjq8Hvfk!k{5T zrprS|jKKoOJfp=TyjS5>thu<^@8%oc4rqN}>0X0^C91z=cA9FZf(=XiP`GLa4Ci2T z+h9#36`~R{zgl9R;|iFwO>Qk+B(<9@CXz9Ux3nw8za3`wMXwuaTT6ADc8kE|F1#Rys;6n-fnW{GtXUbI9Hl{Q<_| z-zgtg2?cvy$=HZic1G+<3D!77s-O`R;labDNQ`faWvNaC!K~IY$sFWN%j^(+N*Dq2 z4s62Zty$ZJUkjXsB{4RM28GTH@>3ZY6hGIdqO=L9lNqs8X(l|u%Ov3Td}?8H*5kP1 za*Y~D$#&s=MEOoA+udIGex}p3s1K;ZdlsoOMVW0l-ig(wRH-X6^-x)UGz&j!F{DXm z1%G>XxOWgHyb8CME2ruxTu^ndwxlW;Hk-&qlxP%6iSmmZw8d0&aF^RQB&OZkJv&*{ zRb4o)y#R-}bbJWR=EbP<)AJ=#()pr6Rnff8S!9d6SP_?l^8NCyzR1I>3tN4j=4_=oikX2Nj*T1(?ud}qY-EPGdyl^5=*o{nWnXik00$|x zTuM8I$gGyuO&(i1AF{2iwAfK^z^@1UviUr_HmCb6)fxEkNxk{%#b@e_OupngR*FjM zFwg#!IB3tGLjTQwUp%A#rZ=nx9HgICbM}#4Bn@YR)`h_G1O#L>mZ+YptFofH%=9&v zlHR`T){F_ch_wCcf%*;rCZU=J}EoqfPUZ4LppHM2>s_EQ~H4F&rwc527t5l6@-}5@_!{ zPF9~V>UYp}m+%-7Drj6{5fOD{tja)fYqhl2;|>8sb^Jl!ASjnR>khYW|e~?q248wwdq9UJquiUhhrzn(Xl2tl(1OSv{}`s_n$; z@Cv*m)TG?bx?m)I27e5{aeQ+0AFbWfPV4aW@_PW_D5S3<= zEe08<60J-JQFjXrLASAnU1;LM+I{o;g`e3-XfU6+b3-JpL0|lo9ALWVOyzy2zx?;0)|!9x{&yP|5jJ@qL$b;0Ld3B4E$=BpiP-W*v>C8O2-@7|2 zF6pt()V;0d_X(YTW}e}~=W=j0TM^QL+krla)iS%%Q>5>XPIgLdNwGH@;TY ziW_<7;2;_Gq2@^yx~ypO1iL>r#=#pvLr1_?ljq-$Ig*kI#7@e;ACLQ#Alm9w`P&*s z44{U7I6C?f9zD5nHy7SY7wDiMA|g= z+c_SHk}q}H*+Wvv-&eW9@w9-DizUVRt1E2yysFatdDS6fX0D>V`!0~-JHB1MJ}p5? zmcq)PFO&FZ%_IJiS;QrJC4=CTiASuE$h{lTSr3#mi<8z0PHL+9GrQe}G!6*o(7sl= zeG^hzEKnuIvQUaD6OH^bv`@Uuq(WLegCXwFkhQ51POOIA`o-+n(6;e1;w!*k zImIw>|0cwSDR|-~jOiUQnHI5{9EP@-49E9`bs$H;hs5}c8r*`zB~20n^PFm8ExVI) z4OoJdBjDv|dEeefCTTb;5Mvr{W1GdsluMx3IypHySr$F^as#F46cu0Hkrh}&q*8gl zX+rcG067PHwqqn_8>Avk&0${Aq+WLBb=EKRVa zvZ*0>A!R1y6VtJ6vqZ2W&12_gcEvH#aG1n1pU6=O7G5H5U`T8(Kr$Eke)3vt zcem3%`z{gPn`b*3Z&h#QI}dzR|? z@jIc7#y;xPp1K(^k5v>+EJjr9EJf4g3eFQXgi)4U%7T7uaY+cxW#g&27pyo+ z*m3<1BsrNHLsN&^d-?nT1#0~jd+VcTOY-0!GjD0JqGH;lSWroT9zB0aRDO@?`&?2{ zdMdr(VgO|#&!eL6FvtEmoa6AguAak^1G{1pu|~-(mSlnZ7@pyGn7ohRH`3E2PG3;N z+9y2|LLU>c2x%WD3L8CTbQ=&QVLZXOw91eb>|&?Fom$!>YVVl1Y^os#T{2f}eCYJs zViDzPO$k;;%yM}0r`95bI~P^bF@4qiJDZ%!Rq^fF!H*FWV5Y|q#*2TN!+)DrL^w-s z8WYo_YMUt+&ktEk$1%W<{qDTG&Et$lVp}U}rK|*FE)%sm>it+m*cU&E3YUe42QDWN zlSf7cYM$sk8a1Yy3sGazCr}fVPNL>0qulB>*=lZ|0dj&UOUf1596GTAHWA4cz1h@8 z%vu4%dGqY9!e&!&V|K!UdH&h*`9eD6Vs0V3w?9AbN(EYP0y<6n?@RNaCIJ4%ys#OA zUph|ro3hIkcd6+vPwd5}dGXx8K*RYz^RvCpG_PLxBGMTDFZg;gE%0^{=J)FddSx## z;oV;!{1uLSx$%tN`na9F5O>zHy{S2Wyr-BQ$XuvH%sZ-rdDHX|?+oXM2F~m= z4K<^N`PLpg+_^?HXI#Xam1wKd$SS1V2!!dYH1P0tI6c?V=*i5&8lX73Gy zRrT$&XFg^oojA%BpH- z+0XlKcRaa=M#-Mf#_eySS z3bdI=yI@vKw(}3-mIi8;rDk!qbXsii@n9jAPyPz5?&v-SIR9eu;JU%j?VUp|FylA7 zJN5_O2KV_%hp{TGE&w(HyWV4LP9)e&ojSTc4&(B@R2K$=-rzc^HIaZwVs-gtO> zGg56+3S!)T0?iLxG;5j_G$WPFB+?R=)kS;g4&})?pVzf~Y-kAIp<1fZcQgZ7gBg*G z720(jN@@qL>W;z1QZ~tbqYl2!tMZZuVDF?dR)&cxTgL}Szu*_lv9}u8&p24=_$la- zLD#`(Fu6@nr!pa5TdbaKGb7?6fF z6Zrsf03Nu-Tq5lg0lFG#%s*!iK;P8jjv$u42CtaNV>S%Kp*%~|uA3DaTV6ggDN3gj zS={G|wMfm)O-yIvSnD$bCijx!!ce&k~0WU}F~^CH`cVg>ZVXt3fzE z#1`P%E#fgNfLm(f@GP_ihf*kyWiL@G!k2kF)bw??cZDnMnOgsZA7 zqZ_rx=1w;%l%>cFSzW2njsDpek-E_rYHR%^vP6#@PdJ=PiN zqg|0c#Sw{ZV^WTuD8iZ1ZP;&b;^2Do3t|t-9SEQ;&jqD--*q?NLn2d$(caydK;;jVW z$0dz{SOSX>5yLK&PIjCrNf%QK&Ts}qW4)%QB2d4|`eiee(1h*N3bR4#*y}oQdi0XA zf<|gb5dwt`K||Ss6uo*s32fIfI^IS1t!(w*r?@lqHx95wE z1Z?Es!RU5g2z8EE=JoEcV9!QkB)|7+(9-)y56fVN2u8r{hqdC@Lg`i;7!dp3$e`m< z_OlTl$9J=TE4kV-{WroEI%`?vns-_4OEZCne8Z>JRcVjNSA2d&h#{`)KL;(a@22p&wZleZZOfsotcd}+F1B}nINfRg*v17|U+>|?P~H4$@0$Pa z?d%`?0#B!hb%6cz{^8!y&+U$>)!I8dXq{kha#P?ttaEBgJ$trQQ@aa3pPbd@l$saE z_`)IsuTD?uV)13oVb<({rUoVpEE1+;2uyK3z9}Gk$U&>~^U=wV`-k6ym-RW^f6xxE z=OR6*r5b;CU&?IaHZmcILuCvP3`T%i zl|XHm_1lQ`vZ`ErQt;F?Lbd)f_oGT{M3WlYRCbtOF$4iug(C=D-cSOkf9lL-tU97f z9p-I(%$#}lzc5@_xaSQ>UOdRby4RO>B}u&8GP@M(OvY%6fojv2fWMM0N*a@zRd;;~ z)CQ=Ir#KCm#Cd(@X2+hC`aE}20*I6nMuWU#6?h)tw;I=y6oC7c&HF&et{$%q>&uqN zG`9ex%9ItYwlL5HGf*^j>vj$uKY|khDOnnjlckqf@tIljGj+uQKE?Motn!TF@l}Om zRF&N=OSj+WOnrAF*AU#QKpk^BhF51$q;8}wb9(f<_sLjZN!2DpcI>`erf?2(ih?}Z zTFE-T#VaARis?tQYoWAnM@Q}Sft7{LzL(k(_uIzwmg_EimOaJ))s|-$XbFFlIaKUo zc`!{2OqwC#`$J-xrlM7*l>5Q@wR;Bd_(nwmAx5*C?&ublCp&=o6|L6m(G-af>sN6y%6Z* z2snKV2%KYDC3)*%`oKrfHyMV#7r0}7Zh{B#`a*`1@mNO#&qt7@$H0<9sdu69GwDr* zi7B`k8IJR>Dyw!bLe(HeIFY8x8~+#DyZK@oc5 zg;p9WYi4<4J(#t2cVYFt8^0}1itcPYTA_#EF+w7MuQrP*HG&EPA_Be%qb>Rn-^^m^ zXL&Rxx-%&|lND*SrOdb36pvL98m z-g8)kAL7D`Sr^8fE}Jgokjl^t>1<}n=;tmWqL`Xtp{38YTrMj+o2+-|wpSiEkKwM* zLz+}Mk=4^!I*A`Og^!p(HGPSDLO*qD0Y?x{mOuR6#+FCFIcHZWpZf23)C2fWKI)e{ zsyoygSi@sfZgI4&@u#IvbY(f%2EVduk+#Sh7%7zsx=-i% zgIBMl4<8&jh-!6ove!B>_?adJ3cv`xu1TccJfsp8_+-U4@&u$e5ebj7Me4RiVHvvL3l@kg7j^B5(jH*}b#RyVJTD(u zTdNGkPaUO2xh>bx^1gGyf;EGON zvm+7uFXeKIWkf%?Aw}}AjLm}@<(*FH_^3zJzL`R-Pkxmou9mlkRvva)<56M;3(~KK z%{IO&Z`d@#G7U9qcqp~ww;883xw<5Pu!4aWzT)zoIW44)Ur1h@itG3@w%-|Gd{Oh` zru!>|1~cnP4GeA^o5g0u+7^=gcxPbK56JqsK&<04i;a#0+sec$=FWBoGCz!Y6xm_I z6)sQ`iDOKihe=+!l9yV_jwalUr-dL4_kme}GK8c?-HxqV!ngyor#6@G@{5?j!$7}N zEEAwh$%EXNPg>w)m}HU2;`Hv-OWXw(AjZyTt8j0~I{qDhPK`chIZ*wK0~wdEEjb9C z{y$M2{9YUr=ed^#`p6Yp#220V*o%Ln(iyJC#Fc=jx^)RXucx|~KsV4#l$x)2*tTZr zg4EG2d9SX>34*O#{8wu0hDW5w*cmy0p)H8m*V|zyq%$^WE*HT%94V|)4zs^GWs40^ zAVJ9Ev14O|`Tb5?At(}rAu}}RkzU}g$EErY{d$w$udS^ml_D;>ME^zym(U&aK_<-q zRFddI>!1C)|cRJ`^3{ixK+8wU#%^zRW31DXCyM4$X-0YH0$Gwof z#00nlaj$i1X1KN2;X>PWuxxMt&^kCc{pA?1^L!|s^%{Q2SEYpS%Hnv(#@Jr(1b2Ar zYfu8hSL^AB@Cb@Cp-2I|_|szG7~3CuPv?r0>#Ye)59CzNcWmF?8IdKH?42Dyn<1HsnIX|onC_;~+Rhpx zbtw$-^?W`7VR?KzHP4l|!9=bJ*=QR`jM=6qKssd!^wGvVOPceT{-UAalIA=qvq(-3 z0MRTA&qZS=EfvA8k#7Dl>W}zZhtCaL$o-hXq`VvaIw;7xFuLUW*-sL9P)RFAG8(hd zAZAI6M-S-86rA1-W<{gSauN0dWhmPUJZ%qsRwzCongoOW~vA)?vGS(D`=%aH~0<6rdSdSyOz}?+zjRHKz+Tjl-_PV*caJxL+tp`&7)ZSM_`h((59>4R|oTDi2bnlg64U zCxx%u$5}*@u5<6xN>BK762|vZa@Xg#FLV zAbk!Pv+Fb%?Xq0$NReqzin=Xd7X}Ar{f;LJpDed-z}l)W%MHYomrTA0q3SlIX`XCD zyr(w2;A}>#Gcbb0Kax<^DK?KDv=TIEyhG=pbWelj=?u65JAlu;DJtc(;3e%$(|oVa zXw5}H)1esN*t(zaH#D^FigJV{(OuVKzJ~5J-2L-hK|T7hk?ju0GYT6xEr9;hVLdOV zH-k|Zj{?*36i6pJj7bkqJwr|-Xa(27%$ijJ0j7hWIg2Ye0U+0HU{`8h0f~-Up_Tgt z4ual{^0dvamm(-Va{PtzVzx*a=viSvSUB{`#FXlZ5Y^(zU|h{)n0IC-;%%0dZ?o!+ zwy+(&)w1%frnPBqyCosnLrepl^Is@Z9`{9O+4V0GgSO4a--M_O7# z8Nl4ik`4rZLgTMYWekvaX!r#&+lPfixbO5;Asqp_#HTX`C^w8CFv0l4aD?z%L?{on zU&CU(=2)9V9yPlBM^JgXQi&@Ii6)lQ=KR<0gEv+KrH3nKyS+BMP82@@WiXUF_lTV5 zSH+rh;ftQ;s8QmoP?zfQ%u7|tEOSbrL?({=mJpB%Vb z#mZemUGKF1(RpZDfCK=xN390zd7TPKdFmZYsL?0M=7w0hWEV2ZTD(^=dM$G!6uwpz zl(iNPM-bgFeqG&cTs{FK#SA1b29z^#YQ=g0hesW{{^_&>B%iz*_aO>0E7j~ewrWqf zqtdjDZmlS=>6aA!rkCY5EPeAGg_PR#2d~eYAv)xsBz$g?E!64W9`7K%gQRw>wX;?V zoM{VXxJAfbil2=k4BF_5%=URWtjLaK4Ows*pS(kcRfyJ~d{I|z3xS0dstbv%)Na}y zE~Gk|@+3)1;ywWl47!tnup_Ck!-BYbs zJNpNDRNKl7aYep&?EJ9P#*K(3mS@Q96+b}4wcMRXM?b1dM(35Dx@26qZ^JME4nw6< zcBSw z4M8!0A{F7h_!X^hSs`tKS`$K2S3@DGp7*(%jTgq>gy>mjL#fH;m%>M-xbr@z)!a`9E0BaJIQy15uOn?%^?`lf$bV5CCMNa z^NLLA?2ZnfS(?;pBd+KbYc_igY1KyPS0eRkB5ydF)~Lkcl!<56nR! zO9NA+syB?3Issq|XQz zqywW~B1CfP(VmrUgA7oUcY`imvW9r4*l*a#Hg_coc&zl{jZoo%&u-^n=Rp?2OP+%++Z*O*-bG+`wrM0 zkHJNGzNZp~wTpRjW`$J6yRS5TnB9(x^N2ZoY7Q)4zyJU=iD9aZ5FP2ZgqchWJM&^T z?>O4=LopnV8)R|=zTz1|fLIzZfv8H3E`kY!I{?_Y$1H_n@Q$r_c*NQ2Ou+=b=xj|8 zC&C$-B!OD)UZ@FYI`xct{u&Baf&`RKyZ{@{X2{@ijz z_qlfSPaPRGhE*dVWrTcDGUQ_3Sjwm0GvHkrMA_F?10=7+D;C%^)~sJDE9 z_tKssHtUu}tj1)!^Yi|X`&H(jx$SV0KZeb~{U8)64+7Va9APex?QLBomVhipo?VwO8j?8&v z305S)lah;9V~OjNaSV=S52DJ0!{%xS-(U&Ukxuj)PIUy>u*g_~Jfai<^oRuK1COHs zx1FnQRE{Gy??=&N6P*}IYhufd%odGh`ebr{SjvM;>et0^k}!;Cp}?{KY5L=m^nsgC z_IhH*{HB3F{*EUEH-N%ni{MVq$JE+2#L{;p2SPEF$ z+4Khg?0t=nZEplFJYHt^vw3kt0DRm=_0PvfR3IA2XZbp4R?WBY43A~c;GY#qBZL6L zunXrF3RC(7Gp57hZXJfD)mvE;IjG+S-=;|M)a#pxwp=LA>T+j|RMm^>77)B`k z$I*o}WK{OWC0#I^p1=GDuetFh>lNRQAmlGx)G2KWLdBBtzXN!kKo^Nu{Es(6xGp$& zNdv|e0nsyxA6@Hsj(N*pH*MscH<{at)Z~2JoV@MLHa2yWEh1(XKaPWj>zXo8nHDCO zzarzV0DT?czROk?cO-z0$DjE!V#3xho6Er2t zK;2II0Llghv;WTUwTl(z>DRQlGMz7`L5&lBt)h$Z9=Gm_s*3PVg#qGEs(bv-_0M@3JGSs(>T}6X*zG9M@dP0d%)46J#oXhk#2+}|8_Xb^?T@Y!!Aek& zf|bBa7u~$eCKYh%7nj}J;k*f1KkcFg1v65aI+OvTUT-)|xdLSxw6IG5wF|V8ZnsW; zYMr3m5VwrE(9~$yHr)LrCrl$cxVy7VlgB5m?^-7(t-TKAqnZCdcfX?!0$RsW;5VZnOFmxK*>q4k54dl0Di7r)~n*P>U3?bW0R1 z=P%G9s=t>1L?s3Kh=ycBfaj7)ZdZ=<&^9J~vAZfse5=9M(ne zb{Y=`1GmT1tQgG(bI`@HBsN=iCceFQ%io`{1;&u;4rl8zV7#lp9`sES;{Tuup}UTK zT_29G$T|d2AI$04y@SEND=wyEBMHCk4?vAPhLj9$NjUNh08PmZi*lGsfal)%6I3`A zCjXr!ycDrwcQ{Eg0c91jxN3G@48fDSvNo6b2x{9t-8pR?wAzx|lDJllGM5o7#%Pwk zHvj36+B8`S%20+1(vq2>hF9ImK(AO?=I+`|f63~7L_hIVIo_8i8+gJN#Uy)amd|+9 zpM9e%!pR1t2`;m^1mJep9gxGSUBvTW=ji-8rSFDqnsl$=xH0v(caNHweMk`jTAWb< zs`@T@eS--W9!D2$8#Mw+a55eaXV@f#_<^E(M?WMu)3>li4Cf9^ggN{`#VkeZBG5O_mebeosh=@?(2|yFv zA71V3Qf%x>P_PxvMl*|BC2QehUsS&&={%<8lD77n06~c#xMtv{Pw2k50KTZ zMjKmjnUqT!idt|LmI6=lb$d5`p$3-!So;eQieJqE4*G>?@=!d+IK9MtkhYNJL7ecH z^tWRe01Y3kU$Q-W{2RWKFF(#s_9c_;w*BtTBUx=JpwhW1H2SG&lX7A2c4nyZ;5P_~ z!JC5JA-pmT-Q7|gOazZC4@_yWuSdg!SPO|uzXD_lH1H3`t9PlNXk_Ej@SdXrLVI>bt2XPN=K1nh-o8-@;YBi_-06Fz=t44s77-uyALrjJp$%kFrQCQ z4gC`SyXc%1tTd?I3yAZPLB+M~$dAI{QqU7<{i3)A3!X0MW6Tj$02}w~J)AH|d@j1f z?x^Rq<-=JOLgg5lioYLL!?9uTn%#bX3ZlTv!K89Kc&yd|D{j*x$8Z|J#rD9E2sE;2 zgX2^ygNZFw%=|^iw0jqi2>-*rq9%-K22^khqd`|Hj>tgM08QK#K&&AUipCSZ1R9T; zl-NVIpvaQDED{T_Z2-V%!<^uHy@qIe2nX6E@!l!1({eHY+Z&U)5}H|w*%Nvv9K#t> zw&LBu@bsh$0=a-Sr8A|by6N8A07~ zi*cr?DMQ0x#9~d($M(oeS+`1TiSJam=~#Lzv+GxgD%!DxFbx&ZqU z^arbtSO%B?Q?}-u6EFr1WSP%ECLj7M)H0iJJyLFKkUgoaXYIe4Wctdsp7;R$i*^~K zC=B(QlugsjTXW-?nm9P7`Qs(qP7oA|vcXsAD6)=6|FoVWj;-_@om6=&^N%%toX%6& zC3I)AyYaN2y|ljq9b_M7!IeT)Cy4z9NoO~QH)DvSU@}27j^1=k%?(8yj0$gv8^oi* z>(McmF{f+q+HlnD1wn*yJFk6vvU9lmL*N`nUjut=Tjiz;W@X-ndv4Bc^e$xG;ySmq zZsDw%5^Gn#2}i@d@!bei6&P8N>cdx5Rltha&J%UXmk5rs+}6pysku5)z!lqw@{b7v zW|4yxqt*I#j&cWJ<={Fi^DnY5O|#jrzg>#2kU!umew}jMvCzk(z+(sfDuYlqeG#Sx zbhS-4DfHb2r_q+x7S)Q##d+=D^ORA%HNTVTD-=F!YxEPG?WdR3=vjw+HHfR|7;mQS zq?n8$jDTIX*Dk6>4Mt&hJ-D2^_lAer&Oz5V+ge|T8{sRnC2lX)%uY1|gpp#_yFEiI zuAAdaLpuiDq4rx|H^oi4%b8h?*D?SFE~J`kBTh98PKoay8k|r|q|~bCv+HiYB~!@d zm_qKk?Vt#iVEcGcy4Av67HlvchiwYNV23Wtfir_nUF548;I+)BP*Qo`z2drm<4gvW z`U46>Czwz2NhI7hahCpB7?;}yV~c}Dpijn^kPNwB9%f>dL0H#jP9S!h>uz1ixyuD2p`RLDYZvgAvQ+heuus`Mio7f&mplMhQf zor@@gZX$F^5VSn3FMAdjcKwS#sb1Z)t zpsMExU$b;NnC4-b(J*t}`T6^nTXa-2ni*g0kudd(73Y7{L9KfGwm()`ZVWL}Q4@k_ zPGmMt3VBmuV9ja3LUoi$o#X7fz@Q1CbG=VsbGCQX`F?*-EHr$zd-Tf4w9#wW6VW@Y z9jCYz70f~fW3yzH;&&fH^|}v$nf~43m$ZMc)KmdXWO_0gEh!^hP8qbg5-kcQNFE z1??K4!L=Bwz!4seREjT8%jD<~4}vulVb#)jp?!A7m3(0W+aFAA?oqNq&S3z_^rM}- z-mm(K8ZA?waDrOx1G54u)TuvZr($m(f}C`skOW7+jU{ZLRXw_%9W1NWTy%xQ);`fE_IkdgyRbEpRz_M-b@NMY$3z2Bcr{$)4n!E!1kVZO|Odr zLl|xhUk3*QC^Cn|d{&Hl)BDLBg4hMt2Xybwxyo%27OL!S`B1}vTD2Zr<$8l;vnE`8 zT+%04+{{EBv`*Wt!`+i#j!!#3Z8}z;*NC1;TqcPQ2yk)*J^3ev#ejR~F=m-XbqkCW zYFlhuSUsQ})XXw;1B%H_DHp%0PTRDhH|a9eg2zIj$(uMD2neCz(Nlz@gtW;z0*6tE zgTuppYhD!|*+ecPK@TjQ+7RE>hA0jB$4@-8H1&LR%>C7L7u`yO-C;^_fnGP{j)JnO zAhjGF=4yaJRh%)McMDBxQDSD!hX*xH(#ptV3|72PK3`2Km$0o&M&k?WuF{YMEkrSR@ggFetHjr0TIR64H=5{V5qX5%<p5i{Vzzhm3cRGCx$T;GP_ajgD8urs^+YL8>M**V6C?r=`evuzO%1HP~e z43~30gB`RD;kT02v`dgX2*G#{T8H1$6m&wXeNjP%?-e!Rih-kg*|y|kuPdLNX|a6i zEQtBp>d|f2JssjVP9dU8aQcOy9~KXTCI$VcN0(@VUs&@)eq`G}I~D9h!jEkK#!q0T zhA|0_MlA|h2d|%WtVx+42r|g>&lLHWVg_+sReo^MCjIuNO0%gQq-oKikVN!2p3UVm z-j~T2Wa%K^498cZ4fEuF^}53joBa8&9S(U!!z)x7Vo-`v=iT$*`2{}P ziuwlojfEv14;PR{zmX{MD~iM<-`HqOJT7oC)S=rYJG|g4G3bjY>*L_ZS|2d@7B8+l zz#ys@^D#Zztnsz?PaX`LG0&cfB=N{e<+b-454oW^q=@IRC?B%swY5;Uky%y}+{WMj z#Pl^`L2dpDvBDS3cOM9r+MVoGp@o1UoJ)4DS*}A^u8O6y8Nefx75| zHUYX`2Zm<~hv;%#y1H$Y2sy~~Dm~8hEncco*ohDFZ4zYoH3ACnbrrnq2#fg;FCY99 z|2{T9H3)iF2IOl|@9R{>uM=2Cfki&J*L*edqk1Wv9?Z*L_ifloU9+r3VPEHA@8L_` z9u>6B^^?uHdSPq5-c*2cdzv11+b7~F+T*TJf(Y6893dgH?-SHe1(o^WUh$idOo~s5 zZ5ITb`5;~<;RPQnI@Cok8z7+Hx3nW47AJ zCORu}-8AOo@yIm8II)oN6)0TGHQYRyLt0u|c+-#>rz-bOr{9;tWv@0%ru zDZ~(oaQxW}&+*|O1Vb0HBtjDnZCy~3KM1dI>DDhzJ2#*2`a^yHS@{?4>vCHi=EAZOG2(*)W8m&P^T{d$K}~V_5KcK=Ncj5Eoz}L` z&<15I+ku;ifR&7rR@=MzO`GYdKKrm<`|!ah2`pc57;(ccIN6xE81Y?U3|zWMSBB7zD_+@>y909Vh+84wjJIFi4lQZRK;PgvQ5+Dl_3=fx25iRf zuv;ospI8SjQ{SQmXZCM`#H5y+&88_@dFvHdX%4%4@AZK25YY1z((vxl7c5Z;&&PUn zQ03*wf-PnPRt9z99%VsIduQir`b#|3pC3+7kB{lKD^dxVZ~q)zcN?g{o*uL5!R#L#iUGaLVcyy`Do2 zZX%Cw9w=ZD3eyI^rkR7oqzl8?~QJ=z&Q*hsX8yia?)kswav2l}h_I~p{&A@w#E zO0^d#`ngbU)=52FT*^oz8mHta*tnM40(3NOP>8c3g#xAfw5?-hx@1Y|F?Vq?^-s@n-ffvucrPM&FVgT{ zNO&(Icp`|0gQzT#BtxyezqVr+wbCVO!+S_!gw2^Y6nyLcl%l&F+`^ERi+~=Hr|H5Y zP5AhG1|&QTWBS9Hwh~91y=BA_;*t@g2%sYe9&hSivFuE9dA+aDPzELnZOA!CO4QH$tSV%Rv1UDdc@5ixM!mUhK~cb6Nsz|>7Ax~uLIoOixQoT9L* zLzMQesy|TTvvh~Ck(u$TJ404{zB?|*VpWH1w!Eq?Q5n}Mx<7|BhmT$0p}k>{RIikY z6|pb`AFIq1t2(KQR(4gD{G?e-_Jm_kd-=keRW6`fGQ_m1?5!{tiyzWdUrHf?V?Y(0 zr@nFY`5sZOFK<7wmDL>44n~GS6tixRF4qx0eny+`mC#=-be@%tYN8P2;WcvFR#Pao zA97oVuhe5F4CMs;9_&~i$Wz)HSEgK5LuXr7tUKpiwX8g^V&eq_tL_PeJIO&~nP(6p zsDZW|hU11{Qyt1)f!?L_@i;5G)8W0VN@~t1c`(Kcm!7a}BLX@FiqeRh1vC!X$^&SS zVS4XKWG5|O-u$P7&ILb=ZwfU?3HDI%ZH|?X4mK|dgz@L|Wb>lEWLoOTL&t&3V!ppr zB(N4DqP0#UJ8M~cE}v@5$yf3DVXJAb8%Q0S8kw(#K*bhQs&>kU8c~n4fEp$qhF>fa zZG02=*47XWy7I#GhKp@Sr4m^@A<9vmdge`=m?&RD26Kvb1dqi?qyZ3yPs?=8p%kw( zTIX@x3P(Y#C#}AUNQC3?)CTQo^fX9g^eQTtIme%~nNO7Cy;*a=KgdgsOP}11FfeBC z1`>rcxm)o@_Duf<(26xW&wTuxjtd*2E+6QNjUtkTI(#De-ilph02Lsq5X*lqTzq|F zjBQ)DZP~VW*|u%lwr$(CZQHi3UD##Yu6q04y!Ud>O};ymH8cN=l`;FuY8|b&K5%m}K1ty(O**Fsu= zS&FZ$6R)jrXLq2&$2c~P4$8&7yy0dm#std;o2$@O)lA<${UK&==~aL~>lp0|-4&$+r4qf; z`Eg_I))oU}DMy9DzCfiBuZ9cE15z#8e3uH5JFHm~*+`ATTj=Q4HcT+!pvgHpe+STX zRTDp;)G>B9Y|=O68%CMwK2Chb4Pv-rlmzDHKEHt+ylIm+0iZvs;Qkeoyq0C$tkU=w zkxHCjt7lTCGT68o1?#40_E)dfSdT>NL!ka`W9D!pg86ThAr4_~sEqbFafN+nA0?4!KM{_71CyiCFx%ad)&VTAE~(wN2b7p*ZS4KXp_XKYODPPbZwcBb zw&tlH9=*3dc`0BJD1iUEB&dv4|NG(p-p~Lb0St_6OlY0VX>1IfoJ}0*j7{vV?L6pI zltBRi-$j9q|KDPW|6ZI&$yuWEcd^Oe&#(WuSW!ekSVn}_#`yn#3(YhSoIgGc|6WfS zzC-HupCMp;AR7QF#qhi5(Y&jkqpaylZ{nsf)kDTwhW;Jm#2NXtK_LDfHXQ_HH>|8D z#f3MlWYdTQp04{|mBA#Y12gVmpsjyzO+}kU3jpx%zJUI>tr^%G7@7aq`~Lr}`6zVA z4$~uCeWAjeLC32GACaGtmm~PqJ7z;R*zb>z6++zINMDi=A{l0SgqeLBtD(C<_1aFW zFS!ezhLq<{AWQoT&i|1{Tqr1+=)}zQF11wbBm=o8yI&}Q(40=Tqwxy~LeSgC{e zK>z^yVF3V$|KksAWNqSV;^=7d*Ovb@<+hrQ-6ku-_qExn1@RP^J+ZI zfZ?HukQyowO%4q$BSn0&8rhWJPC_#-rGsJHFK`fgz3Zcnt`phm3pIrr73O_HAO@mN z^Bz*Ne1CfxX+UAKNVQN53CD6t4!1B&ayRC*7Q!)-X?`7mDJaKelSZ`A<;I9NcZ!4wpw{(Mtu2UbdfB#RnYOasUM$7&#N7kjX~+sjWSPj9pzL_O_c zu`#lC-Wb0=NjdPZv+NTsaoy1|^gC2Zt8tWcRVpV3Dr~oNsrpS)HyXjk>4WQ~9N_b3 zHu|xdf}M4&z3XkmG5fC|y||0UX{fq4BAee#pc}>b_mYkQnjs7+*CGi#*I)ph8QGp8 zIHFI+paJtaM~R_r5aT*~b_ZK`W4h}i520^PtL!=iu4z>{VT^zW4}sE{edo}BAl4um9`U&~JCMs=n$W9g{7snF8hbMwKcqo;>#iOf zv-aaDW|yIaFS+~L(If>YL_x)EN)arj1VgNg?EFWt)S855U>{$!1;``85;NU_!O!A? zJ}rvXDzSapDVzmf@F(0ahS-Vg^LHsb)otTSf zf2CwN3M=8Yd6OENE9e7G*(hB=#bc1f;*iChIfWj90vA@H2_OFO?qs^jBylKdnr zgZQa3rUBcq92W;B%8EiN$T|M98gNF-Pv#5Zn~sxn01YYLP9WT*MNy+Zk%%H@fJWFT zs~h`X>A5(M6+STHBX&9@Ua#AxP$-&~#Wn>m2n~F26~VwC6al6;gmiHhTL3dl(~aXE zo~7m&fb*gQNLVyfEv2fkB4a`Q$TlIr@${)BXKgyErX%U2s+&f;%;V@~+8v12c`FgX zksm6Q`O_e>Gs=A0N)PA_43;`Z9Rq`2se2>y&bsL5OWD=}W02qJ_kEJr*f}(8gPL!E zcw0vSg~lU%#CN@z!dG6(Q?RMSa<<#AhwHVW1MF!Yd*95>KkhPmUXk@9>Z*wTfC$ORXVpLrCgMI&3 zEQAJGJhp`6A!v9?@awN+#s-qbj$7lIMoSVFb~g^88W^>^x;Eqsd`PjU*71VczWdt4 zdFLJe-(dAC%LR1+7yv*J=6{2HBRg9s7wdoGRE_GU?Ex!-&zjowm!o?^Rr zCNvWBHiibcdOkUfCf10svEq?PY}QQQO?;!tM5<1^PG9&T%v?5RZbtC~ZKI}$5iKDK z=&1yP^DY=F&{{wLSmX&S$NGP#IC)ebgf*G zIcpYf8r+z+=ytx4s4f5APAb)M{3LY}lUq`u6UhilNI)RP>?r2BlHcC`_tME&*TU}J z`TH~UW50Abb^+FCNGYyhE&UN)JQEWjEn2cFn_cM8!0G4xeE==psVWRN21&AGLcg|V z%j0}GlyWYB6q0Q_3iZ^n*eoQ7;l3?FhhoiiaE568-q(#HWVIoS#k1MMmcmc$AEC*PCDT(Ll-spV(0k~$|q05o$h|BX99}6+UvK5-Q z(GSUHr+E$9^gj|dsUyhu5R#fj_Z{$Ew^$$mMeW@?@bI#NePs9>pX#RC`{?KG-L^ezUu1GSF0W8VAjUyD=-XN@wx&jJfnd zQXIsxp|ZXk2HXV{Q~WFvS(L;~a(i;8UqbD$QV@P$`+wBpp$+Df1lCdNmtxblFe<9V z-B6zE6CW~@p-q{VV0qLl5ZDW3CUFI3pteTsgVgF-N-B9a8Y`o@khGrGuD8$<%i{R! z)YdeXgFX8|)b=#hJDJhL(EYTZ;mO~fC(GNsMhJb|yg!sHG4}SapCLw9UsH=I#+PxB zB%B1qfnNt(0>0}^4pdegG(A7PSqi(9QQUugYm8CaTGXZ4<@wAlf%9SBYiodV%T`Xe zDX?-VY+CPL-(5V~Q^3(Hf^Ri73+EyHn$vG=k>=PX<_zAsVm#<0nR-L}2$%q-nO6^V z?m;T2-NJZ&HHVsT*r^V@unD9TUdDWHnTK z0VVWU7_@d&?{m=s=$U=M91Q;pABP)Gs4PDdKns7H*%p*&NVYnKc$MG_$8IRPmuvuO zTH^(vh>zq-y|(;=aq|mH!Q@ZGW~q_oL}~2y`eyB}Uy?#i$6km37Uz2%YavVMASEU{W@P&^J|~QTC?hqt-+68z8X@+gXs>Sr%V9LYmMCb z(JSn~VF0y3Bi{ONfD4TGzs4-~2DT>FdM*a`7XQS89t|(2O;)5Iy*xu9ij>3f!mBN- zLvp3OgVtQ9Z0T(2%?2D;VL_x(lmQ}fuFm0|FV{Q#inJ?juCxqh!uoZc%kSp^n+FZ~ za_aPO;@t_Fa*ra&zT4;^`S>}Ga(ZM7xQ^iPvIgz*k$5vt3yLV1!DJHdP{9aeQ`ecn zyN@Pb#*gCmKzUj;>Ii%^$gseYLipW}kbTT?W^_gZ2gnn|IDXPQq+ygsLcmh|Bt|mc zU+%ib5rIDKSq~t}h@sjPTLV4F8PX%w{53n-y?lNzAFqdBcOz$SudhpEZU<^#zCSIf zMdDVu^%BzprtuCbW`xrLs2$q%+QH-0`yB8svW}K?J-d*9(oC3glT;WrrjKtS=^${G znG-n3b6?`!CnGT=NV!wp`sIIh8!q1vs{N9si~aHNeFp=ZpKS_kGl;~Zj@NyaJj4NN zM|MDIqz;TPu_iQ3po`-#lxX5Am`63=O~>93iFVg(>T!R0em$6=L)Gdgh?4Ntaf5V@ zPB!BZR=kKthdU|Z8&M9XZj+v)m7V45;Seb$JLJ&2OEzhj!c*oz!my1JRI#29QW`iI zw`c#lI>Vv;w&J^c`HbRnyhy+?NoIJf&-ho^<@K# z;KpcnKG@yH*4iG-Iv@{W$~csqd6_TDTUYwso|VLW2$!jJsy%faqNH+n9F7NllGqF) z2lQs3rhl`adrpZ30_f4I;dJLNV*iwc#1wK)`IiuWKg&*aK2LER;@(`zq(UM=U@d^&ZmEgLHqNdSd6uGprU!hSXA;yDf-sl;zR|mH z%-vynRs+iV5-@#nGU4~b_2{n9hj#oJ`lSA}KdRLQSjm8(3lc_CXlyk~2Z+=E0R^4> zdjzchUf|0L4yj0O5UUB45>$cXfGxZBtOrisw1+#eQ);P{F$X~1(^Ga_+<`a!W49L# zI2}EOY00tpzOUz#PIuU!K|i%sm%%dF_lC})X-+K-8oElhDY_ac(`hsM(Q%b@iiviy zSz@|2PNOZ%%^J0m zkWOKN{B=S8)+<$B4(96S0@Y}*a*p}V=g@{NR9`n?5Z{F-{qT|7PFtR8Ik0l~m$OuW zHD#H8^=L8}f*^9Nr5aeIM*>Po##n?<^IUe-_i(h!pD_QH31|K^?Sn>%m7W(>XO~{y zqKygkRz`(Y5_H9d8v)Bi)>IWs>~i@GESOG*d}bDR{EQCeV+{|MVe@HoTo`>exdRn8 zbl9>6!?sTWrWS4 z&T-2+BJ#*guGO2;K6cw^A)ScKp|rp~D+>~bF`*|Kj47RNF>r$zPQ%Gaf-uKh^{c6i!LkUTT@MYsnv)tGI&FBmxwa`X zLuF2{0GhFRCy)KwQ8h9YW3I*p7nekv)8taMw!)IS4(uaH2K0&@R#c_bUvSbYlsCMU zdZH!7+yoGc$FUL2KGXtPr_)NnODvz12vvujT4+(@ztsXNKH7@~x>uvI5xHCOy(?Wg zjdMH^k2B!lPZ}+uuf6cRfh~!=A2XqN(`NYTAh^5Mt7x8q>bhd|Bo-pWjdBIL)%yijd|VrQIVGMD0(m{%1v2UqX6eY|fG?CS1(Ozk(}?LTGv9&5y^ zJ){nNcMr|oRG!2^w34n{OK2c|s%Wn6u3DS3b_}LA$D+^Fzki}J4Red9E*4EqaS`;5 zqtZul2wXmoeNE%4_IzvPNvPJeXY8AErL3=A(+_Du_;jOar3&LXz`G*mMH4GQF6$UN z;y2;f29fHfFatwR!Ab`&&SS_FJ@@vM%B>fSIEn^CY~+9aSy&!VWj7;f2F)pxBN}ai zRM(%P`em@I#gf%^^b|euw*ZVXnCz ztW2E&|PkTq6Q*v^(cy6A1JnC8n7HK?)JIP0%dGcF!$-h~= zfTCd@;A3Jd=i|E@ zz)#Y>uE#w0HMb#s`<=AH=(aeNwFNc~yI&CUh3a8cdTa4)3_R9eG=*E>60HO8{9->* zLTAa(&&w9f2TPY14ap;jB*c>}A$l7?4HfxC_X#1)=gyoehab!S{bF^P+B!XF13Lh(oNrw=4BSW2u%3k}{B6&9aIqsITtrOJ^=;T! zzNh@JmE4HC7@Pwoy5kAzJU317?cLk)7K-Dadu@wMD`LwOE#)n)z1;ioSj6$mcb-6>kU-)y6-ev8p^BWVRExG7SiTlPN?Al-~Ww)|M04n_`Nr0L(R62VF$A$$96>?MEE*k~8`Z4Gd0C zniV-YoBQ*7ubpiJjQ656J$(1K68fWJo}1ZNvA23vK#I#?1F085msnXz6J)qucAx0~ z4qFqeX4u9d000&U{ja>=gZ-rqs#`|~wXti3 zfqvxJl`V}EEfG}%+SufTq`%4Q%~~S0maFvswDi?ofVgVk%Jz9GtL|Hq^lKaSlLe=k z#@3lN4m@9O?hh7D-mjitx*%dFW@r=)j^61J+3qjaz5$5S4U19)pA2+W^M-_fW7Y2+bwT7z4D%eMG6PJ>Iy0nuJZ2?8z zp92+et0Jv-3(nMZ%UTd_LVkoK;tYa~e3kDNX^IINSRWtU#w?IXq#lI=uY9Qw&vi*l z!6Tdn%Uk3xT3u9~7~-_C8d+6iGz08kg1$msz#bZWt3e4nh13|TCJxCA{NB%)L2%$; zZZ#EqyxSUGcFKeW%_)M{1pNadmiIxyo-&nFLKJ)JGP>9R8tk7DY++0-_N!D|97S6X zPKt)l8zUR{6jKLOE&OUwJ1^%GNt?32%6B9Ji(DD@Sg`{`*Ya`2l(rCDFGB2! zv!j(^j@VsfW;Q1J8OE>55i)^@$^~CFixJFMAY2B04ah=AmmrQ%TSqK!{$$Sd%GaT$ zu;%FvDn6#r9Fi)WL{#7Bjlh?FT|SCoU7lo`ZFBXfdY zA|42YlrV`$JLnVBk*6d9Fd)D8WWTmeQ=SMSf}#T&#WEgTP$tvV`76oH-_>FnZ-9oe z0#qlFmRdYPPRpOxG=XK+_4MMU1uU-oBL&Q`=EBo(6Ds!9E0Z9t5 z8X3k{te|S5am~?kv@jZLMGmtb>&Yx4EjU873Md3|6)Lr_k^+7bgGzX5 z9d)FzNRGJdpA}J=EmHHC*S7eV5qDNVrvhy2Q%Gf#ElR)T9dSr6ot!t~lY|3&r^-aVQ+<=x~Jcx`bFcdL7{)9(KkR$qfp6B53 z@fmGDw>PUe%_sBB;ycw(Fc%)Y%g#59IQFgDK}ix@z)F zZ2}+A`3=xc*7lqI5sRz9EZP@G(Ci|ujk>q+)pZyNGO2e@6&XZpRPx%;`kevE>4k`# z81$U?%30xs^olda9zBQ+uaZtcdWhT~)}J9m;!vc1U1ig6m$k*pn&`F6QIb6!Aww9K z4X)a5Q9hc9ek<#q796EYc)Apj5#YFgDK~q>nt1KSTm~5hJX&1L5RFJ~$YqrfY!3?T$B$U@o(n>+Zneq6d9O;qeiW_c#hEn(~&5RcOA;UB5$i`DK1 zK}s=Td!})Vnu?skCnqT0bcwv({ND^I1Q98YMF>FpCt!LLV}_mis532vC8{0p>2yz< z=uX&s{A?y~by3|3yU4-BH_2f&F+6PPK%i>c{gS#{y&HxO@8z~b_`ei{9F>g9yTWAv z*ajwo896?S_k?$r`UhLF*P(>L@sQs%n%y}w^Ru@oja(P!7)^ZkAp8- z&GU#Ok@mtaeyyx5uBLLmjOMR??~`aIfhB4p=lkg!)oig%bu~Vx&&rsbVTQEZF`N^1 zcj2f1?w-P2F4jGo$_4oFV){uPR-|CHdG9@D1~a|opnW%ja3v@0`5L5{PP@p)C?>u^G!a}p!c3Z z38`u_cX3=qfI@8Q^v-&8;zW53n)H|+!IV4r^Zh6FPXwrd%H=9F-SSu38cPo)d!pMD zdr261wk)!!;Dr0R6Jf<8Bcz6YAa){Ez;MW^V_I$SFuJK$j%`Z}sq!ceC0?ee5*$<^ zd2+#ZQVJLn^Xc-mos%}CC>h`^XG-9irp)Gt}?;125@JFM52M(L}sRGD^kTVN4rcc$nl`L z2Fz4cl=dz|urO&TD=}C7kk+=0uyes8!8g2X@6!;kc3Q1Yzs3AcIa4qfQ-1p%)sKO~ z4sFXmj;s)W=0JP7uoyB&P}0u_J9}+oal{l^WF!y_FO~#9XF*Wl2#Lqx=rI&u0o^0f zf4_it#k}ZGLOdj*Gh;AIbs?EFRrvl2#0`%4%?3{A_mm+s2J|ehBA>bV(i5aJ4Engy z=w9ek5ov*R-_;raR<*%$J84J~2ZgMRNB4|66*F=CG6f|()HC!0@b74dxf*Ea?Js+K z_?N=P|Bu9@v7M`lk)88D!yy}mDam1alQ<$Sc@Cfq0@qz`w3T;V%DjA)$Y{5WN3rKNEKg8|HsnuSE6#QML{Wfrh|XU002Cc#Qor z+RWxi;1-cKf7=;LWf=@KP{b!KR1f=Z#Lq)glbHp+29Wfw_nh43a9jG=C|WY9MR*6i zp*>l!uKa{U@R{l7wIc@o6XNv~CcJjbw-EXwW)RJlwUmt*70e}5tlWXIjUWG#4dqW( z@unf?vgRPllAS$e4^%VCvB3D?iT?Nw-*1_)@JY=emzKZN)i#ScRxa8}*(B4KjuzC$|1G)*z}7Ge{) zsGbR4kJMgyfxFc?wrRSM(HNgV5tw(dC)-<*2o2rxq-@(Q{O`43{p;KHAnC3u$ zhJ}EZ!xr-SGv+Lz2^J^|IS)FHmjKqrV@8%vBPsud?5n52fHr3FkRtqh<-`{1YY|_o zBw%W}e23Wi#`Uqzfcwu;6=NK+S!raN*Q7s|UAzk&sK+SR$@rPi+-W{UWeDo9@ih~{ zm{*FF_De;}q1_~_vpw0m@q+{5xwCxJz1ch5b+Oq>8OD$t4?g(-Wnth#?(nj_hsSE{ zpK;yXAJWii4}FBMZ1(1B_YsS2S-9(XIHe$KY+In;fR73(u+Y4$?G%iP#e5@23!xh+ z?c4KCTY*notx52Bg|*dagQXp~Puq~_T)xc&mky`4HK6-Ur?VxcHd3@HCb`|AghHY* zYy--N5I)^tWbx5o2Bi&7qZtLJao92^Ns$pCr$8OzprrGBep8GKxpQjcYX@R-RgCgH z=k(h=xTJIEq3-RL5N)f()&un>p@8tIJB37g`5O>5XRhY%SM`-D4aVL&Xf4#T=;%#N zQ?Fl_hf8Tyua>S449hEtHB>yWaL<2!Un>@6J>Y{pfpwp9V!OD8w4*a3p7|g=QNUEv zteP7ec+Qh9HC&Y@bK6b<6dJkdm!WpdWT;%RM>k!J1;lMT zLOU!__1+h%uqD3wU|6Ha;L%ltP@jH`cN}iig;+;?uTM!92~BQyNYqW?aAW!zEjN>c z;MVS~D0Nw)b5=N#yhnedShb4$5F7}uFkyh4RRk#EEGyCXJTC-1u`NffdnAeZ>yFN2 zhu~Cs_h5pO>msSNQ)N_X_Q|a4QT{fAa22oZ(fs77xbEEc=4LU#;EDbQ|2N>;AlO-g zfdK$8Aprmo{71krb+mByG_-U7CuWSO+bC_aBYe-+se@3=4>4Hmou)`}p)3w+Yo>!- z*SbA2M$(XBSx==H>q5QVv?c0=D}|-O_dLL?uS!;#sm0}{G&P@=N_Gn2by4>Mu;{9* zbLuAos__eWB$8n@1LTnuw1dS-d`KFte|-^k-{9tcw!F$}2cT4#HbxYYELB9KTJsN+ z|4}*jkgjk+@SHv*QG-cO9(>-u!EuY@g|E(X6Z3U!!rYFYFTkTh}auW9=DgR1I}&i3fl;7X(xac`Uk^{ zdYzqNTA)?4%F4b8fc};d+@^7h@EMn9Zz}3?qcpeslbE7&KO?^zZ4c+2sd&v=}FFdb>RCN~Z=rypxW#8Gsjzrvc|Z zB8cK}{)H%{VhOOxkUMrmPNU5r{+k<)n0vrH%;9Vj7FA;@8LAF5>DWeFecQ$&)Ca|h zV|EIlatFn9sQqu)*|v}4Ksu%1>2Y=vi4I1r5ZaD*ILKOR$*MUZyrvFBR;EQ+#MMS; z-cqFZo^&VzU!>B(rzD1qk#0VbcA3279Njjw;B5$>L!RAEDYT0U9?Q0&p<%yx#g{G* zlnT56)9=!HhHL07YP;!fCoRy5h~$s?8#kMtJ;0ZGgxaBa4;0Ms_Ysydf=cvSL09T= zCR^~@Af*0*NE_y?Tq|=2w*Escc6~g(ofr$wRKl|5;o!?wnE*msm zdmcCt_&N-NW~IK^YDa~e%*mh#7s42g?!)!YHCQ|Yw|18MdF=%lckcP^J1|O;yJ#qe zju_SCFL}ogdM{97cG_+vc0W(kJyy27dZJTU6Bt}|_}c{7N-V7TNE1f502btB1>pf| zLB4|L_UKf64E9ZwMlOH3Iwaxi4Dl13cw*xlaMbV{!I#z3 zkOP(LxXi`tOXIJr(d+3Qxv2L$wGIi;Q->MGlmo~mXUb{VW}Ux_UG91AKEgg!CbL2l zFHwDZD?lQ8d;70wu&k(U@S6}beJkMx|-o+0tu1emFK*z-B*4^zgFCJ zAhLXp3LF>}+4)cp=+`ZAQMhx^6K3uYo++AlN!O7N$#}%*87di8^rPQJhBj2lHAi(w%IMa_UWgz|f(m16*;=pO*BrC^FC_df4dqNS zb7%#o>PT1aOyohdqRyS=6;q|O<#pBF^yW%O?F3GpH3PwP6pa>pV7uy?Ecn60XtafY z@Xa=B$1^4g`XQPe8b_IbX&0Lvhf9YauI$OECy&baO-;H8?g7grE-=8HJ%W;Bx+15+ zjENj?YFHmAWc%fru`BCSG9!Gq9qrT<7~|x~7{F#HDb-6wW^Bopw+|Vv8jHem65ORU zx|_d33%tg9OAgB-SH5hUVL;yIPD8#K?5`GOt-MgPf<{>N{3o32I4sS7>NIhGOrM^S zlRJ@`0h|sP#RPgz>FTI0WS7>AhP)VCWxJXf|7Qkttx!{{rv2E55tjxUwNlT=(&=cL zOgEkS6Z+rYBxdNRj}sICp!%;jA^eZt#LURf(L~S4*!G|9q~-s*lU%(97yU$gVldB_ z0*bR_A_{u300R0PykqXcROGbbdkI!%l<$w4LpBa#f`AV1hUUduyer-=tFrgmXizr0 z&;H^8+;D>u#So!MidUdQ0?<8szG!^I-9`IhQpr>KT4C@RpHQurE;4-bz6V^WCj*p_ zLYqur@H9<0>@3*ukY6y#rj-uTwjh5;eWGqkoOVqk)(Flx1c^c~WG|5)2l&&p|5^kP zzGPR1&>m>9+lnJZ`GZf(X__lWR-YAZ|LQ?c`Yn$25$rX$pOtXqKP8W0Jvh7i44$kT zN*htmJb#oNE!RWTJxuE`=6m})1?hONMN{?`@)ID%^-odQ>0EpPcxO-3!P3q1!1tNQ zoG96P+Si}Ai9c()X50}A1b~=JZ&`EC?_YLhCpud=NCelIZVS%uK`^!G;IfBI-F_~s z@GObY12j4A-{cW8jQHn!BSi^J!?-Dt_cbxTElKLD*tbB)`ipPst?(te6Ml{%1@01&AQm@n#sC9>dILT__gk&TZaQrmK zO(2p1wl#PTZ~e{H{W!~5i^Y#q)<*ZF zP1A=PSeHnau+9xcPjQa$kv{OX`EUM(9nnm???uw}0BsjgW6Rf->YF0BOqQuGx6YFs z7-mG0AS2cWfZgaS1C{kOiq`YCO&w~2K@TXpoyI-pzNmH)^e^kliIWLS-quV^h$Gq<~PQqo4Ha@a!XlJD_Vw*$g^Ri9i-Q6^;CvQfpDl?H7^85ejCSha)DX z30r2+d?~Q3P!_7BQhy>lsir0OjH}*}%NLXc?O6|ZAyHd2MME#n5Hxn@eF7J(Y`8+2 zu(3#R#p>B9ECe*RVn@0Rk?^rm496}toSJZjMK4~dsj#Kh(ph5x2WIWw9fRJyi>Y!7 zGFrgcz6sUP=Xv8vC&Ikf=}X)ScI(ZAVcxBRFMmGrvRm-oX6L5nueQ~`p?3qXFDtK} zJZ%j-gSjNgbE`>dp(kpXbzcY3P9{Hv>DFwAAGoxi!X)Rh8XTI1A>Ea~CtgWKG&{;^ za!4%&&7alX2!+7XfZMam(Ab#RYGopN;MaDgGoGcD$ab62F&%+WFL?YtMw@f`hiT9Q znrVtdt!gjp{Agq{!A}X2yWqtRj&EZ=FuIBG(}bb>f_f@cks?AR`GkItW5yV9mU2BA zWiHLe?|ds*N(9$PeaQ@^;1iTj<#Z8I!LX!ri~k?}UFjrT^TUZ)V|aZD9CM{4G)0 zQQD-3@txBnkhTNw3c4-244{F>eN<;-WnaBAX`3pES@djoFy#t~z3Y>6T_mQVxxn>^ zFpTUOUG(I5bOsaSi`tM7NiSM z#+nyj7)wVA9f!nMVn1SBGX&$zL_&}wNKFba`w+??jkga#sNjGDbb&}iz>-jJ8QkGe z!_bN%q-Z~VqT{+5`d%r!PV?VJ|K(NK*W2;F&T|pg^RT;nd)n@EKfM2W?o=j*kff3F zJJ{pTI0Gu0@b%?j5I6!HbdrAyTtXl*6p&-my$O&Y?l5TX6 zw=w~c)l6D-1&McA;m=?%>=BAq2@)eK6ec8UGzaPSg*h$vZ2EHX98nY56a zRxG!gN|nyq$#utiReE`qnGq)=iQnFQF!$fk0qbpKco{KBCBjZr0roymsD`Y{yf`L; zvg(T?5o#D6S()X^urLcz>FJ~sSUK3d$lN>BrLN6&P&)zvl0($JZQY}*B@CC4%Gze` zMsqhH+G3K~)MH-rZ&|}&*}b-5iUZx39cKMW=EkdRXWPlf3Cc<O8Nw6L!(6AjB&-hWBfFLaQ12f^XnoR1E>F~ zjrX(UH)}X^uLW?{;h??1k;1$PDzQq;Xf}7AGZ^lzP|1$(jAj(xWx{}}KDbHC68SWtEC)M);#l(8fIm$*SC&<1$eb;|51y|(Tll;5h)-8(=X~@~rc!Q^Jem9^L^{5UlKZ$t)M?hj$jYrX!bFO)HD*;b zM5;q(d?u3G+OOF<+Awsx@fggQH%Ezw;N(P-;$20JA9K25q(9xH`ks=Ge~v&sav6~* z6dF$cXyKA9GRQEU zM$06Ceh@TfP0xVO1Mp#gOH*{h)-U78R{?d@b97+BUo^PpnPU3y$0p>)qp(;=&X*3g z1Hhpro2H7wgoI%U1;g`S(#qh+JHApeqr?3`>;kw05$6*K%&|*p)Z)iObILR+mq@G9 z&P(N{ctkG<7$5``_Yn4A<0v}qH1fwuTmcO$ zpY(qd9Cl`#T4+ZkALd`dPtz~R@iwKf!q)!bmPhV3NgaXCKV4VPO2_c@74CI~$QU-| zEiOzF?*k@s_ps27$L{WFv_r}DW1K_Pdwt|Q?`IpYKoC@sA54RVG)n>+S;AI&t$1QleNg0{3e|k5sxtWgo9g7ZD#^cBvR9&tOLmd8%voD#tTe#ZAVh{`?E|JC?45yfRr>$2B#GeIVrGmL_dst zUPUmKL3XKXV;cJDH+SXlhUwGq9i3)5wZ7vF4NGmlNfU~6F#s=r8%b4CnO-Rx==Spc zR+riolWG93lH>m1buZsRf)GMs7NP^30c8qDMEeKegZS?KX=d<&+!p-8xGWOnHipxD$CWEG>8p$l;EBkh$ z4FftQyB2jSgvPik*gV&hj0T^rOY*!@=c=F?*H0AiHMU0{9BWc**LoF;q+(n+S79z| zlk-nBEl|N{hx)yxYgVS#xFFo4rDR)|dWw?V{asIn*07+N;2F49N}I&yp@CTQuo~&K zO~WewabCFAZO5w3>2+Q>*JL@R&Xob9Z4sums<&1sl+LhNq{t+7`pR46mKfq^Lw^9X zlPd``{zBBG7(tR5vut5IShk^Goz$08>B`g$t09kxLUiCfS;mJ5!k@FMm{TY6>j7KJ z8T&z|^gJ4S4*t0+Y{o1l2HZBimi7pk5&9@oK!GMGV|`hy`LkuCBellPo{>J;w($d@ zks~XV2qYV=LFHrn!ioxwr6LhNvw8hRZZKo{COzUp&^7Y2Abn*p^iW%}-d z34bTR*;87-23@6?`B@1dP7Z>qW`Ik4GC;!IsiXM<>^z#mAJI50Ral#mBNSaLUj%^U_1TbyO(l8JB`78 zt6P09gGTdXErUcbW1wpq76w|nJ4J1s?35Q`?f(W3uR@P0UmW=mhqyJKMh?dmvW{{b zUzVT{#8yc#0{}H(s;W!*l<@sb2tV53SHIAr5RmnlyZNjjlW-c52p}{6qsJc*d3f3D z+IuJ=#Kw-!Jae=1NrJQL%KN#Z$zjAyW>Roh1NWv*EN*u&TgmzG=4wS+R~bca zq*uU>6Y1gaInnYK+!K#DEXG|r#n)Lsol}aHwYjU$9){|MluqU9 zYQ@qH?nVx;-j1?p!zjfjFB7=Ceeal1BC~_8x?B|{JDDd~*`7a5dYU_6u&;Iz4zAE}TT-YuXWx*Us z2SxX@QtRH9qV0%BkBYwo9IJ`hs@Ol6N8Ti3hDp0uQe4AVf+FSQAxZ3hl&c2jH=DK+1jqc@og;|?LeI&XlB+^|AN3e!j&>(Isf8rCM?^^!-d-yB!+D!1c_Rf#jU_s?thnR| zOXj{=aHB}7JYB#wV?fjZG;X8czBx{Xw|sO3!(DNOCiuZpJ~OKN^NfK-QFER0j((<0 z->na%w4L)PTR%~#R9+lAbA^d6Wog@U*V5%*3Vvy+*xstso&UyN|9d#l#E`DRRbX=4 zMWvhoi{%2};+7>N|C=T_8e4NwPJ7u=)=8Emll!9JGN}lS*5W%yI}r7?82dapV5m3U z2deD?3=&E>k)w%tr`KjbkeE)(!F-D)0VXqNz_dBUxER#}d>AZm?wj`gvs6C_PDqLp zuEer(m8K%et$SH!6;1v0>V;K)ktD+tWJSU`eW#PAnIm%Z#KvaLLQ&nhFQ^7|yjum& z?qXBcDVJ5Gg8PL9%3p$0OXiW~zLlgI#Mb5$I|EuZ{u;e+n$39D1Bo=rbeKJ9ZT^54 zjA7{7yftdHg@cBFu<8b914X2X?N)p+ld)U~;xdK9ZdtFF4n`@0RzE8Q>$_73y{5mo zO(1k>jgVcwsiOEecD(;LlP-{J0gxRULJmuaHH8jc(RQQu(a~#2b){1BY$j)Ecl}ZC zHGckDQ?Gs2s+%hj_N2}wiB19Dq!YDPW;8J4G;G@B`Zdfn2bv6ms*XhFsjkqPjwhv; zd_9)ZS68JKn)2@&t9d2`U8$XYE~KTF$HK|EvUh8tdJ;Tnou-O)UkS?mfa(7 zg)ia*L~YbIVivtB4^j|A+ysO-l|4bf9RO&p1j2he4n>#qF}AIm zV0UzjN-Dmovel2oW1sr%@8fMHyqi^Y$X7K?N7AY0@m-11sIF!_b3|zaoNVZ1lH95u zN6Cqcbb3Zl_xZ`7eH{>Gw#{{x=&q@HFk*ENSXOmV`>I#Xcrl@WZ(M%k@|h(r9!9_k zy>^-81NiT>d(MTMH~6n&S`-=p0QWyuKCSF*&Hj~5sQ%^9ME^@F-N2DGAk8pp!I+fE zsbq;HjtqgU{|<;Tr@^VgmU@%ig*;O5`SQ1`zg1X#vUtVc#qQ(sf~V@a$=5)}k5Wai z9J}743ibvmJlKIT0nrV}-4rA)4d1rJ1+6%!&p1^eVXV1IrS)+vpbF#Iume_-%f2&Q zvBET8hZ5#+>o&xGaJ}x%h^BhO8PE^(#vzJ(iQ5-I4p`A3#0%z2n5a~WV;{ejKbV9V zlu(o+4GR9#qS#4rz!@@3kSt;W2|W1q!dmoZ$M*3`nW_Q#Y~(_(t+`7w5=8ZQUwIOhFSkNj>6qTk8}i- zSzlT+oH4pVchE>Fy01j#2r$>(1q#%sd@Il!1vYULT(tyzz>I#9$6kPo?jLtY_Kw%b zfPp8xQAP4Ck$!dQD9n1xG(j1S_0T~iUuq;>V>rc=dxO5bvv9MDR@+xgx3v!-`H0wc zHh7Z870t8C!T?qkA=RCc^;a5iwpE{zc`(>aF7E1w(Q`_7UndqLW62MMznq%2A_`-u zbmjkH?H!v$>$auAUAAr8cGWK1wr$(CZSAscdzWq7c2(E8H~Q`SoQ`|?OaFouF=MVA zW9Ar{*%nsUO+gDU)i1dCRXU&jH>hH$Ru`({vS!n-N57y^{YJ_M!BUYa%UuWN3lg-F}Q71bR9YIpX5=Ml%YP#Gy66D^2sba;f|q z5l#Nx9JQof`68&p(QRjPwEjA(*tN~PX^j|)Qm zyx{(rnf;w~ShxjcmM$dXeHHPd1@>6u`N9M;Un{PSYjMLW$h)C%UM5`|wo(|XvVl_q zM-J1IKbA3mP9_4IJ6e+<+$31&loNX|qzbWnx_gUoPrp&5TaHu0egB#*KRrt#qPruC zK)8;$1c>)&n>&@MBQ&euE3TTWHBoWPF;$8W+gOfAsy4+@IVw03L~B_l=M{dpKMDD+ zKm&g9W?Kq++0HK0cTXKoZ#K{_`aZ+xHpet-YA5)E=lgckOuBMz=6W9(rk)Q`9UjlIT!r>FH7gpC2He%*mYkJ?Q0kafaRh3Y14Q$$;)=weggdy$Anv1 z|8D#cBb7hI$o~%iR_3N=PEK}4|G+X0YsYnV*#BZi7}rfmn=@TJUDvr>N2EKK|F(<& zk>T6Wa^e0LH9{K>>0sm5d>_+S2D_`lzFN_;3HzNn|(s5^)ZR!_0x z#MK7dh#hs{G5=JOr3g77)^YDrA=V2F-?JAbKzw8kMiwWzFL3y!FH3^XCj@PetOjh% z68>obJ`u=>#~`{OI1VO4=w;+WpwU{K-DP z8pEvCva*2SjtA$$aB;vdSdFa5mB?Unb%6UZkW^@zyW%J)ISiII?rg2T0J9u&XO6bx zp-a}}E$?=AET9v{t%VaQAYJudLB8@7#T{U^JYo={5p8VJ2F6H46P(|L;9mpC;a?XOku&!K-Hj-G|0iIHU~f zlPJaoHuKR7ngTjZsEo6>dVT(OMo$$-r1dW_6tpQ9JbguYT_Z5Uv;d7ul>vN&&DuFE z_ThKAc^dDOcl#3NQ;pi4KhFc&#vc+OR<484Wi>85T|If;ExCQvP_f7jaG#gv_^@zh z#c=vbOzO%EIMFSc+dV5)TB%Mv#XcHU^67gFATT{FsK>u$f%>qoEyWEAeG7}AW(ksw zX0Q-3`}8z+03R4>r=PJ{yr)G56tD5^0N*1^|&F~(8bA0iuW6nBq)VsI(^a%j+ zDk{@YL3|zSq8xEE3K4q?>muVtv@##%f^(M-0{D@~5D)wWL-Utj;~KeD>OIXOZNuqY z<)m3oR@X)~hxJV%?#9Gn%0pR33#aDwx~zkX_xaDC>@kdLidDr5xqfIR*)(C)&S%Dy zPG(AHYAJ)oT?+Q>&`jc8epEHJw78s@rA@cm@Pf=b>c;%yI z%S`r6N5szgi^g9kOSOH50`+3+=yx)p(ge)D0r7%yw_uti)SAEf!2=A-Do`?dAIyS7 zp)6E3(-xCLK9fKy`uOum0+gYlz_aDizw+0^ICC-48WLttDV_q$7eR?6P*o~^SCa3; z2H-*w@jo7yi&ePkId+4^_B+Upw`)uzqF=W^4Yi_bqJ5gJqds(TX$%a+0BgJemI$cR zugF(DwW#8DGiw~Ldqmob`dpiaBtQOb(2x@=Uean@$jmZ^c|kaX{cGYP`E%3dtKy z5tildU3DOPcRyVuwha35)hl*;HxA}=467)fB`)K@9q0H32&qJD_}nx=DSFn?*PdtY zQ*xx~tG4=j!)ACGG#i!FR$sz$_)M*2|3jD%JTn~NX7~%5W$D$791|~|o9Uj%-mH8g zuKsyXvy2qvJw%wx>}4vS(jMQ;nXCvflw?&!loQnz*?F$l`P^6K(qV3^EsI{>Gr_C4 zvR#flrZhKm|D4}dxo<{qO%J0oY9oa4FMi~BuGF=N-N99H2XIkSe~!02&&(N=Qh%LQ z#grAs5e;6oK`VQI>#@;*Tvaw*`@7(lebgO3vNa!0s9wX}*$1GuWy6l^b2i_{N48F& z$Y(s#$7#2qFYKZ#5k6qJcWLbMv~pyi37cpQ>6IIcCJ|?do&; zXCi+AfzX{8u15C*Qkm#j@4Y%5IkB4KN|9s7Od88b%RGoK7Bma&fKgIKjWSdUyb4JT zbU`6z42o2Z^qk#=8#yggjThe}-a=E&fnbrpuXCsD&0u-6RGbxKI0F>J-&(EpK$@mI z9zGi35#Vo4%muaYEBoqXKbxf=3lj4+k&}6u4UQSig-N@J!7O+|hVaH!cyiuRo{Y6@lTq-SAB>|=SXvYF0HC_NZAfZ>y$gG+D_Yv zmToy_^bFe)QG4K^Ca>o$czkRgJn=~m?BbHYs*Z)>o!%@x=AV>|6ifELNF--Ers5&M zwMA%FL?XWpw~!8qtUVp;t*PGljF`R_-9Qant4G_|?)bg4m~y@tQ;>lPO8Ui3@oQi% z8qPq4GqvrZTf*WuUL4&HNi(nBYR+J)^i8tzPK7_~n~0#;~67hUSXm<4hTunC~L z*$`*jUZX4dNj^uyG{?-xN(EyLxZ}JW7Q2Y1+haqT{*vw8GU)6Vky|Bp9X4@!zlqi9 z1@A7`NomFI>QO@1v=#gEHZiP3GG#?H;$41A-LzfU7EW73lAh2v1|7&%3_ENlP`Zbf zSu`~F3Rw5B$lTTu2xxYPHpvQ6QV?W^~h?*tp!)PuN#o`Xb^Hhk&bP+?^VP=&( z4@lf8I-MsQ&+HBqJ6J=}#TnGAlYT4md59^q~;A1z{8R$ zL3tGhoyBuZqK8I#V*)U%t~i=B_sF|_DSld6RyYBrcvS%ln8C9T)nV>! z%2uDhF=R4_de+T7QC~d9jz1vfSQceH-B)Qi3+%IqG8BKtqO@83rydNVVs^2os{KeO zd9xjq1?jNqfu@>hR$G#;^uwzhmJKpxukH6^2cm^99I?6&G*z6W4sFWSGfr;4Ji#qs z0v%FZ&y4%qGSfm}oaJitT3qJjq-mcigk+OiBXb(}Ef?8zTEl;QFBKYL_q4u7BcA9{og z>^}_;t@X{V3~gQiXNw%IY%RM^5C4^;YY&407|vRoN|()979b-<2}tnAd`-?MLDG_@ ziD{jJe$aRON6*|yTly>;Z>g7uGz0}CA`l@= zi$}nJI7qVZPIw)9P&JbzVa6Up!l>b#PF(tkAlC5Pd71@~k|g=Dir25=j`kSBs8|d- z6}f5oNnVJOBH3^ICG8el+own0W^9~W7WDu@Dat_hVFx}3(2xE0cE8paku%*-%fZ}q{#<&~&A%_}=w$0xRilnHF6Qvfyv7z<1g+Lubco{7Guf*4RbwXg@Ua7>g3)ld|a)jl6IPTaLD zI|0G|)nG=|&EuOhUiL}k6j49T#dS~cH=c1s)0Cm-fjt?V?pS5E8MCN=1V$7M059Iz zkc_>qEPV0b+A#BI5zzz8VCP${EnH}Y^;FBG=1eZ*pYRB@QxA<_uN|4#{6x+B39X~V z`J;RBk!{}Jz2Id&JdoE=cTaaQ(IZ+SRyI5RK=5#Tkz{AIwi*@W3)ZPVP?kete=dptQ|kOwf1Qel(B@q z*64j-XLw2(0t0$CB?o3^#a1Cs0W|j1M_Sy_ORnwKl82B;=A4zm3(Q^TD+6bwj$;bt zYl`QA=rC`W3%LU#xmu}!+;Mbao60OBC=&#g$&+&`byKxpwvXjHHIi=Fz|(zv|Gd{J zzufgXeuOu2KX?0o7mrxG|C@J?wZeqV06l!?J5@*#SX_C^9lOJEP~7i5HI6A%%@z9t zFy){Z*CmsYq+com&!n$Vg zaC!`{WK^rmL26S;IS%Pp@xpDolRuj!J29sj)VHR%7{#hZw;GKbx5e}Li4%a1e z?7O^#+l|Gqme#^&nG66t=0$*s6h}f!b|cGVlVEl{5M98PinjNB^~;Qi)sVhP=m@mJ zb)?a9}@@#1%pBn??@A6@L(N}u^7x{0skJvS9PP2~dO*#4IA zqcO6yJ0fhDa6I#ZGcG<*7XhzGynmj)@-ouIzfh(3XMgg4mp)m$8yUNp|HH>DTFKgW z{=ZR0lBy|rspG zLoZ|r+g}LS+!+{ZFS!k+HlUc{a3#B=8C)drEqh|;a+o9m(yVk~#0cc^9N-kX^jf_( zgo9+g7|Oallnv6HchuG`t2BvT~~>2y!CezQ5Ei@xC?AH?0|cS{6K2< z>Gr7mCx*jOwbqDPatRZM4l_R0;zjraOHN(l$PS$5V z$MtSftAiIkmS&s7feopGm4qNgYkRr$&6oD%d_F?9P*E@-fTI0hx@e66CFb2AFyr~{ zu(+fCieqcRwD*&&*2ai5e;VfQk>wQEn5XSC~^n}&e^n0;sTju9T z=7FV>&k~pcuCAjoVx4=121&3C=GqGqRjbH;hE*B^V7lg#4h1LlYCssPClF@>K5aAH zOe2lsPI%AY&|vVK621E-FbZtNUu`wwq%(3*3*-9|`c5+aX!;C$VL%l&1m`jYRtAQ0 zK0+aY@3sybjsbNP45LL-MR20`%g$={!k1viqudJHm{J@f0F`XC>s6k;1d_By5}xiL za{<}U7{AC}!O}Ud^&K=v>!VgT(m>zH7w@N+Yua|fevj`pG_m*MW$>1 zrRn1=Kd~sR2B>eVM-0wIy6drB-Cq?>)30ZqK`$GUdR@9xWe2|{>HfFz0zx=C-`CF> ze*VDo{|?PIrsg*P(CB!}kNpdpyWXjA#o_RkgX*!{90fl357`r!$_+(zAQASq(^vjw zYD;^MI{h+MU6XYWq{f1(M&aXetFamIZIeip_4$2p;G#Fh)eqKMvX& zK9F1l-GglZyoUi|;=G+d*b0F0)4Bbx6B=7PV;gH@BXfNheP^qGC`>O^J^y8E`@NmJ zR}S0&vm)^}xHj3l)~E)>EIs?+PXG(8!MUzQE{{S{VzYeR&83i1JRH7WG_+L3|0|LE zZYwsox%v{BbQ@#B32dGtO}(NCgwAyCcU1ZuRGPUrU}KXR^>Cgd`zZb9h+4#QfgGw$ z=(T{GK_9aEA4f~Q%1h{^m>|IT;W)zrnv@GfDeDtr{HzENF{lzwJ_eb7DYZBxczAu8 zb<3_ zzB-}J8Zd=#Ez&Tjp!trF*%jd2loft*hNTNrQ!^jIts-C}T#44$ST{4RlfdbE!X5EJ+}n)%^T{ z3Zs57-hTpYU_Pj}yJL4fd==fXh2G7za%C5*W%*%ix;b=srVa1JlV~jdKK}-CU9X(X z={~v8NnYEHpbV=kAM>$)S6_9lWfosP?EPGrR-2JmqW9s*ZX;-mV%SgC-~~nzh*tm*&_O*un$tpqv?XTx`Bd)Qz-Kji@2DFG8TobC?rWmQo>_*ePqm1l| z#EvMa)ly^aQ#H2%ofsa@DS*aFxqWiiRP-}rK}t_MbdUj7SeiXq<{|I~|Kw01l%Ow? zdQ?%Mv~nF4xNv~+GU=F@jjK`}dx^%Wk$K)ryHM>j78%9D{?-w@-VkiWR+tajbvcg2 zl|7I39tbPdM=!LHAG2pv3$EP!?C$i?A=qFe(*m9JI+kUQH~#o!MLI>6Mh}^(`$+zY zIg99C8ierXGJE@IVC=)ap`pbJ`C92xYJ-1@SBwZw>^L5Ja}amZB0u1;clv8Cn@bR% zNr=RMbL=U34dX9X!stEnH7#$B;Cm(^dzA_L+Cjg`zZkjr`6>hCs*NGw0elKjG!mN& zgU2Tv%ko3ywe&Vi`*fC*sn*8G;kaKx|0!%cgx3Z+!Op4J(SpAvavh^pwP>4JEKsY) zc5uvWsI7WGR6Fg1t9$^W(nh4J;v}64e%lVrvb~D==H`4Y;c>%IyR~+Hf@!p>?x>2b z>iM@~O7XQC^6RINg8s)9hksQ9M@O@N>q-9SQ-@N({r|3~SO&W*@p!^N^>lT`T8Ma1 z$HjD*3wQNVIWfRi!y2oeEQmksEts1hObqz&5g7r8Gb1W9f7JAZw4MMO2k;f?Rdeg^ zzbmTve^*pEG_bo|PWVyJ)ae{3H_575Nbh<|ixJI7-Ju_&f#T+uytbc;8pAlc@n#f- z`4ZGh%#|{@%=UuVD~}R*Y~fnUXhH`13_|S^g*zp7_n~&Qm{wLIL9Hcf?V*b!e@Scj zsA>F7ZNGi<3WBDO(HueDxlwEBM_pYivt-Qs$z)fA3Uf)k++ zZxmh~JX%1eVBgjJ?JcT6S0tt}?&mEob*GcdwUu3zIE|}Z>D4$MAzIW5)SNCQvtuC| zK@yv&>4utGK^+byHbz?lwj$@j#lfGDDLtG=?5nCSj*e{xlGRVzO@wnVoD&})s8v+U zbpu1wuS`P|Pex8cg&upKRdlRyqKVuvebv5r2kY5;Bkn;EA5w%xI~M+ z$_G5R8}{fU4ad$NRg;+5nEhjs&d|%d<)f$ep?kf2);2IwU21~zV|6lkU*M5xUT%Sx zd(d~ZcfJH}7~YY1<&&Xd3(IfZW-4=u=8$Q8!fU2sjK&;aFmMO|5%S<95@2oAGB-hf zj!JXoBL5;vh?;Rg+3L`XiE?!2M8fhzv-J7<-YG$k`<>UkmYUww&H!U+he z6F3_o2J49YZ4nr+Pv^sAPU6|4G&Ws_{uEbDkDP z8e0=jurlK_z!T<}gplCJ8c>*sxyCQ{z|Vz>Cv-!uuz`sqmBct6mRC0{UD|8`D8<Fbq`s-fJRKZF%Z#ZgYeJ@3v!_S(d0;5;XZ)?&aALvGp+&1JGJTXP zD|kve!N*d}LVRt!2xngWhI!VfnTp~8glt*m7P_~sLF}kKOkgD%@cYAKEmX-;P+C-# zg|T%7UJ9gY$T?{)6e+DnU-m5C3`1IXyE9Bjw?}AnNSafxmSc(zlGWP{fdbG>GI%xU z;~gE0gaEcso&kD1gwX+137YvGnr-k8wP2Y|pu9iJV;7_rSK&I@pWcpErRX>4p~xKz z)CjZqEQA`r=84=f25A+?3Et#=Of1mvz-BK@gF?jLLl83dAhKq4G0iBks%-$rrzI+L zAFmg8CO-G98MH^UnX8WuKF;cr&NwjUcDH70MF4EJXiS@Sb-2cD_zS@_sC36@^H@p< z+FH{^N2ij^`3P5BcuGfx*ecywyL(5i01-!gnE7cef;x1j%c=9KFa?tiVqStJ;u=z^ z6MWUxST7leaYZ3AsZQRH>lb^Za~E?hpd=QJuw~YM9np1&(eRMq1;?s2f9@wrL-V?M zK*h7S3iF%RHacS;+Mo>A0Y=8uyf$neWN1D_xeOV|Nh|<)02Xn?vaF0~P`vAXK#dFV z!bCx`JS0a4PXc*_RKzuQN`;A)Lk4JA!|t17ZN<6`)uJqUXCDTWg8S9yg%PoFgMZDY z3agUqW8p=8^*v#TMydo|L$IbdKSSKxsU-h+_GBsZoHWJTe->ZOuC<+E0tWf_+nifw z$|#3znL{LxnkndWcr$t8raL_n2^{BD{9T^njD3sgc-_QrH3I{%XTWKh1|6?ify)RT z0j#|=^@td4ViH9@j3-6_-me#u<8<=4D@x>wBWKCKEUigpjq#kO!T(6$?tMWI@xQZ= zsa*v)u;+^T2-oTs2L42!cb!_vbQDHiS`t6+Ot>FD*8sx3EM9H93wno zMdHJxx0u#4!P|+GjWu@U1>YDlvt%l$5Bca>HT#NKjqz>4w{E;W9W!-l>d1RyDrk1z z@W~wf_PKCU`TK0%Y`>`6n8RYmGi%W-1ZOF1^9?6P6EcR~cFqI9%(A(8*KtcXnJZ#8 zhRu0-;oQ}uwH`BRs-hyce+`ATSzC4W;9l1}+h$>L3FG6bwWhu5;wAZd77wI!GGgn9 z;U|MnUttp}ja1T#D<+UJiw3pnIbub8pYv8b1EFjmAICeo68LWAs7LKtjEHRl-cBX_ z_Bb)n5!vXul&fpdVT~Dl>BYdvG|j2?8~FwZIA^++6p)PmGHj>dT@6dsi--a_=Nme9 zc`tDmzt|GrN@w+(Kxeuq#_$6+}jFwj0~dpmNfKwCHMg^oy8UM{bmkROy{| zyPNY1ud~7XB%1B!^*CnW%i8InPbO3Xy_j+LZ-$$hdAl(z=(npK3g{ZzwC}&QSh0e# zJNG}fBKD~NiLdzaVz+htpKZaV+RqLVEA-C}kw1e4qG=tE={awsy^DHcQ&+QjwTB^=m!eZv^1l2AYp zAZ|_`(00s$;immX<57oyQwkjvX@k@E3;ZdbV_tI47=LgGQ^=tM9;6gsU_so8upFa9 zY~=48OKK(zP^%!xJ5;D}qELWZW)v4Qun`hM#2t>KJV#y$7LylADD;zxq$+brtn9s^ zLMB!WTS%C2LN8|yQ6mLxtv<*r$}K` }$3*T6tqwPINpBXLah)e`+eBl{UjcDl_ z+9J9~o1ZsD8vfNxSxr0fdh7HCkpd=LGTlKvWm?KTH9sSfoIr3g7iCE_3UG6uIKso0 zQJ9@B5xsIb(1GixZES#uy^|QVtEvZpfG(wX+@z)*;RL3$=}apG`^&Ixa*}ujWmkaU zKCREw$pM(l;w)y>h%F6V3u`*WH>*i^3t5P;-cgxI$zJ24A>qkdJ7pcUM7)sC{ z+vEh0kxR)W%Eeo7178v=h6no=+JFGFe)j7KhJUdz6Db@4WF8S_C)J>TW&$Yan#dm_ z?~d5v_njUN;|TVI&i3_5<&O z2d`r=Z9!ySa~dvqD&>OV;H0A$BkVEn=sWG=vw2XgMOzZ;>v4SRD4qZ1E|^S~o`h&9 zJpLZ8_#^D3GowC~C6l8mGbCgvT~ZxU&KSab;!Or0y6g&%?Y&=AClL1p;+jAFLLpn= z`T042<%5IYn-FHXm=G`VqQE9$*M;@?jJP>8Of!=Ww2hX$FiAjat?~qTM9GeJh8H?? zfEcmEDQK}Z8Diq7Sp69+dmy3BtM>IC#{HY=1uZ+$4@C(aPsMdcLAYC5X1obR+1L*o zwHV+TxPf*rwz6XcN!5t(Di)OtQwUUU!jUME%Xcj{Z0abTAF7O_U(`bA$VOwoiyd!5Ai4E3hcB6AEX0qqZMG! z0(aOwAqeWu_}kXRs5Ww5TRnQfaNp%+yN`a!NENuwmw5Es@Z~;vMn9g0IiOjEnfK+X zV}1J@>s7$#<3q|`L4%{-nND7eHAPQBK>gl8O!3(xX8W;m@TKqRV&XiW?naH|0_;x>;x|Xm+f2uLkFEd6eiL6C zRTVakBJpU768YRTgFF(j)ay0_Md|3TEzL5F2}g$6ZKEBEN7B;eKzGYN0k2S&@lhjJ zZpJC*=bvS7Y>f3DUIgJ=#Ui0-gZ>Wb_PJ9=8 z4=-pTXFG>rp|z1RGwAcjQv$fjuW3 zX}v>}g6RrDb!%4ImrVjV4dsfZsM)=JQ;wubmsV|@(ZZ!{7qSv+@UoFTjOZ2>4PL1P z3l&B1LVa~Wp^RmsmJ<|xy(w2H@32h#Y0;7!ObgAW<)}4< z=75c)i~HZC953pN7y>YMvR1%CKkgz`@lY>Twi30r*!81?7irXaB%M_$g)V3ex1o9k^4Gul_tAI^EAIY~)Vc`&X$WZdlg?*u z^N$C0^#2K6vsYv!qqt}_@1Psw#usZaQcJ~jZudIT@J}Jn43n}bLSDAK-*y!}n@q4; z_9M7;vgO|5apit7Pr~5IfZ*7>gZNvp%;jgEC!8Qqj(;Ftxdd-#or?aYV;xJ|mDJuoV8rkM=Y@(26PtVQMB9M4K*1>o6^pCC#x zxQ8%F*E&;5d4Mosu;!R$-_SNj6{XWIGwSVu5)ZBxQ6MDXtMKQzluH4VxqSjqhBnV@ zgpSQnY)bPM11eR(0|-2g7%zFy*J+Ce>ISe=FMg7ny<34%n5bp-!U(KEf}S*7=G=S*n%4D}Ov3O)j7L)8c2M5{fS!f{ZL=u-ulu+x>p6 zuyU4rvXS`)F(qqv-iW_98pE$&X`V`--L5K`cSvB;_gA77YUHm1DbO-Ga_5=H^T&_D z#lTpIV=xIG$g5Cl;}No(DlqzykHGw2*SVns4Rv7KRO6`>vZ1Ofds)0M6i9V+yHQ&l zb+4@uNpBB_d-su02I4Hxg6!?=XFP>9`5KJeOQPK|LVsxrTG34K z|5BS>Xa~&!Kg`>A!?&@}@+bIyw*f47_x%}FR9~MM z0SYsX@0Vepf!=*E{k(ziR(Ug?-mFNoBRl+BJfPVG$8+Py80BfGCib%D&jSyGm~RW&`K`Dz^By6 z{-2cl*-~ZkV;B$=EmR9|#>nRn=ISj(tg(F-8QYh-X zqbr*>Hy`>k5puzLJVINZpOL1oI|1bkm>nJ$Do(pKZg%2HU9>mRsF@FTxi2lq8@n{KeD3tYSXo2L zZWjqz>lZA}pQ6ff%%|P|Y?q0;Z&L`8nt&t`j!5 ztXlgY@@&%5En(5N{h1eZ(&<0=e84q)r`rm}?nhp|AZ^*#Xp@6%f3+z5I8)Tl?802C zoRJDHP4Nh@weJkh^nRy7+HH;H$QN$SZspY&kx*9=4h;%0gQ8bAtL(G~ zn=H|T=)&eg!qVUr8DCyfjUwSWyL}JyHzjD~-o9`eCspL7Rl8-KVPEW+3EIRLxqjm^2^5U}g?qqFlco5T_u$ZW_vP^JAA zK7(|Z6uCN$H5NNZyFy`#BLVm3-XQ--O>(H)%`QCvKEs9E0D-n5wdplLlF0G={x_M% z7eA_?-A|p^{EtRk|8lRewsmv)N78As+W(u7;R4Pt&=-pUq^AMH_q^;OxW({zZ zL<)$i7|Rlp=9%w(w{b`&5-ht0$uY%$3dQqAeCPfw65ITES9tKm5T+9|I(8q2ERs7M zfGVlZFaVQQV0I%z$4JKJwxO#udB%|X}-6H*N1_jhXK#&p1Y&#uGeD*YB_V_CIqV? ze%h*dM7WkC(J-&E`ayWDg{8auK)Gr)Y7rWd&sC>xa_SO={K(a_5GqUeA>fX~r7|`2 z>J;i7c*{5y!{r)4Bp=_ekCp*)+LGg!p9Du$y;2XG)$aWPVggVg3ShXXLmd~O(hN3` zs-*$7h$?`|#f%CWWsXSHHGQ(`n(-6k(uQ8GU!Z?18GuNN&6oD4yBb{4f>~1tr1Z&o zAe#56)zuG{q>Pi!ufjHlNXv=DSI_9-rL24zyw9~+gF!*$`p{_cf6Il0)+VuLCF$8dYXADJz7WU<-F<4%Oy2SJG_=on{a7bnCD~@#g z?moZV5&Gt5|JwGU-9qR6PT-?!AciRLI;xrS>kj@P?Vw=^aP0JU8lOdL1K48nKMIM4@QIWO+>GSW0nQS>Ea>c5*289g82HYZkg_v&3+XhAf zeSh%#qX0o>*`^6Bez_!OEbttMA4xk%zd5>3E_GtrK}jh!L{S~ES+0zvh&H0>yR=*k zWT0?M;au_~g}Mv|MjZ}Zdf*ABXU~E(lDTVYD_3@{P`SRkTuIdN9G&3bSYzVw9r6>y zfgpSZ;xpY)WA`;2o{C4WZGNZ}ewxu7uJfD}HI|!()~e0b98gNP?%MJAnl3x;+Wbif zN5V)vt2@W#yJ)DzxbBv>W2KecN4x6LfJ~J#%TQcfYh64Wfnl^hD6hY!o;vb%hr%OJ z0v81a8HOrjXMdaZgv)lgbpMU$Nm08#e|nL|?i9APJl!o6xaPx8IxAw7olj$O&41RU z;6n17O}I^qO1_&0gA_LB!P?4tNaOOsls0z;paU(k_)nmpCxb?f@tS(o1S?}?Z2$Z&;-J8o=|r8$8foKEN$)z zSf!>@CUf**IacMx4Iof8G_WNw8du+s)((6DY<@6o&2{N@+6IFR6vloWl*~t<)JzC* z=a?O1egu2jLgYg;YSO}r2J7h^^U(DXbk=e&!mJ}N%5$bW&rTdq8%V8CKXESxREl}R3Rpg&gHWXZ%CC>#0B<>y0BEE7%-1CO#kM8B7pepk$KHsxWKPAzUJndehXzsAnXX@y0PR=n?R0CRx zhsIce{yT85Az*L)f6pH6oE?l!{!L%!E&u=T?2(;B);o*yUlG+Uore^pwm?_(2?w|d z3dsGqw6F(!|Gmw_gZBSy^R)bI^RRKUNm$?VJJ!G)VjIV`J&vKX+(6iiyHJPM*xr!% z6;gsuFJ8$R|CNEhf>OIc=gEpcc&+2rdO`n>m+dPZcF+szzwN4Cn(v2_|LCow zfArS>`$CkxxsAE=|0EcTRWubhSdo3Ub?pgHs2lwnm@k3Sz42?AR_RH^Q@Ne?77Ck; zFZ3j1h!yb`-&KwiNa7+2;C&B2Fm1~Ip0?{j zPOfT`6otf2OdOV+JQ&DaoIPAv)oEx`f8h%zDqGfT{G`aYVlr`X^+Zi=f4j7IW+k%k zieAK|DECQ)47;TFca;(pwm?e|)CEO3z-RFjN@Uyvy=YK<;>nnHtN!l0HAxd!oC!64 zIC5%AOO!g7$OZKH#1$1KVRPB^~(JvR3~X9<6=5^WxK*-6SFz&gy+h~#uag{ zYLmSrj9_|oKzD*=457KaoGpsqahdR<@nEa`vKf~tr=pLViFtP5B)CSRm%KUkC!yp9 z0~Swiek!9kb$P{WSUyrFE$O!g4t`kc40sXqF*OI_k_e-=BrMZLtpJ0o%r3sRblr}5 zC^6rUvh!69vBFo};ISuBP5Z^4HPH-(ry4Xp%HyJH1p5WUy3ob&fi^K4rxd}B`IaKu zp_t^3`Rul_qa?0R5#<6@e>Ct^ult703?kGF;qKJux_8Irp%h?kCyt{SGEr1XK6_Gp z#!9?|qM%7E4q{ud-+WBK0r5#W_yC`Hv`pcqbQyMir?ONLcA{}y;s{GaiiJ3KP%@Sf zCn=(_RX@bsQ(oM5B?Q^>!IIz|S8}-1?WubOc0pTUc6~J~Yl#zy(KnA1?E{#%8^QJF zpihN1y&PB-8Vo^M;FLDyob=RvZbLb<>?b@4Z>y$yCPqbBA3mTjuts8~PIN4T^69+d z6Lf{{1{Ge*kSSSJDHDj3;r)RQ@-rxq z{J89w!x4{lc{2^mO{=Y2e*%ye32onz%%j^O`OsBkQC%|#HIgUOdU79RLF75|C|pF; z6ByTcFtvF+U#;tkA(7s4f^xi>XXr@~p5WcU@2+?e2YVK{R!SC(Ar2#Ah zw{5zlUK(B*m~;?d_}TRkoA@P^ZN(?wwkR76u|2Fv*_T3 z_Mb%24z|ut#t#1+XmtHF+xx8u|0RkByujH>9rUD`q1kZBJgDV=X64VKk;{S#O*#1q zjkOS`)M+{Ky=E#Bl5D=1#BGK_6e2VYneKEDA*&H7o-GXiD@y2VVzPLiUHdEmMGCY3 zcTfX0MSTcSzQ|(0Ab+z$r5Hsc{Y)RcT2fYD)j*Pj(O4M&D%(jw3_q>$Uwfb4iKJ7m zJ*_a{id&2`m*oq_(vuSJ94aCox{5CMKOOD&d zuDxl%h~a*84;GU}GMsmMXxXg4O(`nCHl_WysTKJA2VU`z1_tmS)P~$tm$la34JvPC zvZO4HbwA?aqqec4rntf!e{&D}byKP))CYmP9X-yWTtn&$F;4y)g+KlD$!yf{@JD@K zF_LPcK{N3hhv}m+@6o4T8mwtwzr=PNp5uYKAw z;>f5XuMxU>(zj$O!=ign3A?)5I&z~%u4b+gJr6FM4J_0D&>rnR3PhTgNhI1(5~@`q zBo4nq0pQa}CgG3t;aQrisuhb-HS|lo{OYm8>~K8ZmQtT$lADNXbY$2-l-Q-d7acSU zdVEzMlxou&r;A#SkqG$}Q+Q+Pd|Ch@0FMM(g7Ngeo5_In0rBn2iPwGFAZ!jnI22KT zQFj1Nb>1l(Pe+xFM(adrZ>7G5h=6WXO<^^@C-2yQwCU4jC6qdi6b!PdFtR={#M$Ul zuF3%0FcS|&Ahy2N>%BJKMZu+IpgP_N8F;I<1+q@xWL2cH&G+8Oq+i|Q!$<84T=31a0=#vSW#?jCn zH?n2q?qu`u@bU9;a>NzyXtcCPS654#Y*x(X9D;;_t_WyJ&ccB+7Ae_29nPDaMc|t> z6imzOF6l1}-V93qD3>Kbq@?P#K@vyO_9e?6^~nQq;w|$dKR$1&0@0s<{v`DFzdV9N z)Ma;=*uf5AAAf%HYJ6Zy}AKILW3hV2bSc?d*BUnP!=SMZVt(i*`B8J zX>;PPdW_WU>8`ROKb26VFTol&Bm!Q1!khAS>SRyDr9fGWEAPGCso3ebBPnswZ-JvS zOB|J(O|Vizshx#~D*SvK0gdnuVEIm|aQ@Q4u=Ej;&TU-HF>~xL*et!5t6_tUj{IKC zhjSJ(_s{UxupeghkAyOw*v#emCwr$(CZTqxs+qP|6r)_sn&o?nM z_r5dttBCxWRZ&qDyJ}~y^{j4ELj_*2H)<#jbQZUAf_$1!yXsEXDAu$5?!hlkyJ|3Y zTc$1%xQW6#-E;Nh$!w~>5J!n$6JS3;R$g?5Kc9t_oq3REBDv&Bt&#b(P3`Y63WG7V zya+O_(2kN(Yj8wl7N?1JnWhwRhBaPcLTwjcIG6TtQM}hLtOO5SvA6m@uMH2iLWQhH z2-F)~rZd9S9_a;h3I(yFHkC*Zt?JF!VLg#;l)Pd5YMWv9QT`d0==LeYxXG>_RBJU7 zy8iR46+swZ&w$a3U?Xkp!SyPzc7DJku~DxGJ8%oOmw5a7Y=mtk@ZEYYWUFlFHE7w> z{J@<8M6PvEm!;nde>sIZm~P0aG@SXEVjGkhmM}9$F}sbp4v)!=!f1N`2{Yb9Qb`VZ zu$YAQ4~PsPHsP4bR9zO2drt#mMM-pf0kL~T0Xv_dLE(nW%pot z@LWva+Z}TL$Y>u%QXx|8);;(@`c^sP0f2pco|(o_sA8c{8M9`JJif>mQC_tgK5D7s5F<_GIA2{sHX# zcv*?6usD*mFE&V{Em-6e%Wn^FsR>`Jgp8W$c;BHC91kzs@0c*LUr;m}u)-=iUI=a6 z-`v(JaLt={u-7-VPRrYvDFVBAqCo5=HQPgMs>R0bs;->{TSi-tr5L=DEt*k}fA(WQ zdt|pQ{rL|UN}n8go$7BWk~j|lz@Pt7{r{`?{IA`@mDX=6yeQmnDm+l}^2xlUueQ_T zMxn0qXtwFUBHPQy5~rT|s_~TJh*t4KvZ|pNVMRuew-KF)TTM@HWb`BzMq=<1|Ueban^K>eYD~ zm)-CovUDY5*4RWC50m@w+FW4+d?6&SZc^)eWl!SkMUr5JP=BOG@{<_#Q*nIRqZqv7 zb5CFj!9767YmtE4!E)>nDfM@VYH=8xqDQ0fAW#Q==pnk7mnI-uPBN7UC}_m5I_U7{W#BS8VxjWonjz%FD(~(|; z`LaI2(3RDJyu^z$etg=Uj`DSJFLvzYwdWNF&!dAL1-IGSU@~EQz|Rk_e;$0KGZovk z@lR@y+YM0-2R~1+!s4z?J+zPMQ0^!$JjWr z;*_$NRVsjq)|YcxS39lq)~-6+eGl$k;RdlnXGs&*Y|A1iEd>V-N+nkVj2876>&{9t z8Tf~@KfDmcxYwH!T~5+r9GwjZXS(yRhDodmK%@8Er9clh4RLO7uwVZX-(T6+7esK> zKf%lP?gl|OM=K-9hvkPWX?;gA=n?igi33%X+An5lEVpr_9}lGx5tyf#l(2cd-Wh+ zRB&4lHR!62<5?Rtqch?ws*&}!w?Q2cn-z)(5MCJM0W*M~@j_gwyx~QC`^N)#vN7_2 znQEjEC8eP;w(3PlETwyOJCJhwGd4yDE~=z`d~+w#(iAtpHdAhD@DZ?iw}M5a(`5q= zDBubP;g6XNj<_+J(%G5x+JN9`SDLET@}CTBd{ptv0#sVuEE^e%q|%qSkdATkx(Pn% zx8AoDl>WHo-T#Y>LJr1hM3u~qR4TaQkMid7iShH6CqsZg?O?oWGtzU6fDTt z>Zn&1G{31WW#4|a)dG1cG_2yyh3#uq#IiVul9e8+hw0u8YL-}`86Ev**TFP~TnPz& z8Y|c00%QXYCG7FR33~I!KNxko9h4>wc=Q(h>bBx!)-6GuSM$n(rJ$@SA&&Oe)o_k^HUke@>F#>{7&jDSaEP(m0E_MuBiXG zt@+@RyAdI&A@7D|?|ivepf_Bdgn6ZBB~D!mV>KRzPc@gLds7WuL!k(F5l!)P1`L=| zO&BfqdYr|^5{hNd9$=a%=P33?^Y9kg1HapF^Qp-lcgdW#Y_U3Q8j&E0f{o|B@<$ip zkm;;JQQUw%JCZrhewDyJW*L^Hth8#9(21DRF#v8K3Z!Nzi1^LT#?z;f*qG!4G3*o% zx`?I`j_r$Ts;$V;?Iuqy)DtTd>71ZUGTtXtZseiO0n^POQN|etcPSF-ZG7Ba%HZzB zXo!`UmPJ7?+ViY5Z&e6psb0H;+VZz)4}f-nhsWcUA3$(#yxUx9lY__mt`L=H*km;{ zJKfL6aZwgRy^ZVy!D5Gxrl$)+H3XFSqv&`9*=J|Tf0mF_YULJL8zOj%8tcj($- zdFqM4x=|);+!$ezOuG9L$!Uk~Y4HZv0D3v=9q$IWJb~M83+VhyIAs)h=d4g3B`q%7 zp^%nv@Fja~xhMjMPW0f%Q)ee_JIuZkG~2EtYIG@gDy%C|W?r z6K#O+AjTb}7dQWp0hpc*?QY5hJN zUZ&JJPLY8SAY!?u;%u;tEoN;|O{OALgez+jo@vV1#2DgbA%0-Tiz%!@3e2_m>kz z;aElD`)uJNTXEYhl;|4FE6v_ahxEq~OmVddn|xwe(T(@zZyRqsw_<~ctRptoZfwvC znX!-5yGm7nNsMvTRRyq*i#3TG)+=(=Vc+QVSvH-S(kvG2x(kWQ?*(Oc@>JRLT5`P| z1$ieJrDep%VivLtRIQz_UKfHA^%sTrc*|%nx}Ktxa3fvxt_foVzO&zGxfRiM&vRG+ z8?!C#mH=UnAiemr?1f|4%t0>WSN)s>5~5Z16CM+mf41NnEYY~&8Z??eF0KN-VNEG1 zt#6}mXkH<1H_YgRrW@OjqsQu}KW>%1o7Iu~vM!ksa4zKo*Ye=CYbF~$yzNFZOahOv zy9a$C%RaMwbq{FSHC{V6ZE>d?ppWcVZ(=76o!12|?pG5{om|(~tU-r-k<) z$1Ho!kZ7xgVwJW5=VDX4r;mR;|VbaqTUIPxNR!}rfjkBB;DlxCaN zp?n^Y*@x}zRmB&69fkioevZp#I?Ejts3W;_P~^5RLg#6GsMVLH`+XW2`P3CVvqG3v zHcQp=Bca(mNB5VO^M5e{{kSaqf9&CHC3a_cLYX{QOPegos zJ``3nPcpbfyd;ah0Y*F&n5cSKm(kqHY$IPw)YlI^d{JLDMrzT=R@-58B-lik+pFaS zVCmj@;#WPAA)kDZd_;)mM34*B9C5bqqr4wG)=>67U1WVU2yMwvqewUu&wGHDgp=vZ zolUTK_=@eQ%}z(by}>vd$lu&$bE&zNK_X3^bhPy@`Gcw)GKI8ty)ScV!A#d?{ zwbYu+hBM>|pnA=-%6mUXNT+0&W23J_4hr1#G8>v2P+J_#j64#+S;o^&!6z#^SWjAN z-gG%@#-{6h29K}nPxiB?ih3L*ZjEKX%d?9x8Sp%CA^zim&cs9%5fQ?S(#)x+OLs`C zTU;rASexJAcBZ`Oa%1Um=*9Z^kH{>eU5ydcUn834?`}TP|J;~3JN}|$o!kum8*w*9 zS;p=+v!(k&&E63Xa*p_dS5~OyA{MyCAS|EUI6XFGJdt30y5ZMAm7KihkO7xXNBD+| zClO(PXSwawN}Hll*bcl)uj(xtmd6coTX4l3ckXgd=jF=2Eve*wt$Y;0Hu*O1p_LnV#sRx{wws6VWvx&zfl zTB>?@d|c3Hwm!B>SzS(b%-Z-y05f?^(88{Jb%{(3yO6luHz@SyP7Z~m?$x;t8Wui~ z?&dMgUXe5(_3xLfdL@WiQf@($F=T-gQryR1e{*TXghN9loEG|kpj6ESLKv1kqTFpf zY@eyxwu+T(B{#x7Pgc5+(MK87QvnnfYj<)S9a+Fct94fg zIg35MR7k1@Z%49;@3u$42C=8{&dXc6q9$gA3s@^iAE9Am62GvmE%8toG z)OhmU#lHc*kwaPN4C`dHmLu)ZsRL;xS^4MEliYIK!L5>~#ZR9U^-vyNL-iA!P}!=v z4`1i!<=8!49n6Jsj41xI>{WQiP;4))T9reT)2p`YJh9+zcC@~pPH~H6A(5f!^mp|L z5o2RT)q?U<#o{7J5yZ)&b{MaCmV($7Kur8<3UZ1r$rbmXR*9jabh$L!h;l5AftLZ!TEFVASjXJIYnsr4bmn;QxW&T z_F7Yhm;+tnf*Znv28-Zo!j{7fu6RS9v_=Lc4^-XzS^fH&@LMc-h<=c#xtk#%4W5S*0Fl&DiXBXLl zovwLcd_|set;De4buqmCXLBzGuf<(oSxC$S746Ajfc0Ja{@DV?1(Czhnxd_r1u|Jr znH(oQ&}XL}HlLA8O#a z2>}LZEu2T#m)i@u1yAf%^&oUMhm%LdJ({~useUf;`&SUYnc*M%Eg5R6jae*LUe`VRYSmOgkqsCJ9_8{X`*DJ!Yk0O z!uc^N<$x_^Fe;%O4^%yuJ9Ok7!_}h{Yo-KxLvon4;KbdDf)QZ^4$z-F=?kVjR_YH} z9d50bSNXYjF^kFPyfRo}?`(KCS#8>}~Fs|J;+Yq-{!})#^3e z@|wipV*VBD6Gf7nDt64`FSt3XZ25Csw+2K>zR zLQUW6%C;TA&fc8%yf}Ka++Z}CRG9?YH6KXKgjyimcMqVelJu^m73<N#BM}!`&_0685VUfAS zMBH>b7$2a{71(j^r(*qVxNeJy5g!^e_-v7hLDSSMB znHt?w;|^`H1ID%bkb0kU+gnH!c+eOZ5i2J@B7u`km$k+|3*`WkX%!IXMH1YxsxbwC z^o@vWpRKj_%`!b)Y4k2y2%LF;LQ7jc+SSv(>!vK!^PG$3SFRBkC2!e=IZ*9FdQS;v zuL*rZQ=?E+qU#ypVE97=?CcVZwZD0SLI?f>`rm)a0{OGt(ti=_uB87vkB76Pi;1nl ze{)AxYkH||ilY7G$~jQ2VZE#|#$Dx9YuTmxE3s#iQm36f?)|~hz&eyLmM|v{mwLVS zx|tHk?d~%;Jkqx~>A~y8jOqH?#z!949~lIMzTu~C`8B*IlfbkApa+j0qAWmoqk+#u zEr0^YkvN*8nm|e?MtAdc1WVuEipuIm(~;Rb`VRo&lArkuEGCE0YxQ3Y!SeNc>_Gvt zaf?v=2+}~929r`NqMlcZ&1pD9h036oPl%t9 z@=X(qaO5bYK~Q;KXS7iT?Sc(YqHCq&8!B*m@XMIQ}}s;dLP`J38}mM|JvdDv^;C zmAV{%4L(+Dj6zx>R5F0`t93V{mbzoru8`tX0JhV2qOaFGkZ z5jQfoocjGqB$C(E%ie+QbEbi=`?;ZcDo6o0W$=z}3yUX(UWZhjaLW``(Q7_4%mnsm z;ti$LDhr{ETA|^!0AfpD#a3o|NNyAmcK(!MCx*I(z0V9^^j2O7(!zb2+svoUny$+b zAXa66E-;!Y^kfa(EVNw;WaLHNM^}z)FPIznXHj1#Q?OC1*m^3k+tErD3_^8;e(RCv zCkzF`^C`)Mh(`)CNa!D*`JQ^dh*9yO=SUfT?IstX{>ON3n~8dQ5iw-`4(G}Fz3QQxGPL8?TNFCXJ3zdI83 z!TQ*MCmMp0hr!cG;xRzq9!q7)5LKFMRO+NLR*58M{Lxsd6D3(C)a4hYIeCj-o~fEI z9H|&d(bUGvqJ|Wu5pDx&qWEhywH?rH))I~;_LWbUlCk)e;F4S%MZWLXu8b$-KD-r7 zGN&q)qRCB+N&M`rC-G}Z7+C3JiOu_9hY})HpsJ;(08H(}2#AhxbuEvCX#_J2ky>%Y zSJV!usv%Hd%gg}h;0w+cOtwksY)do$w^bSM856%gZBBWN8(H`1h>L*Eue+C9xMe5S0ir>eY9N-Dz~&f_CvO2mbuc_if?VqK2j~)r5571^v7}oRU6Y zV8>HDKy5fr+@XA2LVN-L_x7!#>ur1=wpDtqZ%d6PN@I~0oa)$lGVuqKkJUHBUq&^_ zYcvP=%+=gWwJ$XLy(wOXQ#Iw>u7VVRi0kGUHnz?ZPOizQ>^U8Mz? z@xZs>7955;Ka4<@?dDSWkM8rsCaWh`u*ENds-scc16mx7G{^^zl-Wf}M%|K{%EnOr zGAawDJ+~t74o;`oRSo+YS>r6J`lcKsPbn(Z5E-!ih=fa5$Igh#{x=r$=4G^K{wInW zwOv0tNNi9<96%A!Yh{%jS<=%lzxiFMF%F3Sy5jU;!Cl62Iu}GXH^2g8v47X(C1mqr z5nrN}>p$D2pl9TKweqnSNu>mxbWh~(=C0&2j+hNv8N3| z+c!<^Pgx@4R{QeK=R?lF^qt?=Y{`(HA;>GRwsB+R1Y1DJLiKqW>?%ikdu%KM`xl3L z8SS1MO=HztMuW{nQ;yo2@=XoDNhgJuVZnw zGE9giZ&KMxR_6V8$wGGb`Jk?y-@Cark0l2abwl2)?et%o;wo`Xp=Q%$u_obMEJXd< zTZPq17q zA5Z*+Ak&-GkDewq`hcUSqfbzB#?dQ%=-|EN0r-M)blVvVd~j7$EC}RWY=Ph?{cE^v z%6JS*-EhJbgk*vt1ij^wGxH+;*bb^pe{tHTVElINN~|rJx}daNz*ubyF3YCl<6{6t z1}mY*vcG3h`GpMgGHnT?B^>%HEs<(6v9^JznO3!gB0}(fR%vbA-hh(fgDY33`2!F| zWvOMRm6tR*!J(x3>XW_%w8=iSg9DoGA}PL2T+}zDJwPx`RY+*&4yq)B#!vaQ>3L)(eMZv^N%i3UC*Ep^mMaP_|um2X#yY| zpce{=cg-Q1b#g{c4`l*pgg#1nY^i+Fp>Fd&E?8#JGLg_(F7S%!Hmz}0)BK@4iJ?G# zXp z8%9LvP_Uay%iO)_z4iVdYFVGR$JD;xB}Z+-|D817#n!^q;=isn{$AmKB`fFX^;Zm! zh!Sy0*adV_JBATTyf|L53M~4nU*f=MmKf;}E0RgN`Ure~@CyA4@oZdd>9eKonSwbz zPT#*hjVH`#yj9B^$N;sXCnD$OMXfj5d zJf(;#LTEy1f}Svee%ZZd_{Iq{1Ts{^RPsQqU{NxAJDxV%6#n;H@?4sl(>Ri3*j~i$ zu`-@)aq;~8;;t`}Ih8T_#r5+fHfE(X>2Un+f+)1Q3DHnYYr_W{vIbNN6mt0Ft-A!c zrh$6iZ1LPDt@{3rSpF^Kk0#Xs;eO0p?$Hvx5=i%hES3swH>|WW@b;_{+ zPVH0xzlqn7QY*q4IWR?BDMePiIajSfo&+Ti7h{$Q^?@439VKCf5z!bw!J&Q6qC8vP z5I?d`S^}0(s!a1%e|RY|K&)KP9GMkHiNuJ2iN~NN95Og?Yq7XER(nv8JG<Qw4MgYvQ#sll#gBbsldse;8SSy7I&W^l!Qs*!r(&z^kWi(Lxke^yHAmw?CzJ944 z%uW$juGN~>J~EPaT*)Fd!Iae6nc^>Z93#=EsG(R9D>4Q`)Q#|8gG|;6^G<~J^)NvI z&duJ}j7ISK5aYdYSPq-CWTK=WUVm8($ji>IjxYO%kITu?3%AwA7q#A9pPn~om+N$l zh=I4I%Pd;=k^7T(SG|v4_wi?yx@$@dmKzAdn3%;C8cYu7jgTK=j-dO zLj$a}uevJnBoy6a%%@QX?U3knD0axtb}?+&jNBUDt*&nFm%c2)CCb9BD_G0cNG2#@ z*2I_m&xuz;IFg}W^bBLOR0F6V75W=f5e%d`T5?OIq9cnaPk^6#a&0$f-@E;jNs?He z&bIf*xBGWwXSxRc3K!<#{8esjPS>e?D}r{IVAQc&tGx;F2laS9(~+cl!ORGixjc^ z;1gJ!=uv=z(%!Hxrp53eDEj~~Fw!2<$b{%W7@gCn3K(@Jw7@~ymnOS>m+IvAEI=qg zutMYCdndDuaRvGzsNg4OOp}hxrg7lW(?FdcTV5^)>2~q`qvc=tny;Qp-VUGNQC~U= z!*jDcfH5>6ifSSW9<>v>Ib2e{{7SEz7;F()q-SDIp_>jn7}X&3Nz19I$GXPPX-9lt zq}#pG@wT%SEku`Ex*tP1DJy_Fz=0=TCM24FC|5K2OCe?@|-^X*z^1KUcr%C)m)#F5JE)D^OTjLUc{ z`rN0ycjN6fW?D-;^*bX$h$4rB93cWe*Dj>ZzG)@pjHyvf{pkH9^4Ey})&G17@{`p= z{1Iwbp6YCYDpeNkk9{hO5w<%Y5{)smxYXbTg<$r0vS+I#*n(zdx~+^*EKxp!0Cgk} zOIMpp(=;!4Y`=}P(2{FJerSi0%JB2A=v{X^O5|K#AECTDPCkw}CWU39bcs_ptOfRG z@~~?ZCS1T^;ce(M7ALPvjbv7__W>&==X?05XeGPpTdodcrXvqj$H=sjxJNikS`_?o zwKg5?Gh>dzi#JPJ;7#usMmaC3U#N`l6@5qA#EvAs>uz9Ipkz|kE4W4jc_4JxkCIPn znYp2rmHYNo+#K?Hf{*KFH`{UO#i=1K(}!z>g=VHOs0o z^NN-yzuovZt-PhO<}#(%Zhr3Dv#frM`$Ow4fc8oUo8ai#WP*mG$5j$0So}-5?bBIp zz?aEvx6Xuc{rEn(K5D}Kqpv%Eq5u)y6#7&wsfbFZu_!I`q>_lzx`v)|eOO~}Dk-e_ zn6_0z9L4392iB%++Pv8_Ne~*0b&I;zT_gYX0|@OMYiXy0vM4j$mVUTg_{)QNPk9hI z{#xYsxxrVLD*&E<-b*T$5ABBD)v0pr-(pD(kDR-#Rmq?z5R}Re2Uv=KdZ+6T`#OS? z;@25mMT5%#Vu9k~D5(o|Ki?|FYFDE?PgTR;rTbmxA?ldnaGTDyXmioa>Tr`y3Y!eT zq_9UU!P&D-RT~?lDX6CYT+4r3(*LNo@c6OmOi$a~f*ore>B4H76yDHaOp`=k-frxy z%vSKTc=b<`e!`F6bUtJsULAVu2l!L+T3Dn_u!w}e((Kq;%0w~dt88K2VbwWNQLx<} zV-N>^5SE{yDl>y!1D#=#+vkihqS6Xu$zBlYoPR`6r(6L`IUaLP3p7YrLEATKbDF(O zqJ%&O@Z6(3f1|&R?8US4L3nYkU#;&oJF7$`(%g`uF zN77_xNJhxX^?^Cv|Fh8U=Bq_}&in%Bmh{uJrAUgv)`*|pS4SQB~o^RI|A#PZ2~k9El+=@lvq z^H%F&)#v(nbX>*pXz{I(g;*M6Cr{AU6pFR?lwEJeo3+P=tc)bqQ?2C1xcJGD`{f4I zBTH5ek0z)T2(vUIu1cEY1r8xJ8BovK!%z>=ylF2tm%c~f$lV#h`H&RT)eY{4*yt&> zHatedzbLtEoF5*LXP0j`o1YqV|7?)lAEdgdsU7ry0s2vJIdH%K&|4GI@Tl1SN*Yvt z0R{iFKlA?sSs(tdZ~|t)19OQ@x^+%`nJgBoRFv2xv^4P4zp@PI>5t;$wks#SH?d8| z6e&<%z?{G$!uPMY?QRWPasyi#_S7ojmT;~M=hppJ%n%EK0N9uullY4Wht$h22>A|! z5p~Fz7ED3yV~a43RLeBN?GhG0GsKgo&*U)ZQNul2xtL#MqU$|N`?h9L!p2}=KNH0Q z&=Imq-Fsic0$9~0WsCzXiqT39bfy|keMAyKH|t-c3ouwZru(GjFS?qPG!_wj6O zg_(n{?gE)znI~a+$ZmbxS=PQ(zkBXc?0?gjB#X|!ayAPQj79`aoCYH!tUc0JLxPNH zMJ8ei0eD#==RD(SUZ|)r^iNqaI z85p3oWcW4^E+|BRw)TApm7ER!@dbY*9a&(>h!-4+$8_Dfy6!ub0@Fu+KBx9S3+#;q z3k3=B>C{p*6)0Usi+LT`Fmz(vr~*tcPr*2^6H_G zNdwt7?08gWodB$e83hv+9>>woUQcbbWq2~pZ;`xoAEioR>Kk^w3!sjsJh_dtd+Jd)=yATMHRigV-1YeCa6DGr@C!nJJ%Q;LWVCZ!|u zCWz3`5)x=IDgesb_0*P|Tz>`Asb7~ug;3$ncdwLQBdoTsE7qDNd8mqnJEtCsrz+T6 zB75)^5{KoOWL)eX-}g*z^SuVwmvQVbxB@#^u)URIhBA_BKJ4^V7pb!Ff(d6y^Q|iK ztr~QqEDnqeh*b&*&QiNq=glwse1Q=?fC|%FlMD>1xKrga})LOuC*_sIc_35l+;1FuE4D#95r zMnyiPql-h!W9ylPu26Evnt}7^7tJuhmg0u!*#l<>{pAj34XWK>gLpFXl_p7Ez5w81 zRYU3Y{yh&Y9TW<&@t9{DWob<`t~3gCrl+33df57fF78pmQmPh~k4>B zeW@8!@;*aMdW~lgcWwXsgJD1fM>aamikPV>ywnyxUEPnk@YGsCDry2?BVL8%PUY)T z=R)++8?0#b=^b}#5t)92#R%(g{}UqNWo?a%)x&pdqR(Hfu|>dFOT<$g)lw9e-V1Ht zsxfz%aUk+a^*W05MMQnZ!k3R;R!m0tM7|J#o32!Z&VV&ZS6eU_GofW)*FEUgJP=5- zsH2!S*{jyAH$%5qw2GINo1Oay-qV)V{45&y;CU<^xqxxmc{*_Dj3W8gTJNU1`@jI( z>WTUAg?Nt&&TP$>k5SK0!2LE|`m)-Yj`~FRJ;m zfH5^j)LE?k!NR?>#^eOIdZpNBCQz$t@Y2L+2S+_=!$n9+=7iAcfAsBLQrzJAzm|Gg zxc?o_`+t>eJtOP?*1Ko_zx1&LSZcsT_wC74xb+hjIL#`Xz$qDUm>?l3vdk#qiX!7_ zng5eMCfSfYHjU($Af7PG^Wuwp9RqFk3+5OpThUhw>POHm6o^LyS(_W94$~G2)+k^@ zC~%lesiVTQOzPJ}k&sP&R`bYNPd#+d_&aLL#Pp5_^I%jy3LZp&lfZ%TsVp9Zc8~gA z$=?vNPJad@@QbAyA|!Z&q9tuy4Z~MHk{#ugaHd#Jj1RA5)+{b_6l6%WTT7K4TRs}x z{Iy*;dOn}Xu@__(iI=I+7Tqf{1=W9|GbYrki%;+FW@hE+F3`+YiTvdc*Qbt{6h$xL z)Ss`KXHNY|)0R1HeAq3$fgC7cN|wj&sQ!y@)B{;8Z@U}G!pYg*Be2Y`ExRkn_pJvL z1T{$$?xu8^Hf?G*o>fmO<~hsJnSg;P!kDTVLA?HllQ{(APDQzeeoEp96;mz<*nlSF zCDPQUw)?qYOl|cKBz^;R!r8X)ji}jC;-76unoE)0MvA$SL*Xk8Fn8TF>u89I!3)m=3zfg8Tp z7qE;LUzk72!BK|m_=5BmdO^=>18%uz>+5b2<9M&dA0n?l^XoPcZE@2R3YdxLNSO8D zl_=rthwO{gM$`;1rg>eFT##aV6rw+Yg|i@=-w1uXeD!{)+4vy$m>}8G$K*{ahM(8D3!VLH;1c6Y_G1sY7K5Scl9>U0qDv{fxlLs z&MM@tYQlAoJ1kY8IE+^)Q>2967CT&6->#-TTvoehce8V4-|BX~o~|E_g%c7>wr*or zRN_~;U-TcP;tulVB~N=8nlJw8=1%Z%wrhq!v|-2D zUMzTxE}uwK7lkT|omn&|cWDTz+HY^iAh4H{^}0?{M?HIKkL^#Uwp664dq;n-TExAb zIfR}&Vc5|*;gQchIQtyq&V$3?v6X?>cC0?6aYQwzJ*nRU)~h9vX~=Q!x*p^o4;4PL z)5m&q`2tOoX5~z`M9q8o$D!Wclyfl|y3wJz z`^&JXxQEBc<_j2Jc-i5u1i2M0vvI&Li4O;LygXCKoKe7T`WBQFNQWU!We2$T=vZOC z`5_k5M{?_;w^73J8Z+DQ5XoY{acj{Dy9?ba93rKUc`HeITK;(v711MSGkLSU{f|m_ zAN1t51^lbI{WS#Q{g0wZSEv6(uoSCq+HSHV_`Ik|C+D33#cW?64@Xh&jlf}9V_{2l zL>bm2m|LPCCx`?T{V|UE^a?8?R!U`tRHZ|rb8o=zc$!GMHBOZNtdoq%=YWDxp;f> zOi8r8@viSs_l^1K;O*3yK3qILUYB4N7$n1WnKH={-L_GSiaNITMOr5U9nA<3v`J$` z>{o^FtI#$J6w*A|f{-wV3&U*?Kl&T-=lYfa6_fMy6Wpn`X^OEYABV_K{W9qGne3Gn zD7>AGFCvy#*jAdI`E?zh8Y9NHTr|4J?`ap7TINf1$bz=t#bXm+&{^3}bf0p+lf<+2 zL`U&5@XNfGo^MvO5f-p@Et(s(y0J~)RH-=ljwbf0L^37>k>XF^Gc6)iEOeB-mT)id zF=r_ah|qZGS@Lnb6tFe{6N+3qNm)ri$mT^cFrIll)TqEwIkA-nclhT@3AlO={~=Dk zNjb_WDL=Gy2Syg-<+DwnpsEPM%F+#($FIA8HoN73Q#3r3ri+_DUYnJf%aa@ zs5RaPPw&^(g$7vrpXf_(2i6Zqhlhm>#~qVIlB4C;e8((YJXk?qPMU%+ubgT6?q!$ zo6OZaN*X8QT;z<#OD{;$BC+)TYxtlM4e+K|T%}pqmMv||L;g)d%>3wMB9!z2fM8sI zBY1#&1bo?i@7YTaPgF+#eW$B?=&}tBmDe@5mKdZ=tYCsktNTX9`UO~0HI;yE(_7tD zoDErx+)NbAe0slmxcXxHWo3WAnV{C1vgHcaN3UMiAVuF0;AK06{n^$NBdBWK6PevF zYornWrbbTS4X)2^iL*#Xw_*zn* z7EC2~BnY{zp*9nhU&z_WVD5Jpcd+Dr43EGq3LdKG6PuDuk`mZwMxxiZUnw z;JYZW@qZWi1mPTis{hW`{T=^*<>mjHtSBNNEF(f|WBmV|MM?E`j82VwT#cMYR>l4f zTGbxr_6TS`0yLe!e&|t|ik7w}Ix#WOkjm%laVjx-fw=qVQ~PV^Xlv;JX8W_LY3gWd z=nuVKExS-JHxriwC0_I|l*ZvyG<{v? z%Vw?FBWr^(_O+mn&hi`ZSjKg_uTO{9mXASkpw_B_;rtPr@Y=a|WW zFJadB#mx^2BSGOW$DQEZnQn~@K~dJ=FBIe|igua;CL`Y8F`U&GJy_0dy@4@k1H|F_ zg6A#v5?<}ypo?j8TgXH}#XuN}F)qj~&*+bTS3FW2Z4VGb-SN(>|C~8eDC9t*@5Ir6 zqJF=!2)h76wmsn>pc5R2g|elcsRi=h;LqN;?T}rCyoY1St{tb&Gi||a=gQ_XuK3B0 zw64@vSmX5FxE|J~6z9V1#sUZ)3D{cgP1&^cHSMB>^T@AN;^E0qRv#ZXq}jHmnSKB> z3m5G7_~OWNqA)K1T72a3*xMEjsi5(4bhUA_KOxHVw7n)}ywf@bsgutOK!DIjtpjBJ zwa}M)W6R}BfwD-O4%~ca-mVM_NyjyMDs`-DUl7e*l3DNjjV?(S_6fJND&T)gSty%a zdE$yAgeQps8&F5pi>n}uH&!t)110q(yy2tbN%ul*8H;=Fk7ft53z9SkpaK54EFqLL zRK*)K{n8V8GusskwgNzo1{r!Yb9)U2_&9xE>|df9{obzbKJ?@Q`F?nLKkrC&~0+ifKh2_SGon4pet8+8FY$^`g^ z$$F@8!rw>EY)mYmGZj7P$O8y%I@}0ODyTisrJ?9`W=U5SSdz9_EPYG>h8a*9zyPfB z%U|@NDRg!e3>e(prhu<%gyOpM7 zlfq|`^tLwHJ89qRoNWmAHX(K3H?MXdI7scxmd8LS6P)J;v zT(lrKejfaJc9q)%#G~Z1PQ#XWFs`vj=w8Nh0?eH^j?7kK5UW~xF3}xJCW>;~Sb#ia zg3bm1o1{P9$6b#vl$uC1O98GRN!gicHAj|D<*b5W3{EWOS1Z%RJ$zqbI+P&ExoBvA z_1C@!4p1!1F*!A+t>jL!p5ET{PA|jb!7k$d)mx89A(y-~KL&^m)h{_g)IJ#)kan)q zW5`0mN!36Ba!9;95;%D{-yuF>y+%9q%=^UQL`o$HI+U0 z1dqk?S1wO^Q&%wq(8YJ<mM}>Y5 z6`$HJ=fjc!rfhQ53ckQfO@E6SSkuZdPfhzj!3S(7!No{%w>!vPSeSH_vRpUFN=MLB zOvQIV+AK3FL~+VUXS`P~nK7J@XL$*il5$EmVh#9;xv=~f2VvSeRHHtSbm%^N~%U+b#XQ9m_QJW!PkJ#irq8c)Jj zD$wN;gcMH~8>>j9y9}EKa%kwPP9V!^r8o~Sq9#3HdDzrIX3`+Vw)t0;EZ@|i^;z%=H#k^S7m1(CoPvt+SC5*#zdD@#& zETFDt}*P||^l-G@UdfVC+ zIlev1?1Su4IApbQMQ+rAkAuv(0u zo3`3hM0zjp(TNRn4?005K7A!rA6V6V(+WOShDV0#6fMxgR*HsoAy>T6k&e&q6)UQ= zAwUD4iVTjsbDx@*PzDWn?g2X^VQaXcAJIkQ(+zkV<)O8P2DW1kRP~ywdF-bGi4Toy zO04P@oYF@iULH%xU@hXsH7**jWx_#SFCY<=YZ+;) z3w>s8c3%<~$*c#MaBV{gM|;jqJHuW(vk zWepkGj5%AE|6o9Ja_Bpb&_MVatROWd6ApHh-_;DV+(JlJ@`jnOT=!ip)3z-JZ@-#e zZmP6y1r#pW~}?W ziTNqhrw~PuSe%>1Ka>KtH7w1~OD`6ntpd9R*vmU(rcNw~eIQ@B0s4YVME%2UX&HuF zpcW=$d3Nd)FMcQ**r>C`e(E?-3m?y~jj$Pi3g{p~A#a3@sF+nZpt|={5QxQxeceKo z)aG0~`jL>mWlfE;b8CNa=XSNSR-B^`KJygYixe&O=ZHkMqBV#P|!Qsqp>~uq7A(0OJ4aXk=jYQxa?YFL(B^ znugt`D7^1#ZF&{R5G*C5vi}aVVWYgMO>3VAWW@aPo#pT9Nnn%S_?{$zmur z@@bEK97hj_tLvJ#*+@R4Sq{BI6}~oeMvN(6EUKc*zT)5OtSAm>Qy`UkKHYqOrf4&U z)lDMkqDXzdoUl6n5FK@41$b8(r)!ZYchfaT3r=s0Hotep^ex?j1j;~(v6Ho8$Q@F~ zzu=`oKaugxyLfO_Fr9Nigq+cYoeaELhq(ttnG~qtZoUIFMehu>1+_=)?%D^Zya!d zM3YV3_-*oI^R2Bd^m588M?!tI(Q{VxtI0VI&M$92FAE&)4{z`L)!*+Ie0aUSZ`1E< z?Y-Slz8vU3x%iOaobVEJ2Zfsu$Q#D`MnVrWwA{@8{_nmO)vM=o8R)88arLWzg{dZy zYCu>al}1Y)jQ;lZYjA_B)(KUnr%^Bl%uSe935?39QR2S?;d&hPpTcU3tkeWakqwYk zoH*FbgjB@eHenWRIL?-_lywQ&w`?>7zlp$8IPm}F$Un~waqc5t%WR0exzDn^%Il6d;dBSlA>0Jo2|IoPKO9UpsU1#ssolr2k#?); zmBW~JEuDJ3HJ0Tvz4dL4_E*pmu@eboJf`J#lLA%B`K@IzkyC;D=zqalVr1Ak335r9_JLiQ}>1fTyXP=c)T#;^D4aZ$+^eg&}ZkwpGv_~9| za_w*v*humxh|>12c@CL-UGs^BRs$cUChi77zoyp=!QVM4IGL;O)0%IZ#nM)9TxIR* zP9cDGP@-U7B|%h5@~&y;Z6T6?4T-GM0l*Gz5traa&RC|i34UYTNq6roNLsQ^Lg z^HSE_23Mc%rOs|oyglT1cOxqpHZ{tV5`wt<$0gGZlh-5d{fcnCGC~FDnn$IJGsqzE z;MVC0iS|}>z!yysKd`J&^d1eAd!j9@H}J(w_T&|Qq$%->1K+$xa>Uv#x=d5R6V&xQ ziufOU)3zi{fv#YynHV9^KwrElCJ^W~uBm2+zGXy1zQ($E>@OK5zE}L@Z0jZ2Hu!Da zt|ovIUYU@YHf6J_PsavBVy9W#ex*18M@?~eL~1Uhc7dpgdem`Jpm7lW6Kf{e z-95Lsm4sN?cauuPWyo0+pEqU2T26s!Uf{atXZFIy}68p5ghJ+If}i0$*}9F~+5B1749PvH%+&Uy1(TcY_d`C$Hv zafPw8hNC+I>6bvn@100&0ra`vx13ukP(zi_SeXNMzcuI$Vjy#&1*@SaCb z4V=hsm8xBQsoACWqO0=ttM6|kCS0YcVFt?LxT2d?y|N4>nrF)jfGh6Y=Fax~j9j31 z3ey-1bmq`66jF!$vegRYq~9wTxyaQ(xz{&h^hN3BM1IKxzZco_WO~rTb>{Hb=#b2B z(A)76fQ?@Es5Z;hb@_s(37m z$bvCawQ9G*_Z3Apy-0=BM!2I@3L6K|YL7fi3>iyXEYxI!r)Hp!`z%`+UU?AP!jan> zcAbsn-s)Ii+d*=FUDrXAAXEjZWBKsiq*`;B)5YZD!iY#62CKFK?9132W&?NBkKgmw z@iek@Sk%-E47+>-(=$2>pf3DX715{JHc!@w&sSZ6QwOjTr(}YVZRXmwTGE}uSv-9GsrP_TN=!5kw( ztM7r@#!MOD@TWjD#S;XrRzq-aDV|O);k_jRx%t!^WZ~Z&riQXyRxe!ACW>c8Z~*|u zPMn%0cyT9_bFzEew?Fo?rFC<9-!FV#4|hLXOZo1;_FNx0-u90U*hx$sLMaZZQ7gw8e^I4Gp(Js^%Jilq4&c+eEz`=1KhQ(?%PlC6h*;NkgKi ztD%-wIaasMoc?;X?=jhBt0i!o*i<82R=B2-;<%!Sa&eTapIca6CU5 z`ngS|eq&ion66`wQ7m>uxJY8cf}Jh?G@KOMz_uKEV@Zpgjl8)l82>`7qS+zhi{X}C zOz4~q6lX>K0RKFRB*BH%)7{m(gPy`ihUsfEoTeN!}Biod$|l#D#XUz~#k`;_I1 zLzPq!0SO+dF6afLj0&FA^qE4Kh*HtqyZ&(@CpBxd>5bluB;BcAQI-}cWk7$i_NWbi z5PxV)S)(r7uMF)L_y&Ejd`_cc_^kBm!KU+)<0(TOFWKDbZg>v>nFaFNM&Y2HR~=C4 zF-e)5QKw#PJ8mxRtUOp=G)10LJZF)J7vku)i*Q)Is|7)9lNU#2dT^H#XdQ-`T)R7! z@Q@VKV%_IsL|w0WH55ZhElQxa#CZnBg}Td$zKwAnaBNT-v4{~}rU*Oa3*qk;b1+4@ zSam3!3X*}Oxq*H9cJ^P4!MB&(k~rH=18B31tsp9*Nj6DIMp5Sy(NFj=lYsbME3}+L zDp!@bYNda)c0+U8F4S~U&7MkZ&s3hE`mu}NruM|z+sN(#fL%on$t1E0P}S?8VooL^ zID~nu%V+p}d?%_8oHq=S6KxVJTHNlyiXM?KCMbWbkiQXNGwJ2Gbxtoz6_=*9jU@K% zK!|v9TLdbAjss`@J(^8q6X|Bi_MuAd!$n>1`cXRN??~CR8c#~Sw~uza zUp9qvdmC{dBYPWiR&(Wsz=Zb;UcaS-8yB5RFHf3E+c@Xf5|W-G-ILnog_n01&3p81 zDAf^yNe1W!ar_1LmSJnW<`(7KU<&RGVO;NDZFE42KX)9LHaz|#2n*+oRy`S=ZeRap z;r6=sjRF40ix&QKt@}Uo`2Qtx|7v^R{{LJJ|HxZ6v#i;q>nflNfwM(M555SRG3`nX zEr><|4e3u)jxsjcwBN46lGSC^CwG7Rn`0N(&cjy1`DOd>#Oo}Fw0kP~`a|cenR%-3 z)5~l>&--;EO3gJr$Al?5+B+YQ0G|F8wB)=;W>cu!QX?p_an7|e@;N{dilAobg=9%} z2uOjp0$^pkCNoY{M<6qS)V^|lglp#+3(BIrZ=;ag^!> zatLZ)mO-AM_>lm8Y%`C8?Ba+MY0h=JwcrWrpwU=Xqv_e($4; zWTiLXZ*{Mqo3~e)X4dQ-?O(~fJiK1z;YLf~3G+U4L0aH*^~CjmyRISL|7z-iN{Dt} zul3Vv^`V{a0$5mQ_N|_PLB~D-$Pi2L9w<=+c%xznQy;`JmnDZ<*VhB|OaycmVXevY znAfmNndgxQCxT@RfURPc`-|m~e9=wkRCg6|CSgbS{xaQqRIwKcqDRJ9&EJa(RkQgi ziV2@-B#B>@ri4LQW?pKyQ-pwF3sf?6>jD2twB*Ah-R4v*s`t6zJVa+k6=3Kc9G|GN zGx1I)-R=;=M5N3_LlP~zPN1P_hU#PrR;^ta>Xi@lI&u}gJc^daEb+}o=$4>>of&&v zbQZPu2dCniYf76vvaVAiVKY67MLwcOB^jpA`FvYN4ll}&Pmqe%lhK2?yh#%lyhBC` zXt6kA>VfB<15qc5FHTot21*GbP^p0VtPAXcdcYx7h*1zZO1yV`a*F=OYb;z_$EsjC zlqxf-78l6Do?s(mNu-+)U+%fYs&TiOR4Lwr1F}Xr@T~QUmmGNl8l$ruk+2$egI-r$ zSQ4Y1f{22?TiQ=E_+DQfHD#S*ek4lg_X9M#w6f?Z8?1_^umv>QXsmDDtiC*Ujcggt zqqTh!o;*S9JM;$@OGmg#%r2Arby+opLQ}R5)a>7!OlD*B+oTAQ!%e_h5$ynUMyLHTraIr0>{oZx)@zQ?mT;=k|IV1SR zwTcmO*xJd5D5-1yb=*!an^G%^bFK<-3hR*TN%Un>Gv}A;0tpT4=9)*57yqF87LkL1 z)Zq0^9(=yoM7N8X_pT1_`MP_pQK~%h)TxtmF#xSCNti?o;h^O?9Q0FX6(1(77YPG( z6GP-E38y_ZV_G_V{LP`+$lx!PzTi!}uJUABuSpAJJ_awLd~=Ik&Fncvpct&j_$8<7){$^6~X~axz_mQ8Cew zm$82#MaxKu2}u2Ckw;b@{>HG|;YU6N>^w7C;p$uSrXSb+7(!~fvfS-YKUOh2J~&v3~9eT>0>jE?^{i!H0!DE+u7zH;>PBfH{T zWDn%qsFu1VEGVQUV*#%vwLEdfR1I72ekI}nHN9-wk!Z9a3F(<`v{T>(QeW|I__(TR zR&QUFWVwv`t`+ZNJJhOTO?i9SJL?cEK|4zJiRcCl~V z{3`2hV=CT+XsI{A+H}wfj=zfc#~gApWx|xTIJv)XI1~*y3>yG}?=ur>36IMa+2TRJ z)}hng>@39^RI?LHs*c+EnjH0=?b6K}&g>MMWv@x;TirY@37sR(o<`17VcX}@Aa*iK zRjk~p?KivD`y|D(#d>ndR2X%Eh*+Q}P++eQVs;o|suFn$RHb0&T{)@-Lu4?&UWg zzp9m>dP$`~Xj!MlDOC!7@g6}sS_n=Q#vCdj7g$vgXUe!C@RCH*l0EcHKx-4W8g`1| z^|v-j7M@B874%&{U+fX5K=NI~$Uwh$*8aOh5vI@>VeH8WRYGgvTl1%VGSE(Z`55bt@;=_$iQHhgLRZs8btXV444_;e2J9FB zGH_*l^D6}GwE|`|g;prVpEtG!L(HeP>SmR{$^5F4WNAuVM>D7uAsY>n$9i(_WM9Jo zduG-F&8~aIxQI%pfQ*}rkb;_24#2HV?Y7+qdDX@V@l|K-X@_>|{qbRJ0Sv+}_m&iH1a{9Q=b^7@F;-D?wZ4vMFo%zGz zuCPQ}WApd)TM3{dKG{U!O@P=@onB-9Er}c z`g5?q#-V|aUX8$kfD=(*Q7j=^A8QxpgUv+y)z;Nhg-OnbykiK`kltxq_ED{q(j7(V zYW{590!6}Z@#c4?=q$5moEGJzs%IPZ0Uz-XxJw~=OX1Jh#S)l1`(6O-BvNeXv{`2B z;RvP87TA1S9C+0p@Z(6-gH2IR)KUrhs06vRy|=TH^rQaX^`rDPWB5E5h_5B~(NM9i z@7ygu&`2TlOYU}==?BX9r z`VYIf)^jjv;@F{_e16V%$_Eulv>9$;=I6%ON``6@7PB^%#HTnJe)8K*@RUn(1qHMI z!jIy_ecR%h#c6*Tph|vB)pnP*<|hg2$Hj(n9i_l7)j;Cv93ZCZ@3&u|CMd* z2-}Nya5T6WWuLH3zn{eQk7uWP3YsAMm$MTBTNwu0_Wril{Q*tosudS zjH_@BKGVsAjv%1$MOaQIOKtO7JsOanK&g)vYN@?*meXL!ru@bNtY-;y9=%6{a>HV( zB*d{?4M2vtVfmm5jUlxc{`t3~gK2^+^;Bs_eykUU`q;!XK`8oh?K=T1z_$pgVgl0) zkqv&3-zJ#2jQ!#mW4|D3f5Tp#=wfytXsB!JgSkW7WaO-&xuoqZc!7?wY8Fb5oRe(b zGsl)i3(%tm^-NnLX*wG^P;{8$-x~B`wTp-L&F0o0XD#d zJ3x~Bae=0nR9+aWo$d>PY0 zVAA5+bjo&srI-`+Ah8$h@sORDQKz z&7rwxQnRc*W(^@;EN{2jpW2T3YWzKl0r+vmYmD&PvA_dHq|AB_q*u0SH$aY0G3zJ5 z#A_aX!&!%3%I1Yz9BowTEP}9OW461=!f>PZugddlid<&OqL6zr!WN70n;BG{R)ZoU z*BzJT)IZtrOpDUBqc1m{U5H_SQl(te%oK%QCzr^?(siNdbntnc@;qYMuq-7V zlMb9d8Krr5>aeA3Em!6yr^M|9Cw`e`8a2ByoulK;yx$By3@A0}*FA(nRa{VNmrz%k zs#YBpt%P+eO&Twgk_k*oDgmJD_o>74wCKZz;@-YIdzuos1x3ly=Xr{1raALNA6;^} zSGdygBK0v(!fo1ebB{o1g;-V2Y~u*9GvI8HhFGzy^!xwKh!FqFj93%YR#))DFZSX7 z`^Aj^n6w>T|D6y#{J$47ig}24EGK1K0G;*$Ei!))29~kyYV|dUMiF%jW4WU8CGq4x zDp!czNfX+A8bqV$HhSpf1{b&OrJF-x*B>%EL}Khvx)_4wf&t-2%E!n+LPqgDR-+#T zcjhchyOY)RC^wV)UQ4GdEm7r?A;T>PLV*V+N+WG78>a0+fU@&4m>~9ta*vQ`#J0w$ zob;A7oFjxRpa9#9PMtC(H0+HrD4l{eVB$RSf?W?(WTTYup}NtRp90`@R*otmgb}RZimohK|A@i>ij|U$?bFb$O*j@ zE_LGRl`Fl?q3$3z`t~qIC*DN2Ux26SkjVUK>5BZmNgVRB!vUexCIoRc`m)&B9Dp`o z`;lh^>x$68fKnyLI`T{y6z~DSfaps?!Q_d)L9JWn=-JEydcFCKUT3&`3XX|6ELedJC5+vRy!D4O6FH7b8WpT* zCK!_aWN#@^Cr74cQY5J`Y(2bH>Y2urgq3rX8#4hNnaVz@OdK0Ck~OwAa%snKZO?f>H-F>-_xt ziBXkeBUs=Cnk$(AC@aabt(db#NDJfn}}GX8hkz_;Cb&(^w9Ni$$?L}jsN>vL{S#zHSe zvz^wk-W9Kk_9?^|TPR%C#w${4WU;$?aJ!i=jQ*4V&laJ&`w4fd(}O{02Zl5V09|K1{fW>QqcwNxs=O zvfg8di)f{dN)2@4xU#EQJ>8iJ?|VB*DMccAofLNfX|?8o4ImexxYkHBvEW*)!*nw0 znK?H7i0wPu?KZ6rxi_nv+lFt@UQ(rsC0tF>!f(sVZcvUH^Kf`+<&(Wf zJZTTFOZGaPEH@YES_si*Gq`!t!yF^T)~j+Fr80!jGK7z>`rMdLQDZ3e;R@`e%V+A( zjt-qcgR~O(R2nPmPTI;~*H>llZ9b9PJQloe^s^E!x0yw8C&m}z*0)<4VYV9Be)-gv zKQyI11f+@Z+odiJyt`@lRIS5-XPL9rO5Rl{Mb?YNw5_8Tswo1W>=q~boz)8Df;~f> zOjdYeNz)>-bYm?zyZF`Bc;^-Z_V#lvvC}5lr~1`$7~5P+#y4aKkb|D8F{az*ZFa=H zx$%X;*GBFM@=^0RBMSH|pA4h~2C!Y0dzK~AG&>M z+Po1C3F@O#y=)A8Yb!rja?ov9t&!km8g`364dUMwEP)zB7lck?Z zWPX$YVkb;G)y##)FPcAuK~Zd3uOHyQ$Jr`nh$);O zsN(vwHvQkF!T*QUyExi88vN%(`-7{UFxmcj^`qO%DVKrkTARb_1#T%rt1u%UAn6|0?cdS*8G0DF4l33M0HrsVv-F?oEKmTSrZ1 zphG5gxO7LjQ;de-yjr?<;lc!3HEFr}Y)v?fg)kiy99MXEhF2aqLN( zZI;MDOyO@F(}CY$OZFQ&36$aiHW*@X+@#4Z$@BEsnf;*7wgF8QArRgn@9)hHS0PHZ z{IAS{tDXWw*c1(mL98-L__>GB+{Yqvptr#t)~>*^AYo8KeV?IJlw#a_6BxE-r#0`L zrwnOM4ylgm#cd9}G8D*74oS8L3&r9V;++cmDaeA7i^(T<^q#4r_-^JS#1Jyq+DaNL zCEUVQX3Tl`2qLZiuJiM$v2ZtU}oY z3I(l?kZTZ0)u9rV1tbita)lFw#^ew9xx4;y?N!w_)=i|<=K<)b+?mHn3q_uUyTavy zrxWVTQ32SVxKYRH{#d2Dx>EC|6vG*OzU)}Q2`P?~WBm)bSpe;s@D53HkQmZquio4Q zUPy=>`MC5>icD>Qfue$Ps8~Uo-8CRSV}^Sj>Oed5~)iZdZQd%fpz(8Lw&=&B$pKec}V>lIfMWghQb*- zKd8+5gPvk<)$C?geSK5KF%Ncxo0K7J+-m;(D_T=zmgN{1mDV{>Cr}Uh*-Ff?K1s}7 zQKW4*BFRzH_%FX1$}+z9pbXWFQii@|NK1dC_V!e}_VJOn&Z%^v*I`>T^+5APzFEh%v%@aa_DEznZL{ZqZ0HFd=RrX&6@-V~C=hPJGRW09dcPY4YU zxUu1|Y9(W=k&GzPkT|g$(ZhLQu}G7nMuJQuO#MT@G~d+7DiFs(aJx2&PFH$sm*MOM zd|m6F(-ph!=`gyEm=fI_wu};fXf}6=DDRa=wq&!h?#W6I`WI8@0JOgzg-h+)%Q7Nn zLT}l7Y+uygT>=C$jDMkGkokGk|)|aWbNFwAn8o;+rLN?YQB(JKgsOm!)S5D=v%&;Lr7$c?sGc5p==Oc z>gv^Z%itcPz_Daq1fhd}Z*ZMOfc^5*&#EXAL2`NCuMDP9L=9b9Q+g1o!PlQM{*XVwjWLEm>=Kcu<)}Dv$5Oq-TdnIc^0`MHG3HAzc+{Rt(<*>+>=D9+vXJUvaC+ah@qDzA`aTG)l_&&6(BnA#i+PJP@bkdLbUb zbU$wwJbE)*^PY!Bzk+p&0IZfGppe=QqA)jSf>;W4+4@Pqu^^^r7HxJ4p!byM-)`x0 zfrxdElJ|GtfF?9|q?U^hanZw1e1^-!FxzOz9RN(UD&qu!bkxQ|xt(&hKadrw5kCTcu~siF;zd z6^Z8+Mdi_4&RhO@pLZRXUhNfS<_BVJmM^e>A2S;t_9y=wGiE=9#{YxS)y3KFzZhMw z)V=;8C*Qld2P19bTPg`zEA2SqZy@3G0|3b9!o zLY*+f(L)3tqh24^0*qRGZ7F-#9Fsa3dV%6#T6^PcGoi*nCiZ;y^%3f1Juil9T(k-2pTUyn}zoHeeN zA|axj&ZQ7*Uj2qRaqeB8e+7sg3@#)8ig5yb#Uh_wUW-t$PEVm&zJ`vz9Xv!sN)*?K z^jXa=42rt-Y+Wy6j{tg#pRI%j#<%pjmmC2lOv+sETR;wW=wb?t1NPTQDPcJbh8{J} z^Pn4SDq!Cg8m|jnyDj9|bqnPJ48#pnP*!dielZhJH9#zCYIJyvP%qHb)^aelAxa2s zr*g#zQMGJrN|*~(8yC*E2D9sX128s!7udtu+Nx5_$o>>IqEduYo;d+dfd%}7J%%R& z>X2Y31y2&Qc8Mv?ST^MiKzfBgWn}JXm1Yi@H4%A2uPR_XvBw{r_UPoG?qZhYGZMg? z%euasw-}Vh%2jf*j6LQw5)zy)i7By->8>FD`eT0$J_Lt2R;Eo-Pmnjw>_0;7q8?Q? zWng|}X&6iv3A4j*1Tg|=+0>RuIGpzdocuQpYDAHCNAJfc_4hL=SEmnGVk zh&T7%S56k8Ri3|c#)ht79EsFB*JgkzEzy-wdn%JLWb~Hq%SYqyO2O975IqF9f7AlU zw}YHRte4ZYfN{^JgJdMrjL@l*U}Fc+;&glZy;!9_ZY9_#fmr`hV3=iz zL!@PwjX_!3t@7t0u8YMquaAG3^S+!>y%`GdUL?hYpf@MhXB8S!dOKaWgCn%7Qcny) zCtpGFaiUWI>m(~x0C2OX!&PqgoMB9`Trn2m6=C^YdG^dw2mAy@%Ekbjmf31boZrpv}A6(tyKuoMJLvxye&MxUB`*FF{_mTIS~L zNtvYgrb3}pcW;s{88mm{C;CfPvxAqr_(UIR=@FebPn7K8rVDP<*DrmTa?KGlW7 zMu8y*XmT8YI{-A~SziOF6&vBshpTUObxz+M#(ccH`p;Rk%ofYL4K+E9y$3s#rspO; zZeNGZP0`(oF5TJ9(RjzMmjx|7kGsk}tDQ)!EeDqyR25_ef(+T7gGV{(YOTvbH) zhA$+Jc}tTp+rZ0od_L#EB@)^Kgoawe-RX1%x>$0U5BoQCl3?Zx+~N!4UFPjEiH&El zuZQK$zS(49Q+=gG`3I7ALIDuNE?J+nbUHaxv9F0z)~7=HpWz>c85m3)8h$-|`~^**{W_?A7ct(CkF?n4zZ+Iye`j|jVJ3^E{*qT;TJ8zqR0Wpyx~4q z4^Fxw+wn;6 z1kfl&dZ37E_CS*WK=5}1!K*m}?1`yA->qu3_4G5iOX%X}GGunySAQC~35bpE>5f6rf3$O$?Id>QR*B}LMq3?k^A{Nq(m?SX= zUlQN=CK(~9&1j4S1(y`}yU5r9cbQ=o*pxJx03|$fw2E%S@#k)gl0yL{5YdGW1X&Lz zcHMgp^JCyNZh^=lT)5X#v-9HN$9zD6)w2>aON~`pw%mq=sxfX(6zZo{y>@4%UhKz3 z!S|&jQl)4YNCs*@*z?ColG&57xMK+;@sSXzmmYu{QiCObKTVP8YN zX+un!!?0?t$ECrf;MMt|Ovgyo2gMhDz4_-KF=_87Hty}iIJAbt`^u1;_zKi~2E!R1 z2s0!L9*g`fS<2C{jmc-tUp?d)=$3tnnD?-B?#S>q#U=|j3>NYN)nGNd_ur`+*Z=a> zm7jMN31?9`5Z4EE34JDC@(9z;97^-G2`}dW~n-Rn~ukIhYdZ zj9BMOS~J7;5Ivn6I(9^(H;;C`qa8RQ7z}gQ-X#IdQx7K4s8fuvTJT+Blgi6S1X2qY z4=wr4XQL{SDMS4baKCk5!ocK%0ftO0E*=m+%n>Xl&I&O>W{aHY00SpJ1cz(gC?~bN z9>^2C`tx4Z2UFBYz@^`OCdzKGAlfM9*A1qzu_;un6tS9cVfjVnoy9?=Qw@CKi2`l^ z-Pf2uSccBQfpmomR7H=GWj3v7GdbMB!}Q|yfDK1-sAnTyXqi~nU-wfQI)8h0X6?;- zlj*2=XpIt<__dTPv;{3-;FA>h_u*~+R-zPG30)bx#IOu;r0$!maq^bCb)Mro6G;81 z@*cmOzwNYSqx$#NE_K;(m)N_|vWqdsF>=Nlml8Ax*zrvDCdTf5(xyl}IZI7Or$vWr zzIrFQ1P(YQCDUSzvw{N6V8?(W`EQI(4R{;*Da&4%Yy08XYohCusR)nzYGoR8l7jg5 zmLuYUf}T{1c^xQx1eQPil=vnZuc#Z(TUd=V999j7%ey?!-*$1IZlw=DAKI1k067!i zOV}uRK+a+3M$C74&cUBob8fudb)~Ic9OYjhtWLX&;U6OJKxrUHwaaL?BYDSg`HShl zs&&A1;aiF~r1}?N3{;JcmGaq;zx;h__LH`q@N*GsicTYk!bx^Pc$zlRY)Y>PjlvrO zJ{({CEf3%15iPP3(fTrOma&>}YmE4ceg(TB9y2z8@nbqFMna=CC)D%P?4G)EdW9f6 z?jf8cVu-|F7N(YNW~tcJ8XA))&ZjbJkVCd}NP6jPO7R`(khj@k%3mV_8q-fkAp&Ss zS(9ZsYJD<-mQ>s{N4~{69xba7)GS4RrecDifFXB!;a*#US`3u)0xi#3^NvX=IH?&} zx`+y0%Wd!DeP4fHDD=V^22xH{?=?bwH)3@Cv zG54mg#GZuR$(j;dOuG9GdQzKqnDplC%-lFLB3AhJ_)`D$Y^})|PBAPNjYGJff+w~g z8H}v6UOzhHWhP-swB_^V)cJC0(fO`ay8W)3z-WU!V79})$W>v$PoR2877M#Wa&Rl>GO`60#V^74|eV|jvZXE`aPty-aNTI{{`kMupr zBd~Y7<(k`9`a9To{ZKXCAW|XpqCssJF$X$bP@Ma&x43P|H7=r{nq4$9+v9`ECJ(VOLE%g}%4;^LMHM?O_GMLa2lWIej{!w)e-jdk z@Ev5saaH2D^)Rh-?ELmY)+y8!CIZ^oh;Fn-br*E--nn|_e7Ih;Jz0NYb&S*xU@ra>y}FTi<0Bzp# zqp++{XsO*1dL69daW`1O!~m^ytJ*h9J&=T%!-W)9#4iaD?V;iTrVRB+wth&nH{6~& zFmT~qd-R^Ts6gVm7V&w3#YF%VVz3Vj`T0c1lpi&{M$!Z}^yhS0CN(b>hKkzR<{3$O zR<=Xc>vAOg!7<@Zy#P;9#2!z8XeP*1fA3&zne~nj%jwy1anKvb!!Ef^v-9iGyXM)>jHOo!?=xJHP9x*XiB~aRSGbQ+$wN?K03oE|U5kKcj|JdjuPDQy@jh-#gQh zs?}F0?-?}%($^CnNsi)6RjQH-Fq+09){7zbp`q|Hf7^Lr87_UrP~~M(Fmaq$3B#Eq z*}<7C$8MXUz$Q`1Bf_J&BrB`&OU$q?3#bZR??1+km{ip?e(J@ z){P3?a?d)rgvq z--p(I27J>iMhj7A0xvEl8nJU?C6AlcXonQ*$+ZEf4KEz(s>)}D!(=_+TR761;e?w$ zm-mWB-;cy&6aO9BN`5=3IA{DTiE@q#E-4Q9jJ%+L?v2r>ro+Vl^x&dpy*?-jRhP~A zUORWJy)&rrYl`{xb_eT@rr74WVOo3@SW3oUqDlVw3gt|iTp^cm8RcG2(^gvT{+4@j zzQ8z8-S`MLmJ~%9>q-oQpm77+;a3BY(8qm+nD?4lSHdkoC^XdKV`0aLP@mI*e>f7^#_s#A0 zc7T9~t)1f=c2UVs)%1 zpMPTHS|2(!W)$@tag329osz!>ok*T&p8*PkpW|g8mrarcr(1fXnCqWfedt(_fm%Wy zd^a2c!@E4DhtMJ-$s!R*@z!aIjA#+`XqZ6zN`x90@fS(PV0S_kbb<2ST&!PKo^Juj z!dhX1vCabGWAI~xhs!FwQy;SHpGK4P&6k*SVR(6=x#cJ$u789kj0^!7>0Vh=V{os5 z!3^zmo-JO2MfqzDLTrF&3inc*&oKvPr~H}m?HZC8WFz}~k@s{PX~W$50t4%zknp$? zs32b96*xn}yB)^6=n%TFp!291ZI!tU)Hb(!W2ROJuajU)ZTnd!<6|fYs0kwjACK-BRNT4N!KbvEppT7C z4T|Bh%dSzo!Ubx6ZuT9T{a1FkMZ+$^2q5W2SM(M0T$T18bTV>ba7Uclmkdq=%x&dC zHQ?N5?{g>Hh5dPk1?CNg!Bdq5Ei(C@<*XF&U~F^yD=0@`S;%U(HN}hxXx|8^Z_80j z@Y)_N-eX(JO6=azt-&9vFY-}63k>@9iDE?TQV7{%@$I2S=XoDy-+YNG5c1&CG}#Oa zG8mX|ZCUX$`m@)?g=RR58un?cn!&-%Uj|M~)}z_~ynI}oMSaaDv_Lyr-umS`8%q>| zGm&0#V>mF22`ZT}D{qYDS_}(=OqZ(YuYylUV!W_MY=ISc6w1N}#wrTN--w#1N5;P9 zm&jTbO~7n46E5>|AfhdaRt9~VG@r(?yvLG(#(M61Gx3WN<*{$Z6SFsGnmp3o--MpS@Z&y?+4A?jI2PhKiqWW) zJ+KZXW4UNV5yp?u=PmmwZ~1z{qZc3`qsZ?Q1GP3MAclxP`DDZ zMY6==ud-a;5PqC(J3V*nzA1?mlM#Ai%uhT#Om99RZf!(;8-c0T1;jiSGE%TH|AVPJ zQi7BCkH)M^U~dQgSE;Ze{V)#6U1a+AGndl~JO`s4XraZSsoyNWLNVN47@nhLzl}$) zmoRjg94lv~+K2uHgK1gvbAVOG=8qYQT(^ed2Nr(S_kWcW5|yrGo`2Ik6t@3;q&Pbm z|9`s)*P5P=n=FVwy178b>uWc`1=mF0ZH1CJn$lk4*tu0&iz4KqBm~fC5qgkf4G*t3 ztJ_0e0njvVknVsV3U@49lNo71wfd6$!rR41KZ=Kxa^upm-VSa*;EfUb3^X^73`6^#6NMgj9bNY^)zU)8qn@|AVYP5SpFQTl$3abNbF*+@V`M`| zYh_|$Jz_rWhYP)Dx1sdT*`f$}B#nm_?dh_|@3`_S$E{+TgUc`oeB?czyPX-1qE~a#b(#Cv{4mN)8=kZeEf-%j8KTzhzrwyN%5D^w4 zVCfPt3aO*9XJ$u|nPOxh0;()`WlgB(ASPX=^^b-?oF+kdk}XcGHV~3gp=Zp|M8VoU zQWv>J?^#rMx!XD1HTgPufqZb`erqfmAFg{$SV=WBncFX+AI0IuzeTMmVb(cKg+FN2 zJr0aHW0vfB(T|0fB#cv1t5J`gFd{-F96P~m1a$7hoJ*hvOUx-!kaG3N76gT`BQWJQ zh7H)Ih)_Wz0o@dg1%=}uVr#XRL^?OkukAZ$>LwcKcMPe!hBTZ%g>H`2n9d8yX`-df zhaPZmPzWudbO7$lm_6bqyHP9ISYAEQ>F+fkMFsp!ShiLgI>e6~PzZwMH&M55lhThayOBUjj;EaxH33DG z0d+)>>SFtj!dsqQ8(K&1ZqvN8{CSTIxQF^x7z2STC_#+xDwb`vNNKwQDyY5yKkaRN zZer@DWZR?s-Nea0>LqNmh;yXTw^EkjSY5V{v8=ycL-A`6OA+`3l^mbHq#+4P&z-B? zmx_thXEs_*gKY`2qEFT9uha~@)E@}z~=i}BG~1Xu9sX4;%4Pv-pk`pW0@`g8C4O5-!Xi%REi z9L!yUI6qZNOsb8q(GM0vA&D8E0be$mez{bz!nO>6q`X1*F)Q}3=odEohplLgCO|;^ zgN(7jIDpf*T?YTnCe)q9CdErY*eJ3kr>U)JDenFWWL-p}8I%9O0O$>apEfcm@?2z= z3E&nD8ea4e>&GiSX1B8L%;v6tsO@8-D;s5o_`$GIuA5;4_$tGwbjo4OtpdGbIs1u|b|aPOTs{JLzw4Tl_Jg(wOccCnrTToJCKXn7 zzU9n-2lFnp#0N?PKf6@ye^TI%MZ-w|bPWS0FvOO%Hs$MtRhEGD_iE)Hm=ln8$}xnv z_3B#0c0)~2Je?6q<-3rwiImC`12lfbZ2(eGTUY>+1ISys;bcKL0l(0bMQj(u68vV! z+~a_(MKU3vI_|VA!|L%_f&v|c98YlWB!_N{u@>;bDdZCZ+@tvU<+%I{aLo9zN+WGa1OczvwWcrJ|p?W+k_H^GLdHgq7c&H%gR4rQp!y;QPHRr z27{^CEjL}>1>}3`>ZYFMLkVWgF(`5Eo6slB)l)&ODL77mN6joZiriaKXsPiG1|aV( zHyD#)rhsBU={|;jJw@eh4SBfj@0%C~TBr5jRkdQGRVEF~9zSE!Yc*bTn5jj?5KFa~ z8Sd8#RpHx&A1$RLitJz(4fg)fS6NbAy3F0ATx@8IYHRTQv0nDusa{?MdsDHj6?4d~ zd;zZF6_9acfg^6-L18O})NSgepL6r>Lu}@^Rs6F-7Shda^v4;d7mqEP=&}t?S;fu$ zjs*Sj=dHt+CFpj4Z&lCjv%z=8GsvH{)Ys3307oHRw;Z3sgREgVh@U><{dJAyr12)0 z?FQChKKCyDv^|F3Xp*|QL!tH645c{@<;RTWDK19G_DkJp^&v};;iBx>*NZp(?0IKNz{Zrn~?`;$Vvc5ZHk@9 zwTxaVNAn1qhaLrqiNww_x$RZzf@Fi|t@Drv3syGJ^eeFNJ8xdCD1CX=ajRUg2PoFP zLyG_`K*WsP;sDovjv_2FS6RPgF-sy91FekbNsG2{@UlrvGNpHkWT5BKjj_h;(f@hx z?eL(fU`C4HU#VRsRxlo4J((bTR~~jOm>N!M!VO*N)^DK91kNcbR>Zt9z6?Z{rj|*M zFp7GG0+l<6!Gs)~hAh2ou{;SmIfsR-pi+fD`Jlf*O=hyn?IC@>^7Jdw7pIGj2eXH8 zMyC6Y1sZ_LL@r8t@a6Rcd}&M7D<$)vrWq1ag*Rk9T0+c~05h!SP->0}+EE)Rwu_;w zI4B;& zyU%*4Zac+s5R{sxzZMq!YWXld67Usj^zRxo7|1d( z*AXhJ%VgboKwH1~egOBi$_uMtl@@dw*DbaHrF><&)AD=oKPO_(vH!WZJOXS5N#foM zxnV!3o|7b?@v=rO^^0;{-{(M)XS;Z5B>{A_x>#vgmPA%^Py*a-bGJnxGmTb)A19BT zbHC^##cW1bkbVX7`{oHOdU#V<2H1q2(~$w`kXng$GGn=}z$^j=62b7h`Og@@+UBJw z6#H$A9}eVnH_3Yj#O`*ga+R@FVb$9Q14(5dnl76ifqDP>-RSIO$NOrXWA0#5rDy<) z(=VDfs?cyP_1Yhr)#Q0rFEl76(T1!Gge4jjnztkEA_$3#Bf%Jz^~}&UEq~k&BfUrE zUZgV7`yxw43{L!{Ldi`Ox+6GqEnfUSfoKYSJtb0b8S0dndzj$ObnCT-Vnmn&8T}u& zZGF#fxINaGcYOeJKMMk{DM@!8mMaQP;Ep_PO=maPakeSZZ?#u_?pssS)oJaRvCLU< z=~U+h_j@+8sbaIP1yN3<-`LF4pOxy(&rMgBq znPO;~RawT8NNrlkkSJ(2wCk8opy#E_A6e}~`B>(hT5r$muLobE*d{!f)~xuBmV&UmkgivJH9-=?W-c|GjI&JM?Bb= z0%fbrd(NtUfR%0sMqBDg^52k*QV5W@x7P_QK!6}$Yw+pHh)dxC5Ee@6DQZjIK!Hud zk<|wGF8N+#^=DB9vj>{$MpkV3EfKi@>kSa&E!D+sn;43WY&_z>j8o2dFTC5a8**@i=mOh9Bwv=?r`!eh24meIkQt3 z!z>?Mqmyn|nr{U6c}>@d|LLZ5a^ySoKfIK26{nB>RsB~5-uJi@ahS9c@&fjTp#aMV z0GWrKWC|OwU?(BJivA^Goa)V0

    4Wkg<$46bKfc5YB+pAMd|*|I?np92>u=*4ZC z+m?6|X_{EffDtX8Jk$(3YCoC(dq=$hFby*juE7!vM}~<=&*|r?pww)>GG!_jJ+dnoeoZ=%u2?z6=RUTe0S#~GEwR7MC0x%ba4lR z1stP?c#F@53T=BiaNtEcLwNAJEcFDY;U^qTPHC~zaydC8mJdBLg7gl4pfH+x&PYx0xUSKw2{3G`xiN=3E&%;(nIf3c>3q3j4- zf4#7mzwD*|dm?GzY-95uK)Y>qYeyvZ|AQPS2&zSFtjF1e)ap9j1VR*u097Em;zzKN z$cg7}#E9+s8=c*E(yQC5W5N{kFtDT0>P#axQm9h7Oe@Q)fXj1+%5WQ#ST)%Q8gE~C ze@F19nowdiB|f&0Bx>X(uEutVgMma05lL8JAS1(@m5>!m7&}I&|GwNvI7u`9or(1C z@wF^4!=WaEE72%(iY;)r0YZ@G7!?6OmlkOpa@H~4^|3=18YR+8jDaB0ssAB6;B(N^ zB;xMaVO@NPSN@$&o;LD6Zb)MKxNb9>go0)yTW+djxu~WY`{}SK&?^3jF!Nq2URN!r z&VGW}ebkpSAxl({^6Ba;lNAqmP3Z1o?=XyK9p|y7(5@7xfmC+GlM1^pc1OqapIcog zRxYwwBRm_5BrVw_Y2 zl~Oo>ZhUjVhWxDK4Du?E>Zd?Eo0O0YDwQ;02&NOjjwH*m;9N#Yd|Exx-wOeMss3hG z*w7%bvjP`%!@5TD+q_6;Hx3gpk0iwRePthd-xsN|v)1d>P|tCf+sWb3x0{DU(*%|R zDKNt*AAs}vbwXXNAx%f2%uKE*(EMp!;@(7j6v-TLg2XOi{)KcVi)XAm=i!g(+Geyt z7e_|FFHtHO;rMbnqeMLwvM3{Oi%Y2Fz*Ym?oJ6Alb#a}0$pk(^2T;Si8zggIz)lM! z^0&{w9IU|cmM3yw41P_-kA-AnNkVaT5o7FdiQ~oO0Wu@WIyYImE}s~q9@b~ugPm6vm zm9#lQ(4bMBq7jn<4Pq^H}ZH! zG^bjjAY8bH&;8h$R{fJZVLYIp*_8zPj(7RtiZ80>EJ_nk(OF4yRDundz_NC91+&5> z08*Q!b$1@kqqns;qi+8Zte*1cg-uHDuy(kl|&PwSgsv4zpKk7Nade`L)J zBM$nNNPaK*NzGC{i+s{=VT7F)4 z#pb~M`8=6pW_#_Dj@ix0%Fs`dJ&xN8q6XS%87qx?IJ=)ou~B4%{X_G<)wdMy2;d$w zhkiEJ?wo}aG|+qaQrdK!0?QoJo(|h%_CP9u8wIglGng`Nv8_#?yv-C=>e)pd{&5VV zmY1OilTM^gXh>!Pfh;6hoEoh#>vAa3TIT9SLZwqyAy^Mt(ErmRdfeFS70J;iR+R9w zOHIK_{*TnP{B|De`F0VDOQ6biWTDq5b?(n6rwbGv2v@XNnRXCZaon1a)FXYr05=4# zk7lA>=T-9$BS9B!07COV7?-=M}>_9-+8e-)~zo*KLBu= z@0>M0BD`N87mQx>sILpft?L#S0fS2mW$QqpnwP}Y5KxmK`Nv(7ExLm5fDuT^HY_# z*f=_ulpW(CMH{$86H-esZ9q%C!74uUswQGoT!6g<iDJ4RDm z^^cQ6gg%O{!1{ggfFZ17uEo;Z(W4bzm7{SWayw^D`jfsio6bfyb?d1IYz6XzHL2t| zU}Vk)oRSdBJyeF7MUu<{Lu2qcD4AJ~?BRiV>A&pYPM7fu^} zn`37eK@qbN8hLm`F6jnG@lajzcLCla7_+`O7mn(4AUaf3eog67HCgKDFXKyfQQBK8Cf_)N8Yaw5qZ?7C{*w6gldVN5G0%#zmeb4y zPV@!DGHUb=7n6ymcJ^67FVdiI=>?BJ0?Q$wbADk?Vpt#jhp| zcyw6?Hb`UkLR)QArudJu`60+4tbT-%&Jlg&H3tkju5G?RkNEG!HW%iV9zw_RotZxo z)vC(&5A0suT3=MUscqLHc_}!{kqMRBvfV_`{vP;yd6i9;ecLo`J|I4J2y;~PoOWLA zu8$8RhZrcL;We1i4FNm~W9D!;DNPzQ{_!L~B#f^T zo{C1y8mS9XgbrF^>`nmYJYO>F**!;-(XugiSx|EOtzB;W{dVchdN$fQE4r7M1 zlI0@F)@q%!GBHvL^}3-5yQh!uePO*^)4GdftL6|=t)&qupc*it2Z3@%EOZG`3&6hm^y*zV*`WeGnIakK`thlFnatd zSYi&attXab0Qh*a9zG6sYaJ1Kd3`_ZejM#Q-VQ!Hb$fDso;L4WZ@-_U3_?NTj2?>UoDu-Dz(Jnu-j6h6YDRq`wWHJeOWxfMo{Rn7$+a zSz%5|V(64MnXtJLhHN`mq|A4%5trpx6)*SC6V*=51EQm`|fVzt05W;)sw><({|WH8P#jD{8X>9>lqA4Tsgm7U?lnXxgV z;EO+5KPXyBbAUbKb%&&nY~+S4$V14aAqZORume~@Xe)kYi1eobtSkCwrYwSNLRW~G z;yw;4#jfHXMChv=dmu-&9iVjQHKCv(d8m}a6{vq4H1TPA*1(kr0W{x`<|VjcwzSbD zDoK_Ntp!=EVPjS6?hiTU5ME-SuAgkI=F2v0u+?${R7gxF1Q~79j3p=CvsKpgenC!l zUah)K>e#3^0LSsY0lh;5Z@`5Ge^tcd!g0fJvlXG34c9r2`FLC6Y~PLgs`>nx)xE{t z1;xxSRr`DO(HaE}NuSKbAhyR2_60Z|u1WySk9D>>WZMxFNf`)~f>E^QT#Mv^u@0fGa4}&b1`J=rc#(z$3q2 zgleJj!Bf5*iB-$Qr;c^6hTCRfbU#IDl$urj1mvDvcI%nO1y%N6Rf{`xxeSf^rW zWrRPiqTUqpF$a=-<#v&9y+NN*%Iv7X=a-V9%(t@uBE`QpqweS~%cjffQ#-nCL3i@d zdvfsep!KN={bopg)LxBsNOJkpDs2oB-S_lWOmS-2qN_T*ANl0Gwfx+-sWsQC`p|*f zJ-&REEst3_AGhf4V@h(+0feDjc452smB6xR#YSZN9tl* z`m_?4Lli0W;xHrqbBRUMS)k51&iQ(qNoo_=Pxv^q@%Qm(T^`%~3uiH{cjk~E-W(~} zKjphLex1&(G&gvCpr)<_7mHf`T8m7&RlQ;6yAzKsx@HvQjeWA*8=pafDHWG~;Ad(1hsGUB{=-OnIDSaF#S!&Va^2oP z^`>IEd2p}rOtOQ4z^T)Kk(@sjm~z%8D6xJpA3lw6=Hupbhq*4d{3<3jGI=TiXGKP# zb%G}075p%~Xpp$|{KNN_L*+WsF6yX*@lfHj?}LYjD)LfsZ09L`MVCK06>c5Jw{5#^ z8tqCKVjCdesU?>rv)6o%MqgKA7x)I;WL4Q^sjv zCGjyKp4SmK_*SCd+Bnu`aW*N|;v>l*R;9ZcCoj6h3Bgz-it|Ns)0s}(K3mVP?=#9# z-kU=9FM7BV!CE4Fw`sQ>2Bu5gp?Z-O0=Aa#TS<-@d)VFu@Uh^>@V>ovBT@&80&uSH z0hDoB)2B<2qK^8iZ+5X)<=3|74%E#(M^|$a&Qj`<*0>`ral2s6gtbE;R~ zj)Z`{$4m<)KJto{g>bJigJRknRTqvxvvy-cQP)xFBw`dcP>!$4(W4~dbZH;_@zCnk z8wN^s{t=Y$1;KbuA_}4Ef1Igv0#S~2FpoQs>T*UNKS41CanLzQ3lcpfS$nxjv2wb0 z|EnO7w1;pY`#a&E(Em4@xS^G;v(f+WuJr%qLe`_SLptI6+pV@s&bo^FFTfz9iBqd&tUmQbVal{Ne08gW7C3kFOS}8$GZ-fQ@@hSS~I?s{?o-wYM?#f8iD zUiWgolWc2uc6E&ZZ1Q{;hy$~ko_smWe_m#8vjy-#78WU8+!}Co|6BWMHj!n5w#zj^ zQ~DRb7#VP(X$O-`DUjEEXEyekC8JVj!s`MYFn5Gu?|v>*s@NB!9+TJ-Zb-$3VL+uy zG)1vO*c3Ts+~|A?JXJAMl5)C?1AD-8txYiKgb2dRuU7Z8q*)jG1Pb5on|+Kva$bmg z;}^us&&;TCvnu6ACGFpJsF+6(t%)c!5Mbv9&2v@3)z2LFDxmd{R0BL{C%QL^96)AN zAM}m8#jwuOp+Hh<4nyG|lFxqt=?0N8M1;W1N#YA{DLazP)6uskwAV(vd~_9K(!@uG ze}ecm9QDWihOn3%sleLyACp0k9(F*fW+2-z_+SQ5MP(lK>qnt-SZRn z_^^MTA-Ur_^b_e$U703fcv5JWQAvgV5Mii`@F72eI17{5Je67FaOxS2c?F-iU@#od z-l)yZFoOI@xAKZDMQkN^);|K@as1KYq58m}Tzh74Vuw37(7>SHMb--C!Pwq1S&Fdy zC-eeWAcR{0;l5+a68Y18gygg0sCh%7uGP1RcWpM3f7Hde++YuJx&`81iaG58$6G&z z^as(R=54>4{7*RlD$bj4AED4Q?n3=?cYXza?ptHla=xK&F*{#O0p zv(ni@GojEcjk*0Y`PX=q#D+Lzn1uL9#0E~J{!b?KzglPhJE`~U}ZUYLs z7s!3A&%;qC)lfVuOqmyPJX7HDWg|hz_Ds)_Cq;MLNN%OVs1_+q?%X3ZY`qgk3KpF2 zu!3)e;#MixXh!;24)L@VBZIQCWg~{2#xJ@ zA&+>_giyv$Pa;d1!R4TZvNe?JeG1RtTSGCp;DR$>Gbb$LL z;Jdz71UU0R)`U02jkJt=;s3d95`xpgZ=nk2z*0xWG=ku=_tTRzaY>NJB{ag3phO(A z(isSzGW~6)WIb~dd+~)CQ}d!wt9F!Q30hV!5Gy|#R)2(Scu1F=ssYlQ$Q$)6&&ich z20Qj_Zoj)%g6z3AzD%cQU+S3ZKJn`v_Z>*`x7ux-M1(jmJ?hszv|}QNMwq>ZJ1@#^ zUzgD*3aVpXn%0&9zhf;>rCvg(=^uVhE>wy6q)+q^F9|m`DTSNgV{8sF7T$^~I8o2G z1}nu_1)RF~@iw}}ESk!B1jU{@AA|ZWF+GzwZ$&XSIw~=nl@_;bQDEsMr?dPm(2kq9 zd${_@JDI{aMxKZK67x!=Q4ab1F9!Y|#r2ZKZymfB^?xHi{Lg6qPqo>!+K=M~3-V8P z?}4=bToq%;)k^0=y|%zYvSgy2zt&>P3aJ&~MwB!)JGuFL@9p?*Ty(yX`t1px0M$9S z_l~OfQ8(U{9LPzUC&_~i-xNhMHyh0H6x@d05p6lRcT1D$6_^i}XsuGf^?Uvyq@5Qe zZenlY7_sJSfF!S4i$2M*K$EoN#4!~%tCg>fi~PZ>m!5*>45ooe!BBW%N^3rN>35cg zB6?7N0>@GzME=M70o1BysOq4q%59rtbNC?hGvWVB#d~fdsCf51UK-pTxOF;+J_ePh&U< zEl3VyYrZd)hFIZWc^TC)^k9zss_{+|vyH7S7OY2r=Y(OKpH?ndE?TN+kDW&;?JZAl zeaE1#jBYPyF4xDB*VC!vj@7nzkIv`DH6Ek_xz(K!UXPL;(v7qizG^^WV4}G~KO~Po zUf)7++h}pHf6I>#pu-5476?2Y1{iMBo$)~OR`zW@Y&p+(xJ-J}Qqb`{JFtRvyf@$I|o!u9?o$Pzv;~;?5ZleF~K!C>- z=monTc$7p5)87qQ0=Trs1=jmOGZBo@a%iAybtbWPYero$W2{C~A0yDMLO)=kv_cW1 z!7_`CdTYSOufB67xTL(}I(xQgSE(rNXo_mK3ZJHVHQdod--0xvehw$>VdH*P6a z3Q2f{B7Vp22}9__wFdfFzrDEdc~*n`5#50oh!_!bSn6%YVmWI9A@zp1`2>ODWSPxAVs{tk|IK46oT}G*9aIvEz=<1vMWG77+8jivx7VI zBYvE)juOBHAAdCz##NXobtfq)(|mUapiXuxYg(2k1TAbjOMZm6kE>(_zRrNC9;C1f zi*QwoMMKh_(i)Ykmo1aUlm23}6$&))X`=3Kqr9B74K zh_$A=S#_;x?P_qBGJjtqp1`KiuBQ}JRAC1~sYj_m-SC6S{V0e^=Xhj-S=C?Ie$d8I z6G<%l4b!`nBj!l_WTmpmV4nu9&QJxQ7A%Zl6s!;6s-KXDDt#$rk#1Ol?@>seG{78D-l*YYAJdzrdwjETQ~G{ zF0=l~C#7dWvc#3(a8Z}{`k|b6x)@Shto(CZq^X&^s;jpOdUQT?^Qsu`mbyHzOxK_R z1k(-k@=^>`zT$8GfWMO@U&p8pghTn$7}$RMjPCa$a@@N?de}~=apWbE0__aLBM4j^ZmQni699Kc@s2$YX8b9C1sHKnCKOfOBYI>fbwPJg@tZkSi3D>rb8f*2MjKNY^*vVO zm>sFfce_$$E*h4Hp`!j#qv~cs)cmG=6)Xvl!|{(i&qc`ydWV1G#lA6Q#M-EeO5^|X zWsnyIfnL7?DW~$`s@&tw0Se7h> z23h$g*y>4INeZiJaqGd~ws9!P8=9olsTY!Skg}yoEZDx2Log4<`ijfZy!-pCR=78B z)0f$fe3h1EE-Y$&|3(r&eNsC;`u^7q6X34v(CIJSxd!%sO^pBJfazF8-S&_L-shz@ zjgA7lwH^ihEE3Hop2Vz`EDmg&YHqNaPqIn4O3Fi=qV>l!G?a?MJ_hwn@hdJ4d#2yE zCw=}~N5e9Crd=$(4M_Xhj+rA{JJ$k;8B%lKseSY_0sDl|4#%4r4Y3jD-I20=#T7R$EWEMHPK?lQW zzl4RpY~-jRpOh&h8G!^Arhh~9Xz0YW_+z>*+2G5m-qOfPe=ux0XMnzq`JD*!=e7l_nfS$TF0$-!7 z0o)?IEaA}1>qkFAfXqM-D71g zQi+IoCyVLK)CzZ1Ac_*>sU@n|f^vNwI^-oB+coTw$eF|+fuOB*6zYvS28(`AP9zE& z|6T?vX9#EY0Z@4h<^aqVVY+L^>hE;~4$)8zB!k7QL^nb&IS$lS4+?(PuBv&#)SN3G z({QqGDkxR{2oiflWYtHc`zlKOI5#7+(3x18Kr0HNEI1TGK?TYo+@ZUP}uf zv%a;Z)L)bdI13fzzo*P%oL5R~l+fX2#Oeq%kZj_U0l6<;29(#RF0Qs&r}2?!=uxKr!yfd#Z@CJ3ZVPDx@WDyUhOxa zwDhw2cGq6mNGiAgK79XM+Eif`hN0sWFO|2Oake?Fi1ei$c7adL9_}q zw4aGx&z&64l6x-_1_ogs(trPejf1TT+>mSTReW{zT(@w&|7>zyFR7@}eglu~!(U7pQkG+TnH^X(=X~wBMbR^G zh$AXg=?;EYmWO+!_p)4DH&xA0PicB*ALqwg!JuL_0=g04UvNvzAcUnO=fIS}KuQz8sZ}`uBCHt$?HULRCDBX{Zv)!gJPg{0M-s{n~#th zO}^1)@=Dqtn;Ul4k#7=(v3Pocc~Hi=x=5P?J2l^ZO~%AJkokK{RP&IYW{iyt zgeT|o7>51s5A0E;68>qYf3q&A?bNngS`~P-OQE{UU+#aP8%lhdM7^wZsEC}c)9P*l zc^EMMSS4kH0YiA@m*xj(*oRXpOKJmlK)U^IbB;_XE9v0xe{9yGD^txbV(S6^o9Px* zuDm$%8@}!1{cq?{Lt7hLv;RPcUaMOtZm=Q#qC@3CT7$a%LdSPha6GjvQsRtk6d;-P zElyd8Xkw}Runaw^F;1R(buXt=qV&gnI^Yuy}oHbpQrPktv@ia@2#t;=e#0`y5u%% z@42pX+Q9uc1!5P!ywEw5RjX@Zc8r#o{Ns>&F8mFvl7-K*UQTlU2zH&XPcdJz=%u;I^T#0 zToOV;p0E1_SJqP!C_@|{F`RAtRZ#}@A3?WwRl%A;Ex@1TEx=n>L(O~fTZrhd3Pvv1 zu4r&fol{#{J1(b4N!y4f;lFJY3h`kMSOl4feb{>WbAUMhEx;dJAfYnN|Iz1GoFpQ| zB_0DGWE_AaJPLxDXQwafO2b$>Cic2EAg60J;$D#hPurlhZK6KREa>u09q}> zu=fD1(U|Ka)`BZc5Rf`~v8HNIl)KpBCV+phrPF38>lp9@dWbHSg+2<%u`BUgb(`Ql z$-*Q1fgd3;ryUz4Rv0iaBf8iFhsgL&>=l+6)x}#p2#IBjj>40;;uA;}{s~EZ--?BE zJZlc1*K!#v7aqGyqu#rGb`u@QD@M8F>>xBM{2{|u;nqrs_MB@R6T2WO^L}}|98AT- z+c?uXJKW|IVQU0p0P2Do47(bBqMA?ucO2lGdi`_`>HQ=NIi5+4d(&PcmwIsw=>Wvc zyTQg0%rx#|AH<Gu6fSO*R06Rvm5_VfX zpnih&;r8LpiRm33jd5=o-TulDg4cHbtRDG@faFP%mHYkrCsJuWNXYewYR8kUFZD_& z=afwuQpU6dNG+g+69(5Beh>2l?b5!rW|#UPvXHErC(s}DT*BQ$MwMCtJW)jp=-Tn0 z!exZfQJvtx-9xZ38ZF%*+o|(v9+1?mEeOcu-yOs2y2v`TT*<4MVjx z51g&TANX=r?zQ8~&gLzaNZ7 zk~tQd)w1sZ2ac95ZY#48qvpjBH`&k;_W7 z$^S?+(aGAAzb6FKO;IxbJP2I{Si_a49*7O|oQBmDpZvGJMYCKSHs0aUYFKqVe&3Ef z=E~ACWL?m>Fa;N93dUI-uOlhL_tkSdHwra!c9**hvVx}m6S{TxoW@n1({_CD1npTOFb!^k?8 zYYTUjP07J%UF5^deX-T7yj9!R8+Dt^-0U`Dw^@PU)v=e<)*j{8;S%oyKv609D zf$Sa*#cV;Zsa5(SHD%cydP2(Z@$(PFn)$?d(>zNp+aMMtpKx@>{YbWjL?C|;ZGk8Q zIX2c5di2422~{J~E|HJxI%+W|&V6Zz^H_DOM!YD;7O`>k{UK&=i~1h{;4-t&r>Qs8(m5>60(eQd*xZvOW^ zdS>m4bWXnOlH#CX$vjD15ApWBI#MlAY|-XG-3n@lp{{ZN6@%GxXLZw`39EIJc@q^& zR2P>JRAv3O1biOgcIsFMb%C)T+$V0J3Pua{+2x=AvPNL}&7B7PCVo-Bi68m@2!Qzg zA8>Luv9`AO4?)hAx{cGu|0fY&%Q{~p0rP)gLRL!PlFM+Fj!WuH z1mymFx!#7118FHQolafBk8*BpZT-011lEGjQidv>B@Pu$B?y!x*q)K+1hY%Km@`LI7{Ha{Z@#BK1J&46*Pfnjmlo zV?+=iqoKFSvi@Rx5{2L;GOS^W0e0nK0*9P?8!T!I(yr_xl_hrWE1nH2oiOR(dvNKF zqBvIdCQIWHH=&4R0Pi_hwQlCnGYBz_4~;ba`a_}qKv)-fvi`Dd$_!$|3^BuMc(4Xj zDtvToov6EmoG9JDa4;ohUk%-uVu z5JyRh`=FeWVNcw-PXYOgH#<3i^*xfMo>v>gDNyMpUvj zunc29sm@-^K=in|I$VfiRBrfOQ-y*s#=8fKkL-=+!>5PxrEZ+jA$ob~mKh8-B>jAI zq@6keZHJvml!NHw_Vv+*h`1W{L`)|^N`$t&RtJT1*I7eroerXv>;{u?Gu*H_8BeB- zc$95#?0L!Mr;HYLq}4FdxEhO;gP%I)Cn?sJ$!OkaOxhyMwjkXQJX(I)mC+}L;lT;V zv*{I{m52PZ2g_yY9aKC=O>L@ZgUjXD#%Tlu+hs7}lPnZ;n(L(6qgMqQzB^uJtvonM zF8D2*n+o`Sx>qUI>vcl*W(KQOI6UZ)OQ-{^h$)#F-Pw~EI+WWEgBLZ=U3p2e8$@d*O)M-KS-4wgZ!FJp%NCuRv-!+ep* zLkT4RUcpMxp*qwT&TZBcsQ)cPvE#dD(VhIG5l2WB_UxZ<1d*>({A*EqlyC}&OF`BL zV_#ump8gs>|I>8?e&2&H)&+DFHfJ{0YOVVUP1PbbV9aC4&QSlukk3`$Hf_~92X^1c zLH;ESk!C_J4ac@en9^2k06ZhKE3qjUu<2m9v(EmIf}c1H_#ls1a}p9%>0&pa0yVXP z=M8;~#4c|6kkWMm-+Kq`Q{G!f(|iA-ff2jvdq@8TRd)ud!9COZ`+>n9$mAXP8Ex1`>Z*S-{G!9ZNQ=hl0rtV};9zU@#VO z)14Jt8<1f~_%Si5W~t&>bf(xN52ZO$QJqPpclNQn;F8El?1{ZI`qRjQj^Acr$oy`F zS|X2Rb1Ca{GU`P~TZj2*#MS}~ZQEb1WNoQrQYn?@vS`PqNAZR74e%J-PT~loU}a8! z@wtk0=NR?!kcsmI((kbo9%%$WUK{9V=!n@^NxF|p8pbt+?+EziZrr=7_eAXcWe0}6qd2vWSYJ&jqP1eT6(ga>FrN!quNhD~{>krjX znG0Q#c$;O50an2PR{mp}qZh~ffteb1b1FO}C$Ww=@2tdS+q}4MiZPz^IPc5xa7$p> z1O<5~Yl)d$rWhzkd2S~@9sWVVM!AlLu@6Lla9jfQ719dh!UEvpMjZYV?O`-*F}qP& z!}60((YP1n>oY$f!jpuIdi$L|XsM9n-KG<>>2%QHg^`|y5w_KOE^Y`Jq~v?f50@D( zmR_!1cB=M-UM zF8VN%8FZqNL}N--RtbL1S?yuduyslpvu9^ia z68qK108^po7F9c!cjTv)NrgFH`;f->;n6Y~5An6G{_v@V`v*D~7)&7Z1(h>8@#4Uc z4ah7y@GCR|LYr#Kdr?J*5U5*^dh_B!RR5^~m-qGVkj`w{xCXXQh%rJGNSf$_AZ2aJ zqq&P-6StI=G|2D5S-UW?Z|U$S8ycWNZsv1aP4t78E9$&25B{y`hnmUI8P zxTwIdz(h^}3I^KgR2zT#d=xmpJ+4G=UG;qrHIvut_W2=uKVE#kyO|w&p1FGJe47m= z2j8&Lc;Fcd)ciQv5EuYX4ysnLJH5c^E=zc#9H0MMJC-#H&`94ca1(lh78D=8^1k8ugWpL|{ZTLLo|4Zxh^J z=fjcnxJBd|H8UgszMKDkDEt$qFxrTQY`Y)=L`r~EJ)m(DEYaj2hmD63xgbIb+$yCx zJT(c)-jiK3DPHpwHa@xq>M?6}*;DM#oa`0#d6h51CGt~N=-1+uK+sU5s za~CJ(Q{t*(mmu#k7;M_RURxQS4Tth47c3BMtEI<9PN;jDQV-3Rmxe0ib6#Z&oQWEL zf_;h%Qp0E&+D7+XDo=UN5Zec(Q;Am@+BRA9c>zCBu>9x-pzQv(WNs;@kCKpk)jv|c z65wz6%683ky}qPMAVh@1nTML3Dw&j?j&R*tSx=&8{U+RZgpNb&X$cTxNOd8m?9w$fS3}dR7@B5HQs^Cz0GZDr=2UKd)I{_v#*5J)2g7GMxTi~A| zUyJS_ZvXm^^X7d4w0a4ASXtLDtz4J;NwtPh~?&SSLSoo(;uzo@MkaK*sTAM9N^dV;(^21-vd85o$Ia?IZK;!_Ylk z;-28&M0H)ZQ`pivVFayxjUX7%nO(fLHuZ+8GA+(<{4 zZWf<+@K9JTph)DS{woLm(PzD*>XLfB6rGpj+eDWRLO<6u%%dA;s zkJLtFTR~P4h+X`5=kpJ)7yaIr;qG341wX^qQ8JDik}%;6cD9~`-j~V}zTqHn+pfIU zaFuT&NpXulk~Wu~Wbu|B0bc&aV?VpweEyq4(|De33G3Xso6 z*0mMCrapsTebfK!)i82#{Jo@{|L;rc>i@XCC5iM&ICDd{b`f1-?Mf#Q_3X2WEVZNzb@VhbY`?0jSKxE1ZF7FIRdr|k<)CFs>OVLCFz0v{8%(Ts zU!*uR6tx~XJU~~lKgmf)UE1-FQs;ZSxjc-&qyKricUxO{9x315y-M#<>+5pI z=EKLaBdEN>wszUq4C>xPF%jKy#TWAw%vTx~vFQ^*92;2<;#kr4EBFwO;?XxduPT5k z>c&!5O**mf`4mY4s363`xrUD&`RJsx&|@EO?YNSKKSWm8O)a0ph%9H9XXTAlFU+5T z)z~~R=D>g*{fB+D0G>IUdOGrkvLpBcwQb1-;Qw;_=Cl~G1vb+Qgv;cgay<~Rl|h|7 zX2z33BJiC=38M5_COABGx;V)sv}k-JwYJOM+QUxepRdUK^irvnY7p-5lpe=q2CP zu`h#I|5$Jfz%Jw|F4={Ygj1lDh&lXw4~s&o7cnfkSVT&PK19p(1#|@vUSEX<7HwUW z1{roocb62Hk|kghR}V|5*dc022)3L9KM7?!&65AGHJ_x)UAc6Nckb|eiE1uZ6u1-6sqtJbvE~a7KG=@bOo^T zS`$y~dA*ay5(ZQ%czOn3MzJCqbLYtQ_@}SqkE`QPEV6KVN^Saz=pK^ry{M^(wh20K z&OGBYaAE`poO+NN?Y+y=z0Rv~_XKRwuJRVPp4yI8{1hOS!4?e3j#co~Mk*tuH1S+} zV@Wg>{MIwsgRlnopxKsPO5K_;BN91$-1W{=2mLO;Peai>w}x}J$SP-(P(HHZCbgT@ zrs^{bvQI_+zrhFF(TZ&|Df$byq>?VZnyPt|0n8-NX6UN0{}OBJO*i=J;Rj$7!`=RIf*QzxHT^gEloeVkB4#$_^-Q+fq2t~&?^ zAxN#Cf;I!rC+_ilxdl0FCb58>Go!7-|cy>ufe z7}*`>OD+X8Km&EouIj&A3ZB92B@oa60Mldu0EGW@(B|=JVg$up?diiORl-VL9Je#eZVt?*P%1}6-Dz&M4?A`3;>U$0FW5A8emHsr!$Pv8{ zNPQ2`wY}NGjHtdgVC-a`HEexkB;|X3Eg(^*=nkjL1P8VYGpnb|?@(>l0Es*f5{_Mv zEAXX;{S=t-qmEm8F&Jb086~u_(jR@+CIgw7I!6YG-db z_EX(@Da0Y=@cr8sUlkkRf;UQM_YUbgvD%hG-wgbesu7yq;gsh%9H8Y3xl)NHfj}x7 z)6H8sFyC1xTkB97gukkW0*hZ99P*&=DbsMSJPCaW0xUjpg)=Z|^VtT4%Eu8pGM zHM3dezfjY?<$tHWxOzGLZ<(p&sk6SrmkZ3eJlIz~b1?(X(S=qyMFJogVbE$}nH+b7 z(N~fI9)FLazQ5e|pu#vDKY)**$Zqkznz=kqyA~d2W_NvCO>g%RD8!3&ir0x-x~aQ4 z0iUDwue#j!UM-vXgaLW1HA=i7ksN=REW;O|67>f$jJ#Kd>_Fs+U?4RiuCFKl;Bpbv z7(cur&DBE!L36=@00pJd2)awwNdP{~e+(u1E3Q{L{C2Vw-{xvlYqOwZv{DxGB2aSl z2^tn2IynNkVYi)iZClQv_RBkLki&kuJ-*!H_TAL5Z@ zcTJRAC64&p1MxFagvQEEoJOYnR@LWo$dsYhk^hxjdGob=v#zz`kQwox;<_@)BliGM zgSldBq#P7DPjNoLP)5T#)XlYk)pMS7iAhw0X+wru)Oxdezdb9JEISgc4@HIM%aGjy z3+}r+J23rqynXS0JEeT1f))<$dU*@Vr?v<2E|{Wf8$&qKMkTf?`OUe?vHLrsA%&-> z9u`v#bL|z$p#2Mfg*tyo-IN8_Qk85?0m;ao1%Iu1$sPa3i%Qc! za}uyXTcfj_r5FKNYNiw*QnE7&+X2Tz2`nrq)81KVu)~ChefCHg#zG600FuUxKU?;w zG3^}v-F_mOpSX~E)`(XA(2DP@K9cGQ2{CMu+Z0=TM2;@Q9R~V)6@pp1jhC`M4Z@gV zh76M0DBx!caZ3rW7XeN$O~EywAVJ~fYCp82S=)a3(`NS-gS!o}^L>AS+2Zc04%B}| zG;$yLD7uq`4WG?Yf~Ew6e_m4&ARx#R{;-j!+tZBq@L&`C0vF?*+o5-{`@mB~P@aU* zjqavrvpoUbhnID@(_gM_3KC6Q8<&vLJMS88-__vJ3>vW_)VcWRs<&Ebqsv>IoZ*vP zy|Vgzx%xm?nVe54k4qoJ588!Q3}!EXv;~23dp#jF5cUwZldEIs;pOW3*YlaHmih7! zRGxO49J_f5RtQ`$B!_dJgYmH_>IEO3{}T84{(Xh}l29qB0`3{dBYdeu^Oh(_Zv4)j z00+jH&#Z&Lk1V^drBIsIC8!LNteq@%&v@hbLsXf2E&?Kn@Tqv7*fhrX;aFhQ|LOp6 z7VdV<)9Rz1q*=Q@iYLYC-S&cQg|!9OruM?L#w}`vLxbIqY%%@l)6{)t0*g$W=JrS` zto`3yJ8CsGi~bw7W`P$BXqn3ItHNc-@84|OevngzS=L@A1uol#ZS^F<>`A>v2yVQG z^87mt8{_no7VWHwMPX@g8`z3uN75O89`no~V&7STwXcV(qpO3%=lk{v8Cb=23<&^@ z0!tgRb##)^Gh|?Che7NsY#EO-t2mnzF6Bn8a%R4A=us0WZXmu*uHGi%fxi+%^q0G` z?Vs1c5Z&3+l_NDhy%#`us%k(iUd~QCB9DLy64w?#e zY;a2*X6>!cGHjB|xSzYQ?=C+;7XzfROk83}ibq(grFU{C(#K;ms$L$U#Iush!<{om z-et5;WVbQ%vPV*WtKNhD=qMHNNe&$j5mCapN<$6jov%#89BT)jIGy23o)Wbkjki| zFy+CbhAN`n$wDhrwt+lk8!=h}r?Ph-brsMblRi%XV_xH8Dr;T}oXx#TFq>sA95V|y z!V$?tr)&Y`TA#5$qb07z85bDq<6j*u5^Nk#UQpw1vRdmU4DW zqL_#%b0}ED4YagE?NNz0}mmuz{ZhUveGQaE2)N)$6>0XCr;E%Oc_{3inyENYS*o_krM$g}e@c1a8)soUN z>(?K#zwE18{xxDRs%{}sZbw-Y0S$$*n;>#akIMvV>;6ABF?MP!O{M+hAJUV`w_+WY zG=WX(YE|Y2)%D7EqNq5y#p)E<`Uf!NHO%lJzr<`61EHLXP%dQYCN4rvp&Awa;$>6P zq+jk{wB57$LpM!vju*%ZNXVDwzZH*ohXs<#+@X&Bn#HKvoswq3h;O=i zkc5`TMnQz>CCpATIYl%6yom@H)d61Xg~$ZUpfbmI&X}^Kl^RYkZVN0tUhjKjavi!? zM5=~DTb_#-EHQO04O;pkshcOVUb;ZGQoiRoeY<-Xkq*Kotxcp8Sw%fKxWPajos8z= z8R1|mz$Y9B73-v#@290Qs@u3G^<|#=Z)rie&ax#P=9p_Kz(u>+po2~WwDm&=>jxY485Q7YJx z&uy`@c~BjnJj{^pO1Y`QxFf<|^MB^`r1Kg~9j7xj5EfPecr-O3Ihx44^BL~p>+8k{ z$oL>lql;)18@r^Qu07RD;8>23omN}@z1Bj%4%Ex2QdNb>$;6z`rN=7NMQ7O`%6DeG z80m0Lx)!Vw;ji0O68J2;6NE&aw62jA6q@y<0Z}BsZjY3CqCHg*S3C_!53Rja*u1*` zK-FKVELO2vDK=L}ETfq%=bzlwiDqqWp4@ggn%Ubyua0cRf1?I=RBBa@g*x+-j?7TK zKb*tPU6=%&Qp^Bq-Jb4$D(C+8@ zzVgEU?EoxN)Tj?R9eqcmKW0)?1K0Ap#~W8fmxNns@qjA=PoB*ZrTHvKsPbTKd@JTN z@4nOf&!Arj&KLdXx5##m`u}SE8vjR$t@(Fg{mYpCuF=sI&a2>6A>b+K^Z3|7>_9Y@#zGRh>uv{$j<3W193zDxW5bxmd|lkWBNBEvUPli zWvtHa|Ey-CP6mj-_YVOjvzeVpVIN>7gy6t$v?4mP!Nw$HkK8{D9az2G;{&w3FuqwG z&W~DQffu;lVb+qojSC6$W!a++h4GPl_9GiFE0+FlkmV>jmPnN+lQ~y-j09piDbCuk z?c{ODh<~#L>ZEc_jVN4$Wa*i5O0`Xgf+Qo+hfJZ*jB$#iiUeMOv~G`aHtk^VK_6#2-&zGki7T{TUC=-WaQYm6-<586=KC5uJ)IqQHG1E4fq&(&G~tESa^w%*bfoX%!(d3G zMDB%|;cgCI%-x;cHC6JuyWf}5w!2w+J2K9<$TR+;Oq5w`)@<1V;u91~_eGOR^OA!} z3I0^RWSpZQRZMh}pI(S?}0cMAE52;D>7OLi0nkQ5gWMpF}j@Av}`LTXWi z_zVbyFXu(u_oA(9KK_HiQ9ef*kVdd*7w`KF&Y(L@w2z*bVDEUTwy16fefdC;vf~(O z@}!Oc;GXo@g5N-Ka2McK)=+E=$Z=EC@bP#ZDgu_O#^2NXv)-A;*V*y?GX0tP^Q_zZ zuKM_XbF*8lrx)cL7h^%WU1Y4YO)U_o4{Otqjm zysB)k$+<|a+lR=$r=91UkxAv6@f6yfu9LXqgxp!8I*MdyhO`P9#KnT;Y0EE5b%CQ)>MVmE=$=EQDVw`D5P?I@IC zdMM-7A$AcnHeuSKNi|ek4C^c~jjn-Pd${G?*g*?$}+5;CuJWDdjy#=&I;LwJE2Jw&ZWI|FekB#%?nW0+ z(0|9Aj_Oh<`p5(_h9Z{`ohwEuE85w!+@$}ps$~5$y@E)M`9YPNF}#@U&VIR3*}<4N zp-yj73vFf{uAa!HBB_rOfxzYb4Mf-A0z(97w%j-dShQ%H&GDqz-<_~-_?~N7 zm}>>vVRRxDOAvV2_H5l+a*I{I(1_=?=9j<6F260JoDsDV1Qqmpf-?Q8v`&{4ArKa4-dxrUBIg(X;>sj`}?zv$u@rPW>hh5;%bM z=JnoBQ%$78?e7ha0^p2W)J@{#1v`9`>{Tl2pMwoJ$|AntV!47I>E(-wF_$Q8`&G3B zH7g~!u>_Yd=SVj5SAI${!VLkb!0vT5PPjE@1Q&Mi?#lS0DNA$aTkgvXJg05%u|k5m z=~ui~?JZHzA+%Cna3wXDkNdY|6;A;_7EUlFb_-WC1#^_9(Sto*6x0havT8_B&cY|2 z;Q(U}_c4Fn zyhX;*zUVFMRYP*i_M0==j1(1l(cgT(nC%8_M_~)RAUITI9w=VrJR(pf8YgNaA8-l( zaqzl)Cwb?bzDEv@;^a=8%V#KLUmuu}}=GJfl8wHF2T-a_Qxv{y`BvLLIqn z_$)Vyxj0cElNBn>yS7RbO&E$^@(OZ$ocl9zy&*M?R|83KV-sWY#?Y%j>qvDy>}-0x z{Hou!&5D7yrjuevVKb?7(QOgzD>c~oIpzxMlw4Cq>Dt;d&(%+V`^psUvee);fK2q310lmtkP{ zSJCEWy1yP4l>dB-JH)9Js~z{{i^o2$m%2YOP<48GA!0h&^#Wk2y-~3KyZtsi*(hi7 zJBeBTT^;(LVWa;WL-C*PSv9L){SnI7?;M62TUJR#>C$vCWqSL)CY}&_0pu#f6^K?x zONc~~xO_-%@uz1p)TZ1)p$hxm0;mdod~(ofmbbv`r9dpgJV6anHI;yQ_8%|m7)l9) zMjzzlpQ@2V9R(b$@Y^a$x*Xi@orK$0_bR;xmS~WaPb9&8ZU4TYNM+CNgwi*bRs$v) zvPKl2;O@}*Jp-04?9aT>iISRjg}9RBB!h@;L1+Fg{0qU4dHbK|yuVzc{>j*Il=K?9 z^FyPcOhTFt!QgpJLF^v!WHLp!0V~T8K@IUxWFT#bsMEvLX^sXRJqM2MAhn|vOI*4RTd_2VBDW9hxc~LCR!ODRPqAcguoDb0k`eHPzIOCi#Xv0R@s6iTW?Y z2xmsva}vMW!4G%wc?_6v@%?q+^+o3A^>%;V>?}Ng@xAKyd^74{Z_DYe?)CEg6nWPr ze}0Dh`{?I~8XWx#+&j~lUM8i+!g&hC<8@uT@U`Z}1Npj2d(3Je*_SOw(v>}IP~@_> zGT_er8<8l#j}u^Z`%z7X&-Yp6qM!)whY<|$1HYq=+U~5w6#p*{{3^}Is*mzq;yhJM z1bPQz6B&nYjC7nzkTP98=-ccMX;nbL1N0aw3+vHx2!w5%K(*x@iLBGKEPTu>szeF2 za->J~Y@DXi_ARI_U*RAaZ>2e5Mfn(I#Bfbuf@4z0tpHIUwk<=>; z@;PG=qs%h{>1tv_rO7+_SQ1R8jSYQJxl}USq9CETLxpV19V#KUtf4ETU&g2dsVn1Z z0Chk`7llC>6b8p$OUoQ|2RZ0 z<0i|Um@_PR#Pq9ic{_YgR`v{~>#q;gHz=Lh70K4@Secmj>g+(Lyr^Of*gMk&J@k;B zKikFg$0X|q1JF;ET=XiufOr)Kri$8))!08)6B#dTNMW|{l&YGUU|qzxeuP?*VvWb#!u;> zY$_rcF5{HZ##;uHyrOTt9^YCIpPIx7|E!xYOih^F(*3cY_1^n$vAO($Z&o~7q5rCk zXRPg(nBSyb%rtD<&&5a`r4CtHNwf9`B-J|@J-yLYs?_VPX?gHQhCX-Cjen2nc4-~3 zmgxV+-K}Fj7K?Q11yhDL@bBV&LeTwWN`VfvnvL0#pWkd`m==Y-A(w-&Lruyk4h8H7 zk3r1-E>i~ocs}jFOTT#YK5URL$#j$jb>Uy0V7uqg-MHJv&xG-`_k##@3fd^qPlCM) zOkQ=+g^oM{$!-EIC1BvZhp1+;Fn`4KWmNj?h8Z@oD7O~>m~3B&DUxFeo3*kxs+jR* zZ_qyKvHv-mjIE$EvpWVuOS}WR*fud$(M~e2CS-?=r!CiQF@AjDgs#B{zu6H_S`x>{ zqyXGCm0+@%|6oVY@y%nNKtx9(iq_nbX(qv}bH?ESB~xs_;N zd)e=4J@(t}`hT3(CQc?s|1mZHKh>`PJvHae+p(N!`~2Yb2~z(cTRG+Fm{8rJ9x^$bM&P7 z@<)JXMcQDL+PmHrp7T>Li5)S&x&)qM`NRx1A+8GbiHclBE2U?((}{=AQ;fz{!Y;%W zQCeWKL!wF@bIm-wMT!b|;#pP3sizHJKMfs^0F2|5s__D#4>N@mtD{;J8OBSU;d)9O z7Q?J^0Ow5fO<@OR0Sh3AY2k=vGDwcW;#3EzhrERm?-p-Z0F2d&*(e@>6mEoIX6L$p;QMl0TH<{p)ScXf*iI%}YcOi>FXR z4R=PhhDN1BZdwMrnG(5!qBC%pe$X<4slfvxWhC|gUEy;EO*`$=4F__cB1DBU4pHpd zSRbepW^Fj8M}i?05?P@P%BFC1kLHH>14mW5%lfvX)HmO;?UNX;-3;??f6?R_Q!(~u zPD69}@nZZIt2va5FmK38=3K`$$p9Fa9ZAldsSU z6bdgN=r6K#aemjUiJ+AT(P>H`i2)d7;c}kwN=zKyL;B4JY?#ZS+46>`*0D0t-uzz! zZtcwdlXekOolWc1OM7gP#PRsOu|8ln+}KS3G{{z(^W8ynVeVh8w5hVZ#5sJ#Dc2}X zo^7rQ+^hA;N9x8ky57Z0a!Mo=s4yHeMvcCdP4Yjo&aV5X!KN^gi@0lV^et9w<=g6m zrHF%wxgo8?mVD#9ZJOhW?F`pZ%^js3QCoS?q=l4EVIUdOjfr_a?t4Dvw}z#Rr1MZ@ z_vuo=^k|mNz?3%?QJzC>@w}*pYdxr*hqYs^Tt&}C`$(>P+NgIK>>^hUPLY0UuM8O- zHfbG9jbw$JyVb+H&Pps&wgo!fZ_1r01Z=zoK*_@^P zO4qYB7RGq>$xL3^gB3QQ3*@)5LM{u@owvLT-76j8M6{Qs6YlQQHdGaZCNd~BC?|$u zvLzIrhBJm;AJf4fc5ELco~Lt!Wiz?=8_sg5U7y&&_|=>q?hk%~hKiV-ev42?<2Q9s zel9#XxTJD8U^bIm9AxDmHpqcpqP|$5#;cTR7qrE79+e4i5EWeaGrqLZ)eb{8^Z`<` zgOl6lIw$caB8B;t6eR9>Xd^MbKVPCG=nF6PWW0$d*%WY-19?>SVc_4OoHs<+F>T8BJZUy)7h^$ESK#49Gsk( zDqr_0lC;RxqNK>po(SLgrKFUJ(SGqtt5MXF>;!sVo)2oASiIP>IjD! znz$5OJZhyIwPG(8mi@r6Bi%b3V8ncG6s*>b8wPgmXhv>ZWZ#E z4CEz%EwWh{f)};@D@mio-H`1x7OZy!@cX>(?8$TVA>I98DR;^ z1|QJx>lpxeG?VPgmL1WIG*JS^hy>BT@;f&YOMz3e@gtXx3R@TNQlqwL(kyVSI}p1U z^>3e75cbqXilbh8QQydD= z*9uBYb)50cu8^vbPIOOC-D%Bz_6CSk6`co|4J~bQ>(%Z$5Dk9V$FwmjSAxA<2~u0{9;Td9cbcXM|?`?CHTzlG9{p}M{Q=V*52nkn}{EoS7WW3fj#RGGfGS4d+SwQT5EZ92i$YHcza9Dot1=` zGwQ+BEbT{_?ZDqPozRT*BNq^Jrd$^p3x$qHQ{rMCt*V{@3pUI zHW9|<1d$S&cm&eq5mm{6mFqax)rXFHoK@m52}PX2(pWrf=*XYA6n>H`-kbejO#1v| zDQ9JFY_lL2BwnY1amo`77f;l)Sv)^6)!~YOwzsauxh~q7!mIQz7DmQAqGp|KH|Hg0 zp#_hYbbXVw`J3_ezm~hQ2t6+}eq9=8zb=jcxpQJ{_Me@T-&Jp?%{IjUostVK)gL#K zNVgw z8mf@6cve>cy$S{NtQ4ocNXQaSRE)7+_G{aJR#$SMY2E}3JPj*Z0v1px&ogK8RZJ+O z5-)V4fPPw#O*Ul!&~Ho7t3L22?v>NzswN^9nY7Op`s_k2uy~7%_cW#~Ed(TfDxp#3 zMs@}D-V5DJlCgB5^r|)>jE_m;=8DGZ@817M=%w z4GtPRzS{db+M`4k5~2t02M!K;GfLvYD1_ZO)%)I#eg$%v79s!GyaKu_$}(XNHccEV zQ4N8zL18K6pai529MEF*l~(vk=Zps>f&o8cPn#JAX*SX*{^kl$2ouT!0`^=$Xoz&% z9K~fP%=21wsl3P$IXZ#}O!{`Y=xULvvB`2i+g_fYBrjn2wL5fhxn1s68r0)1NmI&r z23Xc^dw-w7^}!4yjva1^JS&lr*((V{m8(R^SL?R+hJep`xH5V-R0 zIF(fNM#=Jp9x6&(0ixO13*i{WL_GkUpg5tY2Uv17MRcq)`)gijJ|a#TDlmM1<=sy> zdM$yNi4jXk>f9;+eG0s|=^VZ~3ChHYWfK44zkJS&;f5AlStIZq=tr3-Wvh{#lEV0f(9 z_JAPa`DDG|V_rqQ<-ZkAGa33z>zc2L-9+unmFgNdfHaL^%rjD^8Q30_*Gi#K##2zy znzJiCAJ0{b4Q=YX5)f~tG!5Tj3fdTXz!#)b6ha2z*xa*(Rlh~AH5lfz$Z69D^{?+m<4EA! zXHOQKo$F8Kly!;RU-XErBR0?gnGDYTh-wX5o$se<5GDT#1tIXDb@yth{fHsEJ>C}G zC;w0&xzWpT3YVk~_B;u{w022rd1tzLMmqEGar?0Eybq0mvl-Uz_Lz3koI1TXpcXU* zAEtG0MSW})_BTwenKNv4u3NGSB-n%zeL?N9cFr?=J%40pA5?o z1GVX+D{Rtr%?3;0;ap}MFrq^!-{*@eu0k6d3WA`e*S&go;o|lhS+9-I-;xY&@H4cr zgSE6y(6hnICKnz(Op47trs58uvYzyq#kQEusejF{cat@o))4ApN9c6)(zo=w!G+D zRW+Zfl|+cOC3}FL7Ry}&l5c;DbI>8eeevv$JByw5d4~A`4vz^PI$QJDk$gM>d*Lmf z7`WEd;Mvkm4*f#;63$`lF>pdGOmL;jjOhiU)c$M;atr7s)3>qfFFts&^ z`$xB#S%GM2P#M`>JP3yxN8-m~@0VbielTqnzOJM1Na-T@Du3>CQu$R_vQnE%X>SQE z1RqUciQXtgLzKm7#>8oM>UsKC?O0}XLiJN`xohd^CK4WEFspEh!VQT0eez$ zJNn}fOzIw=@`?hxZv&c@Bi1~lD+4P1ovz;BX2LJx-uNEOX13PO`cl@ zTFB9r7UXg76L-53KrY@r#TwR^a1?#t97GU_|DMSfzV!ikeQcX;D563?V#px8sDK4z z?8weD^S`*W9sc;vXxN!~2Q2;NlXJMZihF;!yNI{&WU}kyDngctkCd%CLl3fw_N!L! z*PqOHJQeeL;Fc$(r_{&{%?a;|d6u5#tzF416ZHqDLtOeunvki3R3&GhwziTe>^MsE ziWHJLMrDTm`lo#1X*ahfq2F;)VxX`#U{pbz-qF3XLA|gaTrT@SHhok)Ha${uyy%Cv zx}xZI3fjs~6oRXCSlx8;l&Lltp7*a+;{BJO>xAg>boNNn6}IL1Ly=mcRuYWBdvuvB zEphuUfgc#bxKlJdwhEM~GBDGK@8+i+ut^fs&GAcLQ@SAe3y&>_tS#-S*ZjOa+|@U( zA}t)dnrY?M*s`*ox>HcDTQ9PX$9U_J*)Dw56cnrlk+b9ot6_?Q@3KhDe!ubv#?2E z*I|$Dnbm_}2*?~9=pubRwobt^wdH);!|L`AR)5nWI4fhbW8qDx)F%6#{<8Uajqc&L ziPYJQ^b&M!=`0QEU-)`_F8%TISxYNAXu=iB8a|5_Z>oF3A(U1Di07QBe~YositA~d zOGY-0Jw^{^w;aVqC`A>rT()oi$%&_QMa#KM6GOQE4-_zwd{;pU!pF!@<4Q^Skf4!a zruBwrziewz`7zUgx}O@eHBcDo-Ssj0=3|$1;oX}}|1L^KN#_WFcb|8V?~TRQgqo83 zFs1foSeGlW6W^Z}C;s}KE)F8(Dd-lsRyNbcHbXR2DIomTFh0z!1HYn!a1dS+d<&)g;5dD|ac zIcSw>CASM{jioLdO#)%JlUiXES7d4|y7T!y5K$6Uy@H^bX~OnCQS=ZQ!^ha~AW^%i z{o#jav)<&^KdV%i14T^qC|oKkA@&i{G{+)^;|Fs)oByz7AFJBPZ!#c!@8~(SEmPo|Lzyq?U$E(06R?%#EzXrtIvz?Jl}9sg zoy<>BxVYe+B+qOEkZQHhO+qP}n?BoeM zwrwXJb?lQ>=hWHzT_4u^3wPB$<~7G0sJEEwz6cr-v;tNKj+ks^Sc;tFq}frh6ZI^^ zm>%2s^Ve%faD(!y1BC70zuWTuxY`R4)G|7}QqV&|8tSb;@(ooZO3?8Lef~y@IH`G0 zo`w#07SddENx~WWgxNm4*O-0oSU%({XA^Q)k_<5`19-x{d>-CRk}@*OvyTdV7(%3nXtYx)X(uMvQ}#o682L5;qR(E@ifpG$A=v>x8S1X$@t2f2(OZ7Mk`n!gka zdXbyra@14%uCK~NK>caRPp$0w>nMK0%bs`17r4D zaL~rGsKLV$14C5fP;QR-#u1fYnA{TZzp+`d1rNCXUMkrduaUZh7@;AU zbG^EV%&GO}|AK&d(i$>Jg_q2ibBEJ03!lepa`?usCxhXDkEB0jjjwfiB2}`sCnlj! z5VuzjdY~&LX-ciSz{DsOkhaoReTuqkHaQ^LJP|~A31rD?cezHfC`=hQYfGh?!haMi zmNd=r_5B5Qk=Z1E?IH5>zzG{$*Cn?J6e_iJq?S~*O&p+uVaZ0cC^(DgOrX#;J;0Iidf#q>eS_VH*0-A>@i< z54J%jzpy<+z#H`GDhSGR`k|NQlM8U{4mv$8`dwZ?Y0RFG)+$_0w&-=Ty*8rkQhOIa zpbe?%qbBI`d+rW0#{3zYCVWFb)+u2hCGWp;z-4op6-qz;-t`~v6xshw3D~<>**V(& z=P#pi<+8|*^?luUP?ZhOEty+7dQA!24TA4@T*xsP7sp&+Ow$%^f-NO4P4)dwFy8!& z0^#A^8Nll8wG%KK^YlEZJnlGhpLi^zXod85sAbjRwRjAR)L6(1p>?k_$6Bwlgt2Fj zo6aIclXj2cvCEnK%Mxyq1`s+>wAFu*{RN@z~GqHvfZeTe$l35IFf zXe4l?K!#omgak4#+l_WYS44NCB-e)f>@n{0aGOlpnL481*UV$Luy5n^=HJTRm*o)lT<-`7sB)gZ3&x?Q36!p7ZPvNr4AW z$0W^+lMj*}di=_V>T#{Uws8I|c;X@H{!iEoo@Chpj#aXea{<7M$F2pTL2O1< zvjs8F7w!Hr_lyCYheG1i^v&N}{<Uhen(uNY?EmRb$zO2D!aj9;k zF)<7LmjWOxK3XeX)L%het>MNw{pdp{;m0?t0vHv>hc6>xs?6Df2F7y6F%p(>u&3_j zygXiR%zRyH^`U%2ajk}HKuXPFn%b7@wW8rq&MtLf(-_>{!Zx0tk;`Ltnt~u3nJv`9 zyDN2b--bG({h7jm>ll`FGvnoLf=z()H{=yEgQ|Cyy2FGQ>X;Oyk=tmVk1S5+Z_+zl zvVz#V?nK*hu_|)&n&`H4G8^Mud2bKB0jK5i@I&}NW#RrHpl7p1qwgjAw}tge^{3@_ zfmt(V+!fPN_~=C^jU7?7rxZNWjvL`~^x;WVZIxZtYEwMo1zgUu*R7XEgXYI!Ou*T= zrZq_3N?mz5;-C6gcOl}+!~LE#mNFg^`p9dX29r0H2s&2EJS9pro}nNm9+K8eW8L8gnztfppUBkTOn!w z6STX8N95ZguFuBoHa1&2)Gsodd(PQ*D9VCOX*|nQJ>>3W*^#>o>l>0ax^*<*$oZiK zT}8pmC7l@!DDuE;txf0<>0uISEMKnFyR-AUSRvL=aJ`B`@NtFvtaW=IYW%)ENaQ_CkEH8e4jl2!u^Gkuo#AToamS#qG-a=)uk%P) z>Imb#tH@oMT5RvS)53L_*#KXxafzN7 z2@m&_?t96GBM(^F* z-JzL%xAhm~e`-=s=zF5cxemAR`jsr9%K*zp&Pq!jm%_gM`ttjc0!e|tD$^iqw44Rn}&|ef?osppQ5zaH(S1p2nCh>}8 z`-2KboDm>LEr?!d)4Og56hz!i^2d4QEgI3*#qgYg?|BU-l1_;SipnBw3(#J9QGczy zZ)4tY{f#P?+>ba<{ra?Ozdba?GL8AKc#GaCQ3Ri1*}+^`erl?j17CgF^UPC7So+ft z+UNtKCsemMW1pr}@Qj_qD+iB63SOD!s)GJ72IGKeoKtKtt?Yk96%DVsDKJAUzsPvG zxUBc#efS10x5?dj1F(O2-2-z{l}q6Xs+I~7SX70&FGB8m(tTo6w;JC>5rzYyE*K$A zeUk2<$09N?Fhm%Ihf7JB02w;yN7fvl>yrAd`-s~`18g0z8}utTYSe7 z+68oaw|uyNn<_M`gC^7w_}T(TXOU*#(qG!L^rRRZWBMyQ_UstZ^)N*(Qi48dCtK)E zr-6e%yC5h$84y%MQHqf(rz9%GtRoP0OASM5R{YlFGw(ViepiE@4_CR4P$Y7QR&_X+ z@yd!qA_;ox_ly@yr}xYT4L_R`4TA(3D(=ebtF2P?i511_I8N zyjS7$bw5^9Yv6MKts>Nt#?Mac{dI!JMM*ujBfT$3s+UaOXHF%+E;LV+DmH`S2B|HK zX20vJHJ~kWpmbSYEr?)HBV6OxUsnC9IVc_ph?yz{$!{!vSBfXo*IKA>8EWJHg<()N z1w|KV&yD7?s%v#E-#E!y?w4l@{m%)o}_r7@G0y#rWe^01h9vzy&ZweG6 zcBw6jbgvGC2>na!FVSpmKH%xI`*s0c<=0ezE>&sWynykPpNoGLVldali-0zy3Yronzq#cWb4XXARKbLsreAF(KPk?XZVdaBF(l$6L>!_x)=8-(f0ruHcu2* z{}7JYCL?a!!{*C*-Sl-^#If^~zPyt6pw6*0#hZjY>Ury4gw0Tqo0VT8G8ip2Nz){LXAew6mSgiI0omkFkbno^a+ z2$Ddn4Tt+{f=G`+UdgsQRgK$^1ntz_Q?{O1f)(+57>=xhv#Qf=jdO)V+hJk_nj%Dw zIj8>D(-Z#tm66BvMb15?j1ud%ot+5VJ@Hulg*#=0g335e$gVno1{8avz6!Eqqp~Q< z@4RpHLftT`TU7=KfWmah<;Fh&%L)4C)&pR3$0b>vuh#(GOeSxP_O1BPt_f9xG*HA) zXdo7G3R}Fd0^ArYm8$M^g_pKXGoX;xRnqO~t(F+u4ICg1fD{?Y5ZfUZ6|WLHBzU~F z*kAqWu7gqZ)}glbj+OU#yI>5P@_S|1oTG}fNjhWy*IkQY+MIbo)z7PQs3R0c)p%$m zRp>xt7dPQQ`1zn;s;;q3#y8myM+s?Qh&XK&GKKna-`R{O3Jh1V#J~ZXuPeRCd;U zc`ar<-_3^oN_+kLsDeI0bz0!g`mi%tjZHV|lpM}@B{}krOftmx@|e7b$NFd!$RrbP z+$C%b(`5p7n&=}Gb`@?=KEm{!GiJ~%kiuz{cjKq!l>M6ddL8fYnME}==y^u*5?muv zKFiELSp@IPufq8$9hc&Y463E81Hui#s=GQZb~>>r>1ohuZ41>WVcRKF z`PMTzB*#^Ri}EFJuXF1W-9ChB*>U?cgeoPaB$Y-Y_2)dGIx3pyVlDGNQ|$K1qq3jr zMXQWIf>ap#$D-q%nrqUWy4op(vuJ0F64nvH+AhKm8sstUS{cf@ws)+5*MobX+>wZ~iN+a!fS z7>~pZ|K=O^KOdw07uEp6AEt!+f2~C@b@;!fa%md>r(mxax>XKO#Gu~l00G>aaV}lz zJe3QCU{u{0KR#938S3h8*MV#^>VELyf+4F;-**w;)1f0zF6Bu}A`4PK6qKRTW`qtoGPg87`C^!`qdlG+c;X8Od6* zHNUd`GCotjS%?M2L_-OqByKx{LBHFGwOlT(Q?@FWx}>2JB5#i?P@jqFCDR#xQL))E zQ5jsjpL0nG|EpFdw*ZNU4CA>DmUU+OHpamul; zxVvA5!;w;{vB`67Fv7BX*~U*h6TX=E(FC6kGw+afb@c;Fkxy1q`(Lq-$_a^7U)ne? zgN`P`>{4VRNyQcc1W@DRv7lO&sC)aF*=g0#bI+*O39%yh+1m?VEfp$jHf?{I$fG44 z=cU&Svl$n&trE7FE@2wGkeo8nquA`SE>ksa4^r%!Se95YG5GsxoM)oh*bvtw(2ms}b zalffaeOW68!HzI3Op=!uqLp+T)va{n-VsJDT}35^7Ny1{F7A&GYZZrh1sX$ume$Z! z!N1!*XXvTAnJ;pR}CYyXl_o&vr@x1({UDLkMTcWLXw(S5R zXm)h>G;OmiRSr&tWeZAc48Dp^%zQ4Qov+L>i~5X671zR9sb@;qORmb~u)|MG!Y>9a zrN2f&Y{WAlaAZ1)J&b{9;96FlFveEZmf%gxjNlPQW6IHt@MLsryZSIIRz6LJS53gK z-rx4W{5AH~Pg=9-VvARKM1thD_21PD0$zIpb~xW$=XNrfdkmx#;4P=U!z}O5(v=U= zlv0syP%Lu9qcpjm4QfisSR14Lb~60*=&5l;LWK3Y@XOD!%%j`j-`$}#x~~%ULtpF* zx=Xx?1(IDs{&=*5N=dk4grWY{oy&{2$=cX;6y9aCuw~SI*4lD%I0x)DO&psGPP-E+ z?o}^)x_mDBTm!t%mNH1H-}Bz$$0yZDe?$siM$Ytt%bKq}&xUi| zLpJ{{4R>{NZ?|R_oMmc^LfiXMWV-9#4?$sss-`*7^uBV9z?ZuRW#$iszs7^6kN7h$ ztW~ie35_ID)b$^avXq1>xn1UYyaZF311T+&>9>eE;>3hvgZ)0b9F7<%ILb4)+zVad zKTs*9vkm4Y>`X;eHjf{?bjGVDzg|m{9!turo9eN0(>*xMTAA{Bm}od{O7tGhYgqob zd(7m|_qH?Fs=I+ zCs&Ux+^&%>zD`aAc!XDk1dmA8NLbrIdX0*i6eb<&HH?)5BI85gSn1&?Ju)0f`uqpD z+RQne4H&tlUjo}eS|YCYCDCs+xZiJC0d9*-$o0via>Tm^N}d;oeXt?lT-U8rXLv4B ztLyohRQ^y$h-MSow`k?G!hcF)fBYXe>Vj*Z&N9_<27}T>2lPY0D*@ zm*$|i%Z|zK64MOn>O-`=jumDThV6sBKvD`t>|A$-;}Mt} zXSLA!xdI#XcRPoJ<%X~RAIZNJQP3(9Rn*23qRM`?WJ!807|b(k4DRS0t&_b{4}>Uo zB3BV2(YX~9a<#m<%Gz8*#iETbN$tXfMAywi=R_<%2o7PSi4kE?R9Y8HccZ{uuXoRa z=vHZqJv!V{P1j;))~qD3gB@-@ag$ZPe^zG^W$Ba@vgKlFi-IrEE@jb@)Wj6Zo`V=H zPqF2{FhsC>?iUKjJlZbh@_NO0u-!!&o%xHLVI}EM>=TY5X{-=9q zo}Sx$zW5NpLY9^4oX+$u)0Dsa`W(=-#b{HMq(3^3C~VE#fFC}H((q6kI#aZ@DtSGW zhTF_UY?FOKh|GOs-S~~IqOBw2%xbpcAt>5_2XpGP%nNpGXlA-C5Ep0ftiH{j4=&A| zT|1udhMKlE12T6^BPsyT>~QG_bE!;C4mbV0Ksc0g8L4#_{CV3;a+()SYJ5;^q zcCZ4LFrW!Jf*{$ zZ8lktCi-N@kFoLvmY^CG2WKL5%6a3MUYs2gj;5>{=tMv|c-Hu}bV3E}@NB1*KFxir&!*I=e`F6-aI@F6S-4J9I6}wa60KaUfYt9^*Bh^_9X{wN z5}=-yQad(t=aX=tBE*mo^+7U0jp!bsn2wPa_=3W`Yf1n8B!v#1N!D27`UDDzbw6yf z!aGpGgPvQ@c1$UC;kLjbDeNUQt%;Jsi=xR-4yX3cw{#FxXVy$a31;;M#iwyxEj0(t zrBaE{I-vI+Pm_Xqz-51S3WGu$Nl^NY?PBw~F49EVPRolgUxYzIj-H#Jix`Ndu+Ywo z$Buyj?94-Yp)(d<%0n6wGm!YfNvcnz#%##NOh8AMjGaMkZN6YF9iH~jsdd|`h~Q?G zBhK=vCqL+ivz&}H|MrOeRvdkKw!Q=CXQ&zX=3z^>PqvdQR?~lGPh2q(d1~V(*aYP^ zX)%85tE}Aw{6&1b+yLnj>z`^g>~1lxk42Rt z6=MQRzgz;qe>Y;3%7;^jf3%4$HN;&|EyI5G0jUAgBW_epK+h<$7-wqu?zu^S6U>SV zc5egGFl|EHkELSJluj%ojEMqa`&;&QOXQZNnETc|wiKzV3-?^osFA&2#aQgpvYGpQ^ zdZy)bT}5()vHn?OmYxN(4*y=RD~!}&$IV(2rH)!W>AOizrloRQC|YZL6(LQ2E^|Rd z%$g~Q)3v}o6}B(z0pq*xLBNyDqvnq$#jEt9Bn_>)<<>vlBjr5c$91q1Fh735!sK7< zhJ?(H$X4iz&pOQ`=;eoXSBUpzXCYta!Nt}6p$d?#+Eji}^54CvDAFl2v#=C=o|?cv z&ypdkYr!$DA0w6vo_GtRl%l+otD76!LH(3c=?PH(4uQq$`FZ}r$Jxv4^rOST*ZR}l zq=5dgz-QO%WK4yzi?7Qk`=`^-v4JIl8rBm>@$3=U_g`SOR5D5aF8<=0Zq6j*`23B% z7b`8(nZGjw&(O7ZqS4q8rE(W*QnC}{tej`Qp%HhdSy+b1MA!W0>c?2ABN|gr$Ub~y zeay%npYPXJCW%P44}^Jm@>IrSll9&LMhQ?0+}aH_WWDKbpga@G9Z085haI!-9*FSx zwu+->AvT+z0ty_PuxJ`?D7aWPo~-z6m7TCrLD4u1G)BLs<`y@1kEo704I;`6G?p4I znr0w)NDm5Ll7ZppwU|fLqy{Z?7!HGueE%J90f-Mhvt3}xz*r{F$rv_G6DLJ?0@h@!$%^uR zsWxKOf{uOG7=VUlz(1Y1_u>O?jyX-UXFCLHZX!x}@Ody0wSr_kl8`SNaBw}>K5V@) zO<*3!O-&N#?l9)u8X4P)HQjQ`;!XywQOj~|EB?hV@TaKTEJ>bh^UOiVHBw`?&F_9N z3qKt3t{~zFe5{d1wS@OpOA81#==3hVg@1rL`$t!qX&9_$5$NPIAzmtzBu>7-V`-3F zZqF|&7}mX7nZAZ^v5N?*#^2wvr%IvPi|v$U{Xb}qt7IZgE3Qw$FeA|s5eTJqS#M?Vs-NTob3Xe*Y3)^p#O!C`n zYel2zB%xj`tF!gg#*cw}R8+677r(7RIxoUOLciigP%fhfBJc}_!A7Z`{jMZg&}BM+I!C7`o-ndROOb8 zxeknLRv_(%Hy;2#V)uFB69a73&{h{28!b&!b`!&v&1$!O9BQ-e^hNl(g!F*eKJ}Rm zi1ioTUo>CD!=RGiq7C~#I^T=T5-cT~Y&~3jB;9kN`6aqt5+`V0w!ccIo6L4=;Q`E5F?O5uZbn|?an^w{$Srk_DI zH1lW6k@j8xY!S}~dg0Qj?W&i3Oz07z$DBgG9ax4K&The7D4JbTg;r-9 zrde{`*7PSynsjC|U^gjMmda@XefS4$|73I@-g(9U!0m>4RrEA8W{zxbNH(|-Kk3f?5ULu`vasKrU4Gs-=88w-ZmcTpUJ4WC4kTn{7p|1gy`t9h$o_g=L_OJ0>=Hq zJKk)8>9HM&4xT7r2CW*M50TaqS^?`QioLNPOGkw9lOh@hzBp8VqcmbXOf>Mo76L9_ zjqe(?TeUy5jwzcF1_Ww00UwNyUci!KX@eggX;D~~;}{qy1O{Mc7wsE+;frmCJe6sO z5(Q;TQ5Ib<%?0rqfGrDRo<^}lr7B%=Bm=L})C{qla5asPTFrp5BDw)O0I7ipsyWdR z2~vvyPaGRGB~&XfubPl5(a9h>@s1fCVCbfuF~i5a|F*;aj^ON$1RoMh*y-T|cD5BF z>^+eF)t{B?jBMpKf<)V~PI&pIsbI#G;PxUV)pU&!#R+fI-UzrJhtZkZo?LE#S<4s} zp#WQqLlTPz|MMAilK*P?74aq#{EA>OZTG{k>6D^P^444Wp=_xLjtxfM34H#-uH!jhmF^czq-1 zpDOzZ^m{C>zF?b)HKY&JD+bwTIa=w9$rkYah5oU%)%cafYLwNZ`KfB%m&2VPkQN-j zSv{Cx@WZ!-Wi(Zq=X~w0L!p1VvQL+@nqfwlFB($qsztFikPu|UOo}Y_X6|3bJF7HP zSejsG7LgutLuHdn_#k`f#BzeRbAsL#<677b?GVA z#y1!Ot-Wq&SVmg3B)gl-Hc-*63xq$*v5dR&DXKa`X5q%)N5(HvP8h$=?D^&-C+sCe zZ5D1*dTHVz|2*baZ~k=tDpHPmLit+xgO5_EX8awyJ71Xd3$=s<+>&pezPzP--E<@wCjS!VD)wQ3}A98w|E%|_ZWq=#JuEe zG}FjS;Swjv8k?$ZveO=c*yJg_3%qFFa-Ad@%6coPm*cspbHt##bEq2)FX0M88k;<& zu#3J(9&p4x`Kum38GRNPqrZESMup)i+F|D%F7lE1UgTWm%J*(Kbu4Fx@)6gMW8T?z zangZFp_({9de=sg#)(>5%Aw^bmE#VC}E&LK+#Y@K;-{3!aAE7*;zWc{6}K{ zw3^<3CB^uyHguN7(PCTkjL!kzS0l)!&^-JeJ%Ad92~+M4P__lfifXRwvFzG1*R+!hPDDM-tQfMkZ^YM z=6(A+d0n+&Bv+3liRV{Ltifb?5y~v#nzSWG&0-a?WA^vxnv;ZfrWT<~<6!Z+&!alP zD@b~h$|X8P{@POl0}5K?hEd5kqeR7PP_J<+b*3*ZDF<<9S-d>B5Y0L>etPr&l(@Zk zi&)PQU^pZcAjtoIOX1}GZLo_rt3Ry(caQg>-czzB5U4;^_m*`FP;d(E=pqUt*-X&NLnV9n$eJdjBMfmwDVxX zh)=Hr9@SDu_3M6f#q_GUVzsJVOj!&;27Q}Vh-qMmcG9A1$bBvvwDWPtl@sktQoaiX zw|521d5{a%1?5@QvGNiU01Ok}#XN6}Tos^3;rJi&XXiU#UD2@0qhYkwAqt@R<~6}u z0fv3cX|U{ijn4seYY{h?Q_G=cVM<^sSi_F8HZ|MMLd-P5*;*)$B5jkq?u~%Wzfati z-j=vlTh?MvkN#|!M$!9pN=~pep{Xhho_Uakzk;ysd)V>6=@o+#nY`{+=GF(;6KYeI zVPEC9en(?85eh=`5gltA-ZMM?qqIY^@y70kf0KuFy?+N(k)N|L;*#RwiwvZD&fQ#I{0}r{V%=?Hxrv5@5O(TcK?6!)2L?? zK)gA{h%S4Oa)bOb7R@S=)3W0?x@A;**hKM21b)R;z%H5Cc=BbdPSf=w6luHU9Y4Y> zU(e2aQAOFATypJbGuc?z=@lPpEH%cEDSQTNlomT4LEu3lSqLgVK!B^yTE^3vi8X~a z-Y1yuB{|5L0|qRnGqUWbym*(#dyeOVkY6yxQK&3blCiZMC0jbPkqQ$IDh`7-(dG72 zRC@ZBWrlRm0IP)No(~En7{izFyD29ZR!tl^{>3L99?ET~VDI)9o`39+MVnG~e*&s& zNKy?~2vr=Ke^HuLN@*yKSlI91-oR)f=4XtUzEP5qpr{t)TBS@+;Cdn>NR+JXM&=f9 zHKNl4$46dfxsl6(Q)v^&P7OcuaF7h0{^8n+d#ru($Yfj~Oz&iJWLYYQT7=L_)QfjX;#x7Z$QVjTynF;bgy?ySfec9h${|*zL zF1`mm1^9e1o)hlu^vwLEAm6E?I7|vvz!LKI11+{P@>${^wER|*$+l*<#P@pXbd#+^ zjEgeqTZT@uW{M-JXFi3hJmr1ARVw96L`RC}NH4q=>{<7O9nU4O?5*cQ38gH3@~u zFNhCB10EBq(WWtfqJs%J;kq(ehSN4XPt;yZzbjQUmp24DI@U_L&7tIwnyQ-DFb!Qw z+OMHnY=iEdtA=38V@@n@a;euWim4>BG(TVl$t!|6fLRIV(WS|R5R<}mqohee_~`XB ztuig6(c!5Ob|hvx;-Tdh1Hu}I8l-g2~UL{^PTpvtG3{v0ougXr%lJUWFA4!-Md9)URR8W*brEc$b-&Nsfe0rF1`$5<~Xgv7p$<& zudyMBGr~}z`&*w~oHM!Zs7jhdEw=px>QEW5`Aqoc5K`Y!QdsM_e&98{;VET!&k${& z%|-Jv85}jW1(U7~f!kpWQ>6u3X_bekpd=UcK?&XL14>-VBgMz zZ~>tWxKm;XSh_}OC@R%?{kxznvx!oXToH%!E}K=IT%*Tdu5-YoYk&XiGCRgtwyf^TaN^7o#=VI}&**2e4Y;f>22{QX_scdJD}WzOM9 zJ9Fs!U51<-4|Z!J<5YTGEa=j3*ICc{@H9h7=H6%Vi;?;ruEbow%ug&`{q^>Wd?T%y zr~=L?ucW@)(iTV}$3NK?dTw`meJb2@nOcX@jf;F0lR`nfg5n6ap-`V=$s3imeyhrN zHS2OAX%Hb8|Buz}3B!LPJmmDWFW=8m()-6J^gs97n*MYw8QYrucaZ--fl*~_oacs< z@=Zo=W|&e2D+jsFEvw+*w znO_ZPTRBZrCF?Mv2b_5s3?ZK-9Rm_VubH*W3AT|D4?V@i^U#UjjR7ClvM5xrO#ga1 zkM?QHoXFpldLI;rqs3G`CHp_~E+8FMXOuApdZtLm|H%qkY$B5JM>`5hAdN8n5Rft( zG0BW_R_%qKEiEnnxeOxdRYO0;wFLj%?)Hf=?>2{4F)syze?B0>uAjHS_v_}~bc4dW zp=T36oxit}Yv4(toREn_pv2$5gJqzWYS}md6OYInXF3fd?S-c9(>)tl!si8V{Ku`l zz(q!c5=sUZ?BjJ_&2(jaqnIoG6!C;`*Aj?bf@1IvY%*Jff+7##KWz`FFCZEk99WdW z4;DnI*+qNs0+DhHOLNZ3&>PM$8ABhVT}$S1qK(rcdi`ypEx+_nLKFX0(R_qm**}#PEg=y~Q@yod zUU@h~3lV)MBXkmOln4e+CSBH=;2f0vE?;WD_Xb4ur#`NWnJMzTRu{-?x-$_;Me0`- z{Gk{9KFO>l`lJLBk$4a}YKN4l@$j_Z1oM;>hREhM(Bs-gqk{=+Uh$~p{<%Vwlo|&auowD&Z@}*AcHMgPdLr@5#o}2)B-h- z(onpS;d~Szx}|qCt?lfkuVBE^jWs;^Q(U?7Jn;dUo-y?QNF(ekV7INxcQA4>1j*~U za{g*Ns%cVAThGhiN3TpAwfDKe&T^5P9>yMLlC5$!;^UV@x9PEq>lVQrOD2k}j{0iB zvMcMsOZ-AkXf#V2KNY$;&lv3;J&@`UM`aq!*ui_Ejc%YC+7xVrfN4jEdotvV{lFmH z#Kv4q<*yvADc@qhNyiq)+~Yp=K)-$J_0tvSWP;hQ=6O!=l^>-=~q zmouWM2kidtU?QT*>p!(=k-nO? zQkgcfZ82_B^7D7v?+tOb>)#jq-2~TE*FhE7$Ge&^-UC)+&p#rh zarn4Wu6T9_>y?+)u9x;_P)0c>rdGbioR93HJ}#9P?iLCUT0S8Ib0V_wZTNh&y4dE( zcBKb5GRSGX5T&4C_z%_X-z4W=h=!W^*45|#z;NtXykgM(Eyl=-%__m6Y_he zl|y-Zdog!z4;sBoM(PiK0D=M4!*Zj`B`r3xy4LC=Ri5gMvGPljQYvX4PKJlw$Sxncs_d_}`~P+gTb$LbEc_Wo?1cX-LF;AzAB%?8|Jz6V6Ixi- zQg&`lbN)0QA^;{ghrZTaC>7}DL^FqCXS2L1I$@vv)OQoV1WUH*lx(ciF(POi^^;lX zG0Vrx43MxVcJV+Vub0FiI+dS2ADCBTzFowMU&xGr#>?+rnvMv|u6RY#kK_$RrT^@b zOee`QTGg$RMbPuWsPUQHJfi4V@JQlAy2L%3_C&`TZ3YFQnW@A7PMR5)~G)@Amlr8HI0pe_&L4$*#a!$;;9kMzbVx6{9 z-|J;4#Vc&S?*e-A$%ca79i&;xf<%!QBZyEAw<5uof3QG4sdR7#w~l9#5kO=C=fxCJ zox3^AK<0%DetRW>?L>LJOo|MBd=sYhEw{>{NadFTRq6$xIQ>RaAF^VK5{^#DM-Gth zO8p5R6D<}dkjjK&MXcNRr-g8iKb#8}-ed4ay`2@g88l=xTy7qIr=3Q}1MuJFV=9+5 zjY&)~6lnVNgL5Tm2#jua{0s;arNKCv2jgp_Dhm=*1xw?rMmi zoyj_UI9pweq!a+!Fon}jdWkj$2DlNX0ur%qi$;JvP5pNZ?kR;WqX(S3@W60JaTb97 zdM&R$&jY5Y_zsI+4*5FWfh=N4ez6$yK*H%P`LyjR1+Coh4lN6hTJWqsy*KvVuT6p@ zBAHtyQ3}YF>+4eTM~TWf-k{Q`vF)%`S3lQPR|myalOu_%J@%@pvCUP&R5(I^BKEug zMQ8B@B^21;TLw}0q4rz5|0%VRRJ2)jsU@0$2ykB5i4B2l={k2-NUc1G<-fkGolLvNL6xKNsGHLCVZjPIjtd9qbG znf(R&Z^NRpKlIUgx}ubJudO!L`6se?rXoBGN4P2r3|m2^X9SHsxC!h1*To61ir3>bj9Lla`xVl7r+p-vER9@~5plBP^R-?-H(T^1F& zaQqfrrNd{0=W4YpK%vQ5bGFbbVgs9E1@l+dsrt44VE|}mikt0{$m9;Wn_!i#RAP;w zWxq48+~f&uBsO|%CXgC`DzJ7cto*yxex6j2hVGxGDYp}weHTuKw@J__y6nuNfm@hV zFM5h`xkglD5ute-j^2_{eye2G(2fG+uP0tPw3Us|`(7^z|{0&;7ZzqnlTmX2lV0}`ZJTJ+2eVS46Z zSiIPSsP3=n0Iy~l&=bjG0%Mp0G6EfUvl}}f%Z83_3!YMChuNivcJ&Am?VDQpVSC8f zz;WS%mX%V|xH_Ipo#qv~+BOLslgB?0y*S6Mo6(NM()o09b_{lDOjoJf4i&X#iBEYu zFqAE^)l{RxN($;0yksqHDZ9S*PTu132UXIu5=YFG`C)i5JDttzVh<) zl)8v|P5ly?=JFb>BdaEU`1B90TeUQ&Z+CaMb9WE!M0|9+s?NENSGx~+8~DTn>~#pj zH3q(N3la&B++7i&q)~64E*Xkl2@r0L8=V8BlOFWuE79nv9zBF$If=^;LjTxKtTSOH zh?3zTT3WOW@&6F^PEDdkOSER$wr$(CZQHwS+qR8ewr#s=mu=hX>WF^mb8f^v5$gxc zSPwIEW{&ZVXj%Y0p52?Metb}>kqqsE?Ez;#;dgn!`y<`o)WCWd`QFw}Yv~!ZN*fG4ILtnly}UzdcB7}5 zEhEe@yiWSn-Fm8JYpPyBGbzvk*cGmmnAK9nz^|~B>SW5TROL4aToJ`T;7v6&?OylJ zGBydH^LMkOC!^KCH~)&Rc6uOrZhzL_iS?EJFjTg>2&)L}kVT4|Q_&{Qwy9j=J!I12 zF0P$yU3%~HfHzb7>^K&FgS`FzOACkd4o(XHTjt78{wHkC!`9_L>fCQ6OO_bI_e||- z_ELR{77%4Da-}eL{UsTexe~kUdXw4!0S6?Ov%>Xl=a1LRb)SDQj{N%6qwu5P{`K?I zTKAS{wYb@cvJ)0lQUmjDfMJuEqC|%OUC;b_uSrJHit!HFzemj-r?bWy>#J+mR&(yf zYp0z&7q`~D{Q!QS7UQ=e3(RWc^AeTAPftT+x5w+l#&E6|%1g*I|tCnqPo{CaJKN$>t${4(^3 ztzL{Tqhb8|x}Vq4a=AD?-w)F^Cw3RhlUsA=`np~6xv{a&9E{#0xMvMPiR|3=e*mzM zMYVFbt`D?y!kO78{%+x6w85C$Lv2wLTxm%_di!T(ttZ5y;e7%S^|=H1rY`s=XNlT8 zr3x>igad6YN}{~)GU2xo1;qnLf!+pt?$H$c)=s#hD5fb32&pTyMKilQu-K*&%Ll$C1tFVc^d_unmH+<0YumX($E z*O3oT<$WeM;UIkX7HT0A$$SJuJ@+v!SYPQPPmACaT(;7lgRZ}UQcpr}mB)1mfQ816}$c*~=KVbgEVotDK&z#fCFwY`>Y2o{}0*7rx+8 zB1|dWUtSuL3xAmeYe3N`$tO~>$}rrnO3CK_NTu6vd=kwN!{7qfooKFIcZ^FbPnNBW zrDLR)g?*~V*;=@j+1_w;&03(~v&-E*KhU}OUa)9t60>b`?pcL>yst_maSi#Rb9j)_ ztWGT8?YkLDojn2E_Koj81TR)(0Cn|ZmUN)V1$>L0Or}gc0qc?xSP8>(HlKs*^qD-j zuy6qbm%!Q7UH)tUe^TkgBJEdyA>H{4(%a|NeAUA<)=B3{hRdvIFMG*FX}zvDUpZNW zBg0_r$KvB@#?-~cx>u1@3!og?DF{Q#boky9xR^R*sZbMUwMBWZ!s>dJzp6U#s{!%8 z<+@PbX_q1@H_}#(FNAVRqeBRcg7k{_j+=rKjfJ{v;aX+3VW01%l&Kb&g9|!@!%?Kv^6PKD=X4xqzBp7WDkc)$BW z-%{gxP^b)6)@A{3?0%Qn=Jm69;Zq`utYUH=`bp@j>wH6`*F8+VVievmu7gsxfQwHB z6O0Ybjm)0vbRqz2Cpn2^0vzOl9*y~5HGCrvA@MScO@h7$w}=h1jk z(unRl`1nEgZYPkEHwjkJ>Wm_aST5^02kf^qd~j^3P;?EiUrO;Kx`oJT$kbx=-FsA+ zSBNp+d)$?CV#UNN(#0RWZ#z)HrY)X-vR2O`4toOp1k0v`8{*!`nI#LF6oy}y8bvSe zH)o6~kp@^Ucojws6l7bRQC}kXuz(mk4o13xy}CiFQx)=Da!cWFH_;0=zls4JZxRr z{-dsFojGoZA$`Y{Sp>;Y{K*KWz{jQ@o_JTFN$ZN7D0I7u(V>XPNYn@bh!$QlJaT#F zeI9S=JozmzCY&kwAH+2(FjMo3i(gMGTlw7ZT@_>9lF9BwoMA?L&bjJGMALi4D2)Uj zd=WV_A4KWU6ikdUW@!ilsp2Psl)ExIGld!g8A7TM8lp!)1CxiJl#fHAsmG)^*M2zd znhJDXOixRWttZY3d{-3cKyV`m#_p|tOuvC>b_R};KjlS*Cb4BHXBiUFL+bc(-*-#+ zKaOpFERM55ZAdkX5oYnlVmW^mfQS(Jf+w4VruQ+(fCBerg8eH!7$l^Wd@`XsWHNVW zK)OUbQ1o8D#=p7k6i}e$^(Z6;v`fJ>SsieEAA@MH+M^n#B6;Pf^^iW5aP z5@dMwJ5z%FJ*47_>QWac_hGU7N#VHZC4-zO_d*~GsZE9#2FPo9DvKhB6=gyXTDD?^ zSTsc-CBg0cvQO7HxzQ^YeLcQCsf_Y_ryq@j+xfn*cz%4C>Ax_apSeBX7k)lGx{Dfc z!5V07*;@zfa>9|0D7r@2nT$%@;yAzF&%!5dMA>`+ebdX}i_*!294^k(-sr#jNB<9s z7UATHcy>ng3_SdorZLY#(0D*$w5P5^kz!KZetRYkL^ho$^8v+&nLX;HsOAB*m3J#U z6cQg*a*s+KX8{sggj6$6uTBKuSxhsa=6WQ?mG9HK z8FlSsy04}%y;w9fYnN97v%u=aP7Fwkz7gW7LY_+MnVFj)?@-_BK70uVBQz*rC4YC2= zDsE1TFxW7qZ2S{Y#3EP)<#JLeoOEbDgXG`Sg`lErSs?`kd77KYD%JtwgRim1V5HC= zkFp0jnnfoMwl}dH`adz!h4DeQ2K7QcpWVg&CeMC?P;dA0a&7$N6vp1z_y!Wve0?13 z-UyKza$|s*LcO*dOM?!}T+EHUw5tUDNBf=L|y~y;WC#j%fmE4m|PzAr7P>+b5 zx$aK~&RFP17zIrcma!kR!&PBJ9TAi3AS3{3oR5hRIURxyF2wQEk|ivM zVRLizStg1O*_D0g2xrnlJx}Wr3htE8g~=2Af$;1W17T_#g-&p?#26aeBuuGq(AZP} zwO-s{v1B@kF^->8V~dC~$k?-uH~~S{UC#$*Gd7YbOxhR@YSZ~*Z>*^ z!k5PG4+Y~OJ}_M>tXqU6(=bHuTXv2BGg<%}$Bz}IfeOoU9qEXx!THNqpM(_g5ytZm zA%gW`WEBm#+fwQksQ($l6Apf!{TZotMun6fS0M_FpRgoz~?-EQ)v#287Et zz36ZLWlPHC=kPEpI~@;30?@xHtQ;z0b~iuv-7Qbp-+H~|-8)Iw#H}oI$BNCJkk}6;{*+jS`X{shtRb>DJRYq7OAwU;d9X12N zepozo1q@8vMy5W!60_k`-zp1cqIn?Xg6rk*%@9LFDA%9U6>b zniFjBg9nkjI^LpptS;80E6HWaV&;uXj@afWfL*eS%nRB3L=qZ;M>Eq)j$0UQVW!Jc zmK$0LaluSx--XT3hJ%l_S`D&;Tu%*yUvU>nSa|0~fl&FO6sNX?UE0X!&!MT{7`Y#iDa(&E~`2FmslaujAv@u z{i-G&max3VBg(e>FvmuHwT=)m{4kuHCL~R(`PWYkqF|^^=QYf*CH5bNtXNcUEKg{t zjjK^D|IpG^q3IBW5`N5)3}{m|OmAPxUw-zlW?)~AL1SaK4nX|Dw{BxySqYS3GV`rX zcs`?k6`C*nBt{qsybh^{)9S;(lI_b-Im#@rS+tKX&5LKz`HIsi@d7Yq*Zrwv zf2`n>%r&B-WJp{hX@Sxr9OaV?&~H~mUn`}imJZ@|iL>=_!WC12?A^wHXb6OI^sSS+ zTi4XjpDJ)$4BEC_P_~1g-rzyUWVr1CSWfC5;Qm^EIJPpy7q6){SO0g@Aas+t2>rN- z!prCA;^H^F%uCPU@`b8Oua3+0r&cq1u7h{!{XEsq8>>&qW{3zkoTb#JxHL z&35I0we6{c)t*_P-b7i&-@Iv0ehuHpiyppi`ifXPCvZley;DEWu^NwCk>XGJp924& z80Bf=p?=uZ`A_Xh?CnUp+Hr~Ic<$@>IkBw%_?YIFD9VDBr>uS`Q4TQLujA$s7hT-n zuZQ43J#O+fMIURL{AApe_|*ZK6@qMES_lcWRz~!*6Sn1`gD=kq4jIah*^rOMU@g1> zh8Tl2r}SUz>W;zyUH5oxwe5>ymbK0q_5qf>Pl&adfKxvI`L^2E zAE0Q!fBquc6TJt{gMRnR{2dGU=4xUg6WKXSJ_{F7v7ckbM(X2|6IH3Ci^&iFQ=fqBj6 z`FVJz?`O}&g>Fbvf{AJ*D3eD7fSsDm2R#QbC>Y=#<7i7uwvTgQ5@}?5KH}5h=tKjH z0yQxyvkClNA??>?Hpk_Q*SXGec%R_)Cms-u1urlFWGOvgaX~m{Lj2h>Eaa&sAY`v; z5>Xz%5KQHi^vR7Uc|gcw-pR9|`jN@Ig&TwK%dn0aql5huRYfT4y71Ro4q#tlYpujhj3GThs z&(*iPAG7(XQ=sP6Hj{&EBR`t(p_ZVImf?({GZ!6)y z=9kOZx^@G*r_s|LUWf)7weIMb8zNZ^TF|SK&)^7l+ppE(-im+umUAbmc_p8w$>!53 zr+FN6Tm3GYd=Kg6-Pj)|g`2A_SDE`_<*!L94rMXRw|*+WOi8YEG-~XQ#=hvAy=&rH3oOHq+p`EAzBpy?U-%;`-MU58M`W6q(6EO|@6S^G@oF zMuP(Q@Rwy|#ll69n2;4`)CrU?#TnOerU_r3y9R<*Ip}`Fi0wBb3W&OL+(>FzMf2-q z)|Y|O<_#cwbkV<^A*$V4N~tbF*Vxb5`3*6larV?v0*#x`q}!IJN8x*J!h26~D3ql3 zFC1R~*i8!aXd&(_aGk8~pB1-2|9j4>&FyVh9z?EaY!ra8Fy{7fy4aBW?d)zHTHi+b zkuY;RKRN_@@MRxR)F9)3=KwPHihEYQaJFG1*QEPoCV!E>k8%RLSH#~9=x z=haJgdkyM35A`>rIa|EdM6TR}4x;0ARByAede>6G>dcmF$#HF0PLGYJzDg6rh#cCu<+5Y5RRpi#*3BQJwN+0lr8Kp5r?^*1zE$HZ34w!sWR6G4c#v zWJb3kblmpi$2_rp^PtpQe^2ub%}(tv^Gg0=OP8jhX=zb0o{RX3B;F>TYdA7kEDFrC zkREN$^@=zYZI7-I0kCq&9Ap44JfE`U0(*=XFYGG*{uF;8%HYtH-Q;5Xn*iRjb-5n0 zX;$kou$pM%fOPOR?{1T5?ciorp5{fD(Izn2P~mkW1a%2{(iV?; zv#9>cd5rLKQOz|h=+@-ru1TJ4<6fMz_v0)VIMBssg2dJLex5n=-~mBM?~wLl zM450QpXlXanD;HZPZN*Fk$s4HFg9Y!kWH|N@r=6+0LMd*(tMVAm`^LtlN=8Dh~q9hM@;ELo1TDe`c(+RcW_LIsOqfUf+ps7nd-Bj!|O`8@IsB@g8{D1z{Q@870~*C&AbV3XxIDW<9kGgvoY)+ zc(A!#!QN&tO3m=t#9k79tp`S!0B7qk^NugM5Ka!xVXq>zbUO-Liw4X{*t9}R<{P`> z=`NAv8a~;vrzFTV37k=_%)KF*w=ok7Vwq}|#;PmPT^1$2F;m)3++;Of^(Rux5y)*& zjs;AQ96NV4dY4Y4L+-+XhQ;}fd3P0ZEyA@Do0daIDd0`7I8_?=WP7&Qb}+qU z(oP44%lA^Al7P0YE_yo;Zys-_KbK{i)Ll1e&r9}EDVhn>sh7~rO)ixHs;^Q~k zc?ETrn2YFbWc?$xb@L1)$g!-;T%lI7|E^s+QH|c(R%;i>Y8TCS>c|k=adFp06Lf_R z)hX*Iw+=G(Ow}PjMhh0K*^AU{bF|+#X0~`5Emo)4Ktt<<#j#N^18x>{FATenkWtn& z1WB#!)1Ont-1DDgp{Kq;fB0!~K#L`dL{jcpCw0K}^RPu#>1Tu1kpWA_c!Klztug7H z6L>_fR=NrM4-&<&^i36m?M4qNZG6-M(;gcjw2p-LO8806g3_xS${y?M{SyrdpED-o z`|!@`?~TG{2MIa*OAju(c=g1by?jCWz?c>_K9lg7D5Vibfw>1djrg>Mpmr)#`%xhz znXHycdJg+3j!F%!i>mS#8_q|i3Y{Zb1Q*7(*n@l#TV-$|Q-uW)cExrF-g5Ts}Kb?3sF+ugq zcRh}secujl{5nu}?H*jc9w&^>Cgm}Eppn!>30vtIUE2r;7vYTXfiF+Tc8UWpznMZx z4W-F(#1a?tjW3?DIWG3aXj(-OGvb3+o?$w?0Our>Wpt_G+`!JhVjgwz2;3A1)~UcB z^e3N!sPC|qGxxoJs0pc8q&F;&%NBc!i*tp)`u?u`HmH3`b70GYY#5U)(@%lCT>Rd?y}fdny?U*gDn#wq99Bk7_HS)N9b{_M*q+eu^?5&8tzP@^rm%rNESotz8o}l#@ z4x)P6&Jvyz5xko5Zdx5&s!JF2`YHMq&r3Yb) zoWH{`Qgx$0+B(0R#c&6w@Aq;2eDl10dv?Ljj~A!^xxnfEv~Xk7+xf-k+2eLEYZM{y zFc%W<<(VavosV5xRg+xm+t7cljv*Wr_2wD#r!7pqW**in2Dhz|7j9;n=CPrF?~Xb; zPKUnpS4=3^I9L^!GF%nvT82#dEs>~S3lPF@mRFbEdd#kGLv z1stjr_XQOODbE-UALL*mrM%~c;g5nq8Pa6B{SM^HTRXW8Xs!eJ6{5&eIEHQ>G^lqV ziSi-HW%f^NA@m2xeCCX(J8IYH^$TG~RC|@@wh+O>$*i;r`)x|z(#)03J&0t)o1%}( zYgqZ#kzex5V88&%)Ln;k2IT={AJt?s2Ozij5*0)s1AqElqz9IheL69B`E`8(bRM&i zWu%*7h?9>_L!$~3vw4t?QwFDWAxqZ zh>``xx(hE$L+gUsLnOO4?=uaigl*xKnto*#xtvl(Djs}sG)2E!mbcKRvKYv-0G+~r z{0YTtOUbL2($&#k5|bdkhoD2#GS`a2eWndV2Gw>i`1e~w6yQ(!Q=%_8RijSmw(e{P zzGnJf-vTkOM+{9m05cwJpVz)1SI`G~&I}qg&k&b7ldc9d@$&8`2eh``=E2Tz$5TOc zC?owZyohQKut76*9}ivpnI`*`(r~O`2I{GbRKr~qG#0fjd9OB&k9QOs72GFm7O7^X z)0;@jgCij0pnuO;j8$g;0NxC@v5PhpAQ|Is6dYipHiR56?=G2MoZ{}2ADkkn=m*ie zaGalmYHs{D?$4K&ubmxWVxJMh)c!FHDEa3gb_c+X2kXevz@Yc1l>buOL-f^7D3KrZ zlfpj$jz$7>TA=odv`ryIIa*LHhZ~CaP*i&>b#G`C07^CzN6s5Tfd_`t*>Bu@g`_-j znOsAZ%&{1(-MQu|zY=VX1NdQ>kH|fm% zU(O|3D8rNil=vA4X@`B{cZ@`}eC#}t@E%o|!uZU+P1{KDN!Ve^6wmC+v0GeVS?!q8 zrG{(|w;~Aej`p=E`}6r-xnX+SD~V--;DdYP0i_pKeRvn7-y1_&@Fnwth>w!xEAcA3R(bV4!Z8E)vcyO8Z^ab;St< zy+rL%zq7G~*6i7+Z$a6gePb?+UQ>AC4MJ5=jfJ7VGxV{GyoQB9qK);ya;K6EuvC&n z0DayWBqi4&?Jng_SFD`X2_eh}VB?o9f4?y`HFA(PPwbAh|GJ^DRVd~o*S*xON=^}T z)0ASyBu>+PV`-l7$5cVTN(U=bbh3rRuh^y<=@(398n+ZRW73@Ak-jivdr6VNTo;-u zaD~o&O@uSflPmP-*$R|vKDh_S1$>J35)?bDhS-1%HD7Yr&sry$^-2+Gnp;{#+_`S zI#n2A&>Ezr%Lvq-Yzv>=m!-%Jw{OwsH{NFPGbQR6l9)(>8Jsae7cRMJkEi&7&EK#Z zh;=l>bbdCt5e^0rmfxLCk@-gVPrQmN;ne-0Wxdo@{Gfcju*kv!$sdia1w5GAzlj94 z6bsut5M`3sSi~6{i&Ng%96c3(vzMd~d{Swe^EtMURN7NlJ0qdik zq`b+Vnv2P;>a>XV zNVDaS?)EPwIbxU4s39U~)D;iLkzJe{{TE(3E8#IbJVXF_j8Ee4U#zJ$Z~p&)BaUhWbMfkGIrRI6`wa=B=qNpo;%Iow0W(a|${y`dc(4R%ZlVd* zR3FJ^AUezJU5QpD-i77=1p36c!cPUY2Z3@4&W--bTNo8D$i^5z=TA(5XbY%@Y8Sb) zB*N}{TRBp&l6s)ghSIU*L;%`n<;Z~}zkj@>oNTC_twOVBCNVt9Fl&PTPP8JWAqL#x z4Bl{mun#?i6Jm7uJD9kSwnOQr8XFkOFmb7D>j_Bc|E--=`oP?n7yC!aJ4lFX^e2XXmK_HAZ5>>c6kzM$X_i75E&^q7_GyxT~mP4b0 z4Q8Da!9l%roq*uJdsl-7b4-1MIqbDaesFu82)pd*mSfaa4(eeO${|H;PAs|P(v9+R zju}GYJGyXa!)y8D?7J;XGj>cWdH@j;QMbr1Nh9(khi?@!tb{O*jl0 z`BY4q7Z?gib~r1unNQ2};JWv85-nxW#Og;iX`Txg#x6!GRtjSR8MLpE0vR(NhA;Ll z_LyV9WE%GsBOLVBo+_LssRg*7$ToH{&upGSi)85xn}39MiE!E<_PlGG^mn3`CJ4p= zIyFqs)Z!qi+`iIf(l_V7e}$L4E#HN8kwLtx8U+lbA9gS$D3(kwzSK9SgNnAgkI(wA zXCBaHyqjzn*{{1NHBa??D3N0B{xTfPfuAp;=b#T>nQvX8Z1?^XpmfG0sL;Pa+All~E zi;okQ5|g^M^hua)mjvH+Ml-8Lm}f;EJ4$Y0RTaZcO~DODBy+V%?b$f2wIK{N=?~A4 z5YudQoZXg9S#?w!o=|0CqvS%)E;J7MB!Qs9-4!z`YiIb4>4xn0 zVr@#f%<${k!AZ%aidJ-UocEzPO=P*B%pKKcW!*&EgZoUmeFYx_u^sJxJ?Qa6GIhF2 z7G9V!T%+Y(D<>wGL`s+mK9!QSd`}ftSn#SQ1v5yq=$`A?^`e%FhM{VQI6pP^>4%h% z)RHnj8*xy#NC5kJQ7^ks3NF6AG4}BB|^0hwYOfl@YLCq z5|$|6(U*LNF?zTJ!CGp#;c9~wqZ@dpJJ5T z1I;%KpZ2?#s?otCjC-{>Qez?$jdq*!rJrQ7DyNnl9HSp1oWmv{EkR=(Jw2L&C*GWB zYNhQGzEdZtH=UJ>SiL9^*~TO_Gj$6zwYH>97wr#9iB$_vh$FbJXTpqEa0VpLI#Q>B z5JDN2z$#8kUnn8FF4w@>1-p&W{Lisu$`F|5V{zHGF zdEvOhhW1@s#!=8jOdUf~d3N1YQ_SX&q?hQ*Ti%ehRXSKOMhuAzWdbzO{027$pF9%{7 z38WU`Pq4Wk{_MuR<(08cvJc{GvPag3aUBISh>jy#_5rdeLeZ92eFSNfEOj*Q-nDTh zW?jm*=7>VJ!FV9U$l3w|7|vmnwtwO6i()9w>~Z^e0xti3#82wsUN@YPwkDt3=!quL zE-k|Hp!6|bHNc)u6c--`a|9U^b{&TYEYC4ew^$#1U1D>LdY^bsYz+}RLF{k|->2CU ztqD;X9TrKdBh-2oCdZS~k0nnKP6VJ|$wi_)%y`cl+r(RFg3VBK1qiU+D85hRxsCaMSY@h%2wB$0PmY>*=cRnG-I}k3LI&FAn_L4NRhl zbHZY-cLOmf3#4ba-;et0&>*}Q7BCbb&b=JM1-}nt-Yw6~vf1c#^D?qDUgvfQ4O2(} zlN4Raut)8eRc?T3{P4P)qCQ{MrMy5>S|i-Jnzd*`{R$dNFIfpD4euLLSvg|lkc!s3 z6fhkj6jhVUts9Xg|3Lxb{v*j0je*rND522E=%P^m7vQDdunO!6~o(P}lW~>mA(d-KRhl300ARO-P zeU7zj$!N$ro9=Sa$dtAoe~(E!=p`PqoIog~fT=K&MDaH9e!Alh?bTYPC*#>ub=Nbt z%n_JLE@6VG?t(V8V)dO#``wi|!6odP&OEGf;x+RANDqavhYYS@z8s-tf|Xz25ssZ> zzD|N(JuB2rU(x695*_k_tW7knhTnYih4(iLRJZAEHI*tDIZ1XFhnU?^CY3H1Zjf;Cv)hBYeXTN zcq13wu|tEIH`g&~uT{5XhmpYh%#T>ZdR&atL28gztqQU8q9%U0Eu)J&;yV{C=;CiXdxKyxo6kW<#U_LqQAWtvEq&?hh+xKCnbh{sv7P!mq(CJOuh;jJZ@LV+PZ&3iO# z3mos0(nFSLE#}D2p9}&)>&J3+z6u6#FC7F(m0;Iw>b6#g@&L!!LPgbPY*@ZW!U{Mt z%hz|bS&=~ktzJEp(?3y?+qo$FT4=r+dg_pO!2duYNtM%&6>oLY&Bgz6luJh3rYfune>jA(4(Xuq;WMDZ7uj>iQy&_Q7@kEzUXa2F(>VQax z7|>m&MX`~^F|B!$yKPhX!dCb;2Ei~?9|>^KQ8`2wP-9{j?`-b6 zo=~+uKwFKi$s>uoabO~g3xI6Rr3G8XlpN;@>I)_S7&VpR-zg`@g)EbNXt%Qh4)qO{ z+Tq~0!L?|`$cGDqgFGuVdd}NHEOXY3=Nq_~)$4|UrIXUb8%ZsZGcd!vN@6h$2L?A= zXs2r{Pk`Eq8&-WcJ|;T=_e-#!_Rt!T%{s%$Mg5}T5~Lic&2AeuXzCCAPnM{;A1;9z zzF1^1V-`OS%0*_RKC1VkXCaM9o7*#Q@FAh@oi?+N8oA!Tyl0|;LUuF+y zBkavmMs>io2|dVTMt_C`TfO&)2sJ6m=_r4w;0oZTXFfG?>$gNQTf@xiDR4opGysZ% za}pS4!IDd)MAZ^75bBVDKX)Oko{@7AbM&ws0yh~u!}{Q$tp+l^m?-C-U);Rl(VTAF zL49l>oX-dt!w#^1^KByfxUJ+jJ2_UoTyZapObam|RK}AEft|?NUu2Y$4iBIqyHtrki1j5Zv^Vt+Qi?mczcR8Mmpt=6?PJ<#WbZ}3gO&ZgRRgzrd|(_b*<* zYRU~)T)n#)+q`mOZw2+HEgP=9_V`_T|I#@;XU%6_W7l&1{1+lfSp{2C^>^3a^9uqd z{lB*f?siVbhW{B$d8MZ5w84hpyHdN_XJf>gKtcJ(yaHy!!R83V97(=PE@uQXj7*)# z2+Bl4p=bYR8`M33OUIln?kEU^#uYtk%PuYl+%>o4855l?lGMbojG5EJt*iINZ2ua! z+f|4%$;M_wZ{Win)4T`Wa3>Dkm4L~M^U~RM0)Cf*KdKGBQRg*rlqe`i7GJVYKZAXg z(OnQ=*Yg|5%lA|iF_QC{o{sKauVFdtyn^T59>1FnS#@*+2|NY+1&F}s3cADSL zyw?Y}%kzyJAEuUGK2iTAF4tU!dKAERB3_ufGbl4@9 zwU}3urkg^16wAe8()<=chhOB!n?7xiIi3)z5V$xisH-Kv^fm(nw882Y)Fg5g3Cfz%8t*IIRcol-8s3lQOVzWdI$4R_;TpAy(n!AAlF~36?RKhO*9(^pZWJ zvnO)|r3H*TRmnPm9Qu!O+lam8t8}tbL7Rh7sp$rXFDIj+_u}qr3($QYR4Sa{eF0G2 zVgu+Z*E^S6fvq(f!|NcNy(RR0-dP(HtNX4-=V_RO^cH(OB~OQkh-b+9w6e?+uJ*lH zecRvkO^teolyrQ4{z%x{$zszH|lXeHfn17^o|A&&e(q4D-nRLN{97J!}d6 zWzFd~UO*s(K?F*I8Q2UrJ2616{)iK$XaOGDz^ASf@MLymi{m-N}oMbf~Se(k%Q|ag_R=#noqV<`~21S)GSclQs>lG9HcMoncAvaE-QVmIt}b()7{&B)5sdU>LfVdpNay$bwO+1@eZW)X6@|2a3UZ zp#tVqUFyZXNU4-xv&$5Xuy+})Lm$EBNrTsMMO-F9QG8DASp(^u%bL*d!=p z@0XIp$e43zULE=3j{9Ng8w}Xk;atROa#m!;%lcE54Ak6Q)mxdp$lSypvpB4L5FH&0 zWSqRkc(mAxrLv24#xU#hmeP$?r}JyFd{o(Kx3S^Cwt#R&IiVvsO_mLm_PK3}Fb%|) zrMDxQ1Ia(V!R zH&|DRNI#dY@Z_&W#-d_-)AUe&$pM{gh=Veo7_WB@O&nsCDZ{J9uX;fgJM~_I5!8E3 za(!%h*i@PJhZ1x|W>gAD@s=q<8S=WaVDQ-+ADNTQy6%fKN_0`uVvf?-IJiKK(Q#Gs zX7|eBM&P4~UA4=&?mPju2&Oe$rOR5@#R>6`tOSasqtw=1y6S6efG}}Lu5t^;=aS*a zFv?2S!e{&0k(i-knu=QrXbl9xFFa0mU*=!x-|UJa#TmX5#jR9gEvlv07C}eVwx@f3 zOrCsmIJTG&PyfKw0oags&z-+)BQ%g#wom`X1KEn7tN-^)YIlVBU+*|GJ4ahn_y7Mp zZc9zpc0&wh`vPT_c)4LyDjBCqAepH=X~Jm@Bn}* zihY8VPnu-h`3n%i@d8vCe-am&Ef4@WkIZIE2tZd=7W#~{g{o4iXgcz3C6HaRo(lo_ zj5r^SOt2(zzz%!>O;%bk@$+G&LD(esnSrpRIQZUsk|>F2Oc>aNs90&D#QZskl0E6( zWjUYAw>d9tN=q_OEsdHPJ4tbi`iA%9bUzuNtY4Pz&@%io-|3q`HT*JuxtseBUx#j+ zT{%5=Do%jM7ou16yQlHRAC^y9chsqDU(z%1C8%l(_dwSX`2{Q|=B|xMYXNTLb<&`B zKa6t7kd6W+DiYHZm{bKImEc~~1?%p(P~R4?pA97HLZMT4o!PeJ+)A;M&!R(DB{++> z$eclIT;(>3lZc@75E@(%f9-akpWZ4jqORy7a$Lt-yW3m;V zAJPK&Voy25v0`&U$*)8UOl z6JNy5(URK?D`CPgT#}y5ubopuI$O#9?t)&Vo8{6;(Nx#egfREYz#dBLOF<+9oi&C{x@( zc$BbtMU!A=sK&7b3jzOk#bjR*8n|~LYxUfmPPARhii(7Q#2rED6FVJ>mMG)23=^)2w$D^ev`(^vtKpO|d3W3UpL4D}IiIJ` z-@8$b;eUyV%p6Vs4>6I}kJI7^($ALPFj3Z!Tzz)%LWUAdNH8A;h5>=hN8|^O`I(J% zJgKT%q>B`Oh7enyanJLh_h z35g-j2o6%)p^siKJ^YO41n1}7=**?VZb7^5kTXn`kYtL3LBpY4M%X@7P7~u9Jm)%Y zl0riWbC@v(Mg!*o!OYsAKeC7;o^n?rUK;LRNN6UA1^(=ei`LOV6U2y?ME@)GB!=MA;QD?24$QI5tnBZ(vBQ=d9CA#bIZ;HYUzNia6++R8 zj7YzCoMbthFy7+~NDC4dZLuM%2^Y;1p*4T@5-S7|X9c zNe0|n(n0&s!i~&rkoo4{$;8@hrggQt5M*T)Nb0^K2JvVQB9SLagI@sf>d`$kY0#h| zvCOb)?)rNq|JA4=%j4xAo|O?AC!|G&l6Lnr=8AV5rW=Fc(I`x7#{tI#1hAFiszCr6Yi!E1U1bdQgEVdV)G|q z%2KO0=;RY5G{ksk$R3PGYvoX&&|+*~qVfS1KaP=Uv>q!SA1oRaW?s|kRfCb$^RtAj zP%o@g@=^Q;EZ}s0qqr*2<;x*D`n)Mg*VDZX43Bt(YYPH~iy{Bi&$XBk0mZ^siE)9p zbn%FzTE#x=II~?jo04{oB+qE!1PO&i+Q8TVX9my6f5KSo6qu|2p_@+Dg=wYhf`xrK zu-Gm-y{K#?&@)jS=?STXd&DUMNGgs-^MJzttSH`Hhgc`P6EKnu7pcBkv>k>l;~akq zr#^o ztsR(2ymVRilKA1synB6S|3lb2MTgb}+q!X9Y}>Y-tZ>D) zZQHhO+qP}nw(Z=U+wQ~t_rpGqbH0w&MjzFy>g$HkX@w*R8TlfSbhDzM%4XBx)yjD& z2Llg@XN+Wml~fRg_4}d`W{)0yYSF)gP(u~=fBb6bcY%k<4l{Mjgi31_<+YMlnZk%M zxS|oqsVSe!n%FWi*{mx3rDdk%->HV4&hx#R$CVETt`aMSS~ER4q?X~=iVOMqFyytL zH6A^Vn?~zSQh{ozHHI9^VH)#{9{vo}2jg^YW7b9H!d!3s?yEgDGfUJJiF0W;gN(UQyC&@&5jyiE+`scp>v&*eKo~b5&MZ~M~p8XQeu|{eTU9b&tjSc zH8#a*mQDg{+4-^5C~6@mFSuy%l`W=nbbkQhk!EtDtF{_MMbcKTqqXP;j}eHddDhde zt>1Y5eXMA{8aS)|W6J7SYU(=idl9=iMkDV#QX6v*ueLPV)Xfc&GdHw^S3$l@pAZPj z4^S#lT0bpx)k?UuahKN8$F7(MfgWk*R7>gg{$u+kMo%$qA_pRp|6 zip-A7H%6+QEnZYCqz-&b)ztt+r-fRx3r`huL(Ip*JyTX~Fx8hU%%=NMtWm}r6dmF! zpyD+ArG>a)pT=603X>>P4azg-q&GoedHxeJ)zuGecJmZAZMVov_s_J#ymdt-&KSM# z+h^OBgIkX76PVFKm-odqMrL|iTPla!+x7jmY5f?nA&nw@k>n8m%Pn3e(;Uh+M$r}r z4m#+7cB(w_lnSjZ!D~|`T{Sn)g5^Af@|0~_7;u->b-6JWTM6*-o$O>_EFS!(Z>vNc zo{obb7~rP(78_=Rx0(l$)eO;3@0?{QNt{E%nq3OP-`&6@aJFO%#+mDwI4UI72Z=!y zqU+#lRRN+o7{~p4LE&`m{&ZqsR_&ukK(A?62f9~zBplWL}4#2p6h2vL$+Y0n^Vk=+7$MO|fSa{uJT9fZ$++=) zS36SswOae>8c9k)kN46408Wa@Wk&*?>v37}Hf3tzFQ}9S%kfb(wxW5JmbM>O(&D)w zt9F!^I>WD5GSLzB;mDZ?j{YPcH*$_3bC;J2oUv)~w-X!vLN&8Q*={nUX-3v4g(BX> zcXI&z{BMgk^l46K0)r(W4JT?<3OcZ`XpNC8@`r-?a4b^K?7&Qo=UJYb+O>ntTg<+S zY&Gr*-VD9@a^;)euVcV=&B|EKg7&K5n+ISVJ8nf715YhsG(o5f+I1q5kQ>)mB7`E! zIojQtoDDyMKJ=OIM3Fv!^mkC*Y)I@I-0$B1KA7Mm63%N$l_107lQx{A2ObMa0SHGfWnF@5SIf!ec`5cON&s@yHk zBKfOnr7AM$u*VAvFQp=5u(Gs2&?U}-8gb3syOxkkjxHiqvUaE(Ej5ZxMKrE+jIA2f zE{bI(E;BY>ZeH|!;&<5^%BSP5$8NoA_5xl+ zUQO@q9)x%J&`VRaNd_Jt?1X=G=Sw)v^6h2b6-R>aItKPyEMNEbZclVzNr8WKnK>|x znn;Tin3}z?w}f~F*&8slkfzy-VbNu24WnsEGAlGut{`3<8P^piWdPdCFH-Y>bAwJ@ z%o!xM14dPIr=-|y&(#M?f=-QLtwg&vXLI+gRnSeGD& zzbJzh0l`!hS|-Qzch_(~lTw&Wg!YWDYIoQ{!7j)TN3(^JusFf=TpU*v?PyA#64~4ZB44sJf{jK~^ zxO#T#r~h)pOm`~%^mgCciBF@lw(oW4ZPD!ek!q-2YDCVQm>5jQovHvo$rkN1k1=Ox zh{)vhVX_(I82xeb=VJehDHL%sDN<=haP$9tr% z^ERbRq;y_rf+Uw3CHBgTT}rfF*#)RIx;$_3^3zk(QAF58s~tAz=ull}*tB!deN42@ z*7oP#WtI(2&)bFJiVnduL)H3R| zgvBLfW5VPyPGk`Ggu)mS0Cncf%4Efn_<%dN!N`he`;x^cZUl!b2wrnv!v)&-B3_(f z1N@p)MNH4~vXZG~e#pE%Wn1xiRc;^?$)*J81ZNDcdU%LohRDef%kI9Te#^4r>W0M8 z1pkLO1EXfu3uI%Rt`+IuZZ#uJ&^iD4YGN&wyD$Hg7@R>tg!vT1` zJYWNe>4>G0>L0Mz&7M;I7!#h~hB(GlJketpLznk_EeDiqT43K)%~zr6+8^S24@S&D z@h!{^P`gAz2rWGld(Xic^TroBXvvPL?UI%4#W#81TGh#QJpmcA&;|w)pd_Q9Wh-#*}xb4kO-*p9CK&+Ox zPMSJp}Y3s)D+PmiXPUA-2Gw)J76iSvC>9*5M2XlU(&0$UW3TR`&+O{ zGJ?1qXjNZiu8YLSeO`C+Bg~hr(yB`C3|J-*yZu8(h`nI&ss~I zI9Y{U775FO&?q;W!KmkxG$WqH|AO!zdv3($P_Nk4l#vHmfrF*OMYn%bvj-F`_|nXh zBHP4LQv+z9pVe<|jUmgT_gp9ogG(f3jdnv^oF5g=L>N-|_QihyU0JbGxP!(d3xg%{ z@|rFTUcB?nrlSdv+!ITRGL4ARjR5HL&4%(Db4jve8(iyD2h%Fa(d;OxH2Jl8!pe7mN3f(=*fJUr)QtTw-oL4Ncp?xPWrw7wL);%{N*8YUeK(g5OO%}v~p>l?q$B@#MkUk zrq04}CK)H?0K9+YPJ$$uU@66CFe}CUJ?@JqilI*iwUdfh(R`4~o9R#ny-`=o2 zL6MC8fdE_L`D}c zay2OKI%Y@GLLq1c)(G8>xskc(u<^ z`$>!c(!}W5`$5*d070*za__`XP0prlZ^f*444=jT+)2{P z@JF#_3JFUGdt}h2QX<%7+lffo{J4b2(u>WpS4}3Xcr!Kb*0#D%(N(QKF>KOZWrse1 zS5Y(9k96bh&wSI+mWYnvHEr2=Q&SIU*aglqF-l{7n0X?D^&d+~GYYG5-E;l%;29m> zp0Gn7B|N!Dl!;tGVrpQ#!?m>TAl%oEAz<@>?v)=zLo4u4AHO97M1Avt4xHSJ=|REu zev3q@GJXC$S}#XrukzA=P>Zk~iYp4vaoKhQr>%xg7-*_|lITtd9aYk{(KKc(G;4iH z$+8pSd48hp39n=%VyA9&@Eg%HGUv=Tup{&{#jbcf7m*Q4^@fuix52W*enRN)tWB&td*dh zq(2$7cFdNrH2pnZI8!-K%u1`TI=#ptU>3 z@K=dd;W7x@X_WdRq+Rpg%cQb{+I#xyGX~#>BXl*M*v`V)2K`(LMXjgJeghgZD@iuo zFj~E$K6Tt=dZEl=9B%tj0k+CJd?e6RHXMo@mqrRYMD6&lYew@hDr9Mmtn_XGKKkW7 z3N0kUA5dhB%(zJMqG;Hty%u-E&22)^M9WB!hb5ov;#<28G{-v)l}nMbx?~vB&V}-H za}$OB>T4|hHF^J<)BCZ7f9i<<+ga~6&sx3c=dvVD=;Uqv2_^=i;vD1RIh@Y2y3R@yzmP#s=Ozwphk1;ZVbtI4^v~f<3-_6} zfg3qp*C#EvZ3=u>5T)?nAGxF;#xW*9vJqafyM|mgPl!YYfSh0~UI>HqV(yN;5*HVj z66&2ErPloq^h zVJBI#p5l)Epb^t|kDVB+(qh0mw35|4RPop+qP3JzsWrGe?>B<%FF$Pk-RFyR7 z2kLvaq(XsluK2lVa@2nyIePa1gXS`SG<|>>k1=px3}f8~PK+Q9@!UYE_10wl$z4;0 zG;(e87Qr3aJ~M3eCXUVs{)sWQ?jbh2DM5ycKPpVd4Vw=XQ;5@6FajGnB$D&UfOH*+ zS0r~$KFMQ2jEi?>+$(fmRcy?p?=Y!C++x6$W8vQ<$cyP}-pein;oe6Iim+vxx^w~I z(fq=4Qbr3S;2AQDVWb(MmHTr!`1Dn&mR00ENkHA4q4YQ5m3A$p&&699ZyZlPmHx~k2U(fwVJWYx92M;gejxzrh+FvsW^qeOfXz8b>0D4sU8y9R>+t-b&h~sex4V(L5`Pp70dm>7Fu* z&KkBVi!n@-9w~Q?TJA45MiA$vqEYh`k?qff4w+%}dt?k3oe3g-BXEZ=U zGBL7s?QTLn9P^P&uqTVL{_Z9fymH{R`YgAxHXs)Qb<0aPSDhGy3(G2*ng93+co zrhv?B@Fd{TvKI5wOQ`r%w%@yMKAre5f`6|*i&L{FVPr?r`kYcumTtvXUbmQ%JBHGPwlF5FTH>YCv{ZuKbCTV)vC#vSB5_UkG@`P3o(T{6hG6Qj0OtkVn_*aBPTwRLdvO#ncaB#D4hPd5wl4uQo zI-;AujT+=7K`42niup(pw_H>Y64`5ZEtt*XG{1OnS0^_QzSFr;)B)yXPKjliGy6Zs zYO9M`binZ`JXS#Nwb%1~xv|@y;T6_yx~&WENdzlqWU8g{%&%${)69ympApAM&cG8& ziEN_~`bwl|ZQyzGv3AZKKhS2fXQ; zX`OgtFXZyBx9Ad86)z$7$14U!4t)nMAg{jRPcg*hET=8kuQceWT9~o-TCA83R_hJ0 zk*5=eZ#I`<1CLFOni{K5Hf)U3`ykAD39o3_EvFj(hXA^M#x|t`*%xAH*Yq76AM|IP zFtQLh!9eN*J$Cjv29y9Kqzz@!(%j~Hx?#G99HzQ(Inkby zsEw-a!}-5Mb^sL0$=@UbXS}fAl*kZ%HN6;1cQdbjruwbT|Kg*j;k5D3TPef;kR$u# zV9=zhc9zDW>>PJfCrkxn#eg5gKzYPsB4Qt)tb7pCk-YA3P~9sN%^X60EF$W>3#SJv zCgprZj9vuqY&)wQR>s?Dlfpekkz{(kYV%yu2m&IVvw>(6OdHfc8Z4gHNXjGh)p)hc zndQYU)7cZelvHt;2`A1u@V|%DN%k)Rj~8O)&@6V_U1a@ zFB~Lph_gJn>l#j4-(vk&^U{khTHJm$ulg5Sj`zQ7-hV2rE7c2y4H5XC>mGfM3I^-D z2uUsl6K)LfKYF9^#Vl6qv2%aUEOACTm0a$D`+v5(La4`92@2n0;hubH&a7R0KDHIS zN)o~v9ftN{qfGGo)vLTGf$9Dv!{3&T=-(nLR}3&D(R1_pVYP$M!Sc)U4T&Bk$`B+n zB78}cCHXAH7Zn4-3z`X(t-aFUfSdn+A*AGUl0=86L%5bq)-2MfSX`+JgpqDw+ZHRre#O4*d|JM~M+%^E9S1DKH z{|pO9ku~z<%xnygi-Q2fzLcC1zFnc9^^KifYz*aG_np3-ZS>3x_k1pRIeb!GJX@pP zB;>$N>p;jeQMQk|w?MeC@H5L9zQSbUZchYdy2*)vPkY1IIFPZs9GCCdJ8vbr`<;An zM-s_NrSywuA1YcZ2Zum&g>E7&GyD12X=y zz>!`5d8Y)>!)c}$^MCJSfKZ2GAqxHVV%7F{$_U?la@CSwqgBWeT|`2*ok~DX=9W-F zW*piHyN@E^zo(88SaX_8hTTuR7BiEn%dScCH7JXtj5+g%@QRbqDe)ukgQdTgZ96DHfFBTWwAaSz z=wfo`J68lqe02B4#pp2AEmI|+HO$dfR`6eOLsh!$-)8`4giNcw?Tt{RrG~Mr1K$rO zf#|PEtmcT|8|DUuFr_j{c_*mh{|ID&jOqZ3olxD9 zl26}d3G1R@nG|2wiOLsg37{%$Nn~++9 zJirqtu_`6cX~2y%hsct3j{%e3w(+dUSn3oW77KwXN3cvqkXr+=q9774koV_deJFahx=I9Xxr3!<0pt0BZu@x3#_;KG7ug#mu$f!e zH-{oAo~1o1!|ATfxkO)c+rK250#Pr1_1nTz?Tk3YnCCw5QxZWZtr9sWMARlmMD(XF z3fr{~vK(?8{Hu_E{?)%;v!x&?>*4OP2;JP}dhb+9Hl6Q383{4Alth3Ms}BcefYzBD*|N`q{1$u$y( ziGEL(lGF&#GtJ4JhRm#52wmJLs~mBQa5hmibih(S7un@}FS7)I4rd$&9NGkEo)ubRYP*>0(@T*Lf3+xr3RCULt2Z;Im@g8 zj<}=+X5JMIWy1-H_AtDIHvtZ5S&kEkKwUZ^u|h4#H9qIS0kg|x=>TOqr8vZCh5j7K z;MfK?!)$Y;veC6E3{M(XSZ-3TQtE0$W&q7(K*c6zbB@c!mBHP?k(HAJJ%10EpHr@Y zE(_B0`rm^-iI0T8?9~RkF)3VSkSaXe%vjRiv(A6z>&eKxNCW}^;PN+G>VHo;G%@;r z*G|l=P5x82sr|~B7~;>g&K#8|`l>4T{TZ}zgv4k8rEn>~^$Q{yr5dJ2LmUh5)F^-N z&xg~?sTmYdM&UUxwXmKV)56WS(@X95gmm#jR-B}>5FM1Xs030Ws%yu>(m-jDhzvx9f zg88llNcTbA$Sg}hnfj?$NFMmxnDgP_6;pag+c(FT@5u<-8@>4NMU~RNN%wLJC5%Ss z%zY6JvrG-RUVhiVwsV59DH>vD>|oow5zsopVpFfMpnS9lJmsfmFS}STA7ARN7FuIvTbtW<}oF1?Jniw|MBWdW4&vzAM z33WgxU8G()IoU7HFXyPeY#*0Ghk&#D@qPxiQuc?j)W zp>%(T^4=LqkUV?Qa@!okg0Z%GEJZT@3=ODSkRhzu$t z#fWBV2b^Sb6jBMK+*))ANU*D!Az&V`t7sE0zCdXT-Hre>Y}NF5HL{yi8GJG zA_A-`un7@t@pfEo>vC!i?G+1J0TvAo5D$Tg9+-|Q>RP2=VPfF7UFT;*hX&N71O!l# z;&yHC=wOg2!n~~S&$~Ak$3hM%<=Pb*o^Z8)9F;{zv z{ET&k>F}@AmfO9;-Y&&@moqZ1g8nMzw}?>Al_`mQxEWNO8ZyZHmj3Vd3Ar++;OysT%YH^e-8|fESy}8GU5pe`Z7q2!XzVr zMsw)7dG+!AE_5EvPXMT|sFefI74~#c;tr8ksPcWYl!l1F#Du zf-6EB*SJDN)rVUM!xNTqU~Tc{uMMAiF}gF5Y(6j&f7Fj~%$El>q@AY9?9~=)YCEf#ZpE z6}zVAsk+PX>A2TiOJHlbGDjQBRZxvUQ@u9Y#VIu=-mVsf+|7KE#(If0cq!ziHFbsa5O&#rQ4NW4lzsP+T^FlxmS~3m#DNPe zLT`r*xW2i3b}zRseDHKKdm~;-W@xp0cz8lSth<*jhh{YF=_Cv`A|fi%#9>@(p21B2 zJPGg9&z3peox(*8ClEjiS40wTaynXvhNCdOcnV|zhmL88eE1~E;Yzbf+U-@+3j>b_ zwkbOdVqM0M(y-^ZHiuDO?{UY)8kL3Z4AwC+7}$R2WpQbU0x2CP;~BuySa0Eql%L~j zh^wtDGlMc?w)s0ZC>SjE+8!-lTG~sUdwV`&59Xa43O$3)FhHckBeG zG;ts6`ZGie{J~T_al15&fkDd_CVT~wS~KN_w`zd??jl>H2(`3JDdmLKP7)_SHFp0+Nm^p7QJiZ2>%;c8P>wP0xI`Eid*@ z4g0Wm{D9ZKKhyU0Nl@JR zORlwAZ+{$+n@fnnqH#`egEd}OdC-VnvFU6X z@)aH>$U3nStz1OZI*gMx zx+W!5RtDIbFkKGn@?NVJ{N>VYIT68ZL>aQ)(xt`+GpOp>@k9qpu~-vv4nccSsMf~) z$+0?w+;+q`WLF2U!qFz@j0f)dMWAz{{ zGBHN#aLIl9VQac!uSzRr?0%kw?5z%Jypv;lHDTx9t4YeRmzghp(pj02c`;1J0#6T0Y z0&J~A0V9lLy4<8_yvAsFS)cm5k?EvH(HiQRFawM2dJGd56^~yI@xmueW<;XSfZlkI zf_3lg2f6$i!uU5nwQ093QfQS{>X<7x8tZg1Gau|xCK)(5_`$tu*0rtJ2N(m~-(hDk z)AirG%*v_Lh-!psN5Z#70}H}#)`)W zc){H0g(GJ1rZa%QS~9T!?e)vE>EO3ffKjU9=FQbYM=TTQb`gR->`qP=oXg8KB(*hw zEL6hHleI-nf}Rc8EVrQ^a+&11*qB^yG&9I5TaIKNZ@8}5zCV4@POt-vjxXcdLLBH`(XNB;1vElXaH!5KKz7 ze9JSFA&yn5J4Knn36Z-+gCz;1zO^+@i%`X(JR0iWBg>01-jWBy;!zbagD5B0*w2Py zzWc7Pfs>EOZf6?ID5=NHtx?4>|K?`t`t`@s4X!5Fc3p!R%mgL=1Z@|S@8#Q29p1Vx zwSo(NlU=gH=kt$XW)n5rgONrMT0`S}4;RtMK-Ulqhm9kWek2cSomKuGMQ5Ux(WOd> zfWi34XKZ!wIjXaARC0mBik|T^+9= znD`;o{300z*0QOpXgVPrEqyJyEa-}_;$RWeShqhL#=1%MP<|hbGZp_B8fbq|q-dSF zl)$OkURvU!b8G`<*%bohas z@jo}bpkSug_Pw#DqsB^iGsMnySENFRQ5d6ZO3IjW=H`S_>#(#7#`i<>KZm2Nbm zqMp#8wYpa(*K?e#m2_@n2olLOwSobLbI$XDBn3EIW@Ar|Wb${ovf&DDhlwlRP}9~< z7Z?EN`ygQRii^W)T1p4uuKhQP`*=k$y-L_BSwt>$=Up}Qqm~3slGXhfP5wIk~gr>rVN{3YvxlQs@MOTtGwEU^dCH9x8$_pf7%mj#K zv_`*vazz$hj4lxe4nN$!j77&duviG#Boxd{@92w-)fn7lxHebWC2u)JM~~CB^vIYM z>E-*bmFobzX%?Wk#=7?zOfsU0~&1;po@!*ouXBu?L%E zAh(D8%{5IvDd>|l;MFG)TPMjW>2dn?ghW0OXSeuLXB)l^>zDQXWB>W zE%-B$X*sAZ_!j$^=WJ#EeUHuDIIrl7@MwoP+T4^a9EWfN<+jHfI?LfLAL zRMm3R?xsXQo}sP+7Umfy85z=k75yMr;YoR8*d_pOG`<>z;IOyZUAkPaaqh<%7qz)6 zU)S9b5H^0J0oJNM5))c}vX%g?2x22&ZboX6D!IvByt#)mKe|aCi4dyd`ob6jFGB2w zE~@(6c1GW_x9W6z!C|%TaWN9$`tHy;_<5i1O4|?SUBoY8c&6evUt>$HXM^8wVBnv{ zHzu?{M$2dlhwfna*Or8}l61W#0mD|I*9<2vgOZ4o_T30$`Tid49LkyA`LCIBTnkpK z^alW70Q3L00%>aG=x%Lf{~sqs^*5`V9r0Ja8H&6vTBCO6xAL9zkk?qf1YVpYD$!Of zGEoe}niEIkrSlIu7k|7=#KZ}WM$F)#HdC1ViHSo5rzajJXQxEJl(L^p^fpiKP!0tO z<}8_aawNMy-R;jM<0Wuo)UIciWE>HuXld_WjzFX1ZN2(1#@Qg>4w$hU_(PfTo<6)Y zUw~+>4YHp)4cA;2YJFG?U46d+Jk_W2X9M0SpM_EfIhb9%Y{5U{I-q!gR$c(HS2XUc z(OTsO4?u6KRxYx0sJG~g9RPg2zEibIO8Cgye)bMFHZFWPYRF{xzVDA#-Wqq;)jw6|?`!wXcf7wu;KI>2(3 z9r5%eTv5;Ba~2q-OO?01*SH;_8pzv-bqG2 z26=5AO@-#-p~l(xr~9-JZuWRXo_S82X!z#hqGwDhKxasW16rAikLwqlpz_*3r-;K~6Ng zPy*1uanGe?H_R8ip?^fDSCx(ErS%p^Y3Nnl%Tf^nR}wq+yJiD$J$to>Aj(_!b&BDoL-In(H1zO?kUEq}2~lAhA)TT$mPQhHe$5(@Vuu&EqyH zrk6N|{wWC&4Tv(UY9};K;s@ne4{ec*YkTebW`O2Z@)i!?{U-Q)j#C118+3ydJqmn2 z=a(79ruZps(hR-ffmYa^`Sj0U#9N5Qrl27|Nx02e>`XDHQo>ubTeb=ru*l z7$pZq`Pe9Bf-MUtF_a$f^Bn8-Q#)}IVCO#>n&#d1m6b2*HFV=|ejo z3E;4brJS6(QdsL)1+ZAjDn`Gdsu((?=^arDn{B=Fgk!Ts?lvgXmT!FJ89V)NKP8_% zA@?#$+VJ)U({W%PxoSbh#0{f|RR6@a=K3Eq5_F_V$-pY3m}s_@@>~aqpwHOq3XRl; znn~F<6i+3#7?m;cxp-HPjrWowTuR?JF=FDMuB}(By;#5;29=GDSG}%(9zDGs5BWUq z9N9DYd^mTjxpuc3@N&LF2l5^>9*-sXHQ~(2VXRW;mR&XSumbb4?nU52&ym3*Fpxqv zdZLbE+x zx+*_+IA`DbyYTB=KP=Sx&@f1)&{S@wzcaU`*iK@qSO;%!6Z1f-ZJL{zDvDLBGZ_`! zaddB>2Hj_;8o_l4KN5iyAwf9gmNlr&6qTctP$c$a0_I8AlKWI1(X@vD<QI*z9T56oT@ZUU|jVW*)!KjWa^6vz6>o_|&3hzmNqP6aQsT z7ac&|(|j!?e4ja&N0nu?NkmC^RV{b0qnngCwH)A&Gv+dGO@EjyY&UvrySzs@j|3i2 zkRtZU1xS)gbuSp=NmYbw0%N``;t5?uE zCLQq9nN;1h)wqhm5;TV8U?WIOG88EMPXn5Wub0ZZN{? zC+9=XZnT+Mda$!Srg2p-)!JQLW${$Y{yXZg_NkSI-2dB4#C)XfXpy+?Z zcb6CYRR-(aAPm(f{b93rrLK=Xd4;!F@zo~vmHTqe^^=-$Ct0pFW-33E_h;M@D0tZ| zQ0RM|ynbxqzr!i33J5yOa&8vDO;q@ee9yAMzR8p!*`oCbR8)+Lh~de_M~?P zIUW_;ha`;KUZ28MRh0p^_BRpvH=2@5sg)Rj)DVMrnJ z0s&{Yqkrfp2UEs~nIcJ`^NaZQ{>tbBU{1nUry z?E*6-&s&$s524KAK_@aFX2U_!pZ1X)UdN>ti^aL`;O19=AKl7>QVc3S9_sS=6EeHOwzmpw5Lq$9_ z+nP;{YcE%$a&8<*xiCa#tWiAx|9ziyI{jft`$gEK!~NgiC$2WuMvnh^pZtF#;nlw* z;Y-xR$1TuUwa9#Ttbb^A+Rkw}`)QxXy=)KjRI7gROcW1yIL2 z4z?Uz;Le7n$rAD%MqESgAx3BGF_nRNXVv=4>}L`f4q(TKQ8pvaqQwZ^F=NvucM|N= zLwgC_n=lb3%0XZij$>uZ6mcCny$MTG>YZhJY?}glaCRc{oB51O7s>H_y`9k*@I)|P zP$XIdhl{~kc*Sib;d-Hf09GCh*6#(G#okhzOBT$y#PnnCnsWvL_^YP}sc|}`3~k+? zuf3l;JeWW4EtR@htuw_3Ds4sro;5CARgv*SzZV; zl5F*oqjoXXU-&QAvq7x)?(Ce*;uKrGU?>Z*VJe6InI}lNM7X6u0v;;F3uOKSbxbDx z+c$_L$wdKozTA7zmtNK%n@fp=&3sK{j1qV08$m!N8L9~vdI>*p)*qt)8b7bP-&yjw zFHY}-)k}OUQwd zL0w9$L(K%qSyYNK$9mqb{<8M27O+o}jfG#Wi1;ihR|M#Vo zAC&{6z@As?(rBWREWqv(7nQ%Q8?bt)xq9+?^Dk@^CXxOq^-2ZHz|D&y#qdbGi5-$* z0snEkQpyE1ut0Sv1J-m62Fgw}o%ctiML-`%f;k$6fauvO++JrF7dkZGlT7B`QmkdA zFmno_iyZYp!NdWQNzaBB_^wc>kR=6D%AFk0A^o4mm7o!lehts>RIu#)qJ`iN63kO( z#x!^>o+c36Z}T1xcRxC4(4A*NVRMHCovw?C0;aB#J~&%9k?}XiNo(H1-~P5|G-$v2iC2t;>`&NGvM^7yh$K)U^hDs!AEc=bLnw+%O zDwi&tGeF~o-Ga!mKz$U?wpPB&@S(N>9?;wXruQf7%3BNBbvk&zde9 z)y!1V_lg@js7Ds-BH)6#TI))fGb4LnW-X2>4i~ut>!>Ym6VtxS>+BR{T!yY>d&*no>}6J<(ML$Wk1~7WtQ9qnFGlV?Roc%M)%Y|{I-UdCCNi0+@)w03f_taI zlE*gKY*bb6>^^v$efB!j_$GRtt-k>Od&l+39?B#9nx|(3005-_>pYgJjf3NFH{0+( z9_p2vhRp^mviD1kE=GZP1Zi{!ZLcPX;GC>`9_i-rbDFyUMsY8o=}xYYh@&rK{c zNq92S1k8Kw5?!3DH8+|!XULk{;@Etl1MWO*oLgYKQA+s=-Q;#xL?io89Vr(56NQca9eh@!>I1uZ@U-!U` zh-<_F%$|LRy(m>TT9siyju~2b?<-*h)6=~2YJxj8LT1h@;WFE^P?svpGcn;{P3&%x zmD4)|hdck!PvMv27T7@S5DZ{TkWEjnJ@6i>{zaAo3Nu&b* zP$uV=vQW$T?IUPn4xhrRkB8wX34&QY2ql{Sg6wr2 zWeTR)tzJuBv&Pe>f`v>8CygkE5Rg{xOtb9fgPw_#@XQEOphOQ;I_qUa--v?Gp zb~*VTqCq03VPI1m%5qyau`uWaLH6%x6Y2{RM7=(=YqXPnUNvF~P~vvbb-$g;pBSE^ zilK6zyJ;9DR7G(cOsIAc@o*3aPQYRyxj!QCj7e0HLgg!?I~T{N6(OLO4>uQqwT^p= z%n_}H%J&4wJ&i8t!q$xAKzFH(8#)3?tnFOh*D_Ri?gVIn_?FT?`}(5$^w4_+HRp9J zya;PDI|oecN@rg#qdP~-I0%1$NO>y~!od{#G`~-`$ix|seSRPSPd0|K9hp~=OtGlj z4=qdrsB<&9aWCIA#5o@Km(q}68jox?EZ!g|eUviCWOPHzag! z0KNf2H5BaYpRp*VoZQSYLne?Rx1T|{o!w)7#{A$7`x`>6fRNqr_#Y3XIHv=du9+CS zvsX$|l2X0QF!?2P1?)GoOh>?ZrotPo8A}VtTb=Edj58L8pUig7P z6^G5!Kd7FTFy#&OI&GmnHyc^>!zFMf8P_q&Dlk@mhiK%hEW~3`sho|YTIO`v%q^c; z=X@1xQc_`#bhzDFIbYYp#%<6pOm-_1besPwKNB9ITXCv3nX!6mT}7|6N3JY*GqBs8 z@~E#u;~43Fm78?|~jP~Q@`sZVlOutTJJFb{$Mb8-F)XKZ3)ddr7yybH zzeI9lG27v`^w32bwmeW_r0Nl1 zZ}JWWT;8k%WEI-^#g!i3^tCPUqXAlb|7s8BWx#fRZ4f;5fjCHN9vtF<4Z3qHvkAE@#UxP{&q$nO4( z``#dRv?n@Iy-##A?$Vp0>jwd4fCAE<)w|6l@O=0a$Kd{beqKpHX(f&eRKJ+E?&A4D z`>Q`H?Yq1CYjB%y-RJducC~5r8wZ!i4;lUk|13L`d$-GlE=_*`GA?YNw1UQZN$Ise zOP>{$*QB{;kzro9!#ovk$mVJ@n2p1Glts)b6swh97;}Rh+|D6z3zf^|J_~bXQuBT( zJ!RHcLBcH74VC+G5(PfUNs%dFQbeLf+Cv8YG?4bfB#Yb>nrLm>uL3_ldDrH!UL!a} zKkIrvWXE-K;o-I(EvCENY#fVqU#Dg{Fx-0cjT@a&-2GRiZq|$kP0-2e#vLJO*%!5>lBqSH)K31tR^Xo-@&Sdk_Su%TOZ1L6h}Mh8}5Ui~CZ>Uxo7 z(sO@&4@>D`mu$fSF(dsThKA+EObZoFIu$a{c>i1ah{O#<=+O~i;?ZN9a)pNI{GM=KPpG}@yij74iYs zc`W0^eb)yBkU@E>&$ZTfH7-6@I=h;yZ7VId7sSGfdm{XG0aE2>N%3Y8(cam;0VE}Z zyk|fH1K>mHzU_(H{lw!?uU(kplE6Nv6vKxa^mO*xbB?(t<$vyn;9?93CKdKtjWc0A zg1l-6prRVgJ%%P#=qs`H;?4QcTB)usWH2zAM7&m6>Fb&py40d&gkjzGHiH~mu&OX2 zIn3D--}$;0Oy)}{{<@T9IXYTgOkeM?&PsAFYdCu#Zyj{5Ors@c%jCM(|LE!B61%`&6_WpkH6(s-}XvG6|U!tEj}fZ8%UFSx8@b*?%Q+DH8cL`dm&d zw}DF5?o987>lou+nQ8n&KSZe|?Hb>{H6wYXZB2)4^NVx-ky^8PywKlf<#E|IPfW1T z{yI#;Xi_XVI4Zh~o?hDiJve6X9h%FF&*0==a~BIS!_}U;DN8ovL*(^#>revG1q|ti zALYWoGj*{-|022uo55dH%F6qZbW04DS(02+Y|~UT7zYA2qAp&Onp(t`(kp_qVbd>J zE;%h99QDefKKmv#wdpu$v>(hH`SCm2JDUat8af`*g4QQQwv0}2U!a3FLRzR7mPx1j z8&MaU#nzqV(kD(aLPztg?#a9hpX+2M-|C$4S3m?aslOfToRB=u8;d82i4=yK?%&yl7z;vyEj6GRfgV zE84j8E~1r~g$)5s8d1E?cXin^4_Rzq{0t9Do_ z5D+K7fHusNT@tXm6lD}G;D5?q4Ooq~m;--Z_DM?>Rh;A)pBd8#b}hQYSEHjm>z6| zy)C!lR7rH|U8DkP+fCc2y++iWLM+)Q#<~gpEsg;KWXEbHIreAcG$dO3l6oejG@ezEgG zpDN9!a&|Smh*413h2!vS7Y%j?4H|(vuMHj32l_4B#8>XvF{U()leS);R9CHC1g~LT zR(BL?sX2WrAe!TN1m{jZYk7RW7p4g7d;$tM9tG6o7OxPviSEIf=zUc7&LMP%h{jDa z7drvkOg2`ILwSvIZhxt9T(aKN76c*vOuD2>F2lKE&a*wjv-=Pb^zd?V*%k^IyWf{^ zJCbh~KDs_eDtO{kcS%}cBfZMV*IM{a`51bdD6__NacU^0guI}cXdYuh9@R+gE;Tas z?0=X9_mU9B6bTn3o;HJ4%{HtBnDwRX?p1!t!8EkDHV4(_BVpK@=Q$q>8thc9@alPb zE}NU9%|=U+0XgT*M!a;>alNgymu>lox^IW=L|bF$3BR=IEgz0WzdIp@!DQSM$7d(_ zNorJ@FFhdBr&=KoKslIoSWR7|rm9DpwVapT1Jz$C45O%Eh}GPE#cyoOBK3zyn>AfYJ;|6ALFg{`Tbp|#zA#Cb3Oe^BVPo`XVH7ivrk*dT8^VU+;IvwaMI4rED6K4r_$@z6;J<%8_zlH-U@Y$k5kw8wt3d&ave26`O$Q7)S>Roh%_FHROiCltmkQPS9JAY+;nJ(mQEw|GaIW(nbVb* zU1Smyf*VoEq#ETVy~z{aTDGR#+p0Mvb#Ej4cIF!7d%|Iz-T*uR5k^yx{@<#+yFRIO zI93sFst#{7lR-#*7|yb*Wl(+xTy7yD>Q+6tEl3~m8eRjXVn{P7?VP|wytNBDRfaXH zH4bgwGF4U+s7T)O{i_{%jpUK5cL=kh11OVjc4I^WwEBWE=<_j;AV$<2pv%PUH040x zg>qGx8X9bOI`9gCr>}X=P_u)x*85vH|LqR4{KF1Wxs&<(yaJoek@X?eiXB4|yDDld z2xCWvoP>kHx{~Ev9a%q;R#ax7{T`Lw$Bh$erU=T(%W?RyOW*0Ti2H9hbf%yg=~DBe z8}uDi2iF0Dt7y?(9Z1AQIlS}Lekt?##X6p-E7HRn z`YM^|IzBgq#BgkF1}A_J2TS#;%m9Ug{+d!K6KV!705Ej z)v!*ON>hp=Y5h*qr0f7pSgH~UzK&5f1^?tRk-5wPFq3TBeGG8rTAQ@!bk~+`v83cj zeIr0>^3tslXF_fzFeim$sG8IkRM~b~&@69`c-wJx;VA|=8>f5LlQr^R#=N3GKTVaW z5x-@$T%CL`n_>!7LeRI_p?YOrsUu;w_ufxZ6g1#9C1=l?eX`%g48LlonSC{Pg8oLegzhZf{D0&p@N{Cn6hBtf zXpH~O%ky7D&Bnmi!occ37@q%9ps@Xye$=68n-dy&(zdn0#^eH*%2 zSWDYj5sm7^=7-@)Or+y-Ohwz~g@X{tI+1}ErYs^Pv50gy zc3R9I#BVBC1Wg43(SRFwhn|^+WRX)|ds3jqX=)KQD`XDt2*Lu_Uj+SvE_#=E_xSZO z1mS}IJ5r#8HlZTafK9bL;C|pX{elt)+Xx??Tv~+7k!2satl@Jq>^kHQ&7?3s-53D7taRQGZVb;_thQX zOpO8>f`!E$LszB7)&8I7&8Nh!-d)_RDaG#?^Q=?55R2Lrj4sdNhrA7Mft`VGwd;dg z=mvC1SJy!}_QD2R*Lb8wod;^9*U)g9w1#j1-OFZ_!ARH2|2CytdWyLgifE(vcxY2L zdXhoB9yU5_L4+S`K9qEuJlzR#)nRe7_Y)^|KdX)M0K1$(Ao-Rl6MJUH8&BR{W7-H& zi!P-NVRcWf<-JJoi2zkU&G~W(jENzKW)rj;c^8r}m?toCxWvY~FEWBVrHNrpVEXu) zs$7!=FIFaoEW44;z_j5r=3tgGy;X@~Ad4BG&BY+l0m>7ax7wn=UQ+YAno>j=;V?wg z7Ud4#0vrD%l8}j$)gZjG7dyhCN|zG}A8ZP{G99`rO2}B7!&}#;E=YWq#J3rRDo0Wb zVlsrs2}8lUpLbFDL^w$g&rlrs%|eJak``jBQS_efU84xX`&6*NoI9{YDvzVN=6#2}bp zz9af{SL{jdK3(o10P{(EM~aFSjyBqe7jUMeFF^WZ^$m;*shE!rBp2{Nw^|^hh6N$T zvPhNKTl2d<4Usl7;FWXin{}%CcltMonP~%@$&quM7NMV!x{s+`Lv~BCq`HZNV#B(j zI{CbIOsK|phP?6gK&_)3j&os+{j$A@C%>g5q&R7m?9c()Lt79(E#A)v+G7o2;WU{& zexzyi>An4>MwKjRrlsi^XBdbwE2>wx&!FzfDZ6z zuOSgj%IXHO>)9y+F9MsUR?u{RSqA$LmoMPabfsm-R=(|dVCoC32I~g-dznltC?@VI z2P5wmeO<6XD`hUFZ}1oyJ_~Gid!d;lZ*eXgyG+6<1M^{3b-}PlRGswXF(`gmy2;WO zRU%WX6-N|s1WdDmVQZ%QN@sq!cY9dx_m7~)8X^AHfGb0Z{>oTNN^SV3&vK&7G*0Uy zz+%kML*vt|G^O_s7V^8((B+#7YUTUQ+HUI5r-?s~Xgc^C#qa`^m?I3Q0gu_YMLZQ9 z1+B{fx7~7!!$qW#YGtgAoxD~}^sbEohmM$e&_?0+(M=Pc-Biks=$b>w zks%!2W;m+nYc>ECz|u3KwHE4-NC%bRMr@9tDIP3OPj{M0Wh4Cu&x_@T5cU=pCrj2~ zW^(yHC@`~iG~+<~GTpFO-IA_l|4nuBNxvT{>A!0VsxHaqYk%@e^MCRW{$~TJg{`y6 zPce?Oq0@gX9W@)L4N;`8TD^ups1&&fcCL%EIh7SxdrL;E20-i*7qOz^kep)T=iB3$ zC|_PLq%P~_9gx`Mg1rp@=?<|hb5)F4M9gNG_i&UlkvsUJ0 ziER%~GN$Y+%f=62Frke-eu z@Qi31^mQfH<=Zvf79L|qrJ=RJd+oa0ebx1~#c5=+?Q*g}j7?(OGt&I~4WxwT6)`{O z5%hR~5L#!vP@cc!GK{7+%G~{-Qo3pd9SkmmR>?5}iV=#rJ9T}?&4b}4o3J3&Lx0aIqip)@?Nnje+t%saJ@!IWf^wS@cdba6^V2_- zay>7>T4PSBGkxAFnT}-y;ucbwz(4)M9_j-+kJl!B)l>eoWa1ksC50ThK}Zq|W`=A)TFmf>pS80WFYMEbY%!F(1 z3}j?f6xuU2zIsC6UObc1HOtgSdt0A>@d)Q6bnRH5qa{oY^N!KJ<@emDO-pikVB>k68hMHeEPRsK|geDSo zl5&pmi|Pd}gF&B~PF}3P4JX}>Zlsdhx(|u?q6~1l&=H-g{eetVyzIEWAz$j^`sc$+<01{eDo6Y~~sjn!YFH zjU{~KNKbk)PcCJYFDY8mR0lJK*hYh_Dp{CUOS=xz=2&AoXwXg%(@Apr!oC6G_XSX0 z!}3-K#a8T)Y>~ocyCSp}3UyC&(Im7btPN*Ik0(7sx%20i8I^*M1bwVes7}x!v`<8( zqr@(A-YD)1AJDxrAd8Ocf{W*=G#w$MXt4t>IPmK@6=4JZ##`W+u>N z8q5H@{EUjH`l7K|Cl4>K!i6|)|BIPFFkA~vs*8+#)FjqOSrelyBW0jZ#Y1Txm@me@gDE*M#zE3x}*YPmLkNt2?TTcXOy9H`?b)3vfJ~^)yy=HcnViOY4PW zY*ixu5bGPHEuPa+#KrbB7OD$Zh{6B%`I@$9jav@{W^8>uu%6APHY*7wQ@itX9n34a zwID2S7&{7Ds-iZ!62CBfoCn@9E{^1f|n@=C-dF{mRE7cj{v61RLU`F16Akpiho zOKjB#5(QyKIMT8qX>)W0=zMvO$XAFP`p0fho_u&97K?PkeeX#stu>B&ITsIs53emc z4DqaWEcX<^8Jg0guSRUDDEt1J)WDO z*7e$*4|cTq`^Sg2grj=?ArO$qH+2WpZqJX({MGX2d_Sjq+wcDTi6Cq+?^}~=&2M6b zQw`&0Ft0UE7fSH~#Gq;KV?gvchTOXr`265K)2MEzzo#qSES6wV*QYyF=V0t2?_ox? zYNwv$zoz#+M?5`Z=rd{ROkde>;xYU<2Wnc9<2VGm(*z~F?Whq&VXlw#cKAfLiG?%M zF7jW~nb2EcO*Q`WS9~b%;ERg|`%)xX9?%eYZ4FLJML5*=l_0hlV#3}BOm6&YNhBhd z^;_hn68`}fjsQq3e?a0y>)+e4veJyje(<_r{1ztESrpYg()oAo5bURMrVFu@GW1DHT*) z%5Vp4p8W1T1ac5tiZJ|qN{A1B7u$23w+p;&9*Ho+Q!g zgkkj?KCuV(q9g$ZU1FS9tRU&S_9jt0jtje1pOU$D`}fzu6HG6yOzt?_LQ|S-D(8W1 zVbU8D$(^Z8W#U2?d7wuY7+@H#|AYbifzJ$Z2E$u0#|#@6TCt~G>5a7xyS zvgIGgLh~&Prm~hP<|&1x$?JkgCgQ#F#@{~Q7h}qPsV&pN+9JOA~ zU08N2m}TN2=lDWB%QYg531+yxgsB+)kqDa)x5wjlxlGY&rQ|UgLX#1=@zz)4LR!3s zp&uF1BmYpXREWH(+aDW;PKDrgdQQIGAfPK0_!euVhizd?tiu9AGQ3&?)OjTFeFbQ1 zO?;jv5L7#u)dK4<3PI3FPeaaqg_6c!>*WmPrK?744{%A|l&Um=HkHDgxT>3R*jR=v ziY!6LCo?idpXKZS>Q_A9?i$W(Q&%huk6pf($|dKQL?W_0Wioj2tWsS|S``rHHR4ye zSoWQJ7!vWXW$ru~{r)9}uVvhy4F7cf`1ta^3n+N#m;=c=8IAIQV0L|$99k8yUrFEfMnc`8gm6CwPUa!OHOOz2ORCv zqZxSS5YV3e!KfZBE}@(iP~40WrJ747OhiLo*=mV3ryf=03((05C)rvxz>?mLvGC($ znp@QyeeeNK#BR%`z9;pJXqcv9p&Yk=y)U^qp zbMLnn0fqbBRWxvjy3c^$T^yBF+fUoL&z~OES~arWzKW|XtLgV{0=gm+Np4MqX(jCE zpQYl7GMQl2ZLxlXJIV_mEi^d18}IjxnR8eQc{1tR$!6tV9+7-LLNAF%TT~H190WAV z`5@`7p4<%0g+&btnwFY(8GqG`ZVKPuONV&q8InvC>}G|K?v2CX>m4k2wZpXJ6S9?Yt1OL} zVvswkqwhru&1wMAe=ZCA{QgUkZ;_J<-|UR@^0D^82B@h^_nzfv;AJsw!T3GP2-?>X z@JjLWY$4+JqRDpZmo7*99pmD+N#I(Ux2RI}7;wVH_%CbYzd7E#JBuRIeqMjHKdsgO zbKX9=cJSOnWxfv}?4HtD;E zq(W^|qNzq;U;Hq^?Pbe}VaMxGIgo3z+TPp&o)|CYd9RRKYNW*fU@>VC*4@JqSj=qH zo(E5EWN{u}vI_%%mU95=|DrOEJ->Ik<>m4LJV0EFLEnXOvICOJVvsF}dhDU9Er3~b zs$T5mgW(VE{EnO!J!;fwwY#-`xr+RhqQ9Aegf{%`Km_z17>yA~Xs63%K zg-1c#D@g`Sbzt zs-K9oR;igw4^K@Tsn@1C^ei+x87;eZX2xzw1vkLGA?SPg#jkkeF{Nst+P;Fid!*)p zcZ}vzvks-#1coo*1BEtjMyRB@2LV*pxDQ?~BvEP{L>9G5|M%lMiC9}9Z_39IyigND zw12IV!23Q+?y!S}*t}3TT%E{*Xu4qpj)dAty9HwAz;XOHo3>i+zG!xYea0dtdlDnY z<1+3eIM6r7`8?o{MZfiY_tj`jov-iOTcesXM9cEf zxwAQtrTmgpQOx6KX*Q@we=jw%}RZ$fC*6y-xaT<&(V zD-{_s%Ub3e#P$iO$||_2G<`p-09H>Vg7&{y*Xc$$V`u7q#%Mzt+T00*lGrBW*irU6 zy$wSG;}(fN%OM)_hdsfpDXfvlp-wEAnU(Fu%($bEna9<|-bMT)OA#8RxTNLrL~0EQ zaE{o-_f+qNy7sUGHYK1TpC{m+LClJOTRN(=9ufa_dWF_y2FhJ0RU5TxIaWmtRXSL+ zC2=i~ApuxFfBCQ#eH=Ksz;5sHtI;{<=%*hAQ8(zo4;0dYGf&Uq(Lw#|G)1#(H=J72 z_@yk%I&mI-p4L63l1Juin-;seGjq>dj|?uQ3KeCZdI?f!8>?F|YI}eA*KHgi~L|E=|N3mU%?fH2hRj(CDR%D}k)nB-)!!cjh zhVR=exiE1jvQ)!R$Wu|sA#GqLs~>e&5(Q+=&>{B zdCl|r8~NdjaFKIOH89#Vv}%F$e0+3Y9V4rx(c@8%>HO0cm!}s_Y=*_7=vqrIZ}wxX zir)PeF0X)Xd-sx$bt(o&(%&`2Z?o8?>kqC(*Ac=L-uJdh!9lDBjVr{+p0|0>hN6%hPb3|8}xp&!P#g^mP)qe-ci2Gl^)Zl}c}Os1g5E6-UlUcMlc7-Mv;I z{JcL%+%J5T0jD20SQYVi4fKM<8m) zw-gOKwCHC2I5(#yZadTXL(H;B?!is#7t_#1Dx6N^316naM>7hinkbW@!XDc6!LcNH zT^!z)rs~n++{W!tI4K>bL=&wT%BUH;$ZyS*zL z%YOs*{x6&K;}}7??9%-ypjPoEhw(3nG*a@z4!hcyg<{f81rqu}>riX~B_~I?0ixoI zXBh`qk8_hBf6UVPE_%^Ul;~*%*rEl`5Ufyer8wRX)ZlK5oF{UzD00!%(e)aM&$nNFdKb>mOx8Cvu^8s$J^k5y<%nP@_wh&OQZ&KX`+Djx^abM3vFTU4X1HFg~JHO~KhMz{B6sf0Dwuzdn zUo8&U=>Qk)yyL7KKT^7^#ONdwTkZJOTuEN6`Ri8gUr}n|?hdui6t0)6-#wD4;(%O3 zK7q9hSKmBz6+XbnncsC{ZXX&Bfg8x^|1$stJ%0R?ZvBQzOaBJ@QN33Ld!r z(Z}7p^x(^ORe-)|BRAOx?3;v|2O>K#l{i1-Kk9rP1=7S?=SyszyCH;cTa79Olv?u zUU>hTLCM0&-pJ0@)Z#w^H)}L({wr|vhoqnXWgOxpz^~ZWA~oTbLRK$DmR894canU^ z5!%99PBpbTGa&%!`{g2+y_+z4dL*wnH^a=cBhMGh<6>NwDzaND_qxFu*l^{-rvL2r zl2VGo8-^hW)ZNE5vJo*5jgcWFxN8iZ+ce%-DOV780%?FH6!GMS-;~g-x;3{yY_u@Hg*o_@u;&@ypB=_6c zP`N6xSzW6STGV}N8bhwpp0<2l=N`W8d}u-Zi%gX&fZ9{ligK8d^V`;%(WQp}@rc(Do@H^?PjGvs<NYNU#~_nDhgX=txUH=umpb&5V<|4+7L3TOry9R{MYJ-}YFzqE}Zoi+*;;WmUU z&>{uQvN6$uuBxtKVxw%3&Z=5;kX5I32ixq@>tmxTGLe-Ofpks6*aTV0p^dddxBgh8 z`pUR++YaL=U-$0p9dI`v_HZB@SXD!wttde^pB_)(B$>ZcCoMT;SRRA4zLFo0o|;EIqKOLe zL~_3A2K(M2bYIHN)`e8f9drBqUfVI4r?skk5B9OXTPL;hRtXCbPAPtt&)7#@extv- z-!@aHX>o0e6_Xe&-?RVVfQ^Vs#DZs@o~~V$!}4G`!qml^1V2sOya%)-D4FPBDtI0# zfLcl@|D;XD3jlA~H7Mw+CPjGr168ZZbC%^AGos}aI3QUD(_5PFvE_;0ZjXLsJWxmE zpKRc=Oh;@{g)Ox@2!TExl6E(mzKK+cTMSyg_fX$Hf55><(~eNAP%_Gl=^<4#E~+3> z14|{5yV&od=f14nNj-M%?~780XG1q+I>m$P!ab5+1(|)k2u*(EP8gNA96TyBpEIVQ zTL@w{rc?1T9=k?@10NkJ?o)JTW}X0&3ny<(IxT4n&{IZoRt>N7~IcxGH&Xuvo9L^cBGu z?e8!J4SGb^7;uouMcC^8=C^4uRiba)O<1c3vR$7?SC+Hd{;llfQbcKpVT|o6`(U|M zefFg5GktPE|M=R*ku)v3?pTkMt7u`d!$VfxJRb-crgWZ*)(-YILtj4UES1d)>!d5!Aq==J4G!=O=G_lHjF< zFq%})yc`D)!a2JVT&e6gaG|t3j^Yi+N{RGA`lQE>cITMo(l6WH^OGawVG~&h zd@j0j_%&|oiU=Xl1V6RmV%Kk>?R;QOtY|dF-w3ei09MCt4qTpNd=)BTob^4YO}3yq zWIjyq*7d^Kmb$nvCpfWdL5I7$f$XSzRwj>_cyGML6hrvpT1J&!6q#f;nh<3_s`MgA z9Oh;pCJh=?1v4)d4^*;ko|3G@^YRPE1zovoqhipv_dF0bk~VB8JAoO9=+{!V*Hx6Jl zi1J|Fz}!&o+K^g|oi-iYNd~Y1a|;tbR)nwNRrfJ{&LRe7lN1IB=#cP#iJ981ow0Bb+7oL_i zcPBTvBi|%4=cTKY+xv#oAjeDVw)?z`Hv3Fbv=54;-B|aQ8!s>D2uBWvg5<(xAGj{Z z;cG+)S?C!l@F0~e7heM(ZX88++GbBaAE&RA{p*(@Yg|ziG^07{s4WgMOzP?(f#At2 z3!FB~Bndn0et2O^E8m)fM9v>9;=K*sEl{u40}m*oO$Ur2XCDeU2^NaYpSq?^-7fpU z@H<4Xe+Qk;8PR&9OI#i=#~1f}&w$~X&X+tnvtIABn4KOt&(FHaxbYppt5qZy+}DQD z+ARCL5G1gX0p%@i5#oV$#x|#cEUnR8fWhMFh>(x1Iri*TGDj{;B#zi`uLQFh7E*Zs zX|XMTI_)9^x??{eU2DoXO4?C};k~>*Ff<{caQ)CP;bXPnm=09T&yXG;E4?4=a+oIh zl@uhKjdefuRS?l|n%pAtwv0op$4RO%25vsMy+7I=4nsmtbdMV9g8&>qa?w#ZA}bMY zJIPv0gbOi32s)6Jg5;EUMoIQc*gs?7CHoc4njC7$cveY}*qHLJovIIrQ;uZl!vvjC zW*t@CJMwkY`StNrP@sxMw=KQC#1?9kWYIhJmJGh|&;8ic_#oV2hLANvNV(@$nk#iq zMNVjNayUv4NhINFI|_BM4dc_BzN58XtlS}yr0O{gf`!`ldc}|jN-+zl1M|M=7S{sD z%-kvmu_DcEJP$?2bXkJ}IFG8!pblv`;a7jgp=VV0q>+t)5h$y@HbT9iz(a+$KIt+P zyF4`%{kkU6hE}4_{j&2;!E=Azs{sFjN7kFu8jOn*SRL;1y3o#-! z{7A)c#IR;b6U|i8N~W>TL4X57G>!KG(UNSJiUSOaJ-63J_dvbx z25z|^4){hd?&!W_Esg*fRqh~lL27!``~YzvC$Yf4ddMmJ&}WhWe{HI8trC64-d?`7 z;W(UuyZp6cFz*N4NU}s_9g*8>cR2JRD5GN_ZO>_n#l9eWcUf&d2oQfsLO3YVT|$F` zn6S|r_+|$*n?B4&l|VMef4lMU+uTB>VWDH$1p!l9DxUi7o~D!^-*XZ2U<%Bzgj6tf zhJRgB1zV01L@0~lGE`dT;`@R51z13B1#-ZF#=tGIj=QuB=H2v)O{l>SMI_8aOyGn2 z?S6t(bpl_qab@bMft+^Op23mzHjzOrr5n1M-~0tBEW2JNK6E8t*QhkZo$tO8_D4Cx zzb$zZU0!!p&;Y$6$7GZKrjoHDzs*^euoqqh_~@gAsHq`eOm%eV@aYF0Pz950ir57j z2QZnS`sZN#8ok%a1G8&@L$lB`X)$m)RnH*s!h{&9e{DWa75Sl`qI0 z*cTrcP`qjHvLwo&6|7y+BuQ3B@STxO2(4S#jPXiwZs^3n&RMJ2ZeH6(n23*p_FRR4 zX4U`FfBb!JcW)jg-ff|w6+acnlUxS;_Vb_TCjG&~LSmN0z-ki8+dW2h$F479K&3|> zLGUux+VfEB_U*&xz~N2VnzlBM7tR1iN)MDXi7j9f8N`4Dvl&v@<0N8O))AuH)`7Rp zp9cx$Tx$3llknsl?`w9d8tKbVkrYuX{d1n~JuaXn7LS(E>q*O%`R5I*&QDXX+6&{N z=xKMAB2Og0+F~h4_uJ$~#P6iAjqmj4%4bAQyr`z4W&i&W_KsbGt=qD0+NiXhS(UbJ z+qP}9(zb2ewr$(Cb#tH7+C6*D4{QC15##OAdpx1t3tp6n(7YX|BGx%CC@z<%?jx||FOod@}+`J#Ixlf8a5>s5c} zGOgWzQ_I1}XP8b$65OzD`45e;!W~FxdY|2gI6L>k09MJ~?V&ig*d|#$pbHZfd_oZ} z-@LHAxn7c)SVHQBFsox6ae$KYXWKHeJ6LMzpI%Nv?ei>^wf30b-W0sAhy`LcoD0Xe zYJagY2ccKWP0dhgoKi*LldbS?8RaE zFKKfYhp=4_WVibkT);fKOTOH%HiB#W<&#DTV6S6A62C`6e|9y(oe&F6d~`LPx>M{B zmNhu&uZE+>xio~Om+T3aRY(4proQ&*R7Rst;U%COQ z@rGrq2a0B}dyTdlXH~V)Wc5l;X?1IUByJ9V3=Y4hR@ZTS^m>`XbwI$5PM-Y*9O&71 zw&Z)03w%|%m*?Nqkhdr*L()jYrF#N@>vm6$4SIXwrN?4sa$+?m^a{cw_dF#u_BJ3BFVhq$NO&_& zd5sDkV^x_^OQ8^uc464Hxu6iJavh$$UK^NHkjEd-1R&2=?2uz9gC;+U-w9|+ra_!F z<4*?%>1(Mpi72}yvV&3xbr#-~pL_ib+)t{i_GRqj#ivL7!k0!Es><#^Qtk=wl(K~! z5Ir!+rMwb)gS59FL>T-!A^=T^QQ#am=vmW!Dw4z8TCZXVU9>L%IWoLU#S_!p;l+}4 z97Vp?FvYhsDghOCns;Z_3HI)i0cZOkH)|4-p2HQ-|*SyKKUGSSzxvtvRMroY4WYv5w=gFY4 z=!Ondp^xytSbY``?lF(+bWOV9`U(glCr73TCk%8{g*eN~hA-29z-V5-fh2e~4k;wu zmX}=tX>_Woc&>9U0_<~TUS4aRze0z+DQRzD3=isM7?)(Ocxx?a>q>a<2*3R6HcSSV zG*<9ubCCa&u=~%OVRIXcf09r)l{IAcg^|6dt64eh5K0DqC(KcobJjpxsj2f4K&)9C zNnO}+Y783~4?*hfc0W(JX0Q@p2w5qWDkls$uq9u69?y9rB#46vWPwv=`-*E+GIyZ( z(4UIv!vv%KiGhG*#ALu@S#RMGZ3RLR(>BeqtKcn$u}7sVEXnBIF$Rbe;vdQZl?@q8 zxx>C;Ks(o9>kdO4D&!}KJwhtOz@D^cKSIFH)S}L8hK?OU;wC3q)I5l>EoB_@qZlOK z(&xQLhbmiGFvYEtl$?zS5Hk=`prxAK(!3vmS`$WSouNf4v?QGvfPf7l4xf}uBg;RF zs|6Nqq+a0r)loeS2H6Qa!y5U=-iRbI36xRgRul~OG zwihw0R(EVIe=P5pe1C$8o#1SKh}a~O0h7Y|iH@Mept63WJs$ADJ;F(;DTr{cYUWxC zSpZyNiM{IJXt01wzvZ5p;Gz(c)F`iHN``n;FFm*=GVj3!!|p2lllB#sBYly;qMjSE zN#GT$0S+wyujjT1Xh^tWGl@c*JhfWvEQCPhcls83kh%vnDuFO%6F+{wC@}ieg*L%p zz%V7433M$2s~|mu8$g0NS7x8F)fdDqS@6=AImJrd@%uy`JEh3jjrpeC1ahLY;NM#Q zJrHUKpekf`#0&54W&@H=E*`F{V3p+I&-#9yD31d;JbImO){c%2?rXfo^Gb6JfeoTY zd8W`0&JZ$5UkAexJeizV7C-|)vdB*@i!M{Pu<{=A!5Rspmq(UQV z-1=XR?2kAKFvqltEX8+KC*7#z+-#q_Usvp&3@=9y$JHwFeLeOk%V$bYYU;a zn&#{iEAitR(T3EvezsIK+OIHvk8(u6NbW$qgQvKD*{I?9@$BsCxm9GKl7zc*4X*j7t!0JV>cdb;nih^~1!s4Cxz7>S{ITJHPdq(u(qG>rw9#ae1xHYGVS{2C7AG~Uku>0*)`*=xh(B{M$6m#%#P=T~y;By( zf+jASs}HzVtjv$T~@=H3K+%R&}H(6bMSH&>>J; zo%fv&nP?z};gna)8Dhs05*UYbW(a~&50JwP>O+v8uv!Aq=vqyIWrUEYG<_z)pCA+_ zAB@MCv>b>;{K%Upae<`u0c8`@c`ZvZ=*j*3DYQy|jw11nWj%YR2VV~XaI{O?mCR_{ zMSY!&T&(#jD=@;8fs2NhbpAQ^15|~%vHXa!CgOkFIauh~+Ww!E#y?iM|1TJ5l)%`l z%jWC{>Of#=9S_U5%q*&4*`p2-A*iNlBu-S?qPG6s#S!XWTM2VI1HUdyR6})lgsor+)tEb#vQTQ=f@e$x3AZvpY}hSs zMD(u0{Yi?w^znE7wY2oiv`Kh)c>Oqt*vA)y(*$C zBf=o2qxdjoW3@D_@)xLhtGmRSQbh@!j$?`ns6(v63lER}dPI^FA^C*+LRo%?@S%vs z62?B{0H+6Z&yoF?8wlSdbTY|DSf&3P_Ximo|{DSnYpnX=|dk!|Dy zgpg$f)N*u;Cr@5Iw2E0C=gVT<`9X#xsLO|lEAxti*ENtk4M&38)j+}loW8#t5YIUO zFnnt3a)B(6B|@$94@Id4(=TPAr`@qTf=p<4dfUICK*9kaexE=OOV~ zT!Kjf=UNtT-S8Eg*E>JYHV+S93g;SaUCnHdmX14QyZ;j9$3PO>SVHO#L5YWLMYl8wk zzFsZbxc)m8R@I$4VpoFrg?dMdr)bdtv`+Hw2>|0;p|-U zjXnNrnZYb%s!{cj#feud+&VtMfJ=ULC+wU2e3E^)I-P3b{cWBnEO)P7KKu~+p>S~Ie zX}Q0hAVbW61E$!2Wu2KdVmCNMmsy6D|6%uNb5KjSvmtLCq;yzI{LS`ianD;VEvj>` zgez~UfD-mG^1hQ7Pz_p?lSI=_5T2@+g_f%+0gF(T);DLa4k+ zFX|)>l-mp>D-tRA#pB_$U+{LD1;G7TKL$w8FO_t3s~*2U*z(&stY&zzn@vwlksZp` zHTnu1@%{1jPbN!iR|d8V6z|2e|I%Rfd6>caAM3T43IG8AKZYeN^!{-ud8z(W>mv;J zlaTY9Nn4vzEjUbXZHSV%^hdDKH$q_2JP?E=Wo^NM>%e zxSDH-Y=PDVr1S-EKNw=5Kni8L;|~vJ_!U1ir1Dl=3;5G=b=Ox4f1UD+GxZkaw;Utr zF0pn-pHc#V1CaGxnW#7NR0lB>Fm4g8LFlkBHyREbD3xi~dUwsXhyhJNWnjl=y}`|) z?g&sr4P-@JE=D_nO~|iMFbVv)Y(4{d_kccrlw|UA>@fgdX97(B;)d)B(w#4)KO}T95c*m?e@~xD z+zzmWe8UwEG*H$HrK4LNunAIjboK6@Z~^Bp+c&T_zXFD0%*}DtxKwH62WU0v^M&V; zv}a0ehtfld<$bCH^mI+qHnFs!JOi~ckiF(SXXM6P9*Z%MaISj`urNp0i&dK_Fs}So zqi8oM;aq{Pt%en_(#Q~1%gMlVjTWvE^En%XbyC4t^eah1+O#xV;4a=Y-tj=Gk9*J| z$mrZdzgd!>8_hOIw7zKUBzL(LB747eGl=qLGgtu&%M;0h9N{{)hPM+s`M#$<3e7ha z%{La)N249htnOfbwES68{R@}%hz_NEyBupL>hEsjr^B5}V;1vxtgEtydZY==ZRn1M zXO$J--qT&Op)G_p58x6x?7+YN<3=s=>InxmBrQmRRVzWS0e`S%NnclxX!#k6v{`@K zf06AIGGYD9nHfez+YUSA&^UEU02NW9W8x28kzK26LF-_?UWu<=SfHwZ+$Wh~3zknK zUNNqjo-rRZ>%Zh5J^%dkn2Hxo3vfOhj!5J!sh1ABY$2@*`vSU4+^ z=AVF?rvz3({+ZRJ;&q7CnMEwXz}@LGJMREsiHmOuk)Kos>uO`;7L4Q^Jj(;W1%C$B zDV-5ZD37z?*HqaOFaDh&_DE_=>Whp=M=P=jAqkTnCwP-UTKJSgd;BqvA)z|M5ERrD zE0E8i=_(ybX~)=DoEewtt6rB+9c@hLJGD$%_b}T**`8F<4(~9Mk|{_yxtwP*sFXmX zwuU3gMlK_);5O|WhEJYpZz8hlS{>&t4i<}cX9!oK`cVPDjTIV*pTYph88V-aW9iD; zkD#VdvOFR?jHLi7-#1SQnM>sliB?~`RFvYISC=>2$-2p7fs^?$=O(q-VPi@@@6a})xj^;yLd3}vzI_H|FT3Y=k#dugMl|#hGS;W%rLxD0 z@l(5kH}G=bxvcb4&`_f-hj@7IEKl+rO@chC{8Kyq^%6bI6iswnQo*SURjV&9-}sTq zE@Q+GAp_T>(U>8r?ar;)Zkd#h8?uWigooEaK%FVvPpi<8-0h?7m@~u}-UVVDv3vPy zCz8K7508~wa}%oKQ2}m}cG%&Uy^EtFa~B`{t+UFW^!BQ%LS2|hguY!zN7|^(3&eR%JS?Bo; zc-rrK-&dT?0)*5Uqj)H)pzFOYS$)XflAP8YIpF0E%>6Qy0q45br7fH1v}P>O@l4G1 zd^#B}S@gRZlskNR@q|sDj|Ze9|Jet**rk-R$Zi#>kTCjJJ3iEoj|tslh2}yaW3#HH z{j|xnKMgS!s2@fJsAmt81$6ksYr=_@v?g*MePZ*4D}d1YLk!s~x;qQR1u ztd}RcsJqQ6Jd?!Bbq3>LI@XhROURaLHARwlS{zJ{-AC;eal75V<1=k zONZ?6>yFmaMZ2Ais<8R2Z+bx$zp?Y9(K3GVg(CsYvgy^o-#hI9cOE7N)>~a+uC#E( zQq+Ij-?Tlt>>q#SX<`R5T#2lx5owUJ54y^9r4LOh>oS8%rm#xcv`ms>ls6x9nlwaY zFd<)N`K52S!nv}CYUXnP!G|`DU&Oloi!RWpsn4CAe%~!R>e1eAb-o|`jAp+GTKi0E z2MsMU#vhEOqyUF&5OxQjCjVB5-Y#n6`Gt&-W}_oST}1X)81G{=b3G=7V&Pu8KBRmjZ{jCN*EE*F-bX-J#wHVFE@&%4$wzO0Y3Fl&?!c3OJIFrZ;GI={x8wn?RiEl}AK$!ubg#K}W{A7jYuXZtE3bHx(Nt)+ACNR4BuQFC zZ#8*rf%Wnho`)TA4z@_wdg9|yQW%}D7*1vL+9<4gaDCdvhJHNr)UM|`dcebi{e=gt zd+|x|LD8f$RKE63@2T`asSS1Jr&&3a=8F6xJvUoy6^1&vrJQm-)@+BlPfq-MKMQO? z$u?FT9aQ!czVA^O_dB}RL_EG4Xu3qVGR*+t<6l-VMza0HEieE8GwgqZty%o=*#8I1 z{=dzKMdkmWN|YN&0%%MjRttE4)FgKN+b?|TWP@q_rvbpRsbQo*Sl(M~{<|w*+j3P| z)?|`4LdP<;BY1j~%YER;FWvkwif}hC#SacE@(3+L80jrGMN`ab$I}*;T?(-j=7Pb} z)>JZ&qiQ_9#7lyg0I(4hlO?9>ef7kL)AGj6oWGR)26La3@5BH*|1b35^-i!IGfUn# zjY@?ln^p9}J?9IK@lQW75-b7vMFoAT;BQG0=VpzdwvB9kjbIu6cQoAMl3vlCz{43g zNn2c?&-3PF6`oJdhb;@mzcRJswqyA(MtKL6P_k-o7Y@C^RgaowIpe71y|}Ee62wb2 zf83A77L4G>29;A{6Lvd~kj}v1fdHnbnm%F_Oa?*L?_WD`M8y?XK0?sjPs@ewuK3S( z+P>ecZ+ktMJePd#*Vk{GeKIw*ywNf{q+sy| zTcGVeLX~2damw(Mn8)5 z9zA;n3VlDx6(9;&8FP>x@^9@gxrre~!|-L#w>I+tjGBY2kzfo8Q$nbkl2#>CAxONfV*wHVYur=U#cF}#BLo6dxalNLV)8Pn zhkiQo;pILXR%fQWW*cw5q<5F3w)@M}j=C`hTT)aY3DL}ej$0N~X%CA z$3KZy#6s{Sz2XAH)mxr=8kmM}SOfW0u`PKxTJ9V^H}k`5L8lxqRf7IJ z%Hl(8(aXWoy_>V})KoZAL#XTGC`6a$h!~7K^{;Lup=ngoAPG?0DblH-oaBdGHd01(mht z)}mSRX2V5b<6^zm1@Gswe&e@gV|VoU*;OQsz;Df?g9&tO$5WzNEbFkk9YeD@<#z>T z#%dZno;$?yM*YT_*3Rly=Gdofb*MC>^Y|!+s@fr~0?0IVUoZfby-AUB`f8R62uNjz6l15T=*nqz|})q09dcOc04j3kKlL z8?0I=_iLE+O*LKeH`DK6Kr|-uU{qe}HFNf}3yI07_2Bwbm+zeSqR+!&u@(o7Z_kIQ zWvu$s!IR70)vn*#Tkp!CS6nrzgSY;}#;tnYlM504ti8ssjh}aB0gf|694XU$xnc z5H9)ySV)gBl=O!m!YzU+If!9Gdd^=n=8qX?xJ@&4vhKTeEb5rR3P5-CkcvE}M;Bqh zMO#Dws9JOha*WI=H*F{;Wu&h{l~iOw2sQ_SOO_WkKjZ)^SIciRVc^_&1ZbGPE$#D%nQ>S3>N$smL-Si>`JBxgJR;Xr_~QJ%mDia8VT6fx zsg_&K32^@j>1{33*G@-5kjjbqhjA zIagFrRY90tt_&U6FBrMsLT2Ca7*4jN!=U_inqR<+v=PuipIxFgqQpK02btAEReF41MX8N}j$BcBc zMza3qDQ~6BXOH6MiBGlc_3a317W?YibJB&AlVNr@o($(^nLt`B7*BCu^qyt+GgAgh z7MlG`)^6|&S<0mczn%OVsEvU71+iv`3OF0)f!mIUMWVms@aGAK6+O0+WAWbuV7Or^z(OOlPPVP=KYIYIKK`Gf9j*@em4OviKFpjU!hg6YS77r4`X{6oS)}>I)=XX9rcg-?w zpC%F{uE>S1;QjK^>%KE39Ytgzl2cc)lRHn(Sf zx?*Rq6~AdXS$R3bPq(WW!_GMszJ%Q4C~QP%-i_(kWV>aq2L%|{UqN=iozTZiyGI;p zLubmIty3GvOqx&F3rfU7Oc>cHx4v) zEKpk-@k<-%PP3ue3quCjjfJbj*eIAw>N>ZgmAsw>+xB+Gloa0jMhV+a^P2|{%Z^d# za)>^%^Igji-t`1AlsVmj->aHcr=Iym#-(TKWS|kkJMOd^#UqEu#+)z_Fs;rJnA_)< z@Q$(PHi>{)jcFOh{%#n$4C1S|JrKFM$DmjWXFxw76n=JvGl;VMIB;!Pw=;aRfo(w) zFZUoMrG$0RmgP78jVuD#fLh$iQPi(FL8k9!-)&@cxG^_TE~Yk_WiMVB{(ThlhS#hk zw~Do}#;EJ%T}EwYgC{IV_3C7$nq|Kl@LfXHyz6B&(rnVSp7+#LZs*gi6`tjek**;` zXzu`7&=OK@dk==8C|5zWo#2sDz<)+oV}ra7;R0Nb96wpofNqT0hCMWs*;kSj9l=Sg zRxE7!9ovNU*U|;^SWT!IP(p9N&+5c;1L%f020wIA@VG8_aI1`Bh`R^P;{6)2C}7HB zpmTEih`ac}57&$N6q z8oZz42+D$-6xavhge`^S1vMx$BMdQJCS?6h1R*mIS|zUN z#*dt=dmY$_6MC%>dG+oOQ}`%t%XmGQ zDB1VK%$iU*4QtCUCcP-;A-i+X9K9;8;KQ!%abrD)lhr?HhYJ=p()U0ojY}-SkqEU@ zIrO5IA%45h0=vY>l9IumQbG7$_`4pw6J(TTQ zWMg?OYSdkK^dfrSRnPo=&?w6jInd}mMo?c;>7*5jI@W19O4=1mWx~pgYECiG>!1oW@qBpOmTX21b*q+HvXqj*dv@lwHBkOh6nPNE?cLZ>pB!nq&Za z%}pP7=->+8>7k3$J-PDAB1g|8(#q@8{ zNMbk?;@v3z#;UuzDy2MaSQd1;pFD3aSpopoamM=18oPGBQ|XfQh5a}^Yt1YI^RVws ztdP&|3*iD~w}ib4Re<+U3M+ge|4_TJ#00RbLf-5`lV4Obg4XFyO(=SimWj3Ye1p4W zFW15Tcg~qzC4zBlrW6W*XEw0$m2-up%jqLW0a~41sWm|#)EUYs25DPubMcad3Wl^` z%op&^$~B1?+z0G)vk5G^gJX z9gkX-z|94muRbyqu$tuNwZoUI>p?o%sOyeNa|)%oWLa2>JD&HI`p4*Hhdy3V-I$nJ znL1fAQ{S+J+&+IpOi~oAzW`Ar`~(JGu@XGgU9+9Qy%|lAb=IAmaTpmeRnq(Sja{A^ zx*5sVwz`^Rr^kkl(}=U$%fvLLvAKqb^F5svmC~XYLUu`6f!?1Hm?0mSwM5$JYEyzt zg-xe&!2PRWed6W%Nm7Ayehq5A(eqa!qZz|pU`;wV{t5Kch5~#zl9scXxpt9gOG2)H zV`w4?z!G2OhA*oS(3pWVrSB-q@o3U9PVuy5fs#KO4R6-O`bnzHJsmqNb22m;oB~k1 zzi;tozOOyYke*^F@xUF{>rGo9f(2zqdPrXe!1=}C|5D(9M?$;i{^3sD7vx@PY|mX_ z!!}XRk`8?jl7hRr2aSKWMdh&fK2Z$xUD5yBUrfAwit(9#7dTNjCtLx{^55J$UzqgP$ z9vR?_w&XK6M;eRsP{k!_r^_rmRa{8(if(QmT|;Ambs5SDUIbtl`f@4`em=+TLUVRQ zGaZsLpu(*WCPVtkeOrPkoQ;{$8vRi)COth|I=CFTBsOBZIN|_GBFU1HN|`(K)qcy_;C$nBf zc!JPC90(X(LN}`@(+`QZh99VW1WEuK(5ZLWLVq4W6VuO##+FOSJtMfn44t8`(^b9s zw9gbg=_dq%u?k7`&U_g-&%X*}wiY%a2CbBld@(U!dXAW`+7-KLJOVuA(Kg4nXb|)m zA&xeAmZ!#NcBB&PdlN3}XDJ5lX=>pZ<%s1I}z9T+8ha#@0(Y z*leOp>Qucs1srY=253wVcLv4NddS`|O$UkgzUF!zx9NE2m$8)B2IlsbrdIbW-K#mo z%;y?R1*r8Rb>Y@B_ExT-FdnV7@0~ za$u#o)%e1I@2AuyqH#CFeZc@q5pFqiu>APE{GeVVk}8=?UBwcI zfHHKJHTiUV-0>h1<2TwA)S|+{Xk9R>0R<-8dm>)b@P4%a>?YtXbe-h4r`O6~Y_+x+ zm9j|E+eK~U_w{itk%TwMq6?DhnxdZU3+cD%n-GzmxoOT7EPB?+lg;-@tVP%VrS zWXkW2PGxKKD0g{v78_4XkXtx*5`q3_rSVe8WIY-CHt(>O@a@Lc_s4+u_GJ?-mToHz zFshhIC}or6GmFB9>l)=+{$qELM;Cfkv?LGW!-WKscyt0faIZI__~f&Lg()yn1W?4b0pPyp^1Lg%&*N%Y0*?~i7mvmKcq z3+>+vE;`>%k6&8;np!-Sc>UQn!8RCk&eS9FIau%B;%jB2=mX1|A0w&-QCO7_q2}(2 z37)Z8_Ics7i1}wgZ+>C~;~X*Q)Eq}S9J1h>fmofhrkdt7l2hQ0v>6eFb7P1~1r41y zUe%-N%la-9lVy4i;SiQ|Tbk0N4(|70y$5zcZCQpC4d=>$mN0*GULS=bsBOou3OZqW`QB zX4W?U>cmu0`w7DR@;JUuY5w*= zBX$*gh;`g3zT+eG-5ku?rpB6fuifcXKz%T^1?yvo7*eL}jIrs<9ri>Oy2%RW&tS;5 ze_;}TZoBuqcKJZc+n4V>;$z9VW9eU6U*$oMtgP(EIe#&oCeBKTUAcI?2yya44WPbc z-_3glTVB$6n6pemcOK5xFyD42h6aw$;eP{Ujgav=>Y;>-699~C180j0f2oPa&fv1Zsc;SZGS%g zx=8MR$J^@G|Lk2H6nn6Lzp2C*R{C0F*TnK&d-W!tC!Rd-rRwE!Bbc`2DKa++;b<8& zzJaOeOu&Nmft||-#09V=H^A-Tg)|6T((k1Nv8Pm}4NedeYt(edoc6QKXLGHyq&b_n z)+u$(Q8$KeyTFpOK_B>ISVvYNbN}Dvmxb& z{b2-ZxDjmdY`TPH6-s1<{qY=Org!r4h8Wq$A0=bJgwELH0b|_~BA0{I8Ty>>vsPZ24SFcdZMG=U-_J=7 z5XY&Q-|@N5T1wo|e>vKEHgIVNCS&to1*DNxoR2qJKkE&-_{#Es(3YW%m~N3Ael^&Y z%J=|`;GJI=``_c;92?|%q3j^haDm)1@n&;lY*@5L1AH=)TMIctemK;Q-&wRzd}`$% z^%5l1GhAF3l0786?YezZwlSt8sRvm930y8`uwA@fWQafMDb#zx9@?R2F_rj*;Iwi< z4=Lo1f)BqF0s8}ax=lErDQ?P%fupbujglU@=oy^o`)(x%mA{oQ4TgM=Sc^g$@^kFd zZ7SF)W0KjM8Uns-k3FM`5N-ubWzr1e&rW)k$ehH6(fRn88)+|r%QiMAU#4{k>5gS< zsV5-uI^i*;6Mtg!E|uGeKDAhoU-nhuBMcO1TSR@CQ+k;*%;f9N_6r3=gdgp!I1B4| zR3^yF1p~)UPEEI=O7xaX(k87*TP(S2(Pm|TX=$v_b`hwa1HPA55Uo6CaFbQBYn@OP zI(pdiSq2Z6R*j%>>da55jD}vxnU5%2sc!8Q$u-pSoJ$_DG_Hnmszq&5bnAiOoNkK@ zpBnq!2j!{X|G1<`1FOsL0yr;;uSS^;WCb=JcfgR;7}KHZPkxv6*H3=8R>>Z=K`H~pok1$ST|S2f zSRnM}7(WJSE9oamhx10vzun?l1|LNb?O`Q84D*V62Hw#xZgE%b@&kK7#FVV~X} zjN*)WBRp}o9iPC8xZ|%;I&3h`13Q>%!-54i_|yOsJLaWq6octok0jIx@Euw<*jDg)LDw`9e!lio zzDNTh6HAybS?i!P`E783WOs+9dmzjp$sDcYslye{5(@)whIA zK<<3KzKIbC5!(=%UEG#;3;^pp$ez#s%Xk4uU3`>39vvu9;VP&~n+&EVMUo2xW%7H7mbYStqmsS(p9s-cA!S+dkcs{j z>b{USB>TiPS?)iAH2Ti`Lodz`wIlCatwGByn8nP=?R+XMyGA4bvOA*OM;r|4 z%BEA(_b0;S+qvF+L4+u*{t}_5iR&U95;;fndw)j=d#T5t; zGoeb-JRytGSqQ~vDzriGO*O0yA9dz$v9a{LahvhDJIqaeK!oMO8=6V)gXnH#%!bfI z1{U^0BWlm0G9!{#TTRh?mDG~T6k4ZA{$ufU9NI`>L=4EVp5Qkshjpzvd!$M=euqdN zW?EbYOn%E*lpuBz*lX;~r35a7f?Bd1NlbLyY(If$GV&UkaC;9)sO1@o_w^@27I~$7 z6YKoEDQ!%IPS;`rIs*WhV8ez4;9gt2#hg z!_ofUF48_(>y)J2K{dBJ9|R1T-`m5s;sIibdk!ir53IuM7t5^6p}VD$LMTGluNWP{ zrAYaPg3gj@7k<&ofmIxK7VrUppt3Y+%1jl|1}fFH^txn1Fwa7Jg|2*K&dNkMm6Z{7 z$?t-HxZwLY$)d;TU9vSlYI_B=Yx)cp9+#7Zhhcc@?!axV@1*1Pqty|;@}~Ll?TyXV z<~ct1BeB=6x<1H5-0RFuj<5kOw3I`JkqdT}eBiCI&~RN`1>{W5nzk2J4)s|^4v70% zNX0)ab+|a3@hO$U_ZdLZzuFQII;q~Z$Q7Nw4Bgd~^=cW&AT?~)3P1tb$D{~8P92|| zOLCUM`Hu@0*9Y0H#rE9vdMaAkVpUVVn151iO})~mcy>CB2v&NuhLB9-t9~N8asG>8 zfY1J@ZEN@^c;u*V_P$W;u4`Xbo>tSuU(8SpsQSt#;<7G+GPrA4aQ}=Cs%mgj+=D=^ z-?la45>^hjJpxS6;khKvWE4Ch$cRB~WgE5rN3aa%xqOulsF7uYR^|#q=qhBLWiK>O z({=ty!}(y$)xVE637IaO_8!Ukt8g|#{nCNrI|t&Wzs6=!U8Ebu0Hk;HyzOr6lJD|$ zBh!v0!DHc{f{PMixEC7|mHjG{T8BKeO-u=g^*ymtS%?C!u@?8Kp!UXIn(fsM>ELQv zQ4G-Rh?!cdgOTb2CrOtKa_q3}qtg;IyA=~~8KGNe11v@O8FD>DT+2Iz+=1ohzw>U! z74>0g&=V#3k?I@6M6o<}w?H74Jh_&vSR-v2<|*=b*DpX8sr`N4V{7)0z0swrmBai`amSTTttL#==}Mj6 znwh`RZ{ivH(O)tUR092`Q**0J5tO0r3R@80ogQ)0?4!=KgSp5zu9n;5T^n2V?-h+s z!{Q*#L*AyfH!uSgvn%G7IJh{GS=a2Hw*<1!V!rGD0`fHKX{Ojx13i-E_2govp{Omrs`NGsv(+8;_gqiD*e=S)v7j~_=);olJVD6BvvpErnuh`<&=UxuHei-em26?*sf923gz zENKtR3`sxE`_`Bpx>3#227qWnNENw|WxB>WCm2H1duTYLa zH4$QiKkLEbkqC583Fq!oRByY)Ky~MC-mF58)=)X_mb7_HNUdRMjfs95c{KHn>S%C} zPL)gRFEg|@S<~Io;ltD6ZaEz>lnKrb97o=ye`YW_hul~VG<9*;3brp1baSyv*BeL6 z<4rPkM)wKA;EyDy2yNi&ZBj5t{%GsEVc0WAPpym_X1LMTL^N7DNU~*yTjm722kbL0 z_4~z~EIGQWz*Kx3_lzYq+2_!i=byx`(=auQe(4KHddlG;`)2d_uLN$L_(XZ9&Oq_@_W z)O})t+~<%~TzTPS&R<@A&Ohxa2A6njvtMddHUT~qXNX{LkV0}o&{5IyC>9+ViC*x| zH?&hCa3?StcE!ZC_z06Qu$oQ$J@I5?STr>k(;FEN8!elBJ~S=%-#w0SUl^PZkcVWu z7o4-}fysRWmnR=3?VQOAIxmrXCwCtM%b6)GUYad_CeOqm{tB8>f@QIRB~{d~Sz(FE z$IX0A zG1k%-jRq11owwk1FhZe<(*epXLnUG9kWIRsG3KYjj%f&C|Bm!fFKFz6bVq^ebrDOz z@1gVSAeBQ)lPU0?@&tTQ4n`5f7SYsqkD|#v7^_OD)J<}S?ela|loE3bpt5V(ByD(5 z6sFc2;pv%Pxw7F7H79GxR@V~6V{nrUs0^k?QqLy&RIB;$e94^ltcZ#GbAg~O z;~tLVT%Nb1K&22$~%Ak;L!=gW7JMtj_Tt}HE2MFbBqL*#Arb!TkYq)pgMb; z(x~Deuz_M&nExrwU~O@#DPLOoHb4JWQoUkr%;PDP<3Mgwf|LJ*^sr9$S73=&S|3s5 z_4y^gBlml4Z8ErdlHf#Xlz@ly!1)2$AcK!9lwz{7u8Njd+P!K$bJP&^~^#cs1SzR`d-hbU%6F;M2ljjoS=5i zm0Yg%gJvrRd3w7m^$%?JR#L*Q?Mfic!Sc*7TJ&MpGPAdU={8K6iW4>qH}dsj&r)@~ z4_PPNP68IRs8-?JM z1gTt%UnXxSDLtlzNoa)cS#k8*fN<56;g1f1peE}1ZGT~aw74_$=3dWcEpmJ`oa62k z_PhQ%v$0Q_n4UU){)kXk>);kp7Q3SAWVKTrt#yr0(2lv&3;U~`ZY*Rd-!W z?ASqM>)9F^CibAUw3=-zf}K2B{6Z)yn72<}l-T#{+SQi>cxRv>7@0c;a*guF*8V%i zE(_Shru{b=%vTnEqW0NRe-8k&#w{sZ*ma1%&R{R49^}%5_xINYD$l z)Bwzy4PsCE35kyiXg`X|Nd89=@o;`U+E5hRxZ75@-}HocJ+4bmcq+n zT+y!Fu4#{6nG4w^pnNtH1!pn#7vyHP^l0m4xCFgo7>xaZT$Q|!ba%ATLuZ#xSdL?xS z0i^BX4&QJc9YV?OX854sngV}7P#|?GhK_7TEgcOO)e08&zL8Bp!?Z_TnJ{FA`0DmP zlNLb{{|w4CF2@HxcNFm8kNa)99`AR3;P&$ZECqs2Wq^lmI?z{+AOZGjH9B*aQ!8-k zElY1q`Q|dtSd2oNa=J~pLd)CiR6$7;sba0iKzAm>buB@a2bc7&ZLSTjEnwD;*11?s z^A>%NILNv4avI31%kpgXwCUzUq2q2s-7$h~?3bf7UD~FE4OiA zx^kJjrhc}@!n5$a0_X4F2AX`0I-9CgyRA#T{{-Tv90;Yq0slwO_}|Go8v{oJW7~gP z0hM&@7XC-l_{dp}LTtc|%Ai~>k~t(ftO?oQcej^GV!5XryCD6((>f!O;phq>od_y$;}mIi4S4?TYit!+PWeHH*cVDvIJnM6~K(VebIgV0*8_SEK{g;5VZ3+YTNd= z6pB~<$bn8E6oL~5)FCj3EKZttcHfwTCs1z<=v>|-7n;iF2*~s_CW%Be;>dZ|#~f-- z1`_4I5D?}5_v^>;orKZ>Gsxc8MtGsqXT{_hWg=$-E!mVLTvT!Uxk*!G2l=^v2(LHz zyKdtW8HjHeFiPHRsVAo-WVJtc*f{;{82#zftQBm9!MlRuvA z3R6NobNNJp=c$87ol?weP4AClin_d6%>&=#6-g!3>IJTMox+@z6S@%M0(rXBsLqC_ ze4n8?zp8Uh^c{EwXjdj^shr%Y2C+Nvwxl>3j`g{?w>iX z_A|%-yWr2p5Ek2NGgsq_WKYsXPtAC%=u-mHl*yFZGb8bah^31D(EQiwgdX(y)l9IowZAR44_wB))cpCWIX= zm!v(zL_(5DFH-W-VYIxfW!@jxP6 z`wy}E9J+sHZVkZ#MUR+oZf$9D!|CuTJ^}dqa7&?$b*k0x_~mr>=zZ*C!^6!?^XWzV zc3O0E_*}KFJx9fj)sCjtf>g#^$%ey~Z`t(;f&R(Fr+@QoX1zQVoZi$A?ba+6)baz- z%kzM*GF2Sef$H(2%T9NmyM>NNiWUdCyI@SYZpbnPhby6|le>j!nJa0B!Ux+8pM&TtlDMFYa;qJl?>rlM28knQEik=G$=RU$P9$C{YT9} zC4@`t@FoMNh#3TmDr3jvmO5c)crLsMs7ZWU!4X3QNxDqL)Ac3|q{>9Peb-)@+@$tX zSzNG8Sk7|a0$Zvrj>z~3F2|oq^z_6?mFg-wxxqGJPt4heH!Qk`b2l`2 zIN?<9=WFZk9|f$eaul*i5k@SEY$8?G`r{9q9$k#p#q<_h^={PiW`SACMZfnlM-JvX z)DG3>o~ScA{yEXR1;3P#>SdSs3GV3cO)@AX`USVzNDxJi?IRB-q2#=Xp{N`5=1u+T zanW93WPT>`{WurqR46mi#N zt8S&kT+5Eda509uoC)>M43`EbZ^7?RJ&W(|d1t=!#V00ngqqMf(gtkh6~{fA=I6un z#!BGf{V8H*4(EK1K-ofwK4&e}1*!=#xt=iGx}~?IF?>(NN(4j#$HjIfn0*dQ;%a)c zfx>XS%TG-X&7}%_8mZLmnyhL-oO$0s+Az|9JcEtNE3?B8hD^J=$SG3Gh;z$se3qlw zO$b6kQUPW<96zS3OO&J_uCPIg?=HR*yK5a1x|SFFK)~b~BPujk=i_c3C8CMF5aq8q zD~iWs%Nn$qVk?-v^~<=DM>OTfGbiUQ9d->f*`M!W-B z{bKv$6+Xs3P#xA;flZxb(uT!p-i!1)q z#z>4RA;_DBt{c;+>L;}Mp?{@}IOk;y8e)TVJYA=E4bNmkt$~$9Nd0uP1EIX-R`l?! z-$5a~G?>nVTO!M_ zO#hu4QkWs$q?I)$E^VxcYLE5ZmI=BvR9X$!!8KX&Cb|7e3u^2#Rgw}3gyV4aHW&e=uvD74Mz(cDZ(%hDXRQGtO(-_|bm%ynE zjchQqE1fFq=aJ-of>kB$`;bM1OqP>czBx9jbObO|chxf#N)GIQC=sO2b(PFA9_wNr zvx*hi&UTOl^{j2$B}|VSw@*`&#M4rJ|A*$go}O(n_{SJ=iu!+o9SGSLi(?O2u+DwvGTd<{dFKVJc;%8dPZ8)Q~18@ew6e`WluLtbVBY*n-?;{M;MfPq}NQ2%riX zG*uFFUGr&Jj+e~}_uWr|Jt98Yq(QyD%hX}kwXU}IMM{N%V1gpR>I~hZiI;bt^y}Us zUk#n#cy5mG?cKXycSVmk-`CTtnjv?4&qw>``9dLZBCO$s7}t#fK$)73SKsLq$mr92 zPGiUZ!X*#(p`a>M!?I{zrv(|i%IqulFCwDf2{RoY!N99emcJxGjJ4svr@-2}irW`~ zAVCf=_(`FwiS4Mfm~74FFy>(FO4NQ8!C8G|rplFwEh&P|5Z9yp1J)i%T1WHBWC~G$UNTLoLK)Rs-MM(0g}yXNGOyY;^X~e77ZA$c;LWR?VwtVz|-CP zW1m5J0~OlQz1Ei|`g7{awX28H5{k6Cqumbe^AT7-SM>y9QKKuCWbu7iF)i>E5e*XR z)`IV?QZGkGV6bU9uH)EVu$;QMJ1Qiv&}FoDgrb%?pRW6%OoVnFs(~-I;oPg@;#P$OQ^YH(drzE+-79rj5E|Yc8|;^zdS+j6DdChMoRKMCEL`sXO!l} z1*vfyn(dF@yvwTJSyZA#GMn0K-ScXYtVuWa)P+WT60AWaN{m6JKK>?D*>X;SlWo0f zqs-bci9jX25`#`a$Y>oxoPfU;yK@W{S{)cQt3Haw_>G~_&3Hg5L&hfLNxW|@LwkaK zFyO8;ZG~L)VP3sqXSqsGu{Kn?LIt}goj?h0_mjhDLGVNZmn`v=*W&Ma!$APjYmyA3p z=oJbJ3AAIh9UMKI2po<>u6M8F2zl9-I*pa>dpyl$VShY5H5BfcGsC}8ny2#f-vACB z`OI^+`T2{b`j>9>#1^>)-LnBnjzTPBl5;&tmHM0+r8f?&YDMS>1OmF~9kGk$w**Z0ckK>&!fnrnt`~!;FNHn>>%aESbc0rv1aa}lEc#CS4)y3rtwcBsmV;mK#Ln&82JL2bi{nnzR$gnN)EL;sOeP6Etc*(X$ms(uG@F{_ zHYwrf%TTM`DlgyNOVH+Tr?X9R{x<5EZ$hgrH<*P-X(N3@{wK*``=QSRKwavafN%wg z$y7I(VZIXPsL&QLEliV9j;-XfhOny%h+3QY%r&@diCYn2h-yzN& z*$AUY>)DHlpWS>Sid8zDvd8Pf2e5Az1LnKiLm!3-n>chtCx(uT%Fm?+@Xy9ETRtsa zj)3vy_H}dm?0h%va{IWQ$sNSwjpOa|>lb^PdenIP%uHN1j*S&C$d}s7ecEjSHdeq! zW6aKxv2v-d>0%cvZC%eNf#1ajW9##DiALA%0zt{o^YJ&mNPFEgOaXi+8Y9>Vcu@_I zo;%)!s<=6E1^|UQY70cEFi5;579GcY!SIAK5HVy$vqGZ$PJHgGsH&Bt$ZEFX;k1^eA1?J0R9VL>>K=*1s!OZ zK;A}R-S1HgcMM83&(e`V)TuXr`?eTM2x+*EG}o8jr# zxLo(eLs=YC>Ya$lHwI+kF6D1bj?%@43A_+1QR$`yrJ+T_Lg|4&H}UZ&e`+m|%TQHsZsHh>@YwoMWUC zAw9Y&OuN(S9*6HCiT+Sc!gT9WqAXN)+aBfLxg#x^21`L*_B~y+%&sJ?MMHp9y=j(s zDEs!Q8%`O}3&6nU0a=E_Ttn7Pz?aBZjP{C`H6^!Xmjskv9ad&nEr=bT^+_oq2NX77 zUmw9{LLAl=?jO{DUJ7WfA%ZPVULMHgobDvCod|nxQxFCg zz}!BUpS?@iKHyr7`f5FLayd6zcsp09W!{M{{kCl=O}@5esTpG$^l-^C3RPBhPEhw+ z7(lufVIS$xu)&Mg5;k;|dORT8O0P8kv2MSzI#5h8zDfFhR5$@F29|oS!3`~_ zJ&(+NuB@V*V%EsqUMR)raxvY4yhzU*{u)R%iW?(31+ziZU?RMaagy?y@E1LyEW{+{ zprHgJ(6@#eEQ}r^e-xa!d)orr6ahgjX3HXUtqhj`%scQcsQepTQ5R<$eu~uvQbd{1 z#-F9(*2Q-vNO!Fk?l7>?(a7sqCR_J*Kq9R3CdoC6$sNpf`#|ahvtonLpS4lh)J1_9 zS!uqdvRMJ|`NXGoZbcnlX~FnLQ?Ix0Q=jVsRs=KzGrC-9mWEX3bZOthTPxN1-B9LC zCoEfX5-g0#5MNV}OlP`k%T6qJJafQ*I!M5wve8xS3EFFU%PL~UX~m$XfOwznM+Y07 z$N|;H)sPxv)~_Gd0S9<1yG?;T&wD04Yqanf)s?U>x5@n5vQbM9>IBvNlwH0b3-nVp z*Ag;spnYc9Y|&mT_k>GJv+z`=1S=roeXw-?O2|noB*o?UKe#inw7=S*KW=o4A6wdg zPc^pjFtE4yci3%MQO0ha9;W+UtSwW()M1+=022E>kf1l{JA(5Ls6RlyaULycWB0;B6Bpwc(y+kXdFX&zr*ouVR z*5n*q!j%j{K_Ze>+HTikwXJyTm*tLdhH>i=vT)IS5*#REt|*-}B!FMOlxoWL7TIc0 zyf!~sa-{fl(g0#4EPc)IlRhkbV)uZZWn5}UqluRehW@K0n=CPzaq2gHEN~&p(UWta z0EBsFhpzr!UrxKx$MYDZ+P)JKMR(Hu5pVuEVU!HVakS?gf{=SRzR zTB9Ny4yPW@7v2m!9G)HCF5j!(KAhZr9!229f}v9ZNJ5+;L`jOPNBYXwx4ZS{I1?#nfxt;+T=LQjq6^= zZ_=?Z>uoc^_fG_uPaC#P@aH6z{KNwOA6$Tkv5BjN^}nB|%m3fsn9Rd|N;oPp2PBaS zXt8E1u!b*=M6I6E&g{|{-wHc*$BW zWKEO>JoCZR=cUU#&WS(_3I{s}XK>`o-HZ)C}$tm7^b2Of$AQK=4mE6Ow>%ir}gO#vvgBDm7c6tVmjZ zB(*uH9ueLu~Q)92P!4aGW=&cg_Ca_q~uyk5_RAI<+nX~JEc({T1I za!2nKK?NO6<}R=Bxa_=1`f{)c0)RBS9K!)*BH|*9n216&rK4yP8xBN`>?9$VU#X3= z_uZ}S?dZYD-r`s(pWHs%ceLNPja;j@83T|MM855Bjesw_Mh*TWU6 z?X+<$_z(6~=@ytLMn@QmM&BP&r@WizjNC;csxU{|FJgqxKHnbAZ$Vj+HvltXG*}{E zn8$57dng(ZhX#G^NvK>!(AFe4l?SFVVx4F6(_42!x=08Tgz}=_2;>gCi(~UQ%Kjc? zyT0H-c)=u3U2@}|*1Ygk&4+(<7U~}Ri#N+sKKyS4rhDMWQV_!*7M7+sKolFTZLU;_ zGkiozVc6=rvYA*(z0vXKQj&K1sK1|OX$YRsP>w=3chN(8Wra?s!lVdgHYgS`V{6bB zX2Yij$R3JX63lH~XJ^Twb&*4e1$N@_wZo=i_HAt)dC4VuoZ0dsUkOgJOP-m<&%zh( znUrs+%0z=f)glblV19T{M1za8zBe7mu2TcXo7JA%pAEp71=@{q?f7nb_%mBS)K9;Wy& zQyR1q46lL+iq(&>^M%F8!zmWT<0d6@rYo0&cCPz*if`%L=uR35i?s1Ml+TfqdNNTx z(cN3R7{l#qr(=={NmvvrWw-kn)*u&WIv>1D=?kacSp&iS!jItwfCQlpV7M~vD1urP zr3hZ&DoE(_+UoPUj!xb2Mec&7Q?@RlP!;AdkO>Pu?c_Aql_R~1*266|B3-70(8>{< z-g;*{BudF$>c4n>yxRqxI={r>_BC6&9PD|k*l^B&0XT2~_();HyP^#0rYHs4F zR%`q!D-dMwF>bHu2=$i6_kCMqiQgi=`Bb(@Hs`*&6RIid9N!&Sq{3(#2`qw}LQ+)E zlk-}t4$(t@eHd$9onJ1s(H#qJB6Kfxxu1MO|MM~;FG&;?`%##W|0vA=&&$Zx$ufk>d&wCX z3?_|_9o56FEA=?1P|@qJWU@7^$A;l8O<7-q<)}2{4ix!paL^sG9CLJVaHGZX$GGoe zYxNpFe*gkJ#t`#(Q3M_pTgKk==#VO4y`|b71;~hM5+$rqC>T)*@GdaF$Vzcf?`EB) z9ncjh{jPzzF%M?wWY{ip85#pKgeHJwARPJ$7i@xu;G3xnrDA#~r%Hy%NwzU(a(y5U zcl@4SvL~+683n}O6r>t-dWsNXh02!P0y#%`b;hUi5?q;3!WPR^Y6QhW0Zvs7WUpW5 z*=60TR+BFAa5i$n)u7p`yX6d;-T-f>^ar@n^D7J5d34P#c$1vY*A2iE#Df^a=Ek+a z%uo4p$r)+x9?``RLJYgN=(gnt&ghIL>*!E@t6YD57Tu&&N{yA6riB!b8_?(=xh+6T5AQKF#uU&IjvFNsA>-T09q2fE;3sW! zadh;0?c>7bWM_T3@_K%aPTx-CzR13RUD@328+`L4Sb<{Ri~&jOqaTT8dt&7x0JSnp zrz>qY-^?A}iUW95OKU>e7%us+N{^!0;6J_!i4-)2y&uXM!YuD7&tkje81qK4loAN) z85*1Z_RJACg3SpR(-2a(8s|UDO<8`*c(hStJVOJE?!hWvOL7|K--oVWLasAx(e{d8 zRb*$I5WB(6ct(G@s|T^&xj#PKRK#-AOG6$qH`19jHt@M}?zu7q2J#?Nybr1lev@FD9w8Z4J!>dr$4p@prOBbQ}tvv!((%zoM(wAp7bibxIr`4k9 zRg@)@?1n_4}kB6dGBPI$goW z7_LT{Iz{fG$+mRiEAcqlc!DLD*AOy_o?p3z%HN(zj8;KilNVENk%B(cVMH8)Bz!6~ zmi-Z3eI*PZq;yj;bY7e;9Axkhx$yq&76k>@lDQzMYqQIMGI zZS;k&F818^nw$na$0*6C4y6lBhsK)@E>hYXtD^zMKhc2Vu<^N~VswJgr;N*V;+7=z zx2l??SE0FSMm(pgB$B83sXfX=OW;|V#pI8to~C67DFxK+r(vqupwYFSEKqQq zxKM~JLgIQhM@`krT5J^%PwgO=E9C|eXK zFmdlf8{Jlz+f>*Dq$Z5Y4zEO;FnHNetr6MTVUw-f62_nY(Rlu74tjLQHbEZuF*9LB z)*35nV9SNMw+OJas16qqB2|fEmS*x2{FrWBU}Us#TzSh&vpqWZ(kk=jMt|7czw#~h zvS_#jW1rQQp5nfD4<7rpEkvL1RxnUYU-k-uLnZOdP(c%9Ky^r`ral;$omfQ8k53#& zILseIb;X+<_!v=82tZLy_Xtp*$VyAv`eCIW-?jgK@a?^gSW_JhrdayaBF1d6zFP6oIjyp``wV)2HM?Wv(r{=X#EMfdXC|hJu%A1P%$VwTvzM$1! z%Q*z)>P!Fp0N1Z4`$%p@H8S~XnvL@E;HuG8S<;dJ#W{G9CF*-ZfC?N@k+uhB68|j} zvTepDPtR|JXcDy^?6u(vVQJx9%#lXw-d`+%=tzfTx5@ImDU;~Obx%3SopQ0pp|tJt zX8_WR)c#7~Q;DRHF7xfC&WnS+4ZSTps_}EHU1^5ttxfyO<-2Kl74L!8zEb*T-?o&^ z9)5;X76-b1BZ7DIHry!PifdLu9Mh@EdhZ*Xbd^2i4Y-D;vys07wk|l6?>{_G;;CpX zUq4OBoR|Orl>gPUYUAN-ZegTn_!9%-{13s*qPmyeIy>U`cCO+0ON~RVuWM_csR6P? zhD~5o3<6c#*6_auQ*kwQIbpKe!nH3G@nhXy(dzo(?zA~h1UB69ZDwj~&ZATMKU=$4#vq}#Qkmas<%g0-i55@qSHF#2e-&c~`*V9v4{Qt^@65dYwX7b{DU-aL#V9qWT<0dVMs zC{*NfT(JF0BS(S07h{~MyJuS)NVT=$FjCv7w#sgi?6tjvFp(B z%M$8FZY?gV)XrBg5K1K|s(RBQ@usJXH8ejO{6sC{GHt!kH!|Tgz82z%PR__~PoVym ziyfH(E>>(`xV~q;z(8|}i4srY<*f1JINMIxnR!fSI<9kt0Nt>sluR-Bz^-k;^OxX_ z`{fWZs2cKiE&fA4X* zf45U_p#SFSP3i6a%UG^qiRV{``-CfaPjlW;tAkhg^_eDtq9cQCoaW0}=q(}O(=Oih z?i}w0&V_6?#l;(^H4I#yPQ5=v6Eql%To|;wD7Byn+-LI5uYJZ}?)TJS9rg$M;~v7aOQm!BB{JiZwuKWM47oPQ$QbZY*w00}BVnXZUi<^cPwH&+9dl$HRn# znFKNvJ>4pLQeE`A$nz3K0yz{Niuj*((O@z69aY7*t`^56+L6@S8+p5)-MEd&X<08U zFk&kF6(EX%Fs8IZf(TeZYc1V0!)lXgwOqZ1eQP>~4wTBSK?q=k6A4ut^rSS>H&;6p zsP0C=+G;|TghT|2=&<7~2oefp^c^{v(&{L|-_eWaRnL^TCqnl-MrjyI%PSpa@O2v6 ztDPqB%@+zn0Z$|=sP2DNXHjYA?z$sutsnIueja26=SdBh-)i37Jnnuw*dLh)u6R5p zTQ60M05Vg@r6t6lE0ObT*{6oVebAORt{p==ctL)4^!?ifZRX&n#Qp8)-F+mRD5gU6Rd4v4)7CILP`B;D zbz^Z-;dxGI^Ke|lf&@y%FOFxsMb`ZLhdu9>*uAXwWVOMuu`+-XtpXH-p+G0nku_B> zuvBPaNnK?1g6nJDB5@9qQxe4m^kR8HtvUZ>3PXw5%!A1I#37AYT z*{T$OTc#M!4g)copK09hFTk*0v@FOvtmO~`r%0{2u=FIMSG1Dqh&1-}s?rGm{cE%` zYg8yU@35Yf_RGad%~*U14&wthG+T9(yKPB_@}=D(+k^BaHL$o^3D&xdcDH(?a&w$5IyeJ@FaS>%|jv9x5k{1jeJ=2W>7&Uy;EAJ)z7 zvG|m8tJ=QGI~|oybXg)e8P*{i3jQ5<$6>AzFAD30N;*U=c2!$QdyH;4$TEfSE8J02 zQWvEu`0ZxS2y{|4<&)oCudJ*l&h|)=$3=tP5htuBCu=e!7Da}QUq}g=;=(=>#sWa= zq=?v0nL4w3Me}um)s>zn&C4Pw>ank7tf*KqmXw#HhQKZ_3bzYdC4MHLw0wsY@bHA^ z0W&tksi{UT=;|@XmX_(31&uk~Q1%f>Ilzc#$UeCVx6;yY*zUm`?M5o|@Fj9YB>eyb zE?+DWm!0(aG`*d{tv0R*dsI6lJyuw#K9-d3arhv=__vN+>)|FeuBiKB$FrxY=pxdm zN`j9-jV2pYCy|!7M3;96*-Z(&m%kI9PTFL7;;7KbT9Fb7^p+zt!#=I0aLk-P`%2f3sf$}*O0hsq4l4z$?~VmZY}#0 zcBGYkM47J6FE5ZgF6>y0YEljNN;EfW3ok8q0Y#8a+27DteZ_k0y5E22^!c!N9ioGg z*Rcc@j5VJ9Qc2B+Tr!L!uLuma@tfjS8TacQ7iB0%bdd|hZEZr$n%%w0k_gEb6%39G zXr`d?X9(HjLT+O8(d=c7HZ~6?+nGK|Yc7mXM6Td;-Scfs!9XWd*KISzEuAAU8sGLH z;^JQ7*mrX~OqX>oG&}w-xZIi|ctK7%;jEkT(SJ>)rD$7m8*wp(0`rqLtZF)+V+#^$ zOsE~tof)P_{2e~@+?%VK=9^g=hBj77-o~NqCGu9o=;k$>;c6z-J8(UAccODbJ^yKB z8Kt$RnX6~%@IqSt+|vxJ;Z=GrYzd96;IWDE#AzRW*R@=*a98eVu&ou%(1It!LIZo1 z3$le=w__^tYZvI;H}Zd_V!UEjU^JpLqdrtrwNmPC2}hKrA9>t;zRtY)%q)J<<8Nc- zA7w?6<1Yez#sk?el-~du!UX!hNB1ZrMr&@HEHNv+?g#6>g(LB+AR;GEjv+=#XC*>; zLs_#et54cn2+s+p;_bC`)+4k*2e=k#jf-g|6|<&E!p!vH)OBIZbnJkmFKedo<91qy z5`{{#A+)M>hGinRq|MpXV{+G7ew6F;CYo)IsLo=iK{vu^N<@~MIx22ouE8f(mF7xb zt@hZWcMtW1W8HoI>r7#~;gtsoS7(8Sp%a2g$XBs-wcCHS9;D=yiGg7yU?E!-c3{To z`h`KO%YQA>i5gwj11E-QGZAmxI6NuJeX6%_Lu+-zi|6du?%rQPZfe6Rn)tg9!$sfw zOP}QL+BwWE{%;#godv9oYkwAK@**#4669X^ozP~b&5J@x^PDWoum2zzmE66$av^`P zYtsMALT+ndV`5}(V(`xuU&BjjT^#XSFSo$Wp8jYLt$mXcQ5t2U0V|T59N(oKx=N~L z#GSQ)m>DsR*!%h1Ljse>I-yhBW>beUq&Pk2D(6biO)ier_oS5jN=|*Yw4dgtec!qd z%T1uv=}gq#-ZT38o;c#=-uGvy*Px}fZ!v2>cwmYcWIb$#KWfAe8O$8c&9C-}m_3l1 zFdVY7y@+22EP$x*Sa)%_`#8Vco$NSAGwml9_VUrhc60G@BH1nNyso>Mg^7)plJBG@ z2_ha{tZPHvtOkI@%MCT12Vl9s0N5hG zMtjN`?D`haZDwl9MmmhPpbh9eg6HkIFi zStUrhG6pGNO8Hb_F&%!fMyuw+(NwcLBx=-XzVK5x1ay+}^ITWD3&%U4-dPB-Iy1oj z^;|l$SI)6d`TZ=HkiC?d5VGR@Te(9MCl|-@UZZ5azM5Y)-tM;-2a9}LlfE4oT^}~7 zu%Wpr*M)fSa(+ic<>4!5eP-bHc0IK#v6@2Oaw%ig=cUen*Bow8rXGNiQTMh_M{k*7 zOfTL-ZnXS`%cx_F@M%7JcAJx-mR^zCl z-Z?W)m)^4x4nw~mEOog1DeNc|v=Z|j)KQ+;9%aWcbwDu42ZK7ukAk-~29MxR5e_z} z0ZDhguy%1TO?>laeb(*`7k;tr7a!q~_NHxiK++iZLOu?5zG0h_4aF>uO{~faogzcGv;Ed1>uDjq-`*&#ogo>1drjAlv%*j z?s=hV*Q)Q8o6rg6*w@#T;x_@JK}fj~4*WK65xz?np@XTDwn&>goWH!G&D&y?z9PvB zaVB6tWWMU3xQX4Ge<@$_GEkL5WLCexhftyac~x8zNIMbntZoV{cKtxggd@oQoWmEM zIX9*DVg|qWV(k<$sm6w<{KLS*E%vsbo64Lh8=%Jp~|5VVJOq-^GY2z`b1(t`* zH10=@zR1uWewOidy`H+dwNte(y(yK?9>`M(o5W{`FYW^aesV^e%P#^@#?_J|tB*%{ zLE6f_T2MJtc(8SH62i5yb~7TNP1BjBT&E(t zY{NDcEuwW2N|7$eU2LrsijaM!9fa%#3|EdaKkHVr4(~FNYj%~G*aSH00p=?MdIK^P zqq7j^ClR+`&ruj?kUEeS^XraO6Kz(dQR=EHA5<6PjuNRk1}IHxXqL6q1@)rvVY6TKCs(>YxV%13_N!Xo z8>+vMRlU2yX$+?5=8LkAQ$Hts?XX^vS(||!`KSq(^5O#r_rlnV+eFqBcT9g_9cGo~ z*2Y_7F5_1)e4;nVk_7ldLwtkKThl&Z%8mf+AzSB29OCOQyJqJOBY>eORKvN7UWH=| z!>~oozG!!YdaMksB6-@$oLMD?O$p`hI-H>6+;S}J8z|8urP%1Zn=`*uxp@5H3dF%b zB#M|-Q02a*YAvgv1TvMv)6@(dQA7a0`9590hn}a9q=$(_(IjgPJ@d(FlNc9EJvh0z zxLhS^*u3_7Xu;cIsP>okz#RvsHj{^-YS>=i>g>9}gIxO*Y&XAdHtFyCO`HP!&S{N; zP2!~Pab)S(gXP4TbNnlQ1_}UE&QaK3;-lh7ikpFMJ0_!n5hT3B?;_?;*!I|>YiAuA z;d8?RLo`rCs7e*F?h=#aRUu0>Ey%E^C})z|J?E@&%mv7+<8C2JX}%cKQIrYt!m8y~ z?RG9yhL|P)dkA{I-CFAW04AUfuw zDr(|OdeRUX2{js>f+~)rbEqYIqVZ3I6ZdcI5oK+xKbH7Q)#3-D_WM87he{$kmNSY? z&BLUdB0JL0s`1zRZBDDY`TZlj~F>$T2gsSsHnvb}$ z=F-qJQBgXMCENaX-st{gk*?s3U?OY^`Z1aiSKP^JbH1v#Au$Dw#HvElOHSVB#pl~n z3pGZNd(2h*0};#LvI@-U46fj>sj`DYn|Sd+Phf5v*&i?7SD!*GDH`LM(wRWjLed3{ z-)E_u2OU7Bs_Hrqvbsh$5Au_`D45BERmiIOV~83YaVq38tW+dS5^7ZpMH{4=Ss{40 zPl_Mof4?-&K#I&%hrBN zqwAd8Q9hAQ)LCP-Ed^doHfUYCk*E?6Y_e1H6)zvLOn8$u^)%g#7cIFrGKB+3cENV- zxMw<4g}TZMq&eL(%2K>d6L7R+sjUNt`PpZ)jc2oZl|p<8vQs?OHNTQ)xZ7;95N&@Q zJ3Jng#WBf#nqf$MPwAN=Y7~ROpPyYPVo>WHoT4-76&`Z3sJw?9{w!W0T_dV{uZ7LH zt`g_)h8ES9l{*TH8MVt9wR3Nk;|;&c1UFmuh>Wf z%=!QR_3Ui^oy^%(`=7>*e~~#V_yXsxMdzCEBk?5`m`xLbBg2u4A^1{cnVHh%#3p2? zZ`*FfCRz#EsXiEW7y(AVJNCPIW^lCPIzkdQA<=Y@q2-xotZ+~~Q^o+jf3oNIE+(yT zq+nP^X1%s}+~;^s9{nCP@$Ofuaa_H88lUzk#I?tziB4dYe;=p+#UJ2sEwF|YLo=&$ z7j?`i{Qx`1B96E3UxYEtU+d|4YyyoU6iVO_{q`Uu7J|hd z@FzJnU_5(5dU8xqJvagDS<)b)BOXXv5b^4gdGoDz{feKC){u%j>|delp{UH#0%z zK`m_sGthy<8^j8t;>! zep9nuih1;<<<6=fL1F%6A-ttPdW5wPg^^$h;!7R_WwVtb(?l|ERe$n>A0@Fbo556W zR9f%Y+)X@D2O>nXz?rT#ZM3^wsnc`iJSH8KqrH?u+<`Tl=@4}qBT(ENr%ghc&8}6$MpxM(gotN_c zp(;@B9z1ex(hc9MW<6gIL3&qC8FwkcviSZ>=HK2iA?vHcrT20WL+B_dKYc;b7)?m* zRhp+&PQPe7r`80(kM9Cln&$+hM;i*Mf!KF3ZDp3Y8G2NkN5vh(Rx+xV3^#jD+6d#j0NANWR)A6t$eJJ^C- z_J#I44xoRMb&nn)OI979|LWrHS}{u69NyC#*uTItUr%x&}igkm%Fvh!;rEu zJg;BN_2&2*lk`ILB9>y(Fg&_(c!zwA=hA{{r$Mwx5CRVydvCD4Zn>v*{&m>S(Ti~&tryj-xZygjY$CoHMeJW!$E_t zT(!7DJp5Blz`U&aS)cLLz~L%w_u$dFeZIK1J9!)Os&*Ri^k%V)xi|~+E=i2vXO2{> z$&0spCGORy;-ienL3wcBUnDd&|k92aq?)mFP<>U40 z6ZW68g}KFQ8}LV{-1>jUvj1zgI9XWR{rhkk{@>y9lQ&%4jlXI+A^Q~Qq8iD3*+HoD ztB69i>J&tz$glvh{C5(L*}32L?}A4#HW@bSdvGn{>)7YJjl%mI0eMRlZ3hJUdXR2( zm{74|4e>_^M^ZJ@{^9rj8}<4XdZ+~r`ghKi-02=H7(J|GY%YEMms6!bUWG z;v#MPZUD*$cg`RZCGJBB>o#OhM)WMt7>Ht_2KtiOxIq18O_{Zpz_uNb&09SG#yiS= z$f9ELEE06v_q-7+9KA-drzdi~!esIiWPk$pu~l}BA&rqCmdq9C@<}7wtaE^asfZ4W z>0EIcy{r#+uX`zHZwLFkyXA$4_3ctVp6?tvvsN~{NW0jX9COCHBet(KEZ66qIKVtF z4OIIhh>ph&2_w9LkeX>-gQ}XaiB;Ft}42Pc84klE`Q3J32D-gyq%V? zZ7ripGsP4`X7Pm>Y<6B7q46Qoh$Lq;2vK~ZdGZm4cCAONpi#FDR^dolE)I;$f{6Sc zV-;mz_NG92X^U75)~z<~#VfNdNMI7<#UsNyL-q!W_c*f ziR0UodAZYM$8r|j`kDu(rP1ore$gr_d#aE^F07@%018qlf^kNOfbo?k$$GM$y^<{JUykdYqK*vN>R6be#|!r29tC-1silqk%G6`cpxQ^ zg*|Uuy>v_7?%e!#VTRx3V4C*3<|<9(Qg}(QQtFrgrosLStE(W4WFP*2guP>%AX>Jp zo3?G+m9}l$wr$(CtxDTQrES}G<;lL!zUS=KAG-g-4nis$H|)AcXun`kv3n9_3`Z!FO~zt)SM? zn_h%kd$O{K-RVnXgsRQtWm&uHB)A#da2mTnOK2-~>iE(#VlCf{kD;SbzyxND+*O)q zo5)PW>p^NnW+6{aD`igD$E!|oW9V$_E`^Yy&w10eSS3&RBjs1}8jz$un}q6oZg zVq)x5F*8FcLx4kM=t$#P(?FFOb5+d!a~LzbYtrwHi@i4ZvKYx=p`v<;t4C-KXVGJU zqiMpkXJKfdmj^#qJXBa>wM?5GFPVe0Y6!6<;8CkWZdT|nf8^K7LN}@qn;K3=>sUH_ z?q$c&?^g4WW+GJwTQhLwI2oK+xN|;OV`WGrcLX4TKQ2mb5^(R`*r+P^HIVao4R_x{ z432KQtQOMOYYbLYr|APDui>C&$|)0EuWk1>>rd7DsGkF^v1;8`G&{d|D5`;HLx}L=P14Ue{B%OOS~k@O+m1#%CkKgoGz#rLjVP1 zjXw>eu{mq9E4Al-qqdE7Iq~rb@C18d;wwG8C-2!w>rv$loE>|Nf*e3hFo9UwB#>p< z5bWnV1HRudNF@bgBv4EFR1dU1HKN&stAv3goq<-y56g72{I^Q}$7C5eO7Y)|)#!Z0QpaX}KT(0~fV;CwXwm z24-7HVRt95_P3Q@f1A@Tw^{gdukTDR47_u0aGv3%F&HfNhokF*c26D}#^!@#fHu%UNg-miOnsf& z!JO9d2bE7bM4upqX*p#4U2m~mP>BZr1L-~_$~pYe^)E7XN~S%e{1GhG`AneYq02Mh z-M939oP2(nPcCRVU;7Joh8Z5(cgre$>3dN9_rKXR+@z7P*?wHiv(W$bU%|xK#PQ$x zj{m=p`RCd!V4>-^oOJ!M4ichBoG%AO(Lr$2X#H?n+#51}_>KzG8=pIF$;MKSiMAME zmy?hEXmM^`2Tm`W6;8WH8PCUpo)jzbw76vth#cqj6VeR*TzMwky5UyM;b(pxE;-tI zwCD~)#GQt*N>+Kr17=c2^Ovg+1ImxZTblE#a%6aE8LfEn0%e{6(+?g*MBz@Dm<7gQ zIc0bauawZ}?l6QW00I~_b=b6nBm(Vy+f!3AaaAf5#`KER0QzajK3TfimC@e}9&Uag zPWG%m9B;Q5qpwRhUw0ojB7XLMUKze_uD+SS!UmvR9l#FvZXxh+^79jmxtHC*n^;>- zamhH|uV)L6@IYtErU;hY9Hv>?T|o`(#-bdOt^s6lfAZ_ zHI}!`w<4)EfK_r!6pc57K+Dn4Q035Q7sa?=APJ5GLJosOQ?W@3_X!HBLOzet)w%jb zED^g`Px>El>j8L?GjAmq^^c*%HYtK#rwl>u0z;hE3J{vw=IAc_w*`xePc-eyU-3CC zyY*8{l@w8ukp@+xMkC9s|=5bKTIeqdGZuSneQQbmoS2UCA=tzfL;azOU@_=&Np zq8%c`$MDiF7xa%@W*HUQ=H~ieIjp|jgE(`NI%h0c1Rn7jn6OlCg?`alp-N@KApVW_ zRodyAEd~iMjX2zz`;+IsY5|Gorcw<>l~2F9;(GYnLy;wnD)O$P_(#)wTUDu z<%!MP4VPjfDTm~S&uJYz3yhR^`@voN3Eun_ExAgB6Jhb-5!Aoxv9)a2GqSJoadDuz(DWByZN@ec$Va62+4_-JI5bQ$Y3*@_0i^c}o20a#@ zh)9V!$%*O;Hs6*jb<_-h{RD5*QCcvdLX}63tHFkb68r#4&qOG=ZDXVb+s;!iNK@6B%0on8qQl(Z9m||t zr23xAPGW)v*mt?tMAzDEd4*DS+fVK_sBAm~u4syPLXDh?Kq@VRGGd>Fh2uz@^2cAq z1_*NGY-~nRujV9ab#kC<^Q#)vEY$Ru^xvG8SWZtu?7>dH zvynwOgckiC0ApbqlJCLPWi zIVt1ynAT59Bk<|Jw_Y9=bId%367Gz(<{qwOe`VxEJ|MtX(sj zn(=jOks}HW7~8F-9bFh(@W7Fnh0b**f}w*=t+(sOP0!oiS`3(m0)1<*GtKg}0nzzu zuj2_sD<}ub@nVTlfEue=vFcBIZ!1sNvm^-&W0^e0ALc~Py-D+7Z0bV&4Njhqq}HUh zLu$_(WuSKS5nlL&RhjcPz`D7PP)QEM`!pj$pE0AyUyS@30`-z_QrSlR zknzTE?Wy>d!+Re6+5? zwq(1M*3nz~JE~mo#-N+tR1MM>$8|w!ujwjSnGrzng0?^ggKaixmMx~%+W&-)8+D<< z!1_gF?0+mot|!6G+>idg+%bQ#XCOP-TH8*R#B;sEn~SnX-7^RRiX;2o+(u9;)Z&fSZJ!=-$%JCVVtm_N8S*pAETb(F(pGGJ`s5fUl z?t=$op436N@V-ju5V|a5Rt}lQOdnRQn@UZxYKXa8jUT{2=es?wgS^_$jw$zF@in$4 z&PFc(G_L#);PmCUz6P*t%W7m47zPr=VEm(jmv|T}FxXH4VbUn8LWZKmgzWBX@6BzY z6;c^!hc!H+e)wVgy*4jyuMaY+rU(-ualBPwT6ZhXa=a;rJ!2{@{ zUOf;6Z65M)8dVsQxU>0m?L1LLqc`zDgAgx~%J?}jQ>;ZzhVV=5b$t7Y-F=x}(f{pS$taUcu5Fen$bf>go51}O&XnjUHcilK`nS~eh9#V^jGrVC0ij!bE*i@7v} zc1N6d{EZgwvFP}M;oC0giFT<<46wEEJWa9`Pm-t5I#p*+~vrhzq=$vNPAGtswiRNeZZ&bWC6S)R4ly6*S>E~ z+c1x<4S?|)L;EZQRw36y=+spZ*;JT}{4rVDJmF!eFJv*#-z4$^l4oFnTVZ^HQQcOJ zIJdJFb0&-#R80fip7xgOw9M{VB%|3`HFA%`vtv5=rmEiGf;7ov$qa5XESnuP zNu1GN4W&|^P+(ouxdySg*x~E?LtkgO`9)lgjT=|xGKGhWExcb32PakX`l#o#yvGTl zjg?Sn`o}qwt z1?6=DeK{+#F8vs2pg#JAL-ofZoTo>5qI|1np|9U1>tVd*XnRi-2rxVdx6*-OC)Ety zI?!87RQ_I&+aI&%BD)h{!R>Lg)V4ekT7uJ!X<{`#=}o^wYy_)d+G{I4ogHnk8|!;5 zZtm!O4J`33qs_Y1F=>QanJG?rIo1i_T!a*lndN)DXfs!L`E;AbXU z%372euRKt`wMY{jKsUcOK7D>eZ2w!7mo&3DD(+_i4MF&?AFd|O))uB7|63E^Qd9WX z{^|SjyNv-0$NbHl$~eudd3i$DOY7;d@77F45PHh#Hl9%JfLncL z01X$pzjp8Hyg9J&o1t^Gogp$+Y6<4Pbbh8EO^Rwv>+KjNCqH1b+Z?}mxGND-eT|nb z)8zK~GTld@kBY@Wbzs)Rf3q+=Sk;BIR*d@59oR`wh$h8aY%(Uyt$MuyY9lpp-Wcf9 z=?jyO>UN&GQrJG=x*cbRH-#BaXO1VJnU{q?NInxMHp*bOD2u9sYn}uz z;eRnmxd>FV5CUH0_=A%R4u$?AG#@KY2WSs3PEsCXKHU}9$wI@Wy|3C|elX7%B>EP^ zaHIL}THT^C7OsPo74E_q6PRZ!*|5H(K3c^+&Jr3I6MLw$89tzl$>7zC9HnWy0CQ5K ziE_@)o9c@zLk>KhH%IQ{wLw#9=av>$*nr4`QyP|IfY#M-vwNLYZqF_W(nTU$F)?U6 zJ{TS^>tYi(7?~Iea>THB$b2P(v#prHC7^nyF=lRz@U~k(2&~1X|MJJ`LAfxlh z_aV`pzF6|YlY4;+Fk@j0B$jN)zTViR^f>>rI03pU|xzPs%>_}!nvOh-fey|NzM`` z_9W%}D;Vxh0__f6MPLs1#fMX2_R*=5oTSV7*?lVp$o(uB=P$<{x`f|^z-;YC2g~1) zoSEgmEVh78gYK#C>lm4?)k5cC>Huh&6St0KP~*x(Tf=9#uAVOjp5K2rY~V7HD$oo^ z^2;Fmm=QrG5mX{n$*@B)Sl$dIJ4E{|*-ZYN2T0&%jg#>)13emg|H_SSH8f^R?nR(C zxzRK1>m3f*VdJkosCrbxEF$~VO#S-sbn8!sv$FP~GM zHqYK}X-(DgF@?QN9Qe~Rqm+{nACqwT$uPWoy}&!lI8MFW(MJe2CKz{SLyW zSO$y8j2V}n4*Vv1u0fj3roorU(OS5jzjJdAq=?D`;)ta9T?Es#j2VE66_VdE8gG5% zkw=(OF~rR1wmhKU`Bo8agoc?)F1kL%S?IK29*mSBcjZrK6Pl*gxNOP#ZZ#3lpT^+V zWYh&WON^P{k9H};Z7uFfjnOPlV(@EKW7z)9-37vjP&KVUz9`YZJGyrFRzpow5>t17 zB-0tgwi|~r*1yjd=(c-hp^7KEH4R$}Q}`y{tXTJ#d<(6r*zaz0FdpiQ(nX{g#!QtO0L757o46ROSaoKl zSp@<|(7424ER}`74$3M6fE=fiCLI%sbbUOy?1v!K=v>v?AioO{P3Z?`6hsuBZ#*iY zdQuc{N+&VDPn?m^06iyaSa(mlyy*+N%BTe0!zJ`PATA+i{%BcS(t?Nt6dw zxKn7Zi8zi`(0IxD_Y~R@=xJ!#kCo;F^}p5S+gcd?@2S4@KbhzsRly{i?3!rOHH`Lw z2HhgjbvUw_U&mT#0Wwl}RPc#4pDZS6X-;f!dZi@@TsRb0JFCO8}=s6-j@shP%UJm?7~_C`xu$QQ}uhetrC zz<{=Pn=S&*%dQi+zOJxB{D^Kkd+~=y8=3e)tM{1*C~7jIVm!+99-#Of_Jq#wUFclj zd`Jd62|tjYd`L#XHs+ZC0_c2Pf>r*zscwcszy#^jNFq6X3R(CNN4ETxVc2*xgK2h< zWTialocJ=zFgXiB36nr}-9(9%bXiTZF7aD11AwEyIVT;}ZLX-qmNhlvF{78QFASoS zvt^3vK9YIu28?n6*`NaHo4aScp^?nq8A@F@7p+VLB{+@Ls4Z=+>QxWcq%#ol<4GIr zfuvI!>15NWn9ty9Am;mJ`vfFiIXsQB36I8{<7auGc!Buss3GS@oQRk#H9O9RQuD!n ze@>mBH>?dOe?yuMI1jkTdY0+rpdoh_6Qr%ShDdgD_AQ&W6b04-Eb6`k#it%~88)63 ztJz&2k@CeH#1|!PxC92K<^T`$Jyo+ghKEiC4-vo@`$TB`MnbF09fzlg=i zVtK`=$}8IU?q9Dh(VlPSpRKmtZ5LteKpu^~n$j)#GV>SZiu4%Gg~=4j?(HgBCM=cG z2Wl11ZnYHCOUl~;`RN6mTAuI0i9wpds;pp zZCaD$^<2p2WilyI-L8^!E;~@}RGuE?pQ<<$)5oHNFv7E~1Oq=s4B8=H4L7-m6v;sgQ2?X9-JISQJov zQx?0+uxl_Ix`-zIE$Na9YuwahZ(I@e^;O87-9-;gInt%m5@uE3md;8Jp{9~yi+#^8 zP5y2Cx5cd*nNI4S9u$cQG1y_bO|e`SI3T)6%(81St2e^I)C5-B3#i3D?#(P6FY%km zhg>YmFPq^zz7kjQQ?IIYh>K--&|gf#pQ6*3lGFtWLemSuMGDI>;9tMoHPAwOl=XKstCl7PdJwck@W$Oj(iOP|WJ41i z8d0D_HV<_NbnayB8yGX;p>^!1;97mlIkHWAHTjHvBcb5L%Gl}geEnkM2=C}+8D8_S z%HhQLaCmvSaCinGw<38)EMlYn?wwLn8b#dbaH0OKPw}%a1SE2f&xHz)IvaC1G_a%? z(veo0NUwUmNFfI%8{Zg_2pY5}(#J^SMyGZZc{~g^GScDV?T-MuU@Wf;*;5xAEXn=r zlJ%=BO8Zw8STxKdSE(en^zM0y{ISWCBjyBo8L=a^Q)nlc3kTMAPNFVKN)mDBXfZBW zL`i-(hn$rsi$aigM!P1L(IUG-#~_UfYc1NVx8OJWqgYpMljmH+pFi&=o9`HG#bHBO zaA4gXFQCjc#mAn0TGnt#EHmaiO^MY8)bV^BQFIov#K*Xfa!FyTY)mq}$=b^2i{ZU| z45~0f$hgsgzHsRv%LVhCQyXQ}fx@0LVlaQK2^6KZdiSnqr33b{*h*@mF#SilrLSkhTFW9hxHiv+5+evyW$KxE896fZ%b04=2|| zf2$rtK#N@7^66AhJb*DQnZh>04Jkb?GaqipQh+ zMJHZxeeWs}MXLU!KPyP@J08&gDYTS{4oT^60t=EmoZ+=25hR9U2w+;Y}i9smzg)N$!7te4|hKpW$5kJFNY6wA&x< zF9-Ec<#}d>e!~a6QFa8-xMfF8yr0g`f4?%^60{rLr5QO{^33scrheajc*fd6>P=%h zWCy;{92p@=W|$WF^5uRg(BFUfPJ9gVGB!to?<)DC-T{<);E3lAVK%w)P~2G^ t zO9FE9sn^*eyekatV_wjvP2$O*@y2-xGynkHziDrl^7TqHz8}10eQfM>siDiw?0nxD zyl>?Nx!L92_22$|c6z_6lA~wZpJjhYj!L*GcrSvh#^H}E96QBn4SS`tJBq zPp?5(vW+Fb1e%F7wYjHMv?3Wu{7w=MMcJJZq{ajgZ#OVL@2N3>ExLHkd+c~_0+RGG z5m-tBrP{Ptvd$3`fnD1ei9DGGLCOh1qVRwZ5|g2zH^_FhgdBa6YmTlVc%{$&FVjpV zic_vjRnu;o-g_8)s^;zRVWkBrEF`U4GQ_$=L|AVDLVdwp^In$U&kgYpMwO7LcJ+As zrRIXi^y!uG{12eCBPGaVNH*r<1h)>bD#w^X+$BAScQB|sv`GD)nUIgyu^VC)yY<;X zZ)8sOFydNuG{YnMAb$rw|A0t!gM>>l_ezN-(UYf*Mq(Tyb)bmO<_uVjQqU^qdnly+ zB@I)4Z zeL&AxT!1bKb4tZF_&C9ha-j-6kNz=mLZ@H#rmR%|N~$zS)Nn0cG$PvG#hp|A_m!vO zHWi_AJd2`6)W)UjYIJVjsFPwf`VrggZxyW+(5Oq#Z<#}XtB6yZaJZ+cS{JvU0O3vs{7w8lRLp86pyWjbTf2no!u>#U7T zP%p-&blZ}OwjD;homa4}leX)<+Ur{~y&cr9-|yS(J3V!fLF-A))t;MiON=o2+0NNN z2v#{j`cTojWtDSAqX`vBFz$)k4Z1~(E*bC~t(ljmW>G~lbB#ij`ZGx zjHI#qS0f~cmJJ%~XO4TTkc~5_XFuXapbx)6i?Z<=%34unWWct}(&YYDWEdh}k*R8} zwJ2_Gsz{Y{23kiDecBXsd{oVf(~eNqv%?elQx^T^sHBBpr%YVZRS{j0Q7`9S()r93 z39s&y8^$#&@?e%volygVntu?l#H#o;yr!uBSrC2=8d!ai75=qbBYcaEuk-u&Pf$)W zwUeHFDogTWZ!%(m@t2wGBro^~S22p1K=aY0h{`%|XPl6bv~3kOE}3mp}c$Vq%6!U|~1tGiBNfR+W| zLdbE(SeeSb&H2|*EerB>&4&HO?7E%9OnkVdV0Gnju)6V1x#8pPUSlOcN^F+>aR|gL zUPmLk)28UKo#AvS`9{0}`s#|!b=`(6SF<-IwyIQ&z^Y~K6{Xse=Emoq`IgqJ;u0kJ zEl4PCndOiqQs>3B{$`(p@CTsM{p{pmo%PRGD4>eGGV_L8%~lM zm`*3U`x(Ywb-F0`t;!EESHo~*Ch@~rdOFa*2R{16SQ{)r^pe>hOMjlgbg)m z9q98{V-F<`%)^)zvdVp^YM5)P;dY(*SXo@Jc6=-kUl+lx`RHvvqPh{Ca_F;6aajtq zD<;>n?eCo4fAe)DU=Y(}0RsU1`pJy`XTFH-KjH&5|5Hr&W9UeMB?hzPkf`^)Ewve0 z1|43e;YZ3Jd+ca(Fx%tfO^pgS87c zgD8v4?_+Asfl8XW8a3%itLjZh3T4>^D;D|m9cf+BS|oudt)wB=Ji6k&3R0>SG*_8u zS4#yO@5So;&yK39f0g&^k%KRpv&VM-R9s9CTupXda^jD=)!mVg&pz$jS3n2c!BX9|M1f@lZyb|SRiS_evS!sr zRLcmaF9f-}7~EQWYb24_r@)#|tj`fY0GDbjCVr7{J&N^?J?)JGXpvEA1~_|+UVi4w zy3$zE=j16fAv;tR@U{x3*YwNRt1$N_lNBX^78AH%=i%zpGxLH9L+PnAlF=uKev#}FIs~{??&2!SG z<;uJs1JfM(st8Cd0w^Xm@T+dYlAiq@q?XDUtUv#WGgOFp$lMoMC)J zC7zvkkzXRJW{y=euxdDRbW}!(-}{Q_ z2~m58ee4gQcd2sGrf)x|JysbHR{u9yQ$1Z)x|W)Es zyoLFvP#-kR-q-qz9}AqvDZpMVUS7dwt~T3FD!>{dC)s^dhi{9s#F;W(CnUIRP-=R4 zem+&ksWER0$Mx(zO^x1^&iq_xM$)7jIx|*%+T68xq36W(ViSr~3CqCpIc&8M)%g4J z?W}_QI4P)uz?Ga%OgQuU?(^W!Y)mN&EP2@gVs4fSH3k4*0x8f$c{Pc<1w=3brND|z zZqY9>eH+%naV0)TNR&6F*9SLrZ0aCAfyr)?8r*C035+4(URgS|xHwdz9MP9An#E@P z5crvaII$ldZ1Osuf89viKzt?jJc}D}&~x>e#g9WZ;AZSys0J(wE^)e3jEX1W%Bzr= z3*pOioHL^%FDHRDh%N|$vUY_IyNQQl&gvsUu~_IL(ii>xv%Iuhl6N-eMm(I$ks##* zeO{bblp_+Qv;=wF=keb(>ut1ghoc`96~d3YLGT~@b!?rC|DkLs|KBRpNcby4hn6kQ zV*YxUKDv=v6rnj629$`{m?KNYCa}XEc z+VDb!b7NN{W?xFwY4yNn@usA4;u7t^mo81pYzQTpbr|SZxzftERHoxDX8zlHhK?4| z01=Zm<6`Jdx-H5>T}lfoUCZ*Di%{ygghe`H#gP(j-heU)&vK2=*nL=Mv|hU+&5+YU zXDo#-D-PfD(XxYA_D1n}D~|h=n_W3w^|HEdVT98Gq0j5K5@bJ+6IaMWeuonZ8mCvl z12KJvUX-A`+s{qDGvU)+;zdx)LO8p@miC(7_=#Cf{Rh-YMnC_kM=s{g4qR4*E;(4? zsODCz^_F9kCI>H&gHN|!KPzgM-7bo902u&Rm6xnB9J|}T=+GXxJ}&a0?UsECD4{bw zEtUZHM&VnQkg5ynHj_KkNn6aI#zr0yshp(g_GF3`oTveH$oBeKWIZ8Lx=*Cll9i4{ zsc>+k{9NKCEcdJC&MKA{!F;EhSK!x_LzWaWgy5AGtD~mwGRM`d0X8c%sH#3Iol8PyRv=GJ1!1d2|eboQF z3vBYB?@4~{0>>ZN)PF9%wRN(y{ReOAr<`2w;QuQp|7AT-Z845ro-#3R*-kvFlFhEn zUqYIFmM> zxk-b-gerE!h7DG$Ufj@nm|~-mjyPZ#e%FyRToC@#;&PlJ0(7zEEBrvTO^6#T%?V)i ziEQ-|h%J%<&(MlDuhpH=VX*Cp6d6Fj^<+)xeIrZwR&Qp9hxhZktDBee`}QQ{`#>+} z#f&c`=lWpK=6!Huk}Xh!8!eV~mhkKY*1f?WCbCewSm$P5lXolwTV}2nU$Y6ur!DB1 zxXu$11MKCu02l@`VtzE*f)sco%qspkiu>4s9ceg9_pF}(GE^}>g*d|qD2;rJbm=67 zPQb3osbnx{gnZd%deEO!4rShx6Q<+^8ZeV;d@5|Kft-Sd3Y6N_c<)GMUzYxdL<^dJ zDZ{)rB5TCFqF1O$GL&tMX{tLou@H=BxUpU9@0YJm_+A>R#$1f0LbfX}3pCLs z@R!(gaT+48J0vFJBIhKMa<+&SXITzcjX|AqaxXhi8QR6=6)UYPKBa9Zc+A9}6EK-L z;;u%x2{=&IwRzT{_e)sT`Z-h+ISkL^vB=XZI8J3Q&dgPqW0P4f1X1iQuu&Vv_-prz zX0|lP=@nyJDb&pb;A*I=W-pT;K{6+BJqR&9syWCwMrsq`tXxt|676Rj$eqBQOY#I} zN47F#+#F!^{C3rc=jXEqKxeTE0PnmiG9Enu!ey&{;=7tbqVSXq0MO-qi-uW19mAn? z>GyZ^NRl=o^lX%FB^l}>QcT$#Lw{NL*UgCXCr30+y5u~1KAibyyH^x}oZE%2XFJ(a zf>({q-^Gs3{Z+R_ZJiVrsXvkhj=bQ;q44;0yD{SB1xTy~@ACy|Q?lek()3YX16)+} zDw+N0CXsZzJ%3qG2@~&V^`DxQ*XXwdHfh_&*44n;NvyoDvmRhglg+e+eD|`=nu&i^ zx`|!zb+XGMvp^4rYflkl$|ho}YANJ$5#yD0!*^e7GYKk!c1&MUih?9u)ilntt5Iz0 z%F>MXJMs)?@@1Mg+Lzk*;#q)WkUm@m*|<#9_;}PcTefEehPnXTJ)_aN6y|4sR>_bb zw(J(&F ziC%Azx)BpCGIWu4!R`lt0)&|UsGXAKhF6l<(YBD>F|P%3@)DlU@VK5eZJmm$ibL-v z^TC{*Qu8HF_R$~EkIMwuGcJNX>`39DGJRBM+2jT`KIlmz6Ra&CMu+gxX-Vl;j?(lj znrEWg3_gP`1*0CldLr#;EfG7*E$9R}-M#FAf|JT2^QIv#lKOWn`%Kek>B3Japcv-A zx*45Z?2Qea|1ocW4ApWQ3d$xJvzBb>yQ&OJPZ=Yi2RubU&ADL?seF19PkYC~4f4LCl zDFCJv%86=2%n#$*SJYL6f6ztDlGQ>3usR4b=iosC73);Pg$-6t3hpmd4ho*->#@9* z?`#_ld@XWkNAqrcoMcTMTp-(hXk8u5Y4xh+Mc2M-ebn$2SZRbVv9zu5Uo$|Mmctg& zt;|ti#S@H#))T6co1xbP!Jnl1m^RbbxC*gdGnL{ls5f&UrLn_BSsXH)uNmMZ$oj9{ zHdo}1HffbzJpkN`5{{`&g<7r51KqhTyl8 z<3z(<#0V%sL^nxdG8!WXC1!$f$I#`?f-CTRQ=3WBoW37&}VhNkAcc&pDMmR5<|0G9Z6Cz47|R1q|F) zIC&Q5v8Ktv?prdpH6v>?cN;Z%Qxwxk7MD=40ly`)yLeIQ-;_TGU0Y9G zafDbYPTd+B^td+SxU!-EMb!y5{Z_{$ubyt6YXaq_S2pp>zj)wQabZ^L-2Y7f*_1-3 zwlNbyWmIDKOZ*i@7%c))7#DjJ6TqJ*-2LX?BA$-5zUZ&&JeKSLDy~pVXJ^&Vjt#qtDf+10Om&C43j^}wlT zHE<01+T7s3FFxy!ZMkW03SLGMBr@y);kb!vNkZH9I;Nw~W5|Zt?NZ(2L>P$>`#{lq zVBBZ<%NWRJjEZaufdN2=J}#FyY#J(OrXN4Emm9@8UdK%76Q6M0P@G1XZ29S7`M zi)IA369b)Ksk}UtpS69J&>5Ai82SI@$PmZhPa4I(nrVSw_^ z9m_g84HBd-23bWul+Im>aO*R=^`|jLdR@5=g*Xd7lDt4*;pMPPP-IaT)1fz!s^Ltr znz_}Ci{{+{kzDn!fn2)-;en5kzD{Qc4mNoyw!h%8bMEiYvxHEZD6>xhi&eVRNct^v zcYFHSYR~75ep+%V=v$a%omNfr$aapeFoNIXkk6kKg42f#@(#8m?}Xv_rU!f8I*nK2 zTd_Em*@6Gw$<~4SC>FA$=r^jLvb7$4z>- zLk>fkWf)Apf|thuXqAD_j6C+y3BNU1q*^6niHaJ9<$qr$cOG?}xGTLq(T+@}T!XU@ zMYo36EnAuiXRq>Qso0q7P~L5w%?O6<4%Bj?^wOw`3EDzkj@~Q(GH!Y94LVG0GCMp@ zGCKjpy2oE@=rX5)#daQ*f}_qVg%*$ehvg8uDi&6N3 z;ZD-(Em=~N=JZ=Cbwe3~0ACq|`czyF+Ydofxo$yAdK7JK*SL05b^WqWX}{6oP2Z+V zYGX`=WVlICrEtt`$u$^lBiu$dk7i_O3_l4kdh&hbkb`clGrUv_!}cuEk-cbn8e39q zx84~0ts+wfvy@9LXFB~*Kp#4?z{%sz6a>U>OmZ;8JjsbV4J4O0Bu?K#EuQ$tsmdQH zcO)dIF?Z|RjR-l^0vT_&|BIMf8s42xNq`vJ$U@qY&Sa~9H1_GM%q((5hD06ju`jca zaJocZDY@j;=iHrjTa#(YT9ymFq-Msf;`h3i^Bx{sRCgt`#vx3wyvq24@-3w|HPTkF z45@v?=NMBlK^VIOYJ+qlLzfa#g&J&^Y_84^>l)H#NIGcBiu1tf9b-FuO>Hn{`3_$M z`$`Lr^&8vWA(%<%MR=2(5A*ITvefbZn{ze!qdhz)kxy$x-$H)n#EQ~xUag=Xc<428 zHEzQ%mM<2&Cdk3*vtk?1ZR5jqve42^fgkv+8K0{0%$M+};LACIE+6imzbTQ7l32)8 zVyQB-UOQsT(hX1rx`|nAJLqnrnIfKtLg=<13ak|_)k@VOcou7^JW#1*NhSOpXd3J1 zf0I>gz9yV2v{WH`O+|DWb;EVU@Bl(|=WN%T0V^4}t~+JV!THHN98inE8PsT!q8qde zU*r&W*F?T?la!*GX2wgkJD`U>_n?E@VE)M3a0aR3JsQeL>EsEjDW%v%suSXmd6q|R zRzoXT&eDa}LeJNk>^+laTJ4vH54QQx5EzvWGm50495Tb7U9KgS6pg8`5}GtZ7Y4h# zuKF)=i>E9+FI0G76sdD%l@`V*3u_FKy~LAlX!bVeBo;OWDmT2LfNS#>W=50tPFAK3 z_ZAlBjZ=I(OL0;J=DZH9O02*&b1yl=04y#v%(OqLIGRpQ^swBY`dUIic zo5piF6vIUPL%Aoh2<5)mjMAxwrA#u%CA}BlHmMsDMSbRF^|8Ypbe z%0IzM5;V&cCiv}883Vs6H^@iTGl|!L$s-5)T#WlPK7OZLbxoeZeH;ceNn|vMuAcY? zyhD@_0rU*3QC`0gfD=8aO*II9+2Ch^Q&k($0RBj*IWFG!AAOu0eAqBzs1rBxwSWC6 z+Ey~XZlPU3Q0u^wnu!7%8vV(A2*M4iQR#W`T=F^1ozc5PtvZJ3p4kMfJlpuiHOge! zutuD9hyrg_e`VwzOMZ#I=S36e$b@8_`>tv~c&?3i@od6HdyLUr`2qj)6&!vC#Etlg z+%=N_H}%HO=pP`OZVj8CXAtQp?NT3dv@S_I?wC2P!t*pjUKLU1o3;AWnV#Wjj)de< zARbC^)lvKR;|hoXQZbph^~{4i5rEFMeulTxeeYQ^krz z1b*~H&EDAqNFseE2*T6>3ccbW6oR+%;@Z?>!eN(07H?kv+N|!xb?KsEnWq%Gg^!5# z=VP#t)_k-H0Rs8}^L}`py0|fUWj9xOva)5wZO-=l=9CgaTriD?@es#|lpkaG#?k?85>>$+YxHu9sk}g1svtqqG2C&*M=e)l9~V;ymO|buMEqbrHgi zzos2QK##x&7z@cMBB`uVSwC2x@kTD^30zaiC+?O%`2@V}n`SyEA-l^xMB$5{$E!mom>P3m3>Ph%KjpA*5n^YpxpH z3IG!a!MGw!8S1OGUpNwq3Om7IdKPHVNzG`AzfVBoLFt|zSU_24mO5|-W&}AuI6rf% zSrl09JG~SU!I6gjk=sG6I@35V`NM3CQlLU5#i2R@5!%239gcp~6l3;itf4@!^Qm!M zk$Lw`s+VJLS7wI(o%xp~TkGjMZcg^>4LZC`>RE51yTxR02Fbqjhi0dkHm`x#j-m(H zijxLqo>cp7vxGqJxPv$9L7bRg zZ0>%}qWY+MtNNNfz8ph|R=X~)j1RY)tGfl-B`NA5PgZyG34!TxYIx0gcGLivCAzvv zinql%&NH2e(v5r6WiBMzc{Pf==&4Oc#!Uky82j`q6r*`;QK`U(PL5;vPq=(64<(FV z3|mGhZ8ld=L6X&DhIfm@&RH?`IrW!@!{Pl^2#_!zLy#J86;N3xD^zCc)kI<&oH*?w zK>ei;n!l%V6drP$%FVK@rBHseJESA=h4iQMis-Aw8kX-=urD6}aH_9L9EkYQqBSw2 z*C%TpuvZlCtZkFU-ZZ3>OEhLbClw!bIRVu2RMqPB?@%29Gh@dZ{U#%Gv{mlJ+wrH- zJJsyus`yF|%ayp{)+_xbJtem(saJnkgy`}F16+Y)s`7rrI6COiYW5nnhOR?jfk+x=G2IbMP`Zud9`Xy-jtl?Uo*r*W{94F zDCcmy?M>#xw!ntwFFhzMzPZa##H?&Ypc9zUgK1BZfK(>OhUJH`bLEWQw$LIa(F7bbcY6IAs@0k=9_K)$cFUcI7@Yz^+6 z&O}-+`YEQVkDssMEi_seYXV=G@z*tYp>Kl~bR9^Y;nB*uCcvh$Oj(9k%3+O0wfwR~ zHH=TS(r7bjy~@ca;xV}fBGng0clNeJbXQGg5AyU^JtgG>Y8RU*>Ul(hY(F3^J2?lg zT+TLgN&tHg&P$bZR?K8SqgZSp$i{9|H<`ZCm=IZ`q+2$^mTEu{C)so19KQ4 zCLACw9thC=KZLzwcPIdpgc;jTZfx7OZQHhO+qUiG#Yk9#y15*!o)fDe=(T} zVIn59x0&gm;a4(N6|*O4xDk?hY=L}tbfPSdFF8I%s93>`RYvg3qeK#}ejNxkOb6c2*sF@?)qK7xf#d#aVq@jlE!W3yf z1j3n!`mC*M1gRy$<`+Iy5v7mI?D0t#C5mJcWzoHvkCV=GYxX{wZ1E1 zYu&u9#0#EScz+3<9KpZ2y~9KP%{+;nB}-v0fk?~IhXy6Nrb?fwpmMYI7lX;4c>k&A z-Oi(MwSTW#LFoUdp8wDP+V%hEGw+|@Kr(AFY3t)9o(m&{TyeHR9-^%$kOdVjG-_=m zj#oxnee&DIsaRFF-LAor*B6MFKidAMo9mU($=8vQcoP$@gS(5!a_cOC^dJyVElxVt zZEP_?l0lMKuip>OKX(oU`+XP2oRFE_%fZ9zcipR^?a3U}%b;byA?ehg+$m>#HqWd# zFH07k0nETKS9A_x%OX%B=M$$&eOXxXs z2)A?QL;=b2*LXyDXdiAXP1}r-l-!O~J{s>n>ne3F-U`Q+|aJ{Sfow+~}W5fAGSD{V5!%7YRH*YcLR?%@z>62)!e?P6F=^k)UMlB`@MX>VPkw z-QJXJ;PE4YB<-8-Ij16jpkf4~=}s&D5jFmVGbW z&=I^2?lq|+eIjpeMeisdeE%@Hu{S(pyxOxCs@~c?TJ)cyFEQZ{SBPZ<-A-da~z#>7it_vp%mvQv*oZ)TKJ<4XRFBlqPG{P%r_BQ$JclC#l{%jG% zIJ>vK?{8mypCH)6#TINROCOqQU1)U0qcWCnBx?`SWO7VQH?MLD%kQ08zzyNaXgt7_ zdDk0`j|!BAT*UXL0d-V`58*)RBwul`Vm_kSv$)Vf-BEfKf^0S-2*mz$fohR-yQM7! zVOTbm%%Mmx3}E@ZxsH_zPG_A*nH>%tG}`=vM&))@vSUss^ukN9jD_)mwiz{bBB&Pp zr$FKrahMI%Rez1qv^u&`WIuLn-aou0uql_ayVICOJxR|{Hw)WN8_XW+>Cr!mvklOI zZm-Z_C4b~4#_Noim>8lEjnEA2j9h~pB*iC+1BbQCHA5(Ppw=u^nSlY4(9Rb5?-A|= z>mig{81&eyHVzH&m=m)@s3Gvznc3}6=ooF1%jch@OV-l`BsGRtXz!skshS3qt~vS9 z-X72A1^QQmbp}~AcPp2QTTs5K#>L48+~tr{?)j%ugH;|hdA$(P!iq8K#}Y3EbcRHR zFoVIor zK)dZxaxWbiL6@kNQe_$d>nz$stELK{$6K7NKYJK90b0S>WOEMRr^%Ny8&0-$_ECZd$a@W^s)bHex_6>Uw}nD#Og;HT6)>=aEHO!@^KQ08_(aDpK8 z-wwZF{Gsd;5GK^uByRYa125(6lA(Uj2);oere|JPsF1I0@6rXe;r0t#pg)le$ZtYk z^WfmciJP6-&Cba$oP$>qoHhFOdUK>kot7h@4WK8Dhx{BozKx%gs0v9v-&j`HcHHRU zfUip23)~5DKb*#Y@Z#gHVpDttU$KaIs@=xc!pA=Q3rkg3d5L*-Z*br1YQTaXG%m!u zVl5ZC&M}Iomr7F#1StHAa#H=SJ?_QucwEyI$yRY$=7hJ^J-ifY&knqotxlt$d#@Lu zbICo}fGb_{SfTb6-(ent>WipMa!ZWd=)!AF_sN)*RUgQ=yA!EQ+mxK=yBS;#Z!aNW zGkMU@WqxPCCjxsN$i7SHRhH0>`(iy)Ev<_NUX{5NQFpoZ?KR(fqC$nAwn}vb2d|QNf=^HptADp)*M^7NIvDm_tJOAaCPlqD*s8lKDQ_k9 zgO2k>WqI0~`-59~^g>ykZb_3^2?BgND1c`12cmhkw#R27WfwNn13Z2UM)#k_{)0rD z?%-jdRcaNEnL;z|z5OaS_2t4yTKV)XtOsLcy*KzS!{jExb4>hk=A^>L_<7ah__<#= z9dj@35Rq3Ewmd7g+{EkA{<_t}LOluGv03W>bOc_SckcYxi0b~0LjCWsGCNyqi~ljD z{(r`b$x>H!gUMg@fX=y4W{E6n4J2aP)EZh45l$^(YsnIFGTF_ao}wKas#s`eJg6x= z>!dC&+}qe$o-KFNkpyPDc6tSAg8M%)uW^)>tksZVUD2n7*LTL&;i$~~Z&S=qQ*IGfBCIk=xvnMU|N5pSjwS{S2!N?ETy z(e1K%avF8&mk8Io_oAE(R}76G1P-FBfI|;})4o*)=yk=Y4%i3s)hK*e4%H%jir_S5V#l!Do9%`a<1c)y;q~N!L z?@(>z>535R+i}38xRWoaYGxn9m%l@RFb+9Kq~yvl6+MTlQg2g`)Ypzz+X}MwIqq>q z*yw!x{PmOBXZMUT6;-2~`}fYj z{RZep#&zbUe7@bGrlBBe&EOt91GR(q98mHn^KHh|blw>vuxw0KMAdPYv3355;u=f? z2C^}sUoCP$+|YdS(ci(Y&l7KRdNoh?3NGFLH=)+AO$-*T$}Pq*KA}$^zIkoi)(-YI zY9`>BZ~>;DDO4Wef5b~@D?xASC+!^fIKiqA{$u2>SOP! z0xT*q0uLt#{}C2P=F`zA-QAlpdUq;N#IaQIhOi#*ElE*TAM*zr-0dmbD8PToKpxEC z;cCQiB<(FjcX4f{;0}8g*07+tktZSrZaMINrtPgWM=ytNA0>SzFwr{X?4CdjJ~W`3 zz5%Ujj0`lE9@;R2oMQmEt1KQ#L1|AI8g7|jTdA)xI(HP)v-bS_{x~|Df)}Uz*q>&3 z*phQ?O+19Cuo<0WmnV>e#f(LB$eC0V?&AaXnt<0Fi%!F2n#$_wK?3kp_cg(m*NQp zcw}*52WcPNLTV`+u3{;KgC7%5c4pxFMYi4YT&>%g>>`Alj{i*am_f|6|r4j-U!o)~JWg0U>ReP=omMzIV;wpb_h_+knzo`i7J*inj`H@9j+N>ve7gIwNH^|f?gjEldsv`6wr!qrNXMK{}17Q^Ewzx za33IDuC%E}-g4arF|yRORa$1`_j3J;6(y>bY>2&%bMzw|F(jxfz<@47#)?<~yqg zJVs=ocFs)-&s`pGJ};&0B7(Ez!hRtNqU3H8!}GW3aZ2nemK<|x#52Dn zd2$q84EbI2Wm2RbU!Q6T8f^WLqrN%&25n@lcL!{Pkli`-f9Z-HrNNXgMM*g+6T~z~ zFcn!YEt-iurd`$C;28l1DTt$v)+!OP8Fgd_+m+d&(T>F-jFo11F4V2)N)W_;V~uxc zI1$c~CP3=sE;O#&UHL&38V_+*4^6nvlmN9pvw?MCNz8adlxXf&p42osR3`rNv$#vqn^Fgh82Bs|Nx~L~HPPqNHN%X6Mfbm#=ss_4N4QoWW*O z0{&8j+vrD6(c<^S1V)SPz#8E{tcLt$%c3fLV+db&{y7uL14x;b0y%OlIo$%Si&Bbe zbV!lfHbUS&3*ZIzLjgg#xhtV&IGtu!Bj<4dUJ?sI4$o8?OehEvGV(oc6SCA67?1dE zm@Z=zNI~i|vM7_U1>3P zqu`O7$UPn|vcvVO(aH0Nw8QmDL^y3Ugk1@p5nJR7qwymgr?eyC#W^y8uO4pb&nKhM zy;TW*CX3pP9{Atf2NoiMT$Rc`q$RMbrX?FJIO&DIG1}dB+@6D?n4mtzKzluux{Mz} zrZJnsS%C_Y?YDitnej?N8Ur7 z36;~eef^#;J~Ct}dyv$9ps&DpJj9!&nc(?4^S?IUHb{XsyAfy6S_2|Df)oRMB$)R? zd^e6miU%Q4@Ql7xx|Bd59SwE@S0}u2!Z0xP#ln!Y=Fzbs3W5$xtcEw4;({Lbke^5y zWcMYiz(}3|%Hcr#t{^wv((~n!UP|;VO=?zxgrj6^>qz?#@q%Zs!N_q^h~|m*j|>rz zs-*8w98v=~kRv$@Vh%D71~4;N@8Z37E5#?5=BqC4Gk^+DnoC% z_P8TbM<&Tg^dKa->0ywW#>kBSW*|8<8W7RwCDqX!z-Xr|#8-y!U;#b<_#Y#bVZOly zDW* zp!{?;R`4M=wXs;JfPI<#?PO2DrOJv?I26W0g;$ICl^al8apCC1{7Qy~&7e$l6cRZg z#i$qUz8@#fcYV29Z$jwL^an-0(VbIR-067hKx#ILRUW^N=uA8i^5$p1P5ww|+m6~C!?y;E4rA*{{?9yuT&dnXkqv_DvK zpkSt2bL2A5POn?(HIn>*AkB{N^A+?T>72FeqsMESPSZOQ9FYSWimhhi^tZF%JGpRI zYy2h4E(2{y3W@vqiiOv;YJ+7_KE(jS!?EAjutL;Y|-QSIo@bu&ff!Kdtb+y$SiFnd6x7tyn>UGx(>^% z5SeoM2BSM^NXe;RW7;pn&3Q48uzd#OxSrn_WSv5eu>_oNq@muqvCZO|@;Wyg0cD}8 zCQ@JC=n+AKA+G*rti=)d*pf2IUeM~ut@Q$3)+$x;A)t>nuegw!)gR`>jGBDVtvQb1 z&4|6h2x5b(*jf_4q1r!enS8dh>{})ZG*lnsJ_Qb;qv*`WYVAWin!8{-+&*t9H%>YK zMGNqN;Dnw}L7c^{7Ofog&Mc%BW^h73g&mqPNdF)bhUt()%9N~-iJ>`XT*7%hIP~zt z{%;Immm{wp@1o9+ZDV?5!M@az%wv}Jp59@(+j@8G7*DizaO|lKyQ61qieyrAaO!C_ zJErH6f04e0*&88q&i>lb(0kQMs81=Y_g{tY*W%94muyu{dz9UsG^D7d4L>x8C{T?# z(-V8KSV8O=&fxsu%FjYAXwks>B;e*``)i|(|2y;&ct$-wNZ-U>R3R3EnGhIE3~fPrFr7! z}IbHHsuO>zW-K=vJ0Wh9|Ty$r)VfO9sy$*Bu5wEZu-@*l{$7K$Q47A7FG6(bvso=Lg=`b7NV(5Rr%h57UB6PPqce(n%^kG$v|^!ex#D1i5zb zm@nV?)S*r7kUh5x2;)AGK|`gt6a) z=q#cS?#LO!6Unb%fd-ZiMWxpX=|?p=Z8ZcsW!$c7;A88Z?mrKyRlop>|9&%TIyC(=D>PxwE)cRCR}T^>B`u*g-M@ zMnF?F^YcXuz#CB9znEz}EQ@1yh{4~-r~a=x|Av=+;{4Ik2)vxQJG3(o##O(H^uXnk z!;e3-;Fro-F^Fgr#gIVj{a`)7_&-`5 zvHb=y^7|s@G`a!|zTygGkfA@06}R#;EAWAWj9vI#nW6*%t8slY;bGc6$np?`qeQrk zMXJiV09dzV3he@cL~FG^ZZQX2XL}anRyDo}+P*n5r zH-?1Km?q}V_aLGLZ9!%VneY2hzM^ifKl;74L%%U7RyoAx-;VLr?R<50(}GE1rM1N` z`gA=7Gm%_>bVV+~Idb4>S8jL!>(T9aBe&^#NHyd3ZQC&2W{1!Cb0MJ1>!>5zT)wDs zHlN>E)%G8+F89ZS<6hddIKJ%f_sQMQ#ilqnyFx3+862yQOJ=p5VLjA#~139a{G}P{UFyHrJuWVBZh!4M2`C7>D zQgH+~dD^eJCcZ`pi!!Z*CE4((tT@H2=B=2>zGt3C5lkkxFOsgX!}CEe7b(3cf|I!Ml-ZGbNmf0+%4dC9R>V^7_ZdTgV3j>;C23X|;N8P@7VIUP zH^0}fxX?T?paoptOuXud2){|Vgi7+Ac>IkEDWe)$S7HG85~S=noW0k5Mj)#x<9f>* ze(_fM1+8od5*~TBL+_t_=KMl111Rjj{vR$~Ac(=EqgN0C!<(Sr6ydWaea2vo{`;-t zfIQ7`BvSLLiNyLkqKO0Npwvaw)Qr++ZI18We`a3eZ*d^W6SjR(y#{O?PnEvKrXP6R zQ{UVT8Rdb91I#tv?wG!RP_m6h=EFf4Nq^hU$gNvlZBt+r86A`2BNPq_V2^RXKy;N~ ztHjsS!cq{uHOC$hhPEs_Nd@|n(75wB*#J3uaewUJS4Uqq<(}(WGb%A(Hak5i)b&B7 zMn`2wyYyb8OtwZkgla4fkUhU&lc(qW<1sE1yuJ_pfm2AixSrU=`&JsZAt6Nhz-zP{ z_t?ePvx(!(gkswXO@9E!7hHsf^!BdgDN*B4YB`_yBfx~&rpqBOSWNj0X~HSHRDzeK zd6SJgfY{IjuFrZZJEu-wQpyb>XZo>X&=*&cTlkYV9Vfzw>6_$E9;!M5KB!M;9_rQv zo9nkGEH^#y;WHJ8211^e+1T6q(X=tRN za?)~%_Mn)DgUT{&>q10m#)0MJxE;Na4w6Y@a?|LK0xdm1lzUFQELSFX62zzMR3JW5 zcr5fbo`b*I5nbsFREJPr9yiry>a-~~**>H!O_{*m7m-CQc1#a!mfwV&E2fateeVQ) zX-d>ljO<%y;C{0?>hp}k?EW->C;`M6jImijc6WkiLhba_$v2)5vkpcM9?0NF)I?wPA{W-T%}sQH&&oA1DtNUQt!0V(+UEtKhK}OheC7htosK&eBSZ@{61I07sG) zpQ$KTz5yLp6=L?0Z)(Be&&NN0VElf*cL#6fWN~pLVdcv+3`J>{45ROImwiQe!-DfeRta5t@#iB5vts zAGphPZiF$n!Ww-D-=~20(v)~M-n!@=+m2b%wa)jCmMeKLgKg;JEL0&dC)NImXd6Tl>Pspn+)UseJK@9#IhZgw!_;f$drqw7xi;G=-K3hIe`&j-YVF#oV{axwy3nnLe z?m5S}0m2qw8brTqkW00(1Je~;rG-(bJco2)+IVH_B{D_Jbz22G;-oGv+Z^_zt?|6f zx?K_r^Crl96IIYOC4q|&f9l=Yvc^K29Ox!73#hGG zy*O~<(8>pJXUVi5&PX!lA=ql%D47^ssd{tw^yh8;^WOxCK$?ulsxHSr9Urv<%o(nb z^yVZIO^Yrs+0-6@dJNY{D)N&^rt7{rFzKwvX+0{H3Wci@G;Qr!=G6)tLtubD4ldf} z9~Wu~$mL!H6ieC6$!k=}Zi##<2iwp6O-tx_J=rX)U_ZUM7WEM%hyIM~?i3)5>O5#p zbiREG;ZDo|U*&B3?*-1@!&3mrO4iBP*1x?8pT~LT1fr z$teXr8gmJYKa~j6myXdH!07N?uK{fQ7l)>=mHvcZ>A)27d_=1m_B#EPna6>Scn8|6 z|FPs1`X-n6aR+?8)azDcd<){Uuz!MqF3iQ9ijyaC*ptj0)IdoO8A_#m-6~=R#a`qi z?L!0Z(pS~llP~H?mJfQMw5K$$QobntXYv&{pwfsWGF%%1=dr0^Ees-=0!3O3BrxmO3He5=jL_mY=N8ov1n?)u(kE%Of{Ks}zdoEPd9dO&TNWIdefDGOMgUTc+JfKi?7=g4*)57q& zl0`)y&ujAbKh)zEs8~P*1OUL&pZ_a+WoK{e^s68LBYSnMq2adKiu4;X@h5m*t1X(A zJtz^g=`MLbm#OyTSd}=smnSACC=dq&F`10~{=lIo7Kn(=S$e7PMTCR_V+wlXotk?} zQO&Gh@eidzl9gwyT)r^tc7udO4ums5EBM;6sNp@}mVMTwp>s?!MG154!E7*?Btk|K z{+Axybv)F}ad4QgswR1rM82<+J(#A7cb^b z2J0T^9;}a~fLD?qaH-;#Xo2n*q5Wg|@@d%TMw(UzZu`2MBXB!O5cTzy)FzfBS2uHm zbL;*Q*aXY^%FL7PyCbV7x7!#si0o^B{oBJOw(3T6>+{#m71hpfZC1K7nm4IF>JWa^ z&&ImLc$5q3GYHtO{mJ%}{Tr#*!)3#R%kyFQ?_b+qxUoyVz?_$t#a_}|_^-hax0$TV z?WXOR#ipop-$tMA?SFRNPVWYXd`Z$@zS7r9cf&H6=dE~;oi?x0v=CxAM`ADv-AEkv z%r+dw;8?wcaqqka#Lkd~kexV)yoB_5AY&xaQ4DUvTeCw+m!z`%JQHQ+HQlj$JV|AW z_ez=eNA0u`9AkAZD+COWc!J%|2=eG}7H3eK$jWu^Rm*iqX5!EBhaO|DTMQQML}U=+ z?8MW*sMAvP7#yrfXa4r4j;H(O%j=x&ub{!AL$>R(PXX~SW{BiW&756_I|>pO%u^y% z=?wjN!IJ(Erg9GhLo*G_pcbo3b5)^o`JEQdyIh;O7FMe}%Ct4c;?|^l#P@eph5;qC z!r1gMVC{g#eO4mdA@1NBL4wdWX`F9RfjuGhfXJtME>y`!{=cksDP1%fQzNtH41f5t z`a>Sz*U%HSxMm>@h}Xo0_ypZ|AI#Z>H;{hW_fq|L-t)MPl9Kh0i$p=r;dhApL&xDF zh+;1a5J?+iUgXrsgCuycz19O51I)?f0-ik^M%`I8*Mq4#;bu-m`hpBZzW)}mE>Nq= z$xfGPT?aJKF98uD82}vSje?TFbUjLo$#)TP(F#GT7Lz?C5r>9I-I(|D@zWTvJ=Eh6 z8#p^7dBTw22$?60jfB~Exc;^W57U@fLf;=~^Jp+xjA+{`I1VXyBfvu^kMMH|<3KSM$*Y?Rzz?Cw=f` z&+?@%qI%S@O`O2$r#@&+q}*%aCeG&b&Wl-`h}IT?*umZ{u>N=_nSfCsWcCYHLK6gi zk;8VQA2<-R1{x+xTWr#Bv-lxH+pyvLA>|EvPBJita;i=Z1em znzIvQ#t&~w{seNB$WU0-j0%A3h`W=E@YfHWs2h{{Evzq(z~XH*FIu#%GrRi;$9lo% z8aOKj3Fu^(m*9Xm70kUQs^GVH?2Cqpf!?7JRK(W=x-VL6w_|hth{?+Pcoo4*n!^MU zo_0Bc$Qu#vi8UcUPG7*~G-5HD7IgwV-`ZU6R@uKTWe8jjKkw3)P^eGtUX7JtE#~ki zG0ep{ksXX&b+Vy!DUNC9CU0NPgtVj@?XVf)xY4`_7`S;}3$Pk3GzWHBG0_bjYPV?S z0mW|s?1}}@O{n2)8lCeK$(^u9s4gHy zE1;Nx=dnr>;buqP@B6B+J7YHqs7Z$Sdwd@f(g^BnO;J7l2La>u;EE`K1z73CYel*; z_s4enJ`T{3`S#-lYsIjP6@3?BXcb~MGeI2}tRu<*Xq_yFmN!}uj=)@75LZwOb963* zGcZ>(FLA70mkqJUSgGHeHXZ?Dfk#>WMXowwy%WemF)TzuO=(&tLe3a2ya_o1fUlGI zlU7Z*^~k%~bhJ`Geq(PHhNtUrp!f;NEW=CH9Mn-qxm9-yc|ptiD|8;}bzS#PamP}4 z#}X}~%Cg{qyHO@Vq6V5xL4~WRpkeK6N|=N|)ZfWeMY?3J3_~IY1*S#gq;c|6iUVIu zi=<(B)QR2JU{SH4gr>5`_WoN`o2@g9UZ`~YwI`}n`Lkj)a0{K8SNg{9#R0U=&)Us4 zmrP%-_%n0-bs)<1dSL#r!q#uqS!U{oc z)JYq?*+Ic(<1jgD4^?V~ga%`maWeTn9E`xkJbss@1<2jko99>7Kcz|4@b~c43Pxf| zO74y@>YVHyQp#8qbeN{HdmL4+9r+|jMmeVx5tGtBm688oz{+qCdn{-lWE3Kyef?vD zuWIfdccc(vx*96-PQ#c(oo$-j3RyavE5i8r8YX`@yXNCWBqTv+^!Bbo^B2vA4pah zuYj7MFq+*YLTu1S5~MXyaNN=+Gx%Cn&Wu$o|9O<)PI09t2^E)0&|_IKR4r#1%2?{ zZru|nmKRL%#m%My1!Lm7%(h&Wmf@uemzl-~XXGYxj|g@3a_hSVXPoyy5wWO{r`{&# zhcojzyjMD?(v#h{jqlernD1{rf&vmvuY&d_rBiHqoLd$ucNQ4H|GsWn?ceEy^fmRQ>J$B)w0lx(uz%+#SWpxQs8lF9`#1f zitcv&NAXU|W00@FZIa}BmU;iZ1+fZ@7+$5ad7>n%JjpsGvr0q55$`xA8D<)km|sjK z3Yv0OdWdGfc7ZFfQ|jmuXGclmQ{hj=5alaOz+g+XZ6PkJa8r2LTZ=a7cVJ_EhICm1 zUP1?UoBA3W%yp6R`jG^aSu-SqIoNohumiF(e{%l^a_R@K$<-++v<1;HOd+Y@O7uOX z_>OIU7?xm?v8egRpf30d;yq*$gcrQ!J7N(z+9H(vS=ej72e2uEWE1&`Qt;0R{XNRU z5qBT=tl`_+P0qaY;-Pn80*HZHt(J zGpEF2f#LQAQqVO?2{=xHSWFd3g|(V^pr2lgr6Y5}CYb%nS5nzj21yA~wB$jCB@rMj zP^t?QQhCwO4Wd2DNTQutk8%MMS@Bx|AD671XW}Aa{GPlchL#^TvM<;kaTD0drx`pJio7PYYU_VX;yXaCf|Wo7+NQXJe$3+UYFPN>i2k-2 z8r6Byt2;&gGxA76$gl{!W3Ucb01W~i2)UOwE^5X%9D|qOF6yVvRMHJ2P|qaTT_O-* zj$t%yBU)txHKtcK1;!z2b9U;Bg5{Coq9jyb#HXmt9f{0wM`KJ?6sU#4{@WglDptY? z*RWmTcux{_kP!?K6T}?wd0B{BaIDWcAuQdp;jKFG$3Kx)(YH5BmYBHTI(ewM3IT#q zkDvo55n4gJESG4_c-w!7T(%u$&vH&ZbzjI_sw{hKgd~DJlQcto@Tx~8Az@b7gr1sJ zi)xMmqQZ{|K(TclTh~(v(*)axJ2<=&7a&T=8iZ}&R)GvI5z1i|S;{etc z{?E7dF~J@h)$mW7aHC;-R&SBl zEAKxFfpun-+RWzD)1qaa9encVjc2OK8-+_ciyn>DwC+^Pb%j=m9W?bmOXvHu(@bZA zIbl>fA1+zG&AZ4d8NhByz_x#Hrpvx!NGPRZ;g&=!9Ur4!%PGjff|GQ=0FmFY9TH|K z26Y~f0S85xq=8;X064m$lm>(tETM%qxi#fK+dn`uWRub7%FDaoAQhGTCa{4Ze@xIq z@=$Xp&04B$MEie8to7U+M1vqmjfpmfU1mM3Di23H2Z{u1y9A3Nkx%O*NNH^$DOKk{ zz<@N2V{^EM15gi6_^2n5wG2-gv!Fpy#nysn7&B${JB4Xxqv?J+2lRIP0u&07?Tl%7 zpuzQ-_+7N^lIe&@G^pH=z7Pnrl+CS&mkXqIx0@=H=@e=y66LHrt8f-R%-XKzYHikL zJJz(&S<1|RB7VDLb9c+7y7n)GzPO7#+u+_JOBYHUL@p-l3)z{-7*y4vQFKk<}kKv}uTa*x)#|r!=G~IIdjJ@u{%ks3Cg|$4!l)7WW zyNay>;jl|M;<$%$dQ6t@@8gzQwq^@edq^mr%lmCKiMESdXfziQyA_|^Fhq#w)Mc%R z5MDd2AIjl8UboBuR*?Q43QbLItMs5cLR8eiP_zpNwKP6G1qALId5FB*D(r%lf1(=r zA&S;*j+E9YOzvU*cSNF%9^+j3?KT;j6VINkYW6K8c!dE%ge5xA`qE86BK7Z*28K{S z4@G{Qy&=+`zsDmcb!|PcQM#ykb4t@#tse^5MZ8&C{{SK9+RpKh8Uro^6^mh9=gSU0 z5*@n=he{_Kjf@kr`0*py1lhnFz!5#2Ty%hTrC zF&v%P{TDpWMXPp>pu!lvwiF3_o zNz$ELvc;BMWR8Z+5A5utrh7W!M9dW#_Z%`)^pzM5Ok`w@4c!Ulr{1XtljHGD!Na4` z*d~I`S$ie8+h38vFyY0K$Li;ltD~}7_`~eq4JyjBomnHJTRVHcQ>iVYf)Julq=!E9 z)HD7ljphOLEZ826lf%?GQ^`2u$Q;?G(_ON=eEBc8_4zn1#Hz;M8;PIFE#-pO%uh+` zlzZk2{6Bx3yhgGCO21Cr`d=q5!T;)UvNyJM`tOSFm&RtdDE?nvhYZ_C%0R`kP@@ha z^A*hW9JJ(ck|=ZbXcJ>Ga>oc3GQ^(zxHu z6fTvVquzxaI?Jvno{Zk|_OWNo(-#w9=k~a8LK86h?sXDCKQoRam3q_ZM`Q)paz8YU z4g2BFn(uMqBnL5eHF4u2dPK7&3;|cehv!38)fb;{-vup(iunKl`MGUTYTS$On=V?DjS#p=7SYDV%yW35I4Wc z{%u4M$mEFAtfpGrG&D?kqq#o1021COm9o3D6?zPkR;{;cSnYH8?Wa1jWnvzypffkA zLi(T=645#_(TKnCR6w9A9{i%ByaiaPp6FKm&e+MH&cp?&76%2P&N(EZ*6cbNw>lBV zQCDBGZ%>#dHO4{vV|P~1tY|1C|Keu`LbJm<&?pcPei>-(-4#C*DTP0(Jjc&JlkQJP zT_S9?3wWCdC6^%4MyaBxR(_9DqTZqaaneOnqMA|WA)l}2n6}ZbEDD?&*0NY?`l-?y z-ihkAX9NLkcFdfaU?bphpAYv)kNw@pZijlt{YH17T{0WI61Bhq?1&Mn;0gIIzCn$% z+@FeNk`JiZ`FMqb<&sAs_J|r6g$;VKAN42D;v9`FMWKmrwgmIz1^{CjZhm5 zf@IDPUMz>y*l%$)T=;_snB6RJA< zLINwf4Q2TZLren&!2R-LKM|Lf1C@w20puV_$C_ent^97Hqy?p?+2xI8s5+V{%6ztrbAhB1#mRe{%g&YuMz5{=p}IJWM)KyMT6CG; zSGrgH#2%P#L{EAv(Xq^Sl$szUg>FrQxL7{E`D~o3Ry@F;S%*%ns#G^rIhjv51zKGw zj~l0_9K3}6moMIU_5ggwEbU9*$MGJ+9@7?3fWr4SauV*%)`;DIC}=<5BJM! zQZ$RlUsX~Q`=JHIm`MMX$ywR$(@x)!RaoF}^T*>>v}J_i4}ETY=`L$e{e5Bk+QX?{ zuaMM3*)H_jEXL;6D67sLkc`FdPCG|r%ppv*3!{3g zF_XY>@Izaa&z<#wnTsTsVy#XuVS%>JZn|1w6kMsldpQEW(GFIv7cPzOG z{$CFidutOXD|Z{~|303swSL?-MjC%|dJUj`CUtxzB? z0CA!rElZNdUcR*TW~}R2ko3uTdFk!Kua=b|E?By`_V}8*Hot@vmNth?KCK01%E1K*}e!OHc8v}3wIq&MfuE_ zN^}{gsd?qp<>4N@{)Fz@qL@mx_KGj2usddZ#M3rfY(}NUUea`^Hy^B1-vO}|@79+$ zO$^NSQ)FXOlVK(H{Ub!UvSzo$ab8O-i&{&oDubS(O)!4GdE&U#flHqaNdr;BUzdqH z)9G%<^D312AOdn<@?>)447;wwc0+AWOgU{|WS7#a|3KTa!1Mij39>T>W4m8xlx0Vz zx&h^{{}bva)@yVSJnKF{6n9vx$EPG6r=;H*wP_f{)C#s!FG8*8I`!(9vcr%-D!^=3 z{}82SjYd|l)gCItnz8rU_JSrSvIlP4?BfTj02e-qUS0I(L_S$OCDU>%2k^t7$J=g|h_tX9$ z_;guS(e4sa;3HU$0l%6+Yfk!JlBjob#JTwIUu^A!cT{zQ@r62y(W zLoz7?#w)gMt6Efw$gd^NXKjNrqU?sbi^vR!7&uI%9!8MO!kP>`m8&(??H+D%s;L!D zG!`p}C8)-G(AmLZ(U?Ha2GAM_)3RXHAeCGfFNM8m3&pDCs2y!Xc-*NmwQd@a<&R(O z>Se3LWIDZC1UzXSAM^BX{a^TESUgFucl>3zP>v z=K*EO3fRfDPa|u3?3cRGZl`CVTg$nR?=C(=y+(td>o@(iFe>F9ho7fo4?7sSRvCrw zs%6KCAaZfCoj@-(!-F7996SKnD{wYQen9$oVTyL}C4Y)c!gMnX|Av-gj{vDIA{nri zK`X=l!FW<5Uwr$(!+DF-y*&+?c~5J-RcoUsXVlUp4mq*~=m1@3wOY5q#iUyB5s;0v zZ0CIsDPFsf0Dm!raQ>{Eq}rx`V-&hhOVau3SD<2s4iHgh6UPSij!LeOQ{E!JQP?!? z(&5Ec=i^7Ji5RVwTSsY(g!x}o{R3B=uZd?K2Pz__vYWB6`fA;rT66 z>=<7G+#*0<#qGX|p<@HvfPRkb3NOztYm4$Y-`vA=clANfC`19SjV-t)GAd%=X5#lI zcT{d!hI$u@{GTCpc{-|Wfwkv}ztSshl-&a4A}VW^{vX2LsWG&uNyCh7+qQjT+qP}n zPEKswwr$(C&68x(Gjq{jUv&R~eYxMNRcqDrl)6#-0)4k%&Z(ed$`GFwKnqYDK56N? zWP5i^%e?$*8P(=>PEH*Z;%PJo``;<3?S%p1N2!5Zy79!%R;M=?lGZJ2n?UO-d; zqam_ASWelx-kJ<*WKq;Sl42Bjq3hIq7s2Nfv z)K(d|+d>d_YYXcX2CnC$WQ28tr}ga99IWCuC8l||wKqeO$K7Y;Bh-OMy^3FHfVvP& zD@Wkc$9dH8m&y6>8h8c~8psX0zY<9n9p@w)H~Ai^8$~?SG)VXka9%`IRGSR)3qgWB zhKf?49K<^fDK1FZuPY52@e?}mEHDw@Jfp6FdX!&Ye47QC{2q1)#3O?a#6|8*x2h|!R5PHIdXtyDamfqUb3hD}M zJ>Qt|KI=^?O8rWWP42A%!)DG39X?jb4m*L;86Pu!7)Uq0&~=Pf zWn9>-ze#+3166D!eAJ|K8;XA%I5)|p)w(tERxK1^7Hwwsnw;ana~H#D`%L$+?j^Cq zY5Vsrak)BULg*qJF%Vg^Es-)oh?YHHNRrgXVNX&v7B>fX4f1*n+ofMHj)T=&{Jzlj zYu-y8aT3|2pA(5pik~1sv4lT+(!rxnevA;5D9xa$c6rFc%F=_g2O!R6?O^0=B^$+ zkX?Y)?zw+tIo8N|C{$~lg&~Lf{sq9b&K>n0-vTRmZ*GUv9I-lGlsCJi#;TjrYp^gd zB#_Q*B8S#Ie@9G6ea+r})o}=8)lp3T*`7st()93S^~;;S4^m&TNY@74tJ^oNhe zKX{QHi{#z)TA{>@~Lz=nb$>DxzUUn3TFq(sHMbM2HMw>G$g?GMEG|6t&0IP?8jPQpyak8^b#e!An*K2W_ZYDs`-&MaP5(!VJLsn zE{qb8FvWrmZX(*@Loe32fu}|HekOw?+x3l(J08f%jU5kv{wgt5q{+^FoPIg{T=9*s z`z18;F>-zaLnbz);-({>ARetqdd$CAnjmcz&{Iw%E8&e;wd589o?YnN=iPgRNV^I^ zD2Trp<*|CB5b+P$yC*~?cI5MFBSx3%%22gV6eWo@{E%7e|K3jju1kDXrfGK7w|#N-pG10hI4uoDH1RR$W5CkBmBT0>SYbIYjm8IP8YxF=v94!QqO zZVfJ@jN7|WFU!sI>=WYkHETeBUHY8ntMu}D%YSkX12YK(2Mj=ri5BUp37`bwQ?)8v zShxwJSJ}ao%bev+|5eIA8~YLlmk{sI^7*U!o?QKB7lg0ugD2}-grTkM@Q_aHB%sl_eSkvf$N$QDNzMq}l7)HgTf zB3fn#(Vc!M=MP2c!+{411lJPSM3acc2a#p2KYOYzlmpZfll?Ld2P*<8{QYt8=dRu} zw#<`wGI&m>W2w2_7|4^)gE>kwx<)g|DoU}tG2zdQPP`}`xAnhDW-L!=MsG?;DMdM4aP-K zu$rslCep2IT4P`>R#yW(?x~ji2>oSjp%VOprm3FTYJ?3;YcOz`>apnaAabd1ZLB7K zR(p=xfEhy{-`*#}^0#eoSe|SWX9*OI^IVkxAf_-+H|&8l?qifDTs}%Al=_MQJ)8sR z^5sbDD)sg z3XgKkKBh4Ij6r&@!ud^RCmuGaq!GS9En^>rO{}5H58+j-0r|xWvrAQ}YG3znxp%Yr z9HIFVBMxiC1}XNdP{@$b^XxWv{Y*kmDIj;)-<@3;F{CN9f#e_sYo`q3Ze*tT*xxeZ z3dTX_B4D3MIxXN8e zo{r7+z3K5w05*InvQ2DbUyZce>h!ar1a_})w)xX4hwYq0@rHx(G# z_tXC!A!%$7mDebemUsS6_elxPb z;ve27p%=t7_z{oM_XjhkT%_>au}9!erX}q+uqXc9j0Nb`dy)MtylHzq08zW(awoOZ zwARzawzZC&MhSn~K9cP)6&hYcLCY|+JqYw0npv@?nhO#szp@*Kc_}f73y(Iz*<-=H zTLcnxknCM}3l-9bCgN*@^^OR6pcCwaZvdi-D)djSd!VY9F##Qhbi0`t1bp`8&5?&r z2sq_vD5&HfjH@w(2`A5wE?)hpS6I;2`NLdyc_>;YdI?0TNu(lX5?M*}v%z?quY*N@ zvPax%U?%*7H*W+&@+NJu5J9Y@*~QC*PxSsls5==}$C9#*nD0)t6OjK4? zg+)>1gIo7{wW?>~zhd$-%qUv_T6}~{2*ByWvzMQN;|3atjVBKmZ{(7ZSx%R_6>V?W z7rUV9hCJja5Evce@-1}(UQjWDoknmO32QoYW=GUeOypfLB4d%sgW_!@3fgHB)p{dT zUDF^yE}Y9@>2n|fvyRk2lIRN@4TZ$NAo#^QM_g`B!Biydh{iME*vLi@Q_}~D!0X{3 zQVpeF76@ACEAOa`J%ur1`aqMaRX{JGAG?SuC9895`q^=ei{(f?_$3%$!MYGbbk6Bk zPTme8D%QSaLbJ|OVM6=_7H3Np-DQWP$yOgwr?AOkzw}ZYVWBvYrU((WF|T)&{G-AljC zVF{Qq464jbo3kpLk}iEHNsJ9|qA&etbi~^I@X>TIK6$=HqDk#uz1TzJXQE<|89(Or%zNaoiXa5wcK~ZLR zx~njgD!$D0Wa$p+rNiq96IvFS@9YW#06=7E;SA9DN}_~GF~r&4VzcUgy)F?(MSDo& zp!~1i!B*!boCDtrQx$I86X0O%#~~heA~X$>fAkDw#?oBw79u~tjjIpp)G=hn74C}I zIZz=OH7@v-wMPpt@tVqP#?|RjWLdk+%8#3BqEqPNct5Vac^F?DvwvI01&to6_MKB0 zKzHjUEeUx`gjHi)l+0bP35<%!ch~EkQB1|Q_ey428n&rPhiyW)v0U@{VEATS)y+d$ z@|o-|VA);Ga-661iH4wMxVoaKgNjMuw0Le;r$BEbCRdJ<0iso%2c&|puVIdWB`T;$ zNp}C7GKSgsou7-|v*Q@B_?*m`@%gQEI%3;wg zrTK(~aTZ;PUNGeXdCTT(8Fs3R5ea}O0SZxrOz@@#Rgrp5%-%&q*uU z7t2)IRrzh>Cq~#`qW&@hU&6wvMjflOT;DgV4;J9$O{c9FSMg4*cJd=Jz{1qrtV6AX z;0LzY>QCP+DwK5*Klx1KW{4EwH+I(B%1vE3IUVbjm&D0q%wHAT0(V>qGo-*y z0PF7I+MyAj8hKP9Fi#zQNq1d5BH(zJzkHt2 z)g4GKr*Z$vGs7Ye$rHC@kAj#}&z;W4n+tO=!#12ty~nCESq%9O#5zLMH{@j8; ziu;y^hfrQcD|6c=LAAShD79xZ#HuZ@B>&7i4%eY<=NlO1RNjJRlFYH3a=?~3As9*p zqtsX{gmK=r$pUhrYOZXF3K~fK1NEI5E|KxCHWy*Bs21*62N9F} zVrP({N%=bdNW1osf>xfbt9AS~(VrAi(L_egYgMnQIE8KHQY^UFHV#yG4w5yAf3CI? zA<=YP8SI$zH;G08{o#N7n0avF=|ZoX*o}V+cV;D_ zmj@#j{-$f6K`O#$4SUlNKKeAlsoL;anb(aAr z>a)G}tUmYmumAUIcmEx`*63Bt4rAv$Ns8???qEhc*QuQqR}4)TMabN0B*`XO{uhK? zax$qIwLMBOG`5G2b(G2VDJ%JGVe9HJpDdnH*B~#*-4^~@nMwIzn-o>g_#<9 ziuz)BGsH-2L0>*9^;&u8^Ha?#B|ZT1Wey`oX(~La z6eqxJ6?n^kbOn^Sf=MI*1}L-U?6QS4h2D~0tE;QsBx3y9>)-$n_ibI2zCP(uN7wh4 zotblc;RRsaPhx>C88Gd%KVLE=yG!{w14q0m2Bb>Rxjgq2=(HoXpPKN8{hwV*84w&XPR$9BrWD&wksC^{*iRpiOCgQpdxSztxr2o)$Yadh z5?mS^{2te8E8-YL&XYv9Ex%g7AjgaW3Bl-2R5nl_n?&*}rOFiTDQckNEF+OlGwbpO zA{-Gch;u(f_7I?{opQB9BrRqRc#L1#Y_Dl&^M~AP7Y<`Mt#Sa2DlAgJtlSc}@GhSx z-gt1ueTWUOiEdm&sRkI|qDhkul4P|sX$teqU-%63v?Tpv)ErrL{f9Egkbh_ib;L>? z5*#dvm06a|8G1~2nnZ)dSj@DvIHbomJqW{KYp79M3o&Q7DX)AuHDnA`Fo^TK5uPMq; zERHzwgR^k7I)xoHvHi!r@+^6LbhM}tzNh8{jG5ajSkU_x97+L=BnW4KE&3QcRQO+W zXcAG$J!oku%{GP5+)v2v3#Y95t2KwbaiuqV>5F%+J>Wk@>3K0-vWSt?IhBWC9I2_@ zDHknx7uM-XJ~~eMtYS!dKzeiKgFVMreh*)*iMM_!n3h|1Wl53PDa%w%HG^<=aH&W3 zdRpo1Pj_1vF96(MTEox*&?S%p+cQ>P?~7;FGVqymI2EFrelR(lqQC@Zr?x7~Ja@cy z-YTQg5@zqH%aFSA{MX1*Kz>e;oxaXGAZwz!kE?hH{M(%;sfvH<(fvTgM!@`9a~Ag;-YA2KY3jtCP!5%gW`6 z?`mPUzoezrY#1NtX(*an^U$w5^$(C!xJH-BhRKYBYE*WeNb#%dK2 zscL78(+`)+=oYW4+wUJD8fAd~H{`_?dgqMvA)-<;quj;Tha> zoh^b`3qrMVT1*eoJxE7JRmrGm85CuG<(Ios16L(9jB1%+D&t1W_ZYh+AJjht!nbwH zhIW&Ih67=dn*E#{IoN4IXyVhx8J+y4R$mrfjccnlHnSBC?XT?r8O8yHLOy4|VLXHQ ze}}Q7m7$C6e-Gnhwf|4Jb6UH`Z)skfLa{Eh!BOanG|V}YJ%miXSY$GhFFqzbSP4M! z9{%HnzDF3BqUcrvpIwf30I;TWb${Kef19HOaYLhiG3N|Q)KHbP%M0ynQ z=s5GYheA;yffNp(*$h6BRQ57q*ve@RSc-Q$CY6(uVD5zfE_5K#q$<^fmR-bYQEZY7C(Ih$JK(*wcJ`_ zgWox$<@g^0aj4}m4bJDJAy4Rx*A?)#;RcObMKR|uLpSE4Glpn&^dt>j|t@<&%wO~ zRN{S^LK%`Lqd>+btyDhp@1pN%vGRjTSZ);0DOtNBo!O(?%?dMKggPjv`n~$v;t=IU z0ZXxuG>P`f#Y=RI_V7GY>7}g_enIYrORd=%BW>i7A!?F^74<}+Qzu=#O64Kwm|?6@ zgMFujAW4%x*V!q{J<6UHPZxRd)h~q|Yy)y-mePHfm5nH^F9OCN1+2?$;`7FY6eu2N zQYkrw`;#Px9oAz4T<445x-%M7sr)^NwvuxevLdlb!jRqqdD%`GUYH1}<{qgyUoW5E zrQjC~6eKW09D(~taA3vrRG_5t;(9-%$MLp3p3o)yBc@^=G&%>Ya)a_76BcpzaY@IP z>QH|Y!=oEH5lHC42`{8BSTw*KuaS}=oEL0RM@c{F;!{05n0^>mu^~7lT*N7K9;#r%4YfIIngdYVoXOi{IAi{R# znpwJ+B!ybCIb<0BQq)%fI)ZaX2d;YxnO~Y?Vlp?{6dn5Pf4vTCAa#Ggxs51GkBxh8`-$yz<1P-mczn-^zC0~2K zJzG3YlZ0*LukfTrWwtxY=q#*+66<}N)|nQh zGw4{|VG{}J1|#gX-INDcuDRhXM&!+Mn#ndw==Dr1{1hXJDM$7U#~6yifHN4_$PTib zFK-4dJtOE44CHl#mh}*c!k}lzfkoPkf>Qkjd3VC-^?HHf5O1T5_zXtX%CTi z2IYX@E0al<2->xFSzWL$GYGw)ix}+DOq~4&{2|8clWVK-Ra7d7_0U?hdOzK z9Gp7m9GgU?PLdYC;WkWqvVKfFy5Xa_DaC87GCw7)N&FOD^ zS#p@;Fk|m9Y2J){K>ugS`15cl^#cL`VEU_yCH-IfcgJ7!ijke8{eQ0+*J_t`hr$Ry zH@$|o$ih_O3n;vxjtCnCQE(d+*AfJQRn>nYQk`6vqC7J#=Mt- zPNX>KU``{Y*oQK)R$Q8!H2V4Y>X`y!E{6RlU*#k&e~5u()Zop7QxhT)2|md_rSP4< z6eos_6DMU%$y!Fr4$-zx6e2D$NX#7CHCEM=lAb4o)LU`z$O0OH0i4Q^J-bKS6SkAp z=D`(uzC7EQxxW2n=*idF9q=tRX^7h;1Wfj8Or>s0z)k{d(T4txGlb&_1D9StY-15b z@1Z`_kfztu+o3xlwD5Q|b!9bp`M&UUn3jFm*3qM@xh0?a^T!T>MPuMHv-17=DzvSF zLk*cT{;AB|ncgq2liAiuAhikNkAlw8`wL=JR zw43=217N(^qKe|)aiD`(6yEfi;oZ2OCEV9NDd^Qol|cSZ@ajf zPJd2gPt>Mw*b1&tV$}ybpFCbTciQ_Nn<8YX?TY&91`FQ z1AJDSNBvRw_}Hj8B1B1lpINpA#A0xa^!|nY#Fqr}*1ZoUk-q}Ms8Ylz4)iQJwl;dp z=D)eN!#h`t2OYT;xZvtPH4Vckk6bvo3z2g&g?*-8eGK*#Ec%A3zsD&t?B;y7yOb_N zQ7(Y0qdo%?Xg}29jAI&1VXSICD3hcwOGLa9`AJFmn|(+@Sn9LXb7i~JGp-FT>{9A7 zRc=wAG=vI#W3gU{#tcQ~NKB*{-hhRTNM%Ua+_uJUTLzntWxO~_9r&*nhrH?ezQ~Uh ziXkjX1uAWn(YXF_C|N!aI`ctRe%&$6LXULdZ~-h03MhVPg2Z>YBUfjp>G^J!E1C^< zw8oKwL-eUvRpm}OM6-yB%`IZ7j`Fl({25SEbsKm~7znh>=AJdQPiqlDM5kKbvYx-| zrE8T!tY9tF`(?8=Ax3@`Sh0uBf2i1VG~#h6-A>G9y2$iUN8j)(qMUBsU0-5rRHYuY z%1T5s*KpxkMaHTaUdo!7rMF`uX7Mgy8PD({lS+J;2Gt57Ger?ipWwsHFsE;hDOBKI ztDNVXseokYrzUuRM;bhR+M63;Iv&xh0eBC}&Id&BUm$aL>8i2rUlG^G_1}Yn&`+7W zJKLKBYGuaTw-{Y%0Ni%K^8taj&RbVl_sE4yBH2Nvr*Jv87x9rgO1(bYwihbJ=D6nb z7yT@wgU$G*jkz_oRHGF{IBrb=h5r+{+=uASS+V^dB^WVRf(n zGJXB%FOy<-ED+Gno%I|D^yzCxsZXT|e9q0^3KatYlC3d*Qx5%CH zW7&51sezrtYF$`FL+s)ENANqf!+5Y&U067O7{H26Hn|xutU7X=zg`b;IPnm^{_@L)`q`DU9l55w4Lg4bH zB#hRjMeIav2O&>PdMoS`_>qD;6IOiVh&tU4$HFGS(9Ef=81Hs&~Qf-g=7pI5DJ%mm#?H_Q{>WI9HF z?Y(l|PlofY+#!LE3}mnVa;AIt=|TM}eso<%vaY5hx}>JTs0z^q^*%xy?1SQ(aeP%HMN)-x7`KgjT2ud$3H-dGW{z z>T6r(v1+%K|NZ)N#Y0piwYj=)%TKLkLsZHB!KD2>@`J8SiKW9`XWc|(B~fgKRxce7 zWuJ6Q-J(o`Y%WtNA{&74*4E!Upa7|Hmt|vQ4a-+b?c2?o zEtnxM@rPv$YPYT{e+?PUOcJRYYn!9$*mj`iI7o#xs@6w>+T=Nb>|aTD8ynU2;&SsM z>jJ1Qe9jnsb^Bt9Qslsm>a5UtemMl64sD`ITOK=+HVrqJD1?Zd!Mv$dH`u6BGT^zg z$OW0ATKbe@*Nb4yHkOQ6r$s3H3((lEa`Odh-zSU!odH51a1iLzLBBc2Ri=EJb7UL` zllfd7*4AYRRxCgVm3sItM-w#a(b}7Jd5c|aE=^0|hX%q|o)i@|q${ zB`J4CA}uMRO~_-Q$H05CKZsV*xF_;n06`hKG0V=+2X=$lKZ3rb1ai-5Z+n$-B4mQ6 z6}@6e6^cHUs(1B=UR=0W2oZ3SFoSR`C=zEJ@bB|R1Q76-pUkk zFqm-rAA8+d1$vtu@7FIZ_TFrC(R(w z3@xf4%oPeimpgu1Gu_ao`MlJZ$;aV!^X?`(@RQOIF>dn(i&-L+VlQevs<}~+Z@9u9 zSyoZ*>4xt$)5NRR11E{j!m zsv%0|njC^5wS8U7vct_{N-}Pl57L3Jljf3eLH;F3zd&nQ)2#Mf5Hr?}`y_1`xOyM# zsW(&;ZP(*)Mt$mzIlE)*#WNR7w?#Vmy|8|(u!o@%u|J~D%L^GM0Ze`R8woB zdM4J&rj4_%zgtj=<=}FwPW?mK02P}&j51y^EOG! z%Lbwe!U9vh3n_wYRk)(rqD@%cD1W(UwOCR~(U^7+UYs+vl7v9;Po(rB;~}K(wXU5D zlfaVsBCI8SNS?k+h3-oVM}%$slM9he53{mrdIK60+iz`v4B!u)fS(5V#55^K2uI*8rS4w+cbb7ilUpdgchlTG{8zI#)e^StYYS&?{I?SSB{Y^|wg8TD^nH@8+imxh>Yz zIdRq_>&9e!qnIgg2%VGs8CybJ^1(5yg@#wPd>A%M2WjW$*b}4m)iL?4K8Dm36Asex zNxfrWsR^J0k3aw8cvUrQ*UI&Kywdn}e-iy4J%O1C%YQ#xO{>~C9kBh^?pHk`N$8V* zTnW39Ezc@R;^cObjNQT(i;XVNh%UdraV`n?!+_uI1d~3*`S$1{Lv*pveBriPbA@#? z6RDOCohHSN04z@FfifMOoE+T0NxoUxnLi~3IbXwrZQMBXKjz|%!E&KvDI0pesgG$DD^P&Uk;zBzK-7>;|*m=l5&ln#=WZH^z*iwM{%n<2w#{*~7+&0rhsk25Gtb>Lwq%lDLC=`Ughq z;YBB_LOZ*Ti%|xAB^o2#i??AZM-txt;Riq``^SF;kR2`0Pe3$=B8eD{h$qip4IaUj z2qZ1&xy4^wwuc9swB;HM-%hHyWB6bU$_Az%$gj%CHa^4dx(oL-8Rxyp#`mDv1*6P2 zV7mhT5+GGfC>WDJ12{o4f0qVf%!aPD_p0#u&QwVkF(%2_ntv2nHbP8sge};#w$jSQ zYteY&Xc({YAVs20L$YI@gh9q+*?k(Xwy?u^ekU2{diD=1{w&eB)R~m$ow#oUTL?Ak1lD z!6{H6NH(&#jdX6O{%%CuFI>Pz?<{~6|Z*K?B)o=jYg zgRO2tdMnun-WHBu*Ak0IL!(WBZ$0Q{cJ&KAMX6DF>S}nhTltFEyBpqgIF)O&U5d1- zcJG;*iE7G&`Vp4W2464!X^6%!%j|R)`iJJjJ%*Hkrrr9ZTG-@6+0peAYh^)tZ8}Ig zUYsda``jP<__3ry4H{cLE_y=@&*+pT?JHD1buGZKhhY1@%-3JRv zx;_Er9V_yr@1QMnJFjbm0^%foQ>@hThp-9FXC{J%Ufjz)IICJg^Q zgRa%J>^9j@ehFzD#eYa_54Ad6GNFy^k?pQmq~hB8>NrsU3#~s<}D8hffzp@^Y zbN`kyNC$PnP$s>3E)hX2N_-xG)T2kPc!+kcX!I}<@=X^vR_|fs5 z#H@q8!_&+0Pp`>_@fRQt>8ZofAdNxKh^}Da%_+-{q@67I9w=bj###$L5m?f+ zg;}$v3sBD;(aQZh&{zg&cjv#kDGj92l$b?%{G||d@+HVL=NOSc=pwf*dmDfh6k*f6 zJ!VUTCp|&6nR#rrtE*twCpEv)`#dL)fuz~>DIF5Yuqm*h6mUdzGywh=oii|E!B#?nDFFE=j)!tgG&Rh@CH*&5Qv#b(ct;fF@WDY3&D|uGi z84}zj(6QgN%~vC7q|j8({3f{5+Q)edp{=gwmDN!UR7rHLY$J+;^cr&R>7r%Fn<3Ky5Bl)~4;Q^o~7 z7U;6nqD81X+t0rB2}W#l{Gl1z^!GsRi`6;UDL!fu&%I39m|wZ)kg%lz6)7j5fq6DG zTwcG2d~wXqs$z4Ma2455p8mp9mS*y?^b=KOux_p9-qEJC4D8~+rtZ=)oFx{2Rw8XZ zg}6w+zNHo?vrkf+>t+b6WW#KSOtsO;2L*mn8Fg35K`LnzDoe8yAj*%x97yvaFH-jg zr&$+3ik}{4*IKjJ`0iPu$#mJGt|C||u8$MhGdjoV)L1XgFO>+`P#0b+A@oE{ouSpytY#ooyM?;<$#C&yBpl*5jC zqmJuF7XN6kI%Swv(n0tG8KbAwQKcQT%9UT#y9CITxM*?6_*z zhq!YM3;JyL&i~kmz!8;)&GFyP@&rTN(r6~qCaTp;ZzFkE=bk09+F%)Fd=S$1m)_3I;O)dQUCSEuvgKy=WXjIs-4H|!N%>{= z$6obFS&Z>3Id@KGtByNpk)a5m%l&6X?4PRpB>Zj4o#6h@rrgBL(d9o1qMFWs6-1xa z+P3^=k{Qd&`yC_*p?Xsre_L24^fd&tKpLIR4H5+cO77~zpB*X5Bx5l^pevJM)4n?4 z9r%YWC;0RJcs0rW>BOx;Z&=4;4q!8YR<&DOK2ST`njkqO5j@i~<`BjDp!H1o30QOo z?n`HFJH9vTVr4>l9(tOD`o3fJU-(j?n1U>ZNhKcu`!SCUk$RFx5mJs6#*+^Y`HYGF zRuDt1Tv(lpf7SxaiALH{kC*K2g+TRSlkjdf$J0hDuG^>cli^X0;uQm2VR&kLqD?Alqh=}u8)Del`g0pnmu?Secx8;Ip)^j;o+hOcEAa}Ks7@t#}`Ij zP`WGdvb4V-z-Le@!s9>T02&5KwA}taco7>|ZGMeW9JN>=6-vjsVs(-Zpa7WFHzwuJ z*N+AaSKu%Aw2&bV`qVyO*$ZNl&B8a}Vn^$gSYH`pi@+?*w{^ zqf8Fj2U2Oj+=UAw*o1>U+fCt6dlxH6OS883w@s9^k)c9W=(6&(9UFxT0yvd3yWUJ` z>;3clz#bo+=E8fmr)KYS#%9unlI6gnmaavOgKiX7pbdAo+Ud-%7P9F$*z!98)O(le+8`YlEdLSK7_ z1q12ns8v{cm>}N+6D%QF=_qjmlz2o^dXZq4VqJlzfipYtcg2R0%FKy#dE3=x@%S(L z_}y^fZ?oic+LE#+HrzS9j`o~YvH(myBl&mlK`52V*+wE2n>uRQqT?Snz$h2mpLYLe zov*Vhpu(&5!CO)aI=}b3A%GnE%e#j zDK=QOC=2SM?j{n=>O_b?*U4mx_?amozVtt_w2%LEXK+`KtF2z+ibuIZY8rN1#AGBA z>upwTIq?lB>i`CqzjppG8+}J-?|g9@z3#%BS$m&Mo1X3@WN4sgqFi};K10jncW&BN zY?GR>ZT+nSgfZRBJ)kj+5yu#66 z{?oSWCF|<_AM5o5^p}0mzYlUWe_u!b@3*T?Mh4aWAlVkPCLMjjK9 zqU6~HN)at-s$A27*A<1IBtKf=8I?i0v!_TYdF`M$`W~^s0_SJSztTIq|&Y^g8!yqgA`RKzu9Z-eJvO~vK zbBw7Jz;RAGM@Z4%!WhkQ_YMw_#(GDRz=s)P8{tAZC0I9#K+Pb~w}r+?ICIC8Zr3St)GJ{%olT=Wim7#;7bvH^4F z47{3?j$5YMe#x!$z1uggYzR6N<|xG>OC#bOv@E#fUBhE1Mv%8=XFG%}lSm*vG|5X2 zmRbX-y`ahW;?f{y3xwe@JT6=IV)W`tvF2_Jb_ zgZG6rDbQp3`m6>G15`HpKh}x0y~Di5_+!Bf$hh02_K4+dZ~wBnIg`1d8xXDn?z30+ z>X`!n1JiDRDk)=%D8KgtFk4Xis+qFgh_8zruVoLbSw^4%6{aLkk3dQz5MQ>%IQn=p z?3v|yAC09TTk_4SCMg+Y7v?r!)U5YZP~2C7yJ&k!m*^GHfLnt)3ngM$v3A8T3LA~{ zC3Qi%{kxa9sR!OXLlkVw<$8Hmw%kLDi3uCkD}aa_++IAkiHvqsJ$}_FjUSLxiX{9!;IN>t7|@_kN(hgON!ld#(Zs za36W45@g2e2&s2hoeq&R^^%G5;;_|axlgSfGkNTM2Rc{(bLID8s@Ol$o!u3~@M}h3 z^>rgnq~i@~Vl{>mC`u@H8SfOv7(Z=GI}xcbHPd;Ib0kXj@TE-k^WKc{Q9lx|K|9mh z2zAK!C4*_^qo8~R7RJ3tRU20#+#FW30wTFU)6qL>%t|Kfi4Df`7PdeWd{}re!1nV6 z!BL%06B}$zZUq?wjJRxygY=PGMUBwi^)gD)ANb^n&@EMdSDkYgu{3|SbIVBnouRsV z$iBfK9a+dKQ2x02TxldYL}DGvWPR>4#N-$TspOnYZ!9hZ!)v<)Pa^D(HPFbQ?i;u?0-C$|BgvxOr^{_7YnmLPS5D zpLpOG-Ya@JR@;oP6$ULd1=45ZkLnl_zyA@dn!Eyu$iE|vcr*Y2ivM-0>SSbY?P6=} zY-04Eq*QgU-!=~6XE*ntqRoCwCgsXRD0A#4utX#Z)@F`mEwlyMIKCxVGD%R;VXI`< zM@+H-FP^*AeAOT=faBM~j@R3HIOye8C2eno#}w5-jUZqLKjlR>1eqVk@dxO9dRj%? z*d8L07y>h2Izt@Al+X#pS5UBpCs>+p>eJE#zB%h%Ac>Kv9KUb;k(qX-2%RbT!-k-1MgZJ_GLovDSsK!zHQc*GrGhOMJ z>%h`cGqc`qcMm33MY(X5fr$KPT?jh~_$Zeg{Ka^PJ{BQDrpO;iWPiV!vV46cmc8=6 zCb#YmOkp!i5XF*%xrUVRu?elemQi9L*~)MCCTK=r!nT^aQVIH9RawuPqB?)$z6iT+ z0cjd2CPGR@{j8sw{w1TEpqwHv!QnzY@3vZmnfmPx7a`8RCPqu}89=ko)DaPR{vywV z<`uQ}*Ohe^+*I}GgfU;6#o?VT2fX;t!u;w$J^l*XMYPxb%B8}kbe zfFTJ>e%aTDdeW&J`;S5-sW37<8OoZBU`C_vF9wq(DGhGhhs`taRF}=3@Uiq4q!_MLMQpVHAHvSDOVBo3(rMeaZQHhO z+h(P0+qP}nR;8^SQAG&|Tv(|q09XsNRqTk*g_tL-w-oW!<4e)s@=RAM= z7Wzz!{73#S62Yv{AW%NYeq8=K?2zH_>H7@#qLJ>i3O??=-ZsL;4^YO_tB5g3VAK!A zfS$HYuFjY4d^@+;q$=a^t*}MU*1A$w*Tt9Nzbg!HB*m>!tI`nzWSt3l_=wiiAX@5D z6&3wn^VSz+&)Ik9!mXO1f@tU=nL9)LaZv_Y`tu(XCP6dYK!x~aBw^n%SJcuHGoa7I z&otP=JNG|&K`L;}i(U9)vLpf5mszXhBZ8Kwb(>nbQ5MGQnh}<5j@H|;*TJYRxoy4v zLAHv*E}tKnktocz3T{=0h$n93`19(;=2q=w(LYV}G-;InQ0ki_3Ipn%RII!Q``-SW z#T6NY7#B-i--K3{4GfIK~1GUm`?(nCW`C1vb}j9pr)3-v%bMqRW=TQ+9K zkIRN^$c}_K=g$xib@@UJZ-o>c%RVNORGKL-TFXd7$1LoRwMT{_|`v<{_;Yw>qHNfNM)-zh&Ih7IaR4mme z5Pgqanb&ANu2nOo`{#m!rQ|raRVy%@s_4ZADFhX{KW!*e3XEg;6R}tZE$nqBn|`yE zZ0A~7kK8Bx=_3)gaoQ0iE(fLw)dyo8ULoGK^IlV)iAcO;m=3y?*1?Kz(q0tF5}=Y6&+= z>}rARH8QQ*I#~-@7vl0F^su`4w=fiX>e+R}u#S~*BYHKH4>7N+h6=WMQVE|#qI>tv zn}ETU{8Gi#`|y9I!%@->=z%Bjs3eHz$`~j%EdiKuR-*{W5`TT_GmHMOuDcby8b?;XFu6S?ZH?^ny@GWWCUV6`5{`T2a^xDN-- zw9U<*R;VRF_dK^|ZaZI7?r7tNap~H;zR@ynl?fwve5Q_DJ={W{sxY8i1S$VQe!?g@af%cxkk= zp&CUtTuh`;E7s)>f9liA(W%@vjr#d)f($Rmk9zprdD`HwWQzYJJ7zs_BRr~A?O6GD zJItMr5)wf?lWU3mj6uIWy7waJ3J&)GI%Z4ZZwO}FX*4H5n;&>Q_g!~pE+Bdc0PVSb#k&4CqKL=Lo7y#MytI9% zW6}Tw>Zj*iZ`ZOkLHe_MJ9Xa<@}u;#^nc%3ecn30|6Y-=;&0d0CF0A|?LjO;wL3^F z>#8`c2Zo{L%PJO^aIFGZcBH!NB`c0$wZ_vB8}pvEDXww3C|`i)-i~3W`ArMEXGq#( zEd+HmkzSBMA7FL92+;J%?4O{Ha~`*=PmyvSFS39>m}d(jJl>Lq|9Yp{4nWlER~Vw* z=?|UE^}Jvz%+22~QcN5KGo_%511C`a%&G9O{F^*UbDZA|lfl$L+s$2RQ~7I3BWaUU zVVBTe#C!aj>gIH(7FV@!CqS+VGv1vB6$yxHAx_5yYYgeeSS})V0kEB!YR4x-!<8)@ zk>;A>C>;Y$prLQ9M5?CBQ|C9Cnk+)Fu*s5f=basOo*usYkkifCA)AZ(sT6D@{d!0@*At>cuOfW2* zp)hBqYIMx=QrmX>d^gTHZA zRd-j>QWY0fVo~FBsi(; z-yhoxz^bBVl``AgeZI~QPR7f1Ij{y4i+t+%ZS7-QiA21{W_$ z-l_0Yn3Gb*8man1R(AHW^7k~dYH4v>u*w3xxZ*6~h}3=TR(y+vKx=EVK>Otqf_zx5 z`kYb7x@PN1KHup!!*F9Zih1aMSe~+i1C9WqDyCnsob7+35hgj=4io4@j-nHZrbJv_ zhG5oklfQR+rgA>ZB!0q4Nk0Lk@<^8Iz@$VliEZ?#g`K>%scyIN07if56YKtx^szMF z-^R&&rX^X%qnn$p4n5PW$)awvV3;j*e*afy-)^Xxd>3t=b(xJjc;o)Bq&CL&E%Zki zBq)@0A47Cj*HiK2Pd73!3>W7OhcA;t@(tR!&V^jvlFX|S2UHtyl@UggZ> z07f1xScVM2yTqgSODPKzIw%)bpBo^GCKfoOUIM18?A5k6-OxS2-z-5xqW-UeBTfYA zyqND3pi=*6jHnr4p7~TJc75koTqY=2ud(B(Bi^?bZgxgA{qEmqKPKL;>}fuooS4$1 zjj+q8f)>tuGko&>+P>&_6uDF}Ijqwu_yc)60{6-|!(2>=Vh=-sCT_S421OWZIIc(E zT2@1?Bu5m6q2QC7r2FUNvmFl$*S^*m?=L(1QV!_!TWObT>4tRD48zCtHm*ke>QOZH zqKV&mFKgyAv}{M-_6?c}HjWTW@z#2wfa!+{CxrWy=z!=a7|kFLFl4_WX_95m@(y8t z-HNHpI&i2QP;DbspH#voN@mdalLXFDpbu!(lRRL8;_LQ5?NJKdmq5inl7_=LqbQ9= zgV>TBirXL{M=;L-xAXA>cZ`Ei1t%D$o|q2CM}?QyYe|4sQNa0>1}&Wc}**Cto2h#l)E3nClo8AnsbR1c0j zgr^{Dv!bFyXN*}0`p{X?(+e>CdsLt<23#()k16`rNn<-IwvJXJfVt%>aBLw# zcgh6~z8_Z^ZOPvpOFNPd2}|M}Zb!nOz}9Lkup1l39`*47SG2%k*2M3KGl(0dLQ~~GU^-OqYTt&UDS?8~z#u}wN z_*5q`&7D;Jk)$KL-KdiThunB3NmjF zyY{Q1a+2%ZUG)%;A4Il%Zp;*}DO8*-qnGXbDeO^rL_sa)K3>MG9odcAK2%sHgMK%h z9A|{5cxRs`{JsHfM{DZ|GUSEq$`=jsl8>9i9>D7&0&ZjJPNwF;*o9sH@I`wYD}r;Q zGCUE3Zl*t85cmH*qpvk=|23ok{zUZ) zbV<&ssO9=P?n3itR_%tcn$K4Y;6OABX<8f0Ba?C2pZ)g|3P~m#8f}Jl>oIL#>BVp(#K^ zSd$>Tp$AEEBYs~{Bru^P&uQ;FaN>vfoL6urwDZJjjt4C>TgTzLPGTd{oPpqbP;2r0Zh1gG&y*4TL9E_pK`6RBBYbu$qy>Mx-nT(* z8OgENk3`A^K4|>T?0b3`7w-)ewvYhE^M?jt-q1&5${=qUSARs?;i?eauMNJ!+;@=g zCGCn3b%5KRH$VS%fzTc_m-kXvL3)r$PJo}vQ;#UYkRKA?lx&mioiB2(#03753b>d)Xn&_O^Gf@;Q2z1D#l!&0Irb+%h zDl_UEV7P&3N{W<`2y=uBv49h=NjKc&bvt1Rl$6!b*U>J1;Kx+u&IUeZ*$Bs5reUq1 z2q|nyYvI1mAbGALa5V58y2`s(dlH3OGqrvbjPozid9p=3^h{@8#n~^iuWEMc@9H-% zxiJD6i&wx^$dN~A2$kGJ&VpE@%Kbh;te-VnS14JQqBl_?BN?40iSdCs9y}=jGbj?L z0?qL+CK~8W;P!O5(?_(78Sb;$?}ccIjKksc2(RtmD}_^SY0N_V()5MY^uqKTHx=z? z)2k}#tTkCs-XUYL4`9K-BBa`C)c24R(dO^8B@N5eR(21bSh8X4EwsU5tv~PMJzG#X zf^L#R?Ks=p)gpr^lRBb5m%-r74-S_qyJwA6nXMRVJxFCoY%~NH`O&r7Qf!oEx+Te$ zyw;zghOJXzNTVZDYiVeyF46XwyI?({@3G>$Gg`LKD&jAg9gRL+Elt0B*N^bM9F|?7 z*nl-)Gpvw;n(wEHJ>GCF)v}(r8G%_)n^TID)Kbi$Q#nSX7H9#DnFBa&e7`C|tlgb| zk^)MsOzWQlqc5c)v*D>T-`x&3Vvlu@JN&FNsFLi!Tdh@1??)T#dB@aA*hdm~?AUG4t1m(E!rc{%?6ex851E$fFI{L}Yj8u^MSxtfRU zdx^AN#jnD7NIWdnr-jI*t_qrld{T^wX>0S|xrWQ$vsBLIPFv-ZM0lz6%0dzm=NI9=U8d1AGyq&J#9*>y(@0qOT^oChsSyF+`eJ%U+Ccgx(D z18LfJ1Yxb-0!XhI&+wmwF@C>!Nad=*CVNNdFbh)6DWhFz-S(jC0GDd|a*^8WJ~t(8 zEi1JjWo})0Z(mtU9o_WKrl@h}z)&kg;K&3LRCnsJL#Ue_C_Sqtxq{+1KaZ>Px2!aE zr7U8z$w+Sw#YXHLy8SW~dzqZys#L%_?yG#_+gQ+YE(m3X`LLF;-L)(V%)y8SEvR|? zHy87G9logMPqJwR{l8fVoh@x0Z2ob?JpP{_$Bn+DX*1`I(UfB=kh39-WulvA7o7!D z^;S1zqsW%dGh2exA&5~CLn!KfD_y~(r&h{p5VTCLdU_wSW;5cl=SWIu%#x=Jcom*prmsX zo|__#FTi#RG(>0vO_D$tw6LC9dHY-Oo4PZUPX>^?PlD1RgP67j6H)QS1VgM38bvrT z0(^;sJ!@ zF;Nmvc=pS>a$?0z0(}H(+&R^`U>h5P67+!u)gg@x!`=BH5=!0{xlAoyBhBllDWe|5 z)s*n;5qz2Q_SvK1PD&`*swP}iIWLRZb3D-$>Nf|BDcx@tiO2Zn>|na*N#-cuOEMj- z@75Sj$ta3nATg-}{Jy@Lx+`o|T5;a^UTy}Dulmu}NR=K^D^ow^QAe6Nm|^RT4TWDp zP=rGe2!Cb{D) zRArb?(qM5RkKPRvXPCXI8eTc~&yYeyN@`)=#bHBQUN1 z4(NA)3?r+$_^gj8jkI85NOYZ+H|6@Nb&K8U(K2h|>Q(AaSYgrH<<^1x=~rk{^))5C zS@g9YP}8*nRdwy9G~H%s08_&xT!F3p)19C1oTu@r2Ah`Gm^dZxKC;{#mHmGE6e*Ui z24143%F9~}=e7mR0&x$muMTd_KV{)Wu$2ZCJ%C5-anm#oh1zH__rxPF$Wwr(Y@S9YQ_l`BvKrh39Ym-ywb4Rf9Od@ zwOq@61N`=OOTB<-r){H`Slf$Y$d#Q6`47fVX*-|I?;koGaKCuBGM|h}hpDI6j1X3A z_=q2(VxF=ySZ^xX$i6hOI+I8*pg*aiFYAStL;mar97-v(jC%3)wK((HlT8y-NqL-j z3+1Z8ygbut?G4-x9g~WJRzeGJ188qEyVYG6>?(pZq=%y$D9LU+Mn*jZh<>$cdcJ8iF#Gs5RuAYcdWz6=RF&09+-aZ7 z#)AV7-pVHb!FLCSv_DryG{t0PzwIP3L$d4DxJG9ICmA0xbO5=W%|2j-%H|Js2jwCU zes)V`At_l9p71I`^XO~r4HpjAMt*1E@8laREGD+laehps`ow?(TD>b`h|)z?3(q@U?0aB`+k}T`?|hBB z^=KG$iqVe7*#3M7JxfjM=IZ8ovHG;*wjWN|o!|076u9Na=xK&Uji53TswuOG6-BIo zU&YM!oK3X)QgAa@H5l$jBVBi#(4RsqTc6D~y1EvnA%-^t!h}x~X~58K>PA^#dAnwo zbp0QH9K>SpQL+Yd-ksc_=19ObqEqatN++VT4OlFRLeiXN}?#`~12z%LGU{6CZpCAcN7fjH3{;f#FXYkUE- zn#V~GK_EF7$R1NX5$O@64yol<5!4t`8!&u35&r($NgM-5P%RV)06_TXEdHN^MnAU- zQ|ABuw5w6kw%=qx@tdpTVC896l3aF^m*HvFYH75irjpqtRW?Bi^N_t7N7pF$eBpEx z5?Zs%X@&sgJN4P?@RhqIm{$UEo&*|9C19>QeHKW_&VIYc+V#mEd^53$In^@NfjLM; zPahDKTYH*Kx0jp<34-p4k4F>?ji*$dG(?~&pM2Vm^F&P6fRV!4Zzu4}F=k-U|6K+; zN4KY+E4udE?-!qp{8-(SNzhpDZP6H^G7@y5*x8M^8*{JM$IZJ{AWqsTkW2&dGD^Kx z&1WfU7Pmm|S`~gkMD8g|s7jND;w*{4ZN=Cl5*hIn@&O4aPf!dvf?}$ZKpu%Hw7L!} zjR_B=n#V7pVQHj7!*CcfkuikAVVGDZ>&rZjC8X0$(Pw#Kl>$pBa0T-y$J{=!6ht!| zGEzjK_!=#<`jcpZNJ}{+lN~b#Ed~z8uw*aW2>q)5#e&Lp+crYQPiOwZ*Su?z(GrMh zzBw6SM)Zj&uZv&OxML!dDyMI}9Bga9mAhD^(On{B2i-266CYQYyZlLhbs|odSB|YJ z+W9we!+?JcNg!nJbDU&Wq&KlpH4i>!H^&#zZZfhA+DUA`f%4GJD`pt_2M=H=_@@C6 zxO;f4vvY^vyQD6h1G~b=YL+)O(CY{nlvvrFAVF)Pl7!Jh8>C(-@-)rn4ofSk0;*cO zEF=aVuIjnleSsw-_bCa2ejM4nnBBSmqJFslMTP3xytSRI2GX_F0J(tM;Xb){?CLJ0 zRa;#`KVt=5oDA)p zE&o9!nbFvC`q3(U*VJtYSQ|Fa%*b;qn5D=iQ-)p1?m3*Yn(a6dASKHs13(4zi~Mha zy2Fdh*FDcA9&a;Kcic#ubf?Sdof#Z6>~X0EJ}t23%EJ5Y|A*h3(qM;K-{ zZ{BH=?JM7p2N*?|2@n=DqXjj5;032TOc0nn1qEt4!O}#|utHQ2VTG=>81HV>7z=6D zxcvcl$etFu8R9|g<<%GNIFl2jHW>M)fWR0 z;KQw`di`CpJaDk^gBscER$uBVa_{TQyZvVN`8W~h!`adCjr=K$@Qcs`6Y|!4|*KQD|yrd;lx~gPA9IeY?!}GJ#gz#_PlzMZDW1Pv zkPP6r+0sU30kF?u0r~*Gr<3`Eo&|?>+YVWXc>a9%;K3gnU+M$UeCv5X$^(J7B2){s zTV`Kk-V3+?^5yW3i~Ye~BFc%%!n>JL>CZ;J7zRJkq|rowkAV`+7y}bGoj=tOtl~qd zpvcCH=kDP}rFA2^OrwZNeg_=gN%tDm;uMez#nl9uhM-*16x%dvh=?VkI}%8fpqML+ zb_#;4AbjsxC$c)d$`zHftxA&uczbOjqxZ@e1126QM}OmCXxz5)-zE zIFwoI)NN~15MFkekRZR89@(&3ie4(ZD#|vilN#JUMtHN$hPtG!_jk99HF%aX1$ryy zhMzKqUu8z4to1Qh9JDOiLGIGpDx&-TWMjotIEnk)%#l#8@#vl@h3_jn(N`6SFMqdsRqq(;j3O=0tD zTLQ8um+Zy_Tr*{xO8PMzT|4`+#;#Zwv$3HZquv&o@)kjsw*KUU>G4g>GYe^EBEtz~ z5BWXzALvmqeG4=J`F>*F*Gsk~SAki#_q{yV2`dLStl>B&x0(L5$~I5xcj=P3)UpOE zeHUfhBZ6xPm=^gLdA1YP2&X=VMVmJBm+lMpe3OCKcRT)0Vd`?~0ia#9pFDq{;~qT&a?Ya~j;S-o0dy!EY?*o?W; zHIKgBO#|ag2_{tm(E!(BKuD;^2)j@wP)p4f#@zwL&vaE5slz1fkCv_IHi&#^?p?N_ z4%key3_Bi_Q`)Xn(d`ySbBS+0UD7xS<$&8J{x}_FD5Y|+2c=($V3z=favh!~Iblml z?wSKu!YK=B+py`d(-!_Rgjq$Xl*^~8@%T*{hCDXi1zyl_SM}a@8Yt$V*Yw1g{eKyDq-JAvo=)%}U4BkA36@kgeI&A?@G*=Of5<#zId?ifo zq*wc&ErW$sw|=NjcW%URd>lhJ;hUqc@|fu>>eSRhjhV3YVCKwlwhWlFjOotNf@RBm z`(ZZ19=4`#sUC?2fzX(Q+75I^UPMai*$Z^XmJXI527RUAt5zC+{u`}#6K1yKizjwrIb;WSEg)H<3xLT|Tqq6mQ6f~( z<`#@|C7DBpCpv~>Kl8o?E18IGW|m+j$`D`AKYeiGoSVr}sZ%D4F`L4W;m6d^%wnMh z?R?(&(77m`9M5+3BKd5tlz%klz{ABCDL!_8M!}W;Ov&Yd3G_x8qXw-4ml}~U;Tnr} z7HvKKY^5`?2+ohX$>SOYf8^M6*JP zoE6Zo{#FsNJbbyehzfRLVQ$y!f^))3Fjd}=#gj5db*1F5PFG8ZkbdJ7gOR; zY4AFI20FK(8B4`_IoKdUF(qxtk>j);mIX21zyse(-b3u=p0~|3A)WmcOYCKfc(cPY zchv4aP8mlesjN$tX2p6GwfLrEi~5eORs}vB-0AP9vI7n3${8#j&JX-^R>Ra8xVCj) zkzTr>md8hZvuWdNy7qP;>UL%UTgUGNAq??4=|@YS+`vK-ZFJN|gw3-M78pX)D1vr_ z>0G3^E1x0x;s(f~X(+t+lP#;7;j+66OfriFRyxspAr$B$;32y$x*j|_2GvV*Hn1;g zfCJ%@5gx&;!Sz{%vhL3V$SXQpVY+O2GQj->9HfM(TpZx#4^MX8k)3`DPng6$!(7sS zv`&AP4W0ubp{6uA)r#jit8||r-j`yrx*YkJ1lZjCw!{@i!`5N3WykR)S9#P!sI|cs z4B=H0wL8!qfB*BvSDvb5lLMt4 zhl=YFFWx?S;e=EIoLct;D6z1AI9}yYnZz~*oTP(3i?xLrY71_krR+u;bGT$!RpS}L z>(m;=uvC^o@gU(&kCm|J; zkb(%Cb}40{2c#&3bwp^SlZ3nY`^%A^_eflySA&)Xify57A9Ixb_068G`?tFE+o~eo z4TZjP1JGj+>Xykd>mthivuYQxdd{%zdG3J_{np`iGJT9~$4KoJryVoo^5W-x2>wK} zHzak&=}P3?tQTBe#qC0|+Zc;>>3WZ)%AWgDsNL>F*mw-?yt)SPkyD+T$%Jp zr+^7Cdi{!hlX-*XMFQE|rL}U70+QYHVErk%;lP)Ura^&A=~;jK6M%2Shn@xvCGrat0nyze8hTke|PkneJ>y^ z)8dKjOACa=(ThFAuho01nu)HJmD_JN$?|B#UFs4AWE^DX{=9r}vWX%YxnEg%Jh;>B z+19;YaN-xSS0;wm-;8@(LM%}RpZf+5bGr%nsSKx-=lP!bbLHOi@M)v3xy*1fu?pZh z7Asz)`>@RWHN;XHJ-Twm8OmMyXV3B4;2Hj(&z_Sub;`g0^3fpuw^zKY&CkQ<9}`+b zQF%)Y!SAJRJ$olW+s5$hX#lfDI5^8B5fUcdl3TJ8adA>9-t}T<0*>(S?GCr(>I6no z@9zR-yngph-D|(DkL%1EeWyOPbB<*5?p@$o!K zXg>uC;(ymVu1106c~erI8={48=`_IgEHTr+obi76wqF8>h-Rj)?(BxoULK3qCJVuv7j<*3e?)TSL3NLP3+L zYDo}zfCta@ds#2R@b#zBUt1@ZU7F_`O-ocAb2rgNQy+(f{bU@I&=JTCTgwDaFh~|? zUomwof6MLZ1=Z$G=Mn3MDx^Vf7gE_msDz9Q1Y?puRY5Q6=l?kblpUEFqH>r|NHU8Q zR{GO?Bd4HE!BZ(@3UR)(kwpkLl~ zYFjCfOlg8JyX;I_3Wp9!C$){s`=lZZ|V8MVwtIyRJaf(Y)41g0fWsUvbx?CSHX zF|b;28fbcB9Q|sCu|$cDkB^7Pfaob@ZuE8?&$OmA12u=Q`VWoDlXgWqs%AW`$%ZK+ z2nFf!V6D)WKMef-6>HT^l>qz<;!+r_etxkcB7sh_!Xw18Z7jn(WNJj@a~FiAJ|eh2 zI@GZkU90yJ(#ApRu+~B{u&7}QZGLU+LFmOej;wjgb&GUU(}l*8!1Omh*q#Z-C;Nok zmjm>M*7PI&L~8gSvWda_k>76{Bj?BPJ{biV_V3EZ&lHb~s68L3EeCcdITy!}slCgZ zY}Y_2q9i{w5VMN_7-s_%tFIglU3DfQ%;s9vL;*}V9i8w29&S$lBkfOS?e8jFDwhdh4kPi zL7}WH$io@iHw4S?=Hm@its>;QwEX~PMH}xRtINlMQsU8cj3?9TWjnu?&Tsw_&7Y_G zNxk0~1)kb1EF!HaYwsBWtB2y-o1N1{J5UZ;tZF*TvtnLV#J784{jUAn9c`%yN($v8 z#spTG4%NLAi^^CdjTWlXFfR>OG&JM~X|LJA2st+0ThY*JSa(@{_|mRB(d=+3gDth4 zFz@ZUIj`vL!k=%0KCFAaDJAZWUKa|l0J9#?F9f_9+Z$mCGib0}2cwd+y}l8Rr?qnD zT7d!U<=MAT=OT?>ZJm^`vs6IZ>5ISDcvl^`1LuD8hiaP=&;Ev5mmD$}zrP)8N)`&ZY<3 z0NfG#d8>Hfi@2lb2)8i7C*!{R7RLmmPw;>KM*K;ON%enzBPRcq1Mg~QZ|dq~|IZ)E z|8x5M9BhBg>jPF(at(m82e7smy#%7zHgKyolpva1+A<_RrCc0xnLp-riiyS}5?VF` z{R@y-iCx^dxgB2dlCC3ktv6*l9~AWbB)PJ!^W1K4e4GQPVHY0fzH?13UhcBnM`kR^ zUJhY3>0ApHVmGE<8vg1fPDCb;)JH_==!xgR+c3^s>)hk>M*N9s{6v|ycK{sprDSmi zY7vum6s*oIzGBD1Ax=C2j4=Q~4Ab?fL4rWHn)iljA-XF#fPOxlimA_+Q>8Kc zSUo-6znD03c=$bEA3IlRbHQtMxpxD17Z1XJ9}n)GXSf>X1qn&eq`*x4-QjDw1?WmD zn7JN8S=iD}h-9E~JU?);*eE>LR*nScwtjlX9Wg{35y%pa&`d%g%P3b5z1gc5UE4WL zKR)wYQJpS)!0-#)L8q&#nO;Hkdz;B?7-slDlky2tQv0egxzM*c1WE$FNTDSLp;7p; z<~hZDMj1m9C`yfmz$ua)Vx=KKXSnzcBTDyL9kY$f5sA2>1T`jwSgFJo_Bvpbloc$X zNc#)9kIgj#Aw!kU$?lJpFoZvuNjSA-YQlG(ynYY0Xy8NvS~ zQri-U1t(DEC@NvKCjwQ~UkNaXBPTCSYnviigANu9gOVc06=>}Ni8tBqn*b%6?OOF~ zA$6v!L93at8nsnd%T(uFp<)eT-d=6+2bTPp#^4Wn5wFgytH(?hmSJ6eAPpzkjU>w-Y3?iFq6s6d ze{vP3=@KeD=wkI!*>HFJ+*`j_^R1Z`f_-Hh>n3DJWR`s_II23)iJ@|U4O*uH850Mc z*%(~Ea0&WJU{ZCIrn+~$<`t;vzI&P`qj&;YgwSg*WDR-%+Pe7+Z!uCuT zSH|KL>lhG3+E_J71hhpd60Nm<06B+nKCwBLhLkhRM;!ooF=O2DmW;D4H(UCMl;nkw zQOerWF`Xs&&G@MLv_{yf>g^?s71e}6AQ9yXY&Y=NAkS0Qz@LYSS-|7QC&UHsCdsc2 ziL+n9fm70|i*;C=sLqwISCYP3)=(}-IABCJ`c=eRRi0)IYz@A-)~a+}H#@zIyk2`S z_0s!(rD|*Ecm-0be*IZ(nn{p)xwI-sj*Spi)3u%o+oeJ2tHAZpHT(V7?u!u@cDOcNir%lB=f4%a_ojt;&J3F@8wd82HXuhVK690J0iMx6v zDwv{YjRDHKkfiWGCnB1LS%?3VdbC5;-b>37_YxW$C_PC$7a69~2D-Zs74ia^>V@RsaqUd0-^9<&O1y1c{r)9qtlqJK%2MajP|^S1TE zfUP^ndxv)K2*%HuTgBA3Q2c41U&}=1JQ2jXlmEw7=K3oo7rzY)=aGT_4UFEo0tTcm zjMz;AqllpgQa9jSm3!`dg{QgYD9@7eqSo|&3gare95I&s@>O;9IuwoeU74K{o$0}d zeY}M2xw2=Z-5=w1CTFkB>q+yg%5_amS5RuS-WA25Tgj&r-oGcjn$>9m z*_Sf@M)?K&#JxKF7FXe;H5`m5fr7!L5%g-*>Q?-DJ^lUO+&&*Zhq*eq+Q`z-kKBv! zV) zpQ6{{-S{=hk&C0-`}wnb|53kv-k7Ui^Kb8p&CS*8K`1@}8>ITdQhpmkud)gxp+%`& zmM@I8bSFuBBQ7Z#2T)IyEP2#20$L_RD>?l(l9($yJjzmEJK>qwb%*BBV3K=7ocrvE`9)O z*`ib{b;W{DZKftgn+Q)!WVIDFZ4DN08S1Ik@v!P=9UZ?+fI)#PhpW&H6p)E6(pqY( zWN3i0C%z&pD=S@6v!ku_#0JYKk6AV40u?FQT2eA={g;h&8)wP!W3pC(iCVg;Zz%{R zdi&2o!Ill1*Fusp9?T2PuurLx{6I1t%;4BZn=qp<>^^282x!{cbWg^S{GBte0drud_Bt`^bYAj**%Wu&IT;N&`?af51 z+bT-kUsXGG)fY)se_xra)a2pOTRL|$ig16*B#NvaK;f0SlFhqbi5yBW#BT}U zeZwN_#6VPr;f^&v3!<<43X3HAI+JL@m>Re>0-sIpAI?xNfqUQyp^@;JsQ-bX^@n)^ z3CtG=oR~mERhuE*t2A4b?l~=3ObddlOAQ4oL%FZL4i*)KfP}MHbzmeC$!2<|F+wIV zU~>JmqM?UY8QDSFPEZ2ro}&GWyY&nBpCb_gPYo*jUmD2I^7@~h3~r{T&i^?49;@3r zFa2L&N<;PvVQGUYd2+^2PZS~Ke4r&WX>&8j%J||WT7rD#4a!*H=gUpbu3RKxDZaLE zy{mhd_s9EH<#+$AsM#E`9dRE}!`1UU!yJ0NVWx>vfQ*2I4DVlKEPEbD&Pa{~gaofU zEyMx)vNHSG?KU9hu;Ztxo*&B;iFq!!;<%wSr7~lSZJ=N7!5Nfd zF)_d9h8`B8X`c_k?1LxH8^XzUn&KenQycH_y_yGfb`UxUK<#Or!x?=Khgfg_f>#e7 z=)`1HduOnV>8+mW+Iig^65{96#oNsD?alq$LDic7UmU(S@6U&kmjw?e=P$aio7bxh zgPs6rb?dXlryf9`D?mz=u@H%|%y})nDQf!Jg$6jU<}0s(_x0TjxEfw|Vfs5C{)vt! zWW3HQ9j`|W?&)A{HE0?heMsdhTo6hor-%6v#+G$!F3v zdZ{Exc1W?+;cLJS=oGp=Gu33S8HnkFwuogku|O1aZ5-vjtF#u|5}M02>4Jn0o}T#< znW$aFC5Va|X!i_&ZYUs#>JZ0ic0}4x_$Cr)d0!7FI2fKsR1XWK(2?v)gQbZruq9VQ zzb2pJm`fF`M@yNPP?=l#jg>~5`3u;oVo9QYho&04)=NUiKDwV~CK{0>ObJP;elWXP zdnG5kqT))To8VVuBLxtiGZ+)S_@V^8nx+;_m}12NQop=2K_*hZNudr;eFt zw@5|vL_=rVY>TLFp-;J+s4(=*r61~jFhrm0n=z1#0bsM7pv=$Fe9cwHYSat>ve~_K zH|EQ`5Fc5nMb>t83PJD1r*LnHS)hTMjDGal(c^t#3xDY(hA@K--QDNUx58-E$T)hp zl;_u6J%X)>Vvo2G;d$e5lu#erf`TcoeO}iqn{_7;lb6-W&&l_}-PsBc&|c&i$Q-v) zBMr`a?Dn6ehJ|j@bSfE3GOx@s%B^mhZ~e*N`hKw4xApI-Xv`||P07TfIWi9DGHx3AyZ5 zsHaqt-e9r0975M%t;e3IJd$hwbKVPUrti(P1tW-ff)OeRq=6NBvyn&eZ5 zQ=ipw+E>+?sIr@;)I@Xw4%WFMJd%_-BMv*u@;Hw|_Vt))NmFt1PlRW-hWf z=XPJg6D|05m2wksW$IgO_AH<%dz?VNAGT(0jGj4CgTa>%Cqk6 z!{NGWKNB5two=+kQHrH_h??GVUJ@CX(&AObElH?}1|4nY3zh?CeN|mLZ-mwO%2CgJ z5;jz7Gr#?cAJwS37t8>z=dscpq)N^j_oZRbN#( z<`nB4-D?m*`UB*K0c@?^-pP2FX}eRT#*f4<1U#1u$?TpiX>oA)>^YlTBHhEBysI8f z$^@pOQ|P1KGlViA*oPtn>p9jk08t8znc_@pn@a?7KKFvqZY;v<>^an2oIpPWR<8hoa6tXa}Y9{>R?!N87V6JPX zJAM2>3Lt(6^i}8s0!f8&;0D>~o+41H|h` zEwiXWy?s;jUReiY6oL0gJzGrCI?^Te!4-!`vM<7vM62yvh_VJ{hEC7hkoBhu)K5%x zO-87lnZPbQCm&W&%B=k+$?(aPpUfvk>M6)Fb=Od(8x1Q8HNR2iVi8WddY1W{9oA2Jm%*rR5dWuuU@s4TmQ?m{Po4!zDvgs%5{p1JWo% zGbg26iYoYm9TbeE4oc`2mUb98>xBo)J}7DCkB*X4xCES(5{_aPcvdWLfydsy36+p9 zjt{)**|1W-h~3(P!*4PoWrMw0Fka{Low1Sme0#qh?2|afJWz$`3(C~yqWopt&Z!2q zySRf8>w8>5DI53__XEHJKnQRxL!diEpjBX7^gs^o%Tb4Q2!G}Je0-cN2=Cja9y*=Z z=d>qXXbE>;LZr(MX)8~^&t<`${~^YLJ#*&KhqvZB3$7lrI1VC$GwL9`sUc~q*q&2X zIk&$JhETHf_WOt%r5{VW%_+XoHVSEJwFOWTKu{$O#cAA!9axUo$}J;t;A;vW;Kv`0DD~8S484Z@zk` zh*ndqP}}BY<@ks6Dgkin6@(Swd zxyp2EO&QCwK2QI$hMu8SZD6WzsyX^-ELGnuowqUdKI>mMZ=SKK+8%am2^Bl?qk#{~ z&2pu_lw#gqR+Z{3A#QWuYYyszaJFur+%>~+&dH2&@fH~|HI%YP-#Nen<;s5^YsD%v zc2&{iJP|tVNMA>_G*+^>i39(k1UiHYypStJoP}i0(cx8V* z7%zLbsrG4EI-^ioP^+@&PEyuL|2+b1+bjK8zUd7!12kdSvL-q6gz;4P9-9Y@`(+&R>Nciu(@K30T z(>lk0^%0L>!(X^>^F_U1sF98a=Ya%kkxO z&8cnvu$j+?gNq0AJ*@2d#yhabNtfS%R{><>0m=*?|= z_FRb?Vlve73IRI0X6uw*>p^1naQpiBytetVaB}dy9?!no?Y!CTbnAZ(JpR>q`#5<> zA&FJ9vtD|`ciSBWWTBIcmaF6KZ|GF1BABRH!QkE zElz*5NCkYQaSZ=8j87R)3A^@DDbc#7Wc(JWJAkUn>$PGb1T0B7ZJtk|T>wXmdIO;n z+6RpbOq{2fVusUv=~OEFWKv%!h!L4xrEv3_>e5w3{h6UfRr|=hjp;$*e?$;gz9Ybt@F=Fz$SM(OnIW{JKiDVZZg0#?4lcQkNB5`9; ziJAcqwQ_B$#eSaj0Iwr6=^0gtGE-*a#G0{`Zw?Y3&F|ovZgmSP5r*_gN0VZzY?%pK z$^fODWJQ?0Q$2h#foa=QO}P$CSWz^|G;`s$n5Lm{PbFhmp<9Pc#@ZtR-vs5_XH{vC zUZZAoOj#emb^7S;@j0RN#O(#jKj#Lu`Pc&xolY38P`_C#twh;!87-q{6^T6|M|H;+ zAPO)7ribFCGz#sK=6xAy5-s)HB_C;#x<@BM_1SQn{(i2$@QYcTu3=ZA96*-?(?@{r z18Lfg@(Zi!biCwnvJJLhZr@an2d)|>jIO5nK98)Fd1^O;Ulq^7Avjbs@sd3H8qR5q z8XD;vD7?zK-e}QU1GkS~DfR~tgCW46#wz9^ar}xz-2%JK2fL*!`o_qMCO^Oz-)=qL z8~T=O3@3Z=C21NoPTn}au!DgWyYi?vFtaXsm)&YGV?jLs^yyj~*5bEamYd3^%Sru> zWH(Dkt601KPW$E&v^UUnJQKQaa$64#ejoah;~C`B(jl1NgPPWizrcW|r9uH%#d(KI zQhJ);Y`012cS48fA~UzbC`|!%^gz0?<3YOD3A-0{-b+CKNVd7rpNg z5`^_~%a#tHiFGQ9H%%z!}7 zZt*(P;;%#7-70q07#b<~PkCF}uNVu2*ORTB789tP-wh=uYFpb4Fj#ZldNW{KuImk~ zDqTiaje>engYU}5x=M9AJxt9bdSFt*0f_EUz)pt229=&FL7UQ%en|BuW-z^yFrcni z{SA}~Or{k?GT#E^aiuS8i*}kAJMb61!GZ2>UI;+Io z3VXVucti6`nESBR-(PFxIQ-v%-W(sVK{4RNj6(ei6tiK zp7@y^N)we?OhL;}@ihN25!>11o2W6YZbUDQXv0Bb(S_{y@Ws4G zFztX~l@AGAreieUuF{_oLl8j(fE^5W84^VplbP1AYteixWPxmFFarSS;7Czl+bB{I zwUg7^(*6{RD+4bx>-*&Jx>f&voM7+fZ|~?F&&AKfr`#72`U6BLdhUhW?gD@~;$Y#p ziMRVp@6-h0*m@IhKV0mBDNifQznLAlaZRym&+`-c6Wn|>wb>3ExyaTlP6|y#5TmqX z&Vb64Wx~ZCv#Hebcm`+GEI(s@u4ljr>->=P1Qfa5>|JJsmW(n9X>$~*8VHnVslT>S z#S$%rn{=TAML&@7U=+MEkkkulk5^=djO&V;4$*a(1-bs>Jj0-d8OU!)yAh^Shk)i9$>h_c zxB*@($e5ZQ3Xl>OWm&V5U-&f?{rY)m&6LBVO`LnVg~n>Z?*_itHPYkZMj+Dw&nMdxAj*o z8cv7ARCdqs5>xqOZI7&UW@xpipK=4Qa)Zq_?!$YIR8#p<$Zr(W-txIX*Yi`c5H=+> zavSlKRTiPIl&^(sCctO;@7CvzINY8jMksES46Q69Y_|9q%T7wVJJx5G#e#$t*s@wM2flB&&#gsx#C>LHX~<5#OJxqK=N`*bCeLFDmX@7WATQ8SQX`~eFc3@QCHwC z;h<`uvOqRU(~#bPL2`;}ft;}=0Wrp;wN$;u)!eBD2%$#^_wxfg;Ap=S*rp<(0sCxE z#9d_*$`XS`4_sC=SB!(`Vst&Qfqi%}l7_VDl_u5nSfp?Y6<0|c1fzN#(RmojC*OO+;Kiabgm;)AxEfF#M z(-E)?e`g>i-(v=(nh8+dnlg%KHW+JSY8z0=55fDlG8QncN^%4xMZ?Su0vvIPBj;l` ztGZ$X4yeZdDYFNsK-N-qwq>neh8k>LWJ_>3BwI)r2al%b zJae`l6y2{uCDO9dn&%5JbF4v7Xb|OkB#n8AB7?z&gaaC|@dY|hmg8|t@9)b&e%30? zj@sP4+_*QwaYu|f4pYK-H^R(8^=wEW9#B+96!0?5+kPZn&6UaT^@Edg?Ji?>FXsm- zP-Z1=+H{rLSrB4%UI6?klWE{zs22I|sZt!P&kvpkRG(^*@{t-qp=I(lJ&9OtdS~sW<3PL8od)n&XW`y3@+pI{YKO)R#$x`c z?1nar2Ib8Rg#I51s0eom^D+U`8vW|*r4-e!H}w;bjjG1X;4C4mnaa!~m`{8JC6uOE zQ+^v_B|wWR;V90E)$Osp_>CqFV0W3&6$HkSpe0HP1*dHqlM)$4tnNQt(LqovsHG+v_1_GiGfXHX#t2X8_DX4j3 zcs_G;YVU|@L7ed{2A!e+OX_BnwzvV)(S_8ejRndY5@4cuN+S!bP`#2&17e{NG8(_% z!a8;OtykazOX90`WHhfF4AZJ`99`fH8`m zX=mP(QJHZ$Dw~tqz)zdU;y zaZD}Qp_ahhj!+2|O0pgjn?a}{xj|@11XWx{Ju4)EN2K4?08aD`&N(SM*Xg$|?6wEu zqll?$+&&?zQNv5b3f9JFT{1(5lacbRG!4j|QT4m4ZF|S=z6$RgpPBLF%gf_0o#B}( z=OxQ&z|gvB;JDwRRznl)Km26f_+tuK2%OBiZUM95)--}$zl$A-*W>#Fwb=pBuAsb^ z9~0nR%J1|sTvru-&>|lZ*dsz@q|9<2S|k+HIw#gS_vX#P$LBgpCA43zC8EgA1m0;1 zGrX0Q&I{@Y50&sPY&+3m_OKSjtr;)JnIh-b>2wWxv~Z&3Vx}Bd^JII|ANnC~YRPkP z9F*F36q89?MwYd`y2JQdt=9r)`HWoYJkJ?$%z&3JC7r>W(@=j-qSlgL-w5Xv3Bdbj z3F%Cad^mU9UHO^bO;6{-sNW{~fxXRVjd~9>0 zCK8r^^ocuq)FwN>vc`((RRkPLO{c{f_t#)PcT8^hgV zA_J;P1!;Z*SExItd(IYi#%h(cf~K`$arw>^ZD91Gz(;k zVoP7_v9*@hp)o)1+yv#|S8dsb-8&3P79cObiD~URtj>w(4;9^qFeh*J7pO-_DONwN zTPfeXUjMSrnCBo^88zZnyRxq|n46RjwK!O833Go%%N zD#`n6<;36C1A`Jr#~bOVlR}3^@6qZdzQqk0rh3@b=34#;u+o_<@0NTQ9KPk%n#x$0 zhmg8K&{;8=ms*+OI9xtNb~TkH4xL9$A?bC}X~D1|bY1?Z7@BKR266lIH!6?)Kc#lL z**RJpvv}D3v#v(N%Who);X6;hVQUUSVIclUjteSVVK4b)o&?Cz0(6+^2}o@^({n}A zBI(+<$*K-NT_Lk{DQB@V5}%p-I_I@!&8y&bdV!2>38F{TI(O=_fO^HLx(L2DZt~>n zs@9P_PrX);aSL=#UMFsDwtO~%ligdYTm7Wo^B3q9=drZf3QL2f>3s)3qI5I!eopSQ zV@K8fw#D(u&}+$dFNcNUNYAelRewqjw?AK9+#Khu&>@?<&BSy)R~z@a-BXt}pTg*0 z!ws@5j};R(X-v&Cgdd&8qtS~Aq8WIn3$Rl{F{k2DtqKRr_TKZ8CKzy$C(>|)154BR z{ws8YuUKNw5^kH^`=_M?5{Mkd{$w-whVFAVT%e=UrVE&nhlE!|1q;Nb=NgH#M96+% zt=zGH>0q(~?F*;`5AxbkU{O3qI0cva^94o}CEyZCvL$XL^WXG?l0-uW0!hO<4-^;j44tUabXs*OJz(?Ck=Dj_gvxfQ_bN-3uzHf zi9*}XWMOW@{9}PU_x> zuyxo*IM*R!H);!}6R=E%q_?FQRB&DNCu8N5fqZgnSvAk??<;>udkU^_Mf>+dapm4h zHg_>vpb~%8E>k)6+CyoOrRsBO8$l(18zpfkBL%@&7A#^l04H3OGN_tPriui&c{TD4 zpG$<2Xj6MVt_wizh+!==jUSALnDl@x)8*6XM;|y(S^j#WWx@?=I3hbrJyC)EQ-MVc z`%7!W_tCj;e&KOXF?x@-RT#$Zb`xTV82UN&0|=8J(3pqX^#mcz{to1&eqr!h3<0~v z8W>Rv{lgju@d9iE=sGo5_7%kd%%y^kx*zz;4A|4MSya3XZV?8cXhZ2*XcoI?8SDm0JMr#`s_PI@T&@ggcbkmn!)&Y z27b5*n?V$QxNz@40}aZAH_`2dR#4JbZ$hvUe|zvQ$+l?Pr|ot1XDzhTv-Fcq4-EEf zP>p4J>A5l-wpAs)H(k$UBRaml)Qf1>P9GA!r_$ik25tzoDg4a+E!j{eb0@f52HmvX7b9YUR94^Zh@zRR*zy@v zAXH{^Xg1g;!aoss0z1a}RSx;UfMvB8-t|f|`UK_s=6qosRs8@ z@i}-+)j8GHoev#2LV%jsBlb4QgH{&keSa|!81dL{-yP!s$_=uA{iV*D{b{%9S}+=y zf58$TmyFv_RCjy#M2YO~+*nE49((Q@%*t2mMV)v-nUr!*mfjb`n@O^+n4k<2hjNa# z&++o-Z+cvk&rhsFU0V)7E5oR|RY|MBH7Rg+WeG4E z&t)@lK+gk0uJN>LQL@KviKcvj7SSWq-I%Q7YE4n1R=9{ATN6|Mk_Dm(jQkv1}Nup0m9uU!v zzaT14g=o25s7M}|k@RDU6t02g5if&J+yr?=9}oYq?;>IazC3yt%{Zz{vw?!U`i+o0 z5n+@FOf_M`!9Q%JZnQ+b97M4;^&7!JF4bs}OPMu=>T6N?m-qlM22!&4VkFf0mQMB? z0c-5V$3*qmmUQuVO#Qj6^{Vid-al35m~C9))*qs6^M6#CJq&D(P2B&TX{-5HhI_7_ zLrDzBjQ*Nj1E`CEwM}HLRVd*}BkfOyd$Yub2#FGL#cIUC&l)_5a^rod@lu#S*)<;C zwa3*si>?cEQI`>6m$q&|#wE+Hj;Waxya1Jlx$4^jO92raQOd67H3FX*BhJHH*o*YN ziUst6wWYsix<*!}U>i58Yidl6c-!#FJjEVhVbMY!%S=09l|OyL?lG5>6+BswI|_ekAr07@`nDB z$nVNph#pZET{z=@C43lXClm4W7={a40*G_rSYJrj*(!87r*G|>911^ z`f&WZH9k=Ba(el`9`km{_&+w@AMUaLobS-g%wNaJZDThc?ABEnd+*&muh(w^!qCM+ zPZL_uy;BD|xf;~raM~Ub_!}5QG`CEap6z zhr+^c?-^;{kdZ!lf23?P2xw@~7QOjnf+<5rgL`buwE@Ty1-J%4B>@Y{4DauA3l^@R zaZF(dbUc?Ja0YFEi*^w$tu2m1NDejL#UZu@WyHuh$FkNQy(29}tZw4XfNsuv)Sg~W zJ)_-1fT!)?6VqrEApIoL{)yS*EFoo?ImOh_^~CjeXrXCArw@_tjj?va{iSndBPO{y z{lp*!EG)-@k>vbM1`}Bl3xx-a>%8y*t}~f*6*OKShw-?mW5O`Xa1~lPCzHGx%V73hR;-Kr&&{huqJ~jf~&(kkzKa_Xo zpVw3;JJ%YNlFX`l&xWn!qp2_6t@CmmHDvDiVcY7&Xc1AfUJ*mZl&r(yKHg^th-&2A zMhmEVI-T95GQ9OjNPFD5w_YUJ>`J?Qj$WZ+8n!;$`Q&}hGYu2czv&muqMCWM>gIQJ zM0rM@G#fT#Yf*lsY?t^&)v`HhdljXE|E33eHcZB`bN#NZ(b)E=1>2~-YB+7Avi>Ce z#89v0s1}A_esKROl}E+$9I-$#cy39*lti6hhIE?@PE82QdlPmX{M8$|=pnuD)V5YJ z^?uqk?j_A4@nXU~6%OV+wPO6g0z>Sor+df_}78Hha4t>g4PSorM-EESiSrQoiRXB&%N$3tYJ&g=VFVjoSNE@2fb5!u^T93`FzZ?hs`-BnMY~l%3FQfkW?y3I3u?t8ZskUC#W=dJE;n zx@$U!b`eKulxgMGv;R5j8GEhxZ{(=iv10taK0f$&#S2}n?5EljAqb?Ze&M-NLIadd ze+NrW1i1pL>zf{r*Sj!PUQ6AzHZ#VzJMj7;e`OZ<5*{JI%*DZut#RBW&SOOE$9K7Y zPqo7*YkHaN?LjCU&kbk_bm-4>zyVnaKLEKz>Dd;8Ob|A=A%DTHD{xLen%XD zg+`zCmgCgpKl)-`?Ck8k2q7A4gYDZcg79Bez}rd@_1p z9rsfkd7C){TbIWtW1mU9Vw&cu9rdy(Jxc-aX!)$UWrr~l4WgGG5W^Vpcpspp=-UKb z*3lZ`Aa>}N4nlBf;8^1jlwuGxd4&|dQ+2fT1x7}zg9ZzH7|)N?MYRnkqZnS&0pRQw zmT!=4biC^X)lDR6>~c}_lunj=MQjPp7vk?xpCo=I_S z)?<@tc1&utB^h7clk&3_z-8#fe0>2}CNDJB76P6K7$fW9G{wOo$lTwW16xBa5Kow1 zitDeOfm4c^b)HV0+d}VDcM4WM0jhvt^muWTU!0v5dMYAq1!SajOm$|74hq6di8~@y zS)DntAEC~j1bF7YvU?|WO|-&tU1qEUrHjvyAg?)3Gt{WRhrtHHn5d*hXG;kC~1&bHI;Kn-GvBZ@e#&z z_U)-f9b5}d3(L@;&djB#sgy%9JHM{pQsq=TyqtJ2ZilN4?IFm=<5?{^ z$c_!&zY^~}%p=wCOPDqTH}wc80Bq1wZ#W8yok381m5({Sd1^^s<$Nv?emgY835Z6o zEP{i!JZ5vMTScS=0YB|WR0PNtKO zqbh=@PBUk$NtF)sRN+JMo{iLSx$sJz1~y>uasRFI@SShW#&{$%wZA3$4alLGW_gKt zlxS#D?H5VeH`TntKhnG|#ckE{n2fz*4;ksKdc5N3F`aFv&TMxia|-KJ+N7q-IWLvh zh)u+I_3I<%hW^WH$S(RQrv1P$y1fnI9cyH-CCW_G>VUPj1Mm-r6ad9#YU?aT1(}-% zj1G;u0F}i#7t}^bD&!x#;*=~+w4t}R{D~gvfG*yF!!b4kt?*Cii(qJOvHeM&>ED?W zSDed!$hh-0mnwAw8kdz_!iDw?JKnKJHki*gqMgBXy96fMu3TJEU|2@fkz4);s$Y7A z7#JCai{{wl`Bo@g5|VNOL`6?vzoaH7Lu;%}bA73UAJZynRBx|;Yi|~cw7g*6QmG$j z@i^s^w+`8N1?A)@MWEHmoF*lE9=9hUr>wS(l*r=c#<+-t`5kZzC_{DUO2rbRZUpuK z`NyEkg{=N&Kl{MyDP^dwTgQB1tUC&ScidXezZ(~R`Z(_yFH-45^8Iqr;I&p&V$U1& z@Z}|*udWL4l^WcnOb|atPBvMeRtwpQ*y`Qr=#D(}@@r>*OupdRP*!klx*4 zI2lL6o14r?0i>h7>#e+I8ANlT_&_t`@bxWlv0beY8Ij&c20d@OiBy|Z68oadHo+~K zJBl!86?uizpWe`i1^{8|7u>aUxo1v`O{vtnJ~GXm}-|21J8 zlQBLz9Pq+;GRi`z#&Hq`d;d1z_nbYrH@gIfNug*Xnyxu#=QW*Cr`aGiVt~kNme16& zrtfE)cl%r)-UI1Zy0Hr_UFU^rl|5`vyp^immjRBl8w1!WIpzeLlUYE>ySy}OUD>2A zmSYU~U+m|u_iOmyapYn6a`HPFUgG#-TMR;R>1`lpp&E0jLh8M={ihuv7ztAb!D+&# z840BL(K7tbClrR&-Q(#KH1f@~MOXeTo{;mu$Gi-e*CRxB2IkgfF)Y<4H(c1_y%68$ zVyt@O62iY-hgka%qBsiREKiBQCSj@`n~N)qVWAMKUgCIq7c;}nnrgwMJZ{Fl6-<;i zJydU%*?K9g0`?0kS^6@Oa1;4NCX`J+^m{G&4PTY|gSwEm9%Q_#w2i;P{`rW^lfaGH z2L=Gph54U$<~%K|?Ho=1F-WQH{J*hDKVIqqAAqSv=uwx zRLdSpI`2HY;k7u+Z<@&!Um9pXZj%{^%%STWuYNwgE$^G&ZXdr#gQJ9&XWOR?&YAL8 zK<%_C8Iky8rg@??&}g_%oUraNm-_gz+fxiY9D*vEsC!m)Ci}AHok& z<3!*t%3y8Q{PeY02aQ@9BYoSxdb#GS6R&r2X5Y(?%`jh=y^gX1A-sEvN$H9rZL+=2 z#h=6k6PE1^459$78{hcrFX*5;dciV^({~1#Dpw&Ds8yHHZh>${#KuQx6|EOByhS#w)^t!We;ZL8Sfscg`$*yIM8$%|G zw8XjyQXjEPU)em-og2`mB-UT${_DYH)xl=M*`i?bm<>oqPbj|kMw@SmJX)@}==8rS z3A7c!KTxmQ=R)%&YyF8L)3I^uN2@8KmHLD|@GtiTd0s@{bUNkWU`- z@UwPDbdxPwsxg$)dN+1pLCTlE&#(K6`i?-nf;x#T<+mgGfo*y-*5Ce8h%A&vo^1_r4~M8VNwSO|9tr zj6;>eikavXSz@?(dN&lbmbTY#ZsDIrKM{~xwSPR5X&9%j;rL~rwkdP;vk)!f#1XR> z`doxGQ(h8#)qX7i#=%5kAwFGjFkje*u;<8(w%RLmWjFG=7QYu`U^1z+O(jI)T9nls z7q~ANjK#ikZ-OQUWntanchPKAmV94fk=W@o$(Z+FF(y-C*LJX(Ai?A=NkuwEc&%jR zxGr?Ep0UK8FWa>5TRGJvFs|^}=VhVX`X*7s?%^-^``pn<=Xf4r1p*g+qyj9$VP=D{ z$eP_7B(0y#rMP0*-VMrlBS${618*_*Y7rL5E_35BdvU?yAY#L>$AMo{17E4eSTTvH zQX^86vXz3{w%aP@;d>=G!)|hZ1N;*!(7CBt#(xMW)Sn(K!vFTcZ9@N zEXm7R=)7qm!zZOMJR4ykA~FZL``r0qMR2g}r&$?{s;P?c`~r>N z|K1wW9z9j#Pzq03plibyP4Lo$HtbQtPdv#zqHy&bLV`( z2b`jjV4PO2i&%3?tHUu6rfiF`#u|^-NMD^Y&Q{-OF@?$WY;#D|)d&M{xduH{#3FTO zO5SCi;y&5s8XG&w*KHQ<#69+WRD)!TLv!7LEJxH|c4^zlBt}yOv+z32CSIX-ChZ3D z4I8S#AZx(P-Q64~0qU|B@YF~oQvOc=u@sJ6Z-WAaAw*7z77EBZD+44FXaC zrI=&96=ZToxWJ?7gsPyjSqMGap(GN$rBc4Br_1@O799lxJZYy=2@FweiI}ir3vRug z!n$YIAHO0Yk2{{iWhZz`?`C9{4?OqWK-|3$67Px&-lc@bRBZ$ z>5y3P_QVVprm%e)c(v8xt}xt742qg3mqTli)K5`BFpo$#-yGCA{;} zG4YebQ(zKb4P^L6(Nl)buJjDi>gDgY>Gr8epeLqhSa6oMhswWy(?zZ1*eUc` zWYvWOXwXy@EzqC&>SndHNu-}`K(-yBl=TM4IU^`}qw_0|(Uh7a=vW4*h<{02JD%|a zk8IEg1Xkm=SlAlA(`lsDDIwq%5Mf*>E#4m>;Lrx0mN6skI&t`=xE zR8DjyKSuP`_Sl{1wOp`(_iQCe?=(SIXJ$$3t$02e-x<2HZGw_bICl2mh|G-OffwC< zPc6%_OsNW2`q%3FGdeL^KTc$+UnUdGc`VT}hR-kMHIBx2RpZ~WY?25Ve?4w>Tpo@esz>B-Lgf5fV^*+Pr@;sjs@C1T(SlT zlb4uzs&ng?p14oO?n@w9Jkehxb&}+e6rlI0HGN4Ql;e1^k`V^sW+E1bEhis(lrKt1 zeNs~A8tIi7lRHpNEih5O(GMw202{4)*RiUFa{V#Zsv4u3qyYNhg|Fuw#*)V3&X?|a zbe!XirY<`=afP`-u%?=%^R(szdQs8&vdUZdOCTC*ccSusUv}A=I$L3B3eM6r_xJNB zua^1zEUA80Q~10s>`@D>fy_0}C#q34EvJ}Z0W87diD>wy1SrzbQ>6aPv4f)Fk4= z#%^#PUv(S~w_^S;jPGQ`WYKQczOftDKmqnlVS((F&UZx}LgY=iV>0+52?*T#{S#S|;~Pu%A2Cfh59laGl9V-j=nSL{oi#CB@%{HqLeZ!zYDhC`(z zS3FJ#?$7aG*4+DgX8Qa*9)+0W+(Tj=B=+RrZ$^L(lTGMMcjG45w4BgQ zK*7E`#7$|lzDHu{z`iWX8Keq1QbQOTP%PT%WLReFfu8%A&L@;#AcA-qc4V1fK2WBS zKx3b*~?Yz+08iLFD0g~HH2-6v%e*__8ksRDY$fZPAB z+c(rVB8B~`6cMIEeTli6j&K3m^Oc?7Mk|M{FRxD8opnoUyY3>=TnKH})|BF+Jdv*y zS1Q>hOkg`KkEjsJQ3fRfc0HxQ4Ux9jrSYc?|1naJBU9Us^eBC+VWX;`@W=9l`^lQ> zG)?`9HCt&)tix@iaGR>6B0oo}3UWx;W#gcyt%?Dp>*pVFr;I!K67GTu0$C-0l>Eg! z95Tq0JlEx{9lE0(yLqB9JFrGtayo~m^;c1gSDH&-Btyen8w0yfe3T%B{Ig6Ymb6MU z)oFj!d+1EEEJ&}nD+R|lML{~n^o&4`*+s8tS@T?3j#O;S4mX3e9&2P*3*#9#Rt}y^ zaiiq$MFYeXE6(+GB@m!>MJ2?3r=xO+D@_>e*#rN_OV?AkIE%Gd(9(>Zp!r?qbKc7RppebO-ad+eqvXVOpuWrj$R#&>O4>SiN!ql*V|lWLC__gd-A$RkLt}#)rUROyNPLD) zu6!vIzfWNzdsi2yS4#4q(lCCXT-`10;Q*2w&$fI}VIOZjV|MWK$*aK;VUMyhd7ZcJ{J1Dsltm_# zIrY7ss+-)>$I=&wVY4knb-Uyj{GJK6vHf*%`sfrqhFY<~b|Gy*p$> znt(RzS9`mAymZxbc-9NjRQ?nEhLn_6uYL*~W7@LJ5DbDL6onq(B{t56@ zcv#~2H#N|9I}I*OavBeeB6eLE`Y~a3Rp7gt+#uM0Ii?jkMeL}-SEII|GtfQJO~}gh zW(z;HRglKpMB7O0frZ}W3b%lX2QaJ80fr(wOF}Z?7W->b+mfZL@*SUQ9AfMk(Ds7F3K=^n++j&2GsY z8{P5$n-h8&N`1W51TTyn^i9G`77xt%Ff(*z>x4ZSa+}f8y|e#=0x9 zIdmHLwl`W`&!v@pV+0jV)`KX=wQ-mIpXq3^GDMpeKgYD_=a^FcUyrGgfwi@biJ_gd zy19X~lc4=Sf+kY_b!NAJ&aBW%VS>U_O%Z`WN~nLUWf%fh(q9tvebyG)i#f*8Z@y#o z6w7AA9mkIQF0bp4?)!l$=d;%z>v68YSk3Ybjj~iJ*o;P^_CW@VJvMVuhElxhS{*SwW1hX4gM}FE+*M}W-y*ugk{~ zwEx-kcSHatLYep-NBm&^_`wj-a%hH3-W0-R-7JVJ+*^JVfj|wvU>$sVDO1Q$EHiFw zXq&UE2jl5_B&Rym5DtL|zZbwf0Fgkp>1v}1wgo3Ww$i6hnXs}kAv911q!D=B2@&(O zygjn^Gwbm%@eAC0-z5t6B*e!H5Sf@kR9m!IBufhvKt~d0Fb@hota%7vTyDSsjln>- zE}pSPBP4Y0pLSC1NHS^A2Wx~|L%<8j@1T7&wR5hzS_$R7vt#a-no8_Swk-8E7segI zGOlMbwF)V^sl=_~3IE|yimhj!()O;-6I%lG?M9}!DnnI;vZP;7#l#krZYq-@5&jpJ zjhA>IfR-y_iXcyguF%4(a!%gcp$$Y|qo*N{uwMN~w>>&NZhrJq$?I_=ZhuGo0vwCO zp;J+?I7%?csgBw0)p$0R%H>#{Hg@TaiY!CDb5U9nh0yQkz*#(2u+o!bDtmGfFaS8~ zH-cTeyvZ=ovBJHIW8*#!&XG{?n5P+><9NO?9F=K25?9#(@5n)H{h_U*A=2{y7zVGC z{@xf6B?+LxJd{`YoT=tM(El4f=^O`F}koEDv&5_e|ev-3BAlV)9;$bj>x3K0s2I6C})bZiP>znx2s-L$GW{; z;1+`GvAe0{_fLoxiPFI1)^AJJFot8{bgi7g_)u~lDA+Wh6F1twS2NtypMgskpAQG= zjKB0rnqWku88INSodf(eY;(cv-NYg9b#g|=!BJ!*-~T!*n!Xr!47S^=V-Wg@fVN#@ zjZJ*GGG^6u_M&c+QXTvBy2{hh z?GQ%20z=TSF$Tl5#I;3Kf-zFbZL8zYtF|4z5JH|MQ2$_L!7%om;-P;_#!C8e^R0x@ z;|b(n9>GUXr@yLCuO*;>g*5G;w6Ya6ylIX~-9+`))jp*LW#^rM2>UUOoefvJ6oqs$m4CgJiJo znTF-`f2o6Kkl$c;e?>($&tiOh5vM2DqU_e=Q1^mrlOV0u%?nK%-STe9#v;n+5^Tb6 z4tVz?X99Z5c_ag^=!d`|;|z*eWjQo}+E#K>n_8bh?a3Kw$cM$f&`O2TP%!P)gr+#H zJxpcLTcq7{|DknrZq`_WN?tu(mv4@I8nn!GJe#g}Rx__gvR5_yW^+(K0g#V!Xwrv0 zJ)4qtSFa^6S1%J^yMBJ#!4_~3=*=ggocg{NRK4PCRU?NJEwqq$-X--p70Wi4UpX~T zgCms1%8){_P{T0cSUf%9zZ7IYmgM+t3Sv+oC)kj`n1W}K&j4Akp2>?G(nnZtiJl)W z5%CtX-*F1-?#wYdL%EJH3{BoR5M7Wf}tYZtK_V#v`aMYy^C(S-j!~uUbar}GZo!{>2M76oq;>vv?~E;M&72La|1sR8{5)dT z84$i^>e?}z0~YTZZ5M`vOKXjA&%jg#t16X5$vTpw^~D>8COf~Lb#x_gA*|3JN1nEL z-DbDe)P4R$s;p*u6owdrTIyD)j42|FD+C=xX#M^K{TN)+o(uuPb0_)c!N`@1?aR?f z`;^xcFKWW;DvC=G0b5TBd=H(`_&#%VzU>%Weqdbi7jl#L{Rv1LB5XFpDI)|m(Q}2z?A@}#^#^}6{2j{?*rOD3FBG4Y;eoh zRP=dn{B15TE)G+9Nyph>qjCnorPI%lOxRt!LiaZGRl>@Loy{&`v(^|KYHz z&MC*NQMQW!Z#*%mySD1Mb(?F;=MB@X0gWxFc&^PBV-jX}`)cE&*U1rFzhS}4Eyq19 zIN!tpYmUH7_`DMevC7HclGDE=;OnR{-O=lz>ORS34 z?9w44Iea)@CaYj5rvN^yu}GlUrU(qOcw?jV6N_PB=8zxRB-}B1JyR53G)K^L)YqO znKP#+Ud%bOym%nprVnm)t@|(P#DJ6MUksEEnHErVx+P=#IdUXxZX^&?NQgzVrBbwM zuZzXcUamsBR5@og=mm}G{ZsvlJJa|bO`u<}@h~?a1WP_JH3mwb`S<_86S(rXv5bF4 zH=7?x{Quxz@qZK1(a_ex=--!&WTpR|hd*jQCMDp-n0ag6wAn!lg-RRa0GB0ZvI&wA zJISj_I;X0Go*DZDvOFcj+=L%wm4nxGXGy22TIC88-5P~@Hjj1N;fm=gklqJ3*69uZ@`;>k)j}@D zbmm!O6fB3%o&iyjqGmClAM737hRD!P^RnUY$BZzDK=KDMy#tGdhXItQPWARt6))pc zZ*CQO1X39xLJR&p{RYoj@U&dD3Rh;Hk}e3G*~7;9bV;Tr0O{@lZsgnZo52ZwL2$P4 z_ew@1!V6CYbBZF&t@XdsAysRxG6-PFP^C;4FiiG~VLIMy&8W7Mm7h7KaBXly5XN@g z(fK{uR}6-x{IKhC@kL1}TWKKiE~g;p(-j=j-`-28lH8z&2Z^!_w#TY`t2vM4jg(yK5tp&3E0i^{WkJ zivw>&hxj_B0)5hi)sd|ileRIIq&2}q!g;&Jnrg41Iw4!4tR_cVE|6X>cYqplJ zEhGEcAMb;Mbedq!6oG>l3|Ac5VV;bM+*Gj0 z27dFzA8W_|+=ih~CK4onV)b8-nE(5*W@2paX!ajB8`1w3s%60CN5${ML1fm37Ru&I z#>f>CsOg75*O6Cia7heb@6+NCfECV&NKadi&sq4nwNEwK8Vfm4Ya;CcT<`(w6iXVI z;E+&Uviji*?FzAIZD@xqFVv`D2S0C7?KnDKFk`@T=|To7c|7xD5e3Z2lMZD`_bu$W z@V33K8d1IR09mtn^bQFW=JTEOa9ztk3k+Z!mS+p1u%*?&0rdT^8$D8Ay%B}qAFO&J z$rixDnq^`!3LvU~2iw5UVi@oKk?+Cu!jBr5TRL)1M2HozQYk?ho8O9)5@bx!%2G zlfUxB-1G%u6BSQ0)JRbmL;_u{mLNo{_mWl3V?Y{%dYS9GA@@V=Sk{jTlT6DGOqPfa z9xO9W<0`eT-O`~=t>!kQPH@lSPsM`NUMC^yKjh4=QFj;Jt>O|C#o`Ic|?Q&IX= z4z-O190=+7vQKuIqyn1ER@>?l+s0M)>_a3;)6-TLYKqR=oEaPi}C31Eat$@F_ye9pmA^YN-ftF+Fnhcu!v<>15_@4ne)Zz;k_7jk{ zKgILE2c+r$f_VPDc4jMC{|lh``l+31VwR*5>kTVXb4~R?sK~;_3n9yt5RP6cz?Y9zD;eo;`8GA;Nc=BhcjZ% zuSQaxzB+NI$C#$d=nC_bL|Q(Q`pFuG*MkuLP7f2r%8N&L0v+Zrg?oAt4*)#-n_mCp=p2&NXIt=@3*&>YE#tZfriUfRS z&B&8+hxjw5E{p&aGZ1{Selw61_A0698;+2C1Y+wdW#ZjzgRbhO~F2B_vLdjlixuD0O0*s z6vy1e$>~4t%Bxi@e-s%gpEbJn6ByaBZSwm*4|*u-yRhmT%w=0}!oMM!gw(B!6c8v| zbuzxUsmBw_(xx{<&0h8Uf$Erpd(=B)Fm*1F^EMF#5 z!joE|%!cQ7&u3n}@U%9yK~>3y8@@oyd<}4CivxXs!Ex&MQ$JtxOBjFw9|DhptMd&K-(e@@*2j%#<|UhP z1q5rhT!r}mS}27l4p!=oFkc-fQbjnSco({miuUf|fJl~|c8Z5)ABj!N+$zL=>apC` zG?6UxHnEV|s3$hFj^3JVd7yQ;dfb_y+elhRcj|&4GI-^}Y&2k3nY~{wr(m&P-bI{L zU$!}?0Y-O?DQGE-i&O(jCy$ZpMTH3e`RW5gDlOmN=FAX4C8M4r*AXI+LR3SJK%z91 zRV?q$stp>+Zm(HZneAMt!S01#1SZLrR7&ay!4VH?pvD*n^liuvaEu`9S)f;Lfcj@7 zSijKuSJS*|VeIs$+{FMEw*Y=hvnGCuza;*<>f)&%56wj3Bf}eq_i7vdTxhh#-tDLI z+v)A&z+2s12ip4Sz-7Thm~70JdT0SW?NPmAD{T@h2$6P0RbgATr+=1nlOth|=evc# zIkcs;t-8;;mS*?#tHqFmZ*AIJZo7<^Qv6L@Rt9bHim5))RSICYz^%AAB0ZvkBYmA` z)^dlr2+lI%l9RyoCX1<-MYW4=+#cYWvI&VrRpq51ac)hNKG|Cc( z%91(T8NN;q!;HF;tLIiUk0on|!YuJui6HZKvN`l*qm$!}_dkCBP6%8$BmU?otbVjs z|D8dw);G8M_XgFh@_(5^<)&4v0+Q(v!n(conhTiWbM~;M>j8R*B%u|JN3eLPjG@;b zrm%>#-Q@sCvwQHci`UglhTN7`LPhIE-h+QZRL^pNT|LD;2Nh?ZhJb;DB*OoY1M2wT z$6tKw(#4E1BSb*2Vj}Z>$jgjpZ)am>|BHJR>6asVC`oIi>;Zh^v!N>|^WQBm4%eGM zcSa2_ZWj@jf@FglB{C_5vsiDb`ERc zDqw)dmoOgQdBX9ic1z9IrL7CRe~xY%xv*LA3b;%2?GO}tK441Vi~`K9ec6tv>_}I7 zG@mwviXz|4^43)m)MmI;y+_VHKuHN91FEDrhSl7~$HMU!v>o4tgJM)}$=NAIHV`v! zR{&lzO3FwGh+-chN@oR~v6!f;1JV)-^udm8P!=_XH})&!<(2ntRwnq1yPS7_qXCqb z-hy$zks4&N2v3dIwd+l@(@P+SJO@GloJo_C!0KCqAOALjG0Nab~)QY$0z2oc4AEE{?Unx{BWR_P5D25=GWdf1Vv~ znc2;c-T>%s&%t4-^ZM+pUWAu(k!@h7M)p5v2gpkSFPW%SAPGVi2(5gFen`_BqQoGJKmNCK-YDB z1ktl>1IL7tCF)qt9elJ2=nyVEUVakg*$l@vkvma6N7+1QjJv*wN;yiAzB_eeh#F#9 zo!SgG_0$=<_U_YG5>$<#p{~OqKp|l^1sr<;8Mxe`5j*x6TWbSuzba4B(q$5h-meef zTlsU94>!+vYE~n*gE2(~DDIm%-@98Q*LKIj;s+}YgPUdCQGAPS`H;ngJV$dmhjYq1 zYb!LbSU9bA+pK8anUes~>JFK5C8AXPL)lOSfAy&pNa4IGWhs`j{4BX9g~G}s&}>Jf zK5rjSCSS;(Azl4y#pBE~7a**@9=iQ%{HvX3~ip;<2k zFX2XW@9-a2fD6LD!2~}`m^Z@z3pDswQ89J4`S-e#t!k}!!1}Mjw?3>X4qMFc;!%(@ zJ@7z5q80&4-^PX$H@1!~JXYvljgj>Eey20xN~j?_L8sgA(p0ypbLQH^wKTQ7=@}ss zFM?dIQN{9^RuU=QLhaU#XG(}I33^vt%C=^j_PedE2X5MiHt=~M7Wheux5bAC4|X-d zr&N*H5+t42nd?s*jyAknNw>kU-rtSn@R;J=2jEc@pf1y1R3Y}gHLZ7*o#<1iY-}H& z7BmZ}M;J+cIV~ahdrTs6yzu54U0YFAm5K67GiqgS7-KT0O4OwB?VK&x!1qqTO!MqA zpIXtm^OQN{GEdoBb)xLC$On`97>i|yWezxuK zvm20a-=1lMiu=^=jjj}x@I+CYNygd;;ExxfXgWWNs6i}Hx*mpXO0Ogl22w9EZ6%go zI97-9FG6(sVsy#$Vkk1oc(V{nfpq6k?RK*WPDxOl1%0FqrCajN{d?GFXJV}e8{FNG zF_pWi{LKE$9_ttz^A-q6dDH`SWwt@6pdzzE9sp9ystFWO6Nw}m;14270K1yHx%4NV z5T-S|z*>aKBi=MHLe*7Dnl6;@eIOQVm35Iy8?(4pHa3Het+DncNuYsutzH#*9SQfB z-xx}RX^KoGv9%Y*-0Kx8!-dk$jCd?7VGIvQuONB)P-bUg^5Q`lyo5AmzwRh2u3Z(v zl-zApG!;2)KCY8^w>tQbZokjvIr`xh5F*1LF&jfXs^-q-gGQLKZFS^VVuzX-f%FBg zGCdSrl}oq~k^+f@i}wuJ!ImfHB3^?n7Mx_n8HS_zb=~t9C57Ul5@DKFUD3|t;;YCM zD4LiD%_GDK^kX5r`IbXftLo;wo3Y{C6I2f zBxiwCD&eY*SfTxkcnus+I7M4rN|S%A@MrOEez)n^bdByTc*Fj*YtO88wOr14Q1N2v zm6l?;$-q|Ezdm+(e82U=(aP0^mBrTHc90 zaKFJ4G`f;blb!kJ*P>Ie2kgpK^44p#Km7W;I2QD8z^6ci<~pRm;<|oBMX2=;g(=u~ zCK*bzM+%y#l&xDG9$q$l=$&?`Q=82xHkS3rwOw5soVFsah9{)SaZBb{Uvc9LRdNv{Dfd+I5hKeHoA42)pY$16xsP*`SO0YMwgHGb=|oKbS^~~FOHU`# zK{6MpB|E_E=o>Gk*T-Y->q2P{FdRT|&D%oV5==GEG$Gj>l31Y># zy&A;y$88JxI=rS=Y%ngPLxm-1Jj}_0S0>q!)e>co??y-Z!g|VWN>=~;YG~I0zS{F6 zA0Yw+0KoaL3z?nme=w8EG1Ace^e`bepQ!a4eg5ohw!pFtfe=IY$jbOre z%g-0U@c4Q(XkM6AfV?fI2{Kc0*O|we0jL9-MKQ)bA1Jp|uq}D;Xp;HtuUbSC0e~#q zfPXlK0mpKEX7<4IKE!@)+~BzrcBce0e1qQxH_Ybzg`Dxh2GyE_10KwC77-Y}zWfKk zfCv?VDY zNWo-#OG&l$nv6Q;hwHQq=X~#KP*@VY>xrl5$EN#@j+O?pE(B(wR$#U(r{{r!r7@0~ z@fHP}SA`CK4JSbQ zFS>35SI7&vwAA(lxZ>1M{uWx-;@?W33FnZ3T_ePGq$g%q#28Tk(ehv+UDvO38-=cG zFNZHxvgBw2mNZ^|Ky>4nbs_{{RU0T=PE}jx&lajo5glEVdOC+$l?t3xjv3Vwsk$`v zN1NY!(C9w`w>dV6W=rGSGmbV63C;&k4YVdq7SPK;s(gfCuiajYLxT?gk9EM)klu38 zaTS==yueQvoE*utc>O{NLw$=dI!9&*&F)3*t5!F~V1`o(Vtu}Tr68`c6*n%pp4M%k zj^KN3!Y}A9>IAkXYeQsJuEx7p)G(ra@(Lm zY+Hb033pXBAY&J=Z+vD#jZQOoc%2aG)Gj=dOFt2vPQ*JMI?$PHImR!8WTPp^fgoI! zcj64IA47{b@&0X5QT6_fXF3%IjV#N_MOG8RlkknT zbE*7XHy+E)W;5>%=0j<3%ZWC!*o0dstKOLs zJsPkY)kQ;oV+!8FiFca?sdgrErXX757QPic#`wIYmkR?)?(jOCVNe+S%)x|X({2oZ zOE{u|goLVnC*DHw`#Qe&KXgA8`2uqXfHt1hkP2c?%qq>eS4+y}PRTg0l>o2gj zGk4Y0eVaGT?Rp*xACUhOtn4$s=dAnzE0ur1%Kt$*`hS=nJ7-5T17|BM^V$4JKjtz3D0osn49*`gFUjuYFotJriZx$4<;&MlH1Z}ITX=JE+j95@IzkT z?Nvk~TQ;8sxWd~uyux5K1<^P z$puWmTF}(K9Os;}_%+ThsfJVeBi?kzk#?LAS**}Lc$+V#8@|QO=%L)L!P^`0tV6bd z@6EqGJwi+de~~_l3lqvwqwiLA)bknqT5?E3{st8ow$2eZn=_>0&bJzlrQDU9=8~!o zHIJ+iaHCNT{_8tR1=F$?v7gjL1FlGc;pErz@g$mBO{;@)u#Pjy za+8FO$b(H(+UnxSB{=HP?K+QbV6(-bw zw5}Jc)bPk+x@krly>X{elw41%or-AF8gLD}{E6|V-**lk#HQWrh=t(h{j1GT0862o z0n#AsOG>C_ozTEN=_A0J2nBscGdEe)F3?4<631I0W{GF^Tp=5k#UuAY5A)+64dl2K z*k0kMf$04|bq4PjR!vAj;nag5TlJ1VVaSFQj@>>Kk0#7=kZ5BkG&iMU0LTDNLr%{WWmG|fdhN;Qy38xz9JX$@ZVlQ>#*c355v zA)P?KAj^E`SDsS@_V@rd7O4QQ_M~uFN(lqL6G4x)&h^ zsv;M7T>7JIJ7r;Pv&9j&O&U70bjz-Z;*K6v!nOBIhxvIMbI14|dA9{Xea>N3v<0?5 zU8Kca+wd$$*rgm$+0}%eah-~`cjkT4XfD4@S+~AaY?!9{bZ2kdpgi@fZr&+2umWXL zo%GZAdB3Rpra`i`NhJ04AZ)~82umnd4V^DM%9(}Z!A&70KCV4PwVN{<{!Y7^4#c#a zNz?Y}Eb}IYW8SQ)6RNzxk-H9nqKdSOBhzo(ijv_E7&~3rt_i%cyU8E_Y`ReVI}_E_ zhMrZZqF~l3o>5-_Y9(Cn+_)Z?3!^^qnmTpI706TPcn;h}2eo&v*>ZqD~V+tJ_Juaw=NcC_`Q zy!#&xyZ%o*ax}IvGIcQj59Ps-^8aPen3k3$X60T|%GWWRum$8mlF5YR56M=RXF21q zlu(wxyBimr&N5Z<%_C99o_(HQyjq{9XPWLk1>Pvg^Fni4T{DZ#3t%=|YNorlvT~OS zjbOM@RhUhK$yZMHgfD8w)WX-y+18l6bI)2ujMr8&pN_P!=29bnM>FD4Acj84Rrghb zBb-+~hsB#WNCc{LN)+*%pAm~%4oH{CCSrs;PwL&!17r&$T6Doj1IU#N^~pCoEOc0W zLfFzx*IE|ck<6nQUJwlHumY$!4EiaL7l~S2G^^;Sy7%!HV^RH3wgn`KAqrQa2a~tk z5Gy!~Cam6bp`Pq+`F@oSVDR{TF!Bk@CAX7zf>iLU+6nwL2Csd7G7Lzcly(%eO{t)= z?Ai~2ip+Alf06AWfsv#VrOZ#MJFW<+g7O*4;kr7M;}NohE$xz!u3s<+%|;Xt=*3?n*B8Pj$H-;Tu;8_i>r_Gs_L#8{AC?9E zEl)l#OesA?B{DDwSH}_ACks(+5XM+wuHp!$`9?6~S&rGChP`c6tDRCn#OB3J$LFdJ z@I1&SZtvi&7k;gP@49xW|5UeQ?2@5&$EutOM45Q(bv}dI4=P^Zt{r(ABvE5>yY_Mx z1}*L(B>O@!&_B>0pdFn_vFUOO$yA67sf?)kPIheFw=%T>wm-n23a8&XzQiE)ChnnIO!1}N2BYyj| zlk=a4XlwmfuBLI4zM>Bjg~OTdJ^x_kCJ&vsJB%H)(bY}WY@ zyq{I2&_#nOlK3{zsd(jrgp!k#W+^HpjDJ0~v8QQU(uq?X?R4sF=%E+Qlc#O0F){Hh zxGl{oIH56I5O@N$J7o<^l~STZnLxs-+(t!`o=~TQ+JFyWf9pTmd%3zE?8w^w7Ld5H z<4%(jQJ(pZ{$2-I{p?1ysG}%>?CSv4H(*U-G4gtW=hAQ_a^`(`mQfTf1I4m#D%9j__{S|f z9vqGR_QQW7CeN!@znY2Eau;~j&{;$=+!s8@LuVQewLGQ?v`cbKv_-xnUDTbT8pvbl zRARr{F5>lR6Q5S3BfRs>GX?>b8BDW9$I`W>g(aqx2Bn1gXz31*vb0CFfZ87~zll7#pUV5Nb3{ZI*|42bv1Gu>4gaqe0l;@3-kPFKbF4DWAB$B8V%$Z?K zSZ!=utzLBdnjWzyANePSLe@ z1a3k_7-uzyiYTe60HLBr1-%+zRIhO)%pZ!e3eEqK<5;orRk|RFB`f6K=UZEd9MiYZn(=CBB~g(T8omuI4uDmn;LP=d*Z|%yLHX zuVfW2zt2VjCMQ6}Z0sG`aewfa7B-5HcuY=I^iKjBu~*vqRRJIp?42{z*=U*t#bOV? z5LhV&(->w=XkcVo$=p~Bm_Tm^opN)48N>1J@vXA4;Xr(F0xIU!*~CzFj<5mR4mDu7 zx62fle^MdZdJx0jy!#@3y=|d*Euv+mKB{u&X_qUc;fT44x+>NerjGyO8veHRg8TsW zs4UK-XiIK7&?GkuA^llF!0@Fc48(Ma6&m1g6ivg?-fSh@`ht3e13M7kVQeX_gSN}v zpEPNRqbnFlWxGM|`eLzuUy&B+W(ri?$Kp3)bQ3C;={1^JIy{q`KEBPn*yu|YA5h#Q zyN(`d4^}WXP-YHDSUhY^!*%wB@Hms1H4s|{n*mhMeUYIrP`}qdbeawGI-v3bMpiOs z6tTYcp*JWrq-+tksoeryU5`p!aT2D(#dzlOzP_)7(uOWvJWzWuNc6Mb3#`+ioR8aJ zJkIY&_eV&qCOQIbVRY2kc;d$Hqmt~Y0zt+RQ)69TdrY9cIEz;^7LQ&TcFXLx%s*Ig zkVJvP@>sb4&G5YinupE__{Y2fb+HDb^J9Q&%JBapLLIID zq4UT3^ju(lc>X}`mrgB`oM#R01Hw!~5^446lI9$So^-?^ojYGmH*STkdf(XTOf;H! z^}D@)By4fw%)Wk?+4iW*9Cvdi=-0;ErstqcZb_3eZKRM%%OYd)>Vaq@=ZNHphMTW9 z5+5WJXZ-P*+o~5MJIgy0UC^G%b>J`;DvZAkMxXUmlyM18qD<`s2anAm=>8HCBP(h2 zlXXvX3l9@Wk)Xu{SK>DD!2+j=SR3L_?^XH>psO+U^E{WP=84@@hkzKYZZh42$W9G| z)PUJEk)orfaU=Ye{1_oYIOt(H6L~2iR4^nmgN3Bnb-l+2t5n%yfC{-FOtUE1)jFH3oPDWutm@WIblN6xiAhwZg%HmF-Wfpq7{Bt$cx;^ z^A~(iY|lo_SW5r_$;yvuu(QALbnmxHOz&EMJ5o(UOY4xWiQW4L!%B8Jx&c)#kbnG0 z3=vIExG(>1=je97Ejxc6EL^{$)}89f(mfX1QLI6{2vid1_IbXgUB+H$=FbbQT@(}P%ERBU=dNMT5eHat$l zR2lQ5vcmZB!{gNp$~!~wnoMMdTjTi?CDd|Px<8EO!)@mz&3W7>UaH9L!Fb0fq$37w zPT^%V@T=|Tjc)a*baX+*=P^ALHRMBxpaajT=ebmY)&)#k;$k{hKvxO-c(1m7U?Fcf zKp=YIgy3>OEU*F)k5S+&7C1x<>#T=Cwcl>X4zUgB?&8QQ;Nzt>w`~PE+a{7lAUNv?IVB z$i2Wmnm54&F~-ZeP{^R-)Eqs)HPVW=tt|uyX+QT#VaGr(=1f1dLywm2YzT#HhajP; zKbxzd?Krejl?!1LxjZ8uD&(==W5Rvn{&rObMZ+uG!wDkzd8C`@$Dl%)@s^rQQJMP57 zih9vqPu2PC05=Vw`2j3ByOiyTG~oxdN@l< zqy2so6aJyYR*@$Ib&xgFgh}6p?Iv@f8&8nzzG`z*?b0Kd2z`8#`508@;x)?j?Gu~5 z8%+>RQM$gEY!#BZf-EO=d~SkSDOt5JA8y4!xoQavf!`8Cs-0IJwt(bG;B3So<#cdo5S>yO zg%xrGaZ$C9*=(RGPA+Kyx=z zJsr%!BGN`Znl9iM-x+P7|9q_m)o&SPMpMPz8n)xBO>GtMTT60Xwe-cNn?Z+4Feoz( z-0Y8dESB-tsbj7SKPQe(oXr>~eReQS6GWwm#8b2-!63FdmezML=rOG4+G;IWYO1kB zp`Zi0cavfic%_%%PZRS1EZu4I>R%^W+7>-xTU!f%6wkBgN?WI}$(G?ND^G!hbc|`q zHIwp(iFZsGdiqE{P%g8~yO0QEDWB?AdG$)G7>uSvUj)NcYQ*H-TV>~aeL}L)3t0rly5#bH8}jO_ z?CW(Vlt@@c07%DYutYOU$6*Oo3^U}`5ARgX87K2*aNXp79(q+F*lXUFdLS-V%+3$o z%{LI%Vee7yDiuVDS8!bpM}l^!scXo&NpGTgrbp?(m(BRwG#;jw88~$B7l;FexoA-KyqVt>!W0Tj#ThnF_*3YjF5nwkBkR7n!G@ zD4S{6Tqqi$Oa{PM`zC1TG4Buc2CJ0Nsc`?%c&+fAqj4Um!+G*A@$YOTxDSbr2e33Z zDl8j>W!w=UCd=)%)NA#kM4!zF&9<}fW+lmWuTKR4m#T+2A*JI)VKYec@L&7&L^xeg zLIk`;0yOYemAbidXVi*ZB>zqiK(JHX8ADq$j7s0#rM)wURXo=_vn-<>yCzlF3YPT} z$+zfI^apH6Kots;g-m;LNjCK5y(-Rmd|4p$_bGj;wo{WZmV!9pvQ83*TC|-qj4K8~ ziP<;krW_owXSePxW#mUL`R;P0_cEMpJL=%{@M6rQaB*&qp(@5vl z>Ks;%D-QOe!2B0NO0}v$d3O147`*1N+u*0i6O@wKT-|OS3vTn~RodUbIsHVB_M@q_ zulUbQ;&6hXfo?iVP;^h5+oJ9;ra;oX=g@mcss*+P)io6>*mn`clSgD`( z7NvMCOjQzMpB6#krIfcQSFCTytYbxuQAy=3;8A>vOqpK$Mr;=ic!BtZ`a)Mi-}>J3!&&gl(kf z!^6SD#pf<}Lg)LuwY8_`{iesaZM!#g-JBcIR~vkRKI0P>kEN@Esy?h`@Urzi~qHuJnbkqh3B};Q~RiOw2TsfYUuwPMZlyj!` ztrlB0r^idD292pXiXDC71s`uY#}#U64DB8C9is`tTE@N&&dFS%ZaJWLQvcz|o5ka( z-pUoAn?j^VQeuYhKrPk3qq1VX{1tpA!Kf>AYAiM z(-m8GI1n7=OXj{GSmukZDX^U-t7hK;< z;1T`a#TgnZmgr4t-JdS^wZErc(_asRk)$r^`5p`Iw?0=b+DtkOGvT_KT{!yuF|&yhjNm z5$yh1ELU3BMH%1+bYWOHpUqX=RGtWE5{|4#l`oSf6JUt0*(P0NV#EWQp8p0RaY6;H ztRn6UmqbUOPMEil3vuK~CM?LwI6|Ln$lhWtrEJWTt=yu-WSJ4i(BTnU@l}l}U4us^ zP6KA%FP?b;lPKd+)hr2(*PHgpX~4Ki|GaH9GA#bw`8AR6nFgZ78ZecvK@>%cxVBVea$0C$ut?Zh`Yn zH50Q)jvCP$8tH8sL0B}OW|xh-j5f{MdQ1GaqfU$unOiQa*NsIpDILoV)=&jHvh1)L ztJeceB~Q-#Q>ocV(=?qs6A6bQ&0wp1&TJvE1|%AKWC`nqusRqtRO_}(efSidAt!D6{siWWZuTL1`0ntVW%`jV<`mKf+` zq~`%BW$5IwsXZ`eQ7KtD9G7>f%$aj%5t3Y^o+NI-zsFCN|3oxEXgs=h!GL(=70(_k-6kBjgnl0R3FYP4Orb7pca+3Z2*JchEbsT+>B%JK6bq*Qq7mZJJRM8*>|DnjdKu2Pwq{z zI=^`UUA=1c^7*JY;zm))^II@(i!A93>g|NJDs&rf)ytb7sEUMrOfJyJ4St7{y)SL38^kFj1KE^N zxhTH|hGgXh*9??&mjo%66)WwcNyEhUp9YZY3?Y3c8=hGn)+{newyKzI0!FWw`uBy# zEa@(N5c$(Ov{8hxEE*#<$Mq$4ndV>B=fH!-pP7Ha|0kw+2keFg@x#?-{&2Pb9qD#5 z*0*;2ccL~~MgLz1;h#ST;aEihN-BBU%?fw-1~v&RTKasPc~xJO5LkSOMi7@!X$*?gmc5~5F}7kT>$c9|3Y zTM`tbORepgP0y2uB|W>VZCG26prX0EWXFrP&%P-=GhtEJ&u%6x>!IvDJNiu#UEj|f zaB9Z#8>mB_E3ZZ;q7HzoR3vrqzv(&DEHvjOFt47wa1;bsJSnTM*@< zn9v5a%7P}4)Y-IlnFaL{9fvc!JV39AgS)SIyh#KC zMqgHtPAgab>>5@NeMm>(f|&VH#BkQlX|EnhkD$*;$`!;ndV4x0xJ?0`PO}0VxQFV- z&~lf%zDjED#abnp=}FPNic}>C+k!HHy0m2g?x{rr$8g=S>Y#LD!s>m$Nz_jr_|bN? z9jg8))J#FDgQY~1M_w^y!u&C$U;BD5NhnTcFebWH?g6+~?i76+*2p|C4%5!lZ@a}z z_UVnq7w(OQEpgGRB+dk1r;rZn)wM&;ip-*1v063BE?kMXZVF(cvK#Q|lO1fq5~+8Y z-TDqF5Uq`x(9$Z)b>ZN@8%BlMoW8!Ku$5hNapgh>HGX}UHw)4rw~j+(P6rQd;^?&U zF=v^9#|9mdi4R`0txNXMx)bA~PWQ|+l3XXYMJDoY?}a?;C&9lC!a=PyIm?F;mj0&7 z;ovdk^)EJ>q>1q}O6iFYsAUAdh-4(B_P$d(gAm5B^OtDB1{3J#j7{PJhrKYOdhOK` zId{z8r9@@O1xHiL9y?)LQv4(Z8cP*>PSprSEX)<7mUXFApbh-xw%6Y7voivv?l}CxtLWqur zS$`KaF4pM>Y~=sk)n&MWu+6?%U)aJD*}X$fg0#bKts#wNFHXZAhKdnJ5bH4Ik%ruz zBCf9EJMRTf0qaV|+lB^;GG777=Zm9;#;}OkPjhD;WS(qr%<~@7q8kLR@4sFRqTSWb zYXtofIDfF|PM+Tm!VD|4rvH{UhHUhPI4Nd5R~Xui^1D3q%9Mon=gngXKogMe6@aFk^O*4a<4*c>cz)v$};ZfcgpF?E@)-?sF93 zd(!_^mf;Id(u6b5P8HY+(@8ALSR6lXbw=boyvU67>?P`kauH?d5i3ZwhEcA>9(&g< zb`4@AAE&V$O7zROKlEdFE-^;bV~FC{x4Z#*T9P;pBQo^0iPE95s;M;vjI{E8d^m%G zt9I>i0VtFjgn4!HBSW+nPLgqv}+P#x--YK&G{C1r`#{?RYG_j-sBZpm{$zsr=y(}A$SATV7$dpvupy$xmRMs6 zc4PZu>=mP~u_UqU_aD*2do#>iH%HG&&dKlHx$WK8V-6RF4y*Ik#tnu2-)4CSy z{?d$!-FjBJQfInLz0uB@H+(DBGS+$CV`=oMlvv&~F8|igZx>JLU8?GU{V|7Tl6H@3DY z{AEJH@&&@fjr~0DbsaD!#_P;G&QO;oa-8Lt6QKU#3p7 z23x#^W_xvA%V26oYd4M**ng={@Sip$~34mVEw9waY>E%HZ}S*`^)?2h1qX%{;uC3vtOgk z7EfkpE%tXA{Ax7k7W8fO*Xt6!&dz?J&Uxl>vR3lYPCmodY+rjT)Xm*>7k{dKV41!Z zY%y;8p4ZB6@w7%`r+0UrynNDs`*UO4su4FkwyHS!CtLZ1bFSWn<4Zlwwj}6XU3T<0 zT+i-2xTgJl!!7=k-Y)OIq{^G%J|5GySIe5ybkk6moH;kvedf~n(TZIMwmow4+HowS z@bi(sUU#qGd3@E4ahsaAbJ}uf@}OF7kIPwC-VO7aV?HsbPHDdV?Y^H?E}vAPZ{C+D zI$!Hax2Obq{6ApagRpS<4u0rm* z@ZOe9Y3uTPZ4AteUp(c`ZjHDkIuNN7qm=iZR&Tzx~cDpty$CO z4=xyRdu)>-XMew+YH!`hd103w?QTS8`!*aC-n(06Vbb7rx%CguYtw!1#e#(grk`up zJ8tr{xm~*JpS%9rp!1WcYW;IOjxYPRE}q1AbN#DRf4Cj**t5pQupw1@x7f1buNz5i zMg~}gr=6njREykdxMJO@$_bATQn%RAE^4IfA9;w5r!s1v9#=S`T)H)EPeAavlLvSE zc-?odzP#aTuU3UG0z=bkdpfsl*?-L31vjtmY&K=FQ2p8Izrx4FCI@%2>^-sN3Qnq( zLO4`>f9t07{>`dL|3yC>TzmghsdeI|;VpG4lbJV?*KjIRoGFSwI1);$6v3QoNh*m} zbn9GzuJrRZIMgu;l8U=0#2@|@KQsO)(8A&)yLO8VZ zjPjzue}k_8?iL#xADS2!+AF$ea9n6BokkHqV%eg|r;tz$SZfMD2uF++@X_%-dnU$& z_KpvYjdRe7{KizVbS?Uc7F&beCJL>H9e1+UkYQ5R`rXw@OJAc17!)d1&f`zvc8!c> z>VCY}bmzCw{V-%=A4)kL@K~ZlvAY^oDF%I*HY+5yE3=)vstfN{hkXTXoNPh0GZQ*; z*iM*{=N&a+->|21EqsaqtBUt|ioYWN{IBLGG|^MgTQZs7@SxVRpg1&eABv|N=wIg( z8tA1`N3o4D)!1Xx12hl^V>G9}fUEZj4Mg&0M>CTNdZ(%=)Ch~|@$w0x}DD5%X$YrN~A|3jR3iIsgyp~ok*6Kl|_jDm^T z#Al_gtNq|j!x0L!Jwh6PLKE>x7QNZRY@wyQ>*tg35ieyQQPAuYT1XJ|8e|V<6BnY7 z7m6lVp@~+MQ{}Y!geEiwbsBF($G~i)k-;aXCxY#J7@iJ|3T-~25y51#@XQ9n=KgVV zEgA^Km(Zrj@%@Ab(v684JzGyZD|!rEjTXdSh}P4xwx8BQ(f&c^XZ+J}RFgGm4Nv)II2Q zWwWGNyOr_yUwQlyui6rSus(jlim;Nux2QNQ`rh~fZTr8+z{E85k|I@=u7cl?GiJpl zXA$*Z-_@6sknHv%*@-g_;;%?n4@9=4hyL*4YAufgNJbuP7P>*UrS?8}d{p#?q} zt%x@0O&02U7pcItH};*bg%>!vNd-P1r$|j#>3MCUMU_syF(IN!kD9sect8R2rEV_x* zWKJWLsHv)Sqaibkg$*9jx$fUk=?@V2<6xmE)?CLcVbl05b*f5`DS`Ccla>x0zefy* z;W9LFUge|J?6$ZGid=&}g(Yj~cK>6Spn_befR?rXR3)ZXND=QIrw%|#4b~#iHgX2O zzX^(6IvP4JP~wW0v#1RjQgKNY%;mCFfzV|%&}1~&ZFLtZVzV6NgZTf|JSxh%7oJPX zYPZe(K^dyyt@H&|QWebXw(!t9(MCYiKC54G8J2WLfuYp0eu54kQ%^)96u^i z^(lg$8Mog>bnCbiUtbCXktT#^aom5)l%NKT7IeHuP+3(LEi;8ReS2Xn2XV_n5wwqS zsFq6Zdqld)l*&|vMqS3~H2mw8yENNGpqONE&60yjQp-*25_Rn<(&G>e{AeAkHz|S9 z^%$r%U@5fa&_l7;q2oks_$R##i_1F{p{PIvJvI9;#l8)$(+$l?hrvQP}k>5wGiv{ zoxeEAF&uR#?P5Mhm7qq01@micqwS6I%KsWYZ$wbhbtlEb{&QN13%8Y~FtWZ=U+sIS zHX@-Pj3(ZBP>h^%RS{`6B9EIgRI>hoBo7!A-7g%#YZ&Z%Qsf8M70Fq8gVvCem8daM zE3Q%nf7f|Y#sc&cRt$}4?;UktiETDoc)f}l6eC{zGjA_M9^fI3w8a0Euok_LEUWKG zJ$SSXiq}KC@dybzd^O0$CFcc)No;424&{D?+eTKACL3quH3l?Mtz}C4Wc0romr&sK zlaVS5vO$Wlk_S3uU*4v2lVQhD z&v|`G&wbi$ZxyK+<|q0De&v^n>vixDgEY=a{I?@giWXt+tlG>|N@BN+7T~@6{=LWkitOb+G z4vdo-+>{@nh{;d{opO$~VPe^}PTuJ4`OBb#>v+AD9;4(3FtJ7}JN@Ryl|SYRHCT~$ z=)|5K!~|Q62BV7QZ-2f{FBHis=-ueSd+Dxhve{6AE0eZc(XUdDAH1O%W(!Fr+iiop zGtrorWJHKh`Ge|;koa%71g+%T2~6xz!NBa}X2m^-{15Wh{z?k|Y9Jeo(u5_kQ^jSU?7Bz5++>Nlc5{kN_( zOY|Mdq-qTojRT*!*35o(FpRecV1lWF}hX z6r?h~UlV`k5R`EpOAut_*=^@Bu2W8#YCK1p%8a}(zCBg=9aJ$Hs-Oo(cNRDxWARq2 z6=cIMQtq%(D}(!iej6)TwA@>lGU@N`W zj^>7r3CJmrj_-J5X{jBxo{7$qM>eU9kSe2`-@%A~)uvs;Zd}tOmFMwxjdKOia!z`<#Y1@oJXo7RJvi{SxDYZ=ef0L`END zf|>bZk^9hleUaYoBE69VB)e_@NhTEwz*1>RtF4(i&7~01&H$TqG`mf6fyve5daL*Q z92Bdpm8a&f>W%2Q03Rj`A*9kv4$y)wT`SA>q}X>_+D>=GaHfl=wD$D9>40tGjaEU; z%bbJ6@4Yv8R|AONPLk&Aw!L;H-oVoJUm;h1*$Q3%2{P$&cAMuvY-$M;U}Ux^%&h8u z7+Kj13n6rtYxIl_*715ChNN!$6o-zaGUnB|ai|F*rBJ4f_OF?ACe{AL%j5zohcb>X zTvnHIV#S|)ZGcooSf9-`#$Yry5d#ytw69o>iN!LBP8^l63^@Jjm)6i=hY>+Jw8SvC&2qR^%Pf&z$VDdMW7s=wL}@W31`Sq-V*J z2Pt&@m*qUG0=o)TBAJx1G1koimN^?#GpE+!$B6E?m{lMHh2zFGa=^9vOASa09O(B? z%p4f7JLd3619IHH)+{iuGG&#ZVlqlv&uM)A3t;DA&6PxBnX@eutx0iYz2nDy=3GW^ za;*_vW?)7(oQbxGxlXDNQs~$?mu~UU$8IDJGDX{MEu)y^OoIte@5)j%sq4$rPi;Jp zq-4bKk1UQj?nE4mooq1bd1l$QByz;RuR;CVTdL}ZeVJrzQ!2rVq|hgh-`n;=bP$9g zy;GuX3Jaa0(rbi7Ee7x{~S;;s`$810?7XB<-W+%+*zYgT*l7hx= zdu(Epv3|z_FI;(lTNc21h;p)^vDu+u8HS?c0a6l~@a(n~HYSyS?|Kd< zk1pQ&ZKeq!vm6T|w9H>&LyvNG$6kcLlV3JJ9v#d6FKEZZ`$jX_RP#_heHEy*lig`4 z?<39{EtGXFGqTy}OoM}he_!;inCfC-?k?>TElZi`qB%N^%sI$_so)k8ngx|u0H=3{ zo>|3&TU0n6QKD0m_=rpY{X79`nSpCQT-2>0x^N>lFB5G**?O)h*ENZ}_Nz4Lud}QM-Kf|WeJn5d- zZo9sZP0wJa*5SV_pD0#1Ezlv5J+Iw%^DvW(kvLP}Hj`&)DgvA;1Mfe{1gBg5nNy-y z@9J-P!vTl6(%x;i)xkC{6ku97G!hKr27d|YF=!FLgW^vxXCoaakDP7;DcqU zkEBLb_L|WZx>zn7)4nNWQVrPaC(YC(n9G}(6#(!6^j>uFJJHSpr{Oxi_f98;lMdbQ z%;yI;Ll>)B(lw;rR^=%hE^`c0=6dst#~!0#_s66l9pUBQGO_3ZN~+gMcAXLH+h50k z>mVY9u1`Ztf5z~QH0%|Ws)FR+JUryj$;e8JBqJg`d0U3X)iS3#oY%WWTmp5tEZ23e z$fTk=bYz`pw@t3e zL<@R@yl)}NF9tb1t$+mWhKh!CXS=OuJ;&rkt1NGjHk`3!&iHi@I|~ykq}Uv{tN{~l zFr*7IJCb5ss&p+aM&WeX$abD5lWbvPj}P(a`L0xvGt(xl-JFHRD;BB}ic(S+LiKNk z?t;V#keE($i7lCEW@)g|JK)^+V%>qcS33HVe3?{1zUzzB@3r*mkNba+mb9GR)~Y?5 zYf_~#Ra|!d*#TvcFW_C0-tSCjCfU&rrA`AXZw~=92loqHEHxWrvbq&B>AW`%_# zNRA*#Xmnn<1GL^Wm^nogG0(Z}TXe1MQ0|h0A-k<}BpYo`71W7I$V+Bf?k8oB%^bFK z3B~~R8cPFwS^}#9y-LSpzpRQWea!gY4XQⅈyT*p0~aOfVK}bG zP&V7Fw#a;hBzrDgF=-m49)qfs^brh8M>-&Dg=E>XA&I_S=I+>4aKBer4xy*q4q*?d za$Twyn5zq`BHUW+gTyW}UHmkOi5;xcvdfPdbsM(8P?PgPK+>JSo*7KCEL2D}T&Z(- z$Zhmm)u0Mm4NK=RsU~I#ty@y*Nh7Gih#rd^r*Pb{d2B33%Tiw>gXH8-uXD~I{8q?z zZvB+g|A58+3@YhWjjKvSnLpN$SCurCcW@&-(dVhSECsPj`*gMcC3=Z zUn&!Bn}DwNEH)XC>CkkvpBnown3fP)71+yspUKtornF2Q^H9o!J!_hWAZ?gs z`97d@8Af!c8w9;Mb%@kG$S|}m?=s>p&?jU|3kS-v(Z)3FL1CeTo;>RD4*g#;k{#(B z9QUj;3vI+UX&laA_JDhVtQWgLBqCo5WFwa6Pcy$ zwy&}Dr<_c2Y?+r0-bmkzyE1Hb0er6?rg!Nqa-jhetj3Vjo2Bc0$MRpfLu3<5J5pq9 zENaXoY9W&6e(37ya z-fVWN)}q&#QB1RR(&&n6#!cvCyrkUaxGEUuDx1-So1oO#MZ;p(tJE(x0csg3^X;Gx z4%o>h)ug1#>)N${{SEdH$R?z3+ill^*=!@u&6RMHg^c%t4Glv3B5=;3elB}f-oly<>AQ7p1}@s=-3*E!}%FFuFJpF>dkjRLeu048x1(EAB-szhA>4$yh%e z#w0sjV*caltBu)E^<7!APO~w|IPk>uyFE49`@cZ=MIcgW8%B*~fiVkji+HGesK3BG57FMw3%kES# z2K$D+LybDzT{?U@yMRe%4rrG|xK6o&Vdp^EHi3G}S=6DJM`5p9JGXDi8ssIU!YLHU-m{ zhDjSxFZ3MN2D%*&-O@wk62*&jSNi^8F*od*B3Jqvq6j6+9O?6QAE9>Jr5jAB^f5cBw9;3`K7u)J z>TN}^s|dwiGJ8AGjDg;-xZFep|4VE4^*Cm^`>cFow WetvCvZ;ii?TEnY-{FD6sRR0GL%C-&w literal 0 HcmV?d00001 diff --git a/crawlab/docker-compose.yml b/crawlab/docker-compose.yml index 086b9ad..014fb23 100644 --- a/crawlab/docker-compose.yml +++ b/crawlab/docker-compose.yml @@ -3,6 +3,7 @@ services: master: image: crawlabteam/crawlab container_name: crawlab-master + restart: always ports: - "8080:8080" # frontend port mapping 前端端口映射 depends_on: @@ -20,10 +21,11 @@ services: crawlab-mongo: image: mongo:4.2 container_name: crawlab-mongo + restart: always environment: MONGO_INITDB_ROOT_USERNAME: "username" # mongo username MONGO_INITDB_ROOT_PASSWORD: "password" # mongo password volumes: - "./mongo/data/db:/data/db" # 持久化 mongo 数据 # ports: - # - "27017:27017" # 开放 mongo 端口到宿主机 \ No newline at end of file + # - "27017:27017" # 开放 mongo 端口到宿主机 diff --git a/nginx/data/conf.d/thingsboard.conf b/nginx/data/conf.d/thingsboard.conf new file mode 100644 index 0000000..c8eb721 --- /dev/null +++ b/nginx/data/conf.d/thingsboard.conf @@ -0,0 +1,51 @@ + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name thingsboard.windymuse.site; + + ssl_certificate /ssl/fullchain.crt; + ssl_certificate_key /ssl/private.pem; + + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + client_max_body_size 100m; + + location / { + proxy_pass http://192.168.31.249:9191; + } +} + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +upstream thingsboard-wsbackend { + server 192.168.31.249:9191; + keepalive 1000; +} + +server{ + listen 20038 ssl; + server_name thingsboard.windymuse.site; + ssl_certificate /ssl/fullchain.crt; + ssl_certificate_key /ssl/private.pem; + ssl_session_timeout 20m; + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_verify_client off; + location /{ + proxy_http_version 1.1; + proxy_pass http://thingsboard-wsbackend; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_read_timeout 3600s; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } +} diff --git a/server-init.sh b/server-init.sh new file mode 100644 index 0000000..4712c3d --- /dev/null +++ b/server-init.sh @@ -0,0 +1,50 @@ +# install docker +# https://www.runoob.com/docker/ubuntu-docker-install.html +curl -sSL https://get.daocloud.io/docker | sh + +# install docker-compose +# http://www.ppmy.cn/news/3878.html +apt -y install docker-compose + +apt -y install python-pip + +# config docker image source +# https://blog.csdn.net/whatday/article/details/86770609/ +echo { \ + \"registry-mirrors\": [ \ + \"http://hub-mirror.c.163.com\", \ + \"https://docker.mirrors.ustc.edu.cn\", \ + \"https://registry.docker-cn.com\" \ + ] \ +} > /etc/docker/daemon.json + +service docker restart + +docker info + +# install curl +apt -y install curl + +# install nginx +apt -y install nginx + + +# acme.sh +# https://blog.csdn.net/Dancen/article/details/121044863 +# https://github.com/acmesh-official/acme.sh +# download from github +# install acme.sh +chmod +x acme.sh +./acme.sh --install -m zeng32@qq.com +# change to ~/.acme.sh +cd ~/.acme.sh +# change default ca +./acme.sh --set-default-ca --server letsencrypt + +# ali key and secret +export Ali_Key="xxxxxxxxx" + +export Ali_Secret="xxxxxxxxxxxxxxxx" + +# generate ssl cert under DNS auto mode +./acme.sh --issue --dns dns_ali -d gitea.windymuse.com.cn diff --git a/thingsboard/docker-compose.yml b/thingsboard/docker-compose.yml new file mode 100644 index 0000000..87461e2 --- /dev/null +++ b/thingsboard/docker-compose.yml @@ -0,0 +1,16 @@ +version: '3' + +services: + thingsboard: + image: thingsboard/tb-postgres + container_name: thingsboard + restart: always + ports: + - 9191:9090 + - 7070:7070 + - 1883:1883 + - 5683-5688:5683-5688 + - 5433:5432 + volumes: + - ./tb-data:/data + - ./tb-logs:/var/log/thingsboard diff --git a/thingsboard/readme.md b/thingsboard/readme.md new file mode 100644 index 0000000..eafc03b --- /dev/null +++ b/thingsboard/readme.md @@ -0,0 +1,36 @@ +``` +mkdir -p ~/.mytb-data && sudo chown -R 799:799 ~/.mytb-data +mkdir -p ~/.mytb-logs && sudo chown -R 799:799 ~/.mytb-logs +docker run -it -p 9090:9090 -p 7070:7070 -p 1883:1883 -p 5683-5688:5683-5688/udp -v ~/.mytb-data:/data \ +-v ~/.mytb-logs:/var/log/thingsboard --name mytb --restart always thingsboard/tb-postgres +``` + +# 官网教程 + +https://thingsboard.io/docs/getting-started-guides/helloworld/ + +tenant@thingsboard.org + +tenant + +ThingsBoard UI will be available using the URL: [http://localhost:8080](http://localhost:8080/). You may use username **tenant@thingsboard.org** and password **tenant** . More info about demo accounts is available [here](https://thingsboard.io/docs/samples/demo-account/). + +SphDn4eHBputVhXSl5am + + +curl -v -X POST -d "{\"temperature\": 25}" http://192.168.31.249:9191/api/v1/SphDn4eHBputVhXSl5am/telemetry --header "Content-Type:application/json" + + +``` +curl -v -X POST -d "{\"temperature\": 25}" https://thingsboard.windymuse.site/api/v1/SphDn4eHBputVhXSl5am/telemetry --header "Content-Type:application/json" +``` + + +# 访问thingsboard内部的postgres数据库 + +https://blog.csdn.net/qq_38899062/article/details/127305731 + + +# 开源物联网平台ThingsBoard数据库40张数据表设计一览 + +https://blog.csdn.net/qq_40657528/article/details/124430504