vesta/bin/v-add-letsencrypt-user

#!/bin/bash
# info: register letsencrypt user account
# options: USER
#
# The function creates and register LetsEncript account 


#----------------------------------------------------------#
#                    Variable&Function                     #
#----------------------------------------------------------#

# Argument definition
user=$1

# LE API
API='https://acme-v02.api.letsencrypt.org'

# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf

# encode base64
encode_base64() {
    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}

# Let's Encrypt v2 curl function
query_le_v2() {
    protected='{"nonce": "'$3'",'
    protected=''$protected' "url": "'$1'",'
    protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
    content="Content-Type: application/jose+json"

    payload_=$(echo -n "$2" |encode_base64)
    protected_=$(echo -n "$protected" |encode_base64)
    signature_=$(printf "%s" "$protected_.$payload_" |\
        openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
        encode_base64)

    post_data='{"protected":"'"$protected_"'",'
    post_data=$post_data'"payload":"'"$payload_"'",'
    post_data=$post_data'"signature":"'"$signature_"'"}'

    curl -s -i -d "$post_data" "$1" -H "$content"
}


#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

check_args '1' "$#" 'USER'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
if [ -e "$USER_DATA/ssl/le.conf" ]; then
    source "$USER_DATA/ssl/le.conf"
fi
if [ ! -z "$KID" ]; then
    exit
fi


#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#


# Defining user email
if [[ -z "$EMAIL" ]]; then
    EMAIL=$(get_user_value '$CONTACT')
fi

# Defining user agreement
agreement=''

# Generating user key
KEY="$USER_DATA/ssl/user.key"
if [ ! -e "$KEY" ]; then
    openssl genrsa -out $KEY 4096 >/dev/null 2>&1
    chmod 600 $KEY
fi

# Defining key exponent
if [ -z "$EXPONENT" ]; then
    EXPONENT=$(openssl pkey -inform pem -in "$KEY" -noout -text_pub |\
        grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
        xxd -r -p |encode_base64)
fi

# Defining key modulus
if [ -z "$MODULUS" ]; then
    MODULUS=$(openssl rsa -in "$KEY" -modulus -noout |\
        sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
fi

# Defining JWK
jwk='{"e":"'$EXPONENT'","kty":"RSA","n":"'"$MODULUS"'"}'

# Defining key thumbnail
if [ -z "$THUMB" ]; then
    THUMB="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
fi


# Requesting ACME nonce
nonce=$(curl -s -I "$API/directory" |grep -i nonce |cut -f2 -d\ |tr -d '\r\n')

# Creating ACME account
url="$API/acme/new-acct"
payload='{"termsOfServiceAgreed": true}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
kid=$(echo "$answer" |grep -i location: |cut -f2 -d ' '|tr -d '\r')

# Checking answer status
status=$(echo "$answer" |grep HTTP/ |tail -n1 |cut -f2 -d ' ')
if [[ "${status:0:2}" -ne "20" ]]; then
    check_result $E_CONNECT "Let's Encrypt acc registration failed $status"
fi


#----------------------------------------------------------#
#                       Vesta                              #
#----------------------------------------------------------#

# Adding le.conf
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
    echo "EXPONENT='$EXPONENT'" > $USER_DATA/ssl/le.conf
    echo "MODULUS='$MODULUS'" >> $USER_DATA/ssl/le.conf
    echo "THUMB='$THUMB'" >> $USER_DATA/ssl/le.conf
    echo "EMAIL='$EMAIL'" >> $USER_DATA/ssl/le.conf
    echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
    chmod 660  $USER_DATA/ssl/le.conf
else
    sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
    echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi

# Logging
log_event "$OK" "$ARGUMENTS"

exit