Merge branch 'dev' into dev

tomsommer · web-flow · commit c284efd9e833 · 2026-05-04T18:36:49.000+02:00
diff --git a/README.md b/README.md
@@ -146,7 +146,7 @@
 | 🌐 DNS mode | Use DNS TXT records |
 | 🔗 [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) | Use DNS alias for verification |
 | 📡 [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) | Stateless verification |
-| 📌 DNS persist mode | Persistent DNS TXT record ([draft-ietf-acme-dns-persist-01](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/)) |
+| 📌 [DNS persist mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-persist-mode) | Persistent DNS TXT record ([draft-ietf-acme-dns-persist-01](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/)) |
 
 ---
 
@@ -399,6 +399,8 @@ acme.sh --renew -d example.com
 
 ### 🔟 Use DNS Persist Mode
 
+📖 Wiki: https://github.com/acmesh-official/acme.sh/wiki/DNS-persist-mode
+
 📚 Spec: [draft-ietf-acme-dns-persist-01](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/)
 
 DNS persist mode lets you place a **single, long‑lived `_validation-persist` TXT record** in your zone and reuse it for every subsequent issuance and renewal. There is no per-issuance challenge token, so renewals require **no DNS edits** — useful when DNS API access is not available but you still want unattended renewals.
@@ -502,6 +504,8 @@ acme.sh --renew -d example.com --force --ecc
 
 #### 📡 ACME Renewal Information (ARI) — RFC 9773
 
+📖 Wiki: https://github.com/acmesh-official/acme.sh/wiki/ARI
+
 If the CA exposes a `renewalInfo` endpoint in its ACME directory (Let's Encrypt, ZeroSSL, etc.), `acme.sh` follows [RFC 9773](https://www.rfc-editor.org/rfc/rfc9773.html) automatically — **no flag needed, no opt-in**:
 
 | What | When | Why |
diff --git a/acme.sh b/acme.sh
@@ -1015,6 +1015,24 @@ _checkcert() {
   fi
 }
 
+#file
+_enddate() {
+  _cf="$1"
+  _res="$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -enddate -in "$_cf")"
+  if [ "$?" != "0" ] || [ -z "$_res" ]; then
+    return 1
+  fi
+
+  case "$_res" in
+  notAfter=*)
+    echo "${_res#notAfter=}"
+    ;;
+  *)
+    return 1
+    ;;
+  esac
+}
+
 #Usage: hashalg  [outputhex]
 #Output Base64-encoded digest
 _digest() {
@@ -1039,6 +1057,25 @@ _digest() {
 
 }
 
+#Usage: certpath hashalg
+#Output certificate fingerprint without colons
+_fingerprint() {
+  cert="$1"
+  alg="$2"
+  if [ -z "$alg" ]; then
+    _usage "Usage: _fingerprint certpath hashalg"
+    return 1
+  fi
+
+  if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
+    # openssl prints "SHA1 Fingerprint=AA:BB:CC:..."; strip prefix and colons.
+    ${ACME_OPENSSL_BIN:-openssl} x509 -in "$cert" -noout -fingerprint -"$alg" | sed 's/.*=//; s/://g'
+  else
+    _err "$alg is not supported yet"
+    return 1
+  fi
+}
+
 #Usage: hashalg  secret_hex  [outputhex]
 #Output binary hmac
 _hmac() {
@@ -1846,6 +1883,25 @@ _date2time() {
   return 1
 }
 
+#support the output format of openssl -enddate:
+#     Apr 01 08:10:33 2022 GMT   to   1641283833
+_ssldate2time() {
+  #Linux
+  if date -u -d "$1" +"%s" 2>/dev/null; then
+    return
+  fi
+  #Solaris
+  if gdate -u -d "$1" +"%s" 2>/dev/null; then
+    return
+  fi
+  #Mac/BSD
+  if date -j -f "%b %d %T %Y %Z" "$1" +"%s" 2>/dev/null; then
+    return
+  fi
+  _err "Cannot parse _ssldate2time $1"
+  return 1
+}
+
 _utc_date() {
   date -u "+%Y-%m-%d %H:%M:%S"
 }
@@ -5564,7 +5620,7 @@ $_authorizations_map"
   Le_CertCreateTimeStr=$(_time2str "$Le_CertCreateTime")
   _savedomainconf "Le_CertCreateTimeStr" "$Le_CertCreateTimeStr"
 
-  if [ -z "$Le_RenewalDays" ] || [ "$Le_RenewalDays" -lt "0" ]; then
+  if [ -z "$Le_RenewalDays" ]; then
     Le_RenewalDays="$DEFAULT_RENEW"
   else
     _savedomainconf "Le_RenewalDays" "$Le_RenewalDays"
@@ -5623,6 +5679,20 @@ $_authorizations_map"
         Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
       fi
     fi
+  elif [ "$Le_RenewalDays" -lt "0" ]; then
+    _enddate_value=$(_enddate "$CERT_PATH")
+    if [ "$?" != "0" ] || [ -z "$_enddate_value" ]; then
+      _err "Failed to get certificate end date for $CERT_PATH"
+      return 1
+    fi
+
+    _endtime=$(_ssldate2time "$_enddate_value")
+    if [ "$?" != "0" ] || [ -z "$_endtime" ]; then
+      _err "Cannot parse _enddate_value: $_enddate_value"
+      return 1
+    fi
+    Le_NextRenewTime=$(_math "$_endtime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
+    Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
   else
     Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
     Le_NextRenewTime=$(_math "$Le_NextRenewTime" - 86400)
@@ -7446,6 +7516,7 @@ Parameters:
   -m, --email <email>               Specifies the account email, only valid for the '--install' and '--update-account' command.
   --accountkey <file>               Specifies the account key path, only valid for the '--install' command.
   --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
+                                      Negative values could be used to specify a number of days relative to the expiration date of the certificate.
   --httpport <port>                 Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
   --tlsport <port>                  Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
   --local-address <ip>              Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
diff --git a/deploy/windows_rdp.sh b/deploy/windows_rdp.sh
@@ -0,0 +1,158 @@
+#!/usr/bin/env sh
+
+# install a certificate on a Windows host over OpenSSH and bind it to the Remote
+# Desktop listener (RDP-Tcp).
+#
+# One ssh invocation does the whole job:
+#   * the PFX is built locally, base64'd, and embedded as a string literal
+#     inside a generated PowerShell script;
+#   * the script is piped to `powershell.exe -Command -` over ssh. No scp,
+#     no temp files on the Windows host.
+#
+# First run:
+#   export DEPLOY_WIN_RDP_HOST=winserver.example.com
+#   acme.sh --deploy -d winserver.example.com --deploy-hook windows_rdp
+#
+# Available variables:
+#   DEPLOY_WIN_RDP_HOST        required   SSH host
+#   DEPLOY_WIN_RDP_USER        optional   SSH user, must be a local administrator (can also by set via ssh_config)
+#   DEPLOY_WIN_RDP_PORT        optional   SSH port, default 22
+#   DEPLOY_WIN_RDP_SSH_OPTS    optional   extra ssh options, e.g.
+#   									  "-i /root/.ssh/win_id_ed25519 -o StrictHostKeyChecking=yes"
+#   DEPLOY_WIN_RDP_LISTENER    optional   RDP listener name, default RDP-Tcp
+#   DEPLOY_WIN_RDP_RESTART     optional   "1" to restart TermService after install.
+#   									  Active RDP sessions will drop!
+
+windows_rdp_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if ! _exists "ssh"; then
+    _err "ssh is required but was not found in PATH."
+    return 1
+  fi
+
+  # ---- configuration ------------------------------------------------------
+  _getdeployconf DEPLOY_WIN_RDP_HOST
+  _getdeployconf DEPLOY_WIN_RDP_USER
+  _getdeployconf DEPLOY_WIN_RDP_PORT
+  _getdeployconf DEPLOY_WIN_RDP_SSH_OPTS
+  _getdeployconf DEPLOY_WIN_RDP_LISTENER
+  _getdeployconf DEPLOY_WIN_RDP_RESTART
+
+  if [ -z "$DEPLOY_WIN_RDP_HOST" ]; then
+    _err "DEPLOY_WIN_RDP_HOST must be set."
+    return 1
+  fi
+
+  _savedeployconf DEPLOY_WIN_RDP_HOST "$DEPLOY_WIN_RDP_HOST"
+  [ -n "$DEPLOY_WIN_RDP_USER" ] && _savedeployconf DEPLOY_WIN_RDP_USER "$DEPLOY_WIN_RDP_USER"
+  [ -n "$DEPLOY_WIN_RDP_PORT" ] && _savedeployconf DEPLOY_WIN_RDP_PORT "$DEPLOY_WIN_RDP_PORT"
+  [ -n "$DEPLOY_WIN_RDP_SSH_OPTS" ] && _savedeployconf DEPLOY_WIN_RDP_SSH_OPTS "$DEPLOY_WIN_RDP_SSH_OPTS"
+  [ -n "$DEPLOY_WIN_RDP_LISTENER" ] && _savedeployconf DEPLOY_WIN_RDP_LISTENER "$DEPLOY_WIN_RDP_LISTENER"
+  [ -n "$DEPLOY_WIN_RDP_RESTART" ] && _savedeployconf DEPLOY_WIN_RDP_RESTART "$DEPLOY_WIN_RDP_RESTART"
+
+  _port="${DEPLOY_WIN_RDP_PORT:-22}"
+  _listener="${DEPLOY_WIN_RDP_LISTENER:-RDP-Tcp}"
+  if [ -n "$DEPLOY_WIN_RDP_USER" ]; then
+    _target="$DEPLOY_WIN_RDP_USER@$DEPLOY_WIN_RDP_HOST"
+  else
+    _target="$DEPLOY_WIN_RDP_HOST"
+  fi
+  _pfx_pass="acme"
+
+  # ---- build thumbprint + PFX locally ------------------------------------
+  _thumb="$(_fingerprint "$_ccert" 'sha1')"
+  if [ -z "$_thumb" ]; then
+    _err "Failed to compute certificate thumbprint."
+    return 1
+  fi
+  _debug "Thumbprint: $_thumb"
+
+  _debug "Building PFX at $_pfx_file"
+  _pfx_file="$(_mktemp)"
+  if ! _toPkcs "$_pfx_file" "$_ckey" "$_ccert" "$_cca" "$_pfx_pass"; then
+    _err "Failed to build PFX archive."
+    rm -f "$_pfx_file"
+    return 1
+  fi
+  _pfx_b64=$(_base64 "multiline" <"$_pfx_file")
+  rm -f "$_pfx_file"
+
+  # ---- build installer script --------------------------------------------
+  if [ "$DEPLOY_WIN_RDP_RESTART" = "1" ]; then
+    _restart_ps='Restart-Service -Name TermService -Force'
+  else
+    _restart_ps='# New RdP connections will pick up the new cert automatically.'
+  fi
+
+  # Escape every literal `$` with `\$` so the shell does not expand it.
+  # Values substituted from shell: $_pfx_b64, $_pfx_pass, $_thumb, $_listener.
+  _ps1=$(
+    cat <<PSEOF
+
+\$ErrorActionPreference = 'Stop'
+
+\$pfxBytes = [Convert]::FromBase64String('${_pfx_b64}')
+
+# Note: It is quite important to use a X509Certificate2Collection here in any case, since we otherwise
+# could run into quite a lot of trouble when importing the certificate including its entire chain
+# and its private key. Windows might behave arbitrarily and not consistently import the certificate
+# at all - unless "Exportable" is included in the storage flags. However, then the certificate seems
+# unaccessible to TermService for some weird reasons despite all permissions being set (at least on my
+# Win 11 lab machine). This might be some security setting that prevents TermService from working with
+# exportable keys? I don't know - importing the entire collection including chain or not always fixes
+# the issues.
+#
+# Note2: If you should have kicked yourself out for some reason, then deleting the certificate will make
+# TermService restore the original, self-signed certificate after at least after the second login attempt.
+# Deleting the certificate can be easily accomplished via the Powershell, since SSH access will still be
+# present in any case - the following command should get you out of trouble:
+# \$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My\\${_thumb}' | Select-Object -First 1 | Remove-Item
+
+\$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
+\$certs    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
+\$certs.Import(\$pfxBytes, '${_pfx_pass}', \$flags)
+
+\$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
+\$store.Open('ReadWrite')
+\$store.AddRange(\$certs)
+\$store.Close()
+Write-Host "Installed certs into LocalMachine\\My"
+
+\$ts = Get-CimInstance -Namespace root/cimv2/terminalservices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='${_listener}'"
+if (-not \$ts) { throw "Listener '${_listener}' not found." }
+Set-CimInstance -InputObject \$ts -Property @{SSLCertificateSHA1Hash="${_thumb}"}
+Write-Host "Listener ${_listener} now uses ${_thumb}"
+
+${_restart_ps}
+PSEOF
+  )
+  _debug "Powershell script:${_ps1}"
+
+  # ---- run over a single ssh connection ----------------------------------
+  _ssh_opts="-o BatchMode=yes -p $_port"
+  if [ -n "$DEPLOY_WIN_RDP_SSH_OPTS" ]; then
+    _ssh_opts="$_ssh_opts $DEPLOY_WIN_RDP_SSH_OPTS"
+  fi
+
+  _info "Deploying to $DEPLOY_WIN_RDP_HOST ..."
+  # shellcheck disable=SC2086
+  if ! printf '%s\n' "$_ps1" | ssh $_ssh_opts "$_target" \
+    'powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command -'; then
+    _err "Remote install failed. Re-run acme.sh with --debug to see the PowerShell output."
+    return 1
+  fi
+
+  _info "Certificate for $_cdomain deployed and bound to $_listener on $DEPLOY_WIN_RDP_HOST."
+  return 0
+}
