Add Support for challenge validation plugin hooks

Author: techknowlogick

README.md

@@ -114,6 +114,7 @@ https://github.com/acmesh-official/acmetest
 - DNS mode
 - [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode)
 - [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode)
+- [HTTP API mode](https://github.com/acmesh-official/acme.sh/wiki/HTTP-API)
 
 
 # 1. How to install
@@ -358,7 +359,30 @@ Ok, it's done.
 
 **Please use dns api mode instead.**
 
-# 10. Issue ECC certificates
+# 10. Use HTTP API mode
+
+If you want to deploy the challenge files using an external method like SCP or FTPS, you can use the HTTP API mode:
+
+```bash
+acme.sh --issue -d example.com --httpapi scp
+```
+
+You'll need to configure the required environment variables first:
+
+```bash
+# For SCP plugin
+export HTTP_SCP_USER="username"
+export HTTP_SCP_HOST="example.com"
+export HTTP_SCP_PATH="/var/www/html"
+```
+
+Available HTTP API plugins:
+- `scp`: Deploy challenge files via SCP
+- `ftps`: Deploy challenge files via FTPS
+
+More information: [HTTP API mode](https://github.com/acmesh-official/acme.sh/wiki/HTTP-API)
+
+# 11. Issue ECC certificates
 
 Just set the `keylength` parameter with a prefix `ec-`.
 
@@ -388,7 +412,7 @@ Valid values are:
 6. **4096   (RSA4096)**
 
 
-# 11. Issue Wildcard certificates
+# 12. Issue Wildcard certificates
 
 It's simple, just give a wildcard domain as the `-d` parameter.
 
@@ -398,7 +422,7 @@ acme.sh  --issue -d example.com  -d '*.example.com'  --dns dns_cf
 
 
 
-# 12. How to renew the certs
+# 13. How to renew the certs
 
 No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
 
@@ -415,7 +439,7 @@ acme.sh --renew -d example.com --force --ecc
 ```
 
 
-# 13. How to stop cert renewal
+# 14. How to stop cert renewal
 
 To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
 
@@ -428,7 +452,7 @@ The cert/key file is not removed from the disk.
 You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.
 
 
-# 14. How to upgrade `acme.sh`
+# 15. How to upgrade `acme.sh`
 
 acme.sh is in constant development, so it's strongly recommended to use the latest code.
 
@@ -453,24 +477,24 @@ acme.sh --upgrade --auto-upgrade 0
 ```
 
 
-# 15. Issue a cert from an existing CSR
+# 16. Issue a cert from an existing CSR
 
 https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR
 
 
-# 16. Send notifications in cronjob
+# 17. Send notifications in cronjob
 
 https://github.com/acmesh-official/acme.sh/wiki/notify
 
 
-# 17. Under the Hood
+# 18. Under the Hood
 
 Speak ACME language using shell, directly to "Let's Encrypt".
 
 TODO:
 
 
-# 18. Acknowledgments
+# 19. Acknowledgments
 
 1. Acme-tiny: https://github.com/diafygi/acme-tiny
 2. ACME protocol: https://github.com/ietf-wg-acme/acme
@@ -508,7 +532,7 @@ Support this project with your organization. Your logo will show up here with a
 
 
 
-# 19. License & Others
+# 20. License & Others
 
 License is GPLv3
 
@@ -517,7 +541,7 @@ Please Star and Fork me.
 [Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome.
 
 
-# 20. Donate
+# 21. Donate
 Your donation makes **acme.sh** better:
 
 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)

acme.sh

@@ -17,8 +17,9 @@ _SCRIPT_="$0"
 _SUB_FOLDER_NOTIFY="notify"
 _SUB_FOLDER_DNSAPI="dnsapi"
 _SUB_FOLDER_DEPLOY="deploy"
+_SUB_FOLDER_HTTPAPI="httpapi"
 
-_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
+_SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY $_SUB_FOLDER_HTTPAPI"
 
 CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
@@ -72,6 +73,7 @@ DEFAULT_RENEW=60
 NO_VALUE="no"
 
 W_DNS="dns"
+W_HTTPAPI="http"
 W_ALPN="alpn"
 DNS_ALIAS_PREFIX="="
 
@@ -3396,6 +3398,7 @@ _restoreNginx() {
 _clearup() {
   _stopserver "$serverproc"
   serverproc=""
+  _cleanup_http_entries
   _restoreApache
   _restoreNginx
   _clearupdns
@@ -3407,6 +3410,42 @@ _clearup() {
   fi
 }
 
+_cleanup_http_entries() {
+  if [ -z "$_http_entries" ]; then
+    _debug "_cleanup_http_entries: No HTTP entries to clean up"
+    return 0
+  fi
+  _debug "Cleaning up HTTP entries: $_http_entries"
+
+  entries=$(echo "$_http_entries" | tr "$dvsep" ' ')
+  for entry in $entries; do
+    d=$(echo "$entry" | cut -d "$sep" -f 1)
+    token=$(echo "$entry" | cut -d "$sep" -f 2)
+    keyauthorization=$(echo "$entry" | cut -d "$sep" -f 3)
+    _httpapi=$(echo "$entry" | cut -d "$sep" -f 4)
+
+    _debug "Removing HTTP challenge for $d using $_httpapi"
+
+    h_api="$(_findHook "$d" $_SUB_FOLDER_HTTPAPI "$_httpapi")"
+    if [ "$h_api" ]; then
+      if ! . "$h_api"; then
+        _err "Error loading HTTP API file: $h_api"
+        continue
+      fi
+
+      _remove_fn="${_httpapi}_rm"
+      if ! _exists "$_remove_fn"; then
+        _err "HTTP API file doesn't implement removal function: $_remove_fn"
+        continue
+      fi
+
+      if ! "$_remove_fn" "$d" "$token" "$keyauthorization"; then
+        _err "Error removing HTTP challenge for domain: $d"
+      fi
+    fi
+  done
+}
+
 _clearupdns() {
   _debug "_clearupdns"
   _debug "dns_entries" "$dns_entries"
@@ -4987,6 +5026,56 @@ $_authorizations_map"
           NGINX_RESTORE_VLIST="$d$sep$_realConf$sep$_backup$dvsep$NGINX_RESTORE_VLIST"
         fi
         _sleep 1
+      elif _startswith "$_currentRoot" "http_"; then
+        _info "Using HTTP API validation for domain: $d"
+        _httpapi="$(echo "$_currentRoot" | cut -d "_" -f 2-)"
+        h_api="$(_findHook "$d" $_SUB_FOLDER_HTTPAPI "$_currentRoot")"
+        _debug h_api "$h_api"
+
+        if [ "$h_api" ]; then
+          _debug "Found domain HTTP API file: $h_api"
+          if ! . "$h_api"; then
+            _err "Error loading HTTP API file: $h_api"
+            _cleanup_http_entries
+            _clearup
+            _on_issue_err "$_post_hook" "$vlist"
+            return 1
+          fi
+
+          _deploy_fn="${_currentRoot}_deploy"
+          if ! _exists "$_deploy_fn"; then
+            _err "HTTP API file doesn't implement deployment function: $_deploy_fn"
+            _cleanup_http_entries
+            _clearup
+            _on_issue_err "$_post_hook" "$vlist"
+            return 1
+          fi
+
+          if ! "$_deploy_fn" "$d" "$token" "$keyauthorization"; then
+            _err "Error deploying HTTP challenge for domain: $d"
+            _cleanup_http_entries
+            _clearup
+            _on_issue_err "$_post_hook" "$vlist"
+            return 1
+          fi
+
+          _http_entries="${_http_entries}${d}${sep}${token}${sep}${keyauthorization}${sep}${_currentRoot}${dvsep}"
+        else
+          # Fall back to normal webroot challenge if no hook is found
+          _info "No HTTP API hook found for $_currentRoot, falling back to normal validation"
+          if [ "$_currentRoot" = "apache" ]; then
+            wellknown_path="$ACME_DIR"
+          else
+            wellknown_path="$_currentRoot/.well-known/acme-challenge"
+            if [ ! -d "$_currentRoot/.well-known" ]; then
+              removelevel='1'
+            elif [ ! -d "$_currentRoot/.well-known/acme-challenge" ]; then
+              removelevel='2'
+            else
+              removelevel='3'
+            fi
+          fi
+        fi
       else
         if [ "$_currentRoot" = "apache" ]; then
           wellknown_path="$ACME_DIR"
@@ -7073,6 +7162,7 @@ Parameters:
 
   --password <password>             Add a password to exported pfx file. Use with --to-pkcs12.
 
+  --http-api <provider>             Use HTTP API for challenge validation
 
 "
 }
@@ -7351,6 +7441,7 @@ _process() {
   _preferred_chain=""
   _valid_from=""
   _valid_to=""
+  _http_api=""
   while [ ${#} -gt 0 ]; do
     case "${1}" in
 
@@ -7873,6 +7964,18 @@ _process() {
       _preferred_chain="$2"
       shift
       ;;
+    --http-api)
+      wvalue="$W_HTTPAPI"
+      if [ "$2" ] && ! _startswith "$2" "-"; then
+        wvalue="$2"
+        shift
+      fi
+      if [ -z "$_webroot" ]; then
+        _webroot="$wvalue"
+      else
+        _webroot="$_webroot,$wvalue"
+      fi
+      ;;
     *)
       _err "Unknown parameter: $1"
       return 1