From 10d381b04ab0dcbb63454551aaeffba6bf02e89e12e1655933aadd96ea9adecf Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Fri, 27 Jan 2017 10:00:22 +0000
Subject: [PATCH] Accepting request 441496 from security
Lightweight LE client (formally known as letsencrypt.sh). I'll maintain in in TW.
OBS-URL: https://build.opensuse.org/request/show/441496
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=1
---
.gitattributes | 23 ++++++
.gitignore | 1 +
acme-challenge.conf.in | 7 ++
acme-challenge.in | 21 ++++++
dehydrated-0.3.1.tar.gz | 3 +
dehydrated.changes | 68 ++++++++++++++++++
dehydrated.cron.in | 5 ++
dehydrated.spec | 156 ++++++++++++++++++++++++++++++++++++++++
8 files changed, 284 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 acme-challenge.conf.in
create mode 100644 acme-challenge.in
create mode 100644 dehydrated-0.3.1.tar.gz
create mode 100644 dehydrated.changes
create mode 100644 dehydrated.cron.in
create mode 100644 dehydrated.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/acme-challenge.conf.in b/acme-challenge.conf.in
new file mode 100644
index 0000000..fc5dd93
--- /dev/null
+++ b/acme-challenge.conf.in
@@ -0,0 +1,7 @@
+Alias /.well-known/acme-challenge @CHALLENGEDIR@
+
+ Options None
+ AllowOverride None
+ Require all granted
+ Header add Content-Type text/plain
+
diff --git a/acme-challenge.in b/acme-challenge.in
new file mode 100644
index 0000000..e261278
--- /dev/null
+++ b/acme-challenge.in
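Review bot: `Header add Content-Type text/plain` in acme-challenge.conf.in depends on mod_headers, and nothing in the snippet guards for it, so on a host where that module is not loaded the server configuration would fail to parse once this file is installed. Using the core directive `ForceType text/plain` instead, or wrapping the line in `<IfModule mod_headers.c>`, removes that dependency. If the header approach is kept, `Header set` is the safer verb because `add` appends a second value rather than replacing an existing one. The lines around `Options None` look like a `<Directory>` block whose tags were lost in this rendering, so this is judged only on the directives that remain visible.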
@@ -0,0 +1,21 @@
+# This adds a the acme challenge directory to
+# your hosts config file. You will only need
+# this on port 80. The following snippet shows
+# how to use in on a HTTP server that only
+# redirects to HTTPS otherwise. it's important
+# to wrap the rest into a "location /" block.
+#
+#server {
+# listen 80 default_server;
+# listen [::]:80 default_server;
+#
+# include "acme-challenge";
+# location / {
+# return 301 https://$host$request_uri;
+# }
+#}
+
+location /.well-known/acme-challenge {
+ alias @CHALLENGEDIR@;
+}
+
diff --git a/dehydrated-0.3.1.tar.gz b/dehydrated-0.3.1.tar.gz
new file mode 100644
index 0000000..4013bc8
--- /dev/null
+++ b/dehydrated-0.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7c9b9475b442dd19dbc33a26426444054781e14a2f122d2a2405f81093484239
+size 71375
diff --git a/dehydrated.changes b/dehydrated.changes
new file mode 100644
index 0000000..90d2e22
--- /dev/null
+++ b/dehydrated.changes
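Review bot: The `location /.well-known/acme-challenge` block in acme-challenge.in is a plain prefix match with no trailing slash, so it also matches any URI that merely begins with that string, and `alias @CHALLENGEDIR@;` then maps such requests to sibling paths next to the challenge directory instead of inside it. Anchoring both sides keeps the mapping inside the directory: `location ^~ /.well-known/acme-challenge/ { alias @CHALLENGEDIR@/; }`. The `^~` modifier also prevents a regex location in the including server block from taking over challenge requests. A `default_type text/plain;` inside the block would match what the Apache snippet in this commit does for the token files.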
@@ -0,0 +1,68 @@
+-------------------------------------------------------------------
+Mon Nov 14 09:26:41 UTC 2016 - jengelh@inai.de
+
+- Test for user/group before adding them and don't suppress errors
+
+-------------------------------------------------------------------
+Thu Nov 10 10:41:09 UTC 2016 - daniel@molkentin.de
+
+- Fix MIN HOUR order in crontab (boo#1009452)
+
+-------------------------------------------------------------------
+Tue Sep 13 18:57:09 UTC 2016 - danimo@owncloud.com
+
+- Bump to v0.3.1
+- Rename to dehydrated
+
+-------------------------------------------------------------------
+Sun May 22 20:23:58 UTC 2016 - danimo@owncloud.com
+
+- Bump to v0.2.0
+- This version fixes a json-parsing bug which made letsencrypt.sh
+ incompatible with up-to-date ACME servers.
+- PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid
+ confusion with certificate keys
+- deploy_cert hook now also has the certificates timestamp as standalone
+ parameter
+- Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
+- Private keys are now regenerated by default
+- Added documentation to repository
+- Fixed bug with uppercase names in domains.txt (script now converts everything
+ to lowercase)
+- mktemp no longer uses the deprecated -t parameter.
+- Compatibility with "pretty" json
+
+-------------------------------------------------------------------
+Wed Apr 20 01:03:52 UTC 2016 - danimo@owncloud.com
+
+- Explicitly add group and license, required for SLES 11
+
+-------------------------------------------------------------------
+Wed Apr 20 00:57:18 UTC 2016 - danimo@owncloud.com
+
+- Add nginx integration package
+- Proper dir permissions for apache package (755, not 644)
+
+-------------------------------------------------------------------
+Mon Apr 18 18:25:44 UTC 2016 - draht@schaltsekun.de
+
+- fix build requirement for shadow (>=openSUSE-12.3) and pwdutils
+ (before 12.3).
+- missing changelog for last change by danimo: do not require mod_ssl for
+ suse distrbutions.
+
+-------------------------------------------------------------------
+Mon Mar 28 17:05:02 UTC 2016 - danimo@owncloud.com
+
+- Add alias to /.well-known/acme-challenge by default
+
+-------------------------------------------------------------------
+Sat Mar 26 09:33:25 UTC 2016 - danimo@owncloud.com
+
+- Add cron, do not remove letsencrypt user, adjust permissions
+
+-------------------------------------------------------------------
+Fri Mar 25 18:42:00 UTC 2016 - danimo@owncloud.com
+
+- Initial commit
+
diff --git a/dehydrated.cron.in b/dehydrated.cron.in
new file mode 100644
index 0000000..0065bc9
--- /dev/null
+++ b/dehydrated.cron.in
@@ -0,0 +1,5 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
+
+25 3 * * * @USER@ test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron
diff --git a/dehydrated.spec b/dehydrated.spec
new file mode 100644
index 0000000..3e56470
--- /dev/null
+++ b/dehydrated.spec
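Review bot: The fixed `25 3 * * *` slot in dehydrated.cron.in means every installation of this package contacts the ACME server in the same minute each day, which concentrates load on the CA and makes rate-limit or outage failures coincide across hosts. A randomised delay before `/usr/bin/dehydrated --cron`, or a per-host minute chosen at install time, would spread the requests. The file also has no comment; one line such as `# Daily renewal check, run as the unprivileged @USER@ account` above the job would record why the user field is templated. With `MAILTO=root`, a failed renewal is only noticed if root's mail is read, which is worth stating in the package documentation.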
@@ -0,0 +1,156 @@
+#
+# spec file for package dehydrated
+#
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# See also http://en.opensuse.org/openSUSE:Specfile_guidelines
+
+%if 0%{?suse_version}
+%define _apache apache2
+%else
+%define _apache httpd
+%endif
+%define _challengedir /var/lib/acme-challenge
+%define _user dehydrated
+%define _home /etc/dehydrated
+
+Name: dehydrated
+Version: 0.3.1
+Release: 0
+Summary: A client for signing certificates with an ACME server
+License: MIT
+Group: Productivity/Networking/Security
+Url: https://github.com/lukas2511/dehydrated
+Source0: %{name}-%{version}.tar.gz
+Source1: acme-challenge.conf.in
+Source2: acme-challenge.in
+Source3: dehydrated.cron.in
+Requires: curl
+Requires: openssl
+Requires: coreutils
+%if 0%{?suse_version}
+Requires: cron
+%endif
+Requires(pre): /usr/sbin/useradd
+Requires(pre): /usr/sbin/groupadd
+Requires(pre): /usr/bin/getent
+# openSUSE >= 12.3 has shadow, pwdutils is provided but obsoleted.
+%if 0%{?suse_version} >= 1230
+BuildRequires: shadow
+%endif
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildArch: noarch
+
+Obsoletes: letsencrypt.sh < %{version}
+Provides: letsencrypt.sh = %{version}
+
+%description
+This is a client for signing certificates with an ACME server
+(currently only provided by letsencrypt) implemented as a relatively
+simple bash-script.
+
+It uses the openssl utility for everything related to actually
+handling keys and certificates, so you need to have that installed.
+
+Other dependencies are: curl, sed, grep, mktemp (all found on almost
+any system, curl being the only exception)
+
+Current features:
+
+* Signing of a list of domains
+* Signing of a CSR
+* Renewal if a certificate is about to expire or SAN (subdomains) changed
+* Certificate revocation
+
+%package %{_apache}
+Group: Productivity/Networking/Security
+License: MIT
+Requires: %{name}
+Requires: %{_apache}
+%if ! 0%{?suse_version}
+Requires: mod_ssl
+%endif
+Obsoletes: letsencrypt.sh-%{_apache} < %{version}
+Provides: letsencrypt.sh-%{_apache} = %{version}
+Summary: Apache Integration for dehydrated
+
+%description %{_apache}
+This adds a configuration file for dehydrated's acme-challenge to Apache.
+
+%package nginx
+Group: Productivity/Networking/Security
+License: MIT
+Requires: %{name}
+Requires: nginx
+Obsoletes: letsencrypt.sh-nginx < %{version}
+Provides: letsencrypt.sh-nginx = %{version}
+Summary: Nginx Integration for dehydrated
+
+%description nginx
+This adds a configuration file for dehydrated's acme-challenge to nginx.
+
+%pre
+getent group %{_user} >/dev/null || /usr/sbin/groupadd -r %{_user}
+getent passwd %{_user} >/dev/null || /usr/sbin/useradd -g %{_user} \
+ -s /bin/false -r -c "%{_user}" -d %{_home} %{_user}
+if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chown -R %{_user} /etc/dehydrated; fi
+if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi
+
+%prep
+%setup -q
+
+%build
+
+%install
+# sensitive keys
+mkdir -p %{buildroot}%{_home}
+
+sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
+install -m 0644 docs/examples/* %{buildroot}%{_home}
+install -m 0755 -d %{buildroot}/usr/bin
+install -m 0755 dehydrated %{buildroot}/usr/bin
+install -m 0755 -d %{buildroot}%{_challengedir}
+
+install -m 0755 -d %{buildroot}/etc/%{_apache}/conf.d
+sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
+install -m 0644 acme-challenge.conf %{buildroot}/etc/%{_apache}/conf.d
+install -m 0755 -d %{buildroot}/etc/nginx
+sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
+install -m 0644 acme-challenge %{buildroot}/etc/nginx
+install -m 0755 -d %{buildroot}/etc/cron.d
+sed "s,@USER@,%{_user},g" %{SOURCE3} > dehydrated.cron
+install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
+
+%files
+%defattr(-,root,root)
+%attr(750,%{_user},root) %dir %{_sysconfdir}/dehydrated
+%config %{_sysconfdir}/dehydrated/config
+%config %{_sysconfdir}/dehydrated/domains.txt
+%config %{_sysconfdir}/dehydrated/hook.sh
+%config %{_sysconfdir}/cron.d/dehydrated
+%{_bindir}/dehydrated
+%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
+%doc LICENSE README.md docs/*.md docs/*.jpg
+
+%files %{_apache}
+%defattr(-,root,root,-)
+%config %{_sysconfdir}/%{_apache}
+
+%files nginx
+%defattr(-,root,root,-)
+%config %{_sysconfdir}/nginx
+
+%changelog
+
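Review bot: In `%files` of dehydrated.spec, `config`, `domains.txt` and `hook.sh` are marked plain `%config`, so an update that changes the shipped examples replaces the administrator's edited files (the old copy is kept as `.rpmsave`). A replaced `domains.txt` would stop renewals for the real domains without any error. Marking them `%config(noreplace) %{_sysconfdir}/dehydrated/domains.txt` (likewise for `config` and `hook.sh`) keeps local edits in place. The two subpackage sections list `%config %{_sysconfdir}/%{_apache}` and `%config %{_sysconfdir}/nginx`, which claims each server's whole configuration directory rather than the single snippet installed; naming the file, e.g. `%config(noreplace) %{_sysconfdir}/nginx/acme-challenge`, is narrower and avoids owning directories that belong to the web-server packages.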