Accepting request 531761 from home:dmolkentin:branches:security:dehydrated
- Remove unused hooks directory
- Introduced a directory for custom post-run hooks executed as root, see README.SUSE for details. (not to be confused with the native hooks run as dehydrated user)
- Clarify necessity of enabling dehydrated.timer in README.SUSE
- Submit to SLE15 as per fate#323377
- Add optional post run hook directory, executed by cron/systemd after dehydrated --cron has run
- Remove hook directory intended for packaging other native hooks. Will be approached differently

OBS-URL: https://build.opensuse.org/request/show/531761
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=13
This commit is contained in:
parent
3a1b390a5c
commit
4089aed6d0
45
README.SUSE
@ -7,16 +7,32 @@ certificates (aka SSL Certificates) as simple as possible, while still being
|
|||||||
useful in a broad amount of use cases. Please consult the dehydrated man page,
|
useful in a broad amount of use cases. Please consult the dehydrated man page,
|
||||||
then continue reading here.
|
then continue reading here.
|
||||||
|
|
||||||
Aqcuisition through HTTP (http-01)
|
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||||
|
|
||||||
|
IMPORTANT: On systemd-enabled system (SLE12+), you need to enable the update
|
||||||
|
timer, which has obsoleted the cron job. This is independent on which method
|
||||||
|
you chose from below!
|
||||||
|
|
||||||
|
# systemctl enable dehydrated.timer
|
||||||
|
|
||||||
|
Also note that with the systemd timer, failures will not be mailed to the
|
||||||
|
system administrator, but are being logged to the systemd journal, as per
|
||||||
|
systemd's design philosophy.
|
||||||
|
|
||||||
|
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||||
|
|
||||||
|
Acquisition through HTTP (http-01)
|
||||||
===================================
|
===================================
|
||||||
|
|
||||||
This is the primary method of acquiring certifictes.
|
This is the primary method of acquiring certifictes. The Certificate Authority
|
||||||
|
will provide a challenge that the requestor needs to provide via HTTP on port 80/TCP,
|
||||||
|
in /.well-known/acme-challenge/.
|
||||||
|
|
||||||
Setting up the acme-challenge auto-responder
|
Setting up the acme-challenge auto-responder
|
||||||
--------------------------------------------
|
--------------------------------------------
|
||||||
|
|
||||||
Apache
|
Apache (easiest)
|
||||||
~~~~~~
|
~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
If you are using Apache, just install dehydrated-apache2 and reload Apache.
|
If you are using Apache, just install dehydrated-apache2 and reload Apache.
|
||||||
This will take care of setting up the acme-challenge auto-responder.
|
This will take care of setting up the acme-challenge auto-responder.
|
||||||
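Review bot: the new line `Aqcuisition through HTTP (http-01)` placed directly above the `!!!` banner looks like a stray, misspelled copy of the real heading that follows the banner (`Acquisition through HTTP (http-01)` with its `===` underline); drop it. In the same hunk, `On systemd-enabled system (SLE12+)` should read `systems`, `independent on which method` should be `independent of which method`, and the rewritten sentence still carries the pre-existing `certifictes` typo (`certificates`), which is worth fixing while the line is being touched.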
@ -57,11 +73,11 @@ Machines without a webserver
|
|||||||
|
|
||||||
On machines that are not running any web server, e.g. mail relays, you can run
|
On machines that are not running any web server, e.g. mail relays, you can run
|
||||||
apache2 with dehydrated-apache2. If you do not want to run any web server on a
|
apache2 with dehydrated-apache2. If you do not want to run any web server on a
|
||||||
system with systemd, you can use dehydrated-acmeresponder, a small socket
|
system with systemd permnently, you can use dehydrated-acmeresponder. This is a
|
||||||
activated server. Once installed, it will automatically listen on port 80
|
small socket activated server. Once installed, it will automatically listen on
|
||||||
whenever the dehydrated cron job seeks renewal, assuming no other server is
|
port 80 whenever the dehydrated cron job seeks renewal, assuming no other
|
||||||
currently occupying the port. It will also shut down once the timer has
|
server is currently occupying the port. It will also shut down once the timer
|
||||||
finished execution.
|
has finished execution.
|
||||||
|
|
||||||
Acquisition of initial certificate
|
Acquisition of initial certificate
|
||||||
----------------------------------
|
----------------------------------
|
||||||
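Review bot: `permnently` on the rewritten line should be `permanently`, and `socket activated` reads better hyphenated as `socket-activated`. Since the sentence was split anyway, the shorter form `you can use dehydrated-acmeresponder, a small socket-activated server.` keeps the description in one sentence.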
@ -107,7 +123,7 @@ Ansible or Salt. For details, please refer to dns-verification.md. For
|
|||||||
openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
|
openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
|
||||||
and DNS servers.
|
and DNS servers.
|
||||||
|
|
||||||
Proceeding After initial certificate Aquisition
|
Proceeding after initial certificate aquisition
|
||||||
===============================================
|
===============================================
|
||||||
|
|
||||||
Setting up the SSL host
|
Setting up the SSL host
|
||||||
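Review bot: the re-cased heading keeps the misspelling `aquisition`; it should be `acquisition`, and the `===` underline beneath it needs one more character to stay at least as long as the heading.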
@ -129,10 +145,13 @@ Limitations & Ceveats
|
|||||||
|
|
||||||
* It is currently not possible to aqcuire Wildcard certificates
|
* It is currently not possible to aqcuire Wildcard certificates
|
||||||
* No EV- or OV-validated certificates
|
* No EV- or OV-validated certificates
|
||||||
* Certificates expire within weeks, not years, this is by design. Ensure that
|
* Certificates expire within weeks, not years. This is by design. Ensure that
|
||||||
certificate renewal works and that daemons get reloaded frequently to pick
|
certificate renewal works and that daemons get reloaded frequently to pick
|
||||||
up certificate updates (This is currently not automated on the dehydrated end,
|
up certificate updates. Apache will work due to log rotation SIGHUP'ing
|
||||||
however Apache will reload every night due to log rotation).
|
the process frequently. However, any other actions, such as service reloads
|
||||||
|
need to be provided as a script in /etc/dehydrated/postrun-hooks.d, which
|
||||||
|
will be executed by the cron script / systemd timer *after* an update run
|
||||||
|
has been performed.
|
||||||
|
|
||||||
Links
|
Links
|
||||||
=====
|
=====
|
||||||
|
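Review bot: the new paragraph about /etc/dehydrated/postrun-hooks.d never says that these scripts run as root, although that is the reason the directory exists (README.hooks states it, but README.SUSE is what administrators actually read); state the privilege level here too, e.g. `... need to be provided as a script in /etc/dehydrated/postrun-hooks.d. These scripts are executed as root by the cron job / systemd timer *after* an update run has been performed.` Two smaller points: a comma is missing after `such as service reloads`, and the text should say that the hooks run after every update run, not only when a certificate was actually renewed, so a reload hook should be cheap or check the certificate timestamps itself before restarting services.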
4
README.hooks
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
Dehydrated's hooks only run as user dehydrated. To circumvent this limitation,
|
||||||
|
i.e. when services need to be restarted, all executable files in this directory
|
||||||
|
will be executed as root after the certificate update has run.
|
||||||
|
|
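Review bot: because every executable file here runs as root, the README should spell out the rest of the loop's behaviour: `find -L` follows symbolic links, so a symlink placed in this directory executes its target as root as well; the files run in whatever order find returns them, which is not sorted; and they run after every update run, not only when a certificate changed. One or two sentences on this, plus a note that the directory is intentionally root-owned and not writable by the dehydrated user, makes the trust boundary explicit for the administrator dropping scripts in here.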
@ -1,3 +1,25 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Remove unused hooks directory
|
||||||
|
|
||||||
|
- Introduced a directory for custom post-run hooks executed as root,
|
||||||
|
see README.SUSE for details. (not to be confused with the native hooks
|
||||||
|
run as dehyrated user)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 29 15:14:29 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Clarify necessity of enabling dehydrated.timer in README.SUSE
|
||||||
|
|
||||||
|
- Submit to SLE15 as per fate#323377
|
||||||
|
|
||||||
|
- Add optional post run hook directory, executed by cron/systemd
|
||||||
|
after dehydrated --cron has run
|
||||||
|
|
||||||
|
- Remove hook directory intended for packaging other native hooks.
|
||||||
|
Will be approach differently
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
|
Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
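Review bot: two typos in the new changelog entries: `run as dehyrated user` should be `dehydrated`, and `Will be approach differently` should be `Will be approached differently`. The Sep 29 entry also states that the hook directory is `executed by cron/systemd after dehydrated --cron has run`, which is true for the cron file in this request but not for the service unit, where the hooks are wired to `ExecStartPre-=` (see the dehydrated.service hunk).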
@ -2,4 +2,4 @@ SHELL=/bin/sh
|
|||||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
MAILTO=root
|
MAILTO=root
|
||||||
|
|
||||||
25 3 * * * @USER@ test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron
|
25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;
|
||||||
|
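Review bot: the job now runs as `root` and relies on `dehydrated --cron` dropping privileges itself (the user/group configuration patch), so a misconfigured or missing user setting runs the ACME client as root; a one-line comment in the cron file stating that assumption would help whoever audits it later. The hook loop has two robustness problems on the changed line: `$(find ...)` is word-split, so a hook file name containing whitespace breaks the loop, and find's output order is unspecified, so hooks with ordering dependencies are unreliable. `find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -type f -executable -exec {} \;` avoids the splitting. The `&&` chain is right: hooks run only when dehydrated succeeded, which is the behaviour the service unit should mirror.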
@ -6,7 +6,9 @@ Wants=acmeresponder.socket
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
|
||||||
ExecStart=/usr/bin/dehydrated --cron
|
ExecStart=/usr/bin/dehydrated --cron
|
||||||
|
|
||||||
User=@USER@
|
# dehydrated --cron will drop permissions and run critical code as dehydrated user.
|
||||||
Group=@USER@
|
User=root
|
||||||
|
Group=root
|
||||||
|
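Review bot: `ExecStartPre-=` on the added line is not valid unit syntax; systemd warns about an unknown key in `[Service]` and ignores the line, so on the timer path the hooks never run at all. The `-` (ignore failure) prefix belongs in front of the command, and, more importantly, the hooks must run after `dehydrated --cron`, not before it, as README.SUSE and the cron job say: use `ExecStartPost=/bin/sh -c '...'`. With `Type=oneshot`, ExecStartPost runs once ExecStart has completed and is skipped when ExecStart failed, which matches the cron file's `&&` semantics. The same word-splitting caveat as in the cron file applies to the `for i in $(find ...)` loop, and since the unit now runs as `root` the comment about `dehydrated --cron` dropping privileges is welcome; consider also noting in it which config key the drop depends on.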
@ -19,6 +19,7 @@
|
|||||||
%define _challengedir %{_localstatedir}/lib/acme-challenge
|
%define _challengedir %{_localstatedir}/lib/acme-challenge
|
||||||
%define _user dehydrated
|
%define _user dehydrated
|
||||||
%define _home %{_sysconfdir}/dehydrated
|
%define _home %{_sysconfdir}/dehydrated
|
||||||
|
%define _postrunhooks %{_home}/postrun-hooks.d
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1230
|
%if 0%{?suse_version} > 1230
|
||||||
%define _lock_dir /run/dehydrated
|
%define _lock_dir /run/dehydrated
|
||||||
@ -28,7 +29,7 @@
|
|||||||
%bcond_with systemd
|
%bcond_with systemd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{defined is_opensuse} || %{defined fedora}
|
%if 0%{?is_opensuse} || %{defined fedora}
|
||||||
%bcond_without nginx
|
%bcond_without nginx
|
||||||
%bcond_without lighttpd
|
%bcond_without lighttpd
|
||||||
%else
|
%else
|
||||||
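Review bot: `%{defined is_opensuse}` is true whenever the macro exists, even when it expands to 0, so the old test could enable the nginx and lighttpd bconds on non-openSUSE builds; the new `0%{?is_opensuse}` form is correct, but it is a behaviour change that none of the changes entries mention. Add a changelog line for it.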
@ -62,6 +63,7 @@ Source7: dehydrated.timer
|
|||||||
Source8: dehydrated.1
|
Source8: dehydrated.1
|
||||||
Source9: README.SUSE
|
Source9: README.SUSE
|
||||||
Source10: README.Fedora
|
Source10: README.Fedora
|
||||||
|
Source11: README.hooks
|
||||||
# Patch submitted to upstream
|
# Patch submitted to upstream
|
||||||
Patch1: 0001-Add-optional-user-and-group-configuration.patch
|
Patch1: 0001-Add-optional-user-and-group-configuration.patch
|
||||||
# Patch from upstream
|
# Patch from upstream
|
||||||
@ -199,12 +201,13 @@ mkdir -p %{buildroot}%{_home}/{accounts,certs}
|
|||||||
mkdir -p %{buildroot}%{_sbindir}
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
mkdir -p %{buildroot}%{_mandir}/man1
|
mkdir -p %{buildroot}%{_mandir}/man1
|
||||||
mkdir -p %{buildroot}%{_home}/config.d
|
mkdir -p %{buildroot}%{_home}/config.d
|
||||||
mkdir -p %{buildroot}%{_home}/hooks # used by hook packages
|
mkdir -p %{buildroot}%{_postrunhooks}
|
||||||
|
|
||||||
cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
||||||
|
|
||||||
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
|
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
|
||||||
install -m 0644 docs/examples/* %{buildroot}%{_home}
|
install -m 0644 docs/examples/* %{buildroot}%{_home}
|
||||||
|
install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
|
||||||
install -m 0755 -d %{buildroot}%{_bindir}
|
install -m 0755 -d %{buildroot}%{_bindir}
|
||||||
install -m 0755 dehydrated %{buildroot}%{_bindir}
|
install -m 0755 dehydrated %{buildroot}%{_bindir}
|
||||||
install -m 0755 -d %{buildroot}%{_challengedir}
|
install -m 0755 -d %{buildroot}%{_challengedir}
|
||||||
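Review bot: installing README.hooks into the hook directory with mode 0644 is exactly what keeps it out of the `-executable -type f` loop; add a comment on the `install -m 0644 %{SOURCE11}` line saying so, because the dependency between the file mode and "this runs as root after every update" is not obvious to someone later touching the spec. The removed `mkdir -p %{buildroot}%{_home}/hooks` line matches the changelog's "Remove hook directory intended for packaging other native hooks", so that part is consistent.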
@ -227,10 +230,10 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
|
|||||||
|
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||||
sed "s,@USER@,%{_user},g" %{SOURCE6} > dehydrated.service
|
|
||||||
# Use timer
|
# Use timer
|
||||||
|
sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
|
||||||
install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
|
install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
|
||||||
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
|
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
|
||||||
%if 0%{?suse_version}
|
%if 0%{?suse_version}
|
||||||
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
|
||||||
%endif
|
%endif
|
||||||
@ -238,7 +241,7 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
|
|||||||
install -D -d -m 0750 %{buildroot}%{_lock_dir}
|
install -D -d -m 0750 %{buildroot}%{_lock_dir}
|
||||||
# Use cron
|
# Use cron
|
||||||
install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
|
install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
|
||||||
sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
|
sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE4} > dehydrated.cron
|
||||||
install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
|
install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
|
||||||
%endif #with systemd
|
%endif #with systemd
|
||||||
|
|
||||||
@ -259,7 +262,8 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
|
|||||||
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/config.d
|
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/config.d
|
||||||
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
|
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
|
||||||
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
|
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
|
||||||
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hooks
|
%dir %attr(750,root,%{_user}) %{_postrunhooks}
|
||||||
|
%config(noreplace) %attr(640,root,%{_user}) %{_postrunhooks}/README.hooks
|
||||||
%{_bindir}/dehydrated
|
%{_bindir}/dehydrated
|
||||||
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
|
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
|
||||||
%{_mandir}/man1/*
|
%{_mandir}/man1/*
|
||||||
|
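Review bot: `%config(noreplace)` is the wrong file class for README.hooks on the added line: it is documentation, not configuration, and with noreplace an updated README would never reach existing installations. Use `%doc` or a plain file entry instead. The `%dir %attr(750,root,%{_user}) %{_postrunhooks}` entry is the right ownership for a directory whose contents execute as root (only root can add files, the dehydrated user can merely list them); a short comment in the spec stating that intent would discourage a future chown of the directory to the service user.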