From d58a1e75d6d5e87d463dd8beffb977b52b2336a0e5dbb9526702eb85d5b0adaa Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Fri, 27 Apr 2018 11:50:28 +0000
Subject: [PATCH 1/2] Accepting request 601877 from home:dmolkentin:branches:security:dehydrated
- Update to dehydrated 0.6.2
Added
* New deploy_ocsp hook
* Allow account registration with custom key
Changed
* Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
* Improved documentation on wildcards
Fixes
* Added workaround for compatibility with filesystem ACLs
* Close unwanted external file-descriptors
* Fixed JSON parsing on force-renewal (bsc#1091216)
* Fixed cleanup of challenge files/dns-entries on validation errors
* A few more minor fixes
OBS-URL: https://build.opensuse.org/request/show/601877
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=33
---
 0001-fixed-CA-url-in-example-config.patch | 36 ------------
 ...ficate-chain-for-ACMEv2-certificate-.patch | 56 -------------------
 dehydrated-0.6.1.tar.gz | 3 -
 dehydrated-0.6.1.tar.gz.asc | 11 ----
 dehydrated-0.6.2.tar.gz | 3 +
 dehydrated-0.6.2.tar.gz.asc | 11 ++++
 dehydrated.changes | 23 ++++++++
 dehydrated.spec | 6 +-
 8 files changed, 38 insertions(+), 111 deletions(-)
 delete mode 100644 0001-fixed-CA-url-in-example-config.patch
 delete mode 100644 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 delete mode 100644 dehydrated-0.6.1.tar.gz
 delete mode 100644 dehydrated-0.6.1.tar.gz.asc
 create mode 100644 dehydrated-0.6.2.tar.gz
 create mode 100644 dehydrated-0.6.2.tar.gz.asc
diff --git a/0001-fixed-CA-url-in-example-config.patch b/0001-fixed-CA-url-in-example-config.patch
deleted file mode 100644
index b7e86c3..0000000
--- a/0001-fixed-CA-url-in-example-config.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
-From: Lukas Schauer
-Date: Tue, 13 Mar 2018 21:08:20 +0100
-Subject: [PATCH] fixed CA url in example config
-
----
- docs/examples/config | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/docs/examples/config b/docs/examples/config
-index 1aa7d63..665704d 100644
---- a/docs/examples/config
-+++ b/docs/examples/config
-@@ -21,15 +21,15 @@
- # default:
- #IP_VERSION=
-
--# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
--#CA="https://acme-v01.api.letsencrypt.org/directory"
-+# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
-+#CA="https://acme-v02.api.letsencrypt.org/directory"
-
- # Path to old certificate authority
- # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
- # If dehydrated detects an account-key for the old CA it will automatically reuse that key
- # instead of registering a new one.
--# default:
--#OLDCA=
-+# default: https://acme-v01.api.letsencrypt.org/directory
-+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
-
- # Which challenge should be used? Currently http-01 and dns-01 are supported
- #CHALLENGETYPE="http-01"
---
-2.13.6
-
diff --git a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
deleted file mode 100644
index f994852..0000000
--- a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
-From: Lukas Schauer
-Date: Wed, 14 Mar 2018 18:50:28 +0100
-Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
- chain by default)
-
----
-diff --git a/dehydrated b/dehydrated
-index 4103649..0751a0b 100755
---- a/dehydrated
-+++ b/dehydrated
-@@ -990,20 +990,29 @@ sign_domain() {
-
- # Create fullchain.pem
- echo " + Creating fullchain.pem..."
-- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
-- local issuer_hash
-- issuer_hash="$(get_issuer_hash "${crt_path}")"
-- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
-- echo " + Using cached chain!"
-- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
-+ if [[ ${API} -eq 1 ]]; then
-+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
-+ local issuer_hash
-+ issuer_hash="$(get_issuer_hash "${crt_path}")"
-+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
-+ echo " + Using cached chain!"
-+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
-+ else
-+ echo " + Walking chain..."
-+ local issuer_cert_uri
-+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
-+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
-+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
-+ fi
-+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
- else
-- echo " + Walking chain..."
-- local issuer_cert_uri
-- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
-- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
-- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
-+ tmpcert="$(_mktemp)"
-+ tmpchain="$(_mktemp)"
-+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
-+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
-+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
-+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
- fi
-- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
-
- # Update symlinks
- [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
---
-2.13.6
-
diff --git a/dehydrated-0.6.1.tar.gz b/dehydrated-0.6.1.tar.gz
deleted file mode 100644
index e337a9d..0000000
--- a/dehydrated-0.6.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
-size 76693
diff --git a/dehydrated-0.6.1.tar.gz.asc b/dehydrated-0.6.1.tar.gz.asc
deleted file mode 100644
index 7dbd43c..0000000
--- a/dehydrated-0.6.1.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
-8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
-SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
-cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
-hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
-VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
-PyGB4G1924U1cLuAt2XJdB82y0LNIw==
-=JzFS
------END PGP SIGNATURE-----
diff --git a/dehydrated-0.6.2.tar.gz b/dehydrated-0.6.2.tar.gz
new file mode 100644
index 0000000..f1565e6
--- /dev/null
+++ b/dehydrated-0.6.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:163384479199f06f59382ceb6291a299567a2f4f0b963b9b61f2db65a407e80e
+size 77819
diff --git a/dehydrated-0.6.2.tar.gz.asc b/dehydrated-0.6.2.tar.gz.asc
new file mode 100644
index 0000000..7f46650
--- /dev/null
+++ b/dehydrated-0.6.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlrjA6gACgkQnE2+bPQ4
+8zNi/AgA7K3dhvkkMTGlUYYsT53McJflqhc/jb7Nbfi6nM6bw9avElvreJh0jvoD
+Hw0As92p1NA1Jm0iXZu4WgKDsL+7MKURQcjgoKNYQZbgd2wXajJKvxCI7xmvaX0N
+oKtzhKSp3MHPquAY/U6QYR7d74xFAsnoacNagSAiRUS72g5x4QO7txKfbbdq091d
+ZHu9tmeQYYI3sjOJC1DxCRxYYouxdvK78TG6xD6rfpURUra15vykhgu+2qP1s7ed
+b/t6MZwztwRiCWCeBilyunIOR1LQmvH2jhknT9Sf5KBMFoWgk1cCJega2FOUFpjD
++Jrg6CW2uTwA3KrQIG8T2wWyDQ2nqg==
+=VsfZ
+-----END PGP SIGNATURE-----
diff --git a/dehydrated.changes b/dehydrated.changes
index a95aded..c8e37c9 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Apr 27 11:14:45 UTC 2018 - daniel.molkentin@suse.com
+
+- Update to dehydrated 0.6.2
+
+ Added
+
+ * New deploy_ocsp hook
+ * Allow account registration with custom key
+
+ Changed
+
+ * Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
+ * Improved documentation on wildcards
+
+ Fixes
+
+ * Added workaround for compatibility with filesystem ACLs
+ * Close unwanted external file-descriptors
+ * Fixed JSON parsing on force-renewal (bsc#1091216)
+ * Fixed cleanup of challenge files/dns-entries on validation errors
+ * A few more minor fixes
+
 -------------------------------------------------------------------
 Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
diff --git a/dehydrated.spec b/dehydrated.spec
index eab57b3..c4c3f92 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -46,7 +46,7 @@
 %endif
 Name: dehydrated
-Version: 0.6.1
+Version: 0.6.2
 Release: 0
 Summary: A client for signing certificates with an ACME server
 License: MIT
@@ -65,8 +65,6 @@ Source10: README.Fedora
 Source11: README.hooks
 Source12: %{name}-%{version}.tar.gz.asc
 Source13: %{name}.keyring
-Patch1: 0001-fixed-CA-url-in-example-config.patch
-Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 BuildRequires: %{_apache}
 Requires: coreutils
 Requires: curl
@@ -184,8 +182,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .
From c421ebf0a9dbfe5176f3f9890664e509f6830c358ddbd422601bcd6833de9340 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Fri, 27 Apr 2018 11:56:07 +0000
Subject: [PATCH 2/2] Accepting request 601881 from home:dmolkentin:branches:security:dehydrated
* removes 0001-fixed-CA-url-in-example-config.patch
* removes 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
OBS-URL: https://build.opensuse.org/request/show/601881
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=34
---
 dehydrated.changes | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/dehydrated.changes b/dehydrated.changes
index c8e37c9..094ac15 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -2,6 +2,8 @@ Fri Apr 27 11:14:45 UTC 2018 - daniel.molkentin@suse.com
 - Update to dehydrated 0.6.2
+ * removes 0001-fixed-CA-url-in-example-config.patch
+ * removes 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 Added