Accepting request 601877 from home:dmolkentin:branches:security:dehydrated
- Update to dehydrated 0.6.2 Added * New deploy_ocsp hook * Allow account registration with custom key Changed * Don't walk certificate chain for ACMEv2 (certificate contains chain by default) * Improved documentation on wildcards Fixes * Added workaround for compatibility with filesystem ACLs * Close unwanted external file-descriptors * Fixed JSON parsing on force-renewal (bsc#1091216) * Fixed cleanup of challenge files/dns-entries on validation errors * A few more minor fixes OBS-URL: https://build.opensuse.org/request/show/601877 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=33
This commit is contained in:
parent
697d443d67
commit
d58a1e75d6
@ -1,36 +0,0 @@
|
||||
From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Schauer <lukas@schauer.so>
|
||||
Date: Tue, 13 Mar 2018 21:08:20 +0100
|
||||
Subject: [PATCH] fixed CA url in example config
|
||||
|
||||
---
|
||||
docs/examples/config | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/docs/examples/config b/docs/examples/config
|
||||
index 1aa7d63..665704d 100644
|
||||
--- a/docs/examples/config
|
||||
+++ b/docs/examples/config
|
||||
@@ -21,15 +21,15 @@
|
||||
# default: <unset>
|
||||
#IP_VERSION=
|
||||
|
||||
-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
|
||||
-#CA="https://acme-v01.api.letsencrypt.org/directory"
|
||||
+# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
|
||||
+#CA="https://acme-v02.api.letsencrypt.org/directory"
|
||||
|
||||
# Path to old certificate authority
|
||||
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
|
||||
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
|
||||
# instead of registering a new one.
|
||||
-# default: <unset>
|
||||
-#OLDCA=
|
||||
+# default: https://acme-v01.api.letsencrypt.org/directory
|
||||
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
|
||||
|
||||
# Which challenge should be used? Currently http-01 and dns-01 are supported
|
||||
#CHALLENGETYPE="http-01"
|
||||
--
|
||||
2.13.6
|
||||
|
@ -1,56 +0,0 @@
|
||||
From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Schauer <lukas@schauer.so>
|
||||
Date: Wed, 14 Mar 2018 18:50:28 +0100
|
||||
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
|
||||
chain by default)
|
||||
|
||||
---
|
||||
diff --git a/dehydrated b/dehydrated
|
||||
index 4103649..0751a0b 100755
|
||||
--- a/dehydrated
|
||||
+++ b/dehydrated
|
||||
@@ -990,20 +990,29 @@ sign_domain() {
|
||||
|
||||
# Create fullchain.pem
|
||||
echo " + Creating fullchain.pem..."
|
||||
- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
|
||||
- local issuer_hash
|
||||
- issuer_hash="$(get_issuer_hash "${crt_path}")"
|
||||
- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
||||
- echo " + Using cached chain!"
|
||||
- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
|
||||
+ if [[ ${API} -eq 1 ]]; then
|
||||
+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
|
||||
+ local issuer_hash
|
||||
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
|
||||
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
||||
+ echo " + Using cached chain!"
|
||||
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
|
||||
+ else
|
||||
+ echo " + Walking chain..."
|
||||
+ local issuer_cert_uri
|
||||
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
||||
+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
||||
+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
||||
+ fi
|
||||
+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
|
||||
else
|
||||
- echo " + Walking chain..."
|
||||
- local issuer_cert_uri
|
||||
- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
||||
- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
||||
- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
||||
+ tmpcert="$(_mktemp)"
|
||||
+ tmpchain="$(_mktemp)"
|
||||
+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
|
||||
+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
|
||||
+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
|
||||
+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
|
||||
fi
|
||||
- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
|
||||
|
||||
# Update symlinks
|
||||
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
|
||||
--
|
||||
2.13.6
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
|
||||
size 76693
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
|
||||
8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
|
||||
SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
|
||||
cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
|
||||
hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
|
||||
VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
|
||||
PyGB4G1924U1cLuAt2XJdB82y0LNIw==
|
||||
=JzFS
|
||||
-----END PGP SIGNATURE-----
|
3
dehydrated-0.6.2.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:163384479199f06f59382ceb6291a299567a2f4f0b963b9b61f2db65a407e80e
|
||||
size 77819
|
11
dehydrated-0.6.2.tar.gz.asc
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlrjA6gACgkQnE2+bPQ4
|
||||
8zNi/AgA7K3dhvkkMTGlUYYsT53McJflqhc/jb7Nbfi6nM6bw9avElvreJh0jvoD
|
||||
Hw0As92p1NA1Jm0iXZu4WgKDsL+7MKURQcjgoKNYQZbgd2wXajJKvxCI7xmvaX0N
|
||||
oKtzhKSp3MHPquAY/U6QYR7d74xFAsnoacNagSAiRUS72g5x4QO7txKfbbdq091d
|
||||
ZHu9tmeQYYI3sjOJC1DxCRxYYouxdvK78TG6xD6rfpURUra15vykhgu+2qP1s7ed
|
||||
b/t6MZwztwRiCWCeBilyunIOR1LQmvH2jhknT9Sf5KBMFoWgk1cCJega2FOUFpjD
|
||||
+Jrg6CW2uTwA3KrQIG8T2wWyDQ2nqg==
|
||||
=VsfZ
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 27 11:14:45 UTC 2018 - daniel.molkentin@suse.com
|
||||
|
||||
- Update to dehydrated 0.6.2
|
||||
|
||||
Added
|
||||
|
||||
* New deploy_ocsp hook
|
||||
* Allow account registration with custom key
|
||||
|
||||
Changed
|
||||
|
||||
* Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
|
||||
* Improved documentation on wildcards
|
||||
|
||||
Fixes
|
||||
|
||||
* Added workaround for compatibility with filesystem ACLs
|
||||
* Close unwanted external file-descriptors
|
||||
* Fixed JSON parsing on force-renewal (bsc#1091216)
|
||||
* Fixed cleanup of challenge files/dns-entries on validation errors
|
||||
* A few more minor fixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
|
||||
|
||||
|
@ -46,7 +46,7 @@
|
||||
%endif
|
||||
|
||||
Name: dehydrated
|
||||
Version: 0.6.1
|
||||
Version: 0.6.2
|
||||
Release: 0
|
||||
Summary: A client for signing certificates with an ACME server
|
||||
License: MIT
|
||||
@ -65,8 +65,6 @@ Source10: README.Fedora
|
||||
Source11: README.hooks
|
||||
Source12: %{name}-%{version}.tar.gz.asc
|
||||
Source13: %{name}.keyring
|
||||
Patch1: 0001-fixed-CA-url-in-example-config.patch
|
||||
Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
|
||||
BuildRequires: %{_apache}
|
||||
Requires: coreutils
|
||||
Requires: curl
|
||||
@ -184,8 +182,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
cp %{SOURCE9} .
|
||||
cp %{SOURCE10} .
|
||||
|
||||
|
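Review bot: Dropping `Patch1: 0001-fixed-CA-url-in-example-config.patch` together with its `%patch1 -p1` line assumes the 0.6.2 tarball already ships the acme-v02 CA URL in docs/examples/config, but the changelog entry added in this same commit lists only the chain-walk change, the wildcard documentation and "a few more minor fixes", so that should be confirmed against the unpacked 0.6.2 source rather than inferred; if the shipped example config still points at acme-v01, keep Patch1 until upstream carries it. The tarball signature check itself is unchanged (`Source12: %{name}-%{version}.tar.gz.asc` and `Source13: %{name}.keyring` stay, and the keyring is not touched here), and the new .asc appears to begin with the same signer-identifying prefix as the replaced 0.6.1 signature, so verification against the existing keyring is expected to succeed but should be exercised in the build rather than assumed. A short comment above those two lines, such as `# upstream tarball is verified against the packaged keyring; refresh the keyring if the release key changes`, would make that dependency explicit for the next version bump. The %prep section continues past the end of the hunk.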