Accepting request 601877 from home:dmolkentin:branches:security:dehydrated

- Update to dehydrated 0.6.2
  Added
  * New deploy_ocsp hook
  * Allow account registration with custom key
  Changed
  * Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
  * Improved documentation on wildcards
  Fixes
  * Added workaround for compatibility with filesystem ACLs
  * Close unwanted external file-descriptors
  * Fixed JSON parsing on force-renewal (bsc#1091216)
  * Fixed cleanup of challenge files/dns-entries on validation errors
  * A few more minor fixes

OBS-URL: https://build.opensuse.org/request/show/601877
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=33
Daniel Molkentin 2018-04-27 11:50:28 +00:00 committed by Git OBS Bridge
parent 697d443d67
commit d58a1e75d6
8 changed files with 38 additions and 111 deletions


@ -1,36 +0,0 @@
From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
From: Lukas Schauer <lukas@schauer.so>
Date: Tue, 13 Mar 2018 21:08:20 +0100
Subject: [PATCH] fixed CA url in example config
---
docs/examples/config | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/examples/config b/docs/examples/config
index 1aa7d63..665704d 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -21,15 +21,15 @@
# default: <unset>
#IP_VERSION=
-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
-#CA="https://acme-v01.api.letsencrypt.org/directory"
+# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
+#CA="https://acme-v02.api.letsencrypt.org/directory"
# Path to old certificate authority
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
-# default: <unset>
-#OLDCA=
+# default: https://acme-v01.api.letsencrypt.org/directory
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
# Which challenge should be used? Currently http-01 and dns-01 are supported
#CHALLENGETYPE="http-01"
--
2.13.6


@ -1,56 +0,0 @@
From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
From: Lukas Schauer <lukas@schauer.so>
Date: Wed, 14 Mar 2018 18:50:28 +0100
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
chain by default)
---
diff --git a/dehydrated b/dehydrated
index 4103649..0751a0b 100755
--- a/dehydrated
+++ b/dehydrated
@@ -990,20 +990,29 @@ sign_domain() {
# Create fullchain.pem
echo " + Creating fullchain.pem..."
- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
- local issuer_hash
- issuer_hash="$(get_issuer_hash "${crt_path}")"
- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
- echo " + Using cached chain!"
- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+ if [[ ${API} -eq 1 ]]; then
+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+ local issuer_hash
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+ echo " + Using cached chain!"
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+ else
+ echo " + Walking chain..."
+ local issuer_cert_uri
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ fi
+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
else
- echo " + Walking chain..."
- local issuer_cert_uri
- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ tmpcert="$(_mktemp)"
+ tmpchain="$(_mktemp)"
+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
fi
- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
# Update symlinks
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
--
2.13.6


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
size 76693


@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
PyGB4G1924U1cLuAt2XJdB82y0LNIw==
=JzFS
-----END PGP SIGNATURE-----

dehydrated-0.6.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:163384479199f06f59382ceb6291a299567a2f4f0b963b9b61f2db65a407e80e
size 77819


@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlrjA6gACgkQnE2+bPQ4
8zNi/AgA7K3dhvkkMTGlUYYsT53McJflqhc/jb7Nbfi6nM6bw9avElvreJh0jvoD
Hw0As92p1NA1Jm0iXZu4WgKDsL+7MKURQcjgoKNYQZbgd2wXajJKvxCI7xmvaX0N
oKtzhKSp3MHPquAY/U6QYR7d74xFAsnoacNagSAiRUS72g5x4QO7txKfbbdq091d
ZHu9tmeQYYI3sjOJC1DxCRxYYouxdvK78TG6xD6rfpURUra15vykhgu+2qP1s7ed
b/t6MZwztwRiCWCeBilyunIOR1LQmvH2jhknT9Sf5KBMFoWgk1cCJega2FOUFpjD
+Jrg6CW2uTwA3KrQIG8T2wWyDQ2nqg==
=VsfZ
-----END PGP SIGNATURE-----


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Fri Apr 27 11:14:45 UTC 2018 - daniel.molkentin@suse.com
- Update to dehydrated 0.6.2
Added
* New deploy_ocsp hook
* Allow account registration with custom key
Changed
* Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
* Improved documentation on wildcards
Fixes
* Added workaround for compatibility with filesystem ACLs
* Close unwanted external file-descriptors
* Fixed JSON parsing on force-renewal (bsc#1091216)
* Fixed cleanup of challenge files/dns-entries on validation errors
* A few more minor fixes
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com


@ -46,7 +46,7 @@
%endif %endif
Name: dehydrated Name: dehydrated
Version: 0.6.1 Version: 0.6.2
Release: 0 Release: 0
Summary: A client for signing certificates with an ACME server Summary: A client for signing certificates with an ACME server
License: MIT License: MIT
@ -65,8 +65,6 @@ Source10: README.Fedora
Source11: README.hooks Source11: README.hooks
Source12: %{name}-%{version}.tar.gz.asc Source12: %{name}-%{version}.tar.gz.asc
Source13: %{name}.keyring Source13: %{name}.keyring
Patch1: 0001-fixed-CA-url-in-example-config.patch
Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
BuildRequires: %{_apache} BuildRequires: %{_apache}
Requires: coreutils Requires: coreutils
Requires: curl Requires: curl
@ -184,8 +182,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%prep %prep
%setup -q %setup -q
%patch1 -p1
%patch2 -p1
cp %{SOURCE9} . cp %{SOURCE9} .
cp %{SOURCE10} . cp %{SOURCE10} .
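Review bot: Removing the `Patch1:`/`Patch2:` declarations and the matching `%patch1 -p1`/`%patch2 -p1` lines in `%prep` is only safe if both fixes are in the 0.6.2 tarball, and the new changelog entry confirms that for 0002 ("Don't walk certificate chain for ACMEv2") but says nothing about 0001, the change of the default `CA` to the acme-v02 endpoint, so a reader of this commit cannot tell whether the shipped example config now points at ACMEv2 without unpacking the tarball. Both deleted files are upstream commits by the dehydrated author from March 2018, so they presumably landed in 0.6.2, but that should be recorded rather than implied: add a changelog line such as `- Drop 0001-fixed-CA-url-in-example-config.patch and 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch, both included upstream in 0.6.2`. Since the spec still lists the detached signature and keyring as `Source12`/`Source13`, it is worth noting that the new `.asc` carries the same signer-fingerprint prefix as the one being deleted, so the existing keyring remains the right trust anchor for the new tarball; whether the build actually verifies Source12 against Source13 is not visible in this hunk and should be checked. The `%prep` section continues past the end of this hunk.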