From 1d0402a9b61cfd78fd62a78831e1c6f40e820165164925ce8c39561a28fc56e7 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Mon, 29 Mar 2021 14:02:51 +0000
Subject: [PATCH 1/4] Accepting request 879078 from home:oreinert:branches:security:dehydrated
Add directory where cleanup can archive unused certificates
OBS-URL: https://build.opensuse.org/request/show/879078
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=72
---
 dehydrated.changes | 5 +++++
 dehydrated.spec | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dehydrated.changes b/dehydrated.changes
index ea9cd24..869e5d3 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sun Mar 14 22:29:06 UTC 2021 - Olav Reinert
+
+- Add directory where cleanup can archive unused certificates
+
 -------------------------------------------------------------------
 Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin
diff --git a/dehydrated.spec b/dehydrated.spec
index 77b7794..ac53f9b 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -164,7 +164,7 @@ cp %{SOURCE10} .
 %install
 # sensitive keys
-mkdir -p %{buildroot}%{_home}/{accounts,certs,chains}
+mkdir -p %{buildroot}%{_home}/{accounts,archive,certs,chains}
 mkdir -p %{buildroot}%{_sbindir}
 mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_home}/config.d
@@ -232,6 +232,7 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %defattr(-,root,root)
 %attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
+%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/archive
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/chains
 %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
From 5b368e02a5599943222e5de3ae63fcb47f69479e455e7b9fef34cf433443fd86 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Mon, 29 Mar 2021 16:26:11 +0000
Subject: [PATCH 2/4] Accepting request 882014 from home:darix:playground
- Do not use the full path for config.d in the config files, which will simplify implementing multi instance support.
- Added more-examples.patch: Explain how we can have per certificate key algorithms
OBS-URL: https://build.opensuse.org/request/show/882014
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=73
---
 dehydrated.changes | 12 ++++++++++
 dehydrated.spec | 4 +++-
 more-examples.patch | 55 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 more-examples.patch
diff --git a/dehydrated.changes b/dehydrated.changes
index 869e5d3..c755c5a 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert
+
+- Do not use the full path for config.d in the config files, which
+ will simplify implementing multi instance support.
+
+-------------------------------------------------------------------
+Mon Mar 29 16:07:44 UTC 2021 - Marcus Rueckert
+
+- Added more-examples.patch:
+ Explain how we can have per certificate key algorithms
+
 -------------------------------------------------------------------
 Sun Mar 14 22:29:06 UTC 2021 - Olav Reinert
diff --git a/dehydrated.spec b/dehydrated.spec
index ac53f9b..edfec66 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -63,6 +63,7 @@ Source11: README.hooks
 Source12: %{name}-%{version}.tar.gz.asc
 Source13: %{name}.keyring
 Source14: %{name}-rpmlintrc
+Patch: more-examples.patch
 BuildRequires: %{_apache}
 Requires: coreutils
 Requires: curl
@@ -157,6 +158,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
 %prep
 %setup -q
+%patch -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .
@@ -215,7 +217,7 @@ install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
 # Adjust config file
 perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
-perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config
+perl -p -i -e 's|#CONFIG_D=|CONFIG_D="\${BASEDIR}/config.d"|' %{buildroot}%{_home}/config
 perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config
 perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config
diff --git a/more-examples.patch b/more-examples.patch
new file mode 100644
index 0000000..4570724
--- /dev/null
+++ b/more-examples.patch
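Review bot: The new `CONFIG_D="\${BASEDIR}/config.d"` value in the -215,7 hunk only resolves correctly if BASEDIR is already defined at the moment dehydrated sources the config; nothing on this page sets BASEDIR, and if it is empty at that point the path silently expands to `/config.d`. dehydrated appears to derive BASEDIR from the directory it found the config in, which would be right for /etc/dehydrated, but it is worth confirming the same holds for an instance started with `--config` pointing at another directory, since that multi-instance case is the stated reason for the change. A comment next to the perl line, e.g. `# CONFIG_D is resolved against BASEDIR at runtime so per-instance config directories need no spec-level path`, would record that assumption for the next maintainer.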
@@ -0,0 +1,55 @@
+Index: dehydrated-0.7.0/docs/domains_txt.md
+===================================================================
+--- dehydrated-0.7.0.orig/docs/domains_txt.md
++++ dehydrated-0.7.0/docs/domains_txt.md
+@@ -34,6 +34,30 @@ under your `CERTDIR`.
+ example.net www.example.net wiki.example.net > certalias
+ ```
++
++This allows to set per certificates options. The options you can change are
++explained in [Per Certificate Config](per-certificate-config.md).
++
++If you want to create different certificate types for the same domain
++you can use:
++
++```text
++*.service.example.org service.example.org > star_service_example_org_rsa
++*.service.example.org service.example.org > star_service_example_org_ecdsa
++```
++
++Then add a config file `certs/star_service_example_org_rsa/config` with
++the value
++
++```
++KEY_ALGO="rsa"
++```
++
++or respectively
++
++```
++KEY_ALGO="ecdsa"
++```
++
+ ### Wildcards
+
+ Support for wildcards was added by the ACME v2 protocol.
+Index: dehydrated-0.7.0/docs/examples/domains.txt
+===================================================================
+--- dehydrated-0.7.0.orig/docs/examples/domains.txt
++++ dehydrated-0.7.0/docs/examples/domains.txt
+@@ -24,6 +24,15 @@ example.net www.example.net > certalias
+ # NOTE: It is a certificate for 'service.example.org'
+ *.service.example.org service.example.org > star_service_example_org
+
++# Optionally you can also append the certificate algorithm here to create
++# multiple certificate types for the same domain.
++#
++# This allows to set per certificates options. The options you can change are
++# explained in [domains.txt documentation](domains_txt.md).
++#
++*.service.example.org service.example.org > star_service_example_org_rsa
++*.service.example.org service.example.org > star_service_example_org_ecdsa
++
+ # Create a certificate for 'service.example.net' with an alternative name of
+ # '*.service.example.net' (which is a wildcard domain) and store it in the
+ # directory ${CERTDIR}/service.example.net
From abdad1b762f9fe23d13f5ed32a1dd5d4a782fa2a1575f96d329bcb150e8058aa Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Tue, 30 Mar 2021 14:53:39 +0000
Subject: [PATCH 3/4] Accepting request 882188 from home:darix:playground
- Enable instantiated services (boo#1184165)
- Prepare instantiated service/timer support but not enable it: This seems to fail due to missing systemd support right now. So the only option at the moment is to copy the timer and unit file for a 2nd instance. Mark all files as part of dehydrated.target
- Rework support for /etc/dehydrated/postrun-hooks.d/: dehydrated.service nolonger starts them directly, the support was moved to a separate unit file. Please run: systemctl enable dehydrated-postrun-hooks.service to restore this functionality
- Run dehydrated as dehydrated user again
OBS-URL: https://build.opensuse.org/request/show/882188
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=74
---
 dehydrated-postrun-hooks.service | 14 ++++++
 dehydrated-postrun-hooks@.service | 14 ++++++
 dehydrated.changes | 25 ++++++++++
 dehydrated.service.in => dehydrated.service | 6 +--
 dehydrated.spec | 53 ++++++++++++++++-----
 dehydrated.target | 4 ++
 dehydrated.timer | 5 +-
 dehydrated@.service | 12 +++++
 dehydrated@.timer | 11 +++++
 9 files changed, 126 insertions(+), 18 deletions(-)
 create mode 100644 dehydrated-postrun-hooks.service
 create mode 100644 dehydrated-postrun-hooks@.service
 rename dehydrated.service.in => dehydrated.service (72%)
 create mode 100644 dehydrated.target
 create mode 100644 dehydrated@.service
 create mode 100644 dehydrated@.timer
diff --git a/dehydrated-postrun-hooks.service b/dehydrated-postrun-hooks.service
new file mode 100644
index 0000000..eb347ae
--- /dev/null
+++ b/dehydrated-postrun-hooks.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Postrun Hooks Runner for Dehydrated
+ConditionPathExists=/etc/dehydrated/postrun-hooks.d
+After=dehydrated.service
+PartOf=dehydrated.target
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
+User=root
+Group=root
+
+[Install]
+RequiredBy=dehydrated.service
\ No newline at end of file
diff --git a/dehydrated-postrun-hooks@.service b/dehydrated-postrun-hooks@.service
new file mode 100644
index 0000000..413914c
--- /dev/null
+++ b/dehydrated-postrun-hooks@.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Postrun Hooks Runner for Dehydrated: %i
+ConditionPathExists=/etc/dehydrated-%i/postrun-hooks.d/
+After=dehydrated@%i.service
+PartOf=dehydrated.target
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d/ -maxdepth 1 -executable -type f -exec {} \;
+User=root
+Group=root
+
+[Install]
+RequiredBy=dehydrated@%i.service
diff --git a/dehydrated.changes b/dehydrated.changes
index c755c5a..45bbfd8 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
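Review bot: dehydrated-postrun-hooks.service executes every executable file under /etc/dehydrated/postrun-hooks.d as root (`User=root` with `ExecStart=-/usr/bin/find -L ... -exec {} \;`), while the same series moves dehydrated.service itself to `User=dehydrated`; that split is only a privilege boundary if the hooks directory and its entries are writable by root alone, and the spec hunks on this page set modes only for accounts, archive, certs, chains and config, not for postrun-hooks.d, whose `-L` traversal also follows symlinks placed there. Either ship the directory from the spec with a root-owned mode (the `%attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated` entry is the existing pattern) or state the requirement in the unit, e.g. `# Hooks run as root: /etc/dehydrated/postrun-hooks.d and its entries must not be writable by the dehydrated user`. Note also that a hook's non-zero exit is not propagated by `find -exec`, and the leading `-` on ExecStart would mask it anyway, so a broken hook is visible only in the journal. dehydrated-postrun-hooks@.service in the next hunk has the same shape for /etc/dehydrated-%i/postrun-hooks.d/.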
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Tue Mar 30 14:20:42 UTC 2021 - Marcus Rueckert
+
+- Enable instantiated services (boo#1184165)
+
+-------------------------------------------------------------------
+Mon Mar 29 16:18:57 UTC 2021 - Marcus Rueckert
+
+- Prepare instantiated service/timer support but not enable it:
+ This seems to fail due to missing systemd support right now.
+ So the only option at the moment is to copy the timer and unit
+ file for a 2nd instance. Mark all files as part of dehydrated.target
+
+-------------------------------------------------------------------
+Mon Mar 29 16:18:27 UTC 2021 - Marcus Rueckert
+
+- Rework support for /etc/dehydrated/postrun-hooks.d/:
+ dehydrated.service nolonger starts them directly, the support was
+ moved to a separate unit file. Please run:
+
+ systemctl enable dehydrated-postrun-hooks.service
+
+ to restore this functionality
+- Run dehydrated as dehydrated user again
+
 -------------------------------------------------------------------
 Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert
diff --git a/dehydrated.service.in b/dehydrated.service
similarity index 72%
rename from dehydrated.service.in
rename to dehydrated.service
index 6038ab0..6cc2e3c 100644
--- a/dehydrated.service.in
+++ b/dehydrated.service
@@ -3,12 +3,12 @@ Description=Certificate Update Runner for Dehydrated
 ConditionPathExists=/etc/dehydrated/config
 After=network-online.target
 Wants=acmeresponder.socket
+PartOf=dehydrated.target
 [Service]
 Type=oneshot
-ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
 ExecStart=/usr/bin/dehydrated --cron
 # dehydrated --cron will drop permissions and run critical code as dehydrated user.
-User=root
-Group=root
+User=dehydrated
+Group=dehydrated
diff --git a/dehydrated.spec b/dehydrated.spec
index edfec66..e9fd6c3 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
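Review bot: The retained comment `# dehydrated --cron will drop permissions and run critical code as dehydrated user.` in the dehydrated.service hunk is now misleading: with `User=dehydrated` and `Group=dehydrated` added directly below it the unit starts unprivileged, so there are no permissions left for dehydrated to drop. Suggest `# Runs unprivileged as the dehydrated user (no privilege drop needed); postrun hooks now run from dehydrated-postrun-hooks.service`. The spec on this page still writes `DEHYDRATED_USER="dehydrated"` into /etc/dehydrated/config; whether dehydrated handles that setting gracefully when it is already running as that user is not visible here and is worth a quick check.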
@@ -16,6 +16,14 @@
 #
+%bcond_without instantiated_service
+%define base_services dehydrated.timer dehydrated.service dehydrated-postrun-hooks.service
+%if %{with instantiated_service}
+%define services dehydrated.target %{base_services} dehydrated@.timer dehydrated@.service dehydrated-postrun-hooks@.service
+%else
+%define services %{base_services}
+%endif
+
 %define _challengedir %{_localstatedir}/lib/acme-challenge
 %define _user dehydrated
 %define _home %{_sysconfdir}/dehydrated
@@ -55,7 +63,7 @@ Source1: acme-challenge.conf.apache.in
 Source2: acme-challenge.conf.nginx.in
 Source4: dehydrated.cron.in
 Source5: dehydrated.tmpfiles.d
-Source6: dehydrated.service.in
+Source6: dehydrated.service
 Source7: dehydrated.timer
 Source9: README.maintainer
 Source10: README.Fedora
@@ -63,6 +71,11 @@ Source11: README.hooks
 Source12: %{name}-%{version}.tar.gz.asc
 Source13: %{name}.keyring
 Source14: %{name}-rpmlintrc
+Source15: dehydrated@.service
+Source16: dehydrated@.timer
+Source17: dehydrated.target
+Source18: dehydrated-postrun-hooks.service
+Source19: dehydrated-postrun-hooks@.service
 Patch: more-examples.patch
 BuildRequires: %{_apache}
 Requires: coreutils
@@ -143,17 +156,17 @@ getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
 if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
 %if %{with systemd}
-%service_add_pre dehydrated.service dehydrated.timer
+%service_add_pre %{services}
 %post
-systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
-%service_add_post dehydrated.service dehydrated.timer
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||:
+%service_add_post %{services}
 %preun
-%service_del_preun dehydrated.service dehydrated.timer
+%service_del_preun %{services}
 %postun
-%service_del_postun dehydrated.service dehydrated.timer
+%service_del_postun %{services}
 %endif
 %prep
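Review bot: `%define services` in the -16,6 hunk passes the template units `dehydrated@.timer`, `dehydrated@.service` and `dehydrated-postrun-hooks@.service`, plus `dehydrated.target` (which has no [Install] section), to `%service_add_pre`/`%service_add_post`/`%service_del_preun`/`%service_del_postun` in the -143,17 hunk; a template unit cannot be enabled or preset by its bare name without an instance, so for those entries the macros are presumably no-ops or emit errors, which may be the "missing systemd support" failure the changelog describes. Consider keeping `%{services}` to the concrete units and only installing the templates, with a comment such as `# template units and dehydrated.target are installed but not enabled; enable dehydrated@<instance>.timer per instance`, or document why the bare template names are listed.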
@@ -197,12 +210,23 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
 %if %{with systemd}
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 # Use timer
-sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
-install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
-install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
+install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/dehydrated.service
+install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
+install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks.service
+
+%if %{with instantiated_service}
+install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/dehydrated@.service
+install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dehydrated@.timer
+install -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks@.service
+install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/dehydrated.target
+%else
+perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/*
+
+%endif
+
 if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then
 # No support for this attribute in systemd < v229
-sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
+sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
 fi
 %if 0%{?suse_version}
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
@@ -225,7 +249,7 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 # Rename existing config file config files fror nginx
 %if %{with nginx}
-%pre nginx
+%pre nginx
 [ -f %{_sysconfdir}/nginx/conf.d/acme-challenge ] && \
 mv %{_sysconfdir}/nginx/conf.d/acme-challenge %{_sysconfdir}/nginx/conf.d/acme-challenge.conf || :
 %endif
@@ -253,8 +277,11 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %endif
 %if %{with systemd}
 %{_tmpfilesdir}/%{name}.conf
-%{_unitdir}/dehydrated.service
-%{_unitdir}/dehydrated.timer
+%{_unitdir}/dehydrated*.service
+%{_unitdir}/dehydrated*.timer
+%if %{with instantiated_service}
+%{_unitdir}/dehydrated.target
+%endif
 %if 0%{?suse_version}
 %{_sbindir}/rcdehydrated
 %endif
diff --git a/dehydrated.target b/dehydrated.target
new file mode 100644
index 0000000..93f6b8c
--- /dev/null
+++ b/dehydrated.target
@@ -0,0 +1,4 @@
+[Unit]
+Description=Target to allow restarting and stopping of all parts of dehydrated
+PartOf=dehydrated.target
+
diff --git a/dehydrated.timer b/dehydrated.timer
index 7b03f4a..7445566 100644
--- a/dehydrated.timer
+++ b/dehydrated.timer
@@ -1,10 +1,11 @@
 [Unit]
-Description=Run Certificate Update Runner for Dehydrated
+Description=Timer for Certificate Update Runner for Dehydrated
+PartOf=dehydrated.target
 [Timer]
 OnCalendar=daily
 # Two hour window
 RandomizedDelaySec=7200
-
+
 [Install]
 WantedBy=timers.target
diff --git a/dehydrated@.service b/dehydrated@.service
new file mode 100644
index 0000000..c5e26b5
--- /dev/null
+++ b/dehydrated@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certificate Update Runner for Dehydrated
+ConditionPathExists=/etc/dehydrated/config
+After=network-online.target
+Wants=acmeresponder.socket
+PartOf=dehydrated.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated-%i/config
+User=dehydrated
+Group=dehydrated
diff --git a/dehydrated@.timer b/dehydrated@.timer
new file mode 100644
index 0000000..7445566
--- /dev/null
+++ b/dehydrated@.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Timer for Certificate Update Runner for Dehydrated
+PartOf=dehydrated.target
+
+[Timer]
+OnCalendar=daily
+# Two hour window
+RandomizedDelaySec=7200
+
+[Install]
+WantedBy=timers.target
From af93c182f39fd2d30e4cfa9a884de8995b6e39668f8e487312cca58dea4b1942 Mon Sep 17 00:00:00 2001
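Review bot: dehydrated.target declares `PartOf=dehydrated.target`, a dependency on itself; systemd is expected to ignore a unit's self-dependency (likely with a warning), and the line adds nothing because the other units in this commit already carry `PartOf=dehydrated.target`. Drop that line, and since `%service_add_post %{services}` also lists the target while it has no [Install] section, decide whether it should gain one or be left out of the macro list. A comment such as `# Stopping or restarting this target stops/restarts every unit that is PartOf= it` would record the target's purpose in the file itself.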
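Review bot: dehydrated@.service runs `--config /etc/dehydrated-%i/config` but its `ConditionPathExists=/etc/dehydrated/config` tests the non-instance path, so an instance whose config exists only under /etc/dehydrated-%i is skipped, and an instance whose config was removed still starts (and fails) as long as the default config is present; dehydrated-postrun-hooks@.service in the same commit already uses the instance path `/etc/dehydrated-%i/postrun-hooks.d/`. Change the line to `ConditionPathExists=/etc/dehydrated-%i/config`. The `Description=` also lacks the `%i` the hooks template carries, so instances are indistinguishable in `systemctl` output; `Description=Certificate Update Runner for Dehydrated: %i` would match the sibling unit.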
From: Daniel Molkentin
Date: Tue, 30 Mar 2021 15:03:35 +0000
Subject: [PATCH 4/4] Extend the package maintainer README
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=75
---
 README.maintainer | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/README.maintainer b/README.maintainer
index ef40e3f..9626c51 100644
--- a/README.maintainer
+++ b/README.maintainer
@@ -165,6 +165,19 @@ Upgrade Notes
 v0.7.0
 ------
+Postrun Hooks
+~~~~~~~~~~~~~
+
+dehydrated.service no longer starts scripts in /etc/dehydrated/postrun-hooks.d/
+directly, the support was moved to a separate unit file. Please run
+
+ systemctl enable dehydrated-postrun-hooks.service
+
+to restore this functionality.
+
+This change was required to ensure that the output of the dehydrated script stays
+attached to the dehydrated unit in the journal.
+
 Key Algorithm
 ~~~~~~~~~~~~~