Accepting request 882190 from security:dehydrated
- Enable instantiated services (boo#1184165)
- Prepare instantiated service/timer support but not enable it: This seems to fail due to missing systemd support right now. So the only option at the moment is to copy the timer and unit file for a 2nd instance. Mark all files as part of dehydrated.target
- Rework support for /etc/dehydrated/postrun-hooks.d/: dehydrated.service no longer starts them directly, the support was moved to a separate unit file. Please run: systemctl enable dehydrated-postrun-hooks.service to restore this functionality
- Run dehydrated as dehydrated user again
- Do not use the full path for config.d in the config files, which will simplify implementing multi instance support.
- Added more-examples.patch: Explain how we can have per certificate key algorithms
- Add directory where cleanup can archive unused certificates

OBS-URL: https://build.opensuse.org/request/show/882190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=22
commit e23c889637
@@ -165,6 +165,19 @@ Upgrade Notes
 v0.7.0
 ------
 
+Postrun Hooks
+~~~~~~~~~~~~~
+
+dehydrated.service no longer starts scripts in /etc/dehydrated/postrun-hooks.d/
+directly, the support was moved to a separate unit file. Please run
+
+systemctl enable dehydrated-postrun-hooks.service
+
+to restore this functionality.
+
+This change was required to ensure that the output of the dehydrated script stays
+attached to the dehydrated unit in the journal.
+
 Key Algorithm
 ~~~~~~~~~~~~~
 
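Review bot: the upgrade note only covers the single-instance unit, but this request also ships dehydrated-postrun-hooks@.service with the same RequiredBy= opt-in, so anyone running a second instance also needs `systemctl enable dehydrated-postrun-hooks@<instance>.service`; add that under the `systemctl enable dehydrated-postrun-hooks.service` line. It would also help to say where hook output lands now (the separate unit's journal, `journalctl -u dehydrated-postrun-hooks.service`) and that the hooks keep running as root while dehydrated.service itself now runs as the dehydrated user, since hook authors may have relied on the old ExecStartPost= environment.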
dehydrated-postrun-hooks.service (new file, 14 lines)
@@ -0,0 +1,14 @@
[Unit]
Description=Postrun Hooks Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/postrun-hooks.d
After=dehydrated.service
PartOf=dehydrated.target

[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root

[Install]
RequiredBy=dehydrated.service
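Review bot: hook failures are invisible with this ExecStart= line. The leading `-` tells systemd to ignore find's exit status, and find's own exit status is not affected by a non-zero exit from a hook run through `-exec {} \;`, so a hook that fails (say a web server reload that did not happen) leaves the unit inactive with no failed state to alert on. Run the hooks from a small shell loop that exits non-zero on the first failure, or at least drop the `-`. Two smaller points: find's directory order is not sorted, so unlike run-parts the hooks have no defined run order, and because the unit only has `After=dehydrated.service` (no Requires=), it still runs when the renewal unit failed; `Requires=dehydrated.service` would tie the two together.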
dehydrated-postrun-hooks@.service (new file, 14 lines)
@@ -0,0 +1,14 @@
[Unit]
Description=Postrun Hooks Runner for Dehydrated: %i
ConditionPathExists=/etc/dehydrated-%i/postrun-hooks.d/
After=dehydrated@%i.service
PartOf=dehydrated.target

[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d/ -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root

[Install]
RequiredBy=dehydrated@%i.service
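Review bot: this template has the same error swallowing as the non-instanced unit (`-` prefix plus `find -exec {} \;`), so fix both the same way. Specific to this file: the `%i` in `RequiredBy=dehydrated@%i.service` is resolved at `systemctl enable` time, and the changes file says instanced units failed on the systemd at hand, so state which systemd version the package expects for this to work. The hooks of every instance still run as root from a directory under /etc/dehydrated-%i, which is fine as long as those directories stay root-owned; worth a comment in the unit.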
@@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Tue Mar 30 14:20:42 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Enable instantiated services (boo#1184165)
+
+-------------------------------------------------------------------
+Mon Mar 29 16:18:57 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Prepare instantiated service/timer support but not enable it:
+This seems to fail due to missing systemd support right now.
+So the only option at the moment is to copy the timer and unit
+file for a 2nd instance. Mark all files as part of dehydrated.target
+
+-------------------------------------------------------------------
+Mon Mar 29 16:18:27 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Rework support for /etc/dehydrated/postrun-hooks.d/:
+dehydrated.service nolonger starts them directly, the support was
+moved to a separate unit file. Please run:
+
+systemctl enable dehydrated-postrun-hooks.service
+
+to restore this functionality
+- Run dehydrated as dehydrated user again
+
+-------------------------------------------------------------------
+Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Do not use the full path for config.d in the config files, which
+will simplify implementing multi instance support.
+
+-------------------------------------------------------------------
+Mon Mar 29 16:07:44 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Added more-examples.patch:
+Explain how we can have per certificate key algorithms
+
+-------------------------------------------------------------------
+Sun Mar 14 22:29:06 UTC 2021 - Olav Reinert <seroton10@gmail.com>
+
+- Add directory where cleanup can archive unused certificates
+
 -------------------------------------------------------------------
 Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
 
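Review bot: the Mon Mar 29 16:18:57 entry says the instanced units are prepared but not enabled because of "missing systemd support", and the Tue Mar 30 entry above it enables them without saying what changed; one line on what resolved it, or which systemd version is required, would save the next reader a bisect. Style: "nolonger" in the Mon Mar 29 16:18:27 entry should be "no longer".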
@@ -3,12 +3,12 @@ Description=Certificate Update Runner for Dehydrated
 ConditionPathExists=/etc/dehydrated/config
 After=network-online.target
 Wants=acmeresponder.socket
+PartOf=dehydrated.target
 
 [Service]
 Type=oneshot
-ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
 ExecStart=/usr/bin/dehydrated --cron
 
 # dehydrated --cron will drop permissions and run critical code as dehydrated user.
-User=root
-Group=root
+User=dehydrated
+Group=dehydrated
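Review bot: the comment `# dehydrated --cron will drop permissions and run critical code as dehydrated user.` no longer describes the unit: with `User=dehydrated` and `Group=dehydrated` the process starts unprivileged, so there is nothing left to drop. Reword it to say the unit itself runs as the service user and that the root-only postrun hooks moved to dehydrated-postrun-hooks.service. With the `ExecStartPost=` line gone the `@POSTRUNHOOKS_DIR@` placeholder is gone too, which is why the file can stop being a `.in` template; a short comment pointing at the hooks unit would keep that discoverable for anyone reading only this file.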
@@ -16,6 +16,14 @@
 #
 
+%bcond_without instantiated_service
+%define base_services dehydrated.timer dehydrated.service dehydrated-postrun-hooks.service
+%if %{with instantiated_service}
+%define services dehydrated.target %{base_services} dehydrated@.timer dehydrated@.service dehydrated-postrun-hooks@.service
+%else
+%define services %{base_services}
+%endif
+
 %define _challengedir %{_localstatedir}/lib/acme-challenge
 %define _user dehydrated
 %define _home %{_sysconfdir}/dehydrated
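Review bot: prefer `%global` over `%define` for `base_services` and `services`; `%define` is lazily expanded and scoped to the enclosing block, while these macros are consumed later inside the `%if %{with systemd}` scriptlet sections, where `%global` behaves predictably. `%bcond_without instantiated_service` turns the templates on by default, which matches the Tue Mar 30 changes entry, but nothing in the spec says why the bcond exists or when to switch it off (the changes file mentions a systemd limitation); a one-line comment above the bcond would cover that.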
@@ -55,7 +63,7 @@ Source1: acme-challenge.conf.apache.in
 Source2: acme-challenge.conf.nginx.in
 Source4: dehydrated.cron.in
 Source5: dehydrated.tmpfiles.d
-Source6: dehydrated.service.in
+Source6: dehydrated.service
 Source7: dehydrated.timer
 Source9: README.maintainer
 Source10: README.Fedora
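Review bot: with Source6 now a plain unit file, dehydrated.service.in should be deleted from the package in the same request (this page shows no removal of it), and the `%{_postrunhooks}` substitution that used to go through the `.in` file has no consumer left in the unit. Check whether that macro is still defined and still used for creating and packaging the directory; otherwise the hook path exists only as the hardcoded `/etc/dehydrated/postrun-hooks.d` in dehydrated-postrun-hooks.service and the two can drift apart.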
@@ -63,6 +71,12 @@ Source11: README.hooks
 Source12: %{name}-%{version}.tar.gz.asc
 Source13: %{name}.keyring
 Source14: %{name}-rpmlintrc
+Source15: dehydrated@.service
+Source16: dehydrated@.timer
+Source17: dehydrated.target
+Source18: dehydrated-postrun-hooks.service
+Source19: dehydrated-postrun-hooks@.service
+Patch: more-examples.patch
 BuildRequires: %{_apache}
 Requires: coreutils
 Requires: curl
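Review bot: `Patch:` is unnumbered while every Source: tag is numbered; rpm treats it as patch 0, but write `Patch0:` so the mapping to the `%patch` call in %prep is explicit rather than relying on the default. The Source numbering skips 3 and 8, which predates this change but is worth tidying while the list is being extended.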
@@ -142,21 +156,22 @@ getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
 if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
 
 %if %{with systemd}
-%service_add_pre dehydrated.service dehydrated.timer
+%service_add_pre %{services}
 
 %post
-systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
-%service_add_post dehydrated.service dehydrated.timer
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||:
+%service_add_post %{services}
 
 %preun
-%service_del_preun dehydrated.service dehydrated.timer
+%service_del_preun %{services}
 
 %postun
-%service_del_postun dehydrated.service dehydrated.timer
+%service_del_postun %{services}
 %endif
 
 %prep
 %setup -q
+%patch -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .
 
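Review bot: `%patch -p1` with no number depends on rpm mapping the bare `Patch:` tag to patch 0; pair it with `Patch0:` and `%patch0 -p1`, or replace `%setup -q` plus `%patch` with `%autosetup -p1`. On the `%tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||:` line, the openSUSE macro already tolerates its own failure, so the trailing `||:` is redundant; confirm the expansion does not leave `||:` on a line of its own. `%service_add_pre`/`%service_add_post` now receive the template units and the target through `%{services}`; that is fine for preset handling but enables no instance, which is consistent with the upgrade notes.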
@@ -164,7 +179,7 @@ cp %{SOURCE10} .
 
 %install
 # sensitive keys
-mkdir -p %{buildroot}%{_home}/{accounts,certs,chains}
+mkdir -p %{buildroot}%{_home}/{accounts,archive,certs,chains}
 mkdir -p %{buildroot}%{_sbindir}
 mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_home}/config.d
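Review bot: the new `archive` directory is only used if dehydrated's `ARCHIVEDIR` resolves to it; the config adjustments later in this spec set LOCKFILE, CONFIG_D, DEHYDRATED_USER and DEHYDRATED_GROUP but nothing for ARCHIVEDIR, so this relies on the upstream default pointing at `${BASEDIR}/archive` with BASEDIR being %{_home}. Either set it explicitly in the config substitution or add a comment here saying the default is relied on. Archived certificates carry their old private keys, so the 700 dehydrated:dehydrated mode given in %files is the right one.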
@@ -195,9 +210,20 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
 %if %{with systemd}
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 # Use timer
-sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
-install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
+install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/dehydrated.service
 install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
+install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks.service
+
+%if %{with instantiated_service}
+install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/dehydrated@.service
+install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dehydrated@.timer
+install -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks@.service
+install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/dehydrated.target
+%else
+perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/*
+
+%endif
+
 if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then
 # No support for this attribute in systemd < v229
 sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
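Review bot: the systemd < 229 fallback after the new `%endif` only edits `dehydrated.timer`, but `dehydrated@.timer` added in this request also carries `RandomizedDelaySec=7200` and is left untouched, so it hits the same unsupported-directive problem the comment describes; change the sed target to `%{buildroot}%{_unitdir}/dehydrated*.timer`. The `%else` branch's `perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/*` does the right thing when the target is not installed, but a comment saying that is why the line is stripped would help. Minor: the removed sed line substituted `%{_postrunhooks}` into the unit, whereas dehydrated-postrun-hooks.service now hardcodes the directory, so the spec macro and the unit can disagree silently.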
@@ -215,7 +241,7 @@ install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
 
 # Adjust config file
 perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
-perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config
+perl -p -i -e 's|#CONFIG_D=|CONFIG_D="\${BASEDIR}/config.d"|' %{buildroot}%{_home}/config
 perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config
 perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config
 
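Review bot: `CONFIG_D="\${BASEDIR}/config.d"` is only equivalent to the old absolute path if BASEDIR is /etc/dehydrated for the default instance and /etc/dehydrated-<name> for each instance; this hunk adjusts LOCKFILE, DEHYDRATED_USER and DEHYDRATED_GROUP but no BASEDIR line is visible, so confirm the shipped config sets it, or that dehydrated derives it from the `--config` path, before relying on this for multi-instance support. LOCKFILE is still the fixed `%{_lock_dir}/lock`, so a second instance started from a copied config shares one lock with the first and fails if their timers overlap; either document that the lock serialises all instances or make it BASEDIR-relative as well.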
@@ -232,6 +258,7 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %defattr(-,root,root)
 %attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
+%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/archive
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/chains
 %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
@@ -250,8 +277,11 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %endif
 %if %{with systemd}
 %{_tmpfilesdir}/%{name}.conf
-%{_unitdir}/dehydrated.service
-%{_unitdir}/dehydrated.timer
+%{_unitdir}/dehydrated*.service
+%{_unitdir}/dehydrated*.timer
+%if %{with instantiated_service}
+%{_unitdir}/dehydrated.target
+%endif
 %if 0%{?suse_version}
 %{_sbindir}/rcdehydrated
 %endif
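Review bot: `%{_unitdir}/dehydrated*.service` and `%{_unitdir}/dehydrated*.timer` pick up the template units whether or not `%{with instantiated_service}` is set, while `dehydrated.target` directly below is wrapped in `%if`; list `dehydrated@.service`, `dehydrated@.timer` and `dehydrated-postrun-hooks@.service` inside that same `%if` and keep the non-instanced units explicit, so a stray unit in the buildroot shows up as an unpackaged-file error instead of being shipped by the glob.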
dehydrated.target (new file, 4 lines)
@@ -0,0 +1,4 @@
[Unit]
Description=Target to allow restarting and stopping of all parts of dehydrated
PartOf=dehydrated.target

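Review bot: `PartOf=dehydrated.target` inside dehydrated.target itself is a self-reference and does nothing; drop it. As written the target has no [Install] section and nothing pulls the members in via Wants=/Requires=, so `systemctl stop dehydrated.target` and `restart` propagate to the units that declare PartOf= (which is what the Description promises) but `systemctl start dehydrated.target` starts nothing; that asymmetry is worth one sentence in the upgrade notes.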
@@ -1,5 +1,6 @@
 [Unit]
-Description=Run Certificate Update Runner for Dehydrated
+Description=Timer for Certificate Update Runner for Dehydrated
+PartOf=dehydrated.target
 
 [Timer]
 OnCalendar=daily
dehydrated@.service (new file, 12 lines)
@@ -0,0 +1,12 @@
[Unit]
Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket
PartOf=dehydrated.target

[Service]
Type=oneshot
ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated-%i/config
User=dehydrated
Group=dehydrated
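Review bot: `ConditionPathExists=/etc/dehydrated/config` checks the default instance's config, but ExecStart= reads `/etc/dehydrated-%i/config`; an instance whose directory is missing therefore starts and fails inside dehydrated instead of being skipped, and the default config gates every instance. Use `ConditionPathExists=/etc/dehydrated-%i/config` to match dehydrated-postrun-hooks@.service, and add `%i` to Description= as that unit does. Every instance also runs as the same dehydrated user, so instances are not isolated from each other's account keys and private keys; if that is intended, say so in the upgrade notes.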
dehydrated@.timer (new file, 11 lines)
@@ -0,0 +1,11 @@
[Unit]
Description=Timer for Certificate Update Runner for Dehydrated
PartOf=dehydrated.target

[Timer]
OnCalendar=daily
# Two hour window
RandomizedDelaySec=7200

[Install]
WantedBy=timers.target
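Review bot: Description= should carry `%i` (as dehydrated-postrun-hooks@.service does) so `systemctl list-timers` tells instances apart. `RandomizedDelaySec=7200` appears here too, so the systemd < 229 workaround in the spec has to cover this file as well as dehydrated.timer.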
more-examples.patch (new file, 55 lines)
@@ -0,0 +1,55 @@
Index: dehydrated-0.7.0/docs/domains_txt.md
===================================================================
--- dehydrated-0.7.0.orig/docs/domains_txt.md
+++ dehydrated-0.7.0/docs/domains_txt.md
@@ -34,6 +34,30 @@ under your `CERTDIR`.
 example.net www.example.net wiki.example.net > certalias
 ```
 
+This allows to set per certificates options. The options you can change are
+explained in [Per Certificate Config](per-certificate-config.md).
+
+If you want to create different certificate types for the same domain
+you can use:
+
+```text
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+```
+
+Then add a config file `certs/star_service_example_org_rsa/config` with
+the value
+
+```
+KEY_ALGO="rsa"
+```
+
+or respectively
+
+```
+KEY_ALGO="ecdsa"
+```
+
 ### Wildcards
 
 Support for wildcards was added by the ACME v2 protocol.
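Review bot: `KEY_ALGO="ecdsa"` is not a value dehydrated accepts; its config documents the supported algorithms as `rsa`, `prime256v1` and `secp384r1` and rejects anything else at startup, so the second example should use one of the two curve names (and the `_ecdsa` alias can stay). The path `certs/star_service_example_org_rsa/config` is relative to CERTDIR, as the sentence above the hunk says, so write it as `${CERTDIR}/star_service_example_org_rsa/config`. Grammar in the first added line: "This allows to set per certificates options" should read "This allows you to set per-certificate options". Since both example lines request identical names, say explicitly that the differing alias is what makes them two certificates.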
Index: dehydrated-0.7.0/docs/examples/domains.txt
===================================================================
--- dehydrated-0.7.0.orig/docs/examples/domains.txt
+++ dehydrated-0.7.0/docs/examples/domains.txt
@@ -24,6 +24,15 @@ example.net www.example.net > certalias
 # NOTE: It is a certificate for 'service.example.org'
 *.service.example.org service.example.org > star_service_example_org
 
+# Optionally you can also append the certificate algorithm here to create
+# multiple certificate types for the same domain.
+#
+# This allows to set per certificates options. The options you can change are
+# explained in [domains.txt documentation](domains_txt.md).
+#
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+
 # Create a certificate for 'service.example.net' with an alternative name of
 # '*.service.example.net' (which is a wildcard domain) and store it in the
 # directory ${CERTDIR}/service.example.net
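Review bot: the comment points readers to `[domains.txt documentation](domains_txt.md)` for the per-certificate options, but the docs hunk above sends them to per-certificate-config.md, and this is a plain-text example file where a markdown link renders as literal brackets; write `see docs/per-certificate-config.md` instead. "append the certificate algorithm here" overstates what the line does: the `_rsa`/`_ecdsa` suffix is only part of the alias, the algorithm comes from `KEY_ALGO` in the per-certificate config, so the comment should say that the alias merely names the directory whose config sets it. Same grammar fix as above for "This allows to set per certificates options".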