Accepting request 882190 from security:dehydrated

- Enable instantiated services (boo#1184165)

- Prepare instantiated service/timer support but not enable it:
  This seems to fail due to missing systemd support right now.
  So the only option at the moment is to copy the timer and unit
  file for a 2nd instance. Mark all files as part of dehydrated.target

- Rework support for /etc/dehydrated/postrun-hooks.d/:
  dehydrated.service no longer starts them directly, the support was
  moved to a separate unit file. Please run:
  systemctl enable dehydrated-postrun-hooks.service
  to restore this functionality
- Run dehydrated as dehydrated user again

- Do not use the full path for config.d in the config files, which
  will simplify implementing multi instance support.

- Added more-examples.patch:
  Explain how we can have per certificate key algorithms

- Add directory where cleanup can archive unused certificates

OBS-URL: https://build.opensuse.org/request/show/882190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=22
This commit is contained in:
Richard Brown 2021-03-30 19:23:47 +00:00 committed by Git OBS Bridge
commit e23c889637
11 changed files with 216 additions and 20 deletions


@ -165,6 +165,19 @@ Upgrade Notes
v0.7.0 v0.7.0
------ ------
Postrun Hooks
~~~~~~~~~~~~~
dehydrated.service no longer starts scripts in /etc/dehydrated/postrun-hooks.d/
directly, the support was moved to a separate unit file. Please run
systemctl enable dehydrated-postrun-hooks.service
to restore this functionality.
This change was required to ensure that the output of the dehydrated script stays
attached to the dehydrated unit in the journal.
Key Algorithm Key Algorithm
~~~~~~~~~~~~~ ~~~~~~~~~~~~~
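Review bot: the rationale sentence does not match what the diff changes. Output of an ExecStartPost= command is logged under the same unit as its ExecStart=, so keeping hook output attached to the journal is not what forced the split; what the dehydrated.service hunk actually shows is User=root turning into User=dehydrated, and hooks that reload web servers still need root, which is why they now live in a separate unit with User=root. State that reason instead, and add that instance setups have to enable dehydrated-postrun-hooks@INSTANCE.service, since the template units ship with the same change.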


@ -0,0 +1,14 @@
[Unit]
Description=Postrun Hooks Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/postrun-hooks.d
After=dehydrated.service
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root
[Install]
RequiredBy=dehydrated.service
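Review bot: RequiredBy=dehydrated.service together with After=dehydrated.service does not make the hooks conditional on a successful renewal. A unit that is only ordered After= another unit is still started when that unit fails unless it also Requires= it, whereas the removed ExecStartPost= was skipped for a oneshot whose ExecStart= failed. Hooks that reload web servers will therefore now run after a failed dehydrated run; if that is not intended, add `Requires=dehydrated.service` here. Two smaller points: the `-` prefix on ExecStart= hides failures of find itself, and `find -exec {} \;` exits 0 regardless of what the hook scripts return, so a broken hook never marks this unit as failed. Since the runner is root and `-L` follows symlinks, the hook directory and every file in it must stay root-owned and not writable by the dehydrated user; the %files hunk in this commit does not touch that directory, so check its attr.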


@ -0,0 +1,14 @@
[Unit]
Description=Postrun Hooks Runner for Dehydrated: %i
ConditionPathExists=/etc/dehydrated-%i/postrun-hooks.d/
After=dehydrated@%i.service
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d/ -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root
[Install]
RequiredBy=dehydrated@%i.service
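Review bot: this template fixes the instance layout to /etc/dehydrated-%i/ (here and in the `--config /etc/dehydrated-%i/config` of dehydrated@.service), but nothing in the change tells an admin that an instance is expected to live in /etc/dehydrated-NAME; add that to the upgrade notes. The same RequiredBy=/After= caveat as in dehydrated-postrun-hooks.service applies: hooks run after a failed dehydrated@%i.service as well. Minor: the trailing slash on the find path differs from the non-instance unit.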


@ -1,3 +1,45 @@
-------------------------------------------------------------------
Tue Mar 30 14:20:42 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Enable instantiated services (boo#1184165)
-------------------------------------------------------------------
Mon Mar 29 16:18:57 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Prepare instantiated service/timer support but not enable it:
This seems to fail due to missing systemd support right now.
So the only option at the moment is to copy the timer and unit
file for a 2nd instance. Mark all files as part of dehydrated.target
-------------------------------------------------------------------
Mon Mar 29 16:18:27 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Rework support for /etc/dehydrated/postrun-hooks.d/:
dehydrated.service nolonger starts them directly, the support was
moved to a separate unit file. Please run:
systemctl enable dehydrated-postrun-hooks.service
to restore this functionality
- Run dehydrated as dehydrated user again
-------------------------------------------------------------------
Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Do not use the full path for config.d in the config files, which
will simplify implementing multi instance support.
-------------------------------------------------------------------
Mon Mar 29 16:07:44 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Added more-examples.patch:
Explain how we can have per certificate key algorithms
-------------------------------------------------------------------
Sun Mar 14 22:29:06 UTC 2021 - Olav Reinert <seroton10@gmail.com>
- Add directory where cleanup can archive unused certificates
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com> Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
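Review bot: typo in the Mon Mar 29 16:18:27 entry, "nolonger" should be "no longer". The same entry should state the security-relevant effect in one line: dehydrated.service goes from User=root to User=dehydrated and only the separate postrun-hooks unit keeps root. The 16:18:57 entry still says instantiated support is prepared but not enabled because of missing systemd support, which the 14:20:42 entry then reverses without saying what changed; a note on the systemd version that is needed would help anyone hitting the same failure.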


@ -3,12 +3,12 @@ Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config ConditionPathExists=/etc/dehydrated/config
After=network-online.target After=network-online.target
Wants=acmeresponder.socket Wants=acmeresponder.socket
PartOf=dehydrated.target
[Service] [Service]
Type=oneshot Type=oneshot
ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
ExecStart=/usr/bin/dehydrated --cron ExecStart=/usr/bin/dehydrated --cron
# dehydrated --cron will drop permissions and run critical code as dehydrated user. # dehydrated --cron will drop permissions and run critical code as dehydrated user.
User=root User=dehydrated
Group=root Group=dehydrated
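Review bot: the retained comment "# dehydrated --cron will drop permissions and run critical code as dehydrated user." is now misleading: with User=dehydrated the unit never runs as root, so there are no permissions left to drop. Reword it to say that the unit itself runs unprivileged and that only dehydrated-postrun-hooks.service runs as root. The hunk also adds PartOf=dehydrated.target, which the spec strips again with perl in the non-instantiated build; a comment pointing at that would save the next reader a search.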


@ -16,6 +16,14 @@
# #
%bcond_without instantiated_service
%define base_services dehydrated.timer dehydrated.service dehydrated-postrun-hooks.service
%if %{with instantiated_service}
%define services dehydrated.target %{base_services} dehydrated@.timer dehydrated@.service dehydrated-postrun-hooks@.service
%else
%define services %{base_services}
%endif
%define _challengedir %{_localstatedir}/lib/acme-challenge %define _challengedir %{_localstatedir}/lib/acme-challenge
%define _user dehydrated %define _user dehydrated
%define _home %{_sysconfdir}/dehydrated %define _home %{_sysconfdir}/dehydrated
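Review bot: `%bcond_without instantiated_service` turns the template units on by default, while the Mon Mar 29 16:18:57 changelog entry says they failed due to missing systemd support. If a minimum systemd version is required, record it, either as a versioned Requires or by gating the bcond on the systemd version, the way the later RandomizedDelaySec workaround for systemd < 229 already does at install time.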
@ -55,7 +63,7 @@ Source1: acme-challenge.conf.apache.in
Source2: acme-challenge.conf.nginx.in Source2: acme-challenge.conf.nginx.in
Source4: dehydrated.cron.in Source4: dehydrated.cron.in
Source5: dehydrated.tmpfiles.d Source5: dehydrated.tmpfiles.d
Source6: dehydrated.service.in Source6: dehydrated.service
Source7: dehydrated.timer Source7: dehydrated.timer
Source9: README.maintainer Source9: README.maintainer
Source10: README.Fedora Source10: README.Fedora
@ -63,6 +71,12 @@ Source11: README.hooks
Source12: %{name}-%{version}.tar.gz.asc Source12: %{name}-%{version}.tar.gz.asc
Source13: %{name}.keyring Source13: %{name}.keyring
Source14: %{name}-rpmlintrc Source14: %{name}-rpmlintrc
Source15: dehydrated@.service
Source16: dehydrated@.timer
Source17: dehydrated.target
Source18: dehydrated-postrun-hooks.service
Source19: dehydrated-postrun-hooks@.service
Patch: more-examples.patch
BuildRequires: %{_apache} BuildRequires: %{_apache}
Requires: coreutils Requires: coreutils
Requires: curl Requires: curl
@ -142,21 +156,22 @@ getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
%if %{with systemd} %if %{with systemd}
%service_add_pre dehydrated.service dehydrated.timer %service_add_pre %{services}
%post %post
systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||:
%service_add_post dehydrated.service dehydrated.timer %service_add_post %{services}
%preun %preun
%service_del_preun dehydrated.service dehydrated.timer %service_del_preun %{services}
%postun %postun
%service_del_postun dehydrated.service dehydrated.timer %service_del_postun %{services}
%endif %endif
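Review bot: %{services} now contains template units (dehydrated@.service, dehydrated@.timer, dehydrated-postrun-hooks@.service) and the whole list is handed to %service_add_pre, %service_add_post, %service_del_preun and %service_del_postun. A template unit cannot be enabled or presetted without an instance, and none of these units sets DefaultInstance=, so verify that the macros tolerate those names on install and update; otherwise pass only dehydrated.target and the non-template units to the scriptlets.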
%prep %prep
%setup -q %setup -q
%patch -p1
cp %{SOURCE9} . cp %{SOURCE9} .
cp %{SOURCE10} . cp %{SOURCE10} .
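Review bot: bare `%patch -p1` relies on the implicit patch number 0, and the `Patch:` line above carries no number either. Make the pairing explicit with `%patch -P 0 -p1` so it stays unambiguous once a second patch is added.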
@ -164,7 +179,7 @@ cp %{SOURCE10} .
%install %install
# sensitive keys # sensitive keys
mkdir -p %{buildroot}%{_home}/{accounts,certs,chains} mkdir -p %{buildroot}%{_home}/{accounts,archive,certs,chains}
mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_home}/config.d mkdir -p %{buildroot}%{_home}/config.d
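Review bot: nothing in the diff points dehydrated at the new archive directory, so this presumably relies on the script's default archive location under BASEDIR. Say so in a comment next to the mkdir: the packaged config is rewritten with perl a few lines further down, and anyone adding an archive override there needs to know it must match this path. The directory will hold retired private keys, so the 700 dehydrated-owned attr in %files is the right choice.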
@ -195,9 +210,20 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
%if %{with systemd} %if %{with systemd}
install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
# Use timer # Use timer
sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/dehydrated.service
install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks.service
%if %{with instantiated_service}
install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/dehydrated@.service
install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dehydrated@.timer
install -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks@.service
install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/dehydrated.target
%else
perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/*
%endif
if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then
# No support for this attribute in systemd < v229 # No support for this attribute in systemd < v229
sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
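Review bot: dropping the `@POSTRUNHOOKS_DIR@` substitution hardcodes /etc/dehydrated/postrun-hooks.d inside dehydrated-postrun-hooks.service. If the spec still defines %{_postrunhooks} for the directory it creates and packages, the two can now diverge silently; either keep an .in template for the new hooks unit as well or drop the macro. The perl in the %else branch relies on `-p` reading line by line so that `\n` matches the line end; `perl -n -i -e 'print unless /^PartOf=dehydrated\.target$/'` says the same thing without depending on that.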
@ -215,7 +241,7 @@ install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
# Adjust config file # Adjust config file
perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config perl -p -i -e 's|#CONFIG_D=|CONFIG_D="\${BASEDIR}/config.d"|' %{buildroot}%{_home}/config
perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config
perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config
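Review bot: CONFIG_D="${BASEDIR}/config.d" only expands correctly if BASEDIR is already set when the config is sourced. Check the order of CONFIG_D and BASEDIR in the upstream example config: if BASEDIR is assigned later in the same file, this depends on dehydrated presetting BASEDIR from the config's directory before sourcing it. A one-line comment plus a `dehydrated --env` check on the built package would catch a wrong expansion, which would otherwise just mean config.d is silently ignored.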
@ -232,6 +258,7 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
%defattr(-,root,root) %defattr(-,root,root)
%attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated %attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/archive
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/chains %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/chains
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
@ -250,8 +277,11 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
%endif %endif
%if %{with systemd} %if %{with systemd}
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%{_unitdir}/dehydrated.service %{_unitdir}/dehydrated*.service
%{_unitdir}/dehydrated.timer %{_unitdir}/dehydrated*.timer
%if %{with instantiated_service}
%{_unitdir}/dehydrated.target
%endif
%if 0%{?suse_version} %if 0%{?suse_version}
%{_sbindir}/rcdehydrated %{_sbindir}/rcdehydrated
%endif %endif
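Review bot: the globs `dehydrated*.service` and `dehydrated*.timer` hide what is actually packaged and would also swallow a stray unit that ends up in %{_unitdir}. List the units explicitly, which the %{services} macro already enumerates, so an unintended file fails the build instead of shipping.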

dehydrated.target Normal file

@ -0,0 +1,4 @@
[Unit]
Description=Target to allow restarting and stopping of all parts of dehydrated
PartOf=dehydrated.target
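Review bot: `PartOf=dehydrated.target` inside dehydrated.target itself is a self-reference and should be removed. Note also that PartOf= only propagates stop and restart, so `systemctl start dehydrated.target` starts nothing, and the unit has no [Install] section. If a stop/restart handle is all that is intended, the Description already says so; otherwise add Wants= for the units the target should pull in.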


@ -1,5 +1,6 @@
[Unit] [Unit]
Description=Run Certificate Update Runner for Dehydrated Description=Timer for Certificate Update Runner for Dehydrated
PartOf=dehydrated.target
[Timer] [Timer]
OnCalendar=daily OnCalendar=daily

dehydrated@.service Normal file

@ -0,0 +1,12 @@
[Unit]
Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated-%i/config
User=dehydrated
Group=dehydrated
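Review bot: ConditionPathExists=/etc/dehydrated/config checks the default instance's config rather than this instance's own. It should be /etc/dehydrated-%i/config to match the `--config` path in ExecStart=; as written, an instance whose config is missing starts and fails instead of being skipped, and every instance is skipped when only the base config is absent. Description= also lacks the %i suffix that dehydrated-postrun-hooks@.service already carries.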

dehydrated@.timer Normal file

@ -0,0 +1,11 @@
[Unit]
Description=Timer for Certificate Update Runner for Dehydrated
PartOf=dehydrated.target
[Timer]
OnCalendar=daily
# Two hour window
RandomizedDelaySec=7200
[Install]
WantedBy=timers.target
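Review bot: the systemd < 229 workaround in %install only comments out RandomizedDelaySec= in dehydrated.timer; this template carries the same line and is left untouched, so on such systems dehydrated@.timer logs an unknown-setting warning and loses the randomized delay. Apply the sed to dehydrated@.timer as well. Description= should carry %i like the hooks template so instances are distinguishable in `systemctl list-timers`.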

more-examples.patch Normal file

@ -0,0 +1,55 @@
Index: dehydrated-0.7.0/docs/domains_txt.md
===================================================================
--- dehydrated-0.7.0.orig/docs/domains_txt.md
+++ dehydrated-0.7.0/docs/domains_txt.md
@@ -34,6 +34,30 @@ under your `CERTDIR`.
example.net www.example.net wiki.example.net > certalias
```
+This allows to set per certificates options. The options you can change are
+explained in [Per Certificate Config](per-certificate-config.md).
+
+If you want to create different certificate types for the same domain
+you can use:
+
+```text
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+```
+
+Then add a config file `certs/star_service_example_org_rsa/config` with
+the value
+
+```
+KEY_ALGO="rsa"
+```
+
+or respectively
+
+```
+KEY_ALGO="ecdsa"
+```
+
### Wildcards
Support for wildcards was added by the ACME v2 protocol.
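Review bot: `KEY_ALGO="ecdsa"` is not a value dehydrated accepts; the supported values are rsa, prime256v1 and secp384r1, so use one of the curve names (for example `KEY_ALGO="secp384r1"`) and name the alias to match. Wording: "This allows to set per certificates options" should read "This allows per-certificate options to be set". One sentence of caveat would help: the two aliases are two independent certificates with separate private keys, and each line triggers its own ACME order.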
Index: dehydrated-0.7.0/docs/examples/domains.txt
===================================================================
--- dehydrated-0.7.0.orig/docs/examples/domains.txt
+++ dehydrated-0.7.0/docs/examples/domains.txt
@@ -24,6 +24,15 @@ example.net www.example.net > certalias
# NOTE: It is a certificate for 'service.example.org'
*.service.example.org service.example.org > star_service_example_org
+# Optionally you can also append the certificate algorithm here to create
+# multiple certificate types for the same domain.
+#
+# This allows to set per certificates options. The options you can change are
+# explained in [domains.txt documentation](domains_txt.md).
+#
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+
# Create a certificate for 'service.example.net' with an alternative name of
# '*.service.example.net' (which is a wildcard domain) and store it in the
# directory ${CERTDIR}/service.example.net
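Review bot: the comment sends readers to "domains.txt documentation (domains_txt.md)" for the per-certificate options, but that document in turn refers them on to per-certificate-config.md; link to per-certificate-config.md directly. Same grammar fix as in the docs hunk ("allows to set per certificates options"), and the `_ecdsa` alias name should reflect the KEY_ALGO value actually used in the matching config.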