Accepting request 564525 from home:dmolkentin:branches:security:dehydrated

- Updated dehydrated to 0.5.0
  This removes the following patches and files, which are now part of the
  upstream package:
  * 0001-Add-optional-user-and-group-configuration.patch
  * 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
  * dehydrated.1: the man page has been adopted by upstream
  Starting with this version, upstream introduced signed releases, which
  is now being used for source validation.
  Upstream changes:
  Changed
  * Certificate chain is now cached (CHAINCACHE)
  * OpenSSL binary path is now configurable (OPENSSL)
  * Cleanup now also moves revoked certificates
  Added
  * New feature for updating contact information (--account)
  * Allow automatic cleanup on exit (AUTO_CLEANUP)
  * Initial support for fetching OCSP status to be used for OCSP stapling
    (OCSP_FETCH)
  * Certificates can now have aliases to create multiple certificates with
    identical set of domains (see --alias and domains.txt documentation)
  * Allow dehydrated to run as specified user (/group). This was already
    available previously as a patch to this package.

OBS-URL: https://build.opensuse.org/request/show/564525
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=21
This commit is contained in:
Marcus Rückert 2018-01-15 11:59:16 +00:00 committed by Git OBS Bridge
parent 69cee6f711
commit f303fdbcb8
10 changed files with 95 additions and 303 deletions

View File

@ -1,85 +0,0 @@
From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Thu, 21 Sep 2017 19:07:54 +0200
Subject: [PATCH] Add optional user and group configuration
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
and instead launch itself as the user in DEHYDRATED_USER (and
DEHYDRATED_GROUP if set).
Using sudo has a few practical advantages over su:
- it doesn't require to specify a login shell when no login shell is set
for the target user
- it allows (safe) handling of arguments.
---
dehydrated | 22 ++++++++++++++++++++++
docs/examples/config | 6 ++++++
2 files changed, 28 insertions(+)
diff --git a/dehydrated b/dehydrated
index 8b31ee1..acca1d0 100755
--- a/dehydrated
+++ b/dehydrated
@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
BASEDIR="${SCRIPTDIR}"
+ORIGARGS="$@"
+
# Create (identifiable) temporary files
_mktemp() {
# shellcheck disable=SC2068
@@ -126,6 +128,8 @@ load_config() {
LOCKFILE=
OCSP_MUST_STAPLE="no"
IP_VERSION=
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
if [[ -z "${CONFIG:-}" ]]; then
echo "#" >&2
@@ -159,6 +163,24 @@ load_config() {
done
fi
+ # Check if we are running & are allowed to run as root
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
+ sudo=`command -v sudo`
+ if [ -z $sudo ]; then
+ echo "DEHYDRATED_USER set but sudo not available. Please install sudo."
+ exit
+ fi
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
+ group="-g $DEHYDRATED_GROUP"
+ fi
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
+ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS
+ exit
+ fi
+
+ # Check for missing dependencies
+ check_dependencies
+
# Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
BASEDIR="${BASEDIR%%/}"
diff --git a/docs/examples/config b/docs/examples/config
index 1b1b3d8..9a890f4 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -10,6 +10,12 @@
# Default values of this config are in comments #
########################################################
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
--
2.14.1

View File

@ -1,49 +0,0 @@
From 5214632c55c70c6c1f0dabce204a9fb8529c8ca8 Mon Sep 17 00:00:00 2001
From: Lukas Schauer <lukas@schauer.so>
Date: Thu, 21 Sep 2017 18:10:01 +0200
Subject: [PATCH] use nullglob, disable warning on empty CONFIG_D directory
---
dehydrated | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/dehydrated b/dehydrated
index 8b31ee1..a62b858 100755
--- a/dehydrated
+++ b/dehydrated
@@ -8,7 +8,9 @@
set -e
set -u
set -o pipefail
-[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO
+[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB
+[[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob
+
umask 077 # paranoid umask, we're creating private keys
# Find directory in which this script is stored by traversing all symbolic links
@@ -146,10 +148,7 @@ load_config() {
fi
for check_config_d in "${CONFIG_D}"/*.sh; do
- if [[ ! -e "${check_config_d}" ]]; then
- echo "# !! WARNING !! Extra configuration directory ${CONFIG_D} exists, but no configuration found in it." >&2
- break
- elif [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
+ if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
echo "# INFO: Using additional config file ${check_config_d}"
# shellcheck disable=SC1090
. "${check_config_d}"
@@ -1020,9 +1019,6 @@ command_cleanup() {
# Loop over all files of this type
for file in "${certdir}/${filebase}-"*".${fileext}"; do
- # Handle case where no files match the wildcard
- [[ -f "${file}" ]] || break
-
# Check if current file is in use, if unused move to archive directory
filename="$(basename "${file}")"
if [[ ! "${filename}" = "${current}" ]]; then
--
2.12.3

View File

@ -110,7 +110,7 @@ activated manually:
Aqcuisition through DNS (dns-01) Aqcuisition through DNS (dns-01)
================================ ================================
Tnis is mostly useful under these conditions This is mostly useful under these conditions
1. Your hosts are not directly exposed to the internet 1. Your hosts are not directly exposed to the internet
2. Your host names are part of a public DNS zone visible on the internet. 2. Your host names are part of a public DNS zone visible on the internet.

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:611da321330ffd43d1dc497990b486b2dec12c59149803ad7d156980c8527f48
size 74005

3
dehydrated-0.5.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3559de9c61f8cb9dda1d247fbb88d94eddcf2d9421941dad73b1d672cb933abe
size 79965

View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlpaWfkACgkQnE2+bPQ4
8zOw+Af/YhJVNxDCFFe8uhIm5oFgMvJPyNXk1rMf60kwGINXUUwSHTVXvwFUF/qN
9ZAnt/zaL4KmK3v5pSP8fIDBwsF17x9G1J0Xv9s5IG9YQOgyV89lVo8Tu15g3Yla
7Z1OhB4OvzwVioWRNiedyLK916ut9+XJ8YNmUC6LsIHttL7un2Yyqy1nR86x/iDr
Oh/2DxWtYYGjnr3+DTqcLvdySIy6MBJsRez1zW1MJCCiBIBeq+7fBseT5h9vu55h
F1vR8KthfCJFqQfdtA7Io3ql8H2hJHn7VintPTnbq8bEIvpDS7CTE+ICP+fuxqzU
KeElNt7vu/UuoQBnYNBPw2gA/L8fGw==
=Edom
-----END PGP SIGNATURE-----

View File

@ -1,155 +0,0 @@
.TH DEHYDRATED 1 2017-09-20 "Dehydrated ACME Client"
.SH NAME
dehydrated \- ACME client implemented as a shell-script
.SH SYNOPSIS
.B dehydrated
[\fBcommand\fR [\fBargument\fR]]
[\fBargument\fR [\fBargument\fR]]
.IR ...
.SH DESCRIPTION
A client for ACME-based Certificate Authorities, such as LetsEncrypt. It
allows to request and obtain TLS certificates from an ACME-based
certificate authority.
Before any certificates can be requested, Dehydrated needs
to acquire an account with the Certificate Authorities. Optionally, an email
address can be provided. It will be used to e.g. notify about expiring
certificates. You will usually need to accept the Terms of Service of the CA.
Dehydrated will notify if no account is configured. Run with \fB--register
--accept-terms\fR to create a new account.
Next, all domain names must be provided in domains.txt. The format is line
based: If the file contains two lines "example.com" and "example.net",
Dehydrated will request two certificate, one for "example.com" and the other
for "example.net". A single line while "example.com example.net" will request a
single certificate valid for both "example.net" and "example.com" through the \fISubject
Alternative Name\fR (SAN) field.
For the next step, one way of verifying domain name ownership needs to be
configured. Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification.
The \fIhttp-01\fR verification provides proof of ownership by providing a
challenge token. In order to do that, the directory referenced in the
\fIWELLKNOWN\fR config variable needs to be exposed at
\fIhttp://{domain}/.well-known/acme-challenge/\fR, where {domain} is every
domain name specified in \fIdomains.txt\fR. Dehydrated does not provide its
own challenge responder, but relies on an existing web server to provide the
challenge response. See \fIwellknown.md\fR for configuration examples of
popular web servers.
The \fIdns-01\fR verification works by providing a challenge token through DNS.
This is especially interesting for hosts that cannot be exposed to the public
Internet. Because adding records to DNS zones is oftentimes highly specific to
the software or the DNS provider at hand, there are many third party hooks
available for dehydrated. See \fIdns-verification.md\fR for hooks for popular
DNS servers and DNS hosters.
Finally, the certificates need to be requested and updated on a regular basis.
This can happen through a cron job or a timer. Initially, you may enforce this
by invoking \fIdehydrated -c\fR manually.
After a successful run, certificates are stored in
\fI/etc/dehydrated/certs/{domain}\fR, where {domain} is the domain name in the
first column of \fIdomains.txt\fR.
.SH OPTIONS
.BR Commands
.TP
.BR \-\-version ", " \-v
Print version information
.TP
.BR \-\-register
Register account key
.TP
.BR \-\-account
Update account contact information
.TP
.BR \-\-cron ", " \-c
Sign/renew non\-existent/changed/expiring certificates.
.TP
.BR \-\-signcsr ", " \-s " " \fIpath/to/csr.pem\fR
Sign a given CSR, output CRT on stdout (advanced usage)
.TP
.BR \-\-revoke ", " \-r " " \fIpath/to/cert.pem\fR
Revoke specified certificate
.TP
.BR \-\-cleanup ", " \-gc
Move unused certificate files to archive directory
.TP
.BR \-\-help ", " \-h
Show help text
.TP
.BR \-\-env ", " \-e
Output configuration variables for use in other scripts
.PP
.BR Parameters
.TP
.BR \-\-accept\-terms
Accept CAs terms of service
.TP
.BR \-\-full\-chain ", " \-fc
Print full chain when using \fB\-\-signcsr\fR
.TP
.BR \-\-ipv4 ", " \-4
Resolve names to IPv4 addresses only
.TP
.BR \-\-ipv6 ", " \-6
Resolve names to IPv6 addresses only
.TP
.BR \-\-domain ", " \-d " " \fIdomain.tld\fR
Use specified domain name(s) instead of domains.txt entry (one certificate!)
.TP
.BR \-\-keep\-going ", " \-g
Keep going after encountering an error while creating/renewing multiple
certificates in cron mode
.TP
.BR \-\-force ", " \-x
Force renew of certificate even if it is longer valid than value in RENEW_DAYS
.TP
.BR \-\-no\-lock ", " \-n
Don't use lockfile (potentially dangerous!)
.TP
.BR \-\-lock\-suffix " " \fIexample.com\fR
Suffix lockfile name with a string (useful for use with \-d)
.TP
.BR \-\-ocsp
Sets option in CSR indicating OCSP stapling to be mandatory
.TP
.BR \-\-privkey ", " \-p " " \fIpath/to/key.pem\fR
Use specified private key instead of account key (useful for revocation)
.TP
.BR \-\-config ", " \-f " " \fIpath/to/config\fR
Use specified config file
.TP
.BR \-\-hook ", " \-k " " \fIpath/to/hook.sh\fR
Use specified script for hooks
.TP
.BR \-\-out ", " \-o " " \fIcerts/directory\fR
Output certificates into the specified directory
.TP
.BR \-\-challenge ", " \-t " " \fI[http\-01|dns\-01]\fR
Which challenge should be used? Currently http\-01 and dns\-01 are supported
.TP
.BR \-\-algo ", " \-a " " \fI[rsa|prime256v1|secp384r1]\fR
Which public key algorithm should be used? Supported: rsa, prime256v1 and
secp384r1
.SH DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
.SH BUGS
Please report any bugs that you may encounter at the project web site
.UR https://github.com/lukas2511/dehydrated/issues
.UE .
.SH AUTHOR
Dehydrated was written by Lukas Schauer. This man page was contributed by
Daniel Molkentin.
.SH COPYRIGHT
Copyright 20015-2017 by Lukas Schauer and the respective contributors.
Provided under the MIT License. See the LICENSE file that accompanies the
distribution for licensing information.
.SH SEE ALSO
Full documentation along with configuration examples are provided in the \fIdocs\fR
directory of the distribution, or at
.UR https://github.com/lukas2511/dehydrated/tree/master/docs
.UE .

View File

@ -1,3 +1,36 @@
-------------------------------------------------------------------
Mon Jan 15 11:29:11 UTC 2018 - daniel.molkentin@suse.com
- Updated dehydrated to 0.5.0
This removes the following patches and files, which are now part of the
upstream package:
* 0001-Add-optional-user-and-group-configuration.patch
* 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
* dehydrated.1: the man page has been adopted by upstream
Starting with this version, upstream introduced signed releases, which
is now being used for source validation.
Upstream changes:
Changed
* Certificate chain is now cached (CHAINCACHE)
* OpenSSL binary path is now configurable (OPENSSL)
* Cleanup now also moves revoked certificates
Added
* New feature for updating contact information (--account)
* Allow automatic cleanup on exit (AUTO_CLEANUP)
* Initial support for fetching OCSP status to be used for OCSP stapling
(OCSP_FETCH)
* Certificates can now have aliases to create multiple certificates with
identical set of domains (see --alias and domains.txt documentation)
* Allow dehydrated to run as specified user (/group). This was already
available previously as a patch to this package.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Oct 20 11:02:24 UTC 2017 - mrueckert@suse.de Fri Oct 20 11:02:24 UTC 2017 - mrueckert@suse.de

42
dehydrated.keyring Normal file
View File

@ -0,0 +1,42 @@
pub 2048R/F438F333 2013-04-05
uid [ unknown] Lukas Schauer <lukas@schauer.so>
uid [ unknown] Lukas Schauer <lukas2511@xxpro.net>
sub 2048R/57805524 2013-04-05
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQENBFFfGhMBCADuxAL1vqC7J1AmxMrFGxobyPaY9tmUEueRF+JuUJlk48qSbcWg
zAMEprSgw3HY/15Galu/7g8KxXnlN4WO2vgA6eu1CYx3CoukJ8dc/m6hEMxqwsIW
H/1sI7P2hLGB/6YC3MqgpyZxrXzS3coe/JLLkeOtcnBgeT1VpGnodSEKsK4unkfV
cmheLuF+zMb0t1DFtd//Ka99XtoF7HXW6p/n8NjiAXKkEkTWf+0qsOIzar3Hl7QE
dnEMK1EjDbrqNufTe+TyvM9hVMyDTptvA0EDOj+5Jmt29pWpriOgUgm2D1JgZi9b
YmGnTo149q5bUzfLvsTDI0IS7ClxXIES/dfXABEBAAG0IEx1a2FzIFNjaGF1ZXIg
PGx1a2FzQHNjaGF1ZXIuc28+iQE5BBMBAgAjBQJSHiDfAhsDBwsJCAcDAgEGFQgC
CQoLBBYCAwECHgECF4AACgkQnE2+bPQ48zPRxgf/Y1pJ9H6uB6rmCa3VHoxhvLkV
ruUSpI+JXNUhwpUWUKNE1yk78jmjRhMMZf7UMYifyGkuK/0/cErktr5j8kqJ2r60
hOnmkC3jEq5H0hKfGzhosenUvzR9cENYzgnm/4BNWWz1I16jkWRcEGjeC8y033U3
Tjrtc6f0jLe7R6LzospUCWKzp8WUWgTgqpAyjJY6I44Y6QpTjmRF6t1Nz2yRxxf2
NAbOQWkSTueusgLVYyvqLZ51u3fsuDJxbQiBnNt0ZGYSDBKrs59Rvg0Xj1cBv1t7
SrzHuwyiiCQsEaLMvYCygk7qRmZBZ6PKA0gE8oYIr5f10Kx0Mjqnrs8wmpegiLQj
THVrYXMgU2NoYXVlciA8bHVrYXMyNTExQHh4cHJvLm5ldD6JATgEEwECACIFAlFf
GhMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJxNvmz0OPMzHXoH/jCy
wwo+W3hy7WAzaKqgnIjRfMQD63OFSwrPI8P7mU0WWrxURwET4C/i+eYHIZYPVaP0
HvdMMcpgSbBZ0sAW+gtv2qMtL+kB4s+FGVchV4lfh4q5w4EDRknuCEpD5bj7NsOT
ROvGu0gSvGbGG/EFLJuhrkct5s7ESH5sWonxstk6Ea9L5STR4PGH6swTq0WggbMq
VFQuWOkjw6KpQOeFTp9koQl3R6P6I0uqe6tVLKJD/nSTKbMYPMZX9Q+TvzqRSRlH
wL509ZIZV4IzdDFXGM28xvC7KIifbxEzWHVci2afdqbVNH2MBhgHt/SIaW8xBab2
wnd45rkdHuoK2wBPlPu5AQ0EUV8aEwEIAM1d0x6B/PUlXfUzkTlYtFmfm67OOPW2
EImld+53RgVc/HGY9RyYP0YwxNs1mjWalzJYV6/aQ9xke/Dz0pLYwIl2c1TCzwin
qgymkR17krDJ/+hj2GZBsiEHlMDbWskgwIc7WldhcmxsOvsvRrHSCcw7ZFD+iA9l
6XJoUrtP9QhJLaj6WoX0fU377t3me6hji5387pzYoDKiq8cfJu4q/K6oB42kmo+L
PVub+DvBBZPDakDnE46v0LfbgvPqjaVxM2KHjqllepk1CIOAbUbtyC9kVuavDgnI
OMe1couHsy0+7fXeQE0xMLPjGGZAXt6OVI8o/1IbgA2EbiVR225Tu2cAEQEAAYkB
HwQYAQIACQUCUV8aEwIbDAAKCRCcTb5s9DjzM09cCACGdENt71lx56EjzH6W5o/F
OYHHTm4ewcfgGSHWmdScq8gOI414kBkOg9ds9IMQt5hp60hXteSxG1l0qxEXbMX7
cO5FNnjer/ikcwPDS6eZ2a5Gni/h/UFRnVYcw2c+7UAAgouswhwqbkVUrRMDodG2
DT05fQIdgfbQLUBW5qFToS/CXNzvG47jqBEUS/mFMtZgF2+myU2buMlIXmarTi0K
EYMt0geGXhpS2DN9iQrQzQ8gjVz/EBgdHbEZOsHW4JMQaycYvouPFVqCIcZoN0s8
c9AilqEu9V8XLLWA0zRVC8Fp6m/ZpMX8t2kVQdBKMHb1NUz0b+uHynANCRQUGKIg
=2fWi
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,7 +1,7 @@
# #
# spec file for package dehydrated # spec file for package dehydrated
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -46,7 +46,7 @@
%endif %endif
Name: dehydrated Name: dehydrated
Version: 0.4.0 Version: 0.5.0
Release: 0 Release: 0
Summary: A client for signing certificates with an ACME server Summary: A client for signing certificates with an ACME server
License: MIT License: MIT
@ -60,14 +60,11 @@ Source4: dehydrated.cron.in
Source5: dehydrated.tmpfiles.d Source5: dehydrated.tmpfiles.d
Source6: dehydrated.service.in Source6: dehydrated.service.in
Source7: dehydrated.timer Source7: dehydrated.timer
Source8: dehydrated.1
Source9: README.SUSE Source9: README.SUSE
Source10: README.Fedora Source10: README.Fedora
Source11: README.hooks Source11: README.hooks
# Patch submitted to upstream Source12: %{name}-%{version}.tar.gz.asc
Patch1: 0001-Add-optional-user-and-group-configuration.patch Source13: %{name}.keyring
# Patch from upstream
Patch2: 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
BuildRequires: %{_apache} BuildRequires: %{_apache}
Requires: coreutils Requires: coreutils
Requires: curl Requires: curl
@ -189,8 +186,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%prep %prep
%setup -q %setup -q
%patch1 -p1
%patch2 -p1
cp %{SOURCE9} . cp %{SOURCE9} .
cp %{SOURCE10} . cp %{SOURCE10} .
@ -204,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_home}/config.d mkdir -p %{buildroot}%{_home}/config.d
mkdir -p %{buildroot}%{_postrunhooks} mkdir -p %{buildroot}%{_postrunhooks}
cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
# Silence E: env-script-interpreter # Silence E: env-script-interpreter
find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \; find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;