Accepting request 532177 from security:dehydrated
- Remove unused hooks directory - Introduced a directory for custom post-run hooks executed as root, see README.SUSE for details. (not to be confused with the native hooks run as dehyrated user) - Clarify necessity of enabling dehydrated.timer in README.SUSE - Submit to SLE15 as per fate#323377 - Add optional post run hook directory, executed by cron/systemd after dehydrated --cron has run - Remove hook directory intended for packaging other native hooks. Will be approach differently - No longer require nginx or lighttpd for SLE - Never go as far as to require acmeresponder, it might not be available - Drop -update from dehydrated-update.{timer,socket} for consistency - Add distro specific README.SUSE / README.Fedora - Ran spec-cleaner - Add man page - Ensure dehydrated is always run as designated user * adds 0001-Add-optional-user-and-group-configuration.patch - Introduce config.d directory for user configuration - Avoid warning about empty config.d directory * adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch - Fix sed warning about unescaped curly braces in regex - Swap statements in post: installing services requires tmp.d - (Weak) dependency on dehydrated-acmeresponder. OBS-URL: https://build.opensuse.org/request/show/532177 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=4
This commit is contained in:
commit
f5e7e6d9b2
66
0001-Add-optional-user-and-group-configuration.patch
Normal file
66
0001-Add-optional-user-and-group-configuration.patch
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Molkentin <dmolkentin@suse.com>
|
||||||
|
Date: Thu, 21 Sep 2017 19:07:54 +0200
|
||||||
|
Subject: [PATCH] Add optional user and group configuration
|
||||||
|
|
||||||
|
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
|
||||||
|
and instead launch itself as the user in DEHYDRATED_USER (and
|
||||||
|
DEHYDRATED_GROUP if set).
|
||||||
|
---
|
||||||
|
dehydrated | 15 +++++++++++++++
|
||||||
|
docs/examples/config | 6 ++++++
|
||||||
|
2 files changed, 21 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/dehydrated b/dehydrated
|
||||||
|
index 8b31ee1..39c717f 100755
|
||||||
|
--- a/dehydrated
|
||||||
|
+++ b/dehydrated
|
||||||
|
@@ -126,6 +126,8 @@ load_config() {
|
||||||
|
LOCKFILE=
|
||||||
|
OCSP_MUST_STAPLE="no"
|
||||||
|
IP_VERSION=
|
||||||
|
+ DEHYDRATED_USER=
|
||||||
|
+ DEHYDRATED_GROUP=
|
||||||
|
|
||||||
|
if [[ -z "${CONFIG:-}" ]]; then
|
||||||
|
echo "#" >&2
|
||||||
|
@@ -159,6 +161,19 @@ load_config() {
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
+ # Check if we are running & are allowed to run as root
|
||||||
|
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
|
||||||
|
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
|
||||||
|
+ group="-g $DEHYDRATED_GROUP"
|
||||||
|
+ fi
|
||||||
|
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
|
||||||
|
+ su -c "$0" $group "$DEHYDRATED_USER"
|
||||||
|
+ exit
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ # Check for missing dependencies
|
||||||
|
+ check_dependencies
|
||||||
|
+
|
||||||
|
# Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
|
||||||
|
BASEDIR="${BASEDIR%%/}"
|
||||||
|
|
||||||
|
diff --git a/docs/examples/config b/docs/examples/config
|
||||||
|
index 1b1b3d8..9a890f4 100644
|
||||||
|
--- a/docs/examples/config
|
||||||
|
+++ b/docs/examples/config
|
||||||
|
@@ -10,6 +10,12 @@
|
||||||
|
# Default values of this config are in comments #
|
||||||
|
########################################################
|
||||||
|
|
||||||
|
+# Which user should dehydrated run as? This will be implictly enforced when running as root
|
||||||
|
+#DEHYDRATED_USER=
|
||||||
|
+
|
||||||
|
+# Which group should dehydrated run as? This will be implictly enforced when running as root
|
||||||
|
+#DEHYDRATED_GROUP=
|
||||||
|
+
|
||||||
|
# Resolve names to addresses of IP version only. (curl)
|
||||||
|
# supported values: 4, 6
|
||||||
|
# default: <unset>
|
||||||
|
--
|
||||||
|
2.12.3
|
||||||
|
|
@ -0,0 +1,49 @@
|
|||||||
|
From 5214632c55c70c6c1f0dabce204a9fb8529c8ca8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Schauer <lukas@schauer.so>
|
||||||
|
Date: Thu, 21 Sep 2017 18:10:01 +0200
|
||||||
|
Subject: [PATCH] use nullglob, disable warning on empty CONFIG_D directory
|
||||||
|
|
||||||
|
---
|
||||||
|
dehydrated | 12 ++++--------
|
||||||
|
1 file changed, 4 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dehydrated b/dehydrated
|
||||||
|
index 8b31ee1..a62b858 100755
|
||||||
|
--- a/dehydrated
|
||||||
|
+++ b/dehydrated
|
||||||
|
@@ -8,7 +8,9 @@
|
||||||
|
set -e
|
||||||
|
set -u
|
||||||
|
set -o pipefail
|
||||||
|
-[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO
|
||||||
|
+[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB
|
||||||
|
+[[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob
|
||||||
|
+
|
||||||
|
umask 077 # paranoid umask, we're creating private keys
|
||||||
|
|
||||||
|
# Find directory in which this script is stored by traversing all symbolic links
|
||||||
|
@@ -146,10 +148,7 @@ load_config() {
|
||||||
|
fi
|
||||||
|
|
||||||
|
for check_config_d in "${CONFIG_D}"/*.sh; do
|
||||||
|
- if [[ ! -e "${check_config_d}" ]]; then
|
||||||
|
- echo "# !! WARNING !! Extra configuration directory ${CONFIG_D} exists, but no configuration found in it." >&2
|
||||||
|
- break
|
||||||
|
- elif [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
|
||||||
|
+ if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
|
||||||
|
echo "# INFO: Using additional config file ${check_config_d}"
|
||||||
|
# shellcheck disable=SC1090
|
||||||
|
. "${check_config_d}"
|
||||||
|
@@ -1020,9 +1019,6 @@ command_cleanup() {
|
||||||
|
|
||||||
|
# Loop over all files of this type
|
||||||
|
for file in "${certdir}/${filebase}-"*".${fileext}"; do
|
||||||
|
- # Handle case where no files match the wildcard
|
||||||
|
- [[ -f "${file}" ]] || break
|
||||||
|
-
|
||||||
|
# Check if current file is in use, if unused move to archive directory
|
||||||
|
filename="$(basename "${file}")"
|
||||||
|
if [[ ! "${filename}" = "${current}" ]]; then
|
||||||
|
--
|
||||||
|
2.12.3
|
||||||
|
|
6
README.Fedora
Normal file
6
README.Fedora
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
Packaging note
|
||||||
|
==============
|
||||||
|
|
||||||
|
On Fedora, CentOS and RHEL, the dehydrated-apache2 package is
|
||||||
|
called dehydrated-httpd in accordance with the Fedora naming scheme.
|
||||||
|
|
159
README.SUSE
Normal file
159
README.SUSE
Normal file
@ -0,0 +1,159 @@
|
|||||||
|
==========================================
|
||||||
|
Acquiring TLS Certificates with Dehydrated
|
||||||
|
==========================================
|
||||||
|
|
||||||
|
The SUSE dehydrated package has been designed to make acquiring TLS
|
||||||
|
certificates (aka SSL Certificates) as simple as possible, while still being
|
||||||
|
useful in a broad amount of use cases. Please consult the dehydrated man page,
|
||||||
|
then continue reading here.
|
||||||
|
|
||||||
|
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||||
|
|
||||||
|
IMPORTANT: On systemd-enabled system (SLE12+), you need to enable the update
|
||||||
|
timer, which has obsoleted the cron job. This is independent on which method
|
||||||
|
you chose from below!
|
||||||
|
|
||||||
|
# systemctl enable dehydrated.timer
|
||||||
|
|
||||||
|
Also note that with the systemd timer, failures will not be mailed to the
|
||||||
|
system administrator, but are being logged to the systemd journal, as per
|
||||||
|
systemd's design philosophy.
|
||||||
|
|
||||||
|
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||||
|
|
||||||
|
Acquisition through HTTP (http-01)
|
||||||
|
===================================
|
||||||
|
|
||||||
|
This is the primary method of acquiring certifictes. The Certificate Authority
|
||||||
|
will provide a challenge that the requestor needs to provide via HTTP on port 80/TCP,
|
||||||
|
in /.well-known/acme-challenge/.
|
||||||
|
|
||||||
|
Setting up the acme-challenge auto-responder
|
||||||
|
--------------------------------------------
|
||||||
|
|
||||||
|
Apache (easiest)
|
||||||
|
~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
If you are using Apache, just install dehydrated-apache2 and reload Apache.
|
||||||
|
This will take care of setting up the acme-challenge auto-responder.
|
||||||
|
|
||||||
|
nginx
|
||||||
|
~~~~~
|
||||||
|
|
||||||
|
(not part of SLE, use openSUSE backports)
|
||||||
|
|
||||||
|
For nginx, you will need to install dehydrated-nginx. Unfortunately, nginx does
|
||||||
|
not support directory mappings across vhosts, so in addition you will need to
|
||||||
|
include "/etc/nginx/acmechallenge" in all vhost configurations like this:
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name <hostname>;
|
||||||
|
include "acmechallenge";
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
lighttpd
|
||||||
|
~~~~~~~~
|
||||||
|
|
||||||
|
(not part of SLE, use openSUSE backports)
|
||||||
|
|
||||||
|
Lighttpd users can simply install dehydrated-lighttpd and reload lighttpd to
|
||||||
|
set up the acme-challenge auto-responder
|
||||||
|
|
||||||
|
NOTE: Never set up the SSL vhosts until you have initially acquired the first
|
||||||
|
host. Specifying an SSL vhost without certificates constitutes an error for web
|
||||||
|
servers.
|
||||||
|
|
||||||
|
Machines without a webserver
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
On machines that are not running any web server, e.g. mail relays, you can run
|
||||||
|
apache2 with dehydrated-apache2. If you do not want to run any web server on a
|
||||||
|
system with systemd permnently, you can use dehydrated-acmeresponder. This is a
|
||||||
|
small socket activated server. Once installed, it will automatically listen on
|
||||||
|
port 80 whenever the dehydrated cron job seeks renewal, assuming no other
|
||||||
|
server is currently occupying the port. It will also shut down once the timer
|
||||||
|
has finished execution.
|
||||||
|
|
||||||
|
Acquisition of initial certificate
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
How set up an account as described in the man page (as root):
|
||||||
|
|
||||||
|
# dehydrated --register --accept-terms
|
||||||
|
|
||||||
|
(the current version of the LetsEncrypt Terms & Conditions are referenced in
|
||||||
|
/etc/dehydrated/config)
|
||||||
|
|
||||||
|
Next, fill in domains.txt and acquire the initial certificates (again, as root):
|
||||||
|
|
||||||
|
# echo "myhost.example.com myalias.example.com" >> domains.txt
|
||||||
|
# dehydrated --cron
|
||||||
|
|
||||||
|
adds myhost.example.com to the list of host names we want to request a certificate for.
|
||||||
|
The certificate will hold a Subject Alternative Name of "myalias.example.com".
|
||||||
|
LetsEncrypt will check both host names.
|
||||||
|
|
||||||
|
NOTE: As of 2017, LetsEncrypt certificates are only valid for three months, and
|
||||||
|
the validity period may be further reduced in the future. It is therefore
|
||||||
|
vital to ensure that the certificates are being automatically renewed. On
|
||||||
|
systems without systemd, a cron job is automatically set up to take care of
|
||||||
|
this. On systemd-enabled systems, a timer is provided which needs to be
|
||||||
|
activated manually:
|
||||||
|
|
||||||
|
# systemctl enable dehydrated.timer
|
||||||
|
|
||||||
|
Aqcuisition through DNS (dns-01)
|
||||||
|
================================
|
||||||
|
|
||||||
|
Tnis is mostly useful under these conditions
|
||||||
|
|
||||||
|
1. Your hosts are not directly exposed to the internet
|
||||||
|
2. Your host names are part of a public DNS zone visible on the internet.
|
||||||
|
3. You are comfortable with the service adding and removing records in your domain.
|
||||||
|
|
||||||
|
Usually, the scenario you want this is a central host which picks up
|
||||||
|
certificates for all other hosts on a network, and then deploys them to the
|
||||||
|
actual target host, using plain scp or configuration management tools like
|
||||||
|
Ansible or Salt. For details, please refer to dns-verification.md. For
|
||||||
|
openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
|
||||||
|
and DNS servers.
|
||||||
|
|
||||||
|
Proceeding after initial certificate aquisition
|
||||||
|
===============================================
|
||||||
|
|
||||||
|
Setting up the SSL host
|
||||||
|
-----------------------
|
||||||
|
|
||||||
|
As recommended parameters shift, please refer to Mozillas excellent SSL
|
||||||
|
Configuration Generator [1] for details on how to configure your web server.
|
||||||
|
Replace the example paths with the following:
|
||||||
|
|
||||||
|
Key: /etc/dehydrated/certs/<domainname>/privkey.pem
|
||||||
|
Certificate: /etc/dehydrated/certs/<domainname>/cert.pem
|
||||||
|
Intermediate Chain: /etc/dehydrated/certs/<domainname>/chain.pem
|
||||||
|
Certificate + Intermediate: /etc/dehydrated/certs/<domainname>/fullchain.pem
|
||||||
|
|
||||||
|
where <domainname> should be the name of the first column in domains.txt
|
||||||
|
|
||||||
|
Limitations & Ceveats
|
||||||
|
=====================
|
||||||
|
|
||||||
|
* It is currently not possible to aqcuire Wildcard certificates
|
||||||
|
* No EV- or OV-validated certificates
|
||||||
|
* Certificates expire within weeks, not years. This is by design. Ensure that
|
||||||
|
certificate renewal works and that daemons get reloaded frequently to pick
|
||||||
|
up certificate updates. Apache will work due to log rotation SIGHUP'ing
|
||||||
|
the process frequently. However, any other actions, such as service reloads
|
||||||
|
need to be provided as a script in /etc/dehydrated/postrun-hooks.d, which
|
||||||
|
will be executed by the cron script / systemd timer *after* an update run
|
||||||
|
has been performed.
|
||||||
|
|
||||||
|
Links
|
||||||
|
=====
|
||||||
|
|
||||||
|
[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
4
README.hooks
Normal file
4
README.hooks
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
Dehydrated's hooks only run as user dehydrated. To circumvent this limitation,
|
||||||
|
i.e. when services need to be restarted, all executable files in this directory
|
||||||
|
will be executed as root after the certificate update has run.
|
||||||
|
|
155
dehydrated.1
Normal file
155
dehydrated.1
Normal file
@ -0,0 +1,155 @@
|
|||||||
|
.TH DEHYDRATED 1 2017-09-20 "Dehydrated ACME Client"
|
||||||
|
.SH NAME
|
||||||
|
dehydrated \- ACME client implemented as a shell-script
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.B dehydrated
|
||||||
|
[\fBcommand\fR [\fBargument\fR]]
|
||||||
|
[\fBargument\fR [\fBargument\fR]]
|
||||||
|
.IR ...
|
||||||
|
.SH DESCRIPTION
|
||||||
|
A client for ACME-based Certificate Authorities, such as LetsEncrypt. It
|
||||||
|
allows to request and obtain TLS certificates from an ACME-based
|
||||||
|
certificate authority.
|
||||||
|
|
||||||
|
Before any certificates can be requested, Dehydrated needs
|
||||||
|
to acquire an account with the Certificate Authorities. Optionally, an email
|
||||||
|
address can be provided. It will be used to e.g. notify about expiring
|
||||||
|
certificates. You will usually need to accept the Terms of Service of the CA.
|
||||||
|
Dehydrated will notify if no account is configured. Run with \fB--register
|
||||||
|
--accept-terms\fR to create a new account.
|
||||||
|
|
||||||
|
Next, all domain names must be provided in domains.txt. The format is line
|
||||||
|
based: If the file contains two lines "example.com" and "example.net",
|
||||||
|
Dehydrated will request two certificate, one for "example.com" and the other
|
||||||
|
for "example.net". A single line while "example.com example.net" will request a
|
||||||
|
single certificate valid for both "example.net" and "example.com" through the \fISubject
|
||||||
|
Alternative Name\fR (SAN) field.
|
||||||
|
|
||||||
|
For the next step, one way of verifying domain name ownership needs to be
|
||||||
|
configured. Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification.
|
||||||
|
|
||||||
|
The \fIhttp-01\fR verification provides proof of ownership by providing a
|
||||||
|
challenge token. In order to do that, the directory referenced in the
|
||||||
|
\fIWELLKNOWN\fR config variable needs to be exposed at
|
||||||
|
\fIhttp://{domain}/.well-known/acme-challenge/\fR, where {domain} is every
|
||||||
|
domain name specified in \fIdomains.txt\fR. Dehydrated does not provide its
|
||||||
|
own challenge responder, but relies on an existing web server to provide the
|
||||||
|
challenge response. See \fIwellknown.md\fR for configuration examples of
|
||||||
|
popular web servers.
|
||||||
|
|
||||||
|
The \fIdns-01\fR verification works by providing a challenge token through DNS.
|
||||||
|
This is especially interesting for hosts that cannot be exposed to the public
|
||||||
|
Internet. Because adding records to DNS zones is oftentimes highly specific to
|
||||||
|
the software or the DNS provider at hand, there are many third party hooks
|
||||||
|
available for dehydrated. See \fIdns-verification.md\fR for hooks for popular
|
||||||
|
DNS servers and DNS hosters.
|
||||||
|
|
||||||
|
Finally, the certificates need to be requested and updated on a regular basis.
|
||||||
|
This can happen through a cron job or a timer. Initially, you may enforce this
|
||||||
|
by invoking \fIdehydrated -c\fR manually.
|
||||||
|
|
||||||
|
After a successful run, certificates are stored in
|
||||||
|
\fI/etc/dehydrated/certs/{domain}\fR, where {domain} is the domain name in the
|
||||||
|
first column of \fIdomains.txt\fR.
|
||||||
|
|
||||||
|
.SH OPTIONS
|
||||||
|
|
||||||
|
.BR Commands
|
||||||
|
.TP
|
||||||
|
.BR \-\-version ", " \-v
|
||||||
|
Print version information
|
||||||
|
.TP
|
||||||
|
.BR \-\-register
|
||||||
|
Register account key
|
||||||
|
.TP
|
||||||
|
.BR \-\-account
|
||||||
|
Update account contact information
|
||||||
|
.TP
|
||||||
|
.BR \-\-cron ", " \-c
|
||||||
|
Sign/renew non\-existent/changed/expiring certificates.
|
||||||
|
.TP
|
||||||
|
.BR \-\-signcsr ", " \-s " " \fIpath/to/csr.pem\fR
|
||||||
|
Sign a given CSR, output CRT on stdout (advanced usage)
|
||||||
|
.TP
|
||||||
|
.BR \-\-revoke ", " \-r " " \fIpath/to/cert.pem\fR
|
||||||
|
Revoke specified certificate
|
||||||
|
.TP
|
||||||
|
.BR \-\-cleanup ", " \-gc
|
||||||
|
Move unused certificate files to archive directory
|
||||||
|
.TP
|
||||||
|
.BR \-\-help ", " \-h
|
||||||
|
Show help text
|
||||||
|
.TP
|
||||||
|
.BR \-\-env ", " \-e
|
||||||
|
Output configuration variables for use in other scripts
|
||||||
|
|
||||||
|
.PP
|
||||||
|
.BR Parameters
|
||||||
|
.TP
|
||||||
|
.BR \-\-accept\-terms
|
||||||
|
Accept CAs terms of service
|
||||||
|
.TP
|
||||||
|
.BR \-\-full\-chain ", " \-fc
|
||||||
|
Print full chain when using \fB\-\-signcsr\fR
|
||||||
|
.TP
|
||||||
|
.BR \-\-ipv4 ", " \-4
|
||||||
|
Resolve names to IPv4 addresses only
|
||||||
|
.TP
|
||||||
|
.BR \-\-ipv6 ", " \-6
|
||||||
|
Resolve names to IPv6 addresses only
|
||||||
|
.TP
|
||||||
|
.BR \-\-domain ", " \-d " " \fIdomain.tld\fR
|
||||||
|
Use specified domain name(s) instead of domains.txt entry (one certificate!)
|
||||||
|
.TP
|
||||||
|
.BR \-\-keep\-going ", " \-g
|
||||||
|
Keep going after encountering an error while creating/renewing multiple
|
||||||
|
certificates in cron mode
|
||||||
|
.TP
|
||||||
|
.BR \-\-force ", " \-x
|
||||||
|
Force renew of certificate even if it is longer valid than value in RENEW_DAYS
|
||||||
|
.TP
|
||||||
|
.BR \-\-no\-lock ", " \-n
|
||||||
|
Don't use lockfile (potentially dangerous!)
|
||||||
|
.TP
|
||||||
|
.BR \-\-lock\-suffix " " \fIexample.com\fR
|
||||||
|
Suffix lockfile name with a string (useful for use with \-d)
|
||||||
|
.TP
|
||||||
|
.BR \-\-ocsp
|
||||||
|
Sets option in CSR indicating OCSP stapling to be mandatory
|
||||||
|
.TP
|
||||||
|
.BR \-\-privkey ", " \-p " " \fIpath/to/key.pem\fR
|
||||||
|
Use specified private key instead of account key (useful for revocation)
|
||||||
|
.TP
|
||||||
|
.BR \-\-config ", " \-f " " \fIpath/to/config\fR
|
||||||
|
Use specified config file
|
||||||
|
.TP
|
||||||
|
.BR \-\-hook ", " \-k " " \fIpath/to/hook.sh\fR
|
||||||
|
Use specified script for hooks
|
||||||
|
.TP
|
||||||
|
.BR \-\-out ", " \-o " " \fIcerts/directory\fR
|
||||||
|
Output certificates into the specified directory
|
||||||
|
.TP
|
||||||
|
.BR \-\-challenge ", " \-t " " \fI[http\-01|dns\-01]\fR
|
||||||
|
Which challenge should be used? Currently http\-01 and dns\-01 are supported
|
||||||
|
.TP
|
||||||
|
.BR \-\-algo ", " \-a " " \fI[rsa|prime256v1|secp384r1]\fR
|
||||||
|
Which public key algorithm should be used? Supported: rsa, prime256v1 and
|
||||||
|
secp384r1
|
||||||
|
.SH DIAGNOSTICS
|
||||||
|
The program exits 0 if everything was fine, 1 if an error occurred.
|
||||||
|
.SH BUGS
|
||||||
|
Please report any bugs that you may encounter at the project web site
|
||||||
|
.UR https://github.com/lukas2511/dehydrated/issues
|
||||||
|
.UE .
|
||||||
|
.SH AUTHOR
|
||||||
|
Dehydrated was written by Lukas Schauer. This man page was contributed by
|
||||||
|
Daniel Molkentin.
|
||||||
|
.SH COPYRIGHT
|
||||||
|
Copyright 20015-2017 by Lukas Schauer and the respective contributors.
|
||||||
|
Provided under the MIT License. See the LICENSE file that accompanies the
|
||||||
|
distribution for licensing information.
|
||||||
|
.SH SEE ALSO
|
||||||
|
Full documentation along with configuration examples are provided in the \fIdocs\fR
|
||||||
|
directory of the distribution, or at
|
||||||
|
.UR https://github.com/lukas2511/dehydrated/tree/master/docs
|
||||||
|
.UE .
|
@ -1,3 +1,75 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Remove unused hooks directory
|
||||||
|
|
||||||
|
- Introduced a directory for custom post-run hooks executed as root,
|
||||||
|
see README.SUSE for details. (not to be confused with the native hooks
|
||||||
|
run as dehyrated user)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 29 15:14:29 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Clarify necessity of enabling dehydrated.timer in README.SUSE
|
||||||
|
|
||||||
|
- Submit to SLE15 as per fate#323377
|
||||||
|
|
||||||
|
- Add optional post run hook directory, executed by cron/systemd
|
||||||
|
after dehydrated --cron has run
|
||||||
|
|
||||||
|
- Remove hook directory intended for packaging other native hooks.
|
||||||
|
Will be approach differently
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- No longer require nginx or lighttpd for SLE
|
||||||
|
|
||||||
|
- Never go as far as to require acmeresponder, it might not be available
|
||||||
|
|
||||||
|
- Drop -update from dehydrated-update.{timer,socket} for consistency
|
||||||
|
|
||||||
|
- Add distro specific README.SUSE / README.Fedora
|
||||||
|
|
||||||
|
- Ran spec-cleaner
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 22 11:18:55 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Add man page
|
||||||
|
|
||||||
|
- Ensure dehydrated is always run as designated user
|
||||||
|
* adds 0001-Add-optional-user-and-group-configuration.patch
|
||||||
|
|
||||||
|
- Introduce config.d directory for user configuration
|
||||||
|
|
||||||
|
- Avoid warning about empty config.d directory
|
||||||
|
* adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
|
||||||
|
|
||||||
|
- Fix sed warning about unescaped curly braces in regex
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 19 15:40:46 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Swap statements in post: installing services requires tmp.d
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 19 14:52:25 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- (Weak) dependency on dehydrated-acmeresponder.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 14 13:47:06 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- systemd update service: ConditionPathExists goes into [Unit] section
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 13 15:27:08 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Use timer instead of cron for systemd-enabled distros
|
||||||
|
|
||||||
|
Note: Timer must be explicitly enabled!
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 21 13:12:19 UTC 2017 - daniel.molkentin@suse.com
|
Tue Feb 21 13:12:19 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
@ -2,4 +2,4 @@ SHELL=/bin/sh
|
|||||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
MAILTO=root
|
MAILTO=root
|
||||||
|
|
||||||
25 3 * * * @USER@ test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron
|
25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;
|
||||||
|
14
dehydrated.service.in
Normal file
14
dehydrated.service.in
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Certificate Update Runner for Dehydrated
|
||||||
|
ConditionPathExists=/etc/dehydrated/config
|
||||||
|
After=network-online.target
|
||||||
|
Wants=acmeresponder.socket
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
|
||||||
|
ExecStart=/usr/bin/dehydrated --cron
|
||||||
|
|
||||||
|
# dehydrated --cron will drop permissions and run critical code as dehydrated user.
|
||||||
|
User=root
|
||||||
|
Group=root
|
194
dehydrated.spec
194
dehydrated.spec
@ -16,6 +16,27 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
|
%define _challengedir %{_localstatedir}/lib/acme-challenge
|
||||||
|
%define _user dehydrated
|
||||||
|
%define _home %{_sysconfdir}/dehydrated
|
||||||
|
%define _postrunhooks %{_home}/postrun-hooks.d
|
||||||
|
|
||||||
|
%if 0%{?suse_version} > 1230
|
||||||
|
%define _lock_dir /run/dehydrated
|
||||||
|
%bcond_without systemd
|
||||||
|
%else
|
||||||
|
%define _lock_dir %{_localstatedir}/run/dehydrated
|
||||||
|
%bcond_with systemd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?is_opensuse} || %{defined fedora}
|
||||||
|
%bcond_without nginx
|
||||||
|
%bcond_without lighttpd
|
||||||
|
%else
|
||||||
|
%bcond_with nginx
|
||||||
|
%bcond_with lighttpd
|
||||||
|
%endif
|
||||||
|
%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d }
|
||||||
# See also http://en.opensuse.org/openSUSE:Specfile_guidelines
|
# See also http://en.opensuse.org/openSUSE:Specfile_guidelines
|
||||||
|
|
||||||
%if 0%{?suse_version}
|
%if 0%{?suse_version}
|
||||||
@ -23,27 +44,6 @@
|
|||||||
%else
|
%else
|
||||||
%define _apache httpd
|
%define _apache httpd
|
||||||
%endif
|
%endif
|
||||||
%define _challengedir /var/lib/acme-challenge
|
|
||||||
%define _user dehydrated
|
|
||||||
%define _home /etc/dehydrated
|
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1230
|
|
||||||
%bcond_without systemd
|
|
||||||
%define _lock_dir /run/dehydrated
|
|
||||||
%else
|
|
||||||
%bcond_with systemd
|
|
||||||
%define _lock_dir /var/run/dehydrated
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if (0%{?suse_version} < 1200 && !0%{?is_opensuse}) || 0%{?centos_version} || 0%{?rhel_version}
|
|
||||||
%bcond_with nginx
|
|
||||||
%bcond_with lighttpd
|
|
||||||
%else
|
|
||||||
%bcond_without nginx
|
|
||||||
%bcond_without lighttpd
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
|
|
||||||
|
|
||||||
Name: dehydrated
|
Name: dehydrated
|
||||||
Version: 0.4.0
|
Version: 0.4.0
|
||||||
@ -58,26 +58,36 @@ Source2: acme-challenge.conf.nginx.in
|
|||||||
Source3: acme-challenge.conf.lighttpd.in
|
Source3: acme-challenge.conf.lighttpd.in
|
||||||
Source4: dehydrated.cron.in
|
Source4: dehydrated.cron.in
|
||||||
Source5: dehydrated.tmpfiles.d
|
Source5: dehydrated.tmpfiles.d
|
||||||
|
Source6: dehydrated.service.in
|
||||||
|
Source7: dehydrated.timer
|
||||||
|
Source8: dehydrated.1
|
||||||
|
Source9: README.SUSE
|
||||||
|
Source10: README.Fedora
|
||||||
|
Source11: README.hooks
|
||||||
|
# Patch submitted to upstream
|
||||||
|
Patch1: 0001-Add-optional-user-and-group-configuration.patch
|
||||||
|
# Patch from upstream
|
||||||
|
Patch2: 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
|
||||||
BuildRequires: %{_apache}
|
BuildRequires: %{_apache}
|
||||||
|
Requires: coreutils
|
||||||
|
Requires: curl
|
||||||
|
Requires: openssl
|
||||||
|
Requires(pre): %{_bindir}/getent
|
||||||
|
Requires(pre): %{_sbindir}/groupadd
|
||||||
|
Requires(pre): %{_sbindir}/useradd
|
||||||
|
Obsoletes: letsencrypt.sh < %{version}
|
||||||
|
Provides: letsencrypt.sh = %{version}
|
||||||
|
BuildArch: noarch
|
||||||
%if %{with lighttpd}
|
%if %{with lighttpd}
|
||||||
BuildRequires: lighttpd
|
BuildRequires: lighttpd
|
||||||
%endif
|
%endif
|
||||||
%if %{with nginx}
|
%if %{with nginx}
|
||||||
BuildRequires: nginx
|
BuildRequires: nginx
|
||||||
%endif
|
%endif
|
||||||
%if 0%{?fedora_version}
|
%if %{defined fedora}
|
||||||
BuildRequires: generic-logos
|
BuildRequires: generic-logos
|
||||||
BuildRequires: generic-logos-httpd
|
BuildRequires: generic-logos-httpd
|
||||||
%endif
|
%endif
|
||||||
Requires: coreutils
|
|
||||||
Requires: curl
|
|
||||||
Requires: openssl
|
|
||||||
%if 0%{?suse_version}
|
|
||||||
Requires: cron
|
|
||||||
%endif
|
|
||||||
Requires(pre): /usr/sbin/useradd
|
|
||||||
Requires(pre): /usr/sbin/groupadd
|
|
||||||
Requires(pre): /usr/bin/getent
|
|
||||||
# openSUSE >= 12.3 has shadow, pwdutils is provided but obsoleted.
|
# openSUSE >= 12.3 has shadow, pwdutils is provided but obsoleted.
|
||||||
%if 0%{?suse_version} >= 1230
|
%if 0%{?suse_version} >= 1230
|
||||||
BuildRequires: shadow
|
BuildRequires: shadow
|
||||||
@ -85,13 +95,17 @@ BuildRequires: shadow
|
|||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
|
%else #with_systemd
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
Requires: cron
|
||||||
|
%endif
|
||||||
|
%endif #with_systemd
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
Recommends: dehydrated-acmeresponder
|
||||||
%endif
|
%endif
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
Obsoletes: letsencrypt.sh < %{version}
|
|
||||||
Provides: letsencrypt.sh = %{version}
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is a client for signing certificates with an ACME server
|
This is a client for signing certificates with an ACME server
|
||||||
(currently only provided by letsencrypt) implemented as a relatively
|
(currently only provided by letsencrypt) implemented as a relatively
|
||||||
@ -111,27 +125,29 @@ Current features:
|
|||||||
* Certificate revocation
|
* Certificate revocation
|
||||||
|
|
||||||
%package %{_apache}
|
%package %{_apache}
|
||||||
|
Summary: Apache Integration for dehydrated
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
Requires: %{_apache}
|
Requires: %{_apache}
|
||||||
Requires: %{name}
|
Requires: %{name}
|
||||||
|
Obsoletes: letsencrypt.sh-%{_apache} < %{version}
|
||||||
|
Provides: letsencrypt.sh-%{_apache} = %{version}
|
||||||
%if ! 0%{?suse_version}
|
%if ! 0%{?suse_version}
|
||||||
Requires: mod_ssl
|
Requires: mod_ssl
|
||||||
%endif
|
%endif
|
||||||
Obsoletes: letsencrypt.sh-%{_apache} < %{version}
|
BuildArch: noarch
|
||||||
Provides: letsencrypt.sh-%{_apache} = %{version}
|
|
||||||
Summary: Apache Integration for dehydrated
|
|
||||||
Group: Productivity/Networking/Security
|
|
||||||
|
|
||||||
%description %{_apache}
|
%description %{_apache}
|
||||||
This adds a configuration file for dehydrated's acme-challenge to Apache.
|
This adds a configuration file for dehydrated's acme-challenge to Apache.
|
||||||
|
|
||||||
%if %{with nginx}
|
%if %{with nginx}
|
||||||
%package nginx
|
%package nginx
|
||||||
|
Summary: Nginx Integration for dehydrated
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
Requires: %{name}
|
Requires: %{name}
|
||||||
Requires: nginx
|
Requires: nginx
|
||||||
Obsoletes: letsencrypt.sh-nginx < %{version}
|
Obsoletes: letsencrypt.sh-nginx < %{version}
|
||||||
Provides: letsencrypt.sh-nginx = %{version}
|
Provides: letsencrypt.sh-nginx = %{version}
|
||||||
Summary: Nginx Integration for dehydrated
|
BuildArch: noarch
|
||||||
Group: Productivity/Networking/Security
|
|
||||||
|
|
||||||
%description nginx
|
%description nginx
|
||||||
This adds a configuration file for dehydrated's acme-challenge to nginx.
|
This adds a configuration file for dehydrated's acme-challenge to nginx.
|
||||||
@ -139,67 +155,102 @@ This adds a configuration file for dehydrated's acme-challenge to nginx.
|
|||||||
|
|
||||||
%if %{with lighttpd}
|
%if %{with lighttpd}
|
||||||
%package lighttpd
|
%package lighttpd
|
||||||
Requires: %{name}
|
|
||||||
Requires: lighttpd
|
|
||||||
Summary: Lighttpd Integration for dehydrated
|
Summary: Lighttpd Integration for dehydrated
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
|
Requires: %{name}
|
||||||
|
Requires: lighttpd
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
%description lighttpd
|
%description lighttpd
|
||||||
This adds a configuration file for dehydrated's acme-challenge to lighttpd.
|
This adds a configuration file for dehydrated's acme-challenge to lighttpd.
|
||||||
%endif #with lighttpd
|
%endif #with lighttpd
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group %{_user} >/dev/null || /usr/sbin/groupadd -r %{_user}
|
getent group %{_user} >/dev/null || %{_sbindir}/groupadd -r %{_user}
|
||||||
getent passwd %{_user} >/dev/null || /usr/sbin/useradd -g %{_user} \
|
getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
|
||||||
-s /bin/false -r -c "%{_user}" -d %{_home} %{_user}
|
-s /bin/false -r -c "%{_user}" -d %{_home} %{_user}
|
||||||
if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chown -R %{_user} /etc/dehydrated; fi
|
if [ -d %{_sysconfdir}/letsencrypt.sh ]; then mv %{_sysconfdir}/letsencrypt.sh %{_sysconfdir}/dehydrated; chown -R %{_user} %{_sysconfdir}/dehydrated; fi
|
||||||
if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi
|
if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
|
||||||
|
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
|
%service_add_pre dehydrated.service dehydrated.timer
|
||||||
|
|
||||||
%post
|
%post
|
||||||
systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
|
systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
|
||||||
|
%service_add_post dehydrated.service dehydrated.timer
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%service_del_preun dehydrated.service dehydrated.timer
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%service_del_postun dehydrated.service dehydrated.timer
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
cp %{SOURCE9} .
|
||||||
|
cp %{SOURCE10} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
# sensitive keys
|
# sensitive keys
|
||||||
mkdir -p %{buildroot}%{_home}/{accounts,certs}
|
mkdir -p %{buildroot}%{_home}/{accounts,certs}
|
||||||
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
|
mkdir -p %{buildroot}%{_mandir}/man1
|
||||||
|
mkdir -p %{buildroot}%{_home}/config.d
|
||||||
|
mkdir -p %{buildroot}%{_postrunhooks}
|
||||||
|
|
||||||
|
cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
||||||
|
|
||||||
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
|
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
|
||||||
install -m 0644 docs/examples/* %{buildroot}%{_home}
|
install -m 0644 docs/examples/* %{buildroot}%{_home}
|
||||||
install -m 0755 -d %{buildroot}/usr/bin
|
install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
|
||||||
install -m 0755 dehydrated %{buildroot}/usr/bin
|
install -m 0755 -d %{buildroot}%{_bindir}
|
||||||
|
install -m 0755 dehydrated %{buildroot}%{_bindir}
|
||||||
install -m 0755 -d %{buildroot}%{_challengedir}
|
install -m 0755 -d %{buildroot}%{_challengedir}
|
||||||
|
|
||||||
install -m 0755 -d %{buildroot}/etc/%{_apache}/conf.d
|
install -m 0755 -d %{buildroot}%{_sysconfdir}/%{_apache}/conf.d
|
||||||
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
|
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
|
||||||
install -m 0644 acme-challenge.conf %{buildroot}/etc/%{_apache}/conf.d
|
install -m 0644 acme-challenge.conf %{buildroot}%{_sysconfdir}/%{_apache}/conf.d
|
||||||
|
|
||||||
%if %{with nginx}
|
%if %{with nginx}
|
||||||
install -m 0755 -d %{buildroot}/etc/nginx
|
install -m 0755 -d %{buildroot}%{_sysconfdir}/nginx
|
||||||
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
|
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
|
||||||
install -m 0644 acme-challenge %{buildroot}/etc/nginx
|
install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
|
||||||
%endif #with nginx
|
%endif #with nginx
|
||||||
|
|
||||||
%if %{with lighttpd}
|
%if %{with lighttpd}
|
||||||
install -m 0755 -d %{buildroot}/etc/lighttpd/conf.d
|
install -m 0755 -d %{buildroot}%{_sysconfdir}/lighttpd/conf.d
|
||||||
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
|
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
|
||||||
install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d
|
install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
|
||||||
%endif #with lighttpd
|
%endif #with lighttpd
|
||||||
|
|
||||||
install -m 0755 -d %{buildroot}/etc/cron.d
|
|
||||||
sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
|
|
||||||
install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
|
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
install -D -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||||
%else
|
# Use timer
|
||||||
install -D -d -m 0750 %{buildroot}%{_lock_dir}
|
sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
|
||||||
|
install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
|
||||||
|
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
|
||||||
%endif
|
%endif
|
||||||
perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
|
%else #with systemd
|
||||||
|
install -D -d -m 0750 %{buildroot}%{_lock_dir}
|
||||||
|
# Use cron
|
||||||
|
install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
|
||||||
|
sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE4} > dehydrated.cron
|
||||||
|
install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
|
||||||
|
%endif #with systemd
|
||||||
|
|
||||||
|
# Adjust config file
|
||||||
|
perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
|
||||||
|
perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config
|
||||||
|
perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config
|
||||||
|
perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config
|
||||||
|
|
||||||
diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
|
diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
|
||||||
|
|
||||||
%files
|
%files
|
||||||
@ -208,32 +259,43 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
|
|||||||
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
|
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
|
||||||
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
|
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
|
||||||
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
|
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
|
||||||
|
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/config.d
|
||||||
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
|
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
|
||||||
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
|
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
|
||||||
%config %{_sysconfdir}/cron.d/dehydrated
|
%dir %attr(750,root,%{_user}) %{_postrunhooks}
|
||||||
|
%config(noreplace) %attr(640,root,%{_user}) %{_postrunhooks}/README.hooks
|
||||||
%{_bindir}/dehydrated
|
%{_bindir}/dehydrated
|
||||||
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
|
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
|
||||||
|
%{_mandir}/man1/*
|
||||||
%doc LICENSE README.md docs/*.md docs/*.jpg
|
%doc LICENSE README.md docs/*.md docs/*.jpg
|
||||||
|
%doc README.SUSE
|
||||||
|
%if %{defined redhat}
|
||||||
|
%doc README.Fedora
|
||||||
|
%endif
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
%{_tmpfilesdir}/%{name}.conf
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
|
%{_unitdir}/dehydrated.service
|
||||||
|
%{_unitdir}/dehydrated.timer
|
||||||
|
%{_sbindir}/rcdehydrated
|
||||||
%ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
|
%ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
|
||||||
%else
|
%else
|
||||||
|
%config %{_sysconfdir}/cron.d/dehydrated
|
||||||
%attr(700,%{_user},%{_user}) %dir %{_lock_dir}
|
%attr(700,%{_user},%{_user}) %dir %{_lock_dir}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files %{_apache}
|
%files %{_apache}
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root)
|
||||||
%config %{_sysconfdir}/%{_apache}/conf.d/acme-challenge.conf
|
%config %{_sysconfdir}/%{_apache}/conf.d/acme-challenge.conf
|
||||||
|
|
||||||
%if %{with nginx}
|
%if %{with nginx}
|
||||||
%files nginx
|
%files nginx
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root)
|
||||||
%config %attr(640,root,nginx) %{_sysconfdir}/nginx/acme-challenge
|
%config %attr(640,root,nginx) %{_sysconfdir}/nginx/acme-challenge
|
||||||
%endif #with nginx
|
%endif #with nginx
|
||||||
|
|
||||||
%if %{with lighttpd}
|
%if %{with lighttpd}
|
||||||
%files lighttpd
|
%files lighttpd
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root)
|
||||||
%config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
|
%config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
|
||||||
%endif #with lighttpd
|
%endif #with lighttpd
|
||||||
|
|
||||||
|
10
dehydrated.timer
Normal file
10
dehydrated.timer
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Run Certificate Update Runner for Dehydrated
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
OnCalendar=daily
|
||||||
|
# Two hour window
|
||||||
|
RandomizedDelaySec=7200
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
Loading…
Reference in New Issue
Block a user