Commit Graph

45 Commits

Author SHA256 Message Date
Daniel Molkentin
8f53c538c5 Accepting request 987889 from home:darix:branches:security:dehydrated
- Copy the changes entry into README.postrun-hooks to make it
  easier for users to find the information how to restore the
  postrun-hooks after the split.

OBS-URL: https://build.opensuse.org/request/show/987889
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=77
2022-07-08 11:28:23 +00:00
Daniel Molkentin
abdad1b762 Accepting request 882188 from home:darix:playground
- Enable instantiated services (boo#1184165)

- Prepare instantiated service/timer support but not enable it:
  This seems to fail due to missing systemd support right now.
  So the only option at the moment is to copy the timer and unit
  file for a 2nd instance. Mark all files as part of dehydrated.target

- Rework support for /etc/dehydrated/postrun-hooks.d/:
  dehydrated.service no longer starts them directly, the support was
  moved to a separate unit file. Please run:
  systemctl enable dehydrated-postrun-hooks.service
  to restore this functionality
- Run dehydrated as dehydrated user again

OBS-URL: https://build.opensuse.org/request/show/882188
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=74
2021-03-30 14:53:39 +00:00
Daniel Molkentin
5b368e02a5 Accepting request 882014 from home:darix:playground
- Do not use the full path for config.d in the config files, which
  will simplify implementing multi instance support.

- Added more-examples.patch:
  Explain how we can have per certificate key algorithms

OBS-URL: https://build.opensuse.org/request/show/882014
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=73
2021-03-29 16:26:11 +00:00
Daniel Molkentin
1d0402a9b6 Accepting request 879078 from home:oreinert:branches:security:dehydrated
Add directory where cleanup can archive unused certificates

OBS-URL: https://build.opensuse.org/request/show/879078
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=72
2021-03-29 14:02:51 +00:00
Daniel Molkentin
4f691d6fef - Clarified new default settings. KEY_ALGO=secp384r1. Please consult
README.maintainer for details and how to return to RSA-based certificate
  issuance. (jsc#ECO-3435, jsc#SLE-15909)
- Added a note about ACMEv1 deprecation
- Added a note on new ACME providers and the new non-URL provider syntax
  See README.maintainer for details.

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=69
2021-03-03 17:15:11 +00:00
Daniel Molkentin
9ddb42dcc7 - Update to dehydrated 0.7.0 (JSC#SLE-15909)
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=67
2020-12-10 16:32:35 +00:00
Daniel Molkentin
d28ade7659 - Update to dehydrated 0.7.0
Added
    Support for external account bindings
    Special support for ZeroSSL
    Support presets for some CAs instead of requiring URLs
    Allow requesting preferred chain (--preferred-chain)
    Added method to show CAs current terms of service (--display-terms)
    Allow setting path to domains.txt using cli arguments (--domains-txt)
    Added new cli command --cleanupdelete which deletes old files instead of archiving them
  Fixed
    No more silent failures on broken hook-scripts
    Better error-handling with KEEP_GOING enabled
    Check actual order status instead of assuming it's valid
    Don't include keyAuthorization in challenge validation (RFC compliance)
  Changed
    Using EC secp384r1 as default certificate type
    Use JSON.sh to parse JSON
    Use account URL instead of account ID (RFC compliance)
    Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
    Added OCSP_FETCH and OCSP_DAYS to per-certificate configurable options
    Cleanup now also removes dangling symlinks

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=66
2020-12-10 16:05:04 +00:00
Daniel Molkentin
bc6d4bfda6 - dehydrated-apache2: Check for mod_compat (bsc#1178927)
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=64
2020-11-19 11:29:46 +00:00
Daniel Molkentin
9d2a8c99b9 - Reenable nginx subpackage for factory
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=62
2020-09-14 13:43:34 +00:00
Daniel Molkentin
2ae092d676 - Update maintainer file and package description, remove features
that are better described in the (maintained) man page.

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=60
2020-06-29 12:45:22 +00:00
Daniel Molkentin
169bd5f56b - Remove potentially harmful scriptlet (bsc#1154167). Documented
transition case in the maintainer README. Unlikely enough. The
  versions that have not transitioned yet would be broken for more
  than two years now.

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=59
2020-06-29 12:40:34 +00:00
Daniel Molkentin
9810800404 - Removed lighttpd 1.x integration package. If you still would like
to use lighttpd with dehydrated, follow the instructions in the
  README.maintainers file.

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=57
2020-05-06 15:00:46 +00:00
Daniel Molkentin
15c290c4eb - Provide nginx subpackage for SLE 15+ (jsc#SLE-11727)
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=55
2020-04-23 11:16:38 +00:00
Daniel Molkentin
a9f7c92991 - Fix lighttpd config file (boo#1169834)
- Provide nginx subpackage for SLE 15+ (jsc#11756)

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=53
2020-04-20 10:44:17 +00:00
Daniel Molkentin
9952a18f28 Accepting request 769563 from home:dimstar:Factory
Shortcut through -mini

OBS-URL: https://build.opensuse.org/request/show/769563
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=51
2020-02-03 16:29:03 +00:00
Daniel Molkentin
f7dc01a76d Accepting request 740571 from home:RBrownSUSE:branches:security:dehydrated
Remove obsolete Groups tag (fate#326485)

OBS-URL: https://build.opensuse.org/request/show/740571
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=50
2019-10-17 17:28:18 +00:00
Daniel Molkentin
c29b838222 Fix version conditions
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=44
2019-08-10 17:43:44 +00:00
Daniel Molkentin
f49a7b4c9f - Behavioral change: Use cron only for older RHEL/CentOS versions
(along with openSUSE < 12.3). Everything else now uses systemd.
  Please adopt accordingly! Refer to README.md for

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=43
2019-08-10 17:30:39 +00:00
Daniel Molkentin
8040ffa8f3 Accepting request 712111 from home:dmolkentin:branches:security:dehydrated
- Update to dehydrated 0.6.5
  * Fixed broken APIv1 compatibility from last update

OBS-URL: https://build.opensuse.org/request/show/712111
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=41
2019-06-26 11:06:19 +00:00
Daniel Molkentin
d5e40d1a3a Accepting request 712102 from home:dmolkentin:branches:security:dehydrated
* Fetch account ID from Location header instead of account json (bsc#1139408)

OBS-URL: https://build.opensuse.org/request/show/712102
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=40
2019-06-26 09:46:46 +00:00
Daniel Molkentin
b89a8c7363 Accepting request 712099 from home:dmolkentin:branches:security:dehydrated
* Fetch account ID from Location header instead of account json (osc#1139408)

OBS-URL: https://build.opensuse.org/request/show/712099
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=39
2019-06-26 09:23:56 +00:00
Daniel Molkentin
8b4b8c8c74 Accepting request 711919 from home:dmolkentin:branches:security:dehydrated
- Update to dehydrated 0.6.4
  * Fetch account ID from Location header instead of account json
- Update to dehydrated 0.6.3
  * OCSP refresh interval is now configurable
  * Implemented POST-as-GET
  * Call exit_hook on errors (with error-message as first parameter)
  * Initial support for tls-alpn-01 validation
  * New hook: sync_cert (for syncing certificate files to disk, see example
    hook description)
  * Fetch account information after registration to avoid missing account id

OBS-URL: https://build.opensuse.org/request/show/711919
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=38
2019-06-25 17:34:27 +00:00
Daniel Molkentin
7888635f15 Accepting request 667787 from home:dmolkentin:branches:security:dehydrated
- Remove RandomizedDelaySec attribute for distros with older systemd
  (boo#1110697)

OBS-URL: https://build.opensuse.org/request/show/667787
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=36
2019-01-22 12:52:01 +00:00
Daniel Molkentin
c421ebf0a9 Accepting request 601881 from home:dmolkentin:branches:security:dehydrated
* removes 0001-fixed-CA-url-in-example-config.patch
  * removes 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch

OBS-URL: https://build.opensuse.org/request/show/601881
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=34
2018-04-27 11:56:07 +00:00
Daniel Molkentin
d58a1e75d6 Accepting request 601877 from home:dmolkentin:branches:security:dehydrated
- Update to dehydrated 0.6.2
  Added
  * New deploy_ocsp hook
  * Allow account registration with custom key
  Changed
  * Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
  * Improved documentation on wildcards
  Fixes
  * Added workaround for compatibility with filesystem ACLs
  * Close unwanted external file-descriptors
  * Fixed JSON parsing on force-renewal (bsc#1091216)
  * Fixed cleanup of challenge files/dns-entries on validation errors
  * A few more minor fixes

OBS-URL: https://build.opensuse.org/request/show/601877
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=33
2018-04-27 11:50:28 +00:00
Daniel Molkentin
697d443d67 Accepting request 587474 from home:dmolkentin:branches:security:dehydrated
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) 
  * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch

OBS-URL: https://build.opensuse.org/request/show/587474
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=31
2018-03-15 11:01:55 +00:00
Daniel Molkentin
03c58b8a3c Accepting request 587022 from home:dmolkentin:branches:security:dehydrated
- Fix issues introduced by 0.6.1 (bsc#1085305)
  * bring back man page
  * reflect new endpoint in (commented out) config file section
    (adds 0001-fixed-CA-url-in-example-config.patch, backported
    from upstream's master branch)

OBS-URL: https://build.opensuse.org/request/show/587022
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=30
2018-03-14 17:34:36 +00:00
Daniel Molkentin
538dad42ce Accepting request 587013 from home:dmolkentin:branches:security:dehydrated
- Properly install man page again (bsc#1085305)

OBS-URL: https://build.opensuse.org/request/show/587013
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=29
2018-03-14 16:53:11 +00:00
Daniel Molkentin
fadfc27461 Accepting request 586503 from home:dmolkentin:branches:security:dehydrated
- Updated dehydrated to 0.6.1 (bsc#1084854)
  * Use new ACME v2 endpoint by default

- Updated dehydrated to 0.6.0 (bsc#1084854)

OBS-URL: https://build.opensuse.org/request/show/586503
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=28
2018-03-13 20:36:22 +00:00
Daniel Molkentin
8fa4c3f221 Accepting request 585800 from home:dmolkentin:branches:security:dehydrated
- Updated dehydrated to 0.6.0 (osc#1084854)
  Changed
  * Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
  * Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory)
  Added
  * Support for ACME v02 (including wildcard certificates!)
  * New hook: generate_csr (see example hook script for more information)
  * Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored...

OBS-URL: https://build.opensuse.org/request/show/585800
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=26
2018-03-12 09:53:49 +00:00
Daniel Molkentin
920b454f04 Accepting request 564949 from home:dmolkentin:branches:security:dehydrated
- Remove redundant noarch entries. They cause an error in RPM 4.14.

OBS-URL: https://build.opensuse.org/request/show/564949
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=22
2018-01-15 12:19:24 +00:00
f303fdbcb8 Accepting request 564525 from home:dmolkentin:branches:security:dehydrated
- Updated dehydrated to 0.5.0
  This removes the following patches and files, which are now part of the
  upstream package:
  * 0001-Add-optional-user-and-group-configuration.patch
  * 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
  * dehydrated.1: the man page has been adopted by upstream
  Starting with this version, upstream introduced signed releases, which
  is now being used for source validation.
  Upstream changes:
  Changed
  * Certificate chain is now cached (CHAINCACHE)
  * OpenSSL binary path is now configurable (OPENSSL)
  * Cleanup now also moves revoked certificates
  Added
  * New feature for updating contact information (--account)
  * Allow automatic cleanup on exit (AUTO_CLEANUP)
  * Initial support for fetching OCSP status to be used for OCSP stapling
    (OCSP_FETCH)
  * Certificates can now have aliases to create multiple certificates with
    identical set of domains (see --alias and domains.txt documentation)
  * Allow dehydrated to run as specified user (/group). This was already
    available previously as a patch to this package.

OBS-URL: https://build.opensuse.org/request/show/564525
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=21
2018-01-15 11:59:16 +00:00
69cee6f711 - actually try to find the real path to bash and don't hardcode
/usr/bin/bash

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=19
2017-10-20 11:02:37 +00:00
dd7fda6243 - actually try to find the real path to bash and don't hardcode
/usr/bin/bash

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=18
2017-10-20 10:57:53 +00:00
bae7cb3bbf Accepting request 535146 from home:dmolkentin:branches:security:dehydrated
- Use /usr/bin/bash directly, rather than via env 

- Use sudo instead of su to allow for argument handling, also
  works in all cases when no login shell is assigned to the
  dehydrated user
  * updates 0001-Add-optional-user-and-group-configuration.patch

OBS-URL: https://build.opensuse.org/request/show/535146
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=17
2017-10-20 09:54:53 +00:00
ea11f1cea0 Accepting request 534491 from home:dmolkentin:branches:security:dehydrated
- Commands in service files need some escaping after all. Fix ExecStartPost.

OBS-URL: https://build.opensuse.org/request/show/534491
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=16
2017-10-17 14:48:54 +00:00
bce49d6f11 Accepting request 534175 from home:dmolkentin:branches:security:dehydrated
- In the timer service, execute root post run hooks in ExecStartPost

- Fix run of root hooks 
- Simplify root hook execution, this is also more robust

OBS-URL: https://build.opensuse.org/request/show/534175
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=15
2017-10-17 02:03:39 +00:00
Daniel Molkentin
4089aed6d0 Accepting request 531761 from home:dmolkentin:branches:security:dehydrated
- Remove unused hooks directory
- Introduced a directory for custom post-run hooks executed as root,
  see README.SUSE for details. (not to be confused with the native hooks
  run as dehydrated user)

- Clarify necessity of enabling dehydrated.timer in README.SUSE
- Submit to SLE15 as per fate#323377
- Add optional post run hook directory, executed by cron/systemd
  after dehydrated --cron has run
- Remove hook directory intended for packaging other native hooks.
  Will be approached differently

OBS-URL: https://build.opensuse.org/request/show/531761
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=13
2017-10-06 10:52:01 +00:00
3a1b390a5c Accepting request 528993 from home:dmolkentin:branches:security:dehydrated
- No longer require nginx or lighttpd for SLE
- Never go as far as to require acmeresponder, it might not be available
- Drop -update from dehydrated-update.{timer,socket} for consistency
- Add distro specific README.SUSE / README.Fedora
- Ran spec-cleaner

OBS-URL: https://build.opensuse.org/request/show/528993
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=12
2017-09-27 16:31:31 +00:00
fc9dddc9f9 Accepting request 528299 from home:dmolkentin:branches:security:dehydrated
- Add man page
- Ensure dehydrated is always run as designated user
  * adds 0001-Add-optional-user-and-group-configuration.patch
- Introduce config.d directory for user configuration
- Avoid warning about empty config.d directory
  * adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
- Fix sed warning about unescaped curly braces in regex

- Use timer instead of cron for systemd-enabled distros
  Note: Timer must be explicitly enabled!

OBS-URL: https://build.opensuse.org/request/show/528299
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=11
2017-09-22 13:35:31 +00:00
19ef4a12d8 Accepting request 527349 from home:dmolkentin:branches:security:dehydrated
- Swap statements in post: installing services requires tmp.d 

- (Weak) dependency on dehydrated-acmeresponder.

- systemd update service: ConditionPathExists goes into [Unit] section 

- Use timer instead of cron for systemd-enabled distros

OBS-URL: https://build.opensuse.org/request/show/527349
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=10
2017-09-19 15:42:45 +00:00
Daniel Molkentin
b03ec4a263 - Drop the (undocumented) dependency for mod_headers
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=8
2017-02-21 13:13:43 +00:00
Daniel Molkentin
78d0c8ad7b Accepting request 459171 from home:danimo:branches:security:dehydrated
- Unify configuration file source names 

- Bump to 0.4.0

OBS-URL: https://build.opensuse.org/request/show/459171
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=7
2017-02-21 12:11:20 +00:00
Dominique Leuenberger
5628f7872c Accepting request 455792 from security:dehydrated
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/455792
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=2
2017-02-13 06:49:05 +00:00
Dominique Leuenberger
10d381b04a Accepting request 441496 from security
Lightweight LE client (formerly known as letsencrypt.sh). I'll maintain it in TW.

OBS-URL: https://build.opensuse.org/request/show/441496
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=1
2017-01-27 10:00:22 +00:00