Accepting request 528993 from home:dmolkentin:branches:security:dehydrated

- No longer require nginx or lighttpd for SLE - Never go as far as to require acmeresponder, it might not be available - Drop -update from dehydrated-update.{timer,socket} for consistency - Add distro specific README.SUSE / README.Fedora - Ran spec-cleaner OBS-URL: https://build.opensuse.org/request/show/528993 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=12
2017-09-27 16:31:31 +00:00 · 2017-09-27 16:31:31 +00:00 · 3a1b390a5c
commit 3a1b390a5c
parent fc9dddc9f9
6 changed files with 240 additions and 73 deletions
--- a/README.Fedora
+++ b/README.Fedora
@ -0,0 +1,6 @@
+Packaging note
+==============
+
+On Fedora, CentOS and RHEL, the dehydrated-apache2 package is
+called dehydrated-httpd in accordance with the Fedora naming scheme.
+
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,140 @@
+==========================================
+Acquiring TLS Certificates with Dehydrated
+==========================================
+
+The SUSE dehydrated package has been designed to make acquiring TLS
+certificates (aka SSL Certificates) as simple as possible, while still being
+useful in a broad amount of use cases. Please consult the dehydrated man page,
+then continue reading here.
+
+Aqcuisition through HTTP (http-01)
+===================================
+
+This is the primary method of acquiring certifictes.
+
+Setting up the acme-challenge auto-responder
+--------------------------------------------
+
+Apache
+~~~~~~
+
+If you are using Apache, just install dehydrated-apache2 and reload Apache.
+This will take care of setting up the acme-challenge auto-responder.
+
+nginx
+~~~~~
+
+(not part of SLE, use openSUSE backports)
+
+For nginx, you will need to install dehydrated-nginx. Unfortunately, nginx does
+not support directory mappings across vhosts, so in addition you will need to
+include "/etc/nginx/acmechallenge" in all vhost configurations like this:
+
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  <hostname>;
+    include "acmechallenge";
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+lighttpd
+~~~~~~~~
+
+(not part of SLE, use openSUSE backports)
+
+Lighttpd users can simply install dehydrated-lighttpd and reload lighttpd to
+set up the acme-challenge auto-responder
+
+NOTE: Never set up the SSL vhosts until you have initially acquired the first
+host. Specifying an SSL vhost without certificates constitutes an error for web
+servers.
+
+Machines without a webserver
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+On machines that are not running any web server, e.g. mail relays, you can run
+apache2 with dehydrated-apache2. If you do not want to run any web server on a
+system with systemd, you can use dehydrated-acmeresponder, a small socket
+activated server. Once installed, it will automatically listen on port 80
+whenever the dehydrated cron job seeks renewal, assuming no other server is
+currently occupying the port. It will also shut down once the timer has
+finished execution.
+
+Acquisition of initial certificate
+----------------------------------
+
+How set up an account as described in the man page (as root):
+
+# dehydrated --register --accept-terms
+
+(the current version of the LetsEncrypt Terms & Conditions are referenced in
+/etc/dehydrated/config)
+
+Next, fill in domains.txt and acquire the initial certificates (again, as root):
+
+# echo "myhost.example.com myalias.example.com" >> domains.txt
+# dehydrated --cron
+
+adds myhost.example.com to the list of host names we want to request a certificate for.
+The certificate will hold a Subject Alternative Name of "myalias.example.com".
+LetsEncrypt will check both host names.
+
+NOTE: As of 2017, LetsEncrypt certificates are only valid for three months, and
+the validity period may be further reduced in the future.  It is therefore
+vital to ensure that the certificates are being automatically renewed. On
+systems without systemd, a cron job is automatically set up to take care of
+this. On systemd-enabled systems, a timer is provided which needs to be
+activated manually:
+
+# systemctl enable dehydrated.timer
+
+Aqcuisition through DNS (dns-01)
+================================
+
+Tnis is mostly useful under these conditions
+
+1. Your hosts are not directly exposed to the internet
+2. Your host names are part of a public DNS zone visible on the internet.
+3. You are comfortable with the service adding and removing records in your domain.
+
+Usually, the scenario you want this is a central host which picks up
+certificates for all other hosts on a network, and then deploys them to the
+actual target host, using plain scp or configuration management tools like
+Ansible or Salt. For details, please refer to dns-verification.md. For
+openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
+and DNS servers.
+
+Proceeding After initial certificate Aquisition
+===============================================
+
+Setting up the SSL host
+-----------------------
+
+As recommended parameters shift, please refer to Mozillas excellent SSL
+Configuration Generator [1] for details on how to configure your web server.
+Replace the example paths with the following:
+
+Key: /etc/dehydrated/certs/<domainname>/privkey.pem
+Certificate: /etc/dehydrated/certs/<domainname>/cert.pem
+Intermediate Chain: /etc/dehydrated/certs/<domainname>/chain.pem
+Certificate + Intermediate: /etc/dehydrated/certs/<domainname>/fullchain.pem
+
+where <domainname> should be the name of the first column in domains.txt
+
+Limitations & Ceveats
+=====================
+
+* It is currently not possible to aqcuire Wildcard certificates
+* No EV- or OV-validated certificates
+* Certificates expire within weeks, not years, this is by design. Ensure that
+  certificate renewal works and that daemons get reloaded frequently to pick
+  up certificate updates (This is currently not automated on the dehydrated end,
+  however Apache will reload every night due to log rotation).
+
+Links
+=====
+
+[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/
--- a/dehydrated.changes
+++ b/dehydrated.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
+
+- No longer require nginx or lighttpd for SLE
+
+- Never go as far as to require acmeresponder, it might not be available
+
+- Drop -update from dehydrated-update.{timer,socket} for consistency
+
+- Add distro specific README.SUSE / README.Fedora
+
+- Ran spec-cleaner
+
 -------------------------------------------------------------------
 Fri Sep 22 11:18:55 UTC 2017 - daniel.molkentin@suse.com

--- a/dehydrated-update.service.in
+++ b/dehydrated-update.service.in
--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -16,6 +16,26 @@
 #


+%define _challengedir %{_localstatedir}/lib/acme-challenge
+%define _user         dehydrated
+%define _home         %{_sysconfdir}/dehydrated
+
+%if 0%{?suse_version} > 1230
+%define  _lock_dir /run/dehydrated
+%bcond_without systemd
+%else
+%define  _lock_dir %{_localstatedir}/run/dehydrated
+%bcond_with    systemd
+%endif
+
+%if %{defined is_opensuse} || %{defined fedora}
+%bcond_without nginx
+%bcond_without lighttpd
+%else
+%bcond_with nginx
+%bcond_with lighttpd
+%endif
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d }
 # See also http://en.opensuse.org/openSUSE:Specfile_guidelines

 %if 0%{?suse_version}
@ -23,27 +43,6 @@
 %else
 %define _apache httpd
 %endif
-%define _challengedir /var/lib/acme-challenge
-%define _user         dehydrated
-%define _home         /etc/dehydrated
-
-%if 0%{?suse_version} > 1230
-%bcond_without systemd
-%define  _lock_dir /run/dehydrated
-%else
-%bcond_with    systemd
-%define  _lock_dir /var/run/dehydrated
-%endif
-
-%if (0%{?suse_version} < 1200 && !0%{?is_opensuse}) || 0%{?centos_version} || 0%{?rhel_version}
-%bcond_with nginx
-%bcond_with lighttpd
-%else
-%bcond_without nginx
-%bcond_without lighttpd
-%endif
-
-%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }

 Name:           dehydrated
 Version:        0.4.0
@ -58,30 +57,35 @@ Source2:        acme-challenge.conf.nginx.in
 Source3:        acme-challenge.conf.lighttpd.in
 Source4:        dehydrated.cron.in
 Source5:        dehydrated.tmpfiles.d
-Source6:        dehydrated-update.service.in
-Source7:        dehydrated-update.timer
+Source6:        dehydrated.service.in
+Source7:        dehydrated.timer
 Source8:        dehydrated.1
+Source9:        README.SUSE
+Source10:       README.Fedora
 # Patch submitted to  upstream
 Patch1:         0001-Add-optional-user-and-group-configuration.patch
 # Patch from upstream
 Patch2:         0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
 BuildRequires:  %{_apache}
+Requires:       coreutils
+Requires:       curl
+Requires:       openssl
+Requires(pre):  %{_bindir}/getent
+Requires(pre):  %{_sbindir}/groupadd
+Requires(pre):  %{_sbindir}/useradd
+Obsoletes:      letsencrypt.sh < %{version}
+Provides:       letsencrypt.sh = %{version}
+BuildArch:      noarch
 %if %{with lighttpd}
 BuildRequires:  lighttpd
 %endif
 %if %{with nginx}
 BuildRequires:  nginx
 %endif
-%if 0%{?fedora_version}
+%if %{defined fedora}
 BuildRequires:  generic-logos
 BuildRequires:  generic-logos-httpd
 %endif
-Requires:       coreutils
-Requires:       curl
-Requires:       openssl
-Requires(pre):  /usr/sbin/useradd
-Requires(pre):  /usr/sbin/groupadd
-Requires(pre):  /usr/bin/getent
 # openSUSE >= 12.3 has shadow, pwdutils is provided but obsoleted.
 %if 0%{?suse_version} >= 1230
 BuildRequires:  shadow
@ -96,15 +100,10 @@ Requires:       cron
 %endif #with_systemd
 %if 0%{?suse_version}
 Recommends:     dehydrated-acmeresponder
-%else
-Requires:       dehydrated-acmeresponder
 %endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch

-Obsoletes:      letsencrypt.sh < %{version}
-Provides:       letsencrypt.sh = %{version}
-
 %description
 This is a client for signing certificates with an ACME server
 (currently only provided by letsencrypt) implemented as a relatively
@ -124,27 +123,29 @@ Current features:
 * Certificate revocation

 %package %{_apache}
+Summary:        Apache Integration for dehydrated
+Group:          Productivity/Networking/Security
 Requires:       %{_apache}
 Requires:       %{name}
+Obsoletes:      letsencrypt.sh-%{_apache} < %{version}
+Provides:       letsencrypt.sh-%{_apache} = %{version}
 %if ! 0%{?suse_version}
 Requires:       mod_ssl
 %endif
-Obsoletes:      letsencrypt.sh-%{_apache} < %{version}
-Provides:       letsencrypt.sh-%{_apache} = %{version}
-Summary:        Apache Integration for dehydrated
-Group:          Productivity/Networking/Security
+BuildArch:      noarch

 %description %{_apache}
 This adds a configuration file for dehydrated's acme-challenge to Apache.

 %if %{with nginx}
 %package nginx
+Summary:        Nginx Integration for dehydrated
+Group:          Productivity/Networking/Security
 Requires:       %{name}
 Requires:       nginx
 Obsoletes:      letsencrypt.sh-nginx < %{version}
 Provides:       letsencrypt.sh-nginx = %{version}
-Summary:        Nginx Integration for dehydrated
-Group:          Productivity/Networking/Security
+BuildArch:      noarch

 %description nginx
 This adds a configuration file for dehydrated's acme-challenge to nginx.
@ -152,40 +153,43 @@ This adds a configuration file for dehydrated's acme-challenge to nginx.

 %if %{with lighttpd}
 %package lighttpd
-Requires:       %{name}
-Requires:       lighttpd
 Summary:        Lighttpd Integration for dehydrated
 Group:          Productivity/Networking/Security
+Requires:       %{name}
+Requires:       lighttpd
+BuildArch:      noarch

 %description lighttpd
 This adds a configuration file for dehydrated's acme-challenge to lighttpd.
-%endif #with lighttpd 
+%endif #with lighttpd

 %pre
-getent group %{_user} >/dev/null || /usr/sbin/groupadd -r %{_user}
-getent passwd %{_user} >/dev/null || /usr/sbin/useradd -g %{_user} \
+getent group %{_user} >/dev/null || %{_sbindir}/groupadd -r %{_user}
+getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
 	-s /bin/false -r -c "%{_user}" -d %{_home} %{_user}
-if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chown -R %{_user} /etc/dehydrated; fi
-if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi
+if [ -d %{_sysconfdir}/letsencrypt.sh ]; then mv %{_sysconfdir}/letsencrypt.sh %{_sysconfdir}/dehydrated; chown -R %{_user} %{_sysconfdir}/dehydrated; fi
+if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi

 %if %{with systemd}
-%service_add_pre dehydrated-update.service dehydrated-update.timer
+%service_add_pre dehydrated.service dehydrated.timer

 %post
 systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
-%service_add_post dehydrated-update.service dehydrated-update.timer
+%service_add_post dehydrated.service dehydrated.timer

 %preun
-%service_del_preun dehydrated-update.service dehydrated-update.timer
+%service_del_preun dehydrated.service dehydrated.timer

 %postun
-%service_del_postun dehydrated-update.service dehydrated-update.timer
+%service_del_postun dehydrated.service dehydrated.timer
 %endif

 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
+cp %{SOURCE9} .
+cp %{SOURCE10} .

 %build

@ -201,41 +205,41 @@ cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz

 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}
-install -m 0755 -d %{buildroot}/usr/bin
-install -m 0755 dehydrated %{buildroot}/usr/bin
+install -m 0755 -d %{buildroot}%{_bindir}
+install -m 0755 dehydrated %{buildroot}%{_bindir}
 install -m 0755 -d %{buildroot}%{_challengedir}

-install -m 0755 -d %{buildroot}/etc/%{_apache}/conf.d
+install -m 0755 -d %{buildroot}%{_sysconfdir}/%{_apache}/conf.d
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
-install -m 0644 acme-challenge.conf %{buildroot}/etc/%{_apache}/conf.d
+install -m 0644 acme-challenge.conf %{buildroot}%{_sysconfdir}/%{_apache}/conf.d

 %if %{with nginx}
-install -m 0755 -d %{buildroot}/etc/nginx
+install -m 0755 -d %{buildroot}%{_sysconfdir}/nginx
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
-install -m 0644 acme-challenge %{buildroot}/etc/nginx
+install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
 %endif #with nginx

 %if %{with lighttpd}
-install -m 0755 -d %{buildroot}/etc/lighttpd/conf.d
+install -m 0755 -d %{buildroot}%{_sysconfdir}/lighttpd/conf.d
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
-install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d
+install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
 %endif #with lighttpd

 %if %{with systemd}
-install -D    -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-sed "s,@USER@,%{_user},g" %{S:6} > dehydrated-update.service
+install -D    -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+sed "s,@USER@,%{_user},g" %{SOURCE6} > dehydrated.service
 # Use timer
-install -D -m 644 dehydrated-update.service  %{buildroot}%{_unitdir}/dehydrated-update.service
-install -D -m 644 %{S:7}                     %{buildroot}%{_unitdir}/dehydrated-update.timer
+install -D -m 644 dehydrated.service  %{buildroot}%{_unitdir}/dehydrated.service
+install -D -m 644 %{SOURCE7}                     %{buildroot}%{_unitdir}/dehydrated.timer
 %if 0%{?suse_version}
-ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdehydrated-update
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
 %endif
 %else #with systemd
 install -D -d -m 0750 %{buildroot}%{_lock_dir}
 # Use cron
-install -m 0755 -d %{buildroot}/etc/cron.d
+install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
 sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
-install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
+install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
 %endif #with systemd

 # Adjust config file
@ -260,11 +264,15 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
 %{_mandir}/man1/*
 %doc LICENSE README.md docs/*.md docs/*.jpg
+%doc README.SUSE
+%if %{defined redhat}
+%doc README.Fedora
+%endif
 %if %{with systemd}
 %{_tmpfilesdir}/%{name}.conf
-%{_unitdir}/dehydrated-update.service
-%{_unitdir}/dehydrated-update.timer
-%{_sbindir}/rcdehydrated-update
+%{_unitdir}/dehydrated.service
+%{_unitdir}/dehydrated.timer
+%{_sbindir}/rcdehydrated
 %ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
 %else
 %config %{_sysconfdir}/cron.d/dehydrated
@ -272,18 +280,18 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %endif

 %files %{_apache}
-%defattr(-,root,root,-)
+%defattr(-,root,root)
 %config %{_sysconfdir}/%{_apache}/conf.d/acme-challenge.conf

 %if %{with nginx}
 %files nginx
-%defattr(-,root,root,-)
+%defattr(-,root,root)
 %config %attr(640,root,nginx) %{_sysconfdir}/nginx/acme-challenge
 %endif #with nginx

 %if %{with lighttpd}
 %files lighttpd
-%defattr(-,root,root,-)
+%defattr(-,root,root)
 %config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
 %endif #with lighttpd

--- a/dehydrated-update.timer
+++ b/dehydrated-update.timer