From 4089aed6d0cea02a80b5dfdb6731a437ba9764f613c8697d867d0cf68ae4ae87 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Fri, 6 Oct 2017 10:52:01 +0000
Subject: [PATCH] Accepting request 531761 from home:dmolkentin:branches:security:dehydrated
- Remove unused hooks directory
- Introduced a directory for custom post-run hooks executed as root, see README.SUSE for details. (not to be confused with the native hooks run as dehyrated user)
- Clarify necessity of enabling dehydrated.timer in README.SUSE
- Submit to SLE15 as per fate#323377
- Add optional post run hook directory, executed by cron/systemd after dehydrated --cron has run
- Remove hook directory intended for packaging other native hooks. Will be approach differently
OBS-URL: https://build.opensuse.org/request/show/531761
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=13
---
 README.SUSE | 45 ++++++++++++++++++++++++++++++-------------
 README.hooks | 4 ++++
 dehydrated.changes | 22 +++++++++++++++++++++
 dehydrated.cron.in | 2 +-
 dehydrated.service.in | 6 ++++--
 dehydrated.spec | 16 +++++++++------
 6 files changed, 73 insertions(+), 22 deletions(-)
 create mode 100644 README.hooks
diff --git a/README.SUSE b/README.SUSE
index 1097b77..8f7755c 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -7,16 +7,32 @@ certificates (aka SSL Certificates) as simple as possible, while still being
 useful in a broad amount of use cases. Please consult the dehydrated man page, then continue reading here.
-Aqcuisition through HTTP (http-01)
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+IMPORTANT: On systemd-enabled system (SLE12+), you need to enable the update
+timer, which has obsoleted the cron job. This is independent on which method
+you chose from below!
+
+# systemctl enable dehydrated.timer
+
+Also note that with the systemd timer, failures will not be mailed to the
+system administrator, but are being logged to the systemd journal, as per
+systemd's design philosophy.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+Acquisition through HTTP (http-01)
 ===================================
-This is the primary method of acquiring certifictes.
+This is the primary method of acquiring certifictes. The Certificate Authority
+will provide a challenge that the requestor needs to provide via HTTP on port 80/TCP,
+in /.well-known/acme-challenge/.
 Setting up the acme-challenge auto-responder
 --------------------------------------------
-Apache
-~~~~~~
+Apache (easiest)
+~~~~~~~~~~~~~~~~
 If you are using Apache, just install dehydrated-apache2 and reload Apache. This will take care of setting up the acme-challenge auto-responder.
@@ -57,11 +73,11 @@ Machines without a webserver
 On machines that are not running any web server, e.g. mail relays, you can run apache2 with dehydrated-apache2. If you do not want to run any web server on a
-system with systemd, you can use dehydrated-acmeresponder, a small socket
-activated server. Once installed, it will automatically listen on port 80
-whenever the dehydrated cron job seeks renewal, assuming no other server is
-currently occupying the port. It will also shut down once the timer has
-finished execution.
+system with systemd permnently, you can use dehydrated-acmeresponder. This is a
+small socket activated server. Once installed, it will automatically listen on
+port 80 whenever the dehydrated cron job seeks renewal, assuming no other
+server is currently occupying the port. It will also shut down once the timer
+has finished execution.
 Acquisition of initial certificate
 ----------------------------------
@@ -107,7 +123,7 @@ Ansible or Salt. For details, please refer to dns-verification.md.
 For openSUSE, the python-dns-lexicon package provides hooks into many DNS providers and DNS servers.
-Proceeding After initial certificate Aquisition
+Proceeding after initial certificate aquisition
 ===============================================
 Setting up the SSL host
@@ -129,10 +145,13 @@ Limitations & Ceveats
 * It is currently not possible to aqcuire Wildcard certificates
 * No EV- or OV-validated certificates
-* Certificates expire within weeks, not years, this is by design. Ensure that
+* Certificates expire within weeks, not years. This is by design. Ensure that
 certificate renewal works and that daemons get reloaded frequently to pick
- up certificate updates (This is currently not automated on the dehydrated end,
- however Apache will reload every night due to log rotation).
+ up certificate updates. Apache will work due to log rotation SIGHUP'ing
+ the process frequently. However, any other actions, such as service reloads
+ need to be provided as a script in /etc/dehydrated/postrun-hooks.d, which
+ will be executed by the cron script / systemd timer *after* an update run
+ has been performed.
 Links
 =====
diff --git a/README.hooks b/README.hooks
new file mode 100644
index 0000000..d20b81c
--- /dev/null
+++ b/README.hooks
@@ -0,0 +1,4 @@
+Dehydrated's hooks only run as user dehydrated. To circumvent this limitation,
+i.e. when services need to be restarted, all executable files in this directory
+will be executed as root after the certificate update has run.
+
diff --git a/dehydrated.changes b/dehydrated.changes
index eb18e42..071ea65 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Thu Oct 5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
+
+- Remove unused hooks directory
+
+- Introduced a directory for custom post-run hooks executed as root,
+ see README.SUSE for details. (not to be confused with the native hooks
+ run as dehyrated user)
+
+-------------------------------------------------------------------
+Fri Sep 29 15:14:29 UTC 2017 - daniel.molkentin@suse.com
+
+- Clarify necessity of enabling dehydrated.timer in README.SUSE
+
+- Submit to SLE15 as per fate#323377
+
+- Add optional post run hook directory, executed by cron/systemd
+ after dehydrated --cron has run
+
+- Remove hook directory intended for packaging other native hooks.
+ Will be approach differently
+
 -------------------------------------------------------------------
 Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
diff --git a/dehydrated.cron.in b/dehydrated.cron.in
index 0065bc9..ba90790 100644
--- a/dehydrated.cron.in
+++ b/dehydrated.cron.in
@@ -2,4 +2,4 @@ SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 MAILTO=root
-25 3 * * * @USER@ test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron
+25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;
diff --git a/dehydrated.service.in b/dehydrated.service.in
index 783e256..5f1fad2 100644
--- a/dehydrated.service.in
+++ b/dehydrated.service.in
@@ -6,7 +6,9 @@ Wants=acmeresponder.socket
 [Service]
 Type=oneshot
+ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
 ExecStart=/usr/bin/dehydrated --cron
-User=@USER@
-Group=@USER@
+# dehydrated --cron will drop permissions and run critical code as dehydrated user.
+User=root
+Group=root
diff --git a/dehydrated.spec b/dehydrated.spec
index 7c94fef..e289eed 100644
--- a/dehydrated.spec
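Review bot: The hook runner appended to the cron line, `for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;`, depends on word-splitting of find's output and an unquoted `$i`, so a hook name containing whitespace or glob characters is mangled instead of executed, and this loop now runs as root. A form without the intermediate expansion, `find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -type f -executable -exec {} \;`, runs each file as found and removes the `$i` problem; the same construct appears in the dehydrated.service.in hunk below and should change with it. The user column also moves from `@USER@` to `root` with no explanation in this file, while dehydrated.service.in gains the comment `# dehydrated --cron will drop permissions ...`; a matching comment line above the crontab entry would record why root is now required here as well.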
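Review bot: `ExecStartPre-=` is not a valid directive: systemd reads the key name up to `=`, so the line is skipped with an "Unknown key name" warning and the hooks never run from the unit; moreover, as a *Pre* step it would run them before `ExecStart=/usr/bin/dehydrated --cron`, i.e. before the certificates they are meant to react to exist, which contradicts the cron line and README.hooks. The directive should be `ExecStartPost=-/usr/bin/sh -c '...'` if a failing hook must not fail the unit, or `ExecStartPost=/usr/bin/sh -c '...'` if it should. The comment above `User=root` explains the privilege drop, but since this commit also removes the `@USER@` substitution the spec applied to this file, it could additionally say where the unprivileged user is now configured (presumably dehydrated's own config, via the user/group patch listed in the spec — worth confirming).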
+++ b/dehydrated.spec
@@ -19,6 +19,7 @@
 %define _challengedir %{_localstatedir}/lib/acme-challenge
 %define _user dehydrated
 %define _home %{_sysconfdir}/dehydrated
+%define _postrunhooks %{_home}/postrun-hooks.d
 %if 0%{?suse_version} > 1230
 %define _lock_dir /run/dehydrated
@@ -28,7 +29,7 @@
 %bcond_with systemd
 %endif
-%if %{defined is_opensuse} || %{defined fedora}
+%if 0%{?is_opensuse} || %{defined fedora}
 %bcond_without nginx
 %bcond_without lighttpd
 %else
@@ -62,6 +63,7 @@ Source7: dehydrated.timer
 Source8: dehydrated.1
 Source9: README.SUSE
 Source10: README.Fedora
+Source11: README.hooks
 # Patch submitted to upstream
 Patch1: 0001-Add-optional-user-and-group-configuration.patch
 # Patch from upstream
@@ -199,12 +201,13 @@ mkdir -p %{buildroot}%{_home}/{accounts,certs}
 mkdir -p %{buildroot}%{_sbindir}
 mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_home}/config.d
-mkdir -p %{buildroot}%{_home}/hooks # used by hook packages
+mkdir -p %{buildroot}%{_postrunhooks}
 cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}
+install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
 install -m 0755 -d %{buildroot}%{_bindir}
 install -m 0755 dehydrated %{buildroot}%{_bindir}
 install -m 0755 -d %{buildroot}%{_challengedir}
@@ -227,10 +230,10 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
 %if %{with systemd}
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-sed "s,@USER@,%{_user},g" %{SOURCE6} > dehydrated.service # Use timer
+sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
 install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
-install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
+install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
 %if 0%{?suse_version}
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
 %endif
@@ -238,7 +241,7 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
 install -D -d -m 0750 %{buildroot}%{_lock_dir} # Use cron
 install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
-sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
+sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE4} > dehydrated.cron
 install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
 %endif #with systemd
@@ -259,7 +262,8 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/config.d
 %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
 %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
-%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hooks
+%dir %attr(750,root,%{_user}) %{_postrunhooks}
+%config(noreplace) %attr(640,root,%{_user}) %{_postrunhooks}/README.hooks
 %{_bindir}/dehydrated
 %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
 %{_mandir}/man1/*
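Review bot: `%dir %attr(750,root,%{_user}) %{_postrunhooks}` in the %files hunk is, as far as this spec shows, what keeps the dehydrated user from placing a script (or, since the runners use `find -L`, a symlink to one) into a directory whose executable contents the cron job and unit then run as root, yet nothing records that the mode is deliberate. A comment beside that line, `# contents run as root after renewal: must stay root-owned, never group/world-writable`, would stop a later relaxation intended to let the service user install hooks. The README.hooks installed in the @@ -199 hunk with `-m 0644` ends up `640` through %attr here; harmless, but the two values could agree.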