Accepting request 587475 from security:dehydrated

- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch (forwarded request 587474 from dmolkentin) OBS-URL: https://build.opensuse.org/request/show/587475 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=8
2018-03-16 09:43:57 +00:00 · 2018-03-16 09:43:57 +00:00 · 77892e717b
commit 77892e717b
parent efe9f15753 697d443d67
8 changed files with 136 additions and 17 deletions
--- a/0001-fixed-CA-url-in-example-config.patch
+++ b/0001-fixed-CA-url-in-example-config.patch
@ -0,0 +1,36 @@
+From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.so>
+Date: Tue, 13 Mar 2018 21:08:20 +0100
+Subject: [PATCH] fixed CA url in example config
+
+---
+ docs/examples/config | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/examples/config b/docs/examples/config
+index 1aa7d63..665704d 100644
+--- a/docs/examples/config
+++ b/docs/examples/config
+@@ -21,15 +21,15 @@
+ # default: <unset>
+ #IP_VERSION=
+ 
+-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+-#CA="https://acme-v01.api.letsencrypt.org/directory"
+# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
+#CA="https://acme-v02.api.letsencrypt.org/directory"
+ 
+ # Path to old certificate authority
+ # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+ # If dehydrated detects an account-key for the old CA it will automatically reuse that key
+ # instead of registering a new one.
+-# default: <unset>
+-#OLDCA=
+# default: https://acme-v01.api.letsencrypt.org/directory
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+ 
+ # Which challenge should be used? Currently http-01 and dns-01 are supported
+ #CHALLENGETYPE="http-01"
+-- 
+2.13.6
+
--- a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+++ b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
@ -0,0 +1,56 @@
+From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.so>
+Date: Wed, 14 Mar 2018 18:50:28 +0100
+Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
+ chain by default)
+
+---
+diff --git a/dehydrated b/dehydrated
+index 4103649..0751a0b 100755
+--- a/dehydrated
+++ b/dehydrated
+@@ -990,20 +990,29 @@ sign_domain() {
+ 
+   # Create fullchain.pem
+   echo " + Creating fullchain.pem..."
+-  cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+-  local issuer_hash
+-  issuer_hash="$(get_issuer_hash "${crt_path}")"
+-  if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+-    echo " + Using cached chain!"
+-    cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+  if [[ ${API} -eq 1 ]]; then
+    cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+    local issuer_hash
+    issuer_hash="$(get_issuer_hash "${crt_path}")"
+    if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+      echo " + Using cached chain!"
+      cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+    else
+      echo " + Walking chain..."
+      local issuer_cert_uri
+      issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+      (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+      cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+    fi
+    cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+   else
+-    echo " + Walking chain..."
+-    local issuer_cert_uri
+-    issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+-    (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+-    cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+    tmpcert="$(_mktemp)"
+    tmpchain="$(_mktemp)"
+    awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
+    mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
+    mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
+    mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
+   fi
+-  cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+ 
+   # Update symlinks
+   [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
+-- 
+2.13.6
+
--- a/dehydrated-0.6.0.tar.gz
+++ b/dehydrated-0.6.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2285a0691c13ec39b513ed5a2d49c4771d0bc0580a70ea585f06a35526123dbb
-size 76650
--- a/dehydrated-0.6.0.tar.gz.asc
+++ b/dehydrated-0.6.0.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqlgokACgkQnE2+bPQ4
-8zOlqAf+KaeYvJyjb1/7WqeSkIijHlqpewGp8ad92id74fydyLQsfg3irJorzJkY
-LV2PPbArN+iz6us8r7pmeoW4UUDUJSKRlKcRi+3Cg3zBJ8uOS7hIcRK7c2utTKgq
-9uwE15fWO3gZ5IuGfcbUaIokxLecuY4/QqgP+ZMBFXKonVatQXlFOCALC02rpnsF
-RyeMfWVYzvBkWX8Smh6CO6N7iRAZeHV+hzgLjqQDqTqlFaUUh7uud+XxoUo4ja0V
-IvIdDVeS7zt+O0/tG9iHbWnVjAuyKCp67Da+FU0FJFqXberS/53A4EVl36o9G2iv
-+Cs/y538rlSNlC1eakv0BiJ+6oqmPQ==
-=QKkR
-----END PGP SIGNATURE-----
--- a/dehydrated-0.6.1.tar.gz
+++ b/dehydrated-0.6.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
+size 76693
--- a/dehydrated-0.6.1.tar.gz.asc
+++ b/dehydrated-0.6.1.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
+8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
+SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
+cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
+hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
+VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
+PyGB4G1924U1cLuAt2XJdB82y0LNIw==
+=JzFS
+-----END PGP SIGNATURE-----
--- a/dehydrated.changes
+++ b/dehydrated.changes
@ -1,7 +1,30 @@
+-------------------------------------------------------------------
+Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
+
+- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) 
+  * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+
+-------------------------------------------------------------------
+Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com
+
+- Fix issues introduced by 0.6.1 (bsc#1085305)
+
+  * bring back man page
+  * reflect new endpoint in (commented out) config file section
+    (adds 0001-fixed-CA-url-in-example-config.patch, backported
+    from upstream's master branch)
+
+-------------------------------------------------------------------
+Tue Mar 13 20:21:49 UTC 2018 - daniel.molkentin@suse.com
+
+- Updated dehydrated to 0.6.1 (bsc#1084854)
+
+  * Use new ACME v2 endpoint by default
+
 -------------------------------------------------------------------
 Mon Mar 12 08:16:13 UTC 2018 - daniel.molkentin@suse.com

- Updated dehydrated to 0.6.0 (osc#1084854)
+- Updated dehydrated to 0.6.0 (bsc#1084854)

  Changed

--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -46,7 +46,7 @@
 %endif

 Name:           dehydrated
-Version:        0.6.0
+Version:        0.6.1
 Release:        0
 Summary:        A client for signing certificates with an ACME server
 License:        MIT
@ -65,6 +65,8 @@ Source10:       README.Fedora
 Source11:       README.hooks
 Source12:       %{name}-%{version}.tar.gz.asc
 Source13:       %{name}.keyring
+Patch1:         0001-fixed-CA-url-in-example-config.patch
+Patch2:         0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 BuildRequires:  %{_apache}
 Requires:       coreutils
 Requires:       curl
@ -182,6 +184,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:

 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .

@ -195,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_home}/config.d
 mkdir -p %{buildroot}%{_postrunhooks}

-cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
+cat docs/man/dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz

 # Silence E: env-script-interpreter
 find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;