diff --git a/0001-fixed-CA-url-in-example-config.patch b/0001-fixed-CA-url-in-example-config.patch
new file mode 100644
index 0000000..b7e86c3
--- /dev/null
+++ b/0001-fixed-CA-url-in-example-config.patch
@@ -0,0 +1,36 @@
+From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
+From: Lukas Schauer
+Date: Tue, 13 Mar 2018 21:08:20 +0100
+Subject: [PATCH] fixed CA url in example config
+
+---
+ docs/examples/config | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/examples/config b/docs/examples/config
+index 1aa7d63..665704d 100644
+--- a/docs/examples/config
++++ b/docs/examples/config
+@@ -21,15 +21,15 @@
+ # default:
+ #IP_VERSION=
+
+-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+-#CA="https://acme-v01.api.letsencrypt.org/directory"
++# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
++#CA="https://acme-v02.api.letsencrypt.org/directory"
+
+ # Path to old certificate authority
+ # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+ # If dehydrated detects an account-key for the old CA it will automatically reuse that key
+ # instead of registering a new one.
+-# default:
+-#OLDCA=
++# default: https://acme-v01.api.letsencrypt.org/directory
++#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+
+ # Which challenge should be used? Currently http-01 and dns-01 are supported
+ #CHALLENGETYPE="http-01"
+--
+2.13.6
+
diff --git a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
new file mode 100644
index 0000000..f994852
--- /dev/null
+++ b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
@@ -0,0 +1,56 @@
+From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
+From: Lukas Schauer
+Date: Wed, 14 Mar 2018 18:50:28 +0100
+Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
+ chain by default)
+
+---
+diff --git a/dehydrated b/dehydrated
+index 4103649..0751a0b 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -990,20 +990,29 @@ sign_domain() {
+
+ # Create fullchain.pem
+ echo " + Creating fullchain.pem..."
+- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+- local issuer_hash
+- issuer_hash="$(get_issuer_hash "${crt_path}")"
+- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+- echo " + Using cached chain!"
+- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
++ if [[ ${API} -eq 1 ]]; then
++ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
++ local issuer_hash
++ issuer_hash="$(get_issuer_hash "${crt_path}")"
++ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
++ echo " + Using cached chain!"
++ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
++ else
++ echo " + Walking chain..."
++ local issuer_cert_uri
++ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
++ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
++ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
++ fi
++ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+ else
+- echo " + Walking chain..."
+- local issuer_cert_uri
+- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
++ tmpcert="$(_mktemp)"
++ tmpchain="$(_mktemp)"
++ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
++ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
++ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
++ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
+ fi
+- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+
+ # Update symlinks
+ [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
+--
+2.13.6
+
diff --git a/dehydrated-0.6.0.tar.gz b/dehydrated-0.6.0.tar.gz
deleted file mode 100644
index 5c0597c..0000000
--- a/dehydrated-0.6.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2285a0691c13ec39b513ed5a2d49c4771d0bc0580a70ea585f06a35526123dbb
-size 76650
diff --git a/dehydrated-0.6.0.tar.gz.asc b/dehydrated-0.6.0.tar.gz.asc
deleted file mode 100644
index a9c8b84..0000000
--- a/dehydrated-0.6.0.tar.gz.asc
+++ /dev/null
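Review bot: In the ACMEv2 (`else`) branch the result of the awk split is never validated before the three `mv` calls overwrite `cert-${timestamp}.pem` and `chain-${timestamp}.pem`. If awk fails without aborting the script, or the downloaded file holds only a single certificate, the script goes on to link an empty or truncated cert/chain, so the split should be checked (exit status plus non-empty halves) before anything is moved. `tmpcert` and `tmpchain` are also assigned without `local`, unlike `issuer_hash` and `issuer_cert_uri` in the same function. Moving the temp files into place makes the published files inherit whatever mode `_mktemp` gave them (its definition is not in the hunk), which may differ from the `cat >` redirects used in the ACMEv1 branch; worth confirming. sign_domain starts and ends outside the hunk.

```shell
# … unchanged: ACMEv1 branch (cached chain / walk_chain) …
else
  local tmpcert tmpchain
  tmpcert="$(_mktemp)"
  tmpchain="$(_mktemp)"
  awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem" \
    || _exiterr "Splitting the certificate chain has failed, the downloaded file is at ${certdir}/cert-${timestamp}.pem"
  # An empty half means the response was not leaf + chain; stop before overwriting anything.
  [[ -s "${tmpcert}" && -s "${tmpchain}" ]] \
    || _exiterr "Downloaded certificate does not contain a leaf certificate followed by a chain"
  # … unchanged: the three mv calls …
```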
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqlgokACgkQnE2+bPQ4
-8zOlqAf+KaeYvJyjb1/7WqeSkIijHlqpewGp8ad92id74fydyLQsfg3irJorzJkY
-LV2PPbArN+iz6us8r7pmeoW4UUDUJSKRlKcRi+3Cg3zBJ8uOS7hIcRK7c2utTKgq
-9uwE15fWO3gZ5IuGfcbUaIokxLecuY4/QqgP+ZMBFXKonVatQXlFOCALC02rpnsF
-RyeMfWVYzvBkWX8Smh6CO6N7iRAZeHV+hzgLjqQDqTqlFaUUh7uud+XxoUo4ja0V
-IvIdDVeS7zt+O0/tG9iHbWnVjAuyKCp67Da+FU0FJFqXberS/53A4EVl36o9G2iv
-+Cs/y538rlSNlC1eakv0BiJ+6oqmPQ==
-=QKkR
------END PGP SIGNATURE-----
diff --git a/dehydrated-0.6.1.tar.gz b/dehydrated-0.6.1.tar.gz
new file mode 100644
index 0000000..e337a9d
--- /dev/null
+++ b/dehydrated-0.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
+size 76693
diff --git a/dehydrated-0.6.1.tar.gz.asc b/dehydrated-0.6.1.tar.gz.asc
new file mode 100644
index 0000000..7dbd43c
--- /dev/null
+++ b/dehydrated-0.6.1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
+8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
+SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
+cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
+hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
+VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
+PyGB4G1924U1cLuAt2XJdB82y0LNIw==
+=JzFS
+-----END PGP SIGNATURE-----
diff --git a/dehydrated.changes b/dehydrated.changes
index 5d10e89..a95aded 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,7 +1,30 @@ +------------------------------------------------------------------- +Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com + +- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) + * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch + +------------------------------------------------------------------- +Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com + +- Fix issues introduced by 0.6.1 (bsc#1085305) + + * bring back man page + * reflect new endpoint in (commented out) config file section + (adds 0001-fixed-CA-url-in-example-config.patch, backported + from upstream's master branch) + +------------------------------------------------------------------- +Tue Mar 13 20:21:49 UTC 2018 - daniel.molkentin@suse.com + +- Updated dehydrated to 0.6.1 (bsc#1084854) + + * Use new ACME v2 endpoint by default + ------------------------------------------------------------------- Mon Mar 12 08:16:13 UTC 2018 - daniel.molkentin@suse.com -- Updated dehydrated to 0.6.0 (osc#1084854) +- Updated dehydrated to 0.6.0 (bsc#1084854) Changed diff --git a/dehydrated.spec b/dehydrated.spec index 6ad6427..eab57b3 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -46,7 +46,7 @@ %endif Name: dehydrated -Version: 0.6.0 +Version: 0.6.1 Release: 0 Summary: A client for signing certificates with an ACME server License: MIT @@ -65,6 +65,8 @@ Source10: README.Fedora Source11: README.hooks Source12: %{name}-%{version}.tar.gz.asc Source13: %{name}.keyring +Patch1: 0001-fixed-CA-url-in-example-config.patch +Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch BuildRequires: %{_apache} Requires: coreutils Requires: curl @@ -182,6 +184,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: %prep %setup -q +%patch1 -p1 +%patch2 -p1 cp %{SOURCE9} . cp %{SOURCE10} . 
@@ -195,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}%{_home}/config.d mkdir -p %{buildroot}%{_postrunhooks} -cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz +cat docs/man/dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz # Silence E: env-script-interpreter find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;