Accepting request 601877 from home:dmolkentin:branches:security:dehydrated

- Update to dehydrated 0.6.2 Added * New deploy_ocsp hook * Allow account registration with custom key Changed * Don't walk certificate chain for ACMEv2 (certificate contains chain by default) * Improved documentation on wildcards Fixes * Added workaround for compatibility with filesystem ACLs * Close unwanted external file-descriptors * Fixed JSON parsing on force-renewal (bsc#1091216) * Fixed cleanup of challenge files/dns-entries on validation errors * A few more minor fixes OBS-URL: https://build.opensuse.org/request/show/601877 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=33
2018-04-27 11:50:28 +00:00 · 2018-04-27 11:50:28 +00:00 · d58a1e75d6
commit d58a1e75d6
parent 697d443d67
8 changed files with 38 additions and 111 deletions
--- a/0001-fixed-CA-url-in-example-config.patch
+++ b/0001-fixed-CA-url-in-example-config.patch
@ -1,36 +0,0 @@
-From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
-From: Lukas Schauer <lukas@schauer.so>
-Date: Tue, 13 Mar 2018 21:08:20 +0100
-Subject: [PATCH] fixed CA url in example config
-
---
- docs/examples/config | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/docs/examples/config b/docs/examples/config
-index 1aa7d63..665704d 100644
--- a/docs/examples/config
-+++ b/docs/examples/config
-@@ -21,15 +21,15 @@
- # default: <unset>
- #IP_VERSION=
- 
-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
-#CA="https://acme-v01.api.letsencrypt.org/directory"
-+# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
-+#CA="https://acme-v02.api.letsencrypt.org/directory"
- 
- # Path to old certificate authority
- # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
- # If dehydrated detects an account-key for the old CA it will automatically reuse that key
- # instead of registering a new one.
-# default: <unset>
-#OLDCA=
-+# default: https://acme-v01.api.letsencrypt.org/directory
-+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
- 
- # Which challenge should be used? Currently http-01 and dns-01 are supported
- #CHALLENGETYPE="http-01"
-- 
-2.13.6
-
--- a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+++ b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
@ -1,56 +0,0 @@
-From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
-From: Lukas Schauer <lukas@schauer.so>
-Date: Wed, 14 Mar 2018 18:50:28 +0100
-Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
- chain by default)
-
---
-diff --git a/dehydrated b/dehydrated
-index 4103649..0751a0b 100755
--- a/dehydrated
-+++ b/dehydrated
-@@ -990,20 +990,29 @@ sign_domain() {
- 
-   # Create fullchain.pem
-   echo " + Creating fullchain.pem..."
-  cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
-  local issuer_hash
-  issuer_hash="$(get_issuer_hash "${crt_path}")"
-  if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
-    echo " + Using cached chain!"
-    cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
-+  if [[ ${API} -eq 1 ]]; then
-+    cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
-+    local issuer_hash
-+    issuer_hash="$(get_issuer_hash "${crt_path}")"
-+    if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
-+      echo " + Using cached chain!"
-+      cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
-+    else
-+      echo " + Walking chain..."
-+      local issuer_cert_uri
-+      issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
-+      (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
-+      cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
-+    fi
-+    cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
-   else
-    echo " + Walking chain..."
-    local issuer_cert_uri
-    issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
-    (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
-    cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
-+    tmpcert="$(_mktemp)"
-+    tmpchain="$(_mktemp)"
-+    awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
-+    mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
-+    mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
-+    mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
-   fi
-  cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
- 
-   # Update symlinks
-   [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
-- 
-2.13.6
-
--- a/dehydrated-0.6.1.tar.gz
+++ b/dehydrated-0.6.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
-size 76693
--- a/dehydrated-0.6.1.tar.gz.asc
+++ b/dehydrated-0.6.1.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
-8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
-SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
-cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
-hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
-VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
-PyGB4G1924U1cLuAt2XJdB82y0LNIw==
-=JzFS
-----END PGP SIGNATURE-----
--- a/dehydrated-0.6.2.tar.gz
+++ b/dehydrated-0.6.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:163384479199f06f59382ceb6291a299567a2f4f0b963b9b61f2db65a407e80e
+size 77819
--- a/dehydrated-0.6.2.tar.gz.asc
+++ b/dehydrated-0.6.2.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlrjA6gACgkQnE2+bPQ4
+8zNi/AgA7K3dhvkkMTGlUYYsT53McJflqhc/jb7Nbfi6nM6bw9avElvreJh0jvoD
+Hw0As92p1NA1Jm0iXZu4WgKDsL+7MKURQcjgoKNYQZbgd2wXajJKvxCI7xmvaX0N
+oKtzhKSp3MHPquAY/U6QYR7d74xFAsnoacNagSAiRUS72g5x4QO7txKfbbdq091d
+ZHu9tmeQYYI3sjOJC1DxCRxYYouxdvK78TG6xD6rfpURUra15vykhgu+2qP1s7ed
+b/t6MZwztwRiCWCeBilyunIOR1LQmvH2jhknT9Sf5KBMFoWgk1cCJega2FOUFpjD
+Jrg6CW2uTwA3KrQIG8T2wWyDQ2nqg==
+=VsfZ
+-----END PGP SIGNATURE-----
--- a/dehydrated.changes
+++ b/dehydrated.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Apr 27 11:14:45 UTC 2018 - daniel.molkentin@suse.com
+
+- Update to dehydrated 0.6.2
+
+  Added
+
+  * New deploy_ocsp hook
+  * Allow account registration with custom key
+
+  Changed
+
+  * Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
+  * Improved documentation on wildcards
+
+  Fixes
+
+  * Added workaround for compatibility with filesystem ACLs
+  * Close unwanted external file-descriptors
+  * Fixed JSON parsing on force-renewal (bsc#1091216)
+  * Fixed cleanup of challenge files/dns-entries on validation errors
+  * A few more minor fixes
+
 -------------------------------------------------------------------
 Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com

--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -46,7 +46,7 @@
 %endif

 Name:           dehydrated
-Version:        0.6.1
+Version:        0.6.2
 Release:        0
 Summary:        A client for signing certificates with an ACME server
 License:        MIT
@ -65,8 +65,6 @@ Source10:       README.Fedora
 Source11:       README.hooks
 Source12:       %{name}-%{version}.tar.gz.asc
 Source13:       %{name}.keyring
-Patch1:         0001-fixed-CA-url-in-example-config.patch
-Patch2:         0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 BuildRequires:  %{_apache}
 Requires:       coreutils
 Requires:       curl
@ -184,8 +182,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:

 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .