diff --git a/0001-Add-optional-user-and-group-configuration.patch b/0001-Add-optional-user-and-group-configuration.patch deleted file mode 100644 index ef092d6..0000000 --- a/0001-Add-optional-user-and-group-configuration.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001 -From: Daniel Molkentin -Date: Thu, 21 Sep 2017 19:07:54 +0200 -Subject: [PATCH] Add optional user and group configuration - -when DEHYDRATED_USER is set, dehydrated will refuse to run as root, -and instead launch itself as the user in DEHYDRATED_USER (and -DEHYDRATED_GROUP if set). - -Using sudo has a few practical advantages over su: -- it doesn't require to specify a login shell when no login shell is set - for the target user -- it allows (safe) handling of arguments. ---- - dehydrated | 22 ++++++++++++++++++++++ - docs/examples/config | 6 ++++++ - 2 files changed, 28 insertions(+) - -diff --git a/dehydrated b/dehydrated -index 8b31ee1..acca1d0 100755 ---- a/dehydrated -+++ b/dehydrated -@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - - BASEDIR="${SCRIPTDIR}" - -+ORIGARGS="$@" -+ - # Create (identifiable) temporary files - _mktemp() { - # shellcheck disable=SC2068 -@@ -126,6 +128,8 @@ load_config() { - LOCKFILE= - OCSP_MUST_STAPLE="no" - IP_VERSION= -+ DEHYDRATED_USER= -+ DEHYDRATED_GROUP= - - if [[ -z "${CONFIG:-}" ]]; then - echo "#" >&2 -@@ -159,6 +163,24 @@ load_config() { - done - fi - -+ # Check if we are running & are allowed to run as root -+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then -+ sudo=`command -v sudo` -+ if [ -z $sudo ]; then -+ echo "DEHYDRATED_USER set but sudo not available. Please install sudo." -+ exit -+ fi -+ if [ ! -z "$DEHYDRATED_GROUP" ]; then -+ group="-g $DEHYDRATED_GROUP" -+ fi -+ echo "# INFO: Running $0 as $DEHYDRATED_USER" -+ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS -+ exit -+ fi -+ -+ # Check for missing dependencies -+ check_dependencies -+ - # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality. 
- BASEDIR="${BASEDIR%%/}" - -diff --git a/docs/examples/config b/docs/examples/config -index 1b1b3d8..9a890f4 100644 ---- a/docs/examples/config -+++ b/docs/examples/config -@@ -10,6 +10,12 @@ - # Default values of this config are in comments # - ######################################################## - -+# Which user should dehydrated run as? This will be implictly enforced when running as root -+#DEHYDRATED_USER= -+ -+# Which group should dehydrated run as? This will be implictly enforced when running as root -+#DEHYDRATED_GROUP= -+ - # Resolve names to addresses of IP version only. (curl) - # supported values: 4, 6 - # default: --- -2.14.1 - diff --git a/0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch b/0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch deleted file mode 100644 index 47cc609..0000000 --- a/0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 5214632c55c70c6c1f0dabce204a9fb8529c8ca8 Mon Sep 17 00:00:00 2001 -From: Lukas Schauer -Date: Thu, 21 Sep 2017 18:10:01 +0200 -Subject: [PATCH] use nullglob, disable warning on empty CONFIG_D directory - ---- - dehydrated | 12 ++++-------- - 1 file changed, 4 insertions(+), 8 deletions(-) - -diff --git a/dehydrated b/dehydrated -index 8b31ee1..a62b858 100755 ---- a/dehydrated -+++ b/dehydrated -@@ -8,7 +8,9 @@ - set -e - set -u - set -o pipefail --[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO -+[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB -+[[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob -+ - umask 077 # paranoid umask, we're creating private keys - - # Find directory in which this script is stored by traversing all symbolic links -@@ -146,10 +148,7 @@ load_config() { - fi - - for check_config_d in "${CONFIG_D}"/*.sh; do -- if [[ ! -e "${check_config_d}" ]]; then -- echo "# !! WARNING !! Extra configuration directory ${CONFIG_D} exists, but no configuration found in it." >&2 -- break -- elif [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then -+ if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then - echo "# INFO: Using additional config file ${check_config_d}" - # shellcheck disable=SC1090 - . "${check_config_d}" -@@ -1020,9 +1019,6 @@ command_cleanup() { - - # Loop over all files of this type - for file in "${certdir}/${filebase}-"*".${fileext}"; do -- # Handle case where no files match the wildcard -- [[ -f "${file}" ]] || break -- - # Check if current file is in use, if unused move to archive directory - filename="$(basename "${file}")" - if [[ ! "$(unknown)" = "${current}" ]]; then --- -2.12.3 - diff --git a/README.SUSE b/README.SUSE index 8f7755c..b471228 100644 --- a/README.SUSE +++ b/README.SUSE 
@@ -110,7 +110,7 @@ activated manually: Aqcuisition through DNS (dns-01) ================================ -Tnis is mostly useful under these conditions +This is mostly useful under these conditions 1. Your hosts are not directly exposed to the internet 2. Your host names are part of a public DNS zone visible on the internet. diff --git a/dehydrated-0.4.0.tar.gz b/dehydrated-0.4.0.tar.gz deleted file mode 100644 index ce815fd..0000000 --- a/dehydrated-0.4.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:611da321330ffd43d1dc497990b486b2dec12c59149803ad7d156980c8527f48 -size 74005 diff --git a/dehydrated-0.5.0.tar.gz b/dehydrated-0.5.0.tar.gz new file mode 100644 index 0000000..7098da0 --- /dev/null +++ b/dehydrated-0.5.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3559de9c61f8cb9dda1d247fbb88d94eddcf2d9421941dad73b1d672cb933abe +size 79965 diff --git a/dehydrated-0.5.0.tar.gz.asc b/dehydrated-0.5.0.tar.gz.asc new file mode 100644 index 0000000..39bd524 --- /dev/null +++ b/dehydrated-0.5.0.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlpaWfkACgkQnE2+bPQ4 +8zOw+Af/YhJVNxDCFFe8uhIm5oFgMvJPyNXk1rMf60kwGINXUUwSHTVXvwFUF/qN +9ZAnt/zaL4KmK3v5pSP8fIDBwsF17x9G1J0Xv9s5IG9YQOgyV89lVo8Tu15g3Yla +7Z1OhB4OvzwVioWRNiedyLK916ut9+XJ8YNmUC6LsIHttL7un2Yyqy1nR86x/iDr +Oh/2DxWtYYGjnr3+DTqcLvdySIy6MBJsRez1zW1MJCCiBIBeq+7fBseT5h9vu55h +F1vR8KthfCJFqQfdtA7Io3ql8H2hJHn7VintPTnbq8bEIvpDS7CTE+ICP+fuxqzU +KeElNt7vu/UuoQBnYNBPw2gA/L8fGw== +=Edom +-----END PGP SIGNATURE----- diff --git a/dehydrated.1 b/dehydrated.1 deleted file mode 100644 index 49230ef..0000000 --- a/dehydrated.1 +++ /dev/null 
@@ -1,155 +0,0 @@ -.TH DEHYDRATED 1 2017-09-20 "Dehydrated ACME Client" -.SH NAME -dehydrated \- ACME client implemented as a shell-script -.SH SYNOPSIS -.B dehydrated -[\fBcommand\fR [\fBargument\fR]] -[\fBargument\fR [\fBargument\fR]] -.IR ... -.SH DESCRIPTION -A client for ACME-based Certificate Authorities, such as LetsEncrypt. It -allows to request and obtain TLS certificates from an ACME-based -certificate authority. - -Before any certificates can be requested, Dehydrated needs -to acquire an account with the Certificate Authorities. Optionally, an email -address can be provided. It will be used to e.g. notify about expiring -certificates. You will usually need to accept the Terms of Service of the CA. -Dehydrated will notify if no account is configured. Run with \fB--register ---accept-terms\fR to create a new account. - -Next, all domain names must be provided in domains.txt. The format is line -based: If the file contains two lines "example.com" and "example.net", -Dehydrated will request two certificate, one for "example.com" and the other -for "example.net". A single line while "example.com example.net" will request a -single certificate valid for both "example.net" and "example.com" through the \fISubject -Alternative Name\fR (SAN) field. - -For the next step, one way of verifying domain name ownership needs to be -configured. Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification. - -The \fIhttp-01\fR verification provides proof of ownership by providing a -challenge token. In order to do that, the directory referenced in the -\fIWELLKNOWN\fR config variable needs to be exposed at -\fIhttp://{domain}/.well-known/acme-challenge/\fR, where {domain} is every -domain name specified in \fIdomains.txt\fR. Dehydrated does not provide its -own challenge responder, but relies on an existing web server to provide the -challenge response. See \fIwellknown.md\fR for configuration examples of -popular web servers. 
- -The \fIdns-01\fR verification works by providing a challenge token through DNS. -This is especially interesting for hosts that cannot be exposed to the public -Internet. Because adding records to DNS zones is oftentimes highly specific to -the software or the DNS provider at hand, there are many third party hooks -available for dehydrated. See \fIdns-verification.md\fR for hooks for popular -DNS servers and DNS hosters. - -Finally, the certificates need to be requested and updated on a regular basis. -This can happen through a cron job or a timer. Initially, you may enforce this -by invoking \fIdehydrated -c\fR manually. - -After a successful run, certificates are stored in -\fI/etc/dehydrated/certs/{domain}\fR, where {domain} is the domain name in the -first column of \fIdomains.txt\fR. - -.SH OPTIONS - -.BR Commands -.TP -.BR \-\-version ", " \-v -Print version information -.TP -.BR \-\-register -Register account key -.TP -.BR \-\-account -Update account contact information -.TP -.BR \-\-cron ", " \-c -Sign/renew non\-existent/changed/expiring certificates. -.TP -.BR \-\-signcsr ", " \-s " " \fIpath/to/csr.pem\fR -Sign a given CSR, output CRT on stdout (advanced usage) -.TP -.BR \-\-revoke ", " \-r " " \fIpath/to/cert.pem\fR -Revoke specified certificate -.TP -.BR \-\-cleanup ", " \-gc -Move unused certificate files to archive directory -.TP -.BR \-\-help ", " \-h -Show help text -.TP -.BR \-\-env ", " \-e -Output configuration variables for use in other scripts - -.PP -.BR Parameters -.TP -.BR \-\-accept\-terms -Accept CAs terms of service -.TP -.BR \-\-full\-chain ", " \-fc -Print full chain when using \fB\-\-signcsr\fR -.TP -.BR \-\-ipv4 ", " \-4 -Resolve names to IPv4 addresses only -.TP -.BR \-\-ipv6 ", " \-6 -Resolve names to IPv6 addresses only -.TP -.BR \-\-domain ", " \-d " " \fIdomain.tld\fR -Use specified domain name(s) instead of domains.txt entry (one certificate!) 
-.TP -.BR \-\-keep\-going ", " \-g -Keep going after encountering an error while creating/renewing multiple -certificates in cron mode -.TP -.BR \-\-force ", " \-x -Force renew of certificate even if it is longer valid than value in RENEW_DAYS -.TP -.BR \-\-no\-lock ", " \-n -Don't use lockfile (potentially dangerous!) -.TP -.BR \-\-lock\-suffix " " \fIexample.com\fR -Suffix lockfile name with a string (useful for use with \-d) -.TP -.BR \-\-ocsp -Sets option in CSR indicating OCSP stapling to be mandatory -.TP -.BR \-\-privkey ", " \-p " " \fIpath/to/key.pem\fR -Use specified private key instead of account key (useful for revocation) -.TP -.BR \-\-config ", " \-f " " \fIpath/to/config\fR -Use specified config file -.TP -.BR \-\-hook ", " \-k " " \fIpath/to/hook.sh\fR -Use specified script for hooks -.TP -.BR \-\-out ", " \-o " " \fIcerts/directory\fR -Output certificates into the specified directory -.TP -.BR \-\-challenge ", " \-t " " \fI[http\-01|dns\-01]\fR -Which challenge should be used? Currently http\-01 and dns\-01 are supported -.TP -.BR \-\-algo ", " \-a " " \fI[rsa|prime256v1|secp384r1]\fR -Which public key algorithm should be used? Supported: rsa, prime256v1 and -secp384r1 -.SH DIAGNOSTICS -The program exits 0 if everything was fine, 1 if an error occurred. -.SH BUGS -Please report any bugs that you may encounter at the project web site -.UR https://github.com/lukas2511/dehydrated/issues -.UE . -.SH AUTHOR -Dehydrated was written by Lukas Schauer. This man page was contributed by -Daniel Molkentin. -.SH COPYRIGHT -Copyright 20015-2017 by Lukas Schauer and the respective contributors. -Provided under the MIT License. See the LICENSE file that accompanies the -distribution for licensing information. -.SH SEE ALSO -Full documentation along with configuration examples are provided in the \fIdocs\fR -directory of the distribution, or at -.UR https://github.com/lukas2511/dehydrated/tree/master/docs -.UE . 
diff --git a/dehydrated.changes b/dehydrated.changes index c77f508..4935891 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Mon Jan 15 11:29:11 UTC 2018 - daniel.molkentin@suse.com + +- Updated dehydrated to 0.5.0 + + This removes the following patches and files, which are now part of the + upstream package: + * 0001-Add-optional-user-and-group-configuration.patch + * 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch + * dehydrated.1: the man page has been adopted by upstream + + Starting with this version, upstream introduced signed releases, which + is now being used for source validation. + + Upstream changes: + + Changed + + * Certificate chain is now cached (CHAINCACHE) + * OpenSSL binary path is now configurable (OPENSSL) + * Cleanup now also moves revoked certificates + + Added + + * New feature for updating contact information (--account) + * Allow automatic cleanup on exit (AUTO_CLEANUP) + * Initial support for fetching OCSP status to be used for OCSP stapling + (OCSP_FETCH) + * Certificates can now have aliases to create multiple certificates with + identical set of domains (see --alias and domains.txt documentation) + * Allow dehydrated to run as specified user (/group). This was already + available previously as a patch to this package. + ------------------------------------------------------------------- Fri Oct 20 11:02:24 UTC 2017 - mrueckert@suse.de diff --git a/dehydrated.keyring b/dehydrated.keyring new file mode 100644 index 0000000..df25c9a --- /dev/null +++ b/dehydrated.keyring 
@@ -0,0 +1,42 @@ +pub 2048R/F438F333 2013-04-05 +uid [ unknown] Lukas Schauer +uid [ unknown] Lukas Schauer +sub 2048R/57805524 2013-04-05 + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQENBFFfGhMBCADuxAL1vqC7J1AmxMrFGxobyPaY9tmUEueRF+JuUJlk48qSbcWg +zAMEprSgw3HY/15Galu/7g8KxXnlN4WO2vgA6eu1CYx3CoukJ8dc/m6hEMxqwsIW +H/1sI7P2hLGB/6YC3MqgpyZxrXzS3coe/JLLkeOtcnBgeT1VpGnodSEKsK4unkfV +cmheLuF+zMb0t1DFtd//Ka99XtoF7HXW6p/n8NjiAXKkEkTWf+0qsOIzar3Hl7QE +dnEMK1EjDbrqNufTe+TyvM9hVMyDTptvA0EDOj+5Jmt29pWpriOgUgm2D1JgZi9b +YmGnTo149q5bUzfLvsTDI0IS7ClxXIES/dfXABEBAAG0IEx1a2FzIFNjaGF1ZXIg +PGx1a2FzQHNjaGF1ZXIuc28+iQE5BBMBAgAjBQJSHiDfAhsDBwsJCAcDAgEGFQgC +CQoLBBYCAwECHgECF4AACgkQnE2+bPQ48zPRxgf/Y1pJ9H6uB6rmCa3VHoxhvLkV +ruUSpI+JXNUhwpUWUKNE1yk78jmjRhMMZf7UMYifyGkuK/0/cErktr5j8kqJ2r60 +hOnmkC3jEq5H0hKfGzhosenUvzR9cENYzgnm/4BNWWz1I16jkWRcEGjeC8y033U3 +Tjrtc6f0jLe7R6LzospUCWKzp8WUWgTgqpAyjJY6I44Y6QpTjmRF6t1Nz2yRxxf2 +NAbOQWkSTueusgLVYyvqLZ51u3fsuDJxbQiBnNt0ZGYSDBKrs59Rvg0Xj1cBv1t7 +SrzHuwyiiCQsEaLMvYCygk7qRmZBZ6PKA0gE8oYIr5f10Kx0Mjqnrs8wmpegiLQj +THVrYXMgU2NoYXVlciA8bHVrYXMyNTExQHh4cHJvLm5ldD6JATgEEwECACIFAlFf +GhMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJxNvmz0OPMzHXoH/jCy +wwo+W3hy7WAzaKqgnIjRfMQD63OFSwrPI8P7mU0WWrxURwET4C/i+eYHIZYPVaP0 +HvdMMcpgSbBZ0sAW+gtv2qMtL+kB4s+FGVchV4lfh4q5w4EDRknuCEpD5bj7NsOT +ROvGu0gSvGbGG/EFLJuhrkct5s7ESH5sWonxstk6Ea9L5STR4PGH6swTq0WggbMq +VFQuWOkjw6KpQOeFTp9koQl3R6P6I0uqe6tVLKJD/nSTKbMYPMZX9Q+TvzqRSRlH +wL509ZIZV4IzdDFXGM28xvC7KIifbxEzWHVci2afdqbVNH2MBhgHt/SIaW8xBab2 +wnd45rkdHuoK2wBPlPu5AQ0EUV8aEwEIAM1d0x6B/PUlXfUzkTlYtFmfm67OOPW2 +EImld+53RgVc/HGY9RyYP0YwxNs1mjWalzJYV6/aQ9xke/Dz0pLYwIl2c1TCzwin +qgymkR17krDJ/+hj2GZBsiEHlMDbWskgwIc7WldhcmxsOvsvRrHSCcw7ZFD+iA9l +6XJoUrtP9QhJLaj6WoX0fU377t3me6hji5387pzYoDKiq8cfJu4q/K6oB42kmo+L +PVub+DvBBZPDakDnE46v0LfbgvPqjaVxM2KHjqllepk1CIOAbUbtyC9kVuavDgnI +OMe1couHsy0+7fXeQE0xMLPjGGZAXt6OVI8o/1IbgA2EbiVR225Tu2cAEQEAAYkB +HwQYAQIACQUCUV8aEwIbDAAKCRCcTb5s9DjzM09cCACGdENt71lx56EjzH6W5o/F 
+OYHHTm4ewcfgGSHWmdScq8gOI414kBkOg9ds9IMQt5hp60hXteSxG1l0qxEXbMX7 +cO5FNnjer/ikcwPDS6eZ2a5Gni/h/UFRnVYcw2c+7UAAgouswhwqbkVUrRMDodG2 +DT05fQIdgfbQLUBW5qFToS/CXNzvG47jqBEUS/mFMtZgF2+myU2buMlIXmarTi0K +EYMt0geGXhpS2DN9iQrQzQ8gjVz/EBgdHbEZOsHW4JMQaycYvouPFVqCIcZoN0s8 +c9AilqEu9V8XLLWA0zRVC8Fp6m/ZpMX8t2kVQdBKMHb1NUz0b+uHynANCRQUGKIg +=2fWi +-----END PGP PUBLIC KEY BLOCK----- diff --git a/dehydrated.spec b/dehydrated.spec index 3552df1..ea1b25a 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ # # spec file for package dehydrated # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -46,7 +46,7 @@ %endif Name: dehydrated -Version: 0.4.0 +Version: 0.5.0 Release: 0 Summary: A client for signing certificates with an ACME server License: MIT @@ -60,14 +60,11 @@ Source4: dehydrated.cron.in Source5: dehydrated.tmpfiles.d Source6: dehydrated.service.in Source7: dehydrated.timer -Source8: dehydrated.1 Source9: README.SUSE Source10: README.Fedora Source11: README.hooks -# Patch submitted to upstream -Patch1: 0001-Add-optional-user-and-group-configuration.patch -# Patch from upstream -Patch2: 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch +Source12: %{name}-%{version}.tar.gz.asc +Source13: %{name}.keyring BuildRequires: %{_apache} Requires: coreutils Requires: curl @@ -189,8 +186,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: %prep %setup -q -%patch1 -p1 -%patch2 -p1 cp %{SOURCE9} . cp %{SOURCE10} . 
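Review bot: Source12 and Source13 add the upstream release signature and a keyring, but nothing in the visible spec verifies the tarball against them; presumably this relies on the build service's source validation picking up `%{name}.keyring` and the `.asc` file by naming convention, which is easy to break silently on a later rename. A one-line comment above the two new sources would record that dependency, e.g. `# Upstream release signature and signing key; checked by the build service's source validator, not by this spec`. Since the keyring is the trust anchor for that check, a later key rotation or fingerprint change in it should be reviewed explicitly rather than copied in with the version bump.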
@@ -204,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}%{_home}/config.d mkdir -p %{buildroot}%{_postrunhooks} -cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz +cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz # Silence E: env-script-interpreter find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;
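Review bot: The new `cat dehydrated.1 | gzip > …` line masks a missing input: now that Source8 is dropped and the man page is expected from the upstream tarball, a missing `dehydrated.1` makes cat fail but the pipeline discards that status, gzip compresses empty stdin successfully, and an empty man page is installed without failing the build. Reading the file directly lets gzip report the error, `gzip -9 -c dehydrated.1 > %{buildroot}%{_mandir}/man1/dehydrated.1.gz`. Alternatively, installing the uncompressed page with `install -m 0644 dehydrated.1 %{buildroot}%{_mandir}/man1/` and leaving compression to rpm's post-install compress pass would work, if that pass is active for this package. The enclosing install steps continue outside the hunk.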