Accepting request 532177 from security:dehydrated

- Remove unused hooks directory
- Introduced a directory for custom post-run hooks executed as root,
  see README.SUSE for details. (not to be confused with the native hooks
  run as dehyrated user)

- Clarify necessity of enabling dehydrated.timer in README.SUSE
- Submit to SLE15 as per fate#323377
- Add optional post run hook directory, executed by cron/systemd
  after dehydrated --cron has run
- Remove hook directory intended for packaging other native hooks.
  Will be approach differently

- No longer require nginx or lighttpd for SLE
- Never go as far as to require acmeresponder, it might not be available
- Drop -update from dehydrated-update.{timer,socket} for consistency
- Add distro specific README.SUSE / README.Fedora
- Ran spec-cleaner

- Add man page
- Ensure dehydrated is always run as designated user
  * adds 0001-Add-optional-user-and-group-configuration.patch
- Introduce config.d directory for user configuration
- Avoid warning about empty config.d directory
  * adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
- Fix sed warning about unescaped curly braces in regex

- Swap statements in post: installing services requires tmp.d 

- (Weak) dependency on dehydrated-acmeresponder.

OBS-URL: https://build.opensuse.org/request/show/532177
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=4

0001-Add-optional-user-and-group-configuration.patch

@@ -0,0 +1,66 @@
+From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
+From: Daniel Molkentin <dmolkentin@suse.com>
+Date: Thu, 21 Sep 2017 19:07:54 +0200
+Subject: [PATCH] Add optional user and group configuration
+
+when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
+and instead launch itself as the user in DEHYDRATED_USER (and
+DEHYDRATED_GROUP if set).
+---
+ dehydrated           | 15 +++++++++++++++
+ docs/examples/config |  6 ++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/dehydrated b/dehydrated
+index 8b31ee1..39c717f 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -126,6 +126,8 @@ load_config() {
+   LOCKFILE=
+   OCSP_MUST_STAPLE="no"
+   IP_VERSION=
++  DEHYDRATED_USER=
++  DEHYDRATED_GROUP=
+ 
+   if [[ -z "${CONFIG:-}" ]]; then
+     echo "#" >&2
+@@ -159,6 +161,19 @@ load_config() {
+    done
+   fi
+ 
++  # Check if we are running & are allowed to run as root
++  if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
++    if [ ! -z "$DEHYDRATED_GROUP" ]; then
++        group="-g $DEHYDRATED_GROUP"
++    fi
++    echo "# INFO: Running $0 as $DEHYDRATED_USER"
++    su -c "$0" $group "$DEHYDRATED_USER"
++    exit
++  fi
++
++  # Check for missing dependencies
++  check_dependencies
++
+   # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
+   BASEDIR="${BASEDIR%%/}"
+ 
+diff --git a/docs/examples/config b/docs/examples/config
+index 1b1b3d8..9a890f4 100644
+--- a/docs/examples/config
++++ b/docs/examples/config
+@@ -10,6 +10,12 @@
+ # Default values of this config are in comments        #
+ ########################################################
+ 
++# Which user should dehydrated run as? This will be implictly enforced when running as root
++#DEHYDRATED_USER=
++
++# Which group should dehydrated run as? This will be implictly enforced when running as root
++#DEHYDRATED_GROUP=
++
+ # Resolve names to addresses of IP version only. (curl)
+ # supported values: 4, 6
+ # default: <unset>
+-- 
+2.12.3
+

0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch

@@ -0,0 +1,49 @@
+From 5214632c55c70c6c1f0dabce204a9fb8529c8ca8 Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.so>
+Date: Thu, 21 Sep 2017 18:10:01 +0200
+Subject: [PATCH] use nullglob, disable warning on empty CONFIG_D directory
+
+---
+ dehydrated | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index 8b31ee1..a62b858 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -8,7 +8,9 @@
+ set -e
+ set -u
+ set -o pipefail
+-[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO
++[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB
++[[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob
++
+ umask 077 # paranoid umask, we're creating private keys
+ 
+ # Find directory in which this script is stored by traversing all symbolic links
+@@ -146,10 +148,7 @@ load_config() {
+     fi
+ 
+     for check_config_d in "${CONFIG_D}"/*.sh; do
+-      if [[ ! -e "${check_config_d}" ]]; then
+-        echo "# !! WARNING !! Extra configuration directory ${CONFIG_D} exists, but no configuration found in it." >&2
+-        break
+-      elif [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
++      if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
+         echo "# INFO: Using additional config file ${check_config_d}"
+         # shellcheck disable=SC1090
+         . "${check_config_d}"
+@@ -1020,9 +1019,6 @@ command_cleanup() {
+ 
+       # Loop over all files of this type
+       for file in "${certdir}/${filebase}-"*".${fileext}"; do
+-        # Handle case where no files match the wildcard
+-        [[ -f "${file}" ]] || break
+-
+         # Check if current file is in use, if unused move to archive directory
+         filename="$(basename "${file}")"
+         if [[ ! "${filename}" = "${current}" ]]; then
+-- 
+2.12.3
+

README.Fedora

@@ -0,0 +1,6 @@
+Packaging note
+==============
+
+On Fedora, CentOS and RHEL, the dehydrated-apache2 package is
+called dehydrated-httpd in accordance with the Fedora naming scheme.
+

README.SUSE

@@ -0,0 +1,159 @@
+==========================================
+Acquiring TLS Certificates with Dehydrated
+==========================================
+
+The SUSE dehydrated package has been designed to make acquiring TLS
+certificates (aka SSL Certificates) as simple as possible, while still being
+useful in a broad amount of use cases. Please consult the dehydrated man page,
+then continue reading here.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+IMPORTANT: On systemd-enabled system (SLE12+), you need to enable the update
+timer, which has obsoleted the cron job. This is independent on which method
+you chose from below!
+
+# systemctl enable dehydrated.timer
+
+Also note that with the systemd timer, failures will not be mailed to the
+system administrator, but are being logged to the systemd journal, as per
+systemd's design philosophy.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+Acquisition through HTTP (http-01)
+===================================
+
+This is the primary method of acquiring certifictes. The Certificate Authority
+will provide a challenge that the requestor needs to provide via HTTP on port 80/TCP,
+in /.well-known/acme-challenge/.
+
+Setting up the acme-challenge auto-responder
+--------------------------------------------
+
+Apache (easiest)
+~~~~~~~~~~~~~~~~
+
+If you are using Apache, just install dehydrated-apache2 and reload Apache.
+This will take care of setting up the acme-challenge auto-responder.
+
+nginx
+~~~~~
+
+(not part of SLE, use openSUSE backports)
+
+For nginx, you will need to install dehydrated-nginx. Unfortunately, nginx does
+not support directory mappings across vhosts, so in addition you will need to
+include "/etc/nginx/acmechallenge" in all vhost configurations like this:
+
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  <hostname>;
+    include "acmechallenge";
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+lighttpd
+~~~~~~~~
+
+(not part of SLE, use openSUSE backports)
+
+Lighttpd users can simply install dehydrated-lighttpd and reload lighttpd to
+set up the acme-challenge auto-responder
+
+NOTE: Never set up the SSL vhosts until you have initially acquired the first
+host. Specifying an SSL vhost without certificates constitutes an error for web
+servers.
+
+Machines without a webserver
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+On machines that are not running any web server, e.g. mail relays, you can run
+apache2 with dehydrated-apache2. If you do not want to run any web server on a
+system with systemd permnently, you can use dehydrated-acmeresponder. This is a
+small socket activated server. Once installed, it will automatically listen on
+port 80 whenever the dehydrated cron job seeks renewal, assuming no other
+server is currently occupying the port. It will also shut down once the timer
+has finished execution.
+
+Acquisition of initial certificate
+----------------------------------
+
+How set up an account as described in the man page (as root):
+
+# dehydrated --register --accept-terms
+
+(the current version of the LetsEncrypt Terms & Conditions are referenced in
+/etc/dehydrated/config)
+
+Next, fill in domains.txt and acquire the initial certificates (again, as root):
+
+# echo "myhost.example.com myalias.example.com" >> domains.txt
+# dehydrated --cron
+
+adds myhost.example.com to the list of host names we want to request a certificate for.
+The certificate will hold a Subject Alternative Name of "myalias.example.com".
+LetsEncrypt will check both host names.
+
+NOTE: As of 2017, LetsEncrypt certificates are only valid for three months, and
+the validity period may be further reduced in the future.  It is therefore
+vital to ensure that the certificates are being automatically renewed. On
+systems without systemd, a cron job is automatically set up to take care of
+this. On systemd-enabled systems, a timer is provided which needs to be
+activated manually:
+
+# systemctl enable dehydrated.timer
+
+Aqcuisition through DNS (dns-01)
+================================
+
+Tnis is mostly useful under these conditions
+
+1. Your hosts are not directly exposed to the internet
+2. Your host names are part of a public DNS zone visible on the internet.
+3. You are comfortable with the service adding and removing records in your domain.
+
+Usually, the scenario you want this is a central host which picks up
+certificates for all other hosts on a network, and then deploys them to the
+actual target host, using plain scp or configuration management tools like
+Ansible or Salt. For details, please refer to dns-verification.md. For
+openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
+and DNS servers.
+
+Proceeding after initial certificate aquisition
+===============================================
+
+Setting up the SSL host
+-----------------------
+
+As recommended parameters shift, please refer to Mozillas excellent SSL
+Configuration Generator [1] for details on how to configure your web server.
+Replace the example paths with the following:
+
+Key: /etc/dehydrated/certs/<domainname>/privkey.pem
+Certificate: /etc/dehydrated/certs/<domainname>/cert.pem
+Intermediate Chain: /etc/dehydrated/certs/<domainname>/chain.pem
+Certificate + Intermediate: /etc/dehydrated/certs/<domainname>/fullchain.pem
+
+where <domainname> should be the name of the first column in domains.txt
+
+Limitations & Ceveats
+=====================
+
+* It is currently not possible to aqcuire Wildcard certificates
+* No EV- or OV-validated certificates
+* Certificates expire within weeks, not years. This is by design. Ensure that
+  certificate renewal works and that daemons get reloaded frequently to pick
+  up certificate updates. Apache will work due to log rotation SIGHUP'ing
+  the process frequently. However, any other actions, such as service reloads
+  need to be provided as a script in /etc/dehydrated/postrun-hooks.d, which
+  will be executed by the cron script / systemd timer *after* an update run
+  has been performed.
+
+Links
+=====
+
+[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/

README.hooks

@@ -0,0 +1,4 @@
+Dehydrated's hooks only run as user dehydrated. To circumvent this limitation,
+i.e. when services need to be restarted, all executable files in this directory
+will be executed as root after the certificate update has run.
+

dehydrated.1

@@ -0,0 +1,155 @@
+.TH DEHYDRATED 1 2017-09-20 "Dehydrated ACME Client"
+.SH NAME
+dehydrated \- ACME client implemented as a shell-script
+.SH SYNOPSIS
+.B dehydrated
+[\fBcommand\fR [\fBargument\fR]]
+[\fBargument\fR [\fBargument\fR]]
+.IR ...
+.SH DESCRIPTION
+A client for ACME-based Certificate Authorities, such as LetsEncrypt.  It
+allows to request and obtain TLS certificates from an ACME-based
+certificate authority.
+
+Before any certificates can be requested, Dehydrated needs
+to acquire an account with the Certificate Authorities. Optionally, an email
+address can be provided.  It will be used to e.g. notify about expiring
+certificates. You will usually need to accept the Terms of Service of the CA.
+Dehydrated will notify if no account is configured. Run with \fB--register
+--accept-terms\fR to create a new account.
+
+Next, all domain names must be provided in domains.txt. The format is line
+based: If the file contains two lines "example.com" and "example.net",
+Dehydrated will request two certificate, one for "example.com" and the other
+for "example.net". A single line while "example.com example.net" will request a
+single certificate valid for both "example.net" and "example.com" through the \fISubject
+Alternative Name\fR (SAN) field.
+
+For the next step, one way of verifying domain name ownership needs to be
+configured.  Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification. 
+
+The \fIhttp-01\fR verification provides proof of ownership by providing a
+challenge token. In order to do that, the directory referenced in the
+\fIWELLKNOWN\fR config variable needs to be exposed at
+\fIhttp://{domain}/.well-known/acme-challenge/\fR, where {domain} is every
+domain name specified in \fIdomains.txt\fR.  Dehydrated does not provide its
+own challenge responder, but relies on an existing web server to provide the
+challenge response.  See \fIwellknown.md\fR for configuration examples of
+popular web servers.
+
+The \fIdns-01\fR verification works by providing a challenge token through DNS.
+This is especially interesting for hosts that cannot be exposed to the public
+Internet.  Because adding records to DNS zones is oftentimes highly specific to
+the software or the DNS provider at hand, there are many third party hooks
+available for dehydrated.  See \fIdns-verification.md\fR for hooks for popular
+DNS servers and DNS hosters.
+
+Finally, the certificates need to be requested and updated on a regular basis.
+This can happen through a cron job or a timer. Initially, you may enforce this
+by invoking \fIdehydrated -c\fR manually.
+
+After a successful run, certificates are stored in
+\fI/etc/dehydrated/certs/{domain}\fR, where {domain} is the domain name in the
+first column of \fIdomains.txt\fR.
+
+.SH OPTIONS
+
+.BR Commands
+.TP
+.BR \-\-version ", " \-v
+Print version information
+.TP
+.BR \-\-register
+Register account key
+.TP
+.BR \-\-account
+Update account contact information
+.TP
+.BR \-\-cron ", " \-c
+Sign/renew non\-existent/changed/expiring certificates.
+.TP
+.BR \-\-signcsr ", " \-s " " \fIpath/to/csr.pem\fR
+Sign a given CSR, output CRT on stdout (advanced usage)
+.TP
+.BR \-\-revoke ", " \-r " " \fIpath/to/cert.pem\fR
+Revoke specified certificate
+.TP
+.BR \-\-cleanup ", " \-gc
+Move unused certificate files to archive directory
+.TP
+.BR \-\-help ", " \-h
+Show help text
+.TP
+.BR \-\-env ", " \-e
+Output configuration variables for use in other scripts
+
+.PP
+.BR Parameters
+.TP
+.BR \-\-accept\-terms
+Accept CAs terms of service
+.TP
+.BR \-\-full\-chain ", " \-fc
+Print full chain when using \fB\-\-signcsr\fR
+.TP
+.BR \-\-ipv4 ", " \-4
+Resolve names to IPv4 addresses only
+.TP
+.BR \-\-ipv6 ", " \-6
+Resolve names to IPv6 addresses only
+.TP
+.BR \-\-domain ", " \-d " " \fIdomain.tld\fR
+Use specified domain name(s) instead of domains.txt entry (one certificate!)
+.TP
+.BR \-\-keep\-going ", " \-g
+Keep going after encountering an error while creating/renewing multiple
+certificates in cron mode
+.TP
+.BR \-\-force ", " \-x
+Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+.TP
+.BR \-\-no\-lock ", " \-n
+Don't use lockfile (potentially dangerous!)
+.TP
+.BR \-\-lock\-suffix " " \fIexample.com\fR
+Suffix lockfile name with a string (useful for use with \-d)
+.TP
+.BR \-\-ocsp
+Sets option in CSR indicating OCSP stapling to be mandatory
+.TP
+.BR \-\-privkey ", " \-p " " \fIpath/to/key.pem\fR
+Use specified private key instead of account key (useful for revocation)
+.TP
+.BR \-\-config ", " \-f " " \fIpath/to/config\fR
+Use specified config file
+.TP
+.BR \-\-hook ", " \-k " " \fIpath/to/hook.sh\fR
+Use specified script for hooks
+.TP
+.BR \-\-out ", " \-o " " \fIcerts/directory\fR
+Output certificates into the specified directory
+.TP
+.BR \-\-challenge ", " \-t " " \fI[http\-01|dns\-01]\fR
+Which challenge should be used? Currently http\-01 and dns\-01 are supported
+.TP
+.BR \-\-algo ", " \-a " " \fI[rsa|prime256v1|secp384r1]\fR
+Which public key algorithm should be used? Supported: rsa, prime256v1 and
+secp384r1
+.SH DIAGNOSTICS
+The program exits 0 if everything was fine, 1 if an error occurred.
+.SH BUGS
+Please report any bugs that you may encounter at the project web site
+.UR https://github.com/lukas2511/dehydrated/issues
+.UE .
+.SH AUTHOR
+Dehydrated was written by Lukas Schauer. This man page was contributed by
+Daniel Molkentin.
+.SH COPYRIGHT
+Copyright 20015-2017 by Lukas Schauer and the respective contributors.
+Provided under the MIT License. See the LICENSE file that accompanies the
+distribution for licensing information.
+.SH SEE ALSO
+Full documentation along with configuration examples are provided in the \fIdocs\fR
+directory of the distribution, or at
+.UR https://github.com/lukas2511/dehydrated/tree/master/docs
+.UE .

dehydrated.changes

@@ -1,3 +1,75 @@
+-------------------------------------------------------------------
+Thu Oct  5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
+
+- Remove unused hooks directory
+
+- Introduced a directory for custom post-run hooks executed as root,
+  see README.SUSE for details. (not to be confused with the native hooks
+  run as dehyrated user)
+
+-------------------------------------------------------------------
+Fri Sep 29 15:14:29 UTC 2017 - daniel.molkentin@suse.com
+
+- Clarify necessity of enabling dehydrated.timer in README.SUSE
+
+- Submit to SLE15 as per fate#323377
+
+- Add optional post run hook directory, executed by cron/systemd
+  after dehydrated --cron has run
+
+- Remove hook directory intended for packaging other native hooks.
+  Will be approach differently
+
+-------------------------------------------------------------------
+Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
+
+- No longer require nginx or lighttpd for SLE
+
+- Never go as far as to require acmeresponder, it might not be available
+
+- Drop -update from dehydrated-update.{timer,socket} for consistency
+
+- Add distro specific README.SUSE / README.Fedora
+
+- Ran spec-cleaner
+
+-------------------------------------------------------------------
+Fri Sep 22 11:18:55 UTC 2017 - daniel.molkentin@suse.com
+
+- Add man page
+
+- Ensure dehydrated is always run as designated user
+  * adds 0001-Add-optional-user-and-group-configuration.patch
+
+- Introduce config.d directory for user configuration
+
+- Avoid warning about empty config.d directory
+  * adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
+
+- Fix sed warning about unescaped curly braces in regex
+
+-------------------------------------------------------------------
+Tue Sep 19 15:40:46 UTC 2017 - daniel.molkentin@suse.com
+
+- Swap statements in post: installing services requires tmp.d 
+
+-------------------------------------------------------------------
+Tue Sep 19 14:52:25 UTC 2017 - daniel.molkentin@suse.com
+
+- (Weak) dependency on dehydrated-acmeresponder.
+
+-------------------------------------------------------------------
+Thu Sep 14 13:47:06 UTC 2017 - daniel.molkentin@suse.com
+
+- systemd update service: ConditionPathExists goes into [Unit] section 
+
+-------------------------------------------------------------------
+Wed Sep 13 15:27:08 UTC 2017 - daniel.molkentin@suse.com
+
+- Use timer instead of cron for systemd-enabled distros
+
+  Note: Timer must be explicitly enabled!
+
 -------------------------------------------------------------------
 Tue Feb 21 13:12:19 UTC 2017 - daniel.molkentin@suse.com
 

dehydrated.cron.in

@@ -2,4 +2,4 @@ SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 MAILTO=root
 
-25 3 * * *   @USER@    test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron
+25 3 * * *   root    test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;

dehydrated.service.in

@@ -0,0 +1,14 @@
+[Unit]
+Description=Certificate Update Runner for Dehydrated
+ConditionPathExists=/etc/dehydrated/config
+After=network-online.target
+Wants=acmeresponder.socket
+
+[Service]
+Type=oneshot
+ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
+ExecStart=/usr/bin/dehydrated --cron
+
+# dehydrated --cron will drop permissions and run critical code as dehydrated user.
+User=root
+Group=root

dehydrated.spec

@@ -16,6 +16,27 @@
 #
 
 
+%define _challengedir %{_localstatedir}/lib/acme-challenge
+%define _user         dehydrated
+%define _home         %{_sysconfdir}/dehydrated
+%define _postrunhooks %{_home}/postrun-hooks.d
+
+%if 0%{?suse_version} > 1230
+%define  _lock_dir /run/dehydrated
+%bcond_without systemd
+%else
+%define  _lock_dir %{_localstatedir}/run/dehydrated
+%bcond_with    systemd
+%endif
+
+%if 0%{?is_opensuse} || %{defined fedora}
+%bcond_without nginx
+%bcond_without lighttpd
+%else
+%bcond_with nginx
+%bcond_with lighttpd
+%endif
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d }
 # See also http://en.opensuse.org/openSUSE:Specfile_guidelines
 
 %if 0%{?suse_version}
@@ -23,27 +44,6 @@
 %else
 %define _apache httpd
 %endif
-%define _challengedir /var/lib/acme-challenge
-%define _user         dehydrated
-%define _home         /etc/dehydrated
-
-%if 0%{?suse_version} > 1230
-%bcond_without systemd
-%define  _lock_dir /run/dehydrated
-%else
-%bcond_with    systemd
-%define  _lock_dir /var/run/dehydrated
-%endif
-
-%if (0%{?suse_version} < 1200 && !0%{?is_opensuse}) || 0%{?centos_version} || 0%{?rhel_version}
-%bcond_with nginx
-%bcond_with lighttpd
-%else
-%bcond_without nginx
-%bcond_without lighttpd
-%endif
-
-%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
 
 Name:           dehydrated
 Version:        0.4.0
@@ -58,26 +58,36 @@ Source2:        acme-challenge.conf.nginx.in
 Source3:        acme-challenge.conf.lighttpd.in
 Source4:        dehydrated.cron.in
 Source5:        dehydrated.tmpfiles.d
+Source6:        dehydrated.service.in
+Source7:        dehydrated.timer
+Source8:        dehydrated.1
+Source9:        README.SUSE
+Source10:       README.Fedora
+Source11:       README.hooks
+# Patch submitted to  upstream
+Patch1:         0001-Add-optional-user-and-group-configuration.patch
+# Patch from upstream
+Patch2:         0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
 BuildRequires:  %{_apache}
+Requires:       coreutils
+Requires:       curl
+Requires:       openssl
+Requires(pre):  %{_bindir}/getent
+Requires(pre):  %{_sbindir}/groupadd
+Requires(pre):  %{_sbindir}/useradd
+Obsoletes:      letsencrypt.sh < %{version}
+Provides:       letsencrypt.sh = %{version}
+BuildArch:      noarch
 %if %{with lighttpd}
 BuildRequires:  lighttpd
 %endif
 %if %{with nginx}
 BuildRequires:  nginx
 %endif
-%if 0%{?fedora_version}
+%if %{defined fedora}
 BuildRequires:  generic-logos
 BuildRequires:  generic-logos-httpd
 %endif
-Requires:       coreutils
-Requires:       curl
-Requires:       openssl
-%if 0%{?suse_version}
-Requires:       cron
-%endif
-Requires(pre):  /usr/sbin/useradd
-Requires(pre):  /usr/sbin/groupadd
-Requires(pre):  /usr/bin/getent
 # openSUSE >= 12.3 has shadow, pwdutils is provided but obsoleted.
 %if 0%{?suse_version} >= 1230
 BuildRequires:  shadow
@@ -85,13 +95,17 @@ BuildRequires:  shadow
 %if %{with systemd}
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
+%else #with_systemd
+%if 0%{?suse_version}
+Requires:       cron
+%endif
+%endif #with_systemd
+%if 0%{?suse_version}
+Recommends:     dehydrated-acmeresponder
 %endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 
-Obsoletes:      letsencrypt.sh < %{version}
-Provides:       letsencrypt.sh = %{version}
-
 %description
 This is a client for signing certificates with an ACME server
 (currently only provided by letsencrypt) implemented as a relatively
@@ -111,27 +125,29 @@ Current features:
 * Certificate revocation
 
 %package %{_apache}
+Summary:        Apache Integration for dehydrated
+Group:          Productivity/Networking/Security
 Requires:       %{_apache}
 Requires:       %{name}
+Obsoletes:      letsencrypt.sh-%{_apache} < %{version}
+Provides:       letsencrypt.sh-%{_apache} = %{version}
 %if ! 0%{?suse_version}
 Requires:       mod_ssl
 %endif
-Obsoletes:      letsencrypt.sh-%{_apache} < %{version}
-Provides:       letsencrypt.sh-%{_apache} = %{version}
-Summary:        Apache Integration for dehydrated
-Group:          Productivity/Networking/Security
+BuildArch:      noarch
 
 %description %{_apache}
 This adds a configuration file for dehydrated's acme-challenge to Apache.
 
 %if %{with nginx}
 %package nginx
+Summary:        Nginx Integration for dehydrated
+Group:          Productivity/Networking/Security
 Requires:       %{name}
 Requires:       nginx
 Obsoletes:      letsencrypt.sh-nginx < %{version}
 Provides:       letsencrypt.sh-nginx = %{version}
-Summary:        Nginx Integration for dehydrated
-Group:          Productivity/Networking/Security
+BuildArch:      noarch
 
 %description nginx
 This adds a configuration file for dehydrated's acme-challenge to nginx.
@@ -139,67 +155,102 @@ This adds a configuration file for dehydrated's acme-challenge to nginx.
 
 %if %{with lighttpd}
 %package lighttpd
-Requires:       %{name}
-Requires:       lighttpd
 Summary:        Lighttpd Integration for dehydrated
 Group:          Productivity/Networking/Security
+Requires:       %{name}
+Requires:       lighttpd
+BuildArch:      noarch
 
 %description lighttpd
 This adds a configuration file for dehydrated's acme-challenge to lighttpd.
-%endif #with lighttpd 
+%endif #with lighttpd
 
 %pre
-getent group %{_user} >/dev/null || /usr/sbin/groupadd -r %{_user}
-getent passwd %{_user} >/dev/null || /usr/sbin/useradd -g %{_user} \
+getent group %{_user} >/dev/null || %{_sbindir}/groupadd -r %{_user}
+getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
 	-s /bin/false -r -c "%{_user}" -d %{_home} %{_user}
-if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chown -R %{_user} /etc/dehydrated; fi
-if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi
+if [ -d %{_sysconfdir}/letsencrypt.sh ]; then mv %{_sysconfdir}/letsencrypt.sh %{_sysconfdir}/dehydrated; chown -R %{_user} %{_sysconfdir}/dehydrated; fi
+if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
 
 %if %{with systemd}
+%service_add_pre dehydrated.service dehydrated.timer
+
 %post
 systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
+%service_add_post dehydrated.service dehydrated.timer
+
+%preun
+%service_del_preun dehydrated.service dehydrated.timer
+
+%postun
+%service_del_postun dehydrated.service dehydrated.timer
 %endif
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+cp %{SOURCE9} .
+cp %{SOURCE10} .
 
 %build
 
 %install
 # sensitive keys
 mkdir -p %{buildroot}%{_home}/{accounts,certs}
+mkdir -p %{buildroot}%{_sbindir}
+mkdir -p %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_home}/config.d
+mkdir -p %{buildroot}%{_postrunhooks}
+
+cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
 
 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}
-install -m 0755 -d %{buildroot}/usr/bin
-install -m 0755 dehydrated %{buildroot}/usr/bin
+install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
+install -m 0755 -d %{buildroot}%{_bindir}
+install -m 0755 dehydrated %{buildroot}%{_bindir}
 install -m 0755 -d %{buildroot}%{_challengedir}
 
-install -m 0755 -d %{buildroot}/etc/%{_apache}/conf.d
+install -m 0755 -d %{buildroot}%{_sysconfdir}/%{_apache}/conf.d
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
-install -m 0644 acme-challenge.conf %{buildroot}/etc/%{_apache}/conf.d
+install -m 0644 acme-challenge.conf %{buildroot}%{_sysconfdir}/%{_apache}/conf.d
 
 %if %{with nginx}
-install -m 0755 -d %{buildroot}/etc/nginx
+install -m 0755 -d %{buildroot}%{_sysconfdir}/nginx
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
-install -m 0644 acme-challenge %{buildroot}/etc/nginx
+install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
 %endif #with nginx
 
 %if %{with lighttpd}
-install -m 0755 -d %{buildroot}/etc/lighttpd/conf.d
+install -m 0755 -d %{buildroot}%{_sysconfdir}/lighttpd/conf.d
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
-install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d
+install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
 %endif #with lighttpd
 
-install -m 0755 -d %{buildroot}/etc/cron.d
-sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
-install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
 %if %{with systemd}
-install -D    -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-%else
-install -D -d -m 0750 %{buildroot}%{_lock_dir}
+install -D    -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+# Use timer
+sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
+install -D -m 644 dehydrated.service  %{buildroot}%{_unitdir}/dehydrated.service
+install -D -m 644 %{SOURCE7}          %{buildroot}%{_unitdir}/dehydrated.timer
+%if 0%{?suse_version}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
 %endif
-perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
+%else #with systemd
+install -D -d -m 0750 %{buildroot}%{_lock_dir}
+# Use cron
+install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
+sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE4} > dehydrated.cron
+install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
+%endif #with systemd
+
+# Adjust config file
+perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
+perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config
+perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config
+perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config
+
 diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 
 %files
@@ -208,32 +259,43 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
 %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
 %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
+%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/config.d
 %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
 %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
-%config %{_sysconfdir}/cron.d/dehydrated
+%dir %attr(750,root,%{_user}) %{_postrunhooks}
+%config(noreplace) %attr(640,root,%{_user}) %{_postrunhooks}/README.hooks
 %{_bindir}/dehydrated
 %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
+%{_mandir}/man1/*
 %doc LICENSE README.md docs/*.md docs/*.jpg
+%doc README.SUSE
+%if %{defined redhat}
+%doc README.Fedora
+%endif
 %if %{with systemd}
 %{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/dehydrated.service
+%{_unitdir}/dehydrated.timer
+%{_sbindir}/rcdehydrated
 %ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
 %else
+%config %{_sysconfdir}/cron.d/dehydrated
 %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
 %endif
 
 %files %{_apache}
-%defattr(-,root,root,-)
+%defattr(-,root,root)
 %config %{_sysconfdir}/%{_apache}/conf.d/acme-challenge.conf
 
 %if %{with nginx}
 %files nginx
-%defattr(-,root,root,-)
+%defattr(-,root,root)
 %config %attr(640,root,nginx) %{_sysconfdir}/nginx/acme-challenge
 %endif #with nginx
 
 %if %{with lighttpd}
 %files lighttpd
-%defattr(-,root,root,-)
+%defattr(-,root,root)
 %config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
 %endif #with lighttpd
 

dehydrated.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Certificate Update Runner for Dehydrated 
+
+[Timer]
+OnCalendar=daily
+# Two hour window
+RandomizedDelaySec=7200
+ 
+[Install]
+WantedBy=timers.target