Date:      Sun, 19 Jun 2016 12:36:09 +0000 (UTC)
From:      Bernard Spil <brnrd@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r417119 - in head/security/letskencrypt: . files
Message-ID:  <201606191236.u5JCa9s0077321@repo.freebsd.org>

Author: brnrd
Date: Sun Jun 19 12:36:09 2016
New Revision: 417119
URL: https://svnweb.freebsd.org/changeset/ports/417119

Log:
  security/letskencrypt: Add periodic(8) and multi-cert capability
  
    - Add periodic script
    - Make Domain+SAN names and challenge-dir configurable
    - Add multiple Domain+SAN certificates capability using scripts
    - Add sample renewal script
    - Add sample deployment script
    - Add pkg-message documenting periodic.conf variables

Added:
  head/security/letskencrypt/files/
  head/security/letskencrypt/files/000.letskencrypt.sh.in   (contents, props changed)
  head/security/letskencrypt/files/deploy.sh.sample.in   (contents, props changed)
  head/security/letskencrypt/files/letskencrypt.sh.sample.in   (contents, props changed)
  head/security/letskencrypt/files/pkg-message.in   (contents, props changed)
Modified:
  head/security/letskencrypt/Makefile
  head/security/letskencrypt/pkg-plist

Modified: head/security/letskencrypt/Makefile
==============================================================================
--- head/security/letskencrypt/Makefile	Sun Jun 19 12:34:47 2016	(r417118)
+++ head/security/letskencrypt/Makefile	Sun Jun 19 12:36:09 2016	(r417119)
@@ -24,16 +24,30 @@ OPENSSL_PORT=	security/libressl
 
 WWWDIR=		${PREFIX}/www/letsencrypt
 
+SAMPLE_FILES=	letskencrypt.sh.sample deploy.sh.sample
+SUB_FILES=	000.letskencrypt.sh pkg-message ${SAMPLE_FILES}
+SUB_LIST=       PORTNAME=${PORTNAME}
+
+PERIODIC_DIRS=  etc/periodic/weekly
+PERIODIC_FILES= 000.letskencrypt.sh
+
 post-patch:
 	${REINPLACE_CMD} -e "s|/etc/|${PREFIX}/etc/|" \
 		-e "s|/var/www/letsencrypt|${WWWDIR}|" \
 		${WRKSRC}/main.c ${WRKSRC}/letskencrypt.1
 
+post-install:
+	${MKDIR} -p ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}
+	${INSTALL_SCRIPT} ${WRKDIR}/${PERIODIC_FILES} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${PERIODIC_FILES}
+
 post-stage:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/letskencrypt
 .	for d in etc/ssl/letsencrypt etc/ssl/letsencrypt/private \
 		etc/letsencrypt www/letsencrypt 
 		${MKDIR} ${STAGEDIR}${PREFIX}/${d}
 .	endfor
+.	for d in ${SAMPLE_FILES}
+		${INSTALL_SCRIPT} ${WRKDIR}/${d} ${STAGEDIR}${PREFIX}/etc/letsencrypt/${d}
+.	endfor
 
 .include <bsd.port.mk>
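Review bot: The new assignments `SUB_LIST=       PORTNAME=${PORTNAME}`, `PERIODIC_DIRS=  etc/periodic/weekly` and `PERIODIC_FILES= 000.letskencrypt.sh` pad with spaces while every other assignment in the hunk (`SAMPLE_FILES=`, `SUB_FILES=`, `WWWDIR=`) uses a tab; the file's convention is tabs. In post-install, `${MKDIR} -p` appears redundant — as far as I recall the ports framework already defines MKDIR as `mkdir -p`, and the loop in post-stage relies on exactly that by calling `${MKDIR}` bare; `${MKDIR} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}` keeps the two consistent. The periodic script is installed from post-install while the sample scripts are installed from post-stage, so the installation of the files added by this commit is split across two hooks for no visible reason; moving the periodic install into the post-stage target next to the sample loop would keep them together.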

Added: head/security/letskencrypt/files/000.letskencrypt.sh.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/letskencrypt/files/000.letskencrypt.sh.in	Sun Jun 19 12:36:09 2016	(r417119)
@@ -0,0 +1,42 @@
+#/bin/sh
+
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+PATH=$PATH:%%LOCALBASE%%/bin:%%LOCALBASE%%/sbin
+export PATH
+
+case "$weekly_letskencrypt_enable" in
+    [Yy][Ee][Ss])
+	echo
+	echo "Checking Let's Encrypt certificate status:"
+
+	if [ -x "$weekly_letskencrypt_renewscript" ] ; then
+		$weekly_letskencrypt_renewscript
+	elif [ -x %%PREFIX%%/letsencrypt/letskencrypt.sh ] ; then
+		%%PREFIX%%/letsencrypt/letskencrypt.sh 
+	else
+		if [ -z "$weekly_letskencrypt_domains" ] ; then
+			weekly_letskencrypt_domains=$(hostname -f)
+			echo "Using hostname: $weekly_letskencrypt_domains"
+		fi
+		if [ -n "$weekly_letskencrypt_challengedir" ] ; then
+			weekly_letskencrypt_args="$weekly_letskencrypt_args -C $weekly_letskencrypt_challengedir"
+		fi
+		%%LOCALBASE%%/bin/letskencrypt $weekly_letskencrypt_args $weekly_letskencrypt_domains
+	fi
+
+	echo "Deploying Let's Encrypt certificates:"
+
+	if [ -x "$weekly_letskencrypt_deployscript" ] ; then
+		$weekly_letskencrypt_deployscript
+	else
+		echo 'Skipped, deploy script not set.'
+	fi
+        ;;
+    *)
+        ;;
+esac
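Review bot: The fallback branch `elif [ -x %%PREFIX%%/letsencrypt/letskencrypt.sh ]` tests a path this port never populates: the Makefile hunk installs the samples under `${PREFIX}/etc/letsencrypt/` and pkg-message documents `%%PREFIX%%/etc/letsencrypt/%%PORTNAME%%.sh`, so the branch is dead and a host that relies on the shipped multi-domain script silently falls through to the single-hostname default. The fix is `elif [ -x %%PREFIX%%/etc/letsencrypt/letskencrypt.sh ] ; then` followed by `%%PREFIX%%/etc/letsencrypt/letskencrypt.sh`. The first line `#/bin/sh` is missing the `!`; periodic(8) executes the file directly, so it only runs today via the shell's ENOEXEC fallback — `#!/bin/sh`. None of the three renewal branches nor the deploy branch records an exit status, so a failed ACME run leaves periodic's own status clean and is visible only in the captured output; capturing `rc=$?` after the renewal, skipping the deploy step when it is non-zero, and ending with `exit $rc` would make failures show up the way other periodic scripts report them.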

Added: head/security/letskencrypt/files/deploy.sh.sample.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/letskencrypt/files/deploy.sh.sample.in	Sun Jun 19 12:36:09 2016	(r417119)
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+DOMAIN="example.net"
+LEDIR="%%PREFIX%%/etc/ssl/letsencrypt"
+JAILSDIR="/usr/jails"
+TARGETS="mail http"
+for jail in ${targets}; do
+  targetdir="${JAILSDIR}/${jail}/etc/ssl"
+  # Check if the certificate has changed
+  [[ -z "`diff -rq ${LEDIR}/${domain}/fullchain.pem ${targetdir}/certs/${domain}.pem`" ]] && continue
+  cp -L "${LEDIR}/private/${domain}.pem"   "${targetdir}/priv/${domain}.pem"
+  cp -L "${LEDIR}/${domain}/fullchain.pem" "${targetdir}/certs/${domain}.pem"
+  chmod 400 "${targetdir}/priv/${domain}.pem"
+  chmod 644 "${targetdir}/certs/${domain}.pem"
+  # Restart/-load relevant services
+  [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
+  [[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd    restart
+done
+
+# Repeat for other certificates
+#DOMAIN="example.org"
+#TARGETS="mail"
+#for jail in ${targets}; do
+#  targetdir="${JAILSDIR}/${jail}/etc/ssl"
+#  # Check if the certificate has changed
+#  [[ -z "`diff -rq ${LEDIR}/${domain}/fullchain.pem ${targetdir}/certs/${domain}.pem`" ]] && continue
+#  cp -L "${LEDIR}/private/${domain}.pem"   "${targetdir}/priv/${domain}.pem"
+#  cp -L "${LEDIR}/${domain}/fullchain.pem" "${targetdir}/certs/${domain}.pem"
+#  chmod 400 "${targetdir}/priv/${domain}.pem"
+#  chmod 644 "${targetdir}/certs/${domain}.pem"
+#  # Restart/-load relevant services
+#  [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
+#  [[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd    restart
+#done
+
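Review bot: As shipped the sample is a no-op: the loop header `for jail in ${targets}` iterates a variable that is never set (the assignment is `TARGETS=`), and every path inside uses `${domain}` while the assignment is `DOMAIN=`, so no copy and no restart ever happens; the commented-out block repeats both mismatches. The script declares `#!/bin/sh` but uses `[[ ... ]]`, which FreeBSD's sh does not provide, and the change check tests `-z` on diff's stdout, which is empty when the target file does not exist yet (diff reports that on stderr), so even under bash the very first deployment would be skipped — `cmp -s` on exit status handles both cases. The private key is created by `cp -L` under the process umask and only then narrowed by `chmod 400`, leaving a window in which `priv/${DOMAIN}.pem` may be readable by other users inside the jail; `install -m 0400` sets the mode at creation and, reading the source through open(2), follows the symlink as `cp -L` did. The rewritten loop below keeps the same targets, paths and restarts.

```sh
TARGETS="mail http"
for jail in ${TARGETS}; do
  targetdir="${JAILSDIR}/${jail}/etc/ssl"
  # Skip unless the certificate changed; cmp also fails when the target does not exist yet
  cmp -s "${LEDIR}/${DOMAIN}/fullchain.pem" "${targetdir}/certs/${DOMAIN}.pem" && continue
  # install(1) creates the key with its final mode; cp followed by chmod leaves a umask window
  install -m 0400 "${LEDIR}/private/${DOMAIN}.pem"   "${targetdir}/priv/${DOMAIN}.pem"
  install -m 0644 "${LEDIR}/${DOMAIN}/fullchain.pem" "${targetdir}/certs/${DOMAIN}.pem"
  # Restart/-load relevant services
  [ "${jail}" = "http" ] && jexec "${jail}" service apache24 restart
  [ "${jail}" = "mail" ] && jexec "${jail}" service smtpd    restart
done
```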

Added: head/security/letskencrypt/files/letskencrypt.sh.sample.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/letskencrypt/files/letskencrypt.sh.sample.in	Sun Jun 19 12:36:09 2016	(r417119)
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+BASEDIR="%%PREFIX%%/etc/letsencrypt"
+SSLDIR="%%PREFIX%%/etc/ssl/letsencrypt"
+DOMAINSFILE="${BASEDIR}/domains.txt"
+CHALLENGEDIR="/usr/jails/http/usr/local/www/.well-known/acme-challenge"
+
+[ ! -d "${SSLDIR}/priv" ] && mkdir -pm700 "${SSLDIR}/private"
+
+cat "${DOMAINSFILE}" | while read domain line ; do
+   CERTSDIR="${SSLDIR}/${domain}"
+   [ ! -d "${CERTSDIR}" ] && mkdir -pm755 "${CERTSDIR}"
+   letskencrypt -C "${CHALLENGEDIR}" \
+                -k "${SSLDIR}/private/${domain}.pem" \
+                -c "${CERTSDIR}" \
+                ${domain} ${line}
+done
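Review bot: The guard `[ ! -d "${SSLDIR}/priv" ] && mkdir -pm700 "${SSLDIR}/private"` tests one directory and creates another, so the mkdir runs on every invocation; it should read `[ -d "${SSLDIR}/private" ] || mkdir -pm700 "${SSLDIR}/private"`, and since pkg-plist already creates `etc/ssl/letsencrypt/private` as 0700 the line is arguably redundant. Because of `set -e`, one failing `letskencrypt` call aborts the `while read` loop and every domain listed after it in domains.txt goes unrenewed, which is the opposite of what a multi-certificate renewal script should do; appending `|| rc=1` to the call and finishing with `exit ${rc:-0}` renews the rest while still reporting the failure to periodic. `cat "${DOMAINSFILE}" | while read domain line` runs the loop in a subshell (so that rc would be lost) and `read` without `-r` mangles backslashes; `while read -r domain line; do ...; done < "${DOMAINSFILE}"` fixes both. The unquoted `${domain} ${line}` is presumably intentional word splitting of the SAN list — a one-line comment saying so would stop a later cleanup from quoting it.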

Added: head/security/letskencrypt/files/pkg-message.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/letskencrypt/files/pkg-message.in	Sun Jun 19 12:36:09 2016	(r417119)
@@ -0,0 +1,28 @@
+
+There are example scripts in
+%%PREFIX%%/etc/letsencrypt
+that you can for renewing and deploying multiple certificates
+
+In order to run the script regularly to update
+the certificates add this line to /etc/periodic.conf
+
+weekly_letskencrypt_enable="YES"
+
+Additionally the following parameters can be added to
+/etc/periodic.conf (showing default values):
+
+To specify the domain name(s) to include in the certificate
+weekly_letskencrypt_domains="$(hostname -f)"
+
+To specify the .well-known/acme-challenge directory (full path)
+weekly_letskencrypt_challengedir="/usr/local/www/letsencrypt"
+
+To set additional letskencrypt arguments (see letskencrypt(1))
+weekly_letskencrypt_args=""
+
+To run a specific script for the renewal (ignore previously set variables)
+allows generating/renewing multiple keys/certificates
+weekly_letskencrypt_renewscript=""%%PREFIX%%/etc/letsencrypt/%%PORTNAME%%.sh"
+
+To run a script after the renewal to deploy changed certs
+weekly_letskencrypt_deployscript="%%PREFIX%%/etc/letsencrypt/deploy.sh"
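Review bot: The example `weekly_letskencrypt_renewscript=""%%PREFIX%%/etc/letsencrypt/%%PORTNAME%%.sh"` has an unbalanced double quote; periodic.conf is sourced by sh, so an administrator who pastes it as shown gets an unterminated string that breaks every periodic run on the host, not just this script. It should read `weekly_letskencrypt_renewscript="%%PREFIX%%/etc/letsencrypt/%%PORTNAME%%.sh"`. The sentence `that you can for renewing and deploying multiple certificates` is missing a verb — `that you can use for renewing and deploying multiple certificates`. The heading says the list shows default values, but the periodic script only passes `-C` when `weekly_letskencrypt_challengedir` is set, so the quoted challenge-directory value is the tool's compiled-in default rather than something the script applies; wording it as "(defaults to the letskencrypt(1) built-in when unset)" would avoid suggesting the variable is required.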

Modified: head/security/letskencrypt/pkg-plist
==============================================================================
--- head/security/letskencrypt/pkg-plist	Sun Jun 19 12:34:47 2016	(r417118)
+++ head/security/letskencrypt/pkg-plist	Sun Jun 19 12:36:09 2016	(r417119)
@@ -1,7 +1,10 @@
 bin/letskencrypt
 man/man1/letskencrypt.1.gz
+etc/periodic/weekly/000.letskencrypt.sh
 @dir(,,0700) etc/letsencrypt
 @dir(,,0755) etc/ssl
 @dir(,,0755) etc/ssl/letsencrypt
 @dir(,,0700) etc/ssl/letsencrypt/private
 @dir(,www,) %%WWWDIR%%
+@sample etc/letsencrypt/deploy.sh.sample
+@sample etc/letsencrypt/letskencrypt.sh.sample


