Import spec and other resources

7 years ago · 68cabc8898
commit 68cabc8898
4 changed files with 250 additions and 0 deletions
--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -0,0 +1,219 @@
+Name:		dehydrated
+Version:	0.4.0
+Release:	10%{?dist}
+Summary:	ACME client in bash
+
+Group:		Application/System
+License:	MIT
+URL:		https://github.com/lukas2511/dehydrated
+Source0:	%{name}-%{version}.tar.gz
+Source1:	dehydrated_hooks
+SOurce2:	dehydrated_revoke
+Source3:	httpd.sh.sample
+
+BuildArch:	noarch
+BuildRoot:	/var/tmp/%{name}-%{version}-%{release}-buildroot
+
+BuildRequires: 	httpd
+Requires:	openssl
+Requires:	sed
+Requires:	/bin/awk
+Requires:	curl
+Requires:	/bin/mktemp
+
+Conflicts:	letsencrypt.sh
+Obsoletes:	letsencrypt.sh
+
+%if 0%{?fedora} >= 11 || 0%{?rhel} >= 5
+%global useselinux 1
+%else
+%global useselinux 0
+%endif
+
+%description
+This is a client for signing certificates with an ACME server
+(currently only provided by Let's Encrypt) implemented as a
+relatively simple bash-script.
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+sed -i -e "s|#BASEDIR=.*|BASEDIR=%{_localstatedir}/lib/%{name}/certificates|" \
+       -e "s|#WELLKNOWN=.*|WELLKNOWN=%{_localstatedir}/lib/%{name}/challenges|" \
+       -e "s|#HOOK=.*|HOOK=%{_bindir}/dehydrated_hooks|" \
+       -e "s|#DOMAINS_TXT=.*|DOMAINS_TXT=%{_sysconfdir}/%{name}/domains.txt|" \
+        docs/examples/config
+
+%install
+install -d $RPM_BUILD_ROOT/%{_localstatedir}/lib/%{name}/challenges
+install -d $RPM_BUILD_ROOT/%{_localstatedir}/lib/%{name}/certificates
+install -D dehydrated $RPM_BUILD_ROOT/%{_bindir}/%{name}
+install %{SOURCE1} $RPM_BUILD_ROOT/%{_bindir}/dehydrated_hooks
+install %{SOURCE2} $RPM_BUILD_ROOT/%{_bindir}/dehydrated_revoke
+install -d $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/hooks_deploy_cert.d
+install -d $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/hooks_clean_challenge.d
+install -D -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/hooks_deploy_cert.d/10httpd.sh.sample
+install -D -m 0644 docs/examples/config $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/config
+install -D -m 0644 docs/examples/domains.txt $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/domains.txt
+install -d $RPM_BUILD_ROOT/%{_sysconfdir}/cron.daily/
+cat <<"_EOF" > $RPM_BUILD_ROOT/%{_sysconfdir}/cron.daily/%{name}
+#!/bin/sh
+# Uncomment to enable auto-renewal
+# %{_bindir}/%{name} -c 2>&1 | awk '{ print strftime(), $0; fflush(); }' >> %{_localstatedir}/log/%{name}.log
+
+# Uncomment this to auto revoke old certs
+# %{_bindir}/dehydrated_revoke 2>&1 | awk '{ print strftime(), $0; fflush(); }' >> %{_localstatedir}/log/%{name}.log
+
+_EOF
+install -d $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d
+cat <<"_EOF" > $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/dehydrated.conf
+
+Alias /.well-known/acme-challenge/ %{_localstatedir}/lib/%{name}/challenges/
+
+<Directory %{_localstatedir}/lib/%{name}/challenges>
+  Options None
+  AllowOverride None
+  Header set Content-Type "application/jose+json"
+  <IfModule mod_authz_core.c>
+    # Apache 2.4
+    Require all granted
+  </IfModule>
+  <IfModule !mod_authz_core.c>
+    # Apache 2.2
+    Order deny,allow
+    Allow from all
+  </IfModule>
+</Directory>
+_EOF
+install -d -m 750 $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
+cat <<"_EOF" > $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/%{name}
+/var/log/%{name}.log {
+  missingok
+  copytruncate
+  rotate 12
+  compress
+  weekly
+  create 0660 root root
+}
+_EOF
+
+%post
+%if %{useselinux}
+(
+# New File context
+semanage fcontext -a -t cert_t "%{_localstatedir}/lib/dehydrated(/.*)?"
+# files created by app
+restorecon -R %{_localstatedir}/lib/dehydrated
+) &>/dev/null || :
+%endif
+
+# Migrate from letsencrypt.sh
+if [ -e %{_sysconfdir}/letsencrypt.sh/config ]; then
+  sed -e 's/letsencrypt.sh/dehydrated/g' \
+      -e 's/le_hooks.sh/dehydrated_hooks/g' \
+      %{_sysconfdir}/letsencrypt.sh/config > %{_sysconfdir}/%{name}/config
+fi
+if [ -e %{_sysconfdir}/letsencrypt.sh/domains.txt ]; then
+  cat %{_sysconfdir}/letsencrypt.sh/domains.txt > %{_sysconfdir}/%{name}/domains.txt
+fi
+if [ -d %{_localstatedir}/lib/letsencrypt.sh/certificates/certs ]; then
+  mv %{_localstatedir}/lib/letsencrypt.sh/certificates/* %{_localstatedir}/lib/%{name}/certificates/
+fi
+sed -i -e 's|%{_localstatedir}/lib/letsencrypt.sh|%{_localstatedir}/lib/%{name}|g' %{_sysconfdir}/httpd/conf.d/ssl.conf
+if [ -d %{_sysconfdir}/letsencrypt.sh/hooks_deploy_cert.d/ ]; then
+  find %{_sysconfdir}/letsencrypt.sh/hooks_deploy_cert.d/ -type f -perm /111 -exec mv "{}" %{_sysconfdir}/%{name}/hooks_deploy_cert.d/ \;
+fi
+if [ -d %{_sysconfdir}/letsencrypt.sh/hooks_clean_challenge.d/ ]; then
+  find %{_sysconfdir}/letsencrypt.sh/hooks_clean_challenge.d/ -type f -perm /111 -exec mv "{}" %{_sysconfdir}/%{name}/hooks_clean_challenge.d/ \;
+fi
+
+%postun
+%if %{useselinux}
+if [ "$1" -eq "0" ]; then
+    # Remove the File Context
+    (
+    semanage fcontext -d "%{_localstatedir}/lib/dehydrated(/.*)?"
+    ) &>/dev/null || :
+fi
+%endif
+
+%files
+%doc LICENSE README.md docs/examples/hook.sh
+%config(noreplace) %{_sysconfdir}/%{name}/*
+%config(noreplace) %attr(0755,root,root) %{_sysconfdir}/cron.daily/%{name}
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%attr(0644, root,root) %{_sysconfdir}/%{name}/hooks_deploy_cert.d/*
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/hooks_clean_challenge.d/
+%attr(0755,root,root) %{_bindir}/%{name}
+%attr(0755,root,root) %{_bindir}/dehydrated_hooks
+%attr(0755,root,root) %{_bindir}/dehydrated_revoke
+%dir %attr(0750,root,apache) %{_localstatedir}/lib/%{name}/challenges
+%dir %attr(0750,root,root) %{_localstatedir}/lib/%{name}/certificates
+
+%changelog
+* Wed May 31 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.4.0-10
+- Bump release (priority vs EPEL)
+
+* Tue Mar 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.4.0-1
+- Update to 0.4.0
+
+* Thu Jan 19 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.3.1.20170119.gitb36d638-1
+- Set context to cert_t so it isn't changed to cron_var_lib_t when exec via cron
+- Update to git b36d638
+
+* Mon Oct 24 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.3.0.20160914.gitcaeed7d-3
+- Fix warning when installing dehydrated without upgrading from letsencrypt.sh
+- Update the default hook to use dehydrated_hooks
+
+* Mon Sep 19 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.3.0.20160914.gitcaeed7d-2
+- Fix find command to work with older find versions (on el5), replace -executable with -perm /111
+
+* Wed Sep 14 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.3.0.20160914.gitcaeed7d-1
+- Renamed to dehydrated
+
+* Wed Aug 24 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160803.gitafabfff-2
+- Set var_lib_t context to files
+
+* Wed Aug 3 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160803.gitafabfff-1
+- Update to git afabfff
+
+* Mon Jun 6 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160531.gitec48906-4
+- Default to enable HOOK in config
+
+* Fri Jun 3 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160531.gitec48906-3
+- Add missing exec permission on daily cronjob script
+
+* Wed Jun 1 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160531.gitec48906-2
+- Fix le_revoke.sh script to use config instead of config.sh
+
+* Tue May 31 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160531.gitec48906-1
+- Update to git ec48906
+
+* Fri May 13 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160513.gita286741-1
+- Update to git a286741
+
+* Wed Mar 30 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160330.gitdca25e8-1
+- Update to git dca25e8
+- Fix arg shifting in le_hooks script
+
+* Tue Feb 23 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160223.git2099c77-1
+- Update to GIT git2099c77
+
+* Sat Jan 30 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160127.git79ff846-2
+- Rename httpd.sh hook to 10httpd.sh
+- Provide le_revoke.sh script to revoke old certificates
+- Add timestamp to logs using awk
+
+* Fri Jan 29 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.20160127.git79ff846-1
+- Use date based version number
+
+* Wed Jan 27 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.3.git79ff846-1
+- Update to git 79ff846
+
+* Mon Jan 25 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.2.git3432f60-1
+- Add hooks directory
+
+* Mon Jan 25 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.0.1.git3432f60-1
+- First package
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+#!/bin/sh
+
+ACTION=${1}
+
+if [ -d "/etc/dehydrated/hooks_"$ACTION".d" ]; then
+  shift
+  for H in $(find /etc/dehydrated/hooks_"$ACTION".d/ -type f -o -type l | sort); do
+    [ -x $H ] && exec $H $@
+  done
+fi
--- a/18
+++ b/18
@ -0,0 +1,18 @@
+#!/bin/sh
+
+. /etc/dehydrated/config
+
+for DOM in $(find $BASEDIR/certs/ -mindepth 1 -maxdepth 1 -type d); do
+  CUR_ID=$(readlink $DOM/cert.pem | perl -pe 's/cert-(\d+)\.pem/$1/')
+  for ID in $(find $DOM/ -type f -name cert\*.csr -exec basename "{}" \; | perl -pe 's/cert-(\d+)\.csr/$1/'); do
+    if [[ "$ID" != "$CUR_ID" ]]; then
+      # Is the cert signed ?
+      if /usr/bin/openssl x509 -in $DOM/cert-"$ID".pem -noout > /dev/null 2>&1; then
+        /usr/bin/dehydrated -r $DOM/cert-"$ID".pem
+      else
+        # Cert not signed, probably a failed challenge
+        rm -f $DOM/cert-"$ID".{pem,csr}
+      fi
+    fi
+  done
+done
--- a/httpd.sh.sample
+++ b/httpd.sh.sample
@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/service httpd reload