commit 051e021fdd88de788a5b3e64296f98604c05783d
Author: Daniel Berteaud
Date: Fri Jan 22 23:39:26 2016 +0100
First commit
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..56f1efb
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,18 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+templates2events("/etc/letsencrypt.sh/config.sh", qw(le-update ssl-update bootstrap-console-save));
+templates2events("/etc/crontab", qw(le-update));
+templates2events("/etc/letsencrypt.sh/domains.txt",
+ qw(
+ le-update
+ bootstrap-console-save
+ domain-create
+ domain-delete
+ host-create
+ host-delete
+ host-modify
+ ));
+templates2events("/etc/httpd/conf/httpd.conf", qw(le-update));
+safe_symlink("sigusr1", "root/etc/e-smith/events/le-update/services2adjust/httpd-e-smith");
diff --git a/root/etc/e-smith/db/configuration/defaults/letsencrypt/status b/root/etc/e-smith/db/configuration/defaults/letsencrypt/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/letsencrypt/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/letsencrypt/type b/root/etc/e-smith/db/configuration/defaults/letsencrypt/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/letsencrypt/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/events/actions/exec-letsencrypt b/root/etc/e-smith/events/actions/exec-letsencrypt
new file mode 100644
index 0000000..9658ffb
--- /dev/null
+++ b/root/etc/e-smith/events/actions/exec-letsencrypt
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/letsencrypt.sh -c
diff --git a/root/etc/e-smith/templates/etc/crontab/80letsencrypt b/root/etc/e-smith/templates/etc/crontab/80letsencrypt
new file mode 100644
index 0000000..618e55b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/crontab/80letsencrypt
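Review bot: The domains.txt template is not wired to `domain-modify`, although it reads each domain's `Letsencrypt` property, so toggling that property on an existing domain leaves /etc/letsencrypt.sh/domains.txt stale until the next le-update event. Add `domain-modify` to the event list next to `host-modify`. The per-domain httpd.conf `80Letsencrypt` fragments read the same property and are only wired to le-update here; confirm whether the base system's domain events already expand httpd.conf, otherwise they need the same treatment.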
@@ -0,0 +1,13 @@
+{
+
+my $le = $letsencrypt{'status'} || 'disabled';
+
+if ($le eq 'enabled'){
+ $OUT .= '# Letsencrypt renewal' . "\n";
+ $OUT .= '2 4 * * * root sleep $[ $RANDOM \% 3600 ]; /usr/bin/letsencrypt.sh -c > /dev/null 2>&1' . "\n";
+}
+else{
+ $OUT .= '# Letsencrypt is disabled' . "\n";
+}
+
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/80LetsencryptChallengeDir b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/80LetsencryptChallengeDir
new file mode 100644
index 0000000..fab0b1d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/80LetsencryptChallengeDir
@@ -0,0 +1,19 @@
+{
+ if (($letsencrypt{'status'} || 'disabled') eq 'enabled'){
+ $OUT .=<<"_EOF";
+
+
+ Options None
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+ Allow from all
+ Header set Content-Type "application/jose+json"
+
+
+_EOF
+ }
+ else{
+ $OUT .= "# Letsencrypt is disabled\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Ejabberd/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Ejabberd/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Ejabberd/80Letsencrypt
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80Letsencrypt
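Review bot: The renewal cron line discards both stdout and stderr (`> /dev/null 2>&1`), so a failed renewal attempt leaves no trace and is only noticed when the certificate expires; letting stderr through so cron mails it, or redirecting to a log file, keeps renewal failures observable. The `$[ ... ]` arithmetic and `$RANDOM` are bash features, so the job depends on cron's SHELL being bash; a POSIX sh would run `sleep` with an invalid argument and never reach letsencrypt.sh. Worth a comment in the template, e.g. `# relies on cron's SHELL being bash ($RANDOM, $[ ])`, or an explicit `SHELL=/bin/bash` assumption documented where the crontab is assembled.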
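Review bot: In the challenge-directory block, `Deny from all` followed by `Allow from all` under `Order deny,allow` is a dead pair: the Allow is evaluated last and wins, so the Deny restricts nothing and should be dropped rather than suggest a restriction that is not there. `Header set Content-Type "application/jose+json"` needs mod_headers; if that module is not loaded httpd refuses to start on the unknown directive, so either wrap it in `<IfModule mod_headers.c>` or drop it if the validator does not require it. The enclosing `<Directory>` tag lines are not visible in this rendering, so the scope of the block is inferred from the template name.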
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80Letsencrypt
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80Letsencrypt
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/UserManagerVirtualHost/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/UserManagerVirtualHost/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/UserManagerVirtualHost/80Letsencrypt
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/80Letsencrypt
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/80Letsencrypt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/80Letsencrypt
new file mode 100644
index 0000000..b246f24
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/80Letsencrypt
@@ -0,0 +1,13 @@
+{
+ if (($domain->prop('Letsencrypt') || 'enabled') ne 'disabled' && ((${'httpd-e-smith'}{'TCPPort'} || '80') eq $port)){
+ $OUT .=<<"_EOF";
+ Alias /.well-known/acme-challenge/ /var/lib/letsencrypt.sh/
+
+ Allow from all
+
+_EOF
+ }
+ else{
+ $OUT .= "# Support for Letsencrypt is disabled on this domain\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/20BaseDir b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/20BaseDir
new file mode 100644
index 0000000..b977a6a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/20BaseDir
@@ -0,0 +1 @@
+BASEDIR=/home/e-smith/db/letsencrypt.sh/
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/30WellKnown b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/30WellKnown
new file mode 100644
index 0000000..fc1bb36
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/30WellKnown
@@ -0,0 +1 @@
+WELLKNOWN=/var/lib/letsencrypt.sh/
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/40KeySize b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/40KeySize
new file mode 100644
index 0000000..d4a4307
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/40KeySize
@@ -0,0 +1 @@
+KEYSIZE="{ $letsencrypt{KeySize} || '4096' }"
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/50Hook b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/50Hook
new file mode 100644
index 0000000..074c6b1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/50Hook
@@ -0,0 +1 @@
+HOOK=/sbin/e-smith/le_hook.sh
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/60Renew b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/60Renew
new file mode 100644
index 0000000..7a0e270
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/letsencrypt.sh/config.sh/60Renew
@@ -0,0 +1,2 @@
+RENEW_DAYS="30"
+PRIVATE_KEY_RENEW="yes"
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10domains b/root/etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10domains
new file mode 100644
index 0000000..e6d4c20
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10domains
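Review bot: `KEYSIZE` is emitted into config.sh, a file letsencrypt.sh sources as shell, straight from the `KeySize` database property with no validation; a non-numeric value breaks key generation and, because the file is sourced, shell metacharacters in the property would be executed as root. The property is root-writable only, so the exposure is low, but the template should still only ever emit a number: `KEYSIZE="{ my $k = $letsencrypt{KeySize} || '4096'; $k =~ /^\d+$/ ? $k : '4096' }"`. A short comment such as `# KeySize must be numeric; anything else falls back to 4096` makes the fallback deliberate for the next maintainer.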
@@ -0,0 +1,32 @@
+{
+
+use esmith::DomainsDB;
+use esmith::HostsDB;
+
+my $d = esmith::DomainsDB->open_ro || die "Couldn't open DomainsDB\n";
+my $h = esmith::HostsDB->open_ro || die "Couldn't open HostsDB\n";
+
+my $names = ();
+
+foreach my $domain ($d->domains, $d->get_all_by_prop(type => 'vhost')){
+ my $le = $domain->prop('Letsencrypt') || 'enabled';
+ push @names, $domain->key unless $le ne 'enabled';
+}
+
+foreach my $host ($h->hosts){
+ my $name = $host->key;
+ my $dom = $DomainName;
+ if ($name =~ m/[a-z0-9]*\.(.*)/i){
+ $dom = $1;
+ }
+ my $type = $host->prop('HostType') || 'Self';
+ my $le = $host->prop('Letsencrypt') || 'disabled';
+ if ($le =~ m/^enabled|yes|1|on$/i ||
+ $type eq 'Self' && $dom eq $DomainName){
+ push @names, $host->key;
+ }
+}
+
+$OUT .= join(" ", @names);
+
+}
diff --git a/root/etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/template-begin b/root/etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/template-begin
new file mode 100644
index 0000000..e69de29
diff --git a/root/sbin/e-smith/le_hook.sh b/root/sbin/e-smith/le_hook.sh
new file mode 100644
index 0000000..158af28
--- /dev/null
+++ b/root/sbin/e-smith/le_hook.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+ACTION=shift
+
+if [ "$ACTION" == "deploy_cert" ]; then
+ # New cert
+ KEY=shift
+ CRT=shift
+ CHAIN=shift
+ /sbin/e-smith/db configuration setprop modSSL key $KEY crt $CRT CertificateChainFile $CHAIN
+ /sbin/e-smith/signal-event ssl-update
+elif [ "$ACTION" == "clean_challenge" ]; then
+ ALTNAME=shift
+ if [ "$ALTNAME" == "" ]; then
+ echo "Error while creating or renewing letsencrypt certificate" | mail -s "Letsencrypt error" admin
+ fi
+fi
diff --git a/smeserver-letsencrypt-client.spec b/smeserver-letsencrypt-client.spec
new file mode 100644
index 0000000..8e3f191
--- /dev/null
+++ b/smeserver-letsencrypt-client.spec
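Review bot: `my $names = ();` declares a scalar, but both loops push onto and the final `join` reads the array `@names`, which is never declared; this only works because the template is evaluated without `strict` and should read `my @names;`. The host filter `m/^enabled|yes|1|on$/i` parses as `^enabled` | `yes` | `1` | `on$` because alternation binds looser than the anchors, so a value such as `nothing1` is accepted; write `m/^(?:enabled|yes|1|on)$/i`. The domain check `unless $le ne 'enabled'` accepts only the exact string `enabled`, while the httpd.conf `80Letsencrypt` fragments treat anything other than `disabled` as enabled, so a domain with `Letsencrypt=yes` gets the ACME alias but is left out of the certificate; align the two tests. Since every name is joined onto a single domains.txt line, this presumably requests one certificate covering all of them, and one host name that does not resolve to this server fails the whole issuance — worth a comment at the top of the template.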
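Review bot: `ACTION=shift` (and likewise `KEY=shift`, `CRT=shift`, `CHAIN=shift`, `ALTNAME=shift`) assigns the literal string `shift` instead of consuming a positional argument, so as rendered here neither branch can ever match and a freshly issued certificate is never written into the modSSL record nor `ssl-update` signalled — renewals would silently stop taking effect. Each assignment should be `VAR="$1"; shift`, the expansions passed to `db setprop` should be quoted, and `[ ... == ... ]` is a bash extension rather than POSIX `test` under `#!/bin/sh`, so `=` is the portable form. If letsencrypt.sh passes the domain name before the key and certificate paths, as its hook interface appears to, the file variables are off by one as well; confirm against the packaged client version. The `clean_challenge` branch treats an empty first argument as a failure signal, which the hook interface may not guarantee; consider checking letsencrypt.sh's exit status in the cron job instead.
```shell
ACTION="$1"; shift

if [ "$ACTION" = "deploy_cert" ]; then
    # New cert — letsencrypt.sh passes the domain before the file paths; TODO confirm against the packaged version
    DOMAIN="$1"; shift
    KEY="$1"; shift
    CRT="$1"; shift
    CHAIN="$1"; shift
    /sbin/e-smith/db configuration setprop modSSL key "$KEY" crt "$CRT" CertificateChainFile "$CHAIN"
    /sbin/e-smith/signal-event ssl-update
elif [ "$ACTION" = "clean_challenge" ]; then
    ALTNAME="$1"; shift
    if [ "$ALTNAME" = "" ]; then
        # … unchanged: error mail to admin …
    fi
fi
```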
@@ -0,0 +1,53 @@
+%define version 0.0.1
+%define release 0.beta9
+%define name smeserver-letsencrypt-client
+
+Summary: Letencrypt client for SME Server
+Name: %{name}
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Applications/System
+Source: %{name}-%{version}.tar.gz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArchitectures: noarch
+BuildRequires: e-smith-devtools
+
+Requires: e-smith-base >= 5.4.0-26
+Requires: letsencrypt.sh
+
+%description
+Automatically get certificates from letsencrypt
+Using https://github.com/lukas2511/letsencrypt.sh
+
+%changelog
+* Fri Jan 22 2016 Daniel Berteaud - 0.1.0-1.sme
+- Initial release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+%{__mkdir_p} root/home/e-smith/db/letsencrypt.sh
+perl createlinks
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --dir /var/lib/letsencrypt 'attr(0750,root,apache)' \
+ --dir /home/e-smith/db/letsencrypt.sh 'attr(0750,root,root)' \
+ > %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+
+%post
+
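Review bot: The filelist attribute is applied to `/var/lib/letsencrypt`, but every template points the challenge directory at `/var/lib/letsencrypt.sh/` (the `WELLKNOWN` setting, the per-vhost `Alias`, and the challenge-dir httpd fragment), and `%build` only creates `root/home/e-smith/db/letsencrypt.sh`, so the package ships without the WELLKNOWN directory and the `attr(0750,root,apache)` line has nothing to apply to. Add `%{__mkdir_p} root/var/lib/letsencrypt.sh` to `%build` and change the filelist line to `--dir /var/lib/letsencrypt.sh 'attr(0750,root,apache)' \` so httpd can read challenge files while only root writes them; the `0750 root:root` on the BASEDIR is what keeps the account and private keys unreadable to other users, so keep that one as is. The changelog entry `0.1.0-1.sme` does not match the `%define`d version `0.0.1` / release `0.beta9`, and `Letencrypt` in Summary is a typo.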