authorBernard Spil <brnrd@FreeBSD.org>2016-06-19 12:36:09 +0000
committerBernard Spil <brnrd@FreeBSD.org>2016-06-19 12:36:09 +0000
commit520b5e48f3c8a1b80b9f14920b43e96d0c03c957 (patch)
tree98c05d984500e4671dbf7b7bb4fed5a43c43f1fe
parent02203645635f5336deddbe9231a11e6b3fc1a331 (diff)
security/letskencrypt: Add periodic(8) and multi-cert capability
- Add periodic script - Make Domain+SAN names and challenge-dir configurable - Add multiple Domain+SAN certificates capability using scripts - Add sample renewal script - Add sample deployment script - Add pkg-message documenting periodic.conf variables
-rw-r--r--security/letskencrypt/Makefile14
-rw-r--r--security/letskencrypt/files/000.letskencrypt.sh.in42
-rw-r--r--security/letskencrypt/files/deploy.sh.sample.in37
-rw-r--r--security/letskencrypt/files/letskencrypt.sh.sample.in19
-rw-r--r--security/letskencrypt/files/pkg-message.in28
-rw-r--r--security/letskencrypt/pkg-plist3
6 files changed, 143 insertions, 0 deletions
diff --git a/security/letskencrypt/Makefile b/security/letskencrypt/Makefile
index 8967b2bafa10..938c91d11ad8 100644
--- a/security/letskencrypt/Makefile
+++ b/security/letskencrypt/Makefile
@@ -24,16 +24,30 @@ OPENSSL_PORT= security/libressl
WWWDIR= ${PREFIX}/www/letsencrypt
+SAMPLE_FILES= letskencrypt.sh.sample deploy.sh.sample
+SUB_FILES= 000.letskencrypt.sh pkg-message ${SAMPLE_FILES}
+SUB_LIST= PORTNAME=${PORTNAME}
+
+PERIODIC_DIRS= etc/periodic/weekly
+PERIODIC_FILES= 000.letskencrypt.sh
+
post-patch:
${REINPLACE_CMD} -e "s|/etc/|${PREFIX}/etc/|" \
-e "s|/var/www/letsencrypt|${WWWDIR}|" \
${WRKSRC}/main.c ${WRKSRC}/letskencrypt.1
+post-install:
+ ${MKDIR} -p ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}
+ ${INSTALL_SCRIPT} ${WRKDIR}/${PERIODIC_FILES} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${PERIODIC_FILES}
+
post-stage:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/letskencrypt
. for d in etc/ssl/letsencrypt etc/ssl/letsencrypt/private \
etc/letsencrypt www/letsencrypt
${MKDIR} ${STAGEDIR}${PREFIX}/${d}
. endfor
+. for d in ${SAMPLE_FILES}
+ ${INSTALL_SCRIPT} ${WRKDIR}/${d} ${STAGEDIR}${PREFIX}/etc/letsencrypt/${d}
+. endfor
.include <bsd.port.mk>
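Review bot: The new post-install recipe uses PERIODIC_FILES and PERIODIC_DIRS as single values, while their plural names and the `.for d in ${SAMPLE_FILES}` loop added to post-stage suggest lists; adding a second script to PERIODIC_FILES would hand `${INSTALL_SCRIPT}` two sources and a destination of `.../weekly/a b`, which is not what anyone intends. Mirror the sample loop: `.for f in ${PERIODIC_FILES}` / `	${INSTALL_SCRIPT} ${WRKDIR}/${f} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${f}` / `.endfor`. The `-p` on `${MKDIR} -p` is redundant if, as in the ports framework, MKDIR is already defined as `mkdir -p`; the existing post-stage loop already relies on that. It would also be worth a one-line comment on post-install saying why the periodic script is installed there rather than in post-stage with the samples, since both paths stage files under ${PREFIX}.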
diff --git a/security/letskencrypt/files/000.letskencrypt.sh.in b/security/letskencrypt/files/000.letskencrypt.sh.in
new file mode 100644
index 000000000000..71887253730e
--- /dev/null
+++ b/security/letskencrypt/files/000.letskencrypt.sh.in
@@ -0,0 +1,42 @@
+#/bin/sh
+
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+PATH=$PATH:%%LOCALBASE%%/bin:%%LOCALBASE%%/sbin
+export PATH
+
+case "$weekly_letskencrypt_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Checking Let's Encrypt certificate status:"
+
+ if [ -x "$weekly_letskencrypt_renewscript" ] ; then
+ $weekly_letskencrypt_renewscript
+ elif [ -x %%PREFIX%%/letsencrypt/letskencrypt.sh ] ; then
+ %%PREFIX%%/letsencrypt/letskencrypt.sh
+ else
+ if [ -z "$weekly_letskencrypt_domains" ] ; then
+ weekly_letskencrypt_domains=$(hostname -f)
+ echo "Using hostname: $weekly_letskencrypt_domains"
+ fi
+ if [ -n "$weekly_letskencrypt_challengedir" ] ; then
+ weekly_letskencrypt_args="$weekly_letskencrypt_args -C $weekly_letskencrypt_challengedir"
+ fi
+ %%LOCALBASE%%/bin/letskencrypt $weekly_letskencrypt_args $weekly_letskencrypt_domains
+ fi
+
+ echo "Deploying Let's Encrypt certificates:"
+
+ if [ -x "$weekly_letskencrypt_deployscript" ] ; then
+ $weekly_letskencrypt_deployscript
+ else
+ echo 'Skipped, deploy script not set.'
+ fi
+ ;;
+ *)
+ ;;
+esac
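Review bot: The fallback `elif [ -x %%PREFIX%%/letsencrypt/letskencrypt.sh ]` points at a path this commit never installs: the sample is staged to `%%PREFIX%%/etc/letsencrypt/letskencrypt.sh.sample` (Makefile post-stage, pkg-plist `@sample`) and pkg-message tells users the renamed copy lives in `%%PREFIX%%/etc/letsencrypt/`, so that branch is dead and a user who only renames the sample silently falls through to the single-domain `hostname -f` path. Change both lines to `elif [ -x %%PREFIX%%/etc/letsencrypt/letskencrypt.sh ] ; then` and `%%PREFIX%%/etc/letsencrypt/letskencrypt.sh`. The first line `#/bin/sh` is missing the `!`, so running the file directly (as periodic(8) appears to do) depends on the caller's ENOEXEC-to-shell fallback rather than a real interpreter line; make it `#!/bin/sh`. The script also never records the exit status of letskencrypt or of the renew/deploy scripts, so a failed renewal ends the run with whatever the last `echo` returned and periodic(8) cannot distinguish it from success; capture `rc=$?` after each invocation and finish with `exit $rc`.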
diff --git a/security/letskencrypt/files/deploy.sh.sample.in b/security/letskencrypt/files/deploy.sh.sample.in
new file mode 100644
index 000000000000..9b44272878aa
--- /dev/null
+++ b/security/letskencrypt/files/deploy.sh.sample.in
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+DOMAIN="example.net"
+LEDIR="%%PREFIX%%/etc/ssl/letsencrypt"
+JAILSDIR="/usr/jails"
+TARGETS="mail http"
+for jail in ${targets}; do
+ targetdir="${JAILSDIR}/${jail}/etc/ssl"
+ # Check if the certificate has changed
+ [[ -z "`diff -rq ${LEDIR}/${domain}/fullchain.pem ${targetdir}/certs/${domain}.pem`" ]] && continue
+ cp -L "${LEDIR}/private/${domain}.pem" "${targetdir}/priv/${domain}.pem"
+ cp -L "${LEDIR}/${domain}/fullchain.pem" "${targetdir}/certs/${domain}.pem"
+ chmod 400 "${targetdir}/priv/${domain}.pem"
+ chmod 644 "${targetdir}/certs/${domain}.pem"
+ # Restart/-load relevant services
+ [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
+ [[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd restart
+done
+
+# Repeat for other certificates
+#DOMAIN="example.org"
+#TARGETS="mail"
+#for jail in ${targets}; do
+# targetdir="${JAILSDIR}/${jail}/etc/ssl"
+# # Check if the certificate has changed
+# [[ -z "`diff -rq ${LEDIR}/${domain}/fullchain.pem ${targetdir}/certs/${domain}.pem`" ]] && continue
+# cp -L "${LEDIR}/private/${domain}.pem" "${targetdir}/priv/${domain}.pem"
+# cp -L "${LEDIR}/${domain}/fullchain.pem" "${targetdir}/certs/${domain}.pem"
+# chmod 400 "${targetdir}/priv/${domain}.pem"
+# chmod 644 "${targetdir}/certs/${domain}.pem"
+# # Restart/-load relevant services
+# [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
+# [[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd restart
+#done
+
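Review bot: The loop `for jail in ${targets}` and every `${domain}` reference never see the `TARGETS` and `DOMAIN` values assigned just above, because shell variable names are case-sensitive; as written the sample iterates over nothing and deploys no certificate. The `[[ … ]]` tests are not POSIX and FreeBSD's /bin/sh, which the shebang selects, has no `[[` builtin, so even with the names fixed the comparisons fail and the service restarts never run. The `diff -rq` guard additionally skips a jail whose certificate file does not exist yet, since diff's complaint goes to stderr and the empty stdout satisfies `-z`; `cmp -s` returns non-zero for a missing file and so deploys on first run. For the private key, `cp` followed by `chmod 400` leaves a window in which a newly created key carries the umask-derived mode, whereas `install -m 400` sets the mode at creation. The commented-out second block repeats each of these problems and should be updated in step.
```shell
DOMAIN="example.net"
LEDIR="%%PREFIX%%/etc/ssl/letsencrypt"
JAILSDIR="/usr/jails"
TARGETS="mail http"
for jail in ${TARGETS}; do
	targetdir="${JAILSDIR}/${jail}/etc/ssl"
	# Skip only when the deployed chain is byte-identical; a missing target must still deploy
	cmp -s "${LEDIR}/${DOMAIN}/fullchain.pem" "${targetdir}/certs/${DOMAIN}.pem" && continue
	# install(1) applies the mode at creation, so the key is never briefly umask-readable
	install -m 400 "${LEDIR}/private/${DOMAIN}.pem" "${targetdir}/priv/${DOMAIN}.pem"
	install -m 644 "${LEDIR}/${DOMAIN}/fullchain.pem" "${targetdir}/certs/${DOMAIN}.pem"
	# Restart/-load relevant services (POSIX test; /bin/sh has no [[ ]])
	[ "${jail}" = "http" ] && jexec "${jail}" service apache24 restart
	[ "${jail}" = "mail" ] && jexec "${jail}" service smtpd restart
done
# … unchanged: commented-out example for a second certificate …
```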
diff --git a/security/letskencrypt/files/letskencrypt.sh.sample.in b/security/letskencrypt/files/letskencrypt.sh.sample.in
new file mode 100644
index 000000000000..a60140587f13
--- /dev/null
+++ b/security/letskencrypt/files/letskencrypt.sh.sample.in
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+BASEDIR="%%PREFIX%%/etc/letsencrypt"
+SSLDIR="%%PREFIX%%/etc/ssl/letsencrypt"
+DOMAINSFILE="${BASEDIR}/domains.txt"
+CHALLENGEDIR="/usr/jails/http/usr/local/www/.well-known/acme-challenge"
+
+[ ! -d "${SSLDIR}/priv" ] && mkdir -pm700 "${SSLDIR}/private"
+
+cat "${DOMAINSFILE}" | while read domain line ; do
+ CERTSDIR="${SSLDIR}/${domain}"
+ [ ! -d "${CERTSDIR}" ] && mkdir -pm755 "${CERTSDIR}"
+ letskencrypt -C "${CHALLENGEDIR}" \
+ -k "${SSLDIR}/private/${domain}.pem" \
+ -c "${CERTSDIR}" \
+ ${domain} ${line}
+done
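Review bot: The guard `[ ! -d "${SSLDIR}/priv" ] && mkdir -pm700 "${SSLDIR}/private"` tests a different directory than it creates, so the test is always true and the intent (create `private` once, mode 0700) is only met by accident of `mkdir -p`; it should read `[ ! -d "${SSLDIR}/private" ]`. With `cat "${DOMAINSFILE}" | while read`, the pipeline's status is that of the `while` loop, so under `set -e` a missing or unreadable domains.txt makes the script exit 0 having renewed nothing, which the periodic wrapper then reports as a clean run; reading the loop from a redirection fails loudly instead. A blank or `#` line in domains.txt yields an empty `domain`, which points CERTSDIR at SSLDIR itself and passes an empty argument to letskencrypt; skip such lines before acting on them.
```shell
[ ! -d "${SSLDIR}/private" ] && mkdir -pm700 "${SSLDIR}/private"

# Read the file directly: with `cat | while` a missing domains.txt is masked
# by the pipeline's exit status and the script silently renews nothing.
while read domain line ; do
	# Skip blank lines and comments so they do not become an empty domain argument
	case "${domain}" in ''|'#'*) continue ;; esac
	CERTSDIR="${SSLDIR}/${domain}"
	# … unchanged: mkdir of CERTSDIR and the letskencrypt invocation …
done < "${DOMAINSFILE}"
```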
diff --git a/security/letskencrypt/files/pkg-message.in b/security/letskencrypt/files/pkg-message.in
new file mode 100644
index 000000000000..dd4585715a78
--- /dev/null
+++ b/security/letskencrypt/files/pkg-message.in
@@ -0,0 +1,28 @@
+
+There are example scripts in
+%%PREFIX%%/etc/letsencrypt
+that you can for renewing and deploying multiple certificates
+
+In order to run the script regularly to update
+the certificates add this line to /etc/periodic.conf
+
+weekly_letskencrypt_enable="YES"
+
+Additionally the following parameters can be added to
+/etc/periodic.conf (showing default values):
+
+To specify the domain name(s) to include in the certificate
+weekly_letskencrypt_domains="$(hostname -f)"
+
+To specify the .well-known/acme-challenge directory (full path)
+weekly_letskencrypt_challengedir="/usr/local/www/letsencrypt"
+
+To set additional letskencrypt arguments (see letskencrypt(1))
+weekly_letskencrypt_args=""
+
+To run a specific script for the renewal (ignore previously set variables)
+allows generating/renewing multiple keys/certificates
+weekly_letskencrypt_renewscript=""%%PREFIX%%/etc/letsencrypt/%%PORTNAME%%.sh"
+
+To run a script after the renewal to deploy changed certs
+weekly_letskencrypt_deployscript="%%PREFIX%%/etc/letsencrypt/deploy.sh"
diff --git a/security/letskencrypt/pkg-plist b/security/letskencrypt/pkg-plist
index 77cb450f1a01..89d0ea6b76b0 100644
--- a/security/letskencrypt/pkg-plist
+++ b/security/letskencrypt/pkg-plist
@@ -1,7 +1,10 @@
bin/letskencrypt
man/man1/letskencrypt.1.gz
+etc/periodic/weekly/000.letskencrypt.sh
@dir(,,0700) etc/letsencrypt
@dir(,,0755) etc/ssl
@dir(,,0755) etc/ssl/letsencrypt
@dir(,,0700) etc/ssl/letsencrypt/private
@dir(,www,) %%WWWDIR%%
+@sample etc/letsencrypt/deploy.sh.sample
+@sample etc/letsencrypt/letskencrypt.sh.sample