acme-acmesh: Provide a 'combined' certificate bundle as well
authorToke Høiland-Jørgensen <toke@toke.dk>
Wed, 14 Dec 2022 14:21:59 +0000 (15:21 +0100)
committerToke Høiland-Jørgensen <toke@toke.dk>
Wed, 14 Dec 2022 15:43:45 +0000 (16:43 +0100)
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.

Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
net/acme-acmesh/Makefile
net/acme-acmesh/files/hook.sh
net/haproxy/Makefile
net/haproxy/files/acme.hotplug [deleted file]

index 0a198cc528b9829edd9995fd5a2e3b3b6b6c314d..a5ffe76a5576aea2fe6041fb3468bb600ad2ef71 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme-acmesh
 PKG_VERSION:=3.0.1
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
index 4eb3f04faddb3ded34712c736f60aba2134a7678..03343dacbffbc956c7342471b6247c0aeffb81e8 100644 (file)
@@ -20,6 +20,7 @@ link_certs()
     domain_dir="$1"
     main_domain="$2"
 
+    (umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer")
 
     if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then
                ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt"
@@ -30,6 +31,9 @@ link_certs()
     if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then
                ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt"
     fi
+    if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then
+               ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt"
+    fi
     if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then
                ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt"
     fi
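Review bot: The new guard `if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]` is skipped whenever that path already exists as a regular file, which is exactly what systems that ran the now-deleted haproxy hotplug will have (it wrote `/etc/ssl/acme/$main_domain.combined.crt` directly, presumably the same CERT_DIR, under the default umask), so the stale and possibly world-readable bundle would never be replaced by the link. Clearing a non-link first, `[ -L "$CERT_DIR/$main_domain.combined.crt" ] || rm -f "$CERT_DIR/$main_domain.combined.crt"`, ahead of the guard covers that upgrade path. Separately, the added `cat ... > "$domain_dir/combined.cer"` truncates the bundle in place, so a consumer reading mid-renewal can see a partial file, a failed cat (e.g. missing key) leaves a truncated bundle that the link still points at, and `umask 077` only governs creation, so a pre-existing combined.cer keeps whatever mode it already had; writing to a temp name and renaming avoids all three: `(umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer.tmp") && mv -f "$domain_dir/combined.cer.tmp" "$domain_dir/combined.cer"`. link_certs continues outside the hunk.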
index 179658361bb1b5f80ecaa82712ee8bfdc7dd911f..1c0d8fde142d30e4a4a7deb39db1ac27b7704511 100644 (file)
@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
 PKG_VERSION:=2.6.6
-PKG_RELEASE:=103
+PKG_RELEASE:=104
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
@@ -122,8 +122,6 @@ define Package/haproxy/install
        $(INSTALL_CONF) ./files/haproxy.cfg $(1)/etc/
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/haproxy.init $(1)/etc/init.d/haproxy
-       $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
-       $(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-haproxy
 endef
 
 Package/haproxy-nossl/install = $(Package/haproxy/install)
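Review bot: Dropping the two hotplug install lines from Package/haproxy/install means haproxy now relies on acme-acmesh's hook to produce `$main_domain.combined.crt`, which only the acme-acmesh release bumped in this same commit does; nothing in this hunk enforces that pairing, so a haproxy upgrade against an older acme-acmesh would leave the bundle missing or stale. If DEPENDS (outside the hunk) does not already pin a new-enough acme-acmesh, at least a comment in the define, `# combined cert bundle is generated by acme-acmesh link_certs (release 10+), not here`, would record the coupling for the next maintainer. The define starts outside the hunk.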
diff --git a/net/haproxy/files/acme.hotplug b/net/haproxy/files/acme.hotplug
deleted file mode 100644 (file)
index 9896bbd..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-case $ACTION in
-issued|renewed)
-       cat \
-               "/etc/ssl/acme/$main_domain.fullchain.crt" \
-               "/etc/ssl/acme/$main_domain.key" \
-               >"/etc/ssl/acme/$main_domain.combined.crt"
-       ;;
-esac