From: Toke Høiland-Jørgensen
Date: Wed, 14 Dec 2022 14:21:59 +0000 (+0100)
Subject: acme-acmesh: Provide a 'combined' certificate bundle as well
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=17691a5a52833511ef3fcd31ae835c3c4a230542;p=feed%2Fpackages.git

acme-acmesh: Provide a 'combined' certificate bundle as well

The haproxy hotplug script creates a 'combined' certificate bundle that contains both the certificate chain and the private key. However, having a daemon hotplug script write into CERT_DIR is not great; so let's provide the bundle as part of the main acme framework, keeping it in $domain_dir and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a collection of links for everything, that no consumers should need to write into.

Also make sure to set the umask correctly so the combined file is not world-readable (since it contains the private key).

Signed-off-by: Toke Høiland-Jørgensen
---
diff --git a/net/acme-acmesh/Makefile b/net/acme-acmesh/Makefile
index 0a198cc528..a5ffe76a55 100644
--- a/net/acme-acmesh/Makefile
+++ b/net/acme-acmesh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=acme-acmesh
 PKG_VERSION:=3.0.1
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
diff --git a/net/acme-acmesh/files/hook.sh b/net/acme-acmesh/files/hook.sh
index 4eb3f04fad..03343dacbf 100644
--- a/net/acme-acmesh/files/hook.sh
+++ b/net/acme-acmesh/files/hook.sh
@@ -20,6 +20,7 @@ link_certs()
 	domain_dir="$1"
 	main_domain="$2"
+	(umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer")
 	if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then
 		ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt"
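Review bot: The added `(umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer")` line in link_certs truncates the bundle before cat writes it and never checks cat's exit status, so a consumer that reads the file during a renewal can see an empty or partial bundle, and a missing key or fullchain.cer leaves a silently truncated combined.cer behind. The umask also only applies when the file is created: a combined.cer that already exists keeps whatever mode it had, so the 077 does not tighten a file left over with wider permissions. Writing to a temporary name and renaming into place fixes both, since the freshly created 0600 file replaces the old one every time: `(umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer.tmp") && mv -f "$domain_dir/combined.cer.tmp" "$domain_dir/combined.cer"`. A stale .tmp from an interrupted run would have the same creation-mode caveat, so an `rm -f` of it beforehand is cheap insurance. link_certs continues past the end of this hunk.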
@@ -30,6 +31,9 @@ link_certs()
 	if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then
 		ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt"
 	fi
+	if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then
+		ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt"
+	fi
 	if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then
 		ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt"
 	fi
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 179658361b..1c0d8fde14 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
 PKG_VERSION:=2.6.6
-PKG_RELEASE:=103
+PKG_RELEASE:=104
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
@@ -122,8 +122,6 @@ define Package/haproxy/install
 	$(INSTALL_CONF) ./files/haproxy.cfg $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/haproxy.init $(1)/etc/init.d/haproxy
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
-	$(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-haproxy
 endef
 Package/haproxy-nossl/install = $(Package/haproxy/install)
diff --git a/net/haproxy/files/acme.hotplug b/net/haproxy/files/acme.hotplug
deleted file mode 100644
index 9896bbdee5..0000000000
--- a/net/haproxy/files/acme.hotplug
+++ /dev/null
@@ -1,8 +0,0 @@
-case $ACTION in
-issued|renewed)
-	cat \
-		"/etc/ssl/acme/$main_domain.fullchain.crt" \
-		"/etc/ssl/acme/$main_domain.key" \
-		>"/etc/ssl/acme/$main_domain.combined.crt"
-	;;
-esac
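Review bot: The new `if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]` guard skips the link whenever anything already exists at that path, and on a system upgraded from the previous haproxy package that path holds a regular file rather than a symlink, assuming CERT_DIR is /etc/ssl/acme as the paths in the removed acme.hotplug suggest. That file was written by the old hotplug script under its own umask, so it is likely world-readable despite containing the private key, and since nothing rewrites it any more it also goes stale at the next renewal while haproxy keeps loading it. Replace a pre-existing regular file before linking, e.g. `if [ -e "$CERT_DIR/$main_domain.combined.crt" ] && [ ! -L "$CERT_DIR/$main_domain.combined.crt" ]; then rm -f "$CERT_DIR/$main_domain.combined.crt"; fi` ahead of the new `if [ ! -e ... ]` block. link_certs starts before this hunk and may continue after it.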