From e3d6422dc551fae6a502a10a554296765e2c59f6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk> Date: Wed, 14 Dec 2022 15:11:58 +0100 Subject: [PATCH] acme-common: Export canonical paths for storing certificates and challenges MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The contract between the acme-common framework and consumers and hook scripts is that certificates can be consumed from /etc/ssl/acme and that web challenges are stored in /var/run/acme/challenge. Make this explicit by exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well, instead of having knowledge of those paths depend on out-of-band information. We already exported $challenge_dir, but let's change it to upper-case to make it clear that it's not a user configuration variable. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> --- net/acme-common/files/acme.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh index 5a2f7d7394..defd660059 100644 --- a/net/acme-common/files/acme.sh +++ b/net/acme-common/files/acme.sh @@ -9,7 +9,8 @@ # Authors: Toke Høiland-Jørgensen <toke@toke.dk> run_dir=/var/run/acme -export challenge_dir=$run_dir/challenge +export CHALLENGE_DIR=$run_dir/challenge +export CERT_DIR=/etc/ssl/acme NFT_HANDLE= HOOK=/usr/lib/acme/hook LOG_TAG=acme @@ -63,7 +64,7 @@ load_options() { config_get webroot "$section" webroot export webroot if [ "$webroot" ]; then - log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $challenge_dir." + log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR." fi } @@ -79,7 +80,7 @@ get_cert() { load_options "$section" if [ -z "$dns" ] && [ "$standalone" = 0 ]; then - mkdir -p "$challenge_dir" + mkdir -p "$CHALLENGE_DIR" fi if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then @@ -109,7 +110,7 @@ load_globals() { config_get state_dir "$section" state_dir if [ "$state_dir" ]; then - log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in /etc/ssl/acme." + log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR." mkdir -p "$state_dir" else state_dir=/etc/acme -- 2.30.2