From e3d6422dc551fae6a502a10a554296765e2c59f6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
Date: Wed, 14 Dec 2022 15:11:58 +0100
Subject: [PATCH] acme-common: Export canonical paths for storing certificates
 and challenges
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
---
 net/acme-common/files/acme.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh
index 5a2f7d7394..defd660059 100644
--- a/net/acme-common/files/acme.sh
+++ b/net/acme-common/files/acme.sh
@@ -9,7 +9,8 @@
 # Authors: Toke Høiland-Jørgensen <toke@toke.dk>
 
 run_dir=/var/run/acme
-export challenge_dir=$run_dir/challenge
+export CHALLENGE_DIR=$run_dir/challenge
+export CERT_DIR=/etc/ssl/acme
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
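Review bot: Dropping the exported `challenge_dir` at the top of acme.sh means any hook or consumer script that still reads the lower-case name now gets an empty value, and nothing in this patch updates such scripts. If hooks outside this file use it (not visible here), either convert them in the same commit or keep a temporary alias such as `export challenge_dir=$CHALLENGE_DIR  # deprecated alias for older hooks`. Both new variables are assigned unconditionally, so a value inherited from the caller's environment cannot redirect where challenges or certificates are placed. A short comment above the two exports, e.g. `# Fixed paths exported to hooks and consumers; not user-configurable.`, would record that intent.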
@@ -63,7 +64,7 @@ load_options() {
 	config_get webroot "$section" webroot
 	export webroot
 	if [ "$webroot" ]; then
-		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $challenge_dir."
+		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
 	fi
 }
 
@@ -79,7 +80,7 @@ get_cert() {
 
 	load_options "$section"
 	if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
-		mkdir -p "$challenge_dir"
+		mkdir -p "$CHALLENGE_DIR"
 	fi
 
 	if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
@@ -109,7 +110,7 @@ load_globals() {
 
 	config_get state_dir "$section" state_dir
 	if [ "$state_dir" ]; then
-		log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in /etc/ssl/acme."
+		log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
 		mkdir -p "$state_dir"
 	else
 		state_dir=/etc/acme
-- 
2.30.2