acme: use the hotplug system

Signed-off-by: Glen Huang <heyhgl@gmail.com>
2025-12-21 19:14:30 +04:00 · 2022-01-29 20:54:35 +08:00
parent b02fea131b
commit e84f651453
15 changed files with 450 additions and 487 deletions
--- a/net/acme-acmesh/Makefile
+++ b/net/acme-acmesh/Makefile
@@ -0,0 +1,69 @@
+#
+# Copyright (C) 2016 Toke Høiland-Jørgensen
+#
+# This is free software, licensed under the GNU General Public License v3 or
+# later.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=acme-acmesh
+PKG_VERSION:=3.0.1
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
+PKG_HASH:=6212cc0c2bca99a7dd6cbb4236b4c7dd5d1113dab0841e66dae4d307d902a8e6
+PKG_BUILD_DIR:=$(BUILD_DIR)/acme.sh-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
+PKG_LICENSE:=GPL-3.0-only
+PKG_LICENSE_FILES:=LICENSE.md
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/acme-acmesh
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+acme-common +wget-ssl +ca-bundle +openssl-util +socat
+  TITLE:=ACME client acme.sh wrapper script
+  URL:=https://acme.sh
+  PKGARCH:=all
+  PROVIDES:=acme-client
+endef
+
+define Package/acme-acmesh/description
+A client for issuing ACME (e.g, Letsencrypt) certificates.
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/acme-acmesh/install
+	$(INSTALL_DIR) $(1)/usr/lib/acme/client
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/acme.sh $(1)/usr/lib/acme/client
+	$(INSTALL_BIN) ./files/hook.sh $(1)/usr/lib/acme/hook
+endef
+
+define Package/acme-acmesh-dnsapi
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+acme
+  TITLE:=DNS API integration for ACME (Letsencrypt) client
+  PKGARCH:=all
+endef
+
+define Package/acme-acmesh-dnsapi/description
+ This package provides DNS API integration for ACME (Letsencrypt) client.
+endef
+
+define Package/acme-acmesh-dnsapi/install
+	$(INSTALL_DIR) $(1)/usr/lib/acme/client/dnsapi
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/dnsapi/*.sh $(1)/usr/lib/acme/client/dnsapi
+endef
+
+$(eval $(call BuildPackage,acme-acmesh))
+$(eval $(call BuildPackage,acme-acmesh-dnsapi))
--- a/net/acme-acmesh/files/hook.sh
+++ b/net/acme-acmesh/files/hook.sh
@@ -0,0 +1,125 @@
+#!/bin/sh
+set -u
+ACME=/usr/lib/acme/acme.sh
+LOG_TAG=acme-acmesh
+# webroot option deprecated, use the hardcoded value directly in the next major version
+WEBROOT=${webroot:-/var/run/acme/challenge}
+
+# shellcheck source=net/acme/files/functions.sh
+. /usr/lib/acme/functions.sh
+
+# Needed by acme.sh
+export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+export NO_TIMESTAMP=1
+
+cmd="$1"
+
+case $cmd in
+get)
+	set --
+	[ "$debug" = 1 ] && set -- "$@" --debug
+
+	case $keylength in
+	ec-*)
+		domain_dir="$state_dir/${main_domain}_ecc"
+		set -- "$@" --ecc
+		;;
+	*)
+		domain_dir="$state_dir/$main_domain"
+		;;
+	esac
+
+	log info "Running ACME for $main_domain"
+
+	if [ -e "$domain_dir" ]; then
+		if [ "$staging" = 0 ] && grep -q "acme-staging" "$domain_dir/$main_domain.conf"; then
+			mv "$domain_dir" "$domain_dir.staging"
+			log info "Certificates are previously issued from a staging server, but staging option is diabled, moved to $domain_dir.staging."
+			staging_moved=1
+		else
+			set -- "$@" --renew --home "$state_dir" -d "$main_domain"
+			log info "$*"
+			trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
+			"$ACME" "$@"
+			status=$?
+			trap - INT
+
+			case $status in
+			0) ;; # renewed ok, handled by acme.sh hook, ignore.
+			2) ;; # renew skipped, ignore.
+			*)
+				ACTION=renew-failed hotplug-call acme
+				;;
+			esac
+			return 0
+		fi
+	fi
+
+	for d in $domains; do
+		set -- "$@" -d "$d"
+	done
+	set -- "$@" --keylength "$keylength" --accountemail "$account_email"
+
+	if [ "$acme_server" ]; then
+		set -- "$@" --server "$acme_server"
+	# default to letsencrypt because the upstream default may change
+	elif [ "$staging" = 1 ]; then
+		set -- "$@" --server letsencrypt_test
+	else
+		set -- "$@" --server letsencrypt
+	fi
+
+	if [ "$days" ]; then
+		set -- "$@" --days "$days"
+	fi
+
+	if [ "$dns" ]; then
+		set -- "$@" --dns "$dns"
+		if [ "$dalias" ]; then
+			set -- "$@" --domain-alias "$dalias"
+			if [ "$calias" ]; then
+				log err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
+			fi
+		elif [ "$calias" ]; then
+			set -- "$@" --challenge-alias "$calias"
+		fi
+	elif [ "$standalone" = 1 ]; then
+		set -- "$@" --standalone --listen-v6
+	else
+		mkdir -p "$WEBROOT"
+		set -- "$@" --webroot "$WEBROOT"
+	fi
+
+	set -- "$@" --issue --home "$state_dir"
+
+	log info "$*"
+	trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+	"$ACME" "$@" \
+		--pre-hook 'ACTION=prepare hotplug-call acme' \
+		--renew-hook 'ACTION=renewed hotplug-call acme'
+	status=$?
+	trap - INT
+
+	case $status in
+	0)
+		ln -s "$domain_dir/$main_domain.cer" /etc/ssl/acme
+		ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
+		ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
+		ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
+		ACTION=issued hotplug-call acme
+		;;
+	*)
+		if [ "$staging_moved" = 1 ]; then
+			mv "$domain_dir.staging" "$domain_dir"
+			log err "Staging certificate restored"
+		elif [ -d "$domain_dir" ]; then
+			failed_dir="$domain_dir.failed-$(date +%s)"
+			mv "$domain_dir" "$failed_dir"
+			log err "State moved to $failed_dir"
+		fi
+		ACTION=issue-failed hotplug-call acme
+		return 0
+		;;
+	esac
+	;;
+esac