36 Commits

Author SHA1 Message Date
Aditya Bhargava
a1537c4d22 acme: version bump
* Bump acme-common to 1.5.0
  * New `abort` command added and logging behaviour improved
* Bump acme-acmesh to 3.1.1-r4
  * Fix logging and support killing from procd (`stop` and `abort`) via SIGTERM

Signed-off-by: Aditya Bhargava <rightaditya@gmail.com>
2025-10-08 20:27:32 +02:00
Aditya Bhargava
fbf38647fd acme.sh: add abort service command and improve interactive messages
For runs started interactively, improve messaging and allow a run to be
aborted with `service acme abort`.

Signed-off-by: Aditya Bhargava <rightaditya@gmail.com>
2025-10-08 20:27:32 +02:00
Aditya Bhargava
76b676e4eb acme.sh: move to procd to ensure logging gets to syslog
acme.sh error output never made it to the syslog, so:
* Add procd setup to catch stderr
* Make sure a message goes to syslog if acme.sh dies due to SIGINT

Signed-off-by: Aditya Bhargava <rightaditya@gmail.com>
2025-10-08 20:27:32 +02:00
Vladimir Kochnev
9f4e7726ec acme-common: support listen_port option
listen_port option allows redefining the default 80/443 port
used in standalone/alpn challenges.

It's also useful for other types of challenges which require
accepting a connection on some TCP port so we need to expose
it via nft as well.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
2025-10-02 13:14:11 +02:00
Satadru Pramanik, DO, MPH, MEng
b3098fe68a acme-common: cleanup acme start crontab migration
The '/etc/init.d/acme start' crontab migration
should also delete the existing
'/etc/init.d/acme start' line.

Otherwise, on every sysupgrade that carries
forward existing configurations, a new
'0 0 * * * /etc/init.d/acme renew' line is
added to the crontab.

Furthermore, do not add an 'acme renew' crontab
line if it already exists.

Signed-off-by: Satadru Pramanik, DO, MPH, MEng <satadru@gmail.com>
2025-09-03 23:25:08 +02:00
Florian Eckert
97dc4cf820 acme-common: update PKG_RELEASE
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2025-04-01 22:53:08 +02:00
Florian Eckert
692f3afe4a acme: remove crontab entry if service is stopped
Until now it was not possible to stop the acme service, because the handling
was done via cron. With this change, the acme handler can now be stopped by
calling '/etc/init.d/acme' stop. This call removes the entry from the crontab.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2025-04-01 22:53:08 +02:00
Florian Eckert
e73688d178 acme: remove lock handling
Since procd is now used, the call of '/etc/init.d/acme' does not have to be
locked separately. This code block can therefore be removed.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2025-04-01 22:53:08 +02:00
Florian Eckert
420210b318 acme: fix service_triggers on config change
In the current implementation, the config change trigger is no longer set
at boot time. This is because during boot, only the '$CHALLENGE_DIR' is
created with the boot function. The 'start_service' is first called by first
cron call at midnight. This call is installing the service_triggers reload
handling.

To fix this, add a new extra_command 'renew' that is responsible to renew
the acme. This function is called from cron and the start_service
function does the rest.

* Create directories
* Install service reload trigger from acme config change

Fixes: 76f17ab15b (acme-common: Create challenge directory on boot)

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2025-04-01 22:53:08 +02:00
Bartosz Cieślik
d4cf046433 acme-common: Resolve problem with webroot symlink
Signed-off-by: Bartosz Cieślik <bartoszcieslik2@gmail.com>
2025-02-16 19:47:00 +08:00
Toke Høiland-Jørgensen
76f17ab15b acme-common: Create challenge directory on boot
The challenge directory (for webroot challenges) is on a tmpfs, which
means it doesn't exist on boot. Some web servers (uhttpd in particular)
don't like being configured to serve files from a non-existent
directory. So add a boot() section to the ACME init script that just
creates the challenge directory, and make sure it runs relatively early.
That should take care of the non-existent directory issue, while still
keeping the actual certificate renewal controlled by cron.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2024-12-12 20:49:06 +01:00
Sergey Ponomarev
e2d21302f2 acme-common: export main_domain
To avoid confusion, first create the main_domain var and only then export it.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-06-03 10:09:09 +02:00
Sergey Ponomarev
56e98f78b8 acme-common: migrate deprecated options
Add to uci-defaults script a migration from old deprecated options to new:
  use_staging to staging
  keylength to key_type
  remove standalone
  add missing validation_method

We still support the old options in the acme.init if an old config was copied after installing the newer version of acme-common.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-06-03 10:09:09 +02:00
Sergey Ponomarev
6ffc7a2717 acme-common: create a symlink to webroot
The webroot option was deprecated and users should use the /var/run/acme/challenge by default.
The folder itself should be exposed to web.
The simplest way to do this is to create a symlink from /www.
This is a default web location for most routers and should cover most cases.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-05-31 09:32:21 +02:00
Sergey Ponomarev
0b5ff1e1c5 acme-common: v1.2.0
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-05-27 10:28:24 +02:00
Sergey Ponomarev
dd662f8a12 acme-common: fallback to deprecated use_staging if the staging option is not set
The use_staging option was deprecated in 9d2d8787ca.
But it still has a bigger priority than the staging option.
This happens because config_get_bool returns 0 when the use_staging option wasn't set.
So the next check for the staging var emptiness is always false.

As the simplest fix, use the config_get staging that returns a plain string when the option is not set and if it's empty then fallback to the use_staging.

Once the use_staging option is removed we should get back to the config_get_bool staging.

Also use config_get_bool debug.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-05-26 09:53:22 +02:00
Toke Høiland-Jørgensen
d701cae191 net/acme-common: Fix example config
Make sure we quote all strings, and add missing "option" in second example.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2024-03-20 17:18:45 +01:00
Sergey Ponomarev
04ac8c177d acme-common: simplify config example
Make it more practical, to get an idea more easily.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-03-01 17:01:40 +01:00
Sergey Ponomarev
7d07c75154 acme-common: use validation_method option instead of guessing
The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot

The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in old manner.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2024-03-01 17:01:40 +01:00
Glen Huang
6d61014e51 acme: standardize key_type
keylength, being an acme.sh value type, uses pure numbers for rsa keys.
This can be disorienting for other acme clients. This change introduces
a new option "key_type" that aims to remove this ambiguity, and makes
all key type names follow the same pattern, making acme-common more
client agnostic.

Signed-off-by: Glen Huang <me@glenhuang.com>
2023-05-18 12:48:47 +08:00
Glen Huang
38eeca5df9 acme-common: no exporting webroot
ACME clients shouldn't deal with deprecated values. They should be
processed by acme-common.

Reformatting is done by shfmt.

Signed-off-by: Glen Huang <me@glenhuang.com>
2023-05-17 17:27:38 +08:00
Glen Huang
8589f298a1 acme: remove redundant postinst
opkg runs uci-defaults if a package installs one, in acme-common's case
that's identical to postinst.

prerm shouldn't be run by the image builder, so it's unnecessary to check
IPKG_INSTROOT.

Signed-off-by: Glen Huang <me@glenhuang.com>
2023-04-26 22:42:26 +02:00
Glen Huang
e1f03d7ee4 acme: fix incompatibility with image builder
Signed-off-by: Glen Huang <i@glenhuang.com>
2023-03-03 23:43:01 +01:00
Glen Huang
c6960a2bdc acme: merge cli into init script
Signed-off-by: Glen Huang <i@glenhuang.com>
2023-03-01 15:38:02 +01:00
Toke Høiland-Jørgensen
e3d6422dc5 acme-common: Export canonical paths for storing certificates and challenges
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2022-12-14 15:28:23 +01:00
Glen Huang
b907223d57 acme: deprecate state_dir
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.

With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-12-14 21:15:52 +08:00
Glen Huang
8edcd33fb7 acme: simplify flock usage
Signed-off-by: Glen Huang <i@glenhuang.com>
2022-11-11 19:19:02 +08:00
Glen Huang
230c2d5fc4 acme: update changed packages' versions
Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-24 10:48:34 +08:00
Glen Huang
4e369cf780 acme: add dns_wait option
acme.sh by default uses public DNS resolvers to check if the TXT record was
correctly added when using DNS-01. This can be undesirable in a private
environment where the DNS server is not publicly accessible.

This option allows bypassing such check and simply waiting for a
specific length of time for the TXT record to take effect.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-24 10:48:34 +08:00
Glen Huang
9d2d8787ca acme: fix staging option
Legacy use_staging option was not respected, and the example config
still uses the legacy name.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-24 10:48:34 +08:00
Glen Huang
7f04710579 acme: use procd to restart services
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-24 10:07:06 +08:00
Glen Huang
035cc09e7f acme: prevent concurrent running of acme get
Issuing certificates concurrently should not be supported.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-24 10:06:49 +08:00
Glen Huang
cbc06f45b9 acme: make package create dir /etc/ssl/acme
Since the dir is a standardized one, it should not be created
dynamically

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-22 21:42:10 +08:00
Glen Huang
465f56adc2 acme: not creating state_dir in Makefile
Since state_dir can be customized, it should be created dynamically,
which it already does.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-22 21:38:44 +08:00
Glen Huang
671594bec2 acme: remove help info of unused command
Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-06 18:38:47 +02:00
Glen Huang
e84f651453 acme: use the hotplug system
Signed-off-by: Glen Huang <heyhgl@gmail.com>
2022-08-16 00:32:04 +02:00