From 20d72339130ec5244ac8a3f15f2c8795c0af7ae0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?=
Date: Fri, 4 Nov 2016 12:40:54 +0100
Subject: [PATCH] acme: New version 1.2.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This version will use the standalone (netcat) mode of acme.sh during verification instead of exposing uhttpd to the internet for the duration of the verification. It will also add an ip6tables rule to also support verification over IPv6.

Also contains an updated version of acme.sh.

Signed-off-by: Toke Høiland-Jørgensen
---
 net/acme/Makefile | 6 +++---
 net/acme/files/run.sh | 35 +++++++++++++++++++----------------
 2 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/net/acme/Makefile b/net/acme/Makefile
index ee7df1ca5..dc6ac8e9c 100644
--- a/net/acme/Makefile
+++ b/net/acme/Makefile
@@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=acme
-PKG_SOURCE_VERSION:=1e6b68f5d187fa3d64c889d04a77ee1c79726282
-PKG_VERSION:=1.1
+PKG_SOURCE_VERSION:=3c33cdfa3da68000a40b85304821705f0deea951
+PKG_VERSION:=1.2
 PKG_RELEASE:=1
 PKG_LICENSE:=GPLv3
@@ -25,7 +25,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/acme
 SECTION:=net
 CATEGORY:=Network
-DEPENDS:=+curl +ca-certificates +uhttpd-mod-tls +openssl-util
+DEPENDS:=+curl +ca-certificates +openssl-util +netcat
 TITLE:=ACME (Letsencrypt) client
 PKGARCH:=all
 MAINTAINER:=Toke Høiland-Jørgensen
diff --git a/net/acme/files/run.sh b/net/acme/files/run.sh
index de303d5f0..7deb22d4b 100644
--- a/net/acme/files/run.sh
+++ b/net/acme/files/run.sh
@@ -12,7 +12,6 @@ CHECK_CRON=$1
 ACME=/usr/lib/acme/acme.sh
 export SSL_CERT_DIR=/etc/ssl/certs
-UHTTPD_REDIRECT_HTTPS=
 UHTTPD_LISTEN_HTTP=
 STATE_DIR='/etc/acme'
 ACCOUNT_EMAIL=
@@ -32,15 +31,17 @@ pre_checks()
 echo "Running pre checks."
 check_cron
- UHTTPD_REDIRECT_HTTPS=$(uci get uhttpd.main.redirect_https)
- UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
+ if [ -e /etc/init.d/uhttpd ]; then
- uci set uhttpd.main.redirect_https=1
- uci set uhttpd.main.listen_http='0.0.0.0:80'
- uci commit uhttpd
- /etc/init.d/uhttpd reload || return 1
+ UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
+
+ uci set uhttpd.main.listen_http=''
+ uci commit uhttpd
+ /etc/init.d/uhttpd reload || return 1
+ fi
 iptables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
+ ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
 return 0
 }
@@ -48,11 +49,13 @@ post_checks()
 {
 echo "Running post checks (cleanup)."
 iptables -D input_rule -p tcp --dport 80 -j ACCEPT
+ ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT
- uci set uhttpd.main.redirect_https="$UHTTPD_REDIRECT_HTTPS"
- uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
- uci commit uhttpd
- /etc/init.d/uhttpd reload
+ if [ -e /etc/init.d/uhttpd ]; then
+ uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
+ uci commit uhttpd
+ /etc/init.d/uhttpd reload
+ fi
 }
 err_out()
@@ -64,8 +67,8 @@ err_out()
 int_out()
 {
 post_checks
- trap - SIGINT
- kill -SIGINT $$
+ trap - INT
+ kill -INT $$
 }
 issue_cert()
@@ -99,7 +102,7 @@ issue_cert()
 acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
- acme_args="$acme_args --webroot $(uci get uhttpd.main.home)"
+ acme_args="$acme_args --standalone"
 acme_args="$acme_args --keylength $keylength"
 [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
 [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
@@ -135,8 +138,8 @@ config_load acme
 config_foreach load_vars acme
 pre_checks || exit 1
-trap err_out SIGHUP SIGTERM
-trap int_out SIGINT
+trap err_out HUP TERM
+trap int_out INT
 config_foreach issue_cert cert
 post_checks
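Review bot: The new `ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1` returns after the IPv4 ACCEPT rule is already inserted and after `uci commit uhttpd` has persisted `listen_http=''`, and the caller in the last hunk runs `pre_checks || exit 1` without post_checks, so on an image without the optional ip6tables package (the Makefile's DEPENDS in this commit names neither iptables nor ip6tables) every run exits leaving 80/tcp open on IPv4 and uhttpd's HTTP listener disabled until the config is repaired by hand. The same partial-state exit existed before for a failed `/etc/init.d/uhttpd reload`, but the new rule makes it far easier to hit, and the HUP/TERM traps are only installed after pre_checks returns, so a signal during the reload skips cleanup as well. The cheapest fix is at the call site, `pre_checks || { post_checks; exit 1; }` (an `iptables -D` for a rule that was never inserted is harmless), and if IPv6 validation is meant to be optional, `command -v ip6tables >/dev/null && { ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1; }` keeps IPv4-only hosts working.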
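Review bot: The restore line `uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"` writes the saved value back as a single option, but `uci get` on a list option prints its entries space-joined, so wherever listen_http is configured as a list (the stock uhttpd config uses `list listen_http` entries for the IPv4 and IPv6 sockets) cleanup leaves one option holding both addresses instead of the original list, and uhttpd is not back in its pre-run state. The old code restored the same way; this hunk only re-indents the line, so the defect is carried into the new block. Rebuilding the list restores it faithfully: `uci delete uhttpd.main.listen_http` followed by `for a in $UHTTPD_LISTEN_HTTP; do uci add_list uhttpd.main.listen_http="$a"; done`. post_checks may run more than once (it is the INT handler as well as the final call in the last hunk), and that form stays idempotent across a second call.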
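Review bot: With `--standalone`, acme.sh has to bind port 80 itself, and pre_checks only frees the port from uhttpd; any other listener on :80 (another web server, or a uhttpd instance not named `main`) keeps it, so every certificate fails after the firewall has already been opened, whereas webroot mode never needed the port. A guard catches this before the exposure window, e.g. `netstat -ltn 2>/dev/null | grep -q ':80 ' && { echo "Port 80 is still in use; cannot run acme.sh standalone" >&2; return 1; }` placed after the uhttpd reload in pre_checks, where a non-zero return already aborts the run. The `$ACME` invocation that consumes `acme_args` is outside this hunk.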