From 9ba7b1799c2326d97157059f0888f33fc16f5721 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?=
Date: Thu, 26 Mar 2020 16:37:09 +0100
Subject: [PATCH] acme: Backport two bug fixes from master
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This backports the following bug-fix commits from the master branch:

c6b4d7f367de ("acme: Include empty 'dns' config option by default")
983cc995a3b2 ("acme: Correctly handle domain state dir for ECC certificates")

Fixes #11675.

Signed-off-by: Toke Høiland-Jørgensen
---
 net/acme/Makefile | 2 +-
 net/acme/files/acme.config | 1 +
 net/acme/files/run.sh | 34 ++++++++++++++++++++++------------
 3 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/net/acme/Makefile b/net/acme/Makefile
index d20bad1f2..8ce6e3dd4 100644
--- a/net/acme/Makefile
+++ b/net/acme/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme
 PKG_VERSION:=2.8.5
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/Neilpang/acme.sh/tar.gz/$(PKG_VERSION)?
diff --git a/net/acme/files/acme.config b/net/acme/files/acme.config
index 95565c832..313481f3b 100644
--- a/net/acme/files/acme.config
+++ b/net/acme/files/acme.config
@@ -10,4 +10,5 @@ config cert 'example'
  option update_uhttpd 1
  option update_nginx 1
  option webroot ""
+ option dns ""
  list domains example.org
diff --git a/net/acme/files/run.sh b/net/acme/files/run.sh
index 3d25321d7..1405c70e7 100644
--- a/net/acme/files/run.sh
+++ b/net/acme/files/run.sh
@@ -165,9 +165,12 @@ int_out()
 
 is_staging()
 {
- local main_domain="$1"
+ local main_domain
+ local domain_dir
+ main_domain="$1"
+ domain_dir="$2"
 
- grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
+ grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"
  return $?
 }
 
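Review bot: is_staging now takes the domain state directory as its second positional parameter, but nothing in the hunk documents that, and an empty or missing `$2` silently turns the grep path into `/<main_domain>.conf` at the filesystem root, which reports "not staging" instead of failing. Add a guard before the grep, `[ -n "$domain_dir" ] || return 1`, and a header comment such as `# is_staging <main_domain> <domain_dir>: succeeds if the stored acme.sh config for the domain contains "acme-staging"`. The only caller visible in this patch passes both arguments.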
@@ -187,6 +190,7 @@ issue_cert()
  local webroot
  local dns
  local ret
+ local domain_dir
 
  config_get_bool enabled "$section" enabled 0
  config_get_bool use_staging "$section" use_staging
@@ -209,6 +213,12 @@ issue_cert()
 
  [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1
 
+ if echo $keylength | grep -q "^ec-"; then
+ domain_dir="$STATE_DIR/${main_domain}_ecc"
+ else
+ domain_dir="$STATE_DIR/${main_domain}"
+ fi
+
  log "Running ACME for $main_domain"
 
  handle_credentials() {
@@ -217,10 +227,10 @@ issue_cert()
  }
  config_list_foreach "$section" credentials handle_credentials
 
- if [ -e "$STATE_DIR/$main_domain" ]; then
- if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
+ if [ -e "$domain_dir" ]; then
+ if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then
  log "Found previous cert issued using staging server. Moving it out of the way."
- mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
+ mv "$domain_dir" "${domain_dir}.staging"
  moved_staging=1
  else
  log "Found previous cert config. Issuing renew."
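Review bot: `if echo $keylength | grep -q "^ec-"; then` leaves `$keylength` unquoted, so a value containing whitespace or glob characters is word-split and globbed before echo sees it, and it forks two processes for a prefix test the shell can do itself. Quote it at minimum, `if echo "$keylength" | grep -q "^ec-"; then`, or use `case "$keylength" in ec-*) … esac`, which is POSIX and avoids the pipeline. The `_ecc` suffix presumably mirrors acme.sh's own state-directory naming, which this script now has to keep in sync with; a comment such as `# acme.sh stores ECC certs in <domain>_ecc — must match its naming` would make that dependency visible. Where `$keylength` is read from config is outside this hunk, and issue_cert's body begins before and continues after it.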
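Review bot: `mv "$domain_dir" "${domain_dir}.staging"` does not check whether `${domain_dir}.staging` already exists; if a leftover from an earlier run is there (nothing in this patch removes it after a successful issue), mv nests the current directory inside it, and the later restore `mv "${domain_dir}.staging" "${domain_dir}"` on the failure path then puts a nested tree back in the wrong shape. This predates the commit, but the change now routes the ECC directory through the same path. An explicit check before the mv, `if [ -e "${domain_dir}.staging" ]; then err "stale ${domain_dir}.staging exists, refusing to overwrite"; return 1; fi`, or moving aside to a timestamped name as the failure path already does, would make the state handling deterministic. issue_cert continues outside this hunk.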
@@ -253,26 +263,26 @@ issue_cert()
  fi
 
  if ! run_acme --home "$STATE_DIR" --issue $acme_args; then
- failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
+ failed_dir="${domain_dir}.failed-$(date +%s)"
  err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
- [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
+ [ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"
  if [ "$moved_staging" -eq "1" ]; then
  err "Restoring staging certificate"
- mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"
+ mv "${domain_dir}.staging" "${domain_dir}"
  fi
  post_checks
  return 1
  fi
 
  if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
- uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"
- uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"
+ uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"
+ uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"
  # commit and reload is in post_checks
  fi
 
  if [ -e /etc/init.d/nginx ] && [ "$update_nginx" -eq "1" ]; then
- sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/fullchain.cer;#g" /etc/nginx/nginx.conf
- sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/${main_domain}/${main_domain}.key;#g" /etc/nginx/nginx.conf
+ sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf
+ sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf
  # commit and reload is in post_checks
  fi
 
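Review bot: The two `sed -i` lines interpolate `${domain_dir}` (built from `$STATE_DIR` and `$main_domain`) straight into the `s#…#…#g` expression, so a `#`, `&` or backslash in either value would be interpreted by sed and rewrite /etc/nginx/nginx.conf incorrectly rather than end up in the path; `&` in particular re-inserts the matched text. Both values come from the package's own config rather than from the network, so the practical exposure is low, but the assumption is undocumented; a comment above the sed calls, `# STATE_DIR/main_domain are spliced into a sed expression and must not contain '#', '&' or '\'`, or a guard `case "$domain_dir" in *[#\&\\]*) err "unsafe characters in $domain_dir"; return 1 ;; esac` would record it. Note also that the substitutions carry no address, so every `ssl_certificate` / `ssl_certificate_key` directive in the file is rewritten, including any belonging to other server blocks; that is pre-existing but worth stating in the same comment now that the ECC directory goes through this path. issue_cert starts before this hunk.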