Merge pull request #19669 from hgl/acme

acme: refactor

net/acme-acmesh/files/hook.sh

@@ -4,6 +4,7 @@ ACME=/usr/lib/acme/client/acme.sh
 LOG_TAG=acme-acmesh
 # webroot option deprecated, use the hardcoded value directly in the next major version
 WEBROOT=${webroot:-/var/run/acme/challenge}
+NOTIFY=/usr/lib/acme/notify
 
 # shellcheck source=net/acme/files/functions.sh
 . /usr/lib/acme/functions.sh
@@ -12,9 +13,7 @@ WEBROOT=${webroot:-/var/run/acme/challenge}
 export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 export NO_TIMESTAMP=1
 
-cmd="$1"
+case $1 in
-
-case $cmd in
 get)
 	set --
 	[ "$debug" = 1 ] && set -- "$@" --debug
@@ -38,20 +37,25 @@ get)
 			staging_moved=1
 		else
 			set -- "$@" --renew --home "$state_dir" -d "$main_domain"
-			log info "$*"
+			log info "$ACME $*"
-			trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
+			trap '$NOTIFY renew-failed;exit 1' INT
-			"$ACME" "$@"
+			$ACME "$@"
 			status=$?
 			trap - INT
 
 			case $status in
-			0) ;; # renewed ok, handled by acme.sh hook, ignore.
+			0)
-			2) ;; # renew skipped, ignore.
+				$NOTIFY renewed
+				exit;;
+			2)
+				# renew skipped, ignore.
+				exit
+				;;
 			*)
-				ACTION=renew-failed hotplug-call acme
+				$NOTIFY renew-failed
+				exit 1
 				;;
 			esac
-			return 0
 		fi
 	fi
 
@@ -83,6 +87,9 @@ get)
 		elif [ "$calias" ]; then
 			set -- "$@" --challenge-alias "$calias"
 		fi
+		if [ "$dns_wait" ]; then
+			set -- "$@" --dnssleep "$dns_wait"
+		fi
 	elif [ "$standalone" = 1 ]; then
 		set -- "$@" --standalone --listen-v6
 	else
@@ -92,11 +99,11 @@ get)
 
 	set -- "$@" --issue --home "$state_dir"
 
-	log info "$*"
+	log info "$ACME $*"
-	trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+	trap '$NOTIFY issue-failed;exit 1' INT
 	"$ACME" "$@" \
-		--pre-hook 'ACTION=prepare hotplug-call acme' \
+		--pre-hook "$NOTIFY prepare" \
-		--renew-hook 'ACTION=renewed hotplug-call acme'
+		--renew-hook "$NOTIFY renewed"
 	status=$?
 	trap - INT
 
@@ -106,7 +113,7 @@ get)
 		ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
 		ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
 		ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
-		ACTION=issued hotplug-call acme
+		$NOTIFY issued
 		;;
 	*)
 		if [ "$staging_moved" = 1 ]; then
@@ -117,8 +124,7 @@ get)
 			mv "$domain_dir" "$failed_dir"
 			log err "State moved to $failed_dir"
 		fi
-		ACTION=issue-failed hotplug-call acme
+		$NOTIFY issue-failed
-		return 0
 		;;
 	esac
 	;;

net/acme-common/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme-common
-PKG_VERSION:=1.0.0
+PKG_VERSION:=1.0.1
 
 PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
 PKG_LICENSE:=GPL-3.0-only
@@ -34,17 +34,19 @@ define Package/acme-common/conffiles
 endef
 
 define Package/acme-common/install
-	$(INSTALL_DIR) $(1)/etc/acme
+	$(INSTALL_DIR) $(1)/etc/ssl/acme
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
 	$(INSTALL_DIR) $(1)/usr/lib/acme
 	$(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+	$(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
 endef
 
 define Package/acme/postinst

net/acme-common/files/acme-notify.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -u
+
+event="$1"
+
+# Call hotplug first, giving scripts a chance to modify certificates before
+# reloadaing the services
+ACTION=$event hotplug-call acme
+
+case $event in
+renewed)
+    ubus call service event '{"type":"acme.renew","data":{}}'
+    ;;
+issued)
+    ubus call service event '{"type":"acme.issue","data":{}}'
+    ;;
+esac

net/acme-common/files/acme.config

@@ -5,7 +5,7 @@ config acme
 
 config cert 'example_wildcard'
 	option enabled 0
-	option use_staging 1
+	option staging 1
 	list domains example.org
 	list domains sub.example.org
 	list domains *.sub.example.org
@@ -17,6 +17,6 @@ config cert 'example_wildcard'
 
 config cert 'example'
 	option enabled 0
-	option use_staging 1
+	option staging 1
 	list domains example.org
 	list domains sub.example.org

net/acme-common/files/acme.sh

@@ -8,10 +8,10 @@
 #
 # Authors: Toke Høiland-Jørgensen <toke@toke.dk>
 
-export state_dir='/etc/acme'
+export state_dir=/etc/acme
 export account_email=
 export debug=0
-export challenge_dir='/var/run/acme/challenge'
+export run_dir=/var/run/acme
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -23,6 +23,9 @@ LOG_TAG=acme
 
 cleanup() {
 	log debug "cleaning up"
+	if [ -e $run_dir/lock ]; then
+		rm $run_dir/lock
+	fi
 	if [ "$NFT_HANDLE" ]; then
 		# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
 		nft delete rule inet fw4 input $NFT_HANDLE
@@ -33,7 +36,7 @@ load_options() {
 	section=$1
 
 	# compatibility for old option name
-	config_get_bool use_staging "$section" staging
+	config_get_bool staging "$section" use_staging
 	if [ -z "$staging" ]; then
 		config_get_bool staging "$section" staging 0
 	fi
@@ -56,11 +59,13 @@ load_options() {
 	export days
 	config_get standalone "$section" standalone 0
 	export standalone
+	config_get dns_wait "$section" dns_wait
+	export dns_wait
 
 	config_get webroot "$section" webroot
 	export webroot
 	if [ "$webroot" ]; then
-		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from /var/run/acme/challenge."
+		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge."
 	fi
 }
 
@@ -112,6 +117,15 @@ load_globals() {
 	return 1
 }
 
+cmd_get() {
+	trap cleanup EXIT
+
+	config_load acme
+	config_foreach load_globals acme
+
+	config_foreach get_cert cert
+}
+
 usage() {
 	cat <<EOF
 Usage: acme <command> [arguments]
@@ -128,12 +142,14 @@ fi
 
 case $1 in
 get)
-	config_load acme
+	mkdir -p $run_dir
-	config_foreach load_globals acme
+	{
-
+		if ! flock -n 200; then
-	mkdir -p /etc/ssl/acme
+			log err "Another ACME instance is already running."
-	trap cleanup EXIT
+			exit 1
-	config_foreach get_cert cert
+		fi
+		cmd_get "$@"
+	} 200>$run_dir/lock
 	;;
 *)
 	usage

net/haproxy/files/acme.hotplug

@@ -6,7 +6,3 @@ issued|renewed)
 		>"/etc/ssl/acme/$main_domain.combined.cer"
 	;;
 esac
-
-if [ "$ACTION" = renewed ]; then
-	/etc/init.d/haproxy reload
-fi

net/haproxy/files/haproxy.init

@@ -18,6 +18,10 @@ start_service() {
 	procd_close_instance
 }
 
+service_triggers() {
+	procd_add_raw_trigger acme.renew 5000 /etc/init.d/haproxy reload
+}
+
 extra_command "check" "Check haproxy config"
 check() {
 	$HAPROXY_BIN -c -q -V -f $HAPROXY_CONFIG

net/nginx/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=nginx
 PKG_VERSION:=1.21.3
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nginx.org/download/
@@ -376,9 +376,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y)
 endif
 	$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
 	$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
-
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
-	$(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-nginx
 endef
 
 Package/nginx-all-module/install = $(Package/nginx-ssl/install)

net/nginx/files/acme.hotplug

@@ -1,3 +0,0 @@
-if [ "$ACTION" = renewed ]; then
-	/etc/init.d/nginx reload
-fi

net/nginx/files/nginx.init

@@ -66,6 +66,11 @@ reload_service() {
 }
 
 
+service_triggers() {
+	procd_add_raw_trigger acme.renew 5000 /etc/init.d/nginx reload
+}
+
+
 extra_command "relog" "Reopen log files (without reloading)"
 relog() {
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx