acme-acmesh: Provide a 'combined' certificate bundle as well
The haproxy hotplug script creates a 'combined' certificate bundle that contains both the certificate chain and the private key. However, having a daemon hotplug script write into CERT_DIR is not great; so let's provide the bundle as part of the main acme framework, keeping it in $domain_dir and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a collection of links for everything, that no consumers should need to write into. Also make sure to set the umask correctly so the combined file is not world-readable (since it contains the private key). Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
parent
152a26da57
commit
17691a5a52
4 changed files with 6 additions and 12 deletions
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=acme-acmesh
|
||||
PKG_VERSION:=3.0.1
|
||||
PKG_RELEASE:=9
|
||||
PKG_RELEASE:=10
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
|
||||
|
|
|
@ -20,6 +20,7 @@ link_certs()
|
|||
domain_dir="$1"
|
||||
main_domain="$2"
|
||||
|
||||
(umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer")
|
||||
|
||||
if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then
|
||||
ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt"
|
||||
|
@ -30,6 +31,9 @@ link_certs()
|
|||
if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then
|
||||
ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt"
|
||||
fi
|
||||
if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then
|
||||
ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt"
|
||||
fi
|
||||
if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then
|
||||
ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt"
|
||||
fi
|
||||
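Review bot: On systems upgraded from the old haproxy hotplug, the `[ ! -e "$CERT_DIR/$main_domain.combined.crt" ]` guard in the second hunk will find the regular file that script wrote to `/etc/ssl/acme/$main_domain.combined.crt` (assuming CERT_DIR is that directory, which this page does not show), so the symlink is never created. That leftover copy contains the private key, was written under whatever umask the hotplug ran with rather than the 077 used here, and is no longer refreshed on renewal. Replacing anything that is not already a link would cover the upgrade path, e.g. `[ -L "$CERT_DIR/$main_domain.combined.crt" ] || ln -sf "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt"`. Separately, the `cat ... > "$domain_dir/combined.cer"` in the first hunk rewrites the bundle in place, so a failed `cat` or a consumer reading during renewal can see a truncated file; writing to a temporary name in `$domain_dir` and `mv`-ing it into place avoids that. link_certs starts and ends outside both hunks.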
|
|
|
@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=haproxy
|
||||
PKG_VERSION:=2.6.6
|
||||
PKG_RELEASE:=103
|
||||
PKG_RELEASE:=104
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
|
||||
|
@ -122,8 +122,6 @@ define Package/haproxy/install
|
|||
$(INSTALL_CONF) ./files/haproxy.cfg $(1)/etc/
|
||||
$(INSTALL_DIR) $(1)/etc/init.d
|
||||
$(INSTALL_BIN) ./files/haproxy.init $(1)/etc/init.d/haproxy
|
||||
$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
|
||||
$(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-haproxy
|
||||
endef
|
||||
|
||||
Package/haproxy-nossl/install = $(Package/haproxy/install)
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
case $ACTION in
|
||||
issued|renewed)
|
||||
cat \
|
||||
"/etc/ssl/acme/$main_domain.fullchain.crt" \
|
||||
"/etc/ssl/acme/$main_domain.key" \
|
||||
>"/etc/ssl/acme/$main_domain.combined.crt"
|
||||
;;
|
||||
esac
|