From b907223d57765d49858c2fb1bd6e0b0f4222db0e Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Sun, 11 Dec 2022 13:25:00 +0800 Subject: [PATCH 1/2] acme: deprecate state_dir state_dir is actually a hardcoded value in conffiles. Allowing users to customize it could result in losing certificates after upgrading if they don't also specify the dir as being preserved. We shouldn't default to this dangerous behavior. With the new ACME package, certificates live in the standard location /etc/ssl/acme, users who need to do certificate customizations should look for them in that dir instead. Signed-off-by: Glen Huang --- net/acme-common/Makefile | 3 ++- net/acme-common/files/acme.config | 1 - net/acme-common/files/acme.sh | 22 ++++++++++++++-------- 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile
index 268df5c68..c8c4a0bb3 100644
--- a/net/acme-common/Makefile
+++ b/net/acme-common/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=acme-common
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.0.2
 PKG_MAINTAINER:=Toke Høiland-Jørgensen
 PKG_LICENSE:=GPL-3.0-only
@@ -34,6 +34,7 @@ define Package/acme-common/conffiles
 endef
 define Package/acme-common/install
+ $(INSTALL_DIR) $(1)/etc/acme
 $(INSTALL_DIR) $(1)/etc/ssl/acme
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
diff --git a/net/acme-common/files/acme.config b/net/acme-common/files/acme.config
index d72547a6e..75fd1cf09 100644
--- a/net/acme-common/files/acme.config
+++ b/net/acme-common/files/acme.config
@@ -1,5 +1,4 @@
 config acme
- option state_dir '/etc/acme'
 option account_email 'email@example.org'
 option debug 0
diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh
index 582575f89..5a2f7d739 100644
--- a/net/acme-common/files/acme.sh
+++ b/net/acme-common/files/acme.sh
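Review bot: The added `$(INSTALL_DIR) $(1)/etc/acme` in Package/acme-common/install creates the state directory with INSTALL_DIR's default (world-traversable) mode; if the ACME account key or other private state is kept under it, as the commit message's description of it as the state dir suggests, a tighter mode such as `chmod 0700 $(1)/etc/acme` right after that line would be the safer default. Whether the conffiles block actually lists /etc/acme, as the message states, is not visible in this hunk, so preservation across sysupgrade cannot be confirmed from here.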
@@ -8,10 +8,8 @@
 #
 # Authors: Toke Høiland-Jørgensen
-export state_dir=/etc/acme
-export account_email=
-export debug=0
-export run_dir=/var/run/acme
+run_dir=/var/run/acme
+export challenge_dir=$run_dir/challenge
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -65,7 +63,7 @@ load_options() {
 config_get webroot "$section" webroot
 export webroot
 if [ "$webroot" ]; then
- log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge."
+ log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $challenge_dir."
 fi
 }
@@ -107,11 +105,19 @@ load_globals() {
 log err "account_email option is required"
 exit 1
 fi
+ export account_email
- config_get state_dir "$section" state_dir "$state_dir"
- mkdir -p "$state_dir"
+ config_get state_dir "$section" state_dir
+ if [ "$state_dir" ]; then
+ log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in /etc/ssl/acme."
+ mkdir -p "$state_dir"
+ else
+ state_dir=/etc/acme
+ fi
+ export state_dir
- config_get debug "$section" debug "$debug"
+ config_get debug "$section" debug 0
+ export debug
 # only look for the first acme section
 return 1
From c40d7c09b987092f546250e16fbe97d59b09f10b Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Wed, 14 Dec 2022 21:16:57 +0800 Subject: [PATCH 2/2] acme-acmesh: use $challenge_dir Signed-off-by: Glen Huang --- net/acme-acmesh/files/hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/acme-acmesh/files/hook.sh b/net/acme-acmesh/files/hook.sh
index 4df82643d..149a3e751 100644
--- a/net/acme-acmesh/files/hook.sh
+++ b/net/acme-acmesh/files/hook.sh
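Review bot: The first hunk removes the top-of-file defaults `export state_dir=/etc/acme` and `export debug=0`, but their replacements in load_globals (third hunk) only run when an acme config section exists, so a config without one, or any `log` call made before load_globals if `log` consults `$debug`, now sees these variables empty or unset where they previously held a value; keeping `debug=0` and `state_dir=/etc/acme` next to `run_dir=/var/run/acme` would preserve the old fallback while load_globals still exports the configured values. The same hunk also drops `export` from `run_dir`, so any hook or sourced script that read `$run_dir` from the environment will now find it unset, which is worth a grep across the hook scripts before merging. In the third hunk the else branch assigns the default without creating it, so the new code relies on the package install step (or a preserved directory) for /etc/acme to exist. load_globals begins before and continues after the hunk.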
@@ -3,7 +3,7 @@ set -u
 ACME=/usr/lib/acme/client/acme.sh
 LOG_TAG=acme-acmesh
 # webroot option deprecated, use the hardcoded value directly in the next major version
-WEBROOT=${webroot:-/var/run/acme/challenge}
+WEBROOT=${webroot:-$challenge_dir}
 NOTIFY=/usr/lib/acme/notify
 # shellcheck source=net/acme/files/functions.sh
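Review bot: `WEBROOT=${webroot:-$challenge_dir}` executes under the `set -u` shown in the hunk header, so if this hook runs against an acme-common that does not yet export `challenge_dir` (PATCH 1/2 introduces that export and this series shows no dependency version bump for acme-acmesh), the script aborts with an unbound-variable error rather than falling back to the old path. A nested default keeps the hook working in that case: `WEBROOT=${webroot:-${challenge_dir:-/var/run/acme/challenge}}`. The comment above it still promises the hardcoded value for the next major version, which only stays accurate if that literal fallback is retained somewhere.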