acme: deprecate state_dir

state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.

With the new ACME package, certificates live in the standard location
/etc/ssl/acme; users who need to do certificate customizations should
look for them in that dir instead.

Signed-off-by: Glen Huang <i@glenhuang.com>
Glen Huang 2022-12-11 13:25:00 +08:00
parent dd7e606f17
commit b907223d57
3 changed files with 16 additions and 10 deletions


@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=acme-common PKG_NAME:=acme-common
PKG_VERSION:=1.0.1 PKG_VERSION:=1.0.2
PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk> PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
PKG_LICENSE:=GPL-3.0-only PKG_LICENSE:=GPL-3.0-only
@ -34,6 +34,7 @@ define Package/acme-common/conffiles
endef endef
define Package/acme-common/install define Package/acme-common/install
$(INSTALL_DIR) $(1)/etc/acme
$(INSTALL_DIR) $(1)/etc/ssl/acme $(INSTALL_DIR) $(1)/etc/ssl/acme
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme $(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme


@ -1,5 +1,4 @@
config acme config acme
option state_dir '/etc/acme'
option account_email 'email@example.org' option account_email 'email@example.org'
option debug 0 option debug 0


@ -8,10 +8,8 @@
# #
# Authors: Toke Høiland-Jørgensen <toke@toke.dk> # Authors: Toke Høiland-Jørgensen <toke@toke.dk>
export state_dir=/etc/acme run_dir=/var/run/acme
export account_email= export challenge_dir=$run_dir/challenge
export debug=0
export run_dir=/var/run/acme
NFT_HANDLE= NFT_HANDLE=
HOOK=/usr/lib/acme/hook HOOK=/usr/lib/acme/hook
LOG_TAG=acme LOG_TAG=acme
@ -65,7 +63,7 @@ load_options() {
config_get webroot "$section" webroot config_get webroot "$section" webroot
export webroot export webroot
if [ "$webroot" ]; then if [ "$webroot" ]; then
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge." log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $challenge_dir."
fi fi
} }
@ -107,11 +105,19 @@ load_globals() {
log err "account_email option is required" log err "account_email option is required"
exit 1 exit 1
fi fi
export account_email
config_get state_dir "$section" state_dir "$state_dir" config_get state_dir "$section" state_dir
if [ "$state_dir" ]; then
log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in /etc/ssl/acme."
mkdir -p "$state_dir" mkdir -p "$state_dir"
else
state_dir=/etc/acme
fi
export state_dir
config_get debug "$section" debug "$debug" config_get debug "$section" debug 0
export debug
# only look for the first acme section # only look for the first acme section
return 1 return 1
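Review bot: On the deprecated branch of the state_dir handling, `mkdir -p "$state_dir"` is neither checked nor given an explicit mode, so a failed create only surfaces later and a newly created directory gets whatever the caller's umask allows. If state_dir holds the ACME account key and other private state (not visible in this hunk, so worth confirming), prefer `mkdir -p -m 0700 "$state_dir" || { log err "cannot create $state_dir"; exit 1; }`. The warning text could also say that a custom state_dir is not kept across upgrades unless the user lists it as preserved, which is the risk the commit message describes but the log line does not mention. load_globals starts and ends outside the hunk.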