From 38eeca5df92c6f8fedd153e7383904eb5b893beb Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Wed, 17 May 2023 17:27:38 +0800 Subject: [PATCH 1/2] acme-common: no exporting webroot ACME clients shouldn't deal with deprecated values. They should be processed by acme-common. Reformatting is done by shfmt. Signed-off-by: Glen Huang --- net/acme-acmesh/Makefile | 2 +- net/acme-acmesh/files/hook.sh | 46 ++++++++++++++++----------------- net/acme-common/Makefile | 2 +- net/acme-common/files/acme.init | 2 +- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/net/acme-acmesh/Makefile b/net/acme-acmesh/Makefile index a5ffe76a5..553d8ddf5 100644 --- a/net/acme-acmesh/Makefile +++ b/net/acme-acmesh/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-acmesh PKG_VERSION:=3.0.1 -PKG_RELEASE:=10 +PKG_RELEASE:=11 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)? diff --git a/net/acme-acmesh/files/hook.sh b/net/acme-acmesh/files/hook.sh index 03343dacb..1e784edc3 100644 --- a/net/acme-acmesh/files/hook.sh +++ b/net/acme-acmesh/files/hook.sh @@ -2,8 +2,6 @@ set -u ACME=/usr/lib/acme/client/acme.sh LOG_TAG=acme-acmesh -# webroot option deprecated, use the exported value directly in the next major version -WEBROOT=${webroot:-$CHALLENGE_DIR} NOTIFY=/usr/lib/acme/notify # shellcheck source=net/acme/files/functions.sh 
@@ -13,30 +11,32 @@ NOTIFY=/usr/lib/acme/notify export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt export NO_TIMESTAMP=1 -link_certs() -{ - local main_domain - local domain_dir - domain_dir="$1" - main_domain="$2" +link_certs() { + local main_domain + local domain_dir + domain_dir="$1" + main_domain="$2" - (umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer") + ( + umask 077 + cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" >"$domain_dir/combined.cer" + ) - if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then + if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt" - fi - if [ ! -e "$CERT_DIR/$main_domain.key" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.key" ]; then ln -s "$domain_dir/$main_domain.key" "$CERT_DIR/$main_domain.key" - fi - if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt" - fi - if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt" - fi - if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt" - fi + fi } case $1 in @@ -71,7 +71,7 @@ get) case $status in 0) - link_certs "$domain_dir" "$main_domain" + link_certs "$domain_dir" "$main_domain" $NOTIFY renewed exit ;; @@ -121,8 +121,8 @@ get) elif [ "$standalone" = 1 ]; then set -- "$@" --standalone --listen-v6 else - mkdir -p "$WEBROOT" - set -- "$@" --webroot "$WEBROOT" + mkdir -p "$CHALLENGE_DIR" + set -- "$@" --webroot "$CHALLENGE_DIR" fi set -- "$@" --issue --home "$state_dir" 
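Review bot: The `[ ! -e "$CERT_DIR/$main_domain.crt" ]` guards in link_certs (and the four that follow it) are false for a dangling symlink, so when a previous target has gone away `ln -s` fails with EEXIST and the stale link is never repointed; the hunk only reindents these lines, but since the script sets `-u` and not `-e`, that failure is silently ignored. A guard of the form `if [ ! -e "$f" ] && [ ! -L "$f" ]` (or `ln -sf`) would make the function idempotent. Note also that `cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" >"$domain_dir/combined.cer"` truncates and writes combined.cer even when the key file is missing, leaving a chain-only file that callers may mistake for a usable bundle; checking `cat`'s status before linking would avoid that.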
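Review bot: `mkdir -p "$CHALLENGE_DIR"` and `--webroot "$CHALLENGE_DIR"` now depend on CHALLENGE_DIR reaching this hook through the environment, and with `set -u` at the top of the file an unexported value aborts the script here with only an unbound-variable message. The acme.init change in this series assigns `CHALLENGE_DIR=$webroot` but shows no `export CHALLENGE_DIR`; if the variable is exported earlier in acme.init or functions.sh (not visible here) the assignment inherits that attribute and this is fine, otherwise the deprecated `webroot` override silently never reaches acme.sh. A cheap guard before the mkdir, `: "${CHALLENGE_DIR:?CHALLENGE_DIR not set by acme-common}"`, turns either failure into a readable error. The enclosing `get)` case arm starts outside the hunk.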
@@ -137,7 +137,7 @@ get) case $status in 0) - link_certs "$domain_dir" "$main_domain" + link_certs "$domain_dir" "$main_domain" $NOTIFY issued ;; *) diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile index ac92fc564..324b742b6 100644 --- a/net/acme-common/Makefile +++ b/net/acme-common/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-common -PKG_VERSION:=1.0.3 +PKG_VERSION:=1.0.4 PKG_MAINTAINER:=Toke Høiland-Jørgensen PKG_LICENSE:=GPL-3.0-only diff --git a/net/acme-common/files/acme.init b/net/acme-common/files/acme.init index a97856496..a365ecd3e 100644 --- a/net/acme-common/files/acme.init +++ b/net/acme-common/files/acme.init @@ -53,9 +53,9 @@ load_options() { export dns_wait config_get webroot "$section" webroot - export webroot if [ "$webroot" ]; then log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR." + CHALLENGE_DIR=$webroot fi } From 6d61014e51266f1cb083d9f31491f9c5fb73eeb0 Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Wed, 17 May 2023 17:53:51 +0800 Subject: [PATCH 2/2] acme: standardize key_type keylength, being an acme.sh value type, uses pure numbers for rsa keys. This can be disorienting for other acme clients. This change introduces a new option "key_type" that aims to remove this ambiguity, and makes all key type names follow the same pattern, making acme-common more client agnostic. Signed-off-by: Glen Huang --- net/acme-acmesh/files/hook.sh | 8 +++++--- net/acme-common/files/acme.init | 14 +++++++++++--- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/net/acme-acmesh/files/hook.sh b/net/acme-acmesh/files/hook.sh index 1e784edc3..477003e3f 100644 --- a/net/acme-acmesh/files/hook.sh +++ b/net/acme-acmesh/files/hook.sh 
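Review bot: `CHALLENGE_DIR=$webroot` is a plain global assignment inside load_options, so if load_options runs once per cert section (its caller is outside the hunk) a later section that does not set `webroot` inherits the previous section's override, whereas the removed `export webroot` was re-read from config on every call. Save the default once (e.g. `DEFAULT_CHALLENGE_DIR=$CHALLENGE_DIR` where it is first defined) and reset it each call with `CHALLENGE_DIR=${webroot:-$DEFAULT_CHALLENGE_DIR}`. Note that the second patch in this series deletes the `config_get webroot "$section" webroot` line while keeping this `if [ "$webroot" ]` block, so after both patches the deprecated option is never read from config and the override becomes dead code. load_options starts before the hunk.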
@@ -44,12 +44,14 @@ get) set -- [ "$debug" = 1 ] && set -- "$@" --debug - case $keylength in - ec-*) + case $key_type in + ec*) + keylength=${key_type/ec/ec-} domain_dir="$state_dir/${main_domain}_ecc" set -- "$@" --ecc ;; - *) + rsa*) + keylength=${key_type#rsa} domain_dir="$state_dir/$main_domain" ;; esac diff --git a/net/acme-common/files/acme.init b/net/acme-common/files/acme.init index a365ecd3e..d4ff51063 100644 --- a/net/acme-common/files/acme.init +++ b/net/acme-common/files/acme.init @@ -39,8 +39,17 @@ load_options() { export domains export main_domain main_domain="$(first_arg $domains)" - config_get keylength "$section" keylength ec-256 - export keylength + config_get keylength "$section" keylength + if [ "$keylength" ]; then + log warn "Option \"keylength\" is deprecated, please use key_type (e.g., ec256, rsa2048) instead." + case $keylength in + ec-*) key_type=${keylength/-/} ;; + *) key_type=rsa$keylength ;; + esac + else + config_get key_type "$section" key_type ec256 + fi + export key_type config_get dns "$section" dns export dns config_get acme_server "$section" acme_server @@ -51,7 +60,6 @@ load_options() { export standalone config_get dns_wait "$section" dns_wait export dns_wait - config_get webroot "$section" webroot if [ "$webroot" ]; then log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
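Review bot: The `case $key_type in` has no default arm, so a value matching neither `ec*` nor `rsa*` leaves domain_dir and keylength unset and the script later aborts under `set -u` at `link_certs "$domain_dir" "$main_domain"` with an unbound-variable message rather than a configuration error; add `*) echo "unsupported key_type: $key_type" >&2; exit 1 ;;` (or the logging helper functions.sh provides). The patterns are also loose: `ecdsa256` matches `ec*` and becomes `ec-dsa256`, which acme.sh will reject later, so `ec[0-9]*` and `rsa[0-9]*` would catch typos here. `${key_type/ec/ec-}` is a bash extension (SC3060) that busybox ash only honours with bash-compat enabled; the POSIX form `keylength=ec-${key_type#ec}` is equivalent given the `ec*` pattern. The enclosing `get)` case arm starts outside the hunk.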
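Review bot: When both `keylength` and `key_type` are set, the deprecated `keylength` silently wins, because `config_get key_type "$section" key_type ec256` is only reached in the `else` branch, so a user who follows the warning and adds `key_type` without deleting `keylength` sees no change and no message. Read key_type unconditionally and let keylength fill it only when key_type is empty, or extend the warning to say that key_type is being ignored while keylength is present. `key_type=${keylength/-/}` is a bash-ism (SC3060) in an rc.common init script; given the `ec-*` pattern, `key_type=ec${keylength#ec-}` is the POSIX equivalent. load_options starts before the hunk.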