diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 14:59:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 14:59:14 +0000 |
| commit | 67badd0db444736a407f6994c1a7d01c0de1ad76 (patch) | |
| tree | 7e64a77b0110330f4c2bb28f3767d4786b24e8a0 /dehydrated | |
| parent | Initial commit. (diff) | |
| download | open-infrastructure-service-tools-67badd0db444736a407f6994c1a7d01c0de1ad76.tar.xz open-infrastructure-service-tools-67badd0db444736a407f6994c1a7d01c0de1ad76.zip | |
Adding upstream version 20221223.upstream/20221223upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
| -rw-r--r-- | dehydrated/Makefile | 138 | ||||
| -rw-r--r-- | dehydrated/TODO | 7 | ||||
| -rwxr-xr-x | dehydrated/bin/dehydrated-cron | 29 | ||||
| -rwxr-xr-x | dehydrated/bin/dehydrated-hook | 115 | ||||
| -rwxr-xr-x | dehydrated/bin/dehydrated-nsupdate | 212 | ||||
| -rwxr-xr-x | dehydrated/share/cron/dehydrated | 3 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_cert.chrony | 35 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 49 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.extra | 37 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.extra-cleanup | 77 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.fix-permissions | 40 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 112 | ||||
| -rw-r--r-- | dehydrated/share/logrotate/dehydrated | 13 | ||||
| -rw-r--r-- | dehydrated/share/man/Makefile | 59 | ||||
| -rw-r--r-- | dehydrated/share/man/dehydrated-cron.1.rst | 95 | ||||
| -rw-r--r-- | dehydrated/share/man/dehydrated-hook.1.rst | 108 | ||||
| -rw-r--r-- | dehydrated/share/man/dehydrated-nsupdate.1.rst | 170 | ||||
| -rw-r--r-- | dehydrated/share/man/man.in | 19 |
18 files changed, 1318 insertions, 0 deletions
diff --git a/dehydrated/Makefile b/dehydrated/Makefile new file mode 100644 index 0000000..2b6da9f --- /dev/null +++ b/dehydrated/Makefile @@ -0,0 +1,138 @@ +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +SHELL := sh -e + +SCRIPTS = bin/* share/hooks/* + +all: build + +test: + @echo -n "Checking for syntax errors with sh... " + @for SCRIPT in $(SCRIPTS); \ + do \ + sh -n $${SCRIPT}; \ + echo -n "."; \ + done + @echo " done." + + @echo -n "Checking for bashisms... " + @if [ -x /usr/bin/checkbashisms ]; \ + then \ + for SCRIPT in $(SCRIPTS); \ + do \ + checkbashisms -f -x $${SCRIPT}; \ + echo -n "."; \ + done; \ + else \ + echo "Note: devscripts not installed, skipping checkbashisms."; \ + fi + @echo " done." + + @echo -n "Checking with shellcheck... " + @if [ -x /usr/bin/shellcheck ]; \ + then \ + for SCRIPT in $(SCRIPTS); \ + do \ + shellcheck -e SC1090 -e SC2039 $${SCRIPT}; \ + echo -n "."; \ + done; \ + else \ + echo "Note: shellcheck not installed, skipping shellcheck."; \ + fi + @echo " done." + +build: share/man/*.rst + $(MAKE) -C share/man + +install: build + mkdir -p $(DESTDIR)/etc/dehydrated/hook.d + + mkdir -p $(DESTDIR)/etc/cron.d + cp -r share/cron/* $(DESTDIR)/etc/cron.d + + mkdir -p $(DESTDIR)/etc/cron.daily + ln -s /usr/bin/dehydrated-cron $(DESTDIR)/etc/cron.daily/dehydrated + + mkdir -p $(DESTDIR)/etc/logrotate.d + cp -r share/logrotate/* $(DESTDIR)/etc/logrotate.d + + mkdir -p $(DESTDIR)/usr/bin + cp -r bin/* $(DESTDIR)/usr/bin + + mkdir -p $(DESTDIR)/usr/share/dehydrated/hooks + cp -r share/hooks/* $(DESTDIR)/usr/share/dehydrated/hooks + + ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate + ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate + + for SECTION in $$(seq 1 8); \ + do \ + if ls share/man/*.$${SECTION} > /dev/null 2>&1; \ + then \ + mkdir -p $(DESTDIR)/usr/share/man/man$${SECTION}; \ + cp share/man/*.$${SECTION} $(DESTDIR)/usr/share/man/man$${SECTION}; \ + fi; \ + done + +uninstall: + for SECTION in $$(seq 1 8); \ + do \ + for FILE in share/man/*.$${SECTION}; \ + do \ + rm -f $(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename $${FILE}); \ + done; \ + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/man/man$${SECTION} || true; \ + done + + rm -rf $(DESTDIR)/usr/share/dehydrated/hooks + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/dehydrated || true + + for FILE in bin/*; \ + do \ + rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \ + done + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true + + for FILE in share/logrotate/*; \ + do \ + rm -f $(DESTDIR)/etc/logrotate.d/$$(basename $${FILE}); \ + done + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/logrotate.d || true + + rm -f $(DESTDIR)/etc/cron.daily/dehydrated + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/cron.daily || true + + for FILE in share/cron/*; \ + do \ + rm -f $(DESTDIR)/etc/cron.d/$$(basename $${FILE}); \ + done + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/cron.d || true + + rm -rf $(DESTDIR)/etc/dehydrated/hook.d + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/dehydrated || true + + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true + +clean: + $(MAKE) -C share/man clean + +distclean: clean + +reinstall: uninstall install diff --git a/dehydrated/TODO b/dehydrated/TODO new file mode 100644 index 0000000..efbd047 --- /dev/null +++ b/dehydrated/TODO @@ -0,0 +1,7 @@ +TODO +==== + + * add manpages for individual dehydrated hooks + * use /etc/default for dehydrated-cron + * use /etc/default for dehydrated-hook + * use settings from _dehydrated.$domain.$tld for automatic configuration diff --git a/dehydrated/bin/dehydrated-cron b/dehydrated/bin/dehydrated-cron new file mode 100755 index 0000000..2f283e4 --- /dev/null +++ b/dehydrated/bin/dehydrated-cron @@ -0,0 +1,29 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +mkdir -p /var/log/dehydrated + +dehydrated --cron --keep-going >> /var/log/dehydrated/dehydrated.log +dehydrated --cleanup-delete >> /var/log/dehydrated/dehydrated.log + +chown -R root:adm /var/log/dehydrated diff --git a/dehydrated/bin/dehydrated-hook b/dehydrated/bin/dehydrated-hook new file mode 100755 index 0000000..9103495 --- /dev/null +++ b/dehydrated/bin/dehydrated-hook @@ -0,0 +1,115 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +HOOKS="/etc/dehydrated/hook.d" + +deploy_challenge () +{ + export DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + + run-parts --regex '^deploy_challenge.*' "${HOOKS}" +} + +clean_challenge () +{ + export DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + + run-parts --regex '^clean_challenge.*' "${HOOKS}" +} + +sync_cert () +{ + export KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" + + run-parts --regex '^sync_cert.*' "${HOOKS}" +} + +deploy_cert () +{ + export DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" + + run-parts --regex '^deploy_cert.*' "${HOOKS}" +} + +deploy_ocsp () +{ + export DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" + + run-parts --regex '^deploy_ocsp.*' "${HOOKS}" +} + +unchanged_cert () +{ + export DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" + + run-parts --regex '^unchanged_cert.*' "${HOOKS}" +} + +invalid_challenge () +{ + export DOMAIN="${1}" RESPONSE="${2}" + + run-parts --regex '^invalid_challenge.*' "${HOOKS}" +} + +request_failure () +{ + export STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" + + run-parts --regex '^request_failure.*' "${HOOKS}" +} + +generate_csr () +{ + export DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" + + run-parts --regex '^generate_csr.*' "${HOOKS}" +} + +startup_hook () +{ + run-parts --regex '^startup_hook.*' "${HOOKS}" +} + +exit_hook () +{ + export ERROR="${1:-}" + + run-parts --regex '^exit_hook.*' "${HOOKS}" +} + +HANDLER="${1}" + +if [ -z "${HANDLER}" ] +then + echo "Usage: ${0} HANDLER" >&2 + exit 1 +fi + +shift + +case "${HANDLER}" in + deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook) + "${HANDLER}" "${@}" + ;; +esac diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate new file mode 100755 index 0000000..c6bf6c5 --- /dev/null +++ b/dehydrated/bin/dehydrated-nsupdate @@ -0,0 +1,212 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +HOOK="$(basename "${0}")" +HOOK_ACTION="$(echo "${HOOK}" | awk -F. '{ print $1 }')" + +# set nsupdate action +case "${HOOK}" in + clean_challenge.*) + HOOK_ACTION="delete" + ;; + + deploy_challenge.*) + HOOK_ACTION="add" + ;; + + *) + echo "'${HOOK}': no such hook action '${HOOK_ACTION}'" >&2 + echo "'${HOOK}': use 'clean_challenge.' or 'deploy_challenge.' as prefix in your symlink" >&2 + exit 1 + ;; +esac + +# alternatives handling for dig +if command -v kdig > /dev/null 2>&1 +then + # knot-dnsutils + DIG_VARIANT="knot" +elif command -v dig > /dev/null 2>&1 +then + # bind-dnsutils + DIG_VARIANT="bind" +else + echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2 + exit 1 +fi + +case "${DIG_VARIANT}" in + knot) + DIG="kdig +noidn" + ;; + + bind) + DIG="dig +noidnout" + ;; +esac + +# alternatives handling for nsupdate +if command -v knsupdate > /dev/null 2>&1 +then + # knot-dnsutils + NSUPDATE_VARIANT="knot" +elif command -v nsupdate > /dev/null 2>&1 +then + # bind-dnsutils + NSUPDATE_VARIANT="bind" +else + echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2 + exit 1 +fi + +case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE="knsupdate" + ;; + + bind) + NSUPDATE="nsupdate" + ;; +esac + +# config +for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/* +do + if [ -e "${FILE}" ] + then + . "${FILE}" + fi +done + +# find txt record to update +CNAME="$(${DIG} +nocomments +noquestion "_acme-challenge.${DOMAIN}" 2>&1 | grep -v '^;' | awk '/CNAME/ { print $5 }' | tail -n1)" + +if [ -n "${CNAME}" ] +then + TXT_RECORD="${CNAME}" +else + TXT_RECORD="_acme-challenge.${DOMAIN}" +fi + +ZONE="${TXT_RECORD}" + +# find all nameservers to update +while true +do + NAMESERVERS="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $5 }')" + + if [ -n "${NAMESERVERS}" ] + then + ZONE="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $1 }' | tail -n1)" + break + else + ZONE="$(echo "${ZONE}" | cut -d '.' -f 2-)" + fi +done + +NAMESERVERS_IPV6="" +NAMESERVERS_IPV4="" + +for NAMESERVER in ${NAMESERVERS} +do + if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ] + then + NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}" + fi + + if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ] + then + NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}" + fi +done + +# filter nameservers by available IP protocol +NAMESERVERS="" + +if hostname -I | grep -qs ':' +then + NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV6}" +fi + +if hostname -I | grep -qs '\.' +then + NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}" +fi + +NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)" + +# update nameservers +for NAMESERVER in ${NAMESERVERS} +do + if [ -e "/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" ] + then + # specific key per record + KEY="/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" + elif [ -e "/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" ] + then + # specific key per zone + KEY="/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" + elif [ -e "/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" ] + then + # specific key per nameserver + KEY="/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" + elif [ -e "/etc/dehydrated/tsig.key" ] + then + # global key (filesystem) + KEY="/etc/dehydrated/tsig.key" + elif [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ] + then + # global key (conffile) + KEY="${TSIG_KEYFILE}" + else + # no key + KEY="" + fi + + # ignoring comments to allow empty keyfiles to disable TSIG individually + TSIG="$(grep -sv '^#' "${KEY}" || true)" + + if [ -n "${KEY}" ] && [ -n "${TSIG}" ] + then + case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE_OPTIONS="-k ${KEY}" + ;; + + bind) + NSUPDATE_OPTIONS="-y $(cat "${KEY}")" + ;; + esac + fi + + echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..." + +# shellcheck disable=SC2086 +echo "server ${NAMESERVER} +zone ${ZONE} +ttl 0 +update ${HOOK_ACTION} ${TXT_RECORD} 0 TXT ${TOKEN_VALUE} +send" | "${NSUPDATE}" ${NSUPDATE_OPTIONS} + + echo " done." +done diff --git a/dehydrated/share/cron/dehydrated b/dehydrated/share/cron/dehydrated new file mode 100755 index 0000000..bece74f --- /dev/null +++ b/dehydrated/share/cron/dehydrated @@ -0,0 +1,3 @@ +# /etc/cron.d/dehydrated + +@reboot root /usr/bin/dehydrated-cron diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony new file mode 100755 index 0000000..b6744ff --- /dev/null +++ b/dehydrated/share/hooks/deploy_cert.chrony @@ -0,0 +1,35 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +if grep -Eqrs '^ *ntsservercert' /etc/chrony +then + echo -n " + Copying certificate for chrony..." + + # https://bugs.debian.org/1013882 + cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem + cp -fL "${KEYFILE}" /etc/chrony/key.pem + + chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem + + echo " done." +fi diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra new file mode 100755 index 0000000..56ca2f4 --- /dev/null +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -0,0 +1,49 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo -n " + Creating extra certificate files..." + +DIRECTORY="$(dirname "${CERTFILE}")" + +# root and intermediate CA +TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" +grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' + +mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" +ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + +mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" +ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + +# extra certificate permutations: +# * privkey_fullchain.pem: postfix +for EXTRA in fullchain_privkey privkey_fullchain +do + EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" + + cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" + ln -sf "${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem" +done + +echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra new file mode 100755 index 0000000..35a13f6 --- /dev/null +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -0,0 +1,37 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo " + Creating extra ocsp links..." + +DIRECTORY="$(dirname "${OCSPFILE}")" +OCSP="$(readlink "${OCSPFILE}")" + +for EXTRA in fullchain_privkey privkey_fullchain +do + EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" + + ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp" +done + +echo " done." diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup new file mode 100755 index 0000000..59e203e --- /dev/null +++ b/dehydrated/share/hooks/exit_hook.extra-cleanup @@ -0,0 +1,77 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo -n " + Cleanup extra certificate files..." + +for EXTRA in root intermediate fullchain_privkey privkey_fullchain +do + for CERTIFICATE in "${CERTDIR}"/*/ + do + if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1 + then + continue + fi + + SYMLINK="${CERTIFICATE}/${EXTRA}.pem" + ORIGINAL="$(readlink -f "${SYMLINK}")" + + if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ] + then + # remove dangling symlink + rm -f "${SYMLINK}" + fi + + if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ] + then + # remove dangling symlink + rm -f "${SYMLINK}.ocsp" + fi + + if [ -e "${SYMLINK}" ] + then + for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem + do + case "$(basename "${FILE}")" in + "$(basename "${ORIGINAL}")") + continue + ;; + + *) + # archive unused files + ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")" + mkdir -p "${ARCHIVE}" + + mv "${FILE}" "${ARCHIVE}" + + if [ -e "${FILE}.ocsp" ] + then + mv "${FILE}.ocsp" "${ARCHIVE}" + fi + ;; + esac + done + fi + done +done + +echo " done." diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions new file mode 100755 index 0000000..aa15553 --- /dev/null +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -0,0 +1,40 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +if [ ! -e "${CERTDIR}" ] +then + exit 0 +fi + +if getent group ssl-cert > /dev/null 2>&1 +then + echo -n " + Fixing file owner and permissions..." + + # https://bugs.debian.org/854431 + chown -R root:ssl-cert "${CERTDIR}" + + find "${CERTDIR}" -type d -exec chmod 0750 {} \; + find "${CERTDIR}" -type f -exec chmod 0640 {} \; + + echo " done." +fi diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload new file mode 100755 index 0000000..c62c133 --- /dev/null +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -0,0 +1,112 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +Run_apache2 () +{ + if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled + then + service apache2 stop + service apache2 start + fi +} + +Run_chrony () +{ + if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/* + then + service chrony restart + fi +} + +Run_haproxy () +{ + if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' + then + service haproxy reload + fi +} + +Run_knot_resolver () +{ + if grep -Eqrs '^ *net.tls' /etc/knot-resolver/* + then + INSTANCES="$(systemctl | grep -c 'kresd@*.service')" + + if [ "${INSTANCES}" -gt 0 ] + then + for INSTANCE in $(seq 1 "${INSTANCES}") + do + service kresd@"${INSTANCE}" restart + done + fi + fi +} + +Run_postfix () +{ + if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf + then + service postfix restart + fi +} + +Run_postgresql () +{ + if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/* + then + service postgresql reload + fi +} + +Run_redis_sentinel () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf + then + service redis-sentinel restart + fi +} + +Run_redis_server () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf + then + service redis-server restart + fi +} + +echo " + Reloading services:" + +SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" + +for SERVICE in ${SERVICES} +do + if service "${SERVICE}" status > /dev/null 2>&1 + then + echo -n " + ${SERVICE}:" + + RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')" + ${RELOAD} + + echo " done." + fi +done diff --git a/dehydrated/share/logrotate/dehydrated b/dehydrated/share/logrotate/dehydrated new file mode 100644 index 0000000..385a4aa --- /dev/null +++ b/dehydrated/share/logrotate/dehydrated @@ -0,0 +1,13 @@ +# /etc/logrotate.d/dehydrated + +/var/log/dehydrated/dehydrated.log { + compress + create 0640 root adm + dateext + dateformat -%Y%m + dateyesterday + missingok + monthly + notifempty + rotate 12 +} diff --git a/dehydrated/share/man/Makefile b/dehydrated/share/man/Makefile new file mode 100644 index 0000000..a6d6bf2 --- /dev/null +++ b/dehydrated/share/man/Makefile @@ -0,0 +1,59 @@ +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +# Depends: python3-docutils + +RST2MAN = rst2man \ + --no-datestamp \ + --no-generator \ + --strict \ + --strip-comments \ + --tab-width=4 \ + --verbose + +VERSION := $(shell cat ../../../VERSION.txt) + +SHELL := sh -e + +all: build + +build: man + +man: man.in *.rst + @echo -n "Creating manpages... " + + @for FILE in *.rst; \ + do \ + cp man.in $$(basename $${FILE} .rst); \ + $(RST2MAN) $${FILE} | \ + sed -e '/^.\\" Man page generated/d' \ + -e '/^.\\" Generated by/d' \ + -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \ + >> $$(basename $${FILE} .rst); \ + echo -n "."; \ + done + + @echo " done." + +clean: + rm -f *.[0-9] + +distclean: clean + +rebuild: clean build diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst new file mode 100644 index 0000000..cd93a30 --- /dev/null +++ b/dehydrated/share/man/dehydrated-cron.1.rst @@ -0,0 +1,95 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see <https://www.gnu.org/licenses/>. + +=============== +dehydrated-cron +=============== + +---------------------------------------------------- +dehydrated cronjob for automatic certificate renewal +---------------------------------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **dehydrated-cron** + +Description +=========== + +**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority. + +The **dehydrated-cron** script runs dehydrated once per day and on system reboot for an automatic certificate renewal. + +It uses the dehydrated '--keep-going' option to keep going after encountering an error while creating/renewing multiple certificates. Afterwards it also removes all unused certificates by using the dehydrated '--cleanup-delete' option. + +Usage +===== + +Installation +------------ + +| sudo ln -s /usr/bin/dehydrated-cron /etc/cron.d/dehydrated + +Removal +------- + +| sudo rm -f /etc/cron.d/dehydrated + + +Files +===== + +The following files are used: + +/etc/cron.d/dehydrated: + cronjob file. + +/usr/bin/dehydrated-cron: + script that gets executed by cron. + +/var/log/dehydrated/dehydrated.log + logfile for dehydrated-cron. + +See also +======== + +| dehydrated(1), +| dehydrated-hook(1), +| dehydrated-nsupdate(1). + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. + +Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst new file mode 100644 index 0000000..de63127 --- /dev/null +++ b/dehydrated/share/man/dehydrated-hook.1.rst @@ -0,0 +1,108 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see <https://www.gnu.org/licenses/>. + +=============== +dehydrated-hook +=============== + +------------------------- +dehydrated run-parts hook +------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **dehydrated-hook** 'HANDLER' + +Description +=========== + +**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority. + +The **dehydrated-hook** makes it possible to run multiple scripts in every stage within the process of creating, signing and deploying a certificate. + +Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh + +Handlers +======== + +The following **dehydrated** handlers are available: + +| +| deploy_challenge +| clean_challenge +| sync_cert +| deploy_cert +| deploy_ocsp +| unchanged_cert +| invalid_challenge +| request_failure +| generate_csr +| startup_hook +| exit_hook + +Usage +===== + +Installation +------------ + +| sudo echo HOOK="/usr/bin/dehydrated-hook" > /etc/dehydrated/conf.d/zz-hook.sh +| sudo mkdir -p /etc/dehydrated/hook.d + +Removal +------- + +| sudo rm -f /etc/dehydrated/conf.d/zz-hook.sh +| sudo rmdir /etc/dehydrated/hook.d + +Files +===== + +The following files are used: + +/etc/dehydrated/hook.d: + directory to place individual hooks. + +See also +======== + +| dehydrated(1), +| dehydrated-cron(1), +| dehydrated-nsupdate(1). + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. + +Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst new file mode 100644 index 0000000..d4b097b --- /dev/null +++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst @@ -0,0 +1,170 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see <https://www.gnu.org/licenses/>. + +=================== +dehydrated-nsupdate +=================== + +--------------------------------------- +dehydrated hook for dns-01 verification +--------------------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **dehydrated-nsupdate** + +Description +=========== + +**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority. + +The **dehydrated-nsupdate** hook implements the dns-01 verification. It is typically run together with **dehydrated-hook** as: + +| +| /etc/dehydrated/hook.d/deploy_challenge.nsupdate +| /etc/dehydrated/hook.d/clean_challenge.nsupdate + +Features +======== + +**dehydrated-nsupdate** has the following features: + +Automatic nameserver detection (IPv4 and IPv6) +---------------------------------------------- + +dehydrated-nsupdate automatically finds and updates all authoritative nameservers for a given record by looking up the records in the DNS by itself, supporting IPv6-only, IPv4-only, and dual-stacked environments. + +Proper CNAME support +-------------------- + +dehydrated-nsupdate follows CNAMEs delegating the TXT record update to another zone. + +Handling nameserver subzone shortcuts +------------------------------------- + +dehydrated-nsupdate correctly handles authoritative nameserver answers that (wrongly) give shortcut answers for their own zones when using multiple authoritative subzones on the same nameservers. + +TSIG support +------------ + +dehydrated-nsupdate uses TSIG, if provided, to authenticate itself to the nameserver. Additionally to a global TSIG to be used for all record updates, separate TSIGs can individually be specified per record, per zone, and per nameserver. + +Proper removal of TXT records +----------------------------- + +dehydrated-nsupdate removes records after succesfull verification. + +bind9-dnsutils and knot-dnsutils support +---------------------------------------- + +dehydrated-nsupdate works with both nsupdate (bind9) and knsupdate (knot). + +IDN handling +------------ + +dehydrated-nsupdate works with IDN domains by not expanding the punycode to update the correct records. + +Usage +===== + +dehydrated-hook(1) is a prerequisite for dehydrated-nsupdate. + +Installation +------------ + +| sudo echo CHALLENGETYPE="dns-01" > /etc/dehydrated/conf.d/zz-challengetype.sh +| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/deploy_challenge.nsupdate +| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/clean_challenge.nsupdate + +Removal +------- + +| sudo rm -f /etc/dehydrated/conf.d/zz-challengetype.sh +| sudo rm -f /etc/dehydrated/hook.d/deploy_challenge.nsupdate +| sudo rm -f /etc/dehydrated/hook.d/clean_challenge.nsupdate + +Configuration +============= + +Depending on the nameserver requirements, dehydrated-nsupdate can send record updates either unauthenticated or using a TSIG (recommended). + +A TSIG file consists of one single line containing the key (nsupdate/knsupdate do not allow comments), e.g.: + +| +| hmac-sha512:example:/LXPy6U8HAWA+QmvulZWm0owsQgNf8qJ5MNLTvirzvVtDb+PzLKoBmVHjnL6TUffkvRYa7Do448dSIrAuJ1G/A== + +Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver. + +The lookup hierarchy is the following (first match wins): + +| +| /etc/dehydrated/tsig/${record}.key +| /etc/dehydrated/tsig/${zone}.key +| /etc/dehydrated/tsig/${nameserver}.key +| /etc/dehydrated/tsig.key +| +| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate/* +| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate + +In order to explicitly not use a TSIG for a specific record, zone, or nameserver, an empty keyfile or a keyfile with only comments can be used, e.g.: + +| +| echo "# disabled" > /etc/dehydrated/tsig/ns1.example.org.key + +Files +===== + +The following files are used: + +/etc/dehydrated/tsig.key: + default location for global TSIG key to be used. + +/etc/dehydrated/tsig/${record}.key, /etc/dehydrated/tsig/${zone}.key, /etc/dehydrated/tsig/${nameserver}.key: + default locations for specific TSIG keys to be used individually per record, zone, or nameserver. + +/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/\*: + configuration file, currently only used for TSIG_KEYFILE variable pointing to the location of the global TSIG key to be used (default: /etc/dehydrated/tsig.key). + +See also +======== + +| dehydrated(1), +| dehydrated-cron(1), +| dehydrated-hook(1). + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. + +Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. diff --git a/dehydrated/share/man/man.in b/dehydrated/share/man/man.in new file mode 100644 index 0000000..f95ca67 --- /dev/null +++ b/dehydrated/share/man/man.in @@ -0,0 +1,19 @@ +.\" Open Infrastructure: service-tools +.\" +.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.\" +.\" SPDX-License-Identifier: GPL-3.0+ +.\" +.\" This program is free software: you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see <https://www.gnu.org/licenses/>. +.\" |