diff options
-rw-r--r-- | CHANGELOG.txt | 9 | ||||
-rw-r--r-- | VERSION.txt | 2 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 33 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.extra | 8 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.extra-cleanup | 77 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.fix-permissions | 8 |
6 files changed, 110 insertions, 27 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index ecf2274..735e15a 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,12 @@ +2022-11-22 Daniel Baumann <daniel.baumann@open-infrastructure.net> + + * Releasing version 20221122. + + [ Daniel Baumann ] + * Using certdir variable in dehydrated hook instead of hardcoded path. + * Using shortnames for extra certificates in dehydrated extra hooks. + * Adding dehydrated hook to cleanup extra files. + 2022-11-08 Daniel Baumann <daniel.baumann@open-infrastructure.net> * Releasing version 20221108. diff --git a/VERSION.txt b/VERSION.txt index f47121e..00ec7ae 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -20221108 +20221122 diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index 47a8391..56ca2f4 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -21,32 +21,29 @@ set -e -echo " + Creating extra certificate files:" +echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -echo -n " + root and intermediate CA:" - +# root and intermediate CA TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' -mv "${TMPFILE}00" "${DIRECTORY}/ca.intermediate-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/ca.intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca.intermediate.pem" - -mv "${TMPFILE}01" "${DIRECTORY}/ca.root-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/ca.root-${TIMESTAMP}.pem" "${DIRECTORY}/ca.root.pem" +mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" +ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" -echo " done." +mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" +ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" -for EXTRA in fullchain-privkey privkey-fullchain +# extra certificate permutations: +# * privkey_fullchain.pem: postfix +for EXTRA in fullchain_privkey privkey_fullchain do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" - - echo -n " + creating ${EXTRA1}-${EXTRA2}:" + EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" - cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" - ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem" - - echo " done." + cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" + ln -sf "${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem" done + +echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra index 36d0302..35a13f6 100755 --- a/dehydrated/share/hooks/deploy_ocsp.extra +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -26,12 +26,12 @@ echo " + Creating extra ocsp links..." DIRECTORY="$(dirname "${OCSPFILE}")" OCSP="$(readlink "${OCSPFILE}")" -for EXTRA in fullchain-privkey privkey-fullchain +for EXTRA in fullchain_privkey privkey_fullchain do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" - ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp" + ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp" done echo " done." diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup new file mode 100755 index 0000000..59e203e --- /dev/null +++ b/dehydrated/share/hooks/exit_hook.extra-cleanup @@ -0,0 +1,77 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo -n " + Cleanup extra certificate files..." + +for EXTRA in root intermediate fullchain_privkey privkey_fullchain +do + for CERTIFICATE in "${CERTDIR}"/*/ + do + if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1 + then + continue + fi + + SYMLINK="${CERTIFICATE}/${EXTRA}.pem" + ORIGINAL="$(readlink -f "${SYMLINK}")" + + if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ] + then + # remove dangling symlink + rm -f "${SYMLINK}" + fi + + if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ] + then + # remove dangling symlink + rm -f "${SYMLINK}.ocsp" + fi + + if [ -e "${SYMLINK}" ] + then + for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem + do + case "$(basename "${FILE}")" in + "$(basename "${ORIGINAL}")") + continue + ;; + + *) + # archive unused files + ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")" + mkdir -p "${ARCHIVE}" + + mv "${FILE}" "${ARCHIVE}" + + if [ -e "${FILE}.ocsp" ] + then + mv "${FILE}.ocsp" "${ARCHIVE}" + fi + ;; + esac + done + fi + done +done + +echo " done." diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions index 4a467a7..aa15553 100755 --- a/dehydrated/share/hooks/exit_hook.fix-permissions +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -21,7 +21,7 @@ set -e -if [ ! -e /var/lib/dehydrated/certs ] +if [ ! -e "${CERTDIR}" ] then exit 0 fi @@ -31,10 +31,10 @@ then echo -n " + Fixing file owner and permissions..." # https://bugs.debian.org/854431 - chown -R root:ssl-cert /var/lib/dehydrated/certs + chown -R root:ssl-cert "${CERTDIR}" - find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; - find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + find "${CERTDIR}" -type d -exec chmod 0750 {} \; + find "${CERTDIR}" -type f -exec chmod 0640 {} \; echo " done." fi |