diff options
Diffstat (limited to 'dehydrated')
-rw-r--r-- | dehydrated/TODO | 3 | ||||
-rwxr-xr-x | dehydrated/bin/dehydrated-nsupdate | 38 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.chrony (renamed from dehydrated/share/hooks/exit_hook.zz-chrony) | 15 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 52 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.fullchain-privkey | 28 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.privkey-fullchain | 28 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.extra (renamed from dehydrated/share/hooks/deploy_ocsp.fullchain-privkey) | 14 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.privkey-fullchain | 27 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.fix-permissions | 10 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 95 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-nsupdate.1.rst | 2 |
11 files changed, 182 insertions, 130 deletions
diff --git a/dehydrated/TODO b/dehydrated/TODO index 1a2504f..efbd047 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -4,5 +4,4 @@ TODO * add manpages for individual dehydrated hooks * use /etc/default for dehydrated-cron * use /etc/default for dehydrated-hook - * use settings from _dehydrated.$domain.$tld - * allow specifing multiple certificates in preseeding with e.g. '|' as devider + * use settings from _dehydrated.$domain.$tld for automatic configuration diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate index 05027ab..c6bf6c5 100755 --- a/dehydrated/bin/dehydrated-nsupdate +++ b/dehydrated/bin/dehydrated-nsupdate @@ -45,30 +45,50 @@ esac if command -v kdig > /dev/null 2>&1 then # knot-dnsutils - DIG="kdig +noidn" + DIG_VARIANT="knot" elif command -v dig > /dev/null 2>&1 then # bind-dnsutils - DIG="dig +noidnout" + DIG_VARIANT="bind" else echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2 exit 1 fi +case "${DIG_VARIANT}" in + knot) + DIG="kdig +noidn" + ;; + + bind) + DIG="dig +noidnout" + ;; +esac + # alternatives handling for nsupdate if command -v knsupdate > /dev/null 2>&1 then # knot-dnsutils - NSUPDATE="knsupdate" + NSUPDATE_VARIANT="knot" elif command -v nsupdate > /dev/null 2>&1 then # bind-dnsutils - NSUPDATE="nsupdate" + NSUPDATE_VARIANT="bind" else echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2 exit 1 fi +case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE="knsupdate" + ;; + + bind) + NSUPDATE="nsupdate" + ;; +esac + # config for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/* do @@ -168,7 +188,15 @@ do if [ -n "${KEY}" ] && [ -n "${TSIG}" ] then - NSUPDATE_OPTIONS="-k ${KEY}" + case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE_OPTIONS="-k ${KEY}" + ;; + + bind) + NSUPDATE_OPTIONS="-y $(cat "${KEY}")" + ;; + esac fi echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..." diff --git a/dehydrated/share/hooks/exit_hook.zz-chrony b/dehydrated/share/hooks/deploy_cert.chrony index 13a7e9a..9bccf75 100755 --- a/dehydrated/share/hooks/exit_hook.zz-chrony +++ b/dehydrated/share/hooks/deploy_cert.chrony @@ -21,22 +21,15 @@ set -e -if grep -r -qs -E '^ntsserver(cert|key)' /etc/chrony +if grep -Eqrs '^ *ntsservercert' /etc/chrony then - echo -n " + chrony (workaround):" - # https://bugs.debian.org/1013882 - HOST="$(cat /etc/hostname)" + echo -n " + Copying certificate for chrony..." - cp -L "/var/lib/dehydrated/certs/${HOST}/fullchain.pem" /etc/chrony/cert.pem - cp -L "/var/lib/dehydrated/certs/${HOST}/privkey.pem" /etc/chrony/key.pem + cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem + cp -fL "${KEYFILE}" /etc/chrony/key.pem chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem - if service chrony status > /dev/null 2>&1 - then - service chrony restart - fi - echo " done." fi diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra new file mode 100755 index 0000000..efca7b0 --- /dev/null +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -0,0 +1,52 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo " + Creating extra certificate files:" + +DIRECTORY="$(dirname "${CERTFILE}")" + +echo -n " + root and intermediate CA:" + +TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" +grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' + +mv "${TMPFILE}00" "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem" +ln -s "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca-intermediate.pem" + +mv "${TMPFILE}01" "${DIRECTORY}/ca-root-${TIMESTAMP}.pem" +ln -s "${DIRECTORY}/ca-root-${TIMESTAMP}.pem" "${DIRECTORY}/ca-root.pem" + +echo " done." + +for EXTRA in fullchain-privkey privkey-fullchain +do + echo -n " + creating ${EXTRA1}-${EXTRA2}:" + + EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + + cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" + ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem" + + echo " done." +done diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/dehydrated/share/hooks/deploy_cert.fullchain-privkey deleted file mode 100755 index 57d735b..0000000 --- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -DIRECTORY="$(dirname "${FULLCHAINFILE}")" -FILE="cert.fullchain-privkey-${TIMESTAMP}.pem" - -cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}" -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem" diff --git a/dehydrated/share/hooks/deploy_cert.privkey-fullchain b/dehydrated/share/hooks/deploy_cert.privkey-fullchain deleted file mode 100755 index bd2c4a0..0000000 --- a/dehydrated/share/hooks/deploy_cert.privkey-fullchain +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -DIRECTORY="$(dirname "${FULLCHAINFILE}")" -FILE="cert.privkey-fullchain-${TIMESTAMP}.pem" - -cat "${KEYFILE}" "${FULLCHAINFILE}" > "${DIRECTORY}/${FILE}" -ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem" diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/dehydrated/share/hooks/deploy_ocsp.extra index b408f03..36d0302 100755 --- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -21,7 +21,17 @@ set -e -FILE="$(readlink "${OCSPFILE}")" +echo " + Creating extra ocsp links..." + DIRECTORY="$(dirname "${OCSPFILE}")" +OCSP="$(readlink "${OCSPFILE}")" + +for EXTRA in fullchain-privkey privkey-fullchain +do + EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + + ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp" +done -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp" +echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain b/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain deleted file mode 100755 index d0dacf1..0000000 --- a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -FILE="$(readlink "${OCSPFILE}")" -DIRECTORY="$(dirname "${OCSPFILE}")" - -ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem.ocsp" diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions index 6a1958d..4a467a7 100755 --- a/dehydrated/share/hooks/exit_hook.fix-permissions +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -26,17 +26,15 @@ then exit 0 fi -echo " + Fixing permissions..." - if getent group ssl-cert > /dev/null 2>&1 then - echo -n " + /var/lib/dehydrated/certs:" - - find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; - find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + echo -n " + Fixing file owner and permissions..." # https://bugs.debian.org/854431 chown -R root:ssl-cert /var/lib/dehydrated/certs + find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; + find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + echo " done." fi diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index 486c62f..cf297ab 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -21,36 +21,91 @@ set -e -SERVICES="apache2 haproxy knot postgresql redis-server" +Run_apache2 () +{ + if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled + then + service apache2 reload + fi +} -echo " + Reloading services..." +Run_chrony () +{ + if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/* + then + service chrony restart + fi +} -for SERVICE in ${SERVICES} -do - if service "${SERVICE}" status > /dev/null 2>&1 +Run_haproxy () +{ + if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' then - echo -n " + ${SERVICE}:" + service haproxy reload + fi +} - service "${SERVICE}" reload || service "${SERVICE}" restart +Run_knot_resolver () +{ + if grep -Eqrs '^ *net.tls' /etc/knot-resolver/* + then + INSTANCES="$(systemctl | grep -c 'kresd@*.service')" - echo " done." + if [ "${INSTANCES}" -gt 0 ] + then + for INSTANCE in $(seq 1 "${INSTANCES}") + do + service kresd@"${INSTANCE}" restart + done + fi fi -done +} + +Run_postfix () +{ + if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf + then + service postfix restart + fi +} -if grep -r -qs '^net.tls' /etc/knot-resolver/* && service kresd@1 status > /dev/null 2>&1 -then - NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')" +Run_postgresql () +{ + if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/* + then + service postgresql reload + fi +} + +Run_redis_sentinel () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf + then + service redis-sentinel restart + fi +} - if [ "${NUMBER}" -gt 0 ] +Run_redis_server () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf then - echo -n " + knot-resolver:" + service redis-server restart + fi +} - for NUMBER in $(seq 1 "${NUMBER}") - do - echo -n " #${NUMBER}" - service kresd@"${NUMBER}" restart - done +echo " + Reloading services:" + +SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" + +for SERVICE in ${SERVICES} +do + if service "${SERVICE}" status > /dev/null 2>&1 + then + echo -n " + ${SERVICE}:" + + RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')" + ${RELOAD} echo " done." fi -fi +done diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst index 059a269..d4b097b 100644 --- a/dehydrated/share/man/dehydrated-nsupdate.1.rst +++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst @@ -115,7 +115,7 @@ A TSIG file consists of one single line containing the key (nsupdate/knsupdate d Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver. -The lookup hierarchy is the following (earliest match wins): +The lookup hierarchy is the following (first match wins): | | /etc/dehydrated/tsig/${record}.key |