summaryrefslogtreecommitdiffstats
path: root/dehydrated
diff options
context:
space:
mode:
Diffstat (limited to 'dehydrated')
-rw-r--r--dehydrated/TODO3
-rwxr-xr-xdehydrated/bin/dehydrated-nsupdate38
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.chrony (renamed from dehydrated/share/hooks/exit_hook.zz-chrony)15
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra52
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.fullchain-privkey28
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.privkey-fullchain28
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.extra (renamed from dehydrated/share/hooks/deploy_ocsp.fullchain-privkey)14
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.privkey-fullchain27
-rwxr-xr-xdehydrated/share/hooks/exit_hook.fix-permissions10
-rwxr-xr-xdehydrated/share/hooks/exit_hook.service-reload95
-rw-r--r--dehydrated/share/man/dehydrated-nsupdate.1.rst2
11 files changed, 182 insertions, 130 deletions
diff --git a/dehydrated/TODO b/dehydrated/TODO
index 1a2504f..efbd047 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -4,5 +4,4 @@ TODO
* add manpages for individual dehydrated hooks
* use /etc/default for dehydrated-cron
* use /etc/default for dehydrated-hook
- * use settings from _dehydrated.$domain.$tld
- * allow specifing multiple certificates in preseeding with e.g. '|' as devider
+ * use settings from _dehydrated.$domain.$tld for automatic configuration
diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate
index 05027ab..c6bf6c5 100755
--- a/dehydrated/bin/dehydrated-nsupdate
+++ b/dehydrated/bin/dehydrated-nsupdate
@@ -45,30 +45,50 @@ esac
if command -v kdig > /dev/null 2>&1
then
# knot-dnsutils
- DIG="kdig +noidn"
+ DIG_VARIANT="knot"
elif command -v dig > /dev/null 2>&1
then
# bind-dnsutils
- DIG="dig +noidnout"
+ DIG_VARIANT="bind"
else
echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2
exit 1
fi
+case "${DIG_VARIANT}" in
+ knot)
+ DIG="kdig +noidn"
+ ;;
+
+ bind)
+ DIG="dig +noidnout"
+ ;;
+esac
+
# alternatives handling for nsupdate
if command -v knsupdate > /dev/null 2>&1
then
# knot-dnsutils
- NSUPDATE="knsupdate"
+ NSUPDATE_VARIANT="knot"
elif command -v nsupdate > /dev/null 2>&1
then
# bind-dnsutils
- NSUPDATE="nsupdate"
+ NSUPDATE_VARIANT="bind"
else
echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2
exit 1
fi
+case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE="knsupdate"
+ ;;
+
+ bind)
+ NSUPDATE="nsupdate"
+ ;;
+esac
+
# config
for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/*
do
@@ -168,7 +188,15 @@ do
if [ -n "${KEY}" ] && [ -n "${TSIG}" ]
then
- NSUPDATE_OPTIONS="-k ${KEY}"
+ case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE_OPTIONS="-k ${KEY}"
+ ;;
+
+ bind)
+ NSUPDATE_OPTIONS="-y $(cat "${KEY}")"
+ ;;
+ esac
fi
echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."
diff --git a/dehydrated/share/hooks/exit_hook.zz-chrony b/dehydrated/share/hooks/deploy_cert.chrony
index 13a7e9a..9bccf75 100755
--- a/dehydrated/share/hooks/exit_hook.zz-chrony
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -21,22 +21,15 @@
set -e
-if grep -r -qs -E '^ntsserver(cert|key)' /etc/chrony
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
then
- echo -n " + chrony (workaround):"
-
# https://bugs.debian.org/1013882
- HOST="$(cat /etc/hostname)"
+ echo -n " + Copying certificate for chrony..."
- cp -L "/var/lib/dehydrated/certs/${HOST}/fullchain.pem" /etc/chrony/cert.pem
- cp -L "/var/lib/dehydrated/certs/${HOST}/privkey.pem" /etc/chrony/key.pem
+ cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+ cp -fL "${KEYFILE}" /etc/chrony/key.pem
chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
- if service chrony status > /dev/null 2>&1
- then
- service chrony restart
- fi
-
echo " done."
fi
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
new file mode 100755
index 0000000..efca7b0
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo " + Creating extra certificate files:"
+
+DIRECTORY="$(dirname "${CERTFILE}")"
+
+echo -n " + root and intermediate CA:"
+
+TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+mv "${TMPFILE}00" "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem"
+ln -s "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca-intermediate.pem"
+
+mv "${TMPFILE}01" "${DIRECTORY}/ca-root-${TIMESTAMP}.pem"
+ln -s "${DIRECTORY}/ca-root-${TIMESTAMP}.pem" "${DIRECTORY}/ca-root.pem"
+
+echo " done."
+
+for EXTRA in fullchain-privkey privkey-fullchain
+do
+ echo -n " + creating ${EXTRA1}-${EXTRA2}:"
+
+ EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')"
+
+ cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem"
+ ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem"
+
+ echo " done."
+done
diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/dehydrated/share/hooks/deploy_cert.fullchain-privkey
deleted file mode 100755
index 57d735b..0000000
--- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-set -e
-
-DIRECTORY="$(dirname "${FULLCHAINFILE}")"
-FILE="cert.fullchain-privkey-${TIMESTAMP}.pem"
-
-cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem"
diff --git a/dehydrated/share/hooks/deploy_cert.privkey-fullchain b/dehydrated/share/hooks/deploy_cert.privkey-fullchain
deleted file mode 100755
index bd2c4a0..0000000
--- a/dehydrated/share/hooks/deploy_cert.privkey-fullchain
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-set -e
-
-DIRECTORY="$(dirname "${FULLCHAINFILE}")"
-FILE="cert.privkey-fullchain-${TIMESTAMP}.pem"
-
-cat "${KEYFILE}" "${FULLCHAINFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem"
diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/dehydrated/share/hooks/deploy_ocsp.extra
index b408f03..36d0302 100755
--- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey
+++ b/dehydrated/share/hooks/deploy_ocsp.extra
@@ -21,7 +21,17 @@
set -e
-FILE="$(readlink "${OCSPFILE}")"
+echo " + Creating extra ocsp links..."
+
DIRECTORY="$(dirname "${OCSPFILE}")"
+OCSP="$(readlink "${OCSPFILE}")"
+
+for EXTRA in fullchain-privkey privkey-fullchain
+do
+ EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')"
+
+ ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp"
+done
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp"
+echo " done."
diff --git a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain b/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain
deleted file mode 100755
index d0dacf1..0000000
--- a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-set -e
-
-FILE="$(readlink "${OCSPFILE}")"
-DIRECTORY="$(dirname "${OCSPFILE}")"
-
-ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem.ocsp"
diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions
index 6a1958d..4a467a7 100755
--- a/dehydrated/share/hooks/exit_hook.fix-permissions
+++ b/dehydrated/share/hooks/exit_hook.fix-permissions
@@ -26,17 +26,15 @@ then
exit 0
fi
-echo " + Fixing permissions..."
-
if getent group ssl-cert > /dev/null 2>&1
then
- echo -n " + /var/lib/dehydrated/certs:"
-
- find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
- find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+ echo -n " + Fixing file owner and permissions..."
# https://bugs.debian.org/854431
chown -R root:ssl-cert /var/lib/dehydrated/certs
+ find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
+ find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+
echo " done."
fi
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index 486c62f..cf297ab 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -21,36 +21,91 @@
set -e
-SERVICES="apache2 haproxy knot postgresql redis-server"
+Run_apache2 ()
+{
+ if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled
+ then
+ service apache2 reload
+ fi
+}
-echo " + Reloading services..."
+Run_chrony ()
+{
+ if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/*
+ then
+ service chrony restart
+ fi
+}
-for SERVICE in ${SERVICES}
-do
- if service "${SERVICE}" status > /dev/null 2>&1
+Run_haproxy ()
+{
+ if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
then
- echo -n " + ${SERVICE}:"
+ service haproxy reload
+ fi
+}
- service "${SERVICE}" reload || service "${SERVICE}" restart
+Run_knot_resolver ()
+{
+ if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
+ then
+ INSTANCES="$(systemctl | grep -c 'kresd@*.service')"
- echo " done."
+ if [ "${INSTANCES}" -gt 0 ]
+ then
+ for INSTANCE in $(seq 1 "${INSTANCES}")
+ do
+ service kresd@"${INSTANCE}" restart
+ done
+ fi
fi
-done
+}
+
+Run_postfix ()
+{
+ if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf
+ then
+ service postfix restart
+ fi
+}
-if grep -r -qs '^net.tls' /etc/knot-resolver/* && service kresd@1 status > /dev/null 2>&1
-then
- NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')"
+Run_postgresql ()
+{
+ if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/*
+ then
+ service postgresql reload
+ fi
+}
+
+Run_redis_sentinel ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf
+ then
+ service redis-sentinel restart
+ fi
+}
- if [ "${NUMBER}" -gt 0 ]
+Run_redis_server ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf
then
- echo -n " + knot-resolver:"
+ service redis-server restart
+ fi
+}
- for NUMBER in $(seq 1 "${NUMBER}")
- do
- echo -n " #${NUMBER}"
- service kresd@"${NUMBER}" restart
- done
+echo " + Reloading services:"
+
+SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
+
+for SERVICE in ${SERVICES}
+do
+ if service "${SERVICE}" status > /dev/null 2>&1
+ then
+ echo -n " + ${SERVICE}:"
+
+ RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')"
+ ${RELOAD}
echo " done."
fi
-fi
+done
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
index 059a269..d4b097b 100644
--- a/dehydrated/share/man/dehydrated-nsupdate.1.rst
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -115,7 +115,7 @@ A TSIG file consists of one single line containing the key (nsupdate/knsupdate d
Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver.
-The lookup hierarchy is the following (earliest match wins):
+The lookup hierarchy is the following (first match wins):
|
| /etc/dehydrated/tsig/${record}.key