6 files changed, 285 insertions, 16 deletions
diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/dehydrated/share/hooks/deploy_cert.chrony
index 57d735b..b6744ff 100755
--- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -21,8 +21,15 @@
 
 set -e
 
-DIRECTORY="$(dirname "${FULLCHAINFILE}")"
-FILE="cert.fullchain-privkey-${TIMESTAMP}.pem"
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
+then
+	echo -n " + Copying certificate for chrony..."
 
-cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem"
+	# https://bugs.debian.org/1013882
+	cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+	cp -fL "${KEYFILE}" /etc/chrony/key.pem
+
+	chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
+
+	echo " done."
+fi
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
new file mode 100755
index 0000000..391f767
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Creating extra certificate files..."
+
+DIRECTORY="$(dirname "${CERTFILE}")"
+
+if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ]
+then
+	# long chain:
+	# * chain.pem: (R3 | ISRG Root X1)
+	# * fullchain.pem: (Certificate | R3 | ISRG Root X1)
+	CHAIN="long"
+else
+	# short chain:
+	# * chain.pem: (R3)
+	# * fullchain.pem (Certificate | R3)
+	CHAIN="short"
+fi
+
+case "${CHAIN}" in
+	long)
+		# split chain.pem
+		TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+		grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+		# intermediate (R3)
+		mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+		ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+		# root (ISRG Root X1)
+		mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+		ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+		;;
+
+	short)
+		# intermediate (R3)
+		grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+		ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+		# root (ISRG Root X1)
+		ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"
+
+		if [ -n "${ISSUER_URI}" ]
+		then
+			wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"
+			ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+		fi
+		;;
+esac
+
+# extra certificate permutations:
+# * privkey_fullchain.pem: postfix
+# * root_intermediate_cert.pem: redis
+
+for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert
+do
+	rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
+
+	for FILE in $(echo ${EXTRA} | sed -e 's|_| |g')
+	do
+		cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
+	done
+
+	ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem"
+done
+
+echo " done."
diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/dehydrated/share/hooks/deploy_ocsp.extra
index b408f03..35a13f6 100755
--- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey
+++ b/dehydrated/share/hooks/deploy_ocsp.extra
@@ -21,7 +21,17 @@
 
 set -e
 
-FILE="$(readlink "${OCSPFILE}")"
+echo " + Creating extra ocsp links..."
+
 DIRECTORY="$(dirname "${OCSPFILE}")"
+OCSP="$(readlink "${OCSPFILE}")"
+
+for EXTRA in fullchain_privkey privkey_fullchain
+do
+	EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')"
+	EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')"
+
+	ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp"
+done
 
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp"
+echo " done."
diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup
new file mode 100755
index 0000000..fc09f7b
--- /dev/null
+++ b/dehydrated/share/hooks/exit_hook.extra-cleanup
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Cleanup extra certificate files..."
+
+for EXTRA in root intermediate fullchain_privkey privkey_fullchain root_intermediate_cert
+do
+	for CERTIFICATE in "${CERTDIR}"/*/
+	do
+		if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1
+		then
+			continue
+		fi
+
+		SYMLINK="${CERTIFICATE}/${EXTRA}.pem"
+		ORIGINAL="$(readlink -f "${SYMLINK}")"
+
+		if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ]
+		then
+			# remove dangling symlink
+			rm -f "${SYMLINK}"
+		fi
+
+		if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ]
+		then
+			# remove dangling symlink
+			rm -f "${SYMLINK}.ocsp"
+		fi
+
+		if [ -e "${SYMLINK}" ]
+		then
+			for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem
+			do
+				case "$(basename "${FILE}")" in
+					"$(basename "${ORIGINAL}")")
+						continue
+						;;
+
+					*)
+						# archive unused files
+						ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")"
+						mkdir -p "${ARCHIVE}"
+
+						mv "${FILE}" "${ARCHIVE}"
+
+						if [ -e "${FILE}.ocsp" ]
+						then
+							mv "${FILE}.ocsp" "${ARCHIVE}"
+						fi
+						;;
+				esac
+			done
+		fi
+	done
+done
+
+echo " done."
diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions
index 1e089f7..aa15553 100755
--- a/dehydrated/share/hooks/exit_hook.fix-permissions
+++ b/dehydrated/share/hooks/exit_hook.fix-permissions
@@ -21,17 +21,20 @@
 
 set -e
 
-echo " + Fixing permissions..."
+if [ ! -e "${CERTDIR}" ]
+then
+	exit 0
+fi
 
 if getent group ssl-cert > /dev/null 2>&1
 then
-	echo -n "   + /var/lib/dehydrated/certs:"
-
-	find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
-	find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+	echo -n " + Fixing file owner and permissions..."
 
 	# https://bugs.debian.org/854431
-	chown -R root:ssl-cert /var/lib/dehydrated/certs
+	chown -R root:ssl-cert "${CERTDIR}"
+
+	find "${CERTDIR}" -type d -exec chmod 0750 {} \;
+	find "${CERTDIR}" -type f -exec chmod 0640 {} \;
 
 	echo " done."
 fi
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index daba7dd..6d20eb9 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -21,15 +21,99 @@
 
 set -e
 
-echo " + Reloading services..."
+Run_apache2 ()
+{
+	if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled
+	then
+		service apache2 stop
+		service apache2 start
+	fi
+}
+
+Run_chrony ()
+{
+	if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/*
+	then
+		service chrony restart
+	fi
+}
+
+Run_freeradius ()
+{
+	if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/*
+	then
+		service freeradius reload
+	fi
+}
+
+Run_haproxy ()
+{
+	if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
+	then
+		service haproxy reload
+	fi
+}
+
+Run_knot_resolver ()
+{
+	if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
+	then
+		INSTANCES="$(systemctl | grep -c 'kresd@*.service')"
+
+		if [ "${INSTANCES}" -gt 0 ]
+		then
+			for INSTANCE in $(seq 1 "${INSTANCES}")
+			do
+				service kresd@"${INSTANCE}" restart
+			done
+		fi
+	fi
+}
+
+Run_postfix ()
+{
+	if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf
+	then
+		service postfix restart
+	fi
+}
+
+Run_postgresql ()
+{
+	if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/*
+	then
+		service postgresql reload
+	fi
+}
+
+Run_redis_sentinel ()
+{
+	if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf
+	then
+		service redis-sentinel restart
+	fi
+}
+
+Run_redis_server ()
+{
+	if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf
+	then
+		service redis-server restart
+	fi
+}
+
+echo " + Reloading services:"
+
+SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
 
-for SERVICE in apache2 haproxy postgresql redis-server
+for SERVICE in ${SERVICES}
 do
-	if service ${SERVICE} status > /dev/null 2>&1
+	if service "${SERVICE}" status > /dev/null 2>&1
 	then
 		echo -n "   + ${SERVICE}:"
 
-		service ${SERVICE} reload || service ${SERVICE} restart
+		RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')"
+		${RELOAD}
 
 		echo " done."
 	fi