diff options
Diffstat (limited to 'dehydrated')
| -rw-r--r-- | dehydrated/Makefile | 3 | ||||
| -rw-r--r-- | dehydrated/TODO | 7 | ||||
| -rwxr-xr-x | dehydrated/bin/dehydrated-get | 212 | ||||
| -rwxr-xr-x | dehydrated/bin/dehydrated-nsupdate | 103 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_cert.chrony (renamed from dehydrated/share/hooks/deploy_cert.fullchain-privkey) | 15 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 88 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.extra (renamed from dehydrated/share/hooks/deploy_ocsp.fullchain-privkey) | 14 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.extra-cleanup | 77 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.fix-permissions | 15 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 92 | ||||
| -rw-r--r-- | dehydrated/share/man/dehydrated-cron.1.rst | 36 | ||||
| -rw-r--r-- | dehydrated/share/man/dehydrated-hook.1.rst | 49 | ||||
| -rw-r--r-- | dehydrated/share/man/dehydrated-nsupdate.1.rst | 126 |
13 files changed, 732 insertions, 105 deletions
diff --git a/dehydrated/Makefile b/dehydrated/Makefile index 2b6da9f..80f2e30 100644 --- a/dehydrated/Makefile +++ b/dehydrated/Makefile @@ -82,6 +82,9 @@ install: build ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate + ln -sf /usr/bin/dehydrated-get $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.get + ln -sf /usr/bin/dehydrated-get $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.get + for SECTION in $$(seq 1 8); \ do \ if ls share/man/*.$${SECTION} > /dev/null 2>&1; \ diff --git a/dehydrated/TODO b/dehydrated/TODO index 9295784..b6cc845 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -1,8 +1,9 @@ TODO ==== + * add cleanup hook for extra certificates + * add manpages for individual dehydrated hooks * use /etc/default for dehydrated-cron * use /etc/default for dehydrated-hook - * maybe handling multiple different CNAMEs - (not sure if letsencrypt allows that, however, dehydrated-nsupdate only - processes one CNAME) + * use settings from _dehydrated.$domain.$tld for automatic configuration + * allow to configure 'use NS records' or 'use mname in SOA' per zone/tsig diff --git a/dehydrated/bin/dehydrated-get b/dehydrated/bin/dehydrated-get new file mode 100755 index 0000000..4368bab --- /dev/null +++ b/dehydrated/bin/dehydrated-get @@ -0,0 +1,212 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +HOOK="$(basename "${0}")" +HOOK_ACTION="$(echo "${HOOK}" | awk -F. '{ print $1 }')" + +# set nsupdate action +case "${HOOK}" in + clean_challenge.*) + HOOK_ACTION="delete" + ;; + + deploy_challenge.*) + HOOK_ACTION="add" + ;; + + *) + echo "'${HOOK}': no such hook action '${HOOK_ACTION}'" >&2 + echo "'${HOOK}': use 'clean_challenge.' or 'deploy_challenge.' as prefix in your symlink" >&2 + exit 1 + ;; +esac + +# alternatives handling for dig +if command -v wget > /dev/null 2>&1 +then + # wget + GET_VARIANT="wget" +elif command -v curl > /dev/null 2>&1 +then + # curl + GET_VARIANT="curl" +else + echo "'${HOOK}': need wget or curl" >&2 + exit 1 +fi + +case "${DIG_VARIANT}" in + knot) + DIG="kdig +noidn" + ;; + + bind) + DIG="dig +noidnout" + ;; +esac + +# alternatives handling for nsupdate +if command -v knsupdate > /dev/null 2>&1 +then + # knot-dnsutils + NSUPDATE_VARIANT="knot" +elif command -v nsupdate > /dev/null 2>&1 +then + # bind-dnsutils + NSUPDATE_VARIANT="bind" +else + echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2 + exit 1 +fi + +case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE="knsupdate" + ;; + + bind) + NSUPDATE="nsupdate" + ;; +esac + +# config +for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/* +do + if [ -e "${FILE}" ] + then + . "${FILE}" + fi +done + +# find txt record to update +CNAME="$(${DIG} +nocomments +noquestion "_acme-challenge.${DOMAIN}" 2>&1 | grep -v '^;' | awk '/CNAME/ { print $5 }' | tail -n1)" + +if [ -n "${CNAME}" ] +then + TXT_RECORD="${CNAME}" +else + TXT_RECORD="_acme-challenge.${DOMAIN}" +fi + +ZONE="${TXT_RECORD}" + +# find all nameservers to update +while true +do + NAMESERVERS="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $5 }')" + + if [ -n "${NAMESERVERS}" ] + then + ZONE="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $1 }' | tail -n1)" + break + else + ZONE="$(echo "${ZONE}" | cut -d '.' -f 2-)" + fi +done + +NAMESERVERS_IPV6="" +NAMESERVERS_IPV4="" + +for NAMESERVER in ${NAMESERVERS} +do + if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ] + then + NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}" + fi + + if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ] + then + NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}" + fi +done + +# filter nameservers by available IP protocol +NAMESERVERS="" + +if hostname -I | grep -qs ':' +then + NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV6}" +fi + +if hostname -I | grep -qs '\.' +then + NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}" +fi + +NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)" + +# update nameservers +for NAMESERVER in ${NAMESERVERS} +do + if [ -e "/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" ] + then + # specific key per record + KEY="/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" + elif [ -e "/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" ] + then + # specific key per zone + KEY="/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" + elif [ -e "/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" ] + then + # specific key per nameserver + KEY="/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" + elif [ -e "/etc/dehydrated/tsig.key" ] + then + # global key (filesystem) + KEY="/etc/dehydrated/tsig.key" + elif [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ] + then + # global key (conffile) + KEY="${TSIG_KEYFILE}" + else + # no key + KEY="" + fi + + # ignoring comments to allow empty keyfiles to disable TSIG individually + TSIG="$(grep -sv '^#' "${KEY}" || true)" + + if [ -n "${KEY}" ] && [ -n "${TSIG}" ] + then + case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE_OPTIONS="-k ${KEY}" + ;; + + bind) + NSUPDATE_OPTIONS="-y $(cat "${KEY}")" + ;; + esac + fi + + echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.." + +# shellcheck disable=SC2086 +echo "server ${NAMESERVER} +zone ${ZONE} +ttl 0 +update ${HOOK_ACTION} ${TXT_RECORD} 0 TXT ${TOKEN_VALUE} +send" | "${NSUPDATE}" ${NSUPDATE_OPTIONS} + + echo " done." +done diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate index fa421ea..657cc48 100755 --- a/dehydrated/bin/dehydrated-nsupdate +++ b/dehydrated/bin/dehydrated-nsupdate @@ -45,30 +45,50 @@ esac if command -v kdig > /dev/null 2>&1 then # knot-dnsutils - DIG="kdig +noidn" + DIG_VARIANT="knot" elif command -v dig > /dev/null 2>&1 then # bind-dnsutils - DIG="dig +noidnout" + DIG_VARIANT="bind" else echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2 exit 1 fi +case "${DIG_VARIANT}" in + knot) + DIG="kdig +noidn" + ;; + + bind) + DIG="dig +noidnout" + ;; +esac + # alternatives handling for nsupdate if command -v knsupdate > /dev/null 2>&1 then # knot-dnsutils - NSUPDATE="knsupdate" + NSUPDATE_VARIANT="knot" elif command -v nsupdate > /dev/null 2>&1 then # bind-dnsutils - NSUPDATE="nsupdate" + NSUPDATE_VARIANT="bind" else echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2 exit 1 fi +case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE="knsupdate" + ;; + + bind) + NSUPDATE="nsupdate" + ;; +esac + # config for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/* do @@ -88,9 +108,9 @@ else TXT_RECORD="_acme-challenge.${DOMAIN}" fi -# find nameservers to update ZONE="${TXT_RECORD}" +# find all nameservers to update while true do NAMESERVERS="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $5 }')" @@ -104,15 +124,82 @@ do fi done -if [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ] +NAMESERVERS_IPV6="" +NAMESERVERS_IPV4="" + +for NAMESERVER in ${NAMESERVERS} +do + if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ] + then + NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}" + fi + + if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ] + then + NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}" + fi +done + +# filter nameservers by available IP protocol +NAMESERVERS="" + +if hostname -I | grep -qs ':' +then + NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV6}" +fi + +if hostname -I | grep -qs '\.' then - NSUPDATE_OPTIONS="-k ${TSIG_KEYFILE}" + NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}" fi +NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)" + # update nameservers for NAMESERVER in ${NAMESERVERS} do - echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..." + if [ -e "/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" ] + then + # specific key per record + KEY="/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" + elif [ -e "/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" ] + then + # specific key per zone + KEY="/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" + elif [ -e "/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" ] + then + # specific key per nameserver + KEY="/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" + elif [ -e "/etc/dehydrated/tsig.key" ] + then + # global key (filesystem) + KEY="/etc/dehydrated/tsig.key" + elif [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ] + then + # global key (conffile) + KEY="${TSIG_KEYFILE}" + else + # no key + KEY="" + fi + + # ignoring comments to allow empty keyfiles to disable TSIG individually + TSIG="$(grep -sv '^#' "${KEY}" || true)" + + if [ -n "${KEY}" ] && [ -n "${TSIG}" ] + then + case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE_OPTIONS="-k ${KEY}" + ;; + + bind) + NSUPDATE_OPTIONS="-y $(cat "${KEY}")" + ;; + esac + fi + + echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.." # shellcheck disable=SC2086 echo "server ${NAMESERVER} diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/dehydrated/share/hooks/deploy_cert.chrony index 57d735b..b6744ff 100755 --- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey +++ b/dehydrated/share/hooks/deploy_cert.chrony @@ -21,8 +21,15 @@ set -e -DIRECTORY="$(dirname "${FULLCHAINFILE}")" -FILE="cert.fullchain-privkey-${TIMESTAMP}.pem" +if grep -Eqrs '^ *ntsservercert' /etc/chrony +then + echo -n " + Copying certificate for chrony..." -cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}" -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem" + # https://bugs.debian.org/1013882 + cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem + cp -fL "${KEYFILE}" /etc/chrony/key.pem + + chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem + + echo " done." +fi diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra new file mode 100755 index 0000000..391f767 --- /dev/null +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -0,0 +1,88 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo -n " + Creating extra certificate files..." + +DIRECTORY="$(dirname "${CERTFILE}")" + +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # long chain: + # * chain.pem: (R3 | ISRG Root X1) + # * fullchain.pem: (Certificate | R3 | ISRG Root X1) + CHAIN="long" +else + # short chain: + # * chain.pem: (R3) + # * fullchain.pem (Certificate | R3) + CHAIN="short" +fi + +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' + + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac + +# extra certificate permutations: +# * privkey_fullchain.pem: postfix +# * root_intermediate_cert.pem: redis + +for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert +do + rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + + for FILE in $(echo ${EXTRA} | sed -e 's|_| |g') + do + cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + done + + ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem" +done + +echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/dehydrated/share/hooks/deploy_ocsp.extra index b408f03..35a13f6 100755 --- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -21,7 +21,17 @@ set -e -FILE="$(readlink "${OCSPFILE}")" +echo " + Creating extra ocsp links..." + DIRECTORY="$(dirname "${OCSPFILE}")" +OCSP="$(readlink "${OCSPFILE}")" + +for EXTRA in fullchain_privkey privkey_fullchain +do + EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" + + ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp" +done -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp" +echo " done." diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup new file mode 100755 index 0000000..fc09f7b --- /dev/null +++ b/dehydrated/share/hooks/exit_hook.extra-cleanup @@ -0,0 +1,77 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo -n " + Cleanup extra certificate files..." + +for EXTRA in root intermediate fullchain_privkey privkey_fullchain root_intermediate_cert +do + for CERTIFICATE in "${CERTDIR}"/*/ + do + if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1 + then + continue + fi + + SYMLINK="${CERTIFICATE}/${EXTRA}.pem" + ORIGINAL="$(readlink -f "${SYMLINK}")" + + if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ] + then + # remove dangling symlink + rm -f "${SYMLINK}" + fi + + if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ] + then + # remove dangling symlink + rm -f "${SYMLINK}.ocsp" + fi + + if [ -e "${SYMLINK}" ] + then + for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem + do + case "$(basename "${FILE}")" in + "$(basename "${ORIGINAL}")") + continue + ;; + + *) + # archive unused files + ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")" + mkdir -p "${ARCHIVE}" + + mv "${FILE}" "${ARCHIVE}" + + if [ -e "${FILE}.ocsp" ] + then + mv "${FILE}.ocsp" "${ARCHIVE}" + fi + ;; + esac + done + fi + done +done + +echo " done." diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions index 1e089f7..aa15553 100755 --- a/dehydrated/share/hooks/exit_hook.fix-permissions +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -21,17 +21,20 @@ set -e -echo " + Fixing permissions..." +if [ ! -e "${CERTDIR}" ] +then + exit 0 +fi if getent group ssl-cert > /dev/null 2>&1 then - echo -n " + /var/lib/dehydrated/certs:" - - find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; - find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + echo -n " + Fixing file owner and permissions..." # https://bugs.debian.org/854431 - chown -R root:ssl-cert /var/lib/dehydrated/certs + chown -R root:ssl-cert "${CERTDIR}" + + find "${CERTDIR}" -type d -exec chmod 0750 {} \; + find "${CERTDIR}" -type f -exec chmod 0640 {} \; echo " done." fi diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index daba7dd..6d20eb9 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -21,15 +21,99 @@ set -e -echo " + Reloading services..." +Run_apache2 () +{ + if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled + then + service apache2 stop + service apache2 start + fi +} + +Run_chrony () +{ + if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/* + then + service chrony restart + fi +} + +Run_freeradius () +{ + if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/* + then + service freeradius reload + fi +} + +Run_haproxy () +{ + if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' + then + service haproxy reload + fi +} + +Run_knot_resolver () +{ + if grep -Eqrs '^ *net.tls' /etc/knot-resolver/* + then + INSTANCES="$(systemctl | grep -c 'kresd@*.service')" + + if [ "${INSTANCES}" -gt 0 ] + then + for INSTANCE in $(seq 1 "${INSTANCES}") + do + service kresd@"${INSTANCE}" restart + done + fi + fi +} + +Run_postfix () +{ + if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf + then + service postfix restart + fi +} + +Run_postgresql () +{ + if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/* + then + service postgresql reload + fi +} + +Run_redis_sentinel () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf + then + service redis-sentinel restart + fi +} + +Run_redis_server () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf + then + service redis-server restart + fi +} + +echo " + Reloading services:" + +SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server" -for SERVICE in apache2 haproxy postgresql redis-server +for SERVICE in ${SERVICES} do - if service ${SERVICE} status > /dev/null 2>&1 + if service "${SERVICE}" status > /dev/null 2>&1 then echo -n " + ${SERVICE}:" - service ${SERVICE} reload || service ${SERVICE} restart + RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')" + ${RELOAD} echo " done." fi diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst index c060127..cd93a30 100644 --- a/dehydrated/share/man/dehydrated-cron.1.rst +++ b/dehydrated/share/man/dehydrated-cron.1.rst @@ -36,12 +36,25 @@ Synopsis Description =========== -**dehydrated** is a client for ACME-based Certificate Authorities, such as -LetsEncrypt. It can be used to request and obtain TLS certificates from an -ACME-based certificate authority. +**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority. + +The **dehydrated-cron** script runs dehydrated once per day and on system reboot for an automatic certificate renewal. + +It uses the dehydrated '--keep-going' option to keep going after encountering an error while creating/renewing multiple certificates. Afterwards it also removes all unused certificates by using the dehydrated '--cleanup-delete' option. + +Usage +===== + +Installation +------------ + +| sudo ln -s /usr/bin/dehydrated-cron /etc/cron.d/dehydrated + +Removal +------- + +| sudo rm -f /etc/cron.d/dehydrated -The **dehydrated-cron** script runs dehydrated once per day and on system -reboot for an automatic certificate renewal. Files ===== @@ -67,21 +80,16 @@ See also Homepage ======== -More information about service-tools and the Open Infrastructure project can be -found on the homepage (https://open-infrastructure.net). +More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net). Contact ======= -Bug reports, feature requests, help, patches, support and everything else are -welcome on the Open Infrastructure Software Mailing List -<software@lists.open-infrastructure.net>. +Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. -Debian specific bugs can also be reported in the Debian Bug Tracking System -(https://bugs.debian.org). +Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org). Authors ======= -service-tools were written by Daniel Baumann -<daniel.baumann@open-infrastructure.net> and others. +service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst index 607be92..de63127 100644 --- a/dehydrated/share/man/dehydrated-hook.1.rst +++ b/dehydrated/share/man/dehydrated-hook.1.rst @@ -36,43 +36,45 @@ Synopsis Description =========== -**dehydrated** is a client for ACME-based Certificate Authorities, such as -LetsEncrypt. It can be used to request and obtain TLS certificates from an -ACME-based certificate authority. +**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority. -The **dehydrated-hook** makes it possible to run multiple scripts in every -stage within the process of creating, signing and deploying a certificate. +The **dehydrated-hook** makes it possible to run multiple scripts in every stage within the process of creating, signing and deploying a certificate. -Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed -with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh +Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh Handlers ======== The following **dehydrated** handlers are available: +| | deploy_challenge - | clean_challenge - | sync_cert - | deploy_cert - | deploy_ocsp - | unchanged_cert - | invalid_challenge - | request_failure - | generate_csr - | startup_hook - | exit_hook +Usage +===== + +Installation +------------ + +| sudo echo HOOK="/usr/bin/dehydrated-hook" > /etc/dehydrated/conf.d/zz-hook.sh +| sudo mkdir -p /etc/dehydrated/hook.d + +Removal +------- + +| sudo rm -f /etc/dehydrated/conf.d/zz-hook.sh +| sudo rmdir /etc/dehydrated/hook.d + Files ===== @@ -91,21 +93,16 @@ See also Homepage ======== -More information about service-tools and the Open Infrastructure project can be -found on the homepage (https://open-infrastructure.net). +More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net). Contact ======= -Bug reports, feature requests, help, patches, support and everything else are -welcome on the Open Infrastructure Software Mailing List -<software@lists.open-infrastructure.net>. +Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. -Debian specific bugs can also be reported in the Debian Bug Tracking System -(https://bugs.debian.org). +Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org). Authors ======= -service-tools were written by Daniel Baumann -<daniel.baumann@open-infrastructure.net> and others. +service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst index 058785f..d4b097b 100644 --- a/dehydrated/share/man/dehydrated-nsupdate.1.rst +++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst @@ -36,15 +36,12 @@ Synopsis Description =========== -**dehydrated** is a client for ACME-based Certificate Authorities, such as -LetsEncrypt. It can be used to request and obtain TLS certificates from an -ACME-based certificate authority. +**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority. -The **dehydrated-nsupdate** hook implements the dns-01 verification. It is -typically run together with **dehydrated-hook** as: +The **dehydrated-nsupdate** hook implements the dns-01 verification. It is typically run together with **dehydrated-hook** as: +| | /etc/dehydrated/hook.d/deploy_challenge.nsupdate - | /etc/dehydrated/hook.d/clean_challenge.nsupdate Features @@ -52,31 +49,87 @@ Features **dehydrated-nsupdate** has the following features: -| **automatic nameserver detection** -| **dehydrated-nsupdate** automatically finds and updates all authoritative -| nameservers for a given record by looking up the records in the DNS by itself. +Automatic nameserver detection (IPv4 and IPv6) +---------------------------------------------- + +dehydrated-nsupdate automatically finds and updates all authoritative nameservers for a given record by looking up the records in the DNS by itself, supporting IPv6-only, IPv4-only, and dual-stacked environments. + +Proper CNAME support +-------------------- + +dehydrated-nsupdate follows CNAMEs delegating the TXT record update to another zone. + +Handling nameserver subzone shortcuts +------------------------------------- + +dehydrated-nsupdate correctly handles authoritative nameserver answers that (wrongly) give shortcut answers for their own zones when using multiple authoritative subzones on the same nameservers. + +TSIG support +------------ -| **proper CNAME support** -| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to -| another zone. +dehydrated-nsupdate uses TSIG, if provided, to authenticate itself to the nameserver. Additionally to a global TSIG to be used for all record updates, separate TSIGs can individually be specified per record, per zone, and per nameserver. -| **handling nameserver subzone shortcuts** -| **dehydrated-nsupdate** correctly handles authoritative nameserver -| answers that give shortcut answers for their own zones when using -| multiple subzones. +Proper removal of TXT records +----------------------------- -| **TSIG support** -| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate -| itself to the nameserver. +dehydrated-nsupdate removes records after succesfull verification. + +bind9-dnsutils and knot-dnsutils support +---------------------------------------- + +dehydrated-nsupdate works with both nsupdate (bind9) and knsupdate (knot). + +IDN handling +------------ + +dehydrated-nsupdate works with IDN domains by not expanding the punycode to update the correct records. + +Usage +===== -| **proper removal of TXT records** -| **dehydrated-nsupdate** removes records after succesfull verification. +dehydrated-hook(1) is a prerequisite for dehydrated-nsupdate. -| **bind9-dnsutils and knot-dnsutils support* -| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot). +Installation +------------ -| **IDN handling** -| **dehydrated-nsupdate** works with IDN domains by not expanding the punycode. +| sudo echo CHALLENGETYPE="dns-01" > /etc/dehydrated/conf.d/zz-challengetype.sh +| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/deploy_challenge.nsupdate +| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/clean_challenge.nsupdate + +Removal +------- + +| sudo rm -f /etc/dehydrated/conf.d/zz-challengetype.sh +| sudo rm -f /etc/dehydrated/hook.d/deploy_challenge.nsupdate +| sudo rm -f /etc/dehydrated/hook.d/clean_challenge.nsupdate + +Configuration +============= + +Depending on the nameserver requirements, dehydrated-nsupdate can send record updates either unauthenticated or using a TSIG (recommended). + +A TSIG file consists of one single line containing the key (nsupdate/knsupdate do not allow comments), e.g.: + +| +| hmac-sha512:example:/LXPy6U8HAWA+QmvulZWm0owsQgNf8qJ5MNLTvirzvVtDb+PzLKoBmVHjnL6TUffkvRYa7Do448dSIrAuJ1G/A== + +Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver. + +The lookup hierarchy is the following (first match wins): + +| +| /etc/dehydrated/tsig/${record}.key +| /etc/dehydrated/tsig/${zone}.key +| /etc/dehydrated/tsig/${nameserver}.key +| /etc/dehydrated/tsig.key +| +| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate/* +| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate + +In order to explicitly not use a TSIG for a specific record, zone, or nameserver, an empty keyfile or a keyfile with only comments can be used, e.g.: + +| +| echo "# disabled" > /etc/dehydrated/tsig/ns1.example.org.key Files ===== @@ -84,11 +137,13 @@ Files The following files are used: /etc/dehydrated/tsig.key: - default location for the TSIG key to be used. + default location for global TSIG key to be used. + +/etc/dehydrated/tsig/${record}.key, /etc/dehydrated/tsig/${zone}.key, /etc/dehydrated/tsig/${nameserver}.key: + default locations for specific TSIG keys to be used individually per record, zone, or nameserver. -/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*: - configuration file, currently only used for TSIG_KEYFILE variable pointing - to the tsig.key file to be used (default: /etc/dehydrated/tsig.key). +/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/\*: + configuration file, currently only used for TSIG_KEYFILE variable pointing to the location of the global TSIG key to be used (default: /etc/dehydrated/tsig.key). See also ======== @@ -100,21 +155,16 @@ See also Homepage ======== -More information about service-tools and the Open Infrastructure project can be -found on the homepage (https://open-infrastructure.net). +More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net). Contact ======= -Bug reports, feature requests, help, patches, support and everything else are -welcome on the Open Infrastructure Software Mailing List -<software@lists.open-infrastructure.net>. +Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. -Debian specific bugs can also be reported in the Debian Bug Tracking System -(https://bugs.debian.org). +Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org). Authors ======= -service-tools were written by Daniel Baumann -<daniel.baumann@open-infrastructure.net> and others. +service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. |