Diffstat (limited to 'dehydrated')
-rw-r--r-- | dehydrated/Makefile | 2 | ||||
-rw-r--r-- | dehydrated/TODO | 2 | ||||
-rwxr-xr-x | dehydrated/bin/dehydrated-cron | 2 | ||||
-rwxr-xr-x | dehydrated/bin/dehydrated-hook | 2 | ||||
-rwxr-xr-x | dehydrated/bin/dehydrated-nsupdate | 8 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.chrony | 2 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 67 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.extra | 9 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.extra-cleanup | 4 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.fix-permissions | 2 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 12 | ||||
-rw-r--r-- | dehydrated/share/man/Makefile | 2 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-cron.1.rst | 2 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-hook.1.rst | 2 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-nsupdate.1.rst | 2 | ||||
-rw-r--r-- | dehydrated/share/man/man.in | 2 |
16 files changed, 85 insertions, 37 deletions
diff --git a/dehydrated/Makefile b/dehydrated/Makefile index 2b6da9f..afa7737 100644 --- a/dehydrated/Makefile +++ b/dehydrated/Makefile @@ -1,6 +1,6 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # diff --git a/dehydrated/TODO b/dehydrated/TODO index 9e49d83..6542da7 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -1,6 +1,8 @@ TODO ==== + * nsupdate: don't fail when one of many nameservers don't work + * add cleanup hook for extra certificates * add manpages for individual dehydrated hooks * use /etc/default for dehydrated-cron * use /etc/default for dehydrated-hook diff --git a/dehydrated/bin/dehydrated-cron b/dehydrated/bin/dehydrated-cron index 2f283e4..c0adb76 100755 --- a/dehydrated/bin/dehydrated-cron +++ b/dehydrated/bin/dehydrated-cron @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # diff --git a/dehydrated/bin/dehydrated-hook b/dehydrated/bin/dehydrated-hook index 9103495..f430e3d 100755 --- a/dehydrated/bin/dehydrated-hook +++ b/dehydrated/bin/dehydrated-hook @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate index 657cc48..127b6a4 100755 --- a/dehydrated/bin/dehydrated-nsupdate +++ b/dehydrated/bin/dehydrated-nsupdate 
@@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -51,7 +51,7 @@ then # bind-dnsutils DIG_VARIANT="bind" else - echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2 + echo "'${HOOK}': need dig from bind-dnsutils or kdig from knot-dnsutils" >&2 exit 1 fi @@ -75,7 +75,7 @@ then # bind-dnsutils NSUPDATE_VARIANT="bind" else - echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2 + echo "'${HOOK}': need nsupdate from bind-dnsutils or knsupdate from knot-dnsutils" >&2 exit 1 fi @@ -199,7 +199,7 @@ do esac fi - echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.." + echo -n " + ${DOMAIN}: sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.." # shellcheck disable=SC2086 echo "server ${NAMESERVER} diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony index b6744ff..f79d38f 100755 --- a/dehydrated/share/hooks/deploy_cert.chrony +++ b/dehydrated/share/hooks/deploy_cert.chrony @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index 56ca2f4..de57c87 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # 
@@ -25,25 +25,64 @@ echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -# root and intermediate CA -TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" -grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # long chain: + # * chain.pem: (R3 | ISRG Root X1) + # * fullchain.pem: (Certificate | R3 | ISRG Root X1) + CHAIN="long" +else + # short chain: + # * chain.pem: (R3) + # * fullchain.pem (Certificate | R3) + CHAIN="short" +fi -mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' -mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac # extra certificate 
permutations: -# * privkey_fullchain.pem: postfix -for EXTRA in fullchain_privkey privkey_fullchain +# * privkey_fullchain.pem: postfix +# * root_intermediate_cert.pem: redis + +for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert do - EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" + rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + + for FILE in $(echo ${EXTRA} | sed -e 's|_| |g') + do + cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + done - cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" - ln -sf "${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem" + ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem" done echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra index 35a13f6..6977a7f 100755 --- a/dehydrated/share/hooks/deploy_ocsp.extra +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -26,12 +26,11 @@ echo " + Creating extra ocsp links..." DIRECTORY="$(dirname "${OCSPFILE}")" OCSP="$(readlink "${OCSPFILE}")" -for EXTRA in fullchain_privkey privkey_fullchain +for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert do - EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')" + rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem.ocsp" - ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp" + ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA}.pem.ocsp" done echo " done." 
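Review bot: In the short-chain branch of deploy_cert.extra the root certificate is fetched with `wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"` and immediately linked as root.pem without checking that the download succeeded or that what came back is actually the issuer of the intermediate; because the redirection creates the file before the pipeline runs, a failed fetch leaves an empty root-${TIMESTAMP}.pem that the later `cat` loop bundles into root_intermediate_cert-${TIMESTAMP}.pem (or, if the script runs under set -e, which this hunk does not show, the hook aborts with the empty file left behind). The AIA "CA Issuers" endpoint commonly serves DER, so `openssl x509` may also need `-inform DER` unless the installed OpenSSL auto-detects the input format — worth confirming on the target system. Fetching into a temporary file, checking it verifies the intermediate with `openssl verify`, and only then moving it into place avoids installing an unverified or truncated root. Separately, `grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE}` at the top of the hunk leaves the path unquoted while every other expansion in the hunk is quoted (`"${FULLCHAINFILE}"`).
```shell
  short)
    # … unchanged: intermediate extraction and intermediate.pem symlink …

    # root: fetch the issuer named in the intermediate's AIA extension, but only
    # install it once it parses and actually verifies the intermediate
    ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"

    if [ -n "${ISSUER_URI}" ]
    then
      TMPROOT="$(mktemp -p "${DIRECTORY}" root.XXXXXXXXXX)"

      if wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${TMPROOT}" \
         && openssl verify -CAfile "${TMPROOT}" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" > /dev/null 2>&1
      then
        mv "${TMPROOT}" "${DIRECTORY}/root-${TIMESTAMP}.pem"
        ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
      else
        rm -f "${TMPROOT}"
        echo " failed to fetch or verify root certificate from ${ISSUER_URI}" >&2
        exit 1
      fi
    fi
    ;;
```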
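Review bot: The new `rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem.ocsp"` in deploy_ocsp.extra removes a path that nothing in this hook writes — the only file it creates is the `${EXTRA}.pem.ocsp` symlink on the next line, and `ln -sf` already replaces that. It reads like a copy of the `rm -f` that deploy_cert.extra needs before appending to `${EXTRA}-${TIMESTAMP}.pem`; either drop the line or, if a timestamped OCSP copy is created elsewhere, say so in a comment: `# remove stale timestamped copy created by <hook-name>`.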
diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup index 59e203e..6c5ca5d 100755 --- a/dehydrated/share/hooks/exit_hook.extra-cleanup +++ b/dehydrated/share/hooks/exit_hook.extra-cleanup @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -23,7 +23,7 @@ set -e echo -n " + Cleanup extra certificate files..." -for EXTRA in root intermediate fullchain_privkey privkey_fullchain +for EXTRA in root intermediate fullchain_privkey privkey_fullchain root_intermediate_cert do for CERTIFICATE in "${CERTDIR}"/*/ do diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions index aa15553..672dd7b 100755 --- a/dehydrated/share/hooks/exit_hook.fix-permissions +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index c62c133..68bc6ec 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # 
@@ -38,6 +38,14 @@ Run_chrony () fi } +Run_freeradius () +{ + if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/* + then + service freeradius reload + fi +} + Run_haproxy () { if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' @@ -96,7 +104,7 @@ Run_redis_server () echo " + Reloading services:" -SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" +SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server" for SERVICE in ${SERVICES} do diff --git a/dehydrated/share/man/Makefile b/dehydrated/share/man/Makefile index a6d6bf2..001325f 100644 --- a/dehydrated/share/man/Makefile +++ b/dehydrated/share/man/Makefile @@ -1,6 +1,6 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst index cd93a30..e1193ae 100644 --- a/dehydrated/share/man/dehydrated-cron.1.rst +++ b/dehydrated/share/man/dehydrated-cron.1.rst @@ -1,6 +1,6 @@ .. Open Infrastructure: service-tools -.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> .. .. SPDX-License-Identifier: GPL-3.0+ .. diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst index de63127..70a1be8 100644 --- a/dehydrated/share/man/dehydrated-hook.1.rst +++ b/dehydrated/share/man/dehydrated-hook.1.rst @@ -1,6 +1,6 @@ .. Open Infrastructure: service-tools -.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> .. .. SPDX-License-Identifier: GPL-3.0+ .. 
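Review bot: `Run_freeradius` triggers a reload whenever `certificate_file = /var/lib/dehydrated` appears anywhere under /etc/freeradius/*/*, including in commented-out lines, whereas the neighbouring `Run_haproxy` explicitly filters `^#` lines; anchoring the pattern to the start of the line, `if grep -Eqrs '^[[:space:]]*certificate_file[[:space:]]*=[[:space:]]*/var/lib/dehydrated' /etc/freeradius/*/*`, keeps the two checks consistent and also tolerates the tab or multi-space alignment common in FreeRADIUS module files. A spurious reload is low-risk but a missed one is not: the exact single-space pattern silently never matches a `certificate_file<TAB>= ...` line, so the renewed certificate would keep being served stale. It is also worth confirming on the target FreeRADIUS version that `service freeradius reload` re-reads the EAP TLS certificates at all; if it only re-reads the configuration, a restart is needed for the renewal to take effect.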
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst index d4b097b..2068b6e 100644 --- a/dehydrated/share/man/dehydrated-nsupdate.1.rst +++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst @@ -1,6 +1,6 @@ .. Open Infrastructure: service-tools -.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> .. .. SPDX-License-Identifier: GPL-3.0+ .. diff --git a/dehydrated/share/man/man.in b/dehydrated/share/man/man.in index f95ca67..1eec258 100644 --- a/dehydrated/share/man/man.in +++ b/dehydrated/share/man/man.in @@ -1,6 +1,6 @@ .\" Open Infrastructure: service-tools .\" -.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.\" Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net> .\" .\" SPDX-License-Identifier: GPL-3.0+ .\" |