author | Toke Høiland-Jørgensen <toke@toke.dk> | 2016-11-25 15:40:13 +0100 |
---|---|---|
committer | Toke Høiland-Jørgensen <toke@toke.dk> | 2016-11-25 15:42:16 +0100 |
commit | 5a90e41b3059fb823b2308e81cf73949398df223 (patch) | |
tree | 59c5425f374f739392e0972cb6a8a0452aa975a1 | |
parent | 413ce0d03370bd88633f698b9173228028134130 (diff) |
acme: Update to v1.3.
This version handles transitioning from a previous certificate that was
issued using the staging server, adds more debug logging, and handles
state directories better if issuing fails.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
-rw-r--r-- | net/acme/Makefile | 4 | ||||
-rw-r--r-- | net/acme/files/run.sh | 39 |
2 files changed, 38 insertions, 5 deletions
diff --git a/net/acme/Makefile b/net/acme/Makefile
index a20b0aa80..07e5d8d0e 100644
--- a/net/acme/Makefile
+++ b/net/acme/Makefile
@@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=acme
 PKG_SOURCE_VERSION:=3c33cdfa3da68000a40b85304821705f0deea951
-PKG_VERSION:=1.2
-PKG_RELEASE:=2
+PKG_VERSION:=1.3
+PKG_RELEASE:=1
 PKG_LICENSE:=GPLv3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE).tar.xz
diff --git a/net/acme/files/run.sh b/net/acme/files/run.sh
index 7deb22d4b..2e227c04a 100644
--- a/net/acme/files/run.sh
+++ b/net/acme/files/run.sh
@@ -26,11 +26,18 @@ check_cron()
 /etc/init.d/cron start
 }
+debug()
+{
+ [ "$DEBUG" -eq "1" ] && echo "$@" >&2
+}
+
 pre_checks()
 {
 echo "Running pre checks."
 check_cron
+ [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
+
 if [ -e /etc/init.d/uhttpd ]; then
 UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
@@ -42,6 +49,9 @@ pre_checks()
 iptables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
 ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
+ debug "v4 input_rule: $(iptables -nvL input_rule)"
+ debug "v6 input_rule: $(ip6tables -nvL input_rule)"
+ debug "port80 listens: $(netstat -ntpl | grep :80)"
 return 0
 }
@@ -71,6 +81,14 @@ int_out()
 kill -INT $$
 }
+is_staging()
+{
+ local main_domain="$1"
+
+ grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
+ return $?
+}
+
 issue_cert()
 {
 local section="$1"
@@ -81,6 +99,8 @@ issue_cert()
 local keylength
 local domains
 local main_domain
+ local moved_staging=0
+ local failed_dir
 config_get_bool enabled "$section" enabled 0
 config_get_bool use_staging "$section" use_staging 
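Review bot: `[ "$DEBUG" -eq "1" ]` in the new debug() fails with an "integer expression expected" error whenever DEBUG is unset or empty, and nothing in this hunk guarantees it is set; `[ "${DEBUG:-0}" -eq 1 ] && echo "$@" >&2` keeps the check quiet in the normal non-debug case. The callers added in the following pre_checks hunk (`debug "v4 input_rule: $(iptables -nvL input_rule)"` and the two lines after it) expand their command substitutions before debug() is entered, so iptables, ip6tables and netstat run on every pre_checks invocation regardless of DEBUG; guarding those three calls with the same test, or having debug() run the command itself, avoids that. The new `mkdir -p "$STATE_DIR"` creates the ACME home directory with the caller's umask, and since that directory is where acme.sh keeps the account key and the per-domain private keys (confirm against the acme.sh layout in use), a `chmod 700 "$STATE_DIR"` after the mkdir would keep the state tree from being world-readable on hosts with a permissive umask. pre_checks() continues outside the hunk.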
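Review bot: `return $?` on the line after `grep -q` in the new is_staging() is redundant, because a function already returns the status of its last command; the body can be the single line `grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"`. When the conf file does not exist grep writes an error to stderr and returns 2, which the caller in issue_cert reads as "not staging"; if that is the intended reading, a `[ -r "$STATE_DIR/$main_domain/${main_domain}.conf" ] || return 1` guard in front documents it and keeps the log clean.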
@@ -96,8 +116,15 @@ issue_cert()
 main_domain=$1
 if [ -e "$STATE_DIR/$main_domain" ]; then
- $ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1
- return 0
+ if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
+ echo "Found previous cert issued using staging server. Moving it out of the way."
+ mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
+ moved_staging=1
+ else
+ echo "Found previous cert config. Issuing renew."
+ $ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1
+ return 0
+ fi
 fi
@@ -108,7 +135,13 @@ issue_cert()
 [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
 if ! $ACME --home "$STATE_DIR" --issue $acme_args; then
- echo "Issuing cert for $main_domain failed. It may be necessary to remove $STATE_DIR/$main_domain to recover." >&2
+ failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
+ echo "Issuing cert for $main_domain failed. Moving state to $failed_dir" >&2
+ [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
+ if [ "$moved_staging" -eq "1" ]; then
+ echo "Restoring staging certificate" >&2
+ mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"
+ fi
 return 1
 fi |
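Review bot: The `mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"` that parks the staging state is unchecked, and if a `.staging` directory is already present from an earlier run, mv places the old state inside it instead of replacing it, after which the restore in the failure path (`mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"`) brings back the wrong tree. Whether a stale `.staging` can be present depends on the operator's history with use_staging, which this hunk cannot rule out. Appending `|| return 1` to the mv, and either removing a stale `.staging` first or suffixing it with a timestamp the way the failed_dir hunk does, closes both gaps. issue_cert() starts before and continues after the hunk.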
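Review bot: Both mv calls in the new failure path are unchecked, so if moving `$STATE_DIR/$main_domain` to `$failed_dir` fails, the directory is still in place, the staging restore then lands inside it, and the function returns 1 having reported that the state was preserved; `mv "$STATE_DIR/$main_domain" "$failed_dir" || return 1` and the same suffix on the restore make the real outcome visible. The `.failed-<epoch>` directories accumulate with every failed attempt and, like the live state, presumably carry the domain's private key material (confirm against what acme.sh stores per domain), so a comment or log line noting that they need to be pruned by hand would help operators. issue_cert() starts before and continues after the hunk.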