authorToke Høiland-Jørgensen <toke@toke.dk>2022-10-24 12:53:43 +0200
committerGitHub <noreply@github.com>2022-10-24 12:53:43 +0200
commit14f151ac9c075ec6b634b322535154342ac9efa7 (patch)
treec276bd7701ccbcaf422e40e8d6cefed550cc43f5 /net/acme-common
parente90b4c01e1619ce4adf16abb9f63c772b44fefe9 (diff)
parent230c2d5fc423c28eb9fa8e3fa5a2bd3e626de87e (diff)
Merge pull request #19669 from hgl/acme
acme: refactor
Diffstat (limited to 'net/acme-common')
-rw-r--r--net/acme-common/Makefile6
-rw-r--r--net/acme-common/files/acme-notify.sh17
-rw-r--r--net/acme-common/files/acme.config4
-rw-r--r--net/acme-common/files/acme.sh36
4 files changed, 49 insertions, 14 deletions
diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile
index 4e69702be..268df5c68 100644
--- a/net/acme-common/Makefile
+++ b/net/acme-common/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=acme-common
-PKG_VERSION:=1.0.0
+PKG_VERSION:=1.0.1
PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
PKG_LICENSE:=GPL-3.0-only
@@ -34,17 +34,19 @@ define Package/acme-common/conffiles
endef
define Package/acme-common/install
- $(INSTALL_DIR) $(1)/etc/acme
+ $(INSTALL_DIR) $(1)/etc/ssl/acme
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
$(INSTALL_DIR) $(1)/usr/lib/acme
$(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+ $(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
endef
define Package/acme/postinst
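Review bot: `/etc/ssl/acme` and `/etc/hotplug.d/acme` are both created with the default `$(INSTALL_DIR)` mode, and nothing in the recipe records who is meant to write to them. The comment in acme-notify.sh says scripts under `/etc/hotplug.d/acme` run on every issue and renew event and may modify certificates, so that directory should stay writable by root only. If private keys end up under `/etc/ssl/acme` (the code that writes there is not in this diff), a tighter mode is worth considering. A comment above the `define` would capture this: `# /etc/ssl/acme holds issued material; /etc/hotplug.d/acme scripts run on each issue/renew - keep both root-owned`. The recipe also stops creating `/etc/acme` while acme.sh in this commit still exports `state_dir=/etc/acme`, so confirm that something else creates it.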
diff --git a/net/acme-common/files/acme-notify.sh b/net/acme-common/files/acme-notify.sh
new file mode 100644
index 000000000..4f06f9412
--- /dev/null
+++ b/net/acme-common/files/acme-notify.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -u
+
+event="$1"
+
+# Call hotplug first, giving scripts a chance to modify certificates before
+# reloadaing the services
+ACTION=$event hotplug-call acme
+
+case $event in
+renewed)
+ ubus call service event '{"type":"acme.renew","data":{}}'
+ ;;
+issued)
+ ubus call service event '{"type":"acme.issue","data":{}}'
+ ;;
+esac
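Review bot: `$event` is passed to `hotplug-call acme` as `ACTION` before anything checks it, so hotplug scripts run for whatever string the caller supplied, and an unrecognised value then falls silently through the `case`. Validating first limits the actions hotplug scripts have to handle to the two this script knows: `case $event in renewed|issued) ;; *) echo "unknown event: $event" >&2; exit 1 ;; esac`, placed before the `hotplug-call` line. The status of `hotplug-call` is not looked at, so the `ubus` event is sent even if a script that was meant to adjust the certificates failed; if that is intended, the comment should say so. The comment also has a typo, `reloadaing`.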
diff --git a/net/acme-common/files/acme.config b/net/acme-common/files/acme.config
index 12bffd60f..d72547a6e 100644
--- a/net/acme-common/files/acme.config
+++ b/net/acme-common/files/acme.config
@@ -5,7 +5,7 @@ config acme
config cert 'example_wildcard'
option enabled 0
- option use_staging 1
+ option staging 1
list domains example.org
list domains sub.example.org
list domains *.sub.example.org
@@ -17,6 +17,6 @@ config cert 'example_wildcard'
config cert 'example'
option enabled 0
- option use_staging 1
+ option staging 1
list domains example.org
list domains sub.example.org
diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh
index 5663dddee..bcf3d8451 100644
--- a/net/acme-common/files/acme.sh
+++ b/net/acme-common/files/acme.sh
@@ -8,10 +8,10 @@
#
# Authors: Toke Høiland-Jørgensen <toke@toke.dk>
-export state_dir='/etc/acme'
+export state_dir=/etc/acme
export account_email=
export debug=0
-export challenge_dir='/var/run/acme/challenge'
+export run_dir=/var/run/acme
NFT_HANDLE=
HOOK=/usr/lib/acme/hook
LOG_TAG=acme
@@ -23,6 +23,9 @@ LOG_TAG=acme
cleanup() {
log debug "cleaning up"
+ if [ -e $run_dir/lock ]; then
+ rm $run_dir/lock
+ fi
if [ "$NFT_HANDLE" ]; then
# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
nft delete rule inet fw4 input $NFT_HANDLE
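Review bot: Removing `$run_dir/lock` in `cleanup` weakens the flock taken on fd 200 in the `get)` branch, because the lock belongs to the open file and not to the path. An instance that opened the old file just before the `rm` can take the lock on the unlinked inode once this process exits, while a later instance creates a fresh file and locks that one, so two runs can proceed at once. The lock is released when fd 200 closes at exit, so the three added lines can be dropped. If they stay, quote the path and tolerate a missing file: `rm -f "$run_dir/lock"`. `cleanup` continues past the end of this hunk.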
@@ -33,7 +36,7 @@ load_options() {
section=$1
# compatibility for old option name
- config_get_bool use_staging "$section" staging
+ config_get_bool staging "$section" use_staging
if [ -z "$staging" ]; then
config_get_bool staging "$section" staging 0
fi
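Review bot: The deprecated `use_staging` option now wins over `staging` without any message, so a config that still carries the old name silently decides which CA endpoint is used. The `webroot` handling later in `load_options` already warns on deprecated use, and doing the same here would be consistent: `[ -n "$staging" ] && log warn "Option \"use_staging\" is deprecated, please use \"staging\" instead."`, placed right after the first `config_get_bool`. `load_options` starts before and continues after this hunk.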
@@ -56,11 +59,13 @@ load_options() {
export days
config_get standalone "$section" standalone 0
export standalone
+ config_get dns_wait "$section" dns_wait
+ export dns_wait
config_get webroot "$section" webroot
export webroot
if [ "$webroot" ]; then
- log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from /var/run/acme/challenge."
+ log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge."
fi
}
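Review bot: `dns_wait` is read with no default and exported unchecked, unlike `standalone` just above it, which defaults to 0. How the value is consumed is not visible in this diff; if it reaches the ACME client as an argument, a malformed entry would only surface at issue time. A comment stating the expected format and what an empty value means would help, for example `# dns_wait: optional, empty means unset; expected format: TODO document`. The start of `load_options` is outside this hunk.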
@@ -112,6 +117,15 @@ load_globals() {
return 1
}
+cmd_get() {
+ trap cleanup EXIT
+
+ config_load acme
+ config_foreach load_globals acme
+
+ config_foreach get_cert cert
+}
+
usage() {
cat <<EOF
Usage: acme <command> [arguments]
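Review bot: `cmd_get` installs `trap cleanup EXIT`, and `cleanup` as changed in this commit deletes `$run_dir/lock`, so the function is only safe to call from the branch that already holds the lock; nothing in the function says so. A comment above it would record the contract: `# Caller must hold the flock on $run_dir/lock; the EXIT trap set here runs cleanup, which removes that file.` The results of `config_load` and `config_foreach load_globals` are not checked before `get_cert` runs, which matches the code this replaces. `usage` continues outside the hunk.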
@@ -128,12 +142,14 @@ fi
case $1 in
get)
- config_load acme
- config_foreach load_globals acme
-
- mkdir -p /etc/ssl/acme
- trap cleanup EXIT
- config_foreach get_cert cert
+ mkdir -p $run_dir
+ {
+ if ! flock -n 200; then
+ log err "Another ACME instance is already running."
+ exit 1
+ fi
+ cmd_get "$@"
+ } 200>$run_dir/lock
;;
*)
usage
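Review bot: File descriptor 200 stays open in every process started from `cmd_get`, so the lock is shared with the ACME client, the hook, the hotplug scripts and anything they launch. If one of those leaves a long-running child behind (not visible in this diff), that child keeps the lock and later runs stop at `Another ACME instance is already running.` A comment on the brace group would make this explicit: `# fd 200 carries the flock; children inherit it, so nothing started from here may outlive this script`. `mkdir -p $run_dir` is also unchecked, so if it fails the `200>$run_dir/lock` redirection fails too and the branch is skipped without a `log err` entry.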