-rw-r--r-- | net/acme-acmesh/files/hook.sh | 37 | ||||
-rw-r--r-- | net/acme-common/Makefile | 2 | ||||
-rw-r--r-- | net/acme-common/files/acme-notify.sh | 17 | ||||
-rw-r--r-- | net/haproxy/files/acme.hotplug | 4 | ||||
-rw-r--r-- | net/haproxy/files/haproxy.init | 4 | ||||
-rw-r--r-- | net/nginx/Makefile | 3 | ||||
-rw-r--r-- | net/nginx/files/acme.hotplug | 3 | ||||
-rw-r--r-- | net/nginx/files/nginx.init | 5 |
8 files changed, 48 insertions, 27 deletions
diff --git a/net/acme-acmesh/files/hook.sh b/net/acme-acmesh/files/hook.sh
index cd92cec9d..bbe23b4a1 100644
--- a/net/acme-acmesh/files/hook.sh
+++ b/net/acme-acmesh/files/hook.sh
@@ -4,6 +4,7 @@ ACME=/usr/lib/acme/client/acme.sh
 LOG_TAG=acme-acmesh
 # webroot option deprecated, use the hardcoded value directly in the next major version
 WEBROOT=${webroot:-/var/run/acme/challenge}
+NOTIFY=/usr/lib/acme/notify
 # shellcheck source=net/acme/files/functions.sh
 . /usr/lib/acme/functions.sh
@@ -12,9 +13,7 @@ WEBROOT=${webroot:-/var/run/acme/challenge}
 export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 export NO_TIMESTAMP=1
-cmd="$1"
-
-case $cmd in
+case $1 in
 get)
 set --
 [ "$debug" = 1 ] && set -- "$@" --debug
@@ -38,20 +37,25 @@ get)
 staging_moved=1
 else
 set -- "$@" --renew --home "$state_dir" -d "$main_domain"
- log info "$*"
- trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
- "$ACME" "$@"
+ log info "$ACME $*"
+ trap '$NOTIFY renew-failed;exit 1' INT
+ $ACME "$@"
 status=$?
 trap - INT
 case $status in
- 0) ;; # renewed ok, handled by acme.sh hook, ignore.
- 2) ;; # renew skipped, ignore.
+ 0)
+ $NOTIFY renewed
+ exit;;
+ 2)
+ # renew skipped, ignore.
+ exit
+ ;;
 *)
- ACTION=renew-failed hotplug-call acme
+ $NOTIFY renew-failed
+ exit 1
 ;;
 esac
- return 0
 fi
 fi
@@ -92,11 +96,11 @@ get)
 set -- "$@" --issue --home "$state_dir"
- log info "$*"
- trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+ log info "$ACME $*"
+ trap '$NOTIFY issue-failed;exit 1' INT
 "$ACME" "$@" \
- --pre-hook 'ACTION=prepare hotplug-call acme' \
- --renew-hook 'ACTION=renewed hotplug-call acme'
+ --pre-hook "$NOTIFY prepare" \
+ --renew-hook "$NOTIFY renewed"
 status=$?
 trap - INT
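Review bot: The new `0)` arm of the renew status case calls `$NOTIFY renewed` after `$ACME "$@"` (running with `--renew`) returns 0, while the issue path in the `@@ -92,11 +96,11 @@` hunk still registers `--renew-hook "$NOTIFY renewed"`; if acme.sh runs that stored hook on every successful renewal, as the removed comment `renewed ok, handled by acme.sh hook, ignore.` suggests, each renewal now fires the `renewed` hotplug event and the `acme.renew` ubus trigger twice, so haproxy/nginx reload twice. Keep one of the two paths, either by leaving the `0)` arm at `exit` with the old comment restored, or by dropping the `--renew-hook` option at issue time. The same hunk also turns `"$ACME" "$@"` into the unquoted `$ACME "$@"` while the -92 hunk keeps the quoted form; `"$ACME" "$@"` keeps both call sites consistent and ShellCheck-clean. The `get)` arm and the `if` nesting around this case begin and end outside the hunk.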
@@ -106,7 +110,7 @@ get)
 ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
 ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
 ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
- ACTION=issued hotplug-call acme
+ $NOTIFY issued
 ;;
 *)
 if [ "$staging_moved" = 1 ]; then
@@ -117,8 +121,7 @@ get)
 mv "$domain_dir" "$failed_dir"
 log err "State moved to $failed_dir"
 fi
- ACTION=issue-failed hotplug-call acme
- return 0
+ $NOTIFY issue-failed
 ;;
 esac
 ;;
diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile
index 997c31e31..a279641c2 100644
--- a/net/acme-common/Makefile
+++ b/net/acme-common/Makefile
@@ -41,10 +41,12 @@ define Package/acme-common/install
 $(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
 $(INSTALL_DIR) $(1)/usr/lib/acme
 $(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+ $(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
 $(INSTALL_DIR) $(1)/etc/uci-defaults
 $(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
 endef
 define Package/acme/postinst
diff --git a/net/acme-common/files/acme-notify.sh b/net/acme-common/files/acme-notify.sh
new file mode 100644
index 000000000..4f06f9412
--- /dev/null
+++ b/net/acme-common/files/acme-notify.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -u
+
+event="$1"
+
+# Call hotplug first, giving scripts a chance to modify certificates before
+# reloadaing the services
+ACTION=$event hotplug-call acme
+
+case $event in
+renewed)
+ ubus call service event '{"type":"acme.renew","data":{}}'
+ ;;
+issued)
+ ubus call service event '{"type":"acme.issue","data":{}}'
+ ;;
+esac
diff --git a/net/haproxy/files/acme.hotplug b/net/haproxy/files/acme.hotplug
index 5a4dc5cdd..726d2b216 100644
--- a/net/haproxy/files/acme.hotplug
+++ b/net/haproxy/files/acme.hotplug
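Review bot: In acme-notify.sh the only handling `$1` gets is `event="$1"`: with `set -u` a missing argument dies with the shell's "parameter not set" message, and any other string is passed straight through as `ACTION=$event` to every script under /etc/hotplug.d/acme. `event=${1:?usage: notify <event>}` gives a usable error, and a leading `case $event in prepare|issued|renewed|issue-failed|renew-failed) ;; *) exit 1 ;; esac` limits the script to the names hook.sh actually sends. The exit status of `hotplug-call acme` is also discarded, so if hotplug-call reports a failing hotplug script (for instance the haproxy one that rebuilds combined.cer), the `acme.renew` reload is still emitted; `hotplug-call acme || exit 1` would stop at that point, if that is the intended behaviour. The comment on the second `+#` line has a typo: `# reloading the services`.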
@@ -6,7 +6,3 @@ issued|renewed)
 >"/etc/ssl/acme/$main_domain.combined.cer"
 ;;
 esac
-
-if [ "$ACTION" = renewed ]; then
- /etc/init.d/haproxy reload
-fi
diff --git a/net/haproxy/files/haproxy.init b/net/haproxy/files/haproxy.init
index 01d80d781..51c0ebb65 100644
--- a/net/haproxy/files/haproxy.init
+++ b/net/haproxy/files/haproxy.init
@@ -18,6 +18,10 @@ start_service() {
 procd_close_instance
 }
+service_triggers() {
+ procd_add_raw_trigger acme.renew 5000 /etc/init.d/haproxy reload
+}
+
 extra_command "check" "Check haproxy config"
 check() {
 $HAPROXY_BIN -c -q -V -f $HAPROXY_CONFIG
diff --git a/net/nginx/Makefile b/net/nginx/Makefile
index 41436aa39..0cb8c65b0 100644
--- a/net/nginx/Makefile
+++ b/net/nginx/Makefile
@@ -376,9 +376,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y)
 endif
 $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
 $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
-
- $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
- $(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-nginx
 endef
 Package/nginx-all-module/install = $(Package/nginx-ssl/install)
diff --git a/net/nginx/files/acme.hotplug b/net/nginx/files/acme.hotplug
deleted file mode 100644
index 74f1448d7..000000000
--- a/net/nginx/files/acme.hotplug
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$ACTION" = renewed ]; then
- /etc/init.d/nginx reload
-fi
diff --git a/net/nginx/files/nginx.init b/net/nginx/files/nginx.init
index 300a8c657..632a3f10a 100644
--- a/net/nginx/files/nginx.init
+++ b/net/nginx/files/nginx.init
@@ -66,6 +66,11 @@ reload_service() {
 }
+service_triggers() {
+ procd_add_raw_trigger acme.renew 5000 /etc/init.d/nginx reload
+}
+
+
 extra_command "relog" "Reopen log files (without reloading)"
 relog() {
 [ -d /var/log/nginx ] || mkdir -p /var/log/nginx
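Review bot: The new `service_triggers()` in haproxy.init registers the `acme.renew` raw trigger without any comment tying it to its producer, and the nginx.init hunk adds the identical function; a one-line comment above each, such as `# reload when /usr/lib/acme/notify emits the acme.renew ubus event after a renewal`, would tell the next maintainer where the event comes from and why the old acme.hotplug reload was removed. The nginx.init hunk also adds two blank lines after the closing brace where haproxy.init adds one; drop one so the two init scripts match. The reload now depends on notify having finished `hotplug-call acme` (which rebuilds haproxy's combined.cer) before it emits the ubus event, which holds only if hotplug-call runs its scripts synchronously; worth confirming. Both functions are complete within their hunks, while the rest of each init script lies outside them.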