| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
| |
Make sure we quote all strings, and add missing "option" in second example.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
|
| |
|
|
|
|
| |
Make it more practical to easier get an idea
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot
The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in old manner.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
keylength, being an acme.sh value type, uses pure numbers for rsa keys.
This can be disorienting for other acme clients. This change introduces
a new option "key_type" that aims to remove this ambiguity, and makes
all key type names follow the same pattern, making acme-common more
client agnostic.
Signed-off-by: Glen Huang <me@glenhuang.com>
|
| |
|
|
|
|
|
|
|
| |
ACME clients shouldn't deal with deprecated values. They should be
processed by acme-common.
Reformatting is done by shfmt.
Signed-off-by: Glen Huang <me@glenhuang.com>
|
| |
|
|
|
|
|
|
|
|
| |
opkg runs uci-defaults if a package installs one, in acme-common's case
that's identical to postinst.
prerm shouldn't be run a image builder, so it's unnecessary to check
IPKG_INSTROOT
Signed-off-by: Glen Huang <me@glenhuang.com>
|
| |
|
|
| |
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
| |
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.
With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
| |
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
| |
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
acme.sh by default use public DNS resolvers to check if TXT record was
correctly added when using DNS-01. This can be undesirable in a private
environment where the DNS server is not publicly accessible.
This option allows bypassing such check and simply waiting for a
specific length of time for the TXT record to take effect.
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
|
| |
Legacy use_staging option was not respected, and the example config
still use the legacy name.
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
|
| |
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
| |
Issuing certificates concurrently should not be supported.
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
|
| |
Since the dir is a standardized one, it should not be created
dynamically
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
|
|
|
| |
Since state_dir can be customized, it should be create dynamically,
which it already does.
Signed-off-by: Glen Huang <i@glenhuang.com>
|
| |
|
|
| |
Signed-off-by: Glen Huang <i@glenhuang.com>
|
|
|
Signed-off-by: Glen Huang <heyhgl@gmail.com>
|