rpms/acme-tiny
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:main
rpms:f43
rpms:f42
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:epel9
rpms:epel7
rpms:epel8-playground
rpms:f36
rpms:f33
rpms:f34
rpms:f35
rpms:epel8
rpms:f32
rpms:f30
rpms:f31
rpms:f29
rpms:f27
rpms:f28
rpms:f26
rpms:f25
rpms:el6
rpms:f24
rpms:f23
..
compare: rpms:f32
Branches Tags
rpms:main
rpms:rawhide
rpms:f43
rpms:f42
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:epel9
rpms:epel7
rpms:epel8-playground
rpms:f36
rpms:f33
rpms:f34
rpms:f35
rpms:epel8
rpms:f32
rpms:f30
rpms:f31
rpms:f29
rpms:f27
rpms:f28
rpms:f26
rpms:f25
rpms:el6
rpms:f24
rpms:f23

No commits in common. "rawhide" and "f32" have entirely different histories.
rawhide ... f32

9 changed files with 52 additions and 199 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -4,6 +4,3 @@
/*.src.rpm
/.build-*
/acme-tiny-4.1.0.tar.gz
/results_acme-tiny
/acme-tiny-4.1.1.tar.gz
/acme-tiny-5.0.1.tar.gz

52
README-fedora.md
View file

@ -1,8 +1,3 @@
# acme-tiny-core Fedora package
This package contains only the upstream python script - for those
who prefer their own framework for cert maintenance.
# acme-tiny Fedora package
The Fedora package for acme-tiny adds a tiny framework to make issuing
@ -105,32 +100,28 @@ Sendmail is a special problem - it insists that any certificates it loads be
only writable by root. This is at odds with the privilege separation of the
acme user. (Obviously, the private key must be accessible only by root.) You
can, of course, copy the crt file to `/etc/pki/tls/certs` as root and change
the mode. But this has to be done every time the cert is renewed.
The systemd `acme-tiny.service` runs `acme-tiny-notify.service`
afterward which executes as root. It calls
`/usr/libexec/acme-tiny/notify` for each nenewed cert. (This used
to be `/etc/acme-tiny/notify.sh` - which is now a symlink.)
Suppose `/var/lib/acme/certs/mail.crt` is renewed, where `mail.crt` is the
certificate sendmail will use. The notify script
the mode. But this has to be done every time the cert is renewed. You can
install `incron` to do this. After installing, create `/etc/incron.d/acme`
with the line
```
/var/lib/acme/certs/mail.crt IN_MOVED_TO /etc/acme-tiny/notify.sh $@
```
where `mail.crt` is the certificate sendmail will use. The notify.sh script
sees the reference to `/etc/pki/tls/certs/mail.crt` in `/etc/mail/*.cf`, and
copies the renewed cert to `/etc/pki/tls/certs`. Sendmail can then load it
from there and be happy. This also solves the file context problem.
The notify script has built in support for the httpd, sendmail, and dovecot
packages for Fedora. To avoid restarting services multiple times,
the notify script records in `/var/lib/acme/.notify`
when it last restarted each service.
By dropping scripts with names ending in `.sh` in `/etc/acme-tiny/notify.d`,
additional packages (e.g. nginx) can be supported.
This new system should be compatible with older incrond configs,
but the additional `/etc/acme-tiny/notify.sh` calls from incrond are redundant.
Making them redundant, incidentally fixes
[BZ#1839904](https://bugzilla.redhat.com/show_bug.cgi?id=1839904). There
could still be a race condition missed in testing, so I would disable your old
acme incrontab.
copies it to `/etc/pki/tls/certs`. Sendmail can then load it from there and be
happy. This also solves the file context problem if you add lines for other
certificates. You might wonder why we don't simply supply an acme incrontab as
part of the package with a wildcard, for example:
```
/var/lib/acme/certs/*.crt IN_MOVED_TO /etc/acme-tiny/notify.sh $@
```
The answer is that incron is insecure, and very nasty things can be
done by putting shell meta characters (including semicolon and quote!) in
filenames that then become part of a command run as root. The first example
above uses a fixed filename, so that is safe. Complain to incron
upstream - they need an option to use a simple execvpe instead of
using the shell. Then it would at least be possible to carefully
handle [malicious names](https://www.xkcd.com/327/).
## Logging and Error Reporting
@ -149,4 +140,3 @@ so notify.sh simply does `apachectl graceful`.
Put all the CSRs in `/var/lib/acme/csr` and the acme-tiny service will keep
them all renewed. This also works for certificates used by other SSL
applications, such as dovecot, sendmail, jabberd, or znc.

8
acme-tiny-notify.service
View file

@ -1,8 +0,0 @@
[Unit]
Description=Notify services of updates to acme certs
[Service]
Type=oneshot
Nice=19
SyslogIdentifier=acme-tiny
ExecStart=/usr/libexec/acme-tiny/notify --scan

14
acme-tiny-sign.sh Executable file → Normal file
View file

@ -1,20 +1,11 @@
#!/bin/bash
#!/bin/sh
if test "$(id -u)" -eq 0; then
echo "Do not run as root!"
exit 2
fi
. /etc/sysconfig/acme-tiny
DAYS="${1:-$DAYS}"
test -n "$DAYS" || DAYS="7"
if [[ "$DAYS" =~ ^[0-9]+$ ]]; then
echo "Days before expiration: $DAYS"
secs=$(( $DAYS * 24 * 60 * 60 ))
else
echo "Invalid number of days: $DAYS"
exit 1
fi
DAYS="${1:-7}"
cd /var/lib/acme
@ -31,6 +22,7 @@ for csr in csr/*.csr; do
crt="${csr%%.csr}"
tmp="certs/${crt##csr/}.tmp"
crt="certs/${crt##csr/}.crt"
secs=$(( "$DAYS" * 24 * 60 * 60 ))
if test -s "$crt" && openssl x509 -in "$crt" -noout -checkend "$secs"; then
continue
fi

4
acme-tiny.conf
View file

@ -1,4 +0,0 @@
# Default settings for acme-tiny wrapper script
# Number of days before expiration to renew a certificate
DAYS=7

4
acme-tiny.service
View file

@ -1,7 +1,5 @@
[Unit]
Description=Check for acme certs about to expire
Wants=acme-tiny-notify.service
Before=acme-tiny-notify.service
[Service]
Type=oneshot
@ -11,7 +9,7 @@ ProtectSystem=true
User=acme
Group=acme
SyslogIdentifier=acme-tiny
ExecStart=/usr/libexec/acme-tiny/sign
ExecStart=/usr/libexec/acme-tiny/sign 7
[Install]
Also=acme-tiny.timer

93
acme-tiny.spec
View file

@ -8,8 +8,8 @@
%endif
Name: acme-tiny
Version: 5.0.1
Release: 13%{?dist}
Version: 4.1.0
Release: 3%{?dist}
Summary: Tiny auditable script to issue, renew Let's Encrypt certificates
License: MIT
@ -23,11 +23,10 @@ Source7: acme-tiny.service
Source8: README-fedora.md
# simple script hook to kick services when cert is updated
Source9: notify.sh
Source10: acme-tiny-notify.service
Source11: acme-tiny.conf
Requires(pre): shadow-utils
BuildRequires: systemd-rpm-macros
# systemd macros are not defined unless systemd is present
BuildRequires: systemd
%{?systemd_requires}
Requires: %{name}-core = %{version}-%{release}
BuildArch: noarch
@ -48,7 +47,7 @@ This package adds a simple directory layout and timer service that runs
acme_tiny on installed CSRs as the acme user for privilege separation.
%package core
Summary: Core python module of acme-tiny
Summary: core python module of acme-tiny
Requires: openssl
%if 0%{?rhel} >= 5 && 0%{?rhel} < 7
# EL6 uses python2.6, which does not include argparse
@ -69,8 +68,6 @@ sed -i.orig -e '1,1 s,^.*python$,#!/usr/bin/python,' acme_tiny.py
sed -i.old -e '1,1 s/python$/python3/' *.py
%endif
echo 'u acme - "Tiny Auditable ACME Client" %{_sharedstatedir}/acme' >acme.sysusers.conf
%build
%install
@ -78,25 +75,20 @@ mkdir -p %{buildroot}/var/www/challenges
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_libexecdir}/%{name}
mkdir -p %{buildroot}%{_sharedstatedir}/acme/{private,csr,certs,.notify}
mkdir -p %{buildroot}%{_sharedstatedir}/acme/{private,csr,certs}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/notify.d
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
chmod 0700 %{buildroot}%{_sharedstatedir}/acme/private
install -m 0755 acme-tiny-sign.sh %{buildroot}%{_libexecdir}/%{name}/sign
install -m 0755 %{SOURCE9} %{buildroot}%{_libexecdir}/%{name}/notify
install -m 0755 acme_tiny.py %{buildroot}%{_sbindir}/acme_tiny
ln -sf acme_tiny %{buildroot}%{_sbindir}/%{name}
ln -sf %{_libexecdir}/%{name}/sign %{buildroot}%{_sbindir}/acme-tiny-sign
ln -sf %{_libexecdir}/%{name}/notify %{buildroot}%{_sysconfdir}/%{name}/notify.sh
install -m 0755 cert-check.py %{buildroot}%{_sbindir}/cert-check
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/conf.d
install -m 0755 %{SOURCE9} %{buildroot}%{_sysconfdir}/%{name}
mkdir -p %{buildroot}%{_unitdir}
install -pm 644 %{SOURCE6} %{buildroot}%{_unitdir}
install -pm 644 %{SOURCE7} %{buildroot}%{_unitdir}
install -pm 644 %{SOURCE10} %{buildroot}%{_unitdir}
install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
install -m 0644 -D acme.sysusers.conf %{buildroot}%{_sysusersdir}/acme.conf
%pre
getent group acme > /dev/null || groupadd -r acme
@ -106,13 +98,13 @@ getent passwd acme > /dev/null || /usr/sbin/useradd -g acme \
exit 0
%post
%systemd_post acme-tiny.service acme-tiny-notice.service acme-tiny.timer
%systemd_post acme-tiny.service acme-tiny.timer
%postun
%systemd_postun_with_restart acme-tiny.service acme-tiny-notice.service acme-tiny.timer
%systemd_postun_with_restart acme-tiny.service acme-tiny.timer
%preun
%systemd_preun acme-tiny.service acme-tiny-notice.service acme-tiny.timer
%systemd_preun acme-tiny.service acme-tiny.timer
%files
%{!?_licensedir:%global license %%doc}
@ -122,13 +114,11 @@ exit 0
%attr(-,acme,acme) %{_sharedstatedir}/acme
%{_libexecdir}/%{name}
%config(noreplace) %{_sysconfdir}/httpd/conf.d/acme.conf
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_unitdir}/*
%{_sbindir}/acme-tiny-sign
%{_sbindir}/cert-check
%{_sbindir}/%{name}
%{_sysconfdir}/%{name}
%{_sysusersdir}/acme.conf
%files core
%license LICENSE
@ -136,69 +126,6 @@ exit 0
%{_sbindir}/acme_tiny
%changelog
* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Thu Jan 16 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.0.1-11
- Add sysusers.d config file
* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Mar 28 2023 Stuart D. Gathman <stuart@gathman.org> - 5.0.1-5
- Verified SPDX license
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Oct 28 2021 Stuart D. Gathman <stuart@gathman.org> 5.0.1-1
- New upstream release
* Wed Sep 8 2021 Stuart D. Gathman <stuart@gathman.org> 4.1.1-2
- Remove CLI override in acme-tiny.service (uses /etc/sysconfig/acme-tiny now)
* Tue Sep 7 2021 Stuart D. Gathman <stuart@gathman.org> 4.1.1-1
- New upstream release
- Set days before expiration in /etc/sysconfig
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu May 27 2021 Stuart D. Gathman <stuart@gathman.org> 4.1.0-7
- Fix BZ#1839904
- enhance notify after cert update, incrond no longer needed
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.1.0-6
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Apr 9 2020 Stuart D. Gathman <stuart@gathman.org> 4.1.0-3
- Update README-fedora.md to describe notify.sh
- Apply selected changes from Marcel Metz <mmetz@adrian-broher.net>:

70
notify.sh
View file

@ -1,58 +1,20 @@
#!/usr/bin/sh
#!/bin/sh
acmedir="/var/lib/acme"
#acmedir="test"
notify="${acmedir}/.notify"
verbose="n"
mkdir -p "$notify"
cert="$1"
name="${cert##*/}"
script="/etc/acme-tiny/notify.d/${name%.crt}.sh"
scancerts() {
if test -e "${notify}/notify"; then
find "${acmedir}/certs" -name '*.crt' -newer "${notify}/notify" -print0
else
find "${acmedir}/certs" -name '*.crt' -print0
fi | xargs -0 /usr/libexec/acme-tiny/notify -v
touch "${notify}/notify"
}
# kick apache if cert is mentioned
if grep "$cert" /etc/httpd/conf.d/*.conf >/dev/null 2>&1; then
apachectl graceful
fi
for cert in "$@"; do
case "$cert" in
-v|--verbose) verbose="y"; continue;;
-s|--scan) scancerts; continue;;
-*) echo "Invalid option $cert"; exit 2;;
esac
name="${cert##*/}"
script="/etc/acme-tiny/notify.d/${name%.crt}.sh"
# kick sendmail if cert is mentioned
if grep "/etc/pki/tls/certs/$name" /etc/mail/*.cf >/dev/null 2>&1; then
cp "$cert" /etc/pki/tls/certs && systemctl restart sendmail
fi
# kick apache if cert is mentioned
if test "$cert" -nt "${notify}/httpd"; then
if grep "$cert" /etc/httpd/conf.d/*.conf >/dev/null 2>&1; then
apachectl graceful && touch "${notify}/httpd" && \
[ "$verbose" = "y" ] && echo "Httpd reloaded"
fi
fi
# kick sendmail if cert is mentioned
if test "$cert" -nt "${notify}/sendmail"; then
if grep "/etc/pki/tls/certs/$name" /etc/mail/*.cf >/dev/null 2>&1; then
cp "$cert" /etc/pki/tls/certs && systemctl restart sendmail \
&& touch "${notify}/sendmail" && \
[ "$verbose" = "y" ] && echo "Sendmail reloaded"
fi
fi
# kick dovecot if cert is mentioned
if test "$cert" -nt "${notify}/dovecot"; then
if grep "/etc/pki/dovecot/certs/$name" /etc/dovecot/conf.d/10-ssl.conf >/dev/null 2>&1; then
cp "$cert" /etc/pki/dovecot/certs && systemctl restart dovecot \
&& touch "${notify}/dovecot" && \
[ "$verbose" = "y" ] && echo "Dovecot reloaded"
fi
fi
# run any dropin extension
if test -x "$script"; then
[ "$verbose" = "y" ] && echo "Running $script $cert"
ACMEDIR="$acmedir" NOTIFY="$notify" VERBOSE="$verbose" "$script" "$cert"
fi
done
# run any dropin extension
if test -x "$script"; then
"$script" "$cert"
fi

3
sources
View file

@ -1,2 +1 @@
SHA512 (acme-tiny-4.1.1.tar.gz) = 9e1aac03f3aa744061b8b03bb7bb6ede52ccf1a72d729775f106eb0fef786ee495dedd4f44c672e4ee2a8fc385477366bf164ab5e78d85e0a031558cde68f4b1
SHA512 (acme-tiny-5.0.1.tar.gz) = 6e0619917b31a5795c2c7d8aa811b46231b81fc6b57227f611f7f4b9f73eb3de669676482563c33d935a4a0812498677bcbe974663a561af61abb441a880947e
SHA512 (acme-tiny-4.1.0.tar.gz) = 31d69a5031c019acbc23b3f06041eae8e261766396d4a7420fd70a71cfa16de953bea4c0c2ad0c6a6e793ed61ab5331f40145352ffce69f4f062f35dd0db7519