From 2198863d0e6461e09da59df9156ee1db484cf56c Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 21 Mar 2017 10:38:21 -0400 Subject: [PATCH 01/23] - Initial package --- .gitignore | 1 + dehydrated.spec | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ sources | 1 + 3 files changed, 88 insertions(+) create mode 100644 dehydrated.spec diff --git a/.gitignore b/.gitignore index e69de29..714ae61 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1 @@ +/dehydrated-0.4.0.tar.gz diff --git a/dehydrated.spec b/dehydrated.spec new file mode 100644 index 0000000..5f7770f --- /dev/null +++ b/dehydrated.spec 
@@ -0,0 +1,86 @@
+Summary: A client for signing certificates with an ACME server
+Name: dehydrated
+Version: 0.4.0
+Release: 1%{?dist}
+License: MIT
+URL: https://github.com/lukas2511/dehydrated
+Group: System Environment/Daemons
+Source0: https://github.com/lukas2511/dehydrated/archive/v%{version}/%{name}-%{version}.tar.gz
+Requires: openssl
+Requires: curl
+BuildArch: noarch
+
+%description
+This is a client for signing certificates with an ACME-server
+(currently only provided by Let's Encrypt) implemented as a relatively
+simple bash-script.
+
+It uses the openssl utility for everything related to actually
+handling keys and certificates, so you need to have that installed.
+
+Current features:
+* Signing of a list of domains
+* Signing of a CSR
+* Renewal if a certificate is about to expire or SAN (subdomains) changed
+* Certificate revocation
+
+%prep
+%setup -q
+
+%build
+: nothing to do
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/accounts
+mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/archive
+mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/certs
+mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/conf.d
+mkdir -p %{buildroot}%{_bindir}
+mkdir -p %{buildroot}%{_rundir}/dehydrated
+sed \
+ -e 's|^#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_rundir}/dehydrated/lock"|' \
+ -e 's|^#CONFIG_D=|CONFIG_D="\${BASEDIR}/conf.d"|' \
+ -e 's|^#HOOK=|HOOK="\${BASEDIR}/hook.sh"|' \
+ -e 's|^#PRIVATE_KEY_RENEW="yes"|PRIVATE_KEY_RENEW="no"|' \
+ docs/examples/config >%{buildroot}%{_sysconfdir}/dehydrated/config
+install docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/
+install dehydrated %{buildroot}%{_bindir}/dehydrated
+
+%clean
+rm -rf %{buildroot}
+
+%post
+if [ ! -f %{_sysconfdir}/cron.d/dehydrated ]; then
+ echo "$(($RANDOM % 60)) $(($RANDOM % 6)) * * $(($RANDOM % 7)) root test -s %{_sysconfdir}/dehydrated/domains.txt && %{_bindir}/dehydrated --cron" \
+ >%{_sysconfdir}/cron.d/dehydrated
+fi
+umask=$(umask)
+umask 027
+if [ -z "$(ls %{_sysconfdir}/dehydrated/conf.d/*.sh 2>/dev/null)" ]; then
+ touch %{_sysconfdir}/dehydrated/conf.d/local.sh
+fi
+if [ ! -e %{_sysconfdir}/dehydrated/domains.txt ]; then
+ touch %{_sysconfdir}/dehydrated/domains.txt
+fi
+umask ${umask} || :
+
+%files
+%defattr(-,root,root)
+%attr(0644,root,root) %doc README.md docs/*
+%doc LICENSE
+%attr(0644,root,root) %ghost %{_sysconfdir}/cron.d/dehydrated
+%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/config
+%attr(0750,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/hook.sh
+%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/accounts
+%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/archive
+%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/certs
+%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/conf.d
+%attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/conf.d/local.sh
+%attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/domains.txt
+%{_bindir}/dehydrated
+
+%changelog
+* Tue Mar 21 2017 Paul Wouters - 0.4.0-1
+- Initial package
diff --git a/sources b/sources
index e69de29..fc02235 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (dehydrated-0.4.0.tar.gz) = 3c8c0f2fab57a432b69451f8372c02666dd953985679d12a2af9f6b917335b5b10a1196699106e317660039178ce1139a4d5455d4825a152b6911596fba16738
From 0d01f447981103fadc857236f5310889d280c44f Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 2 Apr 2018 14:49:19 +0200 Subject: [PATCH 02/23] - Resolves: rhbz#1554153 Updated to 0.6.1 with ACME v2 support --- dehydrated.spec | 47 +++++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 18 deletions(-)
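Review bot: The `%install` sed expression `s|^#PRIVATE_KEY_RENEW="yes"|PRIVATE_KEY_RENEW="no"|` turns off upstream's default key rotation without saying why, so the packaged config keeps requesting certificates for the same private key on every renewal. A key that is exposed once therefore stays in use until an administrator rotates it by hand. If the reuse is deliberate (for example to keep pinned keys stable, which is an assumption because the spec gives no reason), a comment above the sed call should record it, e.g. `# keep the existing key on renewal; set PRIVATE_KEY_RENEW="yes" in conf.d/*.sh to rotate keys`. The other three expressions only set paths.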
diff --git a/dehydrated.spec b/dehydrated.spec index 5f7770f..236093f 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,22 +1,26 @@ +%{!?_rundir:%global _rundir %%{_localstatedir}/run} + Summary: A client for signing certificates with an ACME server Name: dehydrated -Version: 0.4.0 +Version: 0.6.1 Release: 1%{?dist} License: MIT URL: https://github.com/lukas2511/dehydrated -Group: System Environment/Daemons Source0: https://github.com/lukas2511/dehydrated/archive/v%{version}/%{name}-%{version}.tar.gz Requires: openssl Requires: curl +Requires: sed +%if 0%{?fedora} || 0%{?rhel} >= 7 +Source1: dehydrated.tmpfiles +BuildRequires: systemd +%endif BuildArch: noarch %description -This is a client for signing certificates with an ACME-server -(currently only provided by Let's Encrypt) implemented as a relatively -simple bash-script. - -It uses the openssl utility for everything related to actually -handling keys and certificates, so you need to have that installed. +This is a client for signing certificates with an ACME-server (currently +only provided by Let's Encrypt) implemented as a relatively simple bash- +script. Dehydrated supports both ACME v1 and the new ACME v2 including +support for wildcard certificates! Current features: * Signing of a list of domains 
@@ -31,24 +35,24 @@ Current features: : nothing to do %install -rm -rf %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/accounts mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/archive mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/certs mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/conf.d -mkdir -p %{buildroot}%{_bindir} mkdir -p %{buildroot}%{_rundir}/dehydrated +%if 0%{?fedora} || 0%{?rhel} >= 7 +install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/dehydrated.conf +%endif sed \ -e 's|^#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_rundir}/dehydrated/lock"|' \ -e 's|^#CONFIG_D=|CONFIG_D="\${BASEDIR}/conf.d"|' \ -e 's|^#HOOK=|HOOK="\${BASEDIR}/hook.sh"|' \ -e 's|^#PRIVATE_KEY_RENEW="yes"|PRIVATE_KEY_RENEW="no"|' \ docs/examples/config >%{buildroot}%{_sysconfdir}/dehydrated/config -install docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/ -install dehydrated %{buildroot}%{_bindir}/dehydrated - -%clean -rm -rf %{buildroot} +install -p docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/ +install -D -p -m 0755 dehydrated %{buildroot}%{_bindir}/dehydrated +install -D -p -m 0644 docs/man/dehydrated.1 %{buildroot}%{_mandir}/man1/dehydrated.1 +rm -rf docs/man/ %post if [ ! -f %{_sysconfdir}/cron.d/dehydrated ]; then @@ -66,9 +70,8 @@ fi umask ${umask} || : %files -%defattr(-,root,root) -%attr(0644,root,root) %doc README.md docs/* -%doc LICENSE +%doc README.md docs/* +%license LICENSE %attr(0644,root,root) %ghost %{_sysconfdir}/cron.d/dehydrated %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/config 
@@ -79,8 +82,16 @@ umask ${umask} || : %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/conf.d %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/conf.d/local.sh %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/domains.txt +%attr(0750,root,root) %dir %{_rundir}/dehydrated +%if 0%{?fedora} || 0%{?rhel} >= 7 +%{_tmpfilesdir}/dehydrated.conf +%endif %{_bindir}/dehydrated +%{_mandir}/man1/dehydrated.1* %changelog +* Sat Mar 31 2018 Robert Scheck - 0.6.1-1 +- Resolves: rhbz#1554153 Updated to 0.6.1 with ACME v2 support + * Tue Mar 21 2017 Paul Wouters - 0.4.0-1 - Initial package From 3791c0c9052cf0e292c11a58c8035b9ecf706498 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 2 Apr 2018 15:04:09 +0200 Subject: [PATCH 03/23] new sources --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 714ae61..9a1e769 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /dehydrated-0.4.0.tar.gz +/dehydrated-0.6.1.tar.gz diff --git a/sources b/sources index fc02235..b119b04 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (dehydrated-0.4.0.tar.gz) = 3c8c0f2fab57a432b69451f8372c02666dd953985679d12a2af9f6b917335b5b10a1196699106e317660039178ce1139a4d5455d4825a152b6911596fba16738 +SHA512 (dehydrated-0.6.1.tar.gz) = c3ef92da4e0e12100d267422eb2667607842f6fb0fe10cbc4d10aee9b5137d292db2348eca34b1f492e21c6c325dcbb595a9ab4de634e4d4a43346be1e2ce0ad From cc9ee97178182cf3af86b995c8c41ab05db43f5e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jul 2019 21:49:12 +0000 Subject: [PATCH 04/23] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index c37c733..a54cd21 100644 --- a/dehydrated.spec +++ b/dehydrated.spec 
@@ -3,7 +3,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.6.5 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: https://github.com/lukas2511/dehydrated Source0: https://github.com/lukas2511/dehydrated/releases/download/v%{version}/%{name}-%{version}.tar.gz @@ -90,6 +90,9 @@ umask ${umask} || : %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jul 24 2019 Fedora Release Engineering - 0.6.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Wed Jun 26 2019 Paul Wouters - 0.6.5-1 - Resolves: rhbz#1723766 Updated to 0.6.5 From d3c46d249d7ecbfa5c84d54f781cd4500d0e1bb0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jan 2020 15:39:40 +0000 Subject: [PATCH 05/23] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index a54cd21..5164dce 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -3,7 +3,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.6.5 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT URL: https://github.com/lukas2511/dehydrated Source0: https://github.com/lukas2511/dehydrated/releases/download/v%{version}/%{name}-%{version}.tar.gz @@ -90,6 +90,9 @@ umask ${umask} || : %{_mandir}/man1/dehydrated.1* %changelog +* Tue Jan 28 2020 Fedora Release Engineering - 0.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Wed Jul 24 2019 Fedora Release Engineering - 0.6.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From 7b3265b7485ba0d28dccfdc0991c2bd28cd4d2a6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 27 Jul 2020 15:15:00 +0000 Subject: [PATCH 06/23] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 5164dce..2bfa140 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -3,7 +3,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.6.5 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT URL: https://github.com/lukas2511/dehydrated Source0: https://github.com/lukas2511/dehydrated/releases/download/v%{version}/%{name}-%{version}.tar.gz @@ -90,6 +90,9 @@ umask ${umask} || : %{_mandir}/man1/dehydrated.1* %changelog +* Mon Jul 27 2020 Fedora Release Engineering - 0.6.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Tue Jan 28 2020 Fedora Release Engineering - 0.6.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 7dcf7d9141284c6cc502ff339c20f13f4f9cb699 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 03:14:48 +0000 Subject: [PATCH 07/23] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 2bfa140..f415b25 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -3,7 +3,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.6.5 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT URL: https://github.com/lukas2511/dehydrated Source0: https://github.com/lukas2511/dehydrated/releases/download/v%{version}/%{name}-%{version}.tar.gz @@ -90,6 +90,9 @@ umask ${umask} || : %{_mandir}/man1/dehydrated.1* %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 0.6.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Mon Jul 27 2020 Fedora Release Engineering - 0.6.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild 
From 82d39058ebee3db735e93a2e33a3d655066c314c Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 1 Jun 2021 12:44:49 -0400 Subject: [PATCH 08/23] update to 0.7.0 - Resolved: rhbz#1872621 [RFE] Ship systemd units for auto-renewal - Resolved: rhbz#1906674 dehydrated-0.7.0 is available - Pulled in improvements by Tuomo Soini --- 50-dehydrated.preset | 1 + dehydrated-autowash.patch | 12 +++ dehydrated-cron | 21 +++++ dehydrated-hook.sh-defaults.patch | 69 ++++++++++++++++ dehydrated-improve-trap-handling.patch | 12 +++ dehydrated.service | 6 ++ dehydrated.spec | 110 ++++++++++++++++++------- dehydrated.timer | 10 +++ sources | 2 +- 9 files changed, 212 insertions(+), 31 deletions(-) create mode 100644 50-dehydrated.preset create mode 100644 dehydrated-autowash.patch create mode 100644 dehydrated-cron create mode 100644 dehydrated-hook.sh-defaults.patch create mode 100644 dehydrated-improve-trap-handling.patch create mode 100644 dehydrated.service create mode 100644 dehydrated.timer diff --git a/50-dehydrated.preset b/50-dehydrated.preset new file mode 100644 index 0000000..ea5c6ad --- /dev/null +++ b/50-dehydrated.preset @@ -0,0 +1 @@ +enable dehydrated.timer diff --git a/dehydrated-autowash.patch b/dehydrated-autowash.patch new file mode 100644 index 0000000..22b9e31 --- /dev/null +++ b/dehydrated-autowash.patch @@ -0,0 +1,12 @@ +diff -up dehydrated-0.7.0/dehydrated.autowash dehydrated-0.7.0/dehydrated +--- dehydrated-0.7.0/dehydrated.autowash 2021-01-22 13:11:47.018517599 +0200 ++++ dehydrated-0.7.0/dehydrated 2021-01-22 13:12:44.673042823 +0200 +@@ -1734,7 +1734,7 @@ command_sign_domains() { + + [[ -n "${HOOK}" ]] && ("${HOOK}" "exit_hook" || echo 'exit_hook returned with non-zero exit code!' >&2) + if [[ "${AUTO_CLEANUP}" == "yes" ]]; then +- echo "+ Running automatic cleanup" ++ echo " + Running automatic cleanup" + command_cleanup noinit + fi + diff --git a/dehydrated-cron b/dehydrated-cron new file mode 100644 index 0000000..75c9976 --- /dev/null 
+++ b/dehydrated-cron
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Run dehydrated if there is configured domains
+if [ -s /etc/dehydrated/domains.txt ]; then
+ tempfile=$(mktemp -p /run/dehydrated)
+ if [ $? -gt 0 ]; then
+ echo "ERROR, could not create tempfile" >&2
+ exit 1
+ else
+ # clean up tempfile on exit
+ trap "rm -f ${tempfile}" EXIT TERM
+ fi
+ set -o pipefail
+ /usr/bin/dehydrated --cron 2>&1 | tee -a ${tempfile}
+ RC=$?
+ if [ ${RC} -gt 0 ]; then
+ cat ${tempfile} | mailx -S sendwait -s "dehydrated --cron returned error" ${NOTIFY_EMAIL:=root}
+ fi
+ exit ${RC}
+else
+ echo "No domains configured" >&2
+fi
diff --git a/dehydrated-hook.sh-defaults.patch b/dehydrated-hook.sh-defaults.patch
new file mode 100644
index 0000000..203fc10
--- /dev/null
+++ b/dehydrated-hook.sh-defaults.patch
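Review bot: `trap "rm -f ${tempfile}" EXIT TERM` installs a TERM handler that does not exit, so after a SIGTERM bash runs the handler and then carries on with the script; the temp file is already gone when a failed run reaches `cat ${tempfile} | mailx …`. Keep the cleanup on EXIT only and make TERM terminate, e.g. `trap 'rm -f -- "${tempfile}"' EXIT` and `trap 'exit 143' TERM`; the single quotes also defer expansion and keep the path quoted. The same pattern is added to dehydrated itself by dehydrated-improve-trap-handling.patch (`trap 'remove_lock' EXIT TERM`), where, if execution continues in the same way, the lock file is removed while the run is still in progress. Separately, `${tempfile}` and `${NOTIFY_EMAIL:=root}` are expanded unquoted on the `tee` and `mailx` lines and should be double-quoted.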
@@ -0,0 +1,69 @@ +diff -up dehydrated-0.6.5/docs/examples/hook.sh.orig dehydrated-0.6.5/docs/examples/hook.sh +--- dehydrated-0.6.5/docs/examples/hook.sh.orig 2019-06-26 13:33:35.000000000 +0300 ++++ dehydrated-0.6.5/docs/examples/hook.sh 2019-07-08 13:06:21.445513447 +0300 +@@ -21,7 +21,7 @@ deploy_challenge() { + # be found in the $TOKEN_FILENAME file. + + # Simple example: Use nsupdate with local named +- # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key ++ # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 30 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key + } + + clean_challenge() { +@@ -34,7 +34,7 @@ clean_challenge() { + # The parameters are the same as for deploy_challenge. + + # Simple example: Use nsupdate with local named +- # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key ++ # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key + } + + sync_cert() { +@@ -86,8 +86,14 @@ deploy_cert() { + # Timestamp when the specified certificate was created. 
+ + # Simple example: Copy file to nginx config +- # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl +- # systemctl reload nginx ++ # umask=$(umask) # save original umask ++ # umask 077 # use secure umask for key file creation ++ # cat "${KEYFILE}" > /etc/pki/tls/private/${DOMAIN}.key ++ # touch --reference="${KEYFILE}" /etc/pki/tls/private/${DOMAIN}.key ++ # umask 022 # wider permission for certificates ++ # cat "${FULLCHAINFILE}" > /etc/pki/tls/certs/${DOMAIN}.crt ++ # umask ${umask} # restore umask ++ # systemctl reload nginx.service + } + + deploy_ocsp() { +@@ -204,16 +210,23 @@ startup_hook() { + } + + exit_hook() { +- local ERROR="${1:-}" ++ local ERROR="${1:-}" + +- # This hook is called at the end of the cron command and can be used to +- # do some final (cleanup or other) tasks. +- # +- # Parameters: +- # - ERROR +- # Contains error message if dehydrated exits with error ++ # This hook is called at the end of the cron command and can be used to ++ # do some final (cleanup or other) tasks. ++ # ++ # Parameters: ++ # - ERROR ++ # Contains error message if dehydrated exits with error + } + ++# Include local overrides for hook.sh functions ++if [ -d /etc/dehydrated/hook.d ]; then ++ for localhook in $(ls -1 /etc/dehydrated/hook.d/*.sh 2>/dev/null); do ++ . "${localhook}" ++ done ++fi ++ + HANDLER="$1"; shift + if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then + "$HANDLER" "$@" diff --git a/dehydrated-improve-trap-handling.patch b/dehydrated-improve-trap-handling.patch new file mode 100644 index 0000000..a4da047 --- /dev/null +++ b/dehydrated-improve-trap-handling.patch 
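Review bot: The hook.d loop added just above `HANDLER="$1"; shift` sources every `*.sh` file in /etc/dehydrated/hook.d into the hook process, and it builds the list from `$(ls -1 … 2>/dev/null)`, which word-splits file names and hides errors. A plain glob does the same job without parsing ls: `for localhook in /etc/dehydrated/hook.d/*.sh; do [ -f "${localhook}" ] || continue; . "${localhook}"; done`. Because anything placed in that directory runs with the hook's privileges, a comment such as `# hook.d must stay root-owned and not group/world-writable: files here are sourced` would help. The spec in this commit does package the directory as 0750 root:root.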
@@ -0,0 +1,12 @@
+diff -up dehydrated-0.7.0/dehydrated.improve-trap-handling dehydrated-0.7.0/dehydrated
+--- dehydrated-0.7.0/dehydrated.improve-trap-handling 2021-01-23 10:53:56.138791571 +0200
++++ dehydrated-0.7.0/dehydrated 2021-01-23 11:02:55.124007858 +0200
+@@ -528,7 +528,7 @@ init_system() {
+ [[ -w "${LOCKDIR}" ]] || _exiterr "Directory ${LOCKDIR} for LOCKFILE ${LOCKFILE} is not writable, aborting."
+ ( set -C; date > "${LOCKFILE}" ) 2>/dev/null || _exiterr "Lock file '${LOCKFILE}' present, aborting."
+ remove_lock() { rm -f "${LOCKFILE}"; }
+- trap 'remove_lock' EXIT
++ trap 'remove_lock' EXIT TERM
+ fi
+
+ # Get CA URLs
diff --git a/dehydrated.service b/dehydrated.service
new file mode 100644
index 0000000..6a55914
--- /dev/null
+++ b/dehydrated.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=dehydrated client for signing certificates with an ACME server
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/dehydrated-cron
diff --git a/dehydrated.spec b/dehydrated.spec
index f415b25..c8a4237 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
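Review bot: The new dehydrated.service sets only `Type=oneshot` and `ExecStart=`, so the renewal job runs as root with no systemd sandboxing although it talks to a remote ACME server. `PrivateTmp=yes` and `ProtectHome=yes` look compatible with what dehydrated-cron itself does (it writes under /run/dehydrated and /etc/dehydrated), but hook.sh may deploy keys elsewhere, so anything stricter needs testing against real hooks. The unit also sets no `Environment=` or `EnvironmentFile=`, so the `NOTIFY_EMAIL` variable that dehydrated-cron reads can only be set through a drop-in. A comment in the unit saying so would help administrators.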
@@ -1,20 +1,29 @@ -%{!?_rundir:%global _rundir %%{_localstatedir}/run} - Summary: A client for signing certificates with an ACME server Name: dehydrated -Version: 0.6.5 -Release: 5%{?dist} +Version: 0.7.0 +Release: 1%{?dist} License: MIT -URL: https://github.com/lukas2511/dehydrated -Source0: https://github.com/lukas2511/dehydrated/releases/download/v%{version}/%{name}-%{version}.tar.gz +URL: https://github.com/dehydrated-io/dehydrated +Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz Source1: dehydrated.tmpfiles -Requires: openssl -Requires: curl -Requires: sed -%if 0%{?fedora} || 0%{?rhel} >= 7 -BuildRequires: systemd -%endif +Source2: dehydrated.timer +Source3: dehydrated.service +Source4: 50-dehydrated.preset +Source5: dehydrated-cron + +Patch0: dehydrated-autowash.patch +Patch1: dehydrated-improve-trap-handling.patch +Patch2: dehydrated-hook.sh-defaults.patch + BuildArch: noarch +BuildRequires: systemd +%{?systemd_requires} +Requires: coreutils +Requires: curl +Requires: grep +Requires: mailx +Requires: openssl +Requires: sed %description This is a client for signing certificates with an ACME-server (currently 
@@ -23,45 +32,69 @@ script. Dehydrated supports both ACME v1 and the new ACME v2 including support for wildcard certificates! Current features: -* Signing of a list of domains -* Signing of a CSR -* Renewal if a certificate is about to expire or SAN (subdomains) changed -* Certificate revocation +- Signing of a list of domains (including wildcard domains!) +- Signing of a custom CSR (either standalone or completely automated using + hooks!) +- Renewal if a certificate is about to expire or defined set of domains changed +- Certificate revocation %prep %setup -q +%patch0 -p1 -b .autowash +%patch1 -p1 -b .improve-trap-handling +%patch2 -p1 %build : nothing to do %install +mkdir -p %{buildroot}%{_libexecdir} +mkdir -p %{buildroot}%{_rundir}/dehydrated mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/accounts mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/archive mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/certs mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/conf.d -mkdir -p %{buildroot}%{_rundir}/dehydrated -%if 0%{?fedora} || 0%{?rhel} >= 7 +mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/hook.d install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/dehydrated.conf -%endif +install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/dehydrated.timer +install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/dehydrated.service +install -D -p -m 0644 %{SOURCE4} %{buildroot}%{_presetdir}/50-dehydrated.preset +install -D -p -m 0755 %{SOURCE5} %{buildroot}%{_libexecdir}/dehydrated-cron sed \ -e 's|^#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_rundir}/dehydrated/lock"|' \ -e 's|^#CONFIG_D=|CONFIG_D="\${BASEDIR}/conf.d"|' \ -e 's|^#HOOK=|HOOK="\${BASEDIR}/hook.sh"|' \ -e 's|^#PRIVATE_KEY_RENEW="yes"|PRIVATE_KEY_RENEW="no"|' \ + -e 's|^#AUTO_CLEANUP="no"|AUTO_CLEANUP="yes"|' \ + -e 's|^#KEY_ALGO=secp384r1|KEY_ALGO=rsa|' \ docs/examples/config >%{buildroot}%{_sysconfdir}/dehydrated/config -install -p docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/ +touch 
--reference=docs/examples/config \ + %{buildroot}%{_sysconfdir}/dehydrated/config +sed -i.orig -e 's|^\#!/usr/bin/env bash|#!/bin/bash|' \ + docs/examples/hook.sh +touch --reference=docs/examples/hook.sh.orig \ + docs/examples/hook.sh && rm docs/examples/hook.sh.orig +install -p docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/hook.sh +sed -i.orig -e 's|^\#!/usr/bin/env bash|#!/bin/bash|' \ + dehydrated +touch --reference=dehydrated.orig dehydrated && \ + rm dehydrated.orig + install -D -p -m 0755 dehydrated %{buildroot}%{_bindir}/dehydrated -install -D -p -m 0644 docs/man/dehydrated.1 %{buildroot}%{_mandir}/man1/dehydrated.1 +install -D -p -m 0644 docs/man/dehydrated.1 \ + %{buildroot}%{_mandir}/man1/dehydrated.1 rm -rf docs/man/ +# remove execute bits from documentation +chmod a-x docs/examples/hook.sh %post -if [ ! -f %{_sysconfdir}/cron.d/dehydrated ]; then - echo "$(($RANDOM % 60)) $(($RANDOM % 6)) * * $(($RANDOM % 7)) root test -s %{_sysconfdir}/dehydrated/domains.txt && %{_bindir}/dehydrated --cron" \ - >%{_sysconfdir}/cron.d/dehydrated +%systemd_post dehydrated.timer dehydrated.service +if [ $1 -eq 1 ]; then + systemctl start dehydrated.timer >/dev/null 2>&1 || : fi umask=$(umask) umask 027 -if [ -z "$(ls %{_sysconfdir}/dehydrated/conf.d/*.sh 2>/dev/null)" ]; then +if [ -z "$(ls -1 %{_sysconfdir}/dehydrated/conf.d/*.sh 2>/dev/null)" ]; then touch %{_sysconfdir}/dehydrated/conf.d/local.sh fi if [ ! -e %{_sysconfdir}/dehydrated/domains.txt ]; then 
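Review bot: The two sed expressions added in `%install`, `s|^#AUTO_CLEANUP="no"|AUTO_CLEANUP="yes"|` and `s|^#KEY_ALGO=secp384r1|KEY_ALGO=rsa|`, match the exact commented default in upstream's docs/examples/config, so if a later release changes that text the substitution silently does nothing and the package ships upstream's value. The existing `PRIVATE_KEY_RENEW` expression has the same property. A check after the sed call would make the build fail instead, e.g. `grep -q '^KEY_ALGO=rsa$' %{buildroot}%{_sysconfdir}/dehydrated/config`, repeated for each setting the package overrides. A short comment on why the key algorithm is switched from secp384r1 to rsa would also help, since the spec gives no reason. The `%post` scriptlet continues past the end of this hunk.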
@@ -69,10 +102,25 @@ if [ ! -e %{_sysconfdir}/dehydrated/domains.txt ]; then fi umask ${umask} || : +%preun +%systemd_preun dehydrated.timer dehydrated.service + +%postun +%systemd_postun_with_restart dehydrated.timer +%systemd_postun dehydrated.service + +%triggerun -- dehydrated < 0.6.2-7 +systemctl preset dehydrated.timer dehydrated.service >/dev/null 2>&1 || : +systemctl start dehydrated.timer >/dev/null 2>&1 || : + %files -%doc README.md docs/* +%doc README.md CHANGELOG docs/* %license LICENSE -%attr(0644,root,root) %ghost %{_sysconfdir}/cron.d/dehydrated +%{_presetdir}/50-dehydrated.preset +%{_unitdir}/dehydrated.service +%{_unitdir}/dehydrated.timer +%{_tmpfilesdir}/dehydrated.conf +%{_libexecdir}/dehydrated-cron %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/config %attr(0750,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/hook.sh @@ -82,14 +130,16 @@ umask ${umask} || : %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/conf.d %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/conf.d/local.sh %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/domains.txt +%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/hook.d %attr(0750,root,root) %dir %{_rundir}/dehydrated -%if 0%{?fedora} || 0%{?rhel} >= 7 -%{_tmpfilesdir}/dehydrated.conf -%endif %{_bindir}/dehydrated %{_mandir}/man1/dehydrated.1* %changelog +* Tue Jun 01 2021 Paul Wouters - 0.7.0-1 +- Resolved: rhbz#1872621 [RFE] Ship systemd units for auto-renewal +- Resolved: rhbz#1906674 dehydrated-0.7.0 is available + * Tue Jan 26 2021 Fedora Release Engineering - 0.6.5-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild diff --git a/dehydrated.timer b/dehydrated.timer new file mode 100644 index 0000000..e0024ad --- /dev/null +++ b/dehydrated.timer 
@@ -0,0 +1,10 @@ +[Unit] +Description=dehydrated client for signing certificates with an ACME server + +[Timer] +OnCalendar=daily +Persistent=true +RandomizedDelaySec=2h + +[Install] +WantedBy=timers.target diff --git a/sources b/sources index 7369fd6..3441ebb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (dehydrated-0.6.5.tar.gz) = da8ff3ecb7ddeb25356469fa272aef4e7c3705049caf88d09656dbc4baf29e0efa135e6f154c78cec82da17a27a78f2145ee3b7bd71521a080e10550d09b8a53 +SHA512 (dehydrated-0.7.0.tar.gz) = 47740d2d31ca73482a4fc5ed0dfce986af907dd5449cb3a5230bf9683845686c8122fc32e6219a4439574ef11d6fb104ee09591c5ff667927a2c9c13ba005511 From b8dbaaf73ff18f4bd950e756b1193035a56ec014 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Tue, 1 Jun 2021 13:19:01 -0400 Subject: [PATCH 09/23] - Update trigger to proper version --- dehydrated.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dehydrated.spec b/dehydrated.spec index c8a4237..6689713 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.7.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -109,7 +109,7 @@ umask ${umask} || : %systemd_postun_with_restart dehydrated.timer %systemd_postun dehydrated.service -%triggerun -- dehydrated < 0.6.2-7 +%triggerun -- dehydrated <= 0.7.0-2 systemctl preset dehydrated.timer dehydrated.service >/dev/null 2>&1 || : systemctl start dehydrated.timer >/dev/null 2>&1 || : 
@@ -136,6 +136,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Tue Jun 01 2021 Paul Wouters - 0.7.0-2 +- Update trigger to proper version + * Tue Jun 01 2021 Paul Wouters - 0.7.0-1 - Resolved: rhbz#1872621 [RFE] Ship systemd units for auto-renewal - Resolved: rhbz#1906674 dehydrated-0.7.0 is available From e796d05c55011a3065f02bb15a4e84866eb2837d Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 21 Jul 2021 20:38:39 +0000 Subject: [PATCH 10/23] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 6689713..399ee6c 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.7.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -136,6 +136,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jul 21 2021 Fedora Release Engineering - 0.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Tue Jun 01 2021 Paul Wouters - 0.7.0-2 - Update trigger to proper version From cd3a549fd42047223d109a544d0a0909628d142a Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 00:31:04 +0000 Subject: [PATCH 11/23] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 399ee6c..83eb786 100644 --- a/dehydrated.spec +++ b/dehydrated.spec 
@@ -1,7 +1,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.7.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -136,6 +136,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 0.7.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Wed Jul 21 2021 Fedora Release Engineering - 0.7.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From f35bfc28c38c8ac54a79e8e7d5529b23ef6c3c7c Mon Sep 17 00:00:00 2001 From: Carl George Date: Fri, 4 Feb 2022 13:53:04 -0600 Subject: [PATCH 12/23] Require path instead of package name for mailx Resolves: rhbz#2050852 --- dehydrated.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dehydrated.spec b/dehydrated.spec index 83eb786..e9ea638 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.7.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -21,7 +21,8 @@ BuildRequires: systemd Requires: coreutils Requires: curl Requires: grep -Requires: mailx +# provided by either mailx or s-nail +Requires: /usr/bin/mailx Requires: openssl Requires: sed @@ -136,6 +137,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Fri Feb 04 2022 Carl George - 0.7.0-5 +- Require path instead of package name for mailx rhbz#2050852 + * Thu Jan 20 2022 Fedora Release Engineering - 0.7.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild 
From 355d594770e2c316b53f393450a95f4ab82a6ca8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 21 Jul 2022 00:18:12 +0000 Subject: [PATCH 13/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index e9ea638..fe16b81 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.7.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -137,6 +137,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Thu Jul 21 2022 Fedora Release Engineering - 0.7.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Fri Feb 04 2022 Carl George - 0.7.0-5 - Require path instead of package name for mailx rhbz#2050852 From 49254a974a15b1107c79c905e499a92a2bbf96b0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 01:14:33 +0000 Subject: [PATCH 14/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index fe16b81..71e0897 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: A client for signing certificates with an ACME server Name: dehydrated Version: 0.7.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz 
@@ -137,6 +137,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 0.7.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Thu Jul 21 2022 Fedora Release Engineering - 0.7.0-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From c38537d59eb96d1c75adecf130aa3dd44fbec44b Mon Sep 17 00:00:00 2001 From: Robert Scheck Date: Wed, 31 May 2023 03:34:13 +0200 Subject: [PATCH 15/23] - Resolved: rhbz#2139056 dehydrated-0.7.1 is available - Resolved: rhbz#2035549 genkey ecparam - ECDSA key, P-384 (secp384r1) --- .gitignore | 1 + 3C2F2605E078A1E18F4793909C4DBE6CF438F333 | 149 +++++++++++++++++++++++ dehydrated-hook.sh-defaults.patch | 69 ++++------- dehydrated.spec | 36 ++++-- sources | 3 +- 5 files changed, 201 insertions(+), 57 deletions(-) create mode 100644 3C2F2605E078A1E18F4793909C4DBE6CF438F333 diff --git a/.gitignore b/.gitignore index a82d686..a63dccd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /dehydrated-*.tar.gz +/dehydrated-*.tar.gz.asc diff --git a/3C2F2605E078A1E18F4793909C4DBE6CF438F333 b/3C2F2605E078A1E18F4793909C4DBE6CF438F333 new file mode 100644 index 0000000..9737767 --- /dev/null +++ b/3C2F2605E078A1E18F4793909C4DBE6CF438F333 
@@ -0,0 +1,149 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: 3C2F 2605 E078 A1E1 8F47 9390 9C4D BE6C F438 F333 +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer + +xsBNBFFfGhMBCADuxAL1vqC7J1AmxMrFGxobyPaY9tmUEueRF+JuUJlk48qSbcWg +zAMEprSgw3HY/15Galu/7g8KxXnlN4WO2vgA6eu1CYx3CoukJ8dc/m6hEMxqwsIW +H/1sI7P2hLGB/6YC3MqgpyZxrXzS3coe/JLLkeOtcnBgeT1VpGnodSEKsK4unkfV +cmheLuF+zMb0t1DFtd//Ka99XtoF7HXW6p/n8NjiAXKkEkTWf+0qsOIzar3Hl7QE +dnEMK1EjDbrqNufTe+TyvM9hVMyDTptvA0EDOj+5Jmt29pWpriOgUgm2D1JgZi9b +YmGnTo149q5bUzfLvsTDI0IS7ClxXIES/dfXABEBAAHNJkx1a2FzIFNjaGF1ZXIg +PGx1a2FzLnNjaGF1ZXJAaC1icnMuZGU+wsCOBBMBCgA4FiEEPC8mBeB4oeGPR5OQ +nE2+bPQ48zMFAmGLB7ECGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQnE2+ +bPQ48zOiHAf9EaE/FleDKNicSlYc2tazUVx+qXiks6ADi40T8bLycu1rtXQCa5wC +G3Ucnx5sWqOOHRwgruWpr5ksl9rFImozQaP6IvVzmWl7o5+7Bki8Bf8a5OU/D4IP +EUdPO+UEoxr54KrSV9Cuk0K2tiENT8WLy+57rMSx49f4AF1svG/FUbMgkENR90Gi +8YxyEGfm2K8yNoPcg9XukUfcL48cI2OH52GMaRpJVDhRG6bNKCJbUoczY249a8Ar +4wWsZMN/ajeA5hFj3J8Ol2rl6h4x4kBVRrgW3nbx2Pu8SRVKwIW3mnNv1PovqDuP +kxDiBLRHIdojyrn0ZDXLkJAavYReQXo2Kc0qTHVrYXMgU2NoYXVlciA8bHVrYXMu +c2NoYXVlckBpbmYuaC1icnMuZGU+wsCOBBMBCgA4FiEEPC8mBeB4oeGPR5OQnE2+ +bPQ48zMFAlqZuscCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQnE2+bPQ4 +8zMsQAgA5ZbXLDtr4di+spbmykqKKvC+7teyaG/5VOTlwjlWBu9Vq5ijdKskogUu +i49e3xC9Pnu3TTYeIDKQ/8GVBojMhQfEzPEWwAupK07dwL4N/VIEIowaYmTIggZb +C0IkyHBG1esg//tFmyC2WGTdKDaCPB0Y+reB+DVkYCcSycSpjxDS3SpDqmyeEm7+ +BFgCsNIPJaj+YEscvJF7S+Bzga3uPitlNdIp4hBW7SpdNi3sx3PguOyHuSkqJm+t +qblgA7p2RVcc4uHpXS77xUw3lI2KMmWkd+yL7Mrfspc+cDscU4mXEjk8bqM70F4y +C2BnE8hPGURYIsnNbPOCzWXKqNIrRs0mTHVrYXMgU2NoYXVlciA8bHVrYXMyNTEx +QGtvZWxuLmNjYy5kZT7CwI4EEwEKADgWIQQ8LyYF4Hih4Y9Hk5CcTb5s9DjzMwUC +ZHIzXwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCcTb5s9DjzMxOKCADr +S9SUhsh7e+pyQ2+8dof41moWsJOyNygFZLCgJVHqhaSG/k83C0/UIjxsPKzJS/RO +6pBMTns02tGh7UVx+4X/frMOH5LHtUIX91qRRMFyq+ulbNQpGCJ05JGyxwgAZ7N0 
+eWrSTR5CTeCR3imxeN4pqQTMrn+u5Zvwo0BtrUnZuS0m1cBwMuocrdvl3hZFwlL/ +fOYLObqzrVsygRQerZqt7WxFIeJCqslHdrxrI05UNU+rhO5ECHAWWtSp8iC71F7r +QerDeX8Bbw7zVFxxL/+XdkXSrVkA3TcKwyHizlnrBEDaZLbRri5SR6x3wF3L4D35 +QsxEUtDDR4sPIhF1sJDQzR5MdWthcyBTY2hhdWVyIDxsdWthc0Bmc2xhYi5kZT7C +wI4EEwEKADgWIQQ8LyYF4Hih4Y9Hk5CcTb5s9DjzMwUCWsTl3gIbAwULCQgHAwUV +CgkICwUWAgMBAAIeAQIXgAAKCRCcTb5s9DjzM0TrB/0YkMpsYbcyk5Ly+nhFKi3E +U3Q20XBTFTBDG957+djPhjHO6brnKBCXi87F6eGKTmCmAtN9GSciwVQ9J23Qc8dI +b3/gNT4WtqwFqzBoVzeyk/fBoda5kRpdczwu/4fc61U/4UUPmR9JuRoCDgRKjYQ0 +MDAv92tDfIPbK4yVE6PsU0/7aPuaa9u4V+g3J1V5ILazhrsAyGTh3AFDGmGICcAt +rwsPOyYEHC8bzGch4AqOFCLEsPJBOuGZdueryBtIcIpt9dMwz0dNVwuDldoUWzuE +vGGf0N2gRqMnRcXYrkIKOKqoqSQZb/uwTCagk9oRP6LOuVaR7N6Nwaul9NwyOXV0 +zSFMdWthcyBTY2hhdWVyIDxsdWthc0BzY2hhdWVyLmRldj7CwI4EEwEKADgWIQQ8 +LyYF4Hih4Y9Hk5CcTb5s9DjzMwUCYYsIrgIbAwULCQgHAwUVCgkICwUWAgMBAAIe +AQIXgAAKCRCcTb5s9DjzM0xYCACpqhuKTb7Dcy/5SwmWCdFtMMeaORd321+IV0lY +3JG55blOsBgIZujaLWK9sVlE5FS3x6EaQYHEUUu1cEBJlUT9T1Ko5qo/6zz7Y2ic +NK5LPfCPYDirGLYsSK08R/ts2E6IL09u3cFWaiZbvDepjnEakgyNpVcJYlhXayie +DH7t3Om6FPte3ihyT5J5fP6tW1PD0s7HjIFSErmQ1CpgrL5MkGoShcWpYt9IDcmo +7Q8LQE/M/CNCULEnEXXvdtdWL9HsbXlKwIok2ReJ8N4XlcKdaucgP3oTSqtX0/yC +TrytyhTemHgIaXRb3rYcXntQcJHFDlU6K/iWL5ib5bUb53AEwsCOBBMBCgA4FiEE +PC8mBeB4oeGPR5OQnE2+bPQ48zMFAl+9ZiQCGwMFCwkIBwMFFQoJCAsFFgIDAQAC +HgECF4AACgkQnE2+bPQ48zPzJgf/TUZJLdwue6xbI6nz9QynyHn8dM6F5nEz4zEx +Go+lEqR9prXvKVG7xecEMGYuydtS/vzYkLy6pnXDGzkUBgues7CWATz05MezjH+6 +k49EKm0nOubANpCeBVw+hBvtxqBWcdxY2gS7Nl4Qt33hXmAl0A/sn4Yt4bXC3m1e +8nQthj/hMsKiw5gXT3nGZc62fyZPLY6qTDO8L+9j8JhzNoE7dhh5vK5STYpFPY3k +sjUuiAIRqiH+rMshBMaCSWAuTBh0Kv2rzFbtVBhoarSmyaZ+LsFVEV+MXaUN2sv/ +gEta75uKlOYSGwTvecGjm4xtjHjor9DJ16+gJBHwcjnsV6e6+c0gTHVrYXMgU2No +YXVlciA8bHVrYXNAc2NoYXVlci5zbz7CwJMEEwEKACYCGwMHCwkIBwMCAQYVCAIJ +CgsEFgIDAQIeAQIXgAUCVczrqQIZAQAhCRCcTb5s9DjzMxYhBDwvJgXgeKHhj0eT +kJxNvmz0OPMzdycIANghzH+bFgEhJdfIwOX6D4Id3B746XdZmRNbWLToIbJbJflD +TjgZUGNLtmbH8Hv57ss8ssNmkp0nB+c2fb6Ar/Tl3sEheJM49PWbI96ERqSDhr+f 
+mKKhOEjptwQTAy1prBAvTZ1LbyN9ChJwf00nU3tjBfvS19z8ZFGATY6yBGvnbxHn +qz+n06COcBXsz8dsAtDzvxCMMhfSmgL+PAere8pJCLi3WklazbkzjuKqsfd02GJC +CH/OeLmrtyBG8fkQzVpg4zDFgdetiqvc2bJeYYGmvPhBYtqgTWm8iZvfVRIyN2fF +br04b3hx6eXVjRHSp2+d10so2fVD6Cf3gidBX4LCwJAEEwECACMFAlIeIN8CGwMH +CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAhCRCcTb5s9DjzMxYhBDwvJgXgeKHh +j0eTkJxNvmz0OPMz0cYH/2NaSfR+rgeq5gmt1R6MYby5Fa7lEqSPiVzVIcKVFlCj +RNcpO/I5o0YTDGX+1DGIn8hpLiv9P3BK5La+Y/JKidq+tITp5pAt4xKuR9ISnxs4 +aLHp1L80fXBDWM4J5v+ATVls9SNeo5FkXBBo3gvMtN91N0467XOn9Iy3u0ei86LK +VAlis6fFlFoE4KqQMoyWOiOOGOkKU45kRerdTc9skccX9jQGzkFpEk7nrrIC1WMr +6i2edbt37LgycW0IgZzbdGRmEgwSq7OfUb4NF49XAb9be0q8x7sMoogkLBGizL2A +soJO6kZmQWejygNIBPKGCK+X9dCsdDI6p67PMJqXoIjOwE0EUV8aEwEIAM1d0x6B +/PUlXfUzkTlYtFmfm67OOPW2EImld+53RgVc/HGY9RyYP0YwxNs1mjWalzJYV6/a +Q9xke/Dz0pLYwIl2c1TCzwinqgymkR17krDJ/+hj2GZBsiEHlMDbWskgwIc7Wldh +cmxsOvsvRrHSCcw7ZFD+iA9l6XJoUrtP9QhJLaj6WoX0fU377t3me6hji5387pzY +oDKiq8cfJu4q/K6oB42kmo+LPVub+DvBBZPDakDnE46v0LfbgvPqjaVxM2KHjqll +epk1CIOAbUbtyC9kVuavDgnIOMe1couHsy0+7fXeQE0xMLPjGGZAXt6OVI8o/1Ib +gA2EbiVR225Tu2cAEQEAAcLAdgQYAQIACQUCUV8aEwIbDAAhCRCcTb5s9DjzMxYh +BDwvJgXgeKHhj0eTkJxNvmz0OPMzT1wIAIZ0Q23vWXHnoSPMfpbmj8U5gcdObh7B +x+AZIdaZ1JyryA4jjXiQGQ6D12z0gxC3mGnrSFe15LEbWXSrERdsxftw7kU2eN6v ++KRzA8NLp5nZrkaeL+H9QVGdVhzDZz7tQACCi6zCHCpuRVStEwOh0bYNPTl9Ah2B +9tAtQFbmoVOhL8Jc3O8bjuOoERRL+YUy1mAXb6bJTZu4yUheZqtOLQoRgy3SB4Ze +GlLYM32JCtDNDyCNXP8QGB0dsRk6wdbgkxBrJxi+i48VWoIhxmg3Szxz0CKWoS71 +XxcstYDTNFULwWnqb9mkxfy3aRVB0EowdvU1TPRv64fKcA0JFBQYoiDOwU0EWpna +/QEQAJqV4HrVPY3MiFYjBbxVl9isBIRG73ySOcOFLKILe1PUre2gz5cIvFzoM+jQ +vtZH5lxndUaC6NEAxFLZVICLIkXF0mv0DreLrjbN+bZiqh1FQ6qJvKKvMSwSTZAh +e/2Fe5frKImEEKlpxB/JdMMTbESHeGs1523Yndmcd6DsgpjfTdoX2b9MmwtBZipE +2ybyzoFo7QDjioIsPTerAvZLf/EsfC8X5XG6uGDE7u/k0i/EnefBmqErXeV3hziq ++YLN0Ja7ltGsl6B0ZLb86HMSj2ZpuGkzWrDzX3JyZVGDMrBie/wKXCxWAOaAwOfJ +F3BTp3LA5Bajg6VzJMGxoQUGiXcoJxAixwC9jUlIj48K3nnS9Wz3mAa3N/UXIr81 +wEKhGpSW+/KuQdLjLXW9W1BF+cJWze0yA6eJzLiQYt6R64p9jIKTWUaPnVg6yrB6 
+vbAeecFLZPqjXnzVcb51GvuTWrKK7PyvNIyic59XZaNujC+Cc4L5AS1svA7VcOAW +Hepl3F5JwNhYcKxgpY7J5FCq24B3/xQ4UQb52hh6Rfhv4s9KoeaqDGhObBZ6cBz9 +SVqGGipnyQq6vg7h5Az3hcrC6/blf/IibtkXJzf8Z3N/Jk3zg3AQszy79oqz5K/S +H9Da7Q8drpMWABFldro5eqZ83Agvnje31it/pHJ+ZBYn+dXBABEBAAHCwHYEGAEK +ACAWIQQ8LyYF4Hih4Y9Hk5CcTb5s9DjzMwUCWpna/QIbIAAKCRCcTb5s9DjzM2rH +CADYzgi9AQdCbbjCmrrXqY1dom2zz34tZrIvFnm0IMzmXv8mXxwBnWbVC+K6m/nk +sidv9F9HkErEkc8JVDchnFwVxTEISPQZlg7WHKZri2ILL0NMOzqCpQbJZH1ZkSIh +sizlD/fJ9Dl/nyzJoJN9TUXe10m7zGURaR9+BB/I5UqaeXI1zJDbFg36vDh1NUNJ +YUMl+WFjhbOsMcC9FZbQ3IuBzWrWzljtFNwYj3L5JINu+SiBhknJpRAF4Y2lQYEA +6rQkFR6/k2N9FpetK6hmSo0m/lGC4OvffFEDHKZ8uD5LenRgl8JQSgjHTKViZxCL +pOgUUMWJjqJmuOp9orbdFSXKzsFNBFqZxdUBEAC13KtkbRv6sBOgqFW3RuGRq0MJ +82j3HLbWla8FuvnzEM8ekK7Zb7a3q4aLT/P0hKyIrYunKgpKo4mYR5hX8uMQ84Ux +A/wW9vhM55iDfNxMS7tC3bLICNddz3Xn3do6nwWh3u5hU6ISm3Te/w2ofZtIT2H2 +Y+O9avLfZLQ5SHVL0wwNNXOpJa3VmCn5CeZ7MADnlRMK+vRE20et8mjEkRZMVqwA +jDnQCQi9Qh/EQAl82yI4P6a2HZuDb4iVi/U1rGtZnAS11eIrjp2+WPuECcMkSg3i +fA2gk1Qt1CFQSurTPQfDJEB/nf7atdRajAjF27fgSWAppKbBNn7zjH8HOpxWt0QS +0Lj371eDJmKV0F5r+kZRLaiCT8kksVNR6P5wEQgYvDIUQbWskSbMFzu8oMGt+AKS +fm2341itRNoyjwMGPTTuFkjMRcaLuygheZIbWa3sSny955qNxiujBYdJrYHMn/ja +WYKQA0F6LYyuFgwmUJGc3qdibZ3/Mj8MU/f7uodC23IJTGuFHNJFy9uYzCmTkptG +0yVsSs8fPSjToxdiEb2dgp7XT37qQDrWMIzgFg2WOcyFR6mSwjre2VogPXog2o+i +2l/7ze9Lx+9gF9wZcOvP3pJMS8b9ALIJT48w0mricBcblUWD5IJ4X3NgGn9fJMcH +NtSS4dCyOhAxPYB5wQARAQABwsB2BCgBCgAgFiEEPC8mBeB4oeGPR5OQnE2+bPQ4 +8zMFAlqZ2uACHQMACgkQnE2+bPQ48zPlhQgA4tu4Wey8dT/NTDZZiihT77wxdcXP +w5wO6Bg/lr9BRVJh73kiTIRzQbH3LDnP7y2ZIAH192k6wmM1PFrl9ivaKVocq5Iu +AuJmUQ47vRj0o4zHGss0G6js1K9P2oqt0v2evDK1VRNunOQNA7fubwYL1Mb0J4pl +dfOBKpFzUpo6MKhSKiU4rcNrBYAlbM5m7z6h6PNal/bXWhjJv5HnJD73CqNpinuz +RwefjQqtrjz3kjm8Ss8DhVuVYi3damDiIvQFuOabBWtuGPtnHX0QgH5qS+kIDPYp +zPJTabKAFLuZwZWFRM7WZilELrZfAZrcXFaPdTYCyfPdiLM5BmIHA7r7gcLAdgQY +AQoAIBYhBDwvJgXgeKHhj0eTkJxNvmz0OPMzBQJamcXVAhsgAAoJEJxNvmz0OPMz +T2oIAI56dTjge+TgsloxgGu+Ajlu/eH+oOhyqulqMasWYUemTlQKwGEtrHRNFMB2 
+dWOmSWAcJgQ2w3nLmpugFquusZ1zZO7Dkgzw8Krz8a93OXdR08qew8xDSbHGNT6W +20bnP3fGIKt/FwT3Sus5WfWpAjVxsDF7LPy4p4DYGJchi+VSIjwSKR+4cAVP/xBi +evicQSEdZpc2idCEmJtBTDo75dALiEt5vYzCvteFJagI18PzCCdIT+YhONrf8w8j +4CAlh1ZpYqjCb1Vp774YDPqZxn1MBXa8+tCO5rw8F6P6kOE291mblSMQ/3ED6kx/ +yLl3pAvi+WLjSZiq64goYOxF2PjOwU0EW5UcwgEQAM9Hn/9qevhbi6CRF7DBhqDR +KCG/+vWMsyercQgFqd10n4DmRJy3ZBe2035UrnOANJ/l+y8c/wAAPTeSJHhXHZqh +Kd968H118UMe6o9xb7gjDCUmUoEnDEmvM3sygbd76jBeS/6CWfLviRj4eeHuifUw +y9uljVtcqvo2ZiOxuVPKlh2MZU8CCil3WHU+8ZsypSl/sXgljk+QajTm5lFVOS37 +7s72hkekGs9XE+nZqY72v3PD1oev9f1ARwsStFm4WajJ4eWjlmp5NshGowd5Cb6F +0m7iDanqqNNnsJZS6IMEqw8rFJLihtpqkYHRJ9yYq1nofP2wzJraPYAp2zV6hmw8 +45mfkkGYybfSyUtoV21REq6C/0sV7khAzjIa+a7V/6fks6+xlpR9yck97Hgo+iSU +WchacxjSVlvcibf9CadiYYSaN/8JlxM/QSx39AxTrfBI7NZMnR5wmYKCUhskb+rR +QjKWXmkuyaDuVA4dmahZL3OawqSGbt91mpdZIh3tvEP1vGPKnHqt+9WcTQSuPYDY +bM1nXwN5+ZzYlCg92rk8nzdGjPyBT4BkCeGVsjYoY3OcyY/mfyqkfFoqi+4p8/VJ +Il560v3SJW7ZwMRiAWV4WTwsxk0Z4nnQuNy9zbD7wNWUywK3oOkaTBZS7s/bCKWH +dDs0ED0OcdzThAH1aS3vABEBAAHCwHYEGAEKACAWIQQ8LyYF4Hih4Y9Hk5CcTb5s +9DjzMwUCW5UcwgIbIAAKCRCcTb5s9DjzMxJGB/9vTHH4v1GQho6QDVUrn7qd9DWN +4L+OECYIMc0WS4v1OLiFdJvNXQUuldQUqttF5Fb211RFNnXE8F8GyBWbIkyFV+Kr +Sj7uncbmoijnFEsFUh8NSWF9XGDMlvRxV7njGIBNXu0Zks5rydOT9LStuQO9lYYR +Cvzfyi/ZT/Qu6VKcIcoDazU/PqyAmWbbsncdAibvhjumEHCVw0MNdl6h9XhCI69b +dssYonLOao4NX8Kf1+vu1q39oVI5E2DEAOG6/FOXGa1Y73iBcccd7c26HnCY4CkJ +ekb/rlxYhCOaoqRGiSmODvfl6IkQdGhiEjXrgJmT9SWmA8SFMikCen8Tvfdg +=rFgw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/dehydrated-hook.sh-defaults.patch b/dehydrated-hook.sh-defaults.patch index 203fc10..495fa3c 100644 --- a/dehydrated-hook.sh-defaults.patch +++ b/dehydrated-hook.sh-defaults.patch 
@@ -1,66 +1,49 @@ -diff -up dehydrated-0.6.5/docs/examples/hook.sh.orig dehydrated-0.6.5/docs/examples/hook.sh ---- dehydrated-0.6.5/docs/examples/hook.sh.orig 2019-06-26 13:33:35.000000000 +0300 -+++ dehydrated-0.6.5/docs/examples/hook.sh 2019-07-08 13:06:21.445513447 +0300 +diff -up dehydrated-0.7.1/docs/examples/hook.sh.orig dehydrated-0.7.1/docs/examples/hook.sh +--- dehydrated-0.7.1/docs/examples/hook.sh.orig 2022-10-31 15:12:38.000000000 +0100 ++++ dehydrated-0.7.1/docs/examples/hook.sh 2023-05-31 03:12:35.312025334 +0200 @@ -21,7 +21,7 @@ deploy_challenge() { - # be found in the $TOKEN_FILENAME file. + # be found in the $TOKEN_FILENAME file. - # Simple example: Use nsupdate with local named -- # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key -+ # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 30 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key + # Simple example: Use nsupdate with local named +- # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key ++ # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 30 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key } clean_challenge() { 
@@ -34,7 +34,7 @@ clean_challenge() { - # The parameters are the same as for deploy_challenge. + # The parameters are the same as for deploy_challenge. - # Simple example: Use nsupdate with local named -- # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key -+ # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key + # Simple example: Use nsupdate with local named +- # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key ++ # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key } sync_cert() { 
@@ -86,8 +86,14 @@ deploy_cert() { - # Timestamp when the specified certificate was created. + # Timestamp when the specified certificate was created. - # Simple example: Copy file to nginx config -- # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl -- # systemctl reload nginx -+ # umask=$(umask) # save original umask -+ # umask 077 # use secure umask for key file creation -+ # cat "${KEYFILE}" > /etc/pki/tls/private/${DOMAIN}.key -+ # touch --reference="${KEYFILE}" /etc/pki/tls/private/${DOMAIN}.key -+ # umask 022 # wider permission for certificates -+ # cat "${FULLCHAINFILE}" > /etc/pki/tls/certs/${DOMAIN}.crt -+ # umask ${umask} # restore umask -+ # systemctl reload nginx.service + # Simple example: Copy file to nginx config +- # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl +- # systemctl reload nginx ++ # umask=$(umask) # save original umask ++ # umask 077 # use secure umask for key file creation ++ # cat "${KEYFILE}" > /etc/pki/tls/private/${DOMAIN}.key ++ # touch --reference="${KEYFILE}" /etc/pki/tls/private/${DOMAIN}.key ++ # umask 022 # wider permission for certificates ++ # cat "${FULLCHAINFILE}" > /etc/pki/tls/certs/${DOMAIN}.crt ++ # umask ${umask} # restore umask ++ # systemctl reload nginx.service } deploy_ocsp() { -@@ -204,16 +210,23 @@ startup_hook() { - } - - exit_hook() { -- local ERROR="${1:-}" -+ local ERROR="${1:-}" - -- # This hook is called at the end of the cron command and can be used to -- # do some final (cleanup or other) tasks. -- # -- # Parameters: -- # - ERROR -- # Contains error message if dehydrated exits with error -+ # This hook is called at the end of the cron command and can be used to -+ # do some final (cleanup or other) tasks. 
-+ # -+ # Parameters: -+ # - ERROR -+ # Contains error message if dehydrated exits with error +@@ -214,6 +220,13 @@ exit_hook() { + # Contains error message if dehydrated exits with error } +# Include local overrides for hook.sh functions +if [ -d /etc/dehydrated/hook.d ]; then + for localhook in $(ls -1 /etc/dehydrated/hook.d/*.sh 2>/dev/null); do -+ . "${localhook}" ++ . "${localhook}" + done +fi + diff --git a/dehydrated.spec b/dehydrated.spec index 71e0897..bacb240 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,21 +1,24 @@ -Summary: A client for signing certificates with an ACME server +Summary: Client for signing certificates with an ACME server Name: dehydrated -Version: 0.7.0 -Release: 7%{?dist} +Version: 0.7.1 +Release: 1%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz -Source1: dehydrated.tmpfiles -Source2: dehydrated.timer -Source3: dehydrated.service -Source4: 50-dehydrated.preset -Source5: dehydrated-cron +Source1: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz.asc +Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/3C2F2605E078A1E18F4793909C4DBE6CF438F333 +Source3: dehydrated.tmpfiles +Source4: dehydrated.timer +Source5: dehydrated.service +Source6: 50-dehydrated.preset +Source7: dehydrated-cron Patch0: dehydrated-autowash.patch Patch1: dehydrated-improve-trap-handling.patch Patch2: dehydrated-hook.sh-defaults.patch BuildArch: noarch +BuildRequires: gnupg2 BuildRequires: systemd %{?systemd_requires} Requires: coreutils @@ -40,6 +43,7 @@ Current features: - Certificate revocation %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q %patch0 -p1 -b .autowash %patch1 -p1 -b .improve-trap-handling 
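Review bot: The `hook.d` loader at the end of the patched `hook.sh` iterates over `$(ls -1 /etc/dehydrated/hook.d/*.sh 2>/dev/null)`, so the file list goes through word splitting and globbing before each entry is sourced, and a name containing whitespace is split into pieces that are not the file the administrator placed there. This refresh carries those lines over unchanged, but everything in that directory is sourced into the hook script that receives `KEYFILE`, so a plain glob is the safer form: `for localhook in /etc/dehydrated/hook.d/*.sh; do [ -f "${localhook}" ] || continue; . "${localhook}"; done`. The commented `deploy_cert` example in the same patch has a related gap: `umask 077` only takes effect when `cat "${KEYFILE}" > …` creates the file, so an existing key file with wider permissions keeps them, and `${DOMAIN}` is unquoted in the target path. An explicit `chmod 0600` after the write and quoting the path would close both.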
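Review bot: The `%{gpgverify}` line added to `%prep` is only as trustworthy as the keyring file committed next to the spec, and nothing in the spec records how that file was validated. `Source2` (in the first spec hunk) points at keys.openpgp.org by fingerprint, but the check runs against the local copy named `3C2F2605E078A1E18F4793909C4DBE6CF438F333`. A comment above `Source2`, for example `# Upstream release signing key; fingerprint confirmed via <channel> on <date>`, would let a later maintainer repeat that check when the key is refreshed or rotated. The new `sources` entry pins the `.asc` file by SHA512, which guards the download but does not replace that provenance note.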
@@ -55,12 +59,13 @@ mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/accounts mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/archive mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/certs mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/conf.d +mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/domains.txt.d mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/hook.d -install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/dehydrated.conf -install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/dehydrated.timer -install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/dehydrated.service -install -D -p -m 0644 %{SOURCE4} %{buildroot}%{_presetdir}/50-dehydrated.preset -install -D -p -m 0755 %{SOURCE5} %{buildroot}%{_libexecdir}/dehydrated-cron +install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/dehydrated.conf +install -D -p -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dehydrated.timer +install -D -p -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/dehydrated.service +install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_presetdir}/50-dehydrated.preset +install -D -p -m 0755 %{SOURCE7} %{buildroot}%{_libexecdir}/dehydrated-cron sed \ -e 's|^#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_rundir}/dehydrated/lock"|' \ -e 's|^#CONFIG_D=|CONFIG_D="\${BASEDIR}/conf.d"|' \ 
@@ -131,12 +136,17 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/conf.d %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/conf.d/local.sh %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/domains.txt +%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/domains.txt.d %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/hook.d %attr(0750,root,root) %dir %{_rundir}/dehydrated %{_bindir}/dehydrated %{_mandir}/man1/dehydrated.1* %changelog +* Wed May 31 2023 Robert Scheck - 0.7.1-1 +- Resolved: rhbz#2139056 dehydrated-0.7.1 is available +- Resolved: rhbz#2035549 genkey ecparam - ECDSA key, P-384 (secp384r1) + * Thu Jan 19 2023 Fedora Release Engineering - 0.7.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild diff --git a/sources b/sources index 3441ebb..1352885 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (dehydrated-0.7.0.tar.gz) = 47740d2d31ca73482a4fc5ed0dfce986af907dd5449cb3a5230bf9683845686c8122fc32e6219a4439574ef11d6fb104ee09591c5ff667927a2c9c13ba005511 +SHA512 (dehydrated-0.7.1.tar.gz) = b7ac078d6034e784f3f485e8ce56b5fa2f1e2a3b5ef014d260046b5f1d5cbd99727501e95a9530d0d1b2f300003d3fa5bf7e7f532092041597236d92fbeb0f3c +SHA512 (dehydrated-0.7.1.tar.gz.asc) = f03872b7e087b3f719a76aaebd46f017f47595feb03a29f5fcbe33796655cdcd0a34580ae34a85e3280c8305a2fe2ada47e4436bfbec294b7dbf67768df86394 From f352d64d14f924c920f98194afe8cb0cdc4090e6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 17:16:00 +0000 Subject: [PATCH 16/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index bacb240..a09e7c5 100644 --- a/dehydrated.spec +++ b/dehydrated.spec 
@@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -143,6 +143,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 0.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Wed May 31 2023 Robert Scheck - 0.7.1-1 - Resolved: rhbz#2139056 dehydrated-0.7.1 is available - Resolved: rhbz#2035549 genkey ecparam - ECDSA key, P-384 (secp384r1) From 3927d057dc9a04818a3e128b7b7e2fce48f240bd Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 17:00:11 +0000 Subject: [PATCH 17/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index a09e7c5..7c826db 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -143,6 +143,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 0.7.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Jul 19 2023 Fedora Release Engineering - 0.7.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From 348456243202fe64c3f2731ab4bfbef76efafc09 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 24 Jan 2024 09:17:14 +0000 Subject: [PATCH 18/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 7c826db..34fd39f 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -143,6 +143,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jan 24 2024 Fedora Release Engineering - 0.7.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 0.7.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 766d400d3efb84cf219ebe83b15592f4801b1b28 Mon Sep 17 00:00:00 2001 From: Software Management Team Date: Thu, 30 May 2024 12:46:46 +0200 Subject: [PATCH 19/23] Eliminate use of obsolete %patchN syntax (#2283636) --- dehydrated.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dehydrated.spec b/dehydrated.spec index 34fd39f..c88fcec 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -45,9 +45,9 @@ Current features: %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q -%patch0 -p1 -b .autowash -%patch1 -p1 -b .improve-trap-handling -%patch2 -p1 +%patch -P0 -p1 -b .autowash +%patch -P1 -p1 -b .improve-trap-handling +%patch -P2 -p1 %build : nothing to do From a6338bbe13422f7dae43eccda7831f6ceb0c9e92 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 17 Jul 2024 20:48:51 +0000 Subject: [PATCH 20/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index c88fcec..73fe2cd 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -143,6 +143,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 0.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Wed Jan 24 2024 Fedora Release Engineering - 0.7.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 37a52d5c2114ab153dc24b4f2e0bd79cad8ccc66 Mon Sep 17 00:00:00 2001 From: Robert Scheck Date: Thu, 26 Dec 2024 17:26:10 +0100 Subject: [PATCH 21/23] - Added missing dehydrated run-time requirements - Resolved: rhbz#2279854 dehydrated dependency issue on EL8 --- dehydrated.spec | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/dehydrated.spec b/dehydrated.spec index 73fe2cd..45f73a1 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz 
@@ -19,15 +19,23 @@ Patch2: dehydrated-hook.sh-defaults.patch BuildArch: noarch BuildRequires: gnupg2 -BuildRequires: systemd +BuildRequires: systemd-rpm-macros %{?systemd_requires} Requires: coreutils Requires: curl +Requires: diffutils +Requires: gawk Requires: grep -# provided by either mailx or s-nail +%if 0%{?fedora} || 0%{?rhel} >= 9 +# Usually provided by s-nail, historically by mailx Requires: /usr/bin/mailx +%else +# s-nail (EPEL 8) provides /usr/bin/mailx, mailx (RHEL 8) provides /bin/mailx +Requires: (/usr/bin/mailx or /bin/mailx) +%endif Requires: openssl Requires: sed +Requires: util-linux %description This is a client for signing certificates with an ACME-server (currently @@ -53,7 +61,6 @@ Current features: : nothing to do %install -mkdir -p %{buildroot}%{_libexecdir} mkdir -p %{buildroot}%{_rundir}/dehydrated mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/accounts mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/archive @@ -143,6 +150,10 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Thu Dec 26 2024 Robert Scheck - 0.7.1-6 +- Added missing dehydrated run-time requirements +- Resolved: rhbz#2279854 dehydrated dependency issue on EL8 + * Wed Jul 17 2024 Fedora Release Engineering - 0.7.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 13927f6ab42b708a4e3ba7ac0e8e9d265bb1da0b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 15:33:56 +0000 Subject: [PATCH 22/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 45f73a1..519e789 100644 --- a/dehydrated.spec +++ b/dehydrated.spec 
@@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -150,6 +150,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 0.7.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Thu Dec 26 2024 Robert Scheck - 0.7.1-6 - Added missing dehydrated run-time requirements - Resolved: rhbz#2279854 dehydrated dependency issue on EL8 From 732f47e98f59519a25df9726791a791d474ff953 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 19:11:15 +0000 Subject: [PATCH 23/23] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- dehydrated.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dehydrated.spec b/dehydrated.spec index 519e789..eaf1da0 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ Summary: Client for signing certificates with an ACME server Name: dehydrated Version: 0.7.1 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT URL: https://github.com/dehydrated-io/dehydrated Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz @@ -150,6 +150,9 @@ systemctl start dehydrated.timer >/dev/null 2>&1 || : %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 0.7.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Thu Jan 16 2025 Fedora Release Engineering - 0.7.1-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild