From 4d6853f844c98f21130b9a18c52e1d952c4ae2a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Thu, 19 Oct 2017 22:21:18 +0200
Subject: [PATCH] evoacme: use hooks after certificate creation

---
 evoacme/files/apache_update_and_reload.sh | 47 -----------------------
 evoacme/files/evoacme.sh | 44 +++++++++++----------
 evoacme/files/hooks/reload_apache | 28 ++++++++++++++
 evoacme/files/hooks/reload_nginx | 28 ++++++++++++++
 evoacme/files/nginx_update_and_reload.sh | 47 -----------------------
 5 files changed, 80 insertions(+), 114 deletions(-)
 delete mode 100644 evoacme/files/apache_update_and_reload.sh
 create mode 100755 evoacme/files/hooks/reload_apache
 create mode 100755 evoacme/files/hooks/reload_nginx
 delete mode 100644 evoacme/files/nginx_update_and_reload.sh

diff --git a/evoacme/files/apache_update_and_reload.sh b/evoacme/files/apache_update_and_reload.sh
deleted file mode 100644
index 66b73df1..00000000
--- a/evoacme/files/apache_update_and_reload.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-error() {
- >&2 echo "${PROGNAME}: $1"
- exit 1
-}
-debug() {
- if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
- >&2 echo "${PROGNAME}: $1"
- fi
-}
-
-readonly PROGNAME=$(basename "$0")
-
-readonly VERBOSE=${VERBOSE:-"0"}
-
-if [ -z "${EVOACME_VHOST_PATH}"]; then
- error "Missing EVOACME_VHOST_PATH environment variable"
-fi
-if [ -z "${EVOACME_CERT_PATH}"]; then
- error "Missing EVOACME_CERT_PATH environment variable"
-fi
-
-readonly APACHE2CTL_BIN=$(command -v apache2ctl) || error "apache2ctl command not installed"
-
-[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable"
-
-local search="^SSLCertificateFile.*$"
-local replace="SSLCertificateFile ${EVOACME_VHOST_PATH}"
-
-if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then
- [ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable"
-
- sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}"
- debug "Config in ${EVOACME_VHOST_PATH} has been updated"
-fi
-
-if [ -n "$(pidof apache2)" ]; then
- if $(${APACHE2CTL_BIN} -t 2> /dev/null); then
- debug "Apache detected... reloading"
- service apache2 reload
- else
- error "Apache config is broken, you must fix it !"
- fi
-fi
-
-exit 0
diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh
index 022f8599..9e971028 100755
--- a/evoacme/files/evoacme.sh
+++ b/evoacme/files/evoacme.sh
@@ -92,6 +92,20 @@ csr_verify() {
 "${OPENSSL_BIN}" req -noout -modulus -in "$file" >/dev/null
 }
 
+exec_hooks() {
+ local hooks_dir="$1"
+
+ export EVOACME_VHOST_NAME="${VHOST}"
+ export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}"
+
+ for hook in $(find ${HOOKS_DIR} -type f | grep -v ".disabled$"); do
+ if [ -x "${hook}" ]; then
+ debug "Executing ${hook}"
+ ${hook}
+ fi
+ done
+}
+
 main() {
 # check arguments
 [ "$#" -eq 1 ] || error "invalid argument(s)"
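Review bot: `exec_hooks` takes `hooks_dir` but iterates `${HOOKS_DIR}` instead, so the parameter is dead and the `exec_hooks "${HOOKS_DIR}"` call in main() passes a value that is never used; the `for hook in $(find … | grep -v ".disabled$")` form also word-splits hook paths, `${hook}` is run unquoted, and a hook's exit status is discarded, so a failed reload no longer makes the script fail the way the inline version did. The script evidently runs with enough privilege to `chown root:`, and the hooks inherit it, so every executable regular file below that directory (any depth, because `find -type f` recurses) is run with that privilege; consider also skipping hooks not owned by root or group/world-writable, e.g. `find … -user root ! -perm /022` on GNU find. The rewrite below globs only the top level of `hooks_dir`, quotes the path, and propagates a hook failure through `error`; if descending into subdirectories was intended, keep find with `-print0` instead of the glob. main() continues outside the hunk.
```shell
exec_hooks() {
    local hooks_dir="$1"

    export EVOACME_VHOST_NAME="${VHOST}"
    export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}"

    # Glob rather than parse find output: no word-splitting on hook names,
    # and only the top level of the hooks directory is considered.
    for hook in "${hooks_dir}"/*; do
        case "${hook}" in *.disabled) continue ;; esac
        [ -f "${hook}" ] && [ -x "${hook}" ] || continue
        debug "Executing ${hook}"
        "${hook}" || error "Hook ${hook} failed"
    done
}
```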
@@ -112,6 +126,10 @@ main() {
 chown root: "${LOG_DIR}"
 [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable"
 
+ mkdir -p "${HOOKS_DIR}"
+ chown root: "${HOOKS_DIR}"
+ [ -d "${HOOKS_DIR}" ] || error "Directory ${HOOKS_DIR} is not found"
+
 readonly VHOST=$(basename "$1" .conf)
 
 # check for important programs
@@ -239,27 +257,12 @@ main() {
 # verify final path
 x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid"
 
- # update and reload Apache
- command -v apache2ctl > /dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"
- if [ -n "$(pidof apache2)" ]; then
- if $($(command -v apache2ctl) -t 2>/dev/null); then
- debug "Apache detected... reloading"
- service apache2 reload
- else
- error "Apache config is broken, you must fix it !"
- fi
- fi
+ # update Apache
+ sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"
+ # update Nginx
+ sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}"
 
- # update and reload Nginx
- command -v nginx > /dev/null && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}"
- if [ -n "$(pidof nginx)" ]; then
- if $($(command -v nginx) -t 2>/dev/null); then
- debug "Nginx detected... reloading"
- service nginx reload
- else
- error "Nginx config is broken, you must fix it !"
- fi
- fi
+ exec_hooks "${HOOKS_DIR}"
 }
 
 readonly PROGNAME=$(basename "$0")
@@ -280,6 +283,7 @@ readonly ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"}
 readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"}
 readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"}
 readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"}
+readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/hooks"}
 readonly SSL_MINDAY=${SSL_MINDAY:-"30"}
 readonly SSL_EMAIL=${SSL_EMAIL:-""}
 
diff --git a/evoacme/files/hooks/reload_apache b/evoacme/files/hooks/reload_apache
new file mode 100755
index 00000000..2cceb972
--- /dev/null
+++ b/evoacme/files/hooks/reload_apache
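Review bot: `mkdir -p "${HOOKS_DIR}"` leaves the directory mode to the caller's umask, and files found in that directory are later executed with the script's privileges (it is able to `chown root:`), so an over-permissive umask or a pre-existing directory with a loose mode would let an unprivileged local user drop a script that then runs as root; set the mode explicitly after the chown, `chmod 0755 "${HOOKS_DIR}"`. The `[ -d "${HOOKS_DIR}" ]` check only confirms existence and does not cover that case. main() continues outside the hunk.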
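Review bot: The `command -v apache2ctl > /dev/null &&` and `command -v nginx > /dev/null &&` guards are dropped, so `sed_cert_path_for_apache` and `sed_cert_path_for_nginx` now run on every host, including one where only one of the two servers is installed; whether that is harmless depends on how those functions (outside the hunk) behave when the vhost file is absent, so either keep the guards, `command -v apache2ctl > /dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"` and likewise for nginx, or make the functions return cleanly on a missing file. The removed inline code also aborted via `error` on a broken server config; after this change that outcome depends entirely on what the hooks return and on exec_hooks checking their status. main() starts before the hunk.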
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+readonly PROGNAME=$(basename "$0")
+readonly ARGS=$@
+
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+
+if [ -n "$(pidof apache2)" ]; then
+ if $($(command -v apache2ctl) -t 2> /dev/null); then
+ debug "Apache detected... reloading"
+ service apache2 reload
+ else
+ error " Apache config is broken, you must fix it !"
+ fi
+else
+ debug "Apache is not running. Skip."
+fi
diff --git a/evoacme/files/hooks/reload_nginx b/evoacme/files/hooks/reload_nginx
new file mode 100755
index 00000000..35db3787
--- /dev/null
+++ b/evoacme/files/hooks/reload_nginx
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+readonly PROGNAME=$(basename "$0")
+readonly ARGS=$@
+
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+
+if [ -n "$(pidof nginx)" ]; then
+ if $($(command -v nginx) -t 2> /dev/null); then
+ debug "Nginx detected... reloading"
+ service nginx reload
+ else
+ error "Nginx config is broken, you must fix it !"
+ fi
+else
+ debug "Nginx is not running. Skip."
+fi
diff --git a/evoacme/files/nginx_update_and_reload.sh b/evoacme/files/nginx_update_and_reload.sh
deleted file mode 100644
index 988c7389..00000000
--- a/evoacme/files/nginx_update_and_reload.sh
+++ /dev/null
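Review bot: `if $($(command -v apache2ctl) -t 2> /dev/null); then` executes whatever `apache2ctl -t` prints on stdout as a command; it appears to perform the intended test only because the syntax report goes to stderr and an empty command then yields the substitution's exit status, so any future stdout output would be run instead of tested. Write it as `if "$(command -v apache2ctl)" -t 2> /dev/null; then`, and the same for reload_nginx, `if "$(command -v nginx)" -t 2> /dev/null; then`. `readonly ARGS=$@` is unquoted and never used in either hook and can be dropped, and the Apache error string carries a stray leading space, `" Apache config is broken…"`, unlike its nginx counterpart.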
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-error() {
- >&2 echo "${PROGNAME}: $1"
- exit 1
-}
-debug() {
- if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
- >&2 echo "${PROGNAME}: $1"
- fi
-}
-
-readonly PROGNAME=$(basename "$0")
-
-readonly VERBOSE=${VERBOSE:-"0"}
-
-if [ -z "${EVOACME_VHOST_PATH}"]; then
- error "Missing EVOACME_VHOST_PATH environment variable"
-fi
-if [ -z "${EVOACME_CERT_PATH}"]; then
- error "Missing EVOACME_CERT_PATH environment variable"
-fi
-
-readonly NGINX_BIN=$(command -v nginx) || error "nginx command not installed"
-
-[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable"
-
-readonly search="^ssl_certificate[^_].*$"
-readonly replace="ssl_certificate ${EVOACME_CERT_PATH};"
-
-if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then
- [ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable"
-
- sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}"
- debug "Config in ${EVOACME_VHOST_PATH} has been updated"
-fi
-
-if [ -n "$(pidof nginx)" ]; then
- if $(${NGINX_BIN} -t 2> /dev/null); then
- debug "Nginx detected... reloading"
- service nginx reload
- else
- error "Nginx config is broken, you must fix it !"
- fi
-fi
-
-exit 0