
16 commits

Jérémy Lecour 692b50ebf9 Release 21.01 2021-01-07 19:14:08 +01:00
Jérémy Lecour 630da81b9e Do not upgrade certbot when executing the command 2021-01-07 19:14:08 +01:00
Brice Waegeneire c3ebb21cd3 Do not update certbot by default 2021-01-06 09:40:25 +01:00
Jérémy Lecour 9002c87ee7 Release 20.12 2020-12-01 22:25:53 +01:00
Jérémy Lecour 3da0006927 pass the proper value to RENEWED_LINEAGE environment variable 2020-12-01 22:24:46 +01:00
Jérémy Lecour d169061c81 Release 20.11 2020-11-19 21:20:00 +01:00
Jérémy Lecour b52d983754 emulate certbot hooks environment variables 2020-11-19 21:20:00 +01:00
Jérémy Lecour 86e64187cc don't stop global execution when hooks return errors 2020-11-19 21:20:00 +01:00
Jérémy Lecour 7b8896d3e8 exclude only hooks with .disable to execute hooks with .sh 2020-11-19 21:20:00 +01:00
Ludovic Poujol ab10877ccc evoacme: Don't ignore hooks with . in the name
Instead, ignore when it contains ".disable"
2020-10-20 10:54:04 +02:00
Jérémy Lecour be1aaa36ca Release 20.08 2020-08-21 13:59:15 +02:00
Jérémy Lecour 9fe4dc24b9 evoacme: use Let's Encrypt deploy hooks by default 2020-08-21 13:57:30 +02:00
Jérémy Lecour 81e7548c73 Release 20.06.1 2020-06-05 11:00:11 +02:00
Jérémy Lecour 1fb604802b fixed a bad logic for arguments parsing 2020-06-05 10:58:35 +02:00
Jérémy Lecour 4d46d4ffe0 Release 20.06 2020-06-03 12:09:37 +02:00
Jérémy Lecour fdbfc13d79 remove usage of "acme" user, root does all the work
Recent versions of certbot need to be run as root, so there is no good 
reason to run it as an unprivileged user anymore.
2020-06-03 12:03:08 +02:00
4 changed files with 69 additions and 21 deletions


@ -17,8 +17,49 @@ This project does not follow semantic versioning.
### Fixed
## [21.01] - 2021-01-07
### Added
* Do not upgrade certbot when executing the command
## [20.12] - 2020-12-01
### Fixed
* pass the proper value to RENEWED_LINEAGE environment variable
## [20.11] - 2020-11-19
### Added
* emulate certbot hooks environment variables
### Fixed
* exclude only hooks with .disable to execute hooks with .sh
* don't stop global execution when hooks return errors
## [20.08] - 2020-08-21
### Changed
* evoacme: use Let's Encrypt deploy hooks by default
### Security
## [20.06.1] - 2020-06-05
### Fixed
* fixed a bad logic for arguments parsing
## [20.06] - 2020-06-03
### Changed
* remove usage of "acme" user, root does all the work
## [19.11] - 2019-11-05
### Added


@ -14,7 +14,7 @@ show_version() {
cat <<END
evoacme version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Copyright 2009-2021 Evolix <info@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Benoit Série <bserie@evolix.fr>
@ -118,21 +118,21 @@ main() {
[ "$1" = "-V" ] || [ "$1" = "--version" ] && show_version && exit 0
mkdir -p "${ACME_DIR}"
chown acme: "${ACME_DIR}"
chown root: "${ACME_DIR}"
[ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable"
[ -d "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not found"
mkdir -p "${CRT_DIR}"
chown acme: "${CRT_DIR}"
chown root: "${CRT_DIR}"
[ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable"
mkdir -p "${LOG_DIR}"
chown acme: "${LOG_DIR}"
chown root: "${LOG_DIR}"
[ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable"
mkdir -p "${HOOKS_DIR}"
chown acme: "${HOOKS_DIR}"
chown root: "${HOOKS_DIR}"
[ -d "${HOOKS_DIR}" ] || error "Directory ${HOOKS_DIR} is not found"
readonly VHOST=$(basename "$1" .conf)
@ -195,7 +195,7 @@ main() {
[ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
mkdir -p "${NEW_DIR}"
chown -R acme: "${CRT_DIR}"
chown -R root: "${CRT_DIR}"
chmod -R 0700 "${CRT_DIR}"
chmod -R g+rX "${CRT_DIR}"
debug "New cert will be created in ${NEW_DIR}"
@ -208,6 +208,7 @@ main() {
[ "${TEST}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert"
[ "${QUIET}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet"
[ "${DRY_RUN}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run"
[ "${CERTBOT_SELF_UPGRADE}" = "0" ] && CERTBOT_MODE="${CERTBOT_MODE} --no-self-upgrade"
local CERTBOT_REGISTRATION="--agree-tos"
if [ -n "${SSL_EMAIL}" ]; then
@ -218,15 +219,14 @@ main() {
CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email"
fi
# Permissions checks for acme user
sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'"
sudo -u acme test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable by user 'acme'"
# Permissions checks
test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable"
test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable"
# create a certificate with certbot
# we disable the set -e during the certbot call
set +e
sudo -u acme \
"${CERTBOT_BIN}" \
"${CERTBOT_BIN}" \
certonly \
${CERTBOT_MODE} \
${CERTBOT_REGISTRATION} \
@ -285,13 +285,19 @@ main() {
export EVOACME_CHAIN="${LIVE_CHAIN}"
export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"
# emulate certbot hooks environment variables
export RENEWED_LINEAGE="${LIVE_DIR}"
export RENEWED_DOMAINS="${VHOST}"
# search for files in hooks directory
for hook in $(find ${HOOKS_DIR} -type f); do
for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
set +e
# keep only executables files, not containing a "."
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF "."); then
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
debug "Executing ${hook}"
${hook}
fi
set -e
done
}
@ -304,7 +310,7 @@ readonly QUIET=${QUIET:-"0"}
readonly TEST=${TEST:-"0"}
readonly DRY_RUN=${DRY_RUN:-"0"}
readonly VERSION="19.11"
readonly VERSION="21.01"
# Read configuration file, if it exists
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
@ -315,8 +321,9 @@ readonly ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"}
readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"}
readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"}
readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"}
readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/hooks"}
readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/renewal-hooks/deploy"}
readonly SSL_MINDAY=${SSL_MINDAY:-"30"}
readonly SSL_EMAIL=${SSL_EMAIL:-""}
readonly CERTBOT_SELF_UPGRADE=${CERTBOT_SELF_UPGRADE:-"0"}
main ${ARGS}
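Review bot: In the `@ -285,13 +285,19 @@` hunk the new loop header `for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do` word-splits the find output and leaves `${HOOKS_DIR}` unquoted, so a hook path containing whitespace is broken into fragments that are each tested and run separately (as root, given the `chown root:` changes earlier in this file), and the call on the `${hook}` line is unquoted for the same reason. Replace the header with `find "${HOOKS_DIR}" -type f -executable | sort | while IFS= read -r hook; do` and the call with `"${hook}"`; the body then runs in a subshell under the pipe, which is harmless here because it only toggles `set +e`/`set -e` around the hook and sets nothing the caller reads (if the script is bash, `done < <(find …)` avoids the subshell, but the shebang is not visible in the hunk). The `[ -x "${hook}" ]` test is now redundant with `-executable`, and the comment `# keep only executables files, not containing a "."` is stale after the `.disable` change — suggest `# keep only executable files whose name does not contain ".disable"`. main() starts before this hunk.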


@ -13,7 +13,7 @@ show_version() {
cat <<END
make-csr version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Copyright 2009-2021 Evolix <info@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Benoit Série <bserie@evolix.fr>
@ -204,8 +204,8 @@ main() {
[ "$1" = "-V" ] || [ "$1" = "--version" ] && show_version && exit 0
if [ -t 0 ]; then
# We have STDIN, so we should have 2 arguments
[ "$#" -eq 2 ] || error "invalid argument(s)"
# We have STDIN, so we should at least 2 arguments
[ "$#" -ge 2 ] || error "invalid argument(s)"
# read VHOST from first argument
VHOST="$1"
@ -265,7 +265,7 @@ readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly VERSION="19.11"
readonly VERSION="21.01"
# Read configuration file, if it exists
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
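Review bot: The comment added in the `@ -204,8 +204,8 @@` hunk, `# We have STDIN, so we should at least 2 arguments`, is missing its verb; suggest `# We have STDIN, so we should have at least 2 arguments`. Relaxing the check to `[ "$#" -ge 2 ]` also means any extra positional arguments are accepted silently; if only the first two are consumed, a debug message naming the ignored ones would make that visible, but how `$3` onward is used is not shown in the hunk. main() starts before and continues after this hunk.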


@ -13,7 +13,7 @@ show_version() {
cat <<END
vhost-domains version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Copyright 2009-2021 Evolix <info@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Benoit Série <bserie@evolix.fr>
@ -170,7 +170,7 @@ readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly VERSION="19.11"
readonly VERSION="21.01"
readonly SRV_IP=${SRV_IP:-""}