diff --git a/packages/acme-acmesh/Makefile b/packages/acme-acmesh/Makefile
deleted file mode 100644
index 5d2f0d765..000000000
--- a/packages/acme-acmesh/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Copyright (C) 2016 Toke Høiland-Jørgensen
-#
-# This is free software, licensed under the GNU General Public License v3 or
-# later.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=acme-acmesh
-PKG_VERSION:=3.0.7
-PKG_RELEASE:=2
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=abd446d6bd45d0b44dca1dcbd931348797a3f82d1ed6fb171472eaf851a8d849
-PKG_BUILD_DIR:=$(BUILD_DIR)/acme.sh-$(PKG_VERSION)
-
-PKG_MAINTAINER:=Toke Høiland-Jørgensen
-PKG_LICENSE:=GPL-3.0-only
-PKG_LICENSE_FILES:=LICENSE.md
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/acme-acmesh
- SECTION:=net
- CATEGORY:=Network
- DEPENDS:=+acme-common +wget-ssl +ca-bundle +openssl-util +socat
- TITLE:=ACME client acme.sh wrapper script
- URL:=https://acme.sh
- PKGARCH:=all
- PROVIDES:=acme-client
-endef
-
-define Package/acme-acmesh/description
-A client for issuing ACME (e.g, Letsencrypt) certificates.
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/acme-acmesh/install
- $(INSTALL_DIR) $(1)/usr/lib/acme/client
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/acme.sh $(1)/usr/lib/acme/client
- $(INSTALL_BIN) ./files/hook.sh $(1)/usr/lib/acme/hook
-endef
-
-define Package/acme-acmesh-dnsapi
- SECTION:=net
- CATEGORY:=Network
- DEPENDS:=+acme-acmesh
- TITLE:=DNS API integration for ACME (Letsencrypt) client
- PKGARCH:=all
-endef
-
-define Package/acme-acmesh-dnsapi/description
- This package provides DNS API integration for ACME (Letsencrypt) client.
-endef
-
-define Package/acme-acmesh-dnsapi/install
- $(INSTALL_DIR) $(1)/usr/lib/acme/client/dnsapi
- $(INSTALL_DATA) $(PKG_BUILD_DIR)/dnsapi/*.sh $(1)/usr/lib/acme/client/dnsapi
-endef
-
-$(eval $(call BuildPackage,acme-acmesh))
-$(eval $(call BuildPackage,acme-acmesh-dnsapi))
diff --git a/packages/acme-acmesh/files/hook.sh b/packages/acme-acmesh/files/hook.sh
deleted file mode 100644
index a433776d7..000000000
--- a/packages/acme-acmesh/files/hook.sh
+++ /dev/null
@@ -1,165 +0,0 @@
-#!/bin/sh
-set -u
-ACME=/usr/lib/acme/client/acme.sh
-LOG_TAG=acme-acmesh
-NOTIFY=/usr/lib/acme/notify
-
-# shellcheck source=net/acme/files/functions.sh
-. /usr/lib/acme/functions.sh
-
-# Needed by acme.sh
-export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
-export NO_TIMESTAMP=1
-
-link_certs() {
- local main_domain
- local domain_dir
- domain_dir="$1"
- main_domain="$2"
-
- (
- umask 077
- cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" >"$domain_dir/combined.cer"
- )
-
- if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then
- ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt"
- fi
- if [ ! -e "$CERT_DIR/$main_domain.key" ]; then
- ln -s "$domain_dir/$main_domain.key" "$CERT_DIR/$main_domain.key"
- fi
- if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then
- ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt"
- fi
- if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then
- ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt"
- fi
- if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then
- ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt"
- fi
-}
-
-case $1 in
-get)
- set --
- [ "$debug" = 1 ] && set -- "$@" --debug
-
- case $key_type in
- ec*)
- keylength=${key_type/ec/ec-}
- domain_dir="$state_dir/${main_domain}_ecc"
- set -- "$@" --ecc
- ;;
- rsa*)
- keylength=${key_type#rsa}
- domain_dir="$state_dir/$main_domain"
- ;;
- esac
-
- log info "Running ACME for $main_domain with validation_method $validation_method"
-
- if [ -e "$domain_dir" ]; then
- if [ "$staging" = 0 ] && grep -q "acme-staging" "$domain_dir/$main_domain.conf"; then
- mv "$domain_dir" "$domain_dir.staging"
- log info "Certificates are previously issued from a staging server, but staging option is disabled, moved to $domain_dir.staging."
- staging_moved=1
- else
- set -- "$@" --renew --home "$state_dir" -d "$main_domain"
- log info "$ACME $*"
- trap '$NOTIFY renew-failed;exit 1' INT
- $ACME "$@"
- status=$?
- trap - INT
-
- case $status in
- 0)
- link_certs "$domain_dir" "$main_domain"
- $NOTIFY renewed
- exit
- ;;
- 2)
- # renew skipped, ignore.
- exit
- ;;
- *)
- $NOTIFY renew-failed
- exit 1
- ;;
- esac
- fi
- fi
-
- for d in $domains; do
- set -- "$@" -d "$d"
- done
- set -- "$@" --keylength "$keylength" --accountemail "$account_email"
-
- if [ "$acme_server" ]; then
- set -- "$@" --server "$acme_server"
- # default to letsencrypt because the upstream default may change
- elif [ "$staging" = 1 ]; then
- set -- "$@" --server letsencrypt_test
- else
- set -- "$@" --server letsencrypt
- fi
-
- if [ "$days" ]; then
- set -- "$@" --days "$days"
- fi
-
- case "$validation_method" in
- "dns")
- set -- "$@" --dns "$dns"
- if [ "$dalias" ]; then
- set -- "$@" --domain-alias "$dalias"
- if [ "$calias" ]; then
- log err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
- fi
- elif [ "$calias" ]; then
- set -- "$@" --challenge-alias "$calias"
- fi
- if [ "$dns_wait" ]; then
- set -- "$@" --dnssleep "$dns_wait"
- fi
- ;;
- "standalone")
- set -- "$@" --standalone --listen-v6
- ;;
- "webroot")
- mkdir -p "$CHALLENGE_DIR"
- set -- "$@" --webroot "$CHALLENGE_DIR"
- ;;
- *)
- log err "Unsupported validation_method $validation_method"
- ;;
- esac
-
- set -- "$@" --issue --home "$state_dir"
-
- log info "$ACME $*"
- trap '$NOTIFY issue-failed;exit 1' INT
- "$ACME" "$@" \
- --pre-hook "$NOTIFY prepare" \
- --renew-hook "$NOTIFY renewed"
- status=$?
- trap - INT
-
- case $status in
- 0)
- link_certs "$domain_dir" "$main_domain"
- $NOTIFY issued
- ;;
- *)
- if [ "$staging_moved" = 1 ]; then
- mv "$domain_dir.staging" "$domain_dir"
- log err "Staging certificate restored"
- elif [ -d "$domain_dir" ]; then
- failed_dir="$domain_dir.failed-$(date +%s)"
- mv "$domain_dir" "$failed_dir"
- log err "State moved to $failed_dir"
- fi
- $NOTIFY issue-failed
- ;;
- esac
- ;;
-esac
diff --git a/packages/acme-common/Makefile b/packages/acme-common/Makefile
deleted file mode 100644
index cfc72dc4e..000000000
--- a/packages/acme-common/Makefile
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# Copyright (C) 2016 Toke Høiland-Jørgensen
-#
-# This is free software, licensed under the GNU General Public License v3 or
-# later.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=acme-common
-PKG_VERSION:=1.1.2
-
-PKG_MAINTAINER:=Toke Høiland-Jørgensen
-PKG_LICENSE:=GPL-3.0-only
-PKG_LICENSE_FILES:=LICENSE.md
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/acme-common
- SECTION:=net
- CATEGORY:=Network
- TITLE:=ACME client wrapper common files
- PKGARCH:=all
-endef
-
-define Package/acme-common/description
-ACME client wrapper common files.
-endef
-
-define Package/acme-common/conffiles
-/etc/config/acme
-/etc/acme
-/etc/ssl/acme
-endef
-
-define Package/acme-common/install
- $(INSTALL_DIR) $(1)/etc/acme
- $(INSTALL_DIR) $(1)/etc/ssl/acme
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
- $(INSTALL_DIR) $(1)/usr/lib/acme
- $(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
- $(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
- $(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
- $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
-endef
-
-define Package/acme-common/prerm
-#!/bin/sh
-sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-$(eval $(call BuildPackage,acme-common))
diff --git a/packages/acme-common/files/acme-notify.sh b/packages/acme-common/files/acme-notify.sh
deleted file mode 100644
index 4f06f9412..000000000
--- a/packages/acme-common/files/acme-notify.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-set -u
-
-event="$1"
-
-# Call hotplug first, giving scripts a chance to modify certificates before
-# reloadaing the services
-ACTION=$event hotplug-call acme
-
-case $event in
-renewed)
- ubus call service event '{"type":"acme.renew","data":{}}'
- ;;
-issued)
- ubus call service event '{"type":"acme.issue","data":{}}'
- ;;
-esac
diff --git a/packages/acme-common/files/acme.config b/packages/acme-common/files/acme.config
deleted file mode 100644
index 8d1c4934b..000000000
--- a/packages/acme-common/files/acme.config
+++ /dev/null
@@ -1,23 +0,0 @@
-config acme
- option account_email 'email@example.org'
- option debug 0
-
-config cert 'example_wildcard'
- option enabled 0
- option staging 1
- list domains "example.org"
- list domains "*.example.org"
- option validation_method "dns"
- option dns "dns_freedns"
- list credentials 'FREEDNS_User="ssladmin@example.org"'
- list credentials 'FREEDNS_Password="1234"'
- option calias "example.com"
- option dalias "dalias.example.com"
-
-config cert 'example_subdomain'
- option enabled 0
- option staging 1
- list domains "example.net"
- list domains "www.example.net"
- list domains "mail.example.net"
- option validation_method "webroot"
diff --git a/packages/acme-common/files/acme.init b/packages/acme-common/files/acme.init
deleted file mode 100644
index 8222e3f3e..000000000
--- a/packages/acme-common/files/acme.init
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-USE_PROCD=1
-run_dir=/var/run/acme
-export CHALLENGE_DIR=$run_dir/challenge
-export CERT_DIR=/etc/ssl/acme
-NFT_HANDLE=
-HOOK=/usr/lib/acme/hook
-LOG_TAG=acme
-
-# shellcheck source=net/acme/files/functions.sh
-. "$IPKG_INSTROOT/usr/lib/acme/functions.sh"
-
-cleanup() {
- log debug "cleaning up"
- if [ -e $run_dir/lock ]; then
- rm $run_dir/lock
- fi
- if [ "$NFT_HANDLE" ]; then
- # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
- nft delete rule inet fw4 input $NFT_HANDLE
- fi
-}
-
-load_options() {
- section=$1
-
- # compatibility for old option name
- config_get_bool staging "$section" use_staging
- if [ -z "$staging" ]; then
- config_get_bool staging "$section" staging 0
- fi
- export staging
- config_get calias "$section" calias
- export calias
- config_get dalias "$section" dalias
- export dalias
- config_get domains "$section" domains
- export domains
- export main_domain
- main_domain="$(first_arg $domains)"
- config_get keylength "$section" keylength 2048
- export keylength
- config_get key_type "$section" key_type ec256
- export key_type
- config_get dns "$section" dns
- export dns
- config_get acme_server "$section" acme_server
- export acme_server
- config_get days "$section" days
- export days
- config_get standalone "$section" standalone
- [ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."
- config_get dns_wait "$section" dns_wait
- export dns_wait
- config_get webroot "$section" webroot
- if [ "$webroot" ]; then
- log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
- CHALLENGE_DIR=$webroot
- fi
-
- config_get validation_method "$section" validation_method
- # if validation_method isn't set then guess it
- if [ -z "$validation_method" ]; then
- if [ -n "$dns" ]; then
- validation_method="dns"
- elif [ "$standalone" = 1 ]; then
- validation_method="standalone"
- else
- validation_method="webroot"
- fi
- log warn "Please set \"option validation_method $validation_method\"."
- fi
- export validation_method
-}
-
-first_arg() {
- echo "$1"
-}
-
-get_cert() {
- section=$1
-
- config_get_bool enabled "$section" enabled 1
- [ "$enabled" = 1 ] || return
-
- load_options "$section"
- if [ "$validation_method" = "webroot" ]; then
- mkdir -p "$CHALLENGE_DIR"
- fi
-
- if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
- if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
- return 1
- fi
- log debug "added nft rule: $NFT_HANDLE"
- fi
-
- load_credentials() {
- eval export "$1"
- }
- config_list_foreach "$section" credentials load_credentials
-
- "$HOOK" get
-}
-
-load_globals() {
- section=$1
-
- config_get account_email "$section" account_email
- if [ -z "$account_email" ]; then
- log err "account_email option is required"
- exit 1
- fi
- export account_email
-
- config_get state_dir "$section" state_dir
- if [ "$state_dir" ]; then
- log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
- mkdir -p "$state_dir"
- else
- state_dir=/etc/acme
- fi
- export state_dir
-
- config_get debug "$section" debug 0
- export debug
-
- # only look for the first acme section
- return 1
-}
-
-start_service() {
- mkdir -p $run_dir
- exec 200>$run_dir/lock
- if ! flock -n 200; then
- log err "Another ACME instance is already running."
- exit 1
- fi
-
- trap cleanup EXIT
-
- config_load acme
- config_foreach load_globals acme
-
- config_foreach get_cert cert
-}
-
-service_triggers() {
- procd_add_config_trigger config.change acme \
- /etc/init.d/acme start
-}
diff --git a/packages/acme-common/files/acme.uci-defaults b/packages/acme-common/files/acme.uci-defaults
deleted file mode 100644
index 206f87e23..000000000
--- a/packages/acme-common/files/acme.uci-defaults
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null && exit 0
-echo "0 0 * * * /etc/init.d/acme start" >>/etc/crontabs/root
diff --git a/packages/acme-common/files/functions.sh b/packages/acme-common/files/functions.sh
deleted file mode 100644
index 5828a6b1f..000000000
--- a/packages/acme-common/files/functions.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-log() {
- prio="$1"
- shift
- if [ "$prio" != debug ] || [ "$debug" = 1 ]; then
- logger -t "$LOG_TAG" -s -p "daemon.$prio" -- "$@"
- fi
-}