Merge branch 'uacme' into 'master'

TLS certificates with uacme

See merge request ungleich-public/cdist-contrib!25
This commit is contained in:
fnux 2021-03-27 18:18:04 +01:00
commit 16b5158ef5
12 changed files with 389 additions and 0 deletions

View file

@ -0,0 +1,32 @@
#!/bin/sh
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
alpine|ubuntu|debian)
default_confdir=/etc/ssl/uacme
;;
*)
echo "This type currently has no implementation for $os. Aborting." >&2;
exit 1
;;
esac
admin_mail=
if [ -f "${__object:?}/parameter/admin-mail" ];
then
admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
fi
confdir="${default_confdir:?}"
if [ -f "${__object:?}/parameter/confdir" ];
then
confdir="$(cat "${__object:?}/parameter/confdir")"
fi
cat << EOF
if ! [ -f "${confdir}/private/key.pem" ];
then
uacme -y new ${admin_mail}
fi
EOF

View file

@ -0,0 +1,52 @@
cdist-type__uacme_account(7)
============================
NAME
----
cdist-type__uacme_account - Install uacme and register Let's Encrypt account.
DESCRIPTION
-----------
This type is used to bootstrap acquiring certificates from the Let's Encrypt
C.A by creating an account and accepting terms of use. The
`cdist-type__uacme_obtain(7)` type instances expect to depend on this type.
OPTIONAL PARAMETERS
-------------------
confdir
An alternative configuration directory for uacme's private keys and
certificates.
admin-mail
Administrative contact email to register the account with.
EXAMPLES
--------
.. code-block:: sh
# Create account with default settings for the OS.
__uacme_account
# Create an account with email and custom location.
__uacme_account --confdir /opt/custom/uacme --admin-mail admin@domain.tld
SEE ALSO
--------
:strong:`cdist-type__letsencrypt_cert`\ (7)
:strong:`cdist-type__uacme_obtain`\ (7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2020 Joachim Desroches. You can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option) any
later version.

View file

@ -0,0 +1,14 @@
#!/bin/sh
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
"alpine"|"debian"|"ubuntu")
uacme_package=uacme
;;
*)
echo "__uacme_account is not yet implemented for os $os. Aborting." >&2;
exit 1;
esac
__package $uacme_package

View file

@ -0,0 +1,2 @@
confdir
admin-mail

View file

View file

@ -0,0 +1,52 @@
#!/bin/sh
cat << EOF
#!/bin/sh
UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
export UACME_CHALLENGE_PATH
# Issue certificate.
uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
issue -- ${DOMAIN:?}
# Note: exit code 0 means that certificate was issued.
# Note: exit code 1 means that certificate was still valid, hence not renewed.
# Note: exit code 2 means that something went wrong.
status=\$?
# All is well: we can stop now.
if [ \$status -eq 1 ];
then
exit 0
fi
# An error occured.
if [ \$status -eq 2 ]; then
echo "Failed to renew certificate - exiting." >&2
exit 1
fi
EOF
# Re-deploy, if needed.
if [ -n "${KEY_TARGET?}" ] && [ -n "${CERT_TARGET?}" ];
then
cat << EOF
# Deploy newly issued certificate.
set -e
CERT_SOURCE=${CONFDIR:?}/${MAIN_DOMAIN:?}/cert.pem
KEY_SOURCE=${CONFDIR:?}/private/${MAIN_DOMAIN:?}/key.pem
mkdir -p -- $(dirname "${CERT_TARGET?}") $(dirname "${KEY_TARGET?}")
if ! cmp \${CERT_SOURCE:?} ${CERT_TARGET?} >/dev/null 2>&1; then
install -m 0640 \${KEY_SOURCE:?} ${KEY_TARGET?}
install -m 0644 \${CERT_SOURCE:?} ${CERT_TARGET?}
chown ${OWNER?} ${KEY_TARGET?} ${CERT_TARGET?}
${RENEW_HOOK?}
fi
EOF
fi

View file

@ -0,0 +1,24 @@
#!/bin/sh
# FIXME: this code is duplicated from the manifest -> let's share it somehow.
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
alpine|ubuntu|debian)
default_confdir=/etc/ssl/uacme
;;
*)
echo "__uacme_obtain currently has no implementation for $os. Aborting." >&2;
exit 1;
;;
esac
confdir="${default_confdir:?}"
if [ -f "${__object:?}/parameter/confdir" ];
then
confdir="$(cat "${__object:?}/parameter/confdir")"
fi
# Run renew script 'by hand' for intial issue - renews will be handled by the
# cronjob.
echo "$confdir/${__object_id:?}/renew.sh"

View file

@ -0,0 +1,81 @@
cdist-type__uacme_obtain(7)
===========================
NAME
----
cdist-type__uacme_obtain - obtain, renew and deploy Let's Encrypt certificates
DESCRIPTION
-----------
This type leverage uacme to issue and renew Let's Encrypt certificates and
provides a simple deployment mechanism. It is expected to be called after
`__uacme_account`.
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
challengedir
Path to publicly available (served by a third-party HTTP server, under
`$DOMAIN/.well-known/acme-challenge`) challenge directory.
confdir
uacme configuration directory.
hookscript
Path to the challenge hook program.
owner
Owner of installed certificate (e.g. `www-data`), passed to `chown`.
install-cert-to
Installation path of the issued certificate.
install-key-to
Installation path of the certificate's private key.
renew-hook
Renew hook executed on certificate renewal (e.g. `service nginx reload`).
force-cert-ownership-to
Override default ownership for TLS certificate, passed as argument to chown.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
altdomains
Alternative domain names for this certificate.
BOOLEAN PARAMETERS
------------------
no-ocsp
When this flag is *not* specified and the certificate has an Authority
Information Access extension with an OCSP server location *uacme* makes an
OCSP request to the server; if the certificate is reported as revoked *uacme*
forces reissuance regardless of the expiration date.
must-staple
Request certificates with the RFC7633 Certificate Status Request
TLS Feature Extension, informally also known as "OCSP Must-Staple".
use-rsa
Use RSA instead of EC for the private key. Only applies to newly generated keys.
SEE ALSO
--------
:strong:`cdist-type__letsencrypt_cert`\ (7)
:strong:`cdist-type__uacme_account`\ (7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
Timothée Floure <timothee.floure@posteo.net>
COPYING
-------
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,121 @@
#!/bin/sh
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
alpine|ubuntu|debian)
__package uacme
default_challengedir=/var/www/.well-known/acme-challenge
default_hookscript=/usr/share/uacme/uacme.sh
default_confdir=/etc/ssl/uacme
;;
*)
echo "__uacme_obtain currently has no implementation for $os. Aborting." >&2;
exit 1;
;;
esac
CHALLENGEDIR=${default_challengedir:?}
if [ -f "${__object:?}/parameter/challengedir" ];
then
CHALLENGEDIR="$(cat "${__object:?}/parameter/challengedir")"
fi
export CHALLENGEDIR
CONFDIR="${default_confdir:?}"
if [ -f "${__object:?}/parameter/confdir" ];
then
CONFDIR="$(cat "${__object:?}/parameter/confdir")"
fi
export CONFDIR
DISABLE_OCSP=
if [ -f "${__object:?}/parameter/no-ocsp" ];
then
DISABLE_OCSP="--no-ocsp"
fi
export DISABLE_OCSP
MAIN_DOMAIN=${__object_id:?}
DOMAIN=$MAIN_DOMAIN
if [ -f "${__object:?}/parameter/altdomains" ];
then
# shellcheck disable=SC2013
for altdomain in $(cat "${__object:?}/parameter/altdomains");
do
DOMAIN="$DOMAIN $altdomain"
done
fi
export MAIN_DOMAIN DOMAIN
HOOKSCRIPT=${default_hookscript}
if [ -f "${__object:?}/parameter/hookscript" ];
then
HOOKSCRIPT="$(cat "${__object:?}/parameter/hookscript")"
fi
export HOOKSCRIPT
KEYTYPE="-t EC"
if [ -f "${__object:?}/parameter/use-rsa" ];
then
KEYTYPE="-t RSA"
fi
export KEYTYPE
MUST_STAPLE=
if [ -f "${__object:?}/parameter/must-staple" ];
then
MUST_STAPLE="--must-staple"
fi
export MUST_STAPLE
OWNER=root
if [ -f "${__object:?}/parameter/owner" ];
then
OWNER="$(cat "${__object:?}/parameter/owner")"
fi
export OWNER
KEY_TARGET=
if [ -f "${__object:?}/parameter/install-key-to" ];
then
KEY_TARGET="$(cat "${__object:?}/parameter/install-key-to")"
fi
export KEY_TARGET
CERT_TARGET=
if [ -f "${__object:?}/parameter/install-cert-to" ];
then
CERT_TARGET="$(cat "${__object:?}/parameter/install-cert-to")"
fi
export CERT_TARGET
RENEW_HOOK=
if [ -f "${__object:?}/parameter/renew-hook" ];
then
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
fi
export RENEW_HOOK
if [ -n "$KEY_TARGET" ] && [ -z "$CERT_TARGET" ]; then
echo "You cannot specify --install-key-to without --install-cert-to." >&2
exit 1
elif [ -z "$KEY_TARGET" ] && [ -n "$CERT_TARGET" ]; then
echo "You cannot specify --install-cert-to without --install-key-to." >&2
exit 1
fi
# Make sure challengedir exist.
__directory "$CHALLENGEDIR" --parents
# Generate and deploy renew script.
mkdir -p "${__object:?}/files"
"${__type:?}/files/renew.sh.sh" > "${__object:?}/files/uacme-renew.sh"
__directory "$CONFDIR/$MAIN_DOMAIN"
require="__directory/$CONFDIR/$MAIN_DOMAIN" __file "$CONFDIR/$MAIN_DOMAIN/renew.sh" \
--mode 0755 --source "${__object:?}/files/uacme-renew.sh"
# Set up renew cronjob - initial issue done in gencode-remote.
__cron "uacme-$MAIN_DOMAIN" --user root --hour 2 --minute 0 \
--command "$CONFDIR/$MAIN_DOMAIN/renew.sh"

View file

@ -0,0 +1,3 @@
no-ocsp
must-staple
use-rsa

View file

@ -0,0 +1,7 @@
challengedir
confdir
hookscript
owner
install-cert-to
install-key-to
renew-hook

View file

@ -0,0 +1 @@
altdomains