From 01f5d5fe3e05aec48c56bdeb3ff969f3a21dd3b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= Date: Tue, 8 Feb 2022 21:20:37 +0100 Subject: [PATCH] 1.2.9 --- md-message | 59 +++++++++++++++++++++++++++++------- md-renewed | 52 ++++++++++++++++++++++++-------- md-renewed-httpd.conf | 6 ++++ md-renewed-tmpfiles.conf | 1 - md-renewed.conf | 1 + md-renewed.path | 10 +++++-- md-renewed.spec | 65 ++++++++++++++++++++++------------------ 7 files changed, 139 insertions(+), 55 deletions(-) delete mode 100644 md-renewed-tmpfiles.conf diff --git a/md-message b/md-message index 76d89e9..8fa7994 100755 --- a/md-message +++ b/md-message 
@@ -11,36 +11,73 @@ MSG="$1" DOMAIN="$2" mkdir -p $MD_RENEWED_DIR -mkdir -p $MD_RENEWED_DIR/{ready,renewing,renewed,installed,expiring,errored,ocsp-renewed,oscp-errored} +mkdir -p $MD_RENEWED_DIR/{renewing,renewed,installed,expiring,errored,ocsp-renewed,oscp-errored} case $1 in renewing) + if [[ ! -d $MD_RENEWED_DIR/renewing ]]; then + mkdir -p $MD_RENEWED_DIR/renewing + fi if [[ -f $MD_RENEWED_DIR/renewing/$DOMAIN ]]; then exit 1 fi - hostname > $MD_RENEWED_DIR/renewing/$DOMAIN + echo $(date) $(hostname) > $MD_RENEWED_DIR/renewing/$DOMAIN ;; renewed) - rm -f $MD_RENEWED_DIR/renewing/$DOMAIN - hostname > $MD_RENEWED_DIR/renewed/$DOMAIN - hostname > $MD_RENEWED_DIR/ready/$DOMAIN + if [[ ! -d $MD_RENEWED_DIR/renewed ]]; then + mkdir -p $MD_RENEWED_DIR/renewed + fi + if [[ -f $MD_RENEWED_DIR/renewing/$DOMAIN ]]; then + rm -f $MD_RENEWED_DIR/renewing/$DOMAIN + fi + if [[ -z $MD_RENEWED_HOST_DIR ]]; then + echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$DOMAIN + else + mkdir -p $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR + for f in $MD_RENEWED_DIR/renewed/*/; do + if [[ ! -d "$f" ]]; then + continue + fi + echo $(date) $(hostname) > ${f}${DOMAIN} + done + fi ;; installed) - rm -f $MD_RENEWED_DIR/renewing/$DOMAIN - hostname > $MD_RENEWED_DIR/installed/$DOMAIN + DEST=$MD_RENEWED_DIR/installed + if [[ ! -d $DEST ]]; then + mkdir -p $DEST + fi + if [[ ! -z $MD_RENEWED_HOST_DIR ]]; then + DEST=$MD_RENEWED_DIR/installed/$MD_RENEWED_HOST_DIR + mkdir -p $DEST + fi + mkdir -p $DEST + echo $(date) $(hostname) > $DEST/$DOMAIN ;; expiring) - hostname > $MD_RENEWED_DIR/expiring/$DOMAIN + if [[ ! -d $MD_RENEWED_DIR/expiring ]]; then + mkdir -p $MD_RENEWED_DIR/expiring + fi + echo $(date) $(hostname) > $MD_RENEWED_DIR/expiring/$DOMAIN ;; errored) + if [[ ! 
-d $MD_RENEWED_DIR/errored ]]; then + mkdir -p $MD_RENEWED_DIR/errored + fi rm -f $MD_RENEWED_DIR/renewing/$DOMAIN - hostname > $MD_RENEWED_DIR/errored/$DOMAIN + echo $(date) $(hostname) > $MD_RENEWED_DIR/errored/$DOMAIN ;; ocsp-renewed) - hostname > $MD_RENEWED_DIR/ocsp-renewed/$DOMAIN + if [[ ! -d $MD_RENEWED_DIR/ocsp-renewed ]]; then + mkdir -p $MD_RENEWED_DIR/ocsp-renewed + fi + echo $(date) $(hostname) > $MD_RENEWED_DIR/ocsp-renewed/$DOMAIN ;; ocsp-errored) - hostname > $MD_RENEWED_DIR/ocsp-errored/$DOMAIN + if [[ ! -d $MD_RENEWED_DIR/ocsp-errored ]]; then + mkdir -p $MD_RENEWED_DIR/ocsp-errored + fi + echo $(date) $(hostname) > $MD_RENEWED_DIR/ocsp-errored/$DOMAIN ;; esac diff --git a/md-renewed b/md-renewed index d940c5d..2f22003 100755 --- a/md-renewed +++ b/md-renewed @@ -7,6 +7,8 @@ if [[ -f /etc/md-renewed/md-renewed.conf ]]; then . /etc/md-renewed/md-renewed.conf fi +MYDOMAINS=$(curl -s http://127.0.0.1/md-renewed-status | tail -n +1 | jq -r '."managed-domains"[].name' 2>/dev/null) + function set_permissions { local FILE="$1" 
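Review bot: The new `mkdir -p` brace list at the top of the hunk still spells its last entry `oscp-errored`, while the `ocsp-errored)` case arm, its per-arm `mkdir -p` and the spec all use `ocsp-errored`, so every invocation creates a stray, never-used `oscp-errored` directory; the line should read `mkdir -p "$MD_RENEWED_DIR"/{renewing,renewed,installed,expiring,errored,ocsp-renewed,ocsp-errored}`. With that list correct, the `if [[ ! -d ... ]]; then mkdir -p ...; fi` guards added to every arm duplicate it and can be dropped, as can the second `mkdir -p $DEST` in the `installed)` arm. `$DOMAIN` is the second argument handed over by httpd through `MDMessageCmd` and is interpolated unquoted into every path and into `echo $(date) $(hostname)`; the marker writes are safer as `printf '%s %s\n' "$(date)" "$(hostname)" > "$MD_RENEWED_DIR/renewing/$DOMAIN"`, with the same quoting in the other arms.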
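Review bot: The new `MYDOMAINS=$(curl -s http://127.0.0.1/md-renewed-status | tail -n +1 | jq -r ... 2>/dev/null)` line silently yields an empty list whenever httpd is unreachable or the status handler is not served on that vhost, because `-s` hides the curl error and the `2>/dev/null` only covers jq; the loop in hunk `@@ -100,25 +116,37 @@` then never sets `HTTPD_RELOAD=y`, so a real renewal is skipped without any message. `tail -n +1` is a no-op and can go. That later hunk also reads the value as `${MYDOMAINS[@]}` although it is a plain string, so it is better built as an array with the fetch checked separately: `status=$(curl -sSf http://127.0.0.1/md-renewed-status) || printf 'md-renewed.service cannot read md-status, domain list is empty\n' >&2` followed by `mapfile -t MYDOMAINS < <(jq -r '."managed-domains"[].name' <<<"$status")`. The script continues outside the hunk and `set_permissions` begins on its last line.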
@@ -55,15 +57,29 @@ function run_copy KEY_FILE="$CERT_FILE" fi - cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE + if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem ]]; then + cat ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem > $CERT_FILE + else + cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE + fi + set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE" if [[ $CERT_FILE != $KEY_FILE ]]; then - cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $KEY_FILE + if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then + cat ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem > $KEY_FILE + else + cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE + fi else - cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem >> $KEY_FILE + if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then + cat ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem >> $KEY_FILE + else + cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE + fi fi - set_permissions "$CERT_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE" + + set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE" } function run_service 
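Review bot: Each of the three new `cat ... > $KEY_FILE` / `>> $KEY_FILE` writes creates or truncates the key file under the caller's umask before `set_permissions "$KEY_FILE" ...` runs on the last line, so a newly created key file carries the default mode (typically 0644) while the private key is already in it, and an existing file keeps whatever mode it had until then. The staging-or-domains choice is also made separately for `pubcert.pem` and `privkey.pem`, so if mod_md moves `staging/` into `domains/` between the two checks the certificate and key could come from different trees. Choosing the source directory once, only when both files are present in staging, and writing the key under `umask 077` closes both gaps; `run_copy` starts before this hunk and its `CERT_FILE`/`KEY_FILE` selection is unchanged.
```shell
  # … unchanged: CERT_FILE / KEY_FILE selection …
  # Pick the source tree once so certificate and key always come from the same place.
  SRC_DIR=${MOD_MD_DIR}/domains/$DOMAIN
  if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem && -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then
    SRC_DIR=${MOD_MD_DIR}/staging/$DOMAIN
  fi

  cat "$SRC_DIR/pubcert.pem" > "$CERT_FILE"
  set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"

  # The key is written under a private umask so a freshly created file is never
  # readable by others before set_permissions tightens it.
  if [[ $CERT_FILE != $KEY_FILE ]]; then
    ( umask 077; cat "$SRC_DIR/privkey.pem" > "$KEY_FILE" )
  else
    ( umask 077; cat "$SRC_DIR/privkey.pem" >> "$KEY_FILE" )
  fi
  set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
```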
@@ -100,25 +116,37 @@ function domain_renew HTTP_RELOAD=n -for f in ${MD_RENEWED_DIR}/renewed/*; do +if [ -z $MD_RENEWED_HOST_DIR ]; then + MY_RENEWED_DIR=${MD_RENEWED_DIR}/renewed +else + MY_RENEWED_DIR=${MD_RENEWED_DIR}/renewed/${MD_RENEWED_HOST_DIR} +fi + +echo "md-renewed.service Looking for our domains: ${MYDOMAINS[*]}" +for f in ${MY_RENEWED_DIR}/*; do if [[ ! -f $f ]]; then continue fi - HTTPD_RELOAD=y DOMAIN=$(basename $f) + rm -f $f + echo "md-renewed.service Checking domain $DOMAIN" - #rm -f $f + for i in ${MYDOMAINS[@]}; do + if [[ $DOMAIN == $i ]]; then + echo "md-renewed.service $DOMAIN is our." + HTTPD_RELOAD=y + fi + done - if [[ ! -d /etc/md-renewed/$f ]]; then - continue + if [[ -d /etc/md-renewed/$DOMAIN ]]; then + domain_renew "$DOMAIN" fi - - domain_renew "$DOMAIN" - done if [[ $HTTPD_RELOAD == y ]]; then + echo "md-renewed.service Restarting apache." + sleep $[ ( $RANDOM % 60 ) + 1 ]s /usr/bin/systemctl reload httpd fi diff --git a/md-renewed-httpd.conf b/md-renewed-httpd.conf index 4f746f0..ddcf6b5 100644 --- a/md-renewed-httpd.conf +++ b/md-renewed-httpd.conf @@ -1,2 +1,8 @@ MDMessageCmd /usr/libexec/md-renewed/md-message + + + SetHandler md-status + Require local + + diff --git a/md-renewed-tmpfiles.conf b/md-renewed-tmpfiles.conf deleted file mode 100644 index b815fb8..0000000 --- a/md-renewed-tmpfiles.conf +++ /dev/null @@ -1 +0,0 @@ -d /run/md-renewed 0770 root apache diff --git a/md-renewed.conf b/md-renewed.conf index 033300f..b27a4fe 100644 --- a/md-renewed.conf +++ b/md-renewed.conf @@ -1,4 +1,5 @@ MOD_MD_DIR=/var/lib/httpd/md MD_RENEWED_DIR=/var/lib/httpd/md-renewed +MD_RENEWED_HOST_DIR= diff --git a/md-renewed.path b/md-renewed.path index 8574d6d..b4f682d 100644 --- a/md-renewed.path +++ b/md-renewed.path 
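Review bot: `if [ -z $MD_RENEWED_HOST_DIR ]; then` tests an unquoted variable inside single brackets: with the value empty it becomes `[ -z ]`, which is true only because `-z` is itself a non-empty string, and a value containing whitespace would make `test` abort with a syntax error; the rest of the file uses `[[ ]]`, so write `if [[ -z $MD_RENEWED_HOST_DIR ]]; then`. The stagger before the reload uses the obsolete `$[ ... ]` arithmetic form; `sleep "$(( RANDOM % 60 + 1 ))"` is the supported spelling. `rm -f $f` now runs before `domain_renew "$DOMAIN"`, so a failure in the copy or service restart leaves no marker to retry from; if deleting first is intended to stop `PathExistsGlob` from re-triggering the unit, a one-line comment saying so would help the next reader. The log message `$DOMAIN is our.` should read `is ours.`.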
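Review bot: The new `MD_RENEWED_HOST_DIR=` setting is undocumented, yet the `renewed)` arm of md-message writes a marker into every `renewed/*/` subdirectory and the path unit in this same patch watches `/var/lib/httpd/md-renewed/renewed/%H/*`, so on a shared-storage setup the value has to equal the machine's hostname for its markers to be noticed. A comment above the line would make that contract explicit, e.g. `# Per-host subdirectory under renewed/ and installed/ when several hosts share MD_RENEWED_DIR; must match the hostname (%H) watched by md-renewed.path. Leave empty on a single host.`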
@@ -1,7 +1,13 @@ [Path] -#PathExistsGlob=/var/lib/httpd/md-renewed/renewed/* -PathModified=/var/lib/httpd/md-renewed/renewed +PathExistsGlob=/var/lib/httpd/md-renewed/renewed/%H/* Unit=md-renewed.service +MakeDirectory=true +DirectoryMode=0777 + +[Unit] +BindsTo=httpd.service +After=httpd.service [Install] WantedBy=multi-user.target + diff --git a/md-renewed.spec b/md-renewed.spec index da65c58..7dfc8eb 100644 --- a/md-renewed.spec +++ b/md-renewed.spec @@ -1,5 +1,5 @@ Name: md-renewed -Version: 1.1.4 +Version: 1.2.9 Release: 1%{?dist} Summary: Restart service on Apache module mod_md certificate renewal License: MIT @@ -11,15 +11,16 @@ Source0: md-renewed Source1: md-message Source2: md-renewed.path Source3: md-renewed.service -Source4: md-renewed-tmpfiles.conf -Source5: md-renewed-httpd.conf -Source6: md-renewed.conf -Source7: example.service -Source8: example.cert -Source9: example.sh + +Source10: md-renewed-httpd.conf +Source11: md-renewed.conf +Source20: example.service +Source21: example.cert +Source22: example.sh Requires: httpd Requires: mod_md + %{?systemd_requires} BuildRequires: systemd-rpm-macros 
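Review bot: `MakeDirectory=true` with `DirectoryMode=0777` makes systemd create `/var/lib/httpd/md-renewed/renewed/<hostname>` world-writable, and any file placed there by a local account is treated by md-renewed as a renewal of the domain named by the file: the marker is removed, `domain_renew` runs when `/etc/md-renewed/<name>` exists, and httpd is reloaded. The open mode is presumably chosen because a path unit can only create the directory as root and cannot give it the apache group that md-message (started by httpd through `MDMessageCmd`) needs, while the spec packages the parent as `root:apache 0775`. The `renewed)` arm of md-message already runs `mkdir -p $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR` as the httpd user, so dropping `MakeDirectory=true` and `DirectoryMode=0777` and relying on that creation, or packaging the per-host directory at install time with the same `root:apache 0775` ownership, avoids exposing the trigger to every local user; as far as I know systemd watches the nearest existing parent, so `PathExistsGlob` still fires once the directory appears. If `MakeDirectory` has to stay, `DirectoryMode=0775` is the safer value, with group ownership fixed by a tmpfiles entry rather than by open permissions.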
@@ -29,40 +30,39 @@ Restart service on Apache module mod_md certificate renewal %install %{__rm} -rf %{buildroot} -install -d -m 0755 %{buildroot}%{_libexecdir}/md-renewed -install -m 0755 %{SOURCE0} %{buildroot}%{_libexecdir}/md-renewed/md-renewed -install -m 0755 %{SOURCE1} %{buildroot}%{_libexecdir}/md-renewed/md-message +%{__install} -d -m 0755 %{buildroot}%{_libexecdir}/md-renewed +%{__install} -m 0755 %{SOURCE0} %{buildroot}%{_libexecdir}/md-renewed/md-renewed +%{__install} -m 0755 %{SOURCE1} %{buildroot}%{_libexecdir}/md-renewed/md-message -install -d -m 0755 %{buildroot}%{_unitdir} -install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/ -install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/ +%{__install} -d -m 0755 %{buildroot}%{_unitdir} +%{__install} -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/ +%{__install} -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/ -install -d -m 0755 %{buildroot}%{_tmpfilesdir} -install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/md-renewed.conf +%{__install} -d -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d +%{__install} -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/httpd/conf.d/md-renewed.conf -install -d -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d -install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/httpd/conf.d/md-renewed.conf +%{__install} -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed +%{__install} -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/md-renewed/ -install -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed -install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/md-renewed/ +%{__install} -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed/example.com +%{__install} -m 0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/md-renewed/example.com/ +%{__install} -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/md-renewed/example.com/ +%{__install} -m 0755 %{SOURCE22} %{buildroot}%{_sysconfdir}/md-renewed/example.com/ -install -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed/example.com -install -m 0644 %{SOURCE7} 
%{buildroot}%{_sysconfdir}/md-renewed/example.com/ -install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/md-renewed/example.com/ -install -m 0755 %{SOURCE9} %{buildroot}%{_sysconfdir}/md-renewed/example.com/ +%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ +%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/renewed +%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/renewing +%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/errored +%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ocsp-renewed +%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ocsp-errored %post -%systemd_post md-renewed.service %systemd_post md-renewed.path -%tmpfiles_create %{_tmpfilesdir}/md-renewed.conf - %preun -%systemd_preun md-renewed.service %systemd_preun md-renewed.path %postun -%systemd_postun md-renewed.service %systemd_postun md-renewed.path %clean @@ -77,9 +77,16 @@ install -m 0755 %{SOURCE9} %{buildroot}%{_sysconfdir}/md-renewed/example.com/ %{_libexecdir}/md-renewed/md-renewed %{_libexecdir}/md-renewed/md-message + %{_unitdir}/md-renewed.service %{_unitdir}/md-renewed.path -%{_tmpfilesdir}/md-renewed.conf + +%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ +%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/renewed +%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/renewing +%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored +%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ocsp-renewed +%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ocsp-errored %changelog * Tue Nov 30 2021 Zoran Pericic - 1.0.0-1
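Review bot: The new `%{__install} -d -m 0775 ...` set in `%install` (and the matching `%dir %attr(-, root, apache)` entries in the `%files` hunk `@@ -77,9 +77,16 @@`) covers `renewed`, `renewing`, `errored`, `ocsp-renewed` and `ocsp-errored`, but md-message also writes into `installed` and `expiring`, so those two are created at first use by the httpd user under its umask instead of being packaged as `root:apache 0775` like the others. Adding `%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/installed` and the same line for `expiring`, plus the two `%dir` entries, keeps the directory layout in one place. Removing `%systemd_post md-renewed.service` is consistent with the service now being started only by `md-renewed.path`, but the unit is still installed, so a one-line comment in `%post` noting that the service is path-activated and intentionally not enabled would spare the next packager from re-adding it.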