systemd.path uses inotify to watch for changes, so md-renewed-install.path is only activated on non-shared storage, or on the same host in a shared-storage environment.
This commit is contained in:
2022-02-09 22:04:42 +01:00
parent 01f5d5fe3e
commit 9c8e7db788
7 changed files with 257 additions and 148 deletions


@@ -11,22 +11,20 @@ MSG="$1"
DOMAIN="$2"
mkdir -p $MD_RENEWED_DIR
mkdir -p $MD_RENEWED_DIR/{renewing,renewed,installed,expiring,errored,ocsp-renewed,oscp-errored}
mkdir -p $MD_RENEWED_DIR/{errored,expiring,installed,installing,renewing,renewed,ocsp-renewed,oscp-errored}
if [[ ! -z $MD_RENEWED_HOST_DIR ]]; then
mkdir -p $MD_RENEWED_DIR/{installed/$MD_RENEWED_HOST_DIR,installing/$MD_RENEWED_HOST_DIR,renewed/$MD_RENEWED_HOST_DIR}
fi
case $1 in
renewing)
if [[ ! -d $MD_RENEWED_DIR/renewing ]]; then
mkdir -p $MD_RENEWED_DIR/renewing
fi
if [[ -f $MD_RENEWED_DIR/renewing/$DOMAIN ]]; then
exit 1
fi
echo $(date) $(hostname) > $MD_RENEWED_DIR/renewing/$DOMAIN
;;
renewed)
if [[ ! -d $MD_RENEWED_DIR/renewed ]]; then
mkdir -p $MD_RENEWED_DIR/renewed
fi
if [[ -f $MD_RENEWED_DIR/renewing/$DOMAIN ]]; then
rm -f $MD_RENEWED_DIR/renewing/$DOMAIN
fi
@@ -34,7 +32,14 @@ case $1 in
echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$DOMAIN
else
mkdir -p $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR
for f in $MD_RENEWED_DIR/renewed/*/; do
echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR/$DOMAIN
fi
;;
installed)
if [[ -z $MD_RENEWED_HOST_DIR ]]; then
echo $(date) $(hostname) > $MD_RENEWED_DIR/installing/$DOMAIN
else
for f in $MD_RENEWED_DIR/installing/*/; do
if [[ ! -d "$f" ]]; then
continue
fi
@@ -42,41 +47,17 @@ case $1 in
done
fi
;;
installed)
DEST=$MD_RENEWED_DIR/installed
if [[ ! -d $DEST ]]; then
mkdir -p $DEST
fi
if [[ ! -z $MD_RENEWED_HOST_DIR ]]; then
DEST=$MD_RENEWED_DIR/installed/$MD_RENEWED_HOST_DIR
mkdir -p $DEST
fi
mkdir -p $DEST
echo $(date) $(hostname) > $DEST/$DOMAIN
;;
expiring)
if [[ ! -d $MD_RENEWED_DIR/expiring ]]; then
mkdir -p $MD_RENEWED_DIR/expiring
fi
echo $(date) $(hostname) > $MD_RENEWED_DIR/expiring/$DOMAIN
;;
errored)
if [[ ! -d $MD_RENEWED_DIR/errored ]]; then
mkdir -p $MD_RENEWED_DIR/errored
fi
rm -f $MD_RENEWED_DIR/renewing/$DOMAIN
echo $(date) $(hostname) > $MD_RENEWED_DIR/errored/$DOMAIN
;;
ocsp-renewed)
if [[ ! -d $MD_RENEWED_DIR/ocsp-renewed ]]; then
mkdir -p $MD_RENEWED_DIR/ocsp-renewed
fi
echo $(date) $(hostname) > $MD_RENEWED_DIR/ocsp-renewed/$DOMAIN
;;
ocsp-errored)
if [[ ! -d $MD_RENEWED_DIR/ocsp-errored ]]; then
mkdir -p $MD_RENEWED_DIR/ocsp-errored
fi
echo $(date) $(hostname) > $MD_RENEWED_DIR/ocsp-errored/$DOMAIN
;;
esac
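Review bot: The brace list on the new `mkdir -p` line misspells its last entry as `oscp-errored`, while the `ocsp-errored)` arm at the bottom writes to `$MD_RENEWED_DIR/ocsp-errored/$DOMAIN`, and this hunk drops the per-arm `mkdir -p` guards that previously hid the mismatch; on a host where the packaged directory is missing that write now fails and the marker is lost. Change the list to end in `...,ocsp-renewed,ocsp-errored}`. Separately, `$MD_RENEWED_DIR` and `$DOMAIN` are expanded unquoted in every redirection and `echo $(date) $(hostname)` should be `echo "$(date) $(hostname)"` — cheap hardening for a value handed in by mod_md. The body of the new `installed)` loop is cut by the `@@ -42,41 +47,17 @@` header, so its write logic is only partly visible here.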


@@ -9,121 +9,30 @@ fi
MYDOMAINS=$(curl -s http://127.0.0.1/md-renewed-status | tail -n +1 | jq -r '."managed-domains"[].name' 2>/dev/null)
function set_permissions
{
local FILE="$1"
local OWNER="$2"
local GROUP="$3"
local MODE="$4"
if [[ -z $OWNER ]]; then
chown root $FILE
else
chown $OWNER $FILE
fi
if [[ -z $GROUP ]]; then
chgrp root $FILE
else
chgrp $GROUP $FILE
fi
if [[ -z $MODE ]]; then
chmod 0600 $FILE
else
chmod $MODE $FILE
fi
}
function run_copy
{
local DOMAIN="$1"
local CONFIG="$2"
CERT_OWNER=""
CERT_GROUP=""
CERT_MODE=""
CERT_FILE=""
KEY_OWNER=""
KEY_GROUP=""
KEY_MODE=""
KEY_FILE=""
. $CONFIG
[[ -z $CERT_FILE ]] && exit 0;
if [[ -z $KEY_FILE ]]; then
KEY_FILE="$CERT_FILE"
fi
if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem ]]; then
cat ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem > $CERT_FILE
else
cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE
fi
set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
if [[ $CERT_FILE != $KEY_FILE ]]; then
if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then
cat ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem > $KEY_FILE
else
cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE
fi
else
if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then
cat ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem >> $KEY_FILE
else
cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE
fi
fi
set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
}
function run_service
{
local DOMAIN="$1"
local CONFIG="$2"
SERVICE=""
ACTION=""
. $CONFIG
[[ -z $SERVICE ]] && exit 0;
if [[ -z $ACTION ]]; then
ACTION="restart"
fi
/usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
}
function domain_renew
{
local DOMAIN="$1"
for scr in /etc/md-renewed/$DOMAIN/*.cert; do
run_copy "$1" "$scr"
done
for scr in /etc/md-renewed/$DOMAIN/*.service; do
run_service "$1" "$scr"
done
for scr in /etc/md-renewed/$DOMAIN/*.sh; do
$scr "$1"
done
}
HTTP_RELOAD=n
if [ -z $MD_RENEWED_HOST_DIR ]; then
MY_RENEWED_DIR=${MD_RENEWED_DIR}/renewed
MD_RENEWED_RENEWED_TARGET=${MD_RENEWED_DIR}/renewed
MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing
MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed
else
MY_RENEWED_DIR=${MD_RENEWED_DIR}/renewed/${MD_RENEWED_HOST_DIR}
MD_RENEWED_RENEWED_TARGET=${MD_RENEWED_DIR}/renewed/${MD_RENEWED_HOST_DIR}
MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing/${MD_RENEWED_HOST_DIR}
MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed/${MD_RENEWED_HOST_DIR}
fi
if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then
mkdir -p $MD_RENEWED_INSTALLING_TARGET
chown apache.apache $MD_RENEWED_INSTALLING_TARGET
fi
if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then
mkdir -p $MD_RENEWED_INSTALLED_TARGET
chown apache.apache $MD_RENEWED_INSTALLED_TARGET
fi
echo "md-renewed.service Looking for our domains: ${MYDOMAINS[*]}"
for f in ${MY_RENEWED_DIR}/*; do
for f in ${MD_RENEWED_RENEWED_TARGET}/*; do
if [[ ! -f $f ]]; then
continue
fi
@@ -138,10 +47,6 @@ for f in ${MY_RENEWED_DIR}/*; do
HTTPD_RELOAD=y
fi
done
if [[ -d /etc/md-renewed/$DOMAIN ]]; then
domain_renew "$DOMAIN"
fi
done
if [[ $HTTPD_RELOAD == y ]]; then
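Review bot: The reload flag is initialised as `HTTP_RELOAD=n` but set and tested as `HTTPD_RELOAD`, so the final guard only works because an unset variable happens to expand to empty; rename the initialisation to `HTTPD_RELOAD=n` (the same mismatch is carried into md-renewed-install). The host-dir branch switches to single brackets with an unquoted value, `if [ -z $MD_RENEWED_HOST_DIR ]`, which breaks on whitespace and differs from the `[[ ]]` used everywhere else; `if [[ -z "$MD_RENEWED_HOST_DIR" ]]; then`. The new `chown apache.apache` lines use the deprecated dot separator; `chown apache:apache "$MD_RENEWED_INSTALLING_TARGET"`. The `for f in ${MD_RENEWED_RENEWED_TARGET}/*` loop body is split across the second hunk, so the part that sets `HTTPD_RELOAD` is only partly visible.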

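--- /dev/null
+++ b/md-renewed-install
@@ -0,0 +1,183 @@
+#!/bin/bash
+MOD_MD_DIR=/var/lib/httpd/md
+MD_RENEWED_DIR=/var/lib/httpd/md-renewed
+if [[ -f /etc/md-renewed/md-renewed.conf ]]; then
+. /etc/md-renewed/md-renewed.conf
+fi
+MYDOMAINS=$(curl -s http://127.0.0.1/md-renewed-status | tail -n +1 | jq -r '."managed-domains"[].name' 2>/dev/null)
+function set_permissions
+{
+local FILE="$1"
+local OWNER="$2"
+local GROUP="$3"
+local MODE="$4"
+if [[ -z $OWNER ]]; then
+chown root $FILE
+else
+chown $OWNER $FILE
+fi
+if [[ -z $GROUP ]]; then
+chgrp root $FILE
+else
+chgrp $GROUP $FILE
+fi
+if [[ -z $MODE ]]; then
+chmod 0600 $FILE
+else
+chmod $MODE $FILE
+fi
+}
+function run_copy
+{
+local DOMAIN="$1"
+local CONFIG="$2"
+CERT_OWNER=""
+CERT_GROUP=""
+CERT_MODE=""
+CERT_FILE=""
+KEY_OWNER=""
+KEY_GROUP=""
+KEY_MODE=""
+KEY_FILE=""
+. $CONFIG
+[[ -z $CERT_FILE ]] && exit 0;
+if [[ -z $KEY_FILE ]]; then
+KEY_FILE="$CERT_FILE"
+fi
+cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE
+set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
+if [[ $CERT_FILE != $KEY_FILE ]]; then
+cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE
+else
+cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE
+fi
+set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
+}
+function run_service
+{
+local DOMAIN="$1"
+local CONFIG="$2"
+SERVICE=""
+ACTION=""
+. $CONFIG
+[[ -z $SERVICE ]] && exit 0;
+if [[ -z $ACTION ]]; then
+ACTION="restart"
+fi
+/usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
+}
+function domain_renew
+{
+local DOMAIN="$1"
+for scr in /etc/md-renewed/$DOMAIN/*.cert; do
+run_copy "$1" "$scr"
+done
+for scr in /etc/md-renewed/$DOMAIN/*.service; do
+run_service "$1" "$scr"
+done
+for scr in /etc/md-renewed/$DOMAIN/*.sh; do
+$scr "$1"
+done
+}
+HTTP_RELOAD=n
+if [ -z $MD_RENEWED_HOST_DIR ]; then
+MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing
+MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed
+else
+MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing/${MD_RENEWED_HOST_DIR}
+MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed/${MD_RENEWED_HOST_DIR}
+fi
+if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then
+mkdir -p $MD_RENEWED_INSTALLING_TARGET
+chown apache.apache $MD_RENEWED_INSTALLING_TARGET
+fi
+if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then
+mkdir -p $MD_RENEWED_INSTALLED_TARGET
+chown apache.apache $MD_RENEWED_INSTALLED_TARGET
+fi
+echo "md-renewed-install.service Looking for our domains: ${MYDOMAINS[*]}"
+for f in ${MD_RENEWED_INSTALLING_TARGET}/*; do
+if [[ ! -f $f ]]; then
+continue
+fi
+DOMAIN=$(basename $f)
+rm -f $f
+echo "md-renewed-install.service Checking domain $DOMAIN"
+if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then
+echo "md-renewed-install.service Installing domain $DOMAIN"
+touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN
+if [[ -d /etc/md-renewed/$DOMAIN ]]; then
+domain_renew "$DOMAIN"
+fi
+for i in ${MYDOMAINS[@]}; do
+if [[ $DOMAIN == $i ]]; then
+echo "md-renewed-install.service $DOMAIN is our."
+HTTPD_RELOAD=y
+fi
+done
+fi
+done
+echo "md-renewed-install.service Looking for our already installed domains: ${MYDOMAINS[*]}"
+for f in ${MOD_MD_DIR}/domains/*; do
+if [[ ! -d $f ]]; then
+continue
+fi
+DOMAIN=$(basename $f)
+echo "md-renewed-install.service Checking already installed domain $DOMAIN"
+if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then
+touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN
+if [[ -d /etc/md-renewed/$DOMAIN ]]; then
+domain_renew "$DOMAIN"
+fi
+for i in ${MYDOMAINS[@]}; do
+if [[ $DOMAIN == $i ]]; then
+echo "md-renewed-install.service Already installed $DOMAIN is our."
+HTTPD_RELOAD=y
+fi
+done
+fi
+done
+if [[ $HTTPD_RELOAD == y ]]; then
+echo "md-renewed-install.service Restarting apache."
+sleep $[ ( $RANDOM % 60 ) + 1 ]s
+/usr/bin/systemctl reload httpd
+fi
+exit 0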
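Review bot: run_copy writes the private key with a plain `>`/`>>` redirection and only afterwards calls set_permissions, so while the write is in flight a freshly created KEY_FILE carries the process umask mode (systemd's default `UMask=` is 0022, i.e. world-readable) and an existing one keeps whatever mode it already had; in the `KEY_FILE == CERT_FILE` case the key is appended to a file that set_permissions has just set to CERT_MODE, which a config may well have made 0644. Add `umask 077` directly after the shebang so every file this root-run script creates starts out 0600 and set_permissions only ever widens it, or pre-create the target with `install -m 0600 /dev/null -- "$KEY_FILE"`. Both install loops `touch` the installed marker before checking the domain against MYDOMAINS, so if the `md-renewed-status` fetch fails and the list is empty, HTTPD_RELOAD never flips but the domain is still recorded as installed and the reload from this path is silently lost; consider exiting early when MYDOMAINS is empty. Minor: `$[ ... ]` is deprecated arithmetic, `sleep $(( RANDOM % 60 + 1 ))`, and `$f`, `$DOMAIN` and the target paths are unquoted throughout, which matters because the marker names originate in a directory the apache user can write to.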

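--- /dev/null
+++ b/md-renewed-install.path
@@ -0,0 +1,13 @@
+[Path]
+PathExistsGlob=/var/lib/httpd/md-renewed/installing/*
+Unit=md-renewed-install.service
+MakeDirectory=true
+DirectoryMode=0777
+[Unit]
+BindsTo=httpd.service
+After=httpd.service
+[Install]
+WantedBy=multi-user.target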
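Review bot: `DirectoryMode=0777` makes the trigger directory world-writable whenever systemd has to create it, so any local account could drop a file into `/var/lib/httpd/md-renewed/installing/` and have the root-run md-renewed-install service re-copy keys, restart whatever `/etc/md-renewed/<name>/*.service` lists and reload httpd — at minimum a cheap local denial of service. The package already lays the directory down as root:apache 0775 and the script chowns it to apache when it is missing, so `DirectoryMode=0775` loses nothing; since a directory created by systemd is root:root and the script's chown only runs in its own missing-directory branch, dropping `MakeDirectory=` altogether and relying on the package may be cleaner. Also, `PathExistsGlob=` is satisfied by any matching entry including directories, and in shared-storage mode md-message creates persistent `installing/<host>/` subdirectories under this path; if systemd re-evaluates the glob after the service exits, as I believe it does, the service would be re-run back to back, so a pattern scoped to the per-host directory or `DirectoryNotEmpty=` on it would be safer — worth verifying.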


@@ -0,0 +1,11 @@
[Unit]
Description=The Apache HTTP Server reloader
After=network.target
[Service]
Type=oneshot
EnvironmentFile=/etc/md-renewed/md-renewed.conf
ExecStart=/usr/libexec/md-renewed/md-renewed-install
[Install]
WantedBy=multi-user.target
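Review bot: `After=network.target` does not order this unit against httpd, yet md-renewed-install's first action is `curl http://127.0.0.1/md-renewed-status`; when the path unit fires httpd is up because of the path unit's `BindsTo=httpd.service`, but a direct or boot-time start of the service (its `[Install]` section allows enabling it, although the spec only enables the .path) would run with an empty domain list. Use `After=httpd.service` here. The unit also runs as root with systemd's default 0022 umask while the script copies private keys into place, so add `UMask=0077` under `[Service]` so new key files are never created world-readable before the script's own chmod runs.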


@@ -1,5 +1,5 @@
[Path]
PathExistsGlob=/var/lib/httpd/md-renewed/renewed/%H/*
PathExistsGlob=/var/lib/httpd/md-renewed/renewed/*
Unit=md-renewed.service
MakeDirectory=true
DirectoryMode=0777
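Review bot: The widened pattern `renewed/*` matches directories as well as marker files, and in shared-storage mode md-message creates persistent `renewed/<host>/` subdirectories there, so the `PathExistsGlob=` condition would be satisfied permanently; if systemd re-checks it after md-renewed.service exits, as I believe it does, the service would be re-run back to back on such hosts — worth verifying on a shared-storage setup. A pattern scoped to the configured host directory, or `DirectoryNotEmpty=` on it, would keep the trigger tied to actual markers. `DirectoryMode=0777` additionally makes the directory world-writable whenever systemd has to create it; 0775 matches what the package installs.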


@@ -1,5 +1,5 @@
Name: md-renewed
Version: 1.2.9
Version: 1.3.4
Release: 1%{?dist}
Summary: Restart service on Apache module mod_md certificate renewal
License: MIT
@@ -11,6 +11,9 @@ Source0: md-renewed
Source1: md-message
Source2: md-renewed.path
Source3: md-renewed.service
Source5: md-renewed-install
Source6: md-renewed-install.path
Source7: md-renewed-install.service
Source10: md-renewed-httpd.conf
Source11: md-renewed.conf
@@ -33,10 +36,13 @@ Restart service on Apache module mod_md certificate renewal
%{__install} -d -m 0755 %{buildroot}%{_libexecdir}/md-renewed
%{__install} -m 0755 %{SOURCE0} %{buildroot}%{_libexecdir}/md-renewed/md-renewed
%{__install} -m 0755 %{SOURCE1} %{buildroot}%{_libexecdir}/md-renewed/md-message
%{__install} -m 0755 %{SOURCE5} %{buildroot}%{_libexecdir}/md-renewed/md-renewed-install
%{__install} -d -m 0755 %{buildroot}%{_unitdir}
%{__install} -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
%{__install} -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
%{__install} -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/
%{__install} -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/
%{__install} -d -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
%{__install} -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/httpd/conf.d/md-renewed.conf
@@ -50,20 +56,25 @@ Restart service on Apache module mod_md certificate renewal
%{__install} -m 0755 %{SOURCE22} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/errored
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/installed
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/installing
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/renewed
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/renewing
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/errored
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ocsp-renewed
%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ocsp-errored
%post
%systemd_post md-renewed.path
%systemd_post md-renewed-install.path
%preun
%systemd_preun md-renewed.path
%systemd_preun md-renewed-install.path
%postun
%systemd_postun md-renewed.path
%systemd_postun md-renewed-install.path
%clean
%{__rm} -rf %{buildroot}
@@ -76,15 +87,20 @@ Restart service on Apache module mod_md certificate renewal
%config %{_sysconfdir}/httpd/conf.d/md-renewed.conf
%{_libexecdir}/md-renewed/md-renewed
%{_libexecdir}/md-renewed/md-renewed-install
%{_libexecdir}/md-renewed/md-message
%{_unitdir}/md-renewed.service
%{_unitdir}/md-renewed-install.service
%{_unitdir}/md-renewed.path
%{_unitdir}/md-renewed-install.path
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/installed
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/installing
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/renewed
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/renewing
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ocsp-renewed
%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ocsp-errored