diff --git a/md-message b/md-message index 8fa7994..6582bca 100755 --- a/md-message +++ b/md-message @@ -11,22 +11,20 @@ MSG="$1" DOMAIN="$2" mkdir -p $MD_RENEWED_DIR -mkdir -p $MD_RENEWED_DIR/{renewing,renewed,installed,expiring,errored,ocsp-renewed,oscp-errored} +mkdir -p $MD_RENEWED_DIR/{errored,expiring,installed,installing,renewing,renewed,ocsp-renewed,oscp-errored} + +if [[ ! -z $MD_RENEWED_HOST_DIR ]]; then + mkdir -p $MD_RENEWED_DIR/{installed/$MD_RENEWED_HOST_DIR,installing/$MD_RENEWED_HOST_DIR,renewed/$MD_RENEWED_HOST_DIR} +fi case $1 in renewing) - if [[ ! -d $MD_RENEWED_DIR/renewing ]]; then - mkdir -p $MD_RENEWED_DIR/renewing - fi if [[ -f $MD_RENEWED_DIR/renewing/$DOMAIN ]]; then exit 1 fi echo $(date) $(hostname) > $MD_RENEWED_DIR/renewing/$DOMAIN ;; renewed) - if [[ ! -d $MD_RENEWED_DIR/renewed ]]; then - mkdir -p $MD_RENEWED_DIR/renewed - fi if [[ -f $MD_RENEWED_DIR/renewing/$DOMAIN ]]; then rm -f $MD_RENEWED_DIR/renewing/$DOMAIN fi @@ -34,7 +32,14 @@ case $1 in echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$DOMAIN else mkdir -p $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR - for f in $MD_RENEWED_DIR/renewed/*/; do + echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR/$DOMAIN + fi + ;; + installed) + if [[ -z $MD_RENEWED_HOST_DIR ]]; then + echo $(date) $(hostname) > $MD_RENEWED_DIR/installing/$DOMAIN + else + for f in $MD_RENEWED_DIR/installing/*/; do if [[ ! -d "$f" ]]; then continue fi 
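Review bot: `DOMAIN="$2"` is taken from the message arguments and used unvalidated and unquoted as the final path component in every branch, and the new `mkdir -p $MD_RENEWED_DIR/{installed/$MD_RENEWED_HOST_DIR,...}` line likewise expands `$MD_RENEWED_DIR` and `$MD_RENEWED_HOST_DIR` unquoted. mod_md is expected to hand over a bare domain name, but a value containing `/`, `..` or whitespace would create or overwrite files outside the marker directories; a guard after the assignments, `[[ $DOMAIN =~ ^[A-Za-z0-9*._-]+$ ]] || exit 1`, keeps the state directories the only writable targets (adjust the class if other name forms are in use). Quoting the expansions (`"$MD_RENEWED_DIR"`) costs nothing and lets a configured path with spaces work. The `case` statement continues past this hunk.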
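Review bot: The new `installed)` branch writes its marker into `installing/` rather than `installed/`, which reads like a typo unless one already knows that `installed/` is now maintained by the separate md-renewed-install consumer; a one-line comment above the branch would save the next reader the detour, e.g. `# mod_md reports "installed"; queue it under installing/ for md-renewed-install to pick up`. The host-dir `else` branch iterates `$MD_RENEWED_DIR/installing/*/` and continues beyond the hunk, so I cannot see where the per-host marker is written; presumably it fans out to every host subdirectory, which a comment could confirm.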
@@ -42,41 +47,17 @@ case $1 in done fi ;; - installed) - DEST=$MD_RENEWED_DIR/installed - if [[ ! -d $DEST ]]; then - mkdir -p $DEST - fi - if [[ ! -z $MD_RENEWED_HOST_DIR ]]; then - DEST=$MD_RENEWED_DIR/installed/$MD_RENEWED_HOST_DIR - mkdir -p $DEST - fi - mkdir -p $DEST - echo $(date) $(hostname) > $DEST/$DOMAIN - ;; expiring) - if [[ ! -d $MD_RENEWED_DIR/expiring ]]; then - mkdir -p $MD_RENEWED_DIR/expiring - fi echo $(date) $(hostname) > $MD_RENEWED_DIR/expiring/$DOMAIN ;; errored) - if [[ ! -d $MD_RENEWED_DIR/errored ]]; then - mkdir -p $MD_RENEWED_DIR/errored - fi rm -f $MD_RENEWED_DIR/renewing/$DOMAIN echo $(date) $(hostname) > $MD_RENEWED_DIR/errored/$DOMAIN ;; ocsp-renewed) - if [[ ! -d $MD_RENEWED_DIR/ocsp-renewed ]]; then - mkdir -p $MD_RENEWED_DIR/ocsp-renewed - fi echo $(date) $(hostname) > $MD_RENEWED_DIR/ocsp-renewed/$DOMAIN ;; ocsp-errored) - if [[ ! -d $MD_RENEWED_DIR/ocsp-errored ]]; then - mkdir -p $MD_RENEWED_DIR/ocsp-errored - fi echo $(date) $(hostname) > $MD_RENEWED_DIR/ocsp-errored/$DOMAIN ;; esac diff --git a/md-renewed b/md-renewed index 2f22003..08f6813 100755 --- a/md-renewed +++ b/md-renewed 
@@ -9,121 +9,30 @@ fi MYDOMAINS=$(curl -s http://127.0.0.1/md-renewed-status | tail -n +1 | jq -r '."managed-domains"[].name' 2>/dev/null) -function set_permissions -{ - local FILE="$1" - local OWNER="$2" - local GROUP="$3" - local MODE="$4" - - if [[ -z $OWNER ]]; then - chown root $FILE - else - chown $OWNER $FILE - fi - - if [[ -z $GROUP ]]; then - chgrp root $FILE - else - chgrp $GROUP $FILE - fi - - if [[ -z $MODE ]]; then - chmod 0600 $FILE - else - chmod $MODE $FILE - fi -} - -function run_copy -{ - local DOMAIN="$1" - local CONFIG="$2" - - CERT_OWNER="" - CERT_GROUP="" - CERT_MODE="" - CERT_FILE="" - KEY_OWNER="" - KEY_GROUP="" - KEY_MODE="" - KEY_FILE="" - - . $CONFIG - - [[ -z $CERT_FILE ]] && exit 0; - - if [[ -z $KEY_FILE ]]; then - KEY_FILE="$CERT_FILE" - fi - - if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem ]]; then - cat ${MOD_MD_DIR}/staging/$DOMAIN/pubcert.pem > $CERT_FILE - else - cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE - fi - - set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE" - - if [[ $CERT_FILE != $KEY_FILE ]]; then - if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then - cat ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem > $KEY_FILE - else - cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE - fi - else - if [[ -f ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem ]]; then - cat ${MOD_MD_DIR}/staging/$DOMAIN/privkey.pem >> $KEY_FILE - else - cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE - fi - fi - - set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE" -} - -function run_service -{ - local DOMAIN="$1" - local CONFIG="$2" - SERVICE="" - ACTION="" - - . 
$CONFIG - - [[ -z $SERVICE ]] && exit 0; - - if [[ -z $ACTION ]]; then - ACTION="restart" - fi - - /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1 -} - -function domain_renew -{ - local DOMAIN="$1" - for scr in /etc/md-renewed/$DOMAIN/*.cert; do - run_copy "$1" "$scr" - done - for scr in /etc/md-renewed/$DOMAIN/*.service; do - run_service "$1" "$scr" - done - for scr in /etc/md-renewed/$DOMAIN/*.sh; do - $scr "$1" - done -} - HTTP_RELOAD=n if [ -z $MD_RENEWED_HOST_DIR ]; then - MY_RENEWED_DIR=${MD_RENEWED_DIR}/renewed + MD_RENEWED_RENEWED_TARGET=${MD_RENEWED_DIR}/renewed + MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing + MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed else - MY_RENEWED_DIR=${MD_RENEWED_DIR}/renewed/${MD_RENEWED_HOST_DIR} + MD_RENEWED_RENEWED_TARGET=${MD_RENEWED_DIR}/renewed/${MD_RENEWED_HOST_DIR} + MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing/${MD_RENEWED_HOST_DIR} + MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed/${MD_RENEWED_HOST_DIR} +fi + +if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then + mkdir -p $MD_RENEWED_INSTALLING_TARGET + chown apache.apache $MD_RENEWED_INSTALLING_TARGET +fi + +if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then + mkdir -p $MD_RENEWED_INSTALLED_TARGET + chown apache.apache $MD_RENEWED_INSTALLED_TARGET fi echo "md-renewed.service Looking for our domains: ${MYDOMAINS[*]}" -for f in ${MY_RENEWED_DIR}/*; do +for f in ${MD_RENEWED_RENEWED_TARGET}/*; do if [[ ! -f $f ]]; then continue fi @@ -138,10 +47,6 @@ for f in ${MY_RENEWED_DIR}/*; do HTTPD_RELOAD=y fi done - - if [[ -d /etc/md-renewed/$DOMAIN ]]; then - domain_renew "$DOMAIN" - fi done if [[ $HTTPD_RELOAD == y ]]; then diff --git a/md-renewed-install b/md-renewed-install new file mode 100755 index 0000000..eb0d299 --- /dev/null +++ b/md-renewed-install 
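Review bot: `chown apache.apache $MD_RENEWED_INSTALLING_TARGET` (and the installed/ counterpart) uses the dot separator, which GNU chown accepts only for backward compatibility; `chown apache:apache "$MD_RENEWED_INSTALLING_TARGET"` is the documented form and also quotes the path. Within this hunk the script only reads `MD_RENEWED_RENEWED_TARGET`, while the installing/ and installed/ targets it creates and chowns are the same ones md-renewed-install sets up for itself; if md-renewed no longer writes to them after the `domain_renew` call was removed, the two setup blocks look like leftover and could be dropped, though the rest of the file is outside the hunk. The `[ -z $MD_RENEWED_HOST_DIR ]` test is single-bracket and unquoted while every other test in the file uses `[[ ]]`; `[[ -z $MD_RENEWED_HOST_DIR ]]` would be consistent.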
@@ -0,0 +1,183 @@
+#!/bin/bash
+
+MOD_MD_DIR=/var/lib/httpd/md
+MD_RENEWED_DIR=/var/lib/httpd/md-renewed
+
+if [[ -f /etc/md-renewed/md-renewed.conf ]]; then
+ . /etc/md-renewed/md-renewed.conf
+fi
+
+MYDOMAINS=$(curl -s http://127.0.0.1/md-renewed-status | tail -n +1 | jq -r '."managed-domains"[].name' 2>/dev/null)
+
+function set_permissions
+{
+ local FILE="$1"
+ local OWNER="$2"
+ local GROUP="$3"
+ local MODE="$4"
+
+ if [[ -z $OWNER ]]; then
+ chown root $FILE
+ else
+ chown $OWNER $FILE
+ fi
+
+ if [[ -z $GROUP ]]; then
+ chgrp root $FILE
+ else
+ chgrp $GROUP $FILE
+ fi
+
+ if [[ -z $MODE ]]; then
+ chmod 0600 $FILE
+ else
+ chmod $MODE $FILE
+ fi
+}
+
+function run_copy
+{
+ local DOMAIN="$1"
+ local CONFIG="$2"
+
+ CERT_OWNER=""
+ CERT_GROUP=""
+ CERT_MODE=""
+ CERT_FILE=""
+ KEY_OWNER=""
+ KEY_GROUP=""
+ KEY_MODE=""
+ KEY_FILE=""
+
+ . $CONFIG
+
+ [[ -z $CERT_FILE ]] && exit 0;
+
+ if [[ -z $KEY_FILE ]]; then
+ KEY_FILE="$CERT_FILE"
+ fi
+
+ cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE
+
+ set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
+
+ if [[ $CERT_FILE != $KEY_FILE ]]; then
+ cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE
+ else
+ cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE
+ fi
+
+ set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
+}
+
+function run_service
+{
+ local DOMAIN="$1"
+ local CONFIG="$2"
+ SERVICE=""
+ ACTION=""
+
+ . 
$CONFIG
+
+ [[ -z $SERVICE ]] && exit 0;
+
+ if [[ -z $ACTION ]]; then
+ ACTION="restart"
+ fi
+
+ /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
+}
+
+function domain_renew
+{
+ local DOMAIN="$1"
+ for scr in /etc/md-renewed/$DOMAIN/*.cert; do
+ run_copy "$1" "$scr"
+ done
+ for scr in /etc/md-renewed/$DOMAIN/*.service; do
+ run_service "$1" "$scr"
+ done
+ for scr in /etc/md-renewed/$DOMAIN/*.sh; do
+ $scr "$1"
+ done
+}
+
+HTTP_RELOAD=n
+
+if [ -z $MD_RENEWED_HOST_DIR ]; then
+ MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing
+ MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed
+else
+ MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing/${MD_RENEWED_HOST_DIR}
+ MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed/${MD_RENEWED_HOST_DIR}
+fi
+
+if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then
+ mkdir -p $MD_RENEWED_INSTALLING_TARGET
+ chown apache.apache $MD_RENEWED_INSTALLING_TARGET
+fi
+
+if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then
+ mkdir -p $MD_RENEWED_INSTALLED_TARGET
+ chown apache.apache $MD_RENEWED_INSTALLED_TARGET
+fi
+
+echo "md-renewed-install.service Looking for our domains: ${MYDOMAINS[*]}"
+for f in ${MD_RENEWED_INSTALLING_TARGET}/*; do
+ if [[ ! -f $f ]]; then
+ continue
+ fi
+
+ DOMAIN=$(basename $f)
+ rm -f $f
+ echo "md-renewed-install.service Checking domain $DOMAIN"
+
+ if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then
+ echo "md-renewed-install.service Installing domain $DOMAIN"
+ touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN
+
+ if [[ -d /etc/md-renewed/$DOMAIN ]]; then
+ domain_renew "$DOMAIN"
+ fi
+
+ for i in ${MYDOMAINS[@]}; do
+ if [[ $DOMAIN == $i ]]; then
+ echo "md-renewed-install.service $DOMAIN is our."
+ HTTPD_RELOAD=y
+ fi
+ done
+ fi
+done
+
+echo "md-renewed-install.service Looking for our already installed domains: ${MYDOMAINS[*]}"
+for f in ${MOD_MD_DIR}/domains/*; do
+ if [[ ! 
-d $f ]]; then
+ continue
+ fi
+
+ DOMAIN=$(basename $f)
+ echo "md-renewed-install.service Checking already installed domain $DOMAIN"
+
+ if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then
+ touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN
+
+ if [[ -d /etc/md-renewed/$DOMAIN ]]; then
+ domain_renew "$DOMAIN"
+ fi
+
+ for i in ${MYDOMAINS[@]}; do
+ if [[ $DOMAIN == $i ]]; then
+ echo "md-renewed-install.service Already installed $DOMAIN is our."
+ HTTPD_RELOAD=y
+ fi
+ done
+ fi
+done
+
+if [[ $HTTPD_RELOAD == y ]]; then
+ echo "md-renewed-install.service Restarting apache."
+ sleep $[ ( $RANDOM % 60 ) + 1 ]s
+ /usr/bin/systemctl reload httpd
+fi
+
+exit 0
\ No newline at end of file
diff --git a/md-renewed-install.path b/md-renewed-install.path
new file mode 100644
index 0000000..be3a875
--- /dev/null
+++ b/md-renewed-install.path
@@ -0,0 +1,13 @@
+[Path]
+PathExistsGlob=/var/lib/httpd/md-renewed/installing/*
+Unit=md-renewed-install.service
+MakeDirectory=true
+DirectoryMode=0777
+
+[Unit]
+BindsTo=httpd.service
+After=httpd.service
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/md-renewed-install.service b/md-renewed-install.service
new file mode 100644
index 0000000..68a3c5f
--- /dev/null
+++ b/md-renewed-install.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=The Apache HTTP Server reloader
+After=network.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/md-renewed/md-renewed.conf
+ExecStart=/usr/libexec/md-renewed/md-renewed-install
+
+[Install]
+WantedBy=multi-user.target
diff --git a/md-renewed.path b/md-renewed.path
index b4f682d..25f9208 100644
--- a/md-renewed.path
+++ b/md-renewed.path
@@ -1,5 +1,5 @@
 [Path]
-PathExistsGlob=/var/lib/httpd/md-renewed/renewed/%H/*
+PathExistsGlob=/var/lib/httpd/md-renewed/renewed/*
 Unit=md-renewed.service
 MakeDirectory=true
 DirectoryMode=0777
diff --git a/md-renewed.spec b/md-renewed.spec
index 7dfc8eb..5f8ad07 100644
--- a/md-renewed.spec
+++ b/md-renewed.spec
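Review bot: `HTTP_RELOAD=n` initialises a variable the script never reads; the flag set in both loops and tested at the bottom is `HTTPD_RELOAD`, so the initialisation should read `HTTPD_RELOAD=n` (the same mismatch exists in md-renewed, where it is a context line). Because `installing/` is chowned to apache here and created 0777 by the path unit, the file names this privileged script turns into `DOMAIN` originate from the web-server user; they are only used as path components and as a subdirectory of /etc/md-renewed, but they are unquoted in `rm -f $f`, `touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN` and the `cat ... > $CERT_FILE` lines, so a name with whitespace or glob characters word-splits. A guard after `DOMAIN=$(basename "$f")`, `[[ $DOMAIN =~ ^[A-Za-z0-9*._-]+$ ]] || continue`, together with quoting the expansions, confines the script to well-formed names. `sleep $[ ( $RANDOM % 60 ) + 1 ]s` uses the deprecated `$[ ]` arithmetic form; `sleep "$(( RANDOM % 60 + 1 ))s"` is the current syntax.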
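Review bot: `DirectoryMode=0777` makes `installing/` world-writable whenever the path unit has to create it, while the spec packages the same directory as 0775 root:apache and md-renewed-install chowns it to apache; any local user could then drop a marker name that the root-privileged service acts on. `DirectoryMode=0770` (or 0775 to match the package) is enough for the apache writer. The existing md-renewed.path carries the same setting.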
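Review bot: `EnvironmentFile=/etc/md-renewed/md-renewed.conf` has no `-` prefix, so the unit fails to start when the file is absent, while the script itself treats it as optional (`if [[ -f /etc/md-renewed/md-renewed.conf ]]`). `EnvironmentFile=-/etc/md-renewed/md-renewed.conf` makes the two agree. The unit orders only `After=network.target` although the script queries `http://127.0.0.1/md-renewed-status`; the path unit's `BindsTo=httpd.service` likely covers the common case, but `After=httpd.service` on the service would make the dependency explicit when it is started by hand.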
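Review bot: The glob is widened from `renewed/%H/*` to `renewed/*`, but md-renewed still consumes only `renewed/${MD_RENEWED_HOST_DIR}/*` when a host dir is configured, and md-message now creates the per-host subdirectories up front, so with a host dir set the directories themselves match `renewed/*` permanently. That condition stays satisfied after every run, and it is worth confirming systemd does not keep re-triggering md-renewed.service in that layout. If per-host markers are meant to fire the unit, an additional `PathExistsGlob=/var/lib/httpd/md-renewed/renewed/*/*` line matches the files without depending on the directories, though the full md-renewed loop is outside this hunk.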
@@ -1,5 +1,5 @@
 Name: md-renewed
-Version: 1.2.9
+Version: 1.3.4
 Release: 1%{?dist}
 Summary: Restart service on Apache module mod_md certificate renewal
 License: MIT
@@ -11,6 +11,9 @@ Source0: md-renewed
 Source1: md-message
 Source2: md-renewed.path
 Source3: md-renewed.service
+Source5: md-renewed-install
+Source6: md-renewed-install.path
+Source7: md-renewed-install.service
 Source10: md-renewed-httpd.conf
 Source11: md-renewed.conf
@@ -33,10 +36,13 @@ Restart service on Apache module mod_md certificate renewal
 %{__install} -d -m 0755 %{buildroot}%{_libexecdir}/md-renewed
 %{__install} -m 0755 %{SOURCE0} %{buildroot}%{_libexecdir}/md-renewed/md-renewed
 %{__install} -m 0755 %{SOURCE1} %{buildroot}%{_libexecdir}/md-renewed/md-message
+%{__install} -m 0755 %{SOURCE5} %{buildroot}%{_libexecdir}/md-renewed/md-renewed-install
 %{__install} -d -m 0755 %{buildroot}%{_unitdir}
 %{__install} -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
 %{__install} -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
+%{__install} -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/
+%{__install} -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/
 %{__install} -d -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
 %{__install} -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/httpd/conf.d/md-renewed.conf
@@ -50,20 +56,25 @@ Restart service on Apache module mod_md certificate renewal
 %{__install} -m 0755 %{SOURCE22} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
 %{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/
+%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/errored
+%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/installed
+%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/installing
 %{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/renewed
 %{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/renewing
-%{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/errored
 %{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ocsp-renewed
 %{__install} -d -m 0775 %{buildroot}%{_sharedstatedir}/httpd/md-renewed/ocsp-errored
 %post
 %systemd_post md-renewed.path
+%systemd_post md-renewed-install.path
 %preun
 %systemd_preun md-renewed.path
+%systemd_preun md-renewed-install.path
 %postun
 %systemd_postun md-renewed.path
+%systemd_postun md-renewed-install.path
 %clean
 %{__rm} -rf %{buildroot}
@@ -76,15 +87,20 @@ Restart service on Apache module mod_md certificate renewal
 %config %{_sysconfdir}/httpd/conf.d/md-renewed.conf
 %{_libexecdir}/md-renewed/md-renewed
+%{_libexecdir}/md-renewed/md-renewed-install
 %{_libexecdir}/md-renewed/md-message
 %{_unitdir}/md-renewed.service
+%{_unitdir}/md-renewed-install.service
 %{_unitdir}/md-renewed.path
+%{_unitdir}/md-renewed-install.path
 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/
+%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored
+%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/installed
+%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/installing
 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/renewed
 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/renewing
-%dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored
 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ocsp-renewed
 %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ocsp-errored