Initial commit

example.cert

@@ -0,0 +1,17 @@
+#
+# CERT_FILE     - Destination of cert file
+# KEY_FILE      - Destination of key file. If empty appended to CERT_FILE
+# *_OWNER       - Owner (default: root)
+# *_GROUP       - Group (default: root)
+# *_MODE        - Mode (default: 0600)
+#
+
+CERT_FILE=/etc/pki/tls/certs/example.com.pem
+CERT_OWNER=root
+CERT_GROUP=root
+CERT_MODE=0644
+
+KEY_FILE=/etc/pki/tls/private/example.com.pem
+KEY_OWNER=root
+KEY_GROUP=root
+KEY_MODE=0600

example.service

@@ -0,0 +1,5 @@
+# systemd service
+SERVICE=someservice
+
+# ACTION defaults to restart
+ACTION=reload

example.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+DOMAIN=$1
+
+echo "$DOMAIN certificate renewed!"

md-message

@@ -0,0 +1,9 @@
+
+MSG="$1"
+DOMAIN="$2"
+
+if [[ $MSG == renewed ]]; then
+    touch /run/md-renewed/$DOMAIN
+fi
+
+exit 0

md-renewed

@@ -0,0 +1,113 @@
+#!/bin/bash
+
+function set_permissions
+{
+  local FILE="$1"
+  local OWNER="$2"
+  local GROUP="$3"
+  local MODE="$4"
+
+  if [[ -z $OWNER ]]; then
+    chown root $FILE
+  else
+    chown $OWNER $FILE
+  fi
+
+  if [[ -z $GROUP ]]; then
+    chgrp root $FILE
+  else
+    chgrp $GROUP $FILE
+  fi
+
+  if [[ -z $MODE ]]; then
+    chmod 0600 $FILE
+  else
+    chmod $MODE $FILE
+  fi
+}
+
+function run_copy
+{
+  local DOMAIN="$1"
+  local CONFIG="$2"
+
+  CERT_OWNER=""
+  CERT_GROUP=""
+  CERT_MODE=""
+  CERT_FILE=""
+  KEY_OWNER=""
+  KEY_GROUP=""
+  KEY_MODE=""
+  KEY_FILE=""
+
+  . $CONFIG
+
+  [[ -z $CERT_FILE ]] && exit 0;
+
+  if [[ -z $KEY_FILE ]]; then
+    KEY_FILE="$CERT_FILE"
+  fi
+
+  cat /var/lib/httpd/md/domains/$DOMAIN/pubcert.pem > $CERT_FILE
+  set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
+
+  if [[ $CERT_FILE != $KEY_FILE ]]; then
+    cat /var/lib/httpd/md/domains/$DOMAIN/pubcert.pem > $KEY_FILE
+  else
+    cat /var/lib/httpd/md/domains/$DOMAIN/pubcert.pem >> $KEY_FILE
+  fi
+  set_permissions "$CERT_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
+}
+
+function run_service
+{
+  local DOMAIN="$1"
+  local CONFIG="$2"
+  SERVICE=""
+  ACTION=""
+
+  . $CONFIG
+
+  [[ -z $SERVICE ]] && exit 0;
+
+  if [[ -z $ACTION ]]; then
+    ACTION="restart"
+  fi
+
+  /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
+}
+
+function domain_renew
+{
+  local DOMAIN="$1"
+  for scr in /etc/md-renewed/$DOMAIN/*.cert; do
+    run_copy "$1" "/etc/md-renewed/$DOMAIN/$scr"
+  done
+  for scr in /etc/md-renewed/$DOMAIN/*.service; do
+    run_service "$1" "/etc/md-renewed/$DOMAIN/$scr"
+  done
+  for scr in /etc/md-renewed/$DOMAIN/*.sh; do
+    /etc/md-renewed/$DOMAIN/$scr "$1"
+  done
+}
+
+HTTP_RELOAD=n
+
+for f in /run/md-renewed/*; do
+  if [[ ! -f $f ]]; then
+    continue
+  fi
+  HTTPD_RELOAD=y
+
+  if [[ ! -d /etc/md-renewed/$f ]]; then
+    continue
+  fi
+
+  domain_renew "$1"
+done
+
+if [[ $HTTPD_RELOAD == y ]]; then
+  /usr/bin/systemctl reload httpd
+fi
+
+exit 0

md-renewed-tmpfiles.conf

@@ -0,0 +1 @@
+d /run/md-renewed 0770 root apache

md-renewed.conf

@@ -0,0 +1,2 @@
+MDMessageCmd /usr/libexec/md-renewed/md-message
+

md-renewed.path

@@ -0,0 +1,5 @@
+[Path]
+PathExistsGlob=/run/md-renewed/*
+
+[Install]
+WantedBy=multi-user.target

md-renewed.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=The Apache HTTP Server reloader
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/md-renewed/md-renewed
+
+[Install]
+WantedBy=multi-user.target

md-renewed.spec

@@ -0,0 +1,81 @@
+Name:           md-renewed
+Version:        1.0.0
+Release:        1%{?dist}
+Summary:        Restart service on Apache module mod_md certificate renewal
+License:        MIT
+Group:          System Environment/Base
+URL:            http://netst.org/pub/fedora/st/
+BuildArch:      noarch
+
+Source0:        md-renewed
+Source1:        md-message
+Source2:        md-renewed.path
+Source3:        md-renewed.service
+Source4:        md-renewed-tmpfiles.conf
+Source5:        md-renewed.conf
+Source6:        example.service
+Source7:        example.cert
+Source8:        example.sh
+
+Requires:       httpd
+%{?systemd_requires}
+BuildRequires:      systemd-rpm-macros
+
+%description
+Restart service on Apache module mod_md certificate renewal
+
+%install
+%{__rm} -rf %{buildroot}
+
+install -d -m 0755 %{buildroot}%{_libexecdir}/md-renewed
+install -m 0644 %{SOURCE0} %{buildroot}%{_libexecdir}/md-renewed/
+install -m 0644 %{SOURCE1} %{buildroot}%{_libexecdir}/md-renewed/
+
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
+
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/md-renewed.conf
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/httpd/conf.d/
+
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed
+install -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed/example.com
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
+install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
+install -m 0755 %{SOURCE8} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
+
+%post
+%systemd_post md-renewed.service
+
+%tmpfiles_create %{_tmpfilesdir}/md-renewed.conf
+
+%preun
+%systemd_preun md-renewed.service
+
+
+%postun
+%systemd_postun md-renewed.service
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+
+%dir %{_sysconfdir}/md-renewed
+%config %{_sysconfdir}/md-renewed/*
+%config %{_sysconfdir}/httpd/conf.d/md-renewed.conf
+
+%{_libexecdir}/md-renewed/md-renewed
+%{_libexecdir}/md-renewed/md-message
+%{_unitdir}/md-renewed.service
+%{_unitdir}/md-renewed.path
+%{_tmpfilesdir}/md-renewed.conf
+
+%changelog
+* Thu Nov  30 2021 Zoran Pericic <zpericic@netst.org> - 1.0.0-1
+Initial release