From e5ac6a1d47bcd8e73416a8d2c21f4e2c520bfeb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?=
Date: Tue, 30 Nov 2021 11:42:48 +0100
Subject: [PATCH] Initial commit
---
example.cert | 17 ++++++
example.service | 5 ++
example.sh | 5 ++
md-message | 9 ++++
md-renewed | 113 +++++++++++++++++++++++++++++++++++++++
md-renewed-tmpfiles.conf | 1 +
md-renewed.conf | 2 +
md-renewed.path | 5 ++
md-renewed.service | 10 ++++
md-renewed.spec | 81 ++++++++++++++++++++++++++++
10 files changed, 248 insertions(+)
create mode 100644 example.cert
create mode 100644 example.service
create mode 100755 example.sh
create mode 100755 md-message
create mode 100755 md-renewed
create mode 100644 md-renewed-tmpfiles.conf
create mode 100644 md-renewed.conf
create mode 100644 md-renewed.path
create mode 100644 md-renewed.service
create mode 100644 md-renewed.spec
diff --git a/example.cert b/example.cert
new file mode 100644
index 0000000..55ba783
--- /dev/null
+++ b/example.cert
@@ -0,0 +1,17 @@
+#
+# CERT_FILE - Destination of cert file
+# KEY_FILE - Destination of key file. If empty appended to CERT_FILE
+# *_OWNER - Owner (default: root)
+# *_GROUP - Group (default: root)
+# *_MODE - Mode (default: 0600)
+#
+
+CERT_FILE=/etc/pki/tls/certs/example.com.pem
+CERT_OWNER=root
+CERT_GROUP=root
+CERT_MODE=0644
+
+KEY_FILE=/etc/pki/tls/private/example.com.pem
+KEY_OWNER=root
+KEY_GROUP=root
+KEY_MODE=0600
diff --git a/example.service b/example.service
new file mode 100644
index 0000000..31bad38
--- /dev/null
+++ b/example.service
@@ -0,0 +1,5 @@
+# systemd service
+SERVICE=someservice
+
+# ACTION defaults to restart
+ACTION=reload
diff --git a/example.sh b/example.sh
new file mode 100755
index 0000000..e3a1b90
--- /dev/null
+++ b/example.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+DOMAIN=$1
+
+echo "$DOMAIN certificate renewed!"
\ No newline at end of file
diff --git a/md-message b/md-message
new file mode 100755
index 0000000..39b147c
--- /dev/null
+++ b/md-message
@@ -0,0 +1,9 @@
+
+MSG="$1"
+DOMAIN="$2"
+
+if [[ $MSG == renewed ]]; then
+ touch /run/md-renewed/$DOMAIN
+fi
+
+exit 0
\ No newline at end of file
diff --git a/md-renewed b/md-renewed
new file mode 100755
index 0000000..b222589
--- /dev/null
+++ b/md-renewed
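Review bot: md-message begins with a blank line instead of an interpreter line yet relies on the bash-only `[[ ]]` test, so whether it runs at all depends on how mod_md executes MDMessageCmd and on whatever shell ends up interpreting it; add `#!/bin/bash` as the first line. The domain taken from `$2` is used unquoted and unchecked in `touch /run/md-renewed/$DOMAIN`, and an empty second argument merely touches the directory itself while still exiting 0. A tighter body is `[[ $MSG == renewed && -n $DOMAIN && $DOMAIN != */* && $DOMAIN != .* ]] || exit 0` followed by `touch -- "/run/md-renewed/$DOMAIN"`. This file runs under httpd and the marker it drops is what later starts a root-privileged md-renewed run, so the marker name is the one thing httpd controls here and should be kept to a plain name.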
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+function set_permissions
+{
+ local FILE="$1"
+ local OWNER="$2"
+ local GROUP="$3"
+ local MODE="$4"
+
+ if [[ -z $OWNER ]]; then
+ chown root $FILE
+ else
+ chown $OWNER $FILE
+ fi
+
+ if [[ -z $GROUP ]]; then
+ chgrp root $FILE
+ else
+ chgrp $GROUP $FILE
+ fi
+
+ if [[ -z $MODE ]]; then
+ chmod 0600 $FILE
+ else
+ chmod $MODE $FILE
+ fi
+}
+
+function run_copy
+{
+ local DOMAIN="$1"
+ local CONFIG="$2"
+
+ CERT_OWNER=""
+ CERT_GROUP=""
+ CERT_MODE=""
+ CERT_FILE=""
+ KEY_OWNER=""
+ KEY_GROUP=""
+ KEY_MODE=""
+ KEY_FILE=""
+
+ . $CONFIG
+
+ [[ -z $CERT_FILE ]] && exit 0;
+
+ if [[ -z $KEY_FILE ]]; then
+ KEY_FILE="$CERT_FILE"
+ fi
+
+ cat /var/lib/httpd/md/domains/$DOMAIN/pubcert.pem > $CERT_FILE
+ set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE"
+
+ if [[ $CERT_FILE != $KEY_FILE ]]; then
+ cat /var/lib/httpd/md/domains/$DOMAIN/pubcert.pem > $KEY_FILE
+ else
+ cat /var/lib/httpd/md/domains/$DOMAIN/pubcert.pem >> $KEY_FILE
+ fi
+ set_permissions "$CERT_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE"
+}
+
+function run_service
+{
+ local DOMAIN="$1"
+ local CONFIG="$2"
+ SERVICE=""
+ ACTION=""
+
+ . $CONFIG
+
+ [[ -z $SERVICE ]] && exit 0;
+
+ if [[ -z $ACTION ]]; then
+ ACTION="restart"
+ fi
+
+ /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1
+}
+
+function domain_renew
+{
+ local DOMAIN="$1"
+ for scr in /etc/md-renewed/$DOMAIN/*.cert; do
+ run_copy "$1" "/etc/md-renewed/$DOMAIN/$scr"
+ done
+ for scr in /etc/md-renewed/$DOMAIN/*.service; do
+ run_service "$1" "/etc/md-renewed/$DOMAIN/$scr"
+ done
+ for scr in /etc/md-renewed/$DOMAIN/*.sh; do
+ /etc/md-renewed/$DOMAIN/$scr "$1"
+ done
+}
+
+HTTP_RELOAD=n
+
+for f in /run/md-renewed/*; do
+ if [[ ! -f $f ]]; then
+ continue
+ fi
+ HTTPD_RELOAD=y
+
+ if [[ ! -d /etc/md-renewed/$f ]]; then
+ continue
+ fi
+
+ domain_renew "$1"
+done
+
+if [[ $HTTPD_RELOAD == y ]]; then
+ /usr/bin/systemctl reload httpd
+fi
+
+exit 0
\ No newline at end of file
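Review bot: The main loop never renews anything: `f` holds the full path `/run/md-renewed/<domain>`, so `[[ ! -d /etc/md-renewed/$f ]]` always skips, and even if it were reached `domain_renew "$1"` passes the script's own argument (empty under `ExecStart=`) rather than the domain; `domain_renew` then prefixes `/etc/md-renewed/$DOMAIN/` onto `$scr` although the glob already yields full paths, and `HTTP_RELOAD=n` above the loop is a typo for `HTTPD_RELOAD`. In `run_copy` the key destination is filled from `pubcert.pem` in both branches (mod_md keeps the private key in `privkey.pem` beside it) and the second `set_permissions` call is given `$CERT_FILE` instead of `$KEY_FILE`, so a key file created fresh by `>` keeps whatever mode the default umask gave it; put `umask 077` at the top of the script so new files are never readable between the redirect and the `chmod`. The `exit 0` in `run_copy` and `run_service` when `CERT_FILE`/`SERVICE` is empty terminates the whole run, skipping the remaining configs, domains and the httpd reload, where `return 0` is what is meant. The markers under `/run/md-renewed` are never removed, so the path unit added in the same commit will presumably keep re-triggering this service after every run; consuming each marker once processed avoids that. The loop and `domain_renew` with these fixes applied:
```shell
function domain_renew
{
  local DOMAIN="$1"
  local scr
  for scr in /etc/md-renewed/"$DOMAIN"/*.cert; do
    [[ -f $scr ]] && run_copy "$DOMAIN" "$scr"
  done
  for scr in /etc/md-renewed/"$DOMAIN"/*.service; do
    [[ -f $scr ]] && run_service "$DOMAIN" "$scr"
  done
  for scr in /etc/md-renewed/"$DOMAIN"/*.sh; do
    [[ -x $scr ]] && "$scr" "$DOMAIN"
  done
}

HTTPD_RELOAD=n

for f in /run/md-renewed/*; do
  [[ -f $f ]] || continue
  HTTPD_RELOAD=y
  DOMAIN=${f##*/}
  # consume the marker so the path unit does not fire again for this run
  rm -f -- "$f"
  [[ -d /etc/md-renewed/$DOMAIN ]] || continue
  domain_renew "$DOMAIN"
done
# … unchanged: httpd reload and exit …
```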
diff --git a/md-renewed-tmpfiles.conf b/md-renewed-tmpfiles.conf
new file mode 100644
index 0000000..b815fb8
--- /dev/null
+++ b/md-renewed-tmpfiles.conf
@@ -0,0 +1 @@
+d /run/md-renewed 0770 root apache
diff --git a/md-renewed.conf b/md-renewed.conf
new file mode 100644
index 0000000..4f746f0
--- /dev/null
+++ b/md-renewed.conf
@@ -0,0 +1,2 @@
+MDMessageCmd /usr/libexec/md-renewed/md-message
+
diff --git a/md-renewed.path b/md-renewed.path
new file mode 100644
index 0000000..533695c
--- /dev/null
+++ b/md-renewed.path
@@ -0,0 +1,5 @@
+[Path]
+PathExistsGlob=/run/md-renewed/*
+
+[Install]
+WantedBy=multi-user.target
diff --git a/md-renewed.service b/md-renewed.service
new file mode 100644
index 0000000..9b77008
--- /dev/null
+++ b/md-renewed.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=The Apache HTTP Server reloader
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/md-renewed/md-renewed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/md-renewed.spec b/md-renewed.spec
new file mode 100644
index 0000000..1d83f2c
--- /dev/null
+++ b/md-renewed.spec
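Review bot: md-renewed.service carries its own `[Install]` / `WantedBy=multi-user.target`, so once enabled the oneshot also runs at every boot independent of any renewal, while md-renewed.path is the unit the triggering actually depends on; drop the `[Install]` section from the service and enable the `.path` unit instead. With `PathExistsGlob=/run/md-renewed/*`, systemd.path(5) re-checks the monitored paths as soon as the triggered service exits and starts it again if a marker still exists, and the md-renewed script in this commit does not remove its markers, so this is likely to loop until a marker is deleted by hand — either the script consumes the marker or the trigger needs rethinking. The tmpfiles line `d /run/md-renewed 0770 root apache` is what lets httpd create markers, which is the intended design, but it means any file httpd drops there starts a root run of md-renewed, so the consumer must treat the basename only as a lookup key into `/etc/md-renewed/`. `After=network.target` has no bearing on a oneshot that copies local files and can be removed.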
@@ -0,0 +1,81 @@
+Name: md-renewed
+Version: 1.0.0
+Release: 1%{?dist}
+Summary: Restart service on Apache module mod_md certificate renewal
+License: MIT
+Group: System Environment/Base
+URL: http://netst.org/pub/fedora/st/
+BuildArch: noarch
+
+Source0: md-renewed
+Source1: md-message
+Source2: md-renewed.path
+Source3: md-renewed.service
+Source4: md-renewed-tmpfiles.conf
+Source5: md-renewed.conf
+Source6: example.service
+Source7: example.cert
+Source8: example.sh
+
+Requires: httpd
+%{?systemd_requires}
+BuildRequires: systemd-rpm-macros
+
+%description
+Restart service on Apache module mod_md certificate renewal
+
+%install
+%{__rm} -rf %{buildroot}
+
+install -d -m 0755 %{buildroot}%{_libexecdir}/md-renewed
+install -m 0644 %{SOURCE0} %{buildroot}%{_libexecdir}/md-renewed/
+install -m 0644 %{SOURCE1} %{buildroot}%{_libexecdir}/md-renewed/
+
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
+
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/md-renewed.conf
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/httpd/conf.d/
+
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed
+install -d -m 0755 %{buildroot}%{_sysconfdir}/md-renewed/example.com
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
+install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
+install -m 0755 %{SOURCE8} %{buildroot}%{_sysconfdir}/md-renewed/example.com/
+
+%post
+%systemd_post md-renewed.service
+
+%tmpfiles_create %{_tmpfilesdir}/md-renewed.conf
+
+%preun
+%systemd_preun md-renewed.service
+
+
+%postun
+%systemd_postun md-renewed.service
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+
+%dir %{_sysconfdir}/md-renewed
+%config %{_sysconfdir}/md-renewed/*
+%config %{_sysconfdir}/httpd/conf.d/md-renewed.conf
+
+%{_libexecdir}/md-renewed/md-renewed
+%{_libexecdir}/md-renewed/md-message
+%{_unitdir}/md-renewed.service
+%{_unitdir}/md-renewed.path
+%{_tmpfilesdir}/md-renewed.conf
+
+%changelog
+* Thu Nov 30 2021 Zoran Pericic - 1.0.0-1
+Initial release
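Review bot: `install -m 0644 %{SOURCE0}` and `install -m 0644 %{SOURCE1}` in `%install` strip the executable bit from the two scripts that must run — md-renewed via `ExecStart=` and md-message via httpd's `MDMessageCmd` — so the packaged copies cannot be executed even though the files are committed as mode 100755; use `install -m 0755` for both. `%systemd_post`, `%systemd_preun` and `%systemd_postun` name only md-renewed.service, so the packaged md-renewed.path is never enabled or started and nothing triggers the service; pass both units, e.g. `%systemd_post md-renewed.path md-renewed.service`. The `%config` entries for `%{_sysconfdir}/md-renewed/*` and the httpd conf.d snippet are administrator-edited and should be `%config(noreplace)` so upgrades do not overwrite local changes. The `%changelog` line `* Thu Nov 30 2021` does not match the weekday of that date (the patch header itself says Tue), which rpmbuild flags as a bogus date.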