From e82685fc21d77cfe2f9d97078b9cd08a63e11549 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= Date: Wed, 23 Mar 2022 09:15:16 +0100 Subject: [PATCH] v1.4.3 --- example.cert | 3 + md-message | 15 +++- md-renewed | 5 +- md-renewed-install | 136 ++++++++++++++++++++----------------- md-renewed-install.path | 13 ---- md-renewed-install.service | 1 + md-renewed-install.timer | 11 +++ md-renewed.conf | 2 + md-renewed.spec | 21 ++++-- md-renewed.timer | 11 +++ 10 files changed, 130 insertions(+), 88 deletions(-) delete mode 100644 md-renewed-install.path create mode 100644 md-renewed-install.timer create mode 100644 md-renewed.timer diff --git a/example.cert b/example.cert index 55ba783..b9720cf 100644 --- a/example.cert +++ b/example.cert @@ -15,3 +15,6 @@ KEY_FILE=/etc/pki/tls/private/example.com.pem KEY_OWNER=root KEY_GROUP=root KEY_MODE=0600 + +SERVICE=someservice +ACTION=reload diff --git a/md-message b/md-message index 6582bca..ae58cd7 100755 --- a/md-message +++ b/md-message @@ -30,9 +30,20 @@ case $1 in fi if [[ -z $MD_RENEWED_HOST_DIR ]]; then echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$DOMAIN + rm -f $MD_RENEWED_DIR/installed/$DOMAIN else - mkdir -p $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR - echo $(date) $(hostname) > $MD_RENEWED_DIR/renewed/$MD_RENEWED_HOST_DIR/$DOMAIN + for f in $MD_RENEWED_DIR/renewed/*/; do + if [[ ! -d "$f" ]]; then + continue + fi + echo $(date) $(hostname) > ${f}${DOMAIN} + done + for f in $MD_RENEWED_DIR/installed/*/; do + if [[ ! -d "$f" ]]; then + continue + fi + rm -f ${f}${DOMAIN} + done fi ;; installed) diff --git a/md-renewed b/md-renewed index 08f6813..073ef8b 100755 --- a/md-renewed +++ b/md-renewed 
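Review bot: The new `else` branch no longer creates the per-host directory (the `mkdir -p .../$MD_RENEWED_HOST_DIR` line is removed) and instead writes the marker into every already existing `renewed/*/` directory, so when `MD_RENEWED_HOST_DIR` is set but no host directory exists yet the renewal is silently dropped; if host directories are expected to be created elsewhere, a comment saying so would help, since the variable is now only tested for emptiness. The added lines also leave the path expansions unquoted: `echo $(date) $(hostname) > ${f}${DOMAIN}` and `rm -f ${f}${DOMAIN}` should be `echo "$(date) $(hostname)" > "${f}${DOMAIN}"` and `rm -f -- "${f}${DOMAIN}"`, matching the quoted `[[ ! -d "$f" ]]` test just above them. The enclosing `case $1 in` starts outside the hunk.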
@@ -23,12 +23,12 @@ fi if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then mkdir -p $MD_RENEWED_INSTALLING_TARGET - chown apache.apache $MD_RENEWED_INSTALLING_TARGET + chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLING_TARGET fi if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then mkdir -p $MD_RENEWED_INSTALLED_TARGET - chown apache.apache $MD_RENEWED_INSTALLED_TARGET + chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLED_TARGET fi echo "md-renewed.service Looking for our domains: ${MYDOMAINS[*]}" @@ -51,7 +51,6 @@ done if [[ $HTTPD_RELOAD == y ]]; then echo "md-renewed.service Restarting apache." - sleep $[ ( $RANDOM % 60 ) + 1 ]s /usr/bin/systemctl reload httpd fi diff --git a/md-renewed-install b/md-renewed-install index eb0d299..ffaf175 100755 --- a/md-renewed-install +++ b/md-renewed-install 
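Review bot: `chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLING_TARGET` (and the same line for the installed target) uses the `.` owner/group separator, which GNU chown accepts only for BSD compatibility and documents as deprecated; `:` is the portable form, e.g. `chown "${MD_USER}:${MD_GROUP}" "$MD_RENEWED_INSTALLING_TARGET"`. MD_USER and MD_GROUP are presumably read from md-renewed.conf, which this commit extends, so a host still carrying an older config leaves both empty and chown receives a bare `.`; a guard such as `: "${MD_USER:?MD_USER not set}" "${MD_GROUP:?MD_GROUP not set}"` before these calls fails loudly instead of with an opaque chown error. The two chown lines in the md-renewed-install hunk at `@@ -114,12 +141,12 @@` have the same issue.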
@@ -40,34 +40,65 @@ function run_copy local DOMAIN="$1" local CONFIG="$2" - CERT_OWNER="" - CERT_GROUP="" - CERT_MODE="" + CERT_OWNER="root" + CERT_GROUP="root" + CERT_MODE="0700" CERT_FILE="" - KEY_OWNER="" - KEY_GROUP="" - KEY_MODE="" + KEY_OWNER="root" + KEY_GROUP="root" + KEY_MODE="0700" KEY_FILE="" + SERVICE="" + ACRION="restart" . $CONFIG [[ -z $CERT_FILE ]] && exit 0; - if [[ -z $KEY_FILE ]]; then - KEY_FILE="$CERT_FILE" + TEMP_CERT_FILE=$(mktemp) + + if [[ ! -z $KEY_FILE ]]; then + TEMP_KEY_FILE=$(mktemp) fi - cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $CERT_FILE + OLD_UMASK=$(umask) + umask 0077 + DO_ACTION=n - set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE" + if [[ ! -z $KEY_FILE && $KEY_FILE != $CERT_FILE ]]; then + cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $TEMP_CERT_FILE + cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $TEMP_KEY_FILE - if [[ $CERT_FILE != $KEY_FILE ]]; then - cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem > $KEY_FILE + if [[ $(md5sum $TEMP_CERT_FILE) != $(md5sum $CERT_FILE) ]]; then + cp -f $TEMP_CERT_FILE $CERT_FILE + set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE" + DO_ACTION=y + fi + rm -f $TEMP_CERT_FILE + + if [[ $(md5sum $TEMP_KEY_FILE) != $(md5sum $KEY_FILE) ]]; then + cp -f $TEMP_KEY_FILE $KEY_FILE + set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE" + DO_ACTION=y + fi + rm -f $TEMP_KEY_FILE else - cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $KEY_FILE - fi + cat ${MOD_MD_DIR}/domains/$DOMAIN/pubcert.pem > $TEMP_CERT_FILE + cat ${MOD_MD_DIR}/domains/$DOMAIN/privkey.pem >> $TEMP_CERT_FILE - set_permissions "$KEY_FILE" "$KEY_OWNER" "$KEY_GROUP" "$KEY_MODE" + if [[ $(md5sum $TEMP_CERT_FILE) != $(md5sum $CERT_FILE) ]]; then + cp -f $TEMP_CERT_FILE $CERT_FILE + set_permissions "$CERT_FILE" "$CERT_OWNER" "$CERT_GROUP" "$CERT_MODE" + DO_ACTION=y + fi + rm -f $TEMP_CERT_FILE + fi + umask $OLD_UMASK + + if [[ $DO_ACTION == y && ! 
-z $SERVICE ]]; then + ACTION=${ACTION:-restart} + /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1 + fi } function run_service @@ -81,9 +112,7 @@ function run_service [[ -z $SERVICE ]] && exit 0; - if [[ -z $ACTION ]]; then - ACTION="restart" - fi + ACTION=${ACTION:-restart} /usr/bin/systemctl $ACTION $SERVICE > /dev/null 2>&1 } @@ -102,8 +131,6 @@ function domain_renew done } -HTTP_RELOAD=n - if [ -z $MD_RENEWED_HOST_DIR ]; then MD_RENEWED_INSTALLING_TARGET=${MD_RENEWED_DIR}/installing MD_RENEWED_INSTALLED_TARGET=${MD_RENEWED_DIR}/installed @@ -114,12 +141,12 @@ fi if [[ ! -d $MD_RENEWED_INSTALLING_TARGET ]]; then mkdir -p $MD_RENEWED_INSTALLING_TARGET - chown apache.apache $MD_RENEWED_INSTALLING_TARGET + chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLING_TARGET fi if [[ ! -d $MD_RENEWED_INSTALLED_TARGET ]]; then mkdir -p $MD_RENEWED_INSTALLED_TARGET - chown apache.apache $MD_RENEWED_INSTALLED_TARGET + chown ${MD_USER}.${MD_GROUP} $MD_RENEWED_INSTALLED_TARGET fi echo "md-renewed-install.service Looking for our domains: ${MYDOMAINS[*]}" 
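Review bot: The three change checks of the form `if [[ $(md5sum $TEMP_CERT_FILE) != $(md5sum $CERT_FILE) ]]; then` compare the full md5sum output, which includes the file name, so the two strings always differ and every run rewrites the files and triggers the service action even when nothing changed; compare content instead, e.g. `if ! cmp -s -- "$TEMP_CERT_FILE" "$CERT_FILE"; then` (likewise for the key and for the combined-file branch). `ACRION="restart"` is a typo for `ACTION`, so `ACTION` is never reset before `. $CONFIG`, and because it is not `local` to run_copy a value set by one domain's config leaks into the next domain that does not set it. The new defaults `CERT_MODE="0700"` and `KEY_MODE="0700"` set the execute bit on regular files; `0600`, which the example.cert in this commit uses for KEY_MODE, is the usual choice. run_copy's signature is outside the hunk.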
@@ -132,52 +159,33 @@ for f in ${MD_RENEWED_INSTALLING_TARGET}/*; do rm -f $f echo "md-renewed-install.service Checking domain $DOMAIN" - if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then - echo "md-renewed-install.service Installing domain $DOMAIN" - touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN + echo "md-renewed-install.service Installing domain $DOMAIN" + touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN + + if [[ -d /etc/md-renewed/$DOMAIN ]]; then + domain_renew "$DOMAIN" + fi +done + +if [[ $1 == "force" ]]; then + echo "md-renewed-install.service Looking for our already installed domains: ${MYDOMAINS[*]}" + for f in ${MOD_MD_DIR}/domains/*; do + if [[ ! -d $f ]]; then + continue + fi + + DOMAIN=$(basename $f) + + echo "md-renewed-install.service Checking already installed domain $DOMAIN" + + if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then + touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN + fi if [[ -d /etc/md-renewed/$DOMAIN ]]; then domain_renew "$DOMAIN" fi - - for i in ${MYDOMAINS[@]}; do - if [[ $DOMAIN == $i ]]; then - echo "md-renewed-install.service $DOMAIN is our." - HTTPD_RELOAD=y - fi - done - fi -done - -echo "md-renewed-install.service Looking for our already installed domains: ${MYDOMAINS[*]}" -for f in ${MOD_MD_DIR}/domains/*; do - if [[ ! -d $f ]]; then - continue - fi - - DOMAIN=$(basename $f) - echo "md-renewed-install.service Checking already installed domain $DOMAIN" - - if [[ ! -f $MD_RENEWED_INSTALLED_TARGET/$DOMAIN ]]; then - touch $MD_RENEWED_INSTALLED_TARGET/$DOMAIN - - if [[ -d /etc/md-renewed/$DOMAIN ]]; then - domain_renew "$DOMAIN" - fi - - for i in ${MYDOMAINS[@]}; do - if [[ $DOMAIN == $i ]]; then - echo "md-renewed-install.service Already installed $DOMAIN is our." - HTTPD_RELOAD=y - fi - done - fi -done - -if [[ $HTTPD_RELOAD == y ]]; then - echo "md-renewed-install.service Restarting apache." - sleep $[ ( $RANDOM % 60 ) + 1 ]s - /usr/bin/systemctl reload httpd + done fi exit 0 \ No newline at end of file 
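Review bot: The log line `echo "md-renewed-install.service Looking for our already installed domains: ${MYDOMAINS[*]}"` still advertises MYDOMAINS, but the loops comparing `$DOMAIN` against `${MYDOMAINS[@]}` were removed in this hunk, so the `force` branch now processes every directory under `${MOD_MD_DIR}/domains` regardless of MYDOMAINS; either restore the filter or reword the message to say what the loop actually does. `DOMAIN=$(basename $f)` should quote its argument, `DOMAIN=$(basename -- "$f")`, since the value is taken straight from directory names that this script does not control. The first `for` loop over `${MD_RENEWED_INSTALLING_TARGET}/*` starts outside the hunk.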
diff --git a/md-renewed-install.path b/md-renewed-install.path deleted file mode 100644 index be3a875..0000000 --- a/md-renewed-install.path +++ /dev/null @@ -1,13 +0,0 @@ -[Path] -PathExistsGlob=/var/lib/httpd/md-renewed/installing/* -Unit=md-renewed-install.service -MakeDirectory=true -DirectoryMode=0777 - -[Unit] -BindsTo=httpd.service -After=httpd.service - -[Install] -WantedBy=multi-user.target - diff --git a/md-renewed-install.service b/md-renewed-install.service index 68a3c5f..4df894c 100644 --- a/md-renewed-install.service +++ b/md-renewed-install.service @@ -1,6 +1,7 @@ [Unit] Description=The Apache HTTP Server reloader After=network.target +Wants=md-renewed-install.timer [Service] Type=oneshot diff --git a/md-renewed-install.timer b/md-renewed-install.timer new file mode 100644 index 0000000..3d94399 --- /dev/null +++ b/md-renewed-install.timer @@ -0,0 +1,11 @@ +[Unit] +BindsTo=httpd.service +After=httpd.service + +[Timer] +Unit=md-renewed-install.service +OnUnitActiveSec=5min + +[Install] +WantedBy=timers.target + diff --git a/md-renewed.conf b/md-renewed.conf index b27a4fe..6c1acae 100644 --- a/md-renewed.conf +++ b/md-renewed.conf @@ -1,5 +1,7 @@ MOD_MD_DIR=/var/lib/httpd/md MD_RENEWED_DIR=/var/lib/httpd/md-renewed MD_RENEWED_HOST_DIR= +MD_USER=apache +MD_GROUP=apache diff --git a/md-renewed.spec b/md-renewed.spec index 5f8ad07..56d8c03 100644 --- a/md-renewed.spec +++ b/md-renewed.spec @@ -1,5 +1,5 @@ Name: md-renewed -Version: 1.3.4 +Version: 1.4.3 Release: 1%{?dist} Summary: Restart service on Apache module mod_md certificate renewal License: MIT 
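Review bot: The new md-renewed-install.timer fires only on `OnUnitActiveSec=5min`, which systemd measures from the last activation of md-renewed-install.service, so on a host where that service has never been started the timer never elapses and the `installing` directory is never processed, whereas the deleted .path unit reacted to the directory directly. Adding a boot- or activation-relative trigger, e.g. `OnBootSec=5min` or `OnActiveSec=1min`, guarantees the first run, after which `OnUnitActiveSec=` keeps the 5-minute cadence. md-renewed.timer further down has the same shape and needs the same addition.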
@@ -9,14 +9,18 @@ BuildArch: noarch Source0: md-renewed Source1: md-message + Source2: md-renewed.path Source3: md-renewed.service +Source4: md-renewed.timer + Source5: md-renewed-install -Source6: md-renewed-install.path +Source6: md-renewed-install.timer Source7: md-renewed-install.service Source10: md-renewed-httpd.conf Source11: md-renewed.conf + Source20: example.service Source21: example.cert Source22: example.sh @@ -41,6 +45,7 @@ Restart service on Apache module mod_md certificate renewal %{__install} -d -m 0755 %{buildroot}%{_unitdir} %{__install} -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/ %{__install} -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/ +%{__install} -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/ %{__install} -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/ %{__install} -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ @@ -66,15 +71,18 @@ Restart service on Apache module mod_md certificate renewal %post %systemd_post md-renewed.path -%systemd_post md-renewed-install.path +%systemd_post md-renewed.timer +%systemd_post md-renewed-install.timer %preun %systemd_preun md-renewed.path -%systemd_preun md-renewed-install.path +%systemd_preun md-renewed.timer +%systemd_preun md-renewed-install.timer %postun %systemd_postun md-renewed.path -%systemd_postun md-renewed-install.path +%systemd_postun md-renewed.timer +%systemd_postun md-renewed-install.timer %clean %{__rm} -rf %{buildroot} @@ -93,7 +101,8 @@ Restart service on Apache module mod_md certificate renewal %{_unitdir}/md-renewed.service %{_unitdir}/md-renewed-install.service %{_unitdir}/md-renewed.path -%{_unitdir}/md-renewed-install.path +%{_unitdir}/md-renewed.timer +%{_unitdir}/md-renewed-install.timer %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/ %dir %attr(-, root, apache) %{_sharedstatedir}/httpd/md-renewed/errored diff --git a/md-renewed.timer b/md-renewed.timer new file mode 100644 index 0000000..7f79cc4 --- /dev/null +++ b/md-renewed.timer 
@@ -0,0 +1,11 @@
+[Unit]
+BindsTo=httpd.service
+After=httpd.service
+
+[Timer]
+Unit=md-renewed.service
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
+