From 914c2a821d97c01b49b8070939383d5d7fd24fda Mon Sep 17 00:00:00 2001
From: Christopher Engelhard
Date: Feb 03 2021 15:54:11 +0000
Subject: move files out of subdir
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6aa4d44
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+acme.sh-2.8.6
+src
diff --git a/0001-fix-sudo-detection.patch b/0001-fix-sudo-detection.patch
new file mode 100644
index 0000000..b0e7d7e
--- /dev/null
+++ b/0001-fix-sudo-detection.patch
@@ -0,0 +1,23 @@
+diff -Naur a/acme.sh b/acme.sh
+--- a/acme.sh 2020-05-04 02:41:37.000000000 +0200
++++ b/acme.sh 2020-08-19 14:15:09.045969454 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env sh
++#!/usr/bin/sh
+
+ VER=2.8.6
+
+@@ -6415,10 +6415,10 @@
+ #it's root using sudo, no matter it's using sudo or not, just fine
+ return 0
+ fi
+- if [ "$SUDO_COMMAND" = "/bin/su" ] || [ "$SUDO_COMMAND" = "/bin/bash" ]; then
++ if [ -n "$SUDO_COMMAND" ]; then
+ #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
+- #fine
+- return 0
++ _endswith "$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
++ return $?
+ fi
+ #otherwise
+ return 1
diff --git a/2.8.6.tar.gz b/2.8.6.tar.gz
new file mode 100644
index 0000000..810807a
Binary files /dev/null and b/2.8.6.tar.gz differ
diff --git a/CHANGELOG b/CHANGELOG
index 2d13e5c..1591f59 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,2 +1 @@
-The changelog for the packages can be found at the end of their
-respective spec files '/.spec'.
+The changelog can be found at the end of acme-sh.spec
diff --git a/README-fedora.md b/README-fedora.md
new file mode 100644
index 0000000..2f9f7cb
--- /dev/null
+++ b/README-fedora.md
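Review bot: In 0001-fix-sudo-detection.patch, the added `grep "^$SUDO_COMMAND\$" /etc/shells` places the environment variable inside a regular expression, so `.` and other metacharacters in its value match more than the literal path. A fixed-string, whole-line match says exactly what is meant: `grep -Fxq -- "$SUDO_COMMAND" /etc/shells`. The `_endswith "$SUDO_COMMAND" /bin/su` test on the same line also accepts any path that merely ends in `/bin/su`; comparing against the expected absolute paths would be tighter. The function being patched starts and ends outside the inner hunk.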
@@ -0,0 +1,25 @@
+# Fedora-specific information
+
+## System-wide use
+Acme.sh by default expects to be run without root privileges from the user's home directory.
+
+This package provides a systemd timer `%{name}.timer` for automatically renewing systemwide certificates
+from the root account. By default, it uses %{_sharedstatedir}/%{binname} for
+configuration and %{_sharedstatedir}/%{binname}/certs for certificates. These values can
+be changed by editing %{_sysconfdir}/sysconfig/%{binname}.
+
+To interact with the systemwide %{binname}, either source & export the variables from that
+file, or start %{binname} using `%{binname}-system` from a root shell (NOT with
+`sudo %{binname}`), which performs the source & export steps automatically.
+
+## Auto-renewal of user-generated certificates
+For convenience, this package also ships a systemd user timer to automate certificate
+renewal for non-root users. This can be activated using `systemctl --user [enable|start} %{name}.timer`.
+If you're using non-default paths for your %{binname} config, you can set these by setting the
+appropriate environment variables in `~/.config/environment.d/%{binname}.conf`. You can use
+%{_sysconfdir}/sysconfig/%{binname} as a template for this file.
+
+## Bugs & issues
+Please report any issues regarding the use of these systemd units to Fedora's bugtracker
+https://bugzilla.redhat.com, not to the %{binname} developer's issue tracker, as these
+units are only part of the Fedora package.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..28f5157
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# acme.sh-rpm
+
+RPM packaging for acme.sh
\ No newline at end of file
diff --git a/acme-sh.rpmlintrc b/acme-sh.rpmlintrc
new file mode 100644
index 0000000..9440ec4
--- /dev/null
+++ b/acme-sh.rpmlintrc
@@ -0,0 +1,4 @@
+# ignore spurios spelling errors
+addFilter("spelling-error .*(wildcard|usr|md).*")
+# acme.sh unfortunately has no manpage
+addFilter("no-manual-page-for-binary .*acme.sh.*")
diff --git a/acme-sh.service b/acme-sh.service
new file mode 100644
index 0000000..9ef6dc3
--- /dev/null
+++ b/acme-sh.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Automatically renew certificates using %{binname}
+
+[Service]
+EnvironmentFile=%{_sysconfdir}/sysconfig/%{binname}
+Type=oneshot
+ExecStart=%{_bindir}/%{binname} --renew-all $ACME_SH_EXTRAOPTS
+# %{binname} returns 2 when renewal is skipped (i.e. certs up to date)
+SuccessExitStatus=0 2
diff --git a/acme-sh.spec b/acme-sh.spec
new file mode 100644
index 0000000..be0968a
--- /dev/null
+++ b/acme-sh.spec
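Review bot: The `[Service]` section of acme-sh.service sets no sandboxing directives, so the system instance runs the renewal script and whatever DNS-API, deploy or notify hooks it calls with unrestricted privileges while it handles certificate private keys. Directives such as `NoNewPrivileges=yes` and `PrivateTmp=yes` would narrow what a misbehaving hook can reach. The spec installs this same file as the user unit too, and deploy hooks may need to reload other services, so any hardening would have to be tested in both roles and may belong only in the system copy. A short comment above `ExecStart=` noting that `$ACME_SH_EXTRAOPTS` is split into separate arguments by systemd would also help whoever edits the sysconfig file.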
@@ -0,0 +1,152 @@
+%global binname acme.sh
+
+Name: acme-sh
+Version: 2.8.6
+Release: 4.1%{?dist}
+Summary: An ACME client written purely in POSIX Shell
+Url: https://github.com/acmesh-official/acme.sh
+License: GPLv3
+Source0: https://github.com/acmesh-official/%{binname}/archive/%{version}.tar.gz
+Source1: %{binname}.sysconfig
+Source2: %{name}.service
+Source3: %{name}.timer
+Source4: %{binname}-system
+Source5: README-fedora.md
+Patch1: 0001-fix-sudo-detection.patch
+
+BuildArch: noarch
+Requires: /usr/bin/sh
+%if "0%{?rhel}" >= "8" || 0%{?fedora}
+Requires: (curl or wget)
+%else
+Requires: curl
+%endif
+Requires: systemd
+%if "0%{?rhel}" >= "8" || 0%{?fedora}
+BuildRequires: systemd-rpm-macros
+%else
+BuildRequires: systemd
+%endif
+
+%description
+Acme.sh is an ACME client written purely in POSIX Shell language. It implements
+the full ACME protocol and supports both ACMEv1 and ACMEv2 as well as ACMEv2
+wildcard certificates.
+
+It can automatically issue, renew and install certificates and supports a
+wide variety of DNS provider APIs for DNS-01 challenges.
+
+#-- PREP, BUILD & INSTALL -----------------------------------------------------#
+%prep
+%autosetup -p1 -n %{binname}-%{version}
+
+# replace macros in source files
+sed -i -e "s|%%{_bindir}|%{_bindir}|g" \
+ -e "s|%%{_sbindir}|%{_sbindir}|g" \
+ -e "s|%%{_libexecdir}|%{_libexecdir}|g" \
+ -e "s|%%{_sysconfdir}|%{_sysconfdir}|g" \
+ -e "s|%%{_initddir}|%{_initddir}|g" \
+ -e "s|%%{_localstatedir}|%{_localstatedir}|g" \
+ -e "s|%%{_sharedstatedir}|%{_sharedstatedir}|g" \
+ -e "s|%%{_rundir}|%{_rundir}|g" \
+ -e "s|%%{_pkgdocdir}|%{_pkgdocdir}|g" \
+ -e "s|%%{_datadir}|%{_datadir}|g" \
+ -e "s|%%{name}|%{name}|g" \
+ -e "s|%%{binname}|%{binname}|g" \
+ %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5}
+
+# mangle shebangs
+find . -type f -name "*.sh" -exec sed -i 's\#!/usr/bin/env sh\#!/usr/bin/sh\g' {} +
+
+# move all documentation to buildir root
+mv deploy/README.md README-deploy.md
+mv dnsapi/README.md README-dnsapi.md
+cp %{SOURCE5} README-fedora.md
+
+%build
+# nothing to build
+
+%install
+# set up directory structure
+install -p -d -m 0755 %{buildroot}%{_bindir}
+install -p -d -m 0755 %{buildroot}%{_unitdir}
+install -p -d -m 0755 %{buildroot}%{_userunitdir}
+install -p -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
+install -p -d -m 0755 %{buildroot}%{_datadir}/%{binname}/
+install -p -d -m 0700 %{buildroot}%{_sharedstatedir}/%{binname}/
+
+# install upstream files
+install -p -d -m 0755 %{buildroot}%{_datadir}/%{binname}/deploy
+install -p -d -m 0755 %{buildroot}%{_datadir}/%{binname}/dnsapi
+install -p -d -m 0755 %{buildroot}%{_datadir}/%{binname}/notify
+install -p -m 0755 %{binname} %{buildroot}%{_datadir}/%{binname}/%{binname}
+install -m 0755 deploy/*.sh %{buildroot}%{_datadir}/%{binname}/deploy
+install -m 0755 dnsapi/*.sh %{buildroot}%{_datadir}/%{binname}/dnsapi
+install -m 0755 notify/*.sh %{buildroot}%{_datadir}/%{binname}/notify
+
+# install Fedora-specific files
+install -p -m 0755 %{SOURCE4} %{buildroot}%{_bindir}/%{binname}-system
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/%{binname}
+install -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}.timer
+install -p -m 0644 %{SOURCE2} %{buildroot}%{_userunitdir}/%{name}.service
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_userunitdir}/%{name}.timer
+
+# create link to executable in /usr/bin
+ln -sf %{_datadir}/%{binname}/%{binname} %{buildroot}%{_bindir}/%{binname}
+
+# don't source /etc/sysconfig/acme.sh in user unit
+sed -i '/EnvironmentFile/d' %{buildroot}%{_userunitdir}/%{name}.service
+
+#-- SCRIPTLETS -----------------------------------------------------------------#
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+#-- FILES ---------------------------------------------------------------------#
+%files
+%doc README.md
+%doc README-deploy.md
+%doc README-dnsapi.md
+%doc README-fedora.md
+%license LICENSE.md
+%{_bindir}/%{binname}
+%{_bindir}/%{binname}-system
+%{_datadir}/%{binname}/
+%{_unitdir}/%{name}.*
+%{_userunitdir}/%{name}.*
+%dir %attr(0700, root, -) %{_sharedstatedir}/%{binname}/
+%config(noreplace) %{_sysconfdir}/sysconfig/%{binname}
+
+#-- CHANGELOG -----------------------------------------------------------------#
+%changelog
+* Fri Aug 21 2020 Christopher Engelhard 2.8.6-4.1
+- add curl/wget dep, go back to testrelease
+
+* Fri Aug 21 2020 Christopher Engelhard 2.8.6-4
+- fix missing %%, $
+
+* Fri Aug 21 2020 Christopher Engelhard 2.8.6-3
+- add Fedora-specific documentation
+- add -system executable that mimics service environment
+- add user units for auto-renewal
+
+* Thu Aug 20 2020 Christopher Engelhard 2.8.6-2
+- remove leftover references to logrotate files
+
+* Thu Aug 20 2020 Christopher Engelhard 2.8.6-1
+- initial non-test release
+- specfile and directory cleanup, no functional changes
+
+* Thu Aug 20 2020 Christopher Engelhard 2.8.6-0.16
+- this is a test release
+- add patch to fix failed sudo detection when shell is not bash
+- mangle shebangs to remove /usr/bin/env
+- add /var/lib/acme.sh as global config dir
+- add systemd service/timer and sysconfig file to enable auto-renew
+ using the global config dir
diff --git a/acme-sh.timer b/acme-sh.timer
new file mode 100644
index 0000000..380b6a0
--- /dev/null
+++ b/acme-sh.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Automatically renew certificates using %{binname}
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/acme.sh-system b/acme.sh-system
new file mode 100644
index 0000000..b2e4e29
--- /dev/null
+++ b/acme.sh-system
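Review bot: Both `%if "0%{?rhel}" >= "8" || 0%{?fedora}` conditionals in acme-sh.spec compare quoted strings, and as strings `"08"` sorts before `"8"`, so the RHEL half is never true and EL8+ builds fall into the `%else` branch. The numeric form `%if 0%{?rhel} >= 8 || 0%{?fedora}` expresses what appears to be intended. Separately, the scriptlets pass only `%{name}.service` to `%systemd_post` and `%systemd_preun`, while the unit an administrator enables is `%{name}.timer`; naming the timer there as well (`%systemd_post %{name}.timer`) would let presets and removal cleanup apply to it.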
@@ -0,0 +1,18 @@
+#!/usr/bin/sh
+# launch %{binname} using the same environment
+# as the global systemd renewal service
+
+# set environment file
+ENVFILE="%{_sysconfdir}/sysconfig/%{binname}"
+
+# load vars from environment file and export them
+if [ -f "$ENVFILE" ]; then
+ set -o allexport
+ . "$ENVFILE"
+ set +o allexport
+fi
+
+# launch %{binname}
+sh %{_datadir}/%{binname}/%{binname} "$@" "$ACME_SH_EXTRARGS"
+
+exit $?
diff --git a/acme.sh.sysconfig b/acme.sh.sysconfig
new file mode 100644
index 0000000..bbfedbb
--- /dev/null
+++ b/acme.sh.sysconfig
@@ -0,0 +1,8 @@
+# set up environment for %{binname} when run systemwide
+
+# set default paths
+LE_WORKING_DIR="%{_datadir}/%{binname}"
+LE_CONFIG_HOME="%{_sharedstatedir}/%{binname}"
+CERT_HOME="%{_sharedstatedir}/%{binname}/certs"
+# set additional options
+#ACME_SH_EXTRAOPTS=
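Review bot: The launch line in acme.sh-system passes `"$ACME_SH_EXTRARGS"`, but acme.sh.sysconfig and acme-sh.service both use the name `ACME_SH_EXTRAOPTS`, so options configured there never reach this wrapper. Because the expansion is quoted, an empty string is also appended as an extra argument on every run. Using the shared name and letting it word-split as systemd does, `sh %{_datadir}/%{binname}/%{binname} "$@" $ACME_SH_EXTRAOPTS`, keeps the wrapper consistent with the service. Since the wrapper sources the sysconfig file from a root shell, a header comment stating that the file must stay writable by root only would document the assumption the spec's 0644 install mode relies on.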