acme: use the hotplug system

Signed-off-by: Glen Huang <[email protected]>

net/acme-acmesh/Makefile

@@ -0,0 +1,69 @@
+#
+# Copyright (C) 2016 Toke Høiland-Jørgensen
+#
+# This is free software, licensed under the GNU General Public License v3 or
+# later.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=acme-acmesh
+PKG_VERSION:=3.0.1
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
+PKG_HASH:=6212cc0c2bca99a7dd6cbb4236b4c7dd5d1113dab0841e66dae4d307d902a8e6
+PKG_BUILD_DIR:=$(BUILD_DIR)/acme.sh-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Toke Høiland-Jørgensen <[email protected]>
+PKG_LICENSE:=GPL-3.0-only
+PKG_LICENSE_FILES:=LICENSE.md
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/acme-acmesh
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+acme-common +wget-ssl +ca-bundle +openssl-util +socat
+  TITLE:=ACME client acme.sh wrapper script
+  URL:=https://acme.sh
+  PKGARCH:=all
+  PROVIDES:=acme-client
+endef
+
+define Package/acme-acmesh/description
+A client for issuing ACME (e.g, Letsencrypt) certificates.
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/acme-acmesh/install
+	$(INSTALL_DIR) $(1)/usr/lib/acme/client
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/acme.sh $(1)/usr/lib/acme/client
+	$(INSTALL_BIN) ./files/hook.sh $(1)/usr/lib/acme/hook
+endef
+
+define Package/acme-acmesh-dnsapi
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+acme
+  TITLE:=DNS API integration for ACME (Letsencrypt) client
+  PKGARCH:=all
+endef
+
+define Package/acme-acmesh-dnsapi/description
+ This package provides DNS API integration for ACME (Letsencrypt) client.
+endef
+
+define Package/acme-acmesh-dnsapi/install
+	$(INSTALL_DIR) $(1)/usr/lib/acme/client/dnsapi
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/dnsapi/*.sh $(1)/usr/lib/acme/client/dnsapi
+endef
+
+$(eval $(call BuildPackage,acme-acmesh))
+$(eval $(call BuildPackage,acme-acmesh-dnsapi))

net/acme-acmesh/files/hook.sh

@@ -0,0 +1,125 @@
+#!/bin/sh
+set -u
+ACME=/usr/lib/acme/acme.sh
+LOG_TAG=acme-acmesh
+# webroot option deprecated, use the hardcoded value directly in the next major version
+WEBROOT=${webroot:-/var/run/acme/challenge}
+
+# shellcheck source=net/acme/files/functions.sh
+. /usr/lib/acme/functions.sh
+
+# Needed by acme.sh
+export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+export NO_TIMESTAMP=1
+
+cmd="$1"
+
+case $cmd in
+get)
+	set --
+	[ "$debug" = 1 ] && set -- "$@" --debug
+
+	case $keylength in
+	ec-*)
+		domain_dir="$state_dir/${main_domain}_ecc"
+		set -- "$@" --ecc
+		;;
+	*)
+		domain_dir="$state_dir/$main_domain"
+		;;
+	esac
+
+	log info "Running ACME for $main_domain"
+
+	if [ -e "$domain_dir" ]; then
+		if [ "$staging" = 0 ] && grep -q "acme-staging" "$domain_dir/$main_domain.conf"; then
+			mv "$domain_dir" "$domain_dir.staging"
+			log info "Certificates are previously issued from a staging server, but staging option is diabled, moved to $domain_dir.staging."
+			staging_moved=1
+		else
+			set -- "$@" --renew --home "$state_dir" -d "$main_domain"
+			log info "$*"
+			trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
+			"$ACME" "$@"
+			status=$?
+			trap - INT
+
+			case $status in
+			0) ;; # renewed ok, handled by acme.sh hook, ignore.
+			2) ;; # renew skipped, ignore.
+			*)
+				ACTION=renew-failed hotplug-call acme
+				;;
+			esac
+			return 0
+		fi
+	fi
+
+	for d in $domains; do
+		set -- "$@" -d "$d"
+	done
+	set -- "$@" --keylength "$keylength" --accountemail "$account_email"
+
+	if [ "$acme_server" ]; then
+		set -- "$@" --server "$acme_server"
+	# default to letsencrypt because the upstream default may change
+	elif [ "$staging" = 1 ]; then
+		set -- "$@" --server letsencrypt_test
+	else
+		set -- "$@" --server letsencrypt
+	fi
+
+	if [ "$days" ]; then
+		set -- "$@" --days "$days"
+	fi
+
+	if [ "$dns" ]; then
+		set -- "$@" --dns "$dns"
+		if [ "$dalias" ]; then
+			set -- "$@" --domain-alias "$dalias"
+			if [ "$calias" ]; then
+				log err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
+			fi
+		elif [ "$calias" ]; then
+			set -- "$@" --challenge-alias "$calias"
+		fi
+	elif [ "$standalone" = 1 ]; then
+		set -- "$@" --standalone --listen-v6
+	else
+		mkdir -p "$WEBROOT"
+		set -- "$@" --webroot "$WEBROOT"
+	fi
+
+	set -- "$@" --issue --home "$state_dir"
+
+	log info "$*"
+	trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+	"$ACME" "$@" \
+		--pre-hook 'ACTION=prepare hotplug-call acme' \
+		--renew-hook 'ACTION=renewed hotplug-call acme'
+	status=$?
+	trap - INT
+
+	case $status in
+	0)
+		ln -s "$domain_dir/$main_domain.cer" /etc/ssl/acme
+		ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
+		ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
+		ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
+		ACTION=issued hotplug-call acme
+		;;
+	*)
+		if [ "$staging_moved" = 1 ]; then
+			mv "$domain_dir.staging" "$domain_dir"
+			log err "Staging certificate restored"
+		elif [ -d "$domain_dir" ]; then
+			failed_dir="$domain_dir.failed-$(date +%s)"
+			mv "$domain_dir" "$failed_dir"
+			log err "State moved to $failed_dir"
+		fi
+		ACTION=issue-failed hotplug-call acme
+		return 0
+		;;
+	esac
+	;;
+esac

net/acme-common/Makefile

@@ -0,0 +1,67 @@
+#
+# Copyright (C) 2016 Toke Høiland-Jørgensen
+#
+# This is free software, licensed under the GNU General Public License v3 or
+# later.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=acme-common
+PKG_VERSION:=1.0.0
+
+PKG_MAINTAINER:=Toke Høiland-Jørgensen <[email protected]>
+PKG_LICENSE:=GPL-3.0-only
+PKG_LICENSE_FILES:=LICENSE.md
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/acme-common
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=ACME client wrapper common files
+  PKGARCH:=all
+endef
+
+define Package/acme-common/description
+ACME client wrapper common files.
+endef
+
+define Package/acme-common/conffiles
+/etc/config/acme
+/etc/acme
+/etc/ssl/acme
+endef
+
+define Package/acme-common/install
+	$(INSTALL_DIR) $(1)/etc/acme
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
+	$(INSTALL_DIR) $(1)/usr/lib/acme
+	$(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+endef
+
+define Package/acme/postinst
+#!/bin/sh
+grep -q '/usr/bin/acme' /etc/crontabs/root 2>/dev/null && exit 0
+echo "0 0 * * * /usr/bin/acme get" >> /etc/crontabs/root
+endef
+
+define Package/acme-common/prerm
+#!/bin/sh
+sed -i '\|/usr/bin/acme|d' /etc/crontabs/root
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+$(eval $(call BuildPackage,acme-common))

net/acme/files/acme.config → net/acme-common/files/acme.config

@@ -6,15 +6,9 @@ config acme
 config cert 'example_wildcard'
 	option enabled 0
 	option use_staging 1
-	option keylength 2048
-	option update_uhttpd 1
-	option update_nginx 1
-	option update_haproxy 0
 	list domains example.org
 	list domains sub.example.org
 	list domains *.sub.example.org
-	# option user_setup "path-to-custom-setup.script"
-	# option user_cleanup "path-to-custom-cleanup.script"
 	option dns "dns_freedns"
 	list credentials 'FREEDNS_User="[email protected]"'
 	list credentials 'FREEDNS_Password="1234"'
@@ -24,12 +18,5 @@ config cert 'example_wildcard'
 config cert 'example'
 	option enabled 0
 	option use_staging 1
-	option keylength 2048
-	option update_uhttpd 1
-	option update_nginx 1
-	option update_haproxy 0
 	list domains example.org
 	list domains sub.example.org
-	option webroot ""
-	# option user_setup "path-to-custom-setup.script"
-	# option user_cleanup "path-to-custom-cleanup.script"

net/acme-common/files/acme.init

@@ -0,0 +1,9 @@
+#!/bin/sh /etc/rc.common
+
+START=80
+USE_PROCD=1
+
+service_triggers() {
+	procd_add_config_trigger config.change acme \
+		/usr/bin/acme get
+}