Slackware/configs
1
0
Fork 0
Code Releases Wiki Activity

Add dehydrated config.

Browse source
This commit is contained in:
Darren 'Tadgy' Austin 2022-08-24 22:05:39 +01:00
commit 1a8798d2bf
5 changed files with 626 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
dehydrated/cron.d/dehydrated Normal file
View file

@ -0,0 +1 @@
25 3 * * * /usr/bin/dehydrated -c >/dev/null

147
dehydrated/dehydrated/config Normal file
View file

@ -0,0 +1,147 @@
# This is the main config file for dehydrated.
# This file is looked for in the following locations:
# $SCRIPTDIR/config (next to this script)
# /usr/local/etc/dehydrated/config
# /etc/dehydrated/config
# ${PWD}/config (in current working-directory)
# Which user should dehydrated run as? This will be implictly enforced when running as root.
# Default: <unset>
#DEHYDRATED_USER=""
# Which group should dehydrated run as? This will be implictly enforced when running as root.
# Default: <unset>
#DEHYDRATED_GROUP=""
# Resolve names to addresses of IP version only, for curl.
# Supported values: 4, 6.
# Default: <unset>
#IP_VERSION=""
# Path to certificate authority.
# Default: https://acme-v02.api.letsencrypt.org/directory
#CA="https://acme-v02.api.letsencrypt.org/directory"
# Use staging server for testing:
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
# Path to old certificate authority.
# Set this value to your old CA when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
# Default: https://acme-v01.api.letsencrypt.org/directory
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
# Which challenge should be used?
# Supported values: http-01, dns-01, tls-alpn-01.
# Default: http-01
#CHALLENGETYPE="http-01"
# Path to a directory containing additional config files.
# This allows overriding the defaults found in the main configuration file.
# Additional config files in this directory must be named with a '.sh' ending.
# Default: <unset>
#CONFIG_D=""
# Base directory for account key, generated certificates and list of domains.
# Default: $SCRIPTDIR
BASEDIR="/etc/dehydrated"
# File containing the list of domains for which to request certificates.
# Default: $BASEDIR/domains.txt
DOMAINS_TXT="${BASEDIR}/domains"
# Directory for per-domain configuration files.
# If not set, per-domain configurations are sourced from each certificates output directory.
# Default: <unset>
DOMAINS_D="${BASEDIR}/domains.d"
# Output directory for generated certificates.
# Default: ${BASEDIR}/certs
#CERTDIR="${BASEDIR}/certs"
# Output directory for alpn verification certificates.
# Default: ${BASEDIR}/alpn-certs
#ALPNCERTDIR="${BASEDIR}/alpn-certs"
# Directory for account keys and registration information.
# Default: ${BASEDIR}/accounts
#ACCOUNTDIR="${BASEDIR}/accounts"
# Output directory for challenge-tokens to be served by webserver, or deployed in $HOOK.
# Default: /var/www/dehydrated
WELLKNOWN="/srv/www/dehydrated"
# Default keysize for private keys.
# Default: 4096
#KEYSIZE="4096"
# Path to openssl config file.
# To try and figure out the system default, leave this unset.
# Default: <unset>
#OPENSSL_CNF=""
# Path to OpenSSL binary.
# Default: openssl
#OPENSSL="openssl"
# Extra options passed to the curl binary.
# Default: <unset>
#CURL_OPTS=""
# Program or function called at certain stages of processing.
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program.
# Default: <unset>
HOOK="${BASEDIR}/hooks/default.sh"
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate?
# Default: no
#HOOK_CHAIN="no"
# Minimum days before expiration to automatically renew certificate.
# Default: 30
#RENEW_DAYS="30"
# Regenerate private keys instead of just signing new certificates on renewal?
# Default: yes
PRIVATE_KEY_RENEW="no"
# Create an extra private key for rollover?
# Default: no
#PRIVATE_KEY_ROLLOVER="no"
# Which public key algorithm should be used?
# Supported: rsa, prime256v1, secp384r1.
# Default: rsa
#KEY_ALGO="rsa"
# E-mail to use during the registration.
# Default: <unset>
CONTACT_EMAIL="sysadmin@slackware.network"
# Lockfile location, to prevent concurrent execution.
# Default: $BASEDIR/lock
LOCKFILE="/run/dehydrated.lock"
# Option to add CSR-flag indicating OCSP stapling to be mandatory.
# Default: no
#OCSP_MUST_STAPLE="no"
# Fetch OCSP responses.
# Default: no
#OCSP_FETCH="no"
# OCSP refresh interval, in days.
# Default: 5
#OCSP_DAYS="5"
# Issuer chain cache directory.
# Default: $BASEDIR/chains
#CHAINCACHE="${BASEDIR}/chains"
# Automatic cleanup?
# Default: no
AUTO_CLEANUP="yes"
# ACME API version.
# Default: auto
#API=auto

30
dehydrated/dehydrated/domains Normal file
View file

@ -0,0 +1,30 @@
# Create certificate for 'example.org' with an alternative name of
# 'www.example.org'. It will be stored in the directory ${CERT_DIR}/example.org
#example.org www.example.org
# Create certificate for 'example.com' with alternative names of
# 'www.example.com' & 'wiki.example.com'. It will be stored in the directory
# ${CERT_DIR}/example.com
#example.com www.example.com wiki.example.com
# Using the alias 'certalias' create certificate for 'example.net' with
# alternate name 'www.example.net' and store it in the directory
# ${CERTDIR}/certalias
#example.net www.example.net > certalias
# Using the alias 'service_example_com' create a wildcard certificate for
# '*.service.example.com' and store it in the directory
# ${CERTDIR}/service_example_com
# NOTE: It is NOT a certificate for 'service.example.com'
#*.service.example.com > service_example_com
# Using the alias 'star_service_example_org' create a wildcard certificate for
# '*.service.example.org' with an alternative name of `service.example.org'
# and store it in the directory ${CERTDIR}/star_service_example_org
# NOTE: It is a certificate for 'service.example.org'
#*.service.example.org service.example.org > star_service_example_org
# Create a certificate for 'service.example.net' with an alternative name of
# '*.service.example.net' (which is a wildcard domain) and store it in the
# directory ${CERTDIR}/service.example.net
#service.example.net *.service.example.net

48
dehydrated/dehydrated/domains.d/_example_ Normal file
View file

@ -0,0 +1,48 @@
# The settings in this file can be used to override those in the global config file in /etc/dehydrated
# Which challenge should be used?
# Supported values: http-01, dns-01, tls-alpn-01.
# Default: http-01
#CHALLENGETYPE="http-01"
# Default keysize for private keys.
# Default: 4096
#KEYSIZE="4096"
# Program or function called at certain stages of processing.
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program.
# Default: <unset>
#HOOK=""
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate?
# Default: no
#HOOK_CHAIN="no"
# Minimum days before expiration to automatically renew certificate.
# Default: 30
#RENEW_DAYS="30"
# Regenerate private keys instead of just signing new certificates on renewal?
# Default: yes
# PRIVATE_KEY_RENEW="yes"
# Create an extra private key for rollover?
# Default: no
#PRIVATE_KEY_ROLLOVER="no"
# Which public key algorithm should be used?
# Supported: rsa, prime256v1, secp384r1.
# Default: rsa
KEY_ALGO="prime256v1"
# Option to add CSR-flag indicating OCSP stapling to be mandatory.
# Default: no
#OCSP_MUST_STAPLE="no"
# Fetch OCSP responses.
# Default: no
#OCSP_FETCH="no"
# OCSP refresh interval, in days.
# Default: 5
#OCSP_DAYS="5"

400
dehydrated/dehydrated/hooks/default.sh Executable file
View file

@ -0,0 +1,400 @@
#!/usr/bin/env bash
# Copyright (c) 2022:
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
# Licensed under the terms of the GNU General Public License version 3.
#
# This file contains the default hook functions for dehydrated - these functions will be used when there is no overriding certificate specific hooks file.
# All but startup_hook and ext_hook can be overridden by a hooks script on a per certificate basis.
#
# Get the mail configuration.
source /etc/mail.conf "dehydrated" || exit 1
# Write a message to syslog, and send a copy via email.
notify() {
local LEVEL="$1" MESSAGE="$2"
local FACILITY="cron" TAG="dehydrated"
local LINE INDENT LOG_PREFIX="${LOG_PREFIX:-Certificate renewal} $LEVEL"
case "$LEVEL" in
'error') local PRIORITY="err" ;;
'warning') local PRIORITY="warn" ;;
'information') local PRIORITY="info" ;;
esac
while read LINE; do
logger --id="$$" -p "$FACILITY.$PRIORITY" -t "$TAG" <<<"${INDENT:-$LOG_PREFIX:} $LINE"
INDENT=" "
done <<<"$MESSAGE"
mailx "${MAILX_ARGS[@]}" -r "$EMAIL_FROM" -s "$LOG_PREFIX" "${EMAIL_TO[@]}" <<<"$MESSAGE"
return 0
}
deploy_challenge() {
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
# This hook is called once for every domain that needs to be
# validated, including any alternative names you may have listed.
#
# Parameters:
# - DOMAIN
# The domain name (CN or subject alternative name) being
# validated.
# - TOKEN_FILENAME
# The name of the file containing the token to be served for HTTP
# validation. Should be served by your web server as
# /.well-known/acme-challenge/${TOKEN_FILENAME}.
# - TOKEN_VALUE
# The token value that needs to be served for validation. For DNS
# validation, this is what you want to put in the _acme-challenge
# TXT record. For HTTP validation it is the value that is expected
# be found in the $TOKEN_FILENAME file.
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
}
clean_challenge() {
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
# This hook is called after attempting to validate each domain,
# whether or not validation was successful. Here you can delete
# files or DNS records that are no longer needed.
#
# The parameters are the same as for deploy_challenge.
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
}
sync_cert() {
local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
# This hook is called after the certificates have been created but before
# they are symlinked. This allows you to sync the files to disk to prevent
# creating a symlink to empty files on unexpected system crashes.
#
# This hook is not intended to be used for further processing of certificate
# files, see deploy_cert for that.
#
# Parameters:
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
# - REQUESTFILE
# The path of the file containing the certificate signing request.
# Simple example: sync the files before symlinking them
# sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
}
deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
# This hook is called once for each certificate that has been
# produced. Here you might, for instance, copy your new certificates
# to service-specific locations and reload the service.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
# - TIMESTAMP
# Timestamp when the specified certificate was created.
# Override the default log line/mail subject prefix.
local LOG_PREFIX="Certificate deployment"
# Where the copies of the current certificates/keys should be placed.
local CERTDIR="/etc/certificates"
# If any of the files are symlinks, bail out - we don't want to clobber something.
for FILE in "$CERTDIR/$DOMAIN-"{cert,key,chain,fullchain}.pem; do
[[ -e "$FILE" ]] && [[ -L "$FILE" ]] && {
notify "error" "Will not copy to symlink '$FILE' during '$DOMAIN' certificate deployment."
# Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
return 0
}
done
# The first time through this will create the files readable by root only, but better to err on the side of caution.
# Subsequent runs will retain whatever permissions were set by the admin after the first run.
umask 066
cat "$CERTFILE" >"$CERTDIR/$DOMAIN-cert.pem" && cat "$KEYFILE" >"$CERTDIR/$DOMAIN-key.pem" && \
cat "$CHAINFILE" >"$CERTDIR/$DOMAIN-chain.pem" && cat "$FULLCHAINFILE" >"$CERTDIR/$DOMAIN-fullchain.pem" || {
notify "error" "Failed to copy certificates/keys during '$DOMAIN' certificate deployment."
# Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
return 0
}
# Set a marker (used in the exit_hook function) to signal that services should be restarted at the end of deployments.
touch /run/dehydrated-reload-marker || {
notify "error" "Failed to create reload marker during '$DOMAIN' certificate deployment."
# Return 0 so that dehydrated doesn't stop - there may be some more certificates to renew.
return 0
}
# Notify the sysadmin of the sucessful renewal.
notify "information" "Sucessful renewal and deployment of certificate for '$DOMAIN'."
return 0
}
deploy_ocsp() {
local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
# This hook is called once for each updated ocsp stapling file that has
# been produced. Here you might, for instance, copy your new ocsp stapling
# files to service-specific locations and reload the service.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - OCSPFILE
# The path of the ocsp stapling file
# - TIMESTAMP
# Timestamp when the specified ocsp stapling file was created.
# Simple example: Copy file to nginx config
# cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
# systemctl reload nginx
}
unchanged_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
# This hook is called once for each certificate that is still
# valid and therefore wasn't reissued.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
}
invalid_challenge() {
local DOMAIN="${1}" RESPONSE="${2}"
# This hook is called if the challenge response has failed, so domain
# owners can be aware and act accordingly.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - RESPONSE
# The response that the verification server returned
# Notify the sysadmin.
notify "error" "Validation of '$DOMAIN' failed:"$'\n'"$RESPONSE"
return 0
}
request_failure() {
local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
# This hook is called when an HTTP request fails (e.g., when the ACME
# server is busy, returns an error, etc). It will be called upon any
# response code that does not start with '2'. Useful to alert admins
# about problems with requests.
#
# Parameters:
# - STATUSCODE
# The HTML status code that originated the error.
# - REASON
# The specified reason for the error.
# - REQTYPE
# The kind of request that was made (GET, POST...)
# Notify the sysadmin.
notify "error" "HTTP $REQTYPE request failed for '$DOMAIN' with code $STATUSCODE."$'\n'"Reason: $REASON."$'\n'"Headers:"$'\n'"$HEADERS"
return 0
}
generate_csr() {
local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
# This hook is called before any certificate signing operation takes place.
# It can be used to generate or fetch a certificate signing request with external
# tools.
# The output should be just the cerificate signing request formatted as PEM.
#
# Parameters:
# - DOMAIN
# The primary domain as specified in domains.txt. This does not need to
# match with the domains in the CSR, it's basically just the directory name.
# - CERTDIR
# Certificate output directory for this particular certificate. Can be used
# for storing additional files.
# - ALTNAMES
# All domain names for the current certificate as specified in domains.txt.
# Again, this doesn't need to match with the CSR, it's just there for convenience.
# Simple example: Look for pre-generated CSRs
# if [ -e "${CERTDIR}/pre-generated.csr" ]; then
# cat "${CERTDIR}/pre-generated.csr"
# fi
}
startup_hook() {
# This hook is called before the cron command to do some initial tasks
# (e.g. starting a webserver).
# Override the default log line/mail subject prefix.
local LOG_PREFIX="Dehydrated startup"
# Start thttpd if it's not running and its rc file is executable.
[[ -x /etc/rc.d/rc.thttpd ]] && {
if ! pgrep -c -F /run/thttpd.pid thttpd >/dev/null 2>&1; then
/etc/rc.d/rc.thttpd start >/dev/null 2>&1
sleep 1
if pgrep -c -F /run/thttpd.pid thttpd >/dev/null 2>&1; then
# Set a marker (used in the exit_hook function) to signal that thttpd should be stopped at the end of deployments.
touch /run/dehydrated-thttpd-stop-marker || notify "warning" "Failed to create thttpd stop marker - thttpd will be left running."
# Add firewall rules to allow http traffic.
iptables -I INPUT 1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT && \
ip6tables -I INPUT 1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT || {
notify "error" "Failed to insert firewall rules to allow validation."
return 1
}
else
notify "error" "Failure of 'rc.thttpd start'."
return 1
fi
else
notify "warning" "thttpd is already running - will not be shutdown at exit."
fi
}
return 0
}
exit_hook() {
local ERROR="${1}"
# This hook is called at the end of the cron command and can be used to
# do some final (cleanup or other) tasks.
#
# Parameters:
# - ERROR
# Contains error message if dehydrated exits with error
# Override the default log line/mail subject prefix.
local LOG_PREFIX="Dehydrated shutdown"
# Stop thttpd if it was started in startup_hook.
[[ -e /run/dehydrated-thttpd-stop-marker ]] && {
# Stop thttpd.
if [[ -x /etc/rc.d/rc.thttpd ]]; then
/etc/rc.d/rc.thttpd stop >/dev/null 2>&1
sleep 1
pgrep -c -F /run/thttpd.pid thttpd >/dev/null 2>&1 && notify "error" "Failed to stop thttpd."
else
notify "error" "'rc.thttpd' not executable, but thttp stop marker eexists - not stopped."
fi
# Delete firewall rules which allow http traffic.
iptables -D INPUT -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT && \
ip6tables -D INPUT -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT || \
notify "warning" "Failed to delete firewall rules added for validation."
# Remove the stop marker.
rm -f /run/dehydrated-thttpd-stop-marker || notify "error" "Failed to remove thttpd stop marker."
}
# If the marker was set by deploy_cert(), restart services.
[[ -e /run/dehydrated-reload-marker ]] && {
# Restart Apache httpd if it's running and its rc file is executable.
pgrep -c -F /run/httpd.pid httpd >/dev/null 2>&1 && {
if [[ -x /etc/rc.d/rc.httpd ]]; then
if [[ -x /usr/sbin/apachectl ]]; then
if /usr/sbin/apachectl configtest >/dev/null 2>&1; then
# A rc.httpd restart often craps out because Apache can take time to exit. Do a stop/start instead.
/etc/rc.d/rc.httpd stop >/dev/null 2>&1
local TIMER=0 MAXTRIES=30
while pgrep -c httpd >/dev/null 2>&1; do
sleep 1
(( TIMER == MAXTRIES )) && break
(( TIMER++ ))
done
if (( TIMER != MAXTRIES )); then
/etc/rc.d/rc.httpd start >/dev/null 2>&1 || notify "error" "'rc.httpd start' failed - httpd in uncertain state."
else
notify "error" "failed to stop httpd after ${MAXTRIES}s - httpd in uncertain state."
fi
else
notify "warning" "'apachectl configtest' failed - not restarted."
fi
else
notify "warning" "'apachectl' not executable, but httpd is running - not restarted."
fi
else
notify "warning" "'rc.httpd' not executable, but httpd is running - not restarted."
fi
}
# Restart proftpd if it's running and its rc file is executable.
pgrep -c -F /run/proftpd.pid proftpd >/dev/null 2>&1 && {
if [[ -x /etc/rc.d/rc.proftpd ]]; then
if [[ -x /usr/sbin/proftpd ]]; then
if /usr/sbin/proftpd -t >/dev/null 2>&1; then
/etc/rc.d/rc.proftpd restart >/dev/null 2>&1 || notify "error" "'rc.proftpd restart' failed - proftpd in uncertain state."
else
notify "warning" "'proftpd -t' failed - not restarted."
fi
else
notify "warning" "'proftpd' binary not executable, but ftpd is running - not restarted."
fi
else
notify "warning" "'rc.proftpd' not executable, but ftpd is running - not restarted."
fi
}
# Remove the restart marker.
rm /run/dehydrated-reload-marker || notify "error" "Failed to remove reload marker."
}
return 0
}
HANDLER="$1"; shift
if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
"$HANDLER" "$@"
fi