Browse Source

acme: Support running in webroot mode, detect other daemons on port 80

For configurations where another web server is running on port 80, running
acme.sh in standalone mode fails. Try to detect this and refuse to run; and
allow the user to configure a webroot directory to use the running webserver for
certificate verification.

This also updates acme.sh to the latest version.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
lilik-openwrt-22.03
Toke Høiland-Jørgensen 8 years ago
parent
commit
34ed7a9f2c
4 changed files with 105 additions and 35 deletions
  1. +2
    -1
      net/acme/Makefile
  2. +8
    -1
      net/acme/files/acme-cbi.lua
  3. +2
    -1
      net/acme/files/acme.config
  4. +93
    -32
      net/acme/files/run.sh

+ 2
- 1
net/acme/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=acme
PKG_SOURCE_VERSION:=7b40cbe8c1a52041351524bcde4b37665a7cdf79
PKG_VERSION:=1.5
PKG_VERSION:=1.6
PKG_RELEASE:=1
PKG_LICENSE:=GPLv3
@ -47,6 +47,7 @@ define Build/Compile
endef
define Package/acme/install
$(INSTALL_DIR) $(1)/etc/acme
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
$(INSTALL_DIR) $(1)/etc/init.d


+ 8
- 1
net/acme/files/acme-cbi.lua View File

@ -25,11 +25,12 @@ s.anonymous = true
st = s:option(Value, "state_dir", translate("State directory"),
translate("Where certs and other state files are kept."))
st.rmempty = false
st.datatype = "string"
st.datatype = "directory"
ae = s:option(Value, "account_email", translate("Account email"),
translate("Email address to associate with account key."))
ae.rmempty = false
ae.datatype = "minlength(1)"
d = s:option(Flag, "debug", translate("Enable debug logging"))
d.rmempty = false
@ -56,6 +57,12 @@ u = cs:option(Flag, "update_uhttpd", translate("Use for uhttpd"),
"(only select this for one certificate)."))
u.rmempty = false
wr = cs:option(Value, "webroot", translate("Webroot directory"),
translate("Webserver root directory. Set this to the webserver " ..
"document root to run Acme in webroot mode. The web " ..
"server must be accessible from the internet on port 80."))
wr.rmempty = false
dom = cs:option(DynamicList, "domains", translate("Domain names"),
translate("Domain names to include in the certificate. " ..
"The first name will be the subject name, subsequent names will be alt names. " ..


+ 2
- 1
net/acme/files/acme.config View File

@ -5,7 +5,8 @@ config acme
config cert 'example'
option enabled 0
option use_staging 0
option use_staging 1
option keylength 2048
option update_uhttpd 1
option webroot ""
list domains example.org

+ 93
- 32
net/acme/files/run.sh View File

@ -27,45 +27,85 @@ check_cron()
/etc/init.d/cron start
}
debug()
log()
{
[ "$DEBUG" -eq "1" ] && echo "$@" >&2
logger -t acme -s -p daemon.info "$@"
}
pre_checks()
err()
{
echo "Running pre checks."
check_cron
[ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
if [ -e /etc/init.d/uhttpd ]; then
logger -t acme -s -p daemon.err "$@"
}
UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
debug()
{
[ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug "$@"
}
uci set uhttpd.main.listen_http=''
uci commit uhttpd
/etc/init.d/uhttpd reload || return 1
fi
get_listeners()
{
netstat -nptl 2>/dev/null | awk 'match($4, /:80$/){split($7, parts, "/"); print parts[2];}' | uniq | tr "\n" " "
}
iptables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
pre_checks()
{
main_domain="$1"
log "Running pre checks for $main_domain."
listeners="$(get_listeners)"
debug "port80 listens: $listeners"
case "$listeners" in
"uhttpd")
debug "Found uhttpd listening on port 80; trying to disable."
UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
err "$main_domain: Unable to find uhttpd listen config."
err "Manually disable uhttpd or set webroot to continue."
return 1
fi
uci set uhttpd.main.listen_http=''
uci commit uhttpd || return 1
if ! /etc/init.d/uhttpd reload ; then
uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
uci commit uhttpd
return 1
fi
;;
"")
debug "Nothing listening on port 80."
;;
*)
err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80."
err "Disable other daemon or set webroot to continue."
return 1
;;
esac
iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
debug "v4 input_rule: $(iptables -nvL input_rule)"
debug "v6 input_rule: $(ip6tables -nvL input_rule)"
debug "port80 listens: $(netstat -ntpl | grep :80)"
return 0
}
post_checks()
{
echo "Running post checks (cleanup)."
iptables -D input_rule -p tcp --dport 80 -j ACCEPT
ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT
log "Running post checks (cleanup)."
# The comment ensures we only touch our own rules. If no rules exist, that
# is fine, so hide any errors
iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
if [ -e /etc/init.d/uhttpd ]; then
if [ -e /etc/init.d/uhttpd ] && [ -n "$UHTTPD_LISTEN_HTTP" ]; then
uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
uci commit uhttpd
/etc/init.d/uhttpd reload
UHTTPD_LISTEN_HTTP=
fi
}
@ -102,12 +142,14 @@ issue_cert()
local main_domain
local moved_staging=0
local failed_dir
local webroot
config_get_bool enabled "$section" enabled 0
config_get_bool use_staging "$section" use_staging
config_get_bool update_uhttpd "$section" update_uhttpd
config_get domains "$section" domains
config_get keylength "$section" keylength
config_get webroot "$section" webroot
[ "$enabled" -eq "1" ] || return
@ -116,13 +158,17 @@ issue_cert()
set -- $domains
main_domain=$1
[ -n "$webroot" ] || pre_checks "$main_domain" || return 1
log "Running ACME for $main_domain"
if [ -e "$STATE_DIR/$main_domain" ]; then
if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
echo "Found previous cert issued using staging server. Moving it out of the way."
log "Found previous cert issued using staging server. Moving it out of the way."
mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
moved_staging=1
else
echo "Found previous cert config. Issuing renew."
log "Found previous cert config. Issuing renew."
$ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1
return 0
fi
@ -130,17 +176,28 @@ issue_cert()
acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
acme_args="$acme_args --standalone"
acme_args="$acme_args --keylength $keylength"
[ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
[ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
if [ -z "$webroot" ]; then
log "Using standalone mode"
acme_args="$acme_args --standalone"
else
if [ ! -d "$webroot" ]; then
err "$main_domain: Webroot dir '$webroot' does not exist!"
return 1
fi
log "Using webroot dir: $webroot"
acme_args="$acme_args --webroot \"$webroot\""
fi
if ! $ACME --home "$STATE_DIR" --issue $acme_args; then
failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
echo "Issuing cert for $main_domain failed. Moving state to $failed_dir" >&2
err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
[ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
if [ "$moved_staging" -eq "1" ]; then
echo "Restoring staging certificate" >&2
err "Restoring staging certificate"
mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"
fi
return 1
@ -152,6 +209,7 @@ issue_cert()
# commit and reload is in post_checks
fi
post_checks
}
load_vars()
@ -163,19 +221,22 @@ load_vars()
DEBUG=$(config_get "$section" debug)
}
if [ -n "$CHECK_CRON" ]; then
check_cron
exit 0
fi
check_cron
[ -n "$CHECK_CRON" ] && exit 0
config_load acme
config_foreach load_vars acme
pre_checks || exit 1
if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
err "state_dir and account_email must be set"
exit 1
fi
[ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
trap err_out HUP TERM
trap int_out INT
config_foreach issue_cert cert
post_checks
exit 0

Loading…
Cancel
Save