Hello community,
here is the log from the commit of package dehydrated for openSUSE:Leap:15.2 checked in at 2020-04-30 18:53:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/dehydrated (Old)
and /work/SRC/openSUSE:Leap:15.2/.dehydrated.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dehydrated"
Thu Apr 30 18:53:09 2020 rev:31 rq:799246 version:0.6.5
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/dehydrated/dehydrated.changes 2020-01-15 14:52:05.609476605 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.dehydrated.new.2738/dehydrated.changes 2020-04-30 18:53:59.252921285 +0200
@@ -1,0 +2,24 @@
+Mon Apr 20 00:37:26 UTC 2020 - Daniel Molkentin
+
+- Fix lighttpd config file (boo#1169834)
+- Provide nginx subpackage for SLE 15+ (jsc#SLE-11727)
+
+-------------------------------------------------------------------
+Mon Feb 3 12:25:00 UTC 2020 - Dominique Leuenberger
+
+- Drop systemd BuildRequires: pkgconfig(systemd) is already in
+ place and is synonymous.
+
+-------------------------------------------------------------------
+Thu Oct 17 17:23:53 UTC 2019 - Richard Brown
+
+- Remove obsolete Groups tag (fate#326485)
+
+-------------------------------------------------------------------
+Sat Aug 10 17:18:25 UTC 2019 - Daniel Molkentin
+
+- Behavioral change: Use cron only for older RHEL/CentOS versions
+ (along with SLE < 12.0). Everything else now uses systemd.
+ Please adopt accordingly! Refer to README.md for
+
+-------------------------------------------------------------------
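Review bot: the Sat Aug 10 2019 entry ends mid-sentence ("Please adopt accordingly! Refer to README.md for"), so the pointer that tells admins where the cron-to-systemd behavioral change is documented is lost; complete the sentence (and if the packaging notes are what is meant, point at the README.maintainer file this submission introduces rather than upstream's README.md).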
Old:
----
README.SUSE
New:
----
README.maintainer
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dehydrated.spec ++++++
--- /var/tmp/diff_new_pack.iZ0qtx/_old 2020-04-30 18:53:59.776922392 +0200
+++ /var/tmp/diff_new_pack.iZ0qtx/_new 2020-04-30 18:53:59.780922400 +0200
@@ -1,7 +1,7 @@
#
# spec file for package dehydrated
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
%define _home %{_sysconfdir}/dehydrated
%define _postrunhooks %{_home}/postrun-hooks.d
-%if 0%{?suse_version} > 1230
+%if 0%{?sle_version} >= 120100 || 0%{?suse_version} >= 1210 || 0%{?rhel_version} >= 700 || 0%{?centos_version} >= 700
%define _lock_dir /run/dehydrated
%bcond_without systemd
%else
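Review bot: the new %if condition encodes the version floors without a comment, and its intent is only stated in the changelog ("Use cron only for older RHEL/CentOS versions (along with SLE < 12.0)"); the sle_version clause here uses 120100, i.e. SLE 12 SP1, while the suse_version clause right next to it also matches SLE releases, so it is not obvious which one is meant to be the authoritative floor for SUSE. Add a one-line comment above the %if stating which distributions are intended to get systemd and which keep cron, so the next reviewer does not have to reverse-engineer four clauses.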
@@ -29,13 +29,18 @@
%bcond_with systemd
%endif
-%if 0%{?is_opensuse} || %{defined fedora}
+%if 0%{?sle_version} >= 150000 || 0%{?is_opensuse} || %{defined fedora}
%bcond_without nginx
-%bcond_without lighttpd
%else
%bcond_with nginx
+%endif
+
+%if 0%{?is_opensuse} || %{defined fedora}
+%bcond_without lighttpd
+%else
%bcond_with lighttpd
%endif
+
%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d }
# See also http://en.opensuse.org/openSUSE:Specfile_guidelines
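Review bot: this hunk enables the nginx subpackage for 0%{?sle_version} >= 150000 (the jsc#SLE-11727 change from the changelog), but README.maintainer in this same submission still says under "nginx" that it is "(not part of SLE, use openSUSE backports)"; update that README note so it matches the new build condition. The lighttpd condition deliberately stays openSUSE/Fedora only, so its identical README note remains correct.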
@@ -50,8 +55,7 @@
Release: 0
Summary: A client for signing certificates with an ACME server
License: MIT
-Group: Productivity/Networking/Security
-Url: https://github.com/lukas2511/dehydrated
+URL: https://github.com/lukas2511/dehydrated
Source0: %{name}-%{version}.tar.gz
Source1: acme-challenge.conf.apache.in
Source2: acme-challenge.conf.nginx.in
@@ -60,7 +64,7 @@
Source5: dehydrated.tmpfiles.d
Source6: dehydrated.service.in
Source7: dehydrated.timer
-Source9: README.SUSE
+Source9: README.maintainer
Source10: README.Fedora
Source11: README.hooks
Source12: %{name}-%{version}.tar.gz.asc
@@ -90,7 +94,6 @@
BuildRequires: shadow
%endif
%if %{with systemd}
-BuildRequires: systemd
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%else #with_systemd
@@ -124,7 +127,6 @@
%package %{_apache}
Summary: Apache Integration for dehydrated
-Group: Productivity/Networking/Security
Requires: %{_apache}
Requires: %{name}
Obsoletes: letsencrypt.sh-%{_apache} < %{version}
@@ -139,7 +141,6 @@
%if %{with nginx}
%package nginx
Summary: Nginx Integration for dehydrated
-Group: Productivity/Networking/Security
Requires: %{name}
Requires: nginx
Obsoletes: letsencrypt.sh-nginx < %{version}
@@ -152,7 +153,6 @@
%if %{with lighttpd}
%package lighttpd
Summary: Lighttpd Integration for dehydrated
-Group: Productivity/Networking/Security
Requires: %{name}
Requires: lighttpd
@@ -220,8 +220,8 @@
%if %{with lighttpd}
install -m 0755 -d %{buildroot}%{_sysconfdir}/lighttpd/conf.d
-sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
-install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
+sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge.conf
+install -m 0644 acme-challenge.conf %{buildroot}%{_sysconfdir}/lighttpd/conf.d
%endif #with lighttpd
%if %{with systemd}
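Review bot: renaming the installed lighttpd drop-in from acme-challenge to acme-challenge.conf changes a path that existing installations already have on disk, and there is no migration for it: the %pre scriptlet added further down in this spec only renames the nginx file. Add the equivalent rename for lighttpd, or state in the changelog why an admin's existing /etc/lighttpd/conf.d/acme-challenge can be left behind.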
@@ -253,6 +253,13 @@
diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
+# Rename existing config file config files fror nginx and lighttpd
+%if %{with nginx}
+%pre nginx
+[ -f %{_sysconfdir}/nginx/conf.d/acme-challenge ] && \
+ mv %{_sysconfdir}/nginx/conf.d/acme-challenge %{_sysconfdir}/nginx/conf.d/acme-challenge.conf || :
+%endif
+
%files
%defattr(-,root,root)
%attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
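Review bot: the comment says "Rename existing config file config files fror nginx and lighttpd" (duplicated words and a typo), but the scriptlet below it only handles nginx; either add the lighttpd branch or make the comment say nginx only. Two smaller points on the `[ -f ... ] && mv ... || :` line: the `|| :` also hides a failing mv, and mv overwrites an acme-challenge.conf that an admin may already have created by hand, so an explicit if block that skips the rename when the target exists and reports a failed mv would be safer.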
@@ -269,7 +276,7 @@
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
%{_mandir}/man1/*
%doc LICENSE README.md docs/*.md docs/*.jpg
-%doc README.SUSE
+%doc README.maintainer
%if %{defined redhat}
%doc README.Fedora
%endif
@@ -277,9 +284,11 @@
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/dehydrated.service
%{_unitdir}/dehydrated.timer
+%if 0%{?suse_version}
%{_sbindir}/rcdehydrated
+%endif
%ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
-%else
+%else #with systemd
%config %{_sysconfdir}/cron.d/dehydrated
%attr(700,%{_user},%{_user}) %dir %{_lock_dir}
%endif
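Review bot: %{_sbindir}/rcdehydrated is now packaged only when 0%{?suse_version} is set, but the %install step that creates that symlink is not part of this diff; make sure it is guarded by the same condition, otherwise non-SUSE builds fail on an unpackaged file (or, if the install side is already guarded, SUSE builds silently lose it). The "#with systemd" annotation on the %else is a welcome readability fix.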
@@ -297,7 +306,7 @@
%if %{with lighttpd}
%files lighttpd
%defattr(-,root,root)
-%config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
+%config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge.conf
%endif #with lighttpd
%changelog
++++++ README.maintainer ++++++
==========================================
Acquiring TLS Certificates with Dehydrated
==========================================
The dehydrated package has been designed to make acquiring TLS
certificates (aka SSL certificates) as simple as possible, while still being
useful in a broad range of use cases. Please consult the dehydrated man page,
then continue reading here.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IMPORTANT: On systemd-based systems, you need to enable the update
timer, which replaces the cron job. This is required regardless of which
of the methods below you choose!
# systemctl enable dehydrated.timer
Also note that with the systemd timer, failures will not be mailed to the
system administrator but are logged to the systemd journal, as per
systemd's design philosophy.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Acquisition through HTTP (http-01)
===================================
This is the primary method of acquiring certificates. The Certificate Authority
provides a challenge that the requester must serve via HTTP on port 80/TCP,
under /.well-known/acme-challenge/.
Setting up the acme-challenge auto-responder
--------------------------------------------
Apache (easiest)
~~~~~~~~~~~~~~~~
If you are using Apache, just install dehydrated-apache2 and reload Apache.
This will take care of setting up the acme-challenge auto-responder.
nginx
~~~~~
(not part of SLE, use openSUSE backports)
For nginx, you will need to install dehydrated-nginx. Unfortunately, nginx does
not support directory mappings across vhosts, so in addition you will need to
include "/etc/nginx/acmechallenge" in all vhost configurations like this:
server {
    listen 80;
    listen [::]:80;
    server_name <hostname>;
    include "acmechallenge";
    location / {
        return 301 https://$host$request_uri;
    }
}
lighttpd
~~~~~~~~
(not part of SLE, use openSUSE backports)
Lighttpd users can simply install dehydrated-lighttpd and reload lighttpd to
set up the acme-challenge auto-responder.
NOTE: Never set up the SSL vhosts until you have acquired the initial
certificate. Specifying an SSL vhost without certificates is treated as an
error by web servers.
Machines without a webserver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On machines that are not running any web server, e.g. mail relays, you can run
apache2 with dehydrated-apache2. If you do not want to run a web server on a
systemd-based system permanently, you can use dehydrated-acmeresponder. This is a
small socket-activated server. Once installed, it automatically listens on
port 80 whenever the scheduled dehydrated run seeks renewal, assuming no other
server is currently occupying the port. It also shuts down once the timer
run has finished.
Acquisition of initial certificate
----------------------------------
First, set up an account as described in the man page (as root):
# dehydrated --register --accept-terms
(the current version of the LetsEncrypt Terms & Conditions is referenced in
/etc/dehydrated/config)
Next, fill in domains.txt and acquire the initial certificates (again, as root):
# echo "myhost.example.com myalias.example.com" >> domains.txt
# dehydrated --cron
The echo line adds myhost.example.com to the list of host names we want to
request a certificate for. The certificate will hold a Subject Alternative Name
of "myalias.example.com". LetsEncrypt will check both host names.
NOTE: As of 2017, LetsEncrypt certificates are only valid for three months, and
the validity period may be further reduced in the future. It is therefore
vital to ensure that the certificates are being automatically renewed. On
systems without systemd, a cron job is automatically set up to take care of
this. On systemd-enabled systems, a timer is provided which needs to be
activated manually:
# systemctl enable dehydrated.timer
Acquisition through DNS (dns-01)
================================
This is mostly useful under these conditions:
1. Your hosts are not directly exposed to the internet.
2. Your host names are part of a public DNS zone visible on the internet.
3. You are comfortable with the service adding and removing records in your domain.
The usual scenario for this is a central host which picks up
certificates for all other hosts on a network and then deploys them to the
actual target hosts, using plain scp or configuration management tools like
Ansible or Salt. For details, please refer to dns-verification.md. For
openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
and DNS servers.
Proceeding after initial certificate acquisition
===============================================
Setting up the SSL host
-----------------------
As recommended parameters shift over time, please refer to Mozilla's excellent SSL
Configuration Generator [1] for details on how to configure your web server.
Replace the example paths with the following:
Key: /etc/dehydrated/certs/<domainname>/privkey.pem
Certificate: /etc/dehydrated/certs/<domainname>/cert.pem
Intermediate Chain: /etc/dehydrated/certs/<domainname>/chain.pem
Certificate + Intermediate: /etc/dehydrated/certs/<domainname>/fullchain.pem
where <domainname> is the name in the first column of domains.txt.
Limitations & Caveats
=====================
* It is currently not possible to acquire wildcard certificates.
* No EV- or OV-validated certificates.
* Certificates expire within weeks, not years. This is by design. Ensure that
  certificate renewal works and that daemons get reloaded frequently to pick
  up certificate updates. Apache will work because log rotation SIGHUPs
  the process frequently. Any other action, such as a service reload,
  needs to be provided as a script in /etc/dehydrated/postrun-hooks.d, which
  will be executed by the cron script / systemd timer *after* an update run
  has been performed.
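A post-run hook of the kind this caveat asks for, as an added example that is not a script shipped with the package: it keeps a SHA-256 checksum of each domain's fullchain.pem in a state directory and reloads the listed daemons only when one of the certificates actually changed, so a run that renewed nothing does not bounce services. The state directory, the service list and the reload command are this example's own assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# Post-run hook for /etc/dehydrated/postrun-hooks.d (added example, not a
# script shipped by the package). Daemons other than Apache do not notice a
# renewed certificate, so this hook reloads them, but only when some
# fullchain.pem changed since the previous run, detected via a SHA-256
# checksum kept per domain in STATE_DIR. STATE_DIR, RELOAD_SERVICES and
# RELOAD_CMD are this example's own assumptions, overridable via environment.

CERT_DIR="${CERT_DIR:-/etc/dehydrated/certs}"
STATE_DIR="${STATE_DIR:-/var/lib/dehydrated/postrun-state}"
RELOAD_SERVICES="${RELOAD_SERVICES:-postfix dovecot}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"

# Print one domain per line whose fullchain.pem differs from the recorded
# checksum and update the record. Returns 0 if something changed, 1 if not,
# 2 if the state directory cannot be created.
changed_domains() {
    mkdir -p "$STATE_DIR" 2>/dev/null || return 2
    rc=1
    for chain in "$CERT_DIR"/*/fullchain.pem; do
        [ -f "$chain" ] || continue
        domain=$(basename "$(dirname "$chain")")
        new=$(sha256sum "$chain" | cut -d' ' -f1)
        old=""
        [ -f "$STATE_DIR/$domain.sha256" ] && old=$(cat "$STATE_DIR/$domain.sha256")
        if [ "$new" != "$old" ]; then
            printf '%s\n' "$domain"
            printf '%s\n' "$new" > "$STATE_DIR/$domain.sha256"
            rc=0
        fi
    done
    return $rc
}

# Reload every service in RELOAD_SERVICES once if any certificate changed.
# Prints what was reloaded; returns changed_domains' status if nothing was done.
reload_if_changed() {
    changed=$(changed_domains)
    status=$?
    [ "$status" -eq 0 ] || return "$status"
    for svc in $RELOAD_SERVICES; do
        if $RELOAD_CMD "$svc"; then
            printf 'reloaded %s for: %s\n' "$svc" "$(printf '%s' "$changed" | tr '\n' ' ')"
        else
            printf 'WARNING: reload of %s failed\n' "$svc" >&2
        fi
    done
    return 0
}
# Run when invoked as a hook; a missing cert dir means there is nothing to do.
[ -d "$CERT_DIR" ] && reload_if_changed
```

Because dehydrated only rewrites fullchain.pem when a renewal happened, the checksum comparison is what keeps the hourly/daily timer runs from reloading services needlessly.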
Links
=====
[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/
++++++ acme-challenge.conf.lighttpd.in ++++++
--- /var/tmp/diff_new_pack.iZ0qtx/_old 2020-04-30 18:53:59.860922569 +0200
+++ /var/tmp/diff_new_pack.iZ0qtx/_new 2020-04-30 18:53:59.860922569 +0200
@@ -1,4 +1,4 @@
-server.modules += ("alias")
+server.modules += ("mod_alias")
alias.url += (
- "/.well-known/acme-challenge/" => "@CHALLENGEDIR@",
+ "/.well-known/acme-challenge/" => "@CHALLENGEDIR@/",
)
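Review bot: both corrections are right but the reason is not recorded in the file: lighttpd's module is named mod_alias (plain "alias" does not load), and alias.url performs a prefix rewrite, so a URL prefix ending in "/" has to map to a directory path that also ends in "/", otherwise the challenge token name is glued onto the directory name and every http-01 request 404s. Add a short comment above alias.url saying the trailing slash is required, so it does not get "cleaned up" again, and since the spec's sed substitutes @CHALLENGEDIR@ with %{_challengedir}, confirm that macro does not already end in "/" (a double slash is harmless, but untidy).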