commit dehydrated for openSUSE:Factory

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package dehydrated for openSUSE:Factory checked in at 2021-03-30 21:23:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dehydrated (Old)
 and      /work/SRC/openSUSE:Factory/.dehydrated.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dehydrated"

Tue Mar 30 21:23:47 2021 rev:22 rq:882190 version:0.7.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/dehydrated/dehydrated.changes 2021-03-05 13:49:35.331857403 +0100
+++ /work/SRC/openSUSE:Factory/.dehydrated.new.2401/dehydrated.changes 2021-03-30 21:50:45.686931158 +0200
@@ -1,0 +2,42 @@ +Tue Mar 30 14:20:42 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> + +- Enable instantiated services (boo#1184165) + +------------------------------------------------------------------- +Mon Mar 29 16:18:57 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> + +- Prepare instantiated service/timer support but not enable it: + This seems to fail due to missing systemd support right now. + So the only option at the moment is to copy the timer and unit + file for a 2nd instance. Mark all files as part of dehydrated.target + +------------------------------------------------------------------- +Mon Mar 29 16:18:27 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> + +- Rework support for /etc/dehydrated/postrun-hooks.d/: + dehydrated.service nolonger starts them directly, the support was + moved to a separate unit file. Please run: + + systemctl enable dehydrated-postrun-hooks.service + + to restore this functionality +- Run dehydrated as dehydrated user again + +------------------------------------------------------------------- +Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> + +- Do not use the full path for config.d in the config files, which + will simplify implementing multi instance support. 
+ +------------------------------------------------------------------- +Mon Mar 29 16:07:44 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> + +- Added more-examples.patch: + Explain how we can have per certificate key algorithms + +------------------------------------------------------------------- +Sun Mar 14 22:29:06 UTC 2021 - Olav Reinert <seroton10@gmail.com> + +- Add directory where cleanup can archive unused certificates + +------------------------------------------------------------------- Old: ---- dehydrated.service.in New: ---- dehydrated-postrun-hooks.service dehydrated-postrun-hooks@.service dehydrated.service dehydrated.target dehydrated@.service dehydrated@.timer more-examples.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dehydrated.spec ++++++ --- /var/tmp/diff_new_pack.gCUTQr/_old 2021-03-30 21:50:46.798932100 +0200 +++ /var/tmp/diff_new_pack.gCUTQr/_new 2021-03-30 21:50:46.798932100 +0200 @@ -16,6 +16,14 @@ # +%bcond_without instantiated_service +%define base_services dehydrated.timer dehydrated.service dehydrated-postrun-hooks.service +%if %{with instantiated_service} +%define services dehydrated.target %{base_services} dehydrated@.timer dehydrated@.service dehydrated-postrun-hooks@.service +%else +%define services %{base_services} +%endif + %define _challengedir %{_localstatedir}/lib/acme-challenge %define _user dehydrated %define _home %{_sysconfdir}/dehydrated @@ -55,7 +63,7 @@ Source2: acme-challenge.conf.nginx.in Source4: dehydrated.cron.in Source5: dehydrated.tmpfiles.d -Source6: dehydrated.service.in +Source6: dehydrated.service Source7: dehydrated.timer Source9: README.maintainer Source10: README.Fedora 
@@ -63,6 +71,12 @@ Source12: %{name}-%{version}.tar.gz.asc Source13: %{name}.keyring Source14: %{name}-rpmlintrc +Source15: dehydrated@.service +Source16: dehydrated@.timer +Source17: dehydrated.target +Source18: dehydrated-postrun-hooks.service +Source19: dehydrated-postrun-hooks@.service +Patch: more-examples.patch BuildRequires: %{_apache} Requires: coreutils Requires: curl @@ -142,21 +156,22 @@ if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi %if %{with systemd} -%service_add_pre dehydrated.service dehydrated.timer +%service_add_pre %{services} %post -systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: -%service_add_post dehydrated.service dehydrated.timer +%tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||: +%service_add_post %{services} %preun -%service_del_preun dehydrated.service dehydrated.timer +%service_del_preun %{services} %postun -%service_del_postun dehydrated.service dehydrated.timer +%service_del_postun %{services} %endif %prep %setup -q +%patch -p1 cp %{SOURCE9} . cp %{SOURCE10} . @@ -164,7 +179,7 @@ %install # sensitive keys -mkdir -p %{buildroot}%{_home}/{accounts,certs,chains} +mkdir -p %{buildroot}%{_home}/{accounts,archive,certs,chains} mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}%{_home}/config.d 
@@ -195,9 +210,20 @@ %if %{with systemd} install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf # Use timer -sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service -install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service +install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/dehydrated.service install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer +install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks.service + +%if %{with instantiated_service} +install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/dehydrated@.service +install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dehydrated@.timer +install -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks@.service +install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/dehydrated.target +%else +perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/* + +%endif + if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then # No support for this attribute in systemd < v229 sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer @@ -215,7 +241,7 @@ # Adjust config file perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config -perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config +perl -p -i -e 's|#CONFIG_D=|CONFIG_D="\${BASEDIR}/config.d"|' %{buildroot}%{_home}/config perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config 
@@ -232,6 +258,7 @@ %defattr(-,root,root) %attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts +%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/archive %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs %attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/chains %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config @@ -250,8 +277,11 @@ %endif %if %{with systemd} %{_tmpfilesdir}/%{name}.conf -%{_unitdir}/dehydrated.service -%{_unitdir}/dehydrated.timer +%{_unitdir}/dehydrated*.service +%{_unitdir}/dehydrated*.timer +%if %{with instantiated_service} +%{_unitdir}/dehydrated.target +%endif %if 0%{?suse_version} %{_sbindir}/rcdehydrated %endif ++++++ README.maintainer ++++++ --- /var/tmp/diff_new_pack.gCUTQr/_old 2021-03-30 21:50:46.874932164 +0200 +++ /var/tmp/diff_new_pack.gCUTQr/_new 2021-03-30 21:50:46.874932164 +0200 
@@ -165,6 +165,19 @@ v0.7.0 ------ +Postrun Hooks +~~~~~~~~~~~~~ + +dehydrated.service no longer starts scripts in /etc/dehydrated/postrun-hooks.d/ +directly, the support was moved to a separate unit file. Please run + + systemctl enable dehydrated-postrun-hooks.service + +to restore this functionality. + +This change was required to ensure that the output of the dehydrated script stays +attached to the dehydrated unit in the journal. + Key Algorithm ~~~~~~~~~~~~~ ++++++ dehydrated-postrun-hooks.service ++++++ [Unit] Description=Postrun Hooks Runner for Dehydrated ConditionPathExists=/etc/dehydrated/postrun-hooks.d After=dehydrated.service PartOf=dehydrated.target [Service] Type=oneshot ExecStart=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \; User=root Group=root [Install] RequiredBy=dehydrated.service++++++ dehydrated-postrun-hooks@.service ++++++ [Unit] Description=Postrun Hooks Runner for Dehydrated: %i ConditionPathExists=/etc/dehydrated-%i/postrun-hooks.d/ After=dehydrated@%i.service PartOf=dehydrated.target [Service] Type=oneshot ExecStart=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d/ -maxdepth 1 -executable -type f -exec {} \; User=root Group=root [Install] RequiredBy=dehydrated@%i.service ++++++ dehydrated.service ++++++ [Unit] Description=Certificate Update Runner for Dehydrated ConditionPathExists=/etc/dehydrated/config After=network-online.target Wants=acmeresponder.socket PartOf=dehydrated.target [Service] Type=oneshot ExecStart=/usr/bin/dehydrated --cron # dehydrated --cron will drop permissions and run critical code as dehydrated user. User=dehydrated Group=dehydrated ++++++ dehydrated.target ++++++ [Unit] Description=Target to allow restarting and stopping of all parts of dehydrated PartOf=dehydrated.target ++++++ dehydrated.timer ++++++ --- /var/tmp/diff_new_pack.gCUTQr/_old 2021-03-30 21:50:47.010932279 +0200 +++ /var/tmp/diff_new_pack.gCUTQr/_new 2021-03-30 21:50:47.010932279 +0200 
@@ -1,10 +1,11 @@ [Unit] -Description=Run Certificate Update Runner for Dehydrated +Description=Timer for Certificate Update Runner for Dehydrated +PartOf=dehydrated.target [Timer] OnCalendar=daily # Two hour window RandomizedDelaySec=7200 - + [Install] WantedBy=timers.target ++++++ dehydrated@.service ++++++ [Unit] Description=Certificate Update Runner for Dehydrated ConditionPathExists=/etc/dehydrated/config After=network-online.target Wants=acmeresponder.socket PartOf=dehydrated.target [Service] Type=oneshot ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated-%i/config User=dehydrated Group=dehydrated ++++++ dehydrated@.timer ++++++ [Unit] Description=Timer for Certificate Update Runner for Dehydrated PartOf=dehydrated.target [Timer] OnCalendar=daily # Two hour window RandomizedDelaySec=7200 [Install] WantedBy=timers.target ++++++ more-examples.patch ++++++ Index: dehydrated-0.7.0/docs/domains_txt.md =================================================================== --- dehydrated-0.7.0.orig/docs/domains_txt.md +++ dehydrated-0.7.0/docs/domains_txt.md 
@@ -34,6 +34,30 @@ under your `CERTDIR`. example.net www.example.net wiki.example.net > certalias ``` +This allows to set per certificates options. The options you can change are +explained in [Per Certificate Config](per-certificate-config.md). + +If you want to create different certificate types for the same domain +you can use: + +```text +*.service.example.org service.example.org > star_service_example_org_rsa +*.service.example.org service.example.org > star_service_example_org_ecdsa +``` + +Then add a config file `certs/star_service_example_org_rsa/config` with +the value + +``` +KEY_ALGO="rsa" +``` + +or respectively + +``` +KEY_ALGO="ecdsa" +``` + ### Wildcards Support for wildcards was added by the ACME v2 protocol. Index: dehydrated-0.7.0/docs/examples/domains.txt =================================================================== --- dehydrated-0.7.0.orig/docs/examples/domains.txt +++ dehydrated-0.7.0/docs/examples/domains.txt @@ -24,6 +24,15 @@ example.net www.example.net > certalias # NOTE: It is a certificate for 'service.example.org' *.service.example.org service.example.org > star_service_example_org +# Optionally you can also append the certificate algorithm here to create +# multiple certificate types for the same domain. +# +# This allows to set per certificates options. The options you can change are +# explained in [domains.txt documentation](domains_txt.md). +# +*.service.example.org service.example.org > star_service_example_org_rsa +*.service.example.org service.example.org > star_service_example_org_ecdsa + # Create a certificate for 'service.example.net' with an alternative name of # '*.service.example.net' (which is a wildcard domain) and store it in the # directory ${CERTDIR}/service.example.net
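Review bot: in the `%pre`/`%post`/`%preun`/`%postun` hunk of dehydrated.spec, `%{services}` now hands the bare template names `dehydrated@.service`, `dehydrated@.timer` and `dehydrated-postrun-hooks@.service` to `%service_add_pre`, `%service_add_post` and `%service_del_*`, yet none of the templates sets `DefaultInstance=`, so there is no unit for systemd to enable or preset under those names. Please verify the scriptlets do not print errors during package install/removal; an alternative is to list only `dehydrated.target` and `%{base_services}` in the macros and document `systemctl enable dehydrated@<instance>.timer` (placeholder instance name) in README.maintainer, which currently says nothing about the new template units.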
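Review bot: the systemd < v229 compatibility `sed` at the end of the `%install` hunk still only edits `%{buildroot}%{_unitdir}/dehydrated.timer`, but the new `dehydrated@.timer` installed from `%{SOURCE16}` a few lines earlier carries the same `RandomizedDelaySec=7200` line and is left untouched. Either extend the target to `%{buildroot}%{_unitdir}/dehydrated*.timer` or drop the check altogether if no supported target still ships a systemd older than v229; note also that `rpm -q --queryformat='%{VERSION}' systemd` inspects the build host's systemd, not the one on the machine the package is installed on.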
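Review bot: `dehydrated-postrun-hooks.service` (and its `@` variant) executes every file that `find -L ... -executable -type f` discovers under `/etc/dehydrated/postrun-hooks.d` with `User=root`, while `dehydrated.service` deliberately runs as the unprivileged `dehydrated` user; the `%files` hunk pins ownership and mode for `accounts`, `archive`, `certs` and `chains` but says nothing about `postrun-hooks.d`, so please make sure that directory and its entries are owned and writable by root only (`-L` follows symlinks, so a symlink placed there by a less privileged user would be executed as root) and state in README.maintainer that hooks run as root. A second, smaller point: hook failures are invisible, because `find -exec {} \;` does not propagate the exit status of the commands it runs and the leading `-` on `ExecStart=` additionally tells systemd to ignore a non-zero exit of `find` itself, so the unit always ends as succeeded; a short shell loop that runs each hook and exits non-zero if any of them failed would make `systemctl status` and the journal reflect the outcome, which is the stated motivation for the split.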
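Review bot: `dehydrated.target` declares `PartOf=dehydrated.target` on itself, which looks like a copy-paste from the service and timer units; a target being part of itself is meaningless and the line should be removed. The `[Unit]` section only needs `Description=`; the stop/restart propagation the description promises comes from the `PartOf=dehydrated.target` lines in the individual units, and it works without an `[Install]` section, so the target never needs to be enabled (worth a comment, since the `%service_add_*` macros are nevertheless run on it).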
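Review bot: `dehydrated@.service` keeps `ConditionPathExists=/etc/dehydrated/config` from the non-template unit while its `ExecStart=` runs `dehydrated --cron --config /etc/dehydrated-%i/config`, so an instance is skipped when the default config is missing and started when its own config is missing; it should read `ConditionPathExists=/etc/dehydrated-%i/config`, matching `dehydrated-postrun-hooks@.service`, which correctly uses `/etc/dehydrated-%i/postrun-hooks.d/`. The comment in `dehydrated.service` explaining that `dehydrated --cron` drops privileges and why `User=dehydrated` is used was also not carried over into the template.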
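Review bot: the two hunks of more-examples.patch disagree on where the per-certificate options are documented: `docs/domains_txt.md` links to `per-certificate-config.md`, while the comment added to `docs/examples/domains.txt` sends the reader to `domains_txt.md`, which is the file the reader is already looking at in the other hunk; both should point at `per-certificate-config.md`. Two wording/formatting nits in the same hunks: "This allows to set per certificates options" reads better as "This allows per-certificate options to be set", and the two `KEY_ALGO` fences in `domains_txt.md` lack the `text` language tag that the new `star_service_example_org_*` block uses.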