|
 |
3bb45ec |
%global commit af025f5bf19c70be7fafab67f4dd718ca7bf9adf
|
|
|
3bb45ec |
%global shortcommit af025f5
|
|
|
3bb45ec |
%global checkout 20170516git%{shortcommit}
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%if 0%{?rhel} >= 5 && 0%{?rhel} < 7
|
|
|
9ddfc06 |
%global use_systemd 0
|
|
|
9ddfc06 |
%else
|
|
|
9ddfc06 |
%global use_systemd 1
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%if 0%{?fedora}
|
|
|
9ddfc06 |
# Explicity require python3 on Fedora to help track which packages
|
|
|
9ddfc06 |
# no longer need python2.
|
|
|
9ddfc06 |
%global use_python3 1
|
|
|
9ddfc06 |
%else
|
|
|
9ddfc06 |
%global use_python3 0
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
Name: acme-tiny
|
|
|
55e6566 |
Version: 0.2
|
|
|
880c508 |
Release: 3.%{checkout}%{?dist}
|
|
|
9ddfc06 |
Summary: Tiny auditable script to issue, renew Let's Encrypt certificates
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
Group: Applications/Internet
|
|
|
9ddfc06 |
License: MIT
|
|
|
9ddfc06 |
URL: https://github.com/diafygi/acme-tiny
|
|
|
9ddfc06 |
Source0: https://github.com/diafygi/%{name}/archive/%{commit}.tar.gz#/%{name}-%{shortcommit}.tar.gz
|
|
|
9ddfc06 |
Source1: acme-tiny-sign.sh
|
|
|
9ddfc06 |
Source2: cert-check.py
|
|
|
9ddfc06 |
Source3: acme.conf
|
|
|
9ddfc06 |
Source4: lets-encrypt-x3-cross-signed.pem
|
|
|
9ddfc06 |
Source5: acme-tiny.cron
|
|
|
9ddfc06 |
Source6: acme-tiny.timer
|
|
|
9ddfc06 |
Source7: acme-tiny.service
|
|
|
9ddfc06 |
Source8: README-fedora.md
|
|
|
9ddfc06 |
# Fetch and include intermediate cert(s), too.
|
|
|
9ddfc06 |
Patch0: acme-tiny-chain.patch
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
Requires: openssl
|
|
|
9ddfc06 |
Requires(pre): shadow-utils
|
|
|
880c508 |
%if 0%{?rhel} >= 5 && 0%{?rhel} < 7
|
|
|
880c508 |
# EL6 uses python2.6, which does not include argparse
|
|
|
880c508 |
Requires: python-argparse
|
|
|
880c508 |
%endif
|
|
|
9ddfc06 |
%if %{use_systemd}
|
|
|
9ddfc06 |
# systemd macros are not defined unless systemd is present
|
|
|
9ddfc06 |
BuildRequires: systemd
|
|
|
9ddfc06 |
%{?systemd_requires}
|
|
|
9ddfc06 |
%else
|
|
|
9ddfc06 |
Requires: cronie
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
BuildArch: noarch
|
|
|
80c0679 |
%if 0%{?fedora}
|
|
|
9ddfc06 |
Suggests: httpd, mod_ssl, nginx
|
|
|
9ddfc06 |
Enhances: httpd, mod_ssl, nginx
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%description
|
|
|
9ddfc06 |
This is a tiny, auditable script that you can throw on your server to issue and
|
|
|
9ddfc06 |
renew Let's Encrypt certificates. Since it has to be run on your server and
|
|
|
9ddfc06 |
have access to your private Let's Encrypt account key, I tried to make it as
|
|
|
9ddfc06 |
tiny as possible (currently less than 200 lines). The only prerequisites are
|
|
|
9ddfc06 |
python and openssl.
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
Well, that and a web server - but then you only need this with a web server.
|
|
|
9ddfc06 |
This package adds a simple directory layout and timer service that runs
|
|
|
9ddfc06 |
acme_tiny on installed CSRs as the acme user for privilege separation.
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%prep
|
|
|
9ddfc06 |
%setup -q -n %{name}-%{commit}
|
|
|
9ddfc06 |
%patch0 -p1 -b .chain
|
|
|
9ddfc06 |
cp -p %{SOURCE1} %{SOURCE2} %{SOURCE8} .
|
|
|
9ddfc06 |
%if %{use_python3}
|
|
|
9ddfc06 |
sed -i.old -e '1,1 s/python$/python3/' *.py
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%build
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%install
|
|
|
9ddfc06 |
mkdir -p %{buildroot}/var/www/challenges
|
|
|
9ddfc06 |
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d
|
|
|
9ddfc06 |
mkdir -p %{buildroot}%{_sbindir}
|
|
|
9ddfc06 |
mkdir -p %{buildroot}%{_libexecdir}/%{name}
|
|
|
9ddfc06 |
mkdir -p %{buildroot}%{_sharedstatedir}/acme/{private,csr,certs}
|
|
|
9ddfc06 |
chmod 0700 %{buildroot}%{_sharedstatedir}/acme/private
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
install -m 0755 acme-tiny-sign.sh %{buildroot}%{_libexecdir}/%{name}/sign
|
|
|
9ddfc06 |
install -m 0755 acme_tiny.py %{buildroot}%{_sbindir}/acme_tiny
|
|
|
9ddfc06 |
ln -sf acme_tiny %{buildroot}%{_sbindir}/acme-tiny
|
|
|
9ddfc06 |
ln -sf %{_libexecdir}/%{name}/sign %{buildroot}%{_sbindir}/acme-tiny-sign
|
|
|
9ddfc06 |
install -m 0755 cert-check.py %{buildroot}%{_sbindir}/cert-check
|
|
|
9ddfc06 |
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/conf.d
|
|
|
9ddfc06 |
install -m 0644 %{SOURCE4} %{buildroot}%{_sharedstatedir}/acme
|
|
|
9ddfc06 |
%if %{use_systemd}
|
|
|
9ddfc06 |
mkdir -p %{buildroot}%{_unitdir}
|
|
|
aed9609 |
install -pm 644 %{SOURCE6} %{buildroot}%{_unitdir}
|
|
|
aed9609 |
install -pm 644 %{SOURCE7} %{buildroot}%{_unitdir}
|
|
|
9ddfc06 |
%else
|
|
|
9ddfc06 |
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
|
|
|
9ddfc06 |
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/cron.d/acme-tiny
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%pre
|
|
|
9ddfc06 |
getent group acme > /dev/null || groupadd -r acme
|
|
|
9ddfc06 |
getent passwd acme > /dev/null || /usr/sbin/useradd -g acme \
|
|
|
9ddfc06 |
-c "Tiny Auditable ACME Client" \
|
|
|
9ddfc06 |
-r -d %{_sharedstatedir}/acme -s /sbin/nologin acme
|
|
|
9ddfc06 |
exit 0
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%if %{use_systemd}
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%post
|
|
|
9ddfc06 |
%systemd_post acme-tiny.service acme-tiny.timer
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%postun
|
|
|
9ddfc06 |
%systemd_postun_with_restart acme-tiny.service acme-tiny.timer
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%preun
|
|
|
9ddfc06 |
%systemd_preun acme-tiny.service acme-tiny.timer
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%endif
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%files
|
|
|
9ddfc06 |
%{!?_licensedir:%global license %%doc}
|
|
|
9ddfc06 |
%license LICENSE
|
|
|
9ddfc06 |
%doc README.md README-fedora.md
|
|
|
9ddfc06 |
%attr(0755,acme,acme) /var/www/challenges
|
|
|
9ddfc06 |
%attr(-,acme,acme) %{_sharedstatedir}/acme
|
|
|
9ddfc06 |
%{_libexecdir}/%{name}
|
|
|
9ddfc06 |
%config(noreplace) %{_sysconfdir}/httpd/conf.d/acme.conf
|
|
|
9ddfc06 |
%if %{use_systemd}
|
|
|
9ddfc06 |
%{_unitdir}/*
|
|
|
9ddfc06 |
%else
|
|
|
9ddfc06 |
%config(noreplace) %{_sysconfdir}/cron.d/acme-tiny
|
|
|
9ddfc06 |
%endif
|
|
|
9b5f083 |
/usr/sbin/acme_tiny
|
|
|
9ddfc06 |
/usr/sbin/acme-tiny
|
|
|
9ddfc06 |
/usr/sbin/acme-tiny-sign
|
|
|
9ddfc06 |
/usr/sbin/cert-check
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
%changelog
|
|
|
880c508 |
* Wed Nov 22 2017 Stuart D. Gathman <stuart@gathman.org> 0.2-3.20170616gitaf025f5
|
|
|
880c508 |
- BZ#1507333 EL6 missing python-argparse dependency
|
|
|
880c508 |
- BZ#1515781 Agreement updated.
|
|
|
880c508 |
- BZ#1409345 Unwritable certs silently skipped
|
|
|
880c508 |
|
|
 |
63d5d90 |
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-2.20170516gitaf025f5
|
|
|
63d5d90 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
|
63d5d90 |
|
|
|
55e6566 |
* Thu Jul 6 2017 Stuart D. Gathman <stuart@gathman.org> 0.2-1.20170616gitaf025f5
|
|
|
b8abc0a |
- BZ#1468045 Update to new upstream version
|
|
|
9b5f083 |
- BZ#1409686 Message.getallmatchingheaders() is broken in python3.
|
|
|
9b5f083 |
|
|
|
d0dda28 |
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1-12.20160810git5a7b4e7
|
|
|
d0dda28 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
|
d0dda28 |
|
|
 |
1eacdf0 |
* Mon Dec 19 2016 Miro HronĨok <mhroncok@redhat.com> - 0.1-11.20160810git5a7b4e7
|
|
|
1eacdf0 |
- Rebuild for Python 3.6
|
|
|
1eacdf0 |
|
|
|
8d1d687 |
* Mon Aug 22 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-10.20160810git5a7b4e7
|
|
|
9ddfc06 |
- Fix cert writable check in sign script
|
|
|
9ddfc06 |
- More tips in README-fedora.md
|
|
|
9ddfc06 |
|
|
|
8d1d687 |
* Mon Aug 22 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-9.20160810git5a7b4e7
|
|
|
9ddfc06 |
- Use %%{systemd_requires}
|
|
|
9ddfc06 |
- Remove unneeded cronie, python dependencies
|
|
|
9ddfc06 |
- Add acme-tiny.timer to systemd scriptlets
|
|
|
9ddfc06 |
- Add README-fedora.md
|
|
|
9ddfc06 |
- acme_tiny: Fix --chain patch for python2.6 (el6)
|
|
|
9ddfc06 |
- acme_tiny: Suppress traceback on error
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Sun Aug 21 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-8
|
|
|
9ddfc06 |
- Add use_systemd flag to use systemd timer and enable on Fedora and epel7
|
|
|
9ddfc06 |
- Enable use_python3 flag for Fedora (but not epel7).
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Sat Aug 20 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-7
|
|
|
9ddfc06 |
- sign: Actually use the new --chain flag
|
|
|
9ddfc06 |
- cron: Make days to expiration explicit
|
|
|
9ddfc06 |
- spec: Set file modes with install
|
|
|
9ddfc06 |
- acme.conf: mark as config
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Fri Aug 19 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-6
|
|
|
9ddfc06 |
- Python3 fixes for cert-check
|
|
|
9ddfc06 |
- acme-tiny: Update patch to leave default behavior unchanged
|
|
|
9ddfc06 |
- make /var/lib/acme readable by all except private
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Thu Aug 11 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-5
|
|
|
9ddfc06 |
- sign: Use tmp output to avoid wiping existing cert on error
|
|
|
9ddfc06 |
- acme_tiny: get intermediate cert from acme protocol
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Thu Aug 11 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-4
|
|
|
9ddfc06 |
- Fix path of acme_tiny and make days explicit in sign script
|
|
|
9ddfc06 |
- Add crontab
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Wed Aug 10 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-3
|
|
|
9ddfc06 |
- Add global acme httpd conf
|
|
|
9ddfc06 |
- Append intermediate certs, add current lets-encrypt intermediate cert
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Tue Aug 9 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-2
|
|
|
9ddfc06 |
- add private, csr, certs directories
|
|
|
9ddfc06 |
- add sign script suitable for cron
|
|
|
9ddfc06 |
|
|
|
9ddfc06 |
* Mon Aug 8 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-1
|
|
|
9ddfc06 |
- Initial RPM
|