From 2ea4b87521352a2aa8606b2fa22be1ecc78591a5 Mon Sep 17 00:00:00 2001 From: Stuart D. Gathman Date: Apr 08 2019 15:47:30 +0000 Subject: Add generic notify script. --- diff --git a/acme-tiny.spec b/acme-tiny.spec index 8628dfe..0b0356d 100644 --- a/acme-tiny.spec +++ b/acme-tiny.spec @@ -15,7 +15,7 @@ Name: acme-tiny Version: 4.0.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Tiny auditable script to issue, renew Let's Encrypt certificates License: MIT @@ -29,6 +29,8 @@ Source5: acme-tiny.cron Source6: acme-tiny.timer Source7: acme-tiny.service Source8: README-fedora.md +# simple script hook to kick services when cert is updated +Source9: notify.sh # Fetch and include intermediate cert(s), too. Patch0: acme-tiny-chain.patch # Python3 broke getallmatchingheaders() and the fix breaks python2 @@ -93,6 +95,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}%{_libexecdir}/%{name} mkdir -p %{buildroot}%{_sharedstatedir}/acme/{private,csr,certs} +mkdir -p %{buildroot}%{_sysconfdir}/acme/notify.d chmod 0700 %{buildroot}%{_sharedstatedir}/acme/private install -m 0755 acme-tiny-sign.sh %{buildroot}%{_libexecdir}/%{name}/sign @@ -102,6 +105,7 @@ ln -sf %{_libexecdir}/%{name}/sign %{buildroot}%{_sbindir}/acme-tiny-sign install -m 0755 cert-check.py %{buildroot}%{_sbindir}/cert-check install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/conf.d install -m 0644 %{SOURCE4} %{buildroot}%{_sharedstatedir}/acme +install -m 0755 %{SOURCE9} %{buildroot}%{_sysconfdir}/acme %if %{use_systemd} mkdir -p %{buildroot}%{_unitdir} install -pm 644 %{SOURCE6} %{buildroot}%{_unitdir} @@ -154,6 +158,9 @@ exit 0 %{_sbindir}/acme_tiny %changelog +* Mon Mar 08 2019 Stuart D. Gathman 4.0.4-4 +- Add notify script for incron + * Thu Jan 31 2019 Fedora Release Engineering - 4.0.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/notify.sh b/notify.sh new file mode 100755 index 0000000..d027247 
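Review bot: Nothing in this commit adds `%{_sysconfdir}/acme/notify.sh` or the new `notify.d` directory to `%files`; the last spec hunk shows the end of that section unchanged. Unless an entry outside the hunks already covers `%{_sysconfdir}/acme`, the build will stop on an unpackaged file and the drop-in directory will be unowned. Every executable in `notify.d` is run by the hook, so its ownership and mode are worth pinning explicitly, e.g. `%dir %attr(0755,root,root) %{_sysconfdir}/acme/notify.d`, instead of taking whatever the `mkdir -p` line produces. notify.sh is code rather than configuration, so `%{_libexecdir}/%{name}`, where `sign` is already installed, would be a more natural home than `%{_sysconfdir}`.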
--- /dev/null
+++ b/notify.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+cert="$1"
+name="${cert##*/}"
+script="/etc/acme/notify.d/${name%.crt}.sh"
+
+# kick apache if cert is mentioned
+if grep "$cert" /etc/httpd/conf.d/*.conf >/dev/null 2>&1; then
+ apachectl graceful
+fi
+
+# kick sendmail if cert is mentioned
+if grep "/etc/pki/tls/certs/$name" /etc/mail/*.cf >/dev/null 2>&1; then
+ cp "$cert" /etc/pki/tls/certs && systemctl restart sendmail
+fi
+
+# run any dropin extension
+if test -x "$script"; then
+ "$script" "$cert"
+fi
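Review bot: Both `grep` tests in the new script use `$cert` and `$name` as regular expressions and run even when `$1` is empty, so an empty argument matches any config line and reloads Apache, and a file name containing metacharacters can match lines that refer to a different certificate. The changelog says the hook is meant for incron, so the name presumably comes from whatever writes the watched directory and should be treated as untrusted input. Add `[ -f "$cert" ] || exit 1` after the assignments and switch to fixed-string matching, `grep -qF -- "$cert" /etc/httpd/conf.d/*.conf`, with the same change for the sendmail test. The exit status of `apachectl graceful` is also discarded, so a failed reload after a renewal goes unnoticed unless it is logged or propagated.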