From 5bf9ac63df57d8e3e07c59cec48d60ca7a3d3fe5 Mon Sep 17 00:00:00 2001 From: Stuart D. Gathman Date: Dec 06 2019 00:47:24 +0000 Subject: Update README-fedora.md to describe notify.sh --- diff --git a/README-fedora.md b/README-fedora.md index 775e524..afe51af 100644 --- a/README-fedora.md +++ b/README-fedora.md 
@@ -99,20 +99,21 @@ and other apps. Sendmail is a special problem - it insists that any certificates it loads be only writable by root. This is at odds with the privilege separation of the acme user. (Obviously, the private key must be accessible only by root.) You -can, of course, copy the crt file to /etc/pki/tls/certs as root and change the -mode. But this has to be done every time the cert is renewed. You can +can, of course, copy the crt file to `/etc/pki/tls/certs` as root and change +the mode. But this has to be done every time the cert is renewed. You can install `incron` to do this. After installing, create `/etc/incron.d/acme` with the line ``` -/var/lib/acme/certs/mail.crt IN_MOVED_TO cp $@ /etc/pki/tls/certs +/var/lib/acme/certs/mail.crt IN_MOVED_TO /etc/acme-tiny/notify.sh $@ ``` -where `mail.crt` is the certificate sendmail will use. Sendmail -can then load it from /etc/pki/tls/certs and be happy. This also -solves the file context problem if you add lines for other certificates. -You might wonder why we don't simply supply an acme incrontab as part -of the package with a wildcard, for example: +where `mail.crt` is the certificate sendmail will use. The notify.sh script +sees the reference to `/etc/pki/tls/certs/mail.crt` in `/etc/mail/*.cf`, and +copies it to `/etc/pki/tls/certs`. Sendmail can then load it from there and be +happy. This also solves the file context problem if you add lines for other +certificates. You might wonder why we don't simply supply an acme incrontab as +part of the package with a wildcard, for example: ``` -/var/lib/acme/certs/*.crt IN_MOVED_TO cp $@ /etc/pki/tls/certs +/var/lib/acme/certs/*.crt IN_MOVED_TO /etc/acme-tiny/notify.sh $@ ``` The answer is that incron is insecure, and very nasty things can be done by putting shell meta characters (including semicolon and quote!) in 
@@ -134,6 +135,9 @@ Most web servers can handle multiple logical web hosts - configuring that is beyond the scope of this document. Each virtual host may need to have its own certificate for SSL. They can all share the same key file (see above for how to use an existing key for certificate requests), or use different keys. -Put all the CSRs in /var/lib/acme/csr and the acme-tiny service will keep them -all renewed. This also works for certificates used by other SSL applications, -such as dovecot, sendmail, jabberd, or znc. +Note that apache can load certs directly from `/var/lib/acme/certs`, and +so notify.sh simply does `apachectl graceful`. + +Put all the CSRs in `/var/lib/acme/csr` and the acme-tiny service will keep +them all renewed. This also works for certificates used by other SSL +applications, such as dovecot, sendmail, jabberd, or znc.
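Review bot: In the first hunk (README-fedora.md around line 99), the incrontab line still hands `$@` to `/etc/acme-tiny/notify.sh`, yet the new prose says notify.sh finds the certificate path by reading `/etc/mail/*.cf` rather than from its argument; please state what notify.sh actually does with the path incron passes in, and, since the very next sentence warns that shell metacharacters in filenames make incron dangerous, say explicitly that notify.sh quotes or ignores that argument and acts only on the paths it finds in the `.cf` files. The wording "sees the reference to `/etc/pki/tls/certs/mail.crt` in `/etc/mail/*.cf`" is also vague: document whether it requires an exact path match, and what happens (no copy? an error?) when no such reference exists. Minor: the rest of the hunk uses backticks for paths and file names, so `notify.sh` should be backticked in "The notify.sh script" as well.

Review bot: In the second hunk (README-fedora.md around line 134), "so notify.sh simply does `apachectl graceful`" does not say under what condition that happens; on a host that only runs sendmail, an unconditional `apachectl graceful` from the incron hook would fail, so document whether notify.sh checks that httpd is installed or running first, and whether the reload covers every renewed certificate or only those referenced by the web server configuration. Also consider moving the new paragraph so that the Apache note and the "Put all the CSRs in `/var/lib/acme/csr`" paragraph each sit with the text they belong to, and capitalise "apache" as "Apache" to match "Sendmail" elsewhere in the file.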