acme: Update to v1.3.

This version handles transitioning from a previous certificate that was
issues using the staging server, adds more debug logging, and handles
state directories better if issuing fails.

Signed-off-by: Toke Høiland-Jørgensen <redacted>

diff --git a/net/acme/Makefile b/net/acme/Makefile
index a20b0aa809c526170ec419771fe0975496528668..07e5d8d0e83717181a5181444246ce9b875df69d 100644 (file)
--- a/net/acme/Makefile
+++ b/net/acme/Makefile
@@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme
 PKG_SOURCE_VERSION:=3c33cdfa3da68000a40b85304821705f0deea951
-PKG_VERSION:=1.2
-PKG_RELEASE:=2
+PKG_VERSION:=1.3
+PKG_RELEASE:=1
 PKG_LICENSE:=GPLv3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE).tar.xz

diff --git a/net/acme/files/run.sh b/net/acme/files/run.sh
index 7deb22d4b7f66e577fb3d3c76732b1a8830c9f4f..2e227c04ad7a35e883ad0a31613a207996c41abd 100644 (file)
--- a/net/acme/files/run.sh
+++ b/net/acme/files/run.sh
@@ -26,11 +26,18 @@ check_cron()
     /etc/init.d/cron start
 }
 
+debug()
+{
+    [ "$DEBUG" -eq "1" ] && echo "$@" >&2
+}
+
 pre_checks()
 {
     echo "Running pre checks."
     check_cron
 
+    [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
+
     if [ -e /etc/init.d/uhttpd ]; then
 
        UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)
@@ -42,6 +49,9 @@ pre_checks()
 
     iptables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
     ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT || return 1
+    debug "v4 input_rule: $(iptables -nvL input_rule)"
+    debug "v6 input_rule: $(ip6tables -nvL input_rule)"
+    debug "port80 listens: $(netstat -ntpl | grep :80)"
     return 0
 }
 
@@ -71,6 +81,14 @@ int_out()
     kill -INT $$
 }
 
+is_staging()
+{
+    local main_domain="$1"
+
+    grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
+    return $?
+}
+
 issue_cert()
 {
     local section="$1"
@@ -81,6 +99,8 @@ issue_cert()
     local keylength
     local domains
     local main_domain
+    local moved_staging=0
+    local failed_dir
 
     config_get_bool enabled "$section" enabled 0
     config_get_bool use_staging "$section" use_staging
@@ -96,8 +116,15 @@ issue_cert()
     main_domain=$1
 
     if [ -e "$STATE_DIR/$main_domain" ]; then
-        $ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1
-        return 0
+        if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
+            echo "Found previous cert issued using staging server. Moving it out of the way."
+            mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
+            moved_staging=1
+        else
+            echo "Found previous cert config. Issuing renew."
+            $ACME --home "$STATE_DIR" --renew -d "$main_domain" $acme_args || return 1
+            return 0
+        fi
     fi
 
 
@@ -108,7 +135,13 @@ issue_cert()
     [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"
 
     if ! $ACME --home "$STATE_DIR" --issue $acme_args; then
-        echo "Issuing cert for $main_domain failed. It may be necessary to remove $STATE_DIR/$main_domain to recover." >&2
+        failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
+        echo "Issuing cert for $main_domain failed. Moving state to $failed_dir" >&2
+        [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
+        if [ "$moved_staging" -eq "1" ]; then
+            echo "Restoring staging certificate" >&2
+            mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"
+        fi
         return 1
     fi