From: Toke Høiland-Jørgensen <redacted>
Date: Sun, 12 Jan 2020 18:59:01 +0000 (+0100)
Subject: acme: Correctly handle domain state dir for ECC certificates
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=983cc995a3b2a0a1fce99172057ccdac36b805c6;p=openwrt-packages.git

acme: Correctly handle domain state dir for ECC certificates

When issuing an ECC certificate, acme.sh for some reason changes the name
of the directory used for the certificate state. Handle this correctly when
moving directories and updating config files.

Fixes #7941.

Signed-off-by: Toke Høiland-Jørgensen <redacted>
---

diff --git a/net/acme/Makefile b/net/acme/Makefile
index f62847d46..bf3a4c070 100644
--- a/net/acme/Makefile
+++ b/net/acme/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme
 PKG_VERSION:=2.8.3
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/Neilpang/acme.sh/tar.gz/$(PKG_VERSION)?
diff --git a/net/acme/files/run.sh b/net/acme/files/run.sh
index 3d25321d7..1405c70e7 100644
--- a/net/acme/files/run.sh
+++ b/net/acme/files/run.sh
@@ -165,9 +165,12 @@ int_out()
 
 is_staging()
 {
-    local main_domain="$1"
+    local main_domain
+    local domain_dir
+    main_domain="$1"
+    domain_dir="$2"
 
-    grep -q "acme-staging" "$STATE_DIR/$main_domain/${main_domain}.conf"
+    grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"
     return $?
 }
 
@@ -187,6 +190,7 @@ issue_cert()
     local webroot
     local dns
     local ret
+    local domain_dir
 
     config_get_bool enabled "$section" enabled 0
     config_get_bool use_staging "$section" use_staging
@@ -209,6 +213,12 @@ issue_cert()
 
     [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1
 
+    if echo $keylength | grep -q "^ec-"; then
+        domain_dir="$STATE_DIR/${main_domain}_ecc"
+    else
+        domain_dir="$STATE_DIR/${main_domain}"
+    fi
+
     log "Running ACME for $main_domain"
 
     handle_credentials() {
@@ -217,10 +227,10 @@ issue_cert()
     }
     config_list_foreach "$section" credentials handle_credentials
 
-    if [ -e "$STATE_DIR/$main_domain" ]; then
-        if [ "$use_staging" -eq "0" ] && is_staging "$main_domain"; then
+    if [ -e "$domain_dir" ]; then
+        if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then
             log "Found previous cert issued using staging server. Moving it out of the way."
-            mv "$STATE_DIR/$main_domain" "$STATE_DIR/$main_domain.staging"
+            mv "$domain_dir" "${domain_dir}.staging"
             moved_staging=1
         else
             log "Found previous cert config. Issuing renew."
@@ -253,26 +263,26 @@ issue_cert()
     fi
 
     if ! run_acme --home "$STATE_DIR" --issue $acme_args; then
-        failed_dir="$STATE_DIR/${main_domain}.failed-$(date +%s)"
+        failed_dir="${domain_dir}.failed-$(date +%s)"
         err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
-        [ -d "$STATE_DIR/$main_domain" ] && mv "$STATE_DIR/$main_domain" "$failed_dir"
+        [ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"
         if [ "$moved_staging" -eq "1" ]; then
             err "Restoring staging certificate"
-            mv "$STATE_DIR/${main_domain}.staging" "$STATE_DIR/${main_domain}"
+            mv "${domain_dir}.staging" "${domain_dir}"
         fi
         post_checks
         return 1
     fi
 
     if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
-        uci set uhttpd.main.key="$STATE_DIR/${main_domain}/${main_domain}.key"
-        uci set uhttpd.main.cert="$STATE_DIR/${main_domain}/fullchain.cer"
+        uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"
+        uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"
         # commit and reload is in post_checks
     fi
 
     if [ -e /etc/init.d/nginx ] && [ "$update_nginx" -eq "1" ]; then
-        sed -i "s#ssl_certificate\ .*#ssl_certificate $STATE_DIR/${main_domain}/fullchain.cer;#g" /etc/nginx/nginx.conf
-        sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key $STATE_DIR/${main_domain}/${main_domain}.key;#g" /etc/nginx/nginx.conf
+        sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf
+        sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf
         # commit and reload is in post_checks
     fi