Use nft instead of iptables to open port 80 in the firewall when getting a
cert. Since nft doesn't allow deleting a rule by its contents, capture and
save the handle when creating the rule, and use that to delete.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Default to letsencrypt because the upstream default may change.
Passing --staging is no longer needed, since --serever will
select a staging server if needed.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Tested-by: Georgi Valkov <gvalkov@abv.bg>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time.
Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a
standard style.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
It seems the command name output from netstat can be truncated in weird
ways, so let's get the binary name from /proc instead and use that for
matching which listener we have.
Fixes#15071.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The underlying `acme.sh` allows custom ACME server URLs (using `--server`). Adding the necessary field to specify a custom ACME server URL from UCI.
Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
If a daemon listens on multiple addresses at once, it'll show up multiple
times in get_listeners() which will clobber the config for uhttpd. Fix this
by skipping subsequent handlings of the same daemon binary.
Fixes#13325.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Add possibility for user to provide setup and cleanup scripts for
additional flexibility. Setup-script takes precedence over the built-in
behavior of acme.
This helps users with more complex use-cases to utilize acme to update
certificates without adding complexity to the provided run.sh script.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
Error was:
The domain 'example.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
Signed-off-by: David Yang <mmyangfl@gmail.com>
When issuing an ECC certificate, acme.sh for some reason changes the name
of the directory used for the certificate state. Handle this correctly when
moving directories and updating config files.
Fixes#7941.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The variables can be empty if not set in the UCI config.
Reported-by: Petr Novák <petrn@me.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Move loading credential function before cert renewal call as credentials might be needed for some renewal operations ( ex: DNS )
Signed-off-by: Adrien DAURIAT <16813527+dauriata@users.noreply.github.com>
[toke@toke.dk: Port to master branch]
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
issue_cert fuction may return without calling post_checks, which leaves
port 80 open and uhttpd configuration is not restored is listen_http was
set.
Always call post_checks when returning from issue_cert.
Signed-off-by: Alexey I. Froloff <raorn@raorn.name>
This adds a metapakcge for acme luci ap without uhttpd dependency and adds entities and check to stop handle nginx server and modify the certificate set automatically.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
The upstream acme.sh package changed to using socat instead of netcat;
update the dependencies to reflect this, and pass --listen-v6 when running
in standalone mode (since socat only listens on IPv4 by default).
Also add a missing cleanup call when certificate issuance fails.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The new procd config dependency tracking requires the start method to be
called even on boot. So add a state file that is checked by the run script
to condition the special-case boot run instead of the previous independent
call to the run script.
Ref: https://github.com/openwrt/luci/pull/1769
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
fixes webroot to be defined as
_currentRoot='/www'
instead of being interpreted as
_currentRoot='"/www"'
Signed-off-by: Aleksei Nosachev <nos1609@hotmail.com>
For configurations where another web server is running on port 80, running
acme.sh in standalone mode fails. Try to detect this and refuse to run; and
allow the user to configure a webroot directory to use the running webserver for
certificate verification.
This also updates acme.sh to the latest version.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Use newest acme.sh release (2.6.8).
Remove dependency on ca-certificates and add dependency on ca-bundle.
Update environment variable.
Signed-off-by: Daniel Halmschlager <da@halms.at>
This updates to the latest git version of acme.sh and drops the patch to
disable timestamps from the output (since that is now supported
upstream).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This version handles transitioning from a previous certificate that was
issues using the staging server, adds more debug logging, and handles
state directories better if issuing fails.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This version will use the standalone (netcat) mode of acme.sh during
verification instead of exposing uhttpd to the internet for the duration
of the verification. It will also add an ip6tables rule to also support
verification over IPv6.
Also contains an updated version of acme.sh.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This adds a package wrapping the acme.sh script from
https://github.com/Neilpang/acme.sh in Uci config and hooks to interact
correctly with uhttpd.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Toke Høiland-Jørgensen