# Select the interpreter the packaged scripts target; the prep section reads
# this flag when deciding whether to rewrite shebang lines to python3.
# Explicitly require python3 on Fedora to help track which packages
# no longer need python2.
%global use_python3 0
%if 0%{?fedora} || 0%{?rhel} > 7
%global use_python3 1
%endif
# Main package: directory layout, systemd units and helper scripts around the
# upstream client (the client itself ships in the core subpackage).
Name:           acme-tiny
Version:        5.0.1
Release:        2%{?dist}
Summary:        Tiny auditable script to issue, renew Let's Encrypt certificates

License:        MIT
URL:            https://github.com/diafygi/%{name}
# Upstream release tarball, fetched from the GitHub archive URL.
# NOTE(review): the spec itself carries no checksum or signature for this
# tarball; confirm the build pipeline verifies it against a recorded digest.
Source0:        https://github.com/diafygi/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
# Packaging-side helpers; these are not part of the upstream tarball.
# Installed as the libexec "sign" helper.
Source1:        acme-tiny-sign.sh
Source2:        cert-check.py
# Dropped into the httpd conf.d directory.
Source3:        acme.conf
Source6:        acme-tiny.timer
Source7:        acme-tiny.service
Source8:        README-fedora.md
# simple script hook to kick services when cert is updated
Source9:        notify.sh
Source10:       acme-tiny-notify.service
# Installed as the sysconfig file named after the package.
Source11:       acme-tiny.conf

# shadow-utils supplies the groupadd/useradd calls made by the pre scriptlet.
Requires(pre):  shadow-utils
# systemd macros are not defined unless systemd is present
BuildRequires:  systemd
%{?systemd_requires}
# Lock the wrapper package to the exact version-release of the core client.
Requires:       %{name}-core = %{version}-%{release}
BuildArch:      noarch
# Weak dependencies only: a web server is suggested, never forced.
%if 0%{?fedora}
Suggests:       httpd, mod_ssl, nginx
Enhances:       httpd, mod_ssl, nginx
%endif

%description
This is a tiny, auditable script that you can throw on your server to issue and
renew Let's Encrypt certificates. Since it has to be run on your server and
have access to your private Let's Encrypt account key, I tried to make it as
tiny as possible (currently less than 200 lines). The only prerequisites are
python and openssl.

Well, that and a web server - but then you only need this with a web server.
This package adds a simple directory layout and timer service that runs
acme_tiny on installed CSRs as the acme user for privilege separation.
%package core
# Subpackage carrying only the upstream acme_tiny script, so other tooling can
# depend on it without the units, account and directory layout of the main package.
Summary:        Core python module of acme-tiny
Requires:       openssl
Requires:       python3
# NOTE(review): python3 is required unconditionally, but the prep section only
# rewrites the shebang to python3 when use_python3 is 1; where it is 0 the
# script keeps a /usr/bin/python shebang. Confirm those targets are still built.
%if 0%{?rhel} >= 5 && 0%{?rhel} < 7
# EL6 uses python2.6, which does not include argparse
Requires:       python-argparse
%endif
BuildArch:      noarch

%description core
Includes only the core acme_tiny.py script and its dependencies.
Alternate frameworks that use acme_tiny.py can install this to avoid pulling in
unneeded packages.
%prep
%setup -q -n %{name}-%{version}
# Copy the packaging-side scripts and README next to the unpacked upstream tree.
cp -p %{SOURCE1} .
cp -p %{SOURCE2} .
cp -p %{SOURCE8} .
# If line 1 of acme_tiny.py ends in "python", replace it with an absolute
# interpreter path so the installed script does not resolve python through PATH.
# The untouched file is kept as acme_tiny.py.orig in the build directory.
sed -i.orig -e '1,1 s,^.*python$,#!/usr/bin/python,' acme_tiny.py
%if %{use_python3}
# Applies to every .py in the build directory (acme_tiny.py and cert-check.py):
# a first line ending in "python" becomes "python3".
sed -i.old -e '1,1 s/python$/python3/' *.py
%endif
%build
# Intentionally empty: the package is noarch and ships scripts as-is.
%install
# Create the whole directory skeleton in one pass.
mkdir -p \
    %{buildroot}/var/www/challenges \
    %{buildroot}%{_sysconfdir}/httpd/conf.d \
    %{buildroot}%{_sbindir} \
    %{buildroot}%{_libexecdir}/%{name} \
    %{buildroot}%{_sharedstatedir}/acme/{private,csr,certs,.notify} \
    %{buildroot}%{_sysconfdir}/%{name}/notify.d \
    %{buildroot}%{_sysconfdir}/sysconfig \
    %{buildroot}%{_unitdir}
# Owner-only access on private/ (presumably where the account key is kept;
# see README-fedora.md). The files section preserves this mode.
chmod 0700 %{buildroot}%{_sharedstatedir}/acme/private

# Helper scripts live under libexec and are reached through symlinks.
install -m 0755 acme-tiny-sign.sh %{buildroot}%{_libexecdir}/%{name}/sign
install -m 0755 %{SOURCE9} %{buildroot}%{_libexecdir}/%{name}/notify
ln -sf %{_libexecdir}/%{name}/sign %{buildroot}%{_sbindir}/acme-tiny-sign
ln -sf %{_libexecdir}/%{name}/notify %{buildroot}%{_sysconfdir}/%{name}/notify.sh

# Upstream client (packaged by the core subpackage), its package-named alias,
# and the certificate checker.
install -m 0755 acme_tiny.py %{buildroot}%{_sbindir}/acme_tiny
ln -sf acme_tiny %{buildroot}%{_sbindir}/%{name}
install -m 0755 cert-check.py %{buildroot}%{_sbindir}/cert-check

# Configuration files: readable by all, writable by root only.
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/conf.d
install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/%{name}

# systemd units: timer, signing service and notify service.
install -pm 644 %{SOURCE6} %{SOURCE7} %{SOURCE10} %{buildroot}%{_unitdir}
%pre
# Create the dedicated "acme" system group and user the first time only.
# The account gets no login shell and uses the package state directory as home.
if ! getent group acme > /dev/null; then
    groupadd -r acme
fi
if ! getent passwd acme > /dev/null; then
    /usr/sbin/useradd -g acme \
        -c "Tiny Auditable ACME Client" \
        -r -d %{_sharedstatedir}/acme -s /sbin/nologin acme
fi
# Never fail the transaction from this scriptlet.
exit 0
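%post
# Unit names passed to the systemd macros must match the files installed into
# the unit directory by this spec: acme-tiny.service, acme-tiny-notify.service
# and acme-tiny.timer. The spec ships no unit called acme-tiny-notice.service,
# so the notify unit is named explicitly here and in the scriptlets below.
%systemd_post acme-tiny.service acme-tiny-notify.service acme-tiny.timer

%postun
# On upgrade, restart the listed units so they pick up the new files.
%systemd_postun_with_restart acme-tiny.service acme-tiny-notify.service acme-tiny.timer

%preun
# On final removal, stop and disable the listed units before files go away.
%systemd_preun acme-tiny.service acme-tiny-notify.service acme-tiny.timer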
%files
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc README-fedora.md

# Configuration: local edits survive upgrades (noreplace).
%config(noreplace) %{_sysconfdir}/httpd/conf.d/acme.conf
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
# Holds notify.d and the notify.sh symlink created in the install section.
%{_sysconfdir}/%{name}

# Programs, helpers and units.
%{_sbindir}/%{name}
%{_sbindir}/acme-tiny-sign
%{_sbindir}/cert-check
%{_libexecdir}/%{name}
# NOTE(review): the glob owns whatever the install section puts in the unit
# directory; listing the three units by name would make additions explicit.
%{_unitdir}/*

# Directories handed to the unprivileged acme account.
# The challenge directory is owned by acme and stays world-readable (0755).
%attr(0755,acme,acme) /var/www/challenges
# The "-" mode keeps what the install section set, including 0700 on private;
# ownership applies to the directory and everything beneath it.
%attr(-,acme,acme) %{_sharedstatedir}/acme
%files core
# Only the upstream client plus its license and README; no units, no account
# data and no configuration are pulled in by this subpackage.
%{_sbindir}/acme_tiny
%license LICENSE
%doc README.md
%changelog
* Tue May 17 2022 Stuart D. Gathman <stuart@gathman.org> 5.0.1-2
- Add missing python3 dependency for new version
* Thu Oct 28 2021 Stuart D. Gathman <stuart@gathman.org> 5.0.1-1
- New upstream release
* Tue Sep 8 2021 Stuart D. Gathman <stuart@gathman.org> 4.1.1-2
- Remove CLI override in acme-tiny.service (uses /etc/sysconfig/acme-tiny now)
* Tue Sep 7 2021 Stuart D. Gathman <stuart@gathman.org> 4.1.1-1
- New upstream release
- Set days before expiration in /etc/sysconfig
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu May 27 2021 Stuart D. Gathman <stuart@gathman.org> 4.1.0-7
- Fix BZ#1839904
- enhance notify after cert update, incrond no longer needed
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.1.0-6
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Apr 9 2020 Stuart D. Gathman <stuart@gathman.org> 4.1.0-3
- Update README-fedora.md to describe notify.sh
- Apply selected changes from Marcel Metz <mmetz@adrian-broher.net>:
- Use openssl x509 -checkend parameter to determine certificate expiration
- Remove Let's Encrypt intermediate certificate
- Remove cron job used on non systemd systems
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Oct 11 2019 Tim Jackson <rpm@timj.co.uk> - 4.1.0-1
- Update to 4.1.0
* Fri Oct 11 2019 Stuart D. Gathman <stuart@gathman.org> 4.0.4-5
- Add generic notify script for incron
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 22 2018 Stuart D. Gathman <stuart@gathman.org> 4.0.4-1
- Official upstream release! BZ#1560531
- Move acme_tiny.py to acme-tiny-core subpackage BZ#1438181
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-4.20170516gitaf025f5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Nov 22 2017 Stuart D. Gathman <stuart@gathman.org> 0.2-3.20170616gitaf025f5
- BZ#1507333 EL6 missing python-argparse dependency
- BZ#1515781 Agreement updated.
- BZ#1409345 Unwritable certs silently skipped
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-2.20170516gitaf025f5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jul 6 2017 Stuart D. Gathman <stuart@gathman.org> 0.2-1.20170616gitaf025f5
- BZ#1468045 Update to new upstream version
- BZ#1409686 Message.getallmatchingheaders() is broken in python3.
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1-12.20160810git5a7b4e7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.1-11.20160810git5a7b4e7
- Rebuild for Python 3.6
* Mon Aug 22 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-10.20160810git5a7b4e7
- Fix cert writable check in sign script
- More tips in README-fedora.md
* Mon Aug 22 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-9.20160810git5a7b4e7
- Use %%{systemd_requires}
- Remove unneeded cronie, python dependencies
- Add acme-tiny.timer to systemd scriptlets
- Add README-fedora.md
- acme_tiny: Fix --chain patch for python2.6 (el6)
- acme_tiny: Suppress traceback on error
* Sun Aug 21 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-8
- Add use_systemd flag to use systemd timer and enable on Fedora and epel7
- Enable use_python3 flag for Fedora (but not epel7).
* Sat Aug 20 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-7
- sign: Actually use the new --chain flag
- cron: Make days to expiration explicit
- spec: Set file modes with install
- acme.conf: mark as config
* Fri Aug 19 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-6
- Python3 fixes for cert-check
- acme-tiny: Update patch to leave default behavior unchanged
- make /var/lib/acme readable by all except private
* Thu Aug 11 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-5
- sign: Use tmp output to avoid wiping existing cert on error
- acme_tiny: get intermediate cert from acme protocol
* Thu Aug 11 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-4
- Fix path of acme_tiny and make days explicit in sign script
- Add crontab
* Wed Aug 10 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-3
- Add global acme httpd conf
- Append intermediate certs, add current lets-encrypt intermediate cert
* Tue Aug 9 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-2
- add private, csr, certs directories
- add sign script suitable for cron
* Mon Aug 8 2016 Stuart D. Gathman <stuart@gathman.org> 0.1-1
- Initial RPM