authorBenjamin Tietz <bt@bahntechnik.de>2020-09-23 17:22:32 +0200
committerGuilhem Moulin <guilhem@fripost.org>2021-02-14 15:47:53 +0100
commit9dfb2cde7baf686113e49266c28940c8a564c1ca (patch)
tree35c0ab9b2b01b49a42758065cebd4980eeed9eee
parent1005c094839b76dffde6a10138af978cb8d83375 (diff)
lacme: allow direct use challenge-directory .well-known/acme-challenge
-rw-r--r--config/lacme.conf4
-rwxr-xr-xlacme26
-rw-r--r--lacme.8.md5
3 files changed, 31 insertions, 4 deletions
diff --git a/config/lacme.conf b/config/lacme.conf
index e49bd39..2955984 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -71,6 +71,10 @@
#
#challenge-directory =
+# Do not symlink the challenge-directory, but copy the challenge-files
+# explictly.
+#hard-copy-challenge-directory = No
+
# username to drop privileges to (setting both effective and real uid).
# Skip privilege drop if the value is empty (not recommended).
#
diff --git a/lacme b/lacme
index 7f3d65d..d7ae8ce 100755
--- a/lacme
+++ b/lacme
@@ -28,6 +28,7 @@ my $NAME = 'lacme';
use Errno 'EINTR';
use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/;
use File::Temp ();
+use File::Path 'remove_tree';
use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/;
use List::Util 'first';
use POSIX ();
@@ -104,6 +105,7 @@ do {
webserver => {
listen => '@@runstatedir@@/lacme-www.socket',
'challenge-directory' => undef,
+ 'hard-copy-challenge-directory' => 'No',
user => '@@lacme_www_user@@',
group => '@@lacme_www_group@@',
command => '@@libexecdir@@/lacme/webserver',
@@ -289,10 +291,26 @@ sub spawn_webserver() {
# serve ACME challenge reponses).
if (defined (my $dir = $conf->{'challenge-directory'})) {
print STDERR "[$$] Using existing webserver on $dir\n" if $OPTS{debug};
- symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!";
- push @CLEANUP, sub() {
- print STDERR "Unlinking $dir\n" if $OPTS{debug};
- unlink $dir or warn "Warning: Can't unlink $dir: $!";
+ if (lc ($conf->{'hard-copy-challenge-directory'} // 'No') eq 'yes') {
+ mkdir $dir or die "Can't create directory $dir: $!";
+ $tmpdir = $dir;
+ push @CLEANUP, sub() {
+ my $error = undef;
+ remove_tree($dir, { safe => 1, error => \$error });
+ if ($error && @$error) {
+ foreach my $e (@$error) {
+ my ($file, $message) = %$e;
+ my $msghead = $file?"Error removing $file in":"Error while removing";
+ warn "$msghead challenge dir $dir: $message\n";
+ }
+ }
+ }
+ } else {
+ symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!";
+ push @CLEANUP, sub() {
+ print STDERR "Unlinking $dir\n" if $OPTS{debug};
+ unlink $dir or warn "Warning: Can't unlink $dir: $!";
+ }
}
}
elsif (!@sockaddr) {
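Review bot: The new `hard-copy-challenge-directory` branch does not copy anything — `$tmpdir = $dir` after the `mkdir` makes lacme write the challenge responses straight into the configured directory, so the wording "copy the challenge-files explictly" in the config/lacme.conf and lacme.8.md hunks (typo included) describes behaviour the code does not have; something like "write the challenge files directly into challenge-directory instead of symlinking it to a temporary directory" would match, and a one-line comment above the `mkdir`, `# challenge responses are written directly into $dir; it is removed on cleanup`, would help the next reader. The bare `mkdir $dir` takes its mode from the process umask, so whether the separate webserver user can read the files now depends on the caller's umask rather than on how the temporary directory was created — worth either passing an explicit mode or stating the requirement in the man page (the original temporary directory's creation is outside the hunk, so I cannot confirm its mode). The new cleanup closure also drops the debug trace the symlink branch keeps; `print STDERR "Removing $dir\n" if $OPTS{debug};` before `remove_tree` keeps the two branches consistent. spawn_webserver's body starts and ends outside the hunk.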
diff --git a/lacme.8.md b/lacme.8.md
index 384f21b..404180c 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -244,6 +244,11 @@ served during certificate issuance.
authorization) as static files.
This option is required when *listen* is empty.
+*hard-copy-challenge-directory*
+
+: Do not symlink the challenge-directory, but copy the challenge-files
+ explictly.
+
*user*
: The username to drop privileges to (setting both effective and real