-rw-r--r--.gitignore4
-rw-r--r--Changelog4
-rw-r--r--Makefile39
-rw-r--r--config/lacme-certs.conf2
-rw-r--r--config/lacme.conf10
-rwxr-xr-xlacme14
-rwxr-xr-xlacme-accountd2
-rw-r--r--lacme-accountd.1.md2
-rw-r--r--lacme.8.md18
-rw-r--r--snippets/apache2.conf2
-rw-r--r--snippets/nginx.conf2
11 files changed, 54 insertions, 45 deletions
diff --git a/.gitignore b/.gitignore
index 21f822a..f6e4380 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,4 @@
# vim swapfiles
.*.sw[po]
-# generated man-pages
-/lacme.8
-/lacme-accountd.1
+/build/
diff --git a/Changelog b/Changelog
index 95d17bf..2b1bbe2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,13 +1,11 @@
lacme (0.7) UNRELEASED;
- + Default listening socket for the webserver component is now
- /run/lacme-www.socket. (It was previously under the legacy directory
- /var/run.)
+ Adapt Apache2 snippet to Apache2 2.4.
* Makefile: major refactoring, add install and uninstall targets, honor
BUILD_DOCDIR and DESTDIR variables.
* Install lacme manual to section 8.
* Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
+ * Makefile: Use variables for target directories etc.
-- Guilhem Moulin <guilhem@debian.org> Thu, 22 Aug 2019 00:31:35 +0200
diff --git a/Makefile b/Makefile
index 467b834..757a581 100644
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,14 @@
DESTDIR ?= /usr/local
-BUILD_DOCDIR ?= .
-MANUAL_FILES = $(addprefix $(BUILD_DOCDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md)))
+BUILDDIR ?= ./build
+MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md)))
-all: manual
+all: manual $(addprefix $(BUILDDIR)/,lacme lacme-accountd client webserver $(wildcard config/* snippets/*))
doc: manual
manual: $(MANUAL_FILES)
# upper case the headers and remove the links
-$(MANUAL_FILES): $(BUILD_DOCDIR)/%: ./%.md
+$(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md
pandoc -f markdown -t json -- "$<" | ./pandoc2man.jq | pandoc -s -f json -t man -o "$@"
prefix ?= $(DESTDIR)
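Review bot: The new `MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md)))` keeps the recursive `=` flavour, so the `wildcard` (and the two nested functions) is re-evaluated every time the variable is expanded — in the `manual` prerequisite list and in the static pattern rule below it; `MANUAL_FILES := …` evaluates it once and is the usual idiom for wildcard- or shell-derived values. The result is the same today, but with `:=` a file created in `$(BUILDDIR)` mid-run cannot change the list between expansions.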
@@ -17,27 +17,40 @@ bindir ?= $(exec_prefix)/bin
sbindir ?= $(exec_prefix)/sbin
libexecdir ?= $(exec_prefix)/libexec
datarootdir ?= $(prefix)/share
+datadir ?= $(datarootdir)
sysconfdir ?= $(prefix)/etc
+localstatedir =? $(prefix)/var
+runstatedir ?= $(localstatedir)/run
mandir ?= $(datarootdir)/man
man1dir ?= $(mandir)/man1
man8dir ?= $(mandir)/man8
+$(BUILDDIR)/%: %
+ mkdir -pv -- $(dir $@)
+ cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@"
+ sed -i "s#@@bindir@@#$(bindir)#g; \
+ s#@@sbindir@@#$(sbindir)#g; \
+ s#@@libexecdir@@#$(libexecdir)#g; \
+ s#@@datadir@@#$(datadir)#g; \
+ s#@@runstatedir@@#$(runstatedir)#g; \
+ s#@@sysconfdir@@#$(sysconfdir)#g;" -- "$@"
+
install: all
- install -m0644 -vDt $(sysconfdir)/lacme config/*.conf snippets/*.conf
+ install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf
install -vd $(sysconfdir)/lacme/lacme-certs.conf.d
- install -m0644 -vDt $(datarootdir)/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem
- install -m0755 -vDt $(libexecdir)/lacme ./client ./webserver
- install -m0644 -vDt $(man1dir) $(BUILD_DOCDIR)/lacme-accountd.1
- install -m0644 -vDt $(man8dir) $(BUILD_DOCDIR)/lacme.8
- install -m0644 -vDt $(bindir) ./lacme-accountd
- install -m0644 -vDt $(sbindir) ./lacme
+ install -m0644 -vDt $(datadir)/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem
+ install -m0755 -vDt $(libexecdir)/lacme $(BUILDDIR)/client $(BUILDDIR)/webserver
+ install -m0644 -vDt $(man1dir) $(BUILDDIR)/lacme-accountd.1
+ install -m0644 -vDt $(man8dir) $(BUILDDIR)/lacme.8
+ install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd
+ install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme
uninstall:
rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme
rm -vf -- $(man1dir)/lacme-accountd.1 $(man8dir)/lacme.8
- rm -rvf -- $(sysconfdir)/lacme $(datarootdir)/lacme $(libexecdir)/lacme
+ rm -rvf -- $(sysconfdir)/lacme $(datadir)/lacme $(libexecdir)/lacme
clean:
- rm -vf -- $(MANUAL_FILES)
+ rm -rvf -- $(BUILDDIR)
.PHONY: all doc manual install uninstall clean
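Review bot: `localstatedir =? $(prefix)/var` is a typo for `?=`: Make parses it as a recursive `=` assignment whose value is the literal `? $(prefix)/var`, so `runstatedir` expands to `? /usr/local/var/run` and the `sed` in the new `$(BUILDDIR)/%` rule writes that text into every `@@runstatedir@@` occurrence (the socket path in lacme.conf, lacme and both web-server snippets); it should read `localstatedir ?= $(prefix)/var`. The last two `install` lines still copy `lacme-accountd` and `lacme` with `-m0644`, so the two entry-point scripts are installed non-executable — `-m0755`, as already used for `client`/`webserver` two lines above, is what the bindir/sbindir lines need. The substitution also bakes the final directories into the installed files, and since `prefix` defaults to `$(DESTDIR)` (context in the previous hunk), a staged `make DESTDIR=/tmp/stage install` would presumably hard-code `/tmp/stage/...` paths into the scripts and configs; either keep a conventional staging `DESTDIR` separate from `prefix`, or document that `DESTDIR` here means the installation prefix. A directory value containing `#` or `&` would additionally break the unescaped `s#…#…#g` expressions, though that is unlikely for real prefixes.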
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 97d588a..dd02f95 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -34,7 +34,7 @@
# and to verify the validity of each issued certificate. Specifying an
# empty value skip certificate validation.
#
-#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem
+#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem
# Subject field of the Certificate Signing Request. This option is
# required.
diff --git a/config/lacme.conf b/config/lacme.conf
index 236d203..cf7edfd 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -31,7 +31,7 @@
# Path to the ACME client executable.
#
-#command = /usr/libexec/lacme/client
+#command = @@libexecdir@@/lacme/client
# URI of the ACME server's directory. NOTE: Use the staging server
# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
@@ -62,7 +62,7 @@
# Comma- or space-separated list of addresses to listen on, for instance
# "0.0.0.0:80 [::]:80".
#
-#listen = /run/lacme-www.socket
+#listen = @@runstatedir@@/lacme-www.socket
# Non-existent directory under which an external HTTP daemon is
# configured to serve GET requests for challenge files under
@@ -84,7 +84,7 @@
# Path to the ACME webserver executable.
#
-#command = /usr/libexec/lacme/webserver
+#command = @@libexecdir@@/lacme/webserver
# Whether to automatically install iptables(8) rules to open the
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
@@ -111,11 +111,11 @@
# Path to the lacme-accountd(1) executable.
#
-#command = /usr/bin/lacme-accountd
+#command = @@bindir@@/lacme-accountd
# Path to the lacme-accountd(1) configuration file.
#
-#config = /etc/lacme/lacme-accountd.conf
+#config = @@sysconfdir@@/lacme/lacme-accountd.conf
# The (private) account key to use for signing requests. See
# lacme-accountd(1) for details.
diff --git a/lacme b/lacme
index 73180f0..566545b 100755
--- a/lacme
+++ b/lacme
@@ -75,7 +75,7 @@ sub set_FD_CLOEXEC($$);
my $CONFFILENAME = $OPTS{config} // first { -f $_ }
( "./$NAME.conf"
, ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
- , "/etc/lacme/$NAME.conf"
+ , "@@sysconfdir@@/lacme/$NAME.conf"
);
do {
die "Error: Can't find configuration file\n" unless defined $CONFFILENAME;
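Review bot: The new default `"@@sysconfdir@@/lacme/$NAME.conf"` puts the placeholder inside a double-quoted string, where the second `@` is followed by a word character and Perl therefore interpolates an array `@sysconfdir`: if the script runs under `use strict` (not visible in this hunk, but likely) the unbuilt checkout no longer compiles, and otherwise the candidate path silently becomes `@@@/lacme/lacme.conf`; the built copy is unaffected because `sed` replaces the placeholder first. A form that does not interpolate, e.g. `, '@@sysconfdir@@/lacme/'.$NAME.'.conf'`, keeps the source tree runnable; the same applies to the equivalent line in lacme-accountd (the `"@@sysconfdir@@/lacme/$NAME.conf"` change there), while the single-quoted defaults in the next hunk of this file are fine. More generally, every checked-in copy now carries literal placeholders, so running `./lacme` from the checkout spawns `@@libexecdir@@/lacme/client` until `make` has been run — worth a sentence in the build documentation.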
@@ -93,24 +93,24 @@ do {
socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef),
user => 'nobody',
group => 'nogroup',
- command => '/usr/libexec/lacme/client',
+ command => '@@libexecdir@@/lacme/client',
# the rest is for the ACME client
map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/
},
webserver => {
- listen => '/run/lacme-www.socket',
+ listen => '@@runstatedir@@/lacme-www.socket',
'challenge-directory' => undef,
user => 'www-data',
group => 'www-data',
- command => '/usr/libexec/lacme/webserver',
+ command => '@@libexecdir@@/lacme/webserver',
iptables => 'No'
},
accountd => {
user => '',
group => '',
- command => '/usr/bin/lacme-accountd',
- config => '/etc/lacme/lacme-accountd.conf',
+ command => '@@bindir@@/lacme-accountd',
+ config => '@@sysconfdir@@/lacme/lacme-accountd.conf',
privkey => undef,
quiet => 'Yes',
}
@@ -743,7 +743,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
};
# verify certificate validity against the CA
- $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem';
+ $conf->{CAfile} //= '@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem';
if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},
qw/-purpose sslserver -x509_strict/)) {
print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
diff --git a/lacme-accountd b/lacme-accountd
index 822894b..89774c2 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -67,7 +67,7 @@ do {
my $conffile = $OPTS{config} // first { -f $_ }
( "./$NAME.conf"
, ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
- , "/etc/lacme/$NAME.conf"
+ , "@@sysconfdir@@/lacme/$NAME.conf"
);
die "Error: Can't find configuration file\n" unless defined $conffile;
print STDERR "Using configuration file: $conffile\n" if $OPTS{debug};
diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
index 215adf6..77cc8ed 100644
--- a/lacme-accountd.1.md
+++ b/lacme-accountd.1.md
@@ -85,7 +85,7 @@ If `--config=` is not given, `lacme-accountd` uses the first existing
configuration file among *./lacme-accountd.conf*,
*$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or
*~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME`
-environment variable is not set), and */etc/lacme/lacme-accountd.conf*.
+environment variable is not set), and *@@sysconfdir@@/lacme/lacme-accountd.conf*.
When given on the command line, the `--privkey=`, `--socket=` and
`--quiet` options take precedence over their counterpart (without
diff --git a/lacme.8.md b/lacme.8.md
index 1d1aede..e250858 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -133,7 +133,7 @@ If `--config=` is not given, `lacme` uses the first existing
configuration file among *./lacme.conf*,
*$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if
the `XDG_CONFIG_HOME` environment variable is not set), and
-*/etc/lacme/lacme.conf*.
+*@@sysconfdir@@/lacme/lacme.conf*.
Valid options are:
Default section
@@ -185,7 +185,7 @@ of [ACME] commands and dialogues with the remote [ACME] server).
*command*
: Path to the [ACME] client executable.
- Default: `/usr/libexec/lacme/client`.
+ Default: `@@libexecdir@@/lacme/client`.
*server*
@@ -224,13 +224,13 @@ served during certificate issuance.
addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
`:PORT` suffix is optional and defaults to the HTTP port 80), or an
absolute path of a UNIX-domain socket (created with mode `0666`).
- Default: `/run/lacme-www.socket`.
+ Default: `@@runstatedir@@/lacme-www.socket`.
**Note**: The default value is only suitable when an external HTTP
daemon is publicly reachable and passes all ACME challenge requests
to the webserver component through the UNIX-domain socket
- `/run/lacme-www.socket` (for instance using the provided
- `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration
+ `@@runstatedir@@/lacme-www.socket` (for instance using the provided
+ `@@sysconfdir@@/lacme/apache2.conf` or `@@sysconfdir@@/lacme/nginx.conf` configuration
snippets for each virtual host requiring authorization). If there
is no HTTP daemon bound to port 80 one needs to set *listen* to
`[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or
@@ -264,7 +264,7 @@ served during certificate issuance.
: Path to the [ACME] webserver executable. A separate process is
spawned for each address to *listen* on. (In particular no
webserver process is forked when the *listen* option is empty.)
- Default: `/usr/libexec/lacme/webserver`.
+ Default: `@@libexecdir@@/lacme/webserver`.
*iptables*
@@ -295,12 +295,12 @@ If the section (including its header) is absent or commented out,
*command*
: Path to the [`lacme-accountd`(1)] executable.
- Default: `/usr/bin/lacme-accountd`.
+ Default: `@@bindir@@/lacme-accountd`.
*config*
: Path to the [`lacme-accountd`(1)] configuration file.
- Default: `/etc/lacme/lacme-accountd.conf`.
+ Default: `@@sysconfdir@@/lacme/lacme-accountd.conf`.
*privkey*
@@ -355,7 +355,7 @@ Valid options are:
*certificate-chain* and to verify the validity of each issued
certificate.
Specifying an empty value skip certificate validation.
- Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`.
+ Default: `@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem`.
*hash*
diff --git a/snippets/apache2.conf b/snippets/apache2.conf
index c42a9fb..45d7c7f 100644
--- a/snippets/apache2.conf
+++ b/snippets/apache2.conf
@@ -5,7 +5,7 @@
# non-ssl one) of each virtual host requiring authorization.
<Location /.well-known/acme-challenge/>
- ProxyPass unix:///run/lacme-www.socket|http://localhost/.well-known/acme-challenge/
+ ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/
Require all granted
</Location>
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index 86592d2..6775489 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -6,7 +6,7 @@
location ^~ /.well-known/acme-challenge/ {
# Pass ACME requests to lacme's webserver component
- proxy_pass http://unix:/run/lacme-www.socket;
+ proxy_pass http://unix:@@runstatedir@@/lacme-www.socket;
## Alternatively, you can let nginx serve the requests by
## setting 'challenge-directory' to '/var/www/acme-challenge' in