-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | Changelog | 4 | ||||
-rw-r--r-- | Makefile | 39 | ||||
-rw-r--r-- | config/lacme-certs.conf | 2 | ||||
-rw-r--r-- | config/lacme.conf | 10 | ||||
-rwxr-xr-x | lacme | 14 | ||||
-rwxr-xr-x | lacme-accountd | 2 | ||||
-rw-r--r-- | lacme-accountd.1.md | 2 | ||||
-rw-r--r-- | lacme.8.md | 18 | ||||
-rw-r--r-- | snippets/apache2.conf | 2 | ||||
-rw-r--r-- | snippets/nginx.conf | 2 |
11 files changed, 54 insertions, 45 deletions
@@ -1,6 +1,4 @@ # vim swapfiles .*.sw[po] -# generated man-pages -/lacme.8 -/lacme-accountd.1 +/build/ @@ -1,13 +1,11 @@ lacme (0.7) UNRELEASED; - + Default listening socket for the webserver component is now - /run/lacme-www.socket. (It was previously under the legacy directory - /var/run.) + Adapt Apache2 snippet to Apache2 2.4. * Makefile: major refactoring, add install and uninstall targets, honor BUILD_DOCDIR and DESTDIR variables. * Install lacme manual to section 8. * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme. + * Makefile: Use variables for target directories etc. -- Guilhem Moulin <guilhem@debian.org> Thu, 22 Aug 2019 00:31:35 +0200 @@ -1,14 +1,14 @@ DESTDIR ?= /usr/local -BUILD_DOCDIR ?= . -MANUAL_FILES = $(addprefix $(BUILD_DOCDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md))) +BUILDDIR ?= ./build +MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md))) -all: manual +all: manual $(addprefix $(BUILDDIR)/,lacme lacme-accountd client webserver $(wildcard config/* snippets/*)) doc: manual manual: $(MANUAL_FILES) # upper case the headers and remove the links -$(MANUAL_FILES): $(BUILD_DOCDIR)/%: ./%.md +$(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md pandoc -f markdown -t json -- "$<" | ./pandoc2man.jq | pandoc -s -f json -t man -o "$@" prefix ?= $(DESTDIR) 
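Review bot: `MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md)))` is a recursive assignment, so the `$(wildcard)` is re-evaluated every time the variable is referenced; `MANUAL_FILES := …` evaluates it once and is the conventional form for wildcard or shell results. The same hunk renames BUILD_DOCDIR to BUILDDIR, yet the Changelog entry kept as context earlier on this line still says the Makefile honours "BUILD_DOCDIR and DESTDIR variables"; changing it to `honor BUILDDIR and DESTDIR variables` keeps the release notes accurate. `$(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md` now builds the manual from the copied markdown, so a one-line comment such as `# man pages are generated from the @@var@@-substituted copies in $(BUILDDIR)` would make the dependency on the copy rule explicit.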
@@ -17,27 +17,40 @@ bindir ?= $(exec_prefix)/bin sbindir ?= $(exec_prefix)/sbin libexecdir ?= $(exec_prefix)/libexec datarootdir ?= $(prefix)/share +datadir ?= $(datarootdir) sysconfdir ?= $(prefix)/etc +localstatedir =? $(prefix)/var +runstatedir ?= $(localstatedir)/run mandir ?= $(datarootdir)/man man1dir ?= $(mandir)/man1 man8dir ?= $(mandir)/man8 +$(BUILDDIR)/%: % + mkdir -pv -- $(dir $@) + cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@" + sed -i "s#@@bindir@@#$(bindir)#g; \ + s#@@sbindir@@#$(sbindir)#g; \ + s#@@libexecdir@@#$(libexecdir)#g; \ + s#@@datadir@@#$(datadir)#g; \ + s#@@runstatedir@@#$(runstatedir)#g; \ + s#@@sysconfdir@@#$(sysconfdir)#g;" -- "$@" + install: all - install -m0644 -vDt $(sysconfdir)/lacme config/*.conf snippets/*.conf + install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf install -vd $(sysconfdir)/lacme/lacme-certs.conf.d - install -m0644 -vDt $(datarootdir)/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem - install -m0755 -vDt $(libexecdir)/lacme ./client ./webserver - install -m0644 -vDt $(man1dir) $(BUILD_DOCDIR)/lacme-accountd.1 - install -m0644 -vDt $(man8dir) $(BUILD_DOCDIR)/lacme.8 - install -m0644 -vDt $(bindir) ./lacme-accountd - install -m0644 -vDt $(sbindir) ./lacme + install -m0644 -vDt $(datadir)/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem + install -m0755 -vDt $(libexecdir)/lacme $(BUILDDIR)/client $(BUILDDIR)/webserver + install -m0644 -vDt $(man1dir) $(BUILDDIR)/lacme-accountd.1 + install -m0644 -vDt $(man8dir) $(BUILDDIR)/lacme.8 + install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd + install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme uninstall: rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme rm -vf -- $(man1dir)/lacme-accountd.1 $(man8dir)/lacme.8 - rm -rvf -- $(sysconfdir)/lacme $(datarootdir)/lacme $(libexecdir)/lacme + rm -rvf -- $(sysconfdir)/lacme $(datadir)/lacme $(libexecdir)/lacme clean: - rm -vf -- $(MANUAL_FILES) + rm -rvf -- $(BUILDDIR) 
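Review bot: `+localstatedir =? $(prefix)/var` has the operator reversed: GNU make reads `=?` as a plain `=` assignment whose value is `? $(prefix)/var`, so `runstatedir` expands to `? /usr/local/var/run` with the default prefix and the sed step writes that literal, question mark and space included, into every `@@runstatedir@@` default (the `listen` socket in lacme.conf and both ProxyPass snippets); it also means the variable can no longer be overridden from the environment. The line should read `localstatedir ?= $(prefix)/var`. The new install lines still copy the two scripts with `install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd` and `install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme`, which drops the executable bit the source files carry according to the diffstat; `-m0755`, as already used for the libexec helpers on the preceding line, is what an executable needs. `clean` now runs `rm -rvf -- $(BUILDDIR)` on a user-overridable variable, so a guard such as `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))` before the rm is cheap insurance. Finally, the sed script uses `#` as its delimiter with unescaped replacement text, so a prefix containing `#` or `&` would corrupt the substituted files; presumably acceptable for the expected install paths, but worth a comment on the `$(BUILDDIR)/%: %` rule.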
.PHONY: all doc manual install uninstall clean diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 97d588a..dd02f95 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -34,7 +34,7 @@ # and to verify the validity of each issued certificate. Specifying an # empty value skip certificate validation. # -#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem +#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem # Subject field of the Certificate Signing Request. This option is # required. diff --git a/config/lacme.conf b/config/lacme.conf index 236d203..cf7edfd 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -31,7 +31,7 @@ # Path to the ACME client executable. # -#command = /usr/libexec/lacme/client +#command = @@libexecdir@@/lacme/client # URI of the ACME server's directory. NOTE: Use the staging server # <https://acme-staging-v02.api.letsencrypt.org/directory> for testing @@ -62,7 +62,7 @@ # Comma- or space-separated list of addresses to listen on, for instance # "0.0.0.0:80 [::]:80". # -#listen = /run/lacme-www.socket +#listen = @@runstatedir@@/lacme-www.socket # Non-existent directory under which an external HTTP daemon is # configured to serve GET requests for challenge files under @@ -84,7 +84,7 @@ # Path to the ACME webserver executable. # -#command = /usr/libexec/lacme/webserver +#command = @@libexecdir@@/lacme/webserver # Whether to automatically install iptables(8) rules to open the # ADDRESS[:PORT] specified with listen. Theses rules are automatically @@ -111,11 +111,11 @@ # Path to the lacme-accountd(1) executable. # -#command = /usr/bin/lacme-accountd +#command = @@bindir@@/lacme-accountd # Path to the lacme-accountd(1) configuration file. # -#config = /etc/lacme/lacme-accountd.conf +#config = @@sysconfdir@@/lacme/lacme-accountd.conf # The (private) account key to use for signing requests. See # lacme-accountd(1) for details. 
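Review bot: The commented defaults such as `#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem` and `#command = @@libexecdir@@/lacme/client` are now build-time placeholders, but nothing in either file says so, so a copy taken from the source tree rather than from $(BUILDDIR) shows paths that are never valid. A header comment like `# @@name@@ tokens are substituted by the Makefile at build time; use the generated copy under $(BUILDDIR)` on both config files would remove the ambiguity, and the same applies to the placeholders introduced in lacme, lacme-accountd and the two webserver snippets. It would also help operators to note next to `#listen = @@runstatedir@@/lacme-www.socket` that the socket now lives under the install prefix's run directory rather than the previous fixed `/run` path, since the HTTP daemon configuration must point at the same socket.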
@@ -75,7 +75,7 @@ sub set_FD_CLOEXEC($$); my $CONFFILENAME = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" - , "/etc/lacme/$NAME.conf" + , "@@sysconfdir@@/lacme/$NAME.conf" ); do { die "Error: Can't find configuration file\n" unless defined $CONFFILENAME; @@ -93,24 +93,24 @@ do { socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef), user => 'nobody', group => 'nogroup', - command => '/usr/libexec/lacme/client', + command => '@@libexecdir@@/lacme/client', # the rest is for the ACME client map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/ }, webserver => { - listen => '/run/lacme-www.socket', + listen => '@@runstatedir@@/lacme-www.socket', 'challenge-directory' => undef, user => 'www-data', group => 'www-data', - command => '/usr/libexec/lacme/webserver', + command => '@@libexecdir@@/lacme/webserver', iptables => 'No' }, accountd => { user => '', group => '', - command => '/usr/bin/lacme-accountd', - config => '/etc/lacme/lacme-accountd.conf', + command => '@@bindir@@/lacme-accountd', + config => '@@sysconfdir@@/lacme/lacme-accountd.conf', privkey => undef, quiet => 'Yes', } @@ -743,7 +743,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { }; # verify certificate validity against the CA - $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem'; + $conf->{CAfile} //= '@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem'; if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile}, qw/-purpose sslserver -x509_strict/)) { print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; diff --git a/lacme-accountd b/lacme-accountd index 822894b..89774c2 100755 --- a/lacme-accountd +++ b/lacme-accountd 
@@ -67,7 +67,7 @@ do { my $conffile = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" - , "/etc/lacme/$NAME.conf" + , "@@sysconfdir@@/lacme/$NAME.conf" ); die "Error: Can't find configuration file\n" unless defined $conffile; print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md index 215adf6..77cc8ed 100644 --- a/lacme-accountd.1.md +++ b/lacme-accountd.1.md @@ -85,7 +85,7 @@ If `--config=` is not given, `lacme-accountd` uses the first existing configuration file among *./lacme-accountd.conf*, *$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or *~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME` -environment variable is not set), and */etc/lacme/lacme-accountd.conf*. +environment variable is not set), and *@@sysconfdir@@/lacme/lacme-accountd.conf*. When given on the command line, the `--privkey=`, `--socket=` and `--quiet` options take precedence over their counterpart (without @@ -133,7 +133,7 @@ If `--config=` is not given, `lacme` uses the first existing configuration file among *./lacme.conf*, *$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if the `XDG_CONFIG_HOME` environment variable is not set), and -*/etc/lacme/lacme.conf*. +*@@sysconfdir@@/lacme/lacme.conf*. Valid options are: Default section @@ -185,7 +185,7 @@ of [ACME] commands and dialogues with the remote [ACME] server). *command* : Path to the [ACME] client executable. - Default: `/usr/libexec/lacme/client`. + Default: `@@libexecdir@@/lacme/client`. *server* 
@@ -224,13 +224,13 @@ served during certificate issuance. addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the `:PORT` suffix is optional and defaults to the HTTP port 80), or an absolute path of a UNIX-domain socket (created with mode `0666`). - Default: `/run/lacme-www.socket`. + Default: `@@runstatedir@@/lacme-www.socket`. **Note**: The default value is only suitable when an external HTTP daemon is publicly reachable and passes all ACME challenge requests to the webserver component through the UNIX-domain socket - `/run/lacme-www.socket` (for instance using the provided - `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration + `@@runstatedir@@/lacme-www.socket` (for instance using the provided + `@@sysconfdir@@/lacme/apache2.conf` or `@@sysconfdir@@/lacme/nginx.conf` configuration snippets for each virtual host requiring authorization). If there is no HTTP daemon bound to port 80 one needs to set *listen* to `[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or @@ -264,7 +264,7 @@ served during certificate issuance. : Path to the [ACME] webserver executable. A separate process is spawned for each address to *listen* on. (In particular no webserver process is forked when the *listen* option is empty.) - Default: `/usr/libexec/lacme/webserver`. + Default: `@@libexecdir@@/lacme/webserver`. *iptables* @@ -295,12 +295,12 @@ If the section (including its header) is absent or commented out, *command* : Path to the [`lacme-accountd`(1)] executable. - Default: `/usr/bin/lacme-accountd`. + Default: `@@bindir@@/lacme-accountd`. *config* : Path to the [`lacme-accountd`(1)] configuration file. - Default: `/etc/lacme/lacme-accountd.conf`. + Default: `@@sysconfdir@@/lacme/lacme-accountd.conf`. *privkey* 
@@ -355,7 +355,7 @@ Valid options are: *certificate-chain* and to verify the validity of each issued certificate. Specifying an empty value skip certificate validation. - Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`. + Default: `@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem`. *hash* diff --git a/snippets/apache2.conf b/snippets/apache2.conf index c42a9fb..45d7c7f 100644 --- a/snippets/apache2.conf +++ b/snippets/apache2.conf @@ -5,7 +5,7 @@ # non-ssl one) of each virtual host requiring authorization. <Location /.well-known/acme-challenge/> - ProxyPass unix:///run/lacme-www.socket|http://localhost/.well-known/acme-challenge/ + ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/ Require all granted </Location> diff --git a/snippets/nginx.conf b/snippets/nginx.conf index 86592d2..6775489 100644 --- a/snippets/nginx.conf +++ b/snippets/nginx.conf @@ -6,7 +6,7 @@ location ^~ /.well-known/acme-challenge/ { # Pass ACME requests to lacme's webserver component - proxy_pass http://unix:/run/lacme-www.socket; + proxy_pass http://unix:@@runstatedir@@/lacme-www.socket; ## Alternatively, you can let nginx serve the requests by ## setting 'challenge-directory' to '/var/www/acme-challenge' in |