| -rw-r--r-- | Changelog | 2 | ||||
| -rw-r--r-- | config/lacme-certs.conf | 4 | ||||
| -rwxr-xr-x | lacme | 8 | ||||
| -rw-r--r-- | lacme.8.md | 4 | ||||
| -rw-r--r-- | tests/cert-install | 20 | 
5 files changed, 22 insertions, 16 deletions
| @@ -7,6 +7,8 @@ lacme (0.8.1) upstream;
    umask restrictions.  Also, always spawn the client with umask 0022 so
    a starting lacme(8) with a restrictive umask doesn't impede serving
    challenge files.
+ + lacme: add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp.
+   'chmod'.
  - lacme: in the [accountd] config, let lacme-accountd(1) do the
    %-expansion for 'config', not lacme(8) when building the command.
  - lacme-accountd: don't log debug messages unless --debug is set.
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 5259690..4af5652 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -52,11 +52,11 @@
 # username[:groupname] to chown the issued certificate and
 # certificate-chain with.
 #
-#chown = root:root
+#owner = root:root
 # Octal mode to chmod the issued certificate and certificate-chain with.
 #
-#chmod = 0644
+#mode = 0644
 # Command to pass the the system's command shell ("/bin/sh -c") after
 # successful installation of the certificate and/or certificate-chain.
@@ -761,7 +761,8 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
             my $def = delete $h->{_} // {};
             $defaults{$_} = $def->{$_} foreach keys %$def;
             my @valid = qw/certificate certificate-chain certificate-key min-days CAfile
-                           hash keyUsage subject subjectAltName tlsfeature chown chmod notify/;
+                           hash keyUsage subject subjectAltName tlsfeature
+                           owner chown mode chmod notify/;
             foreach my $s (keys %$h) {
                 $conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid };
                 die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}};
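Review bot: Nothing rejects a section that spells the same setting both ways: the widened `@valid` list in the `@@ -761` hunk lets `owner` and `chown` (or `mode` and `chmod`) coexist in `[$s]`, and the `$conf->{mode} // $conf->{chmod}` fallback in the following hunk then silently prefers the new name, so a stale `chmod = 0600` sitting next to a newer `mode = 0644` loosens the installed file with no diagnostic. I would fail fast right after the existing unknown-option `die`: `die "Conflicting options in [$s]: owner/chown\n" if defined $conf->{$s}->{owner} and defined $conf->{$s}->{chown};` and the same line for `mode`/`chmod`. Whether `[_]` defaults are later merged into each section per key (so that a global `mode` could override a section-level `chmod` through the same `//` chain) I cannot tell from this hunk, since `%defaults` is only collected here; if they are, the conflict check should run after that merge as well. The enclosing `elsif ($COMMAND eq 'newOrder' ...)` block and the `foreach my $s` loop both continue outside the hunk.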
@@ -855,7 +856,10 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
             }
         }
-        my %install = ( content => $x509, mode => $conf->{chmod} // "", owner => $conf->{chown} // "" );
+        my %install = ( content => $x509,
+            mode  => $conf->{mode}  // $conf->{chmod} // "",
+            owner => $conf->{owner} // $conf->{chown} // ""
+        );
         # install certificate
         if ((my $path = $conf->{'certificate'} // "") ne "") {
@@ -421,12 +421,12 @@ Valid settings are:
     See [`x509v3_config`(5ssl)] for a list of possible values.  Note
     that the ACME server might override the value provided here.
-*chown*
+*owner*, *chown*
 :   An optional `username[:groupname]` to chown the issued *certificate*
     and *certificate-chain* to.
-*chmod*
+*mode*, *chmod*
 :   An optional octal mode to chmod the issued *certificate* and
     *certificate-chain* to.  By default the files are created with mode
diff --git a/tests/cert-install b/tests/cert-install
index c49a294..4b3e820 100644
--- a/tests/cert-install
+++ b/tests/cert-install
@@ -103,14 +103,14 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)"
 st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)"
 [ "$st" = "root:root 0644" ]
-# chown user
+# owner user
 openssl genpkey -algorithm RSA -out /etc/lacme/test4.key
 cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF
 	[test4]
 	certificate-key = /etc/lacme/test4.key
 	certificate = /etc/lacme/test4.pem
 	certificate-chain = /etc/lacme/test4.crt
-	chown = nonexistent-user
+	owner = nonexistent-user
 	subject = $subject
 EOF
@@ -119,21 +119,21 @@ grepstderr -Fxq "getpwnam(nonexistent-user)"
 ! test -e /etc/lacme/test4.pem
 ! test -e /etc/lacme/test4.crt
-sed -ri "s/^chown\\s*=.*/chown = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf
+sed -ri "s/^owner\\s*=.*/owner = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf
 lacme newOrder test4 2>"$STDERR" || fail newOrder test4
 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)"
 [ "$st" = "nobody:root 0644" ]
 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)"
 [ "$st" = "nobody:root 0644" ]
-# chown user:group
+# owner user:group
 openssl genpkey -algorithm RSA -out /etc/lacme/test5.key
 cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF
 	[test5]
 	certificate-key = /etc/lacme/test5.key
 	certificate = /etc/lacme/test5.pem
 	certificate-chain = /etc/lacme/test5.crt
-	chown = nobody:nonexistent-group
+	owner = nobody:nonexistent-group
 	subject = $subject
 EOF
@@ -142,7 +142,7 @@ grepstderr -Fxq "getgrnam(nonexistent-group)"
 ! test -e /etc/lacme/test5.pem
 ! test -e /etc/lacme/test5.crt
-sed -ri "s/^chown\\s*=.*/chown = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf
+sed -ri "s/^owner\\s*=.*/owner = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf
 lacme newOrder test5 2>"$STDERR" || fail newOrder test5
 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)"
 [ "$st" = "nobody:nogroup 0644" ]
@@ -156,8 +156,8 @@ cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF
 	certificate-key = /etc/lacme/test6.key
 	certificate-chain = /etc/lacme/test6.crt
 	certificate =
-	chmod =
-	chown =
+	mode =
+	owner =
 	subject = $subject
 EOF
@@ -166,14 +166,14 @@ EOF
 st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)"
 [ "$st" = "root:root 0600" ]
-# chmod
+# mode
 openssl genpkey -algorithm RSA -out /etc/lacme/test7.key
 cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF
 	[test7]
 	certificate-key = /etc/lacme/test7.key
 	certificate = /etc/lacme/test7.pem
 	certificate-chain = /etc/lacme/test7.crt
-	chmod = 0400
+	mode = 0400
 	subject = $subject
 EOF |
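Review bot: The legacy spellings vanish from the suite entirely: every `chown =` / `chmod =` in cert-install becomes `owner =` / `mode =` across these hunks, so the `$conf->{chmod}` and `$conf->{chown}` fallbacks that lacme still honours are no longer exercised by any test, and neither is a section that sets both spellings. I would leave one section on the old names — e.g. keep test7 as `chmod = 0400` with its existing `root:root 0400` assertion — and add a further section carrying both `mode = 0644` and `chmod = 0600` whose `stat` assertion pins whichever precedence (or rejection) the maintainer intends, so a later change to the `//` chain cannot silently widen a file's mode. The `$subject`, `$STDERR`, `fail` and `grepstderr` helpers these hunks rely on are defined outside the visible part of the script.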
