From 9dfb2cde7baf686113e49266c28940c8a564c1ca Mon Sep 17 00:00:00 2001 From: Benjamin Tietz Date: Wed, 23 Sep 2020 17:22:32 +0200 Subject: lacme: allow direct use challenge-directory .well-known/acme-challenge --- config/lacme.conf | 4 ++++ lacme | 26 ++++++++++++++++++++++---- lacme.8.md | 5 +++++ 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/config/lacme.conf b/config/lacme.conf index e49bd39..2955984 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -71,6 +71,10 @@ # #challenge-directory = +# Do not symlink the challenge-directory, but copy the challenge-files +# explictly. +#hard-copy-challenge-directory = No + # username to drop privileges to (setting both effective and real uid). # Skip privilege drop if the value is empty (not recommended). # diff --git a/lacme b/lacme index 7f3d65d..d7ae8ce 100755 --- a/lacme +++ b/lacme @@ -28,6 +28,7 @@ my $NAME = 'lacme'; use Errno 'EINTR'; use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/; use File::Temp (); +use File::Path 'remove_tree'; use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/; use List::Util 'first'; use POSIX (); @@ -104,6 +105,7 @@ do { webserver => { listen => '@@runstatedir@@/lacme-www.socket', 'challenge-directory' => undef, + 'hard-copy-challenge-directory' => 'No', user => '@@lacme_www_user@@', group => '@@lacme_www_group@@', command => '@@libexecdir@@/lacme/webserver', @@ -289,10 +291,26 @@ sub spawn_webserver() { # serve ACME challenge reponses). if (defined (my $dir = $conf->{'challenge-directory'})) { print STDERR "[$$] Using existing webserver on $dir\n" if $OPTS{debug}; - symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!"; - push @CLEANUP, sub() { - print STDERR "Unlinking $dir\n" if $OPTS{debug}; - unlink $dir or warn "Warning: Can't unlink $dir: $!"; + if (lc ($conf->{'hard-copy-challenge-directory'} // 'No') eq 'yes') { + mkdir $dir or die "Can't create directory $dir: $!"; + $tmpdir = $dir; + push @CLEANUP, sub() { + my $error = undef; + remove_tree($dir, { safe => 1, error => \$error }); + if ($error && @$error) { + foreach my $e (@$error) { + my ($file, $message) = %$e; + my $msghead = $file?"Error removing $file in":"Error while removing"; + warn "$msghead challenge dir $dir: $message\n"; + } + } + } + } else { + symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!"; + push @CLEANUP, sub() { + print STDERR "Unlinking $dir\n" if $OPTS{debug}; + unlink $dir or warn "Warning: Can't unlink $dir: $!"; + } } } elsif (!@sockaddr) { diff --git a/lacme.8.md b/lacme.8.md index 384f21b..404180c 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -244,6 +244,11 @@ served during certificate issuance. authorization) as static files. This option is required when *listen* is empty. +*hard-copy-challenge-directory* + +: Do not symlink the challenge-directory, but copy the challenge-files + explictly. + *user* : The username to drop privileges to (setting both effective and real -- cgit v1.2.3