authorSergey Poznyakoff <gray@gnu.org>2018-10-06 08:45:01 (GMT)
committer Sergey Poznyakoff <gray@gnu.org>2018-10-06 08:45:01 (GMT)
commit4463698e4210bbf5d8c8cc152916bf8b52594141 (patch) (unidiff)
tree24bd011980a098623eb71d7d57543072ca0ae45d
parentab2566689e861fd9308ad986721400dee86f55ee (diff)
Support explicit declaration of server root directory in apache source configuration statement
* acmeman: Document apache source --server-root option. * lib/App/Acmeman/Source/Apache.pm (new): Handle command line option. Declare '--server-root' option. (setup): Improve the SSLCipherSuite settings. (probe): Bail out if unable to determine server root.
Diffstat (more/less context) (ignore whitespace changes)
-rwxr-xr-xacmeman8
-rw-r--r--lib/App/Acmeman/Source/Apache.pm15
2 files changed, 19 insertions, 4 deletions
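--- a/acmeman
+++ b/acmeman
@@ -222,7 +222,7 @@ The B<null> module is an empty source. Command line arguments are ignored.
 Use this source if all domains are described in the configuration file.
 
 The B<apache> source module is the default. It scans B<httpd> configuration
-files as described in section B<APACHE>. One argument is allowed. If supplied,
+files as described in section B<apache>. One argument is allowed. If supplied,
 it defines the apache configuration layout. Allowed values are: B<debian>,
 B<slackware>, B<suse> and B<rh> (for Red Hat). Without arguments, the layout
 will be autodetected.
@@ -365,7 +365,7 @@ setting.
 =head2 apache
 
  [core]
- source = apache [LAYOUT]
+ source = apache [--server-root=DIR] [LAYOUT]
 
 This is the default source. It assumes Apache httpd, version 2.4 or later
 (although only minor changes are necessary to make it work with version 2.2).
@@ -373,6 +373,10 @@ The optional I<LAYOUT> argument defines the layout of the apache configuration
 files. Allowed layout values are: B<debian>, B<slackware>, B<suse> and
 B<rh> (for Red Hat). If not supplied, the layout is determined automatically.
 
+Use the B<--server-root> option to supply the name of the server root
+directory, if for some reason the module is unable to determine it
+automatically.
+
 A special directory should be configured for receiving ACME challenges.
 
 The package provides two Apache macros: for serving ACME challenges and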
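--- a/lib/App/Acmeman/Source/Apache.pm
+++ b/lib/App/Acmeman/Source/Apache.pm
@@ -9,10 +9,16 @@ use File::Spec;
 use IPC::Open3;
 use App::Acmeman::Apache::Layout;
 use parent 'App::Acmeman::Source';
+use Getopt::Long qw(GetOptionsFromArray :config gnu_getopt no_ignore_case);
 
 sub new {
  my $class = shift;
- bless { _layout => new App::Acmeman::Apache::Layout(@_) }, $class;
+ my $server_root;
+ GetOptionsFromArray(\@_,
+ 'server-root=s' => \$server_root);
+ my $self = bless { _layout => new App::Acmeman::Apache::Layout(@_) }, $class;
+ $self->server_root($server_root) if $server_root;
+ return $self;
 }
 
 sub layout { shift->{_layout} }
@@ -238,7 +244,7 @@ sub setup {
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
- SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLCertificateFile /etc/ssl/acme/\$domain/cert.pem
  SSLCertificateKeyFile /etc/ssl/acme/\$domain/privkey.pem
  SSLCACertificateFile /etc/ssl/acme/lets-encrypt-x3-cross-signed.pem
@@ -289,6 +295,11 @@ sub probe {
  }
  close $nullin;
  close $nullout;
+ unless ($self->server_root) {
+ ::error("can't deduce server root directory");
+ ::error("use `source = apache --server-root=DIR' in [core] section of /etc/acmeman.conf to declare it");
+ exit(1);
+ }
 }
 
 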
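Review bot: The return value of `GetOptionsFromArray` in `new` is discarded, so a misspelled option or a `--server-root` with no value in the `source = apache ...` line only produces a Getopt::Long warning and construction continues as if no server root had been given. Failing at that point keeps the error next to the setting that caused it: `GetOptionsFromArray(\@_, 'server-root=s' => \$server_root) or die "apache source: invalid arguments\n";`. The accepted value is then stored untested (and `if $server_root` also skips the string `0`); a `-d $server_root` check here would reject a path that is not a directory before it is used. Separately, `:config gnu_getopt no_ignore_case` on the `use` line changes Getopt::Long's process-wide settings, which may alter option parsing elsewhere in the program if that code relies on different ones.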
