-rw-r--r-- | Changes | 5 | ||||
-rw-r--r-- | Makefile.PL | 4 | ||||
-rw-r--r-- | lib/App/Acmeman.pm | 19 | ||||
-rw-r--r-- | lib/App/Acmeman/Source/Apache.pm | 4 |
4 files changed, 25 insertions, 7 deletions
@@ -1,3 +1,8 @@
+3.07 2021-01-12
+
+ - Change bugtracker address.
+ - Change root certificate URL and make it configurable.
+
 3.06 2020-06-15
 - Improve error reporting
diff --git a/Makefile.PL b/Makefile.PL
index 28bbee2..8ad492a 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -45,6 +45,10 @@ my %makefile_args = (
 url => 'git://git.gnu.org.ua/acmeman.git',
 web => 'http://git.gnu.org.ua/cgit/acmeman.git/',
 },
+ bugtracker => {
+ web => 'https://puszcza.gnu.org.ua/bugs/?group=acmeman',
+ mailto => 'gray+acmeman@gnu.org.ua'
+ }
 },
 provides => Module::Metadata->provides(version => '1.4', dir => 'lib')
diff --git a/lib/App/Acmeman.pm b/lib/App/Acmeman.pm
index 65aac4f..cbafc05 100644
--- a/lib/App/Acmeman.pm
+++ b/lib/App/Acmeman.pm
@@ -8,6 +8,7 @@ use Crypt::OpenSSL::RSA;
 use Crypt::OpenSSL::X509;
 use File::Basename;
 use File::Path qw(make_path);
+use File::Spec;
 use DateTime::Format::Strptime;
 use LWP::UserAgent;
 use LWP::Protocol::https;
@@ -24,12 +25,14 @@ use Text::ParseWords;
 use App::Acmeman::Log qw(:all :sysexits);
 use feature 'state';
-our $VERSION = '3.06';
+our $VERSION = '3.07';
 my $progdescr = "manages ACME certificates";
-my $letsencrypt_root_cert_url =
- 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem';
+our $acme_dir = '/etc/ssl/acme';
+our $letsencrypt_root_cert_basename = 'lets-encrypt-root.pem';
+our $letsencrypt_root_cert_url =
+ 'https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem';
 sub new {
 my $class = shift;
@@ -151,6 +154,7 @@ sub host_ns_ok {
 foreach my $ip ($self->resolve($host)) {
 return 1 if $self->myip($ip);
 }
+ error("$host does not resolve to our IP");
 return 0
 }
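Review bot: `$acme_dir`, `$letsencrypt_root_cert_basename` and `$letsencrypt_root_cert_url` become `our` package globals that other modules read by fully qualified name (Source::Apache does so in this same commit), but nothing in this diff connects them to the configuration file, so "configurable" in the Changes entry means assignable from code only. The basename `lets-encrypt-root.pem` is misleading: the URL on the next line fetches `lets-encrypt-r3-cross-signed.pem`, which is the R3 intermediate cross-signed by an external root, not a root certificate, and downstream code (the Apache template) now labels that file by this name. A comment on the declarations would prevent the next reader from trusting the name, e.g. `# Shared with App::Acmeman::Source::Apache. Despite the name, the URL points at the R3 intermediate (cross-signed), not a root.` Whether get_root_cert verifies what it downloads is outside this hunk.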
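Review bot: The added `error("$host does not resolve to our IP")` turns a predicate into a logger: host_ns_ok is called from the `grep` in collect for the CN and every alternative name, so a host whose alternative names do not all resolve to us now gets one error per rejected name followed by a second `ignoring $k: ...` error for the same entry. It also fires when `resolve` returns nothing at all, which the message does not distinguish from resolving to a foreign address; if the call is meant as diagnostics rather than a failure, `debug(1, "$host does not resolve to our IP")` or a message that names the case would be less noisy. host_ns_ok starts outside the hunk.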
@@ -203,7 +207,8 @@ sub setup {
 $self->prep_dir($self->cf->get(qw(core rootdir)).'/file');
- $self->get_root_cert('/etc/ssl/acme/lets-encrypt-x3-cross-signed.pem');
+ $self->get_root_cert(File::Spec->catfile($acme_dir,
+ $letsencrypt_root_cert_basename));
 foreach my $src ($self->cf->get(qw(core source))) {
 unless ($src->setup(dry_run => $self->dry_run_option,
@@ -228,7 +233,11 @@ sub collect {
 || $self->host_ns_ok($_) }
 ($k, ($v->{alt} ? @{$v->{alt}} : ()))];
 if (@$alt) {
- $k = shift @$alt;
+ my $name = shift @$alt;
+ if ($name ne $k) {
+ error("$k: CN changed to $name, update your configuration");
+ }
+ $k = $name;
 $alt = undef unless @$alt;
 } else {
 error("ignoring $k: none of its names resolves to our IP");
diff --git a/lib/App/Acmeman/Source/Apache.pm b/lib/App/Acmeman/Source/Apache.pm
index 8497e00..1f5f7ac 100644
--- a/lib/App/Acmeman/Source/Apache.pm
+++ b/lib/App/Acmeman/Source/Apache.pm
@@ -170,7 +170,7 @@ sub setup {
 debug(2, "writing $filename");
 unless ($args{dry_run}) {
 my $challenge_dir = "$www_root/.well-known/acme-challenge";
- my $acme_dir = "/etc/ssl/acme";
+ my $acme_dir = $App::Acmeman::acme_dir;
 foreach my $dir ($self->layout->incdir(), $challenge_dir, $acme_dir) {
 unless ($self->mkpath($dir)) {
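Review bot: The `$name ne $k` check in collect reports a CN change and then continues with `$k = $name`, so the certificate is requested and stored under the first resolvable name while any configuration still keyed on the old `$k` (the Apache macro derives `cert.pem` paths from the domain name) points at a name that is no longer issued. Whether `error()` aborts the run is not visible here; it comes from App::Acmeman::Log, outside the hunk, and if it only logs, the message should say which name will be used instead of a bare "update your configuration". If continuing is deliberate, a comment such as `# The first name that resolves to us becomes the CN; the configured CN survives only if it resolves.` would make the fallback explicit. sub collect starts and ends outside the hunk.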
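Review bot: `my $acme_dir = $App::Acmeman::acme_dir;` in Source::Apache has no fallback, so if this module is loaded without App::Acmeman (or before that package's assignment has run) `$acme_dir` is undef, `$self->mkpath` is called with undef on the next line, and the paths interpolated into the generated macro later in the file lose their directory prefix. A guard would fail early and loudly, e.g. `my $acme_dir = $App::Acmeman::acme_dir; die "App::Acmeman::acme_dir is not set" unless defined $acme_dir;`, and reaching into another package's `our` variable by fully qualified name couples this source to App::Acmeman's internals where an `%args` entry or accessor would keep it explicit. sub setup starts and ends outside the hunk.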
@@ -207,7 +207,7 @@ sub setup {
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 SSLCertificateFile $acme_dir/\$domain/cert.pem
 SSLCertificateKeyFile $acme_dir/\$domain/privkey.pem
- SSLCACertificateFile $acme_dir/lets-encrypt-x3-cross-signed.pem
+ SSLCACertificateFile $acme_dir/$App::Acmeman::letsencrypt_root_cert_basename
 </Macro>
 <Macro LetsEncryptServer \$domain> |
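Review bot: The new `SSLCACertificateFile` line interpolates `$App::Acmeman::letsencrypt_root_cert_basename` into the macro at generation time, so if that global is undef (App::Acmeman not loaded, or loaded after this template is written) the emitted directive is `SSLCACertificateFile /etc/ssl/acme/`, a directory, and httpd refuses to start; the same `defined` check suggested for `$acme_dir` should cover the basename. In mod_ssl `SSLCACertificateFile` is the trust store for client-certificate verification; supplying the server's issuer chain through it works only as a side effect of chain completion, and with httpd 2.4.8+ the intermediate can be appended to the file given to `SSLCertificateFile` instead, which is worth a template comment such as `# issuer chain for cert.pem; the file is the R3 intermediate fetched by App::Acmeman::get_root_cert`. The variable's value is `lets-encrypt-root.pem` while the companion URL fetches the R3 cross-signed intermediate, so the generated config names the file in a way that does not match its contents. The enclosing setup and the heredoc both start outside the hunk.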