acme: Export the canonical paths for certificates and challenges #20088
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…lenges The contract between the acme-common framework and consumers and hook scripts is that certificates can be consumed from /etc/ssl/acme and that web challenges are stored in /var/run/acme/challenge. Make this explicit by exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well, instead of having knowledge of those paths depend on out-of-band information. We already exported $challenge_dir, but let's change it to upper-case to make it clear that it's not a user configuration variable. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The acme-acmesh package hardcoded the certificate path in its hook script. Now that we export it as a variable we can avoid hard-coding and use the variable version instead. Also factor out the linking of certificates into a function so it's not repeated. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
|
LGTM |
The haproxy hotplug script creates a 'combined' certificate bundle that contains both the certificate chain and the private key. However, having a daemon hotplug script write into CERT_DIR is not great; so let's provide the bundle as part of the main acme framework, keeping it in $domain_dir and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a collection of links for everything, that no consumers should need to write into. Also make sure to set the umask correctly so the combined file is not world-readable (since it contains the private key). Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds an export of the canonical paths for certificates and challenges so
the contract for consumers becomes explicit. Also contains a couple of cleanups
to make use of those exports in the hook scripts.
Cc @hgl