Hello community,

here is the log from the commit of package dehydrated for openSUSE:Factory 
checked in at 2018-03-16 10:43:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dehydrated (Old)
 and      /work/SRC/openSUSE:Factory/.dehydrated.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dehydrated"

Fri Mar 16 10:43:57 2018 rev:8 rq:587475 version:0.6.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/dehydrated/dehydrated.changes    2018-03-13 
10:24:00.161847464 +0100
+++ /work/SRC/openSUSE:Factory/.dehydrated.new/dehydrated.changes       
2018-03-16 10:45:10.736519895 +0100
@@ -1,0 +2,23 @@
+Thu Mar 15 10:52:56 UTC 2018 - [email protected]
+
+- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) 
+  * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+
+-------------------------------------------------------------------
+Wed Mar 14 16:51:29 UTC 2018 - [email protected]
+
+- Fix issues introduced by 0.6.1 (bsc#1085305)
+
+  * bring back man page
+  * reflect new endpoint in (commented out) config file section
+    (adds 0001-fixed-CA-url-in-example-config.patch, backported
+    from upstream's master branch)
+
+-------------------------------------------------------------------
+Tue Mar 13 20:21:49 UTC 2018 - [email protected]
+
+- Updated dehydrated to 0.6.1 (bsc#1084854)
+
+  * Use new ACME v2 endpoint by default
+
+-------------------------------------------------------------------
@@ -4 +27 @@
-- Updated dehydrated to 0.6.0 (osc#1084854)
+- Updated dehydrated to 0.6.0 (bsc#1084854)

Old:
----
  dehydrated-0.6.0.tar.gz
  dehydrated-0.6.0.tar.gz.asc

New:
----
  0001-fixed-CA-url-in-example-config.patch
  0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
  dehydrated-0.6.1.tar.gz
  dehydrated-0.6.1.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dehydrated.spec ++++++
--- /var/tmp/diff_new_pack.pJtED0/_old  2018-03-16 10:45:11.836480287 +0100
+++ /var/tmp/diff_new_pack.pJtED0/_new  2018-03-16 10:45:11.840480143 +0100
@@ -46,7 +46,7 @@
 %endif
 
 Name:           dehydrated
-Version:        0.6.0
+Version:        0.6.1
 Release:        0
 Summary:        A client for signing certificates with an ACME server
 License:        MIT
@@ -65,6 +65,8 @@
 Source11:       README.hooks
 Source12:       %{name}-%{version}.tar.gz.asc
 Source13:       %{name}.keyring
+Patch1:         0001-fixed-CA-url-in-example-config.patch
+Patch2:         0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 BuildRequires:  %{_apache}
 Requires:       coreutils
 Requires:       curl
@@ -182,6 +184,8 @@
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .
 
@@ -195,7 +199,7 @@
 mkdir -p %{buildroot}%{_home}/config.d
 mkdir -p %{buildroot}%{_postrunhooks}
 
-cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
+cat docs/man/dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
 
 # Silence E: env-script-interpreter
 find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env 
bash,#!$(command -v bash),g" {} \;
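Review bot: The corrected man page line still pipes `cat` into `gzip`, so unless the build shell sets pipefail the pipeline reports only the status of `gzip`, and a wrong input path yields an empty `dehydrated.1.gz` instead of a failed build. That may be how the man page went missing when upstream moved it under `docs/man/`, though the page does not show it. Compressing the file directly, `gzip -cn docs/man/dehydrated.1 > %{buildroot}%{_mandir}/man1/dehydrated.1.gz`, makes a missing file fail the build, and `-n` keeps the file name and timestamp out of the gzip header. The %install section starts and ends outside the hunk.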

++++++ 0001-fixed-CA-url-in-example-config.patch ++++++
>From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
From: Lukas Schauer <[email protected]>
Date: Tue, 13 Mar 2018 21:08:20 +0100
Subject: [PATCH] fixed CA url in example config

---
 docs/examples/config | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/examples/config b/docs/examples/config
index 1aa7d63..665704d 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -21,15 +21,15 @@
 # default: <unset>
 #IP_VERSION=
 
-# Path to certificate authority (default: 
https://acme-v01.api.letsencrypt.org/directory)
-#CA="https://acme-v01.api.letsencrypt.org/directory";
+# Path to certificate authority (default: 
https://acme-v02.api.letsencrypt.org/directory)
+#CA="https://acme-v02.api.letsencrypt.org/directory";
 
 # Path to old certificate authority
 # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 
under a different endpoint.
 # If dehydrated detects an account-key for the old CA it will automatically 
reuse that key
 # instead of registering a new one.
-# default: <unset>
-#OLDCA=
+# default: https://acme-v01.api.letsencrypt.org/directory
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory";
 
 # Which challenge should be used? Currently http-01 and dns-01 are supported
 #CHALLENGETYPE="http-01"
-- 
2.13.6

++++++ 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch ++++++
>From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
From: Lukas Schauer <[email protected]>
Date: Wed, 14 Mar 2018 18:50:28 +0100
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
 chain by default)

---
diff --git a/dehydrated b/dehydrated
index 4103649..0751a0b 100755
--- a/dehydrated
+++ b/dehydrated
@@ -990,20 +990,29 @@ sign_domain() {
 
   # Create fullchain.pem
   echo " + Creating fullchain.pem..."
-  cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
-  local issuer_hash
-  issuer_hash="$(get_issuer_hash "${crt_path}")"
-  if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
-    echo " + Using cached chain!"
-    cat "${CHAINCACHE}/${issuer_hash}.chain" > 
"${certdir}/chain-${timestamp}.pem"
+  if [[ ${API} -eq 1 ]]; then
+    cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+    local issuer_hash
+    issuer_hash="$(get_issuer_hash "${crt_path}")"
+    if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+      echo " + Using cached chain!"
+      cat "${CHAINCACHE}/${issuer_hash}.chain" > 
"${certdir}/chain-${timestamp}.pem"
+    else
+      echo " + Walking chain..."
+      local issuer_cert_uri
+      issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+      (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || 
_exiterr "Walking chain has failed, your certificate has been created and can 
be found at ${crt_path}, the corresponding private key at ${privkey}. If you 
want you can manually continue on creating and linking all necessary files. If 
this error occurs again you should manually generate the certificate chain and 
place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+      cat "${certdir}/chain-${timestamp}.pem" > 
"${CHAINCACHE}/${issuer_hash}.chain"
+    fi
+    cat "${certdir}/chain-${timestamp}.pem" >> 
"${certdir}/fullchain-${timestamp}.pem"
   else
-    echo " + Walking chain..."
-    local issuer_cert_uri
-    issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
-    (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || 
_exiterr "Walking chain has failed, your certificate has been created and can 
be found at ${crt_path}, the corresponding private key at ${privkey}. If you 
want you can manually continue on creating and linking all necessary files. If 
this error occurs again you should manually generate the certificate chain and 
place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
-    cat "${certdir}/chain-${timestamp}.pem" > 
"${CHAINCACHE}/${issuer_hash}.chain"
+    tmpcert="$(_mktemp)"
+    tmpchain="$(_mktemp)"
+    awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' 
out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
+    mv "${certdir}/cert-${timestamp}.pem" 
"${certdir}/fullchain-${timestamp}.pem"
+    mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
+    mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
   fi
-  cat "${certdir}/chain-${timestamp}.pem" >> 
"${certdir}/fullchain-${timestamp}.pem"
 
   # Update symlinks
   [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" 
"${certdir}/privkey.pem"
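Review bot: In the new ACMEv2 branch `tmpcert` and `tmpchain` are assigned without `local`, unlike `issuer_hash` and `issuer_cert_uri` in the ACMEv1 branch, so they become globals; `local tmpcert tmpchain` before the two `_mktemp` calls fixes that. The result of the `awk` split is also not checked before the three `mv` calls: if the downloaded file holds only the leaf certificate, `chain-${timestamp}.pem` ends up empty and, as far as the hunk shows, nothing reports it. If an empty chain is never expected, a guard such as `[[ -s "${tmpcert}" && -s "${tmpchain}" ]] || _exiterr "Certificate file does not contain a certificate followed by a chain"` would stop before the existing files are replaced. sign_domain starts and ends outside the hunk, so whether a later step validates these files cannot be seen here.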
-- 
2.13.6

++++++ dehydrated-0.6.0.tar.gz -> dehydrated-0.6.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dehydrated-0.6.0/CHANGELOG 
new/dehydrated-0.6.1/CHANGELOG
--- old/dehydrated-0.6.0/CHANGELOG      2018-03-11 20:19:25.000000000 +0100
+++ new/dehydrated-0.6.1/CHANGELOG      2018-03-13 20:57:52.000000000 +0100
@@ -1,6 +1,10 @@
 # Change Log
 This file contains a log of major changes in dehydrated
 
+## [0.6.1] - 2018-03-13
+## Changed
+- Use new ACME v2 endpoint by default
+
 ## [0.6.0] - 2018-03-11
 ## Changed
 - Challenge validation loop has been modified to loop over authorization 
identifiers instead of altnames (ACMEv2 + wildcard support)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dehydrated-0.6.0/dehydrated 
new/dehydrated-0.6.1/dehydrated
--- old/dehydrated-0.6.0/dehydrated     2018-03-11 20:19:25.000000000 +0100
+++ new/dehydrated-0.6.1/dehydrated     2018-03-13 20:57:52.000000000 +0100
@@ -13,7 +13,7 @@
 
 umask 077 # paranoid umask, we're creating private keys
 
-VERSION="0.6.0"
+VERSION="0.6.1"
 
 # Find directory in which this script is stored by traversing all symbolic 
links
 SOURCE="${0}"
@@ -118,7 +118,7 @@
   fi
 
   # Default values
-  CA="https://acme-v01.api.letsencrypt.org/directory";
+  CA="https://acme-v02.api.letsencrypt.org/directory";
   OLDCA=
   CERTDIR=
   ACCOUNTDIR=
@@ -218,6 +218,10 @@
   # Check BASEDIR and set default variables
   [[ -d "${BASEDIR}" ]] || _exiterr "BASEDIR does not exist: ${BASEDIR}"
 
+  if [[ -z "${OLDCA}" ]] && [[ "${CA}" = 
"https://acme-v02.api.letsencrypt.org/directory"; ]]; then
+    OLDCA="https://acme-v01.api.letsencrypt.org/directory";
+  fi
+
   # Create new account directory or symlink to account directory from old CA
   CAHASH="$(echo "${CA}" | urlbase64)"
   [[ -z "${ACCOUNTDIR}" ]] && ACCOUNTDIR="${BASEDIR}/accounts"
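Review bot: The new OLDCA fallback compares `${CA}` against a second copy of the ACMEv2 URL literal rather than reusing the default assigned in the @@ -118 hunk, so the two copies can drift apart. A CA value that differs only in form, for example a trailing slash, also skips the fallback. The block has no comment saying that its purpose is to let the lines that follow link the account directory registered under the ACMEv1 endpoint; something like `# Default OLDCA to the ACMEv1 endpoint so an existing account key is reused with the default ACMEv2 CA` above the `if` would make that explicit. The enclosing function starts and ends outside the hunk.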

