
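--- a/UIDs
+++ b/UIDs
@@ -549,7 +549,7 @@
 _tss:*:601:601:daemon:0:0:TrouSerS user:/var/empty:/usr/sbin/nologin
 _pkcs11:*:602:602:daemon:0:0:opencryptoki user:/var/empty:/usr/sbin/nologin
 _acme:*:603:603::0:0:ACME client user:/var/empty:/usr/sbin/nologin
-# free: 604
+_lego:*:604:604::0:0:lego client user:/nonexistent:/usr/sbin/nologin
 _hockeypuck:*:605:605::0:0:hockeypuck pgp keyserver user:/var/empty:/usr/sbin/nologin
 # free: 606
 # free: 607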
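--- a/GIDs
+++ b/GIDs
@@ -544,7 +544,7 @@
 _tss:*:601:
 _pkcs11:*:602:
 _acme:*:603:
-# free: 604
+_lego:*:604:
 _hockeypuck:*:605:
 # free: 606
 # free: 607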
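--- /dev/null
+++ b/security/lego/Makefile
@@ -0,0 +1,46 @@
+# $FreeBSD$
+
+PORTNAME=	lego
+DISTVERSIONPREFIX=	v
+DISTVERSION=	2.7.1
+CATEGORIES=	security
+
+MAINTAINER=	matt@matthoran.com
+COMMENT=	Let's Encrypt client and ACME library written in Go
+
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
+
+USES=		go
+
+GO_PKGNAME=	github.com/go-acme/lego
+GO_TARGET=	${GO_PKGNAME}/cmd/lego
+GO_BUILDFLAGS=	-ldflags '-X "main.version=${GH_TAGNAME}"'
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	go-acme
+
+SAMPLE_FILES=	lego.sh.sample deploy.sh.sample
+SUB_FILES=	604.lego pkg-message ${SAMPLE_FILES}
+SUB_LIST=	PORTNAME=${PORTNAME} LEGO_USER=${LEGO_USER}
+
+PERIODIC_DIRS=	etc/periodic/weekly
+PERIODIC_FILES=	604.lego
+
+LEGO_USER?=	_lego
+
+USERS=		${LEGO_USER}
+GROUPS=		${LEGO_USER}
+
+post-install:
+	${MKDIR} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}
+	${INSTALL_SCRIPT} ${WRKDIR}/${PERIODIC_FILES} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${PERIODIC_FILES}
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl/lego \
+		${STAGEDIR}${ETCDIR} ${STAGEDIR}${WWWDIR}
+.	for d in ${SAMPLE_FILES}
+		${INSTALL_SCRIPT} ${WRKDIR}/${d} ${STAGEDIR}${ETCDIR}/${d}
+.	endfor
+
+.include <bsd.port.mk>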
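Review bot: `LEGO_USER?=	_lego` (line 32) is presented as an overridable knob and is fed into `USERS`/`GROUPS` and `SUB_LIST`, but the periodic script (`su -fm _lego`) and every `@dir`/`@sample` owner in pkg-plist spell the account literally, so an override produces an account that owns nothing while the weekly job still switches to `_lego`. Either make the name fixed (`LEGO_USER=	_lego`, with a comment that it is tied to the UID/GID 604 reserved in UIDs/GIDs), or wire the knob through everywhere: `PLIST_SUB+=	LEGO_USER=${LEGO_USER}` here, `%%LEGO_USER%%` in pkg-plist and in `604.lego.in`. As far as I recall the framework resolves `USERS` against the UIDs registry, so a renamed account without an entry there would fail at install time anyway, which argues for dropping the `?=`. A one-line comment on `RUN_DEPENDS` saying why the CA bundle is needed (TLS validation of the ACME endpoint) would also help the next maintainer.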
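--- /dev/null
+++ b/security/lego/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1563919890
+SHA256 (go-acme-lego-v2.7.1_GH0.tar.gz) = 835fef2148e586ca81cd6116861baaada94f7c0b5bda37dcf14ca666544cb0f9
+SIZE (go-acme-lego-v2.7.1_GH0.tar.gz) = 5298835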
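--- /dev/null
+++ b/security/lego/files/604.lego.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+PATH=$PATH:%%LOCALBASE%%/bin:%%LOCALBASE%%/sbin
+export PATH
+
+case "$weekly_lego_enable" in
+    [Yy][Ee][Ss])
+	echo
+	echo "Checking Let's Encrypt certificate status:"
+
+	if [ -x "$weekly_lego_renewscript" ] ; then
+		echo "$weekly_lego_renewscript" | su -fm _lego || exit 3
+	fi
+
+	if [ -n "$weekly_lego_deployscript" ] ; then
+		if [ -x "$weekly_lego_deployscript" ] ; then
+			echo "Deploying Let's Encrypt certificates:"
+			$weekly_lego_deployscript || exit 3
+		else
+			echo 'Skipped, deploy script does not exist or is not executable'
+		fi
+	fi
+	;;
+    *)
+        ;;
+esac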
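Review bot: `su -fm _lego` on line 18 hard-codes the account even though the Makefile substitutes `%%LEGO_USER%%` into the sibling pkg-message; it should read `echo "$weekly_lego_renewscript" | su -fm %%LEGO_USER%% || exit 3` so the two cannot drift apart. The renew step is silently skipped when `weekly_lego_renewscript` is unset or not executable although pkg-message marks it as required; an `else` branch printing `Skipped, renew script does not exist or is not executable`, mirroring the deploy branch, would make a mis-configured job visible in the periodic mail. Piping the path into a login shell means shell metacharacters in the configured value are interpreted and, with `-m`, root's environment is handed to the unprivileged user unchanged — acceptable for a root-edited periodic.conf, but worth a comment on that line. The deploy script on line 24 runs with the privileges of periodic(8), normally root, after only an `-x` check, so it is important that pkg-plist keeps `deploy.sh` and its directory root-owned.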
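--- /dev/null
+++ b/security/lego/files/deploy.sh.sample.in
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+SSLDIR="%%PREFIX%%/etc/ssl"
+
+copy_certs () {
+  local certdir certfile domain keyfile rc
+  rc=1
+
+  certdir="${SSLDIR}/lego/certificates"
+  certfiles="$(find "${certdir}" -name "*.crt" -not -name "*.issuer.crt")"
+  for certfile in $certfiles
+  do
+    domain="$(basename "$certfile" .crt)"
+    keyfile="$(dirname "$certfile")/${domain}.key"
+
+    if ! cmp -s "${certfile}" "${SSLDIR}/certs/${domain}.crt"
+    then
+      cp "${certfile}" "${SSLDIR}/certs/${domain}.crt"
+      cp "${keyfile}" "${SSLDIR}/private/${domain}.key"
+      rc=0
+    fi
+  done
+
+  return $rc
+}
+
+if copy_certs
+then
+  output=$(service nginx reload 2>&1) || (echo "$output" && exit 1)
+fi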
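Review bot: The `cp` on line 19 places the private key under `${SSLDIR}/private` without fixing a mode, so the deployed key's permissions depend on whatever mode lego gave the source file and on the umask periodic(8) runs with; `install -m 0600 "${keyfile}" "${SSLDIR}/private/${domain}.key"` and `install -m 0644 "${certfile}" "${SSLDIR}/certs/${domain}.crt"` make the outcome independent of both. This script runs as root over a tree owned by `_lego` (`etc/ssl/lego` in pkg-plist), and `cp` follows a symlink planted there, so adding `-type f` to the `find` on line 10 (find does not follow symlinks by default) limits what a compromised lego process can have root read and copy. `for certfile in $certfiles` on line 11 word-splits and glob-expands the find output, so a filename containing whitespace or `*` breaks the loop; iterating `"${certdir}"/*.crt` directly, or `set -f` with IFS set to newline, avoids that. Neither `${SSLDIR}/certs` nor `${SSLDIR}/private` is created by the plist, which the header comment should say so the first run does not fail on a missing directory.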
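--- /dev/null
+++ b/security/lego/files/lego.sh.sample.in
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+
+# Email used for registration and recovery contact.
+EMAIL=""
+
+BASEDIR="%%ETCDIR%%"
+SSLDIR="%%PREFIX%%/etc/ssl/lego"
+DOMAINSFILE="${BASEDIR}/domains.txt"
+
+if [ -z "${EMAIL}" ]; then
+	echo "Please set EMAIL to a valid address in ${BASEDIR}/lego.sh"
+	exit 1
+fi
+
+if [ ! -e "${DOMAINSFILE}" ]; then
+	echo "Please create ${DOMAINSFILE} as specified in ${BASEDIR}/lego.sh"
+	exit 1
+fi
+
+if [ "$1" = "run" ]; then
+	command="run"
+else
+	command="renew --days 30"
+fi
+
+run_or_renew() {
+	%%PREFIX%%/bin/lego --path "${SSLDIR}" \
+		--email="${EMAIL}" \
+		$(printf -- "--domains=%s " $line) \
+		--http --http.webroot="%%WWWDIR%%" \
+		$1
+}
+
+while read line <&3; do
+	if [ "$command" = "run" ]; then
+		run_or_renew "$command"
+	else
+		output=$(run_or_renew "$command") || (echo "$output" && exit 1)
+	fi
+done 3<"${DOMAINSFILE}"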
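Review bot: The loop on lines 34-40 hands every line of domains.txt to lego unchanged, so a blank or commented line becomes an empty `--domains=` and, under `-e`, aborts the whole run before later domains are renewed; `case "$line" in ''|\#*) continue ;; esac` at the top of the loop body, together with `while read -r line <&3` so backslashes are not mangled, makes the file tolerant of ordinary editing. The unquoted `$line` inside `printf` on line 29 is the intended word split for SAN lists, but it is also a pathname expansion against the current directory — harmless for `--http`, which cannot issue wildcard names, yet worth a `set -f` or a comment for anyone switching to a DNS challenge. The default endpoint is the production CA, so a `SERVER=""` variable passed as `--server` would let users exercise the script against staging before hitting rate limits. If `lego run` still prompts for terms-of-service acceptance, a comment on line 20 saying the first run is interactive would match what pkg-message tells users to do.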
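--- /dev/null
+++ b/security/lego/files/pkg-message.in
@@ -0,0 +1,37 @@
+
+There are example scripts in
+    %%ETCDIR%%
+that you can use for renewing and deploying certificates.
+
+In order to run the script regularly to update the certificates add this line
+to /etc/periodic.conf:
+
+    weekly_lego_enable="YES"
+
+Additionally the following parameters may be added to /etc/periodic.conf:
+
+Script to run to renew certificates, will be run as %%LEGO_USER%% (required)
+    weekly_lego_renewscript="%%ETCDIR%%/lego.sh"
+
+To run a script after the renewal to deploy certificates
+    weekly_lego_deployscript="%%ETCDIR%%/deploy.sh"
+
+If using the example renew script, add the domains for which lego will manage
+certificates to
+    %%ETCDIR%%/domains.txt, one domain on each line.
+
+To add a Subject Alternate Name to the certificate, append the domain(s) to the
+line:
+    example.com www.example.com
+
+To run lego for the first time, edit
+    %%ETCDIR%%/lego.sh
+and set the EMAIL variable.
+
+Then run lego.sh with the run argument as the %%LEGO_USER%% user:
+    $ %%ETCDIR%%/lego.sh run
+
+Subsequent periodic runs will run with the renew argument by default, with a
+renewal interval of 30 days.
+
+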
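--- /dev/null
+++ b/security/lego/pkg-descr
@@ -0,0 +1,4 @@
+lego is a client for Let's Encrypt users, written in Go. It has support for a
+number of ACME challenges, and no external dependencies.
+
+WWW: https://github.com/go-acme/lego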
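--- /dev/null
+++ b/security/lego/pkg-plist
@@ -0,0 +1,8 @@
+bin/lego
+etc/periodic/weekly/604.lego
+@dir(_lego,_lego,0700) etc/lego
+@dir(,,0755) etc/ssl
+@dir(_lego,_lego,0755) etc/ssl/lego
+@dir(_lego,www,) %%WWWDIR%%
+@sample(_lego,_lego,0700) etc/lego/lego.sh.sample
+@sample etc/lego/deploy.sh.sample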
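Review bot: `@dir(_lego,_lego,0700) etc/lego` on line 3 makes the unprivileged `_lego` account the owner of the directory holding `deploy.sh`, which 604.lego executes with root privileges; owning the directory is enough to rename or replace that root-owned script, so a compromise of the lego process (which parses responses from a network ACME server) becomes root at the next weekly run. Keep the directory and both scripts root-owned and give `_lego` only read/execute on its own script: `@dir(,_lego,0750) etc/lego` and `@sample(,_lego,0750) etc/lego/lego.sh.sample`; the account needs write access only under `etc/ssl/lego` and `%%WWWDIR%%`, which the remaining entries already grant. `etc/ssl/lego` at 0755 exposes the listing of certificate and key names to every local user, and whether lego itself restricts the mode of the key files it writes there is not visible in this patch, so 0750 is the safer default unless something outside the account must traverse it. `@dir(_lego,www,) %%WWWDIR%%` leaves the mode implicit; stating 0755 (the web server running as `www` has to read the challenge tokens `_lego` writes there) avoids surprises across umask settings.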
