acme: deprecate state_dir

state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.

With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.

Signed-off-by: Glen Huang <i@glenhuang.com>

diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile
index 268df5c68023fcea6d3a9b55aa275e63ad099f62..c8c4a0bb38992da11f4d818b3af92fbd2316bcc3 100644 (file)
--- a/net/acme-common/Makefile
+++ b/net/acme-common/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme-common
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.0.2
 
 PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
 PKG_LICENSE:=GPL-3.0-only
@@ -34,6 +34,7 @@ define Package/acme-common/conffiles
 endef
 
 define Package/acme-common/install
+       $(INSTALL_DIR) $(1)/etc/acme
        $(INSTALL_DIR) $(1)/etc/ssl/acme
        $(INSTALL_DIR) $(1)/etc/config
        $(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme

diff --git a/net/acme-common/files/acme.config b/net/acme-common/files/acme.config
index d72547a6ed17c42f87e73254ce8e28ab192185ea..75fd1cf096a3929e38ddb0c47f12d72e3cb69185 100644 (file)
--- a/net/acme-common/files/acme.config
+++ b/net/acme-common/files/acme.config
@@ -1,5 +1,4 @@
 config acme
-       option state_dir '/etc/acme'
        option account_email 'email@example.org'
        option debug 0
 

diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh
index 582575f89658ec558211e0d621d8259ae6d6c630..5a2f7d739425f4ab673a54016126a78bf1624a09 100644 (file)
--- a/net/acme-common/files/acme.sh
+++ b/net/acme-common/files/acme.sh
@@ -8,10 +8,8 @@
 #
 # Authors: Toke Høiland-Jørgensen <toke@toke.dk>
 
-export state_dir=/etc/acme
-export account_email=
-export debug=0
-export run_dir=/var/run/acme
+run_dir=/var/run/acme
+export challenge_dir=$run_dir/challenge
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -65,7 +63,7 @@ load_options() {
        config_get webroot "$section" webroot
        export webroot
        if [ "$webroot" ]; then
-               log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge."
+               log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $challenge_dir."
        fi
 }
 
@@ -107,11 +105,19 @@ load_globals() {
                log err "account_email option is required"
                exit 1
        fi
+       export account_email
+
+       config_get state_dir "$section" state_dir
+       if [ "$state_dir" ]; then
+               log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in /etc/ssl/acme."
+               mkdir -p "$state_dir"
+       else
+               state_dir=/etc/acme
+       fi
+       export state_dir
 
-       config_get state_dir "$section" state_dir "$state_dir"
-       mkdir -p "$state_dir"
-
-       config_get debug "$section" debug "$debug"
+       config_get debug "$section" debug 0
+       export debug
 
        # only look for the first acme section
        return 1