From owner-svn-ports-head@freebsd.org Wed Jul 24 07:50:17 2019
Return-Path:
Delivered-To: svn-ports-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 87049A1257; Wed, 24 Jul 2019 07:50:17 +0000 (UTC) (envelope-from rodrigo@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 684846DC0C; Wed, 24 Jul 2019 07:50:17 +0000 (UTC) (envelope-from rodrigo@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4162EB0B9; Wed, 24 Jul 2019 07:50:17 +0000 (UTC) (envelope-from rodrigo@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6O7oH5I093975; Wed, 24 Jul 2019 07:50:17 GMT (envelope-from rodrigo@FreeBSD.org)
Received: (from rodrigo@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6O7oFvt093964; Wed, 24 Jul 2019 07:50:15 GMT (envelope-from rodrigo@FreeBSD.org)
Message-Id: <201907240750.x6O7oFvt093964@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: rodrigo set sender to rodrigo@FreeBSD.org using -f
From: Rodrigo Osorio
Date: Wed, 24 Jul 2019 07:50:15 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r507266 - in head: . security security/lego security/lego/files
X-SVN-Group: ports-head
X-SVN-Commit-Author: rodrigo
X-SVN-Commit-Paths: in head: . security security/lego security/lego/files
X-SVN-Commit-Revision: 507266
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 684846DC0C
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.97)[-0.965,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 24 Jul 2019 07:50:17 -0000

Author: rodrigo
Date: Wed Jul 24 07:50:14 2019
New Revision: 507266

URL: https://svnweb.freebsd.org/changeset/ports/507266

Log:
  Add new port security/lego

  Lego is a new Let's Encrypt client written in Go with support for a number of
  ACME challenges and no external dependencies.
PR: 237349 Submitted by: Matthew Horan Added: head/security/lego/ head/security/lego/Makefile (contents, props changed) head/security/lego/distinfo (contents, props changed) head/security/lego/files/ head/security/lego/files/604.lego.in (contents, props changed) head/security/lego/files/deploy.sh.sample.in (contents, props changed) head/security/lego/files/lego.sh.sample.in (contents, props changed) head/security/lego/files/pkg-message.in (contents, props changed) head/security/lego/pkg-descr (contents, props changed) head/security/lego/pkg-plist (contents, props changed) Modified: head/GIDs head/UIDs head/security/Makefile Modified: head/GIDs ============================================================================== --- head/GIDs Wed Jul 24 07:47:50 2019 (r507265) +++ head/GIDs Wed Jul 24 07:50:14 2019 (r507266) @@ -544,7 +544,7 @@ _xsi:*:600: _tss:*:601: _pkcs11:*:602: _acme:*:603: -# free: 604 +_lego:*:604: _hockeypuck:*:605: # free: 606 # free: 607 Modified: head/UIDs ============================================================================== --- head/UIDs Wed Jul 24 07:47:50 2019 (r507265) +++ head/UIDs Wed Jul 24 07:50:14 2019 (r507266) @@ -549,7 +549,7 @@ _xsi:*:600:600::0:0:XMLSysInfo User:/nonexistent:/usr/ _tss:*:601:601:daemon:0:0:TrouSerS user:/var/empty:/usr/sbin/nologin _pkcs11:*:602:602:daemon:0:0:opencryptoki user:/var/empty:/usr/sbin/nologin _acme:*:603:603::0:0:ACME client user:/var/empty:/usr/sbin/nologin -# free: 604 +_lego:*:604:604::0:0:lego client user:/nonexistent:/usr/sbin/nologin _hockeypuck:*:605:605::0:0:hockeypuck pgp keyserver user:/var/empty:/usr/sbin/nologin # free: 606 # free: 607 Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Wed Jul 24 07:47:50 2019 (r507265) +++ head/security/Makefile Wed Jul 24 07:50:14 2019 (r507266) 
@@ -278,6 +278,7 @@ SUBDIR += l5 SUBDIR += lasso SUBDIR += lastpass-cli + SUBDIR += lego SUBDIR += libadacrypt SUBDIR += libargon2 SUBDIR += libassuan Added: head/security/lego/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/Makefile Wed Jul 24 07:50:14 2019 (r507266) @@ -0,0 +1,46 @@ +# $FreeBSD$ + +PORTNAME= lego +DISTVERSIONPREFIX= v +DISTVERSION= 2.6.0 +CATEGORIES= security + +MAINTAINER= matt@matthoran.com +COMMENT= Let's Encrypt client and ACME library written in Go + +LICENSE= MIT +LICENSE_FILE= ${WRKSRC}/LICENSE + +RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss + +USES= go + +GO_PKGNAME= github.com/go-acme/lego +GO_TARGET= ${GO_PKGNAME}/cmd/lego +GO_BUILDFLAGS= -ldflags '-X "main.version=${GH_TAGNAME}"' + +USE_GITHUB= yes +GH_ACCOUNT= go-acme + +SAMPLE_FILES= lego.sh.sample deploy.sh.sample +SUB_FILES= 604.lego pkg-message ${SAMPLE_FILES} +SUB_LIST= PORTNAME=${PORTNAME} LEGO_USER=${LEGO_USER} + +PERIODIC_DIRS= etc/periodic/weekly +PERIODIC_FILES= 604.lego + +LEGO_USER?= _lego + +USERS= ${LEGO_USER} +GROUPS= ${LEGO_USER} + +post-install: + ${MKDIR} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS} + ${INSTALL_SCRIPT} ${WRKDIR}/${PERIODIC_FILES} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${PERIODIC_FILES} + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl/lego \ + ${STAGEDIR}${ETCDIR} ${STAGEDIR}${WWWDIR} +. for d in ${SAMPLE_FILES} + ${INSTALL_SCRIPT} ${WRKDIR}/${d} ${STAGEDIR}${ETCDIR}/${d} +. endfor + +.include Added: head/security/lego/distinfo ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/distinfo Wed Jul 24 07:50:14 2019 (r507266) 
@@ -0,0 +1,3 @@ +TIMESTAMP = 1559482047 +SHA256 (go-acme-lego-v2.6.0_GH0.tar.gz) = 1abba13871f58fe483a3d4ac3900d44cddeacfc3dfe9fae2d96e45a9a39e7ce7 +SIZE (go-acme-lego-v2.6.0_GH0.tar.gz) = 4996556 Added: head/security/lego/files/604.lego.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/files/604.lego.in Wed Jul 24 07:50:14 2019 (r507266) @@ -0,0 +1,32 @@ +#!/bin/sh + +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +PATH=$PATH:%%LOCALBASE%%/bin:%%LOCALBASE%%/sbin +export PATH + +case "$weekly_lego_enable" in + [Yy][Ee][Ss]) + echo + echo "Checking Let's Encrypt certificate status:" + + if [ -x "$weekly_lego_renewscript" ] ; then + echo "$weekly_lego_renewscript" | su -fm _lego || exit 3 + fi + + if [ -n "$weekly_lego_deployscript" ] ; then + if [ -x "$weekly_lego_deployscript" ] ; then + echo "Deploying Let's Encrypt certificates:" + $weekly_lego_deployscript || exit 3 + else + echo 'Skipped, deploy script does not exist or is not executable' + fi + fi + ;; + *) + ;; +esac Added: head/security/lego/files/deploy.sh.sample.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/files/deploy.sh.sample.in Wed Jul 24 07:50:14 2019 (r507266) 
@@ -0,0 +1,30 @@ +#!/bin/sh -e + +SSLDIR="%%PREFIX%%/etc/ssl" + +copy_certs () { + local certdir certfile domain keyfile rc + rc=1 + + certdir="${SSLDIR}/lego/certificates" + certfiles="$(find "${certdir}" -name "*.crt" -not -name "*.issuer.crt")" + for certfile in $certfiles + do + domain="$(basename "$certfile" .crt)" + keyfile="$(dirname "$certfile")/${domain}.key" + + if ! cmp -s "${certfile}" "${SSLDIR}/certs/${domain}.crt" + then + cp "${certfile}" "${SSLDIR}/certs/${domain}.crt" + cp "${keyfile}" "${SSLDIR}/private/${domain}.key" + rc=0 + fi + done + + return $rc +} + +if copy_certs +then + output=$(service nginx reload 2>&1) || (echo "$output" && exit 1) +fi Added: head/security/lego/files/lego.sh.sample.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/files/lego.sh.sample.in Wed Jul 24 07:50:14 2019 (r507266) @@ -0,0 +1,40 @@ +#!/bin/sh -e + +# Email used for registration and recovery contact. +EMAIL="" + +BASEDIR="%%ETCDIR%%" +SSLDIR="%%PREFIX%%/etc/ssl/lego" +DOMAINSFILE="${BASEDIR}/domains.txt" + +if [ -z "${EMAIL}" ]; then + echo "Please set EMAIL to a valid address in ${BASEDIR}/lego.sh" + exit 1 +fi + +if [ ! -e "${DOMAINSFILE}" ]; then + echo "Please create ${DOMAINSFILE} as specified in ${BASEDIR}/lego.sh" + exit 1 +fi + +if [ "$1" = "run" ]; then + command="run" +else + command="renew --days 30" +fi + +run_or_renew() { + %%PREFIX%%/bin/lego --path "${SSLDIR}" \ + --email="${EMAIL}" \ + $(printf -- "--domains=%s " $line) \ + --http --http.webroot="%%WWWDIR%%" \ + $1 +} + +while read line <&3; do + if [ "$command" = "run" ]; then + run_or_renew "$command" + else + output=$(run_or_renew "$command") || (echo "$output" && exit 1) + fi +done 3<"${DOMAINSFILE}" Added: head/security/lego/files/pkg-message.in ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/files/pkg-message.in Wed Jul 24 07:50:14 2019 (r507266) @@ -0,0 +1,37 @@ + +There are example scripts in + %%ETCDIR%% +that you can use for renewing and deploying certificates. + +In order to run the script regularly to update the certificates add this line +to /etc/periodic.conf: + + weekly_lego_enable="YES" + +Additionally the following parameters may be added to /etc/periodic.conf: + +Script to run to renew certificates, will be run as %%LEGO_USER%% (required) + weekly_lego_renewscript="%%ETCDIR%%/lego.sh" + +To run a script after the renewal to deploy certificates + weekly_lego_deployscript="%%ETCDIR%%/deploy.sh" + +If using the example renew script, add the domains for which lego will manage +certificates to + %%ETCDIR%%/domains.txt, one domain on each line. + +To add a Subject Alternate Name to the certificate, append the domain(s) to the +line: + example.com www.example.com + +To run lego for the first time, edit + %%ETCDIR%%/lego.sh +and set the EMAIL variable. + +Then run lego.sh with the run argument as the %%LEGO_USER%% user: + $ %%ETCDIR%%/lego.sh run + +Subsequent periodic runs will run with the renew argument by default, with a +renewal interval of 30 days. + + Added: head/security/lego/pkg-descr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/pkg-descr Wed Jul 24 07:50:14 2019 (r507266) @@ -0,0 +1,4 @@ +lego is a client for Let's Encrypt users, written in Go. It has support for a +number of ACME challenges, and no external dependencies. + +WWW: https://github.com/go-acme/lego Added: head/security/lego/pkg-plist ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/lego/pkg-plist Wed Jul 24 07:50:14 2019 (r507266) 
@@ -0,0 +1,8 @@ +bin/lego +etc/periodic/weekly/604.lego +@dir(_lego,_lego,0700) etc/lego +@dir(,,0755) etc/ssl +@dir(_lego,_lego,0755) etc/ssl/lego +@dir(_lego,www,) %%WWWDIR%% +@sample(_lego,_lego,0700) etc/lego/lego.sh.sample +@sample etc/lego/deploy.sh.sample
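Review bot: In the head/UIDs hunk the new `_lego` entry uses `/nonexistent` as its home directory while the neighbouring `_acme`, `_pkcs11`, `_tss` and `_hockeypuck` entries all use `/var/empty`; unless lego needs a home directory, `/var/empty` keeps the entry consistent with the surrounding system accounts.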
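Review bot: In the head/security/lego/Makefile hunk, `LEGO_USER?= _lego` presents the account name as overridable, but nothing else in the change honours an override: `USERS=`/`GROUPS=` need a matching entry in UIDs/GIDs and only `_lego` was added, the pkg-plist hunk hardcodes `@dir(_lego,_lego,0700) etc/lego` and `@sample(_lego,_lego,0700)`, and 604.lego.in hardcodes `su -fm _lego`. Either make it a plain `LEGO_USER= _lego` or thread `%%LEGO_USER%%` through the plist and the periodic script so that the SUB_LIST substitution actually means something.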
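Review bot: In the files/604.lego.in hunk, `echo "$weekly_lego_renewscript" | su -fm _lego || exit 3` hardcodes the account even though the Makefile passes `LEGO_USER` via `SUB_LIST` and pkg-message tells the user the script "will be run as %%LEGO_USER%%"; use `%%LEGO_USER%%` here. Note also that the `-x` test on `$weekly_lego_renewscript` is evaluated as root but the script is executed as the unprivileged user, so a script root can execute may still fail for `_lego` (the `|| exit 3` will catch that, but the message will be less obvious); a clearer approach is `su -fm _lego -c "$weekly_lego_renewscript"` and a log line naming the script on failure.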
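Review bot: In the files/deploy.sh.sample.in hunk, `local certdir certfile domain keyfile rc` declares `certfile` but the variable actually assigned is `certfiles`, so it leaks into the global scope; add it to the `local` list. The failure path `|| (echo "$output" && exit 1)` only exits the `( ... )` subshell; the script stops solely because `-e` reacts to the failing `||` list, which is easy to break on a later edit, so `{ echo "$output"; exit 1; }` states the intent directly. Finally, the script copies keys into `${SSLDIR}/private` and certificates into `${SSLDIR}/certs`, but the pkg-plist hunk only creates `etc/ssl` and `etc/ssl/lego`, so a first run fails in `cp`; either create those directories in the plist (with a restrictive mode on `private`) or use `install -m 0600` for the key so the deployed private key's permissions do not depend on the source file's mode and root's umask.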
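Review bot: In the files/lego.sh.sample.in hunk, `while read line <&3` treats every line of domains.txt as a domain list, so a blank or commented line produces a bare `--domains=` argument via `$(printf -- "--domains=%s " $line)` and aborts the run; skip empty lines and `#` comments before calling `run_or_renew`, and use `read -r` so backslashes in the file are not interpreted. The same `|| (echo "$output" && exit 1)` subshell pattern as in deploy.sh.sample.in applies here: `exit 1` ends only the subshell, and termination relies on `-e`; `{ echo "$output"; exit 1; }` is the explicit form.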
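Review bot: The files/pkg-message.in hunk omits the prerequisite that makes the sample renew script work: lego.sh.sample.in uses `--http --http.webroot="%%WWWDIR%%"`, so the web server must serve `%%WWWDIR%%` at `/.well-known/acme-challenge/` for every listed domain before the first `lego.sh run`; a short paragraph saying so would save most first-time failures. Also "Subject Alternate Name" should read "Subject Alternative Name".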
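Review bot: In the head/security/lego/pkg-plist hunk, `@dir(_lego,_lego,0755) etc/ssl/lego` is the directory where lego keeps the account key and the issued certificates' private keys (deploy.sh.sample.in reads them from `etc/ssl/lego/certificates`); since only `_lego` writes there and deploy.sh runs as root, 0700 would be the tighter default. The hardcoded `_lego` owner on these entries and on the `@sample` line should follow whatever is decided for `LEGO_USER` in the Makefile.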