Openwrt/packages
0
0
Fork 0
mirror of https://github.com/openwrt/packages.git synced 2025-07-01 02:27:04 +00:00
Code Activity
Files
master
packages/net/acme-common/files/acme.init
Florian Eckert 692f3afe4a acme: remove crontab entry if service is stopped 
Until now it was not possible to stop the acme service, because the handling
was done via cron. With this change, the acme handler can now be stopped by
calling '/etc/init.d/acme' stop. This call removes the entry from the crontab.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2025-04-01 22:53:08 +02:00

174 lines
4.0 KiB
Bash
Raw Permalink Blame History

#!/bin/sh /etc/rc.common
START=20
USE_PROCD=1
run_dir=/var/run/acme
export CHALLENGE_DIR=$run_dir/challenge
export CERT_DIR=/etc/ssl/acme
NFT_HANDLE=
HOOK=/usr/lib/acme/hook
LOG_TAG=acme
# shellcheck source=net/acme/files/functions.sh
. "$IPKG_INSTROOT/usr/lib/acme/functions.sh"
extra_command "renew" "Start a certificate renew"
cleanup() {
log debug "cleaning up"
if [ "$NFT_HANDLE" ]; then
# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
nft delete rule inet fw4 input $NFT_HANDLE
fi
}
load_options() {
section=$1
config_get staging "$section" staging
# compatibility for old option name
if [ -z "$staging" ]; then
config_get_bool staging "$section" use_staging 0
fi
export staging
config_get calias "$section" calias
export calias
config_get dalias "$section" dalias
export dalias
config_get domains "$section" domains
export domains
main_domain="$(first_arg $domains)"
export main_domain
config_get keylength "$section" keylength
if [ "$keylength" ]; then
log warn "Option \"keylength\" is deprecated, please use key_type (e.g., ec256, rsa2048) instead."
case $keylength in
ec-*) key_type=${keylength/-/} ;;
*) key_type=rsa$keylength ;;
esac
else
config_get key_type "$section" key_type ec256
fi
export key_type
config_get dns "$section" dns
export dns
config_get acme_server "$section" acme_server
export acme_server
config_get days "$section" days
export days
config_get standalone "$section" standalone
[ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."
config_get dns_wait "$section" dns_wait
export dns_wait
config_get webroot "$section" webroot
if [ "$webroot" ]; then
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
CHALLENGE_DIR=$webroot
fi
config_get validation_method "$section" validation_method
# if validation_method isn't set then guess it
if [ -z "$validation_method" ]; then
if [ -n "$dns" ]; then
validation_method="dns"
elif [ "$standalone" = 1 ]; then
validation_method="standalone"
else
validation_method="webroot"
fi
log warn "Please set \"option validation_method $validation_method\"."
fi
export validation_method
}
first_arg() {
echo "$1"
}
get_cert() {
section=$1
config_get_bool enabled "$section" enabled 1
[ "$enabled" = 1 ] || return
load_options "$section"
if [ "$validation_method" = "webroot" ]; then
mkdir -p "$CHALLENGE_DIR"
fi
if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
return 1
fi
log debug "added nft rule: $NFT_HANDLE"
fi
load_credentials() {
eval export "$1"
}
config_list_foreach "$section" credentials load_credentials
"$HOOK" get
}
load_globals() {
section=$1
config_get account_email "$section" account_email
if [ -z "$account_email" ]; then
log err "account_email option is required"
exit 1
fi
export account_email
config_get state_dir "$section" state_dir
if [ "$state_dir" ]; then
log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
mkdir -p "$state_dir"
else
state_dir=/etc/acme
fi
export state_dir
config_get_bool debug "$section" debug 0
export debug
# only look for the first acme section
return 1
}
start_service() {
mkdir -p $run_dir
mkdir -p "$CHALLENGE_DIR"
grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null || {
echo "0 0 * * * /etc/init.d/acme renew" >>/etc/crontabs/root
}
}
service_started() {
echo "Certificate renewal enabled via cron. To renew now, run '/etc/init.d/acme renew'."
}
stop_service() {
sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root
}
service_stopped() {
echo "Certificate renewal is disabled."
}
service_triggers() {
procd_add_config_trigger config.change acme \
/etc/init.d/acme renew
}
renew() {
trap cleanup EXIT
config_load acme
config_foreach load_globals acme
config_foreach get_cert cert
}
View Git Blame Copy Permalink