update haproxy and acme from master

Author: anaelorlinski

openwrt-22.03/patches/package/acme-acmesh/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme-acmesh
 PKG_VERSION:=3.0.1
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=10
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)?
@@ -51,7 +51,7 @@ endef
 define Package/acme-acmesh-dnsapi
   SECTION:=net
   CATEGORY:=Network
-  DEPENDS:=+acme
+  DEPENDS:=+acme-acmesh
   TITLE:=DNS API integration for ACME (Letsencrypt) client
   PKGARCH:=all
 endef

openwrt-22.03/patches/package/acme-acmesh/files/hook.sh

@@ -2,8 +2,9 @@
 set -u
 ACME=/usr/lib/acme/client/acme.sh
 LOG_TAG=acme-acmesh
-# webroot option deprecated, use the hardcoded value directly in the next major version
-WEBROOT=${webroot:-/var/run/acme/challenge}
+# webroot option deprecated, use the exported value directly in the next major version
+WEBROOT=${webroot:-$CHALLENGE_DIR}
+NOTIFY=/usr/lib/acme/notify
 
 # shellcheck source=net/acme/files/functions.sh
 . /usr/lib/acme/functions.sh
@@ -12,9 +13,33 @@ WEBROOT=${webroot:-/var/run/acme/challenge}
 export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 export NO_TIMESTAMP=1
 
-cmd="$1"
+link_certs()
+{
+    local main_domain
+    local domain_dir
+    domain_dir="$1"
+    main_domain="$2"
 
-case $cmd in
+    (umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer")
+
+    if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then
+		ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt"
+    fi
+    if [ ! -e "$CERT_DIR/$main_domain.key" ]; then
+		ln -s "$domain_dir/$main_domain.key" "$CERT_DIR/$main_domain.key"
+    fi
+    if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then
+		ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt"
+    fi
+    if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then
+		ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt"
+    fi
+    if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then
+		ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt"
+    fi
+}
+
+case $1 in
 get)
 	set --
 	[ "$debug" = 1 ] && set -- "$@" --debug
@@ -38,20 +63,27 @@ get)
 			staging_moved=1
 		else
 			set -- "$@" --renew --home "$state_dir" -d "$main_domain"
-			log info "$*"
-			trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
-			"$ACME" "$@"
+			log info "$ACME $*"
+			trap '$NOTIFY renew-failed;exit 1' INT
+			$ACME "$@"
 			status=$?
 			trap - INT
 
 			case $status in
-			0) ;; # renewed ok, handled by acme.sh hook, ignore.
-			2) ;; # renew skipped, ignore.
+			0)
+                                link_certs "$domain_dir" "$main_domain"
+				$NOTIFY renewed
+				exit
+				;;
+			2)
+				# renew skipped, ignore.
+				exit
+				;;
 			*)
-				ACTION=renew-failed hotplug-call acme
+				$NOTIFY renew-failed
+				exit 1
 				;;
 			esac
-			return 0
 		fi
 	fi
 
@@ -83,6 +115,9 @@ get)
 		elif [ "$calias" ]; then
 			set -- "$@" --challenge-alias "$calias"
 		fi
+		if [ "$dns_wait" ]; then
+			set -- "$@" --dnssleep "$dns_wait"
+		fi
 	elif [ "$standalone" = 1 ]; then
 		set -- "$@" --standalone --listen-v6
 	else
@@ -92,21 +127,18 @@ get)
 
 	set -- "$@" --issue --home "$state_dir"
 
-	log info "$*"
-	trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+	log info "$ACME $*"
+	trap '$NOTIFY issue-failed;exit 1' INT
 	"$ACME" "$@" \
-		--pre-hook 'ACTION=prepare hotplug-call acme' \
-		--renew-hook 'ACTION=renewed hotplug-call acme'
+		--pre-hook "$NOTIFY prepare" \
+		--renew-hook "$NOTIFY renewed"
 	status=$?
 	trap - INT
 
 	case $status in
 	0)
-		ln -s "$domain_dir/$main_domain.cer" /etc/ssl/acme
-		ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
-		ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
-		ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
-		ACTION=issued hotplug-call acme
+                link_certs "$domain_dir" "$main_domain"
+		$NOTIFY issued
 		;;
 	*)
 		if [ "$staging_moved" = 1 ]; then
@@ -117,8 +149,7 @@ get)
 			mv "$domain_dir" "$failed_dir"
 			log err "State moved to $failed_dir"
 		fi
-		ACTION=issue-failed hotplug-call acme
-		return 0
+		$NOTIFY issue-failed
 		;;
 	esac
 	;;

openwrt-22.03/patches/package/acme-common/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme-common
-PKG_VERSION:=1.0.0
+PKG_VERSION:=1.0.2
 
 PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
 PKG_LICENSE:=GPL-3.0-only
@@ -35,16 +35,19 @@ endef
 
 define Package/acme-common/install
 	$(INSTALL_DIR) $(1)/etc/acme
+	$(INSTALL_DIR) $(1)/etc/ssl/acme
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
 	$(INSTALL_DIR) $(1)/usr/lib/acme
 	$(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+	$(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
 endef
 
 define Package/acme/postinst

openwrt-22.03/patches/package/acme-common/files/acme-notify.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -u
+
+event="$1"
+
+# Call hotplug first, giving scripts a chance to modify certificates before
+# reloadaing the services
+ACTION=$event hotplug-call acme
+
+case $event in
+renewed)
+    ubus call service event '{"type":"acme.renew","data":{}}'
+    ;;
+issued)
+    ubus call service event '{"type":"acme.issue","data":{}}'
+    ;;
+esac

openwrt-22.03/patches/package/acme-common/files/acme.config

@@ -1,11 +1,10 @@
 config acme
-	option state_dir '/etc/acme'
 	option account_email 'email@example.org'
 	option debug 0
 
 config cert 'example_wildcard'
 	option enabled 0
-	option use_staging 1
+	option staging 1
 	list domains example.org
 	list domains sub.example.org
 	list domains *.sub.example.org
@@ -17,6 +16,6 @@ config cert 'example_wildcard'
 
 config cert 'example'
 	option enabled 0
-	option use_staging 1
+	option staging 1
 	list domains example.org
 	list domains sub.example.org

openwrt-22.03/patches/package/acme-common/files/acme.sh

@@ -8,10 +8,9 @@
 #
 # Authors: Toke Høiland-Jørgensen <toke@toke.dk>
 
-export state_dir='/etc/acme'
-export account_email=
-export debug=0
-export challenge_dir='/var/run/acme/challenge'
+run_dir=/var/run/acme
+export CHALLENGE_DIR=$run_dir/challenge
+export CERT_DIR=/etc/ssl/acme
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -23,6 +22,9 @@ LOG_TAG=acme
 
 cleanup() {
 	log debug "cleaning up"
+	if [ -e $run_dir/lock ]; then
+		rm $run_dir/lock
+	fi
 	if [ "$NFT_HANDLE" ]; then
 		# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
 		nft delete rule inet fw4 input $NFT_HANDLE
@@ -33,7 +35,7 @@ load_options() {
 	section=$1
 
 	# compatibility for old option name
-	config_get_bool use_staging "$section" staging
+	config_get_bool staging "$section" use_staging
 	if [ -z "$staging" ]; then
 		config_get_bool staging "$section" staging 0
 	fi
@@ -56,11 +58,13 @@ load_options() {
 	export days
 	config_get standalone "$section" standalone 0
 	export standalone
+	config_get dns_wait "$section" dns_wait
+	export dns_wait
 
 	config_get webroot "$section" webroot
 	export webroot
 	if [ "$webroot" ]; then
-		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from /var/run/acme/challenge."
+		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
 	fi
 }
 
@@ -76,7 +80,7 @@ get_cert() {
 
 	load_options "$section"
 	if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
-		mkdir -p "$challenge_dir"
+		mkdir -p "$CHALLENGE_DIR"
 	fi
 
 	if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
@@ -102,11 +106,19 @@ load_globals() {
 		log err "account_email option is required"
 		exit 1
 	fi
+	export account_email
+
+	config_get state_dir "$section" state_dir
+	if [ "$state_dir" ]; then
+		log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
+		mkdir -p "$state_dir"
+	else
+		state_dir=/etc/acme
+	fi
+	export state_dir
 
-	config_get state_dir "$section" state_dir "$state_dir"
-	mkdir -p "$state_dir"
-
-	config_get debug "$section" debug "$debug"
+	config_get debug "$section" debug 0
+	export debug
 
 	# only look for the first acme section
 	return 1
@@ -117,7 +129,6 @@ usage() {
 Usage: acme <command> [arguments]
 Commands:
 	get                issue or renew certificates
-	cert <domain>      show certificate matching domain
 EOF
 	exit 1
 }
@@ -129,11 +140,18 @@ fi
 
 case $1 in
 get)
+	mkdir -p $run_dir
+	exec 200>$run_dir/lock
+	if ! flock -n 200; then
+		log err "Another ACME instance is already running."
+		exit 1
+	fi
+
+	trap cleanup EXIT
+
 	config_load acme
 	config_foreach load_globals acme
 
-	mkdir -p /etc/ssl/acme
-	trap cleanup EXIT
 	config_foreach get_cert cert
 	;;
 *)

openwrt-22.03/patches/package/haproxy/Makefile

@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
 PKG_VERSION:=2.6.6
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=104
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
@@ -122,8 +122,6 @@ define Package/haproxy/install
 	$(INSTALL_CONF) ./files/haproxy.cfg $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/haproxy.init $(1)/etc/init.d/haproxy
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
-	$(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-haproxy
 endef
 
 Package/haproxy-nossl/install = $(Package/haproxy/install)

openwrt-22.03/patches/package/haproxy/files/acme.hotplug

@@ -18,6 +18,10 @@ start_service() {
 	procd_close_instance
 }
 
+service_triggers() {
+	procd_add_raw_trigger acme.renew 5000 /etc/init.d/haproxy reload
+}
+
 extra_command "check" "Check haproxy config"
 check() {
 	$HAPROXY_BIN -c -q -V -f $HAPROXY_CONFIG

openwrt-22.03/patches/package/haproxy/files/haproxy.init

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git
-BASE_TAG=v2.6.2
+BASE_TAG=v2.6.6
 TMP_REPODIR=tmprepo
 PATCHESDIR=patches