LOG_TAG=acme-acmesh
# webroot option deprecated, use the hardcoded value directly in the next major version
WEBROOT=${webroot:-/var/run/acme/challenge}
+NOTIFY=/usr/lib/acme/notify
# shellcheck source=net/acme/files/functions.sh
. /usr/lib/acme/functions.sh
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export NO_TIMESTAMP=1
-cmd="$1"
-
-case $cmd in
+case $1 in
get)
set --
[ "$debug" = 1 ] && set -- "$@" --debug
staging_moved=1
else
set -- "$@" --renew --home "$state_dir" -d "$main_domain"
- log info "$*"
- trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
- "$ACME" "$@"
+ log info "$ACME $*"
+ trap '$NOTIFY renew-failed;exit 1' INT
+ $ACME "$@"
status=$?
trap - INT
case $status in
- 0) ;; # renewed ok, handled by acme.sh hook, ignore.
- 2) ;; # renew skipped, ignore.
+ 0)
+ $NOTIFY renewed
+ exit;;
+ 2)
+ # renew skipped, ignore.
+ exit
+ ;;
*)
- ACTION=renew-failed hotplug-call acme
+ $NOTIFY renew-failed
+ exit 1
;;
esac
- return 0
fi
fi
set -- "$@" --issue --home "$state_dir"
- log info "$*"
- trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+ log info "$ACME $*"
+ trap '$NOTIFY issue-failed;exit 1' INT
"$ACME" "$@" \
- --pre-hook 'ACTION=prepare hotplug-call acme' \
- --renew-hook 'ACTION=renewed hotplug-call acme'
+ --pre-hook "$NOTIFY prepare" \
+ --renew-hook "$NOTIFY renewed"
status=$?
trap - INT
ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
- ACTION=issued hotplug-call acme
+ $NOTIFY issued
;;
*)
if [ "$staging_moved" = 1 ]; then
mv "$domain_dir" "$failed_dir"
log err "State moved to $failed_dir"
fi
- ACTION=issue-failed hotplug-call acme
- return 0
+ $NOTIFY issue-failed
;;
esac
;;
$(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
$(INSTALL_DIR) $(1)/usr/lib/acme
$(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+ $(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
endef
define Package/acme/postinst
--- /dev/null
+#!/bin/sh
+set -u
+
+event="$1"
+
+# Call hotplug first, giving scripts a chance to modify certificates before
+# reloadaing the services
+ACTION=$event hotplug-call acme
+
+case $event in
+renewed)
+ ubus call service event '{"type":"acme.renew","data":{}}'
+ ;;
+issued)
+ ubus call service event '{"type":"acme.issue","data":{}}'
+ ;;
+esac
endif
$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
-
- $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
- $(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-nginx
endef
Package/nginx-all-module/install = $(Package/nginx-ssl/install)