svn commit: r541967 - in branches/2020Q3/security/py-certbot: . files
Danilo G. Baio
dbaio at FreeBSD.org
Sat Jul 11 12:50:22 UTC 2020
Author: dbaio
Date: Sat Jul 11 12:50:20 2020
New Revision: 541967
URL: https://svnweb.freebsd.org/changeset/ports/541967
Log:
MFH: r541966
security/py-certbot: Improve periodic script
This change will keep the default behavior in the periodic script
and will add options to customize each parameter for those who want to:
- weekly_certbot_pre_hook
- weekly_certbot_post_hook
- weekly_certbot_deploy_hook
- weekly_certbot_custom_args
PR: 245674, 245954
Reported by: amdmi3, fjoe
Reviewed by: koobs
Approved by: dbaio, koobs (python, maintainer)
Differential Revision: https://reviews.freebsd.org/D25391
Approved by: ports-secteam (joneum)
Added:
branches/2020Q3/security/py-certbot/files/pkg-message.in
- copied unchanged from r541966, head/security/py-certbot/files/pkg-message.in
Deleted:
branches/2020Q3/security/py-certbot/pkg-message
Modified:
branches/2020Q3/security/py-certbot/Makefile
branches/2020Q3/security/py-certbot/files/500.certbot.in
Directory Properties:
branches/2020Q3/ (props changed)
Modified: branches/2020Q3/security/py-certbot/Makefile
==============================================================================
--- branches/2020Q3/security/py-certbot/Makefile Sat Jul 11 12:33:23 2020 (r541966)
+++ branches/2020Q3/security/py-certbot/Makefile Sat Jul 11 12:50:20 2020 (r541967)
@@ -3,7 +3,7 @@
PORTNAME= certbot
PORTVERSION= ${ACME_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security python
MASTER_SITES= CHEESESHOP
@@ -34,7 +34,7 @@ USES= python
USE_PYTHON= autoplist concurrent distutils
NO_ARCH= yes
-SUB_FILES= 500.certbot
+SUB_FILES= 500.certbot pkg-message
PLIST_FILES= etc/periodic/weekly/500.certbot-${PYTHON_VER}
SUB_LIST= PYTHON_VER=${PYTHON_VER}
Modified: branches/2020Q3/security/py-certbot/files/500.certbot.in
==============================================================================
--- branches/2020Q3/security/py-certbot/files/500.certbot.in Sat Jul 11 12:33:23 2020 (r541966)
+++ branches/2020Q3/security/py-certbot/files/500.certbot.in Sat Jul 11 12:50:20 2020 (r541967)
@@ -7,11 +7,23 @@
# Add the following lines to /etc/periodic.conf:
#
# weekly_certbot_enable (bool): Set to "NO" by default
-# weekly_certbot_service (str): If defined, certbot will try to
-# shutdown this this service before
-# renewing the certificate, and restart
-# it afterwards. For example, set to
-# "nginx" or "apache24"
+# weekly_certbot_service (str): If defined, certbot will try to shutdown this
+# service before renewing the certificate, and restart it afterwards.
+# For example, set to "nginx" or "apache24". This is usually used to avoid
+# conflict with the standalone plugin webserver.
+# If any of pre_hook or post_hook is set, this behavior is disabled.
+# weekly_certbot_pre_hook (str): Command to be run in a shell before obtaining
+# any certificates.
+# weekly_certbot_post_hook (str): Command to be run in a shell after
+# attempting to obtain/renew certificates.
+# An example to reload nginx after renewing all certificates.
+# weekly_certbot_post_hook="service nginx onereload"
+# weekly_certbot_deploy_hook (str): Command to be run in a shell once for each
+# successfully issued certificate.
+# weekly_certbot_custom_args (str): Any other misc arguments for the renewal
+# See certbot -h renew for full list
+# An example to force renewal for certificates not due yet
+# weekly_certbot_custom_args="--force-renewal"
# If there is a global system configuration file, suck it in.
#
@@ -28,23 +40,41 @@ case "$weekly_certbot_enable" in
PRE_HOOK=""
POST_HOOK=""
- if [ -n "$weekly_certbot_service" ]
+ DEPLOY_HOOK=""
+
+ if [ -n "$weekly_certbot_service" ] && \
+ [ -z "$weekly_certbot_pre_hook" ] && [ -z "$weekly_certbot_post_hook" ];
then
- if service "$weekly_certbot_service" onestatus
- then
- PRE_HOOK="service $weekly_certbot_service onestop"
- POST_HOOK="service $weekly_certbot_service onestart"
- fi
+ if service "$weekly_certbot_service" onestatus
+ then
+ PRE_HOOK="--pre-hook 'service $weekly_certbot_service onestop'"
+ POST_HOOK="--post-hook 'service $weekly_certbot_service onestart'"
+ fi
+ else
+ if [ -n "$weekly_certbot_pre_hook" ]; then
+ PRE_HOOK="--pre-hook '$weekly_certbot_pre_hook'"
+ fi
+
+ if [ -n "$weekly_certbot_post_hook" ]; then
+ POST_HOOK="--post-hook '$weekly_certbot_post_hook'"
+ fi
fi
+ if [ -n "$weekly_certbot_deploy_hook" ]; then
+ DEPLOY_HOOK="--deploy-hook '$weekly_certbot_deploy_hook'"
+ fi
+
anticongestion
- if %%LOCALBASE%%/bin/certbot-%%PYTHON_VER%% renew --pre-hook "$PRE_HOOK" \
- --post-hook "$POST_HOOK" \
- --no-random-sleep-on-renew
+
+ eval %%LOCALBASE%%/bin/certbot-%%PYTHON_VER%% renew "$PRE_HOOK" "$POST_HOOK" \
+ "$DEPLOY_HOOK" "$weekly_certbot_custom_args" --no-random-sleep-on-renew
+ if [ $? -gt 0 ]
then
- rc=0
+ echo
+ echo "Errors were reported when renewing Let's Encrypt certificate(s)."
+ rc=3
else
- rc=1
+ rc=0
fi
;;
*) rc=0;;
Copied: branches/2020Q3/security/py-certbot/files/pkg-message.in (from r541966, head/security/py-certbot/files/pkg-message.in)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2020Q3/security/py-certbot/files/pkg-message.in Sat Jul 11 12:50:20 2020 (r541967, copy of r541966, head/security/py-certbot/files/pkg-message.in)
@@ -0,0 +1,56 @@
+[
+{ type: install
+ message: <<EOM
+This port installs the "standalone" client only, which does not use and
+is not the certbot-auto bootstrap/wrapper script.
+
+The simplest form of usage to obtain certificates is:
+
+ # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>
+
+NOTE:
+
+The client requires the ability to bind on TCP port 80 or 443 (depending
+on the --preferred-challenges option used). If a server is running on that
+port, it will need to be temporarily stopped so that the standalone server
+can listen on that port to complete the challenge authentication process.
+
+For more information on the 'standalone' mode, see:
+
+ https://certbot.eff.org/docs/using.html#standalone
+
+The certbot plugins to support apache and nginx certificate installation
+will be made available in the following ports:
+
+ * Apache plugin: security/py-certbot-apache
+ * Nginx plugin: security/py-certbot-nginx
+
+In order to automatically renew the certificates, add this line to
+/etc/periodic.conf:
+
+ weekly_certbot_enable="YES"
+
+More config details in the certbot periodic script:
+
+ %%LOCALBASE%%/etc/periodic/weekly/500.certbot-%%PYTHON_VER%%
+
+EOM
+}
+{
+ type: upgrade
+ maximum_version: "1.5.0_2,1"
+ message: <<EOM
+The certbot periodic script has new config options:
+
+ * weekly_certbot_pre_hook
+ * weekly_certbot_post_hook
+ * weekly_certbot_deploy_hook
+ * weekly_certbot_custom_args
+
+For config details, see the certbot periodic script:
+
+ %%LOCALBASE%%/etc/periodic/weekly/500.certbot-%%PYTHON_VER%%
+
+EOM
+}
+]
More information about the svn-ports-all
mailing list