Merge branch 'develop' of code.greenhost.net:open/certbot-haproxy into develop

README.rst

@@ -155,6 +155,7 @@ Now to allow the certbot user to restart HAProxy, put the following in the
 sudoers file:
 
 .. code:: bash
+
     cat <<EOF >> /etc/sudoers
     %certbot ALL=NOPASSWD: /bin/systemctl restart haproxy
     EOF
@@ -182,6 +183,7 @@ probably not "copy-paste compatible" with your setup. So you need to piece
 together a configuration that works for you.
 
 .. code::
+
     cat <<EOF > /etc/haproxy/haproxy.cfg
     global
         log /dev/log local0
@@ -223,13 +225,13 @@ together a configuration that works for you.
 
     frontend http-in
         # Listen on port 80
-        bind *:80
+        bind \*:80
         # Listen on port 443
         # Uncomment after running certbot for the first time, a certificate
         # needs to be installed *before* HAProxy will be able to start when this
         # directive is not commented.
         #
-        bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
+        bind \*:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
 
         # Forward Certbot verification requests to the certbot-haproxy plugin
         acl is_certbot path_beg -i /.well-known/acme-challenge
@@ -263,7 +265,7 @@ together a configuration that works for you.
         server node3 127.0.0.1:8080 check
         server node4 127.0.0.1:8080 check
         # If redirection from port 80 to 443 is to be forced, uncomment the next
-        # line. Keep in mind that the bind *:443 line should be uncommented and a
+        # line. Keep in mind that the bind \*:443 line should be uncommented and a
         # certificate should be present for all domains
         redirect scheme https if !{ ssl_fc }
 
@@ -313,6 +315,7 @@ minutes after the server boots, this is done so renewal starts immediately
 after the server has been offline for a long time.
 
 .. code:: bash
+
     cat <<EOF > /etc/systemd/system/letsencrypt.timer
     [Unit]
     Description=Run Let's Encrypt every 12 hours
@@ -334,6 +337,7 @@ after the server has been offline for a long time.
 
     [Service]
     Type=simple
+    User=certbot
     ExecStart=/usr/bin/certbot renew -q
     EOF
 

certbot_haproxy/authenticator.py

@@ -16,8 +16,8 @@ file::
 
     default_backend nodes
 
-    acl is_cerbot path_beg -i /.well-known/acme-challenge
-    use_backend certbot if is_cerbot
+    acl is_certbot path_beg -i /.well-known/acme-challenge
+    use_backend certbot if is_certbot
 
     backend certbot
         log global

provisioning_client.sh

@@ -56,7 +56,6 @@ agree-tos = True
 no-self-upgrade = True
 register-unsafely-without-email = True
 text = True
-domains testsite.nl
 debug = True
 verbose = True
 authenticator certbot-haproxy:haproxy-authenticator
@@ -82,7 +81,8 @@ EOF
 # TODO: Does this even work with the `chroot` directive?
 usermod -a -G vagrant haproxy
 
-mkdir -p /opt/cerbot/haproxy_fullchains
+mkdir -p /opt/certbot/haproxy_fullchains
+chown -R vagrant: /opt/certbot/
 
 cat <<EOF > /etc/haproxy/haproxy.cfg
 global
@@ -130,7 +130,7 @@ frontend http-in
     # needs to be installed *before* HAProxy will be able to start when this
     # directive is not commented.
     #
-    ## bind *:443 ssl crt /opt/cerbot/haproxy_fullchains
+    ## bind *:443 ssl crt /opt/certbot/haproxy_fullchains
 
     # Forward Cerbot verification requests to the certbot-haproxy plugin
     acl is_certbot path_beg -i /.well-known/acme-challenge
@@ -198,31 +198,37 @@ bash -c 'echo "vagrant ALL=NOPASSWD: /bin/systemctl restart haproxy"
 systemctl restart apache2
 systemctl restart haproxy
 
-#cat <<EOF > /etc/systemd/system/letsencrypt.timer
-#[Unit]
-#Description=Run Let's Encrypt every 12 hours
-#
-#[Timer]
-## Time to wait after booting before we run first time
-#OnBootSec=2min
-## Time between running each consecutive time
-#OnUnitActiveSec=12h
-#Unit=letsencrypt.service
-#
-#[Install]
-#WantedBy=timers.target
-#EOF
-#
-#cat <<EOF > /etc/systemd/system/letsencrypt.service
-#[Unit]
-#Description=Renew Let's Encrypt Certificates
-#
-#[Service]
-#Type=simple
-#ExecStart=/usr/bin/certbot renew -q
-#EOF
-#
-#systemctl enable letsencrypt.timer
-#systemctl start letsencrypt.timer
+# Scripts that run certificate renewal for all certificates every 12 hours. Only
+# certificates that are due are renewed.
+cat <<EOF > /etc/systemd/system/letsencrypt.service
+[Unit]
+Description=Renew Let's Encrypt Certificates
+
+[Service]
+Type=simple
+User=vagrant
+ExecStart=/usr/bin/certbot renew -q
+EOF
+
+cat <<EOF > /etc/systemd/system/letsencrypt.timer
+[Unit]
+Description=Run Let's Encrypt every 12 hours
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=2min
+# Time between running each consecutive time
+OnUnitActiveSec=12h
+Unit=letsencrypt.service
+
+[Install]
+WantedBy=timers.target
+EOF
+
+# Reload for when there were already other scripts in place.
+systemctl daemon-reload
+# Enable and start the timer, which runs the service.
+systemctl enable letsencrypt.timer
+systemctl start letsencrypt.timer
 
 echo "Provisioning completed."

tests/boulder-integration.sh

@@ -46,7 +46,8 @@ export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
 ./examples/generate-csr.sh le3.wtf
 common auth --csr "$CSR_PATH" \
        --cert-path "${root}/csr/cert.pem" \
-       --chain-path "${root}/csr/chain.pem"
+       --chain-path "${root}/csr/chain.pem" \
+       --fullchain-path "${root}/csr/fullchain.pem"
 openssl x509 -in "${root}/csr/cert.pem" -text
 openssl x509 -in "${root}/csr/chain.pem" -text
 
@@ -100,7 +101,8 @@ SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \
     -out "${root}/csr-p384.der"
 common auth --csr "${root}/csr-p384.der" \
     --cert-path "${root}/csr/cert-p384.pem" \
-    --chain-path "${root}/csr/chain-p384.pem"
+    --chain-path "${root}/csr/chain-p384.pem" \
+    --fullchain-path "${root}/csr/fullchain-p384.pem"
 openssl x509 -in "${root}/csr/cert-p384.pem" -text | grep 'ASN1 OID: secp384r1'
 
 # OCSP Must Staple
@@ -109,8 +111,6 @@ openssl x509 -in "${root}/conf/live/must-staple.le.wtf/cert.pem" -text | grep '1
 
 # revoke by account key
 common revoke --cert-path "$root/conf/live/le.wtf/cert.pem"
-# revoke renewed
-# common revoke --cert-path "$root/conf/live/le1.wtf/cert.pem"
 # revoke by cert key
 common revoke --cert-path "$root/conf/live/le2.wtf/cert.pem" \
        --key-path "$root/conf/live/le2.wtf/privkey.pem"