From be653e8e6ba51134310046179ed2ee56d597c8c5 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Mon, 11 Jan 2016 12:53:39 -0800
Subject: [PATCH 1/8] Use SHA256 openssl signatures

---
 tools/half-sign.c | 12 ++++++------
 tools/release.sh | 6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/tools/half-sign.c b/tools/half-sign.c
index b4ab99e4c..e56bc397c 100644
--- a/tools/half-sign.c
+++ b/tools/half-sign.c
@@ -12,18 +12,18 @@
 // To compile:
 // gcc half-sign.c -lssl -lcrypto -o half-sign
-// Sign with SHA1
-#define HASH_SIZE 20
+// Sign with SHA256
+#define HASH_SIZE 32
 void usage() {
 printf("half-sign [binary hash file]\n");
 printf("\n");
- printf(" Computes and prints a binary RSA signature over data given the SHA1 hash of\n");
+ printf(" Computes and prints a binary RSA signature over data given the SHA256 hash of\n");
 printf(" the data as input.\n");
 printf("\n");
 printf(" should be PEM encoded.\n");
 printf("\n");
- printf(" The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
+ printf(" The input SHA256 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
 printf(" specified, it will be read from stdin.\n");
 exit(1);
 }
@@ -41,7 +41,7 @@ void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) {
 if ((!ctx)
 || (EVP_PKEY_sign_init(ctx) <= 0)
 || (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
- || (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) {
+ || (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)) {
 fprintf(stderr, "Failure establishing ctx for signature\n");
 exit(1);
 }
@@ -108,7 +108,7 @@ int main(int argc, char *argv[]) {
 exit(1);
 }
 if (fread(buffer, HASH_SIZE, 1, input) != 1) {
- perror("half-sign: Failed to read SHA1 from input\n");
+ perror("half-sign: Failed to read SHA256 from input\n");
 exit(1);
 }
diff --git a/tools/release.sh b/tools/release.sh
index 61506f79e..0d3aa8808 100755
--- a/tools/release.sh
+++ b/tools/release.sh
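Review bot: `#define HASH_SIZE 32` is now a second, hand-maintained copy of the digest length that must stay in step with the `EVP_sha256()` chosen in sign_hashed_data and the `-sha256` passed to `openssl dgst` in tools/release.sh, and nothing ties the three together. OpenSSL already exports the constant, so `#define HASH_SIZE SHA256_DIGEST_LENGTH` (adding `#include <openssl/sha.h>` if the include block, which is outside the hunk, does not already provide it) removes the magic number. A one-line comment above it naming the other two places that must change together would help whoever moves to the next algorithm.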
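Review bot: The digest set on this line is only correct in combination with the verifier; tools/release.sh checks the output with `openssl dgst -sha256 -verify`, which expects exactly this PKCS#1 v1.5 over SHA-256 encoding, so the pair is consistent in this series but the coupling is undocumented. Add `// Digest and padding must match "openssl dgst -sha256 -verify" in tools/release.sh` next to the `EVP_sha256()` call, and note that switching to `RSA_PKCS1_PSS_PADDING` would additionally require `-sigopt rsa_padding_mode:pss` on the verify side. sign_hashed_data begins and ends outside the hunk.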
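Review bot: `fread(buffer, HASH_SIZE, 1, input) != 1` accepts any input of at least 32 bytes and silently signs the first 32, so feeding the tool a hex-encoded digest or the raw data by mistake yields a valid signature over a value that is not the SHA-256 of anything. After the read, check that the input is exhausted: `if (fgetc(input) != EOF) { fprintf(stderr, "half-sign: expected exactly %d bytes of hash\n", HASH_SIZE); exit(1); }`. Separately, `perror()` appends ": strerror(errno)" after its argument, so the trailing `\n` in the message pushes the errno text onto its own line, and on a short read errno is usually not set at all; `fprintf(stderr, ...)` is the better fit for this failure. main continues outside the hunk.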
@@ -34,8 +34,8 @@ else
 echo Releasing developer version "$version"...
 fi
-if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then
- RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem"
+if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then
+ RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem"
 fi
 RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
 # Needed to fix problems with git signatures and pinentry
@@ -85,7 +85,7 @@ git checkout "$RELEASE_BRANCH"
 letsencrypt-auto-source/build.py
 # and that it's signed correctly
-if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \
+if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
 letsencrypt-auto-source/letsencrypt-auto.sig \
 letsencrypt-auto-source/letsencrypt-auto ; then
 echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"

From 916f8916d86f6d9a0c615590f1d79d8131e5bf61 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Mon, 11 Jan 2016 12:55:01 -0800
Subject: [PATCH 2/8] Clearer notes about when / how to edit the script

---
 letsencrypt-auto-source/letsencrypt-auto.template | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template
index b1852079a..23e77de38 100755
--- a/letsencrypt-auto-source/letsencrypt-auto.template
+++ b/letsencrypt-auto-source/letsencrypt-auto.template
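Review bot: The renamed variable is defaulted with an `if [ "$X" = "" ]` test while `RELEASE_GPG_KEY` two lines below uses `${VAR:-default}`; the two defaults read more consistently as `RELEASE_OPENSSL_PUBKEY=${RELEASE_OPENSSL_PUBKEY:-"$(realpath "$(dirname "$0")")/eff-pubkey.pem"}`, which also quotes `$0` (the nested backticks leave it unquoted). Because an exported `RELEASE_OPENSSL_PUBKEY` in the release engineer's environment silently replaces the checked-in EFF key used by the signature check later in this file, echoing the path actually used (`echo "Verifying letsencrypt-auto with $RELEASE_OPENSSL_PUBKEY"`) would make that substitution visible in the release log.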
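Review bot: `$RELEASE_OPENSSL_PUBKEY` is expanded unquoted in the `openssl dgst -verify` command, so a key path containing whitespace splits into several arguments and the verification either fails or runs against the wrong file; write `-verify "$RELEASE_OPENSSL_PUBKEY"`. What happens after the `echo Failed ...` line (whether a failed check aborts the release) is outside the hunk.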
@@ -2,8 +2,14 @@
 #
 # Download and run the latest release version of the Let's Encrypt client.
 #
-# WARNING: "letsencrypt-auto" IS A GENERATED FILE. EDIT
-# letsencrypt-auto.template INSTEAD.
+# NOTE: THIS SCRIPT IS AUTO-GENERATED AND SELF-UPDATING
+#
+# IF YOU WANT TO EDIT IT LOCALLY, *ALWAYS* RUN YOUR COPY WITH THE
+# "--no-self-upgrade" FLAG
+#
+# IF YOU WANT TO SEND PULL REQUESTS, THE REAL SOURCE FOR THIS FILE IS
+# letsencrypt-auto-source/letsencrypt-auto.template AND
+# letsencrypt-auto-source/pieces/bootstrappers/*
 set -e
 # Work even if somebody does "sh thisscript.sh".

From 1b3c8e87c7b14646fbbf820df1a1c59e78660cc0 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Mon, 11 Jan 2016 13:57:46 -0800
Subject: [PATCH 3/8] Better processing & documentation of leauto flags

- move them to the top for clarity
- accept them in any position
- shadow & document them in the Python client
---
 .../letsencrypt-auto.template | 35 +++++++++++--------
 letsencrypt/cli.py | 7 ++++
 2 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template
index 23e77de38..3d2180280 100755
--- a/letsencrypt-auto-source/letsencrypt-auto.template
+++ b/letsencrypt-auto-source/letsencrypt-auto.template
@@ -21,6 +21,24 @@ VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
 VENV_BIN=${VENV_PATH}/bin
 LE_AUTO_VERSION="{{ LE_AUTO_VERSION }}"
+# This script takes the same arguments as the main letsencrypt program, but it
+# additionally responds to --verbose (more output) and --debug (allow support
+# for experimental platforms)
+for arg in "$@" ; do
+ # This first clause is redundant with the third, but hedging on portability
+ if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then
+ VERBOSE=1
+ elif [ "$arg" = "--no-self-upgrade" ] ; then
+ # Do not upgrade this script (also prevents client upgrades, because each
+ # copy of the script pins a hash of the python client)
+ NO_SELF_UPGRADE=1
+ elif [ "$arg" = "--os-packages-only" ] ; then
+ OS_PACKAGES_ONLY=1
+ elif [ "$arg" = "--debug" ]; then
+ DEBUG=1
+ fi
+done
 # letsencrypt-auto needs root access to bootstrap OS dependencies, and
 # letsencrypt itself needs root access for almost all modes of operation
 # The "normal" case is that sudo is used for the steps that need root, but
@@ -150,22 +168,11 @@ TempDir() {
 mktemp -d 2>/dev/null || mktemp -d -t 'le' # Linux || OS X
 }
-# This script takes the same arguments as the main letsencrypt program, but it
-# additionally responds to --verbose (more output) and --debug (allow support
-# for experimental platforms)
-for arg in "$@" ; do
- # This first clause is redundant with the third, but hedging on portability
- if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then
- VERBOSE=1
- elif [ "$arg" = "--debug" ]; then
- DEBUG=1
- fi
-done
-if [ "$1" = "--no-self-upgrade" ]; then
+
+if [ "$NO_SELF_UPGRADE" = 1 ]; then
 # Phase 2: Create venv, install LE, and run.
- shift 1 # the --no-self-upgrade arg
 if [ -f "$VENV_BIN/letsencrypt" ]; then
 INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2)
 else
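Review bot: The verbosity test `echo "$arg" | grep -E -- "-v+$"` is anchored only at the end, so any argument that merely ends in `-v` (a hostname such as `-d www.example-v`, or a file path) switches `VERBOSE` on, and because grep runs without `-q` the matching argument is also printed to stdout as a side effect. Use `grep -E -q -- "^-v+$"` so only `-v`, `-vv`, … qualify and nothing is echoed. The loop is pre-existing code that the commit relocates, but it now runs before anything else in the script, so it is worth fixing in the same change.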
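Review bot: With `shift 1` removed, `--no-self-upgrade` and `--os-packages-only` stay in `"$@"` and are handed to whatever Python client is eventually executed. The cli.py hunk in this series teaches the client to accept them, but this phase-2 branch also deals with an already-installed `$VENV_BIN/letsencrypt` that may predate that change, and an argparse-based client without those options would reject the unknown flag; either strip the two letsencrypt-auto-only flags from the argument list before the final invocation, or document the minimum client version this now assumes. The `if` block continues outside the hunk.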
@@ -226,7 +233,7 @@ else
 # If it looks like we've never bootstrapped before, bootstrap:
 Bootstrap
 fi
- if [ "$1" = "--os-packages-only" ]; then
+ if [ "$OS_PACKAGES_ONLY" = 1 ]; then
 echo "OS packages installed."
 exit 0
 fi
diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py
index aba9116f9..1f9504c6e 100644
--- a/letsencrypt/cli.py
+++ b/letsencrypt/cli.py
@@ -998,6 +998,13 @@ def prepare_and_parse_args(plugins, args):
 "automation", "--duplicate", dest="duplicate", action="store_true",
 help="Allow making a certificate lineage that duplicates an existing one "
 "(both can be renewed in parallel)")
+ helpful.add(
+ "automation", "--os-packages-only", action="store_true",
+ help="(letsencrypt-auto only) install OS package dependencies and then stop")
+ helpful.add(
+ "automation", "--no-self-upgrade", action="store_true",
+ help="(letsencrypt-auto only) prevent the letsencrypt-auto script from"
+ " upgrading itself to newer released versions")
 helpful.add_group(
 "testing", description="The following flags are meant for "

From 2d4c21ad4f0a6faa3bfd68c179a4e819739abde6 Mon Sep 17 00:00:00 2001
From: Erik Rose
Date: Tue, 12 Jan 2016 18:16:08 -0500
Subject: [PATCH 4/8] Bring built le-auto script up to date.

---
 letsencrypt-auto-source/letsencrypt-auto | 51 +++++++++++++++---------
 1 file changed, 33 insertions(+), 18 deletions(-)

diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto
index 7000d3027..d080d8800 100755
--- a/letsencrypt-auto-source/letsencrypt-auto
+++ b/letsencrypt-auto-source/letsencrypt-auto
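Review bot: Both new options omit `dest=` although the neighbouring `--duplicate` entry spells it out; for consistency write `"automation", "--os-packages-only", dest="os_packages_only", action="store_true",` and likewise `dest="no_self_upgrade"`. The help text says "(letsencrypt-auto only)" but nothing in the hunk reads the resulting attributes, so a user who runs `letsencrypt --no-self-upgrade` directly gets no indication that the flag did nothing; appending `"; has no effect when letsencrypt is run directly"` to each help string makes the shadowing explicit. prepare_and_parse_args continues outside the hunk.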
@@ -123,28 +123,42 @@ BootstrapDebCommon() {
 virtualenv="$virtualenv python-virtualenv"
 fi
- augeas_pkg=libaugeas0
+ augeas_pkg="libaugeas0 augeas-lenses"
 AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
+ AddBackportRepo() {
+ # ARGS:
+ BACKPORT_NAME="$1"
+ BACKPORT_SOURCELINE="$2"
+ if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q "$BACKPORT_NAME" ; then
+ # This can theoretically error if sources.list.d is empty, but in that case we don't care.
+ if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q "$BACKPORT_NAME"; then
+ /bin/echo -n "Installing augeas from $BACKPORT_NAME in 3 seconds..."
+ sleep 1s
+ /bin/echo -ne "\e[0K\rInstalling augeas from $BACKPORT_NAME in 2 seconds..."
+ sleep 1s
+ /bin/echo -e "\e[0K\rInstalling augeas from $BACKPORT_NAME in 1 second ..."
+ sleep 1s
+ if echo $BACKPORT_NAME | grep -q wheezy ; then
+ /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")'
+ fi
+
+ sudo sh -c "echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/$BACKPORT_NAME.list"
+ $SUDO apt-get update
+ fi
+ fi
+ $SUDO apt-get install -y --no-install-recommends -t "$BACKPORT_NAME" $augeas_pkg
+ augeas_pkg=
+
+ }
+
+
 if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then
 if lsb_release -a | grep -q wheezy ; then
- if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then
- # This can theoretically error if sources.list.d is empty, but in that case we don't care.
- if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q wheezy-backports ; then
- /bin/echo -n "Installing augeas from wheezy-backports in 3 seconds..."
- sleep 1s
- /bin/echo -ne "\e[0K\rInstalling augeas from wheezy-backports in 2 seconds..."
- sleep 1s
- /bin/echo -e "\e[0K\rInstalling augeas from wheezy-backports in 1 second ..."
- sleep 1s
- /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")'
-
- sudo sh -c 'echo deb http://http.debian.net/debian wheezy-backports main >> /etc/apt/sources.list.d/wheezy-backports.list'
- $SUDO apt-get update
- fi
- fi
- $SUDO apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0
- augeas_pkg=
+ AddBackportRepo wheezy-backports "deb http://http.debian.net/debian wheezy-backports main"
+ elif lsb_release -a | grep -q precise ; then
+ # XXX add ARM case
+ AddBackportRepo precise-backports "deb http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse"
 else
 echo "No libaugeas0 version is available that's new enough to run the"
 echo "Let's Encrypt apache plugin..."
@@ -209,6 +223,7 @@ BootstrapRpmCommon() {
 gcc \
 dialog \
 augeas-libs \
+ openssl \
 openssl-devel \
 libffi-devel \
 redhat-rpm-config \

From 435dfc0c52c0494cefb01f563686dba304ec8744 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Tue, 12 Jan 2016 14:30:33 -0800
Subject: [PATCH 5/8] Undelete the old letsencrypt-auto for now

---
 bootstrap/_arch_common.sh | 26 +++++
 bootstrap/_deb_common.sh | 94 +++++++++++++++++
 bootstrap/_gentoo_common.sh | 23 ++++
 bootstrap/_rpm_common.sh | 55 ++++++++++
 bootstrap/_suse_common.sh | 14 +++
 bootstrap/archlinux.sh | 1 +
 bootstrap/centos.sh | 1 +
 bootstrap/debian.sh | 1 +
 bootstrap/fedora.sh | 1 +
 bootstrap/freebsd.sh | 7 ++
 bootstrap/gentoo.sh | 1 +
 bootstrap/install-deps.sh | 46 ++++++++
 bootstrap/mac.sh | 18 ++++
 bootstrap/manjaro.sh | 1 +
 bootstrap/suse.sh | 1 +
 bootstrap/ubuntu.sh | 1 +
 letsencrypt-auto | 204 ++++++++++++++++++++++++++++++++++++
 17 files changed, 495 insertions(+)
 create mode 100755 bootstrap/_arch_common.sh
 create mode 100755 bootstrap/_deb_common.sh
 create mode 100755 bootstrap/_gentoo_common.sh
 create mode 100755 bootstrap/_rpm_common.sh
 create mode 100755 bootstrap/_suse_common.sh
 create mode 120000 bootstrap/archlinux.sh
 create mode 120000 bootstrap/centos.sh
 create mode 120000 bootstrap/debian.sh
 create mode 120000 bootstrap/fedora.sh
 create mode 100755 bootstrap/freebsd.sh
 create mode 120000 bootstrap/gentoo.sh
 create mode 100755 bootstrap/install-deps.sh
 create mode 100755 bootstrap/mac.sh
 create mode 120000 bootstrap/manjaro.sh
 create mode 120000 bootstrap/suse.sh
 create mode 120000 bootstrap/ubuntu.sh
 create mode 100755 letsencrypt-auto

diff --git a/bootstrap/_arch_common.sh b/bootstrap/_arch_common.sh
new file mode 100755
index 000000000..2b512792f
--- /dev/null
+++ b/bootstrap/_arch_common.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Tested with:
+# - ArchLinux (x86_64)
+#
+# "python-virtualenv" is Python3, but "python2-virtualenv" provides
+# only "virtualenv2" binary, not "virtualenv" necessary in
+# ./bootstrap/dev/_common_venv.sh
+
+deps="
+ python2
+ python-virtualenv
+ gcc
+ dialog
+ augeas
+ openssl
+ libffi
+ ca-certificates
+ pkg-config
+"
+
+missing=$(pacman -T $deps)
+
+if [ "$missing" ]; then
+ pacman -S --needed $missing
+fi
diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh
new file mode 100755
index 000000000..c2f58db75
--- /dev/null
+++ b/bootstrap/_deb_common.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+
+# Current version tested with:
+#
+# - Ubuntu
+# - 14.04 (x64)
+# - 15.04 (x64)
+# - Debian
+# - 7.9 "wheezy" (x64)
+# - sid (2015-10-21) (x64)
+
+# Past versions tested with:
+#
+# - Debian 8.0 "jessie" (x64)
+# - Raspbian 7.8 (armhf)
+
+# Believed not to work:
+#
+# - Debian 6.0.10 "squeeze" (x64)
+
+apt-get update
+
+# virtualenv binary can be found in different packages depending on
+# distro version (#346)
+
+virtualenv=
+if apt-cache show virtualenv > /dev/null 2>&1; then
+ virtualenv="virtualenv"
+fi
+
+if apt-cache show python-virtualenv > /dev/null 2>&1; then
+ virtualenv="$virtualenv python-virtualenv"
+fi
+
+augeas_pkg="libaugeas0 augeas-lenses"
+AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
+
+AddBackportRepo() {
+ # ARGS:
+ BACKPORT_NAME="$1"
+ BACKPORT_SOURCELINE="$2"
+ if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q "$BACKPORT_NAME" ; then
+ # This can theoretically error if sources.list.d is empty, but in that case we don't care.
+ if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q "$BACKPORT_NAME"; then
+ /bin/echo -n "Installing augeas from $BACKPORT_NAME in 3 seconds..."
+ sleep 1s
+ /bin/echo -ne "\e[0K\rInstalling augeas from $BACKPORT_NAME in 2 seconds..."
+ sleep 1s
+ /bin/echo -e "\e[0K\rInstalling augeas from $BACKPORT_NAME in 1 second ..."
+ sleep 1s
+ if echo $BACKPORT_NAME | grep -q wheezy ; then
+ /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")'
+ fi
+
+ echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/"$BACKPORT_NAME".list
+ apt-get update
+ fi
+ fi
+ apt-get install -y --no-install-recommends -t "$BACKPORT_NAME" $augeas_pkg
+ augeas_pkg=
+
+}
+
+
+if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then
+ if lsb_release -a | grep -q wheezy ; then
+ AddBackportRepo wheezy-backports "deb http://http.debian.net/debian wheezy-backports main"
+ elif lsb_release -a | grep -q precise ; then
+ # XXX add ARM case
+ AddBackportRepo precise-backports "deb http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse"
+ else
+ echo "No libaugeas0 version is available that's new enough to run the"
+ echo "Let's Encrypt apache plugin..."
+ fi
+ # XXX add a case for ubuntu PPAs
+fi
+
+apt-get install -y --no-install-recommends \
+ python \
+ python-dev \
+ $virtualenv \
+ gcc \
+ dialog \
+ $augeas_pkg \
+ libssl-dev \
+ libffi-dev \
+ ca-certificates \
+
+
+
+if ! command -v virtualenv > /dev/null ; then
+ echo Failed to install a working \"virtualenv\" command, exiting
+ exit 1
+fi
diff --git a/bootstrap/_gentoo_common.sh b/bootstrap/_gentoo_common.sh
new file mode 100755
index 000000000..f49dc00f0
--- /dev/null
+++ b/bootstrap/_gentoo_common.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+PACKAGES="
+ dev-lang/python:2.7
+ dev-python/virtualenv
+ dev-util/dialog
+ app-admin/augeas
+ dev-libs/openssl
+ dev-libs/libffi
+ app-misc/ca-certificates
+ virtual/pkgconfig"
+
+case "$PACKAGE_MANAGER" in
+ (paludis)
+ cave resolve --keep-targets if-possible $PACKAGES -x
+ ;;
+ (pkgcore)
+ pmerge --noreplace $PACKAGES
+ ;;
+ (portage|*)
+ emerge --noreplace $PACKAGES
+ ;;
+esac
diff --git a/bootstrap/_rpm_common.sh b/bootstrap/_rpm_common.sh
new file mode 100755
index 000000000..db1665268
--- /dev/null
+++ b/bootstrap/_rpm_common.sh
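Review bot: `echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/"$BACKPORT_NAME".list` expands the source line unquoted, so word splitting and pathname globbing are applied to text that apt will subsequently trust; quote it as `echo "$BACKPORT_SOURCELINE" >> ...`. The precise branch enables `main restricted universe multiverse` from precise-backports although the function installs only `$augeas_pkg`; if libaugeas0 lives in `main` there (worth confirming), restricting the line to `main` keeps the widened package source minimal. Both repositories are plain `http://` URLs, which is acceptable only because apt verifies the signed Release file — a comment saying so would stop a later reader from "fixing" it into something that bypasses that check. `lsb_release -a | grep -q wheezy` matches the string anywhere in the full output (description, codename, distributor), so `[ "$(lsb_release -cs)" = wheezy ]` is the tighter test.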
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Tested with:
+# - Fedora 22, 23 (x64)
+# - Centos 7 (x64: on DigitalOcean droplet)
+
+if type dnf 2>/dev/null
+then
+ tool=dnf
+elif type yum 2>/dev/null
+then
+ tool=yum
+
+else
+ echo "Neither yum nor dnf found. Aborting bootstrap!"
+ exit 1
+fi
+
+# Some distros and older versions of current distros use a "python27"
+# instead of "python" naming convention. Try both conventions.
+if ! $tool install -y \
+ python \
+ python-devel \
+ python-virtualenv
+then
+ if ! $tool install -y \
+ python27 \
+ python27-devel \
+ python27-virtualenv
+ then
+ echo "Could not install Python dependencies. Aborting bootstrap!"
+ exit 1
+ fi
+fi
+
+if ! $tool install -y \
+ gcc \
+ dialog \
+ augeas-libs \
+ openssl-devel \
+ libffi-devel \
+ redhat-rpm-config \
+ ca-certificates
+then
+ echo "Could not install additional dependencies. Aborting bootstrap!"
+ exit 1
+fi
+
+
+if $tool list installed "httpd" >/dev/null 2>&1; then
+ if ! $tool install -y mod_ssl
+ then
+ echo "Apache found, but mod_ssl could not be installed."
+ fi
+fi
diff --git a/bootstrap/_suse_common.sh b/bootstrap/_suse_common.sh
new file mode 100755
index 000000000..efeebe4f8
--- /dev/null
+++ b/bootstrap/_suse_common.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# SLE12 don't have python-virtualenv
+
+zypper -nq in -l \
+ python \
+ python-devel \
+ python-virtualenv \
+ gcc \
+ dialog \
+ augeas-lenses \
+ libopenssl-devel \
+ libffi-devel \
+ ca-certificates \
diff --git a/bootstrap/archlinux.sh b/bootstrap/archlinux.sh
new file mode 120000
index 000000000..c5c9479f7
--- /dev/null
+++ b/bootstrap/archlinux.sh
@@ -0,0 +1 @@
+_arch_common.sh
\ No newline at end of file
diff --git a/bootstrap/centos.sh b/bootstrap/centos.sh
new file mode 120000
index 000000000..a0db46d70
--- /dev/null
+++ b/bootstrap/centos.sh
@@ -0,0 +1 @@
+_rpm_common.sh
\ No newline at end of file
diff --git a/bootstrap/debian.sh b/bootstrap/debian.sh
new file mode 120000
index 000000000..068a039cb
--- /dev/null
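Review bot: `if type dnf 2>/dev/null` silences stderr but lets `type`'s stdout ("dnf is /usr/bin/dnf") leak into the bootstrap output, while the `$tool list installed "httpd" >/dev/null 2>&1` probe at the bottom of the same file redirects both; use `>/dev/null 2>&1` on both probes, or the POSIX spelling `command -v dnf >/dev/null 2>&1`. The package list here also drifts from the generated letsencrypt-auto updated earlier in this series, which adds `openssl` next to `openssl-devel`; if this undeleted script is meant to keep working, add the same `openssl \` line after `augeas-libs \`.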
+++ b/bootstrap/debian.sh
@@ -0,0 +1 @@
+_deb_common.sh
\ No newline at end of file
diff --git a/bootstrap/fedora.sh b/bootstrap/fedora.sh
new file mode 120000
index 000000000..a0db46d70
--- /dev/null
+++ b/bootstrap/fedora.sh
@@ -0,0 +1 @@
+_rpm_common.sh
\ No newline at end of file
diff --git a/bootstrap/freebsd.sh b/bootstrap/freebsd.sh
new file mode 100755
index 000000000..4482c35cd
--- /dev/null
+++ b/bootstrap/freebsd.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -xe
+
+pkg install -Ay \
+ python \
+ py27-virtualenv \
+ augeas \
+ libffi \
diff --git a/bootstrap/gentoo.sh b/bootstrap/gentoo.sh
new file mode 120000
index 000000000..125d6a592
--- /dev/null
+++ b/bootstrap/gentoo.sh
@@ -0,0 +1 @@
+_gentoo_common.sh
\ No newline at end of file
diff --git a/bootstrap/install-deps.sh b/bootstrap/install-deps.sh
new file mode 100755
index 000000000..e907e7035
--- /dev/null
+++ b/bootstrap/install-deps.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -e
+#
+# Install OS dependencies. In the glorious future, letsencrypt-auto will
+# source this...
+
+if test "`id -u`" -ne "0" ; then
+ SUDO=sudo
+else
+ SUDO=
+fi
+
+BOOTSTRAP=`dirname $0`
+if [ ! -f $BOOTSTRAP/debian.sh ] ; then
+ echo "Cannot find the letsencrypt bootstrap scripts in $BOOTSTRAP"
+ exit 1
+fi
+if [ -f /etc/debian_version ] ; then
+ echo "Bootstrapping dependencies for Debian-based OSes..."
+ $SUDO $BOOTSTRAP/_deb_common.sh
+elif [ -f /etc/arch-release ] ; then
+ echo "Bootstrapping dependencies for Archlinux..."
+ $SUDO $BOOTSTRAP/archlinux.sh
+elif [ -f /etc/redhat-release ] ; then
+ echo "Bootstrapping dependencies for RedHat-based OSes..."
+ $SUDO $BOOTSTRAP/_rpm_common.sh
+elif [ -f /etc/gentoo-release ] ; then
+ echo "Bootstrapping dependencies for Gentoo-based OSes..."
+ $SUDO $BOOTSTRAP/_gentoo_common.sh
+elif uname | grep -iq FreeBSD ; then
+ echo "Bootstrapping dependencies for FreeBSD..."
+ $SUDO $BOOTSTRAP/freebsd.sh
+elif `grep -qs openSUSE /etc/os-release` ; then
+ echo "Bootstrapping dependencies for openSUSE.."
+ $SUDO $BOOTSTRAP/suse.sh
+elif uname | grep -iq Darwin ; then
+ echo "Bootstrapping dependencies for Mac OS X..."
+ echo "WARNING: Mac support is very experimental at present..."
+ $BOOTSTRAP/mac.sh
+else
+ echo "Sorry, I don't know how to bootstrap Let's Encrypt on your operating system!"
+ echo
+ echo "You will need to bootstrap, configure virtualenv, and run a pip install manually"
+ echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites"
+ echo "for more info"
+ exit 1
+fi
diff --git a/bootstrap/mac.sh b/bootstrap/mac.sh
new file mode 100755
index 000000000..4d1fb8208
--- /dev/null
+++ b/bootstrap/mac.sh
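Review bot: `elif \`grep -qs openSUSE /etc/os-release\` ; then` runs grep inside a command substitution and then tries to execute its (empty) output as a command; it only works because POSIX sh reports the substitution's exit status when the expanded command line is empty, which is a trap for the next reader. Write `elif grep -qs openSUSE /etc/os-release ; then`, matching the `uname | grep -iq` tests around it. `BOOTSTRAP=\`dirname $0\`` and every `$BOOTSTRAP/...` invocation are unquoted, so a checkout under a path containing spaces breaks each branch (and `-f $BOOTSTRAP/debian.sh` misparses); `BOOTSTRAP=$(dirname "$0")` plus `"$BOOTSTRAP/_deb_common.sh"` fixes that.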
@@ -0,0 +1,18 @@
+#!/bin/sh -e
+if ! hash brew 2>/dev/null; then
+ echo "Homebrew Not Installed\nDownloading..."
+ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
+fi
+
+brew install augeas
+brew install dialog
+
+if ! hash pip 2>/dev/null; then
+ echo "pip Not Installed\nInstalling python from Homebrew..."
+ brew install python
+fi
+
+if ! hash virtualenv 2>/dev/null; then
+ echo "virtualenv Not Installed\nInstalling with pip"
+ pip install virtualenv
+fi
diff --git a/bootstrap/manjaro.sh b/bootstrap/manjaro.sh
new file mode 120000
index 000000000..c5c9479f7
--- /dev/null
+++ b/bootstrap/manjaro.sh
@@ -0,0 +1 @@
+_arch_common.sh
\ No newline at end of file
diff --git a/bootstrap/suse.sh b/bootstrap/suse.sh
new file mode 120000
index 000000000..fc4c1dee4
--- /dev/null
+++ b/bootstrap/suse.sh
@@ -0,0 +1 @@
+_suse_common.sh
\ No newline at end of file
diff --git a/bootstrap/ubuntu.sh b/bootstrap/ubuntu.sh
new file mode 120000
index 000000000..068a039cb
--- /dev/null
+++ b/bootstrap/ubuntu.sh
@@ -0,0 +1 @@
+_deb_common.sh
\ No newline at end of file
diff --git a/letsencrypt-auto b/letsencrypt-auto
new file mode 100755
index 000000000..20465dbb1
--- /dev/null
+++ b/letsencrypt-auto
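Review bot: `ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"` fetches and executes whatever the `master` ref serves at that moment, with no pinning and no integrity check, from inside a bootstrap shipped by a certificate-management tool. This is the upstream Homebrew one-liner, but here it should either pin the URL to a specific commit and compare a known sha256 of the download before running it, or stop and tell the user to install Homebrew themselves (the script already prints a clear message at that point). `echo "Homebrew Not Installed\nDownloading..."` depends on `echo` interpreting `\n`, which POSIX does not guarantee and bash invoked as `sh` typically does not do; `printf '%s\n' "Homebrew Not Installed" "Downloading..."` is portable. `pip install virtualenv` also installs into whichever `pip` is first on PATH, possibly the system Python's, without `--user`.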
@@ -0,0 +1,204 @@
+#!/bin/sh -e
+#
+# A script to run the latest release version of the Let's Encrypt in a
+# virtual environment
+#
+# Installs and updates the letencrypt virtualenv, and runs letsencrypt
+# using that virtual environment. This allows the client to function decently
+# without requiring specific versions of its dependencies from the operating
+# system.
+
+# Note: you can set XDG_DATA_HOME or VENV_PATH before running this script,
+# if you want to change where the virtual environment will be installed
+XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share}
+VENV_NAME="letsencrypt"
+VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
+VENV_BIN=${VENV_PATH}/bin
+# The path to the letsencrypt-auto script. Everything that uses these might
+# at some point be inlined...
+LEA_PATH=`dirname "$0"`
+BOOTSTRAP=${LEA_PATH}/bootstrap
+
+# This script takes the same arguments as the main letsencrypt program, but it
+# additionally responds to --verbose (more output) and --debug (allow support
+# for experimental platforms)
+for arg in "$@" ; do
+ # This first clause is redundant with the third, but hedging on portability
+ if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then
+ VERBOSE=1
+ elif [ "$arg" = "--debug" ] ; then
+ DEBUG=1
+ fi
+done
+
+# letsencrypt-auto needs root access to bootstrap OS dependencies, and
+# letsencrypt itself needs root access for almost all modes of operation
+# The "normal" case is that sudo is used for the steps that need root, but
+# this script *can* be run as root (not recommended), or fall back to using
+# `su`
+if test "`id -u`" -ne "0" ; then
+ if command -v sudo 1>/dev/null 2>&1; then
+ SUDO=sudo
+ else
+ echo \"sudo\" is not available, will use \"su\" for installation steps...
+ # Because the parameters in `su -c` has to be a string,
+ # we need properly escape it
+ su_sudo() {
+ args=""
+ # This `while` loop iterates over all parameters given to this function.
+ # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
+ # will be wrapped in a pair of `'`, then appended to `$args` string
+ # For example, `echo "It's only 1\$\!"` will be escaped to:
+ # 'echo' 'It'"'"'s only 1$!'
+ # │ │└┼┘│
+ # │ │ │ └── `'s only 1$!'` the literal string
+ # │ │ └── `\"'\"` is a single quote (as a string)
+ # │ └── `'It'`, to be concatenated with the strings following it
+ # └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
+ while [ $# -ne 0 ]; do
+ args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
+ shift
+ done
+ su root -c "$args"
+ }
+ SUDO=su_sudo
+ fi
+else
+ SUDO=
+fi
+
+ExperimentalBootstrap() {
+ # Arguments: Platform name, boostrap script name, SUDO command (iff needed)
+ if [ "$DEBUG" = 1 ] ; then
+ if [ "$2" != "" ] ; then
+ echo "Bootstrapping dependencies for $1..."
+ if [ "$3" != "" ] ; then
+ "$3" "$BOOTSTRAP/$2"
+ else
+ "$BOOTSTRAP/$2"
+ fi
+ fi
+ else
+ echo "WARNING: $1 support is very experimental at present..."
+ echo "if you would like to work on improving it, please ensure you have backups"
+ echo "and then run this script again with the --debug flag!"
+ exit 1
+ fi
+}
+
+DeterminePythonVersion() {
+ if command -v python2.7 > /dev/null ; then
+ export LE_PYTHON=${LE_PYTHON:-python2.7}
+ elif command -v python27 > /dev/null ; then
+ export LE_PYTHON=${LE_PYTHON:-python27}
+ elif command -v python2 > /dev/null ; then
+ export LE_PYTHON=${LE_PYTHON:-python2}
+ elif command -v python > /dev/null ; then
+ export LE_PYTHON=${LE_PYTHON:-python}
+ else
+ echo "Cannot find any Pythons... please install one!"
+ exit 1
+ fi
+
+ PYVER=`$LE_PYTHON --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'`
+ if [ $PYVER -eq 26 ] ; then
+ ExperimentalBootstrap "Python 2.6"
+ elif [ $PYVER -lt 26 ] ; then
+ echo "You have an ancient version of Python entombed in your operating system..."
+ echo "This isn't going to work; you'll need at least version 2.6."
+ exit 1
+ fi
+}
+
+
+# virtualenv call is not idempotent: it overwrites pip upgraded in
+# later steps, causing "ImportError: cannot import name unpack_url"
+if [ ! -d $VENV_PATH ]
+then
+ if [ ! -f $BOOTSTRAP/debian.sh ] ; then
+ echo "Cannot find the letsencrypt bootstrap scripts in $BOOTSTRAP"
+ exit 1
+ fi
+
+ if [ -f /etc/debian_version ] ; then
+ echo "Bootstrapping dependencies for Debian-based OSes..."
+ $SUDO $BOOTSTRAP/_deb_common.sh
+ elif [ -f /etc/redhat-release ] ; then
+ echo "Bootstrapping dependencies for RedHat-based OSes..."
+ $SUDO $BOOTSTRAP/_rpm_common.sh
+ elif `grep -q openSUSE /etc/os-release` ; then
+ echo "Bootstrapping dependencies for openSUSE-based OSes..."
+ $SUDO $BOOTSTRAP/_suse_common.sh
+ elif [ -f /etc/arch-release ] ; then
+ if [ "$DEBUG" = 1 ] ; then
+ echo "Bootstrapping dependencies for Archlinux..."
+ $SUDO $BOOTSTRAP/archlinux.sh
+ else
+ echo "Please use pacman to install letsencrypt packages:"
+ echo "# pacman -S letsencrypt letsencrypt-apache"
+ echo
+ echo "If you would like to use the virtualenv way, please run the script again with the"
+ echo "--debug flag."
+ exit 1
+ fi
+ elif [ -f /etc/manjaro-release ] ; then
+ ExperimentalBootstrap "Manjaro Linux" manjaro.sh "$SUDO"
+ elif [ -f /etc/gentoo-release ] ; then
+ ExperimentalBootstrap "Gentoo" _gentoo_common.sh "$SUDO"
+ elif uname | grep -iq FreeBSD ; then
+ ExperimentalBootstrap "FreeBSD" freebsd.sh "$SUDO"
+ elif uname | grep -iq Darwin ; then
+ ExperimentalBootstrap "Mac OS X" mac.sh # homebrew doesn't normally run as root
+ elif grep -iq "Amazon Linux" /etc/issue ; then
+ ExperimentalBootstrap "Amazon Linux" _rpm_common.sh "$SUDO"
+ else
+ echo "Sorry, I don't know how to bootstrap Let's Encrypt on your operating system!"
+ echo
+ echo "You will need to bootstrap, configure virtualenv, and run a pip install manually"
+ echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites"
+ echo "for more info"
+ fi
+
+ DeterminePythonVersion
+ echo "Creating virtual environment..."
+ if [ "$VERBOSE" = 1 ] ; then
+ virtualenv --no-site-packages --python $LE_PYTHON $VENV_PATH
+ else
+ virtualenv --no-site-packages --python $LE_PYTHON $VENV_PATH > /dev/null
+ fi
+else
+ DeterminePythonVersion
+fi
+
+
+printf "Updating letsencrypt and virtual environment dependencies..."
+if [ "$VERBOSE" = 1 ] ; then
+ echo
+ $VENV_BIN/pip install -U setuptools
+ $VENV_BIN/pip install -U pip
+ $VENV_BIN/pip install -U letsencrypt letsencrypt-apache
+ # nginx is buggy / disabled for now, but upgrade it if the user has
+ # installed it manually
+ if $VENV_BIN/pip freeze | grep -q letsencrypt-nginx ; then
+ $VENV_BIN/pip install -U letsencrypt letsencrypt-nginx
+ fi
+else
+ $VENV_BIN/pip install -U setuptools > /dev/null
+ printf .
+ $VENV_BIN/pip install -U pip > /dev/null
+ printf .
+ # nginx is buggy / disabled for now...
+ $VENV_BIN/pip install -U letsencrypt > /dev/null
+ printf .
+ $VENV_BIN/pip install -U letsencrypt-apache > /dev/null
+ if $VENV_BIN/pip freeze | grep -q letsencrypt-nginx ; then
+ printf .
+ $VENV_BIN/pip install -U letsencrypt-nginx > /dev/null
+ fi
+ echo
+fi
+
+# Explain what's about to happen, for the benefit of those getting sudo
+# password prompts...
+echo "Requesting root privileges to run with virtualenv:" $SUDO $VENV_BIN/letsencrypt "$@"
+$SUDO $VENV_BIN/letsencrypt "$@"

From e192cce1fce3eab3ab37e35a55c713fd6b368b7e Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Tue, 12 Jan 2016 18:43:34 -0800
Subject: [PATCH 6/8] Fix fake letsencrypt

---
 letsencrypt-auto-source/tests/fake-letsencrypt/letsencrypt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
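Review bot: The final `else` of the OS detection (`echo "Sorry, I don't know how to bootstrap ..."`) prints instructions but does not `exit 1`, so the script carries on to `DeterminePythonVersion`, creates the virtualenv and runs pip on a system whose dependencies were never installed; `bootstrap/install-deps.sh` in the same patch exits 1 at the equivalent point, and this branch should do the same. More importantly for a script that ends in `$SUDO $VENV_BIN/letsencrypt "$@"`, the `pip install -U letsencrypt letsencrypt-apache` calls pull unpinned packages from the index and then execute them as root; the replacement letsencrypt-auto in this repository pins the client by hash (its template comment says each copy "pins a hash of the python client"), so resurrecting this variant, even "for now", reopens that gap. At minimum a header comment stating that this file is deprecated in favour of letsencrypt-auto-source/ and pointing users there would make its status visible. `if [ $PYVER -eq 26 ]` also turns into a test syntax error rather than a clear message if `$LE_PYTHON --version` yields nothing parseable and `PYVER` is empty; quoting it and checking for the empty case first would be safer.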
diff --git a/letsencrypt-auto-source/tests/fake-letsencrypt/letsencrypt.py b/letsencrypt-auto-source/tests/fake-letsencrypt/letsencrypt.py
index 370f70c51..9d811fab5 100755
--- a/letsencrypt-auto-source/tests/fake-letsencrypt/letsencrypt.py
+++ b/letsencrypt-auto-source/tests/fake-letsencrypt/letsencrypt.py
@@ -4,5 +4,5 @@ from sys import argv, stderr
 def main():
 """Act like letsencrypt --version insofar as printing the version number to stderr."""
- if len(argv) >= 2 and argv[1] == '--version':
+ if '--version' in argv:
 stderr.write('letsencrypt 99.9.9\n')

From 7945db7a2d1fab129e32be91a5f3c795fa32a9c3 Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Tue, 12 Jan 2016 18:44:02 -0800
Subject: [PATCH 7/8] Rebuild sdist

---
 .../dist/letsencrypt-99.9.9.tar.gz | Bin 899 -> 876 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/letsencrypt-auto-source/tests/fake-letsencrypt/dist/letsencrypt-99.9.9.tar.gz b/letsencrypt-auto-source/tests/fake-letsencrypt/dist/letsencrypt-99.9.9.tar.gz index fb6d62477154ac7cb693a42b211fdcbe967879f3..5f9a48a34a22ca70c28ac318336ba986ea32b60e 100644 GIT binary patch delta 838 zcmV-M1G)Tz2kZt1ABzYG<++uS2O)o3PunmQfcxxUVet}>NJ*NTsMH6vyVzPZ#P-0d zC^Sy-NbJaQ%c^PreNIB#Gy@8>WScl&h0@r$7>>V_6B84e5jGODRO*L^ZS^^5Z5u=3 zIZnPcJ;$hS=d{d@Yde-@d$u~xwA_x-!cMCJCYcNb#;uFw`rhN#_0NBi`SyQ5A^tP| zm8Nz&Yasqs$6ChU$m8!iw$;K0#Q)ie1W#}_%P>t+E+h`bc)E`>84@87LLrH85>U3g z*F{*dv$JzFk~pSU1Xtz>*7Ye78RZO9mhnjaMS~2df-*_j7|Tn7=lyJwTo8dJFRoYK zsI4wr?9vEpi%V(hTE%$ETUUP$zZO)IU9CERa_)X(+8$~F8~L9RIZ3x;{!$Isw(s=c zwif;yp6e<9)wd4#-<#3kqPA`KKR%Ku`!TlmLWLg)moQ`|dfpqgkrwxmG(t81ohvY{)Z$bEL6=iKc?&| zdrTTw>%U>v{I@*I2LFGX0Hg>1AL9S%;Oz6OH>Xc{`mgujGVA`Ej@p3#&BkB7@}v2? zKe}}ioE*Q?KlI-Y(7Gvt9{dcs{mAP3+}%fQQj-FY^S>UEt=9i;r~dpmU0DBVg!9@G z$q?PYK7ycNc#;0kQ~y)ff9`$$J5J4i!^_uy!2jpx6Olm}$UuMpQZBf5vDr3IKS)To z>ONX@my-mYPLd=Lvo3!6+Aey}6QZZVSl#NZf7~B@?W3cKyyT+3uM?Ge;$`bcIwCBq zoc4OT+PrK$i31sNkt|z4_lNkuiR#<&-?Y8_|Nr1W_z(U!?tl3XIEuzi`EPhu&40(X zP4K^w`d?LeeqJHr4Ur7S{>6mGp(^`}9hDb|`fe0E*_8Q$Ole_x-Uv1UlVJlElW+qE Q4Ezm#16P1_umDg108rDr&Hw-a delta 881 zcmV-%1CIRc27?C&ABzYGQ7@E{2O)oJZ<{a_hWYGYVf72C)TBUwsF9dd?XGTVwW`~P zEJ8Gxlof1boNUpw|2_k0LRghsQ`W8Li6Y15W;lNB_k@Uul+YocCZc(A(vqKJW#4F$ zj%5|4U6h((7G;5=8@6d_M#nOAMbk~wYAe`MYG9lSk7KM5&Qh{sKe<~Fths;5>_+a& ze}w4I_?MbmWHf4qG+@WI#^2Dg0^fM!6P|{Q zcCp^lP|u4=x2%0M-&_n5bUBV=k59Y!6vu3Mizmf)%!2Y^SloC5f0NG`Cp=p^a45gC zebGA>lV;+LEBHMde#3+1E7KaYmR>_nWB`4agzO5xd@=rhB-?y8nOM)?)oP z^|qqv9aC$A{_7y%EXIH7R2uU*VO(I3k0wVr6+Yn{A>@+)XK8=qu#2$d;NakNC~y?s zk|m$tY~CdRAx&8zpQx7>mOrE;nFWw}fR_h+jC^ zz#jGUKK1nhb{wqEFQgV7DxKsz4+Uwcy~AK{vrQ| z{Qqz0zsLcH!Kg0%Yn^sQ|F$#&p#M7P%M8!WGQ0s2-pIWkhmnsRoLA($K;&;NucQ;| zaxw{Xm1m8hrvF<1dvX4o>ECS6^>131k?CKzA^)$@|7Q^wj79S_Aa9ZWKQ9}()27lB zIAwRO9_8(`)!boGi{UeC^%pC$qwekzW@k&LZp{2~L{g`})P+H@z5IWn^K+gUsFjzS zY8NjZe$V?&b&wzZ3qi&J00000000000000000000000000000000000z!T*+!vj@6 
H08jt`rHsBB

From ab0762050490cc0243582d37bd9c0d49452886db Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Tue, 12 Jan 2016 18:50:52 -0800
Subject: [PATCH 8/8] Fixed fake letsencrypt hash

---
 letsencrypt-auto-source/tests/auto_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/letsencrypt-auto-source/tests/auto_test.py b/letsencrypt-auto-source/tests/auto_test.py
index 4fa4b4e27..ae86fdcbc 100644
--- a/letsencrypt-auto-source/tests/auto_test.py
+++ b/letsencrypt-auto-source/tests/auto_test.py
@@ -267,7 +267,7 @@ class AutoTests(TestCase):
 """
 NEW_LE_AUTO = build_le_auto(
 version='99.9.9',
- requirements='# sha256: 7NpInQZj4v2dvdCBUYtcBHqVlBfnUmlsKF_oSOzU9zY\n'
+ requirements='# sha256: HMFNYatCTN7kRvUeUPESP4SC7HQFh_54YmyTO7ooc6A\n'
 'letsencrypt==99.9.9')
 NEW_LE_AUTO_SIG = signed(NEW_LE_AUTO)