diff -ur dehydrated-0.7.0.orig/dehydrated dehydrated-0.7.0/dehydrated
--- dehydrated-0.7.0.orig/dehydrated 2020-12-10 16:54:26.000000000 +0100
+++ dehydrated-0.7.0/dehydrated 2021-01-01 18:41:50.608417166 +0100
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # dehydrated by lukas2511
 # Source: https://dehydrated.io
@@ -11,7 +11,7 @@
 [[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB && set -o noglob
 [[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob && set -f
-umask 077 # paranoid umask, we're creating private keys
+umask 027 # allow root and dehydrated group only to protect private keys
 # Close weird external file descriptors
 exec 3>&-
@@ -28,7 +28,7 @@
 done
 SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-BASEDIR="${SCRIPTDIR}"
+BASEDIR="/var/lib/dehydrated"
 ORIGARGS=("${@}")
 # Generate json.sh path matching string
@@ -340,7 +340,7 @@
 HOOK=
 PREFERRED_CHAIN=
 HOOK_CHAIN="no"
- RENEW_DAYS="30"
+ RENEW_DAYS="10"
 KEYSIZE="4096"
 WELLKNOWN=
 PRIVATE_KEY_RENEW="yes"
@@ -356,8 +356,8 @@
 IP_VERSION=
 CHAINCACHE=
 AUTO_CLEANUP="no"
- DEHYDRATED_USER=
- DEHYDRATED_GROUP=
+ DEHYDRATED_USER="root"
+ DEHYDRATED_GROUP="dehydrated"
 API="auto"
 if [[ -z "${CONFIG:-}" ]]; then
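Review bot: The `umask 027` line in the -11 hunk applies to every file the script creates, so account keys and certificate private keys all become group-readable, and it takes effect before any configuration is read. The protection is only as tight as the group that ends up owning the files: if the script runs under a user whose primary group is shared, or DEHYDRATED_GROUP is overridden or emptied in a config file, the keys are readable by that whole group. Consider keeping `umask 077` here and relaxing it only once the group is known, e.g. `[[ -n "${DEHYDRATED_GROUP}" ]] && umask 027` after the configuration has been loaded; where that load happens is outside this hunk.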
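Review bot: `RENEW_DAYS="10"` in the -340 hunk cuts the window between the first renewal attempt and certificate expiry from thirty days to ten, and nothing in the patch records why. With the shorter window, a renewal that keeps failing (CA outage, rate limit, broken hook) has to be noticed and repaired within ten days before services start presenting an expired certificate. If the value is deliberate, say so next to it, for example `RENEW_DAYS="10" # packaging default, upstream is 30`, and make sure failed runs are reported to someone. The same value is repeated in the -87 hunk of docs/examples/config.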
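Review bot: Defaulting `DEHYDRATED_USER="root"` in the -356 hunk makes root the account the client is meant to run as, so the ACME exchange, key generation and any configured HOOK all execute with full privileges unless the administrator overrides it. The code that consumes these two variables is outside the hunk, but an ACME client needs no root rights once its directories are owned by a service account, so a dedicated unprivileged user, with `DEHYDRATED_GROUP="dehydrated"` kept for read access, would be the least-privilege default. The new defaults also assume the `dehydrated` group exists on every install; if the package does not guarantee that, the failure mode should be checked.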
@@ -495,8 +495,8 @@
 [[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
 [[ -z "${ALPNCERTDIR}" ]] && ALPNCERTDIR="${BASEDIR}/alpn-certs"
 [[ -z "${CHAINCACHE}" ]] && CHAINCACHE="${BASEDIR}/chains"
- [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
- [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
+ [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="/etc/dehydrated/domains.txt"
+ [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="${BASEDIR}/acme-challenges"
 [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
 [[ -z "${OPENSSL_CNF}" ]] && OPENSSL_CNF="$("${OPENSSL}" version -d | cut -d\" -f2)/openssl.cnf"
 [[ -n "${PARAM_LOCKFILE_SUFFIX:-}" ]] && LOCKFILE="${LOCKFILE}-${PARAM_LOCKFILE_SUFFIX}"
diff -ur dehydrated-0.7.0.orig/docs/examples/config dehydrated-0.7.0/docs/examples/config
--- dehydrated-0.7.0.orig/docs/examples/config 2020-12-10 16:54:26.000000000 +0100
+++ dehydrated-0.7.0/docs/examples/config 2021-01-01 18:41:13.934417166 +0100
@@ -47,11 +47,11 @@
 # default:
 #DOMAINS_D=
-# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
-#BASEDIR=$SCRIPTDIR
+# Base directory for account key, generated certificates and list of domains (default: /var/lib/dehydrated)
+#BASEDIR="/var/lib/dehydrated"
 # File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
-#DOMAINS_TXT="${BASEDIR}/domains.txt"
+#DOMAINS_TXT="/etc/dehydrated/domains.txt"
 # Output directory for generated certificates
 #CERTDIR="${BASEDIR}/certs"
@@ -63,7 +63,7 @@
 #ACCOUNTDIR="${BASEDIR}/accounts"
 # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
-#WELLKNOWN="/var/www/dehydrated"
+#WELLKNOWN="${BASEDIR}/acme-challenges"
 # Default keysize for private keys (default: 4096)
 #KEYSIZE="4096"
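Review bot: The new `WELLKNOWN="${BASEDIR}/acme-challenges"` default in the -495 hunk of the dehydrated script puts the web-served challenge directory in the same tree as `${BASEDIR}/certs` and the account directory, and its files are created under the patch's `umask 027`. The web server can then read the tokens only through the owning group, and if that is the same group that owns the key files it can read the private keys too. Either keep the challenge directory outside BASEDIR or state the requirement where the default is set, e.g. `# must be readable by the web server via its own group or ACL; do not add the web server to the key-owning group`.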
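Review bot: The comment kept as context above `#DOMAINS_TXT="/etc/dehydrated/domains.txt"` in the -47 hunk of docs/examples/config still reads `(default: $BASEDIR/domains.txt)`, and the rewritten BASEDIR comment still lists the "list of domains" as living under BASEDIR. The -63 hunk has the same defect: the WELLKNOWN comment still says `(default: /var/www/dehydrated)` although the value is now `${BASEDIR}/acme-challenges`. Update the comments with the values, e.g. `# File containing the list of domains to request certificates for (default: /etc/dehydrated/domains.txt)` and `(default: $BASEDIR/acme-challenges)` for WELLKNOWN, so administrators are not misled about where files are read from and written to.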
@@ -87,13 +87,13 @@
 #
 # BASEDIR and WELLKNOWN variables are exported and can be used in an external program
 # default:
-#HOOK=
+#HOOK="/etc/dehydrated/hooks/hook.sh"
 # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
 #HOOK_CHAIN="no"
-# Minimum days before expiration to automatically renew certificate (default: 30)
-#RENEW_DAYS="30"
+# Minimum days before expiration to automatically renew certificate (default: 10)
+#RENEW_DAYS="10"
 # Regenerate private keys instead of just signing new certificates on renewal (default: yes)
 #PRIVATE_KEY_RENEW="yes"
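Review bot: The example line `#HOOK="/etc/dehydrated/hooks/hook.sh"` in this hunk sits directly under the `# default:` comment, yet the script's own default shown in the -340 hunk of the dehydrated file is still an empty `HOOK=`, so the file now suggests a default that does not exist. The hook is executed with whatever privileges dehydrated runs under, which is root by default after this patch, so the example should also state who may write to that path. A comment above the line such as `# example path, not a default; the script and its directory must be owned by root and not writable by group or others` would cover both points.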