author | Erich Eckner <git@eckner.net> | 2020-05-26 14:29:34 +0200 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2020-05-26 14:29:34 +0200 |
commit | 5ed2a3931f726fcbc84494c39eebabae4736e97d (patch) | |
tree | fc3993a17687b93abdec8def7324899e85277818 | |
parent | 0df288fe76483055999912c0dffceb4e9b381b71 (diff) | |
download | archlinuxewe.git.save-5ed2a3931f726fcbc84494c39eebabae4736e97d.tar.xz |
acme2certifier: store some ssl.conf, too
-rw-r--r-- | acme2certifier/PKGBUILD | 6 | ||||
-rw-r--r-- | acme2certifier/ssl.conf | 72 | ||||
-rw-r--r-- | acme2certifier/systemd.patch | 11 |
3 files changed, 84 insertions, 5 deletions
diff --git a/acme2certifier/PKGBUILD b/acme2certifier/PKGBUILD
index cb0e62f8..e94188a8 100644
--- a/acme2certifier/PKGBUILD
+++ b/acme2certifier/PKGBUILD
@@ -23,9 +23,11 @@ makedepends=(
 source=(
 "${pkgname}::git+https://github.com/grindsa/${pkgname}.git#commit=${_commit}"
 'systemd.patch'
+ 'ssl.conf'
 )
 sha512sums=('SKIP'
- '34a402525cd0ca469cb67af25c2611f7f17a4901e4a40cbd66fe0b35e481a9681ab499c72b2805fd6b53219de62ef8418226aeb539b553efb064ab543a530f3f')
+ '6700736f127297293067930e92b711c579d800c684b587ca2c5cbc2430dee241500932b57398d87a4dbf4111483bf0942814a06587bbe2a77958c9da18a18e63'
+ '3ed87346bf0776f50e452b1928c8f24db5498a5af1010042e9680ca136242f49e78d30ebca5e4328f485d1c051ab51f859a1ae2f936e0c6eb5b1cde700b3b201')
 
 pkgver() {
 _commit=$(
@@ -75,6 +77,8 @@ package() {
 "${pkgdir}/etc/uwsgi/acme2certifier.ini"
 install -dm755 -o http -g http "${pkgdir}/var/lib/${pkgname}"
 mv acme examples tools "${pkgdir}/var/lib/${pkgname}/"
+ install -dm755 -o http -g http "${pkgdir}/var/lib/${pkgname}/acme/ca"
+ install -Dm644 -t "${pkgdir}/var/lib/${pkgname}/examples/" "${srcdir}/ssl.conf"
 chown -R http:http "${pkgdir}/var/lib/${pkgname}"
 install -Dm644 -t "${pkgdir}/usr/share/doc/${pkgname}" docs/*
 }
diff --git a/acme2certifier/ssl.conf b/acme2certifier/ssl.conf
new file mode 100644
index 00000000..8db62df0
--- /dev/null
+++ b/acme2certifier/ssl.conf
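Review bot: The new `install -dm755 -o http -g http "${pkgdir}/var/lib/${pkgname}/acme/ca"` in the second hunk creates the directory that the packaged ssl.conf uses as its CA top dir (its `private_key = $dir/$ca/private/$ca.key` lives under it) with world-readable and world-searchable permissions; a tree meant to hold an unencrypted CA private key should be created as `install -dm700 -o http -g http "${pkgdir}/var/lib/${pkgname}/acme/ca"` (750 at the most) so only the service user can traverse it. The `chown -R http:http` that follows makes the `-o http -g http` on both install lines redundant, which is harmless but worth knowing when reading the function. package() begins before this hunk.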
@@ -0,0 +1,72 @@
+# Simple Root & Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = opennic_intermediate_ca
+dir = /var/lib/acme2certifier/acme/ca # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "libre"
+1.domainComponent = "acme"
+2.domainComponent = "playground"
+organizationName = "OpenNIC"
+organizationalUnitName = "OpenNIC CA"
+commonName = OpenNIC Intermediate CA
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ opennic_intermediate_ca ]
+certificate = $dir/$ca.crt # The CA cert
+private_key = $dir/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/$ca # Certificate archive
+serial = $dir/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 60 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = email_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+[ opennic_intermediate_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign,digitalSignature
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/acme2certifier/systemd.patch b/acme2certifier/systemd.patch
index 3b38776e..9666da79 100644
--- a/acme2certifier/systemd.patch
+++ b/acme2certifier/systemd.patch
@@ -9,20 +9,23 @@ master = true processes = 5 -uid = nginx -+uid = http - socket = /run/uwsgi/acme.sock +-socket = /run/uwsgi/acme.sock -chown-socket = nginx ++uid = http ++socket = /run/acme2certifier/acme.sock +chown-socket = http chmod-socket = 660 vacuum = true die-on-term = true --- a/examples/nginx/uwsgi.service 2020-05-24 16:26:36.289592292 +0200 
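Review bot: `default_md = sha1` is set in both `[ req ]` and `[ opennic_intermediate_ca ]`, so every certificate and CRL produced from this file would carry a SHA-1 signature, which current TLS clients reject; change both to `default_md = sha256`. Two sections the file refers to are not defined anywhere in it: `policy = match_pol` and `x509_extensions = email_ext` have no matching `[ match_pol ]` or `[ email_ext ]` block, so an `openssl ca` run against this config fails at section lookup, while the defined `[ opennic_intermediate_ca_ext ]` is referenced nowhere (presumably `x509_extensions` was meant to point at it or at a leaf-certificate section that still needs writing). The inline comments on `encrypt_key = no` ("Protect private key") and `unique_subject = no` ("Require unique subject") state the opposite of the configured values and should be corrected, e.g. `encrypt_key = no # Private key is stored unencrypted; relies on directory permissions`.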
+++ b/examples/nginx/uwsgi.service 2020-05-24 13:44:56.156306673 +0200 -@@ -3,11 +3,11 @@ +@@ -2,12 +2,12 @@ + Description=uWSGI instance to serve acme2certifier [Service] - RuntimeDirectory=uwsgi +-RuntimeDirectory=uwsgi -ExecStart=/usr/bin/bash -c 'cd /opt/acme2certifier; uwsgi --ini acme2certifier.ini' ++RuntimeDirectory=acme2certifier +ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/acme2certifier.ini Restart=always Type=notify |