security/lego: Update 4.35.2 => 5.2.1

Changelog: https://github.com/go-acme/lego/releases/tag/v5.0.0 https://github.com/go-acme/lego/releases/tag/v5.0.1 https://github.com/go-acme/lego/releases/tag/v5.0.2 https://github.com/go-acme/lego/releases/tag/v5.0.3 https://github.com/go-acme/lego/releases/tag/v5.0.4 https://github.com/go-acme/lego/releases/tag/v5.1.0 https://github.com/go-acme/lego/releases/tag/v5.2.0 https://github.com/go-acme/lego/releases/tag/v5.2.1 While here sort plist. PR: 295779 Sponsored by: UNIS Labs
2026-06-02 11:08:52 +00:00 · 2026-06-02 01:54:18 +03:00
parent 08276729cb
commit d09c2fdb88
7 changed files with 80 additions and 65 deletions
@@ -5,6 +5,23 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.

+20260601:
+  AFFECTS: Users of security/lego
+  AUTHOR: matt@matthoran.com
+
+  To migrate from lego v4 to v5 run
+
+  $ lego migrate --path PREFIX/etc/ssl/lego
+
+  as the LEGO_USER user. This command migrates to a new file structure and
+  outputs configuration that can be used as the basis for ETCDIR/lego.yml. See
+  https://go-acme.github.io/lego/references/ref-file/index.html for more
+  details on the configuration file format.
+
+  ETCDIR/lego.sh will need to be updated as well, as the renew command has been
+  removed. The script can also be simplified when a configuration file is used.
+  See ETCDIR/lego.sh.sample for an example.
+
 20260531:
  AFFECTS: Users of x11-wm/hyprland
  AUTHOR: tagattie@FreeBSD.org
@@ -1,7 +1,6 @@
 PORTNAME=	lego
 DISTVERSIONPREFIX=	v
-DISTVERSION=	4.35.2
-PORTREVISION=	1
+DISTVERSION=	5.2.1
 CATEGORIES=	security

 MAINTAINER=	matt@matthoran.com
@@ -14,11 +13,10 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss

 USES=		go:modules
-GO_MODULE=	github.com/go-acme/lego/v4
-GO_TARGET=	./cmd/lego
+GO_MODULE=	github.com/go-acme/lego/v5
 GO_BUILDFLAGS=	-ldflags '-X "main.version=${DISTVERSION}"'

-SAMPLE_FILES=	deploy.sh.sample lego.sh.sample
+SAMPLE_FILES=	deploy.sh.sample lego.sh.sample lego.yml.sample
 SUB_FILES=	${SAMPLE_FILES} 604.lego pkg-message
 SUB_LIST=	LEGO_USER=${LEGO_USER} \
 		PORTNAME=${PORTNAME}
@@ -1,5 +1,5 @@
-TIMESTAMP = 1777133723
-SHA256 (go/security_lego/lego-v4.35.2/v4.35.2.mod) = b68766ca7b44dcbe485d2a0c45b47bec4108c1aad0c689d49b4f98d1e00cc43b
-SIZE (go/security_lego/lego-v4.35.2/v4.35.2.mod) = 11657
-SHA256 (go/security_lego/lego-v4.35.2/v4.35.2.zip) = b6a432fae648c15105625fd355cbad174a05cf94d611bd8d198c59830c2d71ae
-SIZE (go/security_lego/lego-v4.35.2/v4.35.2.zip) = 2030758
+TIMESTAMP = 1780313524
+SHA256 (go/security_lego/lego-v5.2.1/v5.2.1.mod) = b27760ca7d3f57ccd0f6c1252358420faa83a886fd477f53e4ed82940d02a2e4
+SIZE (go/security_lego/lego-v5.2.1/v5.2.1.mod) = 10895
+SHA256 (go/security_lego/lego-v5.2.1/v5.2.1.zip) = 8271825d08e4b6eeb8e22b37d117b2cc2a23abe978ee9ca14c19bfc17dd000de
+SIZE (go/security_lego/lego-v5.2.1/v5.2.1.zip) = 2410294
@@ -1,40 +1,5 @@
 #!/bin/sh -e

-# Email used for registration and recovery contact.
-EMAIL=""
+export LEGO_CONFIG="%%ETCDIR%%/lego.yml"

-BASEDIR="%%ETCDIR%%"
-SSLDIR="%%PREFIX%%/etc/ssl/lego"
-DOMAINSFILE="${BASEDIR}/domains.txt"
-
-if [ -z "${EMAIL}" ]; then
-	echo "Please set EMAIL to a valid address in ${BASEDIR}/lego.sh"
-	exit 1
-fi
-
-if [ ! -e "${DOMAINSFILE}" ]; then
-	echo "Please create ${DOMAINSFILE} as specified in ${BASEDIR}/lego.sh"
-	exit 1
-fi
-
-if [ "$1" = "run" ]; then
-	command="run"
-else
-	command="renew --days 30"
-fi
-
-run_or_renew() {
-	%%PREFIX%%/bin/lego --path "${SSLDIR}" \
-		--email="${EMAIL}" \
-		$(printf -- "--domains=%s " $line) \
-		--http --http.webroot="%%WWWDIR%%" \
-		$1
-}
-
-while read line <&3; do
-	if [ "$command" = "run" ]; then
-		run_or_renew "$command"
-	else
-		output=$(run_or_renew "$command") || (echo "$output" && exit 1)
-	fi
-done 3<"${DOMAINSFILE}"
+output=$(%%PREFIX%%/bin/lego) || (echo "$output" && exit 1)
@@ -0,0 +1,21 @@
+# See https://go-acme.github.io/lego/references/ref-file/index.html
+
+storage: %%PREFIX%%/etc/ssl/lego
+
+accounts:
+  example:
+    email: foo@example.com
+    acceptsTermsOfService: true
+
+challenges:
+  http-webroot:
+    http:
+      webroot: %%WWWDIR%%
+
+certificates:
+  example.com:
+    challenge: http-webroot
+    account: example
+    domains:
+      - example.com
+      - '*.example.com'
@@ -20,28 +20,41 @@ To run a script after the renewal to deploy certificates

 Note that the deploy script is provided as a sample and may need to be modified
 for your environment. The script will attempt to deploy certificates to
-    %%ETCDIR%%/ssl/certs
+    %%PREFIX%%/etc/ssl/certs
 and private keys to
-    %%ETCDIR%%/ssl/private.
+    %%PREFIX%%/etc/ssl/private.
 The script also tries to restart nginx.

-If using the sample renew script, add the domains for which lego will manage
-certificates to
-    %%ETCDIR%%/domains.txt, one domain on each line.
+If using the sample renew script, lego will load its configuration from
+    %%ETCDIR%%/lego.yml.
+See https://go-acme.github.io/lego/references/ref-file/index.html for more
+details.

-To add a Subject Alternate Name to the certificate, append the domain(s) to the
-line:
-    example.com www.example.com
+To run lego for the first time, configure an account and certificate in
+    %%ETCDIR%%/lego.yml.
+Then execute lego as the %%LEGO_USER%% user:
+    $ lego --config %%ETCDIR%%/lego.yml
+EOM
+},
+{ type: upgrade
+  maximum_version: 5.0
+  message: <<EOM
+To migrate from lego v4 to v5 run
+
+    $ lego migrate --path %%PREFIX%%/etc/ssl/lego
+
+as the %%LEGO_USER%% user. This command migrates to a new file structure and
+outputs configuration that can be used as the basis for
+    %%ETCDIR%%/lego.yml.
+See https://go-acme.github.io/lego/references/ref-file/index.html for more
+details on the configuration file format.

-To run lego for the first time, edit
    %%ETCDIR%%/lego.sh
-and set the EMAIL variable.
-
-Then run lego.sh with the run argument as the %%LEGO_USER%% user:
-    $ %%ETCDIR%%/lego.sh run
-
-Subsequent periodic runs will run with the renew argument by default, with a
-renewal interval of 30 days.
+will need to be updated as well, as the renew command has been
+removed. The script can also be simplified when a configuration file is used.
+See
+    %%ETCDIR%%/lego.sh.sample
+for an example.
 EOM
 }
 ]
@@ -1,8 +1,9 @@
 bin/lego
-etc/periodic/weekly/604.lego
@dir(%%LEGO_USER%%,%%LEGO_USER%%,0700) etc/lego
@dir(,,0755) etc/ssl
@dir(%%LEGO_USER%%,%%LEGO_USER%%,0755) etc/ssl/lego
@dir(%%LEGO_USER%%,www,) %%WWWDIR%%
-@sample(%%LEGO_USER%%,%%LEGO_USER%%,0700) etc/lego/lego.sh.sample
@sample etc/lego/deploy.sh.sample
+@sample(%%LEGO_USER%%,%%LEGO_USER%%,0700) etc/lego/lego.sh.sample
+@sample(%%LEGO_USER%%,%%LEGO_USER%%,0700) etc/lego/lego.yml.sample
+etc/periodic/weekly/604.lego