diff --git a/UPDATING b/UPDATING
index 26dab0fdf157..ed382b9040d2 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,23 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time you
 update your ports collection, before attempting any port upgrades.
 
+20260601:
+ AFFECTS: Users of security/lego
+ AUTHOR: matt@matthoran.com
+
+ To migrate from lego v4 to v5 run
+
+ $ lego migrate --path PREFIX/etc/ssl/lego
+
+ as the LEGO_USER user. This command migrates to a new file structure and
+ outputs configuration that can be used as the basis for ETCDIR/lego.yml. See
+ https://go-acme.github.io/lego/references/ref-file/index.html for more
+ details on the configuration file format.
+
+ ETCDIR/lego.sh will need to be updated as well, as the renew command has been
+ removed. The script can also be simplified when a configuration file is used.
+ See ETCDIR/lego.sh.sample for an example.
+
 20260531:
  AFFECTS: Users of x11-wm/hyprland
  AUTHOR: tagattie@FreeBSD.org
diff --git a/security/lego/Makefile b/security/lego/Makefile
index 20aa7fd8fd73..6646969c8e79 100644
--- a/security/lego/Makefile
+++ b/security/lego/Makefile
@@ -1,7 +1,6 @@
 PORTNAME= lego
 DISTVERSIONPREFIX= v
-DISTVERSION= 4.35.2
-PORTREVISION= 1
+DISTVERSION= 5.2.1
 CATEGORIES= security
 
 MAINTAINER= matt@matthoran.com
@@ -14,11 +13,10 @@ LICENSE_FILE= ${WRKSRC}/LICENSE
 RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
 
 USES= go:modules
-GO_MODULE= github.com/go-acme/lego/v4
-GO_TARGET= ./cmd/lego
+GO_MODULE= github.com/go-acme/lego/v5
 GO_BUILDFLAGS= -ldflags '-X "main.version=${DISTVERSION}"'
 
-SAMPLE_FILES= deploy.sh.sample lego.sh.sample
+SAMPLE_FILES= deploy.sh.sample lego.sh.sample lego.yml.sample
 SUB_FILES= ${SAMPLE_FILES} 604.lego pkg-message
 SUB_LIST= LEGO_USER=${LEGO_USER} \
  PORTNAME=${PORTNAME}
diff --git a/security/lego/distinfo b/security/lego/distinfo
index 22568caa697b..f46f10955274 100644
--- a/security/lego/distinfo
+++ b/security/lego/distinfo
@@ -1,5 +1,5 @@ -TIMESTAMP = 1777133723 -SHA256 (go/security_lego/lego-v4.35.2/v4.35.2.mod) = b68766ca7b44dcbe485d2a0c45b47bec4108c1aad0c689d49b4f98d1e00cc43b -SIZE (go/security_lego/lego-v4.35.2/v4.35.2.mod) = 11657 -SHA256 (go/security_lego/lego-v4.35.2/v4.35.2.zip) = b6a432fae648c15105625fd355cbad174a05cf94d611bd8d198c59830c2d71ae -SIZE (go/security_lego/lego-v4.35.2/v4.35.2.zip) = 2030758 +TIMESTAMP = 1780313524 +SHA256 (go/security_lego/lego-v5.2.1/v5.2.1.mod) = b27760ca7d3f57ccd0f6c1252358420faa83a886fd477f53e4ed82940d02a2e4 +SIZE (go/security_lego/lego-v5.2.1/v5.2.1.mod) = 10895 +SHA256 (go/security_lego/lego-v5.2.1/v5.2.1.zip) = 8271825d08e4b6eeb8e22b37d117b2cc2a23abe978ee9ca14c19bfc17dd000de +SIZE (go/security_lego/lego-v5.2.1/v5.2.1.zip) = 2410294 diff --git a/security/lego/files/lego.sh.sample.in b/security/lego/files/lego.sh.sample.in index 92cd2bc50420..c9a838c6717e 100644 --- a/security/lego/files/lego.sh.sample.in +++ b/security/lego/files/lego.sh.sample.in @@ -1,40 +1,5 @@ #!/bin/sh -e -# Email used for registration and recovery contact. -EMAIL="" +export LEGO_CONFIG="%%ETCDIR%%/lego.yml" -BASEDIR="%%ETCDIR%%" -SSLDIR="%%PREFIX%%/etc/ssl/lego" -DOMAINSFILE="${BASEDIR}/domains.txt" - -if [ -z "${EMAIL}" ]; then - echo "Please set EMAIL to a valid address in ${BASEDIR}/lego.sh" - exit 1 -fi - -if [ ! -e "${DOMAINSFILE}" ]; then - echo "Please create ${DOMAINSFILE} as specified in ${BASEDIR}/lego.sh" - exit 1 -fi - -if [ "$1" = "run" ]; then - command="run" -else - command="renew --days 30" -fi - -run_or_renew() { - %%PREFIX%%/bin/lego --path "${SSLDIR}" \ - --email="${EMAIL}" \ - $(printf -- "--domains=%s " $line) \ - --http --http.webroot="%%WWWDIR%%" \ - $1 -} - -while read line <&3; do - if [ "$command" = "run" ]; then - run_or_renew "$command" - else - output=$(run_or_renew "$command") || (echo "$output" && exit 1) - fi -done 3<"${DOMAINSFILE}" +output=$(%%PREFIX%%/bin/lego) || (echo "$output" && exit 1) 
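Review bot: The `exit 1` in the new `output=$(%%PREFIX%%/bin/lego) || (echo "$output" && exit 1)` only leaves the subshell, so the script's non-zero exit status depends entirely on the `-e` in the shebang, which is lost when the script is invoked as `sh lego.sh`; a brace group makes the exit unconditional: `output=$(%%PREFIX%%/bin/lego 2>&1) || { printf '%s\n' "$output" >&2; exit 1; }`. The `2>&1` matters because `$(...)` captures only stdout, so anything lego writes to stderr is neither included in the failure report nor quieted on success — if lego logs to stderr, a periodic or cron run will mail that output on every successful renewal. The old `run` positional argument is no longer honoured (`$1` is ignored), which is presumably intentional with the config-driven flow, but a one-line comment above the lego call stating what the bare command does by default would save the next reader a trip to the lego documentation.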
diff --git a/security/lego/files/lego.yml.sample.in b/security/lego/files/lego.yml.sample.in new file mode 100644 index 000000000000..879a523a580a --- /dev/null +++ b/security/lego/files/lego.yml.sample.in @@ -0,0 +1,21 @@ +# See https://go-acme.github.io/lego/references/ref-file/index.html + +storage: %%PREFIX%%/etc/ssl/lego + +accounts: + example: + email: foo@example.com + acceptsTermsOfService: true + +challenges: + http-webroot: + http: + webroot: %%WWWDIR%% + +certificates: + example.com: + challenge: http-webroot + account: example + domains: + - example.com + - '*.example.com' diff --git a/security/lego/files/pkg-message.in b/security/lego/files/pkg-message.in index 69b84ae40d90..e8cf5f8adc4b 100644 --- a/security/lego/files/pkg-message.in +++ b/security/lego/files/pkg-message.in @@ -20,28 +20,41 @@ To run a script after the renewal to deploy certificates Note that the deploy script is provided as a sample and may need to be modified for your environment. The script will attempt to deploy certificates to - %%ETCDIR%%/ssl/certs + %%PREFIX%%/etc/ssl/certs and private keys to - %%ETCDIR%%/ssl/private. + %%PREFIX%%/etc/ssl/private. The script also tries to restart nginx. -If using the sample renew script, add the domains for which lego will manage -certificates to - %%ETCDIR%%/domains.txt, one domain on each line. +If using the sample renew script, lego will load its configuration from + %%ETCDIR%%/lego.yml. +See https://go-acme.github.io/lego/references/ref-file/index.html for more +details. -To add a Subject Alternate Name to the certificate, append the domain(s) to the -line: - example.com www.example.com +To run lego for the first time, configure an account and certificate in + %%ETCDIR%%/lego.yml. +Then execute lego as the %%LEGO_USER%% user: + $ lego --config %%ETCDIR%%/lego.yml +EOM +}, +{ type: upgrade + maximum_version: 5.0 + message: <
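Review bot: The sample pairs `'*.example.com'` with `challenge: http-webroot`, but wildcard identifiers can only be validated with a DNS-01 challenge, so an order built from this file as shipped will be rejected for that name. Either drop the wildcard line or keep it as a comment that states the constraint, e.g. `# - '*.example.com'  # wildcard names need a DNS-01 challenge, not http-webroot`, so the obvious copy-and-edit path works. A short comment above `acceptsTermsOfService: true` noting that leaving it set is the operator's agreement to the CA's terms would also be appropriate in a sample that tends to be copied verbatim.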