Thu May 2 13:34:56 2024 UTC (21d)
Add security/uacme package.

Lightweight client for the RFC8555 ACMEv2 protocol, written in plain C
with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS).

The ACMEv2 protocol allows a Certificate Authority (Let's Encrypt is a
popular one) and an applicant to automate the process of verification
and certificate issuance.  The protocol also provides facilities for
other certificate management functions, such as certificate revocation.


(hauke)
diff -r1.945 -r1.946 pkgsrc/security/Makefile
diff -r0 -r1.1 pkgsrc/security/uacme/DESCR
diff -r0 -r1.1 pkgsrc/security/uacme/MESSAGE
diff -r0 -r1.1 pkgsrc/security/uacme/Makefile
diff -r0 -r1.1 pkgsrc/security/uacme/PLIST
diff -r0 -r1.1 pkgsrc/security/uacme/distinfo
diff -r0 -r1.1 pkgsrc/security/uacme/options.mk
diff -r0 -r1.1 pkgsrc/security/uacme/patches/patch-Makefile.am
diff -r0 -r1.1 pkgsrc/security/uacme/patches/patch-uacme.c
diff -r0 -r1.1 pkgsrc/security/uacme/patches/patch-uacme.sh

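--- a/pkgsrc/security/Makefile
+++ b/pkgsrc/security/Makefile
@@ -1,14 +1,14 @@
-# $NetBSD: Makefile,v 1.945 2024/04/26 15:16:52 wiz Exp $
+# $NetBSD: Makefile,v 1.946 2024/05/02 13:34:56 hauke Exp $
 #
 
 COMMENT= Security and cryptography tools and libraries
 
 SUBDIR+= 2fa
 SUBDIR+= Bastille
 SUBDIR+= CSP
 SUBDIR+= CoolKey
 SUBDIR+= EasyPG
 SUBDIR+= HElib
 SUBDIR+= KeePass
 SUBDIR+= PACK
 SUBDIR+= PortableSigner
@@ -654,26 +654,27 @@ SUBDIR+= subfinder
 SUBDIR+= sudo
 SUBDIR+= tcl-tls
 SUBDIR+= tcp_wrappers
 SUBDIR+= tct
 SUBDIR+= terrapin-scanner
 SUBDIR+= tkpasman
 SUBDIR+= tlswrapper
 SUBDIR+= tlsx
 SUBDIR+= tor-browser
 SUBDIR+= tor-browser-https-everywhere
 SUBDIR+= tor-browser-noscript
 SUBDIR+= tripwire
 SUBDIR+= trufflehog
+SUBDIR+= uacme
 SUBDIR+= validns
 SUBDIR+= vault
 SUBDIR+= vaultwarden
 SUBDIR+= volatility3
 SUBDIR+= wfuzz
 SUBDIR+= wolfssl
 SUBDIR+= xca
 SUBDIR+= xhash
 SUBDIR+= xml-security-c
 SUBDIR+= xmlsec1
 SUBDIR+= yafic
 SUBDIR+= yara
 SUBDIR+= ykclient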

File Added: pkgsrc/security/uacme/DESCR
Lightweight client for the RFC8555 ACMEv2 protocol, written in plain C
with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS).

The ACMEv2 protocol allows a Certificate Authority (Let's Encrypt is a
popular one) and an applicant to automate the process of verification
and certificate issuance.  The protocol also provides facilities for
other certificate management functions, such as certificate revocation.

File Added: pkgsrc/security/uacme/MESSAGE
===========================================================================
$NetBSD: MESSAGE,v 1.1 2024/05/02 13:34:56 hauke Exp $

The http-01 challenge protocol expects that the letsencrypt server can
read back the provided domain challenge via http under the path
"/.well-known/acme-challenge/".

Your web server needs to alias this directory to "${UACME_CHALLENGE_PATH}".

===========================================================================

File Added: pkgsrc/security/uacme/Makefile
# $NetBSD: Makefile,v 1.1 2024/05/02 13:34:56 hauke Exp $

PKGNAME=	uacme-${PKGVER}
DISTNAME=	v${PKGVER}
PKGVER=		1.7.5
CATEGORIES=	security
MASTER_SITES=	${MASTER_SITE_GITHUB:=ndilieto/uacme/archive/refs/tags/}

MAINTAINER=	hauke@NetBSD.org
COMMENT=	Lightweight C ACMEv2 client which uses external authenticators
HOMEPAGE=	https://github.com/ndilieto/uacme
LICENSE=	gnu-gpl-v3

BUILD_DEPENDS+=		asciidoc-[0-9]*:../../textproc/asciidoc

USE_TOOLS+=		gmake pkg-config autoconf autoreconf automake

USE_LANGUAGES=		c
USE_CC_FEATURES=	c11

GNU_CONFIGURE=		yes
WRKSRC=			${WRKDIR}/uacme-${PKGVER}

HOOKDIR=		libexec
DOCDIR=			share/doc/uacme
UACME_CONFDIR=		${VARBASE}/uacme
UACME_CHALLENGE_PATH=	${UACME_CONFDIR}/challenge

CONFIGURE_ARGS=		--datadir=${PREFIX}/${HOOKDIR}
CONFIGURE_ARGS+=	--disable-maintainer-mode
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}

BUILD_DEFS+=		VARBASE

.include "options.mk"

REPLACE_SH+=			nsupdate.sh uacme.sh ualpn.sh

MESSAGE_SUBST+=			UACME_CHALLENGE_PATH=${UACME_CHALLENGE_PATH}

SUBST_CLASSES+=			confdir
SUBST_STAGE.confdir=		pre-configure
SUBST_MESSAGE.confdir=		Set CONFDIR default
SUBST_FILES.confdir=		uacme.c
SUBST_VARS.confdir=		UACME_CONFDIR

SUBST_CLASSES+=			challenge
SUBST_STAGE.challenge=		pre-configure
SUBST_MESSAGE.challenge=	Set http-01 challenge default directory
SUBST_FILES.challenge=		uacme.sh
SUBST_VARS.challenge=		UACME_CHALLENGE_PATH

INSTALLATION_DIRS+=		${HOOKDIR}/uacme ${DOCDIR}

OWN_DIRS=			${UACME_CONFDIR} ${UACME_CHALLENGE_PATH}
OWN_DIRS_PERMS+=		${UACME_CONFDIR}/private ${REAL_ROOT_USER} \
					${REAL_ROOT_GROUP} 0700

pre-configure:
	cd ${WRKSRC} && autoreconf -if

post-install:
	${INSTALL_MAN} ${WRKSRC}/README.md ${DESTDIR}${PREFIX}/${DOCDIR}

.include "../../devel/libev/buildlink3.mk"
.include "../../www/curl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
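Review bot: `DISTNAME= v${PKGVER}` together with the `archive/refs/tags/` master site stores the upstream tarball in the shared distfiles directory as `v1.7.5.tar.gz` (the name distinfo records), so it can collide with any other package whose GitHub tag is also v1.7.5. The checksum comparison should reject a foreign file rather than build the wrong source, but the failure is confusing and the generic name makes the recorded hashes harder to audit. Giving the distfile a package-specific location with `DIST_SUBDIR= uacme`, or using `DISTNAME= uacme-${PKGVER}` with `GITHUB_TAG= v${PKGVER}`, avoids this; distinfo has to be regenerated either way, and with the second form the explicit `PKGNAME` and `WRKSRC` lines should become unnecessary.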

File Added: pkgsrc/security/uacme/PLIST
@comment $NetBSD: PLIST,v 1.1 2024/05/02 13:34:56 hauke Exp $
bin/uacme
bin/ualpn
libexec/uacme/nsupdate.sh
libexec/uacme/uacme.sh
libexec/uacme/ualpn.sh
man/man1/uacme.1
man/man1/ualpn.1
share/doc/uacme/README.md

File Added: pkgsrc/security/uacme/distinfo
$NetBSD: distinfo,v 1.1 2024/05/02 13:34:56 hauke Exp $

BLAKE2s (v1.7.5.tar.gz) = 1947951f05e8b61a896394d1f67367446969dc14205440514ad679e1951bf208
SHA512 (v1.7.5.tar.gz) = c219e3ade3a81e3088cc95ecc6422022d18bffd11f26aa1618d7e4bdbf492034ae886ad6d4428ba9bbe64dbe6e6576945f50ea8ae9d6f85098758a20ff82051c
Size (v1.7.5.tar.gz) = 258398 bytes
SHA1 (patch-Makefile.am) = 562ca9e346d95771798c8fab146f59aaefb57b52
SHA1 (patch-uacme.c) = ef74f682f7a4336da4b3686aa50678298608f67e
SHA1 (patch-uacme.sh) = 24da3e33aac08634d61287d1fb971f0b4095de8e

File Added: pkgsrc/security/uacme/options.mk
# $NetBSD: options.mk,v 1.1 2024/05/02 13:34:56 hauke Exp $

PKG_OPTIONS_VAR=		PKG_OPTIONS.uacme

PKG_OPTIONS_REQUIRED_GROUPS=	tls
PKG_OPTIONS_GROUP.tls=		openssl gnutls mbedtls

PKG_SUGGESTED_OPTIONS=		openssl

.include "../../mk/bsd.options.mk"

.if !empty(PKG_OPTIONS:Mopenssl)
CONFIGURE_ARGS+=	--with-openssl=${BUILDLINK_PREFIX.openssl}
.include "../../security/openssl/buildlink3.mk"
.endif

.if !empty(PKG_OPTIONS:Mgnutls)
CONFIGURE_ARGS+=	--with-gnutls=${BUILDLINK_PREFIX.gnutls}
.include "../../security/gnutls/buildlink3.mk"
.endif

.if !empty(PKG_OPTIONS:Mmbedtls)
CONFIGURE_ARGS+=	--with-mbedtls=${BUILDLINK_PREFIX.mbedtls3}
.include "../../security/mbedtls3/buildlink3.mk"
.endif
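Review bot: The `mbedtls` option in the last block configures against `BUILDLINK_PREFIX.mbedtls3` and includes `security/mbedtls3/buildlink3.mk`, so the option name does not say which Mbed TLS package is actually linked. A one-line comment above that block, for example `# the mbedtls option builds against security/mbedtls3`, would keep the next maintainer from assuming otherwise. A short comment next to `PKG_OPTIONS_REQUIRED_GROUPS= tls` stating that exactly one TLS backend must be selected would also help, since the three `.if` blocks read as if they could be combined.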

File Added: pkgsrc/security/uacme/patches/patch-Makefile.am
$NetBSD: patch-Makefile.am,v 1.1 2024/05/02 13:34:56 hauke Exp $

Do not bother with html docs - man pages are good enough 
for Ents and Men

--- Makefile.am.orig	2024-04-21 18:01:13.826158561 +0000
+++ Makefile.am
@@ -67,23 +67,15 @@ endif
 
 if ENABLE_DOCS
 dist_man1_MANS = uacme.1
-dist_html_DATA = docs/uacme.html
 
 if ENABLE_UALPN
 dist_man1_MANS += ualpn.1
-dist_html_DATA += docs/ualpn.html
 
 ualpn.1: ualpn.1.txt $(top_srcdir)/.version
 	$(AM_V_GEN)$(A2X) -L -d manpage -f manpage \
 	    -a revision=$(VERSION) \
 	    -a sysconfdir="${sysconfdir}" \
 	    -a runstatedir="${runstatedir}" $<
-
-docs/ualpn.html: ualpn.1.txt $(top_srcdir)/.version
-	$(AM_V_GEN)$(ASCIIDOC) -d manpage -b html5 -o $@ \
-	    -a revision=$(VERSION) \
-	    -a sysconfdir="${sysconfdir}" \
-	    -a runstatedir="${runstatedir}" $<
 endif
 
 uacme.1: uacme.1.txt $(top_srcdir)/.version
@@ -91,12 +83,6 @@ uacme.1: uacme.1.txt $(top_srcdir)/.vers
 	    -a revision=$(VERSION) \
 	    -a sysconfdir="${sysconfdir}" \
 	    -a runstatedir="${runstatedir}" $<
-
-docs/uacme.html: uacme.1.txt $(top_srcdir)/.version
-	$(AM_V_GEN)$(ASCIIDOC) -d manpage -b html5 -o $@ \
-	    -a revision=$(VERSION) \
-	    -a sysconfdir="${sysconfdir}" \
-	    -a runstatedir="${runstatedir}" $<
 endif
 
 .PHONY: valgrind

File Added: pkgsrc/security/uacme/patches/patch-uacme.c
$NetBSD: patch-uacme.c,v 1.1 2024/05/02 13:34:56 hauke Exp $

Set CONFDIR default - we prefer not to write under /etc

--- uacme.c.orig	2024-04-24 20:06:00.457609312 +0000
+++ uacme.c
@@ -46,7 +46,7 @@
 
 #define PRODUCTION_URL "https://acme-v02.api.letsencrypt.org/directory"
 #define STAGING_URL "https://acme-staging-v02.api.letsencrypt.org/directory"
-#define DEFAULT_CONFDIR SYSCONFDIR "/ssl/uacme"
+#define DEFAULT_CONFDIR "@UACME_CONFDIR@"
 
 typedef struct acme {
     privkey_t key;
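Review bot: `#define DEFAULT_CONFDIR "@UACME_CONFDIR@"` is only valid after the package's SUBST step has rewritten uacme.c; if that step is skipped or the variable name drifts, the binary would use the literal `@UACME_CONFDIR@` as a relative directory for its state, which presumably includes private keys given the 0700 `private` subdirectory the package creates. The same placeholder pattern is used for `CHALLENGE_PATH` in patch-uacme.sh. Wrapping the upstream define in `#ifndef DEFAULT_CONFDIR` … `#endif` and passing the value as a `-DDEFAULT_CONFDIR=` preprocessor flag from the package Makefile would fall back to the upstream path instead, and is a change upstream could plausibly accept. The `typedef struct acme` that follows continues outside the hunk.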

File Added: pkgsrc/security/uacme/patches/patch-uacme.sh
$NetBSD: patch-uacme.sh,v 1.1 2024/05/02 13:34:56 hauke Exp $

Make location of the http-01 challenges build-configurable.
The web server used then has to map the directory to
"/.well-known/acme-challenge/".

--- uacme.sh.orig	2024-04-25 11:12:57.787219060 +0000
+++ uacme.sh
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-CHALLENGE_PATH="${UACME_CHALLENGE_PATH:-/var/www/.well-known/acme-challenge}"
+CHALLENGE_PATH="${UACME_CHALLENGE_PATH:-@UACME_CHALLENGE_PATH@}"
 ARGS=5
 E_BADARGS=85