security/letskencrypt: Add periodic(8) and multi-cert capability

- Add periodic script
  - Make Domain+SAN names and challenge-dir configurable
  - Add multiple Domain+SAN certificates capability using scripts
  - Add sample renewal script
  - Add sample deployment script
  - Add pkg-message documenting periodic.conf variables

security/letskencrypt/Makefile

@@ -24,16 +24,30 @@ OPENSSL_PORT=	security/libressl
 
 WWWDIR=		${PREFIX}/www/letsencrypt
 
+SAMPLE_FILES=	letskencrypt.sh.sample deploy.sh.sample
+SUB_FILES=	000.letskencrypt.sh pkg-message ${SAMPLE_FILES}
+SUB_LIST=       PORTNAME=${PORTNAME}
+
+PERIODIC_DIRS=  etc/periodic/weekly
+PERIODIC_FILES= 000.letskencrypt.sh
+
 post-patch:
 	${REINPLACE_CMD} -e "s|/etc/|${PREFIX}/etc/|" \
 		-e "s|/var/www/letsencrypt|${WWWDIR}|" \
 		${WRKSRC}/main.c ${WRKSRC}/letskencrypt.1
 
+post-install:
+	${MKDIR} -p ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}
+	${INSTALL_SCRIPT} ${WRKDIR}/${PERIODIC_FILES} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${PERIODIC_FILES}
+
 post-stage:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/letskencrypt
 .	for d in etc/ssl/letsencrypt etc/ssl/letsencrypt/private \
 		etc/letsencrypt www/letsencrypt 
 		${MKDIR} ${STAGEDIR}${PREFIX}/${d}
 .	endfor
+.	for d in ${SAMPLE_FILES}
+		${INSTALL_SCRIPT} ${WRKDIR}/${d} ${STAGEDIR}${PREFIX}/etc/letsencrypt/${d}
+.	endfor
 
 .include <bsd.port.mk>

security/letskencrypt/files/000.letskencrypt.sh.in

@@ -0,0 +1,42 @@
+#/bin/sh
+
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+PATH=$PATH:%%LOCALBASE%%/bin:%%LOCALBASE%%/sbin
+export PATH
+
+case "$weekly_letskencrypt_enable" in
+    [Yy][Ee][Ss])
+	echo
+	echo "Checking Let's Encrypt certificate status:"
+
+	if [ -x "$weekly_letskencrypt_renewscript" ] ; then
+		$weekly_letskencrypt_renewscript
+	elif [ -x %%PREFIX%%/letsencrypt/letskencrypt.sh ] ; then
+		%%PREFIX%%/letsencrypt/letskencrypt.sh 
+	else
+		if [ -z "$weekly_letskencrypt_domains" ] ; then
+			weekly_letskencrypt_domains=$(hostname -f)
+			echo "Using hostname: $weekly_letskencrypt_domains"
+		fi
+		if [ -n "$weekly_letskencrypt_challengedir" ] ; then
+			weekly_letskencrypt_args="$weekly_letskencrypt_args -C $weekly_letskencrypt_challengedir"
+		fi
+		%%LOCALBASE%%/bin/letskencrypt $weekly_letskencrypt_args $weekly_letskencrypt_domains
+	fi
+
+	echo "Deploying Let's Encrypt certificates:"
+
+	if [ -x "$weekly_letskencrypt_deployscript" ] ; then
+		$weekly_letskencrypt_deployscript
+	else
+		echo 'Skipped, deploy script not set.'
+	fi
+        ;;
+    *)
+        ;;
+esac

security/letskencrypt/files/deploy.sh.sample.in

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+DOMAIN="example.net"
+LEDIR="%%PREFIX%%/etc/ssl/letsencrypt"
+JAILSDIR="/usr/jails"
+TARGETS="mail http"
+for jail in ${targets}; do
+  targetdir="${JAILSDIR}/${jail}/etc/ssl"
+  # Check if the certificate has changed
+  [[ -z "`diff -rq ${LEDIR}/${domain}/fullchain.pem ${targetdir}/certs/${domain}.pem`" ]] && continue
+  cp -L "${LEDIR}/private/${domain}.pem"   "${targetdir}/priv/${domain}.pem"
+  cp -L "${LEDIR}/${domain}/fullchain.pem" "${targetdir}/certs/${domain}.pem"
+  chmod 400 "${targetdir}/priv/${domain}.pem"
+  chmod 644 "${targetdir}/certs/${domain}.pem"
+  # Restart/-load relevant services
+  [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
+  [[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd    restart
+done
+
+# Repeat for other certificates
+#DOMAIN="example.org"
+#TARGETS="mail"
+#for jail in ${targets}; do
+#  targetdir="${JAILSDIR}/${jail}/etc/ssl"
+#  # Check if the certificate has changed
+#  [[ -z "`diff -rq ${LEDIR}/${domain}/fullchain.pem ${targetdir}/certs/${domain}.pem`" ]] && continue
+#  cp -L "${LEDIR}/private/${domain}.pem"   "${targetdir}/priv/${domain}.pem"
+#  cp -L "${LEDIR}/${domain}/fullchain.pem" "${targetdir}/certs/${domain}.pem"
+#  chmod 400 "${targetdir}/priv/${domain}.pem"
+#  chmod 644 "${targetdir}/certs/${domain}.pem"
+#  # Restart/-load relevant services
+#  [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
+#  [[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd    restart
+#done
+

security/letskencrypt/files/letskencrypt.sh.sample.in

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+BASEDIR="%%PREFIX%%/etc/letsencrypt"
+SSLDIR="%%PREFIX%%/etc/ssl/letsencrypt"
+DOMAINSFILE="${BASEDIR}/domains.txt"
+CHALLENGEDIR="/usr/jails/http/usr/local/www/.well-known/acme-challenge"
+
+[ ! -d "${SSLDIR}/priv" ] && mkdir -pm700 "${SSLDIR}/private"
+
+cat "${DOMAINSFILE}" | while read domain line ; do
+   CERTSDIR="${SSLDIR}/${domain}"
+   [ ! -d "${CERTSDIR}" ] && mkdir -pm755 "${CERTSDIR}"
+   letskencrypt -C "${CHALLENGEDIR}" \
+                -k "${SSLDIR}/private/${domain}.pem" \
+                -c "${CERTSDIR}" \
+                ${domain} ${line}
+done

security/letskencrypt/files/pkg-message.in

@@ -0,0 +1,28 @@
+
+There are example scripts in
+%%PREFIX%%/etc/letsencrypt
+that you can for renewing and deploying multiple certificates
+
+In order to run the script regularly to update
+the certificates add this line to /etc/periodic.conf
+
+weekly_letskencrypt_enable="YES"
+
+Additionally the following parameters can be added to
+/etc/periodic.conf (showing default values):
+
+To specify the domain name(s) to include in the certificate
+weekly_letskencrypt_domains="$(hostname -f)"
+
+To specify the .well-known/acme-challenge directory (full path)
+weekly_letskencrypt_challengedir="/usr/local/www/letsencrypt"
+
+To set additional letskencrypt arguments (see letskencrypt(1))
+weekly_letskencrypt_args=""
+
+To run a specific script for the renewal (ignore previously set variables)
+allows generating/renewing multiple keys/certificates
+weekly_letskencrypt_renewscript=""%%PREFIX%%/etc/letsencrypt/%%PORTNAME%%.sh"
+
+To run a script after the renewal to deploy changed certs
+weekly_letskencrypt_deployscript="%%PREFIX%%/etc/letsencrypt/deploy.sh"

security/letskencrypt/pkg-plist

@@ -1,7 +1,10 @@
 bin/letskencrypt
 man/man1/letskencrypt.1.gz
+etc/periodic/weekly/000.letskencrypt.sh
 @dir(,,0700) etc/letsencrypt
 @dir(,,0755) etc/ssl
 @dir(,,0755) etc/ssl/letsencrypt
 @dir(,,0700) etc/ssl/letsencrypt/private
 @dir(,www,) %%WWWDIR%%
+@sample etc/letsencrypt/deploy.sh.sample
+@sample etc/letsencrypt/letskencrypt.sh.sample