-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--security/Makefile1
-rw-r--r--security/lego/Makefile46
-rw-r--r--security/lego/distinfo3
-rw-r--r--security/lego/files/604.lego.in32
-rw-r--r--security/lego/files/deploy.sh.sample.in30
-rw-r--r--security/lego/files/lego.sh.sample.in40
-rw-r--r--security/lego/files/pkg-message.in37
-rw-r--r--security/lego/pkg-descr4
-rw-r--r--security/lego/pkg-plist8
11 files changed, 203 insertions, 2 deletions
diff --git a/GIDs b/GIDs
index 9c466ba30768..e7ad3664374a 100644
--- a/GIDs
+++ b/GIDs
@@ -544,7 +544,7 @@ _xsi:*:600:
_tss:*:601:
_pkcs11:*:602:
_acme:*:603:
-# free: 604
+_lego:*:604:
_hockeypuck:*:605:
# free: 606
# free: 607
diff --git a/UIDs b/UIDs
index 718a8e2500d2..a3240f13b1c6 100644
--- a/UIDs
+++ b/UIDs
@@ -549,7 +549,7 @@ _xsi:*:600:600::0:0:XMLSysInfo User:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:daemon:0:0:TrouSerS user:/var/empty:/usr/sbin/nologin
_pkcs11:*:602:602:daemon:0:0:opencryptoki user:/var/empty:/usr/sbin/nologin
_acme:*:603:603::0:0:ACME client user:/var/empty:/usr/sbin/nologin
-# free: 604
+_lego:*:604:604::0:0:lego client user:/nonexistent:/usr/sbin/nologin
_hockeypuck:*:605:605::0:0:hockeypuck pgp keyserver user:/var/empty:/usr/sbin/nologin
# free: 606
# free: 607
diff --git a/security/Makefile b/security/Makefile
index a43c3b39cb7e..5ec5a43ec820 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -278,6 +278,7 @@
SUBDIR += l5
SUBDIR += lasso
SUBDIR += lastpass-cli
+ SUBDIR += lego
SUBDIR += libadacrypt
SUBDIR += libargon2
SUBDIR += libassuan
diff --git a/security/lego/Makefile b/security/lego/Makefile
new file mode 100644
index 000000000000..91f30a78dddf
--- /dev/null
+++ b/security/lego/Makefile
@@ -0,0 +1,46 @@
+# $FreeBSD$
+
+PORTNAME= lego
+DISTVERSIONPREFIX= v
+DISTVERSION= 2.6.0
+CATEGORIES= security
+
+MAINTAINER= matt@matthoran.com
+COMMENT= Let's Encrypt client and ACME library written in Go
+
+LICENSE= MIT
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
+
+USES= go
+
+GO_PKGNAME= github.com/go-acme/lego
+GO_TARGET= ${GO_PKGNAME}/cmd/lego
+GO_BUILDFLAGS= -ldflags '-X "main.version=${GH_TAGNAME}"'
+
+USE_GITHUB= yes
+GH_ACCOUNT= go-acme
+
+SAMPLE_FILES= lego.sh.sample deploy.sh.sample
+SUB_FILES= 604.lego pkg-message ${SAMPLE_FILES}
+SUB_LIST= PORTNAME=${PORTNAME} LEGO_USER=${LEGO_USER}
+
+PERIODIC_DIRS= etc/periodic/weekly
+PERIODIC_FILES= 604.lego
+
+LEGO_USER?= _lego
+
+USERS= ${LEGO_USER}
+GROUPS= ${LEGO_USER}
+
+post-install:
+ ${MKDIR} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}
+ ${INSTALL_SCRIPT} ${WRKDIR}/${PERIODIC_FILES} ${STAGEDIR}${PREFIX}/${PERIODIC_DIRS}/${PERIODIC_FILES}
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl/lego \
+ ${STAGEDIR}${ETCDIR} ${STAGEDIR}${WWWDIR}
+. for d in ${SAMPLE_FILES}
+ ${INSTALL_SCRIPT} ${WRKDIR}/${d} ${STAGEDIR}${ETCDIR}/${d}
+. endfor
+
+.include <bsd.port.mk>
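Review bot: `LEGO_USER?= _lego` advertises the service account as overridable, but the port cannot honour an override: `USERS`/`GROUPS` need a matching entry in UIDs/GIDs, which this commit adds only for `_lego`, and both `pkg-plist` and `604.lego.in` hard-code `_lego` instead of using `%%LEGO_USER%%` (which `SUB_LIST` already provides and `pkg-message.in` uses). Someone setting LEGO_USER in make.conf would end up with files owned by one account and the periodic renew running as another. Either make it a plain assignment, `LEGO_USER= _lego`, or thread it through consistently with `PLIST_SUB= LEGO_USER=${LEGO_USER}` and `%%LEGO_USER%%` in the plist and the periodic script. A one-line comment above the assignment stating which choice was made, e.g. `# Fixed: the account must exist in UIDs/GIDs and is hard-coded in pkg-plist`, would stop the next maintainer from "fixing" it the other way.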
diff --git a/security/lego/distinfo b/security/lego/distinfo
new file mode 100644
index 000000000000..6f16b9505fa8
--- /dev/null
+++ b/security/lego/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1559482047
+SHA256 (go-acme-lego-v2.6.0_GH0.tar.gz) = 1abba13871f58fe483a3d4ac3900d44cddeacfc3dfe9fae2d96e45a9a39e7ce7
+SIZE (go-acme-lego-v2.6.0_GH0.tar.gz) = 4996556
diff --git a/security/lego/files/604.lego.in b/security/lego/files/604.lego.in
new file mode 100644
index 000000000000..c2a776f6d1c5
--- /dev/null
+++ b/security/lego/files/604.lego.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+PATH=$PATH:%%LOCALBASE%%/bin:%%LOCALBASE%%/sbin
+export PATH
+
+case "$weekly_lego_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Checking Let's Encrypt certificate status:"
+
+ if [ -x "$weekly_lego_renewscript" ] ; then
+ echo "$weekly_lego_renewscript" | su -fm _lego || exit 3
+ fi
+
+ if [ -n "$weekly_lego_deployscript" ] ; then
+ if [ -x "$weekly_lego_deployscript" ] ; then
+ echo "Deploying Let's Encrypt certificates:"
+ $weekly_lego_deployscript || exit 3
+ else
+ echo 'Skipped, deploy script does not exist or is not executable'
+ fi
+ fi
+ ;;
+ *)
+ ;;
+esac
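Review bot: The deploy script is executed as root after only a `-x` test, yet the plist installs it under `etc/lego`, a directory it hands to the unprivileged `_lego` account that the renew step runs as; an attacker who reaches `_lego` through lego's network-facing code could replace `deploy.sh` and run as root on the next weekly run. Until the directory ownership is fixed, the periodic script should refuse a deploy script that is not root-owned or is group/other-writable, e.g. `owner_ok() { [ "$(stat -f '%u' "$1")" = 0 ] && [ -z "$(find "$1" -perm +022)" ]; }` and `if [ -x "$weekly_lego_deployscript" ] && owner_ok "$weekly_lego_deployscript"; then`. The `su -fm` on the renew branch also hands root's complete environment to the unprivileged process; under periodic that environment is presumably small, but a comment such as `# -m: keep env so root's shell is used (_lego has nologin); nothing sensitive must be exported here` would record why the flag is there.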
diff --git a/security/lego/files/deploy.sh.sample.in b/security/lego/files/deploy.sh.sample.in
new file mode 100644
index 000000000000..ceddaacab5da
--- /dev/null
+++ b/security/lego/files/deploy.sh.sample.in
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+SSLDIR="%%PREFIX%%/etc/ssl"
+
+copy_certs () {
+ local certdir certfile domain keyfile rc
+ rc=1
+
+ certdir="${SSLDIR}/lego/certificates"
+ certfiles="$(find "${certdir}" -name "*.crt" -not -name "*.issuer.crt")"
+ for certfile in $certfiles
+ do
+ domain="$(basename "$certfile" .crt)"
+ keyfile="$(dirname "$certfile")/${domain}.key"
+
+ if ! cmp -s "${certfile}" "${SSLDIR}/certs/${domain}.crt"
+ then
+ cp "${certfile}" "${SSLDIR}/certs/${domain}.crt"
+ cp "${keyfile}" "${SSLDIR}/private/${domain}.key"
+ rc=0
+ fi
+ done
+
+ return $rc
+}
+
+if copy_certs
+then
+ output=$(service nginx reload 2>&1) || (echo "$output" && exit 1)
+fi
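Review bot: copy_certs runs as root but reads from `etc/ssl/lego/certificates`, a tree the plist gives to `_lego`, and `cp` follows symbolic links on its source, so a compromised `_lego` could point `foo.crt` or `foo.key` at any root-readable file and have it copied into `${SSLDIR}/certs` (where `.crt` files are presumably world-readable — verify the mode there). The copied private key is also created with whatever mode `cp` derives from the source and root's umask at periodic time, which this script does not control. Restrict the search to regular files and set explicit modes: `certfiles="$(find "${certdir}" -type f -name "*.crt" -not -name "*.issuer.crt")"`, `install -m 0644 "${certfile}" "${SSLDIR}/certs/${domain}.crt"`, `install -m 0600 "${keyfile}" "${SSLDIR}/private/${domain}.key"`; `-type f` is still racy against a user who owns the directory, so the durable fix is not having root copy out of a `_lego`-writable location. Note also that `certfiles` is missing from the `local` list and the unquoted `$certfiles` loop splits on whitespace in paths.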
diff --git a/security/lego/files/lego.sh.sample.in b/security/lego/files/lego.sh.sample.in
new file mode 100644
index 000000000000..92cd2bc50420
--- /dev/null
+++ b/security/lego/files/lego.sh.sample.in
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+
+# Email used for registration and recovery contact.
+EMAIL=""
+
+BASEDIR="%%ETCDIR%%"
+SSLDIR="%%PREFIX%%/etc/ssl/lego"
+DOMAINSFILE="${BASEDIR}/domains.txt"
+
+if [ -z "${EMAIL}" ]; then
+ echo "Please set EMAIL to a valid address in ${BASEDIR}/lego.sh"
+ exit 1
+fi
+
+if [ ! -e "${DOMAINSFILE}" ]; then
+ echo "Please create ${DOMAINSFILE} as specified in ${BASEDIR}/lego.sh"
+ exit 1
+fi
+
+if [ "$1" = "run" ]; then
+ command="run"
+else
+ command="renew --days 30"
+fi
+
+run_or_renew() {
+ %%PREFIX%%/bin/lego --path "${SSLDIR}" \
+ --email="${EMAIL}" \
+ $(printf -- "--domains=%s " $line) \
+ --http --http.webroot="%%WWWDIR%%" \
+ $1
+}
+
+while read line <&3; do
+ if [ "$command" = "run" ]; then
+ run_or_renew "$command"
+ else
+ output=$(run_or_renew "$command") || (echo "$output" && exit 1)
+ fi
+done 3<"${DOMAINSFILE}"
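Review bot: `(echo "$output" && exit 1)` on the renew branch runs `exit` in a subshell, so the loop stops only because the shebang's `-e` is tripped by the failing `||` list; if the script is ever invoked as `sh lego.sh` (plausible, since `_lego`'s shell is nologin and pkg-message says to run it as that user) the `-e` is gone and a failed renewal for one line is printed and then silently skipped. Use a brace group instead: `output=$(run_or_renew "$command") || { echo "$output"; exit 1; }`. Separately, `read line` without `-r` lets a trailing backslash in domains.txt join two lines, and the unquoted `$line` in the `printf` undergoes pathname expansion, so an entry such as `*.example.com` would be replaced by the contents of the working directory; `read -r line` and a `set -f` before the loop close both. The `run` branch is not wrapped and so is unaffected by the first point.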
diff --git a/security/lego/files/pkg-message.in b/security/lego/files/pkg-message.in
new file mode 100644
index 000000000000..5b02884f4bb2
--- /dev/null
+++ b/security/lego/files/pkg-message.in
@@ -0,0 +1,37 @@
+
+There are example scripts in
+ %%ETCDIR%%
+that you can use for renewing and deploying certificates.
+
+In order to run the script regularly to update the certificates add this line
+to /etc/periodic.conf:
+
+ weekly_lego_enable="YES"
+
+Additionally the following parameters may be added to /etc/periodic.conf:
+
+Script to run to renew certificates, will be run as %%LEGO_USER%% (required)
+ weekly_lego_renewscript="%%ETCDIR%%/lego.sh"
+
+To run a script after the renewal to deploy certificates
+ weekly_lego_deployscript="%%ETCDIR%%/deploy.sh"
+
+If using the example renew script, add the domains for which lego will manage
+certificates to
+ %%ETCDIR%%/domains.txt, one domain on each line.
+
+To add a Subject Alternate Name to the certificate, append the domain(s) to the
+line:
+ example.com www.example.com
+
+To run lego for the first time, edit
+ %%ETCDIR%%/lego.sh
+and set the EMAIL variable.
+
+Then run lego.sh with the run argument as the %%LEGO_USER%% user:
+ $ %%ETCDIR%%/lego.sh run
+
+Subsequent periodic runs will run with the renew argument by default, with a
+renewal interval of 30 days.
+
+
diff --git a/security/lego/pkg-descr b/security/lego/pkg-descr
new file mode 100644
index 000000000000..43df72f321bd
--- /dev/null
+++ b/security/lego/pkg-descr
@@ -0,0 +1,4 @@
+lego is a client for Let's Encrypt users, written in Go. It has support for a
+number of ACME challenges, and no external dependencies.
+
+WWW: https://github.com/go-acme/lego
diff --git a/security/lego/pkg-plist b/security/lego/pkg-plist
new file mode 100644
index 000000000000..65ad98b95bb8
--- /dev/null
+++ b/security/lego/pkg-plist
@@ -0,0 +1,8 @@
+bin/lego
+etc/periodic/weekly/604.lego
+@dir(_lego,_lego,0700) etc/lego
+@dir(,,0755) etc/ssl
+@dir(_lego,_lego,0755) etc/ssl/lego
+@dir(_lego,www,) %%WWWDIR%%
+@sample(_lego,_lego,0700) etc/lego/lego.sh.sample
+@sample etc/lego/deploy.sh.sample
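Review bot: `@dir(_lego,_lego,0700) etc/lego` makes the unprivileged `_lego` account the owner of the directory holding `deploy.sh`, which `604.lego` executes as root; a directory owner can unlink and recreate any entry regardless of the file's own owner and mode, so this hands `_lego` a weekly root code path. Keep the directory root-owned and give only the renew script to `_lego`: `@dir etc/lego` together with the existing `@sample(_lego,_lego,0700) etc/lego/lego.sh.sample` (root can still create domains.txt and edit lego.sh as the pkg-message instructs, and `_lego` can read them through a 0755 directory). The same reasoning applies to `etc/ssl/lego`, which root reads in `deploy.sh`; there lego must write the tree, so at least tighten it to `@dir(_lego,_lego,0750) etc/ssl/lego` to keep the account key and private keys away from other local users, depending on what modes lego itself applies to its subdirectories.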