authorGuilhem Moulin <guilhem@fripost.org>2015-12-09 00:17:20 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-12-09 00:43:47 +0100
commit8eb679e08e08b4bb992c8d43f57c3458aab4cf1a (patch)
tree4c76f6984d625d5a7edf778b0124ac8f7ca5502d /letsencrypt
parent594b65f8960c38fde1a8ffd567df852a69a670ff (diff)
Ship LE's intermediate CA files and add cert validation.
Diffstat (limited to 'letsencrypt')
-rwxr-xr-xletsencrypt31
1 files changed, 25 insertions, 6 deletions
diff --git a/letsencrypt b/letsencrypt
index 4c932e4..7465378 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -11,13 +11,14 @@ WWW_USER=www-data
WWW_GROUP=www-data
ACME_WEBSERVER=acme-webserver
ACME_CLIENT=acme-slave
+CAfile=/usr/share/lets-encrypt/letsencryptauthorityx1.pem
declare COMMAND ACCOUNTKEY
declare -l GENKEY
declare RUNAS QUIET= DEBUG=
declare SRVCRT= CHAIN= CSR SRVKEY
-delcale -i MIN_AGE=0
+declare -i MIN_AGE=0
declare -l HASH=
declare SUBJECT=/
declare SAN=
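Review bot: The added `CAfile=...` line sits in the middle of the script's `declare` block but is neither declared nor read-only, and its mixed-case name differs from the surrounding upper-case constants; `declare -r CAfile=/usr/share/lets-encrypt/letsencryptauthorityx1.pem` keeps the style and protects the trust anchor from accidental reassignment. It also pins a single intermediate even though the commit message says CA files (plural) are shipped, so once Let's Encrypt issues from a different intermediate the `openssl verify` call added in the later hunk fails closed until this path is edited by hand; pointing it at a bundle of all shipped intermediates, or accepting an override option, would be more robust. Both points are inferred from the visible lines only.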
@@ -168,7 +169,7 @@ elif [ "$COMMAND" = 'new-cert' ]; then
echo "Error: Missing --output" >&2
exit 1
fi
- if [ -s "$SRVCRT" ] && \
+ if [ -s "$SRVCRT" ] && [ $MIN_AGE -gt 0 ] && \
exp=$(openssl x509 -noout -enddate <"$SRVCRT" 2>/dev/null) && \
[ $(( $(date -d "${exp#*=}" +%s) - $(date +%s))) -gt $MIN_AGE ]; then
[ ! "$DEBUG" ] || echo "Expiration date ($(date -d"${exp#*=}")) is too far away, come back later." >&2
@@ -277,17 +278,35 @@ while read data; do
done >"$pipe"
if [ "$COMMAND" = 'new-cert' ]; then
- # TODO
- # Verify: dump and compare public keys
- # Valid cert, signed by the right CA
- # https://crt.sh/?q=cse-fresti.cse.chalmers.se&iCAID=7395
+ # https://crt.sh/?q=mail.fripost.org&iCAID=7395
+ # https://crt.sh/?spkisha1=$sha1
+
+ # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
+ if [ ! -s "$x509" ] ||
+ ! diff <(openssl req -in "$CSR" -pubkey -noout) \
+ <(openssl x509 -in "$x509" -pubkey -noout) >/dev/null ||
+ ! openssl verify -CAfile "$CAfile" -purpose sslserver -x509_strict <"$x509" >/dev/null; then
+ echo "Error: Got an invalid X.509 certificate from the ACME server!" >&2
+ exit 1
+ fi
# if it doesn't exist, create the file with mode 0644 minus the process's umask(2)
[ -e "$SRVCRT" ] || touch "$SRVCRT"
cat "$x509" >"$SRVCRT"
[ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT"
+ if [ ! "$QUIET" ]; then
+ echo "X.509 certificate $SRVCRT has been updated or renewed"
+ echo
+ openssl x509 -noout \
+ -text -certopt no_header,no_version,no_pubkey,no_sigdump \
+ -fingerprint -sha256 <"$SRVCRT"
+ fi
+
for (( i=0; i<${#NOTIFY[@]}; i++ )); do
${NOTIFY[$i]}
done
+
+else
+ [ "$QUIET" ] || echo OK
fi
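Review bot: If `$CAfile` is missing or unreadable, the `openssl verify` on the last line of the new `if` condition fails and the script prints "Error: Got an invalid X.509 certificate from the ACME server!", which sends the operator after the wrong cause; check the file up front, e.g. `[ -r "$CAfile" ] || { echo "Error: cannot read CA file $CAfile" >&2; exit 1; }` placed before the `if`. The new check confirms that the public key matches the CSR and that the issuer is the shipped intermediate, but not that the certificate covers the requested names, so a certificate issued for a different host would still be installed into `$SRVCRT`; comparing its subjectAltName against the CSR (or using `openssl verify -verify_hostname` where the installed OpenSSL supports it) would close that gap. Whether the temporary `$x509` file is removed on the new `exit 1` path depends on a trap that is outside this hunk.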