-rwxr-xr-xletsencrypt35
1 files changed, 21 insertions, 14 deletions
diff --git a/letsencrypt b/letsencrypt
index 7465378..3486265 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -17,7 +17,7 @@ declare COMMAND ACCOUNTKEY
declare -l GENKEY
declare RUNAS QUIET= DEBUG=
-declare SRVCRT= CHAIN= CSR SRVKEY
+declare SRVCRT= CHAIN CSR SRVKEY
declare -i MIN_AGE=0
declare -l HASH=
declare SUBJECT=/
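Review bot: The new `declare SRVCRT= CHAIN CSR SRVKEY` intentionally leaves CHAIN unset (not empty), and the later `${CHAIN+x}` test depends on that distinction, so the line deserves a comment: `# CHAIN stays unset unless --chain is given; empty means "same file as --output"`. Without it a future edit that restores `CHAIN=` would silently turn chain output on for every run.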
@@ -53,8 +53,10 @@ usage() {
$NAME new-cert ACCOUNTKEY --output=CERT --csr=FILE
$NAME new-cert ACCOUNTKEY --output=CERT --key=FILE [--hash=ALGO] [--subject=STRING] [--san=STRING] [--keyusage=STRING]
Request a new Certificate Issuance. The Certificate Signing Request can be supplied directly, or
- generated from the server key.
+ generated from the server key using options --hash, --subject, --san and --keyusage.
+ --min-age=SECONDS Skip the issuance if the certificate specified by --output exists and its
+ expiration date is more than SECONDS ahead.
--csr=FILE Certificate Signing Request to send (alternatively, use --key to generate it)
--key=FILE Server private key (use --genkey to generate it)
--hash=DGST Message digest to sign the CSR with (in PEM format)
@@ -62,11 +64,9 @@ usage() {
--san=STRING Comma-separated list of Subject Alternative Names formatted as "type:value"
--keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl)
(default: "digitalSignature,keyEncipherment,keyCertSign")
- --chain Store not only the server certificate in the file specified with --output, but
- also the CA's
- --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
- is more than SECONDS ahead.
--output=FILE Where to store the issued (signed) X.509 certificate
+ --chain[=FILE] Store the server certificate along with its intermediate CA in FILE; if FILE is
+ empty or omitted, use the file specified with --output
--notify=COMMAND Command to run upon success. (This option can be repeated.)
$NAME revoke-cert {ACCOUNTKEY|SVRKEY} FILE [FILE ..]
@@ -102,7 +102,8 @@ while [ $# -gt 0 ]; do
--output=*) SRVCRT="${1#*=}";;
--min-age=*) MIN_AGE="${1#*=}";;
- --chain) CHAIN=1;;
+ --chain) CHAIN=;;
+ --chain=*) CHAIN="${1#*=}";;
--csr=*) CSR="${1#*=}";;
--key=*) SRVKEY="${1#*=}";;
--hash=*) HASH="${1#*=}";;
@@ -277,10 +278,9 @@ while read data; do
echo -n "$data" | openssl dgst -sha256 -sign "$ACCOUNTKEY" -hex | sed 's/.*=\s*//'
done >"$pipe"
-if [ "$COMMAND" = 'new-cert' ]; then
- # https://crt.sh/?q=mail.fripost.org&iCAID=7395
- # https://crt.sh/?spkisha1=$sha1
-
+if [ "$COMMAND" != 'new-cert' ]; then
+ [ "$QUIET" ] || echo OK
+else
# Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
if [ ! -s "$x509" ] ||
! diff <(openssl req -in "$CSR" -pubkey -noout) \
@@ -295,6 +295,16 @@ if [ "$COMMAND" = 'new-cert' ]; then
cat "$x509" >"$SRVCRT"
[ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT"
+ # add the CA chain
+ if [ ${CHAIN+x} ]; then
+ if [ "${CHAIN:-$SRVCRT}" = "$SRVCRT" ]; then
+ cat "$CAfile" >>"$SRVCRT"
+ else
+ [ -e "$CHAIN" ] || touch "$CHAIN"
+ cat "$SRVCRT" "$CAfile" >"$CHAIN"
+ fi
+ fi
+
if [ ! "$QUIET" ]; then
echo "X.509 certificate $SRVCRT has been updated or renewed"
echo
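Review bot: The new `[ "${CHAIN:-$SRVCRT}" = "$SRVCRT" ]` compares path strings, so a --chain value that names the same file as --output through a different spelling (relative vs. absolute path, or a symlink) falls into the else branch, where `cat "$SRVCRT" "$CAfile" >"$CHAIN"` truncates the file before cat reads it and leaves the freshly issued certificate empty. Since the script already relies on bash, test file identity instead: `if [ -z "$CHAIN" ] || [ "$CHAIN" -ef "$SRVCRT" ]; then` (with `-ef` false for a not-yet-existing chain file, which is the desired else case). The `[ -e "$CHAIN" ] || touch "$CHAIN"` line is redundant, as the following `>"$CHAIN"` creates the file anyway. Quoting `[ "${CHAIN+x}" ]` would also match the rest of the file's style. The enclosing new-cert `if` starts and ends outside this hunk, and what `$CAfile` holds is not visible here — presumably the CA certificate verified earlier in the same block.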
@@ -306,7 +316,4 @@ if [ "$COMMAND" = 'new-cert' ]; then
for (( i=0; i<${#NOTIFY[@]}; i++ )); do
${NOTIFY[$i]}
done
-
-else
- [ "$QUIET" ] || echo OK
fi