| -rwxr-xr-x | letsencrypt | 35 | 
1 files changed, 21 insertions, 14 deletions
| diff --git a/letsencrypt b/letsencrypt
index 7465378..3486265 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -17,7 +17,7 @@ declare COMMAND ACCOUNTKEY
 declare -l GENKEY
 declare RUNAS QUIET= DEBUG=
-declare SRVCRT= CHAIN= CSR SRVKEY
+declare SRVCRT= CHAIN CSR SRVKEY
 declare -i MIN_AGE=0
 declare -l HASH=
 declare SUBJECT=/
@@ -53,8 +53,10 @@ usage() {
 		$NAME new-cert ACCOUNTKEY --output=CERT --csr=FILE
 		$NAME new-cert ACCOUNTKEY --output=CERT --key=FILE [--hash=ALGO] [--subject=STRING] [--san=STRING] [--keyusage=STRING]
 		  Request a new Certificate Issuance.  The Certificate Signing Request can be supplied directly, or
-		  generated from the server key.
+		  generated from the server key using options --hash, --subject, --san and --keyusage.
+		    --min-age=SECONDS Skip the issuance if the certificate specified by --output exists and its
+		                      expiration date is more than SECONDS ahead.
 		    --csr=FILE        Certificate Signing Request to send (alternatively, use --key to generate it)
 		    --key=FILE        Server private key (use --genkey to generate it)
 		    --hash=DGST       Message digest to sign the CSR with (in PEM format)
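Review bot: `declare SRVCRT= CHAIN CSR SRVKEY` now encodes three states in one variable — unset (no chain written), empty (chain appended to --output) and a path — and the `--chain)` / `--chain=*)` arms in the -102 hunk and the `${CHAIN+x}` test in the -295 hunk all depend on CHAIN staying unset by default; nothing on the declare line says so, and a later `CHAIN=` default would silently change behaviour. A comment on the line would make the contract explicit: `# CHAIN: unset = no chain, empty = append the CA to --output, otherwise = file receiving cert+chain`. The usage() hunk on this line appears to be missing its last line in this rendering, so it is not reviewed here.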
@@ -62,11 +64,9 @@ usage() {
 		    --san=STRING      Comma-separated list of Subject Alternative Names formatted as "type:value"
 		    --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl)
 		                      (default: "digitalSignature,keyEncipherment,keyCertSign")
-		    --chain           Store not only the server certificate in the file specified with --output, but
-		                      also the CA's
-		    --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
-		                      is more than SECONDS ahead.
 		    --output=FILE     Where to store the issued (signed) X.509 certificate
+		    --chain[=FILE]    Store the server certificate along with its intermediate CA in FILE; if FILE is
+		                      empty or omitted, use the file specified with --output
 		    --notify=COMMAND  Command to run upon success.  (This option can be repeated.)
 		$NAME revoke-cert {ACCOUNTKEY|SVRKEY} FILE [FILE ..]
@@ -102,7 +102,8 @@ while [ $# -gt 0 ]; do
         --output=*) SRVCRT="${1#*=}";;
         --min-age=*) MIN_AGE="${1#*=}";;
-        --chain) CHAIN=1;;
+        --chain) CHAIN=;;
+        --chain=*) CHAIN="${1#*=}";;
         --csr=*) CSR="${1#*=}";;
         --key=*) SRVKEY="${1#*=}";;
         --hash=*) HASH="${1#*=}";;
@@ -277,10 +278,9 @@ while read data; do
     echo -n "$data" | openssl dgst -sha256 -sign "$ACCOUNTKEY" -hex | sed 's/.*=\s*//'
 done >"$pipe"
-if [ "$COMMAND" = 'new-cert' ]; then
-    # https://crt.sh/?q=mail.fripost.org&iCAID=7395
-    # https://crt.sh/?spkisha1=$sha1
-
+if [ "$COMMAND" != 'new-cert' ]; then
+    [ "$QUIET" ] || echo OK
+else
     # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
     if [ ! -s "$x509" ] ||
          ! diff <(openssl req  -in "$CSR"  -pubkey -noout) \
@@ -295,6 +295,16 @@ if [ "$COMMAND" = 'new-cert' ]; then
     cat "$x509" >"$SRVCRT"
     [ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT"
+    # add the CA chain
+    if [ ${CHAIN+x} ]; then
+        if [ "${CHAIN:-$SRVCRT}" = "$SRVCRT" ]; then
+            cat "$CAfile" >>"$SRVCRT"
+        else
+            [ -e "$CHAIN" ] || touch "$CHAIN"
+            cat "$SRVCRT" "$CAfile" >"$CHAIN"
+        fi
+    fi
+
     if [ ! "$QUIET" ]; then
     echo "X.509 certificate $SRVCRT has been updated or renewed"
     echo
@@ -306,7 +316,4 @@ if [ "$COMMAND" = 'new-cert' ]; then
     for (( i=0; i<${#NOTIFY[@]}; i++ )); do
         ${NOTIFY[$i]}
     done
-
-else
-    [ "$QUIET" ] || echo OK
 fi |
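Review bot: The `"${CHAIN:-$SRVCRT}" = "$SRVCRT"` test compares path strings, so `--chain=./cert.pem` with `--output=cert.pem` (or a symlink to it) takes the else branch, where `>"$CHAIN"` truncates the file before `cat` reads `$SRVCRT`, and the freshly issued certificate is lost, leaving a file holding only the CA chain. Comparing inodes instead closes that: `if [ -z "$CHAIN" ] || [ "$CHAIN" -ef "$SRVCRT" ]; then` (bash's test supports `-ef`, and the script already relies on bash with `declare` and `<(...)`). The `[ -e "$CHAIN" ] || touch "$CHAIN"` line is redundant, since the redirection on the next line creates the file anyway. Both branches also rewrite the live file in place; writing to a temporary file beside it and renaming would spare a daemon that reloads mid-write from seeing a truncated certificate. The enclosing else-branch of the new-cert check starts outside this hunk.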
