From 73a9239019b7dd3ace938f9bd4766cf0dabec6fd Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2015 01:02:27 +0100
Subject: Add an option --chain[=FILE].

---
 letsencrypt | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/letsencrypt b/letsencrypt
index 7465378..593ab8f 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -17,7 +17,7 @@ declare COMMAND ACCOUNTKEY
 declare -l GENKEY
 declare RUNAS QUIET= DEBUG=
 
-declare SRVCRT= CHAIN= CSR SRVKEY
+declare SRVCRT= CHAIN CSR SRVKEY
 declare -i MIN_AGE=0
 declare -l HASH=
 declare SUBJECT=/
@@ -62,8 +62,8 @@ usage() {
 		    --san=STRING      Comma-separated list of Subject Alternative Names formatted as "type:value"
 		    --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl)
 		                      (default: "digitalSignature,keyEncipherment,keyCertSign")
-		    --chain           Store not only the server certificate in the file specified with --output, but
-		                      also the CA's
+		    --chain[=FILE]    Store the server certificate along with its intermediate CA in FILE; if FILE is
+		                      empty or omitted, use the file specified with --output
 		    --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
 		                      is more than SECONDS ahead.
 		    --output=FILE     Where to store the issued (signed) X.509 certificate
@@ -102,7 +102,8 @@ while [ $# -gt 0 ]; do
 
         --output=*) SRVCRT="${1#*=}";;
         --min-age=*) MIN_AGE="${1#*=}";;
-        --chain) CHAIN=1;;
+        --chain) CHAIN=;;
+        --chain=*) CHAIN="${1#*=}";;
         --csr=*) CSR="${1#*=}";;
         --key=*) SRVKEY="${1#*=}";;
         --hash=*) HASH="${1#*=}";;
@@ -295,6 +296,16 @@ if [ "$COMMAND" = 'new-cert' ]; then
     cat "$x509" >"$SRVCRT"
     [ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT"
 
+    # add the CA chain
+    if [ ${CHAIN+x} ]; then
+        if [ "${CHAIN:-$SRVCRT}" = "$SRVCRT" ]; then
+            cat "$CAfile" >>"$SRVCRT"
+        else
+            [ -e "$CHAIN" ] || touch "$CHAIN"
+            cat "$SRVCRT" "$CAfile" >"$CHAIN"
+        fi
+    fi
+
     if [ ! "$QUIET" ]; then
         echo "X.509 certificate $SRVCRT has been updated or renewed"
         echo
-- 
cgit v1.2.3


From b4ae4b14c2d01f61d61408308475c3885d050112 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2015 01:05:21 +0100
Subject: wibble

---
 letsencrypt | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/letsencrypt b/letsencrypt
index 593ab8f..3486265 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -53,8 +53,10 @@ usage() {
 		$NAME new-cert ACCOUNTKEY --output=CERT --csr=FILE
 		$NAME new-cert ACCOUNTKEY --output=CERT --key=FILE [--hash=ALGO] [--subject=STRING] [--san=STRING] [--keyusage=STRING]
 		  Request a new Certificate Issuance.  The Certificate Signing Request can be supplied directly, or
-		  generated from the server key.
+		  generated from the server key using options --hash, --subject, --san and --keyusage.
 
+		    --min-age=SECONDS Skip the issuance if the certificate specified by --output exists and its
+		                      expiration date is more than SECONDS ahead.
 		    --csr=FILE        Certificate Signing Request to send (alternatively, use --key to generate it)
 		    --key=FILE        Server private key (use --genkey to generate it)
 		    --hash=DGST       Message digest to sign the CSR with (in PEM format)
@@ -62,11 +64,9 @@ usage() {
 		    --san=STRING      Comma-separated list of Subject Alternative Names formatted as "type:value"
 		    --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl)
 		                      (default: "digitalSignature,keyEncipherment,keyCertSign")
+		    --output=FILE     Where to store the issued (signed) X.509 certificate
 		    --chain[=FILE]    Store the server certificate along with its intermediate CA in FILE; if FILE is
 		                      empty or omitted, use the file specified with --output
-		    --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
-		                      is more than SECONDS ahead.
-		    --output=FILE     Where to store the issued (signed) X.509 certificate
 		    --notify=COMMAND  Command to run upon success.  (This option can be repeated.)
 
 		$NAME revoke-cert {ACCOUNTKEY|SVRKEY} FILE [FILE ..]
@@ -278,10 +278,9 @@ while read data; do
     echo -n "$data" | openssl dgst -sha256 -sign "$ACCOUNTKEY" -hex | sed 's/.*=\s*//'
 done >"$pipe"
 
-if [ "$COMMAND" = 'new-cert' ]; then
-    # https://crt.sh/?q=mail.fripost.org&iCAID=7395
-    # https://crt.sh/?spkisha1=$sha1
-
+if [ "$COMMAND" != 'new-cert' ]; then
+    [ "$QUIET" ] || echo OK
+else
     # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
     if [ ! -s "$x509" ] ||
          ! diff <(openssl req  -in "$CSR"  -pubkey -noout) \
@@ -317,7 +316,4 @@ if [ "$COMMAND" = 'new-cert' ]; then
     for (( i=0; i<${#NOTIFY[@]}; i++ )); do
         ${NOTIFY[$i]}
     done
-
-else
-    [ "$QUIET" ] || echo OK
 fi
-- 
cgit v1.2.3