From 73a9239019b7dd3ace938f9bd4766cf0dabec6fd Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2015 01:02:27 +0100 Subject: Add an option --chain[=FILE]. --- letsencrypt | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/letsencrypt b/letsencrypt index 7465378..593ab8f 100755 --- a/letsencrypt +++ b/letsencrypt @@ -17,7 +17,7 @@ declare COMMAND ACCOUNTKEY declare -l GENKEY declare RUNAS QUIET= DEBUG= -declare SRVCRT= CHAIN= CSR SRVKEY +declare SRVCRT= CHAIN CSR SRVKEY declare -i MIN_AGE=0 declare -l HASH= declare SUBJECT=/ @@ -62,8 +62,8 @@ usage() { --san=STRING Comma-separated list of Subject Alternative Names formatted as "type:value" --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl) (default: "digitalSignature,keyEncipherment,keyCertSign") - --chain Store not only the server certificate in the file specified with --output, but - also the CA's + --chain[=FILE] Store the server certificate along with its intermediate CA in FILE; if FILE is + empty or omitted, use the file specified with --output --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration is more than SECONDS ahead. --output=FILE Where to store the issued (signed) X.509 certificate @@ -102,7 +102,8 @@ while [ $# -gt 0 ]; do --output=*) SRVCRT="${1#*=}";; --min-age=*) MIN_AGE="${1#*=}";; - --chain) CHAIN=1;; + --chain) CHAIN=;; + --chain=*) CHAIN="${1#*=}";; --csr=*) CSR="${1#*=}";; --key=*) SRVKEY="${1#*=}";; --hash=*) HASH="${1#*=}";; 
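Review bot: `declare SRVCRT= CHAIN CSR SRVKEY` in the first hunk now deliberately leaves CHAIN unset so that the `${CHAIN+x}` test added later in this patch can tell "--chain not given" apart from "--chain with an empty value", but nothing at the declaration says so, and whoever restores the old `CHAIN=` for tidiness turns the chain step on for every run. A short comment on that line would pin the contract: `# CHAIN stays unset unless --chain is given; empty means "same file as --output"`. The `--chain) CHAIN=;;` and `--chain=*) CHAIN="${1#*=}";;` arms in the third hunk are consistent with that reading.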
@@ -295,6 +296,16 @@ if [ "$COMMAND" = 'new-cert' ]; then cat "$x509" >"$SRVCRT" [ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT" + # add the CA chain + if [ ${CHAIN+x} ]; then + if [ "${CHAIN:-$SRVCRT}" = "$SRVCRT" ]; then + cat "$CAfile" >>"$SRVCRT" + else + [ -e "$CHAIN" ] || touch "$CHAIN" + cat "$SRVCRT" "$CAfile" >"$CHAIN" + fi + fi + if [ ! "$QUIET" ]; then echo "X.509 certificate $SRVCRT has been updated or renewed" echo -- cgit v1.2.3 From b4ae4b14c2d01f61d61408308475c3885d050112 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2015 01:05:21 +0100 Subject: wibble --- letsencrypt | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/letsencrypt b/letsencrypt index 593ab8f..3486265 100755 --- a/letsencrypt +++ b/letsencrypt @@ -53,8 +53,10 @@ usage() { $NAME new-cert ACCOUNTKEY --output=CERT --csr=FILE $NAME new-cert ACCOUNTKEY --output=CERT --key=FILE [--hash=ALGO] [--subject=STRING] [--san=STRING] [--keyusage=STRING] Request a new Certificate Issuance. The Certificate Signing Request can be supplied directly, or - generated from the server key. + generated from the server key using options --hash, --subject, --san and --keyusage. + --min-age=SECONDS Skip the issuance if the certificate specified by --output exists and its + expiration date is more than SECONDS ahead. --csr=FILE Certificate Signing Request to send (alternatively, use --key to generate it) --key=FILE Server private key (use --genkey to generate it) --hash=DGST Message digest to sign the CSR with (in PEM format) 
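Review bot: In the `else` branch, `cat "$SRVCRT" "$CAfile" >"$CHAIN"` truncates `$CHAIN` before `cat` reads `$SRVCRT`, so when `--chain=FILE` names the same file as `--output` under a different spelling (`./cert.pem` vs `cert.pem`, a symlink, …) the string comparison on the inner `if` misses it and the freshly issued certificate is wiped. Comparing the paths instead of the strings closes that gap: `if [ -z "$CHAIN" ] || [ "$CHAIN" -ef "$SRVCRT" ]; then`. The `[ -e "$CHAIN" ] || touch "$CHAIN"` line is redundant since the redirection creates the file anyway, and if `$SRVCRT` gets a particular mode or umask elsewhere in the script (not visible here) `$CHAIN` should be written the same way. `$CAfile` is not assigned in this hunk; presumably it is set earlier in the new-cert path. The enclosing `if [ "$COMMAND" = 'new-cert' ]` block starts and ends outside the hunk.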
@@ -62,11 +64,9 @@ usage() { --san=STRING Comma-separated list of Subject Alternative Names formatted as "type:value" --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl) (default: "digitalSignature,keyEncipherment,keyCertSign") + --output=FILE Where to store the issued (signed) X.509 certificate --chain[=FILE] Store the server certificate along with its intermediate CA in FILE; if FILE is empty or omitted, use the file specified with --output - --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration - is more than SECONDS ahead. - --output=FILE Where to store the issued (signed) X.509 certificate --notify=COMMAND Command to run upon success. (This option can be repeated.) $NAME revoke-cert {ACCOUNTKEY|SVRKEY} FILE [FILE ..] @@ -278,10 +278,9 @@ while read data; do echo -n "$data" | openssl dgst -sha256 -sign "$ACCOUNTKEY" -hex | sed 's/.*=\s*//' done >"$pipe" -if [ "$COMMAND" = 'new-cert' ]; then - # https://crt.sh/?q=mail.fripost.org&iCAID=7395 - # https://crt.sh/?spkisha1=$sha1 - +if [ "$COMMAND" != 'new-cert' ]; then + [ "$QUIET" ] || echo OK +else # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA if [ ! -s "$x509" ] || ! diff <(openssl req -in "$CSR" -pubkey -noout) \ @@ -317,7 +316,4 @@ if [ "$COMMAND" = 'new-cert' ]; then for (( i=0; i<${#NOTIFY[@]}; i++ )); do ${NOTIFY[$i]} done - -else - [ "$QUIET" ] || echo OK fi -- cgit v1.2.3
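Review bot: After the condition is inverted in the `-278,10 +278,9` hunk, the bare `else` opens the entire new-cert path — certificate verification, storing the result, the chain step and the --notify loop, as the other hunks of these two patches show — and its `fi` only appears in the `-317,7 +316,4` hunk some forty lines further down, so a reader of the `else` line cannot tell what it covers. A trailing comment would help: `else # new-cert: verify the issued certificate, store it and run the --notify hooks`. The `[ "$QUIET" ] || echo OK` line is a straight move and needs nothing. The if/else starts in this hunk but ends outside it.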