From f23e4e0d0cf48153dbc5134cf1bf1bb7189c3005 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 8 Dec 2015 19:50:09 +0100 Subject: Various fixes. --- acme-slave | 8 ++++---- letsencrypt | 14 ++++++++------ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/acme-slave b/acme-slave index ee39f8d..5ff9834 100755 --- a/acme-slave +++ b/acme-slave @@ -79,7 +79,7 @@ sub request($$;$) { # ACME client -# https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md +# https://tools.ietf.org/html/draft-ietf-acme-acme-01 sub acme($$) { my ($uri, $h) = @_; @@ -119,7 +119,7 @@ if ($COMMAND eq 'new-reg') { acme($RES{'new-reg'}, { resource => 'new-reg', - contact => [ map {"mailto:$_"} split(',', @ARGV) ], + contact => [ map {"mailto:$_"} @ARGV ], agreement => $uri, }); exit; @@ -168,7 +168,7 @@ my @domains = do { open my $fh1, '-|', @req, '-subject' or die "Can't run req(1ssl): $!"; my $subject = <$fh1>; close $fh1; - $domains{$1} = 1 if $subject =~ /\Asubject=\/CN=($RE_domain)(?:,.*)?\n\z/o; + $domains{$1} = 1 if $subject =~ /\Asubject=.*\/CN=($RE_domain)\n\z/o; open my $fh2, '-|', @req, '-text', '-reqopt', 'no_header,no_version,no_subject,no_pubkey,no_sigdump' or die "Can't run req(1ssl): $!"; @@ -224,7 +224,7 @@ foreach my $domain (@domains) { for (my $i=0;; $i++) { my $status = request('GET' => $challenge->{uri})->{status} // 'pending'; - die "Invalid challenge for $domain" if $status eq 'invalid'; + die "Error: Invalid challenge for $domain\n" if $status eq 'invalid'; last if $status eq 'valid'; die "Timeout exceeded while waiting for challenge to pass ($domain)\n" if $i >= $TIMEOUT; sleep 1; diff --git a/letsencrypt b/letsencrypt index 50406f7..5c10ea1 100755 --- a/letsencrypt +++ b/letsencrypt @@ -16,7 +16,7 @@ declare COMMAND ACCOUNTKEY declare -l GENKEY declare RUNAS QUIET= DEBUG= -declare SRVCERT= CHAIN= CSR SRVKEY +declare SRVCRT= CHAIN= CSR SRVKEY declare -l HASH= declare SUBJECT=/ declare SAN= @@ -96,7 +96,7 @@ while [ $# -gt 0 ]; do --quiet|-q) QUIET=1;; --debug) DEBUG=1;; - --output=*) SRVCERT="${1#*=}";; + --output=*) SRVCRT="${1#*=}";; --chain) CHAIN=1;; --csr=*) CSR="${1#*=}";; --key=*) SRVKEY="${1#*=}";; @@ -160,7 +160,7 @@ if [ "$COMMAND" = 'revoke-cert' ]; then exit 1 fi elif [ "$COMMAND" = 'new-cert' ]; then - if [ ! "${SRVCERT:-}" ]; then + if [ ! "${SRVCRT:-}" ]; then echo "Error: Missing --output" >&2 exit 1 fi @@ -270,10 +270,12 @@ if [ "$COMMAND" = 'new-cert' ]; then # TODO # Verify: dump and compare public keys # Valid cert, signed by the right CA - - # Copy "$x509" to "$SRVCERT", possibly chained # https://crt.sh/?q=cse-fresti.cse.chalmers.se&iCAID=7395 - cp "$x509" "$SRVCERT" + + # if it doesn't exist, create the file with mode 0644 minus the process's umask(2) + [ -e "$SRVCRT" ] || touch "$SRVCRT" + cat "$x509" >"$SRVCRT" + [ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT" for (( i=0; i<${#NOTIFY[@]}; i++ )); do ${NOTIFY[$i]} -- cgit v1.2.3