blob: a6cd3360a581039baf5314217bc76dfc02d00f38 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
# Certificate verification
DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends ssl-cert
# add staging root certificates to the trust store to emulate the production environment
for ca in /usr/share/lacme/letsencrypt-stg-root-*.pem; do
ln -sT "$ca" "/usr/local/share/ca-certificates/$(basename -s.pem "$ca").crt"
done
update-ca-certificates
# test (modified) trust store
openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem
openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem
mv /usr/share/lacme/ca-certificates.crt /usr/share/lacme/ca-certificates.crt.back
! lacme newOrder 2>"$STDERR" || fail
grepstderr -Fq "Could not open file or uri for loading trusted certificates from /usr/share/lacme/ca-certificates.crt:"
grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
# verification error for unrelated CA bundle
cat /etc/ssl/certs/ssl-cert-snakeoil.pem >/usr/share/lacme/ca-certificates.crt
! lacme newOrder 2>"$STDERR" || fail
grepstderr -Fxq "error 20 at 1 depth lookup: unable to get local issuer certificate"
grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
# use saved bundle as custom CAfile
sed -ri 's|^#?CAfile\s*=.*|CAfile = /usr/share/lacme/ca-certificates.crt.back|' /etc/lacme/lacme-certs.conf
lacme newOrder 2>"$STDERR" || fail
test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
# vim: set filetype=sh :
|