summaryrefslogtreecommitdiffstats
path: root/dehydrated/share/hooks/deploy_cert.extra
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2023-03-07 13:21:03 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2023-06-17 13:05:24 +0000
commitf617f5562acc1a5b7abb0c222a0b0552fc1f6d34 (patch)
treee2d1101bdc8c88cbfee05b9c6aba407035822ffd /dehydrated/share/hooks/deploy_cert.extra
parentAdding freeradius to dehydrated service-reload hook. (diff)
downloadservice-tools-f617f5562acc1a5b7abb0c222a0b0552fc1f6d34.tar.xz
service-tools-f617f5562acc1a5b7abb0c222a0b0552fc1f6d34.zip
Adding preferred chain compatibility in deploy_cert.extra dehydrated hook.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to '')
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra46
1 files changed, 39 insertions, 7 deletions
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
index 56ca2f4..fd93fad 100755
--- a/dehydrated/share/hooks/deploy_cert.extra
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -25,15 +25,47 @@ echo -n " + Creating extra certificate files..."
DIRECTORY="$(dirname "${CERTFILE}")"
-# root and intermediate CA
-TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
-grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ]
+then
+ # - chain.pem: R3 | ISRG Root X1
+ # - fullchain.pem: Certificate | R3 | ISRG Root X1
+ CHAIN="long"
+else
+ # - chain.pem: R3
+ # - fullchain.pem: Certificate | R3
+ CHAIN="short"
+fi
-mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+case "${CHAIN}" in
+ long)
+ # split chain.pem
+ TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+ grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
-mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ # intermediate (R3)
+ mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ ;;
+
+ short)
+ # intermediate (R3)
+ cp "${DIRECTORY}/chain-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"
+
+ if [ -n "${ISSUER_URI}" ]
+ then
+ wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ fi
+ ;;
+esac
# extra certificate permutations:
# * privkey_fullchain.pem: postfix