diff options
author | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2023-03-07 13:21:03 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2023-06-17 13:05:24 +0000 |
commit | f617f5562acc1a5b7abb0c222a0b0552fc1f6d34 (patch) | |
tree | e2d1101bdc8c88cbfee05b9c6aba407035822ffd /dehydrated | |
parent | Adding freeradius to dehydrated service-reload hook. (diff) | |
download | service-tools-f617f5562acc1a5b7abb0c222a0b0552fc1f6d34.tar.xz service-tools-f617f5562acc1a5b7abb0c222a0b0552fc1f6d34.zip |
Adding preferred chain compatibility in deploy_cert.extra dehydrated hook.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to '')
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 46 |
1 files changed, 39 insertions, 7 deletions
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index 56ca2f4..fd93fad 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -25,15 +25,47 @@ echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -# root and intermediate CA -TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" -grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # - chain.pem: R3 | ISRG Root X1 + # - fullchain.pem: Certificate | R3 | ISRG Root X1 + CHAIN="long" +else + # - chain.pem: R3 + # - fullchain.pem: Certificate | R3 + CHAIN="short" +fi -mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' -mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + cp "${DIRECTORY}/chain-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac # extra certificate permutations: # * privkey_fullchain.pem: postfix |