diff options
Diffstat (limited to 'dehydrated/share/hooks/deploy_cert.extra')
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 65 |
1 files changed, 58 insertions, 7 deletions
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index ec61676..5cf7b72 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -21,17 +21,68 @@ set -e -echo " + Creating extra certificate files..." +echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -for EXTRA in fullchain-privkey privkey-fullchain +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # long chain: + # * chain.pem: (R3 | ISRG Root X1) + # * fullchain.pem: (Certificate | R3 | ISRG Root X1) + CHAIN="long" +else + # short chain: + # * chain.pem: (R3) + # * fullchain.pem (Certificate | R3) + CHAIN="short" +fi + +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' + + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac + +# extra certificate permutations: +# * privkey_fullchain.pem: postfix +# * root_intermediate_cert.pem: redis + +for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + + for FILE in $(echo ${EXTRA} | sed -e 's|_| |g') + do + cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + done - cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" - ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem" + ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem" done echo " done." |