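#!/bin/sh

# Open Infrastructure: service-tools
# Copyright (C) 2014-2024 Daniel Baumann
#
# SPDX-License-Identifier: GPL-3.0+
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

# Purpose: after a certificate has been (re)issued, derive the extra
# certificate files that local services expect next to it:
#   intermediate.pem, root.pem and the concatenations
#   fullchain_privkey.pem, privkey_fullchain.pem, root_intermediate_cert.pem
#
# Required environment (set by the caller):
#   CERTFILE       - path to the issued certificate; its directory receives
#                    every file written here
#   FULLCHAINFILE  - certificate followed by its chain
#   CHAINFILE      - chain only
#   TIMESTAMP      - suffix of the per-issuance files (<name>-${TIMESTAMP}.pem)
#
# Every output is written as <name>-${TIMESTAMP}.pem, with a <name>.pem
# symlink pointing at it.

set -e

# Refuse to run with an incomplete environment: an empty FULLCHAINFILE would
# make the grep below read stdin, and an empty CERTFILE would write into ".".
: "${CERTFILE:?CERTFILE is not set}"
: "${FULLCHAINFILE:?FULLCHAINFILE is not set}"
: "${CHAINFILE:?CHAINFILE is not set}"
: "${TIMESTAMP:?TIMESTAMP is not set}"

# printf instead of 'echo -n': no trailing newline, portable under /bin/sh
printf '%s' " + Creating extra certificate files..."

DIRECTORY="$(dirname "${CERTFILE}")"

# Count the certificates in the full chain to tell the two layouts apart:
#   long chain:  chain.pem = (R3 | ISRG Root X1)
#                fullchain.pem = (Certificate | R3 | ISRG Root X1)
#   short chain: chain.pem = (R3)
#                fullchain.pem = (Certificate | R3)
if [ "$(grep -c 'BEGIN CERTIFICATE' "${FULLCHAINFILE}")" -ge 3 ]
then
  CHAIN="long"
else
  CHAIN="short"
fi

case "${CHAIN}" in
  long)
    # Split chain.pem into one file per certificate. csplit wants a prefix,
    # not an existing file, hence 'mktemp -u'; the pieces are numbered
    # ${TMPFILE}00, ${TMPFILE}01, ... in order of appearance.
    TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
    grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'

    # intermediate (R3): first certificate of the chain
    mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
    ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"

    # root (ISRG Root X1): second certificate of the chain
    mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
    ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"

    # a chain with more than two certificates would leave further pieces
    # behind in the certificate directory; drop them
    rm -f "${TMPFILE}"[0-9]*
    ;;

  short)
    # NOTE(review): this branch reads chain-${TIMESTAMP}.pem from DIRECTORY
    # while the long branch reads ${CHAINFILE}; presumably the same file,
    # confirm against the caller.

    # intermediate (R3): chain.pem holds only the intermediate
    grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
    ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"

    # root (ISRG Root X1): not shipped in the chain, so fetch it from the
    # CA Issuers URI advertised in the intermediate's AIA extension
    ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"

    if [ -n "${ISSUER_URI}" ]
    then
      ROOT_TMP="$(mktemp -p "${DIRECTORY}" root.XXXXXXXXXX)"

      # The AIA fetch is plain http and unauthenticated, and root.pem ends up
      # as a trust anchor for local services. Install the download only once
      # the intermediate verifies against it (-partial_chain also accepts a
      # cross-signed, non-self-signed issuer), and never leave a partial
      # root-${TIMESTAMP}.pem behind on failure.
      # NOTE(review): with OpenSSL 3 the default CA store is still consulted
      # unless -no-CAstore is added; add it once the minimum OpenSSL version
      # allows it.
      if wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${ROOT_TMP}" &&
         openssl verify -no-CApath -partial_chain -CAfile "${ROOT_TMP}" \
           "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" > /dev/null 2>&1
      then
        mv "${ROOT_TMP}" "${DIRECTORY}/root-${TIMESTAMP}.pem"
        ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
      else
        rm -f "${ROOT_TMP}"
        printf '%s\n' "E: could not fetch or verify the root certificate from ${ISSUER_URI}" >&2
        exit 1
      fi
    fi
    ;;
esac

# extra certificate permutations:
# * fullchain_privkey.pem
# * privkey_fullchain.pem: postfix
# * root_intermediate_cert.pem: redis
for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert
do
  OUTPUT="${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
  rm -f "${OUTPUT}"

  # A concatenation that embeds the private key must not be laxer than the
  # key itself: create it under a restrictive umask so it is never readable
  # by other users, whatever umask the caller runs with. The certificate-only
  # permutation keeps the caller's default.
  case "${EXTRA}" in
    *privkey*)
      (umask 077 && : > "${OUTPUT}")
      ;;
    *)
      : > "${OUTPUT}"
      ;;
  esac

  # the name lists its components, '_'-separated, in concatenation order
  for FILE in $(printf '%s\n' "${EXTRA}" | tr '_' ' ')
  do
    cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${OUTPUT}"
  done

  ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem"
done

printf '%s\n' " done."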