From 697d443d67f0d444a9f3317681003ca81506937ff0a5cb5560bd4febfa6e3ece Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Thu, 15 Mar 2018 11:01:55 +0000
Subject: [PATCH] Accepting request 587474 from home:dmolkentin:branches:security:dehydrated
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305)
 * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
OBS-URL: https://build.opensuse.org/request/show/587474
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=31
---
 ...ficate-chain-for-ACMEv2-certificate-.patch | 56 +++++++++++++++++++
 dehydrated.changes | 6 ++
 dehydrated.spec | 2 +
 3 files changed, 64 insertions(+)
 create mode 100644 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
diff --git a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
new file mode 100644
index 0000000..f994852
--- /dev/null
+++ b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
@@ -0,0 +1,56 @@
+From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
+From: Lukas Schauer
+Date: Wed, 14 Mar 2018 18:50:28 +0100
+Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
+ chain by default)
+
+---
+diff --git a/dehydrated b/dehydrated
+index 4103649..0751a0b 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -990,20 +990,29 @@ sign_domain() {
+ 
+ # Create fullchain.pem
+ echo " + Creating fullchain.pem..."
+- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+- local issuer_hash
+- issuer_hash="$(get_issuer_hash "${crt_path}")"
+- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+- echo " + Using cached chain!"
+- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
++ if [[ ${API} -eq 1 ]]; then
++ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
++ local issuer_hash
++ issuer_hash="$(get_issuer_hash "${crt_path}")"
++ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
++ echo " + Using cached chain!"
++ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
++ else
++ echo " + Walking chain..."
++ local issuer_cert_uri
++ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
++ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
++ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
++ fi
++ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+ else
+- echo " + Walking chain..."
+- local issuer_cert_uri
+- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
++ tmpcert="$(_mktemp)"
++ tmpchain="$(_mktemp)"
++ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
++ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
++ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
++ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
+ fi
+- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+ 
+ # Update symlinks
+ [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
+-- 
+2.13.6
+
diff --git a/dehydrated.changes b/dehydrated.changes
index a54219f..a95aded 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
+
+- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305)
+ * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+
 -------------------------------------------------------------------
 Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com
 
diff --git a/dehydrated.spec b/dehydrated.spec
index 05a4a96..eab57b3 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
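Review bot: In the new ACMEv2 branch of the embedded dehydrated patch, `tmpcert` and `tmpchain` are assigned without `local`, unlike `issuer_hash` and `issuer_cert_uri` in the ACMEv1 branch, so both temp paths leak into the caller's scope after `sign_domain` returns; `local tmpcert tmpchain` before the two `_mktemp` calls keeps the branches consistent. The awk split is also never checked: if the certificate the CA returned carries no intermediate after the first `END CERTIFICATE` marker, `chain-${timestamp}.pem` becomes the empty file `_mktemp` created and `fullchain-${timestamp}.pem` is silently just the leaf, so a guard such as `[[ -s "${tmpchain}" ]] || _exiterr "No chain found in ${certdir}/cert-${timestamp}.pem"` would surface that early. If `_mktemp` wraps mktemp(1), the `mv` calls additionally carry mktemp's restrictive temp-file mode onto cert-${timestamp}.pem and chain-${timestamp}.pem, whereas the `cat >` redirections in the v1 branch gave those files the umask-derived mode; worth confirming against deployments where another user reads the certificate. `sign_domain` starts and ends outside the hunk.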
@@ -66,6 +66,7 @@ Source11: README.hooks
 Source12: %{name}-%{version}.tar.gz.asc
 Source13: %{name}.keyring
 Patch1: 0001-fixed-CA-url-in-example-config.patch
+Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 BuildRequires: %{_apache}
 Requires: coreutils
 Requires: curl
@@ -184,6 +185,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .