Accepting request 587474 from home:dmolkentin:branches:security:dehydrated
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch OBS-URL: https://build.opensuse.org/request/show/587474 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=31
This commit is contained in:
parent
03c58b8a3c
commit
697d443d67
@ -0,0 +1,56 @@
|
||||
From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Schauer <lukas@schauer.so>
|
||||
Date: Wed, 14 Mar 2018 18:50:28 +0100
|
||||
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
|
||||
chain by default)
|
||||
|
||||
---
|
||||
diff --git a/dehydrated b/dehydrated
|
||||
index 4103649..0751a0b 100755
|
||||
--- a/dehydrated
|
||||
+++ b/dehydrated
|
||||
@@ -990,20 +990,29 @@ sign_domain() {
|
||||
|
||||
# Create fullchain.pem
|
||||
echo " + Creating fullchain.pem..."
|
||||
- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
|
||||
- local issuer_hash
|
||||
- issuer_hash="$(get_issuer_hash "${crt_path}")"
|
||||
- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
||||
- echo " + Using cached chain!"
|
||||
- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
|
||||
+ if [[ ${API} -eq 1 ]]; then
|
||||
+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
|
||||
+ local issuer_hash
|
||||
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
|
||||
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
||||
+ echo " + Using cached chain!"
|
||||
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
|
||||
+ else
|
||||
+ echo " + Walking chain..."
|
||||
+ local issuer_cert_uri
|
||||
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
||||
+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
||||
+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
||||
+ fi
|
||||
+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
|
||||
else
|
||||
- echo " + Walking chain..."
|
||||
- local issuer_cert_uri
|
||||
- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
||||
- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
||||
- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
||||
+ tmpcert="$(_mktemp)"
|
||||
+ tmpchain="$(_mktemp)"
|
||||
+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
|
||||
+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
|
||||
+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
|
||||
+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
|
||||
fi
|
||||
- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
|
||||
|
||||
# Update symlinks
|
||||
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
|
||||
--
|
||||
2.13.6
|
||||
|
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
|
||||
|
||||
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305)
|
||||
* Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com
|
||||
|
||||
|
@ -66,6 +66,7 @@ Source11: README.hooks
|
||||
Source12: %{name}-%{version}.tar.gz.asc
|
||||
Source13: %{name}.keyring
|
||||
Patch1: 0001-fixed-CA-url-in-example-config.patch
|
||||
Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
|
||||
BuildRequires: %{_apache}
|
||||
Requires: coreutils
|
||||
Requires: curl
|
||||
@ -184,6 +185,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
cp %{SOURCE9} .
|
||||
cp %{SOURCE10} .
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user