Accepting request 587475 from security:dehydrated

- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) 
  * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch (forwarded request 587474 from dmolkentin)

OBS-URL: https://build.opensuse.org/request/show/587475
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=8
This commit is contained in:
Dominique Leuenberger 2018-03-16 09:43:57 +00:00 committed by Git OBS Bridge
commit 77892e717b
8 changed files with 136 additions and 17 deletions


@ -0,0 +1,36 @@
From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
From: Lukas Schauer <lukas@schauer.so>
Date: Tue, 13 Mar 2018 21:08:20 +0100
Subject: [PATCH] fixed CA url in example config
---
docs/examples/config | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/examples/config b/docs/examples/config
index 1aa7d63..665704d 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -21,15 +21,15 @@
# default: <unset>
#IP_VERSION=
-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
-#CA="https://acme-v01.api.letsencrypt.org/directory"
+# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
+#CA="https://acme-v02.api.letsencrypt.org/directory"
# Path to old certificate authority
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
-# default: <unset>
-#OLDCA=
+# default: https://acme-v01.api.letsencrypt.org/directory
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
# Which challenge should be used? Currently http-01 and dns-01 are supported
#CHALLENGETYPE="http-01"
--
2.13.6


@ -0,0 +1,56 @@
From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
From: Lukas Schauer <lukas@schauer.so>
Date: Wed, 14 Mar 2018 18:50:28 +0100
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
chain by default)
---
diff --git a/dehydrated b/dehydrated
index 4103649..0751a0b 100755
--- a/dehydrated
+++ b/dehydrated
@@ -990,20 +990,29 @@ sign_domain() {
# Create fullchain.pem
echo " + Creating fullchain.pem..."
- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
- local issuer_hash
- issuer_hash="$(get_issuer_hash "${crt_path}")"
- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
- echo " + Using cached chain!"
- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+ if [[ ${API} -eq 1 ]]; then
+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+ local issuer_hash
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+ echo " + Using cached chain!"
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+ else
+ echo " + Walking chain..."
+ local issuer_cert_uri
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ fi
+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
else
- echo " + Walking chain..."
- local issuer_cert_uri
- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ tmpcert="$(_mktemp)"
+ tmpchain="$(_mktemp)"
+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
fi
- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
# Update symlinks
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
--
2.13.6
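Review bot: The ACMEv2 branch never checks that the split at `awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}'` actually produced a chain — if the server answers with the leaf alone, `tmpchain` is never written, an empty `chain-${timestamp}.pem` is installed and `fullchain` silently equals `cert`, whereas the ACMEv1 path fails loudly through `_exiterr` when chain walking fails; I would add `[[ -s "${tmpchain}" ]] || echo " ! Warning: ACMEv2 response contained no intermediate certificates, chain-${timestamp}.pem will be empty"` before the three `mv` calls (or `_exiterr` if an empty chain should be treated as fatal). Separately, `mv` preserves the temp file's mode, so if `_mktemp` (defined outside this hunk) wraps mktemp(1) the new `cert-*.pem` and `chain-*.pem` land as 0600 instead of the umask-derived mode the old `cat >` redirections gave, which can lock out a service that reads the public certificate as an unprivileged user — please confirm and either `chmod` after the move or copy the contents with `cat` as before. Also `tmpcert` and `tmpchain` are left as globals while the v1 branch declares `local issuer_hash`; `local tmpcert tmpchain` keeps them scoped to the function. `sign_domain` itself starts before and ends after this hunk.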


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2285a0691c13ec39b513ed5a2d49c4771d0bc0580a70ea585f06a35526123dbb
size 76650


@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqlgokACgkQnE2+bPQ4
8zOlqAf+KaeYvJyjb1/7WqeSkIijHlqpewGp8ad92id74fydyLQsfg3irJorzJkY
LV2PPbArN+iz6us8r7pmeoW4UUDUJSKRlKcRi+3Cg3zBJ8uOS7hIcRK7c2utTKgq
9uwE15fWO3gZ5IuGfcbUaIokxLecuY4/QqgP+ZMBFXKonVatQXlFOCALC02rpnsF
RyeMfWVYzvBkWX8Smh6CO6N7iRAZeHV+hzgLjqQDqTqlFaUUh7uud+XxoUo4ja0V
IvIdDVeS7zt+O0/tG9iHbWnVjAuyKCp67Da+FU0FJFqXberS/53A4EVl36o9G2iv
+Cs/y538rlSNlC1eakv0BiJ+6oqmPQ==
=QKkR
-----END PGP SIGNATURE-----

dehydrated-0.6.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
size 76693


@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
PyGB4G1924U1cLuAt2XJdB82y0LNIw==
=JzFS
-----END PGP SIGNATURE-----


@ -1,7 +1,30 @@
-------------------------------------------------------------------
Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305)
* Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
-------------------------------------------------------------------
Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com
- Fix issues introduced by 0.6.1 (bsc#1085305)
* bring back man page
* reflect new endpoint in (commented out) config file section
(adds 0001-fixed-CA-url-in-example-config.patch, backported
from upstream's master branch)
-------------------------------------------------------------------
Tue Mar 13 20:21:49 UTC 2018 - daniel.molkentin@suse.com
- Updated dehydrated to 0.6.1 (bsc#1084854)
* Use new ACME v2 endpoint by default
-------------------------------------------------------------------
Mon Mar 12 08:16:13 UTC 2018 - daniel.molkentin@suse.com
- Updated dehydrated to 0.6.0 (osc#1084854)
- Updated dehydrated to 0.6.0 (bsc#1084854)


@ -46,7 +46,7 @@
%endif
Name: dehydrated
Version: 0.6.0
Version: 0.6.1
Release: 0
Summary: A client for signing certificates with an ACME server
License: MIT
@ -65,6 +65,8 @@ Source10: README.Fedora
Source11: README.hooks
Source12: %{name}-%{version}.tar.gz.asc
Source13: %{name}.keyring
Patch1: 0001-fixed-CA-url-in-example-config.patch
Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
BuildRequires: %{_apache}
Requires: coreutils
Requires: curl
@ -182,6 +184,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%prep
%setup -q
%patch1 -p1
%patch2 -p1
cp %{SOURCE9} .
cp %{SOURCE10} .
@ -195,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_home}/config.d
mkdir -p %{buildroot}%{_postrunhooks}
cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
cat docs/man/dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
# Silence E: env-script-interpreter
find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;