697d443d67
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch OBS-URL: https://build.opensuse.org/request/show/587474 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=31
57 lines
3.2 KiB
Diff
57 lines
3.2 KiB
Diff
From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
|
|
From: Lukas Schauer <lukas@schauer.so>
|
|
Date: Wed, 14 Mar 2018 18:50:28 +0100
|
|
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
|
|
chain by default)
|
|
|
|
---
|
|
diff --git a/dehydrated b/dehydrated
|
|
index 4103649..0751a0b 100755
|
|
--- a/dehydrated
|
|
+++ b/dehydrated
|
|
@@ -990,20 +990,29 @@ sign_domain() {
|
|
|
|
# Create fullchain.pem
|
|
echo " + Creating fullchain.pem..."
|
|
- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
|
|
- local issuer_hash
|
|
- issuer_hash="$(get_issuer_hash "${crt_path}")"
|
|
- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
|
- echo " + Using cached chain!"
|
|
- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
|
|
+ if [[ ${API} -eq 1 ]]; then
|
|
+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
|
|
+ local issuer_hash
|
|
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
|
|
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
|
+ echo " + Using cached chain!"
|
|
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
|
|
+ else
|
|
+ echo " + Walking chain..."
|
|
+ local issuer_cert_uri
|
|
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
|
+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
|
+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
|
+ fi
|
|
+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
|
|
else
|
|
- echo " + Walking chain..."
|
|
- local issuer_cert_uri
|
|
- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
|
- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
|
- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
|
+ tmpcert="$(_mktemp)"
|
|
+ tmpchain="$(_mktemp)"
|
|
+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
|
|
+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
|
|
+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
|
|
+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
|
|
fi
|
|
- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
|
|
|
|
# Update symlinks
|
|
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
|
|
--
|
|
2.13.6
|
|
|