Accepting request 587474 from home:dmolkentin:branches:security:dehydrated

- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch OBS-URL: https://build.opensuse.org/request/show/587474 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=31
2018-03-15 11:01:55 +00:00 · 2018-03-15 11:01:55 +00:00 · 697d443d67
commit 697d443d67
parent 03c58b8a3c
3 changed files with 64 additions and 0 deletions
--- a/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+++ b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
@ -0,0 +1,56 @@
+From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.so>
+Date: Wed, 14 Mar 2018 18:50:28 +0100
+Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
+ chain by default)
+
+---
+diff --git a/dehydrated b/dehydrated
+index 4103649..0751a0b 100755
+--- a/dehydrated
+++ b/dehydrated
+@@ -990,20 +990,29 @@ sign_domain() {
+ 
+   # Create fullchain.pem
+   echo " + Creating fullchain.pem..."
+-  cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+-  local issuer_hash
+-  issuer_hash="$(get_issuer_hash "${crt_path}")"
+-  if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+-    echo " + Using cached chain!"
+-    cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+  if [[ ${API} -eq 1 ]]; then
+    cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+    local issuer_hash
+    issuer_hash="$(get_issuer_hash "${crt_path}")"
+    if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+      echo " + Using cached chain!"
+      cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+    else
+      echo " + Walking chain..."
+      local issuer_cert_uri
+      issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+      (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+      cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+    fi
+    cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+   else
+-    echo " + Walking chain..."
+-    local issuer_cert_uri
+-    issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+-    (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+-    cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+    tmpcert="$(_mktemp)"
+    tmpchain="$(_mktemp)"
+    awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
+    mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
+    mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
+    mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
+   fi
+-  cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+ 
+   # Update symlinks
+   [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
+-- 
+2.13.6
+
--- a/dehydrated.changes
+++ b/dehydrated.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
+
+- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) 
+  * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
+
 -------------------------------------------------------------------
 Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com

--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -66,6 +66,7 @@ Source11:       README.hooks
 Source12:       %{name}-%{version}.tar.gz.asc
 Source13:       %{name}.keyring
 Patch1:         0001-fixed-CA-url-in-example-config.patch
+Patch2:         0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
 BuildRequires:  %{_apache}
 Requires:       coreutils
 Requires:       curl
@ -184,6 +185,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .