rpm/dehydrated
SHA256
1
0
Fork 0
forked from pool/dehydrated
Code Pull Requests Activity

Accepting request 587474 from home:dmolkentin:branches:security:dehydrated

Browse Source 
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) 
  * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch

OBS-URL: https://build.opensuse.org/request/show/587474
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=31
This commit is contained in:
Daniel Molkentin 2018-03-15 11:01:55 +00:00 committed by Git OBS Bridge
parent 03c58b8a3c
commit 697d443d67
3 changed files with 64 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch Normal file
View File

@ -0,0 +1,56 @@
From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
From: Lukas Schauer <lukas@schauer.so>
Date: Wed, 14 Mar 2018 18:50:28 +0100
Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
chain by default)
---
diff --git a/dehydrated b/dehydrated
index 4103649..0751a0b 100755
--- a/dehydrated
+++ b/dehydrated
@@ -990,20 +990,29 @@ sign_domain() {
# Create fullchain.pem
echo " + Creating fullchain.pem..."
- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
- local issuer_hash
- issuer_hash="$(get_issuer_hash "${crt_path}")"
- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
- echo " + Using cached chain!"
- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+ if [[ ${API} -eq 1 ]]; then
+ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+ local issuer_hash
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+ echo " + Using cached chain!"
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
+ else
+ echo " + Walking chain..."
+ local issuer_cert_uri
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ fi
+ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
else
- echo " + Walking chain..."
- local issuer_cert_uri
- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ tmpcert="$(_mktemp)"
+ tmpchain="$(_mktemp)"
+ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
+ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
+ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
+ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
fi
- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
# Update symlinks
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
--
2.13.6

6
dehydrated.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305)
* Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com

2
dehydrated.spec
View File

@ -66,6 +66,7 @@ Source11: README.hooks
Source12: %{name}-%{version}.tar.gz.asc Source12: %{name}-%{version}.tar.gz.asc
Source13: %{name}.keyring Source13: %{name}.keyring
Patch1: 0001-fixed-CA-url-in-example-config.patch Patch1: 0001-fixed-CA-url-in-example-config.patch
Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
BuildRequires: %{_apache} BuildRequires: %{_apache}
Requires: coreutils Requires: coreutils
Requires: curl Requires: curl
@ -184,6 +185,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%prep %prep
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
%patch2 -p1
cp %{SOURCE9} . cp %{SOURCE9} .
cp %{SOURCE10} . cp %{SOURCE10} .