Accepting request 587475 from security:dehydrated
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305) * Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch (forwarded request 587474 from dmolkentin) OBS-URL: https://build.opensuse.org/request/show/587475 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=8
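--- /dev/null
+++ b/0001-fixed-CA-url-in-example-config.patch
@@ -0,0 +1,36 @@
+From b93eac389395c8228be48999bf51c9f45e775a88 Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.so>
+Date: Tue, 13 Mar 2018 21:08:20 +0100
+Subject: [PATCH] fixed CA url in example config
+
+---
+docs/examples/config | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/examples/config b/docs/examples/config
+index 1aa7d63..665704d 100644
+--- a/docs/examples/config
++++ b/docs/examples/config
+@@ -21,15 +21,15 @@
+# default: <unset>
+#IP_VERSION=
+
+-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+-#CA="https://acme-v01.api.letsencrypt.org/directory"
++# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
++#CA="https://acme-v02.api.letsencrypt.org/directory"
+
+# Path to old certificate authority
+# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+# If dehydrated detects an account-key for the old CA it will automatically reuse that key
+# instead of registering a new one.
+-# default: <unset>
+-#OLDCA=
++# default: https://acme-v01.api.letsencrypt.org/directory
++#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+
+# Which challenge should be used? Currently http-01 and dns-01 are supported
+#CHALLENGETYPE="http-01"
+--
+2.13.6
+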
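--- /dev/null
+++ b/0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
@@ -0,0 +1,56 @@
+From 2533931cf1311e33252bc2492975afae71bd447f Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.so>
+Date: Wed, 14 Mar 2018 18:50:28 +0100
+Subject: [PATCH] don't walk certificate chain for ACMEv2 (certificate contains
+chain by default)
+
+---
+diff --git a/dehydrated b/dehydrated
+index 4103649..0751a0b 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -990,20 +990,29 @@ sign_domain() {
+
+# Create fullchain.pem
+echo " + Creating fullchain.pem..."
+- cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
+- local issuer_hash
+- issuer_hash="$(get_issuer_hash "${crt_path}")"
+- if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+- echo " + Using cached chain!"
+- cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
++ if [[ ${API} -eq 1 ]]; then
++ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem"
++ local issuer_hash
++ issuer_hash="$(get_issuer_hash "${crt_path}")"
++ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
++ echo " + Using cached chain!"
++ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${certdir}/chain-${timestamp}.pem"
++ else
++ echo " + Walking chain..."
++ local issuer_cert_uri
++ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
++ (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
++ cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
++ fi
++ cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+else
+- echo " + Walking chain..."
+- local issuer_cert_uri
+- issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+- (walk_chain "${crt_path}" > "${certdir}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+- cat "${certdir}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
++ tmpcert="$(_mktemp)"
++ tmpchain="$(_mktemp)"
++ awk '{print >out}; /----END CERTIFICATE-----/{out=tmpchain}' out="${tmpcert}" tmpchain="${tmpchain}" "${certdir}/cert-${timestamp}.pem"
++ mv "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem"
++ mv "${tmpcert}" "${certdir}/cert-${timestamp}.pem"
++ mv "${tmpchain}" "${certdir}/chain-${timestamp}.pem"
+fi
+- cat "${certdir}/chain-${timestamp}.pem" >> "${certdir}/fullchain-${timestamp}.pem"
+
+# Update symlinks
+[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
+--
+2.13.6
+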
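Review bot: In the ACMEv2 arm added after `else` (from the `tmpcert="$(_mktemp)"` line on), `cert-${timestamp}.pem` and `chain-${timestamp}.pem` are now produced by `mv` of `_mktemp` files instead of the `cat >` redirections the ACMEv1 arm still uses, so they keep the temp file's mode rather than the umask-derived mode of the old code; if `_mktemp` wraps mktemp(1) that mode is 0600, and a service that reads the public certificate or chain as an unprivileged user loses access, so the mode should be set explicitly after the three `mv` lines (`_mktemp` itself is not on the page, confirm there). `tmpcert` and `tmpchain` also lack the `local` the surrounding code uses for `issuer_hash`, e.g. `local tmpcert tmpchain` before the `_mktemp` calls. When the CA returns a single certificate the awk never opens `tmpchain`, so an empty chain pem is installed without a message; `[[ -s "${tmpchain}" ]] || echo " + Warning: CA response contains no chain certificates"` after the awk line would surface that. The enclosing `sign_domain` starts before and ends after the quoted hunk.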
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:2285a0691c13ec39b513ed5a2d49c4771d0bc0580a70ea585f06a35526123dbb
|
|
||||||
size 76650
|
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqlgokACgkQnE2+bPQ4
|
|
||||||
8zOlqAf+KaeYvJyjb1/7WqeSkIijHlqpewGp8ad92id74fydyLQsfg3irJorzJkY
|
|
||||||
LV2PPbArN+iz6us8r7pmeoW4UUDUJSKRlKcRi+3Cg3zBJ8uOS7hIcRK7c2utTKgq
|
|
||||||
9uwE15fWO3gZ5IuGfcbUaIokxLecuY4/QqgP+ZMBFXKonVatQXlFOCALC02rpnsF
|
|
||||||
RyeMfWVYzvBkWX8Smh6CO6N7iRAZeHV+hzgLjqQDqTqlFaUUh7uud+XxoUo4ja0V
|
|
||||||
IvIdDVeS7zt+O0/tG9iHbWnVjAuyKCp67Da+FU0FJFqXberS/53A4EVl36o9G2iv
|
|
||||||
+Cs/y538rlSNlC1eakv0BiJ+6oqmPQ==
|
|
||||||
=QKkR
|
|
||||||
-----END PGP SIGNATURE-----
|
|
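--- /dev/null
+++ b/dehydrated-0.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:441d89af4592e3eb5744eb177124b4d16ca78b416f634371e839db384012844a
+size 76693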
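--- /dev/null
+++ b/dehydrated-0.6.1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlqoLhwACgkQnE2+bPQ4
+8zON9Af8DubdQQGP0SJLiVA3+MpRJytaPluvmGQtrhlugIFSpeSiRDJEJ4PHJ3z1
+SjI69/1sCUsdzifAZOejmrPfd9vLGLLCVdMqkaUzG6YTQCIdIXxB6kEKhnU3Grad
+cbZaMtWOKu87WGwlTDorQ3N6I+DUeAVL2csf8Chzep3qY6KfO8zryBG05PmJwKgM
+hRss5OohW20tR5pvz4ybkBdd2KUvcQSedCf6g2UN+95+Io3TF/9ph1Ht7n8HWyxv
+VMQ2g4N/Jc6BQ++cepfSCI/4vXdrFnp7HSmWlD73LhiQ0VRinqHcf0TVy6FhXBXL
+PyGB4G1924U1cLuAt2XJdB82y0LNIw==
+=JzFS
+-----END PGP SIGNATURE-----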
@ -1,7 +1,30 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 15 10:52:56 UTC 2018 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Don't add intermediate certificates twice when using ACMEv2 (bsc#1085305)
|
||||||
|
* Adds 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 14 16:51:29 UTC 2018 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Fix issues introduced by 0.6.1 (bsc#1085305)
|
||||||
|
|
||||||
|
* bring back man page
|
||||||
|
* reflect new endpoint in (commented out) config file section
|
||||||
|
(adds 0001-fixed-CA-url-in-example-config.patch, backported
|
||||||
|
from upstream's master branch)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Mar 13 20:21:49 UTC 2018 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Updated dehydrated to 0.6.1 (bsc#1084854)
|
||||||
|
|
||||||
|
* Use new ACME v2 endpoint by default
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Mar 12 08:16:13 UTC 2018 - daniel.molkentin@suse.com
|
Mon Mar 12 08:16:13 UTC 2018 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
- Updated dehydrated to 0.6.0 (osc#1084854)
|
- Updated dehydrated to 0.6.0 (bsc#1084854)
|
||||||
|
|
||||||
Changed
|
Changed
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: dehydrated
|
Name: dehydrated
|
||||||
Version: 0.6.0
|
Version: 0.6.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A client for signing certificates with an ACME server
|
Summary: A client for signing certificates with an ACME server
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -65,6 +65,8 @@ Source10: README.Fedora
|
|||||||
Source11: README.hooks
|
Source11: README.hooks
|
||||||
Source12: %{name}-%{version}.tar.gz.asc
|
Source12: %{name}-%{version}.tar.gz.asc
|
||||||
Source13: %{name}.keyring
|
Source13: %{name}.keyring
|
||||||
|
Patch1: 0001-fixed-CA-url-in-example-config.patch
|
||||||
|
Patch2: 0002-don-t-walk-certificate-chain-for-ACMEv2-certificate-.patch
|
||||||
BuildRequires: %{_apache}
|
BuildRequires: %{_apache}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
Requires: curl
|
Requires: curl
|
||||||
@ -182,6 +184,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
cp %{SOURCE9} .
|
cp %{SOURCE9} .
|
||||||
cp %{SOURCE10} .
|
cp %{SOURCE10} .
|
||||||
|
|
||||||
@ -195,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1
|
|||||||
mkdir -p %{buildroot}%{_home}/config.d
|
mkdir -p %{buildroot}%{_home}/config.d
|
||||||
mkdir -p %{buildroot}%{_postrunhooks}
|
mkdir -p %{buildroot}%{_postrunhooks}
|
||||||
|
|
||||||
cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
cat docs/man/dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
||||||
|
|
||||||
# Silence E: env-script-interpreter
|
# Silence E: env-script-interpreter
|
||||||
find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;
|
find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;
|
||||||
|
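Review bot: The man-page line in the last hunk, `cat docs/man/dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz`, feeds gzip from stdin, so gzip stores the build time in the gzip header and the packaged file differs on every rebuild; the `cat` is also redundant. `gzip -9nc docs/man/dehydrated.1 > %{buildroot}%{_mandir}/man1/dehydrated.1.gz` (`-n` omits name and timestamp) keeps the output reproducible. The rendered page has dropped the +/- markers; I read the `docs/man/` variant as the new side, consistent with the changelog entry that brings back the man page.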