author | Peter Palfrader <peter@palfrader.org> | 2016-04-04 22:39:07 +0200 |
---|---|---|
committer | Peter Palfrader <peter@palfrader.org> | 2016-04-04 22:39:07 +0200 |
commit | 1a06cdc887ec1ac4da7af9948a4fb7723df0f76d (patch) | |
tree | 22e06b359833814a0baf797a80b6d176637f22a7 | |
parent | ad1527334c90424b101da3c6a03da3c46e301d8b (diff) |
make-combined-crt: actually support longer chains
By downloading all intermediates, repeatedly.
Also works for non-LE certs.
If an explicit $cn-chain.pem file exists, that takes precedence.
-rwxr-xr-x | letsencrypt-helpers/make-combined-crt | 66 |
1 files changed, 46 insertions, 20 deletions
diff --git a/letsencrypt-helpers/make-combined-crt b/letsencrypt-helpers/make-combined-crt
index 56a2989..a550e4b 100755
--- a/letsencrypt-helpers/make-combined-crt
+++ b/letsencrypt-helpers/make-combined-crt
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # Copyright (c) 2016 Peter Palfrader <peter@palfrader.org>
 # 
@@ -39,39 +39,65 @@ if ! [ -e "$cn.key" ] ; then
 exit 1
 fi
+tmpdir=$(mktemp -d)
+trap "rm -rf '$tmpdir'" EXIT
+
+chain=""
 if [ -e "$cn-letsencrypt.pem" ] ; then
 pem="$cn-letsencrypt.pem"
-
- tmp=$(tempfile)
- trap "rm -f '$tmp'" EXIT
- issuers_uri="$(openssl x509 -in "$pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
- if [ "${issuers_uri#http}" != "$issuers_uri" ]; then
- wget -q -O "$tmp" "$issuers_uri"
- chain="$tmp"
- else
- chain=""
- fi
 elif [ -e "$cn.pem" ] ; then
 pem="$cn.pem"
- if [ -e "$cn-chain.pem" ]; then
- chain="$cn-chain.pem"
- else
- chain=""
- fi
 elif [ -e "$cn-selfsigned.pem" ] ; then
 pem="$cn-selfsigned.pem"
- chain=""
 echo >&2 "Warning: only selfsigned cert available for $cn."
 else
 echo >&2 "Error: no cert available for $cn."
 exit 1
 fi
+chain="$tmpdir/chain.pem"
+(cat "$pem" ; echo) >> "$chain"
+
+max_length=10
+
+if [ -e "$cn-chain.pem" ]; then
+ (cat "$cn-chain.pem"; echo) >> "$chain"
+else
+ last_pem="$pem"
+
+ issuers_uri="$(openssl x509 -in "$last_pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
+ while [ "${issuers_uri#http}" != "$issuers_uri" ] && [ "$max_length" -gt 0 ]; do
+ # we include the EE, but not the root certificate in our chain. 
+ intermediate="$tmpdir/intermediate"
+ intermediatepem="$tmpdir/intermediate.pem"
+ wget -q -O "$intermediate" "$issuers_uri"
+ if grep -q "BEGIN CERTIFICATE" "$intermediate"; then
+ mv "$intermediate" "$intermediatepem"
+ elif [ "${issuers_uri%.p7c}" != "${issuers_uri}" ]; then
+ openssl pkcs7 -inform DER -in "$intermediate" -outform PEM -print_certs -out "$intermediatepem"
+ else
+ openssl x509 -inform DER -in "$intermediate" -outform PEM -out "$intermediatepem"
+ fi
+
+ # do not include roots
+ issuer="$( openssl x509 -in "$intermediatepem" -issuer -noout | cut -d'=' -f2-)"
+ subject="$(openssl x509 -in "$intermediatepem" -subject -noout | cut -d'=' -f2-)"
+ if [ "$issuer" = "$subject" ]; then
+ break
+ fi
+
+ (cat "$intermediatepem"; echo) >> "$chain"
+
+ last_pem="$intermediatepem"
+ issuers_uri="$(openssl x509 -in "$last_pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
+
+ max_length=$((max_length - 1))
+ done
+fi
+
+
 (
-cat "$pem"
-if [ -n "$chain" ]; then
 cat "$chain"
-fi
 size=$(openssl rsa < "$cn".key -text -noout | awk -F: '$1 == "Private-Key" {print $2}' | sed -e 's/[^0-9]//g')
 if [ -e extra/dh-"$size".pem ]; then |
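Review bot: The intermediate fetched by `wget -q -O "$intermediate" "$issuers_uri"` is appended to `$chain` without checking that the download succeeded or that it is actually the issuer of `$last_pem`; the AIA URI is taken from the certificate being processed and fetched over whatever scheme it names (in practice usually plain HTTP), so whatever the network returns — an error page, an empty file, or a certificate chosen by someone on the path — ends up in the chain the server hands out. A failed download is also silent: with no file at `$intermediatepem`, both `issuer` and `subject` expand to empty strings, `[ "$issuer" = "$subject" ]` is true and the loop breaks, producing a chain that holds only the end-entity certificate with no error reported. Check wget's exit status and compare the downloaded certificate's subject with the issuer of `$last_pem` before appending, failing loudly on a mismatch, since the later root check only inspects the download itself. The `( … )` subshell at the end of the hunk continues outside it.
```shell
		wget -q -O "$intermediate" "$issuers_uri" || { echo >&2 "Error: could not fetch $issuers_uri for $cn."; exit 1; }
		# … unchanged: PEM / PKCS#7 / DER conversion into $intermediatepem …

		# only accept the download if it is the certificate that issued the previous one
		expected_issuer="$(openssl x509 -in "$last_pem" -issuer -noout | cut -d'=' -f2-)"
		subject="$(openssl x509 -in "$intermediatepem" -subject -noout | cut -d'=' -f2-)"
		if [ ! -s "$intermediatepem" ] || [ "$subject" != "$expected_issuer" ]; then
			echo >&2 "Error: $issuers_uri did not yield the issuer of the previous certificate for $cn ($expected_issuer)."
			exit 1
		fi
		# … unchanged: root detection, append to $chain, next issuers_uri, max_length …
```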