authorPeter Palfrader <peter@palfrader.org>2016-04-04 22:39:07 +0200
committerPeter Palfrader <peter@palfrader.org>2016-04-04 22:39:07 +0200
commit1a06cdc887ec1ac4da7af9948a4fb7723df0f76d (patch)
tree22e06b359833814a0baf797a80b6d176637f22a7
parentad1527334c90424b101da3c6a03da3c46e301d8b (diff)
make-combined-crt: actually support longer chains
By downloading all intermediates, repeatedly. Also works for non-LE certs. If an explicit $cn-chain.pem file exists, that takes precedence.
-rwxr-xr-xletsencrypt-helpers/make-combined-crt66
1 files changed, 46 insertions, 20 deletions
diff --git a/letsencrypt-helpers/make-combined-crt b/letsencrypt-helpers/make-combined-crt
index 56a2989..a550e4b 100755
--- a/letsencrypt-helpers/make-combined-crt
+++ b/letsencrypt-helpers/make-combined-crt
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
# Copyright (c) 2016 Peter Palfrader <peter@palfrader.org>
#
@@ -39,39 +39,65 @@ if ! [ -e "$cn.key" ] ; then
exit 1
fi
+tmpdir=$(mktemp -d)
+trap "rm -rf '$tmpdir'" EXIT
+
+chain=""
if [ -e "$cn-letsencrypt.pem" ] ; then
pem="$cn-letsencrypt.pem"
-
- tmp=$(tempfile)
- trap "rm -f '$tmp'" EXIT
- issuers_uri="$(openssl x509 -in "$pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
- if [ "${issuers_uri#http}" != "$issuers_uri" ]; then
- wget -q -O "$tmp" "$issuers_uri"
- chain="$tmp"
- else
- chain=""
- fi
elif [ -e "$cn.pem" ] ; then
pem="$cn.pem"
- if [ -e "$cn-chain.pem" ]; then
- chain="$cn-chain.pem"
- else
- chain=""
- fi
elif [ -e "$cn-selfsigned.pem" ] ; then
pem="$cn-selfsigned.pem"
- chain=""
echo >&2 "Warning: only selfsigned cert available for $cn."
else
echo >&2 "Error: no cert available for $cn."
exit 1
fi
+chain="$tmpdir/chain.pem"
+(cat "$pem" ; echo) >> "$chain"
+
+max_length=10
+
+if [ -e "$cn-chain.pem" ]; then
+ (cat "$cn-chain.pem"; echo) >> "$chain"
+else
+ last_pem="$pem"
+
+ issuers_uri="$(openssl x509 -in "$last_pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
+ while [ "${issuers_uri#http}" != "$issuers_uri" ] && [ "$max_length" -gt 0 ]; do
+ # we include the EE, but not the root certificate in our chain.
+ intermediate="$tmpdir/intermediate"
+ intermediatepem="$tmpdir/intermediate.pem"
+ wget -q -O "$intermediate" "$issuers_uri"
+ if grep -q "BEGIN CERTIFICATE" "$intermediate"; then
+ mv "$intermediate" "$intermediatepem"
+ elif [ "${issuers_uri%.p7c}" != "${issuers_uri}" ]; then
+ openssl pkcs7 -inform DER -in "$intermediate" -outform PEM -print_certs -out "$intermediatepem"
+ else
+ openssl x509 -inform DER -in "$intermediate" -outform PEM -out "$intermediatepem"
+ fi
+
+ # do not include roots
+ issuer="$( openssl x509 -in "$intermediatepem" -issuer -noout | cut -d'=' -f2-)"
+ subject="$(openssl x509 -in "$intermediatepem" -subject -noout | cut -d'=' -f2-)"
+ if [ "$issuer" = "$subject" ]; then
+ break
+ fi
+
+ (cat "$intermediatepem"; echo) >> "$chain"
+
+ last_pem="$intermediatepem"
+ issuers_uri="$(openssl x509 -in "$last_pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
+
+ max_length=$((max_length - 1))
+ done
+fi
+
+
(
-cat "$pem"
-if [ -n "$chain" ]; then
cat "$chain"
-fi
size=$(openssl rsa < "$cn".key -text -noout | awk -F: '$1 == "Private-Key" {print $2}' | sed -e 's/[^0-9]//g')
if [ -e extra/dh-"$size".pem ]; then