| author | Peter Palfrader <peter@palfrader.org> | 2016-04-04 22:09:18 +0200 |
|---|---|---|
| committer | Peter Palfrader <peter@palfrader.org> | 2016-04-04 22:09:18 +0200 |
| commit | ad1527334c90424b101da3c6a03da3c46e301d8b (patch) | |
| tree | 14076c071feb141bb8c3ba5d8c17229c96147645 | |
| parent | 8e77b0d63a29c806ca2264c3fee735e92244001a (diff) | |
Fetch intermediate certs from the url in the cert
| -rw-r--r-- | letsencrypt-helpers/README | 2 |
|---|---|---|
| -rwxr-xr-x | letsencrypt-helpers/make-combined-crt | 11 |

2 files changed, 10 insertions, 3 deletions
diff --git a/letsencrypt-helpers/README b/letsencrypt-helpers/README index e5f65fa..6909fcf 100644 --- a/letsencrypt-helpers/README +++ b/letsencrypt-helpers/README @@ -6,8 +6,6 @@ o Furthermore, that there is a ~/acme-challenge and that is aliased in apache: | Alias "/.well-known/acme-challenge" "/srv/letsencrypt/acme-challenge" o Also, we want an account key in ~: (umask 277 && ! [ -e account.key ] && openssl genrsa 4096 > account.key) -o And you want the letsencrypt chain file lets-encrypt-x1-cross-signed.pem - in ~/certs/extra o Optionally, a dh file in ~/certs/extra/dh-4096.pem openssl dhparam -out ~/certs/extra/dh-4096.pem 4096 o And you want this bin directory in PATH for your letsencrypt role user. diff --git a/letsencrypt-helpers/make-combined-crt b/letsencrypt-helpers/make-combined-crt index 2c6dc59..56a2989 100755 --- a/letsencrypt-helpers/make-combined-crt +++ b/letsencrypt-helpers/make-combined-crt @@ -41,7 +41,16 @@ fi if [ -e "$cn-letsencrypt.pem" ] ; then pem="$cn-letsencrypt.pem" - chain="extra/lets-encrypt-x1-cross-signed.pem" + + tmp=$(tempfile) + trap "rm -f '$tmp'" EXIT + issuers_uri="$(openssl x509 -in "$pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" + if [ "${issuers_uri#http}" != "$issuers_uri" ]; then + wget -q -O "$tmp" "$issuers_uri" + chain="$tmp" + else + chain="" + fi elif [ -e "$cn.pem" ] ; then pem="$cn.pem" if [ -e "$cn-chain.pem" ]; then |
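Review bot: The README hunk drops the requirement for lets-encrypt-x1-cross-signed.pem but does not document what replaces it: with this commit make-combined-crt downloads the intermediate at run time from the certificate's "CA Issuers - URI", so the role user now needs wget installed and outbound HTTP access to the CA's issuer URL from this host. Suggest replacing the removed bullet with something like "o make-combined-crt fetches the intermediate certificate from the CA Issuers URI in the issued cert, so the host needs wget and outbound HTTP to the CA" so operators deploying behind an egress filter are not surprised by an empty chain.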
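Review bot: In the make-combined-crt hunk the downloaded file is used as `chain` without any check that the fetch succeeded or that what came back is the issuer of `$pem`; `wget -q -O "$tmp" "$issuers_uri"` has no error handling, so a failed or tampered HTTP download (the CA Issuers URI is normally plain http) still lands in the combined file and is served to clients. Suggest at least `wget -q -O "$tmp" "$issuers_uri" || exit 1` and a verification step such as `openssl verify -untrusted "$tmp" "$pem"` against the system trust store before accepting `$tmp` as the chain, which also catches the case where the URI serves a DER-encoded certificate that would need `openssl x509 -inform DER` before concatenation into a PEM bundle. The `else chain=""` branch silently continues with no intermediate when no http URI is found; a warning to stderr there would make the resulting incomplete chain visible instead of only showing up as client TLS errors.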