From ad1527334c90424b101da3c6a03da3c46e301d8b Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 4 Apr 2016 22:09:18 +0200
Subject: Fetch intermediate certs from the url in the cert

---
 letsencrypt-helpers/README            |  2 --
 letsencrypt-helpers/make-combined-crt | 11 ++++++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/letsencrypt-helpers/README b/letsencrypt-helpers/README
index e5f65fa..6909fcf 100644
--- a/letsencrypt-helpers/README
+++ b/letsencrypt-helpers/README
@@ -6,8 +6,6 @@ o Furthermore, that there is a ~/acme-challenge and that is aliased in apache:
 | Alias "/.well-known/acme-challenge" "/srv/letsencrypt/acme-challenge"
 o Also, we want an account key in ~:
 (umask 277 && ! [ -e account.key ] && openssl genrsa 4096 > account.key)
-o And you want the letsencrypt chain file lets-encrypt-x1-cross-signed.pem
- in ~/certs/extra
 o Optionally, a dh file in ~/certs/extra/dh-4096.pem
 openssl dhparam -out ~/certs/extra/dh-4096.pem 4096
 o And you want this bin directory in PATH for your letsencrypt role user.
diff --git a/letsencrypt-helpers/make-combined-crt b/letsencrypt-helpers/make-combined-crt
index 2c6dc59..56a2989 100755
--- a/letsencrypt-helpers/make-combined-crt
+++ b/letsencrypt-helpers/make-combined-crt
@@ -41,7 +41,16 @@ fi
 if [ -e "$cn-letsencrypt.pem" ] ; then
 	pem="$cn-letsencrypt.pem"
-	chain="extra/lets-encrypt-x1-cross-signed.pem"
+
+	tmp=$(tempfile)
+	trap "rm -f '$tmp'" EXIT
+	issuers_uri="$(openssl x509 -in "$pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)"
+	if [ "${issuers_uri#http}" != "$issuers_uri" ]; then
+		wget -q -O "$tmp" "$issuers_uri"
+		chain="$tmp"
+	else
+		chain=""
+	fi
 elif [ -e "$cn.pem" ] ; then
 	pem="$cn.pem"
 	if [ -e "$cn-chain.pem" ]; then
--
cgit v1.2.3
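Review bot: The intermediate fetched by `wget -q -O "$tmp" "$issuers_uri"` in the make-combined-crt hunk is assigned to `chain` without checking that the download succeeded, that the file is PEM, or that it is actually the issuer of `$pem`; the AIA caIssuers URL is plain http and, for Let's Encrypt, has commonly served DER, so a failed, truncated or tampered fetch (or a DER blob) would be concatenated into the bundle as-is. Whether the script runs under `set -e` and how `chain` is consumed are outside the hunk, so the failure mode may be a silent empty or unparseable chain rather than an abort. I would check wget's status, normalise DER to PEM, and refuse a download whose subject does not match the leaf's issuer (stronger: `openssl verify -partial_chain -CAfile "$tmp" "$pem"` where the installed OpenSSL supports it); `grep 'CA Issuers - URI:'` should also be limited to the first match so a cert with several AIA entries does not hand wget a multi-line URL. As a point of style, `tempfile` is Debian-specific and deprecated in favour of `mktemp`, and its result is unchecked.
```shell
	tmp=$(mktemp) || exit 1
	trap "rm -f '$tmp'" EXIT
	issuers_uri="$(openssl x509 -in "$pem" -noout -text | grep 'CA Issuers - URI:' | head -n1 | cut -d':' -f2-)"
	if [ "${issuers_uri#http}" != "$issuers_uri" ]; then
		wget -q -O "$tmp" "$issuers_uri" || { echo "fetching intermediate from $issuers_uri failed" >&2; exit 1; }
		# caIssuers endpoints often serve DER; convert so the file can be concatenated with PEM
		if ! openssl x509 -in "$tmp" -noout 2>/dev/null; then
			openssl x509 -inform DER -in "$tmp" -out "$tmp.pem" && mv "$tmp.pem" "$tmp" || exit 1
		fi
		# only accept a download that names the leaf's issuer as its subject
		if [ "$(openssl x509 -in "$tmp" -noout -subject_hash)" != "$(openssl x509 -in "$pem" -noout -issuer_hash)" ]; then
			echo "downloaded intermediate is not the issuer of $pem" >&2; exit 1
		fi
		chain="$tmp"
	else
		chain=""
	fi
```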