starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-05-17 04:17:00 +02:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Merge pull request #37 from germeier/privatekey

Browse Source 
fix logic if private key is specified via command line option
This commit is contained in:
Lukas Schauer
2015-12-12 04:45:01 +01:00
parent 8d00950572 4a6f797469
commit 06feebe171
2 changed files with 31 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config.sh.example
+6 -3
View File
@@ -22,12 +22,15 @@
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $SCRIPTDIR/.acme-challenges) # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $SCRIPTDIR/.acme-challenges)
#WELLKNOWN="${SCRIPTDIR}/.acme-challenges" #WELLKNOWN="${SCRIPTDIR}/.acme-challenges"
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined) # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
#BASEDIR=$SCRIPTDIR #BASEDIR=$SCRIPTDIR
# Location of private account key
#PRIVATE_KEY=${BASEDIR}/private_key.pem
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
# Path to openssl config file (default: <unset> - tries to figure out system default) # Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF= #OPENSSL_CNF=
letsencrypt.sh
+25 -17
View File
@@ -8,15 +8,18 @@ umask 077 # paranoid umask, we're creating private keys
# Get the directory in which this script is stored # Get the directory in which this script is stored
SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# directory for config, private key and certificates
BASEDIR="${SCRIPTDIR}"
# Default config values # Default config values
CA="https://acme-v01.api.letsencrypt.org/directory" CA="https://acme-v01.api.letsencrypt.org/directory"
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
HOOK= HOOK=
RENEW_DAYS="14" RENEW_DAYS="14"
PRIVATE_KEY=${BASEDIR}/private_key.pem
KEYSIZE="4096" KEYSIZE="4096"
WELLKNOWN="${SCRIPTDIR}/.acme-challenges" WELLKNOWN="${SCRIPTDIR}/.acme-challenges"
PRIVATE_KEY_RENEW="no" PRIVATE_KEY_RENEW="no"
BASEDIR="${SCRIPTDIR}"
OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf" OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf"
ROOTCERT="lets-encrypt-x1-cross-signed.pem" ROOTCERT="lets-encrypt-x1-cross-signed.pem"
CONTACT_EMAIL= CONTACT_EMAIL=
@@ -80,25 +83,30 @@ init_system() {
CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revoke-cert)" || CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revoke-cert)" ||
(echo "Error retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."; exit 1) (echo "Error retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."; exit 1)
# Check if private account key exists, if it doesn't exist yet generate a new one (rsa key)
# check private key ...
register="0" register="0"
if [[ -z "${USEPRIVATEKEY:-}" ]]; then if [[ -n "${PARAM_PRIVATE_KEY:-}" ]]; then
USEPRIVATEKEY="${BASEDIR}/private_key.pem" # a private key was specified from the command line so use it for this run
if [[ ! -e "${USEPRIVATEKEY}" ]]; then echo "Using private key "${PARAM_PRIVATE_KEY}" instead of account key"
PRIVATE_KEY="${PARAM_PRIVATE_KEY}"
if ! openssl rsa -in "${PRIVATE_KEY}" -check 2>/dev/null > /dev/null; then
echo " + ERROR: private key is not valid, can not continue"
exit 1
fi
else
# Check if private account key exists, if it doesn't exist yet generate a new one (rsa key)
PRIVATE_KEY="${BASEDIR}/private_key.pem"
if [[ ! -e "${PRIVATE_KEY}" ]]; then
echo "+ Generating account key..." echo "+ Generating account key..."
_openssl genrsa -out "${USEPRIVATEKEY}" "${KEYSIZE}" _openssl genrsa -out "${PRIVATE_KEY}" "${KEYSIZE}"
register="1" register="1"
fi fi
elif [[ ! -e "${USEPRIVATEKEY}" ]]; then
echo "ERROR: Unable to find specified private key."
exit 1
else
echo "Using private key ${USEPRIVATEKEY} instead of account key"
fi fi
# Get public components from private key and calculate thumbprint # Get public components from private key and calculate thumbprint
pubExponent64="$(printf "%06x" "$(openssl rsa -in "${USEPRIVATEKEY}" -noout -text | grep publicExponent | head -1 | cut -d' ' -f2)" | hex2bin | urlbase64)" pubExponent64="$(printf "%06x" "$(openssl rsa -in "${PRIVATE_KEY}" -noout -text | grep publicExponent | head -1 | cut -d' ' -f2)" | hex2bin | urlbase64)"
pubMod64="$(printf '%s' "$(openssl rsa -in "${USEPRIVATEKEY}" -noout -modulus | cut -d'=' -f2)" | hex2bin | urlbase64)" pubMod64="$(printf '%s' "$(openssl rsa -in "${PRIVATE_KEY}" -noout -modulus | cut -d'=' -f2)" | hex2bin | urlbase64)"
thumbprint="$(printf '%s' "$(printf '%s' '{"e":"'"${pubExponent64}"'","kty":"RSA","n":"'"${pubMod64}"'"}' | shasum -a 256 | awk '{print $1}')" | hex2bin | urlbase64)" thumbprint="$(printf '%s' "$(printf '%s' '{"e":"'"${pubExponent64}"'","kty":"RSA","n":"'"${pubMod64}"'"}' | shasum -a 256 | awk '{print $1}')" | hex2bin | urlbase64)"
@@ -232,7 +240,7 @@ signed_request() {
protected64="$(printf '%s' "${protected}" | urlbase64)" protected64="$(printf '%s' "${protected}" | urlbase64)"
# Sign header with nonce and our payload with our private key and encode signature as urlbase64 # Sign header with nonce and our payload with our private key and encode signature as urlbase64
signed64="$(printf '%s' "${protected64}.${payload64}" | openssl dgst -sha256 -sign "${USEPRIVATEKEY}" | urlbase64)" signed64="$(printf '%s' "${protected64}.${payload64}" | openssl dgst -sha256 -sign "${PRIVATE_KEY}" | urlbase64)"
# Send header + extended header + payload + signature to the acme-server # Send header + extended header + payload + signature to the acme-server
data='{"header": '"${header}"', "protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}' data='{"header": '"${header}"', "protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}'
@@ -480,7 +488,7 @@ for arg; do
--cron) args="${args}-c ";; --cron) args="${args}-c ";;
--sign) args="${args}-s ";; --sign) args="${args}-s ";;
--revoke) args="${args}-r ";; --revoke) args="${args}-r ";;
--privkey) args="${args}-p ";; --privkey) args="${args}-p ";;
--config) args="${args}-f ";; --config) args="${args}-f ";;
--*) --*)
echo "Unknown parameter detected: ${arg}" echo "Unknown parameter detected: ${arg}"
@@ -544,7 +552,7 @@ while getopts ":hcr:s:f:p:" option; do
# PARAM_Usage: --privkey (-p) path/to/key.pem # PARAM_Usage: --privkey (-p) path/to/key.pem
# PARAM_Description: Use specified private key instead of account key (useful for revocation) # PARAM_Description: Use specified private key instead of account key (useful for revocation)
check_parameters "${OPTARG:-}" check_parameters "${OPTARG:-}"
USEPRIVATEKEY="${OPTARG}" PARAM_PRIVATE_KEY="${OPTARG}"
;; ;;
*) *)
echo "Unknown parameter detected: -${OPTARG}" echo "Unknown parameter detected: -${OPTARG}"