starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-04-19 23:11:22 +02:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

add support for Elliptic Curve Cryptography (ECC)

Browse Source
This commit is contained in:
Markus Germeier
2016-01-16 18:55:36 +01:00
parent 67a44aa4e3
commit c71ca3a8b1
3 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -84,3 +84,7 @@ An alternative to setting the WELLKNOWN variable would be to create a symlink to
This script also supports the new `dns-01`-type verification. Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322 for the current state of `dns-01` support. This script also supports the new `dns-01`-type verification. Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322 for the current state of `dns-01` support.
You need a hook script that deploys the challenge to your DNS server! You need a hook script that deploys the challenge to your DNS server!
### Elliptic Curve Cryptography (ECC)
This script also supports certificates with Elliptic Curve public keys! Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support.

3
config.sh.example
View File

@@ -54,5 +54,8 @@
# Regenerate private keys instead of just signing new certificates on renewal (default: no) # Regenerate private keys instead of just signing new certificates on renewal (default: no)
#PRIVATE_KEY_RENEW="no" #PRIVATE_KEY_RENEW="no"
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=rsa
# E-mail to use during the registration (default: <unset>) # E-mail to use during the registration (default: <unset>)
#CONTACT_EMAIL= #CONTACT_EMAIL=

16
letsencrypt.sh
View File

@@ -40,6 +40,7 @@ load_config() {
KEYSIZE="4096" KEYSIZE="4096"
WELLKNOWN="${BASEDIR}/.acme-challenges" WELLKNOWN="${BASEDIR}/.acme-challenges"
PRIVATE_KEY_RENEW="no" PRIVATE_KEY_RENEW="no"
KEY_ALGO=rsa
OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf" OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf"
CONTACT_EMAIL= CONTACT_EMAIL=
LOCKFILE="${BASEDIR}/lock" LOCKFILE="${BASEDIR}/lock"
@@ -65,11 +66,13 @@ load_config() {
[[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}" [[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}"
[[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}" [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
[[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
[[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue." [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue."
if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
_exiterr "Challenge type dns-01 needs a hook script for deployment... can not continue." _exiterr "Challenge type dns-01 needs a hook script for deployment... can not continue."
fi fi
[[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... can not continue."
} }
# Initialize system # Initialize system
@@ -254,7 +257,10 @@ sign_domain() {
if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
echo " + Generating private key..." echo " + Generating private key..."
privkey="privkey-${timestamp}.pem" privkey="privkey-${timestamp}.pem"
_openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" case "${KEY_ALGO}" in
rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
esac
fi fi
# Generate signing request config and the actual signing request # Generate signing request config and the actual signing request
@@ -594,6 +600,14 @@ main() {
PARAM_CHALLENGETYPE="${1}" PARAM_CHALLENGETYPE="${1}"
;; ;;
# PARAM_Usage: --algo (-a) rsa|prime256v1|secp384r1
# PARAM_Description: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
--algo|-a)
shift 1
check_parameters "${1:-}"
PARAM_KEY_ALGO="${1}"
;;
*) *)
echo "Unknown parameter detected: ${1}" >&2 echo "Unknown parameter detected: ${1}" >&2
echo >&2 echo >&2