mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-07-08 14:05:25 +02:00
implemented issuer-chain cache
This commit is contained in:
@@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated
|
|||||||
|
|
||||||
## [x.x.x] - xxxx-xx-xx
|
## [x.x.x] - xxxx-xx-xx
|
||||||
## Changed
|
## Changed
|
||||||
- ...
|
- Certificate chain is now cached (CHAINCACHE)
|
||||||
|
|
||||||
## Added
|
## Added
|
||||||
- New feature for updating contact information (--account)
|
- New feature for updating contact information (--account)
|
||||||
|
|||||||
+23
-1
@@ -126,6 +126,7 @@ load_config() {
|
|||||||
LOCKFILE=
|
LOCKFILE=
|
||||||
OCSP_MUST_STAPLE="no"
|
OCSP_MUST_STAPLE="no"
|
||||||
IP_VERSION=
|
IP_VERSION=
|
||||||
|
CHAINCACHE=
|
||||||
|
|
||||||
if [[ -z "${CONFIG:-}" ]]; then
|
if [[ -z "${CONFIG:-}" ]]; then
|
||||||
echo "#" >&2
|
echo "#" >&2
|
||||||
@@ -182,6 +183,7 @@ load_config() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
[[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
|
[[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
|
||||||
|
[[ -z "${CHAINCACHE}" ]] && CHAINCACHE="${BASEDIR}/chains"
|
||||||
[[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
|
[[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
|
||||||
[[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
|
[[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
|
||||||
[[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
|
[[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
|
||||||
@@ -646,6 +648,11 @@ get_issuer_cert_uri() {
|
|||||||
openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true
|
openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
get_issuer_hash() {
|
||||||
|
certificate="${1}"
|
||||||
|
openssl x509 -in "${certificate}" -noout -issuer_hash
|
||||||
|
}
|
||||||
|
|
||||||
# walk certificate chain, retrieving all intermediate certificates
|
# walk certificate chain, retrieving all intermediate certificates
|
||||||
walk_chain() {
|
walk_chain() {
|
||||||
local certificate
|
local certificate
|
||||||
@@ -701,6 +708,10 @@ sign_domain() {
|
|||||||
echo " + Creating new directory ${CERTDIR}/${domain} ..."
|
echo " + Creating new directory ${CERTDIR}/${domain} ..."
|
||||||
mkdir -p "${CERTDIR}/${domain}" || _exiterr "Unable to create directory ${CERTDIR}/${domain}"
|
mkdir -p "${CERTDIR}/${domain}" || _exiterr "Unable to create directory ${CERTDIR}/${domain}"
|
||||||
fi
|
fi
|
||||||
|
if [ ! -d "${CHAINCACHE}" ]; then
|
||||||
|
echo " + Creating chain cache directory ${CHAINCACHE}"
|
||||||
|
mkdir "${CHAINCACHE}"
|
||||||
|
fi
|
||||||
|
|
||||||
privkey="privkey.pem"
|
privkey="privkey.pem"
|
||||||
# generate a new private key if we need or want one
|
# generate a new private key if we need or want one
|
||||||
@@ -757,7 +768,18 @@ sign_domain() {
|
|||||||
# Create fullchain.pem
|
# Create fullchain.pem
|
||||||
echo " + Creating fullchain.pem..."
|
echo " + Creating fullchain.pem..."
|
||||||
cat "${crt_path}" > "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
|
cat "${crt_path}" > "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
|
||||||
walk_chain "${crt_path}" > "${CERTDIR}/${domain}/chain-${timestamp}.pem"
|
local issuer_hash
|
||||||
|
issuer_hash="$(get_issuer_hash "${crt_path}")"
|
||||||
|
if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
|
||||||
|
echo " + Using cached chain!"
|
||||||
|
cat "${CHAINCACHE}/${issuer_hash}.chain" > "${CERTDIR}/${domain}/chain-${timestamp}.pem"
|
||||||
|
else
|
||||||
|
echo " + Walking chain..."
|
||||||
|
local issuer_cert_uri
|
||||||
|
issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
|
||||||
|
(walk_chain "${crt_path}" > "${CERTDIR}/${domain}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
|
||||||
|
cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
|
||||||
|
fi
|
||||||
cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" >> "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
|
cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" >> "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
|
||||||
|
|
||||||
# Update symlinks
|
# Update symlinks
|
||||||
|
|||||||
@@ -89,3 +89,6 @@
|
|||||||
|
|
||||||
# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
|
# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
|
||||||
#OCSP_MUST_STAPLE="no"
|
#OCSP_MUST_STAPLE="no"
|
||||||
|
|
||||||
|
# Issuer chain cache directory (default: $BASEDIR/chains)
|
||||||
|
#CHAINCACHE="${BASEDIR}/chains"
|
||||||
|
|||||||
Reference in New Issue
Block a user