exclude root certificate from certificate chain
+17
-5
@@ -621,12 +621,20 @@ sign_csr() {
|
|||||||
echo " + Done!"
|
echo " + Done!"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# grep issuer cert uri from certificate
|
||||||
|
get_issuer_cert_uri() {
|
||||||
|
certificate="${1}"
|
||||||
|
openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true
|
||||||
|
}
|
||||||
|
|
||||||
|
# walk certificate chain, retrieving all intermediate certificates
|
||||||
walk_chain() {
|
walk_chain() {
|
||||||
|
local certificate
|
||||||
certificate="${1}"
|
certificate="${1}"
|
||||||
|
|
||||||
# grep uri from certificate
|
|
||||||
local issuer_cert_uri
|
local issuer_cert_uri
|
||||||
issuer_cert_uri="$(openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true)"
|
issuer_cert_uri="${2:-}"
|
||||||
|
if [[ -z "${issuer_cert_uri}" ]]; then issuer_cert_uri="$(get_issuer_cert_uri "${certificate}")"; fi
|
||||||
if [[ -n "${issuer_cert_uri}" ]]; then
|
if [[ -n "${issuer_cert_uri}" ]]; then
|
||||||
# create temporary files
|
# create temporary files
|
||||||
local tmpcert
|
local tmpcert
|
||||||
@@ -647,9 +655,13 @@ walk_chain() {
|
|||||||
else _exiterr "Unknown certificate type in chain"
|
else _exiterr "Unknown certificate type in chain"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "\n%s\n" "${issuer_cert_uri}"
|
local next_issuer_cert_uri
|
||||||
cat "${tmpcert}"
|
next_issuer_cert_uri="$(get_issuer_cert_uri "${tmpcert}")"
|
||||||
walk_chain "${tmpcert}"
|
if [[ -n "${next_issuer_cert_uri}" ]]; then
|
||||||
|
printf "\n%s\n" "${issuer_cert_uri}"
|
||||||
|
cat "${tmpcert}"
|
||||||
|
walk_chain "${tmpcert}" "${next_issuer_cert_uri}"
|
||||||
|
fi
|
||||||
rm -f "${tmpcert}" "${tmpcert_raw}"
|
rm -f "${tmpcert}" "${tmpcert_raw}"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
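Review bot: `get_issuer_cert_uri` assigns `certificate="${1}"` without `local`, so a call from top level leaves a global `certificate` behind and, through bash's dynamic scoping, a call from inside another function rewrites that function's `certificate` variable; `local certificate="${1}"` matches the `local` discipline the surrounding `walk_chain` already follows. The new optional second argument of `walk_chain` is undocumented, and I would extend its header comment to `# walk certificate chain, retrieving all intermediate certificates; $1 = certificate file, $2 = its issuer cert URI when already known (looked up from $1 when omitted)`. That comment should also state that a fetched certificate is only emitted when it itself carries a 'CA Issuers - URI' entry, which is what drops the root; a trust anchor that does publish an AIA pointer would presumably still end up in the chain, so the comment should make that assumption explicit. The `rm -f "${tmpcert}" "${tmpcert_raw}"` cleanup is reached on both sides of the new `if`, which is good, but both hunks are pieces of the same `walk_chain` body and the download step between them is outside the shown lines.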
@@ -214,7 +214,8 @@ _CHECK_LOG "${TMP2_URL}"
|
|||||||
_SUBTEST "Verifying file with full chain..."
|
_SUBTEST "Verifying file with full chain..."
|
||||||
openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
|
openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
|
||||||
_SUBTEST "Verifying certificate against CA certificate..."
|
_SUBTEST "Verifying certificate against CA certificate..."
|
||||||
(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
|
curl -s https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem
|
||||||
|
(openssl verify -verbose -CAfile "ca.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
|
||||||
_CHECK_ERRORLOG
|
_CHECK_ERRORLOG
|
||||||
|
|
||||||
# Revoke certificate using certificate key
|
# Revoke certificate using certificate key
|
||||||
|
|||||||
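Review bot: The new download line `curl -s https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem` is unchecked: `curl -s` without `-f` feeds an HTTP error body, or nothing at all on a network failure, into openssl, and the pipeline's exit status is never examined, so a fetch problem only surfaces in the following `openssl verify` subtest as a misleading verification failure. I would write it as `curl -sSf https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem || _FAIL` (or give it its own `_SUBTEST`) so the step that actually broke is the one reported. With `ca.pem` as the sole `-CAfile`, the subtest now validates fullchain.pem against an anchor obtained independently of the chain file, which is the right consequence of no longer shipping the root in fullchain.pem; a one-line comment above the curl saying that the issuer certificate is fetched separately so the chain is verified against an independent trust anchor would help the next reader understand why the self-referential `-CAfile` was dropped.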