starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-03-19 07:43:50 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

update symlinks after signing the certificate

Browse Source
This commit is contained in:
Lukas Schauer
2015-12-07 14:28:53 +01:00
parent c764d03ee2
commit f343dc11e8
1 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
letsencrypt.sh
View File

@@ -120,12 +120,12 @@ sign_domain() {
mkdir -p "${BASEDIR}/certs/${domain}"
fi
privkey="privkey.pem"
# generate a new private key if we need or want one
if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
echo " + Generating private key..."
privkey="privkey-${timestamp}.pem"
openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
rm -f "${BASEDIR}/certs/${domain}/privkey.pem"
ln -s "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
fi
# Generate signing request config and the actual signing request
@@ -135,9 +135,7 @@ sign_domain() {
done
SAN="${SAN%%, }"
echo " + Generating signing request..."
openssl req -new -sha256 -key "${BASEDIR}/certs/${domain}/privkey.pem" -out "${BASEDIR}/certs/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config <(cat "${OPENSSL_CNF}" <(printf "[SAN]\nsubjectAltName=%s" "${SAN}")) > /dev/null
rm -f "${BASEDIR}/certs/${domain}/cert.csr"
ln -s "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
openssl req -new -sha256 -key "${BASEDIR}/certs/${domain}/${privkey}" -out "${BASEDIR}/certs/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config <(cat "${OPENSSL_CNF}" <(printf "[SAN]\nsubjectAltName=%s" "${SAN}")) > /dev/null
# Request and respond to challenges
for altname in $altnames; do
@@ -192,11 +190,9 @@ sign_domain() {
# Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
echo " + Requesting certificate..."
csr64="$(openssl req -in "${BASEDIR}/certs/${domain}/cert.csr" -outform DER | urlbase64)"
csr64="$(openssl req -in "${BASEDIR}/certs/${domain}/cert-${timestamp}.csr" -outform DER | urlbase64)"
crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem"
rm -f "${BASEDIR}/certs/${domain}/cert.pem"
ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
# Create fullchain.pem
if [[ -e "${BASEDIR}/certs/${ROOTCERT}" ]] || [[ -e "${SCRIPTDIR}/certs/${ROOTCERT}" ]]; then
@@ -211,6 +207,18 @@ sign_domain() {
ln -s "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
fi
# Update remaining symlinks
if [ ! "${privkey}" = "privkey.pem" ]; then
rm -f "${BASEDIR}/certs/${domain}/privkey.pem"
ln -s "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
fi
rm -f "${BASEDIR}/certs/${domain}/cert.csr"
ln -s "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
rm -f "${BASEDIR}/certs/${domain}/cert.pem"
ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
echo " + Done!"
}