neil 4 years ago committed by GitHub
parent
commit
12b1916599
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 58
      acme.sh

58
acme.sh

@ -4009,12 +4009,42 @@ _check_dns_entries() {
}
#file
_get_cert_issuers() {
_get_chain_issuers() {
_cfile="$1"
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
_cindex=1
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
_debug2 "_startn" "$_startn"
_debug2 "_endn" "$_endn"
if [ "$DEBUG" ]; then
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
fi
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
_cindex=$(_math $_cindex + 1)
done
fi
}
#
_get_chain_subjects() {
_cfile="$1"
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else
_cindex=1
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
_debug2 "_startn" "$_startn"
_debug2 "_endn" "$_endn"
if [ "$DEBUG" ]; then
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
fi
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
_cindex=$(_math $_cindex + 1)
done
fi
}
@ -4022,14 +4052,12 @@ _get_cert_issuers() {
_match_issuer() {
_cfile="$1"
_missuer="$2"
_fissuers="$(_get_cert_issuers $_cfile)"
_fissuers="$(_get_chain_issuers $_cfile)"
_debug2 _fissuers "$_fissuers"
if _contains "$_fissuers" "$_missuer"; then
return 0
fi
_fissuers="$(echo "$_fissuers" | _lower_case)"
_rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
_debug2 _rootissuer "$_rootissuer"
_missuer="$(echo "$_missuer" | _lower_case)"
_contains "$_fissuers" "$_missuer"
_contains "$_rootissuer" "$_missuer"
}
#webroot, domain domainlist keylength
@ -4803,6 +4831,9 @@ $_authorizations_map"
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
if [ "$DEBUG" ]; then
_debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
fi
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
_debug2 "rels" "$rels"
@ -4818,13 +4849,22 @@ $_authorizations_map"
_relca="$CA_CERT_PATH.alt"
echo "$response" >"$_relcert"
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
if [ "$DEBUG" ]; then
_debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
fi
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
_info "Matched issuer in: $rel"
cat $_relcert >"$CERT_PATH"
cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
cat $_relca >"$CA_CERT_PATH"
rm -f "$_relcert"
rm -f "$_relfullchain"
rm -f "$_relca"
break
fi
rm -f "$_relcert"
rm -f "$_relfullchain"
rm -f "$_relca"
done
fi
fi

Loading…
Cancel
Save