|
|
|
@ -4009,12 +4009,42 @@ _check_dns_entries() {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#file
|
|
|
|
|
_get_cert_issuers() {
|
|
|
|
|
_get_chain_issuers() {
|
|
|
|
|
_cfile="$1"
|
|
|
|
|
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
|
|
|
|
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
|
|
|
|
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
|
|
|
|
else
|
|
|
|
|
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
|
|
|
|
_cindex=1
|
|
|
|
|
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
|
|
|
|
|
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
|
|
|
|
|
_debug2 "_startn" "$_startn"
|
|
|
|
|
_debug2 "_endn" "$_endn"
|
|
|
|
|
if [ "$DEBUG" ]; then
|
|
|
|
|
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
|
|
|
|
|
fi
|
|
|
|
|
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
|
|
|
|
|
_cindex=$(_math $_cindex + 1)
|
|
|
|
|
done
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
_get_chain_subjects() {
|
|
|
|
|
_cfile="$1"
|
|
|
|
|
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
|
|
|
|
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
|
|
|
|
else
|
|
|
|
|
_cindex=1
|
|
|
|
|
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
|
|
|
|
|
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
|
|
|
|
|
_debug2 "_startn" "$_startn"
|
|
|
|
|
_debug2 "_endn" "$_endn"
|
|
|
|
|
if [ "$DEBUG" ]; then
|
|
|
|
|
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
|
|
|
|
|
fi
|
|
|
|
|
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
|
|
|
|
|
_cindex=$(_math $_cindex + 1)
|
|
|
|
|
done
|
|
|
|
|
fi
|
|
|
|
|
}
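Review bot: `_get_chain_issuers` greps `'Issuer:'` case-sensitively in the per-certificate `x509` loop (`sed -n "$_startn,${_endn}p" "$_cfile" | … | grep 'Issuer:'`) while the `crl2pkcs7` branch above it and both branches of `_get_chain_subjects` use `grep -i`, so the two code paths would disagree if an OpenSSL build ever printed the label in a different case; use `grep -i 'Issuer:'` in the loop as well. `$_cfile` is also passed unquoted in `crl2pkcs7 -nocrl -certfile $_cfile` in both functions although the same variable is quoted in the `grep -n -- "$BEGIN_CERT" "$_cfile"` calls below it, and it comes from the user-configurable fullchain path, so write `-certfile "$_cfile"`. Note too that only the loop branch strips the leading space with `sed "s/ *\(.*\)/\1/"`; the pkcs7 branch returns values like ` R3`, which works today only because the caller compares with `_contains`, so a comment such as `# Output is one CN per line, not whitespace-normalized; callers must use substring matching (_contains)` would save the next reader a surprise.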
|
|
|
|
|
|
|
|
|
@ -4022,14 +4052,12 @@ _get_cert_issuers() {
|
|
|
|
|
_match_issuer() {
|
|
|
|
|
_cfile="$1"
|
|
|
|
|
_missuer="$2"
|
|
|
|
|
_fissuers="$(_get_cert_issuers $_cfile)"
|
|
|
|
|
_fissuers="$(_get_chain_issuers $_cfile)"
|
|
|
|
|
_debug2 _fissuers "$_fissuers"
|
|
|
|
|
if _contains "$_fissuers" "$_missuer"; then
|
|
|
|
|
return 0
|
|
|
|
|
fi
|
|
|
|
|
_fissuers="$(echo "$_fissuers" | _lower_case)"
|
|
|
|
|
_rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
|
|
|
|
|
_debug2 _rootissuer "$_rootissuer"
|
|
|
|
|
_missuer="$(echo "$_missuer" | _lower_case)"
|
|
|
|
|
_contains "$_fissuers" "$_missuer"
|
|
|
|
|
_contains "$_rootissuer" "$_missuer"
|
|
|
|
|
}
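Review bot: The two match paths in `_match_issuer` are now asymmetric: the early `_contains "$_fissuers" "$_missuer"` accepts a case-sensitive substring of any issuer in the chain, while the fallback checks only the lowercased issuer of the last certificate (`_rootissuer`), so a preferred chain of `ISRG Root X1` matches anywhere but `isrg root x1` matches only at the root; if restricting to the root is the intent, apply it to the exact-case check too, or otherwise document the difference above the function, e.g. `# Exact-case match against any issuer CN in the chain; case-insensitive match against the last (root) issuer CN only. Both are substring matches.`. The lowercasing on the `_fissuers="$(echo "$_fissuers" | _lower_case)"` line is redundant on the new side, since the next line lowercases again and nothing else reads the lowered value; drop one of the two `_lower_case` calls. `_get_chain_issuers $_cfile` is also unquoted while the callers quote the path (`_match_issuer "$CERT_FULLCHAIN_PATH" …`); write `_fissuers="$(_get_chain_issuers "$_cfile")"`. Because both comparisons are substring matches, a short value such as `X1` also matches any CN containing `x1`, which is worth a sentence in the function comment so operators pick a sufficiently specific preferred-chain string.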
|
|
|
|
|
|
|
|
|
|
#webroot, domain domainlist keylength
|
|
|
|
@ -4803,6 +4831,9 @@ $_authorizations_map"
|
|
|
|
|
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
|
|
|
|
|
|
|
|
|
|
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
|
|
|
|
|
if [ "$DEBUG" ]; then
|
|
|
|
|
_debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
|
|
|
|
|
fi
|
|
|
|
|
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
|
|
|
|
|
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
|
|
|
|
|
_debug2 "rels" "$rels"
|
|
|
|
@ -4818,13 +4849,22 @@ $_authorizations_map"
|
|
|
|
|
_relca="$CA_CERT_PATH.alt"
|
|
|
|
|
echo "$response" >"$_relcert"
|
|
|
|
|
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
|
|
|
|
|
if [ "$DEBUG" ]; then
|
|
|
|
|
_debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
|
|
|
|
|
fi
|
|
|
|
|
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
|
|
|
|
|
_info "Matched issuer in: $rel"
|
|
|
|
|
cat $_relcert >"$CERT_PATH"
|
|
|
|
|
cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
|
|
|
|
|
cat $_relca >"$CA_CERT_PATH"
|
|
|
|
|
rm -f "$_relcert"
|
|
|
|
|
rm -f "$_relfullchain"
|
|
|
|
|
rm -f "$_relca"
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
rm -f "$_relcert"
|
|
|
|
|
rm -f "$_relfullchain"
|
|
|
|
|
rm -f "$_relca"
|
|
|
|
|
done
|
|
|
|
|
fi
|
|
|
|
|
fi
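Review bot: The copy lines `cat $_relcert >"$CERT_PATH"`, `cat $_relfullchain >"$CERT_FULLCHAIN_PATH"` and `cat $_relca >"$CA_CERT_PATH"` leave the source paths unquoted while the newly added `rm -f "$_relcert"` lines quote them; if `_relcert` is derived from `$CERT_PATH` the way `_relca` is from `$CA_CERT_PATH` and that path contains whitespace, the `cat` argument splits and fails after the redirection has already truncated the just-issued certificate file to empty, so quote all three: `cat "$_relcert" >"$CERT_PATH"` and likewise for the other two. The three `rm -f` calls are then repeated verbatim after the `fi`; a single cleanup block after the `if` with a matched flag, followed by the `break`, removes the duplication. The `.alt` temporaries are written with a predictable suffix beside the real certificate files, which is acceptable for public certificate material in a directory acme.sh already owns, but a short comment (`# .alt files are scratch copies of the alternate chain and are removed below`) would make that intent explicit. The enclosing `for rel in …` loop starts outside this hunk.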
|
|
|
|
|