horok/open-infrastructure-service-tools
1
0
Fork 0
Code Activity
open-infrastructure-service.../dehydrated/share/hooks/deploy_cert.extra
Daniel Baumann 40aba0ca65
Adding upstream version 20240930. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-22 14:52:24 +02:00

88 lines
2.7 KiB
Bash
Executable file
Raw Permalink Blame History

#!/bin/sh
# Open Infrastructure: service-tools
# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
#
# SPDX-License-Identifier: GPL-3.0+
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
set -e
echo -n " + Creating extra certificate files..."
DIRECTORY="$(dirname "${CERTFILE}")"
if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ]
then
# long chain:
# * chain.pem: (R3 | ISRG Root X1)
# * fullchain.pem: (Certificate | R3 | ISRG Root X1)
CHAIN="long"
else
# short chain:
# * chain.pem: (R3)
# * fullchain.pem (Certificate | R3)
CHAIN="short"
fi
case "${CHAIN}" in
long)
# split chain.pem
TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
# intermediate (R3)
mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
# root (ISRG Root X1)
mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
;;
short)
# intermediate (R3)
grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
# root (ISRG Root X1)
ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"
if [ -n "${ISSUER_URI}" ]
then
wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"
ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
fi
;;
esac
# extra certificate permutations:
# * privkey_fullchain.pem: postfix
# * root_intermediate_cert.pem: redis
for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert
do
rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
for FILE in $(echo ${EXTRA} | sed -e 's|_| |g')
do
cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
done
ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem"
done
echo " done."
View git blame Copy permalink