summaryrefslogtreecommitdiffstats
path: root/dehydrated
diff options
context:
space:
mode:
Diffstat (limited to 'dehydrated')
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra33
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.extra8
-rwxr-xr-xdehydrated/share/hooks/exit_hook.extra-cleanup77
-rwxr-xr-xdehydrated/share/hooks/exit_hook.fix-permissions8
4 files changed, 100 insertions, 26 deletions
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
index 47a8391..56ca2f4 100755
--- a/dehydrated/share/hooks/deploy_cert.extra
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -21,32 +21,29 @@
set -e
-echo " + Creating extra certificate files:"
+echo -n " + Creating extra certificate files..."
DIRECTORY="$(dirname "${CERTFILE}")"
-echo -n " + root and intermediate CA:"
-
+# root and intermediate CA
TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
-mv "${TMPFILE}00" "${DIRECTORY}/ca.intermediate-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/ca.intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca.intermediate.pem"
-
-mv "${TMPFILE}01" "${DIRECTORY}/ca.root-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/ca.root-${TIMESTAMP}.pem" "${DIRECTORY}/ca.root.pem"
+mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
-echo " done."
+mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
-for EXTRA in fullchain-privkey privkey-fullchain
+# extra certificate permutations:
+# * privkey_fullchain.pem: postfix
+for EXTRA in fullchain_privkey privkey_fullchain
do
- EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')"
- EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')"
-
- echo -n " + creating ${EXTRA1}-${EXTRA2}:"
+ EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')"
- cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem"
- ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem"
-
- echo " done."
+ cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem"
+ ln -sf "${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem"
done
+
+echo " done."
diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra
index 36d0302..35a13f6 100755
--- a/dehydrated/share/hooks/deploy_ocsp.extra
+++ b/dehydrated/share/hooks/deploy_ocsp.extra
@@ -26,12 +26,12 @@ echo " + Creating extra ocsp links..."
DIRECTORY="$(dirname "${OCSPFILE}")"
OCSP="$(readlink "${OCSPFILE}")"
-for EXTRA in fullchain-privkey privkey-fullchain
+for EXTRA in fullchain_privkey privkey_fullchain
do
- EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')"
- EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')"
+ EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')"
- ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp"
+ ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp"
done
echo " done."
diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup
new file mode 100755
index 0000000..59e203e
--- /dev/null
+++ b/dehydrated/share/hooks/exit_hook.extra-cleanup
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Cleanup extra certificate files..."
+
+for EXTRA in root intermediate fullchain_privkey privkey_fullchain
+do
+ for CERTIFICATE in "${CERTDIR}"/*/
+ do
+ if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1
+ then
+ continue
+ fi
+
+ SYMLINK="${CERTIFICATE}/${EXTRA}.pem"
+ ORIGINAL="$(readlink -f "${SYMLINK}")"
+
+ if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ]
+ then
+ # remove dangling symlink
+ rm -f "${SYMLINK}"
+ fi
+
+ if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ]
+ then
+ # remove dangling symlink
+ rm -f "${SYMLINK}.ocsp"
+ fi
+
+ if [ -e "${SYMLINK}" ]
+ then
+ for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem
+ do
+ case "$(basename "${FILE}")" in
+ "$(basename "${ORIGINAL}")")
+ continue
+ ;;
+
+ *)
+ # archive unused files
+ ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")"
+ mkdir -p "${ARCHIVE}"
+
+ mv "${FILE}" "${ARCHIVE}"
+
+ if [ -e "${FILE}.ocsp" ]
+ then
+ mv "${FILE}.ocsp" "${ARCHIVE}"
+ fi
+ ;;
+ esac
+ done
+ fi
+ done
+done
+
+echo " done."
diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions
index 4a467a7..aa15553 100755
--- a/dehydrated/share/hooks/exit_hook.fix-permissions
+++ b/dehydrated/share/hooks/exit_hook.fix-permissions
@@ -21,7 +21,7 @@
set -e
-if [ ! -e /var/lib/dehydrated/certs ]
+if [ ! -e "${CERTDIR}" ]
then
exit 0
fi
@@ -31,10 +31,10 @@ then
echo -n " + Fixing file owner and permissions..."
# https://bugs.debian.org/854431
- chown -R root:ssl-cert /var/lib/dehydrated/certs
+ chown -R root:ssl-cert "${CERTDIR}"
- find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
- find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+ find "${CERTDIR}" -type d -exec chmod 0750 {} \;
+ find "${CERTDIR}" -type f -exec chmod 0640 {} \;
echo " done."
fi