|
|
|
@ -1224,6 +1224,37 @@ _readKeyLengthFromCSR() { |
|
|
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
# _substitute_compatibility_chain _leaf _issuer |
|
|
|
_substitute_compatibility_chain() { |
|
|
|
_leaf="$1" |
|
|
|
_issuer="$2" |
|
|
|
|
|
|
|
# We only want to replace the issuer if it's the Let's Encrypt Authority X3 key |
|
|
|
_aki="$(printf "%s" "$_leaf" | ${ACME_OPENSSL_BIN:-openssl} x509 -noout -ext authorityKeyIdentifier | grep 'keyid:' | cut -d ':' -f 2-)" |
|
|
|
if [ "$_aki" != "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1" ]; then |
|
|
|
_debug "Issuer is not X3, using default chain" |
|
|
|
printf "%s" "$_issuer" |
|
|
|
return |
|
|
|
fi |
|
|
|
|
|
|
|
# We only want to replace the issuer if the leaf is expiring after the cross-signed issuer |
|
|
|
_expiry="$(printf "%s" "$_leaf" | ${ACME_OPENSSL_BIN:-openssl} x509 -noout -enddate | grep "notAfter" | cut -d '=' -f 2 | date +"%s" -f - )" |
|
|
|
if [ "$_expiry" -gt "1615999246" ]; then |
|
|
|
_debug "Leaf is expiring after cross-signed X3, using default chain" |
|
|
|
printf "%s" "$_issuer" |
|
|
|
return |
|
|
|
fi |
|
|
|
|
|
|
|
_debug "Using legacy cross-signed X3 issuer" |
|
|
|
_newissuer="$(_get "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt")" |
|
|
|
if [ "$?" != "0" ]; then |
|
|
|
_debug "Failed to download legacy chain, using default chain" |
|
|
|
printf "%s" "$_issuer" |
|
|
|
else |
|
|
|
printf "%s" "$_newissuer" |
|
|
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
_ss() { |
|
|
|
_port="$1" |
|
|
|
|
|
|
|
@ -3783,6 +3814,12 @@ issue() { |
|
|
|
_cleardomainconf "Le_ChallengeAlias" |
|
|
|
fi |
|
|
|
|
|
|
|
if [ "$Le_UseCompatibilityChain" = "1" ]; then |
|
|
|
_savedomainconf "Le_UseCompatibilityChain" "$Le_UseCompatibilityChain" |
|
|
|
else |
|
|
|
_cleardomainconf "Le_UseCompatibilityChain" |
|
|
|
fi |
|
|
|
|
|
|
|
if [ "$ACME_DIRECTORY" != "$DEFAULT_CA" ]; then |
|
|
|
Le_API="$ACME_DIRECTORY" |
|
|
|
_savedomainconf "Le_API" "$Le_API" |
|
|
|
@ -4432,11 +4469,18 @@ $_authorizations_map" |
|
|
|
cat "$CERT_PATH" >"$CERT_FULLCHAIN_PATH" |
|
|
|
_end_n="$(grep -n -- "$END_CERT" "$CERT_FULLCHAIN_PATH" | _head_n 1 | cut -d : -f 1)" |
|
|
|
_debug _end_n "$_end_n" |
|
|
|
sed -n "1,${_end_n}p" "$CERT_FULLCHAIN_PATH" >"$CERT_PATH" |
|
|
|
_leaf="$(sed -n "1,${_end_n}p" "$CERT_FULLCHAIN_PATH")" |
|
|
|
_end_n="$(_math $_end_n + 1)" |
|
|
|
sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH" >"$CA_CERT_PATH" |
|
|
|
_issuer="$(sed -n "${_end_n},9999p" "$CERT_FULLCHAIN_PATH")" |
|
|
|
if [ "$Le_UseCompatibilityChain" = "1" ]; then |
|
|
|
_issuer="$(_substitute_compatibility_chain "$_leaf" "$_issuer")" |
|
|
|
fi |
|
|
|
echo "$_leaf" > "$CERT_PATH" |
|
|
|
echo "$_issuer" > "$CA_CERT_PATH" |
|
|
|
printf "%s\n%s" "$_leaf" "$_issuer" > "$CERT_FULLCHAIN_PATH" |
|
|
|
fi |
|
|
|
|
|
|
|
# ACME_VERSION != "2" |
|
|
|
else |
|
|
|
if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then |
|
|
|
_err "Sign failed. $response" |
|
|
|
@ -4506,12 +4550,6 @@ $_authorizations_map" |
|
|
|
_MAX_ISSUER_RETRY=5 |
|
|
|
while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do |
|
|
|
_debug _link_issuer_retry "$_link_issuer_retry" |
|
|
|
if [ "$ACME_VERSION" = "2" ]; then |
|
|
|
if _send_signed_request "$Le_LinkIssuer"; then |
|
|
|
echo "$response" >"$CA_CERT_PATH" |
|
|
|
break |
|
|
|
fi |
|
|
|
else |
|
|
|
if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then |
|
|
|
echo "$BEGIN_CERT" >"$CA_CERT_PATH" |
|
|
|
_base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH" |
|
|
|
@ -4522,8 +4560,14 @@ $_authorizations_map" |
|
|
|
fi |
|
|
|
cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH" |
|
|
|
rm -f "$CA_CERT_PATH.der" |
|
|
|
break |
|
|
|
|
|
|
|
if [ "$Le_UseCompatibilityChain" = "1" ]; then |
|
|
|
_leaf="$(cat "$CERT_PATH")" |
|
|
|
_issuer="$(_substitute_compatibility_chain "$_leaf" "$(cat "$CA_CERT_PATH")")" |
|
|
|
echo "$_issuer" > "$CA_CERT_PATH" |
|
|
|
printf "%s\n%s" "$_leaf" "$_issuer" > "$CERT_FULLCHAIN_PATH" |
|
|
|
fi |
|
|
|
break |
|
|
|
fi |
|
|
|
_link_issuer_retry=$(_math $_link_issuer_retry + 1) |
|
|
|
_sleep "$_link_issuer_retry" |
|
|
|
@ -6078,6 +6122,7 @@ Parameters: |
|
|
|
--openssl-bin Specifies a custom openssl bin location. |
|
|
|
--use-wget Force to use wget, if you have both curl and wget installed. |
|
|
|
--yes-I-know-dns-manual-mode-enough-go-ahead-please Force to use dns manual mode: $_DNS_MANUAL_WIKI |
|
|
|
--compatibility-chain If possible, use the older and more compatible cross-signed issuer certificate (Let's Encrypt only). |
|
|
|
--branch, -b Only valid for '--upgrade' command, specifies the branch name to upgrade to. |
|
|
|
|
|
|
|
--notify-level 0|1|2|3 Set the notification level: Default value is $NOTIFY_LEVEL_DEFAULT. |
|
|
|
@ -6607,6 +6652,9 @@ _process() { |
|
|
|
--yes-I-know-dns-manual-mode-enough-go-ahead-please) |
|
|
|
export FORCE_DNS_MANUAL=1 |
|
|
|
;; |
|
|
|
--compatibility-chain) |
|
|
|
Le_UseCompatibilityChain="1" |
|
|
|
;; |
|
|
|
--log | --logfile) |
|
|
|
_log="1" |
|
|
|
_logfile="$2" |
|
|
|
|
Alex Zorin
7 years ago