Mirror
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

support multiple intermediate CA matching for `--preferred-chain`

pull/3109/head
neil 4 years ago
parent
bd04638d27
commit
d5d38b3331
1 changed files with 12 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 21
      acme.sh

21
acme.sh
View File

@ -3990,17 +3990,22 @@ _check_dns_entries() {
} }
#file #file
_get_cert_issuer() {
_get_cert_issuers() {
_cfile="$1" _cfile="$1"
echo $(openssl x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2)
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7"; then
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
fi
} }
#cert issuer #cert issuer
_match_issuer() { _match_issuer() {
_cfile="$1" _cfile="$1"
_missuer="$2" _missuer="$2"
_fissuer=$(_get_cert_issuer $_cfile)
[ "$_missuer" = "$_fissuer" ]
_fissuers="$(_get_cert_issuers $_cfile)"
_debug2 _fissuers "$_fissuers"
_contains "$_fissuers" "$_missuer"
} }
#webroot, domain domainlist keylength #webroot, domain domainlist keylength
@ -4773,10 +4778,8 @@ $_authorizations_map"
echo "$response" >"$CERT_PATH" echo "$response" >"$CERT_PATH"
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH" _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
if [ "$_preferred_chain" ]; then
_cert_issuer=$(_get_cert_issuer "$CA_CERT_PATH")
_debug _cert_issuer "$_cert_issuer"
if ! _match_issuer "$CA_CERT_PATH" "$_preferred_chain"; then
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)" rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
_debug2 "rels" "$rels" _debug2 "rels" "$rels"
for rel in $rels; do for rel in $rels; do
@ -4791,7 +4794,7 @@ $_authorizations_map"
_relca="$CA_CERT_PATH.alt" _relca="$CA_CERT_PATH.alt"
echo "$response" >"$_relcert" echo "$response" >"$_relcert"
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca" _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
if _match_issuer "$_relca" "$_preferred_chain"; then
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
_info "Matched issuer in: $rel" _info "Matched issuer in: $rel"
cat $_relcert >"$CERT_PATH" cat $_relcert >"$CERT_PATH"
cat $_relfullchain >"$CERT_FULLCHAIN_PATH" cat $_relfullchain >"$CERT_FULLCHAIN_PATH"

Write Preview
Loading…
Cancel
Save