From 0c9546ccb0d1de464e43ef16e460e83a1c43d3ad Mon Sep 17 00:00:00 2001 From: neil Date: Thu, 15 Sep 2016 10:41:47 +0800 Subject: [PATCH] fix https://github.com/Neilpang/acme.sh/issues/288 add --ocsp-must-staple, --ocsp --- acme.sh | 66 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 39 insertions(+), 27 deletions(-) diff --git a/acme.sh b/acme.sh index 1e8fd545..76015113 100755 --- a/acme.sh +++ b/acme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env sh -VER=2.5.0 +VER=2.5.1 PROJECT_NAME="acme.sh" @@ -163,11 +163,11 @@ _hasfield() { for f in $(echo "$_str" | tr ',' ' ') ; do if [ "$f" = "$_field" ] ; then - _debug "'$_str' contains '$_field'" + _debug2 "'$_str' contains '$_field'" return 0 #contains ok fi done - _debug "'$_str' does not contain '$_field'" + _debug2 "'$_str' does not contain '$_field'" return 1 #not contains } @@ -440,16 +440,20 @@ _createcsr() { _debug _createcsr domain="$1" domainlist="$2" - key="$3" + csrkey="$3" csr="$4" csrconf="$5" _debug2 domain "$domain" _debug2 domainlist "$domainlist" + _debug2 csrkey "$csrkey" + _debug2 csr "$csr" + _debug2 csrconf "$csrconf" + + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" > "$csrconf" + if [ -z "$domainlist" ] || [ "$domainlist" = "no" ]; then #single domain _info "Single domain" "$domain" - printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\n" > "$csrconf" - openssl req -new -sha256 -key "$key" -subj "/CN=$domain" -config "$csrconf" -out "$csr" else if _contains "$domainlist" "," ; then alt="DNS:$(echo $domainlist | sed "s/,/,DNS:/g")" @@ -458,9 +462,13 @@ _createcsr() { fi #multi _info "Multi domain" "$alt" - printf -- "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\nsubjectAltName=$alt" > "$csrconf" - openssl req -new -sha256 -key "$key" -subj "/CN=$domain" -config "$csrconf" -out "$csr" + printf -- "\nsubjectAltName=$alt" >> "$csrconf" fi + if [ "$Le_OCSP_Stable" ] ; then + _savedomainconf Le_OCSP_Stable "$Le_OCSP_Stable" + printf -- "\nbasicConstraints = CA:FALSE\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "$csrconf" + fi + openssl req -new -sha256 -key "$csrkey" -subj "/CN=$domain" -config "$csrconf" -out "$csr" } #_signcsr key csr conf cert @@ -1066,56 +1074,56 @@ _setopt() { #_savedomainconf key value #save to domain.conf _savedomainconf() { - key="$1" - value="$2" + _sdkey="$1" + _sdvalue="$2" if [ "$DOMAIN_CONF" ] ; then - _setopt "$DOMAIN_CONF" "$key" "=" "\"$value\"" + _setopt "$DOMAIN_CONF" "$_sdkey" "=" "\"$_sdvalue\"" else - _err "DOMAIN_CONF is empty, can not save $key=$value" + _err "DOMAIN_CONF is empty, can not save $_sdkey=$_sdvalue" fi } #_cleardomainconf key _cleardomainconf() { - key="$1" + _sdkey="$1" if [ "$DOMAIN_CONF" ] ; then - _sed_i "s/^$key.*$//" "$DOMAIN_CONF" + _sed_i "s/^$_sdkey.*$//" "$DOMAIN_CONF" else - _err "DOMAIN_CONF is empty, can not save $key=$value" + _err "DOMAIN_CONF is empty, can not save $_sdkey=$value" fi } #_readdomainconf key _readdomainconf() { - key="$1" + _sdkey="$1" if [ "$DOMAIN_CONF" ] ; then ( - eval $(grep "^$key *=" "$DOMAIN_CONF") - eval "printf \"%s\" \"\$$key\"" + eval $(grep "^$_sdkey *=" "$DOMAIN_CONF") + eval "printf \"%s\" \"\$$_sdkey\"" ) else - _err "DOMAIN_CONF is empty, can not read $key" + _err "DOMAIN_CONF is empty, can not read $_sdkey" fi } #_saveaccountconf key value _saveaccountconf() { - key="$1" - value="$2" + _sckey="$1" + _scvalue="$2" if [ "$ACCOUNT_CONF_PATH" ] ; then - _setopt "$ACCOUNT_CONF_PATH" "$key" "=" "\"$value\"" + _setopt "$ACCOUNT_CONF_PATH" "$_sckey" "=" "\"$_scvalue\"" else - _err "ACCOUNT_CONF_PATH is empty, can not save $key=$value" + _err "ACCOUNT_CONF_PATH is empty, can not save $_sckey=$_scvalue" fi } #_clearaccountconf key _clearaccountconf() { - key="$1" + _scvalue="$1" if [ "$ACCOUNT_CONF_PATH" ] ; then - _sed_i "s/^$key.*$//" "$ACCOUNT_CONF_PATH" + _sed_i "s/^$_scvalue.*$//" "$ACCOUNT_CONF_PATH" else - _err "ACCOUNT_CONF_PATH is empty, can not clear $key" + _err "ACCOUNT_CONF_PATH is empty, can not clear $_scvalue" fi } @@ -1357,7 +1365,7 @@ _initpath() { fi if [ -z "$DOMAIN_SSL_CONF" ] ; then - DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.ssl.conf" + DOMAIN_SSL_CONF="$DOMAIN_PATH/$domain.csr.conf" fi if [ -z "$CSR_PATH" ] ; then @@ -3079,6 +3087,7 @@ Parameters: --pre-hook Command to be run before obtaining any certificates. --post-hook Command to be run after attempting to obtain/renew certificates. No matter the obain/renew is success or failed. --renew-hook Command to be run once for each successfully renewed certificate. + --ocsp-must-staple, --ocsp Generate ocsp must Staple extension. " } @@ -3431,6 +3440,9 @@ _process() { _renew_hook="$2" shift ;; + --ocsp-must-staple|--ocsp) + Le_OCSP_Stable="1" + ;; *) _err "Unknown parameter : $1" return 1