
931785fa93ea7c8a03d28df7c2b5738274ea1157 — Jackson 2 months ago 18d9652 main
some stuff for uacme compatibility
3 files changed, 19 insertions(+), 4 deletions(-)

M certbot-ocsp-fetcher
A extract-chain.sh
A extract-chains.sh
M certbot-ocsp-fetcher => certbot-ocsp-fetcher +4 -4
@@ 367,20 367,20 @@ run_standalone() {
  # or otherwise all lineages in Certbot's dir
  if [[ -n ${!CERT_LINEAGES[*]} ]]; then
    for lineage_name in "${!CERT_LINEAGES[@]}"; do
      if [[ -r ${CERTBOT_DIR}/live/${lineage_name} ]]; then
      if [[ -r ${CERTBOT_DIR}/${lineage_name} ]]; then
        fetch_ocsp_response \
          --standalone \
          "${temp_output_dir}" \
          "${lineage_name}" \
          "${CERT_LINEAGES["${lineage_name}"]}"
      else
        exit_with_error "can't access ${CERTBOT_DIR}/live/${lineage_name}"
        exit_with_error "can't access ${CERTBOT_DIR}/${lineage_name}"
      fi
    done
  else
    set +f
    shopt -s nullglob
    for lineage_dir in "${CERTBOT_DIR}"/live/*; do
    for lineage_dir in "${CERTBOT_DIR}"/*; do
      set -f

      # Skip non-directories, like Certbot's README file


@@ 492,7 492,7 @@ fetch_ocsp_response() {

  case ${1} in
    --standalone)
      local -r lineage_dir=${CERTBOT_DIR}/live/${lineage_name}
      local -r lineage_dir=${CERTBOT_DIR}/${lineage_name}

      # `set -o errexit` is not respected here, but in case of failure we still
      # err on the safe side by renewing the OCSP staple file.
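Review bot: Replacing `${CERTBOT_DIR}/live/${lineage_name}` with `${CERTBOT_DIR}/${lineage_name}` at the `-r` test, the error message and the `for lineage_dir` glob in run_standalone, and again in fetch_ocsp_response's `--standalone` branch, hardcodes the uacme layout and drops support for Certbot's `live/` layout that the surrounding comments (`all lineages in Certbot's dir`, `like Certbot's README file`) still describe. Which line of each pair is the new side is not marked on this page; I am assuming the `live/`-less lines are the additions, consistent with the `/etc/ssl/uacme/<domain>/cert.pem` paths in extract-chains.sh. One configurable subdirectory keeps both layouts working: define once `LINEAGE_SUBDIR=${LINEAGE_SUBDIR-live}` (export it empty to select the flat uacme layout) and use `${CERTBOT_DIR}${LINEAGE_SUBDIR:+/$LINEAGE_SUBDIR}/${lineage_name}` at the four sites. run_standalone starts before the first hunk and continues past it, and fetch_ocsp_response's body continues outside the second hunk.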

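--- /dev/null
+++ b/extract-chain.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# extracts chain certificates from a fullchain certficate
+# stdin: fullchain contents
+# stdout: the chain only
+
+# stolen from https://serverfault.com/questions/391396/how-to-split-a-pem-file/#957985 and modified
+FULLCHAIN=$(cat)
+#CERTIFICATE="${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
+echo -e "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d'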
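Review bot: When stdin carries no `-----END CERTIFICATE-----` marker, `${FULLCHAIN#*-----END CERTIFICATE-----}` expands to the whole input unchanged, so a bare leaf certificate or an empty file is emitted as the "chain" with exit status 0 rather than rejected, and whatever later reads chain.pem as the issuer gets the wrong material. Whether uacme's cert.pem really contains the full chain is not visible on this page, so the caller in extract-chains.sh depends on that check. `echo -e` also runs backslash processing over the certificate text and is non-portable; `printf '%s\n'` emits it verbatim. Adding `set -eu -o pipefail` keeps a failing `cat` or `sed` from being masked, and the header comment has a typo, `certficate`.
```shell
#!/bin/bash
set -eu -o pipefail
# … unchanged: header comments …
FULLCHAIN=$(cat)
if [[ $FULLCHAIN != *"-----END CERTIFICATE-----"* ]]; then
  printf '%s: no certificate found on stdin\n' "${0##*/}" >&2
  exit 1
fi
printf '%s\n' "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d'
```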

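--- /dev/null
+++ b/extract-chains.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eu
+domains=(gotosocial.gts.hazmat.jacksonchen666.com jacksonchen666.com jc666.xyz jc6.xyz reinfo.wiki this.is.the.least.exciting.thing.ever.on.jacksonchen666.com)
+for i in "${domains[@]}"; do
+  /etc/ssl/uacme/certbot-ocsp-fetcher/extract-chain.sh < /etc/ssl/uacme/"$i"/cert.pem > /etc/ssl/uacme/"$i"/chain.pem
+done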
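Review bot: The redirection `> /etc/ssl/uacme/"$i"/chain.pem` truncates chain.pem before extract-chain.sh has produced anything, so a failure partway through (its `sed` stage, or a cert.pem that turns out not to hold a chain) leaves an empty or partial chain.pem in place of the previous good one, and `set -eu` then aborts before the remaining domains are processed. Writing to a `mktemp` file in the same directory and renaming it over chain.pem only on success makes the update atomic for anything that reads the file concurrently. mktemp creates the file mode 0600, so the mode the reader expects has to be restored before the rename; the chain is public certificate data, so 0644 is the natural choice, though the reader's identity is not on the page. A `base` variable and a `domain` loop name also make the three repeated absolute paths easier to read.
```shell
base=/etc/ssl/uacme
for domain in "${domains[@]}"; do
  tmp=$(mktemp "${base}/${domain}/chain.pem.XXXXXX")
  if "${base}/certbot-ocsp-fetcher/extract-chain.sh" \
      < "${base}/${domain}/cert.pem" > "$tmp"; then
    chmod 0644 "$tmp"   # chain.pem holds public certificates only
    mv -- "$tmp" "${base}/${domain}/chain.pem"
  else
    rm -f -- "$tmp"
    exit 1
  fi
done
```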