
Add FULL_CHAIN_INCLUDE_ROOT

Fixes #594 #272 #564
pull/643/head
Tim Kimber 5 years ago
parent
commit
522918f023
No known key found for this signature in database GPG Key ID: 3E1804964E76BD18
2 changed files with 110 additions and 1 deletions
  1. +29
    -1
      getssl
  2. +81
    -0
      test/36-full-chain-inc-root.bats

+ 29
- 1
getssl

@ -256,7 +256,8 @@
# 2021-02-07 Allow -u --upgrade without any domain, so that one can only update the script (Benno-K)(2.34)
# 2021-02-09 Prevent listing the complete file if version tag missing (#637)(softins)
# 2021-02-12 Add PREFERRED_CHAIN
# 2021-02-15 ADD ftp explicit SSL with curl for upload the challenge
# 2021-02-15 ADD ftp explicit SSL with curl for upload the challenge (CoolMischa)
# 2021-02-18 Add FULL_CHAIN_INCLUDE_ROOT
# ----------------------------------------------------------------------------------------
case :$SHELLOPTS: in
@ -283,6 +284,7 @@ DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org"
DOMAIN_KEY_LENGTH=4096
DUAL_RSA_ECDSA="false"
FTP_OPTIONS=""
FULL_CHAIN_INCLUDE_ROOT="false"
GETSSL_IGNORE_CP_PRESERVE="false"
HTTP_TOKEN_CHECK_WAIT=0
IGNORE_DIRECTORY_DOMAIN="false"
@ -1598,7 +1600,27 @@ get_certificate() { # get certificate for csr, if all domains validated.
# tidy up
rm -f "$cert_to_check"
fi
awk -v CERT_FILE="$gc_certfile" -v CA_CERT="$gc_cafile" 'BEGIN {outfile=CERT_FILE} split_after==1 {outfile=CA_CERT;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > outfile}' "$gc_fullchain"
if [[ "$FULL_CHAIN_INCLUDE_ROOT" = "true" ]]; then
# Some of the code below was copied from zakjan/cert-chain-resolver
# Download the certificate for the issuer using the "CA Issuers" attribute from the AIA x509 extension
issuer_url=$(openssl x509 -inform pem -noout -text -in "$gc_certfile" | awk 'BEGIN {FS="CA Issuers - URI:"} NF==2 {print $2; exit}')
debug Issuer for "$gc_certfile" is "$issuer_url"
# Keep downloading issuer certficates until we find the root certificate (which doesn't have a "CA Issuers" attribure)
cp "$gc_certfile" "$gc_fullchain"
while [[ -n "$issuer_url" ]]; do
debug Fetching certificate issuer from "$issuer_url"
issuer_cert=$(curl --user-agent "$CURL_USERAGENT" --silent "$issuer_url" | openssl x509 -inform der -outform pem)
debug Fetched issuer certificate "$(echo "$issuer_cert" | openssl x509 -inform pem -noout -text | awk 'BEGIN {FS="Subject: "} NF==2 {print $2; exit}')"
echo "$issuer_cert" >> "$gc_fullchain"
# get issuer for the certificate that's just been downloaded
issuer_url=$(echo "$issuer_cert" | openssl x509 -inform pem -noout -text | awk 'BEGIN {FS="CA Issuers - URI:"} NF==2 {print $2; exit}')
done
fi
info "Certificate saved in $gc_certfile"
fi
}
@ -2382,6 +2404,9 @@ write_domain_template() { # write out a template file for a domain.
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN=""
# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
#DOMAIN_CERT_LOCATION="/etc/ssl/${DOMAIN}.crt" # this is domain cert
@ -2441,6 +2466,9 @@ write_getssl_template() { # write out the main template file
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN=""
# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"
# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:sshuserid@server5:systemctl reload httpd' 'logger getssl for server5 efficient.')
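Review bot: The new loop in get_certificate appends whatever each "CA Issuers" URL returns to fullchain without checking that it actually issued the previous certificate; those URLs are normally plain http, so the content is unauthenticated when it is written into a file that gets deployed and that, in the Java keystore case the template comment names, may end up being imported as trusted. The `cp "$gc_certfile" "$gc_fullchain"` before the loop also discards the chain the ACME server delivered, so a failed download, or a leaf with no AIA attribute, leaves fullchain holding only the leaf; curl runs without `--fail` or a timeout and the loop has no depth limit. I would build the new chain in temporary files, verify each fetched certificate as the issuer of the previous one, and replace fullchain only when every step succeeded, as sketched below. get_certificate begins outside this hunk, and the `-no-CApath` option in the sketch needs OpenSSL 1.1.0 or later, so check that against the versions getssl supports.

```shell
if [[ "$FULL_CHAIN_INCLUDE_ROOT" = "true" ]]; then
  # … unchanged: issuer_url lookup for "$gc_certfile" and debug output …
  new_chain=$(mktemp)
  prev_cert=$(mktemp)
  next_cert=$(mktemp)
  cp "$gc_certfile" "$new_chain"
  cp "$gc_certfile" "$prev_cert"
  chain_ok="true"
  depth=0
  while [[ -n "$issuer_url" ]]; do
    # The AIA response is untrusted input: bound the walk, fail on HTTP errors,
    # and accept the certificate only if it verifies the previous one.
    if (( ++depth > 8 )) \
       || ! curl --user-agent "$CURL_USERAGENT" --silent --fail --max-time 30 "$issuer_url" \
            | openssl x509 -inform der -outform pem > "$next_cert" \
       || ! openssl verify -no-CApath -partial_chain -CAfile "$next_cert" "$prev_cert" >/dev/null 2>&1; then
      chain_ok="false"
      break
    fi
    cat "$next_cert" >> "$new_chain"
    cp "$next_cert" "$prev_cert"
    issuer_url=$(openssl x509 -inform pem -noout -text -in "$next_cert" | awk 'BEGIN {FS="CA Issuers - URI:"} NF==2 {print $2; exit}')
  done
  # Replace the CA-supplied fullchain only when at least one issuer was fetched
  # and every link verified; otherwise keep what the ACME server delivered.
  if [[ "$chain_ok" = "true" ]] && (( depth > 0 )); then
    cp "$new_chain" "$gc_fullchain"
  else
    info "FULL_CHAIN_INCLUDE_ROOT: could not build a verified chain to the root, keeping fullchain as issued"
  fi
  rm -f "$new_chain" "$prev_cert" "$next_cert"
fi
```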


+ 81
- 0
test/36-full-chain-inc-root.bats

@ -0,0 +1,81 @@
#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
setup() {
if [ -z "$STAGING" ]; then
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
fi
}
@test "Use FULL_CHAIN_INCLUDE_ROOT to include the root certificate in the fullchain" {
CONFIG_FILE="getssl-dns01.cfg"
setup_environment
init_getssl
cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
FULL_CHAIN_INCLUDE_ROOT="true"
EOF
create_certificate
assert_success
check_output_for_errors
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
else
# pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
# This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
fi
final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
# verify certificate includes the chain root
[ "$PREFERRED_CHAIN" = "$final_issuer" ]
}
@test "Use FULL_CHAIN_INCLUDE_ROOT with dual certificates" {
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
fi
CONFIG_FILE="getssl-dns01.cfg"
setup_environment
init_getssl
cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
FULL_CHAIN_INCLUDE_ROOT="true"
DUAL_RSA_ECDSA="true"
ACCOUNT_KEY_TYPE="prime256v1"
PRIVATE_KEY_ALG="prime256v1"
CHECK_REMOTE="false"
EOF
create_certificate
assert_success
check_output_for_errors
check_certificates
assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
if [ -n "$STAGING" ]; then
PREFERRED_CHAIN="Fake LE Root X1"
else
# pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
# This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
fi
# verify both rsa and ecdsa certificates include the chain root
final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
[ "$PREFERRED_CHAIN" = "$final_issuer" ]
ecdsa_final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
[ "$PREFERRED_CHAIN" = "$ecdsa_final_issuer" ]
}
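Review bot: On the non-STAGING (pebble) path both tests take the expected value from the last `Subject:` in `${GETSSL_CMD_HOST}.crt` and compare it with the last `Subject:` in `fullchain.crt`, so they pass only when fullchain ends with the leaf itself; that pins the loss of the intermediate certificate described in the comment rather than only checking that the option "doesn't fail". A check that fullchain is never shorter than what the CA delivered would be safer, for example `[ "$(grep -c 'BEGIN CERTIFICATE' "$fullchain")" -ge 2 ]` with `$fullchain` set to the file under test (this assumes pebble delivers an intermediate, which should be confirmed). On the STAGING path the comparison with `"Fake LE Root X1"` goes through `cut -d= -f2`, whose result appears to depend on how the installed openssl prints names (`CN=x` versus `CN = x`), so trimming whitespace before the comparison would make it less brittle. The variable `final_issuer` holds a subject, so `final_subject` would read more accurately.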
