implemented issuer-chain cache
authorLukas Schauer <lukas@schauer.so>
Mon, 10 Jul 2017 13:06:06 +0000 (15:06 +0200)
committerLukas Schauer <lukas@schauer.so>
Mon, 10 Jul 2017 13:06:50 +0000 (15:06 +0200)
CHANGELOG
dehydrated
docs/examples/config

index 9580d5c7fd2020e2bd7b5c852910af4a507b2a10..b4c04c98793a67d788c2cba47d72eb304a0bb249 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated
 
 ## [x.x.x] - xxxx-xx-xx
 ## Changed
-- ...
+- Certificate chain is now cached (CHAINCACHE)
 
 ## Added
 - New feature for updating contact information (--account)
index 35b601820d0d1fd2f47148ece69e8c1a7d6dbd2f..34a3ffbc94335a8734738e8aa9cedc8737454157 100755 (executable)
@@ -126,6 +126,7 @@ load_config() {
   LOCKFILE=
   OCSP_MUST_STAPLE="no"
   IP_VERSION=
+  CHAINCACHE=
 
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
@@ -182,6 +183,7 @@ load_config() {
   fi
 
   [[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
+  [[ -z "${CHAINCACHE}" ]] && CHAINCACHE="${BASEDIR}/chains"
   [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
   [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
   [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
@@ -646,6 +648,11 @@ get_issuer_cert_uri() {
   openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true
 }
 
+get_issuer_hash() {
+  certificate="${1}"
+  openssl x509 -in "${certificate}" -noout -issuer_hash
+}
+
 # walk certificate chain, retrieving all intermediate certificates
 walk_chain() {
   local certificate
@@ -701,6 +708,10 @@ sign_domain() {
     echo " + Creating new directory ${CERTDIR}/${domain} ..."
     mkdir -p "${CERTDIR}/${domain}" || _exiterr "Unable to create directory ${CERTDIR}/${domain}"
   fi
+  if [ ! -d "${CHAINCACHE}" ]; then
+    echo " + Creating chain cache directory ${CHAINCACHE}"
+    mkdir "${CHAINCACHE}"
+  fi
 
   privkey="privkey.pem"
   # generate a new private key if we need or want one
@@ -757,7 +768,18 @@ sign_domain() {
   # Create fullchain.pem
   echo " + Creating fullchain.pem..."
   cat "${crt_path}" > "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
-  walk_chain "${crt_path}" > "${CERTDIR}/${domain}/chain-${timestamp}.pem"
+  local issuer_hash
+  issuer_hash="$(get_issuer_hash "${crt_path}")"
+  if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+    echo " + Using cached chain!"
+    cat "${CHAINCACHE}/${issuer_hash}.chain" > "${CERTDIR}/${domain}/chain-${timestamp}.pem"
+  else
+    echo " + Walking chain..."
+    local issuer_cert_uri
+    issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+    (walk_chain "${crt_path}" > "${CERTDIR}/${domain}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+    cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+  fi
   cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" >> "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
 
   # Update symlinks
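Review bot: `issuer_hash` is used unchecked as the cache key right after `issuer_hash="$(get_issuer_hash "${crt_path}")"`: when openssl fails and prints nothing, every certificate maps to `${CHAINCACHE}/.chain`, so a single failed run can leave a chain file that later, unrelated certificates silently pick up as their own. A guard after the assignment closes that, `[[ -n "${issuer_hash}" ]] || _exiterr "Unable to determine issuer hash of ${crt_path}"`. Because `-issuer_hash` keys on the issuer's subject name and nothing in the hunk ever invalidates an entry, a reissued intermediate with the same subject name, or an expired one, will keep being served from the cache; a comment at the cache lookup saying that stale entries in `${CHAINCACHE}` must be removed by hand would tell operators where to look when a served chain goes bad. In the earlier hunks, `get_issuer_hash` assigns `certificate` without `local` (its neighbour `walk_chain` declares it local), and the `mkdir "${CHAINCACHE}"` in sign_domain lacks the `|| _exiterr` that the `${CERTDIR}/${domain}` mkdir directly above it uses. sign_domain begins and ends outside these hunks.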
index 1b1b3d86cb2bdb060f0403dd69a4aeda55856816..2183f3bba1223924dd2174044dbc46f12191b36c 100644 (file)
@@ -89,3 +89,6 @@
 
 # Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
 #OCSP_MUST_STAPLE="no"
+
+# Issuer chain cache directory (default: $BASEDIR/chains)
+#CHAINCACHE="${BASEDIR}/chains"