From: Lukas Schauer Date: Mon, 10 Jul 2017 13:06:06 +0000 (+0200) Subject: implemented issuer-chain cache X-Git-Tag: v0.5.0~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d685463673919ba4f9d2035d021293f241a66055;p=thirdparty%2Fdehydrated.git implemented issuer-chain cache --- diff --git a/CHANGELOG b/CHANGELOG index 9580d5c..b4c04c9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated ## [x.x.x] - xxxx-xx-xx ## Changed -- ... +- Certificate chain is now cached (CHAINCACHE) ## Added - New feature for updating contact information (--account) diff --git a/dehydrated b/dehydrated index 35b6018..34a3ffb 100755 --- a/dehydrated +++ b/dehydrated @@ -126,6 +126,7 @@ load_config() { LOCKFILE= OCSP_MUST_STAPLE="no" IP_VERSION= + CHAINCACHE= if [[ -z "${CONFIG:-}" ]]; then echo "#" >&2 @@ -182,6 +183,7 @@ load_config() { fi [[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs" + [[ -z "${CHAINCACHE}" ]] && CHAINCACHE="${BASEDIR}/chains" [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt" [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated" [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock" @@ -646,6 +648,11 @@ get_issuer_cert_uri() { openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true } +get_issuer_hash() { + certificate="${1}" + openssl x509 -in "${certificate}" -noout -issuer_hash +} + # walk certificate chain, retrieving all intermediate certificates walk_chain() { local certificate @@ -701,6 +708,10 @@ sign_domain() { echo " + Creating new directory ${CERTDIR}/${domain} ..." mkdir -p "${CERTDIR}/${domain}" || _exiterr "Unable to create directory ${CERTDIR}/${domain}" fi + if [ ! -d "${CHAINCACHE}" ]; then + echo " + Creating chain cache directory ${CHAINCACHE}" + mkdir "${CHAINCACHE}" + fi privkey="privkey.pem" # generate a new private key if we need or want one 
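Review bot: In the new get_issuer_hash, `certificate="${1}"` is assigned without `local`, so every call overwrites a global `certificate`; walk_chain, visible in the same hunk, protects itself with `local certificate`, but sign_domain (the caller added in the @@ -757 hunk) does not. I would write `local certificate` followed by `certificate="${1}"`. Unlike the neighbouring get_issuer_cert_uri, which ends in `|| true`, an openssl failure here is not handled: if errexit is active (the script preamble is outside this diff) the caller aborts without a message, otherwise the caller gets an empty hash and the cache path degrades to `${CHAINCACHE}/.chain`. Since the output format defines the cache file names, a header comment such as `# prints the openssl hash of the issuer name of the certificate in $1; used as the chain-cache key` would document the contract.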
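Review bot: The new `mkdir "${CHAINCACHE}"` has neither the `-p` nor the `|| _exiterr …` that the CERTDIR mkdir two lines above uses, so a missing parent directory or a permission problem gives no clear error, and if errexit is not in effect the run continues and later tries to write cache files into a directory that does not exist. I would write `mkdir -p "${CHAINCACHE}" || _exiterr "Unable to create directory ${CHAINCACHE}"`. The `[ ! -d … ]` test is also the only single-bracket test in the surrounding code, which uses `[[ … ]]` in load_config. sign_domain starts before and ends after this hunk.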
@@ -757,7 +768,18 @@ sign_domain() {
 # Create fullchain.pem
 echo " + Creating fullchain.pem..."
 cat "${crt_path}" > "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
- walk_chain "${crt_path}" > "${CERTDIR}/${domain}/chain-${timestamp}.pem"
+ local issuer_hash
+ issuer_hash="$(get_issuer_hash "${crt_path}")"
+ if [ -e "${CHAINCACHE}/${issuer_hash}.chain" ]; then
+ echo " + Using cached chain!"
+ cat "${CHAINCACHE}/${issuer_hash}.chain" > "${CERTDIR}/${domain}/chain-${timestamp}.pem"
+ else
+ echo " + Walking chain..."
+ local issuer_cert_uri
+ issuer_cert_uri="$(get_issuer_cert_uri "${crt_path}" || echo "unknown")"
+ (walk_chain "${crt_path}" > "${CERTDIR}/${domain}/chain-${timestamp}.pem") || _exiterr "Walking chain has failed, your certificate has been created and can be found at ${crt_path}, the corresponding private key at ${privkey}. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under ${CHAINCACHE}/${issuer_hash}.chain (see ${issuer_cert_uri})"
+ cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" > "${CHAINCACHE}/${issuer_hash}.chain"
+ fi
 cat "${CERTDIR}/${domain}/chain-${timestamp}.pem" >> "${CERTDIR}/${domain}/fullchain-${timestamp}.pem"
 
 # Update symlinks
diff --git a/docs/examples/config b/docs/examples/config
index 1b1b3d8..2183f3b 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -89,3 +89,6 @@
 
 # Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
 #OCSP_MUST_STAPLE="no"
+
+# Issuer chain cache directory (default: $BASEDIR/chains)
+#CHAINCACHE="${BASEDIR}/chains"
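Review bot: The cache key is only the issuer's name hash (`openssl x509 -issuer_hash` in get_issuer_hash), so two issuer certificates with the same subject name but different keys — a re-issued or cross-signed intermediate — map to the same `${issuer_hash}.chain`, and because entries never expire a stale intermediate keeps being served in chain.pem/fullchain.pem until the operator deletes the file; the CHANGELOG entry should at least say that the cache has to be cleared when the CA rotates its intermediates. The `-e` test also accepts an empty or truncated cache file, which the non-atomic `cat … > "${CHAINCACHE}/${issuer_hash}.chain"` can leave behind if the run is interrupted between walk_chain and the copy. I would test with `if [ -s "${CHAINCACHE}/${issuer_hash}.chain" ]; then` and write the entry through a temporary file in the same directory (`mktemp`) followed by `mv`, so a partial file is never picked up. Given that the cached content ends up in the served fullchain, validating the cached chain against the freshly issued certificate (for example with `openssl verify`) before reusing it would make the cache safer than trusting any file present in the directory. sign_domain continues before and after this hunk.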