From 8e77ba5e02a4b76d3a76a2354f74c0b53ba4fec8 Mon Sep 17 00:00:00 2001
From: Lukas Schauer
Date: Thu, 26 May 2016 14:58:19 +0200
Subject: [PATCH] added option to set csr-flag indicating ocsp stapling to be mandatory

---
 CHANGELOG | 3 +++
 README.md | 1 +
 docs/examples/config | 3 +++
 letsencrypt.sh | 11 +++++++++++
 4 files changed, 18 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index a26cdf5..095e11a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,9 @@ This file contains a log of major changes in letsencrypt.sh
 - Config is now named `config` instead of `config.sh`!
 - Location of domains.txt is now configurable via DOMAINS_TXT config variable
+## Added
+- Added option to add CSR-flag indicating OCSP stapling to be mandatory
+
 ## [0.2.0] - 2016-05-22
 ### Changed
 - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
diff --git a/README.md b/README.md
index 904cda1..6563243 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ Commands:
 Parameters:
 --domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --ocsp Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config Use specified config file
 --hook (-k) path/to/hook.sh Use specified script for hooks
diff --git a/docs/examples/config b/docs/examples/config
index b27481f..23322e6 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -78,3 +78,6 @@
 # Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
 #LOCKFILE="${BASEDIR}/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
diff --git a/letsencrypt.sh b/letsencrypt.sh
index df7adf2..0b8810b 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -78,6 +78,7 @@ load_config() {
 OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
 CONTACT_EMAIL=
 LOCKFILE=
+ OCSP_MUST_STAPLE="no"
 if [[ -z "${CONFIG:-}" ]]; then
 echo "#" >&2
@@ -128,6 +129,7 @@ load_config() {
 [[ -n "${PARAM_CERTDIR:-}" ]] && CERTDIR="${PARAM_CERTDIR}"
 [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
 [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
+ [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
 [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue."
 if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
@@ -535,6 +537,9 @@ sign_domain() {
 tmp_openssl_cnf="$(_mktemp)"
 cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
 printf "[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}"
+ if [ "${OCSP_MUST_STAPLE}" = "yes" ]; then
+ printf "\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "${tmp_openssl_cnf}"
+ fi
 openssl req -new -sha256 -key "${CERTDIR}/${domain}/${privkey}" -out "${CERTDIR}/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config "${tmp_openssl_cnf}"
 rm -f "${tmp_openssl_cnf}"
@@ -854,6 +859,12 @@ main() {
 PARAM_FORCE="yes"
 ;;
+ # PARAM_Usage: --ocsp
+ # PARAM_Description: Sets option in CSR indicating OCSP stapling to be mandatory
+ --ocsp)
+ PARAM_OCSP_MUST_STAPLE="yes"
+ ;;
+
 # PARAM_Usage: --privkey (-p) path/to/key.pem
 # PARAM_Description: Use specified private key instead of account key (useful for revocation)
 --privkey|-p)
-- 
2.47.3
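Review bot: The new OCSP_MUST_STAPLE value is copied from the config file or the command line but never validated, and the only consumer (the sign_domain hunk further down) compares it against the literal string `yes`, so a config line such as `OCSP_MUST_STAPLE="true"` or `"Yes"` silently leaves Must-Staple off while the operator believes it is enforced. For a security flag a silent no-op is worse than a hard error, and the file already has the pattern one line below for CHALLENGETYPE. Add, right after the new PARAM line, `[[ "${OCSP_MUST_STAPLE}" =~ ^(yes|no)$ ]] || _exiterr "Unknown OCSP_MUST_STAPLE value ${OCSP_MUST_STAPLE}... can not continue."`. load_config begins and continues outside this hunk.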
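Review bot: The added printf emits a bare OID and DER blob with no comment, and the operational caveat that matters is missing: a certificate carrying the RFC 7633 TLS Feature extension (status_request, commonly "OCSP Must-Staple") is hard-failed by enforcing clients whenever the server presents it without a fresh stapled OCSP response, so enabling this without stapling already configured on the TLS endpoint takes the site offline. A comment above the new `if` would cover both, for example `# RFC 7633 id-pe-tlsfeature (1.3.6.1.5.5.7.1.24), DER SEQUENCE { INTEGER 5 } = status_request ("OCSP Must-Staple"). Only enable when the TLS server already staples: enforcing clients reject a must-staple cert served without a staple.` The new test also uses `[ ... ]` where the rest of the file uses `[[ ... ]]`, so `if [[ "${OCSP_MUST_STAPLE}" = "yes" ]]; then` keeps the style consistent. Note that the extension in the CSR is only a request; whether the issued certificate actually carries it depends on the CA honoring it, and the script does not check the result. sign_domain begins and continues outside this hunk.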
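Review bot: The flag name `--ocsp` does not say what it does — it reads as generic OCSP handling, while the variable it sets is OCSP_MUST_STAPLE and the effect is to request a Must-Staple certificate; a name such as `--ocsp-must-staple` (keeping `--ocsp` as an alias if compatibility matters) would match the config variable and the README wording. The option can also only turn the feature on (`PARAM_OCSP_MUST_STAPLE="yes"`), so a config file with `OCSP_MUST_STAPLE="yes"` cannot be overridden to `no` for a single run from the command line — likely acceptable, but worth stating in the PARAM_Description line. main begins and continues outside this hunk.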