diff --git a/cm.sh b/cm.sh index fe63f57d7d3b3bf8d3dfe25c14aa11cdff4c8044..18ee74283dd968ecfdc9f0cd62cf686cd879c398 100755 --- a/cm.sh +++ b/cm.sh @@ -58,25 +58,37 @@ function _certMustNotExist(){ # known directory (based on CM_diracme - see inc_config.sh) # used in public_add and public_renew function _certTransfer(){ - _wd "--- acme internal data" + _wd "--- acme internal data - ~/.acme.sh/${CM_fqdn}" ls -l ~/.acme.sh/${CM_fqdn} _wd "--- transfer acme.sh files to ${CM_dircerts}" $ACME \ --install-cert \ -d ${CM_fqdn} \ - --cert-file ${CM_dircerts}/${CM_fqdn}.cert.pem \ - --fullchain-file ${CM_dircerts}/${CM_fqdn}.fullchain.pem \ + --cert-file ${CM_outfile_cert} \ + --fullchain-file ${CM_outfile_chain} \ + --ca-file ${CM_outfile_ca} \ || exit 1 # --key-file ${CM_dircerts}/${CM_fqdn}.key.pem \ _wd "--- copy key to ${CM_dircerts}" - cp ${CM_filekey} ${CM_dircerts}/${CM_fqdn}.key.pem + cp ${CM_filekey} ${CM_outfile_key} _wd "--- content of output dir $CM_dircerts:" ls -l $CM_dircerts/* } +# internal function; show md5 hashsums for certificate, csr and key +# for visual comparison if the match +# TODO: script a comparison to write out MATCH or FAIL +function _certMatching(){ + echo + echo "--- compare hashes to see if they match" + echo -n "cert : "; openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 + echo -n "csr : "; openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 + echo -n "key : "; openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5 + echo +} # internal function: dig for given fqdn. # Function stops if fqdn was not found in DNS. 
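Review bot: The three hash lines in `_certMatching` can report a "match" when nothing was compared: if `openssl x509`, `openssl req` or `openssl rsa` cannot read its file it prints nothing and exits non-zero, but the pipeline's status is that of `openssl md5`, which hashes the empty input and exits 0, so all three lines show `d41d8cd98f00b204e9800998ecf8427e` (the MD5 of an empty string) and look identical. `openssl rsa -modulus` additionally rejects non-RSA (EC) keys, giving the same empty hash. Since the TODO asks for a scripted MATCH/FAIL anyway, comparing a SHA-256 of the DER public key (works for RSA and EC) and failing when any extraction step fails closes both gaps; sketch below, with callers then able to do `_certMatching || exit 1`. Both `_certTransfer` and `_certMatching` lie entirely inside this hunk.
```shell
# internal function: print sha256 of the DER public key that the given
# openssl command (x509/req/pkey ...) emits as PEM; fails if that command
# fails, so a missing or unreadable file never produces a hash.
function _pubkeyHash(){
    local pem
    pem=$(openssl "$@") || return 1
    printf '%s\n' "${pem}" | openssl pkey -pubin -outform DER | openssl sha256
}

# internal function: compare public keys of certificate, csr and key.
# Prints MATCH or FAIL; returns non-zero on FAIL so callers can abort.
function _certMatching(){
    local h_cert h_csr h_key
    echo
    echo "--- compare public keys to see if cert, csr and key match"
    h_cert=$(_pubkeyHash x509 -noout -pubkey -in "${CM_outfile_cert}") || { echo "FAIL: cannot read ${CM_outfile_cert}"; return 1; }
    h_csr=$(_pubkeyHash req -noout -pubkey -in "${CM_filecsr}")        || { echo "FAIL: cannot read ${CM_filecsr}"; return 1; }
    h_key=$(_pubkeyHash pkey -pubout -in "${CM_outfile_key}")          || { echo "FAIL: cannot read ${CM_outfile_key}"; return 1; }
    echo "cert : ${h_cert}"
    echo "csr  : ${h_csr}"
    echo "key  : ${h_key}"
    if [ "${h_cert}" = "${h_csr}" ] && [ "${h_cert}" = "${h_key}" ]; then
        echo "MATCH"; echo; return 0
    fi
    echo "FAIL: public keys differ"; echo; return 1
}
```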
@@ -143,6 +155,18 @@ function _requiresFqdn(){ fi } +function _testStaging(){ + echo $ACME_Params | grep "\-\-staging" >/dev/null + if [ $? -eq 0 ]; then + _wd "Using LE STAGE environment ..." + _wd "You can test and mess around. Do not use certs in production." + else + _wd "Using LE LIVE environment for production." + _wd "Be careful with count of connects to LE servers." + fi + echo +} + # set update message in a file # param string(s) message function _update(){ @@ -171,13 +195,20 @@ function public_add(){ _wd "--- create output dir $dircerts" mkdir -p "${CM_dircerts}" 2>/dev/null - # _wd "--- domains in csr" + _wd "--- csr data" $ACME --showcsr --csr $CM_filecsr || exit 1 _wd "--- create certificate" - $ACME --signcsr --force --csr $CM_filecsr $ACME_Params || exit 1 + $ACME --signcsr --csr $CM_filecsr $ACME_Params + if [ $? -ne 0 ]; then + echo "ERROR: adding cert failed. Trying to delete internal data ..." + public_delete $CM_fqdn + exit 1 + fi + # $ACME --issue -d $CM_fqdn $ACME_Params || exit 1 _certTransfer + _certMatching _update "added $CM_fqdn $*" } @@ -192,7 +223,9 @@ function public_delete(){ # TODO: revoke it too?? # $ACME --revoke -d ${CM_fqdn} || exit 2 - $ACME --remove -d ${CM_fqdn} || exit 2 + _wd "--- delete ACME.SH data" + $ACME --remove -d ${CM_fqdn} $ACME_Params + _wd "--- delete local data" rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn} _update "deleted ${CM_fqdn}" } @@ -211,8 +244,11 @@ function public_list(){ function public_renew(){ _requiresFqdn _certMustExist - $ACME --renew --force -d ${CM_fqdn} || exit 2 + $ACME --renew -d ${CM_fqdn} $ACME_Params || exit 2 + _certTransfer + _certMatching + _update "renew ${CM_fqdn}" } 
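Review bot: In `_testStaging`, `echo $ACME_Params | grep "\-\-staging" >/dev/null` followed by `if [ $? -eq 0 ]` is two steps for one test, and the unquoted `$ACME_Params` is word-split and glob-expanded before `echo` sees it (a `*` in the parameters would expand against the cwd). A single conditional with a fixed-string match reads more plainly: `if grep -qF -- "--staging" <<<"${ACME_Params}"; then`. The function lies entirely inside this hunk.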
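Review bot: The new failure branch after `$ACME --signcsr` calls `public_delete $CM_fqdn`, and `public_delete` (in the next hunk) runs `rm -rf` over `${CM_filekey}` and `${CM_filecsr}` as well as the acme.sh data, so a transient signing failure — a rate limit, a DNS hiccup — destroys the private key and CSR the user prepared, while the message only promises to delete "internal data". A retry then needs a fresh key and CSR. Limiting the cleanup to acme.sh state keeps the retry cheap: replace the `public_delete $CM_fqdn` line with `$ACME --remove -d "${CM_fqdn}" $ACME_Params` and `rm -rf -- ~/.acme.sh/"${CM_fqdn:?}"`. `public_add` starts above this hunk.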
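Review bot: `rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn}` in `public_delete` runs with unquoted variables and no guard against an empty one; `CM_dircerts` and the last path are both built from `CM_fqdn` (see the assignments later in this patch), so an empty `CM_fqdn` would aim them at `${CM_diracme}/` and `~/.acme.sh/`. Dropping `|| exit 2` from the `--remove` line is presumably so the cleanup called from `public_add` can proceed when acme.sh has nothing to remove, but a real removal failure is now silent. Suggested: `$ACME --remove -d "${CM_fqdn}" $ACME_Params || _wd "WARNING: acme.sh --remove failed"` and `rm -rf -- "${CM_dircerts:?}" "${CM_filecnf:?}" "${CM_filekey:?}" "${CM_filecsr:?}" ~/.acme.sh/"${CM_fqdn:?}"`. `public_delete` starts above this hunk, so `_requiresFqdn` may already cover the empty case — I can't see it from here.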
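Review bot: With `--force` gone, `$ACME --renew -d ${CM_fqdn} $ACME_Params || exit 2` exits with the same code whether acme.sh actually failed or merely skipped a certificate that is not yet due — as far as I recall acme.sh returns 2 for a skipped renewal, but confirm against the version in use. Either way the operator gets no message before the exit, and `_certTransfer`/`_certMatching` are silently not run. At minimum: `$ACME --renew -d "${CM_fqdn}" $ACME_Params || { _wd "renew failed or not yet due - nothing transferred"; exit 2; }`; if the skip code is confirmed, treat it as a non-error exit 0. `public_renew` lies entirely inside this hunk.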
@@ -225,12 +261,14 @@ function public_show(){ ls -l ${CM_filecsr} ${CM_dircerts}/* echo $line - echo $CM_filecsr - openssl req -noout -text -in $CM_filecsr + echo CSR $CM_filecsr + openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)" echo $line - echo ${CM_dircerts}/${CM_fqdn}.cert.pem - openssl x509 -noout -text -in ${CM_dircerts}/${CM_fqdn}.cert.pem + echo Cert ${CM_outfile_cert} + # openssl x509 -noout -text -in ${CM_outfile_cert} + openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|DNS:)" + _certMatching } @@ -254,9 +292,7 @@ ENDOFHEADER which openssl >/dev/null || exit 1 - . ./inc_config.sh - if [ $? -ne 0 ]; then echo "ERROR: loading the config failed." echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it." @@ -264,7 +300,7 @@ if [ $? -ne 0 ]; then exit 1 fi - +_testStaging grep "function\ public_$1" $0 >/dev/null if [ $# -gt 0 -a $? -eq 0 ]; then @@ -287,9 +323,12 @@ if [ $# -gt 0 -a $? -eq 0 ]; then CM_filekey="${CM_dircsr}/${CM_fqdn}.key" CM_dircerts="${CM_diracme}/${CM_fqdn}" + CM_outfile_cert=${CM_dircerts}/${CM_fqdn}.cert.cer + CM_outfile_chain=${CM_dircerts}/${CM_fqdn}.fullchain.cer + CM_outfile_key=${CM_dircerts}/${CM_fqdn}.key.pem + CM_outfile_ca=${CM_dircerts}/${CM_fqdn}.ca.cer - # echo $CM_fqdn - # set | grep "^CM_" + # echo $CM_fqdn; set | grep "^CM_"; echo _wd "A C T I O N -->> $action <<--" eval "public_$action $*" @@ -326,3 +365,6 @@ ACTIONs for all certs EOF fi + +echo +_testStaging \ No newline at end of file diff --git a/templates/csr.txt.dist b/templates/csr.txt.dist index bdf6cf21b1c75549d5c796bd716aea398adc6f34..f7b6a54d65bee995631e42d12c31a04723860ae3 100644 --- a/templates/csr.txt.dist +++ b/templates/csr.txt.dist 
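Review bot: Filtering `openssl x509 -noout -text` down to `Issuer:|Subject:|DNS:` drops the validity period, which is what a `show` action on short-lived Let's Encrypt certificates is most often consulted for — the `Not After :` line no longer appears. Extending the pattern restores it: `openssl x509 -noout -text -in "${CM_outfile_cert}" | grep -E "(Issuer:|Subject:|DNS:|Not Before|Not After)"`, or add `openssl x509 -noout -dates -in "${CM_outfile_cert}"` as a separate line. `public_show` starts above this hunk.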
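Review bot: Removing `. ./inc_config.sh` leaves the following `if [ $? -ne 0 ]; then echo "ERROR: loading the config failed."` testing the status of `which openssl >/dev/null || exit 1`, which is 0 whenever execution reaches that line, so the config-error branch can no longer fire — unless the sourcing moved to a place above this hunk that I cannot see. If it moved, the check should move with it, e.g. `. ./inc_config.sh || { echo "ERROR: loading the config failed."; echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it."; exit 1; }`; if it did not, the script now runs without its config, and the `_testStaging` call added in the next hunk reads an `$ACME_Params` that presumably comes from it.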
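Review bot: The new `CM_outfile_cert`/`CM_outfile_chain` names end in `.cert.cer`/`.fullchain.cer`, while `_certTransfer` (first hunk of this patch) previously wrote `.cert.pem`/`.fullchain.pem` into the same directory; on an existing install a web server configured with the `.pem` paths keeps serving the stale file after the next renew, and nothing removes the old names. Either keep the `.pem` names, or have the transfer retire them, e.g. `rm -f -- "${CM_dircerts}/${CM_fqdn}.cert.pem" "${CM_dircerts}/${CM_fqdn}.fullchain.pem"` after `--install-cert`, with a note in the changelog. These assignments sit inside the `if [ $# -gt 0 -a $? -eq 0 ]` block, which starts above this hunk.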
@@ -3,13 +3,19 @@ # openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr # on the command line. -# (1) the name of your location +# state as 2 letter code +COUNTRY = CH + +# state +STATE = Bern + +# the name of your location LOCATION = Anywhere -# (2) the name of your organization +# the name of your organization ORGNAME = My company -# (3) the name of your organization unit +# the name of your organization unit UNITNAME = Department for magic things @@ -33,12 +39,13 @@ req_extensions = req_ext [ dn ] -C = CH -ST = Bern +C = $COUNTRY +ST = $STATE L = $LOCATION O = $ORGNAME OU = $UNITNAME CN = $FQDN +# emailAddress=webmaster@example.com [ req_ext ] subjectAltName = $ALTNAMES
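Review bot: The comment above `COUNTRY = CH` reads `# state as 2 letter code`, but the value feeds `C =` in the `[ dn ]` section further down, and the very next field is the actual `STATE`; suggest `# country as 2 letter ISO 3166-1 code (goes into C=)`. It may also help operators to note there that openssl rejects a C value that is not exactly two characters, if that holds for the openssl build in use.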