
Add script to check if alternative subjects (DNS) has changed

Update `$le_check_command` so that it fails when the alternative subjects (DNS SANs) of the existing certificate no longer match the CSR, which causes the certificate to be renewed.
pull/15/head
Daniel Klockenkämper 4 years ago
parent
commit
144b57f231
4 changed files with 32 additions and 1 deletions
  1. +20
    -0
      files/letsencrypt_check_altnames.sh
  2. +1
    -0
      manifests/params.pp
  3. +2
    -1
      manifests/request.pp
  4. +9
    -0
      manifests/request/handler.pp

+ 20
- 0
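--- a/files/letsencrypt_check_altnames.sh
+++ b/files/letsencrypt_check_altnames.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -e
+export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+CSR=${1}
+CRT=${2}
+
+declare -a CSR_DNS=($(openssl req -text -noout -in ${CSR} | awk '/DNS/ {print}' | sed s/,//g))
+declare -a CRT_DNS=($(openssl x509 -text -noout -in ${CRT} -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux | awk '/DNS/ {print}' | sed s/,//g))
+declare -a DIFF=()
+
+OLD_IFS=$IFS
+IFS=$'\n\t'
+
+DIFF=($(comm -3 <(echo "${CSR_DNS[*]}" | sort -u) <(echo "${CRT_DNS[*]}" | sort -u)))
+IFS=${OLD_IFS}
+
+test -z "${DIFF[*]}" || exit 1
+exit 0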
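Review bot: An openssl parse failure on either input is silently turned into an empty SAN list, because `declare -a X=($(...))` returns declare's own status and the `set -e` on line 3 never sees the failed command substitution; an unreadable CSR then compares as "every name changed", and when the script is run on its own with two unparsable files both lists are empty and it reports "unchanged" (exit 0). Capturing the openssl output in a plain assignment with an explicit `|| exit 2` makes the failure visible to the `&&` chain that calls this script, and `${1:?}`/`${2:?}` rejects a missing argument instead of handing an empty path to openssl. Matching `/DNS:/` instead of `/DNS/` avoids picking up unrelated lines that merely contain those letters, and quoting `"${CSR}"`/`"${CRT}"` keeps paths with spaces intact. The IFS handling and the `comm` comparison can stay as they are.
```shell
CSR=${1:?usage: $0 CSR CRT}
CRT=${2:?usage: $0 CSR CRT}

# Parse both inputs up front so an openssl failure is reported (exit 2)
# instead of degrading into an empty name list.
csr_text=$(openssl req -text -noout -in "${CSR}") || exit 2
crt_text=$(openssl x509 -text -noout -in "${CRT}" -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux) || exit 2
declare -a CSR_DNS=($(printf '%s\n' "${csr_text}" | awk '/DNS:/ {print}' | sed s/,//g))
declare -a CRT_DNS=($(printf '%s\n' "${crt_text}" | awk '/DNS:/ {print}' | sed s/,//g))
# … unchanged: IFS handling, comm diff and exit status …
```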

+ 1
- 0
manifests/params.pp View File

@@ -30,4 +30,5 @@ class letsencrypt::params {

$letsencrypt_chain_request = "${handler_base_dir}/letsencrypt_get_certificate_chain.sh"
$letsencrypt_ocsp_request = "${handler_base_dir}/letsencrypt_get_certificate_ocsp.sh"
$letsencrypt_check_altnames = "${handler_base_dir}/letsencrypt_check_altnames.sh"
}

+ 2
- 1
manifests/request.pp View File

@@ -44,7 +44,7 @@ define letsencrypt::request (
$dehydrated_hook = $::letsencrypt::params::dehydrated_hook
$dehydrated_conf = $::letsencrypt::params::dehydrated_conf
$letsencrypt_chain_request = $::letsencrypt::params::letsencrypt_chain_request
$letsencrypt_check_altnames = $::letsencrypt::params::letsencrypt_check_altnames

File {
owner => 'letsencrypt',
@@ -69,6 +69,7 @@ define letsencrypt::request (
$le_check_command = join([
"/usr/bin/test -f ${crt_file}",
"/usr/bin/openssl x509 -checkend 2592000 -noout -in ${crt_file}",
"${letsencrypt_check_altnames} ${csr_file} ${crt_file}"
], ' && ')

$le_command = join([
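Review bot: `$le_check_command` now decides renewal on three different conditions and deserves a comment, since the exec parameter it feeds is outside this hunk (presumably an `unless`, which I could not confirm from here). I would add above the `join` on line 69: `# Certificate counts as current only if it exists, is valid for more than 30 days (2592000 s) and its DNS SANs match the CSR; any non-zero exit from this chain triggers (re)issuance.` It is also worth stating that the altnames script compares DNS SANs only — a changed CN or key with identical SANs still passes, which matches the commit's intent but should not be relied on for key rotation. The `$le_command` definition that starts at the last line of this hunk continues outside it.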


+ 9
- 0
manifests/request/handler.pp View File

@@ -48,6 +48,7 @@ class letsencrypt::request::handler(
$dehydrated_conf = $::letsencrypt::params::dehydrated_conf
$letsencrypt_chain_request = $::letsencrypt::params::letsencrypt_chain_request
$letsencrypt_ocsp_request = $::letsencrypt::params::letsencrypt_ocsp_request
$letsencrypt_check_altnames = $::letsencrypt::params::letsencrypt_check_altnames

user { 'letsencrypt' :
gid => 'letsencrypt',
@@ -141,5 +142,13 @@ class letsencrypt::request::handler(
content => template('letsencrypt/letsencrypt_get_certificate_ocsp.sh.erb'),
}

file { $letsencrypt_check_altnames :
ensure => file,
owner => root,
group => letsencrypt,
mode => '0755',
content => file('letsencrypt/letsencrypt_check_altnames.sh'),
}

Letsencrypt::Request<<| tag == $::fqdn |>>
}
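Review bot: `content => file('letsencrypt/letsencrypt_check_altnames.sh')` in the new file resource relies on `file()` accepting a module-relative path, which as far as I recall only newer Puppet releases support, whereas the sibling resources in this class use `template()`; if the module is meant to work on older masters, `source => 'puppet:///modules/letsencrypt/letsencrypt_check_altnames.sh'` is the portable form. The exported `Letsencrypt::Request` resources collected on the last line of the hunk run the check command that invokes this script, and unless ordering is guaranteed elsewhere (request.pp is outside this hunk) the first run may evaluate the check before the file exists, so a `require => File[$letsencrypt_check_altnames]` on that exec would be prudent. Root ownership with mode 0755 looks right here: the script is executed as part of a renewal decision, so it must not be writable by the account that runs it — worth a one-line comment on the resource saying so.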
