98 changes: 95 additions & 3 deletions getssl
Expand Up @@ -308,6 +308,7 @@ VERSION="2.49"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY_TYPE="rsa"
ACME_RESPONSE_PENDING_WAIT=5
ARI_ENABLE="true"
CA_CERT_LOCATION=""
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CHALLENGE_CHECK_TYPE="http"
Expand Down Expand Up @@ -375,6 +376,7 @@ _NOMETER=""
_QUIET=0
_RECREATE_CSR=0
_REDIRECT_OUTPUT="1>/dev/null 2>&1"
_REPLACES=""
_REVOKE=0
_SHOW_ACCOUNT_ID=0
_TEST_SKIP_CNAME_CALL=0
Expand Down Expand Up @@ -1212,12 +1214,13 @@ create_order() {
dstring="${dstring}{\"type\":\"dns\",\"value\":\"$d\"},"
done
dstring="${dstring::${#dstring}-1}]"
replaces="${_REPLACES:+, \"replaces\": \"${_REPLACES}\"}"

# Check if the server supports profiles using the URL_profiles variable
if [[ -z "$URL_profiles" ]]; then
request="{\"identifiers\": $dstring}"
request="{\"identifiers\": $dstring$replaces}"
else
request="{\"identifiers\": $dstring, \"profile\": \"$PROFILE\"}"
request="{\"identifiers\": $dstring, \"profile\": \"$PROFILE\"$replaces}"
fi
send_signed_request "$URL_newOrder" "$request"
OrderLink=$(echo "$responseHeaders" | grep -i location | awk '{print $2}'| tr -d '\r\n ')
Expand Down Expand Up @@ -1267,6 +1270,94 @@ create_order() {
fi
}

renew_ari() { # Output "1" if ARI says we should renew
if [[ "$ARI_ENABLE" == "false" ]]; then
debug "ARI is disabled"
return 1
fi

if [[ -z "$URL_renewInfo" ]]; then
debug "Endpoint does not support ARI"
return 1
fi

# If cert has expired, don't fetch ARI info and just say we should renew

if [[ "$1" -lt "$(date +s)" ]]; then
debug "Certificate expired, not fetching ARI info"
return 0
fi

# Construct the certificate identifier which is the base64url encoding
# of the authority key identifier and serial number

aki=$(openssl x509 -noout -text -in "$CERT_FILE" 2>/dev/null |
grep "Authority Key Identifier" -A1 | \
grep -E '^[A-Fa-f0-9: ]+$' | \
tr -d ':' | \
hex2bin | \
urlbase64)

serial=$(openssl x509 -noout -text -in "$CERT_FILE" 2>/dev/null | \
grep "Serial Number" -A1 | \
grep -E '^[A-Fa-f0-9: ]+$' | \
tr -d ': ')

# If the high bit is set then we need to prepend an extra byte so
# the DER encoding is positive

if printf "%s\n" "$serial" | grep -q -E '^[89ABCDEFabcdef]'; then
serial="00$serial"
fi

serialb64=$(printf "%s\n" "$serial" | hex2bin | urlbase64)

debug "Authority key id is $aki, serial is $serialb64"

response=$(curl ${_NOMETER} --user-agent "$CURL_USERAGENT" --silent "${URL_renewInfo}/${aki}.${serialb64}")

debug "ARI response is $response"

starttime=$(json_get "$response" suggestedWindow start)

if [[ -z "$starttime" ]]; then
info "Warning: ARI query returned $response"
info "Not processing ARI renewal info"
return 1
fi

debug "Renewal window starts at $starttime"

if [[ "$(date +%s)" -gt $(date_rfc3339 "$starttime") ]]; then
debug "Within ARI rewewal window, using ARI"
_REPLACES="${aki}.${serialb64}"
return 0
fi

debug "Not within ARI renewal window"

return 1
}

date_rfc3339() { # convert rfc3339 format date into epoch time
convdate=$(printf "%s\n" "$1" | tr a-z A-Z)
if [[ "${convdate: -1:1}" == 'Z' ]]; then
convdate="${convdate:0:${#convdate}-1}+0000"
else
convdate=$(printf "%s\n" "$convdate" | sed -e 's/:\([0-9][0-9]\)$/\1/')
fi

if [[ "$os" == "bsd" ]]; then
date -j -f "%Y-%m-%dT%H:%M:%S%z" "$convdate" +%s
elif [[ "$os" == "mac" ]]; then
date -j -f "%Y-%m-%dT%H:%M:%S%z" "$convdate" +%s
elif [[ "$os" == "busybox" ]]; then
date -D "%Y-%m-%dT%H:%M:%S%z" -d "$convdate" +%s
else
date -d "$convdate" +%s
fi
}

date_epoc() { # convert the date into epoch time
if [[ "$os" == "bsd" ]]; then
date -j -f "%b %d %T %Y %Z" "$1" +%s
Expand Down Expand Up @@ -2512,6 +2603,7 @@ obtain_ca_resource_locations()
URL_newNonce=$(echo "$ca_all_loc" | grep "newNonce" | awk -F'"' '{print $4}')
URL_newOrder=$(echo "$ca_all_loc" | grep "newOrder" | awk -F'"' '{print $4}')
URL_revoke=$(echo "$ca_all_loc" | grep "revokeCert" | awk -F'"' '{print $4}')
URL_renewInfo=$(echo "$ca_all_loc" | grep "renewalInfo" | awk -F'"' '{print $4}')

URL_profiles=""
# Check if we have a profiles element
Expand Down Expand Up @@ -3586,7 +3678,7 @@ if [[ -s "$CERT_FILE" ]] && [[ $_SHOW_ACCOUNT_ID -eq 0 ]]; then
debug "existing cert is for domains: ${sorted_sanlist}"
if [[ "$enddate" != "-" ]]; then
enddate_s=$(date_epoc "$enddate")
if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]] && [[ "$existing_sanlist" == "$sorted_sanlist" ]]; then
if ! renew_ari "$enddate_s" && [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]] && [[ "$existing_sanlist" == "$sorted_sanlist" ]]; then
issuer=$(openssl x509 -in "$CERT_FILE" -noout -issuer 2>/dev/null)
if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v02.api.letsencrypt.org" ]]; then
debug "upgrading from fake cert to real"
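Review bot: The expired-certificate short-circuit in renew_ari (hunk `@@ -1267,6 +1270,94 @@`) compares against `$(date +s)`, which prints the literal string `s` rather than the epoch time, so `[[ "$1" -lt "$(date +s)" ]]` evaluates `s` as an empty arithmetic variable (0) and the branch never fires; an expired certificate still goes through the ARI fetch. The fix is the one-character format change `if [[ "$1" -lt "$(date +%s)" ]]; then`, matching the `date +%s` already used a few lines below. A second gap in the same function is the renewal-window test `[[ "$(date +%s)" -gt $(date_rfc3339 "$starttime") ]]`: if date_rfc3339 prints nothing (unparseable `start` value or a `date` variant that rejects the format), the empty operand is treated as 0 and the test silently reports "within window", so I would capture it first and bail out on empty, e.g. `windowstart=$(date_rfc3339 "$starttime"); [[ -n "$windowstart" ]] || { info "Warning: could not parse ARI window start $starttime"; return 1; }`. Separately, the debug string on the success path reads `rewewal`, which should be `renewal` if anyone greps logs for it.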