added option to set csr-flag indicating ocsp stapling to be mandatory

8e77ba5e · Lukas Schauer · 0d8b9289 · 8e77ba5e · 8e77ba5e · 8e77ba5e
Commit 8e77ba5e authored May 26, 2016 by Lukas Schauer
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

CHANGELOG CHANGELOG +3 -0

README.md README.md +1 -0

docs/examples/config docs/examples/config +3 -0

letsencrypt.sh letsencrypt.sh +11 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,9 @@ This file contains a log of major changes in letsencrypt.sh
 - Config is now named `config` instead of `config.sh`!
 - Location of domains.txt is now configurable via DOMAINS_TXT config variable
+## Added
+- Added option to add CSR-flag indicating OCSP stapling to be mandatory
 ## [0.2.0] - 2016-05-22
 ### Changed
 - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys

--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ Commands:
 Parameters:
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks

--- a/docs/examples/config
+++ b/docs/examples/config
@@ -78,3 +78,6 @@
 # Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
 #LOCKFILE="${BASEDIR}/lock"
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -78,6 +78,7 @@ load_config() {
  OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
  CONTACT_EMAIL=
  LOCKFILE=
+  OCSP_MUST_STAPLE="no"
  if [[ -z "${CONFIG:-}" ]]; then
    echo "#" >&2
@@ -128,6 +129,7 @@ load_config() {
  [[ -n "${PARAM_CERTDIR:-}" ]] && CERTDIR="${PARAM_CERTDIR}"
  [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
  [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
+  [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
  [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue."
  if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
@@ -535,6 +537,9 @@ sign_domain() {
  tmp_openssl_cnf="$(_mktemp)"
  cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
  printf "[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}"
+  if [ "${OCSP_MUST_STAPLE}" = "yes" ]; then
+    printf "\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "${tmp_openssl_cnf}"
+  fi
  openssl req -new -sha256 -key "${CERTDIR}/${domain}/${privkey}" -out "${CERTDIR}/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config "${tmp_openssl_cnf}"
  rm -f "${tmp_openssl_cnf}"
@@ -854,6 +859,12 @@ main() {
        PARAM_FORCE="yes"
        ;;
+      # PARAM_Usage: --ocsp
+      # PARAM_Description: Sets option in CSR indicating OCSP stapling to be mandatory
+      --ocsp)
+        PARAM_OCSP_MUST_STAPLE="yes"
+        ;;
      # PARAM_Usage: --privkey (-p) path/to/key.pem
      # PARAM_Description: Use specified private key instead of account key (useful for revocation)
      --privkey|-p)