Only print full chain on signcsr command if --full-chain/-fc is set (related to #150)

d81eb585 · Lukas Schauer · 117d5d62 · d81eb585 · d81eb585
Commit d81eb585 authored Aug 04, 2016 by Lukas Schauer
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 13 deletions

CHANGELOG CHANGELOG +1 -1

letsencrypt.sh letsencrypt.sh +23 -12

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,7 +6,7 @@ This file contains a log of major changes in letsencrypt.sh
 - Config is now named `config` instead of `config.sh`!
 - Location of domains.txt is now configurable via DOMAINS_TXT config variable
 - Location of certs directory is now configurable via CERTDIR config variable
- signcsr command now also outputs chain certificate
+- signcsr command now also outputs chain certificate if --full-chain/-fc is set
 - Location of account-key(s) changed
 - Default WELLKNOWN location is now `/var/www/letsencrypt`
 - New version of Let's Encrypt Subscriber Agreement

--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -788,24 +788,29 @@ command_sign_csr() {
  certfile="$(_mktemp)"
  sign_csr "$(< "${csrfile}" )" 3> "${certfile}"

-  # get and convert ca cert
-  chainfile="$(_mktemp)"
-  http_request get "$(openssl x509 -in "${certfile}" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${chainfile}"
-
-  if ! grep -q "BEGIN CERTIFICATE" "${chainfile}"; then
-    openssl x509 -inform DER -in "${chainfile}" -outform PEM -out "${chainfile}"
-  fi
-
-  # output full chain
+  # print cert
  echo "# CERT #" >&3
  cat "${certfile}" >&3
  echo >&3
-  echo "# CHAIN #" >&3
-  cat "${chainfile}" >&3
+
+  # print chain
+  if [ -n "${PARAM_FULL_CHAIN:-}" ]; then
+    # get and convert ca cert
+    chainfile="$(_mktemp)"
+    http_request get "$(openssl x509 -in "${certfile}" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${chainfile}"
+
+    if ! grep -q "BEGIN CERTIFICATE" "${chainfile}"; then
+      openssl x509 -inform DER -in "${chainfile}" -outform PEM -out "${chainfile}"
+    fi
+
+    echo "# CHAIN #" >&3
+    cat "${chainfile}" >&3
+
+    rm "${chainfile}"
+  fi

  # cleanup
  rm "${certfile}"
-  rm "${chainfile}"

  exit 0
 }
@@ -978,6 +983,12 @@ main() {
        set_command cleanup
        ;;

+      # PARAM_Usage: --full-chain (-fc)
+      # PARAM_Description: Print full chain when using --signcsr
+      --full-chain|-fc)
+        PARAM_FULL_CHAIN="1"
+        ;;
+
      # PARAM_Usage: --ipv4 (-4)
      # PARAM_Description: Resolve names to IPv4 addresses only
      --ipv4|-4)