Include backup pin for certificates

src/freedombone-pin-cert

@@ -35,10 +35,16 @@ export TEXTDOMAINDIR="/usr/share/locale"
 
 DOMAIN_NAME=$1
 KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
+BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
 SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
 
 if [ ! -f "$KEY_FILENAME" ]; then
-    echo $"No certificate found for $DOMAIN_NAME"
+    echo $"No private key certificate found for $DOMAIN_NAME"
+    exit 1
+fi
+
+if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
+    echo $"No fullchain certificate found for $DOMAIN_NAME"
     exit 1
 fi
 
@@ -47,8 +53,9 @@ if [ ! -f "$SITE_FILENAME" ]; then
 fi
 
 KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
 
-PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
 if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
     sed -i "/ssl_ciphers.*/a     $PIN_HEADER" $SITE_FILENAME
 else