free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Include backup pin for certificates

Bob Mottram 8 years ago
parent
019c3ba542
commit
ec9395fcec
No account linked to committer's email
1 changed files with 9 additions and 2 deletions
Split View Show Diff Stats
  1. 9
    2
      src/freedombone-pin-cert

+ 9
- 2
src/freedombone-pin-cert View File 

@@ -35,10 +35,16 @@ export TEXTDOMAINDIR="/usr/share/locale"
35 35
36 36 
 DOMAIN_NAME=$1
37 37 
 KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
38 
+BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
38 39 
 SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
39 40
40 41 
 if [ ! -f "$KEY_FILENAME" ]; then
41 
-    echo $"No certificate found for $DOMAIN_NAME"
42 
+    echo $"No private key certificate found for $DOMAIN_NAME"
43 
+    exit 1
44 
+fi
45 
+
46 
+if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
47 
+    echo $"No fullchain certificate found for $DOMAIN_NAME"
42 48 
     exit 1
43 49 
 fi
44 50 
 
@@ -47,8 +53,9 @@ if [ ! -f "$SITE_FILENAME" ]; then
47 53 
 fi
48 54
49 55 
 KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
56 
+BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
50 57
51 
-PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"
58 
+PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
52 59 
 if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
53 60 
     sed -i "/ssl_ciphers.*/a     $PIN_HEADER" $SITE_FILENAME
54 61 
 else