1
0

Compare commits

...

3 Commits

Author SHA1 Message Date
d3684274e3
doc: SSL example 2024-09-20 03:10:13 +03:00
91ec2a4c86
treewide: rework certificate handling
also:
- reorder some blocks in dockerfiles
- provide sane requirements.txt
2024-09-20 02:39:40 +03:00
62eeabff2b
bump Angie version
adjust versions across scripts/dockerfiles
2024-09-20 02:07:12 +03:00
32 changed files with 677 additions and 214 deletions

View File

@ -1,33 +1,33 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1-deps AS deps ARG IMAGE_VERSION
FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-deps AS deps
## --- ## ---
FROM deps AS certs FROM deps AS setup
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/ COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/ COPY /extra-scripts/* /usr/local/sbin/
## consult https://github.com/certifi/python-certifi/ ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin
ENV CERTIFI_COMMIT=bd8153872e9c6fc98f4023df9c2deaffea2fa463 COPY /apt/sources.angie /etc/apt/sources.list.d/angie.txt
RUN apt-install.sh ca-certificates ; \ RUN pkg='gnupg' ; \
## process certifi apt-install.sh ${pkg} ; \
ca_file='/etc/ssl/certs/ca-certificates.crt' ; \ ## process Angie GPG keyring / APT sources
openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp.orig" ; \ gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
ls -l "${ca_file}" ; \ rm -f /tmp/angie.gpg.bin ; \
certifi-extras.sh ; \ env -C /etc/apt/sources.list.d mv angie.txt angie.sources ; \
openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp" ; \ ## verify sources!
chmod 0444 "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig" ; \ apt-env.sh apt-get update ; \
ls -l "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig" apt-remove.sh ${pkg} ; \
apt-clean.sh
## --- ## ---
FROM deps AS pycache FROM deps AS pycache
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY /scripts/* /usr/local/sbin/ COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/ COPY /extra-scripts/* /usr/local/sbin/
@ -73,7 +73,8 @@ SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile /usr/local/share/ COPY /Dockerfile /usr/local/share/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/ COPY --from=setup /etc/apt/keyrings/angie.gpg.asc /etc/apt/keyrings/
COPY --from=setup /etc/apt/sources.list.d/angie.sources /etc/apt/sources.list.d/
## RFC: Python cache ## RFC: Python cache
## TODO: reduce load by selecting only __pycache__ directories in either way ## TODO: reduce load by selecting only __pycache__ directories in either way
@ -109,7 +110,7 @@ RUN apt-install.sh angie ; \
fi fi
## preserve snippets from Angie config directory ## preserve snippets from Angie config directory
## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.6.2/conf ## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.7.0/conf
RUN d=/etc/angie ; t=$(mktemp -d) ; \ RUN d=/etc/angie ; t=$(mktemp -d) ; \
tar -C "$d" -cf - \ tar -C "$d" -cf - \
fastcgi_params \ fastcgi_params \

View File

@ -2,7 +2,7 @@
ARG PYTHONTAG=3.11.10-slim-bookworm ARG PYTHONTAG=3.11.10-slim-bookworm
FROM docker.io/python:${PYTHONTAG} AS base-upstream FROM docker.io/python:${PYTHONTAG} AS base-upstream
FROM base-upstream AS base FROM base-upstream AS base-intermediate
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.base /usr/local/share/ COPY /Dockerfile.base /usr/local/share/
@ -223,5 +223,39 @@ RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
find /run/ -mindepth 1 -ls -delete || : ; \ find /run/ -mindepth 1 -ls -delete || : ; \
install -d -m 01777 /run/lock install -d -m 01777 /run/lock
## ---
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
## "2024.08.30"
ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81
# 'https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
ADD "${CERTIFI_URI}" /tmp/certifi.crt
RUN apt-install.sh ca-certificates ; \
apt-clean.sh ; \
ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
ls -l "${ca_file}" ; \
## process certifi
certifi-extras.sh /tmp/certifi.crt ; \
openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
mv -f "${ca_file}.new" "${ca_file}" ; \
chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
ls -l "${ca_file}" "${ca_file}.fp"
## ---
FROM base-intermediate AS base
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
ENTRYPOINT [ ] ENTRYPOINT [ ]
CMD [ "bash" ] CMD [ "bash" ]

View File

@ -1,28 +1,16 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1-base AS base ARG IMAGE_VERSION
FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-base AS base
## --- ## ---
FROM base AS setup FROM base AS build
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/ COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/ COPY /extra-scripts/* /usr/local/sbin/
ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin COPY /requirements.txt /tmp/
COPY /apt/sources.angie /etc/apt/sources.list.d/angie.txt
RUN pkg='gnupg' ; \
apt-install.sh ${pkg} ; \
## process Angie GPG keyring / APT sources
gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
rm -f /tmp/angie.gpg.bin ; \
env -C /etc/apt/sources.list.d mv angie.txt angie.sources ; \
## verify sources!
apt-env.sh apt-get update ; \
apt-remove.sh ${pkg} ; \
apt-clean.sh
ENV INSTALL_WHEELS='jinja2 netaddr psutil pyyaml wcmatch'
ENV DEV_PACKAGES='libyaml-dev' ENV DEV_PACKAGES='libyaml-dev'
# markupsafe, psutil # markupsafe, psutil
ENV CIBUILDWHEEL=1 ENV CIBUILDWHEEL=1
@ -42,7 +30,7 @@ RUN w=$(mktemp -d) ; : "${w:?}" ; \
rm -rf "$w/" ; unset w ; \ rm -rf "$w/" ; unset w ; \
apt-install.sh build-essential ; \ apt-install.sh build-essential ; \
pip-env.sh pip install 'cython' ; \ pip-env.sh pip install 'cython' ; \
pip-env.sh pip install --no-binary :all: ${INSTALL_WHEELS} ; \ pip-env.sh pip install --no-binary :all: -r /tmp/requirements.txt ; \
pip-env.sh pip uninstall -y 'cython' ; \ pip-env.sh pip uninstall -y 'cython' ; \
python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \ python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
rm -rf \ rm -rf \
@ -66,12 +54,9 @@ SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.deps /usr/local/share/ COPY /Dockerfile.deps /usr/local/share/
COPY --from=setup /etc/apt/keyrings/angie.gpg.asc /etc/apt/keyrings/
COPY --from=setup /etc/apt/sources.list.d/angie.sources /etc/apt/sources.list.d/
## Python: site-packages ## Python: site-packages
COPY --from=setup /usr/local/bin/ /usr/local/bin/ COPY --from=build /usr/local/bin/ /usr/local/bin/
COPY --from=setup /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/ COPY --from=build /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/
COPY /scripts/* /usr/local/sbin/ COPY /scripts/* /usr/local/sbin/

View File

@ -2,6 +2,8 @@
set -ef set -ef
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
IMAGE_VERSION="${IMAGE_VERSION:-v0.0.1}"
set -a set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}" BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"
BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}" BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
@ -27,7 +29,7 @@ grab_site_packages() {
PYTHON_SITE_PACKAGES=$(grab_site_packages "docker.io/python:${PYTHONTAG}") PYTHON_SITE_PACKAGES=$(grab_site_packages "docker.io/python:${PYTHONTAG}")
[ -n "${PYTHON_SITE_PACKAGES:?}" ] [ -n "${PYTHON_SITE_PACKAGES:?}" ]
img="docker.io/rockdrilla/angie-conv:v0.0.1-base" img="docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-base"
buildah bud --network="${BUILDAH_NETWORK}" \ buildah bud --network="${BUILDAH_NETWORK}" \
-f ./Dockerfile.base \ -f ./Dockerfile.base \

View File

@ -2,15 +2,18 @@
set -ef set -ef
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
IMAGE_VERSION="${IMAGE_VERSION:-v0.0.1}"
set -a set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}" BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"
BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}" BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}" BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
set +a set +a
img="docker.io/rockdrilla/angie-conv:v0.0.1-deps" img="docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-deps"
exec buildah bud \ exec buildah bud \
-f ./Dockerfile.deps \ -f ./Dockerfile.deps \
-t "${img}" \ -t "${img}" \
--pull=missing --no-cache --pull=missing --no-cache \
--build-arg "IMAGE_VERSION=${IMAGE_VERSION}" \

View File

@ -2,13 +2,15 @@
set -ef set -ef
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
IMAGE_VERSION="${IMAGE_VERSION:-v0.0.1}"
set -a set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}" BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"
BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}" BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}" BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
set +a set +a
ANGIE_VERSION="${ANGIE_VERSION:-1.6.2}" ANGIE_VERSION="${ANGIE_VERSION:-1.7.0}"
## likely the same as in https://pkg.go.dev/strconv#ParseBool ## likely the same as in https://pkg.go.dev/strconv#ParseBool
gobool_to_int() { gobool_to_int() {
@ -21,10 +23,10 @@ gobool_to_int() {
esac esac
} }
NGX_DEBUG=$(gobool_to_int "${1:-0}" 0) NGX_DEBUG=$(gobool_to_int "${NGX_DEBUG:-0}" 0)
case "${NGX_DEBUG}" in case "${NGX_DEBUG}" in
0 ) img="docker.io/rockdrilla/angie-conv:v0.0.1-${ANGIE_VERSION}" ;; 0 ) img="docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-${ANGIE_VERSION}" ;;
1 ) img="docker.io/rockdrilla/angie-conv:v0.0.1-${ANGIE_VERSION}-debug" ;; 1 ) img="docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-${ANGIE_VERSION}-debug" ;;
esac esac
exec buildah bud \ exec buildah bud \
@ -32,4 +34,5 @@ exec buildah bud \
-t "${img}" \ -t "${img}" \
--env "ANGIE_VERSION=${ANGIE_VERSION}" \ --env "ANGIE_VERSION=${ANGIE_VERSION}" \
--env "NGX_DEBUG=${NGX_DEBUG}" \ --env "NGX_DEBUG=${NGX_DEBUG}" \
--pull=missing --no-cache --pull=missing --no-cache \
--build-arg "IMAGE_VERSION=${IMAGE_VERSION}" \

View File

@ -4,3 +4,4 @@
- [static site with templates](static-template/README.md) - [static site with templates](static-template/README.md)
- [print env via NJS](njs/README.md) - [print env via NJS](njs/README.md)
- [print env via Perl](perl/README.md) - [print env via Perl](perl/README.md)
- [SSL with subdomains](ssl/README.md)

View File

@ -0,0 +1,16 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1
SHELL [ "/bin/sh", "-ec" ]
COPY /site/ /etc/angie/site/
COPY /static/ /etc/angie/static/
COPY /tls/ /etc/angie/tls/
ENV NGX_HTTP_CONFLOAD='ssl'
## same as above (adjusted to above variant by entrypoint):
## ENV NGX_HTTP_MODULES='ssl'
## serve with HTTP/2 (disabled by default):
## ENV NGX_HTTP_CONFLOAD='ssl v2'
## or
## ENV NGX_HTTP_MODULES='ssl v2'

View File

@ -0,0 +1,52 @@
# SSL with subdomains
configuration:
```nginx
server {
listen 8443 ssl;
server_name example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
```
Dockerfile:
```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1
COPY /site/ /etc/angie/site/
COPY /static/ /etc/angie/static/
COPY /tls/ /etc/angie/tls/
ENV NGX_HTTP_CONFLOAD='ssl'
```
Optional cut-off SSL server block:
```nginx
server {
listen 8443 ssl default_server bind deferred;
server_name _;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
## reject connections early
ssl_reject_handshake on;
}
```
Test URI e.g. with `curl`:
```sh
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve www.example.org:8443:127.0.0.1 https://www.example.org:8443/
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve test.example.org:8443:127.0.0.1 https://test.example.org:8443/
```

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIITliyKcJbVmEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
AxMHQ0EgUm9vdDAeFw0yNDA5MTkwMDAwMDBaFw0zNjA5MTgyMzU5NTlaMBIxEDAO
BgNVBAMTB0NBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP
0HWgtUwQ+OMm30ANf8Iy4H3tfGnfrDd4oQXqMjuW6Eh0nxzlWMIcvrN1l2Y2QscI
i+/6CNq6tirbkN3PIYFdboejROXPDRsh7ck+92PyJiEcbK0SbI/S/3bKGpeqmTy+
HvbkMvzlUJ/+SH6FgU3sCkYga43QDE8DT3PRf0zd7mBF2ij/OXtv69JehdTJBDa2
hW09Ivjfq5cHoMIEfIvTp8847TGIQDqU8k1N8A5brrU+2gHJ+H3GoV09ej5/cv6Q
9FU9DE/mTW7iDHjNVNgq4JQXJWyCYH6TfoKet+/8Q1odhe+4dG22lO6EgHdp5IIN
J5322FKKsuwZ1JhA/ZJ9AgMBAAGjYDBeMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFDHRuuHS1LwoRcTtUhLcp+DaEa/IMAsGA1UdDwQEAwIBBjAfBgNVHSUEGDAW
BgorBgEEAYI3CgMBBggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAQEAxRGAJ3nV
/ycyml5mm4q330Mnsa8Rc0DoVaQXfEyIIBkgYD2dIhvjnA5cK6AVStAJ/16lx77T
v5bG5/AyC2D7ISd8PLcpWrAtxo06cYM3OJjpWwl18oH1tS1L2hi6L8I2LNkW4TKQ
yFjRCYJvsM2QUnRL99S4JKiXACDMCTP/ZP87fQvmfi4lXCnUlQqgtnCq0+iCwXVJ
oR1SdOrmPz/NI23RA41U15LePwFuK5cTE0WhtyZej8ksv6V+5Z1aiIBTt/cMl+KH
2K9dmO+dNp1DJeSaeH+8rsDd44FkPvDi1nMjm4G51U2JVrbjift70DM/Ia/DPH72
bYJLgeFDhdfzMg==
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAz9B1oLVMEPjjJt9ADX/CMuB97Xxp36w3eKEF6jI7luhIdJ8c
5VjCHL6zdZdmNkLHCIvv+gjaurYq25DdzyGBXW6Ho0Tlzw0bIe3JPvdj8iYhHGyt
EmyP0v92yhqXqpk8vh725DL85VCf/kh+hYFN7ApGIGuN0AxPA09z0X9M3e5gRdoo
/zl7b+vSXoXUyQQ2toVtPSL436uXB6DCBHyL06fPOO0xiEA6lPJNTfAOW661PtoB
yfh9xqFdPXo+f3L+kPRVPQxP5k1u4gx4zVTYKuCUFyVsgmB+k36Cnrfv/ENaHYXv
uHRttpTuhIB3aeSCDSed9thSirLsGdSYQP2SfQIDAQABAoIBADAlMD9DiWQsOToO
AlGuTeBKHLqato+cnzxZ99wWd7JCTdkA7OmgitYsgzik0wgSp/htrTL8/qm/nwW/
1feRIF60RwXXJjO2KllNtPBa0cOtvEGQ1vb8AkUkrNFtYEJknotAcrwTKP56k5qO
kotdFd+v0KfdqxzuYRbX/zHjv3vxvQ/GxPAjyliAfrY+kt4I7tL30ZSCnLbmUEE5
22v5zAeehi5QnFx6P3jnuv6f5Nn84fl0BV5xHOVrAj3WHRVb5UiHrZc1N+A2hKAC
5SPYwLpf5RYQ4oJFCeUL3zZSSCSQnwa3jcSmCMV3flqL7ZsDI+EWJ9PwAEb1t7HF
gCAF1skCgYEA+iXXOB0IR5N1nHVVGUWJSCL8JihDE/xyw1EbXGJPfz2648R7sOEq
RqjnUNa7ODPlZ09Mf0zFhbWxAVEw4lCH++ZHCAw5JQ8mWCXwqd4zbcjJ6jzHtnn5
U7JoEwPfPXZ5bx1avSaXHoOjgHXeGCMuLEF2faJd8iqnGh9epGq4PEkCgYEA1K0U
SovG/1OoJw13LK5BQhSdcko5B03kAKROMVA6tvOekCYGC+MAqJtj/+lxkbLlTEtr
FUzFdAIv+djU7yd0CxGcsiic25AKUq/Ko3Etxe89agpI3I+kSfb2zzOiRqAPyYBP
AF9Crm6uJFZdATc2j/60DIElFlhD2qdDO6rWnJUCgYAhQqrNMT8KlVbMCOXZyF8q
kkxIno3cuHJh+gTTUdcUKhcRdeykZiwC3S50lzipjmzwQaEARCr3TmNMs4j2bpLG
MaY8MbPfc5Y7nj/TtlHMRShj1tUPNESslko0TQ1/1KLs3VBVWi45xnMU/5caSoM3
KzUgG1i2fGlfldA1uGLq0QKBgFENuasDhI7wwihIEIBd1Q8rLipNsVhgTiIUfJx8
uDPbuzWy2CEVnb2ko0L4JElkBdHC+IfAn4wr/T7abaTLw4UobDDWG5nuVpDW4ILT
8p76I8zTKJuuvu1VixDC2/jQrdOc6/73T0GNex7sLzv0X/4XE2Wkno7aitm9X3lR
DcPVAoGAUvleRG0hFMOFJH6jdX61/FW9tPZc+nPY3JXNYVvQLj9oEArgoT6crKfa
cBgRLYd3AZUfz6CY+8Ln81oNKWM2iTkv/+y8Mtt35r1+GeBHXvfgsDcJmKsaZ+Oh
/avdDrMT9UnLbIImYmhmixrMrypGtBMN5f2EVQZmk2CGe1lG5rw=
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDLDCCAhSgAwIBAgIIc9z+Nze+1ngwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
AxMHQ0EgUm9vdDAeFw0yNDA5MTkwMDAwMDBaFw0zNTA5MTgyMzU5NTlaMBYxFDAS
BgNVBAMTC0NBIEludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAs0SnuACpBbkmoPrdnrMKuGhA+dUML/PoF8RZI9BdQvnSa3r1mINw3442Hcrh
Nij0BeVqjK6DTk8yrLA3l9/bpXIubimXDWvzeMRRVduWPdEc9cdDhuksbrIApQow
3cP68U95pqwYbDsXtGqXOzDWnKQppok42OjaKL6zwNsM6Qs/UKVADJ7rmPSoZSa/
RCywhurnZt3eIDQjQqfJCnNifUXnLOD8JwyhSACBvxdQQnn2ibh78KA6LuECUDX9
jKOdgJvffwl1XaXqX9pfM9KwmoNs+utVOm9weENC0tnss/BftqzBo6szAeyIKzkk
xOjppCNz2Uou3UsVEVyCA6GAjQIDAQABo4GBMH8wDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUSsSalxeTY1qmvFLILIS3gZ4ynGMwHwYDVR0jBBgwFoAUMdG64dLU
vChFxO1SEtyn4NoRr8gwCwYDVR0PBAQDAgEGMB8GA1UdJQQYMBYGCisGAQQBgjcK
AwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQDJyKWDN6lD4/UTx12HrVqI
taOkOzFIBho+FSvCRI/ZLpeMj01WZIb9XkdhLZvUAh+c7jC/caMghGX5N8Kqunmr
x1HYnLm+C6QOdYy2djEml3ZwnbEn9yT1YYhRIZC993ipEzeNFm39J433l1PXYsLa
XNC99j58tVPFELcpimqe8eoUW2hYKZqFvswuta2PhX9mNYOSVk5ICl3rs0kr8gDR
3PC6vKmMxmTWTlg94JuTRCT0L5LD5Ode76iR7q0TY3XOzeDeEw3H99nPv3i69d2D
15pEo78xeNOZhbJ1OGUqBO45JrwhhJ4x9N+5SSnLSEvgv+qghVK+mkxAtvM/6fsp
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs0SnuACpBbkmoPrdnrMKuGhA+dUML/PoF8RZI9BdQvnSa3r1
mINw3442HcrhNij0BeVqjK6DTk8yrLA3l9/bpXIubimXDWvzeMRRVduWPdEc9cdD
huksbrIApQow3cP68U95pqwYbDsXtGqXOzDWnKQppok42OjaKL6zwNsM6Qs/UKVA
DJ7rmPSoZSa/RCywhurnZt3eIDQjQqfJCnNifUXnLOD8JwyhSACBvxdQQnn2ibh7
8KA6LuECUDX9jKOdgJvffwl1XaXqX9pfM9KwmoNs+utVOm9weENC0tnss/BftqzB
o6szAeyIKzkkxOjppCNz2Uou3UsVEVyCA6GAjQIDAQABAoIBABwMEkeGBuvHz4Th
KvpQ3c0DNqM/02PPP9E0HZQuXeEEMAkz2Cfv7KF1YP8hRkIQfzlK7vQqu41tc6qz
+UawNe+5IQ2IQUNOz+1lnaoWrHdod6T2c5iwc4ywGcy4fvO7XVAS1KAgjcOlLSzD
fny6w+EHCCMvle7N44/7Yik6vFbbcThUiaHhg52rfWVkxydEzSRLj/SnBwQTGuk2
vE/N2W3OkRWGpKmdjnrRsCJhF3XbHBqMQq9NoTxRUV9Uil2iGIvggW4cqT6hc0w6
gC+P/9/5atpOlbtKgEDMCMUM+ltwgDN12SnYwJDbp/pXNm6v7818bccueJ+W8KTX
kgRyF9ECgYEA+7/nRzFrFAkXItlASjuhtbachwu0bXBBYJMADHtN5V8scosX43vp
0Q150W6b8pJB/HYCrCpVv+9tSlT20PPwQR/UcpZKrEWkuAcNjQs/UNSRuZ2qyibc
nIp+jk9Rdt86BEj5UFmiylIUnHsHgW6O3tE+phedK0zH11d6mdwzT1kCgYEAtkt6
GZpFnmH8VFOoU006fPPETVnNNSNkn4ysNHzRC1OBDynWhiFWUW+23SdRaayCYTl9
IWpUTRVuW8Y4B1qO+rUd1C68+p8FlIaFFIT5Z1bCJ7e/M0hl6TSuIhrNa/ItUmEB
Ax330guUVr9IIGZiROliIcSdoGf9T9UqhvG8aFUCgYAmZt6TuJEZ7E0QLs2kxTXk
rydvXjS2oPIIFkRiowh93ae9DUSmmcdP8VtMvC+jr/XK2gGMW6Ta813bgdxogV17
waw5kn1vi+wVelXx1u5gmRxlkQx1a7opUuL9OFI37NM/xhXp0NKJRD4KpKW/c6rt
iEOjOGTsLvko+xojkDhveQKBgFY9Rrot/Zl8CX9rREqEUpMiT0+4mBf3cnb4ec8q
7UpKatfdlxtFUiyciQn+u8keT1/nbocMYm1FIjxQfdkcwl9gp4flxIlcCavGJ9cZ
QVPd+2QGzXFZYrz8qxR/UYcrvr0mHvB2kPLRf4+6VkjdpserET2gYmGsUG4gDkpg
uh0xAoGBAOcZk8EGQUiesG8mk3r1ylVpxjlpbVyQ0dwuehSsyKqYlFDAF/TWF6EQ
1k1GjwjXZmL5FuOhW1Ozh5m1kkg0tBW2jCevniRzLrUzBFRImuwfrOHH6FYyXBBs
q3+fn1htEiDB3xelFGPyFEMzUrEvUQNU3jkiypR8JNPoE09X5XtD
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIIKr9NphMObcAwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLQ0EgSW50ZXJuYWwwHhcNMjQwOTE5MDAwMDAwWhcNMzQwOTE4MjM1OTU5WjAW
MRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAJ+WCrO6ML91DNYfgzrc6XiZvOFNxBfbuPkPdFw6dx4wwJCFg0VcdH1W
BpVMMvczlntphpARGZ+bsktKRhsbDHNfbExo6Sn6b0x/xnUkFg34ukYhRdFs+xHC
/PO9t2a9LDcMsBr0yLBugbMYGZj2Ln+sp478aKyWNkQLBKOEfeijtg3qrIx0B/we
vd8Tx49ahQYB8XELiZa1mntqRpHewMr+ul6sf5z6JR3Jrokvzu7kGLjt1FN1VAQR
pkzqNYJX/vUJ3KIdZxWHyzyoIbra/VjeP/POIY22eQGDWwbg9sNVUyVKFPzkaSwV
+BAytQiEn2cEQtmxoPZ+iLkyiGgGFWUCAwEAAaOBrjCBqzAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBRrZV8OY2075agO7UQfsDcPKmt87TAfBgNVHSMEGDAWgBRKxJqX
F5NjWqa8UsgshLeBnjKcYzALBgNVHQ8EBAMCA/gwJwYDVR0lBCAwHgYIKwYBBQUH
AwEGCCsGAQUFBwMCBggrBgEFBQcDCDAlBgNVHREEHjAcggtleGFtcGxlLm9yZ4IN
Ki5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEApijiwX+Y6XR25Z0yyv9P
gAkZkE+X/rQuk+9PyuSXLWUg9x0p3G0RUwPHHwiUpYHnTmAf3iKoPHLltX+KxqkO
W3Kx07TId5FmK8UrCZ+Xs1yuvMHtwdAvf8DA8QCaWSa8N9QeYmbzArjM8035j16+
rFiMaO8mLEftqnVZksYt3pPWsus0UnhK9gnTw9PSxqWpC1EoTyiuDwTLdVqqYAeM
oqqdpHfSFPBXmCRZc5dbptnrJmLiMHoVeeKjdYXLr1GgIVYPN+Dbldwb8gcIQ+TM
zN+J7p0W7rHhsGSleackNlWWfodjnc0WHZWkyplg4W48V6KbLxsK+LOpvnuoy+mu
vw==
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAn5YKs7owv3UM1h+DOtzpeJm84U3EF9u4+Q90XDp3HjDAkIWD
RVx0fVYGlUwy9zOWe2mGkBEZn5uyS0pGGxsMc19sTGjpKfpvTH/GdSQWDfi6RiFF
0Wz7EcL88723Zr0sNwywGvTIsG6BsxgZmPYuf6ynjvxorJY2RAsEo4R96KO2Deqs
jHQH/B693xPHj1qFBgHxcQuJlrWae2pGkd7Ayv66Xqx/nPolHcmuiS/O7uQYuO3U
U3VUBBGmTOo1glf+9Qncoh1nFYfLPKghutr9WN4/884hjbZ5AYNbBuD2w1VTJUoU
/ORpLBX4EDK1CISfZwRC2bGg9n6IuTKIaAYVZQIDAQABAoIBAA52Ufz3VCCdp8P7
Mht9AU7Txolie0awO63yfRiN7H/uFMgOxBaJP5NLiagxB3Nd7Pa9LvEnuOXn0xC9
/Twf8ju9u4+ceE48wFEInqsR/J+tLpsEET2JPfgzmVSGGQn0qH5KpjujJabQ35cj
3s9SYWS3owMIaSdZgOHKCn8TwYykriGYgagV3c+tMdqDaqvrrWAu9mkCp9/MzREb
X3XBJ9NE/5dlMeMfXJiRKvLc16hQCSrXVdCLLm3U3/sHncDKOEOF4kvEBR5ciXXN
zXkuvbE4GKjC0rCGZtocbC2EkkHRMD96Y2cNwmNnWp0fJ0KOVYGw3S3YsWNMex0u
n57vEUcCgYEAy+x9NB4pCF/5Va82yRYYRUZCyDWLAYAC7kJ933R2wugUgs8FUQzK
xh0d7PuGDYB/zrsZfdQoZGmEbffZ/pze6pdIpaFKFnQoHPtS92aQdBPwyCdBnJUy
cuVQekPBsDtRFSOaznzOej+bkFH43RujYjDPPRAIP2Oily20CRcXzb8CgYEAyFb6
X2mQn2EM+vIxGIIUe09YsT9OhZyzI2TG4M4yvapFF8FVA5qZJTQh7mxJzlACev3J
Rmrpo/36j4co9x8Ph9ojcQzd0qhiwYPaFc4sBjFRPm8k22+mf2zIm5VV1xHqML65
ciGGCLxfBO+j1y0ktUL6g9QGwyr/0RaFo7UhrdsCgYBcEyipGqEeVe9Hn/hVrTNC
PCo1Ke/cuocYO0+IUJa7BH0WXxEgem0oLMdxVFQ/znBm0JX++YdPZ1FTMeDtFLmW
JL65gmzoXIQsKdJZQKcisko6pXb7k2YW+LFwsx1GTFIdAFmKuFGmYwgDju+WLj+E
O1OnV5DRxlQIfKtYm2O1EwKBgHb1hrgPFAw/cZi1JUf7PbQ22mBtSe/2qzxyA9HL
Pr/2kg5YA2Yfb55yxU8wx+aVBdQITHLe2xtAnX6KcF3E+NDfS7o+PJ1w1Ss5Ys8d
3HBU6nwbPRR7yK7TZo9T7mPFxHzrU2yc0Vzwla91qKEFsk1blyueQ+Gx77M1H2el
D3mPAoGAfd9V3aNVaNjjj/ILQlX6ypPeqWLjzsHRnsIedDXgGRh5/ZgXetSgp+f9
MtZdaHkYiBMYJJXFqn3KcIaRGAgxQbaqnZtSmHpUg4AXDmxEbu01ryVjPIW/EvZb
4oTikKQyUW8jqWS3irvxZga+nwJFNNYMyVgK+W29UYZzW53GMV4=
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDVjCCAj6gAwIBAgIIKpxUKA9KjPcwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLQ0EgSW50ZXJuYWwwHhcNMjQwOTE5MDAwMDAwWhcNMzQwOTE4MjM1OTU5WjAa
MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7IBurNJ8FFtPgMBX8n8wQuAypCfFucM3reIblnPpHsWifRlk/
XrOmD1FDhErz4V38ouloS7q4jxAbbrPlLW93u4En5UZ5jPzN3T2h0vIrPl6sCKf1
edEju5lu7WIcNUH8VF4j6kDP71LwBW99kdFrYHSRCtWIXeJrB1MLx7c9lekrm89/
lz08UdGd7udJOcKDrsvsIj4cJYImHENLYB4LoWVMsiD7ap+zKud9Zf9YsRNG7XTT
HtZSTdrgN5opAU/0vA10Jzp1S3HDfPL5+7Xw6Xq62ZJXOyAofpItxc9dGOOoNiZi
wtYCMZwz2H3LujDgc5wMbPV9k1UxU/Y6QHrjAgMBAAGjgaMwgaAwDAYDVR0TAQH/
BAIwADAdBgNVHQ4EFgQUDhDi+m6Iocrd9LJ6ZJBFMfsp3F0wHwYDVR0jBBgwFoAU
SsSalxeTY1qmvFLILIS3gZ4ynGMwCwYDVR0PBAQDAgP4MCcGA1UdJQQgMB4GCCsG
AQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwgwGgYDVR0RBBMwEYIPd3d3LmV4YW1w
bGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBr03L9bIY5unzvN8psu+a410Gwgkma
8D37SeJ23fV0FR0gemgIJsq0SoVRuwbHQMum1Rs9MC+fRIcN5UZGKDTb6WQIb+In
1qnX3A5OU/rTOjkWELQLxJ+ejqJT86pHuODwpX+YME1nDo+3nmb/OLAzrXjgfY3j
w5GCU4dobXU3RvbQAbvpw4ECOBPbuizq+fngIGmeJt7kcdJ6vZw3OvKlk451REGI
gt3TrELsmvH7D2qNyPYgEn7ifdVKEbiMcFcHoMz/zZ2ZxlGSQ7YnWOZd0++uB2od
iBWE+faUZ2ApEWEnX1FPcPIQ7x7dDvYHkmGVh0tAwXcgPs1NCX7rJcVF
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuyAbqzSfBRbT4DAV/J/MELgMqQnxbnDN63iG5Zz6R7Fon0ZZ
P16zpg9RQ4RK8+Fd/KLpaEu6uI8QG26z5S1vd7uBJ+VGeYz8zd09odLyKz5erAin
9XnRI7uZbu1iHDVB/FReI+pAz+9S8AVvfZHRa2B0kQrViF3iawdTC8e3PZXpK5vP
f5c9PFHRne7nSTnCg67L7CI+HCWCJhxDS2AeC6FlTLIg+2qfsyrnfWX/WLETRu10
0x7WUk3a4DeaKQFP9LwNdCc6dUtxw3zy+fu18Ol6utmSVzsgKH6SLcXPXRjjqDYm
YsLWAjGcM9h9y7ow4HOcDGz1fZNVMVP2OkB64wIDAQABAoIBAD+Cd0GVO397ru+B
AoVaKuVlwg5BLKsCKDGKF6aor51TjiG4u6OxXaG3wyn6JYI+dCrBlBxsz3PCQoI9
AVuAHzvw7LYAr/mjK04nj7pzoPOiWHlk+rRq4tuQ2VN3x/uw67NbYxQndlXccTa7
cYqZygz6kLWFitGco7MVqk7uOrfwqu4O5GbktR4Vm6apEh2eFsSfgFE4LN3z7bbf
A7dzePBy2BOEvy/CjNX5stkLKJuWzuVTcYXB82bqp/VsSXSQG9o/9VmR6OUhXWjA
Clf+m3HqVmZ1IivOFz48LHVzvUj26AclvwwXkaGptbA6s08QWJMS2mpZlWbWNwzr
Mqgl/3ECgYEA8xpGCQrxfw7LTI9sMVnQo3S1rbB23DMuP2PmX6Aad0U3eGSxrv6B
RweXpb1Kduu8FeLMngihPjv/UsHJkNMX6IRILc2kLbRYoQOLdJ5k42bYzhDKYN33
e8jr6twJJsCgva4DoLM0woZTvgaRzLJBzMWoL1BT6JJkKGUukgwCiskCgYEAxQ2S
1oN1ZHc454y2bJ0JYg6c/MGEKHFjIRLKMMxwhNXQzOr8EzzwwF+5IsJORQfJNu+P
DaFT/3QAuByKG+Dyx4C0ssIhj6u75g1Thzgv8qHwE6DYh1VUUYO656kFTtexlFyg
gJPYXCOWPelSNNNQXbZTV929R1Wx95+LfqLqQksCgYEApmCj8ApqT3AbmVFLVddH
YKc+tBnirz/j9gR0JZwYoOphVWds5/xNFATRN+B+NzeNKVloevwjBsnfK49vWUvv
v/XQxHBKXfFg+wnHBtBk8fFwjk+VgohHmZNgSwO+y6PoHwkaeIBNqphudc5fOL4D
JJdeTMtoMfMG01K0dcX8c2kCgYEAwE1n0GqIJNxoryfWW5bBMm2abNwZsjI9kGg6
43aQFEJpu6FTER82wDZqgW5oXdukVTViQOYBCFpX3VUUvvI/W8zSC2WCxSfOfkrh
CiQePsYkebNNvHzchZRt0WhUYsYCagwfInul+P1NwOuzKxRR6LJnEWe3MSeDP2n3
A0XQIZMCgYAzubLPZnJjFihAX0M9k8Cjc+q6KKnA6Fp1JqnPmzoTO/r46o1shmCZ
kRS8iqnKfTCW/MWGSPyRc0OubIVbR9hAdCZjR8wmeVdkiV+VfBRzxpcYpcZbxjmy
6F0xz1Fv0UeKdjHQyb9UNO6Y1qVaNVVYo3tyD6VGaMdboddHPPxLDw==
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,12 @@
#!/usr/bin/make -f
intermediate_ca_certs := 1-CA-Internal.crt
certs := $(patsubst %.pem,%.crt,$(sort $(wildcard *.pem)))
target_certs := $(patsubst %.crt,%.chain.crt,$(certs))
.PHONY: all
all: $(target_certs)
%.chain.crt: %.crt $(intermediate_ca_certs)
cat $+ | tee $@ >/dev/null

View File

@ -0,0 +1,33 @@
server {
listen 8443 ssl;
server_name .example.org;
ssl_certificate tls.d/example.org.chain.crt;
ssl_certificate_key tls.d/example.org.pem;
root static.d/example.org;
}
server {
listen 8443 ssl;
server_name www.example.org;
ssl_certificate tls.d/www.example.org.chain.crt;
ssl_certificate_key tls.d/www.example.org.pem;
root static.d/www.example.org;
}
## optional: cut-off server
server {
listen 8443 ssl default_server bind deferred;
server_name _;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
## reject connections early
ssl_reject_handshake on;
}

View File

@ -0,0 +1,5 @@
<hmtl>
<body>
<h1>This is main site.</h1>
</body>
</hmtl>

View File

@ -0,0 +1,5 @@
<hmtl>
<body>
<h1>This is WWW site.</h1>
</body>
</hmtl>

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDLDCCAhSgAwIBAgIIc9z+Nze+1ngwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
AxMHQ0EgUm9vdDAeFw0yNDA5MTkwMDAwMDBaFw0zNTA5MTgyMzU5NTlaMBYxFDAS
BgNVBAMTC0NBIEludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAs0SnuACpBbkmoPrdnrMKuGhA+dUML/PoF8RZI9BdQvnSa3r1mINw3442Hcrh
Nij0BeVqjK6DTk8yrLA3l9/bpXIubimXDWvzeMRRVduWPdEc9cdDhuksbrIApQow
3cP68U95pqwYbDsXtGqXOzDWnKQppok42OjaKL6zwNsM6Qs/UKVADJ7rmPSoZSa/
RCywhurnZt3eIDQjQqfJCnNifUXnLOD8JwyhSACBvxdQQnn2ibh78KA6LuECUDX9
jKOdgJvffwl1XaXqX9pfM9KwmoNs+utVOm9weENC0tnss/BftqzBo6szAeyIKzkk
xOjppCNz2Uou3UsVEVyCA6GAjQIDAQABo4GBMH8wDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUSsSalxeTY1qmvFLILIS3gZ4ynGMwHwYDVR0jBBgwFoAUMdG64dLU
vChFxO1SEtyn4NoRr8gwCwYDVR0PBAQDAgEGMB8GA1UdJQQYMBYGCisGAQQBgjcK
AwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQDJyKWDN6lD4/UTx12HrVqI
taOkOzFIBho+FSvCRI/ZLpeMj01WZIb9XkdhLZvUAh+c7jC/caMghGX5N8Kqunmr
x1HYnLm+C6QOdYy2djEml3ZwnbEn9yT1YYhRIZC993ipEzeNFm39J433l1PXYsLa
XNC99j58tVPFELcpimqe8eoUW2hYKZqFvswuta2PhX9mNYOSVk5ICl3rs0kr8gDR
3PC6vKmMxmTWTlg94JuTRCT0L5LD5Ode76iR7q0TY3XOzeDeEw3H99nPv3i69d2D
15pEo78xeNOZhbJ1OGUqBO45JrwhhJ4x9N+5SSnLSEvgv+qghVK+mkxAtvM/6fsp
-----END CERTIFICATE-----

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIITliyKcJbVmEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
AxMHQ0EgUm9vdDAeFw0yNDA5MTkwMDAwMDBaFw0zNjA5MTgyMzU5NTlaMBIxEDAO
BgNVBAMTB0NBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP
0HWgtUwQ+OMm30ANf8Iy4H3tfGnfrDd4oQXqMjuW6Eh0nxzlWMIcvrN1l2Y2QscI
i+/6CNq6tirbkN3PIYFdboejROXPDRsh7ck+92PyJiEcbK0SbI/S/3bKGpeqmTy+
HvbkMvzlUJ/+SH6FgU3sCkYga43QDE8DT3PRf0zd7mBF2ij/OXtv69JehdTJBDa2
hW09Ivjfq5cHoMIEfIvTp8847TGIQDqU8k1N8A5brrU+2gHJ+H3GoV09ej5/cv6Q
9FU9DE/mTW7iDHjNVNgq4JQXJWyCYH6TfoKet+/8Q1odhe+4dG22lO6EgHdp5IIN
J5322FKKsuwZ1JhA/ZJ9AgMBAAGjYDBeMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFDHRuuHS1LwoRcTtUhLcp+DaEa/IMAsGA1UdDwQEAwIBBjAfBgNVHSUEGDAW
BgorBgEEAYI3CgMBBggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAQEAxRGAJ3nV
/ycyml5mm4q330Mnsa8Rc0DoVaQXfEyIIBkgYD2dIhvjnA5cK6AVStAJ/16lx77T
v5bG5/AyC2D7ISd8PLcpWrAtxo06cYM3OJjpWwl18oH1tS1L2hi6L8I2LNkW4TKQ
yFjRCYJvsM2QUnRL99S4JKiXACDMCTP/ZP87fQvmfi4lXCnUlQqgtnCq0+iCwXVJ
oR1SdOrmPz/NI23RA41U15LePwFuK5cTE0WhtyZej8ksv6V+5Z1aiIBTt/cMl+KH
2K9dmO+dNp1DJeSaeH+8rsDd44FkPvDi1nMjm4G51U2JVrbjift70DM/Ia/DPH72
bYJLgeFDhdfzMg==
-----END CERTIFICATE-----

View File

@ -0,0 +1,40 @@
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIIKr9NphMObcAwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLQ0EgSW50ZXJuYWwwHhcNMjQwOTE5MDAwMDAwWhcNMzQwOTE4MjM1OTU5WjAW
MRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAJ+WCrO6ML91DNYfgzrc6XiZvOFNxBfbuPkPdFw6dx4wwJCFg0VcdH1W
BpVMMvczlntphpARGZ+bsktKRhsbDHNfbExo6Sn6b0x/xnUkFg34ukYhRdFs+xHC
/PO9t2a9LDcMsBr0yLBugbMYGZj2Ln+sp478aKyWNkQLBKOEfeijtg3qrIx0B/we
vd8Tx49ahQYB8XELiZa1mntqRpHewMr+ul6sf5z6JR3Jrokvzu7kGLjt1FN1VAQR
pkzqNYJX/vUJ3KIdZxWHyzyoIbra/VjeP/POIY22eQGDWwbg9sNVUyVKFPzkaSwV
+BAytQiEn2cEQtmxoPZ+iLkyiGgGFWUCAwEAAaOBrjCBqzAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBRrZV8OY2075agO7UQfsDcPKmt87TAfBgNVHSMEGDAWgBRKxJqX
F5NjWqa8UsgshLeBnjKcYzALBgNVHQ8EBAMCA/gwJwYDVR0lBCAwHgYIKwYBBQUH
AwEGCCsGAQUFBwMCBggrBgEFBQcDCDAlBgNVHREEHjAcggtleGFtcGxlLm9yZ4IN
Ki5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEApijiwX+Y6XR25Z0yyv9P
gAkZkE+X/rQuk+9PyuSXLWUg9x0p3G0RUwPHHwiUpYHnTmAf3iKoPHLltX+KxqkO
W3Kx07TId5FmK8UrCZ+Xs1yuvMHtwdAvf8DA8QCaWSa8N9QeYmbzArjM8035j16+
rFiMaO8mLEftqnVZksYt3pPWsus0UnhK9gnTw9PSxqWpC1EoTyiuDwTLdVqqYAeM
oqqdpHfSFPBXmCRZc5dbptnrJmLiMHoVeeKjdYXLr1GgIVYPN+Dbldwb8gcIQ+TM
zN+J7p0W7rHhsGSleackNlWWfodjnc0WHZWkyplg4W48V6KbLxsK+LOpvnuoy+mu
vw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLDCCAhSgAwIBAgIIc9z+Nze+1ngwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
AxMHQ0EgUm9vdDAeFw0yNDA5MTkwMDAwMDBaFw0zNTA5MTgyMzU5NTlaMBYxFDAS
BgNVBAMTC0NBIEludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAs0SnuACpBbkmoPrdnrMKuGhA+dUML/PoF8RZI9BdQvnSa3r1mINw3442Hcrh
Nij0BeVqjK6DTk8yrLA3l9/bpXIubimXDWvzeMRRVduWPdEc9cdDhuksbrIApQow
3cP68U95pqwYbDsXtGqXOzDWnKQppok42OjaKL6zwNsM6Qs/UKVADJ7rmPSoZSa/
RCywhurnZt3eIDQjQqfJCnNifUXnLOD8JwyhSACBvxdQQnn2ibh78KA6LuECUDX9
jKOdgJvffwl1XaXqX9pfM9KwmoNs+utVOm9weENC0tnss/BftqzBo6szAeyIKzkk
xOjppCNz2Uou3UsVEVyCA6GAjQIDAQABo4GBMH8wDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUSsSalxeTY1qmvFLILIS3gZ4ynGMwHwYDVR0jBBgwFoAUMdG64dLU
vChFxO1SEtyn4NoRr8gwCwYDVR0PBAQDAgEGMB8GA1UdJQQYMBYGCisGAQQBgjcK
AwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQDJyKWDN6lD4/UTx12HrVqI
taOkOzFIBho+FSvCRI/ZLpeMj01WZIb9XkdhLZvUAh+c7jC/caMghGX5N8Kqunmr
x1HYnLm+C6QOdYy2djEml3ZwnbEn9yT1YYhRIZC993ipEzeNFm39J433l1PXYsLa
XNC99j58tVPFELcpimqe8eoUW2hYKZqFvswuta2PhX9mNYOSVk5ICl3rs0kr8gDR
3PC6vKmMxmTWTlg94JuTRCT0L5LD5Ode76iR7q0TY3XOzeDeEw3H99nPv3i69d2D
15pEo78xeNOZhbJ1OGUqBO45JrwhhJ4x9N+5SSnLSEvgv+qghVK+mkxAtvM/6fsp
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAn5YKs7owv3UM1h+DOtzpeJm84U3EF9u4+Q90XDp3HjDAkIWD
RVx0fVYGlUwy9zOWe2mGkBEZn5uyS0pGGxsMc19sTGjpKfpvTH/GdSQWDfi6RiFF
0Wz7EcL88723Zr0sNwywGvTIsG6BsxgZmPYuf6ynjvxorJY2RAsEo4R96KO2Deqs
jHQH/B693xPHj1qFBgHxcQuJlrWae2pGkd7Ayv66Xqx/nPolHcmuiS/O7uQYuO3U
U3VUBBGmTOo1glf+9Qncoh1nFYfLPKghutr9WN4/884hjbZ5AYNbBuD2w1VTJUoU
/ORpLBX4EDK1CISfZwRC2bGg9n6IuTKIaAYVZQIDAQABAoIBAA52Ufz3VCCdp8P7
Mht9AU7Txolie0awO63yfRiN7H/uFMgOxBaJP5NLiagxB3Nd7Pa9LvEnuOXn0xC9
/Twf8ju9u4+ceE48wFEInqsR/J+tLpsEET2JPfgzmVSGGQn0qH5KpjujJabQ35cj
3s9SYWS3owMIaSdZgOHKCn8TwYykriGYgagV3c+tMdqDaqvrrWAu9mkCp9/MzREb
X3XBJ9NE/5dlMeMfXJiRKvLc16hQCSrXVdCLLm3U3/sHncDKOEOF4kvEBR5ciXXN
zXkuvbE4GKjC0rCGZtocbC2EkkHRMD96Y2cNwmNnWp0fJ0KOVYGw3S3YsWNMex0u
n57vEUcCgYEAy+x9NB4pCF/5Va82yRYYRUZCyDWLAYAC7kJ933R2wugUgs8FUQzK
xh0d7PuGDYB/zrsZfdQoZGmEbffZ/pze6pdIpaFKFnQoHPtS92aQdBPwyCdBnJUy
cuVQekPBsDtRFSOaznzOej+bkFH43RujYjDPPRAIP2Oily20CRcXzb8CgYEAyFb6
X2mQn2EM+vIxGIIUe09YsT9OhZyzI2TG4M4yvapFF8FVA5qZJTQh7mxJzlACev3J
Rmrpo/36j4co9x8Ph9ojcQzd0qhiwYPaFc4sBjFRPm8k22+mf2zIm5VV1xHqML65
ciGGCLxfBO+j1y0ktUL6g9QGwyr/0RaFo7UhrdsCgYBcEyipGqEeVe9Hn/hVrTNC
PCo1Ke/cuocYO0+IUJa7BH0WXxEgem0oLMdxVFQ/znBm0JX++YdPZ1FTMeDtFLmW
JL65gmzoXIQsKdJZQKcisko6pXb7k2YW+LFwsx1GTFIdAFmKuFGmYwgDju+WLj+E
O1OnV5DRxlQIfKtYm2O1EwKBgHb1hrgPFAw/cZi1JUf7PbQ22mBtSe/2qzxyA9HL
Pr/2kg5YA2Yfb55yxU8wx+aVBdQITHLe2xtAnX6KcF3E+NDfS7o+PJ1w1Ss5Ys8d
3HBU6nwbPRR7yK7TZo9T7mPFxHzrU2yc0Vzwla91qKEFsk1blyueQ+Gx77M1H2el
D3mPAoGAfd9V3aNVaNjjj/ILQlX6ypPeqWLjzsHRnsIedDXgGRh5/ZgXetSgp+f9
MtZdaHkYiBMYJJXFqn3KcIaRGAgxQbaqnZtSmHpUg4AXDmxEbu01ryVjPIW/EvZb
4oTikKQyUW8jqWS3irvxZga+nwJFNNYMyVgK+W29UYZzW53GMV4=
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,39 @@
-----BEGIN CERTIFICATE-----
MIIDVjCCAj6gAwIBAgIIKpxUKA9KjPcwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLQ0EgSW50ZXJuYWwwHhcNMjQwOTE5MDAwMDAwWhcNMzQwOTE4MjM1OTU5WjAa
MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7IBurNJ8FFtPgMBX8n8wQuAypCfFucM3reIblnPpHsWifRlk/
XrOmD1FDhErz4V38ouloS7q4jxAbbrPlLW93u4En5UZ5jPzN3T2h0vIrPl6sCKf1
edEju5lu7WIcNUH8VF4j6kDP71LwBW99kdFrYHSRCtWIXeJrB1MLx7c9lekrm89/
lz08UdGd7udJOcKDrsvsIj4cJYImHENLYB4LoWVMsiD7ap+zKud9Zf9YsRNG7XTT
HtZSTdrgN5opAU/0vA10Jzp1S3HDfPL5+7Xw6Xq62ZJXOyAofpItxc9dGOOoNiZi
wtYCMZwz2H3LujDgc5wMbPV9k1UxU/Y6QHrjAgMBAAGjgaMwgaAwDAYDVR0TAQH/
BAIwADAdBgNVHQ4EFgQUDhDi+m6Iocrd9LJ6ZJBFMfsp3F0wHwYDVR0jBBgwFoAU
SsSalxeTY1qmvFLILIS3gZ4ynGMwCwYDVR0PBAQDAgP4MCcGA1UdJQQgMB4GCCsG
AQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwgwGgYDVR0RBBMwEYIPd3d3LmV4YW1w
bGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBr03L9bIY5unzvN8psu+a410Gwgkma
8D37SeJ23fV0FR0gemgIJsq0SoVRuwbHQMum1Rs9MC+fRIcN5UZGKDTb6WQIb+In
1qnX3A5OU/rTOjkWELQLxJ+ejqJT86pHuODwpX+YME1nDo+3nmb/OLAzrXjgfY3j
w5GCU4dobXU3RvbQAbvpw4ECOBPbuizq+fngIGmeJt7kcdJ6vZw3OvKlk451REGI
gt3TrELsmvH7D2qNyPYgEn7ifdVKEbiMcFcHoMz/zZ2ZxlGSQ7YnWOZd0++uB2od
iBWE+faUZ2ApEWEnX1FPcPIQ7x7dDvYHkmGVh0tAwXcgPs1NCX7rJcVF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLDCCAhSgAwIBAgIIc9z+Nze+1ngwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
AxMHQ0EgUm9vdDAeFw0yNDA5MTkwMDAwMDBaFw0zNTA5MTgyMzU5NTlaMBYxFDAS
BgNVBAMTC0NBIEludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAs0SnuACpBbkmoPrdnrMKuGhA+dUML/PoF8RZI9BdQvnSa3r1mINw3442Hcrh
Nij0BeVqjK6DTk8yrLA3l9/bpXIubimXDWvzeMRRVduWPdEc9cdDhuksbrIApQow
3cP68U95pqwYbDsXtGqXOzDWnKQppok42OjaKL6zwNsM6Qs/UKVADJ7rmPSoZSa/
RCywhurnZt3eIDQjQqfJCnNifUXnLOD8JwyhSACBvxdQQnn2ibh78KA6LuECUDX9
jKOdgJvffwl1XaXqX9pfM9KwmoNs+utVOm9weENC0tnss/BftqzBo6szAeyIKzkk
xOjppCNz2Uou3UsVEVyCA6GAjQIDAQABo4GBMH8wDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUSsSalxeTY1qmvFLILIS3gZ4ynGMwHwYDVR0jBBgwFoAUMdG64dLU
vChFxO1SEtyn4NoRr8gwCwYDVR0PBAQDAgEGMB8GA1UdJQQYMBYGCisGAQQBgjcK
AwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQDJyKWDN6lD4/UTx12HrVqI
taOkOzFIBho+FSvCRI/ZLpeMj01WZIb9XkdhLZvUAh+c7jC/caMghGX5N8Kqunmr
x1HYnLm+C6QOdYy2djEml3ZwnbEn9yT1YYhRIZC993ipEzeNFm39J433l1PXYsLa
XNC99j58tVPFELcpimqe8eoUW2hYKZqFvswuta2PhX9mNYOSVk5ICl3rs0kr8gDR
3PC6vKmMxmTWTlg94JuTRCT0L5LD5Ode76iR7q0TY3XOzeDeEw3H99nPv3i69d2D
15pEo78xeNOZhbJ1OGUqBO45JrwhhJ4x9N+5SSnLSEvgv+qghVK+mkxAtvM/6fsp
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuyAbqzSfBRbT4DAV/J/MELgMqQnxbnDN63iG5Zz6R7Fon0ZZ
P16zpg9RQ4RK8+Fd/KLpaEu6uI8QG26z5S1vd7uBJ+VGeYz8zd09odLyKz5erAin
9XnRI7uZbu1iHDVB/FReI+pAz+9S8AVvfZHRa2B0kQrViF3iawdTC8e3PZXpK5vP
f5c9PFHRne7nSTnCg67L7CI+HCWCJhxDS2AeC6FlTLIg+2qfsyrnfWX/WLETRu10
0x7WUk3a4DeaKQFP9LwNdCc6dUtxw3zy+fu18Ol6utmSVzsgKH6SLcXPXRjjqDYm
YsLWAjGcM9h9y7ow4HOcDGz1fZNVMVP2OkB64wIDAQABAoIBAD+Cd0GVO397ru+B
AoVaKuVlwg5BLKsCKDGKF6aor51TjiG4u6OxXaG3wyn6JYI+dCrBlBxsz3PCQoI9
AVuAHzvw7LYAr/mjK04nj7pzoPOiWHlk+rRq4tuQ2VN3x/uw67NbYxQndlXccTa7
cYqZygz6kLWFitGco7MVqk7uOrfwqu4O5GbktR4Vm6apEh2eFsSfgFE4LN3z7bbf
A7dzePBy2BOEvy/CjNX5stkLKJuWzuVTcYXB82bqp/VsSXSQG9o/9VmR6OUhXWjA
Clf+m3HqVmZ1IivOFz48LHVzvUj26AclvwwXkaGptbA6s08QWJMS2mpZlWbWNwzr
Mqgl/3ECgYEA8xpGCQrxfw7LTI9sMVnQo3S1rbB23DMuP2PmX6Aad0U3eGSxrv6B
RweXpb1Kduu8FeLMngihPjv/UsHJkNMX6IRILc2kLbRYoQOLdJ5k42bYzhDKYN33
e8jr6twJJsCgva4DoLM0woZTvgaRzLJBzMWoL1BT6JJkKGUukgwCiskCgYEAxQ2S
1oN1ZHc454y2bJ0JYg6c/MGEKHFjIRLKMMxwhNXQzOr8EzzwwF+5IsJORQfJNu+P
DaFT/3QAuByKG+Dyx4C0ssIhj6u75g1Thzgv8qHwE6DYh1VUUYO656kFTtexlFyg
gJPYXCOWPelSNNNQXbZTV929R1Wx95+LfqLqQksCgYEApmCj8ApqT3AbmVFLVddH
YKc+tBnirz/j9gR0JZwYoOphVWds5/xNFATRN+B+NzeNKVloevwjBsnfK49vWUvv
v/XQxHBKXfFg+wnHBtBk8fFwjk+VgohHmZNgSwO+y6PoHwkaeIBNqphudc5fOL4D
JJdeTMtoMfMG01K0dcX8c2kCgYEAwE1n0GqIJNxoryfWW5bBMm2abNwZsjI9kGg6
43aQFEJpu6FTER82wDZqgW5oXdukVTViQOYBCFpX3VUUvvI/W8zSC2WCxSfOfkrh
CiQePsYkebNNvHzchZRt0WhUYsYCagwfInul+P1NwOuzKxRR6LJnEWe3MSeDP2n3
A0XQIZMCgYAzubLPZnJjFihAX0M9k8Cjc+q6KKnA6Fp1JqnPmzoTO/r46o1shmCZ
kRS8iqnKfTCW/MWGSPyRc0OubIVbR9hAdCZjR8wmeVdkiV+VfBRzxpcYpcZbxjmy
6F0xz1Fv0UeKdjHQyb9UNO6Y1qVaNVVYo3tyD6VGaMdboddHPPxLDw==
-----END RSA PRIVATE KEY-----

View File

@ -1,89 +1,41 @@
#!/bin/sh #!/bin/sh
set -ef set -ef
certifi_uri="https://raw.githubusercontent.com/certifi/python-certifi/${CERTIFI_COMMIT:?}/certifi/cacert.pem"
dst_dir=/usr/local/share/ca-certificates dst_dir=/usr/local/share/ca-certificates
w=$(mktemp -d) ; : "${w:?}" w=$(mktemp -d) ; : "${w:?}"
w_cleanup() { w_cleanup() {
[ -z "$w" ] || ls -lA "$w/" [ -z "$w" ] || ls -lA "$w/" >&2
[ -z "$w" ] || rm -rf "$w" [ -z "$w" ] || rm -rf "$w"
unset w unset w
exit "${1:-0}" exit "${1:-0}"
} }
curl -sSL "${certifi_uri}" > "$w/certifi.crt"
def_bundle='/etc/ssl/certs/ca-certificates.crt' def_bundle='/etc/ssl/certs/ca-certificates.crt'
openssl-cert-auto-pem.sh "${def_bundle}" > "$w/cacert.pem" openssl-cert-auto-pem.sh "${def_bundle}" "$w/cacert.pem" "$w/cacert.fp"
openssl-cert-auto-pem.sh "$w/certifi.crt" > "$w/certifi.pem"
[ -s "$w/cacert.pem" ] || w_cleanup 1 [ -s "$w/cacert.pem" ] || w_cleanup 1
[ -s "$w/cacert.fp" ] || w_cleanup 1
openssl-cert-auto-pem.sh "$1" "$w/certifi.pem" "$w/certifi.fp" "$w/certifi.off"
[ -s "$w/certifi.pem" ] || w_cleanup 1 [ -s "$w/certifi.pem" ] || w_cleanup 1
[ -s "$w/certifi.fp" ] || w_cleanup 1
bundle_offsets() {
awk '
BEGIN {
OFS = ","
m_begin="-----BEGIN CERTIFICATE-----"
m_end="-----END CERTIFICATE-----"
i_begin = 0
}
$0 == m_begin { i_begin = NR ; }
$0 == m_end {
if (i_begin > 0) {
print i_begin,NR
i_begin = 0
}
}
' "$1"
}
bundle_offsets "$w/cacert.pem" > "$w/cacert.off"
bundle_offsets "$w/certifi.pem" > "$w/certifi.off"
[ -s "$w/cacert.off" ] || w_cleanup 1
[ -s "$w/certifi.off" ] || w_cleanup 1 [ -s "$w/certifi.off" ] || w_cleanup 1
bundle_fingerprints() {
local a
while read -r a ; do
[ -n "$a" ] || continue
{
sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint -sha256 \
|| \
sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint
} | tr '[:upper:]' '[:lower:]'
done < "$2"
}
bundle_fingerprints "$w/cacert.pem" "$w/cacert.off" | sort -uV > "$w/cacert.fp"
bundle_fingerprints "$w/certifi.pem" "$w/certifi.off" | sort -uV > "$w/certifi.fp"
[ -s "$w/cacert.fp" ] || w_cleanup 1
[ -s "$w/certifi.fp" ] || w_cleanup 1
set +e set +e
grep -Fxv -f "$w/cacert.fp" "$w/certifi.fp" > "$w/diff.fp" grep -Fxnv -f "$w/cacert.fp" "$w/certifi.fp" | cut -d : -f 1 > "$w/diff.ln"
set -e set -e
if [ -s "$w/diff.fp" ] ; then if [ -s "$w/diff.ln" ] ; then
set +e terse_fingerprint() { cut -d = -f 2- | tr -cd '[:alnum:]' ; }
grep -Fxn -f "$w/diff.fp" "$w/certifi.fp" | cut -d : -f 1 > "$w/records.diff"
set -e
terse_fingerprint() {
cut -d = -f 2- | tr -cd '[:alnum:]'
}
mkdir "$w/extras"
while read -r n ; do while read -r n ; do
[ -n "$n" ] || continue [ -n "$n" ] || continue
fp=$(sed -ne "${n}p" "$w/certifi.fp" | terse_fingerprint) fp=$(sed -ne "${n}p" "$w/certifi.fp" | terse_fingerprint)
off=$(sed -ne "${n}p" "$w/certifi.off") off=$(sed -ne "${n}p" "$w/certifi.off")
sed -ne "${off}p" "$w/certifi.pem" | openssl x509 > "${dst_dir}/certifi-${fp}.crt" sed -ne "${off}p" "$w/certifi.pem" > "${dst_dir}/certifi-${fp}.crt"
done < "$w/records.diff" done < "$w/diff.ln"
fi fi
rm -rf "$w" ; unset w rm -rf "$w" ; unset w

View File

@ -30,34 +30,40 @@ while : ; do
unset orig_ca_file unset orig_ca_file
[ -s "$w/all.pem" ] || break [ -s "$w/all.pem" ] || break
openssl-cert-fingerprint.sh "$w/all.pem" | sort -uV > "$w/all.fp" openssl-cert-auto-pem.sh "$w/all.pem" "$w/new.pem" "$w/new.fp" "$w/new.off"
[ -s "$w/all.fp" ] || break [ -s "$w/new.pem" ] || break
[ -s "$w/new.fp" ] || break
[ -s "$w/new.off" ] || break
rm -f "$w/all.pem"
## leaving processing section ## leaving processing section
rm -f "$w/processing" rm -f "$w/processing"
unset dev_root dev_bundle dev_bundle_fp
dev_root=$(env stat -c '%d' / )
dev_bundle=$(env stat -L -c '%d' "${def_bundle}")
dev_bundle_fp=$(env stat -L -c '%d' "${def_bundle_fp}")
unset def_bundle_bind_mount unset def_bundle_bind_mount
def_bundle_bind_mount=1 def_bundle_bind_mount=1
while : ; do while : ; do
[ "${dev_root}" = "${dev_bundle}" ] || break unset devno_root devno_bundle devno_bundle_fp
[ "${dev_root}" = "${dev_bundle_fp}" ] || break devno_root=$(env stat -c '%d' / )
[ "${dev_bundle}" = "${dev_bundle_fp}" ] || break
[ -f "${def_bundle}" ] || break
devno_bundle=$(env stat -L -c '%d' "${def_bundle}")
[ "${devno_root}" = "${devno_bundle}" ] || break
[ -f "${def_bundle_fp}" ] || break
devno_bundle_fp=$(env stat -L -c '%d' "${def_bundle_fp}")
[ "${devno_root}" = "${devno_bundle_fp}" ] || break
def_bundle_bind_mount=0 def_bundle_bind_mount=0
break ; done break ; done
unset dev_root dev_bundle dev_bundle_fp unset devno_root devno_bundle devno_bundle_fp
if [ "${def_bundle_bind_mount}" = 1 ] ; then if [ "${def_bundle_bind_mount}" = 1 ] ; then
log_always "detected bind-mount inside ${def_bundle%/*}/" log_always "detected bind-mount inside ${def_bundle%/*}/"
log_always "this is merely misuse!" log_always "this is merely misuse!"
openssl-cert-auto-pem.sh "${def_bundle}" > "$w/cacert.pem" if [ -s "${def_bundle}" ] ; then
openssl-cert-fingerprint.sh "$w/cacert.pem" | sort -uV > "$w/cacert.fp" openssl-cert-auto-pem.sh "${def_bundle}" "$w/cacert.pem" "$w/cacert.fp"
fi
else else
ln -s "${def_bundle}" "$w/cacert.pem" ln -s "${def_bundle}" "$w/cacert.pem"
ln -s "${def_bundle_fp}" "$w/cacert.fp" ln -s "${def_bundle_fp}" "$w/cacert.fp"
@ -73,19 +79,10 @@ while : ; do
break ; done break ; done
if [ "${with_def_bundle}" = 1 ] ; then if [ "${with_def_bundle}" = 1 ] ; then
grep -Fxv -f "$w/cacert.fp" "$w/all.fp" > "$w/diff.fp" grep -Fxnv -f "$w/cacert.fp" "$w/new.fp" | cut -d : -f 1 > "$w/diff.ln"
[ -s "$w/diff.fp" ] || break [ -s "$w/diff.ln" ] || break
## entering processing section
touch "$w/processing"
grep -Fxn -f "$w/diff.fp" "$w/all.fp" | cut -d : -f 1 > "$w/diff.lineno"
[ -s "$w/diff.lineno" ] || break
## leaving processing section
rm -f "$w/processing"
else else
: > "$w/diff.lineno" : > "$w/diff.ln"
fi fi
: > "${volume_root}/ca.pem" : > "${volume_root}/ca.pem"
@ -99,9 +96,11 @@ while : ; do
while read -r n ; do while read -r n ; do
[ -n "$n" ] || continue [ -n "$n" ] || continue
off=$(sed -ne "${n}p" "$w/all.off") off=$(sed -ne "${n}p" "$w/new.off")
sed -ne "${off}p" "$w/all.pem" | openssl x509 [ -n "${off}" ] || continue
done < "$w/diff.lineno" >> "${volume_root}/ca.pem"
sed -ne "${off}p" "$w/new.pem"
done < "$w/diff.ln" >> "${volume_root}/ca.pem"
unset n off unset n off
set -a set -a
@ -110,10 +109,14 @@ while : ; do
SSL_CERT_DIR="${empty_dir}" SSL_CERT_DIR="${empty_dir}"
set +a set +a
break ; done break ; done
unset def_bundle_bind_mount with_def_bundle unset def_bundle_fp def_bundle_bind_mount with_def_bundle
[ -f "${volume_root}/ca.pem" ] || ln -s "${def_bundle}" "${volume_root}/ca.pem" while ! [ -f "${volume_root}/ca.pem" ] ; do
unset def_bundle def_bundle_fp [ -s "${def_bundle}" ] || break
ln -s "${def_bundle}" "${volume_root}/ca.pem"
break ; done
unset def_bundle
[ -f "${volume_root}/ca.pem" ] || : > "${volume_root}/ca.pem"
if [ -n "${w:-}" ] ; then if [ -n "${w:-}" ] ; then
if [ -f "$w/processing" ] ; then if [ -f "$w/processing" ] ; then

5
requirements.txt Normal file
View File

@ -0,0 +1,5 @@
jinja2==3.1.4
netaddr==1.3.0
psutil==6.0.0
pyyaml==6.0.2
wcmatch==9.0

View File

@ -13,38 +13,83 @@ me=${0##*/}
w=$(mktemp -d) || exit 1 w=$(mktemp -d) || exit 1
w_cleanup() { w_cleanup() {
[ -z "$w" ] || ls -lA "$w/" [ -z "$w" ] || ls -lA "$w/" >&2
[ -z "$w" ] || rm -rf "$w" [ -z "$w" ] || rm -rf "$w"
unset w unset w
exit "${1:-0}" exit "${1:-0}"
} }
bundle_offsets() {
awk '
BEGIN { OFS = "," ; i_begin = 0 ; }
$0 == "-----BEGIN CERTIFICATE-----" { i_begin = NR ; }
$0 == "-----END CERTIFICATE-----" { if (i_begin > 0) { print i_begin,NR ; i_begin = 0 ; } }
' "$1"
}
bundle_fingerprints() {
local x f
while read -r x ; do
[ -n "$x" ] || continue
f=$(sed -ne "${x}p" "$1" | openssl x509 -noout -fingerprint -sha256)
[ -n "$f" ] || f=$(sed -ne "${x}p" "$1" | openssl x509 -noout -fingerprint)
[ -n "$f" ] || continue
printf '%s\n' "$f" | tr '[:upper:]' '[:lower:]'
done < "$2"
}
openssl storeutl -certs "$1" > "$w/cert.pem" || w_cleanup 1 openssl storeutl -certs "$1" > "$w/cert.pem" || w_cleanup 1
[ -s "$w/cert.pem" ] || w_cleanup 1 [ -s "$w/cert.pem" ] || w_cleanup 1
tr -s '\r\n' '\n' < "$w/cert.pem" > "$w/cert.txt" tr -s '\r\n' '\n' < "$w/cert.pem" > "$w/cert.txt"
[ -s "$w/cert.txt" ] || w_cleanup 1 [ -s "$w/cert.txt" ] || w_cleanup 1
rm -f "$w/cert.pem"
awk ' bundle_offsets "$w/cert.txt" > "$w/cert.off"
BEGIN { [ -s "$w/cert.off" ] || w_cleanup 1
OFS = ","
m_begin="-----BEGIN CERTIFICATE-----"
m_end="-----END CERTIFICATE-----"
i_begin = 0
}
$0 == m_begin { i_begin = NR ; }
$0 == m_end {
if (i_begin > 0) {
print i_begin,NR
i_begin = 0
}
}
' "$w/cert.txt" > "$w/cert.offsets"
[ -s "$w/cert.offsets" ] || w_cleanup 1
while read -r a ; do bundle_fingerprints "$w/cert.txt" "$w/cert.off" > "$w/cert.fp.all"
[ -n "$a" ] || continue [ -s "$w/cert.fp.all" ] || w_cleanup 1
sed -ne "${a}p" "$w/cert.txt" sort -uV < "$w/cert.fp.all" > "$w/cert.fp"
done < "$w/cert.offsets" while read -r fp ; do
[ -n "${fp}" ] || continue
n=$(grep -m1 -Fxn -e "${fp}" "$w/cert.fp.all" | cut -d : -f 1)
[ -n "$n" ] || continue
off=$(sed -ne "${n}p" "$w/cert.off")
[ -n "${off}" ] || continue
sed -ne "${off}p" "$w/cert.txt"
done < "$w/cert.fp" > "$w/cert.pem"
[ -s "$w/cert.pem" ] || w_cleanup 1
rm -f "$w/cert.txt" "$w/cert.off" "$w/cert.fp.all"
if [ -n "$2" ] ; then
while : ; do
if [ -e "$2" ] ; then
[ -f "$2" ] || break
fi
cat > "$2"
break ; done
else
cat
fi < "$w/cert.pem"
while [ -n "$3" ] ; do
if [ -e "$3" ] ; then
[ -f "$3" ] || break
fi
cat "$w/cert.fp" > "$3"
break ; done
while [ -n "$4" ] ; do
if [ -e "$4" ] ; then
[ -f "$4" ] || break
fi
bundle_offsets "$w/cert.pem" > "$4"
break ; done
rm -rf "$w" ; unset w rm -rf "$w" ; unset w

View File

@ -1,52 +0,0 @@
#!/bin/sh
set -f
[ $# -gt 0 ] || exit 0
me=${0##*/}
[ -n "$1" ] || exit 1
[ -f "$1" ] || {
env printf '%s: not a file or does not exist: %q\n' "${me}" "$1" >&2
exit 1
}
[ -s "$1" ] || exit 0
w=$(mktemp -d) || exit 1
w_cleanup() {
[ -z "$w" ] || ls -lA "$w/"
[ -z "$w" ] || rm -rf "$w"
unset w
exit "${1:-0}"
}
openssl-cert-auto-pem.sh "$1" > "$w/cert.pem" || w_cleanup 1
[ -s "$w/cert.pem" ] || w_cleanup 1
awk '
BEGIN {
OFS = ","
m_begin="-----BEGIN CERTIFICATE-----"
m_end="-----END CERTIFICATE-----"
i_begin = 0
}
$0 == m_begin { i_begin = NR ; }
$0 == m_end {
if (i_begin > 0) {
print i_begin,NR
i_begin = 0
}
}
' "$w/cert.pem" > "$w/cert.off"
[ -s "$w/cert.off" ] || w_cleanup 1
while read -r a ; do
[ -n "$a" ] || continue
{
sed -ne "${a}p" "$w/cert.pem" | openssl x509 -noout -fingerprint -sha256 \
|| \
sed -ne "${a}p" "$w/cert.pem" | openssl x509 -noout -fingerprint
} | tr '[:upper:]' '[:lower:]'
done < "$w/cert.off"
w_cleanup 0