author: Thomas Lange <code@nerdmind.de> 2016-12-20 18:30:46 +0100
committer: Thomas Lange <code@nerdmind.de> 2016-12-20 18:30:46 +0100
commit: ea7522622440da7b342a00b1bf65af5c4d1c70f1 (patch)
tree: 8849164e761198ac1654ac7944079d3c6703842c
parent: 7975aa7fc57c91fcc0bc6e567bd59e7b93e7ee13 (diff)
download: painlessle-ea7522622440da7b342a00b1bf65af5c4d1c70f1.tar.gz
painlessle-ea7522622440da7b342a00b1bf65af5c4d1c70f1.tar.xz
painlessle-ea7522622440da7b342a00b1bf65af5c4d1c70f1.zip
ARGUMENT_HOSTNAMES must now contain only a colon separated string with the hostnames.
-rwxr-xr-x painless-le.sh | 2
-rw-r--r-- readme.md | 4
2 files changed, 3 insertions, 3 deletions
diff --git a/painless-le.sh b/painless-le.sh
index ad5a376..7ed121f 100755
--- a/painless-le.sh
+++ b/painless-le.sh
@@ -42,7 +42,7 @@ CERTIFICATE_FULL="${ARGUMENT_DIRECTORY%/}/certificate_full.pem"
#===============================================================================
# Generate Certificate-Signing-Request (CSR)
#===============================================================================
-openssl req -config <(cat "${OPENSSLCONF}" <(printf "[SAN]\nsubjectAltName=${ARGUMENT_HOSTNAMES}")) \
+openssl req -config <(cat "${OPENSSLCONF}" <(printf "[SAN]\nsubjectAltName=DNS:`echo ${ARGUMENT_HOSTNAMES} | sed "s/:/,DNS:/"`")) \
-new -sha256 -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" -outform der -reqexts SAN -subj "/"
#===============================================================================
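Review bot: the `sed "s/:/,DNS:/"` in the new `openssl req` line has no `g` flag, so only the first colon is rewritten; with three hostnames (the readme's own example) the SAN becomes `DNS:example.org,DNS:blog.example.org:shop.example.org`, which is not a valid subjectAltName list. Use `sed "s/:/,DNS:/g"` or, simpler and without the unquoted `echo ${ARGUMENT_HOSTNAMES}` word splitting, bash substitution with the value passed as a printf argument rather than embedded in the format string: `printf '[SAN]\nsubjectAltName=%s' "DNS:${ARGUMENT_HOSTNAMES//:/,DNS:}"`. Since the argument is spliced into the OpenSSL request config unvalidated, a check just before this line that it contains only hostname characters and colons would also be worthwhile.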
diff --git a/readme.md b/readme.md
index 89beda9..bb73578 100644
--- a/readme.md
+++ b/readme.md
@@ -10,7 +10,7 @@ Change the `LETSENCRYPT_ENDPOINT` to the address of the ACME staging API for tes
## Arguments
1. `ARGUMENT_DIRECTORY` contains a string with the directory path where the certificates should be installed. This directory should already contain a manually created RSA private key for the Certificate-Signing-Request (CSR). It's always a good idea to handle the RSA private keys manually because you may use [HTTP Public-Key-Pinning (HPKP)](https://tools.ietf.org/html/rfc7469) so that you must ensure, that the RSA private key does not change.
-2. `ARGUMENT_HOSTNAMES` contains a string with the hostnames to include within the certificate. The string must be formatted as follows because he get injected directly into to OpenSSL command to generate the Certificate-Signing-Request: `DNS:example.org,DNS:blog.example.org,DNS:shop.example.org`
+2. `ARGUMENT_HOSTNAMES` contains a colon (`:`) separated string with the DNS hostnames to include within the certificate. The string must be formatted as follows, without containing colons anywhere except **between** the hostnames: `example.org:blog.example.org:shop.example.org`
## Example
Lets assume that you want to get a single X.509 certificate from the Let's Encrypt CA which includes three hostnames of your domain `example.org` (main domain, blog subdomain and shop subdomain). You already have a RSA private key with the correct UNIX file permissions stored within the following example directory with the name `confidential.pem`:
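Review bot: the new item 2 states the required format but not that the script does not enforce it; the value goes straight into the OpenSSL request config (painless-le.sh hunk), so either say here that malformed input is not rejected and the caller must supply a clean value, or add validation to the script and document it. "DNS hostnames" is a useful clarification; consider also stating that IP addresses are not supported, since every entry is emitted as a `DNS:` SAN.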
@@ -20,7 +20,7 @@ Lets assume that you want to get a single X.509 certificate from the Let's Encry
The next step is to execute `painless-le.sh` and providing the only two command-line arguments which are described above. In this example, the complete command-line string with the desired install directory `/etc/painless-le/example.org` and the desired hostnames `example.org`, `blog.example.org` and `shop.example.org` looks as follows:
- painless-le.sh /etc/painless-le/example.org/ "DNS:example.org,DNS:blog.example.org,DNS:shop.example.org"
+ painless-le.sh /etc/painless-le/example.org/ "example.org:blog.example.org:shop.example.org"
The certbot client will now contacting the ACME challenge servers and runs a temporary standalone webserver on your machine to accomplish the ACME challenge. If all works fine, you have nothing to intervene. After the command was successfully executed, you will see your certificates within your desired install directory (the certificates inherit the permissions of the `confidential.pem` file) and you're done:
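Review bot: the updated example passes three hostnames, which is exactly the case the single-replacement `sed` in the painless-le.sh hunk mishandles, so as written the example would not produce a certificate covering `shop.example.org`. After running it, confirm the CSR before the ACME request with `openssl req -in "${REQUESTFILE}" -inform der -noout -text` and check that all three `DNS:` entries appear under X509v3 Subject Alternative Name; the readme could mention that check.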