added option to set csr-flag indicating ocsp stapling to be mandatory

diff --git a/CHANGELOG b/CHANGELOG
index a26cdf5801002aa62da4cdabddd1c8a6e428fc43..095e11a81d92ffe9afaaef1eee6b52519a4321a3 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,9 @@ This file contains a log of major changes in letsencrypt.sh
 - Config is now named `config` instead of `config.sh`!
 - Location of domains.txt is now configurable via DOMAINS_TXT config variable
 
+## Added
+- Added option to add CSR-flag indicating OCSP stapling to be mandatory
+
 ## [0.2.0] - 2016-05-22
 ### Changed
 - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys

diff --git a/README.md b/README.md
index 904cda1acb59b1154feab6da2b1a5f0d576c1be8..65632430bbfed0a08e5d15cb0bf7c3bc615dae84 100644 (file)
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ Commands:
 Parameters:
  --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
  --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
  --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
  --config (-f) path/to/config     Use specified config file
  --hook (-k) path/to/hook.sh      Use specified script for hooks

diff --git a/docs/examples/config b/docs/examples/config
index b27481f46076d03b255719839ecf1028c2c6f9a6..23322e6134d70d5a9262cf406caac1e6ce427b6d 100644 (file)
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -78,3 +78,6 @@
 
 # Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
 #LOCKFILE="${BASEDIR}/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"

diff --git a/letsencrypt.sh b/letsencrypt.sh
index df7adf223afef834dba48d74ccb8554ba82eb58a..0b8810bc6ec0782a9747bd8303255d0a959c81f3 100755 (executable)
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -78,6 +78,7 @@ load_config() {
   OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
   CONTACT_EMAIL=
   LOCKFILE=
+  OCSP_MUST_STAPLE="no"
 
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
@@ -128,6 +129,7 @@ load_config() {
   [[ -n "${PARAM_CERTDIR:-}" ]] && CERTDIR="${PARAM_CERTDIR}"
   [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
   [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
+  [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
 
   [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue."
   if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
@@ -535,6 +537,9 @@ sign_domain() {
   tmp_openssl_cnf="$(_mktemp)"
   cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
   printf "[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}"
+  if [ "${OCSP_MUST_STAPLE}" = "yes" ]; then
+    printf "\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "${tmp_openssl_cnf}"
+  fi
   openssl req -new -sha256 -key "${CERTDIR}/${domain}/${privkey}" -out "${CERTDIR}/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config "${tmp_openssl_cnf}"
   rm -f "${tmp_openssl_cnf}"
 
@@ -854,6 +859,12 @@ main() {
         PARAM_FORCE="yes"
         ;;
 
+      # PARAM_Usage: --ocsp
+      # PARAM_Description: Sets option in CSR indicating OCSP stapling to be mandatory
+      --ocsp)
+        PARAM_OCSP_MUST_STAPLE="yes"
+        ;;
+
       # PARAM_Usage: --privkey (-p) path/to/key.pem
       # PARAM_Description: Use specified private key instead of account key (useful for revocation)
       --privkey|-p)