From d81eb58536e3ae1170de3eda305688ae28d0575b Mon Sep 17 00:00:00 2001
From: Lukas Schauer
Date: Thu, 4 Aug 2016 00:11:02 +0200
Subject: [PATCH] Only print full chain on signcsr command if --full-chain/-fc is set (related to #150)
---
 CHANGELOG | 2 +-
 letsencrypt.sh | 35 +++++++++++++++++++++++------------
 2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 6e9b577..20769e1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,7 +6,7 @@ This file contains a log of major changes in letsencrypt.sh
 - Config is now named `config` instead of `config.sh`!
 - Location of domains.txt is now configurable via DOMAINS_TXT config variable
 - Location of certs directory is now configurable via CERTDIR config variable
-- signcsr command now also outputs chain certificate
+- signcsr command now also outputs chain certificate if --full-chain/-fc is set
 - Location of account-key(s) changed
 - Default WELLKNOWN location is now `/var/www/letsencrypt`
 - New version of Let's Encrypt Subscriber Agreement
diff --git a/letsencrypt.sh b/letsencrypt.sh
index cfc4244..787c31f 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -788,24 +788,29 @@ command_sign_csr() {
 certfile="$(_mktemp)"
 sign_csr "$(< "${csrfile}" )" 3> "${certfile}"
- # get and convert ca cert
- chainfile="$(_mktemp)"
- http_request get "$(openssl x509 -in "${certfile}" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${chainfile}"
-
- if ! grep -q "BEGIN CERTIFICATE" "${chainfile}"; then
- openssl x509 -inform DER -in "${chainfile}" -outform PEM -out "${chainfile}"
- fi
-
- # output full chain
+ # print cert
 echo "# CERT #" >&3
 cat "${certfile}" >&3
 echo >&3
- echo "# CHAIN #" >&3
- cat "${chainfile}" >&3
+
+ # print chain
+ if [ -n "${PARAM_FULL_CHAIN:-}" ]; then
+ # get and convert ca cert
+ chainfile="$(_mktemp)"
+ http_request get "$(openssl x509 -in "${certfile}" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${chainfile}"
+
+ if ! grep -q "BEGIN CERTIFICATE" "${chainfile}"; then
+ openssl x509 -inform DER -in "${chainfile}" -outform PEM -out "${chainfile}"
+ fi
+
+ echo "# CHAIN #" >&3
+ cat "${chainfile}" >&3
+
+ rm "${chainfile}"
+ fi
 # cleanup
 rm "${certfile}"
- rm "${chainfile}"
 exit 0
 }
@@ -978,6 +983,12 @@ main() {
 set_command cleanup
 ;;
+ # PARAM_Usage: --full-chain (-fc)
+ # PARAM_Description: Print full chain when using --signcsr
+ --full-chain|-fc)
+ PARAM_FULL_CHAIN="1"
+ ;;
+
 # PARAM_Usage: --ipv4 (-4)
 # PARAM_Description: Resolve names to IPv4 addresses only
 --ipv4|-4)
--
2.39.5
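Review bot: The certificate printed under `# CHAIN #` in command_sign_csr is whatever the leaf's `CA Issuers - URI` returns, and nothing in the new `if [ -n "${PARAM_FULL_CHAIN:-}" ]` branch checks that it is the leaf's issuer; the only test is the `BEGIN CERTIFICATE` grep that decides whether to run the DER conversion. AIA URLs are normally plain HTTP, so a caller who asked for --full-chain can receive an unrelated or damaged certificate with no signal that it is wrong. I would compare the leaf's issuer hash with the downloaded certificate's subject hash before writing it to fd 3, as sketched below; that is a name match only, and an `openssl verify` of the leaf against the download would be stronger. The conversion also passes `${chainfile}` as both `-in` and `-out`, which is safer split across two temp files. command_sign_csr begins above this hunk, so how `http_request` reports a failed download is not visible here.

```shell
  if [ -n "${PARAM_FULL_CHAIN:-}" ]; then
    # … unchanged: download chainfile from the CA Issuers URI, convert DER to PEM …

    # AIA download is unauthenticated: only emit it if it names the leaf's issuer
    leaf_issuer="$(openssl x509 -in "${certfile}" -noout -issuer_hash)"
    chain_subject="$(openssl x509 -in "${chainfile}" -noout -subject_hash)"
    if [ "${leaf_issuer}" != "${chain_subject}" ]; then
      echo "ERROR: downloaded chain certificate is not the issuer of the signed certificate" >&2
      rm -f "${certfile}" "${chainfile}"
      exit 1
    fi

    # … unchanged: print "# CHAIN #" and chainfile, remove chainfile …
  fi
```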
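Review bot: In the lines shown, `PARAM_FULL_CHAIN` is assigned only in the new `--full-chain|-fc)` arm of main(), while command_sign_csr tests `${PARAM_FULL_CHAIN:-}`, so a value inherited from the caller's environment would switch the chain download on without the flag being given. The start of main() is outside this hunk; if it does not already reset its PARAM_ variables, add `PARAM_FULL_CHAIN=""` before the option loop so that only the command line controls the outbound fetch.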