rewrite #5
With a new command line option, we can accept a file containing the user password. If "--password-file" is provided with a path to a readable file, the first line is read and stored into the PASSWORD variable.
Title changed from "WIP: Accept a password file" to "WIP: rewrite"
I've also added "--end-date" and "--days" to specify the expiration date.
I've also added "--non-interactive" and "--replace-existing" command line options.
I would really like to see this new feature set merged. It would save us a lot of time when renewing certificates.
What is missing for this work-in-progress to be a real PR? How can I help?
@ -4,3 +4,3 @@
#
set -e
set -u
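Review bot: with both "set -e" and "set -u" enabled at the top of the script, any reference to a variable that may legitimately be unset, such as CA_PASSWORD which non-interactive mode expects from the environment, aborts the script with an unbound-variable error before the dedicated message is reached. Test such variables with a default expansion, e.g. [ -z "${CA_PASSWORD:-}" ], so the explicit error message is displayed and "set -u" can be kept.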
This causes some bugs, especially with "list" options.
With "set -u":
Without "set -u":
This bug is also present on the current master version if I add "set -u", but I cannot find the reason.
Not sure if some code needs a fix or not, but I think we should at least remove "set -u".
This option also causes the error messages added in the code to handle a missing variable not to be displayed.
I'm pretty sure we can find a way to keep the security added by "set -u" and fix this.
@ -354,0 +766,4 @@
if [ -z "${1}" ]; then
show_usage >&2
exit 1
fi
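Review bot: [ -z "${1}" ] raises the "set -u" unbound-variable error when shellpki is invoked with no argument at all, so show_usage is never reached in exactly the case it is meant for; if the check stays, write it as [ -z "${1:-}" ]. Given that listing all valid certificates is the intended default for "shellpki list", the check can probably be dropped instead.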
This is not needed as "shellpki list" should, thanks to lines 771 and 772, list all valid certificates by default.
We should update the README file and the show_usage function with the new options.
Great! We can automate the creation of many secured certificates with a loop, for example:
Maybe we could have an option in shellpki so that we don't have to use a loop ourselves?
Ok for the "--days" option, but I had to examine the code for the "--end-date" one: it uses "date -d", so the format is MM/DD/[YY]YY [hh:mm:ss]. This option is compatible on Debian, but "date" on OpenBSD does not implement the "-d" option. Why don't we directly use the date format expected by openssl, YYMMDDHHMMSSZ, with an explicit readme?
Great! "--non-interactive" could be used to automate the installation with Ansible. But I've found a bug with the two options at once, if we do not provide CA_PASSWORD:
The "In non-interactive mode, you must pass CA_PASSWORD as environment variable" error message is not displayed anymore.
In fact it is not possible for now, because openssl still asks for the CA password:
But we could add "-passout pass:${CA_PASSWORD}" to the openssl command:
@ -171,0 +354,4 @@
--password-file)
# password-file option, with value separated by space
if [ -n "$2" ]; then
password_file=$(readlink --canonicalize -- "${2}")
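Review bot: the [ -n "$2" ] guard in the --password-file case only checks that some value follows the option; it neither verifies that the path is a readable file, which the PR description requires, nor survives "set -u" when --password-file is the last argument ("$2" is then unset). Test "${2:-}" instead, and after resolving the path check [ -r "${password_file}" ] and fail with an explicit message before the first line is read.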
Option "--canonicalize" is not compatible with OpenBSD, but option "-f" is:
On Debian, "man readlink":
On OpenBSD, "man readlink":
I suggest replacing all "--canonicalize" occurrences by "-f".
As of now, those topics remain:
Everything mentioned here has been reviewed, and I fixed some other bugs.
I found one that I don't know how to fix for now, but I'm not sure if it's very important:
If we use shellpki with "--end-date --days" in this particular order, "--days" is seen as correct on Linux for date(1), as it is interpreted as "one day", and the certificate is created for one day:
Plus, if we use it with "--end-date --days 5 cert.example.org" for example, it won't create the certificate "cert.example.org" for 5 days, but the certificate "5" for one day.
I still have some tests to do before we can merge this PR.
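As an added example, not code from shellpki or from this PR, the following POSIX sh parser shows how the problems raised in this thread can be caught: an option that expects a value refuses a following option such as "--days", so "--end-date --days 5 cert.example.org" is rejected instead of creating certificate "5", and "--password-file" is only accepted when the path is readable and its first line is non-empty. The function names, the YYMMDDHHMMSSZ check and the printed summary line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not shellpki's own code: a defensive parser for the options
# discussed in this PR. Function names and the output format are assumptions.
set -eu

# Fail when an option that needs a value gets nothing or gets another option,
# so "--end-date --days 5 ..." cannot turn "--days" into a date and "5" into a CN.
need_value() {
    case "${2:-}" in
        ""|-*) echo "Option ${1} requires a value" >&2; return 1 ;;
    esac
}

# Parse arguments and print "days=<n> end_date=<s> password_set=<0|1> cn=<name>".
parse_args() {
    days="" end_date="" password="" cn=""
    while [ $# -gt 0 ]; do
        case "${1}" in
            --days)
                need_value "$1" "${2:-}" || return 1
                case "$2" in *[!0-9]*) echo "--days must be a number" >&2; return 1 ;; esac
                days="$2"; shift 2 ;;
            --end-date)
                need_value "$1" "${2:-}" || return 1
                # Use the format openssl expects (YYMMDDHHMMSSZ), as suggested in
                # the review, instead of the non-portable "date -d" parsing.
                case "$2" in
                    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
                    *) echo "--end-date must be YYMMDDHHMMSSZ" >&2; return 1 ;;
                esac
                end_date="$2"; shift 2 ;;
            --password-file)
                need_value "$1" "${2:-}" || return 1
                [ -r "$2" ] || { echo "Cannot read password file: $2" >&2; return 1; }
                # Only the first line is the password; an empty file is an error.
                IFS= read -r password < "$2" || true
                [ -n "$password" ] || { echo "Empty password file: $2" >&2; return 1; }
                shift 2 ;;
            -*) echo "Unknown option: $1" >&2; return 1 ;;
            *) cn="$1"; shift ;;
        esac
    done
    [ -n "$cn" ] || { echo "Missing certificate name" >&2; return 1; }
    if [ -n "$days" ] && [ -n "$end_date" ]; then
        echo "--days and --end-date are mutually exclusive" >&2; return 1
    fi
    pw_set=0; if [ -n "$password" ]; then pw_set=1; fi
    printf 'days=%s end_date=%s password_set=%s cn=%s\n' "$days" "$end_date" "$pw_set" "$cn"
}
```

Because every value is checked before it is consumed, the parser works the same under "set -u", which the review wanted to keep.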
I finished testing everything and I made some more fixes and improvements.
Everything is working fine for me. We can merge this PR.
Title changed from "WIP: rewrite" to "rewrite"