acmesh-official / acme.sh

A pure Unix shell script implementing the ACME client protocol
https://acme.sh
GNU General Public License v3.0

Missing new line in ca.cer when requesting a wildcard certificate #1361

Closed casperklein closed 1 day ago

casperklein commented 6 years ago

v2.7.7

Steps to reproduce

I noticed a curious behaviour when requesting a wildcard certificate.

I have a script that concatenates example.com.cer, example.com.key, ca.cer and my custom dhparam into a file used by Apache.

This one works:

./acme.sh --home /home/test/ --issue -d example.com --dns dns_cf
cat example.com.cer example.com.key ca.cer dhparam > apache.pem

apache.pem looks good and can be used by the Apache web server.

But when I request a wildcard certificate:

./acme.sh --home /home/test/ --issue -d example.com -d '*.example.com' --dns dns_cf
cat example.com.cer example.com.key ca.cer dhparam > apache.pem

apache.pem is broken (missing newline between the content of ca.cer and dhparam). I investigated and found that ca.cer did not contain a newline (0A) at the end.

I also noticed an extra newline in fullchain.cer between the two certificates.
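As an added illustration (not acme.sh code and not the reporter's own script), the following POSIX sh snippet reproduces the glued-marker symptom with constructed placeholder PEM bodies, then concatenates the files while guaranteeing that each contributes a trailing newline, and checks the result. File names follow the issue; the function names `pem_cat`, `pem_check`, `pem_make_samples` and `pem_demo` are chosen here.

```shell
#!/bin/sh
# Added example, not acme.sh code: build apache.pem so that an input PEM file
# that lacks its final newline (0A), as ca.cer did above, cannot glue its END
# marker onto the next file's BEGIN marker.

# pem_cat FILE... : print each file, appending a newline only when missing.
pem_cat() {
  for f in "$@"; do
    cat "$f"
    # $(tail -c1) is empty when the last byte is a newline (or file is empty).
    if [ -n "$(tail -c1 "$f")" ]; then
      printf '\n'
    fi
  done
}

# pem_check FILE : succeed only if no "-----END ...-----" marker is followed
# by more text on the same line (the symptom seen in the broken apache.pem).
pem_check() {
  ! grep -Eq -e '-----END [A-Z ]+-----.' "$1"
}

# pem_make_samples DIR : write two constructed inputs with placeholder bodies
# (not real key material): ca.cer WITHOUT a final newline, dhparam with one.
pem_make_samples() {
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
    '-----END CERTIFICATE-----' > "$1/ca.cer"
  printf '%s\n%s\n%s\n' '-----BEGIN DH PARAMETERS-----' 'MIGH...placeholder...' \
    '-----END DH PARAMETERS-----' > "$1/dhparam"
}

# pem_demo : compare plain cat with pem_cat on the constructed inputs.
pem_demo() {
  d=$(mktemp -d) || return 1
  pem_make_samples "$d"
  cat "$d/ca.cer" "$d/dhparam" > "$d/naive.pem"
  pem_cat "$d/ca.cer" "$d/dhparam" > "$d/fixed.pem"
  for p in naive fixed; do
    if pem_check "$d/$p.pem"; then
      echo "$p.pem: ok"
    else
      echo "$p.pem: glued markers"
    fi
  done
  rm -rf "$d"
}

pem_demo
```

Running it prints `naive.pem: glued markers` followed by `fixed.pem: ok`; `pem_check` can also be pointed at an existing apache.pem to confirm whether it was affected.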

Neilpang commented 6 years ago

Yes, I will fix it soon.

For now, please use fullchain.cer instead:

cat fullchain.cer example.com.key dhparam > apache.pem

FernandoMiguel commented 6 years ago

FYI, dhparam is being phased out. Apparently more people misuse it, and it causes more issues than benefits.

For example, https://mozilla.github.io/server-side-tls/ssl-config-generator/ no longer references it.

casperklein commented 6 years ago

> FYI, dhparam is being phased out. Apparently more people misuse it, and it causes more issues than benefits.

Do you have any sources for that?

When "Logjam" arrived, it was advised to use custom dhparams > 1024 (https://weakdh.org/sysadmin.html). Since using them, I haven't encountered any disadvantage/trouble yet.