aboutsummaryrefslogtreecommitdiffstats
path: root/package/sbin
diff options
context:
space:
mode:
authorThomas Lange <code@nerdmind.de>2022-11-01 15:27:42 +0100
committerThomas Lange <code@nerdmind.de>2022-11-01 15:27:42 +0100
commit094e9d130195156f31d32b7cd250e6de55b88fe2 (patch)
tree381716c9a1a405f97359f6a1b559d0a385c42040 /package/sbin
parentc17cf529c48659d10eb3444c9f628f895e9cfead (diff)
downloadpainlessle-094e9d130195156f31d32b7cd250e6de55b88fe2.tar.gz
painlessle-094e9d130195156f31d32b7cd250e6de55b88fe2.tar.xz
painlessle-094e9d130195156f31d32b7cd250e6de55b88fe2.zip
Don't use system-wide OpenSSL config anymore
Use an inline assembled OpenSSL configuration instead of relying on the system-wide OpenSSL configuration (/etc/ssl/openssl.cnf) which location was specified by the hardcoded OPENSSLCONF variable inside the script. If the system-wide OpenSSL configuration file was not properly formatted or otherwise customized by the system administrator, it could've lead to conflicts with the CSR generation process in PainlessLE. The inline configuration now only consists of the neccessary parts which are relevant for generating the Certificate-Signing-Request. Tested on: - OpenSSL 1.1.1n @ Debian 11 (bullseye) - OpenSSL 1.1.1d @ openSUSE Leap 15.3
Diffstat (limited to 'package/sbin')
-rwxr-xr-xpackage/sbin/painless-le15
1 files changed, 12 insertions, 3 deletions
diff --git a/package/sbin/painless-le b/package/sbin/painless-le
index d910db0..d970ef7 100755
--- a/package/sbin/painless-le
+++ b/package/sbin/painless-le
@@ -64,7 +64,6 @@ DNS_DOMAIN="${@:2}"
#===============================================================================
# Define filename variables
#===============================================================================
- OPENSSLCONF="/etc/ssl/openssl.cnf"
REQUESTFILE="$(mktemp /tmp/painless-le.XXXXXX.csr)"
CONFIDENTIAL="${TARGET_DIR%/}/${OPT_CONFIDENTIAL:-confidential.pem}"
INTERMEDIATE="${TARGET_DIR%/}/${OPT_INTERMEDIATE:-intermediate.pem}"
@@ -77,10 +76,20 @@ CERTIFICATE_FULL="${TARGET_DIR%/}/${OPT_CERTIFICATE_FULL:-certificate_full.pem}"
trap 'rm ${REQUESTFILE}' EXIT
#===============================================================================
+# Assemble OpenSSL configuration for CSR generation
+#===============================================================================
+SUBJECT_ALT_NAME="DNS:$(echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g")"
+OPENSSL_CONFIG="[req]
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[SAN]
+subjectAltName=${SUBJECT_ALT_NAME}"
+
+#===============================================================================
# Create Certificate-Signing-Request
#===============================================================================
-openssl req -config <(cat "${OPENSSLCONF}" <(printf "[SAN]\nsubjectAltName=DNS:`echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g"`")) \
- -new -sha256 -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" -reqexts SAN -subj "/"
+openssl req -config <(echo "$OPENSSL_CONFIG") -new -sha256 -reqexts SAN \
+ -subj "/" -key "${CONFIDENTIAL}" -out "${REQUESTFILE}"
#===============================================================================
# Check if Certificate-Signing-Request creation failed