diff options
| author | Thomas Lange <code@nerdmind.de> | 2022-11-01 15:27:42 +0100 |
|---|---|---|
| committer | Thomas Lange <code@nerdmind.de> | 2022-11-01 15:27:42 +0100 |
| commit | 094e9d130195156f31d32b7cd250e6de55b88fe2 (patch) | |
| tree | 381716c9a1a405f97359f6a1b559d0a385c42040 /package | |
| parent | c17cf529c48659d10eb3444c9f628f895e9cfead (diff) | |
| download | painlessle-094e9d130195156f31d32b7cd250e6de55b88fe2.tar.gz painlessle-094e9d130195156f31d32b7cd250e6de55b88fe2.tar.xz painlessle-094e9d130195156f31d32b7cd250e6de55b88fe2.zip | |
Don't use system-wide OpenSSL config anymore
Use an inline assembled OpenSSL configuration instead of relying on the
system-wide OpenSSL configuration (/etc/ssl/openssl.cnf) which location
was specified by the hardcoded OPENSSLCONF variable inside the script.
If the system-wide OpenSSL configuration file was not properly formatted
or otherwise customized by the system administrator, it could've lead to
conflicts with the CSR generation process in PainlessLE.
The inline configuration now only consists of the neccessary parts which
are relevant for generating the Certificate-Signing-Request.
Tested on:
- OpenSSL 1.1.1n @ Debian 11 (bullseye)
- OpenSSL 1.1.1d @ openSUSE Leap 15.3
Diffstat (limited to 'package')
| -rwxr-xr-x | package/sbin/painless-le | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/package/sbin/painless-le b/package/sbin/painless-le index d910db0..d970ef7 100755 --- a/package/sbin/painless-le +++ b/package/sbin/painless-le @@ -64,7 +64,6 @@ DNS_DOMAIN="${@:2}" #=============================================================================== # Define filename variables #=============================================================================== - OPENSSLCONF="/etc/ssl/openssl.cnf" REQUESTFILE="$(mktemp /tmp/painless-le.XXXXXX.csr)" CONFIDENTIAL="${TARGET_DIR%/}/${OPT_CONFIDENTIAL:-confidential.pem}" INTERMEDIATE="${TARGET_DIR%/}/${OPT_INTERMEDIATE:-intermediate.pem}" @@ -77,10 +76,20 @@ CERTIFICATE_FULL="${TARGET_DIR%/}/${OPT_CERTIFICATE_FULL:-certificate_full.pem}" trap 'rm ${REQUESTFILE}' EXIT #=============================================================================== +# Assemble OpenSSL configuration for CSR generation +#=============================================================================== +SUBJECT_ALT_NAME="DNS:$(echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g")" +OPENSSL_CONFIG="[req] +distinguished_name = req_distinguished_name +[req_distinguished_name] +[SAN] +subjectAltName=${SUBJECT_ALT_NAME}" + +#=============================================================================== # Create Certificate-Signing-Request #=============================================================================== -openssl req -config <(cat "${OPENSSLCONF}" <(printf "[SAN]\nsubjectAltName=DNS:`echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g"`")) \ - -new -sha256 -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" -reqexts SAN -subj "/" +openssl req -config <(echo "$OPENSSL_CONFIG") -new -sha256 -reqexts SAN \ + -subj "/" -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" #=============================================================================== # Check if Certificate-Signing-Request creation failed |