From 094e9d130195156f31d32b7cd250e6de55b88fe2 Mon Sep 17 00:00:00 2001
From: Thomas Lange
Date: Tue, 1 Nov 2022 15:27:42 +0100
Subject: Don't use system-wide OpenSSL config anymore

Use an inline assembled OpenSSL configuration instead of relying on the system-wide OpenSSL configuration (/etc/ssl/openssl.cnf) which location was specified by the hardcoded OPENSSLCONF variable inside the script. If the system-wide OpenSSL configuration file was not properly formatted or otherwise customized by the system administrator, it could've lead to conflicts with the CSR generation process in PainlessLE. The inline configuration now only consists of the neccessary parts which are relevant for generating the Certificate-Signing-Request.

Tested on:
- OpenSSL 1.1.1n @ Debian 11 (bullseye)
- OpenSSL 1.1.1d @ openSUSE Leap 15.3
---
 package/sbin/painless-le | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/package/sbin/painless-le b/package/sbin/painless-le
index d910db0..d970ef7 100755
--- a/package/sbin/painless-le
+++ b/package/sbin/painless-le
@@ -64,7 +64,6 @@ DNS_DOMAIN="${@:2}"
 #===============================================================================
 # Define filename variables
 #===============================================================================
- OPENSSLCONF="/etc/ssl/openssl.cnf"
 REQUESTFILE="$(mktemp /tmp/painless-le.XXXXXX.csr)"
 CONFIDENTIAL="${TARGET_DIR%/}/${OPT_CONFIDENTIAL:-confidential.pem}"
 INTERMEDIATE="${TARGET_DIR%/}/${OPT_INTERMEDIATE:-intermediate.pem}"
@@ -76,11 +75,21 @@ CERTIFICATE_FULL="${TARGET_DIR%/}/${OPT_CERTIFICATE_FULL:-certificate_full.pem}"
 #===============================================================================
 trap 'rm ${REQUESTFILE}' EXIT
 
+#===============================================================================
+# Assemble OpenSSL configuration for CSR generation
+#===============================================================================
+SUBJECT_ALT_NAME="DNS:$(echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g")"
+OPENSSL_CONFIG="[req]
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[SAN]
+subjectAltName=${SUBJECT_ALT_NAME}"
+
 #===============================================================================
 # Create Certificate-Signing-Request
 #===============================================================================
-openssl req -config <(cat "${OPENSSLCONF}" <(printf "[SAN]\nsubjectAltName=DNS:`echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g"`")) \
- -new -sha256 -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" -reqexts SAN -subj "/"
+openssl req -config <(echo "$OPENSSL_CONFIG") -new -sha256 -reqexts SAN \
+ -subj "/" -key "${CONFIDENTIAL}" -out "${REQUESTFILE}"
 
 #===============================================================================
 # Check if Certificate-Signing-Request creation failed
-- 
cgit v1.2.3
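Review bot: `SUBJECT_ALT_NAME="DNS:$(echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g")"` expands `${DNS_DOMAIN}` unquoted, so the space-joined domain list is also subject to pathname expansion (a wildcard name such as `*.example.com` can be replaced by matching files in the working directory before it reaches the config), and whatever survives is spliced verbatim into the inline OpenSSL configuration, where a value containing a newline or `[` would open a new config section. The names come from the script's own arguments (`DNS_DOMAIN="${@:2}"` in the first hunk), so this is an operator footgun rather than a remote injection, but a config that is now assembled from argv deserves a sanity check before it is handed to `openssl req`. I would split the list with `read -r -a` (which does not glob), reject anything that is not a plain hostname or a `*.`-prefixed wildcard, and build the SAN string with `printf '%s'` instead of an unquoted `echo`; for the same reason `<(echo "$OPENSSL_CONFIG")` reads better as `<(printf '%s\n' "${OPENSSL_CONFIG}")`. The CSR-failure check that follows begins outside the hunk, so the error-reporting convention the rejection should reuse is not visible here; the `exit 1` below is a placeholder for it.
```shell
# … unchanged: "Assemble OpenSSL configuration" section header …
# read -a splits on whitespace without pathname expansion, unlike an unquoted ${DNS_DOMAIN}
read -r -a DOMAIN_LIST <<< "${DNS_DOMAIN}"
for DOMAIN in "${DOMAIN_LIST[@]}"; do
  # Only hostname characters (optionally a leading "*." wildcard label) may reach the config;
  # this keeps newlines, '[' and ',' out of the subjectAltName line assembled below.
  if ! [[ "${DOMAIN}" =~ ^(\*\.)?[A-Za-z0-9.-]+$ ]]; then
    printf 'Invalid domain name: %s\n' "${DOMAIN}" >&2
    exit 1
  fi
done
SUBJECT_ALT_NAME="DNS:$(printf '%s' "${DNS_DOMAIN}" | sed "s/ /,DNS:/g")"
# … unchanged: OPENSSL_CONFIG assembly …
openssl req -config <(printf '%s\n' "${OPENSSL_CONFIG}") -new -sha256 -reqexts SAN \
 -subj "/" -key "${CONFIDENTIAL}" -out "${REQUESTFILE}"
```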