From 094e9d130195156f31d32b7cd250e6de55b88fe2 Mon Sep 17 00:00:00 2001 From: Thomas Lange Date: Tue, 1 Nov 2022 15:27:42 +0100 Subject: Don't use system-wide OpenSSL config anymore Use an inline assembled OpenSSL configuration instead of relying on the system-wide OpenSSL configuration (/etc/ssl/openssl.cnf) which location was specified by the hardcoded OPENSSLCONF variable inside the script. If the system-wide OpenSSL configuration file was not properly formatted or otherwise customized by the system administrator, it could've lead to conflicts with the CSR generation process in PainlessLE. The inline configuration now only consists of the neccessary parts which are relevant for generating the Certificate-Signing-Request. Tested on: - OpenSSL 1.1.1n @ Debian 11 (bullseye) - OpenSSL 1.1.1d @ openSUSE Leap 15.3 --- package/sbin/painless-le | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'package') diff --git a/package/sbin/painless-le b/package/sbin/painless-le index d910db0..d970ef7 100755 --- a/package/sbin/painless-le +++ b/package/sbin/painless-le @@ -64,7 +64,6 @@ DNS_DOMAIN="${@:2}" #=============================================================================== # Define filename variables #=============================================================================== - OPENSSLCONF="/etc/ssl/openssl.cnf" REQUESTFILE="$(mktemp /tmp/painless-le.XXXXXX.csr)" CONFIDENTIAL="${TARGET_DIR%/}/${OPT_CONFIDENTIAL:-confidential.pem}" INTERMEDIATE="${TARGET_DIR%/}/${OPT_INTERMEDIATE:-intermediate.pem}" @@ -76,11 +75,21 @@ CERTIFICATE_FULL="${TARGET_DIR%/}/${OPT_CERTIFICATE_FULL:-certificate_full.pem}" #=============================================================================== trap 'rm ${REQUESTFILE}' EXIT +#=============================================================================== +# Assemble OpenSSL configuration for CSR generation +#=============================================================================== +SUBJECT_ALT_NAME="DNS:$(echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g")" +OPENSSL_CONFIG="[req] +distinguished_name = req_distinguished_name +[req_distinguished_name] +[SAN] +subjectAltName=${SUBJECT_ALT_NAME}" + #=============================================================================== # Create Certificate-Signing-Request #=============================================================================== -openssl req -config <(cat "${OPENSSLCONF}" <(printf "[SAN]\nsubjectAltName=DNS:`echo ${DNS_DOMAIN} | sed "s/ /,DNS:/g"`")) \ - -new -sha256 -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" -reqexts SAN -subj "/" +openssl req -config <(echo "$OPENSSL_CONFIG") -new -sha256 -reqexts SAN \ + -subj "/" -key "${CONFIDENTIAL}" -out "${REQUESTFILE}" #=============================================================================== # Check if Certificate-Signing-Request creation failed -- cgit v1.2.3