From f6188405bc2914583500e4b912397117367248fc Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Thu, 1 Dec 2016 23:09:02 -0500 Subject: [PATCH 1/4] [fix] Fix the way name of self-CA is determined --- locales/en.json | 3 ++- src/yunohost/certificate.py | 27 +++++++++++++++++++-------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/locales/en.json b/locales/en.json index efeb66e69..806def22a 100644 --- a/locales/en.json +++ b/locales/en.json @@ -255,5 +255,6 @@ "certmanager_hit_rate_limit" :"Too many certificates already issued for exact set of domains {domain:s} recently. Please try again later. See https://letsencrypt.org/docs/rate-limits/ for more details.", "certmanager_cert_signing_failed" : "Signing the new certificate failed.", "certmanager_no_cert_file" : "Unable to read certificate file for domain {domain:s} (file : {file:s})", - "certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge : the nginx configuration file {filepath:s} is conflicting and should be removed first." + "certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge : the nginx configuration file {filepath:s} is conflicting and should be removed first.", + "certmanager_unable_to_determine_self_CA_name": "Unable to determine name of self-signing authority." } diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index f8a927e08..db99da733 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -56,6 +56,8 @@ WEBROOT_FOLDER = "/tmp/acme-challenge-public/" SELF_CA_FILE = "/etc/ssl/certs/ca-yunohost_crt.pem" ACCOUNT_KEY_FILE = "/etc/yunohost/letsencrypt_account.pem" +SSL_DIR = '/usr/share/yunohost/yunohost-config/ssl/yunoCA' + KEY_SIZE = 3072 VALIDITY_LIMIT = 15 # days 
@@ -161,11 +163,9 @@ def _certificate_install_selfsigned(domain_list, force=False): new_cert_folder = "%s/%s-history/%s-selfsigned" % ( CERT_FOLDER, domain, date_tag) - original_ca_file = '/etc/ssl/certs/ca-yunohost_crt.pem' - ssl_dir = '/usr/share/yunohost/yunohost-config/ssl/yunoCA' - conf_template = os.path.join(ssl_dir, "openssl.cnf") + conf_template = os.path.join(SSL_DIR, "openssl.cnf") - csr_file = os.path.join(ssl_dir, "certs", "yunohost_csr.pem") + csr_file = os.path.join(SSL_DIR, "certs", "yunohost_csr.pem") conf_file = os.path.join(new_cert_folder, "openssl.cnf") key_file = os.path.join(new_cert_folder, "key.pem") crt_file = os.path.join(new_cert_folder, "crt.pem") @@ -214,7 +214,7 @@ def _certificate_install_selfsigned(domain_list, force=False): # Link the CA cert (not sure it's actually needed in practice though, # since we append it at the end of crt.pem. For instance for Let's # Encrypt certs, we only need the crt.pem and key.pem) - os.symlink(original_ca_file, ca_file) + os.symlink(SELF_CA_FILE, ca_file) # Append ca.pem at the end of crt.pem with open(ca_file, "r") as ca_pem, open(crt_file, "a") as crt_pem: @@ -810,9 +810,20 @@ def _domain_is_accessible_through_HTTP(ip, domain): def _name_self_CA(): - cert = crypto.load_certificate( - crypto.FILETYPE_PEM, open(SELF_CA_FILE).read()) - return cert.get_subject().CN + ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf") + + try : + with open("%s/openssl.ca.cnf" % SSL_DIR) as f: + lines = f.readlines() + + for line in lines: + if (line.startswith("commonName_default")): + return line.split()[2] + except : + pass + + logger.warning(m18n.n('certmanager_unable_to_determine_self_CA_name')) + return "" def _tail(n, file_path): From 4eaefe5145a41453a6109c81972c31d52bbe43d8 Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Fri, 2 Dec 2016 14:19:20 +0100 Subject: [PATCH 2/4] [mod] use unused variable --- src/yunohost/certificate.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
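Review bot: The rewritten `_name_self_CA` takes the name from the `commonName_default` line of the openssl.ca.cnf template rather than from the subject CN of the certificate actually installed at SELF_CA_FILE, so it returns whatever the template's prompt default is, which need not match the CA that really signed the self-signed leaf certificates (a CA regenerated later, or a template edited after generation); if a caller compares this string with a certificate's issuer CN to classify it as self-signed — the callers are outside this hunk — such a mismatch would make that classification silently wrong. A safer shape keeps the certificate as the source of truth and uses the template only as a fallback, e.g. `try: return crypto.load_certificate(crypto.FILETYPE_PEM, open(SELF_CA_FILE).read()).get_subject().CN` with `except (IOError, crypto.Error):` before the config scan (the removed lines show `crypto` was in scope; confirm the import is still present). `line.split()[2]` also assumes `commonName_default = value` with whitespace around `=` and a value without spaces: `commonName_default=foo` raises IndexError and a CN such as `My CA` is truncated to `My`, whereas `line.partition("=")[2].strip()` handles both forms. The bare `except: pass` that currently hides these failures is reworked by a later patch in this series, so I am not raising it here.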
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index db99da733..c8f2598a2 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -813,7 +813,7 @@ def _name_self_CA(): ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf") try : - with open("%s/openssl.ca.cnf" % SSL_DIR) as f: + with open(ca_conf) as f: lines = f.readlines() for line in lines: From 005d624f2fd3bb9133158a2fd1dd2992eb0dd6cc Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Fri, 2 Dec 2016 14:19:28 +0100 Subject: [PATCH 3/4] [mod] pep8 --- src/yunohost/certificate.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index c8f2598a2..74e93314c 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -817,9 +817,9 @@ def _name_self_CA(): lines = f.readlines() for line in lines: - if (line.startswith("commonName_default")): + if line.startswith("commonName_default"): return line.split()[2] - except : + except: pass logger.warning(m18n.n('certmanager_unable_to_determine_self_CA_name')) From 6aa64a071ffd4cf16447ee1ed9f492a5906315ea Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 7 Dec 2016 16:14:01 -0500 Subject: [PATCH 4/4] Improving exception handling --- locales/en.json | 3 ++- src/yunohost/certificate.py | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/locales/en.json b/locales/en.json index 806def22a..7de00f395 100644 --- a/locales/en.json +++ b/locales/en.json 
@@ -256,5 +256,6 @@ "certmanager_cert_signing_failed" : "Signing the new certificate failed.", "certmanager_no_cert_file" : "Unable to read certificate file for domain {domain:s} (file : {file:s})", "certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge : the nginx configuration file {filepath:s} is conflicting and should be removed first.", - "certmanager_unable_to_determine_self_CA_name": "Unable to determine name of self-signing authority." + "certmanager_self_ca_conf_file_not_found" : "Configuration file not found for self-signing CA ({file:s})", + "certmanager_unable_to_parse_self_CA_name": "Unable to parse name of self-signing authority in {file:s}." } diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index 74e93314c..8209160a4 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -812,17 +812,18 @@ def _domain_is_accessible_through_HTTP(ip, domain): def _name_self_CA(): ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf") - try : - with open(ca_conf) as f: - lines = f.readlines() + if not os.path.exists(ca_conf) : + logger.warning(m18n.n('certmanager_self_ca_conf_file_not_found', file=ca_conf)) + return "" - for line in lines: - if line.startswith("commonName_default"): - return line.split()[2] - except: - pass + with open(ca_conf) as f: + lines = f.readlines() - logger.warning(m18n.n('certmanager_unable_to_determine_self_CA_name')) + for line in lines: + if line.startswith("commonName_default"): + return line.split()[2] + + logger.warning(m18n.n('certmanager_unable_to_parse_self_CA_name', file=ca_conf)) return ""
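Review bot: Removing the try/except turns `line.split()[2]` into a live crash path: a `commonName_default=foo` line (no spaces around `=`) or a bare `commonName_default` key now raises IndexError out of `_name_self_CA` instead of reaching the `certmanager_unable_to_parse_self_CA_name` warning, and a value containing spaces is still silently cut to its first word. Replacing the return with `_, sep, value = line.partition("=")` followed by `if sep: return value.strip()` covers both cases, and `line.lstrip().startswith("commonName_default")` would also accept an indented key. The `os.path.exists` check only buys the missing-file warning, so wrapping `open(ca_conf)` in `except IOError:` and emitting that same warning there would also cover a present-but-unreadable file, which today propagates as an uncaught exception to whoever calls this helper.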