[fix] Fix the way name of self-CA is determined

2024-09-03 20:06:10 +02:00 · 2016-12-01 23:09:02 -05:00 · 2016-12-01 23:09:02 -05:00 · f6188405bc
commit f6188405bc
parent 777c4833fd
2 changed files with 21 additions and 9 deletions
--- a/locales/en.json
+++ b/locales/en.json
@ -255,5 +255,6 @@
    "certmanager_hit_rate_limit" :"Too many certificates already issued for exact set of domains {domain:s} recently. Please try again later. See https://letsencrypt.org/docs/rate-limits/ for more details.",
    "certmanager_cert_signing_failed" : "Signing the new certificate failed.",
    "certmanager_no_cert_file" : "Unable to read certificate file for domain {domain:s} (file : {file:s})",
-    "certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge : the nginx configuration file {filepath:s} is conflicting and should be removed first."
+    "certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge : the nginx configuration file {filepath:s} is conflicting and should be removed first.",
+    "certmanager_unable_to_determine_self_CA_name": "Unable to determine name of self-signing authority."
 }
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@ -56,6 +56,8 @@ WEBROOT_FOLDER = "/tmp/acme-challenge-public/"
 SELF_CA_FILE = "/etc/ssl/certs/ca-yunohost_crt.pem"
 ACCOUNT_KEY_FILE = "/etc/yunohost/letsencrypt_account.pem"

+SSL_DIR = '/usr/share/yunohost/yunohost-config/ssl/yunoCA'
+
 KEY_SIZE = 3072

 VALIDITY_LIMIT = 15  # days
@ -161,11 +163,9 @@ def _certificate_install_selfsigned(domain_list, force=False):
        new_cert_folder = "%s/%s-history/%s-selfsigned" % (
            CERT_FOLDER, domain, date_tag)

-        original_ca_file = '/etc/ssl/certs/ca-yunohost_crt.pem'
-        ssl_dir = '/usr/share/yunohost/yunohost-config/ssl/yunoCA'
-        conf_template = os.path.join(ssl_dir, "openssl.cnf")
+        conf_template = os.path.join(SSL_DIR, "openssl.cnf")

-        csr_file = os.path.join(ssl_dir, "certs", "yunohost_csr.pem")
+        csr_file = os.path.join(SSL_DIR, "certs", "yunohost_csr.pem")
        conf_file = os.path.join(new_cert_folder, "openssl.cnf")
        key_file = os.path.join(new_cert_folder, "key.pem")
        crt_file = os.path.join(new_cert_folder, "crt.pem")
@ -214,7 +214,7 @@ def _certificate_install_selfsigned(domain_list, force=False):
        # Link the CA cert (not sure it's actually needed in practice though,
        # since we append it at the end of crt.pem. For instance for Let's
        # Encrypt certs, we only need the crt.pem and key.pem)
-        os.symlink(original_ca_file, ca_file)
+        os.symlink(SELF_CA_FILE, ca_file)

        # Append ca.pem at the end of crt.pem
        with open(ca_file, "r") as ca_pem, open(crt_file, "a") as crt_pem:
@ -810,9 +810,20 @@ def _domain_is_accessible_through_HTTP(ip, domain):


 def _name_self_CA():
-    cert = crypto.load_certificate(
-        crypto.FILETYPE_PEM, open(SELF_CA_FILE).read())
-    return cert.get_subject().CN
+    ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf")
+
+    try :
+        with open("%s/openssl.ca.cnf" % SSL_DIR) as f:
+            lines = f.readlines()
+
+        for line in lines:
+            if (line.startswith("commonName_default")):
+                return line.split()[2]
+    except :
+        pass
+
+    logger.warning(m18n.n('certmanager_unable_to_determine_self_CA_name'))
+    return ""


 def _tail(n, file_path):