From d1a862d9cb98a54e12c9fdbc405b896f3f0efcfe Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 24 Feb 2021 13:25:38 +0100
Subject: lacme: Ignore empty values in 'chown'/'chmod'/'certificate'/'certificate-chain'.
---
 Changelog | 2 ++
 lacme | 30 +++++++++++++++---------------
 2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/Changelog b/Changelog
index ee90be3..1682847 100644
--- a/Changelog
+++ b/Changelog
@@ -11,6 +11,8 @@ lacme (0.8.1) upstream;
 error instead of retaining root priviliges.
 - tests/cert-install: include tests for failing chown(2) due to unknown
 user/group name.
+ - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate'
+ and 'certificate-chain'.
 -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100
diff --git a/lacme b/lacme
index a1e6b10..66dd6f6 100755
--- a/lacme
+++ b/lacme
@@ -766,15 +766,15 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
 print STDERR " $_ = $conf->{$_}\n" foreach grep { defined $conf->{$_} } (sort keys %$conf);
 }
- my $cert = $conf->{'certificate-chain'} // $conf->{'certificate'};
- unless (defined $cert) {
+ my @certs = grep {defined $_ and $_ ne ""} @$conf{qw/certificate-chain certificate/};
+ unless (@certs) {
 print STDERR "[$s] Warning: Missing 'certificate' and 'certificate-chain', skipping\n";
 $rv = 1;
 next;
 }
 # skip certificates that expire at least $conf->{'min-days'} days in the future
- if (-f $cert and defined (my $t = x509_enddate($cert))) {
+ if (-f $certs[0] and defined (my $t = x509_enddate($certs[0]))) {
 my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 21;
 if ($d >= 0 and $t - time > $d*86400) {
 my $d = POSIX::strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($t));
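Review bot: The order of `@certs` now carries meaning that nothing in the code states: `$certs[0]` (the certificate-chain path when it is set and non-empty, otherwise certificate) is the only file whose end date decides whether the order is skipped, while the chown/chmod loops later in this commit walk the whole list. When both settings are configured, a missing or stale second file is presumably not noticed as long as the first one is still valid for min-days. I would add a comment above the `grep`, such as `# order matters: $certs[0] (chain preferred) decides renewal; every entry is chown/chmod'ed after install`. The enclosing `elsif` branch starts and ends outside this hunk.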
@@ -838,26 +838,26 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
 }
 # install certificate
- if (defined $conf->{'certificate'}) {
- print STDERR "Installing X.509 certificate $conf->{'certificate'}\n";
- install_cert($conf->{'certificate'}, $x509, 1);
+ if ((my $path = $conf->{'certificate'} // "") ne "") {
+ print STDERR "Installing X.509 certificate $path\n";
+ install_cert($path, $x509, 1);
 }
- if (defined $conf->{'certificate-chain'}) {
- print STDERR "Installing X.509 certificate chain $conf->{'certificate-chain'}\n";
- install_cert($conf->{'certificate-chain'}, $x509);
+ if ((my $path = $conf->{'certificate-chain'} // "") ne "") {
+ print STDERR "Installing X.509 certificate chain $path\n";
+ install_cert($path, $x509);
 }
- if (defined $conf->{chown}) {
- my ($user, $group) = split /:/, $conf->{chown}, 2;
+ if ((my $own = $conf->{chown} // "") ne "") {
+ my ($user, $group) = split /:/, $own, 2;
 my $uid = getpwnam($user) // die "getpwnam($user)", ($! ? ": $!" : "\n");
 my $gid = getgrnam($group) // die "getgrnam($group)", ($! ? ": $!" : "\n") if defined $group;
- foreach (grep defined, @$conf{qw/certificate certificate-chain/}) {
+ foreach (@certs) {
 chown($uid, $gid // -1, $_) or die "chown: $!";
 }
 }
- if (defined $conf->{chmod}) {
- my $mode = oct($conf->{chmod}) // die;
- foreach (grep defined, @$conf{qw/certificate certificate-chain/}) {
+ if ((my $mode = $conf->{chmod} // "") ne "") {
+ my $mode = oct($mode) // die;
+ foreach (@certs) {
 chmod($mode, $_) or die "chown: $!";
 }
 }
-- cgit v1.2.3
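Review bot: The `// die` after `oct($mode)` in the chmod branch can never fire, because oct() returns 0 rather than undef for a string with no octal digits, so a malformed 'chmod' value ends up as mode 0000 on the installed files instead of an error. Validating the raw string first, along the lines of `$mode =~ /\A[0-7]{3,4}\z/ or die "Invalid 'chmod' value: $mode\n";`, keeps a typo from silently changing the permissions of the certificate files. The inner `my $mode` also shadows the one declared in the `if` condition, and a distinct name for the raw string would read more clearly. The unchanged `chmod($mode, $_) or die "chown: $!"` line names the wrong syscall in its message. The enclosing `elsif` branch starts and ends outside this hunk.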