From f23e4e0d0cf48153dbc5134cf1bf1bb7189c3005 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 8 Dec 2015 19:50:09 +0100
Subject: Various fixes.

---
 acme-slave  |  8 ++++----
 letsencrypt | 14 ++++++++------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/acme-slave b/acme-slave
index ee39f8d..5ff9834 100755
--- a/acme-slave
+++ b/acme-slave
@@ -79,7 +79,7 @@ sub request($$;$) {
 
 
 # ACME client
-# https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
+# https://tools.ietf.org/html/draft-ietf-acme-acme-01
 sub acme($$) {
     my ($uri, $h) = @_;
 
@@ -119,7 +119,7 @@ if ($COMMAND eq 'new-reg') {
 
     acme($RES{'new-reg'}, {
         resource => 'new-reg',
-        contact => [ map {"mailto:$_"} split(',', @ARGV) ],
+        contact => [ map {"mailto:$_"} @ARGV ],
         agreement => $uri,
     });
     exit;
@@ -168,7 +168,7 @@ my @domains = do {
     open my $fh1, '-|', @req, '-subject' or die "Can't run req(1ssl): $!";
     my $subject = <$fh1>;
     close $fh1;
-    $domains{$1} = 1 if $subject =~ /\Asubject=\/CN=($RE_domain)(?:,.*)?\n\z/o;
+    $domains{$1} = 1 if $subject =~ /\Asubject=.*\/CN=($RE_domain)\n\z/o;
 
     open my $fh2, '-|', @req, '-text', '-reqopt', 'no_header,no_version,no_subject,no_pubkey,no_sigdump'
         or die "Can't run req(1ssl): $!";
@@ -224,7 +224,7 @@ foreach my $domain (@domains) {
 
     for (my $i=0;; $i++) {
         my $status = request('GET' => $challenge->{uri})->{status} // 'pending';
-        die "Invalid challenge for $domain" if $status eq 'invalid';
+        die "Error: Invalid challenge for $domain\n" if $status eq 'invalid';
         last if $status eq 'valid';
         die "Timeout exceeded while waiting for challenge to pass ($domain)\n" if $i >= $TIMEOUT;
         sleep 1;
diff --git a/letsencrypt b/letsencrypt
index 50406f7..5c10ea1 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -16,7 +16,7 @@ declare COMMAND ACCOUNTKEY
 declare -l GENKEY
 declare RUNAS QUIET= DEBUG=
 
-declare SRVCERT= CHAIN= CSR SRVKEY
+declare SRVCRT= CHAIN= CSR SRVKEY
 declare -l HASH=
 declare SUBJECT=/
 declare SAN=
@@ -96,7 +96,7 @@ while [ $# -gt 0 ]; do
         --quiet|-q) QUIET=1;;
         --debug) DEBUG=1;;
 
-        --output=*) SRVCERT="${1#*=}";;
+        --output=*) SRVCRT="${1#*=}";;
         --chain) CHAIN=1;;
         --csr=*) CSR="${1#*=}";;
         --key=*) SRVKEY="${1#*=}";;
@@ -160,7 +160,7 @@ if [ "$COMMAND" = 'revoke-cert' ]; then
         exit 1
     fi
 elif [ "$COMMAND" = 'new-cert' ]; then
-    if [ ! "${SRVCERT:-}" ]; then
+    if [ ! "${SRVCRT:-}" ]; then
         echo "Error: Missing --output" >&2
         exit 1
     fi
@@ -270,10 +270,12 @@ if [ "$COMMAND" = 'new-cert' ]; then
     # TODO
     # Verify: dump and compare public keys
     # Valid cert, signed by the right CA
-
-    # Copy "$x509" to "$SRVCERT", possibly chained
     # https://crt.sh/?q=cse-fresti.cse.chalmers.se&iCAID=7395
-    cp "$x509" "$SRVCERT"
+
+    # if it doesn't exist, create the file with mode 0644 minus the process's umask(2)
+    [ -e "$SRVCRT" ] || touch "$SRVCRT"
+    cat "$x509" >"$SRVCRT"
+    [ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT"
 
     for (( i=0; i<${#NOTIFY[@]}; i++ )); do
         ${NOTIFY[$i]}
-- 
cgit v1.2.3