From 385c02fd531e0b16da2cd7f9b6c61966f5329837 Mon Sep 17 00:00:00 2001
From: Michael Hierweck
Date: Tue, 27 Jun 2017 09:35:49 +0200
Subject: [PATCH] Initially generated TLS self-signed certificates are not wildcard certificates any more but single domain certificats (cn=vhost-name).

---
 .../hsadmin/mods/dom/DomainProcessorFactory.java | 14 +++++++-------
 hsarback/src/de/hsadmin/mods/dom/openssl-sna.vm | 12 ------------
 2 files changed, 7 insertions(+), 19 deletions(-)
 delete mode 100644 hsarback/src/de/hsadmin/mods/dom/openssl-sna.vm

diff --git a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
index 0474f1e..2ff02d0 100644
--- a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
+++ b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
@@ -272,20 +272,20 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
 ifOption(templateVars, query, "htdocsfallback", Boolean.TRUE, Boolean.FALSE);
 ifOption(templateVars, query, "letsencrypt", Boolean.TRUE, Boolean.FALSE);
 final Processor domSetupProcessor = new CompoundProcessor(
- new CreateFileProcessor("/de/hsadmin/mods/dom/openssl-sna.vm", templateVars, dom, "/tmp/openssl-sna.cnf", "root", "root", "644", true),
 new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-generated && "
 + "mkdir -p $PEMS_DIR && "
 + "cd $PEMS_DIR && "
- + "( ls _." + domName + ".crt || ( echo \"\" > _." + domName + ".chain && "
- + "openssl req -x509 -newkey rsa:2048 -keyout _." + domName + ".key -out _." + domName + ".crt -days 1100 -nodes -sha256 -config /tmp/openssl-sna.cnf ) ) && "
- + "chmod 400 _." + domName + "*"),
+ + "( ls " + domName + ".crt || ( echo \"\" >" + domName + ".chain && "
+ + "openssl req -x509 -newkey rsa:4096 -sha256 -subj '/CN=" + domName + "' -keyout domName + ".key -out " + domName + ".crt -days 1 -nodes) ) && 
+ + "chmod 660 " + domName + "*" && "
+ + "chown root:acmebot" + domName + "*" ),
 new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled && "
 + "mkdir -p $PEMS_DIR && "
 + "cd $PEMS_DIR && "
 + "( ls " + domName + ".crt ||"
- + " ( ln -s ../pems-generated/_." + domName + ".key " + domName + ".key"
- + " && ln -s ../pems-generated/_." + domName + ".crt " + domName + ".crt"
- + " && ln -s ../pems-generated/_." + domName + ".chain " + domName + ".chain ) ) && "
+ + " ( ln -s ../pems-generated/" + domName + ".key " + domName + ".key"
+ + " && ln -s ../pems-generated/" + domName + ".crt " + domName + ".crt"
+ + " && ln -s ../pems-generated/" + domName + ".chain " + domName + ".chain ) ) && "
 + "chmod 400 " + domName + "*"),
 new CreateFileProcessor("/de/hsadmin/mods/dom/apache-vhost.vm", templateVars, dom, "/etc/apache2/sites-available/" + domName + ".tmp", "root", "root", "644", true),
 new ShellProcessor(
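Review bot: The new pems-generated ShellProcessor string does not compile: `-keyout domName + ".key` lacks the `" + ` before `domName`, the openssl line stops at `-nodes) ) && ` with no closing quote, and in `"*" && "` the `&&` sits outside the string literal. The chown line also has no separator, so it would run `chown root:acmebot<domName>*`; it should read `+ "chown root:acmebot " + domName + "*"),`. Relaxing the key file from 400 to 660 makes the private key group-writable for acmebot (640 is enough if it only reads it), and the unchanged `chmod 400 " + domName + "*"` in the pems-enabled block follows the symlinks and resets those same files to 400 on every run, so the relaxation probably never sticks. With openssl-sna.vm removed the placeholder certificate carries only a CN and no subjectAltName, which current TLS clients reject for hostname matching; if the placeholder is meant to be served, restore a SAN through a small config file (or `-addext` where the installed OpenSSL supports it). The enclosing method starts and ends outside the hunk.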
diff --git a/hsarback/src/de/hsadmin/mods/dom/openssl-sna.vm b/hsarback/src/de/hsadmin/mods/dom/openssl-sna.vm
deleted file mode 100644
index b5cd207..0000000
--- a/hsarback/src/de/hsadmin/mods/dom/openssl-sna.vm
+++ /dev/null
@@ -1,12 +0,0 @@
-[req]
-prompt = no
-distinguished_name = req_dn
-x509_extensions = v3_ca
-
-[req_dn]
-commonName = *.${dom.name}
-
-[v3_ca]
-basicConstraints = CA:FALSE
-extendedKeyUsage=serverAuth
-subjectAltName=DNS:*.${dom.name},DNS:${dom.name}