Initially generated TLS self-signed certificates are no longer wildcard certificates but single-domain certificates (cn=vhost-name).

This commit is contained in:
Michael Hierweck 2017-06-27 09:35:49 +02:00
parent 4ec40ed6a6
commit 385c02fd53
2 changed files with 7 additions and 19 deletions


@ -272,20 +272,20 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
ifOption(templateVars, query, "htdocsfallback", Boolean.TRUE, Boolean.FALSE); ifOption(templateVars, query, "htdocsfallback", Boolean.TRUE, Boolean.FALSE);
ifOption(templateVars, query, "letsencrypt", Boolean.TRUE, Boolean.FALSE); ifOption(templateVars, query, "letsencrypt", Boolean.TRUE, Boolean.FALSE);
final Processor domSetupProcessor = new CompoundProcessor( final Processor domSetupProcessor = new CompoundProcessor(
new CreateFileProcessor("/de/hsadmin/mods/dom/openssl-sna.vm", templateVars, dom, "/tmp/openssl-sna.cnf", "root", "root", "644", true),
new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-generated && " new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-generated && "
+ "mkdir -p $PEMS_DIR && " + "mkdir -p $PEMS_DIR && "
+ "cd $PEMS_DIR && " + "cd $PEMS_DIR && "
+ "( ls _." + domName + ".crt || ( echo \"\" > _." + domName + ".chain && " + "( ls " + domName + ".crt || ( echo \"\" >" + domName + ".chain && "
+ "openssl req -x509 -newkey rsa:2048 -keyout _." + domName + ".key -out _." + domName + ".crt -days 1100 -nodes -sha256 -config /tmp/openssl-sna.cnf ) ) && " + "openssl req -x509 -newkey rsa:4096 -sha256 -subj '/CN=" + domName + "' -keyout domName + ".key -out " + domName + ".crt -days 1 -nodes) ) &&
+ "chmod 400 _." + domName + "*"), + "chmod 660 " + domName + "*" && "
+ "chown root:acmebot" + domName + "*" ),
new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled && " new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled && "
+ "mkdir -p $PEMS_DIR && " + "mkdir -p $PEMS_DIR && "
+ "cd $PEMS_DIR && " + "cd $PEMS_DIR && "
+ "( ls " + domName + ".crt ||" + "( ls " + domName + ".crt ||"
+ " ( ln -s ../pems-generated/_." + domName + ".key " + domName + ".key" + " ( ln -s ../pems-generated/" + domName + ".key " + domName + ".key"
+ " && ln -s ../pems-generated/_." + domName + ".crt " + domName + ".crt" + " && ln -s ../pems-generated/" + domName + ".crt " + domName + ".crt"
+ " && ln -s ../pems-generated/_." + domName + ".chain " + domName + ".chain ) ) && " + " && ln -s ../pems-generated/" + domName + ".chain " + domName + ".chain ) ) && "
+ "chmod 400 " + domName + "*"), + "chmod 400 " + domName + "*"),
new CreateFileProcessor("/de/hsadmin/mods/dom/apache-vhost.vm", templateVars, dom, "/etc/apache2/sites-available/" + domName + ".tmp", "root", "root", "644", true), new CreateFileProcessor("/de/hsadmin/mods/dom/apache-vhost.vm", templateVars, dom, "/etc/apache2/sites-available/" + domName + ".tmp", "root", "root", "644", true),
new ShellProcessor( new ShellProcessor(
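Review bot: The new `chown` line joins `"chown root:acmebot"` to `domName` with no separating space, so the shell sees e.g. `chown root:acmebotexample.com*` (constructed value) with no file operand, the command fails, and the whole `&&` chain aborts; it should read `+ "chown root:acmebot " + domName + "*"`. As rendered here the new openssl line also shows `-keyout domName + ".key` with the closing quote and `+` missing, and the `chmod 660` line has `&&` outside the string literal — if the commit really contains that it will not compile, so it is worth checking against the raw diff. `chmod 660` makes the private key group-writable for the acmebot group; if that group only needs to read the placeholder key and certificate, `640` is sufficient. The `-subj '/CN=...'` form drops the subjectAltName that the removed openssl-sna.vm supplied, and clients that ignore CN will reject this placeholder certificate — acceptable if it is only a one-day stopgap until ACME issuance, but a short comment stating that intent next to the `-days 1` would help the next reader. The CompoundProcessor construction and the method around it start and end outside this hunk.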


@ -1,12 +0,0 @@
[req]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
commonName = *.${dom.name}
[v3_ca]
basicConstraints = CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.${dom.name},DNS:${dom.name}