freebsd and old openssl compatible

Никита Миропольский
Commit 3567b93f authored Nov 17, 2016 by Никита Миропольский
Showing 1 changed file with 30 additions and 12 deletions
acme_init
--- a/acme_init
+++ b/acme_init
@@ -32,12 +32,6 @@ function readconfig {
  fi
 }
-OPENSSL=$(/usr/bin/env which openssl)
-if [[ ! -x $OPENSSL ]] ; then
-  echo Cannot find openssl
-  exit 1
-fi
 # теперь считываем конфиг
 readconfig acme_dir
 ACMEDIR=$readconfig_return_value
@@ -53,8 +47,28 @@ then
 	exit 0
 fi
+# создаём путь
 mkdir -p $ACMEDIR/challenges
+# находим openssl
+OPENSSL=$(/usr/bin/env which openssl)
+if [[ ! -x $OPENSSL ]] ; then
+  echo Cannot find openssl
+  exit 1
+fi
+# вычисляем версию
+OPENSSL_VERSION=$(${OPENSSL} version)
+# для старых версий выбираем sha1
+if [[ "OPENSSL_VERSION" < "OpenSSL 0.9.8" ]] ; then
+        OPT_DIGEST="-sha1"
+else
+        OPT_DIGEST="-sha256"
+fi
+echo "Using ${OPT_DIGEST} digest."
 # создаём необходимые сертификаты
 $OPENSSL genrsa 4096 > $ACMEDIR/account.key
 $OPENSSL genrsa 4096 > $ACMEDIR/site.key
@@ -72,21 +86,25 @@ if [[ -z "$ALT_DOMAINS" ]]
 then
  $OPENSSL req \
    -new \
-    -sha256 \
+    $OPT_DIGEST \
    -key $ACMEDIR/site.key \
    -subj "/CN=$PRIMARY_DOMAIN"
 else
+  cat /etc/ssl/openssl.cnf > $ACMEDIR/openssl.cnf
+  echo "[SAN]" >> $ACMEDIR/openssl.cnf
+  echo $ALT_DOMAINS | sed \
+       -e 's/[[:space:], ]\{1,\}/,DNS:/g' \
+       -e 's/^/subjectAltName=DNS:/' \
+     >> $ACMEDIR/openssl.cnf
  $OPENSSL req \
    -new \
-    -sha256 \
+    $OPT_DIGEST \
    -key $ACMEDIR/site.key \
    -subj "/CN=$PRIMARY_DOMAIN" \
    -reqexts SAN \
-    -config \
+    -config $ACMEDIR/openssl.cnf
-       <(cat /etc/ssl/openssl.cnf \
-       <(sed -e 's/[[:space:],]\+/,DNS:/g' -e 's/^/[SAN]\nsubjectAltName=DNS:/' \
-       <(echo "$ALT_DOMAINS")))
 fi \
 > $ACMEDIR/site.csr
+# пишем в лог
 echo "`date` initialized" > $ACMEDIR/log.txt