выбор openssl из конфига

acme-client

@@ -11,6 +11,7 @@ try:
     config = ConfigParser()
     config.read(['/etc/acme.conf'])
     DEFAULT_CA = config.get("general", "server_url")
+    OPENSSL_BIN = config.get("general", "openssl_bin")
     print('server_url =', DEFAULT_CA)
 except:
     print('Cannot read server_url from section [general] in /etc/acme.conf')
@@ -27,7 +28,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA):
 
     # parse account key to get public key
     log.info("Parsing account key...")
-    proc = subprocess.Popen(["openssl", "rsa", "-in", account_key, "-noout", "-text"],
+    proc = subprocess.Popen([OPENSSL_BIN, "rsa", "-in", account_key, "-noout", "-text"],
         stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     out, err = proc.communicate()
     if proc.returncode != 0:
@@ -54,7 +55,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA):
         protected = copy.deepcopy(header)
         protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
         protected64 = _b64(json.dumps(protected).encode('utf8'))
-        proc = subprocess.Popen(["openssl", "dgst", "-sha256", "-sign", account_key],
+        proc = subprocess.Popen([OPENSSL_BIN, "dgst", "-sha256", "-sign", account_key],
             stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         out, err = proc.communicate("{0}.{1}".format(protected64, payload64).encode('utf8'))
         if proc.returncode != 0:
@@ -71,7 +72,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA):
 
     # find domains
     log.info("Parsing CSR...")
-    proc = subprocess.Popen(["openssl", "req", "-in", csr, "-noout", "-text"],
+    proc = subprocess.Popen([OPENSSL_BIN, "req", "-in", csr, "-noout", "-text"],
         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     out, err = proc.communicate()
     if proc.returncode != 0:
@@ -158,7 +159,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA):
 
     # get the new certificate
     log.info("Signing certificate...")
-    proc = subprocess.Popen(["openssl", "req", "-in", csr, "-outform", "DER"],
+    proc = subprocess.Popen([OPENSSL_BIN, "req", "-in", csr, "-outform", "DER"],
         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     csr_der, err = proc.communicate()
     code, result = _send_signed_request(CA + "/acme/new-cert", {

acme-init

@@ -39,6 +39,8 @@ readconfig primary_domain
 PRIMARY_DOMAIN=$readconfig_return_value
 readconfig alt_domains
 ALT_DOMAINS=$readconfig_return_value
+readconfig openssl_bin
+OPENSSL=$readconfig_return_value
 
 # если файл уже есть, ничего не делаем
 if [[ -f "$ACMEDIR/site.csr" ]]
@@ -51,7 +53,6 @@ fi
 mkdir -p $ACMEDIR/challenges
 
 # находим openssl
-OPENSSL=$(/usr/bin/env which openssl)
 if [[ ! -x $OPENSSL ]] ; then
   echo Cannot find openssl
   exit 1

acme-refresh

@@ -37,6 +37,9 @@ function readconfig {
 readconfig acme_dir
 ACMEDIR=$readconfig_return_value
 
+readconfig openssl_bin
+OPENSSL=$readconfig_return_value
+
 # выводим дату (для лога)
 date
 
@@ -68,7 +71,7 @@ function get_issuer_cer {
   SAVE_FILENAME_CRT=$3
 
   # находим нужное поле в сертификате
-  ISSUER_URL=$(/usr/bin/openssl x509 -in $FROM_CERT -noout -text \
+  ISSUER_URL=$($OPENSSL x509 -in $FROM_CERT -noout -text \
         | grep "^ *Authority Information Access: $" -A 5 \
         | grep "^ *CA Issuers - URI:http://" | cut -d ":" -f 2-)
   echo downloading $ISSUER_URL
@@ -79,7 +82,7 @@ function get_issuer_cer {
     echo converting x509/der
 
     # пробуем прочесть через x509
-    set +e && /usr/bin/openssl x509 -inform der -in $SAVE_FILENAME_BIN -out $SAVE_FILENAME_CRT
+    set +e && $OPENSSL x509 -inform der -in $SAVE_FILENAME_BIN -out $SAVE_FILENAME_CRT
     ERRCODE=$?
     set -e
 

acme.conf

@@ -17,3 +17,6 @@ alt_domains=test.ashmanov.com
 
 # папка для хранения сертификатов
 acme_dir=/var/cache/acme
+
+# openssl
+openssl_bin=/usr/bin/openssl