From 3116fe0c8cd62096e20f586d3b08d1a012d88085 Mon Sep 17 00:00:00 2001
From: typingArtist
Date: Thu, 8 Jun 2017 08:32:34 +0200
Subject: [PATCH] Dictate certdir to sign_domain by command_sign_domains

Now the first parameter is the certificate output directory. This is dictated by command_sign_domains as a single point of authority. Also in sign_domain and command_sign_domains, the variables have been rephrased to idicate that the first domain is only the primary, which is put into the CN field, being part of alldomains. The primary still indicates the configuration file in DOMAINS_D and the output directory.
---
 dehydrated | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/dehydrated b/dehydrated
index 4d3a2bc..a4b3064 100755
--- a/dehydrated
+++ b/dehydrated
@@ -678,8 +678,10 @@ walk_chain() {
 # Create certificate for domain(s)
 sign_domain() {
- domain="${1}"
- altnames="${*}"
+ local certdir="${1}"
+ shift
+ local primary="${1}"
+ local alldomains="${*}"
 timestamp="$(date +%s)"
 echo " + Signing domains..."
@@ -687,8 +689,6 @@ sign_domain() {
 _exiterr "Certificate authority doesn't allow certificate signing"
 fi
- local certdir="${CERTDIR}/${domain}"
-
 # If there is no existing certificate directory => make it
 if [[ ! -e "${certdir}" ]]; then
 echo " + Creating new directory ${certdir} ..."
@@ -729,7 +729,7 @@ sign_domain() {
 # Generate signing request config and the actual signing request
 echo " + Generating signing request..."
 SAN=""
- for altname in ${altnames}; do
+ for altname in ${alldomains}; do
 SAN+="DNS:${altname}, "
 done
 SAN="${SAN%%, }"
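Review bot: The new positional contract of sign_domain (certificate directory first, then the primary name and any alternatives) is not written down anywhere, and the `shift` runs without checking that a second argument exists, so a caller passing only a directory would have `local primary="${1}"` read a parameter that is not there. I would replace the header comment with `# Usage: sign_domain <certdir> <primary> [altname ...]` and add `(( $# >= 2 )) || _exiterr "sign_domain: expected <certdir> <primary> [altname ...]"` directly above `local certdir="${1}"`, reusing the `_exiterr` helper the function already calls a few lines later. The same hunk also leaves `timestamp` as a global while the new variables are `local`; that predates this change but is worth aligning while the block is being touched. The body of sign_domain continues past this hunk.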
@@ -740,12 +740,12 @@ sign_domain() {
 if [ "${OCSP_MUST_STAPLE}" = "yes" ]; then
 printf "\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "${tmp_openssl_cnf}"
 fi
- openssl req -new -sha256 -key "${certdir}/${privkey}" -out "${certdir}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config "${tmp_openssl_cnf}"
+ openssl req -new -sha256 -key "${certdir}/${privkey}" -out "${certdir}/cert-${timestamp}.csr" -subj "/CN=${primary}/" -reqexts SAN -config "${tmp_openssl_cnf}"
 rm -f "${tmp_openssl_cnf}"
 crt_path="${certdir}/cert-${timestamp}.pem"
 # shellcheck disable=SC2086
- sign_csr "$(< "${certdir}/cert-${timestamp}.csr" )" ${altnames} 3>"${crt_path}"
+ sign_csr "$(< "${certdir}/cert-${timestamp}.csr" )" ${alldomains} 3>"${crt_path}"
 # Create fullchain.pem
 echo " + Creating fullchain.pem..."
@@ -798,19 +798,20 @@ command_sign_domains() {
 for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' | (grep -vE '^(#|$)' || true)); do
 reset_configvars
 IFS="${ORIGIFS}"
- domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
+ primary="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
 morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
+ alldomains="${primary} ${morenames}"
- local certdir="${CERTDIR}/${domain}"
+ local certdir="${CERTDIR}/${primary}"
 cert="${certdir}/cert.pem"
 force_renew="${PARAM_FORCE:-no}"
 if [[ -z "${morenames}" ]];then
- echo "Processing ${domain}"
+ echo "Processing ${primary}"
 else
- echo "Processing ${domain} with alternative names: ${morenames}"
+ echo "Processing ${primary} with alternative names: ${morenames}"
 fi
 # read cert config
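Review bot: In the command_sign_domains hunk, `primary` and `alldomains` are assigned as globals while `certdir` two lines below is declared `local`, so the new names outlive both the loop and the function even though sign_domain declares its own `local alldomains` and nothing visible reads the global. I would add `local primary alldomains` after the existing `IFS="${ORIGIFS}"` line, before the first assignment, rather than next to `local certdir` (a later `local` would hide the value already assigned). Separately, `alldomains="${primary} ${morenames}"` carries a trailing space whenever morenames is empty; word-splitting at the sign_domain call and the `_sed 's/^ //'` in the givennames pipeline appear to absorb it, but `alldomains="${primary}${morenames:+ ${morenames}}"` avoids producing it in the first place. command_sign_domains starts before this hunk and continues after it.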
@@ -818,7 +819,7 @@ command_sign_domains() {
 # we could just source the config file but i decided to go this way to protect people from accidentally overriding
 # variables used internally by this script itself.
 if [[ -n "${DOMAINS_D}" ]]; then
- certconfig="${DOMAINS_D}/${domain}"
+ certconfig="${DOMAINS_D}/${primary}"
 else
 certconfig="${certdir}/config"
 fi
@@ -858,7 +859,7 @@ command_sign_domains() {
 printf " + Checking domain name(s) of existing cert..."
 certnames="$(openssl x509 -in "${cert}" -text -noout | grep DNS: | _sed 's/DNS://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//')"
- givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//' | _sed 's/^ //')"
+ givennames="$(echo "${alldomains}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//' | _sed 's/^ //')"
 if [[ "${certnames}" = "${givennames}" ]]; then
 echo " unchanged."
@@ -884,7 +885,7 @@ command_sign_domains() {
 else
 # Certificate-Names unchanged and cert is still valid
 echo "Skipping renew!"
- [[ -n "${HOOK}" ]] && "${HOOK}" "unchanged_cert" "${domain}" "${certdir}/privkey.pem" "${certdir}/cert.pem" "${certdir}/fullchain.pem" "${certdir}/chain.pem"
+ [[ -n "${HOOK}" ]] && "${HOOK}" "unchanged_cert" "${primary}" "${certdir}/privkey.pem" "${certdir}/cert.pem" "${certdir}/fullchain.pem" "${certdir}/chain.pem"
 continue
 fi
 else
@@ -894,10 +895,10 @@ command_sign_domains() {
 # shellcheck disable=SC2086
 if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then
- sign_domain ${line} &
+ sign_domain "${certdir}" ${alldomains} &
 wait $! || true
 else
- sign_domain ${line}
+ sign_domain "${certdir}" ${alldomains}
 fi
 done
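Review bot: The rewritten `givennames` line still feeds the name list through `echo "${alldomains}"`, while the same function extracts `primary` and `morenames` from the identical domains.txt data with `printf '%s\n' "${line}"`; `echo` treats a leading `-n`/`-e` as an option and handles backslashes differently across shells, whereas printf with a fixed format emits the string unchanged. Since this line is being rewritten anyway, I would make it `givennames="$(printf '%s\n' "${alldomains}" | tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//' | _sed 's/^ //')"` so both sites use the same idiom. The comparison against `certnames` relies on both lists being space-joined and sorted, which this preserves. command_sign_domains continues outside this hunk.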