contrib/shell/kedifa_generateauth: Do not push a self-signed cert if curl status is 60

60 means no CA can validate the provided certificate. The self-signed certificate we would generate would be no better. 60 means the frontend could serve some certificate, whatever its content, which means the domain is minimally functional. So do not bother pushing a self-signed certifiate, and do not signal a failure to the caller.

contrib/shell/kedifa_generateauth: Do not push a self-signed cert if curl status is 60
60 means no CA can validate the provided certificate. The self-signed certificate we would generate would be no better. 60 means the frontend could serve some certificate, whatever its content, which means the domain is minimally functional. So do not bother pushing a self-signed certifiate, and do not signal a failure to the caller.
fb4280a7 · Vincent Pelletier · a78c1d11 · fb4280a7
Commit fb4280a7 authored Nov 21, 2024 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 23 deletions

contrib/shell/kedifa_generateauth contrib/shell/kedifa_generateauth +33 -23

No files found.
--- a/contrib/shell/kedifa_generateauth
+++ b/contrib/shell/kedifa_generateauth
@@ -70,28 +70,38 @@ printf 'CA=%q\nCRL=%q\nURL=%q\n' "$cafile" "$crlfile" "${kedifa_url_base}?auth=$
 echo "done."
 if curl --output /dev/null --silent "https://$domain"; then
  :
-elif [ 35 -eq $? ]; then
-  echo -n "Bootstrapping $domain certificate..."
-  tmpdir="$(mktemp --directory --tmpdir "$(basename "$0").XXXXXXXXXX")"
-  # Note: this trap is responsible for the final deletion
-  trap 'rm -r "${tmpdir}"' EXIT
-  openssl req \
-    -outform PEM \
-    -out "${tmpdir}/bootstrap.crt" \
-    -new \
-    -newkey rsa:2048 \
-    -keyout "${tmpdir}/bootstrap.key" \
-    -nodes \
-    -subj "/CN=${domain}" \
-    -x509 \
-    -batch \
-    > /dev/null 2>&1
-  kedifa_update_cert \
-    "$outfile" \
-    "${tmpdir}/bootstrap.key" \
-    "${tmpdir}/bootstrap.crt"
-  echo " done."
 else
-  echo "Unexpected curl status: $?"
-  exit 1
+  status="$?"
+  case "$status" in
+  35)
+    echo -n "Bootstrapping $domain certificate..."
+    tmpdir="$(mktemp --directory --tmpdir "$(basename "$0").XXXXXXXXXX")"
+    # Note: this trap is responsible for the final deletion
+    trap 'rm -r "${tmpdir}"' EXIT
+    openssl req \
+      -outform PEM \
+      -out "${tmpdir}/bootstrap.crt" \
+      -new \
+      -newkey rsa:2048 \
+      -keyout "${tmpdir}/bootstrap.key" \
+      -nodes \
+      -subj "/CN=${domain}" \
+      -x509 \
+      -batch \
+      > /dev/null 2>&1
+    kedifa_update_cert \
+      "$outfile" \
+      "${tmpdir}/bootstrap.key" \
+      "${tmpdir}/bootstrap.crt"
+    echo " done."
+    ;;
+  60)
+    # There is a cert, but it cannot pass CA check. The one we would probably
+    # be no different, so do nothing & succeed.
+    ;;
+  *)
+    echo "Unexpected curl status: $?"
+    exit 1
+    ;;
+  esac
 fi