turn off the automated checking of cert vs ca cert - mostly for using dsissl certificates

diff --git a/plc.d/ssl b/plc.d/ssl
index 4e35e41..7d5bd37 100755 (executable)
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -81,14 +81,23 @@ function verify_or_generate_certificate() {
                cp -a $crt $ca
     fi
 
-    if [ -f $crt ] ; then
-               # Backup (i.e. move under other name) if invalid or if cname is not in that cert
-               cert_is_valid_and_about $crt $ca $cname || {
-                       backup_file $crt
-                       backup_file $ca
-                       backup_file $key
-               }
-    fi
+       # 2024 nov 21
+       # turning this off as it is most of the time an impediment rather than a help
+       # particularly in the context of using /etc/dsissl/
+       # so the new behaviour is still to create a self-signed certificate
+       # if that's missing altogether, but otherwise let people manage their certs as they see fit
+       # in addition, the criteria that we used to use for checking the config
+       # i.e. openssl verify -CAfile $ca $crt
+       # doe not work with the certificates generated by the dsissl script
+       # although the resulting setup is perfectly valid, as far as chrome and safari at least
+    # if [ -f $crt ] ; then
+       #       # Backup (i.e. move under other name) if invalid or if cname is not in that cert
+       #       cert_is_valid_and_about $crt $ca $cname || {
+       #               backup_file $crt
+       #               backup_file $ca
+       #               backup_file $key
+       #       }
+    # fi
 
     if [ ! -f $crt ] ; then
         # Set subject