From 3ed347caf54e34b8b13883723f52d0e1948f06f6 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Thu, 21 Nov 2024 15:43:26 +0100
Subject: [PATCH] turn off the automated checking of cert vs ca cert - mostly for using dsissl certificates
---
 plc.d/ssl | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/plc.d/ssl b/plc.d/ssl
index 4e35e41..7d5bd37 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -81,14 +81,23 @@ function verify_or_generate_certificate() {
 cp -a $crt $ca
 fi
- if [ -f $crt ] ; then
- # Backup (i.e. move under other name) if invalid or if cname is not in that cert
- cert_is_valid_and_about $crt $ca $cname || {
- backup_file $crt
- backup_file $ca
- backup_file $key
- }
- fi
+ # 2024 nov 21
+ # turning this off as it is most of the time an impediment rather than a help
+ # particularly in the context of using /etc/dsissl/
+ # so the new behaviour is still to create a self-signed certificate
+ # if that's missing altogether, but otherwise let people manage their certs as they see fit
+ # in addition, the criteria that we used to use for checking the config
+ # i.e. openssl verify -CAfile $ca $crt
+ # doe not work with the certificates generated by the dsissl script
+ # although the resulting setup is perfectly valid, as far as chrome and safari at least
+ # if [ -f $crt ] ; then
+ # # Backup (i.e. move under other name) if invalid or if cname is not in that cert
+ # cert_is_valid_and_about $crt $ca $cname || {
+ # backup_file $crt
+ # backup_file $ca
+ # backup_file $key
+ # }
+ # fi
 if [ ! -f $crt ] ; then
 # Set subject
--
2.47.0
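Review bot: With the block commented out, an existing `$crt` is accepted with no check at all. Per the removed comment the helper also caught a certificate that does not cover `$cname`, not only the `openssl verify -CAfile $ca $crt` chain test that fails for dsissl, so an expired or wrong-host certificate now goes unnoticed until clients fail. Consider keeping a non-destructive check that warns instead of moving files away, for example `openssl x509 -in "$crt" -noout -checkend 0 || echo "warning: $crt has expired" >&2`, and likewise for the name match if `cert_is_valid_and_about` (defined outside this hunk) can be split from the chain test. The eight commented-out lines are better deleted than kept, since the history already holds them; the rationale comment can stay, with `doe not work` corrected to `does not work`. `verify_or_generate_certificate` starts and ends outside the hunk.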