5 years ago · d5d38b3331
--- a/acme.sh
+++ b/acme.sh
@@ -3990,17 +3990,22 @@ _check_dns_entries() {
 
				 }
			
 
				 
			
 
				 #file
			
 
				-_get_cert_issuer() {
			
 
				+_get_cert_issuers() {
			
 
				   _cfile="$1"
			
 
				-  echo $(openssl x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2)
			
 
				+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7"; then
			
 
				+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
			
 
				+  else
			
 
				+    ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
			
 
				+  fi
			
 
				 }
			
 
				 
			
 
				 #cert  issuer
			
 
				 _match_issuer() {
			
 
				   _cfile="$1"
			
 
				   _missuer="$2"
			
 
				-  _fissuer=$(_get_cert_issuer $_cfile)
			
 
				-  [ "$_missuer" = "$_fissuer" ]
			
 
				+  _fissuers="$(_get_cert_issuers $_cfile)"
			
 
				+  _debug2 _fissuers "$_fissuers"
			
 
				+  _contains "$_fissuers" "$_missuer"
			
 
				 }
			
 
				 
			
 
				 #webroot, domain domainlist  keylength
			
@@ -4773,10 +4778,8 @@ $_authorizations_map"
 
				     echo "$response" >"$CERT_PATH"
			
 
				     _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
			
 
				 
			
 
				-    if [ "$_preferred_chain" ]; then
			
 
				-      _cert_issuer=$(_get_cert_issuer "$CA_CERT_PATH")
			
 
				-      _debug _cert_issuer "$_cert_issuer"
			
 
				-      if ! _match_issuer "$CA_CERT_PATH" "$_preferred_chain"; then
			
 
				+    if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
			
 
				+      if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
			
 
				         rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
			
 
				         _debug2 "rels" "$rels"
			
 
				         for rel in $rels; do
			
@@ -4791,7 +4794,7 @@ $_authorizations_map"
 
				           _relca="$CA_CERT_PATH.alt"
			
 
				           echo "$response" >"$_relcert"
			
 
				           _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
			
 
				-          if _match_issuer "$_relca" "$_preferred_chain"; then
			
 
				+          if _match_issuer "$_relfullchain" "$_preferred_chain"; then
			
 
				             _info "Matched issuer in: $rel"
			
 
				             cat $_relcert >"$CERT_PATH"
			
 
				             cat $_relfullchain >"$CERT_FULLCHAIN_PATH"