[pki] pki-realm specify input format to convert DER to PEM
When the input format has been determined to be other than PEM, -in by itself fails to read the DER format file. -inform DER enables openssl to read the DER file and output a PEM format file as intermediate.pem.tmp (then immediately renamed to intermediate.pem).

Resolves issue where Let's Encrypt ACME certificates were issued and retrieved, but stored in DER format as intermediate.pem.tmp, and where conversion to PEM failed, leaving the /etc/pki/realm/example.org/acme directory containing:

account_key.pem
cert.pem  ← good cert
error.log  ← no errors
intermediate.pem.tmp  ← DER format file
openssl.conf
request.pem

and thus no usable ACME cert chain was prepared and pki was configured with private key and certificate instead. With this patch, the ACME certificate chain is complete and pki uses it.

(cherry picked from commit a952be5)
bits authored and drybjed committed Apr 19, 2023
1 parent 5a06243 commit d433c09
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion ansible/roles/pki/files/usr/local/lib/pki/pki-realm
Expand Up @@ -1072,7 +1072,7 @@ convert_der_to_pem () {

if [ -n "${input_file}" ] && [ -r "${input_file}" ] ; then
if ! openssl x509 -inform PEM -in "${input_file}" -noout 2>/dev/null ; then
openssl x509 -in "${input_file}" -outform PEM -out "${input_file}.tmp"
openssl x509 -inform DER -in "${input_file}" -outform PEM -out "${input_file}.tmp"
mv "${input_file}.tmp" "${input_file}"
fi
fi
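
Review bot: The `mv` that follows the new `openssl x509 -inform DER` call is not conditioned on the conversion succeeding, so an input that is neither valid PEM nor valid DER (for example an empty or truncated file) still reaches the rename step. Suggest chaining the two, e.g. `openssl x509 -inform DER -in "${input_file}" -outform PEM -out "${input_file}.tmp" && mv "${input_file}.tmp" "${input_file}"`, and on failure removing the `.tmp` file and writing a log entry. That way a bad input cannot replace the original file, and a failed conversion does not silently leave a stray `intermediate.pem.tmp` next to an empty error.log, which is the state the commit message describes.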