From d5d38b3331d2c4018ff4d5662e8a6f62d1055f9a Mon Sep 17 00:00:00 2001
From: neil <win10@neilpang.com>
Date: Mon, 17 Aug 2020 22:06:02 +0800
Subject: [PATCH] support multiple intermediate CA matching for
 `--preferred-chain`

---
 acme.sh | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/acme.sh b/acme.sh
index bc64f377..e7f6a5d9 100755
--- a/acme.sh
+++ b/acme.sh
@@ -3990,17 +3990,22 @@ _check_dns_entries() {
 }
 
 #file
-_get_cert_issuer() {
+_get_cert_issuers() {
   _cfile="$1"
-  echo $(openssl x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2)
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7"; then
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  else
+    ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  fi
 }
 
 #cert  issuer
 _match_issuer() {
   _cfile="$1"
   _missuer="$2"
-  _fissuer=$(_get_cert_issuer $_cfile)
-  [ "$_missuer" = "$_fissuer" ]
+  _fissuers="$(_get_cert_issuers $_cfile)"
+  _debug2 _fissuers "$_fissuers"
+  _contains "$_fissuers" "$_missuer"
 }
 
 #webroot, domain domainlist  keylength
@@ -4773,10 +4778,8 @@ $_authorizations_map"
     echo "$response" >"$CERT_PATH"
     _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
 
-    if [ "$_preferred_chain" ]; then
-      _cert_issuer=$(_get_cert_issuer "$CA_CERT_PATH")
-      _debug _cert_issuer "$_cert_issuer"
-      if ! _match_issuer "$CA_CERT_PATH" "$_preferred_chain"; then
+    if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+      if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
         rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
         _debug2 "rels" "$rels"
         for rel in $rels; do
@@ -4791,7 +4794,7 @@ $_authorizations_map"
           _relca="$CA_CERT_PATH.alt"
           echo "$response" >"$_relcert"
           _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
-          if _match_issuer "$_relca" "$_preferred_chain"; then
+          if _match_issuer "$_relfullchain" "$_preferred_chain"; then
             _info "Matched issuer in: $rel"
             cat $_relcert >"$CERT_PATH"
             cat $_relfullchain >"$CERT_FULLCHAIN_PATH"