From 2dd9e9acd41cd68ef5ab637b369b3dce3738211e Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 16 Mar 2021 12:02:03 +0000 Subject: [PATCH 1/2] Tweak full chain heading --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cb226e3..def44c5 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ for automating the process on remote servers. - [Revoke a certificate](#revoke-a-certificate) - [Elliptic curve keys](#elliptic-curve-keys) - [Preferred Chain](#preferred-chain) -- [Full chain](#full-chain) +- [Include Root certificate in full chain](#include-root-certificate-in-full-chain) - [Issues / problems / help](#issues--problems--help) ## Features @@ -395,7 +395,7 @@ any characters which special characters, e.g. * Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1" * Production options are: "ISRG Root X1" and "ISRG Root X2" -## Full chain +## Include Root certificate in full chain Some servers, including those that use Java keystores, will not accept a server certificate if it cannot valid the full chain of signers. From 073b33c7f617ded56e3533a9e4b240825c1d0e4b Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Tue, 16 Mar 2021 12:03:14 +0000 Subject: [PATCH 2/2] Add more info to message for "Certificate on remote domain does not match" --- getssl | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/getssl b/getssl index 1f1ca7c..cebd7f7 100755 --- a/getssl +++ b/getssl 
@@ -2401,14 +2401,14 @@ write_domain_template() { # write out a template file for a domain. # Set USE_SINGLE_ACL="true" to use a single ACL for all checks #USE_SINGLE_ACL="false" - # Preferred Chain - use an different certificate root from the default - # This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters - # Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1" - # Production options are: "ISRG Root X1" and "ISRG Root X2" - #PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1" + # Preferred Chain - use an different certificate root from the default + # This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters + # Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1" + # Production options are: "ISRG Root X1" and "ISRG Root X2" + #PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1" - # Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism) - #FULL_CHAIN_INCLUDE_ROOT="true" + # Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism) + #FULL_CHAIN_INCLUDE_ROOT="true" # Location for all your certs, these can either be on the server (full path name) # or using ssh /sftp as for the ACL 
@@ -2464,14 +2464,14 @@ write_getssl_template() { # write out the main template file PRIVATE_KEY_ALG="rsa" #REUSE_PRIVATE_KEY="true" - # Preferred Chain - use an different certificate root from the default - # This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters - # Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1" - # Production options are: "ISRG Root X1" and "ISRG Root X2" - #PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1" + # Preferred Chain - use an different certificate root from the default + # This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters + # Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1" + # Production options are: "ISRG Root X1" and "ISRG Root X2" + #PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1" - # Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism) - #FULL_CHAIN_INCLUDE_ROOT="true" + # Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism) + #FULL_CHAIN_INCLUDE_ROOT="true" # The command needed to reload apache / nginx or whatever you use. # Several (ssh) commands may be given using a bash array: @@ -2857,7 +2857,7 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then else # check if the certificate is for the right domain EX_CERT_DOMAIN=$(echo "$EX_CERT" | openssl x509 -text \ - | sed -n -e 's/^ *Subject: .* CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \ + | sed -n -e 's/^ *Subject: .*CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \ | sort -u | grep "^$DOMAIN\$") if [[ "$EX_CERT_DOMAIN" == "$DOMAIN" ]]; then # check renew-date on ex_cert and compare to local ( if local exists) 
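Review bot: The tightened pattern on the new sed line of the -2857 hunk (`.*CN=`) still requires `CN=` with no surrounding spaces, so on OpenSSL builds that print the subject as `CN = name` the CN is never extracted and the match depends entirely on the `DNS:` lines; `s/^ *Subject: .*CN *= *\([A-Za-z0-9.-]*\).*$/\1/p` would accept both spellings. The character class also drops a wildcard CN (`*.example.com`), so a wildcard certificate can only match through its SAN entries — if that is intended, a comment saying so would help the next reader. The same regex is copied into the hunk at -2901; keeping it in one place (a small helper, or computing the name list once before the `grep`) avoids the two copies drifting apart. The enclosing `if` block begins and ends outside the hunk.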
@@ -2901,7 +2901,11 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
 reload_service
 fi
 else
- info "${DOMAIN}: Certificate on remote domain does not match, ignoring remote certificate"
+ # Get the domain from the existing certificate for the error message
+ EX_CERT_DOMAIN=$(echo "$EX_CERT" | openssl x509 -text \
+ | sed -n -e 's/^ *Subject: .*CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \
+ | sort -u | head -1)
+ info "${DOMAIN}: Certificate on remote domain does not match, ignoring remote certificate ($EX_CERT_DOMAIN != $real_d)"
 fi
 fi
 else
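Review bot: `head -1` on the new fourth line prints only the lexically first name after `sort -u`, so for a certificate with several SANs the `($EX_CERT_DOMAIN != $real_d)` message shows an arbitrary name rather than the CN or the full list, which makes the mismatch harder to diagnose; `| sort -u | paste -s -d, -` would print them all. These names come from `$EX_CERT`, which is obtained outside the hunk (presumably from the remote host), and the `DNS:` branch of the sed script applies no character filter, so the logged value is remote-controlled text; inserting `tr -cd 'A-Za-z0-9.*\n-'` before the `sort -u` keeps the log line to the same character set the CN branch already enforces. `$real_d` is not set anywhere in the hunk; if it is not the variable holding the name being checked in the surrounding loop, the message will print an empty value. The enclosing `if` block begins and ends outside the hunk.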