Description
The script retrieves the subject of the certificate using the command
openssl x509 -noout -subject -in "$SSTCERT"
and then pipes it to extract the CN. However, the current method for extracting the CN encounters issues when the CN is the first field of the subject. This pull request aims to address this issue and ensure the successful extraction of the CN from the subject of the certificate, regardless of its position within the subject field. Here are the lines (864-866) that extract the CN:
CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$SSTCERT" | tr ',' '\n' | grep -F 'CN =' | cut -d '=' -f2 | sed s/^\ // | sed s/\ %//)
This method of extracting the CN works when the CN is not the first field of the subject (e.g., subject=OU = Example, CN = www.example.com, C = EX), but it fails when the CN is the first field (e.g., subject=CN = www.exemple.com).
As the ACME challenge can only validate the CN of the certificate, this is the only field in the subject of the certificates produced by certbot.
A simple fix is to remove "subject=" from this return, and the pipe works again.
Release Notes
Fix the command to get CN in wsrep_sst_rsync when the CN field is the first field of the subject of the certificate
How can this PR be tested?
Using a certificate which contains only the CN field in its subject.
Basing the PR against the correct MariaDB version
PR quality check
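The failure described in this PR, reproduced as an added example (not the PR's own patch): the quoted pipeline is run over constructed subject lines, next to a variant that strips the leading `subject=` first. The function names and the `sed 's/^subject=//'` step are assumptions about one way to write the fix; the subject strings are the two formats quoted in the description.

```shell
#!/bin/sh
# Added example. Subject lines are constructed, in the format quoted in the PR,
# and are passed as arguments so the script runs without openssl or a certificate.

# Pipeline as quoted in the PR description (script lines 864-866).
extract_cn_original() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -F 'CN =' | cut -d '=' -f2 | sed s/^\ // | sed s/\ %//
}

# Same pipeline with the "subject=" prefix removed first (assumed form of the fix).
# Without the prefix, the '=' after CN is always the first '=' on the matched line,
# so cut -f2 returns the value whether CN is first or not.
extract_cn_fixed() {
    printf '%s\n' "$1" | sed 's/^subject=//' | tr ',' '\n' | grep -F 'CN =' | cut -d '=' -f2 | sed s/^\ // | sed s/\ %//
}

# Show both variants on both subject layouts; brackets make stray spaces visible.
demo() {
    for subj in \
        'subject=OU = Example, CN = www.example.com, C = EX' \
        'subject=CN = www.exemple.com'
    do
        printf 'input:    %s\n' "$subj"
        printf 'original: [%s]\n' "$(extract_cn_original "$subj")"
        printf 'fixed:    [%s]\n\n' "$(extract_cn_fixed "$subj")"
    done
}

demo
```

When CN is the first field, the original pipeline splits `subject=CN = ...` at the first `=` and returns the field name `CN ` instead of the host name.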