From 6e3b04ce8347396d25661d514255a374b0e784ad Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 23 Aug 2014 17:49:33 -0400
Subject: [PATCH] when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone
---
 management/web_update.py | 1 +
 setup/ssl.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/management/web_update.py b/management/web_update.py
index 2afdaea1..5131d9c9 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -177,6 +177,7 @@ def ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, en
 "openssl", "req", "-new", "-key", ssl_key, "-out", csr_path,
+ "-sha256",
 "-subj", "/C=%s/ST=/L=/O=/CN=%s" % (env["CSR_COUNTRY"], domain)])
 # And then make the certificate.
diff --git a/setup/ssl.sh b/setup/ssl.sh
index d440219f..5c2280c3 100755
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -31,7 +31,7 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
 # Generate a certificate signing request if one doesn't already exist.
 hide_output \
 openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
- -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
+ -sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
 fi
 if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 # Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
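Review bot: The certificate produced from this CSR may still be SHA-1 signed, because the `"-sha256",` added to the `openssl req` list only sets the digest on the CSR's own signature. The digest on the certificate is chosen by the signing step, which starts at `# And then make the certificate.` at the end of this hunk and continues outside it. If that step self-signs with `openssl x509 -req` and passes no digest option, the result depends on the OpenSSL default, so I would add `"-sha256",` to that argument list too. The self-signing branch that begins at the end of the setup/ssl.sh hunk has the same gap. A comment above the new line, such as `# digest for the CSR signature only; the certificate's digest is set when it is signed`, would keep the two from being conflated.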
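Review bot: Hosts that already have `ssl_cert_sign_req.csr` on disk never reach the changed `openssl req` line, because it sits under `if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]`, so their existing request keeps the digest it was created with. If the goal is to move every installation off SHA-1, the guard could also check the `Signature Algorithm` line of `openssl req -in "$STORAGE_ROOT/ssl/ssl_cert_sign_req.csr" -noout -text` and regenerate when it is not SHA-256. Alternatively, the upgrade notes should tell operators to remove the old CSR. As a style point, `$STORAGE_ROOT` is unquoted in both the test and the `openssl` arguments, so a storage path containing whitespace would be split into several words. Quoting it as `"$STORAGE_ROOT/ssl/ssl_cert_sign_req.csr"` avoids that.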