From f9acf0adec4db2779989269ec1e7bb51f18e4585 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Fri, 24 Oct 2014 21:30:33 +0000
Subject: [PATCH] better errors for ssl certificates

---
 management/status_checks.py | 3 +++
 management/web_update.py    | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/management/status_checks.py b/management/status_checks.py
index 8787b5b2..b098a1dd 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -514,6 +514,9 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 		# Certificate is self-signed.
 		return ("SELF-SIGNED", None)
 	elif retcode != 0:
+		if "unable to get local issuer certificate" in verifyoutput:
+			return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete.", None)
+
 		# There is some unknown problem. Return the `openssl verify` raw output.
 		return ("There is a problem with the SSL certificate.", verifyoutput.strip())
 	else:
diff --git a/management/web_update.py b/management/web_update.py
index 9fd0a8f8..558343be 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -229,6 +229,8 @@ def install_cert(domain, ssl_cert, ssl_chain, env):
 		if cert_status == "SELF-SIGNED":
 			cert_status = "This is a self-signed certificate. I can't install that."
 		os.unlink(fn)
+		if cert_status_details is not None:
+			cert_status += " " + cert_status_details
 		return cert_status
 
 	# Copy the certificate to its expected location.