fixup! ACME: alternative chains support.

Author: bavshin-f5

README.md

@@ -237,24 +237,6 @@ Accepted values:
 The generated account keys are preserved across reloads,
 but will be lost on restart unless [state_path](#state_path) is configured.
 
-### chain
-
-**Syntax:** **`chain`** `issuer`=_`name`_
-
-**Default:** -
-
-**Context:** acme_issuer
-
-_This directive appeared in version 0.3.0._
-
-Specifies the preferred certificate chain.
-
-If the ACME issuer offers multiple certificate chains,
-prefer the chain with the topmost certificate issued from the
-Subject Common Name _`name`_.
-
-If no matches, the default chain will be used.
-
 ### challenge
 
 **Syntax:** **`challenge`** _`type`_
@@ -308,6 +290,24 @@ In both cases, the key is expected to be encoded in
 
 [RFC8555#eab]: https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.4
 
+### preferred_chain
+
+**Syntax:** **`preferred_chain`** _`issuer name`_
+
+**Default:** -
+
+**Context:** acme_issuer
+
+_This directive appeared in version 0.3.0._
+
+Specifies the preferred certificate chain.
+
+If the ACME issuer offers multiple certificate chains,
+prefer the chain with the topmost certificate issued from the
+Subject Common Name _`issuer name`_.
+
+If no matches, the default chain will be used.
+
 ### profile
 
 **Syntax:** **`profile`** _`name`_ \[`require`]

src/conf.rs

@@ -101,14 +101,6 @@ static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 12] = [
         offset: 0,
         post: ptr::null_mut(),
     },
-    ngx_command_t {
-        name: ngx_string!("chain"),
-        type_: NGX_CONF_TAKE1 as ngx_uint_t,
-        set: Some(cmd_issuer_set_chain),
-        conf: 0,
-        offset: 0,
-        post: ptr::null_mut(),
-    },
     ngx_command_t {
         name: ngx_string!("challenge"),
         type_: NGX_CONF_TAKE1 as ngx_uint_t,
@@ -133,6 +125,14 @@ static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 12] = [
         offset: 0,
         post: ptr::null_mut(),
     },
+    ngx_command_t {
+        name: ngx_string!("preferred_chain"),
+        type_: NGX_CONF_TAKE1 as ngx_uint_t,
+        set: Some(cmd_issuer_set_preferred_chain),
+        conf: 0,
+        offset: 0,
+        post: ptr::null_mut(),
+    },
     ngx_command_t {
         name: ngx_string!("profile"),
         type_: nginx_sys::NGX_CONF_TAKE12 as ngx_uint_t,
@@ -351,36 +351,6 @@ extern "C" fn cmd_add_certificate(
     NGX_CONF_OK
 }
 
-extern "C" fn cmd_issuer_set_chain(
-    cf: *mut ngx_conf_t,
-    _cmd: *mut ngx_command_t,
-    conf: *mut c_void,
-) -> *mut c_char {
-    let cf = unsafe { cf.as_mut().expect("cf") };
-    let issuer = unsafe { conf.cast::<Issuer>().as_mut().expect("issuer conf") };
-
-    if issuer.chain.is_some() {
-        return NGX_CONF_DUPLICATE;
-    }
-
-    for value in &cf.args()[1..] {
-        // SAFETY: the value is well aligned, and the conversion result is assigned to an object in
-        // the same pool.
-        let Ok(value) = (unsafe { conf_value_to_str(value) }) else {
-            return NGX_CONF_INVALID_VALUE;
-        };
-
-        if let Some(name) = value.strip_prefix("issuer=") {
-            issuer.chain = Some(issuer::CertificateChainMatcher::new(name));
-            continue;
-        }
-
-        return NGX_CONF_INVALID_VALUE;
-    }
-
-    NGX_CONF_OK
-}
-
 extern "C" fn cmd_issuer_set_challenge(
     cf: *mut ngx_conf_t,
     _cmd: *mut ngx_command_t,
@@ -552,6 +522,32 @@ extern "C" fn cmd_issuer_set_external_account_key(
     NGX_CONF_OK
 }
 
+extern "C" fn cmd_issuer_set_preferred_chain(
+    cf: *mut ngx_conf_t,
+    _cmd: *mut ngx_command_t,
+    conf: *mut c_void,
+) -> *mut c_char {
+    let cf = unsafe { cf.as_mut().expect("cf") };
+    let issuer = unsafe { conf.cast::<Issuer>().as_mut().expect("issuer conf") };
+
+    if issuer.chain.is_some() {
+        return NGX_CONF_DUPLICATE;
+    }
+
+    // NGX_CONF_TAKE1 ensures that args contains 2 elements
+    let args = cf.args();
+
+    // SAFETY: the value is well aligned, and the conversion result is assigned to an object in
+    // the same pool.
+    let Ok(issuer_name) = (unsafe { conf_value_to_str(&args[1]) }) else {
+        return NGX_CONF_INVALID_VALUE;
+    };
+
+    issuer.chain = Some(issuer::CertificateChainMatcher::new(issuer_name));
+
+    NGX_CONF_OK
+}
+
 extern "C" fn cmd_issuer_set_profile(
     cf: *mut ngx_conf_t,
     _cmd: *mut ngx_command_t,