--- aox/servers.cpp.orig Mon Mar 10 14:44:59 2014
+++ aox/servers.cpp Thu May 1 10:57:40 2014
@@ -27,6 +27,7 @@
 #include
 #include
+#include
 static const char * buildinfo[] = {
 #include "buildinfo.inc"
@@ -316,8 +317,7 @@ static void checkFilePermissions()
 if ( Configuration::toggle( Configuration::UseTls ) ) {
 EString c = Configuration::text( Configuration::TlsCertFile );
 if ( c.isEmpty() ) {
- c = Configuration::compiledIn( Configuration::LibDir );
- c.append( "/automatic-key.pem" );
+ c = "/etc/ssl/archiveopteryx.pem";
 }
 addPath( Path::ReadableFile, Configuration::TlsCertFile );
 }
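Review bot: The literal `"/etc/ssl/archiveopteryx.pem"` is now hard-coded here and again in the selfSignCertificate hunk at -1072; a single file-scope constant such as `static const char * const defaultTlsCertFile = "/etc/ssl/archiveopteryx.pem";` used from both places would keep the two defaults from drifting. Within this hunk the value assigned to `c` is not read afterwards — `addPath` is called with `Configuration::TlsCertFile`, not `c` — so it is unclear whether the default file's permissions are actually checked when the option is unset; that depends on addPath, which is outside the hunk. The enclosing function checkFilePermissions starts outside the hunk.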
@@ -1072,65 +1072,19 @@ static void selfSignCertificate()
 {
 EString keyFile( Configuration::text( Configuration::TlsCertFile ) );
+ // no need to bother if use-tls is set to no
+ if ( !Configuration::toggle( Configuration::UseTls ) )
+ return;
+
 if ( keyFile.isEmpty() ) {
- keyFile = Configuration::compiledIn( Configuration::LibDir );
- keyFile.append( "/automatic-key.pem" );
+ keyFile = "/etc/ssl/archiveopteryx.pem";
 }
 File key( keyFile );
 if ( !key.contents().isEmpty() )
 return; // could verify here, for the expiry date
-
- File osslcf( "/tmp/aox-ossl.conf", File::Write );
- osslcf.write( "[ req ]\n"
- " default_bits = 1024\n"
- " default_keyfile = privkey.pem\n"
- " distinguished_name = req_distinguished_name\n"
- " attributes = req_attributes\n"
- " x509_extensions = v3_ca\n"
- " prompt = no\n"
- "\n"
- " dirstring_type = nobmp\n"
- "\n"
- "[ req_distinguished_name ]\n"
- " CN=" + Configuration::hostname() + "\n"
- "\n"
- "[ req_attributes ]\n"
- " challengePassword = \"\"\n"
- "\n"
- " [ v3_ca ]\n"
- "\n"
- " nsCertType = server\n"
- " nsComment = \"Automatically generated self-signed certificate\"\n"
- " subjectKeyIdentifier=hash\n"
- " authorityKeyIdentifier=keyid:always,issuer:always\n"
- " basicConstraints = CA:true\n" );
-
-
-
- int r = system( "openssl req -config /tmp/aox-ossl.conf -x509 -days 1764 -newkey rsa:1024 -nodes -keyout /tmp/aox-ossl.pem -out /tmp/aox-ossl.pem" );
- if ( r == -1 )
- error( "Needed to execute openssl req, but failed" );
-
- // one one hand, File::write() does no checking. On the other,
- // this does at least not pass user-supplied data to the shell.
- File ossl( "/tmp/aox-ossl.pem" );
- File result( keyFile, File::Write );
- result.write( ossl.contents() );
- result.write( "\n"
- " This certificate was autogenerated by Archiveopteryx,\n"
- " since Archiveopteryx was configured to use TLS, but\n"
- " no certificate was specified. You may want to replace\n"
- " it with a CA-supplied certificate.\n"
- "\n" );
-
- File::unlink( "/tmp/aox-ossl.pem" );
-
- printf( "Created self-signed certificate for\n %s\n"
- "and stored it in\n %s\n"
- "Please verify that file's permissions.\n",
- Configuration::hostname().cstr(),
- keyFile.cstr() );
+ else
+ errx(1, "Didn't found certificate in %s, exiting\n", keyFile.cstr());
 }
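Review bot: The new `errx` call at the end of the hunk carries a trailing `\n` in its format string even though errx(3) already terminates the message with a newline, so the abort prints an extra blank line, and "Didn't found" reads wrongly; `errx( 1, "No certificate found in %s, exiting", keyFile.cstr() );` fixes both. The `else` in front of it is redundant after the unconditional `return;` above and can be dropped. With the openssl-based generation removed, the name selfSignCertificate (its signature line is outside the hunk) no longer describes what the function does; if renaming is out of scope, a comment above the `if ( !Configuration::toggle( Configuration::UseTls ) )` guard such as `// Only verifies that a non-empty certificate file exists; aborts if it does not. Self-signed generation was removed.` would keep the next reader from looking for it. Note too that the existence test is `key.contents().isEmpty()`, so if File yields empty contents for a file that exists but cannot be read (the hunk does not show this), the "not found" message would fire for that case as well — worth reflecting in the message or a comment.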