-Add support for including Subject Alternative Names (SANs) from

existing certificates during both manual and automatic renewals. -Enhance filtering and normalization of domain names from the UI to ensure only valid domains are included when requesting certificates.
2025-10-21 10:09:37 +02:00 · 2025-09-22 00:30:51 +02:00
parent d5a980094b
commit 2140e5b0b5
3 changed files with 114 additions and 5 deletions
--- a/src/mod/acme/acme.go
+++ b/src/mod/acme/acme.go
@@ -432,6 +432,21 @@ func (a *ACMEHandler) HandleGetExpiredDomains(w http.ResponseWriter, r *http.Req
 // to renew the certificate, and sends a JSON response indicating the result of the renewal process.
 func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
 	domainPara, err := utils.PostPara(r, "domains")
+	
+	//Clean each domain
+	cleanedDomains := []string{}
+	if (domainPara != "") {
+		for _, d := range strings.Split(domainPara, ",") {
+			// Apply normalization on each domain
+			nd, err := NormalizeDomain(d)
+			if err != nil {
+				utils.SendErrorResponse(w, jsonEscape(err.Error()))
+				return
+			}	
+			cleanedDomains = append(cleanedDomains, nd) 
+		}
+	}
+
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
@@ -492,7 +507,6 @@ func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Requ
 		dns = true
 	}

-	domains := strings.Split(domainPara, ",")

 	// Default propagation timeout is 300 seconds
 	propagationTimeout := 300
@@ -511,12 +525,31 @@ func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Requ
 		}
 	}

-	//Clean spaces in front or behind each domain
-	cleanedDomains := []string{}
-	for _, domain := range domains {
-		cleanedDomains = append(cleanedDomains, strings.TrimSpace(domain))
+	// Extract SANs from existing PEM to ensure all domains are included
+	pemPath := fmt.Sprintf("./conf/certs/%s.pem", filename)
+	sanDomains, err := ExtractDomainsFromPEM(pemPath)
+	if err == nil {
+		// Merge domainPara + SANs
+		domainSet := map[string]struct{}{}
+		for _, d := range cleanedDomains {
+			domainSet[d] = struct{}{}
+		}
+		for _, d := range sanDomains {
+			domainSet[d] = struct{}{}
+		}
+
+		// Rebuild cleanedDomains with all unique domains
+		cleanedDomains = []string{}
+		for d := range domainSet {
+			cleanedDomains = append(cleanedDomains, d)
+		}
+
+		a.Logf("Renewal domains including SANs from PEM: "+strings.Join(cleanedDomains, ","), nil)
+	} else {
+		a.Logf("Could not extract SANs from PEM, using domainPara only", err)
 	}

+
 	// Extract DNS servers from the request
 	var dnsServers []string
 	dnsServersPara, err := utils.PostPara(r, "dnsServers")